Safety Function - Rockwell Automation
Contents
1. Machine Name Model Number Customer Name Test Date C C wee O C GuardLogix Safety Controller CompactLogix Ethernet Bridge 1768 ENBT POINT 1 0 Ethernet Adapter 1734 AENT Be POINT Guard 1 0 Input Modules 1734 IB8S POINT Guard 1 0 Output Modules 1734 OB8S 20 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring GuardLogix Safety System Configuration and Wiring Verification fave eea 1 Verify that the safety system is designed in accordance with the GuardLogix System Safety Reference Manual publication 1756 RM093 2 Verify that the safety application program is designed in accordance with the GuardLogix Application Instruction Safety Reference Manual publication 1756 RM095 3 Visually inspect the safety system network and verify that the 1 0 is wired as documented in the schematics 4 Visually inspect the RSLogix 5000 program to verify that the safety system network and I O module configuration is configured as documented 5 Visually inspect the RSLogix 5000 application program to verify suitable safety certified instructions are used The logic must be readable understandable and testable with the aid of clear comments All input devices are qualified by cycling their respective actuators Monitor the status in the RSLogix 5000 Controller Tags window 7 All output devices are qualified by cycling their respective actuators Monitor the status in the2. depressed occurs Faults at the door interlock switch wiring terminals or safety controller are detected before the next safety demand The stop time of the machine must be established so that the hazardous motion can be stopped before the user reaches the hazard The safety function in this example is capable of connecting and interrupting power to motors rated up to 9A 600V AC The safety function in this application technique meets or exceeds the requirements for Category 3 Performance Level d CAT 3 PLd per ISO 13849 1 and control reliable operation per ANSI B11 19 4 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring Functional Safety Description In this example a request to unlock the door is made by placing a demand on a safety input interlock The demand on the safety input drops out the redundant contactors and hazardous motion coasts to a stop After a five second delay to allow the motion to completely stop the gate unlocks The TLS3 GD2 switch is wired to two pairs of safety inputs on a safety input module SI1 One pair is the lock monitoring contacts and the other is the door monitoring contacts The safety contactors K1 and K2 are connected to a pair of safety outputs on a safety output module SO1 The I O module is connected via CIP Safety protocol over an EtherNet IP network to the safety controller SC1 The safety code in SC1 monitors the status
3. RSLogix 5000 Controller Tags window Normal Operation Verification The safety relay system properly responds to all normal Start Stop E Stop Lock and Reset commands Initiate a Start command Both contactors should energize for a normal machine run condition Verify proper machine status indication and RSLogix 5000 safety application program indication Initiate a Stop command Both contactors should de energize immediately for a normal machine Stop condition After the preset time delay verify that the door unlocks Verify proper machine status indication and RSLogix 5000 safety application program indication 3 While the system is running attempt to open the guard door The door should remain closed and locked Both contactors should remain energized and closed for a normal safe condition Verify proper machine status indication and RSLogix 5000 safety application program indication Repeat for all guard doors While the system is stopped attempt to open the guard door The door should be unlocked and able to be opened Both contactors should remain de energized and open for a normal safe condition Verify proper machine status indication and RSLogix 5000 safety application program indication Repeat for all guard doors While the system is stopped with the guard door open initiate a Start command Both contactors should remain de energized and open for a normal safe condition Verify proper machine status indication and R
4. Request unlock request E Lock Feedback Gate_Lock_contacts O1 iH Hazard Stopped hazard stopped 0 Input Status AENT 1 LCombinredinputstalus 1 Reset AENT LPt0SData Gate ULC AENT 20 P07 Data ccrt gt Falling Edge Reset ISO 13849 1 stipulates that instruction reset functions must occur on falling edge signals To comply with this requirement a One Shot Falling OSF instruction is used on the reset rung Then the OSF instruction Output Bit tag is used as the reset bit for the Output Enable rung AENT 1 1 Pt04Data SF One Shot Falling Storage Bit store1 Output Bit Reset_FallingEdge Reset_FallingEdge Safety_Interlock O1 Gate O1 Gate_Lock_contacts O1 Safety_Contactors FP safety_output_enable safety_output_enable Calculation of the Performance Level When properly implemented this Door Monitoring and Locking safety function can achieve a safety rating of Category 3 Performance Level d CAT 3 PLd according to ISO 13849 1 2008 Rockwell Automation Publication SAFETY AT061C EN P December 2014 17 Safety Function Door Locking and Monitoring The Performance Level required PLr from the risk assessment for the safety functions in this application is PLd minimum and a structure of Cat 3 minimum A PFHd of less than 1 0E 06 for the overall safety function is required for PLd The individual subsystem values are shown below Safety function Wy IFA Documentat
