Page 1
Operation Manual for
EL6910
TwinSAFE Logic Terminal
Version:
Date:
1.8.0
2019-01-09
Page 2
Page 3
Table of contents
Table of contents
1 Foreword ....................................................................................................................................................5
1.1 Notes on the documentation..............................................................................................................5
1.2 Safety instructions .............................................................................................................................6
1.2.1 Delivery state ..................................................................................................................... 6
1.2.2 Operator's obligation to exercise diligence ........................................................................ 6
1.2.3 Description of safety symbols ............................................................................................ 7
1.3 Documentation issue status ..............................................................................................................8
1.4 Version history of the TwinSAFE product..........................................................................................9
1.5 References ......................................................................................................................................10
2 TwinSAFE System Description ..............................................................................................................11
2.1 Extension of the Beckhoff I/O system with safety functions ............................................................11
2.2 Safety concept.................................................................................................................................11
3 Product description.................................................................................................................................12
3.1 EL6910 - TwinSAFE logic terminal..................................................................................................12
3.2 Intended use....................................................................................................................................13
3.3 Technical data .................................................................................................................................15
3.4 Safety parameters ...........................................................................................................................16
3.5 Dimensions......................................................................................................................................17
4 Operation..................................................................................................................................................18
4.1 Environmental conditions ................................................................................................................18
4.2 Installation .......................................................................................................................................18
4.2.1 Safety instructions ........................................................................................................... 18
4.2.2 Transport / storage .......................................................................................................... 18
4.2.3 Mechanical installation..................................................................................................... 18
4.2.4 Electrical installation ........................................................................................................ 25
4.2.5 TwinSAFE reaction times ................................................................................................ 28
4.3 Operation in potentially explosive atmospheres (ATEX) .................................................................30
4.3.1 Special conditions............................................................................................................ 30
4.3.2 Identification..................................................................................................................... 30
4.3.3 Date code and serial number........................................................................................... 31
4.3.4 Further ATEX documentation .......................................................................................... 31
4.4 Configuration of the terminal in TwinCAT........................................................................................32
4.4.1 Configuration requirements ............................................................................................. 32
4.4.2 Adding an EtherCAT coupler .......................................................................................... 32
4.4.3 Adding an EtherCAT Terminal......................................................................................... 32
4.4.4 Adding an EL6910 ........................................................................................................... 32
4.4.5 Address settings on TwinSAFE terminals with 1023 possible addresses ....................... 34
4.4.6 Creating a safety project in TwinCAT3 ........................................................................... 35
4.4.7 Downloading the safety application ................................................................................. 63
4.4.8 Online Mode .................................................................................................................... 67
4.4.9 New features in TC3.1 Build 4022 ................................................................................... 70
4.5 Info Data ..........................................................................................................................................89
4.5.1 Info data for the connection ............................................................................................ 89
EL6910 3Version: 1.8.0
Page 4
Table of contents
4.5.2 Info data for function blocks............................................................................................. 91
4.5.3 Info data for the TwinSAFE group ................................................................................... 92
4.5.4 Info data for the device .................................................................................................... 93
4.6 Version history.................................................................................................................................93
4.7 User Administration .........................................................................................................................94
4.8 Backup/Restore ...............................................................................................................................97
4.9 Export/import of the safety project.................................................................................................100
4.10 Diag History tab .............................................................................................................................102
4.11 Configuration of the PROFIsafe slave...........................................................................................103
4.11.1 Configuration of the slave connection in the PROFIsafe master software .................... 105
4.11.2 Configuration of the PROFINET device......................................................................... 106
4.11.3 Sample program for parameterizationIn the following sample program the parameter data
are received, stored in the PLC as persistent data, resent to the EL6910 whenever the
device starts up, and stored in CoE object 0x8005. ...................................................... 107
4.12 Configuration of the PROFIsafe master ........................................................................................109
4.12.1 Valid PROFIsafe configurations..................................................................................... 111
4.12.2 Invalid PROFIsafe configurations .................................................................................. 112
4.13 TwinSAFE SC configuration ..........................................................................................................113
4.14 Customizing / disabling TwinSAFE groups....................................................................................117
4.15 Saving the analog group inputs persistently..................................................................................120
4.16 Project design limits of EL6910/EJ6910........................................................................................121
4.17 Sync-Manager Configuration.........................................................................................................121
4.18 Diagnostics ....................................................................................................................................124
4.18.1 Diagnostic LEDs ............................................................................................................ 124
4.18.2 Status LEDs................................................................................................................... 125
4.18.3 Diagnostic objects.......................................................................................................... 126
4.18.4 Cycle time of the safety project...................................................................................... 127
4.19 Diagnosis History...........................................................................................................................127
4.20 Maintenance ..................................................................................................................................130
4.21 Service life .....................................................................................................................................131
4.22 Decommissioning ..........................................................................................................................131
4.23 Firmware update of TwinSAFE products.......................................................................................132
5 Appendix ................................................................................................................................................135
5.1 Support and Service ......................................................................................................................135
5.2 Certificates.....................................................................................................................................136
5.2.1 EN 81-20, EN 81-22 and EN 81-50 ............................................................................... 138
EL69104 Version: 1.8.0
Page 5
Foreword
1 Foreword
1.1 Notes on the documentation
Intended audience
This description is only intended for the use of trained specialists in control and automation engineering who
are familiar with the applicable national standards.
It is essential that the following notes and explanations are followed when installing and commissioning
these components.
The responsible staff must ensure that the application or use of the products described satisfy all the
requirements for safety, including all the relevant laws, regulations, guidelines and standards.
Origin of the document
This documentation was originally written in German. All other languages are derived from the German
original.
Currentness
Please check whether you are using the current and valid version of this document. The current version can
be downloaded from the Beckhoff homepage at http://www.beckhoff.com/english/download/twinsafe.htm.
In case of doubt, please contact Technical Support [}135].
Product features
Only the product features specified in the current user documentation are valid. Further information given on
the product pages of the Beckhoff homepage, in emails or in other publications is not authoritative.
Disclaimer
The documentation has been prepared with care. The products described are subject to cyclical revision. For
that reason the documentation is not in every case checked for consistency with performance data,
standards or other characteristics. We reserve the right to revise and change the documentation at any time
and without prior announcement. No claims for the modification of products that have already been supplied
may be made on the basis of the data, diagrams and descriptions in this documentation.
Trademarks
Beckhoff®, TwinCAT®, EtherCAT®, EtherCATP®, SafetyoverEtherCAT®, TwinSAFE®, XFC® and XTS® are
registered trademarks of and licensed by Beckhoff Automation GmbH.
Other designations used in this publication may be trademarks whose use by third parties for their own
purposes could violate the rights of the owners.
Patent Pending
The EtherCAT Technology is covered, including but not limited to the following patent applications and
patents: EP1590927, EP1789857, DE102004044764, DE102007017835 with corresponding applications or
registrations in various other countries.
The TwinCAT Technology is covered, including but not limited to the following patent applications and
patents: EP0851348, US6167425 with corresponding applications or registrations in various other countries.
EL6910 5Version: 1.8.0
Page 6
Foreword
EtherCAT® and Safety over EtherCAT® are registered trademarks and patented technologies, licensed by
Beckhoff Automation GmbH, Germany.
Copyright
© Beckhoff Automation GmbH & Co. KG, Germany.
The reproduction, distribution and utilization of this document as well as the communication of its contents to
others without express authorization are prohibited.
Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a
patent, utility model or design.
Delivery conditions
In addition, the general delivery conditions of the company Beckhoff Automation GmbH & Co. KG apply.
1.2 Safety instructions
1.2.1 Delivery state
All the components are supplied in particular hardware and software configurations appropriate for the
application. Modifications to hardware or software configurations other than those described in the
documentation are not permitted, and nullify the liability of Beckhoff Automation GmbH & Co. KG.
1.2.2 Operator's obligation to exercise diligence
The operator must ensure that
• the TwinSAFE products are only used as intended (see chapter Product description);
• the TwinSAFE products are only operated in sound condition and in working order.
• the TwinSAFE products are operated only by suitably qualified and authorized personnel.
• the personnel is instructed regularly about relevant occupational safety and environmental protection
aspects, and is familiar with the operating instructions and in particular the safety instructions contained
herein.
• the operating instructions are in good condition and complete, and always available for reference at the
location where the TwinSAFE products are used.
• none of the safety and warning notes attached to the TwinSAFE products are removed, and all notes
remain legible.
EL69106 Version: 1.8.0
Page 7
1.2.3 Description of safety symbols
In these operating instructions the following instructions are used.
These instructions must be read carefully and followed without fail!
DANGER
Serious risk of injury!
Failure to follow this safety instruction directly endangers the life and health of persons.
WARNING
Risk of injury!
Failure to follow this safety instruction endangers the life and health of persons.
CAUTION
Personal injuries!
Failure to follow this safety instruction can lead to injuries to persons.
NOTE
Damage to the environment/equipment or data loss
Failure to follow this instruction can lead to environmental damage, equipment damage or data loss.
Foreword
Tip or pointer
This symbol indicates information that contributes to better understanding.
EL6910 7Version: 1.8.0
Page 8
Foreword
1.3 Documentation issue status
Version Comment
1.8.0 • Description Multiple Download added
• Note added to Project Settings
• Description of mounting rail installation updated
1.7.0 • Note added to Customizing
• Description of firmware update added
• Version history of the TwinSAFE product added
• Note EN81 updated
• Foreword updated
• Safety instructions adapted to IEC 82079-1.
1.6.0 • Description of the new features in TwinCAT 3.1 Build 4022 added
• Notes for the extension of certificates with EN 81-20, EN 81-22 and EN 81-50 added
• Notes on diagnostic history added
• Project planning limits updated
• Notes on the arrangement of TwinSAFE components added
• References and note for info data added
1.5.0 • Explanatory text and sequence chart added under Backup/Restore
• Explanatory text for input and output process image added
• Description added to Sync Manager configuration
• TwinSAFE SC description updated
1.4.1 • Technical data for permissible air pressure expanded
1.4.0 • User administration screenshots updated
• State and Diag of the TwinSAFE group updated
• Type examination certificate added
1.3.0 • Screenshots updated
• Certificate added
1.2.0 • Standards reference updated
• Safety parameters updated
1.1.0 • Description of diagnostic object 0xFEA0 expanded
1.0.0 • First released version
• Backup/Restore description expanded
EL69108 Version: 1.8.0
Page 9
Foreword
Version Comment
0.5.0 • Descriptions of external connections, properties of FB ports, parameterization of Alias Devices,
Variable Mapping and Customizing updated
0.4.0 • Description of the group sequence added
• Check Safe Addresses description added
0.3.0 • System description added
0.2.0 • Screenshots for TwinCAT release adapted
• Description of info data revised
• LED description added
0.1.0 • Migration and structural adaptation
0.0.7 • System description updated
0.0.6 • Online View extended
0.0.5 • TwinSAFE group description extended
0.0.4 • PROFIsafe master/slave description extended
0.0.3 • Customizing extended
0.0.2 • Creating network and group descriptions
0.0.1 • Creation of the document
1.4 Version history of the TwinSAFE product
This version history lists the software and hardware version numbers. A description of the changes
compared to the previous version is also given.
