Beckhoff EL2912 Operating Instructions Manual

Operating Instructions for

EL2912

TwinSAFE Terminal with 2 digital fail-safe outputs

Version:
Date:

1.0.0
2019-09-06

Table of contents

Table of contents

1 Foreword ....................................................................................................................................................5

1.1 Notes on the documentation..............................................................................................................5

1.2 Safety instructions .............................................................................................................................6

1.2.1 Delivery state ..................................................................................................................... 6

1.2.2 Operator's obligation to exercise diligence ........................................................................ 6

1.2.3 Description of instructions.................................................................................................. 7

1.3 Documentation issue status ..............................................................................................................7

1.4 Version history of the TwinSAFE product..........................................................................................7

2 System description ...................................................................................................................................8

2.1 The Beckhoff EtherCAT Terminal system .........................................................................................8

2.1.1 EtherCAT Bus Coupler ...................................................................................................... 9

2.1.2 EtherCAT Terminals ........................................................................................................ 10

2.1.3 E-bus ............................................................................................................................... 10

2.1.4 Power contacts ................................................................................................................ 10

2.2 TwinSAFE........................................................................................................................................11

2.2.1 The I/O construction kit is extended safely ...................................................................... 11

2.2.2 Safety concept ................................................................................................................. 11

2.2.3 The fail-safe principle (Fail Stop) ..................................................................................... 12

3 Product description.................................................................................................................................13

3.1 EL2912 - TwinSAFE terminal with two fail-safe outputs..................................................................13

3.2 Intended use....................................................................................................................................14

3.3 Technical data .................................................................................................................................16

3.4 Safety parameters ...........................................................................................................................17

3.5 Safe output ......................................................................................................................................18

3.6 Fuse.................................................................................................................................................18

3.7 Dimensions......................................................................................................................................18

3.8 Using the integrated TwinSAFE Logic functions .............................................................................19

3.9 Project design limits for the EL2912 ................................................................................................19

4 Operation..................................................................................................................................................21

4.1 Environmental conditions ................................................................................................................21

4.2 Installation .......................................................................................................................................21

4.2.1 Safety instructions ........................................................................................................... 21

4.2.2 Transport / storage .......................................................................................................... 21

4.2.3 Mechanical installation..................................................................................................... 21

4.2.4 Electrical installation ........................................................................................................ 27

4.3 Configuration of the terminal in TwinCAT........................................................................................32

4.3.1 Inserting a Bus Coupler ................................................................................................... 32

4.3.2 Inserting a Bus Terminal.................................................................................................. 32

4.3.3 Adding an EL2912 ........................................................................................................... 32

4.3.4 Address settings on TwinSAFE terminals with 1023 possible addresses ....................... 33

4.3.5 Alias devices.................................................................................................................... 34

4.3.6 EL2912 parameters in TwinCAT...................................................................................... 35

4.3.7 EL2912 process image .................................................................................................... 37

EL2912 3Version: 1.0.0

Table of contents

4.4 TwinSAFE reaction times ................................................................................................................37

4.5 Diagnostics ......................................................................................................................................39

4.5.1 Status LEDs..................................................................................................................... 39

4.5.2 Diagnostic LEDs .............................................................................................................. 39

4.5.3 Flash code display ........................................................................................................... 40

4.5.4 Diagnostic objects............................................................................................................ 40

4.5.5 Cycle time of the safety project........................................................................................ 42

4.5.6 Diagnosis History............................................................................................................. 43

4.5.7 Diag History tab ............................................................................................................... 46

4.6 Maintenance ....................................................................................................................................47

4.7 Service life .......................................................................................................................................48

4.8 Decommissioning ............................................................................................................................48

4.9 Firmware update of TwinSAFE products.........................................................................................49

5 Appendix ..................................................................................................................................................52

5.1 Support and Service ........................................................................................................................52

5.2 Certificates.......................................................................................................................................53

EL29124 Version: 1.0.0

Foreword

1 Foreword

1.1 Notes on the documentation

Intended audience

This description is only intended for the use of trained specialists in control and automation engineering who
are familiar with the applicable national standards.

It is essential that the following notes and explanations are followed when installing and commissioning
these components.

The responsible staff must ensure that the application or use of the products described satisfy all the
requirements for safety, including all the relevant laws, regulations, guidelines and standards.

Origin of the document

This documentation was originally written in German. All other languages are derived from the German
original.

Currentness

Please check whether you are using the current and valid version of this document. The current version can
be downloaded from the Beckhoff homepage at http://www.beckhoff.com/english/download/twinsafe.htm.
In case of doubt, please contact Technical Support [}52].

