Rockwell Automation Allen-Bradley 442G Multifunctional Access... User guide
Application Technique
Safe-monitored Access via a 442G Access Box and a Guardmaster
GLP Safety Relay Safety Function
Products: 442G Access Box, Guardmaster GLP Safety Relay, 100S-C Contactors
Safety Rating: Cat. 3, PLd to ISO 13849-1: 2015
Topic Page
Important User Information 2
General Safety Information 3
Introduction 4
Safety Function Realization: Risk Assessment 5
Safety Functions 5
Safety Function Requirements 5
Functional Safety Description 6
Bill of Material 7
Setup and Wiring 7
Configuration 11
Calculation of the Performance Level 12
Verification and Validation Plan 15
Additional Resources 16
2Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,
and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are
required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may
be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from
the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
Labels may also be on or inside the equipment to provide specific precautions.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal
injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss.
Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT Identifies information that is critical for successful application and understanding of the product.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will
cause severe injury or death.Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for
Personal Protective Equipment (PPE).
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 3
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
General Safety Information
Contact Rockwell Automation to learn more about our safety risk assessment services.
Safety Distance Calculations
Non-separating safeguards provide no physical barrier to prevent access to a hazard. Publications that offer guidance for
calculating compliant safety distances for safety systems that use non-separating safeguards, such as light curtains,
scanners, two-hand controls, or safety mats, include the following:
EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of
parts of the human body)
EN ISO 13857:2008 (Safety of Machinery – Safety distances to prevent hazardous zones being reached by upper
and lower limbs)
ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)
Separating safeguards monitor a movable, physical barrier that guards access to a hazard. Publications that offer guidance
for calculating compliant access times for safety systems that use separating safeguards, such as gates with limit switches
or interlocks (including SensaGuard™ switches), and guard locks, include the following:
EN ISO 14119:2013 (Safety of Machinery – Interlocking devices associated with guards - Principles for design
and selection)
EN ISO 13855:2010 (Safety of Machinery – Positioning of safeguards with respect to the approach speeds of
parts of the human body)
EN ISO 13857:2008 (Safety of Machinery – Safety distances to prevent hazardous zones being reached by upper
and lower limbs)
ANSI B11:19 2010 (Machines – Performance Criteria for Safeguarding)
In addition, consult relevant national or local safety standards to verify compliance.
IMPORTANT This application example is for advanced users and assumes that you are trained and experienced in safety system requirements.
ATTENTION: Perform a risk assessment to make sure that all task and hazard combinations have been identified and addressed. The risk assessment can require
additional circuitry to reduce the risk to a tolerable level. Safety circuits must consider safety distance calculations, which are not part of the scope of this
document.
ATTENTION: While safety distance or access time calculations are beyond the scope of this document, compliant safety circuits must often consider a safety
distance or access time calculation.
4Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Introduction
This document explains how to wire, configure, verify, and validate a safety system that is designed to provide safe,
monitored access into a hard-guarded area only after hazardous motion within the area has ceased. The system includes,
and is specific to, a multifunctional access box (MAB), a Guardmaster® GLP safety relay, and 100S contactors as its
primary devices. The GLP safety relay monitors two proximity sensors to determine the speed of hazardous motion and
the state of the MAB to determine when the monitored motion is at a safe speed before allowing access to the guarded
area by unlocking the MAB. The GLP safety relay monitors the proximity sensors, the MAB, and itself for faults. When
a fault is detected, the GLP does not unlock the MAB to prevent access to the guarded area until the fault is corrected.
Access Components of the Safety Function
The component files (AutoCAD, EPLAN, SISTEMA, and Verification and Validation checklist) that are attached to
this document help you implement this safety function. To access these components, click the Attachments link , and
right-click and save the component that you want to use. If the PDF file opens in a browser and you don't see the
Attachments link , download the PDF file and then reopen the file with the Adobe Acrobat Reader application.
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 5
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Safety Function Realization: Risk Assessment
The required Performance Level (PLr) is the result of a risk assessment and refers to the amount of the risk reduction to
be conducted by the safety-related parts of the control system. Part of the risk reduction process is to determine the safety
functions of the machine. In this application, the Performance Level that is required by the risk assessment is category 3,
Performance Level d (cat. 3, PLd), for each safety function. A safety system that achieves cat. 3, PLd, or higher, can be
considered control reliable. Each safety product has its own rating and can be combined to create a safety function that
meets or exceeds the PLr.
