Operating Instructions for
EL2912
TwinSAFE Terminal with 2 digital fail-safe outputs
Version:
Date:
1.0.0
2019-09-06
Table of contents
Table of contents
1 Foreword ....................................................................................................................................................5
1.1 Notes on the documentation..............................................................................................................5
1.2 Safety instructions .............................................................................................................................6
1.2.1 Delivery state ..................................................................................................................... 6
1.2.2 Operator's obligation to exercise diligence ........................................................................ 6
1.2.3 Description of instructions.................................................................................................. 7
1.3 Documentation issue status ..............................................................................................................7
1.4 Version history of the TwinSAFE product..........................................................................................7
2 System description ...................................................................................................................................8
2.1 The Beckhoff EtherCAT Terminal system .........................................................................................8
2.1.1 EtherCAT Bus Coupler ...................................................................................................... 9
2.1.2 EtherCAT Terminals ........................................................................................................ 10
2.1.3 E-bus ............................................................................................................................... 10
2.1.4 Power contacts ................................................................................................................ 10
2.2 TwinSAFE........................................................................................................................................11
2.2.1 The I/O construction kit is extended safely ...................................................................... 11
2.2.2 Safety concept ................................................................................................................. 11
2.2.3 The fail-safe principle (Fail Stop) ..................................................................................... 12
3 Product description.................................................................................................................................13
3.1 EL2912 - TwinSAFE terminal with two fail-safe outputs..................................................................13
3.2 Intended use....................................................................................................................................14
3.3 Technical data .................................................................................................................................16
3.4 Safety parameters ...........................................................................................................................17
3.5 Safe output ......................................................................................................................................18
3.6 Fuse.................................................................................................................................................18
3.7 Dimensions......................................................................................................................................18
3.8 Using the integrated TwinSAFE Logic functions .............................................................................19
3.9 Project design limits for the EL2912 ................................................................................................19
4 Operation..................................................................................................................................................21
4.1 Environmental conditions ................................................................................................................21
4.2 Installation .......................................................................................................................................21
4.2.1 Safety instructions ........................................................................................................... 21
4.2.2 Transport / storage .......................................................................................................... 21
4.2.3 Mechanical installation..................................................................................................... 21
4.2.4 Electrical installation ........................................................................................................ 27
4.3 Configuration of the terminal in TwinCAT........................................................................................32
4.3.1 Inserting a Bus Coupler ................................................................................................... 32
4.3.2 Inserting a Bus Terminal.................................................................................................. 32
4.3.3 Adding an EL2912 ........................................................................................................... 32
4.3.4 Address settings on TwinSAFE terminals with 1023 possible addresses ....................... 33
4.3.5 Alias devices.................................................................................................................... 34
4.3.6 EL2912 parameters in TwinCAT...................................................................................... 35
4.3.7 EL2912 process image .................................................................................................... 37
EL2912 3Version: 1.0.0
Table of contents
4.4 TwinSAFE reaction times ................................................................................................................37
4.5 Diagnostics ......................................................................................................................................39
4.5.1 Status LEDs..................................................................................................................... 39
4.5.2 Diagnostic LEDs .............................................................................................................. 39
4.5.3 Flash code display ........................................................................................................... 40
4.5.4 Diagnostic objects............................................................................................................ 40
4.5.5 Cycle time of the safety project........................................................................................ 42
4.5.6 Diagnosis History............................................................................................................. 43
4.5.7 Diag History tab ............................................................................................................... 46
4.6 Maintenance ....................................................................................................................................47
4.7 Service life .......................................................................................................................................48
4.8 Decommissioning ............................................................................................................................48
4.9 Firmware update of TwinSAFE products.........................................................................................49
5 Appendix ..................................................................................................................................................52
5.1 Support and Service ........................................................................................................................52
5.2 Certificates.......................................................................................................................................53
EL29124 Version: 1.0.0
Foreword
1 Foreword
1.1 Notes on the documentation
Intended audience
This description is only intended for the use of trained specialists in control and automation engineering who
are familiar with the applicable national standards.
It is essential that the following notes and explanations are followed when installing and commissioning
these components.
The responsible staff must ensure that the application or use of the products described satisfy all the
requirements for safety, including all the relevant laws, regulations, guidelines and standards.
Origin of the document
This documentation was originally written in German. All other languages are derived from the German
original.
Currentness
Please check whether you are using the current and valid version of this document. The current version can
be downloaded from the Beckhoff homepage at http://www.beckhoff.com/english/download/twinsafe.htm.
In case of doubt, please contact Technical Support [}52].
Product features
Only the product features specified in the current user documentation are valid. Further information given on
the product pages of the Beckhoff homepage, in emails or in other publications is not authoritative.
Disclaimer
The documentation has been prepared with care. The products described are subject to cyclical revision. For
that reason the documentation is not in every case checked for consistency with performance data,
standards or other characteristics. We reserve the right to revise and change the documentation at any time
and without prior announcement. No claims for the modification of products that have already been supplied
may be made on the basis of the data, diagrams and descriptions in this documentation.
Trademarks
Beckhoff®, TwinCAT®, EtherCAT®, EtherCATG®, EtherCATG10®, EtherCATP®, SafetyoverEtherCAT®,
TwinSAFE®, XFC®, XTS® and XPlanar® are registered trademarks of and licensed by Beckhoff Automation
GmbH. Other designations used in this publication may be trademarks whose use by third parties for their
own purposes could violate the rights of the owners.
Patent Pending
The EtherCAT Technology is covered, including but not limited to the following patent applications and
patents: EP1590927, EP1789857, EP1456722, EP2137893, DE102015105702 with corresponding
applications or registrations in various other countries.
EL2912 5Version: 1.0.0
Foreword
EtherCAT® and Safety over EtherCAT® are registered trademarks and patented technologies, licensed by
Beckhoff Automation GmbH, Germany.
Copyright
© Beckhoff Automation GmbH & Co. KG, Germany.
The reproduction, distribution and utilization of this document as well as the communication of its contents to
others without express authorization are prohibited.
Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a
patent, utility model or design.
Delivery conditions
In addition, the general delivery conditions of the company Beckhoff Automation GmbH & Co. KG apply.
1.2 Safety instructions
1.2.1 Delivery state
All the components are supplied in particular hardware and software configurations appropriate for the
application. Modifications to hardware or software configurations other than those described in the
documentation are not permitted, and nullify the liability of Beckhoff Automation GmbH & Co. KG.
1.2.2 Operator's obligation to exercise diligence
The operator must ensure that
• the TwinSAFE products are only used as intended (see chapter Product description);
• the TwinSAFE products are only operated in sound condition and in working order.
• the TwinSAFE products are operated only by suitably qualified and authorized personnel.
• the personnel is instructed regularly about relevant occupational safety and environmental protection
aspects, and is familiar with the operating instructions and in particular the safety instructions contained
herein.
• the operating instructions are in good condition and complete, and always available for reference at the
location where the TwinSAFE products are used.
• none of the safety and warning notes attached to the TwinSAFE products are removed, and all notes
remain legible.
EL29126 Version: 1.0.0
1.2.3 Description of instructions
In these operating instructions the following instructions are used.
These instructions must be read carefully and followed without fail!
DANGER
Serious risk of injury!
Failure to follow this safety instruction directly endangers the life and health of persons.
WARNING
Risk of injury!
Failure to follow this safety instruction endangers the life and health of persons.
CAUTION
Personal injuries!
Failure to follow this safety instruction can lead to injuries to persons.
NOTE
Damage to the environment/equipment or data loss
Failure to follow this instruction can lead to environmental damage, equipment damage or data loss.
Foreword
Tip or pointer
This symbol indicates information that contributes to better understanding.
1.3 Documentation issue status
Version Comment
1.0.0 • First release of the documentation
1.4 Version history of the TwinSAFE product
This version history lists the software and hardware version numbers. A description of the changes
compared to the previous version is also given.
Updated hardware and software
TwinSAFE products are subject to a cyclical revision. We reserve the right to revise and change the
TwinSAFE products at any time and without prior notice.
No claims for changes to products already delivered can be asserted from these hardware and/or
software changes.
A description of how a firmware (software) update can be performed can be found in chapter Firmware
update of TwinSAFE products [}49].
