Safety Function - Rockwell Automation

Contents

1. Safety Function: E-Stop String. Products: GSR SI. Safety Rating: PLd, Cat. 3 to EN ISO 13849-1:2008.

Rockwell Automation (Allen-Bradley, Rockwell Software)

Table of Contents: Introduction; Important User Information; General Safety Information; Safety Function Realization; Setup and Wiring; Configuration; Calculation of the Performance Level; Verification and Validation Plan; Additional Resources.

Introduction

This Safety Function application note explains how to wire and configure a string of three E-Stops to a GSR SI Safety Relay. When the three E-Stops are pressed, the GSR SI safety relay responds by opening its safety contacts, removing 24V from the coils of the two 100S safety contactors. The 100S contactors open, removing power from the hazardous motion. The hazardous motion coasts to a stop (a Stop category 0).

Important User Information

Solid-state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1, available from your local Rockwell Automation sales office or online at http://www.rockwellautomation.com/literature) describes some important differences between solid-state equipment and hard-wired electromechanical devices. Because of this difference, and also because of the wide variety of uses for solid-state equipment, all persons responsible for ap
2. Set operation mode. Cycle power to store.

Calculation of the Performance Level

The Functional Safety Specifications of the project call for a Performance Level of PLd (minimum) and a structure of Cat. 3 (minimum). A PFHd of less than 1.0 E-06 for the overall safety function is required for PLd.

When configured and installed properly, each of the three Stop Safety Functions of this safety system (emergency stop of hazardous motion initiated by an E-Stop button) can achieve the Performance Level required, PLd, Cat. 3 according to EN ISO 13849-1:2008, as calculated using the SISTEMA tool.

[SISTEMA project tree: safety functions SF E-Stop1, SF E-Stop2 and SF E-Stop3, each listed as "Safety-related stop function initiated by safeguard", d, d]

The entire E-Stop Project can be modeled as follows:

[Figure: block diagram of the E-Stop safety functions, each made up of Subsystem 1, Subsystem 2 and Subsystem 3]

The Functional Safety data for the E-Stop Input subsystem in each Safety Function is the same as in E-Stop 1:

[SISTEMA screenshot: E-Stop 1; 65 (fulfilled)]

The Functional Safety data for the GSR DI Logic subsystem in each Safety Function is the same as i
3. contactors should de-energize. Verify proper machine status indication and safety relay LED indication. Repeat for Channel 2.
- While Running, short Channels 1 & 2 of the safety relay. Both contactors should de-energize. Verify proper machine status indication and safety relay LED indication.

GSR Logic Solver Tests
- While Running, remove the single-wire safety connection between two adjoining safety relays in the system. All contactors should de-energize. Verify proper machine status indication and safety relay LED indication. Repeat for all safety connections. This test is not applicable for single-relay circuits.
- While Running, turn the logic rotary switch on the safety relay. All contactors should remain de-energized. Verify proper machine status indication and safety relay LED indication. Repeat for all safety relays in the system.

Safety Contactor Output Tests
- While Running, remove the contactor feedback from the safety relay. All contactors should remain energized. Initiate a Stop Command followed by a Reset Command. The relay should not restart or reset. Verify proper machine status indication and safety relay LED indication.

Additional Resources

For more information about the products used in this example, refer to these resources.

Document, Pub. No., Description:
- Guard Locking Switch Installation Instructions (440G-IN007): How to install, commission, operate and maintain the 440G TZS21U
4. PRH
- Guardmaster Safety Relay Installation Instructions: How to install, commission, operate and maintain the 440R-D22R2 Safety Relays.
- Guardmaster Safety Relay Troubleshooting Guide: How to troubleshoot the 440R-D22R2 Safety Relays.
- Guardmaster Expansion Relay Installation Instructions: How to install, commission, operate and maintain the 440R-EM4R2D Expansion Relay.
- Guardmaster Expansion Relay Troubleshooting Guide: How to install, commission, operate and maintain the 440R-EM4R2D Expansion Relay.
- Safety Products Catalog: Overview of Safety products, product specifications and application examples.
- GuardShield Type 4 User Manual: How to install, operate and maintain the 440L Safety Light Curtains.
- Next Generation Guardmaster Safety Relays: Functional descriptions, guidance and wiring for Safety Relays.
- Heavy Duty Guard Interlock Switch Installation Instructions: How to install, configure, commission, operate and maintain MT-GD2 Interlock Switches.
- Trojan T15 Interlock Switch Installation Instructions: How to install, configure, commission, operate and maintain Trojan T15 Interlock Switches.
- Safety Interlock Switches Brochure: Overview of Interlock Switches.
- How to install, configure, commission, operate and maintain GSR SI Safety Relays.