Updated hardware and software
TwinSAFE products are subject to a cyclical revision. We reserve the right to revise and change the
TwinSAFE products at any time and without prior notice.
No claims for changes to products already delivered can be asserted from these hardware and/or
software changes.
A description of how a firmware (software) update can be performed can be found in chapter Firmware
update of TwinSAFE products [}132].
Date Software ver-
sion
25.01.2017 01 00 First release
06.02.2017 02 00 • Time stamp of diag messages optimized
03.08.2018 03 00 • Swapping of data bytes for PROFIsafe implemented
Hardware
version
Modifications
• Revision display implemented
• Update of the CoE Online display
• Optimization in case of communication errors at low
temperatures
• FB Muting: After an FB error in Backwards mode, the FB
error can be acknowledged without restarting the TwinSAFE
group.
• An error acknowledgement is now required after a user has
logged into the logic without deleting the project.
EL6910 9Version: 1.8.0
Page 10
Foreword
1.5 References
No Version Title / description
[1] 3.1.0 or newer Documentation – TwinSAFE Logic FB
This document describes the safety-related function blocks that are
available in the TwinSAFE Logic and form the safety-related application.
[2] 1.8.0 or newer TwinSAFE Application Guide
The application guide provides the user with examples for the calculation of
safety parameters for safety functions according to the standards DIN EN
ISO 13849-1 and EN 62061 or EN 61508:2010 (if applicable), such as are
typically used on machines.
EL691010 Version: 1.8.0
Page 11
TwinSAFE System Description
2 TwinSAFE System Description
2.1 Extension of the Beckhoff I/O system with safety functions
The TwinSAFE products from Beckhoff enable convenient expansion of the Beckhoff I/O system with safety
components, and integration of all the cabling for the safety circuit within the existing fieldbus cable. Safe
signals can be mixed with standard signals as required. The transfer of safety-related TwinSAFE telegrams
is handled by the standard controller. Maintenance is simplified significantly thanks to faster diagnosis and
simple replacement of components.
The following basic functionalities are included in the TwinSAFE components:
digital inputs (e.g. EL19xx, EP1908), digital outputs (e.g. EL29xx), drive components (e.g. AX5805) and logic
units (e.g. EL6900, EL6910). For a large number of applications, the complete safety sensor and actuator
technology can be wired on these components. The required logical link of the inputs and the outputs is
handled by the EL69xx. In addition to Boolean operations, the EL6910 now also enables analog operations.
2.2 Safety concept
TwinSAFE: Safety and I/O technology in one system
• Extension of the familiar Beckhoff I/O system with TwinSAFE components
• Safe and non-safe components can be combined as required
• Logical link of the I/Os in the EL69xx TwinSAFE logic terminal
• Suitable for applications up to SIL3 according to EN61508:2010 and Cat4, PLe according to
DINENISO13849-1:2016-06
• Safety-relevant networking of machines via bus systems
• In the event of an error, all TwinSAFE components always switch to the wattless and therefore safe
state
• No safety requirements for the higher-level standard TwinCAT system
Safety over EtherCAT protocol (FSoE)
• Transfer of safety-relevant data via any media (“genuine black channel”)
• TwinSAFE communication via fieldbus systems such as EtherCAT, Lightbus, PROFIBUS, PROFINET
or Ethernet
• IEC 61508:2010 SIL 3 compliant
• FSoE is IEC standard (IEC 61784-3-12) and ETG standard (ETG.5100)
Fail-safe principle (fail stop)
The basic rule for a safety system such as TwinSAFE is that failure of a part, a system component or the
overall system must never lead to a dangerous condition. The safe state is always the switched off and
wattless state.
CAUTION
Safe state
For all TwinSAFE components the safe state is always the switched-off, wattless state.
EL6910 11Version: 1.8.0
Page 12
Product description
3 Product description
3.1 EL6910 - TwinSAFE logic terminal
The TwinSAFE Logic terminal is the link unit between the TwinSAFE inputs and outputs.
The EL6910 meets the requirements of EN62061:2005/A2:2015 and EN61508:2010SIL3, EN81-20:2014,
EN81-22:2014, EN81-50:2014 and ENISO13849-1:2015 (Cat4,PLe).
Fig.1: EL6910 - TwinSAFE Logic terminal
EL691012 Version: 1.8.0
Page 13
Product description
3.2 Intended use
WARNING
Caution - Risk of injury!
TwinSAFE components may only be used for the purposes described below!
The TwinSAFE terminals expand the application range of Beckhoff Bus Terminal system with functions that
enable them to be used for machine safety applications. The TwinSAFE terminals are designed for machine
safety functions and directly associated industrial automation tasks. They are therefore only approved for
applications with a defined fail-safe state. This safe state is the wattless state. Fail-safety according to the
relevant standards is required.
The EL6910 TwinSAFE Logic terminal is suitable for operation at the
• Beckhoff Bus Couplers, EK1xxx series
• Beckhoff CXxxxx series Embedded PCs with E-bus connection
WARNING
System limits
The TÜV SÜD certificate applies to the EL6910, the function blocks available in it, the documentation and
the engineering tool. Approved engineering tools are TwinCAT 3.1, TwinSAFE Loader and CODESYS
Safety for EtherCAT Safety Module. Any deviations from these procedures or tools, particularly externally
generated xml files for TwinSAFE import or externally generated automatic project creation procedures, are
not covered by the certificate.
WARNING
Power supply from SELV/PELV power supply unit!
The TwinSAFE components must be supplied with 24VDC by an SELV/PELV power supply unit with an output voltage limit U
of 36VDC. Failure to observe this can result in a loss of safety.
max
CAUTION
Follow the machinery directive!
The TwinSAFE components may only be used in machines as defined in the machinery directive.
CAUTION
Ensure traceability!
The buyer has to ensure the traceability of the device via the serial number.
EL6910 13Version: 1.8.0
Page 14
Product description
CAUTION
Note on approval according to EN 81-20, EN 81-22 and EN 81-50
• The TwinSAFE components may only be used in machines that have been designed and installed in accordance with the requirements of the EN60204-1 standard.
• Provide a surge filter for the supply voltage of the TwinSAFE components against overvoltages. (Reduction to overvoltage category II)
• EN81 requires that in the case of devices with internal temperature monitoring, a stop must be reached
in the event of an overtemperature. In this case, passengers must be able to disembark (see EN81-20
chapter 5.10.4.3, for example). To ensure this, application measures are necessary. The internal terminal temperature of the TwinSAFE components can be read out by the user. There is a direct switch-off at
the maximum permissible temperature of the respective TwinSAFE component (see chapter Temperature measurement).
The user must select a temperature threshold below the maximum temperature such that a stop can be
reached in all cases before the maximum temperature is reached. Information on the optimum terminal
configuration can be found under Notes on the arrangement of TwinSAFE components and under Example configuration for temperature measurement.
• For the use of the TwinSAFE components according to EN81-22 and EN81-50, the conditions described in the manuals for achieving category4 according to ENISO13849-1:2015 must be observed.
• The use of TwinSAFE components is limited to indoor applications.
• Basic protection against direct contact must be provided, either by fulfilling protection class IP2X or by
installing the TwinSAFE components in a control cabinet which corresponds at least to protection class
IP54 according to EN60529.
• The ambient conditions regarding temperature, humidity, heat dissipation, EMC and vibrations, as specified in the operating instructions under technical data, must be observed.
• The operating conditions in potentially explosive atmospheres (ATEX) are specified in the operating instructions.
• The safe state (triggering) of the application must be the de-energized state. The safe state of the TwinSAFE components is always the de-energized, switched-off state, and this cannot be changed.
• The service life specified in the operating instructions must be observed.
• If the TwinSAFE component is operated outside the permissible temperature range, it changes to
"Global Shutdown" state.
• The TwinSAFE components must be installed in a control cabinet with protection class IP54 according to
EN60529, so that the requirement for contamination level3 according to EN60664-1 can be reduced to
level2.
• The TwinSAFE components must be supplied by a SELV/PELV power supply unit with a maximum voltage of U
<=36VDC.
max
EL691014 Version: 1.8.0
Page 15
Product description
3.3 Technical data
Product designation EL6910
Number of inputs 0
Number of outputs 0
Status display 4 diagnostic LEDs
Minimum/maximum cycle time approx. 1 ms / according the project size
Fault response time ≤ watchdog times
Watchdog time min. 2ms, max. 60000ms
Input process image Dynamic, according to the TwinSAFE configuration in TwinCAT3
Output process image Dynamic, according to the TwinSAFE configuration in TwinCAT3
Supply voltage (SELV/PELV) 24VDC (–15%/+20%)
Current consumption via E-bus approx. 160mA
Power dissipation of the terminal typically 1W
Dimensions (WxHxD) 12mmx100mmx68mm
Weight approx.50g
Permissible ambient temperature (operation)
Permissible ambient temperature (transport/storage) -40°C to +70°C
Permissible air humidity 5% to 95%, non-condensing
Permissible air pressure (operation/storage/transport) 750hPa to 1100hPa
Climate category according to EN 60721-3-3 3K3
Permissible level of contamination according to EN60664-1
Inadmissible operating conditions TwinSAFE Terminals must not be used under the following operat-
Vibration / shock resistance conforms to EN60068-2-6/ EN60068-2-27
EMC immunity/emission conforms to EN61000-6-2/ EN61000-6-4
Shocks 15g with pulse duration 11ms in all three axes
Protection class IP20
Permitted operating environment In the control cabinet or terminal box, with minimum protection
correct installation position
Approvals CE, cULus, TÜVSÜD
-25°C to +55°C (see notes in section Sample configuration for
temperature measurement [}20])
(this corresponds to an altitude of approx. -690m to 2450m above
sea level, assuming an international standard atmosphere)
(the deviation from 3K3 is possible only with optimal environmental
conditions and also applies only to the technical data which are
specified differently in this documentation)
Contamination level 2 (note chapter Maintenance [}130])
ing conditions:
• under the influence of ionizing radiation (exceeding the
natural background radiation)
• in corrosive environments
• in an environment that leads to unacceptable soiling of the
Bus Terminal
class IP54 according to IEC60529
see chapter Installation position and minimum distances [}19]
EL6910 15Version: 1.8.0
Page 16
Product description
3.4 Safety parameters
Characteristic numbers EL6910
Lifetime [a] 20
Proof test interval [a] not required
PFH
D
%SIL3 of PFH
PFD
avg
%SIL3 of PFD
MTTF
DC high
Performance level PLe
Category 4
HFT 1
Classification element
1. Special proof tests are not required during the entire service life of the EL6910 EtherCAT Terminal.
2. Classification according to IEC61508-2:2010 (see chapters 7.4.4.1.2 and 7.4.4.1.3)
D
avg
D
2)
1.79E-09
1.79%
2.54E-05
2.54%
high
Type B
The EL6910 EtherCAT Terminal can be used for safety-related applications according to IEC62061 and
IEC61508:2010 up to SIL3 and ENISO13849-1:2015 up to PLe(Cat4).
