Dual Channel Input Stop (DCS)
This information applies to the 5x70 family of
GuardLogix
controllers.The Dual Channel Input Stop instruction monitors dual-input safety devices whose main function is to stop a machine safely, for example, an E-stop, light curtain, or safety gate. This instruction can only energize O1 (Output 1) when both safety inputs, Channel A and Channel B, are in the active state as determined by the Input type parameter, and the correct reset actions are carried out.
Available Languages
Ladder Diagram
Function Block
This instruction is not available in function block.
Structured Text
This instruction is not available in structured text.
Operands
IMPORTANT:
Do not use the same tag name for more than one instruction in the same program. Do not write to any instruction output tag under any circumstance.
IMPORTANT:
Make sure that your safety input points are configured as single, not Equivalent or Complementary. These instructions provide all dual channel functionality necessary for PLd (Cat. 3) or Ple (Cat. 4) safety functions.
WARNING:
ATTENTION:
If you change instructions parameters while in Run mode, you must accept the pending edits and cycle the controller mode from Program to Run for the changes to take effect. The following table provides the parameters that are used to configure the instruction. These parameters cannot be changed at runtime.
Operand | Type | Format | Description |
|---|---|---|---|
DCS | DCI_STOP | tag | This parameter is a backing tag that maintains important execution information for each usage of this instruction.  ATTENTION: To avoid unexpected operation do not reuse this backing tag and its members. Do not write to any of the tag members anywhere else in the program. |
Safety Function | DINT | name | This parameter provides a text name for how this instruction is being used. Choices include E-stop, safety gate, light curtain, area scanner, safety mat, cable (rope) pull switch, and user-defined. This parameter does not affect instruction behavior. It is for information/documentation purposes only. |
Input Type | DINT | name | This parameter selects input channel behavior. Equivalent (0): Active High: Inputs are in the active state when Channel A and Channel B inputs are 1.Complementary (2): Inputs are in the active state when Channel A is 1 and Channel B is 0. |
Discrepancy Time (ms) | DINT | immediate | The amount of time that the inputs can be in an inconsistent state before an instruction fault is generated. The inconsistent state depends on the Input Type. Equivalent: Inconsistent state is when:
Complementary: Inconsistent state is when:
The range is 5...3000 ms. |
Restart Type | List | name | This input configures Output 1 for either Manual or Automatic Restart. Manual (0): A transition of the Reset input from OFF (0) to ON (1), while all of the Output 1 enabling conditions are met, is required to energize Output 1Automatic (1): Output 1 is energized 50 ms after all enabling conditions are met. ATTENTION: Automatic restart may only be used in application situations where you can prove that no unsafe conditions can occur as a result of its use, or the reset function is being performed elsewhere in the safety circuit (for example, output function). |
Cold Start Type | BOOL | name | This parameter specifies the Output 1 behavior when applying controller power or mode change to Run. Manual (0): Output 1 is not energized when the Input status becomes valid or when the Input Status fault is cleared. The device must be tested before Output 1 can be energized.Automatic (1): Output 1 is energized immediately when the Input status becomes valid or when the Input Status fault is cleared and both inputs are in their active state. |
This table explains instruction inputs. The inputs may be field device signals from input devices or derived from user logic.
Operand | Data Type | Format | Description |
Channel A 1 | BOOL | tag | This input is one of the two safety inputs to the instruction. |
Channel B 1 | BOOL | tag | This input is one of the two safety inputs to the instruction. |
Input Status | BOOL | immediate tag | If instruction inputs are from a safety I/O module, this is the status from the I/O module (Connection Status or Combined Status). If instruction inputs are derived from internal logic, it is the application programmer’s responsibility to determine the conditions. ON (1): The inputs to this instruction are valid.
