NHP SAFETY REFERENCE GUIDE


GSR SAFETY FUNCTION DOCUMENTS

Safety Function: Actuator Subsystems Stop Category 1 via the PowerFlex 525 and PowerFlex 527 Drives with Safe Torque-off

Table of Contents:

Important User Information
General Safety Information
Introduction
Safety Function Realization: Risk Assessment
Stop Safety Function
Safety Function Requirements
Functional Safety Description
Bill of Material
Setup and Wiring
Safety Distance Calculations
Configuration
Calculation of the Performance Level
Verification and Validation Plan
Additional Resources

NHP Safety Reference Guide > Safety Function Documents: GSR 6B-252

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

General Safety Information

Contact Rockwell Automation to find out more about our safety risk assessment services.

This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety distance calculations, which are not part of the scope of this document.

Introduction

This safety function application technique is concerned primarily with the Logic and Output subsystems of a safety system. The document illustrates how to combine a Guardmaster dual-input safety relay (GSR DI) and Guardmaster multifunction-delay expansion module (GSR EMD) with a PowerFlex 525 drive or a PowerFlex 527 drive to provide a category 1 stop.

The category 1 stop provides a brief delay between the stop request to the programmable automation controller (PAC) and the de-energizing of the STO inputs to allow the system time to execute an orderly stop before the STO inputs are de-energized. The intent is to provide a less disruptive, but safe, response to a sudden emergency stop demand.

In an actual application, any typical safety input device could be used as the Input subsystem if properly applied. A SensaGuard switch, as in Safety Function: Door Monitoring Products: SensaGuard/GSR DI, publication SAFETYAT069, is used as a convenient example of an Input subsystem in this application technique.

Function  Subsystem    Device
Input     Subsystem 1  SensaGuard Switch
Logic     Subsystem 2  Guardmaster Dual-input Safety Relay
Logic     Subsystem 3  Guardmaster Expansion Module
Output    Subsystem 4  PowerFlex 527 Drive

Safety Function Realization: Risk Assessment

The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or exceeds the PLr.

From: Risk Assessment (ISO 12100)
1. Identification of safety functions
2. Specification of characteristics of each function
3. Determination of required PL (PLr) for each safety function
To: Realization and PL Evaluation

Stop Safety Functions

This application technique includes two safety functions:
1. Safety-related stop function initiated by a safeguard.
2. Prevention of an unexpected startup.

Safety Function Requirements

Safety-related Stop Function Initiated by a Safeguard

When a partial-access guard door is opened, the Input subsystem initiates and maintains a stop command for the safety system to stop hazardous motion before a person can reach the hazardous area. The stop command cannot be reset until the guard door is closed.

Prevention of an Unexpected Startup

The safety system cannot be reset, and hazardous motion cannot be restarted while the guard door is open. Once the guard door is closed and the stop command is reset, a second action (pressing a Start button) is required before the hazardous motion can resume. This document presumes that the Start/Stop button is connected to and controlled by the programmable automation controller (PAC).
The vendor must provide probability of failure per hour (PFH) and all relevant functional safety data for all the subsystems of this safety system necessary to prove that the overall safety functions meet the requirements for Performance Level d (PLd), per ISO 13849-1.

The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.

Functional Safety Description

The Guardmaster dual-input safety relay, Guardmaster multifunction-delay expansion module, and PowerFlex drives with integrated safe torque-off (STO) use 1oo2 architecture to achieve the PFH value that is used in the PL calculation verification section of this document.

The Guardmaster dual-input safety relay monitors its safety inputs for valid status and faults. It monitors its internal circuitry for proper operation and faults. The safety relay monitors its single wire safety (SWS) input/output (I/O) for valid status and faults. It monitors its safety output contacts for proper, valid status and faults. When it receives a safety demand on its inputs, or an invalid status or a fault is detected, the safety relay deactivates its safety outputs and sends a safety stop command to the Guardmaster multifunction-delay expansion module via its L11 SWS.

The Guardmaster multifunction-delay expansion module monitors its SWS input for safety stop commands, valid status, and faults. It monitors its internal circuitry for proper operation and faults. It monitors its safety output contacts for proper, valid status and faults. When it receives a non-fault safety demand via its L12 SWS input, it deactivates its safety outputs in the manner for which it is configured. In this document, the Guardmaster multifunction-delay expansion module is configured to provide a 100 ms delay. In the event of an internal fault, or a fault signaled via the SWS, the Guardmaster multifunction-delay expansion module immediately de-energizes its safety outputs.

The PowerFlex drive monitors its STO inputs for valid status and faults. The drive monitors its internal safety circuits for valid status and faults. The drive monitors its outputs for valid status and faults. When the Guardmaster dual-input safety relay de-energizes the drive STO inputs via the Guardmaster multifunction-delay expansion module, the drive's STO feature forces the drive output power transistors to a disabled state. The hazardous motion controlled by the drive coasts to a stop. This feature does not provide electrical power isolation.

The system cannot be restarted until the gate is closed and the Guardmaster dual-input safety relay is reset. Once the safety relay is reset, the PAC-controlled Start button can be pressed to start the hazardous motion.

Hardwired STO Safe Torque Off Considerations for a Category 1 Stop

In the event of a malfunction, it is possible that stop category 0 may occur. When designing the machine application, timing and distance must be considered for a coast to stop, as well as the possibility of the loss of control of a vertical load. A malfunction causing this condition could be a hardwired STO input to the drive going low (i.e. a wire falls off) before the drive has a chance to completely stop the motor. Use additional protective measures if this occurrence might introduce unacceptable risks to personnel.

Bill of Material

The Logic and Output subsystems in this document use these products.

Cat. No.         Description                                                                 Qty
440R-D22R2       Guardmaster dual-input safety relay (DI)                                    1
440R-EM4R2D      Guardmaster multifunction-delay expansion module, 4 N.O. safety contacts    1
800FP-R611PQ10V  800F reset, round plastic                                                   1
1606-XLP72E      1606-XLP72E compact power supply, 24-28V DC, class 2                        1
25C-V2P5N104     PowerFlex 527 AC drive, with embedded EtherNet/IP and safe torque-off       1
  or
25B-B5PON104     PowerFlex 525 AC drive, with embedded EtherNet/IP and safe torque-off

Setup and Wiring

For detailed information on installing and wiring, refer to the publications listed in the Additional Resources on page 22.

System Overview

Safety-related Stop Function Initiated by a Safeguard

The Guardmaster dual-input safety relay monitors the status of a safety input device, for example a SensaGuard switch. When the input device is tripped (guard door opened), the safety relay de-energizes its two safety outputs and sends a safety stop command downstream to the Guardmaster multifunction-delay expansion module via its SWS. After the 100 ms configured delay time, the Guardmaster multifunction-delay expansion module deactivates its safety outputs, which remove power from the drive's (PowerFlex 525 or PowerFlex 527 drive) STO inputs. The drive disables its output power transistors, leaving the hazardous motion to coast to a stop.

When the input device is returned to its safe state (guard door closed), and the reset button is pressed and released properly, the Guardmaster dual-input safety relay's safety outputs energize, the Guardmaster multifunction-delay expansion module energizes its safety outputs, and the drive's STO inputs are powered. The hazardous motion can then be restarted by pressing a PAC-controlled Start button.

Prevention of an Unexpected Start-up

The Guardmaster dual-input safety relay cannot be reset while its input device is in a tripped (guard door open) state. The Guardmaster multifunction-delay expansion module cannot reset until the Guardmaster dual-input safety relay is reset, the drive's STO inputs remain off, and the hazardous motion cannot be restarted.

When the input device is returned to its safe state (guard door closed), and the reset button is pressed and released properly, the Guardmaster dual-input safety relay's safety outputs energize, the Guardmaster multifunction-delay expansion module energizes its safety outputs, and the drive's STO inputs are powered. The hazardous motion can then be restarted by pressing a PAC-controlled Start button.

Safety Distance Calculations

Detailed calculation of a proper safety distance is beyond the scope of this document, but some considerations follow. Safeguarding systems must make certain that a person cannot reach a hazardous motion before the safeguarding system has brought that hazardous motion to a halt. This is addressed in safety standards relevant to this application:

- ISO 14119 (Safety of machinery - Interlocking devices associated with guards - Principles for design and selection)
- ISO 13855 (Safety of machinery - Positioning of safeguards with respect to the approach speeds of parts of the human body)
- ANSI B11.19 (Performance Criteria for Safeguarding)

Safety Distance and Access Time

Safety distance is the distance between the guarded access point and the hazardous motion necessary to make certain that a person cannot access a hazardous motion before it is stopped, that is, the hazard has ceased.

This document uses, as an example, an interlocking device (SensaGuard switch) monitoring a partial-body access gate. Imagine that this access gate allows a person time to reach their arm 762 mm (30 inches) into the potentially hazardous area to perform an occasional, necessary task.
ISO 14119 3.22 defines access time as the time taken by a person to reach the hazard zone after initiation of the stop command by the interlocking device (the SensaGuard actuator moving beyond sensing range), as calculated on the basis of an approach speed of the body or part of the body, in our case, a hand.

ISO 13855 defines the approach speed of a hand as 1600 mm per sec. Using this value, we calculate the access time:

762 mm / 1600 mm per sec, or 476 ms

ANSI B11.19 defines the approach speed of a hand as 63 in. per sec. Using this value, we calculate the access time:

30 in. / 63 in. per sec, or 476 ms

Overall System Stopping Performance

ISO 14119 6.2.1 stipulates that the overall system stopping time for a hazardous machine safeguarded by an interlock must be less than the access time. If the overall system stopping performance is equal to or greater than the access time, an interlock with guard-locking must be used, the distance from the safeguard to the hazard must be increased, or a different, more suitable method must be used to safeguard the hazard. In this document, the overall system stopping performance of our application, using an interlock, must therefore be less than 476 ms.

The overall system stopping performance of a safeguarding system must be determined by actual system testing and measurement. The worst-case, overall system stopping performance from these tests and measurements must be used to evaluate the safety distance requirements.

The overall stopping performance of these applications is the sum of the response time of the input device (SensaGuard switch), the response time of the Guardmaster dual-input safety relay, the response time of the Guardmaster multifunction-delay expansion module, the delay configured in the Guardmaster multifunction-delay expansion module, the safety reaction time of the drive used (PowerFlex 525 or PowerFlex 527 drive), and the coast-to-stop time of the hazardous motion.
The response and reaction times can be taken from the product support literature. The summed response/reaction time of the Guardmaster dual-input safety relay, Guardmaster multifunction-delay expansion module, configured expansion module delay, and PowerFlex drive, together with the worst-case coast-to-stop portion of the overall system stopping performance, is the same regardless of the input device used. It may be useful to estimate how fast the hazardous motion must coast to a stop before the safeguarded system is available for testing.

The maximum safe coast-to-stop time for a system using the PowerFlex 525 drive can be calculated as follows:

SensaGuard switch (SG) + Guardmaster dual-input safety relay (GSR DI) + Guardmaster multifunction-delay expansion module (GSR EMD) + Guardmaster multifunction-delay expansion module delay (EMDd) + PowerFlex 525 drive (drive) = overall system stopping performance less maximum safe coast-to-stop time

54 ms (SG) + 35 ms (GSR DI) + 35 ms (GSR EMD) + 100 ms (EMDd) + 100 ms (drive) = 324 ms = overall system stopping performance time less the estimated maximum safe coast-to-stop time

476 ms - 324 ms = 152 ms = estimated maximum safe coast-to-stop time

The maximum safe coast-to-stop time for a system using the PowerFlex 527 drive can be calculated as follows:

SensaGuard switch (SG) + Guardmaster dual-input safety relay (GSR DI) + Guardmaster multifunction-delay expansion module (GSR EMD) + Guardmaster multifunction-delay expansion module delay (EMDd) + PowerFlex 527 drive (drive) = overall system stopping performance less maximum safe coast-to-stop time

54 ms (SG) + 35 ms (GSR DI) + 35 ms (GSR EMD) + 100 ms (EMDd) + 12 ms (drive) = 236 ms = overall system stopping performance time less the estimated maximum safe coast-to-stop time

476 ms - 236 ms = 240 ms = estimated maximum safe coast-to-stop time
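The budget arithmetic above can be re-run against a measured worst-case coast-to-stop time. The following Python is an added example, not part of the original publication: the class and function names and the measured coast times are illustrative assumptions, while the response times, reach distance and approach speed are the values quoted in the text.

```python
"""Stopping-time budget for an interlocked guard without guard locking.

Added illustration: names are hypothetical; component times are the ones
quoted in the text, measured coast times are constructed sample values.
"""
from dataclasses import dataclass

HAND_SPEED_MM_PER_S = 1600  # ISO 13855 hand approach speed, as quoted in the text
REACH_MM = 762              # partial-body access reach used in the text


@dataclass(frozen=True)
class StopChain:
    """Everything between the guard opening and the drive removing torque."""
    name: str
    times_ms: tuple  # ((component, response or reaction time in ms), ...)

    def electrical_ms(self):
        """Sum of response/reaction times, excluding the mechanical coast."""
        return sum(ms for _, ms in self.times_ms)


COMMON = (
    ("SensaGuard switch", 54),
    ("GSR DI", 35),
    ("GSR EMD", 35),
    ("GSR EMD configured delay", 100),
)
PF525 = StopChain("PowerFlex 525", COMMON + (("drive STO reaction", 100),))
PF527 = StopChain("PowerFlex 527", COMMON + (("drive STO reaction", 12),))


def access_time_ms(reach_mm, speed_mm_per_s=HAND_SPEED_MM_PER_S):
    """Whole milliseconds for a hand to cover reach_mm.

    Rounded down: a shorter access time is the conservative direction.
    """
    return (reach_mm * 1000) // speed_mm_per_s


def coast_budget_ms(chain, reach_mm=REACH_MM):
    """Largest coast-to-stop time that still fits; negative means none does."""
    return access_time_ms(reach_mm) - chain.electrical_ms()


def evaluate(chain, measured_coast_ms, reach_mm=REACH_MM):
    """Compare worst-case measured stopping performance with the access time.

    The overall stopping time must be strictly less than the access time;
    equal or greater means the plain interlock is not sufficient.
    """
    access = access_time_ms(reach_mm)
    overall = chain.electrical_ms() + measured_coast_ms
    return {
        "chain": chain.name,
        "access_ms": access,
        "overall_ms": overall,
        "margin_ms": access - overall,
        "interlock_sufficient": overall < access,
    }


if __name__ == "__main__":
    # Constructed worst-case coast measurements, for illustration only.
    for chain, coast in ((PF525, 140), (PF525, 152), (PF527, 200), (PF527, 260)):
        r = evaluate(chain, coast)
        verdict = "OK" if r["interlock_sufficient"] else (
            "NOT OK: use guard locking, increase distance, or another method")
        print(f'{r["chain"]}: electrical {chain.electrical_ms()} ms, '
              f'coast {coast} ms, overall {r["overall_ms"]} ms '
              f'vs access {r["access_ms"]} ms -> {verdict}')
```

A coast time exactly equal to the budget (152 ms on the PowerFlex 525 chain) fails the check, because the overall stopping time must be less than the access time, not equal to it.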

Electrical Schematic

In this application example, a local Start/Stop button is directly wired to the PowerFlex 525 drive. This button is used for normal, non-safety stops and starts of the system. It is also used to start/restart the drive after safety-related stops once the safety circuit is reset.

Figure 1 - PowerFlex 525 Circuit
[Schematic not reproduced. Labels: 24V DC, 0V DC (COM), typical safety input device, Logic, Actuator, PowerFlex 525 with Start and Stop inputs, Digital Common, gate control power supply, gate control circuit. Notes: Range and Time switches set for a 100 ms OFF delay; the delay initiates the configured normal production stop.]

Electrical Schematic

This document presumes that a Stop/Start button is connected to the system PAC. It is referred to in Figure 2, but is not part of this circuit. This button is used for normal, non-safety stops and starts of the system. It is also used to start/restart the drive after safety-related stops once the safety circuit is reset.

Figure 2 - PowerFlex 527 Circuit
[Schematic not reproduced. Labels: 24V DC, 0V DC (COM), typical safety input device, Logic, Actuator, PowerFlex 527, connection to PAC, Digital Common, gate control power supply, gate control circuit. Notes: Range and Time switches set for a 100 ms OFF delay; the delay initiates the configured normal production stop. Start/Stop requests are provided to the drive by the PAC via Ethernet.]

Configuration

Configure the Guardmaster Dual-input Safety Relay

Follow these steps to configure the Guardmaster dual-input safety relay. For more information about this relay, refer to Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037.

1. Enable Program mode. (Figure: Logic switch)
2. Set Operation mode to 2: Manual Reset (IN1 and IN2) or L12. (Figure: Logic switch)
3. Cycle power to store the configuration setting.

Configure the Guardmaster Multifunction-delay Expansion Module

Follow these steps to configure the Guardmaster multifunction-delay expansion module. For more information about this expansion module, refer to Guardmaster Safety Relay EMD Installation Instructions, publication 440R-IN045.

1. Start configuration/overwrite: With power off, turn the Range rotary switch to 0 and power up the unit. After the power-up test, the PWR/Fault status indicator will flash red.
2. Set timing/mode configuration: Turn the Range rotary switch to 1 (0.1 to 1.0 second), and then turn the Time rotary switch to 1 (10% of the 1.0 second range, that is, the 100 ms delay used in this document). The B1 and IN indicators blink the new setting. The PWR/Fault status indicator flashes steady green to indicate that the positions are set.
3. Cycle power to the unit to store the configuration setting.

The configuration must be confirmed before operation. A white space is provided on the face of the unit to record the setting.

Configure the PowerFlex 525 Drive

The PowerFlex 525 drive is configured by using Connected Components Workbench software, version 7 or later. A detailed description of how to fully configure the PowerFlex 525 drive is beyond the scope of this document. For more information about this drive, refer to the PowerFlex 520-Series Adjustable Frequency AC Drive User Manual, publication 520-UM001.

Both the PowerFlex 525 and PowerFlex 527 drives ship with the STO feature disabled by jumpers. Refer to the appropriate user manual for guidance on removing these jumpers.

The PowerFlex 525 drive must have the following four parameters adjusted to perform as intended in the document.

Parameter #  Name              Value          Units  Internal Value  Default      Min.  Max
46           Start Source 1    Digin TermBlk  -      5               Keypad       1     5
62           Digin TermBlk 02  3-Wire Start   -      49              2-Wire FWD   0     49
63           Digin TermBlk 03  3-Wire Dir     -      51              2-Wire REV   0     51
105          Safety Open En    FaultDisable   -      1               FaultEnable  0     1

Parameters 46, 62, and 63 must be set as above for the Start/Stop button to operate as intended. Parameter 105 configures the PowerFlex 525 drive to accept the STO inputs without generating a spurious F111 fault.

By default, the PowerFlex 525 drive provides a coast-to-stop in response to an STO input. This action overrides any other stop type that might be configured for the drive for its normal production stop.

Configure the PowerFlex 527 Drive

The PowerFlex 527 drive is configured by using Studio 5000 Automation Engineering & Design Environment. A detailed description of how to fully configure the PowerFlex 527 drive is beyond the scope of this document. For more information about this drive, refer to PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002.

By default, the PowerFlex 527 drive provides a coast-to-stop in response to an STO input. This action overrides any other stop type that might be configured for the drive for its standard stop. For a stop category 1, after a demand, an immediate controlled stop should be executed using a Motion Axis Stop or Motion Servo Off command.

Calculation of the Performance Level

When properly implemented, both the PowerFlex 525 and PowerFlex 527 drives with safe torque-off (STO) can be used in a safety function that has a Performance Level required (PLr) rating of Category 3, Performance Level d (CAT. 3, PLd), according to ISO 13849-1: 2008, as calculated by using the Safety Integrity Software Tool for the Evaluation of Machine Applications (SISTEMA).

The functional safety data for the SensaGuard switch, Guardmaster dual-input safety relay, Guardmaster multifunction-delay expansion module, and PowerFlex 525 drive is provided from the Rockwell Automation SISTEMA library. The functional safety data for the PowerFlex 527 drive is from the PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002.

Logic and Output Subsystems Calculation

The PowerFlex 525 drive yields the following results.

This can be modeled as follows:

Function  Subsystem    Device
Logic     Subsystem 1  Guardmaster Dual-input Safety Relay
Logic     Subsystem 2  Guardmaster Multifunction-delay Expansion Module
Output    Subsystem 3  PowerFlex 525 Drive

The PowerFlex 527 drive yields virtually the same results. The same parts produce the same results.

This can be modeled as follows:

Function  Subsystem    Device
Logic     Subsystem 1  Guardmaster Dual-input Safety Relay
Logic     Subsystem 2  Guardmaster Multifunction-delay Expansion Module
Output    Subsystem 3  PowerFlex 527 Drive

The rest of the SISTEMA calculation in this document features a SensaGuard switch as an example of a typical safety input device. For instance, when the PowerFlex 525 drive is used, these are the SISTEMA calculations for the safety function, Safety-related stop function initiated by a safeguard:

When the PowerFlex 525 drive is used in the safety function, Prevention of an unexpected startup, the SISTEMA calculations are identical, because all of the same components are used.

The two PowerFlex 525 safety functions each achieve their necessary PLr.

When the PowerFlex 527 drive is used in the safety function, Safety-related stop function initiated by a safeguard, the SISTEMA calculation results are as follows.

As before, when the PowerFlex 527 drive is used in the safety function, Prevention of an unexpected start-up, the calculations are identical, because all of the same components are used.

Each PowerFlex 527 safety function achieved its PLr.

Verification and Validation Plan

Verification and validation play important roles in the avoidance of faults throughout the safety system design and development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a documented plan to confirm that all of the safety functional requirements have been met.

Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.

Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements of the safety function. The safety control system is tested to confirm that all of the safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions in addition to potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control system.

This document uses, as an example, a SensaGuard switch for an input device. Notice that in the validation process, all of the purposely-created faults are created at the input terminals of the Guardmaster dual-input safety relay. All of the relay's responses to these faults are the same as they would be using any typical input device with OSSD outputs, or an electromechanical input device using the Guardmaster dual-input safety relay pulse test output feature. Some of the SensaGuard switch's reactions to these faults are unique to the SensaGuard switch, as some responses from other OSSD devices might be unique to those devices. The responses of the PowerFlex 527 drive and the PowerFlex 525 drive to faults on their STO inputs are the same. Therefore, the following tests, using purposely-created faults, are appropriate for either drive.

Verification and Validation Checklist

General Machinery Information
Machine Name/Model Number
Machine Serial Number
Customer Name
Test Date
Tester Name(s)
Schematic Drawing Number
Input Devices: 440N-Z21SS2AN9
GuardMaster Dual-input Safety Relay: 440R-D22R2
GuardMaster Multifunction-delay Expansion Module: 440R-EM4R2D
Variable Frequency Drive: 25B-B5PON104 (PowerFlex 525 drive) or 25C-V2P5N104 (PowerFlex 527 drive)

Safety Wiring and Relay Configuration

Test Step | Verification | Pass/Fail | Changes/Modifications
1 | Confirm that all component specifications are suitable for the application. Refer to Basic Safety Principles and Well-tried Safety Principles from ISO 13849-2. | |
2 | Visually inspect the safety relay circuit to confirm that it is wired as documented in the schematics. | |
3 | Confirm that the Guardmaster dual-input safety relay is set to the proper Logic configuration setting 2. | |
4 | Confirm that the Guardmaster multifunction-delay expansion module is set to the proper Range configuration setting 1 and Time configuration setting 1. | |

Normal Operation Verification - The safety system responds properly to all normal Start, Stop, Reset, and SensaGuard Switch inputs.

Test Step | Verification | Pass/Fail | Changes/Modifications
1 | Confirm that no one is in the guarded area. | |
2 | Confirm that the hazardous motion is stopped. | |
3 | Confirm that the door is closed. | |
4 | Apply power to the safety system. | |
5 | Confirm that the PWR/Fault, IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are green. Confirm that the OUT status indicator blinks green. Confirm that the PWR/Fault status indicator of the Guardmaster multifunction-delay expansion module is steady green. | |
6 | Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are steady green. | |
7 | Confirm that the hazardous motion does not start on power-up. | |
8 | Press and release the external drive Start button. Confirm that the hazardous motion begins and the machine begins to operate. | |
9 | Press the external Stop button. The machine must stop in its normal, configured manner. The safety system must not respond. | |
10 | Press and release the external Start button. Confirm that the hazardous motion starts and the machine begins to operate. | |
11 | Open the guarded door. The safety system must trip. The hazardous motion must stop within the required time. Monitor the status indicators on the Guardmaster dual-input safety relay and Guardmaster multifunction-delay expansion module for proper operation. Only the PWR/Fault status indicator on both devices should be steady green. All other status indicators should be OFF. | |
12 | Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module must not respond. | |
13 | Close the guarded door. The machine must not start. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay must be steady green. The OUT status indicator must blink green. | |
14 | Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are steady green. | |
15 | Press and release the external Start button. Confirm that the motor starts and the machine begins to operate. | |

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

SensaGuard Switch - Guardmaster input Tests

Test Step | Validation | Pass/Fail | Changes/Modifications
1 | Keep the guarded door closed. Hazardous motion continues to run. Remove the gray wire from the SensaGuard switch to terminal S12 of the Guardmaster dual-input safety relay. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module must trip immediately. The hazardous motion must stop. Verify proper operation of all status indicators. | |
2 | Reconnect the wire to the S12 terminal. The Guardmaster dual-input safety relay must not respond. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond. | |
3 | Open and close the guarded door. The IN1 and IN2 status indicators must be steady green. The OUT status indicator must blink green. | |
4 | Press and release the Reset button. The Guardmaster dual-input safety relay OUT status indicator must be steady green. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators must be steady green. The hazardous motion must not start. | |
5 | Press the external Start button. The machine must start to run. Monitor all status indicators for proper operation. This step is optional in the following SensaGuard switch validation tests. | |
6 | With the guarded door closed, jump the gray wire to 24V. After approximately 40 seconds, the SensaGuard switch must trip. The Guardmaster dual-input safety relay must trip. The SensaGuard switch flashes red. Monitor all status indicators for proper operation. | |
7 | Remove the jumper. Neither the SensaGuard switch nor the Guardmaster dual-input safety relay respond. Press and release the Restart button. Nothing changes. Monitor all status indicators for proper operation. | |
8 | Cycle power to the SensaGuard switch. Approximately five seconds after power is restored to the SensaGuard switch, the status indicator on the SensaGuard switch goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green, and the OUT status indicator blinks green. | |
9 | Press and release the Reset button. The Guardmaster dual-input safety relay must reset; its OUT status indicator is steady green. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators must be steady green. | |
10 | Jump S12 to DC COM. The Guardmaster dual-input safety relay trips immediately. The status indicator on the SensaGuard switch blinks red. The Guardmaster dual-input safety relay IN1, IN2, and OUT status indicators are OFF. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators are OFF. | |
11 | Remove the jumper. Neither the SensaGuard switch nor the Guardmaster dual-input safety relay respond. Press and release the Reset button. Nothing changes. | |
12 | Cycle power to the SensaGuard switch. Approximately five seconds after power is restored to the SensaGuard switch, the status indicator on the SensaGuard switch goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green and the OUT status indicator blinks green. | |
13 | Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module must reset. Monitor all status indicators for proper operation. | |
14-27 | Repeat steps 1 through 13 using the Guardmaster terminal S22 in place of S12 and Safety B in place of Safety A. | |

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

SensaGuard Switch - Guardmaster input Tests

Test Step | Validation | Pass/Fail | Changes/Modifications
28 | Jump S12 to S22 on the Guardmaster dual-input safety relay. After approximately 50 seconds, the SensaGuard switch trips. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module trip. The SensaGuard switch flashes red. Monitor all status indicators for proper operation. | |
29 | Remove the jumper. Neither the SensaGuard switch nor the Guardmaster dual-input safety relay or the Guardmaster multifunction-delay expansion module respond. Press and release the Reset button. Nothing changes. | |
30 | Cycle power to the SensaGuard switch. Approximately five seconds after power is restored to the SensaGuard switch, the status indicator on the SensaGuard switch goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green and the OUT status indicator blinks green. | |
31 | Replace the SWS wire on L12 of the Guardmaster multifunction-delay expansion module. The Logic IN and OUT status indicators are steady green. Press and release the Start button to restore hazardous motion. | |

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

Guardmaster Dual-input Safety Relay - Guardmaster Multifunction-delay Expansion Module Tests

Test Step | Validation | Pass/Fail | Changes/Modifications
1 | While the machine continues to run, remove the wire from L12 of the Guardmaster multifunction-delay expansion module. The hazardous motion must coast to a stop. The Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module must be OFF. The Guardmaster dual-input safety relay is not affected. | |
2 | Press the external Stop button. Restore the connection. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators are steady green. Press the external Start button to resume the hazardous motion. | |
3 | While the hazardous motion continues to run, jump 24V to the L12 terminal of the Guardmaster multifunction-delay expansion module. After a second or two, the hazardous motion coasts to a stop. The Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are OFF. The OUT status indicator of the Guardmaster dual-input safety relay is OFF. The PWR/Fault indicator of the Guardmaster dual-input safety relay blinks red to show that it is faulted. | |
4 | Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond. | |
5 | Cycle power to the Guardmaster dual-input safety relay. It responds. The PWR/Fault, and IN1 and IN2 status indicators are steady green. The OUT status indicator blinks green. | |
6 | Press and release the Reset button. Press the external Start button. The hazardous motion must resume. | |
7 | While the hazardous motion continues to run, jump 0V to the L12 terminal of the Guardmaster multifunction-delay expansion module. After a second or two the hazardous motion coasts to a stop. The Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are OFF. The OUT status indicator of the Guardmaster dual-input safety relay is OFF. The PWR/Fault status indicator of the Guardmaster dual-input safety relay blinks red to show that it is faulted. | |
8 | Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond. | |
9 | Cycle power to the Guardmaster dual-input safety relay. It responds. The PWR/Fault, and IN1 and IN2 status indicators are steady green. The OUT indicator blinks green. | |
10 | Press and release the Reset button. Press the external Start button. The hazardous motion must resume. | |

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

Guardmaster Multifunction-delay Expansion Module - PowerFlex Drive Tests

Test Step | Verification and Validation | Pass/Fail | Changes/Modifications
1 | While the machine continues to run, remove the wire from terminal S1 of the PowerFlex drive. The hazardous motion must coast to a stop. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module are not affected. The PowerFlex drive has an STO fault. | |
2 | Replace the wire to terminal S1. Press the drive's Start button. The drive must not respond. The STO fault remains. | |
3 | Cycle power to the drive. The STO fault is cleared. Press the Start button. The hazardous motion starts. | |
4 | While the hazardous motion continues to run, jump 24V to terminal S1 of the PowerFlex drive. Open the guarded gate. The hazardous motion coasts to a stop. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module behave in the normal way to the gate opening. The PowerFlex drive has an STO fault. | |
5 | Close the gate. Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module reset. The PowerFlex drive does not respond to the Start button. The PowerFlex drive's STO fault remains. | |
6 | Remove the jumper. Press the drive Start button. The drive must not respond. The STO fault remains. | |
7 | Cycle power to the drive. The STO fault is cleared. Press the Start button. The hazardous motion starts. | |
8 | While the hazardous motion continues to run, jump 0V to terminal S1 of the PowerFlex drive. The hazardous motion coasts to a stop. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module are not affected. The PowerFlex drive has an STO fault. | |
9 | Remove the jumper. Press the drive Start button. The drive must not respond. The STO fault remains. | |
10 | Cycle power to the drive. The STO fault is cleared. Press the Start button. The hazardous motion starts. | |
11 | Repeat steps 1 through 10 using the PowerFlex drive's terminal S2 in place of terminal S1. The system responses must be the same as before. | |

Confirmation of Performance - The overall system stopping performance does not exceed 476 ms.

SensaGuard Switch - Guardmaster input Tests

SensaGuard Switch, Guardmaster Dual-input Safety Relay, Guardmaster Multifunction-delay Expansion Module, PowerFlex Drive Tests

Test Step | Confirmation | Pass/Fail | Changes/Modifications
1 | Confirm that everything runs safely in the configuration determined to yield the maximum overall system stopping performance. | |
2 | While the machine continues to run, open the guarded gate. Do not reach into the guarded area. Confirm that the hazard stops within 476 ms. | |

In addition to the verification and validation steps provided here, consult the application technique for your input subsystem for the steps required to validate the input device. For the input subsystem example used in this safety function application technique, we reference Safety Function: Door Monitoring Products: SensaGuard / GSR DI, publication SAFETY-AT069.
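
The latching behaviour these checklists test for, as an added example that is not part of the original document and is not vendor code: a simplified Python model of the dual-input relay and the drive STO inputs that replays steps 1 through 4 of the SensaGuard switch input tests and steps 1 through 3 of the PowerFlex drive tests. Class, method and field names are assumptions, and showing the relay OUT indicator as OFF while it refuses Reset is assumed (the checklist only says the relay must not respond).

```python
# Added example: simplified model of the responses the checklist expects.
# Class, method and field names are assumptions; this is not vendor code.
from dataclasses import dataclass
OFF, BLINK, STEADY = "OFF", "blinks green", "steady green"

@dataclass
class DualInputRelay:
    s12: bool = True       # channel A input (terminal S12) is high
    s22: bool = True       # channel B input (terminal S22) is high
    out_on: bool = False   # safety outputs energised
    lockout: bool = False  # one channel dropped alone; Reset is refused

    def set_inputs(self, s12: bool, s22: bool) -> None:
        self.s12, self.s22 = s12, s22
        if s12 and s22:
            return                 # restored inputs never re-energise the outputs
        self.out_on = False        # any low channel trips immediately
        # One channel low is a fault; both low (door opened) clears the lockout.
        self.lockout = s12 != s22

    def press_reset(self) -> None:
        if self.s12 and self.s22 and not self.lockout:
            self.out_on = True     # manual reset accepted only when healthy

    def out_indicator(self) -> str:
        if self.out_on:
            return STEADY
        ready = self.s12 and self.s22 and not self.lockout
        return BLINK if ready else OFF  # OFF while locked out is an assumption

@dataclass
class StoDrive:
    s1: bool = True          # STO input S1 is high
    s2: bool = True          # STO input S2 is high
    running: bool = False
    sto_fault: bool = False  # latched until power is cycled

    def set_sto(self, s1: bool, s2: bool) -> None:
        self.s1, self.s2 = s1, s2
        if not (s1 and s2):
            self.running = False   # coast to stop
        if s1 != s2:
            self.sto_fault = True  # inputs disagree

    def press_start(self) -> None:
        if self.s1 and self.s2 and not self.sto_fault:
            self.running = True

    def cycle_power(self) -> None:
        # The checklist cycles power only after the wiring is restored.
        self.running, self.sto_fault = False, False

def replay_relay_s12_test() -> list:
    """Steps 1-4 of the SensaGuard switch input tests: OUT indicator per step."""
    r, seen = DualInputRelay(out_on=True), []
    r.set_inputs(False, True); seen.append(r.out_indicator())   # 1: S12 wire removed
    r.set_inputs(True, True); r.press_reset(); seen.append(r.out_indicator())  # 2
    r.set_inputs(False, False); r.set_inputs(True, True)        # 3: open, close door
    seen.append(r.out_indicator())
    r.press_reset(); seen.append(r.out_indicator())             # 4: Reset
    return seen

def replay_drive_s1_test() -> list:
    """Steps 1-3 of the PowerFlex drive tests: (running, sto_fault) per step."""
    d, seen = StoDrive(running=True), []
    d.set_sto(False, True); seen.append((d.running, d.sto_fault))   # 1: S1 wire removed
    d.set_sto(True, True); d.press_start(); seen.append((d.running, d.sto_fault))  # 2
    d.cycle_power(); d.press_start(); seen.append((d.running, d.sto_fault))        # 3
    return seen
```

Calling replay_relay_s12_test() and replay_drive_s1_test() returns the per-step states to compare against the Pass/Fail column of the corresponding checklist rows.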

Additional Resources

These documents contain additional information about related products from Rockwell Automation.

Document | Description
SensaGuard Rectangular Flat Pack Installation Instructions, publication 440N-IN008 | Provides instructions on how to install a SensaGuard switch.
Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037 | Provides instructions on how to install, configure, operate, and maintain a Guardmaster dual-input safety relay.
Guardmaster Safety Relay DI Quick Start Guide Troubleshooting, publication 440R-TG002 | Provides information on how to troubleshoot a Guardmaster dual-input safety relay.
Guardmaster Safety Relay EMD Installation Instructions, publication 440R-IN045 | Provides instructions on how to install, configure, operate, and maintain a Guardmaster multifunction-delay expansion module.
Guardmaster Safety Relay EMD Quick Start Guide Troubleshooting, publication 440R-TG001 | Provides information on how to troubleshoot a Guardmaster multifunction-delay expansion module.
Guardmaster Safety Relays (DI, DIS, SI, CI, GLP, EM, and EMD) Selection Guide, publication 440R-SG001 | Provides descriptive information about how to select and configure a Guardmaster safety relay.
PowerFlex 520-Series Adjustable Frequency AC Drive Quick Start Guide, publication 520-QS001A | Summarizes the basic steps needed to install, start-up, and program the PowerFlex 520-series adjustable frequency AC drive.
PowerFlex 520-Series AC Drive Specifications Technical Data, publication 520-TD001 | Provides detailed specifications for the PowerFlex 520-series adjustable frequency AC drive.
PowerFlex 520-Series Adjustable Frequency AC Drive User Manual, publication 520-UM001 | Provides detailed information on how to install, configure, operate, and maintain a PowerFlex 520-series adjustable frequency AC drive.
PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002 | Provides detailed information on how to install, configure, operate, and maintain a PowerFlex 527 adjustable frequency AC drive.
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 | Provides general guidelines on how to install a Rockwell Automation industrial system.
Safety Products Catalog, publication S117-CA001, website http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page | Provides information about Rockwell Automation safety products.
Product Certifications website, available from the Product Certifications link on http://www.ab.com | Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.

Safety Function Document Disclaimer

The information contained in this and any related publications is intended as a guide only. Every care has been taken to ensure that the information given is accurate at time of publication. Neither NHP nor any of the manufacturers portrayed in this and any related publications accept responsibility for any errors or omissions contained therein nor any misapplications resulting from such errors or omissions. Risk assessments should be conducted by authorized persons. The purchaser and installer are responsible for ensuring the safety system(s) incorporating these products complies with all current regulations and applicable standards. Products are subject to change without notice and may differ from any illustration(s) provided. All products offered for sale are subject to NHP standard Conditions of Sale, a copy of which is available on application.