1)
Further information on calculating or estimating the MTTFD value from the PFHD value can be found in the
TwinSAFE Application Guide or in ENISO13849-1:2015, TableK.1.
In terms of safety-related parameters, the Safety-over-EtherCAT communication is already considered with
1% of SIL3 according to the protocol specification.
EL691016 Version: 1.8.0
Page 17
3.5 Dimensions
Product description
Fig.2: Dimensions of the EL6910
Width: 12 mm (side-by-side installation)
Height: 100 mm
Depth: 68 mm
EL6910 17Version: 1.8.0
Page 18
Operation
4 Operation
4.1 Environmental conditions
Please ensure that the TwinSAFE components are only transported, stored and operated under the specified
conditions (see technical data)!
WARNING
Risk of injury!
The TwinSAFE components must not be used under the following operating conditions.
• under the influence of ionizing radiation (that exceeds the level of the natural environmental radiation)
• in corrosive environments
• in an environment that leads to unacceptable soiling of the TwinSAFE component
NOTE
Electromagnetic compatibility
The TwinSAFE components comply with the current standards on electromagnetic compatibility with regard
to spurious radiation and immunity to interference in particular.
However, in cases where devices such as mobile phones, radio equipment, transmitters or high-frequency
systems that exceed the interference emissions limits specified in the standards are operated near TwinSAFE components, the function of the TwinSAFE components may be impaired.
4.2 Installation
4.2.1 Safety instructions
Before installing and commissioning the TwinSAFE components please read the safety instructions in the
foreword of this documentation.
4.2.2 Transport / storage
Use the original packaging in which the components were delivered for transporting and storing the
TwinSAFE components.
CAUTION
Note the specified environmental conditions
Please ensure that the digital TwinSAFE components are only transported and stored under the specified
environmental conditions (see technical data).
4.2.3 Mechanical installation
DANGER
Risk of injury!
Bring the bus system into a safe, de-energized state before starting installation, disassembly or wiring of
the devices!
EL691018 Version: 1.8.0
Page 19
Operation
4.2.3.1 Control cabinet / terminal box
The TwinSAFE terminals must be installed in a control cabinet or terminal box with IP54 protection class
according to IEC60529 as a minimum.
4.2.3.2 Installation position and minimum distances
For the prescribed installation position the mounting rail is installed horizontally and the mating surfaces of
the EL/KL terminals point toward the front (see illustration below). The terminals are ventilated from below,
which enables optimum cooling of the electronics through convection. The direction indication “down”
corresponds to the direction of positive acceleration due to gravity.
Fig.3: Installation position and minimum distances
In order to ensure optimum convection cooling, the distances to neighboring devices and to control cabinet
walls must not be smaller than those shown in the diagram.
EL6910 19Version: 1.8.0
Page 20
Operation
4.2.3.3 Sample configuration for temperature measurement
Fig.4: Sample configuration for temperature measurement
The sample configuration for the temperature measurement consists of an EK1100 EtherCAT coupler with
connected terminals that match the typical distribution of digital and analog signal types at a machine. On the
EL6910 a safety project is active, which reads safe inputs and enables all 4 safe outputs during the
measurement.
External heat sources / radiant heat / impaired convection
The maximum permissible ambient temperature of 55°C was checked with the above sample configuration. Impaired convection, an unfavorable location near heat sources or an unfavorable configuration of the EtherCAT Terminals may result in overheating of the terminals.
The key parameter is always the maximum permitted internally measured temperature of 95°C,
above which the TwinSAFE terminals switch to safe state and report an error. The internal temperature can be read from the TwinSAFE components via CoE.
EL691020 Version: 1.8.0
Page 21
Operation
4.2.3.4 Installation on mounting rails
WARNING
Risk of electric shock and damage of device!
Bring the bus terminal system into a safe, powered down state before starting installation, disassembly or
wiring of the Bus Terminals!
Mounting
Fig.5: Installation on the mounting rail
The Bus Couplers and Bus Terminals are attached to commercially available 35mm mounting rails (DIN rail
according to EN60715) by applying slight pressure:
1. First attach the Fieldbus Coupler to the mounting rail.
2. The Bus Terminals are now attached on the right-hand side of the Fieldbus Coupler. Join the components with slot and key and push the terminals against the mounting rail, until the lock clicks onto the
mounting rail.
If the terminals are clipped onto the mounting rail first and then pushed together without slot and key,
the connection will not be operational! When correctly assembled, no significant gap should be visible
between the housings.
Fastening of mounting rails
The locking mechanism of the terminals and couplers protrudes into the profile of the mounting rail.
When installing the components, make sure that the locking mechanism doesn't come into conflict
with the fixing bolts of the mounting rail. For fastening mounting rails with a height of 7.5mm under
the terminals and couplers, use flat fastening components such as countersunk head screws or
blind rivets.
EL6910 21Version: 1.8.0
Page 22
Operation
Disassembly
Fig.6: Removal from mounting rail
Each terminal is secured by a lock on the mounting rail, which must be released for disassembly:
1. Pull down the terminal at its orange-colored straps from the mounting rail by approx. 1 cm. The rail
locking of this terminal is automatically released, and you can now pull the terminal out of the Bus Terminal block with little effort.
2. To do this, grasp the unlocked terminal simultaneously at the top and bottom of the housing surfaces
with your thumb and index finger and pull it out of the Bus Terminal block.
EL691022 Version: 1.8.0
Page 23
Operation
4.2.3.5 Notes on the arrangement of TwinSAFE components
The following notes show favorable and unfavorable arrangement of the terminals in relation to thermal
aspects. Components with higher waste heat are marked with a red symbol and components with low
waste heat with a blue symbol .
EtherCAT coupler EK11xx and power supply terminal EL9410
The more terminals are connected behind an EtherCAT coupler or a power supply terminal, the higher is the
E-Bus current, which must be supplied by their power supply units. As the current increases, the waste heat
of the power supply units is also increased..
EL69x0
The EL69x0 has a rather high waste heat because it has a high internal clock and high logic power.
EL2904
The EL2904 has a rather high waste heat, due to the possibly high output current of the connected
actuators.
EL1904
Even the EL1904 has a rather high waste heat, although the external load by clock outputs and safe inputs is
rather low.
EL6910 23Version: 1.8.0
Page 24
Operation
Thermally unfavorable arrangement of the TwinSAFE terminals
The following structure is rather unfavorable, since terminals with rather high waste heat are connected
directly to couplers or power supply terminals with high E-Bus load. The additional external heating of the
TwinSAFE terminals by the adjacent power supply units increases the internal terminal temperature, which
can lead to the maximum permissible temperature being exceeded. This leads to a diagnosis message
"overtemperature”.
Fig.7: Thermally unfavorable arrangement of the TwinSAFE terminals
EL691024 Version: 1.8.0
Page 25
Operation
Thermally favorable arrangement of the TwinSAFE terminals
The following structure is thermally favorable, since between the coupler / power supply terminal and
terminals with rather high waste heat, terminals with low current consumption and thus rather low waste heat
are placed.
Fig.8: Thermally favorable arrangement of the TwinSAFE terminals
4.2.4 Electrical installation
4.2.4.1 Connections within a Bus Terminal block
The electric connections between the Bus Coupler and the Bus Terminals are automatically realized by
joining the components:
Spring contacts (E-bus)
The six spring contacts of the E-bus deal with the transfer of the data and the supply of the Bus Terminal
electronics.
NOTE
Observe the E-bus current
Observe the maximum current that your Bus Coupler can supply to the E-bus! Use the EL9410 Power Supply Terminal if the current consumption of your terminals exceeds the maximum current that your Bus Coupler can feed to the E-bus supply.
Power contacts
The power contacts deal with the supply for the field electronics and thus represent a supply rail within the
Bus Terminal block. The power contacts are supplied via terminals on the Bus Coupler.
EL6910 25Version: 1.8.0
Page 26
Operation
Note the connection of the power contacts
During the design of a Bus Terminal block, the pin assignment of the individual Bus Terminals must
be taken account of, since some types (e.g. analog Bus Terminals or digital 4-channel Bus Terminals) do not or not fully loop through the power contacts.
Potential supply terminals (EL91xx, EL92xx) interrupt the power contacts and thus represent the
start of a new supply rail.
PE power contact
The power contact labelled PE can be used as a protective earth. For safety reasons this contact mates first
when plugging together, and can ground short-circuit currents of up to 125A.
Fig.9: PE power contact
CAUTION
Insulation tests
Note that, for reasons of electromagnetic compatibility, the PE contacts are capacitatively coupled to the
mounting rail. This may lead to incorrect results during insulation testing or to damage on the terminal (e.g.
disruptive discharge to the PE line during insulation testing of a consumer with a rated voltage of 230V).
For insulation testing, disconnect the PE supply line at the Bus Coupler or the Potential Supply Terminal! In
order to decouple further feed points for testing, these Power Feed Terminals can be released and pulled at
least 10mm from the group of terminals.
DANGER
Serious risk of injury!
The PE power contact must not be used for other potentials!
4.2.4.2 Overvoltage protection
If protection against overvoltage is necessary in your plant, provide a surge filter for the voltage supply to the
Bus Terminal blocks and the TwinSAFE terminals.
EL691026 Version: 1.8.0
Page 27
4.2.4.3 EL6900/EL6910 pin assignment
Operation
Fig.10: EL6900/EL6910 pin assignment
Terminal point Output Signal
1 - not used, no function
2 not used, no function
3 - not used, no function
4 not used, no function
5 - not used, no function
6 not used, no function
7 - not used, no function
8 not used, no function
EL6910 27Version: 1.8.0
Page 28
Operation
4.2.5 TwinSAFE reaction times
The TwinSAFE terminals form a modular safety system that exchanges safety-oriented data via the Safetyover-EtherCAT protocol. This chapter is intended to help you determine the system's reaction time from the
change of signal at the sensor to the reaction at the actuator.