You can view or download publications at http://www.rockwellautomation.com/literature. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.

For Mor
5. Relay. One channel runs through the three E-Stops between pulsed output 11 and input 12, and the other channel between pulsed output 21 and input 22. The Safety Relay monitors the pulse stream at each input to confirm that each E-Stop channel is in a proper state. When any E-Stop is pressed, these two circuits are interrupted. GSR DI responds to this circuit interruption by opening its safety contacts (13 to 14 and 23 to 24), de-energizing the coils of K1 and K2. With power removed, the hazardous motion coasts to a stop (Stop Category 0). The hazardous motion cannot be started until the E-Stop is released and then the reset button is pressed and released.

To confirm the proper state of the two 100S Safety contactors before permitting a start/reset, 24V is run in series through an NC auxiliary contact on each 100S to the Reset button of the GSR SI. If a safety contact of one or both 100S is welded closed, the corresponding auxiliary NC contact is held open, breaking the 24V circuit to the Reset button.

The GSR SI in this application is configured for Monitored Manual (MM) reset. When the E-Stop inputs are in the proper state and the two 100S are properly de-energized, pressing and releasing the Reset button will result in the GSR SI energizing the two 100S Safety Contactors. If the Reset button is pressed for less than 250 seconds or longer than 3 seconds, the GSR will not reset. This is to prevent unintentional reset and thwart tie-down of the Rese
6. SI can be reset. After some faults, the GSR SI must be power cycled once the fault is cleared before it can be reset.

The GSR SI monitors itself for any internal faults. When a fault is detected, the GSR SI responds by opening its safety contacts (13 to 14 and 23 to 24), de-energizing the coils of K1 and K2. Some internal faults can be cleared by power cycling the GSR SI. In other cases the GSR SI must be replaced.

The GSR SI monitors the 100S contactors for welded contacts via two NC contacts in series, one from each 100S, in its reset circuit. If a contact of a 100S is welded, the NC contact is held open, breaking the reset circuit.

Electrical Schematic

[Figure: electrical schematic showing 24V, 0V, Status to PLC, E-Stops 1 to 3, Reset, K1, K2, and the External Switched Stop/Start Circuit]

Configuration

The following procedure sets the function of the device.

  1. Start configuration/overwrite: with power off, turn rotary switch to position 0 and unit is powered up. After power-up test, PWR LED will flash red.
  2. Set configuration: turn rotary switch to 0 MM (Monitored Manual). IN 1 LED blinks new setting. NOTE: Position is set when PWR LED is solid green.
  3. Lock in configuration by cycling unit power.
  4. Configuration must be confirmed before operation. A white space on face of device is provided to record unit setting.

[Figure: rotary switch settings, labels AM and MM]

Enable program mode
7. e Information on Safety Function Capabilities, visit discover.rockwellautomation.com/safety

Rockwell Automation, Allen-Bradley, GuardLogix, RSLogix 5000, CompactLogix, Stratix 2000, and POINT Guard I/O are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.

www.rockwellautomation.com

Power, Control and Information Solutions Headquarters
- Americas: Rockwell Automation, 1201 South Second Street, Milwaukee, WI 53204-2496 USA. Tel: 1 414 382 2000, Fax: 1 414 382 4444
- Europe/Middle East/Africa: Rockwell Automation NV, Pegasus Park, De Kleetlaan 12a, 1831 Diegem, Belgium. Tel: 32 2 663 0600, Fax: 32 2 663 0640
- Asia Pacific: Rockwell Automation, Level 14, Core F, Cyberport 3, 100 Cyberport Road, Hong Kong. Tel: 852 2887 4788, Fax: 852 2508 1846

Publication SAFETY-ATO59B-EN-E, January 2013. Supersedes Publication SAFETY-ATO59A-EN-E, October 2012. Copyright 2013 Rockwell Automation, Inc. All Rights Reserved.
8. ing conditions in addition to potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control system.

