Application Technique
Safety Function: Enabling Switch with Single-input and Dual-input Safety Relays
Products: 440J Enabling Switch, Guardmaster Single-input Safety Relay, Guardmaster Dual-input Safety Relay
Safety Rating: CAT. 3, PLd to ISO 13849-1: 2008
Contents (Topic / Page)
Important User Information / 2
General Safety Information / 3
Introduction / 4
Safety Function Realization: Risk Assessment / 4
Enabling Switch Safety Function / 4
Safety Function Requirements / 5
Functional Safety Description / 5
Bill of Material / 7
Setup and Wiring / 7
Configuration / 10
Calculation of the Performance Level / 11
Verification and Validation Plan / 15
Additional Resources / 20
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,
and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required
to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the
use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT
Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
Rockwell Automation Publication SAFETY-AT067D-EN-P - March 2016
General Safety Information
IMPORTANT
This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.
Risk Assessments
ATTENTION: Perform a risk assessment to make sure that all task and hazard combinations have been identified and addressed.
The risk assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must consider safety-distance calculations, which are not part of the scope of this document.
Contact Rockwell Automation to learn more about our safety-risk assessment services.
Safe Distance Calculations
ATTENTION: While safe distance or access time calculations are beyond the scope of this document, compliant safety circuits must
often consider a safe distance or access time calculation.
Non-separating safeguards provide no physical barrier to prevent access to a hazard. Publications that offer guidance for
calculating compliant safe distances for safety systems that use non-separating safeguards, such as light curtains, scanners,
two-hand controls, or safety mats, include the following:
EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts
of the human body)
ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)
Separating safeguards monitor a moveable, physical barrier that guards access to a hazard. Publications that offer guidance
for calculating compliant access times for safety systems that use separating safeguards, such as gates with limit switches or
interlocks (including SensaGuard™ switches), include the following:
EN ISO 14119:2013 (Safety of Machinery – Interlocking devices associated with guards - Principles for design and
selection)
EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts
of the human body)
ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)
In addition, consult relevant national or local safety standards to assure compliance.
Introduction
This safety function application technique explains how to wire and configure a safety system that includes a Guardmaster®
single-input safety relay, a Guardmaster dual-input safety relay, a gate interlock, an E-stop, and an enabling switch. This
configuration lets an operator have safe, monitored access to a hazardous area and it provides a pushbutton-actuated
jogging function while the operator is in the hazardous area.
Safety Function Realization: Risk Assessment
The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried
out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of
the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance
Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered
control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or
exceeds the PLr.
From: Risk Assessment (ISO 12100)
1. Identification of safety functions
2. Specification of characteristics of each function
3. Determination of required PL (PLr) for each safety function
To: Realization and PL Evaluation
Enabling Switch Safety Function
This application technique includes three safety functions:
• Emergency stop of hazardous motion that is initiated by an E-stop button.
• Safety-related stop of hazardous motion that is initiated by a gate interlock switch.
• Hold-to-run function by using an enabling switch.
Safety Function Requirements
The three safety functions are described in the following sections.
E-stop Safety Function
Pressing the E-stop button stops and prevents hazardous motion by removing power to the motor. After the E-stop button
is reset, hazardous motion and power to the motor do not resume until a secondary action (pressing the Start button)
occurs.
Door Monitoring Safety Function
Opening the guard gate stops and prevents hazardous motion by removing power to the motor. After the door is closed,
hazardous motion and power to the motor do not resume until a secondary action (pressing and releasing the Start button)
occurs.
Enabling Switch Safety Function
While holding the enabling switch in the middle position, an operator can open the gate and gain access to the guarded area
without initiating an emergency stop. Releasing or fully squeezing the enabling switch initiates an emergency stop of the
hazardous motion.
The three safety functions in this example are capable of connecting and interrupting power to motors rated up to 9 A, 600V AC.
The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance
Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.
Functional Safety Description
The E-stop connects to the Guardmaster single-input safety relay. One safety-monitoring channel circuit runs through the
E-stop between pulsed output S11 and input S12, and the other channel between pulsed output S21 and input S22. The
safety relay monitors the pulse stream at each input to confirm that each circuit is in a proper state. When the E-stop is
pressed, these two circuits are interrupted. The Guardmaster single-input safety relay responds to this circuit interruption by
signaling its tripped status to the dual-input safety relay via the single wire safety (SWS). The dual-input safety relay
responds to the single-input safety relay SWS tripped-status signal by opening its safety contacts (13...14 and 23...24),
which de-energizes the coils of K1 and K2.
The 440K-T11118 gate interlock switch connects to the dual-input safety relay. One safety-monitoring circuit runs
through one of the N.C. safety contacts between pulsed output S11 and input S12, and the other through the second N.C.
safety contact between pulsed output S21 and input S22. The safety relay monitors the pulse stream at each input to
confirm that each circuit is in a proper state. When the gate is opened, the actuator key is drawn from the interlock switch.
The removal of the actuator forces the two N.C. contacts open, which breaks each circuit. The dual-input safety relay
responds to the broken circuits by opening its safety contacts (13...14 and 23...24), which de-energizes the coils of K1 and
K2.
The 440J-N21TNPM-NP enabling switch connects to the Guardmaster dual-input safety relay. One safety-monitoring
circuit runs through one of the N.O. safety contacts between pulsed output S11 and input S32, and the other through the
second N.O. safety contact between pulsed output S21 and input S42. The enabling switch must be gripped in its middle
position to close these two safety-monitoring circuits. When the enabling switch is not in its MT GD2 storage station and
the gate is open, releasing or fully squeezing the enabling switch from the middle position breaks the two safety-monitoring
circuits. The dual-input safety relay responds to the broken circuits by opening its safety contacts (13...14 and 23...24),
which de-energizes the coils of K1 and K2. With power removed, the hazardous motion coasts to a stop (Stop Category 0).
When the system is operating in the Non-enabling Switch safety-function mode, the hazardous motion cannot be started
unless all relevant safety inputs are in the safe state and the Start button is pressed and released.
When the system is operating in the Enabling Switch safety-function mode with the enabling switch held in the middle
position and with the gate open, pressing the jog button of the enabling switch restores power to the hazardous motion.
Releasing the jog button removes power to the hazardous motion.
Description of Enabling Switch Operation
When the enabling switch is removed from its MT GD2 storage station, power is removed from the safety contacts of the
dual-input safety relay. The hazardous motion coasts to a stop. The safety system is not tripped; there has been no demand
on the safety system. By holding the enabling switch in the middle position, the operator can open the gate without the
interlock tripping the safety system. The jog button functions only while the enabling switch is gripped in the middle
position and the gate is open. Pressing the jog button on the enabling switch restores power to the safety contacts of the
dual-input safety relay. Releasing the jog button removes power from the safety contacts of the dual-input safety relay.
When the enabling switch is released or fully squeezed, the system performs an emergency stop of the hazardous motion.
Power is restored when the enabling switch is gripped in the middle position and the jog button is pressed. Faults at the
enabling switch, gate interlock switch, E-stop, safety relay, or output safety contactors are detected before the next safety
demand. The safety functions in this application technique are capable of connecting and interrupting power to motors
rated up to 9 A, 600V AC.
Bill of Material
This application uses these products.
Cat. No. | Description | Quantity
800F-1YP8 | 800F one-hole enclosure E-stop station, plastic, PG, twist-to-release 60 mm, non-illuminated, 1 N.O., 2 N.C. | 1
440R-S12R2 | Guardmaster safety relay, one dual-channel universal input, one N.C. solid-state auxiliary output | 1
440R-D22R2 | Guardmaster safety relay, two dual-channel universal inputs, one N.C. solid-state auxiliary output | 1
440J-N21TNPM-NP | Switch with jog button | 1
440J-A01N | Mounting bracket suitable for one actuator that is mounted onto switch, includes four flat-head screws and one Resistorx bit | 1
440J-A02N | Mounting bracket suitable for single enabling switch and single safety switch | 1
440K-T11460 | Tongue switch - Trojan™ 5 and 6: contacts (safety and aux): 2 N.C., 2 N.O., MBB preference: make-before-break, actuator: no actuator, model type: GD2 front entry, conduit entry: M20 conduit | 1
440G-A27011 | GD2 standard actuator (GD2 model only) | 1
440K-MT55083 | Tongue switch - MT-GD2: contacts (safety and aux): 2 N.C., 2 N.O., MBB preference: make-before-break, actuator: no actuator, model type: latch release, conduit entry: M20 conduit | 1
440G-A27011 | GD2 standard actuator (GD2 model only) | 1
855EE-G24L5 | Control tower stack light, pre-assembled, 25 cm pole mount with cap, gray housing, 24V AC/DC full voltage, amber flashing status indicator | 1
800FM-U2F3E4MX11 | 800F 2 pos. momentary multifunction - rd. metal (IP66, 4, IP65), pos. A - green flush PB, pos. C - red ext. PB, metal latch mount, one N.O. contact, one N.C. contact, standard, standard pack | 1
100S-C09EJ23BC | MCS™ 100S-C safety contactor, 9 A, 24V DC (w/elec. coil), bifurcated contact | 2
Setup and Wiring
For detailed information on installing and wiring, refer to the publications listed in the Additional Resources.
System Overview
The pulsed outputs of the Guardmaster single-input safety relay (terminals S11 and S21) are run separately through the
two E-stop contacts to input terminals S12 and S22 respectively. This configuration enables the single-input safety relay to
detect loose wire, short to 24V, short to GND, welded contact, and cross channel faults.
The pulsed outputs of the dual-input safety relay (terminals S11 and S21) are run separately through the two 440K-T11118
safety contacts to input terminals S12 and S22 respectively. This configuration enables the dual-input safety relay to detect
loose wire, short to 24V, short to GND, a welded contact, and cross channel faults.
The pulsed outputs of the dual-input safety relay (terminals S11 and S21) are run separately through the two 440K-MT55083 contacts and the enabling switch contacts to input terminals S32 and S42, respectively. This configuration
enables the dual-input safety relay to detect loose wire, short to 24V, short to GND, and cross channel faults. Because the two devices are in series on each channel, a welded
contact on one device could be masked by the other device opening.
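The two-channel pulsed-input monitoring described above (and in the Functional Safety Description) can be made concrete with a small model. The following is an added example, not code from the document or from Rockwell Automation: it assumes two constructed test-pulse patterns for S11 and S21 (the real patterns and timing are not given on the page) and classifies what an input terminal sees as a closed contact, an open circuit, a short to 24V, or a cross-channel short. The last function reproduces the caveat about the series-connected 440K-MT55083 and enabling switch contacts: a welded contact on one device is hidden when the other device opens.

```python
from typing import Sequence, Tuple

# Constructed test-pulse patterns. S11 and S21 each emit their own pattern so the
# relay can recognise its own pulse stream at S12/S22 (or S32/S42). The patterns
# and their timing are an assumption of this model, not taken from the document.
PULSE_S11: Tuple[int, ...] = (1, 1, 1, 0, 1, 1, 1, 1)
PULSE_S21: Tuple[int, ...] = (1, 1, 1, 1, 1, 1, 0, 1)
NO_SIGNAL: Tuple[int, ...] = (0,) * len(PULSE_S11)


def classify_channel(samples: Sequence[int], expected: Sequence[int],
                     other: Sequence[int]) -> str:
    """Classify what one input terminal sees over a single pulse period."""
    seen = tuple(samples)
    if seen == tuple(expected):
        return "closed"          # own pulse stream arrives: contact closed, wiring intact
    if not any(seen):
        return "open"            # no signal: contact open, loose wire, or short to 0V
    if all(seen):
        return "short_to_24v"    # steady 24V: the pulses are bypassed by a supply short
    if seen == tuple(other):
        return "cross_channel"   # the other channel's pulses: the two wires are shorted
    return "unknown_fault"


def relay_state(s12: Sequence[int], s22: Sequence[int]) -> str:
    """Combine the two channels the way a dual-channel safety relay input does."""
    c1 = classify_channel(s12, PULSE_S11, PULSE_S21)
    c2 = classify_channel(s22, PULSE_S21, PULSE_S11)
    if c1 == "closed" and c2 == "closed":
        return "inputs_ok"       # both circuits in the proper state: outputs may be energised
    if c1 == "open" and c2 == "open":
        return "demand"          # both channels opened together: a genuine stop demand
    if {c1, c2} <= {"closed", "open"}:
        return "discrepancy_fault"   # one channel stayed closed: welded contact or broken wire
    return "wiring_fault"        # short to 24V or cross-channel short on at least one channel


def contact(closed: bool, pattern: Sequence[int]) -> Tuple[int, ...]:
    """A single contact passes the pulse stream when closed and nothing when open."""
    return tuple(pattern) if closed else NO_SIGNAL


def series_channel(device_a_closed: bool, device_b_closed: bool,
                   pattern: Sequence[int]) -> Tuple[int, ...]:
    """Two contacts in series on one channel, as with the 440K-MT55083 and the
    enabling switch feeding S32/S42: the channel is closed only if both are."""
    return contact(device_a_closed and device_b_closed, pattern)


def welded_contact_masked() -> bool:
    """Device A is welded closed, device B opens normally on both channels.
    Returns True if the relay sees an ordinary demand, i.e. the weld is hidden."""
    s32 = series_channel(True, False, PULSE_S11)
    s42 = series_channel(True, False, PULSE_S21)
    return relay_state(s32, s42) == "demand"


if __name__ == "__main__":
    print("healthy:", relay_state(PULSE_S11, PULSE_S21))
    print("E-stop pressed:", relay_state(NO_SIGNAL, NO_SIGNAL))
    print("one contact welded:", relay_state(PULSE_S11, NO_SIGNAL))
    print("channels shorted together:", relay_state(PULSE_S21, PULSE_S11))
    print("series weld masked:", welded_contact_masked())
```

The model shows why a discrepancy between channels is treated as a fault rather than a demand, and why the page notes that the series arrangement on S32/S42 cannot reveal a welded contact on its own: the validation checklist, not the relay, has to exercise each device separately.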
The single-input safety relay monitors the state of its input. The single-input safety relay monitors itself for any internal
faults. When an input demand or fault is detected, the single-input safety relay responds by opening its safety contacts
(13...14 and 23...24) and signaling an input demand or fault via its Single Wire Safety (SWS) output. The single-input
safety relay monitors the state of the two 100S safety contactors via two N.C. contacts, one from each 100S, connected in
series in its reset circuit. The single-input safety relay does not reset unless both contacts are properly closed.
Some internal faults can be cleared by power cycling the single-input safety relay. In other cases, the single-input safety relay
must be replaced.
The dual-input safety relay monitors the state of all its inputs, including the SWS input (L12). The dual-input safety relay
monitors itself for any internal faults. When an input demand or fault is detected, the dual-input safety relay responds by
opening its safety contacts (13...14 and 23...24) and signaling an input demand or fault via its SWS output. The dual-input
safety relay monitors the state of the two 100S safety contactors via two N.C. contacts, one from each 100S, connected in
series in its reset circuit. The dual-input safety relay does not reset unless both contacts are properly closed.
Some internal faults can be cleared by power cycling the dual-input safety relay. In other cases, the dual-input safety relay
must be replaced.
A circuit using a single 440K-T11118 gate interlock, due to its tongue actuator, can achieve a CAT. 3 maximum circuit
structure. The circuit in this safety function application technique achieves a CAT. 3 circuit structure.
In this document, the 440K-MT55083 switch is used in a way that is not part of a safety function. It functions to
determine when the enabling switch is out of the holder and active. The failure of this switch does not lead to an unsafe
condition.
A circuit that uses a 440J-N21TNPM-NP enabling switch can achieve a CAT. 3 maximum circuit structure. The circuit in
this safety function application technique achieves a CAT. 3 circuit structure.
The final control device in this case is a pair of 100S safety contactors, K1 and K2. The contactors are controlled by the
safety contacts of the dual-input safety relay.
The system has a Start/Stop button for starting and stopping the system in normal operation. The Start button is also used
to restore power to the safety contacts of the dual-input safety relay after a demand on the safety system has occurred and
the system is ready to restart.
Electrical Schematic
[Figure: electrical schematic, not reproduced in text. Legend: SI = 440R-S12R2; DI = 440R-D22R2; 440K-T11543 = Gate Interlock - MBB; 440K-MT55083 = Enabling Switch Monitoring Interlock - MBB; SWS = Single-wire Safety. Labels visible in the drawing: 24V DC / 0V DC supply to A1/A2 of both relays; E-stop on SI terminals S11/S12 and S21/S22; SI rotary switch AM; SWS link from SI L11 to DI L12; Reset and Start/Stop on S34; gate interlock (Standard GD2 Actuator) on DI S12/S22; 440K-MT55083 (Latch) and 440J Enabling Switch with Jog Button and Jog Enabled on DI S32/S42; DI rotary switch Logic; Status to PLC outputs (Y32, 13/14, 23/24); contactors K1 and K2 (A1/A2 coils, 13/14 and 23/24 feedback contacts) switching motor M on L1 L2 L3 through an External Switched Stop/Start Circuit.]
Configuration
Configure the Guardmaster single-input and dual-input safety relay as described in the following procedures.
Configure the Guardmaster Single-input Safety Relay
1. With power off, turn the rotary switch to position 0.
The unit powers up. After the power-up test, the PWR status indicator flashes red.
2. Turn the rotary switch to AM (automatic/manual).
The IN 1 status indicator blinks the new setting. The position is set when the PWR status indicator is solid green.
3. Lock in the configuration by cycling power to the unit.
IMPORTANT
Configuration must be confirmed before operation. Record the unit setting in the white space on the face of the device.
Configure the Guardmaster Dual-input Safety Relay
1. With power off, turn the rotary switch to position 0.
The unit powers up. After the power-up test, the PWR status indicator flashes red.
2. Turn the rotary switch to position 7.
The IN 1 status indicator blinks the new setting. The position is set when the PWR status indicator is solid green.
3. Lock in configuration by cycling power to the unit.
IMPORTANT
Configuration must be confirmed before operation. Record the unit setting in the white space on the face of the device.
Calculation of the Performance Level
When properly implemented, these safety functions can achieve a safety rating of Category 3, Performance Level d
(CAT. 3, PLd), according to ISO 13849-1: 2008, as calculated by using the Safety Integrity Software Tool for the
Evaluation of Machine Applications (SISTEMA).
E-stop Safety Function
The E-stop safety function can be modeled as follows.
[Figure: SISTEMA model of the E-stop safety function. Input: E-stop B1/E1 and E-stop B2/E2 (Fault Exclusion allowed). Logic: Guardmaster Single-input Safety Relay, Guardmaster Dual-input Safety Relay. Output: 100S K1 and 100S K2. The blocks are modeled as Subsystem 1 through Subsystem 5.]
Because the E-stop, interlock, and enabling switch are electromechanical input devices and the contactors are
electromechanical output devices, the safety contactor data includes the following:
• Mean Time to Failure, dangerous (MTTFd)
• Diagnostic Coverage (DCavg)
• Common Cause Failure (CCF)
The functional safety evaluations of electromechanical devices include the following:
• How frequently they are operated
• Whether they are effectively monitored for faults
• Whether they are properly specified and installed
A fault exclusion is included in these calculations to recognize that the E-stop has a single mechanical actuator, a potential
single-point failure. ISO 13849-2:2012, Annex D, allows a safety function that includes an emergency stop device, as
defined in IEC 60947-5-5, to achieve PLe provided the annual usage is appropriate for an emergency stop that is properly
used. These calculations are based on the E-stop being actuated 250 times a year.
SISTEMA calculates the MTTFd by using B10d data that is provided for the contactors along with the estimated
frequency of use, entered during the creation of the SISTEMA project.
The DCavg (99%) for the E-stop is selected from the Input Device table of ISO 13849-1 Annex E, Cross Monitoring.
The DCavg (99%) for the contactors is selected from the Output Device table of ISO 13849-1 Annex E, Direct
Monitoring.
The CCF value is generated by using the scoring process that is outlined in Annex F of ISO 13849-1. The complete CCF
scoring process must be performed when actually implementing an application. A minimum score of 65 must be achieved.
The Emergency Stop function is a complementary protective measure that is intended to be used with other safeguarding
measures and protective devices to sufficiently reduce risk.
Door-Monitoring Safety Function
The door-monitoring safety function can be modeled as follows.
[Figure: SISTEMA model of the door-monitoring safety function. Input: Interlock B1/E1 and Interlock B2/E2 (Fault Exclusion). Logic: Guardmaster Dual-input Safety Relay. Output: 100S K1 and 100S K2. The blocks are modeled as Subsystem 1 through Subsystem 4.]
Because these devices are electromechanical devices, the safety contactor data includes the following:
• Mean Time to Failure, dangerous (MTTFd)
• Diagnostic Coverage (DCavg)
• Common Cause Failure (CCF)
The functional safety evaluations of electromechanical devices include the following:
• How frequently they are operated
• Whether they are effectively monitored for faults
• Whether they are properly specified and installed
SISTEMA calculates the MTTFd by using B10d data that is provided for the contactors along with the estimated
frequency of use, entered during the creation of the SISTEMA project.
The DCavg (99%) for the interlock is selected from the Input Device table of ISO 13849-1 Annex E, Cross Monitoring.
A fault exclusion is included to recognize that the 440K-T11118 interlock has a single mechanical tongue actuator, a
potential single-point failure. ISO 13849-2:2012, Annex D, restricts a safety function that uses a single
electromechanical interlock to a performance level no higher than PLd.
The DCavg (99%) for the contactors is selected from the Output Device table of ISO 13849-1 Annex E, Direct
Monitoring.
The CCF value is generated by using the scoring process that is outlined in Annex F of ISO 13849-1. The complete CCF
scoring process must be performed when actually implementing an application. A minimum score of 65 must be achieved.
Enabling Switch Safety Function
The enabling switch safety function can be modeled as follows.
[Figure: SISTEMA model of the enabling switch safety function. Input: Enabling Switch B1/E1 and Enabling Switch B2/E2 (Fault Exclusion). Logic: Guardmaster Dual-input Safety Relay. Output: 100S K1 and 100S K2. The blocks are modeled as Subsystem 1 through Subsystem 4.]
Because these devices are electromechanical devices, the safety contactor data includes the following:
• Mean Time to Failure, dangerous (MTTFd)
• Diagnostic Coverage (DCavg)
• Common Cause Failure (CCF)
The functional safety evaluations of electromechanical devices include the following:
• How frequently they are operated
• Whether they are effectively monitored for faults
• Whether they are properly specified and installed
SISTEMA calculates the MTTFd by using B10d data that is provided for the contactors along with the estimated
frequency of use, entered during the creation of the SISTEMA project.
The DCavg (99%) for the enabling switch is selected from the Input Device table of ISO 13849-1 Annex E, Cross
Monitoring.
In accordance with ISO 13849 parts 1 and 2, a fault exclusion is included to recognize that the 440J enabling switch has a
single mechanical actuator, a potential single-point failure. A safety function that uses this enabling switch can achieve a
performance level no higher than PLd.
The DCavg (99%) for the contactors is selected from the Output Device table of ISO 13849-1 Annex E, Direct
Monitoring.
The CCF value is generated by using the scoring process that is outlined in Annex F of ISO 13849-1. The complete CCF
scoring process must be performed when actually implementing an application. A minimum score of 65 must be achieved.
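The three performance-level sections above all follow the same recipe: MTTFd from B10d and the frequency of use, DCavg from the Annex E tables, a CCF score of at least 65, and a structural cap from the fault exclusion. The following is an added example that carries that recipe through in code; it is not SISTEMA output and not code from the document or from Rockwell Automation. The 250 E-stop actuations per year, the 99% DCavg values, the 65-point CCF minimum and the PLd caps come from the page; the B10d figures are the generic ISO 13849-1 Table C.1 values used only as placeholders, the operating profiles for the interlock, enabling switch and contactors are constructed, and the treatment of a 99% DCavg in the Category 3 column of Table 7 is an assumption stated in the comments. A real project takes B10d from the manufacturer's data and lets SISTEMA sum the subsystem PFHd values.

```python
from typing import Dict, Optional

MTTFD_CAP_YEARS = 100.0   # ISO 13849-1:2008 caps MTTFd per channel at 100 years
PL_ORDER = "abcde"

# ISO 13849-1 Table 7 (simplified procedure), Category 3 columns only, since every
# circuit in the document is Category 3: (DCavg class, MTTFd class) -> PL.
TABLE7_CAT3 = {
    ("low", "low"): "b", ("low", "medium"): "c", ("low", "high"): "d",
    ("medium", "low"): "c", ("medium", "medium"): "d", ("medium", "high"): "e",
}


def nop_per_year(days_per_year: float, hours_per_day: float, seconds_per_cycle: float) -> float:
    """Mean annual operations, ISO 13849-1 Annex C: nop = dop * hop * 3600 / tcycle."""
    return days_per_year * hours_per_day * 3600.0 / seconds_per_cycle


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd in years from B10d and operating frequency: B10d / (0.1 * nop), capped."""
    return min(b10d / (0.1 * nop), MTTFD_CAP_YEARS)


def mttfd_class(mttfd: float) -> str:
    """ISO 13849-1 MTTFd ranges: low 3..10, medium 10..30, high 30..100 years."""
    if mttfd < 3:
        raise ValueError("MTTFd below 3 years is outside the ISO 13849-1 ranges")
    return "low" if mttfd < 10 else "medium" if mttfd < 30 else "high"


def dc_class(dc_percent: float) -> str:
    """ISO 13849-1 DCavg ranges: none <60 %, low 60..90 %, medium 90..99 %, high >=99 %."""
    if dc_percent < 60:
        return "none"
    return "low" if dc_percent < 90 else "medium" if dc_percent < 99 else "high"


def category3_pl(dc_percent: float, mttfd: float) -> str:
    """PL of a Category 3 subsystem read from Table 7."""
    dc = dc_class(dc_percent)
    if dc == "none":
        raise ValueError("Category 3 needs a DCavg of at least 60 % (low)")
    if dc == "high":
        # Assumption: Table 7 has no Category 3 / DC-high column, so a 99 % DCavg
        # is read in the best Category 3 column (DC medium).
        dc = "medium"
    return TABLE7_CAT3[(dc, mttfd_class(mttfd))]


def subsystem_pl(dc_percent: float, mttfd: float, ccf_score: int,
                 pl_cap: Optional[str] = None) -> str:
    """Apply the Annex F CCF minimum of 65 and any structural cap, e.g. the PLd
    limit for a single tongue actuator or a single enabling-switch actuator."""
    if ccf_score < 65:
        raise ValueError("CCF score below 65: Category 3 is not achieved")
    pl = category3_pl(dc_percent, mttfd)
    if pl_cap is not None and PL_ORDER.index(pl) > PL_ORDER.index(pl_cap):
        pl = pl_cap
    return pl


def evaluate_example(ccf_score: int = 80) -> Dict[str, str]:
    """Walk the electromechanical subsystems of the document with constructed inputs."""
    # E-stop: the document's 250 actuations per year; Annex D allows PLe, so no cap.
    # B10d 100 000 is the generic Table C.1 placeholder for E-stop devices.
    estop = subsystem_pl(99, mttfd_from_b10d(100_000, 250), ccf_score)
    # Gate interlock: constructed profile, 365 d x 16 h, gate opened every 5 min;
    # B10d 2 000 000 placeholder; the single tongue actuator caps the function at PLd.
    interlock = subsystem_pl(99, mttfd_from_b10d(2_000_000, nop_per_year(365, 16, 300)),
                             ccf_score, pl_cap="d")
    # Enabling switch: constructed profile, operated every 10 min; B10d 100 000
    # placeholder; the single mechanical actuator caps the function at PLd.
    enabling = subsystem_pl(99, mttfd_from_b10d(100_000, nop_per_year(365, 16, 600)),
                            ccf_score, pl_cap="d")
    # 100S contactors: constructed 60 s machine cycle; B10d 1 300 000 placeholder
    # (Table C.1, nominal load); direct monitoring gives the 99 % DCavg.
    contactors = subsystem_pl(99, mttfd_from_b10d(1_300_000, nop_per_year(365, 16, 60)),
                              ccf_score)
    pls = {"estop": estop, "interlock": interlock,
           "enabling_switch": enabling, "contactors": contactors}
    # A safety function can never exceed its weakest subsystem; SISTEMA refines this
    # bound by summing the subsystem PFHd values, but the minimum is the quick check.
    pls["function"] = min(pls.values(), key=PL_ORDER.index)
    return pls


if __name__ == "__main__":
    for name, pl in evaluate_example().items():
        print(f"{name}: PL {pl}")
```

With these placeholder inputs the E-stop and the contactors each reach PLe on their own, while the interlock and the enabling switch are held at PLd by their fault exclusions, so the function as a whole is bounded at PLd, matching the rating the document claims. Changing the constructed operating profile is the quickest way to see an MTTFd class drop from high to medium and the PL fall with it, which is exactly the sensitivity a reviewer should probe in the SISTEMA project.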
Verification and Validation Plan
Verification and validation play important roles in the avoidance of faults throughout the safety system design and
development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a
documented plan to confirm that all safety functional requirements have been met.
Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is
calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software is
typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.
Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements
of the safety function. The safety control system is tested to confirm that all safety-related outputs respond appropriately to
their corresponding safety-related inputs. The functional test includes normal operating conditions and potential fault
injection of failure modes. A checklist is typically used to document the validation of the safety control system.
Before validating the system, confirm that the Guardmaster single-input and dual-input safety relays have been wired and
configured in accordance with the installation instructions.
Verification and Validation Checklist

General Machinery Information
Machine Name/Model Number:
Machine Serial Number:
Customer Name:
Test Date:
Tester Name:
Schematic Drawing Number:
Guardmaster Single-input Safety Relay:
Guardmaster Dual-input Safety Relay:
440J Enabling Switch:

Safety Wiring and Relay Configuration Verification (record Pass/Fail and any Changes/Modifications for each test step)
Test Step 1: Visually inspect the safety relay circuit and verify that it is wired as documented in the schematics.
Test Step 2: Visually inspect the rotary-switch settings of the safety relay and verify that they are correct as documented.
Rockwell Automation Publication SAFETY-AT067D-EN-P - March 2016
Safety Function: Enabling Switch with Single-input and Dual-input Safety Relays
Verification and Validation Checklist
Normal Operation Verification - The safety system responds properly to all normal Start, Stop, and E-stop commands.
Test Step | Verification | Pass/Fail | Changes/Modifications
1. Confirm that the system is powered up, the E-stop is not pressed, the monitored gate is closed, and the enabling switch is inserted into the 440K-MT55083 switch. Confirm that the OUT status indicator on the dual-input safety relay is green.
2. Press and release the Start button. The hazardous motion begins.
3. While the system continues to run, press the E-stop button. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops.
4. Press and release the Start button. The dual-input safety relay does not respond.
5. Release the E-stop button. The OUT status indicator on the dual-input safety relay is green. Press and release the Start button. The hazardous motion begins.
6. While the system continues to run, open the monitored gate. The dual-input safety relay de-energizes its safety outputs and the contactors. The OUT status indicator of the dual-input safety relay is OFF. The hazardous motion stops.
7. While the monitored gate is open, press and release the Start button. The hazardous motion does not begin.
8. Close the monitored gate. The OUT status indicator on the dual-input safety relay is green. Press and release the Start button. The hazardous motion begins.
9. While the system continues to run, remove the enabling switch from the 440K-MT55083 module without holding it in the middle position. The hazardous motion stops. The OUT status indicator on the dual-input safety relay remains green.
10. Press and release the Start button. The hazardous motion remains stopped.
11. Hold and maintain the enabling switch in the middle position. Press and hold the jog button. The hazardous motion begins.
12. Open the monitored gate. The hazardous motion continues.
13. Hold the enabling switch in the middle position, and release and press the jog button on the enabling switch. The hazardous motion stops when the jog button is released and commences when the jog button is pressed. Grip and maintain the enabling switch in the middle position.
14. Hold the jog button down to run the hazardous motion. Squeeze the enabling switch, out of the middle position, to the inner position. The dual-input safety relay de-energizes its safety outputs and the contactors. The OUT status indicator of the dual-input safety relay is OFF. The hazardous motion stops.
15. Press and release the Start button. The system does not respond.
16. Hold the enabling switch in the middle position. The OUT status indicator of the dual-input safety relay is green. Press and release the Start button. The hazardous motion remains stopped. Maintain the enabling switch in the middle position.
17. Press and maintain the jog button. The hazardous motion begins.
18. Relax the grip on the enabling switch so that it moves to the outer, at-rest position. The dual-input safety relay de-energizes its safety outputs and the contactors. The OUT status indicator on the dual-input safety relay is OFF. The hazardous motion stops.
19. Press and release the Start button. The system does not respond.
20. Hold the enabling switch in the middle position. The OUT status indicator of the dual-input safety relay is green. Press and release the Start button. The hazardous motion remains stopped. Maintain the enabling switch in the middle position.
21. Press the jog button. The hazardous motion begins.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
E-stop - Dual-input Safety Relay Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
Note: Steps 1…5 validate proper E-stop operation in both the case of a single, loose wire and in the case of one E-stop channel failing to open when the E-stop is pressed.
1. While the system continues to run, remove the E-stop wire on S12 of the single-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops.
2. Reconnect the wire to S12. Press and release the Start button. The hazardous motion does not begin.
3. Release the E-stop button. Press and release the Start button. The hazardous motion does not begin.
4. Press and release the E-stop button. Press and release the Start button. The hazardous motion begins.
5. Repeat steps 1…4 by using S22 of the single-input safety relay in place of S12.
6. While the system continues to run, briefly jump 24V to E-stop terminal S12 on the single-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the single-input safety relay is steady red.
7. Press and release the Start button. The dual-input safety relay does not respond.
8. Cycle power to the single-input safety relay. When the OUT status indicator on the single-input safety relay turns green, press and release the Start button. The hazardous motion begins.
9. Repeat steps 6…8 by using S22 on the single-input safety relay in place of S12.
10. While the system continues to run, briefly jump 0V to E-stop terminal S12. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the single-input safety relay is steady red.
11. Press and release the Start button. The dual-input safety relay does not respond.
12. Cycle power to the single-input safety relay. When the OUT status indicator on the single-input safety relay turns green, press and release the Start button. The hazardous motion begins.
13. Repeat steps 10…12 by using S22 on the single-input safety relay in place of S12.
14. While the system continues to run, briefly jump terminal S12 of the single-input safety relay to terminal S22 of the same relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the single-input safety relay blinks red.
15. Press and release the Start button. The dual-input safety relay does not respond.
16. Cycle power to the single-input safety relay. When the OUT status indicator on the single-input safety relay turns green, press and release the Start button. The hazardous motion begins.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Interlock - Dual-input Safety Relay Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
Note: Steps 1…8 validate proper interlock operation in both the case of a single, loose wire and in the case of one interlock channel failing to open when the monitored gate is opened.
1. While the system continues to run, remove the interlock wire on S12 of the dual-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops.
2. Reconnect the wire to S12. Press and release the Start button. The hazardous motion does not begin.
3. Open and close the monitored gate. Press and release the Start button. The hazardous motion begins.
4. Repeat steps 1…3 by using S22 of the dual-input safety relay in place of S12.
5. While the system continues to run, briefly jump 24V to interlock terminal S12 on the dual-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the dual-input safety relay is steady red.
6. Press and release the Start button. The dual-input safety relay does not respond.
7. Cycle power to the dual-input safety relay. When the OUT status indicator on the dual-input safety relay turns green, press and release the Start button. The hazardous motion begins.
8. Repeat steps 5…7 by using S22 on the dual-input safety relay in place of S12.
9. While the system continues to run, briefly jump 0V to interlock terminal S12 on the dual-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the dual-input safety relay is steady red.
10. Press and release the Start button. The dual-input safety relay does not respond.
11. Cycle power to the dual-input safety relay. When the OUT status indicator on the dual-input safety relay turns green, press and release the Start button. The hazardous motion begins.
12. Repeat steps 9…11 by using S22 on the dual-input safety relay in place of S12.
13. While the system continues to run, briefly jump terminal S12 of the dual-input safety relay to terminal S22 of the same relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the dual-input safety relay blinks red.
14. Press and release the Start button. The dual-input safety relay does not respond.
15. Cycle power to the dual-input safety relay. When the OUT status indicator on the dual-input safety relay turns green, press and release the Start button. The hazardous motion begins.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Enabling Switch - Dual-input Safety Relay Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
Note: Steps 1…7 validate proper enabling switch operation in both the case of a single, loose wire and the case of one enabling switch channel failing to open when the enabling switch leaves the middle position.
1. While the system continues to run, remove the enabling switch from its 440K-MT55083 station. The hazardous motion continues to run.
2. Grip and maintain the enabling switch in the middle position. Open the monitored gate. The hazardous motion continues to run.
3. While the system continues to run, remove the enabling switch wire from S32 of the dual-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops.
4. Reconnect the wire to S32. Press and release the Start button. The hazardous motion does not begin.
5. Release the enabling switch from the middle position, and then grip and maintain it in the middle position.
6. Press and release the Start button. The hazardous motion begins.
7. Repeat steps 1…6 by using S42 of the dual-input safety relay in place of S32.
8. Grip and maintain the enabling switch in the middle position. While the system continues to run, briefly jump 24V to enabling switch terminal S32 on the dual-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the dual-input safety relay is steady red.
9. Press and release the Start button. The dual-input safety relay does not respond.
10. Cycle power to the dual-input safety relay. When the OUT status indicator on the dual-input safety relay turns green, press and release the Start button. The hazardous motion begins.
11. Repeat steps 8…10 by using S42 on the dual-input safety relay in place of S32.
12. Grip and maintain the enabling switch in the middle position. While the system continues to run, briefly jump 0V to enabling switch terminal S32 on the dual-input safety relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the dual-input safety relay is steady red.
13. Press and release the Start button. The dual-input safety relay does not respond.
14. Cycle power to the dual-input safety relay. When the OUT status indicator on the dual-input safety relay turns green, press and release the Start button. The hazardous motion begins.
15. Repeat steps 12…14 by using S42 on the dual-input safety relay in place of S32.
16. Grip and maintain the enabling switch in the middle position. While the system continues to run, briefly jump terminal S32 of the dual-input safety relay to terminal S42 of the same relay. The dual-input safety relay de-energizes its safety outputs and the contactors. The hazardous motion stops. The PWR/Fault status indicator on the dual-input safety relay blinks red.
17. Press and release the Start button. The dual-input safety relay does not respond.
18. Cycle power to the dual-input safety relay. When the OUT status indicator on the dual-input safety relay turns green, press and release the Start button. The hazardous motion begins.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Single-input Safety Relay - Logic Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
1. While the system continues to run, turn the RESET rotary switch on the single-input safety relay from the proper AM position to position MM. The PWR/Fault status indicator blinks red-green twice, pauses steady green, and repeats. The hazardous motion continues to run.
2. Confirm that the response of the single-input safety relay to the E-stop input continues to be normal.
3. Return the RESET rotary switch on the single-input safety relay to AM. The red-green blinking ceases. The PWR/Fault status indicator is steady green. The system continues to operate normally.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Dual-input Safety Relay Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
1. While the system continues to run, break the connection between the K1 and K2 N.C. feedback contacts of the contactors. The hazardous motion continues to run.
2. Press the E-stop button. The single-input safety relay de-energizes its safety outputs. The dual-input safety relay de-energizes its safety outputs. Its Logic IN status indicator is off. The hazardous motion stops.
3. Release the E-stop. Neither the single-input safety relay nor the dual-input safety relay respond. Press the Start button. The hazardous motion remains stopped.
4. Restore the connection between the K1 and K2 N.C. feedback contacts.
5. The single-input safety relay and dual-input safety relay energize their Safety outputs. The Logic IN status indicator on the dual-input safety relay is green. The hazardous motion remains stopped.
6. Press and release the Start button. The hazardous motion begins.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Dual-input Safety Relay - Logic Tests
Test Step | Validation | Pass/Fail | Changes/Modifications
1. While the system continues to run, turn the LOGIC rotary switch on the dual-input safety relay from the proper 2 position to position 5. The PWR/Fault status indicator blinks red-green twice, pauses steady green, and repeats. The hazardous motion continues to run.
2. Confirm that the response of the dual-input safety relay to the E-stop input continues to be normal.
3. Return the LOGIC rotary switch on the dual-input safety relay to 2. The red-green blinking ceases. The PWR/Fault status indicator is steady green. The system continues to operate normally.
Additional Resources
These documents contain more information about related products from Rockwell Automation.
Resource | Description
Guardmaster Safety Relay SI Installation Instructions, publication 440R-IN042 | Provides instructions on how to install, configure, and maintain a Guardmaster 440R-S12R2 (SI) safety relay.
Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037 | Provides instructions on how to install, configure, and maintain a Guardmaster 440R-D22R2 (DI) safety relay.
440J-N Enabling Switch Installation Instructions, publication 440J-IN001 | Provides instructions on how to install, configure, and maintain a Guardmaster 440J-N21TNPM-NP enabling switch with jog button.
Trojan 5 and 6 Installation Instructions, publication 440K-IN002 | Provides instructions on how to install, configure, and maintain a Guardmaster 440K-T11453 interlock switch.
MT-GD2 Installation Instructions, publication MTGD2-IN001 | Provides instructions on how to install, configure, and maintain a Guardmaster 440K-MT55083 interlock switch.
Safety Contactors with DC Coil Installation Instructions, publication 100S-IN006 | Provides instructions on how to install 100S-C safety contactors.
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 | Provides general guidelines on how to install a Rockwell Automation industrial system.
Safety Products Catalog, publication S117-CA001, website http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page | Provides information about Rockwell Automation safety products.
Product Certifications website, http://www.rockwellautomation.com/global/certification/overview.page | Provides declarations of conformity, certificates, and other certification details.
You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.
Rockwell Automation Support
Use the following resources to access support information.
Technical Support Center: Knowledgebase Articles, How-to Videos, FAQs, Chat, User Forums, and Product Notification Updates. www.rockwellautomation.com/knowledgebase
Local Technical Support Phone Numbers: Locate the phone number for your country. www.rockwellautomation.com/global/support/get-supportnow.page
Direct Dial Codes: Find the Direct Dial Code for your product. Use the code to route your call directly to a technical support engineer. www.rockwellautomation.com/global/support/directdial.page
Literature Library: Installation Instructions, Manuals, Brochures, and Technical Data. www.rockwellautomation.com/literature
Product Compatibility and Download Center (PCDC): Get help determining how products interact, check features and capabilities, and find associated firmware. www.rockwellautomation.com/global/support/pcdc.page
Documentation Feedback
Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete the
How Are We Doing? form at http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf.
For more information on Safety Function Capabilities, visit: http://marketing.rockwellautomation.com/safety/en/safety_functions
Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.
Allen-Bradley, Guardmaster, LISTEN. THINK. SOLVE, MCS, Rockwell Automation, Rockwell Software, SensaGuard, and Trojan are trademarks of Rockwell Automation, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400
Publication SAFETY-AT067D-EN-P - March 2016
Supersedes Publication SAFETY-AT067C-EN-E - May 2013
Copyright © 2016 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.