NHP SAFETY REFERENCE GUIDE
GuardLogix
SAFETY FUNCTION
DOCUMENTS
Actuator Subsystems Category 0 or Category 1 Stop
via a PowerFlex 527 Drive with
Integrated Safe Torque-off
Products: GuardLogix
Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO
13849-1: 2008
Application Technique
Function
Documents:
SafetySafety
Function:
Actuator
Subsystems GuardLogix
– Category 0 or
Safety
Function:
Subsystems
Category
1 Stop
via aActuator
PowerFlex
527 Drive with Integrated
Products: GuardLogix Controller, PowerFlex 527 Drive
Safe Torque-off
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Topic
Page
Important User Information
2
Table of Contents:
General Safety Information
3
Introduction
3
Information
Safety FunctionImportant
Realization: Risk User
Assessment
4
Stop Safety Function
4
Safety Function Requirements
4
Introduction
Functional Safety
Description
5
Bill of Material
6
General Safety Information
Safety Function Realization: Risk Assessment
Setup and Wiring
6
Configuration Stop Safety Function
7
Calculation of the Performance Level
12
Requirements
Verification andSafety
ValidationFunction
Plan
Additional Resources
Functional Safety Description
15
17
6-260
6-262
6-262
6-263
6-263
6-263
6-263
Integrated Safety
6-264
Bill of Material
6-264
Setup and Wiring
6-264
Configuration
6-265
Programming
6-269
Calculation of the Performance Level
6-175
Verification and Validation Plan
6-273
Additional Resources
6-277
NHP Safety Reference Guide > Safety Function Documents: GL
6A-260
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Important User Information
Read this document and the documents listed in the additional
resources section about installation, configuration, and operation
of this equipment before you install, configure, operate,
or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to
requirements of all applicable codes, laws,nand standards.
Activities including installation, adjustments, putting into service,
use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with
applicable code of practice.
If this equipment is used in a manner not specified by the
manufacturer, the protection provided by the equipment may be
impaired.
The examples and diagrams in this manual are included solely
for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell
Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with
respect to use of information, circuits, equipment, or software
described in this manual.
Reproduction of the contents of this manual, in whole or in part,
without written permission of Rockwell Automation, Inc., is
prohibited.
Throughout this manual, when necessary, we use notes to make
you aware of safety considerations.
In no event will Rockwell Automation, Inc. be responsible or liable
for indirect or consequential damages resulting from the use or
application of this equipment.
WARNING: Identifies information about practices or circumstances that can cause an explosion
in a hazardous environment, which may lead to personal injury or death, property damage, or
economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal
injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid
a hazard, and recognize the consequence.
Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to
alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to
alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control
center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear
proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work
practices and for PPE
NHP Safety Reference Guide > Safety Function Documents: GL
6A-261
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
General Safety Information
Contact Rockwell Automation to find out more about our safety risk assessment services.
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
This application example is for advanced users and assumes that you are trained and
experienced in safety system requirements.
General Safety Information
ATTENTION:
Perform
risk assessment
toassessment
make sureservices.
all task and hazard combinations have
Contact Rockwell Automation
to find out
more aabout
our safety risk
been identified and addressed. The risk assessment can require additional circuitry to reduce the
risk to a tolerable level. Safety circuits must take into consideration safety distance calculations,
is for
advanced
and of
assumes
that you are trained and experienced in safety system requirements.
IMPORTANT This application
whichexample
are not
part
of theusers
scope
this document.
ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk
assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety
Introduction
distance calculations, which are not part of the scope of this document.
This application technique explains how to program the logic
(GuardLogix® controller) and configure the actuator (PowerFlex®
You must add the PFH values for
527 drive with integrated safe torque-off ) subsystems of a safety
each subsystem together to create
function. In this application technique, the GuardLogix controller
a PFH for the overall safety function.
de-energizes the final control devices, in this case, the integrated
Depending on the sensor subsyssafe torque-off (STO) inputs on the PowerFlex 527 drive. The final
and devices you choose, the
control
element is
de-energized
immediately
for a category
0 (GuardLogix® controller) and tems
This
application
technique
explains
how to program
the logic
configure
the actuator
overall
safety rating of your system
stop, and a delay
(or monitoring
that the
hazard
is stopped
or in
(PowerFlex®
527 drive
with integrated
safe
torque-off
) subsystems
of a safety function. In thiscould
application
technique,
the of an
be reduced.
The results
a safe state) is introduced before de-energizing for a category 1
GuardLogix controller de-energizes the final control devices, in this case, the integrated safe torque-off
(STO)
inputs
example calculation for on
a complete
stop. This example uses a 1756-L73S GuardLogix controller, but
the
PowerFlex
527
drive.
The
final
control
element
is
de-energized
immediately
for
a
category
0 stop,
and a delay
(or
safety
function
are shown
in the
is applicable to any GuardLogix 5570 controller (1756-L7xS) using
monitoring
that Logix
the hazard
is stopped
or in aversion
safe state)
is later.
introduced before de-energizing for
a category
1 stop.
This of the
the Studio 5000
Designer®
application,
24 or
section
titled
Calculation
Introduction
example
uses a 1756-L73S GuardLogix controller, but is applicable to any GuardLogix 5570Performance
controller (1756-L7xS)
using12.
