Application Guide. TwinSAFE. Version: Date:

Size: px

Start display at page:

Download "Application Guide. TwinSAFE. Version: Date:"

Earl Blankenship
6 years ago
Views:

1 Application Guide TwinSAFE Version:.9. Date:

3 Table of contents Table of contents Foreword 7. Notes on the documentation 7.. Intended audience 7.. Origin of the document 7..3 Currentness 7..4 Product features 7..5 Disclaimer 7..6 Trademarks 7..7 Patent Pending 8..8 Copyright 8..9 Delivery conditions 8. Safety instructions 8.. Delivery state 8.. Operator's obligation to exercise diligence 8..3 Purpose and area of application 9..4 Description of safety symbols 9..5 Explanation of terms 0..6 Documentation issue status Circuit examples. ESTOP function variant (Category 3, PL d).. Parameters of the safe input and output terminals.. Block formation and safety loops 3..3 Calculation 3. ESTOP function variant (Category 3, PL d) 7.. Parameters of the safe input and output terminals 7.. Block formation and safety loops 8..3 Calculation 8.3 ESTOP function variant 3 (Category 4, PL e) 3.3. Parameters of the safe input and output terminals 3.3. Block formation and safety loops Calculation 4.4 ESTOP function variant 4 (Category 4, PL e) 9.4. Parameters of the safe input and output terminals 9.4. Block formation and safety loops Calculation 30 Application Guide TwinSAFE - version.9.

4 Table of contents.5 ESTOP function variant 5 (Category 4, PL e) Parameters of the safe input and output terminals Block formation and safety loops Calculation 36.6 ESTOP function variant 6 (Category 3, PL d) 4.6. Parameters of the safe input and output terminals (SIL ) 4.6. Block formation and safety loops Calculation 4.7 ESTOP function variant 7 (Category 4, PL e) Parameters of the safe input and output terminals Block formation and safety loops Calculation 48.8 Protective door function variant (Category 3, PL d) Parameters of the safe input and output terminals Block formation and safety loops Calculation 54.9 Protective door function variant (Category 4, PL e) Parameters of the safe input and output terminals Block formation and safety loops Calculation 60.0 Protective door function with range monitoring (Category 4, PL e) Parameters of the safe input and output terminals Block formation and safety loops Calculation 67. Protective door function with guard lock (Category 4, PL e) 7.. Parameters of the safe input and output terminals 7.. Block formation and safety loops Calculation 73. Two-hand controller (Category 4, PL e) 79.. Parameters of the safe input and output terminals 79.. Block formation and safety loops Calculation 80.3 Laser scanner (Category 3, PL d) Parameters of the safe input and output terminals Block formation and safety loops Calculation 85 Application Guide TwinSAFE - version.9.

5 Table of contents.4 Light grid (Category 4, PL e) Parameters of the safe input and output terminals Block formation and safety loops Calculation 90.5 Safety switching mat / safety bumper (Category 4, PL e) Parameters of the safe input and output terminals Block formation and safety loops Calculation 95.6 Muting (Category 4, PL e) Parameters of the safe input and output terminals Block formation and safety loops Calculation 00.7 All-pole disconnection of a potential group with downstream non-reactive standard terminals (Category 4, PL e) Notes on prevention of feedback Parameters of the safe input and output terminals Block formation and safety loops Calculation 0.8 Single-pole disconnection of a potential group with downstream non-reactive standard terminals with fault exclusion (Category 4, PL e) 5.8. Notes on prevention of feedback 7.8. Parameters of the safe input and output terminals Block formation and safety loops Calculation 0.9 Networked system (Category 4, PL e) 5.9. Parameters of the safe input and output terminals 6.9. Block formation and safety loops Calculation 7.0 Drive option AX580 with SS stop function (Category 4, PL e) 3.0. Parameters of the safe input and output terminals 3.0. Block formation and safety loops Calculation 3. Drive option AX5805 with SS stop function (Category 4, PL e) 37.. Parameters of the safe input and output terminals 37.. Block formation and safety loops Calculation 38 Application Guide TwinSAFE - version.9. 3

6 Table of contents. Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (single-channel) (Category, PL c) 4.. Parameters of the safe input and output terminals 4.. Block formation and safety loops Calculation 43.3 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (dual-channel) (Category 3, PL d) Parameters of the safe input and output terminals Block formation and safety loops Calculation 47.4 ESTOP function (Category 3, PL d) Parameters of the safe input and output terminals (SIL ) Block formation and safety loops Calculation 50.5 Speed monitoring (Category 3, PL d) Structure and diagnosis FMEA Parameters of the safe output terminal Block formation and safety loops Calculation 59.6 Speed monitoring (via IO-link) (Category 3, PL d) Structure and diagnosis FMEA Parameters of the safe output terminal Block formation and safety loops Calculation 70.7 STO function with EL7x-904 (Category 3, PL d) Parameters of the safe input and output terminals Block formation and safety loops Safety function Calculation 78.8 STO-Function with IndraDrive (Category 4, PL e) 8.8. Parameters of the safe input and output terminals Block formation and safety loops Safety function Calculation Technical Note from company Bosch Rexroth AG 88 4 Application Guide TwinSAFE - version.9.

7 Table of contents.9 Temperature measurement with TwinSAFE SC (Category 3, PL d) 9.9. Diagram of the structure Structure and diagnosis FMEA Parameters of the safe output terminal Block formation and safety loops Calculation Level measurement with TwinSAFE SC (Category 3, PL d) Diagram of the structure Structure and diagnosis FMEA Parameters of the safe output terminal Block formation and safety-loops Calculation 05.3 Pressure measurement with TwinSAFE SC (Category 3, PL d).3. Diagram of the structure 3.3. Structure and diagnosis FMEA Parameters of the safe output terminal Block formation and safety-loops Calculation 5.3 Monitoring lifting device (Category 3, PL d).3. Diagram of the structure 3.3. Structure and diagnosis FMEA Structure within the logic Parameters of the safe output terminal Block formation and safety-loops Calculation 8 Application Guide TwinSAFE - version.9. 5

8 Table of contents 3 Planning a safety project with TwinSAFE components Identifying the risks and hazards Determining the PL r / SIL Specification of the safety functions Specification of the measures Implementation of the safety functions Proof of achievement of the Performance Level Validation of the safety functions Instructions for checking the SF Acceptance 40 4 Technical report TÜV SÜD 4 5 Appendix 4 5. Beckhoff Support and Service Beckhoff branches and partner companies Beckhoff Support Beckhoff company headquarters 4 6 Application Guide TwinSAFE - version.9.

9 Foreword Foreword. Notes on the documentation.. Intended audience This description is only intended for the use of trained specialists in control and automation engineering who are familiar with the applicable national standards. It is essential that the following notes and explanations are followed when installing and commissioning these components. The responsible staff must ensure that the application or use of the products described satisfy all the requirements for safety, including all the relevant laws, regulations, guidelines and standards... Origin of the document This documentation was originally written in German. All other languages are derived from the German original...3 Currentness Please check whether you are using the current and valid version of this document. The current version can be downloaded from the Beckhoff homepage at In case of doubt, please contact the technical Support (see chapter 5. Beckhoff Support and Service)..4 Product features Only the product features specified in the current user documentation are valid. Further information given on the product pages of the Beckhoff homepage, in s or in other publications is not authoritative...5 Disclaimer The documentation has been prepared with care. The products described are, however, constantly under development. For that reason the documentation is not in every case checked for consistency with performance data, standards or other characteristics. In the event that it contains technical or editorial errors, we retain the right to make alterations at any time and without warning. No claims for the modification of products that have already been supplied may be made on the basis of the data, diagrams and descriptions in this documentation...6 Trademarks Beckhoff, TwinCAT, EtherCAT, Safety over EtherCAT, TwinSAFE, XFC and XTS are registered trademarks of and licensed by Beckhoff Automation GmbH Other designations used in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owners. Application Guide TwinSAFE - version.9. 7

10 Foreword..7 Patent Pending The EtherCAT Technology is covered, including but not limited to the following patent applications and patents: EP59097, EP789857, DE , DE with corresponding applications or registrations in various other countries. The TwinCAT Technology is covered, including but not limited to the following patent applications and patents: EP085348, US66745 with corresponding applications or registrations in various other countries. EtherCAT is registered trademark and patented technology, licensed by Beckhoff Automation GmbH, Germany..8 Copyright Beckhoff Automation GmbH & Co. KG, Germany. The reproduction, distribution and utilization of this document as well as the communication of its contents to others without express authorization are prohibited. Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design...9 Delivery conditions In addition, the general delivery conditions of the company Beckhoff Automation GmbH & Co. KG apply.. Safety instructions.. Delivery state All the components are supplied in particular hardware and software configurations appropriate for the application. Modifications to hardware or software configurations other than those described in the documentation are not permitted, and nullify the liability of Beckhoff Automation GmbH & Co. KG... Operator's obligation to exercise diligence The operator must ensure that the TwinSAFE products are only used as intended the TwinSAFE products are only operated in sound condition and in working order. the TwinSAFE products are operated only by suitably qualified and authorized personnel. the personnel is instructed regularly about relevant occupational safety and environmental protection aspects, and is familiar with the operating instructions and in particular the safety instructions contained herein. the operating instructions are in good condition and complete, and always available for reference at the location where the TwinSAFE products are used. none of the safety and warning notes attached to the TwinSAFE products are removed, and all notes remain legible. 8 Application Guide TwinSAFE - version.9.

11 Foreword..3 Purpose and area of application The Application Guide provides the user with examples for the calculation of safety parameters for safety functions according to the standards DIN EN ISO and EN 606 or EN 6508:00 (if applicable), such as are typically used on machines. In the examples an EL904 is taken as an example for a safe input or an EL904 for a safe output. This is to be considered an example; of course other safe inputs or outputs can be used, such as an EP908 or an EL90. The appropriate parameters, which can be taken from the respective product documentation, must then be used in the calculation. Application samples Attention These samples provide the user with example calculations. They do not release him from his duty to carry out a risk and hazard analysis and to apply the directives, standards and laws that need to be considered for the application...4 Description of safety symbols The following safety symbols are used in these operating instructions. They are intended to alert the reader to the associated safety instructions. Serious risk of injury! DANGER Failure to follow the safety instructions associated with this symbol directly endangers the life and health of persons. Caution - Risk of injury! WARNING Failure to follow the safety instructions associated with this symbol endangers the life and health of persons. Personal injuries! CAUTION Failure to follow the safety instructions associated with this symbol can lead to injuries to persons. Damage to the environment or devices Attention Failure to follow the instructions associated with this symbol can lead to damage to the environment or equipment. Tip or pointer Note This symbol indicates information that contributes to better understanding. Application Guide TwinSAFE - version.9. 9

12 Foreword..5 Explanation of terms Designation B0D CCF dop DCavg hop MTTFD nop PFH PL PLr TZyklus T λd T0D TwinSAFE SC Explanation Mean number of cycles after 0% of the components have dangerously failed Failures with a common cause Mean operating time in days per year Average diagnostic coverage Mean operating time in hours per day Mean time to dangerous failure Mean number of annual actuations Probability of a dangerous failure per hour Performance Level Required Performance Level Mean time between two successive cycles of the system (given in minutes in the following examples, but can also be given in seconds) Lifetime of the device (for TwinSAFE devices typically 0 years) Dangerous failure rate given in FIT (failure rate in 0 9 component hours) Operating time - maximum operating time for e.g. electromechanical components The TwinSAFE SC technology (SC - Single Channel) enables a signal from a standard terminal to be packaged in a FSoE telegram and transmitted via the standard fieldbus to the TwinSAFE logic. As a result, falsifications on the transmission path can be excluded. Within the TwinSAFE logic, this signal is checked with a second independent signal. With this comparison result, an analog value is obtained which has typically a level of category 3 and PL d. This technology does not support digital input signals and cannot be used in a single-channel structure (only one TwinSAFE SC channel). 0 Application Guide TwinSAFE - version.9.

13 Foreword..6 Documentation issue status Version Comment.9. Note in chapter.7 and.8 added.9.0 Chapter.8 updated Chapter 3 Planning a safety project added.8.0 TwinSAFE SC examples added Example for Bosch Rexroth IndraDrive drives family Name SIL Communication replaced by TwinSAFE SC Examples.5 and.6 updated General revision of all chapters.7.0 Chapter "Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (single channel)" revised Preface updated Chapter "Purpose and area of application" expanded Structure diagram chapters.5 and.6 updated Chapter.7 added Chapters..3.,.3.3.,.4.3.,.5.3.,.7.3. and.9.3. substantiated (notes on direct/indirect reading back removed) Note texts added in chapter.9.6. Letter of conformity updated Graphics in chapters.5 and.6 updated Purpose and area of applications added.6. Chapters.5 and.6 added.6.0 Chapters.7 and.8 revised.5.0 Company address amended.4.0 Chapter.4 added Documentation versions added Document origin added Formatting changed.3. Headers extended with categories and performance levels Note in Chapter.6 moved.3.0 Terms of delivery removed..0 Correction to Chapter.6..0 First released version Application Guide TwinSAFE - version.9.

14 Circuit examples. ESTOP function variant (Category 3, PL d) The emergency stop button is connected via two normally closed contacts to an EL904 safe input terminal. The testing and the monitoring of the discrepancy of the two signals are activated. The restart and the feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. K K Emergency stop button S Restart S Logical connection in the EL6900 K K.. Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9.

15 .. Block formation and safety loops... Safety function K S EL904 EL6900 EL904 K..3 Calculation..3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 0080 (x per week) (7 days, 4 hours) Lifetime (T) 0 years 7500 hours..3. Diagnostic Coverage DC Component S with testing/plausibility DCavg99% K/K with testing and EDM (actuation x per week) DCavg60% K/K with testing and EDM (actuation x per shift) DCavg90%..3.3 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Application Guide TwinSAFE - version.9. 3

16 Inserting the values, this produces: S: n op , MTTF d ,y h 0,,90 K/K: n op , MTTF d ,3y h 0,,90 and the assumption that S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH DC MTTF d 0,99,50E 4566, 8760 K/K: actuation x per week PFH 0,60 7,69E , K/K: actuation x per shift PFH 0,90,9E , The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : 4 Application Guide TwinSAFE - version.9.

17 PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to: 7,96E + 7,96E PFH ges,5e,e 09,03E 09,5E 09 0% 3,4E 09 in the case of actuation x per week or:,9e,9e PFH ges,5e,e 09,03E 09,5E 09 0% 3,4E 09 in the case of actuation x per shift The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) (MTTF d (K)) with: MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) MTTF d (EL6900) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( DC(EL6900)) PFH(EL6900) ( 0,99),E 09 h 8760h y ( 0,99),03E 09 h 8760h y 0,0 9,7E 06 y 0,0 9,0E 06 y 08,8y 08,6y Application Guide TwinSAFE - version.9. 5

18 MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 333,98y 4566,y 08,8y 08,6y 93,y ,3y DC avg bzw.: DC avg 99% + 99% + 99% + 99% + 60% + 60% 4566, 08,8 08,6 93, , ,3 4566, 08,8 08,6 93, , ,3 99% + 99% + 99% + 99% + 90% + 90% 4566, 08,8 08,6 93, , ,3 4566, 08,8 08,6 93, , ,3 98,96% 98,99% Measures for attaining category 3! CAUTION This structure is possible up to category 3 at the most, since an error in the feedback path of the relays may be undiscovered. In order to attain category 3, all rising and falling edges must be evaluated together with the time dependence in the controller for the feedback expectation! Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC none none low medium low medium high MTTF d low a - a b b c - medium b - b c c d - high - c c d d d e 6 Application Guide TwinSAFE - version.9.

19 . ESTOP function variant (Category 3, PL d) The emergency stop button is connected via two normally closed contacts to an EL904 safe input terminal. The testing of the two signals is activated. The signals are not tested for discrepancy. The restart and the feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. K K Emergency stop button S Restart S Logical connection in the EL6900 K K.. Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 7

20 .. Block formation and safety loops... Safety function K S EL904 EL6900 EL904 K..3 Calculation..3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 0080 (x per week) Lifetime (T) 0 years 7500 hours..3. Diagnostic Coverage DC Component S with testing / without plausibility K/K with testing and EDM (actuation x per week) K/K with testing and EDM (actuation x per shift) DCavg90% DCavg60% DCavg90%..3.3 Calculation for block Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: 8 Application Guide TwinSAFE - version.9.

21 MTTF d B0 d 0, n op Inserting the values, this produces: S: n op ,90 MTTF d ,y h 0,,90 K/K: n op ,90 MTTF d ,3y h 0,,90 and the assumption that S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH DC MTTF d 0,90,50E , 8760 K/K: actuation x per week PFH 0,60 7,69E , K/K: actuation x per shift PFH 0,90,9E , The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. Application Guide TwinSAFE - version.9. 9

22 There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for block : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to: 7,96E + 7,96E PFH ges,5e 0,E 09,03E 09,5E 09 0% 3,65E 09 in the case of actuation x per week or:,9e,9e PFH ges,5e 0,E 09,03E 09,5E 09 0% 3,65E 09 in the case of actuation x per shift The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) with: MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op 0 Application Guide TwinSAFE - version.9.

