GE Digital IC220SDL953 Operating Manual

GE Intelligent Platforms
Control Products
VersaSafe
VersaPoint* Module: IC220SDL953
SAFETY LOGIC MODULE, SAFE OUTPUT 24VDC, 8PT
User's Manual, GFK-2731
September 2011
User's manual
VersaPoint module with integrated safety logic and safe digital outputs
2011-09-29
Catalog No.: GFK-2731
Revision: 03
This user manual is valid for:
Catalog No. | Revision
IC220SDL953 | HW/FW/FW: 00/100/100
IC220SDL953 | HW/FW/FW: 00/101/100
Please observe the following notes
In order to ensure the safe use of the product described, you have to read and understand this manual. The following notes provide information on how to use this user manual.
User group of this manual
The use of products described in this manual is oriented exclusively to qualified electricians or persons instructed by them, who are familiar with applicable national standards and other regulations regarding electrical engineering and, in particular, the relevant safety concepts.
GE Intelligent Platforms accepts no liability for erroneous handling or damage to products from GE Intelligent Platforms or third-party products resulting from disregard of information contained in this user manual.
Explanation of symbols used and signal words
This is the safety alert symbol. It is used to alert you to potential personal injury hazards. Obey all safety measures that follow this symbol to avoid possible injury or death.
DANGER
This indicates a hazardous situation which, if not avoided, will result in death or serious injury.
WARNING
This indicates a hazardous situation which, if not avoided, could result in death or serious injury.
CAUTION
This indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.
The following types of message provide information about possible property damage and general information concerning proper operation and ease of use.
NOTE
This symbol and the accompanying text alert the reader to a situation which may cause damage or malfunction to the device, hardware or software, or surrounding property.
This symbol and the accompanying text provide the reader with additional information, such as tips and advice on the efficient use of hardware and on software optimization. It is also used as a reference to other sources of information (manuals, data sheets) on the subject matter, product, etc.
User manual IC220SDL953 - September 2011 GFK-2731
General terms and conditions of use for technical documentation
This document is based on information available at the time of its publication. While efforts have been made to be accurate, the information contained herein does not purport to cover all details or variations in hardware or software, nor to provide for every possible contingency in connection with installation, operation, or maintenance. Features may be described herein which are not present in all hardware and software systems. GE Intelligent Platforms assumes no obligation of notice to holders of this document with respect to changes subsequently made.
Statement of legal authority
GE Intelligent Platforms makes no representation or warranty, expressed, implied, or statutory with respect to, and assumes no responsibility for the accuracy, completeness, sufficiency, or usefulness of the information contained herein. No warranties of merchantability or fitness for purpose shall apply.
How to contact us
Internet
Up-to-date information on GE Intelligent Platforms products and our Terms and Conditions can be found on the Internet at: www.ge-ip.com
Make sure you always use the latest documentation. It can be downloaded at: http://support.ge-ip.com
Subsidiaries
If there are any problems that cannot be solved using the documentation, please contact your GE Intelligent Platforms subsidiary.
Subsidiary contact information is available at www.ge-ip.com
Published by
GE Intelligent Platforms, Inc., 2500 Austin Dr., Charlottesville, Virginia
Phone (+1) 800-433-2682
Fax (+1) 780-420-2047
Should you have any suggestions or recommendations for improvement of the contents and layout of our manuals, please send your comments to:
support.ip@ge.com
* VersaPoint is a trademark of GE Intelligent Platforms, Inc. and/or its affiliates. All other trademarks are the property of their respective owners.
© Copyright 2011 GE Intelligent Platforms, Inc. All Rights Reserved
Table of contents
1 For your safety..........................................................................................................................1-1
1.1 General safety notes ..........................................................................................1-1
1.2 Electrical safety ..................................................................................................1-2
1.3 Safety of the machine or system........................................................................1-3
1.4 Safety for starting applications ...........................................................................1-4
1.5 Directives and standards....................................................................................1-4
1.6 Correct usage.....................................................................................................1-4
1.7 Documentation ...................................................................................................1-5
1.8 Abbreviations used ...........................................................................................1-5
2 Product description...................................................................................................................2-1
2.1 Note about the system description.....................................................................2-1
2.2 Brief description of the safety module................................................................2-1
2.3 Structure of the safety module ...........................................................................2-2
2.4 Housing dimensions...........................................................................................2-2
2.5 Safe digital outputs.............................................................................................2-3
2.6 Connection options for actuators depending on the parameterization ...............2-5
2.7 Local diagnostic and status indicators ...............................................................2-6
2.8 Safe state ...........................................................................................................2-8
2.8.1 Operating state ...................................................................................2-8
2.8.2 Error detection in I/O devices .............................................................2-8
2.8.3 Device errors ......................................................................................2-9
2.8.4 Parameterization errors ......................................................................2-9
2.9 Process data words..........................................................................................2-10
2.10 Programming data/configuration data ..............................................................2-10
2.10.1 Local bus ..........................................................................................2-10
2.10.2 Other bus systems or networks .......................................................2-10
3 VersaPoint potential and data routing, and VersaPoint connectors .........................................3-1
3.1 VersaPoint potential and data routing ................................................................3-1
3.2 Supply voltage UL ..............................................................................................3-1
3.3 Supply voltage UM ..............................................................................................3-2
3.4 Terminal point assignment .................................................................................3-3
4 Assembly, removal, and electrical installation..........................................................................4-1
4.1 Assembly and removal.......................................................................................4-1
4.1.1 Unpacking the module ........................................................................4-1
4.1.2 General ...............................................................................................4-1
4.1.3 Setting the DIP switches .....................................................................4-2
4.1.4 Assembly and removal of the safety module ......................................4-4
4.2 Electrical installation...........................................................................................4-6
4.2.1 Electrical installation of the VersaPoint station ...................................4-6
4.2.2 Electrical installation of the safety module ..........................................4-6
5 Parameterization of the safety module.....................................................................................5-1
5.1 Parameterization of the safety module in a VersaSafe system.......................... 5-1
5.2 Parameterization of the safe outputs .................................................................5-2
5.3 Behavior of the outputs in the event of enabled switch-off delay for stop category 1 ...................................................................................................5-4
6 Connection examples for safe outputs .....................................................................................6-1
6.1 Explanation of the examples ..............................................................................6-1
6.2 Notes on the protective circuit for external relays/contactors (free running circuit) ...........................................................................................6-2
6.3 Measures required to achieve a specific safety integrity level ...........................6-3
6.4 Single-channel assignment of safe outputs .......................................................6-5
6.5 Two-channel assignment of safe outputs...........................................................6-8
7 Startup and validation...............................................................................................................7-1
7.1 Initial startup.......................................................................................................7-1
7.2 Restart after replacing a safety module .............................................................7-3
7.2.1 Replacing a safety module .................................................................7-3
7.2.2 Restart ................................................................................................7-3
7.3 Validation ...........................................................................................................7-3
8 Errors: Messages and removal.................................................................................................8-1
8.1 Safe digital output errors ....................................................................................8-4
8.2 Supply voltage errors .........................................................................................8-5
8.3 General errors ....................................................................................................8-5
8.4 Parameterization errors......................................................................................8-6
8.5 Connection errors to satellites ..........................................................................8-7
8.6 Acknowledging an error .....................................................................................8-8
9 Maintenance, repair, decommissioning, and disposal..............................................................9-1
9.1 Maintenance.......................................................................................................9-1
9.2 Repair.................................................................................................................9-1
9.3 Decommissioning and disposal..........................................................................9-1
10 Technical data and ordering data...........................................................................................10-1
10.1 System data .....................................................................................................10-1
10.1.1 VersaPoint ........................................................................................10-1
10.1.2 VersaSafe system ............................................................................10-1
10.2 IC220SDL953...................................................................................................10-1
10.3 Conformance with EMC Directive ....................................................................10-6
10.4 Ordering data ...................................................................................................10-7
10.4.1 Ordering data: Safety module ...........................................................10-7
10.4.2 Ordering data: Accessories ..............................................................10-7
10.4.3 Ordering data: Software ...................................................................10-7
10.4.4 Ordering data: Documentation .........................................................10-7
A Appendix: VersaSafe system .................................................................................................. A-1
A 1 The VersaSafe system..................................................................................... A-1
A 1.1 VersaSafe technology – Maximum flexibility and safety .................... A-1
A 1.2 Overview of VersaSafe system features ........................................... A-2
A 1.3 Differences in VersaSafe systems dependent upon which module with integrated safety logic is used .................................................... A-2
A 2 System topology............................................................................................... A-4
A 2.1 General topology ............................................................................... A-4
A 2.2 Network and controller requirements ................................................. A-5
A 2.3 Safe input and output devices ........................................................... A-5
A 3 VersaSafe address assignment ...................................................................... A-6
A 4 Operating modes and setting the DIP switches in the VersaSafe system ..... A-10
A 4.1 Module switch positions .................................................................. A-10
A 4.2 VersaSafe multiplexer mode ........................................................... A-11
A 5 Process image ............................................................................................... A-13
A 5.1 Structure of the process image ........................................................ A-13
A 5.2 Description of the registers .............................................................. A-17
A 6 Implementation of data flow between the standard controller and the safety modules ............................................................................................... A-22
A 6.1 Implementation of data flow with a function block ........................... A-22
A 6.2 Implementation of data flow without a function block ...................... A-22
A 7 Enable principle.............................................................................................. A-22
A 8 Diagnostics..................................................................................................... A-24
A 8.1 Error detection in I/O devices .......................................................... A-24
A 8.2 Detection of device errors ................................................................ A-25
A 8.3 Acknowledgment of error messages for satellites ........................... A-25
A 9 Configuration, parameterization, and download ............................................ A-26
A 9.1 Configuration and parameterization using the VersaConf Safety tool ................................................................................................... A-26
A 9.2 Downloading the configuration and parameter data record following power up ........................................................................... A-27
A 10 Safe state ....................................................................................................... A-27
A 11 Time response in the VersaSafe system........................................................ A-28
A 11.1 Typical response time ...................................................................... A-28
A 11.2 Shutdown times ............................................................................... A-29
A 12 Achievable safety depending on the modules used ....................................... A-30
A 13 Behavior in the event of an error.................................................................... A-31
A 13.1 Critical system or device errors ....................................................... A-31
A 13.2 Parameterization or configuration errors ......................................... A-32
A 13.3 Communication errors ..................................................................... A-32
A 13.4 I/O errors ......................................................................................... A-32
A 14 Startup and restart ......................................................................................... A-33
A 14.1 Startup/restart following power up ................................................... A-33
A 14.2 Restart after triggering a safety function .......................................... A-33
A 15 Memory sizes for the safety logic................................................................... A-33
B Appendix: Checklists ............................................................................................................... B-1
B 1 Checklists for the VersaSafe system................................................................ B-2
B 1.1 Planning .................................................................................... B-2
B 1.2 Configuration and parameterization ......................................... B-4
B 1.3 Startup ...................................................................................... B-5
B 1.4 Safety functions ................................................................................. B-6
B 1.5 Validation .................................................................................. B-7
B 2 Checklists for the IC220SDL953 module ...................................................................................... B-8
B 2.1 Planning ..................................................................................... B-8
B 2.2 Assembly and electrical installation ............................................. B-9
B 2.3 Startup ........................................................................................ B-10
B 2.4 Validation ....................................................................................... B-11
C Index........................................................................................................................................ C-1
1 For your safety
Purpose of this manual
The information in this document is designed to familiarize you with how the IC220SDL953 safety module works, its operating and connection elements, and its parameter settings. This information will enable you to use the module within a VersaSafe system according to your requirements.
Validity of the user manual
This manual is only valid for the IC220SDL953 module in the version indicated on the inner cover page.
1.1 General safety notes
WARNING: Depending on the application, incorrect handling of the safety module can pose serious risks for the user
When working with the safety module within the VersaSafe system, please observe all the safety notes included in this section.
Requirements
Knowledge of the following is required:
– The target system (e.g., PROFIBUS, PROFINET)
– The standard control system
– The VersaSafe system (see Appendix A)
– The components used in your application
– The VersaPoint product range
– Operation of the software tools used
– Safety regulations in the field of application
Qualified personnel
In the context of the use of the VersaSafe system, the following operations may only be carried out by qualified personnel:
– Planning
– Configuration of the safety logic and parameterization
– Installation, startup, servicing
– Maintenance, decommissioning
This user manual is, therefore, aimed at:
– Qualified personnel who plan and design safety equipment for machines and systems and are familiar with regulations governing safety in the workplace and accident prevention
– Qualified personnel who install and operate safety equipment in machines and systems
In terms of the safety notes in this manual, qualified personnel are persons who, because of their education, experience and instruction, and their knowledge of relevant standards, regulations, accident prevention, and service conditions, have been authorized to carry out any required operations, and who are able to recognize and avoid any possible dangers.
Documentation
You must observe all information in this manual as well as in the documents listed in "Documentation" on page 1-5.
Safety of personnel and equipment
The safety of personnel and equipment can only be assured if the safety module is used correctly (see "Correct usage" on page 1-4).
Error detection
Depending on the wiring and the corresponding setting of the safe output module parameters, the VersaSafe system can detect various errors within the safety equipment.
Do not carry out any repairs
Repair work may not be carried out on the safety module.
In the event that an error cannot be removed, please contact GE Intelligent Platforms immediately, engage a service engineer, or send the faulty module directly to GE Intelligent Platforms.
Do not open the housing/security seal
It is strictly prohibited to open the safety module housing. In order to prevent the manipulation of the safety module and to detect the unauthorized opening of the safety module, a security seal is applied to the module. This security seal is damaged in the event of unauthorized opening. In this case, the correct operation of the safety module can no longer be ensured.
Measures to prevent incorrect connection and polarity reversal
Take measures to prevent the incorrect connection, polarity reversal, and manipulation of connections.
1.2 Electrical safety
WARNING: Hazardous body currents and the loss of functional safety
Disregarding instructions for electrical safety may result in hazardous body currents and the loss of functional safety.
In order to ensure electrical safety, please observe the following points.
Direct/indirect contact
Ensure that all components connected to the system are protected against direct and indirect contact according to VDE 0100 Part 410. In the event of an error, parasitic voltages must not occur (single-fault tolerance).
This can be achieved by:
– Using power supply units with safe isolation (PELV).
– Decoupling circuits, which are not SELV or PELV systems, using optocouplers, relays, and other components meeting the requirements of safe isolation.
Power supply unit for 24 V supply
Only use power supply units with safe isolation and PELV according to EN 50178/VDE 0160 (PELV). This prevents short circuits between primary and secondary sides.
Make sure that the output voltage of the power supply does not exceed 32 V even in the event of an error.
Insulation rating
When selecting the operating equipment, please take into consideration the contamination and surge voltages, which may occur during operation.
The IC220SDL953 module is designed for surge voltage category II (according to DIN EN 60664-1). If you expect surge voltages in the system, which exceed the values defined in surge voltage category II, take into consideration additional measures for voltage limitation.
Installation and configuration
Please observe the instructions for installing and configuring the system (see "Documentation" on page 1-5).
WARNING: Depending on the application, incorrect installation and upgrades can pose serious risks for the user
The user is obliged to design the devices used and their installation in the system according to these requirements. This also means that existing plants and systems retrofitted with the VersaSafe system must be checked and tested again in this respect.
1.3 Safety of the machine or system
The machine/system manufacturer and the operator are solely responsible for the safety of the machine or system and the implemented application, in which the machine or system is used. The Machinery Directive must be observed.
Draw up and implement a safety concept
In order to use the safety module described in this document, you must have drawn up an appropriate safety concept for your machine or system. This includes a hazard and risk analysis according to the directives and standards specified in "Directives and standards" on page 1-4, as well as a test report (checklist) for validating the safety function (see "Appendix: Checklists" on page B-1).
The target safety integrity level (SIL according to EN 61508, SIL CL according to EN 62061 or performance level and category according to EN ISO 13849-1) is ascertained on the basis of the risk analysis. The safety integrity level ascertained determines how to connect and parameterize the safety module within the overall safety function.
Within a VersaSafe system, the IC220SDL953 safety module can be used to achieve safety functions with the following requirements depending on the conditions of use:
– Up to SIL 3 according to standard EN 61508
– Up to SIL CL 3 according to standard EN 62061
– Up to Cat. 4/PL e according to standard EN ISO 13849-1
Please also refer to "Achievable safety depending on the modules used" on page A-30.
Check hardware and parameterization
Carry out a validation every time you make a safety-related modification to your overall system.
Use your test report to ensure that:
– The safe devices are connected to the correct safe sensors and actuators
– The safe input and output devices have been parameterized correctly
– The safety functions have been wired correctly
1.4 Safety for starting applications
Consider your machine or system when determining the start conditions:
– Starting the machine or system may only take place when no persons are within the danger zone.
– Comply with the requirements of EN ISO 13849-1 with respect to manual resetting functions.
This applies to:
– Switching on of safe devices.
– Acknowledgment of device error messages.
– Acknowledgment of communication errors.
– Acknowledgment of block error messages in the application.
– Removing safeguards for safety functions.
Observe your safety logic during programming/configuring:
– The change from a safe state (replacement value = 0) to the operating state can cause an edge change (zero-one-edge).
– Include measures in your safety logic that prevent this edge from unexpectedly starting or restarting the machine/system.
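A restart interlock of the kind the last two points call for, as an added illustration that is not part of the manual and not VersaSafe logic: the output enable drops whenever the safe input is 0, and is released again only by a full press and release of a reset button made while the input is already 1. All names (`interlock_step`, `safe_in`, `reset_btn`) and the sample trace are assumptions; accepting the reset on button release is a design choice of this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical restart interlock; names and trace are constructed for illustration. */
typedef struct {
    bool enabled;     /* latched output enable */
    bool armed;       /* reset was pressed while safe_in was already 1 */
    bool prev_reset;  /* reset button level in the previous cycle */
} interlock_t;

static void interlock_init(interlock_t *s)
{
    s->enabled = false;
    s->armed = false;
    /* Treat the button as "held" at power-up, so a button that is stuck
     * or held during startup is never seen as a fresh press. */
    s->prev_reset = true;
}

/* One logic cycle.
 * safe_in:   value of the safe signal (0 = safe state / replacement value)
 * reset_btn: level of the manual reset button
 * Returns the output enable for this cycle. */
static bool interlock_step(interlock_t *s, bool safe_in, bool reset_btn)
{
    bool pressed  = reset_btn && !s->prev_reset;
    bool released = !reset_btn && s->prev_reset;

    if (!safe_in) {
        /* Safe state requested: drop the enable, discard a half-finished reset. */
        s->enabled = false;
        s->armed = false;
    } else if (!s->enabled) {
        if (pressed) {
            s->armed = true;            /* press seen with safe_in == 1 */
        } else if (released && s->armed) {
            s->enabled = true;          /* release completes the manual reset */
            s->armed = false;
        }
    }
    s->prev_reset = reset_btn;
    return s->enabled;
}

/* Logic without interlock: the 0 -> 1 edge of safe_in re-enables the output. */
static bool naive_step(bool safe_in) { return safe_in; }

/* Constructed trace: the safe input drops twice; the reset button is held
 * across the first recovery (cycles 3-4) and pressed properly in cycles 6-7. */
enum { TRACE_LEN = 10 };
static const bool SAFE_IN[TRACE_LEN]   = {1, 1, 0, 0, 1, 1, 1, 1, 0, 1};
static const bool RESET_BTN[TRACE_LEN] = {0, 0, 0, 1, 1, 0, 1, 0, 0, 0};

/* Both runners return a bitmask: bit i is set if the output is on in cycle i. */
static unsigned run_interlock(const bool *safe_in, const bool *reset_btn, int n)
{
    interlock_t s;
    unsigned mask = 0;
    interlock_init(&s);
    for (int i = 0; i < n; i++)
        if (interlock_step(&s, safe_in[i], reset_btn[i]))
            mask |= 1u << i;
    return mask;
}

static unsigned run_naive(const bool *safe_in, int n)
{
    unsigned mask = 0;
    for (int i = 0; i < n; i++)
        if (naive_step(safe_in[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    unsigned with = run_interlock(SAFE_IN, RESET_BTN, TRACE_LEN);
    unsigned without = run_naive(SAFE_IN, TRACE_LEN);

    printf("cycle safe_in reset naive interlock\n");
    for (int i = 0; i < TRACE_LEN; i++)
        printf("%5d %7d %5d %5u %9u\n", i, SAFE_IN[i], RESET_BTN[i],
               (without >> i) & 1u, (with >> i) & 1u);
    return 0;
}
```

In the trace, the logic without interlock switches the output back on at cycles 4 and 9 purely because the safe input returned to 1; the interlock stays off through both and enables only at cycle 7, after the deliberate reset.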
1.5 Directives and standards
The manufacturers and operators of machines and systems, in which the IC220SDL953 module is used, are responsible for adhering to all applicable directives and legislation.
For the standards observed by the module, please refer to the certificate issued by the approval body and the EC declaration of conformity. These documents are available on the Internet at www.ge-ip.com.
1.6 Correct usage
Only use the VersaSafe system in accordance with the instructions in this section.
The IC220SDL953 safety module is designed exclusively for use in a VersaSafe system. It can only perform its safety-related tasks within the system if it has been integrated into the execution process correctly and in such a way as to avoid errors.
You must observe all information in this manual as well as in the documents listed in "Documentation" on page 1-5. In particular, only use the module according to the technical data and ambient conditions specified in Section 10, "Technical data and ordering data" on page 10-1 and onwards.
Within a VersaSafe system, the safety module can be used to achieve safety functions with the following requirements depending on the conditions of use:
– Up to SIL 3 according to standard EN 61508
– Up to SIL CL 3 according to standard EN 62061
– Up to Cat. 4/PL e according to standard EN ISO 13849-1
Please also refer to "Achievable safety depending on the modules used" on page A-30.
The safety module is designed for connecting single-channel or two-channel actuators, which can be used in association with safety technology. For example, the module can be used in the following applications:
– Safety circuits according to EN 60204 Part 1
– Safe shutdown of contactors, motors (24 V DC), valves, ohmic, inductive, and capacitive loads
The module is not suitable for applications in which stop category 1 also has to be observed in the event of an error (see also "Behavior of the outputs in the event of enabled switch-off delay for stop category 1" on page 5-4).
1.7 Documentation
Latest documentation
Make sure you always use the latest documentation. Changes or additions to this document can be found on the Internet at http://support.ge-ip.com.
VersaSafe system
When working on the VersaSafe system and its components, you must always keep this user manual and other items of product documentation to hand and observe the information therein.
User manuals:
– For the controller used
– For VersaSafe system I/O modules
– For VersaSafe system function blocks
Please also observe the relevant information about the bus system used.
VersaPoint product range
GFK-2736 Automation terminals of the VersaPoint product range (configuration and installation)
Documentation for the Network Interface Unit (NIU) used
1.8 Abbreviations used
Table 1-1 Abbreviations used
Abbreviation | Meaning | Standard | Example
SIL | Safety integrity level | EN 61508 | SIL 2, SIL 3
SIL CL | SIL claim limit | EN 62061 | SIL CL 3
Cat. | Category | EN ISO 13849-1 | Cat. 2, Cat. 4
PL | Performance level | EN ISO 13849-1 | PL e, PL d
Table 1-2 Abbreviations used
Abbreviation | Meaning
PELV | Protective extra-low voltage. A circuit in which the voltage does not exceed 30 V AC, 42.4 V peak value or 60 V DC under normal conditions or single-fault conditions, except in the event of grounding errors in other circuits. A PELV circuit is like a SELV circuit, but is connected to protective earth ground. (According to EN 61131-2)
EUC | Equipment under control
2 Product description
2.1 Note about the system description
The VersaSafe system is described in "Appendix: VersaSafe system" on page A-1.
In the description of the IC220SDL953 safety module, it is assumed that you are familiar with the VersaSafe system. If this is not the case, please refer to "Appendix: VersaSafe system" on page A-1 first for information about the system.
2.2 Brief description of the safety module
The IC220SDL953 module is designed for use within a VersaPoint station. The module features integrated configurable safety logic and safe digital outputs.
The IC220SDL953 safety module can be used as part of a VersaPoint station at any point within a VersaSafe system.
The transmission speed of the VersaPoint local bus can be set to 500 kbaud or 2 Mbaud on the safety module using switches. Use the same transmission speed throughout a VersaPoint station.
The module has a 10-pos. DIP switch, which is used to set the island number and operating mode.
The module has four safe positive switching digital outputs for two-channel assignment or eight safe positive switching digital outputs for single-channel assignment.
The outputs can be parameterized according to the application. The outputs enable actuators to be integrated into the VersaSafe system.
Within a VersaSafe system, the IC220SDL953 safety module can be used to achieve safety functions with the following requirements:
– Up to SIL 3 according to standard EN 61508
– Up to SIL CL 3 according to standard EN 62061
– Up to Cat. 4/PL e according to standard EN ISO 13849-1
Please also refer to "Achievable safety depending on the modules used" on page A-30.
2.3 Structure of the safety module
Figure 2-1 Structure of the safety module
1 Data jumpers (local bus)
2 Electronics base with labeling including version designation hardware/firmware/firmware (not shown)
3 Switch for setting the transmission speed and operating mode
4 Switch for setting the address
5 Potential jumper
6 Diagnostic and status indicators; for assignment and meaning see "Local diagnostic and status indicators" on page 2-6
7 VersaPoint connector; for assignment see "Terminal point assignment" on page 3-3
8 Terminal points
9 Labeling field
2.4 Housing dimensions
Figure 2-2 Housing dimensions (in mm); dimensions labeled in the figure: 48.8, 71.5 and 119.8
2.5 Safe digital outputs
The safety module has safe positive switching digital outputs, which can be used as follows:
– For two-channel assignment: four two-channel outputs
– For single-channel assignment: eight single-channel outputs
Technical data
For the technical data for the safe outputs, please refer to page 10-4.
Parameterization
The individual safe digital outputs of a safety module can be parameterized differently. This means that the outputs can be adapted to various operating conditions and different safety integrity levels (SIL, SIL CL, Cat., PL) can be implemented.
In order to achieve a high level of error detection, the test pulses must be enabled. If this is not possible for the connected loads, the test pulses can be disabled. However, in this case error detection is reduced.
The safety integrity level (SIL, SIL CL, Cat., PL) and error detection that can be achieved depend on the parameterization, the structure of the actuator, and the cable installation (see "Connection examples for safe outputs" on page 6-1).
For information about parameterization, please refer to "Parameterization of the safe outputs" on page 5-2.
Diagnostics
Diagnostics are provided via both the local diagnostic indicators and the diagnostic messages, which are transmitted to the controller.
For information about the diagnostic messages of the outputs, please refer to "Safe digital output errors" on page 8-4.
CAUTION: Diagnostic data is not safety-related
The diagnostic data is not safety-related. This data must not be used to execute safety-related functions or actions.
Requirements for controlled devices/actuators
The error detection of the module varies depending on the parameterization. This results in specific requirements for the actuators.
If the outputs are parameterized with test pulses, the output circuits are tested by test pulses at regular intervals. These test pulses are visible at the output and can trigger undesirable reactions with quick responding actuators.
WARNING: Unintentional machine startup
If the process does not tolerate this behavior, actuators with sufficient inertia must be used.
In general, the load must not be so dynamic that it causes dangerous states within 1 ms.
Quick actuators, which offer a safety-related response to pulses in under 1 ms, may not generally be used.
Switching off the test pulses affects the error detection of the module. Please observe the achievable safety integrity level, which is specified in "Connection examples for safe outputs" on page 6-1. The failure detection time is 20 ms.
Please refer to "Single-channel assignment of safe outputs" on page 6-5 and "Two-channel assignment of safe outputs" on page 6-8 for additional information.
– Only use appropriately qualified actuators.
– Use reliable components. These include, for example:
  – Control contactors according to EN 60947-4-1
  – Power contactors
  – Relays with positively driven contacts according to DIN EN 50205
– Use relays or contactors with positively driven N/C contacts to safely monitor the state (pick-up, drop-out).
– Please observe any special environmental requirements in your application when selecting the controlled devices.
– Please note applicable C standards in your application (e.g., EN 1010), in which, for example, the number of controlled devices required to achieve a particular category is specified.
2.6 Connection options for actuators depending on the parameterization
Actuators that meet various safety requirements depending on the parameterization can be connected to the outputs. For connection examples, please refer to Section 6, "Connection examples for safe outputs".
The maximum achievable SIL/SIL CL/Cat./PL is specified in the table. In order to achieve this:
– Observe the information in the connection examples (see Section 6, "Connection examples for safe outputs")
– Observe the requirements of the standards with regard to the external wiring and the actuators to be used to achieve a SIL/SIL CL/Cat./PL (see "Measures required to achieve a specific safety integrity level" on page 6-3)

Output: OUT0 to OUT3

| "Output" parameterization | Single-channel | Two-channel |
| --- | --- | --- |
| Test pulses | Any | ON/OFF* |
| Achievable category | SIL 2/SIL CL 2/Cat. 3/PL d | SIL 3/SIL CL 3/Cat. 4/PL e |
| For connection example, see page | 6-5 | 6-8 |

Key:
* If the test pulses are disabled, a cross circuit between the outputs is only detected if the output is enabled.
To achieve Cat. 3, two-channel actuators are usually used.
Observe the module startup time of approximately 16 s. During this time the D LED flashes at 4 Hz and the bus cannot be started up.
Do not start to download the configuration and parameter data record until the firmware has started up (approx. 16 s; bit SA = 1 in Dev-Reg-LPSDO; see Appendix A 5.2 on page A-17).
2.7 Local diagnostic and status indicators
Figure 2-3 Local diagnostic and status indicators of the IC220SDL953 module
Table 2-1 Local diagnostic and status indicators

D (green LED): Diagnostics
– OFF: Communications power is not present
– Flashing at 0.5 Hz: Communications power present, local bus not active
– Flashing at 4 Hz: Communications power present, error at the interface between previous and flashing terminal (the terminals after the flashing terminal cannot be addressed). (E.g., loose contact at the bus interface, terminal before the flashing terminal has failed, another terminal was snapped on during operation (not permitted))
– ON: Communications power present, local bus active

FS (red LED): Failure state
– Flashing at 1 Hz: Device not parameterized or parameterization was not accepted
– ON: Hardware fault. The output drivers are reset, there is no communication to the satellites. Or: Impermissible switch position. The module will respond to certain impermissible switch positions by entering the failure state immediately after power up.

UM (green LED): Monitoring the supply voltage UM
– OFF: Communications power is not present
– Flashing at 1 Hz: UM below the permissible voltage range (undervoltage)
– ON: UM present

P (green LED): Status indicator for communication
– OFF: IC220SDL953 not parameterized
– Flashing at 0.5 Hz: IC220SDL953 is parameterized, but safe communication is not running to at least one satellite
– ON: Communication OK. IC220SDL953 is parameterized and safe communication is running without any errors to all configured satellites. If no satellites have been configured: IC220SDL953 is parameterized. Corresponds to COK bit = 1 (see "Dev-Diag-LPSDO (LPSDO diagnostics)" on page A-18)

OUT 0.1 - 3.2 (green/red LED): Status of each output (see "Terminal point assignment" on page 3-3)
– Green: Output at logic 1
– OFF: Output at logic 0, no error
– Red ON: Short circuit/overload of an output (This diagnostic message is stored temporarily on the module. The message is stored in the volatile memory and will be lost after a voltage reset.)

In the event of an error (red LED ON), the output is switched off until the acknowledgment sent by the controller is received by the safety module (see also "Safe digital output errors" on page 8-4).
2.8 Safe state
The safe state for the module is the low state at the output terminals (see "Safe digital outputs" on page 2-3).
The safe state can be entered in the following cases:
1. Operating state
2. Error detection in I/O devices
3. Device errors
4. Parameterization errors
2.8.1 Operating state
In the operating state, the outputs can enter states "1" or "0". In general, state "0" is the safe state.
WARNING: Loss of the safety function possible due to undetected accumulation of errors
Also evaluate the diagnostics of modules that are not used, but are connected to the power supply, at regular intervals or disconnect these modules from the supply voltage.
2.8.2 Error detection in I/O devices
Outputs
If an error is detected at an output, the affected output is disabled ("0" = OFF = safe state).
Depending on the parameterization, the following errors can be detected at outputs:
– Short circuit
– Cross circuit
– Overload
The relevant diagnostic message is transmitted to the controller (see "Safe digital output errors" on page 8-4). For information about which errors are detected and when, please refer to "Connection examples for safe outputs" on page 6-1.
If an error occurs on a channel of an output parameterized as "two-channel", the other corresponding channel also enters the safe state.
2.8.3 Device errors
Outputs
If a hardware fault in the internal circuit is detected at an output, all module outputs are disabled ("0" = OFF = safe state).
The relevant diagnostic message is transmitted to the controller (see "Safe digital output errors" on page 8-4).
Serious errors
All serious errors that can result in the loss of or adversely affect the safety function cause the entire module to enter the safe state. The FS LED on the safety module is permanently on.
The following errors result in the safe state:
– Serious hardware faults in the internal circuit
– User errors
– Module overload
– Module overheating
– Faulty supply voltage
– Impermissible switch position, DIP switches
The relevant diagnostic message is transmitted to the controller (see "Errors: Messages and removal" on page 8-1).
WARNING: Loss of the safety function due to sequential errors
In the event of a device error, the following measures should be taken to prevent sequential errors:
Disconnect the module from the power supply and replace it.
2.8.4 Parameterization errors
Parameterization errors are indicated:
– As long as the module is not parameterized
or
– In the event of faulty parameterization
Parameterization errors cause the entire module to enter the safe state. The FS LED on the safety module flashes.
In the event of faulty parameterization, the relevant diagnostic message is transmitted to the controller (see "Parameterization errors" on page 8-6).
Exception: If an output is operated in stop category 1 and this output is within the switch-off delay time, then another instance of faulty parameterization results in the entire module switching to the safe state only once the switch-off delay time has elapsed.
2.9 Process data words
The module uses 8, 16, or 24 words in the VersaPoint system. How these words are mapped is described in "Process image" on page A-13.
The input data only indicates the actual status of the outputs if no bus errors or device errors are present. Even during the parameterized switch-off delay in stop category 1, the status of the outputs on the module does not correspond to the status of the outputs on the controller.
The parameterization of the outputs determines whether the input data is mapped in single-channel or two-channel mode. The value for "parameterized output" for the outputs is also set for the input data.
2.10 Programming data/configuration data
2.10.1 Local bus

| Operating mode | VersaSafe 24 words | VersaSafe 16 words | VersaSafe multiplexer |
| --- | --- | --- | --- |
| ID code | ABhex (171dec) | ABhex (171dec) | ABhex (171dec) |
| Length code | 18hex (24dec) | 10hex (16dec) | 08hex (08dec) |
| Input address area | Application-specific | Application-specific | Application-specific |
| Output address area | Application-specific | Application-specific | Application-specific |
| Parameter channel (PCP) | 0 words | 0 words | 0 words |
| Register length | 24 words | 16 words | 8 words |

2.10.2 Other bus systems or networks
The programming data/configuration data is defined in the device description (FDCML, GSD, GSDML, etc.) according to the bus or network used.
3 VersaPoint potential and data routing, and VersaPoint connectors
3.1 VersaPoint potential and data routing
For operation, the safety module must be integrated in a VersaPoint station within the VersaSafe system.
The bus signals are transmitted via the VersaPoint data jumpers. The required supply voltages are transmitted via the VersaPoint potential jumpers.
For more detailed information about potential and data routing within a VersaPoint station, please refer to the GFK-2736 user manual.
The segment circuit is looped through the safety module and is available again after the module. The segment circuit cannot be accessed in the safety module.
3.2 Supply voltage UL
Feed in the 24 V supply voltage UBK/U24V at a bus coupler or a suitable power terminal. The 7.5 V voltage UL is generated from this 24 V supply voltage in the bus coupler or power terminal. It is made available to the safety module via the VersaPoint potential jumper UL.
WARNING: Loss of the safety function when using unsuitable power supplies
For the voltage supply at the bus coupler or power terminal, please note: Only power supplies according to EN 50178/VDE 0160 (PELV) may be used. Please also observe the points in "Electrical safety" on page 1-2.
The supply voltage UL is used to supply the bus controller board and the communications power. For technical data for the supply voltage UL, please refer to "Supply voltage UL (logic)" on page 10-3.
The maximum current carrying capacity for the supply voltage UL is 2 A. This current carrying capacity can be reduced if certain terminals are used. Please refer to the information in the terminal-specific data sheets.
3.3 Supply voltage UM
Feed in the supply voltage at a bus coupler or a power terminal. It is made available to the safety module via the VersaPoint potential jumper UM.
WARNING: Loss of the safety function when using unsuitable power supplies
For the voltage supply at the bus coupler or power terminal, please note: Only power supplies according to EN 50178/VDE 0160 (PELV) may be used. Please also observe the points in "Electrical safety" on page 1-2.
The supply voltage UM is used to supply the output circuits. For technical data for the supply voltage UM, please refer to "Supply voltage UM (actuators)" on page 10-3.
The maximum current carrying capacity for the main circuit UM is 8 A (total current with the segment circuit that is not used in the safety terminal). This current carrying capacity can be reduced if certain terminals are used. Please refer to the information in the terminal-specific data sheets.
If the limit value of the potential jumpers UM and US is reached (total current of US and UM), a new power terminal must be used.
NOTE: Module damage due to polarity reversal
Polarity reversal places a burden on the electronics and, despite protection against polarity reversal, can damage the module. Therefore, polarity reversal must be prevented.
For the behavior of the safety module in the event of an error at the supply voltage, please refer to "Supply voltage errors" on page 8-5.
Figure 3-1 Supply UM with connection to functional earth ground according to EN 60204-1
Labels in the figure: US for supply at a bus coupler or a power terminal (not required in the safety terminal); UM for supply at a bus coupler or a power terminal; GND for supply at a bus coupler or a power terminal; 230 V; 24 V DC (PELV); external fuse, 8 A maximum.
WARNING: Loss of functional safety due to parasitic voltages
Feed in the supply voltages UM and US at a bus coupler and/or a power terminal from the same power supply unit, so that the loads of IC220SDL953 are not affected by parasitic voltages in the event of an error.
NOTE: Damage to module electronics in the event of surge voltage
Do not use a DC distribution network.
DC distribution network according to IEC 61326-3-1: A DC distribution network is a DC power supply network, which supplies a complete industrial hall with DC voltage and to which any device can be connected. A typical system or machine distribution is not a DC distribution network. For devices that are provided for a typical system or machine distribution, the DC connections are viewed and tested as I/O signals according to IEC 61326-3-1.
3.4 Terminal point assignment
Figure 3-2 Terminal point assignment
The VersaPoint connectors are supplied with the module. They are keyed and labeled accordingly for connection to prevent polarity reversal. If other connectors are used according to the ordering data, they must also be keyed.
Only use the connectors supplied with the module or connectors that are approved as replacement items (see "Ordering data: Accessories" on page 10-7).
The following applies for the tables below:
– All outputs are safe digital outputs
– 0 V (GND): Common ground for outputs
– FE: Common functional earth ground
Table 3-1 Terminal point assignment for connector 1

| Terminal point | Signal | Channel assignment | LED |
| --- | --- | --- | --- |
| 1.1 | OUT0_Ch1 | Output 0, channel 1 | 0.1 |
| 2.1 | OUT0_Ch2 | Output 0, channel 2 | 0.2 |
| 1.2 | Not used | | |
| 2.2 | Not used | | |
| 1.3 | 0 V (GND) | Channel 1 and channel 2 | |
| 2.3 | 0 V (GND) | Channel 1 and channel 2 | |
| 1.4 | FE | | |
| 2.4 | FE | | |
Table 3-2 Terminal point assignment for connector 2

| Terminal point | Signal | Channel assignment | LED |
| --- | --- | --- | --- |
| 3.1 | OUT1_Ch1 | Output 1, channel 1 | 1.1 |
| 4.1 | OUT1_Ch2 | Output 1, channel 2 | 1.2 |
| 3.2 | Not used | | |
| 4.2 | Not used | | |
| 3.3 | 0 V (GND) | Channel 1 and channel 2 | |
| 4.3 | 0 V (GND) | Channel 1 and channel 2 | |
| 3.4 | FE | | |
| 4.4 | FE | | |
Table 3-3 Terminal point assignment for connector 3

| Terminal point | Signal | Channel assignment | LED |
| --- | --- | --- | --- |
| 5.1 | OUT2_Ch1 | Output 2, channel 1 | 2.1 |
| 6.1 | OUT2_Ch2 | Output 2, channel 2 | 2.2 |
| 5.2 | Not used | | |
| 6.2 | Not used | | |
| 5.3 | 0 V (GND) | Channel 1 and channel 2 | |
| 6.3 | 0 V (GND) | Channel 1 and channel 2 | |
| 5.4 | FE | | |
| 6.4 | FE | | |
Table 3-4 Terminal point assignment for connector 4

| Terminal point | Signal | Channel assignment | LED |
| --- | --- | --- | --- |
| 7.1 | OUT3_Ch1 | Output 3, channel 1 | 3.1 |
| 8.1 | OUT3_Ch2 | Output 3, channel 2 | 3.2 |
| 7.2 | Not used | | |
| 8.2 | Not used | | |