5. Application Technique Allen Bradley Safety Function Door Locking and Monitoring Products TLS3 GD2 Interlock Switch GuardLogix Controller POINT Guard 1 0 Safety Modules Safety Rating CAT 3 PLd to ISO 13849 1 2008 Topic Page Important User Information 2 General Safety Information Introduction Safety Function Realization Risk Assessment Guard Locking Interlock Safety Function Safety Function Requirements Functional Safety Description Bill of Material Setup and Wiring Sp ms my my By A Sy U Configuration gt Programming Calculation of the Performance Level NO Verification and Validation Plan N ww Additional Resources USE NE Use Rockwell Allen Bradley Rockwell Software Automation SOME Safety Function Door Locking and Monitoring Important User Information Read this document and the documents listed in the additional resources section about installation configuration and operation of this equipment before you install configure operate or maintain this product Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes laws and standards Activities including installation adjustments putting into service use assembly disassembly and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice If this equip
6. CROLUT Satety_Contectors Feedback Type KEGATIVE Feedback Reaclion Tene Mec 250 Actuate satety_output_enabbe 1 Feedback 1 SENT LPO Dats i Feedback 2 SENT 1 1 to Data 1 inp Status AENT 1 Combinedinpeut St ait i Output Staus AENT 2i CombinedOutpu isis 1 Resa AENT 1 PS DaiA Safety Contactos Oi Satety_Conaciors O2 AENT 20 Phiobaa 8 c a e AENT 20 PHO Duata End If you wish to use software to programmatically cycle channel A and channel B on the DCSTL instruction the following code shows one example of how to accomplish this Whenever the lock feedback goes to 0 low for one scan channel A 16 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring and channel B are logically dropped out to satisfy y the DCSTL instruction requirements to cycle the gate For the rest of the time the two door monitoring contacts drive the state of channel A and channel B Gate Lock contacts O1 one Open sabe Simulation A ONS ____ _ OpenGate Simulation AENT 1 P00Data Channel gt AENT LPi0iData Channele DCSTL m Dual Channel input Stop Vith Test Amd Lock DCSTL Gae Ol Safety Function SAFETY GATE Input Type EQUI ALENT ACTIVE HIGH TC Discrepancy Time Mec 250 Restart Type AUTOMATIC LULC 3 Cold Start Type AUTOMATK Channel Channel LFF j o Channel B channe e Test Request test_request 1 Unlock
7. ISTEMA tool You can view or download publications at http www rockwellautomation com literature To order paper copies of technical documentation contact your local Allen Bradley distributor or Rockwell Automation sales representative Rockwell Automation Publication SAFETY AT061C EN P December 2014 23 Documentation Feedback Your comments will help us serve your documentation needs better If you have any suggestions on how to improve this document complete this form publication RA DU002 available at http www rockwellautomation com literature For more information on Safety Function Capabilities visit http marketing rockwellautomation com safety en safety functions Allen Bradley Compact GuardLogix CompactLogix GuardLogix LISTEN THINK SOLVE POINT I O POINT Guard I O RSLogix Rockwell Automation Rockwell Software and Stratix 2000 are trademarks of Rockwell Automation Inc Trademarks not belonging to Rockwell Automation are property of their respective companies EtherNet IP is a trademark of the ODVA Rockwell Otomasyon Ticaret A Kar Plaza Is Merkezi E Blok Kat 6 34752 erenk y Istanbul Tel 90 216 5698400 www rockwellautomation com Power Control and Information Solutions Headquarters Americas Rockwell Automation 1201 South Second Street Milwaukee WI 53204 2496 USA Tel 1 414 382 2000 Fax 1 414 382 4444 Europe Middle East Africa Rockwell Automation NV Pegasus Park De Kleetlaa
8. SLogix 5000 safety application program indication Repeat for all guard doors Initiate a Reset command Both contactors should remain de energized Verify proper machine status indication and RSLogix 5000 safety application program indication Abnormal Operation Validation The GuardLogix safety system properly responds to all foreseeable faults with corresponding diagnostics Door Monitoring and Lock Input Tests 1 While the system is running remove the door monitor channel 1 wire from the safety 0 Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and repeat for channel 2 Pf While the system is running short the door monitor channel 1 of the safety 1 0 to 24V DC Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and repeat for channel 2 Rockwell Automation Publication SAFETY AT061C EN P December 2014 21 Safety Function Door Locking and Monitoring While the system is running short the door monitor channel 1 of the safety 1 0 to OV DC Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the syste
