Beckhoff EL2911 Operating Instructions Manual

Operating Instructions for

EL2911

TwinSAFE Potential Supply Terminal with 4 digital fail-safe
inputs

Version:
Date:

1.0.0
2018-08-24

Table of contents

Table of contents

1 Foreword ....................................................................................................................................................5

1.1 Notes on the documentation..............................................................................................................5

1.2 Safety instructions .............................................................................................................................6

1.2.1 Delivery state ..................................................................................................................... 6

1.2.2 Operator's obligation to exercise diligence ........................................................................ 6

1.2.3 Description of safety symbols ............................................................................................ 7

1.3 Documentation issue status ..............................................................................................................7

1.4 Version history of the TwinSAFE product..........................................................................................8

2 System description ...................................................................................................................................9

2.1 The Beckhoff EtherCAT Terminal system .........................................................................................9

2.1.1 EtherCAT Bus Coupler .................................................................................................... 10

2.1.2 EtherCAT Terminals ........................................................................................................ 11

2.1.3 E-bus ............................................................................................................................... 11

2.1.4 Power contacts ................................................................................................................ 11

2.2 TwinSAFE........................................................................................................................................12

2.2.1 The I/O construction kit is extended safely ...................................................................... 12

2.2.2 Safety concept ................................................................................................................. 12

2.2.3 The fail-safe principle (Fail Stop) ..................................................................................... 13

3 Product description.................................................................................................................................14

3.1 EL2911 - TwinSAFE potential supply terminal with 4 digital fail-safe inputs ...................................14

3.2 Intended use....................................................................................................................................15

3.3 Requirements for the potential group ..............................................................................................17

3.4 Technical data .................................................................................................................................19

3.5 Safety parameters ...........................................................................................................................20

3.6 Safe inputs and outputs...................................................................................................................20

3.7 Characteristic curve of the inputs ....................................................................................................20

3.8 Dimensions......................................................................................................................................21

4 Operation..................................................................................................................................................22

4.1 Environmental conditions ................................................................................................................22

4.2 Installation .......................................................................................................................................22

4.2.1 Safety instructions ........................................................................................................... 22

4.2.2 Transport / storage .......................................................................................................... 22

4.2.3 Mechanical installation..................................................................................................... 22

4.2.4 Electrical installation ........................................................................................................ 29

4.3 Configuration of the terminal in TwinCAT........................................................................................34

4.3.1 Inserting a Bus Coupler ................................................................................................... 34

4.3.2 Inserting a Bus Terminal.................................................................................................. 34

4.3.3 Adding an EL2911 ........................................................................................................... 34

4.3.4 Using the integrated TwinSAFE Logic functions.............................................................. 35

4.3.5 Address settings on TwinSAFE terminals with 1023 possible addresses ....................... 36

4.3.6 Alias devices.................................................................................................................... 37

4.3.7 EL2911 parameters in TwinCAT...................................................................................... 38

4.3.8 EL2911 process image .................................................................................................... 41

EL2911 3Version: 1.0.0

Table of contents

4.4 TwinSAFE reaction times ................................................................................................................42

4.5 Diagnosis.........................................................................................................................................44

4.5.1 Status LEDs..................................................................................................................... 44

4.5.2 Diagnostic LEDs .............................................................................................................. 44

4.5.3 Flash code display ........................................................................................................... 45

4.5.4 Diagnosis History............................................................................................................. 45

4.5.5 Diag History tab ............................................................................................................... 48

4.6 Maintenance ....................................................................................................................................50

4.7 Service life .......................................................................................................................................51

4.8 Decommissioning ............................................................................................................................51

4.9 Firmware update of TwinSAFE products.........................................................................................52

5 Appendix ..................................................................................................................................................55

5.1 Support and Service ........................................................................................................................55

5.2 Certificates.......................................................................................................................................56

EL29114 Version: 1.0.0

Foreword

1 Foreword

1.1 Notes on the documentation

Intended audience

This description is only intended for the use of trained specialists in control and automation engineering who
are familiar with the applicable national standards.

