safety-at167_-en-p

Application Technique
Safe-monitored Access via a 442G Access Box and a Guardmaster

440C-CR30 Configurable Safety Relay Safety Function
Products: 442G Access Box, Guardmaster 440C-CR30 Configurable Safety Relay, 100S-C Contactors
Safety Rating: Cat. 4, PLe to ISO 13849-1: 2015
Topic Page
Important User Information 2
General Safety Information 3
Introduction 4
Use Sample Project Files 4
Safety Function Realization: Risk Assessment 5
Safety Functions 5
Safety Function Requirements 5
Functional Safety Description 6
Bill of Material 7
Setup and Wiring 7
Configuration 13
Calculation of the Performance Level 21
Verification and Validation Plan 23
Additional Resources 24
Safe-monitored Access via a 442G Access Box and a Guardmaster 440C-CR30 Configurable Safety Relay Safety Function
Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,
and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are
required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may
be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from
the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal
injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss.
Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will
cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for
Personal Protective Equipment (PPE).
2 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

General Safety Information

Contact Rockwell Automation to learn more about our safety risk assessment services.
IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.
ATTENTION: Perform a risk assessment to make sure that all task and hazard combinations have been identified and addressed. The risk assessment can require
additional circuitry to reduce the risk to a tolerable level. Safety circuits must consider safety distance calculations, which are not part of the scope of this
document.
Safety Distance Calculations
ATTENTION: While safety distance or access time calculations are beyond the scope of this document, compliant safety circuits must often consider a safety
distance or access time calculation.
Non-separating safeguards provide no physical barrier to help prevent access to a hazard. Publications that offer guidance
for calculating compliant safety distances for safety systems that use non-separating safeguards, such as light curtains,
scanners, two-hand controls, or safety mats, include the following:
EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of
parts of the human body)
EN ISO 13857:2008 (Safety of Machinery – Safety distances to help prevent hazardous zones being reached by
upper and lower limbs)
ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)
Separating safeguards monitor a movable, physical barrier that guards access to a hazard. Publications that offer guidance
for calculating compliant access times for safety systems that use separating safeguards, such as gates with limit switches
or interlocks (including SensaGuard™ switches), include the following:
EN ISO 14119:2013 (Safety of Machinery – Interlocking devices associated with guards - Principles for design
and selection)
EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of
parts of the human body)
EN ISO 13857:2008 (Safety of Machinery – Safety distances to help prevent hazardous zones being reached by
upper and lower limbs)
ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)
In addition, consult relevant national or local safety standards to assure compliance.
Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 3

Introduction
This document explains how to wire, configure, verify, and validate a safety system that is designed to provide safe,
monitored, full-body access into a hard-guarded area only when hazardous motion within the area has ceased. The
primary components that are used are a 442G multifunctional access box (MAB), a Guardmaster® 440C-CR30
configurable safety relay, and two 100S safety contactors. The 440C-CR30 relay is configured by using the Studio 5000
Logix Designer® application.
The 440C-CR30 relay monitors and controls the MAB and two redundant 100S safety contactors. These devices
monitor a gate that helps prevent full-body access to an area while hazardous motion is present. When access to this area
is needed, access is requested by pressing an Unlock Request button on the cover of the MAB. The contactors that
provide power to the motor are immediately de-energized and hazardous motion coasts to an uncontrolled
stop category 0. Once the worst case hazardous motion run-down time has expired, the 440C-CR30 relay sends an
unlock command to the MAB, which then allows access. Hazardous motion cannot be resumed until the gate is closed
and locked.
Use Sample Project Files

Sample project files (AutoCAD, EPLAN, ACD, SISTEMA, and Verification and Validation checklist) are attached to
this document to help you implement this safety function.
To access these files, follows these steps.
1. If you are viewing the PDF file in a browser and do not see the Attachments link , download the PDF file and
open it in the Adobe Acrobat Reader application.
2. Right-click the Attachments link , and save the desired file.
3. Open the file in the appropriate application.