9. TIC ULC Cold Start Type AUTOMATIC Channel A AENT 1 1 Pt00Data FP 1 Channel B AENT 1 1 Pt01Data 1 Test Request test_request Unlock Request unlock_request 0 Lock Feedback Gate_Lock_contacts O1 1 Hazard Stopped hazard_stopped 0 Input Status AENT 1 1 CombinedInputStatus 1 Reset AENT 1 1 Pt05Data 0 Gate ULC AENT 2 0 Pt07Data Safety_Interlock O1 unlock_request TON Timer On Delay Timer Stop Motion_timer Preset 5000 Accum 0 AENT 2 0 Pt00Data AENT 2 0 Pt01Data Stop_Motion_timer DN hazard_stopped Rockwell Automation Publication SAFETY AT061C EN P December 2014 15 Safety Function Door Locking and Monitoring Satety_interlock Safety Function EMERGENCY STOP Input Type EQUIVALENT ACTIVE HGH f Discrepancy Tine Maec 250 Restart Type AUTOMATIC Cold Start Type AUTOMATIC Channel A BRB 1S ESIPOEData 1 Channel 5 IBEOB 4 17 SUES PIO Data 1 Input Status B ra 17S BSc CombinedinputStabus 1 Rese AENT 1 A0SData o I 5 Dual Channel input Montor DEM Gate _Lock_c ntacts Oi j Safety Function USER DEFINED Input Type EQUIVALENT ACTIVE HGH EE E Discrepancy Time Maec 20 FP Channel A AENT 1 1 AO2Data Channel B EAEE Inpad Stebus AENT 11 Cormbinedinipui Sai Araneae Reset AENT LAUD ata ong Setety_inierock O1 Gate Gabe Lock contacts Oi Safety Conmiaciors FP zalety output enable 6 E os i fatety aipu enie ROUT T Contigurante Redundant Output
10. and Monitoring 6 Click Output Configuration and configure the module as shown E Module Properties AENT 2 1734 0885 1 1 E e ioj x General Connection Safety Module Info Output Configuration takelaka teha hal Output Enor Latch Time 1000 H m Status Running Cancel Apply Help Typically contactor coils outputs 0 and 1 do not react to the pulse testing of the output wires If using a contactor that does react to the pulse test then disable the pulse testing This should not affect the overall safety rating if redundancy and monitoring are being used Output 7 is the TLS3 GD2 locking solenoid 7 Click OK Programming The Dual Channel Input Stop with Test and Lock DCSTL instruction monitors and locks dual channel safety devices whose main function is to stop a machine safely for example a safety gate with locking solenoid When the unlock request goes to 1 high the DCSTL instruction waits for the Hazard Stopped input to go to 1 high and then turns on the ULC unlock command output At the same time the output O1 goes to 0 low to indicate that the gate is no longer protecting the hazard The Lock Feedback should go to 0 low indicating the gate is indeed unlocked The operator can now open the gate The DCSTL requires that the door monitors channel A and channel B cycle at this time or a fault occurs when a restart is attempted This cycle can be done by opening or closing the gate or
11. ate a Start command Both contactors should energize for a normal machine run condition Verify proper machine status indication and RSLogix 5000 safety application program indication 22 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring While the system is running remove the contactor feedback from the safety 1 0 All contactors should remain energized Initiate a Stop command and attempt a Reset command The system should not Restart or Reset Verify proper machine status indication and RSLogix 5000 safety application program indication While the system is running short the contactor feedback to the safety 1 0 All contactors should remain energized Initiate a Stop command and attempt a Reset command The system should not Restart or Reset Verify proper machine status indication and RSLogix 5000 safety application program indication While the system is stopped remove the safety output to the door lock The door should remain locked and all contactors should remain de energized Verify proper machine Status indication and RSLogix 5000 safety application program indication Additional Resources These documents contain additional information concerning related products from Rockwell Automation Resource Compact GuardLogix Controllers User Manual publication 1768 UM002 POINT Guard 1 0 Safety Modules Installation and User Manual publication 1734 UM013 GuardL
12. blication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring 2 Click Test Output and configure the module as shown Pulse Test Pulse Test Pulse Test Not Used TO and T1 are being used to pulse test the TLS3 GD2 channels T2 is being used to pulse test the contactor feedback circuit 3 Click Input Configuration and configure the module as shown GH Module Properties AENT 1 1734 IB8S 1 1 General Connection Safety Module Info Input Configuration Test Output Input Delay Time ms Point Operation Discrepancy te rs Test Point Mode Saree Safety Pulse Test 0 Safety Pulse Test xf Safety Pulse Test x0 Safety Pulse Test 1 4 Safety Pulse Test Input Error Latch Time 1000 4 ms Status Offline Cancel Apply Help IMPORTANT Inputs 0 1 are the TLS3 GD2 door monitoring contacts Recall that inputs 0 1 are being sourced from test outputs 0 1 Inputs 2 3 are the lock monitoring contacts They are also being sourced from test outputs 0 1 Inputs 4 5 are the reset buttons Input 7 is the contactor monitoring circuit Recall that input 7 is being sourced from Test Output 2 4 Click OK 5 In the Controller Organizer right click the 1734 OB8S module and choose Properties Rockwell Automation Publication SAFETY AT061C EN P December 2014 13 Safety Function Door Locking