Level on page
Use this application technique in conjunction with the sensor
the
Studio 5000
Designer®
application,
version 24
or later.
subsystems
fromLogix
any other
GuardLogix
safety function
application
technique. For example, you can use sensor subsystems 1 and
Use
thisGuardLogix:
applicationSafety
technique
conjunction
with
the sensor subsystems from any other GuardLogix safety function
2 from
Gatein
Application
with
SensaGuard™
Switch Safety
Application
application
technique.
ForExample,
example,publication
you can useSAFETY-AT029,
sensor subsystems 1 and 2 from GuardLogix: Safety Gate Application with
along with the
actuator
subsystems
fromExample,
this application
SensaGuard™
Switch
Safety
Application
publication SAFETY-AT029, along with the actuator subsystems from
technique,
to
create
the
following
overall
safety function.
this application technique, to create the following
overall safety function.
Logic
Input
Output
SensaGuard
Switch
1734-IB8S
1756-L7xS
PowerFlex 527
Drive
Subsystem 1
Subsystem 2
Subsystem 3
Subsystem 4
IMPORTANT
NHP Safety Reference Guide > Safety Function Documents: GL
You must add the PFH values for each subsystem together to create a PFH for the overall
safety function. Depending on the sensor
subsystems and devices you choose, the overall safety rating of your system could be reduced. The results of an example
6A-262
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Safety Function Realization: Risk Assessment
4
The required performance level is the result of a risk assessment
and refers to the amount of the risk reduction to be carried out
by the safety-related parts of the control system. Part of the risk
Safety
Function: Doorprocess
Monitoring is to determine the safety functions of the
reduction
Safety
Realization:
Assessment
machine. InFunction
this application,
the Risk
performance
level required (PLr)
Therisk
required
performanceis
level
is the result3,ofPerformance
a risk assessment Level
and refers
to the 3,
by the
assessment
Category
d (CAT.
amount of the risk reduction to be carried out by the safety-related parts of the
PLd),control
for each
safety
A safety
thatthe
achieves
CAT.
system.
Part of function.
the risk reduction
processsystem
is to determine
safety functions
of the machine. In this application, the performance level required (PLr) by the risk
3, PLd,
or
higher,
can
be
considered
control
reliable.
Each
safety
assessment is Category 3, Performance Level d (CAT. 3, PLd), for each safety
function.
safety
system
that achieves
CAT.be
3, PLd,
or higher, can
be considered
product
hasA its
own
rating
and can
combined
to create
a safety
control reliable. Each safety product has its own rating and can be combined to
function
that
meets
or
exceeds
the
PLr.
create a safety function that meets or exceeds the PLr.
From: Risk Assessment (ISO 12100)
1. Identification of safety functions
2. Specification of characteristics of each function
3. Determination of required PL (PLr) for each safety function
To: Realization and PL Evaluation
Door Monitoring Safety Function
StopPartSafety
of the risk Function
reduction process is to determine the safety functions included in the
safety project. This safety project has two safety functions:
This application
technique includes one partial safety function.
• Removal of power from the motor when the E-stop is pressed
The safety
function
is the
of athemotor
when the safety
• Removal
of power
fromstopping
the motor when
gate is opened
system
detects
that
one
or
more
sensor
subsystems
have placed
Safety Function Requirements
a demand
safety
function.
stopping
ofmotion
the motor
Pressingon
the the
E-stop
or opening
the guard The
gate stops
hazardous
by removal of
power the
to thehazard.
motor. When
E-stop
is released and
the guard gate
closed, is
removes
Thethestop
category
is category
0, iswhich
power to the motor and hazardous motion does not resume until the safety system is
an uncontrolled
coasting
of
the
motor.
If
the
risk
assessment
reset and a secondary action (Start button is pressed and released) occurs. Faults
at the E-stop,
gate
interlock switch,
wiring terminals,
or safety
controller are
detected
determines
that
coasting
is dangerous,
then
a category
1 stop
before the next safety demand.
should
implemented.
Thebe
PowerFlex
525 drive monitors itself for input, internal, and output faults. When
the PowerFlex 525 drive detects a fault, it turns off its output, removing power to the
motor.Function
The fault must be
corrected and power to the drive cycled before the drive
Safety
Requirements
can be restarted. Faults at the safe torque-off (STO) inputs on the PowerFlex 525
driveacan
go undetected.
Placing
demand
on the sensor subsystem generates a stop
command that prevents hazardous motion. Once the stop
command
is reset, a secondary action (pressing the Start button)
Rockwell Automation Publication SAFETY-AT126A-EN-P – January 2014
lets hazardous motion resume. Faults within these complex
subsystems are unknown and must be detected at a rate that
enables the overall safety function to meet the requirements
for Performance Level d (PLd), per ISO 13849-1. The vendor must
provide Probability of Dangerous Failure per Hour (PFHd) values
for these subsystems.
The safety functions in this application technique each meet or
exceed the requirements for Category 3, Performance Level d
(CAT. 3, PLd), per ISO 13849-1 and control reliable operation per
ANSI B11.19.
Functional Safety Description
The GuardLogix controller and PowerFlex 527 drive with
integrated safe torque-off (STO) both use 1oo2 architectures to
achieve the PFHd value that is used in the PL calculation section
of this document. The GuardLogix controller PFHd was generated
with a 20-year Proof Test Interval (PTI), and the PowerFlex 527
drive PFHd was generated with a 10-year PTI.
