Allen-Bradley ArmorKinetix System Safe Monitor Functions Reference Manual
Allen-Bradley ArmorKinetix System Safe Monitor Functions is a safety system designed for use in up to SIL 3 (PLe) applications. This device is designed to provide safe stopping and monitoring functions for servo and induction motors, ensuring machine safety and operational reliability. The ArmorKinetix modules offer various configurations that meet specific safety requirements and enable flexible integration into your machine systems.
Catalog Numbers 2198-DSDxxxx-ERS2, 2198-DSDxxxx-ERS5, 2198-DSMxxxx-ERS2, 2198-DSMxxxx-ERS5
Safety Reference
Original Instructions

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

These labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

The following icon may appear in the text of this document.
Identifies information that is useful and can help to make a process easier to do or easier to understand.

Rockwell Automation Publication 2198-RM007A-EN-P - June 2023

Table of Contents

Preface
• Conventions
• Terminology
• Additional Resources

Chapter 1 - About Safe Stop and Safe Monitor Functions
• Safety Concept
• Certification
• Important Safety Considerations
• Stop Category Definition
• Performance Level (PL) and Safety Integrity Level (SIL)
• Average Frequency of a Dangerous Failure
• Kinetix Safe Motion-monitoring Operation
• Compatible Safety Controllers
• Motion and Safety Tasks
• Motion Safety Instances
• Safety Function Operation
• Safe Monitor Network Communication
• Explicit Messages
• Out of Box State

Chapter 2 - Safe Stop Functions
• Timed SS1 (drive-based) Stopping Function
• Monitored SS1 (drive-based) Stopping Function
• Ramp Monitored Function
• Monitored SS1 With Fault
• Monitored SS1 Request Removed
• Safe Torque-off Function
• Safe Stop Functions (drive-based) Assembly Tags
• Drive-based Safe Stopping Application Requirements
• Safety Application Requirements
• System Safety Reaction Time

Chapter 3 - Configure the Motion Safety Instances
• Understand Module Properties Categories
• Motion Only
• Safety Only
• Motion and Safety
• Configuring the Module
• Ethernet Address
• Advanced Tab
• Safety Network Number
• Module Properties
• Connection and Safety Categories
• Additional Categories
• Motion Category
• Actions Category
• Motion Safety
• Primary Feedback Category
• Secondary Feedback Category
• Scaling Category
• Discrepancy Checking Category
• STO Category
• SS1 Category
• Axis Properties Safety Actions
• Safety Actions Parameters
• Safe Torque Off Actions
• Safe Stop Actions
• Safety Connection Examples
• Safe Stop Only-No Feedback - ArmorKinetix DSD Module to Induction Motor
• Single Feedback Monitoring ArmorKinetix DSD Module to Kinetix VPL Motor with SIL2 Encoder
• Dual Feedback Monitoring ArmorKinetix DSD Module to Kinetix VPL Motor with SIL2 Encoder and using an 842HR for Discrepancy Encoder Checking
• Single Feedback Monitoring ArmorKinetix DSD Module to Kinetix MPL Motor with Hiperface, non-rated Safety Encoder
• Single Feedback Monitoring of ArmorKinetix DSM Module with Integrated Safety Encoder
• Encoder Types and SIL Ratings

Chapter 4 - Controller-based Safety Functions
• Drive Safety Instructions
• Before Adding the Safety Instructions
• Drive Safety Instruction Example
• Pass-through Data
• SFX Instruction
• SFX Instruction Example

Chapter 5 - Troubleshoot Safety Faults
• Safety Fault Names
• Understand Safety Faults
• Safety Core Fault
• Safe Torque-off Fault
• Safe Stop 1 Fault
• SS2, SOS, SBC, SLS, SLP, and SDI Faults
• Safety Feedback Faults
• Troubleshoot the Safety Function
• Safety Fault Reset

Appendix A - Controller Tags and Safety Attributes
• Motion Connection Axis Tags
• Safety Assembly Tags
• Safety Feedback Attributes
• Safe Stop Function Attributes
• Dual Channel Feedback Attributes

Appendix B - Safety Function Validation Checklist
• Safe Stop 1 (SS1)
• Safe Stop 2 (SS2)
• Safe Operating Stop (SOS)
• Safely Limited Speed (SLS)
• Safely Limited Position (SLP)
• Safe Direction (SDI)
• Safe Feedback Interface (SFX)
• Safe Brake Control (SBC)

Index

Preface

This publication explains how the ArmorKinetix® system can be used in up to Safety Integrity Level (SIL 3), Performance Level (PLe) applications. It describes the safety requirements, including PFH values and application verification information, and provides information to configure and troubleshoot the ArmorKinetix modules with safe-stopping and safe-monitoring functions. Use this publication if you are responsible for designing, configuring, or troubleshooting safety applications that use the ArmorKinetix modules.
You must have a basic understanding of electrical circuitry and familiarity with Kinetix 5700 drives and ArmorKinetix modules.

ATTENTION: Personnel responsible for the application of safety-related programmable electronic systems (PES) shall be aware of the safety requirements in the application of the system and shall be trained in using the system.

To install, configure, startup, and troubleshoot your ArmorKinetix system, refer to the ArmorKinetix System User Manual, publication 2198-UM006. For Kinetix 5700 drive specifications, see the Kinetix 5700, 5500, 5300, and 5100 Servo Drives Specifications Technical Data, publication KNX-TD003.

Conventions

These conventions are used throughout this publication:
• Bulleted lists, such as this one, provide information, not procedural steps
• Numbered lists provide sequential steps or hierarchical information
• When the phrase ‘GuardLogix® controller’ is used in this publication, it refers to either of the following controller families:
  - GuardLogix 5580
  - Compact GuardLogix 5380
• When the phrase ‘Logix 5000™ controller’ is used in this publication, it refers to any of the following controller families:
  - ControlLogix® 5570, CompactLogix™ 5370, or GuardLogix 5570
  - ControlLogix 5580 or GuardLogix 5580
  - CompactLogix 5380 or Compact GuardLogix 5380

Terminology

This table defines the abbreviations that are used in this manual.

Table 1 - Abbreviations and Definitions

Abbreviation | Full Term | Definition
Timed SS1; SS1-t | Timed Safe Stop 1; Safe Stop 1 time-controlled | Timed SS1 and Safe Stop 1 time-controlled (SS1-t) are synonymous. Both mean safe stop where the motor speed is decelerated to zero and once the maximum stop-time elapses, torque is removed from the motor. Safe Stop 1 time-controlled (SS1-t) is according to IEC 61800-5-2.
Monitored SS1; SS1-r | Monitored Safe Stop 1; Safe Stop 1 ramp-monitored | Monitored SS1 and Safe Stop 1 ramp-monitored (SS1-r) are synonymous. Both mean a safe stop where the motor speed is reduced to standstill within deceleration limits and once standstill speed is reached or the maximum stop-time elapses, torque is removed from the motor. Safe Stop 1 ramp-monitored (SS1-r) is according to IEC 61800-5-2.
Integrated STO | Integrated Safe Torque Off | Safe Torque Off safety function activated over the network.
– | Control application | Program that is designed using Studio 5000 Logix Designer® and downloaded to the controller.
– | Safety control application | Safety program that is designed using Studio 5000 Logix Designer and downloaded to the GuardLogix controller for functional safety.
– | Safe motion monitoring drive | A drive that supports safety feedback and communicates safety function status or control over the EtherNet/IP™ network.
DSL | Digital Servo Link | HIPERFACE DSL is a digital protocol that is trademarked by SICK AG.
CIP™ | Common Industrial Protocol | Protocol for industrial automation applications and trademarked by ODVA, Inc.
1oo2 | One out of Two | Refers to the behavioral design of a dual-channel safety system.
CAT | Category | ISO 13849-1 safety category.
IEC | International Electrotechnical Commission | Non-profit, non-governmental international standards organization that prepares and publishes international standards for all electrical, electronic, and related technologies, collectively known as electrotechnology.
EN | European Norm | European Standards (EN specifications) developed by the European Committee for Standardization for the European Union.
IGBT | Insulated Gate Bi-polar Transistors | Typical power switch used to control main current.
ISO | International Organization for Standardization | Voluntary organization whose members are recognized authorities on standards, each one representing another country.
PES | Programmable Electronic Systems | System for control, protection, or monitoring based on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices.
PFH | Average Frequency of a Dangerous Failure | The average frequency of a system to have a dangerous failure occur.
HFT | Hardware Fault Tolerance | Hardware fault tolerance is the minimum number of faults that can cause a loss of the safety function as defined by IEC 61508-2.
PL | Performance Level | ISO 13849-1 safety category.
SIL | Safety Integrity Level | A measure of a product's ability to lower the risk that a dangerous failure could occur.
DSD | Distributed Servo Drive | The Distributed Servo Drive (DSD) is an electronic drive that can be mounted on machine to control a servo or induction motor.
DSM | Distributed Servo Motor | The Distributed Servo Motor (DSM) combines an electronic servo drive with a servo motor resulting in a hybrid unit.
DSx | – | A DSx module refers to either a distributed servo drive (DSD) module or a distributed servo motor (DSM) module.
PIM | Power Interface Module | The Power Interface Module is an in-cabinet module that takes 24V DC input and provides 58V output with 4A rating, to provide control power to DSD/DSM modules.

Additional Resources

These documents contain additional information concerning related products from Rockwell Automation. You can view or download publications at rok.auto/literature.
Resource | Description
Kinetix Rotary Motion Specifications Technical Data, publication KNX-TD001 | Product specifications for Kinetix® VPL, VPC, VPF, VPH, VPS, Kinetix MPL, MPM, MPF, MPS; Kinetix TL and TLY, Kinetix RDB, Kinetix MMA, and Kinetix HPK rotary motors.
Kinetix Linear Motion Specifications Technical Data, publication KNX-TD002 | Provides product specifications for Kinetix MPAS and MPMA linear stages, Kinetix VPAR, MPAR, and MPAI electric cylinders, Kinetix LDAT linear thrusters, and Kinetix LDC linear motors.
Kinetix 5700, 5500, 5300, and 5100 Servo Drives Specifications Technical Data, publication KNX-TD003 | Provides product specifications for Kinetix Integrated Motion over the EtherNet/IP network and EtherNet/IP networking servo drive families.
Kinetix Rotary and Linear Motion Cable Specifications Technical Data, publication KNX-TD004 | Product specifications for Kinetix 2090 motor and interface cables.
Kinetix Servo Drive Performance Specifications per Ecodesign Regulation (EU) 2019/1781 Technical Data, publication KNX-TD006 | Provides energy efficiency performance data for Rockwell Automation Kinetix servo drives. This data supports IE2 compliance of Kinetix servo drives per EU 2019/1781.
ArmorKinetix System User Manual, publication 2198-UM006 | Provides information to install, configure, startup, and troubleshoot your ArmorKinetix system.
ArmorKinetix 2090 Cables and Connectors Installation Instructions, publication 2090-IN053 | Provides information for the ArmorKinetix 2090 cables.
Vertical Load and Holding Brake Management Application Technique, publication MOTION-AT003 | Provides information on vertical loads and how the servo motor holding-brake option can be used to help keep a load from falling.
GuardLogix 5580 and Compact GuardLogix 5380 Controller Systems Safety Reference Manual, publication 1756-RM012 | Provides information for development, operation, or maintenance of a GuardLogix or Compact GuardLogix controller-based safety system that uses the Studio 5000 Logix Designer application.
GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095 | Provides information that describes the GuardLogix Safety Application Instruction Set.
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 | Provides general guidelines for installing a Rockwell Automation industrial system.
Product Certifications website, rok.auto/certifications | Provides declarations of conformity, certificates, and other certification details.

Chapter 1

About Safe Stop and Safe Monitor Functions

Use this chapter to become familiar with the safe stop and safe monitor functions that are built into ArmorKinetix® Distributed Servo Drive (DSD) and Distributed Servo Motor (DSM) (inverter/motor).

Topics in this chapter:
• Safety Concept
• Kinetix Safe Motion-monitoring Operation
• Out of Box State

The ArmorKinetix DSD and DSM inverters are equipped for integrated (drive-based) Monitored SS1 and Timed SS1 stopping functions over the EtherNet/IP™ network. Drive-based safety functions operate in the drive and are activated through the network safety connection.

The ArmorKinetix DSx inverters also support controller-based monitoring functions. Controller-based safety functions operate in the GuardLogix® 5580 or Compact GuardLogix 5380 controllers and use the EtherNet/IP network to communicate with the safety I/O. This includes the safety functions provided by the Drive Safety tab of your Studio 5000 Logix Designer® project.
• The drive-based (Monitored SS1) stopping functions and controller-based monitoring functions apply to the 2198-DSD and 2198-DSM ERS5 modules

Table 2 - Integrated Functional Safety Support (Integrated Safety Over the EtherNet/IP Network)

• Drive-based stopping functions:
  - Timed Safe Stop 1 (SS1): Distributed Servo Motor Cat. No. 2198-DSMxxx-ERS2, 2198-DSMxxx-ERS5; Distributed Servo Drive Cat. No. 2198-DSDxxx-ERS2, 2198-DSDxxx-ERS5
  - Monitored Safe Stop 1 (SS1): 2198-DSMxxx-ERS5
• Controller-based stopping functions and controller-based monitoring functions (2198-DSMxxx-ERS5):
  - Monitored Safe Stop 1 (SS1)
  - Safe Stop 2 (SS2)
  - Safe Operational Stop (SOS)
  - Safely-limited Speed (SLS)
  - Safely-limited Position (SLP)
  - Safe Direction (SDI)
• Safety feedback function: Safety Feedback Interface (SFX)
• Integrated STO mode:
  - Safe Torque-off (STO): Distributed Servo Motor Cat. No. 2198-DSMxxx-ERS2, 2198-DSMxxx-ERS5; Distributed Servo Drive Cat. No. 2198-DSDxxx-ERS2, 2198-DSDxxx-ERS5

The 2198-DSD-ERS5 and 2198-DSM-ERS5 modules also support the safety feedback (SFX) instruction that provides safety position and velocity data to a GuardLogix safety controller for use in controller-based monitoring functions.

The ArmorKinetix DSD/DSM ERS2/ERS5 inverters/motor are only equipped for integrated Safe Torque Off (STO). See the ArmorKinetix System User Manual, publication 2198-UM006. The Kinetix 5700 family contains ERS3 and ERS4 drives, which support both Hardwire and Integrated STO. See the Kinetix 5700 Servo Drives User Manual, publication 2198-UM002 and Kinetix 5700 Safe Monitor Functions Safety Reference Manual, publication 2198-RM001 for more information.

Table 3 - Achievable Safety Function Ratings

Function | Mode | Achievable Safety Rating (1)
SS1 (2) | Monitored | SIL 3, PLe
SS2 (2) | Velocity check | SIL 3, PLe
SOS (2) | Velocity check | SIL 3, PLe
SLS (2) | - | SIL 3, PLe
SS2 | Position check | SIL 2, PLd
SOS | Position check | SIL 2, PLd
SDI | - | SIL 2, PLd
SLP | - | SIL 2, PLd

(1) Achievable safety rating depends on each system component. Performance level (PL) per ISO 13849-1 and safety integrity level (SIL) per IEC 61508, IEC 61800-5-2, and IEC 62061.
(2) SIL 3, PLe rating requires the use of two encoders.
The safe motion-monitoring drives can be configured for single feedback or dual feedback per axis to achieve the following safety rating:
• Single feedback configurations provide up to SIL 2 (PLd) capability.
• Dual feedback configurations provide up to SIL 3 (PLe) capability using velocity discrepancy checking. Safety functions that use position check with dual feedback have up to SIL 2 (PLd) capability.

Safety Concept

This section introduces you to the functional safety specifications and how the ArmorKinetix DSx modules meet those requirements.

Certification

The TÜV Rheinland group has approved the ArmorKinetix DSM ERS5 modules with support for Stopping Function SS1-r and DSM Monitoring Functions.

The TÜV Rheinland group has approved the ArmorKinetix DSx ERS2/ERS5 modules with support for Stopping Function STO/SS1-t and DSD ERS5 Stopping Function SS1-r and DSD Monitoring Functions.

These safety functions are for use in safety-related applications up to:
• Performance Level e (PLe), Category 3 per ISO 13849-1.
• SIL CL 3 per IEC 61508, IEC 61800-5-2, and IEC 62061.

Removing the motion producing power is considered to be the safe state.

See the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095, for more information on safe motion-monitoring instructions.

For product certifications currently available from Rockwell Automation, go to rok.auto/certifications.
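
The Timed SS1 (SS1-t) and Monitored SS1 (SS1-r) stopping functions named in the certification above differ in when torque is removed, per the Table 1 definitions. The following is an added, simplified model of those two definitions, not code from the manual or from Rockwell Automation; the function names, the linear deceleration envelope with its parameters, and the sample traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A trace is a list of (seconds since the SS1 request, motor speed) samples.
Trace = List[Tuple[float, float]]


@dataclass
class StopResult:
    torque_off_time: float               # seconds after the SS1 request
    reason: str                          # "standstill" or "max_stop_time"
    within_decel_limits: Optional[bool]  # None when deceleration is not monitored


def timed_ss1(max_stop_time: float) -> StopResult:
    """SS1-t per Table 1: torque is removed once the maximum stop-time
    elapses. Motor speed is not evaluated."""
    return StopResult(max_stop_time, "max_stop_time", None)


def monitored_ss1(trace: Trace, max_stop_time: float, standstill_speed: float,
                  min_decel: float, tolerance: float) -> StopResult:
    """SS1-r per Table 1: torque is removed when standstill speed is reached
    or the maximum stop-time elapses, whichever comes first.

    Assumption: the "deceleration limits" are modelled as a linear envelope
    that starts at the speed measured at the request and falls at min_decel,
    with a fixed tolerance added. The drive's reaction to leaving the
    envelope is not modelled here; the result only reports it.
    """
    if not trace:
        raise ValueError("trace must contain at least one sample")
    v0 = abs(trace[0][1])
    within = True
    for t, v in trace:
        if t >= max_stop_time:
            break  # stop-time elapsed before standstill was seen
        speed = abs(v)
        envelope = max(0.0, v0 - min_decel * t) + tolerance
        if speed > envelope:
            within = False
        if speed <= standstill_speed:
            return StopResult(t, "standstill", within)
    return StopResult(max_stop_time, "max_stop_time", within)


# Constructed sample traces (speed in rpm, sampled every 0.5 s).
GOOD_TRACE: Trace = [(0.0, 1000.0), (0.5, 750.0), (1.0, 500.0),
                     (1.5, 250.0), (2.0, 0.0)]
SLOW_TRACE: Trace = [(0.0, 1000.0), (0.5, 950.0), (1.0, 900.0), (1.5, 850.0),
                     (2.0, 800.0), (2.5, 750.0), (3.0, 700.0)]

# Constructed limits: 3 s maximum stop-time, 10 rpm standstill speed,
# 400 rpm/s minimum deceleration, 50 rpm tolerance.
LIMITS = dict(max_stop_time=3.0, standstill_speed=10.0,
              min_decel=400.0, tolerance=50.0)

if __name__ == "__main__":
    print("Timed SS1:            ", timed_ss1(LIMITS["max_stop_time"]))
    print("Monitored SS1 (good): ", monitored_ss1(GOOD_TRACE, **LIMITS))
    print("Monitored SS1 (slow): ", monitored_ss1(SLOW_TRACE, **LIMITS))
```

With the constructed traces, Monitored SS1 removes torque a full second before the stop-time expires when the motor follows the ramp, while Timed SS1 always waits for the full stop-time regardless of what the motor does.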

Important Safety Considerations

The system user is responsible for the following:
• Validation of any sensors or actuators that are connected to the system
• Completing a machine-level risk assessment
• Certification of the machine to the desired ISO 13849 Performance Level or IEC 62061 SIL level
• Project management and proof testing in accordance with ISO 13849

Stop Category Definition

You must use a risk assessment to determine the selection of a stop category for each stop function.
• Stop Category 0, as defined in IEC 60204, or Safe Torque-off as defined by IEC 61800-5-2, is achieved with immediate removal of power to the actuator, which results in an uncontrolled coast-to-stop.
• Stop Category 1, as defined in IEC 60204, or Safe Stop 1 (Monitored SS1 and Timed SS1), as defined by IEC 61800-5-2, is achieved with power available to the machine actuators to achieve the stop. Power is removed from the actuators when the configured stop is achieved.

Performance Level (PL) and Safety Integrity Level (SIL)

For safety-related control systems, Performance Level (PL), according to ISO 13849-1, and SIL levels, according to IEC 61800-5-2, IEC 61508, and IEC 62061, include a rating of the system's ability to perform its safety-related functions. All safety-related components of the control system must be included in both a risk assessment and the determination of the achieved levels.

See the ISO 13849-1, IEC 61508, and IEC 62061 standards for complete information on requirements for PL and SIL determination.

Average Frequency of a Dangerous Failure

Safety-related systems are classified as operating in a High-demand/continuous mode. The SIL value for a High-demand/continuous mode safety-related system is directly related to the average frequency of a dangerous failure per hour (PFH).
PFH calculations are based on the equations from IEC 61508 and show worst-case values. Table 4 demonstrates the worst-case effect of various configuration changes on the data.

IMPORTANT: Determination of safety parameters is based on the assumptions that the system operates in High-demand mode and that the safety function is requested at least once every three months.

Table 4 - PFH for 20-year Proof Test Interval - DSD Modules

Attribute | 2198-DSx-ERS2 Single-axis Inverters | 2198-DSx-ERS5 Single-axis Inverters
PFH (1e-9) (under worst case conditions) | 3.38 | 3.38
HFT (hardware fault tolerance) (1) | 1 | 1
Proof test (years) | 20 | 20
MTTFd (Mean Time to Failure) years | 128 | 128
DC avg (Diagnostic Coverage) % | 90 | 90
Category | 3 | 3
PL (Performance Level) | e - for support of the safety stopping functions; d - for support of monitoring functions | e - for support of the safety stopping functions
SIL (Safety Integrity Level) | 3 - for support of the stopping functions; 2 - for support of monitoring functions | up to 3
SFF (Safe Failure Fraction) % | 95 | 95

(1) A hardware fault tolerance of N means that N+1 is the minimum number of faults that can cause a loss of the safety function as defined by IEC 61508-2.

The DSM module is equipped with a Hiperface DSL functional safety-rated feedback sensor, which is designed to maintain the functional safety rating of the feedback sensor attached.
Table 5 - PFH for 20-year Proof Test Interval - DSM Module Encoder Reliability Data
Attribute | 2198-DSM0xx-ERSx-x075xx-W | 2198-DSM0xx-ERSx-x1xxxx-T
Probability of a Dangerous Failure per Hour (PFH) | 350.0 x 10^-9 at 115 °C (239 °F) ambient temperature | 370.0 x 10^-9 at 115 °C (239 °F) ambient temperature

Kinetix Safe Motion-monitoring Operation

In safe motion-monitoring applications, the 2198-DSDxx-ERS5 and the 2198-DSMxxx-ERS5 inverter/motors provide safety position and velocity information over the EtherNet/IP network. The following components are included in typical safe motion-monitoring drive systems.

Table 6 - Safe Motion-monitoring System Components
Safety System Component | Description | Bulletin/Cat. No.
ArmorKinetix modules | Distributed Servo Drive with Safe motion monitoring support. | 2198-DSDxx-ERS5
ArmorKinetix modules | Distributed Servo Motor with safe motion monitoring support. | 2198-DSMxx-ERS5
Compact GuardLogix controller | Safety controllers required for use in safe motion-monitoring applications with 2198-xxxxx-ERS5 distributed servo motor/inverter | 5380
GuardLogix controller | Safety controllers required for use in safe motion-monitoring applications with 2198-xxxxx-ERS5 distributed servo motor/inverter | 5580
Studio 5000 Logix Designer | Application environment | Version 35.00 or later
External SIN/COS encoder | Used in Dual Feedback Monitoring applications on the Distributed Servo drive/inverter only when using VPx SIL2 motor configurations. | 842HR
Kinetix VP rotary motors (1) | Kinetix VPL, VPF, or VPH servo motors with SIL 2 (PLd) rated (-W or -Q) encoders. | • VPL-Bxxxx-W, VPL-Bxxxx-Q • VPF-Bxxxx-W, VPF-Bxxxx-Q • VPH-Bxxxx-W, VPH-Bxxxx-Q
Kinetix VP electric cylinders | Kinetix VPAR electric cylinder with SIL 2 (PLd) rated (-W or -Q) encoders | VPAR-Bxxxx-W, VPAR-Bxxxx-Q
MP-Series™ rotary motors (1) (2) | Kinetix MP servo motors with single-turn (-S) and multi-turn (-M) encoders. | • MPL-Bxxxx-S, MPL-Bxxxx-M • MPF-Bxxxx-S, MPF-Bxxxx-M
• MPM-Bxxxx-S, MPM-Bxxxx-M
(1) SIL and PL rating is dependent on the motor encoder, the external encoder (if present), and how they are used in the safety application.
(2) Kinetix MP motors can only be used for single channel feedback purposes to a 2198-DSDxxx-ERS5 because there is a single power and feedback connection.

In this example, the components that are described in Table 6 are used in a motion and safety control system with dual-feedback monitoring.

Figure 1 - Safe Motion-monitoring Configuration
(Figure labels: Compact GuardLogix 5380 or GuardLogix 5580 Safety Controller (GuardLogix 5580 Safety Controller is shown); Studio 5000 Logix Designer Application (version 35.00 or later); EtherNet/IP; 1783-BMS Stratix® 5700 Switch; 1585J-M8CBJM-x Ethernet (shielded) Cable; 1734-AENTR POINT Guard I/O™ EtherNet/IP Adapter, Safety Device; ArmorKinetix PIM Module; ArmorKinetix DSD Module; ArmorKinetix System with Integrated Safety Functions, Controller-based Instruction Example. Primary Feedback: Kinetix VPL, VPF, VPH servo motors with -W or -Q encoders, or Kinetix VPAR electric cylinders with -W or -Q encoders. Secondary Feedback: Bulletin 842HR SIN/COS Encoder for Dual Feedback Monitoring Applications. Position feedback is sent separately to the drive for safety and for motion control.)

Compatible Safety Controllers

A GuardLogix 5580 or Compact GuardLogix 5380 safety controller is required for integrated safety control of the ArmorKinetix module stopping and monitoring functions. The Studio 5000 Logix Designer application, version 35 or later, supports programming, commissioning, and maintaining GuardLogix safety controllers with ArmorKinetix systems.
The safety connection can originate from either of these GuardLogix controllers:
• A GuardLogix 5580 or Compact GuardLogix 5380 safety controller that provides both safety and motion control
• A GuardLogix 5580 or Compact GuardLogix 5380 safety controller that controls only the safety connection, while a separate ControlLogix® 5570, ControlLogix 5580, CompactLogix™ 5370, or CompactLogix 5380 controller controls the motion connection

Motion and Safety Tasks

Motion systems that are built using Rockwell Automation® Integrated Architecture® components have separate motion and safety functions. In a typical control application with motion and safety connections, motion and safety tasks run in the following Logix 5000™ controllers:
• Motion functions operate in a motion task of any ControlLogix or CompactLogix (Logix 5000) controller
• Safety functions operate in a safety task of only GuardLogix 5580 or Compact GuardLogix 5380 controllers
• Motion tasks and safety tasks can operate in the same GuardLogix controller or in separate controllers
• The safety task, operating in a GuardLogix controller, communicates with the drive module with a safety connection over the EtherNet/IP network. See Safety Task in Figure 3 on page 17.
• The motion task, operating in any of these controllers, communicates with the drive module Associated Axes with a motion connection over the EtherNet/IP network. See Motion Task in Figure 3 on page 17.
• Feedback from position encoders, supplied to the motion tasks, is also associated with the axis.

Motion Safety Instances

The ArmorKinetix (2198-xxxx-ERS5) modules also contain a motion safety instance to provide integrated safety functions. The safety instances operate independently of the inverters and feedback that is used for motion. The drive module safety instances receive encoder safety feedback for use with the integrated safety functions.
The safety feedback is also supplied to the controller safety task over the safety connection, for use with controller-based safety functions that may operate in the controller.

A motion and safety system can be configured so that a safety function operates in the controller. This type of configuration is referred to as a controller-based safety function. The system can also be configured so that the safety function operates in the drive module, with the initiation and monitoring of the function in the safety task. This type of safety function is referred to as drive-based safety. A motion system can have both controller-based and drive-based safety functions.

Safety Function Operation

In this example, we describe how a motion and safety control system operates and how motion and safety tasks are coordinated. In typical motion and safety system applications, an E-stop switch is used to stop the system. In the following example, the switch is used to initiate the process that brings the axis to a controlled stop before removing power. This type of stop is called Stop Category 1. The motion task and drive inverter are responsible for bringing the axis to a Category 1 stop. Simultaneously, to make sure that the Stop Category 1 is correctly executed by the motion system, the safety task initiates a Monitored SS1 safety function. The SS1 safety function can be configured to use the drive-based SS1 function or it can be configured to use the controller-based SS1 function.

This sequence of events represents the steps that are required for a Monitored SS1 drive-based safety function. The words module and axis (italic) in these steps represent the module and axis name assigned in the Studio 5000 Logix Designer application.

1. The safety task reads the E-stop input and detects the switch actuation.
2. The safety task communicates an SS1 request by setting the bit: module:SO.SS1Request tag of the drive (inverter) motion-safety instance.
3. The motion-safety instance in the drive communicates to the drive motion core of the Axis Safety Status.
4. The motion core communicates with the motion controller running the motion task by updating the motion axis tag axis.SS1ActiveStatus.
5. The motion task controls the axis to bring the motor to a stop within the Monitored SS1 limits for speed and time.
6. While the axis is stopping, the SS1 function (in the motion-safety instance) monitors the axis speed to make sure it remains below the speed limit and maximum stopping time.
7. When the axis reaches standstill speed, the motion-safety core activates the Safe Torque-off function.

This sequence of events represents the steps that are required for a Monitored SS1 controller-based safety function. The words module and axis (italic) in these steps represent the module and axis name assigned in the Studio 5000 Logix Designer application.

1. The safety task reads the E-stop input and detects the switch actuation.
2. The safety task activates the SS1 safety instruction running in the safety task.
3. The SS1 instruction communicates an SS1 active by setting the bit: module:SO.SS1Active tag of the drive (inverter) motion-safety instance.
4. The motion-safety instance in the drive communicates to the drive motion core of the Axis Safety Status.
5. The motion core communicates with the motion controller running the motion task, by updating the motion axis tag axis.SS1ActiveStatus.
6. The motion task controls the axis to bring the motor to a stop within the Monitored SS1 limits for speed and time.
7. While all events are occurring, the motion-safety instance updates the Feedback Velocity tag, module:SI.FeedbackVelocity, in the safety controller.
8. The SS1 function running in the safety task receives the speed that is scaled by the SFX safety instruction and makes sure that the axis remains below the speed limit and maximum stopping time.
9. When the axis reaches standstill speed the SS1 safety instruction outputs SS1 complete. The safety task communicates to the drive motion safety instance to activate STO by clearing the bit: module:SO.STOOutput tag of the drive motion-safety instance.

This figure shows how the safety task and motion tasks communicate with the drive.

Figure 2 - Safe Monitor System Communication
(Figure labels: Motion Controller (motion task) (1); Safety Controller (safety task) (1); CIP Motion™ Protocol; CIP Safety™ Protocol; Kinetix 5700 Single-axis Inverter; Control Hardware; Integrated Motion; Motion Core; Motion Safety Instance; Power Hardware; Primary Encoder (SIL 2, PLd); Servo Motor; Secondary Encoder)
(1) Motion and Safety connections can be made from a single Safety controller or two separate Motion and Safety controllers.
(2) The secondary encoder is required to meet a SIL 3 system rating.

Safe Monitor Network Communication

The safe monitor network executes motion and safety tasks by using CIP™ protocol.

Figure 3 - Motion and Safety Connections
(Figure labels: GuardLogix Safety Controller; Logix 5000 Motion Controller; When a single controller is used for motion task and safety task; Safety Task; Motion Task; Safety Connection; Explicit Messages; Motion Connection; Safety fault and status sent to motion controller axis tags; Motion Axis; Motion Core; Motion Safety Instance; 2198-DSxxxx-ERSx Drive Module)

Motion Connection

The motion connection communicates drive motion and safety status to the motion task.
The motion connection also receives motion commands from the motion task in the motion controller. Data is exchanged at a periodic rate over the connection. To configure the drive-module motion connection Axis Properties in the Studio 5000 Logix Designer application, see the ArmorKinetix System User Manual, publication 2198-UM006.

Some of the axis tags are updated from fault and safety status provided by the safety instance in the drive module. The safety instance sends this status to the motion core and then on to the motion controller. Axis tags show the updated status. See Figure 3 - Motion and Safety Connections for an illustration on how status is sent to the motion controller.

IMPORTANT: Axis tags are for status only and are not used by the safety function.

Table 7 - Motion Connection Axis Tags
Axis Tag Name (motion controller) | Motion Connection Attribute # | Data Type | Description | Safety Output Assembly Tag Name (safety controller)
Axis.AxisSafetyState | 760 | DINT | Drive module Safety Supervisor state. See the Safety Supervisor State on page 19 for more details. | None
Axis.AxisSafetyDataA | 986 | DINT | 32-bit data container holding general purpose safety-data passed from the safety controller. | module:SO:PassThruDataA
Axis.AxisSafetyDataB | 987 | DINT | 32-bit data container holding general purpose safety-data passed from the safety controller. | module:SO:PassThruDataB
Axis.AxisSafetyStatus | 761 | DINT | Collection of bits indicating the status of the standard safety functions for the axis as reported by Drive Safety Instance. | See individual bits in Table 37 on page 95.
Axis.AxisSafetyStatusRA | 762 | DINT | Collection of bits indicating the status of Rockwell Automation specific safety functions for the axis as reported by Drive Safety Instance. | See individual bits in Table 37 on page 95.
Axis.AxisSafetyFaults | 763 | DINT | Collection of bits indicating the Safety Fault status of the drive-module safety instances and integrated safety functions. | See individual bits in Table 37 on page 95.
Axis.AxisSafetyFaultsRA | 764 | DINT | Collection of bits indicating the safety fault status of Rockwell Automation safety functions. | See individual bits in Table 37 on page 95.
Axis.AxisSafetyAlarms | 753 | DINT | Reserved for future use. | —

Pass-through Data

Some of the Motion Connection axis tags are updated from information received from the Safety Connection. These data originate in the safety controller as Safety Output assembly tags and are passed through the drive and on to the motion controller, where the corresponding axis tag is updated. These data are called pass-through data. The pass-through data includes items such as status and faults for controller-based safety functions.

Two general purpose 32-bit words are provided in the output assembly from the safety controller and appear as AxisSafetyDataA and AxisSafetyDataB in the motion controller associated axis. Safety Data A and B are provided for the safety and motion application for additional safety program status. A typical use of Safety Data A and Safety Data B can be to indicate the value of a safety limit that is currently in effect, so that the motion application can control the motion accordingly.

IMPORTANT: Axis tags are for status only and are not used by the safety function.

For more information on pass-through data, see Pass-through Data on page 84.

Safety Connection

The safety controller communicates with the safety instances in the drive module over the safety connection. Cyclic data are passed in each direction over the safety connection and appear in safety controller tag structures called input and output assemblies. The safety connection cyclic rate is configured in the Studio 5000 Logix Designer application.
The Safety Input Assembly tag structure is data from the drive module safety instances to the safety controller. The Safety Output Assembly tag structure is data from the safety controller to the drive module safety instances.

Table 8 - Safety Input Assembly Tags
Safety Input Assembly Tag Name (input to safety controller) | Type/[bit] | Description
module:SI.ConnectionStatus | SINT | See individual bits in Table 38 on page 98.
module:SI.FeedbackPosition | DINT | Primary Feedback Position from drive-module safety instance. Value is in feedback counts.
module:SI.FeedbackVelocity | REAL | Primary Feedback Velocity from drive-module safety instance. Value is in revolutions/second.
module:SI.SecondaryFeedbackPosition | DINT | Secondary Feedback Position from drive-module safety instance. Value is in position counts.
module:SI.SecondaryFeedbackVelocity | REAL | Secondary Feedback Velocity from drive-module safety instance. Value is in revolutions/second.
module:SI.StopStatus | SINT | See individual bits in Table 38 on page 98.
module:SI.SafeStatus | SINT | See individual bits in Table 38 on page 98.
module:SI.FunctionSupport | SINT | See individual bits in Table 38 on page 98.

Safety Output Assembly Tag Name (output to safety controller) | Type/[bit] | Description
module:SO.PassThruDataA | DINT | 32-bit data container holding general purpose safety data passed from the safety controller.
module:SO.PassThruDataB | DINT | 32-bit data container holding general purpose safety data passed from the safety controller.
module:SO.PassThruStopStatus | SINT | Collection of Safe Stop Function Status bits.
module:SO.PassThruSpeedLimitStatus | SINT | Collection of Limit Function Status bits.
module:SO.PassThruPositionLimitStatus | SINT | Collection of bits indicating the Monitoring Function Limit status of controller-based functions. See individual bits in Table 39 on page 98.
module:SO.PassThruStopFaults | SINT | Collection of bits indicating the Safety Fault status of controller-based safety functions.
See individual bits in Table 39 on page 98.
module:SO.PassThruLimitFaults | SINT | Collection of bits indicating the Safety Fault status of controller-based safety functions. See individual bits in Table 39 on page 98.
module:SO.SafetyStopFunctions | SINT | A collection of bits used to activate (request) safety functions as in Table 39 on page 98.
Table 9 - Safety Output Assembly Tags

Explicit Messages

Use explicit messages to communicate with a drive and obtain additional fault, status, or configuration information that is not available in the Safety I/O Tag structure. Attribute data is useful for additional diagnostic information. An explicit message can be sent by any controller on the network and used to read any drive module attribute. See Motion Connection Axis Tags on page 95 for the drive-module safety attribute names and numbers to read the attribute values by using an MSG instruction. Refer to Figure 3 on page 17 to see how explicit messages are part of motion and safety communication.

When an explicit message is used, a class ID must be specified. The class ID identifies the safety object type in the drive module that is accessed.

Table 10 - Object Classes Available in Motion Safety Instances
Object Class | Motion Safety Instances (Single-axis Inverters)
Safety Supervisor | 1
Safe Stop Functions | 1
Safety Feedback | 2
Dual-channel Safety Feedback | 1

IMPORTANT: Explicit messages must not be used for any safety related function.

Safety Supervisor State

In the drive module, the connection to the safety instance or instances is controlled by a safety supervisor. The supervisor status can be read by the motion controller through the motion connection and the safety controller through the Safety Input Assembly or by an explicit message. The safety supervisor state provides information on the state of the integrated safety connection and the mode of operation.
There is only one safety supervisor object per drive module.

Table 11 - Safety Supervisor State: MSG
Parameter | Value | Description
Service Code | 0x0E | Get attribute single
Class | 0x39 | Safety supervisor
Instance | 1 | Drive-module safety instance associated with an axis
Attribute | 0x0B | Device status
Data Type | SINT | Short integer

Table 12 - Safety Supervisor States
Value | Safety Supervisor State | Definition | Safety Mode
2 | Configured (no safety connection) | No active connections | Integrated
4 | Running | Normal running state | Integrated
7 | Configuring | Transition state | Integrated
8 | Not Configured | Torque disabled | Out of the box
51 | Not Configured (torque permitted) | Out of box state with torque permitted | Out of box state, safety bypassed
52 | Running (torque permitted) | STO bypass state | Integrated

Figure 4 - Explicit Message Example

Safe Torque-off Mode

You can use the attribute STO Mode to check if the ArmorKinetix DSx module is in STO Bypass mode. STO Bypass mode is used to allow motion while commissioning or troubleshooting a system when Motion Direct Commands (MDC) are needed. See the ArmorKinetix System User Manual, publication 2198-UM006, for more about Safety Bypass and MDC commands.

Table 13 - Safe Torque-off Mode: MSG
Parameter | Value | Description
Service Code | 0x0E | Get attribute single
Class | 0x5A | Safety stop functions
Instance | 1 | Drive-module safety instance associated with an axis
Attribute | 0x104 | STO mode
Data Type | SINT | Short integer

Table 14 - Safe Torque-off Mode: Values
Value | Definition
1 | Normal operation
2 | STO bypass mode

Out of Box State

IMPORTANT: For procedures to restore the modules to the out-of-box state, see the ArmorKinetix System User Manual, publication 2198-UM006.
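The two reads from Tables 11 and 13, written out as an added example that is not part of the Rockwell manual: it encodes each request as a standard CIP message-router Get_Attribute_Single request and decodes the SINT reply against Tables 12 and 14. The function names and the reply bytes are constructed for illustration, the EtherNet/IP transport is left out, and, as the manual requires of explicit messages, the result is diagnostic only.

```python
"""Audit helper for the Safety Supervisor State and STO Mode reads (added example)."""
import struct

GET_ATTRIBUTE_SINGLE = 0x0E  # service code from Tables 11 and 13

# Table 12: value -> (state name, torque permitted without the safety function).
SUPERVISOR_STATES = {
    2: ("Configured (no safety connection)", False),
    4: ("Running", False),
    7: ("Configuring", False),
    8: ("Not Configured", False),
    51: ("Not Configured (torque permitted)", True),
    52: ("Running (torque permitted)", True),
}
STO_MODES = {1: "Normal operation", 2: "STO bypass mode"}  # Table 14


def _logical_segment(base, value):
    """Encode one CIP logical segment: 8-bit form if it fits, else padded 16-bit."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("segment value out of range")
    if value <= 0xFF:
        return bytes([base, value])
    return bytes([base | 0x01, 0x00]) + struct.pack("<H", value)


def build_get_attribute_single(class_id, instance, attribute):
    """Message-router request: service, path size in 16-bit words, then the path."""
    path = (_logical_segment(0x20, class_id)      # class segment
            + _logical_segment(0x24, instance)    # instance segment
            + _logical_segment(0x30, attribute))  # attribute segment
    return bytes([GET_ATTRIBUTE_SINGLE, len(path) // 2]) + path


def parse_sint_reply(reply):
    """Return the SINT carried by a successful Get_Attribute_Single reply."""
    if len(reply) < 4:
        raise ValueError("reply too short")
    service, _reserved, status, extra_words = reply[:4]
    if service != (GET_ATTRIBUTE_SINGLE | 0x80):
        raise ValueError("not a Get_Attribute_Single reply")
    if status != 0:
        raise ValueError(f"CIP general status 0x{status:02X}")
    data = reply[4 + 2 * extra_words:]
    if len(data) != 1:
        raise ValueError("expected exactly one SINT byte")
    return struct.unpack("<b", data)[0]


def audit_drive(supervisor_reply, sto_mode_reply):
    """List the conditions a commissioning check should not leave in place."""
    findings = []
    state = parse_sint_reply(supervisor_reply)
    name, torque_permitted = SUPERVISOR_STATES.get(state, (None, False))
    if name is None:
        findings.append(f"unknown safety supervisor state {state}")
    elif torque_permitted:
        findings.append(f"safety supervisor state {state}: {name}")
    mode = parse_sint_reply(sto_mode_reply)
    if mode not in STO_MODES:
        findings.append(f"unknown STO mode {mode}")
    elif mode == 2:
        findings.append(f"STO mode {mode}: {STO_MODES[mode]}")
    return findings


if __name__ == "__main__":
    # Requests for Table 11 (class 0x39, attribute 0x0B) and Table 13 (0x5A, 0x104).
    print(build_get_attribute_single(0x39, 1, 0x0B).hex())
    print(build_get_attribute_single(0x5A, 1, 0x104).hex())
    # Constructed replies: supervisor state 52 and STO mode 2 (drive left in bypass).
    print(audit_drive(bytes.fromhex("8e00000034"), bytes.fromhex("8e00000002")))
```
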
Chapter 2 Safe Stop Functions

Use this chapter to learn more about the Monitored SS1 and Timed SS1 stopping functions that are built into ArmorKinetix® DSD or DSM modules.

Topic
Timed SS1 (drive-based) Stopping Function
Monitored SS1 (drive-based) Stopping Function
Safe Torque-off Function
Safe Stop Functions (drive-based) Assembly Tags
Drive-based Safe Stopping Application Requirements

Monitored SS1 and Timed SS1 meet the requirements of Performance Level e (PL e) per ISO 13849-1 and SIL CL 3 per IEC 61508, IEC 61800-5-2, and IEC 62061.

In drive-based SS1 mode, the GuardLogix® 5580 or Compact GuardLogix 5380 safety controller issues the SS1 command over the EtherNet/IP™ network and the 2198-DSDxxx-ERS5 inverter or 2198-DSM-ERS5-xxx inverter/motor combination executes the SS1 command.

Timed SS1 (drive-based) Stopping Function

Timed SS1 is a safe stop function where a fixed amount of time is given for the drive to stop. Timed SS1 does not monitor the speed of the drive or detect standstill. Timed SS1 is initiated by setting the SS1 Request tag in the Safety Output Assembly for the drive module. When SS1 Request is received by the drive, the axis safety status is updated with SS1 Active. Once SS1 Active is set high (1), either the motion controller or the drive itself must stop the axis within the SS1 Max Stop Time. When Max Stop Time expires, SS1 Complete transitions to high (1), which activates STO. Once activated, STO operates as described in the section on STO Stop Function.

Figure 5 - Timed SS1 Normal Operation
(Figure labels: Stop Time, max; Axis Speed; SS1 Request; SS1 Active; SS1 Complete; STO Active; Torque Disabled; SS1 Start; STO Delay (1))
(1) For more information on STO Delay, see STO Category on page 51.
Attribute Name | Tag Name | Description | Value
SS1 Request | module:SO.SS1Request | An Output Assembly member that requests the drive to initiate its Safe Stop 1 function. | 0 – No Request; 1 – Request
SS1 Active | module:SO.SS1Active | The SS1 Active attribute is set to Active when any bit in SS1 Activation is set. | 0 – Not Active; 1 – Active
SS1 Complete | Tag Name does not apply. See Safe Stop Function Attributes on page 101. | When using SS1-Timed, the STO Activation Bit SS1-Complete is set when the SS1 Timer expires, setting STO Active to Disable Torque. | 0 – Not Active; 1 – Active
STO Active | module:SI.STOActive | When using SS1-Timed, the STO Activation Bit SS1-Complete is set when the SS1 Timer expires, setting STO Active to Disable Torque. | 0 – Not Active; 1 – Active
Torque Disabled | module:SI.TorqueDisabled | Output status of the Safe Torque Off control. | 0 – Torque Permitted; 1 – Torque Disabled

Both elements of the Timed SS1 safety function design have SIL 3/PL e (Cat 3) rating.

The word module (italic) in these tag names represents the module name assigned in the Studio 5000 Logix Designer® application.

Monitored SS1 (drive-based) Stopping Function

Monitored SS1 is a ramped safe-stop where the motion safety instance monitors the speed ramp to standstill speed, while either the motion task or the drive itself controls the deceleration to standstill speed. When standstill is reached, then the motion safety instance removes torque from the motor.

IMPORTANT: In the event of a malfunction, the most likely stop category is Stop Category 0. When designing the machine application, timing and distance must be considered for a coast to stop. For more information regarding stop categories, refer to IEC 60204-1.

When active, the Axis Speed is monitored and must remain below the Speed Limit ramp shown in Figure 6. The axis motion control application must be coordinated with the SS1 activation to bring the axis to Standstill Speed, also known as a Stop Category 1.
This section explains several ways to configure the drive and controller for a Monitored SS1 safety function.

Figure 6 - Monitored SS1 Normal Operation
(Figure labels: Stop Monitor Delay; Stop Time, max; Stop Delay, x; Decel Reference Rate, y/x; Axis Speed; Speed Limit; Decel Speed Tolerance; Standstill Speed; Decel Reference Speed, y; SS1 Request; SS1 Active; SS1 Complete; STO Active; Torque Disabled; STO Delay; SS1 Start; Capture Speed and Begin Monitoring)

Attribute Name | Tag Name | Description | Value
SS1 Request | module:SO.SS1Request | An Output Assembly member that requests the drive to initiate its Safe Stop 1 function. | 0 – No Request; 1 – Request
SS1 Active | module:SO.SS1Active | The SS1 Active attribute is set to Active when any bit in SS1 Activation is set. | 0 – Not Active; 1 – Active
SS1 Complete | Tag Name does not apply. See Safe Stop Function Attributes (Class 0x5A) on page 101. | When the drive speed is at or below SS1 Standstill Speed, the STO Activation bit SS1 Complete is set, setting STO Active to Disable Torque. | 0 – Not Active; 1 – Active
STO Active | module:SI.STOActive | When the drive speed is at or below SS1 Standstill Speed, the STO Activation bit SS1 Complete is set, setting STO Active to Disable Torque. | 0 – Not Active; 1 – Active
Torque Disabled | module:SI.TorqueDisabled | Output status of the Safe Torque Off control. | 0 – Torque Permitted; 1 – Torque Disabled

Ramp Monitored Function

The Monitored SS1 (ramp monitored) function is the ramped deceleration of the axis. A ramp function represents the maximum speed while the axis is stopping as a function of time (t). The ramp function depends on several variables as stated in this equation:

$$\mathrm{Speed}(t) = \mathrm{Speed}_0 - (D_R \cdot t) + S_{tol}$$

• Speed0 is the actual speed captured at the end of the monitoring delay in rev/s.
• Stol is a speed tolerance that is added to account for instantaneous speed variations as the actual speed ramps down to standstill.
• DR is the slope (deceleration) of the ramp function in rev/s². The slope is calculated by entering the Decel Reference speed and the Stop Delay. You enter the Decel Reference Speed and the Stop Delay while configuring SS1 in the Logix Designer application to calculate DR and display the value.

When choosing a value for Stol there are several considerations that depend on the velocity average time. If the velocity average time is too small, the instantaneous speed calculated by the motion safety instance can exceed the ramped speed-limit function. If the velocity average time is too large, the result can be more delay in the speed calculated and compared to the ramped speed-limit function. Refer to Instantaneous Velocity in Figure 17 on page 45.

Use your maximum axis speed for the Decel Reference Speed and the maximum time to bring the axis to Standstill Speed for the Stop Delay. For more information see the Actions Definitions table in the ArmorKinetix System User Manual, publication 2198-UM006.

Monitored SS1 Example

In this example, an axis is running at 1200 rpm when SS1 Request goes high (1), which sets SS1 Active high (1). The Main task reads SS1 Active and prepares to decelerate the axis. At the end of Stop Monitor Delay, the axis speed is 1200 rpm.

Data summary for this Monitored SS1 example:
• The Deceleration Reference Speed is 2400 rpm because the original application sizing calculated this value as the maximum axis speed.
• A 10 second Stop Delay value is used, based on the control system ability and the safety evaluation.
• Stop Monitor Delay is set to 2 seconds. At the end of the Stop Monitor Delay, the motor speed is measured at 1200 rpm.
• Deceleration Speed Tolerance is set to 240 rpm, based on machine characteristics and safety evaluation.

At the end of Stop Monitor Delay and the beginning of Stop Delay time, t = 0 for the ramp function.
Figure 7 shows the data summary values inserted into the equation.

Figure 7 - Monitored SS1 Example

$$\mathrm{Speed}(t) = \mathrm{Speed}_0 - (D_R \cdot t) + S_{tol}$$

$$S_{tol} = \left(\frac{240\ \text{revolutions}}{\text{minute}}\right)\cdot\left(\frac{1\ \text{minute}}{60\ \text{seconds}}\right) = \frac{4\ \text{revolutions}}{\text{second}}$$

$$D_R = \left(\frac{2400\ \text{revolutions}}{\text{minute}}\right)\cdot\left(\frac{1\ \text{minute}}{60\ \text{seconds}}\right)\cdot\left(\frac{1}{10\ \text{seconds}}\right) = \frac{4\ \text{revolutions}}{\text{second}^2}$$

$$\mathrm{Speed}_0 = 1200\ \text{rpm}\cdot\left(\frac{1\ \text{minute}}{60\ \text{seconds}}\right) = \frac{20\ \text{revolutions}}{\text{second}}$$

Values of t in the equation are only valid during the Stop Delay where t starts at 0 and increases to a maximum of Stop Delay.

Figure 8 - Final Monitored SS1 Example

$$\mathrm{Speed}(t) = \frac{24\ \text{revolutions}}{\text{second}} - \left(\frac{4\ \text{revolutions}}{\text{second}^2}\right)\cdot t$$

For any value of t between 0…5 seconds, if the actual speed exceeds Speed (t), a Deceleration Rate fault is set by the SS1 function.

Monitored SS1 With Fault

This figure shows how the Monitored SS1 behaves when the axis speed does not stay below the ramp function limit.

Figure 9 - Deceleration Rate Fault
(Figure labels: Stop Monitor Delay; Stop Time, max; Stop Delay, x; Decel Reference Rate, y/x; Axis Speed; Standstill Speed; Speed Limit; Decel Speed Tolerance; Decel Reference Speed, y; Condition; SS1 Request; SS1 Active; SS1 Complete; SS1 Deceleration Rate Fault; STO Active; No STO Delay Applied; Torque Disabled; Restart Required; Safety Reset; SS1 Start; Capture Speed and Begin Monitoring; Manual or Automatic Restart)

Attribute Name | Tag Name | Description | Value
SS1 Request | module:SO.SS1Request | An Output Assembly member that requests the drive to initiate its Safe Stop 1 function. | 0 – No Request; 1 – Request
SS1 Active | module:SO.SS1Active | The SS1 Active attribute is set to Active when any bit in SS1 Activation is set. | 0 – Not Active; 1 – Active
SS1 Complete | Tag Name does not apply. See Safe Stop Function Attributes (Class 0x5A) on page 101.
SS1 Deceleration Rate Fault | Tag Name does not apply. See Safe Stop Function Attributes (Class 0x5A) on page 101.
SS1 Complete | Description: When the drive speed is at or below SS1 Standstill Speed, the STO Activation bit SS1 Complete is set, setting STO Active to Disable Torque. | Value: 0 – Not Active; 1 – Active
SS1 Deceleration Rate Fault | Description: Describes detailed information about the fault. | Value: 1 = No Fault; 3 = Deceleration Rate
STO Active | module:SI.STOActive | When the drive speed is at or below SS1 Standstill Speed, the STO Activation bit SS1 Complete is set, setting STO Active to Disable Torque. | 0 – Not Active; 1 – Active
Torque Disabled | module:SI.TorqueDisabled | Output status of the Safe Torque Off control. | 0 – Torque Permitted; 1 – Torque Disabled
Restart Required | module:SI.RestartRequired | Performs restart of safety instance attribute. | 0 – Restart Not Required; 1 – Restart Required
Safety Reset | module:SO.ResetRequest | Performs reset of safety instance attribute. | 0 – No Restart; 1 – Restart

Series of events when a Monitored SS1 fault occurs.

1. If an SS1 fault occurs, STO Active goes high (1), and Torque Disabled goes high (1) immediately and ignores STO Delay. The safety instance detects a fault and activates the STO function within 6.0 ms of when the fault condition occurred.

IMPORTANT: The fault condition for a deceleration fault is measured after velocity averaging. Velocity averaging adds additional delay before STO activation in this case.

2. Restart Required goes high (1) whenever an SS1 fault is present.
3. To reset the SS1 fault, SS1 Request must go low (0), followed by Reset (0-1 transition).

Monitored SS1 Request Removed

This figure shows what happens when SS1 Request goes low (0) before completion.
Figure 10 - Monitored SS1 Request Removed Before Completion (timing diagram. Speed plot: Axis Speed with Stop Monitor Delay, Stop Delay (x), Stop Time (max), Decel Reference Speed (y), Decel Reference Rate (y/x), Decel Speed Tolerance, and Standstill Speed. Signals: SS1 Request, SS1 Active, SS1 Complete, STO Active. Events: SS1 Start, Capture Speed and Begin Monitoring, SS1 Reset.)

| Attribute Name | Tag Name | Description | Value |
|---|---|---|---|
| SS1 Request | module:SO.SS1Request | An Output Assembly member that requests the drive to initiate its Safe Stop 1 function. | 0 – No Request; 1 – Request |
| SS1 Active | module:SO.SS1Active | The SS1 Active attribute is set to Active when any bit in SS1 Activation is set. | 0 – Not Active; 1 – Active |
| SS1 Complete | Tag Name does not apply. See Safe Stop Function Attributes (Class 0x5A) on page 101. | When the drive speed is at or below SS1Standstill Speed, the STO Activation bit SS1 Complete is set, setting STO Active to Disable Torque. | 0 – Not Active; 1 – Active |
| STO Active | module:SI.STOActive | When the drive speed is at or below SS1Standstill Speed, the STO Activation bit SS1 Complete is set, setting STO Active to Disable Torque. | 0 – Not Active; 1 – Active |

The word module (italic) in these tag names represents the module name assigned in the Studio 5000 Logix Designer application.

Series of events when SS1 Request is removed before completion.

1. When SS1 Request goes low (0) before completion, SS1 function is reset and ready for another operation.
2. Main task reads the SS1 Active axis tag and resumes normal operation.

Safe Torque-off Function

The safe torque-off (STO) function provides a method, with sufficiently low probability of failure, to force the power-transistor control signals to a disabled state. When the command to execute the STO function is received from the GuardLogix controller, all of the drive output-power transistors are released from the ON-state. This results in a condition where the motor is coasting.
Disabling the power transistor output does not provide isolation of the electrical output that is required for some applications.

ATTENTION: The STO function removes motion-producing power from the motor and must be considered in vertical load applications.

These conditions must be met for integrated control of the STO function:
• The ArmorKinetix module must be added to the GuardLogix or Compact GuardLogix controller I/O Configuration.
• The module must be configured for either:
  - Safety Only
  - Motion and Safety connections

Response times are listed in Table 15. Response time for the drive is the delay between the time the drive STO command receives the CIP Safety™ packet with an STO request and the time when motion-producing power is removed from the motor.

Table 15 - Safe Torque-off Specifications

| Attribute | Value |
|---|---|
| STO function response time | 10 ms, max |
| Safety connection RPI, min | 6 ms |
| Input assembly connections (1) | 1 |
| Output assembly connections (1) | 1 |
| Integrated safety open request support | Type 1 and Type 2 requests |

(1) Motion and Safety and Safety-only connections with the DSD or DSM modules use 1 input assembly connection and 1 output assembly connection.

Safe Stop Functions (drive-based) Assembly Tags

In Integrated safe torque-off (STO) mode, a GuardLogix or Compact GuardLogix safety controller controls the safe torque-off function through the SO.STOOutput tag in the safety output assembly.

Table 16 - Safety Output Assembly Tag Name Description

| Tag Name (1) | Value |
|---|---|
| module:SO.STOOutput | 0 = Activate STO Function; 1 = Permit Torque |
| module:SO.SS1Request | 0 = Remove SS1 Request; 1 = Activate Drive Based SS1 Function |
| module:SO.ResetRequest | 0 = One transition resets drive-based Safe Stop function |
| module:SI.TorqueDisabled | 0 = Torque Permitted; 1 = Torque Disabled |

(1) Output assembly tag name from safety controller.

The SO.Command tags are sent from the GuardLogix safety output assembly to the drive safety output assembly to control the safe torque-off function.
The SI.Status tags are sent from the drive to the GuardLogix safety input assembly and indicate the drive safety control status.

Table 17 - Safety Input Assembly Tag Name Description

| Tag Name (1) | Value |
|---|---|
| module:SI.SafetyFault | 0 = Safety fault not present; 1 = Safety fault present |
| module:SI.RestartRequired | 0 = Reset is not required; 1 = Reset is required |
| module:SI.STOActive | Indicates STO function status. 0 = STO function not active; 1 = STO function active |
| module:SI.SS1Active | Indicates drive-based SS1 active status. 0 = SS1 function not active; 1 = SS1 function active |
| module:SI.SS1Ready | 0 = Drive-based SS1 function is not configured or faulted; 1 = Drive-based SS1 function is configured and ready for operation |

(1) Input assembly tag name from safety controller.

The SI.ConnectionStatus tags indicate the safety input connection status.

The word module (italic) in these tag names represents the module name assigned in the Studio 5000 Logix Designer application.

Controller Tags in Studio 5000 Logix Designer Application

Double-click Controller Tags in the Controller Organizer to see the Safety Assembly controller tags. The controller tags created for your drive configuration appear.

Safety Assembly Tags on page 98 lists the safety tags added to the controller tags when an ArmorKinetix module is added to a GuardLogix I/O configuration and the connection is configured for Safety Only. In this example, the SO.STOOutput bit permits torque when the bit is high.

Figure 11 - Safe Torque-off Function Safety Logic Example

Drive-based Safe Stopping Application Requirements

This section describes some of the safety information required to design your safety application.
Table 18 - Achievable Safety Ratings

| Safety Function | Achievable Functional Safety Rating (1) |
|---|---|
| STO | SIL 3, PL e |
| Timed SS1 | SIL 3, PL e |
| Monitored SS1 | • SIL 2, PL d in a single feedback sensor configuration when used with SIL 2, PL d compliant feedback sensor • SIL 3, PL e in a dual feedback sensor configuration when primary feedback sensor is SIL 2, PL d compliant |

(1) Rating according to IEC 61508 and ISO 13849.

The 2198-xxxx-ERS5 STO circuit is designed to turn off all of the output-power transistors when the STO function is requested. You can use the STO circuit in combination with other safety devices to achieve the Stop Category 0 as described in Stop Category Definition on page 13, and protection-against-restart as specified in IEC 60204-1.

ATTENTION: The safe torque-off (STO) feature is suitable only for performing mechanical work on the drive system or affected area of a machine. It does not provide electrical safety.

SHOCK HAZARD: In Safe Torque-off mode, hazardous voltages can still be present at the drive. To avoid an electric shock hazard, disconnect power to the system and verify that the voltage is zero before performing any work on the drive.

ATTENTION: Personnel responsible for the application of safety-related programmable electronic systems (PES) shall be aware of the safety requirements in the application of the system and shall be trained in using the system.

Safety Application Requirements

Safety application requirements include evaluating probability of failure rates (PFH), system reaction time settings, and functional verification tests that fulfill your required SIL level criteria. See Average Frequency of a Dangerous Failure on page 11 for more PFH information.

Creating, recording, and verifying the safety signature is also a required part of the safety application development process. Safety signatures are created by the safety controller.
The safety signature consists of an identification number, date, and time that uniquely identifies the safety portion of a project. This includes all safety logic, data, and safety I/O configuration.

For safety system requirements, including information on the safety network number (SNN), verifying the safety signature, and functional verification tests refer to the appropriate GuardLogix controller publication as defined in Additional Resources on page 8.

IMPORTANT You must read, understand, and fulfill the requirements detailed in the GuardLogix controller systems safety reference manual prior to operating a safety system that uses a GuardLogix controller and ArmorKinetix module.

System Safety Reaction Time

System safety reaction time is the sum of sensor reaction time, GuardLogix controller system reaction time and actuator reaction time. GuardLogix controller system reaction time is estimated based on a number of factors that include:
• Fixed delay time per selected Input/Output module
• Non-configurable variables that are determined by the amount of network communication traffic and the EMC environment
• Configurable values for your specific settings (for example, Safety Input RPI and Safety Task Period)

For a complete list of the factors that affect GuardLogix controller reaction time, refer to the appropriate GuardLogix controller publication as defined in Additional Resources on page 8.
To optimize the configurable factors and minimize the safety reaction time, the GuardLogix Safety Estimator tool can be used to determine the reaction time under these three conditions:
• If there are no faults or errors, the safety function is demanded under normal operation
• Considering a Single Fault (Max) - Safety function is demanded when there is a single delay in the system (for example, loss of a packet)
• Considering Multiple Faults (Max) - Safety function is demanded when there are multiple delays in the system

The GuardLogix Safety Estimator tool, in Microsoft Excel format, is available from the Product Compatibility Download Center (PCDC) to help you determine the reaction time of your particular control loop. Go to rok.auto/pcdc, click Find Downloads and, in the Search PCDC box under Compatibility and Downloads, search for GLX Safety Tools.

IMPORTANT Using this tool does not substitute for taking proper validation and verification measures. See Appendix B on page 107 for more information.

Chapter 3 Configure the Motion Safety Instances

Use this chapter to configure ArmorKinetix® DSD or DSM modules for safety applications with Allen-Bradley® servo motors.
This chapter covers these items:
• Understand Module Properties Categories
• Configuring the Module
• Module Properties
• Motion Safety
• Axis Properties Safety Actions
• Safety Connection Examples
  - ArmorKinetix DSD module connected to induction motor, safe stop only, no feedback
  - ArmorKinetix DSD module to Kinetix VPL motor with Q encoder single feedback monitoring
  - ArmorKinetix DSD module to Kinetix VPL motor with Q encoder and 842 HR encoder for dual feedback monitoring
  - ArmorKinetix DSD module to Kinetix MPL motor with M encoder single feedback monitoring
  - ArmorKinetix DSM module for single feedback monitoring
• Encoder Types and SIL Ratings

Understand Module Properties Categories

We recommend that you lay out your ArmorKinetix 5700 System with use of the ArmorKinetix System User Manual, publication 2198-UM006. If an existing Kinetix 5700 inverter system is used, see the Kinetix 5700 Servo Drives User Manual, publication 2198-UM002, for layout and configuration information as well.

(System layout figure with numbered callouts; a Kinetix VPL motor and a Kinetix MPL motor are shown.)

| Item | Description |
|---|---|
| 1 | ArmorKinetix PIM Modules |
| 2 | Kinetix 5700 Servo Drives |
| 3 | ArmorKinetix DSD or DSM Module |
| 4 | Kinetix VPL or Kinetix MPL Motor |
| 5 | ArmorKinetix PIM to DSx Hybrid Cable (2090-CDHIFS-12AFxxxx) 3…50 m (9.8…164 ft) |
| 6 | ArmorKinetix DSx to DSx Hybrid Cable (2090-CDHP1S-12AFxxxx) 0.5…30 m (1.64…98.4 ft) |
| 7 | ArmorKinetix DSD to Kinetix Motor Power/Feedback Cable (2090-CSBM1P7-14AFxx) 1…4 m (3.28…13.12 ft) |
| 8 | ArmorKinetix DSD to Induction Motor Power Cable (2090-CPWFLP7-14AFxx) 1…4 m (3.28…13.12 ft) |
| 9 | ArmorKinetix DSD to Induction Motor Feedback or Stand-alone Feedback Cable (2090-CFBFLS7-CDAFxx) 1…4 m (3.28…13.12 ft) |
| 10 | ArmorKinetix DSD to Kinetix Motor Feedback Cable (2090-CFBM7S7-CDAFxx) 1…4 m (3.28…13.12 ft) |
| 11 | Ethernet patchcord, 1 Gigabit with hybrid connector to connect to communication extension, 85 m (278 ft) max. (1585D-M8UGDM, 1585D-M8TGDE, or 1585D-E8TGDE) |
| 12 | Managed Ethernet Switch |
| 13 | Induction Motor |
| 14 | Communication Extension Jumper Cable (2090-CDET) |

See the ArmorKinetix System User Manual, publication 2198-UM006, for more information about these module definitions.

Table 19 - Module Definitions

| Module Definition | Description |
|---|---|
| Firmware Revision | 14.000 or later |
| Electronic Keying | • Disable Keying • Compatible Module • Exact Match |
| Power Structure | 2198-DSM016-ERS2 as an example |
| Verify Power Rating on Connection | |
| Safety Application | Networked - used for Safety Only OR Motion And Safety connections. No Safety - used for Motion Only connections. Module must be in out of box state. |
| Connection | Motion Only - for motion instructions only. Safety Only - safety controller separate from motion controller. Motion and Safety - both safety and motion in this controller control. |
| Motion Safety | DSD Module -ERS2: Safe Stop - No Feedback. DSD Module -ERS5: Safe Stop - No Feedback, Single Feedback, Dual Feedback. DSM Module -ERS2: Safe Stop - No Feedback. DSM Module -ERS5: Safe Stop - No Feedback, Single Feedback. |

• Safe Stop Only-No Feedback - indicates ERS2 or ERS5 are in Integrated STO/SS1 Timed Mode Only.
• Single Feedback Monitoring - indicates the safety function can monitor the main DSD/DSM encoder signal for SFX, SLS and other advanced safety functions.
• Dual Feedback - indicates the safety function can monitor the main DSD (VPx Only) encoder signal and second encoder for SFX, SLS, dual checking and other advanced safety functions.

Safety Configurations of the 2198-DSD and 2198-DSM modules are limited to specific functions.

Table 20 - ERS2 vs ERS5 Safety Capability

| Drive/Motor | Safe Stop No Feedback | Primary Feedback | Secondary Feedback |
|---|---|---|---|
| 2198-DSDxxx-ERS2 | Yes | — | — |
| 2198-DSDxxx-ERS5 | Yes | Yes | Yes |
| 2198-DSMxxx-ERS2 | Yes | — | — |
| 2198-DSMxxx-ERS5 | Yes | Yes | — |

• 2198-DSxxx-ERS2 or 2198-DSxxx-ERS5 contain integrated STO and SS1 timed function. ArmorKinetix modules do not support Hardwire STO.
• 2198-DSxxx-ERS2 cannot do Safely-limited Speed functions such as SFX and SLS.
• 2198-DSDxx-ERS5 can do Primary Feedback to the following motors:
  - Kinetix VPL, VPH, VPF, or VPAR with Q or W encoders only
  - Kinetix MPL, MPF, MPS, MPM, or MPAR with M or S encoders only
  - Induction Motors with Hiperface/Sin, Cos encoders only
• 2198-DSDxx-ERS5 can do Secondary Feedback to ONLY the Kinetix VPL, VPH, and VPS with Q or W encoders because these motors use a single cable for power/feedback for the main connection, then an alternate 2090-C cable for the secondary feedback.
• 2198-DSMxx-ERS5 module supports Primary Feedback only to all DSM module listed encoders. The 2198-DSMxx-ERS5 module does not support Secondary Feedback because there are no external feedback terminations for that distributed servo motor control physical device.

The 2198-Pxxx Non-Regenerative Converter Power Supply must be sized to handle all existing or new inverters (such as 2198-D020-ERS4, if used) along with the 2198-PIM070 connected to a bus group configured with the 2198-DSD drive to external motor and 2198-DSM distributed servo motors.
Thus, the 2198-Pxxx Non-Regenerative Converter must be sized to handle the entire kW continuous and peak needs of all DC power for all modules. It must also be configured in the IO tree and added as a Non-Regenerative converter as shown.

Once the 2198-P is configured, or if it is already configured, the 2198-PIM070 can be configured for a primary and secondary bus sharing group.

If the 2198-Pxxx is already controlling 2198-D or S -ERSx modules, OR if there are higher power modules or units configured for use, then it is best to configure the 2198-Pxxx primary bus sharing group with these modules and then configure the 2198-PIM070 primary bus sharing group with the ArmorKinetix module bus sharing. For example, the system uses 2198-S086-ERS4 and 2198-D012-ERS4 and keeps these modules in group 1, the primary group. Then, use the 2198-DSD or DSM module with the 2198-PIM070 module and add these modules in group 2, the secondary bus sharing group, as shown. The primary reason for adding the 2198-PIM070 with the DSD/DSM module is that the converter output power and current from the 2198-PIM070 can be monitored to evaluate whether high power draw and current are being seen, and to take action to remedy this based on application needs.

Configuration considerations:
• The 2198-Pxxx still supplies rectified AC to DC for the 2198-S/D modules and the 2198-PIM070. Thus, it must be sized so that its kW output, RMS and peak, is not exceeded.
• 2198-PIM070 converter output and capacity to all ArmorKinetix DSD/DSM modules can be monitored for overload and other power conditions more accurately because they are in the same bus sharing group.
• If a 2198-Pxxx converter and multiple 2198-PIM070 modules are used:
  - Do not exceed 2198-Pxxx kW output draw continuous and peak
  - Each 2198-PIM070 can support multiple 2198-DSD or DSM modules in separate bus sharing groups, and the converter metrics to each module can thus be monitored, even from the same non-regenerative converter module.

The 2198-PIM070 configures a DC/DC Converter that basically transfers the 2198-Pxxx Non-Regenerative Converter Module power to one or more 2198-DSDxxx-ERS5 or 2198-DSMxxx-ERS5-xx modules. See ArmorKinetix System User Manual, publication 2198-UM006 and other tools for the configuration and sizing of the 2198-Pxxx and 2198-PIM070 modules in a Kinetix cluster.

Each 2198-DSD/DSM module has these module property categories:
• Motion Only
• Safety Only
• Motion and Safety

These categories are discussed in the next sections along with the selections that are available and the associated tags in the GuardLogix controller. This Category List changes based on which connection you use (Motion Only, Safety Only, or Motion and Safety), as well as on whether you use Safe Stop Only No Feedback, Primary Feedback, or Secondary Feedback. Table 20 outlines the various selections in each module.

Motion Only

The Motion Only category has Safety Application options of Safety Off or Networked and no Motion Safety configuration options.

Figure 12 - General Tab - Motion Only

Safety Only

The Safety Only category has a Safety Application configuration of Networked and Motion Safety configuration options. When Safety Only is selected in a project, no motion control planner functions, such as Motion Servo On and Motion Axis Move, are allowed. In the Categories, there is no associated axis that ties the Motion group to the axis.
Only Motion Safety appears with the selections.

Figure 13 - General Tab - Safety Only

Safety IO data does not use CIP Sync.

Figure 14 - General Tab - Safety Only, Single Feedback

Primary Feedback and Scaling are now added to the Category List. Both the DSD and DSM modules support this function, see Table 20. The associated tags don't change, just the enabled function to allow safe monitoring position functions (primary and secondary).

The 2198-DSD-ERS5 adds the ability, when using a Kinetix VPx motor, per the above chart, to do secondary feedback monitoring functions, basically, velocity discrepancy checking. In this case, the Add On Profile adds the secondary feedback and discrepancy checking functions to the functions listed in Figure 14.

Figure 15 - General Tab - Safety Only, Dual Feedback

The 2198-DSD-ERS5 is the only module with the ability to add a feedback configuration if the primary motor used is a Kinetix VPx motor with single power/feedback combination. The 2198-DSM-ERS5 module has no external feedback port to accommodate a secondary feedback.

Motion and Safety

The Motion and Safety category combines both the Motion and the Safety functions and has both Motion associated selections as well as combinations of the selected safety configuration, see Safety Only on page 37. The 2198-DSD-ERS5 module with dual feedback monitoring is used as the example.

Figure 16 - General Tab - Motion and Safety

Configuring the Module

The configuration for the ERS5 module primarily takes place in the AOP.
Ethernet Address

• Private Network selected at 192.168.1.xxx where xxx is 1 to 254 valid fourth octet
• IP address selected as something specific to system network
• IP address is unique to each PIM, DSD, and DSM module. See the ArmorKinetix System User Manual, publication 2198-UM006 for proper configuration.

Advanced Tab

The Advanced tab lets you use a Network Address Translation configuration. Network Address Translation (NAT) enables the reuse of IP addressing without introducing a duplicate IP address error into your application architecture. See Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture, publication ENET-TD007.

Safety Network Number

The purpose of this document is not to describe how to set the SNN or what to set it to, but to give you the ability to evaluate and change the SNN according to what the GuardLogix controllers recommend. See publication 1756-UM543.

Module Properties

Connection and Safety Categories

Follow these steps to configure the Safety Output and Safety Input values.

1. Select the Connection category. From the Connection category you can observe the status of the Safety Output and Safety Input requested packet interval (RPI) values. The default values are shown.

IMPORTANT The Safety Output and Safety Input values, when viewed from the Connection category, are for status only. To set the Safety Output and Safety Input values, continue with step 2 through step 6.

2. To set the Safety Output value, right-click SafetyTask in the Controller Organizer and select Properties.
3. Select the Configuration tab. The default safety task Period value (and output RPI) is 20 ms.

IMPORTANT The period is the interval at which the safety task executes. The watchdog must be less than the period.
For more safety task information, see the GuardLogix 5580 and Compact GuardLogix 5380 Controller Systems Safety Reference Manual, publication 1756-RM012.

4. Select OK.
5. To set the Safety Input value, select the Safety category. The default Safety Input RPI value is 10 ms. Edit as appropriate for your application.

Configuration Ownership shows the upper level GuardLogix device that 'owns' this module safety function. If ownership of the configuration needs to be reset, it is best to either inhibit this module from the owner or use the Kinetix HMI to do the reset. The ownership reset is explained in the ArmorKinetix System User Manual, publication 2198-UM006.

Configuration Signature can apply a unique ID for use in configuring safety zones and organization. See the GuardLogix 5580 and Compact GuardLogix 5380 Controller Systems Safety Reference Manual, publication 1756-RM012 to review such requirements based on application needs.

6. Select Apply.

Additional Categories

Time Sync, Module Info, Internet Protocol, Port Configuration, and Network are all fields for standard CIP Sync Motion functions. References to each function can be found in documents from Rockwell Automation such as the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide, publication ENET-TD001.

Motion Category

The Motion Category appears when Motion Only or Motion and Safety Connections are used. This document focuses on the Safety Configuration; the Motion Category is covered in more detail in the ArmorKinetix System User Manual, publication 2198-UM006.

Actions Category

The Actions category provides fault behavior options. Determine the preferred machine function when a connection loss or connection idle condition occurs.

Safe Torque-off (STO) means that the drive immediately disables the motor power outputs causing a coast condition for the motor and load.
Safe Stop 1 (SS1) means that the drive decelerates the load to zero speed before removing the motor power outputs causing a controlled stop for the motor and load.

Follow these steps to configure the Actions to Take Upon Conditions dialog box.

1. Select the Motion Safety 1>Actions category.

Table 21 - Motion Safety Actions

| Attribute | Description | Values | Value Description |
|---|---|---|---|
| Connection Loss Action | • Connection Loss is caused by a failure or disconnection of the Ethernet cable to the drive. • The loss could also be an indication of excessive traffic causing the drive to lose synchronization to the grandmaster clock/motion controller. | SS1 | Drive-based Safe Stop 1 instruction is initiated and operates according to the SS1 configuration for each motion safety instance. |
| | | STO | Torque is removed from the associated axis according to the STO configuration of each motion safety instance. |
| Connection Idle Action | Connection Idle is caused by the safety output task becoming disabled because the controller is in Remote Program mode. | SS1 | Drive-based Safe Stop 1 instruction is initiated and operates according to the SS1 configuration for each motion safety instance. |
| | | STO | Torque is removed from the associated axis according to the STO configuration of each motion safety instance. |
| Restart Type | Restart type means that the safety function resets and will be ready for subsequent operation when the request is removed. See specific function for more detail. | Automatic | Automatic is the only choice. |
| Cold Start Type | Cold start type means that the configured safety function is ready for operation immediately after the controller enters run mode. | Automatic | Automatic is the only choice. |

2. From the Connection Loss Action and Connection Idle Action dropdown menus, choose SS1 or STO as required for your application.
3. Select Apply.
Motion Safety

Primary Feedback Category

Configure primary feedback if you intend to use any drive-based or controller-based safety function that monitors motion. There are many different combinations of feedback for motion control and safety that can be configured. See Table 24 on page 79 for single feedback instances where only primary feedback is configured. See Table 25 on page 79 for dual feedback instances that require a primary and secondary feedback configuration.

Follow these steps to configure the Primary Feedback dialog box.

1. Select the Motion Safety>Primary Feedback category.

IMPORTANT Only Kinetix VPL, VPF, and VPH motors or Kinetix VPAR electric cylinders, with -Q or -W encoder options are SIL 2 rated. Other motors can be selected, but do not support the SIL 2 rating.

2. Set the remaining Primary Feedback attributes.

| Attribute | Description |
|---|---|
| Units | Default value is revolutions (Rev) that supports rotary motors. |
| Resolution Units | Default value is Cycles/Revolution (Rev). |
| Cycle Resolution | Used in the Effective Resolution calculation. The actual motor encoder cycle resolution. This is the raw encoder cycle resolution of the motor or encoder device type. For example, when DSL Hiperface (VPL-Bxxxx-Q motors) is the chosen primary feedback Type, the value is 4096 cycles/rev. VPL-B063xxx and VPL-B075xxx motors have 512 cycle resolution. |
| Cycle Interpolation | Used in the Effective Resolution calculation. The safety primary-feedback that is interpolated counts as opposed to the motion axis-feedback interpolated counts. For DSL encoders this value is 1. For sin/cos encoders this value is 4. |
| Effective Resolution | The product of cycle resolution and cycle interpolation for the primary safety function evaluation. |
| Polarity | Based on encoder rotation and evaluation requirements. Choose between Normal (default) or Inverted as appropriate for your application. |
| SIL Capability | Kinetix VP motors with -Q or -W, and Kinetix MMA motors with -S2 or -M2 types are SIL 2 capable and 2 is shown. For non SIL-rated motor or encoder, this field indicates Unknown. |
| Velocity Average Time | The velocity average time attribute is a moving-average window of time for which the velocity samples are averaged. A small value results in more deviation in the velocity evaluation. A large value results in less deviation in the velocity evaluation, but also adds more delay to the resulting evaluation. This delay should be considered with system requirements for over-speed response. See Velocity Average Time Parameter on page 43 for more information. |
| Standstill Speed | Used in the safe-monitoring process to indicate to the safety controller that the motor has stopped rotating. The system is at standstill when the speed detected is less than or equal to the configured Standstill Speed. This parameter sets the speed at which module:SI.MotionPositive or module:SI.MotionNegative tags are set in the safety input assembly. |

3. Select Apply.

For the DSD modules, feedback is connected to these connectors on the module.

(Figure: DSD module connectors, labeled Motor Power and Feedback Connector and Motor Feedback Connector.)

Kinetix VPx motors connect to the motor power and feedback connector by using the single ArmorKinetix 2090 motor power and feedback cable.

IMPORTANT A 2198-DSDxxx-ERS5 module supports Kinetix VPF, VPL, VPH, and VPAR motors with Q or W feedback based on power density and selection. The Primary Feedback is always mapped to the DSL Feedback Connector on the 2198-DSD module.

IMPORTANT A 2198-DSDxxx-ERS5 module can connect to an induction motor with or without feedback OR a Kinetix MPAR, MPF, MPL, MPM, or MPS motor with M or S Feedback. The Primary Feedback is always mapped to the Motor Feedback Connector termed the Universal Feedback Connector.
Velocity Average Time Parameter

The Velocity Average Time parameter sets the time period for a moving average filter that is applied to velocity samples reported in Velocity Feedback. The Velocity Average Time is important for three reasons:
• For low resolution encoders there is not enough shaft movement between position samples to allow for a smooth velocity signal. Instead it will jump between zero and a higher value than the actual velocity. This determines the minimum velocity that can be resolved and used in the safety application.
• The safety input connection cycle time or input RPI may be slow compared to changes in the velocity signal. If the velocity changes several times between these Input Assembly updates to the drive, then not all of the changes will be seen at the safety controller. This is known as aliasing. Aliasing has the potential to report velocities that are different from the actual velocity. To avoid aliasing, set the Velocity Average Time parameter to greater than the safety input connection RPI time.
• The value that is chosen for velocity average time affects the response time of the safety monitoring function. Higher values result in slower response time.

The motion safety instance of the drive calculates velocity by taking the differences in position count samples that are divided by the sample period. The safety feedback position and velocity, in the motion safety instance, are updated every 3 ms. Velocity average time determines the number of most recent velocity samples that are averaged. The number of samples averaged is given by the Velocity Average Time/3 ms. Any remainder is truncated.

At low velocities with low-resolution encoders, the encoder shaft position does not have enough movement for a change in the encoder output with each sample. This results in delta positions of zero followed by a position increment of one count.
The reported velocity in this case jumps between zero and a large value. On average, the velocity is correct. Large velocity fluctuations are avoided by averaging velocity samples.

Figure 17 on page 45 shows the relationships between the encoder cycles, counts, sample points, velocity with no averaging, and averaging. The figure also shows that as the averaging time is increased, the effective velocity resolution is improved. However, with higher resolution comes a longer delay in reporting the velocity due to the N point average.

To determine the Velocity Average Time for a given encoder and Velocity Resolution, use the following equation.

$$\text{Velocity Average Time} = \frac{60}{\text{Velocity Resolution} \cdot \text{Encoder Cycle Count} \cdot \text{Cycle Interpolation}}$$

Where:
• Velocity Average Time is in seconds.
• Velocity Resolution is in RPM (Revolutions Per Minute).
• Encoder Cycle Count is the number of cycles per revolution.
  - For motors with Q type feedback, the count is 4096 cycles.
  - For motors with W type feedback, the count is 512 cycles.
  - For motors with sin/cos feedback the number of sinusoidal cycles per revolution. For example:
    - For Kinetix MPL motors with M type feedback, the count is 1024 cycles.
• Encoder interpolation is either 4 or 1.
  - For motors with Q or W type feedback, the value is 1.
  - For motors with Sin/Cos feedback, the value is 4 (Figure 17 shows interpolation with Sin/Cos signals).

For velocity average time in the equation, use the following conversion for the value entered:

Average Time Setting in Studio 5000 Logix Designer | Effective Value
0…5 ms | 3 ms
6…8 ms | 6 ms
9…11 ms | 9 ms
12…14 ms | 12 ms
and continuing to … (1)

(1) Effective Value = (floor(Average Time Setting ÷ 3 ms)) • 3 ms. Floor(x) is the greatest integer ≤ x.
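The equation, the effective-value conversion and the aliasing rule above can be worked through together. The following is an added example, not code from the manual or from Rockwell Automation: the function names are hypothetical, the 3 ms sample period and the 128 cycles/rev Sin/Cos encoder of Figure 17 come from the manual, and the 6.5 RPM shaft speed fed to the simulation is a constructed input.

```python
import math
from fractions import Fraction

SAMPLE_MS = 3  # the manual states safety feedback velocity is updated every 3 ms


def effective_average_time_ms(setting_ms):
    """Effective Value = floor(setting / 3 ms) * 3 ms.

    The manual's conversion table maps settings of 0...5 ms to 3 ms,
    so at least one sample is always averaged.
    """
    return max(1, setting_ms // SAMPLE_MS) * SAMPLE_MS


def velocity_resolution_rpm(average_time_ms, cycle_count, interpolation):
    """The manual's equation solved for Velocity Resolution (RPM)."""
    return 60000.0 / (average_time_ms * cycle_count * interpolation)


def min_average_time_setting_ms(target_rpm, cycle_count, interpolation, input_rpi_ms):
    """Smallest setting (a multiple of 3 ms) that both resolves target_rpm
    and is greater than the safety input connection RPI (anti-aliasing rule)."""
    counts = cycle_count * interpolation
    n_resolution = math.ceil(Fraction(60000) / (Fraction(target_rpm) * counts * SAMPLE_MS))
    n_rpi = math.floor(input_rpi_ms / SAMPLE_MS) + 1
    return max(n_resolution, n_rpi) * SAMPLE_MS


def simulate_feedback_velocity(speed_rpm, cycle_count, interpolation, setting_ms, n_samples):
    """Sample an ideal encoder every 3 ms at a constant shaft speed.

    Returns (raw, averaged): per-sample velocity from count differences,
    and the moving average over the effective averaging window, in RPM.
    """
    counts_per_rev = cycle_count * interpolation
    # Exact rational arithmetic so count boundaries are not blurred by rounding.
    counts_per_sample = Fraction(speed_rpm) * counts_per_rev * SAMPLE_MS / 60000
    rpm_per_count = float(Fraction(60000, counts_per_rev * SAMPLE_MS))
    window = effective_average_time_ms(setting_ms) // SAMPLE_MS

    raw, previous = [], 0
    for k in range(1, n_samples + 1):
        position = math.floor(counts_per_sample * k)  # whole counts seen so far
        raw.append((position - previous) * rpm_per_count)
        previous = position
    averaged = [sum(raw[i - window + 1:i + 1]) / window
                for i in range(window - 1, n_samples)]
    return raw, averaged


if __name__ == "__main__":
    # Figure 17 encoder: 128 Sin/Cos cycles/rev, interpolation 4.
    for setting in (3, 18, 36):
        print(setting, "ms ->", round(velocity_resolution_rpm(setting, 128, 4), 3), "RPM")
    raw, avg = simulate_feedback_velocity(6.5, 128, 4, 18, 600)
    print("raw values:", sorted(set(raw)), "averaged max:", round(max(avg), 2))
    # Q type feedback, 1 RPM target, 10 ms safety input RPI (constructed case).
    print("minimum setting:", min_average_time_setting_ms(1, 4096, 1, 10), "ms")
```

Because a setting is truncated to a multiple of 3 ms, a 100 ms entry behaves as 99 ms in the drive; the resolution function takes whatever time it is given, so pass it the effective value when the truncation matters.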
Figure 17 - Encoder Sampling and Velocity (panels: Encoder Cycle with Sin/Cos and A/B signals at 128 cycles/rev, clockwise and counter clockwise; Position Sample Times every 3 ms; Incremental Position; Velocity with no averaging; Controller Input Assembly Updates every 6 ms; Aliasing of Feedback Velocity Tag due to no averaging; Feedback Velocity with 18 ms Average Time; Feedback Velocity with 36 ms Average Time)

This table shows different values of velocity resolution based on the encoder cycle count and the velocity average time.

Table 22 - Velocity Resolution vs Velocity Average Time for Different Interpolated Encoder Cycle Counts

Interpolated Count | Velocity Resolution at Velocity Average Time 100 ms | Velocity Resolution at Velocity Average Time 500 ms | Velocity Resolution at Velocity Average Time 1000 ms
64 | 9.375 rpm | 1.875 rpm | 0.9375 rpm
512 | 1.171875 rpm | 0.234375 rpm | 0.117188 rpm
2048 | 0.292969 rpm | 0.058594 rpm | 0.029297 rpm
4096 | 0.146484 rpm | 0.029297 rpm | 0.014648 rpm

Secondary Feedback Category

Configure secondary feedback for your motion monitoring application that requires SIL 3 or PL e for drive-based or controller-based safety functions.

IMPORTANT For Motion Safety Dual Channel Feedback configurations, the primary feedback must be a SIL 2 rated encoder.

Secondary feedback device can only be used as follows:
• A DSDxx-ERS5 module with a VPxx-Q/W primary motor.
• A DSM module does not allow a secondary feedback device. Consider using a 843ES when configuring such a requirement.
• The motor feedback connector, shown in Primary Feedback Category on page 42 and in the ArmorKinetix System User Manual, publication 2198-UM006, is the only place to connect a secondary feedback device to the DSDxxx-ERS5 module.
• ArmorKinetix ERS2 modules are Safe Stop Only-No Feedback and not applicable.
Configure polarity so that when the primary encoder position increments positive, the secondary encoder position increments positive too.

To configure the Secondary Feedback dialog box, see Primary Feedback Category on page 42. Secondary feedback module properties have the same attributes and drop-down menus as the primary feedback category.

Scaling Category

The Primary Feedback category provides safety resolution in terms of counts per revolution. The Scaling category configures the position and time to be used in terms of counts per position unit in the safe monitoring functions.

Figure 18 - Scaling Category (default settings)

Table 23 - Scaling Category Attributes

Attribute | Description
Feedback Resolution | The number of counts per motor revolution, which is determined by the Primary Feedback category.
Position Units | The position units for this safety application. Enter text for the name of your units.
Time | The evaluation of position per unit of time for a velocity evaluation. Choose between Seconds (default) and Minutes as appropriate for your application.
Position | The conversion constant showing the counts per position units. This is the number of counts for one of your position units.

Refer to Scaling Example 1 on page 47 and Scaling Example 2 on page 48 to see how scaling is configured for two rotary knife applications.

Scaling Example 1

In the following example, a rotary knife with one blade is directly coupled to the motor. The servo motor is a Kinetix VPL-B1306C-Q with SIL 2 encoder that generates 4096 counts per revolution.
Figure 19 - Rotary Knife with One Blade (labels: Unwind; Rotary Knife; Kinetix VPL-Bxxxx-Q Servo Motor with DSL Hiperface (primary) Encoder)

Figure 20 - Scaling Example 1 Dialog Box

Data summary for this scaling example:
• VPL-B1306C-Q motor with DSL Hiperface encoder that generates 4096 counts per revolution
• Units = Knife Revolutions (one revolution evaluated in seconds)

$$\frac{4096\ \text{Counts}}{\text{Motor Revolution}} \cdot \frac{1\ \text{Motor Revolution}}{1\ \text{Knife Revolution}} = \frac{4096\ \text{Counts}}{\text{Knife Revolution}}$$

Scaling Example 2

In this example, a rotary knife with two blades is driven by a 10:1 gear reduction and servo motor. The servo motor is a VPL-B1306C-Q with SIL 2 encoder that generates 4096 counts per revolution.

Figure 21 - Rotary Knife with Two Blades (labels: Unwind; Rotary Knife; Application includes external encoder for secondary feedback; Application Includes 10:1 Gear Reduction; Kinetix VPL-Bxxxx-Q Servo Motor with DSL Hiperface (primary) Encoder)

Figure 22 - Scaling Example 2 Dialog Box

Data summary for this scaling example:
• VPL-B1152C-Q motor with DSL Hiperface encoder that generates 4096 counts per revolution
• Motor connects with a 10:1 gear reduction to drive the knife blades
• Units = Knife Cuts (two cuts per load revolution evaluated in seconds)
• Secondary encoder used to improve safety rating

$$\frac{4096\ \text{Counts}}{\text{Motor Revolution}} \cdot \frac{10\ \text{Motor Revolution}}{1\ \text{Load Revolution}} \cdot \frac{1\ \text{Load Revolution}}{2\ \text{Knife Cuts}} = \frac{20480\ \text{Counts}}{\text{Knife Cut}}$$

IMPORTANT The GuardLogix Motion Function, the GuardLogix Safety Function, and the Integral Safety Function can each have different scaling, which can cause confusion. See Knowledgebase article How to scale the SFX instruction to meet the Motion/IO mode and safety configuration units for help with all three functions based on various configuration examples.
Discrepancy Checking Category

Discrepancy checking is only used in applications where the Module Definition>Safety Instance is configured for Dual Feedback Monitoring. Its purpose is to perform an evaluation of the speed discrepancy between primary and secondary feedback. Primary Feedback is used for safe monitoring functions. Secondary feedback is used for fault diagnostics. If primary feedback and secondary feedback differ by more than the velocity deadband value for longer than the time entry, a velocity discrepancy fault occurs.

Figure 23 - Discrepancy Checking Dialog Box (default attributes)

IMPORTANT When setting discrepancy tolerances in terms of the velocity deadband attribute, consider that configuring a high gear-ratio between primary feedback and secondary feedback can lead to unexpected dual-feedback position faults. This is because a very large primary feedback movement translates into very small secondary feedback increments.

When Module Definition>Safety Instance is configured for Single Feedback Monitoring, use the No Check (default) setting.

Follow these steps to configure the Discrepancy Checking attribute.

1. From the Mode pull-down menu, choose Dual Velocity Check.
   Use Dual Velocity Check to measure the difference between primary feedback speed and secondary feedback speed to see if that difference is greater than the velocity deadband for more than the time tolerance.
2. Set the remaining Discrepancy Checking attributes.

Attribute | Description
Time | The amount of time (ms) specified for velocity deadband to be evaluated and trigger a safety fault condition.
Ratio | The gear ratio of one primary feedback revolution to one secondary feedback revolution.
Velocity Deadband | The velocity units of the difference between primary and secondary feedback speed for the discrepancy check.

3. Select Apply.
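The scaling constants of the two rotary knife examples and the Dual Velocity Check rule can be modeled offline before values are entered in the dialog boxes. This is an added example, not code from the manual or the drive firmware: the function names and the velocity traces are constructed, both speeds are assumed to be already expressed in the same position units per second, one comparison is assumed per 3 ms safety sample, and the timer is assumed to restart whenever the difference returns inside the deadband.

```python
SAMPLE_MS = 3  # the manual states safety feedback velocity is updated every 3 ms


def counts_per_position_unit(counts_per_motor_rev, motor_revs_per_load_rev, units_per_load_rev):
    """Conversion constant for the Scaling category (counts per position unit)."""
    return counts_per_motor_rev * motor_revs_per_load_rev / units_per_load_rev


def motor_rpm_to_units_per_s(motor_rpm, motor_revs_per_load_rev, units_per_load_rev):
    """Convert a motor speed in RPM to position units per second."""
    return motor_rpm / 60 / motor_revs_per_load_rev * units_per_load_rev


def dual_velocity_check(primary, secondary, deadband, time_ms, sample_ms=SAMPLE_MS):
    """Return the index of the sample at which a velocity discrepancy fault
    would be raised, or None if the traces never violate the rule.

    A fault needs |primary - secondary| > deadband continuously for longer
    than time_ms (assumption: the timer restarts when back inside the deadband).
    """
    over_ms = 0
    for index, (p, s) in enumerate(zip(primary, secondary)):
        if abs(p - s) > deadband:
            over_ms += sample_ms
            if over_ms > time_ms:
                return index
        else:
            over_ms = 0
    return None


def constructed_traces():
    """Constructed sample data: 900 samples (2.7 s) around the knife speed
    produced by a 600 rpm motor, 10:1 reduction, two cuts per load revolution."""
    nominal = motor_rpm_to_units_per_s(600, 10, 2)   # 2.0 knife cuts/s
    primary = [nominal] * 900
    secondary = [nominal] * 900
    for i in range(100, 400):      # 900 ms excursion, shorter than the Time entry
        secondary[i] = nominal - 0.15
    for i in range(500, 900):      # 1200 ms excursion, longer than the Time entry
        secondary[i] = nominal - 0.15
    return primary, secondary


if __name__ == "__main__":
    print("Example 1:", counts_per_position_unit(4096, 1, 1), "counts/knife revolution")
    print("Example 2:", counts_per_position_unit(4096, 10, 2), "counts/knife cut")
    primary, secondary = constructed_traces()
    fault_at = dual_velocity_check(primary, secondary, deadband=0.1, time_ms=1000)
    print("fault at sample", fault_at, "=", fault_at * SAMPLE_MS, "ms into the trace")
```

The first excursion shows why the Time entry matters: a discrepancy larger than the deadband that clears within the time tolerance never produces a fault.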
Discrepancy Checking Example

This example uses Scaling Example 2 on page 48 to show how discrepancy checking is used to measure the speed discrepancy between primary and secondary feedback and avoid dual-feedback position faults.

Figure 24 - Discrepancy Checking Example

Data summary for this scaling example:
• The primary feedback encoder is rotating at 600 rpm
• Hence, the secondary feedback encoder is rotating at 60 rpm (10:1 gear reduction)
• Time = 1000 ms

To calculate the secondary feedback speed:

$$\frac{600\ \text{Motor Revolutions}}{\text{Minute}} \cdot \frac{1\ \text{Minute}}{60\ \text{Seconds}} \cdot \frac{1\ \text{Load Revolution}}{10\ \text{Motor Revolutions}} \cdot \frac{2\ \text{Knife Cuts}}{1\ \text{Load Revolution}} = \frac{2\ \text{Knife Cuts}}{\text{Second}}$$

Primary encoder feedback speed is calculated in the same safety units, but rotating at 20 knife cuts/s. If primary versus secondary feedback speed differs by more than the Velocity Deadband value (0.1 knife cuts/s), for the Time (1000 ms) duration, a velocity discrepancy fault occurs.

STO Category

The STO category provides a disable and coast fault action. However, if a torque disable delay is needed following STO Active, you can enter a value in the Delay field. STO Output is a tag in the safety output assembly, which is used to activate the STO function, and is written by the GuardLogix controller. When any source for STO is asserted, STO Active becomes high to indicate that the STO function is operating.
Figure 25 - Motion Safety STO

STO becomes active if any of the following inputs to STO are asserted:
• STO Output = 0
• Safety Connection Loss and Connection Loss Action = STO
• Safety Connection is Idle and Connection Idle Action = STO
• Drive-based SS1 Function is Complete (= 1)
• Safety Stop Fault = 1
• Critical Safety fault occurs

See Safe Stop Function attribute 265 (STO Activation) on page 103.

STO Delay follows this sequence of events.
1. STO becomes active and the STO delay timer begins.
2. The STO delay timer expires. Torque producing power is removed from the inverter output.
   - If STO is activated by a Safety Stop fault or Critical Safety fault, torque is removed immediately without the STO delay.
   - If STO is reset by removing all inputs, torque is immediately permitted without delay.

SS1 Category

The Motion Safety>SS1 category is configured when a Timed or Monitored Safe Stop 1 (SS1) function is desired. Timed SS1 mode is the default setting. Monitored SS1 and Not Used are also available.

Figure 26 - SS1 Dialog Box (Timed SS1, default)

Timed SS1 is a fixed time for the motor to stop before removing torque. Motor feedback is not monitored. Stop Delay is the only parameter used for Timed SS1 and determines the Max Stop Time.

Figure 27 - SS1 Dialog Box (Monitored SS1)

Monitored SS1 is a ramped safe-stop where the motion safety instance monitors the speed ramp to standstill speed, while either the motion task or the drive controls the deceleration to standstill speed. When standstill is reached, the motion safety instance removes torque from the motor.
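The STO activation conditions and the STO Delay sequence in the STO Category above can be expressed as a small timeline model for reviewing a planned configuration. This is an added example, not code from the manual or the drive: the class, field and function names are hypothetical, the event lists are constructed, and the model only encodes the rules stated in that list and sequence.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StoInputs:
    """Snapshot of the sources that can assert STO (names are hypothetical)."""
    sto_output: int = 1                      # STO Output tag, 0 requests STO
    connection_lost: bool = False
    connection_loss_action_is_sto: bool = True
    connection_idle: bool = False
    connection_idle_action_is_sto: bool = True
    ss1_complete: bool = False               # drive-based SS1 function complete
    safety_stop_fault: bool = False
    critical_safety_fault: bool = False


def sto_active(i):
    """STO becomes active if any listed input is asserted."""
    return bool(i.sto_output == 0
                or (i.connection_lost and i.connection_loss_action_is_sto)
                or (i.connection_idle and i.connection_idle_action_is_sto)
                or i.ss1_complete
                or i.safety_stop_fault
                or i.critical_safety_fault)


def bypasses_delay(i):
    """Safety Stop and Critical Safety faults remove torque without the STO delay."""
    return i.safety_stop_fault or i.critical_safety_fault


def torque_timeline(events, sto_delay_ms, end_ms):
    """Replay (time_ms, StoInputs) events in time order and return a list of
    (time_ms, description) entries for STO activation and torque state."""
    log = []
    active_since = None
    removed = False

    def expire(now):
        # Log the delayed torque removal once the STO delay timer has run out.
        nonlocal removed
        if active_since is not None and not removed and active_since + sto_delay_ms <= now:
            log.append((active_since + sto_delay_ms, "torque removed"))
            removed = True

    for t, inputs in events:
        expire(t)
        if sto_active(inputs):
            if active_since is None:
                active_since = t             # STO delay timer begins
                log.append((t, "STO active"))
            if bypasses_delay(inputs) and not removed:
                log.append((t, "torque removed"))
                removed = True
        elif active_since is not None:
            # All inputs removed: torque is permitted immediately, without delay.
            log.append((t, "torque permitted"))
            active_since, removed = None, False
    expire(end_ms)
    return log


if __name__ == "__main__":
    normal = StoInputs()
    request = StoInputs(sto_output=0)
    fault = StoInputs(sto_output=0, safety_stop_fault=True)
    print(torque_timeline([(0, normal), (100, request)], 500, 2000))
    print(torque_timeline([(0, normal), (100, request), (300, fault)], 500, 2000))
    print(torque_timeline([(100, request), (250, normal)], 500, 2000))
```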
Axis Properties Safety Actions

The drive and controller combination supports multiple stopping functions:
• STO with optional STO Delay
• Timed Safe Stop 1 (drive-based)
• Monitored Safe Stop 1 (drive-based or controller-based)
• Monitored Safe Stop 2 (controller-based)

The motion control of the drive does not have a safety performance rating, but often must control the motor in coordination with the safety stopping functions. For example, the Monitored Safe Stop 1 function monitors the deceleration of the motor and maintains a disabled state for the torque producing output, while the motion control executes the deceleration of the motor, engages the brake (if applicable), and disables the motion control torque. Proper coordination of the safety and motion control of the drive is, therefore, necessary to achieve the expected and optimal behavior.

The Safety Actions configurations, in the Axis Properties, are to assist in the coordination of the motion control with the safety stopping functions while also meeting the needs of the application.

IMPORTANT The Safety Actions are part of the drive's motion control and are not included as a part of the safety performance level of the safety function. Failures in the motion control system should be considered as a part of a worst-case fault reaction analysis of the safety functions.

Safety Actions Parameters

The Safety Actions parameters, located in the Axis Properties on the Actions tab, determine if the drive or the user motion control program initiates the stopping sequence in response to an STO or SS1.
The selection options for both Safe Torque Off Action Source and Safe Stopping Action Source are the following:
• Connected Drive - the drive initiates the Safe Torque Off Action stopping sequence upon detection of the Safe Torque Off function activation
• Running Controller - requires the user motion control program to monitor the Axis.SafeTorqueOffActiveStatus tag and initiate a stopping action

If the drive is initiating the stopping sequence, the stopping method is based on the Action parameter selection. The Safe Torque Off Action and/or Safe Stopping Action are ignored when Running Controller is selected because the motion control program performs the stopping sequence.

The Safe Torque Off Action parameters are dependent on the axis configuration setting. Available options are the following:
• Disable and Coast
• Current Decel and Disable
• Ramped Decel and Disable (Velocity Mode, Frequency Mode only)

The Safe Stopping Action parameter options are dependent on the axis configuration setting. Available options are the following:
• Current Decel (Disable implied)
• Ramped Decel (Velocity Mode, Frequency Mode only)

Initiate Safety Function Execution

When you use networked safety, the GuardLogix controller initiates the safety function request. Initiation is done by controlling bits in the Safety Output Assembly of the drive module. The safety program logic is used to execute the drive-based safety functions.

Initiating STO

The STO safety function is controlled by the drive module tag Module:SO.STOOutput. During normal operation the Module:SO.STOOutput tag would be ON. To initiate the STO, the Module:SO.STOOutput tag would need to transition to OFF. Below is an example of controlling the Module:SO.STOOutput bit.

Initiating SS1

The SS1 safety function is controlled by the drive module tag Module:SO.SS1Request.
To initiate the SS1, the Module:SO.SS1Request tag needs to transition to ON. Below is an example of controlling the SS1Request bit.

Safe Torque Off Actions

The STO drive safety function is in both ArmorKinetix ERS2 and ERS5 modules. The STO safety function has some added functionality due to the IEC 61800-5-2 change that was mentioned and previous drive network STO solutions. This STO configuration allows better coordination of STO with engaging a brake beforehand. The STO Delay starts timing when the Axis.SafeTorqueOffActiveStatus bit is set (ON). This delay is used to allow time for the motor to decelerate to zero speed, engage a holding brake, and disable the motor before removing torque producing ability when the STO Delay time expires.

Figure 28 - STO Execution with Different Action Sources

Both the STO and SS1 examples can use the Zero Speed value as an indicator that the motor has reached zero speed. Zero Speed is an Axis parameter that can be modified and lets you manually set the zero-speed condition that is used by the Studio 5000 Logix Designer application to indicate the motor is at zero speed. This value is used together with a disabling operation to determine when the holding brake output is applied in a Category 0 and Category 1 Stop and is a percentage of the motor rated speed. Once the motor speed is less than the Zero Speed value, a timer begins timing (Zero Speed Time) which, upon expiring, is meant to indicate a true zero-speed condition of the motor.

Safe Torque Off - Connected Drive

When the Safe Torque Off Action Source is set to Connected Drive, the drive performs the Safe Torque Off Action before removing torque producing ability and completing the STO request.
• In the Safety Program, Module:SO.STOOutput is cleared (OFF) to initiate the STO Request.
• The drive sets Module:SI.STOActive (ON) and STO Delay begins timing.
• Current Decel & Disable: The drive uses the Stopping Torque to bring the motor to zero speed. (Current Decel & Disable is shown - Disable and Coast is also available. When Disable & Coast is used, be sure the STO Delay is large enough so the motor can reach zero speed).
• At zero speed, the drive disabling begins, the Mechanical Brake Output is cleared (OFF) and MechanicalBrakeEngageDelay begins timing.
• PowerStructureEnabled is cleared (OFF) once the MechanicalBrakeEngageDelay time expires.
• STO Delay timer expires and torque producing ability is removed.
• STO Request is complete.

Figure 29 - Timing Chart Showing the STO Action Source Connected Drive (Current Decel & Disable)

IMPORTANT Vertical Load application techniques are used commonly. See the Vertical Load and Holding Brake Management Application Technique, publication MOTION-AT003 to help supplement the timing diagram in Figure 29.

Safe Torque Off - Running Controller

When the Safe Torque Off Action Source is set to Running Controller, the motion control program executes the stopping action and performs any additional control including disabling of the motor. Once the Safe Torque Off delay expires, torque producing ability is removed and the STO Request is complete. Safe Torque Off Action is ignored in this configuration.

Figure 30 - Safety Actions>Safe Torque Off Action Source - Running Controller

• In the Safety Program, Module:SO.STOOutput is cleared (OFF) to initiate the STO Request.
• The drive sets Module:SI.STOActive (ON) and STO Delay begins timing.
• The motion control program uses the pass-through axis tag Axis.SafeTorqueOffActiveStatus as a condition to initiate the stopping of the motor to zero speed.
• At zero speed, a disable is executed by the motion control program, Axis.MechanicalBrakeOutputStatus is cleared (OFF) and MechanicalBrakeEngageDelay begins timing.
• Axis.PowerStructureEnabledStatus is cleared (OFF) once the MechanicalBrakeEngageDelay time expires.
• STO Delay timer expires and torque producing ability is removed.
• STO Request is complete.

Figure 31 - Timing Chart Showing the STO Action Source - Running Controller

IMPORTANT In the Axis Properties, when the STO Action Source is set to Running Controller, the DANGER note implies that user-created logic monitors the Safe Torque Off Active Status and executes a stopping action in the standard user task.

IMPORTANT If STO is activated by a Safety Stop fault or Critical Safety fault, torque is removed immediately without the STO delay.

Safe Stop Actions

The SS1 (Safe Stop 1) is designed to perform in combination with a Category 1 stop. There are two different modes of the SS1, Timed and Monitored. The modes are selected in the Drive AOP Properties.
• ArmorKinetix ERS2 modules can only execute a SS1-t (timed) because there is no monitored feedback.
• ArmorKinetix ERS5 modules can execute both SS1-t (timed) or SS1-r (monitored).

Figure 32 - SS1 Mode Selection from Drive Properties - SS1/Motion Safety Category

Similar to the STO safety function, the Action Source of the SS1 is selected as Connected Drive or Running Controller. These selections take different monitoring and execution paths, but have the same result.

The SS1 examples can use the Zero Speed or Standstill Speed value as an indicator that the motor has reached zero speed. Standstill speed is a parameter that can be modified either by the SS1 instruction or in the drive module AOP and lets you manually set a zero-speed condition that is in user units.
Once the motor speed is below the Standstill Speed value, the 'standstill' condition is met. Standstill speed is used with the Monitored SS1 function only. When the Standstill Speed condition is met, the STO request is initiated. It is typical for the Standstill Speed and Zero Speed to be similar values.

One way to think about Zero/Standstill speed and their use is the following:
• Zero Speed is used in the Standard environment as a permissive to disable the motor.
• Standstill Speed is used by the Safety environment to initiate an STO request.

These figures show the execution for both of the SS1 functions when using different Safe Stopping Action Sources.

Figure 33 - SS1 - Timed Sequence Execution with Different Safe Stopping Action Sources

Figure 34 - SS1 - Monitored Sequence Execution with Different Safe Stopping Action Sources

IMPORTANT The Safe Stopping Action configuration in the Axis Properties shows the Action of Current Decel. This setting is not changeable. SS1 is a Current Decel & Disable (Cat 1 Stop), SS2 is a Current Decel & Hold (Cat 2 Stop). The reason Current Decel is the selection is because it is common to both SS1 and SS2. At this time, the Current Decel selection implies a Disable to fulfill the SS1 condition.

Timed SS1 - Connected Drive

Timed SS1 is available in both the ArmorKinetix -ERS2 and -ERS5 modules. The timed SS1 is a basic function and used as a drive-based safety function. The timed SS1 uses the Stop Delay time and does not monitor the deceleration of the motor. Once the Stop Delay expires, the STO Request is made from the drive. The motor is decelerated by the drive using the Stopping Torque and Stopping Time to reach zero speed. At zero speed, the motor is disabled by the drive.
Figure 35 -

• The SS1 Request function (drive based safety function) is initiated by setting the SS1Request bit ON (drive safety output tag - Module:SO.SS1Request = 1).
• SS1 Stop Delay begins timing.
• Stopping Torque/Stopping Time is used to decelerate the motor to reach zero speed.
• At zero speed, the drive disabling begins, the mechanical brake output is cleared (OFF) and BrakeEngageDelay begins timing.
• PowerStructureEnabled bit is cleared (OFF) once the BrakeEngageDelay time expires.
• SS1 Stop Delay expires and STO Request is made by the drive and the STO Action defined by the Axis Properties is initiated.
• STO Delay timer begins.
• STO Delay timer expires and torque producing ability is removed.
• STO Request is complete.

Figure 36 - Timed SS1 Action Source - Connected Drive

Timed SS1 - Running Controller

Timed SS1 is available in both the ArmorKinetix -ERS2 and -ERS5 modules. Timed SS1 is used as a drive based safety function. The Timed SS1 uses the Stop Delay Time and does not monitor the deceleration of the motor. Once the Stop Delay expires, the STO Request is made from the drive. The motor is decelerated by the motion control program to reach zero speed. At zero speed, the motor is disabled by the motion control program.
• The SS1 Request function (drive based safety function) is initiated by setting the SS1Request bit ON (drive safety output tag - Module:SO.SS1Request = 1).
• SS1 Stop Delay begins timing.
• Motion control program is used (based on pass-through axis tag SS1ActiveStatus) to decelerate the motor to zero speed.
• At zero speed, the motor is disabled by the motion control program, the mechanical brake output is cleared (OFF) and MechanicalBrakeEngageDelay begins timing.
• PowerStructureEnabled bit is cleared (OFF) once the MechanicalBrakeEngageDelay time expires.
• SS1 Stop Delay expires and STO Request is made by the drive and the STO Action defined by the Axis Properties is initiated.
• STO Delay timer begins.
• STO Delay timer expires and torque producing ability is removed.
• STO Request is complete.

Figure 37 - Timed SS1 Action Source - Running Controller

Monitored SS1 - Connected Drive

Monitored SS1 is only available in the ArmorKinetix -ERS5 module. When Monitored SS1 is used with Connected Drive as the Action Source, the drive receives the SS1 Request from the safety program. The drive uses the Stop Delay Time and the Safety defined primary feedback device to monitor the deceleration of the motor. The motor is decelerated by the drive by using the Stopping Torque and Stopping Time to reach zero speed. At zero speed, the motor is disabled by the drive. Once the Stop Delay expires, or the Standstill Speed is reached, the STO Request comes from the drive and the STO Action, as defined in the Axis Properties, is performed.

Figure 38 - Monitored SS1 Safety AOP Configuration

IMPORTANT Monitored SS1 is available with a Ramped Decel Safe Stopping Action when the axis is configured for Velocity Loop, or Frequency Control. Position Loop uses Current Decel as the Safe Stopping Action.

Safety Connection Examples

The following are examples of each of the Safety Connections available when using ArmorKinetix ERS2 and ERS5 based on allowed function. For these examples not all safety monitoring functions are shown because many are user specific, for instance, the Motion Safety Actions (when communications are interrupted) or STO.
• ArmorKinetix DSD module to induction motor, safe stop only, no feedback
• ArmorKinetix DSD module to Kinetix VPL Q motor single feedback monitoring
• ArmorKinetix DSD module to Kinetix VPL Q motor with 842 HR for dual feedback monitoring
• ArmorKinetix DSD module to Kinetix MPL M motor with single feedback monitoring
• ArmorKinetix DSM module for single feedback monitoring

Safe Stop Only-No Feedback - ArmorKinetix DSD Module to Induction Motor

The motion instance has been configured to run an asynchronous induction motor. The following is an example of a configuration layout when Safe Stop Only-No Feedback is used on the ERS5 module connected to an induction motor.

Figure 39 - 2198-DSDxxx-ERS5 Module to Induction Motor (labels: Kinetix 5700 Servo Drives; PIM Modules; DSD Module; Induction Motor)

1. In this example, the 2198-DSDxxx-ERS5 module is used, but an ERS2 module supports Safe Stop Only-No Feedback as well. To select the module properties, select Change.
2. Make these selections for the module definitions:
   - Safety Application - Networked
   - Connection - Motion and Safety
   - Motion Safety - Safe Stop Only - No Feedback
   A reason for using Safe Stop Only - No Feedback for a 2198-DSDxxx-ERS2/5 module is to control an induction motor open loop, in frequency control. Because both VHz and SVC modes do not have current loops, the current decel type of stopping actions are not real stopping types. We recommend you use this configuration for STO and SS1 as shown.
3. From the Actions tab, set the Safety Actions.
   a. For a Safe Torque Off Action for frequency control, we recommend the following actions:
      - If the Safe Torque Off Action Source is set to Connected Drive, the drive accepts the Module:SO.STOOutput and after the Delay, if used, disables the drive modulation and lets the motor coast to a stop due to friction/losses.
      - If the Safe Torque Off Action Source is set to Running Controller and uses the Module:SO.STOOutput pass through to the controller, the controller uses Axis.SafeTorqueOffActiveStatus to control the motor to a stop. Then, the controller removes the Module:SO.STOOutput OTE, which sets the motor in a Safe Torque Off Condition.
   b. For a Safe Stopping Action for frequency control, we recommend the following action:
      - If the Safe Stopping Action Source is set to Running Controller and uses the SS1Request bit ON (Drive Safety Output tag - Module:SO.SS1Request = 1) pass through to the controller, the controller uses the SS1ActiveStatus tag to control the motor to a stop.

IMPORTANT The only drive selection for SS1 is timed (or none). Note that this is the drive safety planner, but the running controller is not affected unless the SS1-t stop time is exceeded. When the SS1-t stop time is reached in the safety planner, the drive will automatically initiate a Safe Torque Off, regardless of the motor's speed at the time of expiration.

Single Feedback Monitoring ArmorKinetix DSD Module to Kinetix VPL Motor with SIL2 Encoder

Figure 40 - 2198-DSDxxx-ERS5 Module to Kinetix VPL Motor with SIL2 Encoder (labels: PIM Modules; Kinetix 5700 Servo Drives; DSD Module; Kinetix VPL Motor; Safety Connection; Primary)

The single feedback monitoring, along with the Kinetix VPx SIL2 encoder, is the most common application type for an ArmorKinetix ERS5 drive. For example, you can use this application type in a Safely-limited Speed application to know when a specific speed is controlled/monitored.

1. To select the module properties, from the General tab, select Change.
2.
Make these selections for the module definitions, then select OK:
   - Safety Application - Networked
   - Connection - Motion and Safety
   - Motion Safety - Single Feedback Monitoring
   Compared to Safe Stop Only - No Feedback, you can select both Primary Feedback and Scaling for feedback monitoring functions.
3. Configure the following items in the Primary Feedback.
   - Device - Select DSL Feedback for device type. Kinetix VPL motors can use either the Q or W SIL2 encoder based on current density.
   - Catalog - Change value to the correct motor catalog number.
   - Polarity - Select the safety encoder count direction.
   - Velocity Average Time - Set this value based on previous analysis for speed accuracy and safety monitoring function response time.
     IMPORTANT This setting is an important requirement for maintaining proper safety monitoring, such as the accuracy and response time of the Safely-limited Speed functions.
   - Standstill Speed - Set this value to know when the Deceleration of a Monitored Safe Stop 1 is complete.
4. Configure the Scaling. This section can be quite complex based on your machine code. We recommend that you see Knowledgebase article How to scale the SFX instruction to meet the Motion/IO mode and safety configuration units to use good engineering practices to program similar units.
   • The Motion Safety Scaling
   • The GuardLogix Safety Task Scaling from the SFX to the Safety instructions
   • The Motion Planner Scaling for use of Motion Axis Moves
   - The encoder counts are the resolution of the safety encoder, therefore, 12 bit or 2^12 = 4096 counts per motor revolution.
   - There also are evaluations of machine transmissions that alter motor speed at the load due to use of gearbox or other such devices.
5. Configure the SS1 function.
   - When using an encoder in the drive safety configuration, SS1-monitoring can be used for controlled deceleration.
- SS1-timed can be used, but the deceleration rate and standstill speed are not monitored.

Dual Feedback Monitoring ArmorKinetix DSD Module to Kinetix VPL Motor with SIL2 Encoder and using an 842HR for Discrepancy Encoder Checking

Figure 41 - 2198-DSDxxx-ERS5 Module to Kinetix VPL Motor and 842 Encoder

Using a SIL 2 rated Kinetix VP encoder with an external secondary encoder lets you use the speed in safety speed monitoring functions with a performance level up to SIL3 PLe, Category 3. See Table 24 and Table 25 for details. The configuration uses the following:
• ArmorKinetix DSD ERS5 module
• Kinetix VPx SIL 2 encoder for single feedback monitoring function
• 842HR to allow for discrepancy checking of the Kinetix VP motor speed
1. To select the module properties, from the General tab, select Change.
2. Make these selections for the module definitions, then select OK:
- Safety Application - Networked
- Connection - Motion and Safety
- Motion Safety - Dual Feedback Monitoring
Compared to Single Feedback Monitoring, you can select both Secondary Feedback and Discrepancy Checking for dual feedback monitoring functions.
3. Configure the following items in Primary Feedback.
- Device - Select DSL Feedback for device type. Kinetix VPL motors can use either the Q or W SIL2 encoder based on current density.
- Catalog - Change value to the correct motor catalog number.
- Polarity - Select the safety encoder direction count.
- Velocity Average Time - Set this value based on previous analysis for speed accuracy and safety speed monitoring function response time.
IMPORTANT This setting is an important requirement for maintaining proper safety monitoring, such as the accuracy and response time of the Safely-limited Speed functions.
- Standstill Speed - Set this value to know when the Deceleration of a Monitored Safe Stop 1 is complete.
4. Configure the Scaling. This section can be quite complex based on your machine code. We recommend that you see Knowledgebase article "How to scale the SFX instruction to meet the Motion/IO mode and safety configuration units" to use good engineering practices to program similar units.
• The Motion Safety Scaling
• The GuardLogix Safety Task Scaling from the SFX to the Safety instructions
• The Motion Planner Scaling for use of Motion Axis Moves
- The encoder counts are the resolution of the safety encoder, therefore, 12 bit or 2^12 = 4096 counts per motor revolution.
- There also are evaluations of machine transmissions that alter motor speed at the load due to use of gearbox or other such devices.
5. Configure the following items in Secondary Feedback.
- Device - Select Universal Feedback for device type. As with the DSL Feedback, the Universal Feedback is geared more toward a Hiperface/SIN/COS device. The Safety AOP of the drive keeps the same feedback configuration nomenclature as the Axis Properties, but it is important to note that these two configurations are separate and isolated.
- Catalog - Change value to NONE as there is no motor connected to this port.
- Polarity - Select the safety encoder count direction.
- Velocity Average Time - Set this value based on previous analysis for speed accuracy.
• This setting must now take the Discrepancy Checking algorithm into account, because a wider speed variance of the secondary encoder versus the primary Kinetix VPx motor can be misleading.
• We recommend that you make sure that the resolutions are comparable and that the velocity average times are comparable.
- Standstill Speed - Set this value to know when the Deceleration of a Monitored Safe Stop 1 is complete.
6. Configure the Discrepancy Checking.
IMPORTANT Confirm the ratio of primary to secondary is accurate, based on encoder resolution and gearing. Differences in encoder resolutions and velocity average times can impact the velocity discrepancy. We recommend that you see Knowledgebase article "How to scale the SFX instruction to meet the Motion/IO mode and safety configuration units" due to the complexity of the configuration.
- Mode - supports Dual Velocity Check for comparison of the encoder feedback devices. If no feedback comparison is needed, then Not Used would be selected.
- Ratio - sets the ratio between the primary and secondary feedback for the speed comparison. In this example the Kinetix VPx Q/W encoder rotates 1 revolution and the 842HR rotates 1 revolution. This establishes the gear ratio in the drive safety planner.
- Velocity deadband - set to 0.1 position units/second. Both the primary and secondary encoders use the same position units to evaluate the actual discrepancy.
- Time - set to 100 ms. This value indicates that the Kinetix VPx Q/W encoder position units/sec cannot differ from the 842HR secondary position units/sec by more than the Velocity Deadband for 100 ms; otherwise, the drive safety planner posts a fault and takes the specific fault action (coast to stop is a typical safety fault action).
- In this example, both the VPL-B1152C-Q encoder and 842HR encoder are 4096 counts per motor revolution in the Scaling tab. The ideal configuration has two similar count encoders.
If, for instance, a mandatory VPL-B1152C-Q of 4096 counts per motor were directly coupled to a line shaft with an encoder of 2048 counts per motor, the scaling can't change, but the discrepancy ratio can change to one primary revolution to two secondary revolutions, which could satisfy a gear ratio configuration.
7. Configure the SS1 function.
- When using an encoder in the drive safety configuration, SS1-monitoring can be used for controlled deceleration.
- SS1-timed can be used, but the deceleration rate and standstill speed are not monitored.

Single Feedback Monitoring ArmorKinetix DSD Module to Kinetix MPL Motor with Hiperface, non-rated Safety Encoder

Figure 42 - 2198-DSDxxx-ERS5 Module to Kinetix MPL Motor with non-rated Encoder

This example shows single feedback monitoring for an ArmorKinetix DSD ERS5 module that is connected to a Kinetix MPL Hiperface. This example shows another common application type. This application is similar to the Kinetix VPx SIL 2 encoder for single feedback monitoring applications. For instance, you can use it in a Safely-limited Speed application to know when a specific speed is controlled/monitored. The hybrid cable connection from the DSD module has one motor power cable to the Kinetix MPL motor power connector and an auxiliary encoder cable to the Kinetix MPL motor feedback connector. In this case, Dual Feedback Monitoring cannot be used because only one feedback device is being used.
1. To select the module properties, from the General tab, select Change.
2. Make these selections for the module definitions, then select OK:
- Safety Application - Networked
- Connection - Motion and Safety
- Motion Safety - Single Feedback Monitoring
Compared to Safe Stop Only - No Feedback, you can select both Primary Feedback and Scaling for feedback monitoring functions.
3. Configure the following items in Primary Feedback.
- Device - Select Universal Feedback for device type. The catalog numbers for the nonrated SIL encoders or the Kinetix MPx with S or M designation are then available. Kinetix MPx motors must use the S (single turn) or M (multi-turn) type encoder. The H (incremental) or R (resolver) are not compatible. The MPL-B420P-M motor is shown here, for example.
- Catalog - Change value to the correct motor catalog number.
- Polarity - Select the safety encoder count direction.
- Velocity Average Time - Set this value based on previous analysis for speed accuracy and safety speed monitoring function response time.
IMPORTANT This setting is an important requirement for maintaining proper safety monitoring, such as the accuracy and response time of the Safely-limited Speed functions.
- Standstill Speed - Set this value to know when the Deceleration of a Monitored Safe Stop 1 is complete.
- SIL Capability - For Kinetix MPx motors with S/M encoders, the designation is None because these motors do not have safety rated encoders. Contact the Rockwell Technical Consultant/Safety Engineers to discuss system safety performance level (PL) with the MPx with S/M encoders. For Kinetix VPx with Q or W encoders, the SIL 2 is shown because the encoder itself meets that designation per the encoder manufacturer.
4. Configure the Scaling. This section can be quite complex based on your machine code.
We recommend that you see Knowledgebase article "How to scale the SFX instruction to meet the Motion/IO mode and safety configuration units" to use good engineering practices to program similar units.
• The Motion Safety Scaling
• The GuardLogix Safety Task Scaling from the SFX to the Safety instructions
• The Motion Planner Scaling for use of Motion Axis Moves
- Kinetix MPx motors with S/M encoders do not have a safety configured encoder, but the standard channel is evaluated with 1024 lines per revolution x 4 or 4096 counts per motor revolution. This is used in the safety channel for monitoring functionality.
- There also are evaluations of machine transmissions that can alter the scaling of the encoder feedback, due to the use of a gearbox or other such device.
5. Configure the SS1 function.
- When using an encoder in the drive safety configuration, SS1-monitoring can be used for controlled deceleration.
- SS1-timed can be used, but the deceleration rate and standstill speed are not monitored.

Single Feedback Monitoring of ArmorKinetix DSM Module with Integrated Safety Encoder

This example is single feedback monitoring for a drive/motor 2198-DSMxxx-ERS5 module with Safety Encoder. This configuration does not require drive to motor wiring and allows for single feedback monitoring applications. For example, you can use it in a Safely-limited Speed application to know when a specific speed is controlled/monitored.
1. To select the module properties, from the General tab, select Change.
2. Make these selections for the module definitions, then select OK:
- Safety Application - Networked
- Connection - Motion and Safety
- Motion Safety - Single Feedback Monitoring
Compared to Safe Stop Only - No Feedback, you can select both Primary Feedback and Scaling for feedback monitoring functions. Dual feedback monitoring is not available because the DSM module has the motor and encoder feedback integrated with the drive and the connector available for a secondary encoder connection.
3. Configure the following items in Primary Feedback.
- Device - Select DSL Feedback for device type. The DSM modules use the -W or -T Safety Encoders based on current density/encoder dimensions. The ArmorKinetix ERS5 to the 2198-DSMxxx-B1152F-T is shown here for example. The DSM module catalog numbers that use safety encoders use W or T for the encoder type. For comparison purposes, Kinetix VPx motors use W or Q encoder types.
- Catalog - Change value to the correct motor catalog number.
- Polarity - Select the safety encoder count direction.
- Velocity Average Time - Set this value based on previous analysis for speed accuracy and safety speed monitoring function response time.
IMPORTANT This setting is an important requirement for maintaining proper safety monitoring, such as the accuracy and response time of the Safely-limited Speed functions.
- Standstill Speed - Set this value to know when the Deceleration of a Monitored Safe Stop 1 is complete.
4. Configure the Scaling. This section can be quite complex based on your machine code. We recommend that you see Knowledgebase article "How to scale the SFX instruction to meet the Motion/IO mode and safety configuration units" to use good engineering practices to program similar units.
• The Motion Safety Scaling
• The GuardLogix Safety Task Scaling from the SFX to the Safety instructions
• The Motion Planner Scaling for use of Motion Axis Moves
- The encoder counts are the resolution of the safety encoder, 13 bit or 2^13 = 8192 counts per motor revolution.
- There also are evaluations of machine transmissions that can alter the scaling of the encoder feedback, due to the use of a gearbox or other such device.
5. Configure the SS1 function.
- When using an encoder in the drive safety configuration, SS1-monitoring can be used for controlled deceleration.
- SS1-timed can be used, but the deceleration rate and standstill speed are not monitored.

Encoder Types and SIL Ratings

Encoder feedback is used for motion control, safety motion monitoring, or both. The drive must be configured to use a feedback device for motion and/or for safety. The motion and safety functions in the drive are independent regarding the encoder feedback.

For SIL 2 PLd safety applications, one encoder can be used. The encoder for SIL 2 applications has restrictions. Table 24 and Table 25 show how different feedback types can be used with a drive to achieve the desired motion control and safety for SIL 2 PLd applications.

For SIL 3 PLe applications, two encoders must be used. One of the encoders must be a SIL 2 rated Hiperface DSL encoder that is provided in a Kinetix VP (VPL, VPF, VPH, or VPS motors) servo motor. The secondary encoder must be a Sin/Cos type that meets specific requirements for diagnostic coverage.
Table 24 - Feedback Types Assigned to Feedback Ports for SIL 2 and PL d Applications
Motor Feedback (UFB) Connector (1) Motor Power/Feedback (MF) Connector (1) Encoder Source VPL-Bxxxxx-Q VPL-Bxxxxx-W VPF-Bxxxxx-Q VPF-Bxxxxx-W VPH-Bxxxxx-Q VPH-Bxxxxx-W VPAR-Bxxxxx-Q VPAR-Bxxxxx-W VPL-Bxxxxx-C VPL-Bxxxxx-P VPF-Bxxxxx-C VPF-Bxxxxx-P VPH-Bxxxxx-C VPAR-Bxxxxx-C Encoder Source Primary • No encoder • Any encoder supported Not used by the drive • None • 1/2 axis • Dual-loop load feedback Single Channel SIL 2/PL d Motor feedback Any Sin/Cos encoder compatible with drive • None • 1/2 axis • Dual-loop load feedback • Single Channel SIL 2/PL d for rated encoders. • PLd according to machinery safety standard and additional (customer-supplied) safety measures. (2) Motor Feedback Motor Feedback Not used Motor feedback Encoder Safety Function Primary No encoder Not used Not used • SIL 2 Safety rated Sin/ Cos encoder compatible Primary with drive(2) (3) (4) No encoder Not used Not used • Any Sin/Cos encoder compatible with driver Primary (2) (3) (4) (6) Encoder Motion Function Achievable System Safety Rating Encoder Safety Encoder Motion Function Function • Single Channel SIL 2/PL d for rated encoders according to machinery safety standard and additional (customer supplied) safety measures.(5) • PL d according to machinery safety standard and additional (customersupplied) safety measures. (5) • Applies for Kinetix MP motors with -M and -S encoder options.
(1) (2) (3) (4) (5) The motor power/feedback connector and motor feedback connector appear on 2198-DSD modules. Applies to generic sin/cos and Hiperface with Sin/Cos. Does not support absolute position. Hiperface encoders must be programmed with the Rockwell Automation Encoder Data format to be compatible with the drive.
Encoder diagnostics for SIN/COS encoders provided by the drive include: 5V encoder power supply monitoring, 9V encoder power supply monitoring, and SIN^2 and COS^2 (vector length) test. You must determine the suitability of the encoder and the system safety rating. Determine encoder suitability from the failure rate provided by the encoder manufacturer.
(6) You must determine if the encoder is suitable for the application according to reliability data obtained from manufacturer.

Table 25 - Feedback Types Assigned to Feedback Ports for SIL 3/PL e Applications
Column groups: Universal Feedback (UFB) Connector (1) and Motor Feedback (MF) Connector (1), each with Encoder Source, Encoder Safety Function, and Encoder Motion Function; Achievable System Safety Rating.
- Encoder Source: VPL-Bxxxxx-Q, VPL-Bxxxxx-W, VPF-Bxxxxx-Q, VPF-Bxxxxx-W, VPH-Bxxxxx-Q, VPH-Bxxxxx-W, VPAR-Bxxxxx-Q, VPAR-Bxxxxx-W. Encoder Safety Function: Primary. Encoder Motion Function: Motor Feedback.
- Encoder Source: Any Sin/Cos encoder compatible with drive (includes Hiperface (2)). Encoder Safety Function: Secondary. Encoder Motion Function: • None • 1/2 axis • Dual-loop load feedback.
- Achievable System Safety Rating: Dual Channel SIL 3/PL e (3)
(1) The motor power/feedback connector and motor feedback connector appear on 2198-DSD modules.
(2) Secondary sin/cos encoders do not need to have a SIL rating, however, you must determine the suitability of the encoder for the safety application. Encoder diagnostics for SIN/COS encoders provided by the drive include: 5V encoder power supply monitoring, 9V encoder power supply monitoring, and SIN^2 and COS^2 (vector length) test.
(3) Dual-channel SIL 3 (PL e) applies only to velocity discrepancy checking and functions that use velocity (or speed) checking. The SLP and SDI safety functions use position checking. SS2 and SOS can also be configured for position checking. The 2198-DSD module does not perform position discrepancy checking in the drive, limiting position safety functions to SIL 2 (PL d).
Position checking safety functions requiring SIL 3 (PLe) require dual-channel position discrepancy checking in the GuardLogix controller with user defined safety logic.
IMPORTANT Due to complexity of application of encoder types and the many combinations, final system reliability calculation is the responsibility of the system designer.

Chapter 4 Controller-based Safety Functions

Use this chapter to become familiar with the GuardLogix® controller-based Drive Safety instructions and how they interact with the ArmorKinetix® system ERS5 DSD inverter and DSM motor/inverter.

Topic
- Drive Safety Instructions
- Pass-through Data
- SFX Instruction

Drive Safety Instructions

• See the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095, for more information on the Drive Safety instructions and TÜV Rheinland certification.
• See Safe Monitoring Solutions for Drives Application Note, publication SAFETY-AT175.
• See Knowledgebase article "How to scale the SFX instruction to meet the Motion/IO mode and safety configuration units".

The Drive Safety instructions are designed to work with the 2198-DSDxxx-ERS5 inverters and 2198-DSMxxx-ERS5 motor/inverter. They are available in the Studio 5000 Logix Designer® application, version 35.00 or later, under the Drive Safety tab when a Safety Task routine is active. Controller-based safety functions operate in GuardLogix 5580 or Compact GuardLogix 5380 controllers and use the EtherNet/IP™ network to communicate with the safety I/O. Drive Safety instructions use safety feedback, provided by ArmorKinetix modules in the Safety Task of the controller, to perform safe monitoring functions.
IMPORTANT Each machine axis used with safety functions must be verified each time a motor, drive, cable or encoder is installed or replaced to verify that the safety instruction operates as intended. See Appendix B Safety Function Validation Checklist.

Table 26 - Drive Safety Instructions
Safety Instruction - Description
- Safety Feedback Interface (SFX) - The SFX function scales feedback position into position units and feedback velocity into position units per time unit. SFX is used with other Drive Safety instructions. SFX also provides unwind for rotary applications and position homing.
- Safe Stop 1 (SS1) - The SS1 function monitors the motor deceleration rate within set limits during motor stopping and provides an indication to initiate safe torque-off (STO) function when the motor speed is below the specified limit.
- Safe Stop 2 (SS2) - The SS2 function monitors the motor deceleration rate within set limits during motor stopping and initiates the safe operating stop (SOS) function when the motor speed is below the specified limit.
- Safe Operational Stop (SOS) - The SOS function prevents the motor from deviating more than a defined amount from the stopped position.
- Safely Limited Speed (SLS) - The SLS function prevents the motor from exceeding the specified speed limit.
- Safely Limited Position (SLP) - The SLP function prevents the motor shaft from exceeding the specified position limits.
- Safe Direction (SDI) - The SDI function prevents the motor shaft from moving in the unintended direction.
- Safe Brake Control (SBC) - The SBC function provides safe output signals to control an external brake.
Figure 43 - Drive Safety Tab and Instructions (callouts: Drive Safety Instructions, Drive Safety Tab, Drive Safety Example)

Before Adding the Safety Instructions

Before adding Drive Safety instructions to your Studio 5000 Logix Designer application, you must perform the following:
1. Add the 2198-DSD-ERS5 distributed servo drive module to the I/O Configuration folder, set Safety Application as Networked, set Connection as either Motion and Safety or Safety Only and set Motion Safety Feedback as required for your application.
2. Configure drive module Motion Safety instance.
3. Add and configure an axis in the Motion Group. For help with these Studio 5000 Logix Designer configuration examples see the ArmorKinetix System User Manual, publication 2198-UM006.
4. Configure the Safety Actions in the axis property action tab.
5. Add Drive Safety instructions to your Safety Task safety program.

Drive Safety Instruction Example

Drive Safety instructions provide the following information. In this example, the Safely Limited Speed (SLS) instruction is shown.

Figure 44 - SLS Drive Safety Instruction (callouts: Configurable Inputs, Inputs, Pass Through, Outputs)

Table 27 - Drive Safety Instruction Definitions
Instruction Information - Description
- Configurable Inputs - Safety function parameters used to define how the safety function operates.
- Inputs
• Feedback SFX is the link to the SFX instruction for an axis.
• Request initiates the safe monitoring function.
• Reset initiates a safety instruction reset.
- Pass Through - Safety Output assembly object tags pass safety function status information from the Safety Task of the safety controller to the safety instance of the drive module. The status is made available to the motion controller.
- Outputs
• Fault Type is the instruction fault code that indicates the type of fault that occurred.
• Diagnostic Code provides additional details on the fault.
• O1 - Output 1 indicates the status of the instruction. When ON (1), it indicates that the input conditions are satisfied.
• RR - Reset Required indicates when a reset is needed to restart the instruction or to clear faults.
• FP - Fault Present indicates whether a fault is present in the instruction.

Pass-through Data

The Drive Safety instructions provide safety function monitoring in the Safety Task of the controller. Control of the drive is done in the motion programming within the Standard Task of the controller. For the motion program to receive status information from the Drive Safety instruction, tag data in the output assembly for the drive module (Safety Task) are passed to the drive and then to the corresponding tag in the axis structure (Standard Task). This is especially useful when the motion program is in a separate controller from the safety program that is in a safety controller. Figure 45 shows how this works for the SLS instruction.
IMPORTANT Pass-through data is for status information only and does not impact configured safety functions.
ATTENTION: Tags used for the safety pass through attributes of instructions should only be used once. Re-use of the pass through tag in other instructions can cause unintended operation. This may result in damage to equipment or personal injury.

Figure 45 - Pass Through Data Path
Table 28 - SLS Tag Information
Safety Output Assembly Tag - Axis Tag
- module:SO.SLSActive - Axis.SLSActiveStatus
- module:SO.SLSLimit - Axis.SLSLimitStatus
- module:SO.SLSFault - Axis.SLSFault
The words module and axis (italic) in these tag names represent the module and axis name assigned in the Studio 5000 Logix Designer application.

The following steps correspond to the activity in Figure 45.
1. The safety device reports a request to the safety zone, which initiates monitoring by the SLS instruction (Safety Task).
2. SLS Active status is passed to the motion program (Safety Task to Standard Task via the drive).
3. The motion program adjusts the speed of the drive to below the SLS Active Limit during the Check Delay (Standard Task).
4. If the drive speed exceeds the SLS Active Limit (Safety Task) during SLS monitoring, the SLS Limit output is set.
- Optionally, a stopping safety function can be initiated within the safety program.

SFX Instruction

The Safety Feedback Interface (SFX) instruction scales feedback position into position units and feedback velocity into speed units per unit of time. Feedback position and velocity are read from the safety input assembly and become inputs to the instruction. The SFX instruction also sets a reference position from a home input and performs position unwind in rotary applications.

The 2198-DSD-ERS5 module and 2198-DSM-ERS5 drive/motor module safe motion-monitoring drives provide safe position and velocity feedback. Up to SIL 3 PL e safety rating can be achieved by using dual feedback with velocity discrepancy checking. Up to SIL 2 PL d safety rating can be achieved by using single or dual feedback for functions that require position checking.

The outputs of the SFX instruction are used as inputs to other Drive Safety instructions.
For any safe motion-monitoring drive to execute a controller-based safety function, an SFX instruction is required. Although the SFX instruction is a safety instruction, it alone does not perform a safety function. In Figure 46, the SS1 instruction uses the Actual Speed output from the SFX instruction during execution of the SS1 safety function.

Figure 46 - SFX Instruction Feeds Data to SS1 Instruction (the ArmorKinetix -ERS5 module supplies Feedback Position in counts and Feedback Velocity in feedback units/second; the SFX instruction outputs Actual Position in position units and Actual Speed in position units/second or position units/minute)

SFX Instruction Example

In this SFX example, a VPL-B1152C-Q motor is used in the safety function. The motor has 4096 feedback counts per motor revolution and is scaled for position to have 4096 counts per motor revolution.

The SFX instruction scales feedback position units from the safety encoder/motor into position feedback units used in applicable safety instructions. It also scales feedback velocity units from the safety encoder/motor into position feedback units per time unit.

Scaling Setup

When configuring the SFX instruction, calculate the value for Position Scaling so that the Actual Position and Actual Speed output from the instruction matches the Actual Position and Actual Velocity in the motion controller. Values from Axis Properties>Scaling and Motion Safety>Primary Feedback are required to calculate the instruction input.

The Feedback Resolution is determined based on the feedback device and the Effective Resolution of the feedback. This information is configured on the Module Properties>Motion Safety>Primary Feedback category.

Figure 47 - Effective Resolution Parameter

The VPL-B1152C-Q motor is used in a rotary application where the unwind is set to rollover each motor revolution.
Therefore, the unwind of 4096 counts/rev was added in the SFX instruction appropriately.

Figure 48 - Scaling

Homing

Setting the Actual Position output to the Home Position input (homing) of the instruction is required if using a position-based drive safety instruction like Safely-limited Position (SLP). If a position-based drive safety instruction is not being used on an axis, homing the SFX instruction is not required.
IMPORTANT Homing as described here is for the safety position and is not related to axis homing on the Motion Redefine Position (MRP) instruction.

The data in the Primary Feedback category, Scaling category, and motor unwind value is used to populate the SFX instruction.

Figure 49 - SFX Instruction Example
- Position Scaling value from Figure 48.
- Feedback Resolution value from Figure 47.
- Unwind value as specified for the VPL-B1152C-Q rotary motor used in this example.
- Used only with position-based drive safety instructions. Refer to the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095.

See the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095, for more information on the Drive Safety instructions.

Chapter 5 Troubleshoot Safety Faults

This chapter provides troubleshooting tables and related information for ArmorKinetix® systems that include 2198-DSDxxx-ERS5 or 2198-DSMxxx-ERS5 modules.

Topic
- Safety Fault Names
- Understand Safety Faults

Safety Fault Names

The Motion Safety instance in the drive reports faults to the drive through the AxisSafetyFaults and AxisSafetyFaultsRA tags. Each bit in these tags indicates a specific fault. This information is used by the drive to log and display faults. The Studio 5000 Logix Designer® application displays axis faults and status.
When an axis is selected in the Controller Organizer, axis faults and status are displayed in the quick-view window.

Figure 50 - Axis Faults and Status

The safety faults named in Table 29 appear as Safety Faults when they occur. In addition, if any of these faults are present, a safety fault appears under the axis fault. Corresponding axis tags are set with any of the faults.

Table 29 - Safety Fault Names
Fault Name - Description
- SafetyCoreFault - Internal fault in the drive's safety processor
- STOFault - A fault was detected by the Safe Torque-off function
- SS1Fault (1) - A fault was detected by the Safe Stop 1 function
- SS2Fault - A fault was detected by the Safe Stop 2 function
- SOSFault - A fault was detected by the Safe Operating Stop function
- SBCFault - A fault was detected by the Safe Brake Control function
- SLSFault - A fault was detected by the Safely-limited Speed function
- SDIFault - A fault was detected by the Safe Direction function
- SLPFault - A fault was detected by the Safe Limited Position function
- SafetyFeedbackFault - The Safety processor has detected a problem with one or more of the safety feedback devices associated with the axis.
(1) The SS1 fault bit can be set because the SS1 fault was detected by the drive internal SS1 safety function (if it is configured), or by the connected safety controller. Read the SS1 Fault attribute from the drive to determine if the fault was generated by the drive or received from the safety controller.

Understand Safety Faults

To obtain more detailed information about any faults that are detected, most faults have a corresponding fault-type attribute. These attributes are read by using an MSG instruction in the ladder program to read the specific attribute information. Details of the various fault-type attributes are described in the following sections.
See Explicit Messages on page 19 for an example of using the MSG instruction to read status. See Motion Connection Axis Tags on page 95 for a list of attributes including fault information that can be read by using a MSG instruction.

Safety Core Fault

The Motion Safety instance has detected a non-recoverable fault or internal error. When this happens, the Motion Safety instance reboots itself and attempts to re-establish normal operation.

Safe Torque-off Fault

The safe torque-off (STO) function detected a fault. The safe stop function in the Motion Safety instance records the specific fault type in the attribute. Explicit messaging can be used to read the fault type information from the drive. For example, read the STO Fault Type attribute (Safe Stop Function [class code 0x5A], attribute ID 0x108). The drive immediately disables torque if an STO fault is detected.

Table 30 - Safe Torque-off Fault Type: MSG

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x5A | Safety stop functions |
| Instance | 1 or 2 | Drive-module safety instance associated with an axis |
| Attribute | 0x108 | STO fault type |
| Data Type | SINT | Short integer |

Table 31 - STO Fault Types

| STO Fault Type Value | STO Fault Type Name | Description |
|---|---|---|
| 0 | Reserved | Not used |
| 1 | No Fault | No Fault is present |
| 2 | Invalid Configuration | A safe stop function has been requested when it is not in the Ready state. |
| 3 | Circuit Error | Safety diagnostics have detected an error in the STO circuits. |

Safe Stop 1 Fault

The safe stop 1 (SS1) function detected a fault. The safe stop function in the Motion Safety instance records the specific fault type in the attribute. Explicit messaging can be used to read the fault type information from the drive. For example, read the SS1 Fault Type attribute (Safe Stop Function object [class code 0x5A], safety instance 1 or 2, attribute ID 0x11C).
The drive immediately disables torque, ignoring STO delay, if an SS1 fault is detected. If the SS1 Fault Type is reported as 1 (no fault), the SS1 fault was generated by the connected safety controller and reported to the drive over the safety connection.

Table 32 - SS1 Fault Types

| SS1 Fault Type Value | SS1 Fault Type Name | Description |
|---|---|---|
| 0 | Reserved | Not used |
| 1 | No Fault | No Fault is present |
| 2 | Invalid Configuration | The SS1 function has been requested when it has been configured as 'not used'. |
| 3 | Decel Rate error | Applies only when SS1 is configured for Monitored SS1 mode. The SS1 function has detected that the feedback speed is not decelerating as fast as expected. |
| 4 | Maximum Time exceeded | Applies only when SS1 is configured for Monitored SS1 mode. The SS1 function has detected that the device has not reached standstill speed within the maximum stopping time. |
| 100 | STO Request Received | An STO request was received during execution of the SS1 function. |
| 101 | Feedback Invalid | The Monitored SS1 function was requested when the associated safety feedback is not valid. |

SS2, SOS, SBC, SLS, SLP, and SDI Faults

The Motion Safety instance in the drive does not support the SS2, SOS, SBC, SLS, SLP, and SDI safe stop/safety limit functions. If the drive reports one of these faults, then the fault was detected by the safety controller and reported to the drive over the safety output connection. Additional information for these faults must be obtained from the safety controller associated with the drive. In addition, the safety controller is responsible for issuing a torque disable request.

Safety Feedback Faults

When configured for safety feedback, the Motion Safety instance performs periodic diagnostics to make sure that the feedback device is operating correctly. Explicit messaging can be used to read the fault type information from the drive.
For example, if an error is detected, the Safe Feedback object (class code 0x58) updates the Safe Feedback Fault Type attribute (attribute ID 0x09) with the reason for the fault.

A safety feedback fault does not immediately result in torque disable of the drive. A safety feedback fault only causes a torque disable under these two conditions:
• SS1 is configured for Monitored SS1 mode
• SS1 request is received from the safety controller

Table 33 - Safety Feedback Faults

| Safe Feedback Fault Type Value | Safe Feedback Fault Type Name | Description | Duplicated to Other Axis? |
|---|---|---|---|
| 0 | Reserved | Not used | – |
| 1 | No Fault | No Fault is present | – |
| 2 | Invalid Configuration | The DSL safety feedback diagnostics have detected that the actual resolution of the connected DSL feedback device does not match the configured resolution of the corresponding Motion Safety instance. | No |
| 5 | Sin² + Cos² Error | Analog signal diagnostics for Sin/Cos feedback have detected an error in the signal levels. This could indicate an open or short circuit in the Sin/Cos feedback wiring, or device failure. | Yes |
| 7 | Discrepancy Error | Safety Dual Channel Feedback has detected a discrepancy in the velocity reported by the two monitored feedback devices. | No |
| 8 | Partner Faulted | Safety Dual Channel Feedback has detected a safety feedback fault with the partner feedback device. | No |
| 9 | Supply Voltage Error | Safety diagnostics have detected that the power supply for the configured safety feedback device is out of range. This can indicate a problem in feedback wiring or internal failure of the drive circuits. | Yes |
| 11 | Feedback Signal Lost | The safety diagnostics for Sin/Cos feedback have detected loss of signal (below the minimum level) from the Sin/Cos encoder. This can indicate open or short circuit in the feedback device connection, or feedback device failure. | Yes |
| 12 | Feedback Data Loss | The safety diagnostics for DSL feedback have detected loss of data from the DSL encoder. This can indicate an open circuit in the feedback connections or feedback device failure. | No |
| 13 | Feedback Device Failure | • The safety diagnostics for Sin/Cos feedback have detected an internal error with the feedback interface. • The safety diagnostics for DSL feedback have detected an internal data error with the encoder. | Yes |
| 100 | Unsupported DSL Device | The safety diagnostics for DSL feedback have detected that the connected DSL feedback device is not supported by the drive. | No |
| 101 | DSL Unexpected UEI | The safety diagnostics for DSL feedback have detected that the device for one axis is connected to the other axis. Occurs only during startup or re-configuration. This applies to only dual-axis inverters. | Yes |
| 102 | DSL Position Comparison Failure | The safety diagnostics for DSL feedback have detected an error with the reported position from the DSL encoder. This can be an indication of encoder failure. | No |
| 103 | DSL Position Checksum Error | The safety diagnostics for DSL feedback have detected an error with the data received from the DSL encoder. This can indicate noise on the DSL signals or an encoder failure. | No |
| 104 | DSL Multi Implementation error | The safety diagnostics have detected that the feedback device for one axis is connected to the other axis. This applies to only dual-axis inverters. | Yes |
| 105 | DSL Test Message error | The safety diagnostics for DSL feedback have detected an error with the DSL encoder. This indicates an encoder failure. | No |
| 106 | DSL Power On Self-Test failure | The safety diagnostics for DSL feedback have detected that the DSL encoder did not complete its internal power-on self-test diagnostics. Repeated occurrence of this error likely indicates an encoder failure. | No |

Troubleshoot the Safety Function

Table 34 - Safe FLT Sxx Fault Codes

| Exception Code on Drive Display | Fault Message Logix Designer | Problem | Possible Solutions |
|---|---|---|---|
| SAFE FLT S01 - Safety Core Internal Fault | SafetyFault | Drive safety diagnostic detected internal STO design failure. | • Cycle control power • Return drive for repair if fault continues |
| SAFE FLT S02 - Safety Feedback Fault | SafetyFeedbackFault | Safety feedback has detected a fault. | Use explicit messages to read the fault reason from the primary feedback device. See Safety Feedback Attributes on page 100 for fault reasons. |
| SAFE FLT S03 - Safe Torque Off Fault | SafeTorqueOffFault (1) | Drive safety diagnostic detected internal STO design failure or hardwired input received while in integrated safety mode. | • Check the cause of the fault using a Safe Torque-off faults explicit message. Refer to Explicit Messages on page 21. • Execute STO function. • Return drive for repair if fault continues. |
| SAFE FLT S04 - Safe Stop 1 Fault | SS1Fault | SS1 safety function has detected a fault. | • If a controller-based SS1 function has faulted, check the SS1 controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix® Safety Application Instruction Set Reference Manual, publication 1756-RM095. • If the drive-based SS1 function has faulted, check attribute 284 (SS1 Fault Type) by using explicit messaging to the drive module safety instance operating the SS1 function. See Safe Stop Function Attributes on page 102. |
| SAFE FLT S05 - Safe Stop 2 Fault | SS2Fault | Controller-based SS2 instruction has detected a fault. | Check the controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. |
| SAFE FLT S06 - Safe Operating Stop Fault | SOSFault | Controller-based SOS instruction has detected a fault. | Check the controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. |
| SAFE FLT S07 - Safe Brake Fault | SBCFault | Controller-based SBC instruction has detected a fault. | Check the controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. |
| SAFE FLT S16 - Safe Speed Monitor Fault | SSMFault | Controller-based SSM instruction has detected a fault. | This fault is not used. Check your application program for correct tag values. |
| SAFE FLT S17 - Safe Limited Speed Fault | SLSFault | Controller-based SLS instruction has detected a fault. | Check the controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. |
| SAFE FLT S19 - Safe Limited Direction Fault | SDIFault | Controller-based SDI instruction has detected a fault. | Check the controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. |
| SAFE FLT S20 - Safe CAM Fault | SCAFault | Controller-based SCA instruction has detected a fault. | This fault is not used. Check your application program for correct tag values. |
| SAFE FLT S21 - Safe Limited Position Fault | SLPFault | Controller-based SLP instruction has detected a fault. | Check the controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. |

(1) Displayed in the Quick View Pane as Safety Fault.

Table 35 - Init FLT Invalid Safety Firmware Fault Code

| Exception Code on Drive Display | Fault Message Logix Designer | Problem | Possible Solutions |
|---|---|---|---|
| INIT FLT M14 - Safety Firmware | InvalidSafetyFirmwareFault (1) | Invalid safety firmware. | • Cycle control power. • Upgrade the drive firmware. • Call Technical Support. • Return drive for repair if fault continues. |

(1) Displayed in the Quick View Pane as Initialization Fault.

Table 36 - SAFE FLT SFX Fault Code

| Exception Code on Drive Display | Fault Message Logix Designer | Problem | Possible Solutions |
|---|---|---|---|
| SAFE FLT M01 - Safety Feedback Interface Fault | SFXFault | Controller-based SFX instruction has detected a fault. | Check the controller instruction fault code and diagnostic codes for more information in the controller help or the GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095. |

Safety Fault Reset

If the drive motion safety instance detects a fault, the input assembly tag module:SI.SafetyFault is set to 1. The associated axis.SafetyFault tag is also set to 1. The word module (italic) in these tag names represents the module name assigned in the Studio 5000 Logix Designer application.

A SafetyFault can result from the SS1 stopping function, STO function, safety feedback, or other safety diagnostics.

To clear (reset) the SafetyFault, the fault conditions must be removed first and then a transition from logic 0 to 1 of the module:SO.ResetRequest tag is required. It is only the 0 to 1 transition that clears the fault.

To clear an axis fault associated with a SafetyFault, first clear the SafetyFault from the safety task of your application, then clear the axis fault using the MAFR command from the motion application.

Faults after Download

Whenever an axis is configured with Hiperface DSL feedback and the motion connection is closed, a SafetyFeedbackFault is generated.

When a single controller is used for motion and safety connections, and Hiperface DSL is the configured feedback type, a SafetyFeedbackFault is generated after program download due to DSL feedback signal loss. To clear the SafetyFeedbackFault, first clear the fault and then use the MAFR command to clear the axis fault.

When separate controllers are used for motion and safety connections, a SafetyFeedbackFault is generated after program download to the controller that manages the motion connection.
IMPORTANT: Transition of the SO.STOOutput tag to logic 1 must always be executed prior to transition of the SO.ResetRequest tag to logic 1.

IMPORTANT: All ArmorKinetix inverter axes enter the faulted state if any STO function fault is detected. Refer to Table 34 on page 92 for integrated safety troubleshooting.

Refer to Figure 51 on page 94 for an understanding of the drive STO state restart function.

Figure 51 - Reset Safe Stop Fault Diagram
(Timing diagram, starting at the point where a safety fault occurs. Signals shown: Drv:SO.STOOutput, Drv:SO.ResetRequest, Drv:SI.TorqueDisabled, Drv:SI.SafetyFault, Drv:SI.RestartRequired, Axis.SafetyFault, Axis.SafeTorqueOffActiveInhibit, Axis.SafetyFaultStatus, Axis.SafetyResetRequestStatus, Axis.SafetyResetRequiredStatus, Axis.SafeTorqueOffActiveStatus, Axis.SafeTorqueDisabledStatus, Axis.SafeStopFault.)

Appendix A
Controller Tags and Safety Attributes

Controller axis tags are used by the motion controller motion task to read the status of safety functions and coordinate motion. This appendix lists the motion controller tags that are associated with the safety instances and with safety functions operating in the safety task of the controller.

Topics in this appendix:
• Motion Connection Axis Tags
• Safety Assembly Tags
• Safety Feedback Attributes
• Safe Stop Function Attributes
• Dual Channel Feedback Attributes

Safety attributes provide additional information not available through the tag structure. Attributes are read using explicit messages.

IMPORTANT: The controller axis tags and the safety attributes read by using explicit messages must not be used in the operation of a safety function.
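The explicit-message read used for fault diagnosis in Chapter 5, as an added example that is not part of the Rockwell manual: it builds the CIP Get_Attribute_Single request for the three fault-type attributes the page names (STO 0x5A/0x108, SS1 0x5A/0x11C, Safe Feedback 0x58/0x09) and decodes the reply for read-only troubleshooting. The function names and the sample reply bytes are constructed for illustration, transport framing (session, routing) is left out, and the one-byte reply size is stated on the page only for the STO Fault Type and is assumed for the other two.

```python
import struct

GET_ATTRIBUTE_SINGLE = 0x0E  # MSG service code from Table 30

# Axis tag -> (bit in Axis.AxisSafetyFaults, class code, attribute ID, fault type names).
# Bit numbers, class codes, attribute IDs and names are the ones given on the page.
FAULT_TYPE_ATTRS = {
    "SafetyFeedbackFault": (2, 0x58, 0x09, {
        0: "Reserved", 1: "No Fault", 2: "Invalid Configuration",
        5: "Sin2 + Cos2 Error", 7: "Discrepancy Error", 8: "Partner Faulted",
        9: "Supply Voltage Error", 11: "Feedback Signal Lost",
        12: "Feedback Data Loss", 13: "Feedback Device Failure",
        100: "Unsupported DSL Device", 101: "DSL Unexpected UEI",
        102: "DSL Position Comparison Failure", 103: "DSL Position Checksum Error",
        104: "DSL Multi Implementation error", 105: "DSL Test Message error",
        106: "DSL Power On Self-Test failure"}),
    "SafeTorqueOffFault": (3, 0x5A, 0x108, {
        0: "Reserved", 1: "No Fault", 2: "Invalid Configuration", 3: "Circuit Error"}),
    "SS1Fault": (4, 0x5A, 0x11C, {
        0: "Reserved", 1: "No Fault", 2: "Invalid Configuration", 3: "Decel Rate error",
        4: "Maximum Time exceeded", 100: "STO Request Received", 101: "Feedback Invalid"}),
}


def epath_segment(seg_type, value):
    """Encode one CIP logical segment (0x20 class, 0x24 instance, 0x30 attribute)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("logical segment value must fit in 16 bits")
    if value <= 0xFF:
        return bytes([seg_type, value])  # 8-bit form
    # 16-bit form (needed for 0x108 and 0x11C): format bit, pad byte, little-endian value
    return bytes([seg_type | 0x01, 0x00]) + struct.pack("<H", value)


def build_get_attribute_single(class_code, instance, attribute):
    """Return the Message Router request: service, path size in words, EPATH."""
    path = (epath_segment(0x20, class_code) + epath_segment(0x24, instance)
            + epath_segment(0x30, attribute))
    return bytes([GET_ATTRIBUTE_SINGLE, len(path) // 2]) + path


def parse_fault_type_reply(reply):
    """Return the one-byte fault type from a Get_Attribute_Single reply."""
    if len(reply) < 4:
        raise ValueError("reply shorter than the 4-byte reply header")
    service, _reserved, status, ext_words = reply[:4]
    if service != (GET_ATTRIBUTE_SINGLE | 0x80):
        raise ValueError("not a Get_Attribute_Single reply")
    if status != 0:
        raise RuntimeError(f"CIP general status 0x{status:02X}")
    data = reply[4 + 2 * ext_words:]  # skip any additional status words
    if len(data) != 1:
        raise ValueError("expected exactly one data byte")
    return data[0]


def pending_reads(axis_safety_faults, instance=1):
    """Map each set drive-based fault bit to the request that reads its fault type.

    Assumption: the same instance number is used for both objects.
    """
    return {
        tag: build_get_attribute_single(cls, instance, attr)
        for tag, (bit, cls, attr, _names) in FAULT_TYPE_ATTRS.items()
        if (axis_safety_faults >> bit) & 1
    }


def describe(tag, value):
    """Translate a fault type value into the name used in Tables 31 to 33."""
    text = FAULT_TYPE_ATTRS[tag][3].get(value, f"Unknown ({value})")
    if tag == "SS1Fault" and value == 1:
        # Per the page: type 1 with the SS1 fault bit set means the fault
        # was generated by the connected safety controller, not the drive.
        text += " (fault reported by the safety controller)"
    return text


if __name__ == "__main__":
    # Constructed sample: AxisSafetyFaults with bits 3 (STO) and 4 (SS1) set.
    for tag, request in pending_reads(0b11000).items():
        print(tag, request.hex(" "))
    # Constructed reply: success status, no additional status, data byte 3.
    value = parse_fault_type_reply(bytes.fromhex("8e00000003"))
    print(describe("SafeTorqueOffFault", value))
```

Attribute IDs above 0xFF, such as 0x108 and 0x11C, do not fit the 8-bit attribute segment, which is why the request path for the Safe Stop Function attributes is one word longer than the path for Safe Feedback attribute 0x09.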
Motion Connection Axis Tags

This table provides motion-connection axis tag names that are updated to show safety instance status or controller-based safety function status. The words module, instance, and axis (italic) in these tag names represent the module, instance, and axis name assigned in the Studio 5000 Logix Designer® application.

Table 37 - Motion Connection Axis Tags

| Axis Tag Name (motion controller) | Motion Connection Attribute Number | Data Type | Description | Safety Output Assembly Tag Name (safety controller) |
|---|---|---|---|---|
| Axis.AxisSafetyState | 760 | DINT | Drive module Safety Supervisor state. See the Safety Supervisor State on page 19 for more details. | None |
| Axis.AxisSafetyDataA | 986 | DINT | 32-bit data container holding general purpose safety-data passed from the safety controller. | module:SO:PassThruDataA |
| Axis.AxisSafetyDataB | 987 | DINT | 32-bit data container holding general purpose safety-data passed from the safety controller. | module:SO:PassThruDataB |
| Axis.AxisSafetyStatus | 761 | DINT | Collection of bits indicating the status of the standard safety functions for the axis as reported by Drive Safety Instance. | See individual bits below. |
| Axis.SafetyFaultStatus | [0] | BOOL | Any Safe Stop Fault occurring in the Safety Instance. 0 = Not Faulted; 1 = Safety Fault | None |
| Axis.SafetyResetRequestStatus | [1] | BOOL | Indicates the state of the reset request output from the safety controller (in the safety output assembly) connected with the drive safety instance. This is the reset input to the safety instance in the drive module. 0 = Reset Request OFF; 1 = Reset Request ON | module:SO.ResetRequest |
| Axis.SafetyResetRequiredStatus | [2] | BOOL | Indicates that the drive-module safety instance associated with this Axis requires a reset of the safety function. 0 = Normal; 1 = Reset Required | None |
| Axis.SafeTorqueOffActiveStatus | [3] | BOOL | Indicates the state of the STO output from the safety controller, which is the STO input to the drive-module safety instance associated with this axis. 0 = STO Output Is active; 1 = STO is not active, STO is not requested | module:SO.STOOutput |
| Axis.SafeTorqueDisabledStatus | [4] | BOOL | Indicates the drive-module safety instance Torque Disabled Status. 0 = Axis power structure is not inhibited by the safety instance; 1 = Axis power structure is inhibited | None |
| Axis.SBCActiveStatus | [5] | BOOL | Indicates that the SBC function is active and the sequence to set the Safety Brake has started. This function is only available as a controller-based function. 0 = SBC Function is not Active; 1 = SBC Function is Active | module:SO.SBCActive |
| Axis.SBCEngagedStatus | [6] | BOOL | Indicates that the External Safety Brake is engaged by the controller-based SBC function. 0 = Brake is Engaged; 1 = Brake is Released | module:SO.SBCBrakeEngaged |
| Axis.SS1ActiveStatus | [7] | BOOL | Indicates that the controller-based or the drive-based SS1 function is active. 0 = SS1 Function is not Active; 1 = SS1 Function is Active | module:SO.SSActive |
| Axis.SS2ActiveStatus | [8] | BOOL | Indicates that the controller-based SS2 function is active. 0 = SS2 Function is not Active; 1 = SS2 Function is Active | module:SO.SSActive |
| Axis.SOSActiveStatus | [9] | BOOL | Indicates that the controller-based SOS function is active. 0 = SOS Function is not Active; 1 = SOS Function is Active | module:SO.SOSActive |
| Axis.SOSStandstillStatus | [10] | BOOL | Indicates that the controller-based SOS function has detected standstill according to the function configuration. 0 = monitored axis is not at Standstill; 1 = monitored axis is at standstill | module:SO.SOSLimit |
| Axis.SMTActiveStatus | [11] | BOOL | Always 0. This function is not available. | None |
| Axis.SMTOvertemperatureStatus | [12] | BOOL | Always 0. This function is not available. | None |
| Axis.SSMActiveStatus | [16] | BOOL | For use with a controller-based SSM function. | module:SO.SSMActive |
| Axis.SSMStatus | [17] | BOOL | For use with a controller-based SSM function. | module:SO.SSMStatus |
| Axis.SLSActiveStatus | [18] | BOOL | Indicates that the controller-based SLS function is active. 0 = SLS Function is not Active; 1 = SLS Function is Active | module:SO.SLSActive |
| Axis.SLSLimitStatus | [19] | BOOL | Indicates that the controller-based SLS function has detected the monitored axis speed above the limit set-point. 0 = axis is below set-point speed; 1 = axis is greater than or equal to the set-point speed | module:SO.SLSILimit |
| Axis.SLAActiveStatus | [20] | BOOL | Always 0. This function is not available. | None |
| Axis.SLALimitStatus | [21] | BOOL | Always 0. This function is not available. | None |
| Axis.SDIActiveStatus | [22] | BOOL | Indicates that the controller-based SDI function is active. 0 = SDI Function is not Active; 1 = SDI Function is Active | module:SO.SDIActive |
| Axis.SDILimitStatus | [23] | BOOL | Indicates that the controller-based SDI function detected motion greater than the limit in the unintended direction. 0 = Limit not reached; 1 = Unintended motion | module:SO.SDILimit |
| Axis.SafePositiveMotionStatus | [24] | BOOL | Always 0. This function is not available. | None |
| Axis.SafeNegativeMotionStatus | [25] | BOOL | Always 0. This function is not available. | None |
| Axis.SCAActiveStatus | [26] | BOOL | For use with a controller-based SCA function. | module:SO.SCAActive |
| Axis.SCAStatus | [27] | BOOL | For use with a controller-based SCA function. | module:SO.SCAStatus |
| Axis.SLPActiveStatus | [28] | BOOL | Indicates that the controller-based SLP function is active. 0 = SLP Function is not Active; 1 = SLP Function is Active | module:SO.SLPActive |
| Axis.SLPLimitStatus | [29] | BOOL | Indicates that the controller-based SLP function has detected the monitored axis position outside of the set-point limits. 0 = axis position is within the limits; 1 = axis position is outside of the limits | module:SO.SLPLimit |
| Axis.SafetyOutputConnectionClosedStatus | [30] | BOOL | Indicates the safety connection status from the controller to the drive module. 0 = connection open; 1 = connection closed | None |
| Axis.SafetyOutputConnectionIdleStatus | [31] | BOOL | Indicates the safety connection status from the controller to the drive module. 0 = connection active; 1 = connection idle | None |
| Axis.AxisSafetyStatusRA | 762 | DINT | Collection of bits indicating the status of Rockwell Automation specific safety functions for the axis as reported by Drive Safety Instance. | See individual bits below. |
| Axis.SafeBrakeIntegrityStatus | [0] | BOOL | Status of an external safety brake controlled by SBC instruction. The brake status, released or engaged, is undetermined. 0 = SBC fault; 1 = No faults detected | module:SO.SBCIntegrity |
| Axis.SafeFeedbackHomedStatus | [1] | BOOL | Status of the controller-based SFX position homing function. | module:SO.SFHome |
| Axis.AxisSafetyFaults | 763 | DINT | Collection of bits indicating the Safety Fault status of the drive-module safety instances and integrated safety functions. | See individual bits below. |
| Axis.SafetyCoreFault | [0] | BOOL | Indicates an internal fault occurred within the drive-module safety instance. 0 = Normal Operation; 1 = Fault | None (use explicit message) |
| Axis.SafetyFeedbackFault | [2] | BOOL | Indicates a fault occurred with the safety feedback or with the safety dual-channel feedback. 0 = Normal Operation; 1 = Fault | None (use explicit message) |
| Axis.SafeTorqueOffFault | [3] | BOOL | Indicates a fault occurred within the STO function of the drive-module safety instance. 0 = Normal Operation; 1 = Fault | None (use explicit message) |
| Axis.SS1Fault | [4] | BOOL | Indicates that a fault occurred with the drive-based or a controller-based SS1 function. 0 = Normal Operation; 1 = Fault | module:SO.SSFault |
| Axis.SS2Fault | [5] | BOOL | Indicates that a fault occurred with the drive-based SS2 function. 0 = Normal Operation; 1 = Fault | module:SO.SSFault |
| Axis.SOSFault | [6] | BOOL | Indicates that a fault occurred with the drive-based SOS function. 0 = Normal Operation; 1 = Fault | module:SO.SOSFault |
| Axis.SBCFault | [7] | BOOL | Indicates that a fault occurred with the controller-based SS2 function. 0 = Normal Operation; 1 = Fault | module:SO.SBCFault |
| Axis.SMTFault | [8] | BOOL | Always 0. This function is not available. | – |
| Axis.SSMFault | [16] | BOOL | Controller-based SSM fault. 0 = Normal Operation; 1 = Fault | module:SO.SSMFault |
| Axis.SLSFault | [17] | BOOL | Controller-based SLS fault. 0 = Normal Operation; 1 = Fault | module:SO.SLSFault |
| Axis.SLAFault | [18] | BOOL | Always 0. This function is not available. | – |
| Axis.SDIFault | [19] | BOOL | Controller-based SDI fault. 0 = Normal Operation; 1 = Fault | module:SO.SDIFault |
| Axis.SCAFault | [20] | BOOL | Controller-based SCA fault. 0 = Normal Operation; 1 = Fault | module:SO.SCAFault |
| Axis.SLPFault | [21] | BOOL | Controller-based SLP fault. 0 = Normal Operation; 1 = Fault | module:SO.SLPFault |
| Axis.SafetyValidatorFault | [30] | BOOL | Always 0. This function is not available. | – |
| Axis.SafetyUNIDFault | [31] | BOOL | Always 0. This function is not available. | – |
| Axis.AxisSafetyFaultsRA | 764 | DINT | Collection of bits indicating the safety fault status of Rockwell Automation safety functions. | See individual bits below. |
| Axis.SFXFault | [1] | BOOL | Controller-based SFX fault. 0 = Normal Operation; 1 = Fault | module:SO.SFXFault |
| Axis.AxisSafetyAlarms | 753 | DINT | Reserved for future use. | – |

Safety Assembly Tags

Safety assembly tags are associated with a safety connection from a safety controller to a drive module. The data in these tags are communicated at the configured connection rate.

The word module (italic) in these tag names represents the module name assigned in the Studio 5000 Logix Designer application.

Data from the drive module to the safety controller is in the safety input assembly. Data from the safety controller to the drive module is in the safety output assembly.

Table 38 - Safety Input Assembly Tags

| Safety Input Assembly Tag Name (input to safety controller) | Type/[bit] | Description |
|---|---|---|
| module:SI.ConnectionStatus | SINT | Collection of bits listed below. |
| module:SI.RunMode | [0] | Safety Connection. 0 = Idle; 1 = Run |
| module:SI.ConnectionFaulted | [1] | Safety Connection. 0 = Normal; 1 = Faulted |
| module:SI.FeedbackPosition | DINT | Primary Feedback Position from drive-module safety instance. Value is in feedback counts. |
| module:SI.FeedbackVelocity | REAL | Primary Feedback Velocity from drive-module safety instance. Value is in revolutions/second. |
| module:SI.SecondaryFeedbackPosition | DINT | Secondary Feedback Position from drive-module safety instance. Value is in position counts. |
| module:SI.SecondaryFeedbackVelocity | REAL | Secondary Feedback Velocity from drive-module safety instance. Value is in revolutions/second. |
| module:SI.StopStatus | SINT | Collection of bits listed below. |
| module:SI.STOActive | [0] | Indicates STO function status. 0 = STO function not active; 1 = STO function active |
| module:SI.SBCActive | [1] | Always 0 |
| module:SI.SS1Active | [2] | Indicates drive-based SS1 active status. 0 = SS1 function not active; 1 = SS1 function active |
| module:SI.SS2Active | [3] | Always 0 |
| module:SI.SOSStandstill | [4] | Always 0 |
| module:SI.SafetyFault | [6] | 1 = Safe Stop Fault present |
| module:SI.RestartRequired | [7] | 1 = Reset is required |
| module:SI.SafeStatus | SINT | Collection of bits listed below. |
| module:SI.TorqueDisabled | [0] | 0 = Torque Permitted; 1 = Torque Disabled |
| module:SI.BrakeEngaged | [1] | Always 0 |
| module:SI.MotionStatus | SINT | Collection of bits listed below. |
| module:SI.MotionPositive | [0] | 0 = no positive motion; 1 = motion in positive direction |
| module:SI.MotionNegative | [1] | 0 = no negative motion; 1 = motion in negative direction |
| module:SI.FunctionSupport | SINT | Collection of bits listed below. |
| module:SI.PrimaryFeedbackValid | [0] | 0 = Primary Feedback not configured or Faulted; 1 = Primary Feedback Value is valid |
| module:SI.SecondaryFeedbackValid | [1] | Collection of bits listed below. |
| module:SI.DiscrepancyCheckingActive | [2] | 1 = Feedback Velocity Discrepancy checking is active |
| module:SI.SBCReady | [3] | Always 0 |
| module:SI.SS1Ready | [4] | 0 = Drive-based SS1 function is not configured or faulted; 1 = Drive-based SS1 function is configured and ready for operation |
| module:SI.SS2Ready | [5] | Always 0 |
| module:SI.SOSReady | [6] | Always 0 |

Table 39 - Safety Output Assembly Tags

| Safety Output Assembly Tag Name (output to safety controller) | Type/[bit] | Description |
|---|---|---|
| module:SO.PassThruDataA | DINT | 32-bit data container holding general purpose safety data passed from the safety controller. |
| module:SO.PassThruDataB | DINT | 32-bit data container holding general purpose safety data passed from the safety controller. |
| module:SO.PassThruStopStatus | SINT | Collection of Safe Stop Function Status bits. |
| module:SO.SBCIntegrity | [0] | Status of an external Safety Brake controlled by SBC function. 0 = SBC fault. The brake status, released or engaged, is undetermined. 1 = No faults detected. |
| module:SO.SBCActive | [1] | Indicates that the SBC function is active and the sequence to set the Safety Brake has started. This function is only available as a controller-based function. 0 = SBC Function is not Active; 1 = SBC Function is Active |
| module:SO.SBCBrakeEngaged | [2] | Indicates that the External Safety Brake is engaged by the controller-based SBC function. 0 = Brake is Engaged; 1 = Brake is Released |
| module:SO.SS1Active | [3] | Indicates that the controller-based SS1 function is active. 0 = SS1 Function is not Active; 1 = SS1 Function is Active |
| module:SO.SS2Active | [4] | Indicates that the controller-based SS2 function is active. 0 = SS2 Function is not Active; 1 = SS2 Function is Active |
| module:SO.SOSActive | [5] | Indicates that the controller-based SOS function is active. 0 = SOS Function is not Active; 1 = SOS Function is Active |
| module:SO.SOSStandstill | [6] | Indicates that the controller-based SOS function has detected Standstill according to the function configuration. 0 = Monitored axis is not at Standstill; 1 = Monitored axis is at Standstill |
| module:SO.PassThruSpeedLimitStatus | SINT | Collection of Limit Function Status bits. |
| module:SO.SLSActive | [2] | Indicates that the controller-based SLS function is active. 0 = SLS Function is not active; 1 = SLS Function is active |
| module:SO.SLSLimit | [3] | Indicates that the controller-based SLS function has detected the monitored axis speed above the limit set-point. 0 = axis is below set-point speed; 1 = axis is greater than or equal to the set-point speed |
| module:SO.SDIActive | [6] | Indicates that the controller-based SDI function is active. 0 = SDI Function is not active; 1 = SDI Function is active |
| module:SO.SDILimit | [7] | Indicates that the controller-based SDI function detected motion greater than the limit in the unintended direction. 0 = Limit not reached; 1 = Unintended motion |
| module:SO.PassThruPositionLimitStatus | SINT | Collection of bits indicating the Monitoring Function Limit status of controller-based functions. The bits are listed below. |
| module:SO.SLPActive | [2] | Indicates that the controller-based SLP function is active. 0 = SLP Function is not active; 1 = SLP Function is active |
| module:SO.SLPLimit | [3] | Indicates that the controller-based SLP function has detected the monitored axis position outside of the set-point limits. 0 = axis position is within the limits; 1 = axis position is outside of the limits |
| module:SO.SFHomed | [7] | Status of the controller-based SFX position homing function. 1 = SFX Homed |
| module:SO.PassThruStopFaults | SINT | Collection of bits indicating the Safety Fault status of controller-based safety functions. The bits are listed below. |
| module:SO.SFXFault | [0] | Indicates that a fault occurred with the controller-based SFX function. 0 = Normal Operation; 1 = Fault |
| module:SO.SBCFault | [1] | Indicates that a fault occurred with the controller-based SBC function. 0 = Normal Operation; 1 = Fault |
| module:SO.SS1Fault | [2] | Indicates that a fault occurred with the controller-based SS1 function. 0 = Normal Operation; 1 = Fault |
| module:SO.SS2Fault | [3] | Indicates that a fault occurred with the controller-based SS2 function. 0 = Normal Operation; 1 = Fault |
| module:SO.SOSFault | [4] | Indicates that a fault occurred with the controller-based SOS function. 0 = Normal Operation; 1 = Fault |
| module:SO.PassThruLimitFaults | SINT | Collection of bits indicating the Safety Fault status of controller-based safety functions. The bits are listed below. |
| module:SO.SLSFault | [1] | Controller-based SLS fault. 0 = Normal Operation; 1 = Fault |
| module:SO.SDIFault | [2] | Controller-based SDI fault. 0 = Normal Operation; 1 = Fault |
| module:SO.SLPFault | [4] | Controller-based SLP fault. 0 = Normal Operation; 1 = Fault |
| module:SO.SafetyStopFunctions | SINT | A collection of bits used to activate (request) safety functions as listed below. |
| module:SO.STOOutput | [0] | 0 = Activate STO Function; 1 = Permit Torque |
| module:SO.SBCOutput | [1] | Drive-based function not available. |
| module:SO.SS1Request | [2] | 0 = Remove SS1 Request; 1 = Activate Drive-based SS1 Function |
| module:SO.SS2Request | [3] | Drive-based function not available. |
| module:SO.SOSRequest | [4] | Drive-based function not available. |
| module:SO.ResetRequest | [7] | 0 -> 1 transition resets drive-based Safe Stop function. |

Safety Feedback Attributes

Safety feedback attributes provide configuration and status information for safety feedback. Single-axis drives (inverters) have two safety feedback instances.

Safety feedback attributes provide status and configuration data. All attributes can be read by using explicit messages. Attributes that can be written are indicated in Table 41. Configuration attributes can only be read using explicit messages.

Table 40 - Safety Feedback Instance Numbers

| Safety Feedback Instance | ArmorKinetix DSD/DSM | Motion Safety Category | Feedback |
|---|---|---|---|
| 1 | Single-axis inverters | Motion Safety | DSL Hiperface |
| 2 | Single-axis inverters | Motion Safety | Sin/Cos or Hiperface |

Table 41 - Safety Feedback Attributes (Class 0x58)

| Attribute ID Decimal (Hex) | Attribute Name | Attribute Description | Values |
|---|---|---|---|
| 1 (0x1) | Velocity Data Type | Determines the data type of feedback velocity and feedback acceleration and all related attributes. | 1 = REAL (hard-coded) |
| 2 (0x2) | Feedback Position | Actual position of the feedback device. | Feedback Counts. Safety data with a safe value defined by Position Safe State Behavior. |
| 3 (0x3) | Feedback Velocity | Actual velocity of the feedback device. | Feedback Units/s. Safety data with a safe value defined by Velocity Safe State Behavior. |
| 4 (0x4) | Feedback Acceleration | Actual acceleration of the feedback device. | Feedback Units/s². Safety data with a safety state of 0. |
| 5 (0x5) | Feedback Mode | Motion Feedback mode. | 0 = Not Used (default); 1 = Used |
| 8 (0x8) | Feedback Fault | Status of this motion feedback channel. | 0 = No Fault; 1 = Faulted |
| 9 (0x9) | Feedback Fault Reason | Determines cause of the fault detected. | 0 = Reserved; 1 = No Fault; 2 = Invalid Configuration; 3 = Exceeded Max Speed; 4 = Exceeded Max Acceleration; 5 = Sin²+Cos² Error; 6 = Quadrature Error; 7 = Discrepancy Error; 8 = Partner Faulted; 9 = Supply Voltage Error; 10 = Feedback Signal Noise; 11 = Feedback Signal Lost; 12 = Feedback Data Loss; 13 = Feedback Device Failure; 100 = DSL ECN Mismatch; 101 = DSL Unexpected UEI; 102 = DSL Position Comparison Failure; 103 = DSL Position Checksum Failure; 104 = DSL Multi-Axis FPGA Failure; 105 = DSL Test Message Failure; 106 = DSL Power-on Self-test Failure |
| 10 (0xA) | Reset Feedback Fault | Resets a motion feedback fault (read/write access). | 0 to 1 transition required to reset |

Table 41 - Safety Feedback Attributes (Class 0x58) (Continued)

| Attribute ID Decimal (Hex) | Attribute Name | Attribute Description | Values |
|---|---|---|---|
| 11 (0xB) | Position Safe State Behavior | Defines behavior for value reporting when faulted. | 2 = Hold Last Value |
| 13 (0xD) | Velocity Safe State Behavior | Defines behavior for value reporting when faulted. | 0 = Use Velocity Safe State Value (default) |
| 14 (0xE) | Velocity Safe State Value | Safe Velocity Feedback and Acceleration Feedback value. | Default = 0 |
| 15 (0xF) | Feedback Resolution Unit | Unit of measure for feedback resolution used by Feedback Cycle Resolution attribute. | Default = 0 |

16 (0x10) 17 (0x11) 18 (0x12) 19 (0x13) 20 (0x14) 22 (0x16) 31 (0x1F) 32 (0x20) 33 (0x21) 110 (0x6E)
Feedback Unit Unit of measure for the feedback device. 0 = Rev (default) 0 = Not Specified (default) 2 = Sine/Cosine Feedback Type Identifies the type of feedback device. 3 = Hiperface 7 = Hiperface DSL Feedback polarity of Normal provides increasing position values when the feedback device is moved in position according to the encoder 0 = Normal (default) Feedback Polarity manufacture specifications. For feedback devices internal to Allen1 = Inverted Bradley® motors, the Normal direction is clockwise rotation of the shaft when facing the end of the motor shaft. is the number of feedback cycles per revolution of the encoder. For a 0 = Default Feedback Cycle Resolution This Sin/Cos encoder, this is the number of sinusoidal cycles per revolution. Counts/Cycle Feedback Cycle This value is the number of feedback counts per feedback cycle. This value Default = 0 interpolation is always 4 for sin/cos or incremental encoders and 1 for DSL encoders. 4 for Feedback Type=2/3/4 Otherwise 1 A moving average filter is applied to velocity that is provided by the Motion Safety instance of the drive. This parameter specifies the window of time 0 = Disable Averaging (default) Velocity Average Time where the average is taken. Feedback velocity is provided as a REAL data 1 to 65565 ms type. Indicates positive motion according to the direction and Standstill Speed 0 = No Positive Motion Motion Positive attribute. 1 = Positive Motion Indicates negative motion according to the direction and Standstill Speed 0 = No Negative Motion Motion Negative attribute. 1 = Negative Motion Feedback Units/s Standstill Speed Defines the speed below which motion is considered stopped. Default = 0 Safety Feedback object is supported, configured, not faulted and is Safety Feedback Data Invalid Feedback Valid currently producing valid safety feedback data from a connected feedback 01 ==Safety Feedback Data Valid device. 
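Added example, not part of the Rockwell manual: a Python consistency audit of one Safety Feedback instance as read back by explicit message from Class 0x58. Attribute IDs and value codes are those in Table 41; the snapshot values, all function and constant names, and the cross-checks themselves are assumptions derived from the attribute descriptions.

```python
# Added example: consistency audit of one Safety Feedback instance (Class 0x58).
# Attribute IDs and value codes are the ones listed in Table 41. The snapshot
# dicts, all names below and the cross-checks are constructed for illustration.

FAULT_REASON = {
    0: "Reserved", 1: "No Fault", 2: "Invalid Configuration",
    3: "Exceeded Max Speed", 4: "Exceeded Max Acceleration",
    5: "Sin²+Cos² Error", 6: "Quadrature Error", 7: "Discrepancy Error",
    8: "Partner Faulted", 9: "Supply Voltage Error",
    10: "Feedback Signal Noise", 11: "Feedback Signal Lost",
    12: "Feedback Data Loss", 13: "Feedback Device Failure",
    100: "DSL ECN Mismatch", 101: "DSL Unexpected UEI",
    102: "DSL Position Comparison Failure",
    103: "DSL Position Checksum Failure",
    104: "DSL Multi-Axis FPGA Failure", 105: "DSL Test Message Failure",
    106: "DSL Power-on Self-test Failure",
}
FEEDBACK_TYPE = {0: "Not Specified", 2: "Sine/Cosine",
                 3: "Hiperface", 7: "Hiperface DSL"}

# Decimal attribute IDs from Table 41.
VELOCITY, MODE, FAULT, REASON = 3, 5, 8, 9
VEL_SAFE_BEHAVIOR, VEL_SAFE_VALUE = 13, 14
FB_TYPE, CYCLE_RES, CYCLE_INTERP = 17, 19, 20
MOTION_POS, MOTION_NEG, VALID = 31, 32, 110


def expected_interpolation(feedback_type):
    """Table 41: 4 counts/cycle for Feedback Type 2/3/4, otherwise 1."""
    return 4 if feedback_type in (2, 3, 4) else 1


def audit_feedback(snap):
    """Return (summary, findings) for a {attribute_id: value} snapshot."""
    findings = []
    fault, reason = snap[FAULT], snap[REASON]
    if reason not in FAULT_REASON:
        findings.append(f"Fault Reason {reason} is not a listed code")
    # Feedback Fault (8) and Feedback Fault Reason (9) must agree.
    if fault == 1 and reason in (0, 1):
        findings.append("Feedback Fault = 1 but Fault Reason names no cause")
    if fault == 0 and reason >= 2:
        findings.append("Feedback Fault = 0 but Fault Reason names a cause")
    # Feedback Valid (110) is described as configured and not faulted.
    if snap[VALID] == 1 and fault == 1:
        findings.append("Feedback Valid = 1 while Feedback Fault = 1")
    # Behavior 0 means a faulted channel reports Velocity Safe State Value.
    if (fault == 1 and snap[VEL_SAFE_BEHAVIOR] == 0
            and snap[VELOCITY] != snap[VEL_SAFE_VALUE]):
        findings.append("Faulted channel velocity is not the safe-state value")
    # Encoder settings are only checked on a channel that is in use (Mode = 1).
    if snap[MODE] == 1:
        want = expected_interpolation(snap[FB_TYPE])
        if snap[CYCLE_INTERP] != want:
            findings.append(
                f"Cycle Interpolation {snap[CYCLE_INTERP]} but Feedback Type "
                f"{snap[FB_TYPE]} calls for {want}")
    # Assumption: both direction flags set at the same time is contradictory.
    if snap[MOTION_POS] == 1 and snap[MOTION_NEG] == 1:
        findings.append("Motion Positive and Motion Negative are both set")
    summary = {
        "fault_reason": FAULT_REASON.get(reason, "unlisted"),
        "feedback_type": FEEDBACK_TYPE.get(snap[FB_TYPE], "unlisted"),
        # cycles/rev (attr 19) x counts/cycle (attr 20), with Feedback Unit = Rev
        "counts_per_rev": snap[CYCLE_RES] * snap[CYCLE_INTERP],
    }
    return summary, findings


# Constructed snapshots, shaped like explicit-message read-backs.
HEALTHY_DSL = {VELOCITY: 1.5, MODE: 1, FAULT: 0, REASON: 1,
               VEL_SAFE_BEHAVIOR: 0, VEL_SAFE_VALUE: 0.0, FB_TYPE: 7,
               CYCLE_RES: 262144, CYCLE_INTERP: 1,
               MOTION_POS: 1, MOTION_NEG: 0, VALID: 1}
SUSPECT_SINCOS = {VELOCITY: 12.5, MODE: 1, FAULT: 1, REASON: 11,
                  VEL_SAFE_BEHAVIOR: 0, VEL_SAFE_VALUE: 0.0, FB_TYPE: 2,
                  CYCLE_RES: 1024, CYCLE_INTERP: 1,
                  MOTION_POS: 1, MOTION_NEG: 0, VALID: 1}

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY_DSL), ("suspect", SUSPECT_SINCOS)):
        summary, findings = audit_feedback(snap)
        print(name, summary)
        for item in findings:
            print("  finding:", item)
```

A snapshot that produces findings does not by itself prove a device fault; it marks read-back values that disagree with the relationships Table 41 describes and deserve a closer look.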
Safe Stop Function Attributes

Safe-stop function attributes provide configuration and status information for safety feedback. Single-axis drives (inverters) have one safe-stop function instance. Safe-stop function attributes provide status and configuration data. All attributes can be read using explicit messages. Attributes that can be written are indicated in the table. Configuration attributes can be read but cannot be written using an explicit message.

Table 42 - Safe Stop Function Instance Numbers

| Safe Stop Instance | Kinetix 5700 Drive | Motion Safety Category |
|---|---|---|
| 1 | Single-axis inverters | Motion Safety |

Table 43 - Safe Stop Function Attributes (Class 0x5A)

| Attribute ID Decimal (Hex) | Attribute Name | Attribute Description | Values |
|---|---|---|---|
| 10 (0xA) | Safety Reset | Reset all safety functions. | 0 to 1 transition required to reset |
| 11 (0xB) | Restart Type | Selects safety function restart behavior while operating. | 1 = Automatic |
| 12 (0xC) | Cold Start Type | Selects safety function restart behavior when applying controller power or mode change to Run. | 1 = Automatic |
| 20 (0x14) | Safety Feedback Instance | Instance ID of a Safety Feedback instance to provide position, velocity, and acceleration data used by safe stop functions. | 0 = No feedback (default); 1,2 = 2198-Sxxx-ERS4; 1,2,3,4 = 2198-Dxxx-ERS4 |
| 21 (0x15) | Safety Feedback Fault | Copy of feedback status from the Safety Feedback instance. | 0 = No Fault; 1 = Faulted |
| 22 (0x16) | Safety Feedback Fault Type | Condition detected that caused the Feedback Status attribute to fault. | 0 = Reserved; 1 = No Fault; 2 = Invalid Configuration 1; 3 = Exceeded Max Speed 1; 5 = Sin²+Cos² Error 1; 6 = Quadrature Error 1; 7 = Discrepancy Error 1; 8 = Partner Faulted 1; 9 = Supply Voltage Error 1; 10 = Feedback Signal Noise 1; 11 = Feedback Signal Lost 1; 12 = Feedback Data Loss 1; 13 = Feedback Device Failure 1; 52 = Invalid Configuration 2; 53 = Exceeded Max Speed 2; 55 = Sin²+Cos² Error 2; 56 = Quadrature Error 2; 57 = Discrepancy Error 2; 58 = Partner Faulted 2; 59 = Supply Voltage Error 2; 60 = Feedback Signal Noise 2; 61 = Feedback Signal Lost 2; 62 = Feedback Data Loss 2; 63 = Feedback Device Failure 2 |
| 30 (0x1E) | Safety Function Fault | Logical OR of all Fault attributes that reference this instance. | 0 = No Fault; 1 = Faulted |
| 31 (0x1F) | Safety Stop Fault | Logical OR of all Stop Fault attributes in this instance. | 0 = No Fault; 1 = Faulted |
| 32 (0x20) | Safety Limit Fault | Logical OR of all Limit Fault attributes that reference this instance. | 0 = No Fault; No Limit Functions Supported |
| 33 (0x21) | Safety Limit Active | Logical OR of all Limit Active attributes that reference this instance. | 0 = No Limit; No Limit Functions Supported |
| 34 (0x22) | Restart Required | A stop function has been activated and Restart Type is Manual. | 0 = Restart Not Required; 1 = Restart Required |
| 40 (0x28) | Safety Stop Status | Collection of Safety Stop Status bits. | Bit: 0 = Safety Function Fault; 1 = Safety Reset; 2 = Restart Required; 3 = STO Active; 4 = Torque Disabled; 7 = SS1 Active |
| 41 (0x29) | Safety Stop Faults | Collection of Safety Stop Fault bits. | Bit: 2 = Feedback Fault; 3 = STO Fault; 4 = SS1 Fault; 5 = SS2 Fault; 6 = SOS Fault; 7 = SBC Fault; 8 = SMT Fault |
| 50 (0x32) | Connection Loss Action | Safety Output Connection is lost (or closed) and optional Connection Loss Action is Set to STO (default). | 0 = STO (default); 1 = SS1 |
| 51 (0x33) | Connection Idle Action | Safety Output Connection's Run/Idle bit transitions from Run to Idle and Optional Connection Idle Action is Set to STO (default). | 0 = STO (default); 1 = SS1 |
| 100 (0x64) | Safety IO Status | State of MPU inputs. | Bit: 0 = PWM Power On (1 On); 1 = PWM Enable A (1 Enable); 2 = Enable A Readback (1 Enabled); 3 = Enable Test A (1 Enabled); 4 = Safety Input A (0 Energized); 8 = Pulse Test Enable (1 Enabled); 9 = PWM Enable B (1 Enable); 10 = Enable B Readback (1 Enabled); 11 = Enable Test B (1 Enabled); 12 = PWM Power Status (0 On); 13 = Safety Input B (0 Energized) |
| 101 (0x65) | STO Delay | Specify delay time from STO Active to Torque Disabled. This delay allows the time for an external brake to engage before torque disabled. | Delay in milliseconds; Default = 0 |
| 110 (0x6E) | SBC Ready | Safe Brake Control safety function is supported, configured, and ready for operation. | 0 = Not Ready; SBC Function Not Supported |
| 111 (0x6F) | SS1 Ready | Safe Stop 1 safety function is supported, configured, and ready for operation. | 0 = Not Ready; 1 = Ready |
| 112 (0x70) | SS2 Ready | Safe Stop 2 safety function is configured and ready for activation. | 0 = Not Ready; SS2 Function Not Supported |
| 113 (0x71) | SOS Ready | Safe Operating Stop safety function is configured and ready for activation. | 0 = Not Ready; SOS Function Not Supported |
| 114 (0x72) | SMT Ready | Safe Motor Temperature safety function is configured and ready for activation. | 0 = Not Ready; SMT Function Not Supported |
| 260 (0x104) | STO Mode | Safe torque-off mode. | 1 = Used; 2 = Permit Torque |
| 261 (0x105) | STO Output | Enables or disables energy to the motor that can generate torque (or force in the case of a linear motor). Safety data with a safety state of 0. | 0 = Disable Torque; 1 = Permit Torque |
| 262 (0x106) | STO Active | Output of STO Activation block. | 0 = Permit Torque; 1 = Disable Torque |
| 263 (0x107) | STO Fault | Safe Torque-off fault. | 0 = No Fault; 1 = Faulted |
| 264 (0x108) | STO Fault Type | Detailed information about a fault. | 1 = No Fault; 2 = Invalid Configuration; 3 = Circuit Error; 4 = Stuck At Low; 5 = Stuck At High; 6 = Cross Connection; 102 = Hardwired STO Input Discrepancy; 104 = Hardwired STO Input Active in Network Safety |
| 265 (0x109) | STO Activation | Bit string showing status of all inputs to the STO Activation block. | Bit: 0 = STO Output Active; 1 = SS1 Complete; 2 = Safety Stop Fault; 3 = Safety Limit Fault; 4 = Safety Limit Action; 5 = Connection Loss; 6 = Connection Idle |
| 266 (0x10A) | Torque Disabled | Status of Safe Torque-off. | 0 = Torque Permitted; 1 = Torque Disabled |
| 280 (0x118) | SS1 Mode | Safe Stop 1 mode. | 0 = Not Used; 1 = Timed SS1 (default); 2 = Monitored SS1 |
| 281 (0x119) | SS1 Request | Select Safe Stop 1 request. | 0 = No Request; 1 = Request |
| 282 (0x11A) | SS1 Active | Safe Stop 1 function active. | 0 = Not Active; 1 = Active |
| 283 (0x11B) | SS1 Fault | Safe Stop 1 fault. | 0 = No Fault; 1 = Faulted |
| 284 (0x11C) | SS1 Fault Type | Describes detailed information about the Fault. | 1 = No Fault; 2 = Invalid Configuration; 3 = Deceleration Rate; 4 = Maximum Time; 100 = STO Request during SS1; 101 = SS1 Request while Feedback not valid |
| 285 (0x11D) | SS1 Max Stop Time | Allowed time to stop. | 0-65535 milliseconds; Default = 0 |
| 286 (0x11E) | SS1 Standstill Speed | Defines the speed below which motion is considered stopped. | Feedback Units/s; Default = 0 |
| 287 (0x11F) | SS1 Stop Monitor Delay | Delay before deceleration is monitored. | 0-65535 milliseconds; Default = 0 |
| 288 (0x120) | SS1 Decel Ref Rate | Minimum rate of deceleration while stopping. | Feedback Units/s²; 0 = No Decel Check (default) |
| 289 (0x121) | SS1 Activation | The source of the SS1 activation. | Bit: 0 = SS1 Request; 1 = Safe Limit Active; 2 = Connection Loss; 3 = Connection Idle |
| 290 (0x122) | SS1 Decel Ref Tolerance | Defines the speed tolerance applied to the deceleration ramp check. This attribute is optional in the implementation. | Feedback Units/s²; Default = 0 |
| 291 (0x123) | SS1 Ext Max Stop Time | Allowed time to stop with extended range to support possibility of long stop times. This attribute is optional in the implementation. | 0-4294967296 ms; Default = 0 |
| 292 (0x124) | SS1 Max Stop Time Source | Selects which Max Stop Time attribute determines the allowed time to stop. Must be supported if optional SS1 Ext Max Stop Time is supported. | 0 = Max Stop Time; 1 = Ext Max Stop Time |
| 303 (0x12F) | SS2 Fault | Safe stop 2 fault. | 0 = No Fault; 1 = Faulted |
| 304 (0x130) | SS2 Fault Type | Detailed information about a fault. | 1 = No Fault; 2 = Invalid Configuration; SS2 Function Not Supported |
| 323 (0x143) | SOS Fault | Safe Operating Stop fault. | 0 = No Fault; 1 = Faulted |
| 324 (0x144) | SOS Fault Type | Detailed information about a fault. | 1 = No Fault; 2 = Invalid Configuration; SOS Function Not Supported |
| 341 (0x155) | SMT Fault | Safe motor temperature fault. | 0 = No Fault; 1 = Faulted |
| 342 (0x156) | SMT Fault Type | Detailed information about a fault. | 1 = No Fault; 2 = Invalid Configuration; SMT Function Not Supported |
| 363 (0x16B) | SBC Fault | Safe brake control fault. | 0 = No Fault; 1 = Faulted |
| 364 (0x16C) | SBC Fault Type | Detailed information about a fault. | 1 = No Fault; 2 = Invalid Configuration; SBC Function Not Supported |

Dual Channel Feedback Attributes

These parameters are set by using the Studio 5000 Logix Designer application only when dual-channel feedback is configured. These attributes cannot be individually set by using explicit messaging, but can be read by using a message command.

Table 44 - Dual Channel Feedback Attributes (Class 0x59)

| Attribute ID Decimal (Hex) | Attribute Name | Attribute Description | Values |
|---|---|---|---|
| 1 (0x1) | Dual Channel Mode | Selects the mode for the two channels of the Safety Dual Channel Feedback. | 0 = Single Feedback; 1 = Dual Velocity Check |
| 2 (0x2) | Dual Channel Evaluation Status | Status of the Dual Channel evaluation. | 0 = No Discrepancy; 1 = Discrepancy Detected |
| 3 (0x3) | Discrepancy Time | The time limit at which the input discrepancy becomes an error. | 0 = No Monitoring (default); 1 to 65535 ms |
| 4 (0x4) | Primary Feedback Instance | Instance ID of one of the pair of Safety Feedback instances that forms the Safety Dual Channel Feedback (primary channel). | Default = 0, no pairing |
| 5 (0x5) | Secondary Feedback Instance | Instance ID of the second instance of the dual channel safety feedback pair (secondary channel). | Default = 0, no pairing |
| 6 (0x6) | Velocity Ratio | Ratio of velocity from primary channel divided by velocity from secondary channel. | Positive REAL value |
| 7 (0x7) | Velocity Discrepancy Deadband | Allowed difference for the channel. | Default = 0, no Deadband |
| 8 (0x8) | Velocity Discrepancy Measured | Measured velocity discrepancy. | Feedback Units/s |
| 9 (0x9) | Velocity Discrepancy Status | Status of the Dual Channel evaluation. | 0 = No Discrepancy; 1 = Discrepancy Detected |
| 110 (0x6E) | Discrepancy Checking Active | Safety Dual Channel Feedback object is supported, configured for dual channel operation, is actively checking primary and secondary feedback data discrepancy, and no discrepancies have been detected. | 0 = Feedback Discrepancy Checking Inactive; 1 = Feedback Discrepancy Checking Active |

Appendix B Safety Function Validation Checklist

Use this appendix to validate your Drive Safety instructions. Each instruction has a checklist with test commands and results to verify for normal operation and abnormal operation scenarios.

Topic
• Safe Stop 1 (SS1)
• Safe Stop 2 (SS2)
• Safe Operating Stop (SOS)
• Safely Limited Speed (SLS)
• Safely Limited Position (SLP)
• Safe Direction (SDI)
• Safe Feedback Interface (SFX)
• Safe Brake Control (SBC)

Safe Stop 1 (SS1)

Use this SS1 instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT: Perform I/O verification and validation before validating your safety ladder program. SFX instruction must be verified within your application. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program.

Table 45 - SS1 Instruction Checklist (columns: Test Type, Test Description, Test Status)

Test Type: Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS1_Name.SpeedLimit
• SS1_Name.DecelerationRamp
• SS1_Name.O1
Initiate SS1 demand. Make sure that the instruction output SS1_Name.O1 turns off without generating a fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition.
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS1 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 1
Change the actual motion deceleration rate within the motion task associated with this SS1 function so that it is slower than the calculated speed limit used by the SS1 instruction.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS1_Name.SpeedLimit
• SS1_Name.DecelerationRamp
• SS1_Name.O1
Initiate SS1 demand. Make sure that the instruction generates a deceleration fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS1 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 2
Change the motion deceleration rate within the motion task associated with this SS1 function so that the stop delay time is exceeded without triggering a deceleration fault.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS1_Name.SpeedLimit
• SS1_Name.DecelerationRamp
• SS1_Name.O1
Initiate SS1 demand. Make sure that the instruction generates a maximum time fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS1 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Safe Stop 2 (SS2)

Use this SS2 instruction checklist to verify normal operation and the abnormal operation scenarios.
IMPORTANT: Perform I/O verification and validation before validating your safety ladder program. SFX instruction must be verified within your application. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program.

Table 46 - SS2 Instruction Checklist (columns: Test Type, Test Description, Test Status)

Test Type: Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand. Make sure that, while the SS2 instruction is monitoring, the motor decelerates below the SS2_Name.SS2StandstillSpeed setting and then maintains a speed below the SS2_Name.SOSStandstillSpeed (or for position mode, maintains the SS2_Name.StandstillSetpoint without exceeding the SS2_Name.StandstillDeadband setting).
While the system is in standstill state and with the sensor subsystems in a safe state, remove the SS2 demand.
• Verify proper machine status and safety application program status.
Resume normal machine operation.
• Verify proper machine status and safety application program status.

Test Type: Abnormal Operation 1
Change the actual motion deceleration rate within the motion task associated with this SS2 function so that it is slower than the calculated speed limit used by the SS2 instruction.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand. Make sure that the instruction generates a deceleration fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 2
Change the motion deceleration rate within the motion task associated with this SS2 function so that the stop delay time is exceeded without triggering a deceleration fault.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand. Make sure that the instruction generates a maximum time fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS2 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 3 (Speed mode)
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine at maximum (normal) operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand. Make sure that, while the SS2 instruction is monitoring, the motor decelerates below the SS2_Name.SS2StandstillSpeed setting and then maintains a speed below the SS2_Name.SOSStandstillSpeed.
While the system is in the standstill state, initiate a motion command that violates the standstill speed.
• Verify that standstill speed fault is generated and STO is initiated
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS2 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 4 (Position mode)
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine at maximum (normal) operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand. Make sure that, while the SS2 instruction is monitoring, the motor maintains the SS2_Name.StandstillSetPoint without exceeding the SS2_Name.StandstillDeadband setting.
While the system is in the standstill state, initiate a motion command that violates the standstill deadband.
• Verify that standstill position fault is generated and STO is initiated
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS2 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized • Verify proper machine status and safety application program status Safe Operating Stop (SOS) Test Status Use this SOS instruction checklist to verify normal operation and the abnormal operation scenarios. IMPORTANT Perform I/O verification and validation before validating your safety ladder program. SFX instruction must be verified within your application. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program. Table 47 - SOS Instruction Checklist Test Type Normal Operation Test Description Initiate a Start command. • Verify that the machine is in a normal machine run condition • Verify proper machine status and safety application program status Operate machine at the desired operating system speed. Set up a trend with expected time scale and the following tags to graphically capture this information: • SFX_Name.ActualSpeed • SFX_Name.ActualPosition • SOS_Name.StandstillSpeed • SOS_Name.StandstillDeadband • SOS_Name.Output 1 Initiate SOS demand. Make sure that while the SOS instruction maintains a speed below the SOS_Name.StandstillSpeed (or for position mode, maintains position within the SOS_Name.StandstillDeadband setting). While the system is in standstill state and with the sensor subsystems in a safe state, remove the SOS demand. • Verify proper machine status and safety application program status Resume normal machine operation. • Verify proper machine status and safety application program status Rockwell Automation Publication 2198-RM007A-EN-P - June 2023 Test Status 111 Appendix B Safety Function Validation Checklist Table 47 - SOS Instruction Checklist (Continued) Test Type Abnormal Operation 1 (Speed mode) Abnormal Operation 2 (Position mode) 112 Test Description Initiate a Start command. 
• Verify that the machine is in a normal machine run condition • Verify proper machine status and safety application program status Operate machine at the desired operating system speed. Set up a trend with expected time scale and the following tags to graphically capture this information: • SFX_Name.ActualSpeed • SFX_Name.ActualPosition • SOS_Name.StandstillSpeed • SOS_Name.StandstillDeadband • SOS_Name.Output 1 Initiate SOS demand. Make sure that the SOS instruction maintains a speed below the SOS_Name.StandstillSpeed. While the system is in the standstill state, initiate a motion command that violates the SOS_Name.StandstillSpeed. • Verify that the standstill speed fault is generated and that the STO is initiated • Verify that the STO instruction de-energizes for a normal safe condition While the system is stopped with the sensor subsystems in a safe state, initiate a Start command. • Verify that the STO instruction remains de-energized for a normal safe condition • Verify proper machine status and safety application program status While the system is stopped with the SOS demand removed, initiate a Reset command of the STO and SOS instructions. • Verify that the STO instruction remains de-energized • Verify proper machine status and safety application program status Initiate a Start command. • Verify that the machine is in a normal machine run condition • Verify proper machine status and safety application program status Operate the machine at maximum (normal) operating system speed. Set up a trend with expected time scale and the following tags to graphically capture this information: • SFX_Name.ActualSpeed • SFX_Name.ActualPosition • SOS_Name.StandstillSpeed • SOS_Name.StandstillDeadband • SOS_Name.Output 1 Initiate SOS demand. Make sure that the SOS instruction maintains position within the SOS_Name.StandstillDeadband setting. While the system is in the standstill state, initiate a motion command that violates the SOS_Name.StandstillDeadband. 
• Verify that standstill position fault is generated and STO is initiated
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SOS demand removed, initiate a Reset command of the STO and SOS instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Safely Limited Speed (SLS)

Use this SLS instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT: Perform I/O verification and validation before validating your safety ladder program. SFX instruction must be verified within your application. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program.

Table 48 - SLS Instruction Checklist
Columns: Test Type, Test Description, Test Status

Test Type: Normal Operation

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired speed range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SLS_Name.SLSLimit
• SLS_Name.ActiveLimit
• SLS_Name.Output 1
Initiate SLS demand.
Verify that the drive achieves the speed below the SLS_Name.ActiveLimit without asserting the SLS_Name.SLSLimit output.
While the system is in SLS monitoring state and with the sensor subsystems in a safe state, remove the SLS demand.
• Verify proper machine status and safety application program status
Resume normal machine operation.
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 1

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal speed range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SLS_Name.SLSLimit
• SLS_Name.ActiveLimit
• SLS_Name.Output 1
Initiate SLS demand.
Verify that the drive achieves the speed below the SLS_Name.ActiveLimit without asserting the SLS_Name.SLSLimit output.
While the system is in the SLS monitoring state, initiate a motion command that violates the SLS_Name.ActiveLimit.
• Verify that the SLS_Name.SLSLimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Safely Limited Position (SLP)

Use this SLP instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT: Perform I/O verification and validation before validating your safety ladder program. SFX instruction must be verified within your application. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program.

Table 49 - SLP Instruction Checklist
Columns: Test Type, Test Description, Test Status

Test Type: Normal Operation

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired position range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SLP_Name.SLPLimit
• SLP_Name.PositiveTravelLimit
• SLP_Name.NegativeTravelLimit
• SLP_Name.Output 1
Initiate SLP demand.
Verify that the drive achieves and maintains a position between the SLP_Name.PositiveTravelLimit and the SLP_Name.NegativeTravelLimit without asserting the SLP_Name.SLPLimit output.
While the system is in SLP monitoring state and with the sensor subsystems in a safe state, remove the SLP demand.
• Verify proper machine status and safety application program status
Resume normal machine operation.
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 1

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired position range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SLP_Name.SLPLimit
• SLP_Name.PositiveTravelLimit
• SLP_Name.NegativeTravelLimit
• SLP_Name.Output 1
Initiate SLP demand.
Verify that the drive achieves and maintains a position between the SLP_Name.PositiveTravelLimit and the SLP_Name.NegativeTravelLimit without asserting the SLP_Name.SLPLimit output.
While the system is in the SLP monitoring state, initiate a motion command that violates the SLP_Name.PositiveTravelLimit.
• Verify that SLP_Name.SLPLimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 2

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired position range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SLP_Name.SLPLimit
• SLP_Name.PositiveTravelLimit
• SLP_Name.NegativeTravelLimit
• SLP_Name.Output 1
Initiate SLP demand.
Verify that the drive achieves and maintains a position between the SLP_Name.PositiveTravelLimit and the SLP_Name.NegativeTravelLimit without asserting the SLP_Name.SLPLimit output.
While the system is in the SLP monitoring state, initiate a motion command that violates the SLP_Name.NegativeTravelLimit.
• Verify that SLP_Name.SLPLimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Safe Direction (SDI)

Use this SDI instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT: Perform I/O verification and validation before validating your safety ladder program. SFX instruction must be verified within your application. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program.

Table 50 - SDI Instruction Checklist
Columns: Test Type, Test Description, Test Status

Test Type: Normal Operation

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired operating range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SDI_Name.SDILimit
• SDI_Name.PositionWindow
• SDI_Name.Output 1
Initiate SDI demand.
Verify that motion is in the intended direction and the SDI_Name.SDILimit output is not asserted.
While the system is in SDI monitoring state and with the sensor subsystems in a safe state, remove the SDI demand.
• Verify proper machine status and safety application program status
Resume normal machine operation.
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 1

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired operating range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SDI_Name.SDILimit
• SDI_Name.PositionWindow
• SDI_Name.Output 1
Initiate SDI demand.
Verify that motion is in the intended direction and the SDI_Name.SDILimit output is not asserted.
While the system is in the SDI monitoring state, initiate a motion command that violates the SDI_Name.PositionWindow in the unintended direction.
• Verify that SDI_Name.SDILimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Safe Feedback Interface (SFX)

Use this SFX instruction checklist to verify normal operation and the abnormal operation scenarios.
IMPORTANT: Perform I/O verification and validation before validating your safety ladder program. SFX instruction must be verified within your application. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program.

Table 51 - SFX Instruction Checklist
Columns: Test Type, Test Description, Test Status

Test Type: Normal Scaling Operation

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal operating range.
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• Axis_Name.ActualSpeed
• SFX_Name.ActualPosition
• SFX_Name.ActualSpeed
Verify that the standard and safety position and speed are correlated as expected.

Test Type: Normal Homing Operation

Initiate a Start command.
Initiate a Homing procedure.
• Verify that the Home Position in the SFX instruction is set
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• SFX_Name.ActualPosition
Verify that the standard and safety position are correlated as expected.

Test Type: Abnormal Operation 1

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal operating range.
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• Axis_Name.ActualSpeed
• SFX_Name.ActualPosition
• SFX_Name.ActualSpeed
Verify that the standard and safety position and speed are correlated as expected.
Disconnect the feedback between the motor/encoder and drive.
Verify the generation of a Fault Type: 100 Feedback Invalid by checking Device_Name.SI.PrimaryFeedbackValid tag.
Verify the system fault action takes place as configured.
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation 2

Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal operating range.
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• Axis_Name.ActualSpeed
• SFX_Name.ActualPosition
• SFX_Name.ActualSpeed
Verify that the standard and safety position and speed are correlated as expected.
Disconnect the Ethernet cable between the controller and the drive.
Verify the generation of a Fault Type: 101 Connection Fault by checking the Device_Name.SI.ConnectionFaulted tag.
Verify the system fault action takes place as configured.
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Safe Brake Control (SBC)

Use this SBC instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT: Perform I/O verification and validation before validating your safety ladder program. When possible, use immediate operands for instructions to reduce the possibility of systematic errors in your ladder program. Instruction operands must be verified for your safety ladder program.

Table 52 - SBC Instruction Checklist
Columns: Test Type, Test Description, Test Status

Test Type: Normal Operation

Verify that the brake feedback is properly wired to the input module as documented.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SBC_Name.BO1
• SBC_Name.BO2
• SBC_Name.TOR
• Device_Name.STOOutput
Initiate an SBC request and initiate the STO event.
• Verify expected coordination of the STO output initiation and the SBC_Name.BO1 and SBC_Name.BO2 outputs
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Start command.
• Verify that the system remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify that the system remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status

Test Type: Abnormal Operation

Verify that brake feedback is properly wired to the input module as documented.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Initiate machine function to make sure the brake is released.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SBC_Name.BO1
• SBC_Name.BO2
• SBC_Name.TOR
• Device_Name:STOOutput
Remove brake feedback wires from the input module.
• Verify that the appropriate diagnostic code is generated
• Verify that the brake output SBC_Name.BO1 and SBC_Name.BO2 bits clear
• Verify the external brake engagement
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status
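
The SLS and SLP checklists above ask for a trend capture and a check of the limit output against the configured limits. As an added example (not part of the Rockwell manual), this Python script evaluates an exported trend against those pass/fail criteria; the CSV layout, the `t_ms` column, the magnitude-based speed comparison and the 20 ms response window are assumptions.

```python
"""Offline pass/fail check of an exported trend for the SLS and SLP checklists.

Assumptions (constructed for this example, not from the manual): the trend is
a CSV export with a t_ms time column and one column per tag, the limit output
is logged as 0/1, the samples cover only the interval in which the function
is monitoring, and max_response_ms stands in for the response time your
application allows.
"""
import csv
import io

T = "t_ms"  # time column in milliseconds (constructed name)

def load_trend(text):
    """Parse CSV text into a list of {column: float} samples."""
    return [{k: float(v) for k, v in rec.items()}
            for rec in csv.DictReader(io.StringIO(text.strip()))]

def sls_in_bounds(s):
    # Assumption: the active limit applies to speed magnitude in both directions.
    return abs(s["SFX_Name.ActualSpeed"]) < s["SLS_Name.ActiveLimit"]

def slp_in_bounds(s):
    return (s["SLP_Name.NegativeTravelLimit"] < s["SFX_Name.ActualPosition"]
            < s["SLP_Name.PositiveTravelLimit"])

def evaluate(samples, in_bounds, limit_tag, expect_violation, max_response_ms=20.0):
    """Return (passed, reason) for one Normal or Abnormal Operation run."""
    violated_at = None
    for s in samples:
        asserted = s[limit_tag] != 0.0
        if violated_at is None:
            if in_bounds(s):
                if asserted:  # output tripped although the axis was within limits
                    return False, f"{limit_tag} asserted at {s[T]:g} ms while within limits"
                continue
            if not expect_violation:
                return False, f"limit violated at {s[T]:g} ms in a normal-operation run"
            violated_at = s[T]
        delay = s[T] - violated_at
        if asserted:
            if delay <= max_response_ms:
                return True, f"{limit_tag} asserted {delay:g} ms after the violation"
            return False, f"{limit_tag} asserted late ({delay:g} ms)"
        if delay > max_response_ms:
            return False, f"{limit_tag} not asserted within {max_response_ms:g} ms"
    if violated_at is not None:
        return False, "trend ended before the limit output asserted"
    if expect_violation:
        return False, "no limit violation captured in the trend"
    return True, "stayed within limits and the limit output never asserted"

# Constructed sample trends (not captured from a real drive).
SLS_NORMAL = """\
t_ms,SFX_Name.ActualSpeed,SLS_Name.ActiveLimit,SLS_Name.SLSLimit
0,120,150,0
10,118,150,0
20,-121,150,0
"""
SLS_ABNORMAL = """\
t_ms,SFX_Name.ActualSpeed,SLS_Name.ActiveLimit,SLS_Name.SLSLimit
0,120,150,0
10,149,150,0
20,163,150,0
30,171,150,1
40,90,150,1
"""
SLP_NO_TRIP = """\
t_ms,SFX_Name.ActualPosition,SLP_Name.NegativeTravelLimit,SLP_Name.PositiveTravelLimit,SLP_Name.SLPLimit
0,10,-50,50,0
10,48,-50,50,0
20,52,-50,50,0
30,55,-50,50,0
50,55,-50,50,0
"""

if __name__ == "__main__":
    print(evaluate(load_trend(SLS_NORMAL), sls_in_bounds, "SLS_Name.SLSLimit", False))
    print(evaluate(load_trend(SLS_ABNORMAL), sls_in_bounds, "SLS_Name.SLSLimit", True))
    print(evaluate(load_trend(SLP_NO_TRIP), slp_in_bounds, "SLP_Name.SLPLimit", True))
```

The script covers only the limit-output criterion; the programmed stop action and the machine and safety program status in each checklist step still have to be verified on the machine.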
Publication 2198-RM007A-EN-P - June 2023. Copyright © 2023 Rockwell Automation, Inc. All rights reserved.
Key features
- Integrated Safe Stop functions
- Controller-based monitoring
- Safety feedback interface
- SIL 3 (PLe) capability
- Dual feedback configurations
- Safety function validation checklist
Frequently asked questions
The ArmorKinetix modules support a range of safety functions, including Safe Stop 1 (SS1), Safe Stop 2 (SS2), Safe Operational Stop (SOS), Safely Limited Speed (SLS), Safety-limited Position (SLP), Safe Direction (SDI), and Safe Feedback Interface (SFX).
The ArmorKinetix modules can achieve a safety rating of up to SIL 3 (PLe) with dual feedback configurations. Single feedback configurations provide up to SIL 2 (PLd) capability.
The SFX function provides safety position and velocity data to a GuardLogix safety controller for use in controller-based monitoring functions. This allows for advanced safety monitoring and control within your application.
The manual includes a Safety Function Validation Checklist which can be used to verify the correct implementation and operation of the safety functions within your application. This checklist helps ensure that the system meets the required safety standards.