23 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) MTTF Dges ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 4566,y 08,8y 08,6y 93,y ,3y 333,98y 0,0,E 05 y 93,y DC avg bzw.: DC avg 90% + 99% + 99% + 99% + 60% + 60% 4566, 08,8 08,6 93, , ,3 4566, 08,8 08,6 93, , ,3 90% + 99% + 99% + 99% + 90% + 90% 4566, 08,8 08,6 93, , ,3 4566, 08,8 08,6 93, , ,3 98,89% 98,9% Application Guide TwinSAFE - version.9.

24 Measures for attaining category 3! CAUTION This structure is possible only up to category 3 at the most on account of a possible sleeping error. In order to attain category 3, all rising and falling edges must be evaluated together with the time dependence in the controller for the feedback expectation! Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9.

25 .3 ESTOP function variant 3 (Category 4, PL e) The emergency stop button is connected via two normally closed contacts to an EL904 safe input terminal. The testing of the two signals is activated. These signals are checked for discrepancy. The restart and the feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC. Furthermore, the output of the ESTOP function block and the feedback signal are wired to an EDM block. This checks that the feedback signal assumes the opposing state of the ESTOP output within the set time. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. K K Emergency stop button S Restart S Logical connection in the EL6900 K K.3. Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic Application Guide TwinSAFE - version.9. 3

26 EL904 Parameter Current measurement active Output test pulses active.3. Block formation and safety loops.3.. Block K S EL904 EL6900 EL904 K.3.3 Calculation.3.3. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL6900 PFH.E-09.5E-09.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours.3.3. Diagnostic Coverage DC Component S with testing/plausibility K/K with testing and EDM (actuation x per week) K/K with testing and EDM (actuation x per shift) DCavg99% DCavg90% DCavg99% 4 Application Guide TwinSAFE - version.9.

27 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op ,90 MTTF d ,y h 0,,90 K/K: n op ,90 MTTF d ,3y h 0,,90 and the assumption that S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH DC MTTF d 0,99,50E 4566, 8760 K/K: actuation x per week PFH 0,90,9E , K/K: actuation x per shift PFH 0,99,9E , Application Guide TwinSAFE - version.9. 5

28 The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to:,9e,9e PFH ges,5e,e 09,03E 09,5E 09 0% 3,4E 09 in the case of actuation x per week or,9e,9e PFH ges,5e,e 09,03E 09,5E 09 0% 3,4E 09 in the case of actuation x per shift 6 Application Guide TwinSAFE - version.9.

29 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) with: MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 4566,y 08,8y 08,6y 93,y ,3y 333,98y DC avg or: DC avg 99% + 99% + 99% + 99% + 90% + 90% 4566, 08,8 08,6 93, , ,3 4566, 08,8 08,6 93, , ,3 99% + 99% + 99% + 99% + 99% + 99% 4566, 08,8 08,6 93, , ,3 4566, 08,8 08,6 93, , ,3 98,99% 99,00% Application Guide TwinSAFE - version.9. 7

30 Measures for attaining category 4! CAUTION This structure is possible up to category 4 at the most. In order to attain category 4, all rising and falling edges must be evaluated together with the time dependence in the controller for the feedback expectation! Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 8 Application Guide TwinSAFE - version.9.

31 .4 ESTOP function variant 4 (Category 4, PL e) The emergency stop button with two normally closed contacts, the restart and the feedback loop are connected to safe channels of an EL904 input terminal. The testing of the signals is activated. The two emergency stop signals are tested for discrepancy. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. Restart S Emergency stop button K K S Logical connection in the EL6900 K K.4. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 9

32 .4. Block formation and safety loops.4.. Safety function K S EL904 EL6900 EL904 S EL904 K.4.3 Calculation.4.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 0080 (x per week) Lifetime (T) 0 years 7500 hours.4.3. Diagnostic Coverage DC Component S with testing/plausibility S with plausibility K/K with testing and EDM (actuation x per shift) DCavg99% DCavg90% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op 30 Application Guide TwinSAFE - version.9.

33 Inserting the values, this produces: S: n op ,90 MTTF d ,y h 0,,90 S: n op ,90 MTTF d ,0y 4E0h 0,,90 K/K: n op ,90 MTTF d ,3y h 0,,90 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH S: PFH DC MTTF d 0,99,50E 4566, ,90,50E 45660, K/K: actuation x per shift PFH 0,99,9E , Application Guide TwinSAFE - version.9. 3

34 The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (S) + PFH (EL904) Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to:,9e,9e PFH ges,5e,e 09,03E 09,5E 09 0% +,5E,E 09 4,53E 09 in the case of actuation x per shift The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (S) MTTF d (EL904) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op 3 Application Guide TwinSAFE - version.9.

35 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 5,y 4566,y 08,8y 08,6y 93,y ,3y 45660,0y 08,8y DC avg or: DC avg 99% + 99% + 99% + 99% + 90% + 90% + 90% + 99% 4566, 08,8 08,6 93, , , ,0 08,8 4566, 08,8 08,6 93, , , ,0 08,8 99% + 99% + 99% + 99% + 99% + 99% + 90% + 99% 4566, 08,8 08,6 93, , , ,0 08,8 4566, 08,8 08,6 93, , , ,0 08,8 98,99% 99,0% Application Guide TwinSAFE - version.9. 33

36 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 34 Application Guide TwinSAFE - version.9.

37 .5 ESTOP function variant 5 (Category 4, PL e) The emergency stop button with two normally closed contacts, the restart and the feedback loop are connected to safe channels of an EL904 input terminal. The testing of the signals is activated. The two emergency stop signals are tested for discrepancy. Contactors K and K are wired to different output channels. The A connections of the two contactors are fed together to ground. The current measurement of the output channels is deactivated for this circuit. The testing of the outputs is active. Restart S Emergency stop button K K S Logical connection in the EL6900 K K.5. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active No Application Guide TwinSAFE - version.9. 35

38 .5. Block formation and safety loops.5.. Safety function K S EL904 EL6900 EL904 S EL904 K.5.3 Calculation.5.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 0080 (x per week) Lifetime (T) 0 years 7500 hours.5.3. Diagnostic Coverage DC Component S with testing/plausibility S with plausibility K/K with testing and EDM (actuation x per shift) DCavg99% DCavg90% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op 36 Application Guide TwinSAFE - version.9.

39 Inserting the values, this produces: S: n op ,90 MTTF d ,y h 0,,90 S: n op ,90 MTTF d ,0y 4E0h 0,,90 K/K: n op ,90 MTTF d ,3y h 0,,90 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH S: PFH DC MTTF d 0,99,50E 4566, ,90,50E 45660, K/K: actuation x per shift PFH 0,99,9E , Application Guide TwinSAFE - version.9. 37

40 The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (S) + PFH (EL904) Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to:,9e,9e PFH ges,5e,e 09,03E 09,5E 09 0% +,5E,E 09 4,53E 09 in the case of actuation x per shift The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (S) MTTF d (EL904) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op 38 Application Guide TwinSAFE - version.9.

41 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 5,y 4566,y 08,8y 08,6y 93,y ,3y 45660,0y 08,8y DC avg or: DC avg 99% + 99% + 99% + 99% + 90% + 90% + 90% + 99% 4566, 08,8 08,6 93, , , ,0 08,8 4566, 08,8 08,6 93, , , ,0 08,8 99% + 99% + 99% + 99% + 99% + 99% + 90% + 99% 4566, 08,8 08,6 93, , , ,0 08,8 4566, 08,8 08,6 93, , , ,0 08,8 98,99% 99,0% Application Guide TwinSAFE - version.9. 39

42 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 40 Application Guide TwinSAFE - version.9.

43 .6 ESTOP function variant 6 (Category 3, PL d) The emergency stop button with two normally closed contacts, the restart and the feedback loop are connected to safe channels of an EL904 input terminal. The testing of the signals is activated. The two emergency stop signals are tested for discrepancy. Contactors K and K are wired to different output channels. The A connections of the two contactors are fed together to ground. The current measurement of the output channels is deactivated for this circuit. The testing of the outputs is not active. Restart S Emergency stop button K K S Logical connection in the EL6900 K K Category Note This structure is possible only up to category 3 at the most on account of a possible sleeping error. Since the EL904 terminal has only SIL in this application, the entire chain has only SIL!.6. Parameters of the safe input and output terminals (SIL ) EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic Application Guide TwinSAFE - version.9. 4

44 EL904 Parameter Current measurement active Output test pulses active No No.6. Block formation and safety loops.6.. Safety function K S EL904 EL6900 EL904 S EL904 K.6.3 Calculation.6.3. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL6900 PFH.E-09.5E-09.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours.6.3. Diagnostic Coverage DC Component S with testing/plausibility S with plausibility K/K without testing and with EDM via a safe input DCavg99% DCavg90% DCavg90% 4 Application Guide TwinSAFE - version.9.

45 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op ,90 MTTF d ,y h 0,,90 S: n op ,90 MTTF d ,0y 4E0h 0,,90 K/K: n op , MTTF d ,3y h 0,,90 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH S: PFH DC MTTF d 0,99,50E 4566, ,90,50E 45660, K/K: actuation x per shift PFH 0,99,9E , Application Guide TwinSAFE - version.9. 43

46 The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (S) + PFH (EL904) Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to:,9e,9e PFH ges,5e,e 09,03E 09,5E 09 0% +,5E,E 09 4,53E 09 in the case of actuation x per shift The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (S) MTTF d (EL904) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op 44 Application Guide TwinSAFE - version.9.

47 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 5,y 4566,y 08,8y 08,6y 93,y ,3y 45660,0y 08,8y DC avg 99% + 99% + 99% + 99% + 90% + 90% + 90% + 99% 4566, 08,8 08,6 93, , , ,0 08,8 4566, 08,8 08,6 93, , , ,0 08,8 98,99% Application Guide TwinSAFE - version.9. 45

48 Category Note This structure is possible only up to category 3 at the most on account of a possible sleeping error. Since the EL904 terminal has only SIL in this application, the entire chain has only SIL! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 46 Application Guide TwinSAFE - version.9.

49 .7 ESTOP function variant 7 (Category 4, PL e) The emergency stop button with two normally closed contacts, the restart and the feedback loop are connected to safe channels of an EL904 input terminal. The testing of the emergency stop button is deactivated on both channels. The sensor test is activated for the restart button and the feedback loop. The two emergency stop signals are tested for discrepancy. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. Restart S Emergency stop button K K S Logical connection in the EL6900 K K.7. Parameters of the safe input and output terminals. EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 not used No No Single Logic Single Logic. EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 not used not used not used Single Logic Single Logic Application Guide TwinSAFE - version.9. 47

50 EL904 Parameter Current measurement active Output test pulses active.7. Block formation and safety loops.7.. Safety function K S EL904 EL6900 EL904 S EL904 K.7.3 Calculation.7.3. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL6900 PFH.E-09.5E-09.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours.7.3. Diagnostic Coverage DC Component S with plausibility S with testing K/K with testing and EDM (actuation x per shift) DCavg90% DCavg90% DCavg99% 48 Application Guide TwinSAFE - version.9.

51 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op ,90 MTTF d ,y h 0,,90 S: n op ,90 MTTF d ,0y 4E0h 0,,90 K/K: n op ,90 MTTF d ,3y h 0,,90 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH DC MTTF d 0,90,50E , 8760 S: PFH 0,90,50E 45660, K/K: actuation x per shift and direct feedback PFH 0,99,9E , Application Guide TwinSAFE - version.9. 49

52 The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (S) + PFH (EL904) Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to:,9e,9e PFH ges,5e 0,E 09,03E 09,5E 09 0% +,5E,E 09 4,75E 09 in the case of actuation x per shift The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (S) MTTF d (EL904) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op 50 Application Guide TwinSAFE - version.9.

53 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 5,y 4566,y 08,8y 08,6y 93,y ,3y 45660,0y 08,8y DC avg or: DC avg 90% + 99% + 99% + 99% + 90% + 90% + 90% + 99% 4566, 08,8 08,6 93, , , ,0 08,8 4566, 08,8 08,6 93, , , ,0 08,8 90% + 99% + 99% + 99% + 99% + 99% + 90% + 99% 4566, 08,8 08,6 93, , , ,0 08,8 4566, 08,8 08,6 93, , , ,0 08,8 98,94% 98,95% Application Guide TwinSAFE - version.9. 5

54 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 5 Application Guide TwinSAFE - version.9.

55 .8 Protective door function variant (Category 3, PL d) The protective door uses a combination of normally closed and normally open contacts on the safe inputs of an EL904. The testing of the inputs is active and the signals are tested for discrepancy (00 ms). The feedback loop is read in via a standard input and transferred to TwinSAFE via the standard PLC. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. OPEN S K K S CLOSED Logical connection in the EL6900 K K.8. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 53

56 .8. Block formation and safety loops.8.. Safety function S K EL904 EL6900 EL904 S K.8.3 Calculation.8.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d,000,000 S B0d,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 5 (4x per hour) Lifetime (T) 0 years 7500 hours.8.3. Diagnostic Coverage DC Component S/S with testing/plausibility K/K with testing and EDM DCavg99% DCavg90% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: 54 Application Guide TwinSAFE - version.9.

57 S: n op MTTF d ,3y h 0, 470 S: n op MTTF d ,7y 9074h 0, 470 K/K: n op MTTF d ,y h 0, 470 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: DC MTTF d PFH 0,99 679,3 8760,68E 9 S: PFH 0,99 8,4E 0 358, K/K: PFH 0,90 883, 8760,9E 8 The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and Application Guide TwinSAFE - version.9. 55

58 K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) + ( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portions ( β) (PFH (S) PFH (S) ) T and ( β) (PFH (K) PFH (K) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification to:,68e 09,68E 09 PFH ges 0%,E 09,03E 09,5E 09 0%,9E 08,9E 08 4,85E 09 The MTTFd value for block (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op 56 Application Guide TwinSAFE - version.9.

59 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 79,4y 679,3y 08,8y 08,6y 93,y 883,y 99% + 99% + 99% + 99% + 99% + 90% + 90% 679,3 358,7 08,8 08,6 93, 883, 883, DC avg 679,3 358,7 08,8 08,6 93, 883, 883, 96,6% Application Guide TwinSAFE - version.9. 57

60 Measures for attaining category 3! CAUTION This structure is possible only up to category 3 at the most on account of a possible sleeping error. In order to attain category 3, all rising and falling edges must be evaluated together with the time dependence in the controller for the feedback expectation! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 58 Application Guide TwinSAFE - version.9.

61 .9 Protective door function variant (Category 4, PL e) The protective door uses a combination of normally closed and normally open contacts on the safe inputs of an EL904. The testing of the inputs is active and the signals are tested for discrepancy (00 ms). The feedback loop is read in via a safe input. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. OPEN S K K S CLOSED Logical connection in the EL6900 K K.9. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 59

62 .9. Block formation and safety loops.9.. Safety function S K EL904 EL6900 EL904 EL904 S K.9.3 Calculation.9.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d,000,000 S B0d,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 5 (4x per hour) Lifetime (T) 0 years 7500 hours.9.3. Diagnostic Coverage DC Component S/S with testing/plausibility K/K with testing and EDM DCavg99% DCavg99% Calculation for block Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op 60 Application Guide TwinSAFE - version.9.

63 Inserting the values, this produces: S: n op MTTF d ,3y h 0, 470 S: n op MTTF d ,7y 9074h 0, 470 K/K: n op MTTF d ,y h 0, 470 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: DC MTTF d PFH 0,99 679,3 8760,68E 9 S: PFH 0,99 8,4E 0 358, K/K: PFH 0,99,9E , 8760 Application Guide TwinSAFE - version.9. 6

64 The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) + ( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (EL904) Since the portions ( β) (PFH (S) PFH (S) ) T and ( β) (PFH (K) PFH (K) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification to:,68e 09,68E 09 PFH ges 0%,E 09,03E 09,5E 09 0%,9E 09,9E 09,E 09 4,80E 09 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (EL904) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op 6 Application Guide TwinSAFE - version.9.

65 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 5,7y 679,3y 08,8y 08,6y 93,y 883,y 08,8y 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% 679,3 358,7 08,8 08,6 93, 883, 883, 08,8 DC avg 679,3 358,7 08,8 08,6 93, 883, 883, 08,8 99,0% Application Guide TwinSAFE - version.9. 63

66 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 64 Application Guide TwinSAFE - version.9.

.0 Protective door function with range monitoring (Category 4, PL e) The protective door uses a combination of normally closed and normally open contacts on the safe inputs of an EL904.