The PowerFlex 527 drive integrated STO feature is used to stop
and prevent hazardous motion. PowerFlex 527 drives have
a single, module-defined, integrated STO safety tag that is
controlled within the safety task of the GuardLogix controller.
The PowerFlex 527 drive is connected via CIP Safety over an
EtherNet/IP™ network to the GuardLogix safety controller.
The PowerFlex 527 drive integrated STO uses the CIP Safety
protocol. The CIP Safety™ protocol inserts the data into the CIP
Safety packet twice. One piece of data is normal and the other is
inverted. CIP Safety packets are also timestamped by the producer
so that the consumer can determine the age of the packet when
it arrives. If a good packet does not arrive before the Connection
Reaction Time Limit (CRTL) expires, then the STO feature within
the PowerFlex 527 drive goes to the safe state: OFF.
CIP Safety protocol supports a direct connection between the
PowerFlex drive and the GuardLogix controller, making the
EtherNet/IP hardware between these two end devices a black
channel. Therefore, the EtherNet/IP hardware does not have to be
included in the PL calculation. The Probability of Failure per Hour
(PFH) of the CIP Safety protocol has already been included in the
controller PFH value.
The STO feature forces the drive output power transistors to a
disabled state when the STO command from the GuardLogix
controller is de-energized, which results in a condition where
the drive is coasting. This feature does not provide electrical
power isolation. For safe distance calculations and reaction time
calculations, the response time of the STO feature is less than
12 ms from the time the STO command is de-energized in the
PowerFlex 527 drive.
When all safety input interlocks are satisfied, no faults are
detected, and a proper reset occurs, the STO tags within the
GuardLogix controller are set to high (1). In summary, when a
demand is placed on the safety function, the STO tag is deenergized and the motor coasts to a stop for a category 0 stop. If
a category 1 stop is being used, then the demand on the safety
function drives the speed to zero (using a STOP command issued
from the Logix controller to the PowerFlex 527 drive), and after
a pre-determined delay, the STO tag is de-energized. When the
safety interlocks are returned to the active state (closed), and a
proper reset function occurs, the PowerFlex drive STO is enabled.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-263
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Integrated Safety: Safe Torque-off Considerations
for a Stop Category 1
In the event of a malfunction, the most likely stop category is
category 0. When designing the machine application, timing
and distance must be considered for a coast to stop, as well
as the possibility of the loss of control of a vertical load. These
malfunctions include a transition (programmatic or keyswitch)
from Run to Program mode, or any loss of communication that
drops out the STO networked tags. Use additional protective
measures if this occurrence might introduce unacceptable risks
to personnel.
Bill of Material
The GuardLogix controller and the PowerFlex 527 drive are
both connected on an EtherNet/IP network. CIP Safety protocol
requires a direct connection between the PowerFlex drive and
the GuardLogix controller. This makes the EtherNet/IP hardware
between these two end devices a black channel. Any EtherNet/IP
hardware can be used with no effect on the PL calculation.
The overall safety function must have individual reset buttons
for resetting faults and for resetting safety outputs. These reset
buttons can be wired to any input module (safety or standard)
in your system. The safety rating of the reset button must
not diminish the rating of the relevant safety function. This is
accomplished by the trailing edge or falling edge of the button
generating the reset command, thus tolerating faults in the reset
circuit..
The output subsystems in this application technique use these
products.
Cat. No.
Description
Qty
25C-V2P5N104
PowerFlex 527 drive, 120VAC, 2.5A, Frame A
1
1756-L73S
GuardLogix processor, 8.0 MB standard memory,
4.0 MB safety memory
1
1756-EN2T
ControlLogix® EtherNet/IP bridge
3
1756-A4
4-slot ControlLogix chassis
1
1756-PA72
Power supply, 120/240V AC input, 3.5 A @ 24V
DC
1
800FM-G611MX10
800F reset push button - metal, guarded, blue,
R, metal latch mount, 1 N.O. contact, standard
2
Setup and Wiring
For detailed information on installing and wiring, refer to the
publications listed in the Additional Resources on the back cover
System Overview
The final control device is the PowerFlex 527 drive with integrated
safe torque-off (STO). Because this drive features integrated STO
inputs, rather than hard-wired inputs, there is no need for a safety
output module in this safety function.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-264
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Schematic
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
for this actuator
subsystem
is not needed,
because
the 527
PowerFlex
Products:
GuardLogix
Controller,
PowerFlex
Drive 527 drive and the GuardLogix controller are
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
n an EtherNet/IP
network.
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
ng I/O configuration shows the GuardLogix controller and the EtherNet/IP module in the local chassis,
omatic
the PowerFlex 527 drive over an EtherNet/IP network.
Electricalis Schematic
this actuator subsystem
not needed, because the PowerFlex 527 drive and the GuardLogix controller are
EtherNet/IP network.
A schematic for this actuator subsystem is not needed, because the PowerFlex 527 drive and the GuardLogix controller are
connected on an EtherNet/IP network.
Theshows
following
configuration
shows the
GuardLogix
controllermodule
and thein
EtherNet/IP
module in the local chassis, connected to
O configuration
the I/O
GuardLogix
controller
and
the EtherNet/IP
the local chassis,
the
PowerFlex
527
drive
over
an
EtherNet/IP
network.