It is essential that the following notes and explanations are followed when installing and commissioning
these components.

The responsible staff must ensure that the application or use of the products described satisfy all the
requirements for safety, including all the relevant laws, regulations, guidelines and standards.

Origin of the document

This documentation was originally written in German. All other languages are derived from the German
original.

Currentness

Please check whether you are using the current and valid version of this document. The current version can
be downloaded from the Beckhoff homepage at http://www.beckhoff.com/english/download/twinsafe.htm.
In case of doubt, please contact Technical Support [}55].

Product features

Only the product features specified in the current user documentation are valid. Further information given on
the product pages of the Beckhoff homepage, in emails or in other publications is not authoritative.

Disclaimer

The documentation has been prepared with care. The products described are subject to cyclical revision. For
that reason the documentation is not in every case checked for consistency with performance data,
standards or other characteristics. We reserve the right to revise and change the documentation at any time
and without prior announcement. No claims for the modification of products that have already been supplied
may be made on the basis of the data, diagrams and descriptions in this documentation.

Trademarks

Beckhoff®, TwinCAT®, EtherCAT®, EtherCATP®, SafetyoverEtherCAT®, TwinSAFE®, XFC® and XTS® are
registered trademarks of and licensed by Beckhoff Automation GmbH.
Other designations used in this publication may be trademarks whose use by third parties for their own
purposes could violate the rights of the owners.

Patent Pending

The EtherCAT Technology is covered, including but not limited to the following patent applications and
patents: EP1590927, EP1789857, DE102004044764, DE102007017835 with corresponding applications or
registrations in various other countries.

The TwinCAT Technology is covered, including but not limited to the following patent applications and
patents: EP0851348, US6167425 with corresponding applications or registrations in various other countries.

EL2911 5Version: 1.0.0

Foreword

EtherCAT® and Safety over EtherCAT® are registered trademarks and patented technologies, licensed by
Beckhoff Automation GmbH, Germany.

Copyright

© Beckhoff Automation GmbH & Co. KG, Germany.
The reproduction, distribution and utilization of this document as well as the communication of its contents to
others without express authorization are prohibited.
Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a
patent, utility model or design.

Delivery conditions

In addition, the general delivery conditions of the company Beckhoff Automation GmbH & Co. KG apply.

1.2 Safety instructions

1.2.1 Delivery state

All the components are supplied in particular hardware and software configurations appropriate for the
application. Modifications to hardware or software configurations other than those described in the
documentation are not permitted, and nullify the liability of Beckhoff Automation GmbH & Co. KG.

1.2.2 Operator's obligation to exercise diligence

The operator must ensure that

• the TwinSAFE products are only used as intended (see chapter Product description);

• the TwinSAFE products are only operated in sound condition and in working order.

• the TwinSAFE products are operated only by suitably qualified and authorized personnel.

• the personnel is instructed regularly about relevant occupational safety and environmental protection
aspects, and is familiar with the operating instructions and in particular the safety instructions contained
herein.

• the operating instructions are in good condition and complete, and always available for reference at the
location where the TwinSAFE products are used.

• none of the safety and warning notes attached to the TwinSAFE products are removed, and all notes
remain legible.

EL29116 Version: 1.0.0

1.2.3 Description of safety symbols

In these operating instructions the following instructions are used.
These instructions must be read carefully and followed without fail!

DANGER

Serious risk of injury!

Failure to follow this safety instruction directly endangers the life and health of persons.

WARNING

Risk of injury!

Failure to follow this safety instruction endangers the life and health of persons.

CAUTION

Personal injuries!

Failure to follow this safety instruction can lead to injuries to persons.

NOTE

Damage to the environment/equipment or data loss

Failure to follow this instruction can lead to environmental damage, equipment damage or data loss.