Typical reaction time
The typical reaction time is the time that is required to transmit information from the sensor to the actuator, if
the overall system is working without error in normal operation.
Fig.11: Typical reaction time
Definition Description
RTSensor Reaction time of the sensor until the signal is provided at the interface. Typically supplied by
the sensor manufacturer.
RTInput Reaction time of the safe input, such as EL1904 or EP1908. This time can be found in the
technical data. In the case of the EL1904 it is 4 ms.
RTComm Reaction time of the communication This is typically 3x the EtherCAT cycle time, because
new data can only be sent in a new Safety-over-EtherCAT telegram. These times depend
directly on the higher-level standard controller (cycle time of the PLC/NC).
RTLogic Reaction time of the logic terminal. This is the cycle time of the logic terminal and typically
ranges from 500 µs to 10 ms for the EL6900, depending on the size of the safety project.
The actual cycle time can be read from the terminal.
RTOutput Reaction time of the output terminal. This typically lies within the range of 2 to 3 ms.
RTActor Reaction time of the actuator. This information is typically supplied by the actuator
manufacturer
WDComm Watchdog time of the communication
This results in the following equation for the typical reaction time:
with, for example
Worst-case reaction time
The worst case reaction time is the maximum time required to switch off the actuator in the case of an error.
EL691028 Version: 1.8.0
Page 29
Operation
Fig.12: Worst-case reaction time
This assumes that a signal change occurs at the sensor and is transmitted to the input. A communication
error occurs at precisely the moment when the signal is to be transferred to the communication interface.
This is detected by the logic following the watchdog time of the communication link. This information should
then be transferred to the output, but a further communication error occurs here. This error is detected at the
output following the expiry of the watchdog time and leads to the switch-off.
This results in the following equation for the worst-case reaction:
with, for example
EL6910 29Version: 1.8.0
Page 30
Operation
4.3 Operation in potentially explosive atmospheres (ATEX)
4.3.1 Special conditions
WARNING
Observe the special conditions for the intended use of Beckhoff fieldbus components in
potentially explosive atmospheres (directive 2014/34/EU)!
The certified components are to be installed in a suitable housing that guarantees a protection class of at
least IP54 in accordance with EN60529! The environmental conditions during use are thereby to be taken
into account.
If the temperatures during rated operation are higher than 70°C at the feed-in points of cables, lines or
pipes, or higher than 80°C at the wire branching points, then cables must be selected whose temperature
data correspond to the actual measured temperature values!
Observe the permissible ambient temperature range of 0 to 55 °C when using Beckhoff fieldbus components in potentially explosive atmospheres!
Measures must be taken to protect against the rated operating voltage being exceeded by more than 40%
due to short-term interference voltages!
The individual terminals may only be unplugged or removed from the Bus Terminal system if the supply
voltage has been switched off or if a non-explosive atmosphere is ensured!
The connections of the certified components may only be connected or disconnected if the supply voltage
has been switched off or if a non-explosive atmosphere is ensured!
The fuses of the EL92xx power feed terminals may only be exchanged if the supply voltage has been
switched off or if a non-explosive atmosphere is ensured!
Address selectors and ID switches may only be adjusted if the supply voltage has been switched off or if a
non-explosive atmosphere is ensured!
The fundamental health and safety requirements are fulfilled by compliance with the following standards:
• EN 60079-0 : 2103
• EN 60079-15 : 2011
4.3.2 Identification
Beckhoff fieldbus components that are certified for use in potentially explosive atmospheres bear one of the
following markings:
II 3 G Ex nA II T4 KEMA 10ATEX0075 X Ta: 0 - 55°C
or
II 3 G Ex nA nC IIC T4 KEMA 10ATEX0075 X Ta: 0 - 55°C
EL691030 Version: 1.8.0
Page 31
4.3.3 Date code and serial number
The TwinSAFE terminals bear a date code, which is composed as follows:
Datecode: CWYYSWHW
Operation
Legend:
CW: Calendar week of manufacture
YY: Year of manufacture
SW: Software version
HW: Hardware version
In addition the TwinSAFE terminals bear a unique serial number.
Sample: Datecode 29100201
Calendar week: 29
Year: 2010
Software version: 02
Hardware version: 01
4.3.4 Further ATEX documentation
Please also refer to the further documentation
Notes regarding application of the Bus Terminal system in areas potentially explosive atmosphere
are available in the Download section of the Beckhoff website at http://www.beckhoff.de.
EL6910 31Version: 1.8.0
Page 32
Operation
4.4 Configuration of the terminal in TwinCAT
CAUTION
Do not change CoE objects!
Do not change any of the CoE objects in the TwinSAFE terminals. Any modifications of the CoE objects
(e.g. via TwinCAT) will permanently set the terminals to the Fail-Stop state or lead to unexpected behavior
of the terminals!
4.4.1 Configuration requirements
Version 3.1 Build4020 or higher of the TwinCAT automation software is required for configuring the EL6910.
The current version is available for download from the Beckhoff website (www.beckhoff.de).
NOTE
TwinCAT support
The EL6910 cannot be used under TwinCAT2.
4.4.2 Adding an EtherCAT coupler
See TwinCAT 3 automation software documentation.
4.4.3 Adding an EtherCAT Terminal
See TwinCAT 3 automation software documentation.
4.4.4 Adding an EL6910
An EL6910 is added in exactly the same way as any other Beckhoff EtherCAT Terminal. In the list, open
Safety Terminals and select the EL6910.
EL691032 Version: 1.8.0
Page 33
Operation
Fig.13: Adding an EL6910
Size of the process image
The process image of the EL6910 is adjusted dynamically, based on the TwinSAFE configuration
created in TwinCAT 3.
EL6910 33Version: 1.8.0
Page 34
Operation
4.4.5 Address settings on TwinSAFE terminals with 1023 possible addresses
Fig.14: Address settings on TwinSAFE terminals with 1023 possible addresses
The TwinSAFE address of the terminal is set via the 10-way DIP switch on the left-hand side of the
TwinSAFE terminal. TwinSAFE addresses between 1 and 1023 are available.
DIP switch Address
1 2 3 4 5 6 7 8 9 10
ON OFF OFF OFF OFF OFF OFF OFF OFF OFF 1
OFF ON OFF OFF OFF OFF OFF OFF OFF OFF 2
ON ON OFF OFF OFF OFF OFF OFF OFF OFF 3
OFF OFF ON OFF OFF OFF OFF OFF OFF OFF 4
ON OFF ON OFF OFF OFF OFF OFF OFF OFF 5
OFF ON ON OFF OFF OFF OFF OFF OFF OFF 6
ON ON ON OFF OFF OFF OFF OFF OFF OFF 7
... ... ... ... ... ... ... ... ... ... ...
ON ON ON ON ON ON ON ON ON ON 1023
WARNING
TwinSAFE address
Each TwinSAFE address may only be used once within a network/ a configuration!
The address 0 is not a valid TwinSAFE address!
EL691034 Version: 1.8.0
Page 35
Operation
4.4.6 Creating a safety project in TwinCAT3
Further documentation
Information on TwinSAFE function blocks, groups and connections can be found in the TwinSAFE
Logic FB documentation on the Beckhoff website under
http://www.beckhoff.com/english/download/twinsafe.htm.
4.4.6.1 Add new item
In TwinCAT 3 a new project can be created via AddNewItem… in the context menu of the Safety node.
Fig.15: Creating a safety project - Add New Item
The project name and the directory can be freely selected.
Fig.16: Creating a safety project - project name and directory
4.4.6.2 TwinCAT Safety Project Wizard
In the TwinCATSafetyProject wizard you can then select the target system, the programming language, the
author and the internal project name. Select the setting HardwareSafetyPLC as the target system and the
graphical editor as the programming language. The author and the internal project name can be freely
selected by the user.
EL6910 35Version: 1.8.0
Page 36
Operation
Fig.17: TwinCAT Safety Project Wizard
4.4.6.3 Target System
Once the project has been created with the project wizard, the safety project can be assigned to the physical
TwinSAFE terminal EL6910 by selecting the Target System node.
Fig.18: Selecting the Target System node
Set the target system to EL6910 via the drop-down list and link it with the EL6910 terminal via the Link
button next to Physical Device. If online ADS access to the terminal is possible, the software version,
serial number, online project CRC and hardware address are automatically read from the terminal. The
hardware address must match the Safe Address set by the user.
EL691036 Version: 1.8.0
Page 37
Fig.19: Linking of target system and TwinSAFE terminal
Operation
4.4.6.4 Alias devices
The communication between the safety logic and the I/O level is realized via an alias level. At this alias level
(subnode Alias Devices) corresponding alias devices are created for all safe inputs and outputs, and also for
standard signal types. For the safe inputs and outputs, this can be done automatically via the I/O
configuration.
The connection- and device-specific parameters are set via the alias devices.
Fig.20: Starting the automatic import from the I/O configuration
If the automatic import is started from the I/O configuration, a selection dialog opens, in which the individual
terminals to be imported can be selected.
EL6910 37Version: 1.8.0
Page 38
Operation
Fig.21: Selection from the I/O tree
The alias devices are created in the safety project when the dialog is closed via OK.
Alternatively, the user can create the alias devices individually. To this end select Add and New item from
the context menu, followed by the required device.
Fig.22: Creating alias devices by the user
EL691038 Version: 1.8.0
Page 39
Operation
4.4.6.5 Parameterization of the alias device
The settings can be opened by double-clicking on the Alias Device in the safety project structure.
Fig.23: Alias Device in the safety project structure
The Linking tab contains the FSoE address, the checkbox for setting as External Device and the link to the
physical I/O device. If an ADS online connection to the physical I/O device exists, the DIP switch setting is
displayed. Re-reading of the setting can be started via the button . The links to the EL6910/EJ6910
process image are displayed under Full Name (input) and Full Name (output).
Fig.24: Links to EL6910/EJ6910 process image
The Connection tab shows the connection-specific parameters.
Fig.25: Connection-specific parameters
EL6910 39Version: 1.8.0
Page 40
Operation
Parameter Description User inter-
action required
Conn. no. Connection number - automatically assigned by the TwinCAT system No
Conn ID Connection ID: preallocated by the system, but can be changed by the user. A
Conn ID must be unique within a configuration. Duplicate connection IDs result in
an error message.
Mode FSoE master: EL6910/EJ6910 is FSoE master for this device.
FSoE slave: EL6910/EJ6910 is FSoE slave for this device.
Watchdog Watchdog time for this connection. A ComError is generated if the device fails to
return a valid telegram to the EL6910/EJ6910 within the watchdog time.