67 .0 Protective door function with range monitoring (Category 4, PL e) The protective door uses a combination of normally closed and normally open contacts on the safe inputs of an EL904. The testing of the inputs is active and the signals are tested for discrepancy (00 ms). The feedback loop is read in via a safe input. The proximity switches S3 and S4 are wired to safe inputs and detect, for example, when a dangerous machine part is in a safe position so that the protective door may be opened when the machine is running. The testing of these inputs is deactivated so that the static 4 V voltage of the sensors can be used. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. OPEN S K K CLOSED S +4V +4V S3 S4 Logical connection in the EL6900 K K Proximity switch S3 Proximity switch S4 Actuator Moving machine part Safe position Unsafe position Protective door S, S Application Guide TwinSAFE - version.9. 65

68 .0. Parameters of the safe input and output terminals EL904 (upper EL904 on the drawing) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 (lower EL904 on the drawing) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 No No Single Logic Single Logic EL904 (applies to all EL904 used) Parameter Current measurement active Output test pulses active.0. Block formation and safety loops.0.. Safety function S K EL904 EL6900 EL904 S K S3 EL904 S4 66 Application Guide TwinSAFE - version.9.

69 .0.3 Calculation.0.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d,000,000 S B0d,000,000 S3 B0d 0,000,000 S4 B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 5 (4x per hour) Lifetime (T) 0 years 7500 hours.0.3. Diagnostic Coverage DC Component S/S with testing/plausibility S3/S4 with without testing / with plausibility K/K with testing and EDM DCavg99% DCavg90% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op MTTF d ,3y h 0, 470 Application Guide TwinSAFE - version.9. 67

70 S: n op MTTF d ,7y 9074h 0, 470 S3: n op MTTF d ,9y 90739h 0, 470 S4: n op MTTF d ,9y 90739h 0, 470 K/K: n op MTTF d ,y h 0,,90 and the assumption that S, S, S3, S4, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: DC MTTF d PFH 0,99 679,3 8760,68E 9 S: PFH S3/S4: PFH 0,99 8,4E 0 358, ,90 8,4E , K/K: PFH 0,99 883, 8760,9E 9 68 Application Guide TwinSAFE - version.9.

71 The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! The proximity switches S3/S4 are monitored for plausibility (temporal/logical) and are type A systems according to EN6508 (simple components whose behavior under error conditions is fully known). The safe position is driven to once per shift. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S\S\EL904) + PFH (S3\S4\EL904) + ( β) (PFH (S\S\EL904) PFH (S3\S4\EL904) ) T + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portions ( β) (PFH (S\S\EL904) PFH (S3\S4\EL904) ) T and ( β) (PFH (K) PFH (K) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: PFH (S\S\EL904) β PFH (S) + PFH (S) + PFH (EL904) 0%, 4E 09,68E ,4E 0,E 09 PFH (S3\S4\EL904) β PFH (S3) + PFH (S4) + PFH (EL904) 0%, 9E 09 8,4E 0 + 8,4E 0,E 09,4E 09,9E 09 PFH ges 0%, 53E 09,9E 09,9E 09,03E 09,5E 09 0% Application Guide TwinSAFE - version.9. 69

72 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (S3) B0 d(s3) 0, n op MTTF d (S4) B0 d(s4) 0, n op MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y 70 Application Guide TwinSAFE - version.9.

73 MTTF Dges 77,3y 679,3y 08,8y 08,6y 93,y 833,y DC avg 99% + 99% + 90% + 90% + 99% + 99% + 99% + 99% + 99% + 99% 679,3 358,7 3586,9 3586,9 08,8 08,8 08,6 93, 833, 833, 679,3 358,7 3586,9 3586,9 08,8 08,8 08,6 93, 833, 833, 98,85% Category Note This structure is possible up to category 4 at the most. The monitoring of sensors S3 and S4 must be temporally and logically programmed. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9. 7

. Protective door function with guard lock (Category 4, PL e) The protective door has two contacts, S door closed and S door closed and locked, which are wired to safe inputs of an EL904.

74 . Protective door function with guard lock (Category 4, PL e) The protective door has two contacts, S door closed and S door closed and locked, which are wired to safe inputs of an EL904. The testing of the inputs is active. Checking of the signals for discrepancy cannot take place, because there is no temporal relationship between the signals. The feedback loop and the restart signal are read in via a safe input. The testing of the inputs is active here also. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. The guard lock is switched via safe inputs in which testing is active. Testing and current measurement is active on the safe output for the guard lock. OPEN S K K Restart CLOSED S Logical connection in the EL6900 K Lock K Unlock.. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic 7 Application Guide TwinSAFE - version.9.

75 EL904 (applies to all EL904 used) Parameter Current measurement active Output test pulses active.. Block formation and safety loops... Safety function S Lock EL904 EL6900 S EL904 Guard-Lock UnLock K EL904 EL904 Restart K..3 Calculation..3. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL6900 PFH.E-09.5E-09.03E-09 S B0d,000,000 S B0d,000,000 Restart - B0d 0,000,000 Lock B0d 00,000 Unlock B0d 00,000 K B0d,300,000 K B0d,300,000 Guard lock B0d,000,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 5 (4x per hour) 0 years 7500 hours Application Guide TwinSAFE - version.9. 73

76 ..3. Diagnostic Coverage DC Component S with testing S with testing and expectation Lock/unlock with testing/plausibility Restart K/K with testing and EDM Guard Lock DCavg90% DCavg99% DCavg99% DCavg99% DCavg99% DCavg99%..3.3 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op MTTF d ,7y 9074h 0, 470 S: n op MTTF d ,7y 9074h 0, 470 Lock/Unlock: n op MTTF d ,9y 59508h 0, 470 K/K: n op MTTF d ,y h 0,,90 74 Application Guide TwinSAFE - version.9.

77 Restart: n op MTTF d ,5y h 0, 470 Guard lock: n op MTTF d ,7y 9073h 0, 470 and the assumption that S, S, S3, S4, K, K and the guard lock are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH S: PFH Lock/Unlock: DC MTTF d 0,90 8,40E , ,99 8,40E 0 358, PFH 0,99,68E 08 67, Restart: PFH 0,90,68E , K/K: PFH 0,99,9E , 8760 Guard lock: PFH 0,99 8,40E 0 358, Application Guide TwinSAFE - version.9. 75

78 The following assumptions must now be made: The door switches S/S must both be actuated. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. The guard lock is mechanically connected to the switch S in such a way that a separation of the coupling is impossible. The restart is monitored, so that a signal change is only valid once the door is closed. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S\Lock\Unlock\EL904\Zuhaltung) + PFH (S) + ( β) (PFH (S\Lock\Unlock\EL904\Zuhaltung) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (EL904) + PFH (Restart) Since the portions ( β) (PFH (x) PFH (y) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: PFH (S\Lock\Unlock\EL904\Zuhaltung) PFH (S) + β PFH (Lock) + PFH (Unlock) + PFH (EL904) + PFH (Zuhaltung),68E 08,68E 08 8,4E 0 0%,5E ,4E 0 4, 6E 09 4,6E ,4E 09 PFH ges 0%,E 09,03E 09,5E 09 0%,9E 09,9E 09,E 09,68E 09 6, 96E Application Guide TwinSAFE - version.9.

79 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S Lock Unlock EL904 Guardlock) MTTF d (EL904) MTTF d (EL6900) + MTTF d (EL904) MTTF d (K) MTTF d (EL904) MTTF d (Restart) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (Lock) B0 d(lock) 0, n op MTTF d (Unlock) B0 d(unlock) 0, n op MTTF d (Guard lock) B0 d(guard lock) 0, n op MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y Application Guide TwinSAFE - version ,0,E 05 y 93,y

80 MTTF d (S Lock Unlock EL904 Guard lock) MTTF d (S) MTTF d (Lock) MTTF d (EL904) MTTF d (Guard lock) 57,8y 358,7y 67,9y 93,y 358,7y MTTF Dges 44,4y 57,8y 08,8y 08,6y 93,y 883,y 08,8y 6793,5y DC avg 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% + 90% 57,8 358,7 67,9 67,9 93, 358,7 08,8 08,6 93, 883, 883, 08,8 57,8 358,7 67,9 67,9 93, 358,7 08,8 08,6 93, 883, 883, 08,8 98,98% 6793,5 6793,5 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 78 Application Guide TwinSAFE - version.9.

. Two-hand controller (Category 4, PL e) The two-hand buttons each consist of a combination of normally closed and normally open contacts on safe inputs of an EL904.

The feedback loop is read in via a safe input. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit.

81 . Two-hand controller (Category 4, PL e) The two-hand buttons each consist of a combination of normally closed and normally open contacts on safe inputs of an EL904. The testing of the inputs is active and the signals are tested for discrepancy (00 ms). In addition, the synchronous actuation of the two buttons is activated with a monitoring time of 500 ms. The feedback loop is read in via a safe input. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. S K K S K Logical connection in the EL6900 K.. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 79

82 .. Block formation and safety loops... Safety function S K EL904 EL6900 EL904 EL904 S K..3 Calculation..3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d 0,000,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) (x per minute) Lifetime (T) 0 years 7500 hours..3. Diagnostic Coverage DC Component S/S with testing/plausibility K/K with testing and EDM DCavg99% DCavg99%..3.3 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op 80 Application Guide TwinSAFE - version.9.

83 Inserting the values, this produces: S/S: n op MTTF d ,8y h 0, 0800 K/K: n op MTTF d ,9y 55760h 0, 0800 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d DC MTTF d S/S: PFH 0,99,6E ,8y 8760 K/K: PFH 0,99 58,9 8760,93E 8 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). Application Guide TwinSAFE - version.9. 8

84 This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) + ( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (EL904) Since the portions ( β) (PFH (S) PFH (S) ) T and ( β) (PFH (K) PFH (K) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to:,6e 09,6E 09 PFH ges 0%,E 09,03E 09,5E 09 0%,93E 08,93E 08,E 09 6,56E 09 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (EL904) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y 8 Application Guide TwinSAFE - version.9.

85 MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 905,8y 08,8y 08,6y 93,y 58,9y 08,8y 45,4y DC avg 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% 905,8 905,8 08,8 08,6 93, 58,9 58,9 08,8 905,8 905,8 08,8 08,6 93, 58,9 58,9 08,8 99,0% Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9. 83

86 .3 Laser scanner (Category 3, PL d) The laser scanner has two OSSD outputs (Output Signal Switching Device), which are wired to safe inputs of a EL904. The testing of the inputs is not active, since the OSSD outputs carry out their own test. Furthermore, the signals are checked for discrepancy (00 ms). The feedback loop is read in via a safe input. Testing is active for this input. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. K K OSSD OSSD K K Logical connection in the EL Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 No No OSSD any pulse repetition Single Logic EL904 Parameter Current measurement active Output test pulses active 84 Application Guide TwinSAFE - version.9.

87 .3. Block formation and safety loops.3.. Safety function K Scanner EL904 EL6900 EL904 K.3.3 Calculation.3.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 Laser scanner PFHd 7.67E-08 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 0 (6x per hour) Lifetime (T) 0 years 7500 hours.3.3. Diagnostic Coverage DC Component OSSD/ with testing (by scanner) / plausibility K/K with testing and EDM DCavg90% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Application Guide TwinSAFE - version.9. 85

88 Inserting the values, this produces: K/K: n op MTTF d ,7y 5570h 0, 080 and the assumption that K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d DC MTTF d K/K: PFH 0,99 588,7 8760,94E 9 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (Scanner) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to: PFH ges 7,67E 08,E 09,03E 09,5E 09 0%,94E 09,94E 09 8,03E Application Guide TwinSAFE - version.9.

89 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (Scanner) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) with: MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08.8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF d (Scanner) ( DC(Scanner)) PFH(Scanner) ( 0,90) 7,67E 08 h 8760h y 0, 6,7E 04 y 48,8y MTTF Dges 87,8y 48,8y 08,8y 08,6y 93,y 588,7y DC avg 90% + 99% + 99% + 99% + 99% + 99% 48,8 08,8 08,6 93, 588,7 588,7 48,8 08,8 08,6 93, 588,7 588,7 94,38% Application Guide TwinSAFE - version.9. 87

90 Category Note This structure is possible up to category 3 at the most through the use of the type 3 (category 3) laser scanner. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 88 Application Guide TwinSAFE - version.9.

91 .4 Light grid (Category 4, PL e) The light grid has two OSSD outputs (Output-Signal-Switching-Device), which are wired to safe inputs of an EL904. The testing of the inputs is not active, since the OSSD outputs carry out their own test. Furthermore, the signals are checked for discrepancy (00 ms). The feedback loop is read in via a safe input. Testing is active for this input. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. K K OSSD OSSD K K Logical connection in the EL Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 No No Asynchronous evaluation OSSD Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 89

92 .4. Block formation and safety loops.4.. Safety function Lightgrid EL904 EL6900 EL904 K K.4.3 Calculation.4.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 Light grid PFHd.50E-08 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 5 (x per hour) Lifetime (T) 0 years 7500 hours.4.3. Diagnostic Coverage DC Component OSSD/ with testing (by light grid) / plausibility K/K with testing and EDM DCavg99% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op 90 Application Guide TwinSAFE - version.9.

93 Inserting the values, this produces: K/K: n op MTTF d ,4y h 0, 4460 and the assumption that K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d DC MTTF d K/K: PFH 0,99 94, ,88E 9 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (Licht grid) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to: PFH ges,50e 08,E 09,03E 09,5E 09 0% 3,88E ,88E 09, 88E 08 Application Guide TwinSAFE - version.9. 9

94 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (Light grid) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) with: MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08.8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF d (Light grid) ( DC(Light grid)) PFH(Light grid) ( 0,99),50E 08 h 8760h y 0,0,3E 04 y 76,y MTTF Dges 5,3y 76,y 08,8y 08,6y 93,y 94,4y DC avg 99% + 99% + 99% + 99% + 99% + 99% 76, 08,8 08,6 93, 588,7 94,4 76, 08,8 08,6 93, 588,7 94,4 99,0% 9 Application Guide TwinSAFE - version.9.

95 Category Note This structure is possible up to category 4 at the most through the use of the type 4 (category 4) light grid. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9. 93

96 .5 Safety switching mat / safety bumper (Category 4, PL e) Safety switching mats or safety bumpers work according to the cross-circuit principle. The contact surfaces of the device are wired to safe inputs of an EL904. The testing of the inputs is active and the signals are tested for discrepancy (00 ms). As soon as a cross-circuit between the signals is detected (safety mat is stepped on), a logical 0 is signaled by the EL904 input terminal. If the cross-circuit is no longer present, a logical is signaled. The feedback loop is read in via a safe input. The testing of the input is active here also. The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. K K K K Logical connection in the EL Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Cross-circuit is not a module error Single Logic EL904 Parameter Current measurement active Output test pulses active 94 Application Guide TwinSAFE - version.9.

97 .5. Block formation and safety loops.5.. Safety function Safety mat EL904 EL6900 EL904 K K.5.3 Calculation.5.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 Switching mat B0d 6.00E06 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) (x per minute) Lifetime (T) 0 years 7500 hours.5.3. Diagnostic Coverage DC Component Switching outputs (mat) with testing/plausibility K/K with testing and EDM DCavg99% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Application Guide TwinSAFE - version.9. 95

98 Inserting the values, this produces: K/K: n op MTTF d ,9y 5576h 0, 0800 Switching mat: n op MTTF d 6,00E06 7,7y h 0, 0800 and the assumption that K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d DC MTTF d K/K: PFH 0,99,94E 08 58, Switching mat: PFH 0,99 4,0E 09 7, The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (switching mat) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T 96 Application Guide TwinSAFE - version.9.

99 Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to:,94e 08,94E 08 PFH ges 4,0E 09,E 09,03E 09,5E 09 0% 9, 53E 09 The MTTFd value for block (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (Switching mat) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) + MTTF d (K) with: MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08.8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 4,3y 7,7y 08,8y 08,6y 93,y 58,9y DC avg 99% + 99% + 99% + 99% + 99% + 99% 7,7 08,8 08,6 93, 58,9 58,9 7,7 08,8 08,6 93, 58,9 58,9 99,0% Application Guide TwinSAFE - version.9. 97

100 Category Note Category 4 is attainable due to the structure of the circuit. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 98 Application Guide TwinSAFE - version.9.