PowerFlex 527 drive over an EtherNet/IP network.
ration
Logix controller is configured by using the Studio 5000 Logix Designer application, version 24 or later. You
a new project and
add the PowerFlex 527 drive. A detailed description of each step is beyond the scope of this
Configuration
Knowledge of the Logix Designer application is assumed.
ion
The GuardLogix controller is configured by using the Studio 5000 Logix Designer application, version 24 or later. You must
create a new project and add the PowerFlex 527 drive. A detailed description of each step is beyond the scope of this document.
Knowledge of the Logix Designer application is assumed.
roject with a GuardLogix Controller and a PowerFlex 527 Drive
Create a Project
a GuardLogix
Controller
and a PowerFlex
x controller is configured
by usingwith
the Studio
5000 Logix
Designer application,
version527
24 orDrive
later. You
1. Inthe
the PowerFlex
Logix Designer
application,
create adescription
new projectof
with
a GuardLogix
controller.
w
project
and
add
527
drive.
A
detailed
each
step
is
beyond
the
scope
of this
e Logix Designer application, create a new project with a GuardLogix controller.
wledge of the Logix Designer application is assumed.
ct with a GuardLogix Controller and a PowerFlex 527 Drive
The Logix Designer
application, version 24
or later, is required to
support PowerFlex 527
drives with integrated STO.
gix Designer application, create a new project with a GuardLogix controller.
NT
The Logix Designer application, version 24 or later, is required to support PowerFlex 527 drives with integrated STO.
NHP Safety Reference Guide > Safety Function Documents: GL
Rockwell Automation Publication SAFETY-AT141A-EN-P - May 2015
7
6A-265
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
nction: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
afety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
2. Enable Timefor
Synchronization
forcontroller.
the GuardLogix controller.
Enable Time Synchronization
the GuardLogix
2. Enable Time Synchronization for the GuardLogix controller.
In the Controller Organizer, add the 1756-EN2T module to the 1756 Backplane.
3. In the Controller Organizer, add the 1756-EN2T module to the 1756 Backplane.
3. In the Controller Organizer, add the 1756-EN2T module to the 1756 Backplane.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-266
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
4. On the 1756-EN2T General tab, do the following:
4. On the 1756-EN2T General tab, do the following:
a.
Name the 1756-EN2T module.
Name
the 1756-EN2T
module.
4.a.On
the 1756-EN2T
General
tab, do the following:
b. Type an IP address for the 1756-EN2T module (your address may differ from the one shown in the image).
b.a.Type
an
IP
address
for
the
1756-EN2T
module (your address may differ from the one shown in the image).
Name the 1756-EN2T module.
c.
Change the Time Sync Connection to Time Sync and Motion.
c.b.Change
Sync
to Time
Sync(your
and Motion.
Type anthe
IPTime
address
forConnection
the 1756-EN2T
module
address may differ from the one shown in the image).
d. Click OK.
d.c.Click
OK.
Change
the Time Sync Connection to Time Sync and Motion.
d. Click OK.
5. Add the PowerFlex 527 drive under the 1756-EN2T module.
5. Add the
PowerFlex
527
under the
1756-EN2T module.
5. Add the PowerFlex
527
drive under
thedrive
1756-EN2T
module.
Rockwell Automation Publication SAFETY-AT141A-EN-P - May 2015
Rockwell Automation Publication SAFETY-AT141A-EN-P - May 2015
9
NHP Safety 9Reference Guide > Safety Function Documents: GL
6A-267
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
fety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
6. In the PowerFlex 527 New Module dialog box, do the following:
a.527 New
Change
the dialog
name.box, do the following:
6. In the PowerFlex
Module
name.
b. Set the IP address (your address may differ from the one shown in the image).
a. Change the
c. (your
Change
themay
Connection
tothe
Motion
and Safety
to indicate that both motion and safety are being managed by the
b. Set the IP address
address
differ from
one shown
in the image).
GuardLogix
controller.
c. Change the Connection to Motion and Safety to indicate that both motion and safety are being managed by the
GuardLogix
controller.
d. Select the proper Power Structure.
d. Select the proper Power Structure.
NHP Safety Reference Guide > Safety Function Documents: GL
Rockwell Automation Publication SAFETY-AT141A-EN-P - May 2015
6A-268
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Program
Program
the the
LogicLogic
The accumulated ‘safety interlocks OK’ tag is used in the seal-in rung to drive the STO tag. If the safety interlock tag drops
The
accumulated
'safety
OK'
tag isfeature,
used in and
the seal-in
rung to
STO tag.reset
If theaction
safetyisinterlock
out,
so does the
safeinterlocks
torque-off
(STO)
it remains
offdrive
untilthe
a manual
carried tag
out.drops
The STO output
out,
does the safe
torque-off
(STO) feature,
and it remains
a manual
resetisaction
is carried
out. The
STO
output
is so
energized
if the
safety interlocks
are satisfied,
thereoff
areuntil
no faults,
there
a valid
connection,
and
there
is a falling edge
is energized
if thebutton.
safety interlocks are satisfied, there are no faults, there is a valid connection, and there is a falling edge on
on the reset
the reset button.
The following code is an example for a category 0 stop. When a demand is placed on safety interlocks, and ‘Safety_
Interlocks_OK’
to low (0),
the PowerFlex
527adrive
STOisoutput
immediately
goes and
to low (0) as well.
The
following codegoes
is an example
forthen
a category
0 stop. When
demand
placed on
safety interlocks,
'Safety_Interlocks_OK' goes to low (0), then the PowerFlex 527 drive STO output immediately goes to low (0) as well.
