Safety Function: Two Hand Control
Contents
1. E Stop 1 B2 E2 Sub System 1 Sub System 2 Sub System 3 meee eee Se SSS SS SSS RP See Ee ee elec ele ee eee eee eee elle eee ee eee eee ee eee The functional safety ratings for the E Stop INPUT subsystem are E Stop e 2 47E 8 4 100 High 99 High 65 fulfilled The functional safety ratings for the GSR SI LOGIC subsystem are 5H Monitoring Safety Relay GSA SI PFH 17h 133 Cat M T T Fd a FUN E PEF F TT DCavg fre Ayes 13 The functional safety ratings for the 100S OUTPUT subsystem are EB Safety Contactors 3 Cat MTTFd a DCavg 65 fulfilled Note that the 800Z palm buttons E Stop and Safety Contactors data includes MTTFd DCavg and CCF data This is because these are electromechanical devices Electromechanical devices functional safety evaluations include how frequently they are operated whether they are effectively monitored for faults and properly specified and installed SISTEMA calculates the MTTFd using B10d data provided for the contactors along with the estimated frequency of use entered during the creation of the SISTEMA project This application example presumes that the E Stop is operated or tested once per day ie 365 times per year The DCavg 99 for the contactors was selected from the Output Device table of EN ISO 13849 1 Annex E Direct Monitoring The DCavg 99 for the E Stop was selected from the Input Device table of EN ISO2. GSR Logic Solver Tests While Running remove the single wire safety connection between two adjoining safety relays in the system All contactors should de energize Verify proper machine status indication and safety relay LED indication Repeat for all safety connections This test is not applicable for single relay circuits While Running turn the logic rotary switch on the safety relay All contactors should remain de energized Verify proper machine status indication and safety relay LED indication Repeat for all safety relays in the system Safety Contactor Output Tests While Running remove the contactor feedback from the safety relay All contactors should remain energized Initiate a Stop Command followed by a Reset Command The relay should not restart or reset Verify proper machine status indication and safety relay LED indication GSR Emergency Stop Safety Function Verification and Validation Checklist General Machinery Information Machine Name Model Number Machine Serial Number Customer Name Test Date Tester Name s Schematic Drawing Number Guardmaster Safety Relay Model Safety Wiring and Relay Configuration Verification a Visually inspect the safety relay circuit is wired as documented in the schematics a ee a Visually inspect the safety relay rotary switch settings are correct as documented S es Normal Operation Verification The safety relay system properly respond
3. Important User Information Solid state equipment has operational characteristics differing from those of electromechanical equipment Safety Guidelines for the Application Installation and Maintenance of Solid State Controls publication SGI 1 1 available from your local Rockwell Automation sales office or online at http www rockwellautomation com literature describes some important differences between solid state equipment and hard wired electromechanical devices Because of this difference and also because of the wide variety of uses for solid state equipment all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable In no event will Rockwell Automation Inc be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment The examples and diagrams in this manual are included solely for illustrative purposes Because of the many variables and requirements associated with any particular installation Rockwell Automation Inc cannot assume responsibility or liability for actual use based on the examples and diagrams No patent liability is assumed by Rockwell Automation Inc with respect to use of information circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell Automation Inc is prohibit
4. 13849 1 Annex E Cross Monitoring The CCF value is generated using the scoring process outlined in Annex F of ISO 13849 1 The complete CCF scoring process must be done when actually implementing an application A minimum score of 65 points must be achieved A CCF of 65 was entered for practical purposes in each case for this application example Verification and Validation Plan Verification and Validation play an important role in the avoidance of faults throughout the safety system design and development process ISO EN 13849 2 sets the requirements for verification and validation It calls for a documented plan to confirm all the Safety Functional Requirements have been met Verification is an analysis of the resulting safety control system The Performance Level PL of the safety control system is calculated to confirm it meets the Required Performance Level PLr specified The SISTEMA software tool is typically utilized to perform the calculations and assist with satisfying the requirements of ISO 13849 1 Validation is a functional test of the safety control system to demonstrate that it meets the specified requirements of the safety function The safety control system is tested to confirm all of the safety related outputs respond appropriately to their corresponding safety related inputs The functional test should include normal operating conditions in addition to potential fault inject of failure modes A checklist is typica