101 .6 Muting (Category 4, PL e) The light grid has two OSSD outputs (Output-Signal-Switching-Device), which are wired to safe inputs of an EL904. The testing of the inputs is not active, since the OSSD outputs carry out their own test. Furthermore, the signals are checked for discrepancy (00 ms). The feedback loop is read in via a safe input. The muting switches and the enable switch are also wired to safe inputs. Testing is active for these inputs. The contactors K and K are connected in parallel to a safe output. The muting lamp is also wired to a safe output. Current measurement and testing of the output are active for this circuit. OSSD OSSD K K K S K MS MS Logical connection in the EL6900 MS3 MS4.6. Parameters of the safe input and output terminals EL904 (upper terminal on the drawing) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 No No Asynchronous evaluation OSSD Single Logic EL904 (lower terminal on the drawing) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic Application Guide TwinSAFE - version.9. 99

102 EL904 Parameter Current measurement active Output test pulses active.6. Block formation and safety loops.6.. Safety function Light curtain EL904 EL6900 EL904 K K MS MS MS EL904 S MS.6.3 Calculation.6.3. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL6900 PFH.E-09.5E-09.03E-09 S B0d 00,000 Light curtain PFHd.50E-08 MS B0d 00,000 MS B0d 00,000 MS3 B0d 00,000 MS4 B0d 00,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (TZyklus) Lifetime (T) 60 (x per hour) 0 years 7500 hours 00 Application Guide TwinSAFE - version.9.

103 .6.3. Diagnostic Coverage DC Component OSSD/ with testing (by light curtain) / plausibility MS//3/4 with testing/plausibility K/K with testing and EDM S with testing DCavg99% DCavg90% DCavg99% DCavg90% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op MTTF d ,5y h 0, 840 K/K: n op MTTF d , y 6895h 0, 840 MS/MS/MS3/S4: n op MTTF d ,5y h 0, 840 and the assumption that S, K and K are each single-channel: MTTF d λ d Application Guide TwinSAFE - version.9. 0

104 produces for PFH 0, n op ( DC) B0 d S: DC MTTF d PFH 0,90 543,5 8760,0E 8 K/K: PFH 0,99,6E , 8760 MS/MS/MS3/S4: PFH 0,90 543,5 8760,0E 8 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (Lichtvorhang) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + β PFH (MS) + PFH (MS) + ( β) (PFH (MS) PFH (MS) ) T + β PFH (MS3) + PFH (MS4) + ( β) (PFH (MS3) PFH (MS4) ) T + PFH (EL904) + PFH (S) Since the portions ( β) (PFH (x) PFH (y) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to:,6e 0,6E 0 PFH ges,50e 08,E 09,03E 09,5E 09 0% 0%,0E 08 +,0E 08,0E 08 +,0E 08 0%,E 09 +,0E 08 4, 47E 08 0 Application Guide TwinSAFE - version.9.

105 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (Light curtain) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) + MTTF d (K) MTTF d (MS) MTTF d (MS3) MTTF d (EL904) MTTF d (S) with: MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08.8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF d (Light Curtain) ( DC(Light Curtain)) PFH(Light Curtain) ( 0,99),50E 08 h 8760h y 0,0,3E 04 y 76,y MTTF d (MS/MS3) ( DC(MS/MS3)) PFH(MS/MS3) ( 0,90),0E 8 h 8760h y 0,,84E 04 y 543,6y MTTF Dges 76,y 08,8y 08,6y 93,y 7065,y 543,6y 543,6y 08,8y 543,5y 44,0y DC avg 99% + 99% + 99% + 99% + 99% + 99% + 90% + 90% + 90% + 90% + 99% + 99% 76, 08,8 08,6 93, 7065, 7065, 543,6 543,6 543,6 543,6 08,8 76, 08,8 08,6 93, 7065, 7065, 543,6 543,6 543,6 543,6 08,8 Application Guide TwinSAFE - version ,5 543,5 96,5%

106 Category Note This structure is possible up to category 4 at the most through the use of the type 4 (category 4) light curtain. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 04 Application Guide TwinSAFE - version.9.

107 .7 All-pole disconnection of a potential group with downstream non-reactive standard terminals (Category 4, PL e) The protective door uses a combination of normally closed and normally open contacts on the safe inputs of an EL904. The testing of the inputs is active and the signals are tested for discrepancy (00 ms). The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. The diagnostic information from the KL/EL90 (4 V is present on the power contacts) is negated, ANDed with the feedback signals from contactors K, K, K3 and K4 and applied to the EDM input. The supply to the power contacts (4V and also 0 V) of the potential group is switched off with the NO contacts of contactors K and K. The 0 V potentials of the load employed (in this case: K3 and K4) is always fed back to the potential group. Safety consideration Note The EL/KL90 and EL/KLxxx terminals used are not an active part of the safety controller. Accordingly, the safety level attained is defined only through the higher-level safety controller. The standard terminals are not incorporated in the calculation. The external wiring of the standard terminals can lead to limitations in the maximum attainable safety levels. Power supply unit requirements Note The standard terminals must be supplied with 4 V by an SELV/PELV power supply unit with an output voltage limit Umax of 60 V in the event of a fault. Prevention of feedback Attention Feedback can be prevented by various measures (see further information below): No switching of loads with a separate power supply Ground feedback and all-pole disconnection (used in this example) or Cable short-circuit fault exclusion (separate sheathed cable, wiring only inside control cabinet, dedicated earth connection per conductor) Non-reactive standard bus terminals Note You can find a list of non-reactive bus terminals in the Beckhoff Information System under Application Guide TwinSAFE - version.9. 05

Maximum attainable safety level Attention Avoid feedback through ground feedback and all-pole disconnection: DIN EN ISO 3849-: max. cat. 4 PL e IEC 6508: max. SIL3 EN 606: max.

108 Maximum attainable safety level Attention Avoid feedback through ground feedback and all-pole disconnection: DIN EN ISO 3849-: max. cat. 4 PL e IEC 6508: max. SIL3 EN 606: max. SIL3 Open S K K Close S Logical connection in EL6900 K K K3 K4 4V 0V K I/O RUN K I/O ERR BECKHOFF BK9000 KLxx BECKHOFF KLxx BECKHOFF KL9xxx BECKHOFF KLxx BECKHOFF KLxx BECKHOFF KL900 BECKHOFF K3 K4 Time delay CAUTION By switching off the voltage supply of the potential group, the shutdown of the downstream contactors and actuators may be delayed. This delay depends on the downstream actuators, loads and cables and has to be considered by the user in the safety analysis. 06 Application Guide TwinSAFE - version.9.

109 .7. Notes on prevention of feedback.7.. No switching of loads with a separate power supply Loads that have their own power supply must not be switched by standard terminals, since in this case feedback via the load cannot be ruled out. external power supply safe disconnection (-channel, all poles) 5 5 load 30V ~ 4V 6 6 4V 0V SELV/PELV power supply potential supply terminal standard terminal Exceptions to the general requirement are allowed only if the manufacturer of the connected load guarantees that feedback to the control input cannot occur..7.. Option : Ground feedback and all-pole disconnection (used in this example) The ground connection of the connected load must be fed back to the safely switched ground of the respective output terminal or potential group. (In this case: K correct wiring, K incorrect wiring) safe disconnection (-channel, all poles) V ~ 4V 4V 0V K K SELV/PELV power supply potential supply terminal standard terminal Application Guide TwinSAFE - version.9. 07

110 .7..3 Option : Cable short-circuit fault exclusion If option from chapter.7.. is not feasible, the ground feedback and all-pole disconnection can be dispensed if the danger of feedback due to a cable short-circuit can be excluded by other measures. The following measures can be implemented as an alternative. safe disconnection (-channel, one pole) 5 5 protected cable routing 30V ~ 4V 6 6 4V 0V K K SELV/PELV power supply potential supply terminal standard terminal Alternative: Load connection via separate sheathed cables The non-safely switched potential of the standard terminal may not be conducted together with other potential-conducting cores inside the same sheathed cable. Alternative: Wiring only inside the control cabinet All loads connected to the non-safe standard terminals must be located in the same control cabinet as the terminals. The cables are routed entirely inside the control cabinet. Alternative3: Dedicated earth connection per conductor All conductors connected to the non-safe standard terminals are protected by a separate ground connection. 08 Application Guide TwinSAFE - version.9.

111 .7. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 09

112 .7.3 Block formation and safety loops.7.3. Safety function S EL904 EL6900 EL904 K EL/KLxxx... K3 S K Not taken into account, because non-reactive K4.7.4 Calculation.7.4. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d,000,000 S B0d,000,000 K B0d,300,000 K B0d,300,000 K3 B0d,300,000 K4 B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (Tcycle) 5 (4x per hour) Lifetime (T) 0 years 7500 hours.7.4. Diagnostic Coverage DC Component S/S with testing/plausibility K/K with testing and EDM K3/K4 with EDM DCavg99% DCavg99% DCavg90% 0 Application Guide TwinSAFE - version.9.

113 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op MTTF d ,7y 90h 0, 7360 S: n op MTTF d ,4y h 0, 7360 K/K/K3/K4: n op MTTF d ,3y h 0, 7360 and the assumption that S, S, K, K, K3 and K4 are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d DC MTTF d S: PFH 0,99 8,40E 0 358, Application Guide TwinSAFE - version.9.

114 S: PFH 0,99 4,0E 0 77, K/K: PFH 0,99 6,46E 0 766, K3/K4: PFH 0,90 766, ,46E 9 The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! The contactors K, K, K3 und K4 are all connected to the safety function. The non-functioning of a contactor does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K, K, K3 and K4 are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through contactor contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) + ( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + β PFH (K3) + PFH (K4) + ( β) (PFH (K3) PFH (K4) ) T Since the portions ( β) (PFH (x) PFH (y) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: 8,40E 0 + 4,0E 0 PFH ges 0%,E 9,03E 9,5E 9 6,46E 0 + 6,46E 0 6,46E 9 + 6,46E 9 0% 0% 4, 6E 9 Application Guide TwinSAFE - version.9.

115 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (K3) If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF dges 06,7y 358,7y 08,8y 08,6y 93,y 766,3y 766,3y DC avgs DC + DC + DC + DC + DC MTTF d (S) MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) DC + + DC + DC + DC MTTF d (K) MTTF d (K) MTTF d (K3) MTTF d (K4) MTTF d (S) MTTF d (S) MTTF d (EL904) MTTF d (EL6900) + MTTF d (EL904) MTTF d (K) MTTF d (K) MTTF d (K3) MTTF d (K4) DC avgs 0,99 + 0,99 + 0,99 + 0,99 + 0,99 358,7 77,4 08,8 08,6 93, + 0,99 + 0,99 + 0,90 + 0,90 766,3 766,3 766,3 766,3 358,7 77,4 08,8 08,6 93, 766,3 766,3 766,3 766,3 0, ,39% Application Guide TwinSAFE - version.9. 3

116 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < to < to < Application Guide TwinSAFE - version.9.

117 .8 Single-pole disconnection of a potential group with downstream non-reactive standard terminals with fault exclusion (Category 4, PL e) The protective door uses a combination of normally closed and normally open contacts on the safe inputs of an EL904. The testing of the inputs is active and the signals are tested for discrepancy (here 00 ms). The contactors K and K are connected in parallel to the safe output. Current measurement and testing of the output are active for this circuit. The feedback signals from contactors K, K, K3 and K4 and applied to the EDM input. Only the 4 V supply to the power contacts of the potential group is switched off with the NO contacts of contactors K and K. The 0 V connection of the power contacts is fed directly back to the 0 V of the power supply. The 0 V potentials of all loads and devices used must be at the same potential. Safety consideration Note The EL/KL9xxx and EL/KLxxx terminals used are not an active part of the safety controller. Accordingly, the safety level attained is defined only through the higher-level safety controller. The standard terminals are not incorporated in the calculation. The external wiring of the standard terminals can lead to limitations in the maximum attainable safety levels. Power supply unit requirements Note The standard terminals must be supplied with 4V by an SELV/PELV power supply unit with an output voltage limit Umax of 60 V in the event of a fault. Prevention of feedback Attention Feedback can be prevented by various measures (see further information below): No switching of loads with a separate power supply Ground feedback and all-pole disconnection or Cable short-circuit fault exclusion (separate sheathed cable, wiring only inside control cabinet, dedicated earth connection per conductor) (used in this example) Non-reactive standard bus terminals Note You can find a list of non-reactive bus terminals in the Beckhoff Information System under Application Guide TwinSAFE - version.9. 5

118 Maximum attainable safety level Attention Avoiding feedback through short-circuit fault elimination: DIN EN ISO 3849-: max. cat. 4 PL e IEC 6508: max. SIL3 EN 606: max. SIL Open S K K Close S Logical connection inside the EL6900 K K K3 K4 4V 0V K I/O RUN K I/O ERR BECKHOFF BK9000 KLxx BECKHOFF KLxx BECKHOFF KL9xxx BECKHOFF KLxx BECKHOFF KLxx BECKHOFF KL900 BECKHOFF protected cable routing K3 K4 Fault exclusion Attention Due to the fault exclusion "cable short circuit" in the wiring from the non-reactive standard output terminals EL/KLxxx to the load (here K3, K4), a power supply terminal with diagnostic function is not required anymore. Thus potential supply terminals of type EL/KL9xxx can be used. The 0 V potentials of the load (here K3, K4) must be identical to the 0 V potential of the voltage supply of the potential group. Time delay CAUTION By switching off the voltage supply of the potential group, the shutdown of the downstream contactors and actuators may be delayed. This delay depends on the downstream actuators, loads and cables and has to be considered by the user in the safety analysis. 6 Application Guide TwinSAFE - version.9.

119 .8. Notes on prevention of feedback.8.. No switching of loads with a separate power supply Loads that have their own power supply must not be switched by standard terminals, since in this case feedback via the load cannot be ruled out. external power supply safe disconnection (-channel, all poles) 5 5 load 30V ~ 4V 6 6 4V 0V SELV/PELV power supply potential supply terminal standard terminal Exceptions to the general requirement are allowed only if the manufacturer of the connected load guarantees that feedback to the control input cannot occur..8.. Option : Ground feedback and all-pole disconnection The ground connection of the connected load must be fed back to the safely switched ground of the respective output terminal or potential group. (In this case: K correct wiring, K incorrect wiring) safe disconnection (-channel, all poles) V ~ 4V 4V 0V K K SELV/PELV power supply potential supply terminal standard terminal Application Guide TwinSAFE - version.9. 7

120 .8..3 Option : Cable short-circuit error exclusion (used here in the example) If option from chapter.8.. is not feasible, the ground feedback and all-pole disconnection can be dispensed with if the danger of feedback due to a cable short-circuit can be excluded by other measures. The following measures can be implemented as an alternative. safe disconnection (-channel, one pole) 5 5 protected cable routing 30V ~ 4V 6 6 4V 0V K K SELV/PELV power supply potential supply terminal standard terminal Alternative : Load connection via separate sheathed cables The non-safely switched potential of the standard terminal may not be conducted together with other potential-conducting cores inside the same sheathed cable. Alternative : Wiring only inside the control cabinet All loads connected to the non-safe standard terminals must be located in the same control cabinet as the terminals. The cables are routed entirely inside the control cabinet. Alternative 3: Dedicated earth connection per conductor All conductors connected to the non-safe standard terminals are protected by a separate ground connection. Alternative 4: Cable permanently (fixed) installed and protected against external damage. All conductors connected to the non-safe standard terminals are permanently fixed and, e.g. protected against external damage by a cable duct or armored pipe. Fault exclusion CAUTION The machine manufacturer or the user is solely responsible for the correct execution and evaluation of the applied alternatives. 8 Application Guide TwinSAFE - version.9.

121 .8. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active Application Guide TwinSAFE - version.9. 9

122 .8.3 Block formation and safety loops.8.3. Safety function S EL904 EL6900 EL904 K EL/KLxxx... K3 S K Not taken into account, because non-reactive K4.8.4 Calculation.8.4. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 S B0d,000,000 S B0d,000,000 K B0d,300,000 K B0d,300,000 K3 B0d,300,000 K4 B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (TZyklus) 5 (4x per hour) Lifetime (T) 0 years 7500 hours.8.4. Diagnostic Coverage DC Component S/S with testing/plausibility K/K with testing and EDM K3/K4 with EDM DCavg99% DCavg99% DCavg90% 0 Application Guide TwinSAFE - version.9.

123 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op MTTF d ,7y 90h 0, 7360 S: n op MTTF d ,4y h 0, 7360 K/K/K3/K4: n op MTTF d ,3y h 0, 7360 and the assumption that S, S, K, K, K3 and K4 are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d DC MTTF d S: PFH 0,99 8,40E 0 358, Application Guide TwinSAFE - version.9.

124 S: PFH 0,99 4,0E 0 77, K/K: PFH 0,99 6,46E 0 766, K3/K4: PFH 0,90 766, ,46E 9 The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! The contactors K, K, K3 und K4 are all connected to the safety function. The non-functioning of a contactor does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K, K, K3 and K4 are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through contactor contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) + ( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + β PFH (K3) + PFH (K4) + ( β) (PFH (K3) PFH (K4) ) T Since the portions ( β) (PFH (x) PFH (y) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: 8,40E 0 + 4,0E 0 PFH ges 0%,E 9,03E 9,5E 9 6,46E 0 + 6,46E 0 6,46E 9 + 6,46E 9 0% 0% 4, 6E 9 Application Guide TwinSAFE - version.9.