Safety Functions
This application technique includes two safety functions:
•Safe-monitored access
•Prevention of unexpected startup
Safety Function Requirements
An MAB-controlled, locked gate helps prevent access to a guarded area where there can be hazardous motion. When
access is required, pressing and releasing an Unlock Request button removes power to the motor that drives hazardous
motion and signals the GLP speed monitoring relay that the gate must be unlocked when the monitored speed drops to
the configured safe maximum speed. When the speed monitoring relay confirms that the monitored speed is at or below
the configured safe maximum speed, the GLP sends unlock commands to the MAB. The gate can then be opened.
Hazardous motion cannot be restored until the gate is closed and locked. Once the gate is closed and locked, pressing and
releasing the Restart button energizes the two contactors, which restores power to the motor.
The safety functions in this application technique each meet or exceed the requirements for category 3, Performance
Level d (cat. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.
From: Risk Assessment (ISO 12100)
1. Identification of safety functions
2. Specification of characteristics of each function
3. Determination of required PL (PLr) for each safety function
To: Realization and PL Evaluation
6Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Functional Safety Description
A process that includes hazardous motion that is driven by an electric motor is hard-guarded by fences.
Hazardous motion can be stopped and started by using an external Stop/Start switch without providing access to the
guarded area. Pressing and releasing the Stop button immediately de-energizes the two 100S contactors. Hazardous
motion coasts to a stop (stop category 0). The gate remains locked. Pressing and releasing the Start button re-energizes
the two 100S contactors, which restores power to the motor and hazardous motion begins.
Full-body access to the area is provided via a gate. The gate is locked by an MAB guard lock, which helps prevent access
while hazardous motion is present. The GLP safety relay monitors the OSSD outputs of the MAB to confirm that the
MAB is closed and locked. The GLP safety relay senses the speed of hazardous motion by monitoring two proximity
sensors that monitor a rotating target disk mounted as directly to hazardous motion as reasonably practical.
When access is required, pressing the Unlock Request button trips the Guardmaster 440R SI relay, which turns off its
safety outputs and de-energizes the K1 and K2 contactors. This action removes power from the motor and hazardous
motion coasts to a stop. The SI relay deactivates its single wire safety (SWS) output, which prepares the GLP safety relay
to send an Unlock Command to the MAB when hazardous motion is at or below the configured maximum safe speed.
When the safe slow speed is reached, the GLP relay sends the Unlock Command and de-energizes contactors K3 and K4.
When the MAB receives the Unlock commands, it unlocks the gate. Then, rotating the MAB handle retracts the bolt,
which allows access to the guarded area. The amber Guard Unlocked stack light flashes to show that the gate is unlocked.
Power cannot be restored to the motor until the gate is closed, the MAB handle is rotated to extend the bolt, and the gate
locked by pressing and releasing the Lock Request (GLP Reset) button on the MAB cover. The Lock Request signal is
routed to the GLP relay via two N.C. contacts on the K1 and K2 contactors. Upon receipt of the Lock request, the GLP
relay ceases the Unlock commands. The MAB locks the gate. The amber Guard Unlocked stack light turns OFF. At the
same time, the GLP relay energizes the coils of the K3 and K4 contactors and their N.O. contacts close. Pressing the
Restart button energizes the 100S contactors; their N.O. contacts close, and power to the motor is restored.
The scope of this document is limited to the safe monitored access and prevention of unexpected startup safety
functions. When full-body access is allowed, additional safety functions may be necessary to prevent harm to personnel
while they are in the guarded area. Which, if any, additional safety functions are required is determined by a risk
assessment and is beyond the scope of this document.
The optional escape release handle, which is mounted to be accessible only from inside the safeguarded area, is one of the
parts that is listed in this document.
Use of the escape release is regarded as a non-standard event and faults the MAB. The MAB must be reset before
operation of the guarded machine can be resumed. A Reset MAB Fault button is included in the circuit diagram. The
MAB reset process is described in the Multi-functional Access Box User Manual, publication 442G-UM001.
IMPORTANT If the risk assessment determines that there is a likelihood of entrapment, then an escape release is required, according to ISO 14119.
