SF_EDM (External Device Monitoring)

Applicable Safety Standards

SF_EDM is a certified PLCopen function block. For detailed information about the applied standards , see: "PLCopen – Technical Committee 5 – Safety Software"

Important

The requirements which are listed in the standards must be met by the user.

Interface Description

This function block applies an input signal (S_OutControl) to an output signal (S_EDM_Out). The function block monitors that two inputs switch off within a defined time (MonitoringTime). If they do not switch off within the defined time, S_EDM_OUT is set to FALSE.

The SF_EDM (External Device Monitoring) FB monitors the initial state and the switching state of actuators, for example switch amplifiers, which are controlled by safe output devices.

Table 17. VAR_INPUT

Name	Data Type	Initial Value	Description, Parameter Values
`Activate`	`BOOL`	`FALSE`	See General Input Parameters
`S_OutControl`	`SAFEBOOL`	`FALSE`	Variable Control signal of the preceding safety FBs. Typical function block signals from the PLCopen library (e.g. `SF_OutControl`, `SF_TwoHandControlTypeII`) `FALSE`: Disable safety output (`S_EDM_Out`) `TRUE`: Enable safety output (`S_EDM_Out`)
`S_EDM1`	`SAFEBOOL`	`FALSE`	Variable Feedback signal of the first connected actuator (switch amplifier). `FALSE`: Switching state of the first connected actuator. `TRUE`: Initial state of the first connected actuator.
`S_EDM2`	`SAFEBOOL`	`FALSE`	Variable Feedback signal of the second connected actuator (switch amplifier). Depending on the actuators installed, the wiring between the feedback signals and the targeted safety level, it can be that only combined input is used here. In that case, the user must use a graphic connection to jumper the `EDM1` and `EDM2` parameters. `S_EDM1` and `S_EDM2` are then controlled by the same signal. `FALSE`: Switching state of the second connected actuator. `TRUE`: Initial state of the second connected actuator
`MonitoringTime`	`TIME`	`#0ms`	Constant Maximum response time of the connected and monitored actuators. The cautionary note `MonitoringTime` must be observed.
`Reset`	`BOOL`	`FALSE`	See General Input Parameters

`MonitoringTime`

Applies to developers in Extended Level: The MonitoringTime input must be activated with a constant value. The value must not be changed for the calls.

Table 18. VAR_OUTPUT

Name	Data Type	Initial Value	Description, Parameter Values
`Ready`	`BOOL`	`FALSE`	See General Output Parameters
`S_EDM_Out`	`SAFEBOOL`	`FALSE`	Controls the actuator. The result is monitored by the feedback signal `S_EDMx`. `FALSE`: Disable connected actuators `TRUE`: Enable connected actuators
`SafetyDemand`	`BOOL`	`FALSE`	See General Output Parameters
`ResetRequest`	`BOOL`	`FALSE`	See General Output Parameters
`Error`	`BOOL`	`FALSE`	See General Output Parameters
`DiagCode`	`WORD`	`16#0000`	See Diagnostic Codes

Figure 18. Function block: SF_EDM

Functional Description

The SF_EDM FB controls a safety output and monitors controlled actuators.

This function block monitors the initial state of the actuators via the feedback signals (S_EDM1 and S_EDM2) before the actuators are enabled by the FB.

The function block monitors the switching state of the actuators (MonitoringTime) after the actuators have been enabled by the FB.

Two single feedback signals must be used for an exact diagnosis of the connected actuators. A common feedback signal from the two connected actuators must be used for a restricted yet simple diagnostic function of the connected actuators. In this case, the user must connect this common signal to both S_EDM1 and S_EDM2 parameters. S_EDM1 and S_EDM2 are then controlled by the same signal.

The switching devices used in the safety function should be selected from the category specified in the risk analysis.

Optional startup inhibit

Startup inhibit in the event of block activation

Caution

The S_StartReset input shall only be activated if it is ensured that no hazardous situation can occur when the safety controller is started.

State diagram

Figure 19. State diagram: SF_EDM

Tip

The transition from any state to the Idle state due to Activate = FALSE is not shown. However these transitions have the highest priority.

Typical Timing Diagrams

Figure 20. Typical timing diagram for SF_EDM, S_StartReset = FALSE

Error Detection

The following conditions force a transition to the Error state:

Invalid static Reset signal in the process
Invalid EDM signal in the process
The S_OutControl and Reset inputs are incorrectly interconnected due to programming error.

Error Behavior

In error states, the outputs are as follows:

The S_EDM_Out is set to FALSE and remains in this safe state.
An EDM error message must always be reset by a rising trigger at Reset.
A Reset error message can be reset by setting Reset to FALSE.

After function block activation, the optional startup inhibit can be reset by a rising edge at the Reset input.