125 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) + MTTF d (K3) If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF dges 358,7y 08,8y 08,6y 93,y 766,3y 766,3y 06,7y DC avgs DC + DC + DC + DC + DC MTTF d (S) MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) DC + + DC + DC + DC MTTF d (K) MTTF d (K) MTTF d (K3) MTTF d (K4) MTTF d (S) MTTF d (S) MTTF d (EL904) MTTF d (EL6900) + MTTF d (EL904) MTTF d (K) MTTF d (K) MTTF d (K3) MTTF d (K4) DC avgs 0,99 + 0,99 + 0,99 + 0,99 + 0,99 358,7 77,4 08,8 08,6 93, + 0,99 + 0,99 + 0,90 + 0,90 766,3 766,3 766,3 766,3 358,7 77,4 08,8 08,6 93, 766,3 766,3 766,3 766,3 0, ,39% Application Guide TwinSAFE - version.9. 3

126 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < 0-7 (*) 0-7 to < to < 0-5 ( *) In accordance with EN606 chapter , SILCL in restricted to a maximum of SIL in relation to structural constraints for a subsystem that has an HFT of 0 and for which fault exclusions have been applied to faults that could lead to a dangerous failure. 4 Application Guide TwinSAFE - version.9.

127 .9 Networked system (Category 4, PL e) plants are connected via Ethernet here. The path can also be implemented by a Wireless Ethernet connection. Each station switches the outputs K / K on only if the second machine does not signal an emergency stop. The signals from the emergency stop button, the restart and the feedback loop are wired to safe inputs. The output of the ESTOP block is linked to an AND function block and additionally signaled to the respective other machine via the network. The ESTOP output of the respective other machine is linked to the AND function block and the output of the AND gate then switches the contactors on the safe output terminal. Testing and checking for discrepancy are activated for the input signals. The testing of the outputs is also active. Machine Machine RT Ethernet or Wireless Ethernet Restart S Emergency stop button S K K Restart S Emergency stop button S K K Logical link Logical link K K K K Start / restart Note If the result of the risk and hazard analysis shows that a contactor check is necessary when switching the contactors of the respective remote controller, this is to be done using an EDM function block. Application Guide TwinSAFE - version.9. 5

128 Contactor monitoring Note If the result of the risk and hazard analysis shows that a contactor check is necessary when switching the contactors of the respective remote controller, this is to be done using an EDM function block..9. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active.9. Block formation and safety loops.9.. Safety function K S S EL904 EL6900 EL904 Safety over EtherCAT K S EL904 EL Application Guide TwinSAFE - version.9.

129 .9.3 Calculation.9.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 Safety over EtherCAT (FSoE).00E-09 S B0d,000,000 S B0d,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (TZyklus) 5 (4x per hour) Lifetime (T) 0 years 7500 hours.9.3. Diagnostic Coverage DC Component S with testing/plausibility S with plausibility K/K with testing and EDM (actuation x per shift) DCavg99% DCavg90% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op MTTF d ,7y 90h 0, 7360 Application Guide TwinSAFE - version.9. 7

130 S: n op MTTF d ,4y h 0, 7360 K/K: n op MTTF d ,3y h 0, 7360 and the assumption that S, S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH S: PFH DC MTTF d 0,99 8,40E 0 358, ,90 4,0E 09 77, K/K: actuation x per shift and direct feedback PFH 0,99 6,46E 0 766, The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). 8 Application Guide TwinSAFE - version.9.

131 This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T + PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + PFH (FSoE) + PFH (S) + PFH (EL904) + PFH (EL6900) Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to: 6,46E 0 + 6,46E 0 PFH ges 8,40E 0 0% + 4,0E 09,E 09,03E 09,5E 09,00E 9 + 8,40E 0,E 09,03E 09, 5E 08 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (K) MTTF d (S) MTTF d (EL904) MTTF d (EL6900) + MTTF d (EL904) MTTF d (FSoE) MTTF d (S) MTTF d (EL904) MTTF d (EL6900) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op MTTF d (K) B0 d(k) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) Hence: MTTF d (EL904) ( DC(ELxxx)) PFH(ELxxx) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y Application Guide TwinSAFE - version.9. 9

132 MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF d (FSoE) ( DC(FSoE)) PFH(FSoE) ( 0,99),00E 09 h 8760h y 0,0 8,76E 06 y 4,6y MTTF Dges 358,7y 766,3y 77,4y 08,8y 08,6y 93,y 358,7y 4,6y 08,8y 08,6y 3,y DC avg 99% + 99% + 99% + 90% + 99% + 99% + 99% + 99% + 99% + 99% + 99% 358,7 766,3 766,3 77,4 08,8 08,6 93, 358,7 4,6 08,8 08,6 358,7 766,3 766,3 77,4 08,8 08,6 93, 358,7 4,6 08,8 08,6 98,99% Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 30 Application Guide TwinSAFE - version.9.

.0 Drive option AX580 with SS stop function (Category 4, PL e) By activating the emergency stop button inputs EStopIn and EStopIn of FB ESTOP are switched to state 0, resulting in outputs EStopOut

133 .0 Drive option AX580 with SS stop function (Category 4, PL e) By activating the emergency stop button inputs EStopIn and EStopIn of FB ESTOP are switched to state 0, resulting in outputs EStopOut and EStopDelOut of FB ESTOP being switched to state 0. As a result, a quick stop command is issued to the PLC and therefore the AX5000 via EtherCAT. The output EStopDelOut of the ESTOP FB ensures that, after the expiry of a specified delay time (in this case e.g. 000 ms), the 4 V supply of the safety option AX580 is interrupted and the internal relays of the AX580 are thus de-energized. The two channels (motors) are switched torque-free via the internal switch-off paths of the AX5000. Testing and checking for discrepancy are activated for the input signals. The testing of the outputs is also active. The relays of the 4 AX580 option cards are wired in parallel to a safe output of the EL904. The feedback loops are wired in series to a safe input. The restart signal is wired to a non-safe input. Restart S Logical connection PLC / NC Emergency stop button S Feedback loop EDM AX580 AX580 AX580 AX580 AX5000 AX5000 AX5000 AX5000 Application Guide TwinSAFE - version.9. 3

134 .0. Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active.0. Block formation and safety loops.0.. Safety function EL904 AX580 EL904 AX580 EL904 AX580 EL904 AX580 S EL904 EL6900 EL904 EL904 AX580 EL904 AX580 EL904 AX580 EL904 AX Calculation.0.3. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL6900 PFH.E-09.5E-09.03E-09 AX580 B0d 780,000 S B0d 00,000 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (TZyklus) Lifetime (T) 60 (x per hour) 0 years 7500 hours 3 Application Guide TwinSAFE - version.9.

135 .0.3. Diagnostic Coverage DC Component S with testing/plausibility AX580 DCavg99% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op MTTF d ,5y h 0, 840 AX580: n op MTTF d ,y h 0, 840 T 0D B0 D n op y y and the assumption that S is single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: DC MTTF d PFH 0,99 543,5 8760,0E 9 Application Guide TwinSAFE - version.9. 33

136 AX580: PFH 0,99,70E 0 439, 8760 The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β 4 PFH (AX580) + 4 PFH (AX580) + 4 ( β) (PFH (AX580) PFH (AX580) ) T Since the portions ( β) (PFH (x) PFH (y) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: 4,70E 0 + 4,70E 0 PFH ges,0e 09,E 09,03E 09,5E 09 0% 5, 60E 09 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (AX580) + MTTF d (AX580) MTTF d (AX580) MTTF d (AX580) with: MTTF d (S) B0 d(s) 0, n op MTTF d (AX580) B0 d(ax580) 0, n op 34 Application Guide TwinSAFE - version.9.

137 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 73,8y 543,5y 08,8y 08,6y 93,y 439,y 439,y 439,y 439,y DC avg 99% 543,5 + 99% 08,8 + 99% 08,6 + 99% 93, + 99% 439, + 99% 439, + 99% 439, + 99% 439, + 99% 439, + 99% 439, + 99% 439, + 99% 439, 543,5 08,8 08,6 93, 439, 439, 439, 439, 439, 439, 439, 439, 99,0% Application Guide TwinSAFE - version.9. 35

138 Category Note This structure is possible up to category 4 at the most. Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 36 Application Guide TwinSAFE - version.9.

139 . Drive option AX5805 with SS stop function (Category 4, PL e) The protective door is connected with a combination of normally closed and normally open contacts to an EL904 safe input terminal. Testing and checking for discrepancy are activated for the input signals. The output is linked on the AX5805. The feedback signals are checked via the control and status word returned by the drive option. OPEN Logical connection in the EL6900 S S CLOSED Control / status word AX5805 AX5805 AX5805 AX5805 AX5000 AX5000 AX5000 AX Parameters of the safe input and output terminals EL904 (applies to all EL904 used) Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic Application Guide TwinSAFE - version.9. 37

140 AX5805 Parameter -.. Block formation and safety loops... Safety function S EL904 EL6900 EL904 AX5805 AX5805 AX5805 AX5805 S..3 Calculation..3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL6900 PFH.03E-09 AX5805 PFH 5.5E-09 (see list of permitted motors) S B0d,000,000 S B0d,000,000 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (TZyklus) 60 (x per hour) Lifetime (T) 0 years 7500 hours..3. Diagnostic Coverage DC Component S/S with testing/plausibility DCavg99%..3.3 Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op 38 Application Guide TwinSAFE - version.9.

141 Inserting the values, this produces: S: n op MTTF d ,8y h 0, 840 S: n op MTTF d ,6y h 0, 840 and the assumption that S and S are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH S: PFH DC MTTF d 0,99,0E , ,99,05E , The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) + ( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (AX5805) + PFH (AX5805) + PFH (AX5805) + PFH (AX5805) Since the portions ( β) (PFH (x) PFH (y) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: Application Guide TwinSAFE - version.9. 39

142 PFH ges 0%,0E 0,05E 0,E 09,03E (5,5E 09), 8E 08 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (AX5805) MTTF d (AX5805) + MTTF d (AX5805) MTTF d (AX5805) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op If only PFH values are available for EL904, AX5805 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (AX5805) ( DC(AX5805)) PFH(AX5805) ( 0,99) 5,5E 09 h 8760h y 0,0 4,5E 05 y,7y 40 Application Guide TwinSAFE - version.9.

143 MTTF Dges 49,8y 5434,8y 08,8y 08,6y,7y,7y,7y,7y DC avg 99% + 99% + 99% + 99% + 99% + 99% + 99% + 99% 5434,8 0869,6 08,8 08,6,7,7,7,7 5434,8 0869,6 08,8 08,6,7,7,7,7 99,0% Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9. 4

144 . Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (single-channel) (Category, PL c) The output of an EL904 is wired directly to a safe input of an EL904; the test pulses and current measurement of the outputs and the sensor test of the inputs are thereby deactivated. Hence, cyclic checks for cross-circuit and external feed on the cable are not possible. On account of their high internal diagnostics, the EL904 and EL904 are to be evaluated as individual components with Category, SIL and PL d, since only a single-channel structure is used externally. The total performance level of output and input is to be evaluated with PL c at the most on account of chapter 6..5 DIN EN ISO 3849-: The test setup required for Category is integrated in the EL904. When switching on the output of the EL904, a check is performed to ascertain whether 4 V are actually read back. When switching off, a check is performed to ascertain whether 0 V are actually read back. If an error is detected, the EL904 enters the error state, which is also signaled to the higher level safety controller. This module error of the EL904 must be evaluated in the machine controller. To do this the parameter ModuleFault is ComError is to be switched on for the connection to the EL904, as a result of which the TwinSAFE group switches to the safe state and signals a ComError in the event of a module error. Cat., PL c EL904 EL904.. Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 No No No No Single Logic Single Logic 4 Application Guide TwinSAFE - version.9.

145 EL904 Parameter Current measurement active Output test pulses active No No.. Block formation and safety loops... Safety function EL6900 EL904 EL904 EL Calculation..3. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH.E-09.5E-09 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (TZyklus) Lifetime (T) 60 (x per hour) 0 years 7500 hours..3. Diagnostic Coverage DC Component EL904/EL904 On account of the internal diagnostics of the terminals (such as monitoring of the field voltage, temperature, etc.) and the checking of the EL904 for the correctness of the switched output each time the signal state changes DCavg60%..3.3 Calculation for safety function This produces for the calculation of the PFH value for safety function : PFH ges PFH (EL904) + PFH (EL904) to: PFH ges,e 09,5E 09, 36E 09 Application Guide TwinSAFE - version.9. 43

146 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (EL904) MTTF d (EL904) If only PFH values are available for EL904 and EL904, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,60),E 09 h 8760h y 0,4 9,7E 06 y 45 y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,60),5E 09 h 8760h y 0,4,E 05 y y MTTF Dges 45y 36364y 9305 y DC avg 60% + 60% % 44 Application Guide TwinSAFE - version.9.

147 Category Note This structure is possible up to category at the most. Attainment of the safety level Attention For the Attainment of the safety level the user must ensure that a testing of the wiring is carried out within his application and will be done 00 times more often than the safety function is called. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Cat B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9. 45

148 .3 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (dual-channel) (Category 3, PL d) Two outputs of an EL904 are wired directly to two safe inputs of an EL904; the test pulses and current measurement of the outputs and the sensor test of the inputs are thereby deactivated. On the input side, both signals are checked for discrepancy within the TwinSAFE logic. Hence, both signals are checked for their value, but no tests are active on the cable, so that possible external feeds are detected when switching the outputs..3. Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 No No No No Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active No No.3. Block formation and safety loops.3.. Safety function EL6900 EL904 EL904 EL904 EL904 EL Application Guide TwinSAFE - version.9.

149 .3.3 Calculation.3.3. PFH / MTTF d /B0 d values Component EL904 PFH.E-09 EL904 PFH.5E-09 Days of operation (dop) 30 Hours of operation / day (hop) 8 Cycle time (minutes) (TZyklus) 60 (x per hour) Lifetime (T) 0 years 7500 hours.3.3. Diagnostic Coverage DC Component EL904/EL904 DCavg90% Calculation for safety function This produces for the calculation of the PFH value for block : PFH ges PFH (EL904) + PFH (EL904) to: PFH ges,e 09,5E 09, 36E 09 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (EL904) MTTF d (EL904) If only PFH values are available for EL904 and EL904, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( DC(EL904)) PFH(EL904) ( 0,9),E 09 h 8760h y ( 0,9),5E 09 h 8760h y 0, 9,7E 06 y 0,,E 05 y 088,y 9090,9y Application Guide TwinSAFE - version.9. 47

150 MTTF Dges 088,y 9090,9y 486,3y DC avg 90% + 90% + 90% + 90% 088, 088, 9090,9 9090,9 088, 088, 9090,9 9090,9 90% Category Note This structure is possible up to category 3 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 48 Application Guide TwinSAFE - version.9.

151 .4 ESTOP function (Category 3, PL d) The emergency stop button is connected via two normally closed contacts to an EL904 safe input terminal. The testing of both signals is switched off. These signals are tested for discrepancy inside the ESTOP function block. The restart and the feedback signal from the contactors K and K are wired to standard terminals and are transferred to TwinSAFE via the standard PLC. Furthermore, the output of the ESTOP function block and the feedback signal are wired to an EDM block. This checks that the feedback signal assumes the opposing state of the ESTOP output within the set time. Contactors K and K are wired to different output channels. The A connections of the two contactors are fed back to the EL904. The current measurement of the output channels is deactivated for this circuit. The testing of the outputs is similarly inactive. K K ESTOP-Button S Restart S Logical connection in EL6900 K K Application Guide TwinSAFE - version.9. 49

152 .4. Parameters of the safe input and output terminals (SIL ) EL904 (applies to all EL904 used) Parameter Sensor test channel active - Sensor test channel active - Sensor test channel 3 active No Sensor test channel 4 active Logic channel and Logic channel 3 and 4 No Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active No No.4. Block formation and safety loops.4.. Safety function K S EL904 EL6900 EL904 K.4.3 Calculation.4.3. PFH / MTTFd /B0d values Component EL904 PFH EL904 PFH EL6900 PFH.E-09.5E-09.03E-09 S B0d 00,000 S B0d 0,000,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours 50 Application Guide TwinSAFE - version.9.

153 .4.3. Diagnostic Coverage DC Component S with plausibility K/K with EDM monitoring (actuation x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels DCavg90% DCavg90% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Inserting the values, this produces: S: n op ,90 MTTF d ,y h 0,,90 K/K: n op ,90 MTTF d ,3y h 0,,90 and the assumption that S, K and K are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d S: PFH DC MTTF d 0,90,50E , 8760 K/K: Actuation x per week and indirect feedback PFH 0,90,9E , Application Guide TwinSAFE - version.9. 5

154 The following assumptions must now be made: Safety switch S: According to BIA report /008, error exclusion to up 00,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S is included in the calculation as follows. Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges PFH (S) + PFH (EL904) + PFH (EL6900) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portion ( β) (PFH (K) PFH (K) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to:,9e,9e PFH ges,5e 0,E 09,03E 09,5E 09 0% 3, 64E 09 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n as: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) MTTF d (K) with: MTTF d (S) B0 d(s) 0, n op 4566,y MTTF d (K) B0 d(k) 0, n op ,3y 5 Application Guide TwinSAFE - version.9.