5. MSE Tr E e Safety Function Two Hand Control Products 800Z Zero Force Buttons MSR125 Safety Relay GSR SI Safety Relay Safety Rating PLe Cat 4 to EN ISO 13849 1 2008 Rockwell Allen Bradley Rockwell Software Automation Table of Contents Introduction Important User Information Safety Function Realization Risk Assessment Two Hand Control Safety Function Safety Function Requirements General Safety Information Functional Safety Description Bill of Material Setup and Wiring System Overview Electrical Schematic Configuration Calculation of the Performance Level Verification and Validation Plan Additional Resources Introduction This Safety Function application note explains how to wire and configure two 800Z Zero Force palm buttons an MSR125 two hand control an E Stop a GSR SI Safety Relay and two 100S safety contactors to create a two hand control safety system When the operator places one hand on each button simultaneously within 0 5 sec of each other confirming that the operator is in the proper safe location the two 100s contactors are energized powering the hazardous motion Removing either or both hands will cause the system to turn off the safety contactors The SISTEMA calculations in this document are for the system described here A system using different components or a different configuration would have to be calculated based on its actual components and system structure
6. b No Description l Gu y y g nstructions y Rela ySlinstallation Instructions 440R N042 How to install configure commission operate and maintain GSR SI Safety Relays You can view or download publications at http www rockwellautomation com literature To order paper copies of technical documentation contact your local Allen Bradley distributor or Rockwell Automation sales representative For More Information on Safety Function Capabilities visit discover rockwellautomation com safety Rockwell Automation Allen Bradley GuardMaster GuardShield PHOTOSWITCH RightSight and SensaGuard are trademarks of Rockwell Automation Inc Trademarks not belonging to Rockwell Automation are property of their respective companies www rockwellautomation com Power Control and Information Solutions Headquarters Americas Rockwell Automation 1201 South Second Street Milwaukee WI 53204 2496 USA Tel 1 414 382 2000 Fax 1 414 382 4444 Europe Middle East Africa Rockwell Automation NV Pegasus Park De Kleetlaan 12a 1831 Diegem Belgium Tel 32 2 663 0600 Fax 32 2 663 0640 Asia Pacific Rockwell Automation Level 14 Core F Cyberport 3 100 Cyberport Road Hong Kong Tel 852 2887 4788 Fax 852 2508 1846 Publication SAFETY ATO71C EN E May 2013 Copyright 2013 Rockwell Automation Inc All Rights Reserved Supersedes Publication SAFETY ATO71B EN E January 2013
7. ed Safety Function Realization Risk Assessment The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety related parts of the control system Part of the risk reduction process is to determine the safety functions of the machine For the purposes of this document the assumed performance level required PLr is PLe Category 4 Two Hand Control Safety Function The safety system described in this Safety Function application note contains two safety functions 1 Two Hand Monitoring Safety Function Power is provided to the hazard only when the operator s hands have been placed on the palm buttons simultaneously and remain on the buttons Power is removed when one or either hand is removed from its palm button 2 E Stop Safety Function The removal of power from the hazard when the safety system detects that the E Stop has been actuated Safety Function Requirements Two Hand Monitoring Safety Function Controlled location of an operator s hands during hazardous motion by requiring the continuous actuation of two palm buttons to enable power to the motor Simultaneous operation of the two buttons must be within 0 5 seconds per ISO 13851 Upon releasing either or both of the two palm buttons power to the motor will be removed Placing both hands on the palm buttons simultaneously will restart the hazardous motion Faults at the two hand palm buttons wiri
