Festo CAMC-G-S3 Manual page 122

2 Product description of safety module CAMC-G-S3
The safe output (including clock output) should always follow the idle current principle,
i.e. the Low level is the safe status.
The user must ensure this during configuration by inverting the control signal LOUT_D40
to ensure this principle is implemented.
The user must ensure that a voltage-free output leads to the safe status for the overall
system.
Each safe digital output can also be used as a clock output to feed passive sensors. In this case, it is
configured as "permanently ON".
Error detection
The output drivers have a two-channel, redundant structure. The output levels at DOUT4xA/B are con­
tinually read back by both microcontrollers during operation. Both microcontrollers output test pulses
to the outputs, which read back and analyse the pulses from their counterpart.
These measures safely detect short circuits to 24 V, 0 V and cross circuits between any outputs. If there
is an error, the output switches to the safe status (DOUT4xA/B switched off or 0 V). An error message
[57-0] IO-ERR is generated.
If there are serious internal errors and, as a result, one or both microprocessors can no longer control
the status of the outputs safely, then all the outputs are switched off jointly. Even in the case of anti­
valent outputs, both pins A/B are switched to the Low level.
Examples of such errors:
– operating voltage faulty,
– position sensors faulty,
– memory error, stack error,
– program sequence monitoring indicates an error, internal communication fault
Timing diagram
Fig. 2.31 shows an example of the runtime performance when the output DOUT40 is switched off and on
again. The test pulses for High level are also shown. They are temporally offset for all the outputs.
122 Festo – GDCP-CAMC-G-S3-EN – 1406NH – English