13. cation SAFETY AT061C EN P December 2014 11 Safety Function Door Locking and Monitoring 13 When the Module Definition dialog box opens change the Output Data to None verify the Input Status is set to Combined Status Power and click OK xi Series a Revision i x ME Electronic Keying Compatible Module Configured By This Controller 4 Input Data i Safety j Output Data None zi Input Status Combined Status Power Data Format Integer OK Cancel Help IMPORTANT Setting the output data to None means that you cannot use the Test Outputs as standard outputs This saves one controller connection because we are only using the input connection 14 Close the Module Properties dialog box by clicking OK 15 Repeat steps 10 14 to add the 1734 OB8S safety output module name the module OB8S choose slot 2 and choose Combined Status Readback Power for Input Status definition Module Definition J l x Series a Revision fi 1 H Electronic Keying Compatible Module Configured By This Controller Input Data iNet Output Data Input Status Combined Status Readback Power Data Format integer zi Cancel Help Configure the 1 0 Modules Follow these steps to configure the POINT Guard I O modules 1 In the Controller Organizer right click the 1734 IB8S module and choose Properties 12 Rockwell Automation Pu
14. ew Module T768 ENBT A 1768 10 100 Mbps Ethemet Bdge Twisted Par kledia Alen Bradey Ir Address Hoot Hame fom eo o Electronic Keying Compatible Keying M Open Module Properties This example uses 192 168 1 8 as the IP address Yours can be different 5 Toadd the 1734 AENT adapter in the Controller Organizer right click the 1768 ENBT module and choose New Module SS LO Configuration 1768 Bus S 1 1768 ENBT A ENBT da E o 17 1769 Bus FS o 176i 6 Select the 1734 AENT adapter and click OK E Select Module Module Description nda Communications a 193 DNENCAT Ethernet to Dewicelet Communications Amdiary Allen Bradley 195 DNENCATR Ethernet to DewiceNet Communications Aundliary 2 Port Allen Bradley 440R ENETR 4408 Ethernet Interface 2 Port Twesbhed Pair Meda Allen Bradley tener aries Allen Bradley 1738 AENTR 1733 Ethernet Adapter 2 Port Twisted Pair Media Allen Bradley 1756 EN2F 1756 10 100 Migs Ethernet Bridge Fier Meda Allen Bradley 1756 EN2T 1756 10 100 bgs Ethernet Bridge Twished Pair Media Allen Bradley 1756 ENZTR 1756 10 100 Mbps Ethernet Bridge 2 Port Twisted Pair Allen Bradley 1756 EN3TR 1756 10 100 Mbps Ethernet Bridge 2 Port Twisted Pair Allen Bradley Rockwell Automation Publication SAFETY AT061C EN P December 2014 9 Safety Function Door Locking and Monitoring 7 In t
15. he New Module dialog box do the following a Name the module b Type its IP address c Click OK This example uses 192 168 1 11 as the IP address Yours can be different 8 Click Change O New Module Chassis size is the number of modules that are inserted in the chassis The 1734 AENT adapter is considered to be in slot 0 so for one input and one output module the chassis size is 3 10 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring 10 In the Controller Organizer right click the 1734 AENT adapter and choose New Module 5 Trends ES 1 0 Configuration Gl 1768 Sus 5 1 1768 ENST A ENST E Ethernet 1768 ENBT A ENBT 2 1734 AENT A AENT Ponti 3 Sot Ghas 1435 cGLN 6G tol 17 A New Module Eff 1769 Bus i Paste trit E 0 1768 1535 cGLX 11 Expand Safety select the 1734 IB8S module and click OK xj 8 Point 24V DC Sink Input Allen Bradley 8 Point 24V DC Source Output Alien Draciey 12 In the New Module dialog box name the device IB8S and click Change General Connection Safety Module Info Input Configuration Test Output Type 17344885 8 Point 24V DC Sink Input Vendor Allen Bradley Patent AENT Name es O Moer fT Detcrption T Safety Network 3387 0408 m Sec pri 37 M08 O12E i 4 27 2012 250 3062 PM Status Creating Cancel Help Rockwell Automation Publi
16. he Performance Level PL of the safety control system is calculated to confirm it meets the Required Performance Level PLr specified The SISTEMA software tool is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849 1 Validation is a functional test of the safety control system to demonstrate that it meets the specified requirements of the safety function The safety control system is tested to confirm all of the safety related outputs respond appropriately to their corresponding safety related inputs The functional test should include normal operating conditions in addition to potential fault inject of failure modes A checklist is typically used to document the validation of the safety control system Validation of software development is a process in which similar methodologies and techniques that are used in hardware development are deployed Faults created through poor software development process and procedure are systemic in nature rather than faults associated with hardware which are considered as random Prior to validating the GuardLogix Safety System it is necessary to confirm the safety system and safety application program have been designed in accordance with the GuardLogix System Safety Reference Manual publication 1756 RM093 and the GuardLogix Application Instruction Safety Reference Manual publication 1756 RM095 Verification and Validation Checklist General Machinery Information