Rockwell Automation Publication SAFETY-AT141A-EN-P - May 2015
NHP Safety Reference Guide > Safety Function Documents: GL
11
6A-269
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
The
codeisisananexample
example
a category
stop. aWhen
a demand
is placed
the safety
interlocks,
then the
Thefollowing
following code
for afor
category
1 stop.1When
demand
is placed on
the safetyon
interlocks,
then
the
PowerFlex
527
drive
STO
output
goes
to
low
(0)
after
a
three-second
delay.
The
length
of
the
delay
is
determined
by the
PowerFlex 527 drive STO output goes to low (0) after a three-second delay. The length of the delay is determined by the
risk
During
three-second
the ‘Motion_Axis_Stop’
be used
to For
stopexample,
the axis.
riskassessment.
assessment. During
thethe
three-second
delay,delay,
the 'Motion_Axis_Stop'
tag can betag
usedcan
to stop
the axis.
thisFor example, this
could
MotionAxis
AxisStop
Stop
command.
couldcontrol
control aaMotion
command.
Falling
FallingEdge
EdgeReset
Reset
ISO 13849-1 stipulates that instruction reset functions must occur on falling edge signals. To comply with this requirement,
stipulates
that
instruction is
reset
functions
onThen,
fallingthe
edgeOSF
signals.
To complyOutput
with this
a ISO
One13849-1
Shot Falling
(OSF)
instruction
used
on themust
resetoccur
rung.
instruction
Bit tag is used as the reset
requirement,
a One
ShotorFalling
(OSF)
instruction is used on the reset rung. Then, the OSF instruction Output Bit tag is
bit
for the STO
output
enable
rungs.
used as the reset bit for the STO output or enable rungs.
Calculation of the Performance Level
When properly implemented, the PowerFlex 527 drive with integrated safe torque-off (STO) subsystem can be used in
the
Performance
Level
a Calculation
safety functionof
that
achieves
a safety rating
of CAT. 4, Performance Level e (PLe), according to ISO 13849-1: 2008, as
calculated by using the Safety Integrity Software Tool for the Evaluation of Machine Applications (SISTEMA).
When properly implemented, the PowerFlex 527 drive with integrated safe torque-off (STO) subsystem can be used in a
safety function that achieves a safety rating of CAT. 4, Performance Level e (PLe), according to ISO 13849-1: 2008, as
calculated by using the Safety Integrity Software Tool for the Evaluation of Machine Applications (SISTEMA).
IMPORTANT
12
To calculate the PL of your entire safety function, you must include the sensor
subsystems along with the logic and actuator subsystems shown here. Depending on
To calculate the PL of your entire safety function, you must include the sensor subsystems along with the logic and actuator
subsystems
and
devices
you choose,
overall
rating
subsystemsthe
shownsensor
here. Depending
on the sensor
subsystems
and devices
you choose,the
the overall
safetysafety
rating of your
systemof your system
could
be
reduced.
An
example
that
describes
how
to
calculate
the
safety
could be reduced. An example that describes how to calculate the safety rating for a complete safety function appears in the rating for a
complete
safety
function
appears
the13.section titled Complete Safety Function PL
section titled
Complete Safety
Function
PL Calculation
Example oninpage
Calculation Example on page 13.
Rockwell Automation Publication SAFETY-AT141A-EN-P - May 2015
NHP Safety Reference Guide > Safety Function Documents: GL
6A-270
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex
527Actuator
Drive Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Safety Function:
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Logic and Actuator Subsystem Calculation
LogicSubsystem
and Actuator
Subsystem Calculation
ogic and Actuator
Calculation
The
(logic)
subsystem
uses 1.20% of PLe bandwidth. The (actuator) PowerFlex 527 integrated
Logic
andGuardLogix
Actuatorcontroller
Subsystem
Calculation
STO
subsystem
uses
2.10%
of
PLe
bandwidth.
The1.20%
PFH of
of
the
527
drive
was generated
with
a integrated
Proof
Test STO
The
(logic)
GuardLogix
controller
subsystem
uses
bandwidth.
The
(actuator)
PowerFlex
527
The (logic) GuardLogix controller subsystem uses
1.20%
ofPLe
PLePowerFlex
bandwidth.
The
(actuator)
PowerFlex
527
integrated
The (logic) GuardLogix
controller
subsystem
uses
1.20% ofThe
PLe
bandwidth.
The
(actuator)
PowerFlex
527 integrated
Interval
(PTI)
of
10
years,
which
generates
the
yellow
warning
shown
below.
The
GuardLogix
controller
and
other
subsystem
uses
2.10%
of
PLe
bandwidth.
PFH
of
the
PowerFlex
527
drive
was
generated
with
a
Proof
Test
Interval
STO subsystem uses 2.10% of PLe bandwidth. The PFH of the PowerFlex 527 drive was generated with a Proof Test (PTI)
TO subsystem subsystems
uses
of
PLe
bandwidth.
The
PFH
of the PowerFlex
527
drive
was
with a Proof
Test subsystems used in
used
this
safety
function
example
have
a warning
PTI
of 20shown
years
or generated
higher.
of 102.10%
years,
which
generates
the
yellow
warning
shown
below.
The
GuardLogix
and controller
other
Interval
(PTI)
ofin10
years,
which
generates
the yellow
below.
Thecontroller
GuardLogix
and other
nterval (PTI) ofthis
10 years,
which
generates
the
yellow
warning
shown
below.
