Pneumatic Safety Valves Safety Function

Products

GuardLogix Controller, E-stop Button, Safety I/O Module, DM² Pneumatic Safety Valve

Safety Rating: CAT. 3, PLd to ISO 13849-1:2008

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions:

• SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
• BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
• ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

General Safety Information

Contact Rockwell Automation to learn more about our safety risk assessment services.

IMPORTANT: This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

Safety Distance Calculations

ATTENTION: Perform a risk assessment to make sure that all task and hazard combinations have been identified and addressed. The risk assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must consider safety distance calculations, which are not part of the scope of this document.

ATTENTION: While safety distance or access time calculations are beyond the scope of this document, compliant safety circuits must often consider a safety distance or access time calculation.

Non-separating safeguards provide no physical barrier to prevent access to a hazard. Publications that offer guidance for calculating compliant safety distances for safety systems that use non-separating safeguards, such as light curtains, scanners, two-hand controls, or safety mats, include the following:

• EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body)
• EN ISO 13857:2008 (Safety of Machinery - Safety distances to prevent hazardous zones being reached by upper and lower limbs)
• ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)

Separating safeguards monitor a moveable, physical barrier that guards access to a hazard. Publications that offer guidance for calculating compliant access times for safety systems that use separating safeguards, such as gates with limit switches or interlocks (including SensaGuard™ switches), include the following:

• EN ISO 14119:2013 (Safety of Machinery – Interlocking devices associated with guards - Principles for design and selection)
• EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body)
• EN ISO 13857:2008 (Safety of Machinery - Safety distances to prevent hazardous zones being reached by upper and lower limbs)
• ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)

In addition, consult relevant national or local safety standards to assure compliance.

Introduction

This safety application technique explains how to wire, configure, and program a Compact GuardLogix controller and POINT Guard I/O™ module to monitor a dual-channel E-stop device. If the E-stop is actuated, or a fault is detected in the monitoring circuit, the GuardLogix controller de-energizes the final control device, in this case, a DM² pneumatic safety valve from ROSS Controls.

Safety Function Realization: Risk Assessment

The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be conducted by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or exceeds the PLr.

The process involves:

1. Identification of safety functions
2. Specification of characteristics of each function
3. Determination of required PL (PLr) for each safety function

The goal is Realization and PL Evaluation.

Pneumatic Safety Valves Safety Function

This application technique includes one safety function: the removal of power or energy from the hazard by actuation of any of the emergency stop push buttons.

Safety Function Requirements

Pressing any one of the series-wired E-stop buttons stops and prevents hazardous motion by removing power to the pneumatic safety valve. When the E-stop button is reset, the hazardous motion and power to the pneumatic safety valve do not resume until a secondary action (the Reset button is pressed and released) occurs. Faults at the E-stop button, wiring terminals, or safety controller are detected before the next safety demand. This emergency stop function is complementary to any other safeguards on the machine and does not reduce the performance of other safety-related functions.

The safety function in this application technique meets or exceeds the requirements for Category 3, Performance Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.

Functional Safety Description

Hazardous motion is interrupted or prevented by actuation of any of the emergency stop buttons (ES1, ES2, or ES3). Each E-stop is considered a separate safety function. The E-stop buttons are connected in series to a pair of safety inputs of a safety input module (SI1). The pneumatic safety valve is connected to a pair of safety outputs of a safety output module (SO1). The I/O modules are connected via CIP Safety™ through an EtherNet/IP™ network to the safety controller (SC1). The safety code in SC1 monitors the status of the E-stop buttons by using a pre-certified safety instruction named Dual Channel Input Stop (DCS). When all conditions are satisfied, and no faults are detected on the input modules, and a Reset button is pressed and released, a secondary certified function block called Configurable Redundant Output (CROUT) checks the status of the final control device, a pneumatic safety valve. The safety controller then issues an output signal to the safety output module (SO1) to switch on a pair of safety outputs to energize the pneumatic safety valve.

Bill of Material

This application technique uses these products:

Setup and Wiring

For detailed information on how to install and wire, refer to the publications listed in the Additional Resources.

System Overview

The 1734-IB8S input module monitors the inputs from the E-stops, which are connected in series.

The 1734-IB8S module can source the 24V DC for all input channels to dynamically test the signal wiring for shorts to 24V DC and channel-to-channel shorts. If a fault occurs, either or both channels are set to low (0), and the controller reacts by dropping out the pneumatic safety valve. Only after the fault is cleared and the Reset button is pressed and released, does the function block reset.

Shorts to 0V DC (and wire off) are seen as an open circuit by the 1734-IB8S input module, and the controller reacts by dropping out the pneumatic safety valve. If the inputs remain discrepant for longer than the discrepancy time, then the function block in the controller safety task declares a fault. Only after the fault is cleared, and the Reset button is pressed and released, does the function block reset.

