Rockwell Automation Allen-Bradley Guardmaster 440C-CR30 Application Technique

Brand: Rockwell Automation

Model: Allen-Bradley Guardmaster 440C-CR30

Type: Application Technique

This manual is also suitable for

Application Technique

Safety Function: Cable Pull Switch with a Configurable Safety

Relay

Products: Lifeline 4 Cable Pull Switch, Guardmaster 440C-CR30 Configurable Safety Relay, 100S-C Safety Contactors

Safety Rating: CAT. 3, PLd to ISO 13849-1: 2008

Topic Page

Important User Information 2

General Safety Information 3

Introduction 3

Safety Function Realization: Risk Assessment 3

Lifeline 4 Cable Pull Switch Safety Function 4

Safety Function Requirements 4

Functional Safety Description 4

Bill of Material 5

Setup and Wiring 5

Configuration 6

Calculation of the Performance Level 19

Verification and Validation Plan 22

Verification of the Configuration 28

Additional Resources 31

2 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and

operation of this equipment before you install, configure, operate, or maintain this product. Users are required to

familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,

and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required

to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be

impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the

use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and

requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or

liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or

software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,

Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

Labels may also be on or inside the equipment to provide specific precautions.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,

which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property

damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT

Identifies information that is critical for successful application and understanding of the product.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous

voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may

reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to

potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL

Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 3

Safety Function: Cable Pull Switch with a Configurable Safety Relay

General Safety Information

Contact Rockwell Automation to find out more about our safety risk assessment services.

Introduction

This safety function application technique explains how to wire, configure, and integrate a Lifeline™ 4 cable pull switch,

and an E-stop with a Guardmaster® 440C-CR30 configurable safety relay and two safety contactors. When the Lifeline 4

cable pull switch is tripped, the E-stop is pressed, or a fault is detected, the 440C-CR30 relay turns off two outputs, which

then turn off two safety contactors and remove power from the motor.

Safety Function Realization: Risk Assessment

The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried

out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of

the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance

Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered

control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or

exceeds the PLr.

IMPORTANT

This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk

assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety

distance calculations, which are not part of the scope of this document.

From: Risk Assessment (ISO 12100)

1. Identification of safety functions

2. Specification of characteristics of each function

3. Determination of required PL (PLr) for each safety function

To: Realization and PL Evaluation

4 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

Lifeline 4 Cable Pull Switch Safety Function

This application technique includes two safety functions:

• Safety-related stop function initiated by a safeguard (Lifeline 4 cable pull switch)

• Manually-actuated Emergency stop (E-stop)

These safety functions both execute a Stop Category 0 stop.

Safety Function Requirements

Actuating the Lifeline 4 cable pull switch stops and prevents hazardous motion by de-energizing the redundant safety

contactors. When the cable pull switch is de-activated, the 440C-CR30 relay is reset, and no faults are detected, motion

does not resume until a secondary start command is issued by the external start/stop system.

Pressing the E-stop prevents hazardous motion by de-energizing the redundant safety contactors. When the E-stop is de-

activated, the 440C-CR30 relay is reset, and no faults are detected, motion does not resume until a secondary start

command is issued by the external start/stop system.

The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance

Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.

Functional Safety Description

An assembly conveyor needs to be protected from accidental contact with personnel. The risk assessment determined that,

due to the length of the hazardous area, a cable pull switch must be installed to protect the area and to help mitigate the

risk. When the switch is activated, a Stop Category 0 stop takes place on the conveyor motor. The cable pull switch

prevents unexpected startup of the machine while the switch is activated.

An E-stop is also provided to address unanticipated emergency situations. The E-stop is a manually-actuated

complementary safety device. Pressing the E-stop also initiates a Stop Category 0 stop of the conveyor motor. The E-stop

switch prevents unexpected startup of the machine while the E-stop is depressed.

