Allen-Bradley PowerFlex 527, Guardmaster Dual-input Safety Relay, Guardmaster Multifunction-delay Expansion Module, PowerFlex 525 Application Technique

Application Technique
Safety Function: Actuator Subsystems – Stop Category 1 via
the PowerFlex 525 and PowerFlex 527 Drives with Safe
Torque-off
Products: Guardmaster Dual-input Safety Relay, Guardmaster Multifunction-delay Expansion Module, PowerFlex 525 Drive,
PowerFlex 527 Drive
Safety Rating: CAT. 3, PLd to ISO 13849-1: 2008
Topic Page
Important User Information 2
General Safety Information 3
Introduction 3
Safety Function Realization: Risk Assessment 3
Stop Safety Functions 4
Safety Function Requirements 4
Functional Safety Description 5
Bill of Material 6
Setup and Wiring 6
Configuration 11
Calculation of the Performance Level 13
Verification and Validation Plan 17
Additional Resources 22
2 Rockwell Automation Publication SAFETY-AT140A-EN-P - May 2015
Safety Function: Actuator Subsystems – Stop Category 1 via the PowerFlex 525 and PowerFlex 527 Drives with Safe Torque-off
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,
and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required
to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the
use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
Labels may also be on or inside the equipment to provide specific precautions.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT
Identifies information that is critical for successful application and understanding of the product.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
General Safety Information
Contact Rockwell Automation to find out more about our safety risk assessment services.
Introduction
This safety function application technique is concerned primarily with the Logic and Output subsystems of a safety system.
The document illustrates how to combine a Guardmaster® dual-input safety relay (GSR DI) and Guardmaster
multifunction-delay expansion module (GSR EMD) with a PowerFlex® 525 drive or a PowerFlex 527 drive to provide a
category 1 stop. The category 1 stop provides a brief delay between the stop request to the programmable automation
controller (PAC) and the de-energizing of the STO inputs to allow the system time to execute an orderly stop before the
STO inputs are de-energized. The intent is to provide a less disruptive, but safe, response to a sudden emergency stop
demand.
In an actual application, any typical safety input device could be used as the Input subsystem if properly applied. A
SensaGuard™ switch, as in Safety Function: Door Monitoring Products: SensaGuard/GSR DI, publication SAFETY-
AT069, is used as a convenient example of an Input subsystem in this application technique.
Safety Function Realization: Risk Assessment
The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried
out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of
the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance
Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered
control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or
exceeds the PLr.
IMPORTANT
This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.
ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk
assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety
distance calculations, which are not part of the scope of this document.
[Figure: Safety system subsystems. Input, Subsystem 1: SensaGuard switch. Logic, Subsystems 2 and 3: Guardmaster dual-input safety relay and Guardmaster expansion module. Output, Subsystem 4: PowerFlex 527 drive.]
Stop Safety Functions
This application technique includes two safety functions:
1. Safety-related stop function initiated by a safeguard.
2. Prevention of an unexpected startup.
Safety Function Requirements
Safety-related Stop Function Initiated by a Safeguard
When a partial-access guard door is opened, the Input subsystem initiates and maintains a stop command for the safety
system to stop hazardous motion before a person can reach the hazardous area. The stop command cannot be reset until the
guard door is closed.
Prevention of an Unexpected Startup
The safety system cannot be reset, and hazardous motion cannot be restarted while the guard door is open. Once the guard
door is closed and the stop command is reset, a second action (pressing a Start button) is required before the hazardous
motion can resume. This document presumes that the Start/Stop button is connected to and controlled by the
programmable automation controller (PAC).
[Figure: Safety function realization flow. From Risk Assessment (ISO 12100): 1. Identification of safety functions; 2. Specification of characteristics of each function; 3. Determination of required PL (PLr) for each safety function. To: Realization and PL Evaluation.]
The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance
Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.
Functional Safety Description
The Guardmaster dual-input safety relay, Guardmaster multifunction-delay expansion module, and PowerFlex drives with
integrated safe torque-off (STO) use 1oo2 architecture to achieve the PFH value that is used in the PL calculation
verification section of this document.
The Guardmaster dual-input safety relay monitors its safety inputs for valid status and faults. It monitors its internal
circuitry for proper operation and faults. The safety relay monitors its single wire safety (SWS) input/output (I/O) for
valid status and faults. It monitors its safety output contacts for proper, valid status and faults. When it receives a safety
demand on its inputs, or an invalid status or a fault is detected, the safety relay deactivates its safety outputs and sends a
safety stop command to the Guardmaster multifunction-delay expansion module via its L11 SWS.
The Guardmaster multifunction-delay expansion module monitors its SWS input for safety stop commands, valid status,
and faults. It monitors its internal circuitry for proper operation and faults. It monitors its safety output contacts for proper,
valid status and faults. When it receives a non-fault safety demand via its L12 SWS input, it deactivates its safety outputs in
the manner for which it is configured. In this document, the Guardmaster multifunction-delay expansion module is
configured to provide a 100 ms delay. In the event of an internal fault, or a fault signaled via the SWS, the Guardmaster
multifunction-delay expansion module immediately de-energizes its safety outputs.
The PowerFlex drive monitors its STO inputs for valid status and faults. The drive monitors its internal safety circuits for
valid status and faults. The drive monitors its outputs for valid status and faults. When the Guardmaster dual-input safety
relay de-energizes the drive STO inputs via the Guardmaster multifunction-delay expansion module, the drive's STO
feature forces the drive output power transistors to a disabled state. The hazardous motion controlled by the drive coasts to
a stop. This feature does not provide electrical power isolation.
The system cannot be restarted until the gate is closed and the Guardmaster dual-input safety relay is reset. Once the safety
relay is reset, the PAC-controlled Start button can be pressed to start the hazardous motion.
Hardwired STO Safe Torque Off Considerations for a Category 1 Stop
In the event of a malfunction, it is possible that stop category 0 may occur. When designing the machine application, timing
and distance must be considered for a coast to stop, as well as the possibility of the loss of control of a vertical load. The
nature of a malfunction causing this condition could be if a hardwired STO input to the drive were to go low (i.e., a wire
falls off) before the drive has a chance to completely stop the motor. Use additional protective measures if this occurrence
might introduce unacceptable risks to personnel.
IMPORTANT
The vendor must provide probability of failure per hour (PFH) and all relevant functional safety data for all the subsystems of this
safety system necessary to prove that the overall safety functions meet the requirements for Performance Level d (PLd), per ISO
13849-1.
Bill of Material
The Logic and Output subsystems in this document use these products.
Cat. No.          Description                                                                  Quantity
440R-D22R2        Guardmaster dual-input safety relay (DI)                                     1
440R-EM4R2D       Guardmaster multifunction-delay expansion module, 4 N.O. safety contacts     1
800FP-R611PQ10V   800F reset, round plastic                                                    1
1606-XLP72E       1606-XLP72E compact power supply, 24…28V DC, class 2                         1
25C-V2P5N104      PowerFlex 527 AC drive, with embedded EtherNet/IP™ and safe torque-off       1
or
25B-B5PON104      PowerFlex 525 AC drive, with embedded EtherNet/IP and safe torque-off        1
Setup and Wiring
For detailed information on installing and wiring, refer to the publications listed in the Additional Resources on page 22.
System Overview
Safety-related Stop Function Initiated by a Safeguard
The Guardmaster dual-input safety relay monitors the status of a safety input device, for example a SensaGuard switch.
When the input device is tripped (guard door opened), the safety relay de-energizes its two safety outputs and sends a
safety stop command downstream to the Guardmaster multifunction-delay expansion module via its SWS. After the
100 ms configured delay time, the Guardmaster multifunction-delay expansion module deactivates its safety outputs,
which remove power from the drive's (PowerFlex 525 or PowerFlex 527 drive) STO inputs. The drive disables its output
power transistors, leaving the hazardous motion to coast to a stop. When the input device is returned to its safe state (guard
door closed), and the reset button is pressed and released properly, the Guardmaster dual-input safety relay’s safety outputs
energize, the Guardmaster multifunction-delay expansion module energizes its safety outputs, and the drive's STO inputs
are powered. The hazardous motion can then be restarted by pressing a PAC-controlled Start button.
Prevention of an Unexpected Start-up
The Guardmaster dual-input safety relay cannot be reset while its input device is in a tripped (guard door open) state. Until
the Guardmaster dual-input safety relay is reset, the Guardmaster multifunction-delay expansion module cannot reset, the
drive's STO inputs remain off, and the hazardous motion cannot be restarted. When the input device is returned to its safe
state (guard door closed), and the reset button is pressed and released properly, the Guardmaster dual-input safety relay’s
safety outputs energize, the Guardmaster multifunction-delay expansion module energizes its safety outputs, and the drive's
STO inputs are powered. The hazardous motion can then be restarted by pressing a PAC-controlled Start button.
Safety Distance Calculations
Detailed calculation of a proper safety distance is beyond the scope of this document, but some considerations follow.
Safeguarding systems must make certain that a person cannot reach a hazardous motion before the safeguarding system has
brought that hazardous motion to a halt. This is addressed in safety standards relevant to this application:
ISO 14119 (Safety of machinery - Interlocking devices associated with guards - Principles for design and selection)
ISO 13855 (Safety of machinery - Positioning of safeguards with respect to the approach speeds of parts of the
human body)
ANSI B11.19 (Performance Criteria for Safeguarding)
Safety Distance and Access Time
Safety distance is the distance between the guarded access point and the hazardous motion necessary to make certain that a
person cannot access a hazardous motion before it is stopped, that is, the hazard has ceased.
This document uses, as an example, an interlocking device (SensaGuard switch) monitoring a partial-body access gate.
Imagine that this access gate allows a person time to reach their arm 762 mm (30 inches) into the potentially hazardous area
to perform an occasional, necessary task.
ISO 14119 3.22 defines access time as the time taken by a person to reach the hazard zone after initiation of the stop
command by the interlocking device (the SensaGuard actuator moving beyond sensing range), as calculated on the basis of
an approach speed of the body or part of the body, in our case, a hand.
ISO 13855 defines the approach speed of a hand as 1600 mm per sec. Using this value, we calculate the access time:
762 mm/1600 mm per sec or 476 ms
ANSI B11.19 defines the approach speed of a hand as 63 in. per sec. Using this value, we calculate the access time:
30 in./63 in. per sec or 476 ms
Overall System Stopping Performance
ISO 14119 6.2.1 stipulates that the overall system stopping time for a hazardous machine safeguarded by an interlock must
be less than the access time. If the overall system stopping performance is equal to or greater than the access time, an
interlock with guard-locking must be used, the distance from the safeguard to the hazard must be increased, or a different,
more suitable method must be used to safeguard the hazard. Therefore, in this document, the overall system stopping
performance of our application, which uses an interlock, must be less than 476 ms.
The overall stopping performance of these applications is the sum of the response time of the input device (SensaGuard
switch), the response time of Guardmaster dual-input safety relay, the response time of the Guardmaster multifunction-
delay expansion module, the delay configured in the Guardmaster multifunction-delay expansion module, the safety
reaction time of the drive used (PowerFlex 525 or PowerFlex 527 drive), and the coast-to-stop time of the hazardous
motion. The response and reaction times can be taken from the product support literature.
IMPORTANT
The overall system stopping performance of a safeguarding system must be determined by actual system testing and
measurement. The worst-case, overall system stopping performance from these tests and measurements must be used to
evaluate the safety distance requirements.
The summed response/reaction times of the Guardmaster dual-input safety relay, the Guardmaster multifunction-delay
expansion module, the configured expansion module delay, and the PowerFlex drive, plus the worst-case coast-to-stop
portion of the overall system stopping performance, are the same regardless of the input device used.
It may be useful to estimate how fast the hazardous motion must coast to a stop before the safeguarded system is available
for testing.
The maximum safe coast-to-stop time for a system using the PowerFlex 525 drive can be calculated as follows:
SensaGuard switch (SG) + Guardmaster dual-input safety relay (GSR DI) + Guardmaster multifunction-delay
expansion module (GSR EMD) + Guardmaster multifunction-delay expansion module delay (EMDd) + PowerFlex
525 drive (drive) = overall system stopping performance less maximum safe coast-to-stop time
54 ms (SG) + 35 ms (GSR DI) + 35 ms (GSR EMD) + 100 ms (EMDd) + 100 ms (drive) = 324 ms = overall system
stopping performance time less the estimated maximum safe coast-to-stop time
476 ms - 324 ms = 152 ms = estimated maximum safe coast-to-stop time
The maximum safe coast-to-stop time for a system using the PowerFlex 527 drive can be calculated as follows:
SensaGuard switch (SG) + Guardmaster dual-input safety relay (GSR DI) + Guardmaster multifunction-delay
expansion module (GSR EMD) + Guardmaster multifunction-delay expansion module delay (EMDd) +
PowerFlex 527 drive (drive) = overall system stopping performance less maximum safe coast-to-stop time
54 ms (SG) + 35 ms (GSR DI) + 35 ms (GSR EMD) + 100 ms (EMDd) + 12 ms (drive) = 236 ms = overall system
stopping performance time less the estimated maximum safe coast-to-stop time
476 ms - 236 ms = 240 ms = estimated maximum safe coast-to-stop time
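The access-time and coast-to-stop budget arithmetic above, written as Python functions so that it can be re-run with the worst-case values measured during system testing. This is an added example, not part of the Rockwell publication; the response times, approach speeds, and the 100 ms delay are the figures quoted in the text, while the function and constant names are assumptions. The final check applies the ISO 14119 6.2.1 rule (overall stopping performance strictly less than the access time) to a measured coast-to-stop time.

```python
# Added example (not from the Rockwell publication): the access-time and
# coast-to-stop budget arithmetic from the Safety Distance section, as
# functions that can be re-run with worst-case values measured on the machine.
import math

# Approach speeds for a hand as quoted in the text: ISO 13855 (mm/s), ANSI B11.19 (in/s).
HAND_SPEED_MM_PER_S = 1600
HAND_SPEED_IN_PER_S = 63

# Per-component response/reaction times in ms from the document's example.
# EMDd is the 100 ms OFF delay configured on the expansion module.
CHAIN_MS = {"SG": 54, "GSR DI": 35, "GSR EMD": 35, "EMDd": 100}
DRIVE_REACTION_MS = {"PowerFlex 525": 100, "PowerFlex 527": 12}


def access_time_ms(reach, speed_per_s):
    """Access time = reach distance / approach speed, truncated to whole ms.
    Truncating is the conservative direction: it never credits the safeguard
    with more time than a person actually needs to reach the hazard."""
    return math.floor(reach / speed_per_s * 1000)


def chain_response_ms(drive):
    """Sum of all response/reaction times upstream of the coast-to-stop."""
    return sum(CHAIN_MS.values()) + DRIVE_REACTION_MS[drive]


def max_safe_coast_ms(drive, access_ms):
    """Estimated budget left for the hazardous motion to coast to a stop."""
    return access_ms - chain_response_ms(drive)


def stopping_performance_ok(drive, measured_coast_ms, access_ms):
    """ISO 14119 6.2.1 check: overall system stopping performance (chain
    response plus worst-case measured coast-to-stop) must be less than the
    access time. A False result means guard locking, more distance, or a
    different safeguarding method is needed."""
    return chain_response_ms(drive) + measured_coast_ms < access_ms


if __name__ == "__main__":
    t_iso = access_time_ms(762, HAND_SPEED_MM_PER_S)
    t_ansi = access_time_ms(30, HAND_SPEED_IN_PER_S)
    print("access time:", t_iso, "ms (ISO 13855),", t_ansi, "ms (ANSI B11.19)")
    for drive in DRIVE_REACTION_MS:
        print(f"{drive}: chain {chain_response_ms(drive)} ms, "
              f"coast budget {max_safe_coast_ms(drive, t_iso)} ms")
```

Replace `CHAIN_MS` and the drive reaction time with the values from the product literature for the devices actually installed, and feed `stopping_performance_ok` the worst-case coast-to-stop time measured on the machine, not the estimate.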
Electrical Schematic
In this application example, a local Start/Stop button is directly wired to the PowerFlex 525 drive. This button is used for
normal, non-safety stops and starts of the system. It is also used to start/restart the drive after safety-related stops once the
safety circuit is reset.
Figure 1 - PowerFlex 525 Circuit
[Schematic; labels only: 24V DC and 0V DC - COM supply; Typical Safety Input Device; gate control power supply (24V DC / 0V DC) and gate control circuit; Start and Stop inputs; "Initiate Configured 'Normal' Production Stop"; Digital Common; Actuator; Logic, Range, and Time rotary switch labels (**100 ms OFF Delay); PowerFlex 525.]
This document presumes that a Stop/Start button is connected to the system PAC. It is referred to in Figure 2, but is not
part of this circuit. This button is used for normal, non-safety stops and starts of the system. It is also used to start/restart
the drive after safety-related stops once the safety circuit is reset.
Figure 2 - PowerFlex 527 Circuit
[Schematic; labels only: 24V DC and 0V DC - COM supply; Typical Safety Input Device; gate control power supply (24V DC / 0V DC) and gate control circuit; To PAC; Digital Common; "Initiate Configured 'Normal' Production Stop"; "Start/Stop requests provided to the drive by PAC via Ethernet"; Actuator; Logic, Range, and Time rotary switch labels (**100 ms OFF Delay); PowerFlex 527.]
Configuration
Configure the Guardmaster Dual-input Safety Relay
Follow these steps to configure the Guardmaster dual-input safety relay. For more information about this relay, refer to
Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037.
1. Enable Program mode.
2. Set Operation mode to 2: Manual Reset (IN1 and IN2) or L12.
3. Cycle power to store the configuration setting.
Configure the Guardmaster Multifunction-delay Expansion Module
Follow these steps to configure the Guardmaster multifunction-delay expansion module. For more information about this
expansion module, refer to Guardmaster Safety Relay EMD Installation Instructions, publication 440R-IN045.
[Figure: rotary switch labeled Logic.]
1. Start configuration/overwrite: With power off, turn the Range rotary switch to 0 and power up the unit.
After the power-up test, the PWR/Fault status indicator will flash red.
2. Set timing/mode configuration: Turn the Range rotary switch to 1 (0.1 to 1.0 second), and then turn the Time
rotary switch to 1 (10%).
The B1 and IN indicators blink the new setting. The PWR/Fault status indicator flashes steady green to indicate
that the positions are set.
3. Cycle power to the unit to store the configuration setting.
IMPORTANT
The configuration must be confirmed before operation. A white space is provided on the face of the unit to record the setting.
[Figure: Range and Time rotary switches on the Guardmaster multifunction-delay expansion module.]
Configure the PowerFlex 525 Drive
The PowerFlex 525 drive is configured by using Connected Components Workbench™ software, version 7 or later. A
detailed description of how to fully configure the PowerFlex 525 drive is beyond the scope of this document. For more
information about this drive, refer to the PowerFlex 520-Series Adjustable Frequency AC Drive User Manual, publication
520-UM001.
The PowerFlex 525 drive must have the following four parameters adjusted to perform as intended in the document.
Parameter #   Name               Value          Internal Value   Default       Min.   Max
46            Start Source 1     EtherNet/IP    5                Keypad        1      5
62            Digin TermBlk 02   3-Wire Start   49               2-Wire FWD    0      49
63            Digin TermBlk 03   3-Wire Dir     51               2-Wire REV    0      51
105           Safety Open En     FaultDisable   1                FaultEnable   0      1
Parameters 46, 62, and 63 must be set as above for the Start/Stop button to operate as intended.
Parameter 105 configures the PowerFlex 525 drive to accept the STO inputs without generating a spurious F111 fault.
By default, the PowerFlex 525 drive provides a coast-to-stop in response to an STO input. This action overrides any other
stop type that might be configured for the drive for its normal production stop.
Configure the PowerFlex 527 Drive
The PowerFlex 527 drive is configured by using Studio 5000 Automation Engineering & Design Environment™. A detailed
description of how to fully configure the PowerFlex 527 drive is beyond the scope of this document. For more information
about this drive, refer to PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002.
By default, the PowerFlex 527 drive provides a coast-to-stop in response to an STO input. This action overrides any other
stop type that might be configured for the drive for its standard stop.
For a stop category 1, after a demand, an immediate controlled stop should be executed using a Motion Axis Stop or
Motion Servo Off command.
IMPORTANT
Both the PowerFlex 525 and PowerFlex 527 drives ship with the STO feature disabled by jumpers. Refer to the appropriate user
manual for guidance on removing these jumpers.
Calculation of the Performance Level
When properly implemented, both the PowerFlex 525 and PowerFlex 527 drives with safe torque-off (STO) can be used in
a safety function that has a Performance Level required (PLr) rating of Category 3, Performance Level d (CAT. 3, PLd),
according to ISO 13849-1: 2008, as calculated by using the Safety Integrity Software Tool for the Evaluation of Machine
Applications (SISTEMA).
The functional safety data for the SensaGuard switch, Guardmaster dual-input safety relay, Guardmaster multifunction-
delay expansion module, and PowerFlex 525 drive is provided from the Rockwell Automation® SISTEMA library. The
functional safety data for the PowerFlex 527 drive is from the PowerFlex 527 Adjustable Frequency AC Drive User Manual,
publication 520-UM002.
Logic and Output Subsystems Calculation
The PowerFlex 525 drive yields the following results.
This can be modeled as follows:
[Figure: Logic Subsystem 1, Guardmaster dual-input safety relay; Logic Subsystem 2, Guardmaster multifunction-delay expansion module; Output Subsystem 3, PowerFlex 525 drive.]
The PowerFlex 527 drive yields virtually the same results, because the same parts produce the same results.
This can be modeled as follows:
[Figure: Logic Subsystem 1, Guardmaster dual-input safety relay; Logic Subsystem 2, Guardmaster multifunction-delay expansion module; Output Subsystem 3, PowerFlex 527 drive.]
The rest of the SISTEMA calculation in this document features a SensaGuard switch as an example of a typical safety input
device.
For instance, when the PowerFlex 525 drive is used, these are the SISTEMA calculations for the safety function, "Safety-
related stop function initiated by a safeguard:"
When the PowerFlex 525 drive is used in the safety function, "Prevention of an unexpected startup," the SISTEMA
calculations are identical, because all of the same components are used.
The two PowerFlex 525 safety functions each achieve their necessary PLr.
When the PowerFlex 527 drive is used in the safety function, "Safety-related stop function initiated by a safeguard," the
SISTEMA calculation results are as follows.
As before, when the PowerFlex 527 drive is used in the safety function, "Prevention of an unexpected start-up," the
calculations are identical, because all of the same components are used.
Each PowerFlex 527 safety function achieved its PLr.
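The arithmetic that SISTEMA performs behind the results described in this section, as an added Python example that is not part of the publication or of SISTEMA: subsystem PFH values are summed for a series combination, the summed PFH is mapped to its ISO 13849-1 Table 3 band, and the achieved PL is capped by the weakest subsystem's own PL and category (ISO 13849-1, 6.3). The PFH, PL and category figures for the four subsystems are constructed placeholders, not the values from the SISTEMA library or the drive manuals; the function names are assumptions.

```python
# Added example (not from the Rockwell publication or from SISTEMA): the
# ISO 13849-1 arithmetic behind a SISTEMA result, combining subsystem PFH
# values into one safety-function PFH and mapping it to a Performance Level.
# The PFH figures below are CONSTRUCTED placeholders; real values must come
# from the vendor's functional safety data (SISTEMA library or user manual).

# ISO 13849-1 Table 3: PL bands as [lower, upper) ranges of PFH in 1/h.
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]
PL_ORDER = "abcde"  # ascending performance, so PL_ORDER.index() ranks PLs


def pl_from_pfh(pfh):
    """Map a PFH value to its PL band; None if worse than PL a."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfh < hi:
            return pl
    return None


def combine_series(subsystems):
    """Series combination of subsystems (ISO 13849-1, 6.3): PFH values add,
    and the achieved PL is capped both by the band of the summed PFH and by
    the weakest subsystem's own PL. The category of the combination is the
    lowest category of any subsystem.
    subsystems: list of (name, pl, pfh, category)."""
    total_pfh = sum(pfh for _, _, pfh, _ in subsystems)
    pl_by_pfh = pl_from_pfh(total_pfh)
    lowest_pl = min((pl for _, pl, _, _ in subsystems), key=PL_ORDER.index)
    category = min(cat for _, _, _, cat in subsystems)
    if pl_by_pfh is None:
        return total_pfh, None, category
    return total_pfh, min(pl_by_pfh, lowest_pl, key=PL_ORDER.index), category


def meets_plr(achieved_pl, achieved_cat, plr, cat_r):
    """True when the combination reaches at least the required PL and category."""
    return (achieved_pl is not None
            and PL_ORDER.index(achieved_pl) >= PL_ORDER.index(plr)
            and achieved_cat >= cat_r)


# CONSTRUCTED placeholder data for the four subsystems of this document
# (Input: SensaGuard; Logic: GSR DI and GSR EMD; Output: PowerFlex drive STO).
EXAMPLE_CHAIN = [
    ("SensaGuard switch", "d", 1.0e-8, 4),
    ("Guardmaster dual-input safety relay", "e", 2.0e-9, 4),
    ("Guardmaster multifunction-delay expansion module", "e", 2.0e-9, 4),
    ("PowerFlex drive with STO", "d", 5.0e-8, 3),
]


def evaluate_example():
    """Evaluate the placeholder chain against the document's PLr of CAT. 3, PLd."""
    total, pl, cat = combine_series(EXAMPLE_CHAIN)
    return total, pl, cat, meets_plr(pl, cat, "d", 3)


if __name__ == "__main__":
    total, pl, cat, ok = evaluate_example()
    print(f"PFH = {total:.2e} 1/h, PL {pl}, CAT. {cat}, meets CAT. 3 PLd: {ok}")
```

The point the example makes explicit is that a low summed PFH alone does not raise the function above the weakest subsystem: a PL d drive or switch caps the chain at PL d regardless of how small the relays' PFH contributions are, and the required category must be met by every subsystem.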
Verification and Validation Plan
Verification and validation play important roles in the avoidance of faults throughout the safety system design and
development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a
documented plan to confirm that all of the safety functional requirements have been met.
Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is
calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software is
typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.
Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements
of the safety function. The safety control system is tested to confirm that all of the safety-related outputs respond
appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions in
addition to potential fault injection of failure modes. A checklist is typically used to document the validation of the safety
control system.
This document uses, as an example, a SensaGuard switch for an input device. Notice that in the validation process, all of the
purposely-created faults are created at the input terminals of the Guardmaster dual-input safety relay. All of the relay’s
responses to these faults are the same as they would be using any typical input device with OSSD outputs, or an electro-
mechanical input device using the Guardmaster dual-input safety relay pulse test output feature.
Some of the SensaGuard switch's reactions to these faults are unique to the SensaGuard switch, just as some responses from
other OSSD devices might be unique to those devices.
The responses of the PowerFlex 527 drive and the PowerFlex 525 drive to faults on their STO inputs are the same.
Therefore, the following tests, using purposely-created faults, are appropriate for either drive.
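Validation is a functional test of outputs against inputs, so it helps to write down the expected behaviour of the chain before walking the checklist. The following is an added Python model, not code from the publication, that encodes only what this document states about the chain: the dual-input safety relay drops its outputs while the guard is open and needs a press-and-release manual reset with the guard closed; the expansion module drops its outputs after its configured 100 ms OFF delay, or immediately on a fault; without STO power the drive output is disabled and the motion coasts; and a separate Start action is required after the safety reset. It then replays the normal-operation checks described in this section. The class and method names, the simulated time steps, and the fault handling are assumptions.

```python
# Added example (not the publication's own code): a behavioural model of the
# safety chain described in this document, used to replay the normal-operation
# part of the validation checklist and check the expected outputs. Class and
# method names, time steps and the fault handling are assumptions.

EMD_DELAY_MS = 100  # Range 1, Time 1 (10% of 0.1...1.0 s) as configured above


class SafetyChain:
    def __init__(self):
        self.guard_closed = True
        self.relay_out = False     # GSR DI safety outputs energized
        self.emd_out = False       # GSR EMD delayed safety outputs energized
        self.emd_timer_ms = None   # remaining OFF delay once a stop is commanded
        self.sto_powered = False   # drive STO inputs energized
        self.motion = False        # hazardous motion running
        self.fault = False

    def open_guard(self):
        self.guard_closed = False
        self._update(0)

    def close_guard(self):
        self.guard_closed = True
        self._update(0)

    def reset(self):
        """Manual reset (press and release): honoured only with the guard closed
        and no fault; otherwise the relay and expansion module do not respond."""
        if self.guard_closed and not self.fault:
            self.relay_out = self.emd_out = True
            self.emd_timer_ms = None
        self._update(0)

    def start(self):
        """Local or PAC Start button: second action required after the reset."""
        if self.sto_powered:
            self.motion = True

    def stop(self):
        """Normal production stop; the safety system must not respond."""
        self.motion = False

    def inject_fault(self):
        """Fault at the relay inputs or via SWS: outputs drop with no delay."""
        self.fault = True
        self._update(0)

    def advance(self, ms):
        """Let simulated time pass (the EMD OFF delay counts down here)."""
        self._update(ms)

    def _update(self, ms):
        if self.fault:
            self.relay_out = self.emd_out = False
            self.emd_timer_ms = None
        elif not self.guard_closed and self.relay_out:
            self.relay_out = False            # safety demand: relay trips now
            self.emd_timer_ms = EMD_DELAY_MS  # EMD starts its OFF delay
        if self.emd_timer_ms is not None:
            self.emd_timer_ms -= ms
            if self.emd_timer_ms <= 0:
                self.emd_out = False          # delay elapsed: STO power removed
                self.emd_timer_ms = None
        self.sto_powered = self.emd_out
        if not self.sto_powered:
            self.motion = False               # output transistors disabled, coast to stop


def run_normal_operation_sequence():
    """Replay the normal-operation checklist; every observation should be True."""
    s, obs = SafetyChain(), {}
    obs["no_motion_on_powerup"] = not s.motion and not s.sto_powered
    s.reset()
    obs["reset_restores_sto_without_motion"] = s.sto_powered and not s.motion
    s.start()
    obs["start_runs_motion"] = s.motion
    s.stop()
    obs["normal_stop_leaves_safety_system_alone"] = not s.motion and s.relay_out and s.sto_powered
    s.start()
    s.open_guard()
    obs["relay_trips_at_once_emd_still_on"] = not s.relay_out and s.emd_out
    s.advance(EMD_DELAY_MS)
    obs["sto_removed_after_delay_motion_stops"] = not s.sto_powered and not s.motion
    s.reset()
    obs["reset_ignored_while_guard_open"] = not s.relay_out and not s.sto_powered
    s.close_guard()
    obs["closing_guard_does_not_restart"] = not s.relay_out and not s.motion
    s.reset()
    obs["reset_with_guard_closed_no_motion"] = s.sto_powered and not s.motion
    s.start()
    obs["start_after_reset_runs_motion"] = s.motion
    return obs


if __name__ == "__main__":
    for name, passed in run_normal_operation_sequence().items():
        print(f"{name}: {'pass' if passed else 'FAIL'}")
```

The model is a specification aid, not a substitute for the test: the checklist still has to be executed on the real machine, and the 100 ms window between the relay tripping and STO power being removed is exactly where the PAC's controlled stop (Motion Axis Stop or Motion Servo Off for the PowerFlex 527) must complete.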
Verification and Validation Checklist
General Machinery Information
Machine Name/Model Number
Machine Serial Number
Customer Name
Test Date
Tester Name(s)
Schematic Drawing Number
Input Devices 440N-Z21SS2AN9
GuardMaster Dual-input Safety Relay 440R-D22R2
GuardMaster Multifunction-delay Expansion Module 440R-EM4R2D
Variable Frequency Drive 25B-B5PON104 (PowerFlex 525 drive) or 25C-V2P5N104 (PowerFlex 527 drive)
Safety Wiring and Relay Configuration
Test Step Verification Pass/Fail Changes/Modifications
1 Confirm that all components' specifications are suitable for the application. Refer to
Basic Safety Principles and Well-tried Safety Principles from ISO 13849-2.
2 Visually inspect the safety relay circuit to confirm that it is wired as documented in the
schematics.
3 Confirm that the Guardmaster dual-input safety relay is set to the proper Logic
configuration setting "2."
4 Confirm that the Guardmaster multifunction-delay expansion module is set to the
proper Range configuration setting "1" and Time configuration setting "1."
Normal Operation Verification - The safety system responds properly to all normal Start, Stop, Reset, and SensaGuard switch inputs.
Test Step Verification Pass/Fail Changes/Modifications
1 Confirm that no one is in the guarded area.
2 Confirm that the hazardous motion is stopped.
3 Confirm that the door is closed.
4 Apply power to the safety system.
5 Confirm that the PWR/Fault, IN1, and IN2 status indicators of the Guardmaster dual-input safety relay are green. Confirm that the OUT status indicator blinks green. Confirm that the PWR/Fault status indicator of the Guardmaster multifunction-delay expansion module is steady green.
6 Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are steady green.
7 Confirm that the hazardous motion does not start on powerup.
8 Press and release the external drive Start button. Confirm that the hazardous motion begins and the machine begins to operate.
9 Press the external Stop button. The machine must stop in its normal, configured manner. The safety system must not respond.
10 Press and release the external Start button. Confirm that the hazardous motion starts and the machine begins to operate.
11 Open the guarded door. The safety system must trip. The hazardous motion must stop within the required time. Monitor the status indicators on the Guardmaster dual-input safety relay and Guardmaster multifunction-delay expansion module for proper operation. Only the PWR/Fault status indicator on both devices should be steady green. All other status indicators should be OFF.
12 Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module must not respond.
13 Close the guarded door. The machine must not start. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay must be steady green. The OUT status indicator must blink green.
14 Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are steady green.
15 Press and release the external Start button. Confirm that the motor starts and the machine begins to operate.
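The expected indicator states in steps 4 through 15 of the normal-operation checklist can be captured as a small behavioral model and used as an oracle when recording results. The following Python model is an added illustration, not Rockwell code and not the relay's actual internal logic; it assumes a single guarded door feeding both relay inputs, a monitored reset, and a drive Start button that only takes effect while the expansion module output has the drive's STO inputs enabled.

```python
from dataclasses import dataclass


@dataclass
class SafetyChainModel:
    """Constructed model of the indicator states the normal-operation
    checklist expects. A hypothetical simplification for checking recorded
    results, not the Guardmaster relay's actual logic."""
    powered: bool = False
    door_closed: bool = True
    relay_out: bool = False   # dual-input relay OUT energized (steady green)
    motion: bool = False      # hazardous motion running

    def power_on(self):
        self.powered = True
        self.relay_out = False  # monitored reset: OUT never energizes on powerup
        self.motion = False     # step 7: no hazardous motion on powerup

    def open_door(self):
        self.door_closed = False
        self.relay_out = False  # relay trips; expansion module drops the drive enable
        self.motion = False     # Stop Category 1: motion stops within the required time

    def close_door(self):
        self.door_closed = True  # inputs healthy again, but no automatic restart

    def press_reset(self):
        # A reset is honored only while both inputs are healthy; otherwise ignored
        if self.powered and self.door_closed:
            self.relay_out = True

    def press_start(self):
        if self.relay_out:       # drive STO inputs are enabled only while OUT is on
            self.motion = True

    def press_stop(self):
        self.motion = False      # normal drive stop; the safety circuit does not respond

    def relay_indicators(self):
        inputs_ok = self.powered and self.door_closed
        out = "steady green" if self.relay_out else ("blinking green" if inputs_ok else "OFF")
        return {"PWR/Fault": "steady green" if self.powered else "OFF",
                "IN1": "steady green" if inputs_ok else "OFF",
                "IN2": "steady green" if inputs_ok else "OFF",
                "OUT": out}

    def expansion_indicators(self):
        logic = "steady green" if self.relay_out else "OFF"
        return {"PWR/Fault": "steady green" if self.powered else "OFF",
                "Logic IN": logic, "Logic OUT": logic}
```

Walking the model through steps 4 to 15 and comparing its output with the observed indicators gives a quick check that nothing in the recorded sequence contradicts the expected behavior.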
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
SensaGuard Switch - Guardmaster input Tests
Test Step Validation Pass/Fail Changes/Modifications
1 Keep the guarded door closed. Hazardous motion continues to run. Remove the gray wire from the SensaGuard switch to terminal S12 of the Guardmaster dual-input safety relay. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module must trip immediately. The hazardous motion must stop. Verify proper operation of all status indicators.
2 Reconnect the wire to the S12 terminal. The Guardmaster dual-input safety relay must not respond. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond.
3 Open and close the guarded door. The IN1 and IN2 status indicators must be steady green. The OUT status indicator must blink green.
4 Press and release the Reset button. The Guardmaster dual-input safety relay OUT status indicator must be steady green. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators must be steady green. The hazardous motion must not start.
5 Press the external Start button. The machine must start to run. Monitor all status indicators for proper operation. This step is optional in the following SensaGuard switch validation tests.
6 With the guarded door closed, jump the gray wire to 24V. After approximately 40 seconds, the SensaGuard switch must trip. The Guardmaster dual-input safety relay must trip. The SensaGuard switch flashes red. Monitor all status indicators for proper operation.
7 Remove the jumper. Neither the SensaGuard switch nor the Guardmaster dual-input safety relay responds. Press and release the Restart button. Nothing changes. Monitor all status indicators for proper operation.
8 Cycle power to the SensaGuard switch. Approximately five seconds after power is restored to the SensaGuard switch, the status indicator on the SensaGuard switch goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green, and the OUT status indicator blinks green.
9 Press and release the Reset button. The Guardmaster dual-input safety relay must reset; its OUT status indicator is steady green. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators must be steady green.
10 Jump S12 to DC COM. The Guardmaster dual-input safety relay trips immediately. The status indicator on the SensaGuard switch blinks red. The Guardmaster dual-input safety relay IN1, IN2, and OUT status indicators are OFF. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators are OFF.
11 Remove the jumper. Neither the SensaGuard switch nor the Guardmaster dual-input safety relay responds. Press and release the Reset button. Nothing changes.
12 Cycle power to the SensaGuard switch. Approximately five seconds after power is restored to the SensaGuard switch, the status indicator on the SensaGuard switch goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green and the OUT status indicator blinks green.
13 Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module must reset. Monitor all status indicators for proper operation.
14 to 27 Repeat steps 1 through 13 using the Guardmaster terminal S22 in place of S12 and "Safety B" in place of "Safety A."
28 Jump S12 to S22 on the Guardmaster dual-input safety relay. After approximately 50 seconds, the SensaGuard switch trips. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module trip. The SensaGuard switch flashes red. Monitor all status indicators for proper operation.
29 Remove the jumper. Neither the SensaGuard switch, the Guardmaster dual-input safety relay, nor the Guardmaster multifunction-delay expansion module responds. Press and release the Reset button. Nothing changes.
30 Cycle power to the SensaGuard switch. Approximately five seconds after power is restored to the SensaGuard switch, the status indicator on the SensaGuard switch goes steady green. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay are steady green and the OUT status indicator blinks green.
31 Replace the SWS wire on L12 of the Guardmaster multifunction-delay expansion module. The Logic IN and OUT status indicators are steady green. Press and release the Start button to restore hazardous motion.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Guardmaster Dual-input Safety Relay- Guardmaster Multifunction-delay Expansion Module Tests
Test Step Validation Pass/Fail Changes/Modifications
1 While the machine continues to run, remove the wire from L12 of the Guardmaster multifunction-delay expansion module. The hazardous motion must coast to a stop. The Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module must be OFF. The Guardmaster dual-input safety relay is not affected.
2 Press the external Stop button. Restore the connection. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators are steady green. Press the external Start button to resume the hazardous motion.
3 While the hazardous motion continues to run, jump 24V to the L12 terminal of the Guardmaster multifunction-delay expansion module. After a second or two, the hazardous motion coasts to a stop. The Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are OFF. The OUT status indicator of the Guardmaster dual-input safety relay is OFF. The PWR/Fault indicator of the Guardmaster dual-input safety relay blinks red to show that it is faulted.
4 Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond.
5 Cycle power to the Guardmaster dual-input safety relay. It responds. The PWR/Fault, IN1, and IN2 status indicators are steady green. The OUT status indicator blinks green.
6 Press and release the Reset button. Press the external Start button. The hazardous motion must resume.
7 While the hazardous motion continues to run, jump 0V to the L12 terminal of the Guardmaster multifunction-delay expansion module. After a second or two, the hazardous motion coasts to a stop. The Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are OFF. The OUT status indicator of the Guardmaster dual-input safety relay is OFF. The PWR/Fault status indicator of the Guardmaster dual-input safety relay blinks red to show that it is faulted.
8 Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond.
9 Cycle power to the Guardmaster dual-input safety relay. It responds. The PWR/Fault, IN1, and IN2 status indicators are steady green. The OUT indicator blinks green.
10 Press and release the Reset button. Press the external Start button. The hazardous motion must resume.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Guardmaster Multifunction-delay Expansion Module - PowerFlex Drive Tests
Test Step Verification and Validation Pass/Fail Changes/Modifications
1 While the machine continues to run, remove the wire from terminal S1 of the PowerFlex drive. The hazardous motion must coast to a stop. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module are not affected. The PowerFlex drive has an STO fault.
2 Replace the wire to terminal S1. Press the drive's Start button. The drive must not respond. The STO fault remains.
3 Cycle power to the drive. The STO fault is cleared. Press the Start button. The hazardous motion starts.
4 While the hazardous motion continues to run, jump 24V to terminal S1 of the PowerFlex drive. Open the guarded gate. The hazardous motion coasts to a stop. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module behave in the normal way to the gate opening. The PowerFlex drive has an STO fault.