VersaSafe VersaPoint IC220SDL953 Safety Logic

GE
Intelligent Platforms
Programmable Control Products
VersaSafe
VersaPoint* Module: IC220SDL953
SAFETY LOGIC MODULE, SAFE OUTPUT 24VDC, 8PT
User's Manual, GFK-2731
September 2011
User's manual
VersaPoint module with integrated safety logic and safe digital outputs
2011-09-29
Catalog No.: GFK-2731
Revision: 03
This user manual is valid for:
Catalog No.    Revision
IC220SDL953    HW/FW/FW: 00/100/100
               HW/FW/FW: 00/101/100
Please observe the following notes
In order to ensure the safe use of the product described, you have to read and understand
this manual. The following notes provide information on how to use this user manual.
User group of this manual
The use of products described in this manual is oriented exclusively to qualified electricians
or persons instructed by them, who are familiar with applicable national standards and
other regulations regarding electrical engineering and, in particular, the relevant safety
concepts.
GE Intelligent Platforms accepts no liability for erroneous handling or damage to products
from GE Intelligent Platforms or third-party products resulting from disregard of information
contained in this user manual.
Explanation of symbols used and signal words
This is the safety alert symbol. It is used to alert you to potential personal
injury hazards. Obey all safety measures that follow this symbol to avoid
possible injury or death.
DANGER
This indicates a hazardous situation which, if not avoided, will result in death or serious
injury.
WARNING
This indicates a hazardous situation which, if not avoided, could result in death or serious
injury.
CAUTION
This indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.
The following types of message provide information about possible property damage and
general information concerning proper operation and ease of use.
NOTE
This symbol and the accompanying text alert the reader to a situation which may cause
damage or malfunction to the device, hardware or software, or surrounding property.
This symbol and the accompanying text provide the reader with additional information,
such as tips and advice on the efficient use of hardware and on software optimization. It
is also used as a reference to other sources of information (manuals, data sheets) on the
subject matter, product, etc.
General terms and conditions of use for technical documentation
This document is based on information available at the time of its publication. While efforts
have been made to be accurate, the information contained herein does not purport to cover
all details or variations in hardware or software, nor to provide for every possible
contingency in connection with installation, operation, or maintenance. Features may be
described herein which are not present in all hardware and software systems. GE
Intelligent Platforms assumes no obligation of notice to holders of this document with
respect to changes subsequently made.
Statement of legal authority
GE Intelligent Platforms makes no representation or warranty, expressed, implied, or
statutory with respect to, and assumes no responsibility for the accuracy, completeness,
sufficiency, or usefulness of the information contained herein. No warranties of
merchantability or fitness for purpose shall apply.
How to contact us
Internet
Up-to-date information on GE Intelligent Platforms products and our Terms and Conditions
can be found on the Internet at:
www.ge-ip.com.
Make sure you always use the latest documentation.
It can be downloaded at:
http://support.ge-ip.com.
Subsidiaries
If there are any problems that cannot be solved using the documentation, please contact
your GE Intelligent Platforms subsidiary.
Subsidiary contact information is available at www.ge-ip.com.
Published by
GE Intelligent Platforms, Inc.
2500 Austin Dr.
Charlottesville
Virginia
Phone: (+1) 800-433-2682
Fax: (+1) 780-420-2047
Should you have any suggestions or recommendations for improvement of the contents
and layout of our manuals, please send your comments to:
support.ip@ge.com
* VersaPoint is a trademark of GE Intelligent Platforms, Inc. and/or its affiliates.
All other trademarks are the property of their respective owners.
© Copyright 2011 GE Intelligent Platforms, Inc. All Rights Reserved
Table of contents
1 For your safety
1.1 General safety notes
1.2 Electrical safety
1.3 Safety of the machine or system
1.4 Safety for starting applications
1.5 Directives and standards
1.6 Correct usage
1.7 Documentation
1.8 Abbreviations used
2 Product description
2.1 Note about the system description
2.2 Brief description of the safety module
2.3 Structure of the safety module
2.4 Housing dimensions
2.5 Safe digital outputs
2.6 Connection options for actuators depending on the parameterization
2.7 Local diagnostic and status indicators
2.8 Safe state
2.8.1 Operating state
2.8.2 Error detection in I/O devices
2.8.3 Device errors
2.8.4 Parameterization errors
2.9 Process data words
2.10 Programming data/configuration data
2.10.1 Local bus
2.10.2 Other bus systems or networks
3 VersaPoint potential and data routing, and VersaPoint connectors
3.1 VersaPoint potential and data routing
3.2 Supply voltage UL
3.3 Supply voltage UM
3.4 Terminal point assignment
4 Assembly, removal, and electrical installation
4.1 Assembly and removal
4.1.1 Unpacking the module
4.1.2 General
4.1.3 Setting the DIP switches
4.1.4 Assembly and removal of the safety module
4.2 Electrical installation
4.2.1 Electrical installation of the VersaPoint station
4.2.2 Electrical installation of the safety module
5 Parameterization of the safety module
5.1 Parameterization of the safety module in a VersaSafe system
5.2 Parameterization of the safe outputs
5.3 Behavior of the outputs in the event of enabled switch-off delay for stop category 1
6 Connection examples for safe outputs
6.1 Explanation of the examples
6.2 Notes on the protective circuit for external relays/contactors (free running circuit)
6.3 Measures required to achieve a specific safety integrity level
6.4 Single-channel assignment of safe outputs
6.5 Two-channel assignment of safe outputs
7 Startup and validation
7.1 Initial startup
7.2 Restart after replacing a safety module
7.2.1 Replacing a safety module
7.2.2 Restart
7.3 Validation
8 Errors: Messages and removal
8.1 Safe digital output errors
8.2 Supply voltage errors
8.3 General errors
8.4 Parameterization errors
8.5 Connection errors to satellites
8.6 Acknowledging an error
9 Maintenance, repair, decommissioning, and disposal
9.1 Maintenance
9.2 Repair
9.3 Decommissioning and disposal
10 Technical data and ordering data
10.1 System data
10.1.1 VersaPoint
10.1.2 VersaSafe system
10.2 IC220SDL953
10.3 Conformance with EMC Directive
10.4 Ordering data
10.4.1 Ordering data: Safety module
10.4.2 Ordering data: Accessories
10.4.3 Ordering data: Software
10.4.4 Ordering data: Documentation
A Appendix: VersaSafe system
A 1 The VersaSafe system
A 1.1 VersaSafe technology – Maximum flexibility and safety
A 1.2 Overview of VersaSafe system features
A 1.3 Differences in VersaSafe systems dependent upon which module with integrated safety logic is used
A 2 System topology
A 2.1 General topology
A 2.2 Network and controller requirements
A 2.3 Safe input and output devices
A 3 VersaSafe address assignment
A 4 Operating modes and setting the DIP switches in the VersaSafe system
A 4.1 Module switch positions
A 4.2 VersaSafe multiplexer mode
A 5 Process image
A 5.1 Structure of the process image
A 5.2 Description of the registers
A 6 Implementation of data flow between the standard controller and the safety modules
A 6.1 Implementation of data flow with a function block
A 6.2 Implementation of data flow without a function block
A 7 Enable principle
A 8 Diagnostics
A 8.1 Error detection in I/O devices
A 8.2 Detection of device errors
A 8.3 Acknowledgment of error messages for satellites
A 9 Configuration, parameterization, and download
A 9.1 Configuration and parameterization using the VersaConf Safety tool
A 9.2 Downloading the configuration and parameter data record following power up
A 10 Safe state
A 11 Time response in the VersaSafe system
A 11.1 Typical response time
A 11.2 Shutdown times
A 12 Achievable safety depending on the modules used
A 13 Behavior in the event of an error
A 13.1 Critical system or device errors
A 13.2 Parameterization or configuration errors
A 13.3 Communication errors
A 13.4 I/O errors
A 14 Startup and restart
A 14.1 Startup/restart following power up
A 14.2 Restart after triggering a safety function
A 15 Memory sizes for the safety logic
B Appendix: Checklists
B 1 Checklists for the VersaSafe system
B 1.1 Planning
B 1.2 Configuration and parameterization
B 1.3 Startup
B 1.4 Safety functions
B 1.5 Validation
B 2 Checklists for the IC220SDL953 module
B 2.1 Planning
B 2.2 Assembly and electrical installation
B 2.3 Startup
B 2.4 Validation
C Index
1 For your safety
Purpose of this manual
The information in this document is designed to familiarize you with how the IC220SDL953
safety module works, its operating and connection elements, and its parameter settings.
This information will enable you to use the module within a VersaSafe system according to
your requirements.
Validity of the user manual
This manual is only valid for the IC220SDL953 module in the version indicated on the inner
cover page.
1.1 General safety notes
WARNING: Depending on the application, incorrect handling of the safety module
can pose serious risks for the user
When working with the safety module within the VersaSafe system, please observe all
the safety notes included in this section.
Requirements
Knowledge of the following is required:
– The target system (e.g., PROFIBUS, PROFINET)
– The standard control system
– The VersaSafe system (see Appendix A)
– The components used in your application
– The VersaPoint product range
– Operation of the software tools used
– Safety regulations in the field of application
Qualified personnel
In the context of the use of the VersaSafe system, the following operations may only be
carried out by qualified personnel:
– Planning
– Configuration of the safety logic and parameterization
– Installation, startup, servicing
– Maintenance, decommissioning
This user manual is, therefore, aimed at:
– Qualified personnel who plan and design safety equipment for machines and systems
and are familiar with regulations governing safety in the workplace and accident
prevention
– Qualified personnel who install and operate safety equipment in machines and
systems
In terms of the safety notes in this manual, qualified personnel are persons who, because
of their education, experience and instruction, and their knowledge of relevant standards,
regulations, accident prevention, and service conditions, have been authorized to carry out
any required operations, and who are able to recognize and avoid any possible dangers.
Documentation
You must observe all information in this manual as well as in the documents listed in
"Documentation" on page 1-5.
Safety of personnel and equipment
The safety of personnel and equipment can only be assured if the safety module is used
correctly (see "Correct usage" on page 1-4).
Error detection
Depending on the wiring and the corresponding setting of the safe output module
parameters, the VersaSafe system can detect various errors within the safety equipment.
Do not carry out any repairs
Repair work may not be carried out on the safety module.
In the event that an error cannot be removed, please contact GE Intelligent Platforms
immediately, engage a service engineer, or send the faulty module directly to GE Intelligent
Platforms.
Do not open the housing/security seal
It is strictly prohibited to open the safety module housing. In order to prevent the
manipulation of the safety module and to detect the unauthorized opening of the safety
module, a security seal is applied to the module. This security seal is damaged in the event
of unauthorized opening. In this case, the correct operation of the safety module can no
longer be ensured.
Measures to prevent incorrect connection and polarity reversal
Take measures to prevent the incorrect connection, polarity reversal, and manipulation of
connections.
1.2 Electrical safety
WARNING: Hazardous body currents and the loss of functional safety
Disregarding instructions for electrical safety may result in hazardous body currents and
the loss of functional safety.
In order to ensure electrical safety, please observe the following points.
Direct/indirect contact
Ensure that all components connected to the system are protected against direct and
indirect contact according to VDE 0100 Part 410. In the event of an error, parasitic voltages
must not occur (single-fault tolerance).
This can be achieved by:
– Using power supply units with safe isolation (PELV).
– Decoupling circuits, which are not SELV or PELV systems, using optocouplers, relays,
and other components meeting the requirements of safe isolation.
Power supply unit for 24 V supply
Only use power supply units with safe isolation and PELV according to
EN 50178/VDE 0160 (PELV). This prevents short circuits between primary and secondary
sides.
Make sure that the output voltage of the power supply does not exceed 32 V even in the
event of an error.
Insulation rating
When selecting the operating equipment, please take into consideration the contamination
and surge voltages, which may occur during operation.
The IC220SDL953 module is designed for surge voltage category II (according to
DIN EN 60664-1). If you expect surge voltages in the system that exceed the values
defined in surge voltage category II, take additional measures for voltage limitation
into consideration.
Installation and configuration
Please observe the instructions for installing and configuring the system (see
"Documentation" on page 1-5).
WARNING: Depending on the application, incorrect installation and upgrades can
pose serious risks for the user
The user is obliged to design the devices used and their installation in the system
according to these requirements. This also means that existing plants and systems
retrofitted with the VersaSafe system must be checked and tested again in this respect.
1.3 Safety of the machine or system
The machine/system manufacturer and the operator are solely responsible for the safety
of the machine or system and the implemented application, in which the machine or system
is used. The Machinery Directive must be observed.
Draw up and implement a safety concept
In order to use the safety module described in this document, you must have drawn up an
appropriate safety concept for your machine or system. This includes a hazard and risk
analysis according to the directives and standards specified in "Directives and standards"
on page 1-4, as well as a test report (checklist) for validating the safety function (see
"Appendix: Checklists" on page B-1).
The target safety integrity level (SIL according to EN 61508, SIL CL according to EN 62061
or performance level and category according to EN ISO 13849-1) is ascertained on the
basis of the risk analysis. The safety integrity level ascertained determines how to connect
and parameterize the safety module within the overall safety function.
Within a VersaSafe system, the IC220SDL953 safety module can be used to achieve
safety functions with the following requirements depending on the conditions of use:
– Up to SIL 3 according to standard EN 61508
– Up to SIL CL 3 according to standard EN 62061
– Up to Cat. 4/PL e according to standard EN ISO 13849-1
Please also refer to "Achievable safety depending on the modules used" on page A-30.
Check hardware and parameterization
Carry out a validation every time you make a safety-related modification to your overall
system.
Use your test report to ensure that:
– The safe devices are connected to the correct safe sensors and actuators
– The safe input and output devices have been parameterized correctly
– The safety functions have been wired correctly
1.4 Safety for starting applications
Consider your machine or system when determining the start conditions:
– Starting the machine or system may only take place when no persons are within the
danger zone.
– Comply with the requirements of EN ISO 13849-1 with respect to manual resetting
functions.
This applies to:
– Switching on of safe devices.
– Acknowledgment of device error messages.
– Acknowledgment of communication errors.
– Acknowledgment of block error messages in the application.
– Removing safeguards for safety functions.
Observe your safety logic during programming/configuring:
– The change from a safe state (replacement value = 0) to the operating state can cause
an edge change (zero-one-edge).
– Include measures in your safety logic that prevent this edge from unexpectedly
starting or restarting the machine/system.
1.5 Directives and standards
The manufacturers and operators of machines and systems, in which the IC220SDL953
module is used, are responsible for adhering to all applicable directives and legislation.
For the standards observed by the module, please refer to the certificate issued by the
approval body and the EC declaration of conformity. These documents are available on the
Internet at www.ge-ip.com.
1.6 Correct usage
Only use the VersaSafe system in accordance with the instructions in this section.
The IC220SDL953 safety module is designed exclusively for use in a VersaSafe system.
It can only perform its safety-related tasks within the system if it has been integrated into
the execution process correctly and in such a way as to avoid errors.
You must observe all information in this manual as well as in the documents listed in
"Documentation" on page 1-5. In particular, only use the module according to the technical
data and ambient conditions specified in Section 10, "Technical data and ordering data" on
page 10-1 and onwards.
Within a VersaSafe system, the safety module can be used to achieve safety functions with
the following requirements depending on the conditions of use:
– Up to SIL 3 according to standard EN 61508
– Up to SIL CL 3 according to standard EN 62061
– Up to Cat. 4/PL e according to standard EN ISO 13849-1
Please also refer to "Achievable safety depending on the modules used" on page A-30.
The safety module is designed for connecting single-channel or two-channel actuators,
which can be used in association with safety technology.
For example, the module can be used in the following applications:
– Safety circuits according to EN 60204 Part 1
– Safe shutdown of contactors, motors (24 V DC), valves, ohmic, inductive, and
capacitive loads
The module is not suitable for applications in which stop category 1 also has to be
observed in the event of an error (see also "Behavior of the outputs in the event of enabled
switch-off delay for stop category 1" on page 5-4).
1.7 Documentation
Latest documentation
Make sure you always use the latest documentation. Changes or additions to this
document can be found on the Internet at http://support.ge-ip.com.
VersaSafe system
When working on the VersaSafe system and its components, you must always keep this
user manual and other items of product documentation to hand and observe the
information therein.
User manuals:
– For the controller used
– For VersaSafe system I/O modules
– For VersaSafe system function blocks
Please also observe the relevant information about the bus system used.
VersaPoint product range
– GFK-2736: Automation terminals of the VersaPoint product range (configuration and installation)
– Documentation for the Network Interface Unit (NIU) used
1.8 Abbreviations used
Table 1-1 Abbreviations used
Abbreviation   Meaning                 Standard         Example
SIL            Safety integrity level  EN 61508         SIL 2, SIL 3
SIL CL         SIL claim limit         EN 62061         SIL CL 3
Cat.           Category                EN ISO 13849-1   Cat. 2, Cat. 4
PL             Performance level       EN ISO 13849-1   PL e, PL d
Table 1-2 Abbreviations used
Abbreviation   Meaning
PELV           Protective extra-low voltage
               A circuit in which the voltage does not exceed 30 V AC, 42.4 V peak
               value or 60 V DC under normal conditions or single-fault conditions,
               except in the event of grounding errors in other circuits.
               A PELV circuit is like a SELV circuit, but is connected to protective
               earth ground.
               (According to EN 61131-2)
EUC            Equipment under control
2 Product description
2.1 Note about the system description
The VersaSafe system is described in "Appendix: VersaSafe system" on page A-1.
In the description of the IC220SDL953 safety module, it is assumed that you are familiar
with the VersaSafe system. If this is not the case, please refer to "Appendix: VersaSafe
system" on page A-1 first for information about the system.
2.2 Brief description of the safety module
The IC220SDL953 module is designed for use within a VersaPoint station. The module
features integrated configurable safety logic and safe digital outputs.
The IC220SDL953 safety module can be used as part of a VersaPoint station at any point
within a VersaSafe system.
The transmission speed of the VersaPoint local bus can be set to 500 kbaud or 2 Mbaud
on the safety module using switches.
Use the same transmission speed throughout a VersaPoint station.
The module has a 10-pos. DIP switch, which is used to set the island number and
operating mode.
The module has four safe positive switching digital outputs for two-channel assignment or
eight safe positive switching digital outputs for single-channel assignment.
The outputs can be parameterized according to the application. The outputs enable
actuators to be integrated into the VersaSafe system.
Within a VersaSafe system, the IC220SDL953 safety module can be used to achieve
safety functions with the following requirements:
– Up to SIL 3 according to standard EN 61508
– Up to SIL CL 3 according to standard EN 62061
– Up to Cat. 4/PL e according to standard EN ISO 13849-1
Please also refer to "Achievable safety depending on the modules used" on page A-30.
2.3 Structure of the safety module

Figure 2-1 Structure of the safety module

1 Data jumpers (local bus)
2 Electronics base with labeling including version designation hardware/firmware/firmware (not shown)
3 Switch for setting the transmission speed and operating mode
4 Switch for setting the address
5 Potential jumper
6 Diagnostic and status indicators; for assignment and meaning see "Local diagnostic and status indicators" on page 2-6
7 VersaPoint connector; for assignment see "Terminal point assignment" on page 3-3
8 Terminal points
9 Labeling field
2.4 Housing dimensions

Figure 2-2 Housing dimensions (in mm); dimensions shown in the drawing: 119,8; 71,5; 48,8

2.5 Safe digital outputs
The safety module has safe positive switching digital outputs, which can be used as follows:
– For two-channel assignment: Four two-channel outputs
– For single-channel assignment: Eight single-channel outputs
Technical data
For the technical data for the safe outputs, please refer to page 10-4.
Parameterization
The individual safe digital outputs of a safety module can be parameterized differently. This
means that the outputs can be adapted to various operating conditions and different safety
integrity levels (SIL, SIL CL, Cat., PL) can be implemented.
In order to achieve a high level of error detection, the test pulses must be enabled. If this
is not possible for the connected loads, the test pulses can be disabled. However, in this
case error detection is reduced.
The safety integrity level (SIL, SIL CL, Cat., PL) and error detection that can be achieved
depend on the parameterization, the structure of the actuator, and the cable installation
(see "Connection examples for safe outputs" on page 6-1).
For information about parameterization, please refer to "Parameterization of the safe
outputs" on page 5-2.
Diagnostics
Diagnostics are provided via both the local diagnostic indicators and the diagnostic
messages, which are transmitted to the controller.
For information about the diagnostic messages of the outputs, please refer to "Safe digital
output errors" on page 8-4.
CAUTION: Diagnostic data is not safety-related
The diagnostic data is not safety-related. This data must not be used to execute safety-related functions or actions.
Requirements for controlled devices/actuators
The error detection of the module varies depending on the parameterization. This results
in specific requirements for the actuators.
– If the outputs are parameterized with test pulses, the output circuits are tested by test
pulses at regular intervals. These test pulses are visible at the output and can trigger
undesirable reactions with quick responding actuators.
WARNING: Unintentional machine startup
If the process does not tolerate this behavior, actuators with sufficient inertia must
be used.
In general, the load must not be so dynamic that it causes dangerous states within
1 ms.
Quick actuators, which offer a safety-related response to pulses in under 1 ms, may
not generally be used.
Switching off the test pulses affects the error detection of the module. Please observe
the achievable safety integrity level, which is specified in "Connection examples for
safe outputs" on page 6-1.
The failure detection time is 20 ms.
Please refer to "Single-channel assignment of safe outputs" on page 6-5 and "Two-channel assignment of safe outputs" on page 6-8 for additional information.
– Only use appropriately qualified actuators.
– Use reliable components. These include, for example:
  – Control contactors according to EN 60947-4-1
  – Power contactors
  – Relays with positively driven contacts according to DIN EN 50205
– Use relays or contactors with positively driven N/C contacts to safely monitor the state (pick-up, drop-out).
– Please observe any special environmental requirements in your application when selecting the controlled devices.
– Please note applicable C standards in your application (e.g., EN 1010), in which, for example, the number of controlled devices required to achieve a particular category is specified.
2.6 Connection options for actuators depending on the parameterization
Actuators that meet various safety requirements depending on the parameterization can
be connected to the outputs. For connection examples, please refer to Section 6,
"Connection examples for safe outputs".
The maximum achievable SIL/SIL CL/Cat./PL is specified in the table.
In order to achieve this:
– Observe the information in the connection examples (see Section 6, "Connection
examples for safe outputs")
– Observe the requirements of the standards with regard to the external wiring and the
actuators to be used to achieve a SIL/SIL CL/Cat./PL (see "Measures required to
achieve a specific safety integrity level" on page 6-3)
Output OUT0 to OUT3

"Output" parameterization          Single-channel               Two-channel
Test pulses                        Any                          ON/OFF*
Achievable category                SIL 2/SIL CL 2/Cat. 3/PL d   SIL 3/SIL CL 3/Cat. 4/PL e
For connection example, see page   6-5                          6-8

Key:
* If the test pulses are disabled, a cross circuit between the outputs is only detected if the output is enabled.
To achieve Cat. 3, two-channel actuators are usually used.
2.7 Local diagnostic and status indicators

Figure 2-3 Local diagnostic and status indicators of the IC220SDL953 module

Table 2-1 Local diagnostic and status indicators

D (green LED): Diagnostics
– OFF: Communications power is not present
– Flashing at 0.5 Hz: Communications power present, local bus not active
– Flashing at 4 Hz: Communications power present, error at the interface between previous and flashing terminal (the terminals after the flashing terminal cannot be addressed). (E.g., loose contact at the bus interface, terminal before the flashing terminal has failed, another terminal was snapped on during operation (not permitted))
  Observe the module startup time of approximately 16 s. During this time the D LED flashes at 4 Hz and the bus cannot be started up.
  Do not start to download the configuration and parameter data record until the firmware has started up (approx. 16 s; bit SA = 1 in Dev-Reg-LPSDO; see Appendix A 5.2 on page A-17).
– ON: Communications power present, local bus active

FS (red LED): Failure state
– Flashing at 1 Hz: Device not parameterized or parameterization was not accepted
– ON: Hardware fault
  The output drivers are reset, there is no communication to the satellites
  Or:
  Impermissible switch position
  The module will respond to certain impermissible switch positions by entering the failure state immediately after power up.

UM (green LED): Monitoring the supply voltage UM
– OFF: Communications power is not present
– Flashing at 1 Hz: UM below the permissible voltage range (undervoltage)
– ON: UM present

P (green LED): Status indicator for communication
– OFF: IC220SDL953 not parameterized
– Flashing at 0.5 Hz: IC220SDL953 is parameterized, but safe communication is not running to at least one satellite
– ON: Communication OK
  IC220SDL953 is parameterized and safe communication is running without any errors to all configured satellites.
  If no satellites have been configured: IC220SDL953 is parameterized.
  Corresponds to COK bit = 1 (see "Dev-Diag-LPSDO (LPSDO diagnostics)" on page A-18)

OUT 0.1 - 3.2 (green/red LED): Status of each output (see "Terminal point assignment" on page 3-3)
– Green: Output at logic 1
– OFF: Output at logic 0, no error
– Red ON: Short circuit/overload of an output
  (This diagnostic message is stored temporarily on the module. The message is stored in the volatile memory and will be lost after a voltage reset.)
In the event of an error (red LED ON), the output is switched off until the acknowledgment sent by the controller is received by the safety module (see also "Safe digital output errors" on page 8-4).
2.8 Safe state
The safe state for the module is the low state at the output terminals (see "Safe digital
outputs" on page 2-3).
The safe state can be entered in the following cases:
1. Operating state
2. Error detection in I/O devices
3. Device errors
4. Parameterization errors
2.8.1 Operating state
In the operating state, the outputs can enter states "1" or "0". In general, state "0" is the
safe state.
WARNING: Loss of the safety function possible due to undetected accumulation
of errors
Also evaluate the diagnostics of modules that are not used, but are connected to the
power supply, at regular intervals or disconnect these modules from the supply voltage.
2.8.2 Error detection in I/O devices
Outputs
If an error is detected at an output, the affected output is disabled ("0" = OFF = safe state).
Depending on the parameterization, the following errors can be detected at outputs:
– Short circuit
– Cross circuit
– Overload
The relevant diagnostic message is transmitted to the controller (see "Safe digital output
errors" on page 8-4). For information about which errors are detected and when, please
refer to "Connection examples for safe outputs" on page 6-1.
If an error occurs on a channel of an output parameterized as "two-channel", the other
corresponding channel also enters the safe state.
2.8.3 Device errors
Outputs
If a hardware fault in the internal circuit is detected at an output, all module outputs are
disabled ("0" = OFF = safe state).
The relevant diagnostic message is transmitted to the controller (see "Safe digital output
errors" on page 8-4).
Serious errors
All serious errors that can result in the loss of or adversely affect the safety function cause
the entire module to enter the safe state. The FS LED on the safety module is permanently
on.
The following errors result in the safe state:
– Serious hardware faults in the internal circuit
– User errors
– Module overload
– Module overheating
– Faulty supply voltage
– Impermissible switch position, DIP switches
The relevant diagnostic message is transmitted to the controller (see "Errors: Messages
and removal" on page 8-1).
WARNING: Loss of the safety function due to sequential errors
In the event of a device error, the following measures should be taken to prevent
sequential errors:
Disconnect the module from the power supply and replace it.
2.8.4 Parameterization errors
Parameterization errors are indicated:
– As long as the module is not parameterized
or
– In the event of faulty parameterization
Parameterization errors cause the entire module to enter the safe state. The FS LED on
the safety module flashes.
In the event of faulty parameterization, the relevant diagnostic message is transmitted to
the controller (see "Parameterization errors" on page 8-6).
Exception:
If an output is operated in stop category 1 and this output is within the switch-off delay
time, then another instance of faulty parameterization results in the entire module
switching to the safe state only once the switch-off delay time has elapsed.
2.9 Process data words
The module uses 8, 16, or 24 words in the VersaPoint system. How these words are
mapped is described in "Process image" on page A-13.
The input data only indicates the actual status of the outputs if no bus errors or device
errors are present. Even during the parameterized switch-off delay in stop category 1, the
status of the outputs on the module does not correspond to the status of the outputs on the
controller.
The parameterization of the outputs determines whether the input data is mapped in
single-channel or two-channel mode. The value for "parameterized output" for the outputs
is also set for the input data.
2.10 Programming data/configuration data

2.10.1 Local bus

Operating mode            VersaSafe 24 words     VersaSafe 16 words     VersaSafe multiplexer
ID code                   ABhex (171dec)         ABhex (171dec)         ABhex (171dec)
Length code               18hex (24dec)          10hex (16dec)          08hex (08dec)
Input address area        Application-specific   Application-specific   Application-specific
Output address area       Application-specific   Application-specific   Application-specific
Parameter channel (PCP)   0 words                0 words                0 words
Register length           24 words               16 words               8 words

2.10.2 Other bus systems or networks
The programming data/configuration data is defined in the device description (FDCML,
GSD, GSDML, etc.) according to the bus or network used.
3 VersaPoint potential and data routing, and VersaPoint connectors

3.1 VersaPoint potential and data routing
For operation, the safety module must be integrated in a VersaPoint station within the VersaSafe system.
The bus signals are transmitted via the VersaPoint data jumpers. The required supply voltages are transmitted via the VersaPoint potential jumpers.
For more detailed information about potential and data routing within a VersaPoint station, please refer to the GFK-2736 user manual.
The segment circuit is looped through the safety module and is available again after the
module. The segment circuit cannot be accessed in the safety module.
3.2 Supply voltage UL
Feed in the 24 V supply voltage UBK/U24V at a bus coupler or a suitable power terminal.
The 7.5 V voltage UL is generated from this 24 V supply voltage in the bus coupler or power
terminal. It is made available to the safety module via the VersaPoint potential jumper UL.
WARNING: Loss of the safety function when using unsuitable power supplies
For the voltage supply at the bus coupler or power terminal, please note:
Only power supplies according to EN 50178/VDE 0160 (PELV) may be used.
Please also observe the points in "Electrical safety" on page 1-2.
The supply voltage UL is used to supply the bus controller board and the communications
power. For technical data for the supply voltage UL, please refer to "Supply voltage UL
(logic)" on page 10-3.
The maximum current carrying capacity for the supply voltage UL is 2 A.
This current carrying capacity can be reduced if certain terminals are used. Please refer to
the information in the terminal-specific data sheets.
3.3 Supply voltage UM
Feed in the supply voltage at a bus coupler or a power terminal. It is made available to the
safety module via the VersaPoint potential jumper UM.
WARNING: Loss of the safety function when using unsuitable power supplies
For the voltage supply at the bus coupler or power terminal, please note:
Only power supplies according to EN 50178/VDE 0160 (PELV) may be used.
Please also observe the points in "Electrical safety" on page 1-2.
The supply voltage UM is used to supply the output circuits. For technical data for the supply voltage UM, please refer to "Supply voltage UM (actuators)" on page 10-3.
The maximum current carrying capacity for the main circuit UM is 8 A (total current with the
segment circuit that is not used in the safety terminal). This current carrying capacity can
be reduced if certain terminals are used. Please refer to the information in the terminal-specific data sheets.
If the limit value of the potential jumpers UM and US is reached (total current of US and UM),
a new power terminal must be used.
NOTE: Module damage due to polarity reversal
Polarity reversal places a burden on the electronics and, despite protection against
polarity reversal, can damage the module. Therefore, polarity reversal must be
prevented.
For the behavior of the safety module in the event of an error at the supply voltage, please
refer to "Supply voltage errors" on page 8-5.
Figure 3-1 Supply UM with connection to functional earth ground according to 60204-1
(Labels in the figure: 230 V; 24 V DC (PELV); external fuse, 8 A maximum; US for supply at a bus coupler or a power terminal (not required in the safety terminal); UM for supply at a bus coupler or a power terminal; 24 V GND for supply at a bus coupler or a power terminal)
WARNING: Loss of functional safety due to parasitic voltages
Feed in the supply voltages UM and US at a bus coupler and/or a power terminal from
the same power supply unit, so that the loads of IC220SDL953 are not affected by parasitic voltages in the event of an error.
NOTE: Damage to module electronics in the event of surge voltage
Do not use a DC distribution network.
DC distribution network according to IEC 61326-3-1:
A DC distribution network is a DC power supply network, which supplies a complete
industrial hall with DC voltage and to which any device can be connected. A typical system
or machine distribution is not a DC distribution network. For devices that are provided for
a typical system or machine distribution, the DC connections are viewed and tested as I/O
signals according to IEC 61326-3-1.
3.4 Terminal point assignment

Figure 3-2 Terminal point assignment
The VersaPoint connectors are supplied with the module. They are keyed and labeled
accordingly for connection to prevent polarity reversal. If other connectors are used
according to the ordering data, they must also be keyed.
Only use the connectors supplied with the module or connectors that are approved as
replacement items (see "Ordering data: Accessories" on page 10-7).
The following applies for the tables below:
– All outputs are safe digital outputs
– 0 V (GND): Common ground for outputs
– FE: Common functional earth ground
Table 3-1 Terminal point assignment for connector 1

Terminal point   Signal      Channel assignment        LED
1.1              OUT0_Ch1    Output 0, channel 1       0.1
2.1              OUT0_Ch2    Output 0, channel 2       0.2
1.2              Not used
2.2              Not used
1.3              0 V (GND)   Channel 1 and channel 2
2.3              0 V (GND)   Channel 1 and channel 2
1.4              FE
2.4              FE

Table 3-2 Terminal point assignment for connector 2

Terminal point   Signal      Channel assignment        LED
3.1              OUT1_Ch1    Output 1, channel 1       1.1
4.1              OUT1_Ch2    Output 1, channel 2       1.2
3.2              Not used
4.2              Not used
3.3              0 V (GND)   Channel 1 and channel 2
4.3              0 V (GND)   Channel 1 and channel 2
3.4              FE
4.4              FE

Table 3-3 Terminal point assignment for connector 3

Terminal point   Signal      Channel assignment        LED
5.1              OUT2_Ch1    Output 2, channel 1       2.1
6.1              OUT2_Ch2    Output 2, channel 2       2.2
5.2              Not used
6.2              Not used
5.3              0 V (GND)   Channel 1 and channel 2
6.3              0 V (GND)   Channel 1 and channel 2
5.4              FE
6.4              FE

Table 3-4 Terminal point assignment for connector 4

Terminal point   Signal      Channel assignment        LED
7.1              OUT3_Ch1    Output 3, channel 1       3.1
8.1              OUT3_Ch2    Output 3, channel 2       3.2
7.2              Not used
8.2              Not used
7.3              0 V (GND)   Channel 1 and channel 2
8.3              0 V (GND)   Channel 1 and channel 2
7.4              FE
8.4              FE
WARNING: Loss of functional safety due to parasitic voltages
Connect the ground of the actuator to the ground terminal point of the corresponding
output on the VersaPoint connector. An external ground may not be used.
4 Assembly, removal, and electrical installation

4.1 Assembly and removal

4.1.1 Unpacking the module
The module is supplied in an ESD box together with a package slip with installation
instructions. Please read the complete package slip carefully.
The module may only be installed and removed by qualified personnel.
NOTE: Electrostatic discharge
The safety module contains components that can be damaged or destroyed by
electrostatic discharge. When handling the safety module, observe the necessary safety
precautions against electrostatic discharge (ESD) according to EN 61340-5-1 and
EN 61340-5-2.
4.1.2 General
WARNING: Unintentional machine startup
Do not assemble or remove the module while the power is connected.
Before assembling or removing the module, disconnect the power to the module and the
entire VersaPoint station and ensure that it cannot be switched on again.
Make sure the entire station is reassembled before switching the power back on.
Observe the diagnostic indicators and any diagnostic messages.
The system may only be started provided neither the station nor the system poses a
hazard.
The IC220SDL953 safety terminal is designed for use within a VersaPoint station. Only use
the safety terminal in the 24 V DC area of a VersaPoint station.
To ensure reliable operation, install the safety terminal in housing protected from dust and
humidity (IP54 or higher). In order to prevent manipulation, secure the housing (control
cabinet/control box) against being opened by unauthorized persons.
Mount all VersaPoint terminals on 35 mm DIN rails.
Only connect the cables using the supplied VersaPoint connectors or VersaPoint
connectors listed in the ordering data.
4.1.3 Setting the DIP switches
Set the DIP switches accordingly for your application before assembling the module in
a VersaPoint station. The switches cannot be accessed when the safety terminal is installed in the VersaPoint station.
The module has a 2-pos. and a 10-pos. DIP switch.
The DIP switches are located on the left-hand side of the safety module.
Figure 4-1 DIP switches
A Switch for setting the transmission speed and the mode
B Switch for setting the operating mode and the address

2-pos. DIP switch:
The transmission speed and the mode are set via the 2-pos. DIP switch.

Left switch: Transmission speed
Set the transmission speed:
– 500 kbaud or
– 2 Mbaud
The transmission speed has been preset to 2 Mbaud.
Only use devices with a uniform transmission speed within a VersaPoint station (a local
bus). It is not possible to operate a mixture of devices with different transmission speeds.

Right switch: Mode
Select the VersaSafe mode:

Table 4-1 VersaSafe operating mode

Mode   Operating mode
1      VersaSafe 16 words
2      VersaSafe 24 words
As soon as more than three satellites are connected to one IC220SDL953, a data width
of 24 words is required. In this case, set Mode 2.
The Mode switch is not relevant in VersaSafe multiplexer mode.
10-pos. DIP switch: Address
The operating mode and the island number are set via the 10-pos. DIP switch.
NOTE: Malfunction in the event of incorrect addressing
Make sure that in an overall system comprising the VersaSafe system and any
higher-level PROFIsafe system, the addresses (address within the VersaSafe system and F-Address of the PROFIsafe system) are unique. Duplicate address assignment is not permitted.
Use switch 9 of the DIP switch to set the operating mode:
– 0 (off): VersaSafe 16 or 24 words or
– 1 (on): VersaSafe multiplexer.
In VersaSafe multiplexer mode, the data width is 8 words.
Set switch 8 and switches 2 to 0 of the DIP switch to 0 (off).
Use switches 7 to 3 to set the island number.
An "island" always comprises the IC220SDL953 and the satellites assigned to it.
The DIP switch is set to 3FFhex by default. This address is not valid for a VersaSafe
system; therefore, a valid address must be set.
Overview of the switch positions

Table 4-2 Switch position for VersaSafe 16 words

Mode switch: Mode 1
Address switch   9     8     7 to 3           2     1     0
Meaning                      Island number    Reserved
Setting          off   off   1dec to 31dec    off   off   off (0dec)

Table 4-3 Switch position for VersaSafe 24 words

Mode switch: Mode 2
Address switch   9     8     7 to 3           2     1     0
Meaning                      Island number    Reserved
Setting          off   off   1dec to 31dec    off   off   off (0dec)

Table 4-4 Switch position for VersaSafe multiplexer

Mode switch: Any
Address switch   9     8     7 to 3           2     1     0
Meaning                      Island number    Reserved
Setting          on    off   1dec to 31dec    off   off   off (0dec)
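The switch rules above, written as a commissioning check; this is an added example, not code from the manual or from GE tooling. It assumes that switch n of the 10-pos. DIP switch is bit n of the address value (consistent with the 3FFhex default), takes the length codes from section 2.10.1, and uses hypothetical function names and a constructed sample plan. The duplicate check covers island numbers only, not PROFIsafe F-Addresses.

```python
"""Commissioning check for the IC220SDL953 DIP switches (added example)."""
from collections import Counter
from dataclasses import dataclass

ID_CODE = 0xAB                               # local bus ID code, section 2.10.1
LENGTH_CODE = {24: 0x18, 16: 0x10, 8: 0x08}  # data width in words -> length code
FACTORY_DEFAULT = 0x3FF                      # all ten switches on; not a valid address

# Assumption: switch n of the 10-pos. DIP switch is bit n of the address value.
MULTIPLEXER_BIT = 1 << 9                     # switch 9: on = VersaSafe multiplexer
RESERVED_MASK = (1 << 8) | 0b111             # switch 8 and switches 2 to 0 must be off
ISLAND_SHIFT, ISLAND_MASK = 3, 0b11111       # switches 7 to 3 carry the island number


class SwitchError(ValueError):
    """Raised for a switch setting the manual describes as not permitted."""


@dataclass(frozen=True)
class SwitchSetting:
    operating_mode: str
    island: int
    data_width_words: int
    length_code: int


def decode_switches(address: int, mode: int, satellites: int = 0) -> SwitchSetting:
    """Decode and validate the 10-pos. address switch and the 2-pos. Mode switch.

    address    -- 10-bit value read off switches 9..0
    mode       -- position of the Mode switch, 1 or 2
    satellites -- number of satellites planned for this island
    """
    if not 0 <= address <= 0x3FF:
        raise SwitchError(f"address {address:#x} does not fit in 10 switches")
    if address == FACTORY_DEFAULT:
        raise SwitchError("switch still at factory default 3FFhex")
    if address & RESERVED_MASK:
        raise SwitchError("switch 8 and switches 2 to 0 must be off")
    island = (address >> ISLAND_SHIFT) & ISLAND_MASK
    if island == 0:
        raise SwitchError("island number must be 1 to 31")

    if address & MULTIPLEXER_BIT:
        # The Mode switch is not relevant in multiplexer mode; the width is fixed.
        name, width = "VersaSafe multiplexer", 8
    else:
        if mode not in (1, 2):
            raise SwitchError("Mode switch must be 1 or 2")
        width = 16 if mode == 1 else 24
        name = f"VersaSafe {width} words"
        if satellites > 3 and width != 24:
            raise SwitchError("more than three satellites require Mode 2 (24 words)")
    return SwitchSetting(name, island, width, LENGTH_CODE[width])


def duplicate_islands(settings):
    """Return island numbers used by more than one module (should be empty)."""
    counts = Counter(s.island for s in settings)
    return sorted(i for i, n in counts.items() if n > 1)


def audit(planned):
    """Check (label, address, mode, satellites) rows and return the findings."""
    findings, valid = [], []
    for label, address, mode, satellites in planned:
        try:
            valid.append(decode_switches(address, mode, satellites))
        except SwitchError as exc:
            findings.append(f"{label}: {exc}")
    for island in duplicate_islands(valid):
        findings.append(f"island {island} is assigned more than once")
    return findings


# Constructed sample plan, not taken from the manual.
SAMPLE_PLAN = [
    ("cabinet A", 0b00_00101_000, 1, 2),   # island 5, 16 words
    ("cabinet B", 0b00_00101_000, 2, 4),   # island 5 again, 24 words
    ("cabinet C", 0x3FF, 1, 0),            # never set after unpacking
    ("cabinet D", 0b10_11111_000, 1, 0),   # multiplexer, island 31
    ("cabinet E", 0b00_00011_000, 1, 5),   # five satellites but Mode 1
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PLAN):
        print(line)
```

The returned length code can be compared with the length code the bus configuration reports for the module, which catches a Mode switch that does not match the planned data width.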
4.1.4 Assembly and removal of the safety module
For general information about assembling and removing VersaPoint terminals, please
refer to the GFK-2736 user manual.

Assembly
– Set the DIP switches prior to assembly (see "Setting the DIP switches" on page 4-2). The DIP switches cannot be accessed when the safety module is installed in the VersaPoint station.
– Observe a mounting distance of 30 mm above and 40 mm below the safety module. Shorter distances may inhibit proper handling during installation.

– Snap on base
• Disconnect the power to the station.
• Before snapping on the safety module, remove the inserted connectors from the safety terminal and the adjacent connector from the neighboring VersaPoint terminal on the left. This prevents the potential routing knife contacts and the keyway/featherkey connections from being damaged.
• Hold the safety module perpendicular and snap it onto the DIN rail (7.5 mm in height).
• Ensure that all featherkeys and keyways on adjacent terminals are securely interlocked.

Figure 4-2 Snapping on the safety module base

– Insert connectors
• Check that all the snap-on mechanisms are securely snapped into place.
• Insert the connectors in the specified order (A, B).
Only use the connectors supplied with the module or connectors that are approved as
replacement items (see "Ordering data: Accessories" on page 10-7).

Figure 4-3 Inserting the connector

Removal
• Disconnect the power to the station.
• Remove the connectors from the safety module and the adjacent connector from the neighboring VersaPoint terminal on the left.

– Remove connectors
• Remove the connector by pressing the back shaft latching (A) and levering off the connector (B).

Figure 4-4 Removing the connector

– Remove base
• Release the base by pressing on the front and back snap-on mechanisms (A) and pull it out perpendicular to the DIN rail (B).

Figure 4-5 Removing the safety module base
4.2 Electrical installation
WARNING: Electric shock/unintentional machine startup
Prior to electrical installation, disconnect the power to the system and make sure that it
cannot be switched on again unintentionally.
Make sure installation has been completed before switching the power back on.
The system may only be started provided the system does not pose a hazard.
4.2.1 Electrical installation of the VersaPoint station
Electrical installation of the VersaPoint station includes the following:
– Connecting the bus system to the VersaPoint station
– Connecting the supply voltages for the VersaPoint station
Carry out electrical installation for the VersaPoint station according to the GFK-2736 user
manual or the VersaPoint system manual for your bus system. Please also observe the
specifications in the documentation for the bus coupler used.
4.2.2 Electrical installation of the safety module
During installation, always observe the instructions in "Electrical safety" on page 1-2.
Take measures to prevent the incorrect connection, polarity reversal, and manipulation
of connections.
The supply voltages are supplied at a bus coupler and/or a power terminal and are supplied
to the safety module via the potential jumpers. Therefore, the electrical installation of the
safety module only involves connecting the actuators.
The actuators are connected via VersaPoint connectors.
• Wire the connectors according to your application. For the terminal point assignment, please refer to "Terminal point assignment" on page 3-3.
For wiring, proceed as follows:
• Strip 8 mm off the cable.
VersaPoint wiring is normally done without ferrules. However, it is possible to use
ferrules. If using ferrules, make sure they are properly crimped.
• Push a screwdriver into the slot of the appropriate terminal point (Figure 4-6, detail 1), so that you can insert the wire into the spring opening.
GE Intelligent Platforms recommends the SZF 1 - 0.6X3.5 screwdriver.
• Insert the wire (Figure 4-6, detail 2). Remove the screwdriver from the opening. This clamps the wire.

Figure 4-6 Connecting unshielded cables

• Insert the assembled connectors in the corresponding module slot (see "Terminal point assignment" on page 3-3).
• Label all connections to prevent connections to the VersaPoint connectors being mixed up (see GFK-2736 user manual).
5 Parameterization of the safety module

5.1 Parameterization of the safety module in a VersaSafe system
For information about the configuration and parameterization of the VersaSafe system,
please refer to "Configuration and parameterization using the VersaConf Safety tool" on
page A-26.
Parameterization includes the following:
– Assignment of island numbers
– Parameterization of outputs
Configuration includes the following:
– Creation of the logic function with VersaConf Safety
Island number
The island number is a unique address of a VersaSafe island. Set the same island number
both in VersaConf Safety and on the module.
For additional information about the island number, please refer to
"Operating modes and setting the DIP switches in the VersaSafe system" on page A-10
and "VersaSafe address assignment" on page A-6.
Set this address via the DIP switches prior to assembling the safety module (see "Setting
the DIP switches" on page 4-2).
Parameterization and configuration of the module
Parameterization and configuration determine the behavior of the module and thus have a
considerable effect on the safety integrity level that can be achieved.
To parameterize and configure the module, the parameterization and configuration created
in the parameterization tool must be written from the controller to the module (e.g., with a
function block).
For information about downloading, please refer to "Downloading the configuration and
parameter data record following power up" on page A-27.
The supply voltage must be present and the local bus must be in the RUN state when
downloading.
The module cannot be operated if it is not parameterized.
In this case, the FS LED flashes.
The module is ready to operate if the parameters for all outputs are valid and transmitted
without errors. Valid output data is only written in this state. In any other state, every output
is set to the safe state.
If errors are detected during parameterization, the parameter data is not transmitted. The
FS LED on the module flashes to indicate that the parameterization is invalid. The error is
also indicated at the controller. In this case, check and correct the settings.
5.2 Parameterization of the safe outputs
The individual outputs of a safety module can be parameterized differently and thus
achieve different safety integrity levels (SIL, SIL CL, Cat., PL).
Two-channel
If the outputs are operated via two channels, the following fixed assignment applies:
– OUT0_Ch1 to OUT0_Ch2
– OUT1_Ch1 to OUT1_Ch2
– OUT2_Ch1 to OUT2_Ch2
– OUT3_Ch1 to OUT3_Ch2
Single-channel
If two-channel operation in the external wiring of the outputs is not required, the outputs
can be parameterized in such a way that they operate independently of one another
(single-channel).
Parameterization
All safe outputs must be parameterized individually. The parameterization options are
described in Table 5-1.
Table 5-1 Parameterization of outputs
Parameterization | Value range | Remark
OUT0 - OUT3
Assignment | Not assigned, Assigned | The outputs that are not assigned are disabled. However, the monitoring of these outputs remains active.
Output | Single-channel, Two-channel | In two-channel operation, the assignment of the outputs to one another is specified and cannot be parameterized.
Switch-off delay for stop category 1 | Disabled, Enabled | Disabled (default): No switch-off delay. Enabled: The outputs are switched off once the parameterized switch-off delay has elapsed. Please observe the notes below this table.
Switch-off delay for stop category 1 | 1 to 63 | Time conversion according to the parameterization of the "Value range of switch-off delay for stop category 1" parameter. Permissible value range: OUT0 to OUT3: 150 ms to 630 s. Accuracy: -5% of the parameterized value - 2 ms/+0 ms. Please observe the notes below this table.
Value range of switch-off delay for stop category 1 | Value x 10 in ms, Value x 100 in ms, Value in s, Value x 10 in s | Value range/unit for the parameterization of the "Switch-off delay for stop category 1" parameter. Please observe the notes below this table.
Test pulses (output disabled) (in software: test impulses (output switched off)) | Disabled, Enabled | Enabling and disabling of test pulses. For these test pulses, the output drivers that are disabled are temporarily enabled for test purposes. See note below this table.
Enable | Disabled, Enabled | Disabled (default value): The corresponding safe output is operated exclusively according to the safety logic. Enabled: Enable is active; the safe output data is output after being ANDed with the "Data_LPSDO" process data item (Data_LPSDO see Figure A-4 on page A-15). See also "Enable principle" on page A-22.
Test pulses
Note on test pulses
If the test pulses are disabled, cross circuits and short circuits cannot be detected.
Regardless of the parameterization selected under "Test impulses (output switched off)",
the outputs parameterized as "Not assigned" are tested by test pulses.
Please also refer to "Requirements for controlled devices/actuators" on page 2-4 and
"Connection examples for safe outputs" on page 6-1.
Switch-off delay for stop category 1
The switch-off delay for stop category 1 is calculated from the "Switch-off delay for stop
category 1" and "Value range of switch-off delay for stop category 1" parameters.
Switch-off delay for stop category 1 = "Switch-off delay for stop category 1" x "Value range of switch-off delay for stop category 1"
If the switch-off delay for stop category 1 is parameterized with a value less than 150 ms,
this value is rejected as a parameterization error (error code 028xhex).
Two-channel parameterization
Please note the following for two-channel parameterization:
Ensure that the values for the switch-off delay for stop category 1 are the same for both
channels. This means that the time must have the same value and the same value range.
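The rules above (value 1 to 63, four value ranges, 150 ms minimum, identical settings on both channels of a pair) can be checked offline before a download. The following is an added example, not code from GE Intelligent Platforms or VersaConf Safety; the Channel record and the function names are hypothetical, and the accuracy figure is read as (-5% - 2 ms) / +0 ms.

```python
from typing import NamedTuple

# Multipliers in milliseconds for the four "Value range" settings of Table 5-1.
VALUE_RANGE_MS = {
    "Value x 10 in ms": 10,
    "Value x 100 in ms": 100,
    "Value in s": 1_000,
    "Value x 10 in s": 10_000,
}
VALUE_MIN, VALUE_MAX = 1, 63   # permitted "Switch-off delay" values
MIN_DELAY_MS = 150             # shorter delays are rejected (error code 028x hex)


class Channel(NamedTuple):     # hypothetical record, not a VersaConf Safety type
    name: str
    delay_enabled: bool
    delay_value: int
    value_range: str


def switch_off_delay_ms(ch):
    """Return the effective switch-off delay in ms (0 when the delay is disabled)."""
    if not ch.delay_enabled:
        return 0
    if ch.value_range not in VALUE_RANGE_MS:
        raise ValueError(f"{ch.name}: unknown value range {ch.value_range!r}")
    if not VALUE_MIN <= ch.delay_value <= VALUE_MAX:
        raise ValueError(f"{ch.name}: value {ch.delay_value} is outside 1 to 63")
    delay = ch.delay_value * VALUE_RANGE_MS[ch.value_range]
    if delay < MIN_DELAY_MS:
        raise ValueError(f"{ch.name}: {delay} ms is below the 150 ms minimum")
    return delay


def tolerance_window_ms(delay_ms):
    """Earliest and latest switch-off time in ms for a parameterized delay.

    Assumption: "-5% of the parameterized value - 2 ms/+0 ms" means the output
    may switch off up to 5% plus 2 ms early, and never late.
    """
    return (delay_ms * 95 / 100 - 2, float(delay_ms))


def review(ch1, ch2=None):
    """Return a list of findings for one output; pass ch2 for two-channel use."""
    findings = []
    for ch in (ch1, ch2):
        if ch is None:
            continue
        try:
            switch_off_delay_ms(ch)
        except ValueError as exc:
            findings.append(str(exc))
    # Two-channel: time value AND value range must be identical, so 30 x 1 s
    # on one channel and 3 x 10 s on the other is flagged although both are 30 s.
    if ch2 is not None and (ch1.delay_enabled or ch2.delay_enabled):
        if ch1[1:] != ch2[1:]:
            findings.append(
                f"{ch1.name}/{ch2.name}: delay value and value range must match"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real project.
    a = Channel("OUT1_Ch1", True, 30, "Value in s")
    b = Channel("OUT1_Ch2", True, 3, "Value x 10 in s")
    print(switch_off_delay_ms(a), tolerance_window_ms(switch_off_delay_ms(a)))
    for finding in review(a, b):
        print("FINDING:", finding)
```

The guaranteed shutdown time of the application has to be assessed against the upper bound of the window, since the parameterized delay extends it.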
5.3 Behavior of the outputs in the event of enabled switch-off delay for stop category 1
Depending on the event that causes the outputs to be switched off, and on the parameterization
of the switch-off delay, the time until the outputs are actually switched off can vary.
Table 5-2 Switching off of the outputs according to the trigger event and the parameterization
Switching off of outputs | Influence of parameterized switch-off delay | Switching off of outputs
By the controller | Yes | Once the parameterized switch-off delay has elapsed
After a bus error | Yes | Once the parameterized switch-off delay has elapsed
After a short circuit, cross circuit, failure of the supply voltage, or hardware fault | No | Immediately (only stop category 0)
After time monitoring has been exceeded (watchdog time; FWD_Time) (e.g., in the event of faulty bus connection) | Yes | Once the parameterized switch-off delay has elapsed
WARNING: Delayed shutdown when using stop category 1
For stop category 1 please take into consideration the following:
– The guaranteed shutdown time tG is extended by the parameterized switch-off delay.
– In the event of an error (excluding bus errors) the affected outputs are switched off
immediately (without delay). In this case, only stop category 0 is supported.
For the switch-off operation, please take into consideration the following:
– The switch-off operation can be interrupted by switching the output on again.
– If the parameterization of the module is modified, the modified parameterization does
not take effect until all the outputs have been switched off.
If the parameterization is modified before the switch-off operation is complete,
diagnostic message 02F2hex is generated.
– Carry out a validation every time the parameterization is modified.
– Please note that when the parameterization is modified, this can result in delayed
startup due to the switch-off delay time.
6 Connection examples for safe outputs
6.1 Explanation of the examples
Depending on the type of wiring, the outputs of a module can achieve different safety
integrity levels (SIL, SIL CL, Cat., PL) at the same time (as long as the settings do not
contradict one another).
The following examples only describe the options for the electrical connection of controlled
devices/actuators to the safe outputs.
Should you have any questions regarding applications to be implemented, please contact
GE Intelligent Platforms.
The following are specified for each example:
– Basic specifications
The main data for the example is specified in the table.
– Device diagnostics and behavior of the module in the event of an error
Diagnostic capability depends on the parameterization.
If a message is transmitted to the controller in the event of an error, the message is
specified in the tables. For information about the relevant error code, possible
remedies, and information about whether acknowledgment is required, please refer to
"Errors: Messages and removal" on page 8-1.
– Typical parameterization
The table illustrates an example of all the parameters for the specified assignment.
Key for all tables in this section:
Table 6-1 "Device diagnostics and behavior of the module in the event of an error" tables
Representation | Meaning
SF | Safety function
OUTx | OUT1 or OUT2 LED; diagnostic message for each output
Table 6-2 Parameterization tables
Representation | Meaning
Bold | Mandatory setting
Normal | Typical setting, another setting is possible depending on the application
– | Not evaluated
Errors (cross circuits, short circuits), which can be prevented by correct installation (e.g.,
protected cable installation, isolated cable installation, double insulation, use of ferrules)
are not described in the following tables.
Therefore, for example, only errors between outputs, which are on the same connector, are
described. For example, in the event of correct installation, cross circuits with outputs of
other connectors cannot occur.
For all examples, please also observe the measures specified in the individual tables,
which must be taken to achieve the specified SIL/SIL CL/Cat./PL and all measures
according to standards EN 61508, EN 62061, EN 954-1, and EN ISO 13849-1 to
achieve the specified SIL/SIL CL/Cat./PL.
WARNING: Disregarding this warning may lead to the loss of the safety function
An external voltage may not be supplied in an output (e.g., via cross circuits). These
errors can adversely affect the operation of the module (or even destroy the module) and
thus result in the loss of the safety function. Therefore, these errors must be prevented.
Install the connecting cables for connecting the actuators so that they are protected
against cross circuits.
Please observe the load capacity of the outputs according to the technical data in "Safe
digital outputs" on page 2-3.
6.2 Notes on the protective circuit for external relays/contactors (free running circuit)
Figure 6-1 Example of the free running circuit for an external relay
– Limit the voltage induced on circuit interruption to < -15 V (e.g., with RC elements,
suppressor diodes or varistors).
– Please note that the free running circuit affects the fall time and the service life of the
contactor.
– Please observe the specifications of the relay manufacturer when sizing the relay
protective circuit.
6.3 Measures required to achieve a specific safety integrity level
The safety integrity level (SIL, SIL CL, performance level, and category) that can be
achieved is specified for each connection example.
Please also refer to "Achievable safety depending on the modules used" on page A-30.
SIL/SIL CL
Use the relevant standard to determine the probability of failure in your application
according to EN 61508 (SIL) and EN 62061 (SIL CL).
When the SIL/SIL CL is specified, the module takes up 1% of the specified SIL/SIL CL.
Table 6-3 PFD and PFH depending on the SIL/SIL CL
 | PFD | PFH
SIL 2/SIL CL 2 | 1% of 10^-2 | 1% of 10^-6
SIL 3/SIL CL 3 | 1% of 10^-3 | 1% of 10^-7
Performance level
Use standard EN ISO 13849-1 to determine the performance level in your application.
Category
In order to actually achieve the specified category, the required measures listed below
must be implemented.
Cat. 2
– Use proven and basic safety principles according to EN ISO 13849-2.
– Use appropriately qualified actuators (see "Requirements for controlled
devices/actuators" on page 2-4).
– Please note that mechanical failure of the switching device can result in the loss of the
safety function.
– Prevent the welding of contacts on the connected contactors or safety relays with
appropriate protection against overcurrent and surge voltage.
– Please note that a single error can result in the loss of the safety function between
tests.
– Ensure that the external wiring is tested by the machine control system on machine
startup and at suitable intervals. This test must detect the loss of the safety function.
– In the event of an error, either safe disconnection must be implemented or a warning
(optical and/or audible) must be generated depending on the application.
Cat. 3
– Use proven and basic safety principles according to EN ISO 13849-2.
– Use appropriately qualified actuators (see "Requirements for controlled
devices/actuators" on page 2-4).
– Please note that mechanical failure of the switching device can result in the loss of the
safety function.
– Prevent the welding of contacts on the connected contactors or safety relays with
appropriate protection against overcurrent and surge voltage.
– All errors that cannot be detected can result in the loss of the safety function. Take
appropriate measures to prevent such errors. Suitable measures include, for example,
protected cable installation or double insulation. Please note the information in the
following tables.
– Please take into consideration errors with a common cause.
– Ensure that a single error does not result in the loss of the safety function.
Cat. 4
– Use proven and basic safety principles according to EN ISO 13849-2.
– Use appropriately qualified actuators (see "Requirements for controlled
devices/actuators" on page 2-4).
– Please note that mechanical failure of the switching device can result in the loss of the
safety function.
– Prevent the welding of contacts on the connected contactors or safety relays with
appropriate protection against overcurrent and surge voltage.
– An accumulation of errors must not result in the loss of the safety function. Following
the third error, evaluation can be aborted if the probability of further errors occurring is
low.
– All errors that cannot be detected can result in the loss of the safety function. Take
appropriate measures to prevent such errors. Suitable measures include, for example,
protected cable installation or double insulation. Please note the information in the
following tables.
– Please take into consideration errors with a common cause.
6.4 Single-channel assignment of safe outputs
Figure 6-2 Single-channel assignment of outputs (labels in the diagram: OUT1_Ch1, K1, K1 (R), GND, K2, K2 (R), M)
– In order to achieve Cat. 3 or PL d with single-channel assignment of the outputs, a
two-channel actuator must be used. The two-channel operation of the actuator with
the corresponding connection is represented on a gray background.
– The failure detection time is 20 ms. This means that high pulses of this width can
occur in the event of an error.
If the application responds to these pulses, use the two-channel assignment of the
outputs.
K1 (R) and K2 (R) represent the positively driven N/C contacts for monitoring the state of
the relay (readback contacts). Connect these contacts via safe digital inputs. Evaluate the
readback and thus the state of the switching elements in the safety logic.
WARNING: Loss of safety function
Connect the actuator ground directly to terminal point GND of the safety module. An
external ground may not be used.
Basic specifications
Actuator | Single-channel | Two-channel
Achievable SIL/SIL CL/Cat./PL | SIL 2/SIL CL 2/Cat. 2/PL c | SIL 2/SIL CL 2/Cat. 3/PL d
WARNING: Loss of electrical and functional safety
– To achieve the specified safety integrity level, please refer to "Measures required to
achieve a specific safety integrity level" on page 6-3.
– Please note that in order to achieve the specified PL, the actuator must have a
medium level of diagnostic coverage (90% to 99%) and medium MTTFd. A high level
of diagnostic coverage (> 99%) is recommended for the application according to
PL d.
– To achieve Cat. 3 and PL d the test pulses must be enabled.
– Use actuators that can achieve the required safety integrity level.
– Evaluate the readback contacts to achieve the corresponding safety integrity level.
Enable the test pulses to improve device diagnostics.
If the test pulses for the actuator are faulty, they can be disabled. In this case, test the
switching capability of the outputs at regular intervals.
Device diagnostics and behavior of the module in the event of an error
Table 6-4 Single-channel: Test pulses enabled
Error type | Detection | Diagnostics | Loss of SF | Remark
Error in the actuator
Despite being disabled, the actuator does not switch to the safe state (e.g., a contact will not open) | No | None | Yes | Detect errors using external monitoring. Please take into consideration all the possible errors for the actuator used. Test the shutdown capability of the actuator at regular intervals. If necessary, use a two-channel actuator.
Actuator cannot be enabled (e.g., interrupt) | No | None | No | Detect errors using external monitoring. Please take into consideration all the possible errors for the actuator used. Ensure that this error does not result in delayed system startup.
Other errors (depending on the actuator) | | | | Please take into consideration all possible errors that can occur in the actuator.
Error in the wiring
Interrupt: Cable interrupt between output and actuator or between actuator and ground | No | None | No | Detect errors using external monitoring. Please take into consideration all the possible errors for the actuator used. Ensure that this error does not result in delayed system startup.
Cross circuit: Output to output | Yes | All LEDs OUT: Red ON | Yes | When the outputs are disabled, a cross circuit between the outputs is only detected if the test pulses are enabled. If an error is detected, the module disables all its outputs.
Short circuit: Output to ground or output to FE | Yes | Short circuit or overload, OUTx | No | The error is detected in the ON state. The output is disabled (safe state). The module cannot be switched on again with an edge from "0" to "1" until the error has been removed and acknowledged.
WARNING: Unexpected machine startup
An operator acknowledgment leads to a positive
edge and can thus result in the outputs being reenabled.
Typical parameterization
Parameterization | Parameterized as | Remark
Assignment | Assigned |
Output | Single-channel |
Switch-off delay for stop category 1 | Enabled | Or disabled
Switch-off delay for stop category 1 | 30 | Application-specific
Value range of switch-off delay for stop category 1 | Value in s | Application-specific
Test pulses (output disabled) (in software: test impulses (output switched off)) | Enabled | Or disabled
According to the "Value range of switch-off delay for stop category 1" and "Switch-off delay
for stop category 1" parameters, in this example, the switch-off delay is 30 * 1 s = 30 s.
6.5 Two-channel assignment of safe outputs
For two-channel assignment of the safe outputs, two adjacent outputs are always used.
This assignment is fixed and cannot be parameterized (see "Two-channel" on page 5-2).
Figure 6-3 Two-channel assignment of outputs (labels in the diagram: OUT1_Ch1, K1, K1 (R), GND, OUT1_Ch2, K2, K2 (R), GND, M)
K1 (R) and K2 (R) represent the positively driven N/C contacts for monitoring the state of
the relay (readback contacts). Connect these contacts via safe digital inputs. Evaluate the
readback and thus the state of the switching elements in your safety logic.
WARNING: Loss of safety function
– Connect the actuator ground directly to terminal point GND of the safety module. An
external ground may not be used.
– The failure detection time is 20 ms. This means that high pulses of this width can
occur at the faulty output (channel) in the event of an error. The two-channel
assignment means that this does not result in a hazardous state.
Basic specifications
Actuator | Two-channel
Achievable SIL/SIL CL/Cat./PL | SIL 3/SIL CL 3/Cat. 4/PL e
WARNING: Loss of electrical and functional safety
– To achieve the specified safety integrity level, please refer to "Measures required to
achieve a specific safety integrity level" on page 6-3.
– Please note that in order to achieve the specified PL, the actuator must have a
medium level of diagnostic coverage (90% to 99%) and medium MTTFd. A high level
of diagnostic coverage (> 99%) is recommended for the application according to
PL d.
– Use actuators that can achieve the required safety integrity level.
– Evaluate the readback contacts to achieve Cat. 3 or Cat. 4.
– If the test pulses are disabled:
Test the outputs and external wiring by enabling the outputs at regular intervals. The
time between two tests must not exceed eight hours.
Enable the test pulses to improve device diagnostics.
If the test pulses for the actuator are faulty, they can be disabled. In this case, test the
switching capability of the outputs at regular intervals.
Device diagnostics and behavior of the module in the event of an error
Table 6-5 Two-channel
Error type | Detection | Diagnostics | Loss of SF | Remark
Error in the actuator
Despite being disabled, a switching element of the two-channel actuator does not switch to the safe state (e.g., a contact will not open) | No | None | No | No loss of the safety function as the second switching element of the two-channel actuator can be disabled. Detect errors using external monitoring. Implement a restart inhibit in the event of this error. Please take into consideration all the possible errors for the actuator used. Test the shutdown capability of the actuator at regular intervals.
Actuator cannot be enabled (e.g., interrupt) | No | None | No | Detect errors using external monitoring. Please take into consideration all the possible errors for the actuator used. Ensure that this error does not result in delayed system startup.
Other errors (depending on the actuator) | | | | Please take into consideration all possible errors that can occur in the actuator.
Error in the wiring
Interrupt: Cable interrupt between output and actuator or between actuator and ground | No | None | No | Detect errors using external monitoring. Please take into consideration all the possible errors for the actuator used. Ensure that this error does not result in delayed system startup.
Cross circuit: Output to output | Yes (conditional) | All LEDs OUT: Red ON | No | When the outputs are disabled, a cross circuit between the outputs is only detected if the test pulses are enabled. If an error is detected, the module disables all its outputs. If the test pulses have been disabled, test the circuit and the external wiring at regular intervals by enabling the outputs.
Short circuit: Output to ground or output to FE | Yes | Short circuit or overload, OUTx | No | The error is detected in the ON state. The output is disabled (safe state). The module cannot be switched on again with an edge from "0" to "1" until the error has been removed and acknowledged.
WARNING: Unexpected machine startup
An operator acknowledgment leads to a positive
edge and can thus result in the outputs being reenabled.
Typical parameterization
Parameterization | Parameterized as: Channel 1 | Parameterized as: Channel 2 | Remark
Assignment | Assigned | Assigned |
Output | Two-channel | Two-channel |
Switch-off delay for stop category 1 | Enabled | Enabled | Or disabled
Switch-off delay for stop category 1 | 30 | 30 | Application-specific
Value range of switch-off delay for stop category 1 | Value in s | Value in s | Application-specific
Test pulses (output disabled) (in software: test impulses (output switched off)) | Enabled | Enabled |
According to the "Value range of switch-off delay for stop category 1" and "Switch-off delay
for stop category 1" parameters, in this example, the switch-off delay is 30 * 1 s = 30 s.
7 Startup and validation
7.1 Initial startup
Parameterization and configuration must already have been carried out before commencing startup.
Table 7-1 Steps for parameterization and configuration (via VersaConf Safety)
Step | Relevant section and literature
Carry out the necessary parameterization. | "Parameterization of the safety module" on page 5-1
Make the necessary parameterization settings for the island satellites. | User manuals for the modules used
Configure the safety function. | Online help in VersaConf Safety
To start up, proceed as described in Table 7-2.
Table 7-2 Steps for startup
Step | Relevant section and literature
Set the transmission speed and the operating mode. | "Setting the DIP switches" on page 4-2
Set the address. | "Setting the DIP switches" on page 4-2
Install the safety module within the VersaPoint station. | "Assembly, removal, and electrical installation" on page 4-1
Connect the bus system and supply voltage cables to the VersaPoint station. | GFK-2736 user manual or documentation for the bus coupler
Wire the outputs according to your application. | "Assembly, removal, and electrical installation" on page 4-1; "VersaPoint potential and data routing" on page 3-1; User manuals for the function blocks used
Before applying the operating voltage: – Ensure that there are no wiring errors (e.g., cross circuit or short circuit) or grounding errors by testing with a multimeter. – Check whether the ground connection is safe. |
Connect the required voltages to the VersaPoint station. | GFK-2736 user manual or documentation for the bus coupler, the VersaPoint Controller, or the power terminal
Once the operating voltage has been applied: – If possible, measure the wave form of the voltages to ensure that there are no deviations. – Measure the output voltages on the module, as well as the supply voltages, which supply the connected loads (e.g., motor) to ensure that they are in the permissible range. – Use the LEDs on the devices to check that the module starts up without any errors (there must be no red LEDs permanently on; the FS LED flashes because the device is not parameterized). |
Check the assembly and installation. | Checklist "Assembly, removal, and electrical installation" on page 4-1
Implement data flow between the standard controller and the safety modules and between the safety modules themselves. | "Implementation of data flow between the standard controller and the safety modules" on page A-22
Download the parameterization and configuration data from the standard controller to the safety modules. | "Downloading the configuration and parameter data record following power up" on page A-27
Perform a function test and validation. Check whether the safety function responds as planned during configuration and parameterization. | Checklist "Validation" on page B-11
When connecting the supply voltages, use the diagnostic and status indicators to check
whether the module has started up correctly or whether any errors are indicated. For
instructions on how to proceed in the event of an error, please refer to "Errors: Messages
and removal" on page 8-1.
7.2 Restart after replacing a safety module
7.2.1 Replacing a safety module
WARNING: Unintentional machine startup
Do not assemble or remove the module while the power is connected.
Before assembling or removing the module, disconnect the power to the module and the
entire VersaPoint station and ensure that it cannot be switched on again.
Make sure the entire station is reassembled before switching the power back on.
Observe the diagnostic indicators and any diagnostic messages.
The system may only be started provided neither the station nor the system poses a
hazard.
If replacing a module, proceed as described for assembly and removal (see "Assembly,
removal, and electrical installation" on page 4-1).
Ensure that the new safety module is mounted at the correct position in the local bus. The
new module must meet the following requirements:
– Same device type
– Same or later version
Carry out a validation and perform a function test after replacing the module.
7.2.2 Restart
Once the safety module has been replaced, proceed as described for initial startup
(see "Initial startup" on page 7-1).
Plug the VersaPoint connectors into the correct connections.
Carry out a validation and perform a function test after replacing the module.
7.3 Validation
Carry out a safety validation every time you make a safety-related modification to the
VersaSafe system.
When validating your EUC, check the assignment of the individual actuator connections.
Determine whether:
– The correct safe actuators are connected to the safety module
– The safety module has been parameterized correctly
– The signals used in your safety logic have been linked to the safe actuators correctly
Perform a function test and error simulation.
Please follow the checklist "Validation" on page B-11 during validation.
8 Errors: Messages and removal
Depending on the error type, errors that are diagnosed are displayed via the local
diagnostic indicators and/or transmitted to the controller as diagnostic messages.
The tables below provide an overview of the diagnosed errors, their causes, effects, and
possible measures for error removal.
In this manual, diagnostic codes are sorted in ascending order by error type. The following
errors are possible:
Table 8-1 Overview of diagnostic codes
Diagnostic code | Error type | See
X010 ... X0AA | Safe digital output errors | Section 8.1 on page 8-4
X1F0 | Supply voltage errors | Section 8.2 on page 8-5
X1F2 | General errors | Section 8.3 on page 8-5
X230 ... X2F2 | Parameterization errors | Section 8.4 on page 8-6
X3FC ... X7C4 | Connection errors to satellites | Section 8.5 on page 8-7
For every error that occurs, the cause of the error must first be removed. If necessary, the
error is then acknowledged. Errors that must be acknowledged are indicated in the
"Acknowledgment" column in the tables below.
If diagnostic codes are indicated by the system, which do not appear in the tables below,
please contact GE Intelligent Platforms.
Error removal
To remove the cause of an error, please proceed as described in the "Remedy" column in
the tables below.
Error acknowledgment
Instructions on how to acknowledge an error can be found in "Acknowledging an error" on
page 8-8.
WARNING: Unexpected machine startup
An operator acknowledgment leads to a positive edge and can thus result in the outputs
being re-enabled.
Notes on the tables below
Diagnostic code
The diagnostic register of the module includes both status bits and the diagnostic code
(see "Dev-Diag-LPSDO (LPSDO diagnostics)" on page A-18). This diagnostic code, which
is shown in bits 10 to 0 of the register, is listed in the tables below (starting from Table 8-4).
However, it is the code of the entire diagnostic register that is indicated. To obtain the
diagnostic code specified in the documentation, logically AND the indicated code of the
diagnostic register with 07FFhex.
Example: ANDing the diagnostic code
Diagnostic code indicated: 2290hex
Table 8-2 Relationship between the diagnostic code indicated and the diagnostic code specified in the documentation
Bit | 15 | 14 | 13 | 12 | 11 | 10 ... 0
Assignment of the diagnostic register (see page A-18) | COK | SA | E | PUR | OAR | Diagnostic code
Diagnostic code indicated | hex | 2 | 2 | 9 | 0
Diagnostic code indicated | bin | 0010 | 0010 | 1001 | 0000
Mask (07FFhex) | bin | 0000 | 0111 | 1111 | 1111
Diagnostic code in the documentation | bin | 0000 | 0010 | 1001 | 0000
Diagnostic code in the documentation | hex | 0 -> X (not relevant) | 2 | 9 | 0
Diagnostic code specified in the documentation: X290hex (see Table 8-8 on page 8-6).
As the first digit is never relevant, the code always starts with an X.
If the same error can occur at different outputs/channels, a generalizing diagnostic code is
indicated with an n where the error location is specified.
Generalizing diagnostic code specified in the documentation: X03nhex
For some errors a single channel is specified as the error location (e.g., OUT0_Ch1).
Some errors only occur for outputs parameterized for two-channel operation. Here, the
channel pair is specified as the error location (e.g., OUT0_Ch1&2).
Example: Channels in the diagnostic code

Safe output errors (Table 8-4)
Error cause: Short circuit or overload
Diagnostic code (hex): 003n
  X030: OUT0_Ch1
  X031: OUT1_Ch1
  X032: OUT2_Ch1
  X033: OUT3_Ch1
  X037: OUT0_Ch2
  X038: OUT1_Ch2
  X039: OUT2_Ch2
  X03A: OUT3_Ch2

In 003n, "003" stands for "Short circuit or overload" and "n" for the error location.

This means, for example:
  X032  Cross circuit at OUT2_Ch1 (output 2 channel 1)
  X03A  Cross circuit at OUT3_Ch2 (output 3 channel 2)
Example: ANDing the diagnostic code
Diagnostic code indicated: 0D03hex

Table 8-3  Relationship between the diagnostic code indicated and the diagnostic code specified in the documentation

Assignment of the diagnostic register (see page A-18):
  Bit 15: COK, bit 14: SA, bit 13: E, bit 12: PUR, bit 11: OAR, bits 10 ... 0: diagnostic code

                                         Bits 15-12   Bits 11-8   Bits 7-4   Bits 3-0
Diagnostic code indicated          hex   0            D           0          3
                                   bin   0000         1101        0000       0011
Mask (07FFhex)                     bin   0000         0111        1111       1111
Diagnostic code in the             bin   0000         0101        0000       0011
documentation                      hex   0 -> X       5           0          3
                                         (not relevant)
Diagnostic code specified in the documentation: X503hex (see Table 8-9 on page 8-7).
LED
The "LED" column specifies which local diagnostic LEDs indicate the error.
Acknowledgment
To remove the error, evaluate the PUR and OAR bits in the diagnostic register of the
IC220SDL953 (see "Dev-Ack-x (device acknowledgment)" on page A-17). These specify
whether a power up is expected or whether an acknowledgment is required.
Errors that must be acknowledged are indicated with "Yes" in the "Acknowledgment"
column. Special conditions for re-enabling an output or the module are specified in
brackets [e.g., Yes (1)] in the "Acknowledgment" column and explained below the relevant
table.
For information about acknowledging satellite errors, see "Acknowledgment of error
messages for satellites" on page A-25.
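Added example (not part of the GE manual): a Python decoder that applies the 07FFhex mask and the status-bit layout from Tables 8-2 and 8-3 to a raw register value, then looks the result up in code tables transcribed from Tables 8-4 to 8-10 of this chapter. The function and dictionary names are illustrative assumptions, and the result strings are shortened paraphrases of the table entries.

```python
# Added example: decode the 16-bit diagnostic register of the IC220SDL953.
# Names are illustrative; codes are transcribed from Tables 8-4 to 8-10.

STATUS_BITS = {"COK": 15, "SA": 14, "E": 13, "PUR": 12, "OAR": 11}
CODE_MASK = 0x07FF  # bits 10..0 hold the diagnostic code

# Code families whose last hex digit n is the error location.
# Value: (error cause, True when n names a two-channel pair OUTn_Ch1&2).
CHANNEL_FAMILIES = {
    0x01: ("Hardware fault: output cannot be disabled", False),
    0x03: ("Short circuit or overload", False),
    0x05: ("Error at the output or short circuit during the test", False),
    0x06: ("Error at the output during the test", False),
    0x0A: ("Cross circuit at the indicated output", False),
    0x23: ("Parameterization does not match the two-channel setting", True),
    0x28: ("Switch-off delay time outside the permissible range", False),
    0x29: ("Two-channel outputs: switch-off delay settings differ", True),
    0x2B: ("Two-channel outputs: enable settings differ", True),
}

# Codes without a location digit.
FIXED_CODES = {
    0x091: "Hardware fault detected by internal tests",
    0x1F0: "Undervoltage UM",
    0x1F2: "Device temperature at critical value",
    0x2F2: "Output with switch-off delay is still switching off",
    0x3FC: "Wrong island number",
    0x7C2: "Incorrect F_Source_Address (software and device do not match)",
    0x7C3: "Incorrect operating mode",
    0x7C4: "Incorrect F_Source_Address (outside permissible range)",
}


def error_location(n, pair):
    """Map the location digit n to an output/channel name, or None."""
    if n <= 3:
        return f"OUT{n}_Ch1&2" if pair else f"OUT{n}_Ch1"
    if 7 <= n <= 0xA and not pair:
        return f"OUT{n - 7}_Ch2"
    return None  # digit not listed in the tables


def decode(register):
    """Split a raw register value into status bits and the documented code."""
    if not 0 <= register <= 0xFFFF:
        raise ValueError("diagnostic register is 16 bits wide")
    code = register & CODE_MASK
    status = {name: bool((register >> bit) & 1)
              for name, bit in STATUS_BITS.items()}
    result = {"doc_code": f"X{code:03X}", "status": status,
              "cause": None, "location": None, "satellites": []}
    family, n = code >> 4, code & 0xF
    if code in FIXED_CODES:
        result["cause"] = FIXED_CODES[code]
    elif 0x501 <= code <= 0x51F:
        # Table 8-10: bit k of the code marks satellite k+1. X510 is not
        # listed on the page; applying the bit rule to it is an assumption.
        result["cause"] = "Communication connection faulty"
        result["satellites"] = [k + 1 for k in range(5) if (code >> k) & 1]
    elif family in CHANNEL_FAMILIES:
        cause, pair = CHANNEL_FAMILIES[family]
        where = error_location(n, pair)
        if where is not None:
            result["cause"], result["location"] = cause, where
    # PUR and OAR state what the module expects before it can be re-enabled.
    if status["PUR"]:
        result["next_step"] = "power up expected"
    elif status["OAR"]:
        result["next_step"] = "acknowledgment required"
    else:
        result["next_step"] = None
    return result


if __name__ == "__main__":
    # 2290hex and 0D03hex are the manual's two worked values.
    for raw in (0x2290, 0x0D03, 0x003A):
        print(f"{raw:04X}hex ->", decode(raw))
```

A code that is not in the transcribed tables comes back with "cause" set to None, so an unknown value is reported as unknown instead of being matched to the nearest family.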
8.1 Safe digital output errors

Table 8-4  Safe output errors

Error cause: Hardware fault
  Diagnostic code (hex): X01n
    X010: OUT0_Ch1, X011: OUT1_Ch1, X012: OUT2_Ch1, X013: OUT3_Ch1,
    X017: OUT0_Ch2, X018: OUT1_Ch2, X019: OUT2_Ch2, X01A: OUT3_Ch2
  LED: All OUT: Red ON
  Remark: The indicated output cannot be disabled
  Effect: All module outputs are in the safe state
  Remedy: Power up with error-free selftest; replacement
  Acknowledgment: Yes (1)

Error cause: Short circuit or overload
  Diagnostic code (hex): X03n
    X030: OUT0_Ch1, X031: OUT1_Ch1, X032: OUT2_Ch1, X033: OUT3_Ch1,
    X037: OUT0_Ch2, X038: OUT1_Ch2, X039: OUT2_Ch2, X03A: OUT3_Ch2
  LED: OUTy: Red ON
  Effect: Affected output is in the safe state
  Remedy: Check actuator; check connector and cabling; check free running circuit at the contactor
  Acknowledgment: Yes (2)

Error cause: Error at the output or short circuit during the test
  Diagnostic code (hex): X05n
    X050: OUT0_Ch1, X051: OUT1_Ch1, X052: OUT2_Ch1, X053: OUT3_Ch1,
    X057: OUT0_Ch2, X058: OUT1_Ch2, X059: OUT2_Ch2, X05A: OUT3_Ch2
  LED: All OUT: Red ON
  Remark: Pulse test (brief activation) at the output failed
  Effect: All module outputs are in the safe state
  Remedy: Power up with error-free selftest; replacement
  Acknowledgment: Yes (1)

Error cause: Error at the output during the test
  Diagnostic code (hex): X06n
    X060: OUT0_Ch1, X061: OUT1_Ch1, X062: OUT2_Ch1, X063: OUT3_Ch1,
    X067: OUT0_Ch2, X068: OUT1_Ch2, X069: OUT2_Ch2, X06A: OUT3_Ch2
  LED: All OUT: Red ON
  Remark: Pulse test (brief deactivation) at the output failed
  Effect: All module outputs are in the safe state
  Remedy: Power up with error-free selftest; replacement
  Acknowledgment: Yes (1)

Error cause: Hardware fault
  Diagnostic code (hex): X091
  LED: All OUT: Red ON
  Remark: Detected by internal tests.
  Effect: All module outputs are in the safe state
  Remedy: Power up with error-free selftest; replacement
  Acknowledgment: Yes (1)

Error cause: Cross circuit at the indicated output
  Diagnostic code (hex): X0An
    X0A0: OUT0_Ch1, X0A1: OUT1_Ch1, X0A2: OUT2_Ch1, X0A3: OUT3_Ch1,
    X0A7: OUT0_Ch2, X0A8: OUT1_Ch2, X0A9: OUT2_Ch2, X0AA: OUT3_Ch2
  LED: All OUT: Red ON
  Remark: Cross circuit with another output or with an external signal
  Effect: All module outputs are in the safe state
  Remedy: Remove error; power up with error-free selftest
  Acknowledgment: Yes (1)

Acknowledge all errors that are present. Only then can the outputs be re-enabled.

Acknowledgment: Yes (1)
Acknowledging the diagnostic message deletes the message. The module can only be
restarted following power up and error-free selftest.

Acknowledgment: Yes (2)
Acknowledging the diagnostic message deletes the message and enables a restart.
Following successful acknowledgment, the module also expects a positive edge from the
application for the output.
WARNING: Unexpected machine startup
An operator acknowledgment leads to a positive edge and can thus result in the outputs
being re-enabled.
8.2 Supply voltage errors

Table 8-5  Supply voltage UM errors

Error cause: Undervoltage UM
  Diagnostic code (hex): X1F0
  LED: UM flashing
  Remark: UM below the permissible voltage range
  Effect: All module outputs are in the safe state
  Remedy: Check supply voltage level and correct; check supply line length and load
  Acknowledgment: Yes (1)

Acknowledgment: Yes (1)
Acknowledging the diagnostic message deletes the message and activates the outputs.

Undervoltage at UM:
Supply voltage UM is measured. If UM < 17 V, a diagnostic message is generated.
8.3 General errors

Table 8-6  General errors
Columns: Error cause, Diagnostic code (hex), LED, Remark, Effect, Remedy, Acknowledgment

Device temperature at critical value, X1F2:
Immediate shutdown. Further temperature increase causes the module to switch to the safe state.
Check and adapt:
– Ambient conditions
– Derating
– Output loads
– Switching frequency

Hardware fault, FS ON:
Error in the logic area
Module is in the safe state
Replacement

Impermissible DIP switch position
Module is in the safe state
Check and correct switch position

Acknowledgment column: Yes (1)
Acknowledgment: Yes (1)
Acknowledging the diagnostic message deletes the message.
Acknowledgment: Yes (2)
Acknowledging the diagnostic message deletes the message and enables the outputs.
8.4 Parameterization errors

Table 8-7  Parameterization errors

Error cause: Incorrect parameterization
  Diagnostic code (hex): See Table 8-8
  LED: FS (flashing)
  Remark: Each output is parameterized individually
  Effect: Module is in the safe state
  Remedy: Check and correct parameterization.
  Acknowledgment: –

In order to determine what type of parameterization error has occurred, use the
corresponding software to access the controller online and read the error (see "Description
of the registers" on page A-17).
Proceed as follows, e.g., in the VersaSafe system:
• The diagnostic LEDs indicate that an error has occurred.
• Go online to the higher-level standard controller.
  For each module of the VersaSafe island, a diagnostic register is mapped to the
  process image of the IC220SDL953 (see "Description of the registers" on page A-17).
  From this, determine the module of the safety island in which an error has occurred.
• Evaluate the specified diagnostic code.
Table 8-8  Parameterization errors

Diagnostic code (hex): X23n
  X230: OUT0_Ch1&2, X231: OUT1_Ch1&2, X232: OUT2_Ch1&2, X233: OUT3_Ch1&2
Diagnostic code (dec):
  560: OUT0_Ch1&2, 561: OUT1_Ch1&2, 562: OUT2_Ch1&2, 563: OUT3_Ch1&2
Short description: The parameterization of two related outputs does not correspond to the
  two-channel setting.
Remedy: Correct value and resend parameter data to the module.

Diagnostic code (hex): X28n
  X280: OUT0_Ch1, X281: OUT1_Ch1, X282: OUT2_Ch1, X283: OUT3_Ch1,
  X287: OUT0_Ch2, X288: OUT1_Ch2, X289: OUT2_Ch2, X28A: OUT3_Ch2
Diagnostic code (dec):
  640: OUT0_Ch1, 641: OUT1_Ch1, 642: OUT2_Ch1, 643: OUT3_Ch1,
  647: OUT0_Ch2, 648: OUT1_Ch2, 649: OUT2_Ch2, 650: OUT3_Ch2
Short description: The parameterized switch-off delay time for the output is outside the
  permissible value range.
Remedy: Correct value and resend parameter data to the module.

Diagnostic code (hex): X29n
  X290: OUT0_Ch1&2, X291: OUT1_Ch1&2, X292: OUT2_Ch1&2, X293: OUT3_Ch1&2
Diagnostic code (dec):
  656: OUT0_Ch1&2, 657: OUT1_Ch1&2, 658: OUT2_Ch1&2, 659: OUT3_Ch1&2
Short description: For outputs parameterized for two-channel operation, the same settings
  were not assigned for the switch-off delay.
Remedy: Correct setting and resend parameter data to the module.

Diagnostic code (hex): X2Bn
  X2B0: OUT0_Ch1&2, X2B1: OUT1_Ch1&2, X2B2: OUT2_Ch1&2, X2B3: OUT3_Ch1&2
Diagnostic code (dec):
  688: OUT0_Ch1&2, 689: OUT1_Ch1&2, 690: OUT2_Ch1&2, 691: OUT3_Ch1&2
Short description: For outputs parameterized for two-channel operation, the same settings
  were not assigned for enabling.
Remedy: Correct setting and resend parameter data to the module.

Diagnostic code (hex): X2F2
Diagnostic code (dec): 754
Short description: At least one output with parameterized switch-off delay is still
  performing a switch-off operation.
Remedy: Wait until the switch-off operation is complete and resend parameter data
  to the module.
8.5 Connection errors to satellites

Table 8-9  Connection errors to satellites

Error cause: Wrong island number
  Diagnostic code (hex): X3FC
  Short description: Island number at IC220SDL953 not set correctly
  Remedy: Check switch position and value in software and adapt accordingly.
  Acknowledgment: Reload project.

Error cause: Communication connection faulty
  Diagnostic code (hex): X5nn
  Short description: One or more safe communication connections are faulty, see Table 8-10.
  Remedy: Check and adapt data status and copy routines.

Error cause: Incorrect F_Source_Address
  Diagnostic code (hex): X7C2
  Short description: IC220SDL953 address settings in the software and on the device do not match.
  Remedy: Check switch position and value in software and adapt accordingly.

Error cause: Incorrect operating mode
  Diagnostic code (hex): X7C3
  Short description: The operating mode set on the device is not supported.
  Remedy: Check and correct switch position.

Error cause: Incorrect F_Source_Address
  Diagnostic code (hex): X7C4
  Short description: The F_Source_Address set on the device is not within the permissible value range.
  Remedy: Check and correct switch position.

Acknowledgment for X7C2, X7C3 and X7C4: Power up. (The PUR bit is set in the diagnostic
register of the IC220SDL953; see "Dev-Diag-LPSDO (LPSDO diagnostics)" on page A-18)

Error cause: Communication connection faulty
  Diagnostic code (hex): XDnn
  Short description: See X5nn, the OAR bit is set in the diagnostic register of the IC220SDL953
  Acknowledgment: Acknowledgment required. (The OAR bit is set in the diagnostic register
  of the IC220SDL953; see "Dev-Diag-LPSDO (LPSDO diagnostics)" on page A-18)

Table 8-10
Diagnostic codes for faulty communication connection

OAR bit              Diagnostic code bit 0 ... 4    Faulty connection to satellite ...
= 0       = 1        4  3  2  1  0                  5  4  3  2  1
X501      XD01       0  0  0  0  1                  -  -  -  -  X
X502      XD02       0  0  0  1  0                  -  -  -  X  -
X503      XD03       0  0  0  1  1                  -  -  -  X  X
X504      XD04       0  0  1  0  0                  -  -  X  -  -
X505      XD05       0  0  1  0  1                  -  -  X  -  X
X506      XD06       0  0  1  1  0                  -  -  X  X  -
X507      XD07       0  0  1  1  1                  -  -  X  X  X
X508      XD08       0  1  0  0  0                  -  X  -  -  -
X509      XD09       0  1  0  0  1                  -  X  -  -  X
X50A      XD0A       0  1  0  1  0                  -  X  -  X  -
X50B      XD0B       0  1  0  1  1                  -  X  -  X  X
X50C      XD0C       0  1  1  0  0                  -  X  X  -  -
X50D      XD0D       0  1  1  0  1                  -  X  X  -  X
X50E      XD0E       0  1  1  1  0                  -  X  X  X  -
X50F      XD0F       0  1  1  1  1                  -  X  X  X  X
X511      XD11       1  0  0  0  1                  X  -  -  -  X
X512      XD12       1  0  0  1  0                  X  -  -  X  -
X513      XD13       1  0  0  1  1                  X  -  -  X  X
X514      XD14       1  0  1  0  0                  X  -  X  -  -
X515      XD15       1  0  1  0  1                  X  -  X  -  X
X516      XD16       1  0  1  1  0                  X  -  X  X  -
X517      XD17       1  0  1  1  1                  X  -  X  X  X
X518      XD18       1  1  0  0  0                  X  X  -  -  -
X519      XD19       1  1  0  0  1                  X  X  -  -  X
X51A      XD1A       1  1  0  1  0                  X  X  -  X  -
X51B      XD1B       1  1  0  1  1                  X  X  -  X  X
X51C      XD1C       1  1  1  0  0                  X  X  X  -  -
X51D      XD1D       1  1  1  0  1                  X  X  X  -  X
X51E      XD1E       1  1  1  1  0                  X  X  X  X  -
X51F      XD1F       1  1  1  1  1                  X  X  X  X  X
8.6 Acknowledging an error
In the VersaSafe system, the errors of the IC220SDL953 as well as those of the corresponding island satellites must be acknowledged via the IC220SDL953.
After removing the cause of an error, the diagnostic message must be acknowledged. To
do this, set the corresponding bit in the "Dev-Ackn-LPSDO" register (see "App-Diag-LPSDO (application diagnostics)" on page A-19).
WARNING: Acknowledgment may result in a hazardous system state
With the exception of a few special cases, the acknowledgment of an error immediately
returns the safe input or output to the operating state. Before acknowledging an error you
must, therefore, make sure that the acknowledgment will not cause the machine to
switch to a dangerous state.
When planning the machine or system, make sure that acknowledgment is only possible
if the danger zone is visible.
If in the event of failure the safety module is replaced, please proceed as described in
Section 4, "Assembly, removal, and electrical installation" and "Restart after replacing a
safety module" on page 7-3.
9 Maintenance, repair, decommissioning, and disposal
9.1 Maintenance
The device is designed in such a way that maintenance work is not required during the
duration of use. However, depending on the application and connected I/O devices it may
be necessary to test the function of the I/O devices and the safety chain at regular intervals.
The duration of use of the module is 20 years.
Repeat testing within this time is not required.
Carry out maintenance of connected I/O devices (e.g., light grid) according to the relevant
manufacturer specifications.
9.2 Repair
Repair work may not be carried out on the safety module. In the event of an error, send the
module to GE Intelligent Platforms.
It is strictly prohibited to open the safety module. In order to prevent the manipulation of the
module and to detect the unauthorized opening of the module, a security seal is applied to
the module. This security seal is damaged in the event of unauthorized opening. In this
case, the correct operation of the safety module can no longer be ensured.
9.3 Decommissioning and disposal
The machine or system manufacturer specifies the procedure for decommissioning.
Decommissioning may only take place according to these specified procedures.
When decommissioning a VersaSafe system or parts thereof, ensure that the safety modules used:
– Are correctly reused in another system.
In this case, please observe the storage and transport requirements according to the
technical data (see "IC220SDL953" on page 10-1).
Or
– Are disposed of according to the applicable environmental regulations, and in this case
can never be reused.
10 Technical data and ordering data
10.1 System data

10.1.1 VersaPoint
For system data, please refer to the following user manual:
VersaPoint: Automation terminals of the VersaPoint product range, GFK-2736

10.1.2 VersaSafe system
VersaSafe system
Shutdown time tOUT_LPSDO: 10 ms
Maximum number of VersaSafe islands in the system: 31
Maximum number of modules within a VersaSafe island:
  1 IC220SDL953
  5 satellites (IC220SDL543, IC220SDL...., mixed at will)
Memory capacity: 20 kB for safety logic

10.2 IC220SDL953

General data
Housing dimensions (width x height x depth): 48.8 mm x 119.8 mm x 71.5 mm
Weight (with connectors): 200 g
Operating mode:
  VersaSafe: Process data mode with 16 or 24 words
  VersaSafe multiplexer: Process data mode with 8 words
Transmission speed (local bus): 500 kbaud or 2 Mbaud
Ambient temperature
  Operation: -25°C to +55°C
  Storage/transport: -25°C to 70°C
Humidity
  Operation: 75% on average, 85% occasionally (no condensation)
  In the range from -25°C to +55°C appropriate measures against increased humidity must be taken.
  Storage/transport: 75% on average; 85% occasionally (no condensation)
  For a short period, slight condensation may appear on the outside of the housing.
Air pressure
  Operation: 80 kPa to 108 kPa (up to 2000 m above sea level)
  Storage/transport: 66 kPa to 108 kPa (up to 3500 m above sea level)
Degree of protection: IP20
Housing material: Plastic PBT, self-extinguishing (V0)
Air and creepage distances: According to IEC 60439-1, derived from IEC 60664-1
Protection class: III (PELV)
Gases that may endanger functions according to DIN 40046-36, DIN 40046-37
  Sulfur dioxide (SO2): Concentration 10 ±0.3 ppm
  Ambient conditions:
  – Temperature 25°C ±2 K
  – Humidity 75% ±5%
  – Test duration 10 days
  Hydrogen sulfide (H2S): Concentration 1 ±0.3 ppm
  Ambient conditions:
  – Temperature 25°C ±2 K
  – Humidity 75% ±5%
  – Test duration 4 days
Resistance of housing material to termites: Resistant
Resistance of housing material to fungal decay: Resistant
Ambient compatibility: Not resistant to chloroform

Connection data for VersaPoint connectors
Connection method: Spring-cage terminals
Conductor cross-section: 0.2 mm² to 1.5 mm² (solid or stranded), 24 - 16 AWG

Supported stop category according to EN 60204
  0
  1 in error-free state

Mechanical requirements
Vibration according to IEC 60068-2-6: Operation: 2g, Criterion A
Shock according to IEC 60068-2-27: 15g over 11 ms, Criterion A

Safety characteristics according to IEC 61508/EN 61508
Achievable SIL:
  SIL 2 (single-channel)
  SIL 3 (two-channel)
  Depends on the parameterization and wiring (see "Connection
  options for actuators depending on the parameterization" on
  page 2-5 and "Connection examples for safe outputs" on page 6-1)
Probability of a dangerous failure on demand by the safety function (PFD):
  SIL 2: 1% of 10^-2, maximum (corresponds to 1 x 10^-4)
  SIL 3: 1% of 10^-3, maximum (corresponds to 1 x 10^-5)
Probability of a dangerous failure per hour for the entire module (PFH):
  SIL 2: 1% of 10^-6, maximum (corresponds to 1 x 10^-8)
  SIL 3: 1% of 10^-7, maximum (corresponds to 1 x 10^-9)
  Depends on the parameterization (see Table 6-3 on page 6-3)
Hardware fault tolerance (HFT) of the module: 1
Permissible duration of use: 20 years
Safety characteristics according to DIN EN 62061
Achievable SIL claim limit:
  SIL CL = SIL 2 (single-channel)
  SIL CL = SIL 3 (two-channel)
  Depends on the parameterization and wiring (see "Connection
  options for actuators depending on the parameterization" on
  page 2-5 and "Connection examples for safe outputs" on page 6-1)
Safe failure fraction (SFF): 99%
Probability of a dangerous failure per hour for the entire module (PFH):
  SIL CL 2: 1% of 10^-6, maximum (corresponds to 1 x 10^-8)
  SIL CL 3: 1% of 10^-7, maximum (corresponds to 1 x 10^-9)
  Depends on the parameterization (see Table 6-3 on page 6-3)
Hardware fault tolerance (HFT) of the module: 1
Permissible duration of use: 20 years

Safety characteristics according to EN ISO 13849-1
Achievable performance level:
  PL e (two-channel)
  PL d (single-channel)
  Depends on the parameterization and wiring (see "Connection
  options for actuators depending on the parameterization" on
  page 2-5 and "Connection examples for safe outputs" on page 6-1)
  See also "Achievable safety depending on the modules used" on
  page A-30.
Diagnostic coverage (DC): 99%
Mean time to dangerous failure (MTTFd):
  For single-channel assignment: 100 years
  For two-channel assignment: 100 years

Supply voltage UL (logic)
The safety terminal is supplied with communications power via the bus coupler, a VersaPoint controller, or a designated
power terminal in the station. Potential routing is used for the communications power in the VersaPoint station. For technical data, please refer to the data sheet for the bus coupler, VersaPoint controller, or power terminal used.
Current consumption: 230 mA, maximum

Supply voltage UM (actuators)
The safety terminal is supplied with main voltage UM via the bus coupler, a VersaPoint controller, or a power terminal in the station. Potential
routing is used for the main voltage in the VersaPoint station. For technical data, please refer to the data sheet for the bus coupler,
VersaPoint controller, or power terminal used.
WARNING: Loss of the safety function when using unsuitable power supplies
Only use power supplies according to EN 50178/VDE 0160 (PELV).
Nominal voltage: 24 V DC according to EN 61131-2 and EN 60204
Tolerance: -15%/+20% including an entire AC voltage component with peak value of 5%
Ripple: 3.6 Vpp
Permissible voltage range: 19.2 V DC to 30.0 V DC, ripple included
Current consumption: 30 mA, typical (all outputs set) (plus actuator current)
Permissible interruption time: 10 ms;
  Within this time, the output voltage for the safe outputs fails as the outputs
  are not internally buffered.
Surge protection: Yes (in the bus coupler/power terminal)
Protection against polarity reversal: Yes (in the bus coupler/power terminal)
NOTE: Module damage due to polarity reversal
Polarity reversal places a burden on the electronics and, despite protection against polarity reversal, can damage the module. Therefore,
polarity reversal must be prevented.
Undervoltage detection: Yes, at 17 V, approximately
Diagnostic indicators: Green UM LED
  (see "Local diagnostic and status indicators" on page 2-6)
External fuse protection: Maximum 8 A, slow-blow
NOTE: Module damage in the event of overload
The power supply unit must be able to supply four times (400%) the nominal current of the external fuse.

Safe digital outputs OUT0 to OUT3
Number: 4 two-channel or 8 single-channel (positive switching)
Supply: From supply voltage UM
Maximum output current per output: 2 A
Maximum output current for all outputs (total current): 6 A (observe derating and maximum output current for each group)
Maximum output current for each group (total current):
  Group 1 (OUT0_K1, OUT1_K1, OUT2_K1, OUT3_K1): 3 A
  Group 2 (OUT0_K2, OUT1_K2, OUT2_K2, OUT3_K2): 3 A
Maximum output voltage in the low state: < 5 V
WARNING: Loss of safety function
At this voltage, the load must not switch to or remain in the ON state. Please take this into consideration when selecting the actuator.
Maximum leakage current in the low state: 2 mA
WARNING: Loss of safety function
At this current, the load must not switch to or remain in the ON state. Please take this into consideration when selecting the actuator.
Minimum withstand voltage of the connected loads: > 5 V
Maximum inductive load: 1 H
Maximum capacitive load depending on the current: C = 1 s/(R x 1400)
  Where:
  C  Load capacity in F
  R  Load resistance in ohms
[Figure: Maximum capacitive load depending on the load current. Vertical axis: C, load capacity in µF (0 to 60). Horizontal axis: I, load current in A (0.50 to 2.50). Hatched area: permissible range.]
Minimum load: 1.5 kΩ (16 mA at 24 V)
Limitation of the voltage induced on circuit interruption: -15 V
Output voltage: UM - 1 V, approximately
Simultaneity: 100% up to 45°C (observe maximum current load)
Derating:
  Up to 50°C, total current of all outputs 6 A, maximum
  Up to 55°C, total current of all outputs 4 A, maximum
Maximum switching frequency: 1 Hz; 0.2 Hz at > 1 A
Filter time: None
Switch-off delay for shutdown according to stop category 1:
  Can be parameterized; 150 ms to 630 s; see "Parameterization of the safe
  outputs" on page 5-2
  Accuracy ±5% of the parameterized value
Maximum duration of the test pulses (when switched off; active driving): 1 ms
Maximum duration of the test pulses (when switched on): 3 ms (depending on the load capacity)
Status indicators: One green LED (two-color LED green/red) per output
  (see "Local diagnostic and status indicators" on page 2-6)
Diagnostic indicators: One red LED (two-color LED green/red) per output
  (see "Local diagnostic and status indicators" on page 2-6)
WARNING: Loss of safety function
– Connect the ground of the actuator directly to the ground terminal point of the corresponding output on the VersaPoint connector.
  An external ground may not be used.
– The connected load must not respond in a hazardous way to test pulses.
Electrical isolation/Isolation of the voltage areas
To provide electrical isolation between the logic level and the I/O area, separate power supply units must be used for each of the station bus
coupler and this safety module. Interconnection of the power supply units in the 24 V area is not permitted. (See also IL SYS INST UM E
user manual.)
Separate potentials in the system comprising bus coupler/power terminal and safety module
Test distance: Test voltage
  5 V supply incoming remote bus/7.5 V supply (bus logic): 500 V AC, 50 Hz, 1 min.
  5 V supply outgoing remote bus/7.5 V supply (bus logic): 500 V AC, 50 Hz, 1 min.
  7.5 V supply (bus logic)/24 V supply UM, FE: 500 V AC, 50 Hz, 1 min.
Approvals
For the latest approvals, please visit http://support.ge-ip.com.
10.3 Conformance with EMC Directive

Conformance with EMC Directive 2004/108/EC

Noise immunity test according to DIN EN 61000-6-2
Electrostatic discharge (ESD), EN 61000-4-2 (IEC 61000-4-2):
  Criterion B
  6 kV contact discharge, 8 kV air discharge
Electromagnetic fields, EN 61000-4-3 (IEC 61000-4-3):
  Criterion A, field strength 10 V/m
Fast transients (burst), EN 61000-4-4 (IEC 61000-4-4):
  Criterion B, test voltage 2 kV
Surge voltage, EN 61000-4-5 (IEC 61000-4-5):
  Test intensity 2, Criterion B
  DC supply lines: 0.5 kV/0.5 kV (symmetrical/asymmetrical)
  Signal lines: 1.0 kV/2.0 kV (symmetrical/asymmetrical)
Conducted interference, EN 61000-4-6 (IEC 61000-4-6):
  Criterion A, test voltage 10 V

Noise emission test according to DIN EN 61000-6-4
Noise emission, EN 55011: Class A, industrial applications
10.4 Ordering data

10.4.1 Ordering data: Safety module
Description: VersaPoint module with integrated safety logic and safe digital outputs
  Catalog No.: IC220SDL953
  Pcs. / Pkt.: 1

10.4.2 Ordering data: Accessories
Description: Connector set as replacement item
  Catalog No.: On request
  Pcs. / Pkt.: 1 set
Description: Connector set, consisting of four VersaPoint connectors with integrated discharge electronics
  Catalog No.: IC220SCO753
  Pcs. / Pkt.: 1 set

10.4.3 Ordering data: Software
Description: Parameterization and configuration tool
  Name: VersaConf Safety
  Pcs. / Pkt.: 1
The software can be downloaded free of charge from http://support.ge-ip.com.

10.4.4 Ordering data: Documentation
Description: User manual, VersaPoint: Automation terminals of the VersaPoint product range
  Catalog No.: GFK-2736
  Pcs. / Pkt.: 1
Description: Quick start guide VersaSafe
  Catalog No.: GFK-2735
  Pcs. / Pkt.: 1
Make sure you always use the latest documentation.
It can be downloaded from http://support.ge-ip.com.
A Appendix: VersaSafe system
A 1 The VersaSafe system
A 1.1 VersaSafe technology – Maximum flexibility and safety
In all safety applications in which conventional safety relays are not flexible enough,
parallel wiring proves too complex due to the expansiveness of the safety circuits, or the
use of a safe bus system in connection with a safe controller is cost-prohibitive, VersaSafe
technology from GE Intelligent Platforms offers a cost-effective solution.
The VersaSafe system works independently of the relevant network and the standard
control system used. Both simply act as a transport medium for safe data packets, which
are exchanged between the safe input and safe output modules. The safe inputs and
outputs are distributed in the network and do not require a higher-level safety controller or
a separate safety bus system. Therefore, instead of having to choose a safe network such
as PROFIsafe or CIP Safety with safety controllers available accordingly, users can
instead continue to use the systems or technologies they have come to rely on. This means
that a hitherto unseen level of flexibility can be achieved in bus-based safety applications.
Direct processing of safety operations in the module
VersaSafe technology has been integrated into the proven VersaPoint I/O system. No
special installation guidelines have to be observed when installing the corresponding
modules. They can be distributed in the network and operated at any point in the I/O
station. Due to the technology used, a special bus coupler is not required as the safety
operations are processed directly in the IC220SDL953 intelligent safe output module.
Thanks to the comprehensive range of parameterization options, the input or output
channels can be adapted flexibly to the relevant application. Data transmission over the
network from the safe input module to the output module is protected by a special protocol,
which is operated by the intelligent output module. The standard control system simply has
to copy standard I/O data bidirectionally between the input and output modules. Like the
network used, it does not perform any safety-related tasks.
Easy configuration of the safety logic
The safety mechanisms used in the VersaSafe system, such as the "black channel"
principle, are based on proven technologies that have been used for many years in the
PROFIsafe systems. With appropriate parameterization, applications up to
Cat. 4/SIL 3/SIL CL 3/PL e can be implemented. The VersaConf Safety software supports
user-friendly parameterization of the safe input and output channels and creation of the
safety logic. The tool does not require programming experience, as predefined function
blocks are available for virtually every application. VersaSafe technology can be used to
implement distributed safety applications cost-effectively in a network independently of the
network and standard control system.
A 1.2 Overview of VersaSafe system features
– Network independent
– Controller independent
– No higher-level safety controller required
– Up to five connections to satellites
– All data, including parameterizations, is located on the standard controller
– Only the IC220SDL953 module is parameterized by the standard controller
– No parameterization required in multiplexer mode
– The VersaConf Safety parameterization tool can be downloaded free of charge (see
  "Ordering data" on page 10-7)
– Enable principle
– Standard controller can access all safe signals and diagnostic data
A 1.3 Differences in VersaSafe systems dependent upon which module with integrated safety logic is used

Table A-1  VersaSafe system specifications

Functionality: IC220SDL953
Supported networks:
  – PROFIBUS
  – PROFINET
  – ETHERNET IP
  – MODBUS TCP
  – DeviceNet
  – CANopen
  – sercos III
Number of safe communications: 5 IN/OUT (mixed)
Size of memory for safety logic: 20 kB
Non-volatile memory: Yes
Safe function blocks:
  – E-STOP
  – EDM
  – GuardMonitoring
  – TwoHandControl II
  – EnableSwitch
  – ESPE
  – GuardLocking
  – ModeSelector
  – TwoHandControl III
  – TestableSafetySensor
  – MutingSeq
  – MutingPar
  – MutingPar2
Implicit enable: Yes
Mirroring of local safe output data: Yes
Forwarding of safe outputs: Yes
Satellites supported:
  – IC220SDL543
  – IC220SDL753
  – IC220SDL752
  – IC220SDL840
  Permissible revision see Table 10-1
Multiplexer mode: Yes
Support of partial configurations: Yes

Table 10-1  Revision as of which a module is permitted for use on the logic module

Order No.   Type          Revision as of which a module is permitted for use on IC220SDL953
2985688     IC220SDL543   00/200
2985631     IC220SDL753   01/200/100
2985864     IC220SDL840   01/200/100
2916493     IC220SDL752   01/200/100
A 2 System topology
A 2.1 General topology
A VersaSafe system can be integrated into various bus systems, including PROFINET and
PROFIBUS. The standard bus system is thus supplemented by components to achieve
safety.
[Figure: a PLC/controller connected via the network to VersaPoint stations containing the VersaSafe modules IC220SDL953, IC220SDL543 and IC220SDL753]
Figure A-1  Network independence
Control level
A standard controller is used (see also "Network and controller requirements" on
page A-5).
I/O level
Safe devices are integrated into the VersaPoint station at I/O level. Safe and standard devices can be operated simultaneously in the overall system.
Communication
Communication takes place via the standard controller and the standard bus system using
safe data packets.
System
The system comprises a standard controller and up to 31 VersaSafe islands.
VersaSafe island
Each VersaSafe island comprises one VersaSafe module with integrated safety logic
(IC220SDL953) and up to five distributed VersaSafe modules without safety logic
(e.g., IC220SDL543, IC220SDL...). The module with integrated safety logic is referred to
as the island node, while the modules without safety logic are referred to as remote devices
or satellites. Satellite is the preferred term to describe these modules and is used in this
document.
The satellites and the IC220SDL953 are assigned to an island using island numbers that
are specified in the parameterization tool. The satellites are numbered in the order they are
assigned in VersaConf Safety.
A 2.2
Network and controller requirements
The VersaSafe system does not place any special requirements on the standard controller.
However, it must be able to perform the following tasks:
Network:
– Deterministic network; pauses caused by sporadic errors must not exceed the
watchdog time set for the module
Controller:
– Fast enough that it can meet time expectations for the response time
– Sufficient memory to save configuration and parameter data records
– Ensuring data consistency when copying data
Data consistency must at least be ensured using the data telegram of a module.
Function blocks for copying data and downloading the configuration are available for
selected controllers.
A 2.3
Safe input and output devices
Safe input and output devices form the interface to connected I/O devices. The devices
control contactors or valves, for example, and/or read the input status of connected safety-related sensors.
The internal structure of the devices enables component failures, interruptions in
transmission or the absence of data to be detected and reported immediately.
Even errors in the wiring or internal device errors can be detected. Errors are indicated via
the process image of the devices, the function blocks, and the device LEDs. They can be
evaluated by the user.
The safe I/O devices are from the VersaPoint product range. Their design and interfaces
correspond to standard VersaPoint I/O devices. This means that no additional installation
effort is required.
The devices are parameterized using the VersaConf Safety software according to the
safety function that is to be performed. The parameterization and wiring of the inputs and
outputs depends on the application (e.g., single-channel or two-channel). For more
detailed information about the parameterization options, please refer to the user manual
for the relevant device. The wiring and parameterization of devices determines which
errors are detected.
A3
VersaSafe address assignment
NOTE: Malfunction in the event of incorrect addressing
Make sure that in an overall system comprising the VersaSafe system and any higher-level PROFIsafe system, the addresses (address within the VersaSafe system and
F-Address of the PROFIsafe system) are unique. Duplicate address assignment is not
permitted.
The VersaSafe address of the IC220SDL953 is the same as the island number of the
module.
The VersaSafe address of a satellite comprises the island number and the position in the
bus navigator of the VersaConf Safety software tool.
Enter the address for the IC220SDL953 in VersaConf Safety.
Table A-2
VersaSafe address IC220SDL953
| Bits | 7 ... 3 | 2 ... 0 |
|---|---|---|
| VersaSafe address | Island number | Reserved |
| Value | 1dec to 31dec | 0dec |

Table A-3
VersaSafe address, e.g., IC220SDL543
| Bits | 7 ... 3 | 2 ... 0 |
|---|---|---|
| VersaSafe address | Island number | Satellite number |
| Value | 1dec to 31dec | 1dec to 5dec |
Example:
Table A-4
Example 1: VersaSafe addresses
| Device | Island number (bits 7 ... 3) | Satellite number (bits 2 ... 0) | VersaSafe address |
|---|---|---|---|
| IC220SDL953 | 0 0 0 0 1 (1dec) | 0 0 0 (0dec) | 8dec (8hex) |
| IC220SDL543 Position 1 | 0 0 0 0 1 (1dec) | 0 0 1 (1dec) | 9dec (9hex) |
| IC220SDL... Position 2 | 0 0 0 0 1 (1dec) | 0 1 0 (2dec) | 10dec (Ahex) |
Table A-5
Example 2: VersaSafe addresses
| Device | Island number (bits 7 ... 3) | Satellite number (bits 2 ... 0) | VersaSafe address |
|---|---|---|---|
| IC220SDL953 | 1 0 0 0 0 (16dec (10hex)) | 0 0 0 (0dec) | 128dec (80hex) |
| IC220SDL840 Position 1 | 1 0 0 0 0 (16dec (10hex)) | 0 0 1 (1dec) | 129dec (81hex) |
| IC220SDL543 Position 2 | 1 0 0 0 0 (16dec (10hex)) | 0 1 0 (2dec) | 130dec (82hex) |
| IC220SDL752 Position 3 | 1 0 0 0 0 (16dec (10hex)) | 0 1 1 (3dec) | 131dec (83hex) |
| IC220SDL753 Position 4 | 1 0 0 0 0 (16dec (10hex)) | 1 0 0 (4dec) | 132dec (84hex) |
| IC220SDL543 Position 5 | 1 0 0 0 0 (16dec (10hex)) | 1 0 1 (5dec) | 133dec (85hex) |
Example addresses
Figure A-2 and Table A-6 illustrate examples of addresses in the VersaSafe system for
three islands.
Island 1 (00001xxx; red) and island 2 (00010xxx, green) operate in VersaSafe mode.
Island 3 (00011xxx, blue) operates in VersaSafe multiplexer mode.
Figure A-2
Example addresses for VersaSafe islands 1 to 3
(Figure not reproduced. It shows the IC220SDL953, IC220SDL543 and IC220SDL753 modules of the three islands, each labeled with its 5-bit island number and 3-bit satellite number; the addresses shown are those listed in Table A-6.)
All the possible addresses for island numbers 1 to 3 are listed in Table A-6. The addresses
actually used in the example in Figure A-2 are in bold.
Table A-6
Example addresses for VersaSafe islands
| Addresses for island number 1 (red in Figure A-2) | Addresses for island number 2 (green in Figure A-2) | Addresses for island number 3 (blue in Figure A-2) | Devices |
|---|---|---|---|
| 00001 000 (08hex) | 00010 000 (10hex) | 00011 000 (18hex) | IC220SDL953 (island node) |
| 00001 001 (09hex) | 00010 001 (11hex) |  | Assigned IC220SDL543/IC220SDL... in VersaSafe mode |
| 00001 010 (0Ahex) | 00010 010 (12hex) |  | Assigned IC220SDL543/IC220SDL... in VersaSafe mode |
| 00001 011 (0Bhex) | 00010 011 (13hex) |  | Assigned IC220SDL543/IC220SDL... in VersaSafe mode |
| 00001 100 (0Chex) | 00010 100 (14hex) |  | Assigned IC220SDL543/IC220SDL... in VersaSafe mode |
| 00001 101 (0Dhex) | 00010 101 (15hex) |  | Assigned IC220SDL543/IC220SDL... in VersaSafe mode |
|  |  | 00011 111 (1Fhex) | Assigned IC220SDL543 in VersaSafe multiplexer mode |
In VersaSafe multiplexer mode, the IC220SDL953 is always assigned one IC220SDL543
with the address xxxxx111 (xxxxx = island number). The IC220SDL953 and IC220SDL543
modules operate with a fixed parameterization.
To differentiate between VersaSafe and VersaSafe multiplexer mode, in VersaSafe mode
the address with "111" in the last three bits is not used. If an address with the format
xxxxx111 is specified in VersaSafe mode, the module enters the safe state.
Therefore, in VersaSafe multiplexer mode, the address xxxxx111 set on the IC220SDL543
corresponds to the setting for VersaSafe multiplexer mode and the island number on the
IC220SDL953.
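The addressing rules of this section (island number in bits 7 ... 3, satellite number in bits 2 ... 0, xxxxx111 reserved for multiplexer mode, no duplicate addresses, satellite addresses ascending without gaps as stated in A 5.1) can be checked against a planned assignment before commissioning. The following Python code is an added example, not code from the manual or from GE Intelligent Platforms; the function names, the plan format and the faulty plan are constructed for illustration, and VersaSafe addresses and PROFIsafe F-Addresses are compared as plain numbers (assumption).

```python
from collections import defaultdict

SAT_MUX = 0b111  # satellite number that marks multiplexer mode (xxxxx111)
SAT_MAX = 5      # highest satellite number in VersaSafe mode


def encode(island, satellite=0):
    """Island number in bits 7..3, satellite number in bits 2..0 (0 = island node)."""
    if not 1 <= island <= 31:
        raise ValueError(f"island number {island} is outside 1..31")
    if not 0 <= satellite <= 7:
        raise ValueError(f"satellite number {satellite} does not fit in 3 bits")
    return (island << 3) | satellite


def decode(address):
    """Split an 8-bit VersaSafe address into (island number, satellite number)."""
    if not 0 <= address <= 0xFF:
        raise ValueError(f"address {address} is not an 8-bit value")
    return address >> 3, address & 0b111


def check_plan(devices, mux_islands=(), f_addresses=()):
    """Return a list of findings; an empty list means the plan follows the rules.

    devices     -- list of (name, address) pairs (hypothetical plan format)
    mux_islands -- island numbers meant to run in multiplexer mode
    f_addresses -- F-Addresses used in a higher-level PROFIsafe system
    """
    findings = []
    islands = defaultdict(list)  # island number -> satellite numbers found
    seen = {}                    # address -> first device that uses it

    for name, address in devices:
        island, sat = decode(address)
        if address in seen:
            findings.append(f"{name}: address {address:#04x} already used by {seen[address]}")
        seen.setdefault(address, name)
        if address in f_addresses:
            findings.append(f"{name}: address {address:#04x} collides with a PROFIsafe F-Address")
        if island == 0:
            findings.append(f"{name}: island number 0 is not permitted (1..31)")
            continue
        islands[island].append(sat)

    for island, sats in sorted(islands.items()):
        if sats.count(0) != 1:
            findings.append(f"island {island}: needs exactly one island node (xxxxx000)")
        remote = sorted(s for s in sats if s != 0)
        if island in mux_islands:
            if remote != [SAT_MUX]:
                findings.append(f"island {island}: multiplexer mode needs exactly one satellite at xxxxx111")
            continue
        if SAT_MUX in remote:
            findings.append(f"island {island}: xxxxx111 in VersaSafe mode puts the module in the safe state")
        normal = sorted({s for s in remote if s != SAT_MUX})
        if normal and normal != list(range(1, len(normal) + 1)):
            findings.append(f"island {island}: satellite numbers {normal} are not 1..n without gaps")
        if any(s > SAT_MAX for s in normal):
            findings.append(f"island {island}: satellite number above {SAT_MAX}")
    return findings


# Addresses of Table A-6: islands 1 and 2 in VersaSafe mode, island 3 in multiplexer mode.
TABLE_A6 = (
    [(f"island1/{s}", encode(1, s)) for s in range(6)]
    + [(f"island2/{s}", encode(2, s)) for s in range(6)]
    + [("island3/0", encode(3, 0)), ("island3/7", encode(3, SAT_MUX))]
)

# Constructed faulty plan: gap (1, 3), xxxxx111 in VersaSafe mode, duplicate 0x11.
CONSTRUCTED_BAD = [("node", 0x10), ("in-a", 0x11), ("in-b", 0x13),
                   ("in-c", 0x17), ("in-d", 0x11)]

if __name__ == "__main__":
    print("Table A-6:", check_plan(TABLE_A6, mux_islands={3}) or "no findings")
    for finding in check_plan(CONSTRUCTED_BAD):
        print("constructed plan:", finding)
```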
A4
Operating modes and setting the DIP switches in
the VersaSafe system
A 4.1
Module switch positions
For more detailed information about the function of the DIP switches, please refer to
"Setting the DIP switches" on page 4-2.
The following tables show the settings on the IC220SDL953, IC220SDL543, and
IC220SDL... for operation in a VersaSafe system.
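Table A-7
IC220SDL953 switch position
DIP switches 7 ... 0 set the address: 31 addresses (see below).
| DIP switch 9 | DIP switch 8 | DIP switches 7 ... 3 | DIP switches 2 ... 0 | Mode | 500 KBD/2 MBD | Operating mode |
|---|---|---|---|---|---|---|
| Off | Reserved (must be off) | Island number | Must be 0 (off) | Off (Mode1) | 500 KBD or 2 MBD | VersaSafe 16 words |
| On | Reserved (must be off) | Island number | Must be 0 (off) | Off (Mode1) | 500 KBD or 2 MBD | VersaSafe 24 words |
| No function | Reserved (must be off) | Island number | Must be 0 (off) | On (Mode2) | 500 KBD or 2 MBD | VersaSafe multiplexer 8 words |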
The following 31 addresses are available for the IC220SDL953:
08hex, 10hex, 18hex, 20hex, 28hex ... 90hex, 98hex, A0hex, A8hex, B0hex, B8hex ... F0hex, F8hex.
Table A-8
Switch position of the satellites in VersaSafe and VersaSafe multiplexer mode
| DIP switch 9 | DIP switch 8 | DIP switches 7 ... 3 | DIP switches 2 ... 0 | Mode | 500 KBD/2 MBD | Operating mode |
|---|---|---|---|---|---|---|
| Off | Off | Island number | Satellite number 1 ... 5 | On (Mode 2) | 500 KBD or 2 MBD | VersaSafe, parameterization by IC220SDL953 |
| Off | Off | Island number | Satellite number 7 | On (Mode 2) | 500 KBD or 2 MBD | VersaSafe multiplexer, parameterization by IC220SDL953 (only for satellites with inputs) |
For the VersaSafe system, no other switch positions are permitted on the satellites.
Only use devices with a uniform transmission speed within a VersaPoint station (a local
bus). It is not possible to operate a mixture of devices with different transmission speeds.
A 4.2
VersaSafe multiplexer mode
In this operating mode, the input data of an IC220SDL543 safe input module is output one-to-one to the output terminals of the IC220SDL953. A controller is still required as this
copies the data (see also Figure A-5 "I/O image and data flow in multiplexer mode" on
page A-16).
The IC220SDL953 and IC220SDL543 which are to operate together in multiplexer mode
are configured and assigned to one another via the switch position of the DIP switches (see
"Setting the DIP switches" on page 4-2). The parameterizations of both modules are fixed
and cannot be modified. A parameterization tool is not required for this operating mode.
Multiplexer mode is intended as a replacement for cabling. A stand-alone solution (one
using MUX modules, for example) cannot be implemented with multiplexer mode.
NOTE: Not a safe application
In order to ensure correct use, subsequent safety logic (an evaluation unit) is required.
The IC220SDL953 parameterizes both the local safe I/O devices and the input module as
follows:
Table A-9
Parameterization of all safe outputs of the IC220SDL953
| Parameterization | Parameterized as |
|---|---|
| Assignment | Assigned |
| Output | Single-channel |
| Switch-off delay for stop category 1 | Disabled |
| Value of switch-off delay for stop category 1 | – |
| Value range of switch-off delay for stop category 1 | – |
| Test pulses (output disabled) (in software: test impulses (output switched off)) | Enabled |
| Enable | Disabled |
Remark: The parameterization is set automatically and cannot be changed.
The watchdog time (tFWD) is set to a fixed value of 200 ms.
Table A-10
Parameterization of all safe inputs of the IC220SDL543
| Parameterization | Parameterized as |
|---|---|
| Input |  |
| Assignment | Assigned |
| Evaluation | Single-channel |
| Sensor type | Standard sensor |
| Filter time (tFilter) | 5 ms |
| Symmetry | Disabled |
| Clock selection | UT1 for inputs of channel 1, UT2 for inputs of channel 2 |
| Bounce time monitoring | Disabled |
| Start inhibit due to symmetry violation | Disabled |
| Input signal | Equivalent |
| Clock output | UT1 ON/UT2 ON |
Remark: The parameterization is set automatically and cannot be changed.
Example application
Figure A-3
Example
(Figure not reproduced. It shows two VersaPoint stations linked by wireless Ethernet adapters, one with the IC220SDL953 and one with the safe input module.)
NIU: VersaPoint NIU standard controller
VersaPoint Modules: VersaPoint terminals according to your requirements
A5
Process image
A 5.1
Structure of the process image
Table A-11
Key for Figure A-4
| Designation | Meaning | Explanation |
|---|---|---|
| PII | Process image of inputs |  |
| PIO | Process image of outputs |  |
| SATx | Satellite x (x = 1 ... 3) |  |
| PSDI | IC220SDL543 |  |
| PSDO | IC220SDL... |  |
| 8 | Number of bytes to be transmitted |  |
| Prot-x | Protocol data | On page A-17 |
| Short Protocol | Short protocol | On page A-20 |
| Dev-Ack-x | Acknowledgment of device and communication errors affecting satellite x (x = 1 ... 3) | On page A-17 |
| Read-only parts for the standard controller (bold in PAE) |  |  |
| Dev-Diag-x | Diagnostic data of satellite x (x = 1 ... 3) | On page A-17 |
| Data-x | Safe data of satellite x (x = 1 ... 3) | On page A-17 |
| Dev-Diag-LPSDO | Diagnostic data of all modules | On page A-19 |
| App-Diag-LPSDO | Freely configurable feedback signals of the IC220SDL953 to the standard controller | On page A-19 |
| Feedback-Data-PSDO | Safe output data of the IC220SDL... read back automatically | On page A-20 |
| Feedback-Data-LPSDO | Safe output data of the IC220SDL953 read back automatically | On page A-20 |
| Read/write parts for the standard controller (bold in PIO) |  |  |
| Dev-Ack-LPSDO | Acknowledgment of device and communication errors affecting the IC220SDL953 | On page A-19 |
| App-Ack-LPSDO | Freely configurable acknowledgment signals of the standard controller to the IC220SDL953 | On page A-20 |
| Enable-PSDO | Standard data of the standard controller, which is to enable the IC220SDL... | On page A-20 |
| Enable-LPSDO | Standard data of the standard controller, which is to enable the IC220SDL953 | On page A-20 |
Figure A-4 shows an example of the structure of the I/O image and data flow for the 16-word-wide version of the IC220SDL953 with 3 satellites (2 x IC220SDL543,
1 x IC220SDL...). For an explanation of the data flow, please refer to Section A 6,
"Implementation of data flow between the standard controller and the safety modules" on
page A-22.
If a VersaSafe island is made up of a different constellation, the following rules apply for
mapping the individual submodules within the IC220SDL953:
– The sequence of the satellites within the IC220SDL953 must be determined by the satellite numbers.
– The corresponding VersaSafe addresses within an island are in ascending order and
without gaps.
Figure A-5 shows an example of the structure of the I/O image and data flow for multiplexer
mode.
Figure A-4
I/O image and data flow in a system comprising 1 IC220SDL953 and 3 satellites
(Figure not reproduced. It shows the input (PAE) and output (PAA) process images: the 8-byte images of the satellites SAT 1 (PSDI), SAT 2 (PSDI) and SAT 3 (PSDO), and the 16-word image of the IC220SDL953 (LPSDO) with its own registers and the short protocol from LPSDO-base-addr + 0 and the satellite blocks at LPSDO-base-addr + 8, + 16 and + 24.)
Figure A-5
I/O image and data flow in multiplexer mode
(Figure not reproduced. It shows the input (PAE) and output (PAA) process images: the 8-byte image of SAT 1 (PSDI) and the image of the IC220SDL953 (LPSDO) with its own registers and the short protocol from LPSDO-base-addr + 0 and the satellite block at LPSDO-base-addr + 8.)
A 5.2
Description of the registers
The register assignment for the IC220SDL953, IC220SDL543, and IC220SDL753 is
illustrated below.
As the registers are device-specific, the assignment for other modules may differ from
the description. Check the register assignment against the device-specific
documentation.
The actual assignment of the data registers (Data..., Feedback-Data...) is determined by
the parameterization (single-channel, two-channel). The register description below
describes all bits. Please refer to the description of the process data words in the
documentation for the modules for information about which bits are actually assigned.
Data-x
(safe data of satellite x)
The register contains the safe data of the specified satellite. The structure and function of
the register are as follows:
Table A-12
Data-x register
| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|
| IC220SDL543 | IN3_Ch2 | IN3_Ch1 | IN2_Ch2 | IN2_Ch1 | IN1_Ch2 | IN1_Ch1 | IN0_Ch2 | IN0_Ch1 |
| IC220SDL... | OUT3_Ch2 | OUT3_Ch1 | OUT2_Ch2 | OUT2_Ch1 | OUT1_Ch2 | OUT1_Ch1 | OUT0_Ch2 | OUT0_Ch1 |
The data is only valid as long as the connection is active.
Prot-x
Protocol data; the user cannot access this register.
Dev-Diag-x
(PSDI, PSDO diagnostics)
The diagnostic register of the specified (x) IC220SDL543 or IC220SDL... has the following
structure and function:
Table A-13
Dev-Diag register of the IC220SDL543 or IC220SDL...
| Bits | 15 ... 13 | 12 ... 0 |
|---|---|---|
| Assignment | Diag-Sel | Diagnostic code/address |

| Bit | Meaning | Function |
|---|---|---|
| 15 ... 13 | DiagSel (diagnostic selector) | 111bin: Bit 12 has no function. Bits 11 ... 0 contain the diagnostic code of the module. Please refer to the user manual for the satellites you are using for information about the function of the diagnostic codes. |
|  |  | 100bin: No errors (8000hex) |
|  |  | 010bin: Bits 12 ... 0 contain the address of the module. |
|  |  | Others: Reserved |
Dev-Ack-x
(device acknowledgment)
This register is used to acknowledge device errors internally. The user cannot access this
register.
Dev-Diag-LPSDO
(LPSDO diagnostics)
The diagnostic register of the IC220SDL953 has the following structure and function:
Table A-14
Dev-Diag register of the IC220SDL953
| Bit | 15 | 14 | 13 | 12 | 11 | 10 ... 0 |
|---|---|---|---|---|---|---|
| Assignment | COK | SA | E | PUR | OAR | Diagnostic code/address |

| Bit | Meaning | Function |
|---|---|---|
| 15 | COK (Communication OK) | 0: IC220SDL953 is not parameterized or at least one of the safe communication relationships is not running without any errors. |
|  |  | 1: Communication OK. IC220SDL953 is parameterized and safe communication is running without any errors to all configured satellites. If no satellites have been configured: IC220SDL953 is parameterized. |
| 14 | SA (Safety address) | 0: The error message of the IC220SDL953 is displayed in bits 10 ... 0 together with the error class, number, and location (see "Errors: Messages and removal" on page 8-1). |
|  |  | 1: Firmware startup after power up completed. The VersaSafe address setting is displayed in bits 10 ... 0. |
| 13 | E (Device error) | 0: No error messages pending at any modules. |
|  |  | 1: Group error message: A device error, a parameterization error, or an I/O error has been detected in one of the connected satellites or in the IC220SDL953 itself. This can be detected via the corresponding Dev-Diag registers of the individual satellites. |
| 12 | PUR (Power up requested) | 0: A power up is not expected. |
|  |  | 1: Following an error that cannot be acknowledged, the IC220SDL953 or one of the satellites expects a power up. |
| 11 | OAR (Operator acknowledge requested) | 0: No request for acknowledgment. |
|  |  | 1: The IC220SDL953 requests an acknowledgment by the user. |
| 10 ... 0 | Diagnostic code/address | Bit 14 = 0: The error message of the IC220SDL953 is displayed in bits 10 ... 0 together with the error class, number, and location (see "Errors: Messages and removal" on page 8-1). Previously: VersaSafe communication detected an acknowledgeable error resulting in communication being deactivated. |
|  |  | Bit 14 = 1: The error message of the VersaSafe address setting is displayed in bits 10 ... 0. |
OAR:
If safe communication is not running to one or more satellites, the OAR bit can indicate
that communication can be restored. The user restores communication by means of a
positive edge at the OA bit in Dev-Ack-LPSDO.
A positive edge at the OA flag acknowledges all currently pending operator acknowledge
requests from all satellites.
WARNING: Unexpected machine startup
If you do not want the machine to start up/restart automatically, configure the safety logic
accordingly.
Dev-Ack-LPSDO
(acknowledgment)
The register for acknowledging the IC220SDL953 has the following structure and function:
Table A-15
Dev-Ack register of the IC220SDL953
| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|
| Assignment | OA | S | QE5 | QE4 | QE3 | QE2 | QE1 | QE0 |

| Bit | Meaning | Function |
|---|---|---|
| 7 | OA (Operator acknowledge) | 0 -> 1: Acknowledgment of error message regarding failsafe communication (see also OAR bit in Dev-Diag register). |
| 6 | S (Start LPSDO) | 0 -> 1: Start of the project saved on the IC220SDL953. |
| 5 ... 1 | QE5 ... 1 (Quit error device 5 ... 1) | 0 -> 1: Acknowledgment of satellite error (satellite 5 to 1) by the user. If another error is present on the corresponding module, it is displayed as the next error. |
| 0 | QE0 (Quit error device IC220SDL953) | 0 -> 1: Acknowledgment of IC220SDL953 error message by the user. If another error is present on the module, it is displayed as the next error. |
OA:
A positive edge at the OA bit acknowledges all currently pending operator acknowledge
requests from all satellites.
S:
To start a project with a quick start, proceed as follows:
1. Initialize registers 4 to 7 of the IC220SDL953 (short protocol) with 0.
2. Set bit S to 1.
3. Write the project header CRC to registers 4 to 7 of the IC220SDL953.
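The register layouts of Tables A-13, A-14 and A-15 can be decoded on the standard-controller or monitoring side to see which action the island is asking for and to keep a record of when acknowledgment bits were raised. The following Python code is an added example, not code from the manual or from GE Intelligent Platforms; the function names and all sample register values are constructed, and the code only reports and never writes an acknowledgment.

```python
DEV_ACK_BITS = {7: "OA", 6: "S", 5: "QE5", 4: "QE4",
                3: "QE3", 2: "QE2", 1: "QE1", 0: "QE0"}  # Table A-15


def decode_island_diag(word):
    """Decode the 16-bit Dev-Diag-LPSDO register (Table A-14)."""
    diag = {
        "COK": bool(word & 0x8000),  # bit 15: communication OK
        "SA": bool(word & 0x4000),   # bit 14: bits 10..0 hold the address setting
        "E": bool(word & 0x2000),    # bit 13: group error message
        "PUR": bool(word & 0x1000),  # bit 12: power up requested
        "OAR": bool(word & 0x0800),  # bit 11: operator acknowledge requested
    }
    low = word & 0x07FF              # bits 10..0
    diag["address"] = low if diag["SA"] else None
    diag["error_code"] = None if diag["SA"] else low
    return diag


def decode_satellite_diag(word):
    """Decode a 16-bit Dev-Diag-x register (Table A-13) into (kind, value)."""
    selector = (word >> 13) & 0b111
    if selector == 0b111:
        return "diagnostic", word & 0x0FFF   # bit 12 has no function
    if selector == 0b100:
        return "no_error", None              # 8000hex
    if selector == 0b010:
        return "address", word & 0x1FFF
    return "reserved", word


def pending_actions(island_word, satellite_words):
    """List what the registers report; satellite_words maps satellite number -> word."""
    diag = decode_island_diag(island_word)
    actions = []
    if not diag["COK"]:
        actions.append("communication not OK or island node not parameterized")
    if diag["PUR"]:
        actions.append("power up requested (error cannot be acknowledged)")
    if diag["OAR"]:
        actions.append("operator acknowledge requested (positive edge at OA)")
    if diag["E"]:
        for number, word in sorted(satellite_words.items()):
            kind, value = decode_satellite_diag(word)
            if kind == "diagnostic":
                actions.append(f"satellite {number}: diagnostic code {value:#05x}")
    return actions


def ack_edges(samples):
    """Return (sample index, bit name) for every 0 -> 1 edge in Dev-Ack-LPSDO samples."""
    edges = []
    for i in range(1, len(samples)):
        rising = ~samples[i - 1] & samples[i] & 0xFF
        for bit in range(7, -1, -1):
            if (rising >> bit) & 1:
                edges.append((i, DEV_ACK_BITS[bit]))
    return edges


# Constructed sample values, not taken from a real installation.
ISLAND_WORD = 0x2923                              # E and OAR set, code 0x123 in bits 10..0
SATELLITE_WORDS = {1: 0x8000, 2: 0xE045, 3: 0x4013}
DEV_ACK_TRACE = [0x00, 0x80, 0x80, 0x00, 0x41]    # successive process-image snapshots

if __name__ == "__main__":
    for line in pending_actions(ISLAND_WORD, SATELLITE_WORDS):
        print(line)
    print(ack_edges(DEV_ACK_TRACE))
```

Because every bit in Dev-Ack-LPSDO acts on a 0 -> 1 edge, logging the edges rather than the levels gives one record per acknowledgment or project start.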
App-Diag-LPSDO
(application diagnostics)
The bits in this register can be freely programmed in VersaConf Safety. Implement diagnostics using these bits.
The IC220SDL953 register has the following structure and function:
Table A-16
IC220SDL953 App-Diag-LPSDO register
| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|
| Identifier in VersaConf Safety | 0_Q7 | 0_Q6 | 0_Q5 | 0_Q4 | 0_Q3 | 0_Q2 | 0_Q1 | 0_Q0 |
| Help text in VersaConf Safety | App_Diag.X7 | App_Diag.X6 | App_Diag.X5 | App_Diag.X4 | App_Diag.X3 | App_Diag.X2 | App_Diag.X1 | App_Diag.X0 |
App-Ack-LPSDO
(application acknowledgment for IC220SDL953)
The bits in this register can be freely programmed in VersaConf Safety and can be used
for the safety logic. Implement diagnostics using these bits.
The IC220SDL953 register has the following structure and function:
Table A-17
IC220SDL953 App-Ack-LPSDO register
| Bit | 15 | 14 | ... | 1 | 0 |
|---|---|---|---|---|---|
| Identifier in VersaConf Safety | 0_I15 | 0_I14 | ... | 0_Q1 | 0_Q0 |
| Help text in VersaConf Safety | App_Ack.X15 | App_Ack.X14 | ... | App_Ack.X1 | App_Ack.X0 |
Feedback-Data-PSDO/
Feedback-Data-LPSDO
(mirroring)
The bits in this register mirror the states of the digital outputs. In the event of an error, the
mirrored data can differ from the actual state of the outputs. This data is, therefore, only
provided as diagnostic information and must not be used as standard data. The structure
and function of the register are as follows:
Table A-18
Feedback-Data register (mirrored data)
| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|
| Assignment | OUT3_Ch2 | OUT3_Ch1 | OUT2_Ch2 | OUT2_Ch1 | OUT1_Ch2 | OUT1_Ch1 | OUT0_Ch2 | OUT0_Ch1 |
Enable-PSDO,
Enable-LPSDO
(data of the standard controller for the enable function)
The register contains standard data of the standard controller, which is to enable the
IC220SDL953 or the IC220SDL.... Each bit is assigned to a specific output. The structure
and function of the register are as follows:
Table A-19
Enable-PSDO/Enable-LPSDO register
| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|
| Assignment | OUT3_Ch2 | OUT3_Ch1 | OUT2_Ch2 | OUT2_Ch1 | OUT1_Ch2 | OUT1_Ch1 | OUT0_Ch2 | OUT0_Ch1 |
Short protocol
The short protocol is assigned as follows:
Table 10-2
Short protocol assignment
| Byte | Meaning | Description |
|---|---|---|
| 1 | Index | Object index to be accessed |
| 2 | Offset (low) | Start offset within the object (low) |
| 3 | Offset (high) | Start offset within the object (high) |
| 4 | Data | Value (dependent upon object index) |
Table 10-3
Possible indices in the short protocol
| Index [hex] | Meaning | Note |
|---|---|---|
| 11 | Project header saved in the IC220SDL953 | Read-only, uses short protocol |
| 90 | IC220SDL953 status | Read-only |
| 91 | Loading and starting of the project header | Write-only, uses short protocol |
| 92 | Address block | Write-only, uses short and long protocol |
| 93 | Logic block | Write-only, uses short and long protocol |
| 94 | Deletion of the project saved in the IC220SDL953 | Write-only, uses short protocol |
A6
Implementation of data flow between the standard
controller and the safety modules
For the parallel communication required between safe components, data flow must be
ensured by the relevant standard controller. Consistency must, therefore, be ensured over
the entire data width of the safe devices.
If data consistency is not ensured, the module shuts down and requests an operator
acknowledgment.
Data flow within standard infrastructure components is not safety-related. The measures
for safeguarding failsafe communication are implemented in the safe termination devices.
A 6.1
Implementation of data flow with a function block
A copy function block (COPY FB) to safeguard data flow between the VersaSafe modules
is available from GE Intelligent Platforms for certain systems.
A 6.2
Implementation of data flow without a function block
If a function block (COPY FB) is not available for your controller, you must implement data
flow within the VersaSafe system yourself.
The VersaSafe components are represented in the process image of the higher-level controller with a special I/O structure. The structure is mapped in the corresponding device description.
The components illustrated in Figure A-4 must be copied according to the arrows for the
data flow required between the VersaSafe components. The data/registers in bold are also
useful for the standard application program of the standard controller.
A7
Enable principle
The enable principle is implemented in the VersaSafe system. For this, all modules with
local outputs have an enable function integrated in the device firmware (ANDed bit-by-bit)
for each local safe output channel. The enable function can be parameterized
(enabled/disabled) for each specific channel.
When the enable function is enabled, the relevant safe local output is ANDed bit-by-bit with
the corresponding standard output of the standard controller (Data-LPSDO register). This
output is then only set if the result of the safety function calculation permits this and the
standard controller has set the corresponding output in the Data-LPSDO register (see also
"I/O image and data flow in a system comprising 1 IC220SDL953 and 3 satellites" on
page A-15).
The enable function is performed according to the single-channel or two-channel
parameterization of the safe outputs.
The enable function cannot be used in multiplexer mode.
The enable function is not graphically represented in VersaConf Safety in the safety logic
editor. Parameterize the enable function when parameterizing the channels.
The following figure illustrates the enable principle.
Figure A-6
Enable principle (example)
(Figure not reproduced. It shows the safety logic (SL) of the IC220SDL953: SSDI signals pass through safe function blocks (SFB), are ANDed with Data_LPSDO.0, Data_LPSDO.1, Data_LPSDO.2 and Data_LPSDO.4, and drive the outputs OUT0_Ch1 to OUT3_Ch2.)
SL: Safety logic
SFB: Safe function block
&: Standard function block for ANDing
SSDI: Signal from the IC220SDL543 safe input module
Data-LPSDO.x: Standard data of the standard control system, which is to enable the IC220SDL953; bit x
OUTx_Chy: Output x, channel y
Internal sequences
Table A-20
Parameterization of output channels for the example in Figure A-6
| Output/Channel | Output | Enable |
|---|---|---|
| OUT0_Ch1 | Single-channel | Enabled |
| OUT0_Ch2 | Single-channel | Enabled |
| OUT1_Ch1 | Two-channel | Enabled |
| OUT1_Ch2 | Two-channel | Enabled |
| OUT2_Ch1 | Two-channel | Enabled |
| OUT2_Ch2 | Two-channel | Enabled |
| OUT3_Ch1 | Single-channel | Disabled |
| OUT3_Ch2 | Single-channel | Disabled |
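The enable principle means that data from the standard (non-safe) controller can only withhold an output, never switch on an output that the safety logic holds off. The following Python model is an added example, not code from the manual or the module firmware; it uses the parameterization of Table A-20, the function names are hypothetical, and it assumes that for a two-channel output the Ch1 enable bit gates both channels, as the bit labels Data_LPSDO.2 and Data_LPSDO.4 in Figure A-6 suggest.

```python
CHANNELS = ("OUT0_Ch1", "OUT0_Ch2", "OUT1_Ch1", "OUT1_Ch2",
            "OUT2_Ch1", "OUT2_Ch2", "OUT3_Ch1", "OUT3_Ch2")  # bits 0..7

# Parameterization of Table A-20.
ENABLE_MASK = 0b00111111  # enable function "Enabled" for OUT0..OUT2, "Disabled" for OUT3
TWO_CHANNEL = (1, 2)      # OUT1 and OUT2 are parameterized as two-channel


def apply_enable(logic_result, enable_data,
                 enable_mask=ENABLE_MASK, two_channel=TWO_CHANNEL):
    """Return the output byte after the bit-by-bit AND of the enable stage.

    logic_result -- result of the safety logic, one bit per channel
    enable_data  -- standard data written by the standard controller
    enable_mask  -- bit set = enable function parameterized as enabled
    two_channel  -- output numbers (0..3) parameterized as two-channel
    """
    gate = enable_data & 0xFF
    for out in two_channel:
        ch1 = 1 << (2 * out)
        ch2 = ch1 << 1
        # Assumption: the Ch1 enable bit decides for both channels of the output.
        gate = (gate | ch2) if gate & ch1 else (gate & ~ch2)
    # Channels with the enable function disabled follow the safety logic alone.
    gate |= ~enable_mask & 0xFF
    return logic_result & gate & 0xFF


def names(byte):
    """Names of the channels whose bit is set in byte."""
    return [name for bit, name in enumerate(CHANNELS) if (byte >> bit) & 1]


def enable_only_restricts(enable_mask=ENABLE_MASK, two_channel=TWO_CHANNEL):
    """True if no enable_data value can set an output the safety logic holds off."""
    return all(
        (apply_enable(logic, data, enable_mask, two_channel) & ~logic & 0xFF) == 0
        for logic in range(256)
        for data in range(256)
    )


if __name__ == "__main__":
    # Safety logic permits every output, standard controller enables nothing:
    print(names(apply_enable(0xFF, 0x00)))        # only the channels without enable
    # Standard controller sets every enable bit, safety logic permits nothing:
    print(names(apply_enable(0x00, 0xFF)))        # no output is set
    # Enable bits 0, 2 and 4 set, as labeled in Figure A-6:
    print(names(apply_enable(0xFF, 0b00010101)))
    print("enable can only restrict:", enable_only_restricts())
```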
A8
Diagnostics
In addition to precise diagnostics for the standard bus system, the safe input and output
devices also support the detection of I/O errors and device errors.
A 8.1
Error detection in I/O devices
Safe inputs
Depending on the device type and parameterization, the following errors can be detected
at safe inputs:
– Short circuit
– Cross circuit
– Overload/short circuit of the clock outputs
When an error is detected at an input, the safe state is set for this input and a "0" is
transmitted in the input data of the input ("0" = safe state).
The corresponding error message is transmitted to the IC220SDL953 and the standard
controller.
For more detailed information about error detection at safe inputs, please refer to the user
manual for the IC220SDL543.
Safe outputs
Depending on the device type and parameterization, the following errors can be detected
at safe outputs:
– Short circuit
– Cross circuit
– Overload
– Violation of the shutdown time
When an error is detected at an output, the affected output is disabled ("0" = OFF = safe
state).
The corresponding error message is transmitted to the IC220SDL953 and the standard
controller.
For more detailed information about error detection at safe outputs, please refer to the
user manual for the IC220SDL... modules.
A 8.2
Detection of device errors
All serious errors that can result in the loss of or adversely affect the safety function cause
the entire device to enter the safe state. The FS LED on the safe device is permanently on.
Depending on the device type, the following errors lead to the safe state:
– Hardware fault in the circuit
– User error
– Module overload
– Overheating
– Faulty supply voltage
The corresponding error message is transmitted to the IC220SDL953 and the standard
controller.
To determine which errors are detected by a specific device, please refer to the
corresponding device documentation.
A 8.3
Acknowledgment of error messages for satellites
Errors that occur on satellites are acknowledged by the standard controller in the Dev-Ack-LPSDO register on the IC220SDL953 (see "Description of the registers" on page A-17).
The acknowledgment is forwarded to the satellites.
An example for the acknowledgment of error messages can be found in the quick start
guide for the IC220SDL953 (see "Ordering data: Documentation" on page 10-7).
A9
Configuration, parameterization, and download
An example for configuration, parameterization, and download can be found in the quick
start guide for the IC220SDL953 (see "Ordering data: Documentation" on page 10-7).
A 9.1
Configuration and parameterization using the VersaConf
Safety tool
The VersaConf Safety software tool is available to users for configuring the safety logic and
parameterizing the channels of the safety modules used. Configuration and
parameterization can be carried out offline, without connecting to the safety modules.
Configuration
During configuration, you select the modules, set the switches, and connect the safety
function in VersaConf Safety.
Parameterization
To parameterize the system, parameterize each input and output of the system. You must
also set the watchdog time for each satellite.
Configuration and parameter data record
The safe configuration and parameterization user interface of VersaConf Safety generates
a data record containing the configuration and parameterization data of all modules of a
VersaSafe island in the format specific to the controller. So that data consistency and
uniqueness can be checked, suitable means such as addresses, module IDs, and CRCs
are included in the configuration and parameter record.
Import this configuration and parameter data record into the standard controller used,
following the procedure for that controller.
On every power up, make this data record available to the IC220SDL953 island node (see
"Downloading the configuration and parameter data record following power up" on
page A-27). The IC220SDL953 module is thus parameterized. The satellites are
parameterized automatically by the IC220SDL953 module.
VersaConf Safety can be used as a stand-alone tool. However, depending on the control
system, calling VersaConf Safety can also integrate the transfer of the configuration and
parameter record deeper into the relevant control system.
Online help is available for the VersaConf Safety software tool.
VersaConf Safety should also be used in the planning phase. If the size of the configuration and parameter data record for the planned safety functions exceeds the memory
size, an error message is displayed and changes can be made at an early stage.
To roughly estimate the memory required, please use the information in "Memory sizes
for the safety logic" on page A-33.
A 9.2
Downloading the configuration and parameter data record following power up
The entire configuration and parameterization can be created offline with VersaConf
Safety. A fully installed system is not required until the download stage. Communication
must be running when transmitting the data record.
WARNING: Loss of safety function
Before downloading a data record, check whether the current data record is actually
loaded.
Make sure that you do not overwrite the data record on the IC220SDL953 with an old data
record. Information about a data record is provided in the project header.
During startup, do not configure a delete service for a configuration and parameter data
record. Before overwriting a data record, always read back the project header first.
Make sure that you are sending the correct data record to the correct IC220SDL953. If a
data record is sent to an IC220SDL953 for which it was not intended, an error message is
displayed in the diagnostic register of the IC220SDL953.
Function blocks can be downloaded for selected controllers.
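The checks in the warning above (correct record for the correct IC220SDL953, no overwrite with an old record, read back the project header first) can be written as a pre-download guard. This is an added example, not GE or VersaConf Safety code: the ProjectHeader fields, the Decision names, and the assumption that the header has already been read back by some controller-specific means are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class Decision(Enum):
    DOWNLOAD = "download allowed"
    ALREADY_LOADED = "identical record already loaded, nothing to do"
    WRONG_TARGET = "blocked: record was generated for another island"
    ROLLBACK = "blocked: candidate is not newer than the loaded record"


@dataclass(frozen=True)
class ProjectHeader:
    """Hypothetical view of a project header.

    The manual only says the header carries project information such as
    name, CRC and time stamp; the exact field set here is an assumption.
    """
    project_name: str
    island_number: int
    crc: int
    time_stamp: datetime


def check_download(candidate: ProjectHeader,
                   target_island: int,
                   loaded: Optional[ProjectHeader]) -> Decision:
    """Decide whether `candidate` may replace the record read back as `loaded`.

    `loaded` is None when no project header could be read back.
    """
    # Correct data record for the correct IC220SDL953?
    if candidate.island_number != target_island:
        return Decision.WRONG_TARGET
    # Nothing to overwrite.
    if loaded is None:
        return Decision.DOWNLOAD
    # Same project and same CRC: the current record is already loaded.
    if (candidate.project_name, candidate.crc) == (loaded.project_name, loaded.crc):
        return Decision.ALREADY_LOADED
    # Never overwrite the loaded record with an older (or same-age) one.
    if candidate.time_stamp <= loaded.time_stamp:
        return Decision.ROLLBACK
    return Decision.DOWNLOAD


# Constructed sample headers (not taken from a real project).
LOADED = ProjectHeader("press_line", 3, 0x1A2B3C4D, datetime(2011, 3, 1, 9, 0))
NEWER = ProjectHeader("press_line", 3, 0x99887766, datetime(2011, 6, 1, 9, 0))
OLDER = ProjectHeader("press_line", 3, 0x55AA55AA, datetime(2010, 12, 1, 9, 0))
OTHER_ISLAND = ProjectHeader("press_line", 4, 0x0BADF00D, datetime(2011, 7, 1, 9, 0))


def demo():
    """Return the decision for each constructed candidate against island 3."""
    return {
        "newer": check_download(NEWER, 3, LOADED),
        "older": check_download(OLDER, 3, LOADED),
        "same": check_download(LOADED, 3, LOADED),
        "other_island": check_download(OTHER_ISLAND, 3, LOADED),
        "first_load": check_download(NEWER, 3, None),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:13s} -> {decision.value}")
```

The guard complements, and does not replace, the error message that the IC220SDL953 itself raises in its diagnostic register when it receives a record that was not intended for it.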
A 10
Safe state
The safe state
– For safe output devices, the safe state is the power off state at the affected output
terminals
– For safe input devices, the safe state is the transmission of the "safe state value" ("0")
in the image of the affected inputs to the safe standard control system
– For transmission on the bus, the safe state is the transmission of the value "0"
The safe state can be a normal operating state or is set if a corresponding error has been
detected.
A 11
Time response in the VersaSafe system
In the planning phase of the machine/system and the VersaSafe system, specify the
required shutdown time for each safety function. This is ascertained on the basis of the
safety evaluation of the machine/system, taking into consideration the safety distances and
the approach speed. Observe the applicable standards and regulations.
In the planning phase of the planned VersaSafe system, also calculate the shutdown time
for the outputs.
Then, for each safety function, check whether, in conjunction with all other components,
the calculated shutdown time is sufficient to ensure compliance with the required shutdown
time for the safety function.
The aim of the calculations is to ensure that the safety function responds within the
required time.
A 11.1
Typical response time
The typical response time of the VersaSafe system is the time that elapses from the signal
being applied at the safe input terminal through to the response at the safe output terminal.
This time can usually only be achieved and measured during error-free operation of the
VersaSafe system.
The typical response time of the VersaSafe system is not relevant and not suitable for
dimensioning safety distances.
Figure A-7    Typical response time and required shutdown time for the safety function
[Figure labels: Typical response time of the VersaSafe system; tSF]
Table A-21    Key for formula and Figure A-8

| Abbreviation | Meaning | Note |
|---|---|---|
| tSF | Required shutdown time for the safety function | Determined from the application, e.g., from the required times according to the distance of a light grid |
The typical response time depends on the network and standard controller used.
A 11.2
Shutdown times
The required shutdown time for the safety function is based on the response times of the
sensors used, the VersaSafe system, the actuator used, and the stopping time of the
system. The required shutdown time of the safety function can be determined from the
safety distances or the safety distances are defined based on the determined guaranteed
shutdown time.
The guaranteed shutdown time for the safety function is based on the longest processing
time of the safe inputs involved in the safety function and the shutdown time of the safe
output (single-channel or two-channel) involved.
For the processing time of the safe inputs, please refer to the corresponding data sheets
for the safe input devices.
Figure A-8    Overview of shutdown times
[Figure labels: A, B, tSF, tS, tIN, tFWD_IN, tOUT_LPSDO, tFWD_OUT, tOUT, tA, tSTOP, tG]
This results in the following formula for tSF:
tSF = tS + tIN + tFWD_IN + tOUT_LPSDO + tFWD_OUT + tOUT + tA + tSTOP
Table A-22    Key for formula and Figure A-8

| Abbreviation | Meaning | Note |
|---|---|---|
| A | Demand of the safety function | |
| B | Safe state of the system | |
| tSF | Required shutdown time for the safety function | Determined from the application, e.g., from the required times according to the distance of a light grid |
| tS | Response time of the sensor | Sensor data sheet |
| tIN | Processing time of the input | Safe input module user manual |
| tFWD_IN | F-Watchdog time (communication) | Specified by the user in VersaConf Safety for each IC220SDL543 module |
| tOUT_LPSDO | Shutdown time of the IC220SDL953 | 10 ms; see technical data "VersaSafe system" on page 10-1 |
| tFWD_OUT | F-Watchdog time (communication) | Specified by the user in VersaConf Safety for each IC220SDL... module. Without forwarding to a satellite with outputs, tFWD_OUT = 0. |
| tOUT | Shutdown time of the output | Safe output module user manual. Without forwarding to a satellite with outputs, tOUT = 0. |
| tA | Response time of the actuator | Actuator data sheet |
| tSTOP | Stopping time of the machine | Measurement |
| tG | Guaranteed shutdown time | Calculation: tG = tIN + tFWD + tOUT_LPSDO |
Fluctuations in network communication and in the copy routines (e.g., including controller
STOP) result in safe communication being aborted.
tFWD
The F-Watchdog time (tFWD) is specified for each communication relationship in
VersaConf Safety.
The minimum achievable tFWD depends on the network and the controller (see
documentation for the controller used).
When specifying the F-Watchdog time, please remember that it can be affected by future
system expansions.
Within tFWD, the standard network and the standard controller must be able to transmit
telegrams from satellite to the IC220SDL953.
tS, tIN
If several sensors are involved in the safety function, the longest response time of the
sensors involved is included in the calculation.
If several inputs are involved in the safety function, the longest processing time of the
inputs involved is included in the calculation.
If several IC220SDL543 devices are involved in a safety function, the longest
F-Watchdog time is included in the calculation.
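The formula and selection rules above (longest tS, longest tIN, longest F-Watchdog time, and tFWD_OUT = tOUT = 0 without forwarding to a satellite with outputs) can be checked per safety function as follows. This is an added example, not part of the manual or of VersaConf Safety: all class and function names are hypothetical, every time value except the 10 ms tOUT_LPSDO is constructed, and using the longest input-side F-Watchdog time as tFWD in tG is an assumption.

```python
from dataclasses import dataclass
from typing import List

# Shutdown time of the IC220SDL953 (tOUT_LPSDO): 10 ms per Table A-22.
T_OUT_LPSDO_MS = 10.0


@dataclass
class SafetyFunction:
    name: str
    required_ms: float        # required shutdown time from the application
    sensor_ms: List[float]    # tS of every sensor involved
    input_ms: List[float]     # tIN of every safe input involved
    fwd_in_ms: List[float]    # F-Watchdog time of every input satellite involved
    actuator_ms: float        # tA, actuator data sheet
    stop_ms: float            # tSTOP, measured stopping time of the machine
    forwards_to_output_satellite: bool = False
    fwd_out_ms: float = 0.0   # tFWD_OUT, only used when forwarding
    out_ms: float = 0.0       # tOUT, only used when forwarding


def _longest(values: List[float], what: str) -> float:
    """Return the longest time; the manual requires the worst case."""
    if not values:
        raise ValueError(f"no {what} value given")
    if min(values) < 0:
        raise ValueError(f"negative {what} value")
    return max(values)


def guaranteed_shutdown_ms(sf: SafetyFunction) -> float:
    """tG = tIN + tFWD + tOUT_LPSDO (tFWD taken as longest input-side value)."""
    return (_longest(sf.input_ms, "tIN")
            + _longest(sf.fwd_in_ms, "tFWD")
            + T_OUT_LPSDO_MS)


def calculated_shutdown_ms(sf: SafetyFunction) -> float:
    """tS + tIN + tFWD_IN + tOUT_LPSDO + tFWD_OUT + tOUT + tA + tSTOP."""
    if sf.forwards_to_output_satellite:
        fwd_out, out = sf.fwd_out_ms, sf.out_ms
    else:
        # Without forwarding to a satellite with outputs both terms are 0.
        fwd_out = out = 0.0
    return (_longest(sf.sensor_ms, "tS")
            + guaranteed_shutdown_ms(sf)
            + fwd_out + out
            + sf.actuator_ms + sf.stop_ms)


def margin_ms(sf: SafetyFunction) -> float:
    """Positive margin: the calculated time stays within the required time."""
    return sf.required_ms - calculated_shutdown_ms(sf)


def meets_requirement(sf: SafetyFunction) -> bool:
    return margin_ms(sf) >= 0


# Constructed planning data (illustrative values only).
LOCAL_OUTPUT = SafetyFunction(
    name="light grid, output on IC220SDL953",
    required_ms=320.0,
    sensor_ms=[20.0, 35.0], input_ms=[3.0, 5.0], fwd_in_ms=[50.0, 80.0],
    actuator_ms=20.0, stop_ms=150.0)

REMOTE_OUTPUT = SafetyFunction(
    name="light grid, output on satellite",
    required_ms=320.0,
    sensor_ms=[20.0, 35.0], input_ms=[3.0, 5.0], fwd_in_ms=[50.0, 80.0],
    actuator_ms=20.0, stop_ms=150.0,
    forwards_to_output_satellite=True, fwd_out_ms=60.0, out_ms=10.0)

if __name__ == "__main__":
    for sf in (LOCAL_OUTPUT, REMOTE_OUTPUT):
        verdict = "OK" if meets_requirement(sf) else "TOO SLOW"
        print(f"{sf.name}: tG={guaranteed_shutdown_ms(sf):.0f} ms, "
              f"calculated={calculated_shutdown_ms(sf):.0f} ms, "
              f"required={sf.required_ms:.0f} ms, "
              f"margin={margin_ms(sf):.0f} ms -> {verdict}")
```

Rerunning the check after each change to an F-Watchdog time shows how much margin a future system expansion would consume.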
A 12
Achievable safety depending on the modules used
GE Intelligent Platforms recommends using the SISTEMA software utility to determine
achievable safety.
The SISTEMA software utility for the safety of control systems on machines can be
downloaded free of charge from the Internet site of the Institute for Occupational Safety
and Health of the German Social Accident Insurance, see
www.dguv.de/ifa/de/pra/softwa/sistema/index.jsp.
This Windows tool provides assistance in evaluating the safety of control systems within
the scope of EN ISO 13849-1.
According to SISTEMA, performance level PL e can be achieved with the maximum
configuration (IC220SDL953 module and 5 satellites). However, you should always check
your actual application to ascertain the level of safety that can be achieved.
A 13
Error messages
Behavior in the event of an error
Errors that occur on the safe devices can be detected using process data, function blocks,
and device LEDs.
These error messages can be evaluated in the standard application program or can be
displayed by means of a visualization.
For instructions on how to proceed in the event of an error, please refer to "Parameterization errors" on page 8-6.
Service information
In addition to error messages, service information can also be output. This information
takes the form of device message warnings that do not affect the safety function. These
warnings are either unacknowledged messages or messages that are acknowledged via
the controller.
Error classes
The response of all devices connected to the system and the safety functions to an error
depends on the error class detected.
There are 3 different error classes in the VersaSafe system:
– Critical system and device errors
– Parameterization and configuration errors
– I/O errors
A distinction is made based on:
– The severity of the error
– The reciprocal effects on other components in the system
– The acknowledgment and restart options
Acknowledgment
The acknowledgment of an error is an intentional user action (controlled via the standard
application program) with the aim of showing the system (or subsystem) that an error has
been removed and that the system (or subsystem) can reactivate the faulty component.
Errors affecting a VersaSafe island are acknowledged via the acknowledgment register of
the IC220SDL953 (see "Dev-Ack-LPSDO (acknowledgment)" on page A-19).
A 13.1
Critical system or device errors
All errors that are detected and immediately switch the device to the failure state are
assigned to this class.
They include:
– Hardware faults (detected by selftests within devices)
– Parameterization and configuration data errors (detected via the CRC)
– Control flow/program sequence errors within the firmware of a device
Errors in this class are usually errors within the system, the hardware, or the firmware,
which were not caused by the user and cannot be removed (device-specific exceptions are
possible).
It is not possible to acknowledge the error or continue operating. The affected devices can
only be restarted via a voltage reset. If the power on selftests are successful following a
restart, the system can continue to operate.
A 13.2
Parameterization or configuration errors
All errors that are detected during the plausibility check of parameters and configuration
data are assigned to this class. This check is usually carried out during the initialization
phase of the system. Following the detection of an error in this class, the devices enter the
safe state and are still able to send diagnostic information or receive new parameter or
configuration data.
It is not possible to acknowledge the error or continue operating without modifying the
parameter or configuration data of the affected device.
A 13.3
Communication errors
Errors detected in the safe protocol during network communication can lead to "operator
acknowledge requested" (acknowledgement by the user; see "Dev-Diag-LPSDO (LPSDO
diagnostics)" on page A-18). For example, these include:
– Transmission errors
– Data inconsistency when copying
– tFWD setting is incorrect (the network is too slow for the tFWD setting)
– Standard controller in STOP
These errors can be acknowledged. Do not acknowledge these errors from within the
application program. Acknowledgment must be triggered by an intentional user action.
A 13.4
I/O errors
All errors that can occur and are detected within the I/O devices connected to the safe I/O
devices are assigned to this class. For example, these include:
– Short/cross circuits at the inputs or outputs
– Other application-specific errors
These errors are usually detected in the operating phase of the system. When an error is
detected, the affected input or output is disabled and a diagnostic message is sent to the
IC220SDL953 and the standard controller. The standard system remains ready for
operation. Ongoing operation of the application depends on the application itself.
I/O errors can be acknowledged individually by the user in the standard application
program.
A 14
Startup and restart
A 14.1
Startup/restart following power up
The module starts up once the configuration and parameterization data record has been
downloaded successfully and the internal tests have been completed without errors.
WARNING: Unexpected machine startup
If you do not want the machine to start up/restart automatically, configure the safety logic
accordingly.
A 14.2
Restart after triggering a safety function
The VersaSafe system resets a safety-related output to "1" automatically when the safety
function trigger is reset.
WARNING: Unexpected machine startup
If you do not want the machine to restart automatically, configure the safety logic
accordingly.
A 15
Memory sizes for the safety logic
The maximum size of the safety logic is 20 kB.
The following guide values can be used as a basis for creating your safety logic:
– Size of the first instance of each block: 800 bytes
– Size of each additional instance: 300 bytes
– In the mix calculation, both of these values include a reserve for various other logic
operations (AND, OR, NOT, etc.).
For the actual size of the data record, please refer to VersaConf Safety. If the safety logic
limit has been exceeded, a corresponding error message is displayed by VersaConf
Safety. In this case, reduce the size of your safety logic.
B Appendix: Checklists
The checklists listed in this section provide support during the planning, assembly and
electrical installation, startup, parameterization, and validation of the IC220SDL953
module.
These checklists may be used as planning documentation and/or as verification to
ensure the steps in the specified phases are carried out carefully.
Archive the completed checklists to use as reference for recurring tests.
The checklists do not replace the validation, initial startup, and regular testing performed
by qualified personnel.
The following section of a checklist shows an example of a completed checklist.
Checklist . . .
Device type/equipment identification: IC220SDL953/BK20NA10
Version: HW/FW/FW: 00/100/100
Date: 2011-03-01
Author: John Smith
Test engineer: Jane Brown
Remark: System XXX has been checked for engine hood production

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| X | ... | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| Y | ... | | | |

Key:
Equipment identification: Enter the device type and/or the equipment identification for the relevant device.
Version: HW/FW/FW: Enter the hardware and firmware version of the device (see "Structure of the safety module" on page 2-2).
Date: Enter the date on which you began to fill in this checklist.
Author/Test engineer: Enter the names of the author and the test engineer.
Remark: Enter a remark, if necessary.
Requirement (mandatory): These requirements must be met for a safety application, in order to complete the relevant phase using the checklist.
Requirement (optional): These requirements are optional. For points that are not met, please enter an appropriate remark in the relevant field.
B 1
Checklists for the VersaSafe system
B 1.1
Planning
Checklist for planning the use of the VersaSafe system
Equipment identification:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | Has a hazard and risk analysis been carried out for the system/machine? | | |
| 2 | Has the corresponding safety integrity level (SIL, SIL CL, Cat., PL) been derived from the hazard and risk analysis? | | |
| 3 | Does the VersaSafe system meet the required safety integrity level? | | |
| 4 | Has the current IC220SDL953 user manual been used as the basis for planning? | | Revision: |
| 5 | Has the voltage supply been planned according to the specifications for the protective extra-low voltage in accordance with PELV? | | |
| 6 | Are safety distances that must be observed calculated according to the response and delay times implemented? | | |
| 7 | Has the required shutdown time for the safety function tSF resulting from the machine/system design been determined? | | tSF: |
| 8 | Can the planned application be implemented with the configuration options (e.g., by using function blocks)? | | |
| 9 | Does the planned use correspond to the intended use of the system? | | |
| 10 | Has the technical data of the VersaSafe system been observed? | | |
| 11 | Has it been ensured that in an overall system comprising the VersaSafe system and any higher-level PROFIsafe system, the addresses (address within the VersaSafe system and F-Address of the PROFIsafe system) are unique? | | |
| 12 | Within a VersaSafe system, is each island number only assigned once? | | |
| 13 | Is the application stop (OFF, STOP, emergency stop, triggering of safety equipment) implemented according to EN 60204? | | |
| 14 | When planning the safety functions, has the VersaConf Safety software tool been used to determine whether the memory space is sufficient for the size of the safety logic? | | |
| 15 | Has it been ensured that any person intentionally starting hazardous movements has a direct view of the danger zone? | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| 16 | Are all measures that are based on applicable standards planned? | | | |
| 17 | Have the VersaPoint specifications (e.g., cabling, power supply) been observed? | | | |
| 18 | Have the accessories to be used been planned (e.g., cables, connectors)? | | | |
| 19 | Is the transmission speed for the individual VersaPoint stations specified? | | | |
| 20 | Are the specifications for parameterization, assembly, electrical installation, startup, and validation of the IC220SDL953 described? | | | |
| 21 | Are the specifications for parameterization, assembly, electrical installation, startup, and validation of the satellites described? | | | |
| 22 | Is the assignment of responsibility specified (e.g., for assembly/installation/configuration, parameterization/startup/validation, etc.)? | | | Name/company: |
| 23 | Are measures planned which prevent hazardous states in each phase (e.g., specification of individual steps in the procedure for each phase)? | | | |
| 24 | Is monitoring of the actuators and sensors controlled/requested by the VersaSafe system planned (e.g., reading of outputs)? | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 1.2
Configuration and parameterization
Checklist for configuration and parameterization of the VersaSafe system
Equipment identification:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | Has the safety logic been configured? | | |
| 2 | Have all inputs and outputs been fully and correctly parameterized? | | |
| 3 | Are standard input signals exclusively used to configure standard operations (e.g., for the enable principle using the EN_OUT block or for acknowledgment)? | | |
| 4 | Has it been ensured that in the overall system comprising VersaSafe and any higher-level PROFIsafe system, the addresses (address within the VersaSafe system and F-Address of the PROFIsafe system) are unique? | | |
| 5 | Has watchdog time tFWD been set for each satellite according to the application? | | |
| 6 | Has the correct terminal point been assigned to the correct signal? | | |
| 7 | Is the island address set correctly? | | |
| 8 | For IC220SDL953 outputs that are parameterized for two-channel operation, are both channels parameterized correctly for each other? | | |
| 9 | For satellite inputs that are parameterized for two-channel operation, are both channels parameterized correctly for each other? | | |
| 10 | For satellite outputs that are parameterized for two-channel operation, are both channels parameterized correctly for each other? | | |
| 11 | Has the switch-off delay for stop category 1 been observed in the calculation of the total response time for the machine/system? | | |
| 12 | Has prevention of undesired startup/restart been configured? | | |
| 13 | Has it been ensured that an operator acknowledgment can only be executed by an intentional user action? (Not configured as "automatic".) | | |
| 14 | Has the checklist/project information been processed in VersaConf Safety ("Project... Project Info" menu item)? | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| 15 | | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 1.3
Startup
Checklist for startup of the VersaSafe system
Equipment identification:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | During startup, is it ensured that any person starting hazardous movements intentionally can only do so with a direct view of the danger zone? | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| 2 | Are startup specifications applicable? | | | |
| 3 | If applicable, have startup specifications been met? | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 1.4
Safety functions
Enter all the safety functions for your application in this checklist.
Checklist for checking safety functions
Equipment identification:
Date:
Author:
Test engineer:
Remark:

| No. | Safety functions | Yes | Remark |
|---|---|---|---|
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |
| 8 | | | |
| 9 | | | |
| 10 | | | |
| 11 | | | |
| 12 | | | |
| 13 | | | |
| 14 | | | |
| 15 | | | |
| 16 | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 1.5
Validation
Checklist for validating the VersaSafe system
Equipment identification:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | Have the mandatory requirements for planning been met? | | |
| 2 | If applicable, have the mandatory requirements for startup been met? | | |
| 3 | Has validation of the safe devices used been carried out and are the results available? | | |
| 4 | Are safety distances that must be observed calculated according to the response and delay times implemented? | | |
| 5 | Have all the safety functions been checked successfully? | | |
| 6 | Do all the islands in the system have different island addresses? | | |
| 7 | Has it been ensured that in the overall system comprising VersaSafe and any higher-level PROFIsafe system, the addresses (address within the VersaSafe system and F-Address of the PROFIsafe system) are unique? | | |
| 8 | Has the VersaConf Safety project been printed with the project information (name, CRC, time stamp, etc.)? | | |
| 9 | Has the CRC of the VersaConf Safety project printout been compared with the CRC of the loaded project header and do they match? | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| 10 | Are the directives and standards used listed in the declaration of conformity? | | | |
| 11 | Has the safety logic created in VersaConf Safety been packed and archived? Enter the archiving location (e.g., drive or cabinet) in the "Remark" column. | | | |
| 12 | Has a complete printout of the safety logic configured in VersaConf Safety been stored for the system? | | | |
| 13 | Have all fully completed checklists been stored for the system? | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 2
Checklists for the IC220SDL953 module
B 2.1
Planning
Checklist for planning the use of the safety module
Device type/equipment identification:
Version: HW/FW/FW:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | Has the current module user manual been used as the basis for planning? | | Revision: |
| 2 | Does the planned use correspond to the intended use? | | |
| 3 | Has the technical data of the module been observed? | | |
| 4 | Are the actuators approved for connection to the module (according to the technical data and parameterization options)? | | |
| 5 | Has the voltage supply been planned according to the specifications for the protective extra-low voltage in accordance with PELV? | | |
| 6 | Has the power supply of UM and US from a power supply unit been planned? | | |
| 7 | Is external fuse protection of the module planned (according to the specifications in this user manual for supply voltage UM)? | | |
| 8 | Is use in a control cabinet (IP54) planned? | | |
| 9 | Are measures planned to prevent simple manipulation? | | |
| 10 | Are measures planned to prevent connectors being mixed up? | | |
| 11 | Are requirements for the actuators and cable installation observed according to the SIL/SIL CL/Cat./PL to be achieved and is the corresponding implementation planned? | | |
| 12 | Are the specifications for the address assignment for the islands specified? | | |
| 13 | Are the specifications for the parameterization for each channel specified? | | |
| 14 | Are test intervals specified for testing the shutdown capability of the actuators, if this is required to achieve a SIL/SIL CL/Cat./PL? | | |
| 15 | Has it been ensured that any person intentionally starting hazardous movements has a direct view of the danger zone? | | |
| 16 | Have test intervals been defined? | | |
| 17 | Has the switch-off delay for stop category 1 been observed in the calculation of the total response time for the machine/system? | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| 18 | Have specifications for assembly and electrical installation been defined (e.g., EPLAN) and communicated to the relevant personnel? | | | |
| 19 | Have specifications for startup been defined and communicated to the relevant personnel? | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 2.2
Assembly and electrical installation
Checklist for assembly and electrical installation of the safety module
Device type/equipment identification:
Version: HW/FW/FW:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | Was assembly and installation completed according to the specifications (specifications from the planning phase or according to the user manual)? | | |
| 2 | Was the safety module installed in the control cabinet (IP54)? | | |
| 3 | Do the cable cross sections correspond to the specifications? | | |
| 4 | Are requirements for the actuators and cable installation observed according to the SIL/SIL CL/Cat./PL to be achieved and is the corresponding implementation observed? | | |
| 5 | If error prevention (e.g., cross circuit to external signals) has been defined: Have the conditions for error prevention been implemented? | | |
| 6 | Is the transmission speed set correctly according to the specifications? | | |
| 7 | Is the operating mode set correctly according to the specifications? | | |
| 8 | Is the address set correctly according to the specifications? | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| 9 | | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 2.3
Startup
Checklist for startup of the safety module
Device type/equipment identification:
Version: HW/FW/FW:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | Was startup completed according to the specifications (specifications from the planning phase or according to the user manual)? | | |
| 2 | During startup, is it ensured that any person starting hazardous movements intentionally can only do so with a direct view of the danger zone? | | |
| 3 | Are safety distances that must be observed calculated according to the response and delay times implemented? | | |

| No. | Requirement (optional) | Yes | No | Remark |
|---|---|---|---|---|
| 4 | | | | |

Date, Signature (author):
Date, Signature (test engineer):
B 2.4
Validation
Checklist for validating the safety module
Device type/equipment identification:
Version: HW/FW/FW:
Date:
Author:
Test engineer:
Remark:

| No. | Requirement (mandatory) | Yes | Remark |
|---|---|---|---|
| 1 | Have all the mandatory requirements for the "Planning" checklist been met? | | |
| 2 | Have all the mandatory requirements for the "Assembly and electrical installation" checklist been met? | | |
| 3 | Have all the mandatory requirements for the "Startup" checklist been met? | | |
| 4 | Does the parameterization of the safe outputs correspond to the version and the actual connection of the controlled device? | | |
| 5 | Has the assignment of the actuators to the safety logic outputs been checked? | | |
| 6 | Has a function test been performed to check all safety functions, in which the module is involved? | | |
| 7 | Have measures been taken to achieve a specific Cat.? | | |
| 8 | Do all cables correspond to the specifications? | | |
| 9 | Does the voltage supply correspond to the specifications for the protective extra-low voltage in accordance with PELV? | | |
| 10 | Has the power supply of UM and US in the VersaPoint system from a power supply unit been implemented? | | |
| 11 | Is external fuse protection of the module implemented (according to the specifications in this user manual for supply voltage UM)? | | |
| 12 | Have measures been taken to prevent simple manipulation? | | |
| 13 | Have measures been taken to prevent connectors being mixed up? | | |
| 14 | Are the requirements for the actuators and cable installation observed according to the SIL/SIL CL/Cat./PL to be achieved? | | |
| 15 | Are the specifications for the parameterization for each channel implemented? | | |
| 16 | Are test intervals specified for testing the shutdown capability of the actuators, if this is required to achieve a SIL/SIL CL/Cat./PL? | | |
| 17 | Has it been ensured that any person intentionally starting hazardous movements has a direct view of the danger zone? | | |

Date, Signature (author):
Date, Signature (test engineer):
C Index
A
Abbreviations ............................................................. 1-5
Acknowledgment .................................................... A-31
Actuators
Connection options .............................................. 2-5
Requirements....................................................... 2-4
App-Ack-LPSDO..................................................... A-20
Assembly ................................................................... 4-4
C
Configuration error.................................................. A-32
Conformance with EMC Directive ............................ 10-6
Current carrying capacity................................... 3-1, 3-2
D
Data-x ..................................................................... A-17
Decommissioning ...................................................... 9-1
Dev-Ack-LPSDO..................................................... A-19
Dev-Ack-x ............................................................... A-17
Dev-Diag-x.............................................................. A-17
Device error ............................................................ A-31
Device errors
Outputs................................................................. 2-9
Serious errors....................................................... 2-9
Diagnostic indicators.................................................. 2-6
Directives ................................................................... 1-4
Disposal ..................................................................... 9-1
Documentation, latest ................................................ 1-5
E
Enable-LPSDO ....................................................... A-20
Enable-PSDO ......................................................... A-20
Error
Behavior in the event of an error....................... A-31
Configuration..................................................... A-32
Device ............................................................... A-31
Parameterization ............................................... A-32
System .............................................................. A-31
Error classes........................................................... A-31
Error messages ...................................................... A-31
Errors
Acknowledgment.................................................. 8-8
General ................................................................ 8-7
Outputs ................................................................ 8-4
Parameterization.................................................. 8-6
Removal............................................................... 8-1
Supply voltage ..................................................... 8-5
F
Feedback-Data-LPSDO.......................................... A-20
Feedback-Data-PSDO............................................ A-20
Free running circuit .................................................... 6-2
H
Housing dimensions .................................................. 2-2
I
I/O errors................................................................. A-32
ID code .................................................................... 2-10
Indicators, diagnostic and status ............................... 2-6
Input address area................................................... 2-10
Installation
Instructions........................................................... 4-1
Insulation rating ......................................................... 1-3
Island node ............................................................... A-5
Island number ............................................................ 5-1
L
Length code ............................................................. 2-10
Location ID................................................................. 5-1
M
Maintenance .............................................................. 9-1
module ....................................................................... 2-6
Mounting
Location ............................................................... 4-1
O
Output address area ................................................ 2-10
Outputs ...................................................................... 2-3
Device errors........................................................ 2-9
Errors ................................................................... 8-4
I/O errors .............................................................. 2-8
Parameterization .................................................. 5-2
Positive switching................................................. 2-3
Requirements for actuators.................................. 2-4
Single-channel assignment .................................. 2-3
Two-channel assignment ..................................... 2-3
P
Package slip .............................................................. 4-1
Parameter channel .................................................. 2-10
Parameterization........................................................ 5-1
Outputs................................................................. 5-2
Parameterization error ............................................ A-32
PELV........................................................... 1-2, 3-1, 3-2
Power supply unit ...................................................... 1-2
Processing time of the input ................................... A-29
PROFIsafe address ................................................... 5-1
Protective circuit ........................................................ 6-2
Prot-x ...................................................................... A-17
Q
Qualified personnel.................................................... 1-1
R
Register
App-Ack-LPSDO ............................................... A-20
Data-x................................................................ A-17
Dev-Ack-LPSDO ............................................... A-19
Dev-Ack-x.......................................................... A-17
Dev-Diag-x ........................................................ A-17
Enable-LPSDO.................................................. A-20
Enable-PSDO.................................................... A-20
Feedback-Data-LPSDO .................................... A-20
Feedback-Data-PSDO ...................................... A-20
Prot-x................................................................. A-17
Register length......................................................... 2-10
Remote device.......................................................... A-5
Removal..................................................................... 4-4
Repair ........................................................................ 9-1
Replacement, module................................................ 7-3
Response time
Typical............................................................... A-28
Response time of the actuator................................ A-30
Response time of the sensor .................................. A-29
Restart ............................................................. 7-3, A-33
S
Safe state................................................................... 2-8
Operating state .................................................... 2-8
Outputs ......................................................... 2-8, 2-9
Safety notes............................................................... 1-1
Satellite ..................................................................... A-5
Security seal .............................................................. 1-2
Service information ................................................. A-31
Shutdown time ........................................................ A-29
Guaranteed ....................................................... A-29
Required ........................................................... A-29
smartSafe system ..................................................... A-4
Standards .................................................................. 1-4
Startup ............................................................. 7-1, A-33
Status indicators ........................................................ 2-6
Stopping time of the machine ................................. A-30
Supply voltage
UM ................................................................ 3-1, 3-2
System error ........................................................... A-31
T
Test pulses ................................................................ 2-4
Transmission speed................................................... 1-2
Setting.................................................................. 4-2
U
Usage, correct ........................................................... 1-4
V
Validation ................................................................... 7-3
VersaSafe island....................................................... A-5
User manual IC220SDL953 - September 2011
GFK-2731