Foreword

Tip or pointer

This symbol indicates information that contributes to better understanding.

1.3 Documentation issue status

Version Comment

1.0.0 • Certificate added

• First release

0.0.5 • Overview screen updated

0.0.4 • Connection added

• Parameter description updated

0.0.3 • Requirements for the potential group added

0.0.2 • Update after review

0.0.1 • First draft

EL2911 7Version: 1.0.0

Foreword

1.4 Version history of the TwinSAFE product

This version history lists the software and hardware version numbers. A description of the changes
compared to the previous version is also given.

Updated hardware and software

TwinSAFE products are subject to a cyclical revision. We reserve the right to revise and change the
TwinSAFE products at any time and without prior notice.
No claims for changes to products already delivered can be asserted from these hardware and/or
software changes.

A description of how a firmware (software) update can be performed can be found in chapter Firmware
update of TwinSAFE products [}52].

Date Software ver-

sion

16.08.2018 01 00 First release of the EL2911

Hardware
version

Modifications

EL29118 Version: 1.0.0

System description

2 System description

2.1 The Beckhoff EtherCAT Terminal system

The Beckhoff EtherCAT Terminal system is used for decentralized connection of sensors and actuators to a
controller. The components of the Beckhoff EtherCAT Terminal system are mainly used in industrial
automation and building management systems. As a minimum, a bus station consists of an EtherCAT
Coupler and connected EtherCAT Terminals. The EtherCAT Coupler forms the communication interface to
the higher-level controller, while the EtherCAT Terminals form the interface to the sensors and actuators.
The whole bus station is clipped onto a 35mm DIN mounting rail (EN 60715). The mechanical link of the bus
station is established with a slot and key system on EtherCAT Couplers and EtherCAT Terminals.

The sensors and actuators are connected with the terminals via the screwless (spring-loaded) connection
system.

Fig.1: Slot and key system and screwless (spring-loaded) connection system

EL2911 9Version: 1.0.0

System description

2.1.1 EtherCAT Bus Coupler

Mechanical data Bus Coupler

Material polycarbonate, polyamide (PA6.6).
Dimensions (W x H x D) 44mm x 100mm x 68mm
Mounting on 35 mm mounting rail (EN60715) with locking
Attachable by double slot and key connection

Fig.2: Bus Coupler (EtherCAT)

Connection technology Bus Coupler

Wiring Spring-loaded system
Connection cross-section 0.08mm² ... 2.5mm², stranded wire, solid wire
Fieldbus connection EtherCAT
Power contacts 3 spring contacts
Current load 10A
Nominal voltage 24V

DC

EL291110 Version: 1.0.0

2.1.2 EtherCAT Terminals

Mechanical data Bus Terminal

Material polycarbonate, polyamide (PA6.6).
Dimensions (W x H x D) 12mm x 100mm x 68mm or 24mm x 100mm x 68mm
Mounting on 35 mm mounting rail (EN60715) with locking
Attachable by double slot and key connection

System description

Fig.3: Overview of EtherCAT Terminals

Connection technology Bus Terminal

Wiring Spring-loaded system
Connection cross-section typically 0.08mm² – 2.5mm², stranded wire, solid wire
Communication E-bus
Power contacts Up to 3 blade/spring contacts
Current load 10A
Nominal voltage Depending on terminal type (typically 24 VDC)

2.1.3 E-bus

The E-bus is the data path within a terminal strip. The E-bus is led through from the Bus Coupler through all
the terminals via six contacts on the terminals' side walls.

2.1.4 Power contacts

The operating voltage is passed on to following terminals via three power contacts. Terminal strip can be
split into galvanically isolated groups by means of potential supply terminals as required. The supply
terminals play no part in the control of the terminals, and can be inserted at any locations within the terminal
strip.