The
GuardLogix
controller
and
other
safety function
example
a PTIexample
of 20 years
subsystems
used in this
safety have
function
haveorahigher.
PTI of 20 years or higher.
ubsystems used in this safety function example have a PTI of 20 years or higher.
The logic and actuator subsystems can be modeled as follows.
The
and
subsystems can
bebemodeled
follows.
The logic
logic
and actuator
actuator
modeledasas
follows.
Logic
Input ascan
The logic and actuator
subsystems
can besubsystems
modeled
follows.
Input
Determined by
the sensor
subsystems
you choose
Subsystem 1
Input
Determined by
the sensor
Determined
subsystemsby
thechoose
sensor
you
subsystems
you choose
Subsystem 1
Subsystem 1
Logic
GuardLogix
Controller
Logic
GuardLogix
Controller
GuardLogix
Controller
Output
Output
PowerFlex 527
Drive
Subsystem 2
Subsystem 2
Subsystem 2
Output
PowerFlex 527
Drive
PowerFlex 527
Drive
Subsystem 3
Subsystem 3
Subsystem 3
Complete Safety Function PL Calculation Example
Complete
Safety
Function
PL
Calculation
Example
Complete
Safety
Function
PL
Calculation
Example
omplete Safety
Function
PL Calculation
Example
This example takes the actuator subsystems from this document and combines them with the sensor subsystems from
This example takes the actuator subsystems from this document and combines them with the sensor subsystems from
GuardLogix:
Safety
Gate
Application
with SensaGuard
SensaGuard
SwitchSafety
Safety
Application
Example,
publication
SAFETY-AT029,
GuardLogix:
Gate
Application
with
Switch
Application
Example,
publication
SAFETY-AT029,
This
exampleSafety
takes the
actuator
subsystems
from this document
and combines
them
with the
sensor subsystems
from to
This example takes
the actuator
subsystems
from
this document
and combines
themsubsystems
with the sensor
subsystems
from
to
illustrate
how
any
sensor
subsystems
can
be
added
to
the
output
within
this
publication.
illustrate howSafety
any sensor
subsystems with
can be
added to the
output
subsystems
within
this publication.
GuardLogix:
Gate Application
SensaGuard
Switch
Safety
Application
Example,
publication SAFETY-AT029,
GuardLogix: Safety Gate Application with SensaGuard Switch Safety Application Example, publication SAFETY-AT029,
to
illustrate
any sensor
subsystems
can beinadded
to the output subsystems within this publication.
Here
are thehow
actuator
subsystems
described
this publication.
o illustrate howHere
any sensor
can be added
to the output
subsystems within this publication.
are thesubsystems
actuator subsystems
described
in this publication.
Here are the actuator subsystems described in this publication.
Here are the actuator subsystems described in this publication.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-271
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Safety Function: Actuator Subsystems – Category 0 or Category 1 Stop via a PowerFlex 527 Drive with Integrated Safe Torque-off
Safety
Actuator
Subsystems from
– Category
0 or Category 1Safety
Stop via aGate
PowerFlex
527 Drive withwith
Integrated
Safe Torque-off
HereFunction:
are the
subsystems
GuardLogix:
Application
SensaGuard
Switch Safety Application Example,
Here
are the subsystems
fromsensor,
GuardLogix:
Safety
Gate Application with SensaGuard Switch Safety Application Example,
publication
SAFETY-AT029:
logic, and
actuator.
publication
SAFETY-AT029:
sensor,
logic,
and
actuator.
Here are the subsystems from GuardLogix: Safety Gate Application with SensaGuard Switch Safety Application Example,
Here are SAFETY-AT029:
the subsystems from
GuardLogix:
Gate Application with SensaGuard Switch Safety Application Example,
publication
sensor,
logic, andSafety
actuator.
publication SAFETY-AT029: sensor, logic, and actuator.
The sensor subsystems from GuardLogix: Safety Gate Application with SensaGuard Switch Safety Application Example,
The sensor subsystems from GuardLogix: Safety Gate Application with SensaGuard Switch Safety Application Example,
publication
SAFETY-AT029,
are the SensaGuard
Interlock
Switch
andSensaGuard
the 1734-IB8S POINT
I/O™ input
module.
The
sensor subsystems
from GuardLogix:
Safety Gate
Application
with
SafetyGuard
Application
Example,
publication
SAFETY-AT029,
are the SensaGuard
Interlock
Switch and
the 1734-IB8S Switch
POINT Guard
I/O™
input module.
The
The
overall
safety
function
is
shown
here,
combining
those
sensor
subsystems
from
publication
SAFETY-AT029,
and the
The
sensor
subsystems
from
GuardLogix:
Safety
Gate
Application
with
SensaGuard
Switch
Safety
Application
Example,
publication
SAFETY-AT029,
are
the
SensaGuard
Interlock
Switch
and
the
1734-IB8S
POINT
Guard
I/O™
input
module.
overall safety function is shown here, combining those sensor subsystems from publication SAFETY-AT029, and the logic
logic
and
actuator
subsystems
from
this
document.
publication
SAFETY-AT029,
are
the
SensaGuard
Switch
and the from
1734-IB8S
POINT
Guard I/O™ input
The
overall
safety
function
isfrom
shown
here,
combining Interlock
those sensor
subsystems
publication
SAFETY-AT029,
andmodule.
the
and
actuator
subsystems
this
document.