8. is PLd Cat 3 When configured correctly the two safety functions project can achieve a safety rating of PLe Cat 4 according to EN ISO 13849 1 2008 The Functional Safety Specifications of the project call for a Performance Level on PLd minimum and a structure of Cat 3 minimum A PFHd of less than 1 0 E 06 for the overall safety function is required for PLd Project Documentation Safety functions Holdtovun function Safety elated stop function initiated by safeguard d e The overall Two Hand Control Safety Function value is shown below Two Hand Control Pe fd PL _ je PFH 17h 5 95E 8 The Two Hand Control Safety Function can be modeled as follows INPUT I logc OUTPUT MSR125 The functional safety ratings for the 800Z INPUT subsystem are Two Hand Buttons PFH 17h 13 39 High 65 fulfilled The functional safety ratings for the MSR125 LOGIC subsystem are PL O PFH 1 h Cat MTTFd a DCavg 4 i uT i i fa ALT Le ie i ey 1 nr ay The functional safety ratings for the 100S OUTPUT subsystem are 100S Safety Contactor e PFH 17h 2 47E 8 Cat 4 MTTFd a 1100 High 23 High 65 fulfilled The overall E Stop safety function value is shown below E Stop PLr PFH 17h The E Stop safety function can be modeled as follows input Logic output PN le llr
9. l application and understanding of the product ATTENTION Identifies information about practices or circumstances that can lead to personal injury or death property damage or economic loss Attentions help you identify a hazard avoid a hazard and recognize the consequence SHOCK HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that dangerous voltage may be present BURN HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that surfaces may reach dangerous temperatures General Safety Information Contact Rockwell Automation to find out more about our safety risk assessment services IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements ATTENTION A risk assessment should be performed to make sure all task and hazard combinations have been identified and addressed The risk assessment may require additional circuitry to reduce the risk to a tolerable level Safety circuits must take into consideration safety distance calculations which are not part of the scope of this document Functional Safety Description The purpose of the two hand monitoring safety function in this application note is to provide safe and easy running and stopping of a hazardous machine to suit the requirements of a manufacturing process The machine is allowed to run performing it
10. lly used to document the validation of the safety control system Prior to validating the GSR Safety Relay system it is necessary to confirm the GSR Relay has been wired and configured in accordance with the Installation Instructions 14 Two Hand Control Station Safety Function Verification and Validation Checklist General Machinery Information Machine Name Model Number Machine Serial Number Customer Name Test Date Tester Name s Schematic Drawing Number Guardmaster Safety Relay Model Safety Wiring and Relay Configuration Verification a Visually inspect the safety relay circuit is wired as documented in the schematics a ee a Visually inspect the safety relay rotary switch settings are correct as documented a ees Normal Operation Verification The safety relay system properly responds to all normal Start Stop Estop and Reset Commands Initiate a Start Command by simultaneously pressing both palm buttons Both contactors should energize for a normal machine run condition Verify proper machine status indication and safety relay LED indication Initiate a Stop Command by simultaneously releasing both palm buttons Both contactors should de energize for a normal machine Stop condition Verify proper machine status indication and safety relay LED indication While Stopped only press the left palm button The door should remain closed and locked Both contactors should remain de energized and ope
11. n for a normal safe condition Verify proper machine status indication and safety relay LED indication Repeat for right palm button Initiate Reset Command Both contactors should remain de energized Verify proper machine status indication and safety relay LED indication Abnormal Operation Verification The Safety Relay system properly responds to all foreseeable faults with corresponding diagnostics Two Hand Run Station Input Tests While Stopped press the left palm button followed by the right 1 sec later Both contactors should remain de energized and open Verify proper machine status indication and safety relay LED indication Repeat for sequence starting with the right palm button While Running remove the Channel 1 wire from the E Stop pushbutton Both contactors should de energize Verify proper machine status indication and safety relay LED indication Repeat for Channel 2 While Running short Channel 1 of the safety relay to 24V DC Both contactors should de energize Verify proper machine status indication and safety relay LED indication Repeat for Channel 2 While Running short Channel 1 of the safety relay to OV DC Both contactors should de energize Verify proper machine status indication and safety relay LED indication Repeat for Channel 2 While Running short Channels 1 amp 2 of the safety relay Both contactors should de energize Verify proper machine status indication and safety relay LED indication
