Safety Function: Emergency Stop Products
Contents
1. 4 ma a s sar so Be 5 ai 3 gt p 2 bo Sn OS ee C28 628 Cy OA cae DEKA it eed eee ee on sd ee de E aya E A pe D perp Coe oem SIP ii des e a a DOHA DO cei PATIO cn FPS m E te e coe coe crm sei aya ROA A cos OO n Ssa Alil C Safety Function Emergency Stop Products GuardLogix Series Connection of E stops Safety Rating PLd Cat 3 to EN ISO 13849 1 2008 HS TERT E Rockwell i Allen Bradley Rockwell Software Automation Table of Contents Introduction Important User Information Safety Function Realization General Safety Information Setup and Wiring Configuration Calculation of the Performance Level Verification and Validation Plan Additional Resources Introduction This Safety Function application note explains how to wire configure and program a Compact GuardLogix controller and POINT Guard I O module to monitor a series of dual channel safety E stop devices If any of the E stops is actuated or a fault is detected in the monitoring circuit the GuardLogix controller de energizes the final control device in this case a redundant pair of 1005 contactors This example uses a Compact GuardLogix controller but is applicable to any GuardLogix controller Important User Information Solid state equipment has operational characteristics differing from those of electromechanical equipment Safety Guidelines for the Applic2. add the 1768 ENBT module to the 1768 Bus 3 Select the 1768 ENBT module and click OK 1768 ControlNet Bridge 768 ControlNet Bridge Rec 4 Name the module type its IP address and click OK We used 192 168 1 8 for this application example Yours may be different New Module OK Coca teo 5 Add the 1734 AENT adapter by right clicking the 1768 ENBT module in the Controller Organizer and choosing New Module 3 8 I O Configuration 2 68 1768 Bus G 1 1768 ENBT A ENBT E 6 Selectthe 1734 AENT adapter and click OK E Select Module mR 1734 Ethernet Adapter 2 Port Twisted Pair Media 1738 Ethernet Adapter Twisted Pair Media 1738 Ethernet Adapter 2 Port Twisted Pair Media 1756 10 100 Mbps Ethernet Bridge Fiber Media 1756 10 100 Mbps Ethernet Bridge Twisted Pair Media 1756 10 100 Mbps Ethernet Bridge 2 Port Twisted Pair 1756 10 100 Mbps Ethernet Bridge 2 Port Twisted Pair 1756 10 100 Mbps Ethernet Bridge Twisted Pair Media 1756 Ethernet Communication Interface 1756 Ethernet Communication Interface 10 100 i Enhanced AUG UE ast Dor Ma amd 2r Ma 7 Name the module type its IP address and click OK We used 192 168 1 11 for this application example Yours may be different 8 Click Change E New Module 10 11 9 Setthe Chassis Size as 3 for the 1734 AENT adapter and click OK Chassis size is the number of modules that will be
3. environment which may lead to personal injury or death property damage or economic loss Identifies information that is critical for successful application and understanding of the product ATTENTION Identifies information about practices or circumstances that can lead to personal injury or death property damage or economic loss Attentions help you identify a hazard avoid a hazard and recognize the consequence SHOCK HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that dangerous voltage may be present BURN HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that surfaces may reach dangerous temperatures General Safety Information Contact Rockwell Automation to find out more about our safety risk assessment services IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements ATTENTION A risk assessment should be performed to make sure all task and hazard combinations have been identified and addressed The risk assessment may require additional circuitry to reduce the risk to a tolerable level Safety circuits must take into consideration safety distance calculations which are not part of the scope of this document Functional Safety Description Hazardous motion is interrupted or prevented by actuation of any emergency stop pushbutton ES1 ES2
4. or ES3 Each E Stop is considered a separate safety function The E stop pushbuttons are connected in series to a pair of safety inputs of a Safety Input module SI1 The safety contactors K1 8 K2 are connected to a pair of safety outputs of a Safety Output module SO1 The I O modules are connected via CIP Safety over an EtherNet IP network to the Safety Controller SC1 The safety code in SC1 monitors the status of the E Stop pushbuttons using a pre certified safety instruction named Dual Channel Input Stop DCS When all conditions are satisfied no faults are detected on the input modules and the reset push button is pressed a second certified function block called Configurable Redundant Output CROUT checks the status of the final control devices a pair of 1005 redundant contactors The controller then issues an output signal to the safety output module SO1 to switch ON a pair of outputs to energize the safety contactors Bill of Material This application example uses these components Catalog Number Description Quantity 800F Non illuminated Mushroom Operators Twist To 800FM MT34MX02 Release 30 mm Round Metal Red Metal Latch Mount 2 N C Contact S 800F Reset Push Button Metal Guarded Blue R 800FM G611MX10 Metal Latch Mount 1 N 0 Contact S Standard 1005 C097 230 Bulletin 100S C Safety Contactors 1768 ENBT CompactLogix EtherNet IP Bridge Module Compact GuardLogix Processor 1768 1435 2 0 MB stan