Safety Function Realization: Risk Assessment

The Performance Level required (PLr) is the result of a risk assessment and refers to the amount of the risk reduction to
be conducted by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety
functions of the machine. In this application, the Performance Level required by the risk assessment is category 3,
Performance Level d (cat. 3, PLd), for each safety function. A safety system that achieves cat. 3, PLd, or higher, can be
considered control reliable. Each safety product has its own rating and can be combined to create a safety function that
meets or exceeds the PLr.
From: Risk Assessment (ISO 12100)
1. Identification of safety functions
2. Specification of characteristics of each function
3. Determination of required PL (PLr) for each safety function
To: Realization and PL Evaluation
Safety Functions
This application technique includes two safety functions:
• Prevention of access while hazardous motion is present (guard lock)
• Prevention of unexpected startup
Safety Function Requirements

This safety function allows entry to a guarded area where there can be hazardous motion only when that hazardous
motion is stopped. An MAB, monitored and controlled by the 440C-CR30 relay, keeps the access gate locked when
there is hazardous motion. To enter this area, the Unlock Request button on the cover of the MAB must be pressed and
released. The 440C-CR30 relay de-energizes the two 100S contactors to remove power from the motor, and hazardous
motion coasts to a stop category 0. The gate must be kept locked until hazardous motion has stopped. Testing must be
done by using the actual machinery that is being guarded to determine the worst-case time it takes before hazardous
motion has ceased. For the purposes of this document, assume that this worst time is 18 seconds. The gate, therefore, is
kept locked for 20 seconds after the contactors are de-energized to be certain that the motion has stopped. The
440C-CR30 relay unlocks the MAB and the access gate can be opened.
Once sure that no one is in the hazardous area, the operator closes the gate and rotates the MAB handle to extend the
bolt. Then pressing and releasing the Lock Request button causes the MAB to lock the gate. Hazardous motion can then
be resumed by pressing the Restart button. Hazardous motion cannot be restored until the gate is closed and locked.

The 440C-CR30 relay monitors the MAB, itself, and the contactors, for faults. When a fault is detected, the
440C-CR30 relay removes power from the motor that drives hazardous motion. The 440C-CR30 relay does not unlock
the MAB that prevents access to the guarded area until the fault has been cleared.
The safety functions in this application technique each meet or exceed the requirements for category 3, Performance
Level d (cat. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.
Functional Safety Description

Machinery, which includes hazardous motion that is driven by an electric motor, is hard-guarded by fences. A full-body
access gate is controlled by an MAB, Power to Release (PTR) version. The following sections describe a typical operation
cycle of the MAB guard locking system.
Run
Hazardous motion runs. The gate is closed and locked by the MAB. The OSSD outputs of the MAB to the Guardmaster
440C-CR30 configurable safety relay are true (high), which confirms that the gate is closed, bolted, and locked. The
440C-CR30 relay monitors the OSSD outputs of the MAB that are connected at terminals 08 and 09. The safety
outputs on terminals 18 and 19 of the 440C-CR30 relay are ON, and the K1 and K2 contactors remain energized. The
Unlock Command output to the MAB on terminal 16 is OFF (low).
Unlock Gate
When the operator presses and releases the Unlock request button on the cover of the MAB, this action notifies the
440C-CR30 relay, via the 2080-IQ4OB4 plug-in module terminal I-01, to turn its outputs (terminals 18 and 19) OFF,
de-energize the K1 and K2 contactors, and remove power from the motor. The 440C-CR30 relay receives confirmation
that K1 and K2 are de-energized when the feedback signal on Plug-in terminal I-03 goes true (high). When the feedback
signal is received, the 440C-CR30 relay starts a configured 20-second stop time delay. When the delay time has passed,
the 440C-CR30 relay turns ON the Unlock Command output on terminal 16. The MAB unlocks the gate. The OSSD
outputs of the MAB, connected to terminals 08 and 09, turn OFF. The handle of the MAB can now be rotated to retract
the bolt, and the gate can be opened.
Lock Gate
After the guarded area is checked to verify that no one remains inside, the gate can be closed and the MAB handle rotated
to extend the bolt. Pressing and releasing the Lock request button on the MAB cover instructs the 440C-CR30 relay, via
plug-in terminal I-02, to turn OFF the Unlock Command on terminal 16. The MAB locks the gate. The OSSD outputs
of the MAB, connected to terminals 08 and 09, turn ON to confirm that the gate is closed, the bolt is extended, and the
MAB is locked.
Start
The Restart button, which is connected to terminal 06 of the 440C-CR30 relay, is pressed and released. The
440C-CR30 relay turns ON output terminals 18 and 19, and energizes the coils of contactors K1 and K2. The N.O.
safety contacts of the K1 and K2 contactors close and restore power to the motor. The motion resumes.