After a safety-related stop, the safety system cannot be reset unless the cable pull switch is reset and the E-stop is released.

Once the safety system is reset, a separate, deliberate action can be used to restart the conveyor with the external start/stop

system.

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 5

Safety Function: Cable Pull Switch with a Configurable Safety Relay

Bill of Material

This application uses these products.

Setup and Wiring

For detailed information on installing and wiring, refer to the publications listed in the Additional Resources. Follow the

installation instructions for your cable pull switch to make sure the pull switch operates properly.

System Overview

The Lifeline 4 cable pull switch is equipped with two normally closed (N.C.) contacts between two test pulse outputs

(MP_12 and MP_13) of the 440C-CR30 relay and two embedded safety inputs (EI_00 and EI_01). The pulse test

outputs are used to feed the inputs so that shorts can be detected on the input circuits. By using the pulse test outputs to

source the inputs, the 440C-CR30 relay can detect a short between input channels, a short to 24V DC, and a short to

ground. If any of these faults are detected, the 440C-CR30 relay takes the system to a safe state.

The E-stop is equipped with two normally closed (N.C.) contacts between two test pulse outputs (MP_12 and MP_13) of

the 440C-CR30 relay and two embedded safety inputs (EI_02 and EI_03). The pulse test outputs are used to feed the

inputs so that shorts can be detected on the input circuits. By using the pulse test outputs to source the inputs, the

440C-CR30 relay can detect a short between input channels, a short to 24V DC, and a short to ground. If any of these

faults are detected, the 440C-CR30 relay takes the system to a safe state.

If either the Lifeline 4 cable pull switch or the E-stop is depressed, the 440C-CR30 relay reacts by turning off two outputs

(EO_18 and EO_19) which are connected to two safety contactors (K1 and K2). These safety contactors are wired in series

to the motor. When the contactors drop out, motion at the motor stops. Each safety contactor is equipped with a normally

closed (N.C.) contact. The normally closed contact from each safety contactor is wired in series to a plug-in input (P1_00)

on the 440C-CR30 relay to serve as a feedback status for the contactors. This plug-in input is used to reserve the safety

inputs on the 440C-CR30 relay for actual safety devices. A safety input is not required for feedback status. This input is

monitored by the 440C-CR30 relay to make sure that neither safety contactor is welded in the closed position. If the

440C-CR30 relay detects that either contactor is welded closed, it does not let the system restart until the fault has been

corrected and the reset button has been pressed and released.

The reset function is carried out by a push button with a single, normally open (N.O.) contact that is tied to a plug-in input

(P1_01) on the 440C-CR30 relay. This plug-in input is used to reserve the safety inputs on the 440C-CR30 relay for

actual safety devices. A safety input is not required for the reset function. The reset function takes place during the ON-to-

Cat. No. Description Quantity

440E-L13137 440E emergency stop device – Lifeline 4 cable pull switch 1

100S-C12EJ23BC Bulletin 100S-C safety contactors, 12 A, 24V DC with electronic coil, bifurcated contacts 2

440C-CR30-22BBB Guardmaster 440C-CR30 software-configured safety relay, PLe, SIL 3, 22 safety I/O embedded serial port, USB

programming port, 2 plug-in slots, 24V DC

2080-IQ4OB4 4-channel digital input/output combination module 1

800FP-R611PQ10V 800F reset PB, round plastic (type 4/4x/13,IP66), blue, plastic latch mount, 1 N.O. contact 1

800F-1YP3 800F 1-hole enclosure E-stop station, plastic, PG, twist-to-release 40mm, non-illuminated, 2 N.C. 1

6 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

OFF transition of the reset button. This functionality is built in to the 440C-CR30 relay to make sure that the reset button

has not failed in the ON state, or that no one has defeated the button in the closed position.

Electrical Schematic

Configuration

Configure the 440C-CR30 relay by using Connected Components Workbench™ software, release 6.01 or later. A detailed

description of each step is beyond the scope of this document. Knowledge of Connected Components Workbench

software is assumed.