Date Software ver-
sion
24.07.2019 01(V01.04) 00 First release of the EL2912
EL2912 7Version: 1.0.0
Hardware
version
Modifications
System description
2 System description
2.1 The Beckhoff EtherCAT Terminal system
The Beckhoff EtherCAT Terminal system is used for decentralized connection of sensors and actuators to a
controller. The components of the Beckhoff EtherCAT Terminal system are mainly used in industrial
automation and building management systems. As a minimum, a bus station consists of an EtherCAT
Coupler and connected EtherCAT Terminals. The EtherCAT Coupler forms the communication interface to
the higher-level controller, while the EtherCAT Terminals form the interface to the sensors and actuators.
The whole bus station is clipped onto a 35mm DIN mounting rail (EN 60715). The mechanical link of the bus
station is established with a slot and key system on EtherCAT Couplers and EtherCAT Terminals.
The sensors and actuators are connected with the terminals via the screwless (spring-loaded) connection
system.
Fig.1: Slot and key system and screwless (spring-loaded) connection system
EL29128 Version: 1.0.0
2.1.1 EtherCAT Bus Coupler
Mechanical data Bus Coupler
Material polycarbonate, polyamide (PA6.6).
Dimensions (W x H x D) 44mm x 100mm x 68mm
Mounting on 35 mm mounting rail (EN60715) with locking
Attachable by double slot and key connection
System description
Fig.2: Bus Coupler (EtherCAT)
Connection technology Bus Coupler
Wiring Spring-loaded system
Connection cross-section 0.08mm² ... 2.5mm², stranded wire, solid wire
Fieldbus connection EtherCAT
Power contacts 3 spring contacts
Current load 10A
Nominal voltage 24V
DC
EL2912 9Version: 1.0.0
System description
2.1.2 EtherCAT Terminals
Mechanical data Bus Terminal
Material polycarbonate, polyamide (PA6.6).
Dimensions (W x H x D) 12mm x 100mm x 68mm or 24mm x 100mm x 68mm
Mounting on 35 mm mounting rail (EN60715) with locking
Attachable by double slot and key connection
Fig.3: Overview of EtherCAT Terminals
Connection technology Bus Terminal
Wiring Spring-loaded system
Connection cross-section typically 0.08mm² – 2.5mm², stranded wire, solid wire
Communication E-bus
Power contacts Up to 3 blade/spring contacts
Current load 10A
Nominal voltage Depending on terminal type (typically 24 VDC)
2.1.3 E-bus
The E-bus is the data path within a terminal strip. The E-bus is led through from the Bus Coupler through all
the terminals via six contacts on the terminals' side walls.
2.1.4 Power contacts
The operating voltage is passed on to following terminals via three power contacts. Terminal strip can be
split into galvanically isolated groups by means of potential supply terminals as required. The supply
terminals play no part in the control of the terminals, and can be inserted at any locations within the terminal
strip.
EL291210 Version: 1.0.0
System description
2.2 TwinSAFE
2.2.1 The I/O construction kit is extended safely
The integrated TwinSAFE safety solution is the logical continuation of the open, PC-based Beckhoff control
philosophy. Due to their modularity and versatility, the TwinSAFE components fit seamlessly into the
Beckhoff control system. The I/O components are available in the formats Bus Terminal, EtherCAT Terminal,
EtherCAT plug-in module and EtherCAT Box.
Thanks to the fieldbus-neutral safety protocol (TwinSAFE/Safety-over-EtherCAT), TwinSAFE devices can be
integrated into any fieldbus system. They are integrated into existing networks with K-bus or EtherCAT and
can be used directly in the machine as IP67 modules. These safety I/Os form the interfaces to the safetyrelevant sensors and actuators.
The possibility to transmit the safety-relevant signals over a standard bus system gives rise to substantial
advantages in terms of planning, installation, operation, maintenance, diagnostics and costs.
The safety application is configured or programmed respectively in the TwinCAT software. This application is
then transferred via the bus to a TwinSAFE logic component. These form the heart of the TwinSAFE system.
All safety devices in the system communicate with this logic component. Due to the enormous flexibility of
the system, several TwinSAFE logic components can also be operated simultaneously in a network.
2.2.2 Safety concept
TwinSAFE: Safety and I/O technology in one system
• Extension of the familiar Beckhoff I/O system with TwinSAFE Terminals
• Freely selectable mix of safe and standard signals
• Logic link of the I/Os in the TwinSAFE logic component, e.g. EL6910
• Safety-relevant networking of machines via bus systems
TwinSAFE protocol (FSoE / Safety-over-EtherCAT)
• Transfer of safety-relevant data via any media (“genuine black channel”)
• TwinSAFE communication via fieldbus systems such as EtherCAT, Lightbus, PROFIBUS or Ethernet
• IEC 61508:2010 SIL 3 compliant
TwinCAT software and TwinSAFE editor
• Safety application is configured or programmed in the TwinCAT software
• Certified function blocks such as emergency stop, operation mode, etc.
• simple handling
• Transfer of the application via the bus to the TwinSAFE logic component
TwinSAFE logic component, e.g. EL6910
• Processing of the safety-related application and communication with the TwinSAFE terminals
• No safety requirements for higher-level control system
• TwinSAFE enables a network with up to 65,535 TwinSAFE components.
• TwinSAFE logic component can establish up to 512 connections (TwinSAFE connections).
• Several TwinSAFE logic components can be operated in a network
• Suitable for applications up to SIL 3 according to IEC 61508:2010 and category 4 / PL e according to
ENISO13849-1:2015.
EL2912 11Version: 1.0.0
System description
TwinSAFE I/O components
• The TwinSAFE I/O components are available in the formats Bus Terminal, EtherCAT Terminal,
EtherCAT plug-in module, EtherCAT Box and TwinSAFE Drive option card
• All common safety sensors and actuators can be connected
• Operation with a TwinSAFE logic component
• Typically meet the requirements of IEC 61508:2010 up to SIL 3 and ENISO13849-1:2015 up to
Category 4, PLe. More detailed information can be found in the respective user documentation
2.2.3 The fail-safe principle (Fail Stop)
The basic rule for a safety system such as TwinSAFE is that failure of a part, a system component or the
overall system must never lead to a dangerous condition.
CAUTION
Safe state!
The safe state of the TwinSAFE system is always the switched-off and de-energized state.
EL291212 Version: 1.0.0
Product description
3 Product description
3.1 EL2912 - TwinSAFE terminal with two fail-safe outputs
The EL2912 is a safe output terminal with two fail-safe outputs, each with 2A (24VDC).
The EL2912 meets the requirements of the following standards:
• EN61508:2010(SIL 3)
• EN62061:2005/A2:2015(SILCL3)
• ENISO13849-1:2015(Cat.4,PLe).
The TwinSAFE terminal has the typical design of a 12mm EtherCAT Terminal. The outputs use the voltage
of the power contacts. In addition, the voltage of the power contacts is applied to terminal points 2/6 and 3/7.
The terminal points GND1, GND2 and GND UP (terminal points 3/7) are directly connected internally.
Fig.4: EL2912 - TwinSAFE terminal with two fail-safe outputs
EL2912 13Version: 1.0.0
Product description
3.2 Intended use
WARNING
Caution - Risk of injury!
TwinSAFE components may only be used for the purposes described below!
The TwinSAFE Terminals expand the application area of Beckhoff Bus Terminal system with functions that
enable them to be used for machine safety applications. The TwinSAFE Terminals are designed for machine
safety functions and directly associated industrial automation tasks. They are therefore only approved for
applications with a defined fail-safe state. This safe state is the switched-off and de-energized state. Failsafety according to the relevant standards is required.
The TwinSAFE I/O components allow the connection of:
• 24VDC sensors such as
emergency stop push-buttons, rope pull switches, position switches, two-hand switches, safety
switching mats, light curtains, light barriers, laser scanners, etc.
• 24VDC actuators such as
contactors, protective door switches with tumbler, signal lamps, servo drives, etc.
Test pulses
When selecting actuators please ensure that the test pulses of the TwinSAFE component do not
lead to switching of the actuator or a diagnostic message of the TwinSAFE component.
The following TwinSAFE components were developed for these tasks:
• The EL1904 is an EtherCAT Terminal with 4 digital fail-safe inputs
• The EL2904 is an EtherCAT Terminal with 4 digital fail-safe outputs
• The EL6910 is an EtherCAT Terminal with integrated TwinSAFE logic
These TwinSAFE components are suitable for operation on the
• Beckhoff EKxxxx series Bus Couplers
• Beckhoff CXxxxx series Embedded PCs with E-bus connection
WARNING
System limits
The TÜV SÜD certificate applies to this TwinSAFE component, the function blocks available in it, the documentation and the engineering tool. TwinCAT 3.1 and the TwinSAFE Loader are permitted as engineering
tools. Any deviations from these procedures or tools, particularly externally generated xml files for TwinSAFE import or externally generated automatic project creation procedures, are not covered by the certificate.
