Safety Application Example

PowerFlex 70 Safe-Off Control


EtherNet/IP Guard I/O Safety Module and
GuardLogix Integrated Safety Controller

Safety Rating: Category 3 (also see Achieving a Cat. 4 Safety Rating) according to EN954-1

Introduction
Important User Information
General Safety Information
Description
Setup and Wiring
Configure
Programming
Performance Data
Achieving a Cat. 4 Safety Rating
Additional Resources

Introduction

In September 2006, NFPA 79 added an exception to the requirement for
disconnection of an actuator any time an E-stop is invoked. Safety PLCs
and other programmable devices such as drives are now allowed to be
the final switching element, provided they are designed to relevant safety
standards. This change is also in effect in IEC 60204-1. With this
modification, manufacturers will see a significant cost savings in terms
of equipment, wiring, and cabinet space.
DriveGuard safety solutions for Allen-Bradley PowerFlex AC drives
prevent a drive from delivering rotational energy to motors by integrating
an optional safety board in series with the power switching signals.
Along with a separate dedicated enable input on the base drive, this
option provides a certified solution that meets EN954-1, Category 3
(safe-off and protection against restart).
Features and Benefits
This application setup offers the following features and benefits:
• This configuration increases the life of the drive because of the use
of soft stopping, such as removal of power to the gate firing circuits
of the drive’s output power devices.
• This configuration requires a smaller panel size by using a control
contactor included within the PowerFlex DriveGuard drives to
replace external power contactors.
• A drive with safe-off capabilities can offer increased productivity
through reduced downtime.

Important User Information


Solid state equipment has operational characteristics differing from those
of electromechanical equipment. Safety Guidelines for the Application,
Installation and Maintenance of Solid State Controls (publication
SGI-1.1 available from your local Rockwell Automation sales office or
online at http://literature.rockwellautomation.com) describes some
important differences between solid state equipment and hard-wired
electromechanical devices. Because of this difference, and also because
of the wide variety of uses for solid state equipment, all persons
responsible for applying this equipment must satisfy themselves that
each intended application of this equipment is acceptable.
In no event will Rockwell Automation, Inc. be responsible or liable for
indirect or consequential damages resulting from the use or application
of this equipment.
The examples and diagrams in this manual are included solely for
illustrative purposes. Because of the many variables and requirements
associated with any particular installation, Rockwell Automation, Inc.
cannot assume responsibility or liability for actual use based on the
examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect
to use of information, circuits, equipment, or software described in this
manual.
Publication SAFETY-AT017B-EN-P – July 2011

Reproduction of the contents of this manual, in whole or in part, without
written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you
aware of safety considerations.

WARNING: Identifies information about practices or circumstances that
can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property
damage, or economic loss.

IMPORTANT: Identifies information that is critical for successful
application and understanding of the product.

ATTENTION: Identifies information about practices or circumstances that
can lead to personal injury or death, property damage, or
economic loss. Attentions help you identify a hazard, avoid
a hazard, and recognize the consequence.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a
drive or motor, to alert people that dangerous voltage may
be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a
drive or motor, to alert people that surfaces may reach
dangerous temperatures.

General Safety Information

This application example is for advanced users and
assumes that you are trained and experienced in safety
system requirements.

A risk assessment should be performed to make sure all
task and hazard combinations have been identified and
addressed. The risk assessment may require additional
circuitry to reduce the risk to a tolerable level. Safety
circuits must take into consideration safety distance
calculations which are not part of the scope of this
document.

Contact Rockwell Automation to find out more about our safety risk
assessment services.


Description

This application example shows how to control a PowerFlex 70 drive
with DriveGuard Safe-Off, via a GuardLogix integrated safety controller
and an EtherNet/IP Guard I/O safety module. An emergency stop
pushbutton and a Trojan gate interlock switch are used as safety inputs
within this safety system.
Safety Function
The EtherNet/IP Guard I/O safety module uses its test pulse outputs to
continually send pulses over the E-stop and interlock switch safety
circuits in order to detect faults. These faults include shorts to 24V DC
and between channels.
The GuardLogix safety controller monitors the status of the E-stop
pushbutton and safety interlock switch. When the interlock conditions
defined within programming logic are satisfied, the safety outputs of the
EtherNet/IP Guard I/O safety module can be enabled. These safety
outputs are used to control the Safe-Off and Drive Enable inputs on the
PowerFlex 70 drive.
This example meets the requirements of Category 3 according to
EN954-1, which is Safe-Off and protection against restart.
Example Bill of Material
This application example uses these components.
Part Number        Description                                          Quantity
1791ES-IB8XOBV4    Safety I/O module with solid state outputs           1
1756-L61S          GuardLogix safety controller                         1
1756-LSP           GuardLogix safety partner                            1
1756-A4            4 slot chassis                                       1
1756-ENBT/A        Ethernet module                                      1
1756-PA72          ControlLogix power supply                            1
440K-T11365        Trojan Interlock, 2NC + 1NO, MBB, QD, Fully Flex     1
800FM-MT44         E-stop Button 40mm, maintained, twist to release     1
800F P-F4          800F pushbutton, red                                 1
800F P-F0          800F pushbutton, amber                               1
20AB4P2A3NYNNG1    PowerFlex 70 drive                                   1
20A-DG01           DriveGuard Safe-Off board                            1


Setup and Wiring

For detailed information on installing and wiring, refer to the product
manuals listed in the Additional Resources.

System Overview
(Diagram) Components shown: GuardLogix Controller, EtherNet/IP Guard I/O,
EtherNet/IP network, Fault Reset, Circuit Reset, Emergency Stop, Trojan
Interlock Switch, PowerFlex 70 with DriveGuard.

Wiring
This diagram shows the appropriate wiring.


Wiring Considerations
The following wiring considerations should be addressed for your
application:

The common for the digital input board on the PowerFlex
70 must be tied to the output common for the 1791ES-IB8XOBV4
module.

This application example requires that a digital input on
the PowerFlex 70 drive be configured for Drive Enable.
This input must be controlled by the Guard I/O Safety
module.

The Drive Enable digital input on the PowerFlex 70 drive is
a solid state circuit. For this reason, the safety outputs on
the Guard I/O safety module must not be configured for
Safety Pulse Test as it may interfere with the operation of
the digital input.

If your risk assessment determines you must pulse test your safety
output circuits in order to catch shorts of P terminal to 24V or M terminal
to 0V, refer to Achieving a Cat. 4 Safety Rating, for an alternative wiring
schematic.


Reaction to Faults
Based on the wiring and safety module configuration shown in this
application example, this section details how the safety module responds
to line faults incurred between the safety outputs and the PowerFlex 70
drive:

Channel-to-channel Short
Channel   Start   Fault   Immediate Reaction   Immediate Detection
P         HI      ch-ch   LO                   Yes*
M         HI      ch-ch   LO                   Yes*

Short to 24V
Channel   Start   Fault   Immediate Reaction   Immediate Detection
P         HI      Short   HI                   Undetectable
M         HI              HI

P         HI              LO
M         HI      Short   LO                   Yes*

Short to 0V
Channel   Start   Fault   Immediate Reaction   Immediate Detection
P         HI      Short   LO                   Yes*
M         HI              LO

P         HI              HI
M         HI      Short   HI                   Undetectable

Wire OFF
Channel   Start   Fault   Immediate Reaction   Immediate Detection
P         HI      off     LO                   Yes**
M         HI              LO

P         HI              LO
M         HI      off     LO                   Yes**
* These faults result in the output status going LO. The error remains for
the duration of the Output Error Latch Time configured in the module
properties.
** These faults result in the output status remaining HI. The feedback of
the ROUT instruction detects this type of fault.


Fault Exclusion Affecting Category Rating

There is a combination of undetected faults that could cause a dangerous
failure of the safety function in this application. The accumulation of the
following two faults would disable your safety system from stopping the
PowerFlex 70 drive:
• Short of P terminal to 24V
• Short of M terminal to 0V

If a P terminal short to 24V and/or an M terminal short to
0V are faults that must be detected as determined by your
risk assessment, refer to Achieving a Cat. 4 Safety Rating
for an alternative wiring scheme.
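The output-side fault behaviour above, captured as a small model (an added example, not code from the publication): it encodes the single-fault tables and shows why the two undetectable shorts, once accumulated, defeat the stop at Category 3, and why pulse testing the outputs (the Cat. 4 wiring) changes that. The names SINGLE_FAULT_TABLE and OutputPair are assumptions, as is reporting a pulse-test detection as a module fault.

```python
"""Model of the Guard I/O bipolar safety output pair (P sourcing, M sinking) that
drives the PowerFlex 70 Safe-Off relay and Drive Enable input.  Added example, not
from the publication: the single-fault table is transcribed from the page, the
accumulation walk-through is a constructed illustration of the Cat. 3 exclusion."""
from dataclasses import dataclass, field

# (fault kind, faulted channel) -> (P reaction, M reaction, detection), where
# detection is "module" (output status goes LO for the Output Error Latch Time),
# "feedback" (output status stays HI; the ROUT feedback catches it) or None.
SINGLE_FAULT_TABLE = {
    ("ch-ch short", "P"): ("LO", "LO", "module"),
    ("ch-ch short", "M"): ("LO", "LO", "module"),
    ("short to 24V", "P"): ("HI", "HI", None),       # undetectable without pulse test
    ("short to 24V", "M"): ("LO", "LO", "module"),
    ("short to 0V", "P"): ("LO", "LO", "module"),
    ("short to 0V", "M"): ("HI", "HI", None),        # undetectable without pulse test
    ("wire off", "P"): ("LO", "LO", "feedback"),
    ("wire off", "M"): ("LO", "LO", "feedback"),
}


def single_fault_reaction(kind, channel, pulse_test=False):
    """Immediate reaction and detection for one line fault.  With the outputs
    configured for Safety Pulse Test (the Cat. 4 wiring) the page states that
    the two undetectable shorts become detectable; here they are assumed to be
    reported by the module like the other detected shorts."""
    p, m, detect = SINGLE_FAULT_TABLE[(kind, channel)]
    if detect is None and pulse_test:
        detect = "module"
    return p, m, detect


@dataclass
class OutputPair:
    pulse_test: bool = False
    faults: set = field(default_factory=set)
    detected: list = field(default_factory=list)

    def inject(self, kind, channel):
        """Apply a fault and record whether anything detected it."""
        self.faults.add((kind, channel))
        detect = single_fault_reaction(kind, channel, self.pulse_test)[2]
        if detect:
            self.detected.append((kind, channel, detect))
        return detect

    def load_energized_after_stop(self):
        """With both outputs commanded OFF, the load stays powered only if P is
        held at 24V and M is held at 0V by faults at the same time."""
        return (("short to 24V", "P") in self.faults
                and ("short to 0V", "M") in self.faults)

    def dangerous_failure(self):
        """Dangerous failure of the safety function: a stop demand leaves the
        drive enabled and no fault was ever raised along the way."""
        return self.load_energized_after_stop() and not self.detected


def accumulate(pulse_test):
    """Walk the fault-exclusion scenario: P shorts to 24V, later M shorts to 0V."""
    pair = OutputPair(pulse_test=pulse_test)
    first = pair.inject("short to 24V", "P")
    second = pair.inject("short to 0V", "M")
    return first, second, pair.dangerous_failure()
```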

Configure

Set the Network IP Address for the 1791ES-IB8XOBV4 Module
The module ships with the rotary switches set to 999 and DHCP enabled.
To support the hardware configuration shown above, use the following
configuration.
Set the network address using one of the following methods:
• Adjust the three switches on the front of the module.
• Use a Dynamic Host Configuration Protocol (DHCP) server, such as
Rockwell Automation BootP/DHCP Server Utility.
• Retrieve the IP address from nonvolatile memory.
Using the Rotary Switches to Set the Network IP Address
The module reads the switches first to determine if the switches are set to
a valid number.
Set the network address by adjusting the three switches on the front of
the module.
Valid settings range from 001…254. When the switches are set to a valid
number, the module’s IP address is 192.168.1.xxx (xxx represents the
number set on the switches).

The module’s subnet mask is 255.255.255.0 and the gateway address is
set to 0.0.0.0. When the module is reading the network address set on the
switches, the module does not have a host name assigned to it nor does it
use any Domain Name System.
If the switches are set to an invalid number (such as 000 or a value
greater than 254), the module checks to see if DHCP is enabled. If
DHCP is enabled, the module asks for an address from a DHCP server.

The DHCP server also assigns other Transmission Control Protocol (TCP)
parameters.
Using the Rockwell Automation BootP/DHCP Server Utility
Follow these steps to use the Rockwell Automation BootP/DHCP Server
Utility to set the Network IP Address.

1. Identify the target module by the MAC address listed on the
EtherNet/IP Guard I/O safety module.
The MAC address is displayed in the BootP/DHCP Server Utility as
shown.
2. Select the entry with the MAC address that corresponds with your
target module to define the address and Transport Control
Parameters for the module.
3. After the new IP address is displayed in the BootP/DHCP Server
Utility, disable BootP/DHCP.

If DHCP is not enabled, the module uses the IP address (along with
other TCP configurable parameters) stored in nonvolatile memory.


Configuring the 1791ES-IB8XOBV4 Guard I/O Safety Module in RSLogix 5000 Software
In the RSLogix 5000 project, the 1791ES-IB8XOBV4 module is added
to the I/O Configuration under the 1756-ENBT EtherNet/IP bridge
module, as shown.

Set the Module Properties
The 1791ES-IB8XOBV4 module is configured as follows.
1. On the General tab of the 1791ES-IB8XOBV4 Module Properties
dialog box, configure the following fields:
• Name: Unique module name
• IP Address: IP address of target module


2. Click Change to open the Module Definition dialog box.
3. Configure the module as shown below.
Combined Status consolidates all eight input status bits into a
single status bit. The same is true for Output Data. For status bits
for individual input/output/test points, choose an alternative
Input/Output Status data format.
4. Make edits on the Connection and Safety tabs to match your
application requirements.
This example uses the default data in the Connection and Safety
tabs shown below. The data should be changed based on the
throughput requirements of your system.


Edit the Module’s Input Configuration
1. Select the Input Configuration tab.
2. Select one of the following under Point Mode:
• Standard – Input circuits not tested internally
• Safety – Input circuits tested internally
• Safety Pulse Test – Input circuits tested internally and wired
to a Test Source for Pulse-Testing
3. Select Inputs 0 and 1 for the E-stop.
These are configured as Safety Pulse Test and utilize Test Sources
0 and 1, respectively.
4. Select Inputs 2 and 3 for the Interlock Switch.
These are configured as Safety Pulse Test and utilize Test Sources
0 and 1, respectively.
5. Select Inputs 4 and 5 for the Safety Circuit and Fault Reset
buttons.
These are not safety inputs so they are configured as Standard.
6. Select Input 7 to monitor the feedback from the Safe-Off relay in
the PowerFlex 70 drive.
This is a Standard input.

Edit the Module’s Test Output Configuration
1. Select the Test Output tab.
2. Configure Test Outputs 0 and 1 as Pulse Test.


3. Configure Output 7 as a Power Supply for the monitoring circuit.

Edit the Module’s Output Configuration
1. Select the Output tab.
2. Configure Output points 6 and 7 as Safety outputs because they are
used to control the Safe-Off relay and Drive Enable digital input in
the PowerFlex 70 drive.

To prevent the test pulse from causing the drive enable
digital input to malfunction, Rockwell Automation
recommends that the safety outputs are configured as
Safety.

Programming

This section details how to program your GuardLogix project based on
the wiring and configuration detailed in the previous sections. The
programming code for this application example was generated using the
Safety Accelerator Toolkit for GuardLogix Systems publication,
IASIMP-QS005. This toolkit provides easy-to-use system design,
programming, and diagnostic tools to assist you in the rapid development
and deployment of your safety systems using Rockwell Automation’s
GuardLogix controller, Guard I/O, and safety devices.


Safety Tags
The safety logic shown below requires the creation and use of the
following safety tags.

Safety Logic
The following code should be programmed in a routine within your
Safety Task in the GuardLogix controller.

Emergency Stop Safety Logic

The E-stop instruction provides SIL 3 level diagnostics for a dual-channel
emergency stop function. The E-stop monitors input channels for
consistency and detects and traps faults (inconsistency greater than
500 ms).
The Reset Type is configured as Automatic for continuous monitoring of
input device states. Using Automatic reset functionally moves the Safety
Output Reset function from the E-stop instruction (Circuit Reset) to the
Safety Output logic. Because the Circuit Reset function is not performed
within this instruction, a dummy tag named None is used as a
placeholder.

Input status is not monitored because the input data will go LO
if the channel faults. The safety code in the safety output
routine will prevent outputs from restarting if the E-stops reset
automatically.

The InputOK status is used as one of the permissives in the safety output
routines.

Gate Switch Safety Logic

The RIN instruction provides SIL 3 level diagnostics for a channel
Redundant Input function. The RIN monitors input channels for
consistency and detects and traps faults (inconsistency greater than
500 ms). In this application, the RIN instruction monitors the status of
the two channels from the Trojan interlock switch.


Safety Input Interlock Rung

This rung includes the safety device input interlocks, with tag names
Sts_Zone1_EStop_InputOK and Sts_Zone1_GateSwitch_InputOK, that
energize the Sts_Zone1_InputsOK OTE instruction. These interlock tags
are driven by the individual safety device input logic rungs shown
earlier. The Sts_Zone1_InputsOK tag is then included in the Output
Enable Rung which drives the ROUT instruction.

Output Enable Rung

This rung provides the operator action required to reset or enable the
safety zone output. The operator action is a HI transition of
Cmd_Zone1_SafetyReset. It latches the output enable until either a
demand is placed on a safety input, there is an input channel or output
channel fault, or a feedback fault on the output circuit. The
Sts_Zone1_InputsOK will go LO in the event of a demand on any safety
input(s) or fault on any safety input channel(s) within the zone.
The CombinedOutputStatus will go LO if any output channel on the
1791ES Guard I/O module faults or there is a connection timeout to the
I/O module. The .FP feedback fault present drops out the output enable
in the event of a feedback fault, so that reset or enable cannot occur
without operator action.


Safety Output Rungs

This rung controls the dual outputs on the 1791ES Guard I/O module
named CellGuard1. The ROUT instruction outputs, O1 and O2, are used
to drive the safety outputs 06 and 07 (Tags: CellGuard1:O.Pt06Data and
CellGuard1:O.Pt07Data) which are wired to the PowerFlex 70 Safe-Off
relay and Drive Enable digital input.

Reassignment of the feedback and output channels must
be made to match your unique safety wiring configuration.
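The interlock and output-enable behaviour of the rungs above, as a scan-cycle model (an added example, not the publication's ladder logic; the names SafetyZone and DualChannelInput and the 10 ms scan are assumptions, and the E-stop/RIN internals are reduced to the 500 ms discrepancy trap). The two scenarios show the protection-against-restart property: once an E-stop is released, InputOK returns automatically but the outputs stay OFF until a fresh Circuit Reset, and a trapped channel fault blocks any reset until a Fault Reset.

```python
"""Scan-cycle model of the Zone 1 safety logic described above.  Added example,
not the publication's ladder code: the E-stop/RIN internals are reduced to the
500 ms discrepancy trap, ROUT feedback is not modelled, and 10 ms scan is assumed."""
SCAN_MS = 10
DISCREPANCY_MS = 500   # page: inconsistency greater than 500 ms traps a fault

class DualChannelInput:
    """Automatic-reset dual-channel monitor (the E-stop and RIN instructions)."""
    def __init__(self):
        self.discrepancy_ms = 0
        self.fault_present = False   # latched until a fault reset

    def scan(self, ch_a, ch_b, fault_reset=False):
        if fault_reset and ch_a == ch_b:
            self.fault_present = False
        if ch_a != ch_b:
            self.discrepancy_ms += SCAN_MS
            if self.discrepancy_ms > DISCREPANCY_MS:
                self.fault_present = True
        else:
            self.discrepancy_ms = 0
        # Automatic reset: InputOK follows the channels as long as no fault is trapped
        return ch_a and ch_b and not self.fault_present

class SafetyZone:
    """Safety Input Interlock rung, Output Enable rung and the ROUT output pair."""
    def __init__(self):
        self.estop, self.gate = DualChannelInput(), DualChannelInput()
        self.output_enable = False   # latch set by the Output Enable rung
        self._prev_reset = False     # for the HI transition of Cmd_Zone1_SafetyReset

    def scan(self, estop_ch, gate_ch, circuit_reset=False, fault_reset=False,
             combined_output_status=True):
        estop_ok = self.estop.scan(*estop_ch, fault_reset=fault_reset)
        gate_ok = self.gate.scan(*gate_ch, fault_reset=fault_reset)
        inputs_ok = estop_ok and gate_ok                 # Sts_Zone1_InputsOK
        # A demand, an input channel fault or an output/connection fault
        # (CombinedOutputStatus LO) drops the enable; only a fresh operator
        # reset edge, with every permissive HI, latches it again
        rising = circuit_reset and not self._prev_reset
        self._prev_reset = circuit_reset
        if not inputs_ok or not combined_output_status:
            self.output_enable = False
        elif rising:
            self.output_enable = True
        o1 = o2 = self.output_enable                     # ROUT O1/O2 -> Pt06/Pt07
        return {"inputs_ok": inputs_ok, "enable": self.output_enable, "O1": o1, "O2": o2}

def estop_restart_scenario():
    """E-stop pressed and released: outputs stay OFF until a new Circuit Reset."""
    z, hi, lo = SafetyZone(), (True, True), (False, False)
    z.scan(hi, hi, circuit_reset=True)
    running = z.scan(hi, hi)["enable"]
    z.scan(lo, hi)                        # E-stop demand
    stopped = z.scan(lo, hi)["enable"]
    z.scan(hi, hi)                        # released: InputOK returns automatically
    after_release = z.scan(hi, hi)["enable"]
    z.scan(hi, hi, circuit_reset=True)
    return running, stopped, after_release, z.scan(hi, hi)["enable"]

def discrepancy_scenario():
    """One E-stop channel opens while the other stays HI for more than 500 ms."""
    z, hi = SafetyZone(), (True, True)
    z.scan(hi, hi, circuit_reset=True)
    for _ in range(DISCREPANCY_MS // SCAN_MS + 1):       # 510 ms of disagreement
        z.scan((False, True), hi)
    faulted = z.estop.fault_present
    z.scan(hi, hi, circuit_reset=True)    # channels agree again, operator tries reset
    enable_while_faulted = z.scan(hi, hi)["enable"]
    z.scan(hi, hi, fault_reset=True)
    z.scan(hi, hi, circuit_reset=True)
    return faulted, enable_while_faulted, z.scan(hi, hi)["enable"]
```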

Performance Data

Worst-case Reaction Time Based on Safety System
Typically, both channels are HI coming from the interlock switch and the
E-stop. If any one channel goes LO, the corresponding filter timer
configured in the 1791ES-IB8XOBV4 module starts. If the channel is still
LO when the filter times out, the output is turned OFF.


Worst case, the time it takes to occur is the sum of the A to E path as
described below.

A – Input Module Delay – 16 ms + on/off delay filters
B – Input Connection Reaction Time Limit (CRTL)
The Connection Reaction Time Limit is configured in the 1791ES
Module Properties within RSLogix 5000 software. The Input
Connection defaults to 4 x RPI.
C – GuardLogix Delay
The maximum delay for the GuardLogix controller is:
Period + Task Watchdog
D – Output Connection Reaction Time Limit
E – Output Module Delay = 6ms
Worst Case Reaction Time = A + B + C + D + E


Typical Reaction Time of Safety System

Typically, both channels are HI coming from the interlock switch and the
E-stop. If any one channel goes LO, the corresponding filter timer
configured in the 1791ES-IB8XOBV4 module starts. If the channel is still
LO when the filter times out, the output is turned OFF.
Typically, the time it takes to occur is the sum of the A to E path as
described below.

A – Input Module delay / (max/2) = 8ms + on/off delay filters
B – Input Connection Reaction Time / Input RPI
C – GuardLogix Delay
The typical delay time for the GuardLogix controller is:
(Period / 2) + Task Scan Time
D – Output Connection Reaction Time / Output RPI = Task Period
E – Output Module Delay / (max / 2) = 3ms
Typical Reaction Time = A + B + C + D + E
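Both reaction-time formulas carried through as a calculation (an added example, not from the publication), with a per-term breakdown so that the leg dominating the budget is visible. The class name SafetyTiming and the parameter values used in the test are constructed; the Output CRTL is taken as configured in the module properties rather than defaulted, since the page gives no default for it.

```python
"""Worst-case and typical safety reaction time along the A-to-E path above.
Added example, not from the publication: the formulas are the page's, the
parameter values used in any sample budget are constructed."""
from dataclasses import dataclass

INPUT_MODULE_MAX_MS = 16    # A, worst case (page)
OUTPUT_MODULE_MAX_MS = 6    # E, worst case (page)


@dataclass
class SafetyTiming:
    input_rpi_ms: float       # RPI of the 1791ES input connection
    output_crtl_ms: float     # Output Connection Reaction Time Limit, as configured
    task_period_ms: float     # GuardLogix safety task period (= output RPI)
    task_watchdog_ms: float   # safety task watchdog
    task_scan_ms: float       # measured scan time of the safety task
    input_filter_ms: float = 0.0      # on/off delay filter on the input point
    input_crtl_multiplier: int = 4    # Input CRTL defaults to 4 x RPI (page)

    def worst_case(self):
        """Per-term worst-case breakdown in ms; sum with total()."""
        return {
            "A": INPUT_MODULE_MAX_MS + self.input_filter_ms,
            "B": self.input_crtl_multiplier * self.input_rpi_ms,
            "C": self.task_period_ms + self.task_watchdog_ms,
            "D": self.output_crtl_ms,
            "E": OUTPUT_MODULE_MAX_MS,
        }

    def typical(self):
        """Per-term typical breakdown in ms (max/2 module delays, a single RPI)."""
        return {
            "A": INPUT_MODULE_MAX_MS / 2 + self.input_filter_ms,
            "B": self.input_rpi_ms,
            "C": self.task_period_ms / 2 + self.task_scan_ms,
            "D": self.task_period_ms,
            "E": OUTPUT_MODULE_MAX_MS / 2,
        }


def total(terms):
    """Reaction time = A + B + C + D + E."""
    return sum(terms.values())


def dominant_term(terms):
    """The leg that contributes most, i.e. where tuning RPI, watchdog or
    CRTL would buy the largest reduction."""
    return max(terms, key=terms.get)
```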

Achieving a Cat. 4 Safety Rating

In order to achieve Cat. 4, modifications must be made to the bill of
materials, software configuration, and wiring schematic.
The Category 3 solution used a drive enable digital input to the drive and
the relay as switching signals to disconnect power to the motor. In that
solution, we had no means to monitor the status of the Drive Enable
digital input. In the Cat. 4 solution, we replace the Drive Enable input
with a safety contactor.


Modified Bill of Materials

A Cat. 4 solution requires a safety contactor which disconnects power to
the motor that the PowerFlex 70 is controlling under a hazardous
condition.

Catalog Number     Description                        Quantity
100S-C43DJ14BC     Bulletin 100S Safety Contactor     1

Choose a safety contactor that is rated for your application requirements.


Modified Wiring Schematic
This wiring diagram, using a safety contactor, illustrates turning off
power to the motor under a hazardous condition. The safety contactor is
turned on via the outputs from the EtherNet/IP Guard I/O module, and
feedback from this contactor is linked with the Safe-Off relay feedback
and fed back into Input 7 of the EtherNet/IP Guard I/O module.


Modified Configuration
The safety Output Configuration for the Guard I/O module can now be
configured for Safety Pulse Test. With Safety Pulse Test configured,
shorts of the P terminal to 24V and shorts of the M terminal to 0V can be
detected during system operation.


Additional Resources

For more information about the products used in this example refer to
these resources.

Resource                                            Description
CompactBlock Guard I/O EtherNet/IP Safety Modules   Provides installation instructions for the
Publication 1791ES-IN001                            1791ES-IB8XOBV4 module

Guard I/O EtherNet/IP Safety Modules                Provides operation and troubleshooting
Publication 1791ES-UM001                            information for the 1791ES-IB8XOBV4 module

GuardLogix Safety Application Instruction Set       Describes the Safety Application Instruction
Publication 1756-RM095                              Set for the GuardLogix controller

GuardLogix Controller Systems                       Explains how the GuardLogix controller can be
Publication 1756-RM03                               used in safety applications

DriveGuard Safe-Off Option for PowerFlex 70 Drives  Provides installation, operation, and
Publication PFLEX-UM001                             troubleshooting information for PowerFlex 70
                                                    drives with Safe-Off

Safety Accelerator Toolkit for GuardLogix Systems   Describes how to use GuardLogix Safety System
Quick Start, Publication IASIMP-QS005               Design Tools available on the SAFETY-CL002 CD

You can view or download publications at
http://literature.rockwellautomation.com. To order paper copies of
technical documentation, contact your local Rockwell Automation
distributor or sales representative.


Allen-Bradley, ControlLogix, DriveGuard, GuardLogix, PowerFlex, and Rockwell Automation
are trademarks of Rockwell Automation, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.

Publication SAFETY-AT017B-EN-P – July 2011
Supersedes publication SAFETY-AT017A-EN-P – July 2008
Copyright © 2011 Rockwell Automation, Inc. All rights reserved. Printed in USA.