Preventa XPSUAT

EIO0000003443 06/2019

Preventa XPSUAT
Safety Module
Original instructions

06/2019
EIO0000003443.00

www.schneider-electric.com
 The information provided in this documentation contains general descriptions and/or technical
characteristics of the performance of the products contained herein. This documentation is not
intended as a substitute for and is not to be used for determining suitability or reliability of these
products for specific user applications. It is the duty of any such user or integrator to perform the
appropriate and complete risk analysis, evaluation and testing of the products with respect to the
relevant specific application or use thereof. Neither Schneider Electric nor any of its affiliates or
subsidiaries shall be responsible or liable for misuse of the information contained herein. If you
have any suggestions for improvements or amendments or have found errors in this publication,
please notify us.
You agree not to reproduce, other than for your own personal, noncommercial use, all or part of
this document on any medium whatsoever without permission of Schneider Electric, given in
writing. You also agree not to establish any hypertext links to this document or its content.
Schneider Electric does not grant any right or license for the personal and noncommercial use of
the document or its content, except for a non-exclusive license to consult it on an "as is" basis, at
your own risk. All other rights are reserved.
All pertinent state, regional, and local safety regulations must be observed when installing and
using this product. For reasons of safety and to help ensure compliance with documented system
data, only the manufacturer should perform repairs to components.
When devices are used for applications with technical safety requirements, the relevant
instructions must be followed.
Failure to use Schneider Electric software or approved software with our hardware products may
result in injury, harm, or improper operating results.
Failure to observe this information can result in injury or equipment damage.
© 2019 Schneider Electric. All rights reserved.

2 EIO0000003443 06/2019
 Table of Contents

Safety Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
About the Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Device Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Front View and Side View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Nameplate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Type Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 2 Technical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Environmental Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Mechanical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Electrical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Timing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Data Functional Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Chapter 3 Engineering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Electromagnetic Compatibility (EMC) . . . . . . . . . . . . . . . . . . . . . . . . . 36
Basic Principles of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Safety-Related Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Synchronization of Safety-Related Inputs . . . . . . . . . . . . . . . . . . . . . . 44
Dynamization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Signal Interlock Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Chapter 4 Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Prerequisites and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Mechanical Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Electrical Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Chapter 5 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Application Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Start Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Delay Function. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 6 Configuration and Commissioning . . . . . . . . . . . . . . . . . 83
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Commissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Chapter 7 Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Diagnostics via LEDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Diagnostics via Status Output Z1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

EIO0000003443 06/2019 3
 Chapter 8 Accessories, Service, Maintenance, and Disposal. . . . . . 95
Accessories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Transportation, Storage, and Disposal. . . . . . . . . . . . . . . . . . . . . . . . . 98
Service Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

4 EIO0000003443 06/2019
 Safety Information

Important Information

NOTICE
Read these instructions carefully, and look at the equipment to become familiar with the device
before trying to install, operate, service, or maintain it. The following special messages may appear
throughout this documentation or on the equipment to warn of potential hazards or to call attention
to information that clarifies or simplifies a procedure.

EIO0000003443 06/2019 5
PLEASE NOTE
Electrical equipment should be installed, operated, serviced, and maintained only by qualified
personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of
the use of this material.
A qualified person is one who has skills and knowledge related to the construction and operation
of electrical equipment and its installation, and has received safety training to recognize and avoid
the hazards involved.

QUALIFICATION OF PERSONNEL
Only appropriately trained persons who are familiar with and understand the contents of this
manual and all other pertinent product documentation as well as all documentation of all
components and equipment of the machine/process are authorized to work on and with this
product.
The qualified person must be a certified expert in safety engineering.
The qualified person must be able to detect possible hazards that may arise from parameterization,
modifying configurations, settings, and wiring, and generally from mechanical, electrical, or
electronic equipment. The qualified person must be able to understand the effects that
modifications to configurations, settings, and wiring may have on the safety of the
machine/process.
The qualified person must be familiar with and understand the contents of the risk assessment as
per ISO 12100-1 and/or any other equivalent assessment as well as all documents related to such
risk assessment or equivalent assessments for the machine/process.
The qualified person must be familiar with the standards, provisions, and regulations for the
prevention of industrial accidents, which they must observe when designing, implementing, and
maintaining the machine/process.
The qualified person must be thoroughly familiar with the safety-related applications and the non-
safety-related applications used to operate the machine/process.

INTENDED USE
This product described in the present document is a safety module intended to perform safety-
related functions in a machine/process according to the present document, to the specified related
documents, and to all other documentation of the components and equipment of the
machine/process.
The product may only be used in compliance with all applicable safety regulations and directives,
the specified requirements and the technical data.
Prior to using the product, you must perform a risk assessment as per ISO 12100-1 in view of the
planned application. Based on the results of the risk assessment, the appropriate safety-related
measures must be implemented.
Since the product is used as a component in an overall machine or process, you must ensure the
safety of persons by means of the design of this overall machine or process.

6 EIO0000003443 06/2019
 Operate the product only with the specified cables and accessories. Use only genuine accessories.
Any use other than the use explicitly permitted is prohibited and can result in hazards.

EIO0000003443 06/2019 7
8 EIO0000003443 06/2019
 About the Book

At a Glance

Document Scope
This manual describes technical characteristics, installation, commissioning, operation and
maintenance of the safety module XPSUAT.

Validity Note
The present document is valid for the products listed in the type code (see page 19).
For product compliance and environmental information (RoHS, REACH, PEP, EOLI, etc.), go to
www.schneider-electric.com/green-premium.
The technical characteristics of the devices described in the present document also appear online.
To access the information online:

Step Action
1 Go to the Schneider Electric home page www.schneider-electric.com.
2 In the Search box type the reference of a product or the name of a product range.
 Do not include blank spaces in the reference or product range.
 To get information on grouping similar modules, use asterisks (*).

3 If you entered a reference, go to the Product Datasheets search results and click on the
reference that interests you.
If you entered the name of a product range, go to the Product Ranges search results and click
on the product range that interests you.
4 If more than one reference appears in the Products search results, click on the reference that
interests you.
5 Depending on the size of your screen, you may need to scroll down to see the datasheet.
6 To save or print a datasheet as a .pdf file, click Download XXX product datasheet.

The characteristics that are presented in the present document should be the same as those
characteristics that appear online. In line with our policy of constant improvement, we may revise
content over time to improve clarity and accuracy. If you see a difference between the document
and online information, use the online information as your reference.

EIO0000003443 06/2019 9
Related Documents

Title of documentation Reference number

Preventa XPSUAT User Guide EIO0000003443 (ENG)
EIO0000003444 (FRE)
EIO0000003445 (GER)
EIO0000003446 (ITA)
EIO0000003447 (SPA)
EIO0000003450 (CHS)
Preventa XPSUAT Instruction Sheet PHA71829 (ENG, FRE, GER,
ITA, SPA, CHS)
Preventa XPSUAT Instruction Sheet PHA71837 (ENG, JAP, KOR,
POR, RUS, TUR)
Preventa XPSUEP User Guide EIO0000003509 (ENG)
EIO0000003510 (FRE)
EIO0000003511 (GER)
EIO0000003512 (ITA)
EIO0000003513 (SPA)
EIO0000003516 (CHS)
Preventa XPSUEP Instruction Sheet PHA71854 (ENG, FRE, GER,
ITA, SPA, CHS)
Preventa XPSUEP Instruction Sheet PHA71855 (ENG, JAP, KOR,
POR, RUS, TUR)
PreventaSupport Library Guide EIO0000003835 (ENG)

You can download these technical publications and other technical information from our website
at www.schneider-electric.com/en/download.

Product Related Information

DANGER
HAZARD OF ELECTRIC SHOCK, EXPLOSION OR ARC FLASH
 Disconnect all power from all equipment including connected devices prior to removing any
covers or doors, or installing or removing any accessories, hardware, cables, or wires except
under the specific conditions specified in the appropriate hardware guide for this equipment.
 Always use a properly rated voltage sensing device to confirm the power is off where and when
indicated.
 Where 24 Vdc or Vac is indicated, use PELV power supplies conforming to IEC 60204-1.
 Replace and secure all covers, accessories, hardware, cables, and wires and confirm that a
proper ground connection exists before applying power to this equipment.
 Use only the specified voltage when operating this equipment and any associated products.
Failure to follow these instructions will result in death or serious injury.

10 EIO0000003443 06/2019
 This equipment has been designed to operate outside of any hazardous location. Only install this
equipment in zones known to be free of a hazardous atmosphere.

DANGER
POTENTIAL FOR EXPLOSION
Install and use this equipment in non-hazardous locations only.
Failure to follow these instructions will result in death or serious injury.

WARNING
LOSS OF CONTROL
 The designer of any control scheme must consider the potential failure modes of control paths
and, for certain critical control functions, provide a means to achieve a safe state during and
after a path failure. Examples of critical control functions are emergency stop and overtravel
stop, power outage and restart.
 Separate or redundant control paths must be provided for critical control functions.
 System control paths may include communication links. Consideration must be given to the
implications of unanticipated transmission delays or failures of the link.
 Observe all accident prevention regulations and local safety guidelines.1
 Each implementation of this equipment must be individually and thoroughly tested for proper
operation before being placed into service.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

1
For additional information, refer to NEMA ICS 1.1 (latest edition), "Safety Guidelines for the
Application, Installation, and Maintenance of Solid State Control" and to NEMA ICS 7.1 (latest
edition), "Safety Standards for Construction and Guide for Selection, Installation and Operation of
Adjustable-Speed Drive Systems" or their equivalent governing your particular location.

EIO0000003443 06/2019 11
 WARNING
INSUFFICIENT AND/OR INEFFECTIVE SAFETY-RELATED FUNCTIONS
 Verify that a risk assessment as per ISO 12100 and/or other equivalent assessment has been
performed before this product is used.
 Before performing any type of work on or with this product, fully read and understand all
pertinent manuals.
 Verify that modifications do not compromise or reduce the Safety Integrity Level (SIL),
Performance Level (PL) and/or any other safety-related requirements and capabilities defined
for your machine/process.
 After modifications of any type whatsoever, restart the machine/process and verify the correct
operation and effectiveness of all functions by performing comprehensive tests for all
operating states, the defined safe state, and all potential error situations.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Terminology Derived from Standards

The technical terms, terminology, symbols and the corresponding descriptions in this manual, or
that appear in or on the products themselves, are generally derived from the terms or definitions
of international standards.
In the area of functional safety systems, drives and general automation, this may include, but is not
limited to, terms such as safety, safety function, safe state, fault, fault reset, malfunction, failure,
error, error message, dangerous, etc.
Among others, these standards include:

Standard Description
IEC 61131-2:2007 Programmable controllers, part 2: Equipment requirements and tests.
ISO 13849-1:2015 Safety of machinery: Safety related parts of control systems.
General principles for design.
EN 61496-1:2013 Safety of machinery: Electro-sensitive protective equipment.
Part 1: General requirements and tests.
ISO 12100:2010 Safety of machinery - General principles for design - Risk assessment and risk
reduction
EN 60204-1:2006 Safety of machinery - Electrical equipment of machines - Part 1: General
requirements
ISO 14119:2013 Safety of machinery - Interlocking devices associated with guards - Principles
for design and selection
ISO 13850:2015 Safety of machinery - Emergency stop - Principles for design
IEC 62061:2015 Safety of machinery - Functional safety of safety-related electrical, electronic,
and electronic programmable control systems

12 EIO0000003443 06/2019
 Standard Description
IEC 61508-1:2010 Functional safety of electrical/electronic/programmable electronic safety-
related systems: General requirements.
IEC 61508-2:2010 Functional safety of electrical/electronic/programmable electronic safety-
related systems: Requirements for electrical/electronic/programmable
electronic safety-related systems.
IEC 61508-3:2010 Functional safety of electrical/electronic/programmable electronic safety-
related systems: Software requirements.
IEC 61784-3:2016 Industrial communication networks - Profiles - Part 3: Functional safety
fieldbuses - General rules and profile definitions.
2006/42/EC Machinery Directive
2014/30/EU Electromagnetic Compatibility Directive
2014/35/EU Low Voltage Directive

In addition, terms used in the present document may tangentially be used as they are derived from
other standards such as:

Standard Description
IEC 60034 series Rotating electrical machines
IEC 61800 series Adjustable speed electrical power drive systems
IEC 61158 series Digital data communications for measurement and control – Fieldbus for use in
industrial control systems

Finally, the term zone of operation may be used in conjunction with the description of specific
hazards, and is defined as it is for a hazard zone or danger zone in the Machinery Directive
(2006/42/EC) and ISO 12100:2010.