WARNING
Power supply from SELV/PELV power supply unit!
The TwinSAFE components must be supplied with 24VDC by an SELV/PELV power supply unit with an output voltage limit U
of 36VDC. Failure to observe this can result in a loss of safety.
max
WARNING
Commissioning test
Before the EL2912 can be used for safety-related tasks, a commissioning test must be carried out by the
user so that faulty sensor wiring can be ruled out.
EL291214 Version: 1.0.0
Product description
CAUTION
Follow the machinery directive!
The TwinSAFE components may only be used in machines as defined in the machinery directive.
CAUTION
Ensure traceability!
The buyer has to ensure the traceability of the device via the serial number.
EL2912 15Version: 1.0.0
Product description
3.3 Technical data
Product designation EL2912
Number of outputs 2
Status display 4 (one green and one red LED for each output)
Fault response time ≤ watchdog times
Output current per channel max. 2A (at 24VDC)
Actuators When selecting actuators please ensure that the EL2912 test
Cable length between actuator and terminal unshielded max. 100m
Wire cross-section min. 0.75mm
Input process image 6bytes
Output process image 6bytes
Supply voltage of the EL2912 (SELV/PELV) 24VDC (–15%/+20%)
Current consumption via E-bus approx. 200mA
Power dissipation of the terminal typically 1.7W
Electrical isolation (between the channels) no
Electrical isolation (between the channels and the E-bus) yes
Insulation voltage (between the channels and the E-bus, under com-
mon operating conditions)
Dimensions (WxHxD) 12 mm x 100 mm x 68 mm
Weight approx.55g
Permissible ambient temperature (operation)
Permissible ambient temperature (transport/storage) -40°C to +85°C
Permissible air humidity 5% to 95%, non-condensing
Permissible air pressure (operation/storage/transport) 750hPa to 1100hPa
Climate category according to EN60721-3-3 3K3
Permissible level of contamination
according to EN 60664-1
Inadmissible operating conditions TwinSAFE Terminals must not be used under the following oper-
EMC immunity/emission conforms to EN61000-6-2/ EN61000-6-4 (EMC ZoneB)
Vibration resistance conforms to EN60068-2-6
Shock resistance conforms to EN60068-2-27
Protection class IP20
Permitted operating environment In the control cabinet or terminal box, with minimum protection
Correct installation position
Approvals CE, TÜV SÜD
pulses do not lead to actuator switching.
shielded max. 100m
(A 10A fuse should be provided for the potential group)
Insulation tested with 500V
-25°C to +55°C (note chapter Temperature measurement
[}23])
(this corresponds to an altitude of approx. -690m to 2450m
above sea level, assuming an international standard atmosphere)
(the deviation from 3K3 is possible only with optimal environmental conditions and also applies only to the technical data which
are specified differently in this documentation)
level of contamination 2
(note chapter Maintenance [}47])
ating conditions:
• under the influence of ionizing radiation (exceeding the
• in corrosive environments
• in an environment that leads to unacceptable soiling of
5 Hz ≤ f < 8.4 Hz (3.5 mm peak)
8.4 Hz ≤ f < 150 Hz (10 m/s2 peak)
15g with pulse duration 11ms in all three axes
class IP54 according to IEC60529
see chapter Installation position and minimum distances [}22]
2
DC
natural background radiation)
the Bus Terminal
EL291216 Version: 1.0.0
Product description
Derating table for altitudes above 2000m
The derating table (table 8) from the IEC61131-2:2017 standard can be referred to for the use of the
TwinSAFE components above the specified maximum altitude.
Altitude in m Derating factor for the temperature
0 to 2000
2
1.0
1
3000 0.9
4000 0.8
5000 0.7
Note: Linear interpolation is permissible between the altitudes
1)
Ambient temperature of the device at an altitude of 2000m
2)
The air pressure and air density increase as the altitude decreases. Therefore the derating factor for 0 to
2000 m (1.0) is used for altitudes below sea level.
Calculation example
In the following example the calculation is performed for a TwinSAFE component at an operating altitude of
4000m.
Permissible ambient temperature up to 2000 m above sea level = 55°C
Permissible ambient temperature up to 4000m above sea level = 55°C * 0.8 = 44°C
CAUTION
Compliance with the temperature limits
The TwinSAFE component has a maximum internal temperature at which a switch-off takes place. This is
designed for the maximum permissible ambient temperature. If the derating factor for the temperature for
higher altitudes is used, the user is solely responsible for ensuring that the calculated maximum ambient
temperature is complied with.
3.4 Safety parameters
Characteristic numbers EL2912
Lifetime [a] 20
Prooftest Interval [a] not required
PFH
D
2.88 E-09
PFD 2.55 E-05
MTTF
D
high
DC high
Performance level PL e
Category 4
HFT 1
Element classification
1)
No special proof tests are required during the entire service life of the EL2912.
2)
Classification according to IEC 61508-2:2010 (chapter 7.4.4.1.2 and 7.4.4.1.3)
2
Type B
1
The EL2912 EtherCAT Terminal can be used for safety-related applications within the meaning of
EN61508:2010 up to SIL3 and ENISO13849-1:2015 up to PL e (Cat4).
Further information on calculating or estimating the MTTFD value from the PFHD value can be found in the
TwinSAFE Application Guide or in ENISO13849-1:2015, TableK.1.
In terms of safety-related parameters, the Safety-over-EtherCAT communication is already considered with
1% of SIL3 according to the protocol specification.
EL2912 17Version: 1.0.0
Product description
3.5 Safe output
The safe outputs are implemented as a single channel per module. It is essential to pay attention to the
following note if two or more outputs run in a common sheathed cable.
DANGER
Clocked signals inside a sheathed cable
If clocked signals from different modules are used inside a single sheathed cable, then a module error such
as a cross-circuit or external power supply must lead to the switch-off of all of these modules. This is
achieved by setting the Module Fault Link active parameter for all modules involved. This parameter is set
to TRUE by default.
3.6 Fuse
Power supply of the power contacts
The safe outputs are supplied from the power contacts. The current carrying capacity of the power contacts
is limited to 10A. The power supply of the power contacts for each potential group must be protected with a
10A fuse.
3.7 Dimensions
Fig.5: EL2912 - Dimensions
Width: 12mm (side-by-side installation)
Height: 100mm
Depth: 68mm
EL291218 Version: 1.0.0
Product description
3.8 Using the integrated TwinSAFE Logic functions
On delivery, the EL2912 behaves like a safe TwinSAFE I/O slave, which can be used as an alias device
within a TwinSAFE Logic, e.g. EL6910.
Alternatively, the local logic function of the EL2912 can be used. To this end please create a TwinSAFE
project in the Safety Editor and select the EL2912 as the target system. Further information on creating a
project can be found in the EL6910 documentation and the description of the function blocks under http://
www.beckhoff.de/english/download/twinsafe.htm.
In order to be able to use the EL2912 again as a safe TwinSAFE I/O slave, please delete the logic, the
mapping and the parameter data on the EtherCAT Terminal and switch the voltage off and on again.
Fig.6: Delete project data
3.9 Project design limits for the EL2912
Project design limits
The maximum project design size of the EL2912 is limited by the available memory. This is managed dynamically. The values specified in the following table are therefore only guide values and
may differ from the actual values, depending on the safety project.
NOTE
Execution time of the logic function
Compared to the EL6910 with an identical logic program, the execution time will be typically longer as the
safe I/O signals have to be processed in addition. Accordingly this also affects the processing of the I/O signals, as they can only be evaluated less frequently as the size of the project increases.
EL2912 19Version: 1.0.0
Product description
Process image size max. 1486bytes per data direction
(max. memory size 0x1E00 for 3 buffers, i.e. with identical input and
output process data sizes the maximum size is 1280 bytes per data
direction. Only even-numbered start addresses are possible, therefore
padding bytes may have to be included)
TwinSAFE connections maximum 212
(up to 255 CRCs in total; 1 CRC is required for a TwinSAFE connection
with 1 or 2 byte safe data.)
Safe data per TwinSAFE
connection
TwinSAFE function blocks maximum 512 (For using ESTOP function blocks with complete input and
TwinSAFE groups maximum 128
TwinSAFE user maximum 40
Standard PLC inputs dynamic (memory-dependent), max. 1484bytes
Standard PLC outputs dynamic (memory-dependent), max. 1484bytes
maximum 126bytes (telegram length 255bytes)
output mapping. Other function blocks may lead to a lower maximum
number.)