EL2911 11Version: 1.0.0

System description

2.2 TwinSAFE

2.2.1 The I/O construction kit is extended safely

The integrated TwinSAFE safety solution is the logical continuation of the open, PC-based Beckhoff control
philosophy. Due to their modularity and versatility, the TwinSAFE components fit seamlessly into the
Beckhoff control system. The I/O components are available in the formats Bus Terminal, EtherCAT Terminal,
EtherCAT plug-in module and EtherCAT Box.

Thanks to the fieldbus-neutral safety protocol (TwinSAFE/Safety-over-EtherCAT), TwinSAFE devices can be
integrated into any fieldbus system. They are integrated into existing networks with K-bus or EtherCAT and
can be used directly in the machine as IP67 modules. These safety I/Os form the interfaces to the safety­relevant sensors and actuators.

The possibility to transmit the safety-relevant signals over a standard bus system gives rise to substantial
advantages in terms of planning, installation, operation, maintenance, diagnostics and costs.

The safety application is configured or programmed respectively in the TwinCAT software. This application is
then transferred via the bus to a TwinSAFE logic component. These form the heart of the TwinSAFE system.
All safety devices in the system communicate with this logic component. Due to the enormous flexibility of
the system, several TwinSAFE logic components can also be operated simultaneously in a network.

2.2.2 Safety concept

TwinSAFE: Safety and I/O technology in one system

• Extension of the familiar Beckhoff I/O system with TwinSAFE Terminals

• Freely selectable mix of safe and standard signals

• Logic link of the I/Os in the TwinSAFE logic component, e.g. EL6910

• Safety-relevant networking of machines via bus systems

TwinSAFE protocol (FSoE / Safety-over-EtherCAT)

• Transfer of safety-relevant data via any media (“genuine black channel”)

• TwinSAFE communication via fieldbus systems such as EtherCAT, Lightbus, PROFIBUS or Ethernet

• IEC 61508:2010 SIL 3 compliant

TwinCAT software and TwinSAFE editor

• Safety application is configured or programmed in the TwinCAT software

• Certified function blocks such as emergency stop, operation mode, etc.

• simple handling

• Transfer of the application via the bus to the TwinSAFE logic component

TwinSAFE logic component, e.g. EL6910

• Processing of the safety-related application and communication with the TwinSAFE terminals

• No safety requirements for higher-level control system

• TwinSAFE enables a network with up to 65,535 TwinSAFE components.

• TwinSAFE logic component can establish up to 512 connections (TwinSAFE connections).

• Several TwinSAFE logic components can be operated in a network

• Suitable for applications up to SIL 3 according to IEC 61508:2010 and category 4 / PL e according to
ENISO13849-1:2015.

EL291112 Version: 1.0.0

System description

TwinSAFE I/O components

• The TwinSAFE I/O components are available in the formats Bus Terminal, EtherCAT Terminal,
EtherCAT plug-in module, EtherCAT Box and TwinSAFE Drive option card

• All common safety sensors and actuators can be connected

• Operation with a TwinSAFE logic component

• Typically meet the requirements of IEC 61508:2010 up to SIL 3 and ENISO13849-1:2015 up to
Category 4, PLe. More detailed information can be found in the respective user documentation

2.2.3 The fail-safe principle (Fail Stop)

The basic rule for a safety system such as TwinSAFE is that failure of a part, a system component or the
overall system must never lead to a dangerous condition.

CAUTION

Safe state

The safe state of the TwinSAFE system is always the switched-off and de-energized state.

EL2911 13Version: 1.0.0

Product description

3 Product description

3.1 EL2911 - TwinSAFE potential supply terminal with 4 digital fail-safe inputs

The EL2911 is a safe potential supply terminal for the power contacts for a downstream potential group. In
addition, it has 4 fail-safe inputs for sensors with potential-free contacts for 24VDC.

