SF_Antivalent

Applicable Safety Standards

SF_Antivalent is a certified PLCopen function block. For detailed information about the applied standards , see: "PLCopen – Technical Committee 5 – Safety Software"

Important

The requirements which are listed in the standards must be met by the user.

Interface Description

This function block converts two antivalent SAFEBOOL inputs (NO/NC pair) to one SAFEBOOL output with discrepancy time monitoring. This FB should not be used stand-alone since it has no restart interlock. It is required to connect the output to other safety related functionalities.

Table 13. VAR_INPUT

Name	Data Type	Initial Value	Description, Parameter Values
`Activate`	`BOOL`	`FALSE`	See General Input Parameters
`S_ChannelNC`	`SAFEBOOL`	`FALSE`	Variable `NC` stands for `Normally Closed`. Input for NC connection `FALSE`: NC contact open `TRUE`: NC contact closed
`S_ChannelNO`	`SAFEBOOL`	`TRUE`	Variable `NO` stands for Normally Open Input for `NO` connection `FALSE`: `NO` contact open `TRUE`: `NO` contact closed
`DiscrepancyTime`	`TIME`	`T#0ms`	Constant Maximum monitoring time for discrepancy status of both inputs The cautionary note "DiscrepancyTime" must be observed.

`DiscrepancyTime`

Applies to developers in Extended Level: The DiscrepancyTime input must be activated with a constant value. As a result, the value must not be changed for the calls.

Table 14. VAR_OUTPUT

Name	Data Type	Initial Value	Description, Parameter Values
`Ready`	`BOOL`	`FALSE`	See General Output Parameters
`S_AntivalentOut`	`SAFEBOOL`	`FALSE`	Safety-related output `FALSE`: Minimum of one input signal "not active" or status change outside of monitoring time `TRUE`: Both inputs signals "active" and status change within monitoring time.
`SafetyDemand`	`BOOL`	`FALSE`	See General Output Parameters
`Error`	`BOOL`	`FALSE`	See General Output Parameters
`DiagCode`	`WORD`	`16#0000`	See Diagnostic Codes

Tip

"Antivalent" means that during normal operation, the two inputs are in opposite states at the same time. This is sometimes called "complementary" or "non-equivalent".

For certain (lower) levels of safety requirements, it can be allowed to use BOOL as inputs and SAFEBOOL as output. However, this has to be evaluated via the FMEA of the application. In the library, there should be made a distinction between the SAFEBOOL and BOOL version.

Figure 14. Function block: SF_Antivalent

Functional Description

This function block converts two antivalent SAFEBOOL inputs to one SAFEBOOL output with discrepancy time monitoring. Both inputs are interdependent. The function block output shows the result of the evaluation of both channels.

If S_AntivalentOut = TRUE and one of the safety-related inputs changes, then the output immediately switches to FALSE.

Discrepancy time monitoring: The discrepancy time is the maximum period during which both inputs may have the same states without the function block detecting an error. Discrepancy time monitoring starts when the status of an input changes. The function block detects an error when both inputs have the same values once the discrepancy time has elapsed.

Both inputs must be switched symmetrically. This means that monitoring is performed for both inputs for switching from TRUE to FALSE as well as for switching from FALSE to TRUE.

Table 15. Logic table of inputs/outputs

Inputs				Outputs
`Activate`	`S_ChannelNC`	`S_ChannelNO`	`DiscrepancyTime`	`Ready`	`S_AntivalentOut`	`SafetyDemand`	`Error`	`DiagCode`
`FALSE`	`FALSE`	`TRUE`	Not started	`FALSE`	`FALSE`	`FALSE`	`FALSE`	`16#0000`
`TRUE`	`FALSE`	`TRUE`	Not started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8801`
`TRUE`	`FALSE -> TRUE`	`TRUE`	Started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8802`
`TRUE`	`TRUE`	`TRUE -> FALSE`	Started	`TRUE`	`TRUE`	`FALSE`	`FALSE`	`16#8000`
`TRUE`	`TRUE`	`FALSE`	Not started	`TRUE`	`TRUE`	`FALSE`	`FALSE`	`16#8000`
`TRUE`	`TRUE`	`FALSE -> TRUE`	Started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8806`
`TRUE`	`TRUE -> FALSE`	`TRUE`	Started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8801`
`TRUE`	`FALSE`	`TRUE`	Not started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8801`
`TRUE`	`FALSE`	`TRUE -> FALSE`	Started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8804`
`TRUE`	`FALSE -> TRUE`	`FALSE`	Started	`TRUE`	`TRUE`	`FALSE`	`FALSE`	`16#8000`
`TRUE`	`TRUE -> FALSE`	`FALSE`	Started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8806`
`TRUE`	`FALSE`	`FALSE -> TRUE`	Started	`TRUE`	`FALSE`	`TRUE`	`FALSE`	`16#8801`