NOTE
Project planning
TwinCAT 3.1 Build 4022 or later is required for the use of the internal logic functions. If the EL2912 is used
as a TwinSAFE slave with the default project, at least an EL6910, EK1960 or newer logic components are
required as a TwinSAFE master.
EL291220 Version: 1.0.0
Operation
4 Operation
4.1 Environmental conditions
Please ensure that the TwinSAFE components are only transported, stored and operated under the specified
conditions (see technical data)!
WARNING
Risk of injury!
The TwinSAFE components must not be used under the following operating conditions.
• under the influence of ionizing radiation (that exceeds the level of the natural environmental radiation)
• in corrosive environments
• in an environment that leads to unacceptable soiling of the TwinSAFE component
NOTE
Electromagnetic compatibility
The TwinSAFE components comply with the current standards on electromagnetic compatibility with regard
to spurious radiation and immunity to interference in particular.
However, in cases where devices such as mobile phones, radio equipment, transmitters or high-frequency
systems that exceed the interference emissions limits specified in the standards are operated near TwinSAFE components, the function of the TwinSAFE components may be impaired.
4.2 Installation
4.2.1 Safety instructions
Before installing and commissioning the TwinSAFE components please read the safety instructions in the
foreword of this documentation.
4.2.2 Transport / storage
Use the original packaging in which the components were delivered for transporting and storing the
TwinSAFE components.
CAUTION
Note the specified environmental conditions
Please ensure that the digital TwinSAFE components are only transported and stored under the specified
environmental conditions (see technical data).
4.2.3 Mechanical installation
WARNING
Risk of injury!
Bring the bus system into a safe, de-energized state before starting installation, disassembly or wiring of
the devices!
EL2912 21Version: 1.0.0
Operation
4.2.3.1 Instructions for ESD protection
NOTE
Devices can be destroyed by electrostatic charging!
The devices contain electrostatically sensitive components which can be damaged by improper handling.
• Please ensure you are electrostatically discharged when handling the components; also
avoid touching the spring contacts directly (see illustration).
• Avoid contact with highly insulating materials (synthetic fibers, plastic films etc.)
• When handling the components, ensure good grounding of the environment (workplace,
packaging and persons)
• Each bus station must be terminated on the right side with the EL9011 or EL9012 end cap
to ensure the protection class and ESD protection.
Fig.7: Spring contacts of Beckhoff I/O components
4.2.3.2 Control cabinet / terminal box
The TwinSAFE terminals must be installed in a control cabinet or terminal box with IP54 protection class
according to IEC60529 as a minimum.
4.2.3.3 Installation position and minimum distances
For the prescribed installation position the mounting rail is installed horizontally and the mating surfaces of
the EL/KL terminals point toward the front (see illustration below). The terminals are ventilated from below,
which enables optimum cooling of the electronics through convection. The direction indication “down”
corresponds to the direction of positive acceleration due to gravity.
EL291222 Version: 1.0.0
Operation
Fig.8: Installation position and minimum distances
In order to ensure optimum convection cooling, the distances to neighboring devices and to control cabinet
walls must not be smaller than those shown in the diagram.
4.2.3.4 Temperature measurement
The temperature measurement consists of an EK1100 EtherCAT Coupler, to which EtherCAT Terminals are
attached, based on the typical distribution of digital and analog signal types at a machine. On the EL6910 a
safety project is active, which reads safe inputs and enables safe outputs during the measurement.
NOTE
External heat sources / radiant heat / impaired convection
The maximum permissible ambient temperature of 55°C was checked with the example configuration described above. Impaired convection, an unfavorable location near heat sources or an unfavorable configuration of the EtherCAT Terminals may result in overheating of the TwinSAFE components.
The key parameter is always the maximum permitted internally measured temperature of 110°C, above
which the TwinSAFE components switch to safe state and report an error. The internal temperature can be
read from the TwinSAFE components via CoE.
4.2.3.5 Notes on the configuration of TwinSAFE components
The following notes illustrate favorable and unfavorable terminal arrangements from a thermal perspective.
Components with higher waste heat are identified with a red symbol , components with lower waste heat
are identified with a blue symbol .
EK11xx EtherCAT Coupler and EL9410 power supply terminal
The more terminals are attached after an EtherCAT Coupler or a power supply terminal, the higher the E-bus
current that their power supply units have to supply. With increasing current the waste heat from the power
supply units also increases.
EL2912 23Version: 1.0.0
Operation
EL69x0
The EL69x0 emits a relatively high amount of waste heat, since it has a high internal clock rate and high
logic performance.
EL2904/EL291x
The EL2904/EL291x emits a relatively high amount of waste heat due to the potentially high output current of
the connected actuators.
EL1904
The EL1904 also emits a relatively high amount of waste heat, despite the fact that the external load due to
clock outputs and safe inputs is relatively low.
Thermally unfavorable arrangement of the TwinSAFE terminals
The following arrangement is rather unfavorable, as terminals with relatively high waste heat are attached
directly to the EtherCAT Coupler or the power supply terminal with high E-bus load. The additional external
heating of the TwinSAFE terminals by the adjacent power supply units increases the internal terminal
temperature, which can lead to the maximum permissible temperature being exceeded. This leads to the
diagnosis “Overtemperature” message.
Fig.9: Thermally unfavorable arrangement of the TwinSAFE terminals
Thermally favorable arrangement of the TwinSAFE terminals
The following arrangement is thermally optimized, as terminals with low current consumption and therefore
low waste heat are attached between the EtherCAT Coupler/power supply terminal and terminals with higher
waste heat.
EL291224 Version: 1.0.0
Operation
Fig.10: Thermally favorable arrangement of the TwinSAFE terminals
EL2912 25Version: 1.0.0
Operation
4.2.3.6 Installation on mounting rails
WARNING
Risk of electric shock and damage of device!
Bring the bus terminal system into a safe, powered down state before starting installation, disassembly or
wiring of the Bus Terminals!
Mounting
Fig.11: Installation on the mounting rail
The Bus Couplers and Bus Terminals are attached to commercially available 35mm mounting rails (DIN rail
according to EN60715) by applying slight pressure:
1. First attach the Fieldbus Coupler to the mounting rail.
2. The Bus Terminals are now attached on the right-hand side of the Fieldbus Coupler. Join the components with slot and key and push the terminals against the mounting rail, until the lock clicks onto the
mounting rail.
If the terminals are clipped onto the mounting rail first and then pushed together without slot and key,
the connection will not be operational! When correctly assembled, no significant gap should be visible
between the housings.
Fastening of mounting rails
The locking mechanism of the terminals and couplers protrudes into the profile of the mounting rail.
When installing the components, make sure that the locking mechanism doesn't come into conflict
with the fixing bolts of the mounting rail. For fastening mounting rails with a height of 7.5mm under
the terminals and couplers, use flat fastening components such as countersunk head screws or
blind rivets.
EL291226 Version: 1.0.0
Disassembly
Fig.12: Removal from mounting rail
Each terminal is secured by a lock on the mounting rail, which must be released for disassembly:
Operation
1. Pull down the terminal at its orange-colored straps from the mounting rail by approx. 1 cm. The rail
locking of this terminal is automatically released, and you can now pull the terminal out of the Bus Terminal block with little effort.
2. To do this, grasp the unlocked terminal simultaneously at the top and bottom of the housing surfaces
with your thumb and index finger and pull it out of the Bus Terminal block.
4.2.4 Electrical installation
4.2.4.1 Connections within a Bus Terminal block
The electric connections between the Bus Coupler and the Bus Terminals are automatically realized by
joining the components:
Spring contacts (E-bus)
The six spring contacts of the E-bus deal with the transfer of the data and the supply of the Bus Terminal
electronics.
NOTE
Observe the E-bus current
Observe the maximum current that your Bus Coupler can supply to the E-bus! Use the EL9410 Power Supply Terminal if the current consumption of your terminals exceeds the maximum current that your Bus Coupler can feed to the E-bus supply.
Power contacts
The power contacts deal with the supply for the field electronics and thus represent a supply rail within the
Bus Terminal block. The power contacts are supplied via terminals on the Bus Coupler.
Note the connection of the power contacts
During the design of a Bus Terminal block, the pin assignment of the individual Bus Terminals must
be taken account of, since some types (e.g. analog Bus Terminals or digital 4-channel Bus Terminals) do not or not fully loop through the power contacts.
