
Page 1: New Safety Function: Actuator Subsystems – Stop Category 0 via … · 2015. 5. 18. · Safety Function: Actuator Subsystems – Stop Category 0 via the PowerFlex 525 and PowerFlex

Application Technique

Safety Function: Actuator Subsystems – Stop Category 0 via the PowerFlex 525 and PowerFlex 527 Drives with Safe Torque-off Products: Guardmaster Dual-input Safety Relay, Guardmaster Expansion Module, PowerFlex 525 Drive, PowerFlex 527 Drive

Safety Rating: CAT. 3, PLd to ISO 13849-1: 2008

Topic Page

Important User Information 2

General Safety Information 3

Introduction 3

Safety Function Realization: Risk Assessment 3

Stop Safety Functions 4

Safety Function Requirements 4

Functional Safety Description 5

Bill of Material 6

Setup and Wiring 6

Configuration 11

Calculation of the Performance Level 13

Verification and Validation Plan 16

Additional Resources 21


Safety Function: Actuator Subsystems – Stop Category 0 via the PowerFlex 525 and PowerFlex 527 Drives with Safe Torque-off

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

Labels may also be on or inside the equipment to provide specific precautions.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

2 Rockwell Automation Publication SAFETY-AT139A-EN-P - May 2015


General Safety Information

Contact Rockwell Automation to find out more about our safety risk assessment services.

Introduction

This safety function application technique is concerned primarily with the Logic and Output subsystems of a safety system. The document illustrates how to combine a Guardmaster® dual-input (GSR DI) safety relay and Guardmaster expansion module (GSR EM) with a PowerFlex® 525 drive or a PowerFlex 527 drive to provide a category 0 stop (remove power, coast to stop) via a hardwired connection to the safe torque-off (STO) inputs of each drive.

In an actual application, any typical safety input device could be used as the Input subsystem, if properly applied. A SensaGuard™ switch, as in Safety Function: Door Monitoring Products: SensaGuard/GSR DI, publication SAFETY-AT069, is used as a convenient example of an Input subsystem in this application technique.

Safety Function Realization: Risk Assessment

The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or exceeds the PLr.

IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety distance calculations, which are not part of the scope of this document.

[Figure: safety function subsystems. Input: Subsystem 1, SensaGuard Switch. Logic: Subsystem 2, Guardmaster Dual-Input Safety Relay; Subsystem 3, Guardmaster Expansion Module. Output: Subsystem 4, PowerFlex 527 Drive.]

Stop Safety Functions

This application technique includes two safety functions:

1. Safety-related stop function initiated by a safeguard.

2. Prevention of an unexpected start-up.

Safety Function Requirements

Safety-related stop function initiated by a safeguard

When a partial-access guard door is opened, the Input subsystem initiates and maintains a stop command for the safety system to stop hazardous motion before a person can reach the hazardous area. The stop command cannot be reset until the guard door is closed.

Prevention of an unexpected start-up

The safety system cannot be reset, and hazardous motion cannot be restarted while the guard door is open. Once the guard door is closed and the stop command is reset, a second action (pressing a Start button) is required before the hazardous motion can resume. This document presumes that the Start/Stop button is connected to and controlled by the programmable automation controller (PAC).

From: Risk Assessment (ISO 12100)

1. Identification of safety functions

2. Specification of characteristics of each function

3. Determination of required PL (PLr) for each safety function

To: Realization and PL Evaluation


The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.

Functional Safety Description

The Guardmaster dual-input safety relay, Guardmaster expansion module, and PowerFlex 525 and PowerFlex 527 drives with Safe Torque-off use 1oo2 architecture to achieve the PFH values that are used in the PL calculation verification section of this document.

The Guardmaster dual-input safety relay monitors its safety inputs for valid status and faults. The safety relay monitors its internal circuitry for proper operation and faults. The safety relay monitors its single wire safety (SWS) input/output (I/O) for valid status and faults. It monitors its safety output contacts for proper, valid status and faults. When it receives a safety demand on its inputs, or an invalid status or a fault is detected, the safety relay deactivates its safety outputs and sends a safety stop command to the Guardmaster expansion module via its L11 SWS.

The Guardmaster expansion module monitors its SWS input for safety stop commands, valid status, and faults. The expansion module monitors its internal circuitry for proper operation and faults. It monitors its safety output contacts for proper, valid status and for faults. When it receives a safety demand via its L12 SWS input, or it detects an invalid status, it deactivates its safety outputs.

The PowerFlex drive monitors its safe torque-off (STO) inputs for valid status and faults. The drive monitors its internal safety circuits for valid status and faults. The drive monitors its outputs for valid status and faults. When the safety relay de-energizes the drive STO inputs via the Guardmaster expansion module, the drive's STO feature forces the drive output power transistors to a disabled state. The hazardous motion controlled by the drive coasts to a stop. This feature does not provide electrical power isolation.

The system cannot be restarted until the gate is closed and the Guardmaster dual-input safety relay is reset. Once the safety relay is reset, the Start button can be pressed to start the hazardous motion. In the case of the PowerFlex 525 drive, the Start button is connected directly to the drive, as shown in the wiring diagram. In the case of the PowerFlex 527 drive, the Start button is connected to the PAC, which in turn, sends the Start request to the drive.

IMPORTANT The vendor must provide Probability of Failure per Hour (PFH), and all relevant functional safety data, for all the subsystems of this safety system necessary to prove that the overall safety functions meet the requirements for Performance Level d (PLd), per ISO 13849-1.


Bill of Material

The Logic and Output subsystems described in this document use these products.

Setup and Wiring

For detailed information on installing and wiring, refer to the publications listed in the Additional Resources section on the back cover.

System Overview

Safety-related Stop Function Initiated by a Safeguard

The Guardmaster dual-input safety relay monitors the status of a safety input device, for example a SensaGuard switch. When the input device is tripped (guard door opened), the safety relay de-energizes its two safety outputs and sends a safety stop command downstream to the Guardmaster expansion module via its SWS I/O. The Guardmaster expansion module deactivates its safety outputs, which remove power from the drive's (PowerFlex 525 or PowerFlex 527 drive) STO inputs. The drive disables its output power transistors, and lets the driven hazardous motion coast to a stop. When the input device is returned to its safe state (guard door closed) and the Reset button is pressed and released properly, the Guardmaster dual-input safety relay’s safety outputs energize, the Guardmaster expansion module energizes its safety outputs, and the drive's STO inputs are powered. The hazardous motion can then be restarted by an additional, separate action.

Prevention of an Unexpected Start-up

The Guardmaster dual-input safety relay cannot be reset while its input device is in a tripped (guard door open) state. Until the safety relay is reset, the Guardmaster expansion module cannot reset, the drive's STO inputs remain off, and the hazardous motion cannot be restarted. When the input device is returned to its safe state (guard door closed) and the Reset button is pressed and released properly, the Guardmaster dual-input safety relay’s safety outputs energize, the Guardmaster expansion module energizes its safety outputs, and the drive's STO inputs are powered. The hazardous motion can then be restarted by an additional, separate action.
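The reset and restart behaviour described in these two paragraphs, as an added behavioural model. This is example code written for this page, not Rockwell code and not the relays' or drive's firmware; the class and method names are this example's own, and it encodes only the behaviour the text documents (a safety demand drops the outputs, the expansion module follows the relay's SWS, reset is refused while the gate is open, and a separate Start action is needed after a reset). The sequence in run_validation_sequence() mirrors the normal-operation steps of the Verification and Validation Checklist.

```python
"""Behavioural model of the safety chain in the System Overview:
Guardmaster dual-input safety relay (manual monitored reset) -> Guardmaster
expansion module (follows the relay's SWS) -> drive STO inputs -> motion.
Added illustration, not Rockwell code; names are this example's own."""
from dataclasses import dataclass, field


@dataclass
class SafetyChainModel:
    gate_closed: bool = True
    relay_outputs_on: bool = False   # GSR DI safety outputs and L11 SWS command
    em_outputs_on: bool = False      # GSR EM safety outputs, which power the STO inputs
    motion_running: bool = False
    log: list = field(default_factory=list)

    @property
    def sto_powered(self) -> bool:
        """Drive STO inputs are powered only while the EM outputs are energized."""
        return self.em_outputs_on

    def _follow_sws(self) -> None:
        """The expansion module needs no configuration; it mirrors the relay's SWS."""
        self.em_outputs_on = self.relay_outputs_on

    def power_up(self) -> None:
        """Manual reset mode: outputs stay off after power-up until a valid reset."""
        self.relay_outputs_on = False
        self._follow_sws()
        self.motion_running = False
        self.log.append("power-up: safety outputs off, awaiting reset")

    def open_gate(self) -> None:
        """Safety demand: relay drops its outputs, EM follows, STO removes torque."""
        self.gate_closed = False
        self.relay_outputs_on = False
        self._follow_sws()
        if self.motion_running:
            self.motion_running = False   # coast to stop (stop category 0)
            self.log.append("gate opened: STO asserted, motion coasting to stop")
        else:
            self.log.append("gate opened: STO asserted")

    def close_gate(self) -> None:
        """Closing the gate restores nothing by itself; it only permits a reset."""
        self.gate_closed = True
        self.log.append("gate closed: reset now permitted")

    def press_reset(self) -> bool:
        """Monitored manual reset; refused while the input device is tripped."""
        if not self.gate_closed:
            self.log.append("reset refused: gate open")
            return False
        self.relay_outputs_on = True
        self._follow_sws()
        self.log.append("reset accepted: STO inputs powered, motion still stopped")
        return True

    def press_start(self) -> bool:
        """Start is a separate, non-safety action; the drive runs only with STO powered."""
        if not self.sto_powered:
            self.log.append("start ignored: STO inputs unpowered")
            return False
        self.motion_running = True
        self.log.append("start: motion running")
        return True

    def press_stop(self) -> None:
        """Normal production stop: motion stops, safety outputs are unaffected."""
        self.motion_running = False
        self.log.append("normal stop: safety outputs unchanged")


def run_validation_sequence() -> dict:
    """Walk the normal-operation steps and a safeguard stop; each key names one
    property the page requires, True when the model exhibits it."""
    m = SafetyChainModel()
    m.power_up()
    obs = {"no_start_on_power_up": not m.motion_running and not m.sto_powered}
    m.press_reset()
    obs["reset_does_not_start_motion"] = m.sto_powered and not m.motion_running
    m.press_start()
    obs["start_after_reset_runs"] = m.motion_running
    m.press_stop()
    obs["normal_stop_keeps_safety_outputs"] = m.sto_powered and not m.motion_running
    m.press_start()
    m.open_gate()
    obs["gate_open_removes_torque"] = not m.sto_powered and not m.motion_running
    obs["reset_refused_while_open"] = m.press_reset() is False
    obs["start_refused_while_open"] = m.press_start() is False
    m.close_gate()
    obs["closing_gate_alone_does_not_reset"] = not m.sto_powered
    m.press_reset()
    obs["restart_needs_separate_start"] = m.sto_powered and not m.motion_running
    return obs


if __name__ == "__main__":
    for check, ok in run_validation_sequence().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The model deliberately keeps the Start/Stop button outside the safety chain: pressing Stop never touches the relay or expansion module state, and pressing Start after a reset is what restarts motion, which is the "additional, separate action" the text requires.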

Cat. No.           Description                                                   Quantity
440R-D22RD         Guardmaster dual-input safety relay (DI)                      1
440R-EM4R2         Guardmaster expansion module, 4 N.O. safety contacts          1
800FP-R611PQ10V    800F reset, round plastic                                     1
1606-XLP72E        Compact power supply, 24…28V DC, Class 2                      1
25C-V2P5N104       PowerFlex 527 AC drive, with embedded EtherNet/IP and STO     1
  or
25B-B5PON104       PowerFlex 525 AC drive, with embedded EtherNet/IP and STO     1


Safety Distance Calculations

Safeguarding systems must make certain that a person cannot reach a hazardous motion before the safeguarding system has brought that hazardous motion to a halt. This is addressed in safety standards relevant to this application:

• ISO 14119 (Safety of machinery - Interlocking devices associated with guards - Principles for design and selection)

• ISO 13855 (Safety of machinery - Positioning of safeguards with respect to the approach speeds of parts of the human body)

• ANSI B11.19 (Performance Criteria for Safeguarding)

Safety Distance and Access Time

Safety Distance is the distance between the guarded access point and the hazardous motion necessary to make certain that a person cannot access a hazardous motion before it is stopped, that is, the hazard has ceased.

This document uses, as an example, an interlocking device (SensaGuard switch) monitoring a partial-body access gate. Imagine that this access gate allows a person time to reach their arm 762 mm (30 inches) into the potentially hazardous area to perform an occasional, necessary task.

ISO 14119 3.22 defines access time as the time taken by a person to reach the hazard zone after initiation of the stop command by the interlocking device, as calculated on the basis of an approach speed of the body or part of the body, in our case, a hand.

ISO 13855 defines the approach speed of a hand as 1600 mm per sec. Using this value, we calculate the access time:

762 mm/1600 mm per sec or 476 ms

ANSI B11.19 defines the approach speed of a hand as 63 in. per sec. Using this value, we calculate the access time:

30 in./63 in. per sec or 476 ms

Overall System Stopping Performance

ISO 14119 6.2.1 stipulates that the overall system stopping time for a hazardous machine safeguarded by an interlock must be less than the access time. If the overall system stopping performance is equal to or greater than the access time, an interlock with guard-locking must be used. The distance from the safeguard to the hazard must be increased, or a different method must be used to safeguard the hazard. In this document, the overall system stopping performance of our application, using an interlock, must be less than 476 ms.

The overall stopping performance of these applications is the sum of the response time of the input device (SensaGuard switch), the response time of the Guardmaster dual-input safety relay, the response time of the Guardmaster expansion module, the safety reaction time of the drive used (PowerFlex 525 or PowerFlex 527 drive), and the coast-to-stop time of the hazardous motion. The response and reaction times can be taken from the product support literature.

The sum response/reaction time of the Guardmaster dual-input safety relay, Guardmaster expansion module, PowerFlex drive, and coast-to-stop portion of the overall system stopping performance is the same regardless of the input device used.

IMPORTANT The overall system stopping performance of a safeguarding system must be determined by actual system testing and measurement. The worst-case overall system stopping performance from these tests and measurements must be used to evaluate the safety distance requirements.


It may be useful to determine how fast the hazardous motion must coast to a stop before the safeguarded system is available for testing.

The maximum safe coast-to-stop time for a system using the PowerFlex 525 drive can be calculated as follows:

SensaGuard switch (SG) + Guardmaster dual-input safety relay (GSR DI) + Guardmaster expansion module (GSR EM) + PowerFlex 525 drive (drive) = overall system-stopping performance less maximum safe coast-to-stop time

54 ms (SG) + 35 ms (GSR DI) + 35 ms (GSR EM) + 100 ms (drive) = 224 ms = overall system stopping performance time less maximum safe coast-to-stop time

476 ms - 224 ms = 252 ms = Maximum safe coast-to-stop time

The maximum safe coast-to-stop time for a system using the PowerFlex 527 drive can be calculated as follows:

SensaGuard switch (SG) + Guardmaster dual-input safety relay (GSR DI) + Guardmaster expansion module (GSR EM) + PowerFlex 527 drive (drive) = overall system-stopping performance less maximum safe coast-to-stop time

54 ms (SG) + 35 ms (GSR DI) + 35 ms (GSR EM) + 12 ms (drive) = 136 ms = overall system stopping performance time less maximum safe coast-to-stop time

476 ms - 136 ms = 340 ms = Maximum safe coast-to-stop time
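The access-time and coast-to-stop arithmetic above, carried through in code as an added example that is not part of the Rockwell publication. It uses the approach speeds and subsystem response times quoted on this page and the page's 762 mm (30 in.) reach distance; the 300 ms coast time in the usage section is a constructed value chosen to show the adequacy check on both drives, not a measured figure. The ISO 14119 6.2.1 test is implemented as a strict "less than", since an overall stopping performance equal to the access time already requires guard locking or more distance.

```python
"""Access-time and stopping-performance arithmetic (ISO 13855 / ISO 14119),
worked with the figures this application technique uses. Added example, not
part of the Rockwell publication: the response times are those quoted on the
page; reach distance and measured coast time are the user's own inputs."""
import math

# Approach speeds of a hand, as cited on the page.
HAND_SPEED_MM_PER_S = 1600   # ISO 13855
HAND_SPEED_IN_PER_S = 63     # ANSI B11.19

# Per-subsystem response/reaction times in ms, as quoted on the page.
RESPONSE_TIMES_MS = {
    "SensaGuard switch": 54,
    "Guardmaster dual-input safety relay": 35,
    "Guardmaster expansion module": 35,
    "PowerFlex 525 drive STO": 100,
    "PowerFlex 527 drive STO": 12,
}

# Input and Logic subsystems are the same for either drive.
INPUT_AND_LOGIC = ("SensaGuard switch",
                   "Guardmaster dual-input safety relay",
                   "Guardmaster expansion module")


def access_time_ms(reach_distance: float, approach_speed_per_s: float) -> int:
    """Time for a body part to cover the reach distance (distance and speed in
    the same length unit). Rounded down: a shorter access time is the
    conservative assumption for the safeguard."""
    if reach_distance <= 0 or approach_speed_per_s <= 0:
        raise ValueError("reach distance and approach speed must be positive")
    return math.floor(reach_distance / approach_speed_per_s * 1000)


def control_chain_time_ms(components) -> int:
    """Sum of the response/reaction times of input device, logic and drive."""
    return sum(RESPONSE_TIMES_MS[name] for name in components)


def max_safe_coast_time_ms(access_ms: int, chain_ms: int) -> int:
    """Coast-to-stop budget left once the control chain has reacted. Zero or
    less means an interlock without guard locking cannot protect this access
    point (ISO 14119 6.2.1)."""
    return access_ms - chain_ms


def interlock_adequate(access_ms: int, overall_stopping_ms: int) -> bool:
    """ISO 14119 6.2.1: overall stopping performance must be strictly less
    than the access time; equal is not good enough."""
    return overall_stopping_ms < access_ms


def stopping_budget(drive: str, reach_mm: float = 762) -> tuple:
    """Worked figures for one drive: (access_ms, chain_ms, coast_budget_ms)."""
    access = access_time_ms(reach_mm, HAND_SPEED_MM_PER_S)
    chain = control_chain_time_ms(INPUT_AND_LOGIC + (drive,))
    return access, chain, max_safe_coast_time_ms(access, chain)


if __name__ == "__main__":
    drives = ("PowerFlex 525 drive STO", "PowerFlex 527 drive STO")
    for drive in drives:
        access, chain, budget = stopping_budget(drive)
        print(f"{drive}: access {access} ms, control chain {chain} ms, "
              f"max safe coast {budget} ms")
    # Constructed measured coast-to-stop time (not from the page): 300 ms fits
    # the PowerFlex 527 budget (340 ms) but not the PowerFlex 525 budget (252 ms).
    measured_coast_ms = 300
    for drive in drives:
        access, chain, _ = stopping_budget(drive)
        ok = interlock_adequate(access, chain + measured_coast_ms)
        print(f"{drive} with {measured_coast_ms} ms coast: "
              f"{'adequate' if ok else 'needs guard locking or more distance'}")
```

As the page's IMPORTANT note says, the calculated budget is only a design aid; the number that goes into the safety distance evaluation is the worst-case overall stopping performance measured on the real machine.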


Electrical Schematic

In this application example, a local Start/Stop button is directly wired to the PowerFlex 525 drive. This button is used for normal, non-safety stops and starts of the system. It is also used to start/restart the drive after safety-related stops once the safety circuit is reset.

Figure 1 - PowerFlex 525 Circuit

[Figure 1 labels: 24V DC; 0V DC - COM; Typical Safety Input Device; Actuator; Digital Common; Initiate Configured ‘Normal’ Production Stop; Start; Stop; Gate control power supply; Gate control circuit; PowerFlex 525]


This diagram presumes that a Start/Stop button is connected to the system PAC. It is referred to in Figure 2, but is not part of this circuit. This button is used for normal, non-safety stops and starts of the system. The button is also used to start or restart the drive after safety-related stops once the safety circuit is reset.

Figure 2 - PowerFlex 527 Circuit

[Figure 2 labels: 24V DC; 0V DC - COM; Typical Safety Input Device; Digital Common; Gate control power supply; Gate control circuit; Actuator; To PAC; PowerFlex 527; *Initiate Configured ‘Normal’ Production Stop; *Start/Stop Request to PAC: Start/Stop requests provided to the drive by PAC via Ethernet]


Configuration

Configure the Guardmaster Dual-Input Safety Relay

Follow these steps to configure the Guardmaster dual-input safety relay. For more information about this relay, refer to Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037.

1. Enable Program mode.

2. Set Operation mode to 2: Manual Reset (IN1 and IN2) or L12.

3. Cycle power to store the configuration setting.

Configure the Guardmaster Expansion Module

The Guardmaster expansion module requires no configuration. It follows its SWS input from the Guardmaster dual-input safety relay. For more information about the Guardmaster expansion module, refer to the Guardmaster Safety Relay EM Installation Instructions, publication 440R-IN043.


Configure the PowerFlex 525 Drive

The PowerFlex 525 drive is configured by using Connected Components Workbench™ software, version 7 or later. A detailed description of how to fully configure the PowerFlex 525 drive is beyond the scope of this document. For more information about this drive, refer to the PowerFlex 520-Series Adjustable Frequency AC Drive User Manual, publication 520-UM001.

You must set the four parameters shown in Table 1 for the PowerFlex 525 drive to perform as intended in this application example.

Parameters 46, 62, and 63 must be set as listed in Table 1 for the Start/Stop button to operate as intended.

Parameter 105 essentially configures the PowerFlex 525 drive to accept the STO inputs without generating a spurious F111 fault.

By default, the PowerFlex 525 drive provides a coast to stop in response to an STO input. This action overrides any other stop type that might be configured for the drive for its normal production stop.

Configure the PowerFlex 527 Drive

The PowerFlex 527 drive is configured using Studio 5000 Automation Engineering & Design Environment™ software. A detailed description of how to fully configure the PowerFlex 527 drive is beyond the scope of this document. For more information about this drive, refer to PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002.

By default, the PowerFlex 527 drive provides a coast to stop in response to an STO input. This action overrides any other stop type that might be configured for the drive for its standard stop.

IMPORTANT The PowerFlex 525 drive ships with the STO feature disabled by jumpers. Refer to the appropriate user manual for guidance on how to remove these jumpers.

Table 1 - Configuration Parameters for PowerFlex 525 Drive

Parameter #   Name               Value          Units   Internal Value
46            Start Source 1     Digin TrmBlk           2
62            Digin TermBlk 02   3-Wire Start           49
63            Digin TermBlk 03   3-Wire Dir             51
105           Safe Open En       FaultDisable           1

IMPORTANT The PowerFlex 527 drive ships with the STO feature disabled by jumpers. Refer to the appropriate user manual for guidance on how to remove these jumpers.


Calculation of the Performance Level

When properly implemented, both the PowerFlex 525 and PowerFlex 527 drives with safe torque-off (STO) can be used in a safety function that has a Performance Level required (PLr) rating of Category 3, Performance Level d (CAT. 3, PLd), according to ISO 13849-1: 2008, as calculated by using the Safety Integrity Software Tool for the Evaluation of Machine Applications (SISTEMA).

The functional safety data for the SensaGuard switch, Guardmaster dual-input safety relay, Guardmaster expansion module, and PowerFlex 525 drive is provided from the Rockwell Automation SISTEMA library. The functional safety data for the PowerFlex 527 drive is from the PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002.

Logic and Output Subsystems Calculation

The PowerFlex 525 drive yields the following results.

This can be modeled as follows.

[Figure: Logic: Subsystem 1, Guardmaster Dual-Input Safety Relay; Subsystem 2, Guardmaster Expansion Module. Output: Subsystem 3, PowerFlex 525 Drive.]


The PowerFlex 527 drive yields virtually the same results.

This can be modeled as follows.

The rest of the SISTEMA calculation in this document features a SensaGuard switch as an example of a typical safety input device.

For instance, when the PowerFlex 525 drive is used, here are the SISTEMA calculations for the safety function, “Safety-related stop initiated by a safeguard.”

[Figure: Logic: Subsystem 1, Guardmaster Dual-Input Safety Relay; Subsystem 2, Guardmaster Expansion Module. Output: Subsystem 3, PowerFlex 527 Drive.]


When the PowerFlex 525 drive is used in the safety function, “Prevention of an unexpected start-up,” the SISTEMA calculations are identical, because all of the same components are used.

The two PowerFlex 525 safety functions each achieve their necessary PLr.

When the PowerFlex 527 drive is used in the safety function, "Safety-related stop initiated by a safeguard," the SISTEMA calculation results are as follows.

As before, when the PowerFlex 527 drive is used in the safety function, "Prevention of an unexpected start-up," the calculations are identical, because all of the same components are used.


Each PowerFlex 527 safety function achieves its PLr.

Verification and Validation Plan

Verification and validation play important roles in the avoidance of faults throughout the safety system design and development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a documented plan to confirm that all of the safety functional requirements have been met.

Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.
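The PL verification arithmetic that SISTEMA performs for a chain of subsystems, as an added example that is not the publication's or SISTEMA's code. The PFH bands are those of ISO 13849-1:2008 Table 3. The combination rule used here, summing the subsystem PFH values and then capping the result at the weakest subsystem's own PL, is this example's assumption about how the tool combines series subsystems; the PFH figures in the worked cases are constructed placeholders, not the Rockwell SISTEMA library data, which, as the IMPORTANT note on PFH says, must come from the vendor.

```python
"""ISO 13849-1 Performance Level check from subsystem PFH values: the arithmetic
behind the SISTEMA verification step. Added example, not the publication's or
SISTEMA's code; all PFH figures below are constructed placeholders."""

PL_ORDER = "abcde"   # a = lowest, e = highest

# (PL, inclusive lower bound, exclusive upper bound) of average PFH in 1/h,
# ISO 13849-1:2008 Table 3.
PL_BANDS = (
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
)


def pl_from_pfh(pfh: float):
    """Map a PFH to its PL band; None when PFH is 1e-4 or worse (no PL)."""
    if pfh < 0:
        raise ValueError("PFH cannot be negative")
    if pfh < 1e-8:
        return "e"          # below the table's floor; PL e is the top band
    for pl, lo, hi in PL_BANDS:
        if lo <= pfh < hi:
            return pl
    return None


def safety_function_pl(subsystems):
    """subsystems: iterable of (name, pl, pfh) for the series chain.
    Returns (total_pfh, achieved_pl). Assumption of this example: the PFH of
    series subsystems adds, and the achieved PL is the band of that sum but
    never higher than the weakest subsystem's own PL."""
    subsystems = list(subsystems)
    total_pfh = sum(pfh for _, _, pfh in subsystems)
    pl_sum = pl_from_pfh(total_pfh)
    if pl_sum is None:
        return total_pfh, None
    weakest = min((pl for _, pl, _ in subsystems), key=PL_ORDER.index)
    return total_pfh, min(pl_sum, weakest, key=PL_ORDER.index)


def meets_plr(achieved, plr: str) -> bool:
    """True when the achieved PL is at least the required PL."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)


def worked_cases(plr: str = "d") -> dict:
    """Three constructed Logic/Output chains checked against PLr = d.
    Returns {case: (achieved_pl, meets_plr)}."""
    logic = [("GSR DI relay (placeholder PFH)", "e", 1.5e-8),
             ("GSR EM module (placeholder PFH)", "e", 1.2e-8)]
    cases = {
        # Every subsystem PL e: the sum stays in the e band, PLr d is met.
        "all_pl_e": logic + [("drive STO (placeholder PFH)", "e", 5.0e-8)],
        # A PL d drive dominates the sum: result d, PLr d is met.
        "drive_pl_d": logic + [("drive STO (placeholder PFH)", "d", 5.0e-7)],
        # Two PL d subsystems of 6e-7 each are individually PL d, but their
        # sum (1.2e-6) falls into the c band, so PLr d is NOT met.
        "two_pl_d_sum_to_c": [("logic (placeholder PFH)", "d", 6.0e-7),
                              ("output (placeholder PFH)", "d", 6.0e-7)],
    }
    result = {}
    for name, chain in cases.items():
        _, achieved = safety_function_pl(chain)
        result[name] = (achieved, meets_plr(achieved, plr))
    return result


if __name__ == "__main__":
    for name, (achieved, ok) in worked_cases().items():
        print(f"{name}: PL {achieved}, PLr d {'met' if ok else 'NOT met'}")
```

The third case is the one worth remembering when reading the page's statement that each product "can be combined to create a safety function that meets or exceeds the PLr": the check is on the summed PFH of the whole chain, so several subsystems that each carry the required PL can still fall short together.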

Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements of the safety function. The safety control system is tested to confirm that all of the safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions in addition to potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control system.

This document uses, as an example, a SensaGuard switch for an input device. Notice that all of the purposely-created faults are created at the input terminals of the Guardmaster dual-input safety relay. All of the relay’s responses to these faults are the same as they would be using any typical input device with OSSD outputs, or an electro-mechanical input device using the Guardmaster dual-input safety relay’s pulse test output feature.

Some of the SensaGuard switch’s reactions to these faults are unique to the SensaGuard switch, as some responses from other OSSD devices might be unique to those devices.

The responses of the PowerFlex 527 drive and the PowerFlex 525 drive to faults on their STO inputs are the same. Therefore, the following tests, using purposely-created faults, are appropriate for either drive.


Verification and Validation Checklist

General Machinery Information

Machine Name/Model Number

Machine Serial Number

Customer Name

Test Date

Tester Name(s)

Schematic Drawing Number

Input Devices 440N-Z21SS2AN9

GuardMaster Dual-Input Safety Relay 440R-D22R2

GuardMaster Expansion Module 440R-EM4R2

Variable Frequency Drive 25C-V2P5N104 (PowerFlex 525 drive) or 25C-V2P5N104 (PowerFlex 527 drive)

Safety Wiring and Relay Configuration

Test Step Verification Pass/Fail Changes/Modifications

1 Confirm that all components' specifications are suitable for the application. Refer to Basic Safety Principles and Well-tried Safety Principles from ISO 13849-2.

2 Visually inspect the safety relay circuit to confirm that it is wired as documented in the schematics.

3 Confirm that the Guardmaster dual-input safety relay is set to the proper Logic configuration setting of 2.

Normal Operation Verification - The safety system responds properly to all normal Start, Stop, Reset, and SensaGuard Switch inputs.

Test Step Verification Pass/Fail Changes/Modifications

1 Confirm that no one is in the guarded area.

2 Confirm that the hazardous motion is stopped.

3 Confirm that the door is closed.

4 Apply power to the safety system.

5 Confirm that the PWR/Fault, IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are green. Confirm that the OUT status indicator blinks green. Confirm that the PWR/Fault indicator of the Guardmaster expansion module is steady green.

6 Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT indicators of the Guardmaster expansion module are steady green.

7 Confirm that the hazardous motion does not start on powerup.

8 Press and release the external drive Start button. Confirm that the hazardous motion begins and the machine begins to operate.

9 Press the external Stop button. The machine must stop in its normal, configured manner. The safety system must not respond.

10 Press and release the external Start button. Confirm that the hazardous motion starts and the machine begins to operate.

11 Open the guarded door. The safety system must trip. The hazardous motion must stop within the required time. Monitor the status indicators on the Guardmaster dual-input safety relay and the Guardmaster expansion module for proper operation. Only the PWR/Fault status indicator on each relay should be steady green. All other status indicators should be OFF.

12 Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster expansion module must not respond.


13 Close the guarded door. The machine must not start. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay must be steady green. The OUT status indicator must blink green.

14 Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT status indicators of the Guardmaster expansion module are steady green.

15 Press and release the external Start button. Confirm that the motor starts and the machine begins to operate.

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

SensaGuard Switch – Guardmaster Input Test

Test Step Validation Pass/Fail Changes/Modifications

1 Keep the guarded door closed. Hazardous motion continues to run. Remove the gray wire from the SensaGuard switch to terminal S12 of the Guardmaster dual-input safety relay. The safety relay and the Guardmaster expansion module must trip immediately. The hazardous motion must stop. Verify proper operation of all status indicators.

2 Reconnect the wire to the S12 terminal. The Guardmaster dual-input safety relay must not respond. Press and release the Reset button. The safety relay must not respond.

3 Open and close the guarded door. The IN1 and IN2 status indicators must be steady green. The OUT status indicator must blink green.

4 Press and release the Reset button. The Guardmaster dual-input safety relay OUT status indicator must be steady green. The Guardmaster expansion module Logic IN and OUT status indicators must be steady green. The hazardous motion must not start.

5 Press the external Start button. The machine must start. Monitor all status indicators for proper operation. This step is optional in the following SensaGuard switch validation tests.

6 With the guarded door closed, jump the gray wire to 24V. After approximately 40 seconds, the SensaGuard switch must trip. The Guardmaster dual-input safety relay must trip. The status indicator on the SensaGuard switch flashes red. Monitor all status indicators for proper operation.

7 Remove the jumper. Neither the SensaGuard switch nor the Guardmaster dual-input safety relay responds. Press and release the Reset button. Nothing changes. Monitor all status indicators for proper operation.

8 Cycle power to the SensaGuard switch. Approximately five seconds after power is restored, the SensaGuard switch status indicator goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green, and the OUT status indicator blinks green.

9 Press and release the Reset button. The Guardmaster dual-input safety relay must reset; its OUT status indicator is steady green. The Guardmaster expansion module Logic IN and OUT status indicators must be steady green.

10 Jump S12 to the DC COM. The Guardmaster dual-input safety relay trips immediately. The SensaGuard switch blinks red. The Guardmaster dual-input safety relay IN1, IN2, and OUT status indicators are OFF. The Guardmaster expansion module Logic IN and OUT status indicators are OFF.

11 Remove the jumper. Neither the SensaGuard switch nor the Guardmaster dual-input safety relay responds. Press and release the Reset button. Nothing changes.

12 Cycle Power to the SensaGuard switch. Approximately five seconds after power is restored, the SensaGuard switch status indicator goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green and the OUT status indicator blinks green.

13 Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster expansion module must reset. Monitor all indicators for proper operation.


14 to 27 Repeat steps 1 through 13 using the Guardmaster terminal S22 in place of S12 and "Safety B" in place of "Safety A".

28 Jump S12 to S22 on the Guardmaster dual-input safety relay. After approximately 50 seconds, the SensaGuard switch trips. The Guardmaster dual-input safety relay and the Guardmaster expansion module trip. The status indicator on the SensaGuard switch flashes red. Monitor all status indicators for proper operation.

29 Remove the jumper. Neither the SensaGuard switch, the Guardmaster dual-input safety relay, nor the Guardmaster expansion module responds. Press and release the Reset button. Nothing changes.

30 Cycle power to the SensaGuard switch. Approximately five seconds after power is restored, the SensaGuard switch status indicator goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green and the OUT indicator blinks green.

31 Replace the SWS wire on L12 of the Guardmaster expansion module. The Logic IN and OUT status indicators are steady green. Press and release the Start button to restore hazardous motion.

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

Guardmaster Dual-Input Safety Relay – Guardmaster Expansion Module Tests

Test Step Validation Pass/Fail Changes/Modifications

1 While the machine is running, remove the wire from L12 of the Guardmaster expansion module. The hazardous motion must coast to a stop. The Logic IN and OUT status indicators of the Guardmaster expansion module must be OFF. The Guardmaster dual-input safety relay is not affected.

2 Press the external Stop button. Restore the connection. The Guardmaster expansion module Logic IN and OUT status indicators are steady green. Press the external Start button to resume the hazardous motion.

3 While the hazardous motion continues to run, jump 24V to the L12 terminal of the Guardmaster expansion module. After a second or two, the hazardous motion coasts to a stop. The Logic IN and OUT status indicators of the Guardmaster expansion module are OFF. The OUT status indicator of the Guardmaster dual-input safety relay is OFF. The PWR/Fault status indicator of the safety relay blinks red to show that it is faulted.

4 Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond.

5 Cycle power to the Guardmaster dual-input safety relay. The safety relay responds. The PWR/Fault, IN1, and IN2 status indicators are steady green. The OUT status indicator blinks green.

6 Press and release the Reset button. Press the external Start button. The hazardous motion must resume.

7 While the hazardous motion is running, jump 0V to the L12 terminal of the Guardmaster expansion module. After a second or two, the hazardous motion coasts to a stop. The Logic IN and OUT status indicators of the Guardmaster expansion module are OFF. The OUT status indicator of the Guardmaster dual-input safety relay is OFF. The PWR/Fault status indicator of the safety relay blinks red to show that it is faulted.

8 Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond.

9 Cycle power to the Guardmaster dual-input safety relay. The safety relay responds. The PWR/Fault, IN1 and IN2 status indicators are steady green. The OUT status indicator blinks green.

10 Press and release the Reset button. Press the external Start button. The hazardous motion must resume.


Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

Guardmaster Expansion Module - PowerFlex Drive Tests

Test Step Verification and Validation Pass/Fail Changes/Modifications

1 While the machine is running, remove the wire from terminal S1 of the PowerFlex drive. The hazardous motion must coast to a stop. The Guardmaster dual-input safety relay and the Guardmaster expansion module are not affected. The PowerFlex drive displays an STO fault.

2 Reconnect the wire to terminal S1. Press the drive's Start button. The drive must not respond. The STO fault remains.

3 Cycle power to the drive. The STO fault is cleared. Press the Start button. The hazardous motion starts.

4 While the hazardous motion continues to run, jump 24V to terminal S1 of the PowerFlex drive. Open the guarded gate. The hazardous motion coasts to a stop. The Guardmaster dual-input safety relay and the Guardmaster expansion module behave in the normal way to the gate opening. The PowerFlex drive displays an STO fault.

5 Close the gate. Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster expansion module reset. The PowerFlex drive does not respond to the Start button. The PowerFlex drive’s STO fault remains.

6 Remove the jumper. Press the drive Start button. The drive must not respond. The STO fault remains.

7 Cycle power to the drive. The STO fault is cleared. Press the Start button. The hazardous motion starts.

8 While the hazardous motion continues to run, jump 0V to terminal S1 of the PowerFlex drive. The hazardous motion coasts to a stop. The Guardmaster dual-input safety relay and the Guardmaster expansion module are not affected. The PowerFlex drive displays an STO fault.

9 Remove the jumper. Press the drive Start button. The drive must not respond. The STO fault remains.

10 Cycle power to the drive. The STO fault is cleared. Press the Start button. The hazardous motion starts.

11 Repeat steps 1 through 10 using the PowerFlex drive’s terminal S2 in place of terminal S1. The system responses must be the same as before.

Confirmation of Performance - The overall system stopping performance does not exceed 476 ms.

SensaGuard Switch, Guardmaster Dual-input Safety Relay, Guardmaster Expansion Module, PowerFlex Drive Tests

Test Step Confirmation Pass/Fail Changes/Modifications

1 Confirm that everything runs safely in the configuration determined to yield the maximum overall system stopping performance.

2 While the machine continues to run, open the guarded gate. Do not reach into the guarded area. Confirm that the hazard stops within 476 ms.
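The validation tables above can be replayed against an executable model before anyone touches the machine, so that the expected response of every fault-injection step is pinned down in advance. The following is an added example and is not part of this publication or any Rockwell Automation code: it reduces each device to the responses the checklist itself states (an open OSSD channel trips the relay immediately, a jumpered L12 latches a relay fault, a disagreement between the drive's S1 and S2 inputs latches an STO fault, and only a power cycle clears a latched fault). The class names, the WIRED/OPEN/HIGH/LOW fault-injection labels and the function replay_drive_sto_tests are this model's own assumptions; the 476 ms limit is the checklist's.

```python
"""Model of the STO chain exercised by the checklist: door -> Guardmaster
dual-input relay -> expansion module (L12) -> PowerFlex STO inputs (S1, S2).
Added example, not Rockwell code: every device is reduced to the responses
the checklist states. WIRED/OPEN/HIGH/LOW and the class names are this
model's own assumptions."""

from dataclasses import dataclass

STOP_LIMIT_MS = 476   # required overall system stopping performance
WIRED, OPEN, HIGH, LOW = "wired", "open", "24V", "0V"   # fault-injection states


@dataclass
class DualInputRelay:
    """Guardmaster dual-input safety relay: IN1/IN2 from the switch OSSDs."""
    in1: bool = False
    in2: bool = False
    out: str = "off"        # "off" (tripped) | "blink" (awaiting reset) | "on"
    faulted: bool = False   # PWR/Fault blinking red; only a power cycle clears it

    def set_inputs(self, in1, in2):
        self.in1, self.in2 = in1, in2
        if self.faulted or not (in1 and in2):
            self.out = "off"          # an open channel trips immediately
        elif self.out == "off":
            self.out = "blink"        # inputs healthy again: wait for manual reset

    def reset(self):
        if self.out == "blink" and not self.faulted:
            self.out = "on"           # in any other state the relay does not respond

    def power_cycle(self):
        self.faulted = False
        self.out = "off"


@dataclass
class PowerFlexSTO:
    """STO input pair; model assumption: S1/S2 disagreement latches the STO fault."""
    s1: bool = False
    s2: bool = False
    running: bool = False
    sto_fault: bool = False

    def set_inputs(self, s1, s2):
        self.s1, self.s2 = s1, s2
        if not (s1 and s2):
            self.running = False      # torque removed: motor coasts to a stop
        if s1 != s2:
            self.sto_fault = True     # channels disagree: STO fault, latched

    def start(self):
        if self.s1 and self.s2 and not self.sto_fault:
            self.running = True       # Start is ignored while faulted or in STO
        return self.running

    def power_cycle(self):
        self.sto_fault = False
        self.running = False


class SafetyChain:
    def __init__(self):
        self.door_closed = True
        self.relay, self.drive = DualInputRelay(), PowerFlexSTO()
        self.l12 = self.s1 = self.s2 = WIRED   # injected faults change these
        self.em_outputs_on = False
        self.evaluate()

    def _level(self, wiring):
        # A wired terminal follows the expansion module; OPEN and LOW read as 0 V.
        return self.em_outputs_on if wiring == WIRED else wiring == HIGH

    def evaluate(self):
        self.relay.set_inputs(self.door_closed, self.door_closed)
        if self.l12 in (HIGH, LOW):       # relay monitors its own OUT wire
            self.relay.faulted, self.relay.out = True, "off"
        self.em_outputs_on = self.l12 == WIRED and self.relay.out == "on"
        self.drive.set_inputs(self._level(self.s1), self._level(self.s2))
        return self

    def reset(self):
        self.relay.reset()
        return self.evaluate()


def stopping_time_ok(measured_ms, limit_ms=STOP_LIMIT_MS):
    """Confirmation of performance: the hazard must stop within the limit."""
    return measured_ms <= limit_ms


def replay_drive_sto_tests():
    """Replay steps 1-4 of the expansion module / PowerFlex drive table.
    Returns {step: passed}."""
    c = SafetyChain().reset()
    c.drive.start()
    r = {}
    c.s1 = OPEN; c.evaluate()                          # step 1: wire removed
    r[1] = not c.drive.running and c.drive.sto_fault and c.relay.out == "on"
    c.s1 = WIRED; c.evaluate()                         # step 2: wire reconnected
    r[2] = not c.drive.start() and c.drive.sto_fault
    c.drive.power_cycle(); c.evaluate()                # step 3: drive power cycle
    r[3] = c.drive.start()
    c.s1 = HIGH; c.door_closed = False; c.evaluate()   # step 4: 24V jumper, gate open
    r[4] = (not c.drive.running and c.drive.sto_fault
            and c.relay.out == "off" and not c.relay.faulted)
    return r
```

The model encodes the latching rules the checklist depends on: a Reset never clears a detected fault, only a power cycle of the affected device does, and the Start button is ignored while the drive shows an STO fault. A step that passes in the model but not on the machine therefore points at wiring or configuration rather than at the test sequence itself.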

IMPORTANT In addition to the verification and validation steps provided here, consult the application technique for your input subsystem for the steps required to validate the input device. For the input subsystem example used in this safety function application technique, we reference Safety Function: Door Monitoring Products: SensaGuard/GSR DI, publication SAFETY-AT069.


Additional Resources

These documents contain additional information concerning related products from Rockwell Automation.

You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley™ distributor or Rockwell Automation® sales representative.

Resource Description

SensaGuard Rectangular Flat Pack Installation Instructions, publication 440N-IN008 Provides instructions on how to install a SensaGuard switch.

Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037 Provides instructions on how to install, configure, operate, and maintain a Guardmaster dual-input safety relay.

Guardmaster Safety Relay DI Quick Start Guide–Troubleshooting, publication 440R-TG002 Provides information on how to troubleshoot a Guardmaster dual-input safety relay.

Guardmaster Safety Relay EM Installation Instructions, publication 440R-IN043 Provides instructions on how to install, configure, operate, and maintain a Guardmaster expansion module.

Guardmaster Safety Relays (DI, DIS, SI, CI, GLP, EM, and EMD) Selection Guide, publication 440R-SG001 Provides descriptive information about how to select and configure a Guardmaster safety relay.

PowerFlex 520-Series Adjustable Frequency AC Drive Quick Start Guide, publication 520-QS001A Summarizes the basic steps needed to install, start up, and program the PowerFlex 520-series adjustable frequency AC drive.

PowerFlex 520-Series AC Drive Specifications Technical Data, publication 520-TD001 Provides detailed specifications for the PowerFlex 520-series adjustable frequency AC drive.

PowerFlex 520-Series Adjustable Frequency AC Drive User Manual, publication 520-UM001 Provides detailed information on how to install, configure, operate, and maintain a PowerFlex 520-series adjustable frequency AC drive.

PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002 Provides detailed information on how to install, configure, operate, and maintain a PowerFlex 527 adjustable frequency AC drive.

Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 Provides general guidelines on how to install a Rockwell Automation industrial system.

Safety Products Catalog, publication S117-CA001, website http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page Provides information about Rockwell Automation safety products.

Product Certifications website, available from the Product Certifications link on http://www.ab.com Provides declarations of conformity, certificates, and other certification details.


Allen-Bradley, Connected Components Workbench, Guardmaster, LISTEN. THINK. SOLVE, PowerFlex, Rockwell Automation, Rockwell Software, SensaGuard, and Studio 5000 Automation Engineering & Design Environment are trademarks of Rockwell Automation, Inc.

Trademarks not belonging to Rockwell Automation are property of their respective companies.

Publication SAFETY-AT139A-EN-P - May 2015 Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.

Documentation Feedback

Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete this form, publication RA-DU002, available at http://www.rockwellautomation.com/literature/.

Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400

For more information on Safety Function Capabilities, visit: http://marketing.rockwellautomation.com/safety/en/safety_functions

Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.