EIO0000003443 06/2019 13
14 EIO0000003443 06/2019
 Preventa XPSUAT
Introduction
EIO0000003443 06/2019

Chapter 1
Introduction

Introduction

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Device Overview 16
Front View and Side View 17
Nameplate 18
Type Code 19

EIO0000003443 06/2019 15
Introduction

Device Overview

Outline
The device is a safety module for interruption of safety-related electrical circuits.
The device provides application functions used to monitor signals from different types of
sensors/devices.
Equipment with the following types of outputs can be connected to the safety-related inputs of the
device:
 NO, NC, C/O, for example, Emergency Stop push-buttons, guard door switches, coded
magnetic switches
 PNP, NPN transistors, for example, magnetic switches, proximity switches
 OSSD, for example, light curtains

The device is available in four different types: either spring terminals or screw terminals and either
24 Vac/Vdc supply voltage or 48 … 240 Vac/Vdc supply voltage.
Feature summary:
 10 application functions
 Configurable start function
 3 safety-related inputs
 7 safety-related relay outputs
 2 non-safety-related status/diagnostics outputs
 1 non-safety-related start input with 8 selectable start functions
 Connector for connection of extension module XPSUEP to increase the number of safety-
related outputs by 6

16 EIO0000003443 06/2019
 Introduction

Front View and Side View

Front View and Side View

1 Removable terminal blocks, top

2 Removable terminal blocks, bottom
3 LED indicators
4 Start function selector
5 Function selector
6 Delay factor selector
7 Delay base selector
8 Connector for optional output extension module XPSUEP (lateral)
9 Sealable transparent cover

EIO0000003443 06/2019 17
Introduction

Nameplate

Nameplate

The nameplate contains the following data:

1 Device type (refer to chapter Type Code (see page 19))
2 Nominal voltage
3 Frequency range Vac supply
4 Input power
5 Maximum current of safety-related outputs with utilization category AC15 (250 Vac)
6 Maximum current of safety-related outputs with utilization category DC13 (24 Vdc)
7 Maximum total thermal current
8 Maximum Safety Integrity Level (SIL) as per IEC 61508-1:2010
9 Maximum Performance Level and Category as per ISO 13849-1:2015
10 Maximum response time to request at safety-related input
11 Permissible ambient temperature range during operation
12 IP degree of protection
13 Serial number
14 Product version (PV), release (RL), software version (SV)
15 Plant code and date of manufacture (example: PP-2019-W10 means plant code PP, year of
manufacture 2019, week of manufacture 10)

18 EIO0000003443 06/2019
 Introduction

Type Code

Type Code

Item 1 2 3 4 5 6 7 8 9 10 11 12
Type code (example) X P S U A T 1 3 A 3 A C

Item Meaning
1 ... 4 Product range
XPSU = Preventa Universal
5 ... 6 Product version
AT
7 Supply voltage
1 = 24 Vac/Vdc
3 = 48 … 240 Vac/Vdc
8 ... 11 Number of safety-related outputs
3A3A = 3 normally open relay contacts, instantaneous, 3 normally open relay
contacts, delayed
12 Terminal type
C = Spring terminals, removable
P = Screw terminals, removable

If you have questions concerning the type code, contact your Schneider Electric service
representative.

EIO0000003443 06/2019 19
Introduction

20 EIO0000003443 06/2019
 Preventa XPSUAT
Technical Data
EIO0000003443 06/2019

Chapter 2
Technical Data

Technical Data

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Environmental Conditions 22
Mechanical Characteristics 24
Electrical Characteristics 26
Timing Data 29
Data Functional Safety 31

EIO0000003443 06/2019 21
Technical Data

Environmental Conditions

Environmental Conditions For Storage

The device complies with class 1K5 as per IEC 60721-3-1 (climatic conditions):

Characteristic Value
Ambient temperature -40 ... 70 °C (-40 ... 158 °F)
Rate of change of temperature 1 °C/min (1.8 °F/min)
Ambient humidity 10 ... 100 % relative humidity

The device complies with class 1M2 as per IEC 60721-3-1 (mechanical conditions):

Characteristic Value
Vibration, sinusoidal, displacement amplitude 1.5 mm
2 ... 9 Hz
Vibration, sinusoidal, acceleration amplitude 5 m/s2
9 ... 200 Hz
Shock, shock response spectrum type L, peak 40 m/s2
acceleration

Environmental Conditions For Transportation

The device complies with class 2K5H as per IEC 60721-3-2 (climatic conditions):

Characteristic Value
Ambient temperature -25 ... 85 °C (-13 ... 185 °F)
Change of temperature, air/air -25 ... 30 °C (-13 ... 86 °F)
Ambient humidity 5 ... 95 % relative humidity, no condensation

The device complies with class 2M2 as per IEC 60721-3-2 (mechanical conditions):

Characteristic Value
Vibration, sinusoidal, displacement amplitude 3.5 mm
2 ... 9 Hz
Vibration, sinusoidal, acceleration amplitude 10 m/s2
9 ... 200 Hz
Vibration, sinusoidal, acceleration amplitude 15 m/s2
200 ... 500 Hz
Shock, shock response spectrum type I, peak 100 m/s2
acceleration
Shock, shock response spectrum type II, peak 300 m/s2
acceleration

22 EIO0000003443 06/2019
 Technical Data

Environmental Conditions For Operation

Characteristic Value
Maximum installation altitude above mean sea level 2000 m (6562 ft)
Installation required in control cabinet/enclosure with IP54
degree of protection

The device complies with class 3K5 and special class 3Z11 as per IEC 60721-3-3 (climatic
conditions):

Characteristic Value
Ambient temperature -25 ... 55 °C (-13 ... 131 °F), no icing
Rate of change of temperature 0.5 °C/min (0.9 °F/min)
Ambient humidity 5 ... 95 % relative humidity, no condensation

The device complies with class 3M4 as per IEC 60721-3-3 (mechanical conditions):

Characteristic Value
Vibration, sinusoidal, displacement amplitude 3 mm
2 ... 9 Hz
Vibration, sinusoidal, acceleration amplitude 10 m/s2
9 ... 200 Hz
Shock, shock pulse shape: half-sine, peak 100 m/s2
acceleration

The devices complies with the following vibration and shock values as per IEC 60947-1:

Characteristic Value
Vibration, sinusoidal, displacement amplitude 1 mm
2 ... 13 Hz
Vibration, sinusoidal, acceleration amplitude 7 m/s2
13.2 ... 100 Hz
Shock, shock pulse shape: half-sine, peak 150 m/s2
acceleration

EIO0000003443 06/2019 23
Technical Data

Mechanical Characteristics

Dimensions

Characteristic Value
XPSUAT•••••C XPSUAT•••••P
Width 45 mm (1.77 in)
Height without terminals 99 mm (3.90 in)
Height with terminals 119 mm (4.70 in) 109 mm (4.30 in)
Depth 117 mm (4.61 in)

Weight

Characteristic Value
Weight 0.35 kg (0.77 lbs)

Degree Of Protection

Characteristic Value
Housing IP40
Terminals IP20

24 EIO0000003443 06/2019
 Technical Data

Wire Cross Sections, Stripping Lengths, and Tightening Torques

Characteristic
Stripping length for spring terminals
Stripping length for screw terminals
(1)
Wire cross section, single wire without wire ferrule
Wire cross section, single wire with wire ferrule
Wire cross section, two wires without wire ferrule(1)
Wire cross section, two wires with uninsulated wire
ferrule
Wire cross section, two wires with insulated wire
ferrule
Tightening torque for screw terminals
(1) Stranded or solid
Value
12 mm (0.47 in)
7 ... 8 mm (0.28 ... 0.31 in)
0.2 ... 2.5 mm2 (AWG 24 ... 12)
0.25 ... 2.5 mm2 (AWG 24 ... 12)
0.2 ... 1.5 mm2 (AWG 24 ... 16)
0.25 ... 1 mm2 (AWG 24 ... 18)
0.5 ... 1.5 mm2 (AWG 20 ... 16)
0.5 ... 0.6 N m (4.4 ... 5.3 lb in)

EIO0000003443 06/2019 25
Technical Data

Electrical Characteristics

Supply

Characteristic Value
XPSUAT1••••• XPSUAT3•••••
Supply voltage AC 24 Vac (-15 ... 10 %) 48 ... 240 Vac (-10 ... 10 %)
Supply voltage DC 24 Vdc (-20 ... 20 %) 48 ... 240 Vdc (-10 ... 10 %)
Nominal input power AC 6.5 VA (24 Vac) 10 VA (240 Vac)
Nominal input power DC 3 W (24 Vdc) 4 W (48 Vdc)
Frequency range AC 50 ... 60 Hz
Overvoltage category II
Pollution degree 2
Insulation voltage 300 V
Impulse withstand voltage 4 kV

Electromagnetic Compatibility (EMC)

Characteristic Value
XPSUAT1••••• XPSUAT3•••••
Conducted and radiated emissions as per IEC CISPR 11 Group 1/class B Group 1/class A
Usage in environment as per IEC/UL 60947-1 Environment B Environment A

Common Reference Potential

Terminal B2 is provided to obtain a common reference potential for 24 Vdc signals.

Safety-Related Inputs

Characteristic Value
Number of inputs, positive supplied (each with 1 control 2
output DC+ (S11, S21) and 1 input CH+ (S12, S22)),
single-channel
Number of inputs, negative supplied (1 control output DC- 1
(S31) and 1 input CH- (S32)), single-channel
Output voltage at DC+ >15 Vdc
Output voltage at DC- <2 Vdc
Input voltage at CH+ 0 ... 24 Vdc (+20 %)
Switching voltage for activation of CH+ >15 Vdc

26 EIO0000003443 06/2019
 Technical Data

Characteristic Value
Switching voltage for deactivation of CH+ <5 Vdc
Input voltage at CH- 0 ... 24 Vdc (+20 %)
Switching voltage for activation of CH- <2 Vdc
Switching voltage for deactivation of CH- >24 Vdc -5 V
Input current 5 mA
Maximum wire resistance 60 Ω

Start Input

Characteristic Value
Output voltage at DC+ >15 Vdc
Input voltage at CH+ 0 ... 24 Vdc (+20 %)
Switching voltage activate CH+ >15 Vdc
Switching voltage deactivate CH+ <5 Vdc
Input current 5 mA
Maximum wire resistance 60 Ω

Classification of Safety-Related Inputs and Start Input as per ZVEI CB241

Representation and values as per identifying key, ZVEI CB241:

Source/sink Interface type Additional measure Source/sink Interface type

Sink: A M Source: C0

Interface type A: Sink

Parameter Minimum value Maximum value
Input current Ii (in the ON state) 3 mA 5 mA
Output voltage Ui 15 V 24 V (+20 %)
Additional measure M The inputs are not types as per >15 Vdc
IEC 61131-2.
TE is S•1 for S•2
TE is Y1 for Y2

Refer to Dynamization of Safety-Related Inputs and Start Input (see page 30) for test pulse times.