5. 34 UM013 and operating POINT Guard 1 0 Modules Contains detailed requirements for achieving and maintaining safety ratings with the GuardLogix controller system GuardLogix Controller Systems Safety Reference Manual Publication 1756 RM093 GuardLogix Safety Application Instruction Set Reference Manual Publication 1756 RM095 Provides detailed information on the GuardLogix Safety Application Instruction Set Safety Accelerator Toolkit for Provides a step by step guide to using the design GuardLogix Systems Quick Start Guide programming and diagnostic tools in the Safety Publication IASIMP 05005 Accelerator Toolkit Safety Products Catalog You can view or download publications at http www rockwellautomation com literature To order paper copies of technical documentation contact your local Allen Bradley distributor or Rockwell Automation sales representative For More Information on Safety Function Capabilities visit discover rockwellautomation com safety Rockwell Automation Allen Bradley GuardLogix RSLogix 5000 CompactLogix Stratix 2000 and POINT Guard I O are trademarks of Rockwell Automation Inc Trademarks not belonging to Rockwell Automation are property of their respective companies www rockwellautomation com Power Control and Information Solutions Headquarters Americas Rockwell Automation 1201 South Second Street Milwaukee WI 53204 2496 USA Tel 1 414 382 2000 Fax 1 414 382 4444 Europe M
6. All contactors should de energize Return key switch back to Run Mode all contactors should remain de energized Verify proper machine status indication and RSLogix 5000 safety application program indication Safety Contactor Output Tests Initiate a Start Command Both contactors should energize for a normal machine run condition Verify proper machine status indication and RSLogix 5000 safety application program indication Test Step While Running remove the contactor feedback from the Safety 1 0 All contactors should remain energized Initiate a Stop command and attempt a Reset command The system should not Restart or Reset Verify proper machine status indication and RSLogix 5000 safety application program indication While Running short the contactor feedback to the Safety 1 0 All contactors should remain energized Initiate a Stop command and attempt a Reset command The system should not Restart or Reset Verify proper machine status indication and RSLogix 5000 safety application program indication 21 Additional Resources For more information about the products used in this example refer to these resources Resource Description Compact GuardLogix Controllers User Manual Provides information on configuring operating Publication 1768 UM002 and maintaining Compact GuardLogix controllers POINT Guard 1 0 Safety Modules Installation Provides information on installing configuring and User Manual Publication 17
7. ation Installation and Maintenance of Solid State Controls publication SGI 1 1 available from your local Rockwell Automation sales office or online at http www rockwellautomation com literature describes some important differences between solid state equipment and hard wired electromechanical devices Because of this difference and also because of the wide variety of uses for solid state equipment all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable In no event will Rockwell Automation Inc be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment The examples and diagrams in this manual are included solely for illustrative purposes Because of the many variables and requirements associated with any particular installation Rockwell Automation Inc cannot assume responsibility or liability for actual use based on the examples and diagrams No patent liability is assumed by Rockwell Automation Inc with respect to use of information circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell Automation Inc is prohibited Safety Function Realization Risk Assessment The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to