12. ng terminals or safety controller will be detected before the next safety demand The safe distance location of the two hand control station must be established per ISO 13855 such that the hazardous motion must be stopped before the operator can reach the hazard E Stop Safety Function Pressing the E Stop will stop hazardous motion and prevent motion by removal of power to the motor Upon resetting the E Stop pushbutton hazardous motion and power to the motor will not resume until a secondary action pressing and releasing the reset button is performed This Emergency Stop function is complementary to any other safeguards on the machine and shall not reduce the performance of other safety related functions The safety functions in this example are each capable of connecting and interrupting power to motors rated up to 9A 600VAC The safety functions will meet the requirements for Performance Level e Category 4 PLe Cat 4 per ISO 13849 1 and SIL3 per IEC 62061 and control reliable operation per ANSI B11 19 The stop implemented by each safety function is Stop Category 0 Throughout this manual when necessary we use notes to make you aware of safety considerations IMPORTANT WARNING Identifies information about practices or circumstances that can cause an explosion in a hazardous environment which may lead to personal injury or death property damage or economic loss Identifies information that is critical for successfu
13. ngth 440R D23171 MSR125HP Relay Model Two hand Control 2 N 0 Immediate Safety Outputs N A Auxiliary Outputs N A Delayed Safety Outputs 24V AC DC Power Supply Automatic Manual Reset Removable Terminals 2 2 440R A23209 Bag of 4 4 pin Screw Terminal Blocks 1 800F 1 hole Enclosure E Stop Station Plastic PG Twist to Release 40 mm Non illuminated 2 N C 1 1 800F BX10 NO Status Contact add to 800F 1YP3 ae 440R S12R2 Guardmaster Safety Relay 1 Dual Channel Universal Input 1 N C Solid State Auxiliary a Outputs 800FM G611MX10 800F Push Button Metal Guarded Blue R Metal Latch Mount 1 N 0 Contact s 0 N C 1 Contact s Standard Standard Pack qty 1 100S C09EJ23C MCS 100S C Safety Contactor 9 A 24V DC Setup and Wiring For detailed information on installing and wiring refer to the product manuals listed in the Additional Resources System Overview The MSR125 relay model monitors the contacts of the two 800Z palm buttons When the system is running and one hand or both hands move from a palm button the MSR125 responds by opening its safety contacts removing 24V from the coils of both 100S contactors The contactors open their contacts removing power from the hazardous motion The hazardous motion coasts to a stop The MSR125 is wired automatic reset As required by standards the MSR125 will only reset if both palm buttons are actuated by an operator s hands within 0 5 seconds of each other sim
14. s task when the operator is in a safe location with both the operator s hands are placed on each of two palm buttons When either one or both of the operator s hands are removed from a palm button the MSR125 responds by opening its safety contacts and removes power to the hazardous motion This stops the machine and allows the operator to perform some safe task in the guarded area while the machine is stopped and maintained stopped Once this task is completed the operator must move a distance away from the guarded area to access the two palm buttons The operator must place their hands on the two palm buttons simultaneously Responding to this the MSR125 responds by closing its safety contacts This starts the machine allowing it to perform its task The purpose of the E Stop safety function is straightforward When an urgent need to stop the machine arises the E Stop pushbutton is pressed The GSR SI monitoring the E Stop pushbutton responds by opening its safety contacts removing power from the coils of the two 100S safety contactors The 100s contacts open removing power from the hazardous motion Bill of Material Catalog Number Description Quantity 800Z GL205Y 22 5 mm Type 4 4X 13 IP 66 Zero Force Momentary General Purpose Touch Button 10 40V DC and 20 30V AC Input Relay Output 5 pin QD Yellow Guard 800Z G2AH1 Plastic Mounting Kit for 22 5 mm Holes GP i a 889D F5AG2 5 pin Straight QD Cable 22 5 mm Mounting Hole 2 m 6 56 ft Le