Product features

Only the product features specified in the current user documentation are valid. Further information given on
the product pages of the Beckhoff homepage, in emails or in other publications is not authoritative.

Disclaimer

The documentation has been prepared with care. The products described are subject to cyclical revision. For
that reason the documentation is not in every case checked for consistency with performance data,
standards or other characteristics. We reserve the right to revise and change the documentation at any time
and without prior announcement. No claims for the modification of products that have already been supplied
may be made on the basis of the data, diagrams and descriptions in this documentation.

Trademarks

Beckhoff®, TwinCAT®, EtherCAT®, EtherCATG®, EtherCATG10®, EtherCATP®, SafetyoverEtherCAT®,
TwinSAFE®, XFC®, XTS® and XPlanar® are registered trademarks of and licensed by Beckhoff Automation
GmbH. Other designations used in this publication may be trademarks whose use by third parties for their
own purposes could violate the rights of the owners.

Patent Pending

The EtherCAT Technology is covered, including but not limited to the following patent applications and
patents: EP1590927, EP1789857, EP1456722, EP2137893, DE102015105702 with corresponding
applications or registrations in various other countries.

EL2912 5Version: 1.0.0

Foreword

EtherCAT® and Safety over EtherCAT® are registered trademarks and patented technologies, licensed by
Beckhoff Automation GmbH, Germany.

Copyright

© Beckhoff Automation GmbH & Co. KG, Germany.
The reproduction, distribution and utilization of this document as well as the communication of its contents to
others without express authorization are prohibited.
Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a
patent, utility model or design.

Delivery conditions

In addition, the general delivery conditions of the company Beckhoff Automation GmbH & Co. KG apply.

1.2 Safety instructions

1.2.1 Delivery state

All the components are supplied in particular hardware and software configurations appropriate for the
application. Modifications to hardware or software configurations other than those described in the
documentation are not permitted, and nullify the liability of Beckhoff Automation GmbH & Co. KG.

1.2.2 Operator's obligation to exercise diligence

The operator must ensure that

• the TwinSAFE products are only used as intended (see chapter Product description);

• the TwinSAFE products are only operated in sound condition and in working order.

• the TwinSAFE products are operated only by suitably qualified and authorized personnel.

• the personnel is instructed regularly about relevant occupational safety and environmental protection
aspects, and is familiar with the operating instructions and in particular the safety instructions contained
herein.

• the operating instructions are in good condition and complete, and always available for reference at the
location where the TwinSAFE products are used.

• none of the safety and warning notes attached to the TwinSAFE products are removed, and all notes
remain legible.

EL29126 Version: 1.0.0

1.2.3 Description of instructions

In these operating instructions the following instructions are used.
These instructions must be read carefully and followed without fail!

DANGER

Serious risk of injury!

Failure to follow this safety instruction directly endangers the life and health of persons.

WARNING

Risk of injury!

Failure to follow this safety instruction endangers the life and health of persons.

CAUTION

Personal injuries!

Failure to follow this safety instruction can lead to injuries to persons.

NOTE

Damage to the environment/equipment or data loss

Failure to follow this instruction can lead to environmental damage, equipment damage or data loss.

Foreword

Tip or pointer

This symbol indicates information that contributes to better understanding.

1.3 Documentation issue status

Version Comment

1.0.0 • First release of the documentation

1.4 Version history of the TwinSAFE product

This version history lists the software and hardware version numbers. A description of the changes
compared to the previous version is also given.

Updated hardware and software

TwinSAFE products are subject to a cyclical revision. We reserve the right to revise and change the
TwinSAFE products at any time and without prior notice.
No claims for changes to products already delivered can be asserted from these hardware and/or
software changes.

A description of how a firmware (software) update can be performed can be found in chapter Firmware
update of TwinSAFE products [}49].

Date Software ver-

sion

24.07.2019 01(V01.04) 00 First release of the EL2912

EL2912 7Version: 1.0.0

Hardware
version

Modifications

System description

2 System description

2.1 The Beckhoff EtherCAT Terminal system

The Beckhoff EtherCAT Terminal system is used for decentralized connection of sensors and actuators to a
controller. The components of the Beckhoff EtherCAT Terminal system are mainly used in industrial
automation and building management systems. As a minimum, a bus station consists of an EtherCAT
Coupler and connected EtherCAT Terminals. The EtherCAT Coupler forms the communication interface to
the higher-level controller, while the EtherCAT Terminals form the interface to the sensors and actuators.
The whole bus station is clipped onto a 35mm DIN mounting rail (EN 60715). The mechanical link of the bus
station is established with a slot and key system on EtherCAT Couplers and EtherCAT Terminals.