Bill of Material
This application technique uses these products.
Cat. No. Description Quantity
442G-MABR-URM-C02 Lock module, 442G access box, power-to release, unique code, M23 connector, right-hand guard, two push buttons 1
442G-MABH-R Handle assembly, 442G access box, right-hinged door with bolt-locking mechanism 1
442G-MABE1 Escape release, 442G-MAB, standard shaft 1
442G-MABAMPH 442G-MAB mounting plate, handle assembly 1
442G-MABAMPL 442G-MAB mounting plate, lock module 1
889M-F19RM-2 M23, female, straight, 19-P, PUR cable, black, unshielded, IEC color-coded, no connector, 2 m (6.56 feet) 1
442G-MABASHFT 250 mm (9.84 in.) 442G-MAB, extended shaft 1
800FP-F3PX10V 800F push button, plastic, flush, green, no legend, plastic latch mount, one N.O. contact, no N.C. contact, low voltage, 1
standard pack (quantity 1)
Guardmaster 440C-CR30 software configured safety relay, PLe SIL 3, 22 safety I/O, embedded serial port, USB
440C-CR30-22BBB 1
programming port, two plug-in slots, 24V DC
440C-ENET Guardmaster Ethernet plug-in module, slot one only 1
2080-IQ4OB4 Four-channel digital input/output combination module 1
100S-C09EJ14BC 100S-C safety contactor, 9 A, 24V DC (with electric coil), bifurcated contact 2
Compact tower light, 30 mm (1.18 in.), 10 cm (3.94 in.) quick release mount pole, no network option, no cable, black
855D-Q10B24Y4Y3L5 1
24V AC/DC, red steady status indicator, green steady status indicator, amber flashing status indicator, no module
8000F two-position key selector switch, plastic, spring return from right, left key removal, key code 3825 (standard),
800FP-KR21PX10 1
one N.O. contact block, standard pack (quantity 1)
Setup and Wiring

For detailed information on how to install and wire, refer to the publications that are listed in the Additional Resources.
System Overview
The 440C-ENET module serves as an Ethernet gateway that integrates the Guardmaster 440C-CR30 configurable
safety relay into a ControlLogix® or GuardLogix® controller-based overall control system. A 440C-CR30 relay
configuration and integration Add-on Profile (AOP) for the Studio 5000 Logix Designer application, version 20 or later,
makes it easy to configure and monitor the entire 440C-CR30 relay safety function from a ControlLogix or GuardLogix
control system.
Whether the integrated control system is based on a ControlLogix or GuardLogix controller makes no difference to the
operation of this safety function. All of the data that is provided to the integrated control system is diagnostic or status
information, not safety information. The communication between the 440C-CR30 safety relay and the control system is
standard Ethernet communication, not CIP Safety® over Ethernet communication. The 440C-CR30 safety relay
maintains exclusive control over the safety function, as described previously in Functional Safety Description on page 6.

The diagnostic data that is provided is detailed and complete for the state of all terminals, safety monitoring functions,
logic level status, safety output functions, and fault codes. The Logic Editor within the Logix Designer application
automatically assigns named tags to the diagnostic data. The intent is to facilitate tight integration into the larger control
system by allowing more effective operation of the overall control system, not to share the safety tasks.
Safety Monitoring Function (SMF) Plug-in 2 Input/Output Safety Output Function (SOF)
It is beyond the scope of this document to describe how the overall control system uses the diagnostic information that is
provided for the safety function that is controlled by the 440C-CR30 relay.

Electrical Schematic–Inputs
(slot 1)
To PAC via Ethernet
24V DC – Class 2 DC COM
Restart
Retract
Bolt
Safety Output Channel A
Safety Output Channel B
Reset MAB Fault

(slot 2)
Unlock Request
See Note 1
Lock Request
Feedback
Note 1 UA: Connected to 24V internally in MAB.