24V DC

DC_COM

Cable Pull Switch

Contactor–Feedback

Reset–PB

E-stop

24V DC

External_Switched

Start/Stop_Circuit

Feedback–to–P1_00

11 12

EI_00

EI_01

EO_18

EO_19

MP_13

MP_12

L2 L3

EI_02

EI_03

440C-CR30-22BBB

2080-IQ40B4

P1_00

P1_01

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 7

Safety Function: Cable Pull Switch with a Configurable Safety Relay

Configure the 440C-CR30 Relay

Follow these steps to configure the Guardmaster 440C-CR30 relay by using Connected Components Workbench

software.

1. In Connected Components Workbench software, choose View and then Device Toolbox.

2. Select 440C-CR30-22BBB.

3. In the Project Organizer, double-click the Guardmaster_400C_CR30 relay.

8 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

The Guardmaster_440C_CR30 screen appears.

4. To add the plug-in I/O module called for in the schematic, right-click the left plug-in module space and choose the

2080-IQ4OB4 module.

TIP

The I/O module is shown in standard gray, because it is not a safety I/O module. That is permissible in this application, because the

standard I/O module is not used to connect safety signals. The contactor feedback and reset button signals are not considered

strict, safety signals. By using standard I/O for these non-safety signals, you can reserve the limited number of safety inputs and

outputs for true safety signals.

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 9

Safety Function: Cable Pull Switch with a Configurable Safety Relay

5. Click the Edit Logic button to open the Connected Components Workbench Workspace.

6. From the View pull-down menu, choose Toolbox.

Configure the Inputs

Follow these steps to configure the inputs.

1. Select Emergency Stop.

2. Drag it to the green rectangle under Safety Monitoring and release it.

10 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

Connected Components Workbench software assigns input terminals EI_00 and EI_01 on the left side of the block.

The software automatically assigns the next unused terminal for a newly-added device. The terminals can be changed

to any unused input terminal, but in this case, leave the default. Because an E-stop is an electro-mechanical device,

the software automatically adds terminals 12 and 13 as test sources. Numbers 12 and 13 refer to multi-purpose

terminals 12 and 13 (MP_12 and MP_13). The diagnostic technique of using the test pulses lets the E-stop be used

in a safety system that achieves the required PL.

3. To add the Lifeline 4 cable pull switch, which is not included in the Toolbox, select Alternate Device and drag and

release it to the block below the E-stop you added previously.

Connected Components Workbench software assigns input terminals EI_02 and EI_03 on the left side of the block.

The software automatically assigns the next unused terminal for a newly-added device. The terminals can be changed

to any unused input terminal, but in this case, leave the default. Because the Lifeline 4 cable pull switch is an electro-

mechanical device, the software automatically adds terminals 12 and 13 as test sources. Numbers 12 and 13 refer to

multi-purpose terminals 12 and 13 (MP_12 and MP_13). The diagnostic technique of using the test pulses lets the

Lifeline 4 cable pull switch be used in a safety system that achieves the required PL.

4. To add a Feedback Monitoring input from the Toolbox, select Feedback Monitoring and drag and drop it onto the

block below the cable pull switch you added in the previous step.

The input defaults to one of the embedded safety EI inputs, and Connected Components Workbench software

names the block SMF3.

5. Because the feedback block is used to monitor the auxiliary contacts from the two safety contactors, change this to

use the non-safety plug-in module input P1_00, as shown.

6. To add a Reset input from the Toolbox. select Reset and drag and drop it onto the block below the Feedback Device.

The input defaults to one of the embedded safety EI inputs, and Connected Components Workbench software

names the block SMF4.

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 11

Safety Function: Cable Pull Switch with a Configurable Safety Relay

7. Because this reset block is used to reset the Immediate OFF Output in the case of a fault, change this to use the non-

safety plug-in module input P1_01, as shown.

