Banner SC10-2, SC26-2, XS26-2de, SC26-2d, SC26-2e Instruction Manual

...
XS/SC26-2 and SC10-2 Safety Controllers
Instruction Manual
Original Instructions 174868 Rev. P 26 April 2019
© Banner Engineering Corp. All rights reserved

Contents

1 About This Document
1.1 Important . . . Read This Before Proceeding!
1.2 Use of Warnings and Cautions
1.3 EU Declaration of Conformity (DoC)
2 Product Description
2.1 Terms Used in this Manual
2.2 Software
2.3 USB Connections
2.4 Ethernet Connections
2.5 Internal Logic
2.6 Password Overview
2.7 SC-XM2/3 Drive and SC-XMP2 Programming Tool
3 XS/SC26-2 Overview
3.1 XS/SC26-2 Models
3.2 XS/SC26-2 Features and Indicators
3.3 XS/SC26-2 Using FID 1 and FID 2 Safety Controllers
3.4 Input and Output Connections
3.4.1 XS/SC26-2 Safety and Non-Safety Input Devices
3.4.2 XS/SC26-2 Safety Outputs
3.4.3 XS/SC26-2 Status Outputs and Virtual Status Outputs
3.5 XS/SC26-2 Automatic Terminal Optimization (ATO) Feature
4 SC10-2 Overview
4.1 SC10-2 Models
4.2 SC10-2 Features and Indicators
4.3 SC10-2 FID
4.4 Input and Output Connections
4.4.1 SC10-2 Safety and Non-Safety Input Devices
4.4.2 SC10-2 Safety Relay Outputs
4.4.3 SC10-2 Status Outputs and Virtual Status Outputs
4.5 SC10-2 Automatic Terminal Optimization (ATO) Feature with External Terminal Blocks (ETB)
5 Specifications and Requirements
5.1 XS/SC26-2 Specifications
5.2 SC10-2 Specifications
5.3 Dimensions
5.4 PC Requirements
6 System Installation
6.1 Installing the Software
6.2 Installing the Safety Controller
6.2.1 Mounting Instructions
7 Installation Considerations
7.1 Appropriate Application
7.2 XS/SC26-2 Applications
7.3 SC10-2 Applications
7.4 Safety Input Devices
7.4.1 Safety Circuit Integrity and ISO 13849-1 Safety Circuit Principles
7.4.2 Safety Input Device Properties
7.5 Safety Input Device Options
7.5.1 Safety Circuit Integrity Levels
7.5.2 Emergency Stop Push Buttons
7.5.3 Rope (Cable) Pull
7.5.4 Enabling Device
7.5.5 Protective (Safety) Stop
7.5.6 Interlocked Guard or Gate
7.5.7 Optical Sensor
7.5.8 Two-Hand Control
7.5.9 Safety Mat
7.5.10 Muting Sensor
7.5.11 Bypass Switch
7.5.12 Adjustable Valve Monitoring (AVM) Function
7.6 Non-Safety Input Devices
7.6.1 Manual Reset Input
7.7 Virtual Non-Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2)
7.7.1 Virtual Manual Reset and Cancel Delay (RCD) Sequence
7.7.2 Virtual ON/OFF and Mute Enable
7.8 Safety Outputs
7.8.1 XS/SC26-2 Solid-State Safety Outputs
7.8.2 Safety Relay Outputs
7.8.3 EDM and FSD Hookup
7.9 Status Outputs
7.9.1 Status Output Signal Conventions
7.9.2 Status Output Functionality
7.10 Virtual Status Outputs
8 Getting Started
8.1 Creating a Configuration
8.2 Adding Inputs and Status Outputs
8.2.1 Adding Safety and Non-Safety Inputs
8.2.2 Adding Status Outputs
8.3 Designing the Control Logic
8.4 Saving and Confirming a Configuration
8.4.1 Notes on Confirming or Writing a Configuration to a Configured SC10-2
8.5 XS/SC26-2 Sample Configuration
9 Software
9.1 Abbreviations
9.2 Software Overview
9.3 Project Settings
9.4 Equipment Tab
9.5 Functional View Tab
9.5.1 Logic Blocks
9.5.2 Function Blocks
9.6 Wiring Diagram Tab
9.7 Ladder Logic Tab
9.8 Industrial Ethernet Tab
9.8.1 Network Settings
9.8.2 EtherNet/IP Assembly Objects
9.8.3 Industrial Ethernet: Table Row and Column Descriptions
9.8.4 Fault Log Support Tables
9.9 Configuration Summary Tab
9.10 Print Options
9.11 XS26-2 Password Manager
9.12 SC10-2 Password Manager
9.13 Viewing and Importing Controller Data
9.14 Live Mode
9.15 Simulation Mode
9.15.1 Timed Action Mode
9.16 Reference Signals
10 XS/SC26-2 Onboard Interface
10.1 XS/SC26-2 Configuration Mode
11 System Checkout
11.1 Schedule of Required Checkouts
11.2 Commissioning Checkout Procedure
11.2.1 Verifying System Operation
11.2.2 Initial Setup, Commissioning, and Periodic Checkout Procedures
12 Status and Operating Information
12.1 XS/SC26-2 LED Status
12.2 SC10-2 LED Status
12.3 Live Mode Information: Software
12.4 Live Mode Information: Onboard Interface
12.5 Lockout Conditions
12.6 Recovering from a Lockout
12.7 SC10-2 Using Automatic Terminal Optimization
12.8 SC10-2 Example Configuration without Automatic Terminal Optimization
12.9 SC10-2 Using the SC-XM3
12.10 SC10-2 Reset the Safety Controller to Factory Defaults
12.11 Factory Defaults
13 Troubleshooting
13.1 Software: Troubleshooting
13.2 Software: Error Codes
13.3 Verifying Driver Installation
13.4 Finding and Fixing Faults
13.4.1 XS/SC26-2 Fault Code Table
13.4.2 SC10-2 Fault Code Table
14 Components and Accessories
14.1 Replacement Parts and Accessories
14.2 Ethernet Cordsets
14.3 Interface Modules
14.3.1 Mechanically Linked Contactors
15 Product Support and Maintenance
15.1 Cleaning
15.2 Repairs and Warranty Service
15.3 Contact Us
15.4 Banner Engineering Corp. Limited Warranty
15.5 Banner Engineering Corp. Software Copyright Notice
16 Standards and Regulations
16.1 Applicable U.S. Standards
16.2 Applicable OSHA Regulations
16.3 Applicable European and International Standards
17 Glossary

1 About This Document

1.1 Important . . . Read This Before Proceeding!

It is the responsibility of the machine designer, controls engineer, machine builder, machine operator, and/or maintenance personnel or electrician to apply and maintain this device in full compliance with all applicable regulations and standards. The device can provide the required safeguarding function only if it is properly installed, properly operated, and properly maintained. This manual attempts to provide complete installation, operation, and maintenance instruction. Reading the manual in its entirety is highly recommended. Please direct any questions regarding the application or use of the device to Banner Engineering.
For more information regarding U.S. and international institutions that provide safeguarding application and safeguarding device performance standards, see Standards and Regulations on page 157.
WARNING: User Responsibility
The user is responsible to:
• Carefully read, understand, and comply with all instructions for this device.
• Perform a risk assessment that includes the specific machine guarding application. Guidance on a compliant methodology can be found in ISO 12100 or ANSI B11.0.
• Determine what safeguarding devices and methods are appropriate per the results of the risk assessment and implement per all applicable local, state, and national codes and regulations. See ISO 13849-1, ANSI B11.19, and/or other appropriate standards.
• Verify that the entire safeguarding system (including input devices, control systems, and output devices) is properly configured and installed, operational, and working as intended for the application. Periodically re-verify, as needed, that the entire safeguarding system is working as intended for the application.
Failure to follow any of these responsibilities may potentially create a dangerous condition that could result in serious injury or death.

1.2 Use of Warnings and Cautions

The precautions and statements used throughout this document are indicated by alert symbols and must be followed for the safe use of the Banner Safety Controllers. Failure to follow all precautions and alerts may result in unsafe use or operation. The following signal words and alert symbols are defined as follows:
Signal Word: Definition
WARNING: Warnings refer to potentially hazardous situations which, if not avoided, could result in serious injury or death.
CAUTION: Cautions refer to potentially hazardous situations which, if not avoided, could result in minor or moderate injury.
These statements are intended to inform the machine designer and manufacturer, the end user, and maintenance personnel, how to avoid misapplication and effectively apply the Banner Safety Controllers to meet the various safeguarding application requirements. These individuals are responsible to read and abide by these statements.

1.3 EU Declaration of Conformity (DoC)

Banner Engineering Corp. herewith declares that the SC26-2 Programmable Safety Controller, XS26-2 Programmable Safety Controller, XS2so and XS4so Solid-State Safety Output Modules, XS8si and XS16si Safety Input Modules, XS1ro and XS2ro Safety Relay Modules, and SC10-2 Safety Controller is in conformity with the provisions of the Machinery Directive 2006/42/EC and EMC Directive 2004/108/EC and all essential health and safety requirements have been met.
Representative in EU: Peter Mertens, Managing Director Banner Engineering Europe. Address: Park Lane, Culliganlaan 2F, bus 3, 1831 Diegem, Belgium.
www.bannerengineering.com - Tel: + 1 888 373 6767

2 Product Description

Safety control is a critical and required part of any safety system. This is because safety controllers ensure that your safety measures 1) do not fail, or 2) if failure is inevitable, fail in a predictable safe way.
A safety controller is often an ideal safety control solution, because it provides more functionality than a safety relay, at a lower cost than a safety PLC. In addition, a smart, scalable safety controller can expand with your needs as well as enable remote monitoring of your machine safety systems.
Banner Safety Controllers are easy-to-use, configurable, and expandable modules (XS26-2xx models) designed to monitor multiple safety and non-safety input devices, providing safe stop and start functions for machines with hazardous motion. The Safety Controller can replace multiple safety relay modules in applications that include such safety input devices as E-stop buttons, interlocking gate switches, safety light curtains, two-hand controls, safety mats, and other safeguarding devices. The Safety Controller may also be used in place of larger and more complex safety PLCs with the use of additional input and/or output expansion modules.
The onboard interface:
• Provides access to fault diagnostics
• Allows reading and writing the configuration file from and to the SC-XM2 and SC-XM3 drives
• XS/SC26-2: Displays configuration summary, including terminal assignments and network settings

2.1 Terms Used in this Manual

The following terms are used in this manual.
Safety Controller—an abbreviated version referring to the entire XS/SC26-2 Safety Controller system, as well as to the SC10-2, both of which are covered by this manual
Expandable Safety Controller—refers to expandable models
Base Controller—refers to the main module in the XS/SC26-2 Safety Controller System
SC26-2 Programmable Safety Controller, XS26-2 Programmable Safety Controller, XS2so and XS4so Solid-State Safety Output Modules, XS8si and XS16si Safety Input Modules, XS1ro and XS2ro Safety Relay Modules—formal name of the XS/SC26-2 product line

2.2 Software

The Banner Safety Controller Software is an application with real-time display and diagnostic tools that are used to:
• Design and edit configurations
• Test a configuration in Simulation Mode
• Write a configuration to the Safety Controller
• Read the current configuration from the Safety Controller
• Display the real-time information, such as device statuses
• Display the fault information
The Software uses icons and circuit symbols to assist in making appropriate input device and property selections. As the various device properties and I/O control relationships are established on the Functional View tab, the program automatically builds the corresponding wiring and ladder logic diagrams.
See Software Overview on page 73 for details.

2.3 USB Connections

The micro USB port on the Base Controller and the SC10-2 is used to connect to the PC (via the SC-USB2 cable) and the SC-XM2/3 drive to read and write configurations created with the Software.
CAUTION: Potential for Unintended Ground Return Path
The USB interface is implemented in an industry standard way and is not isolated from the 24 V supply.
The USB cable makes it possible for the computer and safety controller to become part of an unintended ground return path for other connected equipment. A large current could damage the PC and/or the Safety Controller. To minimize this possibility, Banner recommends that the USB cable is the only cable connected to the PC. This includes disconnecting the AC power supply to a laptop whenever possible.
The USB interface is intended for downloading configurations and temporary monitoring or troubleshooting. It is not designed for continuous use.

2.4 Ethernet Connections

Ethernet connections are made using an Ethernet cable connected from the Ethernet port of the Base Safety Controller (Ethernet models only) or SC10-2 to a network switch or to the control or monitoring device. The Safety Controller supports either the standard or crossover-style cables. A shielded cable may be needed in high-noise environments.

2.5 Internal Logic

The Safety Controller’s internal logic is designed so that a Safety Output can turn On only if all the controlling safety input device signals and the Safety Controller’s self-check signals are in the Run state and report that there is no fault condition.
The Banner Safety Controller Software uses both Logic and Safety Function blocks for simple and more advanced applications.
Logic Blocks are based on Boolean (True or False) logic laws. The following Logic Blocks are available:
• NOT
• AND
• OR
• NAND
• NOR
• XOR
• Flip Flop (Set priority and Reset priority)
See Logic Blocks on page 78 for more information.
Function Blocks are pre-programmed blocks with built-in logic which provide various attribute selections to serve both common and complex application needs. The following Function Blocks are available:
• Bypass Block
• Enabling Device Block
• Latch Reset Block
• Muting Block
• THC (Two-Hand Control) Block
• Delay Block (XS/SC26-2 FID 2 only and SC10-2)
See Function Blocks on page 80 for more information.

2.6 Password Overview

A password is required to confirm and write the configuration to the Safety Controller and to access the Password Manager via the Software. See XS26-2 Password Manager on page 112 for more information.

2.7 SC-XM2/3 Drive and SC-XMP2 Programming Tool

Use the SC-XM2 and SC-XM3 drives to store a confirmed configuration.
XS/SC26-2: The configuration can be written directly by the Safety Controller, when the drive is plugged in to the micro USB port (see XS/SC26-2 Configuration Mode on page 123), or via the SC-XMP2 Programming Tool using only the Software without the need to plug in the Safety Controller.
Important: Verify that the configuration that is being imported to the Safety Controller is the correct configuration (via the Software or writing on the white label on the SC-XM2/3 drive).
Click to access the programming tool options:
• Read—reads the current Safety Controller configuration from the SC-XM2/3 drive and loads it to the Software
• Write—writes a confirmed configuration from the Software to the SC-XM2/3 drive
• Lock—locks the SC-XM2/3 drive preventing any configurations from being written to it (an empty drive cannot be locked)
Note: You will not be able to unlock the SC-XM2/3 drive after it has been locked.

3 XS/SC26-2 Overview

With the option to add up to eight I/O expansion modules, the XS26-2 Expandable Safety Controller has the capacity to adapt to a variety of machines, including large scale machines with multiple processes.
• Program in minutes with intuitive, easy-to-use configuration software
• Up to eight expansion I/O modules can be added as automation requirements grow or change
• Choose from six expansion module models
• Expansion module models have a variety of safety inputs, solid-state safety outputs and safety relay outputs
• Innovative live display feature and diagnostics allow for active monitoring of I/O on a PC and assist in troubleshooting and commissioning
• Safety Controller and input modules allow safety inputs to be converted to status outputs for efficient terminal use
• Ethernet-enabled models can be configured for up to 256 virtual status outputs

3.1 XS/SC26-2 Models

All Expandable and Non-Expandable Base modules have 18 Safety Inputs, 8 Convertible Safety I/Os, and 2 Solid-State Safety Output pairs. Up to eight expansion modules, in any combination of input and output modules, can be added to the expandable models of the Base Controller.
Table 1: Expandable Base Models
Model Display Network
XS26-2 No No
XS26-2d Yes No
XS26-2e No Yes
XS26-2de Yes Yes
Table 2: Non-Expandable Base Models
Model Display Network
SC26-2 No No
SC26-2d Yes No
SC26-2e No Yes
SC26-2de Yes Yes
Table 3: I/O Expansion Modules
Model Description
XS16si Safety Input Module - 16 inputs (4 convertible)
XS8si Safety Input Module - 8 inputs (2 convertible)
XS2so 2 Dual Channel Solid-State Safety Output Module
XS4so 4 Dual Channel Solid-State Safety Output Module
XS1ro 1 Dual Channel Safety Relay Module
XS2ro 2 Dual Channel Safety Relay Module

3.2 XS/SC26-2 Features and Indicators

Figure callouts: Ethernet Port; Indicator LEDs; Onboard Interface Push Buttons; Onboard Display; Wiring Terminals; Expansion Port; Micro USB Port; Wiring Terminal Row Designation

3.3 XS/SC26-2 Using FID 1 and FID 2 Safety Controllers

Over time, Banner adds new features to some devices. The Feature ID (FID) identifies the set of features and functions included in a particular model. Generally, an increasing FID number corresponds to an increasing feature set. A configuration using a higher numbered FID feature is not supported by a Safety Controller of a lower FID.
Figure 1. Example Label
FID 1 and FID 2 XS26 Base Modules can be used in the same application, however steps must be taken to ensure compatibility. See the side label on the module (Figure 1 on page 9) or query the Module Information of the Base Module to determine whether a particular device is FID 1 or FID 2. PROFINET, virtual non-safety inputs, delay blocks, and some virtual status outputs are not compatible with FID 1 devices. In order to have one configuration file that applies to both FID 1 and FID 2 devices, create configurations without using these features. Confirm all configurations after loading to ensure that they are correct.
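The FID 1 / FID 2 compatibility rule above can be checked before a shared configuration is rolled out to a mixed set of Base Modules. The following is an added example, not Banner software or a Banner file format: the ConfigSummary fields, function names, and module tags are hypothetical, and the limits are the ones stated in this manual (64 virtual status outputs on FID 1, 256 on FID 2).

```python
from dataclasses import dataclass

# Virtual status output limits per FID, as stated in this manual.
VSO_LIMIT = {1: 64, 2: 256}


@dataclass(frozen=True)
class ConfigSummary:
    """Hypothetical hand-entered summary of a configuration (assumption)."""
    name: str
    protocols: frozenset = frozenset()
    virtual_non_safety_inputs: int = 0
    delay_blocks: int = 0
    virtual_status_outputs: int = 0


def fid1_blockers(cfg):
    """Return the reasons this configuration cannot run on a FID 1 module."""
    if cfg.virtual_status_outputs > VSO_LIMIT[2]:
        raise ValueError(
            f"{cfg.name}: {cfg.virtual_status_outputs} virtual status outputs "
            f"exceeds the FID 2 limit of {VSO_LIMIT[2]}"
        )
    blockers = []
    if "PROFINET" in cfg.protocols:
        blockers.append("PROFINET")
    if cfg.virtual_non_safety_inputs > 0:
        blockers.append(f"{cfg.virtual_non_safety_inputs} virtual non-safety input(s)")
    if cfg.delay_blocks > 0:
        blockers.append(f"{cfg.delay_blocks} Delay Block(s)")
    # The manual says "some" virtual status outputs are FID 2 only; this
    # check only covers the documented count limit, not specific output types.
    if cfg.virtual_status_outputs > VSO_LIMIT[1]:
        blockers.append(
            f"{cfg.virtual_status_outputs} virtual status outputs "
            f"(FID 1 limit is {VSO_LIMIT[1]})"
        )
    return blockers


def required_fid(cfg):
    """Lowest FID that supports every feature the configuration uses."""
    return 2 if fid1_blockers(cfg) else 1


def unsupported_modules(cfg, fleet):
    """Tags of modules whose FID (read from the side label) is too low."""
    need = required_fid(cfg)
    return sorted(tag for tag, fid in fleet.items() if fid < need)


# Constructed sample data: module tag -> FID read from the side label.
FLEET = {"press-line-A": 1, "press-line-B": 2, "packer-C": 2}

SHARED = ConfigSummary(
    name="shared", protocols=frozenset({"Modbus/TCP"}), virtual_status_outputs=64
)
PLANT = ConfigSummary(
    name="plant",
    protocols=frozenset({"PROFINET", "Modbus/TCP"}),
    virtual_non_safety_inputs=2,
    delay_blocks=1,
    virtual_status_outputs=120,
)

if __name__ == "__main__":
    for cfg in (SHARED, PLANT):
        print(cfg.name, "needs FID", required_fid(cfg))
        for reason in fid1_blockers(cfg):
            print("  FID 2 only:", reason)
        print("  cannot load on:", unsupported_modules(cfg, FLEET) or "none")
```

A clean result from this check does not replace the manual's instruction to confirm every configuration after loading.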

3.4 Input and Output Connections

3.4.1 XS/SC26-2 Safety and Non-Safety Input Devices

The Base Controller has 26 input terminals that can be used to monitor either safety or non-safety devices; these devices may incorporate either solid-state or contact-based outputs. Some of the input terminals can be configured to either source 24 V dc for monitoring contacts or to signal the status of an input or an output. The function of each input circuit depends on the type of the device connected; this function is established during the controller configuration.
The FID 2 Base Controller also supports non-safety virtual inputs.
The expansion modules XS8si and XS16si add additional inputs to the Safety Controller System.
Contact Banner Engineering for additional information about connecting other devices not described in this manual.

3.4.2 XS/SC26-2 Safety Outputs

The Safety Outputs are designed to control Final Switching Devices (FSDs) and Machine Primary Control Elements (MPCEs) that are the last elements (in time) to control the dangerous motion. These control elements include relays, contactors, solenoid valves, motor controls, and other devices that typically incorporate force-guided (mechanically-linked) monitoring contacts, or electrical signals needed for external device monitoring.
The Safety Controller has two independently controlled and redundant solid-state Safety Outputs (terminals SO1a & SO1b, and SO2a & SO2b). The Safety Controller’s self-checking algorithm ensures that the outputs turn On and Off at the appropriate times, in response to the assigned input signals.
Each redundant solid-state Safety Output is designed to work either in pairs or as two individual outputs. When controlled in pairs, the Safety Outputs are suitable for Category 4 applications; when acting independently, they are suitable for applications up to Category 3 when appropriate fault exclusion has been employed (see Single-channel Control in Safety (Protective) Stop Circuits on page 55 and Safety Circuit Integrity and ISO 13849-1 Safety Circuit Principles on page 26).
See Safety Outputs on page 46 for more information about hookup, solid-state and safety relay outputs, external device monitoring, single/dual-channel Safety Stop Circuits, and configuring Safety Outputs.
Additional solid-state or safety relay outputs can be added to expandable models (XS26-2xx) of the Base Controller by incorporating expansion output modules (XS2so, XS4so, XS1ro, and XS2ro). Up to eight expansion modules, in any combination of input or output modules, can be added.
The Safety Outputs can be controlled by input devices with both automatic and manual reset operation.
Figure 2. Safety Outputs (Example Application)
Functional Stops according to IEC 60204-1 and ANSI NFPA79
The Safety Controller is capable of performing two functional stop types:
• Category 0: an uncontrolled stop with the immediate removal of power from the guarded machine
• Category 1: a controlled stop with a delay before power is removed from the guarded machine
Delayed stops can be used in applications where machines need power for a braking mechanism to stop the hazardous motion.

3.4.3 XS/SC26-2 Status Outputs and Virtual Status Outputs

The Base Controller has eight convertible I/Os (labeled IOx) that can be used as Status Outputs which have the capability to send non-safety status signals to devices such as programmable logic controllers (PLCs) or indicator lights. In addition, any unused Safety Output terminals may be configured to perform a Status Output function with the benefit of higher current capacity (see XS/SC26-2 Specifications on page 16 for more information). For the solid state safety outputs configured as status outputs, the safety test pulses stay enabled even when designated as a status output. The Status Output signal convention can be configured to be 24 V dc or 0 V dc. See Status Output Signal Conventions on page 59 for information on the specific functions of a Status Output.
Ethernet models, using the Software, can be configured for up to 64 Virtual Status Outputs on FID 1 Base Controllers and up to 256 virtual status outputs on FID 2 Base Controllers. These outputs can communicate the same information as the status outputs over the network. See Virtual Status Outputs on page 61 for more information.
WARNING:
• Status Outputs and Virtual Status Outputs are not safety outputs and can fail in either the On or the Off state.
• If a Status Output or a Virtual Status Output is used to control a safety-critical application, a failure to danger is possible and may lead to serious injury or death.
• Never use a Status Output or Virtual Status Output to control any safety-critical applications.

3.5 XS/SC26-2 Automatic Terminal Optimization (ATO) Feature

Automatic Terminal Optimization (ATO) is a standard feature on all XS/SC26-2 models. This feature automatically combines up to two I/O terminals for two devices that require +24 V test pulses from the Safety Controller. When applicable, the Software automatically does this for every pair of devices that are added, until I/O terminals are no longer available. Sharing is limited to two because the screw-type terminals are capable of accepting up to two wires.
Manually reassign terminals in the device properties window, if preferred.
The following figures illustrate the XS/SC26-2 ATO feature optimizing terminals for two gate switches. This results in a total terminal usage of six, versus eight if ATO is not utilized. The first gate switch (GS1) is added. This is a dual channel, four-wire gate switch that requires two independent +24 V pulsed outputs from the Safety Controller. IO1 is assigned as +24 V test pulse 1 which runs through channel 1 of GS1 to IN1. IO2 is assigned as +24 V test pulse 2 which runs through channel 2 of GS1 to IN2. When the second gate switch GS2 is added, it also uses IO1 and IO2 but uses IN3 and IN4 to monitor its two channels.
Figure 3. GS1 and GS2 Sharing IO1 and IO2
Figure 4. Wiring Diagram Tab View of Shared I/Os

4 SC10-2 Overview

Banner's SC10-2 configurable safety relay controller is an easy-to-use and cost effective alternative to safety relay modules. It replaces the functionality and capability of two independent safety relay modules while offering the configurability, simplicity, and advanced diagnostics capabilities offered by the rest of the Banner Safety Controller line-up.
• Intuitive, icon-based programming with drag-and-drop PC configuration simplifies device setup and management
• Two six-amp safety relay outputs, each with three N.O. sets of contacts
• Ten inputs, including four that can be used as non-safe outputs
• Automatic Terminal Optimization (ATO) can increase the inputs from 10 to up to 14
• Industrial Ethernet two-way communication
  · 256 virtual non-safe status outputs
  · 80 virtual non-safe inputs (reset, on/off, cancel off-delay, mute enable)
• SC-XM3 external drive for fast swap and quick configuration without a PC (see SC10-2 Using the SC-XM3 on page 141)
Figure 5. SC10-2 Safety Controller
Figure callouts: Micro USB & LED; 4 Safe Inputs & LEDs or 4 Non-Safe Outputs & LEDs; 6 Safe Inputs & LEDs; Power & LED; Ethernet Port; RO1 and RO2 LEDs; Relay Output 1 (RO1): 6 Amps Total 240 Vac / 24 Vdc, 3 NO sets of contacts; Relay Output 2 (RO2): 6 Amps Total 240 Vac / 24 Vdc, 3 NO sets of contacts

4.1 SC10-2 Models

Model Description
SC10-2roe Configurable safety relay controller - 10 inputs (4 convertible), two 3-channel safety relay outputs, industrial ethernet

4.2 SC10-2 Features and Indicators

Connection points are push-in spring clamp connectors.
Wire Size: 24 to 14 AWG, 0.2 mm² to 2.08 mm²
Important: Clamp terminals are designed for one wire only. If more than one wire is connected to a terminal, a wire could loosen or become completely disconnected from the terminal, causing a short.
Use a stranded wire or a wire with an accompanying ferrule. Tinned wires are not recommended.
After inserting the wire into the terminal, tug the wire to make sure it is properly retained. If the wire is not retained, consider using a different wiring solution.
Figure 6. Features and Indicators

4.3 SC10-2 FID

Over time, Banner adds new features to some devices. The Feature ID (FID) identifies the set of features and functions included in a particular model. Generally, an increasing FID number corresponds to an increasing feature set. A configuration using a higher numbered FID feature is not supported by a Safety Controller of a lower FID.
SC10-2 Safety Controllers are FID 1.
Figure 7. Example SC10-2 Label

4.4 Input and Output Connections

4.4.1 SC10-2 Safety and Non-Safety Input Devices

The SC10-2 has 10 input terminals that can be used to monitor either safety or non-safety devices; these devices may incorporate either solid-state or contact-based outputs.
Some of the input terminals can be configured to either source 24 V dc for monitoring contacts or to signal the status of an input or an output. The function of each input circuit depends on the type of the device connected; this function is established during the controller configuration.

4.4.2 SC10-2 Safety Relay Outputs

The SC10-2 has two, three-channel, normally open (N.O.), safety relay outputs.
The Safety Outputs are designed to control Final Switching Devices (FSDs) and Machine Primary Control Elements (MPCEs) that are the last elements (in time) to control the dangerous motion. These control elements include relays, contactors, solenoid valves, motor controls, and other devices that may also incorporate force-guided (mechanically-linked) monitoring contacts, or electrical signals needed for external device monitoring (EDM).
Functional Stops according to IEC 60204-1 and ANSI NFPA79
The Safety Controller is capable of performing two functional stop types:
• Category 0: an uncontrolled stop with the immediate removal of power from the guarded machine
• Category 1: a controlled stop with a delay before power is removed from the guarded machine
Delayed stops can be used in applications where machines need power for a braking mechanism to stop the hazardous motion.

4.4.3 SC10-2 Status Outputs and Virtual Status Outputs

Using the Software, the SC10-2 can be configured for up to 256 virtual status outputs to communicate information over the network. These outputs have the capability to send non-safety status signals to devices such as programmable logic controllers (PLCs) or human machine interfaces (HMIs). See Virtual Status Outputs on page 61 for more information.
The SC10-2 has four convertible I/Os (labeled IOx) that can be used as Status Outputs to directly control indicator lights or be hard wired inputs to PLCs. These outputs communicate the same information as the virtual status outputs.
WARNING:
• Status Outputs and Virtual Status Outputs are not safety outputs and can fail in either the On or the Off state.
• If a Status Output or a Virtual Status Output is used to control a safety-critical application, a failure to danger is possible and may lead to serious injury or death.
• Never use a Status Output or Virtual Status Output to control any safety-critical applications.

4.5 SC10-2 Automatic Terminal Optimization (ATO) Feature with External Terminal Blocks (ETB)

Automatic Terminal Optimization (ATO) Feature with External Terminal Blocks (ETB) is a standard feature on all SC10 models and is enabled by default.
The ATO feature can expand the 10 terminals on the SC10-2 to work with additional inputs by optimizing terminals and using ETBs. As devices are added, deleted or edited, the Software automatically provides the optimum terminal assignment to minimize wiring and maximize terminal utilization.
ATO is a smart feature that provides all available device types and configuration options as a configuration is created. After all IN and I/O terminals are occupied and another device is added, ATO looks for devices that require +24 V test pulses from the Safety Controller. These devices are combined via an External Terminal Block (ETB) to free up an I/O terminal. Each ETB allows for up to three different devices to share a single I/O +24 V signal.
Disable ATO by editing the module properties of the SC10 in the Software, if preferred. ETBs will still be active, but you will be required to re-assign I/O terminals manually as needed to fully optimize terminal utilization.

5 Specifications and Requirements

5.1 XS/SC26-2 Specifications

Base Controller and Expansion Modules
Mechanical Stress
Shock: 15 g for 11 ms, half sine, 18 shocks total (per IEC 61131-2) Vibration: 3.5 mm occasional / 1.75 mm continuous at 5 Hz to 9 Hz, 1.0 g occasional and 0.5 g continuous at 9 Hz to 150 Hz: all at 10 sweep cycles per axis (per IEC 61131-2)
Safety
Category 4, PL e (EN ISO 13849) SIL CL 3 (IEC 62061, IEC 61508)
Product Performance Standards
See Standards and Regulations on page 157 for a list of industry applicable U.S. and international standards
EMC
Meets or exceeds all EMC requirements in IEC 61131-2, IEC 62061 Annex E, Table E.1 (increased immunity levels), IEC 61326-1:2006, and IEC 61326-3-1:2008
Important: The Safety Controller and all solid state output expansion modules should be connected only to a SELV rated (Safety Extra-Low Voltage) power supply.
Operating Conditions
Temperature: 0 °C to +55 °C (+32 °F to +131 °F) Storage Temperature: –30 °C to +65 °C (–22 °F to +149 °F) Humidity: 90% at +50 °C maximum relative humidity (non-condensing) Operating Altitude: 2000 m maximum (6562 ft maximum)
Environmental Rating
NEMA 1 (IEC IP20), for use inside NEMA 3 (IEC IP54) or better enclosure
Removable Screw Terminals
Wire size: 24 to 12 AWG (0.2 to 3.31 mm²) Wire strip length: 7 to 8 mm (0.275 in to 0.315 in) Tightening torque: 0.565 N·m (5.0 in-lb)
Removable Clamp Terminals
Important: Clamp terminals are designed for 1 wire only. If more than 1 wire is connected to a terminal, a wire could loosen or become completely disconnected from the terminal, causing a short.
Wire size: 24 to 16 AWG (0.20 to 1.31 mm²) Wire strip length: 8.00 mm (0.315 in)
XS26-2 and SC26-2 Base Safety Controller Modules
Power
24 V dc ± 20% (incl. ripple), 100 mA no load Ethernet models: add 40 mA Display models: add 20 mA Expandable models: 3.6 A max. bus load
Network Interface (Ethernet models only)
Ethernet 10/100 Base-T/TX, RJ45 modular connector Selectable auto negotiate or manual rate and duplex Auto MDI/MDIX (auto cross) Protocols: EtherNet/IP (with PCCC), Modbus/TCP, and PROFINET (FID 2 only) Data: 64 configurable virtual Status Outputs on FID 1 Base Controllers or 256 virtual Status Outputs on FID 2 Base Controllers; fault diagnostic codes and messages; access to fault log
Convertible I/O
Sourcing current: 80 mA maximum (overcurrent protected)
Automatic Terminal Optimization Feature
Up to two devices
Test Pulse
Width: 200 μs max. Rate: 200 ms typical
Output Protection
All solid-state outputs (safety and non-safety) are protected from shorts to 0 V or +24 V, including overcurrent conditions
Safety Ratings
PFH [1/h]: 1.05 × 10⁻⁹ Proof Test Interval: 20 years
Certifications
Safety Inputs (and Convertible I/O when used as inputs)
Input On threshold: > 15 V dc (guaranteed on), 30 V dc max. Input Off threshold: < 5 V dc and < 2 mA, –3 V dc min. Input On current: 5 mA typical at 24 V dc, 50 mA peak contact cleaning current at 24 V dc Input lead resistance: 300 Ω max. (150 Ω per lead) Input requirements for a 4-wire Safety Mat:
· Max. capacity between plates: 0.22 μF
· Max. capacity between bottom plate and ground: 0.22 μF
· Max. resistance between the 2 input terminals of one plate: 20 Ω
Solid State Safety Outputs
0.5 A max. at 24 V dc (1.0 V dc max. drop), 1 A max. inrush Output OFF threshold: 1.7 V dc typical (2.0 V dc max.) Output leakage current: 50 μA max. with open 0 V Load: 0.1 μF max., 1 H max., 10 Ω max. per lead
Response and Recovery Times
Input to Output Response Time (Input Stop to Output Off): see the Configuration Summary in the Software, as it can vary Input Recovery Time (Stop to Run): 250 ms typical, 400 ms max. Output xA to Output xB turn On differential (used as a pair, not split): 6 to 14 ms typical, ±25 ms max. Output X to Output Y turn On differential (same input, same delay, any module): 3 scan times +25 ms max. Virtual Input (Mute Enable and On/Off) Timing (FID 2 only): RPI + 200 ms typical Virtual Input (Manual Reset and Cancel Delay) Timing (FID 2 only): see Virtual Non-Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2) on page 44 for details
Delay Tolerance
±(0.02% + 2 scan times)
XS2so and XS4so Solid-State Safety Output Modules
Solid State Safety Outputs
XS2so: 0.75 A max. at 24 V dc (1.0 V dc max drop) XS4so: 0.5 A max. at 24 V dc (1.0 V dc max drop) Inrush: 2 A max. Output Off threshold: 1.7 V dc typical (2.0 V dc max.) Output leakage current: 50 μA max. with open 0 V Load: 0.1 μF max., 1 H max., 10 Ω max. per lead
Safety Ratings
PFH [1/h]: 5.8 × 10⁻¹⁰ Proof Test Interval: 20 years
Certifications
External Power
XS2so: 24 V dc ± 20% (including ripple); 0.075 A no load, 3.075 A max. load XS4so: 24 V dc ± 20% (including ripple); 0.1 A no load, 4.1 A max. load Maximum Power-up Delay: 5 seconds after the Base Controller Limited Isolation: ±30 V dc max. referenced to 0 V on the Base Controller
Bus Power
0.02 A
Test Pulse
Width: 200 μs max. Rate: 200 ms typical
Output Protection
All solid-state outputs (safety and non-safety) are protected from shorts to 0 V or +24 V, including overcurrent conditions
XS8si and XS16si Safety Input Modules
Convertible I/O
Sourcing current: 80 mA maximum at 55 °C (131 °F) operating ambient temperature (overcurrent protected)
Bus Power
XS8si: 0.07 A no load, 0.23 A max. load XS16si: 0.09 A no load, 0.41 A max. load
Safety Ratings
PFH [1/h]: 4 × 10⁻¹⁰ Proof Test Interval: 20 years
Certifications
Safety Inputs (and Convertible I/O when used as inputs)
Input On threshold: > 15 V dc (guaranteed on), 30 V dc max. Input Off threshold: < 5 V dc and < 2 mA, –3 V dc min. Input On current: 5 mA typical at 24 V dc, 50 mA peak contact cleaning current at 24 V dc Input lead resistance: 300 Ω max. (150 Ω per lead) Input requirements for a 4-wire Safety Mat:
· Max. capacity between plates: 0.22 μF
· Max. capacity between bottom plate and ground: 0.22 μF
· Max. resistance between the 2 input terminals of one plate: 20 Ω
Output Protection
The convertible inputs are protected from shorts to 0 V or +24 V, including overcurrent conditions
XS1ro and XS2ro Safety Relay Modules
Bus Power
XS1ro: 0.125 A (outputs On) XS2ro: 0.15 A (outputs On)
Maximum Power
2000 VA, 240 W
Electrical Life
50,000 cycles at full resistive load
Overvoltage Category
III
Pollution Degree
2
Mechanical Life
40,000,000 cycles
Note: Transient suppression is recommended when switching inductive loads. Install suppressors across load. Never install suppressors across output contacts.
Safety Ratings
PFH [1/h]: 7.6 × 10⁻¹⁰ Proof Test Interval: 20 years
Certifications
Contact Rating
UL/NEMA:
N.O. Contacts: 6 A 250 V ac/24 V dc resistive; B300/Q300 pilot duty
N.C. Contacts: 2.5 A 150 V ac/24 V dc resistive; Q300 pilot duty
IEC 60947-5-1:
N.O. Contacts: 6 A 250 V ac/dc continuous; AC 15: 3 A 250 V; DC13: 1 A 24 V/4 A 24 V 0.1 Hz
N.C. Contacts: 2.5 A 150 V ac/dc continuous; AC 15: 1 A 150 V; DC13: 1 A 24 V/4 A 24 V 0.1 Hz
Contact Ratings to preserve 5 μm AgNi gold plating
Minimum Maximum
Voltage 100 mV ac/dc 60 V ac/dc
Current 1 mA 300 mA
Power 1 mW (1 mVA) 7 W (7 VA)
Required Overcurrent Protection
WARNING: Electrical connections must be made by qualified personnel in accordance with local and national electrical codes and regulations.
Overcurrent protection is required to be provided by end product application per the supplied table. Overcurrent protection may be provided with external fusing or via Current Limiting, Class 2 Power Supply. Supply wiring leads < 24 AWG shall not be spliced. For additional product support, go to www.bannerengineering.com.
Supply Wiring (AWG) Required Overcurrent Protection (Amps)
20 5.0
22 3.0
24 2.0
26 1.0
28 0.8
30 0.5

5.2 SC10-2 Specifications

Power
Voltage: 24 V dc ±20% (SELV) Current: 240 mA maximum, no load (relays on); 530 mA maximum, full load (IO1 to IO4 used as auxiliary outputs)
Safety Inputs (and Convertible I/O when used as inputs)
Input On threshold: > 15 V dc (guaranteed on), 30 V dc maximum Input Off threshold: < 5 V dc and < 2 mA, –3 V dc minimum Input On current: 5 mA typical at 24 V dc, 50 mA peak contact cleaning current at 24 V dc Input lead resistance: 300 Ω maximum (150 Ω per lead) Input requirements for a 4-wire Safety Mat:
· Maximum capacity between plates: 0.22 μF ¹
· Maximum capacity between bottom plate and ground: 0.22 μF ¹
· Maximum resistance between the 2 input terminals of one plate: 20 Ω
¹ If the safety mats share a convertible I/O, this is the total capacitance of all shared safety mats.
Convertible I/O
Sourcing current: 80 mA maximum (overcurrent protected) Test Pulses: ~1 ms every 25 to 75 ms
Automatic Terminal Optimization Feature
Up to three devices connected with user-provided terminal blocks
Network Interface
Ethernet 10/100 Base-T/TX, RJ45 modular connector Selectable auto negotiate or manual rate and duplex Auto MDI/MDIX (auto cross) Protocols: EtherNet/IP (with PCCC), Modbus/TCP, and PROFINET Data: 256 virtual Status Outputs; fault diagnostic codes and messages; access to fault log
XS/SC26-2 and SC10-2 Safety Controllers
Response and Recovery Times
Input to Output Response Time (Input Stop to Output Off): see the Configuration Summary in the Software, as it can vary Input Recovery Time (Stop to Run): 250 ms typical, 400 ms maximum Virtual Input (Mute Enable and On/Off) Timing: RPI + 200 ms typical Virtual Input (Manual Reset and Cancel Delay) Timing: see
Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2)
for details
Delay Tolerance
±(0.02% + 2 scan times)
Safety Outputs
3 NO sets of contacts for each output channel (RO1 and RO2). Each normally open output is a series connection of contacts from two forced-guided (mechanically linked) relays. RO1 consists of relays K1 and K2. RO2 consists of relays K3 and K4.
Contacts
AgNi + 0.2 μm gold
Overvoltage Category
Output relay contact voltage of 1 V to 150 V ac/dc: Category III Output relay contact voltage of 151 V to 250 V ac/dc: Category II (Category III, if appropriate overvoltage reduction is provided, as described in this document.)
Individual Contact Current Rating
Refer to the Temperature Derating graph when more than one contact output is used.
Voltage: 10 V ac/dc minimum; 250 V ac / 24 V dc maximum
Current: 10 mA ac/dc minimum; 6 A maximum
Power: 100 mW (100 mVA) minimum; 200 W (2000 VA) maximum
Operating Conditions
Temperature: 0 °C to +55 °C (+32 °F to +131 °F) (see Temperature Derating graph)
Storage Temperature: –30 °C to +65 °C (–22 °F to +149 °F)
Humidity: 90% at +50 °C maximum relative humidity (non-condensing)
Operating Altitude: 2000 m maximum (6562 ft maximum)
Environmental Rating
NEMA 1 (IEC IP20), for use inside NEMA 3 (IEC IP54) or better enclosure
Mechanical Stress
Shock: 15 g for 11 ms, half sine, 18 shocks total (per IEC 61131-2)
Vibration: 3.5 mm occasional / 1.75 mm continuous at 5 Hz to 9 Hz, 1.0 g occasional and 0.5 g continuous at 9 Hz to 150 Hz: all at 10 sweep cycles per axis (per IEC 61131-2)
Mechanical Life
20,000,000 cycles
Electrical Life
50,000 cycles at full resistive load
UL Pilot Duty
B300 Q300
B10d Values
Voltage Current B10d
230 V ac 2 A 350,000
230 V ac 1 A 1,000,000
24 V dc ≤ 4 A 10,000,000
Switching Capacity (IEC 60947-5-1)
AC 15 NO: 250 V ac, 3 A
DC 13 NO: 24 V dc, 2 A
DC 13 at 0.1 Hz NO: 24 V dc, 4 A
Push-in Spring Clamp Terminals
Important: Clamp terminals are designed for one wire only. If more than one wire is connected to a terminal, a wire could loosen or become completely disconnected from the terminal, causing a short.
Use a stranded wire or a wire with an accompanying ferrule. Tinned wires are not recommended.
After inserting the wire into the terminal, tug the wire to make sure it is properly retained. If the wire is not retained, consider using a different wiring solution.
Wire Size: 24 to 14 AWG, 0.2 mm² to 2.08 mm²
[Figure: SC10 Temperature Derating. Axes: sum of the squared current for each set of contacts (0 to 250 A²) and temperature (0 °C to 60 °C). Marked levels: 3 A/contact (54 A²), 5 A/contact (150 A²), 6 A/contact (216 A²). Curves: single module free standing; three modules side-by-side (no gap), same load on each device.]
EMC
Meets or exceeds all EMC requirements for immunity per IEC 61326-3-1:2012 and emissions per CISPR 11:2004 for Group 1, Class A equipment
Note: Transient suppression is recommended when switching inductive loads. Install suppressors across load. Never install suppressors across output contacts (see Warning).
Safety
Category 4, PL e (EN ISO 13849)
SIL CL 3 (IEC 62061, IEC 61508)
Safety Ratings
PFH [1/h]: 5.01 × 10⁻¹⁰
Proof Test Interval: 20 years
Product Performance Standards
See Standards and Regulations on page 157 for a list of industry applicable U.S. and international standards
Certifications
Required Overcurrent Protection
WARNING: Electrical connections must be made by qualified personnel in accordance with local and national electrical codes and regulations.
Overcurrent protection is required to be provided by end product application per the supplied table. Overcurrent protection may be provided with external fusing or via Current Limiting, Class 2 Power Supply. Supply wiring leads < 24 AWG shall not be spliced. For additional product support, go to www.bannerengineering.com.
Supply Wiring (AWG) Required Overcurrent Protection (Amps)
20 5.0
22 3.0
24 2.0
26 1.0
28 0.8
30 0.5
Example Temperature Derating Calculations
Single Unit, Free Standing
∑I² = I₁² + I₂² + I₃² + I₄² + I₅² + I₆²
I₁ = 4 A (normally open output RO1 channel 1)
I₂ = 4 A (normally open output RO1 channel 2)
I₃ = 4 A (normally open output RO1 channel 3)
I₄ = 4 A (normally open output RO2 channel 4)
I₅ = 4 A (normally open output RO2 channel 5)
I₆ = 4 A (normally open output RO2 channel 6)
∑I² = 4² + 4² + 4² + 4² + 4² + 4² = 96 A²
Tmax = 55 °C
Three Modules
∑I² = I₁² + I₂² + I₃² + I₄² + I₅² + I₆² (all six modules)
I₁ = 4 A
I₂ = 4 A
I₃ = 4 A
I₄ = 4 A
I₅ = 4 A
I₆ = 4 A
∑I² = 4² + 4² + 4² + 4² + 4² + 4² = 96 A²
Tmax = 46 °C

5.3 Dimensions

All measurements are listed in millimeters [inches], unless noted otherwise.
Figure 8. XS/SC26-2 Base Module Dimensions
Figure 10. SC10-2 Dimensions
Figure 9. Expansion Module Dimensions

5.4 PC Requirements

Important: Administrative rights are required to install the Safety Controller drivers (needed for communication with the controller).
Operating system: Microsoft Windows 7, Windows 8 (except Windows RT), or Windows 10
System type: 32-bit, 64-bit
Hard drive space: 80 MB (plus up to 280 MB for Microsoft .NET 4.0, if not already installed)
Memory (RAM): 512 MB minimum, 1 GB+ recommended
Processor: 1 GHz minimum, 2 GHz+ recommended
Screen resolution: 1024 × 768 full color minimum, 1650 × 1050 full color recommended
Third-party software: Microsoft .NET 4.0 (included with installer), PDF Viewer (such as Adobe Acrobat)
USB port: USB 2.0 (not required to build configurations)
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.

6 System Installation

6.1 Installing the Software

Important: Administrative rights are required to install the Safety Controller drivers (needed for communication with the controller).
1. Download the latest version of the software from www.bannerengineering.com/safetycontroller.
2. Navigate to and open the downloaded file.
3. Click Next to begin the installation process.
4. Confirm the software destination and availability for users and click Next.
5. Click Next to install the software.
6. Depending on your system settings, a popup window may appear prompting to allow Banner Safety Controller to make changes to your computer. Click Yes.
7. Click Close to exit the installer.
Open Banner Safety Controller from the Desktop or the Start Menu.

6.2 Installing the Safety Controller

Do not exceed the operating specifications for reliable operation. The enclosure must provide adequate heat dissipation so that the air closely surrounding the Safety Controller does not exceed its maximum operating temperature (see Specifications and Requirements on page 16).
Important: Mount the Safety Controller in a location that is free from large shocks and high-amplitude vibration.
CAUTION: Electrostatic Discharge (ESD) can cause damage to electronic equipment. To prevent this, follow the proper ESD handling practices such as wearing an approved wrist strap or other grounding products, or touching a grounded object before handling the modules. See ANSI/ESD S20.20 for further information about managing ESD.

6.2.1 Mounting Instructions

The Safety Controller mounts to a standard 35 mm DIN-rail track. It must be installed inside an enclosure rated NEMA 3 (IEC IP54) or better. It should be mounted to a vertical surface with the vent openings at the bottom and the top to allow for natural convection cooling.
Follow the mounting instructions to avoid damage to the Safety Controller.
To mount the SC26-2 Programmable Safety Controller, XS26-2 Programmable Safety Controller, XS2so and XS4so Solid-State Safety Output Modules, XS8si and XS16si Safety Input Modules, XS1ro and XS2ro Safety Relay Modules, and SC10-2 Safety Controller:
1. Tilt the top of the module slightly backward and place it on the DIN rail.
2. Straighten the module against the rail.
3. Lower the module onto the rail.
To remove the SC26-2 Programmable Safety Controller, XS26-2 Programmable Safety Controller, XS2so and XS4so Solid-State Safety Output Modules, XS8si and XS16si Safety Input Modules, XS1ro and XS2ro Safety Relay Modules, and SC10-2 Safety Controller:
1. Push up on the bottom of the module.
2. Tilt the top of the module slightly forward.
3. Lower the module after the top rigid clip is clear of the DIN rail.
Note: To remove an expansion module, pull apart other modules on each side of the desired module to free bus connectors.

7 Installation Considerations

7.1 Appropriate Application

The correct application of the Safety Controller depends on the type of machine and the safeguards that are to be interfaced with the Safety Controller. If there is any concern about whether or not your machinery is compatible with this Safety Controller, contact Banner Engineering.
WARNING: Not a Stand-Alone Safeguarding Device
This Banner device is considered complementary equipment that is used to augment safeguarding that limits or eliminates an individual's exposure to a hazard without action by the individual or others. Failure to properly safeguard hazards according to a risk assessment, local regulations, and relevant standards may lead to serious injury or death.
WARNING: User Is Responsible for Safe Application of this device
The application examples described in this document depict generalized guarding situations. Every guarding application has a unique set of requirements.
Make sure that all safety requirements are met and that all installation instructions are followed. Direct any questions regarding safeguarding to a Banner applications engineer at the number or addresses listed in this document.
WARNING: Read this Section Carefully Before Installing the System
The Banner Safety Controller is a control device that is intended to be used in conjunction with a machine safeguarding device. Its ability to perform this function depends upon the appropriateness of the application and upon the Safety Controller's proper mechanical and electrical installation and interfacing to the machine to be guarded.
If all mounting, installation, interfacing, and checkout procedures are not followed properly, the Banner Safety Controller cannot provide the protection for which it was designed. The user is responsible for satisfying all local, state, and national laws, rules, codes, or regulations relating to the installation and use of this control system in any particular application. Make sure that all safety requirements have been met and that all technical installation and maintenance instructions contained in this document are followed.

7.2 XS/SC26-2 Applications

The Safety Controller can be used wherever safety modules are used. The Safety Controller is well suited to address many types of applications, including, but not limited to:
• Two-hand control with mute function
• Robot weld/processing cells with dual-zone muting
• Material-handling operations that require multiple inputs and bypass functions
• Manually loaded rotary loading stations
• Multiple two-hand-control station applications
• Lean manufacturing stations
• Dynamic monitoring of single- or dual-solenoid valves or press safety valves
Figure 11. Sample Application - Robotic Cell

7.3 SC10-2 Applications

The SC10-2 Safety Controller is ideal for any small to medium size machine that would typically use two independent safety relay modules.
Figure 12. SC10-2 Sample Application

7.4 Safety Input Devices

The Safety Controller monitors the state of the safety input devices that are connected to it. In general, when all of the input devices that have been configured to control a particular Safety Output are in the Run state, the Safety Output turns or remains On. When one or more of the safety input devices change from Run state to Stop state, the Safety Output turns Off. A few special safety input device functions can, under predefined circumstances, temporarily suspend the safety input stop signal to keep the Safety Output On, for example, muting or bypassing.
The Safety Controller can detect input faults with certain input circuits that would otherwise result in a loss of the control of the safety function. When such faults are detected, the Safety Controller turns the associated outputs Off until the faults are cleared. The function blocks used in the configuration impact the safety outputs. It is necessary to carefully review the configuration if the input device faults occur.
Methods to eliminate or minimize the possibility of these faults include, but are not limited to:
• Physically separating the interconnecting control wires from each other and from secondary sources of power
• Routing interconnecting control wires in separate conduit, runs, or channels
• Locating all control elements (Safety Controller, interface modules, FSDs, and MPCEs) within one control panel, adjacent to each other, and directly connected with short wires
• Properly installing multi-conductor cabling and multiple wires through strain-relief fittings. Over-tightening of a strain-relief can cause short circuits at that point
• Using positive-opening or direct-opening components, as described by IEC 60947-5-1, that are installed and mounted in a positive mode
• Periodically checking the functional integrity/safety function
• Training the operators, maintenance personnel, and others involved with operating the machine and the safeguarding to recognize and immediately correct all failures
Note: Follow the device manufacturer's installation, operation, and maintenance instructions and all relevant regulations. If there are any questions about the device(s) that are connected to the Safety Controller, contact Banner Engineering for assistance.
Figure 13. XS/SC26-2 Input and output terminal locations
Figure 14. SC10-2 Input and output terminal locations
WARNING: Input Device and Safety Integrity
The Safety Controller can monitor many different safety input devices. The user must conduct a Risk Assessment of the guarding application to determine what Safety Integrity Level needs to be reached in order to know how to properly connect the input devices to the Safety Controller. The user must also take steps to eliminate or minimize possible input signal faults/failures that may result in the loss of the safety functions.

7.4.1 Safety Circuit Integrity and ISO 13849-1 Safety Circuit Principles

Safety circuits involve the safety-related functions of a machine that minimize the level of risk of harm. These safety-related functions can prevent initiation, or they can stop or remove a hazard. The failure of a safety-related function or its associated safety circuit usually results in an increased risk of harm.
The integrity of a safety circuit depends on several factors, including fault tolerance, risk reduction, reliable and well-tried components, well-tried safety principles, and other design considerations.
Depending on the level of risk associated with the machine or its operation, an appropriate level of safety circuit integrity (performance) must be incorporated into its design. Standards that detail safety performance levels include ANSI B11.19 Performance Criteria for Safeguarding and ISO 13849-1 Safety-Related Parts of a Control System.
Safety Circuit Integrity Levels
Safety circuits in International and European standards have been segmented into Categories and Performance Levels, depending on their ability to maintain their integrity in the event of a failure and the statistical likelihood of that failure. ISO 13849-1 details safety circuit integrity by describing circuit architecture/structure (Categories) and the required performance level (PL) of safety functions under foreseeable conditions.
In the United States, the typical level of safety circuit integrity has been called "Control Reliability". Control Reliability typically incorporates redundant control and self-checking circuitry and has been loosely equated to ISO 13849-1 Category 3 or 4 and/or Performance Level “d” or “e” (see ANSI B11.19).
Perform a risk assessment to ensure appropriate application, interfacing/hookup, and risk reduction (see ANSI B11.0 or ISO 12100). The risk assessment must be performed to determine the appropriate safety circuit integrity in order to ensure that the expected risk reduction is achieved. This risk assessment must take into account all local regulations and relevant standards, such as U.S. Control Reliability or European "C" level standards.
The Safety Controller inputs support up to Category 4 PL e (ISO 13849-1) and Safety Integrity Level 3 (IEC 61508 and IEC 62061) interfacing/hookup. The actual safety circuit integrity level is dependent on the configuration, proper installation of external circuitry, and the type and installation of the safety input devices. The user is responsible for the determination of the overall safety rating(s) and full compliance with all applicable regulations and standards.
The following sections deal only with Category 2, Category 3, and Category 4 applications, as described in ISO 13849-1. The input device circuits shown in the table below are commonly used in safeguarding applications, though other solutions are possible depending on fault exclusion and the risk assessment. The table below shows the input device circuits and the safety category level that is possible if all of the fault detection and fault exclusion requirements are met.
WARNING: Risk Assessment
The level of safety circuit integrity can be greatly affected by the design and installation of the safety devices and the means of interfacing of those devices. A risk assessment must be performed to determine the appropriate level of safety circuit integrity to ensure the expected risk reduction is achieved and all relevant regulations and standards are complied with.
WARNING: Input Devices with dual contact inputs using 2 or 3 terminals
Detection of a short between two input channels (contact inputs, but not complementary contacts) is not possible, if the two contacts are closed. A short can be detected when the input is in the Stop state for at least 2 seconds (see the INx & IOx input terminals Tip in Safety Input Device Options on page 29).
WARNING: Category 2 or 3 Input Shorts
• It is not possible to detect a short between two input channels (contact inputs, but not complementary contacts) if they are supplied through the same source (for example, the same terminal from the Safety Controller in a dual-channel, 3-terminal hookup, or from an external 24 V supply) and the two contacts are closed.
• Such a short can be detected only when both contacts are open and the short is present for at least 2 seconds.
Fault Exclusion
An important concept within the requirements of ISO 13849-1 is the probability of the occurrence of a failure, which can be reduced using a technique termed "fault exclusion." The rationale assumes that the possibility of certain well-defined failure(s) can be reduced via design, installation, or technical improbability to a point where the resulting fault(s) can be, for the most part, disregarded—that is, "excluded" in the evaluation.
Fault exclusion is a tool a designer can use during the development of the safety-related part of the control system and the risk assessment process. Fault exclusion allows the designer to design out the possibility of various failures and justify it through the risk assessment process to meet the requirements of ISO 13849-1/-2.
Requirements vary widely for the level of safety circuit integrity in safety applications (that is, Control Reliability or Category/Performance Level) per ISO 13849-1. Although Banner Engineering always recommends the highest level of safety in any application, it is the responsibility of the user to safely install, operate, and maintain each safety system and comply with all relevant laws and regulations.
WARNING: Risk Assessment
The level of safety circuit integrity can be greatly affected by the design and installation of the safety devices and the means of interfacing of those devices. A risk assessment must be performed to determine the appropriate level of safety circuit integrity to ensure the expected risk reduction is achieved and all relevant regulations and standards are complied with.

7.4.2 Safety Input Device Properties

The Safety Controller is configured via the Software to accommodate many types of safety input devices. See Adding Inputs and Status Outputs on page 62 for more information on input device configuration.
Reset Logic: Manual or Automatic Reset
A manual reset may be required for safety input devices by using a Latch Reset Block or configuring a safety output for a latch reset before the safety output(s) they control are permitted to turn back On. This is sometimes referred to as “latch” mode because the safety output “latches” to the Off state until a reset is performed. If a safety input device is configured for automatic reset or “trip” mode, the safety output(s) it controls will turn back On when the input device changes to the Run state (provided that all other controlling inputs are also in the Run state).
Connecting the Input Devices
The Safety Controller needs to know what device signal lines are connected to which wiring terminals so that it can apply the proper signal monitoring methods, Run and Stop conventions, and timing and fault rules. The terminals are assigned automatically during the configuration process and can be changed manually using the Software.
Signal Change-of-State Types
Two change-of-state (COS) types can be used when monitoring dual-channel safety input device signals: Simultaneous or Concurrent.
Input Signal COS Timing Rules

Input Circuit: Dual-Channel A and B Complementary; Dual-Channel A and B
Stop State—SO turns Off when³: At least 1 channel (A or B) input is in the Stop state.
Run State—SO turns On when⁴:
• Simultaneous: A and B are both in the Stop state and then both switch to the Run state within 3 seconds before outputs turn On.
• Concurrent: A and B concurrently switch to the Stop state, then both switch to the Run state with no simultaneity to turn outputs On.

Input Circuit: 2X Complementary A and B
Stop State—SO turns Off when³: At least 1 channel (A or B) within a pair of contacts is in the Stop state.
Run State—SO turns On when⁴:
• Simultaneous: A and B are concurrently in the Stop state, then the contacts within a channel switch to the Run state within 400 ms (150 ms for two-hand control), both channels are in the Run state within 3 seconds (0.5 seconds for two-hand control).
• Concurrent: A and B are concurrently in the Stop state, then contacts within a channel in the Run state within 3 seconds. There is no simultaneity requirement between the switching of channel A and channel B.

Input Circuit: 4-Wire Safety Mat
Stop State—SO turns Off when³: One of the following conditions is met:
• Input channels are shorted together (normal operation)
• At least 1 of the wires is disconnected
• One of the normally low channels is detected high
• One of the normally high channels is detected low
Run State—SO turns On when⁴: Each channel detects its own pulses.
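The Dual-Channel A and B rules above, replayed over constructed event timelines as an added example (illustrative Python, not Banner firmware or software). The class, function and event names are assumptions of this model, as is the choice to keep the input in Stop after a missed window until both channels have returned to Stop; the 3-second window is the manual's.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

RUN, STOP = "Run", "Stop"
SIMULTANEITY_WINDOW_S = 3.0  # Dual-Channel A and B, Simultaneous COS (from the rules above)


@dataclass
class DualChannelInput:
    """Assumed model of one Dual-Channel A and B input; not Banner code."""
    cos: str                               # "simultaneous" or "concurrent"
    a: str = STOP                          # level seen on channel A
    b: str = STOP                          # level seen on channel B
    state: str = STOP                      # state of the input as a whole
    armed: bool = True                     # A and B have been in Stop together
    first_run_t: Optional[float] = None    # when the first channel went to Run
    reason: str = "both channels in Stop"

    def update(self, t: float, channel: str, level: str) -> str:
        if channel == "A":
            self.a = level
        else:
            self.b = level

        if self.a == STOP and self.b == STOP:
            # Both channels in Stop: the only condition that re-arms the input.
            self.state, self.armed, self.first_run_t = STOP, True, None
            self.reason = "both channels in Stop"
        elif self.a != self.b:
            if self.state == RUN:
                self.armed = False         # one channel dropped out of Run
            elif self.armed and self.first_run_t is None:
                self.first_run_t = t       # start of the simultaneity window
            self.state = STOP              # at least 1 channel in Stop -> Off
            self.reason = "at least one channel in Stop"
        elif self.state != RUN:            # both channels now read Run
            late = (self.first_run_t is not None
                    and t - self.first_run_t > SIMULTANEITY_WINDOW_S)
            if not self.armed:
                self.reason = "channels were not in Stop together"
            elif self.cos == "simultaneous" and late:
                self.armed = False         # assumption: retry needs both in Stop
                self.reason = "simultaneity window exceeded"
            else:
                self.state, self.first_run_t = RUN, None
                self.reason = "both channels in Run"
        return self.state


Event = Tuple[float, str, str]             # (time in seconds, "A" or "B", level)


def evaluate(events: List[Event], cos: str) -> Tuple[str, str]:
    """Replay events starting from both channels in Stop; return (state, reason)."""
    if cos not in ("simultaneous", "concurrent"):
        raise ValueError("cos must be 'simultaneous' or 'concurrent'")
    inp = DualChannelInput(cos=cos)
    for t, channel, level in sorted(events, key=lambda e: e[0]):
        inp.update(t, channel, level)
    return inp.state, inp.reason


# Constructed timelines (not recorded from a controller).
NORMAL_CLOSE = [(10.0, "A", RUN), (10.2, "B", RUN)]
SLOW_CHANNEL = [(10.0, "A", RUN), (14.5, "B", RUN)]
# Channel B never leaves Run, as a short to another power source would cause,
# so only channel A opens and closes again.
B_HELD_HIGH = [(1.0, "A", RUN), (1.1, "B", RUN), (5.0, "A", STOP), (6.0, "A", RUN)]

if __name__ == "__main__":
    for name, events in [("normal close", NORMAL_CLOSE),
                         ("slow channel", SLOW_CHANNEL),
                         ("B held high", B_HELD_HIGH)]:
        for cos in ("simultaneous", "concurrent"):
            print(f"{name:13s} {cos:13s} -> {evaluate(events, cos)}")
```

The held-high timeline stays in Stop under both COS types, which is the cross-check that lets a dual-channel input notice a channel that no longer follows its contact.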
Signal Debounce Times
Closed-to-Open Debounce Time (from 6 ms to 1000 ms in 1 ms intervals, except 6 ms to 1500 ms for mute sensors). The closed-to-open debounce time is the time limit required for the input signal to transition from the high (24 V dc) state to the steady low (0 V dc) state. This time limit may need to be increased in cases where high-magnitude device vibration, impact shock, or switch noise conditions result in a need for longer signal transition times. If the debounce time is set too short under these harsh conditions, the system may detect a signal disparity fault and lock out. The default setting is 6 ms.
CAUTION: Debounce and Response
Any changes in the debounce times may affect the Safety Output response (turn Off) time. This value is computed and displayed for each Safety Output when a configuration is created.
Open-to-Closed Debounce Time (from 10 ms to 1000 ms in 1 ms intervals, except 10 ms to 1500 ms for mute sensors). The open-to-closed debounce time is the time limit required for the input signal to transition from the low (0 V dc) state to the steady high (24 V dc) state. This time limit may need to be increased in cases where high-magnitude device vibration, impact shock, or switch noise conditions result in a need for longer signal transition times. If the debounce time is set too short under these harsh conditions, the system may detect a signal disparity fault and lock out. The default setting is 50 ms.
³ Safety Outputs turn Off when one of the controlling inputs is in the Stop state.
⁴ Safety Outputs turn On only when all of the controlling inputs are in the Run state and after a manual reset is performed (if any safety inputs are configured for Manual reset and were in their Stop state).

7.5 Safety Input Device Options

Figure 15. Input Device Circuit—Safety Category Guide
[Table: highest safety category by input circuit type and device type (column headings ES, GS, OS, RP, SMPS, THC, ED). Circuit types listed under General Circuit Symbols: 1 & 2 Terminal Single Channel (see note 1); 2 & 3 Terminal Dual Channel (see note 2); 2 Terminal Dual Channel PNP w/ integral monitoring (see note 3); 2 & 3 Terminal Dual Channel Complementary; 4 & 5 Terminal Dual Channel Complementary; 2 Terminal Dual Channel Complementary PNP; 4 Terminal Dual Channel Complementary PNP; 4 Terminal Safety Mat; 3 & 4 Terminal Dual Channel (see notes 2 & 4).]
Notes:
1. Circuit typically meets up to ISO 13849-1 Category 2 if input devices are safety rated and fault exclusion wiring practices prevent a) shorts across the contacts or solid state devices and b) shorts to other power sources.
WARNING: Incomplete Information—many installation considerations that are necessary to properly apply input devices are not covered in this document. Refer to the appropriate device installation instructions to ensure the safe application of the device.
WARNING: This table lists the highest safety categories possible for common safety rated input device circuits. If the additional requirements stated in the notes below are not possible due to safety device or installation limitations, or if, for example, the Safety Controller's IOx input terminals are all in use, then the highest safety category may not be possible.
Tip: INx & IOx input terminals, these circuits can be manually configured to meet Category 4 circuit requirements by changing the first (left most) standard input terminal (INx) to any available convertible terminal (IOx) as shown below. These circuits will detect shorts to other power sources and between channels when the input has been in the Stop state for at least 2 seconds.
2. Circuit typically meets up to ISO 13849-1 Category 3 if input devices are safety rated (see Tip: INx & IOx input terminals above). The 2 Terminal circuit detects a single channel short to other power sources when the contacts open and close again (concurrency fault). The 3 Terminal circuit detects a short to other power sources whether the contacts are open or closed.
3. Circuit meets up to ISO 13849-1 Category 4 if input devices are safety rated and provide internal monitor of the PNP outputs to detect a) shorts across channels and b) shorts to other power sources.
4. Circuit meets up to ISO 13849-1 Category 4 if input devices are safety rated (see Tip: INx & IOx input terminals above). These circuits can detect both shorts to other power sources and shorts between channels.

7.5.1 Safety Circuit Integrity Levels

The application requirements for safeguarding devices vary for the level of control reliability or safety category per ISO 13849-1. While Banner Engineering always recommends the highest level of safety in any application, the user is responsible to safely install, operate, and maintain each safety system and comply with all relevant laws and regulations.
The safety performance (integrity) must reduce the risk from identified hazards as determined by the machine’s risk assessment. See Safety Circuit Integrity and ISO 13849-1 Safety Circuit Principles on page 26 for guidance if the requirements as described by ISO 13849-1 need to be implemented.

7.5.2 Emergency Stop Push Buttons

The Safety Controller safety inputs may be used to monitor Emergency Stop (E-stop) push buttons.
WARNING: Do not mute or bypass any emergency stop device
• Muting or bypassing the safety outputs renders the emergency stop function ineffective.
• ANSI B11.19, ANSI NFPA79 and IEC/EN 60204-1 require that the emergency stop function remain active at all times.
WARNING: The Safety Controller Emergency Stop configuration prevents muting or bypassing of the E-stop input(s). However, the user still must ensure that the E-stop device remains active at all times.
WARNING: Reset Routine Required
U.S. and international standards require that a reset routine be performed after clearing the cause of a stop condition (for example, arming an E-stop button, closing an interlocked guard, etc.). Allowing the machine to restart without actuating the normal start command/device can create an unsafe condition which could result in serious injury or death.
In addition to the requirements stated in this section, the design and installation of the Emergency Stop device must comply with ANSI NFPA 79 or ISO 13850. The stop function must be either a functional stop Category 0 or a Category 1 (see ANSI NFPA79).
Emergency Stop Push Button Requirements
E-stop switch must provide one or two contacts for safety which are closed when the switch is armed. When activated, the E-stop switch must open all its safety-rated contacts, and must require a deliberate action (such as twisting, pulling, or unlocking) to return to the closed-contact, armed position. The switch must be a positive-opening (or direct-opening) type, as described by IEC 60947-5-1. A mechanical force applied to such a button (or switch) is transmitted directly to the contacts, forcing them to open. This ensures that the switch contacts open whenever the switch is activated.
Standards ANSI NFPA 79, ANSI B11.19, IEC/EN 60204-1, and ISO 13850 specify additional Emergency Stop switch device requirements, including the following:
• Emergency Stop push buttons must be located at each operator control station and at other operating stations where emergency shutdown is required
• Stop and Emergency Stop push buttons must be continuously operable and readily accessible from all control and operating stations where located. Do not mute or bypass any E-stop button
• Actuators of Emergency Stop devices must be colored red. The background immediately around the device actuator must be colored yellow. The actuator of a push-button-operated device must be of the palm or mushroom-head type
• The Emergency Stop actuator must be a self-latching type
Note: Some applications may have additional requirements; the user is responsible to comply with all relevant regulations.

7.5.3 Rope (Cable) Pull

Rope (cable) pull emergency stop switches use steel wire rope; they provide emergency stop actuation continuously over a distance, such as along a conveyor.
Rope pull emergency stop switches have many of the same requirements as emergency stop push buttons, such as positive (direct) opening operation, as described by IEC 60947-5-1. See Emergency Stop Push Buttons on page 30 for additional information.
In emergency stop applications, the rope pull switches must have the capability not only to react to a pull in any direction, but also to a slack or a break of the rope. Emergency stop rope pull switches also need to provide a latching function that requires a manual reset after actuation.
Rope (Cable) Pull Installation Guidelines
ANSI NFPA 79, ANSI B11.19, IEC/EN 60204-1, and ISO 13850 specify emergency stop requirements for rope (cable) pull installations, including the following:
• Rope (cable) pulls must be located where emergency shutdown is required
• Rope (cable) pulls must be continuously operable, easily visible, and readily accessible. Do not mute or bypass
• Rope (cable) pulls must provide constant tension of the rope or cable pull
• The rope or cable pull, as well as any flags or markers, must be colored Red
• The rope or cable pull must have the capability to react to a force in any direction
• The switch must:
  • Have a self-latching function that requires a manual reset after actuation
  • Have a direct opening operation
  • Detect a slack condition or a break of the rope or cable
Additional installation guidelines:
• The wire rope should be easily accessible, red in color for E-Stop functions, and visible along its entire length. Markers or flags may be fixed on the rope to increase its visibility
• Mounting points, including support points, must be rigid and allow sufficient space around the rope to allow easy access
• The rope should be free of friction at all supports. Pulleys are recommended. Lubrication may be necessary. Contamination of the system, such as dirt, metal chips or swarf, etc., must be prevented from adversely affecting operation
• Use only pulleys (not eye bolts) when routing the rope around a corner or whenever direction changes, even slightly
• Never run rope through conduit or other tubing
• Never attach weights to the rope
• A tensioning spring is recommended to ensure compliance with direction-independent actuation of the wire rope and must be installed on the load bearing structure (machine frame, wall, etc.)
• Temperature affects rope tension. The wire rope expands (lengthens) when temperature increases, and contracts (shrinks) when temperature decreases. Significant temperature variations require frequent checks of the tension adjustment
WARNING: Failure to follow the installation guidelines and procedures may result in the ineffectiveness or non-operation of the Rope Pull system and create an unsafe condition resulting in a serious injury or death.

7.5.4 Enabling Device

An enabling device is a manually operated control which, when continuously actuated, allows a machine cycle to be initiated in conjunction with a start control. Standards that cover the design and application of enabling devices include: ISO 12100-1/-2, IEC 60204-1, ANSI/NFPA 79, ANSI/RIA R15.06, and ANSI B11.19.
The enabling device actively controls the suspension of a Stop signal during a portion of a machine operation where a hazard may occur. The enabling device permits a hazardous portion of the machine to run, but must not start it. An enabling device can control one or more safety outputs. When the enable signal switches from the Stop state to the Run state, the Safety Controller enters the Enable mode. A separate machine command signal from another device is needed to start the hazardous motion. This enabling device must have ultimate hazard turn Off or Stop authority.

7.5.5 Protective (Safety) Stop

A Protective (Safety) Stop is designed for the connection of miscellaneous devices that could include safeguarding (protective) devices and complementary equipment. This stop function is a type of interruption of operation that allows an orderly cessation of motion for safeguarding purposes. The function can be reset or activated either automatically or manually.
Protective (Safety) Stop Requirements
The required safety circuit integrity level is determined by a risk assessment and indicates the level of control performance that is acceptable, for example, category 4, Control Reliability (see Safety Circuit Integrity and ISO 13849-1 Safety Circuit Principles on page 26). The protective stop circuit must control the safeguarded hazard by causing a stop of the hazardous situation(s), and removing power from the machine actuators. This functional stop typically meets category 0 or 1 as described by ANSI NFPA 79 and IEC60204-1.

7.5.6 Interlocked Guard or Gate

The Safety Controller safety inputs may be used to monitor electrically interlocked guards or gates.
Safety Interlock Switch Requirements
The following general requirements and considerations apply to the installation of interlocked guards and gates for the purpose of safeguarding. In addition, the user must refer to the relevant regulations to ensure compliance with all necessary requirements.
Hazards guarded by the interlocked guard must be prevented from operating until the guard is closed; a stop command must be issued to the guarded machine if the guard opens while the hazard is present. Closing the guard must not, by itself, initiate hazardous motion; a separate procedure must be required to initiate the motion. The safety interlock switches must not be used as a mechanical or end-of-travel stop.
The guard must be located an adequate distance from the danger zone (so that the hazard has time to stop before the guard is opened sufficiently to provide access to the hazard), and it must open either laterally or away from the hazard, not into the safeguarded area. The guard also should not be able to close by itself and activate the interlocking circuitry. In addition, the installation must prevent personnel from reaching over, under, around, or through the guard to the hazard. Any openings in the guard must not allow access to the hazard (see OSHA 29CFR1910.217 Table O-10, ANSI B11.19, ISO 13857, ISO14120/EN953 or the appropriate standard). The guard must be strong enough to contain hazards within the guarded area, which may be ejected, dropped, or emitted by the machine.
The safety interlock switches, actuators, sensors, and magnets must be designed and installed so that they cannot be easily defeated. They must be mounted securely so that their physical position cannot shift, using reliable fasteners that require a tool to remove them. Mounting slots in the housings are for initial adjustment only; final mounting holes must be used for permanent location.
WARNING: Perimeter Guarding Applications
If the application could result in a pass-through hazard (for example, perimeter guarding), either the safeguarding device or the guarded machine's MSCs/MPCEs must cause a Latched response following a Stop command (for example, interruption of the sensing field of a light curtain, or opening of an interlocked gate/guard). The reset of this Latched condition may only be achieved by actuating a reset switch that is separate from the normal means of machine cycle initiation. The switch must be positioned as described in this document.
Lockout/Tagout procedures per ANSI Z244.1 may be required, or additional safeguarding, as described by ANSI B11 safety requirements or other appropriate standards, must be used if a passthrough hazard cannot be eliminated or reduced to an acceptable level of risk. Failure to follow these instructions could result in serious injury or death.

7.5.7 Optical Sensor

The Safety Controller safety inputs may be used to monitor optical-based devices that use light as a means of detection.
Optical Sensor Requirements
When used as safeguarding devices, optical sensors are described by IEC61496-1/-2/-3 as Active Opto-electronic Protective Devices (AOPD) and Active Opto-electronic Protective Devices responsive to Diffuse Reflection (AOPDDR).
AOPDs include safety light screens (curtains) and safety grids and points (multiple-/single-beam devices). These devices generally meet Type 2 or Type 4 design requirements. A Type 2 device is allowed to be used in a Category 2 application, per ISO 13849-1, and a Type 4 device can be used in a Category 4 application.
AOPDDRs include area or laser scanners. The primary designation for these devices is a Type 3, for use in up to Category 3 applications.
Optical safety devices must be placed at an appropriate safety distance (minimum distance), according to the application standards. Refer to the applicable standards and to manufacturer documentation specific to your device for the appropriate calculations. The response time of the Safety Controller outputs to each safety input is provided on the Configuration Summary tab in the Software.
If the application includes a pass-through hazard (a person could pass through the optical device beams and stand undetected on the hazard side), other safeguarding may be required, and manual reset should be selected (see Manual Reset Input on page 42).

7.5.8 Two-Hand Control

The Safety Controller may be used as an initiation device for most powered machinery when machine cycling is controlled by a machine operator.
The Two-Hand Control (THC) actuators must be positioned so that hazardous motion is completed or stopped before the operator can release one or both of the buttons and reach the hazard (see Two-Hand Control Safety Distance (Minimum Distance) on page 34).
The Safety Controller safety inputs used to monitor the actuation of the hand controls for two-hand control comply with the functionality of Type III requirements of IEC 60204-1 and ISO 13851 (EN 574) and the requirements of ANSI NFPA79 and ANSI B11.19 for two-hand control, which include:
• Simultaneous actuation by both hands within a 500 ms time frame
• When this time limit is exceeded, both hand controls must be released before operation is initiated
• Continuous actuation during a hazardous condition
• Cessation of the hazardous condition if either hand control is released
• Release and re-actuation of both hand controls to re-initiate the hazardous motion or condition (anti-tie down)
• The appropriate performance level of the safety-related function (Control Reliability, Category/Performance level, or appropriate regulation and standard, or Safety Integration Level) as determined by a risk assessment
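The timing rules listed above (500 ms simultaneity, stop on release of either hand, anti-tie down) can be modeled as a small state machine. The Python below is an added example, not Banner's controller logic or code from this manual; the event format, the state names, and the function `thc_trace` are assumptions made for illustration, and the sample events are constructed.

```python
WINDOW_MS = 500  # simultaneity window stated in the manual


def thc_trace(events, window_ms=WINDOW_MS):
    """Return [(t_ms, run_permitted)] for (t_ms, button, pressed) events.

    button is "A" or "B"; times must be non-decreasing.
    States (hypothetical names): IDLE, WAIT, RUN, LOCKED.
    """
    held = {"A": False, "B": False}
    state, first_press_t, last_t = "IDLE", None, None
    trace = []
    for t, button, pressed in events:
        if button not in held:
            raise ValueError(f"unknown hand control {button!r}")
        if last_t is not None and t < last_t:
            raise ValueError("events must be in time order")
        last_t = t
        held[button] = pressed
        both = all(held.values())
        if not any(held.values()):
            state = "IDLE"                    # both released: re-armed
        elif state == "IDLE":
            state, first_press_t = "WAIT", t  # first hand down starts the window
        elif state == "WAIT" and both:
            # Second hand arrived: inside the window runs, outside locks out.
            state = "RUN" if t - first_press_t <= window_ms else "LOCKED"
        elif state == "RUN" and not both:
            state = "LOCKED"                  # either hand released: stop
        # LOCKED is left only through the both-released branch above,
        # which is the anti-tie-down requirement.
        trace.append((t, state == "RUN"))
    return trace


# Constructed event sequences (milliseconds).
NORMAL_THEN_TIE_DOWN = [
    (0, "A", True), (300, "B", True),      # both within 500 ms: run
    (900, "A", False), (950, "A", True),   # A re-pressed while B stays held
    (1200, "A", False), (1250, "B", False),
    (2000, "B", True), (2100, "A", True),  # clean re-actuation: run again
]
LATE_SECOND_HAND = [
    (0, "A", True), (600, "B", True),      # 600 ms apart: no run
    (700, "B", False), (800, "B", True),   # A never released: still no run
    (900, "A", False), (950, "B", False),
]

if __name__ == "__main__":
    for name, seq in (("normal/tie-down", NORMAL_THEN_TIE_DOWN),
                      ("late second hand", LATE_SECOND_HAND)):
        print(name, thc_trace(seq))
```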
WARNING: Point-of-Operation Guarding
When properly installed, a two-hand control device provides protection only for the hands of the machine operator. It may be necessary to install additional safeguarding, such as safety light screens, additional two-hand controls, and/or hard guards, to protect all individuals from hazardous machinery.
Failure to properly guard hazardous machinery can result in a dangerous condition which could lead to serious injury or death.
CAUTION: Hand Controls
The environment in which hand controls are installed must not adversely affect the means of actuation. Severe contamination or other environmental influences may cause slow response or false On conditions of mechanical or ergonomic buttons. This may result in exposure to a hazard.
The level of safety achieved (for example, ISO 13849-1 Category) depends in part on the circuit type selected.
Consider the following when installing hand controls:
• Failure modes, such as a short circuit, a broken spring, or a mechanical seizure, that may result in not detecting the release of a hand control
• Severe contamination or other environmental influences that may cause a slow response when released or false ON condition of the hand control(s), for example, sticking of a mechanical linkage
• Protection from accidental or unintended operation, for example, mounting position, rings, guards, or shields
• Minimizing the possibility of defeat, for example, hand controls must be far enough apart so that they cannot be operated by the use of one arm—typically, not less than 550 mm (21.7 in) in a straight line, per ISO 13851
• The functional reliability and installation of external logic devices
• Proper electrical installation per NEC and NFPA79 or IEC 60204
CAUTION: Install Hand Controls to Prevent Accidental Actuation
Total protection for the two-hand control system from defeat is not possible. However, the user is required by U.S. and International standards to arrange and protect hand controls to minimize the possibility of defeat or accidental actuation.
CAUTION: Machine Control Must Provide Anti-Repeat Control
Appropriate anti-repeat control must be provided by the machine control and is required by U.S. and International standards for single-stroke or single-cycle machines.
This Banner device can be used to assist in accomplishing anti-repeat control, but a risk assessment must be accomplished to determine the suitability of such use.
Two-Hand Control Safety Distance (Minimum Distance)
The hand controls operator must not be able to reach the hazardous area with a hand or any other body part before the machine motion ceases. Use the formula below to calculate the safety distance (minimum distance).
WARNING: Location of Touch Button Controls
Hand controls must be mounted a safe distance from moving machine parts, as determined by the appropriate standard. It must not be possible for the operator or other non-qualified persons to relocate them. Failure to establish and maintain the required safety distance could result in serious injury or death.
U.S. Applications
The Safety Distance formula, as provided in ANSI B11.19:
Part-Revolution Clutch Machinery
(the machine and its controls allow the machine to stop motion during the hazardous portion of the machine cycle)
Ds = K x (Ts + Tr) + Dpf
For Full-Revolution Clutch Machinery
(the machine and its controls are designed to complete a full machine cycle)
Ds = K x (Tm + Tr + Th)
Ds: the Safety Distance (in inches)
K: the OSHA/ANSI recommended hand-speed constant (in inches per second), in most cases is calculated at 63 in/sec, but may vary between 63 in/sec to 100 in/sec based on the application circumstances; not a conclusive determination; consider all factors, including the physical ability of the operator, when determining the value of K to be used
Th: the response time of the slowest hand control from the time when a hand disengages that control until the switch opens
Th is usually insignificant for purely mechanical switches. However, Th should be considered for safety distance calculation when using electronic or electromechanical (powered) hand controls. For Banner Self-checking Touch Buttons (STBs) the response time is 0.02 seconds
Tm: the maximum time (in seconds) the machine takes to cease all motion after it has been tripped. For full revolution clutch presses with only one engaging point, Tm is equal to the time necessary for one and one-half revolutions of the crankshaft. For full revolution clutch presses with more than one engaging point, Tm is calculated as follows:
Tm = (1/2 + 1/N) x Tcy
N = number of clutch engaging points per revolution
Tcy = time (in seconds) necessary to complete one revolution of the crankshaft
Tr: the response time of the Safety Controller as measured from the time a stop signal from either hand control. The Safety Controller response time is obtained from the Configuration Summary tab in the Software.
Ts: the overall stop time of the machine (in seconds) from the initial stop signal to the final ceasing of all motion, including stop times of all relevant control elements and measured at maximum machine velocity
Ts is usually measured by a stop-time measuring device. If the specified machine stop time is used, add at least 20% as a safety factor to account for brake system deterioration. If the stop-time of the two redundant machine control elements is unequal, the slower of the two times must be used for calculating the separation distance
European Applications
The Minimum Distance Formula, as provided in EN 13855:
S = (K x T) + C
S: the Minimum Distance (in millimeters)
K: the EN 13855 recommended hand-speed constant (in millimeters per second), in most cases is calculated at 1600 mm/sec, but may vary between 1600 to 2500 mm/sec based on the application circumstances; not a conclusive determination; consider all factors, including the physical ability of the operator, when determining the value of K to be used.
T: the overall machine stopping response time (in seconds), from the physical initiation of the safety device to the final ceasing of all motion
C: the added distance due to the depth penetration factor equals 250 mm, per EN 13855. The EN 13855 C factor may be reduced to 0 if the risk of encroachment is eliminated, but the safety distance must always be 100 mm or greater

7.5.9 Safety Mat

The Safety Controller may be used to monitor pressure-sensitive safety mats and safety edges.
The purpose of the Safety Mat input of the Safety Controller is to verify the proper operation of 4-wire, presence-sensing safety mats. Multiple mats may be connected in series to one Safety Controller, 150 ohms maximum per input (see Safety Mat Hookup Options on page 38).
Important: The Safety Controller is not designed to monitor 2-wire mats, bumpers, or edges (with or without sensing resistors).
The Safety Controller monitors the contacts (contact plates) and the wiring of one or more safety mat(s) for failures and prevents the machine from restarting if a failure is detected. A reset routine after the operator steps off the safety mat may be provided by the Safety Controller, or, if the Safety Controller is used in auto-reset mode, the reset function must be provided by the machine control system. This prevents the controlled machinery from restarting automatically after the mat is cleared.
WARNING:
Application of Safety Mats — Safety Mat application requirements vary for the level of control reliability or category and performance level as described by ISO 13849-1 and ISO 13856. Although Banner Engineering always recommends the highest level of safety in any application, the user is responsible to safely install, operate, and maintain each safety system per the manufacturer's recommendations and comply with all relevant laws and regulations.
Do not use safety mats as a tripping device to initiate machine motion (such as in a presence-sensing device initiation application), due to the possibility of unexpected start or re-start of the machine cycle resulting from failure(s) within the mat and the interconnect cabling.
Do not use a safety mat to enable or provide the means to allow the machine control to start hazardous motion by simply standing on the safety mat (for example, at a control station). This type of application uses reverse/negative logic and certain failures (for example, loss of power to the Module) can result in a false enable signal.
Safety Mat Requirements
The following are minimum requirements for the design, construction, and installation of four-wire safety mat sensor(s) to be interfaced with the Safety Controller. These requirements are a summary of standards ISO 13856-1, ANSI/RIA R15.06 and ANSI B11.19. The user must review and comply with all applicable regulations and standards.
Safety Mat System Design and Construction
The safety mat system sensor, Safety Controller, and any additional devices must have a response time that is fast enough to reduce the possibility of an individual stepping lightly and quickly over the mat’s sensing surface (less than 100 to 200 ms, depending on the relevant standard).
For a safety mat system, the minimum object sensitivity of the sensor must detect, at a minimum, a 30 kg (66 lb) weight on an 80 mm (3.15 in) diameter circular disk test piece anywhere on the mat’s sensing surface, including joints and junctions. The effective sensing surface or area must be identifiable and can comprise one or more sensors. The safety mat supplier should state this minimum weight and diameter as the minimum object sensitivity of the sensor.
User adjustments to actuating force and response time are not allowed (ISO 13856-1). The sensor should be manufactured to prevent any reasonably foreseeable failures, such as oxidation of the contact elements which could cause a loss in sensitivity.
The environmental rating of the sensor must meet a minimum of IP54. When the sensor is specified for immersion in water, the sensor’s minimum enclosure level must be IP67. The interconnect cabling may require special attention. A wicking action may result in the ingress of liquid into the mat, possibly causing a loss of sensor sensitivity. The termination of the interconnect cabling may need to be located in an enclosure that has an appropriate environmental rating.
The sensor must not be adversely affected by the environmental conditions for which the system is intended. The effects of liquids and other substances on the sensor must be taken into account. For example, long-term exposure to some liquids can cause degradation or swelling of the sensor’s housing material, resulting in an unsafe condition.
The sensor’s top surface should be a lifetime non-slip design, or otherwise minimize the possibility of slipping under the expected operating conditions.
The four-wire connection between the interconnect cables and the sensor must withstand dragging or carrying the sensor by its cable without failing in an unsafe manner, such as broken connections due to sharp or steady pulls, or continuous flexing. If such connection is not available, an alternative method must be employed to avoid such failure, for example, a cable which disconnects without damage and results in a safe situation.
Safety Mat Installation
The mounting surface quality and preparation for the safety mat must meet the requirements stated by the sensor’s manufacturer. Irregularities in the mounting surfaces may impair the function of the sensor and should be reduced to an acceptable minimum. The mounting surface should be level and clean. Avoid the collection of fluids under or around the sensor. Prevent the risk of failure due to a build-up of dirt, turning chips, or other material under the sensor(s) or the associated hardware. Special consideration should be given to joints between the sensors to ensure that foreign material does not migrate under or into the sensor.
Any damage (cuts, tears, wear, or punctures) to the outer insulating jacket of the interconnect cable or to any part of the exterior of the safety mat must be immediately repaired or replaced. Ingress of material (including dirt particles, insects, fluid, moisture, or turning-chips), which may be present near the mat, may cause the sensor to corrode or to lose its sensitivity.
Routinely inspect and test each safety mat according to the manufacturer’s recommendations. Do not exceed operational specifications, such as the maximum number of switching operations.
Securely mount each safety mat to prevent inadvertent movement (creeping) or unauthorized removal. Methods include, but are not limited to, secured edging or trim, tamper-resistant or one-way fasteners, and recessed flooring or mounting surface, in addition to the size and weight of large mats.
Each safety mat must be installed to minimize tripping hazards, particularly towards the machine hazard. A tripping hazard may exist when the difference in height of an adjacent horizontal surface is 4 mm (1/8 in) or more. Minimize tripping hazards at joints, junctions, and edges, and when additional coverings are used. Methods include a ground-flush installation of the mat, or a ramp that does not exceed 20° from horizontal. Use contrasting colors or markings to identify ramps and edges.
Position and size the safety mat system so that persons cannot enter the hazardous area without being detected, and cannot reach the hazard before the hazardous conditions have ceased. Additional guards or safeguarding devices may be required to ensure that exposure to the hazard(s) is not possible by reaching over, under, or around the device’s sensing surface.
A safety mat installation must take into account the possibility of easily stepping over the sensing surface and not being detected. ANSI and international standards require a minimum depth of field of the sensor surface (the smallest distance between the edge of the mat and hazard) to be from 750 to 1200 mm (30 to 48 in), depending on the application and the relevant standard. The possibility of stepping on machine supports or other physical objects to bypass or climb over the sensor also must be prevented.
Safety Mat Safety Distance (Minimum Distance)
As a stand-alone safeguard, the safety mat must be installed at a safety distance (minimum distance) so that the exterior edge of the sensing surface is at or beyond that distance, unless it is solely used to prevent start/restart, or solely used for clearance safeguarding (see ANSI B11.19, ANSI/RIA R15.06, and ISO 13855).
The safety distance (minimum distance) required for an application depends on several factors, including the speed of the hand (or individual), the total system stopping time (which includes several response time components), and the depth penetration factor. Refer to the relevant standard to determine the appropriate distance or means to ensure that individuals cannot be exposed to the hazard(s).
Figure 16. Determining safety distance for the safety mat (figure labels: Hazardous Zone or Area, Safety Mat, Ds, K(Ts + Tr), Dpf)
U.S. Applications
The Safety Distance formula, as provided in ANSI B11.19:
Ds = K x (Ts + Tr) + Dpf
Ds: the Safety Distance (in inches)
Tr: the response time of the Safety Controller as measured from the time a stop signal from either hand control. The Safety Controller response time is obtained from the Configuration Summary tab in the Software.
K: the OSHA/ANSI recommended hand-speed constant (in inches per second), in most cases is calculated at 63 in/sec, but may vary between 63 in/sec to 100 in/sec based on the application circumstances; not a conclusive determination; consider all factors, including the physical ability of the operator, when determining the value of K to be used
Ts: the overall stop time of the machine (in seconds) from the initial stop signal to the final ceasing of all motion, including stop times of all relevant control elements and measured at maximum machine velocity
Ts is usually measured by a stop-time measuring device. If the specified machine stop time is used, add at least 20% as a safety factor to account for brake system deterioration. If the stop-time of the two redundant machine control elements is unequal, the slower of the two times must be used for calculating the separation distance
Dpf: the added distance due to the penetration depth factor equals 48 in, per ANSI B11.19
European Applications
The Minimum Distance Formula, as provided in EN 13855:
S = (K x T) + C
S: the Minimum Distance (in millimeters)
K: the EN 13855 recommended hand-speed constant (in millimeters per second), in most cases is calculated at 1600 mm/sec, but may vary between 1600 to 2500 mm/sec based on the application circumstances; not a conclusive determination; consider all factors, including the physical ability of the operator, when determining the value of K to be used.
T: the overall machine stopping response time (in seconds), from the physical initiation of the safety device to the final ceasing of all motion
C: the added distance due to the depth penetration factor equals 1200 mm, per EN 13855
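The two-hand control and safety mat distance formulas above share the same arithmetic, so one added Python example covers both; it is not code from this manual or from Banner. The function names, the treatment of T as Ts + Tr in the European mat case, and all input values are assumptions or constructed samples; the constants are the ones quoted in the text.

```python
"""Safety (minimum) distance arithmetic for the two-hand control and
safety mat sections. Added illustration; all names are hypothetical."""

K_US_RANGE = (63.0, 100.0)     # in/s, OSHA/ANSI hand-speed constant
K_EU_RANGE = (1600.0, 2500.0)  # mm/s, EN 13855 hand-speed constant
MAT_DPF_IN = 48.0              # in, safety mat Dpf per ANSI B11.19
MAT_C_MM = 1200.0              # mm, safety mat C per EN 13855
THC_C_MM = 250.0               # mm, two-hand control C per EN 13855
THC_MIN_S_MM = 100.0           # mm, floor that applies when C is reduced to 0
SPEC_MARGIN = 1.20             # "add at least 20%" to a specified stop time


def _check(name, value, lo=0.0, hi=float("inf")):
    """Reject negative or out-of-range inputs instead of computing with them."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside [{lo}, {hi}]")
    return value


def stop_time(channel_times_s, from_datasheet=False):
    """Ts: the slower of the redundant control elements, plus 20% when the
    figure is a specified (datasheet) value rather than a measurement."""
    if not channel_times_s:
        raise ValueError("at least one stop time is required")
    ts = max(_check("stop time", t) for t in channel_times_s)
    return ts * SPEC_MARGIN if from_datasheet else ts


def full_revolution_tm(tcy_s, engaging_points=1):
    """Tm = (1/2 + 1/N) x Tcy; N = 1 gives one and one-half revolutions."""
    if engaging_points < 1:
        raise ValueError("N must be at least 1")
    return (0.5 + 1.0 / engaging_points) * _check("Tcy", tcy_s)


def ds_with_dpf(k, ts, tr, dpf):
    """Ds = K x (Ts + Tr) + Dpf, in inches (part-revolution and mat form)."""
    _check("K", k, *K_US_RANGE)
    return k * (_check("Ts", ts) + _check("Tr", tr)) + _check("Dpf", dpf)


def ds_full_revolution(k, tm, tr, th):
    """Ds = K x (Tm + Tr + Th), in inches."""
    _check("K", k, *K_US_RANGE)
    return k * (_check("Tm", tm) + _check("Tr", tr) + _check("Th", th))


def s_en13855(k, t, c, floor_mm=0.0):
    """S = (K x T) + C, in millimeters, never below floor_mm."""
    _check("K", k, *K_EU_RANGE)
    return max(k * _check("T", t) + _check("C", c), floor_mm)


def worked_examples():
    """Constructed inputs, not measurements from any real machine."""
    tr = 0.010                                           # assumed controller response
    ts = stop_time([0.180, 0.200], from_datasheet=True)  # 0.200 s x 1.2
    tm = full_revolution_tm(0.5, engaging_points=2)      # (1/2 + 1/2) x 0.5 s
    return {
        "mat_us_in": ds_with_dpf(63, ts, tr, MAT_DPF_IN),
        "thc_full_rev_in": ds_full_revolution(63, tm, tr, th=0.02),
        "mat_eu_mm": s_en13855(1600, ts + tr, MAT_C_MM),
        # C reduced to 0: the 100 mm floor decides the result.
        "thc_eu_c0_mm": s_en13855(1600, 0.05, 0.0, THC_MIN_S_MM),
        "thc_eu_mm": s_en13855(1600, 0.05, THC_C_MM, THC_MIN_S_MM),
    }


if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(f"{name}: {value:.2f}")
```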
Safety Mat Hookup Options
Pressure-sensitive mats and pressure-sensitive floors must meet the requirements of the category for which they are specified and marked. These categories are defined in ISO 13849-1.
The safety mat, its Safety Controller, and any output signal switching devices must meet, at a minimum, the Category 1 safety requirements. See ISO 13856-1 (EN 1760-1) and ISO 13849-1 for relevant requirement details.
The Safety Controller is designed to monitor 4-wire safety mats and is not compatible with two-wire devices (mats, sensing edges, or any other devices with two wires and a sensing resistor).
4-Wire
This circuit typically meets ISO 13849-1 Category 2 or Category 3 requirements depending on the safety rating and installation of the mat(s). The Safety Controller enters a Lockout mode when an open wire, a short to 0 V, or a short to another source of power is detected.

7.5.10 Muting Sensor

Safety device muting is an automatically controlled suspension of one or more safety input stop signals during a portion of a machine operation when no immediate hazard is present or when access to the hazard is safeguarded. Muting sensors can be mapped to one or more of the following safety input devices:
• Safety gate (interlocking) switches
• Optical sensors
• Two-hand controls
• Safety mats
• Protective stops
US and International standards require the user to arrange, install, and operate the safety system so that personnel are protected and the possibility of defeating the safeguard is minimized.
Examples of Muting Sensors and Switches
WARNING: Avoid Hazardous Installations
Two or four independent position switches must be properly adjusted or positioned so that they close only after the hazard no longer exists, and open again when the cycle is complete or the hazard is again present. If the switches are improperly adjusted or positioned, injury or death may result.
The user is responsible to satisfy all local, state, and national laws, rules, codes, and regulations relating to the use of safety equipment in any particular application. Make sure that all appropriate agency requirements have been met and that all installation and maintenance instructions contained in the appropriate manuals are followed.
Photoelectric Sensors (Opposed Mode)
Opposed-mode sensors should be configured for dark operate (DO) and have open (non-conducting) output contacts in a power Off condition. Both the emitter and receiver from each pair should be powered from the same source to reduce the possibility of common mode failures.
Photoelectric Sensors (Polarized Retroreflective Mode)
The user must ensure that false proxying (activation due to shiny or reflective surfaces) is not possible. Banner low profile sensors with linear polarization can greatly reduce or eliminate this effect.
Use a sensor configured for light operate (LO or N.O.) if initiating a mute when the retroreflective target or tape is detected (home position). Use a sensor configured for dark operate (DO or N.C.) when a blocked beam path initiates the muted condition (entry/exit). Both situations must have open (non-conducting) output contacts in a power Off condition.
Positive-Opening Safety Switches
Two (or four) independent switches, each with a minimum of one closed safety contact to initiate the mute cycle, are typically used. An application using a single switch with a single actuator and two closed contacts may result in an unsafe situation.
Inductive Proximity Sensors
Typically, inductive proximity sensors are used to initiate a muted cycle when a metal surface is detected. Do not use two-wire sensors due to excessive leakage current causing false On conditions. Use only three- or four-wire sensors that have discrete PNP or hard-contact outputs that are separate from the input power.
Mute Device Requirements
The muting devices must, at a minimum, comply with the following requirements:
1. There must be a minimum of two independent hard-wired muting devices.
2. The muting devices must have one of the following: normally open contacts, PNP outputs (both of which must fulfill the input requirements listed in the Specifications and Requirements on page 16), or a complementary switching action. At least one of these contacts must close when the switch is actuated, and must open (or not conduct) when the switch is not actuated or is in a power-off state.
3. The activation of the inputs to the muting function must come from separate sources. These sources must be mounted separately to prevent an unsafe muting condition resulting from misadjustment, misalignment, or a single common mode failure, such as physical damage to the mounting surface. Only one of these sources may pass through, or be affected by, a PLC or a similar device.
4. The muting devices must be installed so that they cannot be easily defeated or bypassed.
5. The muting devices must be mounted so that their physical position and alignment cannot be easily changed.
6. It must not be possible for environmental conditions, such as extreme airborne contamination, to initiate a mute condition.
7. The muting devices must not be set to use any delay or other timing functions unless such functions are accomplished so that no single component failure prevents the removal of the hazard, subsequent machine cycles are prevented until the failure is corrected, and no hazard is created by extending the muted period.

7.5.11 Bypass Switch

The safety device bypass is a manually activated and temporary suspension of one or more safety input stop signals, under supervisory control, when no immediate hazard is present. It is typically accomplished by selecting a bypass mode of operation using a key switch to facilitate machine setup, web alignment/adjustments, robot teach, and process troubleshooting.
Bypass switches can be mapped to one or more of the following safety input devices:
• Safety gate (interlocking) switches
• Optical sensors
• Two-Hand Controls
• Safety mats
• Protective stop
Requirements of Bypassing Safeguards
Requirements to bypass a safeguarding device include [5]:
• The bypass function must be temporary
• The means of selecting or enabling the bypass must be capable of being supervised
• Automatic machine operation must be prevented by limiting range of motion, speed, or power (use inch, jog, or slow-speed modes). Bypass mode must not be used for production
• Supplemental safeguarding must be provided. Personnel must not be exposed to hazards
• The means of bypassing must be within full view of the safeguard to be bypassed
• Initiation of motion should only be through a hold-to-run type of control
• All emergency stops must remain active
• The means of bypassing must be employed at the same level of reliability as the safeguard
• Visual indication that the safeguarding device has been bypassed must be provided and be readily observable from the location of the safeguard
• Personnel must be trained in the use of the safeguard and in the use of the bypass
• Risk assessment and risk reduction (per the relevant standard) must be accomplished
• The reset, actuation, clearing, or enabling of the safeguarding device must not initiate hazardous motion or create a hazardous situation
[5] This summary was compiled from sources including ANSI NFPA79, ANSI/RIA R15.06, ISO 13849-1, IEC60204-1, and ANSI B11.19.
Bypassing a safeguarding device should not be confused with muting, which is a temporary, automatic suspension of the safeguarding function of a safeguarding device during a non-hazardous portion of the machine cycle. Muting allows for material to be manually or automatically fed into a machine or process without issuing a stop command. Another term commonly confused with bypassing is blanking, which desensitizes a portion of the sensing field of an optical safeguarding device, such as disabling one or more beams of a safety light curtain so that a specific beam break is ignored.

7.5.12 Adjustable Valve Monitoring (AVM) Function

The Adjustable Valve (Device) Monitoring (AVM) function is similar in function to One-Channel External Device Monitoring (1-channel EDM, see External Device Monitoring (EDM) on page 53). The AVM function monitors the state of the device(s) that are controlled by the safety output to which the function is mapped. When the safety output turns Off, the AVM input must be high/On (+24 V dc applied) before the AVM timer expires or a lockout will occur. The AVM input must also be high/On when the safety output attempts to turn On or a lockout will occur.
Figure 17. Timing logic—AVM Function
[Timing diagram: traces for SO1 and AVM (Closed, Open, Don't Care), with the Adjustable Valve Monitoring interval of 50 ms to 5 sec. marked twice.]
Adjustable Valve Monitoring: AVM is a way to check the operation of dual channel valves. The force guided N.C. monitoring contacts of the valves are used as an input to detect a “stuck on” fault condition and will prevent the safety controller outputs from turning On.
Note: 50 ms to 5 s time period is adjustable in 50 ms intervals (default is 50 ms).
The Adjustable Valve (Device) Monitoring function is useful for dynamically monitoring devices under the control of the safety output that may become slow, stick, or fail in an energized state or position, and whose operation needs to be verified after a Stop signal occurs. Example applications include single- or dual-solenoid valves controlling clutch/brake mechanisms, and position sensors that monitor the home position of a linear actuator.
Synchronization or checking a maximum differential timing between two or more devices, such as dual valves, may be achieved by mapping multiple AVM functions to one safety output and configuring the AVM timer to the same values. Any number of AVM inputs can be mapped to one safety output. An input signal can be generated by a hard/relay contact or a solid-state PNP output.
WARNING: Adjustable Valve Monitoring (AVM) Operation
• When the AVM function is used, the Safety Output(s) will not turn ON until the AVM input is satisfied. This could result in an ON-delay up to the configured AVM monitoring time.
• It is the user's responsibility to ensure the AVM monitoring time is properly configured for the application and to instruct all individuals associated with the machine about the possibility of the ON-Delay effect, which may not be readily apparent to the machine operator or to other personnel.
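The two AVM lockout rules from this section, replayed over constructed timelines as an added example (this is not Banner firmware or configuration software). The event names, the function names, and the choice to treat the stop-side check as satisfied once the AVM input has been seen high inside the window are assumptions of this sketch.

```python
"""AVM lockout rules replayed over a timeline (illustrative model)."""

AVM_MIN_MS, AVM_MAX_MS, AVM_STEP_MS = 50, 5000, 50   # range and step from the manual


def validate_avm_time(ms):
    """Reject AVM times outside 50 ms to 5 s or off the 50 ms grid."""
    if not AVM_MIN_MS <= ms <= AVM_MAX_MS or ms % AVM_STEP_MS:
        raise ValueError(f"AVM time {ms} ms is not 50..5000 ms in 50 ms steps")
    return ms


def check_avm(events, avm_time_ms, end_ms, avm_high=False):
    """Return (status, t_ms, reason) for a list of (t_ms, kind) events.

    kind is one of "so_off", "so_on_request", "avm_high", "avm_low".
    The timeline starts with the safety output On; while it is On the AVM
    input is "don't care", so avm_high defaults to False (valve energized).
    """
    validate_avm_time(avm_time_ms)
    deadline = None                      # set while the AVM timer is running
    for t_ms, kind in sorted(events):
        if deadline is not None and t_ms > deadline:
            return ("lockout", deadline, "AVM input not high before timer expired")
        if kind == "avm_high":
            avm_high = True
            deadline = None              # stop-side requirement satisfied
        elif kind == "avm_low":
            avm_high = False
        elif kind == "so_off":
            # Output turned Off: AVM must go high before the timer expires.
            deadline = None if avm_high else t_ms + avm_time_ms
        elif kind == "so_on_request":
            # AVM must also be high at the moment the output tries to turn On.
            if not avm_high:
                return ("lockout", t_ms, "AVM input low when output tried to turn On")
            deadline = None
        else:
            raise ValueError(f"unknown event kind: {kind}")
    if deadline is not None and end_ms > deadline:
        return ("lockout", deadline, "AVM input not high before timer expired")
    return ("ok", end_ms, "")


# Constructed timelines (times in ms), not captured from a real machine.
NORMAL_STOP = [(1000, "so_off"), (1030, "avm_high"), (3000, "so_on_request")]
SLOW_VALVE = [(1000, "so_off"), (1100, "avm_high"), (3000, "so_on_request")]
STUCK_VALVE = [(1000, "so_off")]
REENERGIZED = [(1000, "so_off"), (1030, "avm_high"),
               (2000, "avm_low"), (3000, "so_on_request")]

if __name__ == "__main__":
    for name, timeline in [("normal", NORMAL_STOP), ("slow", SLOW_VALVE),
                           ("stuck", STUCK_VALVE), ("re-energized", REENERGIZED)]:
        print(name, check_avm(timeline, 50, 4000))
```

The slow-valve timeline locks out with the default 50 ms timer and passes at 150 ms, which is the trade-off the warning above describes: a longer AVM time tolerates slower devices but lengthens the possible ON-delay.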

7.6 Non-Safety Input Devices

The non-safety input devices include manual reset devices, On/Off switches, mute enable devices, and cancel delay inputs.
Manual Reset Devices—Used to create a reset signal for an output or function block configured for a manual reset, requiring an operator action for the output of that block to turn on. Resets can also be created using virtual reset input; see Virtual Non-Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2) on page 44.
WARNING: Non-Monitored Resets
If a non-monitored reset (either latch or system reset) is configured and if all other conditions for a reset are in place, a short from the Reset terminal to +24 V will turn On the safety output(s) immediately.
On/Off Switch—Provides an On or Off command to the machine. When all of the controlling safety inputs are in the Run state, this function permits the safety output to turn On and Off. This is a single-channel signal; the Run state is 24 V dc and the Stop state is 0 V dc. An On/Off input can be added without mapping to a safety output, which allows this input to control only a status output. An On/Off switch can also be created using a virtual input; see Virtual Non-Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2) on page 44.
Mute Enable Switch—Signals the Safety Controller when the mute sensors are permitted to perform a mute function. When the mute enable function is configured, the mute sensors are not enabled to perform a mute function until the mute enable signal is in the Run state. This is a single-channel signal; the enable (Run) state is 24 V dc and the disable (Stop) state is 0 V dc. A mute enable switch can also be created using a virtual input; see Virtual Non-Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2) on page 44.
Cancel Off-Delay Devices—Provide the option to cancel a configured Off-delay time of a safety output or a delay block output. It functions in one of the following ways:
• Keeps the safety output or delay block output On
• Turns the safety output or delay block output Off immediately after the Safety Controller receives a Cancel Off-Delay signal
• When Cancel Type is set to "Control Input", the safety output or delay block output stays on if the input turns On again before the end of the delay
A status output function (Output Delay in Progress) indicates when a Cancel Delay Input can be activated in order to keep the Off-delayed safety output On. A cancel off-delay device can also be created using a virtual input; see Virtual Non-Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2) on page 44.
Cancel Off-Delay Timing
[Timing diagrams for Figures 18 to 21: On/Off traces for Safety Inputs, Latch Reset Input, Cancel Delay Input, and SO1 or Delay Block Output against the Off Delay Time Limit, with the labels Off Delay Started, Off Delay Ended, Off Delay Normal End, Cancel Delay Performed, and 0.5 sec. Note 1 - If “turn output off” function is selected.]
Figure 18. Safety Input remains in Stop mode
Figure 19. Turn Output Off function
Figure 20. Keep Output On function for Safety Inputs with the Latch Reset
Figure 21. Keep Output On function for Safety Inputs without the Latch Reset

7.6.1 Manual Reset Input

The Manual Reset input may be configured to perform any combination of the following (see Adding Inputs and Status Outputs on page 62):
Reset of Safety Inputs
Sets the output of the Latch Reset Block(s) to a Run state from a Latched state when the IN node is in a Run state
Reset of Safety Outputs
Sets the Output to On if the Output Block configured for Latch Reset is On.
Exceptions:
A Safety Output cannot be configured to use a Manual Reset when associated with a Two Hand Control input or an Enabling Device Function Block.
System Reset
Sets the System to a Run state from a Lockout state due to a system fault. Possible scenarios when System Reset is needed include:
• Signals are detected on unused terminal pins
• Configuration Mode timeout
• Exiting Configuration Mode
• Internal faults
Output Fault Reset
Clears the fault and allows the output to turn back On if the cause of the fault has been removed. Possible scenarios when an Output Fault Reset is needed include:
• Output faults
• EDM or AVM faults
Manual Reset on Power-Up
Allows various Latch Reset Blocks and/or Output Blocks to be controlled by a single reset input after the power up.
Enable Mode Exit
A reset is required to exit the Enable Mode.
Track Input Group Reset
Resets the Status Output function Track Input Group and the Virtual Status Output function Track Input Group.
The reset switch must be mounted at a location that complies with the warning below. A key-actuated reset switch provides some operator or supervisory control, as the key can be removed from the switch and taken into the guarded area. However, this does not prevent unauthorized or inadvertent resets due to spare keys being in the possession of others, or additional personnel entering the guarded area unnoticed (a pass-through hazard).
WARNING: Reset Switch Location
All reset switches must be accessible only from outside, and in full view of, the hazardous area. Reset switches must also be out of reach from within the safeguarded space, and must be protected against unauthorized or inadvertent operation (for example, through the use of rings or guards). If any areas are not visible from the reset switch(es), additional means of safeguarding must be provided. Failure to follow these instructions could result in serious injury or death.
Important: Resetting a safeguard must not initiate hazardous motion. Safe work procedures require a start-up procedure to be followed and the individual performing the reset to verify that the entire hazardous area is clear of all personnel before each reset of the safeguard is performed. If any area cannot be observed from the reset switch location, additional supplemental safeguarding must be used: at a minimum, visual and audible warnings of the machine start-up.
Note: Automatic Reset sets an output to return to an On state without action by an individual once the input device(s) changes to the Run state and all other logic blocks are in their Run state. Also known as "Trip mode," automatic reset is typically used in applications in which the individual is continually being sensed by the safety input device.
WARNING: Automatic Power Up
On power up, the Safety Outputs and Latch Reset Blocks configured for automatic power up will turn their outputs On if all associated inputs are in the Run state. If manual reset is required, configure outputs for a manual power mode.
Automatic and Manual Reset Inputs Mapped to the Same Safety Output
By default, Safety Outputs are configured for automatic reset (trip mode). They can be configured as a Latch Reset using the Solid State Output Properties attribute of the Safety Output (see Safety Input Device Properties on page 27).
Safety Input Devices operate as automatic reset unless a Latch Reset Block is added. If a Latch Reset Block is added in line with an output configured for Latch Reset mode, the same or different Manual Reset Input Device(s) may be used to reset the Latch Reset Block and the Safety Output latch. If the same Manual Reset Input Device is used for both, and all inputs are in their Run state, a single reset action will unlatch the function block and the output block. If different Manual Reset Input Devices are used, the reset associated with the Safety Output must be the last one activated. This can be used to force a sequenced reset routine, which can be used to reduce or eliminate pass-through hazards in perimeter guarding applications (see Function Blocks on page 80).
If the controlling inputs to a Latch Reset Block or a Safety Output Block are not in the Run state, the reset for that block will be ignored.
Reset Signal Requirements
Reset Input devices can be configured for monitored or non-monitored operation, as follows:
Monitored reset: Requires the reset signal to transition from low (0 V dc) to high (24 V dc) and then back to low. The high state duration must be 0.5 seconds to 2 seconds. This is called a trailing edge event.
Non-monitored reset: Requires only that the reset signal transitions from low (0 V dc) to high (24 V dc) and stays high for at least 0.5 seconds. After the reset, the reset signal can be either high or low. This is called a leading-edge event.
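The monitored and non-monitored rules above, applied to constructed reset-terminal waveforms as an added example (not code from Banner). It shows why the short to +24 V described in the Non-Monitored Resets warning satisfies the leading-edge rule but can never satisfy the trailing-edge rule. The waveform representation and function names are assumptions, and the 0.5 s and 2 s limits are treated as inclusive.

```python
"""Reset-terminal waveform classifier (illustrative model)."""

MIN_HIGH_MS = 500    # manual: high state must last at least 0.5 s
MAX_HIGH_MS = 2000   # manual: a monitored reset allows at most 2 s high


def accepted_resets(transitions, end_ms, monitored, initial_level=0):
    """Return the times (ms) at which the waveform counts as a reset.

    transitions: list of (t_ms, level) changes on the reset terminal,
    where level 0 is 0 V dc and level 1 is 24 V dc.
    end_ms: time at which the observation stops.
    """
    accepted = []
    level, rise = initial_level, None
    for t_ms, new_level in sorted(transitions):
        if new_level == level:
            continue                          # no edge, nothing to evaluate
        if new_level == 1:
            rise = t_ms                       # leading edge
        elif rise is not None:
            width = t_ms - rise               # trailing edge: pulse is complete
            if monitored and MIN_HIGH_MS <= width <= MAX_HIGH_MS:
                accepted.append(t_ms)         # trailing-edge event
            elif not monitored and width >= MIN_HIGH_MS:
                accepted.append(rise + MIN_HIGH_MS)   # leading-edge event
            rise = None
        level = new_level
    # Signal still high when the record ends: only the leading-edge rule fires.
    if (not monitored and level == 1 and rise is not None
            and end_ms - rise >= MIN_HIGH_MS):
        accepted.append(rise + MIN_HIGH_MS)
    return accepted


# Constructed waveforms (times in ms), each observed for 10 s.
END_MS = 10_000
WAVEFORMS = {
    "operator press, 1 s": [(1000, 1), (2000, 0)],
    "contact bounce, 100 ms": [(1000, 1), (1100, 0)],
    "button held 3 s": [(1000, 1), (4000, 0)],
    "short to +24 V": [(1000, 1)],            # goes high and never returns low
}


def compare():
    """Map each waveform name to (monitored resets, non-monitored resets)."""
    return {
        name: (accepted_resets(wave, END_MS, monitored=True),
               accepted_resets(wave, END_MS, monitored=False))
        for name, wave in WAVEFORMS.items()
    }


if __name__ == "__main__":
    for name, (mon, non_mon) in compare().items():
        print(f"{name:24} monitored={mon} non-monitored={non_mon}")
```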

7.7 Virtual Non-Safety Input Devices (XS/SC26-2 FID 2 Only and SC10-2)

All virtual inputs require FID 2 for XS/SC26-2. The virtual non-safety input devices include manual reset, On/Off, mute enable, and cancel off delay.
WARNING: Virtual Non-Safety Inputs must never be used to control any safety-critical applications. If a Virtual Non-Safety Input is used to control a safety-critical application, a failure to danger is possible and may lead to serious injury or death.
Important: Resetting a safeguard must not initiate hazardous motion. Safe work procedures require a start-up procedure to be followed and the individual performing the reset to verify that the entire hazardous area is clear of all personnel before each reset of the safeguard is performed. If any area cannot be observed from the reset switch location, additional supplemental safeguarding must be used: at a minimum, visual and audible warnings of the machine start-up.

7.7.1 Virtual Manual Reset and Cancel Delay (RCD) Sequence

According to section 5.2.2 of EN ISO 13849-1:2015, a "deliberate action" by the operator is required to reset a safety function. Traditionally, this requirement is met by using a mechanical switch and associated wires connected to specified terminals on the Safety Controller. For a monitored reset, the contacts must be open initially, then closed, and then open again within the proper timing. If the timing is not too short or too long, it is determined to be deliberate and the reset is performed.
Banner has created a virtual reset solution that requires deliberate action. For example, in place of the mechanical switch, an HMI may be used. In place of the wires, a unique Actuation Code is used for each Safety Controller on a network. Also, each virtual reset within a Safety Controller is associated with a specific bit in a register. This bit, along with the Actuation Code, must be written and cleared in a coordinated way. If the steps are completed with the proper sequence and timing, it is determined to be deliberate and the reset is performed.
While the standards do not require a "deliberate action" to perform a virtual cancel delay, to avoid additional complexity, Banner has implemented this function in the same way as the virtual manual reset.
The user must set matching Actuation Codes in both the Safety Controller and the controlling network device (PLC, HMI, etc.). The Actuation Code is part of the Network Settings and is not included in the configuration CRC. There is no default Actuation Code. The user must set one up on the Network Settings screen. The Actuation Code can be active for up to 2 seconds for it to be effective. Different Safety Controllers on the same network should have different Actuation Codes.
The HMI/PLC programmer can choose from two different methods depending on their preferences: a feedback-based sequence or a timed sequence. These methods are described in the following figures. The actual register location depends upon which protocol is being used.
Virtual Reset or Cancel Delay (RCD) Sequence—Feedback Method
Figure 22. Virtual Reset or Cancel Delay (RCD) Sequence—Feedback Method
[Timing diagram: traces for RCD Register Bit X, RCD Enable Register (Actuation Code), RCD Enable Feedback Register (Actuation Code), and RCD Feedback Register Bit X (RCD success), with steps 1 to 5 marked. RCD Feedback Register Bit X is marked Ignore: Logical 0 after power-up or after other RCD activity has occurred, Logical 1 if this was the last RCD successfully performed.]
1. Write a logical 1 to the RCD Register Bit(s) corresponding to the desired Virtual Reset or Cancel Delay.
2. At the same time, or any time later, write the Actuation Code to the RCD Enable Register.
3. Monitor the RCD Enable Feedback Register for the Actuation Code to appear (125 ms typical). Then write a logical 0 to the RCD Register Bit.
4. At the same time, or any time later, clear the Actuation Code (write a logical 0 to the RCD Enable Register). This step must be completed within 2 seconds of when the code was first written (step 2).
5. If desired, monitor the RCD Feedback Register to know if the desired Reset or Cancel Delay was accepted (175 ms typical).
Virtual Reset or Cancel Delay (RCD) Sequence—Timed Method
Figure 23. Virtual Reset or Cancel Delay (RCD) Sequence—Timed Method
[Timing diagram: traces for RCD Register Bit X, RCD Enable Register (Actuation Code), and RCD Feedback Register Bit X (RCD success, Ignore), with steps 1 to 5 marked and an interval of 125 ms (min.).]
1. Write a logical 1 to the RCD Register Bit(s) corresponding to the desired Virtual Reset or Cancel Delay.
2. At the same time, or any time later, write the Actuation Code to the RCD Enable Register.
3. At least 125 ms after step 2, write a logical 0 to the RCD Register Bit.
4. At the same time, or any time later, clear the Actuation Code (write a logical 0 to the RCD Enable Register). This step must be completed within 2 seconds from when the code was first written (step 2).
5. If desired, monitor the RCD Feedback Register to know if the desired Reset or Cancel Delay was accepted (175 ms typical).
Virtual Manual Reset Devices are used to create a reset signal for an output or function block configured for a manual reset, requiring an operator action for the output of that block to turn on. Resets can also be created using physical reset input; see Non-Safety Input Devices on page 41.
WARNING: Virtual Manual Reset
Any Virtual Manual Reset configured to perform a Manual Power Up function in conjunction with equipment in several locations on the same network should be avoided unless all hazardous areas can be verified safe.
Virtual Cancel Off-Delay Devices provide the option to cancel a configured Off-delay time. They function in one of the following ways:
• Keeps the safety output or delay block output On
• Turns the safety output or delay block output Off immediately after the Safety Controller receives a Cancel Off-Delay signal
• When Cancel Type is set to "Control Input", the safety output or delay block output stays on if the input turns On again before the end of the delay
A status output function (Output Delay in Progress) indicates when a Cancel Delay Input can be activated in order to keep the Off-delayed safety output On. A cancel off-delay device can also be created using a physical input; see Non-Safety Input Devices on page 41.
Virtual Cancel Off-Delay Timing
[Timing diagrams for Figures 24 to 27: On/Off traces for Safety Inputs, Latch Reset Input, Cancel Delay Input, and SO1 or Delay Block Output against the Off Delay Time Limit, with the labels Off Delay Started, Off Delay Ended, Off Delay Normal End, Cancel Delay Performed, and 0.5 sec. Note 1 - If “turn output off” function is selected.]
Figure 24. Safety Input remains in Stop mode
Figure 25. Turn Output Off function
Figure 26. Keep Output On function for Safety Inputs with the Latch Reset
Figure 27. Keep Output On function for Safety Inputs without the Latch Reset
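The feedback and timed RCD sequences from this section, run against a small simulated controller as an added example (not Banner code, and not the controller's actual internal logic). The class, its acceptance rules, the polling timeouts and the Actuation Code value are assumptions; register names follow the figures, and no protocol addresses are used because the manual says they depend on the protocol.

```python
"""Model of the virtual Reset / Cancel Delay (RCD) handshake (illustrative)."""

ENABLE_ECHO_MS = 125    # manual: code shows in the enable feedback, 125 ms typical
CODE_WINDOW_MS = 2000   # manual: code must be cleared within 2 s of first write
DEMO_CODE = 0x5A3C      # constructed Actuation Code, not a real or default value


class SimulatedController:
    """Stand-in for the controller; the acceptance logic is an assumption."""

    def __init__(self, actuation_code):
        if not actuation_code:
            raise ValueError("an Actuation Code must be set; there is no default")
        self.actuation_code = actuation_code
        self.now_ms = 0
        self.rcd_bits = 0        # RCD Register
        self.enable = 0          # RCD Enable Register
        self.feedback_bits = 0   # RCD Feedback Register
        self._abort()

    def _abort(self):
        self._code_t = None      # time the code was first written
        self._armed = 0          # bits that were 1 when the code arrived
        self._released = 0       # armed bits cleared inside the window

    def advance(self, ms):
        self.now_ms += ms

    def write_rcd_bits(self, value):
        if value == self.rcd_bits:
            return               # cyclic rewrite of the same value: no activity
        cleared = self.rcd_bits & ~value
        self.rcd_bits = value
        self.feedback_bits = 0   # other RCD activity clears the last result
        if self._code_t is None:
            return
        age = self.now_ms - self._code_t
        if ENABLE_ECHO_MS <= age <= CODE_WINDOW_MS:
            self._released |= cleared & self._armed
        else:
            self._abort()        # bit changed too early or too late

    def write_enable(self, value):
        if value == self.enable:
            return
        if value == self.actuation_code and self.rcd_bits:
            self._code_t, self._armed = self.now_ms, self.rcd_bits
        elif value == 0 and self._code_t is not None:
            in_time = self.now_ms - self._code_t <= CODE_WINDOW_MS
            if in_time and self._released == self._armed:
                self.feedback_bits = self._armed     # RCD accepted
            self._abort()
        else:
            self._abort()        # wrong code, or code written with no bit set
        self.enable = value

    def read_enable_feedback(self):
        echoed = (self._code_t is not None
                  and self.now_ms - self._code_t >= ENABLE_ECHO_MS)
        return self.enable if echoed else 0

    def read_feedback_bits(self):
        return self.feedback_bits


def _poll(ctrl, read, want, timeout_ms, step_ms=25):
    """Advance simulated time until read() returns want or the timeout passes."""
    waited = 0
    while read() != want:
        if waited >= timeout_ms:
            return False
        ctrl.advance(step_ms)
        waited += step_ms
    return True


def rcd_feedback_method(ctrl, bit, code):
    mask = 1 << bit
    ctrl.write_rcd_bits(mask)                                    # step 1
    ctrl.write_enable(code)                                      # step 2
    start = ctrl.now_ms
    echoed = _poll(ctrl, ctrl.read_enable_feedback, code, 1000)  # step 3
    ctrl.write_rcd_bits(0)
    ctrl.write_enable(0)                                         # step 4, always clear
    if not echoed or ctrl.now_ms - start > CODE_WINDOW_MS:
        return False
    return _poll(ctrl, ctrl.read_feedback_bits, mask, 500)       # step 5


def rcd_timed_method(ctrl, bit, code, hold_ms=150):
    mask = 1 << bit
    ctrl.write_rcd_bits(mask)                                    # step 1
    ctrl.write_enable(code)                                      # step 2
    ctrl.advance(hold_ms)                                        # step 3: >= 125 ms
    ctrl.write_rcd_bits(0)
    ctrl.write_enable(0)                                         # step 4
    return _poll(ctrl, ctrl.read_feedback_bits, mask, 500)       # step 5


if __name__ == "__main__":
    print("feedback:", rcd_feedback_method(SimulatedController(DEMO_CODE), 0, DEMO_CODE))
    print("timed, 50 ms hold:", rcd_timed_method(SimulatedController(DEMO_CODE), 0, DEMO_CODE, 50))
```

In the model, a host that holds a different controller's Actuation Code never sees the code echoed and the reset is not performed, which is the reason the manual asks for different codes on each controller of a network.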

7.7.2 Virtual ON/OFF and Mute Enable

Virtual ON/OFF
Provides an ON or OFF command to the machine. When all of the controlling safety inputs are in the Run state, this function permits the safety output to turn ON and OFF. The Run state is a logical 1 and the Stop state is a logical 0. A virtual ON/OFF input can be added without mapping to a safety output, allowing it to control a non-safety status output. An ON/OFF switch can also be created using a physical input; see Non-Safety Input Devices on page 41.
Virtual Mute Enable
Signals the Safety Controller when the mute sensors are permitted to perform a mute function. When the mute enable function is configured, the mute sensors are not enabled to perform a mute function until the mute enable signal is in the Run state. The enable (Run) state is a logical 1 and the disable (Stop) state is a logical 0. A mute enable switch can also be created using a physical input; see Non-Safety Input Devices on page 41.

7.8 Safety Outputs

XS/SC26-2
The Base Controller has two pairs of Solid-State Safety Outputs (terminals SO1a and b, and SO2a and b). These outputs provide up to 500 mA each at 24 V dc. Each redundant Solid-State Safety Output can be configured to function individually or in pairs, for example, split SO1a independent of SO1b, or SO1 as a dual-channel output.
Additional Safety Outputs can be added to expandable models of the Base Controller by incorporating I/O modules. These additional safety outputs can be isolated relay outputs that can be used to control/switch a wide range of power characteristics (see XS/SC26-2 Specifications on page 16).
SC10-2
The SC10-2 has two isolated redundant relay outputs. Each relay output has 3 independent sets of contacts. See SC10-2 Specifications on page 18 for rating and derating considerations.
WARNING: Safety Outputs must be connected to the machine control so that the machine’s safety-related control system interrupts the circuit to the machine primary control element(s), resulting in a non-hazardous condition.
Do not wire an intermediate device(s), such as a PLC, PES, or PC, that can fail in such a manner that there is the loss of the safety stop command, or that the safety function can be suspended, overridden, or defeated, unless accomplished with the same or greater degree of safety.
XS/SC26-2 and SC10-2
The following list describes additional nodes and attributes that can be configured from the Safety Output function block Properties window (see Adding Inputs and Status Outputs on page 62):
EDM (External Device Monitoring)
Enables the Safety Controller to monitor devices under control (FSDs and MPCEs) for proper response to the stopping command of the safety outputs. It is strongly recommended to incorporate EDM (or AVM) in the machine design and the Safety Controller configuration to ensure the proper level of safety circuit integrity (see EDM and FSD Hookup on page 53).
AVM (Adjustable Valve Monitoring)
Enables the Safety Controller to monitor valves or other devices that may become slow, stick, or fail in an energized state or position and whose operation needs to be verified after a Stop signal occurs. Up to three AVM inputs can be selected if EDM is not used. It is strongly recommended to incorporate AVM (or EDM) in the machine design and the Safety Controller configuration to ensure the proper level of safety circuit integrity (see Adjustable Valve Monitoring (AVM) Function on page 40).
LR (Latch Reset)
Keeps the SO or RO output Off until the input changes to the Run state and a manual reset operation is performed. See Manual Reset Input on page 42 for more information.
RE (Reset Enable)
This option appears only if LR (Latch Reset) is enabled. The Latch Reset can be controlled by selecting Reset Enable to restrict when the Safety Output can be reset to a Run condition.
FR (Fault Reset)
Provides a manual reset function when input faults occur. The FR node needs to be connected to a Manual Reset button or signal. This function is used to keep the SO or RO output Off until the Input device fault is cleared, the faulted device is in the Run state, and a manual reset operation is performed. This replaces power down/up cycle reset operation. See Manual Reset Input on page 42 for more information.
Power up mode
The Safety Output can be configured for three power-up scenarios (operational characteristics when power is applied):
• Normal Power-Up Mode (default)
• Manual Power-up Mode
• Automatic Power-Up Mode
See Manual Reset Input on page 42 for more information.
Split (Safety Outputs)—XS/SC26-2 only
This option is only available for Solid-State Safety Outputs. Each redundant Solid-State Safety Output can be configured to function individually or in pairs (default). Splitting a solid-state safety output creates two independent single channel outputs (control of SO1a is independent of SO1b). To combine a split safety output, open the Mx:SOxA Properties window and click Join.
On-Delays and Off-Delays
Each safety output can be configured to function with either an On-Delay or an Off-Delay (see Figure 28 on page 48), where the output turns On or Off only after the time limit has elapsed. An output cannot have both On- and Off-Delays. The On- and Off-Delay time limit options range from 100 milliseconds to 5 minutes, in 1 millisecond increments.
Figure 28. Timing Diagram—General Safety Output On-Delay and Off-Delay
[Timing diagram: traces for Safety Inputs, SO1 (On-Delay), and SO2 (Off-Delay), each with its Delay interval marked, and a 500 ms label.]
WARNING:
• With a power interruption or loss, an OFF-delay time can end immediately.
Failure to follow these instructions could result in serious injury or death.
• The safety output OFF-delay time is honored even if the safety input that caused the OFF-delay timer to start switches back to the Run state before the delay time expires. If such an immediate machine stop condition could cause a potential danger, take additional safeguarding measures to prevent injuries.
Two Safety Outputs can be linked together when one of the Safety Outputs is configured for an Off-Delay, and the other does not have a delay. After it is linked, the non-delayed output does not immediately turn back on if the controlling input turns on during the Off Delay as shown in Figure 31 on page 49. To link two Safety Outputs:
1. Open the Properties window of the Safety Output that needs to have an Off-Delay.
2. Select "Off-Delay" from the Safety Output Delay drop-down list.
Figure 29. Example Safety Output Delay Selection: Off Delay
3. Set the desired Output Delay time.
4. Click OK.
5. Open the Properties window of the Safety Output that will link to the Safety Output with an Off-Delay.
6. From the Link to Safety Output drop-down list, select the Safety Output with an Off-Delay to which you wish to link this Safety Output.
Figure 30. Example Link to Safety Output Selection
Note: The same input(s) need to be connected to both Safety Outputs in order for outputs to show up as available for linking.
7. Click OK. The linked Safety Output will have a link icon indicator.
Figure 31. Timing Diagram—Linked Safety Outputs
[Timing diagram: traces for GS, SO1, and SO2.]

7.8.1 XS/SC26-2 Solid-State Safety Outputs

The solid-state Safety Outputs, for example, SO1a and b, and SO2a and b, are actively monitored to detect short circuits to the supply voltage, to each other, and to other voltage sources and are designed for Category 4 safety applications. If a failure is detected on one channel of a safety output pair, both outputs attempt to turn Off and will enter a lockout state. The output without the fault is able to turn off the hazardous motion.
Similarly, a Safety Output that is used individually (split), is also actively monitored to detect short circuits to other power sources, but is unable to perform any actions. Take extreme care in the wiring of the terminals and in the routing of the wires to avoid the possibility of shorts to other voltage sources, including other Safety Outputs. Each split Safety Output is sufficient for Category 3 applications due to an internal series connection of two switching devices, but an external short must be prevented.
Important: When Solid-State Safety Output modules (XS2so or XS4so) are used, the power to those modules must be applied either prior to or within 5 seconds after applying the power to the Base Controller, if using separate power supplies.
WARNING: Single Channel (Split) Outputs use in Safety Critical Applications
If a single channel output is used in a safety critical application then fault exclusion principles must be incorporated to ensure Category 3 safety operation. Routing and managing single channel output wires so shorts to other outputs or other voltage sources are not possible is an example of a proper fault exclusion method. Failure to incorporate proper fault exclusion methods when using single channel outputs in safety critical applications may cause a loss of safety control and result in a serious injury or death.
Whenever possible, incorporating External Device Monitoring (EDM) and/or Adjustable Valve Monitoring (AVM) is highly recommended to monitor devices under control (FSDs and MPCEs) for unsafe failures. See External Device Monitoring (EDM) on page 53 for more information.
Output Connections
The Safety Outputs must be connected to the machine control such that the machine’s safety related control system interrupts the circuit or power to the machine primary control element(s) (MPCE), resulting in a non-hazardous condition.
When used, Final Switching Devices (FSDs) typically accomplish this when the safety outputs go to the Off state. Refer to the XS/SC26-2 Specifications on page 16 before making connections and interfacing the Safety Controller to the machine.
The level of the safety circuit integrity must be determined by risk assessment; this level is dependent on the configuration, proper installation of external circuitry, and the type and installation of the devices under control (FSDs and MPCEs). The solid-state safety outputs are suitable for Category 4 PL e / SIL 3 applications when controlled in pairs (not split) and for applications up to Category 3 PL d / SIL 2 when acting independently (split) when appropriate fault exclusion has been employed. See Figure 32 on page 51 for hookup examples.
WARNING: Safety Output Lead Resistance
• A resistance higher than 10 ohms could mask a short between the dual-channel safety outputs and could create an unsafe condition that could result in serious injury or death.
• Do not exceed 10 ohms resistance in the safety output wires.
Common Wire Installation
Consider the wire resistance of the 0 V common wire and the currents flowing in that wire to avoid nuisance lockouts. Notice the location of the resistance symbol in the diagram below representing 0 V common wire resistance (RL).
Methods to prevent this situation include:
• Using larger gauge or shorter wires to reduce the resistance (RL) of the 0 V common wire
• Separate the 0 V common wire from the loads connected to the Safety Controller and the 0 V common wire from other equipment powered by the common 24 V supply
[Diagram labels: XS26-2 Expandable Safety Controller; XS2so Solid State Safety Output Module; Power Supply (0V, 24V); Other Equipment; Load current; Other current. RL = Common leadwire shared by multiple loads or systems. Sharing of small gauge leadwire can lead to faults on solid state outputs.]
Figure 32. Common Wire Installation
Note: When the Safety Output turns Off, the voltage at that output terminal must drop below 1.7 V with respect to the 0 V terminal on that module. If the voltage is higher than 1.7 V, the Safety Controller will decide that the output is still on, resulting in a lockout. Consider using larger gauge wires, shorter wires, or using a single point grounding scheme similar to what is shown in the following diagrams.
[Diagram panels: Preferred 0V routing plan when a single power supply is used; Preferred 0V routing plan when separate power supplies are used. Labels: XS26-2 Base Controller; XS2so Solid State Safety Output Module (limited isolation); Power Supply #1, #2; Local 0V Common; Functional Earth (optional); +/- 30V peak. Diagram note: The voltage for all safety input devices (including all Input Expansion Modules) should be measured in reference to the 0V terminal of the Base Controller.]
Figure 33. Wiring Diagram—Recommended Grounding

7.8.2 Safety Relay Outputs

XS/SC26-2 Expansion Safety Relay modules and the SC10-2 have isolated redundant relay outputs that can be used to control/switch a wide range of power characteristics (see XS/SC26-2 Specifications on page 16 and SC10-2 Specifications on page 18). Unlike a solid-state Safety Output, within an output module an individual safety relay output (Mx:ROx) functions as a group and cannot be split.
The Safety Relay Outputs are controlled and monitored by the XS/SC26-2 Base Controller or the SC10-2 without requiring additional wiring.
For circuits requiring the highest levels of safety and reliability, when used in pairs (two N.O.), either Safety Output must be capable of stopping the motion of the guarded machine in an emergency. When used individually (a single N.O. output), fault exclusion must ensure that failures cannot occur that would result in the loss of the safety function, for example, a short-circuit to another safety output or a secondary source of energy or voltage. For more information, see Single-channel Control in Safety (Protective) Stop Circuits on page 55 and Fault Exclusion on page 27.
Whenever possible, incorporating External Device Monitoring (EDM) and/or Adjustable Valve Monitoring (AVM) is highly recommended to monitor devices under control (FSDs and MPCEs) for unsafe failures. See External Device Monitoring (EDM) on page 53 for more information.
Output Connections—The Safety Relay Outputs must be connected to the machine control such that the machine's safety related control system interrupts the circuit or power to the machine primary control element(s) (MPCE), resulting in a non-hazardous condition. When used, Final Switching Devices (FSDs) typically accomplish this when the safety outputs go to the Off state.
The Safety Relay Outputs can be used as the Final Switching Device (FSD) and can be interfaced in either a Dual-Channel or Single-Channel safety (protective) stop circuit (see FSD Interfacing Connections on page 55). Refer to XS/SC26-2 Specifications on page 16 and SC10-2 Specifications on page 18 before making connections and interfacing the Safety Controller to the machine.
The level of the safety circuit integrity must be determined by risk assessment; this level is dependent on the configuration, proper installation of external circuitry, and the type and installation of the devices under control (FSDs and MPCEs). The safety relay outputs are suitable for Category 4 PL e / SIL 3. See Figure 32 on page 51 for hookup examples.
Important: The user is responsible for supplying overcurrent protection for all relay outputs.
Overvoltage Category II and III Installations (EN 50178 and IEC 60664-1)
The XS/SC26-2 and SC10-2 are rated for Overvoltage Category III when voltages of 1 V to 150 V ac/dc are applied to the output relay contacts. They are rated for Overvoltage Category II when voltages of 151 V to 250 V ac/dc are applied to the output relay contacts and no additional precautions are taken to attenuate possible overvoltage situations in the supply voltage. The XS/SC26-2 or SC10-2 can be used in an Overvoltage Category III environment (with voltages of 151 V to 250 V ac/dc) if care is taken either to reduce the level of electrical disturbances seen by the XS/SC26-2 or SC10-2 to Overvoltage Category II levels by installing surge suppressor devices (for example, arc suppressors), or to install extra external insulation in order to isolate both the XS/SC26-2 or SC10-2 and the user from the higher voltage levels of a Category III environment.
For Overvoltage Category III installations with applied voltages from 151 V to 250 V ac/dc applied to the output contact(s): the XS/SC26-2 or SC10-2 may be used under the conditions of a higher overvoltage category where appropriate overvoltage reduction is provided. Appropriate methods include:
• An overvoltage protective device
• A transformer with isolated windings
• A distribution system with multiple branch circuits (capable of diverting energy of surges)
• A capacitance capable of absorbing energy of surges
• A resistance or similar damping device capable of dissipating the energy of surges
When switching inductive ac loads, it is good practice to protect the XS/SC26-2 or SC10-2 outputs by installing appropriately-sized arc suppressors. However, if arc suppressors are used, they must be installed across the load being switched (for example, across the coils of external safety relays), and never across the XS/SC26-2 or SC10-2 output contacts (see WARNING, Arc Suppressors).

7.8.3 EDM and FSD Hookup

External Device Monitoring (EDM)
The Safety Controller’s safety outputs can control external relays, contactors, or other devices that have a set of normally closed (N.C.), force-guided (mechanically linked) contacts that can be used for monitoring the state of the machine power contacts. The monitoring contacts are normally closed (N.C.) when the device is turned Off. This capability allows the Safety Controller to detect if the devices under load are responding to the safety output, or if the N.O. contacts are possibly welded closed or stuck On.
The EDM function provides a method to monitor these types of faults and to ensure the functional integrity of a dual-channel system, including the MPCEs and the FSDs.
A single EDM input can be mapped to one or multiple Safety Outputs. This is accomplished by opening the Safety Output Properties window and checking EDM, then adding External Device Monitoring from the Safety Input tab in the Add Equipment window (accessed from the Equipment tab or Functional View tab), and connecting the External Device Monitoring input to the EDM node of the Safety Output.
The EDM inputs can be configured as one-channel or two-channel monitoring. One-channel EDM inputs are used when the OSSD outputs directly control the de-energizing of the MPCEs or external devices.
• One-Channel Monitoring—A series connection of closed monitor contacts that are forced-guided (mechanically linked) from each device controlled by the Safety Controller. The monitor contacts must be closed before the Safety Controller outputs can be reset (either manual or automatic). After a reset is executed and the safety outputs turn On, the status of the monitor contacts is no longer monitored and may change state. However, the monitor contacts must be closed within 250 milliseconds of the safety outputs changing from On to Off. See Figure 36 on page 55.
• Two-Channel Monitoring—An independent connection of closed monitor contacts that are forced-guided (mechanically linked) from each device controlled by the Safety Controller. Both EDM inputs must be closed before the Safety Controller can be reset and the OSSDs can turn On. While the OSSDs are On, the inputs may change state (either both open, or both closed). A lockout occurs if the inputs remain in opposite states for more than 250 milliseconds. See Figure 38 on page 55.
• No Monitoring (default)—If no monitoring is desired, do not enable the Safety Output EDM node. If the Safety Controller does not use the EDM function in Category 3 or Category 4 applications, the user must make sure that any single failure or accumulation of failures of the external devices does not result in a hazardous condition and that a successive machine cycle is prevented.
CAUTION: EDM Configuration
If the application does not require the EDM function, it is the user’s responsibility to ensure that this does not create a hazardous situation.
CAUTION: External Device Monitoring Connection
Wire at least one normally closed, forced-guided monitoring contact of each MPCE or external device to monitor the state of the MPCEs (as shown). If this is done, proper operation of the MPCEs will be verified. Use MPCE monitoring contacts to maintain control reliability.
[Hookup diagram labels: +24V dc; Safety Input Device; Safety Controller; R/SO1; EDM; MPCE 1; MPCE 2]
Figure 34. One-channel EDM hookup
Single-channel EDM used to monitor both MPCE feedback signals. If one or both channels do not close, the system enters a lockout mode.
Figure 35. Two-channel EDM hookup
Dual-channel EDM used to monitor both MPCE feedback signals. If the channels are not in the same state, the system enters a Lockout mode.
External Device Monitoring: EDM is a way to check the operation of dual channel final switching devices or machine primary control elements. The force guided N.C. monitoring contacts of the FSD or MPCE are used as an input to detect a “stuck on” fault condition and will prevent the safety controller outputs from turning On.
[Timing diagram labels: Safety Output SO1; EDM Closed/Open; Don’t Care; 250 ms]
Figure 36. Timing logic: One-channel EDM status, with respect to Safety Output
For two-channel EDM, as shown below, both channels must be closed before the Safety Output(s) turn On.
[Timing diagram labels: Safety Output; EDM 1 and EDM 2 Closed/Open; Don’t Care; 250 ms Max.]
Figure 37. Timing logic: Two-channel EDM, timing between channels
[Timing diagram labels: Safety Output ON/OFF; EDM 1 Closed/Open, Must Match EDM 2; EDM 2 Closed/Open, Must Match EDM 1]
Figure 38. Timing logic: Two-channel EDM status, with respect to Safety Output
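The one-channel and two-channel EDM rules described above can be checked against a recorded trace of output and monitor-contact states, for example when reviewing a commissioning test. The following Python model is an added example, not Banner code or controller firmware; the sample format, function names, rule identifiers, the sample-and-hold assumption and the traces are constructed for illustration, and the channel-mismatch rule is applied in every output state as a model assumption.

```python
from typing import Iterator, List, Optional, Tuple

EDM_LIMIT_MS = 250  # limit the manual states for both EDM modes

# One trace sample: (time_ms, safety_output_on, edm1_closed, edm2_closed).
# Assumption of this model: a sample's state holds until the next sample.
Sample = Tuple[int, bool, bool, bool]
Finding = Tuple[int, str]  # (time_ms at which a rule is broken, rule id)

ON_WHILE_OPEN = "output-on-while-edm-open"
NOT_CLOSED_AFTER_OFF = "edm-not-closed-within-250ms-of-off"
CHANNEL_MISMATCH = "edm-channels-opposite-over-250ms"


def _intervals(trace: List[Sample]) -> Iterator[Tuple[int, Sample, Optional[Sample]]]:
    """Yield (end_of_hold_time, sample, previous_sample) for each sample."""
    for i, cur in enumerate(trace):
        end = trace[i + 1][0] if i + 1 < len(trace) else cur[0]
        yield end, cur, (trace[i - 1] if i else None)


def series_loop(trace: List[Sample]) -> List[Sample]:
    """One-channel wiring: both monitor contacts in series on a single input."""
    return [(t, on, e1 and e2, e1 and e2) for t, on, e1, e2 in trace]


def check_one_channel(trace: List[Sample]) -> Optional[Finding]:
    """Closed before On; don't care while On; closed within 250 ms of On -> Off."""
    deadline = None  # armed at On -> Off, cleared once the loop is seen closed
    for end, (t, so_on, edm, _unused), prev in _intervals(trace):
        if prev is not None:
            was_on, was_closed = prev[1], prev[2]
            if so_on and not was_on and not was_closed:
                return (t, ON_WHILE_OPEN)
            if was_on and not so_on:
                deadline = t + EDM_LIMIT_MS
        if so_on or edm:
            deadline = None
        elif deadline is not None and end > deadline:
            return (deadline, NOT_CLOSED_AFTER_OFF)
    return None


def check_two_channel(trace: List[Sample]) -> Optional[Finding]:
    """Both closed before On; opposite states for more than 250 ms is a lockout."""
    mismatch_since = None
    for end, (t, so_on, e1, e2), prev in _intervals(trace):
        if prev is not None and so_on and not prev[1] and not (prev[2] and prev[3]):
            return (t, ON_WHILE_OPEN)
        if e1 == e2:
            mismatch_since = None
            continue
        if mismatch_since is None:
            mismatch_since = t
        if end > mismatch_since + EDM_LIMIT_MS:
            return (mismatch_since + EDM_LIMIT_MS, CHANNEL_MISMATCH)
    return None


# Constructed trace: normal cycle, contactors follow the output within 40 to 70 ms.
HEALTHY: List[Sample] = [
    (0, False, True, True), (100, True, True, True), (130, True, False, True),
    (160, True, False, False), (1000, False, False, False),
    (1040, False, True, False), (1070, False, True, True),
]

# Constructed trace: second contactor stays pulled in (monitor contact never recloses).
WELDED_K2: List[Sample] = [
    (0, False, True, True), (100, True, True, True), (130, True, False, False),
    (1000, False, False, False), (1040, False, True, False), (2000, False, True, False),
]

# Constructed trace: output turns On although the monitor contacts were open.
RESTART_WHILE_OPEN: List[Sample] = [(0, False, False, False), (50, True, False, False)]

if __name__ == "__main__":
    for name, tr in (("healthy", HEALTHY), ("welded K2", WELDED_K2),
                     ("restart while open", RESTART_WHILE_OPEN)):
        print(name, check_one_channel(series_loop(tr)), check_two_channel(tr))
```
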
FSD Interfacing Connections
Final switching devices (FSDs) interrupt the power in the circuit to the Machine Primary Control Element (MPCE) when the Safety Outputs go to the Off-state. FSDs can take many forms, though the most common are forced-guided (mechanically linked) relays or Interfacing Modules. The mechanical linkage between the contacts allows the device to be monitored by the external device monitoring circuit for certain failures.
Depending on the application, the use of FSDs can facilitate controlling voltage and current that differs from the Safety Outputs of the Safety Controller. FSDs may also be used to control an additional number of hazards by creating multiple safety stop circuits.
Safety (Protective) Stop Circuits
A safety stop allows for an orderly cessation of motion or hazardous situation for safeguarding purposes, which results in a stop of motion and removal of power from the MPCEs (assuming this does not create additional hazards). A safety stop circuit typically comprises a minimum of two normally open contacts from forced-guided (mechanically linked) relays, which are monitored (via a mechanically linked NC contact) to detect certain failures so that the loss of the safety function does not occur. Such a circuit can be described as a “safe switching point.”
Typically, safety stop circuits are a series connection of at least two N.O. contacts coming from two separate, positive-guided relays, each controlled by one separate safety output of the Safety Controller. The safety function relies on the use of redundant contacts to control a single hazard, so that if one contact fails On, the second contact stops the hazard and prevents the next cycle from occurring.
Interfacing safety stop circuits must be wired so that the safety function cannot be suspended, overridden, or defeated, unless accomplished in a manner at the same or greater degree of safety as the machine’s safety-related control system that includes the Safety Controller.
The normally open outputs from an interfacing module are a series connection of redundant contacts that form safety stop circuits and can be used in either single-channel or dual-channel control methods.
Dual-Channel Control—Dual-channel (or two-channel) control has the ability to electrically extend the safe switching point beyond the FSD contacts. With proper monitoring, such as EDM, this method of interfacing is capable of detecting certain failures in the control wiring between the safety stop circuit and the MPCEs. These failures include a short-circuit of one channel to a secondary source of energy or voltage, or the loss of the switching action of one of the FSD outputs, which may lead to the loss of redundancy or a complete loss of safety if not detected and corrected.
The possibility of a wiring failure increases as the physical distance between the FSD safety stop circuits and the MPCEs increase, as the length or the routing of the interconnecting wires increases, or if the FSD safety stop circuits and the MPCEs are located in different enclosures. Thus, dual-channel control with EDM monitoring should be used in any installation where the FSDs are located remotely from the MPCEs.
Single-Channel Control—Single-channel (or one-channel) control uses a series connection of FSD contacts to form a safe switching point. After this point in the machine’s safety-related control system, failures that would result in the loss of the safety function can occur, for example, a short-circuit to a secondary source of energy or voltage.
Thus, this method of interfacing should be used only in installations where FSD safety stop circuits and the MPCEs are physically located within the same control panel, adjacent to each other, and are directly connected to each other; or where the possibility of such a failure can be excluded. If this cannot be achieved, then two-channel control should be used.
Methods to exclude the possibility of these failures include, but are not limited to:
• Physically separating interconnecting control wires from each other and from secondary sources of power
• Routing interconnecting control wires in separate conduit, runs, or channels
• Routing interconnecting control wires with low voltage or neutral that cannot result in energizing the hazard
• Locating all elements (modules, switches, devices under control, etc.) within the same control panel, adjacent to each other, and directly connected with short wires
• Properly installing multi-conductor cabling and multiple wires that pass through strain-relief fittings. Over-tightening of a strain-relief can cause short circuits at that point
• Using positive-opening or direct-drive components installed and mounted in a positive mode
WARNING: Properly install arc or transient suppressors
• Failure to follow these instructions could result in serious injury or death.
• Install any suppressors as shown across the coils of the FSDs or MPCEs. Do not install suppressors directly across the contacts of the FSDs or MPCEs. In such a configuration, it is possible for suppressors to fail as a short circuit.
WARNING: Safety Output Interfacing
To ensure proper operation, the Banner product output parameters and machine input parameters must be considered when interfacing the solid state safety outputs to the machine inputs. Machine control circuitry must be designed so that:
• The maximum cable resistance value between the Safety Controller solid-state safety outputs and the machine inputs is not exceeded
• The Safety Controller’s solid-state safety output maximum Off state voltage does not result in an On condition
• The Safety Controller’s solid-state safety output maximum leakage current, due to the loss of 0 V, does not result in an On condition
Failure to properly interface the safety outputs to the guarded machine may result in serious bodily injury or death.
WARNING: Shock Hazard and Hazardous Energy
Always disconnect power from the safety system (for example, device, module, interfacing, etc.) and the machine being controlled before making any connections or replacing any component.
Electrical installation and wiring must be made by Qualified Personnel⁶ and must comply with the relevant electrical standards and wiring codes, such as the NEC (National Electrical Code), ANSI NFPA79, or IEC/EN 60204-1, and all applicable local standards and codes.
Lockout/tagout procedures may be required. Refer to OSHA 29CFR1910.147, ANSI Z244-1, ISO 14118, or the appropriate standard for controlling hazardous energy.
WARNING: Properly Wire the Device
• Failure to properly wire the Safety Controller to any particular machine could result in a dangerous condition that could result in serious injury or death.
• The user is responsible for properly wiring the Safety Controller. The generalized wiring configurations are provided only to illustrate the importance of proper installation.
Generic XS/SC26-2 Hookup: Safety Output with EDM
[Hookup diagram labels: XS/SC26-2xx; XS2so or XS4so; Single-Channel Stop Circuit; Dual-Channel Stop Circuit; +24Vdc; 0Vdc; SO1a and SO1b (SO1 not split); EDM; FSD1; FSD2]
Solid-State Safety Outputs SO2, SO3, and SO4 can be wired similarly.
When a Solid-State Safety Output has been split into two individual outputs, each output requires an individual EDM or AVM input for monitoring.
DC common (0Vdc) must be common between the module’s 0Vdc terminal and the common of the load (e.g. FSD).
Figure 39. Generic XS/SC26-2 Hookup: Solid-State Safety Output with EDM
⁶ A person who, by possession of a recognized degree or certificate of professional training, or who, by extensive knowledge, training and experience, has successfully demonstrated the ability to solve problems relating to the subject matter and work.
[Hookup diagram labels: XS26-2xx; XS1ro or XS2ro; +24Vdc; 0Vdc; L1/+V; L2/-V; relay terminals 13/14, 23/24, 31/32; EDM; MPCE1; MPCE2; Arc Suppressors; Machine Control Circuit; Feedback Loop (optional)]
Safety Relay Outputs 43/44, 53/54 and 61/62 can be wired similarly, but require a separate EDM or AVM input for monitoring.
Figure 40. Generic XS/SC26-2 Hookup: Safety Relay Output (Dual-Channel) with EDM
[Hookup diagram labels: XS/SC26-2xx; +24Vdc; 0Vdc; SO1a and SO1b (SO1 not split); EDM; IM-T-9A terminals S1, S2, S3, S4, Y1, Y2, Y3, Y4, 13/14, 23/24, 33/34; K1; K2; MPCE 1; MPCE 2; Machine Control; Feedback (optional)]
* Installation of transient (arc) suppressors across the coils of MPCE1 and MPCE2 is recommended (see Warning)
Figure 41. Generic XS/SC26-2 Hookup: Solid-State Safety Output to IM-T-9A
Generic SC10-2 Hookup: Safety Output with EDM
[Hookup diagram labels: SC10; +24Vdc; 0Vdc; L1/+V; L2/-V; relay terminals 13/14, 23/24, 33/34; EDM; MPCE1; MPCE2; Arc Suppressors; Machine Control Circuit; Feedback Loop (optional)]
Safety Relay Outputs 43/44, 53/54 and 63/64 can be wired similarly, but require a separate EDM or AVM input for monitoring.
Figure 42. Generic SC10-2 Hookup: Safety Relay Output (Dual-Channel) with EDM

7.9 Status Outputs

Note: You cannot use the safety outputs as status outputs in the SC10-2.

7.9.1 Status Output Signal Conventions

There are two signal conventions selectable for each status output: "PNP On" (sourcing 24 V dc), or "PNP Off" (non-conducting). The default convention is Active = PNP On.
Table 4: Status Output Signal Conventions
Function | Active = PNP On: +24 V dc | Active = PNP On: Off | Active = PNP Off: Off | Active = PNP Off: 24 V dc
Bypass | Bypassed | Not Bypassed | Bypassed | Not Bypassed
Mute | Muted | Not Muted | Muted | Not Muted
Output Delay In Progress | Delay | No Delay | Delay | No Delay
Track Input | Run | Stop | Run | Stop
Track Input Fault | Fault | Ok | Fault | Ok
Track Any Input Fault | Fault | Ok | Fault | Ok
Track Input Group | Initiated Stop | Other Input Caused Stop | Initiated Stop | Other Input Caused Stop
Track Output | SO On | SO Off | SO On | SO Off
Track Output Fault | Fault | Ok | Fault | Ok
Track Output Fault All | Fault | Ok | Fault | Ok
Track Output Logical State | Logically On | Logically Off | Logically On | Logically Off
Track Function Block State (XS/SC26-2 FID 2 only and SC10-2) | Run | Stop | Run | Stop
Waiting for Manual Reset | Reset Needed | Not Satisfied | Reset Needed | Not Satisfied
System Lockout | Lockout | Run Mode | Lockout | Run Mode

7.9.2 Status Output Functionality

SC10-2: Up to four convertible inputs may be used as a Status Output.
XS/SC26-2: Up to 32 convertible inputs or Safety Outputs may be used as a Status Output. Solid-State Safety Outputs may be split and used as Status Outputs. Relay Safety Outputs cannot be used as Status Outputs and cannot be split.
Status Outputs can be configured to perform the following functions:
Bypass
Indicates when a particular Safety Input is bypassed.
Mute
Indicates a muting active status for a particular mutable Safety Input:
• On when a mutable input is muted
• Off when a mutable input is not muted
• Flashing when the conditions to start a mute-dependent override exist (an inactive muting cycle, the mutable Safety Input is in the stop state, and at least one muting sensor is in the stop (blocked) state); not available for Virtual Status Output
• On during an active mute-dependent override function (not a bypass function) of a mutable Safety Input
Output Delay In Progress
Indicates if either On- or Off-Delay is active.
Track Input
Indicates the state of a particular Safety Input.
Track Input Fault
Indicates when a particular Safety Input has a fault.
Track Any Input Fault
Indicates when any Safety Input has a fault.
Track Input Group
Indicates the state of a group of Safety Inputs, for example, which Safety Input turned off first. Once this function has been indicated, the function may be re-enabled by a configured Reset Input. Up to three Input Groups can be tracked.
Track Output
Indicates the physical state of a particular Safety Output (On or Off).
Track Output Fault
Indicates when a particular Safety Output has a fault.
Track Output Fault All
Indicates a fault from any Safety Output.
Track Output Logical State
Indicates the logical state of a particular Safety Output. For example, the logical state is Off but the Safety Output is in an Off-Delay and not physically off yet.
Track Function Block State (XS/SC26-2 FID 2 Only and SC10-2)
Indicates the state of a particular Function Block.
Waiting for Manual Reset
Indicates a particular configured reset is needed.
System Lockout
Indicates a Non-Operating Lockout Condition, for example unmapped input connected to 24 V.

7.10 Virtual Status Outputs

Up to 64 Virtual Status Outputs can be added for any configuration using Modbus/TCP, EtherNet/IP Input Assemblies, EtherNet/IP Explicit Messages, and PCCC protocols on FID 1 Base Controllers, and up to 256 virtual Status Outputs can be added on FID 2 Base Controllers and SC10-2 Safety Controllers. FID 2 Base Controllers and SC10-2 Safety Controllers can also use PROFINET. These outputs can communicate the same information as the Status Outputs over the network. See Status Output Functionality on page 60 for more information. The Auto Configure function, located on the Industrial Ethernet tab of the Software, automatically configures the Virtual Status Outputs to a set of commonly used functions, based on the current configuration. This function is best used after the configuration has been determined. Virtual Status Output configuration can be manually revised after the Auto Configure function has been used. The information available over the network is consistent with the logical state of the inputs and outputs within 100 ms for the Virtual Status Output tables (viewable via the Software) and within 1 second for the other tables. The logical state of inputs and outputs is determined after all internal debounce and testing is complete. See Industrial Ethernet Tab on page 102 for details on configuring Virtual Status Outputs.

8 Getting Started

Power up the Safety Controller, and verify that the power LED is ON green.
8.1 Creating a Configuration
The following steps are required to complete and confirm (write to controller) the configuration:
1. Define the safeguarding application (risk assessment).
• Determine the required devices
• Determine the required level of safety
2. Install the Banner Safety Controller software. See Installing the Software on page 23.
3. Become familiar with the Software options. See Software Overview on page 73.
4. Start the Software and select the desired device.
5. Start a new project by clicking New Project/Recent Files.
6. Define the Project Settings. See Project Settings on page 75.
7. XS/SC26-2: Customize the Base Controller module and add Expansion Modules (if used). See Equipment Tab on page 76.
8. Add Safety Input devices, Non-Safety Input devices, and Status Outputs. See Adding Inputs and Status Outputs on page 62.
9. Design the control logic. See Designing the Control Logic on page 65.
10. Set optional Safety Output On- or Off-time delays.
11. If used, configure the network settings. See Network Settings: Modbus/TCP, Ethernet/IP, PCCC on page 103 or Network Settings: PROFINET (XS/SC26-2 FID 2 Only and SC10-2) on page 104.
12. Save and confirm the configuration. See Saving and Confirming a Configuration on page 66.
The following steps are optional and may be used to aid with the system installation:
• Modify the configuration access rights. See XS26-2 Password Manager on page 112.
• View the Configuration Summary tab for the detailed device information and response times. See Configuration Summary Tab on page 111.
• Print the configuration views, including the Configuration Summary and Network Settings. See Print Options on page 110.
• Test the configuration using Simulation Mode. See Simulation Mode on page 118.

8.2 Adding Inputs and Status Outputs

Safety and Non-Safety Inputs can be added from either the Equipment tab or the Functional View tab. Status Outputs can be added from the Equipment tab only. When inputs are added on the Equipment tab, they are automatically placed in the Functional View tab. All inputs and Logic and Function Blocks can be moved around on the Functional View tab. The Safety Outputs are statically positioned on the right side.

8.2.1 Adding Safety and Non-Safety Inputs

1. On the Equipment tab, click below the module which will have the input device connected (the module and terminals can be changed from the input device Properties window) or any of the placeholders on the Functional View tab.
Note: Virtual Non-Safety Inputs are available only from the Functional View tab.
2. Click Safety Input or Non-Safety Input to add input devices:
Figure 43. Safety Inputs (Virtual Non-Safety Inputs available only from the Functional View Tab)
Figure 44. Non-Safety Inputs (Virtual Non-Safety Inputs available only from the Functional View Tab)
3. Select appropriate device settings:
Basic settings:
Figure 45. Basic Safety Input Settings
• Name—input device name; generated automatically and can be changed by the user
• Circuit Type—the circuit and signal convention options appropriate for the selected input device
• Module—the module to which the input device is connected
• I/O Terminals—the assignment of input terminals for the selected device on the selected module
• Enable Startup Test (where applicable)—an optional precautionary safety input device test required after each power-up
• Reset Options (where applicable)—various reset options such as Manual Power Up, System Reset, and Reset Track Input Group
Advanced settings (where applicable):
Figure 46. Advanced Safety Input Settings
• Simultaneity (where applicable)—Simultaneous or Concurrent (see Glossary on page 159 for definitions)
• Debounce Times—the signal state transition time
• Monitored/Non-Monitored (where applicable)

8.2.2 Adding Status Outputs

1. On the Equipment tab, click below the module which will have the status monitoring.
2. Click Status Outputs to add status monitoring⁷.
Figure 47. Status Outputs
3. Select appropriate Status Output settings:
Figure 48. Status Output Properties
Name
Module
I/O (where applicable)
Terminal
Input or Output (where applicable)
Signal Convention

8.3 Designing the Control Logic

To design the control logic:
1.
Add the desired Safety and Non-Safety Inputs:
• On the Equipment tab: click changed in the input Properties window)
• On the Functional View tab: click any of the empty placeholders in the left column
See
Adding Inputs and Status Outputs
2. Add Logic and/or Function Blocks (see any of the empty placeholders in the middle area.
7
Status outputs can be configured when the state of an input device or an output needs to be communicated. The IOx terminals are used for these status signals.
www.bannerengineering.com - Tel: + 1 888 373 6767 65
under the module to which the input will be connected (the module can be
on page 62 for more information and device properties.
Logic Blocks
on page 78 and
Function Blocks
on page 80) by clicking
XS/SC26-2 and SC10-2 Safety Controllers
Note: The response time of the Safety Outputs can increase if a large number of blocks are added
configuration. Use the function and logic blocks efficiently to achieve the optimum response
to the time.
3. Create the appropriate connections between added inputs, Function and Logic Blocks, and Safety Outputs.
Note: The Check List on the left displays connections that are required for a valid configuration and all items must be completed. The Safety Controller will not accept an invalid
Tip: To aid with creating a valid configuration, the program displays helpful tooltips if you attempt to make an invalid connection.
configuration.

8.4 Saving and Confirming a Configuration

Confirmation is a verification process where the Safety Controller analyzes the configuration generated by the Software for logical integrity and completeness. The user must review and approve the results before the configuration can be saved and used by the Safety Controller. Once confirmed, the configuration can be sent to a Safety Controller or saved on a PC or an SC-XM2/3 drive.
WARNING: Complete the Commissioning Checkout Procedure
• Failure to follow the commissioning process may lead to serious injury or death.
• After confirming the configuration, the Safety Controller operation must be fully tested (commissioned) before it can be used to control any hazards.
Saving a Configuration:
1. Click Save Project.
2. Select Save As.
3. Navigate to the folder where you wish to save the configuration.
4. Name the file (may be the same or different from the configuration name).
5. Click Save.
Confirming a Configuration (the Safety Controller must be powered up and connected to the PC via the SC-USB2 cable):
1. Click
2. Click Write Configuration to Controller. If prompted, enter the password (default password is 1901).
3. The Entering config-mode screen opens. Click Continue to enter the configuration mode.
4. After the Reading Configuration from the Controller process is completed, the Confirm Configuration screen opens.
5. Verify that the configuration is correct.
6. Scroll to the end of the configuration and click Confirm.
7. After the Writing Configuration To Controller process is completed, click Close.
Note:
• Network settings are sent separately from the configuration settings. Click Send from the Network Settings window to write the network settings to the Safety Controller.
• SC10-2: Network settings are automatically sent only if the SC10-2 is a factory default Safety Controller. Otherwise, use the Network Settings window.
• SC10-2: Passwords are automatically written only if the SC10-2 is a factory default Safety Controller and the configuration is confirmed. In any other case, use the Password Manager window to write passwords to an SC10-2.
8. If you are configuring an SC10-2, the Do you want to change the passwords of the controller? screen may display. SC10-2 only: If prompted and if desired, change the SC10-2 passwords.
9. Cycle power or perform a System Reset for the changes to take effect in the Safety Controller.
Note: Saving the now confirmed configuration is recommended. Confirmed configurations are a different file format (.xcc) than an unconfirmed file (.xsc). Confirmed configurations are required for loading into an SC-XM2/3 drive. Click Save As to save.

8.4.1 Notes on Confirming or Writing a Configuration to a Configured SC10-2

User settings and passwords affect how the system responds when confirming a configuration or writing a confirmed configuration to a configured SC10-2 Safety Controller.
User1
1. Click Write configuration to Controller to confirm a configuration (or write a confirmed configuration) to a configured Safety Controller.
2. Enter the User1 password.
3. The confirmation (or writing) process begins.
At the end of the confirmation (or writing) process, the Safety Controller will have received:
• New passwords
• New configuration
Network settings are not changed.
User2 or User3—Successful Configuration Confirmation or Writing
This scenario assumes the following settings for User2 or User3:
• Allowed to change the configuration = enabled
• Allowed to change the network settings = enabled OR disabled
1. Click Write configuration to Controller to confirm a configuration (or write a confirmed configuration) to a configured Safety Controller.
2. Enter the User2 or User3 password.
3. The confirmation (or writing) process begins.
At the end of the confirmation (or writing) process, the Safety Controller will have received:
• New configuration
Passwords and Network settings are not changed.
User2 or User3—Unsuccessful Configuration Confirmation or Writing
This scenario assumes the following settings for User2 or User3:
• Allowed to change the configuration = disabled
• Allowed to change the network settings = enabled OR disabled
1. Click Write configuration to Controller to confirm a configuration (or write a confirmed configuration) to a configured Safety Controller.
2. Enter the User2 or User3 password.
3. The confirmation (or writing) process is aborted.

8.5 XS/SC26-2 Sample Configuration

Figure 49. Sample Configuration Schematic (devices shown: External Device Monitoring (EDM), Gate Switch, Optical Sensor (x3), Emergency Stop, On/Off Switch, Enabling Device, Manual Reset, Safety Output Devices, Mute Enable (x3), Mute Sensor Pair (x3))
The Software provides several Sample Configurations that demonstrate various applications of the Safety Controller. To access these configurations, click Open Project/Recent Files and then click Sample Projects. This section describes designing a sample configuration for a robotic palletizer application that utilizes an XS26-2 Safety Controller, XS8si Safety Input Module, three optical sensors (muting is added via the software), two interlock switches, a manual reset, and an Emergency Stop.
To design the configuration for this application:
1. Click New Project.
2. Define project settings. See Project Settings on page 75.
3. Select Base Controller model. See Equipment Tab on page 76 (for this configuration, only the Is Expandable box is required to be checked).
4. Add the expansion module XS8si by clicking on to the right of the Base Controller module.
a. Click Input Modules.
b. Select XS8si.
5. Add the following inputs, changing only the circuit type:
Input | Quantity | Type | Module | Terminals | Circuit
Emergency Stop | 1 | Safety Input | XS8si | IO1, IN1, IN2 | Dual Channel 3 terminal
Enabling Device | 1 | Safety Input | XS8si | IO1, IN3, IN4 | Dual Channel 3 terminal
External Device Monitoring | 3 | Safety Input | Base | 1. IO3; 2. IO4; 3. IO5 | Single-Channel 1 terminal
Gate Switch | 2 | Safety Input | Base | 1. IO1, IN15, IN16; 2. IO2, IN17, IN18 | Dual Channel 3 terminal
Manual Reset | 1 | Non-Safety Input | XS8si | IN6 | Single-Channel 1 terminal
Muting Sensor Pair | 3 | Safety Input | Base | 1. IN9, IN10; 2. IN11, IN12; 3. IN13, IN14 | Dual-Channel 2 terminal
Mute Enable | 3 | Non-Safety Input | Base | 1. IN1; 2. IN2; 3. IO8 | Single Channel 1 terminal
On-Off | 1 | Non-Safety Input | XS8si | IN5 | Single-Channel 1 terminal
Optical Sensor | 3 | Safety Input | Base | 1. IN3, IN4; 2. IN5, IN6; 3. IN7, IN8 | Dual-Channel PNP
6. Go to the Functional View tab.
Tip: You may notice that not all inputs are placed on Page 1. There are two solutions to keep the configuration on one page. Perform one of the following steps:
1. Add a Reference to the block located on a different page—click any of the empty placeholders in the middle area, select Reference and select the block that is on the next page. Only blocks from other pages can be added as a Reference.
2. Re-assign page—by default all inputs added on the Equipment tab are placed on the Functional View tab to the first available placeholder in the left column. However, inputs can be moved to any location in the middle area. Move one of the blocks to any of the placeholders in the middle area. Go to the page which contains the block that needs to be moved. Select the block and change the page assignment below the Properties table.
7. Split M0:SO2:
a. Double-click M0:SO2 or select it and click Edit under the Properties table.
b. Click Split.
8. Add the following Function Blocks by clicking on any of the empty placeholders in the middle area of the Functional View tab (see Function Blocks on page 80 for more information):
• Muting Block x 3 (Muting Mode: One Pair, ME (Mute Enable): Checked)
• Enabling Device Block (ES: Checked, JOG (Jog): Checked)
9. Add the following Logic Blocks by clicking on any of the empty placeholders in the middle area of the Functional View tab (see Logic Blocks on page 78 for more information):
• AND with 2 input nodes
• AND with 4 input nodes
10. Connect the following to each Muting Block:
• 1 x Optical Sensor (IN node)
• 1 x Mute Sensor Pair (MP1 node)
• 1 x Mute Enable (ME node)
11. Connect Gate Switch x 2 to the AND block with 2 nodes.
12. Connect Muting Block x 3, and AND block with 2 nodes to the AND block with 4 nodes.
13. Connect one of the Muting Blocks to one of the split safety outputs (M0:SO2A or M0:SO2B) and one to the other split safety output.
14. Connect the following to the Enabling Device Block:
• Emergency Stop (ES node)
• Enabling Device (ED node)
• AND block with four input nodes (IN node)
• Manual Reset (RST node)
• On-Off (JOG node)
15. Connect Enabling Device Block to the remaining Safety Output (M0:SO1).
16. Enable EDM (External Device Monitoring) in each of the Safety Output Properties windows.
17. Connect 1x External Device Monitoring input to each of the Safety Outputs.
The Sample Configuration is complete.
Note: At this point you may want to reposition the blocks in the Functional View tab for a better configuration flow (see Figure 50 on page 70).
Figure 50. Sample Configuration—Functional View Tab

9 Software

The Banner Safety Controller Software is an application with real-time display and diagnostic tools that are used to:
• Design and edit configurations
• Test a configuration in Simulation Mode
• Write a configuration to the Safety Controller
• Read the current configuration from the Safety Controller
• Display the real-time information, such as device statuses
• Display the fault information
The Software uses icons and circuit symbols to assist in making appropriate input device and property selections. As the various device properties and I/O control relationships are established on the Functional View tab, the program automatically builds the corresponding wiring and ladder logic diagrams.
See Creating a Configuration on page 62 for the configuration design process. See XS/SC26-2 Sample Configuration on page 68 for a sample configuration design process.
See Wiring Diagram Tab on page 99 to connect the devices, and Ladder Logic Tab on page 101 for the ladder logic rendering of the configuration.
See Live Mode on page 115 for the Safety Controller Run-time information.

9.1 Abbreviations

Abbreviation [8] Description
AVM Adjustable Valve Monitoring input node of the Safety Outputs
AVMx Adjustable Valve Monitoring input
BP Bypass input node of the Bypass Blocks and Muting Blocks
BPx Bypass Switch input
CD Cancel Delay input node of the Safety Outputs
CDx Cancel Delay input
ED Enabling Device input node of the Enabling Device Blocks
EDx Enabling Device input
EDM External Device Monitoring input node of the Safety Outputs
EDMx External Device Monitoring input
ES Emergency Stop input node of the Enabling Device Blocks
ESx Emergency Stop input
ETB External Terminal Block (SC10-2 only)
FID Feature identification
FR Fault Reset input node of the Safety Outputs
GSx Gate Switch input
JOG Jog Input node of the Enabling Device Blocks
IN Normal Input node of function blocks and Safety Output blocks
LR Latch Reset input node of the Latch Reset Block and the Safety Outputs
ME Mute Enable input node of the Muting Blocks and Two-Hand Control Blocks
MEx Mute Enable input
MP1 First Muting Sensor Pair input node in Muting Blocks and Two-Hand Control Blocks
MP2 Second Muting Sensor Pair input node (Muting Blocks only)
Mx Base Controller and Expansion modules (in the order displayed on the Equipment tab)
MRx Manual Reset input
MSPx Muting Sensor Pair input
ONx On-Off input
OSx Optical Sensor input
PSx Protective Stop input
RE Reset Enable input node of the Latch Reset Blocks and the Safety Outputs
ROx Relay Output
RPI Requested Packet Interval
RPx Rope Pull input
RST Reset node of the SR-Flip-Flop, RS-Flip-Flop, Latch Reset Blocks, and Enabling Device Blocks
SET Set node of the SR- and RS-Flip-Flop Blocks
SMx Safety Mat input
SOx Safety Output
STATx Status Output
TC Two-Hand Control input node of the Two-Hand Control Blocks
TCx Two-Hand Control input
[8] The "x" suffix denotes the automatically assigned number.

9.2 Software Overview

Note: The following sections use the XS/SC26-2 as an example. The SC10-2 interface is similar.
Figure 51. Banner Safety Controller Software
(1) Navigation Toolbar
Starts a New project
Opens an existing project, opens a Recent project, or opens Sample Projects
Saves (or Save As) the project to the user-defined location
Makes the Live Mode view available
Prints a customizable Configuration Summary
Makes the Simulation Mode view available
Reverts up to ten previous actions
Indicates SC-XM2 or SC-XM3 drive connection
Re-applies up to ten previously reverted actions
Displays Network Settings and writes the Network Settings to the Safety Controller
Displays Project Settings
Opens Password Manager
Reads the data, such as Fault Log, Configuration, Network Settings, and Device Information from the Safety Controller
Writes the data, such as Configuration Settings to the Safety Controller
Opens the Help options
Help—Opens Help topics
About—Displays Software version number and user responsibilities warning
Release Notes—Displays the release notes for each version of the software
Icons—Switches between US- and European-style icons
Support Information—Describes how to request help from the Banner Advanced Technical Support Group
Language—Selects the Software language options
(2) Tabs for Worksheets and Diagrams
Equipment—Displays an editable view of all connected equipment
Functional View—Provides editable iconic representation of the control logic
Wiring Diagram—Displays the I/O device wiring detail for the use by the installer
Ladder Logic—Displays a symbolic representation of the Safety Controller’s safeguarding logic for the use by the machine designer or controls engineer
Industrial Ethernet (when enabled)—Displays editable network configuration options
Configuration Summary—Displays a detailed configuration summary
Live Mode (when enabled)—Displays the live mode data, including current faults
Simulation Mode (when enabled)—Displays the simulation mode data
(3) Selected View
Displays the view corresponding to the selected tab (Equipment view shown)
(4) Module Summary
Displays the Base Controller and any connected modules or displays the SC10-2
(5) Check List
Provides action items to configure the system and correct any errors to successfully complete the configuration
(6) Properties
Displays the properties of the selected device, function block, or connection (properties cannot be edited in this view; click Edit below to make changes)
Delete—Deletes the selected item
Edit—Displays the configuration options for the selected device or function block
See Software: Troubleshooting on page 144 for issues related to the Software functionality.

9.3 Project Settings

Figure 52. Project Settings
Each configuration has an option to include additional project information for easier differentiation between multiple configurations. To enter this information click Project Settings.
Configuration Name
Name of the configuration; displayed on the Safety Controller (models with display); different from file name.
Project
Project name; useful for distinguishing between various application areas.
Author
Person designing the configuration.
Notes
Supplemental information for this configuration or project.
Project Date
Date pertaining to the project.
Disable Automatic Terminal Optimization Feature (SC10-2 only)
Enable or disable Automatic Terminal Optimization, which allows for the expansion of the number of inputs using an external terminal block (ETB).

9.4 Equipment Tab

Figure 53. Example XS/SC26-2 Equipment Tab
XS/SC26-2: The Equipment tab is used to select the base model, add the expansion modules (input and output), and add input devices and status outputs. Add the expansion modules by clicking to the right of the Base Controller module.
SC10-2: The Equipment tab is used to add input devices and status outputs.
Customize the Base Controller module or SC10-2 by either double-clicking the module or selecting it and clicking Edit under the Properties table on the left and selecting the appropriate Safety Controller features (display, Ethernet, expandability, Automatic Terminal Optimization). The properties of Safety and Non-Safety inputs, Status Outputs, Logic Blocks, and Function Blocks are also configured by either double-clicking the block or selecting it and clicking Edit under the Properties table. Clicking the block the second time de-selects it.
Figure 54. XS/SC26-2 Module Properties
Figure 55. SC10-2 Module Properties

9.5 Functional View Tab

Figure 56. Functional View Tab
The Functional View tab is used to create the control logic. The left column of the Functional View tab is used for Safety and Non-Safety Inputs; the middle area is used for Logic and Function Blocks and the right column is reserved for Safety Outputs. Safety and Non-Safety Inputs can be moved between the left and middle areas. Function and Logic Blocks can only be moved within the middle area. Outputs are placed statically by the program and cannot be moved. Reference blocks of any type can be placed anywhere within the left and middle areas.
Important: The Banner Safety Controller Software is designed to assist in creating a valid configuration, however, the user is responsible for verifying the integrity, safety, and functionality of the configuration by following the Commissioning Checkout Procedure on page 125.
On the Functional View tab you can:
• Customize the look of the diagram by repositioning inputs, Function Blocks, and Logic blocks
• Undo and Redo up to 10 most recent actions
• Add additional pages for larger configurations using the page navigation toolbar (see Figure 57 on page 77)
• Zoom in and out of the diagram view, or automatically adjust it to the best ratio for the current window size (see Figure 57 on page 77)
• Navigate between pages by clicking the left and right arrows within the page navigation area in the top right corner of the Software
• Modify properties of all blocks by either double-clicking a block or by selecting a block and clicking Edit under the Properties table
• Delete any block or connection by selecting the item and then either pressing the Delete key on your keyboard or clicking Delete under the Properties table
Note: There is no confirmation of the object deletion. You may undo the deletion by clicking Undo.
Figure 57. Page Navigation and Diagram Size toolbar
By default all inputs added on the Equipment tab are placed on the Functional View tab to the first available placeholder in the left column. There are two ways to move signals from one page to another. To do so, perform one of the following steps:
1. Add a Reference to the block located on a different page—click any of the empty placeholders in the middle area, select Reference and select the block that is on the next page. Only blocks from other pages can be added as a Reference.
2. Re-assign page—on the page where you want to keep the configuration, move one of the blocks to any of the placeholders in the middle area. Go to the page which contains the block that needs to be moved. Select the block and change the page assignment below the Properties table.

9.5.1 Logic Blocks

Logic Blocks are used to create Boolean (True or False) functional relationships between inputs, outputs, and other logic and function blocks. Logic Blocks accept appropriate safety inputs, non-safety inputs, or safety outputs as an input. The state of the output reflects the Boolean logic result of the combination of the states of its inputs (1 = On, 0 = Off, x = do not care).
CAUTION: Inverted Logic
It is not recommended to use Inverted Logic configurations in safety applications where a hazardous situation can occur.
Signal states can be inverted by the use of NOT, NAND, and NOR logic blocks, or by selecting "Invert Output" or "Invert Input Source" check boxes (where available). On a Logic Block input, inverted logic treats a Stop state (0 or Off) as a "1" (True or On) and causes an output to turn On, assuming all inputs are satisfied. Similarly, the inverted logic causes the inverse function of an output when the block becomes "True" (output turns from On to Off). Because of certain failure modes that would result in loss of signal, such as broken wiring, short to GND/0 V, loss of safeguarding device supply power, etc., inverted logic is not typically used in safety applications. A hazardous situation can occur by the loss of a stop signal on a safety input, resulting in a safety output turning On.
AND
(US) (EU)
The output value is based on the logical AND of 2 to 5 inputs.
Output is On when all inputs are On.
Input 1 Input 2 Output
0 x 0
x 0 0
1 1 1
OR
(US) (EU)
The output value is based on the logical OR of 2 to 5 inputs.
Output is On when at least one input is On.
Input 1 Input 2 Output
0 0 0
1 x 1
x 1 1
NAND
(US) (EU)
The output value is based on inverting the logical AND of 2 to 5 inputs.
Output is Off when all inputs are On.
Input 1 Input 2 Output
0 x 1
x 0 1
1 1 0
NOR
(US) (EU)
The output value is based on inverting the logical OR of 2 to 5 inputs.
Output is On when all inputs are Off.
Input 1 Input 2 Output
0 0 1
1 x 0
x 1 0
XOR
(US) (EU)
The output value is an exclusive OR of 2 to 5 inputs.
Output is On when only one (exclusive) input is On.
Input 1 Input 2 Output
0 0 0
0 1 1
1 0 1
1 1 0
NOT
(US) (EU)
Output is the opposite of the input.
Input Output
0 1
1 0
RS Flip-Flop
This block is Reset Dominant (Reset has priority if both inputs are On).
Input 1 (Set) Input 2 (Reset) Output
0 0 Value remains the same
0 1 0 (Reset)
1 0 1 (Set)
1 1 0 (Reset has priority)
SR Flip-Flop
This block is Set Dominant (Set has priority if both inputs are On).
Input 1 (Set) Input 2 (Reset) Output
0 0 Value remains the same
0 1 0 (Reset)
1 0 1 (Set)
1 1 1 (Set has priority)
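
The check below is an added example, not code from the Banner manual or Software. It models the Logic Blocks from their truth tables and searches a logic network for the failure the Inverted Logic caution describes: one input dropping to 0 (broken wire, short to 0 V, lost supply) that turns an output On. The input names, the two sample networks and the flip-flop's initial Off state are assumptions made for illustration.

```python
# Added example: Logic Block models and a loss-of-signal hazard check.
# Not Banner code; names and sample networks are constructed for illustration.
from itertools import product


def _check(inputs):
    # The manual gives 2 to 5 inputs for AND, OR, NAND, NOR and XOR.
    if not 2 <= len(inputs) <= 5:
        raise ValueError("logic blocks take 2 to 5 inputs")
    return inputs


def AND(*x):  return int(all(_check(x)))
def OR(*x):   return int(any(_check(x)))
def NAND(*x): return 1 - AND(*x)
def NOR(*x):  return 1 - OR(*x)
def XOR(*x):  return int(sum(_check(x)) == 1)   # On when only one input is On
def NOT(x):   return 1 - x


class FlipFlop:
    """RS (reset dominant) or SR (set dominant). Initial Off state is assumed."""

    def __init__(self, dominant):
        if dominant not in ("reset", "set"):
            raise ValueError("dominant must be 'reset' or 'set'")
        self.dominant = dominant
        self.q = 0

    def step(self, s, r):
        if s and r:
            self.q = 0 if self.dominant == "reset" else 1
        elif r:
            self.q = 0
        elif s:
            self.q = 1
        return self.q          # s == r == 0: value remains the same


def run_flip_flop(dominant, sequence):
    """Feed (set, reset) pairs to a fresh flip-flop and return its outputs."""
    ff = FlipFlop(dominant)
    return [ff.step(s, r) for s, r in sequence]


def loss_of_signal_hazards(logic, names):
    """Find single-input 1 -> 0 faults that switch the output from Off to On.

    Returns a list of (input name, input states before the fault).
    An empty list means no single loss of signal can turn the output On.
    """
    hazards = []
    for state in product((0, 1), repeat=len(names)):
        if logic(*state) == 1:
            continue                       # output already On, nothing to gain
        for i, name in enumerate(names):
            if state[i] == 0:
                continue                   # this input has no signal to lose
            faulted = list(state)
            faulted[i] = 0                 # simulate the loss of signal
            if logic(*faulted) == 1:
                hazards.append((name, dict(zip(names, state))))
    return hazards


# Constructed wiring that borrows the manual's abbreviations (GSx, ESx).
NAMES = ("GS1", "GS2", "ES1")


def direct_logic(gs1, gs2, es1):
    return AND(gs1, gs2, es1)


def inverted_logic(gs1, gs2, es1):
    # Same network with the ES1 input source inverted.
    return AND(gs1, gs2, NOT(es1))


def hazardous_two_input_blocks():
    """Names of two-input blocks where losing one input can turn the output On."""
    blocks = {"AND": AND, "OR": OR, "NAND": NAND, "NOR": NOR, "XOR": XOR}
    return sorted(n for n, f in blocks.items()
                  if loss_of_signal_hazards(f, ("A", "B")))


if __name__ == "__main__":
    print("direct  :", loss_of_signal_hazards(direct_logic, NAMES))
    print("inverted:", loss_of_signal_hazards(inverted_logic, NAMES))
    print("blocks  :", hazardous_two_input_blocks())
    seq = [(1, 0), (0, 0), (1, 1), (0, 0), (0, 1)]
    print("RS:", run_flip_flop("reset", seq), "SR:", run_flip_flop("set", seq))
```

The check also reports XOR, which follows from its truth table: with both inputs On the output is Off, and losing either input turns it On.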

9.5.2 Function Blocks

Function Blocks provide built-in functionality for most common applications in one block. While it is possible to design a configuration without any function blocks, using the Function Blocks offers substantial efficiency, ease of use, and improved functionality.
Most Function Blocks expect the corresponding safety input device to be connected to it. The Check List on the left creates a notification if any required connections are missing. Depending on the application, some Function Blocks may be connected to other Function Blocks and/or Logic Blocks.
Dual-channel safety input devices have two separate signal lines. Dual-channel signals for some devices are both positive (+24 V dc) when the device is in the Run state. Other devices may have a complementary circuit structure where one channel is at 24 V dc and the other is at 0 V dc when the device is in the Run state. This manual uses the Run state/Stop state convention instead of referring to a safety input device as being On (24 V dc) or Off (0 V dc).
Bypass Block
Default Nodes | Additional Nodes | Notes
IN, BP | - | When the BP node is inactive, the safety signal simply passes through the Bypass Block. When the BP node is active, the output of the block is On regardless of the state of the IN node (if the Output turns Off when both inputs (IN&BP) are On checkbox is clear). The Bypass Block output turns Off when the bypass timer expires.
Bypass Time Limit—A bypass function time limit must be established to limit how long the safety input device bypass is active. The time limit can be adjusted from 1 second (default) to 12 hours and cannot be disabled. Only one time limit can be set, and this limit will apply to all safety devices that are bypassed. At the end of the time limit, the safety output control authority is transferred back to the bypassed safety input devices.
Two-Hand Control Bypassing—The Safety Controller issues a Stop signal if a Two-Hand Control input is actuated while the input is being bypassed. This ensures that the operator does not mistakenly assume that the Two-Hand Control is functional; unaware that the Two-Hand Control is bypassed and no longer providing the safeguarding function.
Figure 58. Timing Diagram—Bypass Block
Lockout/Tagout
Hazardous energy (lockout/tagout) must be controlled in machine maintenance and servicing situations in which the unexpected energization, start up, or release of stored energy could cause injury. Refer to OSHA 29CFR 1910.147, ANSI Z244.1, ISO 14118, ISO 12100 or other relevant standards to ensure that bypassing a safeguarding device does not conflict with the requirements that are contained within the standards.
WARNING: Limit Use of Bypass Function
The Bypass function is not intended for production purposes; it is to be used only for temporary or intermittent actions, such as to clear the defined area of a safety light screen if material becomes "stuck". When Bypass is used, it is the user's responsibility to install and use it according to relevant standards (such as ANSI NFPA79 or IEC/EN60204-1).
Safe Working Procedures and Training
Safe work procedures provide the means for individuals to control exposure to hazards through the use of written procedures for specific tasks and the associated hazards. The user must also address the possibility that an individual could bypass the safeguarding device and then either fail to reinstate the safeguarding or fail to notify other personnel of the bypassed condition of the safeguarding device; both cases could result in an unsafe condition. One possible method to prevent this is to develop a safe work procedure and ensure personnel are trained and correctly follow the procedure.
Delay Block (XS/SC26-2 FID 2 Only and SC10-2)
The Delay Block allows a user-configurable ON or OFF delay of a maximum of 5 minutes, in 1 ms increments.
Default Nodes | Additional Nodes | Notes
IN | - | Depending on the selection, a signal/state transition on the input node will be delayed by the output delay time by either holding the output OFF (ON Delay) or holding the output ON (OFF Delay) after a signal transition.
Note: The actual delay time of a delay function block or a safety output with a delay can be up to 1 scan time longer than the delay setting. Multiple delay blocks or delay outputs in series will increase the final delay time by up to 1 scan for each delay function. For example, three 100 ms off delay function blocks in series and a scan time of 15 ms may result in an actual delay time of up to 345 ms (300 ms + 45 ms).
The Cancel Delay Node is a configurable node if Off Delay is selected.
Figure 59. Delay Block Timing Diagram
CAUTION: Delay time effect on response time
The off delay time may significantly increase the safety control response time. This will impact the positioning of safeguards whose installation is determined by the safety (minimum) distance formulas or are otherwise influenced by the amount of time to reach a non-hazardous state. The installation of safeguards must account for the increase in response time.
Note: The response time provided on the Configuration Summary tab is a maximum time that can change depending on the use of delay blocks and other logic blocks (such as OR functions). It is the user’s responsibility to determine, verify, and incorporate the appropriate response time.
Figure 60. Delay Block Properties
The Delay Block Properties window allows the user to configure the following:
Name
The input designation.
Safety Output Delay
• None
• Off Delay
• On Delay
Output Delay
Available when the Safety Output Delay is set to either Off Delay or On Delay.
Delay time: 1 ms to 5 minutes, in 1 ms increments. The default setting is 100 ms.
Cancel Type
Available when the Safety Output Delay is set to Off Delay.
• Do Not Cancel
• Control Input
• Cancel Delay Node
End Logic
Available when the Cancel Type is set to Cancel Delay Node.
• Keep Output On
• Turn Output Off
82 www.bannerengineering.com - Tel: + 1 888 373 6767
t
limit
M0:SO1
M0:ES1
M0:ED1
M0:OS1
M0:MR1
Enable Mode
ES1 &
ED1 have On/Off Control
Enabling Device
Function Block
E1 enabling mode starts when the Enabling Device ED1 is switched to the Run state. ED1 and ES input devices have On/Off control authority while in Enable mode. When MR1 is used to perform a reset, the normal Run mode is re-established and OS1 and ES1 have the On/Off control authority.
Enabling Device Primary & Secondary Output Control
Enable Mode
M0:ON1
M0:SO1
M0:SO2
M0:ES1
M0:ED1
M0:OS1
M0:MR1
XS/SC26-2 and SC10-2 Safety Controllers
Enabling Device Block
Default Nodes Additional Nodes Notes
ED
IN
RST
ES
JOG
An Enabling Device Block must be connected directly to an Output Block. This method assures that the final control of the outputs is given to the operator holding the Enabling Device. Use the ES node for safety signals that should not be bypassed by the ED node. If no other inputs of the function block are configured, using an Enabling Device function block is not required.
Figure 61. Timing Diagram—Enabling Device, Simple Configuration
Figure 62. Timing Diagram—Enabling Device
The Latch Reset function block LR1 will turn its output and the safety output SO1 Off when the E-Stop button changes to the Stop state. The latch off condition can be reset when the Reset Enable RE of LR1 detects that the SO2 reference signal is in the Run state & MR1 is used to perform a reset.
[Timing diagram: Latch Reset Function Block, Non Monitored Reset Signal. Signals: M0:ES1, M0:MR1, M0:SO2, M0:SO1.]
To exit the Enable mode, the enabling device must be in the Off state, and an Enabling Device Block reset must be performed.
The enabling device time limit may be adjusted between 1 second (default) and 30 minutes and cannot be disabled. When the time limit expires, the associated safety outputs turn Off. To start a new Enable mode cycle, with the time limit reset to its original value, the enabling device must switch from On to Off, and then back to On.
All On- and Off-delay time limits associated with the safety outputs that are controlled by the enabling device function are followed during the Enable mode.
Latch Reset Block
Default Nodes: IN, LR
Additional Nodes: RE
Notes: The RE (Reset Enable) node can be used to enable or disable the Latch Reset function. If the input devices connected to the IN node are all in the Run state and RE input signal is high, the LR function block can be manually reset to have its output turn On. See Figure 63 on page 84 with Reference Signal SO2 connected to the RE node.
Figure 63. Timing Diagram—Latch Reset Block
The Manual Reset input device can be configured for one of two types of reset signals: Monitored & Non-Monitored
[Timing diagram: Manual Reset Input, Monitored Reset and Non-Monitored Reset. Signals: M0:ES1, M0:MR1 Monitored, M0:SO1; M0:ES1, M0:MR1 Non-Monitored, M0:SO1. Annotation: >.5s time < 2s.]
Figure 64. Timing Diagram—Latch Reset Block, Monitored/Non-Monitored Reset
A Reference Signal is used to:
• Control an output based on the state of another output
• Represent the state of an output, input, safety function or logic block on another page.
When output SO2 is On, the SO2 reference signal state is On or High. The function block above shows reference signal SO2 connected to the Reset Enable node RE of Latch Reset Block LR1.
LR1 can only be reset (turned On) when ES1 is in the Run state and SO2 is On.
[Timing diagram: Reference Signals. Signals: M0:ES1, M0:MR1, M0:SO2, LR1 & SO1.]
Figure 65. Timing Diagram—Latch Reset Block and Referenced Safety Output
See Reference Signals on page 122 for use of referenced Safety Outputs.
In the figure below, reference signal A3 is on page 1 of the function block diagram and the A3 AND block is on page 2. The output node on the A3 AND block can also be used on page 2 for other safety control logic.
[Figure: Reference Signals. Reference signal A3 on page 1 AND logic block A3 on page 2.]
When a safeguarding device OS1 transitions to a Stop state in a valid muting cycle, the latch reset function block will latch and require a reset signal to keep SO1 on after muting ends. If OS1 switches to the Stop state in a valid muting cycle and no reset signal is seen, SO1 turns off after muting ends.
[Timing diagram: Latch Reset, Mute Function. Signals: M0:OS1, M0:MR1, M0:MSP1, M0:SO1.]
Figure 66. Latch Reset and Referenced Safety Output and AND block
Figure 67. Timing Diagram—Latch Reset Block and Muting Block
One Way - 1 Mute Sensor Pair
Two Way - 1 Mute Sensor Pair
One Way - 2 Mute Sensor Pair
Two Way - 2 Mute Sensor Pair
Two Way - 1 Mute Sensor Pair
Mute Function Block
There are five Mute Function types listed below. The following timing diagrams show the function detail and sensor/safeguarding state change order for each mute function type.
In the Mute Block Properties menu in the Advanced settings, if the Bypass check box is checked, the option to select a Bypass or a Mute Dependent Override is possible.
The Mute Dependent Override is used to temporarily restart an incomplete mute cycle (for example after the mute time limit expires). In this case, one or more mute sensors must be activated while the safeguard is in the Stop state.
The normal Bypass is used to temporarily bypass the safeguarding device to keep on or turn on the output of the function block.
There are 2 types of Mute Bypass:
• Mute Dependent Override
• Bypass (normal)
Muting Block
Default Nodes: IN, MP1
Additional Nodes: ME, BP, MP2
Notes: Muting Sensor Pair input blocks must be connected directly to the Muting function block.
Figure 68. Muting Block—Function Types
Figure 69. Muting Block—Bypass/Override Mode Options
[Timing diagram: Mute Dependent Override. Signals: M0:OS1, M0:MSP1-1, M0:MSP1-2, M0:ME1, M0:BP1, M0:SO1. Annotation: On or Off.]
[Timing diagram: Mute Bypass. Signals: M0:OS1, M0:MSP1-1, M0:MSP1-2, M0:BP1, M0:SO1. Annotations: Bypass Time Expired; On or Off.]
Figure 70. Mute-Dependent Override
Figure 71. Mute Bypass
[Timing diagrams: Mute Function, One Way - 1 Sensor Pair and Mute Function, One Way - 2 Sensor Pair. Signals: M0:SO1, M0:OS1, M0:ME1, M0:MSP1-1, M0:MSP1-2, M0:MSP2-1, M0:MSP2-2. Annotations: Max. Time; < 3s; Mute Time Limit; End Delay Timer; Mute ends due to defined area going clear; Mute ends due to Mute Delay timeout; On or Off.]
Note: M0:OS1 must be blocked before either MSP1-1 or MSP1-2 clears.
Figure 72. Timing Diagram—One-Way Muting Block, One Muting Sensor Pair
Figure 73. Timing Diagram—One-Way Muting Block, Two Muting Sensor Pairs
[Timing diagrams: Mute Function, Two Way - 1 Sensor Pair and Mute Function, Two Way - 2 Sensor Pair. Signals: M0:SO1, M0:OS1, M0:ME1, M0:MSP1, M0:MSP1-1, M0:MSP1-2, M0:MSP2-1, M0:MSP2-2. Annotations: Max. Time; < 3s; Mute Time Limit; On or Off.]
Figure 74. Timing Diagram—Two-Way Muting Block, One Muting Sensor Pair
Figure 75. Timing Diagram—Two-Way Muting Block, Two Muting Sensor Pairs
Improper E-Stop Control NOT RECOMMENDED
The configuration top right shows OS1 and E-Stop button ES1 with a Latch Reset LR1 connected to a mute function via the AND function. In this case both ES1 and OS1 will be muted.
If there is an active mute cycle in progress and the E-Stop button is pressed (switched to the Stop state), SO1 will not turn Off. This will result in a loss of safety control and may lead to a potentially hazardous condition.
Proper E-Stop Control
The configuration to the right shows OS1 connected directly to the Mute block M1. M1 and ES1 are both inputs to AND A1. In this case both M1 and ES1 control SO1.
If there is an active mute cycle in progress and the E-Stop button is pressed (switched to the Stop state), SO1 will turn Off.
E-Stop Button control authority when using the Mute function
WARNING
E-stop buttons, rope pulls, enabling devices, external device monitoring, and bypass switches are non-mutable devices or functions.
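The check below is an added example, not part of the Banner manual or software: it walks a function-block graph, flags any non-mutable device that feeds the IN node of a Muting block, and evaluates SO1 for both wirings described above. The dictionary format, the device kind names and the exact placement of LR1 in the improper wiring are assumptions made for illustration.

```python
# Added example: hypothetical model of a function-block configuration,
# not the Banner software's own file format.

# Devices the manual lists as non-mutable (kind names are hypothetical).
NON_MUTABLE = {"estop", "rope_pull", "enabling_device", "edm", "bypass_switch"}

# Improper wiring (assumed topology): ES1 and OS1 are ANDed, then muted.
IMPROPER = {
    "ES1": {"kind": "estop"},
    "OS1": {"kind": "optical_sensor"},
    "LR1": {"kind": "latch_reset", "in": ["ES1"]},
    "A1": {"kind": "and", "in": ["OS1", "LR1"]},
    "M1": {"kind": "mute", "in": ["A1"]},
    "SO1": {"kind": "output", "in": ["M1"]},
}

# Proper wiring: only OS1 is muted; ES1 is ANDed after the Mute block.
PROPER = {
    "ES1": {"kind": "estop"},
    "OS1": {"kind": "optical_sensor"},
    "M1": {"kind": "mute", "in": ["OS1"]},
    "A1": {"kind": "and", "in": ["M1", "ES1"]},
    "SO1": {"kind": "output", "in": ["A1"]},
}


def upstream(cfg, name, seen=None):
    """Return the set of all nodes that feed `name`, including itself."""
    seen = set() if seen is None else seen
    if name not in seen:
        seen.add(name)
        for src in cfg[name].get("in", []):
            upstream(cfg, src, seen)
    return seen


def muted_non_mutables(cfg):
    """List (mute_block, device) pairs where a non-mutable device is muted."""
    findings = set()
    for name, node in cfg.items():
        if node["kind"] != "mute":
            continue
        for src in node["in"]:
            for dev in upstream(cfg, src):
                if cfg[dev]["kind"] in NON_MUTABLE:
                    findings.add((name, dev))
    return sorted(findings)


def evaluate(cfg, name, run_state, mute_active):
    """True = Run/On. Latch reset is assumed to be already reset."""
    node = cfg[name]
    inputs = [evaluate(cfg, s, run_state, mute_active) for s in node.get("in", [])]
    if not inputs:                 # input device
        return run_state[name]
    if node["kind"] == "mute":     # an active mute ignores the IN node
        return mute_active or all(inputs)
    return all(inputs)             # and / latch_reset / output


def so1_with_estop_pressed_during_mute(cfg):
    # Constructed scenario: light screen blocked, E-stop pressed, mute active.
    return evaluate(cfg, "SO1", {"ES1": False, "OS1": False}, mute_active=True)


if __name__ == "__main__":
    for label, cfg in (("improper", IMPROPER), ("proper", PROPER)):
        print(label, muted_non_mutables(cfg), so1_with_estop_pressed_during_mute(cfg))
```
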
To mute the primary safeguard appropriately, the design of a muting system must:
1. Identify the non-hazardous portion of the machine cycle.
2. Involve the selection of the proper muting devices.
3. Include proper mounting and installation of those devices.
The Safety Controller can monitor and respond to redundant signals that initiate the mute. The mute then suspends the safeguarding function by ignoring the state of the input device to which the muting function has been assigned. This allows an object or person to pass through the defined area of a safety light screen without generating a stop command. This should not be confused with blanking, which disables one or more beams in a safety light screen, resulting in larger resolution.
The mute function may be triggered by a variety of external devices. This feature provides a variety of options to design the system to meet the requirements of a specific application.
A pair of muting devices must be triggered simultaneously (within 3 seconds of one another). This reduces the chance of common mode failures or defeat. Directional muting, in which sensor pair 1 is required to be blocked first, also may reduce the possibility of defeat.
At least two mute sensors are required for each muting operation. The muting typically occurs 100 ms after the second mute sensor input has been satisfied. One or two pairs of mute sensors can be mapped to one or more safety input devices so that their assigned safety outputs can remain On to complete the operation.
WARNING:
• Use Mute and Bypass operations in a way that minimizes personnel risk. Failure to follow these rules could cause an unsafe condition that could result in serious injury or death.
• Guard against unintended stop signal suspension by using one or more diverse-redundant mute sensor pairs or a dual channel key-secured bypass switch.
• Set reasonable time limits for the mute and bypass functions.
Figure 76. Emergency Stop and Mute Function
[Timing diagram signals: Mute Enable (ON or OFF), Safety Input, Mute Sensor Pair, Safety Output.]
WARNING: Muting Limitations
Muting is allowed only during the non-hazardous portion of the machine cycle.
A muting application must be designed so that no single component failure can prevent the stop command or allow subsequent machine cycles until the failure is corrected.
WARNING: Mute Inputs Must Be Redundant
It is not acceptable to use a single switch, device, or relay with two N.O. contacts for the mute inputs. This single device, with multiple outputs, may fail so that the System is muted at an inappropriate time. This could result in a hazardous situation.
Optional Muting Attributes
The Muting Sensor Pair Input and the Muting Block have several optional functions that can be used to minimize an unauthorized manipulation and the possibility of an unintended mute cycle.
Mute Enable (ME)
The Mute Enable input is a non-safety-rated input. When the input is closed, or active for virtual input, the Safety Controller allows a mute condition to occur; opening this input while the System is muted will have no effect.
Typical uses for Mute Enable include:
• Allowing the machine control logic to create a period of time for muting to begin
• Inhibiting muting from occurring
• Reducing the chance of unauthorized or unintended bypass or defeat of the safety system
The optional Mute Enable function may be configured to ensure that a mute function is permitted only at the appropriate time. If a Mute Enable input device has been mapped to a Muting Block, the safety input device can be muted only if the mute enable switch is in the enable (24 V dc) state, or active state for virtual input, at the time the mute cycle is started. A mute enable input device can be mapped to one or more Muting Blocks.
Figure 77. Timing logic—One mute sensor pair with mute enable
Simultaneity Timer Reset Function
The Mute Enable input can also be used to reset the simultaneity timer of the mute sensor inputs. If one input is active for longer than 3 seconds before the second input becomes active, the simultaneity timer prevents a mute cycle from occurring. This could be due to a normal stoppage of an assembly line that may result in blocking one mute device and the simultaneity time running out.
If the ME input is cycled (closed-open-closed or active-inactive-active for virtual input) while one mute input is active, the simultaneity timer is reset, and if the second mute input becomes active within 3 seconds, a normal mute cycle begins. The function can reset the timer only once per mute cycle (all mute inputs M1–M4 must open before another reset can occur).
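The simulation below is an added example, not Banner's firmware logic: it replays a constructed event timeline for one mute sensor pair and returns the resulting mute windows, applying the 3-second simultaneity rule, the Mute Enable check at cycle start, the one-time timer reset by cycling ME, and the mute time limit. The signal names MS1/MS2, the function name and the event format are hypothetical; off-delay, debounce and the typical 100 ms start delay are not modelled, and the model assumes the pair must clear before a new cycle can start.

```python
# Added example: simplified model of the mute-start rules in this section.
SIMULTANEITY_S = 3.0   # pair must activate within 3 seconds of one another


def mute_intervals(events, time_limit_s=30.0, end_s=120.0, me_initial=True):
    """Return [(start, end)] mute windows for one sensor pair.

    events: (time_s, signal, state) with signal in {"MS1", "MS2", "ME"}.
    """
    sensors = {"MS1": False, "MS2": False}
    me = me_initial
    timer_start = None     # when the first sensor of the pair went active
    reset_used = False     # ME may reset the timer only once per mute cycle
    me_opened = False      # ME seen open while exactly one sensor was active
    mute_start = None
    windows = []

    def close(t):
        nonlocal mute_start
        windows.append((mute_start, t))
        mute_start = None

    for t, sig, state in sorted(events) + [(end_s, "END", None)]:
        # The time limit ends the mute regardless of the sensor signals.
        if mute_start is not None and t >= mute_start + time_limit_s:
            close(mute_start + time_limit_s)
        if sig == "END":
            if mute_start is not None:
                close(t)
            break
        one_active = sum(sensors.values()) == 1
        if sig == "ME":
            if mute_start is None and one_active:
                if not state:
                    me_opened = True
                elif me_opened and not reset_used:
                    # closed-open-closed cycle: restart the simultaneity timer
                    timer_start, reset_used, me_opened = t, True, False
            me = state     # opening ME while muted has no effect on the mute
            continue
        was_active = any(sensors.values())
        sensors[sig] = state
        if state and not was_active:
            timer_start = t
        elif state and all(sensors.values()):
            in_time = timer_start is not None and t - timer_start <= SIMULTANEITY_S
            if in_time and me:
                mute_start = t
            timer_start = None   # assumption: pair must clear before a new cycle
        elif not state:
            if mute_start is not None:
                close(t)
            if not any(sensors.values()):
                timer_start, reset_used, me_opened = None, False, False
    return windows


# Constructed timelines (seconds).
NORMAL = [(10.0, "MS1", True), (10.5, "MS2", True), (14.0, "MS1", False), (14.2, "MS2", False)]
LINE_STOPPED = [(10.0, "MS1", True), (15.0, "MS2", True)]
ME_CYCLED = [(10.0, "MS1", True), (13.5, "ME", False), (14.0, "ME", True),
             (15.0, "MS2", True), (20.0, "MS1", False)]
SENSORS_STUCK = [(10.0, "MS1", True), (11.0, "MS2", True)]

if __name__ == "__main__":
    for name in ("NORMAL", "LINE_STOPPED", "ME_CYCLED", "SENSORS_STUCK"):
        print(name, mute_intervals(globals()[name]))
```
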
Bypass
An optional Bypass/Override Mode may be enabled by checking the BP (Bypass) box in the Muting Block properties window. There are two available Bypass/Override Modes—Bypass and Mute Dependent Override. The Bypass mode is used to temporarily bypass the safeguarding device to keep On or turn On the output of the function block. The Mute Dependent Override mode is used to manually override an incomplete mute cycle (for example after the mute time limit expires). In this case, one or more mute sensors must be activated while the safeguard is in the Stop state to initiate the override.
Mute Lamp Output (ML)
Depending on a risk assessment and relevant standards, some applications require that a lamp (or other means) be used to indicate when the safety device, such as a light screen, is muted. The Safety Controller provides a signal that the protective function is suspended through the Mute status output.
Important: Mute Status Indication
Indication that the safety device is muted must be provided and be readily observable from the location of the muted safety device. Operation of the indicator may need to be verified by the operator at suitable intervals.
Muting Time Limit
The muting time limit allows the user to select a maximum period of time that muting is allowed to occur. This feature hinders the intentional defeat of the muting devices to initiate an inappropriate mute. It is also useful for detecting a common mode failure that would affect all mute devices in the application. The time limit can be adjusted from 1 second to 30 minutes, in increments of 100 milliseconds (the default is 30 s). The mute time limit may also be set to Infinite (disabled).
The timer begins when the second muting device meets the simultaneity requirement (within 3 seconds of the first device). After the timer expires, the mute ends despite what the signals from the mute devices indicate. If the input device being muted is in an Off state, the corresponding Muting Block output turns off.
WARNING: Muting Time Limit. Select an infinite time for the Muting Time Limit only if the possibility of an inappropriate or unintended mute cycle is minimized, as determined, and allowed by the machine’s risk assessment. The user is responsible to make sure that this does not create a hazardous situation.
Mute Off-Delay Time
A delay time may be established to extend the Mute state up to the selected time (1, 2, 3, 4, or 5 seconds) after the Mute Sensor Pair is no longer signaling a muted condition. Off-delay is typically used for Safety Light Screen/Grid workcell "Exit Only" applications with mute sensors located only on one side of the defined area. The Muting Block output will remain On for up to 5 seconds after the first mute device is cleared, or until the muted Safety Input device (Mute Block In) returns to a Run state, whichever comes first.
Mute on Power-Up
This function initiates a mute cycle after power is applied to the Safety Controller. If selected, the Mute on Power-Up function initiates a mute when:
• The Mute Enable input is On (if configured)
• The safety device inputs are active (in Run mode)
• Mute sensors M1-M2 (or M3-M4, if used, but not all four) are closed
If Auto Power-Up is configured, the Safety Controller allows approximately 2 seconds for the input devices to become active to accommodate systems that may not be immediately active at power-up.
If Manual Power-Up is configured and all other conditions are satisfied, the first valid Power-Up Reset after the muted safety inputs are active (Run state or closed) will result in a mute cycle. The Mute On Power-up function should be used only if safety can be assured when the mute cycle is expected, and the use of this function is the result of a risk assessment and is required by that particular machine operation.
WARNING: The Mute on Power-Up should be used only in applications where:
• Muting the System (MP1 and MP2 closed) when power is applied is required
• Using it does not, in any situation, expose personnel to hazard
Mute Sensor Pair Debounce Times
The input debounce times, accessible under the Advanced settings in the Mute Sensor Pair properties window, may be used to extend a mute cycle after a mute sensor signal is removed. By configuring the close-to-open debounce time, the mute cycle may be extended up to 1.5 seconds (1500 ms) to allow the Safety Input Device to turn On. The start of the mute cycle can also be delayed by configuring the open-to-close debounce time.
Muting Function Requirements
The beginning and the end of a mute cycle are triggered by signals from a pair of muting devices. The muting device circuit options are configurable and shown in the Mute Sensor Pair Properties window. A proper mute signal occurs when both channels of the mute device change to the Mute Active states while the muted safeguard is in the Run state.
Either the TC1 input or the OS1 input has turn Off authority. OS1 needs to be in the Run state before TC1 can turn the output of T1 & SO1 On.
[Timing diagram: Two-Hand Control Function Block. Signals: M0:SO1, M0:TC1, M0:OS1.]
The Safety Controller monitors the mute devices to verify that their outputs turn ON within 3 seconds of each other. If the inputs do not meet this simultaneity requirement, a mute condition cannot occur.
Several types and combinations of mute devices can be used, including, but not limited to photoelectric sensors, inductive proximity sensors, limit switches, positive-driven safety switches, and whisker switches.
Corner Mirrors, Optical Safety Systems, and Muting
Mirrors are typically used with safety light screens and single-/multiple-beam safety systems to guard multiple sides of a hazardous area. If the safety light screen is muted, the safeguarding function is suspended on all sides. It must not be possible for an individual to enter the guarded area without being detected and a stop command issued to the machine control. This supplemental safeguarding is normally provided by an additional device(s) that remains active while the Primary Safeguard is muted. Therefore, mirrors are typically not allowed for muting applications.
Multiple Presence-Sensing Safety Devices
Muting multiple presence-sensing safety devices (PSSDs) or a PSSD with multiple sensing fields is not recommended unless it is not possible for an individual to enter the guarded area without being detected and a stop command issued to the machine control. As with the use of corner mirrors (see Corner Mirrors, Optical Safety Systems, and Muting on page 95), if multiple sensing fields are muted, the possibility exists that personnel could move through a muted area or access point to enter the safeguarded area without being detected.
For example, in an entry/exit application where a pallet initiates the mute cycle by entering a cell, if both the entry and the exit PSSDs are muted, it may be possible for an individual to access the guarded area through the “exit” of the cell. An appropriate solution would be to mute the entry and the exit with separate safeguarding devices.
WARNING: Guarding Multiple Areas
Do not safeguard multiple areas with mirrors or multiple sensing fields, if personnel can enter the hazardous area while the System is muted, and not be detected by supplemental safeguarding that will issue a stop command to the machine.
Two-Hand Control Block
Default Nodes: TC (up to 4 TC nodes)
Additional Nodes: IN, MP1, ME
Notes: Two-Hand Control inputs must connect either directly to a Two-Hand Control Block or indirectly through a Bypass Block connected to a Two-Hand Control Block. It is not possible to use a Two-Hand Control input without a Two-Hand Control Block. Use the IN node to connect input devices that must be on before the THC can turn the outputs on.
Figure 78. Timing Diagram—Two-Hand Control Block
The Two-Hand Control actuators TC2 and the Bypass Switch BP1 need to be in the Run state and need to be the last devices in time to transition to the Run state for the TC1 function block to turn On.
[Timing diagram: Two-Hand Control & Bypass Function Blocks. Signals: M0:SO1, M0:TC1, M0:BP1, M0:TC2, M0:OS1.]
If both TC1 actuators and the BP1 Bypass switch are active at the same time, the B1 Bypass function block output and the Two-Hand Control function block output turn Off. The outputs for B1 and T1 will only turn On when either the TC1 actuators or the BP1 switch are in the Run state.
[Timing diagram: Two-Hand Control & Bypass Function Blocks. Signals: M0:SO1, M0:TC1, M0:BP1.]
Figure 79. Timing Diagram—Two-Hand Control Block and Bypass Blocks
Figure 80. Timing Diagram—Two-Hand Control Block and Bypass Blocks with 1 Two-Hand Control Input
The Bypass function can be used with the TC2 actuators to turn the Safety Output On.
When the TC1 actuators are not bypassed they must be used along with the TC2 actuators to turn the Safety Output On. If the TC1 actuators and the Bypass switch are both in the Run state, T1 and SO1 cannot be turned On or will turn Off.
[Timing diagram: Two-Hand Control & Bypass Function Blocks. Signals: M0:TC1, M0:BP1, M0:TC2, M0:SO1.]
To configure the Two-Hand Control mute option, the TC actuators first need to be connected to the Two-Hand Control function block in the Function View. Check boxes (blue square above) in the Properties menu will display the names of all TC actuator input devices. Only those THC station boxes that are checked will be muted.
Figure 81. Timing Diagram—Two-Hand Control Block and Bypass Blocks with 2 Two-Hand Control Inputs
Figure 82. Two-Hand Control Muting Options
Actuators TC1 and TC2 can initiate a two-hand cycle if the mute enable ME1 is not active. ME1 must be active for the MSP1 mute sensors to keep the SO On after the TC1 and TC2 actuators are in the Stop state.
[Timing diagram: Two Hand Control with Muting. Signals: M0:ME1, M0:SO1, M0:TC1, M0:TC2, A1 Output, M0:MSP1.]
Two-Hand Control Activation on Power-Up Protection. The Safety Controller’s two-hand control logic does not permit the assigned safety output to turn On when power is initially supplied while the THC actuators are in their Run state. The THC actuators must change to their Stop state and return to the Run state before the Safety Output can turn On. A Safety Output associated with a Two-Hand Control device will not have a manual reset option.
Figure 83. Timing Diagram—Two-Hand Control Block with Muting

9.6 Wiring Diagram Tab

Figure 84. Wiring Diagram Tab—XS26-2
The Wiring Diagram tab shows the terminal assignments and the electrical circuits for the safety and non-safety inputs, Safety Outputs, and status outputs, and any terminals that are still available for the selected module. Use the wiring diagram as a guide to physically connect the devices. Navigate between modules using the Page Navigation toolbar at the top right corner of the Software.
Figure 85. Wiring Diagram Tab—SC10-2 with External Terminal Blocks