Potential supply terminals (EL91xx, EL92xx) interrupt the power contacts and thus represent the
start of a new supply rail.
EL2912 27Version: 1.0.0
Operation
4.2.4.2 Overvoltage protection
If protection against overvoltage is necessary in your plant, provide a surge filter for the voltage supply to the
Bus Terminal blocks and the TwinSAFE terminals.
4.2.4.3 Wiring
Fig.13: Connection of a cable to a terminal point
Up to eight terminal points enable the connection of solid or finely stranded cables to the Bus Terminal. The
terminal points are implemented in spring force technology. Connect the cables as follows:
1. Open a terminal point by pushing a screwdriver straight against the stop into the square opening
above the terminal point. Do not turn the screwdriver or move it alternately (don't toggle).
2. The wire can now be inserted into the round terminal opening without any force.
3. The terminal closes automatically when the pressure is released, holding the wire safely and permanently.
See the following table for the suitable wire size width.
Wire size width (single core wires) 0.08 ... 2.5mm
Wire size width (fine-wire conductors) 0.08 ... 2.5mm
Wire size width (conductors with a wire end sleeve) 0.14 ... 1.5mm
2
2
2
Wire stripping length 8 ... 9mm
EL291228 Version: 1.0.0
4.2.4.4 EL2912 connection
Operation
Fig.14: EL2912 - connection
Terminal point Input/ Output Signal
1 Output1 Output 1 (+ 24VDC)
2 - 24VDC U
3 - GND U
P
P
4 Output2 Output 2 (+ 24VDC)
5 GND1 Output 1 GND (directly connected to GND UP)
6 - 24VDC U
7 - GND U
P
P
8 GND2 Output 2 GND (directly connected to GND UP)
Power contact (top) - 24VDC U
Power contact (low) - GND U
P
P
EL2912 29Version: 1.0.0
Operation
4.2.4.5 Signal cables
Fig.15: Max. cable length EL2912
When connecting a single actuator via its own continuous cabling (or via a sheathed cable), the maximum
permitted cable length is 100 m.
The use of contact points, connectors or small cable cross-sections in the wiring reduces the maximum
expansion.
Cable routing
Fig.16: Cable routing
EL291230 Version: 1.0.0
Operation
NOTE
Route the signal cable separately
The signal cable must be routed separately from potential sources of interference, such as motor supply cables, 230 VAC power cables etc.!
Interference caused by cables routed in parallel can influence the signal form of the test pulses and thus
cause diagnostic messages (e.g. sensor errors or OpenLoad errors).
D: Distance between the cable ducts should be as large as possible
blue arrows: signal line
red arrows: potential source of interference
The common routing of signals together with other clocked signals in a common cable also reduces the
maximum propagation, since crosstalk of the signals can occur over long cable lengths and cause diagnostic
messages.
EL2912 31Version: 1.0.0
Operation
4.3 Configuration of the terminal in TwinCAT
CAUTION
Do not change CoE objects!
Do not change any of the CoE objects in the TwinSAFE terminals. Any modifications (e.g. via TwinCAT) of
the CoE objects will permanently set the terminals to the Fail-Stop state or lead to unexpected behavior of
the terminals!
4.3.1 Inserting a Bus Coupler
See TwinCAT automation software documentation.
4.3.2 Inserting a Bus Terminal
See TwinCAT automation software documentation.
4.3.3 Adding an EL2912
An EL2912 is added in exactly the same way as any other Beckhoff EtherCAT Terminal. Open TwinSAFE
Terminals item in the list and select the EL2912.
Fig.17: Adding an EL2912
EL291232 Version: 1.0.0
Operation
4.3.4 Address settings on TwinSAFE terminals with 1023 possible addresses
Fig.18: Address settings on TwinSAFE terminals with 1023 possible addresses
The TwinSAFE address of the terminal is set via the 10-way DIP switch on the left-hand side of the
TwinSAFE terminal. TwinSAFE addresses between 1 and 1023 are available.
DIP switch Address
1 2 3 4 5 6 7 8 9 10
ON OFF OFF OFF OFF OFF OFF OFF OFF OFF 1
OFF ON OFF OFF OFF OFF OFF OFF OFF OFF 2
ON ON OFF OFF OFF OFF OFF OFF OFF OFF 3
OFF OFF ON OFF OFF OFF OFF OFF OFF OFF 4
ON OFF ON OFF OFF OFF OFF OFF OFF OFF 5
OFF ON ON OFF OFF OFF OFF OFF OFF OFF 6
ON ON ON OFF OFF OFF OFF OFF OFF OFF 7
... ... ... ... ... ... ... ... ... ... ...
ON ON ON ON ON ON ON ON ON ON 1023
WARNING
TwinSAFE address
Each TwinSAFE address may only be used once within a network/ a configuration!
The address 0 is not a valid TwinSAFE address!
EL2912 33Version: 1.0.0
Operation
4.3.5 Alias devices
The communication between the safety logic and the I/O level is realized via an alias level. At this alias level
(subnode Alias Devices) corresponding alias devices are created for all safe inputs and outputs, and also for
standard signal types. For the safe inputs and outputs, this can be done automatically via the I/O
configuration.
The connection- and device-specific parameters are set via the alias devices.
Fig.19: Starting the automatic import from the I/O configuration
If the automatic import is started from the I/O configuration, a selection dialog opens, in which the individual
terminals to be imported can be selected.
Fig.20: Selection from the I/O tree
The alias devices are created in the safety project when the dialog is closed via OK.
Alternatively, the user can create the alias devices individually. To this end select Add and New item from
the context menu, followed by the required device.
EL291234 Version: 1.0.0
Operation
Fig.21: Creating alias devices by the user
4.3.6 EL2912 parameters in TwinCAT
After creating the alias device, it can be parameterized according to the user specifications. The FSoE
address is set under the Linking tab, and the link to the physical device is created.
Fig.22: Linking tab of the alias device
EL2912 35Version: 1.0.0
Operation
Under the Connection tab you can make further settings, e.g. the mapping of the info data or the behavior in
case of a module error.
Fig.23: Connection tab of the alias device
The Safety Parameters tab contains the parameters of the EL2911 to be set. The output is parameterized via
parameter 0x8000. The inputs are configured via the objects 0x8010 and 0x8011.
Fig.24: EL2912 parameters
Index Name Default value/
unit
80x0:01 ModuloDiagTestPulse 0x00 / integer Modulo value for the frequency of the generation of a
80x0:02 MultiplierDiagTestPulse 0x01 / integer Length of the test pulse in multiples of 400µs
80x0:03 Standard outputs active FALSE / Boolean Activation of the logical AND operator of the safe and
80x0:04 Diag TestPulse active TRUE / Boolean Activation of test pulses for the corresponding output
80x0:07 Module Fault Link active TRUE / Boolean If a module error occurs in this module, a module
Description
test pulse.
0 -> every time
1 -> every 2nd time
...
standard outputs of the module
module
error is also set for all other modules of this
TwinSAFE component for which this parameter is set
to TRUE.
EL291236 Version: 1.0.0
Operation
4.3.7 EL2912 process image
The process image of the EL2912 consists of 6 bytes process data in the input and 6 bytes process data in
the output.
Fig.25: EL2912 process image
The assignment of the individual signals in the safe data is listed in the following table.
Name Process
image
FSOUT Module1.Module Fault IN 0.0 Module error information for output 1
FSOUT Module2.Module Fault IN 0.1 Module error information for output 2
FSOUT Module 1.Output OUT 0.0 Safe output 1
FSOUT Module 1.ErrAck OUT 0.1 Error Acknowledge for safe output 1
FSOUT Module 2.Output OUT 0.2 Safe output 2
FSOUT Module 2.ErrAck OUT 0.3 Error Acknowledge for safe output 2
Bit position Description
4.4 TwinSAFE reaction times
The TwinSAFE terminals form a modular safety system that exchanges safety-oriented data via the Safetyover-EtherCAT protocol. This chapter is intended to help you determine the system's reaction time from the
change of signal at the sensor to the reaction at the actuator.
Typical response time
The typical response time is the time required for transferring a piece of information from the sensor to the
actuator, when the whole system operates normally, without error.