EIO0000003443 06/2019 27
Technical Data

Safety-Related Outputs

Characteristic Value
Number of relay contacts, Normally Open, instantaneous 3
Number of relay contacts, Normally Open, delayed 3
Number of relay contacts, Normally Closed, delayed 1
Maximum short circuit current IK 1 kA
Maximum continuous current, Normally Open relay 6A
contacts
Maximum continuous current, Normally Closed relay 3A
contacts
Maximum total thermal current ∑ITHERM 16 A
Minimum current 10 mA
Utilization category as per UL 60947-5-1 B300 and R300 for Normally Open contacts
D300 and R300 for Normally Closed contacts
Utilization category as per IEC 60947-4-1 and IEC 60947- AC1: 250 V
5-1) AC15: 250 V
DC1: 24 V
DC13: 24 V
Maximum current, normally open relay contacts AC1: 5 A
AC15: 3 A
DC1: 5 A
DC13: 3 A
Maximum current, normally closed relay contacts AC1: 3 A
AC15: 1 A
DC1: 3 A
DC13: 1 A
External fusing 10 A, category gG, for Normally Open
4 A, category gG, for Normally Closed

Additional Non-Safety-Related Outputs

Characteristic Value
Number of semiconductor pulsed outputs 1
Number of semiconductor binary status outputs 1
Output voltage 24 Vdc
Maximum current 20 mA

28 EIO0000003443 06/2019
 Technical Data

Timing Data

Maximum Response Times

Characteristic Value
XPSUAT1••••• XPSUAT3•••••
Maximum response time to request at safety-related input 20 ms
Maximum response time after power outage AC 200 ms 100 ms
Maximum response time after power outage DC 140 ms 100 ms

Recovery Time

Characteristic Value
Recovery time after request at safety-related input 200 ms

Switch-On and Activation Delays

Characteristic Value
Switch on delay after power on and automatic start 2500 ms
Delay after activation of safety-related input or valid start 100 ms
condition

Monitored Start

Characteristic Value
Waiting time 2500 ms
Minimum duration of start pulse for monitored start 80 ms

Delay Times for Delay Function of Safety-Related Outputs

Characteristic Value
Possible values 0 s, 0.1 s, 0.2 s, 0.3 s, 0.4 s, 0.5 s, 0.6 s, 0.7 s, 0.8 s,
0.9 s, 1 s, 2 s, 3 s, 4 s, 5 s, 6 s, 7 s, 8 s, 9 s, 10 s, 20 s,
30 s, 40 s, 50 s, 60 s, 70 s, 80 s, 90 s, 100 s, 200 s, 300 s,
400 s, 500 s, 600 s, 700 s, 800 s, 900 s

EIO0000003443 06/2019 29
Technical Data

Dynamization of Safety-Related Inputs and Start Input

Characteristic Value
Test pulse duration (safety-related input must be activated 2 ms
for longer than duration of test pulse)
Test pulse interval 500 ms
Maximum delay of test pulse 40 ms
Test pulse phase shift At least 70 ms

Debounce Time of Safety-Related Inputs

Characteristic Value
Debounce time, standard 2.5 ms
Debounce time, with OSSD 4 ms

Signal Interlock Monitoring Time

Characteristic Value
Signal interlock monitoring time 200 ms

Synchronization Times
The synchronization times for the synchronization of safety-related inputs depend on the
application function (see page 60).

30 EIO0000003443 06/2019
 Technical Data

Data Functional Safety

Data Functional Safety

Characteristic Value
XPSUAT1••••• XPSUAT3•••••
Defined safe state Safety-related outputs are de-energized
Normally Open: open
Normally Closed: closed
Maximum Performance Level (PL), Category Normally Open: PL e, Category 4
(as per ISO 13849-1:2015) Normally Closed: PL c, Category 1
Actual PL and category depend on wiring and
configuration.
Maximum Safety Integrity Level (SIL) Normally Open: 3
(as per IEC 61508-1:2010) Normally Closed: 1
Actual SIL depends on wiring and configuration.
Safety Integrity Level Claim Limit (SILCL) Normally Open: 3
(as per IEC 62061:2005+AMD1:2012+AMD2:2015) Normally Closed: 1
Actual SILCL depends on wiring and configuration.
Type B
(as per IEC 61508-2)
Hardware Fault Tolerance (HFT) 1
(as per IEC 61508 and IEC 62061)
Stop Category for Emergency Stops 0 or 1
(as per ISO 13850 and IEC 60204-1)
Lifetime in years at an ambient temperature of 55 °C 20
(131 °F)
Safe Failure Fraction (SFF) >99 %
(as per IEC 61508 and IEC 62061)
Probability of Dangerous Failure per hour (PFHD) in 1/h 0.94 x 10-9 for Safe Stop 0 1.47 x 10-9 for Safe Stop 0
(as per IEC 61508 and ISO 13849-1) 0.95 x 10-9 for Safe Stop 1 1.48 x 10-9 for Safe Stop 1
Mean Time To Dangerous Failure (MTTFd) in years >30
(high as per ISO 13849-1)
Average Diagnostic Coverage (DCavg) ≥99 %
(high as per ISO 13849-1)

EIO0000003443 06/2019 31
Technical Data

Characteristic Value
XPSUAT1••••• XPSUAT3•••••
Maximum number of cycles over lifetime DC13, 24 Vdc 1 A: 1200000 with Safe Stop 0
DC13, 24 Vdc 1 A: 1200000 with Safe Stop 1
DC13, 24 Vdc 3 A: 180000 with Safe Stop 0
DC13, 24 Vdc 3 A: 275000 with Safe Stop 1
AC1, 250 Vac 4 A: 180000 with Safe Stop 0
AC1, 250 Vac 4 A: 90000 with Safe Stop 1
AC15, 250 Vac 1 A: 70000 with Safe Stop 0
AC15, 250 Vac 1 A: 90000 with Safe Stop 1
AC15, 250 Vac 5 A: 28000 with Safe Stop 0
AC15, 250 Vac 5 A: 50000 with Safe Stop 1

Electrical durability of the safety-related output relay contacts (instantaneous) as per IEC 60947-5-1

1 Operating cycles
2 Rated current in A

32 EIO0000003443 06/2019
 Technical Data

Electrical durability of the safety-related output relay contacts (instantaneous) as per IEC 60947-5-1

1 Operating cycles
2 Rated current in A

EIO0000003443 06/2019 33
Technical Data

Electrical durability of the safety-related output relay contacts (delayed) as per IEC 60947-5-1

1 Operating cycles
2 Rated current in A

Refer to chapter Timing Data (see page 29) for additional technical data that may affect your
functional safety calculations.

34 EIO0000003443 06/2019
 Preventa XPSUAT
Engineering
EIO0000003443 06/2019

Chapter 3
Engineering

Engineering

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Electromagnetic Compatibility (EMC) 36
Basic Principles of Operation 37
Safety-Related Inputs 42
Synchronization of Safety-Related Inputs 44
Dynamization 45
Signal Interlock Monitoring 47

EIO0000003443 06/2019 35
Engineering

Electromagnetic Compatibility (EMC)

Conducted and Radiated Electromagnetic Emissions

Equipment of class A as per IEC CISPR 11 is not intended for use in residential environments and
may not provide adequate protection to radio reception in such environments.

WARNING
INSUFFICIENT ELECTROMAGNETIC COMPATIBILITY
 Verify compliance with all EMC regulations and requirements applicable in the country in
which the device is to be operated and with all EMC regulations and requirements applicable
at the installation site.
 Do not install and operate devices of class A as per IEC CISPR 11 in residential environments.
 Implement all required radio interference suppression measures and verify their effectiveness.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

According to IEC CISPR 11, device type XPSUAT1••••• is a group 1, class B device. Class B as
per IEC CISPR 11 corresponds to environment B as per IEC 60947-1.
According to IEC CISPR 11, device type XPSUAT3••••• is a group 1, class A device. Class A as
per IEC CISPR 11 corresponds to environment A as per IEC 60947-1.

36 EIO0000003443 06/2019
 Engineering

Basic Principles of Operation

Introduction
The following sections provide basic information on the principles of operation of the device to
assist you in engineering your application function.

Operating States
The following graphic illustrates the operating states and state transitions of the device:

Operating state Description In defined

safe state
Off / Configuration Configuration only possible in this operating state Yes
Initialization Self-tests Yes
Run: Outputs Deenergized Regular operation with safety-related function active Yes
Run: Outputs Energized Regular operation with safety-related function not active No
Error Error detected Yes

EIO0000003443 06/2019 37
Engineering

NOTE: See the chapter Data Functional Safety (see page 31) for the defined safe state of the
device.

State Transitions

State transition Condition

T1  Power on

T2  Initialization successful
 Switch on delay has passed

T3  Start condition fulfilled (for example, automatic start or manual start with start
button pressed)
 Safety-related inputs activated
 For application functions with signal interlock monitoring: no signal interlock
condition
 For application functions with synchronization: synchronization time
requirements met
T4  Safety-related inputs deactivated (corresponds to triggering of the safety-
related function)
T5  Error detected on

T6  Power off

NOTE: Refer to the Activation and Deactivation (see page 42) for details on the use of the terms
“activated” and “deactivated” in the present document.

Example with Emergency Stop

The following example uses a machine with an Emergency Stop pushbutton, a start pushbutton for
manual start, and a motor to demonstrate the individual operating states and state transitions. The
selected application function is Monitoring of Emergency Stop Circuits. The selected start function
is Manual Start. The example assumes that the equipment is properly wired and configured.
 After the device is powered on, it enters the operating state Initialization (T1).
 If the initialization is successful, the device enters the operating state Run: Outputs Deenergized
(T2).
If an error is detected, the device transitions to the operating state Error (T5).
 On entering the operating state Run: Outputs Deenergized, the device verifies the state of the
safety-related inputs and of the start input. The motor is at a standstill.
 If the start pushbutton is not pressed, the start input stays deactivated and the device remains
in the operating state Run: Outputs Deenergized. The motor is at a standstill.
Detailed information on the start functions and the timing can be found in the chapter Start
Functions (see page 73).
 If the start pushbutton is pressed, the start input is activated, i.e. the start condition is fulfilled.
The state of the safety-related inputs determines whether the device transitions to the operating
state Run: Outputs Energized.

38 EIO0000003443 06/2019
 Engineering

 If the safety-related inputs are not activated (actuator of Emergency Stop pushbutton pushed
down), the device remains in the operating state Run: Outputs Deenergized. The motor remains
at a standstill.
If the safety-related inputs are activated (actuator of Emergency Stop pushbutton pulled out),
the device transitions to the operating state Run: Outputs Energized (T3). The motor runs. This
operating corresponds to regular operation of the machine.
If an application function with synchronization (see page 44) of the safety-related inputs is used,
this transition only occurs if the safety-related inputs are activated within the synchronization
time.
 In the operating state Run: Outputs Energized, the device monitors the state of the safety-
related inputs.
If the actuator of the Emergency Stop pushbutton is pushed down (safety-related inputs
deactivated), the safety-related outputs are deactivated within the response time (transition T4
to operating state Run: Outputs Deenergized). The device is again in the defined safe state. The
motor is stopped.
This corresponds to the Emergency Stop condition of the machine.
 To return to the operating state Run: Outputs Energized (T3), the start input and the safety-
related inputs need to be activated again (start button pressed and actuator of the Emergency
Stop pushbutton pulled out).
If an application function with signal interlock monitoring (see page 47) is used, this transition
only occurs if there is no signal interlock condition.
If an application function with synchronization (see page 44) of the safety-related inputs is used,
this transition only occurs if the safety-related inputs are activated within the synchronization
time.