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 7
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Bill of Material
This application technique uses these products.
Setup and Wiring
For detailed information on how to install and wire, refer to the publications that are listed in the Additional Resources.
System Overview
This document assumes that an external Stop-Start switch is installed. That switch removes and restores the three-phase
power that is controlled by contactors K1 and K2. When the three-phase power is removed, hazardous motion coasts,
uncontrolled, to a stop category 0. The external Stop/Start switch does not act upon the safety circuit in any other way. If
a subsequent Unlock request is not initiated by pressing and releasing the Unlock Request button, the gate remains
locked. When the external switch restores three-phase power, the motor and hazardous motion resumes.
The following sections describe an unlock gate, lock gate, and start operating sequence for the MAB system.
Unlock Gate
When the motor runs in the locked guarded area, pressing and releasing the Unlock Request button causes the SI relay to
turn off its safety outputs. The K1 and K2 contactors are de-energized and the motor coasts, uncontrolled, to a stop
Cat. No. Description Quantity
440R-S12R2 440R single-function safety relays, one dual-channel universal input, one N.C. contact, solid-state, two N.O. contacts,
one SWS output, 24V DC, removable, configured automatic, manual, or manual-monitored reset
1
800FP-F5PX11V 800F push button, plastic, flush, yellow, no legend, plastic latch mount, one N.O. contact, one N.C. contact, low
voltage, standard pack (quantity 1)
1
442G-MABH-R Handle assembly, 442G access box, right-hinged door with bolt-locking mechanism 1
442G-MABE1 Escape release, 442G-MAB, standard shaft 1
442G-MABAMPH 442G-MAB mounting plate, handle assembly 1
442G-MABAMPL 442G-MAB mounting plate, lock module 1
889M-F19RM-2 M23, female, straight, 19-P, PUR cable, black, unshielded, IEC color coded, no connector, 2 m (6.56 feet) 1
442G-MABR-URM-C02 Lock module, 442G access box, power-to release, unique Code, M23 connector, right-hand guard, two push buttons 1
800FP-F3PX10V 800F push button, plastic, flush, green, no legend, plastic latch mount, one N.O. contact, no N.C. contact, low voltage,
standard pack (quantity 1)
1
100S-C16EJ14BC 100S-C safety contactor, 16 A, 24V DC (with electric coil), bifurcated contact 2
440R-GL2S2P Monitoring safety relay, one dual-channel input, two PNP proximity sensors, one N.C. solid-state auxiliary output 1
872C-D8NP18-E2 Proximity sensor, three-wire DC standard barrel, 18 mm (.71 in.) diameter, tubular, nickel-plated brass, standard,
8 mm (.32 in.) sensing distance, unshielded, normally open, source (PNP) output, PVC cable (5 cond)
2
889D-F4NE-5 DC Micro (M12), female, straight, four-pin, PVC cable, red, unshielded, IEC color coded, no connector, 5 m (16.4 ft) 2
700-HPS2Z24 Safety control relay, 700-HP general-purpose PCB PIN style relay, 8 A, 2 pole, DPDT, 24V DC (package quantity of 10) 2
700-HN123 Mini eight-pin screw terminal socket, touch-safe terminal construction, incorporates coil and contact separation
(package quantity of 10)
2
700-ADL1R Diode with LED surge suppressor, 6...24V DC (package quantity of 10) 2
855EP-B24L5 Control tower stack light, pre-assembled, 10 cm (3.94 in.) pole mount with cap, black housing, 24V AC/DC full-
voltage, amber flashing status indicator
1
8Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
category 0. At the same time, the SI relay deactivates its SWS output. In response, the GLP safety relay prepares to turn its
safety outputs OFF and its Unlock commands ON when the proximity sensor inputs to the GLP safety relay confirm
that hazardous motion is at or below the configured safe speed of 0.5 Hz. When the speed of hazardous motion has
dropped to 0.5 Hz, the GLP safety relay initiates its Frequency Measuring Time delay of 10.1 seconds. This delay is to
verify that the speed really is at or below the configured safe speed. When this time has elapsed, without the monitored
speed exceeding 0.5 Hz, the GLP safety relay turns its safety outputs, X14 and X24, OFF, which de-energizes the K3 and
K4 contactors. The N.O. contacts of K3 and K4 open and break the connection between the Stop-Start circuit and K1
and K2. This action helps prevent a Restart until the K3 and K4 contactors are energized. The GLP safety relay turns its
Unlock Command outputs ON. The 51 Unlock command powers the solenoid of the MAB and unlocks the gate. The
K3 and K4 contactors cannot be re-energized until the gate is closed and locked. The L 61 Unlock command powers the
Guard Unlocked flashing amber stack light to show that the gate is unlocked. The handle of the MAB can now be
rotated to retract the bolt, and the gate can be opened.