These are the completed inputs for the system.

12 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

Configure the Outputs

Follow these steps to configure the safety outputs.

1. From the Toolbox, select and drag the Immediate OFF safety output function block to the top position in the Safety

Output column of the Workspace.

The software displays two automatically-assigned outputs and one blank, unassigned output. One, two, or three

outputs may be configured. For this application we use the defaults shown, which are E0_18 and E0_19. Both of

these outputs default to PT, which is pulse testing. Leave this default setting as well.

2. Using the pull-down menu next to each item in the Immediate OFF safety output function block, change the

following values:

a. Change Feedback to SMF3.

b. Leave Reset Type set to Manual to perform a manual reset on the Immediate OFF safety output function block.

c. Change Reset Input to SMF4.

The completed Immediate OFF output function block appears as shown.

Configure the Logic

The logic ties the inputs to the outputs, making the outputs respond to the inputs in the manner required.

IMPORTANT

SMF3 is the name given to the feedback input block created earlier to monitor the auxiliary contacts on the two safety contactors.

SMF4 is the name given to the Reset input function block created earlier to reset this output block.

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 13

Safety Function: Cable Pull Switch with a Configurable Safety Relay

1. From the Toolbox, select and drag the AND logic function and release it under the Logic Level A header as shown.

2. Connect the logic by completing the following steps:.

a. Click the blue dot on the E-stop input.

It turns gray.

b. Click the upper left blue dot on the AND gate.

The connection is formed.

14 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

3. Add connections between the Safety Device function block (this is the Lifeline 4 cable pull switch) and the lower

blue dot of the AND gate as shown.

4. Connect the blue dot on the right side of the AND gate to the blue dot of the safety output SOF1.

The software automatically routes the connection through a Pass Through under Logic Level B.

The completed logic looks like this.

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 15

Safety Function: Cable Pull Switch with a Configurable Safety Relay

Configure the Status Indicators

The 440C-CR30 relay lets you configure ten input status indicators and six output status indicators. These status

indicators can be very helpful while testing the system during installation and commissioning. They are also useful for

monitoring the system in operation.

To configure LED status indicators to show the status of the E-stop (terminals 00 and 01), follow these steps:

1. Click Guardmaster_440C_CR30.

2. Select LED configuration.

16 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

3. Choose Terminal Status as the Type Filter for LED 0.

4. Choose Terminal 00 as the Value for LED 0.

5. Assign the rest of the Input LED status indicators as follows:

6. Assign the Output LED status indicators as follows:

Confirm the Validity of the Build

Follow these steps to confirm the validity of the logic by using the Build feature in Connected Components Workbench

software.

1. Click Guardmaster_440C_CR30 in the bar above the Workspace.

E-stop Channel 1

E-stop Channel 2

E-stop Status

Lifeline 4 Channel 1

Lifeline 4 Channel 2

Lifeline 4 Status

Safety Contactor K1 Output

Safety Contactor K2 Output

Immediate Off Output Status

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 17

Safety Function: Cable Pull Switch with a Configurable Safety Relay

2. Click Build.

A Build Succeeded message confirms that the configuration is valid.

If an error or omission is discovered during a build, a message is displayed which details the error so that it may be

corrected. After you correct the error, you need to perform the build again.

Save and Download the Project

Follow these steps to save and download the project.

1. From the File menu, choose Save as to save the project.

2. In the Project Organizer window, double click Guardmaster_440C_CR30 to open the workspace.

3. Power up the 440C-CR30 safety relay.

4. Connect the USB cable to the 440C-CR30 relay.

IMPORTANT

Saving the project with a new name closes the workspace window(s).

18 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

5. Click Download.

6. In the Connection Browser, expand the AB_VBP-1 Virtual Chassis and select the Guardmaster 440C-CR30-

22BBB.