When configured and installed properly, each of the three Stop Safety Functions of this safety system (emergency stop of hazardous motion initiated by an E-Stop button) can achieve the Performance Level required, PLd, Cat. 3 according to EN ISO 13849-1:2008, as calculated using the SISTEMA tool.

Prior to validating the GSR Safety Relay system, it is necessary to confirm the GSR Relay has been wired and configured in accordance with the Installation Instructions.

GSR Emergency Stop Safety Function Verification and Validation Checklist

General Machinery Information
- Machine Name / Model Number
- Machine Serial Number
- Customer Name
- Test Date
- Tester Name(s)
- Schematic Drawing Number
- Guardmaster Safety Relay Model

Safety Wiring and Relay Configuration Verification
- Visually inspect the safety relay circuit is wired as documented in the schematics.
- Visually inspect the safety relay rotary switch settings are correct as documented.

Normal Operation Verification: The safety relay system properly responds to all normal Start, Stop, E-Stop and Reset Commands.
- Initiate a Start Command. Both contactors should energize for a normal machine run condition. Verify proper machine status indication and safety relay LED indication.
- I
9. n E-Stop 1:

[SISTEMA screenshot: Monitoring Safety Relay GSR SI]

The Functional Safety data for the 100S Output subsystem in each Safety Function is the same as in E-Stop 1:

[SISTEMA screenshot: 100S Safety Contactor; 100 (High), 39 (High), 65 (fulfilled)]

Note that the E-Stop and Safety Contactors data includes MTTFd, DCavg, and CCF data. This is because these are electromechanical devices. Electromechanical devices' functional safety evaluations include how frequently they are operated, whether they are effectively monitored for faults, and whether they are properly specified and installed.

SISTEMA calculates the MTTFd using B10d data provided for the contactors along with the estimated frequency of use entered during the creation of the SISTEMA project. This application example presumes that the E-Stop is operated or tested at least once per day, i.e., 365 times a year.

The DCavg (99%) for the contactors was selected from the Output Device table of EN ISO 13849-1 Annex E, Direct Monitoring.

The DCavg (99%) for the E-Stop was selected from the Input Device table of EN ISO 13849-1 Annex E, Cross Monitoring. However, as these are connected in series, we have reduced the DC to 60%.

The CCF value is generated using the scoring process outlined in Annex F of ISO 13849-1. The complete CCF scoring process must be done when actually implementing an application. A minimum score of 65 points must be achieved. A CCF of 65 was entered for practical purposes in each case for Calcula
10. nitiate a Stop Command. Both contactors should de-energize for a normal machine Stop condition. Verify proper machine status indication and safety relay LED indication.
- While Running, press the E-Stop pushbutton. Both contactors should de-energize and open for a normal safe condition. Verify proper machine status indication and safety relay LED indication. Repeat for all E-Stop pushbuttons.
- While Stopped, press the E-Stop pushbutton, initiate a Start Command. Both contactors should remain de-energized and open for a normal safe condition. Verify proper machine status indication and safety relay LED indication. Repeat for all E-Stop pushbuttons.
- Initiate Reset Command. Both contactors should remain de-energized. Verify proper machine status indication and safety relay LED indication.

Abnormal Operation Verification: The Safety Relay system properly responds to all foreseeable faults with corresponding diagnostics.

E-Stop Input Tests (columns: Test Step, Validation, Pass/Fail, Changes/Modifications)
- While Running, remove the Channel 1 wire from the safety relay. Both contactors should de-energize. Verify proper machine status indication and safety relay LED indication. Repeat for Channel 2.
- While Running, short the Channel 1 of the safety relay to 24VDC. Both contactors should de-energize. Verify proper machine status indication and safety relay LED indication. Repeat for Channel 2.
- While Running, short the Channel 1 of the safety relay to 0VDC. Both
11. plying this equipment must satisfy themselves that each intended application of this equipment is acceptable.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help
12. reliable.

Emergency Stop Safety Function

Safety Function: The removal of power from the hazard when the safety system detects that the E-Stop has been actuated.