Fig.26: Typical response time
EL2912 37Version: 1.0.0
Operation
3 * 3 *
typ Sensor Input Comm Logic Comm Output Actuator
ReactionTime RT RT RT RT RT RT RT= + + + + + +
5 4 3 *1 10 3 *1 3 20 48
typ
ReactionTime ms ms ms ms ms ms ms ms= + + + + + + =
max Comm Comm Actuator
ReactionTime WD WD RT= + +
max
2 *15 20 50ReactionTime ms ms ms= + =
Definition Description
RT
Sensor
Response time of the sensor, until the signal is made available at the interface. Typically
provided by the sensor manufacturer.
RT
Input
Response time of the safe input, e.g. EL1904 or EP1908. This time can be found in the
technical data. In the case of the EL1904 it is 4ms.
RT
Comm
Response time of the communication. This is typically 3 times the EtherCAT cycle time, since a
new Safety-over-EtherCAT telegram has to be generated before new data can be sent. These
times depend directly on the higher-level standard controller (cycle time of the PLC/NC).
RT
Logic
Response time of the logic terminal. This is the cycle time of the logic terminal and typically
ranges from 500µs to 10ms for the EL6900, depending on the size of the safety project. The
actual cycle time can be read from the terminal.
RT
RT
Output
Actuator
Response time of the output terminal. This is typically between 2 and 3ms.
Response time of the actuator. This information is typically provided by the actuator
manufacturer
WD
Comm
Watchdog time of the communication
The typical response time is based on the following formula:
with
Worst case response time
The worst-case response time is the maximum time required for switching off the actuator in the event of an
error.
Fig.27: Worst case response time
It is assumed that a signal change takes place at the sensor, and that this is passed to the input. A
communication error occurs just at the moment when the signal is to be passed to the communication
interface. This is detected by the logic once the watchdog time of the communication link has elapsed. This
information should then be passed on to the output, resulting in a further communication error. This fault is
detected at the output once the watchdog time has elapsed, resulting in shutdown.
This results in the following formula for the worst-case response time:
with
EL291238 Version: 1.0.0
4.5 Diagnostics
4.5.1 Status LEDs
Fig.28: EL2912 - Status and diagnostic LEDs
LED Color Description
Output 1 green Status and error display for the respective output
Error 1 red
Output 2 green
Error 2 red
LED lights up: Output/error is set
LED not lit: Output is not set or there is no error
Operation
4.5.2 Diagnostic LEDs
LED lit flashes off
Diag1
(green)
Diag2 (red) Together with Diag3 and 4:
Diag3 (red) Global fault or global
Diag4 (red) Global fault or global
Diag Out
(red)
1. A global fault permanently disables the TwinSAFE component, so that it has to be replaced. A global
shutdown temporarily disables the TwinSAFE component. The error can be reset by switching off and
back on again.
Environment variables,
operating voltage and
internal tests are in the valid
range
• If Diag2 flashes, a logic
error code applies
Global shutdown1) has
occurred. (see diag history
of the TwinSAFE
components)
shutdown on µC1
shutdown on µC2
1)
1)
Module error in the output
module
- Environment variables, operating
voltage and internal tests are
outside the valid range
• If Diag2 flashes, an
environment error code applies
Logic or environment error
code according to Diag1
and tables below is output
Together with Diag3 and 4:
Global fault1) has occurred. (see
diag history of the TwinSAFE
components)
- No global fault or global shutdown
on µC1
- No global fault or global shutdown
on µC2
1)
1)
- No error in the output module
EL2912 39Version: 1.0.0
Operation
Logic error codes of LED Diag2 (if LED Diag1 is lit)
Flashing
Code
1 Function block error in one of the TwinSAFE groups
2 Communication error in one of the TwinSAFE groups
3 Error combination: Function block and communication
4 General error in one of the TwinSAFE groups
5 Error combination: General and function block
6 Error combination: General and communication
7 Error combination: General, function block and communication
flickering There is an error in an input or output module
Environment error codes of LED Diag2 (if LED Diag1 is off)
Flashing
Code
1 Maximum supply voltage µC1 exceeded
2 Supply voltage µC1 below minimum value
3 Maximum supply voltage µC2 exceeded
4 Supply voltage µC2 below minimum value
5 Maximum internal temperature exceeded
6 Internal temperature below minimum value
7 Valid temperature difference between µC1 and µC2 exceeded
8 reserved
9 reserved
10 General error
Description
Description
4.5.3 Flash code display
LED Display Description
flashing 400ms ON / 400ms OFF
1 second pause between the flash codes
flickering 50ms ON / 50ms OFF
4.5.4 Diagnostic objects
CAUTION
Do not change CoE objects!
Do not make any modifications to the CoE objects in the TwinSAFE components! Any modifications (e.g.
using TwinCAT) of the CoE objects will permanently set the TwinSAFE components to the Fail-Stop state.
Index F984
CoE object F984
: Device Info Data C1
hex
currently displays internal temperature and voltage values for the TwinSAFE component.
hex
EL291240 Version: 1.0.0
Operation
Index Name Meaning Flags Default
F984:01 Voltage C2 Voltage µC2 RO 0
F984:02 Temperature C1 Temperature µC1 RO 0
dec
dec
F984:03 Firmware CRC C1 CRC of the firmware on µC1 RO F984:04 Vendor data CRC C1 CRC of the vendor data on µC1 RO -
Index F985
CoE object F985
: Device Info Data C2
hex
currently displays internal temperature and voltage values for the TwinSAFE component.
hex
Index Name Meaning Flags Default
F985:01 Voltage C1 Voltage µC1 RO 0
F985:02 Temperature C2 Temperature µC2 RO 0
dec
dec
F985:03 Firmware CRC C2 CRC of the firmware on µC2 RO F985:04 Vendor data CRC C2 CRC of the vendor data on µC2 RO -
Diagnostics history
Any errors, which occur during operation of the TwinSAFE component, such as overtemperature or
undervoltage, are entered in the diagnostics history with a corresponding timestamp.
Index F100
The CoE object F100
Index Name Meaning Flags Default
F100:01 Safe Logic State Status of the internal logic:
F100:02 Cycle Counter Life cycle counter, which is incremented with each TwinSAFE logic
: FSLOGIC status
hex
shows the current status of the TwinSAFE component.
hex
0: OFFLINE
1: RUN
3: SAFE
6: START
8: PREPARE
10: RESTORE
11: PROJECT-CRC-OK
cycle.
RO 0
RO 0
bin
bin
The following table contains a description of all values of the index F100
SubIndex 01
hex
.
EL2912 41Version: 1.0.0
Operation
Index Value Description
F100:01 0: OFFLINE In the OFFLINE state no TwinSAFE logic program is loaded. No TwinSAFE groups and no
1: RUN In the RUN state all TwinSAFE groups and all TwinSAFE connections configured in the
3: SAFE The SAFE state is assumed from the RUN state when the TwinSAFE logic program is
6: START The START state is assumed if the TwinSAFE logic program is loaded but the standard
8: PREPARE The PREPARE state is assumed at the transition from START to RUN or from SAFE to
10: RESTORE In the RESTORE state the loaded TwinSAFE restore program is to be checked by com-
11: PROJECT-CRC-OK The PROJECT-CRC-OK state is assumed once the project CRC of the loaded TwinSAFE
TwinSAFE connections are processed.
TwinSAFE logic program are processed.
stopped.
If the TwinSAFE logic program is restarted without a new TwinSAFE logic program having
been transferred, the TwinSAFE logic should switch again from SAFE to RUN. All TwinSAFE groups should be initialized with the initial state STOPERROR, so that an error acknowledgement occurs before safe outputs are connected again.
In the SAFE state no TwinSAFE groups and no TwinSAFE connections are processed.
communication channel (e.g. EtherCAT) is not yet in process data exchange or the
process data lengths configured via the standard communication channel do not match the
process data lengths calculated using the TwinSAFE logic program.
The START state is also assumed when a user is logged in for the purpose of deleting the
current TwinSAFE logic program or transferring the user list.
In the START state no TwinSAFE groups and no TwinSAFE connections are processed.
RUN.
In the PREPARE state, the stored data read in from the FRAM is checked and then the
RUN state is assumed.
If an error is detected during checking of the stored data, all TwinSAFE groups assume
the initial state STOPERROR.
If no error is detected during checking of the stored data, all TwinSAFE groups assume
the initial state STOP.
paring its project CRC with the project CRCs read in via the corresponding TwinSAFE
connections.
In the RESTORE state all TwinSAFE connections configured in the TwinSAFE Restore
program are processed.
restore program has been successfully checked via the TwinSAFE connections.