Yel/Brn and W ht wires brought out in 889M-F19RM-X-cable.

Electrical Schematic–Outputs
(slot 1)
To PAC via Ethernet
24V DC – Class 2 DC COM
Unlock Cmd
See Note 2
External
Stop/Start
(slot 2)
Reset MAB Fault
Guard Unlocked
Guard Locked
Motor Powered
Note 2 K1 and K2 = 100S-C09EJ14BC. EJ contactors have integral transient suppression.

External transient suppression may be required when non-EJ contactors are used.
For electrical schematics in AutoCAD or EPLAN format, see the attached files.

Timing Diagram (Multifunctional Access Box (Power-To-Release))–Guardmaster 440C-CR30 Configurable Safety Relay)
Typical Gate Open, Close and Restart Sequence
24
Unlock Request (ULR)
0
energized
Contactors
de-energized
24
K1 K2 Feedback
0
powered
Motor
power removed
8 seconds
moving coast to stop
Hazardous Motion
stopped
timing
Lock SMF Stop Time 20 seconds (configured)
not timing/expired
on (unlock)
Lock Command to MAB
off (lock)
locked
MAB Lock
unlocked
24
MAB OSSDs
0
open
Guarded Gate manually
operated
closed
24
MAB Lock Request (LR)
0
24
Restart Button
0
ULR Configured Stop LR Start Button

Time Expired

Timing Diagram (Multifunctional Access Box (Power-To-Lock))–Guardmaster 440C-CR30 Configurable Safety Relay)
Typical Gate Open, Close and Restart Sequence
24
Unlock Request (ULR)
0
energized
Contactors
de-energized
24
K1 K2 Feedback
0
powered
Motor
power removed
8 seconds
moving coast to stop
Hazardous Motion
stopped
timing
Lock SMF Stop Time 20 seconds (configured)
not timing/expired
on (unlock)
Lock Command to MAB
off (lock)
locked
MAB Lock
unlocked
24
MAB OSSDs
0
open
Guarded Gate manually
operated
closed
24
MAB Lock Request (LR)
0
24
Restart Button
0
ULR Configured Stop LR Start Button
Time Expired

Configuration
This document describes one example of how a 440C-CR30 relay can be configured by using the Studio 5000 Logix
Designer application. A detailed description of each step is beyond the scope of this document. Knowledge of the Logix
Designer application is assumed.
Before You Begin
Verify that you are using the Studio 5000 Logix Designer application, version 20 or later, with the 440C-ENET Add-on
Profile (AOP), version 3.01 or later, installed. If necessary, you can download the AOP from the Product Compatibility
and Download Center (PCDC) at https://compatibility.rockwellautomation.com/Pages/home.aspx.
Verify that the 440C-CR30 safety relay is running firmware revision 10 or later. (A free firmware update is available for
older units.) Verify that a 440C-ENET EtherNet/IP™ plug-in module has been installed in slot 1 of the 440C-CR30
relay. This document also assumes that the 440C-ENET Ethernet module has previously been assigned an IP address by
using the BOOTP-DHCP utility. This assignment allows a 440C-CR30 relay to be configured by using the Logic
Editor within the Logix Designer application.
Configure the Multifunctional Access Box (MAB)
This document presumes that the MAB device configuration DIP switches are at the original factory settings.
Function of the Switches
Factory settings are

shown.
1 2 3 4 5 6
A B C D
Detail Switch Function

On: Device is configured for standalone operation (factory setting)
A 1+2
Off: Device is configured for series operation
On: Guard lock monitoring is deactivated
B 3+4
Off: Guard lock monitoring is activated (factory setting)
On: DIP switch configuration enabled
C 5
Off: DIP switch configuration inhibited (factory setting)
On: Release monitoring is activated (factory setting)
D 6 Off: Release monitoring is deactivated
Create Your Project
For a Studio 5000 Logix Designer project file that you can use, open the attached ACD file. Or, you can create your own
project by using following the steps:
1. Add the 440C-CR30-22BBB relay and 440C-ENET module to your Logix Designer project.
2. From the Logic Configuration tab of the safety relay Module Properties dialog box, click Edit Logic.
3. Configure the inputs and outputs as shown.
Changes to the default settings are circled in the logic that is shown in the following graphic.

