
Application Technique

Safety Function: Actuator Subsystems – Stop Category 1 via a Safety Relay and PowerFlex 755 Drive with Hardwired Safe Torque-off

Products: Guardmaster Dual-input Safety Relay, Guardmaster Multifunction-delay Expansion Module, PowerFlex 755 Drive

Safety Rating: CAT. 3, PLe to ISO 13849-1: 2008

Topic

Important User Information
General Safety Information
Introduction
Safety Function Realization: Risk Assessment
Stop Safety Function
Safety Function Requirements
Functional Safety Description
Bill of Material
Setup and Wiring
Configuration
Calculation of the Performance Level
Verification and Validation Plan
Additional Resources


Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

Labels may also be on or inside the equipment to provide specific precautions.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

2 Rockwell Automation Publication SAFETY-AT146A-EN-P - August 2015


General Safety Information

Risk Assessments

Contact Rockwell Automation to find out more about our safety risk assessment services.

Safety Distance Calculations

Non-separating safeguards provide no physical barrier to prevent access to a hazard. Publications that offer guidance for calculating compliant safety distances for safety systems that use non-separating safeguards, such as light curtains, scanners, two-hand controls, or safety mats, include the following:

EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body)

ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)

Separating safeguards monitor a moveable, physical barrier that guards access to a hazard. Publications that offer guidance for calculating compliant access times for safety systems that use separating safeguards, such as gates with limit switches or interlocks (including SensaGuard™ switches), include the following:

EN ISO 14119:2013 (Safety of Machinery – Interlocking devices associated with guards - Principles for design and selection)

EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body)

ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)

In addition, consult relevant national or local safety standards to assure compliance.

IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

ATTENTION: Perform a risk assessment to make sure all task and hazard combinations have been identified and addressed. The risk assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must take into consideration safety distance calculations, which are not part of the scope of this document.

ATTENTION: While safety distance or access time calculations are beyond the scope of this document, compliant safety circuits often must take into consideration a safety distance or access time calculation.

Introduction

This safety function application technique is concerned primarily with the Logic and Output subsystems of a safety system. This document illustrates how to combine a Guardmaster® dual-input safety relay (GSR DI) and Guardmaster multifunction-delay expansion module (GSR EMD) with a PowerFlex® 755 drive featuring Safe Torque-off (STO) to provide a stop category 1. The stop category 1 provides a brief delay between the immediate, standard stop signal and the de-energizing of the STO inputs to allow the system time to execute an orderly stop before the STO inputs are de-energized. The intent is to provide a safe, less-disruptive response to a sudden emergency stop demand.

In an actual application, any typical safety input device could be used as the Input subsystem, if properly applied. A SensaGuard switch is used as a convenient example of an Input subsystem in this application technique.

Safety Function Realization: Risk Assessment

The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or exceeds the PLr.

[Figure: safety function block diagram spanning the Input, Logic, and Output subsystems. Subsystem 1: SensaGuard Switch; Subsystem 2: Guardmaster Dual-input Safety Relay; Subsystem 3: Guardmaster Multifunction-delay Expansion Module; Subsystem 4: PowerFlex 755 Drive]

From: Risk Assessment (ISO 12100)

1. Identification of safety functions

2. Specification of characteristics of each function

3. Determination of required PL (PLr) for each safety function

To: Realization and PL Evaluation


Stop Safety Function

This application technique includes two safety functions:

1. Safety-related stop function initiated by a safeguard.

2. Prevention of an unexpected startup.

Safety Function Requirements

The requirements for both safety functions are described in the following sections.

Safety-related Stop Function Initiated by a Safeguard

When a partial-access guard door is opened, the input subsystem initiates and maintains a stop command for the safety system to stop hazardous motion before a person can reach the hazardous area. The stop command cannot be reset until the guard door is closed. Once the guard door is closed, the input subsystem is in its safe state, and the stop command is reset, a second action (pressing a Start button) is required before the hazardous motion can resume.

Prevention of an Unexpected Startup

The safety system cannot be reset, and hazardous motion cannot be restarted while the guard door is open. Once the guard door is closed, the input subsystem is in its safe state, and the stop command is reset, a second action (pressing a Start button) is required before the hazardous motion can resume.

The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.

Considerations for Safety Distance and Stopping Performance

Based on the selection of a sensor subsystem, the risk assessment determines if a safety distance calculation is required. Typically, a safety distance calculation is required if a non-separating sensor subsystem (such as a light curtain) is selected for the safety function. For moveable, separating-safeguard systems, the overall system-stopping performance must be calculated, measured, and compared to the calculated/measured access time.

When calculating a compliant safety distance for a non-separating safeguard system or the overall system-stopping performance of a separating safeguard system, see the safety relay installation instructions listed in the Additional Resources on page 17 for the necessary response-time data.


Functional Safety Description

The Guardmaster dual-input safety relay, Guardmaster multifunction-delay expansion module, and PowerFlex drives with integrated safe torque-off (STO) use 1oo2 architecture to achieve the PFH value that is used in the PL calculation verification section of this document.

The Guardmaster dual-input safety relay monitors its safety inputs for valid status and faults. It monitors its internal circuitry for proper operation and faults. The safety relay monitors its single wire safety (SWS) input/output (I/O) for valid status and faults. It monitors its safety output contacts for proper, valid status and faults. When it receives a safety demand on its inputs, or an invalid status or a fault is detected, the safety relay immediately deactivates its safety outputs and removes 24V DC from the drive’s Stop/Start buttons. The drive performs a normal stop as configured in response to the Stop button. The safety relay also sends a safety stop command to the Guardmaster multifunction-delay expansion module via its L11 SWS.

The Guardmaster multifunction-delay expansion module monitors its SWS input for safety stop commands, valid status, and faults. It monitors its internal circuitry for proper operation and faults. It monitors its safety output contacts for proper, valid status and faults. When it receives a non-fault safety demand via its L12 SWS input, it deactivates its safety outputs in the manner for which it is configured. In this document, the Guardmaster expansion module is configured to provide a 100 ms delay. In the event of an internal fault, or a fault signaled via the SWS, the Guardmaster expansion module immediately de-energizes its safety outputs.

The PowerFlex drive monitors its STO inputs for valid status and faults. The drive monitors its internal safety circuits and its outputs for valid status and faults. When the Guardmaster dual-input safety relay de-energizes the drive STO inputs via the Guardmaster multifunction-delay expansion module, the drive's STO feature forces the drive output power transistors to a disabled state. The hazardous motion controlled by the drive coasts to a stop. This feature does not provide electrical power isolation.

The system cannot be restarted until the safety input device is in its safe state (gate is closed) and the Guardmaster dual-input safety relay is reset. Once the safety relay is reset, the Start button can be pressed to start the hazardous motion.

Hardwired Safety: Safe Torque-off Considerations for a Stop Category 1

In the event of a malfunction, it is possible that stop category 0 may occur. When designing the machine application, timing and distance must be considered for a coast to stop, as well as the possibility of the loss of control of a vertical load. Such a malfunction could occur if a hardwired STO input to the drive were to go low (that is, a wire falls off) before the drive has a chance to completely stop the motor. Use additional protective measures if this occurrence might introduce unacceptable risks to personnel.
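The stop sequence, the restart interlock, and the STO wire malfunction described above, as an added Python model; it is not part of the Rockwell Automation publication. The linear drive ramp with its `decel_ms` time, the class and function names, and the event times are assumptions for illustration; the 100 ms delay and the reset/start behavior are taken from this document.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EMD_OFF_DELAY_MS = 100  # page setting: Range 1 (0.1 to 1.0 s), Time 1 (10%)


@dataclass
class StopCat1Chain:
    """Guard switch -> DI relay -> EMD off-delay -> drive STO, timed in ms."""
    decel_ms: int                     # ASSUMED linear drive ramp, full speed to zero
    guard_closed: bool = True
    relay_on: bool = False            # DI safety outputs: 24V to Stop/Start, SWS L11
    sto_on: bool = False              # EMD safety outputs powering the drive STO inputs
    sto_wired: bool = True            # False once an STO input wire has fallen off
    ramping: bool = False             # drive is executing its configured stop
    speed: float = 0.0                # fraction of full speed
    sto_off_at: Optional[int] = None  # pending EMD off-delay expiry
    now: int = 0
    log: List[Tuple[int, str, float]] = field(default_factory=list)

    def _ramp_to(self, t: int) -> None:
        if self.ramping and self.sto_on:  # the drive needs torque to decelerate
            self.speed = max(0.0, self.speed - (t - self.now) / self.decel_ms)
        self.now = t

    def _drop_sto(self, cause: str) -> None:
        # Record when torque was removed and how much speed was left to coast.
        self.log.append((self.now, cause, round(self.speed, 3)))
        self.sto_on, self.sto_off_at, self.ramping = False, None, False
        self.speed = 0.0  # coast-down duration is not modelled

    def advance(self, t: int) -> None:
        if self.sto_off_at is not None and self.sto_off_at <= t:
            self._ramp_to(self.sto_off_at)
            self._drop_sto("EMD delay expired")
        self._ramp_to(t)

    def open_guard(self, t: int) -> None:
        self.advance(t)
        self.guard_closed = False
        if self.relay_on:
            # Relay drops at once: drive begins its normal stop, EMD starts timing.
            self.relay_on, self.ramping = False, True
            self.sto_off_at = t + EMD_OFF_DELAY_MS

    def close_guard(self, t: int) -> None:
        self.advance(t)
        self.guard_closed = True

    def press_reset(self, t: int) -> bool:
        self.advance(t)
        # Refusing a reset during the delay window is a model simplification.
        if not self.guard_closed or self.sto_off_at is not None:
            return False
        self.relay_on, self.sto_on = True, self.sto_wired
        return self.sto_on

    def press_start(self, t: int) -> bool:
        self.advance(t)
        if not (self.relay_on and self.sto_on):
            return False  # Start button has no 24V, or the STO inputs are off
        self.ramping, self.speed = False, 1.0
        return True

    def lose_sto_wire(self, t: int) -> None:
        # Malfunction case: an STO input goes low with no stop command first.
        self.advance(t)
        self.sto_wired = False
        self._drop_sto("STO input low")


def guard_trip(decel_ms: int) -> StopCat1Chain:
    """Checklist step 11: trip the input device at t = 1000 ms while running."""
    chain = StopCat1Chain(decel_ms)
    chain.press_reset(0)
    chain.press_start(10)
    chain.open_guard(1000)
    chain.advance(2000)
    return chain


def restart_attempts() -> List[bool]:
    """Checklist steps 12 to 15, following a guard trip."""
    chain = guard_trip(100)
    results = [chain.press_reset(2100)]      # guard open: reset must not respond
    chain.close_guard(2200)
    results.append(chain.press_start(2300))  # door closed but not reset: no start
    results.append(chain.press_reset(2400))  # reset is now accepted
    results.append(chain.press_start(2500))  # second action restarts the motion
    return results


def sto_wire_fault() -> StopCat1Chain:
    chain = StopCat1Chain(decel_ms=400)
    chain.press_reset(0)
    chain.press_start(10)
    chain.lose_sto_wire(1000)
    return chain
```

Each `log` entry is (time in ms, cause, fraction of full speed left to coast when torque was removed), so a ramp longer than the 100 ms delay shows up as a non-zero third value, and the wire fault shows torque lost at full speed.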


Bill of Material

This application uses these products.

Cat. No. Description Quantity

800FP-MP45PX12S 800F non-illuminated mushroom operators, push-pull, 40 mm, round plastic (Type 4/4X/13, IP66), yellow, plastic latch mount, 1 N.O. contact, 2 N.C. contacts, self-monitoring, standard pack 1

440R-D22R2 Guardmaster dual-input safety relay (DI), two dual-channel universal inputs, 1 N.C. solid state auxiliary outputs 1

800FP-R611PQ10V 800F reset, round plastic (Type 4/4x/13, IP66), blue, R, plastic latch mount, 1 N.O. contact, 0 N.C. contact, low voltage standard pack 1

440R-EM4R2D Expansion units, expansion module (single wire safe is only input) inputs, N/A safety outputs, N/A auxiliary outputs 1

800FP-U2E4F3PQ11 800F 2 pos. momentary multifunction, round, plastic (IP66, 4/4X, IP65), pos. A-red ext. PB, pos. C-green flush PB, plastic latch mount, 1 N.O. contact, 1 N.C. contact, standard, standard pack 1

20G11RD011AA0NNNNN PowerFlex 755 AC drive with embedded EtherNet/IP™, air-cooled, AC input with DC terminals, open type/frame 1, 11 amps, (Fr1 7.5 HP ND, 5 HP HD/Fr2 7.5 HP ND, 7.5 HP HD), 480V AC, 3 PH, frame 1, filtered, CM jumper removed, DB transistor, blank (no HIM) 1

20-750-S PowerFlex 750 safe torque-off module 1

1606-XLP72E 1606-XLP72E: compact power supply, 24…28V DC, 72 W, 120/240V AC/85…375V DC input voltage 1

Setup and Wiring

For detailed information on installing and wiring, refer to the publications listed in the Additional Resources.

System Overview

This section describes how each product is used in the safety function, and it also describes how the products are connected together to achieve the requirements of the safety function.

Safety-related Stop Function Initiated by a Safeguard

The Guardmaster dual-input safety relay monitors the status of a safety input device, for example a SensaGuard switch. When the input device is tripped (guard door opened), the safety relay de-energizes its two safety outputs and removes power from the drive’s Stop/Start buttons, signaling the drive to begin a normal stop. The safety relay also sends a safety stop command downstream to the Guardmaster multifunction-delay expansion module via its SWS. It also sends a stop command to the PowerFlex drive. The multifunction-delay module delays de-energizing its safety outputs for 100 ms to allow the drive to execute its normally-configured, controlled stop. The drive disables its output power transistors, leaving any remaining hazardous motion to coast to a stop. When the input device is returned to its safe state (guard door closed), and the reset button is pressed and released properly, the Guardmaster dual-input safety relay's safety outputs energize, the Guardmaster multifunction delay expansion module energizes its safety outputs, and the drive's STO inputs are powered. The hazardous motion can then be restarted by pressing the Start button.

Prevention of an Unexpected Start-up

The Guardmaster dual-input safety relay cannot be reset while its input device is in a tripped (guard door open) state. The Guardmaster multifunction-delay expansion module cannot reset until the Guardmaster dual-input safety relay is reset, the drive's STO inputs remain off, and the hazardous motion cannot be restarted. When the input device is returned to its safe state (guard door closed), and the reset button is pressed and released properly, the Guardmaster dual-input safety relay's safety outputs energize, the Guardmaster multifunction-delay expansion module energizes its safety outputs, and the drive's STO inputs are powered. The hazardous motion can then be restarted by pressing the Start button.

Electrical Schematic

[Figure: electrical schematic showing the typical safety input device (440N-Z21SS2AN9), the 440R-D22R2 safety relay with its Reset button, the 440R-EM4R2D expansion module (Range and Time switches set for a 100 ms OFF delay), and the PowerFlex 755 drive (20G11RD011AA0NNNNN) with its STOP, START, START/STOP COM, and safe torque-off module terminals (SP+, SP–, SE+, SE–, Sd). Drive jumpers: ENABLE installed, SAFETY removed.]


Configuration

Configure the Guardmaster Dual-input Safety Relay

Follow these steps to configure the Guardmaster dual-input safety relay. For more information about this relay, refer to Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037.

1. Enable program mode.

2. Set operation mode to 2: Manual Reset (IN1 and IN2) or L12.

3. Cycle power to store the configuration setting.

Configure the Guardmaster Multifunction-delay Expansion Module

Follow these steps to configure the Guardmaster multifunction-delay expansion module. For more information about this expansion module, refer to Guardmaster Safety Relay EMD Installation Instructions, publication 440R-IN045.


1. With power off, turn the Range rotary switch to 0 and power up the unit.

After the power-up test, the PWR/Fault indicator flashes red.

2. To set the timing and mode, turn the Range rotary switch to 1 (0.1 to 1.0 second), and then turn the Time rotary switch to 1 (10%).

The B1 and IN indicators blink the new setting. The PWR/Fault status indicator flashes steady green to indicate that the positions are set.

3. Cycle power to the unit to store the configuration setting.

IMPORTANT The configuration must be confirmed before operation. A white space is provided on the face of the unit to record the setting.


Configure the PowerFlex 755 Drive

By default, the PowerFlex 755 drive provides a coast-to-stop in response to an STO input. This action overrides any other stop type that might be configured as the standard stop type for the drive. A detailed description of how to fully configure the PowerFlex 755 drive is beyond the scope of this document. For more information about this drive, see the publications listed in the Additional Resources.

The recommended setting for stop mode, P370, is ramp. A ramp selection always provides the fastest stopping time, if a method to dissipate the required energy from the DC bus is provided (that is, dynamic braking resistor, regenerative brake, and so on). For a detailed explanation of dynamic braking, see Chapter 4 – Motor Control in the PowerFlex 750-Series AC Drives Reference Manual, publication 750-RM002.

Calculation of the Performance Level

When properly implemented, the PowerFlex 755 drive with integrated safe torque-off (STO) can be used in a safety function that has a Performance Level required (PLr) rating of Category 3, Performance Level e (CAT. 3, PLe), according to ISO 13849-1: 2008, as calculated by using the Safety Integrity Software Tool for the Evaluation of Machine Applications (SISTEMA).

The functional safety data for the SensaGuard switch, Guardmaster dual-input safety relay, Guardmaster multifunction delay expansion module, and PowerFlex 755 drive is provided from the Rockwell Automation® SISTEMA library.

Logic and Subsystems Calculation

The Guardmaster dual-input safety relay, Guardmaster multifunction-delay expansion module, and PowerFlex 755 drive yield the following results.

IMPORTANT To calculate the PL of your entire safety function, you must include the sensor subsystems along with the logic and actuator subsystems shown here. Depending on the sensor subsystems and devices you choose, the overall safety rating of your system could be reduced. An example that describes how to calculate the safety rating for a complete safety function appears in the section titled Complete Safety Function PL Calculation Example on page 12.


They can be modeled as follows.

[Figure: Logic and Output subsystems. Subsystem 1: Guardmaster Dual-input Safety Relay; Subsystem 2: Guardmaster Multifunction-delay Expansion Module; Subsystem 3: PowerFlex 755 Drive]

Complete Safety Function PL Calculation Example

The rest of the SISTEMA calculation in this document features a SensaGuard switch as an example of a typical safety input device.

For instance, these are the SISTEMA calculation results for the safety function, "Safety related stop function initiated by a safeguard:"

For the safety function, "Prevention of an unexpected startup," the SISTEMA calculation results are identical, because all of the same components are used.

Each safety function achieves, or exceeds, its PLr.


Verification and Validation Plan

Verification and validation play important roles in the avoidance of faults throughout the safety system design and development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a documented plan to confirm that all of the safety functional requirements have been met.

Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.

Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements of the safety function. The safety control system is tested to confirm that all of the safety-related outputs respond appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions in addition to potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control system.

Verification and Validation Checklist

General Machinery Information

Machine Name/Model Number

Machine Serial Number

Customer Name

Test Date

Tester Name(s)

Schematic Drawing Number

Input Devices

GuardMaster Dual-input Safety Relay 440R-D22R2

GuardMaster Multifunction-delay Expansion Module 440R-EM4R2D

PowerFlex 750 Safe Torque-off Module 20-750-S

PowerFlex Variable Frequency Drive 20G11RD011AA0NNNNN

Safety Wiring and Relay Configuration Verification

Test Step Verification Pass/Fail Changes/Modifications

1 Confirm that all components' specifications are suitable for the application. Refer to Basic Safety Principles and Well-tried Safety Principles from ISO 13849-2.

2 Visually inspect the safety relay circuit to confirm that it is wired as documented in the schematics.

3 Confirm that the Guardmaster dual-input safety relay is set to the proper Logic configuration setting (2).

4 Confirm that the Guardmaster multifunction-delay expansion module is set to the proper Range configuration setting (1) and Time configuration setting (1).

Normal Operation Verification - The safety system responds properly to all normal Start, Stop, Reset, and sensor device inputs.

Test Step Verification Pass/Fail Changes/Modifications

1 Confirm that no one is in the guarded area.

2 Confirm that the hazardous motion is stopped.

3 Confirm that the door is closed.


4 Apply power to the safety system.

5 Confirm that the PWR/Fault, IN1, and IN2 status indicators on the Guardmaster dual-input safety relay are green. Confirm that the OUT status indicator blinks green. Confirm that the PWR/Fault status indicator of the Guardmaster multifunction-delay expansion module is steady green.

6 Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT status indicators on the Guardmaster multifunction-delay expansion module are steady green.

7 Confirm that the hazardous motion does not start on powerup.

8 Press and release the external drive Start button. Confirm that the hazardous motion begins and the machine begins to operate.

9 Press the external Stop button. The machine must stop in its normal, configured manner. The safety system must not respond.

10 Press and release the external Start button. Confirm that the hazardous motion starts and the machine begins to operate.

11 Trip the input device. The safety system must trip. The hazardous motion must stop within the required time. Monitor the status indicators on the Guardmaster dual-input safety relay and Guardmaster multifunction-delay expansion module for proper operation. Only the PWR/Fault status indicator on both devices should be steady green. All other status indicators should be OFF.

12 Press and release the Reset button. The Guardmaster dual-input safety relay and Guardmaster multifunction-delay expansion module must not respond.

13 Restore the input device to the safe state. The machine must not start. The IN1 and IN2 status indicators of the Guardmaster dual-input safety relay must be steady green. The OUT status indicator must blink green.

14 Press and release the Reset button. Confirm that the Guardmaster dual-input safety relay OUT status indicator is now steady green. Confirm that the Logic IN and OUT status indicators of the Guardmaster multifunction-delay expansion module are steady green.

15 Press and release the external Start button. Confirm that the motor starts and the machine begins to operate.

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

Input Device - Guardmaster Input Tests

Test Step Validation Pass/Fail Changes/Modifications

1 To find a safety function application technique that uses the type of input device you plan to use along with a Guardmaster dual input (or single input) safety relay, refer to: http://www.marketing.rockwellautomation.com/safety-solutions/en/MachineSafety/OurSafetySolutions/safety_functions. Use the input section of that validation procedure as a guide to test your input device.

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

Guardmaster Dual-input Safety Relay - Guardmaster Multifunction-delay Expansion Module Tests

Test Step Validation Pass/Fail Changes/Modifications

1 While the machine continues to run, remove the wire from L12 of the Guardmaster multifunction-delay expansion module. The hazardous motion must coast to a stop. The Logic IN and OUT status indicators on the Guardmaster multifunction-delay expansion module must be OFF. The Guardmaster dual-input safety relay is not affected.

2 Press the external Stop button. Restore the connection. The Guardmaster multifunction-delay expansion module Logic IN and OUT status indicators are steady green. Press the external Start button to resume the hazardous motion.


3 While the hazardous motion continues to run, jump 24V to the L12 terminal of the Guardmaster multifunction-delay expansion module. After a second or two, the hazardous motion coasts to a stop. The Logic IN and OUT status indicators on the Guardmaster multifunction-delay expansion module are OFF. The OUT status indicator on the Guardmaster dual-input safety relay is OFF. The PWR/Fault status indicator on the Guardmaster dual-input safety relay blinks red to show that it is faulted.

4 Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond.

5 Cycle power to the Guardmaster dual-input safety relay. It responds. The PWR/Fault, IN1, and IN2 status indicators are steady green. The OUT status indicator blinks green.

6 Press and release the Reset button. Press the external Start button. The hazardous motion must resume.

7 While the hazardous motion continues to run, jump 0V to the L12 terminal on the Guardmaster multifunction-delay expansion module. After a second or two, the hazardous motion coasts to a stop. The Logic IN and OUT status indicators on the Guardmaster multifunction-delay expansion module are OFF. The OUT status indicator on the Guardmaster dual-input safety relay is OFF. The PWR/Fault status indicator on the Guardmaster dual-input safety relay blinks red to show that it is faulted.

8 Remove the jumper. Press and release the Reset button. The Guardmaster dual-input safety relay must not respond.

9 Cycle power to the Guardmaster dual-input safety relay. It responds. The PWR/Fault, IN1, and IN2 status indicators are steady green. The OUT status indicator blinks green.

10 Press and release the Reset button. Press the external Start button. The hazardous motion must resume.

Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.

Guardmaster Multifunction-delay Expansion Module - PowerFlex Drive Tests

Test Step Validation Pass/Fail Changes/Modifications

1 While the machine continues to run, remove the wire from terminal SP+ of the PowerFlex drive. The hazardous motion must coast to a stop. The Guardmaster dual-input safety relay and Guardmaster multifunction-delay expansion module are not affected.

2 Replace the wire to terminal SP+. Press the drive Start button. The drive starts normally; the hazardous motion begins.

3 While the hazardous motion continues to run, jump 24V to terminal SP+ of the PowerFlex drive. Trip the input device. The hazardous motion coasts to a stop. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module behave in the normal way to the input device being tripped.

4 Restore the input device to the safe state. Press and release the Reset button. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module reset.

5 Remove the jumper. Press the drive Start button. The drive starts normally; the hazardous motion begins.

6 While the hazardous motion continues to run, jump 0V to terminal SP+ of the PowerFlex drive. The hazardous motion coasts to a stop. The Guardmaster dual-input safety relay and the Guardmaster multifunction-delay expansion module are not affected.

7 Remove the jumper. Press the drive Start button. The drive starts normally; the hazardous motion begins.

8 Repeat steps 1 through 7 using the PowerFlex drive’s terminal SE+ in place of terminal SP+. The system responses must be the same as before.


Confirmation of Performance - The overall system-stopping performance does not exceed the total required stopping time.

Input Device, Guardmaster Dual-input Safety Relay, Guardmaster Multifunction-delay Expansion Module, PowerFlex Drive Tests

Test Step Confirmation Pass/Fail Changes/Modifications

1 Confirm that everything runs safely in the configuration determined to yield the maximum overall system-stopping performance.

2 While the machine continues to run, trip the input device. Do not reach into the guarded area. Confirm that the hazard stops within the required total stopping time.

IMPORTANT In addition to the verification and validation steps that are provided here, consult the application technique for your input subsystem for the steps that are required to validate the input device. Safety function application techniques are available at http://marketing.rockwellautomation.com/safety/en/safety_functions.


Additional Resources

These documents contain more information about related products from Rockwell Automation.

You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley® distributor or Rockwell Automation sales representative.

Resource Description

SensaGuard Rectangular Flat Pack Installation Instructions, publication 440N-IN008 Provides instructions on how to install a SensaGuard switch.

Guardmaster Safety Relay DI Installation Instructions, publication 440R-IN037 Provides instructions on how to install, configure, operate, and maintain a Guardmaster dual-input safety relay.

Guardmaster Safety Relay DI Quick Start Guide–Troubleshooting, publication 440R-TG002 Provides information on how to troubleshoot a Guardmaster dual-input safety relay.

Guardmaster Safety Relay EMD Installation Instructions, publication 440R-IN045 Provides instructions on how to install, configure, operate, and maintain a Guardmaster multifunction-delay expansion module.

Guardmaster Safety Relay EMD Quick Start Guide– Troubleshooting, publication 440R-TG001 Provides information on how to troubleshoot a Guardmaster multifunction-delay expansion module.

Guardmaster Safety Relays (DI, DIS, SI, CI, GLP, EM, and EMD) Selection Guide, publication 440R-SG001 Provides descriptive information about how to select and configure a Guardmaster safety relay.

PowerFlex 750-Series AC Drives Technical Data, publication 750-TD001 Provides technical information about the PowerFlex 750-series AC drives. Includes information about certifications and specifications, as well as dimensions and weights. Also discusses cable, motor, and design considerations, and lists the drive options available for these drives.

PowerFlex 750-Series AC Drives Installation Instructions, publication 750-IN001 Provides instructions on how to install, configure, operate, and maintain the PowerFlex 750-series AC drives.

PowerFlex 750-Series Safe Torque Off User Manual, publication 750-UM002 Provides instructions on how to install, configure, operate, and maintain the PowerFlex 750-series safe torque-off drives.

PowerFlex 750-Series AC Drives Programming Manual, publication 750-PM001 Provides instructions on how to program and troubleshoot the PowerFlex 750-series AC drives. Also includes several application notes for these drives.

PowerFlex 750-Series AC Drives Reference Manual, publication 750-RM002 Provides detailed drive information for the PowerFlex 750-series AC drives, which includes operation, parameter descriptions, and programming information.

Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 Provides general guidelines on how to install a Rockwell Automation industrial system.

Safety Products Catalog, publication S117-CA001, website http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page Provides information about Rockwell Automation safety products.

Product Certifications website, available from the Product Certifications link on http://www.ab.com Provides declarations of conformity, certificates, and other certification details.


Allen-Bradley, Guardmaster, LISTEN. THINK. SOLVE, PowerFlex, Rockwell Automation, Rockwell Software, and SensaGuard are trademarks of Rockwell Automation, Inc.

Trademarks not belonging to Rockwell Automation are property of their respective companies.

EtherNet/IP is a trademark of ODVA, Inc.

Publication SAFETY-AT146A-EN-P - August 2015 Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.

Documentation Feedback

Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete this form, publication RA-DU002, available at http://www.rockwellautomation.com/literature/.

Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400

For more information on Safety Function Capabilities, visit: http://marketing.rockwellautomation.com/safety/en/safety_functions

Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.