Rockwell PowerFlex 70, GuardLogix Safety Application Manual

Safety Application Example

PowerFlex 70 Safe-Off Control EtherNet/IP Guard I/O Safety Module and GuardLogix Integrated Safety Controller

Safety Rating: Category 3 according to EN954-1 (also see Achieving a Cat. 4 Safety Rating)

Introduction ........................... 2
Important User Information ............. 2
General Safety Information ............. 3
Description ............................ 4
Setup and Wiring ....................... 5
Configure .............................. 8
Programming ........................... 13
Performance Data ...................... 17
Achieving a Cat. 4 Safety Rating ...... 19
Additional Resources .................. 22
Introduction

In September 2006, NFPA 79 added an exception to the requirement for disconnection of an actuator any time an E-stop is invoked. Safety PLCs and other programmable devices such as drives are now allowed to be the final switching element, provided they are designed to relevant safety standards. This change is also in effect in IEC 60204-1. With this modification, manufacturers will see a significant cost savings in terms of equipment, wiring, and cabinet space.

DriveGuard safety solutions for Allen-Bradley PowerFlex AC drives prevent a drive from delivering rotational energy to motors by integrating an optional safety board in series with the power switching signals. Along with a separate dedicated enable input on the base drive, this option provides a certified solution that meets EN954-1, Category 3 (safe-off and protection against restart).
Features and Benefits

This application setup offers the following features and benefits:

- This configuration increases the life of the drive because of the use of soft stopping, such as removal of power to the gate firing circuits of the drive's output power devices.
- This configuration requires a smaller panel size by using a control contactor included within the PowerFlex DriveGuard drives to replace external power contactors.
- A drive with safe-off capabilities can offer increased productivity through reduced downtime.

Important User Information

Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1, available from your local Rockwell Automation sales office or online at http://literature.rockwellautomation.com) describes some important differences between solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselves that each intended application of this equipment is acceptable.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Publication SAFETY-AT017B-EN-P – July 2011
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

General Safety Information

This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

A risk assessment should be performed to make sure all task and hazard combinations have been identified and addressed. The risk assessment may require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety distance calculations, which are not part of the scope of this document.

Contact Rockwell Automation to find out more about our safety risk assessment services.

Description

This application example shows how to control a PowerFlex 70 drive with DriveGuard Safe-Off, via a GuardLogix integrated safety controller and an EtherNet/IP Guard I/O safety module. An emergency stop pushbutton and a Trojan gate interlock switch are used as safety inputs within this safety system.
Safety Function
The EtherNet/IP Guard I/O safety module uses its test pulse outputs to continually send pulses over the E-stop and interlock switch safety circuits in order to detect faults. These faults include shorts to 24V DC and between channels.
The GuardLogix safety controller monitors the status of the E-stop pushbutton and safety interlock switch. When the interlock conditions defined within programming logic are satisfied, the safety outputs of the EtherNet/IP Guard I/O safety module can be enabled. These safety outputs are used to control the Safe-Off and Drive Enable inputs on the PowerFlex 70 drive.
This example meets the requirements of Category 3 according to EN954-1, which is Safe-Off and protection against restart.
Example Bill of Material

This application example uses these components.

Part Number        Description                                          Quantity
1791ES-IB8XOBV4    Safety I/O module with solid state outputs           1
1756-L61S          GuardLogix safety controller                         1
1756-LSP           GuardLogix safety partner                            1
1756-A4            4 slot chassis                                       1
1756-ENBT/A        Ethernet module                                      1
1756-PA72          ControlLogix power supply                            1
440K-T11365        Trojan Interlock, 2NC + 1NO, MBB, QD, Fully Flex     1
800FM-MT44         E-stop Button 40mm, maintained, twist to release     1
800FP-F4           800F pushbutton, red                                 1
800FP-F0           800F pushbutton, amber                               1
20AB4P2A3NYNNG1    PowerFlex 70 drive                                   1
20A-DG01           DriveGuard Safe-Off board                            1
Setup and Wiring

For detailed information on installing and wiring, refer to the product manuals listed in the Additional Resources.

System Overview

[System overview diagram: GuardLogix Controller and EtherNet/IP Guard I/O module connected over EtherNet/IP; Emergency Stop, Trojan Interlock Switch, Fault Reset and Circuit Reset wired to the Guard I/O module; PowerFlex 70 with DriveGuard.]

Wiring

This diagram shows the appropriate wiring. [Wiring diagram not reproduced.]
Wiring Considerations

The following wiring considerations should be addressed for your application:

- The common for the digital input board on the PowerFlex 70 must be tied to the output common for the 1791ES-IB8XOBV4 module.
- This application example requires that a digital input on the PowerFlex 70 drive be configured for Drive Enable. This input must be controlled by the Guard I/O safety module.
- The Drive Enable digital input on the PowerFlex 70 drive is a solid state circuit. For this reason, the safety outputs on the Guard I/O safety module must not be configured for Safety Pulse Test, as the test pulses may interfere with the operation of the digital input.
- If your risk assessment determines you must pulse test your safety output circuits in order to catch shorts of the P terminal to 24V or the M terminal to 0V, refer to Achieving a Cat. 4 Safety Rating for an alternative wiring schematic.
Reaction to Faults

Based on the wiring and safety module configuration shown in this application example, this section details how the safety module responds to line faults incurred between the safety outputs and the PowerFlex 70 drive. Both channels start HI in every case.

Channel-to-channel Short

Fault            Channel   Start   Immediate Reaction   Immediate Detection
P shorted to M   P         HI      LO                   Yes*
                 M         HI      LO                   Yes*

Short to 24V

Fault            Channel   Start   Immediate Reaction   Immediate Detection
P to 24V         P         HI      HI                   Undetectable
                 M         HI      HI                   -
M to 24V         P         HI      LO                   -
                 M         HI      LO                   Yes*

Short to 0V

Fault            Channel   Start   Immediate Reaction   Immediate Detection
P to 0V          P         HI      LO                   Yes*
                 M         HI      LO                   -
M to 0V          P         HI      HI                   -
                 M         HI      HI                   Undetectable

Wire OFF

Fault            Channel   Start   Immediate Reaction   Immediate Detection
P wire off       P         HI      LO                   Yes**
                 M         HI      LO                   -
M wire off       P         HI      LO                   -
                 M         HI      LO                   Yes**

* These faults result in the output status going LO. The error remains for the duration of the Output Error Latch Time configured in the module properties.
** These faults result in the output status remaining HI. The feedback of the ROUT instruction detects this type of fault.
Fault Exclusion Affecting Category Rating

There is a combination of undetected faults that could cause a dangerous failure of the safety function in this application. The accumulation of the following two faults would prevent your safety system from stopping the PowerFlex 70 drive:

- Short of the P terminal to 24V
- Short of the M terminal to 0V

If a P terminal short to 24V and/or an M terminal short to 0V are faults that must be detected, as determined by your risk assessment, refer to Achieving a Cat. 4 Safety Rating for an alternative wiring scheme.

Configure

Set the Network IP Address for the 1791ES-IB8XOBV4 Module

The module ships with the rotary switches set to 999 and DHCP enabled. To support the hardware configuration shown above, use the configuration described below.

Set the network address using one of the following methods:

- Adjust the three switches on the front of the module.
- Use a Dynamic Host Configuration Protocol (DHCP) server, such as the Rockwell Automation BootP/DHCP Server Utility.
- Retrieve the IP address from nonvolatile memory.

Using the Rotary Switches to Set the Network IP Address

The module reads the switches first to determine if the switches are set to a valid number.

Set the network address by adjusting the three switches on the front of the module. Valid settings range from 001…254. When the switches are set to a valid number, the module's IP address is 192.168.1.xxx (xxx represents the number set on the switches).

The module's subnet mask is 255.255.255.0 and the gateway address is set to 0.0.0.0. When the module is reading the network address set on the switches, the module does not have a host name assigned to it nor does it use any Domain Name System.

If the switches are set to an invalid number (such as 000 or a value greater than 254), the module checks to see if DHCP is enabled. If DHCP is enabled, the module asks for an address from a DHCP server. The DHCP server also assigns other transport control protocol (TCP) parameters.
Using the Rockwell Automation BootP/DHCP Server Utility

Follow these steps to use the Rockwell Automation BootP/DHCP Server Utility to set the network IP address.

1. Identify the target module by the MAC address listed on the EtherNet/IP Guard I/O safety module. The MAC address is displayed in the BootP/DHCP Server Utility.
2. Select the entry with the MAC address that corresponds with your target module to define the address and Transport Control Parameters for the module.
3. After the new IP address is displayed in the BootP/DHCP Server Utility, disable BootP/DHCP so that the module retains the assigned address rather than requesting one at every power-up.

If DHCP is not enabled, the module uses the IP address (along with other TCP configurable parameters) stored in nonvolatile memory.
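The address-selection order above (switches, then DHCP, then nonvolatile memory) decides whether the safety I/O module has a fixed identity on the network or takes whatever a DHCP server on the segment offers at each power-up. The following model of that decision is an added example for this page, not Rockwell code; the 1791ES-IB8XOBV4 has no such API, and every function and field name here is the example's own. The DHCP lease and stored address passed in are constructed inputs. The depends_on_dhcp_server check is the one a commissioning checklist should run after step 3: a module that still reports True will solicit an address from any DHCP server that answers.

```python
"""Model of the 1791ES-IB8XOBV4 power-up address selection: rotary switches first,
then DHCP, then nonvolatile memory. Added example, not Rockwell code."""

from dataclasses import dataclass
from typing import Optional

# Fixed values the manual gives for a switch-set address.
SWITCH_PREFIX = "192.168.1."
SWITCH_MASK = "255.255.255.0"
SWITCH_GATEWAY = "0.0.0.0"
FACTORY_SWITCH_SETTING = 999      # as shipped: invalid, so the module falls through to DHCP


@dataclass(frozen=True)
class NetConfig:
    source: str                   # "switches", "dhcp" or "nonvolatile"
    ip: Optional[str]             # None while the module is still waiting for an address
    mask: Optional[str] = None
    gateway: Optional[str] = None


def switches_valid(setting: int) -> bool:
    """Valid rotary settings are 001...254; 000 and anything above 254 are invalid."""
    return 1 <= setting <= 254


def resolve_address(switches: int, dhcp_enabled: bool,
                    dhcp_lease: Optional[NetConfig] = None,
                    stored: Optional[NetConfig] = None) -> NetConfig:
    """Return the configuration the module will run with.

    dhcp_lease is what a DHCP server on the segment would offer (None if no server
    answers); stored is the address held in nonvolatile memory. Both are constructed
    inputs for this example."""
    if switches_valid(switches):
        # Switches win outright: fixed mask and gateway, no host name, no DNS.
        return NetConfig("switches", f"{SWITCH_PREFIX}{switches}", SWITCH_MASK, SWITCH_GATEWAY)
    if dhcp_enabled:
        # Invalid switches with DHCP on: the module asks the network for an address
        # and accepts whatever it is offered, on every power-up.
        if dhcp_lease is None:
            return NetConfig("dhcp", None)
        return NetConfig("dhcp", dhcp_lease.ip, dhcp_lease.mask, dhcp_lease.gateway)
    # Invalid switches with DHCP off: use the address saved in nonvolatile memory.
    if stored is None:
        return NetConfig("nonvolatile", None)
    return NetConfig("nonvolatile", stored.ip, stored.mask, stored.gateway)


def depends_on_dhcp_server(switches: int, dhcp_enabled: bool) -> bool:
    """True when the module will still solicit an address at the next power-up,
    i.e. step 3 of the BootP/DHCP procedure (disable DHCP) has not been done."""
    return not switches_valid(switches) and dhcp_enabled


def as_shipped() -> NetConfig:
    """Factory state: switches at 999 with DHCP enabled and no server answering yet."""
    return resolve_address(FACTORY_SWITCH_SETTING, dhcp_enabled=True)
```

On a safety network, prefer the rotary switches or a stored address with DHCP disabled: both make the module's identity independent of any server on the segment, which is the state the BootP/DHCP procedure above leaves the module in once DHCP has been disabled.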
Configuring the 1791ES-IB8XOBV4 Guard I/O Safety Module in RSLogix 5000 Software

In the RSLogix 5000 project, the 1791ES-IB8XOBV4 module is added to the I/O Configuration under the 1756-ENBT EtherNet/IP bridge module.

Set the Module Properties

The 1791ES-IB8XOBV4 module is configured as follows.

1. On the General tab of the 1791ES-IB8XOBV4 Module Properties dialog box, configure the following fields:
   Name: Unique module name
   IP Address: IP address of target module
2. Click Change to open the Module Definition dialog box.
3. Configure the module in the Module Definition dialog box. Combined Status consolidates all eight input status bits into a single status bit. The same is true for Output Data. For status bits for individual input/output/test points, choose an alternative Input/Output Status data format.
4. Make edits on the Connection and Safety tabs to match your application requirements. This example uses the default data in the Connection and Safety tabs. The data should be changed based on the throughput requirements of your system.
Edit the Module's Input Configuration

1. Select the Input Configuration tab.
2. Select one of the following under Point Mode:
   Standard – Input circuits not tested internally
   Safety – Input circuits tested internally
   Safety Pulse Test – Input circuits tested internally and wired to a Test Source for pulse testing
3. Select Inputs 0 and 1 for the E-stop. These are configured as Safety Pulse Test and utilize Test Sources 0 and 1, respectively.
4. Select Inputs 2 and 3 for the Interlock Switch. These are configured as Safety Pulse Test and utilize Test Sources 0 and 1, respectively.
5. Select Inputs 4 and 5 for the Safety Circuit Reset and Fault Reset buttons. These are not safety inputs, so they are configured as Standard.
6. Select Input 7 to monitor the feedback from the Safe-Off relay in the PowerFlex 70 drive. This is a Standard input.

Edit the Module's Test Output Configuration

1. Select the Test Output tab.
2. Configure Test Outputs 0 and 1 as Pulse Test.
3. Configure Output 7 as a Power Supply for the monitoring circuit.

Edit the Module's Output Configuration

1. Select the Output tab.
2. Configure Output points 6 and 7 as Safety outputs, because they are used to control the Safe-Off relay and Drive Enable digital input in the PowerFlex 70 drive. To prevent the test pulse from causing the Drive Enable digital input to malfunction, Rockwell Automation recommends that these safety outputs are configured as Safety rather than Safety Pulse Test.

Programming

This section details how to program your GuardLogix project based on the wiring and configuration detailed in the previous sections. The programming code for this application example was generated using the Safety Accelerator Toolkit for GuardLogix Systems (publication IASIMP-QS005). This toolkit provides easy-to-use system design, programming, and diagnostic tools to assist you in the rapid development and deployment of your safety systems using Rockwell Automation's GuardLogix controller, Guard I/O, and safety devices.
Safety Tags

The safety logic shown below requires the creation and use of the safety tags named in the rung descriptions that follow.

Safety Logic

The following code should be programmed in a routine within your Safety Task in the GuardLogix controller.

Emergency Stop Safety Logic

The E-stop instruction provides SIL 3 level diagnostics for a dual-channel emergency stop function. The E-stop monitors input channels for consistency and detects and traps faults (inconsistency greater than 500 ms).

The Reset Type is configured as Automatic for continuous monitoring of input device states. Using Automatic reset functionally moves the Safety Output Reset function from the E-stop instruction (Circuit Reset) to the Safety Output logic. Because the Circuit Reset function is not performed within this instruction, a dummy tag named None is used as a placeholder.

Input status is not monitored because the input data will go LO if the channel faults. The safety code in the safety output routine will prevent outputs from restarting when the E-stop resets automatically.

The InputOK status is used as one of the permissives in the safety output routines.

Gate Switch Safety Logic

The RIN instruction provides SIL 3 level diagnostics for a dual-channel Redundant Input function. The RIN monitors input channels for consistency and detects and traps faults (inconsistency greater than 500 ms). In this application, the RIN instruction monitors the status of the two channels from the Trojan interlock switch.
Safety Input Interlock Rung

This rung includes the safety device input interlocks, with tag names Sts_Zone1_EStop_InputOK and Sts_Zone1_GateSwitch_InputOK, that energize the Sts_Zone1_InputsOK OTE instruction. These interlock tags are driven by the individual safety device input logic rungs shown earlier. The Sts_Zone1_InputsOK tag is then included in the Output Enable Rung, which drives the ROUT instruction.

Output Enable Rung

This rung provides the operator action required to reset or enable the safety zone output. The operator action is a HI transition of Cmd_Zone1_SafetyReset. It latches the output enable until either a demand is placed on a safety input, there is an input channel or output channel fault, or there is a feedback fault on the output circuit. The Sts_Zone1_InputsOK tag will go LO in the event of a demand on any safety input or a fault on any safety input channel within the zone.

The CombinedOutputStatus will go LO if any output channel on the 1791ES Guard I/O module faults or there is a connection timeout to the I/O module. The .FP (feedback fault present) bit of the ROUT instruction drops out the output enable in the event of a feedback fault, so that reset or enable cannot occur without operator action.

Safety Output Rungs

This rung controls the dual outputs on the 1791ES Guard I/O module named CellGuard1. The ROUT instruction outputs, O1 and O2, are used to drive safety outputs 6 and 7 (tags CellGuard1:O.Pt06Data and CellGuard1:O.Pt07Data), which are wired to the PowerFlex 70 Safe-Off relay and Drive Enable digital input.

Reassignment of the feedback and output channels must be made to match your unique safety wiring configuration.
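The rungs above (the E-stop and gate switch input checks, the Safety Input Interlock rung, the Output Enable rung and the ROUT feedback check) together implement "protection against restart": after a demand is cleared, the outputs stay off until an operator produces a new HI transition of the reset command, and a trapped channel or feedback fault blocks that reset. The following scan-cycle model is an added example for this page, not the manual's ladder logic and not Rockwell instruction code; it shows the behaviour a practitioner should verify on the real system. Assumptions labelled in the code: the ROUT feedback on Input 7 is negative feedback, so the monitoring contact reads HI when the Safe-Off relay is de-energized and the inverse of the last output command otherwise; a feedback mismatch is tolerated for FEEDBACK_REACTION_MS; a trapped channel fault clears once both channels of that device have been opened together; and the Fault Reset clears FP only with the outputs off and the feedback consistent. The event sequence in run_scenario is constructed.

```python
"""Scan-cycle model of the zone safety rungs described above. Added example, not the
manual's ladder logic. Timing rules marked "assumed" are this model's, not the instructions'."""

from dataclasses import dataclass, field
from typing import List, Tuple

DISCREPANCY_LIMIT_MS = 500     # from the manual: channel inconsistency > 500 ms is trapped
FEEDBACK_REACTION_MS = 500     # assumed ROUT feedback reaction time


@dataclass
class DualChannelInput:
    """ESTOP / RIN style dual-channel check with Automatic reset."""
    discrepancy_ms: int = 0
    fault: bool = False

    def scan(self, ch_a: bool, ch_b: bool, dt_ms: int) -> bool:
        if ch_a != ch_b:
            self.discrepancy_ms += dt_ms
            if self.discrepancy_ms > DISCREPANCY_LIMIT_MS:
                self.fault = True                      # trapped: stays set until cleared
        else:
            self.discrepancy_ms = 0
            if not ch_a and not ch_b:
                self.fault = False                     # assumed: both channels opened together
        return ch_a and ch_b and not self.fault        # the instruction's InputOK


@dataclass
class Zone:
    estop: DualChannelInput = field(default_factory=DualChannelInput)
    gate: DualChannelInput = field(default_factory=DualChannelInput)
    enable: bool = False          # Output Enable latch; drives Pt06Data and Pt07Data together
    fp: bool = False              # ROUT feedback fault present
    fb_mismatch_ms: int = 0
    last_reset: bool = False

    def scan(self, estop_a, estop_b, gate_a, gate_b, reset_cmd, fault_reset,
             combined_output_status, feedback, dt_ms) -> bool:
        estop_ok = self.estop.scan(estop_a, estop_b, dt_ms)
        gate_ok = self.gate.scan(gate_a, gate_b, dt_ms)
        inputs_ok = estop_ok and gate_ok                    # Sts_Zone1_InputsOK
        # ROUT feedback (assumed negative): the monitoring contact must read the
        # inverse of the command issued on the previous scan.
        if feedback == self.enable:
            self.fb_mismatch_ms += dt_ms
            if self.fb_mismatch_ms > FEEDBACK_REACTION_MS:
                self.fp = True
        else:
            self.fb_mismatch_ms = 0
            if fault_reset and not self.enable:
                self.fp = False                             # assumed clearing rule
        # Output Enable rung: a HI transition of the reset command is required;
        # the latch never re-closes by itself when the permissives return.
        rising_reset = reset_cmd and not self.last_reset
        self.last_reset = reset_cmd
        permissive = inputs_ok and combined_output_status and not self.fp
        if not permissive:
            self.enable = False
        elif rising_reset:
            self.enable = True
        return self.enable


def run_scenario() -> List[Tuple[str, bool]]:
    """Constructed event sequence; returns (event, outputs energized) per 100 ms scan."""
    z = Zone()
    base = dict(estop_a=True, estop_b=True, gate_a=True, gate_b=True, reset_cmd=False,
                fault_reset=False, combined_output_status=True, feedback=None, dt_ms=100)
    trace = []

    def step(event, **changes):
        args = {**base, **changes}
        if args["feedback"] is None:                 # healthy relay follows the last command
            args["feedback"] = not z.enable
        trace.append((event, z.scan(**args)))

    step("power-up, no reset yet")                          # off
    step("reset pressed", reset_cmd=True)                   # on
    step("reset released")                                  # on, latched
    step("gate opened", gate_a=False, gate_b=False)         # off: demand on a safety input
    step("gate closed")                                     # still off: no automatic restart
    step("reset pressed", reset_cmd=True)                   # on
    for _ in range(6):                                      # 600 ms > FEEDBACK_REACTION_MS
        step("relay wire-off, feedback shows dropped out", feedback=True)
    step("reset pressed with FP set", reset_cmd=True)       # stays off: FP blocks the enable
    step("fault reset after repair", fault_reset=True)      # FP cleared, outputs still off
    step("reset pressed", reset_cmd=True)                   # on
    return trace
```

The wire-off case in the scenario is the one the fault tables flag with **: the module's own output status stays HI, so only the ROUT feedback check catches it. If the model were extended to the P-to-24V plus M-to-0V combination from the Fault Exclusion section, nothing in this logic would see it either, which is why that pair is excluded by rating rather than detected.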

Performance Data

Worst-case Reaction Time Based on Safety System

Typically, both channels are HI coming from the interlock switch and the E-stop. If any one channel goes LO, the corresponding filter timer configured in the 1791ES-IB8XOBV4 module starts. If the channel is still LO when the filter times out, the output is turned OFF.

Worst case, the time this takes is the sum of the A to E path described below.

A – Input Module Delay: 16 ms + on/off delay filters
B – Input Connection Reaction Time Limit (CRTL). The Connection Reaction Time Limit is configured in the 1791ES Module Properties within RSLogix 5000 software. The Input Connection defaults to 4 x RPI.
C – GuardLogix Delay. The maximum delay for the GuardLogix controller is: Period + Task Watchdog
D – Output Connection Reaction Time Limit
E – Output Module Delay = 6 ms

Worst Case Reaction Time = A + B + C + D + E

Typical Reaction Time of Safety System

Typically, the time this takes is the sum of the A to E path described below.

A – Input Module Delay / (max / 2) = 8 ms + on/off delay filters
B – Input Connection Reaction Time / Input RPI
C – GuardLogix Delay. The typical delay time for the GuardLogix controller is: (Period / 2) + Task Scan Time
D – Output Connection Reaction Time / Output RPI = Task Period
E – Output Module Delay / (max / 2) = 3 ms

Typical Reaction Time = A + B + C + D + E
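The worst-case figure, not the typical one, is the number that feeds a safety distance calculation, and it depends on four project settings (input RPI, safety task period, task watchdog and input filter) plus the output connection's reaction time limit. The following calculation is an added example for this page, not from the manual: the 16 ms, 6 ms, 8 ms and 3 ms module delays and the 4 x RPI input default are taken from the text above; the RPI, task period, watchdog, scan time, filter and output CRTL values in example_timing are assumed for illustration and must be read from your own project.

```python
"""Worked reaction-time calculation along the A to E path above. Added example."""

from dataclasses import dataclass
from typing import Dict, Optional

INPUT_MODULE_DELAY_MAX_MS = 16.0    # A, worst case (manual)
INPUT_MODULE_DELAY_TYP_MS = 8.0     # A, typical, max / 2 (manual)
OUTPUT_MODULE_DELAY_MAX_MS = 6.0    # E, worst case (manual)
OUTPUT_MODULE_DELAY_TYP_MS = 3.0    # E, typical, max / 2 (manual)
DEFAULT_CRTL_RPI_MULTIPLIER = 4     # input connection reaction time limit default (manual)


@dataclass(frozen=True)
class SafetyTiming:
    input_rpi_ms: float        # RPI of the input connection (module properties)
    task_period_ms: float      # safety task period; the output RPI equals this
    task_watchdog_ms: float    # safety task watchdog
    task_scan_ms: float        # measured safety task scan time
    input_filter_ms: float     # on/off delay filter on the input point that carries the demand
    output_crtl_ms: float      # output connection reaction time limit (Safety tab)
    input_crtl_ms: Optional[float] = None   # None = left at the 4 x RPI default


def input_crtl_ms(t: SafetyTiming) -> float:
    if t.input_crtl_ms is not None:
        return t.input_crtl_ms
    return DEFAULT_CRTL_RPI_MULTIPLIER * t.input_rpi_ms


def worst_case_breakdown(t: SafetyTiming) -> Dict[str, float]:
    return {
        "A input module delay": INPUT_MODULE_DELAY_MAX_MS + t.input_filter_ms,
        "B input CRTL": input_crtl_ms(t),
        "C GuardLogix delay": t.task_period_ms + t.task_watchdog_ms,
        "D output CRTL": t.output_crtl_ms,
        "E output module delay": OUTPUT_MODULE_DELAY_MAX_MS,
    }


def typical_breakdown(t: SafetyTiming) -> Dict[str, float]:
    return {
        "A input module delay": INPUT_MODULE_DELAY_TYP_MS + t.input_filter_ms,
        "B input RPI": t.input_rpi_ms,
        "C GuardLogix delay": t.task_period_ms / 2 + t.task_scan_ms,
        "D output RPI": t.task_period_ms,
        "E output module delay": OUTPUT_MODULE_DELAY_TYP_MS,
    }


def worst_case_reaction_ms(t: SafetyTiming) -> float:
    return sum(worst_case_breakdown(t).values())


def typical_reaction_ms(t: SafetyTiming) -> float:
    return sum(typical_breakdown(t).values())


def example_timing() -> SafetyTiming:
    # Assumed values for illustration only; read yours from the RSLogix 5000 project.
    return SafetyTiming(input_rpi_ms=10, task_period_ms=20, task_watchdog_ms=40,
                        task_scan_ms=2, input_filter_ms=5, output_crtl_ms=80)


if __name__ == "__main__":
    t = example_timing()
    for name, value in worst_case_breakdown(t).items():
        print(f"{name:24s} {value:6.1f} ms")
    print(f"worst case total         {worst_case_reaction_ms(t):6.1f} ms")
    print(f"typical total            {typical_reaction_ms(t):6.1f} ms")
```

With the assumed values the worst case comes to 207 ms against a typical 58 ms; the gap is dominated by the two connection reaction time limits and the task watchdog, which is why shortening the RPI alone does little for the worst case if the CRTL multiplier and watchdog are left at their defaults.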

Achieving a Cat. 4 Safety Rating

In order to achieve Cat. 4, modifications must be made to the bill of materials, software configuration, and wiring schematic. The Category 3 solution used a drive enable digital input to the drive and the Safe-Off relay as switching signals to disconnect power to the motor. In that solution, there was no means to monitor the status of the Drive Enable digital input. In the Cat. 4 solution, the Drive Enable input is replaced with a safety contactor.
Modified Bill of Materials

A Cat. 4 solution requires a safety contactor which disconnects power to the motor that the PowerFlex 70 is controlling under a hazardous condition.

Catalog Number    Description                        Quantity
100S-C43DJ14BC    Bulletin 100S Safety Contactor     1

Choose a safety contactor that is rated for your application requirements.

Modified Wiring Schematic

This wiring diagram, using a safety contactor, illustrates turning off power to the motor under a hazardous condition. The safety contactor is turned on via the outputs from the EtherNet/IP Guard I/O module. The feedback contact of this contactor is chained with the feedback from the Safe-Off relay and fed back into Input 7 of the EtherNet/IP Guard I/O module. [Wiring diagram not reproduced.]

Modified Configuration

The safety Output Configuration for the Guard I/O module can now be configured for Safety Pulse Test. With Safety Pulse Test configured, shorts of the P terminal to 24V and shorts of the M terminal to 0V can be detected during system operation.
Additional Resources

For more information about the products used in this example, refer to these resources.

Resource: CompactBlock Guard I/O EtherNet/IP Safety Modules, publication 1791ES-IN001
Description: Provides installation instructions for the 1791ES-IB8XOBV4 module

Resource: Guard I/O EtherNet/IP Safety Modules, publication 1791ES-UM001
Description: Provides operation and troubleshooting information for the 1791ES-IB8XOBV4 module

Resource: GuardLogix Safety Application Instruction Set, publication 1756-RM095
Description: Describes the Safety Application Instruction Set for the GuardLogix controller

Resource: GuardLogix Controller Systems, publication 1756-RM03
Description: Explains how the GuardLogix controller can be used in safety applications

Resource: DriveGuard Safe-Off Option for PowerFlex 70 Drives, publication PFLEX-UM001
Description: Provides installation, operation, and troubleshooting information for PowerFlex 70 drives with Safe-Off

Resource: Safety Accelerator Toolkit for GuardLogix Systems Quick Start, publication IASIMP-QS005
Description: Describes how to use the GuardLogix Safety System Design Tools available on the SAFETY-CL002 CD

You can view or download publications at http://literature.rockwellautomation.com. To order paper copies of technical documentation, contact your local Rockwell Automation distributor or sales representative.

Allen-Bradley, ControlLogix, DriveGuard, GuardLogix, PowerFlex, and Rockwell Automation are trademarks of Rockwell Automation, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.

Supersedes publication SAFETY-AT017A-EN-P – July 2008. Copyright © 2011 Rockwell Automation, Inc. All rights reserved. Printed in USA.