EIO0000003443 06/2019 39
Engineering

Timing Diagram for Example with Emergency Stop

The following timing diagram provides an overview of the example with Emergency Stop.

Legend

Item Description
1  The first safety-related input (A) is activated (actuator of Emergency Stop button pulled out).
 The device remains in the defined safe state.

2  The second safety-related input (B) is activated (second output contact of Emergency Stop
button).
 If an application function with synchronization (see page 44) is used, the first safety-related
output (A) is only activated if the second safety-related input (B) is activated within the
synchronization time.
 The start button has not yet been pressed so the start condition is not yet fulfilled and the
device remains in the defined safe state.
3  The start button is pressed.
 The start condition is fulfilled. See the chapter Start Functions (see page 73) for detailed
information on the start functions.
 The safety-related output is activated within the activation delay time (see page 29).
 If an application function with synchronization (see page 44) of two input channels is used,
the safety-related output is only activated if the two channels of the safety-related input have
been activated within the synchronization time.
 The motor runs. The device is not in the defined safe state.

4  The start button is released.

40 EIO0000003443 06/2019
 Engineering

Item Description
5  The safety-related input B is deactivated (actuator of Emergency Stop button pushed).
 The safety-related output is deactivated within the response time (see page 29).
 The Emergency Stop is triggered. The device is in the defined safe state.

6  The safety-related input A is deactivated (by second output contact of Emergency Stop
button).
 If an application function with signal interlock monitoring(see page 47) is used, both safety-
related inputs must be deactivated within the signal interlock monitoring time (between (5)
and (6)).

EIO0000003443 06/2019 41
Engineering

Safety-Related Inputs

Overview

WARNING
INSUFFICIENT AND/OR INEFFECTIVE SAFETY-RELATED FUNCTIONS
Only connect a sensor/device to a safety-related input that meets all requirements as per your
risk assessment and that complies with all regulations, standards, and process definitions
applicable to your machine/process.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

The following sections provide basic information on the safety-related inputs such as principle of
activation and deactivation as well as antivalent behavior. Refer to the chapters Electrical
Characteristics (see page 26) and Electrical Installation (see page 55) for more details on the
safety-related inputs.

General Information on Activation and Deactivation of Safety-Related Inputs

In the present document, “activation” of a safety-related input means that a safety-related input
changes its state so that the device can enter the operating state Run: Outputs Energized.
The term “deactivation” of a safety-related input means that a safety-related input changes its state
so that the device enters the operating state Run: Outputs Deenergized.
See Operating States (see page 37) for details on the state machine of the device.

Activation and Deactivation with Antivalent Behavior Between Two Safety-Related Inputs with One Input
Channel Each
Depending on the selected application function, the safety-related inputs are configured for
antivalent behavior. Antivalent is defined here as a normally open and a normally closed contacts
working in synchronization.
For example, for application function 3 (see page 65), the signal for input channel S12 is provided
by a normally open contact, whereas the signal for input channel S22 is provided by a normally
closed contact.

42 EIO0000003443 06/2019
 Engineering

Two safety-related inputs with one input channel each with antivalent behavior (magnetic switch
with NO at S12 and NC at S22):

If the level at terminal S12 is logically 0 and the level at terminal S22 is logically 1, the safety-related
input is activated,.
Timing diagram for two safety-related inputs with one input channel each with antivalent behavior:

1 = Activation, transition to operating state Run: Outputs Energized

2 = Deactivation, transition to operating state Run: Outputs Deenergized (defined safe state)

Truth table for two safety-related inputs with one input channel each with antivalent behavior:

Signal State Signal State Activation State and Operating State (see page 37)
at S12 at S22
0 1 Safety-related input channel activated, operating state Run: Outputs
Energized
1 0 Safety-related input channel deactivated, operating state Run: Outputs
Deenergized

Identical signal states are only permissible within the synchronization time (see page 44).
Otherwise, identical signal states trigger an alert.
The truth table applies to the wiring diagrams presented for the application functions.
If the magnetic switch in the wiring example above is used for guard monitoring, this means that
the magnetic switch is presented in the activated state and the guard is closed.
Consult the manual of the sensor/device you want to use for your application function for details
on signal state required for activation and deactivation as defined in the present document.

EIO0000003443 06/2019 43
Engineering

Synchronization of Safety-Related Inputs

Overview
The device can monitor synchronized behavior of the input channels of the safety-related inputs
using various synchronization mechanisms with different synchronization times. If the
synchronized input channels of the safety-related inputs are not activated within the synchroni-
zation time, the safety-related output or outputs are not activated.
The synchronized terminals of the safety-related inputs and the corresponding synchronization
times are also listed for each individual application function (see page 60) using synchronization,
including information on the sequences in which the synchronized input channels are activated, if
applicable.
Refer to the chapter Safety-Related Inputs (see page 42) for additional information on the use of
the term “activation” in the present document.

44 EIO0000003443 06/2019
 Engineering

Dynamization

Dynamization of Inputs
Dynamization is used for cross circuit detection between two safety-related inputs or between one
safety-related input and the Start input or a cross-circuit to an external power supply unit or to
ground. Dynamization is implemented by means of periodically generated test pulses at the control
outputs of the safety-related inputs S•1 and of the start input Y1.
Whether dynamization of the safety-related inputs is used depends on the selected application
function (see page 59).
The following diagram illustrates the dynamization principle and timing:

The same logic applies to Y1 and Y2.

EIO0000003443 06/2019 45
Engineering

Designation Value Explanation

TDDUR 2 ms Duration of the test pulse. The duration of the test pulse is the
time between the start of the test pulse and the end of the test
pulse.
TDINT 500 ms Interval between test pulses. This interval is the time between the
start of a test pulse and the start of the next test pulse at the same
control output.
TDDEL 40 ms Maximum delay of test pulse. This delay is the maximum time
between the start of the test pulse at the control output and the
associated input channel, that is, the maximum time during which
the input expects to “see” dynamization.
TDPSHL At least 70 ms Phase shift of test pulses. This time is the phase shift between
the test pulses at the control outputs of the safety-related inputs.

46 EIO0000003443 06/2019
 Engineering

Signal Interlock Monitoring

Overview
Signal interlock is a monitoring function used to detect conditions in which one of the
sensors/devices cannot provide the expected input signal for the device, for example, as a result
of contact welding.
The device expects “simultaneous” deactivation of the two safety-related inputs within the signal
interlock monitoring time of 200 ms.
If the two monitored safety-related inputs are not deactivated within 200 ms, this is a signal
interlock condition and the device triggers a signal interlock alert. The device remains in the defined
safe state, i.e., there is no transition from operating state Run: Outputs Deenergized to operating
state Run: Outputs Energized (T3).
To exit the signal interlock condition, the two affected safety-related inputs must be deactivated for
at least one second. After that, the safety-related inputs can be activated again which activates the
safety-related outputs as well.
Signal interlock is available for certain of the application functions (see page 60) the device
provides.

Examples
The following figure illustrates a condition without signal interlock:

Both safety-related inputs are deactivated within the signal interlock monitoring time of 200 ms.
When they are activated again, the safety-related outputs are also activated.

EIO0000003443 06/2019 47
Engineering

The following figure illustrates a condition with signal interlock:

The first safety-related input is deactivated which starts the signal interlock monitoring time of
200 ms. It is then activated again before the second safety-related input is deactivated. This
immediately triggers a signal interlock alert even though the 200 ms have not yet elapsed.
The following figure illustrates a condition with signal interlock:

The first safety-related input is deactivated which starts the signal interlock monitoring time of
200 ms. The second safety-related remains activated longer than 200 ms. This triggers a signal
interlock alert 200 ms after interlock monitoring has started.

48 EIO0000003443 06/2019
 Preventa XPSUAT
Installation
EIO0000003443 06/2019

Chapter 4
Installation

Installation

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Prerequisites and Requirements 50
Mechanical Installation 51
Electrical Installation 53

EIO0000003443 06/2019 49
Installation

Prerequisites and Requirements

Inspecting the Device

Damaged products may cause electric shock or unintended equipment operation.

DANGER
ELECTRIC SHOCK OR UNINTENDED EQUIPMENT OPERATION
 Do not use damaged products.
 Keep foreign objects (such as chips, screws or wire clippings) from getting into the product.
Failure to follow these instructions will result in death or serious injury.

Verify the product type by means of the type code (see page 19) and the data printed on the
device.

Control Cabinet/Enclosure
Install the device in a control cabinet or enclosure with degree of protection IP54 that is secured
by a keyed or tooled locking mechanism.
The ventilation of the control cabinet/enclosure must be sufficient to comply with the specified
ambient conditions for the device and the other components operated in the control
cabinet/enclosure.

Label on Extension Module Connector

The connector for connection of the extension module XPSUEP is covered by a label. Do not
remove the label from the connector unless you want to connect the extension module XPSUEP.

NOTICE
INOPERABLE EQUIPMENT
Do not remove the protective label from the extension connector unless you are immediately
attaching an extension module.
Failure to follow these instructions can result in equipment damage.

50 EIO0000003443 06/2019
 Installation

Mechanical Installation

Mounting to DIN Rail

The device can be mounted to the following DIN rails as per IEC 60715:
 35 x 15 mm (1.38 x 0.59 in)
 35 x 7.5 mm (1.38 x 0.29 in)

Mounting procedure (left illustration)

Step Action
1 Slightly tilt the device and hook it onto the DIN rail.
2 Push the lower part of the device towards the DIN rail.
3 Snap in the DIN rail clip.

Dismounting procedure (center illustration)

Step Action
1 Unlock the DIN rail clip using a screwdriver.
2 Pull the lower part of the device away from the DIN rail and lift the device towards the top to
remove it from the DIN rail.

EIO0000003443 06/2019 51
Installation

Screw-Mounting

Mounting procedure:

Step Action
1 Push the additional fastener into the grooves at the device.
2 Prepare the holes.
3 Screw the device to the mounting surface using the specified screws and a washer M4 as per
ISO 7093 for each screw.

52 EIO0000003443 06/2019
 Installation

Electrical Installation

General Information

DANGER
FIRE, ELECTRIC SHOCK OR ARC FLASH
 Disconnect all power from all equipment of your machine/process prior to electrical installation
of the device.
 Confirm the absence of power using a properly rated voltage sensing device.
 Place a "Do Not Turn On" or equivalent hazard label on all power switches and lock them in
the non-energized position.
Failure to follow these instructions will result in death or serious injury.

Wiring of the device depends on the safety-related function to be implemented. Before wiring the
device, engineer the safety-related function, perform a risk assessment with regard to your
machine/process, and determine the suitability of the device as well as the connected equipment.
Refer to the Schneider Electric Safety Chain Solutions at https://www.schneider-electric.com for
application-specific examples of wiring the device, including the safety-related outputs with
feedback and the start input with external start condition.
You can wire the device with the terminal blocks in the device or you can remove the terminal
blocks. For the latter, pull the terminal blocks out of the device, connect the individual terminals and
push the terminal blocks back into the device.
Use 75 °C (167 °F) copper conductors to wire the device.

Wire Cross Sections, Stripping Lengths, and Tightening Torques

Characteristic
Stripping length for spring terminals
Stripping length for screw terminals
(1)
Wire cross section, single wire without wire ferrule
Wire cross section, single wire with wire ferrule
Wire cross section, two wires without wire ferrule(1)
Wire cross section, two wires with uninsulated wire
ferrule
Wire cross section, two wires with insulated wire
ferrule
Tightening torque for screw terminals
(1) Stranded or solid
Value
12 mm (0.47 in)
7 ... 8 mm (0.28 ... 0.31 in)
0.2 ... 2.5 mm2 (AWG 24 ... 12)
0.25 ... 2.5 mm2 (AWG 24 ... 12)
0.2 ... 1.5 mm2 (AWG 24 ... 16)
0.25 ... 1 mm2 (AWG 24 ... 18)
0.5 ... 1.5 mm2 (AWG 20 ... 16)
0.5 ... 0.6 N m (4.4 ... 5.3 lb in)

EIO0000003443 06/2019 53
Installation

Block Diagram and Terminals

The following drawings present the block diagram and the terminals with their designations in the
removable terminal blocks.