In the PROJECT-CRC-OK state no TwinSAFE groups and no TwinSAFE connections are
processed.
This CoE object is additionally copied into the cyclic process image of the TwinSAFE component. From
there, this information can be directly linked into the PLC.
Fig.29: Diagnostic object: FSLOGIC Status (F100
) in the process image of the TwinSAFE component.
hex
4.5.5 Cycle time of the safety project
The execution time of the TwinSAFE logic can be read from the CoE objects listed below. To determine the
cycle time, it has to be multiplied with 1.25, because this is the factor used internally for generating a delay
time before the next cycle.
EL291242 Version: 1.0.0
Operation
Index FEA0
: CTRL Diag Data
hex
Index Name Meaning Flags Default
FEA0:09 Actual Safety Control
Task Execution Time
Current execution time of the TwinSAFE logic with a
logic state of1(RUN)
RO 0
hex
Cycle time = 1.25 * value
(average value of 64 cycles)
FEA0:0A Min Safety Control
Task Execution Time
Minimum execution time of the TwinSAFE logic with a
logic state of 1(RUN)
RO 0
hex
Cycle time = 1.25 * value
FEA0:0B Max Safety Control
Task Execution Time
Maximum execution time of the TwinSAFE logic with a
logic state of 1(RUN)
RO 0
hex
Cycle time = 1.25 * value
FEA0:15 Actual Safety Control
Task Execution Time
Current execution time of the TwinSAFE logic with a
logic state of<>1
RO 0
hex
Cycle time = 1.25 * value
(average value of 64 cycles)
FEA0:16 Min Safety Control
Task Execution Time
Minimum execution time of the TwinSAFE logic with a
logic state of<>1
RO 0
hex
Cycle time = 1.25 * value
FEA0:17 Max Safety Control
Task Execution Time
Maximum execution time of the TwinSAFE logic with a
logic state of<>1
RO 0
hex
Cycle time = 1.25 * value
Resetting the values
The max. and min. values can be reset by writing a value to the CoE object 0x1C32:08.
4.5.6 Diagnosis History
The diagnostic history of the TwinSAFE devices that support this function is implemented in accordance with
the ETG guideline ETG.1020 Chapter 13 "Diagnosis Handling". The diagnostic messages are saved by the
TwinSAFE device in a dedicated CoE object under 0x10F3 and can be read out by the application or by
TwinCAT.
Both the control entries and the history itself can be found in the CoE object 0x10F3. The entry Newest
Message (0x10F3:02) contains the subindex of 0x10F3, which contains the latest diagnostic message, e.g.
0x06 for diagnostic message 1.
EL2912 43Version: 1.0.0
Operation
Index 10F3
Diagnosis History
hex
Index (hex) Name Meaning Data type Flags Default
10F3:0 Diagnosis
History
10F3:01 Maximum
Messages
Maximum number of stored messages. A
maximum of 64 messages can be stored. After
UINT8 RO 0x40 (64
that the respective oldest messages are
overwritten.
10F3:02 Newest
Subindex of the latest message UINT8 RO 0x00 (0
Message
10F3:03 Newest
Subindex of the last confirmed message UINT8 RW 0x00 (0
Acknowledged
Message
10F3:04 New
Indicates that a new message is available BOOLEANRO 0x00 (0
Messages
Available
10F3:05 Flags Set via the startup list. If set to 0x0001, the
diagnostic messages are additionally sent by
UINT16 RW 0x0000
(0
)
dec
emergency to the EtherCAT master
10F3:06 Diagnosis
Diagnosis message 1 BYTE[32] RO {0}
Message 001
... ... ... ... ... ...
10F3:45 Diagnosis
Diagnosis message 64 BYTE[32] RO {0}
Message 064
dec
dec
dec
dec
)
)
)
)
Structure of the diagnosis messages
• DiagCode (4 bytes) – in this case always 0x 0000 E000
• Flags (2 bytes) - diagnosis type (info, warning or error), time stamp and number of parameters
contained (see the following table)
• Text ID (2 bytes) – ID of the diagnosis message as a reference to the message text from the ESI/XML
• Time stamp (8 bytes) – local slave time in ns since switching on the TwinSAFE device
• dynamic parameters (16 bytes) – parameters that can be inserted in the message text (see following
table)
Flags in diagnosis messages
Data type Offset Description
UINT16 Bit 0…3 DiagType (value)
0 Info message
1 Warning message
2 Error message
3…15 reserved
Bit 4 If the bit = 1, the time stamp contained in the message is the local time stamp of the
TwinSAFE device. The age of the diagnosis message can be deduced by calculation
with the current time stamp from the CoE object 0x10F8.
Bit 5…7 reserved
Bit 8…15 Number of parameters in this diagnosis message
EL291244 Version: 1.0.0
Dynamic parameters in the diagnosis messages
Type Data type Description
Flags parameter 1 UINT16 Describes the type of parameter 1
Bit 12…15 = 0 Bit 0…11 = data type of parameter 1
0x0001 - BOOLEAN
0x0002 - INT8
0x0003 - INT16
0x0004 - INT32
0x0005 - UINT8
0x0006 - UINT16
0x0007 - UINT32
0x0008 - REAL32
0x0011 - REAL64
0x0015 - INT64
0x001B - UINT64
Text parameters and formats are
specified in ETG.2000.
Parameter 1 Data type in accordance with
flags
Flags parameter 2 UINT16 see Flags parameter 1
Parameter 2 Data type in accordance with
flags
...
Value of parameter 1
Value of parameter 2
Operation
The diagnostic messages are saved in text form in the ESI/XML file belonging to the TwinSAFE device. On
the basis of the Text ID contained in the diagnostic message, the corresponding plain text message can be
found in the respective languages. The parameters can be inserted in the appropriate positions. In the
following example, %x is used for a hexadecimal representation of the parameters.
Fig.30: ESI/XML message text
Via the entry New Messages Available the user receives information that new messages are available. The
messages can be read out via CompleteAccess (a CoE read command for the complete CoE object
0x10F3). The New Messages Available bit is reset after reading the messages.
The sending of emergency messages to the EtherCAT master is activated by adding the CoE object
0x10F3:05 to the startup list (Transition IP, value 0x0001). If new diagnostic messages arrive, they are
entered in object 0x10F3 and additionally sent by emergency to the EtherCAT master.
Fig.31: Startup list
EL2912 45Version: 1.0.0
Operation
4.5.7 Diag History tab
All errors occurring within the TwinSAFE components are stored in their diag history. The diag history can be
viewed by selecting the corresponding TwinSAFE component in the I/O tree structure and then selecting the
Diag History tab. Use the Update History button to fetch the current data from the TwinSAFE component.
Errors within the logic, the function blocks, the connections or the component itself are stored with a
corresponding time stamp.
Fig.32: Diag history
Use the Advanced… button to open the advanced settings. Here, the user can customize the behavior of the
diag history.
Fig.33: Diag history – advanced settings
EL291246 Version: 1.0.0
Operation
Advanced Settings
Setting Description
Message Types • disable Info
Messages with the Info status are not saved in the diag history
• disable Warnings
Messages with the Warning status are not saved in the diag history
• disable Errors
Messages with the Error status are not saved in the diag history
Emergency In addition to saving the message in the diag history, an emergency object
is also sent and displayed in the TwinCAT logger window.
Overwrite/Acknowledge Mode This setting is currently not supported.
4.6 Maintenance
Maintenance
The TwinSAFE components are maintenance-free!
Environmental conditions
WARNING
Observe the specified environmental conditions!
Please ensure that the TwinSAFE components are only stored and operated under the specified conditions
(see technical data).
If the TwinSAFE component is operated outside the permitted temperature range it will switch to Global
Shutdown state.
Cleaning
Protect the TwinSAFE component from unacceptable soling during operation and storage!
If the TwinSAFE component was subjected to unacceptable soiling it may no longer be operated!
WARNING
Have soiled terminals checked!
Cleaning of the TwinSAFE component by the user is not permitted!
Please send soiled terminals to the manufacturer for inspection and cleaning!
EL2912 47Version: 1.0.0
Operation
4.7 Service life
The TwinSAFE terminals are designed for a service life of 20 years.
Due to the high diagnostic coverage within the lifecycle no special proof tests are required.
The TwinSAFE terminals bear a date code, which is composed as follows:
Datecode: CWYYSWHW
Legend:
CW: Calendar week of manufacture
YY: Year of manufacture
SW: Software version
HW: Hardware version
In addition the TwinSAFE terminals bear a unique serial number.