OFF (0): The inputs to this instruction are invalid. |
Reset 2 | BOOL | tag | If Restart Type = Manual, this input is used to energize Output 1 once Channel A and Channel B are both in the active state. If Restart Type = Automatic, this input is not used to energize Output 1. OFF (0) -> ON (1): The FP (Fault Present) and Fault Code outputs are reset. |
1
If the input is from a Guard I/O
input module, make sure that the input is configured as single, not Equivalent or Complementary. 2
ISO 13849-1 stipulates instruction reset functions must occur on falling edge signals. To comply with ISO 13849-1 requirements, add this logic immediately before this instruction. Rename the Reset_Signal tag in this example to your reset signal tag name. Then use the OSF instruction Output Bit tag as the reset source of the instruction.
The following table explains instruction outputs. The outputs may be external tags (safety output modules) or internal tags for use in other logic routines.
Operand | Data Type | Description |
Output 1 (O1) | BOOL | This output is energized when the input conditions have been satisfied. The output becomes de-energized when:
|
Fault Present (FP) | BOOL | ON (1): A fault is present in the instruction.
OFF (0): This instruction is operating normally. |
Fault Code | DINT | This output indicates the type of fault that occurred. See the Fault Codes section for a list of fault codes. This parameter is not safety-related. |
Diagnostic Code | DINT | This output indicates the diagnostic status of the instruction. See the Diagnostic Codes section for a list of diagnostic codes. This parameter is not safety-related. |
IMPORTANT:
Do not write to any instruction output tag under any circumstances.
Operation
Normal Operation
The timing diagram illustrates normal operation with Restart Type configured for Manual and Cold Start Type configured for Manual. At (A), Output 1 will not be energized because the safety inputs have not been through the safe state (0 in this case). At (B), Output 1 is energized because the safety inputs have been cycled through the safe state and are in the active state when the reset is triggered. At (C), Output 1 is de-energized because one of the safety inputs (Channel A) has transitioned to a safe state. At (D), Output 1 is once again energized when a reset is triggered with both safety inputs in the active state.
Normal Operation (Manual Restart, Manual Cold Start)
Normal Operation (Manual Restart, Manual Cold Start, Complementary)
The same behavior is demonstrated below as in the previous timing diagram except that the Input Type is Complementary.
Normal Operation (Manual Restart, Automatic Cold Start)
The timing diagram illustrates normal operation with Cold Start Type configured for Automatic. When Cold Start Type is automatic, Output 1 is energized as soon as the Input Status becomes valid (OFF (0) to ON (1) transition) for the first time such as when power is applied to a PLC controller. At (A), Output 1 is energized when the Input Status becomes valid with the safety inputs in the active state. At (B), Output 1 is de-energized when one of the safety inputs transitions to the safe state. Output 1 is not energized again until (C), when the reset is triggered with the safety inputs in the active state.
The Automatic Cold Start only has effect the first time the Input Status becomes valid.
Normal Operation (Automatic Restart, Manual Cold Start)
The timing diagram illustrates normal operation with Automatic Restart and manual cold start. Because Cold Start Type is manual, both safety inputs must go through the safe state before Output 1 can be energized. At (A), Output 1 is energized automatically 50 ms after the safety inputs transition to the active state (1 in this case). At (B), Output 1 is de-energized when one of the safety inputs transitions to the safe state. At (C), Output 1 is automatically energized 50 ms after both safety inputs transition back to the active state.
Normal Operation (Automatic Restart, Automatic Cold Start)
The timing diagram illustrates normal operation with Automatic Restart and Automatic Cold Start. Here the instruction does not have to wait for the safety inputs to go through the safe state. At (A), Output 1 is energized immediately after the Input Status becomes valid for the first time with the safety inputs in the active state.
Input Status Fault (Manual Cold Start)
The timing diagram illustrates a fault occurring when the Input Status becomes invalid. When Cold Start Type is configured for manual, the safety inputs must go through the safe state after a fault has been cleared. At (A), Output 1 is energized when a reset is triggered with the safety inputs in the active state. At (B), a fault occurs because the Input Status becomes invalid, which de-energizes Output 1. At (C), the fault cannot be cleared because the Input Status is still invalid. At (D), the fault is cleared, but Output 1 cannot yet be energized because the safety inputs must transition through the safe state when Cold Start Type is manual. At (E), the safety inputs have gone through the safe state. At (F), Output 1 is once again energized when the Reset is triggered.