155 If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 334,y 4566,y 08,8y 08,6y 93,y ,3y DC avg 90% + 99% + 99% + 99% + 90% + 90% 4566, 08,8 08,6 93, , ,3 4566, 08,8 08,6 93, , ,3 98,9% Application Guide TwinSAFE - version.9. 53

156 Category CAUTION This structure is possible only up to category 3 at the most on account of a possible sleeping error. Since the EL904 terminal has only SIL in this application, the entire chain has only SIL! Further measures for attaining Category 3! CAUTION This structure is possible up to category 3 at the most. In order to attain category 3, all rising and falling edges must be evaluated together with the time dependence in the controller for the feedback expectation! This is achieved via the implemented EDM function block. Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 54 Application Guide TwinSAFE - version.9.

157 EL690 Circuit examples.5 Speed monitoring (Category 3, PL d) The speed of a drive is to be monitored. This drive has a safety function (in this case, for example, STO), which is activated via a corresponding input. This input is conducted through one working contact of each of two contactors. The position and speed signals are transmitted via two different communication paths to the EL690 TwinSAFE logic and processed there according to the illustrated logic. The Sin/Cos encoder is connected to an EL and the position information is transmitted by TwinSAFE SC communication over EtherCAT. The speed of the drive is transferred to the EL690 TwinSAFE logic over the standard PROFINET communication (any other fieldbus is also possible) and the standard PLC. A speed (FB Speed) is calculated from the position value within the safety-related EL690 logic. The speed of the drive is scaled via the FB so that the value matches the calculated speed. These two speed values are checked by the FB Compare for equality and monitored by the FB Limit for a maximum value. Since the two speed values (one calculated directly and the other calculated in the safety-related EL690 logic) are never 00% equal at any time, the difference between the two speed values should be within a tolerance band of 0% in order to still to meet the condition of equality. If the current speed value is below the threshold specified in the FB Limit, the STO output is set to logical and the drive can rotate. If the limit is exceeded or if the comparison fails, the output is set to logical 0 and the drive is switched to torque-free or the safety function integrated in the drive is activated. The entire calculation and scaling is performed at the SIL3/PL e safety level in the safety-related EL690 logic. Using this method, a safetyrelated result is created from two non-safety-related signals. An emergency stop function is additionally implemented by an ESTOP function block (not shown in the diagram for reasons of clarity), which prevents the restart and also takes over the control of contactors K and K. The IsValid signal of the Compare function block must be used to switch off in case of a fault. Structure 4Vdc PLC K K fieldbus e.g. PROFInet fieldbus e.g. EtherCAT STO Speed standard communication - Speed K K Drive TwinSAFE SC position value Logic see below EL Motor Encoder Sin/Cos Vss Application Guide TwinSAFE - version.9. 55

Diagram of the structure motor motor shaft Encoder sin/cos EL50-0090 black channel encoder signal PC EL690 EL904 actuator motor cable Drive standard fieldbus actual speed Logic TwinSAFE

158 Diagram of the structure motor motor shaft Encoder sin/cos EL black channel encoder signal PC EL690 EL904 actuator motor cable Drive standard fieldbus actual speed Logic TwinSAFE SC Communication Position value EStopInx STO - Drive Standard Communication - Speed Restart Estop In Estop In STO - Drive K/K Feedback K/K Application Guide TwinSAFE - version.9.

159 .5. Structure and diagnosis The input signals from the drive and the encoder are standard signals, which are dynamic and different. The drive supplies a speed value and the encoder a sin/cos signal, which is evaluated by a standard terminal, packaged in a safe telegram (FSoE with changed polynomial - TwinSAFE SC) and transmitted. This terminal (EL ) supplies a position value that is converted within the safe logic to a speed value, then scaled and compared with the speed value of the drive. Equality means in this case that the difference signal lies within the tolerance window of 0%. The encoder signal is transmitted via the standard fieldbus using the black channel principle. This value is checked for plausibility against the drive speed that is transmitted via the standard fieldbus. Errors in one of the two channels are detected by means of the comparison of the two diverse speed and position signals within the safe logic and lead to the activation of STO of the drive..5. FMEA Error assumption Expectations Checked Speed value over e.g. PROFINET itself freezes Speed value over EtherCAT and TwinSAFE SC communication freezes Speed values are copied in succession in the standard PLC Speed value via e.g. PROFINET is corrupted There is no longer any connection between the motor and the encoder Encoder supplies an incorrect position value Drive supplies incorrect speed value Communication error for standard communication: Corruption Communication error for standard communication: Unintentional repetition Communication error for standard communication: Wrong sequence Detected via the second value and the plausibility check in the EL690 (other fieldbus and TwinSAFE SC communication between EL and EL690). In addition, the standard communication watchdog should be activated for the speed 0. Detected by the watchdog within the TwinSAFE SC communication. Plausibility check: Dynamic speed values are also expected when the motor is started. A corrupt value within the TwinSAFE SC communication results in an invalid CRC inside the telegram and thus the immediate cut-off of the group and the outputs The data types of the two speed values have a different length (e.g. 4 bytes and bytes) Detected via the second value and the plausibility check in the EL690 (other fieldbus and TwinSAFE SC communication between EL and EL690). Detected within the EL690 via the plausibility check with the speed value of the drive. Plausibility check: Dynamic speed values are also expected when the motor is started. Detected within the EL690 via the plausibility check with the speed value of the drive Detected via the second value and the plausibility check in the EL690 (other fieldbus and TwinSAFE SC communication between EL and EL690). Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication. In addition, the standard communication watchdog should be activated for the speed 0. Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication Application Guide TwinSAFE - version.9. 57

160 Error assumption Expectations Checked Communication error for standard communication: Loss Communication error for standard communication: Unacceptable delay Communication error for standard communication: Insertion Communication error for standard communication: Masquerading Communication error for standard communication: Addressing Communication error for standard communication: Recurrent memory errors in switches Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication. In addition, the standard communication watchdog should be activated for the speed 0. Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication not relevant for standard, only for safety communication. Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication.5.. Note about TwinSAFE SC communication: The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over- EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum and this polynomial is sufficiently independent of the polynomial previously used for Safetyover-EtherCAT. The identical mechanisms are active, such as the black channel principle (bit error probability 0 - ). The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via the comparison in the safe logic, since this would lead to inequality. 58 Application Guide TwinSAFE - version.9.

161 .5.3 Parameters of the safe output terminal EL904 Parameter Current measurement active Output test pulses active.5.4 Block formation and safety loops.5.4. Safety function Input Encoder Drive EL EL690 EL904 K K.5.5 Calculation.5.5. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL690 PFH Drive MTBF.E-09.5E-09.79E-09 56,840 (59a) Encoder MTTF 549,49 EL MTBF,05,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours Application Guide TwinSAFE - version.9. 59

162 .5.5. Diagnostic Coverage DC Component Drive and encoder with EL and plausibility within the logic K/K with EDM monitoring (actuation x per week and evaluation of all rising and falling edges with monitoring over time) without testing of the individual channels DCavg 90% (alternative in the calculation: 99%) DCavg 99% Calculation of safety function For clarification, the safety parameter is calculated according to both EN606 and EN3849. Calculation according to one standard is sufficient in practice. Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Calculation of the PFH and MTTFd values from the MTBF values: Note: Repair times can be neglected, therefore the following applies: MTTF d MTBF MTTF d λ d with λ d 0, T 0d 0, n op B0 d produces for PFH 0, n op ( DC) B0 d DC MTTF d Inserting the values, this produces: Drive: MTTF d MTBF h 8y PFH DC 0,9 9,67E 08 MTTF d h Encoder: MTTF d MTTF h 5y PFH DC 0,9 9,0E 08 MTTF d h 60 Application Guide TwinSAFE - version.9.

163 EL MTTF d MTBF h h 75y PFH DC 0,9 4,5E 08 MTTF d h Input subsystem PFH (Input) PFH (Encoder) + PFH (EL ) 9,0E ,5E 08 3,5E 08 K/K: n op ,90 MTTF d y h 0,,90 and the assumption that K and K are each single-channel: K/K: Actuation x per week and direct feedback PFH 0,99,9E , The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. The input signals from encoder with EL and drive have different measuring methods, provide differently scaled values and are both involved in the safety function. A non-functioning of a channel does not lead to a dangerous situation, but is detected by the comparison of the two values in the TwinSAFE logic and leads to a shutdown. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains tables (Table F. criteria for the determination of the CCF and Table F. estimation of the CCF factor (β)) with which this β factor can be determined exactly. For the input subsystem an estimated value of % can be achieved by processing the table to calculate the β factor. In the following calculation, the worst case is assumed to be 0%. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet) Application Guide TwinSAFE - version.9. 6

164 This produces for the calculation of the PFH value for safety function : PFH ges β (PFH (Input) + PFH (Drive) ) + ( β) (PFH (Input) PFH (Drive) ) T + PFH (EL690) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portions ( β) (PFH (K) PFH (K) ) T and ( β) (PFH (Input) PFH (Drive) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. 3,5E ,67E 08,9E,9E PFH ges 0%,79E 9,5E 9 0%,46E 08,79E 09,5E 9,9E 3 PFH ges, 45E 08 EN 606 Note In accordance with EN 606, the input subsystem is evaluated with an SFF or a DC of 90%. This restricts the achievable SIL value according to table 5 of EN 606 to a maximum SIL. Alternative calculation of the MTTFd value according to EN3849 for safety function (with the same assumption), with: MTTF d ges MTTF d n n i From the input subsystem, the poorer value is taken (here the combination of encoder and EL : MTTF d ges MTTF d (Encoder) MTTF d (EL ) MTTF d (EL690) MTTF d (EL904) + MTTF d (K) with: If only PFH values are available for EL904 and EL690, the following estimation applies: MTTF d (ELxxxx) Hence: ( DC(ELxxx)) PFH(ELxxx) MTTF D (EL690) ( DC (EL690)) PFH (EL690) ( 0,99),79E 09 h 8760h y 0,0 5,68E 06 y 637 y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93y 6 Application Guide TwinSAFE - version.9.

165 MTTF D ges 69,9 y DC avgs DC MTTF d (Encoder) + DC MTTF d (EL ) + DC MTTF d (Drive) + DC MTTF d (EL690) + DC MTTF d (EL904) + DC MTTF d (K) + DC MTTF d (K) MTTF d (Encoder) MTTF d (EL ) MTTF d (Drive) MTTF d (EL690) MTTF d (EL904) MTTF d (K) MTTF d (K) DC avgs 0,9 + 0,9 + 0,9 + 0,99 + 0,99 + 0,99 + 0, Alternatively with DC 99% DC avgs 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0, ,007 0,08 90,78% 0,06 0,08 99,% Application Guide TwinSAFE - version.9. 63

166 Category CAUTION This structure is possible up to category 3 at the most. Standstill WARNING When the motor is stopped, an error such as the freezing of an encoder signal is detected only if a movement is requested. The machine manufacturer or user must take this into account. Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 64 Application Guide TwinSAFE - version.9.

167 Alternative with DC 99% for the input subsystem: Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Name Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < to < to < 0-5 Application Guide TwinSAFE - version.9. 65

168 EL690 Circuit examples.6 Speed monitoring (via IO-link) (Category 3, PL d) The speed of a drive is to be monitored. This drive has a safety function (in this case, for example, STO), which is activated via a corresponding input. This input is conducted through one working contact of each of two contactors. The speed signals are transmitted in two different ways to the EL690 TwinSAFE logic and processed there according to the illustrated logic. The IO-link encoder is wired to an EL and the speed information is transmitted via TwinSAFE SC communication over PROFINET, for example. The speed of the drive is transferred to the EL690 TwinSAFE logic over the standard PROFINET communication (any other fieldbus is also possible) and the standard PLC. The two speeds are scaled by the FB Scale within the safety-related EL690 logic so that the values match each other. These two speed values are checked by the FB Compare for equality and monitored by the FB Limit for a maximum value. Since the two speed values are never 00% equal at any time, the difference between the two speed values should be within a tolerance band of 0% in order to still to meet the condition of equality. If the current speed value is below the threshold specified in the FB Limit, the STO output is set to logical and the drive can rotate. If the limit is exceeded or if the comparison fails, the output is set to logical 0 and the drive is switched to torque-free or the safety function integrated in the drive is activated. The entire calculation and scaling are performed at the SIL3/PL e safety level in the safety-related EL690 logic. Using this method, a safety-related result is created from two non-safetyrelated signals. An emergency stop function is additionally implemented by an ESTOP function block (not shown in the diagram for reasons of clarity), which prevents the restart and also takes over the control of contactors K and K. The IsValid signal of the Compare function block must be used to switch off in case of a fault. IO-Link structure 4Vdc PLC K K fieldbus e.g. PROFInet fieldbus e.g. EtherCAT STO Speed standard communication - speed TwinSAFE SC speed K K Drive EL IO-Link Master Logic see below standard communication speed over IO-link Motor Encoder 66 Application Guide TwinSAFE - version.9.

169 Diagram of the structure Motor motor shaft Encoder IO-Link EL BlackChannel speed PC EL690 EL904 actuator motor cable Drive standard fieldbus actual speed logic EStopInx TwinSAFE SC Communication Speed STO - Drive Standard Communication - Speed Restart Estop In Estop In STO - Drive K/K Feedback K/K Application Guide TwinSAFE - version.9. 67

170 .6. Structure and diagnosis The input signals read from the drive and the encoder are standard signals, but they are very different. The drive supplies a speed value and the encoder an IO-Link signal, which is evaluated by a standard terminal, packaged in a safe telegram (FSoE with changed polynomial - TwinSAFE SC) and transmitted. This terminal (EL ) supplies a position value that is scaled within the safe logic and compared with the speed value of the drive. Equality means in this case that the difference signal lies within the tolerance window of 0%. The IO-link encoder signal is transmitted via the standard fieldbus using the black channel principle. This value is checked for plausibility against the drive speed that is transmitted via the standard fieldbus. Errors in one of the two channels are detected immediately within the safe logic and lead to the activation of the STO of the drive..6. FMEA Error assumption Expectations Checked Speed value over e.g. PROFINET itself freezes Speed value over EtherCAT and TwinSAFE SC communication freezes Speed values are copied in succession in the standard PLC Speed value via e.g. PROFINET is corrupted There is no longer any connection between the motor and the encoder Encoder supplies an incorrect position value Drive supplies incorrect speed value Communication error for standard communication: Corruption Communication error for standard communication: Unintentional repetition Communication error for standard communication: Wrong sequence Detected via the second value and the plausibility check in the EL690 (TwinSAFE SC communication between EL and EL690) In addition, the standard communication watchdog should be activated for the speed 0. Detected by the watchdog within the TwinSAFE SC communication. Plausibility check: Dynamic speed values are also expected when the motor is started. A corrupt value within the TwinSAFE SC communication results in an invalid CRC inside the telegram and thus the immediate cut-off of the group and the outputs The data types of the two speed values have a different length (e.g. 4 bytes and bytes) Detected via the second value and the plausibility check in the EL690 (TwinSAFE SC communication between EL and EL690) Detected within the EL690 via the plausibility check with the speed value of the drive Plausibility check: Dynamic speed values are also expected when the motor is started. Detected within the EL690 via the plausibility check with the speed value of the drive Detected via the second value and the plausibility check in the EL690 (TwinSAFE SC communication between EL and EL690) Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication. In addition, the standard communication watchdog should be activated for the speed 0. Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication 68 Application Guide TwinSAFE - version.9.

171 Error assumption Expectations Checked Communication error for standard communication: Loss Communication error for standard communication: Unacceptable delay Communication error for standard communication: Insertion Communication error for standard communication: Masquerading Communication error for standard communication: Addressing Communication error for standard communication: Recurrent memory errors in switches Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication. In addition, the standard communication watchdog should be activated for the speed 0. Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication not relevant for standard, only for safety communication. Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication Detected within the EL690 via the plausibility check of the speed values with the TwinSAFE SC communication.6.. Note about TwinSAFE SC communication: The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over- EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum and this polynomial is sufficiently independent of the polynomial previously used for Safetyover-EtherCAT. The identical mechanisms are active, such as the black channel principle (bit error probability 0- ). The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via the comparison in the safe logic, since this would lead to inequality. Application Guide TwinSAFE - version.9. 69

172 .6.3 Parameters of the safe output terminal EL904 Parameter Current measurement active Output test pulses active.6.4 Block formation and safety loops.6.4. Safety function Input Encoder Drive EL EL690 EL904 K K.6.5 Calculation.6.5. PFH / MTTF d /B0 d values Component EL904 PFH EL904 PFH EL690 PFH Drive MTBF Encoder MTTF.E-09.5E-09.79E-09 56,840 (59y) (38y) EL MTBF,00,000 K B0d,300,000 K B0d,300,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZxklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours 70 Application Guide TwinSAFE - version.9.

