Chapter 5 - Safety I/O Modules 191

OPERATING MODES AND WIRING

Select an application based on its availability and fail-safe operation requirement.

STATEMENT OF HAZARD, E.G. UNGUARDED MACHINERY CAN CAUSE SERIOUS INJURY
The maximum Safety Integrity Level (SIL) is determined by the sensor quality and the length of the proof-test interval according to IEC 61508. Always wire sensors whose quality does not meet the SIL requirements redundantly to two channels.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Configuration Training
APPLICATION 1 - SIL 3, CAT 2 / PLD

➢ Single sensor connected to one input channel, supplied by the internal VS

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            YES
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   YES

➢ Single sensor connected to one input, supplied by an external power supply

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            YES
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   NO

Modicon M580 Safety
APPLICATION 2 - MODULE REDUNDANCY, SIL 3, CAT 2 / PLD

➢ Use 2 different modules for high availability
➢ Single sensor connected to 2 inputs, powered by an external power supply

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            NO
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   NO

➢ Two redundant sensors are wired to a single channel on each of the two input modules for each process signal. The sensors can also be connected to an external sensor supply.

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            YES
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   YES

Acquisition of the same process variable with mechanically separate sensors (Sensor 1 and Sensor 2). In this kind of application, the safety function block "S_DIHA" can be used to manage the two input signals.
APPLICATION 3 - CHANNEL REDUNDANCY, SIL 3, CAT 4 / PLE

➢ 1oo2 evaluation; same module but different channels
➢ Single sensor connected to 2 inputs of the same module
➢ Use the "S_EQUIVALENT" function block to manage the 2 input signals
➢ Diagnostic results for Application 3 with a single sensor connected to 2 inputs:

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            YES
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   YES

➢ Diagnostic results for Application 3 with a single equivalent sensor connected to 2 inputs, using an external power supply:

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            YES
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   NO

See Also: For further information about operating modes and wiring for Application 3, see the safety product user manual.
APPLICATION 4 - MODULE & CHANNEL REDUNDANCY, SIL 3, CAT 4 / PLE

➢ Use 2 different modules for high availability
➢ Single-channel connection of 2 redundant single-channel sensors (linked mechanically or not)
➢ Use the "S_EQUIVALENT" & "S_DIHA" function blocks to manage the 4 input signals
➢ Diagnostic results for Application 4 with a single sensor connected to 2 inputs:

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            YES
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   YES

➢ Diagnostic results for Application 4 with a single sensor connected to 2 inputs, but using an external power supply:

  Type of Fault                                                        Diagnostic Applicable
  Fault 1   Wire cut & short-circuit to GND                            YES
  Fault 2   Short-circuit to 24V & cross-circuit between other lines   NO

See Also: For further information about operating modes and wiring for Application 4, see the safety product user manual.
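As an added example (not code from the training manual or from the Safety FFB library), the following Python model shows how the two blocks named for Applications 3 and 4 fit together: a simplified S_DIHA-style selection of a healthy module per sensor, feeding an S_EQUIVALENT-style 1oo2 evaluation with a discrepancy time. The block semantics, the `Channel` type and all parameter names are assumptions of this example, modelled on PLCopen's SF_Equivalent; Application 3 uses the equivalence check alone.

```python
"""1oo2 evaluation of redundant safety digital inputs (Applications 3 and 4).

Added example, not code from the training manual or from the Safety FFB
library. Block semantics are assumptions modelled on PLCopen SF_Equivalent:
  - S_EQUIVALENT-style check: the 1oo2 output is TRUE only while both
    channels are TRUE; a disagreement lasting longer than the discrepancy
    time latches an error until both channels are FALSE again.
  - S_DIHA-style selection: per process signal, take the value from a
    healthy module, so one lost module does not stop the process.
"""
from dataclasses import dataclass


@dataclass
class Channel:
    """One safety DI channel as seen by the SAFE task (example type).

    value: filtered input state.
    valid: False when the module reports the channel invalid (IC bit set,
           wiring fault detected, module lost).
    """
    value: bool
    valid: bool = True


def select_high_availability(mod_a: Channel, mod_b: Channel) -> Channel:
    """S_DIHA-style selection: the same sensor read by two input modules.

    Prefer module A while it is healthy, fall over to module B, and report
    an invalid, safe (FALSE) channel only when both modules are invalid.
    """
    if mod_a.valid:
        return Channel(mod_a.value, True)
    if mod_b.valid:
        return Channel(mod_b.value, True)
    return Channel(False, False)        # no trustworthy source: fail safe


class Equivalent:
    """S_EQUIVALENT-style 1oo2 evaluation of two channels that must agree."""

    def __init__(self, discrepancy_time_ms: int) -> None:
        self.discrepancy_time_ms = discrepancy_time_ms
        self._disagree_ms = 0
        self.error = False

    def step(self, ch_a: Channel, ch_b: Channel, cycle_ms: int) -> bool:
        """Evaluate one SAFE task cycle and return the 1oo2 output."""
        a = ch_a.value and ch_a.valid
        b = ch_b.value and ch_b.valid
        if a != b:
            self._disagree_ms += cycle_ms
            if self._disagree_ms > self.discrepancy_time_ms:
                self.error = True       # latched: sensors/wiring disagree too long
        else:
            self._disagree_ms = 0
            if not a and not b:
                self.error = False      # reset condition: both channels safe
        if self.error or not (ch_a.valid and ch_b.valid):
            return False
        return a and b


def application_4_cycle(eq: Equivalent,
                        s1_mod_a: Channel, s1_mod_b: Channel,
                        s2_mod_a: Channel, s2_mod_b: Channel,
                        cycle_ms: int) -> bool:
    """Application 4: two redundant sensors, each wired single-channel to two
    modules. S_DIHA picks a healthy module per sensor (availability), then
    S_EQUIVALENT demands that the two sensors agree (1oo2 safety)."""
    sensor_1 = select_high_availability(s1_mod_a, s1_mod_b)
    sensor_2 = select_high_availability(s2_mod_a, s2_mod_b)
    return eq.step(sensor_1, sensor_2, cycle_ms)


if __name__ == "__main__":
    eq = Equivalent(discrepancy_time_ms=100)
    on, lost = Channel(True), Channel(True, valid=False)
    print(application_4_cycle(eq, on, on, on, on, 10))     # all agree -> True
    print(application_4_cycle(eq, lost, on, on, on, 10))   # one module lost -> still True
```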
SAFETY DIGITAL OUTPUT MODULE BMX SDO 0802 - 8 DO 24VDC MODULE

The Safety Digital Output module, BMX SDO 0802, is an 8-bit, non-electrically isolated digital output module. The following are its characteristics:
➢ 8 digital outputs, 24 Vdc, 0.5 A; non-electrically isolated
➢ Up to SIL 3 and Cat. 4 / PLe can be achieved
➢ Configurable diagnostic functions:
  o Open-circuit detection (wire broken or cut)
  o Overload and short-circuit detection to 0V, channel by channel, output state 1
  o Short-circuit with 0V, channel by channel, output state 0, optionally by pulse test
  o Short-circuit detection with the 24V, channel by channel, or with another channel at state 1
➢ External pre-actuator supply monitored
➢ Status LED display for each channel
➢ Configuration in running mode supported (CCOTF)

Note: The diagrams in the manual are recommended only and, if followed as shown, will achieve the nominated level of safety in accordance with the design standard adopted. For a design following ISO 13849, it is possible to use the M580 Safety modules for different architectures such as Cat 1 and Cat 3; however, a safety assessment of the complete system by a suitably qualified party shall be undertaken in accordance with ISO 13849 to ensure the system meets the required level of safety.
1OO2 INTERNAL ARCHITECTURE

The BMX SDO 0802 module has a 1oo2 internal architecture. Each output command can be activated and monitored via the Device DDT.
➢ A read-back signal can be used to validate the output command ("TRUE_VALUE")
➢ The "TRUE_VALUE" variable can also be time-stamped by BMX / BME CRA modules

If the module detects a fault in the data coming from the CPU, the module sets its outputs to the configured fall-back state. The parameter "IC" (Invalid Channel) is then set to 1.

The user is able to set a parameter "Safety control Timeout" (S_TO) in the EcoStruxure™ Control Expert V15 for Safety I/O screen. The value is the time (in ms) before the module goes to the fall-back state. It is recommended that this value is higher than "2 X safety task period".
TERMINAL BLOCK

The Safety Digital Output module can be used with:
➢ BMX FTB 2000 - 20 points, cage clamp terminal block
➢ BMX FTB 2010 - 20 points, screw clamp terminal block
➢ BMX FTB 2020 - 20 points, spring type terminal block

There are 2 groups of 8 output channels; the common 0V and 24 Vdc are internally connected.

The terminal block cannot be removed while the process is running. It is not allowed to remove the terminal block while it is powered (the 24 Vdc to the I/O module must be isolated first).

It is recommended to use a process power supply that does not recover automatically after a trip, for example the 24 Vdc 10 A ABL8 RPS24100 in manual mode.

  Pin Number   Pin Description     Pin Number   Pin Description
  2            Common 0V           1            Output 0
  4            Common 0V           3            Output 1
  6            Common 0V           5            Output 2
  8            Common 0V           7            Output 3
  10           Common 0V           9            Output 4
  12           Common 0V           11           Output 5
  14           Common 0V           13           Output 6
  16           Common 0V           15           Output 7
  18           Common 0V           17           24V Power Supply
  20           Common 0V           19           24V Power Supply

Note: The module will not start without an external 24 Vdc. It is mandatory to use a fuse (fast blow, maximum 6 A depending on the load).

IMPROPER SELECTION OF FUSE
Use fast-acting fuses to protect the electronic components of the module from over-current. Improper fuse selection could result in damage to the module.
Failure to follow these instructions can result in injury or equipment damage.
OPERATING MODES AND WIRING

Select an application based on its availability and fail-safe operation requirement.

STATEMENT OF HAZARD, E.G. UNGUARDED MACHINERY CAN CAUSE SERIOUS INJURY
The maximum Safety Integrity Level (SIL) is determined by the sensor quality and the length of the proof-test interval according to IEC 61508. Always wire sensors whose quality does not meet the SIL requirements redundantly to two channels.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

APPLICATION 1 - FAIL SAFE; SIL 3, CAT 4 / PLE

➢ One actuator is connected via one digital output channel
➢ Uses the pulse test for monitoring

Self-test monitoring allows the module to automatically test the capability of the outputs to execute the demand state, completely transparently to the device (or load). This self-test is performed on each output with a period of less than 1 second.

The safe state of the outputs is de-energized. The module complies with applications where the demand state is either the de-energized state or the energized state.
APPLICATION 2 - MODULE REDUNDANCY, SIL 3, CAT 4 / PLE

➢ Activate the same actuator or two different actuators

Two redundant outputs supervise the same physical process variable. The outputs can either be connected together to activate the same actuator or be connected to two different actuators. In both cases, the outputs come from two different output modules.

The safe state of the output is de-energized. The module complies with applications where the demand state is either the de-energized state or the energized state.

Note: The module will not start without an external 24 Vdc.
For this type of Application 2, with redundancy for high availability, it is possible for two output channels coming from 2 different output modules to activate one actuator.
➢ Wired in parallel and connected to the same actuator
➢ The 2 output channels are managed by the CPU

If one of the two modules becomes faulty, the system keeps running in a SIL 3 configuration, and the only time limit for replacing the faulty module is the proof test interval. The faulty module can be replaced without interrupting the process application.

Note: In this configuration, the short-circuit detection with 24 Vdc feature on the external wiring is not operational and should be disabled.
DIAGNOSTIC FUNCTIONS

The following are configurable diagnostic functions:
➢ Open circuit detection, channel by channel
➢ Overload and short-circuit detection with the 0V, channel by channel, output state energized
  o To recover, it is necessary to rearm by setting the overloaded output command of the module to the "OFF" state.
➢ Short circuit with 0V, channel by channel, output state de-energized
  o Detection is performed by applying a pulse test to the state "energized" to the output for less than 1 ms, with a period of less than 1 second.
➢ Short-circuit detection with the 24 Vdc, channel by channel, or with another channel (state "energized")
  o When the output is driven "de-energized", the diagnostic is performed at each cycle.
  o When the output is driven "energized", the diagnostic is performed with a period of less than 1 second.

  Diagnostic Functions                       Output Energized                    Output De-energized
  Output open circuit                        YES (Diagnostic at each cycle)      YES (Diagnostic at each cycle)
  Output overload                            YES (Diagnostic at each cycle) *    NO
  Output short circuit to 0V                 YES (Diagnostic at each cycle) *    YES (Diagnostic < 1s)
  Output short circuit to 24V                YES (Diagnostic < 1s)               YES (Diagnostic at each cycle)
  Output short circuit to another channel    YES (Diagnostic < 1s)               YES (Diagnostic at each cycle)

  * To recover control of the output, it is necessary to first set the output command to "0". This then allows (rearms) the output to be set again.
CONFIGURABLE DIAGNOSTIC FUNCTIONS

Diagnostic functions can be enabled or disabled via EcoStruxure™ Control Expert V15 for Safety in the I/O screen.

The user is able to set a parameter "Safety control Timeout" (S_TO) in the I/O screen of EcoStruxure™ Control Expert V15 for Safety. The value is the time (in ms) before the module goes to the fall-back state. It is recommended that this value is set higher than "2 X safety task period".
• If the module detects a fault in the data coming from the CPU, the module sets its outputs to the configured fall-back state.

The user is able to set a parameter "Validate the pulse test to Energized" (V_PULSE_ON) in the I/O screen of EcoStruxure™ Control Expert V15 for Safety. It allows the user to enable, for each channel, the automatic pulse test to Energized while the output is de-energized, to check for a potential short-circuit to 0V.

The user is able to set a parameter "Validate the Short cut test to 24V" (V_SC) in the I/O screen of EcoStruxure™ Control Expert V15 for Safety. It allows the user to enable, for each channel, the automatic test to detect a potential short-circuit with the 24V, or with another channel (state "energized").

The user is able to set a parameter "Validate the Open circuit test" (V_OC) in the I/O screen of EcoStruxure™ Control Expert V15 for Safety. It allows the user to enable, for each channel, the automatic test to detect whether the channel output is not connected to the actuator (wiring broken or cut).

The 24 VDC external pre-actuator supply is monitored and the information is sent to the CPU via a dedicated bit (PP_STS).

Activation of system bit %S9 from the Process area has no influence on the Safety output module: outputs are not set to the fall-back state when %S9 is set to 1. System bits %S40 to %S47 and %S119 have no effect on the safety modules.

Dedicated function blocks are available in the Safety FFB library to retrieve system information related to the context of the SAFE task (i.e. operating mode, time management, and error handling). They can only be managed in "Safety" user code, through the "S_SYST_READ_TASK_BIT_MX" and "S_SYST_RESET_TASK_BIT_MX" function blocks.
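As an added example that is not part of the manual, the following Python model reproduces the fall-back behaviour described here and on the 1oo2 architecture page: a module that stops receiving valid data from the SAFE task for longer than S_TO drops every channel to its configured fall-back value and sets IC, while the SAFE task validates its commands by comparing them with TRUE_VALUE. The exchange format, the `SafetyOutputModule` class and its method names are this example's assumptions; only the parameter names (S_TO, IC, TRUE_VALUE) and the "2 X safety task period" rule come from the page.

```python
"""Fall-back on Safety control timeout (S_TO) for a safety output module.

Added example, not code from the manual or from the module firmware. It
models the behaviour described for the BMX SDO 0802 (the BMX SRA 0405 is
described the same way): the module expects fresh, valid data from the SAFE
task; when valid data has been missing for longer than S_TO, every channel
goes to its configured fall-back value and IC (Invalid Channel) is set;
TRUE_VALUE is the read-back the SAFE task compares with its command.
Frame format, class and method names are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Sequence


def check_safety_timeout(s_to_ms: int, safety_task_period_ms: int) -> bool:
    """Page rule: S_TO should be higher than 2 x the safety task period."""
    return s_to_ms > 2 * safety_task_period_ms


@dataclass
class OutputChannel:
    fallback_value: bool = False    # "Fallback" mode with a "De-Energized" value
    command: bool = False           # last command accepted from the CPU
    true_value: bool = False        # read-back of the physical output
    ic: bool = False                # Invalid Channel flag


@dataclass
class SafetyOutputModule:
    s_to_ms: int
    channels: List[OutputChannel] = field(
        default_factory=lambda: [OutputChannel() for _ in range(8)])
    in_fallback: bool = False
    since_valid_ms: int = 0         # time elapsed since the last valid CPU data

    def receive(self, commands: Sequence[bool], valid: bool, elapsed_ms: int) -> None:
        """One exchange with the CPU, `elapsed_ms` after the previous one.

        `valid` is the verdict of the module's integrity checks on the
        received data (the checks themselves are not modelled).
        """
        self.since_valid_ms += elapsed_ms
        if valid and len(commands) == len(self.channels):
            self.since_valid_ms = 0
            self.in_fallback = False
            for ch, cmd in zip(self.channels, commands):
                ch.command = cmd
                ch.true_value = cmd     # healthy hardware: output follows the command
                ch.ic = False
        elif self.since_valid_ms > self.s_to_ms:
            self._enter_fallback()

    def tick(self, elapsed_ms: int) -> None:
        """Time passing with no exchange at all (e.g. SAFE task stopped)."""
        self.since_valid_ms += elapsed_ms
        if self.since_valid_ms > self.s_to_ms:
            self._enter_fallback()

    def _enter_fallback(self) -> None:
        self.in_fallback = True
        for ch in self.channels:
            ch.true_value = ch.fallback_value
            ch.ic = True

    def readback_mismatches(self) -> List[int]:
        """Channels whose TRUE_VALUE differs from the last command: what the
        SAFE task sees when it validates its output commands."""
        return [i for i, ch in enumerate(self.channels)
                if ch.true_value != ch.command]


if __name__ == "__main__":
    module = SafetyOutputModule(s_to_ms=50)      # assumes a 20 ms safety task period
    module.receive([True] * 8, valid=True, elapsed_ms=0)
    module.receive([True] * 8, valid=False, elapsed_ms=20)   # corrupt frame, inside S_TO
    module.tick(40)                                          # no data: S_TO exceeded
    print(module.in_fallback, module.readback_mismatches())  # True [0, 1, ..., 7]
```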
SAFETY RELAY OUTPUT MODULE BMX SRA 0405 - 4 RELAY OUTPUT MODULE

The Safety Relay Output module, BMX SRA 0405, has 4 embedded safety relays with built-in N.O. contacts. The following are its characteristics:
➢ 4 relays with an output current of 5 A
➢ Rated load voltage 24 Vdc and 24 to 230 Vac (overvoltage Category II)
➢ Up to SIL 3 and Cat 4 / PLe can be achieved
➢ Programmable automatic self-monitoring
➢ Status LED display for each channel
➢ Configuration in running mode supported (CCOTF)
➢ Module hot swappable
➢ Module is conformal coated with a thin polymeric film which 'conforms' to the contours of a printed circuit board to protect the board's components
➢ The relays are conformal coated and compliant with EN 50205 - relays with forcibly guided (mechanically linked) contacts.
  o This standard applies to elementary relays in which special design and constructional measures are used to ensure that make (normally-open) contacts cannot assume the same state as break (normally-closed) contacts

The coil commands and the state of the relay are internally read back and controlled by the module at start-up and during normal operation (running). A fault is detected by comparing these read-back values with the expected value.

Note: The diagrams in the manual are recommended only and, if followed as shown, will achieve the nominated level of safety in accordance with the design standard adopted. For a design following ISO 13849, it is possible to use the M580 Safety modules for different architectures such as Cat 1 and Cat 3; however, a safety assessment of the complete system by a suitably qualified party shall be undertaken in accordance with ISO 13849 to ensure the system meets the required level of safety.
1OO2 INTERNAL ARCHITECTURE

The BMX SRA 0405 module has a 1oo2 internal architecture. Each output command can be activated and monitored via the Device DDT. The coil command and the state of each relay are internally read back and controlled by the module.
➢ A fault can be detected by comparing the read-back value ("TRUE_VALUE") with the expected value
➢ The "TRUE_VALUE" variable can be time-stamped by BMX / BME CRA modules

If the module detects a fault in the data coming from the CPU, the module sets its outputs to the configured fall-back state. The parameter "IC" (Invalid Channel) is then set to 1.

The user is able to set a parameter "Safety control Timeout" (S_TO) in the EcoStruxure™ Control Expert V15 for Safety I/O screen. The value is the time (in ms) before the module goes to the fall-back state. It is recommended that this value is higher than "2 X safety task period".
TERMINAL BLOCK

The Safety Relay Output module can be used with:
➢ BMX FTB 2000 - 20 points, cage clamp terminal block
➢ BMX FTB 2010 - 20 points, screw clamp terminal block
➢ BMX FTB 2020 - 20 points, spring type terminal block

The terminal block cannot be removed while the process is running. It is not allowed to remove the terminal block while it is powered (the 24 Vdc to the I/O module must be isolated first).

There is no external wiring diagnostic. The customer is responsible for implementing appropriate diagnostics or avoiding dangerous faults that could occur on the external wiring.

It is recommended to use a process power supply that does not recover automatically after a trip, for example the 24 Vdc 10 A ABL8 RPS24100 in manual mode.

  Pin Number   Pin Description          Pin Number   Pin Description
  2            N.O. contact, REL 0a     1            Not used
  4            N.O. contact, REL 0b     3            N.O. contact, REL 0a
  6            N.O. contact, REL 1a     5            N.O. contact, REL 0b
  8            N.O. contact, REL 1b     7            N.O. contact, REL 1a
  10           Not used                 9            N.O. contact, REL 1b
  12           N.O. contact, REL 2a     11           Not used
  14           N.O. contact, REL 2b     13           N.O. contact, REL 2a
  16           N.O. contact, REL 3a     15           N.O. contact, REL 2b
  18           N.O. contact, REL 3b     17           N.O. contact, REL 3a
  20           Not used                 19           N.O. contact, REL 3b

Note: It is mandatory to use a fuse (fast blow, maximum 6 A depending on the load).

IMPROPER SELECTION OF FUSE
Use fast-acting fuses to protect the electronic components of the module from over-current. Improper fuse selection could result in damage to the module.
Failure to follow these instructions can result in injury or equipment damage.
OPERATING MODES AND WIRING

Select an application based on its availability and fail-safe operation requirement.

STATEMENT OF HAZARD, E.G. UNGUARDED MACHINERY CAN CAUSE SERIOUS INJURY
The maximum Safety Integrity Level (SIL) is determined by the sensor quality and the length of the proof-test interval according to IEC 61508. Always wire sensors whose quality does not meet the SIL requirements redundantly to two channels.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

APPLICATIONS SELECTION

This module embeds 4 safety relays with N.O. contacts, allowing SIL 2 / Cat 2 / PLc or SIL 3 / Cat 4 / PLe applications to be reached, with or without self-test monitoring. Self-test monitoring allows the module to automatically test the capability of the relays to execute the demand state, completely transparently to the device (or load). The different configuration types allow the user to select the kind of application in which the module is to be used.

The safe state of the outputs of the safety relay module is de-energized. The module can be configured to comply with applications where the demand state is either the de-energized state or the energized state.
APPLICATION 1 - SIL 2 / CAT 2 / PLC

➢ 4 control outputs without automatic self-test monitoring
➢ Demand state is de-energized
➢ If the module detects an internal fault on a channel, the related output will be de-energized
➢ To maintain the SIL certification, the user has to perform at least a daily signal transition from energized to de-energized on the output

In order to maintain the Safety Integrity Level (SIL), and because there is no automatic self-monitoring to perform a pulse test, the user has to perform at least a daily signal transition from de-energized to energized on the output.
APPLICATION 2 - SIL 2 / CAT 2 / PLC

➢ 2 control outputs with automatic self-test monitoring
  o Each output is the result of 2 relays
  o The user has to manage each relay individually for output control
➢ Demand state is de-energized
➢ If the module detects an internal fault on one of its relays, the 2 relays related to this control will be de-energized
➢ Automatically performs a pulse test (< 50 ms) to the open state, alternately on each relay, with a user-defined period

In order to maintain the Safety Integrity Level (SIL), the module automatically performs a pulse test to the open state, alternately on each relay, with a period defined by the user from 1 to 1440 minutes (1 day). This test has no impact on the load and therefore on the process. The duration of the pulse test is less than 50 ms.
APPLICATION 3 - SIL 2 / CAT 2 / PLC

➢ 4 control outputs without automatic self-test monitoring
➢ Demand state is energized
➢ If the module detects an internal fault on a channel, the related output will be de-energized
➢ To maintain the SIL certification, the user has to perform at least a daily signal transition from de-energized to energized on the output

In order to maintain the Safety Integrity Level (SIL), and because there is no automatic self-monitoring to perform a pulse test, the user has to perform at least a daily signal transition from de-energized to energized on the output.
APPLICATION 4 - SIL 2 / CAT 2 / PLC

➢ 2 control outputs with automatic self-test monitoring
  o Each output is the result of 2 relays
  o The user has to manage each relay individually for output control
➢ Demand state is energized
➢ If the module detects an internal fault on one of its relays, the 2 relays related to this control will be de-energized
➢ Automatically performs a pulse test (< 50 ms) to the closed state, alternately on each relay, with a user-defined period

In order to maintain the Safety Integrity Level (SIL), the module automatically performs a pulse test to the closed state, alternately on each relay, with a period defined by the user from 1 to 1440 minutes (1 day). This test has no impact on the load and therefore on the process. The duration of the pulse test is less than 50 ms.

Note that Application 4 and Application 8 have exactly the same internal and external wiring. The difference is the safety reason that leads to the configuration:
➢ Configuration 4 requires SIL 2, so one relay per loop would be enough; but self-monitoring in energized mode (output normally set to 1) requires the lines to be made redundant in parallel
➢ Configuration 8 requires SIL 3, so redundant relays have to be used

See also: BMX SRA 0405 - Application 8
APPLICATION 5 - SIL 3 / CAT 4 / PLE

➢ 2 control outputs without automatic self-test monitoring
  o Each output is the result of 2 relays
  o The user has to manage each relay individually for output control
➢ Demand state is de-energized
➢ If the module detects an internal fault on one of its relays, the 2 relays related to this control will be de-energized
➢ To maintain the SIL certification, the user has to perform at least a daily signal transition from energized to de-energized on the output

In order to maintain the Safety Integrity Level (SIL), and because there is no automatic self-monitoring to perform a pulse test, the user has to perform at least a daily signal transition from energized to de-energized on the output.
APPLICATION 6 - SIL 3 / CAT 4 / PLE

➢ 1 control output with automatic self-test monitoring
  o All 4 relays form the single output
  o The user has to manage each relay individually for the output control
➢ Demand state is de-energized
➢ If the module detects an internal fault on one of its relays, all 4 relays will be de-energized
➢ Automatically performs a pulse test (< 50 ms) to the open state, alternately on each relay, with a user-defined period

In order to maintain the Safety Integrity Level (SIL), the module automatically performs a pulse test to the open state, alternately on each relay, with a period defined by the user from 1 to 1440 minutes (1 day). This test has no impact on the load and therefore on the process. The duration of the pulse test is less than 50 ms.
APPLICATION 7 - SIL 3 / CAT 4 / PLE

➢ 2 control outputs without automatic self-test monitoring
  o Each output is the result of 2 relays
  o The user has to manage each relay individually for output control
➢ Demand state is energized
➢ If the module detects an internal fault on one of its relays, the 2 relays related to this control will be de-energized
➢ To maintain the SIL certification, the user has to perform at least a daily signal transition from energized to de-energized on the output

In order to maintain the Safety Integrity Level (SIL), and because there is no automatic self-monitoring to perform a pulse test, the user has to perform at least a daily signal transition from energized to de-energized on the output.
APPLICATION 8 - SIL 3 / CAT 4 / PLE

➢ 2 control outputs with automatic self-test monitoring
  o Each output is the result of 2 relays
  o The user has to manage each relay individually for output control
➢ Demand state is energized
➢ If the module detects an internal fault on one of its relays, the 2 relays related to this control will be de-energized
➢ Automatically performs a pulse test (< 50 ms) to the closed state, alternately on each relay, with a user-defined period

In order to maintain the Safety Integrity Level (SIL), the module automatically performs a pulse test to the closed state, alternately on each relay, with a period defined by the user from 1 to 1440 minutes (1 day). This test has no impact on the load and therefore on the process. The duration of the test is less than 50 ms.

Note that Application 4 and Application 8 have exactly the same internal and external wiring. The difference is the safety reason that leads to the configuration:
➢ Configuration 4 requires SIL 2, so one relay per loop would be enough; but self-monitoring in energized mode (output normally set to 1) requires the lines to be made redundant in parallel (see BMX SRA 0405 - Application 4)
➢ Configuration 8 requires SIL 3, so redundant relays have to be used
DIAGNOSTIC FUNCTIONS

The Safety Relay Output module, BMX SRA 0405, does not have any diagnostic on the external wiring. The customer is responsible for implementing appropriate diagnostics or avoiding dangerous faults that could occur on the external wiring.

Depending on the module configuration, with the user application selected:
➢ Allows the module to automatically test the capability of the relays to execute the safety function when demanded
➢ Will automatically perform a pulse test to the closed state, alternately on each relay, with a period defined by the user
  o This test has no impact on the load or the process
  o The duration of the pulse test is less than 50 ms

Self-test monitoring allows the module to automatically test the capability of the relays to execute the demand state, completely transparently to the device (or load). For example, for an ESD application where the demand state is de-energized, the module is able to test the capability of the relays to be opened without any impact on the load, and so the capability of the module to execute the safety function when demanded.

In order to maintain the Safety Integrity Level (SIL), the module automatically performs a pulse test to the open state, alternately on each relay, with a period defined by the user from 1 to 1440 minutes (1 day). This test has no impact on the load and therefore on the process.
➢ The safe state of the outputs of the safety relay module is de-energized.
➢ The duration of the pulse test is less than 50 ms.
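As an added example (not code from the manual or from the module), the following Python model covers the self-test described here and in Applications 2, 4, 6 and 8: one control output built from two forcibly guided relays, wired in parallel ("OR logic", the training rig's Application 2, demand state de-energized, pulse to open) or in series ("AND logic", Application 4, demand state energized, pulse to closed). It shows why pulsing one relay at a time leaves the load untouched while still revealing a contact that no longer follows its coil. The relay model, the fault model and all class and method names are this example's assumptions.

```python
"""Self-test (pulse test) of a BMX SRA 0405 relay pair.

Added example, not code from the manual or from the module. It models one
control output built from two forcibly guided relays, wired in parallel
("OR logic": demand state de-energized, pulse to open) or in series
("AND logic": demand state energized, pulse to closed), and shows why
pulsing one relay at a time leaves the load untouched yet reveals a contact
that no longer follows its coil. Relay model, fault model and method names
are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional

PULSE_MAX_MS = 50                  # page: pulse duration is less than 50 ms
PERIOD_MIN, PERIOD_MAX = 1, 1440   # page: user-defined period, 1 to 1440 minutes


def valid_pulse_period(minutes: int) -> bool:
    """Accept only a pulse-test period inside the configurable range."""
    return PERIOD_MIN <= minutes <= PERIOD_MAX


@dataclass
class Relay:
    coil: bool = False                 # command sent to the coil
    stuck: Optional[bool] = None       # None = healthy; True/False = contact frozen

    @property
    def contact(self) -> bool:
        """Contact state as read back by the module."""
        return self.coil if self.stuck is None else self.stuck


@dataclass
class RelayPair:
    wiring: str                        # "parallel" (OR) or "series" (AND)
    demand_state_energized: bool       # False: ESD style, demand state = de-energized
    r1: Relay = field(default_factory=Relay)
    r2: Relay = field(default_factory=Relay)
    faulted: bool = False
    load_during_pulse: Optional[bool] = None   # what the load saw during the last pulse
    _next: int = 0                             # which relay is pulsed next (alternating)

    def load_energized(self) -> bool:
        c1, c2 = self.r1.contact, self.r2.contact
        return (c1 or c2) if self.wiring == "parallel" else (c1 and c2)

    def set_normal_state(self) -> None:
        """Non-demand state: relays energized when the demand state is
        de-energized, and vice versa. A faulted pair stays de-energized."""
        energize = (not self.demand_state_energized) and not self.faulted
        self.r1.coil = self.r2.coil = energize

    def _check(self, relay: Relay) -> None:
        """Read-back comparison: the contact must follow the coil command.
        On a mismatch the module de-energizes both relays of the control."""
        if relay.contact != relay.coil:
            self.faulted = True
            self.r1.coil = self.r2.coil = False

    def pulse_test(self) -> bool:
        """Pulse the next relay (alternately) toward the demand state for
        less than 50 ms, then restore it; True if it followed both commands."""
        relay = (self.r1, self.r2)[self._next]
        self._next ^= 1
        normal = relay.coil
        relay.coil = self.demand_state_energized   # towards the demand state
        self.load_during_pulse = self.load_energized()
        self._check(relay)
        if not self.faulted:
            relay.coil = normal                      # pulse over, back to normal
            self._check(relay)
        return not self.faulted


if __name__ == "__main__":
    esd = RelayPair("parallel", demand_state_energized=False)   # Application 2 style
    esd.set_normal_state()
    esd.r2.stuck = True                 # welded contact: invisible in normal operation
    print(esd.pulse_test(), esd.pulse_test())   # True (r1 healthy), False (r2 cannot open)
```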
The Relay Output Module is configurable via EcoStruxure™ Control Expert V15 for Safety.
➢ The user is able to select the relay configuration from the list of 8 application types
➢ Allows the user to select the application type, from 1 to 8, according to which the module is wired

If the Relay Output Module detects a fault in the communication data coming from the CPU, the module sets its outputs to the configured fall-back state. If the SAFE task of the CPU is not running, the module goes into its fall-back state.

Configure the Safety control timeout before the module goes to the fall-back state. The value must be greater than "2 x Safety Task Period" (in ms).

As soon as the module is again serviced correctly by the CPU with correct data, the module sets its output relays again as required by the CPU.
Activity 9 - CONFIGURE SAFETY I/O MODULES

In this activity:
• Configure an operating mode for the Safety Digital Input module
• Configure an operating mode for the Safety Digital Output module
• Configure an operating mode for the Safety Relay Output module
• Test and understand the different types of diagnostic features

Understand the wiring setup below before proceeding to the following exercise.

WIRING SETUP FOR TRAINING ONLY
The above wiring setup is given only as a training exercise and must not be used or referred to in a real case.
Failure to follow these instructions can result in injury or equipment damage.

Note: Use the system default variable names and the variable names declared in this training manual. These variables are used in the operator screen when you import the file.
1. Configure the Safety Digital Input module
   a. The Safety DI module is hardwired to two toggle switches to simulate the different conditions in the wire cable. The two toggle switches are connected to two input channels of the Safety DI module:
      • Switch 1: Digital input channel 0 (Rank A)
      • Switch 2: Digital input channel 0 (Rank B)
      Both toggle switches get their 24 Vdc supply from the module's monitored power supply, VS1.
   b. Open the previously created application. From the Project Browser, double-click the EIO Bus item. The Safety remote I/O drop will be displayed as shown below:
   c. To configure the Safety Digital Input module, double-click the module BMX SDI 1602.
   d. The configuration screen for the Safety Digital Input module, BMX SDI 1602, will be displayed as shown below:
   e. Click the pull-down menu and select "Active" to enable short-circuit and open-wire fault detection for:
      • Switch 1: Digital input channel 0 (Rank A), in row 0 as shown above
      • Switch 2: Digital input channel 0 (Rank B), in row 8 as shown above
   f. When done, Validate the changes.
   g. Close the I/O configuration screen.

2. Configure the Safety Relay Output module for the Application 2 operating mode
   a. The Safety Relay Output module has 4 relay output channels:
      • The first 2 channels are hardwired in "OR logic" for Application 2, as SIL 2, Cat 2 / PLc with automatic self-test monitoring; the demand state is de-energized.
      • The next 2 channels are hardwired in "AND logic" for Application 4, as SIL 2, Cat 2 / PLc with automatic self-test monitoring; the demand state is energized.
   b. From the Safety remote I/O drop configuration, double-click the module BMX SRA 0405.
   c. The configuration screen for the Safety Relay Output module, BMX SRA 0405, will be displayed as shown below:
   d. From Function selection, select "Application_2" from the pull-down menu.
   e. A dialog box appears. Click OK to continue.
   f. For each channel, set the Fallback mode to "Fallback" and the Fallback value to "De-Energized".
   g. When done, Validate the changes.
   h. Close the I/O configuration screen.
   i. Save the application.

3. Connect and transfer the application
   a. From EcoStruxure™ Control Expert V15 for Safety, Build the application.
   b. Connect, and Transfer the application.
   c. Switch the Safety ePAC controller to the RUN state, and verify that the drop is online.

4. Test and understand the configured operating mode of the Safety I/O modules
   a. The functions of the 2 toggle switches are shown below:
   b. Make sure both switches are in the DOWN position - normal operation, with connection to the Safety Relay Output module.
   c. Switch toggle Switch 1 to the CENTER position. Observe the LED status on the front panel of the Safety DI module. What has happened?
   d. Switch toggle Switch 1 to the UP position. Observe the LED status on the front panel of the Safety DI module. What has happened?
e. From EcoStruxure™ Control Expert V15 for Safety, create a simple operator screen (or import the file "Safety IO Monitor.XCR", provided by your Instructor) to control and monitor the 2 toggle switches. The 4 push buttons above are linked to the 4 channels of the Safety Relay Output module.
f. From EcoStruxure™ Control Expert V15 for Safety, switch to Maintenance mode.
g. Test the different diagnostic functions by moving the toggle switches and observing the results on the EcoStruxure™ Control Expert V15 for Safety operator screen. Refer to the wiring of the simulator's modules if necessary.
h. Save the application.
SAFETY ANALOG INPUT MODULE

BMX SAI 0410 - 4 analog inputs, 4-20 mA

The Safety Analog Input module, BMX SAI 0410, has 4 analog input channels. Its characteristics are:
➢ 4 analog current input channels, 4 to 20 mA range
➢ 16-bit resolution, with data values representing an input range of 0 to 25 mA
➢ Up to SIL 3 and Cat. 4 / PLe can be achieved
➢ Detection of current outside the 4 to 20 mA range on each channel
➢ Status LED for each channel
➢ Configuration in running mode supported (CCOTF, Change Configuration On The Fly)

Note: A drift in the value of a resistor in the input divider is detected by cross comparison of the values from the two half channels. To protect the input against potential EMC issues, a Transient Voltage Suppressor (TVS) is necessary on the input channel; two TVS are implemented so that one channel tolerates a single TVS fault and the required SFF (Safe Failure Fraction) is reached.

Note: The diagrams in the manual are recommendations only; followed as shown, they achieve the nominated level of safety in accordance with the design standard adopted. For a design following ISO 13849, it is possible to use the M580 Safety modules in other architectures such as Cat 1 and Cat 3; however, a safety assessment of the complete system by a suitably qualified party shall be undertaken in accordance with ISO 13849 to ensure the system meets the required level of safety.
1OO2 INTERNAL ARCHITECTURE

The BMX SAI 0410 module has a 1oo2 internal architecture. Each analog input channel can be enabled or disabled for use via the I/O screen in EcoStruxure™ Control Expert V15 for Safety.
➢ The linear measuring range of each channel is 0..25 mA / 0..12500 counts (500 counts/mA)
➢ The "VALUE" parameter provides the analog input value from the field instrument
➢ The "FCT_TYPE" parameter defines whether each channel is used or not in the configuration

Note: Activation of system bits %S40 to %S47 and %S119 in the Process area has NO effect on the safety modules.
TERMINAL BLOCK

The Safety Analog Input module can be used with:
➢ BMX FTB 2000 - 20-point cage clamp terminal block
➢ BMX FTB 2010 - 20-point screw clamp terminal block
➢ BMX FTB 2020 - 20-point spring type terminal block

The terminal block cannot be removed while the process is running. Removing the terminal block while it is powered is not allowed: the 24 Vdc supply to the I/O module must be isolated first.

There are 4 analog channels; using one analog input allows up to SIL 3 / Cat 2 / PLd to be achieved.

Pin assignment (odd pins in the left column, even pins in the right column; the two pins of each row carry the same signal):

Pin  Description               Pin  Description
 1   Input (+) of channel 0     2   Input (+) of channel 0
 3   Input (-) of channel 0     4   Input (-) of channel 0
 5   Input (+) of channel 1     6   Input (+) of channel 1
 7   Input (-) of channel 1     8   Input (-) of channel 1
 9   Not used                  10   Not used
11   Not used                  12   Not used
13   Input (+) of channel 2    14   Input (+) of channel 2
15   Input (-) of channel 2    16   Input (-) of channel 2
17   Input (+) of channel 3    18   Input (+) of channel 3
19   Input (-) of channel 3    20   Input (-) of channel 3
OPERATING MODES AND WIRING

Select an application based on its availability and fail-safe operation requirements.

STATEMENT OF HAZARD, E.G. UNGUARDED MACHINERY CAN CAUSE SERIOUS INJURY
The maximum Safety Integrity Level (SIL) is determined by the sensor quality and the length of the proof-test interval according to IEC 61508. Always wire sensors whose quality does not meet the SIL requirement redundantly to two channels.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

APPLICATION 1 - SIL 3 / CAT 2 / PLD
➢ One field device connected to one analog input channel
➢ To achieve SIL 3 / Cat 2 / PLd with this wiring, the user must select a suitably qualified SIL device
APPLICATION 2 - MODULE REDUNDANCY SIL 3 / CAT 2 / PLD
➢ Achieves high availability using 2 analog input modules
➢ The redundant field devices measure the same physical process variable, which the CPU treats as one signal
➢ Each field device is connected to one analog input channel, on 2 different modules
➢ Use the "S_AIHA" function block in the safe application to manage the 2 values

Note: To achieve SIL 3 / Cat 2 / PLd with this wiring, the user must select a suitably qualified SIL device.
APPLICATION 3 - CHANNEL REDUNDANCY SIL 3 / CAT 4 / PLE
➢ Achieves channel redundancy using 2 analog input channels
➢ The redundant field devices measure the same physical process variable, which the CPU treats as one signal
➢ Each field device is connected to one analog input channel of the same module
➢ Use the "S_AI_COMP" function block in the safe application to perform a 1oo2 evaluation of the two values coming from the field devices

Note: To achieve SIL 3 / Cat 4 / PLe with this wiring, the user must select a suitably qualified SIL device.
APPLICATION 4 - MODULE & CHANNEL REDUNDANCY SIL 3 / CAT 4 / PLE
➢ All 4 field devices measure the same physical process variable, which the CPU treats as one signal
➢ Groups of 2 devices are connected to 2 different modules; the switchover between modules is managed with the S_AIHA function block
➢ Within each module, the 2 devices on redundant channels are evaluated 1oo2 with the S_AI_COMP function block

Two groups of two sensors are connected to two different BMX SAI 0410 modules, so that the safe application can switch from the values coming from one module to the values coming from the other. The two redundant sensors connected to two analog input channels of the same BMX SAI 0410 module allow a 1oo2 evaluation, which is what reaches the SIL 3 / Cat 4 / PLe level. In this kind of application the user shall use both function blocks, S_AI_COMP and S_AIHA:
➢ S_AI_COMP inside the safe application, to perform the 1oo2 evaluation of each pair of values coming from the two sensors connected to the same module
➢ S_AIHA inside the safe application, to manage the High Availability feature

Note: To achieve SIL 3 / Cat 4 / PLe with this wiring, the user must select a suitably qualified SIL device.
DIAGNOSTIC FUNCTIONS

If the module's diagnostics detect a fault inside an analog input, the module sets the input value to 0. In addition, the "IC" (Invalid Channel) bit of that channel is set to 1.

The analog module provides a linear measuring range per channel of 0 to 25 mA / 0 to 12,500 counts (500 counts/mA). If the input current goes outside the functional limits (value < 3.75 mA or value > 20.75 mA), the corresponding "OR" (out of range) flag is set to 1.

If a communication problem between the module and the CPU is detected, the CPU sets all the input values to 0.

Each analog channel can be enabled or disabled for use in the safe application. Activating or deactivating an analog channel is done via the I/O screen in EcoStruxure™ Control Expert V15 for Safety. The user can also set the Device DDT parameter "FCT_TYPE" of each channel to define whether it is used or not in the safe application.
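The scaling and the three diagnostic cases above (internal fault, out of range, communication loss), together with how a safe application should consume the channel image for Application 2 and Application 3, are modelled in the following added example. It is Python written for this page, not Control Expert code and not the certified S_AI_COMP or S_AIHA blocks; the figures are those stated in the text (500 counts/mA over 0..12500 counts, functional limits 3.75 mA < VALUE < 20.75 mA, VALUE forced to 0 and IC set on an internal fault, all values forced to 0 on a communication loss). The half-channel discrepancy threshold, the 1oo2 agreement tolerance, the use of the mean as the delivered value, and every function and field name are assumptions made for the example. The counts-to-mA conversion is the one Activity 10, step 3c, asks for.

```python
"""Model of the BMX SAI 0410 channel scaling and diagnostics described above.

Added example (Python, not Control Expert code and not the certified S_AI_COMP /
S_AIHA blocks). Figures from the text: 500 counts/mA over 0..12500 counts,
functional limits 3.75 mA < VALUE < 20.75 mA, VALUE forced to 0 and IC set on an
internal fault, all VALUEs forced to 0 on a module<->CPU communication loss.
Assumed for the example: MAX_HALF_DELTA, the 1oo2 agreement tolerance, the mean
as the delivered value, and all function and field names.
"""
from dataclasses import dataclass
from typing import List, Optional

COUNTS_PER_MA = 500                      # 0..25 mA maps to 0..12500 counts
FULL_SCALE_COUNTS = 25 * COUNTS_PER_MA   # 12500
OR_LOW_MA, OR_HIGH_MA = 3.75, 20.75      # functional limits; outside -> OR flag
MAX_HALF_DELTA = 50                      # assumed: tolerated half-channel discrepancy (counts)


@dataclass(frozen=True)
class ChannelImage:
    """Subset of what the module delivers to the CPU for one channel (Device DDT)."""
    value: int            # VALUE in counts; 0 when the module has flagged a fault
    ic: bool              # IC: invalid channel, set by the module's internal diagnostics
    out_of_range: bool    # OR: current outside the functional limits


def counts_to_ma(counts: int) -> float:
    """Scale raw counts to mA (the conversion Activity 10, step 3c, asks for)."""
    return counts / COUNTS_PER_MA


def is_out_of_range(counts: int) -> bool:
    ma = counts_to_ma(counts)
    return ma < OR_LOW_MA or ma > OR_HIGH_MA


def module_channel_image(half_a: int, half_b: int) -> ChannelImage:
    """Emulate the module's 1oo2 internal evaluation of one channel.

    half_a/half_b are raw counts from the two half channels. A discrepancy above
    MAX_HALF_DELTA stands in for the divider drift that the text says the cross
    comparison detects: VALUE is forced to 0 and IC is set. The text does not say
    how OR behaves alongside IC; it is left clear here because a safe consumer
    must reject the channel on IC alone.
    """
    for half in (half_a, half_b):
        if not 0 <= half <= FULL_SCALE_COUNTS:
            raise ValueError("raw counts must lie within 0..12500")
    if abs(half_a - half_b) > MAX_HALF_DELTA:
        return ChannelImage(value=0, ic=True, out_of_range=False)
    value = (half_a + half_b) // 2       # assumed: mean of the two halves
    return ChannelImage(value=value, ic=False, out_of_range=is_out_of_range(value))


def cpu_image_on_comm_loss(channels: List[ChannelImage]) -> List[ChannelImage]:
    """On a module<->CPU communication problem the CPU forces every VALUE to 0."""
    return [ChannelImage(value=0, ic=ch.ic, out_of_range=ch.out_of_range) for ch in channels]


def safe_channel_ma(ch: ChannelImage) -> Optional[float]:
    """Process value in mA, or None when the channel must not be used.

    Rejects on IC, on OR, and on an out-of-range VALUE re-derived locally, so a
    VALUE forced to 0 (0 mA, below 3.75 mA) is rejected even when no flag
    accompanies it, as after a communication loss.
    """
    if ch.ic or ch.out_of_range or is_out_of_range(ch.value):
        return None
    return counts_to_ma(ch.value)


def select_high_availability(primary: ChannelImage, backup: ChannelImage) -> Optional[float]:
    """Application 2 (module redundancy): one sensor value per module for the same
    process variable; use the first healthy one. Simplified stand-in for S_AIHA."""
    for ch in (primary, backup):
        ma = safe_channel_ma(ch)
        if ma is not None:
            return ma
    return None


def evaluate_1oo2(ch1: ChannelImage, ch2: ChannelImage, tolerance_ma: float = 0.5) -> Optional[float]:
    """Application 3 (channel redundancy): two sensors on the same variable must
    both be healthy and agree within tolerance_ma (assumed value); otherwise no
    valid value exists and the safe logic must take its demand state.
    Simplified stand-in for S_AI_COMP; returns the mean of the two readings (assumed)."""
    a, b = safe_channel_ma(ch1), safe_channel_ma(ch2)
    if a is None or b is None or abs(a - b) > tolerance_ma:
        return None
    return (a + b) / 2


if __name__ == "__main__":
    healthy = module_channel_image(6250, 6250)      # 12.5 mA, both halves agree
    drifted = module_channel_image(6250, 6000)      # halves disagree -> IC set, VALUE 0
    low = module_channel_image(1000, 1000)          # 2 mA -> OR set
    print("healthy:", healthy, safe_channel_ma(healthy))
    print("drifted:", drifted, safe_channel_ma(drifted))
    print("low:", low, safe_channel_ma(low))
    print("1oo2 agree:", evaluate_1oo2(module_channel_image(6000, 6000), module_channel_image(6200, 6200)))
    print("1oo2 disagree:", evaluate_1oo2(module_channel_image(6000, 6000), module_channel_image(6500, 6500)))
    print("HA after comm loss:", select_high_availability(cpu_image_on_comm_loss([healthy])[0], healthy))
```

The consumer side deliberately re-derives the range check from VALUE instead of trusting the OR flag alone: after a communication loss the text only guarantees that VALUE is forced to 0, and 0 mA is below the 3.75 mA limit, so the channel is rejected whichever flags arrive with it. The 1oo2 evaluation returns no value at all on disagreement, which is the behaviour the safe logic needs to drive its demand state.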
Activity 10 - SAFETY ANALOG INPUT MODULE

In this activity:
• Configure an operating mode for the Safety Analog Input module
• Test and understand the different types of diagnostic features

Understand the wiring setup below before proceeding to the exercise.

1. WIRING SETUP FOR TRAINING ONLY
The wiring setup above is given as a training exercise only and must not be used or referred to in a real installation. Failure to follow these instructions can result in injury or equipment damage.

Note: Use the system default variable names and the variable names declared in this training manual. These variables are used in the operator screen when you import the file.
1. Configure the Safety Analog Input module for the Application 1 operating mode
a. The Safety AI module is hardwired for Application 1, the SIL 3, Cat 2 / PLd configuration. One potentiometer, acting as a 4-20 mA analog sensor, is connected to one analog input channel of the AI module.
b. Open the previously created application. From the Project Browser, double-click the EIO Bus item. The Safety remote I/O drop is displayed as shown below:
c. To configure the Safety AI module, double-click the module BMX SAI 0410.
d. The configuration screen for the Safety AI module, BMX SAI 0410, is displayed as shown below:
e. For this exercise the potentiometer is connected to Channel 0. In the Used column, tick Channel 0 to enable analog input channel 0.
f. Untick analog channels 1 to 3, which are not used.
g. When done, Validate the changes.
h. Close the I/O configuration screen.
i. Save the application.
2. Connect and transfer the application
a. From EcoStruxure™ Control Expert V15 for Safety, Build, Connect, Transfer and RUN the application.
b. Rectify any error(s) and Save the application.

3. Test and analyse the configured operating mode of the Safety Analog Input module
a. Each analog input channel of the Safety AI module has a linear measuring range from 0 to 25 mA (0 to 12500 counts). The functional limits are:
   3.75 mA < VALUE < 20.75 mA
   Outside these limits, the "OR" (out of range) parameter in the channel's Device DDT is set to 1.
b. On the Safety AI module there is a knob attached to a potentiometer. Turn the knob fully anti-clockwise, to its minimum analog signal. Observe the LED status on the front panel of the Safety AI module. What has happened?
c. Create a simple logic section in the SAFE task, under the "Program Safety" folder, to convert the number of counts into the real analog value in mA:
   • Name: Temp_Conversion
   • Language: FBD
   Note: below, the variable "TT1" is an alias name for analog input channel 0.
d. From EcoStruxure™ Control Expert V15 for Safety, create a simple operator screen (or import the file "Safety AI Monitor.XCR", provided by your Instructor) to monitor the analog count value and its current in mA.
e. Slowly turn the knob and observe the feedback on the operator screen. Observe the error status on the operator screen and on the front-panel LEDs when the knob takes the signal outside the functional limits:
   3.75 mA < VALUE < 20.75 mA
f. Test and understand the behaviour of the Safety AI module. Refer to the wiring of the simulator's modules if necessary.
g. Save the application.
NON-INTERFERING MODULES

Safety ePAC System
The Safety ePAC system mixes safety and non-safety modules in the same rack. The system also provides:
➢ Fieldbus integration in remote drops
➢ Compatibility with all X80 I/O modules

A remote I/O drop can be Safety or Non-safety.

Rules in a Safety ePAC application:
➢ The Safety CPU and Coprocessor MUST be powered by a Safety Redundant power supply module
➢ All Safety remote I/O drops MUST be fitted with a Safety Redundant power supply module
➢ All Safety remote I/O drops MUST only use approved non-interfering Type 1 X80 I/O modules alongside the safety modules
TYPE 1 - NON-INTERFERING BACKPLANES

The following table shows the supported backplanes:

Part Number     Description
BME XBP 0400    4 slots Ethernet Backplane
BMX XBP 0400    4 slots X-Bus Backplane
BMX XBP 0600    6 slots X-Bus Backplane
BME XBP 0602    6 slots dual PWS Ethernet Backplane
BME XBP 0800    8 slots Ethernet Backplane
BMX XBP 0800    8 slots X-Bus Backplane
BME XBP 1002    10 slots dual PWS Ethernet Backplane
BME XBP 1200    12 slots Ethernet Backplane
BMX XBP 1200    12 slots X-Bus Backplane

TYPE 1 - NON-INTERFERING MODULES

The following modules are classified as non-interfering Type 1:

Part Number          Description
BMX XBE 1000         X-Bus Rack Extender module
BMX ERT 1604         Time Stamping 16 DI module
BMX NGD 0100         Global Data module
BME NOS 0300         Network Option Switch
BME NOC 0301/0311    Ethernet Communication module
BME NOC 0321         IP Forwarding Router module
BME NOP 0300         IEC 61850 Communication module
BMX ETM 0200H        Turbomachinery Frequency Input 2 CH
TYPE 2 - NON-INTERFERING MODULES

The following are Type 2 non-interfering modules; they are NOT allowed in safety racks:

Part Number      Description
BME PXM 0100     Profibus X80 Master
BME CXM 0100     CANopen X80 Master
PME SWT 0100     Weight module
PMX NOW 0300     Wi-Fi bridge communication
PMX CDA 0400     Diagnostic module (AIDIAG)
PMX UCM 0202     TCP-Open communication module
BME CRA 312 00   Standard Remote I/O Adapter

SAFETY EPAC NON-INTERFERING MODULES

In summary, all existing X80 and eX80 I/O modules are typically Type 1 non-interfering modules (i.e. with the correct PV version of the module). All M580 supported communication modules are also Type 1 non-interfering modules, except that some modules coming from the Schneider Electric Technology Partner Program (TPP) are Type 2 non-interfering modules and have to be validated by Schneider Electric.

All standard M580 supported single and redundant power supply modules are Type 2 non-interfering modules. Type 2 modules are NOT allowed in the main Safety CPU rack or in Safety remote I/O racks.
➢ Safety power supply modules MUST be used with the safety CPU
➢ Safety power supply modules MUST be used for all safety remote I/O drops
➢ The standard non-safety power supply modules are NOT TÜV Rheinland certified

See Also: Refer to the Safety Manuals for the full list of Type 1 and Type 2 non-interfering modules.
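The mixing rules above can be checked mechanically against a rack bill of materials before a system is assembled. The following is an added example written for this page, not a Schneider Electric tool: it encodes only what this section states (Type 2 modules and standard power supplies are not allowed in the Safety CPU rack or in Safety remote I/O drops), uses the part numbers printed in the tables above plus the two safety I/O modules this chapter names, and treats anything not on those lists as needing validation rather than accepting it. Power supplies are represented by their class ("safety" or "standard") because the page lists no power supply part numbers; the rack descriptions in demo() are constructed test data.

```python
"""Rack-layout check for the mixing rules stated in this section.

Added example (Python, not a Schneider Electric tool). The part numbers are the
Type 1 and Type 2 lists printed above plus the two safety I/O modules this chapter
names; the lists are deliberately incomplete, so an unlisted part in a safety
rack is reported as needing validation, never silently accepted. Power supplies
are modelled by class ("safety" / "standard") since no PSU part numbers appear
on the page. The racks in demo() are constructed test data.
"""
from dataclasses import dataclass, field
from typing import List

TYPE1_NON_INTERFERING = {
    "BMX XBE 1000", "BMX ERT 1604", "BMX NGD 0100", "BME NOS 0300",
    "BME NOC 0301", "BME NOC 0311", "BME NOC 0321", "BME NOP 0300", "BMX ETM 0200H",
}
TYPE2_NON_INTERFERING = {
    "BME PXM 0100", "BME CXM 0100", "PME SWT 0100", "PMX NOW 0300",
    "PMX CDA 0400", "PMX UCM 0202", "BME CRA 312 00",
}
SAFETY_IO = {"BMX SRA 0405", "BMX SAI 0410"}        # only the modules named in this chapter
SAFETY_RACK_KINDS = {"safety_cpu", "safety_rio"}


@dataclass
class Rack:
    name: str
    kind: str                                           # "safety_cpu", "safety_rio" or "standard_rio"
    power_supply: str                                   # "safety" or "standard"
    modules: List[str] = field(default_factory=list)    # part numbers in slot order


def classify(part: str) -> str:
    """Classify a part number against the lists printed in this section."""
    if part in SAFETY_IO:
        return "safety"
    if part in TYPE1_NON_INTERFERING:
        return "type1"
    if part in TYPE2_NON_INTERFERING:
        return "type2"
    return "unknown"


def check_rack(rack: Rack) -> List[str]:
    """Return one finding per rule violation; an empty list means the rack passes."""
    findings = []
    is_safety_rack = rack.kind in SAFETY_RACK_KINDS
    if is_safety_rack and rack.power_supply != "safety":
        findings.append(f"{rack.name}: safety rack needs a Safety power supply module "
                        f"(standard PSUs are Type 2 and not TÜV Rheinland certified)")
    if not is_safety_rack:
        return findings          # the page states no restriction for non-safety drops
    for slot, part in enumerate(rack.modules):
        kind = classify(part)
        if kind == "type2":
            findings.append(f"{rack.name} slot {slot}: {part} is Type 2 non-interfering, "
                            f"not allowed in a safety rack")
        elif kind == "unknown":
            findings.append(f"{rack.name} slot {slot}: {part} is not on the Type 1 list here; "
                            f"confirm its classification and PV version before use")
    return findings


def demo() -> dict:
    """Constructed racks: a compliant safety drop, a drop with three violations,
    and a standard drop that legitimately carries Type 2 modules."""
    good = Rack("RIO_1", "safety_rio", "safety", ["BMX SAI 0410", "BMX SRA 0405", "BMX ERT 1604"])
    bad = Rack("RIO_2", "safety_rio", "standard", ["BMX SAI 0410", "BME PXM 0100", "UNLISTED-MODULE"])
    std = Rack("RIO_3", "standard_rio", "standard", ["BME CRA 312 00", "BME PXM 0100"])
    return {r.name: check_rack(r) for r in (good, bad, std)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

The check fails closed on the safety side only: a Type 2 module in a standard drop is legitimate (the standard BME CRA 312 00 adapter is itself Type 2), whereas an unlisted module in a safety drop is reported so that its Type 1 status and PV version are confirmed from the Safety Manuals before it is installed.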
SUMMARY

This chapter provided information on how to implement the 4 Safety I/O modules.

QUESTIONS

The following questions will help to check understanding of the topics covered in this chapter:
➢ Do you need to enable the NTP Server/Client for use in a Safety Remote I/O network? Why?
➢ Is it possible to use system bits/words and located variables in safety logic programming?
➢ What is the main purpose of the Module ID in the Safety I/O modules?
➢ What is the purpose of the blue button on top of a Safety I/O module?
➢ Which Safety I/O modules cannot start without an external 24 Vdc supply?
➢ What rules must be considered when mixing safety and non-safety modules in a safety system?
Chapter 6 - SAFETY PROGRAMMING SOFTWARE

This chapter provides information on how to use EcoStruxure™ Control Expert V15 for Safety to implement the control and safety program logic that runs in the controllers.

CONTENTS:
Safety Software Implementation .......................................... 240
Safe Peer-to-Peer Communication ........................................ 259
Safe Communication with CPU FW ≤ 3.10 .................................. 272
Safe Communication with CPU FW ≥ 3.20 .................................. 295
TÜV Certified Safety Libraries ......................................... 315
SAFETY SOFTWARE IMPLEMENTATION

With safety fully integrated into the remote and distributed I/O over the Ethernet network, and the BPCS (basic process control system) and SIS (safety instrumented system) running in the same controller, a common engineering tool that communicates on the same network is required. Engineering, commissioning and maintenance costs can be significantly reduced, and configuration and monitoring are possible from anywhere on the network.

The safety programming tool, EcoStruxure™ Control Expert V15 for Safety, comes with everything needed to program a complete control and safety automation system over the entire life cycle, from design through debugging, operation and maintenance.

KEY EVOLUTIONS

The main evolutions of EcoStruxure™ Control Expert V15 for Safety for the Safety ePAC are:
➢ Support for the new Safety ePAC offers
➢ Mixing process and safety in a single project
➢ Support for build changes and device replacement in the safety part of the project
➢ Compatibility with all EcoStruxure™ Modicon M580 ePAC offers managed by the former Unity Pro since the version 8.0 release