The
safety
functionfrom
is Input
shown
combining those sensor subsystems
from
publication
SAFETY-AT029,
and
the
logic
andoverall
actuator
subsystems
this here,
document.
Logic
Output
logic and actuator subsystems from this document.
Logic
Output
Input
Input
SensaGuard
Switch
SensaGuard
Switch
SensaGuard
Switch
Subsystem
1
Subsystem 1
Subsystem 1
Logic
1734-IB8S
1734-IB8S
1734-IB8S
Subsystem 2
Subsystem 2
Subsystem 2
GuardLogix
Controller
GuardLogix
Controller
GuardLogix
Controller
Subsystem
3
Subsystem 3
Subsystem 3
Output
PowerFlex 527
Drive
PowerFlex 527
Drive
PowerFlex 527
Drive
Subsystem 4
Subsystem 4
Subsystem 4
The PFH values for each subsystem in the safety function modeled above are taken from their respective publications and
combined.
The
PFH
values
forfor
each
subsystem
in the
safety
function
modeled
above
areare
taken
from
their
respective
publications
and
The
PFH
values
each
subsystem
in the
safety
function
modeled
above
taken
from
their
respective
publications
The
PFH
values
for
each
subsystem
in
the
safety
function
modeled
above
are
taken
from
their
respective
publications
and
combined.
and combined.
combined.
IMPORTANT The PFH for this complete safety function, with the sensor, logic, and actuator subsystems, is 4.93E-09, which consumes 4.93% of
thePFH
PLeforbandwidth.
The safety
PL for the
complete
function
is PLe.
this complete
function,
withsafety
the sensor,
logic,
and actuator subsystems, is 4.93E-09, which consumes 4.93% of
IMPORTANT The
The
PFH
for
this
complete
safety
function,
with
the
sensor,
logic,
and actuator subsystems, is 4.93E-09, which consumes 4.93% of
the
PLe
bandwidth.
The
PL
for
the
complete
safety
function
is
PLe.
IMPORTANT
the PLe bandwidth. The PL for the complete safety function is PLe.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-272
Logic
Input
SensaGuard
Switch
1734-IB8S
Subsystem 1
Subsystem 2
Output
PowerFlex 527
Drive
GuardLogix
Controller
Subsystem 3
Subsystem 4
Safety Function Documents: GuardLogix
The PFH values for each subsystem in the safety function modeled above are taken from their respective publications and
combined.
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
IMPORTANT
14
The PFH for this complete safety function, with the sensor, logic, and actuator
subsystems, is 4.93E-09, which consumes 4.93% of the PLe bandwidth. The PL for the
The PFH forcomplete
this completesafety
safety function
function, with
the sensor, logic, and actuator subsystems, is 4.93E-09, which consumes 4.93% of
is PLe.
the PLe bandwidth. The PL for the complete safety function is PLe.
Rockwell Automation Publication SAFETY-AT141A-EN-P - May 2015
Verification and Validation Plan
Verification and validation play important roles in the avoidance
of faults throughout the safety system design and development
process. ISO 13849-2 sets the requirements for verification and
validation. The standard calls for a documented plan to confirm
that all of the safety functional requirements have been met.
Verification is an analysis of the resulting safety control system.
The Performance Level (PL) of the safety control system is
calculated to confirm that the system meets the required
Performance Level (PLr) specified. The SISTEMA software is
typically used to perform the calculations and assist with
satisfying the requirements of ISO 13849-1.
Validation is a functional test of the safety control system to
demonstrate that the system meets the specified requirements
of the safety function. The safety control system is tested
to confirm that all of the safety-related outputs respond
appropriately to their corresponding safety-related inputs.
The functional test includes normal operating conditions in
addition to potential fault injection of failure modes. A checklist
is typically used to document the validation of the safety control
system.
The following plan assumes a category 0 stop is being used. You
must make appropriate adaptations to the plan if your safety
function requires a category 1 stop.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-273
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Verification and Validation Checklist
General Machinery Information
Machine Name/ModelNumber
Machine Serial Number
Customer Name
Test Date
Tester Name(s)
Schematic Drawing Number
Controller Name
Safety Signature ID
Safety Network Number(s)
Logix Designer Application
Safety Control System Modules GuardLogix Modules
Firmware Version
GuardLogix Safety Controller
1768-L73S
V24 or later
Logix Ethernet Bridge
1756-EN2T
GuardLogix Safety System Configuration and Wiring Verification
Test Step
Verification
1
Verify that the safety system has been designed in accordance
with the GuardLogix 5570 Controller Systems Safety
Reference Manual, publication 1756-RM099.
2
Verify that the safety application program has been designed
in accordance with the GuardLogix Application Instruction
Safety Reference Manual, publication 1756-RM095.
3
Visually inspect the safety system network and verify that the
I/O is wired as documented in the schematics.
4
Visually inspect the Logix Designer application program
to verify that the safety system network and I/O module
configuration is configured as documented.
Pass/Fail
Changes/Modifications
NHP Safety Reference Guide > Safety Function Documents: GL
6A-274
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Verification and Validation Checklist
GuardLogix Safety System Configuration and Wiring Verification cont.
Test Step
Verification
5
Visually inspect the Logix Designer application program to
verify that suitable safetycertified instructions are utilized.
The logic must be readable, understandable, and testable with
the aid of clear comments.
6
All input devices are qualified by cycling their respective
actuators. Monitor the status in the Controller Tags window of
the Logix Designer application.