The sensors and actuators are connected with the terminals via the screwless (spring-loaded) connection
system.

Fig.1: Slot and key system and screwless (spring-loaded) connection system

EL29128 Version: 1.0.0

2.1.1 EtherCAT Bus Coupler

Mechanical data Bus Coupler

Material polycarbonate, polyamide (PA6.6).
Dimensions (W x H x D) 44mm x 100mm x 68mm
Mounting on 35 mm mounting rail (EN60715) with locking
Attachable by double slot and key connection

System description

Fig.2: Bus Coupler (EtherCAT)

Connection technology Bus Coupler

Wiring Spring-loaded system
Connection cross-section 0.08mm² ... 2.5mm², stranded wire, solid wire
Fieldbus connection EtherCAT
Power contacts 3 spring contacts
Current load 10A
Nominal voltage 24V

DC

EL2912 9Version: 1.0.0

System description

2.1.2 EtherCAT Terminals

Mechanical data Bus Terminal

Material polycarbonate, polyamide (PA6.6).
Dimensions (W x H x D) 12mm x 100mm x 68mm or 24mm x 100mm x 68mm
Mounting on 35 mm mounting rail (EN60715) with locking
Attachable by double slot and key connection

Fig.3: Overview of EtherCAT Terminals

Connection technology Bus Terminal

Wiring Spring-loaded system
Connection cross-section typically 0.08mm² – 2.5mm², stranded wire, solid wire
Communication E-bus
Power contacts Up to 3 blade/spring contacts
Current load 10A
Nominal voltage Depending on terminal type (typically 24 VDC)

2.1.3 E-bus

The E-bus is the data path within a terminal strip. The E-bus is led through from the Bus Coupler through all
the terminals via six contacts on the terminals' side walls.

2.1.4 Power contacts

The operating voltage is passed on to following terminals via three power contacts. Terminal strip can be
split into galvanically isolated groups by means of potential supply terminals as required. The supply
terminals play no part in the control of the terminals, and can be inserted at any locations within the terminal
strip.

EL291210 Version: 1.0.0

System description

2.2 TwinSAFE

2.2.1 The I/O construction kit is extended safely

The integrated TwinSAFE safety solution is the logical continuation of the open, PC-based Beckhoff control
philosophy. Due to their modularity and versatility, the TwinSAFE components fit seamlessly into the
Beckhoff control system. The I/O components are available in the formats Bus Terminal, EtherCAT Terminal,
EtherCAT plug-in module and EtherCAT Box.

Thanks to the fieldbus-neutral safety protocol (TwinSAFE/Safety-over-EtherCAT), TwinSAFE devices can be
integrated into any fieldbus system. They are integrated into existing networks with K-bus or EtherCAT and
can be used directly in the machine as IP67 modules. These safety I/Os form the interfaces to the safety­relevant sensors and actuators.

The possibility to transmit the safety-relevant signals over a standard bus system gives rise to substantial
advantages in terms of planning, installation, operation, maintenance, diagnostics and costs.

The safety application is configured or programmed respectively in the TwinCAT software. This application is
then transferred via the bus to a TwinSAFE logic component. These form the heart of the TwinSAFE system.
All safety devices in the system communicate with this logic component. Due to the enormous flexibility of
the system, several TwinSAFE logic components can also be operated simultaneously in a network.

2.2.2 Safety concept

TwinSAFE: Safety and I/O technology in one system

• Extension of the familiar Beckhoff I/O system with TwinSAFE Terminals

• Freely selectable mix of safe and standard signals

• Logic link of the I/Os in the TwinSAFE logic component, e.g. EL6910

• Safety-relevant networking of machines via bus systems

TwinSAFE protocol (FSoE / Safety-over-EtherCAT)

• Transfer of safety-relevant data via any media (“genuine black channel”)

• TwinSAFE communication via fieldbus systems such as EtherCAT, Lightbus, PROFIBUS or Ethernet

• IEC 61508:2010 SIL 3 compliant

TwinCAT software and TwinSAFE editor

• Safety application is configured or programmed in the TwinCAT software

• Certified function blocks such as emergency stop, operation mode, etc.

• simple handling

• Transfer of the application via the bus to the TwinSAFE logic component

TwinSAFE logic component, e.g. EL6910

• Processing of the safety-related application and communication with the TwinSAFE terminals

• No safety requirements for higher-level control system

• TwinSAFE enables a network with up to 65,535 TwinSAFE components.

• TwinSAFE logic component can establish up to 512 connections (TwinSAFE connections).

