SafeZone Scanner with a Configurable Safety Relay

NHP SAFETY REFERENCE GUIDE
Safety Function Documents: 440C
Application Technique
Safety Function: Safety-Related Stop Initiated by a SafeZone Scanner
Products: Guardmaster 440C-CR30 Configurable Safety Relay, 442L SafeZone Laser Scanner, 100S-C Safety Contactors
Safety Rating: CAT. 3, PLd to ISO 13849-1: 2008
Table of Contents:
Important User Information
General Safety Information
Introduction
Safety Function Realization: Risk Assessment
Area Scanner Single Zone Safety Function
Safety Function Requirements
Functional Safety Description
Bill of Material
Setup and Wiring
Configuration
Calculation of the Performance Level
Verification and Validation Plan
Verification of the Configuration
Additional Resources
Introduction
This safety function application technique explains how to wire
and configure a Guardmaster® 440C-CR30 configurable safety
relay to monitor both an E-Stop and a SafeZone™ laser scanner.
If an object intrudes into the SafeZone laser-scanner sensing
field, if the E-Stop is actuated or if a fault is detected in the
monitoring circuit, the 440C-CR30 relay de-energizes the final
control devices, in this case, a pair of 100S-C safety contactors.
The safety scanner can be used in either vertical or horizontal
applications to detect the intrusion of personnel or objects into
the sensing field. You configure the safety scanner’s warning and
safety fields by using the Safety Configuration and Diagnostics
(SCD) software supplied with each scanner.
Important User Information
Read this document and the documents listed in the additional
resources section about installation, configuration, and
operation of this equipment before you install, configure,
operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions
in addition to requirements of all applicable codes, laws, and
standards.
Activities including installation, adjustments, putting into
service, use, assembly, disassembly, and maintenance are
required to be carried out by suitably trained personnel in
accordance with applicable code of practice.
If this equipment is used in a manner not specified by the
manufacturer, the protection provided by the equipment may
be impaired.
In no event will Rockwell Automation, Inc. be responsible or
liable for indirect or consequential damages resulting from the
use or application of this equipment.
The examples and diagrams in this manual are included
solely for illustrative purposes. Because of the many variables
and requirements associated with any particular installation,
Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with
respect to use of information, circuits, equipment, or software
described in this manual.
Reproduction of the contents of this manual, in whole or in part,
without written permission of Rockwell Automation, Inc., is
prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
Contact NHP to find out more about our safety risk assessment services.
Rockwell Automation Publication SAFETY-AT134A-EN-P - September 2014
Safety Function: Cable Pull Switch with a Configurable Safety Relay
General Safety Information
Contact Rockwell Automation to find out more about our safety risk assessment services.
IMPORTANT: This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.
ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk
assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety
distance calculations, which are not part of the scope of this document.
Introduction
This safety function application technique explains how to wire, configure, and integrate a Lifeline™ 4 cable pull switch,
and an E-stop with a Guardmaster® 440C-CR30 configurable safety relay and two safety contactors. When the Lifeline 4
cable pull switch is tripped, the E-stop is pressed, or a fault is detected, the 440C-CR30 relay turns off two outputs, which
then turn off two safety contactors and remove power from the motor.
Safety Function Realization: Risk Assessment
The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or exceeds the PLr.
From: Risk Assessment (ISO 12100)
1. Identification of safety functions
2. Specification of characteristics of each function
3. Determination of required PL (PLr) for each safety function
To: Realization and PL Evaluation
Area Scanner Single Zone Safety Function
This application technique includes two safety functions:
1. Safety-related stop function initiated by presence in the protective area of the safety scanner.
2. Safety-related stop function initiated by actuation of an E-Stop button.
Safety Function Requirements
Interrupting the configured sensing zone of the laser scanner stops and prevents hazardous motion by removing power to the motor. The motor coasts to a stop (Stop Category 0). When the scanner is reset, hazardous motion and power to the motor do not resume until a secondary action occurs—the Start button is depressed. A fault at the laser scanner is detected before the next safety demand. The safe distance from the location of the laser scanner to the hazard must be established per ISO 13855:2010 such that hazardous motion must be stopped before the user can reach the hazard.
Pressing the E-Stop button stops hazardous motion by removing power to the motor. Releasing the E-Stop does not restart hazardous motion. Once the Reset button is pressed and all faults are cleared, the system is enabled to accept a separate Start command.
The safety functions in this application technique each meet the requirements for Category 3, Performance Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.
Functional Safety Description
Hazardous motion is stopped or prevented by interrupting the
sensing field of the SafeZone laser scanner. The laser scanner
and the E-Stop are connected to the Guardmaster 440C-CR30
software configurable safety relay. The 440C-CR30 relay provides
two solid-state safety outputs that control power to the 100S-C
contactor coils. Whenever the 440C-CR30 relay disables its
outputs, hazardous motion is stopped. When all safety input
signals are correct, no faults are detected, and the Reset button
is pressed, the 440C-CR30 is enabled to accept a separate Start
command.
The E-Stop is connected to the 440C-CR30 relay inputs EI_00
and EI_01, which use pulse-checking to monitor the E-Stop for
actuation and faults. Whenever the E-Stop is actuated, the
440C-CR30 relay disables its safety outputs and hazardous motion
is stopped. When all safety input signals are correct, no faults
are detected, and the Reset button is pressed (for 0.25…3.0
seconds), then released, the 440C-CR30 relay re-energizes
its safety outputs EO_18 and EO_19 providing power to the
contactor coils.
In summary, when the laser scanner is blocked or the E-Stop
is actuated, the contactors drop out. When the laser scanner
is unblocked, the E-Stop is released, and the reset button is
pressed, the contactors are energized.
Bill of Material
This application uses these products.

| Cat. No. | Description | Quantity |
|---|---|---|
| 442L-SFZNMZ | SafeZone multizone scan head and I/O module | 1 |
| 442L-CSFZNMZ-10 | 10M prewired 13 conductor memory module | 1 |
| 442L-ACUSB-2 | 2 meter RS232 programming cable with USB connector | 1 |
| 440C-CR30-22BBB | Guardmaster 440C-CR30 software configured safety relay, PLe SIL 3, 22 safety I/O, embedded serial port, USB programming port, 2 plug-in slots, 24V DC | 1 |
| 800F-1YP8 | 800F 1-hole enclosure E-Stop station, plastic, PG, twist-to-release 60 mm, non-illuminated, 1 N.O. / 2 N.C. | 1 |
| 800FM-G611MX10 | 800F push button, metal, guarded, blue, R, metal latch mount, 1 N.O. contact, 0 N.C. contacts, standard | 1 |
| 100S-C09EJ23BC | Modular Control System (MCS) 100S-C safety contactor, 9 A, 24V DC (with electrical coil), bifurcated contact | 2 |

Setup and Wiring
For detailed information on installing and wiring, refer to the
publications listed in the Additional Resources on the back
cover.
INFORMATION: A multizone scanner, configured as a single-zone
scanner, was used in this safety function.
System Overview
The Guardmaster 440C-CR30 software configurable safety relay
monitors the input from the SafeZone laser scanner control and
the E-Stop. The laser scanner control provides two PNP outputs
that are de-energized when an object interrupts the field of
view.
When an intrusion in the SafeZone sensing area is detected, a
pair of 100S-C safety contactors, K1 and K2, are de-energized.
The contactors are controlled by the 440C-CR30 relay. These are
wired in a redundant configuration and are tested on startup
for faults.
These de-energized contactors remove power to the motor
and the motor coasts to a stop (Stop Category 0). When the
laser scanner control returns to the non-interrupted state, the
contactors in the output do not energize until the system is
reset by a momentary push button.
The 440C-CR30 relay also monitors the E-Stop circuit for faults.
Open-circuit faults, shorts to 24V DC, shorts to GND, output
faults, and cross-channel faults are detected. When a fault is
detected, or when the E-Stop is actuated, the 440C-CR30
relay responds by de-energizing the 100S-C contactor coils,
removing power to the motor. The motor coasts to a stop (Stop
Category 0).
Two N.C. contacts, one from each of the safety contactors, are
connected as part of the reset circuit. The outputs of the 440C-CR30 relay can only be energized if both safety contactors are in
a proper de-energized state.
The system is to be designed such that no single fault results in
the safety system failing to perform its safety function. A single
fault is detected before the next demand on the safety system.
The system cannot be reset until the fault is corrected.
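The reset and feedback behaviour described above, as a simplified Python model added here for illustration; it is not Rockwell Automation or NHP code and does not reproduce the relay's internal logic. The class, field and function names and the timeline are assumptions; the terminal names and the 0.25…3.0 second Reset window are the ones this document gives.

```python
from dataclasses import dataclass

RESET_MIN_S, RESET_MAX_S = 0.25, 3.0   # Reset pulse window given in this document


@dataclass(frozen=True)
class Inputs:
    scanner: tuple = (True, True)   # OSSD pair on EI_08/EI_09, True = field clear
    estop: tuple = (True, True)     # E-Stop channels on EI_00/EI_01, True = closed
    feedback: bool = True           # EI_02, True = K1 and K2 N.C. contacts closed
    reset: bool = False             # P1_00, momentary Reset push button


class RelayModel:
    """Simplified model: EO_18 and EO_19 are treated as one switched pair."""

    def __init__(self):
        self.outputs_on = False
        self.last_reset = "none"
        self._pressed_at = None

    def step(self, t, inp):
        # Any open or disagreeing channel is a demand or fault: Immediate OFF.
        demand = inp.scanner != (True, True) or inp.estop != (True, True)
        if demand:
            self.outputs_on = False
        if inp.reset and self._pressed_at is None:
            self._pressed_at = t                       # button pressed
        elif not inp.reset and self._pressed_at is not None:
            held, self._pressed_at = t - self._pressed_at, None   # button released
            self.last_reset = self._evaluate_reset(held, demand, inp.feedback)
            if self.last_reset == "accepted":
                self.outputs_on = True
        return self.outputs_on

    def _evaluate_reset(self, held, demand, feedback):
        if self.outputs_on:
            return "ignored: outputs already on"
        if not RESET_MIN_S <= held <= RESET_MAX_S:
            return "rejected: pulse outside 0.25...3.0 s"
        if demand:
            return "rejected: input demand or fault present"
        if not feedback:
            return "rejected: feedback open (contactor not dropped out)"
        return "accepted"


# Constructed timeline (seconds, inputs); not measured data.
TIMELINE = [
    (0.0, Inputs()),
    (1.0, Inputs(reset=True)),
    (1.5, Inputs()),                                   # 0.5 s pulse
    (2.0, Inputs(feedback=False)),                     # contactors pulled in
    (3.0, Inputs(scanner=(False, False), feedback=False)),   # field interrupted
    (3.5, Inputs()),                                   # field clear again
    (4.0, Inputs(reset=True)),
    (4.1, Inputs()),                                   # pulse too short
    (5.0, Inputs(reset=True)),
    (9.0, Inputs()),                                   # pulse too long
    (10.0, Inputs(reset=True, feedback=False)),
    (10.5, Inputs(feedback=False)),                    # a contactor did not drop out
    (11.0, Inputs(reset=True, estop=(True, False))),
    (11.5, Inputs(estop=(True, False))),               # E-Stop channels disagree
    (12.0, Inputs(reset=True)),
    (12.5, Inputs()),                                  # everything healthy
    (13.0, Inputs(estop=(False, False), feedback=False)),    # E-Stop actuated
]


def run(timeline):
    """Return (t, outputs_on, last_reset) for every sample in the timeline."""
    relay = RelayModel()
    return [(t, relay.step(t, inp), relay.last_reset) for t, inp in timeline]


if __name__ == "__main__":
    for t, on, why in run(TIMELINE):
        print(f"t={t:5.1f}s  outputs={'ON ' if on else 'OFF'}  last reset: {why}")
```

Clearing the scanner field at t=3.5 does not restore the outputs, and each rejected reset reports which condition failed.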
Electrical Schematic
[Figure: electrical schematic. Recoverable labels: 24V DC, BROWN, BLUE, RESET, PINK, GREY, 0V DC]
Configuration
Configure the SafeZone laser scanner by using the Safety Configuration and Diagnostics (SCD) software supplied with each scanner. SCD software, revision 3.0.0, is used in this application technique.
Configure the SafeZone Laser Scanner
Follow these steps to configure the SafeZone laser scanner.
1. Connect the scanner’s USB cable to the PC and verify that the correct Com port is set on the PC.
TIP: This example uses the Com2 port.
2. Start the SCD software.
3. To go online, locate your project and expand Serial communication.
4. Right-click Com2 and choose Connect.
The Configuration software searches for and connects to the scanner.
5. Click Continue.
When the connection is made, the scanner name appears in Blue.
6. To configure the scanner, right-click the scanner and choose Open device window.
The device window opens. This window provides the Arc drawing tool, which lets you configure the protective and warning fields for your facility.
7. To configure the protective and warning field, use the Arc drawing tool.
8. When you finish configuring the protective and warning field, click Transfer to transfer the information to the scanner.
The Transfer dialog box appears.
9. Click Yes.
A Progress dialog box appears and displays warning notices for the parameters you set for the scanner.
10. Review the warning notices, make any necessary adjustments to the confirmation, and when you are satisfied with the results, click Continue.
A configuration window appears.
11. Review the configuration details, and if you are satisfied that the configuration meets your requirements, click Release.
A second Progress dialog box appears and displays information about the transfer progress.
12. Once the transfer is complete, click Continue.
The Progress dialog box closes, and the application returns you to the main window of the SCD software.
13. To verify that your programmed field is running, select the Data-Recorder in the Diagnostic group.
The SCD software displays a real-time view of the status of the warning and protective fields you configured.
Configure the 440C-CR30 Relay
The 440C-CR30 relay is configured by using Connected Components Workbench™ software, release 6.01 or later. A detailed description of each step is beyond the scope of this document. Knowledge of the Connected Components Workbench software is assumed.
Follow these steps to configure the Guardmaster 440C-CR30 relay by using the Connected Components Workbench software.
1. In Connected Components Workbench software, choose View and then Device Toolbox.
2. Select 440C-CR30-22BBB.
3. In the Project Organizer, double-click the Guardmaster_440C_CR30 relay.
4. To add the plug-in I/O module called for in the schematic, right-click the left plug-in module space and choose the 2080-IQ4OB4 module.
TIP: The I/O module is shown in standard gray because it is not a safety I/O module. That is not a problem in this application because the standard I/O module is not used to connect safety signals. Inputs such as Feedback and Reset button are not considered strict, safety signals. By using the standard I/O module for these non-safety signals, you can reserve the limited number of safety inputs and outputs for true safety signals.
5. Click Edit Logic to open the Connected Components Workbench Workspace.
6. From the View pull-down menu, choose Toolbox.
Rockwell Automation Publication SAFETY-AT137A-EN-P - March 2015
Configure the Inputs
Follow these steps to configure the inputs.
1. Select Emergency Stop.
2. Drag Emergency Stop to the green rectangle under Safety Monitoring and release it.
Connected Components Workbench software has assigned input terminals EI_00 and EI_01 on the left side of the block. The software automatically assigns the next unused terminal for a newly added device. The terminals can be changed to any unused input terminal, but in this case, leave the default. Because an E-Stop is an electro-mechanical device, the software has automatically added terminals 12 and 13 as test sources. Numbers 12 and 13 refer to multipurpose terminals 12 and 13 (MP_12 and MP_13).
3. To add the Scanner monitoring block, use a Light curtain block for the scanner because it also uses OSSD type outputs.
4. Choose inputs EI_08 and EI_09 for the scanner.
5. Add a Reset.
Configure the Outputs
Configure the Outputs
Follow these steps to configure the safety and diagnostic
outputs
Follow these steps to configure the safety
diagnostic
outputs
1. and
Select
and drag
the Immediate OFF safety output function
block to the top position in the Safety Output column of the
1. Select and drag the Immediate OFF safety
output function block to the top position in the Safety Output column o
Workspace.
the Workspace.
Plug-In input 6.
P1_00
to complete
configuration
of the
inputs.
Change
the Resetthe
input
to Plug-In input
P1_00
to complete
theP1_00
configuration
of thethe
inputs.
put to Plug-In input
to complete
configuration of the inputs.
lug-In input P1_00 to complete the configuration of the inputs.
ng input.
nitoring input. 7. Add a Feedback Monitoring input.
input.
Safety Function: Safety-Related Stop Initiated by a SafeZone Scanner
The software automatically assigns two outputs to the next
Function: Safety-Related Stop Initiated by a SafeZone Scanner
the next available input terminal, which in this caseSafety
is EI_02.
available safety outputs, which in this case are EO_18, and
it to the next available input terminal, which in this case
is software
EI_02. automatically assigns
The
twoand
outputs
to one
the next
available
safety output.
outputs,One,
whichtwo,
in this
EO_19,
leaves
blank,
unassigned
or case are E
e next available
input
case
is EI_02.
and
and
leaves one blank,
unassigned
output.
two, or
three
may
be configured.
Becau
Rockwell
Automation
Publication
SAFETY-AT137A-EN-P
- March
2015outputs
three
outputs
may
beOne,
configured.
Because
we are
using
TheEO_19,
software
automatically
assigns
two
outputs
to the
next
available
safety
outputs,
which
inEO_18
this case are
EO1
Theterminal,
software which
assignsin
it this
to the
next
available
input terminal,
which in this case is EI_02.
using
EO_18 and
andInitiated
EO_19
ourand
outputs,
changes
EO_19noasI/O
our
outputs,
norequired.
I/O
are required.
and
EO_19,
leaves
blank,
unassigned
output.
One,are
two,
orchanges
three outputs
may be configured. Because
Safety Function:
Safety-Related
Stop
byone
a as
SafeZone
Scanner
using
EO_18
and EO_19 as our2.outputs,
nothe
I/OFeedback
changes are
required.
Change
input
to SMF 4.
8. Change the number of inputs to 2, 2.
andChange
use the
Input
the
Feedback input to SMF
4.
pull-down menu to select plug-in inputs
P1_01
and
P1_02
2. Change the Feedback input to SMF 4.
r of inputs to 2, and instead.
use the Input pull-down menu to select plug-in inputs P1_01 and P1_02
3. Change the Reset Input to SMF 3.
3. Change the Reset Input to SMF3.3. Change the Reset Input to SMF 3.
Rockwell Automation Publication SAFETY-AT137A-EN-P - March 2015
Rockwell Automation Publication SAFETY-AT137A-EN-P - March 2015
Rockwell Automation Publication SAFETY-AT137A-EN-P - March 2015
4. Configuration of the safety outputs
is complete. of the safety outputs is complete.
4. Configuration
4. Configuration of the safety outputs is complete.
Configure
Configurethe
theLogic
Logic
NHP Safety Reference Guide > Safety Function Documents: 440C
6A-12
The
respond to
to the
theinputs
inputsininthe
themanner
mannerrequired.
required.
Thelogic
logicties
tiesthe
theinputs
inputsto
tothe
theoutputs,
outputs, making
making the
the outputs
outputs respond
Safety Function Documents: 440C
Safety-Related Stop Initiated by a SafeZone Scanner
Products: Guardmaster 440C-CR30 Configurable Safety Relay, 442L SafeZone Laser Scanner, 100S-C Safety Contactors
Safety Rating: CAT. 3, PLd to ISO 13849-1: 2008
Configure the Logic
The logic ties the inputs to the outputs, making the outputs respond to the inputs in the manner
required.
1. Add an AND function to the Logic Level A.
2. Click the blue dot on the E-Stop input block, and notice that the dot turns gray.
3. Click the blue dot on the LLA1 block to connect the blocks.
4. Connect the output of the Light Curtain block SMF 2 to LLA1.
5. Connect the output of the LLA1 block to the input of the Immediate OFF block SOF 1.
The software automatically adds the Pass Through blocks because no additional Logic Functions are being used.
The completed logic looks like this.
Configure the Status Indicators
The 440C-CR30 relay lets you configure ten input status indicators and six output status indicators. These status
indicators can be very helpful while testing the system during installation and commissioning. They are also useful for
monitoring the system in operation.
To configure LED status indicators to show the status of the E-Stop (Terminals 00 and 01), and SafeZone laser scanner,
follow these steps.
1. Click Guardmaster_440C_CR30.
2. Select LED configuration.
3. Choose Terminal Status as the Type Filter for LED 0.
4. Select Terminal 00 as the Value for LED 0.
5. Configure the remaining Input LED status indicators as shown.
In this example, the E-Stop inputs are displayed on LED 0 and 1. The Scanner inputs are displayed on LED 2 and 3. LED 4 and 5 display the status of the Reset and Feedback monitoring blocks.
6. Configure the Output LED status indicators as shown.
[Figure: Output LED status indicators, with entries K1 Coil, K2 Coil and E-Stop SOF]
Confirm the Validity of the Build
Follow these steps to confirm the validity of the logic by using the Build feature in Connected Components Workbench software.
1. Click Guardmaster_440C_CR30 in the bar above the Workspace.
2. Click Build.
A Build Succeeded message confirms that the configuration is valid.
If an error or omission is discovered during a build, a message is displayed that details the error so that it can be corrected. After you correct the error, you need to perform the build again.
Save and Download the Project
Follow these steps to save and download the project.
1. From the File menu, choose Save as to save the project.
INFORMATION: Saving the project with a new name closes the workspace windows.
2. In the Project Organizer window, double-click Guardmaster_440C_CR30 to open the workspace.
3. Power up the 440C-CR30 safety relay.
4. Connect the USB cable to the 440C-CR30 relay.
5. Click Download.
6. In the Connection Browser, expand the AB_VBP-1 Virtual Chassis and select the Guardmaster 440C-CR30-22BBB.
7. Click OK.
8. Click Yes to change from Run to Program mode.
9. When the download is complete, click Yes to change from Program to Run mode.
10. Click Edit Logic to see the online diagnostics.
Green indicates that a block is True or that an input or output terminal is ON. Flashing green indicates that a Safety Output Function is ready to be Reset.
The online diagnostics mode of the 440C-CR30 relay can be very helpful during the verification process.
11. Review the information in Calculation of the Performance Level on page 24 and Verification and Validation Plan on page 26 before proceeding with Verification of the Configuration on page 29.
Rockwell Automation Publication SAFETY-AT137A-EN-P - March 2015
Calculation of the Performance Level
When properly implemented, these safety functions can achieve a safety rating of Category 3, Performance Level d (CAT. 3, PLd), according to ISO 13849-1: 2008, as calculated by using the SISTEMA software PL calculation tool.
The Performance Level and Category achieved by each subsystem of the SafeZone laser scanner safety function, as calculated by SISTEMA, are shown below.
The Performance Level and Category achieved by each subsystem of the emergency stop safety function, as calculated by SISTEMA, are shown below.
The E-Stop safety function can be modeled as follows.
Input (Subsystem 1): E-Stop 1, E-Stop 2
Logic (Subsystem 2): 440C-CR30 Relay
Output (Subsystem 3): 100S-C K1, 100S-C K2
The presence-sensing SafeZone laser scanner safety function can be modeled as follows.
Input (Subsystem 1): SafeZone Laser Scanner
Logic (Subsystem 2): 440C-CR30 Relay
Output (Subsystem 3): 100S-C K1, 100S-C K2
Because these are electro-mechanical devices, the safety contactor data includes the following:
• Mean Time to Failure, dangerous (MTTFd)
• Diagnostic Coverage (DCavg)
• Common Cause Failure (CCF)
Electro-mechanical devices' functional safety evaluations include the following:
• How frequently they are operated
• Whether they are effectively monitored for faults
• Whether they are properly specified and installed
SISTEMA calculates the MTTFd by using B10d data provided
for the contactors along with the estimated frequency of use,
entered during the creation of the SISTEMA project.
The DCavg (99%) for the contactors is selected from the Output
Device table of ISO 13849-1 Annex E, Direct Monitoring. The
DCavg (99%) for the E-Stop is selected from the Input Device
table of ISO 13849-1 Annex E, Cross Monitoring.
The CCF value is generated by using the scoring process
outlined in Annex F of ISO 13849-1. The complete CCF scoring
process must be performed when actually implementing an
application. A minimum score of 65 must be achieved.
The Emergency Stop function is a complementary protective
measure which is intended to be used with other safeguarding
measures and protective devices to sufficiently reduce risk. The
emergency stop function shall be designed not to impair the
effectiveness of the other protective devices or safety functions.
For emergency stop devices in accordance with IEC 60947-5-5,
a fault exclusion for mechanical aspects is allowed up to PLd if
the maximum number of operations is considered. However,
the actual number of operations (NOP) is used for the purposes
of the MTTFd calculation in this document.
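The MTTFd calculation described above, worked through as an added example (it is not part of the original application note and is not SISTEMA's code). It applies the ISO 13849-1 Annex C relations n_op = d_op * h_op * 3600 / t_cycle and MTTFd = B10d / (0.1 * n_op), then classifies the result and checks the DCavg and CCF figures the text quotes. The B10d value and both usage profiles are constructed sample inputs, not data for the 100S-C contactors or the E-Stop.

```python
"""MTTFd from B10d and frequency of use (ISO 13849-1 Annex C). Added example."""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
MTTFD_CAP_YEARS = 100.0    # ISO 13849-1:2008 limits each channel to 100 years
MISSION_TIME_YEARS = 20.0  # mission time assumed by ISO 13849-1
CCF_MIN_SCORE = 65         # minimum Annex F score quoted in the text


@dataclass(frozen=True)
class UsageProfile:
    """Estimated frequency of use for one electro-mechanical component."""
    days_per_year: float   # d_op
    hours_per_day: float   # h_op
    cycle_time_s: float    # t_cycle: mean time between two operations, in seconds

    def operations_per_year(self) -> float:
        """n_op = d_op * h_op * 3600 / t_cycle."""
        if min(self.days_per_year, self.hours_per_day, self.cycle_time_s) <= 0:
            raise ValueError("usage profile values must be positive")
        return (self.days_per_year * self.hours_per_day
                * SECONDS_PER_HOUR / self.cycle_time_s)


def mttfd_years(b10d_cycles: float, usage: UsageProfile) -> float:
    """MTTFd = B10d / (0.1 * n_op), before the 100-year cap."""
    if b10d_cycles <= 0:
        raise ValueError("B10d must be a positive number of cycles")
    return b10d_cycles / (0.1 * usage.operations_per_year())


def t10d_years(b10d_cycles: float, usage: UsageProfile) -> float:
    """T10d = B10d / n_op: time until 10% of parts have failed dangerously."""
    return b10d_cycles / usage.operations_per_year()


def classify_mttfd(years: float) -> str:
    """MTTFd ranges of ISO 13849-1 (low 3-10, medium 10-30, high 30-100 years)."""
    if years < 3:
        return "below range"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def classify_dc(dc_percent: float) -> str:
    """Diagnostic coverage ranges of ISO 13849-1."""
    if not 0 <= dc_percent <= 100:
        raise ValueError("DC must be a percentage between 0 and 100")
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


def evaluate_subsystem(b10d_cycles, usage, dc_percent, ccf_score):
    """Collect the per-subsystem figures a PL calculation starts from."""
    raw = mttfd_years(b10d_cycles, usage)
    t10d = t10d_years(b10d_cycles, usage)
    return {
        "n_op": usage.operations_per_year(),
        "mttfd_raw_years": raw,
        "mttfd_years": min(raw, MTTFD_CAP_YEARS),
        "mttfd_class": classify_mttfd(raw),
        "dc_class": classify_dc(dc_percent),
        "ccf_ok": ccf_score >= CCF_MIN_SCORE,
        # A part whose T10d is shorter than the mission time must be replaced at T10d.
        "replace_after_years": t10d if t10d < MISSION_TIME_YEARS else None,
    }


# Constructed sample inputs (assumptions, not manufacturer data).
SAMPLE_B10D = 2_000_000                                # cycles
RARE_USE = UsageProfile(365, 24, 3600)                 # one operation per hour
FREQUENT_USE = UsageProfile(300, 16, 20)               # one operation every 20 s

if __name__ == "__main__":
    for label, usage in (("rare use", RARE_USE), ("frequent use", FREQUENT_USE)):
        result = evaluate_subsystem(SAMPLE_B10D, usage, dc_percent=99, ccf_score=65)
        print(label, result)
```

With the same B10d, the frequent-use profile falls from the 100-year cap to a medium MTTFd and needs replacement well inside the mission time, which is why the estimated frequency of use matters.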
Verification and Validation Plan
Verification and validation play important roles in the avoidance
of faults throughout the safety system design and development
process. ISO 13849-2 sets the requirements for verification and
validation. The standard calls for a documented plan to confirm
that all of the safety functional requirements have been met.
Verification is an analysis of the resulting safety control system.
The Performance Level (PL) of the safety control system is
calculated to confirm that the system meets the required
Performance Level (PLr) specified. The SISTEMA software is
typically used to perform the calculations and assist with
satisfying the requirements of ISO 13849-1.
Verification and Validation is a functional test of the safety
control system to demonstrate that the system meets the
specified requirements of the safety function. The safety
control system is tested to confirm that all of the safety-related
outputs respond appropriately to their corresponding safety-related inputs. The functional test includes normal operating
conditions in addition to potential fault injection of failure
modes. A checklist is typically used to document the validation
of the safety control system.
Prior to validating the system, confirm that the Guardmaster
440C-CR30 configurable safety relay has been wired and
configured in accordance with the installation instructions.
Verification and Validation Checklist
GENERAL MACHINERY INFORMATION
Machine Name / Model Number
Machine Serial Number
Customer Name
Test Date
Tester Name(s)
Schematic Drawing Number
Configurable Safety Relay
Safety Wiring and Relay Configuration Verification
Test Step | Verification | Pass/Fail | Changes/Modifications
1 | Visually inspect the 440C-CR30 circuit to verify that it is wired as documented in the schematics. | |
2 | Visually inspect the SafeZone laser scanner to verify that it is wired as documented. | |
Normal Operation Verification - The 440C-CR30 configurable safety relay responds properly to all normal Start, Stop, Reset, and E-Stop commands.
Test Step | Verification | Pass/Fail | Changes/Modifications
1 | Initiate a Start command. Both contactors energize for a normal machine run condition. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
2 | Initiate a Stop command. Both contactors de-energize for a normal machine Stop condition. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
3 | While the system is running, interrupt the SafeZone laser scanner. Both contactors are de-energized and open for a normal safe condition. Verify proper machine-status indication and 440C-CR30 relay status indication if configured. | |
4 | While the system is stopped, interrupt the SafeZone laser scanner and initiate a Start command. Both contactors remain de-energized and open for a normal safe condition. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
5 | Initiate a Reset command. Both contactors remain de-energized. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
SafeZone Laser Scanner
Test Step | Validation | Pass/Fail | Changes/Modifications
1 | While the system is running, remove the channel 1 wire from the input EI_08. Both contactors de-energize. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for channel 2. | |
2 | While the system is running, short channel 1 terminal EI_08 of the 440C-CR30 relay to 24V DC. Both contactors de-energize. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for channel 2. | |
3 | While the system is running, short channel 1 terminal EI_08 of the 440C-CR30 relay to 0V DC. Both contactors de-energize. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for channel 2. | |
4 | While the system is running, short channels 1 and 2 (terminal EI_08 and 09) of the 440C-CR30 relay. Both contactors are de-energized. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Safety Contactor Output Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
1 | While the system is running, remove the contactor feedback from the safety relay. All contactors remain energized. Initiate a Stop command followed by a Reset command. The relay does not restart or reset. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
Verification and Validation Checklist – E-Stop Safety Function
GENERAL MACHINERY INFORMATION
Machine Name / Model Number
Customer Name
Test Date
Tester Name(s)
Schematic Drawing Number
Configurable Safety Relay
Safety Wiring and Relay Configuration Verification
Test Step | Verification | Pass/Fail | Changes/Modifications
1 | Visually inspect the safety relay circuit to verify that it is wired as documented in the schematics. | |
2 | Visually inspect the 440C-CR30 rotary switch settings to verify that they are correct as documented. | |
Normal Operation Verification - The safety system responds properly to all normal Start, Stop, E-Stop, and Reset commands.
Test Step | Verification | Pass/Fail | Changes/Modifications
1 | Initiate a Start command. Both contactors energize for a normal machine run condition. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
2 | Initiate a Stop command. Both contactors de-energize for a normal machine Stop condition. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
3 | While the system is running, press the E-Stop button. Both contactors de-energize and open for a normal safe condition. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for all E-Stop buttons. | |
4 | While the system is stopped, press the E-Stop button and initiate a Start command. Both contactors remain de-energized and open for a normal safe condition. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for all E-Stop buttons. | |
5 | Initiate a Reset command. Both contactors remain de-energized. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
E-Stop Input Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
1 | While the system is running, remove the channel 1 EI_00 wire from the 440C-CR30 relay input. Both contactors de-energize. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for channel 2. | |
2 | While the system is running, short channel 1 terminal EI_00 to 24V DC. Both contactors de-energize. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for channel 2. | |
3 | While the system is running, short channel 1 terminal EI_00 to 0V DC. Both contactors de-energize. Verify proper machine-status indication and 440C-CR30 relay status indication. Repeat for channel 2. | |
4 | While the system is running, short channel 1 and 2, EI_00 to EI_01. Both contactors de-energize. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Safety Contactor Output Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
1 | While the system is running, remove the contactor feedback from the safety relay. All contactors remain energized. Initiate a Stop command followed by a Reset command. The relay does not restart or reset. Verify proper machine-status indication and 440C-CR30 relay status indication. | |
5
Release the 440C-CR30 relay Reset button. The 440C-CR30 relay must not
respond and the K1 contactor must not activate.
6
Cycle power to the 440C-CR30 relay. The red 440C-CR30 relay Fault status LED
should be OFF.
7
Press, but do not release the 440C-CR30 relay Reset button. The 440C-CR30
relay must not respond and the K1contactor must not activate.
8
Release the 440C-CR30 relay Reset button. The 440C-CR30 relay must respond
and activate the K1 contactor.
9
While the machine is running, short the A1 terminal of the K1 coil to DC COM.
The 440C-CR30 relay must trip. The red 440C-CR30 relay Fault status LED is ON.
The K1 contactor must de-energize.
10
Press, but do not release the 440C-CR30 relay Reset button. The 440C-CR30
relay must not respond and the K1 contactor must not activate.
11
Release the 440C-CR30 relay Reset button. The 440C-CR30 relay must not
respond and the K1 contactor must not activate.
12
Cycle power to the 440C-CR30 relay. The 440C-CR30 relay Fault status LED
should be OFF.
13
Press, but do not release the 440C-CR30 relay Reset button. The 440C-CR30
relay must not respond and the K1 contactor must not activate.
14
Release the 440C-CR30 relay Reset button. The 440C-CR30 relay must respond
and activate the K1 contactor.
15
Repeat steps 1 to 14 using EO_19 and the K2 contactor.
2
While the system is running, short channel 1 terminal EI_00 to 24V DC. Both
contactors de-energize. Verify proper machine-status indication and 440C-CR30
relay status indication. Repeat for channel 2.
3
While the system is running, short channel 1 terminal EI_00 to 0V DC. Both
contactors de-energize. Verify proper machine-status indication and 440C-CR30
relay status indication. Repeat for channel 2.
4
While the system is running, short channel 1 and 2, EI_00 to EI_01. Both
contactors de-energize. Verify proper machine-status indication and 440C-CR30
relay status indication.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Safety Contactor Output Tests
Test Step    Validation    Pass/Fail    Changes/Modifications
1
While the system is running, remove the contactor feedback from the safety
relay. All contactors remain energized. Initiate a Stop command followed by a
Reset command. The relay does not restart or reset. Verify proper machine-status
indication and 440C-CR30 relay status indication.
Verification of the Configuration
The system must verify the configuration of each individual application by using the Verify command. If the 440C-CR30 configurable safety relay is not verified, it will fault after 24 hours of operation.
ATTENTION: The verification process should be documented in the safety system's technical file.
Follow these steps to download and verify the configuration.
1. Make sure the 440C-CR30 relay is powered up and connected to your workstation via the USB cable.
2. Confirm that the upper right-hand corner of the Connected Components Workbench Project tab shows that the 440C-CR30 relay is connected. If the relay is not connected, click Connect to Device to establish the software connection.
3. Click Verify.
4. Answer all the questions and check each box, if completed.
IMPORTANT: All of the boxes must be marked in order to Generate the Verification ID.
5. Click Generate.
6. Click Yes to proceed with the verification.
7. Click Yes to change to Run mode.
8. Record the Safety Verification ID in the machine's documentation.
IMPORTANT: This process is the feedback to the 440C-CR30 relay that the system verification and functional tests have been completed. The unique verification ID can be used to check if changes have been made to a configuration file. Any change to the configuration removes the Safety Verification ID. Subsequent verification actions generate a different verification ID. The Safety Verification ID is displayed in Connected Components Workbench software only when you are connected to the 440C-CR30 relay.
Rockwell Automation Publication SAFETY-AT134A-EN-P - September 2014
Rockwell Automation Publication SAFETY-AT137A-EN-P - March 2015
Additional Resources
These documents contain additional information concerning related products from Rockwell
Automation.
Resource: SafeZone Singlezone and Multizone Safety Laser Scanner User Manual, publication 442LUM003
Description: Provides information on how to mount, install, commission, operate, and maintain the SafeZone laser scanner.
Resource: Guardmaster 440C-CR30 Software Configurable Safety Relay Quick Start Guide, publication 440C-QS001
Description: Provides information on how to configure a Guardmaster 440C-CR30 configurable safety relay to communicate with a PanelView Component terminal via Modbus communication protocol.
Resource: Guardmaster 440C-CR30 Configurable Safety Relay User Manual, publication 440C-UM00
Description: Provides detailed information on how to install, configure, operate, and troubleshoot a Guardmaster 440C-CR30 configurable safety relay.
Resource: Safety Contactors with DC Coil Installation Instructions, publication 100S-IN006
Description: Provides instructions on how to install 100S-C safety contactors.
Resource: Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1
Description: Provides general guidelines on how to install a Rockwell Automation® industrial system.
Resource: Safety Products Catalog, publication S117-CA001, website http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page
Description: Provides information about Rockwell Automation safety products.
Resource: Product Certifications website, available from the Product Certifications link on http://www.ab.com
Description: Provides declarations of conformity, certificates, and other certification details.
You can view or download publications at http://www.rockwellautomation.com/literature/.
To order paper copies of technical documentation, contact your local Allen-Bradley distributor or
Rockwell Automation sales representative.
Documentation Feedback
Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete this form, publication RA-DU002, available at http://www.rockwellautomation.com/literature/.
For more information on Safety Function Capabilities, visit:
http://marketing.rockwellautomation.com/safety/en/safety_functions
Rockwell Automation maintains current product environmental information on its website at:
http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.
Disclaimer
The information contained in this and any related
publications is intended as a guide only. Every care
has been taken to ensure that the information given is
accurate at time of publication.
Neither NHP nor any of the manufacturers portrayed in
this and any related publications accept responsibility
for any errors or omissions contained therein nor any
misapplications resulting from such errors or omissions.
Risk assessments should be conducted by authorized
persons. The purchaser and installer are responsible
for ensuring the safety system(s) incorporating these
products complies with all current regulations and
applicable standards.
Products are subject to change without notice and may
differ from any illustration(s) provided. All products
offered for sale are subject to NHP standard Conditions of
Sale, a copy of which is available on application.