Terminal Designation Explanation

A1, A2 Power supply
Y1 Control output (DC+) of start input
Y2 Input channel (CH+) of start input
S11, S21 Control outputs (DC+) of positive safety-related
inputs
S31 Control output (DC-) of negative safety-related input
S12, S22 Input channels (CH+) of positive safety-related inputs

54 EIO0000003443 06/2019
 Installation

Terminal Designation Explanation

S32 Input channel (CH-) of negative safety-related inputs
B2 Terminal for common reference potential for 24 Vdc
signals. The power supplies of the connected
equipment must have a common reference potential
to be connected to this terminal.
13, 14, 23, 24, 33, 34, 47, 48, 57, 58, 67, 68, 75, 76 Terminals of the safety-related outputs
Z1 Pulsed output for diagnostics (see page 91), not
safety-related
Z2 Solid state output, not safety-related
EXT Connector for output extension module XPSUEP
(1) Input can be used to cancel the delay function
(see page 79) for safety-related outputs.

Safety-Related Inputs

WARNING
INSUFFICIENT AND/OR INEFFECTIVE SAFETY-RELATED FUNCTIONS
Only connect a sensor/device to a safety-related input that meets all requirements as per your
risk assessment and that complies with all regulations, standards, and process definitions
applicable to your machine/process.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

The device provides two positive safety-related inputs. Each positive safety-related input consists
of one control output DC+ (terminals S11, S21) and one input channel CH+ (terminals S12, S22).
In addition, the device provides one negative safety-related input. The negative safety-related input
consists of one control output DC- (terminal S31) and one input channel CH- (terminal S32).
The control output of the positive safety-related inputs provides a nominal voltage of 24 Vdc to the
connected sensor/device. The control output of the negative safety-related input provides a
nominal voltage of 0 Vdc to the connected sensor/device. The control output is also used for
dynamization (see page 45).
The positive safety-related input switches to 24 Vdc (CH+ has 24 Vdc if activated). The negative
safety-related input switches to 0 Vdc/reference potential (CH- has 0 Vdc/reference potential if
activated).
The negative safety-related input S31-S32 or the positive safety-related input S21-S22 can be
used to cancel the delay function (see page 80) for the safety-related outputs, depending on the
selected application function.

EIO0000003443 06/2019 55
Installation

If you want to use the delay function for safety-related outputs, also connect the device which is to
provide the cancel signal to the terminals of the appropriate safety-related input S21-S22 or S31-
S32. Refer to the chapter Application Functions (see page 60) for information on which safety-
related input is to be connected for a given application function.
Respect the maximum wire resistance of 60 Ω when determining the cable length. The maximum
wire length between a safety-related input and a sensor/device is 30 m (98.43 ft) if the supply via
the control outputs (terminals S•1) of the safety-related inputs are not used.
Wire the terminals of the safety-related inputs according to the wiring diagram for the application
function (see page 60) to be implemented.

Safety-Related Outputs
The wiring of the safety-related outputs depends on the safety-related function to be implemented.
Install fuses with the rating specified in the chapter Electrical Characteristics (see page 28).

Start Input

WARNING
UNINTENDED EQUIPMENT OPERATION
 Do not use the Start function for safety-related purposes.
 Use Monitored Start or Startup Test if unintended restart is a hazard according to your risk
assessment.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

The start input consists of one control output DC+ (terminal Y1) and one input channel CH+
(terminal Y2).
The control output provides a nominal voltage of 24 Vdc to the connected sensor/device. It is also
used for dynamization (see page 45).
The wiring of the start input depends on the start function (see page 73) to be implemented.
For automatic start, bridge terminals Y1 and Y2 or connect terminal Y2 to an external 24 Vdc power
supply.
For manual start or monitored start and if the control output Y1 (DC+) is to be used:
 Connect terminals Y1 and Y2 to the device providing the start signal, such as a push-button.
For manual start or monitored start and if the device providing the start signal is supplied externally:
 Connect terminal Y2 to the device providing the start signal, such as a push-button or a logic
controller. Leave terminal Y1 unconnected.
The common reference potential is established via terminal B2.

56 EIO0000003443 06/2019
 Installation

Respect the maximum wire resistance of 60 Ω when determining the cable length. The maximum
wire length between the start input and a sensor/device is 30 m (98.43 ft) if the supply via the
control output (terminal Y1) of the start input is not used.

Additional, Non-Safety-Related Outputs Z1 and Z2

WARNING
INCORRECT USE OF OUTPUT
Do not use the additional outputs Z1 and Z2 for safety-related purposes.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Connect the semiconductor pulsed output Z1 to a suitable input of the logic controller if you want
to use the diagnostics pattern the output provides.
Connect the semiconductor binary status output Z2 to a suitable device for evaluation of the signal
provided via this output. Output Z2 is deactivated as long as the safety-related outputs are
activated or if an error is detected.
The maximum wire length between the additional outputs Z1 or Z2 and connected equipment is
30 m (98.43 ft)
The common reference potential is established via terminal B2.

Power Supply
Connect the terminals A1 and A2 to a power supply providing the supply voltage specified for the
device in the chapter Electrical Characteristics (see page 26).

Common Reference Potential

Terminal B2 is provided to obtain a common reference potential for 24 Vdc signals.
The power supplies of the connected equipment must have a common reference potential.

EIO0000003443 06/2019 57
Installation

58 EIO0000003443 06/2019
 Preventa XPSUAT
Functions
EIO0000003443 06/2019

Chapter 5
Functions

Functions

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Application Functions 60
Start Functions 73
Delay Function 79

EIO0000003443 06/2019 59
Functions

Application Functions

Introduction
The following sections provide an overview of the available application functions and a detailed
listing of requirements and values of each of the application functions. The chapter Configuration
(see page 84) describes the configuration procedure by means of the selectors of the device.

Overview of Application Functions

Typical applications Type of outputs of sensor/device Synchro Dynamiz Application

providing the input signal for nization ation Function
application function Selector
Monitoring of Emergency Stop Normally open, normally closed No Yes Position 1
circuits as per ISO 13850 and and/or changeover outputs (see page 62
IEC 60204-1, stop category 0 )
Monitoring of Emergency Stop
Yes Yes Position 2
circuits as per ISO 13850 and
(see page 63
IEC 60204-1, stop category 1
)
Monitoring of guards as per
ISO 14119/14120 with
electrical switches
Monitoring of guards as per Yes Yes Position 3
ISO 14119/14120 with (see page 65
electrical switches )
Monitoring of guards as per
ISO 14119/14120 with coded
magnetic switches
Monitoring of proximity
switches

Monitoring of proximity One PNP output No No Position 4

switches (see page 66
)
One PNP (sensor/device A) and one No No Position 5
NPN (sensor/device B) output (see page 67
)
One PNP output Yes No Position 6
(see page 68
)
One PNP (sensor/device A) and one Yes No Position 7
NPN (sensor/device B) output (see page 69
)

60 EIO0000003443 06/2019
 Functions

Typical applications Type of outputs of sensor/device Synchro Dynamiz Application

providing the input signal for nization ation Function
application function Selector
Monitoring of pressure- Short-circuit-generating outputs No Yes Position 8
sensitive 4-wire protective (see page 70
devices such as mats or edges )
as per ISO 13856
Monitoring of electro-sensitive OSSD (Output Signal Switching No No Position 9
protective equipment such as Device) outputs (see page 71
type 4 light curtains as per )
IEC 61496-1
Yes No Position 10
Monitoring of RFID sensors (see page 72
)

EIO0000003443 06/2019 61
Functions

Application Function 1

Characteristic Value/Description
Typical applications Monitoring of Emergency Stop circuits as per
ISO 13850 and IEC 60204-1, stop category 0

Monitoring of Emergency Stop circuits as per

ISO 13850 and IEC 60204-1, stop category 1

Monitoring of guards as per ISO 14119/14120

with electrical switches

Type of outputs of sensor/device providing the input signal Normally open, normally closed and/or changeover
for application function outputs
S•• terminals to be connected S11-S12 and S21-S22
Leave the safety-related input S31-S32 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization Yes
Signal interlock monitoring Between terminals S12 and S22
Synchronization of safety-related inputs No

Wiring of the inputs for Emergency Stop

Wiring of the inputs for guards

62 EIO0000003443 06/2019
 Functions

Application Function 2

Characteristic Value/Description
Typical applications Monitoring of Emergency Stop circuits as per
ISO 13850 and IEC 60204-1, stop category 0

Monitoring of Emergency Stop circuits as per

ISO 13850 and IEC 60204-1, stop category 1

Monitoring of guards as per ISO 14119/14120

with electrical switches

Type of outputs of sensor/device providing the input signal Normally open, normally closed and/or changeover
for application function outputs
S•• terminals to be connected S11-S12 and S21-S22
Leave the safety-related input S31-S32 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization Yes
Signal interlock monitoring Between terminals S12 and S22

Synchronization:

Synchronized terminals Synchronization time

S12 synchronized with S22 If S12 is activated before S22, S22 has to be activated
within 2 s.
If S22 is activated before S12, S12 has to be activated
within 4 s.

Wiring of the inputs for Emergency Stop

EIO0000003443 06/2019 63
Functions

Wiring of the inputs for guards

64 EIO0000003443 06/2019
 Functions

Application Function 3

Characteristic Value/Description
Typical applications Monitoring of guards as per ISO 14119/14120
with electrical switches

Monitoring of guards as per ISO 14119/14120

with coded magnetic switches

Monitoring of proximity switches

Type of outputs of sensor/device providing the input signal Normally open, normally closed and/or changeover
for application function outputs
S•• terminals to be connected S11-S12 and S21-S22
Leave the safety-related input S31-S32 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization Yes
Signal interlock monitoring No

Synchronization:

Synchronized terminals Synchronization time

S12 synchronized with S22 S12 and S22 have to be activated within 0.5 s.

Wiring of the inputs for coded magnetic switches

EIO0000003443 06/2019 65
Functions

Application Function 4

Characteristic Value/Description
Typical applications Monitoring of proximity switches

Type of outputs of sensor/device providing the input signal One PNP output
for application function
S•• terminals to be connected S12 and S22
Leave the safety-related input S31-S32 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization No
Signal interlock monitoring Between terminals S12 and S22
Synchronization of safety-related inputs No

Wiring of the inputs for sensors/devices with PNP output

66 EIO0000003443 06/2019
 Functions

Application Function 5

Characteristic Value/Description
Typical applications Monitoring of proximity switches

Type of outputs of sensor/device providing the input signal One PNP (sensor/device A) and one NPN (sensor/device
for application function B) output
S•• terminals to be connected S12 and S32
Leave the safety-related input S21-S22 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization No
Signal interlock monitoring Between terminals S12 and S32
Synchronization of safety-related inputs No

Wiring of the inputs for sensors/devices with PNP output and NPN output

EIO0000003443 06/2019 67
Functions

Application Function 6

Characteristic Value/Description
Typical applications Monitoring of proximity switches

Type of outputs of sensor/device providing the input signal One PNP output
for application function
S•• terminals to be connected S12 and S22
Leave the safety-related input S31-S32 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization No
Signal interlock monitoring Between terminals S12 and S22

Synchronization:

Synchronized terminals Synchronization time

S12 synchronized with S22 S12 and S22 have to be activated within 0.5 s.