Input Status Fault (Automatic Cold Start)
The timing diagram illustrates a fault occurring when the Input Status becomes invalid. When Cold Start Type is configured for automatic, the safety inputs are not required to go through the safe state after a fault has been cleared. At (A), Output 1 is energized when the Input Status becomes valid because the Cold Start Type is automatic. At (B), a fault occurs because the Input Status becomes invalid, which de-energizes Output 1. At (C), the fault cannot be cleared because the Input Status is still invalid. At (D), the fault is cleared because the Input Status is valid and a reset occurred. Output 1 is then energized because the Cold Start Type is automatic.
It is not necessary for the Safety Inputs to go through the safe state after an Input Status fault is cleared when the Cold Start Type is Automatic.
Cycle Inputs Fault
The timing diagram illustrates one of the two safety inputs transitioning to the safe state and back to the active state while Output 1 is energized. At (A), Output 1 is energized in the normal way. At (B), Channel A transitions to the safe state, which immediately de-energizes Output 1. At (C), Channel A transitions back to the active state before the 250 ms Discrepancy Time causes a fault. At (D), Output 1 is energized because the safety inputs have cycled through the safe state, and a reset has been triggered.
Discrepancy Fault
The timing diagram illustrates a fault occurring when Channel A and Channel B are in an inconsistent state for longer than the Discrepancy Time parameter. At (A), a discrepancy fault occurs because Channel A has been in the active state and Channel B has been in the safe state for 250 ms (Discrepancy Time parameter). At (B), the fault is reset, but Output 1 is not energized because the safety inputs must cycle through the safe state after a discrepancy fault is cleared, energize Output 1. At (C), Output 1 is energized because the safety inputs have transitioned through the safe state and a reset has been triggered. At (D), another discrepancy fault occurs when the safety inputs are again in an inconsistent state for longer than 250 ms.
False Rung State Behavior
When the instruction is executed on a false rung, all instruction outputs are de-energized.
Fault Codes and Corrective Actions
The fault codes are listed in hexadecimal format followed by decimal format.
Fault Code | Description | Corrective Action |
|---|---|---|
00 | No fault. |
|
16#20 32 | The Input Status input transitioned from ON (1) to OFF (0) while the instruction was executing. |
|
16#4000 16384 | Channel A and Channel B were in an inconsistent state for longer than the Discrepancy Time. At the time of the fault, Channel A was in the active state. Channel B was in the safe state. |
|
16#4001 16385 | Channel A and Channel B were in an inconsistent state for longer than the Discrepancy Time. At the time of the fault, Channel A was in the safe state. Channel B was in the active state. | |
16#4002 16386 | Channel A went to the safe state and back to the active state while Channel B remained active. | |
16#4003 16387 | Channel B went to the safe state and back to the active state while Channel A remained active. |
Diagnostic Codes and Corrective Actions
The diagnostic codes are listed in hexadecimal format followed by decimal format.
Diagnostic Code | Description | Corrective Action |
|---|---|---|
00 | No fault | None |
16#05
5 | The Reset input is held ON (1). | Set the Reset input to OFF (0). |
16#20 32 | The Input Status was OFF(0) when the instruction started. | Check the I/O module connection or the internal logic used to source input status. |
16#4000 16384 | The device has not been functionally tested at startup. | Perform a functional test of the inputs (put Channel A and Channel B in a safe state). |
16#4001 16385 | The device has not been functionally tested after a fault occurs. |
|
Affects Math Status Flags
No
Major / Minor Faults
None specific to this instruction. See Index Through Arrays for array-indexing faults.
Execution
Condition/State | Action Taken |
|---|---|
Prescan | Same as Rung-condition-in is false. |
Rung-condition-in is false | The .O1 and .FP are cleared to false. |
Rung-condition-in is true | The instruction executes as described in the Normal Operation section. |
Postscan | Same as Rung-condition-in is false. |
Provide Feedback