Chapter 2 - Process and Machine Safety Standards 41

MACHINE SAFETY STANDARDS

WHAT IS MACHINE SAFETY?

Machine safety is the area of occupational safety concerned with protecting the safety and health of workers engaged in operating machines. Moving machine parts have the potential to cause severe workplace injuries, such as crushed fingers or hands, amputations, burns, or blindness. Safeguards are essential for protecting workers from these preventable injuries. Any machine part, function, or process that may cause injury must be safeguarded. When the operation of a machine or accidental contact could injure the operator or others in the vicinity, the hazards must be eliminated or controlled.

FUNCTIONAL SAFETY OF MACHINERY

The functional safety standards are intended to encourage designers to focus more on the functions that are necessary to reduce each individual risk, and on the performance required for each function, rather than simply relying on particular components. These standards make it possible to achieve greater levels of safety throughout the machine's life.

EN 954-1

Traditionally, EN 954-1 was used as the standard for safety-related parts of the control system, both for machine builders and end users. Since it was first published in 1997, the state of the art has moved on dramatically, and components and systems are now available which are too technologically advanced to be assessed with EN 954-1; hence it was withdrawn at the end of December 2011. It was replaced by IEC/EN 62061 and EN ISO 13849-1, newer and more advanced standards which can deal with the newer technologies; however, they require increased levels of knowledge and experience to apply correctly.

Configuration Training
IEC/EN 62061

IEC/EN 62061, which focuses on machinery more than IEC 61508, proposes a quantitative approach to risk. It takes into consideration the frequency or exposure to a hazard, the probability of the hazardous event and the probability of avoidance, in accordance with the consequences for the operator if this event occurs. With these parameters taken into account, a Safety Integrity Level (SIL) can be defined which measures the intended reliability of the system.

It is important to consider each function in detail; EN/IEC 62061 requires a Safety Requirements Specification (SRS) to be drawn up. This includes a functional specification (what it does, in detail) and a safety integrity specification, which defines the required probability that the function will be performed under the specified conditions. An example often used is “stop the machine when the guard is open”, which really needs more detailed consideration, initially of the functional specification. For example, will the machine be stopped by removing the coil voltage from a contactor, or by ramping down the speed using a variable speed drive? Is it necessary to lock the guard closed until the dangerous movements have stopped? Will other equipment, upstream or downstream, need to be shut down? How will the opening of the guard be detected?

The safety integrity specification must consider both random hardware failures and systematic failures. Systematic failures are those which are related to a specific cause, and can only be avoided by removal of that cause, usually by a modification of the design. In practice, most ‘real-world’ failures are systematic and result from incorrect specification.

As part of the normal design process, this specification should lead to the selection of suitable design measures; for example, heavy and misaligned guards can lead to damaged interlock switches unless shock absorbers and alignment pins are fitted, and contactors should be suitably rated and protected against overloads. How often will the guard be opened? What might be the consequences of a failure of the function? What will the ambient conditions (temperature, vibration, humidity, etc.) be?

In EN/IEC 62061, a safety integrity requirement is expressed as a target failure value for the probability of dangerous failure per hour of each Safety-Related Control Function (SRCF). This can be calculated from reliability data for each component or sub-system, and is related to the SIL.

Modicon M580 Safety
SIL AND IEC/EN 62061

IEC/EN 62061 describes both the amount of risk to be reduced and the ability of a control system to reduce that risk in terms of SIL (Safety Integrity Level). There are three SILs used in the machinery sector; SIL 1 is the lowest and SIL 3 is the highest. A SIL applies to a safety function. Because the term SIL is applied in the same manner in other industrial sectors such as petrochemicals, power generation and railways, IEC/EN 62061 is very useful when machinery is used within those sectors.

EN ISO 13849-1

Compared to the quantitative approach defined by IEC 62061, ISO 13849-1 proposes a qualitative approach. The risk analysis is based on the severity of injury, the frequency or exposure to a hazard, and the possibility of avoiding the hazard. From this analysis, Performance Levels from a to e are defined. EN ISO 13849-1 replaced the former EN 954-1. Nevertheless, Performance Levels can be assimilated to the Safety Categories of the previous standard. In the past there has been a tendency for components specified to a high category of EN 954-1 to be chosen instead of components that have a lower category but might actually have more suitable functions. This might be a result of the misconception that the categories are hierarchical, such that, for example, category 3 is always “better” than category 2 and so on. Functional safety standards are intended to encourage designers to focus more on the functions that are necessary to reduce each individual risk, and on what performance is required for each function, rather than simply relying on particular components. The main difference is that ISO 13849 now focuses on the performance level of the entire safety function, not on the components themselves.
RELATIONSHIP BETWEEN PERFORMANCE LEVEL AND CATEGORIES

Performance Levels still use the parameters Severity of Harm (S), Frequency / duration of exposure (F) and Possibility of Avoidance (P) to determine the required Performance Level (PLr). Once the required Performance Level is worked out, the next step is to determine the Category architecture for the circuit, select the components, then calculate to determine whether the performance level has been achieved. The formula and calculation part is challenging for most people, as the mathematics is reasonably complicated, particularly for working out the Mean Time to Dangerous Failure (MTTFd). Then refer to the tables to determine whether the requirements for Diagnostic Coverage (DC) and Common Cause Failure (CCF) have been met.

The Category concept is largely about how the components are arranged (some refer to this as circuit architecture). Basically, the theory is that the more redundancy of components and monitoring features incorporated into the circuit, the more resistant it will be to failing into a dangerous situation.
EN ISO 13849-1 - “Safety-related parts of control systems, Part 1: General principles for design”. This standard may be applied to SRP/CS (safety-related parts of control systems) and all types of machinery, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.). EN ISO 13849-1 also lists special requirements for SRP/CS with programmable electronic systems.

PL AND EN ISO 13849-1

EN ISO 13849-1 does not use the term SIL; instead it uses the term PL (Performance Level). In many respects PL can be related to SIL. There are five performance levels; PLa is the lowest and PLe is the highest.

WHICH ONE TO USE?

A machine manufacturer can choose the standard to use to design his machine. The designer is free to choose whether to use EN/IEC 62061 or EN/ISO 13849-1, or indeed any other standard. Both EN/IEC 62061 and EN/ISO 13849-1 are harmonised standards that give a Presumption of Conformity to the Essential Requirements of the Machinery Directive, in so far as they apply. However, it should be remembered that whichever standard is chosen must be used in its entirety; they cannot be mixed in a single system. Work is ongoing in a liaison group between IEC and ISO to produce a common Annex for the two standards, with the aim of eventually producing a single standard.

EN/IEC 62061 is perhaps more comprehensive on the subjects of specification and management responsibilities, whereas EN/ISO 13849-1 is designed to allow an easier transition from the previous EN 954-1. The performance of each safety function is specified as either a SIL (Safety Integrity Level) in the case of EN/IEC 62061 or a PL (Performance Level) in the case of EN/ISO 13849-1. In both cases the architecture of the control circuit which delivers the safety function is a factor, but unlike EN 954-1, these new standards require consideration of the reliability of the selected components.

Moreover, EN/ISO 13849 covers not only electrical systems but also hydraulic, pneumatic and other technologies, whereas IEC 62061 covers only electrical safety-related control systems.
COMPARISON OF SIL AND PL

IEC/EN 62061 and EN ISO 13849-1 both cover safety-related electrical control systems. Both standards produce the same results but use different methods. They are intended to provide users with an option to choose the one most suitable for their situation. A user can choose to use either standard. The end result of both standards is comparable in levels of safety performance or integrity. The End User is responsible for ensuring the SIL requirements are met.
➢ SIL (Safety Integrity Level) for standard IEC 62061
➢ PL (Performance Level) for standard EN ISO 13849-1

The table below shows the relationship between SIL and PL:
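The PL determination described on the previous pages (the S/F/P risk graph giving PLr, then Category, MTTFd and DCavg giving the PL achieved, then the SIL comparison) carried through in code. This is an added example, not part of the training manual: the band limits and tables are the ones published in EN ISO 13849-1, while the function names and the sample press-guard case are constructed for this example.

```python
from typing import Optional

# Risk graph of EN ISO 13849-1 (Annex A): S = severity of harm
# (1 slight, 2 serious), F = frequency/duration of exposure (1 seldom,
# 2 frequent), P = possibility of avoidance (1 possible, 2 scarcely possible).
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Simplified procedure: (Category, DCavg band) -> PL for each MTTFd band
# (low, medium, high). None = combination not covered by the standard.
# The CCF score (>= 65 points) must be met separately for categories 2 to 4.
PL_TABLE = {
    ("B", "none"):   ("a", "b", "b"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "e"),
    ("4", "high"):   (None, None, "e"),
}

# PL -> comparable SIL per the standard's correspondence table
# (PL a has no SIL equivalent; PL b and PL c both correspond to SIL 1).
PL_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}
PL_ORDER = "abcde"
MTTFD_BANDS = ("low", "medium", "high")


def required_pl(s: int, f: int, p: int) -> str:
    """PLr from the S/F/P risk graph."""
    return RISK_GRAPH[(s, f, p)]


def mttfd_band(mttfd_years: float) -> str:
    """Bin the MTTFd of each channel (years) into the standard's three levels."""
    if 3 <= mttfd_years < 10:
        return "low"
    if 10 <= mttfd_years < 30:
        return "medium"
    if 30 <= mttfd_years <= 100:   # capped at 100 years in the simplified procedure
        return "high"
    raise ValueError("MTTFd outside the 3..100 year range of the simplified procedure")


def dc_band(dc_avg_percent: float) -> str:
    """Bin the average diagnostic coverage into none / low / medium / high."""
    if dc_avg_percent < 60:
        return "none"
    if dc_avg_percent < 90:
        return "low"
    if dc_avg_percent < 99:
        return "medium"
    return "high"


def achieved_pl(category: str, mttfd_years: float, dc_avg_percent: float) -> Optional[str]:
    """PL reached by an SRP/CS of the given Category; None when the
    Category/DCavg combination is not permitted by the standard."""
    key = (category, dc_band(dc_avg_percent))
    if key not in PL_TABLE:
        return None
    return PL_TABLE[key][MTTFD_BANDS.index(mttfd_band(mttfd_years))]


def meets_requirement(pl: Optional[str], plr: str) -> bool:
    """True when the achieved PL is at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def assess(s: int, f: int, p: int, category: str,
           mttfd_years: float, dc_avg_percent: float) -> dict:
    """Full walk-through: PLr, PL achieved, comparable SIL and pass/fail."""
    plr = required_pl(s, f, p)
    pl = achieved_pl(category, mttfd_years, dc_avg_percent)
    return {"PLr": plr, "PL": pl, "SIL": PL_SIL.get(pl), "ok": meets_requirement(pl, plr)}


if __name__ == "__main__":
    # Constructed case: guard interlock on a press. Serious injury possible (S2),
    # frequent access (F2), avoidance scarcely possible (P2) -> PLr = e.
    print(assess(2, 2, 2, "3", 50, 95))   # Category 3, MTTFd 50 y, DCavg 95 %: PL e, OK
    print(assess(2, 2, 2, "3", 50, 75))   # same circuit with DCavg 75 %: PL d, not OK
```

The second call shows the point made above about categories not being hierarchical on their own: the same Category 3 circuit drops to PL d, and thus to SIL 2 equivalence, once its diagnostic coverage falls to the low band.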
TYPES OF SAFETY INTEGRATION

SAFETY INTEGRATION

Process control systems from reputable automation manufacturers are increasingly available that offer the opportunity to integrate the Safety Instrumented System (SIS) with the Basic Process Control System (BPCS). For an end user, the question remains concerning the demonstration of independence. IEC 61511-1 clause 11.2.4 states that the BPCS (Basic Process Control System) shall be designed to be separate and independent to the extent that the functional integrity of the SIS is not compromised. Several automation vendors seem to have selectively interpreted this paragraph to mean that the standard does not require physical separation or diversity. However, another section of the same standard, IEC 61511-1 clause 9.5, addresses the requirements for preventing common cause, common mode and dependent failures. Clause 9.5.2 states that the assessment shall consider:
➢ independence between protection layers,
➢ diversity between protection layers,
➢ physical separation between protection layers, and
➢ common cause failures between protection layers and the BPCS.

Integration of Process and Safety in hybrid industries is driven by the latest new technologies and market trends:
➢ End user requirements
➢ System architecture flexibility and interoperability
➢ Lower cost of engineering
➢ Shorter time to market

When selecting the architecture of an integrated BPCS & SIS, due consideration of the following points is recommended to ensure the proposed solution is appropriate for the application and the duty holder, and also maintains compliance with the relevant good practice standards:
➢ Adherence to policy, standards and recommended practices issued by the Duty Holder relating to the specification, design, engineering, installation, verification, operation, validation and maintenance of both BPCS & SIS.
➢ Evidenced competence of all stakeholders involved in the supply chain for BPCS & SIS.
➢ Evidenced competence of the duty holder and those responsible for the continued operation and maintenance of the BPCS & SIS after handover.
➢ Adherence to prevailing international and national regulations, standards and good practice.
LEVELS OF SAFETY INTEGRATION

Safety Integration for Process Automation allows the best possible type of integration of the SIS into the process control system. A distinction is basically made between the following four integration levels:
➢ Separated
o The BPCS and SIS are physically separated and independent to the extent that the functional integrity of the SIS is not compromised. Both systems are completely isolated, each running its own logic program. If process safety is the main concern, physical and diverse separation/isolation between the SIS and BPCS is good engineering practice, conducive to a safe working environment.
➢ Interfaced
o The BPCS and SIS are based on different hardware and are connected together by a gateway for data exchange. Engineering for each of the systems is performed via separate engineering tools.
➢ Integrated
o The BPCS in the process control system and the SIS are based on different hardware, communication and engineering, but are implemented over standard systems.
➢ Common
o The BPCS and the SIS are combined in the process control system. They use common hardware (controller, fieldbus, I/O). Standard and safety-related programs are executed in parallel and independently of each other.
INTEGRATION WITH COMMON SAFETY

WHAT IS COMMON SAFETY?

A single controller running two separated systems with:
➢ The BPCS and SIS in the same controller, using the same engineering tool and communicating on the same network.
➢ Safety and non-safety modules that integrate seamlessly, providing a high level of flexibility, adaptability, and ease of use.
➢ An engineering environment that provides an independent and password-protected task for the safety functions, which assures no impact in case the non-safety process fails.

SAFETY TECHNOLOGY

With the latest technology, it is feasible to integrate Process and Safety Instrumented Functions (SIF) within a common automation infrastructure. With the growing complexity of processes and machines, along with rising engineering costs, efficient engineering is a key factor for success in the hybrid industry. The holistic approach of Common Safety paves the way for better production: faster, more flexible and more intelligent. This, in turn, is the basis for real added value in all automation tasks, particularly:
➢ Integrated engineering
➢ Industrial data management
➢ Industrial communication
➢ Industrial security
➢ Safety integrated

While this can provide productivity and asset management benefits, if not done correctly it can also compromise the safety and security of an industrial operation.
BENEFITS OF USING COMMON SAFETY

With Common Safety and a common platform, the key benefits of having Process and Safety in the same controller are:
➢ One engineering system for process and safety applications
➢ A common controller platform
➢ Integrated data management with no complex data handling between process and safety applications
➢ Automatic integration of the various safety-related alarms and messages with time stamps
➢ Integration of safety-related hardware into asset management for diagnostics and preventive maintenance
➢ Engineering, commissioning and maintenance costs can be significantly reduced
ALL-IN-ONE PROCESS AND SAFETY

SAFETY EPAC FOR PROCESS SAFETY

With the evolution of M580 technology, the Safety ePAC is introduced for the safety industries in Process and Machine Safety. The Safety ePAC is a TÜV Rheinland certified SIL 3 / PL e controller able to deeply integrate safety functions into the standard process. It is based on a common I/O platform and a Safety I/O platform (X80 I/Os): a single controller that ensures that the two systems in charge of Safety and Process Control are separated and independent, with different hardware resources, in a common engineering environment.

The main key features are:
➢ Safe Memory Isolation Cells
➢ Safe Watchdog
➢ Clock Monitoring
➢ Safe application executed in a CPU core
o Use as an Independent Layer of Protection by using Safety Functions in the Safety Task programming
o Use as an Integrated Layer of Protection by using Safety and Non-Safety Tasks
➢ Memory isolation controlling access to the memory, safe or not safe
➢ The safety memory is physically different from the standard CPU memory
➢ A HALT in the non-safety part does not generate a HALT in the Safety part
➢ A HALT in the standard Task does not impact the Safety Task
➢ An online change in the non-Safety part does not impact the safety part
➢ Separation of common modes
CONSIDERATIONS FOR COMMON SAFETY

With the latest technology, it is feasible to integrate process and Safety Instrumented Functions (SIF) within a common automation infrastructure. If this is not done correctly, it can compromise the safety and security of an industrial operation. This is very critical, and the line needs to be drawn:
➢ Independent Layers of Protection - both Control & Safety should be completely independent.
o Diversity and physical separation between different protection layers.
o Avoid common cause faults, minimize systematic errors and provide cybersecurity.
➢ The logic system performing the safety function shall not be combined with any other logic.
➢ Any failure of any non-safety-related function should not cause a dangerous failure of the safety-related functions.
➢ Wherever practicable, the SIFs should be separated from the non-safety instrumented functions.
➢ Neither failure of any non-safety function nor programming access to the non-safety software functions is capable of causing a dangerous failure of the SIF.
➢ Operating information may be exchanged but should not compromise the functional safety of the SIS.

Hints & Tips

When the BPCS / DCS (Basic Process Control System / Distributed Control System) is not qualified to IEC 61511, the SIS shall be designed to be separate and independent from the BPCS / DCS to the extent that the safety integrity of the SIS is not compromised. The most important point is that the independent layers of protection need to be just that: INDEPENDENT.
SCHNEIDER ELECTRIC SAFETY OFFER

TECHNOLOGIES FOR IMPLEMENTING SIS

A number of technologies are available for use in Safety Instrumented Systems. Here are some of the common technologies used:
➢ Relay-based systems
➢ Solid state systems, and
➢ Programmable systems

There is no one "overall" best system; each has its own advantages. The decision over which system may be best suited to an application will depend upon many factors, e.g. budget, size, level of risk, flexibility, maintenance, interface and communication requirements, security, etc.

RELAY-BASED SYSTEMS

Relay systems are relatively simple (at least when they are small). They are relatively inexpensive, are immune to most forms of electromagnetic interference (EMI) and can be built for many different voltage ranges. However, they are prone to nuisance trips, and they can become unwieldy as the system gets larger. Any time logic changes are required, wiring must be changed and drawings must be updated. Relay systems are based on discrete (on/off) logic signals; traditionally, discrete input sensors (switches) were used. About the only time relays are used is for very small systems, typically those with fewer than about 15 inputs and outputs (I/O).
SOLID STATE SYSTEMS

The configuration of a typical solid state SIS logic solver function is performed by standardized electronic function blocks, mainly AND gates, OR gates, logic inverters and timers. Solid state systems are hardwired, much like relays.
➢ Same characteristics as relay-based systems
➢ Modules need to be wired into the logic configuration required for the system
➢ Typically have about 50:50 failure mode characteristics
➢ Those built for safety include features for testing and performing bypasses
➢ Offer serial communications to external computer-based systems

The modules of the logic solver are operated in a continuous switching mode, transmitting a square wave signal through each gate or circuit. Diagnostic circuits on board each module then immediately detect if the unit stops passing the pulses. The detectors in turn link to a common diagnostic communication module that reports the defect to the maintenance interface. Normally the detection of a failed unit will lead to an alarm and sometimes a trip of the plant.

Solid state systems offer several significant benefits over PLC-based systems:
➢ Do not use any software
➢ Wiring is relatively easy to test and check
➢ System responds much faster than a software-based system
➢ Like relays, any change made to the system logic requires changes in wiring and updates of drawings
➢ Low cost for small/medium systems

Example: Modicon Orbus® (SIL 1/2/3/4)
PROGRAMMABLE BASED SYSTEMS

Computer-based systems appear to be the system of choice for many applications today. Such systems offer:
➢ Low cost, for large systems
➢ Ability to make changes easily and flexibly
➢ Serial reporting capabilities
➢ Graphical operator interfaces, etc.

Programmable Logic Controllers (PLCs) were originally designed to replace relays, yet their application as shutdown systems requires close scrutiny. Conventional PLCs were not designed for use in critical safety applications, as they lack extensive diagnostic capabilities, fail-safe characteristics, etc. A special class of PLCs, known as Safety PLCs, is used instead. The logic solver (PLC) evaluates the input signals, determines whether a potentially hazardous condition exists and energizes or de-energizes the solid-state output. In a de-energize-to-trip safety system, the output de-energizes to move the process to a safe state.

Example 1: EcoStruxure™ Modicon M580 Safety (SIL 1/2/3)
Example 2: Triconex - Tricon® CX
SENSORS

As transmitters or sensors, the offer includes:
➢ Mats: Any detection of an object on the mat initiates stopping of any dangerous machine movement.
➢ E-Stop, trip wires: When the emergency stop instruction ceases, the effect must be maintained until it is reset. Manual resetting must only be possible in the location where the instruction was given. Resetting must not start the machine, but simply enable the starting cycle. Restarting of the machine must not be possible until the emergency stop has been reset.
➢ Foot switches, two-hand control: requires simultaneous operation by both hands (or a foot) in order to start and maintain operation of a machine. It therefore provides protection exclusively for the person operating it.
➢ Limit switches (or guard switches): An effective means of protection is to install a guard which, according to the type of installation, will cut off the power to the motor if an attempt is made to open it during the machine operating phase. In all cases, it must not be possible to restart the machine until the guard is closed.
➢ Enabling switches: allow authorised personnel to carry out maintenance, adjustment or programming operations within hazardous zones of machines, provided certain conditions are met.
➢ Contactless switches: a non-contact solution often used on industrial machines fitted with a door or guards with imprecise guiding. It is particularly suitable for machines subjected to frequent washing or splashing of liquids, as well as small machines with a single guard for self-contained systems.
➢ Light curtains: Safety light curtains are electro-sensitive systems (Electro-Sensitive Protective Equipment) designed to protect persons working in the vicinity of machinery, by stopping dangerous movements when a light beam is broken.
LOGIC SOLVERS

Control and process are achieved using safety modules, safety controllers, AS-Interface components, and safety PLCs. The offer covers a wide range of functionalities. The Schneider Electric range of safety control solutions comprises four product families:
➢ Dedicated safety modules with one or two safety functions.
➢ Configurable controllers managing several safety functions.
➢ Safety monitors and interfaces dedicated to the AS-Interface system, allowing use of a single medium for control and safety.
➢ Safety PLCs used within complex safety systems.

ACTUATORS

Actuators in a safety chain do not need to carry embedded safety labels or to be certified. Standard actuators can be used to stop a process, as long as their reliability is sufficient in the SIL or Performance Level calculation of the Safety Instrumented Function.
PROCESS, HYBRID AND MACHINE SAFETY

Safety and availability are both important aspects, and they interact to affect the integrated performance of a Safety Instrumented System (SIS). Availability is defined as the probability that the system is operating properly when it is requested for use. The availability of a SIS to perform the task for which it was designed is expressed as a percentage (%). Below is the positioning of Schneider Electric's safety systems offer based on the availability requirements:
➢ Process & DCS Industry:
o Availability = 99.999999%
o Product range: Triconex
o Typical targeted segments are Oil & Gas, Chemical, Petrochemical, Refinery and Power
➢ Hybrid Industry:
o Availability = 99.9999%
o Product range: Safety Controller
o Typical targeted segments are MMM, WWW, F&B, Infrastructure and Tunnelling
➢ Machine Industry:
o Availability = 99.9%
o Product range: XPS MC, MP, MCM, MF Safety PLCs
o Typical targeted segments are isolated machines, packaging, presses and lifts
SAFETY EPAC IN ECOSTRUXURE™ PLANT HYBRID ARCHITECTURE

The Safety ePAC is a TÜV Rheinland certified SIL 3 / PL e controller that provides reliability and performance, with the ability to integrate Remote and Distributed I/Os over the Ethernet network based on EtherNet/IP technology with its reliable CIP object model. It is also able to integrate safety functions into the standard process. A single Safety ePAC controller ensures that the two systems in charge of Safety and Process Control are separated and independent, with different hardware resources, in a common engineering environment.

The figure below shows an example of an EcoStruxure™ Plant system architecture with the Safety ePAC as a global automation solution:

Plant Hybrid Architecture
SYSTEM ARCHITECTURE INTEROPERABILITY

With the integration of Remote and Distributed I/Os over the Ethernet network, the Safety ePAC provides:
➢ Openness
o Fieldbus integration in drops
o Other expert and third-party modules
o Possibility to mix safety and non-safety modules in the same rack
o Compatibility with all of the existing Mx80 family
➢ Transparency
o Configuration and monitoring from anywhere via the Ethernet network

THE COMPLETE MACHINE SAFETY CHAIN

Below is the complete machine safety chain that Schneider Electric can provide:
SAFETY SYSTEMS OFFER - MACHINERY

Safety control systems are also vital in protecting the factory-floor workers, the machines they operate and the plant assets. The Safety ePAC in Machine industries provides:
➢ Configuration and monitoring anywhere via Ethernet technology
➢ Possibility to mix safety and non-safety modules in the same rack
o Fieldbus integration in remote drops
o Compatibility with all X80 I/O modules
SUMMARY

This chapter gave an overview of the Process and Machinery Safety standards needed for protecting workers from preventable injuries.

QUESTIONS

The following questions will help to check understanding of the topics covered in this chapter:
➢ List the 5 phases of the System Life Cycle applied in the IEC 61508 standard.
➢ Which new standard will merge the two existing Machine Safety standards?
➢ Briefly describe the different levels of safety integration commonly used in safety industries.
➢ What are the advantages of using Common Safety in Automation industries?
➢ What are the main key features of the Safety ePAC?
➢ What is the list of sensors, logic solvers and actuators that Schneider Electric can provide in the Safety industrial sectors?
Chapter 3 - INTRODUCTION TO THE SAFETY EPAC

Based on the evolution of M580 technology, the Safety ePAC has been introduced into the safety industries market for process and machinery safety. The Safety ePAC is a TÜV Rheinland certified SIL 3 / PL e controller that provides reliability and performance, with the ability to integrate remote and distributed I/Os over the Ethernet network. It is also able to integrate safety functions into the standard process. A single controller ensures that the two systems in charge of safety and process control are separated and independent, with different hardware resources, in a common engineering environment. This chapter will give you an understanding of the Safety ePAC used in process and machinery safety.

CONTENTS:
General Overview ... 64
1oo2 Internal Architecture ... 65
Module Presentation ... 69
Safety CPU Module ... 70
Safety Coprocessor Module ... 77
Modes of Operation ... 80
Non-Interfering Ethernet Backplanes ... 84
SIL 3 Power Supply Modules ... 97
Cybersecurity in Safety ... 109
GENERAL OVERVIEW

With the evolution of M580 technology, the Safety ePAC is introduced into the safety industries market for process and machinery safety. The Safety ePAC is a TÜV Rheinland certified controller achieving:
➢ SIL 3 in IEC 61508 / IEC 61511 for the Process industry
➢ PL e and SIL Claim Limit 3 in EN 13849 / EN 62061 for the Machine industry

It provides reliability and performance with the ability to integrate remote and distributed I/Os over the Ethernet network. It is a modular automation controller that integrates safety functions into standard process control, compatible with existing X80 I/Os, currently available in the M340 range of controllers. A single controller ensures that safety functions and process control are separated and independent, with different hardware resources, in a common engineering environment. This will be the latest innovation to become part of the EcoStruxure™ Plant system offer.

MAIN FEATURES

Some of the main features of the Safety ePAC offer are:
➢ Safety application is executed in a dedicated core:
o Safety functions in Safety Task programming
o Standard functions in non-safety task programming (MAST Task)
➢ Safe Memory Isolation Cells - the Error Code Correction (ECC) mechanism reduces spurious trips
o Dynamic Error Code Correction (ECC) – auto-detects and corrects bit errors
➢ Memory isolation controlling the access to the memory, safe or non-safe
➢ The safety memory area is physically different from the standard CPU memory
➢ A HALT signal in the non-safety part (MAST Task) does not generate a HALT in the safety part (Safety Task)
➢ An on-line change in the non-safety part does not impact the safety part
➢ Having 2 CPUs (Safety & Coprocessor) with a 1oo2 safety architecture provides:
o Two executable codes independently generated
o Detection of systematic errors in the code generation
1OO2 INTERNAL ARCHITECTURE

SIL 3 / PL E SAFETY CONTROLLER

In order to achieve Safety Integrity Level (SIL) 3, Schneider Electric has developed two separate and independent hardware modules:
➢ The main Safety CPU module, based on the M580 CPU
➢ The Safety Coprocessor module, based on a depopulated M580 CPU

An Ethernet backplane (BME XBP) is required to install the CPU and the Coprocessor. Each module takes up two slots on the backplane, and the two are installed next to each other, immediately after the power supply module.

Both the main CPU and the Coprocessor are built around the dual-core SPEAr 1380 processor; working together they form a 1oo2 safety architecture that reaches the SIL 3 target. The Safety ePAC CPU uses the principle of double code generation and double code execution to reach SIL 3:
➢ The code is executed in parallel on two different processor cores
➢ Each core compares the results of both executions, so that systematic errors in the code execution and random errors in the controller are both detected

The figure shows the internal architecture of the main Safety CPU and the Safety Coprocessor.

The Safety ePAC requires the additional hardware, the Safety Coprocessor, to be installed next to the main Safety CPU in order to achieve the TÜV Rheinland certified SIL 3 and PL e.

The Safety ePAC is certified for use in both low demand and high demand systems, within the SIL 3 bands:
➢ PFDavg ≥ 10^-4 to < 10^-3 for low demand mode of operation
➢ PFH ≥ 10^-8 to < 10^-7 per hour for high demand mode of operation
SAFETY ARCHITECTURE DESIGN - VOTING

Decision making can be built into the basic parallel redundant model by feeding the signals from the parallel elements into a voter, which compares each signal with the remaining signals. A valid decision is made only if the number of working elements exceeds the number of failed elements.

HARDWARE FAULT TOLERANCE (HFT)

Hardware Fault Tolerance is the ability of a component or subsystem to continue to carry out the required safety instrumented function in the presence of one or more dangerous hardware faults. For example, a Hardware Fault Tolerance of 1 means that there are, e.g., two devices, and the architecture is such that a dangerous failure of one of the two components or subsystems does not prevent the safety action from occurring. HFT is a measure of redundancy and must be determined for each subsystem.

1OO2 SAFETY ARCHITECTURE

A key result of the analysis is establishing a Safe Failure Fraction (SFF) for a product. To achieve SIL 3, the Safety ePAC's Hardware Fault Tolerance (HFT) must be 1. The table below shows the relationship between SFF, HFT and the achievable SIL (IEC 61508-2 Route 1H, type B subsystems such as a programmable controller):

Safe Failure Fraction (SFF) | HFT = 0     | HFT = 1 | HFT = 2
< 60%                       | Not allowed | SIL 1   | SIL 2
60% to < 90%                | SIL 1       | SIL 2   | SIL 3
90% to < 99%                | SIL 2       | SIL 3   | SIL 4
≥ 99%                       | SIL 3       | SIL 4   | SIL 4

With HFT = 1, the controller achieves its 1oo2 internal architecture. The voting configurations corresponding to each HFT value are:

Fault Tolerance | Configuration
0               | 1oo1, 2oo2
1               | 1oo2, 2oo3
2               | 1oo3, 2oo4

Note: With IEC 61511 Edition 2.0, the Safe Failure Fraction (SFF) is removed from the minimum HFT requirements.
IEC 61511 EDITION 2.0

One of the biggest changes in Edition 2.0 is the removal of the Safe Failure Fraction (SFF) from the minimum Hardware Fault Tolerance (HFT) requirements. The table below shows the simplified minimum HFT based on Route 2H (IEC 61508-2 Edition 2.0):

SIL | Low demand mode, minimum HFT | High demand or continuous mode, minimum HFT
1   | 0                            | 0
2   | 0                            | 1
3   | 1                            | 2
4   | 2                            | 3

➢ Low demand mode - defined in 3.5.16 of IEC 61508-4
  o The frequency of demands for operation made on the safety-related system is no greater than one per year
➢ High demand or continuous mode - defined in 3.5.16 of IEC 61508-4
  o The frequency of demands for operation made on the safety-related system is greater than one per year
  o Continuous mode is regarded as very high demand

SAFETY ARCHITECTURE SELECTION

Hardware Fault Tolerance (HFT) is achieved through voting mechanisms:

HFT = Total Number of Paths - Number of Paths Required

Architecture Type | Paths required to carry out the Safety Function | Total Number of Paths | HFT
1oo1              | 1                                               | 1                     | 0
2oo2              | 2                                               | 2                     | 0
1oo2              | 1                                               | 2                     | 1
2oo3              | 2                                               | 3                     | 1
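The voting and HFT material above can be checked mechanically. The following Python model is an added example, not code from the Safety ePAC or from this training manual: it injects dangerous and safe channel failures exhaustively into the MooN ("M out of N") architectures listed in the tables, derives each architecture's HFT by simulation, and confirms it against the manual's formula HFT = total paths - paths required. It also computes how many safe (spurious) channel failures each architecture rides through, which the tables do not show. The channel model (a failed channel is stuck at one value) and the function names are assumptions of this example.

```python
"""MooN voting and Hardware Fault Tolerance, modelled in Python.

Added example (not M580 Safety ePAC code): a failed channel is assumed to be
stuck at a single value, either 'no demand' (dangerous failure) or 'demand'
(safe failure).  Every subset of channels of every size is failed in turn.
"""
from itertools import combinations

# Architectures from the manual's tables: name -> (paths required M, total paths N)
ARCHITECTURES = {
    "1oo1": (1, 1),
    "2oo2": (2, 2),
    "1oo2": (1, 2),
    "2oo3": (2, 3),
    "1oo3": (1, 3),
    "2oo4": (2, 4),
}


def moon_vote(channel_demands, m):
    """MooN voter: the safety function acts (trips) when at least M of the
    N channels report a demand."""
    return sum(1 for d in channel_demands if d) >= m


def hft_by_formula(m, n):
    """The manual's definition: HFT = total number of paths - paths required."""
    return n - m


def hft_by_simulation(m, n):
    """Largest k such that ANY choice of k channels can fail dangerously
    (stuck at 'no demand') while the voter still trips on a real demand."""
    tolerated = 0
    for k in range(1, n + 1):
        for failed in combinations(range(n), k):
            # healthy channels see the real demand; failed ones are stuck low
            demands = [ch not in failed for ch in range(n)]
            if not moon_vote(demands, m):
                return tolerated
        tolerated = k
    return tolerated


def spurious_trip_tolerance(m, n):
    """Largest k such that ANY choice of k channels can fail safe (stuck at
    'demand') with no real demand present and the voter does NOT trip.
    This is the availability side of the trade-off: 1oo2 and 2oo3 share
    HFT = 1, but only 2oo3 rides through a single safe failure."""
    tolerated = 0
    for k in range(1, n + 1):
        for failed in combinations(range(n), k):
            demands = [ch in failed for ch in range(n)]  # only failed channels "see" a demand
            if moon_vote(demands, m):
                return tolerated
        tolerated = k
    return tolerated


def architecture_table():
    """HFT and safe-failure tolerance for every architecture, with the
    simulated HFT cross-checked against the manual's formula."""
    rows = {}
    for name, (m, n) in ARCHITECTURES.items():
        hft = hft_by_simulation(m, n)
        if hft != hft_by_formula(m, n):
            raise AssertionError(f"{name}: simulated {hft} != formula {hft_by_formula(m, n)}")
        rows[name] = {
            "paths_required": m,
            "total_paths": n,
            "hft": hft,
            "safe_failures_tolerated": spurious_trip_tolerance(m, n),
        }
    return rows


if __name__ == "__main__":
    print(f"{'Arch':<6}{'M':>3}{'N':>3}{'HFT':>5}{'safe fails tolerated':>24}")
    for name, row in architecture_table().items():
        print(f"{name:<6}{row['paths_required']:>3}{row['total_paths']:>3}"
              f"{row['hft']:>5}{row['safe_failures_tolerated']:>24}")
```

Running it reproduces the HFT column of the manual's table (1oo1 and 2oo2 give 0, 1oo2 and 2oo3 give 1, 1oo3 and 2oo4 give 2) and makes the difference between the two HFT = 1 architectures visible: 1oo2 trips spuriously on any single safe channel failure, whereas 2oo3 tolerates one.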
SAFETY EPAC ARCHITECTURE

To achieve SIL 3, an additional module, the Safety Coprocessor, is used as a separate piece of hardware with its own complete system, so that it is totally isolated from the main Safety CPU; the two are separated and independent of each other.
➢ The Master core of the SPEAr CPU (SPEAr n°1) executes all the tasks, safe and non-safe programs alike
➢ The Master core of the SPEAr Coprocessor (SPEAr n°2) executes the SAFE task only
➢ The Com core of the SPEAr CPU (SPEAr n°1) executes the communication and other operations

The Master core runs all the different tasks in a multi-tasking way, with no real separation between safe and non-safe code on that core. Separation and non-interference are instead guaranteed by the redundant execution performed by SPEAr n°2 (the Coprocessor). The code is executed in parallel on the two cores, and each core compares the results of both executions. The CPU is therefore able to detect both systematic errors in the code execution and random errors in the PAC.

BENEFITS OF DOUBLE CODE EXECUTION

The two hardware processors of the Safety ePAC, the Safety CPU and the Safety Coprocessor, working together in a 1oo2 architecture, allow double code generation and double code execution. This diversity provides the following advantages in error detection:
➢ Two executable codes are generated independently. The diversity of compilers allows the detection of systematic errors in code generation.
➢ The two generated codes are executed by two different hardware processors. The CPU is therefore able to detect both systematic errors in the code execution and random errors in the PAC.
➢ Independent memory areas are used for the two processors. The CPUs are therefore able to detect random errors in the RAM.
MODULE PRESENTATION

PHYSICAL CHARACTERISTICS

The physical characteristics of the Safety ePAC are similar to those of the M340 range of PLCs, because the Safety ePAC has been designed to take advantage of existing components of the market-leading M340 offer. The Safety ePAC makes use of existing non-interfering modules, such as the M340 power supplies, backplanes and I/O modules, and can therefore also take advantage of the X80 Remote I/O offer.

The Safety CPU and the Safety Coprocessor modules each occupy two slots of the backplane and are slightly longer, so both modules hang slightly lower (approx. 30 mm / 1.18 in) than the rest of the M340 / X80 module range.

Both modules must be installed next to each other and immediately after the power supply module:
➢ Main Safety CPU installed across slots 0 and 1 of the local rack
➢ Safety Coprocessor installed across slots 2 and 3 of the local rack

As with the M580 CPU, there are two connectors on the back of both processor modules. The two connectors give the Safety ePAC:
➢ X-Bus connectivity (1)
  o CPU: supports the existing M340 / X80 modules
  o Coprocessor: 24 Vdc and 3.3 Vdc supply, and diagnostics
➢ Ethernet connectivity (2)
  o CPU: supports the new Ethernet / eX80 modules
  o Coprocessor: safety information exchanged with the CPU
SAFETY CPU MODULE

The reference part numbers for the Safety ePAC CPU are:
➢ BME P58 2040S, BME P58 4040S - Standalone CPU
➢ BME H58 2040S, BME H58 4040S, BME H58 6040S - Hot Standby CPU

The main Safety CPU is new hardware based on the M580 CPU, with conformal coating, occupying two slots (slots 0 and 1) of the Ethernet backplane. Internally it uses the SPEAr 1380 microprocessor, an ARM® dual Cortex™-A9 architecture:
➢ Core 1 - dedicated to both the safe and the standard application
  o Processing of additional diagnostics
  o Processing of the safe and standard programs
➢ Core 2 - dedicated to communication
  o Processing of the communication

Front panel items:
Number | Description
1      | LED display
2      | MAC address
3      | Mini-B USB connector
4      | RJ45 Ethernet port - Service port
5      | RJ45 Ethernet ports - Device Network ports
6      | Product QR code
7      | Slot for the optional SD memory card

Note: A green LED (without marking) located under the memory card door indicates that access to the card is ongoing (CARDACT). It must be off before the SD card is removed.
LED DISPLAY - SAFETY CPU MODULE

Each LED on the main Safety ePAC CPU's front panel (1) has a dedicated function. The various combinations of LEDs offer diagnostics and troubleshooting information without having to connect to the Safety CPU.

LED        | Description
RUN        | CPU is managing its non-safety operation
ERR        | CPU or system detected an internal fault
I/O        | External fault coming from the I/O modules
DL         | Firmware is currently being downloaded
BACKUP     | Indicates an inconsistent stored application (memory / SD card)
ETH MS     | MOD STATUS: Ethernet port configuration status
ETH NS     | NET STATUS: Ethernet connection status
FORCED I/O | At least one I/O point of a digital module is forced
SRUN       | CPU is managing its safety operation
SMOD       | Indicates whether the CPU is in maintenance or safety operating mode
EMBEDDED ETHERNET PORTS

The Safety ePAC CPU is equipped with three embedded Ethernet ports:
➢ 1 x Service port (4)
➢ 2 x Device Network ports (5)

SERVICE PORT

The SERVICE port can be used for two purposes:
➢ Diagnosis of the Ethernet ports using port mirroring
➢ Access for external tools and devices (programming tools, ConneXium Network Manager, HMI, SCADA) and for Distributed I/O devices (the same role as the DIO Device Network port)

DEVICE NETWORK PORTS

The role of the DEVICE NETWORK ports on the Safety ePAC CPU can be Distributed I/O (DIO) and/or Remote I/O (RIO).
➢ Distributed I/O (DIO) mode allows communication with modules or devices connected to a distributed Ethernet bus, using a non-deterministic DIO scanner embedded in the CPU. In a Safety ePAC system, the Dual Ring Switches (DRS) or the embedded X80 Ethernet switching module (BME NOS) are required.
➢ In Remote I/O (RIO) mode, the CPU uses a RIO scanner embedded in the CPU that allows deterministic I/O exchanges with the modules or devices on the remote I/O network.

Services provided by the CPU on the DEVICE NETWORK ports:
➢ RSTP, which, when used with RIO, enables all remote I/O devices on the ring to recover from a communication disruption within 50 ms
➢ Device and drop diagnostics
SD MEMORY CARD (BMX RMS 004GPF)

The optional SD memory card, BMX RMS 004GPF, has a 4 GB capacity and is used for application backup and data storage. It does not store any safety information and is not part of the safety loop. In some use cases, the SD card contains the user application files. The verification of the user application is performed in the DDR SDRAM, which is the only executable memory for the CPU core.

Characteristic               | Value
Global memory size           | 4 GB
Application backup size      | 200 MB
Data storage size            | 3.8 GB
Write/erase cycles (typical) | 100,000
Operating temperature range  | -40 to +85 °C (-40 to +185 °F)
File retention time          | 10 years
Memory zone for FTP access   | Data storage directory only

The memory card is "industrial grade" and formatted for use with Schneider Electric M580 CPUs only. Do not use the memory card with any other CPU or tool, or the card may no longer be recognised by the M580 CPU. The M580 CPUs include the standalone, redundant and Safety ranges.

Note: Only the BMX RMS 004GPF SD memory card is supported by the M580 CPU. SD cards from the M340 CPU are NOT supported by the M580 CPU.

To prevent data loss, generate a rising edge on system bit %S65 before removing the SD memory card.
CPU SPECIFICATIONS - BME P58 2040S & BME H58 2040S

The following table shows the functional characteristics of the Safety ePAC CPU:

Characteristic                                      | BME P58 2040S / BME H58 2040S
Max. number of local racks                          | 4 (P58) / 1 (H58)
Max. number of Remote I/O drops (of 2 racks each)   | 8
Integrated I/O - Digital                            | 2048
Integrated I/O - Analog                             | 512
Integrated I/O - Expert                             | 72
Max. network modules (+1 embedded Ethernet in CPU)  | 2 + 1
Comm. ports                                         | 1 x Service, 2 x Device
DIO devices + DIO modules                           | 64
Memory In + Out (Kbyte)                             | 2 + 2
Non-safety program memory (Mbyte)                   | 8
Non-safety data (Kbyte)                             | 768
Safety program memory (Mbyte)                       | 2
Safety data (Kbyte)                                 | 512
Data storage (Gbyte)                                | 4
Boolean application execution (Kinstr/ms)           | 10 (1)
Certification                                       | SIL 3 / PL e

Note: (1) Because the safe tasks (Master core / Safe core) must exchange data through the backplane, there is a negative impact on performance: it takes 1 ms to transfer 10 Kbyte.

The Safety ePAC CPU module is TÜV certified up to SIL 3 (IEC 61511) / SIL CL 3 (IEC 62061) / PL e (EN ISO 13849-1).
CPU SPECIFICATIONS - BME P58 4040S & BME H58 4040S

The following table shows the functional characteristics of the Safety ePAC CPU:

Characteristic                                      | BME P58 4040S / BME H58 4040S
Max. number of local racks                          | 8 (P58) / 1 (H58)
Max. number of Remote I/O drops (of 2 racks each)   | 16
Integrated I/O - Digital                            | 4096
Integrated I/O - Analog                             | 1024
Integrated I/O - Expert                             | 144
Max. network modules (+1 embedded Ethernet in CPU)  | 4 + 1
Comm. ports                                         | 1 x Service, 2 x Device
DIO devices + DIO modules                           | 64
Memory In + Out (Kbyte)                             | 2 + 2
Non-safety program memory (Mbyte)                   | 16
Non-safety data (Kbyte)                             | 2048
Safety program memory (Mbyte)                       | 4
Safety data (Kbyte)                                 | 1024
Data storage (Gbyte)                                | 4
Boolean application execution (Kinstr/ms)           | 40 (1)
Certification                                       | SIL 3 / PL e

Note: (1) Because the safe tasks (Master core / Safe core) must exchange data through the backplane, there is a negative impact on performance: it takes 1 ms to transfer 10 Kbyte.

The Safety ePAC CPU module is TÜV certified up to SIL 3 (IEC 61511) / SIL CL 3 (IEC 62061) / PL e (EN ISO 13849-1).
CPU SPECIFICATIONS - BME H58 6040S

The following table shows the functional characteristics of the Safety ePAC CPU:

Characteristic                                      | BME H58 6040S
Max. number of local racks                          | 1
Max. number of Remote I/O drops (of 2 racks each)   | 31
Integrated I/O - Digital                            | 6144
Integrated I/O - Analog                             | 1536
Integrated I/O - Expert                             | 216
Max. network modules (+1 embedded Ethernet in CPU)  | 8 + 1
Comm. ports                                         | 1 x Service, 2 x Device
DIO devices + DIO modules                           | 64
Memory In + Out (Kbyte)                             | 2 + 2
Non-safety program memory (Mbyte)                   | 64
Non-safety data (Kbyte)                             | 4096
Safety program memory (Mbyte)                       | 16
Safety data (Kbyte)                                 | 1024
Data storage (Gbyte)                                | 4
Boolean application execution (Kinstr/ms)           | 50 (1)
Certification                                       | SIL 3 / PL e

Note: (1) Because the safe tasks (Master core / Safe core) must exchange data through the backplane, there is a negative impact on performance: it takes 1 ms to transfer 10 Kbyte.

The Safety ePAC CPU module is TÜV certified up to SIL 3 (IEC 61511) / SIL CL 3 (IEC 62061) / PL e (EN ISO 13849-1).
SAFETY COPROCESSOR MODULE BME P58 CPRO S3

The reference part number for the Safety Coprocessor module is BME P58 CPRO S3.

The Safety Coprocessor module occupies two slots (slots 2 and 3) of the Ethernet backplane, installed next to the main Safety CPU, and is based on a depopulated M580 CPU. All communication links except the safety link are removed. Similarly, all superfluous components are removed, such as the NVRAM and the SD card connector. The Coprocessor module is used for SIL 3 applications and ensures spatial isolation for the dual execution of the safety code. Internally it uses the SPEAr 1380 microprocessor, with only Core 1 used, for processing:
➢ The safety application
➢ The board's diagnostics

Front panel items:
Number | Description
1      | LED display
2      | Product QR code

Note: The main Safety CPU will NOT operate without the Safety Coprocessor module.
SAFETY COPROCESSOR SPECIFICATIONS

The Safety Coprocessor module is a depopulated M580 CPU with:
➢ An LED front panel display
➢ No connector on the front side
➢ No communication link on the front face

On the back of the module there are two connectors for the Ethernet backplane:
➢ X-Bus connectivity - 24 Vdc and 3.3 Vdc supply, and diagnostics (1)
➢ Ethernet connectivity - dedicated safety link for information exchange (2)

The Safety Coprocessor specifications are:
➢ 1 x SPEAr 1380 microprocessor running at 500 MHz core speed
➢ 256 MB DDR3 SDRAM (Double Data Rate type three)
➢ 32-bit + ECC (Error-Correcting Code) data bus, 533 MHz bus speed
➢ 256 MB SLC NAND flash
LED DISPLAY - SAFETY COPROCESSOR MODULE

Each LED on the Safety Coprocessor module's front panel has a dedicated function. The various combinations of LEDs offer diagnostics and troubleshooting information.

LED  | Description
ERR  | System detected an internal fault
DL   | Firmware is currently being downloaded
SRUN | System is managing its safety operation
SMOD | Indicates whether the system is in maintenance or safety operating mode
MODES OF OPERATION

The default behaviour of the Safety ePAC is to perform the safety functions in order to achieve and maintain the safe state of a process. Nevertheless, the user must be able to debug and maintain the project. The Safety ePAC can therefore run in two operating modes:
➢ Safety mode
➢ Maintenance mode

The functions available in EcoStruxure™ Control Expert V15 for Safety depend on the current mode of the CPU to which it is connected. Safety mode is used to control the safety project, whereas Maintenance mode is for debugging and modifying the safety project. In Maintenance mode, the I/O and CPU modules still execute their diagnostics and will establish the safe state if a fault is detected. Only the application program and the application data may be modified in Maintenance mode.

SAFETY AND NON-SAFETY CONTROLLER

The non-safety part (BPCS, Basic Process Control System) and the safety part (SIS, Safety Instrumented System) run in the same controller. From the EcoStruxure™ Control Expert V15 for Safety Project Browser, clicking on the MAST or SAFE task gives access to the BPCS or the SIS respectively. When connected to the safety part (SIS), you can switch the mode of operation between Safety and Maintenance.
SAFETY AND MAINTENANCE MODES

Safety mode in EcoStruxure™ Control Expert V15 for Safety means that the software is connected to the safety part of the CPU, which is running a safety application that cannot be modified. In Safety mode, the CPU performs the safety functions to achieve and maintain the safe state of the process.

Maintenance mode in EcoStruxure™ Control Expert V15 for Safety means that the software is connected online to the safety part of the CPU, which is running a safety application in debugging or modification mode.

WARNING - STATEMENT OF HAZARD (E.G. EQUIPMENT INCOMPATIBILITY)

The online operations performed from EcoStruxure™ Control Expert V15 for Safety on a running safety controller (e.g. a program change while the safety CPU is in RUN, a device test, or an operating status change between RUN and STOP) must be executed only after the user manual has been carefully read and safety has been ensured. The operation must be performed by an instructed person, following the operating procedure predetermined at design time. Changing a program while a safety CPU is in RUN may cause a program breakdown under some operating conditions. Fully understand the precautions before use. Failure to follow these instructions can result in injury or equipment damage.

Note: In SAFETY mode it is possible to upload, download, run and stop the project. In MAINTENANCE mode, the dual execution of the SAFE task code is still performed, BUT the results are NOT compared, so the error detection provided by the 1oo2 comparison is not available while the controller remains in this mode. When EcoStruxure™ Control Expert V15 for Safety is disconnected, the safety controller automatically switches back to SAFETY mode.
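The double code execution described under Safety ePAC Architecture, and the note above that Maintenance mode executes both codes without comparing the results, can be seen together in one small model. The following Python is an added example, not code from the Safety ePAC or from this training manual: two independently written implementations of one guard-interlock function stand in for the two executables generated by two compilers and run on the Safety CPU core and the Safety Coprocessor. In SAFETY mode every cycle compares the two results and a mismatch drives the outputs to the safe state; in MAINTENANCE mode the comparison is skipped. The interlock rule, the input values, the bit-flip fault injection hook and the tool connect/disconnect calls are all constructed for this example and are not Schneider APIs.

```python
"""Double code execution with cross-comparison, and what Maintenance mode gives up.

Added example (not M580 Safety ePAC code).  Outputs are a pair
(run_enable, guard_unlock); the safe state de-energises the contactor and
keeps the guard locked.  Channel A drives the I/O; channel B only exists to
disagree when A is wrong.
"""
from dataclasses import dataclass

SAFETY, MAINTENANCE = "SAFETY", "MAINTENANCE"
SAFE_STATE = (False, False)  # (run_enable, guard_unlock)


@dataclass(frozen=True)
class Inputs:
    guard_closed: bool
    estop_released: bool
    speed_rpm: int


def channel_a(i: Inputs) -> tuple:
    """Channel A (Safety CPU master core): boolean formulation.
    Motion is allowed only with the guard closed and the E-stop released;
    the guard lock may release only once the machine has stopped."""
    run_enable = i.guard_closed and i.estop_released
    guard_unlock = i.speed_rpm == 0
    return (run_enable, guard_unlock)


def channel_b(i: Inputs) -> tuple:
    """Channel B (Safety Coprocessor): diverse formulation of the same rule,
    written with integer arithmetic so that a shared coding or compiler
    mistake is unlikely to give the same wrong answer in both channels."""
    conditions_met = int(bool(i.guard_closed)) + int(bool(i.estop_released))
    run_enable = conditions_met == 2
    guard_unlock = not (i.speed_rpm > 0 or i.speed_rpm < 0)
    return (run_enable, guard_unlock)


class SafeTask:
    def __init__(self):
        self.mode = SAFETY
        self.fault_latched = False
        self.outputs = SAFE_STATE
        self.inject_bitflip_in_a = False  # constructed fault: flips run_enable in channel A

    def tool_set_mode(self, mode):
        """Engineering tool connected: the operator selects Safety or Maintenance."""
        self.mode = mode

    def tool_disconnect(self):
        """Manual: when the tool disconnects the controller returns to SAFETY mode."""
        self.mode = SAFETY

    def cycle(self, i: Inputs) -> tuple:
        """One SAFE task cycle: run both channels, compare only in SAFETY mode."""
        if self.fault_latched:
            self.outputs = SAFE_STATE
            return self.outputs
        result_a = channel_a(i)
        result_b = channel_b(i)
        if self.inject_bitflip_in_a:
            result_a = (not result_a[0], result_a[1])
        if self.mode == SAFETY and result_a != result_b:
            self.fault_latched = True  # stays in the safe state until reset
            self.outputs = SAFE_STATE
        else:
            self.outputs = result_a
        return self.outputs


def demo():
    """Same corrupted channel in three situations; returns what reached the outputs."""
    guard_open = Inputs(guard_closed=False, estop_released=True, speed_rpm=0)

    healthy = SafeTask()
    healthy_out = healthy.cycle(Inputs(guard_closed=True, estop_released=True, speed_rpm=0))

    in_safety = SafeTask()
    in_safety.inject_bitflip_in_a = True
    safety_out = in_safety.cycle(guard_open)            # mismatch caught -> safe state

    in_maint = SafeTask()
    in_maint.tool_set_mode(MAINTENANCE)
    in_maint.inject_bitflip_in_a = True
    maint_out = in_maint.cycle(guard_open)              # no compare -> corrupted result drives I/O
    in_maint.tool_disconnect()                          # back to SAFETY ...
    after_disconnect_out = in_maint.cycle(guard_open)   # ... and the next cycle catches it

    return {
        "healthy": healthy_out,
        "safety_mode_with_fault": safety_out,
        "safety_mode_fault_latched": in_safety.fault_latched,
        "maintenance_mode_with_fault": maint_out,
        "after_disconnect": after_disconnect_out,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<30} {value}")
```

The run with the guard open shows the practitioner's point: in SAFETY mode the corrupted channel A is outvoted by channel B and the outputs fall to the safe state with the fault latched, whereas in MAINTENANCE mode the same corruption enables motion with the guard open because nothing compares the two results. Disconnecting the tool returns the task to SAFETY mode, and the very next cycle detects the mismatch.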
HOW TO SWITCH MODES

To switch from Safety to Maintenance mode and vice versa, select PLC » Safety / Maintenance, or click the shortcut buttons in the PLC (API) toolbar.

SAFETY VS. MAINTENANCE MODES

Safety mode is used to make sure that the safety controller performs the safety function with the required performance. As a consequence, Safety mode has some limitations compared with Maintenance mode. The following table compares the two modes:

Operation                                                          | Safety mode | Maintenance mode
Downloading changes                                                | No          | Yes
Forcing / modifying variables (Animation Tables & Operator Screen) | No          | Yes
Debugging mode                                                     | No          | Yes
Setting a breakpoint                                               | No          | Yes
Setting a watch point                                              | No          | Yes
Uploading                                                          | Yes #       | Yes
Transferring data to/from the PAC                                  | Yes #       | Yes
Modifying animation tables                                         | Yes *       | Yes
Modifying a project                                                | No          | Yes
Safety memory write protection                                     | Yes         | No
CCOTF on Safety I/O modules                                        | No          | Yes

* Only if generation of upload information for animation tables is disabled in Project Settings.
# It is possible to upload, download, run and stop the project in SAFETY mode.

Use the Application Password to define the operators' rights.

In the hidden Exchange memory area, an interface variable is automatically used as the connection between a process (non-safe) variable and a safety variable; the link is configured via the Interface tabs of the Process Data Editor and the Safety Data Editor. Once the link is made, the transfer is executed as follows:
➢ At the beginning of each SAFE task cycle, the non-safe variable values are copied to the safe variables.
➢ At the end of the SAFE task cycle, the safe output variable values are copied to the non-safe variables.
BEHAVIOUR OF THE ECOSTRUXURE™ CONTROL EXPERT V15 FOR SAFETY STATUS BAR

The following table shows the behaviour of the EcoStruxure™ Control Expert V15 for Safety status bar message when the MAST (Process) task and the SAFE task are in different states:

MAST Task | SAFE Task | Status Bar Message | Comments
STOP      | STOP      | STOP               | Clicking PLC » Stop (menu or toolbar) stops both tasks
STOP      | RUN       | RUN                |
STOP      | HALT      | SAFE HALT          |
RUN       | STOP      | RUN                |
RUN       | RUN       | RUN                | Clicking PLC » Run (menu or toolbar) runs both tasks
RUN       | HALT      | SAFE HALT          |
HALT      | STOP      | PROC HALT          |
HALT      | RUN       | PROC HALT          |
HALT      | HALT      | HALT               |

START & STOP TASKS VIA THE PLC SCREEN

The MAST (Process) task and the SAFE task can be individually commanded to RUN or STOP via the "PLC Screen" of the CPU.

Hints & Tips: To stop the SAFE task, the Safety CPU has to be switched into Safety mode operation.
NON-INTERFERING ETHERNET BACKPLANES

The Safety ePAC uses the same range of backplanes as the M580 controller, and they are compliant with the TÜV Rheinland requirements. These non-interfering Ethernet backplanes retain the legacy X-Bus connection and introduce Ethernet connectivity for the eX80 modules. Having both connectors on board allows the existing range of M340 / X80 non-interfering modules to be incorporated into a Safety ePAC architecture. It is recommended to cover unused slots with the dust cover, BMX XEM 010.

An Ethernet RIO (EIO) drop can be composed of one or two racks, each of which can be either an X-Bus rack or an Ethernet rack. The extension rack uses the X-Bus connection via a bus expansion module (BMX XBE 1000) for communication. The Safety ePAC:
➢ Allows the extension of X80 / eX80 racks via X-Bus connectivity (up to 8 racks in total)
➢ Allows each ERIO drop to support only one X80 / eX80 extension rack

Note: The BME XBP **00 Ethernet backplanes can be used as extension racks anywhere in an M580 architecture, BUT be aware that only the X-Bus connection is active on Ethernet extension racks.

BACKPLANE REFERENCES (SINGLE PWS)

The number of X-Bus and Ethernet slots on a backplane differs with the backplane size. The following table shows all the references, including the non-Harsh and Harsh versions (suffix "H"):

➢ Single Power Supply Racks

Reference                    | Description                 | Ethernet & X-Bus Slots | X-Bus Only Slots
BME XBP 0400 / BME XBP 0400H | 4 Slots Ethernet Backplane  | 4                      | 0
BME XBP 0800 / BME XBP 0800H | 8 Slots Ethernet Backplane  | 8                      | 0
BME XBP 1200 / BME XBP 1200H | 12 Slots Ethernet Backplane | 8                      | 4
DUAL POWER SUPPLY BACKPLANES

The non-interfering dual power supply Ethernet backplanes can be used with the TÜV certified SIL 3 redundant power supply modules:
➢ BMX CPS 4002S - 100..240 Vac
➢ BMX CPS 4022S - 24..48 Vdc
➢ BMX CPS 3522S - 125 Vdc

These safety power supply modules deliver to the backplane rack:
➢ 40 W on 24 Vdc
➢ 15 W on 3.3 Vdc

The backplane 24 Vdc output voltage will never exceed 30 V, in order to comply with safety configurations up to SIL 3.

Note: The existing (standard) power supply modules CANNOT be used with the Safety CPU. The dual power supply backplanes require firmware version 1.10 or higher.
BACKPLANE REFERENCES (REDUNDANT PWS)

The number of X-Bus and Ethernet slots on a backplane differs with the backplane size. The following table shows all the references, including the non-Harsh and Harsh versions (suffix "H"):

➢ Redundant Power Supply Racks

Reference                    | Description                                             | Ethernet & X-Bus Slots | X-Bus Only Slots
BME XBP 0602 / BME XBP 0602H | 6 Slots Ethernet Backplane with Redundant Power Supply  | 6                      | 0
BME XBP 1002 / BME XBP 1002H | 10 Slots Ethernet Backplane with Redundant Power Supply | 8                      | 2

SUPPORTED CONNECTIVITY FOR QUANTUM RACKS

The main Safety CPU and the Coprocessor must be installed on an Ethernet backplane, because the Coprocessor sends safety information to the Safety CPU via the Ethernet communication. The following system connectivity is allowed:
➢ The main local CPU rack can be extended with up to 7 racks via X-Bus connectivity (BME XBP and/or BMX XBP)
➢ Premium racks, TSX RKY, are NOT allowed as local extension racks of the main local CPU, because all Premium I/O modules are interfering modules
➢ Quantum racks, 140 XBP, are allowed as non-safety remote drop racks
  o Quantum Safety SIL 3 remote drops are NOT allowed, because the "black channel" used by the Quantum Safety drop is different
ETHERNET BACKPLANE TECHNOLOGY

The Ethernet interface is the main communication medium in the backplane. All Ethernet modules on the backplane are attached to one of several ports that lead to the Ethernet switch chip embedded in the Ethernet backplane.

Note: The embedded Ethernet switch in the Ethernet backplane has connectivity to some slots only; not all slots have Ethernet connectivity.

Some key features:
➢ Backplane bus speed of 100 Mbps, full duplex
➢ Straight connection between the Ethernet connector and the eX80 modules
➢ Better openness and flexibility for integration with third-party modules
➢ Preservation of the legacy X-Bus connection, offering easy migration from the legacy hardware platform
➢ Point-to-point lanes, or peer-to-peer connections, between Ethernet modules. A dedicated communication path between peer modules provides:
  o Redundancy between two identical modules on the same backplane, e.g. the CRA adapter module
  o Complex computations or safety data exchange
Activity 1 - CREATE A SAFETY CONFIGURATION

In this activity:
• Create a Safety project with one safety RIO drop without I/O modules
• Learn to configure the Safety CPU and update the CPU real-time clock
• Identify the two programming areas: MAST task (Process) and SAFE task (Safety)

1. Start EcoStruxure™ Control Expert V15 for Safety.
  a. From the Windows Start Menu, launch EcoStruxure™ Control Expert V15 for Safety.
  b. Create a new project by selecting File » New from the EcoStruxure™ Control Expert V15 for Safety menu, or by clicking the New Project button on the toolbar.
  c. Select the appropriate Safety CPU and rack according to the simulator being used.
  d. Click the OK button to create the application. The new project is created and populated with default items, and the Project Browser is displayed to show the project contents. Observe the two different programming areas:
    (1) "Program-PROCESS" - for the process control application
    (2) "Program-SAFE" - for the safety application

Note: These two programming areas are discussed in more detail later, in EcoStruxure™ Control Expert V15 for Safety Implementation.
  e. Double-click the Configuration item in the Project Browser.
  f. The Local Rack is displayed, pre-populated with the CPU and the power supply.

2. Configure the IP address.
  a. Double-click the embedded Ethernet module of the CPU.
  b. Go to the IP Config tab and enter the following Main IP Address: 192.168.10.X1, where X is your group number (your instructor will indicate which number corresponds to your group). The picture shown here is an example for Group 2.
  c. Set IP Address A to 192.168.11.X1; this address is used for communication on the Ethernet RIO network.
  d. Set the Subnet Mask to 255.255.0.0 and change the Default Gateway to 192.168.10.X1.