7. Click OK.

8. Click Yes to change from Run to Program mode.

9. When the download is complete, click Yes to change from Program to Run mode.

Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015 19

Safety Function: Cable Pull Switch with a Configurable Safety Relay

10. Click Edit Logic to see the online diagnostics.

Green indicates that a block is True or that an input or output terminal is ON. Flashing green indicates that a Safety

Output Function is ready to be Reset.

The online diagnostics mode of the 440C-CR30 relay can be very helpful during the verification process.

11. Review the information in C

alculation of the Performance Level on page 19 and Verification and Validation Plan on

page 22 before proceeding with Verification of the Configuration on page 28.

Calculation of the Performance Level

When properly implemented, these safety functions can achieve a safety rating of Category 3, Performance Level d (CAT.

3, PLd), according to ISO 13849-1: 2008, as calculated by using the SISTEMA software PL calculation tool.

The Performance Level required (PLr) from the risk assessment for each of the safety functions in this application is PLd or

better. Additionally, each safety function must achieve a CAT. 3 rating or better.

The Performance Level and Category achieved by each subsystem of the Lifeline 4 cable pull switch safety function, as

calculated by SISTEMA, is shown below.

20 Rockwell Automation Publication SAFETY-AT134B-EN-P - November 2015

Safety Function: Cable Pull Switch with a Configurable Safety Relay

The Lifeline 4 cable pull switch safety function can be modeled as follows.

Lifeline4 cable pull switches are considered complimentary safety devices by the relevant standards. As such, they are not a

substitute for safeguarding measures, nor can they impair the effective operations of any safeguarding measures.

Due to the single mechanical actuator of the cable pull switch, a fault exclusion must be considered. In most instances the

fault exclusion required for electromechanical devices with a single mechanical actuator, such as a typical tongue interlock,

limits the safety function in which they are included to a maximum Performance Level of PLd.

Calculation of the 440C-CR30 relay subsystem is straightforward. Its relevant safety data is automatically entered into

SISTEMA when it is selected from the Rockwell Automation SISTEMA library.

The calculation for the Lifeline 4 cable pull switch input subsystem, and the 100S contactor output subsystem is different.

Because these are electro-mechanical devices, the Lifeline 4 cable pull switch and safety contactor data includes the

following:

• Mean Time to Failure, dangerous (MTTFd)

• Diagnostic Coverage (DCavg)

• Common Cause Failure (CCF)

• Electro-mechanical devices' functional safety evaluations include the following:

• How frequently they are operated

• Whether they are effectively monitored for faults

• Whether they are properly specified and installed

• SISTEMA calculates the MTTFd by using B10d data provided for the contactors along with the estimated

frequency of use, entered during the creation of the SISTEMA project. In this application, the estimated annual

number of contactor operations is 17520 per year (the Lifeline 4 cable switch is initiated once per hour, plus the

E-stop is initiated once per hour, 24 hours per day, 365 days a year).

The DCavg (99%) for the contactors is selected from the Output Device table of ISO 13849-1 Annex E, Direct

Monitoring.

The DCavg (99%) for the E-stop is selected from the Input Device table of ISO 13849-1 Annex E, Cross Monitoring.

Input

Logic

Output

Cable Pull Switch 1

Cable Pull Switch 2

Subsystem 1

Subsystem 2

Subsystem 3

440C-CR30

Relay

100S-C

Subsystem 4

Fault Exclusion

Fault

Exclusion

Page is loading ...

Rockwell Automation Allen-Bradley Guardmaster 440C-CR30 Application Technique

Brand: Rockwell Automation

Model: Allen-Bradley Guardmaster 440C-CR30

Type: Application Technique

This manual is also suitable for

Download PDF

report

Rockwell Automation Allen-Bradley Guardmaster 440C-CR30 Application Technique

This manual is also suitable for

Rockwell Automation Allen-Bradley Guardmaster 440C-CR30 Application Technique

Related papers

Other documents