The logic for this project is divided into the following sections: Motion Control, Lock Control, and MAB Fault Reset.
Two versions of the Lock Control configuration are shown, one for a Power to Release (PTR) MAB and one for a power-
to-lock (PTL) MAB.
Motion Control
Non-default settings are circled. The input (SMF) and output (SOF) blocks are renamed to make their function in the
application clearer.
Lock Control (PTR)
application clear.

Lock Control (PTL)
application clear.
MAB Fault Reset
application clear.

The complete logic (PTR version) is shown in the following graphic.

Build the Configuration
To complete the configuration of the 440C-CR30 safety relay in the Logix Designer application, follow these steps.
1. On the toolbar, click Build.

A dialog box appears and indicates that the build was successful.
If an error or omission is discovered during a build, a message is displayed which details the error so that it can be
corrected. After you correct the error, you must perform the build again.
2. To close the Logic Editor window, click the X in the upper-right corner.
3. To close the Output dialog box, on the Module Properties dialog box, click the X in the upper-right corner.
Configure the Status Indicators
The 440C-CR30 relay lets you configure ten input status indicators and six output status indicators. These status
indicators can be helpful while testing the system during installation and commissioning. They are also useful for
monitoring the system in operation.
To configure status indicators to show the status of the Guardmaster 440C-CR30 safety relay, follow these steps:
1. On the Logic Configuration tab of the Module Properties dialog box, select LED Configuration.
2. Choose the Type Filter and Value for each LED as shown in the graphic.
3. To close the Module Properties dialog box, click OK.

Download the Configuration
The Logix Designer application does not automatically download the configuration to the 440C-CR30 relay when it
downloads the configuration to the controller. Therefore, you must manually download to both the controller and the
440C-CR30 relay separately.
Download to the Controller
Follow these steps.
1. Download the project to your controller.
2. When the Download dialog box appears, confirm that you want to download.

Download to the 440C-CR30 Safety Relay
Follow these steps.
1. Right-click 440C-CR30-22BBB in the Controller Organizer and choose Properties.

2. Choose the Logic Configuration tab.
3. When the warning dialog box appears, choose Download to the safety relay.
4. When the download completes, to return to Run mode, click Yes.
Verify the Configuration
You must confirm the verification of the 440C-CR30 configuration for each individual application by using the Verify
command in the configuration software. This process is the feedback to the 440C-CR30 relay that the system
verification and functional tests have been completed. If the configuration of the 440C-CR30 safety relay is not verified,
the relay faults after 24 hours of operation.
See Verification and Validation Plan on page 23 and the Guardmaster Configurable Safety Relay User Manual,
publication 440C-UM001, for information on the verification process.

Monitor the 440C-CR30 Safety Relay
1. To see the online diagnostics, click Edit Logic.
Green indicates that a block is True or that an input or output terminal is ON. The complete safety system must be
installed and powered up to fully use the online diagnostics mode. The online diagnostics mode of the
440C-CR30 relay can be helpful during the verification process.
2. Review the information in Calculation of the Performance Level on page 21 and Verification and Validation Plan
on page 23 before proceeding with Verify the Configuration on page 19.

Calculation of the Performance Level

When properly implemented, these safety functions can achieve a safety rating of category 4, Performance Level e (cat. 4,
PLe), according to ISO 13849-1: 2015, as calculated by using the Safety Integrity Software Tool for the Evaluation of
Machine Applications (SISTEMA).
The SISTEMA file that is referenced in this safety function application technique is attached to this document.
The PFH for electromechanical systems can be calculated differently based on the version of ISO 13849 supported by
SISTEMA. ISO 13849-1:2015, which changed the maximum MTTFd from 100 to 2500 years, is supported starting in
version 2.0.3 of SISTEMA. As a result, the same SISTEMA data file that is opened in two different versions of
SISTEMA can yield different calculated results.
The SISTEMA calculations for each safety function in this MAB, 440C-CR30 relay, and Studio 5000® project yield the
following results.
The result of the calculations for the prevention of access while hazardous motion is present (guard lock) safety function
are shown in the graphic.
The prevention of access while hazardous motion is present (guard lock) safety function can be modeled as follows.
Input Logic Output
100S
Contactor
K1
Multifunctional 440C-CR30
Access Configurable
Box Safety Relay
100S
Contactor
K2
Subsystem 1 Subsystem 2 Subsystem 3