7
All output devices are qualified by cycling their respective
actuators. Monitor the status in the Controller Tags window of
the Logix Designer application.
Pass/Fail
Changes/Modifications
Normal Operation Verification - The GuardLogix safety system properly responds to all normal Start, Stop, and Reset commands.
Test Step
Verification
1
Initiate a Start command. The PowerFlex 527 drive safe
torque-off (STO) feature should energize for a normal machine
run condition. Verify proper machine status indication and
safety application program indication.
2
Initiate a Stop command. The PowerFlex 527 drive STO feature
should de-energize for a normal machine stop condition.
Verify proper machine status indication and safety application
program indication.
3
While the system is running, place a demand on the sensor
subsystem. The PowerFlex 527 drive STO feature should deenergize for a normal safe condition. Verify proper machine
status indication and safety application program indication.
Repeat for all sensor subsystems.
4
While the system is stopped with the sensor subsystems in a
safe state, initiate a Start command. The PowerFlex 527 drive
STO feature should remain de-energized for a normal safe
condition. Verify proper machine status indication and safety
application program indication.
5
While the system is stopped with the sensor subsystems in
a safe state, initiate a Reset command. The PowerFlex 527
drive STO feature should remain de-energized. Verify proper
machine status indication and safety application program
indication
Pass/Fail
Changes/Modifications
NHP Safety Reference Guide > Safety Function Documents: GL
6A-275
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Verification and Validation Checklist
GuardLogix Controller and Network Tests
Test Step
Validation
1
While the system is running, remove the EtherNet/IP
network connection between the PowerFlex 527 drive and
the controller. The PowerFlex 527 drive STO feature should
deenergize. Verify proper machine status indication and I /O
connection status in the safety application program.
2
Restore the EtherNet/IP connection and allow time to
reestablish communication. Verify that the PowerFlex 527
drive STO feature does not automatically energize.
3
While the system is running, switch the controller out of Run
mode. The PowerFlex 527 drive should de-energize. Return
the controller to Run mode. The PowerFlex 527 drive STO
feature should remain de-energized. Verify proper machine
status indication and safety application program indication.
Pass/Fail
Changes/Modifications
Pass/Fail
Changes/Modifications
Safety Output Tests
Test Step
Validation
1
Initiate a Safety Reset command. The PowerFlex 527 drive STO
feature should energize for a normal machine run condition.
Verify proper machine status indication and safety application
program indication.
In addition to the verification and validation steps provided here, consult the application technique
for your input subsystem for the steps required to validate the input device. For the input
subsystem example used in this safety function application technique, we reference GuardLogix:
Safety Gate Application with SensaGuard Switch Safety Application Example, publication
SAFETY-AT029.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-276
Safety Function Documents: GuardLogix
Safety Function: Actuator Subsystems
Products: GuardLogix Controller, PowerFlex 527 Drive
Safety Rating: CAT. 4, PLe to ISO 13849-1: 2008
Additional Resources
These publications contain additional information concerning related products from Rockwell Automation
Document
Description
GuardLogix 5570 Controller Systems Safety Reference
Manual, publication 1756-RM099
Describes the GuardLogix 5570 controller system. Provides
instructions on how to develop, operate, or maintain a GuardLogix
5570 controller-based safety system that uses the Studio 5000 Logix
Designer application, version 21 or later.
GuardLogix Application Instruction Safety Reference
Manual, publication 1756-RM095
Describes the Rockwell Automation GuardLogix Safety Application
Instruction Set. Provides instructions on how to design, program, or
troubleshoot safety applications that use GuardLogix controllers.
GuardLogix: Safety Gate Application with SensaGuard
Switch Safety Application Example, publication SAFETYAT029
Provides instructions on how to wire, configure, and program a
Compact GuardLogix® controller and POINT Guard I/O module to
monitor a SensaGuard switch mounted on a door.
PowerFlex 527 Adjustable Frequency AC Drive User
Manual, publication 520-UM002
Provides detailed information on how to install, configure, operate,
and maintain a PowerFlex 527 adjustable frequency AC drive.
Industrial Automation Wiring and Grounding Guidelines,
publication 1770-4.1
Provides general guidelines on how to install a Rockwell Automation®
industrial system.
Safety Products Catalog, publication S117-CA001
website http://www.rockwellautomation.com/
rockwellautomation/catalogs/overview.page
Provides information about Rockwell Automation safety products.
Product Certifications website, available from the Product
Certifications link on http://www.ab.com
Provides declarations of conformity, certificates, and other
certification details.
You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical
documentation, contact your local Allen-Bradley® distributor or Rockwell Automation sales representative.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-277
Safety Function Document
Disclaimer
The information contained in this and any related publications
is intended as a guide only. Every care has been taken to ensure
that the information given is accurate at time of publication.
Neither NHP nor any of the manufacturers portrayed in this and
any related publications accept responsibility for any errors or
omissions contained therein nor any misapplications resulting
from such errors or omissions.
Risk assessments should be conducted by authorized persons.
The purchaser and installer are responsible for ensuring the
safety system(s) incorporating these products complies with all
current regulations and applicable standards.
Products are subject to change without notice and may differ
from any illustration(s) provided. All products offered for sale are
subject to NHP standard Conditions of Sale, a copy of which is
available on application.
NHP Safety Reference Guide > Safety Function Documents: GL
6A-278