17. if the feedback circuit is not in the correct state The system has individual reset buttons for resetting faults and safety outputs The reset buttons and the contactor feedback circuit are all wired to the 1734 IB8S module in this example This is not required for functional safety These three inputs could be wired to a standard input module In this example the gate solenoid is controlled by a safety output This is not required for functional safety The solenoid could be controlled by a standard output If the solenoid faults to 0 low the gate does not unlock If the solenoid were to fault to 1 high the gate unlocks but unless the Motion Stopped input is 1 high the Dual Channel Input Stop with Test and Lock DCSTL instruction in the safety task declares a fault and drops out its output For these reasons the solenoid is not a part of the safety function 6 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring Electrical Schematic 24V DC Safety Reset Fault Reset The safety interlock that requests the unlock function is not shown in this wiring diagram 1734 1BAS OM COM COM COM CoM COM COM Configuration The Compact GuardLogix controller is configured by using RSLogix 5000 software version 17 or later You must create a new project and add the I O modules Then configure the I O modules for the correct input and output types A detai
18. ion PLr PL Subsystems fey Library gt Stat Type Name PL PFH ish CCFscore DCavg MTTFd a Category Requirements of the category y B TLS3 GD Interlock Switch e 247E 8 65 fulfilled 99 High 100 High fulfilled New ll 2B Mechanical Fault Exclusion d 31567 notrelevont notrelevent not relevant fulfilled SB Safety 1 0 1734 1685 e 2256 10 not ret fulfilled sll 36 Safety PLC Compact GuardLogm 1768 2 1E 10 fulfilled G Vo S Safety VO 1734 0885 2 29E 10 notrelevant n trelvant not relevant fulfilled v sE Contactors e 2476 8 65 fulfilled 99 High 100 High fulfilled The overall safety function value is shown below Safety function IFA Documentation Plr PL Subsystems O Determine PL from subsystems Performance Level PL PFH l h 3 66E 7 The Guard Door Monitoring and Locking safety function can be modeled as shown in the following safety related block diagram Input Fault Exclusion Logic Logic Logic ah Output p e fe eS S 4 fe Se HK fF PHS SE HK Pe SES SK Se Ml ee eS Ss 1734 0B8S Subsystem 1 I l Subsystem 2 Subsystem 3 Subsystem 4 Subsystem 5 Subsystem 6 L ees ee ee es ee eB ee se as ee ee nes ee ed L ee ce TLS3 GD2 channel A Fault Exclusion 1734 IB8S 1768 L435S TLS3 GD2 channel B Calculations are based on one operation
19. iring refer to the publications listed in the Additional Resources on the back cover Rockwell Automation Publication SAFETY AT061C EN P December 2014 5 Safety Function Door Locking and Monitoring System Overview The 1734 IB8S input module monitors two door channels and two lock channels of the TLS3 GD2 switch The 1734 IB8S module can source the 24V DC for all these channels to dynamically test the signal wiring for shorts to 24V DC and channel to channel shorts If a fault occurs either or both channels are set to 0 low and the controller reacts by dropping out the safety contactors Only after the fault is cleared and the gate is cycled is the function block reset Shorts to OV DC and wire off are seen as an open circuit by the 1734 IB8S input module and the controller reacts by dropping out the safety contactors If the inputs remain discrepant for longer than the discrepancy time then the function blocks in the controller safety task declare a fault Only after the fault is cleared and the gate is cycled is the function block reset The final control device in this case is a pair of 100S C safety contactors K1 and K2 The contactors are controlled by a 1734 OBS safety output module The contactors are wired in a redundant series configuration A feedback circuit is wired through the N C auxiliary contact and back to an input on the 1734 IB8S module to monitor the contactors for proper operation The contactors cannot restart