• Several TwinSAFE logic components can be operated in a network

• Suitable for applications up to SIL 3 according to IEC 61508:2010 and category 4 / PL e according to
ENISO13849-1:2015.

EL2912 11Version: 1.0.0

System description

TwinSAFE I/O components

• The TwinSAFE I/O components are available in the formats Bus Terminal, EtherCAT Terminal,
EtherCAT plug-in module, EtherCAT Box and TwinSAFE Drive option card

• All common safety sensors and actuators can be connected

• Operation with a TwinSAFE logic component

• Typically meet the requirements of IEC 61508:2010 up to SIL 3 and ENISO13849-1:2015 up to
Category 4, PLe. More detailed information can be found in the respective user documentation

2.2.3 The fail-safe principle (Fail Stop)

The basic rule for a safety system such as TwinSAFE is that failure of a part, a system component or the
overall system must never lead to a dangerous condition.

CAUTION

Safe state!

The safe state of the TwinSAFE system is always the switched-off and de-energized state.

EL291212 Version: 1.0.0

Product description

3 Product description

3.1 EL2912 - TwinSAFE terminal with two fail-safe outputs

The EL2912 is a safe output terminal with two fail-safe outputs, each with 2A (24VDC).

The EL2912 meets the requirements of the following standards:

• EN61508:2010(SIL 3)

• EN62061:2005/A2:2015(SILCL3)

• ENISO13849-1:2015(Cat.4,PLe).

The TwinSAFE terminal has the typical design of a 12mm EtherCAT Terminal. The outputs use the voltage
of the power contacts. In addition, the voltage of the power contacts is applied to terminal points 2/6 and 3/7.
The terminal points GND1, GND2 and GND UP (terminal points 3/7) are directly connected internally.

Fig.4: EL2912 - TwinSAFE terminal with two fail-safe outputs

EL2912 13Version: 1.0.0

Product description

3.2 Intended use

WARNING

Caution - Risk of injury!

TwinSAFE components may only be used for the purposes described below!

The TwinSAFE Terminals expand the application area of Beckhoff Bus Terminal system with functions that
enable them to be used for machine safety applications. The TwinSAFE Terminals are designed for machine
safety functions and directly associated industrial automation tasks. They are therefore only approved for
applications with a defined fail-safe state. This safe state is the switched-off and de-energized state. Fail­safety according to the relevant standards is required.

The TwinSAFE I/O components allow the connection of:

• 24VDC sensors such as
emergency stop push-buttons, rope pull switches, position switches, two-hand switches, safety
switching mats, light curtains, light barriers, laser scanners, etc.

• 24VDC actuators such as
contactors, protective door switches with tumbler, signal lamps, servo drives, etc.

Test pulses

When selecting actuators please ensure that the test pulses of the TwinSAFE component do not
lead to switching of the actuator or a diagnostic message of the TwinSAFE component.

The following TwinSAFE components were developed for these tasks:

• The EL1904 is an EtherCAT Terminal with 4 digital fail-safe inputs

• The EL2904 is an EtherCAT Terminal with 4 digital fail-safe outputs

• The EL6910 is an EtherCAT Terminal with integrated TwinSAFE logic

These TwinSAFE components are suitable for operation on the

• Beckhoff EKxxxx series Bus Couplers

• Beckhoff CXxxxx series Embedded PCs with E-bus connection

WARNING

System limits

The TÜV SÜD certificate applies to this TwinSAFE component, the function blocks available in it, the docu­mentation and the engineering tool. TwinCAT 3.1 and the TwinSAFE Loader are permitted as engineering
tools. Any deviations from these procedures or tools, particularly externally generated xml files for Twin­SAFE import or externally generated automatic project creation procedures, are not covered by the certifi­cate.

WARNING

Power supply from SELV/PELV power supply unit!

The TwinSAFE components must be supplied with 24VDC by an SELV/PELV power supply unit with an out­put voltage limit U

of 36VDC. Failure to observe this can result in a loss of safety.

max

WARNING

Commissioning test

Before the EL2912 can be used for safety-related tasks, a commissioning test must be carried out by the
user so that faulty sensor wiring can be ruled out.

EL291214 Version: 1.0.0

Product description

CAUTION

Follow the machinery directive!

The TwinSAFE components may only be used in machines as defined in the machinery directive.

CAUTION

Ensure traceability!

The buyer has to ensure the traceability of the device via the serial number.