8. be carried out by the safety related parts of the control system Part of the risk reduction process is to determine the safety functions of the machine For the purposes of this document the assumed required performance level is Category 3 PLd Emergency Stop Safety Function Emergency stop by actuation of an emergency stop push button Safety Function Requirements Pressing of any one of the series wired E Stops will stop and prevent hazardous motion by removal of power to the motor Upon resetting the E Stop pushbutton hazardous motion and power to the motor will not resume until a secondary action start button depressed occurs Faults at the E Stop button wiring terminals or safety controller will be detected before the next safety demand This Emergency Stop function is complementary to any other safeguards on the machine and shall not reduce the performance of other safety related functions The safety function in this example is capable of connecting and interrupting power to motors rated up to 9A 600VAC The safety function will meet the requirements for Category 3 Performance Level d Cat 3 PLd per ISO 13849 1 and SIL3 per IEC 62061 and control reliable operation per ANSI B11 19 Throughout this manual when necessary we use notes to make you aware of safety considerations gt IMPORTANT Pe gt WARNING Identifies information about practices or circumstances that can cause an explosion in a hazardous
9. culated to confirm it meets the Required Performance Level PLr specified The SISTEMA software tool is typically utilized to perform the calculations and assist with satisfying the requirements of ISO 13849 1 Validation is a functional test of the safety control system to demonstrate that it meets the specified requirements of the safety function The safety control system is tested to confirm all of the safety related outputs respond appropriately to their corresponding safety related inputs The functional test should include normal operating conditions in addition to potential fault inject of failure modes A checklist is typically used to document the validation of the safety control system Validation of software development is a process in which similar methodologies and techniques that are used in hardware development are deployed Faults created through poor software development process and procedure are systemic in nature rather than faults associated with hardware which are considered as random Prior to validating the GuardLogix Safety System it is necessary to confirm the safety system and safety application program have been designed in accordance with the GuardLogix System Safety Reference Manual 1756 RM093 and the GuardLogix Application Instruction Safety Reference Manual 1756 RMO095 19 GuardLogix Emergency Stop Function Verification and Validation Checklist General Machinery Information Machine Name Model Numbe
10. dard memory 0 5 MB safety memory 1769 ECR Right End Cap Terminator 1734 AENT 24V DC Ethernet Adapter 1734 18 Module Base with Removable IEC Screw Terminals 1734 1885 POINT Guard Safety Input Module 1734 0B85 POINT Guard Safety Output Module 1783 USO5T Stratix 2000 Unmanaged Ethernet Switch 1768 PA3 Power Supply 120 240 VAC Input 3 5 A 24V DC Setup and Wiring For detailed information on installing and wiring refer to the product manuals listed in the Additional Resources System Overview The 1734 IB8S input module monitors the inputs from the E stops which are connected in series This method conserves the number of inputs that are used but reduces the granularity of system diagnostics Typically E stops are not operated as often as a safety gate for example therefore the need to connect each E stop contact into its own dedicated input is reduced An E stop is considered to be a complementary safety device EN 12100 2 5 5 1 provides details on complementary protective measures These are measures which are neither inherently safe design nor safeguarding but are required due to intended use or reasonably foreseeable misuse of the machine The circuit is tested by using test pulses TO and T1 on the inputs l0 and 11 These test pulses source the 24V DC for the circuit By periodically dropping the 24V DC to OV DC it is possible to detect cross channel faults and shorts to an external 24V DC Shorts to OV DC will be s
11. e status indication and RSLogix 5000 safety application program indication Restore Channel 1 and repeat for Channel 2 While Running short the Channel 1 of the Safety 1 0 to 24VDC Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify unable to reset and restart with fault Restore Channel 1 and repeat for Channel 2 While Running short the Channel 1 of the Safety 1 0 to OVDC Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Restore Channel 1 and repeat for Channel 2 While Running short the Channels 1 amp 2 of the Safety 1 0 Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Restore Channel 1 amp 2 wiring GuardLogix Controller and Network Tests While Running remove the Ethernet network connection between the Safety 1 0 and the controller All contactors should de energize Verify proper machine status indication and 1 0 Connection Status in the RSLogix 5000 safety application program Test Step Restore the Safety 1 0 module network connection and allow time to reestablish communication Verify the Connection Status Bit in the RSLogix 5000 safety application program Repeat for all Safety 1 0 connections While Running switch the controller out of Run Mode