Module
Fault is
ComError
ComErrAck If ComErrAck is linked to a variable, the connection must be reset via this signal in
Info data The info data to be shown in the process image of the EL6910/EJ6910 can be
This checkbox is used to specify the behavior in the event of an error. If the
checkbox is ticked and a module error occurs on the Alias Device, this also leads
to a connection error and therefore to disabling of the TwinSAFE group, in which
this connection is defined.
the event of a communication error.
defined via these checkboxes. Further information can be found in the
documentation for TwinCAT function blocks for TwinSAFE Logic terminals.
Check
Check
Yes
Yes
Yes
Yes
The EL6910/EJ6910 support activation of a ComErrAck at each connection. If this signal is connected, the
respective connection must be reset after a communication error via the signal ComErrAck, in addition to the
ErrAck of the TwinSAFE group. This signal is linked via the link button next to COM ERR Ack. The
following dialog can be used for selecting an alias device. The signal can be cancelled via the Clear button in
the Map to dialog.
Fig.26: Selecting an alias device
The safety parameters matching the device are displayed under the Safety Parameters tab. They have to be
set correctly to match the required performance level. Further information can be found in the TwinSAFE
application manual.
EL691040 Version: 1.8.0
Page 41
Fig.27: Safety parameter for the device
4.4.6.6 Connection to AX5805/AX5806
Operation
There are separate dialogs for linking an AX5805 or AX5806 TwinSAFE Drive option card, which can be
used to set the safety functions of the AX5000 safety drive options.
Creating and opening of an alias device for an AX5805 results in five tabs; the Linking, Connection and
Safety Parameters tabs are identical to other alias devices.
Fig.28: AX5000 safety drive functions
The General AX5805 Settings tab can be used to set the motor string and the SMS and SMA functions for
one or two axes, depending on the added alias device.
EL6910 41Version: 1.8.0
Page 42
Operation
Fig.29: AX5000 safety drive options - general AX5805 settings
The Process Image tab can be used to set the different safety functions for the AX5805.
Fig.30: AX5000 safety drive options - Process Image
The parameters under the General AX5805 Settings and Process Image tabs are identical to the parameters
under the Safety Parameters tab. Offers user-friendly display and editing of the parameters. The parameters
under the Safety Parameters tab can also be edited.
The parameters for this function can be set by selecting a function in the inputs or outputs and pressing the
Edit button. New safety functions can be added in the process image by selecting an empty field (---) and
pressing Edit.
The parameter list corresponding to the safety function can be shown; in addition, an optional diagram of the
function can be shown. At present the diagram is still static and does not show the currently selected values.
EL691042 Version: 1.8.0
Page 43
Operation
Fig.31: AX5000 safety drive options - Function Diagram
4.4.6.7 External connection
An external Custom FSoE Connection can be created for a connection to a further EL69x0, EJ6910, KL6904
or third-party device. If a dedicated ESI file exists for a third-party device, the device is listed as a selectable
safety device, and the Custom FSoE Connection option is not required.
EL6910 43Version: 1.8.0
Page 44
Operation
Fig.32: Creating an external connection (Custom FSoE Connection)
Before the connection can be used and linked further, the process image size must be parameterized. This
can be set under the Process Image tab. Suitable data types for different numbers of safety data are
provided in the dropdown lists for the input and output parameters.
Fig.33: Parameterization of the process image size
Once the size is selected, the individual signals within the telegram can be renamed, so that a corresponding
plain text is displayed when these signals are used in the logic. If the signals are not renamed, the default
name is displayed in the editor (Safe Data Byte 0[0], …).
EL691044 Version: 1.8.0
Page 45
Operation
Fig.34: Renaming the individual signals within the telegram
The connection is linked under the Linking tab. The Link button next to Full Name (input) and Full
Name (output) can be used to select the corresponding variable.
Fig.35: Selecting the variables
This can be a PLC variable, for example, which is then forwarded to the remote device or can be linked
directly with the process image of an EtherCAT Terminal (e.g. EL69x0 or EL6695).
EL6910 45Version: 1.8.0
Page 46
Operation
Fig.36: Direct linking with the process image of an EtherCAT Terminal
Further information can be found in the TwinCAT documentation for the variable selection dialog.
The Connection tab is used to set the connection-specific parameters.
Fig.37: Connection-specific parameters
EL691046 Version: 1.8.0
Page 47
Operation
Detailed information about the individual settings can be found in the following table.
Parameter Description User inter-
action required
Conn. no. Connection number: is automatically assigned by the TwinCAT system No
Conn ID Connection ID: preallocated by the system, but can be changed by the user. A
Conn ID must be unique within a configuration. Duplicate connection IDs result in
an error message
Mode FSoE master: EL6910/EJ6910 is FSoE master for this device.
FSoE slave: EL6910/EJ6910 is FSoE slave for this device.
Type None: Setting for third-party equipment, for which no ESI file is available.
KL6904: Setting for KL6904 (safety parameter inactive)
EL69XX: Setting for EL6900/EL6930/EL6910/EJ6910 (safety parameter inactive)
Watchdog Watchdog time for this connection: A ComError is generated, if the device fails to
return a valid telegram to the EL6910 within the watchdog time.
Module
Fault is
ComError
Safe
Parameters
(Appl.
Param)
ComErrAck If ComErrAck is linked to a variable, the connection must be reset via this signal
Info data The info data to be shown in the process image of the EL6910/EJ6910 can be
This checkbox is used to specify the behavior in the event of an error. If the
checkbox is ticked and a module error occurs on the Alias Device, this also leads
to a connection error and therefore to disabling of the TwinSAFE group, in which
this connection is defined.
Device-specific parameters: The parameter length is automatically calculated
from the number of characters that is entered. This information will typically be
provided by the device manufacturer.
in the event of a communication error.
defined via these checkboxes. Further information can be found in the
documentation for TwinCAT function blocks for TwinSAFE Logic terminals.
Check
Check
Yes
Yes
Yes
Yes
Yes
Yes
4.4.6.8 Creating the safety application
The safety application is realized in the SAL worksheet pertaining to the TwinSAFE group (SAL - Safety
Application Language).
The toolbox provides all the function blocks available on the EL6910/EJ6910.
EL6910 47Version: 1.8.0
Page 48
Operation
Fig.38: Function blocks available for EL6910/EJ6910
The function blocks can be moved from the toolbox into the SAL worksheet via drag and drop. Variables can
be created by clicking next to a function block input or output, which can then be linked with alias devices in
the Variable Mapping dialog.
Fig.39: Function block on the SAL worksheet
EL691048 Version: 1.8.0
Page 49
Operation
Once the pointer connector has been selected from the toolbox, connections between the
input and output ports of the function blocks can be dragged with the mouse.
Fig.40: Dragging a connection between two function blocks
EL6910 49Version: 1.8.0
Page 50
Operation
Fig.41: Connection between two function blocks
4.4.6.9 Networks
For structuring the safety application, several networks can be created within a sal worksheet. Right-click in
the worksheet and select Add After and Network or Add Before and Network to create a network after or
before the current network.
Fig.42: Creating a network
The instance path to the FB port to be linked can be specified, in order to exchange signals between the
networks. The instance path consists of the network name, the FB name and the FB port, each separated by
a dot. The input of the instance path is case-sensitive.
<Network name>.<FB name>.<FB port name>
Sample: Network1.FBEstop1.EStopIn3
EL691050 Version: 1.8.0
Page 51
Alternatively, Change Link can be selected by opening the context menus next to the FB port.
Fig.43: Change Link
This function opens a dialog for selecting a suitable FB port.
Operation
Fig.44: Dialog for selecting a suitable FB port
Once the link has been created on one side of the connection, the link is automatically set/displayed on the
opposite side.
Fig.45: Link display
EL6910 51Version: 1.8.0
Page 52
Operation
4.4.6.10 TwinSAFE groups
It makes sense to create TwinSAFE groups in cases where different machine safety zones are to realize, or
simply in order to separate the fault behavior. Within a group, a FB or connection error (here: alias device)
leads to a group error and therefore to switching off all outputs for this group. If an error output of an FB is
set, it will be forwarded as a logical 1 signal.
A group can be created by opening the context menu of the safety project and selecting Add and New
Item....
Fig.46: Creating a TwinSAFE group
Like the first group, the group of a subitem for the alias devices and a sal worksheet.
Fig.47: Components of the TwinSAFE group
The instance path to the FB port to be linked can be specified, in order to exchange signals between the
groups. The instance path consists of the group name, the FB name and the FB port, each separated by a
dot. The input of the instance path is case-sensitive.
<group name>.<network name>.<FB name>.<FB port name>
Sample: TwinSafeGroup1.Network1.FBEstop1.EStopIn3
Alternatively, Change Link can be selected by opening the context menus next to the FB port.
EL691052 Version: 1.8.0
Page 53
Fig.48: Change Link
This function opens a dialog for selecting a suitable FB port.
Operation
Fig.49: Dialog for selecting a suitable FB port
Once the link has been created on one side of the connection, the link is automatically set/displayed on the
opposite side.
EL6910 53Version: 1.8.0
Page 54
Operation
Fig.50: Link display
4.4.6.11 Variables of the TwinSAFE group
The inputs and outputs of the TwinSAFE groups are consolidated under the Group Ports tab of the Variable
Mapping dialog.
Group inputs EL6910/EJ6910
For a project to be valid, as a minimum the signals Run/Stop and ErrAck must be linked.
Fig.51: The Variable Mapping dialog
EL691054 Version: 1.8.0
Page 55
Group Port Direction Description
Err Ack IN Error Acknowledge for resetting errors within the group
- Signal must be linked with a standard variable
Run/Stop IN 1 - Run; 0 – Stop
- Signal must be linked with a standard variable
Module
Fault
Com Err OUT Communication error in one of the connections
FB Err OUT Error at one of the FBs used
Out Err OUT not used
Other Err OUT ModuleFault OR AnalogValueFault OR WaitComTimeoutFault
Com Startup OUT At least one of the connections of this group is in startup
FB Deactive OUT
FB Run OUT FBs of the TwinSAFE group are processed
In Run OUT TwinSAFE group is in RUN state
Group State
IN Input for an error output of another module that is connected, e.g.
EK1960
The group was deactivated. (See also chapter Customizing / disabling
TwinSAFE groups [}117])
Operation
Value Status Description
1 RUN Input RUN=1, no error in the group, and all connections have started up
without error
2 STOP Input RUN = 0
4 ERROR Group is in error, see Diagnostic information
5 RESET After an error has occurred, all errors have been rectified and the ErrAck
signal is 1
6 START The group remains in this state as long as not all connections have
started up after the start of the group (RUN=1)
7 STOPERROR When the group is started or initialized, it assumes the STOPERROR
status if the TwinSAFE connections are assigned to the group.
