The application program developer must implement a specific fault reaction, e.g., setting safety output chan-nels to de-energized (‘0’ state), when required.2.13.2 Safety module with safety input channels (DI581-S, DX581-S and AI581-S)The safety function of safety modules (DI581-S, DX581-S and AI581-S) with digital and analog input chan-nels is to correctly read external analog and/or digital signals. If this function cannot be correctly executed,the safety module or only its input channel, depending on the fault scope, has to go to a safe state. In caseof a channel fault, the safe value (de-energized = ‘0’) is transferred to the safety logic module (e.g., SM560-S) with additional information about the fault for the given channel.In case of module fault, no valid telegrams are generated by the safety module to the safety logic module.The values of those safety input channels will be assigned to safe values (de-energized = ‘0’) on the SafetyCPU.Faults in the cyclic communication between the Safety CPU and the safety modules are detected by thesafety modules with input channels. If a communication fault occurs, all inputs of the affected safety modulego to a so-called passivation state in which ‘0’ values are sent as process values when the communication tothe Safety CPU is re-established. The switch-over (reintegration) from safety values ‘0’ to process data takesplace only after user acknowledgment.2.13.3 Safety module with safety output channels (DX581-S)The safety function of safety modules (DX581-S) with safety output channels is to correctly write their outputchannel signals. If this function cannot be correctly executed, the safety module or its output channel group,depending on the fault scope, has to go to a safe state. In case of a channel fault, the safe value (de-ener-gized = ‘0’) is set for the given safety output channels. In case of module fault, no valid telegrams are gener-ated by the safety output module to the Safety CPU. The values of all safety output channels will beassigned to safe values (de-energized = ‘0’).Faults in the cyclic communication between the Safety CPU and the safety output modules are detected bythe safety output module DX581-S. If a communication fault occurs, all outputs of the affected safety outputmodule are de-energized = ‘0’. The switch-over (reintegration) from safety values ‘0’ to process data takesplace only after user acknowledgment, when the communication is re-established.2.14 Safety function testAfter creating a safety program and system configuration, you must carry out a complete function test inaccordance with your automation task. For changes made to a safety program which has already undergonea complete function test, only the changes need to be tested, if a proper impact analysis was done before.Safety application program, Safety I/O configuration, etc. have to be verified, printed out and saved forproject data report and archive. The system acceptance test shall follow safety function test. After you finishconfiguring the hardware and assigning parameters for the Safety CPU and Safety I/O modules, you canperform an acceptance test. During the system acceptance test, all relevant application-specific standardsmust be adhered.Overview of AC500-S Safety PLCSafety function test30.03.2017 AC500-S 25