12. een as an open circuit by the input and will be detected by either the hardware if configured to detect discrepancy errors or by the appropriate safety function block in the application code The final control device in this case is a pair of 100S safety contactors K1 and K2 The contactors are controlled by a 1734 OBS safety output module These are wired in a redundant configuration and are tested on start up for faults The start up test is accomplished by using a CROUT instruction to monitor the feedback circuit into input 7 17 before the contactors are energized The system is reset by means of the momentary push button PB1 Electrical Schematic as gt gt 9 E stop 9 E stop 9 E stop 1734 OB8S Configuration The Compact GuardLogix controller is configured by using RSLogix 5000 software version 17 or later You must create a new project and add the I O modules Then configure the I O modules for the correct input and output types A detailed description of each step is beyond the scope of this document Knowledge of the RSLogix programming environment is assumed Configure the Controller and Add I O Modules Follow these steps 1 In RSLogix 5000 software create a new project 1768 1435 CompactLogix53435 Safety Controller 1 Redundancy Enabled eaux Po Lnassis Ippe Piet mu Plat o i al Pi aa slat Salet Partner Slot lt ntemal gt CARSLogix 5000 Projects 2 Inthe Controller Organizer
13. ess than 1 0 E 06 for the overall safety function is required for PLd A PFH 14h 11 26E 7 When modeled in SISTEMA each safety E stop string is treated as an individual safety function and can be modeled as follows This diagram shows a single E stop safety function i l J l l 1734 IB8S Sub System 1 17 Calculations are based on 1 operation of the E stop per month with 12 operations per year therefore 36 operations of contactors per year The Diagnostic Coverage Dcavg is reduced to 60 for the E stops because they are connected in series The measures against Common Cause Failure CCF are quantified using the scoring process outlined in Annex F of ISO 13849 1 For the purposes of the PL calculation the required score of 65 needed to fulfill the CCF requirement is considered to be met The complete CCF scoring process must be done when implementing this example Estop 1 Cat MTTFd a DCavg CCF 18 Verification and Validation Plan Verification and Validation play an important role in the avoidance of faults throughout the safety system design and development process ISO EN 13849 2 sets the requirements for verification and validation It calls for a documented plan to confirm all the Safety Functional Requirements have been met Verification is an analysis of the resulting safety control system The Performance Level PL of the safety control system is cal
14. ety inputs Channel A and Channel B are in the active state as determined by the Input Type parameter and the correct reset actions are carried out The DCS instruction monitors dual input channels for consistency Equivalent Active High and detects and traps faults when the inconsistency is detected for longer than the configured Discrepancy Time ms The Configurable Redundant Output CROUT instruction controls and monitors redundant outputs The reaction time for output feedback is configurable The instruction supports positive and negative feedback signals The safety application code in the safety output routine prevents outputs from restarting if the input channel resets automatically providing anti tiedown functionality for the Circuit Reset The Input OK status is used as a permissive in the safety output routines oo ALS g Dua granna ngt Siop DOGS Zona Estoni OO Salety Function EMERGENCY STOP re Types EQUIVALENT ACTIVE HIGH EFF Discrepanoy Thine esc 300 Restad Type ALT Ste ThE Cold Start Type ALT Ste TEE Channel AERTA POO a a Channel A SERMT 1 LPO Dala mpd Stsiuz SENT 1 1 CombinedinputSta iL 0 Reset Cme_tene _Fauithtsset SENT LAM coe a Zoned_Estop 101 Se _Zoned_Estop_1 ngubok 5 _ _ _ _ _ _ _ _ al ZAENT 1 LAC Vik Zoned Saret Revel one le_Zone1_Etop 1 Input Zonei HZ FP nd inel Ou WEnele roa Peal ONS Cmd Zone _ Cul G
15. iddle East Africa Rockwell Automation NV Pegasus Park De Kleetlaan 12a 1831 Diegem Belgium Tel 32 2 663 0600 Fax 32 2 663 0640 Asia Pacific Rockwell Automation Level 14 Core F Cyberport 3 100 Cyberport Road Hong Kong Tel 852 2887 4788 Fax 852 2508 1846 Publication SAFETY ATO80B EN E January 2013 Copyright 02013 Rockwell Automation Inc All Rights Reserved Supersedes Publication SAFETY ATO80A EN E October 2012