15. s to all normal Start Stop Estop and Reset Commands Initiate a Start Command Both contactors should energize for a normal machine run condition Verify proper machine status indication and safety relay LED indication Initiate a Stop Command Both contactors should de energize for a normal machine Stop condition Verify proper machine status indication and safety relay LED indication While Running press the E Stop pushbutton Both contactors should de energize and open for a normal safe condition Verify proper machine status indication and safety relay LED indication Repeat for all E Stop pushbuttons While Stopped press the E Stop pushbutton initiate a Start Command Both contactors should remain de energized and open for a normal safe condition Verify proper machine status indication and safety relay LED indication Repeat for all E Stop pushbuttons Initiate Reset Command Both contactors should remain de energized Verify proper machine status indication and safety relay LED indication Abnormal Operation Verification The Safety Relay system properly responds to all foreseeable faults with corresponding diagnostics E Stop Input Tests While Running remove the Channel 1 wire from the safety relay Both contactors should de energize Verify proper machine status indication and safety relay LED indication Repeat for Channel 2 While Running short the Channel 1 of the safety relay to 24V DC Both contactors should de energi
16. the GSR SI resets closing its safety contacts The hazardous motion is restarted When the reset button is pressed for less than 250 seconds or longer than 3 seconds the reset signal is ignored and the GSR SI safety contactors remain open This is to prevent inadvertent reset and thwart tie down of the reset button Electrical Schematic 24V OV MSR125 Brn B Sy 800Z LEFT k Blu BI Brn Status K1 _ Status 6 2 to PLC Status oO o oe to PLC Status to PLC Reset K1 K2 Status to PLC MSR125 440R D23171 SI 440R S12R2 l External Switched i 1 Stop Start Circuit 1 HH K HY rc Configuration Configuration GSR 5I The following procedure sets the function ofthe device 1 Start conhguration overwrite with power off turn rotary switch ta position 0 and unit is powered Up After power up test PWR LED will flash red 2 5et configuration turn rotary switch to MM monitored manuali IN 1 LED blinks new setting NOTE Position is set when PWR LED is solid green 3 Lock in configuration by cycling unit Power 4 Configuration must be confirmed before operation A white space an face of device is provided to record unit setting Enable program mode fd 0 Set operation mode AM 0 E Cycle power to store 10 Calculation of the Performance Level The Performance Level required PLr for each safety function in this application note project
17. ultaneity When the standard s simultaneity requirement is met the MSR125 closes its safety contacts provided that two auxiliary contacts of the 100S contactors K1 and K2 wired in series between Y1 and Y2 of the MSR125 are closed confirming that both 100Ss are properly de energized The closing safety contacts energize the coils of the 100S contactors The hazardous motion is restarted The MSR125 uses Plausibility check e g use of normally open and normally closed mechanically linked contacts to monitor the 800Z palm buttons for faults The GSR SI monitors the E Stop push button The pulsed outputs of the GSR SI terminals 11 and 21 are run separately through the two E Stop contacts to input terminals 12 and S22 respectively This enables the GSR SI to detect loose wire short to 24V short to GND welded contact and cross channel faults When the E Stop push button is pressed the pulsed output to input circuits are broken The GSR SI responds by opening its safety contacts removing 24V from the coils of the 100S contactors De energized the 100Ss open their contacts The hazardous motion coasts to a stop The GSR S is configured for monitored manual reset 24V is connected to the reset button via two auxiliary NC contacts of the 100S contactors The two closed NC contacts confirm that the 100S contactors are properly de energized Once the E Stop button is released and the reset pushbutton is pressed for 250 to 3 seconds then released
18. ze Verify proper machine status indication and safety relay LED indication Repeat for Channel 2 While Running short the Channel 1 of the safety relay to OV DC Both contactors should de energize Verify proper machine status indication and safety relay LED indication Repeat for Channel 2 While Running short Channels 1 amp 2 of the safety relay Both contactors should de energize Verify proper machine status indication and safety relay LED indication GSR Logic Solver Tests While Running remove the single wire safety connection between two adjoining safety relays in the system All contactors should de energize Verify proper machine status indication and safety relay LED indication Repeat for all safety connections This test is not applicable for single relay circuits While Running turn the logic rotary switch on the safety relay All contactors should remain de energized Verify proper machine status indication and safety relay LED indication Repeat for all safety relays in the system Safety Contactor Output Tests While Running remove the contactor feedback from the safety relay All contactors should remain energized Initiate a Stop Command followed by a Reset Command The relay should not restart or reset Verify proper machine status indication and safety relay LED indication 16 Additional Resources For more information about the products used in this example refer to these resources Document Pu
Download Pdf Manuals
Related Search