Wiring of the inputs for sensors/devices with PNP output

68 EIO0000003443 06/2019
 Functions

Application Function 7

Characteristic Value/Description
Typical applications Monitoring of proximity switches

Type of outputs of sensor/device providing the input signal One PNP (sensor/device A) and one NPN (sensor/device
for application function B) output
S•• terminals to be connected S12 and S32
Leave the safety-related input S21-S22 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization No
Signal interlock monitoring Between terminals S12 and S32

Synchronization:

Synchronized terminals Synchronization time

S12 synchronized with S32 S12 and S32 have to be activated within 0.5 s.

Wiring of the inputs for sensors/devices with PNP output and NPN output

EIO0000003443 06/2019 69
Functions

Application Function 8

Characteristic Value/Description
Typical applications Monitoring of pressure-sensitive 4-wire
protective devices such as mats or edges as
per ISO 13856
Type of outputs of sensor/device providing the input signal Short-circuit-generating outputs
for application function
S•• terminals to be connected S11-S12 and S31-32
Leave the safety-related input S21-S22 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization Yes
Signal interlock monitoring Between terminals S12 and S32
Synchronization of safety-related inputs No

Wiring of the inputs for short circuit generating mats or edges

70 EIO0000003443 06/2019
 Functions

Application Function 9

Characteristic Value/Description
Typical applications Monitoring of electro-sensitive protective
equipment such as type 4 light curtains as per
IEC 61496-1
Monitoring of RFID sensors

Type of outputs of sensor/device providing the input signal OSSD (Output Signal Switching Device) outputs
for application function
S•• terminals to be connected S12 and S22
Leave the safety-related input S31-S32 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization No
Signal interlock monitoring Between terminals S12 and S22
Synchronization of safety-related inputs No

Wiring of the inputs for sensors/devices with OSSD outputs

EIO0000003443 06/2019 71
Functions

Application Function 10

Characteristic Value/Description
Typical applications Monitoring of electro-sensitive protective
equipment such as type 4 light curtains as per
IEC 61496-1
Monitoring of RFID sensors

Type of outputs of sensor/device providing the input signal OSSD (Output Signal Switching Device) outputs
for application function
S•• terminals to be connected S12 and S22
Leave the safety-related input S31-S32 unconnected or
use it to cancel a delay configured with the Delay function
(see page 79).
Dynamization No
Signal interlock monitoring Between terminals S12 and S22

Synchronization:

Synchronized terminals Synchronization time

S12 synchronized with S22 S12 and S22 have to be activated within 0.5 s.

Wiring of the inputs for sensors/devices with OSSD outputs

72 EIO0000003443 06/2019
 Functions

Start Functions

Overview

WARNING
UNINTENDED EQUIPMENT OPERATION
 Do not use the Start function for safety-related purposes.
 Use Monitored Start or Startup Test if unintended restart is a hazard according to your risk
assessment.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

The device provides several start functions which are selected by means of the start function
selector. The start function determines the start behavior of the device after power-on and for a
transition from the operating state Run: Outputs Deenergized (defined safe state) to the operating
state Run: Outputs Energized.
The start behavior is configured using the following characteristics:
 Type of start (automatic/manual start and monitored start)
 With or without startup test
 With or without dynamization (see page 45)
Refer to the chapter Electrical Installation (see page 56) for additional information on wiring the
start input.

Automatic Start
With automatic start, the start input is permanently active. This can be achieved by bridging the
start input or providing an external power supply. When the safety-related input is activated, the
safety-related outputs are activated within a maximum of 100 ms (activation delay).

EIO0000003443 06/2019 73
Functions

The following timing diagram illustrates the automatic start:

1 Activation delay (100 ms): maximum time between activation of safety-related input and activation of
safety-related output
2 Response time (20 ms): maximum time between deactivation of safety-related input and deactivation of
safety-related output
3 Recovery time (200 ms): time that must pass before the safety-related input can be activated again

The timing diagram exemplifies the timing using one safety-related input and one safety-related
output. The same logic applies in the case of multiple safety-related inputs and/or safety-related
outputs.

Manual Start
A manual start requires the start input to be activated. The safety-related outputs are activated after
both the start input and the safety-related inputs have been activated.

74 EIO0000003443 06/2019
 Functions

The following timing diagram illustrates the manual start:

1 Activation delay (100 ms): maximum time between activation of start input and activation of safety-related
output
2 Response time (20 ms): maximum time between deactivation of safety-related input and deactivation of
safety-related output
3 Recovery time (200 ms): time that must pass before the safety-related input can be activated again

The timing diagram exemplifies the timing using one safety-related input and one safety-related
output. The same logic applies in the case of multiple safety-related inputs and/or safety-related
outputs.
The signal required for activation of the Start input can be provided, for example, via a push-button,
or a logic controller.

Monitored Start with Falling Edge

In the case of a monitored start with falling edge, the start input must be activated and remain active
for a duration of 80 ms. The safety-related outputs are activated with a falling edge of the start input
if the safety-related inputs have been activated in the meantime.

EIO0000003443 06/2019 75
Functions

1 Activation delay (100 ms): maximum time between deactivation of start input and activation of safety-
related output
2 Response time (20 ms): maximum time between deactivation of safety-related input and deactivation of
safety-related output
3 Waiting time after power-on (2500 ms): time that must pass between power-on and activation of the start
input
4 Minimum duration of start pulse (80 ms): time for which the start input must be activated before the falling
edge at the start input

The timing diagram exemplifies the timing using one safety-related input and one safety-related
output. The same logic applies in the case of multiple safety-related inputs and/or safety-related
outputs.
The signal required for activation of the Start input can be provided, for example, via a push-button
or a logic controller.

Startup Test
The startup test is performed after the device is powered on. The startup test is typically used for
applications involving guard monitoring. The start input is permanently activated by, for example,
bridging. After power up, the safety-related inputs must be deactivated and activated before the
safety-related outputs are activated. This is achieved by, for example, opening and closing the
guard.

76 EIO0000003443 06/2019
 Functions

1 Activation delay (100 ms): time between activation of safety-related input and activation of safety-related
output
2 Response time (20 ms): time between deactivation of safety-related input and deactivation of safety-
related output
3 Recovery time (200 ms): time that must pass before the safety-related input can be activated again

The timing diagram exemplifies the timing using one safety-related input and one safety-related
output. The same logic applies in the case of multiple safety-related inputs and/or safety-related
outputs.
After power up, the safety-related outputs are not activated before each of the safety-related inputs
has been deactivated and activated again, either concurrently or one after the other, regardless of
sequence. If the safety-related inputs are already inactive at startup (power cycle), the startup test
is considered to have been completed and the safety-related outputs are activated once the safety-
related inputs have been activated and the activation delay has passed. If the safety-related inputs
are active at power up, they must be deactivated and activated again for the startup test to
complete.

Configuring the Start Function

The start function is configured by means of the start function selector.

Position of start function selector Configured start function

1  Manual/automatic start (depends on
sensor/device connected to start input)
 Without startup test
 With dynamization

2  Manual/automatic start (depends on

sensor/device connected to start input)
 With startup test
 With dynamization

EIO0000003443 06/2019 77
Functions

Position of start function selector Configured start function

3  Monitored start
 Without startup test
 With dynamization

4  Monitored start
 With startup test
 With dynamization

5  Manual/automatic start (depends on

sensor/device connected to start input)
 Without startup test
 Without dynamization

6  Manual/automatic start (depends on

sensor/device connected to start input)
 With startup test
 Without dynamization

7  Monitored start
 Without startup test
 Without dynamization

8  Monitored start
 With startup test
 Without dynamization

A start function with dynamization is typically if the start input is connected to a start push-button.
A start function without dynamization is typically used if the start input is connected to a logic
controller. Refer to the chapter Dynamization (see page 45) for details.

78 EIO0000003443 06/2019
 Functions

Delay Function

Overview
The device provides a delay function that allows for delayed deactivation of the delayed safety-
related outputs. The delay is the time between deactivation of the safety-related inputs and the
deactivation of the safety-related outputs. It is also possible to configure a delay for the safety-
related outputs of a connected output extension module XPSUEP.
The delay function is available for the following safety-related outputs: 47-48, 57-58, 67-68 and 75-
76.
A configured delay can be canceled by activating the appropriate safety-related inputs S21-22 or
S31-32, depending on the application function (see page 60).

Configuration
The delay is configured with the delay base selector and the delay factor selector (refer to Front
View and Side View (see page 17) for the selectors). The numerical value set by means of the
delay base selector is multiplied by the factor set by means of the delay factor selector. The result
is the time delay in seconds for deactivation of the delayed safety-related outputs.
The position of the delay base selector also determines whether the safety-related outputs of a
connected output extension module XPSUEP are deactivated immediately or with the selected
delay time.
Delay factor selector:

Position of delay factor selector Factor

1 0.0
2 0.1
3 0.2
4 0.3
5 0.4
6 0.5
7 0.6
8 0.7
9 0.8
10 0.9

Delay base selector:

Position of delay base selector Base value and behavior of safety-related outputs of
output extension module XPSUEP
1 1, outputs of extension module instantaneous

EIO0000003443 06/2019 79
Functions

Position of delay base selector Base value and behavior of safety-related outputs of
output extension module XPSUEP
2 10, outputs of extension module instantaneous
3 100, outputs of extension module instantaneous
4 1000, outputs of extension module instantaneous
5 1, outputs of extension module delayed
6 10, outputs of extension module delayed
7 100, outputs of extension module delayed
8 1000, outputs of extension module delayed

Configuration Examples

Position of delay Position of delay base Delay time Delayed deactivation of outputs of
factor selector selector extension module XPSUEP
3 6 2 seconds Yes
6 1 0.5 seconds No
1 Any 0 seconds No

Canceling a Configured Delay

The safe state of the device is “safety-related outputs deactivated”, i.e. relays de-energized. Take
into account that the defined safe state of the device is not necessarily identical to the defined safe
state of your machine or process. For example, canceling a configured delay may prematurely
trigger the safety-related function STO or allow untimely access to the zone of operation,
depending on your application. A configured delay is a part of the safety-related function.
Cancelation of the delay constitutes a modification to the safety-related function. You must ensure
that any modification of the timing for reaching the defined safe state of the device via a canceled
delay is adapted to the defined safe state of your machine or process.

80 EIO0000003443 06/2019
 Functions

WARNING
INSUFFICIENT AND/OR INEFFECTIVE SAFETY-RELATED FUNCTION
 Verify that the cancelation of a configured delay including all ramifications with regard to the
timing of the safety-related function as well as the technical and organizational means of
triggering the cancelation are covered in your risk assessment as per ISO 12100 and/or other
equivalent assessment.
 Verify that canceling a configured delay does not compromise or reduce the Safety Integrity
Level (SIL), Performance Level (PL) and/or any other safety-related requirements and
capabilities defined for your machine or process.
 Ensure that all necessary organizational measures are taken (such as, but not limited to,
operator training, efficient access control to manually operated equipment, or hazard signs) if
a configured delay can be canceled manually by an operator.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

A configured delay can be canceled by activating the inputs S21-22 or S31-32, depending on the
application function (see page 60).
The signal for canceling a configured delay can be provided via an HMI and a logic controller with
a corresponding output, or via a pushbutton.
Use cases for canceling a delay include applications in which the time required for the application
to reach the defined safe state of the machine or process varies greatly. For example, long
conveyors may take considerable time to decelerate to a standstill if they carry heavy loads. If they
are empty, such a deceleration may be achieved in a fraction of the time.
The safe state defined for the conveyor could be, for example, standstill and activation of the
safety-related function Safe Torque Off (STO) to help avoid unintended restart. If you use the
safety-related outputs to control a guard to allow access to the zone of operation of the conveyor
once the defined safe state of the machine or process has been achieved, you would use the
maximum time the conveyor takes to reach a standstill as the delay time. This helps to ensure that
access to the zone of operation is not possible as long as the conveyor is still in motion.
If standstill is reached before the maximum delay time has elapsed (for example, due to a low load),
the machine may be in the defined safe state at an earlier point in time and access to the zone of
operation does not pose a hazard. Under this condition, the delay might be canceled, depending
on your risk assessment.
Another possible scenario would be to trigger the safety-related function STO via the device once
the maximum time required for deceleration to standstill under the maximum possible load
condition has elapsed and the conveyor is at a standstill. If standstill is achieved at an earlier point
in time, the configured delay could be canceled and STO triggered earlier so that the machine or
process is available again more rapidly.