The final control device is a pneumatic safety valve that is controlled by a 1734-OB8S output module. A feedback circuit is wired through the normally-open contact and back to an input of the 1734-IB8S module to monitor the pneumatic safety valve for proper operation. The pneumatic safety valve cannot restart if the feedback circuit is not in the correct state.

The maximum output current is 1 A for each output point of the 1734-OB8S module.

Primary power consumption for each solenoid is as follows:

• 15.8VA inrush
• 12.8VA holding on 50 Hz or 60 Hz
• 5.8 W on DC

The system has individual Reset buttons for resetting faults and safety outputs. The Reset buttons and the pneumatic safety valve Ready to Run (N.O. Contacts) and Fault Indicator (N.C. Contacts) are all wired to the 1734-IB8S module in this example. This configuration is not required for functional safety. These four inputs can be wired to a standard input module.

Electrical Schematic

The electrical schematic illustrates the connections between the E-stop buttons, the 1734-IB8S input module, the 1734-OB8S output module, and the DM2 Pneumatic Safety Valve. It details the wiring for the reset and fault reset buttons, as well as the air supply and valve operation.

Key Components in Schematic:

• PB1 (Reset), PB2 (Fault Reset)
• E-stop 1, E-stop 2, E-stop 3
• 1734-IB8S Input Module (Inputs 0-7, COM)
• 1734-OB8S Output Module (Outputs 0-7, COM)
• DM2 Pneumatic Safety Valve (Pins 1, 2, 3, 4)
• Air Supply and Air to System connections

Valve Operation Notes:

• Pins 1 and 3 are connected when air pressure is present and the valve is Ready to Run.
• If a fault has occurred or pressure is removed from the valve inlet, pins 1 and 2 are connected.
• In the event of a fault, remove power from the pilot solenoids (A and B) momentarily, and apply power to the Reset solenoid to return the valve to Return To Run state. Wait at least 250 ms after removing power from the reset solenoid before trying to re-energize the pilot solenoids.

Configuration

The Compact GuardLogix controller is configured using RSLogix 5000 software, version 18 or later. The process involves creating a project, adding I/O modules, and configuring them for the correct input and output types. Knowledge of the RSLogix™ programming environment is assumed.

Steps for Project Creation:

1. In RSLogix 5000 software, create a project.
2. In the New Controller dialog box, select the 1768-L43S CompactLogix™ 5343S Safety Controller, choose the appropriate revision, and name the controller.
3. Add the 1768-ENBT module to the 1768 bus.
4. Configure the 1768-ENBT module with an IP address (e.g., 192.168.1.8).
5. Add the 1734-AENT adapter, configuring it with an IP address (e.g., 192.168.1.11) and a chassis size (e.g., 3).
6. Add the 1734-IB8S safety input module, naming it CellGuard_1. Configure its Input Status to Combined Status-Power-Muting and Output Data to None.
7. Repeat steps 10-14 to add the 1734-OB8S safety output module, naming it OB8S and setting its Input Status to Combined Status-Readback-Power.

Configuring the POINT Guard I/O Modules:

1. Right-click the 1734-IB8S module in the Controller Organizer and choose Properties.
2. Configure the Input Configuration, setting Point Operation, Input Delay Time, Discrepancy Time, and Point Mode for each point.
3. Configure the Test Output settings.
4. Click OK.
5. Right-click the 1734-OB8S module and choose Properties.
6. Configure the Output Configuration.
7. Click OK.

Programming

The Dual Channel Input Stop (DCS) instruction monitors dual-input safety devices (e.g., E-stop, light curtain, safety gate) to safely stop a machine. It energizes the output only when both safety inputs are active and correct reset actions are implemented. The DCS instruction monitors for consistency and detects faults.

The Configurable Redundant Output (CROUT) instruction controls and monitors redundant outputs with configurable reaction times and supports positive and negative feedback signals.

The safety application code in the safety output routine prevents outputs from restarting if the input channel resets automatically, providing anti-tiedown functionality. The input OK status serves as a permissive in the safety output routines.

The diagram illustrates the programming logic using DCS and CROUT instructions, including timers for re-energizing delays and feedback mechanisms.

Calculation of the Performance Level

When properly implemented, this safety function can achieve a safety rating of Category 3, Performance Level d (CAT. 3, PLd), according to ISO 13849-1: 2008. The SISTEMA software is used to validate that the safety functions can achieve the required Performance Level (PLr).

Each safety E-stop string is modeled as an individual safety function in SISTEMA. The diagram shows one E-stop safety function, including input, logic, and output subsystems.

The SISTEMA calculations confirm that the proposed safety functions are capable of achieving the required level of protection: CAT. 3, PLd.

The SISTEMA results for the E-stop 1 safety function are shown, indicating that all three E-stop safety functions are identical. The calculations consider Mean Time to Failure, dangerous (MTTFd), Diagnostic Coverage (DCavg), and Common Cause Failure (CCF).