Fig.34: Unique serial number of a TwinSAFE terminal
Sample: DateCode 17110500
Calendar week: 17
Year: 2011
Software version: 05
Hardware version: 00
4.8 Decommissioning
WARNING
Risk of electric shock!
Bring the bus system into a safe, de-energized state before starting disassembly of the devices!
Disposal
In order to dispose of the device, it must be removed.
In accordance with the WEEE Directive 2012/19/EU, Beckhoff takes back old devices and accessories in
Germany for proper disposal. Transport costs will be borne by the sender.
Return the old devices with the note "for disposal" to:
Beckhoff Automation GmbH & Co. KG
Service Department
Stahlstrasse 31
D-33415 Verl
Observe the applicable national laws and guidelines for disposal!
• Housing components (polycarbonate, polyamide (PA6.6)) are suitable for plastic recycling.
• Metal parts can be sent for metal recycling.
• Electronic parts such as circuit boards must be disposed of in accordance with national electronics
scrap regulations.
EL291248 Version: 1.0.0
Operation
4.9 Firmware update of TwinSAFE products
For TwinSAFE products there is the option of performing a firmware update via the EtherCAT interface. The
complete firmware of the TwinSAFE component is deleted and replaced by a new version.
The latest firmware can be downloaded from the Beckhoff website or requested from Beckhoff Support. The
versions are available in an encrypted form and can only be loaded onto the matching TwinSAFE product.
An incorrect firmware file is rejected by the respective TwinSAFE product.
Prerequisite for a firmware update
DANGER
Put the machine into a safe state!
A firmware update stops the current processing of the firmware of the TwinSAFE product. It is essential that
you switch the TwinSAFE system to the safe state before you start an update.
All safe outputs must be in a safe, de-energized state. If hanging or pulling loads are present on the machine or the TwinSAFE system, these must also be brought into a safe state through external safety measures if necessary.
DANGER
Monitor the machine state!
It is necessary that you have control over the machine, i.e. you can see it and thus ensure that it is in a safe
state and that a firmware update can be carried out without endangering the operators or other personnel.
NOTE
Avoid communication interruptions during the download
Please avoid disconnecting the EtherCAT connection while downloading the firmware under any circumstances. If a communication error does occur, the TwinSAFE product may subsequently be unusable and
must be sent to the Beckhoff Service.
WARNING
Default project for TwinSAFE I/O components with local logic function!
After a firmware update, any implemented default project starts automatically. An EK1960, for example,
would start up as a TwinSAFE I/O slave after a firmware update.
NOTE
Firmware update of TwinSAFE logics
If a firmware update is performed for a TwinSAFE logic component, e.g. on a TwinSAFE logic EL6910, the
safety-related user program must be reloaded to the TwinSAFE logic after the update. After the update the
user administration is set to the default settings.
EtherCAT communication
When an EtherCAT component is updated, it is switched to BOOTSTRAP mode. This can have an
effect on the EtherCAT communication with other EtherCAT devices.
EL2912 49Version: 1.0.0
Operation
Performing the firmware update
Click the button (1) in the TwinCAT system to enter Config mode. Confirm the query with OK (2). After that a
further window appears which must be confirmed with Yes (Ja) (3). Deactivate the "Free Run" with No (Nein)
(4). The system is now in Configuration mode.
Fig.35: Firmware update of TwinSAFE products - Part 1
To perform the firmware update, select the "Online" tab (6) for the "EtherCAT Device" (5). If you want to
update several components, you can select the corresponding components (7) together; for individual
components, select only these. Subsequently, click with the right mouse button inside the selected area and
select the command "Firmware Update..." (8) in the command overview.
EL291250 Version: 1.0.0
Operation
Fig.36: Firmware update of TwinSAFE products - Part 2
In the place where you have stored the desired firmware version, select the firmware file (9) and click
"Open" (10). Confirm the window that then opens with "OK" (11); the firmware update is then performed.
After successful completion you must click OK (12) in the concluding "Function Succeeded" window. You
can then switch the system back to Run mode and use the TwinSAFE system.
Fig.37: Firmware update of TwinSAFE products - Part 3
EL2912 51Version: 1.0.0
Appendix
5 Appendix
5.1 Support and Service
Beckhoff and their partners around the world offer comprehensive support and service, making available fast
and competent assistance with all questions related to Beckhoff products and system solutions.
Beckhoff's branch offices and representatives
Please contact your Beckhoff branch office or representative for local support and service on Beckhoff
products!
The addresses of Beckhoff's branch offices and representatives round the world can be found on her internet
pages:
http://www.beckhoff.com
You will also find further documentation for Beckhoff components there.
Beckhoff Headquarters
Beckhoff Automation GmbH & Co. KG
Huelshorstweg 20
33415 Verl
Germany
Phone: +49 5246 963 0
Fax: +49 5246 963 198
e-mail: info@beckhoff.com
Beckhoff Support
Support offers you comprehensive technical assistance, helping you not only with the application of
individual Beckhoff products, but also with other, wide-ranging services:
• support
• design, programming and commissioning of complex automation systems
• and extensive training program for Beckhoff system components
Hotline: +49 5246 963 157
Fax: +49 5246 963 9157
e-mail: support@beckhoff.com
Beckhoff Service
The Beckhoff Service Center supports you in all matters of after-sales service:
• on-site service
• repair service
• spare parts service
• hotline service
Hotline: +49 5246 963 460
Fax: +49 5246 963 479
e-mail: service@beckhoff.com
EL291252 Version: 1.0.0
5.2 Certificates
Appendix
EL2912 53Version: 1.0.0
List of figures
List of figures
Fig. 1 Slot and key system and screwless (spring-loaded) connection system..................................... 8
Fig. 2 Bus Coupler (EtherCAT).............................................................................................................. 9
Fig. 3 Overview of EtherCAT Terminals ................................................................................................ 10
Fig. 4 EL2912 - TwinSAFE terminal with two fail-safe outputs.............................................................. 13
Fig. 5 EL2912 - Dimensions .................................................................................................................. 18
Fig. 6 Delete project data....................................................................................................................... 19
Fig. 7 Spring contacts of Beckhoff I/O components............................................................................... 22
Fig. 8 Installation position and minimum distances ............................................................................... 23
Fig. 9 Thermally unfavorable arrangement of the TwinSAFE terminals ................................................ 24
Fig. 10 Thermally favorable arrangement of the TwinSAFE terminals .................................................... 25
Fig. 11 Installation on the mounting rail................................................................................................... 26
Fig. 12 Removal from mounting rail......................................................................................................... 27
Fig. 13 Connection of a cable to a terminal point .................................................................................... 28
Fig. 14 EL2912 - connection.................................................................................................................... 29
Fig. 15 Max. cable length EL2912 ........................................................................................................... 30
Fig. 16 Cable routing ............................................................................................................................... 30
Fig. 17 Adding an EL2912 ....................................................................................................................... 32
Fig. 18 Address settings on TwinSAFE terminals with 1023 possible addresses ................................... 33
Fig. 19 Starting the automatic import from the I/O configuration ............................................................. 34
Fig. 20 Selection from the I/O tree........................................................................................................... 34
Fig. 21 Creating alias devices by the user............................................................................................... 35
Fig. 22 Linking tab of the alias device...................................................................................................... 35
Fig. 23 Connection tab of the alias device............................................................................................... 36
Fig. 24 EL2912 parameters ..................................................................................................................... 36
Fig. 25 EL2912 process image................................................................................................................ 37
Fig. 26 Typical response time.................................................................................................................. 37
Fig. 27 Worst case response time ........................................................................................................... 38
Fig. 28 EL2912 - Status and diagnostic LEDs......................................................................................... 39
Fig. 29 Diagnostic object: FSLOGIC Status (F100hex) in the process image of the TwinSAFE compo-
nent.............................................................................................................................................. 42
Fig. 30 ESI/XML message text ................................................................................................................ 45
Fig. 31 Startup list.................................................................................................................................... 45
Fig. 32 Diag history.................................................................................................................................. 46
Fig. 33 Diag history – advanced settings................................................................................................. 46
Fig. 34 Unique serial number of a TwinSAFE terminal............................................................................ 48
Fig. 35 Firmware update of TwinSAFE products - Part 1 ........................................................................ 50
Fig. 36 Firmware update of TwinSAFE products - Part 2 ........................................................................ 51
Fig. 37 Firmware update of TwinSAFE products - Part 3 ........................................................................ 51
EL291254 Version: 1.0.0
Loading...