EIO0000003443 06/2019 81
Functions

82 EIO0000003443 06/2019
 Preventa XPSUAT
Configuration and Commissioning
EIO0000003443 06/2019

Chapter 6
Configuration and Commissioning

Configuration and Commissioning

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Configuration 84
Commissioning 86

EIO0000003443 06/2019 83
Configuration and Commissioning

Configuration

Overview
The device detects certain technically incorrect configurations (for example, a configured start
function cannot be used with a configured application function). The device cannot detect
unwanted configurations (for example, automatic start has been configured, but a monitored start
is required for your application as a result of your risk assessment).

WARNING
INEFFECTIVE SAFETY-RELATED FUNCTION AND/OR UNINTENDED EQUIPMENT
OPERATION
 Only modify the settings of the selectors of the device if you are fully aware of all effects of
such modifications.
 Verify that the settings of the selectors match the intended safety-related function and the
corresponding wiring of the device.
 Verify that modifications do not compromise or reduce the Safety Integrity Level (SIL),
Performance Level (PL), and/or any other safety-related requirements and capabilities defined
for your machine/process.
 Commission the device before it is used for the first time and after each configuration
according to the instructions in the present manual and in compliance with all regulations,
standards, and process definitions applicable to your machine/process
Failure to follow these instructions can result in death, serious injury, or equipment damage.

The device is configured by means of the application function selector, the start function selector,
the delay base selector, and the delay factor selector.
The device must be installed and wired according to the requirements of the safety-related function
to be implemented before you can configure it.
Modifications to the positions of the selectors only become effective after power-up. Remove
power from the device before modifying the position of the selectors. If the positions of the
selectors are modified while power is applied to the device, the device detects a configuration error.
Go through the full commissioning procedure (see page 86) after having modified the positions of
the selectors.

Configuration Procedure

Step Action
1 Verify that the device has been wired according to the safety-related function to be configured.
2 Remove power if the device is not powered off.
If an extension module XPSUEP is connected, remove power from the extension module as
well.

84 EIO0000003443 06/2019
 Configuration and Commissioning

Step Action
3 Open the transparent cover of the device.
4 Set the application function selector to the required application function.
5 Set the start function selector to the required start function.
6 Set the delay base selector and the delay factor selector to the required delay function.
7 Commission the device according to the chapter Commissioning (see page 86).

EIO0000003443 06/2019 85
Configuration and Commissioning

Commissioning

Overview

WARNING
INEFFECTIVE SAFETY-RELATED FUNCTION AND/OR UNINTENDED EQUIPMENT
OPERATION
 Commission the device before it is used for the first time and after each configuration.
 Commission or recommission the machine/process pursuant to all regulations, standards, and
process definitions applicable to your machine/process.
 Only start the machine/process if there are no persons or obstructions in the zone of operation.
 Verify correct operation and effectiveness of all functions by performing comprehensive tests
for all operating states, the defined safe state, and all potential error situations.
 Document all modifications and the results of the commissioning procedure in compliance with
all regulations, standards, and process definitions applicable to your machine/process.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Commissioning Procedure

Step Action
1 Verify correct mechanical and electrical installation (see page 49) according to the intended
application.
2 Verify correct configuration (see page 84) according to the intended application.
3 Verify that there are no persons or obstructions in the zone of operation.
4 Apply power and start the machine/process.
If an extension module XPSUEP is connected, apply power to the extension module at the same
time as to the device.
5 Perform comprehensive tests for all operating states, the defined safe state, and all potential
error situations.
6 Close the transparent cover of the device and seal it with a lead seal.
7 Document all modifications and the results of the commissioning procedure.

86 EIO0000003443 06/2019
 Preventa XPSUAT
Diagnostics
EIO0000003443 06/2019

Chapter 7
Diagnostics

Diagnostics

WARNING
INEFFECTIVE SAFETY-RELATED FUNCTION AND/OR UNINTENDED EQUIPMENT
OPERATION
Only attempt to resolve alerts and errors detected by the device if you are fully familiar with the
safety-related applications and the non-safety-related applications as well as the hardware used
to operate your machine/process.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Diagnostics via LEDs 88
Diagnostics via Status Output Z1 91

EIO0000003443 06/2019 87
Diagnostics

Diagnostics via LEDs

Overview
The device features various LEDs (see page 17) that provide status information and information
on alerts and detected errors.
Recommission the device (see page 86) if, during troubleshooting, you modify the position of the
application function selector, the start function selector, or the delay function selectors.

LED POWER

State Meaning
Off No power supply
Solid on Power supply on

LED STATE1
This LED provides information on the state of the instantaneous safety-related outputs.

State Meaning
Off Instantaneous safety-related outputs deactivated
Solid on Instantaneous safety-related outputs activated

LED STATE2
This LED provides information on the state of the delayed safety-related outputs. Refer to the
chapter Delay Function (see page 79) for details.

State Meaning
Off Delayed safety-related outputs deactivated
Solid on Delayed safety-related outputs activated

LED START
This LED provides information on the start condition. Refer to the chapter Start Function
(see page 73) for detailed information on the conditions and timing of the selected start function.

State Meaning
Off Start condition not fulfilled
Solid on Start condition fulfilled
Flashing Waiting for start condition to be fulfilled

88 EIO0000003443 06/2019
 Diagnostics

LEDs S••
These LEDs provide information on the state of the corresponding safety-related input terminal.

State Meaning
Off Safety-related input deactivated
Solid on Safety-related input activated

LED ERROR - Alerts

This LED flashes in conjunction with additional S•• LEDs to indicate alerts. In the case of an alert,
the device transitions to the defined safe state. Remove the cause of the alert to exit the defined
safe state and resume operation. Contact your Schneider Electric service representative if the
condition persists.

State In conjunction with additional Meaning Remedy

LEDs
Additional LEDs State of
additional LEDs
Flashing S•• and S•• Flashing Synchronization time  Verify correct operation of the
alternatively exceeded. sensors/devices providing the input
signal.
 If synchronization is not required for
your application, use an equivalent
application function without
synchronization.
Flashing S•• and S•• Flashing Signal interlock condition  Deactivate the two safety-related
synchronously of two safety-related inputs affected by the signal
inputs. interlock condition for at least
The two safety-related 1 second.
inputs affected by the  Verify correct operation of the
signal interlock condition contacts of the sensor/sdevices
must be deactivated for providing the input signal.
at least 1 second before
the safety-related outputs
can be activated again.

LED ERROR - Detected Errors

This LED lights solid in conjunction with additional LEDs to indicate detected errors. In the case of
a detected error, the device transitions to the defined safe state. You must remove the cause of
the detected error and perform a power cycle of the device to exit the defined safe state and
resume operation. Contact your Schneider Electric service representative if the condition persists.

EIO0000003443 06/2019 89
Diagnostics

State In conjunction with additional Meaning Remedy

LEDs
Additional LEDs State of
additional LEDs
Solid on STATE1, Flashing General error detected.  Verify correct wiring.
STATE2, synchronously
START and S••
Solid on STATE1, Solid on Configuration error  Verify that the positions of the
STATE2, detected. selectors are appropriate for the
START and S•• application to be implemented.
Solid on POWER Flashing Power supply error  Verify correct wiring.
detected.  Use a suitable power supply.

Solid on STATE1 Flashing Error detected at  Perform a power cycle.

instantaneous safety-
related output.
Solid on STATE2 Flashing Error detected at delayed  Perform a power cycle.
safety-related output.
Solid on START Flashing Cross circuit detected at  Verify correct wiring.
start input.
Solid on STATE and Flashing Error detected at safety-  Perform a power cycle.
START synchronously related output of
extension module.
Solid on STATE1, Flashing Error detected at safety-  Perform a power cycle.
STATE2 and synchronously related output of
START extension module.
Solid on S•• and S•• Flashing Cross circuit detected at  Verify correct wiring.
synchronously safety-related input.

90 EIO0000003443 06/2019
 Diagnostics

Diagnostics via Status Output Z1

Overview

WARNING
INCORRECT USE OF OUTPUT
Do not use the additional outputs Z1 and Z2 for safety-related purposes.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

The pulsed output Z1 provides diagnostics information in the form of a bit pattern. If the output Z1
is connected to a logic controller, the PreventaSupport library can be used to evaluate the
diagnostics information. The library consists of the function blocks FB_PreventaDiag and
FB_PreventaMain. The function block FB_PreventaDiag converts the bit sequences into
diagnostics codes for monitoring the status of the device. The function block FB_PreventaMain
uses the diagnostics codes as input to perform calculations concerning, for example, maintenance
tasks.
Refer to the PreventaSupport Library Guide (see page 10) for details.

Diagnostics Codes
The device encodes diagnostics information into sequences of 10 bits with a duration of 200 ms.
The first four bits (0010) represent the beginning of a bit sequence. The next six bits contain the
diagnostics code itself.
The following table lists the bit sequences of the diagnostics codes, the description of the
corresponding status as well as correctives, if applicable.

Bit sequence Description Correctives Type (1)

0010101101 Supply voltage out of Verify correct wiring. E
tolerance. Use a suitable power supply.
0010000011 General error detected. Verify correct wiring. E
Perform a power cycle.
If the error persists, replace the device.
0010000110 General error detected in Verify correct wiring. E
expansion module. Perform a power cycle of the base safety module and the
connected extension module.
If the error persists, replace the extension module.
(1) Type of message: E = Error detected, A = Alert, S = Status information

EIO0000003443 06/2019 91
Diagnostics

Bit sequence Description Correctives Type (1)

0010000111 Configuration error Verify that the position of the selectors is appropriate for E
detected. The position of the application to be implemented.
at least one of the Perform a power cycle.
selectors has been If the error persists, replace the device.
modified during
operation.
0010001100 Cross circuit detected at Verify correct wiring. E
input terminal S12. Verify that the sensor/device providing the input signal is
suitable for cross circuit detection by means of
dynamization. If it is not, use an application function
without dynamization or a sensor/device suitable for
dynamization.
Verify correct operation of sensor/device providing the
input signal.
Perform a power cycle.
0010001111 Cross circuit detected at Verify correct wiring. E
input terminal S22. Verify that the sensor/device providing the input signal is
suitable for cross circuit detection by means of
dynamization. If it is not, use an application function
without dynamization or a sensor/device suitable for
dynamization.
Verify correct operation of sensor/device providing the
input signal.
Perform a power cycle.
0010011000 Cross circuit detected at Verify correct wiring. E
input terminal S32. Verify that the sensor/device providing the input signal is
suitable for cross circuit detection by means of
dynamization. If it is not, use an application function
without dynamization or a sensor/device suitable for
dynamization.
Verify correct operation of sensor/device providing the
input signal.
Perform a power cycle.
0010110000 Cross circuit detected at Verify correct wiring. E
start input. Verify that the device providing the input signal is suitable
for cross circuit detection by means of dynamization. If it
is not, use a start function without dynamization or a
device suitable for dynamization.
Verify correct operation of device providing the input
signal.
Perform a power cycle.
(1) Type of message: E = Error detected, A = Alert, S = Status information