The functional safety evaluations of electromechanical devices include:

• How frequently they are operated (MTTFd)
• Whether they are effectively monitored for faults (DCavg)
• Whether they are properly specified and installed (CCF)

SISTEMA calculates MTTFd using B10d data and estimated frequency of use. The example assumes E-stops are operated or tested at least once a month (12 times a year).

The DCavg (60%) for the E-stops was entered manually, accounting for masking due to series connection, which reduces fault detection capability. Fault exclusion is considered for electromechanical devices where one actuator controls two channels. A fault exclusion subsystem is added to SISTEMA, with Category 4 and Performance Level e manually entered to not affect the overall calculation.

Common Cause Failure (CCF) measures are calculated using the scoring process outlined in Annex F of ISO 13849-1. A required score of 65 is needed to fulfill the CCF requirement.

The functional safety data for the DM²C Safety solenoid valve is taken from product literature and entered directly into the DM²C subsystem of the SISTEMA safety functions:

• PL = PLe
• PFH = 7.7E-9
• CAT. = CAT. 4

Verification and Validation Plan

Verification and validation are crucial for avoiding faults throughout the safety system design and development process. ISO 13849-2 sets the requirements for verification and validation, calling for a documented plan to confirm that all safety functional requirements have been met.

Verification is an analysis of the resulting safety control system. The Performance Level (PL) is calculated to confirm that the system meets the required Performance Level (PLr). SISTEMA software is typically used for these calculations.

Validation is a functional test of the safety control system to demonstrate that it meets the specified requirements of the safety function. The system is tested to confirm that all safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions and potential fault injection of failure modes. A checklist documents the validation.

Software development validation uses similar methodologies to hardware development. Faults arising from poor software development processes are systemic, unlike hardware faults which are considered random.

Before validating the GuardLogix safety system, confirm that the safety system and safety application program are designed in accordance with the GuardLogix Controller Systems Safety Reference Manual (1756-RM093) and the GuardLogix Safety Application Instruction Set Safety Reference Manual (1756-RM095).

The document includes a Verification and Validation Checklist covering:

• General Machinery Information
• Safety System Wiring and Configuration Verification
• Normal Operation Verification
• Validation of Safe Response to Abnormal Operation (Door-monitoring Input Tests, GuardLogix Controller, Network Tests, Pneumatic Safety Valve Output Tests)

Each test step includes validation criteria and columns for Pass/Fail and Changes/Modifications.

Additional Resources

These documents contain more information about related products from Rockwell Automation:

You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.

Rockwell Automation Support

Use the following resources to access support information:

• Technical Support Center: Knowledgebase Articles, How-to Videos, FAQs, Chat, User Forums, and Product Notification Updates. (www.rockwellautomation.com/knowledgebase)
• Local Technical Support Phone Numbers: Locate the phone number for your country. (www.rockwellautomation.com/global/support/get-support-now.page)
• Direct Dial Codes: Find the Direct Dial Code for your product. Use the direct dial code to route your call directly to a technical support engineer. (www.rockwellautomation.com/global/support/direct-dial.page)
• Literature Library: Installation Instructions, Manuals, Brochures, and Technical Data. (www.rockwellautomation.com/literature)
• Product Compatibility and Download Center (PCDC): Get help determining how products interact, check features and capabilities, and find associated firmware. (www.rockwellautomation.com/global/support/pcdc.page)

Documentation Feedback: Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete the How Are We Doing? form at http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf.

For more information on Safety Function Capabilities, visit: http://marketing.rockwellautomation.com/safety/en/safety functions

Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.

Allen-Bradley, CompactLogix, GuardLogix, LISTEN. THINK. SOLVE, POINT Guard I/O, POINT I/O, RSLogix, RSLogix 5000, Rockwell Automation, Rockwell Software, SensaGuard, and Stratix 2000 are trademarks of Rockwell Automation, Inc. DM² is a trademark of ROSS Controls. CIP Safety and EtherNet/IP are trademarks of ODVA, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.

Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400

www.rockwellautomation.com

Power, Control and Information Solutions Headquarters

Americas: Rockwell Automation, 1201 South Second Street, Milwaukee, WI 53204-2496 USA, Tel: (1) 414.382.2000, Fax: (1) 414.382.4444

Europe/Middle East/Africa: Rockwell Automation NV, Pegasus Park, De Kleetlaan 12a, 1831 Diegem, Belgium, Tel: (32) 2 663 0600, Fax: (32) 2 663 0640

Asia Pacific: Rockwell Automation, Level 14, Core F, Cyberport 3, 100 Cyberport Road, Hong Kong, Tel: (852) 2887 4788, Fax: (852) 2508 1846

Publication SAFETY-AT128B-EN-P - July 2016

Supersedes Publication SAFETY-AT128A-EN-P - February 2014

Copyright © 2016 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.