The group switches from STOPERROR state into ERROR state if the
Run input is TRUE.
16 DEACTIVE Group was deactivated via customizing
17 WAITCOMERROR This state is set when the customizing function “Passivate” is selected
and the system waits for ComError of the group
Group Diag
Value Status Description
0 - No error
1 FBERROR at least one FB is in ERROR state
2 COMERROR at least one connection is faulty
3 MODULEERROR the input ModuleFault is 1
4 CMPERROR On startup, at least one analog FB input deviates from the last saved
value (Power-On Analog Value Check Error)
5 DEACTIVATE
ERROR
6 RESTARTERROR The TwinSAFE Logic program was restarted because the EtherCAT
In "passivate manual control unit" mode the timeout has elapsed while
waiting for the COM error
connection was restarted or a user logged in without reloading the
TwinSAFE Logic program (or parts of it).
EL6910 55Version: 1.8.0
Page 56
Operation
4.4.6.12 Order of the TwinSAFE groups
The order of the groups can be changed, in order to realize a defined processing sequence of the safety
application.
To this end, select the entry Edit TwinSAFE Group Order via the node menu of the safety project node. A
dialog opens, in which the order of the groups can be changed. The individual groups do not necessarily
have to be numbered in consecutive ascending order. The numbering can contain gaps.
Fig.52: Context menu Edit TwinSAFE Group Order
The current group order is shown in the column Current Value. The new order is specified by entering a
value in the column New Value, followed by OK.
Fig.53: Dialog Change Execution Order of TwinSAFE Groups
4.4.6.13 Command line
The command line below the SAL worksheet can be used to enter commands for executing functions.
EL691056 Version: 1.8.0
Page 57
Fig.54: The command line below the SAL worksheet
Currently the commands listed in the following table are supported.
Command Description
FBNAME FB_INSTANCENAME NETWORKNAME; Adding a function block
Sample: safeAnd FBAnd1 Network1
FB_INSTANCENAME->PORTNAME =
VARIABLE_NAME;
FB_INSTANCENAME->PORTNAME =
FB_INSTANCENAME->PORTNAME;
Creating a variable mapping
Sample: FBAnd1->AndIn1 = testVariable
Creating a connection between two FBs
Sample: FBAnd1->AndIn1 = FBOr1->OrOut;
Operation
4.4.6.14 FB port properties
The behavior of the inputs can be parameterized by opening the properties for the upper input of an input
pair or an individual input of the function block. For an input group, such as the function block ESTOP, the
individual inputs to be activated or deactivated, and single- or two-channel evaluation can be set.
Fig.55: FB port properties
EL6910 57Version: 1.8.0
Page 58
Operation
Channel Interface Description
Both Deactivated Both inputs are deactivated
Single-Channel 1 Activated Channel 1: Single-channel evaluation
Channel 2: deactivated
Single-Channel 2 Activated Channel 1: deactivated
Channel 2: Single-channel evaluation
Single-Channel Both Activated Channel 1: Single-channel evaluation
Channel 2: Single-channel evaluation
Two-Channel Both inputs are activated, and two-channel evaluation with
Discrepancy Time (ms)
If the Two-Channel evaluation is enabled, the corresponding Discrepancy time (ms) can be set in
milliseconds. For each input there is a setting to indicate whether the input should be evaluated as Break
Contact (NC) or Make Contact (NO). When a variable or a connecting line is connected to the function block,
the corresponding channel is enabled automatically.
Fig.56: Make Contact (NO) / Break Contact (NC) setting
These settings are also accessible for each individual port of an FB via the context menu item Change InPort
Settings.
EL691058 Version: 1.8.0
Page 59
Operation
Fig.57: Menu Change Inport Settings
Fig.58: Dialog Change InPort Settings
4.4.6.15 Variable Mapping
Fig.59: Variable Mapping
EL6910 59Version: 1.8.0
Page 60
Operation
Variables are linked to the alias devices in the Variable Mapping window. Use the Link button to open
the selection dialog for the alias port. Safe only signal types or safe and standard signal types are offered in
the selection dialog, depending on the port setting of the FB. Safe Boolean signals are shown with a yellow
background, standard signal types with a white background.
If several outputs are to be written by one variable, these signals can be assigned by holding down the CTRL
key and selecting the channels.
Fig.60: Selection dialog for the alias port
4.4.6.16 Safety toolbars
Once the development of the safety project is complete, the project has to be loaded onto the target system,
in this case EL6910/EJ6910. To this end the toolbars TwinCAT Safety and TwinCAT Safety CRC have to be
added.
Fig.61: Activation of the TwinCAT Safety and TwinCAT Safety CRC toolbars
Fig.62: Display of the TwinCAT Safety and TwinCAT Safety CRC toolbars
EL691060 Version: 1.8.0
Page 61
Toolbar TwinCAT Safety
Icon Name Description
Verify Safety Project The safety project is checked for validity.
Operation
Verify Complete Safety
Project
Download Safety Project Loading the safety project onto the target system, here EL6910/
Delete Safety Project Deleting the safety project from the target system, here EL6910/
Show Online Data of Safety
Project
Customize Safety Project Customizing the safety project (switching off TwinSAFE groups and
Toolbar TwinCAT Safety CRC
Icon Name Description
CRC Toolbar Left-click on the toolbar to initiate an update of the CRCs by the user.
CRC Toolbar Green icon: All CRCs are identical
Online CRC CRC of the safety project on EL6910/EJ6910. This value is read online
The safety project including the hardware level is checked for validity.
EJ6910
EJ6910
Switching on the Online View for the safety project.
setting of safe substitute values for the group outputs). This is possible
if the online and offline CRC are the same and at least one group has
been configured for customizing.
Red icon: CRCs are different
by the EL6910/EJ6910. In the absence of an ADS connection to the
EL6910/EJ6910, this value is displayed with .
Downloaded
CRC
Offline CRC CRC of the current safety project, as stored in the safety editor. A CRC
CRC of the safety project that was loaded last. If no safety project is
loaded when the TwinCAT project is opened, the value is displayed
with .
is displayed, if the stored project is valid. If the project is invalid,
is displayed as CRC.
4.4.6.17 Checking the TwinSAFE addresses
The hardware addresses of the alias devices used can be checked and set via the dialog Check Safe
Addresses.
To this end, select the entry Check Safe Addresses via the node menu of the safety project node. A dialog
opens, which lists all alias devices that use hardware addresses. The addresses set in the software (Safe/
FSoE Address) and the hardware addresses (Hardware Address) are shown in separate columns for each
alias device and for the target system. In the column Take Hardware Address the user can specify whether
the hardware addresses for the alias devices settings are applied when the dialog is closed via the OK
button.
EL6910 61Version: 1.8.0
Page 62
Operation
Fig.63: Check Safe Addresses context menu
Fig.64: Check Safe Addresses dialog
EL691062 Version: 1.8.0
Page 63
Operation
4.4.7 Downloading the safety application
Before downloading the safety project to the EL6910/EJ6910 or a logic component, the project should first
be checked for validity. If the hardware is complete, the hardware level can be used for checking, or
checking can take place at the project level , if online access is only available for the EL6910/EJ6910 or
the logic component. If the check returns no errors, the project download can continue.
CAUTION
Use only qualified tools
Only use a qualified tool (see note on system limits) for loading, verifying and enabling the project on the
EL6910/EJ6910 or the logic component!
User name and password are case-sensitive
Pay attention to upper/lower case characters for the user name and password.
The standard user is Administrator, the standard password is TwinSAFE.
NOTE
Power supply during download
Make sure that the TwinSAFE Logic is not switched off during the download. This can lead to unexpected
behavior or permanently disable the TwinSAFE Logic.
WARNING
Execution of the safety application
During a login or download of a safety application, the execution of the current project is stopped on the
TwinSAFE Logic.
Fig.65: Download Project Data – The Login dialog
In the Download Project Data dialog specify the user name, the serial number of the EL6910/EJ6910 or the
logic component onto which the project is to be loaded, and the user password. The default user name is
Administrator, the default-password is TwinSAFE. Use the Next button to move to the next dialog.
EL6910 63Version: 1.8.0
Page 64
Operation
Fig.66: Download Project Data – The Select Project Data dialog
In the Select Project Data dialog select Complete Project Data to load the whole project onto the EL6910/
EJ6910 or the logic component. Use the Next button to move to the next dialog.
Fig.67: Download Project Data – The Download Result dialog
Once the download is complete, the download results are displayed. Use the Next button to move to the next
dialog.
EL691064 Version: 1.8.0
Page 65
Fig.68: Download Project Data – The Final Verification dialog
Operation
The locally calculated CRCs and the online CRCs of the safety project are displayed in the Final Verification
dialog. They are automatically checked for equality and displayed via the column Verification Result. The
user must also check these data for equality and then confirm this by ticking the checkbox. Use the Next
button to move to the next dialog.
Fig.69: Download Project Data – The Activation dialog
In the Activation dialog the user re-enters the password to activate the safety project on the EL6910/EJ6910
or the logic component. Use the Finish button to complete the download of the safety project.
WARNING
Verification of the input and output process data
After downloading the safety-related program to the TwinSAFE logic, the user must check that the input
and output process data of the TwinSAFE logic are plausible, within the valid value range and in the expected magnitude. This is especially true for analog signals, which are transmitted via e.g. PROFIsafe,
FSoE sensors, TwinSAFE SC terminals or external control systems to the TwinSAFE logic. It is particularly
important to check whether the device uses the Motorola or the Intel format or Big or Little Endian.
EL6910 65Version: 1.8.0
Page 66
Operation
Project data Description
Safe Logic Data Safe Logic Data contains the safety related program.
Mapping Data Mapping Data contains the link data for inputs, outputs, function blocks, connections
etc.
Parameter Data Parameter Data contains the safe user parameters that are stored on the TwinSAFE
Logic. These can be safe substitute values and the user parameters of the connections.
Info Data Info Data contains the settings which Info Data for connections, function blocks, groups
etc. are activated and have to be filled by the TwinSAFE Logic.
Info Data of the safety project
The Info Data will NOT take effect to the calculation of the project CRC. This allows the Info Data to
be changed at a later stage without changing the project CRC.
If the Info Data for an existing project are changed, a project download including at least the Info
Data must be carried out, despite the fact that the CRC is unchanged, otherwise the Info Data will
not be filled. In addition, the TwinCAT configuration must be activated so that the process image
size in TwinCAT matches the expected size within the TwinSAFE Logic.
EL691066 Version: 1.8.0
Page 67
Operation
4.4.8 Online Mode
In Online mode the current values of the safety project are displayed. A green color change indicates
logical 1 within the SAL worksheet and the variable mapping. No color change means logical 0.