20. it can be done in software as shown later in this section In this example the unlock request is generated by placing a demand on the safety interlock being controlled by the Dual Channel Input Stop DCS instruction For this application all that is required is that the unlock request be set to 0 low The demand on the safety interlock drops out the safety contactors and five seconds later the Hazard Stopped tag is set to 1 high This causes the DCSTL instruction to set the ULC output which energizes output 7 and unlocks the gate IMPORTANT The requirements of your application determine the proper way to generate the Hazard Stopped tag There are two lock monitoring contacts on the TLS3 GD2 switch yet there is only one lock feedback tag required for the DCSTL instruction The Dual Channel Input Monitor DCM instruction is used to monitor both lock contacts and its output is used for the DCSTL Lock Feedback tag The DCSTL DCM and DCS instructions monitor their respective dual channel inputs for consistency Equivalent Active High and detect faults when the inconsistency is detected for longer than the configured Discrepancy Time ms 14 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring The automatic restart type allows the DCSTL and DCS outputs O1 to reset automatically after a demand The manual action typically required for safety is provided in rung 6 to reset the
21. k monitor channel 1 of the safety 1 0 to OV DC Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and repeat for channel 2 While the system is running short the lock monitor channel 1 and 2 of the safety 1 0 Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and 2 wiring GuardLogix Controller and Network Tests 1 While the system is running remove the Ethernet network connection between the safety 1 0 and the controller All contactors should de energize Verify proper machine status indication and 1 0 connection status in the RSLogix 5000 safety application program 2 Restore the safety 1 0 module network connection and allow time to re establish communication Verify the Connection Status Bit in the RSLogix 5000 safety application program Repeat for all safety 1 0 connections While the system is running switch the controller out of Run mode All contactors should de energize Return the key switch back to Run mode All contactors should remain de energized Verify proper machine status indication and RSLogix 5000 safety application program indication Safety Contactor Output Tests 1 Initi
22. l for successful application and understanding of the product Labels may also be on or inside the equipment to provide specific precautions SHOCK HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that dangerous voltage may be present BURN HAZARD Labels may be on or inside the equipment for example a drive or motor to alert people that surfaces may reach dangerous temperatures ARC FLASH HAZARD Labels may be on or inside the equipment for example a motor control center to alert people to potential Arc Flash Arc Flash will cause severe injury or death Wear proper Personal Protective Equipment PPE Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment PPE gt gt gt 2 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring General Safety Information Contact Rockwell Automation to find out more about our safety risk assessment services IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements assessment can require additional circuitry to reduce the risk to a tolerable level Safety circuits must take into consideration safety ATTENTION Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed The risk distance calculations which are not par
23. led description of each step is beyond the scope of this document Knowledge of the RSLogix 5000 programming environment is assumed Rockwell Automation Publication SAFETY AT061C EN P December 2014 7 Safety Function Door Locking and Monitoring Configure the Controller and Add 1 0 Modules Follow these steps to configure the controller and add I O modules 1 In RSLogix 5000 software create a new project Hew Controller Vendor Type Flevisionc Bis E Salet Pathe Slot crtermalt Create Irk EARS Logi KOI rogects Browiee Secor AUY Mo Protectan of E Uz onthe selected Security Authority tor cuthentication and L k P Antherization 2 In the Controller Organizer add the 1768 ENBT module to the 1768 Bus ioon FS eee C 0 A New Module S 17696 fF Paste Etri ED o b Print 3 Select the 1768 ENBT module and click OK LS Select Module Communications 17 68 ONB A 1763 Controlet Bridge Allen Bradley 1 66 BE io Le Con brciver Brine Peuren Miedis Allern Brady 1765 ENST SA 1762 10 1000 Mbps Ethernet Bridge Twisted Pair Media Allen Bradley 4 Motion 4 Other Find _ Add Favorite o f ca He By Categee Favertee 8 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring 4 In the New Module dialog box do the following a Name the module b Type its IP address c Click OK
24. m cannot be reset and restarted with the fault Restore channel 1 and repeat for channel 2 While the system is running short the door monitor channels 1 and 2 of the safety 1 0 Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and 2 wiring While the system is running short channel 1 to Test Source 1 of the safety 1 0 Open the guard door Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and repeat for channel 2 While the system is running remove the Lock Monitor channel 1 wire from the safety 1 0 Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and repeat for channel 2 While the system is running short the lock monitor channel 1 of the safety 1 0 to 24V DC Both contactors should de energize Verify proper machine status indication and RSLogix 5000 safety application program indication Verify that the system cannot be reset and restarted with the fault Restore channel 1 and repeat for channel 2 While the system is running short the loc