Tip

In the logic table, an arrow -> stands for a transition. TRUE -> FALSE means that the value of the variable has changed from TRUE to FALSE.

State diagram

Figure 15. State diagram: SF_Antivalent

Tip

The transition from any state to the Idle state due to Activate = FALSE is not shown. However these transitions have the highest priority.

Typical Timing Diagrams

Figure 16. Timing diagram 1: SF_Antivalent

Figure 17. Timing diagram 2: SF_Antivalent

Error Detection

The function block monitors the discrepancy time between Channel NO and Channel NC.

Error Behavior

The output S_AntivalentOut is set to FALSE. Error is set to TRUE. DiagCode indicates the Error states. There is no Reset defined as an input coupled with the reset of an error. As soon as a Set of input values with the correct S_AntivalentOut is present, Error is FALSE again.

FB-Specific Error and State Codes

Table 16. FB-specific error codes

`DiagCode`	State Name	State Description and Output Setting
`16#C010`	`Error 1`	Discrepancy time elapsed in state `16#8802` `Ready = TRUE` `S_AntivalentOut = FALSE` `SafetyDemand = FALSE` `Error = TRUE`
`16#C020`	`Error 2`	Discrepancy time elapsed in state `16#8804` `Ready = TRUE` `S_AntivalentOut = FALSE` `SafetyDemand = FALSE` `Error = TRUE`
`16#C030`	`Error 3`	Discrepancy time elapsed in state `16#8806` `Ready = TRUE` `S_AntivalentOut = FALSE` `SafetyDemand = FALSE` `Error = TRUE`

DiagCode

State Name

State Description and Output Setting

16#C010

Error 1

Discrepancy time elapsed in state 16#8802

Ready = TRUE

S_AntivalentOut = FALSE

SafetyDemand = FALSE

Error = TRUE

16#C020

Error 2

Discrepancy time elapsed in state 16#8804

Ready = TRUE

S_AntivalentOut = FALSE

SafetyDemand = FALSE

Error = TRUE

16#C030

Error 3

Discrepancy time elapsed in state 16#8806

Ready = TRUE

S_AntivalentOut = FALSE

SafetyDemand = FALSE

Error = TRUE

Table 17. FB-specific state codes

`DiagCode`	State Name	State Description and Output Setting
`16#0000`	`Idle`	The function block is not active (initial state). `Ready = FALSE` `S_AntivalentOut = FALSE` `SafetyDemand = FALSE` `Error = FALSE`
`16#8801`	`Init`	An activation has been detected by the FB and the FB is now activated. `Ready = TRUE` `S_AntivalentOut = FALSE` `SafetyDemand = TRUE` `Error = FALSE`
`16#8000`	`Safety Output Enabled`	The inputs are switched to `TRUE` in antivalent mode. `Ready = TRUE` `S_AntivalentOut = TRUE` `SafetyDemand = FALSE` `Error = FALSE`
`16#8802`	`Wait for NO`	`ChannelNC` has been switched to `TRUE` – waiting for `ChannelNO` to be switched to `FALSE`; discrepancy timer started. `Ready = TRUE` `S_AntivalentOut = FALSE` `SafetyDemand = TRUE` `Error = FALSE`
`16#8804`	`Wait for NC`	`ChannelNO` has been switched to `FALSE` – waiting for `ChannelNC` to be switched to `TRUE`; discrepancy timer started. `Ready = TRUE` `S_AntivalentOut = FALSE` `SafetyDemand = TRUE` `Error = FALSE`
`16#8006`	`From Active Wait`	One channel has been switched to inactive; waiting for the second channel to be switched to inactive too. `Ready = TRUE` `S_AntivalentOut = FALSE` `SafetyDemand = TRUE` `Error = FALSE`