Lock Gate
Once the required task is complete, and it is confirmed that no one remains in the guarded area, the gate is closed and the
handle of the MAB is rotated to extend the bolt. Pressing and releasing the Lock Request button on the MAB cover
requests the GLP safety relay to end the Unlock commands. The Lock Request button connects to terminal S44 of the
GLP safety relay via the two N.C. contacts of K1 and K2 contactors, which closed when the Unlock was requested. The
gate cannot be locked if these contacts are not closed. The GLP safety relay turns the Unlock Command outputs OFF.
The amber stack light turns OFF to show that the gate is locked. The solenoid of the MAB drops out and the gate is
locked. Once the OSSD outputs of the MAB confirm to the GLP safety relay that the gate is closed, and the bolt is
extended and locked, the GLP safety relay turns its safety outputs ON. This action energizes the K3 and K4 contactors.
Their N.O. contacts close and restore the connection between 24V DC and the Restart circuit.
Start
Pressing the Restart button energizes the K1 and K2 contactors. Their N.O. contacts close and restore power to the
motor. Hazardous motion begins.
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 9
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Electrical Schematic
For an electrical schematic in AutoCAD or ePLAN format, see the attached files.
A1
A2
L12
S54
L11
P22
P12
AP
LOGIC
S22
S12
Y32
S44
X14
X24
51
L61
GLP
889M-F19RM-X
24V DC, Class 2, PELV
Brn
Brn
Blu
Blu
Blk
Blk
872C-D8NP18-E5 (2)
Red/Blu
Grn/Blk
Vio
Blu
Brn
440R-GL2S2P
SL2
Unlock Cmd
Lock Request
MAB cover Yel/Brn
UA
Wht/Grn
Pnk
OT
OL
Reset
MAB Fault
Gry/Pnk
M
L1 L2 L3
Note 2: K1 and K2 = 100S-C16EJ14BC - E J contactors have integral
transient suppression. External transient suppression may be
required when non-”EJ” contactors are used.
K3 and K4 = 700-HPSXZ24 DPDT Safety relays with 700-ADL12
suppressor -Red LED modules
OL: True when the door is closed, the bolt is
extended and locked.
OT: True when the door is closed and the bolt is
extended, locked or not.
OI: True when the MAB is faulted.
K1
K2
Status
to PAC
L
A1
A2 L11
S21
S11
S22
S12
Y32
S34
13
14
23
24
Status
to PAC
K1
K2
SI
0V DC
442G-MAB PTR Hardware Rev. A
- see Note 2
- see Note 1
Note 1: UA: Connected to 24V internally in MAB
2
0
K3
K4
LOGIC
SL1
K3
K4
A1
0
Restart
K1 K2
K3 K4
L
MAB cover
UA
R
R
AM
440R-S12R2
K3 K4 Status
to PAC
Status
to PAC
K1 K2
OI Wht/Yel
Status
to PAC Guard Unlocked
- see Note 2
External
Stop/Start
Status
to PAC
Unlock Request
24V DC, Class 2, PELV
Status
to PAC
Status
to PAC
Status
to PAC
Status
to PAC
Status
to PAC
0V DC
Unlock Request
Restart
MAB Cover
MAB Cover
LOGIC
Lock Request
External
Stop/Start
Guard Unlocked
Reset
MAB Fault
Unlock CMD
Hardware Rev. A
Status
to PAC
See Note 1
See Note 2
See Note 2
Note 1: UA: Connected to 24V internally in MAB.
OL: True when the door is closed, and the bolt is extended and locked.
OT: True when the door is closed and the bolt is extended, locked or not.
OI: True when the MAB is faulted.
K1 and K2 = 100S-C16EJ14BC–EJ contactors have integral transient suppression. External
transient suppression may be required when non-EJ contactors are used.