25. ment is used in a manner not specified by the manufacturer the protection provided by the equipment may be impaired In no event will Rockwell Automation Inc be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment The examples and diagrams in this manual are included solely for illustrative purposes Because of the many variables and requirements associated with any particular installation Rockwell Automation Inc cannot assume responsibility or liability for actual use based on the examples and diagrams No patent liability is assumed by Rockwell Automation Inc with respect to use of information circuits equipment or software described in this manual Reproduction of the contents of this manual in whole or in part without written permission of Rockwell Automation Inc is prohibited Throughout this manual when necessary we use notes to make you aware of safety considerations WARNING Identifies information about practices or circumstances that can cause an explosion in a hazardous environment which may lead to personal injury or death property damage or economic loss ATTENTION Identifies information about practices or circumstances that can lead to personal injury or death property damage or economic loss Attentions help you identify a hazard avoid a hazard and recognize the consequence gt gt IMPORTANT Identifies information that is critica
26. n 12a 1831 Diegem Belgium Tel 32 2 663 0600 Fax 32 2 663 0640 Asia Pacific Rockwell Automation Level 14 Core F Cyberport 3 100 Cyberport Road Hong Kong Tel 852 2887 4788 Fax 852 2508 1846 Publication SAFETY AT061C EN P December 2014 Supersedes Publication SAFETY AT061B EN P January 2013 Copyright 2014 Rockwell Automation Inc All rights reserved Printed in the U S A
27. of the gate using the pre certified safety instruction Dual Channel Input Stop with Test and Lock DCSTL When all safety input interlocks are satisfied no faults are detected and the reset push button is pressed a second certified function block called Configurable Redundant Output CROUT controls and monitors feedback for a redundant pair of 100S C contactors In summary when a demand is placed on a safety interlock the contactors drop out Five seconds later the gate unlocks When the door is closed and locked and the reset button is pressed the contactors are energized Bill of Material This application uses these products 800FP MT44PX02 800F non illuminated mushroom operators twist to release 40 mm round plastic Type 4 4X 13 IP66 red 2 N C 1 contacts 800F 15YE112 800F legend plate 60 mm round English EMERGENCY STOP yellow with black legend text 1 1768 ENBT CompactLogix EtherNet IP bridge module _ _ 1768 L43S Compact GuardLogix processor 2 0 MB standard memory 0 5 MB safety memory 1768 PA3 Power supply 120 240V AC input 3 5 A 24V DC 1769 ECR Right end cap terminator 1734 AENT 24V DC Ethernet adapter a 1734 TB Module base with removable IEC screw terminals 1734 IB8S POINT Guard 1 0 safety input module 1734 OB8S POINT Guard 1 0 safety output module 1783 US05T Stratix 2000 unmanaged Ethernet switch Setup and Wiring For detailed information on installing and w
28. of the safety guard door per hour therefore 8 760 operations of contactors per year The measures against Common Cause Failure CCF are quantified using the scoring process outlined in Annex F of ISO 13849 1 For the purposes of the PL calculation the required score of 65 needed to fulfill the CCF requirement is considered to be met The complete CCF scoring process must be done when implementing this example 18 Rockwell Automation Publication SAFETY AT061C EN P December 2014 Safety Function Door Locking and Monitoring The TLS3 GD2 switch uses a single tongue actuator for door monitoring and locking Due to the inherent strength and simplicity of the actuator design Fault Exclusion FE for this single mechanical actuator is applied in accordance with ISO 13849 Parts 1 and 2 TLS3 GD2 Interlock Switch Cat MTTFd a DCavg Cat FE Hich not relevan TTF fa vorera 3 t 65 fulfilled Rockwell Automation Publication SAFETY AT061C EN P December 2014 19 Safety Function Door Locking and Monitoring Verification and Validation Plan Verification and Validation play an important role in the avoidance of faults throughout the safety system design and development process ISO 13849 2 sets the requirements for verification and validation It calls for a documented plan to confirm all the Safety Functional Requirements have been met Verification is an analysis of the resulting safety control system T