Fig.70: SAL worksheet and variable mapping in online mode
On each function block the current FB state is shown as text and in the form of an icon. The different states
are listed in the FB documentation. The following table describes the icons.
FB Icon Description
FB State: RUN
In RUN state no error is present, and the output of the FB is set.
FB State: SAFE
In SAFE state no error is present, and the output of the FB is NOT set.
FB State: ERROR/STOP
In ERROR/STOP state an FB error is present or the FB is still in STOP state. This is the
case if the group has not yet been started.
In addition, the online display can be extended by displaying analog and digital values. To this end the
function can be enabled or disabled by selecting Show Online Values from the context menu in the SAL
worksheet.
EL6910 67Version: 1.8.0
Page 68
Operation
Fig.71: Activation of Show Online Values
In online mode the analog and digital values are then displayed as text next to the respective variables.
Fig.72: Display of the analog and digital values in online mode
Detailed information about the whole safety project is shown on the Safety Project Online View tab. Any
errors in the connections or function blocks are displayed in plain text.
EL691068 Version: 1.8.0
Page 69
Operation
Fig.73: The Safety Project Online View tab
EL6910 69Version: 1.8.0
Page 70
Operation
4.4.9 New features in TC3.1 Build 4022
In the TwinCAT Version 3.1 Build 4022 some extensions have been implemented for the TwinSAFE editor.
With the release of the TwinCAT version, these are available to the user. This chapter lists the new features.
4.4.9.1 Group status
The status of the TwinSAFE group is displayed as a color-coded frame in online mode.
The RUN state is marked with a green one, the ERROR state with a red frame, and all other states with a
blue frame.
Fig.74: Group Status Online RUN
EL691070 Version: 1.8.0
Page 71
Operation
Fig.75: Group Status Online ERROR
Fig.76: Group Status Online STOP
EL6910 71Version: 1.8.0
Page 72
Operation
4.4.9.2 Online view group ports
In online mode the group inputs and outputs are marked according to their signal status. A logical 1 of the
signal is represented with a green background, a logical 0 with a white background. Error information is
displayed with a red background.
Fig.77: Online View Group Ports
4.4.9.3 Group templates
The user has a choice between three templates.
The templates differ by the number of already existing links (none, ErrAck created and linked to group port,
ErrAck and Run created and linked to group ports).
Fig.78: Templates for Safety Projects
4.4.9.4 Networks collapsable
The networks defined in a TwinSAFE group can be collapsed.
EL691072 Version: 1.8.0
Page 73
Fig.79: Collapsing networks
Operation
4.4.9.5 Subfolder Alias Devices
Under the node Alias Devices, further subfolders can be created. After the subfolder has been created, it can
be renamed, here for example to Drives.
Fig.80: Adding a subfolder
After adding a subfolder, Alias Devices can be added in this folder.
Fig.81: Subfolder e.g. Drives
EL6910 73Version: 1.8.0
Page 74
Operation
4.4.9.6 Goto linked element
The entry Goto Linked Element can be called via the context menu. All links and variables used on that port
are listed. Selecting an entry triggers a jump to the corresponding position in the network, a TwinSAFE group
or variable mapping.
Fig.82: Goto Linked Element
4.4.9.7 Path view to linked signal
The Linking tab of the Alias Devices displays the links to the PLC and to the I/O devices. The name in the
process image of the TwinSAFE logic is displayed under the entry Name.
Fig.83: Path view for safety Alias Devices
For the Standard Alias Devices, the path to the signal below the TwinSAFE logic (full name), the link to the
PLC (Linked to), and the name in the process image of the TwinSAFE logic are displayed.
EL691074 Version: 1.8.0
Page 75
Fig.84: Path view for Standard Alias Devices
4.4.9.8 Multiline comments
Comments in the TwinSAFE project may now be multiline.
Operation
Fig.85: Multiline comments
EL6910 75Version: 1.8.0
Page 76
Operation
4.4.9.9 Names of Alias Devices in the process image
The user has now the option of adapting the naming of process data below the TwinSAFE logic in the I/O
tree. For this purpose, checkboxes are available on the Target System dialog to accept the naming of
TwinSAFE connections and standard inputs and outputs from the respective Alias Device names.
Fig.86: Properties under Target System
After the checkboxes are set, the names of the alias devices are taken.
Fig.87: Take Alias Device Name - Safety Project
In the I / O tree below the TwinSAFE logic, the project is shown in the following screenshot. The name
consists of the group name, alias device name, and a running index.
Fig.88: Take Alias Device Name - TwinSAFE logic process image
EL691076 Version: 1.8.0
Page 77
4.4.9.10 Project settings - Verification
The project settings can be found below the target system.
Safe Address Verification
The Safe Address Verification entry is used to set how the safety addresses are checked.
• Project wide unique (recommended) - Unique safety addresses within the entire solution
• Similar to TwinCAT 2 - Unique addresses per TwinSAFE Logic
• Allow multiple usage - Multiple safety addresses are possible (user evaluation required)
Fig.89: Safe Address Verification
Operation
FB InPort Activation Verification
The FB InPort Activation Verification entry is used to set how the input ports of TwinSAFE FBs are checked.
• Strict activated & connected (recommended) - Each activated port must be connected, and each
connected port must be activated.
• Activated or connected allowed - If a port is only activated or only connected, this does not lead to an
error message.
Fig.90: FB InPort Activation Verification
NOTE
Support of project settings
The settings are supported from software version 03 of the EL6910 (SW03) and EK1960 (SW03). Furthermore, all newer logic components, such as the EL1918, are supported.
4.4.9.11 Displaying the project size
Diagnostic Properties of the project node
If the project node of the TwinSAFE project is selected, the properties under the entry Diagnostic show the
current project parameters. These are e.g. the project size in bytes, the number of connections, the number
of function blocks, or the number of TwinSAFE groups.
EL6910 77Version: 1.8.0
Page 78
Operation
Fig.91: Project Properties - Diagnostic
Diagnostic Properties of the group node
If the group node of the TwinSAFE project is selected, the properties under the entry Diagnostic display the
current TwinSAFE group parameters. These are e.g. the number of connections, the number of function
blocks, or the number of standard signals.
Fig.92: Group Properties - Diagnostic
4.4.9.12 Copy and Paste for FBs and comments
The copy and paste function refers to function blocks, comments and connections between function blocks.
The copied variable names and links remain unchanged, the FB instances are automatically incremented
(here FBEstop1 becomes FBEstop2).
EL691078 Version: 1.8.0
Page 79
Operation
Fig.93: Copying the data
After inserting the data, the following message appears. The user may have to adjust copied variable names.
Fig.94: Message box after inserting the data
EL6910 79Version: 1.8.0
Page 80
Operation
Fig.95: Inserted data
Here, in the example, the user must adapt the links of the output EStopOut and change the variable names
Restart, Input_01, Input_02 and EDM so that no duplicate names are assigned.
4.4.9.13 Global settings in Visual Studio
Options can be selected under the Tools menu in Visual Studio. In these options, settings for the TwinSAFE
environment can be made.
Fig.96: Visual Studio - Menu Tools / Options
Under TwinCAT / TwinSAFE Environment / Default Info Data you can configure which info data should be
activated automatically when TwinSAFE projects, groups, connections or FBs are created.
EL691080 Version: 1.8.0
Page 81
Operation
Fig.97: Global setting - Default Info Data
Under TwinCAT / TwinSAFE Environment / Group Diagram Editor you can specify whether the Undo / Redo
function should automatically zoom and scroll into the area that has changed.
Fig.98: Global Setting - Group Diagram Editor
EL6910 81Version: 1.8.0
Page 82
Operation
4.4.9.14 Sorting
Setting the execution order of the groups via dialog
The context menu of the project node can be used to access the execution order of the TwinSAFE groups.
Fig.99: Context menu - Edit TwinSAFE Group Order
By selecting a group and then holding and dragging an entry with the mouse, the execution order of the
groups can be changed. The new order is accepted with the OK button.
Fig.100: Execution order for TwinSAFE groups
Sorting of Alias Devices
You can use the context menu of the Alias Devices node to configure the display order of the alias devices.
EL691082 Version: 1.8.0
Page 83
Operation
Fig.101: Sorting of Alias Devices
Sorting of FBs (execution order)
The execution order of the function blocks can be accessed via the context menu within the graphical
worksheet.
Fig.102: Context Menu - Change Execution Order of FBs
By selecting an FB and then holding and dragging an entry with the mouse, the execution order of the
function blocks can be changed. The new order is accepted with the OK button.
EL6910 83Version: 1.8.0
Page 84
Operation
Fig.103: Execution order FBs
4.4.9.15 Direct mapping of local I/Os
If a TwinSAFE Logic has local inputs and outputs, e.g. an EK1960, an assignment to safe and non-safe
signals can be made by the user via the Internal Direct Mapping tab of the alias device. These direct
assignments have the advantage that no logic program has to be created by the user for this purpose.
To be able to use the internal direct mapping, the Linking mode of the Alias Device must be set to local.
Fig.104: Dialog - Internal Direct Mapping
Typical applications are linking the ErrAck signals of the modules with a Standard Alias Device or switching
an output due to a safe input signal.
In the figure the relay output FSOUT Relay Module Channel 1.Output is switched by the safe input Term(15)
(EL1904) - Module 1 (FSOES) InputChannel 1.
EL691084 Version: 1.8.0
Page 85
Operation
4.4.9.16 Backup/Restore settings
Backup/restore settings have been extended so that TwinSAFE logic components can also be used to store
a TwinSAFE project CRC. The following table describes the settings for each TwinSAFE connection listed in
the Backup/Restore dialog.
Checkbox Desciption Available in
Store Project CRC in Slave Only active when FSoE Connection Type is set
to Master.
The CRC of the local project is stored on the
target slave and can be used for the backup/
restore mechanism.
Now, besides the EL1904 and EL2904,
TwinSAFE logics are also supported for storing
the CRC.
Store Slave Project CRC in
Master
Store Master Project CRC in
Slave
Read Project CRC from Master Only active if FSoE Connection Type is set to
Only active when FSoE Connection Type is set
to Master.
If the target slave is a logic component that
uses the backup/restore mechanism, the
project CRC of the logic project of the target
slave must be entered manually here.
Only active if FSoE Connection Type is set to
Slave.
The FSoE master sends a CRC to be stored on
the local TwinSAFE component so that it can
be used for a restore function on the remote
FSoE master. This checkbox can be used even
if the local backup/restore function is not active.
Slave.
The CRC, which is entered on the FSoE master
(see Store Slave Project CRC in Master), can
be read by the FSoE slave for the local restore
function.