16. inserted in the chassis The 1734 AENT adapter is considered to be in slot 0 so for one input and one output module the chassis size is 3 Module Definition 3 Mi 13 Compatible Module Y A 5 8 I O Configuration 1 4 1768 Bus 11 Expand Safety select the 1734 1885 module and click OK E Select Module Add Fayorite 12 13 13 When the Module Definition dialog box opens change the Input Status to Combined Status Power and click OK Module Definition 14 Close the Module Properties dialog box by clicking OK 15 Repeat steps 10 14 to add the 1734 OB8S safety output module 14 Configure the I O Modules Follow these steps to configure the POINT Guard I O modules 1 In the Controller Organizer right click the 1734 IB8S module and choose Properties 2 Click Input Configuration and configure the module as shown Connection Safety Module nfo Input Contiguraton Test Output E A 07 re Gatas seres SL ost 4 Click OK 5 In the Controller Organizer right click the 1734 OB8S module and choose Properties 6 Click Output Configuration and configure the module as shown LEE 7 Click OK 15 Programming The Dual Channel Input Stop DCS instruction monitors dual input safety devices whose main function is to stop a machine safely for example an E stop light curtain or safety gate This instruction can only energize Output 1 when both saf
17. ite rene he ALT CONT Grok Redandant Taul CROLIT Zane R12 Feedback Type NEGATIWE Fee dkach Reaction Time Mec 500 Aciuale md Fone Cad gti Prades 0 Feedback 1 ALERTA PO Dala l Feedback 2 AER LPO Gaia Input telus BENT 40 Combnedrpi ta TLE uip Staus AENT Combined itt ene g Resa Cmo_fonel_Fauithiaset ENT AOS G o fone Bik Oi Zone hike oe BERT 220 Pill labs LENT 200 PRO Data Encl Falling Edge Reset ISO 13849 1 stipulates that instruction reset functions must occur on falling edge signals To comply with this requirement add a One Shot Falling instruction to the rung immediately preceding the Cmd_Zone1_OutputEnable rung Then use the OSF instruction Output Bit tag as the reset bit for the following rung The Cmd_Zone1_OutputEnable is then used to Enable the CROUT instruction Modify the reset code as shown below Resell sAERT 1 1 AG Daas One Shot Falling Slorage Gil Wk Toned _Satety Resat OF 5851 Dp Bd wth Zonet SafelyReset_Follingidge 0 wk fone Saten Raana Pal picos SSIS Ep I pOH Sia inel Sataa 7 Ine i ae md Ore AEri e ca Emd_Zonel_CilpolEnable Calculation of the Performance Level When configured correctly the safety system can achieve a safety rating of PLd Cat 3 according to EN ISO 13849 1 2008 The Functional Safety Specifications of the project call for a Performance Level on PLd minimum and a structure of Cat 3 minimum A PFHd of l
18. r Machine Serial Number Customer Name Test Date Tester Name s Schematic Drawing Number Controller Name Safety Signature ID Safety Network Number s RSLogix5000 Software Version Safety Control System Modules GuardLogix Modules Firmware Version 1768 L43S 1768 ENBT 1734 AENT GuardLogix Safety Controller CompactLogix Ethernet Bridge POINT 1 0 Ethernet Adapter POINT 1 0 Input Modules 1734 1885 POINT 1 0 Output Modules 1734 0B85 GuardLogix Safety System Configuration and Wiring Verification Verify the safety system has been designed in accordance with the GuardLogix System Safety Reference Manual 1756 RM093 Verify the safety application program has been designed in accordance with the GuardLogix Application Instruction Safety Reference Manual 1756 RM095 Visually inspect the safety system network and 1 0 is wired as documented in the schematics Visually inspect the RSLogix 5000 program to verify that the safety system network and 1 0 module configuration is configured as documented 1 2 3 4 5 Visually inspect the RSLogix 5000 application program to verify suitable safety certified instructions are utilized The logic is readable understandable and testable with the aid of clear comments All input devices are qualified by cycling their respective actuators Monitor the status in the RSLogix 5000 Controller Tags window All output devices are qualified by cycling their
19. respective actuators Monitor the status in the RSLogix 5000 Controller Tags window Normal Operation Verification The GuardLogix safety system properly responds to all normal Start Stop Enabling and Reset Commands Initiate a Start Command Both contactors should energize for a normal machine run condition Verify proper machine status indication and RSLogix 5000 safety application program indication Changes Modifications Initiate a Stop Command Both contactors should de energize for a normal machine Stop condition Verify proper machine status indication and RSLogix 5000 safety application program indication While Running press the E Stop pushbutton Both contactors should remain de energized and open for a normal safe condition Verify proper machine status indication and RSLogix 5000 safety application program indication Repeat for all E Stop pushbuttons While Stopped press the E Stop pushbutton and initiate a Start Command Both contactors should remain de energized and open for a normal safe condition Verify proper machine status indication and RSLogix 5000 safety application program indication Repeat for all E Stop pushbuttons Initiate Reset Command Both contactors should remain de energized Verify proper machine status indication and RSLogix 5000 safety application program indication 20 While Running remove the Channel 1 wire from the Safety 1 0 Both contactors should de energize Verify proper machin
Download Pdf Manuals
Related Search