29. ogix Controller Systems Safety Reference Manual publication 1756 RM093 GuardLogix Safety Application Instruction Set Reference Manual publication 1756 RM095 Safety Accelerator Toolkit for GuardLogix Systems Quick Start Guide publication IASIMP QS005 Industrial Automation Wiring and Grounding Guidelines publication 1770 4 1 Rockwell Automation Safety Products Catalog available from the Product Catalogs link at http www ab com Product Certifications website http www ab com The SISTEMA Cookbook 4 available at http www dguv de ifa Praxishilfen Software SISTEMA SISTEMA Kochb C3 BCcher index 2 jsp Description Provides information on how to configure operate and maintain Compact GuardLogix controllers Provides information on how to install configure and operate POINT Guard 1 0 modules Contains detailed requirements for how to achieve and maintain safety ratings with the GuardLogix controller system Provides detailed information on the GuardLogix Safety Application Instruction Set Provides a step by step guide on how to use the design programming and diagnostic tools in the Safety Accelerator Toolkit Provides general guidelines for how to install a Rockwell Automation industrial system Provides information on safety products available from Rockwell Automation Provides declarations of conformity certificates and other certification details Provides details on how to model safety functions in the S
30. process is to determine the safety functions of the machine In this application the performance level required PLr by the risk assessment is Category 3 Performance Level d CAT 3 PLd for each safety function A safety system that achieves CAT 3 PLd or higher can be considered control reliable Each safety product has its own rating and can be combined to create a safety function that meets or exceeds the PLr From Risk Assessment ISO 12100 1 Identification of safety functions y 2 Specification of characteristics of each function 3 Determination of required PL PLr for each safety function To Realization and PL Evaluation Guard Locking Interlock Safety Function The safety function is the removal of power from the hazard when the safety system detects that the door has been opened or that the lock has been energized Safety Function Requirements Access to hazardous motion is prevented by using an interlocked guard door with guard locking Once motor power has been removed the guard door remains closed and locked for a predetermined amount of time to confirm that the hazardous motion is stopped When the hazardous motion is stopped the operator is allowed to unlock the door by applying power to the guard lock While the door is open the system is monitored to detect an unexpected start up When the door is closed hazardous motion and power to the motor are not resumed until a secondary action the Start button is
31. safety output enable Input Status typically represents the channel status of the two input channels In this example the Combined Input Status bit goes to 0 low if any of the 8 input channels on the 1734 IB8S module have a fault In this example the DCSTL DCM and DCS reset acts as a fault reset Even when the system is configured for automatic restart a reset is required to recover from a fault The outputs O1 of the DCSTL DCM and DCS instructions are used as a safety interlock in the seal in rung to drive the Output Enable tag If any of the three outputs drop out so does the output enable and it remains OFF until a manual reset action is carried out The Configurable Redundant Output CROUT instruction controls and monitors redundant outputs Essentially this instruction verifies that feedback follows the safety outputs appropriately For the negative feedback used in this example if the outputs are 1 high the feedback should be 0 low and vice versa In this example the feedback has 500 ms to change to the proper state Because only a single feedback circuit is being used the feedback tag is used for both feedback 1 and 2 The two output tags from the CROUT instruction are used to drive the contactor outputs on the 1734 OB8S module DCSTL Dual Channel Input Stop With Test And Lock DCSTL Gate 01 Safety Function SAFETY GATE Input Type EQUIVALENT ACTIVE HIGH TC Discrepancy Time Msec 250 Restart Type AUTOMA
32. t of the scope of this document Introduction This safety function application technique explains how to wire configure and program a Compact GuardLogix controller and POINT Guard I O module to monitor and lock a TLS3 GD2 interlock switch mounted on a door If the gate is opened or unlocked or a fault is detected in the monitoring circuit the GuardLogix controller de energizes the final control device in this case a redundant pair of 100S C contactors This example uses a Compact GuardLogix controller but is applicable to any GuardLogix controller This example uses a TLS3 GD2 interlock switch but is applicable to power to release locking switches with at least two N C door contacts and at least one N C lock contact Power to lock switches can use this document with one simple change in the ladder logic This example assumes that the jumpers in the TLS3 GD2 switch have been removed and that separate feedback is available for both the lock and the door The SISTEMA calculations shown later in this document would have to be re calculated using the actual products Rockwell Automation Publication SAFETY AT061C EN P December 2014 3 Safety Function Door Locking and Monitoring Safety Function Realization Risk Assessment The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety related parts of the control system Part of the risk reduction
Download Pdf Manuals
Related Search