IMPORTANT The PFH for this complete safety function, with the sensor, logic, and actuator subsystems, is 3.6E-8. The PL for the complete safety function is PLe.
The overall Performance Level and PFHd for this Safety Function is shown in the graphic.
The result of the calculations for the prevention of unexpected startup safety function are shown in the graphic.
The prevention of unexpected startup safety function can be modeled as follows.
Input Logic Output
100S
Contactor
Multifunctional 440C-CR30 K1
Access Configurable
Box Safety Relay
100S
Contactor
K2
Subsystem 1 Subsystem 2 Subsystem 3
IMPORTANT The PFH for this complete safety function, with the sensor, logic, and actuator subsystems, is 3.6E-8. The PL for the complete safety function is PLe.
The overall Performance Level and PFHd for this safety function are shown in the graphic.

Functional Safety Data Required for Determining the Performance Level of Electromechanical Devices
Because the 100S safety contactors are electromechanical devices, the functional safety data that are required for the
Performance Level calculation includes the following:
• Mean Time to Failure, dangerous (MTTFd)
• Diagnostic Coverage (DCavg)
• Common Cause Failure (CCF)
The functional safety evaluations of the electromechanical devices include the following:
• How frequently they are operated
• Whether they are effectively monitored for faults
• Whether they are properly specified and installed
SISTEMA calculates the MTTFd by using B10d data that are provided for the contactors along with the estimated
frequency of use (8760 times a year), entered during the creation of the SISTEMA project.
The DCavg (99%) for the contactors is selected from the Output Device table of ISO 13849-1 Annex E, Direct
Monitoring.
The CCF value is generated by using the scoring process that is outlined in Annex F of ISO 13849-1. The complete CCF
scoring process must be performed when actually implementing an application. A minimum score of 65 must be
achieved.
Verification and Validation Plan

Verification and validation play important roles in the avoidance of faults throughout the safety system design and
development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a
documented plan to confirm that all safety functional requirements have been met.
Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system
is calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software
is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.
Validation is a functional test of the safety control system to demonstrate that the system meets the specified
requirements of the safety function. The safety control system is tested to confirm that all safety-related outputs respond
appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions and
potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control
system.
Before validating the system, confirm that the Guardmaster 440C-CR30 configurable safety relay has been wired and
configured in accordance with the installation instructions.
The 440C-CR30 configurable safety relay may be monitored "live" in Studio 5000. For the verification operation, this
can give an extra understanding of system operations. But bear in mind that in validation testing, faults are created which
may require power cycling the system to clear the fault. That connection to the 440C-CR30 configurable safety relay
must be re-established each time the system is powered up to continue monitoring.
For a validation checklist, see the attached spreadsheet.

Additional Resources
These documents contain more information about related products from Rockwell Automation.
Resource Description
Guardmaster Configurable Safety Relay User Manual, publication 440C-UM001 Provides detailed information on how to install, configure, operate, and troubleshoot a
Guardmaster 440C-CR30 configurable safety relay.
Guardmaster 440C-CR30 Software Configurable Safety Relay Quick Start Guide, Provides an example of how to configure a Guardmaster 440C-CR30 configurable safety
publication 440C-QS001 relay with a SensaGuard interlock switch, an E-stop button, and two safety-rated output
devices.
Rockwell Automation Functional Safety Data Sheet, publication SAFETY-SR001 Provides functional safety data for Rockwell Automation® products.
Multi-functional Access Box User Manual, publication 442G-UM001 Provides instructions on how to design, install, program, and troubleshoot systems that
use the 442G multifunctional access box.
Multifunctional Access Box Installation Instructions, publication 442G-IN001 Provides instructions on how to assemble and configure the handle of the 442G access
box. Describes how to mount the 442G access box, and also provides specifications for
the device.
Industrial Automation Wiring and Grounding Guidelines, publication1770-4.1 Provides general guidelines on how to install a Rockwell Automation industrial system.
Product Certifications website, rok.auto/certifications Provides declarations of conformity, certificates, and other certification details.
Download Safety Automation Builder® to help simplify machine safety design and
validation, and reduce time and costs. Integration with our risk assessment software
provides you with consistent, reliable, and documented management of the Functional
Safety Automation Builder and SISTEMA Library website, Safety Lifecycle.
The SISTEMA tool, also available for download from the Safety Automation Builder
page, automates calculation of the attained Performance Level from the safety-related
parts of a machine’s control system to (EN) ISO 13849-1.
You can view or download publications at http://www.rockwellautomation.com/global/literature-library/