K3 and K4 = 700-HPSXZ24 DPDT safety relays with 700-ADL12 suppressor–red LED modules.
Note 2:
10 Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Timing Diagram
Typical Gate Opened, Gate Closed, and Restart Sequence
Unlock Request (ULR)
SI Status
Single Wire Safety – SI
Contactors K1 and K2
K1–K2 Feedback – GLP Reset
Motor
Hazardous Motion
Frequency Measuring Time
Unlock Command
MAB Lock
MAB OSSDs
Contactors K3 and K4
K3–K4 Feedback – SI Reset
Guarded Gate
MAB Lock Request (LR)
Press Start Button
ULR Frequency Measuring
Time Expired LR
manually
operated
Drops to
safe speed
0.5 Hz
10.1 sec
Reset/Running
Tripped
Inactive
De-energized
Powered
Active
Energized
0
Power Removed
0
24
24
0
24
0
24
0
24
0
24
Moving
Timing
Not Timing/Expired
Off
Stopped
Unlocked
Locked
On
Energized
De-energized
Open
Closed and Latched
High for 0.25 sec. min. to 3 sec. max.
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 11
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Configuration
Follow these instructions to configure the components of your safety system.
Configure the GLP Safety Relay
Wiring must be complete before configuration can be completed. Follow these steps to configure the GLP safety relay.
1. With power to the GLP safety relay turned OFF:
a. Set the LOGIC switch to 0.
b. Set the SL1 switch to 0.
c. Set the SL2/TIME switch to 0.
2. Apply Power to the GLP safety relay.
The PWR/Fault status indicator flashes red continuously.
3. Set the configuration, by setting the LOGIC switch to 2.
4. Leave the SL1 switch set to 0.
5. Leave the SL2 switch set to 0.
6. Monitor the flashing indicators on the GLP safety relay.
For details, see Guard-Locking Proximity Inputs Safety Relay User Manual, publication 440R-UM012.
7. Remove power to the GLP safety relay.
8. Pause, and then restore power to the GLP safety relay.
Switch 1
Setting
Lock/ Unlock Door Control
Out Configuration
Application Logic in
0 Configuration
1…8 Program mode X14 and X24 configured as OSSD Outputs
1 Guard Locking
Power to Release
Cat 1 Stop Logic in OFF
2 Logic in AND IN1
SLS1 Switch Setting Maximum SLOW Speed Frequency Measuring Time
0 0.5 Hz 10100 ms
SLS2/Time Switch
Setting
Safe Maximum Speed Configuration
1…4 and 8 (Configured from 9)
Time Configuration 5…8
(Configured from 0)
0 No limit 10%
Screwdriver Slot
Mechanical Stops
12 Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Configure the MAB
Leave the MAB at the factory settings, as shown in the following table.
Function of the Switches
If the DIP switches are not at the factory settings, see the Multi-functional Access Box User Manual,
publication 442G-UM001, for directions on how to restore the original factory settings.
Calculation of the Performance Level
When properly implemented, these safety functions can achieve a safety rating of category 3, Performance Level d (cat. 3,
PLd), according to ISO 13849-1: 2015, as calculated by using the Safety Integrity Software Tool for the Evaluation of
Machine Applications (SISTEMA).
The SISTEMA file that is referenced in this safety function application technique is attached to this document.
The PFH for electromechanical systems may be calculated differently based on the version of ISO 13849 supported by
SISTEMA. ISO 13849-1:2015, which changed the maximum MTTFd from 100 to 2500 years, is supported starting in
version 2.0.3 of SISTEMA. As a result, the same SISTEMA data file that is opened in two different versions of
SISTEMA can yield different calculated results.
The Performance Level for all safety functions is shown in the graphic.
Detail Switch Function
A 1+2 On: Device is configured for standalone operation (factory setting)
Off: Device is configured for series operation
B 3+4 On: Guard lock monitoring is deactivated
Off: Guard lock monitoring is activated (factory setting)
C5
On: DIP switch configuration enabled
Off: DIP switch configuration inhibited (factory setting)
D6
On: Release monitoring is activated (factory setting)
Off: Release monitoring is deactivated
123456
ABCD
Factory settings are
shown.
