Rockwell Automation Kinetix-5500 User Manual

Kinetix 5500 CIP Safety:
Hands-On Lab
Training Lab Manual
Contents: About This Hands-On Lab; Lab Materials; Document Conventions; Before You Begin
Kinetix 5500 CIP Safety (Rev 1.00)
6/13/2014 Page 5 of 23
Lab 1: Network (CIP) Safety (20-30 Minutes)
About This Hands-On Lab
This lab provides an overview of Network Safety for servo drives, enabled by CIP Safety.
The following sections explain what you’ll be doing in this lab session, and what you will need to do to complete the hands-on exercises.
What You Will Accomplish In This Lab
As you complete the exercises in this hands-on session, you will:
Learn about the basic safety standards applied to servo drives and variable frequency drives.
Examine the difference between various methods for Safe Torque Off (STO).
See how to configure a Kinetix 5500 drive with Networked Safety.
Review and write ladder logic that could be used to execute STO in a Kinetix 5500 drive.
Who Should Complete This Lab
This hands-on lab is intended for individuals who have:
General Kinetix Motion Experience
Working Knowledge of Studio 5000
Ladder Programming Experience
Lab Materials
For this Hands-On lab, we have provided you with the following materials that will allow you to complete the labs in this workbook.
Hardware
This hands-on lab uses the following hardware:
Kinetix 5500 (-ERS2) CIP Safety Drive
ControlLogix Demo Box
Software
This hands-on lab uses the following software:
Studio 5000 v22
FactoryTalk View ME v6.0
Document Conventions
Throughout this workbook, we have used the following conventions to help guide you through the lab materials.

| This style or symbol: | Indicates: |
| --- | --- |
| Words shown in bold italics (e.g., RSLogix 5000 or OK) | Any item or button that you must click on, or a menu name from which you must choose an option or command. This will be an actual name of an item that you see on your screen or in an example. |
| Words shown in bold italics, enclosed in single quotes (e.g., 'Controller1') | An item that you must type in the specified field. This is information that you must supply based on your application (e.g., a variable). Note: When you type the text in the field, remember that you do not need to type the quotes; simply type the words that are contained within them (e.g., Controller1). |
| (gray box) | The text that appears inside of this gray box is supplemental information regarding the lab materials, but not information that is required reading in order for you to complete the lab exercises. |
| (tip symbol) | The text that follows this symbol may provide you with helpful hints that can make it easier for you to use this product. Most often, authors use this “Tip Text” style for important information they want their students to see. |

Note: If the mouse button is not specified in the text, you should click on the left mouse button.
Before You Begin
Even the most experienced motion control engineers occasionally struggle with complex applications. This lab will cover advanced topics such as finding an optimal tradeoff between response and stability when tuning, CAM instructions, drive multiplexing and more. Come along and learn practical solutions to getting that machine really flying!
The following steps must be completed before starting the lab exercise:
1. Install an L72S GuardLogix Controller (or other L7xS Controller) into a ControlLogix rack.
2. Connect an Ethernet cable between the EN2T Ethernet module and the Stratix 8000.
3. Connect an Ethernet cable between the Kinetix 5500 drive and the Stratix 8000.
<Equipment Setup Here>
Safety Basics
Variable frequency drives, servo drives, and motors in general are covered by a variety of safety standards. These standards fit into legal frameworks in different ways, depending on the region. Some of the standards are written around components (such as a drive), and others are written around the entire machine. The drives made by Rockwell Automation that support Functional Safety are all certified by an independent third party (TÜV Rheinland) to the following product standards:

| Standard | Title | Description | Kinetix 5500 Hardwired | Kinetix 5500 Networked |
| --- | --- | --- | --- | --- |
| ISO 13849-1 | Safety of Machinery - Safety-related Parts of Control Systems Part 1: General principles for design | Uses Performance Levels to define the risk of random dangerous failure for simple devices, including electromechanical components, and machine systems. | PLd | PLe |
| IEC 62061 | Safety of Machinery - Functional safety of safety-related electrical, electronic, and programmable electronic control systems | Uses Safety Integrity Levels to define the risk of random dangerous failure for complex electronic devices, such as Programmable Automation Controllers, and machine systems. | SILCL 2 | SILCL 3 |
| IEC 61800-5-2 | Adjustable speed electrical power drive systems Part 5-2: Safety Requirements - Functional | Defines the expected behavior for various safety functions that can be performed by variable frequency drives and servo drives. | Check | Check |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems | Uses Safety Integrity Levels to define the risk of random dangerous failure for any scale of electronic control system, from small machines to very complex processes. | SILCL 2 | SILCL 3 |
Certification to these standards implies that the drive can be used as a subsystem in a safety function up to the limit shown in the table. These certifications alone do not guarantee that the drive is implemented in the proper way. There are many aspects of the Machine Safety Lifecycle that are not covered in this tutorial that influence the overall Performance Level or Safety Integrity Level of a machine, including the:
Risk Assessment
Functional Requirements
Mitigation Design & Verification
Installation & Validation
Change Management & Improvements
For more information on any of these areas, please visit another session during this event focused on Safety Lifecycle Management, or consult with your local Rockwell Automation or distributor resources.
Safe Torque Off (STO)
One of the most visible and common hazards on machines comes from moving parts. Since many of these parts are moving because of motors attached to them, let's focus on ways to make those motors safe. At the most basic level, there is only one safety control function that can be performed with a motor - removal of torque producing power. This was done traditionally with Lock Out Tag Out (LOTO), to remove all sources of power from a machine. More recently, control power has been left on and motor power was removed through a variety of means.
With across the line motors, contactors were commonly placed in front of the motor. These contactors would be opened when a safety demand occurred, letting the motor coast to a stop. Using multiple contactors on the output side would be required for Category 3 and Category 4 circuits.
Since these contactors have to be sized relative to the current requirements of the motor, and then upsized to reduce chances of welding (according to the best safety practices), these aren't very convenient. They are also typically the most likely to fail in a high-cycle application. As an upside, it is very easy to monitor for failures and simple for electricians to triage. As drives were added to the control scheme, contactors maintained their relevance for a long time, but with some cautions:
Opening a contactor between the drive and the motor could have very high voltages, depending on the operational mode. This can lead to welding more frequently, and with older drives, burning out the drive.
Opening a contactor between the line and the drive requires the drive to completely reboot after the safety demand is reset. This adds to the recovery time from safety demands, and depending on the frequency of request, can lead to premature failure of the pre-charge circuitry in the drive.
Notice that the PLC doesn’t necessarily have any connection to the drive or the safety circuit. They aren't inherently connected. A lot of extra wiring is required if the standard control system needs to be aware of what is happening in the safety circuit, or with the drive.
When the functionality of the contactors is embedded in the drive, this feature is called Safe Torque Off, and it is generally accomplished by removing the internal gate driver enable AND the power from the gate control circuitry in the drive. When these inputs to the Pulse Width Modulation portion of the Inverter are removed, no torque can be produced at the motor. This means that the drive never loses power, and recovering from the safety demand can be as simple as resetting the safety circuit.
Note: The hardwired external enable is not the same as the internal gate driver enable.
Some of the first drives with integrated Safe Torque Off use the DriveGuard platform, which combines the hardwired external enable with a single safety input. This has been thoroughly vetted by third party certification agencies; however, it is important to emphasize that removing the external hardwire enable to the drive is not a certified safety circuit without the DriveGuard addition. As you can see on the block diagram, only one of the two channels is monitored for faults, and there are no inherent diagnostics to validate that the two inputs are switching together. Again, the PLC does not have any inherent connection to either the drive or the safety circuit.
All of our newer drives have two dedicated safety inputs, and most do not have a dedicated feedback output. Both safety inputs are wired through a safety control section of the drive. Solid state electronic relays are more consistent and reliable than electromechanical switches. Failure rates for solid state devices tend to be dependent on time and temperature, instead of number of cycles. This makes the potential for random device failure more predictable.
Over the last decade, communication channels between field devices and controllers have evolved to include "safe connections". The protocol used by Rockwell Automation is based on the CIP Safety standard from ODVA. This standard is designed and certified for transport of data with high integrity. This design includes sending the data over standard networks, in specialized packets to remove the chances for data corruption. This is accomplished by using basic safety principles, including Duality, Diversity, and Diagnostics.
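A simplified sketch of the duality, diversity and diagnostics principles named above, added here as an illustration and not part of the original lab manual. It is not the CIP Safety wire format: the field layout, the seeded CRC-32, the 40 ms freshness limit and the function names are assumptions made for the example.

```python
import struct
import zlib

MAX_AGE_MS = 40  # assumed freshness limit for this sketch


def _crc(data: bytes, seed: int) -> bytes:
    """CRC-32 with a per-field seed, so each field is checked differently.
    A CRC catches random corruption; it is not a cryptographic MAC."""
    return struct.pack(">I", zlib.crc32(data, seed))


def _invert(data: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in data)


def build_frame(payload: bytes, timestamp_ms: int) -> bytes:
    """Duality: the data is sent twice. Diversity: the second copy is
    bit-inverted and protected with a differently seeded CRC."""
    ts = struct.pack(">I", timestamp_ms)
    inv = _invert(payload)
    return (bytes([len(payload)]) + payload + _crc(payload, 1)
            + inv + _crc(inv, 2) + ts + _crc(ts, 3))


def check_frame(frame: bytes, now_ms: int):
    """Diagnostics: return (payload, "ok") or (None, reason for rejection)."""
    if not frame or len(frame) != 1 + 2 * (frame[0] + 4) + 8:
        return None, "length"
    n = frame[0]
    payload, crc_a = frame[1:1 + n], frame[1 + n:5 + n]
    inv, crc_b = frame[5 + n:5 + 2 * n], frame[5 + 2 * n:9 + 2 * n]
    ts, crc_t = frame[9 + 2 * n:13 + 2 * n], frame[13 + 2 * n:]
    if (_crc(payload, 1), _crc(inv, 2), _crc(ts, 3)) != (crc_a, crc_b, crc_t):
        return None, "crc"
    if _invert(inv) != payload:
        return None, "copies disagree"
    if not 0 <= now_ms - struct.unpack(">I", ts)[0] <= MAX_AGE_MS:
        return None, "stale"
    return payload, "ok"


def torque_permitted(frame: bytes, now_ms: int) -> bool:
    """Fail safe: anything but a valid, fresh frame with bit 0 set means torque off."""
    payload, _ = check_frame(frame, now_ms)
    return bool(payload) and payload[0] & 0x01 == 1


if __name__ == "__main__":
    good = build_frame(b"\x01", 1000)   # constructed sample: "enable" at t = 1000 ms
    print(check_frame(good, 1010), torque_permitted(good, 1010))
    print(check_frame(good, 1100), torque_permitted(good, 1100))
```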
Seamless communication in the past was nearly impossible because no single network was able to integrate safety and standard control systems while also enabling the seamless transport of data across multiple plant-floor physical networks. That changed with the Common Industrial Protocol (CIP), an application protocol for industrial networking that is independent of the physical network. The CIP protocol provides a set of common services for control, configuration, collection and sharing across all of the CIP networks, DeviceNet, ControlNet and EtherNet/IP.
CIP Safety also helps eliminate the need to install expensive and difficult-to-maintain gateways between each network. Before the development of safety networks, engineers often had to use smaller systems or minimize their performance requirements since it was difficult to hard-wire interlocks and relay-based safety logic into a complete automation system. Now, engineers can integrate their devices on common physical network segments and allow safety and standard information to flow between devices and controllers.
The latest generation of Safe Torque Off drives includes the ability to safely remove torque using the network connection, with CIP Safety over EtherNet/IP. That network connection can provide tremendous diagnostics on the same wires that provide the standard control, and reduces your wiring to an absolute minimum.
Safe Torque Off should be used for routine, repetitive, predictable actions, such as clearing a jam or changing tooling. Safe Torque Off is not suitable for electrical work of any kind. While it removes the ability to create torque, there can still be hazardous voltages present on the motor terminals. This is why LOTO is still a crucial part of a safety strategy.
Configure a Network Safety Drive
Follow these steps to see how to configure Kinetix 5500 drives with networked STO.
1. Open file Network_Safety_Begin.ACD.
2. From the I/O tree, right-click on the 1756-EN3TR Module (EN3TR_Drives) and choose New Module… Attention! You will need to configure a 1756-EN2T Module for the equipment provided for this lab.
The Select Module Type dialog appears.
3. By using the filters, check Motion and Allen-Bradley, and select your 2198-H008-ERS2 servo drive.
4. Click the Create button. The New Module dialog box appears.
5. Configure the new drive.
1. Type the drive Name: UM_CIP_Drive.
2. Set Ethernet Address: 192.168.1.88.
3. Under Module Definition click Change. The Module Definition dialog box appears.
4. From the Connection pull-down menu, choose the Connection mode: Motion and Safety.
Note: When ‘Safety’ appears in the Connection mode, networked safety is implied.
6. Click OK on the Module Definition dialog.
7. The Safety Network Number (SNN) field populates automatically when the Connection mode includes a networked Motion and Safety or Safety Only connection.
For a detailed explanation of the safety network number, refer to the GuardLogix Controller Systems Safety Reference Manual, publication 1756-RM099.
| Connection Mode | Controller Needed | Description (Drive Cat. No. 2198-Hxxx-ERS) | Description (Drive Cat. No. 2198-Hxxx-ERS2) |
| --- | --- | --- | --- |
| Motion only | ControlLogix 1756-L7x, GuardLogix 1756-L7xS, or CompactLogix 5370 | Only hardwired safe torque-off connections are possible. | Motion is managed by this controller. Safety is managed by another controller that has a Safety-only connection to the drive. |
| Motion and Safety | GuardLogix 1756-L7xS | N/A | Motion and Safety are managed by this controller. |
| Safety only | GuardLogix 1756-L7xS | N/A | Safety is managed by this controller. Motion is managed by another controller that has a Motion-only connection to the drive. |
L72S provided for this lab.
1756-EN2T provided for this lab.
8. Click OK to close the New Module dialog box. Your 2198-H008-ERS2 servo drive appears in the Controller Organizer under the Ethernet controller in the I/O Configuration folder.
9. Right-click the drive you just created in the Controller Organizer and choose Properties. The Module Properties dialog box appears.
10. Click the Safety tab.
The connection between the owner and the 2198-Hxxx-ERS2 drive is based on the following:
Servo drive catalog number must be 2198-Hxxx-ERS2 (networked)
Servo drive safety network number
GuardLogix slot number
GuardLogix safety network number
Path from the GuardLogix controller to the 2198-Hxxx-ERS2 drive
Configuration signature
If any differences are detected, the connection between the GuardLogix controller and the 2198-Hxxx-ERS2 drive is lost, and the yellow yield icon appears in the controller project tree after you download the program.
11. Click the Advanced button.
The Advanced Connection Reaction Time Limit Configuration dialog box appears.
Analyze each safety channel to determine the appropriate settings. The smallest Input RPI allowed is 6 ms. Selecting small RPI values consumes network bandwidth and can cause nuisance trips because other devices cannot get access to the network.
12. Click OK to close the Advanced Connection Reaction Time Limit Configuration dialog box.
For more information about the Advanced Connection Reaction Time Limit Configuration, refer to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.
13. Click OK to close the Module Properties dialog box.
Write Program Code
Let’s examine the ladder logic associated with using networked Safe Torque Off drives, hardwired Safe Torque Off drives, and contactors. There are two zones in this example:
Zone 1 has five network Safe Torque Off drives and one motor that is safeguarded with redundant contactors. This zone will utilize Stop Category 0, and coast to a stop upon a safety demand.
Zone 2 has five network Safe Torque Off drives and one drive that is used in a hardwired configuration. This zone will utilize Stop Category 1, and ramp to stop upon a safety demand, removing power after a configurable time.
Each zone has the same inputs, including an Emergency Stop, a Light Curtain, and a SensaGuard door monitor. Each zone is represented as a program with routines for Input, Logic, and Output. The code in the Safety Task is based on ladder logic from the Safety Accelerator Toolkit and the standard task is based on the Drives and Motion Accelerator Toolkit.
Zone 1
1. From the Safety Task in the Controller Organizer, expand the Zone1 program.
2. Review the Inputs routine. The three input devices are in this routine. The E-Stop code is shown here. There is extensive commentary in the rung descriptions that helps explain each portion of the code.
3. Review the Logic routine. These three rungs monitor the status of the inputs, restart functionality, and setting of the Output Enable bit. This logic is quite simple functionally (immediate removal of power); however, more complex functions can be developed as well.
4. In the Outputs routine from Zone 1, there are two different examples. The first five devices are all Network Safety drives, while the last example is a contactor. The drives have much simpler code because they handle all of their own diagnostics and can easily report back that information to the controller, as shown:
Note: This could even be combined into a simple Add-On Instruction for even more simplicity!
5. The last two rungs of the Outputs routine from Zone 1 demonstrate the additional work that needs to be included for contactors. The controller must manage all of the diagnostics for the contactors, so the CROUT instruction is used to coordinate the timing of the actuation command, feedback, and module statuses.
Zone 2
6. From the Safety Task in the Controller Organizer, expand the Zone2 program.
7. Since the Input routine is similar to Zone1, skip ahead and open the Logic routine.
8. There is an important difference in this routine on the rung (rung 3) that energizes the Output Enable bit.
The addition of the TOF instruction gives the standard task time to execute stopping instructions to put the axes into a disabled state at a known position before the torque is removed. This is essential for vertical loads and many other coordinated applications.
9. Open up routine MainTask -> P02_Zone2 -> R03_Control and examine rung 3. Since these drives are only rated for Stop Category 0, the programmer should plan to execute code in the Standard Task to bring the drives to a stop and disable them before the torque is removed. This ensures that any mechanical brakes can be set before holding torque disappears.
The addition of the "\Zone2.Sts_Zone_InputsOK" tag provides a "Stop" command to the application. This will stop the running sequence and reset sequence, and initiate the stopping sequence. By doing this, you can program the machine to come to the kind of controlled stop you want.
10. Most of the Outputs routine remains unchanged. There is a difference in the last two rungs from Zone 1. The Feedback parameters for the CROUT instruction are tied to tags mapped from the Standard Task to the Safety Task. Open the routine and view this difference in the last two rungs.
11. Tag mapping is accomplished from the dialog box that appears after following the menu path: Logic -> Map Safety Tags.
12. Follow the path and view the dialog box.
Feedback for purely diagnostic purposes is a common function that uses mapping from the Standard Task to the Safety Task. Reset functionality does not necessarily need to be "safety rated", since many other safeguards are in place to prevent restart when dangerous situations could occur, and represents another example of when to use Tag Mapping. Tag mapping should not be abused, since putting logic in the Safety Task does not necessarily make it "safe", but it can be a very helpful tool for appropriate uses.
13. Close the dialog box when finished.
14. To see how the mapped tag is energized, open up the DriveManagerTask -> P11_Axis_11 -> R02_Monitor routine and look at rung 24. The Servo_Axis.GuardGateDriveOutputStatus tag is used to reflect back to the Kinetix_STO_Feedback_Map tag, the status of the gate drivers in the servo drive.
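A simplified timing model of the Zone 1 (Stop Category 0) and Zone 2 (Stop Category 1) behavior described in steps 8 and 9, added here as an illustration and not taken from the lab project. The axis speed, deceleration rate, brake engage time and off-delay presets are assumed values, the linear ramp is a modelling assumption, and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StopResult:
    torque_off_ms: int             # when Output Enable drops and torque is removed
    standstill_ms: Optional[int]   # when the commanded ramp reached zero speed
    brake_set_ms: Optional[int]    # when the mechanical brake finished engaging
    speed_at_torque_off: float     # rpm; above zero means the axis coasts
    load_held: bool                # brake already set when holding torque vanished


def simulate_stop(speed_rpm, decel_rpm_per_s, brake_engage_ms, tof_preset_ms):
    """Step both tasks in 1 ms ticks, starting at the safety demand (t = 0)."""
    if decel_rpm_per_s <= 0:
        raise ValueError("deceleration must be positive")
    speed = float(speed_rpm)
    standstill = 0 if speed == 0 else None
    brake_set = None
    t = 0
    while True:
        # Safety Task: the inputs are already false; the off-delay timer holds
        # Output Enable true until its preset expires (preset 0 = Category 0).
        if t >= tof_preset_ms:
            held = brake_set is not None
            return StopResult(t, standstill, brake_set, speed, held)
        # Standard Task: ramp the axis down, then set the brake.
        if speed > 0:
            speed = max(0.0, speed - decel_rpm_per_s / 1000.0)
            if speed == 0:
                standstill = t + 1
        elif brake_set is None and (t + 1) - standstill >= brake_engage_ms:
            brake_set = t + 1
        t += 1


def min_tof_preset_ms(speed_rpm, decel_rpm_per_s, brake_engage_ms):
    """Smallest off-delay preset (ms) for which the brake is set before torque off."""
    preset = 0
    while not simulate_stop(speed_rpm, decel_rpm_per_s,
                            brake_engage_ms, preset).load_held:
        preset += 1
    return preset


if __name__ == "__main__":
    # Constructed values: 1000 rpm axis, 5000 rpm/s ramp, 50 ms brake engage time.
    for label, preset in [("Zone 1 style (Category 0)", 0),
                          ("Zone 2, preset too short", 220),
                          ("Zone 2 (Category 1)", 500)]:
        print(label, simulate_stop(1000, 5000, 50, preset))
    print("minimum preset:", min_tof_preset_ms(1000, 5000, 50), "ms")
```

The minimum returned by the model carries no margin; a real preset would be chosen above it after measuring the worst-case stop on the machine.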
This concludes this lab.