EL2912 15Version: 1.0.0

Product description

3.3 Technical data

Product designation EL2912

Number of outputs 2
Status display 4 (one green and one red LED for each output)
Fault response time ≤ watchdog times
Output current per channel max. 2A (at 24VDC)
Actuators When selecting actuators please ensure that the EL2912 test

Cable length between actuator and terminal unshielded max. 100m

Wire cross-section min. 0.75mm
Input process image 6bytes
Output process image 6bytes
Supply voltage of the EL2912 (SELV/PELV) 24VDC (–15%/+20%)

Current consumption via E-bus approx. 200mA
Power dissipation of the terminal typically 1.7W
Electrical isolation (between the channels) no
Electrical isolation (between the channels and the E-bus) yes
Insulation voltage (between the channels and the E-bus, under com-

mon operating conditions)
Dimensions (WxHxD) 12 mm x 100 mm x 68 mm
Weight approx.55g
Permissible ambient temperature (operation)

Permissible ambient temperature (transport/storage) -40°C to +85°C
Permissible air humidity 5% to 95%, non-condensing
Permissible air pressure (operation/storage/transport) 750hPa to 1100hPa

Climate category according to EN60721-3-3 3K3

Permissible level of contamination
according to EN 60664-1

Inadmissible operating conditions TwinSAFE Terminals must not be used under the following oper-

EMC immunity/emission conforms to EN61000-6-2/ EN61000-6-4 (EMC ZoneB)
Vibration resistance conforms to EN60068-2-6

Shock resistance conforms to EN60068-2-27

Protection class IP20
Permitted operating environment In the control cabinet or terminal box, with minimum protection

Correct installation position
Approvals CE, TÜV SÜD

pulses do not lead to actuator switching.

shielded max. 100m

(A 10A fuse should be provided for the potential group)

Insulation tested with 500V

-25°C to +55°C (note chapter Temperature measurement
[}23])

(this corresponds to an altitude of approx. -690m to 2450m
above sea level, assuming an international standard atmos­phere)

(the deviation from 3K3 is possible only with optimal environmen­tal conditions and also applies only to the technical data which
are specified differently in this documentation)

level of contamination 2
(note chapter Maintenance [}47])

ating conditions:

• under the influence of ionizing radiation (exceeding the

• in corrosive environments

• in an environment that leads to unacceptable soiling of

5 Hz ≤ f < 8.4 Hz (3.5 mm peak)

8.4 Hz ≤ f < 150 Hz (10 m/s2 peak)

15g with pulse duration 11ms in all three axes

class IP54 according to IEC60529
see chapter Installation position and minimum distances [}22]

2

DC

natural background radiation)

the Bus Terminal

EL291216 Version: 1.0.0

Product description

Derating table for altitudes above 2000m

The derating table (table 8) from the IEC61131-2:2017 standard can be referred to for the use of the
TwinSAFE components above the specified maximum altitude.

Altitude in m Derating factor for the temperature

0 to 2000

2

1.0

1

3000 0.9
4000 0.8
5000 0.7
Note: Linear interpolation is permissible between the altitudes

1)

Ambient temperature of the device at an altitude of 2000m

2)

The air pressure and air density increase as the altitude decreases. Therefore the derating factor for 0 to

2000 m (1.0) is used for altitudes below sea level.

Calculation example

In the following example the calculation is performed for a TwinSAFE component at an operating altitude of
4000m.

Permissible ambient temperature up to 2000 m above sea level = 55°C

Permissible ambient temperature up to 4000m above sea level = 55°C * 0.8 = 44°C

CAUTION

Compliance with the temperature limits

The TwinSAFE component has a maximum internal temperature at which a switch-off takes place. This is
designed for the maximum permissible ambient temperature. If the derating factor for the temperature for
higher altitudes is used, the user is solely responsible for ensuring that the calculated maximum ambient
temperature is complied with.

3.4 Safety parameters

Characteristic numbers EL2912

Lifetime [a] 20
Prooftest Interval [a] not required
PFH

D

2.88 E-09
PFD 2.55 E-05
MTTF

D

high
DC high
Performance level PL e
Category 4
HFT 1
Element classification

1)

No special proof tests are required during the entire service life of the EL2912.

2)

Classification according to IEC 61508-2:2010 (chapter 7.4.4.1.2 and 7.4.4.1.3)

2

Type B

1

The EL2912 EtherCAT Terminal can be used for safety-related applications within the meaning of
EN61508:2010 up to SIL3 and ENISO13849-1:2015 up to PL e (Cat4).

Further information on calculating or estimating the MTTFD value from the PFHD value can be found in the
TwinSAFE Application Guide or in ENISO13849-1:2015, TableK.1.

In terms of safety-related parameters, the Safety-over-EtherCAT communication is already considered with
1% of SIL3 according to the protocol specification.

EL2912 17Version: 1.0.0