The EL2911 meets the requirements of IEC61508:2010SIL3 and ENISO13849-1:2015(Cat4, PLe). The
safe inputs of the EL2911 meet the requirements of EN62061:2005/A2:2015 up to SILCL3, the safe output
up to SILCL2.

The TwinSAFE Terminal has the usual design of a 24mm EtherCAT Terminal. It has no power contacts on
the left side and therefore forms the start of a new potential group.

The safe inputs and the safe output are supplied from UP.

Fig.4: EL2911 - TwinSAFE potential supply terminal with 4 fail-safe inputs

EL291114 Version: 1.0.0

Product description

3.2 Intended use

WARNING

Caution - Risk of injury!

TwinSAFE components may only be used for the purposes described below!

The TwinSAFE Terminals expand the application area of Beckhoff Bus Terminal system with functions that
enable them to be used for machine safety applications. The TwinSAFE Terminals are designed for machine
safety functions and directly associated industrial automation tasks. They are therefore only approved for
applications with a defined fail-safe state. This safe state is the switched-off and de-energized state. Fail­safety according to the relevant standards is required.

The TwinSAFE I/O components allow the connection of:

• 24VDC sensors such as
emergency stop push-buttons, rope pull switches, position switches, two-hand switches, safety
switching mats, light curtains, light barriers, laser scanners, etc.

• 24VDC actuators such as
contactors, protective door switches with tumbler, signal lamps, servo drives, etc.

Test pulses

When selecting actuators please ensure that the test pulses of the TwinSAFE component do not
lead to switching of the actuator or a diagnostic message of the TwinSAFE component.

The following TwinSAFE components were developed for these tasks:

• The EL1904 is an EtherCAT Terminal with 4 digital fail-safe inputs

• The EL2904 is an EtherCAT Terminal with 4 digital fail-safe outputs

• The EL6900 is an EtherCAT Terminal with integrated TwinSAFE logic

These TwinSAFE components are suitable for operation on the

• Beckhoff EKxxxx series Bus Couplers

• Beckhoff CXxxxx series Embedded PCs with E-bus connection

WARNING

The fail-safe principle!

The basic rule for a safety system such as TwinSAFE is that failure of a part, a system component or the
overall system must never lead to a dangerous condition. The safe state is always the switched off and

wattless state.

WARNING

System limits

The TÜV SÜD certificate applies to these TwinSAFE components, the function blocks available in it, the
documentation and the engineering tool. TwinCAT 3.1 and the TwinSAFE Loader are permitted as engi­neering tools. Any deviations from these procedures or tools, particularly externally generated xml files for
TwinSAFE import or externally generated automatic project creation procedures, are not covered by the
certificate.

WARNING

Power supply from SELV/PELV power supply unit!

The TwinSAFE components must be supplied with 24VDC by an SELV/PELV power supply unit with an out­put voltage limit U

of 36VDC. Failure to observe this can result in a loss of safety.

max

WARNING

Commissioning test

Before the EL2911 can be used for the safety task, the user must carry out a commissioning test so that
sensor and actuator wiring errors can be ruled out.

EL2911 15Version: 1.0.0

Product description

CAUTION

Follow the machinery directive!

The TwinSAFE components may only be used in machines as defined in the machinery directive.

CAUTION

Ensure traceability!

The buyer has to ensure the traceability of the device via the serial number.

CAUTION

Note on approval according to EN 81-20, EN 81-22 and EN 81-50

• The TwinSAFE components may only be used in machines that have been designed and installed in ac­cordance with the requirements of the EN60204-1 standard.

• Provide a surge filter for the supply voltage of the TwinSAFE components against overvoltages. (Reduc­tion to overvoltage category II)

• EN81 requires that in the case of devices with internal temperature monitoring, a stop must be reached
in the event of an overtemperature. In this case, passengers must be able to disembark (see EN81-20
chapter 5.10.4.3, for example). To ensure this, application measures are necessary. The internal termi­nal temperature of the TwinSAFE components can be read out by the user. There is a direct switch-off at
the maximum permissible temperature of e.g. 95°C when using the EL terminals.
The user must select a temperature threshold below the maximum temperature such that a stop can be
reached in all cases before the maximum temperature is reached. Information on the optimum terminal
configuration can be found under Notes on the arrangement of TwinSAFE components and under Exam­ple configuration for temperature measurement.