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 13
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Safe Monitored Access Safety Function
The GLP safety relay monitors only the speed of the guarded hazard. It does not monitor the state of the K1 and K2
contactors. If neither the K1 or K2 contactors open their N.O. safety contacts upon demand, the motor and hazardous
motion do not slow. The GLP safety relay does not allow access to the hazardous area. If either the K1 or K2 contactors
do not respond to a demand and remain closed, the K1-K2 feedback in the Lock Request circuit helps prevent resetting
the GLP safety relay and locking the MAB and starting the motion.
The PL and category ratings of the individual subsystems are shown in the graphic.
The overall PL and PFHd of the safety function are in the following graphic.
The safe-monitored stop safety function can be modeled as follows.
Subsystem 1 Subsystem 2 Subsystem 3
Input Logic Output
872C
Proximity
Sensor
872C
Proximity
Sensor
Guardmaster
GLP Safety
Relay
442G
Multifunctional
Access Box
14 Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Prevention of Unexpected Startup Safety Function
The status of both the K1-K2 contactors and the K3-K4 contactors is monitored in the prevention of unexpected startup
safety function.
The PL and category ratings of the individual subsystems are shown in the following graphic.
The overall safety function and PFHd values are shown below.
The prevention of unexpected startup safety function can be modeled as follows.
Functional Safety Data Required for Determining the Performance Level of Electromechanical Devices
Because the contactors, K1, K2, K3, and K4, are electromechanical devices, the safety contactor data includes the
following:
•Mean Time to Failure, dangerous (MTTFd)
•Diagnostic Coverage (DCavg)
•Common Cause Failure (CCF)
Subsystem 1 Subsystem 2 Subsystem 3 Subsystem 4
Input Logic Output
Guardmaster
GLP Safety
Relay
442G
Multifunctional
Access Box
100S-C
Contactor
K1
100S-C
Contactor
K2
700-HPS Safety
Control Relay
K3
700-HPS Safety
Control Relay
K4
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 15
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
The functional safety evaluations of the electromechanical devices include the following:
•How frequently they are operated
•Whether they are effectively monitored for faults
•Whether they are properly specified and installed
SISTEMA calculates the MTTFd by using B10d data that are provided for the contactors along with the estimated
frequency of use, entered during the creation of the SISTEMA project.
The K1 and K2 contactors control power to the motor that drives hazardous motion. It is presumed that an Unlock
command is requested once an hour, 24 hours a day for 365 days a year, or 8760 times a year. SISTEMA uses 8760 as the
frequency of operation when it calculates the MTTFd for the K1 and K2 contactors.
The K3 and K4 contactors are operated when access to the hazardous area is requested. The SISTEMA calculations for
the prevention of unexpected startup use this same number, 8760 operations a year, as the frequency of operation when
calculating the MTTFd for the K3 and K4 contactors.
The DCavg (99%) for the contactors is selected from the Output Device table of ISO 13849-1 Annex E, Direct
Monitoring.
The CCF value is generated by using the scoring process that is outlined in Annex F of ISO 13849-1. The complete CCF
scoring process must be performed when actually implementing an application. A minimum score of 65 must be
achieved.
Verification and Validation Plan
Verification and validation play important roles in the avoidance of faults throughout the safety system design and
development process. ISO 13849-2 sets the requirements for verification and validation. The standard calls for a
documented plan to confirm that all safety functional requirements have been met.
Verification is an analysis of the resulting safety control system. The Performance Level (PL) of the safety control system
is calculated to confirm that the system meets the required Performance Level (PLr) specified. The SISTEMA software
is typically used to perform the calculations and assist with satisfying the requirements of ISO 13849-1.
Validation is a functional test of the safety control system to demonstrate that the system meets the specified
requirements of the safety function. The safety control system is tested to confirm that all safety-related outputs respond
appropriately to their corresponding safety-related inputs. The functional test includes normal operating conditions and
potential fault injection of failure modes. A checklist is typically used to document the validation of the safety control
system.
Before validating the system, confirm that the Guardmaster safety relay has been wired and configured in accordance
with the installation instructions.
For a validation checklist, see the attached spreadsheet.
16 Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Additional Resources
These documents contain more information about related products from Rockwell Automation.
You can view or download publications at http://www.rockwellautomation.com/global/literature-library/
overview.page.