173 .6.5. Diagnostic Coverage DC Component Drive and encoder with EL and plausibility within the logic K/K with EDM monitoring (actuation x per week and evaluation of all rising and falling edges with monitoring over time) without testing of the individual channels DCavg 90% (alternative in the calculation: 99%) DCavg99% Calculation of safety function For clarification, the safety parameter is calculated according to both EN606 and EN3849. Calculation according to one standard is sufficient in practice. Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op Calculation of the PFH and MTTFd values from the MTBF values: Note: Repair times can be neglected, therefore the following applies: MTTF d MTBF MTTF d λ d with λ d 0, T 0d 0, n op B0 d produces for PFH 0, n op ( DC) B0 d DC MTTF d Inserting the values, this produces: Drive MTTF d MTBF h 8y PFH DC 0,9 9,67E 08 MTTF d h Encoder MTTF d MTTF h 38y PFH DC 0,9 8,7E 08 MTTF d h Application Guide TwinSAFE - version.9. 7

174 EL MTTF d MTBF h h 73y PFH DC 0,9 4,7E 08 MTTF d h Input subsystem PFH (Input) PFH (Encoder) + PFH (EL ) 8,7E ,7E 08,44E 08 K/K: n op ,90 MTTF d y h 0,,90 and the assumption that K and K are each single-channel: K/K: Actuation x per week PFH 0,99,9E , The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. The input signals from encoder with EL and drive have different measuring methods, provide differently scaled values and are both involved in the safety function. A non-functioning of a channel does not lead to a dangerous situation, but is detected by the comparison of the two values in the TwinSAFE logic and leads to a shutdown. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains tables (Table F. criteria for the determination of the CCF and Table F. estimation of the CCF factor (β)) with which this β factor can be determined exactly. For the input subsystem an estimated value of % can be achieved by processing the table to calculate the β factor. In the following calculation, the worst case is assumed to be 0%. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet) This produces for the calculation of the PFH value for safety function : PFH ges β (PFH (Input) + PFH (Drive) ) + ( β) (PFH (Input) PFH (Drive) ) T + PFH (EL690) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portions ( β) (PFH (K) PFH (K) ) T and ( β) (PFH (Input) PFH (Drive) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. 7 Application Guide TwinSAFE - version.9.

175 ,44E ,67E 08,9E,9E PFH ges 0%,79E 9,5E 9 0%,06E 08,79E 09,5E 9,9E 3 PFH ges, 4E 08 EN 606 Note In accordance with EN 606, the input subsystem is evaluated with an SFF or a DC of 90%. This restricts the achievable SIL value according to table 5 of EN 606 to a maximum SIL. Alternative calculation of the MTTFd value according to EN3849 for safety function (with the same assumption), with: MTTF d ges MTTF d n n i From the input subsystem, the poorer value is taken (here the combination of encoder and EL ): MTTF d ges MTTF d (Encoder) MTTF d (EL ) MTTF d (EL690) MTTF d (EL904) + MTTF d (K) with: If only PFH values are available for EL904 and EL690, the following estimation applies: MTTF d (ELxxxx) Hence: ( DC(ELxxx)) PFH(ELxxx) MTTF D (EL690) ( DC (EL690)) PFH (EL690) ( 0,99),79E 09 h 8760h y 0,0 5,68E 06 y 637 y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93y MTTF d ges DC avgs ,65 y DC MTTF d (Encoder) + DC MTTF d (EL ) + DC MTTF d (Drive) + DC MTTF d (EL690) + DC MTTF d (EL904) + DC MTTF d (K) + DC MTTF d (K) MTTF d (Encoder) MTTF d (EL ) MTTF d (Drive) MTTF d (EL690) MTTF d (EL904) MTTF d (K) MTTF d (K) DC avgs 0,9 + 0,9 + 0,9 + 0,99 + 0,99 + 0,99 + 0, Alternatively with DC99% DC avgs 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0, ,000 0,00 90,90% 0,08 0,00 99,09% Application Guide TwinSAFE - version.9. 73

176 Category CAUTION This structure is possible up to category 3 at the most. Standstill WARNING When the motor is stopped, an error such as the freezing of an encoder signal is detected only if a movement is requested. The machine manufacturer or user must take this into account. Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFd none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 74 Application Guide TwinSAFE - version.9.

177 Alternative with DC 99% for the input subsystem: Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < to < to < 0-5 Application Guide TwinSAFE - version.9. 75

.7 STO function with EL7x-904 (Category 3, PL d) The following application example shows how the EL7x-904 can be wired together with an EL904 in order to implement an STO

The EStopOut signal is transferred to the NC controller, with which, for example, the Enable signal of the EL7x-904 can be switched.

The EL7x-904 supplies the information that the STO function is active via the standard controller.

178 .7 STO function with EL7x-904 (Category 3, PL d) The following application example shows how the EL7x-904 can be wired together with an EL904 in order to implement an STO function according to EN A safety door (S and S) and a restart signal (S3) are logically linked on an ESTOP function block. The EStopOut signal is transferred to the NC controller, with which, for example, the Enable signal of the EL7x-904 can be switched. The STO input of the EL7x-904 is operated via the delayed output EStopDelOut. The EL7x-904 supplies the information that the STO function is active via the standard controller. This information is transferred to the EDM input of the ESTOP function block and additionally to the EDM function block in order to generate an expectation for this signal. Controller PLC / NC Restart S3 logical connection in PLC / NC logical connection in EL69xx Opened S S EStopOut -> NC STO active -> EDM Closed EStopDelOut -> STO NC -> Drive Disable Feedback M 3~ EL904 EL7x-904 STO-Signal 76 Application Guide TwinSAFE - version.9.

179 Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! If the risk analysis gives the result that a restart has to be done within the safety controller, the restart must also be applied to a safe input. Wiring only inside the control cabinet! WARNING The wiring between the EL904 and the STO input of the EL7x-904 must be located in the same control cabinet in order to be able to assume a fault exclusion for the cross-circuit or external power supply of the wiring between EL904 and EL7x The evaluation of this wiring and the evaluation of whether the fault exclusion is permissible must be done by the machine manufacturer or user. Calculation EL7x-904 Note The EL7x-904 is not taken into account in the calculation of the Performance Level according to DIN EN ISO since it behaves non-reactively to the safety function. The PFH value goes into the calculation according to EN 606 with a value of Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active No Application Guide TwinSAFE - version.9. 77

180 .7. Block formation and safety loops.7.3 Safety function S EL904 EL6900 EL904 EL7x-904 S non-reactive.7.4 Calculation.7.4. PFH / MTTFd /B0d values Component EL904 PFH.E-09 EL904 PFH.5E-09 EL6900 PFH.03E-09 EL7x PFH 0.00 S B0d,000,000 S B0d,000,000 Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) 5 (4x per hour) Lifetime (T) 0 years 7500 hours.7.4. Diagnostic Coverage DC Component S/S with testing/plausibility EL904 with testing DCavg99% DCavg99% Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: off: n op d op h op 60 T Zyklus and: MTTF d B0 d 0, n op 78 Application Guide TwinSAFE - version.9.

181 Inserting the values, this produces: S: n op MTTF d ,3y h 0, 470 S: n op MTTF d ,7y 9074h 0, 470 and the assumption that S and S are each single-channel: MTTF d λ d produces for PFH 0, n op ( DC) B0 d DC MTTF d S: PFH 0,99 679,3 8760,68E 9 S: PFH 0,99 8,4E 0 358, The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains a table with which this ß-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). Application Guide TwinSAFE - version.9. 79

182 This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) + ( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + PFH (EL70 904) Since the portion ( β) (PFH (S) PFH (S) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to: PFH ges 0%,68E 09,68E 09,E 09,03E 09,5E ,00 3, 558E 09 The MTTFd value for safety function (based on the same assumption) is calculated with: MTTF d ges MTTF d n for: n i MTTF d ges MTTF d (S) MTTF d (EL904) MTTF d (EL6900) MTTF d (EL904) with: MTTF d (S) B0 d(s) 0, n op MTTF d (S) B0 d(s) 0, n op If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF d (ELxxxx) ( DC(ELxxx)) PFH(ELxxx) Hence: MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),E 09 h 8760h y 0,0 9,7E 06 y 08,8y MTTF d (EL6900) ( DC(EL6900)) PFH(EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF d (EL904) ( DC(EL904)) PFH(EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y 80 Application Guide TwinSAFE - version.9.

183 MTTF dges 5,y 679,3y 08,8y 08,6y 93,y DC avg 99% + 99% + 99% + 99% + 99% 679,3 358,7 08,8 08,6 93, 679,3 358,7 08,8 08,6 93, 99,00% Category CAUTION This structure is possible up to category 3 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9. 8

.8 STO-Function with IndraDrive (Category 4, PL e) The following example shows the use of safe outputs of the EL904 together with a BOSCH Rexroth IndraDrive drive to realize a STO function on this.

184 .8 STO-Function with IndraDrive (Category 4, PL e) The following example shows the use of safe outputs of the EL904 together with a BOSCH Rexroth IndraDrive drive to realize a STO function on this. For example, a protective door is wired in two channels to a safe input (here EL904) together with a restart signal. Within the TwinSAFE logic, these signals are used on an ESTOP module. The delayswitching output of the ESTOP block is used for the two safe outputs of the EL904. The output EStopOut can be used to electrically stop the drive via the NC control. One output each of the EL904 is wired to the STO inputs X49. and X49.3 of the Bosch Rexroth IndraDrive. The corresponding GND contact (X49.) is here, for example, fed back to the EL904 to show that the EL904 and the IndraDrive use identical ground potential of the 4V supply. Opened S logical connection in EL69xx Closed S Restart Implement a restart lock in the machine! CAUTION The restart lock is NOT part of the safety chain and must be implemented in the machine! 8 Application Guide TwinSAFE - version.9.

185 .8. Parameters of the safe input and output terminals EL904 Parameter Sensor test channel active Sensor test channel active Sensor test channel 3 active Sensor test channel 4 active Logic channel and Logic channel 3 and 4 Single Logic Single Logic EL904 Parameter Current measurement active Output test pulses active No.8. Block formation and safety loops.8.3 Safety function S EL904 EL6900 EL904 IndraDrive S.8.4 Calculation.8.4. PFH / MTTFd /B0d values Component EL904 PFH EL904 PFH EL6900 PFH Bosch Rexroth IndraDrive ) - PFH Bosch Rexroth IndraDrive ) - MTTFD,E-09,5E-09,03E-09 0,50E-09 > 00 years S B0d S B0d Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZykus) 5 (4x per hour) Lifetime (T) ) Please refer to the Bosch Rexroth user documentation 0 years 7500 hours Application Guide TwinSAFE - version.9. 83

186 .8.4. Diagnostic Coverage DC Component S/S with testing/plausibility DCavg99% EL904 with testing DCavg99% Bosch Rexroth IndraDrive ) DCavg99% ) Please refer to the Bosch Rexroth user documentation Calculation for safety function Calculation of the PFH and MTTFd values from the B0d values: off: n op d op h op 60 T Zyklus and: MTTF D B0 d 0, n op Inserting the values, this produces: S: n op MTTF D ,3 y h 0, 470 S: n op MTTF D ,7 y 9074 h 0, 470 and the assumption that S and S are each single-channel: MTTF D λ d produces for PFH 0, n op ( DC) B0 d DC MTTF D 84 Application Guide TwinSAFE - version.9.

187 S: PFH 0,99 679,3 8760,68E 9 S: PFH 0,99 8,4E 0 358, The following assumptions must now be made: The door switches S/S are always actuated in opposite directions. Since the switches have different values, but the complete protective door switch consists of a combination of normally closed and normally open contacts and both switches must function, the poorer of the two values (S) can be taken for the combination! There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains tables (Table F. criteria for the determination of the CCF and Table F. estimation of the CCF factor (β)) with which this β factor can be determined exactly. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function : PFH ges β PFH (S) + PFH (S) +( β) (PFH (S) PFH (S) ) T + PFH (EL904) + PFH (EL6900) + PFH (EL904) + PFH (IndraDrive) Since the portion ( β) (PFH (S) PFH (S) ) T is smaller than the rest by the power of ten, it is neglected in this and all further calculations for the purpose of simplification. to: PFH ges 0% PFH ges 4, 06E 09,68E ,40E 0,E 9,03E 9,5E 9 + 0,50E 9 Calculation according to EN 606 Note According to EN 606 table 3, this value corresponds to a SIL3. Application Guide TwinSAFE - version.9. 85

188 Alternative calculation of the MTTFD value according to EN3849 for safety function (with the same assumption), with: MTTF D ges MTTF D n for: n i MTTF D ges MTTF D (S) MTTF D (EL904) MTTF D (EL6900) MTTF D (EL904) MTTF D (IndraDrive) with: MTTF D (S) B0 d(s) 0, n op 679,3 y MTTF D (IndraDrive) 00 y If only PFH values are available for EL904, EL904 and EL6900, the following estimation applies: MTTF D (ELxxxx) ( DC (ELxxxx)) PFH (ELxxxx) Hence: MTTF D (EL904) ( DC (EL904)) ( 0,99) 0,0 PFH (EL904),E 09 08,8y h 8760h 9,7E 06 y y MTTF D (EL6900) ( DC (EL6900)) PFH (EL6900) ( 0,99),03E 09 h 8760h y 0,0 9,0E 06 y 08,6y MTTF D (EL904) ( DC (EL904)) PFH (EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93,y MTTF Dges 679,3y 08,8y 08,6y 93,y 00y 05,9 y DC avg 99% + 99% + 99% + 99% + 99% + 99% 679,3 358,7 08,8 08,6 93, ,3 358,7 08,8 08,6 93, 00 99,00% 86 Application Guide TwinSAFE - version.9.

189 Category Note This structure is possible up to category 4 at the most. Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC Category B DC MTTF d none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < to < to < 0-5 Application Guide TwinSAFE - version.9. 87

190 .8.5 Technical Note from company Bosch Rexroth AG This technical note is right now only available in German language. Please contact Bosch Rexroth AG in case you need an English translation. 88 Application Guide TwinSAFE - version.9.

191 Application Guide TwinSAFE - version.9. 89

192 90 Application Guide TwinSAFE - version.9.

193 Application Guide TwinSAFE - version.9. 9

.9 Temperature measurement with TwinSAFE SC (Category 3, PL d) In this example we will show how a temperature measurement with the TwinSAFE SC technology can be realized.

194 .9 Temperature measurement with TwinSAFE SC (Category 3, PL d) In this example we will show how a temperature measurement with the TwinSAFE SC technology can be realized. For this purpose, two measuring points are equipped with temperature sensors, on the one hand with a thermocouple of type K, which is wired to a standard EtherCAT terminal EL33, and on the other hand a PT000 measuring resistor, which is wired to a TwinSAFE SC EtherCAT terminal EL Within the safe TwinSAFE EL690 logic, these two signals are compared or plausibilized using a Compare function block. The signal is then checked via the FB limit. The result of the FB limit and the IsValid output of the Compare function block are used to switch off the contactors K and K via the function block Mon. The monitoring of the contactor feedback is not shown in this example for the sake of clarity, but must be considered by the user Restart Thermo-Element Typ K PT000 K K Emergency stop / contactor feedback monitor CAUTION In addition to the function shown above, a contactor feedback monitor, e.g. via an EDM function block for K and K and, if necessary, an emergency stop function must be implemented by the user! 9 Application Guide TwinSAFE - version.9.

