External safety controller requirements

Without the CS..A safety option, a safety controller or a safety relay must be used. The following requirements apply analogously:

  • The safety controller and all other safety-related subsystems must be approved for at least the safety class required in the overall system for the respective application-related safety sub-function.

The following table shows an example of the required safety class of the safety controller:

Application                                                                              | Requirement for safety controller
-----------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------
Performance level d in accordance with ISO 13849-1, SIL 2 in accordance with IEC 62061   | Performance level d in accordance with ISO 13849-1; SIL 2 in accordance with IEC 61508
Performance level e in accordance with ISO 13849-1, SIL 3 in accordance with IEC 62061   | Performance level e in accordance with EN ISO 13849-1; SIL 3 in accordance with IEC 61508

  • The wiring of the safety controller must be suitable for the intended safety class (see manufacturer's documentation). The STO input of the device can be switched with 2 poles (sourcing output, sourcing/sinking, or serial sourcing) or with 1 pole (sourcing output).
  • The values specified for the safety controller must be strictly adhered to when designing the circuit.
  • No electro-sensitive protective equipment (such as a light grid or scanner) in accordance with EN 61496‑1 or emergency stop buttons may be connected directly to the STO input. The connection must be made using safety relays, safety controllers, etc.
  • To ensure protection against an unexpected restart in accordance with EN ISO 14118, the safe control system must be designed and connected in such a way that resetting the command device alone does not lead to a restart. This means that a restart may only be carried out after a manual reset of the safety circuit.
  • If no fault exclusion is used for the STO wiring in accordance with DIN EN ISO 13849‑2 or DIN EN 61800‑5‑2, the external safety device must detect the following faults with regard to the STO wiring within 20 s, depending on the connection type:
    • Two-pole sourcing output:
      • Short circuit of 24 V at F_STO_P1 or F_STO_P2 (stuck-at 1)
      • Cross fault between F_STO_P1 and F_STO_P2
    • Two-pole sourcing/sinking:
      • Short circuit of 24 V at F_STO_P1 (stuck-at 1)
      • Short circuit of 0 V at F_STO_M (stuck-at 0)
    • Dual-channel serial sourcing output:
      • Fault exclusion is mandatory
    • Single-pole sourcing:
      • Short circuit of 24 V at F_STO_P (stuck-at 1)
  • With connection type "Two-pole sourcing output", test pulses may occur in the switched-on or switched-off state.
    • The test pulses on both sourcing channels must be switched with a time delay. However, additional switch-off test pulses may occur simultaneously.
    • The test pulses in both sourcing channels must not exceed 1 ms.
    • The next switch-off test pulse in one sourcing channel must only occur after a 2 ms time period.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.
    • The signal levels may have a maximum temporal discrepancy of 130 ms. In case of a larger temporal discrepancy, the device changes to the STO fault state (F20.11).
  • With connection type "Two-pole sourcing/sinking", test pulses may occur in the switched-on or switched-off state.
    • The test pulses in the sourcing and sinking channel must not exceed 1 ms.
    • The next switch-off test pulse in the sourcing or sinking channel must only occur after a 2 ms time period.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.
  • With connection type "Single-pole sourcing output", test pulses may occur in the switched-on or switched-off state.
    • The test pulse on the sourcing channel must not exceed 1 ms.
    • The next switch-off test pulse may only occur after a time period of 2 ms at the earliest.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.
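The test-pulse limits above (1 ms width, 2 ms spacing, packets of at most 3 switch-on pulses, 500 ms pause between packets) and the 130 ms channel discrepancy limit, as an added, constructed Python checker that is not part of this manual or the device firmware. It assumes the 2 ms spacing is counted from the end of the previous pulse and that the safety controller's pulse timings are already captured as start/width pairs.

```python
from dataclasses import dataclass

# Limits taken from the requirements above (ms); F20.11 is the STO fault state named there.
MAX_PULSE_MS = 1.0           # a test pulse must not exceed 1 ms
MIN_GAP_MS = 2.0             # next test pulse only after 2 ms (assumption: from end of previous pulse)
MAX_PACKET_PULSES = 3        # at most 3 switch-on pulses in sequence
MIN_PACKET_PAUSE_MS = 500.0  # wait 500 ms after a packet before the next switch-on pulse
MAX_DISCREPANCY_MS = 130.0   # two-pole sourcing: larger channel discrepancy -> F20.11

@dataclass(frozen=True)
class Pulse:
    start_ms: float
    width_ms: float
    kind: str  # "on" = switch-on test pulse, "off" = switch-off test pulse

def check_channel(pulses):
    """Return the list of rule violations found in one channel's test-pulse sequence."""
    errors = []
    last = {}       # last pulse seen per kind
    in_packet = 0   # switch-on pulses counted in the current packet
    for p in sorted(pulses, key=lambda q: q.start_ms):
        if p.width_ms > MAX_PULSE_MS:
            errors.append(f"{p.kind} pulse at {p.start_ms} ms: width {p.width_ms} ms > {MAX_PULSE_MS} ms")
        prev = last.get(p.kind)
        gap = None if prev is None else p.start_ms - (prev.start_ms + prev.width_ms)
        if gap is not None and gap < MIN_GAP_MS:
            errors.append(f"{p.kind} pulse at {p.start_ms} ms: only {gap} ms after previous (< {MIN_GAP_MS} ms)")
        if p.kind == "on":
            # a switch-on pulse less than 500 ms after the previous one belongs to the same packet
            in_packet = in_packet + 1 if gap is not None and gap < MIN_PACKET_PAUSE_MS else 1
            if in_packet > MAX_PACKET_PULSES:
                errors.append(f"on pulse at {p.start_ms} ms: pulse {in_packet} in packet (max {MAX_PACKET_PULSES})")
        last[p.kind] = p
    return errors

def channels_consistent(t_p1_ms, t_p2_ms):
    """Two-pole sourcing: True if the F_STO_P1 and F_STO_P2 levels agree within 130 ms."""
    return abs(t_p1_ms - t_p2_ms) <= MAX_DISCREPANCY_MS

# Constructed sample trace for one channel: a valid 3-pulse switch-on packet, then a
# fourth pulse inside the same packet, then an over-long switch-off pulse.
SAMPLE_P1 = [
    Pulse(0.0, 0.5, "on"), Pulse(2.5, 0.5, "on"), Pulse(5.0, 0.5, "on"),
    Pulse(7.5, 0.5, "on"),      # 4th pulse in the packet -> violation
    Pulse(1000.0, 1.5, "off"),  # 1.5 ms wide -> violation
]

if __name__ == "__main__":
    for e in check_channel(SAMPLE_P1):
        print("violation:", e)
    print("channels consistent:", channels_consistent(100.0, 200.0))
```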