Resource Description
System Design for the Control of Electrical Noise, publication GMC-RM001 Outlines the practices that minimize the possibility of noise-related failures and that
comply with noise regulations. Provides an overview of how electrical noise is
generated (sources), how the noise interferes with routine operation of drive
equipment (victims), and how to effectively control noise.
Multifunctional Access Box Installation Instructions, publication 442G-IN001
Provides instructions on how to assemble and configure the handle of the 442G access
box. Describes how to mount the 442G access box, and also provides specifications for
the device.
Multi-functional Access Box User Manual, publication 442G-UM001 Provides instructions on how to design, install, program, and troubleshoot systems that
use the 442G multifunctional access box.
Allen-Bradley Guardmaster 442G Multifunctional Access Box Product Profile,
publication 442G-PP001
Provides an overview of the components and accessories available for the 442G
multifunctional access box.
MACHINERY SAFEBOOK 5: Safety related control systems for machinery–Principles,
standards and implementation, publication SAFEBK-RM002
Describes regulations and standards that are associated with safety-related control
systems for machinery. Provides application examples and lists products, tools, and
services available from Rockwell Automation.
Inductive Proximity Sensors Technical Data, publication PROX-TD001 Provides technical specifications for tubular sensors, rectangular sensors, cylinder
sensors, and ring and slot sensors.
Guard-Locking Proximity Inputs Safety Relay User Manual, publication 440R-UM012 Describes procedures that are used to install, wire, and troubleshoot the guard locking
with proximity (GLP) safety controller. Also describes the plug-in modules and
accessories available for the GLP safety controller.
Next Generation Guardmaster Safety Relay (GSR)Wiring Diagram,
publication SAFETY-WD001
Provides wiring diagrams for the Guardmaster (GSR) safety relays. Describes circuit
components, circuit status, operating principles, fault detection, and ratings for these
safety relays.
Industrial AutomationWiring and Grounding Guidelines, publication1770-4.1 Provides general guidelines on how to install a Rockwell Automation® industrial
system.
Product Certifications website, rok.auto/certifications Provides declarations of conformity, certificates, and other certification details.
Safety Automation Builder and SISTEMA Library website
Download Safety Automation Builder® to help simplify machine safety design and
validation, and reduce time and costs. Integration with our risk assessment software
provides you with consistent, reliable, and documented management of the Functional
Safety Lifecycle.
The SISTEMA tool, also available for download from the Safety Automation Builder
page, automates calculation of the attained Performance Level from the safety-related
parts of the control system of a machine to (EN) ISO 13849-1.
Rockwell Automation Publication SAFETY-AT166A-EN-P - June 2019 17
Safe-monitored Access via a 442G Access Box and a Guardmaster GLP Safety Relay Safety Function
Notes:
Allen-Bradley, Guardmaster, LISTEN. THINK. SOLVE. Rockwell Automation, Rockwell Software, Safety Automation Builder, and SensaGuard are trademarks of Rockwell Automation, Inc.
CTrademarks not belonging to Rockwell Automation are property of their respective companies.
Publication SAFETY-AT166A-EN-P - June 2019
Copyright © 2019 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
Rockwell Automation Support
Use the following resources to access support information.
Documentation Feedback
Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete the
How Are We Doing? form at http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf.
Technical Support Center Knowledgebase Articles, How-toVideos, FAQs, Chat,
User Forums, and Product Notification Updates. www.rockwellautomation.com/knowledgebase
Local Technical Support Phone Numbers Locate the phone number for your country. www.rockwellautomation.com/global/support/get-support-
now.page
Direct Dial Codes
Find the Direct Dial Code for your product. Use the
code to route your call directly to a technical support
engineer.
www.rockwellautomation.com/global/support/direct-
dial.page
Literature Library Installation Instructions, Manuals, Brochures, and
Technical Data. www.rockwellautomation.com/literature
Product Compatibility and Download Center
(PCDC)
Get help determining how products interact, check
features and capabilities, and find associated
firmware.
www.rockwellautomation.com/global/support/pcdc.page
Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400
Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.
Safety Function Capabilities
Visit rok.auto/safety for more information on our Safety System Development Tools, including Safety Functions.
This manual suits for next models
1
Table of contents
Other Rockwell Automation IP Access Controllers manuals