• For the use of the TwinSAFE components according to EN81-22 and EN81-50, the conditions de­scribed in the manuals for achieving category4 according to ENISO13849-1:2015 must be observed.

• The use of TwinSAFE components is limited to indoor applications.

• Basic protection against direct contact must be provided, either by fulfilling protection class IP2X or by
installing the TwinSAFE components in a control cabinet which corresponds at least to protection class
IP54 according to EN60529.

• The ambient conditions regarding temperature, humidity, heat dissipation, EMC and vibrations, as speci­fied in the operating instructions under technical data, must be observed.

• The operating conditions in potentially explosive atmospheres (ATEX) are specified in the operating in­structions.

• The safe state (triggering) of the application must be the de-energized state. The safe state of the Twin­SAFE components is always the de-energized, switched-off state, and this cannot be changed.

• The service life specified in the operating instructions must be observed.

• If the TwinSAFE component is operated outside the permissible temperature range, it changes to
"Global Shutdown" state.

• The TwinSAFE components must be installed in a control cabinet with protection class IP54 according to
EN60529, so that the requirement for contamination level3 according to EN60664-1 can be reduced to
level2.

• The TwinSAFE components must be supplied by a SELV/PELV power supply unit with a maximum volt­age of U

<=36VDC.

max

EL291116 Version: 1.0.0

Product description

3.3 Requirements for the potential group

WARNING

Prevention of feedback

Feedback must be prevented through the following measures:

• No switching of loads with a separate power supply

• Excluding a line short-circuit fault (see following alternatives)

CAUTION

Non-reactive EtherCAT Terminals

In the potential group connected through the EL2911, only non-reactive standard terminals must be used. A
list the non-reactive EtherCAT Terminals can be found in the Beckhoff Information System under http://in-

fosys.beckhoff.de

NOTE

Maximum achievable safety level for the safe output

Provided feedback is avoided by excluding line short-circuit faults, the following safety levels can be
achieved:

• EN ISO 13849-1: max. Cat. 4 / PL e

• IEC 61508: max. SIL3

• EN 62061: max. SIL2

No switching of loads with a separate power supply

Loads that have their own power supply must not be switched by standard terminals, since in this case
feedback via the load cannot be ruled out.

Fig.5: External load

EL2911 17Version: 1.0.0

Product description

CAUTION

Exceptions

Exceptions to the general requirement are allowed only if the manufacturer of the connected load guaran­tees that feedback to the control input cannot occur.

Cable short-circuit fault exclusion

It must be possible to avoid the risk of feedback due to a short circuit in the line through further measures.
The following measures can be implemented as an alternative.

Fig.6: protected wiring

Alternative 1: Load connection via separate sheathed cables

The non-safely switched potential of the standard terminal may not be conducted together with other
potential-conducting cores inside the same sheathed cable

Alternative 2: Wiring only inside the control cabinet

All loads connected to the non-safe standard terminals must be located in the same control cabinet as the
terminals. The cables are routed entirely inside the control cabinet.

Alternative 3: Dedicated earth connection per conductor

All conductors connected to the non-safe standard terminals are protected by a separate ground connection.

Alternative 4: Permanent (fixed) wiring, protected from external damage

All conductors connected to the non-safe standard terminals are permanently installed and protected from
external damage, e.g. through a cable duct or an armored conduit.

CAUTION

Fault exclusion

The machine manufacturer or the user is solely responsible for the correct execution and evaluation of the
applied alternatives.

EL291118 Version: 1.0.0