overview.page.

Notes:

Rockwell Automation Support
Use the following resources to access support information.
Knowledgebase Articles, How-to Videos, FAQs, Chat,

Technical Support Center www.rockwellautomation.com/knowledgebase
User Forums, and Product Notification Updates.
www.rockwellautomation.com/global/support/get-support-
Local Technical Support Phone Numbers Locate the phone number for your country.
now.page
Find the Direct Dial Code for your product. Use the www.rockwellautomation.com/global/support/direct-
Direct Dial Codes code to route your call directly to a technical support dial.page
engineer.
Installation Instructions, Manuals, Brochures, and
Literature Library www.rockwellautomation.com/literature
Technical Data.
Product Compatibility and Download Center Get help determining how products interact, check
features and capabilities, and find associated www.rockwellautomation.com/global/support/pcdc.page
(PCDC) firmware.
Documentation Feedback
Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete the
How Are We Doing? form at http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf.
Safety Function Capabilities

Visit rok.auto/safety for more information on our Safety System Development Tools, including Safety Functions.
Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.
Allen-Bradley, ControlLogix, GuardLogix, Guardmaster, LISTEN.THINK.SOLVE., Rockwell Automation, Safety Automation Builder, SensaGuard, Studio 5000, and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc.
CIP Safety and EtherNet/IP are trademarks of ODVA, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400
Publication SAFETY-AT167A-EN-P - June 2019

Copyright © 2019 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.

Sprache

Willkommen bei Scribd!

safety-at167_-en-p

Hochgeladen von

Dokumentinformationen

Beschreibung:

Copyright

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Beschreibung:

Copyright:

safety-at167_-en-p

Hochgeladen von

Beschreibung:

Copyright:

Verwandte Titel

Application Technique

Safe-monitored Access via a 442G Access Box and a Guardmaster

Important User Information

Labels may also be on or inside the equipment to provide specific precautions.

2 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

General Safety Information

Safety Distance Calculations

In addition, consult relevant national or local safety standards to assure compliance.

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 3

Use Sample Project Files

To access these files, follows these steps.

3. Open the file in the appropriate application.

4 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

Safety Function Realization: Risk Assessment

1. Identification of safety functions

2. Specification of characteristics of each function

3. Determination of required PL (PLr) for each safety function

To: Realization and PL Evaluation

Safety Function Requirements

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 5

Functional Safety Description

6 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

Setup and Wiring

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 7

8 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

To PAC via Ethernet

24V DC – Class 2 DC COM

Safety Output Channel A

Safety Output Channel B

Reset MAB Fault

Note 1 UA: Connected to 24V internally in MAB.

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 9

To PAC via Ethernet

24V DC – Class 2 DC COM

Reset MAB Fault

Note 2 K1 and K2 = 100S-C09EJ14BC. EJ contactors have integral transient suppression.

10 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

Typical Gate Open, Close and Restart Sequence

ULR Configured Stop LR Start Button

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 11

Typical Gate Open, Close and Restart Sequence

12 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

Before You Begin

Configure the Multifunctional Access Box (MAB)

Function of the Switches

Factory settings are

Detail Switch Function

Create Your Project

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 13

Lock Control (PTR)

14 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

Lock Control (PTL)

MAB Fault Reset

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 15

The complete logic (PTR version) is shown in the following graphic.

16 Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019

Build the Configuration

1. On the toolbar, click Build.

Configure the Status Indicators

3. To close the Module Properties dialog box, click OK.

Rockwell Automation Publication SAFETY-AT167A-EN-P - June 2019 17