EL69xx, EL1904, EL2904,
EP1908
EL691x, EK1960, EJx9xx
and newer products
EL691x, EK1960, EJx9xx
and newer products
EL691x, EK1960, EJx9xx
and newer products
EL6910 85Version: 1.8.0
Page 86
Operation
Fig.105: Backup/Restore settings
4.4.9.17 Multiple download
New TwinSAFE products typically also support the use of a local logic function. Thus the number of
necessary downloads can increase significantly. In TwinCAT 3.1 Build 4022 it is now also possible to load
several safety projects simultaneously onto the corresponding logic components via the Multiple Download
feature.
This feature can be selected in the toolbar and via the TwinSAFE menu.
Fig.106: Multiple Download - Toolbar
After selecting the function, select the projects for which a simultaneous download of the safety project is to
be carried out and confirm the selection with the Next button.
NOTE
Multiple downloads for different users
If safety projects are to be loaded onto logic components with different users, the multiple download with
selection of the respective suitable logic components must be carried out several times.
EL691086 Version: 1.8.0
Page 87
Operation
Fig.107: Multiple Download - Selection of projects
In the general settings, enter the user name and password and check the displayed serial numbers of the
logic components. Use the Verified checkbox to confirm that the correct serial numbers are displayed and
used. Click the Next button to start the download.
Fig.108: Multiple Download - general settings
In the Final Verification dialog confirm the correctness of the online and calculated CRCs by checking the
checkbox. Click the Next button to switch to the Activation dialog.
EL6910 87Version: 1.8.0
Page 88
Operation
Fig.109: Multiple Download - Final Verification
To activate the safety projects, enter the password for the current user again and confirm with the Next
button.
Fig.110: Multiple Download - Activation
The Result dialog lists all safety projects with the status Activated and Downloaded. Click the Finish button to
finish the multiple download.
EL691088 Version: 1.8.0
Page 89
Operation
Fig.111: Multiple Download - Result
4.5 Info Data
Further Information
Information on the contents of the info data can be found in the TwinSAFE Logic FB documentation
(see References [}10])
4.5.1 Info data for the connection
Info data for connections can be enabled on the Connection tab of the alias device.
Fig.112: Enabling the info data for connections
The info data are shown in the I/O tree structure below the EL6910 in the process image. From here, these
signals can be linked with PLC variables. Further information on the included data can be found in the
documentation for TwinCAT function blocks for TwinSAFE logic terminals. Use the checkbox Show Input/
Output Data as byte array under Target System to adjust the process image.
EL6910 89Version: 1.8.0
Page 90
Operation
Fig.113: Checkbox for the connection info data
Fig.114: Info data for the connection in the I/O tree structure as byte array
Fig.115: Info data for the connection in the I/O tree structure as individual data
EL691090 Version: 1.8.0
Page 91
4.5.2 Info data for function blocks
For function blocks, info data can be enabled in the properties of the function block.
Fig.116: Enabling the info data for function blocks
Operation
The info data are shown in the I/O tree structure below the EL6910 in the process image. From here, these
signals can be linked with PLC variables. Further information on the included data can be found in the
documentation for TwinCAT function blocks for TwinSAFE logic terminals.
Fig.117: Info data for the function block in the I/O tree structure
EL6910 91Version: 1.8.0
Page 92
Operation
4.5.3 Info data for the TwinSAFE group
For TwinSAFE groups, info data can be enabled via the properties of the TwinSAFE group.
Fig.118: Enabling the info data in the properties of the TwinSAFE group
The info data are shown in the I/O tree structure below the I/O device in the process image. From here,
these signals can be linked with PLC variables. Further information on the included data can be found in the
documentation for TwinCAT function blocks for TwinSAFE logic terminals.
Fig.119: Info data for the TwinSAFE group in the tree structure
EL691092 Version: 1.8.0
Page 93
Operation
4.5.4 Info data for the device
The info data for the EL6910 can be enabled on the Target System tab. These are the serial number of the
EL6910 and the current online CRC of the safety project.
Fig.120: Enabling the info data for the EL6910
The info data are shown in the I/O tree structure below the EL6910 in the process image. From here, these
signals can be linked with PLC variables.
Fig.121: Info data of the EL6910 in the tree structure
4.6 Version history
The version history button under Target System can be used to read the version history of the EL6910,
EJ6910 or EK1960. It includes the user, the date, the version and the CRC of the safety projects loaded on
the EL6910, EJ6910 or EK1960.
EL6910 93Version: 1.8.0
Page 94
Operation
Fig.122: Version History
4.7 User Administration
User administration is called up via the Target System tree item. Use Get User List to read the current list of
users of the EL6910, EJ6910 or EK1960. The user Administrator cannot be deleted. The default password
can and should be replaced with a customer-specific password. This is done via the Change Password
button. The default password is TwinSAFE. The password must be at least 6 characters long. A maximum of
40 users can be created.
Fig.123: User Administration
The administrator password is required to create or delete users. Open the Login dialog by left-clicking on
Add User(s).
EL691094 Version: 1.8.0
Page 95
Fig.124: User Administration - Login
Operation
The Add User dialog opens once the correct serial number and administrator password have been entered.
Fig.125: User Administration - Add New User(s) - User Credentials
EL6910 95Version: 1.8.0
Page 96
Operation
Fig.126: User Administration - Add New User(s) - Access Rights
Enter the new user and the corresponding password (twice). The password must be at least 6 characters
long. In addition, select the rights for the new user. Use the button to apply these data and
display them in the New User list.
Fig.127: User Administration - New User added
Several users can be created before leaving the dialog via the Finish button.
EL691096 Version: 1.8.0
Page 97
Operation
Access Rights Description
Change Password Users can change their password.
Download Safe Logic Data The user can load the safety-related program onto the EL6910, EJ6910 or
EK1960.
Download Mapping Data The user can load the mapping data for inputs, outputs, FBs etc. onto the
EL6910, EJ6910 or EK1960.
Download Safe User Data/
Replacement Values
Download Info Data The user can activate and load the info data for connections and FBs on
Download Project Data in
Restore Mode
Activate / Deactivate Groups The user can execute Customizing (enable and disable TwinSAFE groups)
The user can change safe user parameters on the EL6910, EJ6910 or
EK1960 and also change and load safe substitute values
the EL6910, EJ6910 or EK1960.
The user can perform a restore. Not currently supported.
on the EL6910, EJ6910 or EK1960.
4.8 Backup/Restore
Following the exchange of an EL6910, EJ6910 or EK1960, the previous project can be loaded to the new
device using the Backup/Restore mechanism.
In order to be able to use this functionality, the Backup/Restore mechanism must be enabled in the safety
project, and the terminals must be selected, on which the current CRC of the safety project is to be stored.
For a restore operation the user can specify the minimum number of selected terminals on which the correct
CRC must be stored.
Using the checkbox Restore User Administration the user can specify whether the user administration should
be transferred to the new device via the restore mechanism.
Fig.128: Backup/Restore
In order to be able to use the Backup/Restore mechanism, create a backup of the current safety project and
store it on the hard disk of the controller, for sample. To carry out a restore, the user can either check when
starting the controller whether the serial number of the EL6910, EJ6910 or EK1960 has changed, or start the
restore manually via a service menu, e.g. in the visualization. Detailed information about the Backup/Restore
mechanism is available from Beckhoff Support.
EL6910 97Version: 1.8.0
Page 98
Operation
Restore
If a project that doesn't match the system is loaded during a restore, this will only be detected when
the distributed CRCs are checked. The previous project is then deleted from the logic terminal. This
cannot be undone.
One possible sequence for checking whether a restore is carried out is shown in the following sequence
chart.
Fig.129: Restore check sequence chart
Function blocks for backup/restore
The PLC function blocks with which a backup and restore to a TwinSAFE logic component (currently
EL6910, EJ6910 or EK1960) can be carried out are available through Beckhoff Support. This is a compiled
library that can be installed in the TwinCAT Library Repository.
The TC3_EL6910_Backup_Restore library contains two PLC function blocks. FB_SAVELOGICPROGRAM
and FB_RESTORELOGICPROGRAM.
FB_SAVELOGICPROGRAM
EL691098 Version: 1.8.0
Page 99
Fig.130: FB_SAVELOGICPROGRAM illustration
Fig.131: FB_SAVELOGICPROGRAM parameters
Operation
FB_RESTORELOGICPROGRAM
Fig.132: FB_RESTORELOGICPROGRAM illustration
Fig.133: FB_RESTORELOGICPROGRAM parameters
Sample
PROGRAM MAIN
VAR
fb_save:FB_SAVELOGICPROGRAM;
fb_restore:FB_RESTORELOGICPROGRAM;
StartBackup:BOOL;
EL6910AmsNetID AT %I*:ARRAY [0..5] OF BYTE;
EL6910port AT %I*:WORD;
internalBuffer: array[0..16#FFFF] of byte;
FileString: T_MaxString := 'c:\temp\safety\complibTest_EL6910.bin';
LocalAmsNetID: T_AmsNetID := '172.55.76.53.1.1';
SaveDone: BOOL;
SaveResult: STRING(200);
SaveErr: BOOL;
StartRestore: BOOL;
internalbuffer2: array[0..16#FFFF] of Byte;
RestoreDone: BOOL;
EL6910 99Version: 1.8.0
Page 100
Operation
RestoreResult: STRING(200);
RestoreErr: BOOL;
END_VAR
// Backup of the TwinSAFE logic program
fb_save(
bExecute:=StartBackup,
au8EcatNetId:=EL6910AmsNetID,
u16EcatPort:=EL6910port,
u32BufferAddress:=ADR(internalBuffer),
u32BufferSize:=SIZEOF(internalBuffer),
sFileName:=FileString,
sNetIDWriteFile:=LocalAmsNetID,
Done=>SaveDone,
sResult=>SaveResult,
bErr=>SaveErr);
// Restore of the TwinSAFE logic program
fb_restore(
bExecute:=StartRestore,
au8EcatNetId:=EL6910AmsNetID,
u16EcatPort:=EL6910port,
u32BufferAddress:=ADR(internalbuffer2),
u32BufferSize:=SIZEOF(internalBuffer2),
sFileName:=FileString,
sNetIDReadFile:=LocalAmsNetID,
Done=>RestoreDone,
sResult=>RestoreResult,
bErr=>RestoreErr);
4.9 Export/import of the safety project
The safety project can be archived via the context menu of the safety project. The data type of this archive is
*.tfzip.
Fig.134: Archiving the safety project
The safety project can be exported to XML format one level below the safety project node. This XML format
can be used for exchange between TwinCAT3 and TwinCAT2.
The menu item Export project (as bin file) can be used to save the safety project in a binary format, so that it
can be used by the TwinSAFE loader, for sample.
EL6910100 Version: 1.8.0
Loading...