FB-Specific Error and State Codes

Table 19. FB-specific error codes

`DiagCode`	State Name	State Description and Output Setting
`16#C001`	`Reset Error 1`	Static Reset signal in state `16#8401`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C011`	`Reset Error 21`	Static Reset signal or same signals at `EDM1` and `Reset` (rising trigger at `Reset` and `EDM1` at the same time) in state `16#C010`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C021`	`Reset Error 22`	Static Reset signal or same signals at `EDM2` and `Reset` (rising trigger at `Reset` and `EDM2` at the same time) in state `16#C020`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C031`	`Reset Error 23`	Static Reset signal or same signals at `EDM1`, `EDM2`, and `Reset` (rising trigger at `Reset`, `EDM1`, and `EDM2` at the same time) in state `16#C030`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C041`	`Reset Error 31`	Static Reset signal or same signals at `EDM1` and `Reset` (rising trigger at `Reset` and `EDM1` at the same time) in state `16#C040`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C051`	`Reset Error 32`	Static Reset signal or same signals at `EDM2` and `Reset` (rising trigger at `Reset` and `EDM2` at the same time) in state `16#C050`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C061`	`Reset Error 33`	Static Reset signal or same signals at `EDM1`, `EDM2`, and `Reset` (rising trigger at `Reset`, EDM1, and EDM2 at the same time) in state `16#C060`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C071`	`Reset Error 41`	Static Reset signal in state `16#C070`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C081`	`Reset Error 42`	Static Reset signal in state `16#C080`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C091`	`Reset Error 43`	Static Reset signal in state `16#C090`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C010`	`EDM Error 11`	The signal at `EDM1` is not valid in the initial actuator state. In state `16#8810`, the `EDM1` signal is `FALSE` when enabling `S_OutControl`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = R` (*) `Error = TRUE`
`16#C020`	`EDM Error 12`	The signal at `EDM2` is not valid in the initial actuator state. In state `16#8810`, the `EDM2` signal is `FALSE` when enabling `S_OutControl`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = R` (*) `Error = TRUE`
`16#C030`	`EDM Error 13`	The signals at `EDM1` and `EDM2` are not valid in the initial actuator states. In state `16#8810`, the `EDM1` and `EDM2` signals are `FALSE` when enabling `S_OutControl`. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`
`16#C040`	`EDM Error 21`	The signal at `EDM1` is not valid in the initial actuator state. In state `16#8810`, the `EDM1` signal is `FALSE` and the monitoring time has elapsed. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = R` (*) `Error = TRUE`
`16#C050`	`EDM Error 22`	The signal at `EDM2` is not valid in the initial actuator state. In state `16#8810`, the `EDM2` signal is `FALSE` and the monitoring time has elapsed. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = R` (*) `Error = TRUE`
`16#C060`	`EDM Error 23`	The signals at `EDM1` and `EDM2` are not valid in the initial actuator states. In state `16#8810`, the `EDM1` and `EDM2` signals are `FALSE` and the monitoring time has elapsed. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = R` (*) `Error = TRUE`
`16#C070`	`EDM Error 31`	The signal at `EDM1` is not valid in the actuator switching state. In state `16#8000`, the `EDM1` signal is `TRUE` and the monitoring time has elapsed. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = TRUE` `Error = TRUE`
`16#C080`	`EDM Error 32`	The signal at `EDM2` is not valid in the actuator switching state. In state `16#8000`, the `EDM2` signal is `TRUE` and the monitoring time has elapsed. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = TRUE` `Error = TRUE`
`16#C090`	`EDM Error 33`	The signals at `EDM1` and `EDM2` are not valid in the actuator switching states. In state `16#8000`, the `EDM1` and `EDM2` signals are `FALSE` and the monitoring time has elapsed. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = TRUE` `Error = TRUE`
`16#C100`	`Init Error`	Similar signals at `S_OutControl` and `Reset` (`R_TRIG` at same cycle) detected (may be a programming error). `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = TRUE`

(*)
IF EDM_1 = TRUE AND EDM_2 = TRUE THEN	
    R:= TRUE;
ELSE	
    R:= FALSE;
END_IF

Table 20. FB-specific state codes

`DiagCode`	State Name	State Description and Output Setting
`16#0000`	`Idle`	The function block is not active (initial state). `Ready = FALSE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = FALSE`
`16#8401`	`Init`	Block activation startup inhibit is active. Reset required. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = FALSE` `ResetRequest = TRUE` `Error = FALSE`
`16#8810`	`Output Disable`	EDM control is not active. Timer starts when state is entered. `Ready = TRUE` `S_EDM_Out = FALSE` `SafetyDemand = TRUE` `ResetRequest = FALSE` `Error = FALSE`
`16#8000`	`Output Enable`	EDM control is active. Timer starts when state is entered. `Ready = TRUE` `S_EDM_Out = TRUE` `SafetyDemand = FALSE` `ResetRequest = FALSE` `Error = FALSE`