
Safety Application Note Rockwell Automation

Safety Application Note

A Modular Safety System Design Concept


Global E-Stop with Local Machine Guarding
This application note shows a modular safety design concept with separate but related e-stop and
guardlocking interlock functions. This concept is intended for modular manufacturing systems,
where the number of machines needed to complete the system varies. Each machine has its own
interlocks and e-stops. This design facilitates the expansion of the safety system, where the
e-stops are intended to stop the complete system, and the interlocks are only intended to stop their
local machine. The block diagram below characterizes this modular approach.

[Block diagram: Module 1, Module 2, ... Module n. Each module contains the E-Stops for its
machine (Machine 1, Machine 2, ... Machine n) and the Guarding for that same machine.]

The Guardlocking Interlock Circuit

There are several ways to implement the local machine interlock control. Figure 1 shows an
example using guardlocking interlocks and multiple safety rated AC drives. As an option,
guarding without locking can be substituted for guardlocking.

Guardlocking Safety Function

The guardlocking interlock has the following safety function:

1. The machine can only run when all the interlocks are closed and locked.

Modular Safety Relay Design Concept Rev B Page 1 of 8 April 9, 2007



2. Unlocking any interlock will initiate a machine shutdown sequence (if not already
shutdown).
3. While any interlock is open, the machine cannot operate.
4. The closing of any interlock shall not start the machine.

Reset Function

In this example, access to the machine is limited to partial body access. With this limitation, the
interlock safety system is set to automatic reset. The machine control logic must be designed to
prevent automatic restart of the machine when all the gates are closed. In this example, pressing
the start button can start the machine after the guards are closed and locked.

The guardlocking interlocks are chosen for three reasons: 1) the stopping time of the machine, 2)
vibration on the machine and 3) machine cycle interruption. The type of locking function chosen
is mechanical lock / power to unlock.

Stopping Time of Machine – If non-locking interlocks were used, the operator may be
able to open the guard and reach the hazard while some of the moving parts have not yet come
to a complete stop. The guardlocking interlocks keep the guards locked until the
machine has come to a stop.

Vibration – Although vibration is typically minimal and within the specification of the
safety components, the guardlocking approach prevents nuisance trips due to vibration on
the machine, as well as misalignment of the guard that may occur over time.

Machine Cycle Interruption – The best performance of the machine is maintained when
the production cycle is completed. Non-locking interlocks would allow operators to
inadvertently open a guard and stop the machine in the middle of a cycle. Guardlocking
interlocks can keep the guards closed until the machine has completed a full cycle.

Each machine may have multiple axes of movement. A risk assessment must be performed to
determine which axes might generate a hazardous condition. Those axes that may generate a
hazardous situation must be controlled by the safety system. In Figure 1, two safety rated drives
are part of the safety system – they are connected in parallel to the MSR127.

Machine Start Sequence

To start the machine, all the guards must be closed. The operator must release the Lock Release
button. If all the guards are closed and locked, the signals to the PLC through the 33/34 contacts
open. The signal from the safety relay contacts 41/42 also opens. The drives are enabled. The
PLC can also get feedback from the drives over the DeviceNet communication - the drives are
ready to start. The operator presses the start button.

The PLC gets a negative feedback from each interlock (33/34) and the safety relay (41/42) as
indicators that the safety system is ready to go. This approach cannot distinguish between the
guard closed and a broken wire. Optionally, the 33/34 circuit on the MSR127 can be monitored
by the PLC as positive feedback that the safety system is ready.
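
The start permissive described above can be modelled in a few lines. This is an added example, not code from the application note or from Rockwell Automation; the class and field names, the scan model and the rising-edge handling of the Start button are assumptions made for illustration. It shows that an absent signal reads as "ready" under negative feedback, that the optional MSR127 33/34 positive feedback removes that ambiguity, and that relocking the guards never restarts the machine without a new Start press.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PlcInputs:
    """Constructed PLC input image; True means 24 V is present at the input."""
    gate_33_34: List[bool]              # per interlock: signal present = unlocked
    relay_41_42: bool                   # MSR127 41/42: signal present = safety stop
    relay_33_34: Optional[bool] = None  # optional MSR127 33/34: present = ready
    start: bool = False
    stop: bool = False

def safety_ready(inp: PlcInputs) -> bool:
    # Negative feedback: ready is inferred from absent signals, so an input
    # that is dead because of a broken wire reads the same as a locked gate.
    ready = not any(inp.gate_33_34) and not inp.relay_41_42
    if inp.relay_33_34 is not None:
        # Positive feedback: a dead input now reads "not ready" instead.
        ready = ready and inp.relay_33_34
    return ready

class MachineControl:
    """Run latch: cleared by Stop or any not-ready scan, set only by a new Start press."""
    def __init__(self) -> None:
        self.running = False
        self._start_prev = False

    def scan(self, inp: PlcInputs) -> bool:
        start_edge = inp.start and not self._start_prev  # rising edge only
        self._start_prev = inp.start
        if inp.stop or not safety_ready(inp):
            self.running = False     # unlocking a gate or Stop ends the run state
        elif start_edge:
            self.running = True      # closing a gate alone never reaches this line
        return self.running

def demo_trace() -> List[bool]:
    plc, locked = MachineControl(), [False, False]
    return [
        plc.scan(PlcInputs(locked, False, start=True)),        # Start pressed: runs
        plc.scan(PlcInputs([True, False], True, start=True)),  # gate 1 unlocked: stops
        plc.scan(PlcInputs(locked, False, start=True)),        # relocked, Start held
        plc.scan(PlcInputs(locked, False)),                    # Start released
        plc.scan(PlcInputs(locked, False, start=True)),        # new press: runs
    ]

if __name__ == "__main__":
    print(demo_trace())  # constructed scan sequence
```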


Machine Stop Sequence

The typical machine sequence is to bring the machine to a normal machine cycle stop (Stop
Category 2). To do this, the operator presses the Stop button. Through DeviceNet, the PLC
issues a stop command to the drives. To gain access to the machines, the operator presses the
Lock Release button (a maintained button). The PLC issues a lock release command which
applies power to all the solenoids. The PLC receives signals through the 33/34 contacts from all
the interlocks that they are unlocked. Operators can now open the guards. In addition, the safety
relay sends a signal to the PLC through the 41/42 contact to indicate that the machine is in a
safety stop.

Safety Performance Rating

The rating of the interlocking design is Category 3 per EN954-1. A single fault will not lead to
the loss of the safety function. An accumulation of faults may lead to the loss of the safety
function. The safety rated drive is rated to Category 3. The series connection of multiple gates
is considered category 3, as a fault across one contact can be masked by opening and closing
another guard.

The rating utilizes fault exclusion of any single point failure of the interlocking switches, due to
the proper design, installation and operating procedures. The machine design limits the
withdrawal and insertion speeds of the actuator to within the manufacturer’s specification.
Mechanical stops prevent the guard from banging into and damaging the interlock. Operating
procedures are used to periodically prove the performance of the switch.

Figure 2 is similar to Figure 1, except the drives are replaced by dual contactors, and the
contactors are powered by the PLC. The outputs of the PLC are fed through the outputs of the
MSR127 safety relay. When the safety relay is satisfied, a signal is fed from the 41/42 contacts
of the MSR127 to the PLC. The PLC can then control the contactors. Since there is no electrical
speed reduction (i.e. braking), this approach performs a Category 0 (coast to) stop. Mechanical
braking can be added to achieve a Category 1 stop.

The E-Stop Circuit – Category 0 Stop

Figure 3 shows an example of a typical e-stop circuit for a machine. The machine may have
more than one E-Stop device (e.g., pushbutton, cable pull). If so, the dual channel e-stop devices
are connected in series and then connected to an MSR144RTP safety relay.

The MSR144RTP safety relay was chosen because it has easily expandable outputs. By itself,
the MSR144RTP has two safety outputs and two auxiliary outputs. Using ribbon cables,
MSR230P modules can be added to the MSR144RTP when additional machines are needed.
Similarly, MSR238P modules can be added when an off-time delay output is needed to achieve a
Category 1 stop.

The safety outputs (13/14 and 23/24) of the MSR144RTP are connected to the inputs of the
interlock safety relay (the MSR127TP). When the e-stop button is pressed, the machine executes
an uncontrolled (Category 0) coast to stop. This is because it opens the input to the safety relay
which immediately disables the drives.


The MSR230P is used to communicate the e-stop safety function to other machines. If no
additional machines are used, then this module can be removed from the system. When
additional machines are used, two safety contacts (e.g., 13/14 and 23/24) from the MSR230P are
fed to the input of the e-stop safety relay of the previous machine. The other two safety contacts
(e.g. 33/34 and 43/44) are fed to the input of the e-stop safety relay on the next machine.

This design approach creates a domino effect when an e-stop is pressed. For multiple machines,
the maximum response time of the e-stop function will occur when an e-stop is pressed on the
first machine. The e-stop signal cascades through all the MSR144RTP relays. Take for example
a system with 5 machines, where the e-stop is pressed on the first machine. The response time for
both the MSR144RTP and the MSR127 is 15ms. Therefore the last machine will begin its
shutdown after a 90ms (6 x 15ms) delay.
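
The cascade timing above, generalized to an e-stop pressed on any machine (or on several at once) in a chain of any length. This is an added example, not part of the original note; it assumes the MSR230P links add no delay of their own and that each MSR144RTP and MSR127 contributes exactly the 15ms the note quotes. The function names are hypothetical.

```python
import heapq

RELAY_MS = 15  # response time the note gives for both the MSR144RTP and the MSR127

def simulate_estop(n_machines, pressed, relay_ms=RELAY_MS):
    """Return {machine: ms until its MSR127 disables the drives}.

    pressed maps a machine number (1..n) to the time in ms its e-stop is pressed.
    An MSR144RTP drops relay_ms after its own e-stop opens or after a neighbour's
    MSR230P contacts open; the machine's MSR127 then adds another relay_ms.
    """
    dropped = {}                                  # machine -> MSR144RTP drop time
    queue = [(t + relay_ms, m) for m, t in pressed.items()]
    heapq.heapify(queue)
    while queue:
        t, m = heapq.heappop(queue)
        if m in dropped:
            continue                              # already dropped by an earlier signal
        dropped[m] = t
        for nb in (m - 1, m + 1):                 # previous and next machine in the chain
            if 1 <= nb <= n_machines and nb not in dropped:
                heapq.heappush(queue, (t + relay_ms, nb))
    return {m: t + relay_ms for m, t in sorted(dropped.items())}

def worst_case_ms(n_machines, relay_ms=RELAY_MS):
    """Longest shutdown delay over every single e-stop position in the chain."""
    return max(
        max(simulate_estop(n_machines, {p: 0}, relay_ms).values())
        for p in range(1, n_machines + 1)
    )

if __name__ == "__main__":
    print(simulate_estop(5, {1: 0}))   # the note's 5-machine case
    print(worst_case_ms(5))
```

The worst-case figure is the one to compare against the stopping-time requirement from the risk assessment whenever a machine is added to the chain.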

The E-Stop Circuit – Category 1 Stop

If a Category 1 e-stop is preferred over a Category 0 e-stop, then the MSR238P can be added to
the e-stop relay. This is shown in Figure 4. When an e-Stop is pressed, dual diverse signals are
sent from the MSR144RTP (13/14 and 41/52) to the PLC to initiate a machine shutdown
sequence. After the timer in the MSR238P expires, the safety contacts (17/18, and 27/28) open
and the MSR127TP disables the drives.

Author:
Steve Dukich
Global Component Technical Specialist
Machine Safeguarding


[Wiring diagram not reproduced. Labelled elements: +24V DC and 24V DC Com rails; feed from the
e-stop relay through MSR144-n 13/14 and 23/24 (immediate action) or MSR238-n 17/18 and 27/28
(delayed action); two guardlocking interlocks (e.g. Spartan or 440G-MT) with terminals 11/12,
21/22, 33/34 and A1/A2; MSR127TP safety relay (440R-N23132) with terminals S21, S11, S52, A1,
13, 23, 33, 41 and S22, S12, S34, A2, 14, 24, 34, 42; two PowerFlex AC drives with DriveGuard
Safe-Off option (gate control power supply, gate enable control circuit, "Remove Jumper",
DeviceNet digital communication), each feeding a motor; PLC processor with Lock Release, Start
and Stop inputs; input modules 1756-IB16, 1769-IQ16, 1746-IB16, 1734-IB4, 1793-IB6; output
modules 1756-OW16I, 1769-OW8I, 1746-OW4, 1734-OW2, 1793-OW4; DeviceNet modules 1756-DNB,
1769-SDN, 1747-SDN, 1734-PDN, 1794-ADN; optional signals from MSR238P for Cat. 1 stop.]

Figure 1. Machine Guardlocking System with Safety Rated Drives


[Wiring diagram not reproduced. Labelled elements: +24V DC and 24V DC Com rails; feed from the
e-stop relay through MSR144-1 13/14 and 23/24; two guardlocking interlocks (e.g. Spartan or
440G-MT) with terminals 11/12, 21/22, 33/34 and A1/A2; MSR127TP safety relay (440R-N23132) with
terminals S21, S11, S52, A1, 13, 23, 33, 41 and S22, S12, S34, A2, 14, 24, 34, 42; contactors
K1, K2, K3 and K4 (100S contactors or 700S relays) on the L1/L2/L3 supplies of two motors (M);
PLC processor with Lock Release, Start and Stop inputs; input modules 1756-IB16, 1769-IQ16,
1746-IB16, 1734-IB4, 1793-IB6; output modules 1756-OW16I, 1769-OW8I, 1746-OW4, 1734-OW2,
1793-OW4.]

Figure 2. Machine Guardlocking System with Contactors


[Wiring diagram not reproduced. Labelled elements: +24V DC and 24V DC Com rails; MSR144-n with
terminals S11, S52, S21, X1, X2, A1, S33, S34, 13, 23, 41, 51 and S12, S22, X3, X4, A2, Y2, Y1,
14, 24, 42, 52; MSR230-n with terminals 13, 23, 33, 43 and 14, 24, 34, 44; inputs from the
e-stop relay of the previous machine (MSR230-(n-1) 33/34 and 43/44) and from the e-stop relay
of the next machine (MSR230-(n+1) 13/14 and 23/24); outputs to the machine interlock relay, to
the previous machine e-stop relay and to the next machine e-stop relay.]

Figure 3. E-Stop Safety Circuit – Category 0 Stop


[Wiring diagram not reproduced. Labelled elements: +24V DC and 24V DC Com rails; MSR144-n with
terminals S11, S52, S21, X1, X2, A1, S33, S34, 13, 23, 41, 51 and S12, S22, X3, X4, A2, Y2, Y1,
14, 24, 42, 52; MSR238-n with terminals 17, 27, 35 and 18, 28, 36; MSR230-n with terminals 13,
23, 33, 43 and 14, 24, 34, 44; inputs from the e-stop relay of the previous machine
(MSR230-(n-1) 33/34 and 43/44) and from the e-stop relay of the next machine (MSR230-(n+1)
13/14 and 23/24); outputs to the PLC (initiate a stop), to the machine interlock relay, to the
previous machine e-stop relay and to the next machine e-stop relay.]

Figure 4. E-Stop Safety Circuit – Category 1 Stop
