
Application Technique

Safety Function: Actuator Subsystems – Stop Category 0 or Stop Category 1 via a Configurable Safety Relay and PowerFlex 527 Drive with Hardwired Safe Torque-off
Products: Guardmaster 440C-CR30 Configurable Safety Relay, PowerFlex 527 Drive

Safety Rating: CAT. 3, PLe to ISO 13849-1: 2008

Topic
Important User Information
General Safety Information
Introduction
Safety Function Realization: Risk Assessment
Stop Safety Function
Safety Function Requirements
Functional Safety Description
Bill of Material
Setup and Wiring
Configuration
Calculation of the Performance Level
Verification and Validation Plan
Verification of the Configuration
Additional Resources

Important User Information


Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,
and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required
to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the
use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

2 Rockwell Automation Publication SAFETY-AT143A-EN-P - August 2015



General Safety Information

IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.

Risk Assessments

ATTENTION: Perform a risk assessment to make sure that all task and hazard combinations have been identified and addressed.
The risk assessment can require additional circuitry to reduce the risk to a tolerable level. Safety circuits must consider safety-
distance calculations, which are not part of the scope of this document.

Contact Rockwell Automation to learn more about our safety-risk assessment services.

Safety Distance Calculations

ATTENTION: While safety distance or access time calculations are beyond the scope of this document, compliant safety circuits
must often consider a safety distance or access time calculation.

Non-separating safeguards provide no physical barrier to prevent access to a hazard. Publications that offer guidance for
calculating compliant safety distances for safety systems that use non-separating safeguards, such as light curtains, scanners,
two-hand controls, or safety mats, include the following:
• EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body)
• ANSI B11.19-2010 (Machines – Performance Criteria for Safeguarding)

Separating safeguards monitor a moveable, physical barrier that guards access to a hazard. Publications that offer guidance
for calculating compliant access times for safety systems that use separating safeguards, such as gates with limit switches or
interlocks (including SensaGuard™ switches), include the following:
• EN ISO 14119:2013 (Safety of Machinery – Interlocking devices associated with guards - Principles for design and selection)
• EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body)
• ANSI B11.19-2010 (Machines – Performance Criteria for Safeguarding)

In addition, consult relevant national or local safety standards to assure compliance.


Introduction
This safety function application technique is concerned primarily with the logic and output subsystems of a safety system.
This document illustrates how to combine a Guardmaster® 440C-CR30 configurable safety relay with a PowerFlex® 527
drive to provide a stop category 0 (remove power, coast to stop) or stop category 1 (controlled stop, remove power) via a
hardwired connection to the safe torque-off (STO) inputs of the drive.

In an actual application, any typical, safety-input device could be used as the input subsystem, if properly applied. A
SensaGuard™ switch, as in Safety Function: Door Monitoring Products: SensaGuard/ GSR DI, publication
SAFETY-AT069, is used as a convenient example of an input subsystem in this document.

Subsystem 1 (Input): SensaGuard Switch
Subsystem 2 (Logic): 440C-CR30 Configurable Safety Relay
Subsystem 3 (Output): PowerFlex 527 Drive


Safety Function Realization: Risk Assessment


The required performance level is the result of a risk assessment and refers to the amount of the risk reduction to be carried
out by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety functions of
the machine. In this application, the performance level required (PLr) by the risk assessment is Category 3, Performance
Level d (CAT. 3, PLd), for each safety function. A safety system that achieves CAT. 3, PLd, or higher, can be considered
control reliable. Each safety product has its own rating and can be combined to create a safety function that meets or
exceeds the PLr.

From: Risk Assessment (ISO 12100)

1. Identification of safety functions

2. Specification of characteristics of each function

3. Determination of required PL (PLr) for each safety function

To: Realization and PL Evaluation

Stop Safety Function


This application technique includes two safety functions:
• Safety-related stop function initiated by a safeguard.
• Prevention of an unexpected startup.

Safety Function Requirements

Safety-related Stop Function Initiated by a Safeguard

When an input subsystem places a demand on the safety function, the safety function initiates and maintains a stop
command for the safety system to stop hazardous motion before a person can reach the hazardous area. The stop command
cannot be reset until the demand is removed.


Prevention of an Unexpected Start-up

The safety system cannot be reset, and hazardous motion cannot be restarted while there is a demand on the safety system.
Once the demand is removed and the stop command is reset, a second action (pressing a Start button) is required before the
hazardous motion can resume.

IMPORTANT The vendor must provide probability of failure per hour (PFH) and all relevant functional safety data for all subsystems of this
safety system necessary to prove that the overall safety functions meet the requirements for Performance Level d (PLd), per ISO
13849-1.

The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance
Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.

Considerations for Safety Distance and Stopping Performance

Based on the selection of a sensor subsystem, the risk assessment determines if a safety distance calculation is required.
Typically, a safety distance calculation is required if a non-separating sensor subsystem (such as a light curtain) is selected
for the safety function. For moveable separating safeguard systems, the overall system stopping-performance must be
calculated, measured, and compared to the calculated/measured access time.

When calculating a compliant safety distance for a non-separating safeguard system, see the Guardmaster 440C-CR30
Configurable Safety Relay User Manual, publication 440C-UM001, which provides the necessary response-time data.

When considering the overall system-stopping performance of a separating safeguard system, see the Guardmaster 440C-
CR30 Configurable Safety Relay User Manual, publication 440C-UM001, which provides response time data necessary
for calculating a theoretical overall system-stopping performance value in advance of performing actual tests and
measurements on the actual system.

The Guardmaster 440C-CR30 Configurable Safety Relay User Manual, publication 440C-UM001, also provides useful
guidance regarding the calculation of the safety-system response time.

Functional Safety Description


The Guardmaster 440C-CR30 configurable safety relay and PowerFlex 527 drives with integrated safe torque-off (STO)
use 1oo2 architecture to achieve the PFH value that is used in the PL calculation verification section of this document.

The Guardmaster 440C-CR30 configurable safety relay monitors its safety inputs, its internal circuitry, and its safety
output contacts for valid status and faults. When it receives a safety demand on its inputs, or an invalid status or
fault is detected, the safety relay deactivates its safety outputs and sends a safety stop command.

The PowerFlex 527 drive monitors its STO inputs for valid status and faults. The drive monitors its internal safety circuits
and its outputs for valid status and faults. When the Guardmaster 440C-CR30 configurable safety relay de-energizes the
drive’s STO inputs, or an invalid state or fault is detected, the STO feature of the drive forces the drive output-power
transistors to a disabled state. The hazardous motion that is controlled by the drive coasts or ramps to a stop. This feature
does not provide electrical power isolation.

Hardwired Safety: Safe Torque-off Considerations for a Stop Category 1

In the event of a malfunction, it is possible that a stop category 0 may occur. When designing the machine application,
timing and distance must be considered for a coast to stop, as well as the possibility of the loss of control of a vertical
load. A malfunction that causes this condition could occur if a hardwired STO input to the drive were to go low (for
example, a wire falls off) before the drive has a chance to completely stop the motor. Use additional protective measures
if this occurrence might introduce unacceptable risks to personnel.

Bill of Material
The logic and output subsystems in this document use these products.
Cat. No.            Description                                                   Quantity
440C-CR30-22BBB     Guardmaster configurable safety relay                         1
2080-IQ4OB4         Sink/source in, 12…24V DC source out                          1
800FP-R611PQ10V     800F reset, round, plastic                                    1
1606-XLP72E         Compact power supply, 24…48V DC, class 2                      1
25C-V2P5N104        PowerFlex 527 AC drive, with embedded EtherNet/IP™ and STO    1

Setup and Wiring


For detailed information on how to install and wire the devices described in this application technique, refer to the
publications listed in the Additional Resources on the back cover.

System Overview

Safety-related Stop Function Initiated by a Safeguard

The Guardmaster 440C-CR30 configurable safety relay monitors the status of a safety input device, for example a
SensaGuard switch. When the input device is tripped (guard door opened), the safety relay de-energizes its two safety
outputs and sends a safety stop command, which removes power from the PowerFlex 527 drive STO inputs. The drive
disables its output power transistors, and this action allows the driven hazardous motion to coast or ramp to a stop. The
overall system-stopping performance of the safety system must be determined by actual measurement. The worst-case stop
time must be used in the measurement of the overall system-stopping performance. All other response/reaction time data
that is required to calculate the overall system-stopping time can be taken from the product literature for the input, logic,
and output subsystems.


Prevention of an Unexpected Start-up

While its input device is in a tripped (guard door open) state, the Guardmaster 440C-CR30 configurable safety relay
cannot be reset, the drive STO inputs remain off, and the hazardous motion cannot be restarted. When the input device is
returned to its safe state (guard door closed), and the reset button is pressed and released properly, the safety outputs
of the relay energize and the drive STO inputs are powered. The hazardous motion can then be restarted by an additional,
separate action.
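
The stop and restart-interlock behaviour described in this System Overview, written out as an added Python model (an illustration added here, not Rockwell Automation code or relay firmware). The class and method names, the rule that the outputs energize when the reset button is released, and the STO wire fault flags are assumptions; the model covers a stop category 0 only.

```python
from dataclasses import dataclass


@dataclass
class SafetyStopModel:
    """Illustrative stop category 0 model; not 440C-CR30 or drive firmware."""
    ch1: bool = True            # safety input channel 1 (True = door closed)
    ch2: bool = True            # safety input channel 2
    out1: bool = False          # relay safety output 1 -> drive STO input 1
    out2: bool = False          # relay safety output 2 -> drive STO input 2
    sto1_wired: bool = True     # constructed fault flag: False = wire fell off
    sto2_wired: bool = True
    reset_pressed: bool = False
    running: bool = False       # hazardous motion

    @property
    def demand(self) -> bool:
        # Either input channel going low places a demand on the safety function.
        return not (self.ch1 and self.ch2)

    @property
    def torque_enabled(self) -> bool:
        # Assumption: the drive needs both STO inputs high to enable its output.
        return self.out1 and self.sto1_wired and self.out2 and self.sto2_wired

    def _evaluate(self) -> None:
        if self.demand:
            self.out1 = self.out2 = False   # Immediate OFF on demand
        if not self.torque_enabled:
            self.running = False            # motion coasts to a stop

    def set_inputs(self, ch1: bool, ch2: bool) -> None:
        self.ch1, self.ch2 = ch1, ch2
        self._evaluate()

    def press_reset(self) -> None:
        self.reset_pressed = True

    def release_reset(self) -> None:
        # Assumption: outputs energize on release, and only with no demand.
        if self.reset_pressed and not self.demand:
            self.out1 = self.out2 = True
        self.reset_pressed = False
        self._evaluate()

    def pulse_reset(self) -> None:
        self.press_reset()
        self.release_reset()

    def press_start(self) -> None:
        if self.torque_enabled:
            self.running = True

    def press_stop(self) -> None:
        self.running = False    # normal stop; safety outputs are untouched

    def sto_wire_off(self, channel: int) -> None:
        if channel == 1:
            self.sto1_wired = False
        else:
            self.sto2_wired = False
        self._evaluate()


def normal_operation_checks() -> dict:
    """Walk the reset/start/open/close sequence and record each expectation."""
    m, r = SafetyStopModel(), {}
    r["outputs_off_at_powerup"] = not (m.out1 or m.out2)
    m.pulse_reset()
    r["reset_energizes_outputs"] = m.out1 and m.out2
    r["no_motion_after_reset"] = not m.running
    m.press_start()
    r["start_begins_motion"] = m.running
    m.press_stop()
    r["normal_stop_leaves_outputs_on"] = m.out1 and m.out2 and not m.running
    m.press_start()
    m.set_inputs(False, False)                      # guard door opened
    r["door_open_trips"] = not m.torque_enabled and not m.running
    m.pulse_reset()
    r["reset_blocked_while_open"] = not (m.out1 or m.out2)
    m.set_inputs(True, True)                        # guard door closed
    r["closing_door_does_not_restart"] = not (m.out1 or m.out2 or m.running)
    m.pulse_reset()
    r["reset_after_close_no_motion"] = m.out1 and m.out2 and not m.running
    m.press_start()
    r["start_resumes_motion"] = m.running
    return r


def fault_checks() -> dict:
    """Single-channel faults must also remove torque (constructed scenarios)."""
    r = {}
    m = SafetyStopModel()
    m.pulse_reset()
    m.press_start()
    m.set_inputs(True, False)                       # one input channel low
    r["single_input_channel_trips"] = not m.torque_enabled and not m.running
    m = SafetyStopModel()
    m.pulse_reset()
    m.press_start()
    m.sto_wire_off(1)                               # STO wire falls off
    r["sto_wire_off_stops_motion"] = not m.torque_enabled and not m.running
    m.press_start()
    r["no_restart_with_sto_wire_off"] = not m.running
    return r


if __name__ == "__main__":
    for name, ok in {**normal_operation_checks(), **fault_checks()}.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```
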

Electrical Schematic
Figure 1 - Stop Category 0 and 1

[Schematic not reproduced. Labeled elements: 24V DC and 0V DC (COM) supply; typical safety input device with actuator; 440C-CR30 (22 pt safety relay) with plug-in I/O; Reset, "Initiate reset to 440C-CR30 via PAC"; PowerFlex 527 drive with gate control power supply and gate control circuit; "Initiate Configured Stop to PowerFlex 527 Drive via Controller" (1).]

(1) For a Stop Category 1, a controlled stop must be programmed via a Motion Servo Off (MSF) or Motion Axis Stop (MAS) motion instruction command.


Configuration
Verify that the 440C-CR30 safety relay is running firmware revision 7.00.00 or later. A free firmware update is available for
older units. The 440C-CR30 relay is configured by using Connected Components Workbench™ software, version 7.00.00
or later. A detailed description of each step is beyond the scope of this document. Knowledge of the Connected
Components Workbench software is assumed.

Configure the 440C-CR30 Relay


Follow these steps to configure the Guardmaster 440C-CR30 relay by using Connected Components Workbench
software. For more information about the 440C-CR30 relay, refer to the Guardmaster 440C-CR30 Configurable Safety
Relay User Manual, publication 440C-UM001.

1. In Connected Components Workbench software, select the 440C-CR30-22BBB configurable safety controller
from the Device Toolbox by double-clicking it.

2. Click OK.

3. Double-click the Guardmaster_440C_CR30 in the project organizer.


4. To add the plug-in I/O module called for in this circuit, right-click the left plug-in module space and choose the
2080-IQ4OB4 module.

The I/O module is shown in standard gray, because it is not a safety I/O module. That is permissible in this
application, because it is not used to connect safety signals. Inputs such as the Feedback and Reset button inputs are
not considered strict safety signals. Using the standard I/O for these non-safety signals can reserve the limited number
of safety inputs and outputs for true safety signals.
5. Click Edit Logic.

6. From the View pull-down menu, choose Toolbox.


The Toolbox appears.

Configure the Logic for a Stop Category 0

1. Drag the SensaGuard safety function and the Reset safety function to the Workspace.
2. Configure the input Safety Monitoring logic as shown in the graphic.


Connected Components Workbench software automatically assigns the first two available inputs, EI_00 and EI_01,
to the device. Leave those inputs as assigned. Connected Components Workbench software automatically assigns
the function name SMF 1 to this block. By default, the software assumes an electro-mechanical device and assigns
Test Sources. The SensaGuard switch has two OSSD outputs and does not require Test Sources.
3. Drag the Immediate OFF safety output function block to the Safety Output column of the Workspace.
4. Configure the Safety Output logic as shown in the graphic.

5. Connect the logic so that the complete logic string looks like this.


Configure the Logic for a Stop Category 1

1. Complete the previous steps 1...4 from the Stop Category 0 configuration on page 11.
2. Add the safety output block shown below to the Workspace and configure the Safety Output logic as shown.

3. The complete logic string looks like this.


Configure the Status Indicators

The 440C-CR30 configurable safety relay provides ten user-configurable input status indicators and six user-configurable
output status indicators. In many cases, they can be helpful in installing, commissioning, monitoring, and troubleshooting
a 440C-CR30 configurable safety relay system. They do not affect the operation of the system in any way, and it is not
necessary to configure them, but they are easy to configure and it is a recommended practice to use them.

1. Click Guardmaster_440C_CR30*.


2. Choose LED Configuration.

3. For the Type Filter, choose Terminal Status for LED 0 and Terminal 00 for Value.


4. Assign the Input and Output LEDs in the same manner.

Labels from the graphic:
• SensaGuard OSSD 1 Status
• SensaGuard OSSD 2 Status
• SensaGuard Status
• Reset Status
• Output Channel 1 Status
• Output Channel 2 Status
• Safety Output 1 Status
• Safety Output 2 Status

Confirm the Validity of the Build

Follow these steps to confirm the validity of the logic by using the Build feature in Connected Components Workbench
software.

1. Click Guardmaster_440C_CR30 in the bar above the Workspace.


2. Click Build.


A Build Succeeded message confirms that the configuration is valid.

If an error or omission is discovered during a build, a message is displayed which details the error so that it can be
corrected. After you correct the error, you must perform the build again.

Save and Download the Project

Follow these steps to save and download the project.

1. From the File menu, choose Save as to save the project.

IMPORTANT Saving the project with a new name closes the workspace windows.

2. In the Project Organizer window, double-click Guardmaster_440C_CR30 to open the workspace.


3. Power up the 440C-CR30 safety relay.
4. Connect the USB cable to the 440C-CR30 relay.
5. Click Download.


6. In the Connection Browser, expand the AB_VBP-1 Virtual Chassis and select the Guardmaster 440C-CR30-22BBB.

7. Click OK.
8. To change from Run to Program mode, click Yes.

9. When the download is complete, click Yes to change from Program to Run mode.

10. Click Edit Logic to see the online diagnostics.


Green indicates that a block is True or that an input or output terminal is ON. Flashing green indicates that a Safety
Output Function is ready to be Reset. The complete safety system must be installed and powered up to fully utilize
the online diagnostics mode.
The online diagnostics mode of the 440C-CR30 relay can be very helpful during the verification process.
11. Review the information in Calculation of the Performance Level on page 19 and Verification and Validation Plan on
page 21 before proceeding with Verification of the Configuration on page 24.

Configure the PowerFlex 527 Drive

The PowerFlex 527 drive is configured by using the Studio 5000® environment, version 24 or later. A detailed description of
how to fully configure the PowerFlex 527 drive is beyond the scope of this document. Knowledge of the Studio 5000 Logix
Designer® application is assumed.

For a Stop Category 1, after a demand, an immediate controlled stop should be executed using a Motion Axis Stop or
Motion Servo Off command.

Calculation of the Performance Level


When properly implemented, the PowerFlex 527 drive with hardwired safe torque-off (STO) can be used in a safety
function that has a Performance Level required (PLr) rating of Category 3, Performance Level e (CAT. 3, PLe), according
to ISO 13849-1: 2008, as calculated by using the Safety Integrity Software Tool for the Evaluation of Machine Applications
(SISTEMA).

IMPORTANT To calculate the PL of your entire safety function, you must include the sensor subsystems along with the logic and actuator
subsystems shown here. Depending on the sensor subsystems and devices you choose, the overall safety rating of your system
could be reduced. An example that describes how to calculate the safety rating for a complete safety function appears in the
section titled Complete Safety Function PL Calculation Example on page 20.

The functional safety data for the Guardmaster 440C-CR30 configurable safety relay is provided from the Rockwell
Automation® SISTEMA library. The functional safety data for the PowerFlex 527 drive is from the PowerFlex 527
Adjustable Frequency AC Drive User Manual, publication 520-UM002.


Logic and Output Subsystems Calculation

This subsystem can be modeled as follows.

Subsystem 1 (Input): Determined by the sensor subsystems you choose
Subsystem 2 (Logic): 440C-CR30 Configurable Safety Relay
Subsystem 3 (Output): PowerFlex 527 Drive with Safe Torque-off

Complete Safety Function PL Calculation Example

The rest of the SISTEMA calculation in this document features a SensaGuard switch as an example of a typical safety-input
device. The functional safety data for the SensaGuard switch is provided from the Rockwell Automation SISTEMA
library.

For instance, here are the PowerFlex 527 "Safety-related stop function that is initiated by safeguard" SISTEMA calculation
results:


The PowerFlex 527 safety function achieves its necessary PLr.

Note: The PowerFlex 527 subsystem has a mission time of 10 years.

Verification and Validation Plan


Verification and validation play important roles in the avoidance of faults throughout the safety system design and
development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a
documented plan to confirm that all safety functional requirements have been met.

Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system is
calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software is
typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.

Validation is a functional test of the safety control system to demonstrate that the system meets the specified requirements
of the safety function. The safety control system is tested to confirm that all safety-related outputs respond appropriately to
their corresponding safety-related inputs. The functional test includes normal operating conditions in addition to potential
fault injection of failure modes. A checklist is typically used to document the validation of the safety control system.

Before validating the system, confirm that the Guardmaster 440C-CR30 configurable safety relay has been wired and
configured in accordance with the installation instructions.

This document uses, as an example, a SensaGuard switch for an input device. Notice that all of the purposely-created faults
are created at the input terminals of the Guardmaster dual-input safety relay. All of the relay’s responses to these faults are
the same as they would be using any typical input device with OSSD outputs or an electro-mechanical input device using
the Guardmaster dual-input safety relay pulse test output feature.

Some of the SensaGuard switch’s reactions to these faults are unique to the SensaGuard switch, as some responses from
other OSSD devices might be unique to those devices.

IMPORTANT The following plan assumes a stop category 0 is being used. If your safety function requires a stop category 1, you must make
appropriate adaptations to the plan.


Verification and Validation Checklist


General Machinery Information
Machine Name/Model Number:
Machine Serial Number:
Customer Name:
Test Date:
Tester Name(s):
Schematic Drawing Number:
Input Devices: 440N-Z21SS2AN9
Guardmaster 440C-CR30 Configurable Safety Relay: 440C-CR30-22BBB
Variable Frequency Drive: 25C-V2P5N104 (PowerFlex 527 drive)

Safety Wiring and Relay Configuration Verification
Test Step   Verification   Pass/Fail   Changes/Modifications
1   Confirm that all component specifications are suitable for the application. See Basic Safety Principles and Well-tried Safety Principles from ISO 13849-2.
2   Visually inspect the safety relay circuit to confirm that it is wired as documented in the schematics.
3   Confirm that the configuration in the 440C-CR30 configurable safety relay is the correct, intended configuration.

Normal Operation Verification - The safety system responds properly to all normal Start, Stop, Reset, and safety inputs.
Test Step   Verification   Pass/Fail   Changes/Modifications
1   Confirm that no one is in the guarded area.
2   Confirm that the hazardous motion is stopped.
3   Confirm that the door is closed.
4   Apply power to the safety system.
5   Confirm that the terminal 00, terminal 01, and SMF1 input status indicators on the 440C-CR30 configurable safety relay are green. Confirm that all output status indicators are OFF. Confirm that the Power and Run status indicators are green. Monitor the 440C-CR30 configurable safety relay for proper status by using Connected Components Workbench software.
6   Press and release the 440C-CR30 configurable safety relay reset button. Confirm that the terminal 20, terminal 21, and SOF1 output status indicators are green. Monitor the status indicators for proper operation, and monitor the 440C-CR30 configurable safety relay for proper status by using Connected Components Workbench software.
7   Confirm that the hazardous motion does not start on powerup.
8   Press and release the external drive Start button. Confirm that the hazardous motion begins and the machine begins to operate.
9   Press the external Stop button. The machine must stop in its normal, configured manner. The safety system must not respond.
10  Press and release the external Start button. Confirm that the hazardous motion starts and the machine begins to operate.
11  Open the guarded door. The safety system must trip. The hazardous motion must stop within less than the calculated stop time. Monitor the status indicators for proper operation and monitor the 440C-CR30 configurable safety relay for proper status by using Connected Components Workbench software.
12 Press and release the 440C-CR30 configurable safety relay Reset button. The
440C-CR30 configurable safety relay must not respond. Monitor the status indicators for
proper operation, and monitor the 440C-CR30 configurable safety relay for proper
status by using Connected Components Workbench software.
13 Close the guarded door. The machine must not start. The 440C-CR30 configurable
safety relay must not respond. Monitor the status indicators for proper operation, and
monitor the 440C-CR30 configurable safety relay for proper status by using Connected
Components Workbench software.
14 Press and release the 440C-CR30 configurable safety relay Reset button. The SOF1 of
the 440C-CR30 configurable safety relay must energize. The hazardous motion must
not start. Monitor the status indicators for proper operation, and monitor the
440C-CR30 configurable safety relay for proper status by using Connected Components
Workbench software.
15 Press and release the external Start button. Confirm that the motor starts and the
machine begins to operate.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
Input Device, 440C-CR30 Configurable Safety Relay Tests
Test Step Validation Pass/Fail Changes/Modifications
1 To find a safety function application technique that uses the type of input device you
plan to use along with a Guardmaster 440C-CR30 configurable safety relay, refer to:
http://www.marketing.rockwellautomation.com/safety-solutions/en/MachineSafety/OurSafetySolutions/safety_functions
Use the input section of that validation procedure as a guide to test your input device.
Validation of Safe Response to Abnormal Operation - The safety system responds properly to all foreseeable faults with corresponding diagnostics.
PowerFlex 527 Drive, 440C-CR30 Configurable Safety Relay Tests
Test Step Validation Pass/Fail Changes/Modifications
1 While the machine continues to run, break the connection between terminal EO_20 of
the 440C-CR30 configurable safety relay and the S1 of the PowerFlex 527 drive. The
PowerFlex 527 drive must fault. The hazardous motion must coast to a stop.
2 Press the external Stop button. Restore the connection. To resume the hazardous
motion, press the external Start button.
3 While the machine continues to run, connect S1 of the PowerFlex 527 drive to 24V DC.
After approximately 18 seconds, the 440C-CR30 configurable safety relay must trip.
The PowerFlex 527 drive STO must fault. The hazardous motion coasts to a stop. The red
Fault status indicator on the 440C-CR30 configurable safety relay is ON.
4 Disconnect the S1 of the PowerFlex 527 drive from 24V DC. Press and release the
440C-CR30 configurable safety relay Reset button. The 440C-CR30 configurable safety relay
must not respond.
5 Cycle power to the 440C-CR30 configurable safety relay. The safety relay powers up.
The red Fault status indicator on the 440C-CR30 configurable safety relay is OFF.
6 Press and release the 440C-CR30 configurable safety relay Reset button. Press the
external Start button. The hazardous motion must resume.
7 While the machine continues to run, short the S1 of the PowerFlex 527 drive to DC
COM. The 440C-CR30 configurable safety relay and PowerFlex 527 drive must trip. The
red Fault status indicator on the 440C-CR30 configurable safety relay is ON.
8 Disconnect the S1 of the PowerFlex 527 drive from DC COM. Press and release the
440C-CR30 configurable safety relay Reset button. The 440C-CR30 configurable safety
relay must not respond.
9 Cycle power to the 440C-CR30 configurable safety relay and the PowerFlex 527 drive.
The 440C-CR30 configurable safety relay responds. The red Fault status indicator on
the 440C-CR30 configurable safety relay is OFF.
10 Press and release the 440C-CR30 configurable safety relay Reset button. Press the
external Start button. The hazardous motion resumes.
11...21 Repeat steps 1…10 using EO_21 in place of EO_20, and S2 in place of S1.

IMPORTANT: In addition to the verification and validation steps that are provided here, consult the application technique for your input
subsystem for the steps that are required to validate the input device. Safety function application techniques are available at
http://marketing.rockwellautomation.com/safety/en/safety_functions.
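
The drive and relay fault tests above only cover both Safe Torque-off channels if every step is recorded for EO_20/S1 and again for EO_21/S2, in order. The following is an added example, not part of the Rockwell publication: it audits a test record for missing, failed, repeated, or out-of-order steps. The record layout, channel labels, and function names are assumptions.

```python
# Added example: audit a recorded validation run against the fault-injection plan.
# The record layout (channel, step, result) is an assumption, not a Rockwell format.
# Steps 1-10 for the first channel, paraphrased from the table above.
BASE_STEPS = {
    1: "Break EO_20 to S1 while running: drive faults, motion coasts to a stop",
    2: "Stop, restore the connection, Start: motion resumes",
    3: "S1 to 24V DC: relay trips after about 18 s, STO faults, red Fault ON",
    4: "Remove 24V DC, press Reset: relay must not respond",
    5: "Cycle relay power: red Fault OFF",
    6: "Reset, then Start: motion resumes",
    7: "S1 to DC COM: relay and drive trip, red Fault ON",
    8: "Remove the short, press Reset: relay must not respond",
    9: "Cycle relay and drive power: red Fault OFF",
    10: "Reset, then Start: motion resumes",
}
LATCH_STEPS = {4, 8}  # a pass here shows the fault stays latched against Reset
CHANNELS = {"EO_20/S1": ("EO_20", "S1"), "EO_21/S2": ("EO_21", "S2")}

def build_plan():
    """Expand the ten base steps for both channels, as the repeat step requires."""
    plan = {}
    for channel, (out, sto) in CHANNELS.items():
        for n, text in BASE_STEPS.items():
            plan[(channel, n)] = text.replace("EO_20", out).replace("S1", sto)
    return plan

def audit(records):
    """Return findings for unknown, repeated, out-of-order, failed, or missing steps."""
    plan, findings, seen, last = build_plan(), [], set(), {}
    for rec in records:
        key = (rec["channel"], rec["step"])
        if key not in plan:
            findings.append(f"unknown step {key}")
            continue
        if key in seen:
            findings.append(f"repeated step {key}")
        if rec["step"] < last.get(rec["channel"], 0):
            findings.append(f"out of order {key}")
        seen.add(key)
        last[rec["channel"]] = rec["step"]
        if rec["result"] != "pass":
            kind = "fault latch check failed" if rec["step"] in LATCH_STEPS else "failed"
            findings.append(f"{kind} {key}: {plan[key]}")
    findings += [f"missing step {k}" for k in plan if k not in seen]
    return findings

# Constructed sample record: channel 1 complete with step 4 failed, channel 2 untested.
SAMPLE = [{"channel": "EO_20/S1", "step": n, "result": "fail" if n == 4 else "pass"}
          for n in range(1, 11)]
```

Running `audit(SAMPLE)` reports the failed latch check on step 4 of the first channel and all ten steps of the second channel as missing.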

Verification of the Configuration


You must confirm the verification of the 440C-CR30 configuration for each individual application by using the Verify
command in the configuration software. If the 440C-CR30 configurable safety relay is not verified, it will fault after 24
hours of operation.

ATTENTION: The verification process must be documented in the safety system's technical file.

To confirm the verification of the configuration, follow these steps.

1. Make sure that the 440C-CR30 relay is powered up and connected to your workstation via the USB cable.
2. Confirm that the upper right-hand corner of the Connected Components Workbench Project tab shows that the
440C-CR30 relay is connected. If it is not, click Connect to Device to establish the software connection.

3. Click Verify.

4. Answer all questions and check each box, if completed.

IMPORTANT: All boxes must be marked to generate the Verification ID.

5. Click Generate.
6. To proceed with the verification, click Yes.

After about ten seconds, a pop-up window appears to confirm that the Verify process was successful.
7. To change to Run mode, click Yes.

8. Record the Safety Verification ID in the machine documentation.

This process is the feedback to the 440C-CR30 relay that the system verification and functional tests have been
completed. The unique verification ID can be used to check if changes have been made to a configuration file. Any
change to the configuration removes the Safety Verification ID. Subsequent Verify actions generate a different
verification ID. The Safety Verification ID is displayed in Connected Components Workbench software only when
you are connected to the 440C-CR30 relay. The Safety Verification ID can be displayed on the IN and OUT input
and output status indicators of the 440C-CR30 safety relay at any time by pushing and holding the MEM/ID
button below the USB receptacle.

Additional Resources
These documents contain more information about related products from Rockwell Automation.
Resource
    Description

Safety Function: Door Monitoring Products: SensaGuard/GSR DI, publication SAFETY-AT069
    Provides instructions on how to wire and configure a SensaGuard non-contact, latching interlock and an E-Stop as input devices, a Guardmaster dual-input safety relay as the Logic/Control, and two 100S safety contactors as the output devices to create an integrated safety system.

Guardmaster 440C-CR30 Configurable Safety Relay User Manual, publication 440C-UM001D
    Provides instructions on how to design, install, configure, and troubleshoot control systems that use the 440C-CR30 configurable safety relay.

Integrated Motion on the Ethernet/IP Network Reference Manual, publication MOTION-RM003
    Provides details about the AXIS_CIP_DRIVE motion control axis attributes and the Logix Designer application Control Modes.

Logix5000 Controllers Motion Instructions Reference Manual, publication MOTION-RM002
    Provides details about the motion instructions that are available for a Logix5000™ controller.

PowerFlex 527 Adjustable Frequency AC Drive User Manual, publication 520-UM002
    Provides detailed information on how to install, configure, operate, and maintain a PowerFlex 527 adjustable frequency AC drive.

Micro800 Digital Input, Output, and Combination Plug-in Modules Wiring Diagrams, publication 2080-WD011
    Provides instructions on how to wire a Micro800® digital input, output, or combination plug-in module.

Guardmaster 440C-CR30 Configurable Safety Relay Wiring Diagram, publication 440C-WD001
    Provides instructions on how to wire, install, configure, and operate a Guardmaster 440C-CR30 configurable safety relay.

Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1
    Provides general guidelines on how to install a Rockwell Automation industrial system.

Safety Products Catalog, publication S117-CA001
Website http://www.rockwellautomation.com/rockwellautomation/catalogs/overview.page
    Provides information about Rockwell Automation safety products.

Product Certifications website, available from the Product Certifications link on http://www.ab.com
    Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of
technical documentation, contact your local Allen-Bradley® distributor or Rockwell Automation sales representative.


Documentation Feedback
Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this
document, complete this form, publication RA-DU002, available at http://www.rockwellautomation.com/literature/.

For more information on Safety Function Capabilities, visit:
http://marketing.rockwellautomation.com/safety/en/safety_functions

Rockwell Automation maintains current product environmental information on its website at
http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.

Allen-Bradley, Connected Components Workbench, Guardmaster, LISTEN. THINK. SOLVE, Logix5000, Micro800, PowerFlex, Rockwell Automation, Rockwell Software, SensaGuard, Studio 5000, and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
EtherNet/IP is a trademark of ODVA, Inc.

Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400

Publication SAFETY-AT143A-EN-P - August 2015


Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