92 EIO0000003443 06/2019
 Diagnostics

Bit sequence Description Correctives Type (1)

0010100011 Cross circuit detected at Verify correct wiring. E
input used for Cancel Verify that the sensor/device providing the input signal is
Delay function. suitable for cross circuit detection by means of
dynamization. If it is not, use an application function
without dynamization or a sensor/device suitable for
dynamization.
Verify correct operation of sensor/device providing the
input signal.
Perform a power cycle.
0010110011 Synchronization alert. Restore the original condition of the states of the inputs A
One of the synchronized and retry.
safety-related inputs is Verify correct operation of sensors/devices providing the
still deactivated, but the input signals.
synchronization time has
already elapsed.
0010100111 Synchronization alert. Restore the original condition of the states of the inputs A
Both synchronized and retry.
safety-related inputs Verify correct operation of sensors/devices providing the
have been activated, but input signals.
not within the
synchronization time.
0010110110 Instantaneous safety- - S
related outputs are
deactivated, delayed
safety-related outputs
are still activated.
0010110111 Safety-related inputs - S
deactivated, safety-
related outputs
deactivated.
0010110101 Input S12 is expected to - S
change its state. In the
case of a configuration
with antivalent inputs,
inputs S12 and S13 are
expected to change their
states.
0010111100 Input S22 is expected to - S
change its state. In the
case of a configuration
with antivalent inputs,
inputs S22 and S23 are
expected to change their
states.
(1) Type of message: E = Error detected, A = Alert, S = Status information

EIO0000003443 06/2019 93
Diagnostics

Bit sequence Description Correctives Type (1)

0010111111 Input S32 is expected to - S
change its state. In the
case of a configuration
with antivalent inputs,
inputs S32 and S33 are
expected to change their
states.
0010101011 Waiting for startup test. - S
0010101010 Waiting for rising edge - S
for automatic/manual
start or monitored start.
0010101110 Start input activated. - S
Waiting for falling edge
for monitored start.
0010101111 Device in operating state - S
Run:Outputs Energized,
safety-related outputs
activated.
(1) Type of message: E = Error detected, A = Alert, S = Status information

94 EIO0000003443 06/2019
 Preventa XPSUAT
Accessories, Service, Maintenance, and Disposal
EIO0000003443 06/2019

Chapter 8
Accessories, Service, Maintenance, and Disposal

Accessories, Service, Maintenance, and Disposal

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Accessories 96
Maintenance 97
Transportation, Storage, and Disposal 98
Service Addresses 99

EIO0000003443 06/2019 95
Accessories, Service, Maintenance, and Disposal

Accessories

Accessories
The following accessories are available for the device:

Description Commercial Reference

Coding bits XPSEC
The coding bits are used if the terminal blocks are removed to help ensure
correct insertion of the terminal blocks into the device.
30 pieces per packaging unit
Sealing strips XPSES
The uniquely numbered sealing strips are used to seal the transparent front
cover of the device to help prevent unauthorized access to the configuration
selectors.
10 pieces per packaging unit

96 EIO0000003443 06/2019
 Accessories, Service, Maintenance, and Disposal

Maintenance

Service and Repairs

The device contains no user-serviceable parts. Do not attempt to open, service, or repair the
device.

Maintenance Plan
Maintenance plan:
 Ensure that a safety-related function implemented with the device is triggered at the minimum
intervals required by the regulations, standards, and process definitions applicable to your
machine/process.
 Inspect the wiring at regular intervals.
 Tighten the threaded connections at regular intervals.
 Verify that the device is not used beyond the specified lifetime (see page 31).
To determine the end of the lifetime, add the specified lifetime to the date of manufacture
indicated on the nameplate (see page 18) of the device.
Example: If the date of manufacture indicated on the nameplate is 2019-W10, do not use the
device after week 10, 2039.
As a machine designer or system integrator, you must include this information in the maintenance
plan for your customer.

EIO0000003443 06/2019 97
Accessories, Service, Maintenance, and Disposal

Transportation, Storage, and Disposal

Transportation and Storage

Ensure that the environmental conditions (see page 22) specified for transportation and storage
are respected.

Disposal
Dispose of the product in accordance with all applicable regulations.
Visit https://www.schneider-electric.com/green-premium for information and documents on
environmental protection as per ISO 14025 such as:
 EoLi (Product End-of-Life Instructions)
 PEP (Product Environmental Profile)

98 EIO0000003443 06/2019
 Accessories, Service, Maintenance, and Disposal

Service Addresses

Schneider Electric Automation GmbH

Schneiderplatz 1
97828 Marktheidenfeld, Germany
Phone: +49 (0) 9391 / 606 - 0
Fax: +49 (0) 9391 / 606 - 4000
Email: [email protected]
Internet: http://www.schneider-electric.com

Additional Contact Addresses

See the homepage for additional contact addresses:
http://www.schneider-electric.com

EIO0000003443 06/2019 99
Accessories, Service, Maintenance, and Disposal

100 EIO0000003443 06/2019

 Preventa XPSUAT
Index
EIO0000003443 06/2019

Index

A dimensions, 24
dynamization, 45
accessories, 96
activation, safety-related inputs, 42
alerts, 88 E
antivalent behavior, safety-related inputs, 42
electrical characteristics, 26
application functions
electrical durability, 32, 34
configuration, 84
electro-sensitive protective equipment
application functions: see index entry func-
(type 4 light curtains) as per IEC 61496-1,
tions, 60
monitoring of, 71, 72
automatic start, 73
electromagnetic compatibility, 36
EMC, 36
B Emergency Stop circuits as per ISO 13850
and IEC 60204-1, stop category 0, monitoring
block diagram, 54
of, 62, 63
Emergency Stop circuits as per ISO 13850
C and IEC 60204-1, stop category 1, monitoring
of, 62, 63
Category, 31 environmental characteristics, 22
commissioning, 86 errors, detected, 88
configuration example Emergency Stop
application functions, 84 overview, 38
delay function, 79 timing diagram, 40
delay function, configuration examples,
80
start functions, 77 F
cross circuit detection, 45
functional safety data, 31
functions
automatic start, 73
D configuration of application functions, 84
DCavg, 31 configuration of start function, 77
deactivation, safety-related inputs, 42 delay function, 79
degree of protection, 24 delay function, cancelation, 80
delay base selector, 79 delay function, configuration, 79
delay factor selector, 79 delay function, configuration examples,
delay function 80
cancelation, 80 dynamization, 45
configuration, 79 light curtains, type 4 as per IEC 61496-1,
overview, 79 monitoring of, 71, 72
diagnostics, 88 manual start, 74
diagram, block, 54 mats or edges as per ISO 13856, monitor-

EIO0000003443 06/2019 101

Index

ing of, 70 inputs, safety-related

monitored start with falling edge, 75, 76 technical data, 26
monitoring of electro-sensitive protective wiring, 55
equipment (type 4 light curtains) as per installation, 50, 51, 53
IEC 61496-1, 71, 72 control cabinet, 50
monitoring of Emergency Stop circuits as enclosure, 50
per ISO 13850 and IEC 60204-1, stop mechanical, 51
category 0, 62, 63 prerequisites, 50
monitoring of Emergency Stop circuits as
per ISO 13850 and IEC 60204-1, stop
category 1, 62, 63 L
monitoring of guards as per L, 31
ISO 14119/14120 with coded magnetic LEDs, 88
switches, 65 lifetime, 31
monitoring of guards as per light curtains type 4 as per IEC 61496-1,
ISO 14119/14120 with electrical switch- monitoring of, 71, 72
es, 62, 63, 65
monitoring of pressure-sensitive 4-wire
protective devices (mats or edges) as per M
ISO 13856, 70 maintenance, 97
monitoring of proximity switches, 65, 66, manual start, 74
67, 68, 69 mechanical characteristics, 24
monitoring of RFID sensors, 71, 72 monitored start with falling edge, 75
overview application functions, 60 monitoring of electro-sensitive protective
signal interlock monitoring, 47 equipment (type 4 light curtains) as per
start functions, 73 IEC 61496-1, 71, 72
synchronization of safety-related inputs, monitoring of Emergency Stop circuits as per
44 ISO 13850 and IEC 60204-1, stop category
0, 62, 63
monitoring of Emergency Stop circuits as per
G ISO 13850 and IEC 60204-1, stop category
guards as per ISO 14119/14120 with coded 1, 62, 63
magnetic switches, monitoring of, 65 monitoring of guards as per
guards as per ISO 14119/14120 with electri- ISO 14119/14120 with coded magnetic
cal switches, monitoring of, 62, 63, 65 switches, 65
monitoring of guards as per
ISO 14119/14120 with electrical switches,
H 62, 63, 65
HFT, 31 monitoring of pressure-sensitive 4-wire pro-
tective devices (mats or edges) as per
ISO 13856, 70
I monitoring of proximity switches, 65, 66, 67,
input, start 68, 69
technical data, 27 monitoring of RFID sensors, 71, 72
wiring, 56

102 EIO0000003443 06/2019

 Index

mounting, 51 S
DIN rail, 51
safe state, defined, 31
screw mounting, 52
Safety Integrity Level, 31
MTTFd, 31
safety-related inputs
activation, 42
antivalent behavior, 42
N deactivation, 42
nameplate, 18 dynamization, 45
signal interlock monitoring, 47
synchronization, 44
O technical data, 26
operating cycles over lifetime , 32 wiring, 55
operating state transitions, 38 safety-related outputs
operating states, 37 technical data, 28
operation, environmental characteristics, 23 wiring, 56
output Z1 service addresses, 99
diagnostics, 91 SFF, 31
technical data, 28 signal interlock monitoring, 47
wiring, 57 signal output Z2
output Z2 technical data, 28
technical data, 28 wiring, 57
wiring, 57 SIL, 31
outputs, safety-related SILCL, 31
technical data, 28 start functions, 73
wiring, 56 automatic start, 73
configuration, 77
dynamization, 45
P manual start, 74
Performance Level, 31 monitored start with falling edge, 75, 76
PFHD, 31 start input
power supply technical data, 27
technical data, 26 wiring, 56
wiring, 57 startup test, 76
pressure-sensitive 4-wire protective devices state machine, 37
(mats or edges) as per ISO 13856, monitor- state transitions, 38
ing of, 70 status output Z1
proximity switches, monitoring of, 65, 66, 67, diagnostics, 91
68, 69 technical data, 28
wiring, 57
stop category, 31
R storage, environmental characteristics, 22
response times stripping lengths, 25
technical data, 29 supply
RFID sensors, monitoring of, 71, 72 technical data, 26
wiring, 57

EIO0000003443 06/2019 103

Index

synchronization, 44 wiring, 53
power supply, 57
safety-related inputs, 55
T safety-related outputs, 56
technical data start input, 56
degree of protection, 24 supply, 57
dimensions, 24 Z2, 57
electrical characteristics, 26
environmental characteristics, 22
functional safety data, 31 Z
mechanical characteristics, 24 Z1 status output
operation, 23 diagnostics, 91
power supply, 26 technical data, 28
response times, 29 wiring, 57
safety-related inputs, 26 Z2 signal output
safety-related outputs, 28 technical data, 28
signal output Z2, 28 wiring, 57
start input, 27 ZVEI CB241, 27
status output Z1, 28
storage, 22
stripping lenghts, 25
supply, 26
tightening torques terminals, 25
timing data, 29
transportation, 22
weight, 24
wire cross sections, 25
tightening torques terminals, 25
timing data, 29
transportation, environmental characteristics,
22
troubleshooting, 88
type code, 19

V
view
front view, 17
side view, 17

W
weight, 24
wire cross sections, 25

104 EIO0000003443 06/2019