ISO 13849-1 directs that when devices are connected in series, such as the three E-Stops in this Safety Function application, the function of each device is evaluated as a separate safety function. In this safety function application note, the three E-Stops are evaluated as three identical E-Stop safety functions.

Safety Function Requirements

Pressing of any one of the series-wired E-Stops will stop and prevent hazardous motion by removal of power to the motor. Upon resetting the E-Stop pushbutton, hazardous motion and power to the motor will not resume until a secondary action (start button depressed) occurs. Faults at the E-Stop button, wiring terminals or safety controller will be detected before the next safety demand.

This Emergency Stop function is complementary to any other safeguards on the machine and shall not reduce the performance of other safety-related functions.

The safety function in this example is capable of connecting and interrupting power to motors rated up to 9A, 600VAC.

The safety function will meet the requirements for Category 3, Performance Level d (Cat. 3, PLd) per ISO 13849-1 and SIL3 per IEC 62061, and control reliable operation per ANSI B11.19.

Functional Safety Description

Three E-Stop push buttons are connected in series to the GSR SI Safety
13. t button.

Bill of Material (columns: Catalog Number, Description, Quantity)
- 800F 1YP3: 800F 1-Hole Enclosure E-Stop Station, Plastic, PG, Twist-to-Release, 40mm, Non-Illuminated, 2 N.C.
- AAOR S12R2: Guardmaster Safety Relay, 1 Dual Channel Universal Input, 1 N.C. Solid State Auxiliary Output
- 100S 09ZJ23C: MCS 100S-C Safety Contactor, 9A, 24V DC
- PORE NA: 800F Push Button, Metal, Guarded, Blue, R, Metal Latch Mount, 1 N.O. Contact(s), Reset

Setup and Wiring

For detailed information on installing and wiring, refer to the product manuals listed in the Additional Resources.

System Overview

The pulsed outputs of the GSR DI (terminals 11 and S21) are run separately through the two E-Stop contact strings (E-Stop 1 to E-Stop 2 to E-Stop 3) to input terminals S12 and S22 respectively. This enables the GSR DI to detect loose wire, short to 24V, short to GND, and cross-channel faults. There is the possibility that a contact in one of the E-Stops could fail closed and that this failure could be masked by the operation of the other E-Stops. For this reason, the three E-Stops in the string are calculated as having a Cat. 3 structure.

The GSR DI responds to E-Stop inputs and detected E-Stop circuit faults by opening its safety contacts (13 to 14 and 23 to 24), de-energizing the coils of K1 and K2. The GSR SI cannot be reset until the E-Stop(s) is released or fault is corrected. In some cases, the E-Stop may have to be pressed and released before the GSR
14. tions are based on 1 operation of the safety guard door per hour, therefore 8,760 operations of contactors per year.

The measures against Common Cause Failure (CCF) are quantified using the scoring process outlined in Annex F of ISO 13849-1. For the purposes of the PL calculation, the required score of 65 needed to fulfill the CCF requirement is considered to be met. The complete CCF scoring process must be done when implementing this example.

Verification and Validation Plan

Verification and Validation play an important role in the avoidance of faults throughout the safety system design and development process. ISO EN 13849-2 sets the requirements for verification and validation. It calls for a documented plan to confirm all the Safety Functional Requirements have been met.

Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is calculated to confirm it meets the Required Performance Level (PLr) specified. The SISTEMA software tool is typically utilized to perform the calculations and assist with satisfying the requirements of ISO 13849-1.

Validation is a functional test of the safety control system to demonstrate that it meets the specified requirements of the safety function. The safety control system is tested to confirm all of the safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test should include normal operat
15. you identify a hazard, avoid a hazard, and recognize the consequence.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

General Safety Information

Contact Rockwell Automation to find out more about our safety risk assessment services.

IMPORTANT: This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

ATTENTION: A risk assessment should be performed to make sure all task and hazard combinations have been identified and addressed. The risk assessment may require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety distance calculations, which are not part of the scope of this document.

Safety Function Realization: Risk Assessment

The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of the machine. For the purposes of this document, the assumed required performance level is PLd, Category 3. A safety system that achieves PLd, Category 3 or higher can be considered control