195 .9. Diagram of the structure PT000 EL BlackChannel Temperature PC EL690 EL904 Actuator Thermo couple Type K EL33 Standard Fieldbus Temperature.9. Structure and diagnosis The read signals from the two measuring points are standard signals using a different technology. At least one signal is transmitted via the TwinSAFE SC technology to the safe TwinSAFE logic so that falsifications of this signal in the PC or on the transmission path are detected. The check for equality of these two signals, within the permissible tolerances, is performed in the safe TwinSAFE logic. The individual fault assumptions and associated expectations are listed in the following FMEA table.9.3 FMEA Error assumption Expectations Checked Temperature value over standard fieldbus itself freezes Detected via the second value and the plausibility check in the EL690. Temperature value over TwinSAFE SC communication freezes Temperature values are copied in succession in the standard PLC Temperature value via the standard fieldbus is corrupted There is no longer any connection between the sensor and the EtherCAT terminal PT000 supplies an incorrect temperature value Thermocouple supplies an incorrect temperature value Communication error for standard communication: Corruption Communication error for standard communication: Unintentional repetition Detected by the watchdog within the TwinSAFE SC communication and by the plausibility check in the EL690. A corrupt value within the TwinSAFE SC communication results in an invalid CRC inside the telegram and thus the immediate switch-off of the group and the outputs Detected via the second value and the plausibility check in the EL690. Detected within the EL690 via the plausibility check with the second temperature value. Detected within the EL690 via the plausibility check with the second temperature value. Detected within the EL690 via the plausibility check with the second temperature value. Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL690. Application Guide TwinSAFE - version.9. 93

196 Error assumption Expectations Checked Communication error for standard communication: Wrong sequence Communication error for standard communication: Loss Communication error for standard communication: Unacceptable delay Communication error for standard communication: Insertion Communication error for standard communication: Masquerading Communication error for standard communication: Addressing Communication error for standard communication: Recurrent memory errors in switches Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL690. not relevant for standard, only for safety communication. Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL Note about TwinSAFE SC communication: The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over- EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum. This polynomial is sufficiently independent of the polynomial used for Safety-over-EtherCAT. The identical mechanisms are active, such as the black channel principle (bit error probability 0 - ). The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via the comparison in the safe logic, since this would lead to inequality. 94 Application Guide TwinSAFE - version.9.

197 .9.4 Parameters of the safe output terminal EL904 Parameter Current measurement active Output test pulses active No.9.5 Block formation and safety loops.9.5. Safety function Input Input PT000 Thermo couple type K EL EL33 EL690 EL904 K K.9.6 Calculation.9.6. PFH / MTTF D /B0 D values Component EL904 PFH EL690 PFH,5E-09,79E-09 PT000 MTTFD 7.68 a (acc. to table C.5 EN ISO 3849-:05) Thermocouple Type K FIT 900 (Amount of errors in 0 9 hours) EL MTBF EL33 - MTBF K B0D K B0D Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours Application Guide TwinSAFE - version.9. 95

198 .9.6. Diagnostic Coverage DC Component Temperature values over TwinSAFE SC and plausibility check inside the logic K/K with EDM monitoring (actuation x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels DCavg90% (Alternatively in calculation: 99%) DCavg99% Calculation safety function For clarification, the safety parameter is calculated according to both EN606 and EN3849. Calculation according to one standard is sufficient in practice. Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF D B0 D 0, n op Calculation of the PFH and MTTFD values from the MTBF values: Note: Repair times can be neglected, therefore the following applies: MTTF D MTBF MTTF D λ D With: λ D 0, T 0D 0, n op B0 D results in: PFH 0, n op ( DC) B0 D DC MTTF D 96 Application Guide TwinSAFE - version.9.

199 Inserting the values, this produces: PT000 MTTF D 768 y h PFH DC 0,9,50E 09 MTTF D h EL MTTF D MTBF h h 03 y PFH DC 0,9 5,6E 08 MTTF D h Input subsystem PFH (Input) PFH (PT000) + PFH (EL ),5E ,6E 08 5,77E 08 Thermo couple MTTF D λ D 900 FIT 09 h h 60 y PFH DC 0,9 9,0E 08 MTTF D h EL33 MTTF D MTBF h h 379 y PFH DC 0,9 3,0E 08 MTTF D h Input subsystem PFH (Input) PFH (Thermocouple) + PFH (EL33) 9,0E ,0E 08,0E 08 K/K n op , MTTF D y h 0,,90 and the assumption that K and K are each single-channel: K/K: Actuation x per week and direct feedback PFH 0,99,9E , Application Guide TwinSAFE - version.9. 97

200 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. The input signals from PT000 with EL and thermocouple with EL33 have different measuring methods, provide both temperature values and are both involved in the safety function. A nonfunctioning of a channel does not lead to a dangerous situation, but is detected by the comparison of the two values in the TwinSAFE logic and leads to a shutdown. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains tables (Table F. criteria for the determination of the CCF and Table F. estimation of the CCF factor (β)) with which this β factor can be determined exactly. For the input subsystem an estimated value of % can be achieved by processing the table to calculate the β factor. In the following calculation, the worst case is assumed to be 0%. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet) This produces for the calculation of the PFH value for safety function : PFH ges β (PFH (Input) + PFH (Input) ) + ( β) (PFH (Input) PFH (Input) ) T + PFH (EL690) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portions ( β) (PFH (K) PFH (K) ) T and ( β) (PFH (Input) PFH (Input) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: 5,77E 08 +,0E 08,9E,9E PFH ges 0%,79E 9,5E 9 0%,3885E 08,79E 09,5E 9,9E 3 PFH ges, 693E 08 EN 606 Note In accordance with EN 606, the input subsystem is evaluated with an SFF or a DC of 90%. This restricts the achievable SIL value according to table 5 of EN 606 to a maximum SIL. 98 Application Guide TwinSAFE - version.9.

201 Alternative calculation of the MTTFd value according to EN3849 for safety function (with the same assumption), with: MTTF D ges MTTF D n n i From the input subsystem, the poorer value is taken: MTTF D ges MTTF D (Thermocouple) + MTTF D (EL33) + MTTF D (EL690) + MTTF D (EL904) + MTTF D (K) If only PFH values are available for EL904 and EL690, the following estimation applies: MTTF D (ELxxxx) ( DC (ELxxx)) PFH (ELxxx) Hence: MTTF D (EL690) ( DC (EL690)) PFH (EL690) ( 0,99),79E 09 h 8760h y 0,0 5,68E 06 y 637 y MTTF D (EL904) ( DC (EL904)) PFH (EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93 y MTTF D ges ,5 y DC avg DC MTTF D (PT000) MTTF D (PT000) + + DC MTTF D (EL34) MTTF D (EL34) + + DC MTTF D (TC) MTTF D (TC) + + DC MTTF D (EL33) MTTF D (EL33) + + DC MTTF D (EL690) MTTF D (EL690) + + DC MTTF D (EL904) MTTF D (EL904) + + DC MTTF D (K) MTTF D (K) + + DC MTTF D (K) MTTF D (K) Used with DC90% DC avg 0,9 + 0,9 + 0,9 + 0,9 + 0,99 + 0,99 + 0,99 + 0, Alternatively with DC99% DC avg 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0, ,046 0,070 9,% 0,068 0,070 99,6% Application Guide TwinSAFE - version.9. 99

202 Category CAUTION This structure is possible up to category 3 at the most. DC90% for the input subsystem Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFd none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 00 Application Guide TwinSAFE - version.9.

203 Alternatively with DC99% for the input subsystem Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFd none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < to < to < 0-5 Application Guide TwinSAFE - version.9. 0

204 .30 Level measurement with TwinSAFE SC (Category 3, PL d) In this example we will show how a level measurement with the TwinSAFE SC technology can be realized. Two different measurement methods are used for this purpose. On the one hand an ultrasonic sensor with a 0-0 V interface, which is wired to a TwinSAFE SC EtherCAT box EP is used, and on the other hand a level probe with 4-0 ma interface, which is wired to a standard EtherCAT terminal EL35. Within the safe TwinSAFE EL690 logic, these two signals are compared or plausibilized using a Compare function block. The signal from EP is previously scaled via the scale function block so that the two signals have an identical value range. The signal is then checked via the FB limit. The result of the FB limit and the IsValid output of the Compare function block are used to switch off the contactors K and K via the function block Mon. In addition, the StuckAtError output of the scale function block can also be placed on a Mon input. This means that a freezing of the signal can be detected. The monitoring of the contactor feedback is not shown in this example for the sake of clarity, but must be considered by the user Restart 0..0 V 4..0 ma K K Emergency stop / contactor feedback monitor CAUTION In addition to the function shown above, a contactor feedback monitor, e.g. via an EDM function block for K and K and, if necessary, an emergency stop function must be implemented by the user! 0 Application Guide TwinSAFE - version.9.

205 .30. Diagram of the structure Ultrasonic sensor 0..0 V EP BlackChannel Level PC EL690 EL904 Actuator Level probe 4..0 ma EL35 Standard Fieldbus Level.30. Structure and diagnosis The read signals from the two measuring points are standard signals using a different technology. At least one signal is transmitted via the TwinSAFE SC technology to the safe TwinSAFE logic so that falsifications of this signal in the PC or on the transmission path are detected. The check for equality of these two signals, within the permissible tolerances, is performed in the safe TwinSAFE logic. The individual fault assumptions and associated expectations are listed in the following FMEA table.30.3 FMEA Error assumption Expectations Checked Level value over standard fieldbus itself freezes Detected via the second value and the plausibility check in the EL690. Level value over TwinSAFE SC communication freezes Level values are copied in succession in the standard PLC Level value via the standard fieldbus is corrupted There is no longer any connection between the sensor and the EtherCAT terminal Ultrasonic sensor supplies an incorrect level value Level probe supplies an incorrect level value Communication error for standard communication: Corruption Communication error for standard communication: Unintentional repetition Communication error for standard communication: Wrong sequence Detected by the watchdog within the TwinSAFE SC communication and by the plausibility check in the EL690. A corrupt value within the TwinSAFE SC communication results in an invalid CRC inside the telegram and thus the immediate switch-off of the group and the outputs Detected via the second value and the plausibility check in the EL690. Detected within the EL690 via the plausibility check with the second level value. Detected within the EL690 via the plausibility check with the second level value. Detected within the EL690 via the plausibility check with the second level value. Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL690. Application Guide TwinSAFE - version.9. 03

206 Error assumption Expectations Checked Communication error for standard communication: Loss Communication error for standard communication: Unacceptable delay Communication error for standard communication: Insertion Communication error for standard communication: Masquerading Communication error for standard communication: Addressing Communication error for standard communication: Recurrent memory errors in switches Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL690. not relevant for standard, only for safety communication. Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the level values and via the TwinSAFE SC communication within the EL Note about TwinSAFE SC communication: The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over- EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum. This polynomial is sufficiently independent of the polynomial used for Safety-over-EtherCAT. The identical mechanisms are active, such as the black channel principle (bit error probability 0 - ). The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via the comparison in the safe logic, since this would lead to inequality. 04 Application Guide TwinSAFE - version.9.

207 .30.4 Parameters of the safe output terminal EL904 Parameter Current measurement active Output test pulses active No.30.5 Block formation and safety-loops Safety function Input Input Ultrasonic sensor level probe EP EL35 EL690 EL904 K K.30.6 Calculation PFH / MTTF D /B0 D values Component EL904 PFH EL690 PFH,5E-09,79E-09 Ultrasonic sensor MTBF 95 a ( h) Level probe MTTF 73 a ( h) EP MTBF EL35 - MTBF K B0D K B0D h h h h Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours Application Guide TwinSAFE - version.9. 05

208 Diagnostic Coverage DC Component Level values over TwinSAFE SC and plausibility check inside the logic K/K with EDM monitoring (actuation x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels DCavg90% (Alternatively in calculation: 99%) DCavg99% Calculation safety function For clarification, the safety parameter is calculated according to both EN606 and EN3849. Calculation according to one standard is sufficient in practice. Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF D B0 D 0, n op Calculation of the PFH and MTTFD values from the MTBF values: Note: Repair times can be neglected, therefore the following applies: MTTF D MTBF MTTF D λ D with: λ D 0, T 0D 0, n op B0 D results in PFH 0, n op ( DC) B0 D DC MTTF D 06 Application Guide TwinSAFE - version.9.

209 Inserting the values, this produces: Ultrasonic sensor MTTF D MTBF 95 y 390 y h PFH DC 0,9,93E 08 MTTF D h EP MTTF D MTBF h h 36 y PFH DC 0,9 8,33E 08 MTTF D h Input subsystem PFH (Input) PFH (Ultrasonic) + PFH (EP ),93E ,33E 08,6E 08 Level probe MTTF D MTTF 73 y.464 y h PFH DC 0,9 7,79E 09 MTTF D h EL35 MTTF D MTBF h h 57 y PFH DC 0,9,99E 08 MTTF D h Input subsystem PFH (Input) PFH (level probe) + PFH (EL35) 7,79E 09,99E 08,77E 08 K/K n op , MTTF D y h 0,,90 and the assumption that K and K are each single-channel: K/K: Actuation x per week and direct feedback PFH 0,99,9E , Application Guide TwinSAFE - version.9. 07

210 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. The input signals from ultrasonic sensor with EP and level probe with EL35 have different measuring methods, provide both level values and are both involved in the safety function. A nonfunctioning of a channel does not lead to a dangerous situation, but is detected by the comparison of the two values in the TwinSAFE logic and leads to a shutdown. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains tables (Table F. criteria for the determination of the CCF and Table F. estimation of the CCF factor (β)) with which this β factor can be determined exactly. For the input subsystem an estimated value of % can be achieved by processing the table to calculate the β factor. In the following calculation, the worst case is assumed to be 0%. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet) This produces for the calculation of the PFH value for safety function : PFH ges β (PFH (Input) + PFH (Input) ) + ( β) (PFH (Input) PFH (Input) ) T + PFH (EL690) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portions ( β) (PFH (K) PFH (K) ) T and ( β) (PFH (Input) PFH (Input) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to:,6e 08 +,77E 08,9E,9E PFH ges 0%,79E 9,5E 9 0% 7,05E 09,79E 09,5E 9,9E 3 PFH ges, 005E 08 EN 606 Note In accordance with EN 606, the input subsystem is evaluated with an SFF or a DC of 90%. This restricts the achievable SIL value according to table 5 of EN 606 to a maximum SIL. 08 Application Guide TwinSAFE - version.9.

211 Alternative calculation of the MTTFd value according to EN3849 for safety function (with the same assumption), with: MTTF D ges MTTF D n n i From the input subsystem, the poorer value is taken: MTTF D ges MTTF D (Ultrasonic sensor) + MTTF D (EP ) + MTTF D (EL690) + MTTF D (EL904) + MTTF D (K) If only PFH values are available for EL904 and EL690, the following estimation applies: MTTF D (ELxxxx) ( DC (ELxxx)) PFH (ELxxx) Hence: MTTF D (EL690) ( DC (EL690)) PFH (EL690) ( 0,99),79E 09 h 8760h y 0,0 5,68E 06 y 637 y MTTF D (EL904) ( DC (EL904)) PFH (EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93 y MTTF D ges ,46 y DC avg DC DC DC DC DC DC DC DC MTTF D(UltraSonic) MTTF D(EP374) MTTF D(level probe) MTTF D(EL35) MTTF D(EL690) MTTF D(EL904) MTTF D(K) MTTF D(K) MTTF D(UltraSonic) MTTF D(EP374) MTTF D(level probe) MTTF D(EL35) MTTF D(EL690) MTTF D(EL904) MTTF D(K) MTTF D(K) Used with DC90% DC avg 0,9 + 0,9 + 0,9 + 0,9 + 0,99 + 0,99 + 0,99 + 0, Alternatively with DC99% DC avg 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0, ,037 0,050 9,33% 0,0486 0,050 99,06% Application Guide TwinSAFE - version.9. 09

212 Category CAUTION This structure is possible up to category 3 at the most. DC90% for the input subsystem Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFd none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 0 Application Guide TwinSAFE - version.9.

213 Alternatively with DC99% for the input subsystem Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFd none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < to < to < 0-5 Application Guide TwinSAFE - version.9.

.3 Pressure measurement with TwinSAFE SC (Category 3, PL d) In this example we will show how a pressure measurement with the TwinSAFE SC technology can be realized.

214 .3 Pressure measurement with TwinSAFE SC (Category 3, PL d) In this example we will show how a pressure measurement with the TwinSAFE SC technology can be realized. For this purpose, two measuring points are equipped with pressure sensors, on the one hand with a pressure sensor with IO-Link interface, which is wired to a standard EtherCAT terminal EL64, and on the other hand a pressure sensor with 4..0 ma interface, which is wired to a TwinSAFE SC EtherCAT terminal EL Within the safe TwinSAFE EL690 logic, these two signals are compared or plausibilized using a Compare function block. The signal from EL64 is previously scaled via the scale function block so that the two signals have an identical value range. The signal is then checked via the FB limit. The result of the FB limit and the IsValid output of the Compare function block are used to switch off the contactors K and K via the function block Mon. In addition, the StuckAtError output of the scale function block can also be placed on a Mon input. This means that a freezing of the signal can be detected. The monitoring of the contactor feedback is not shown in this example for the sake of clarity, but must be considered by the user Restart IO-Link Pressure-Signal 4..0 ma Pressure-Signal K K Safety valve (PSV - Pressure Safety Valve) WARNUNG The application shown above cannot be used as a replacement for a safety valve according to the EC Pressure Equipment Directive. Emergency stop / contactor feedback monitor CAUTION In addition to the function shown above, a contactor feedback monitor, e.g. via an EDM function block for K and K and, if necessary, an emergency stop function must be implemented by the user! Application Guide TwinSAFE - version.9.

215 .3. Diagram of the structure Pressure sensor 4..0 ma EL BlackChannel Pressure PC EL690 EL904 Actuator Pressure sensor IO-Link EL64 Standard Feldbus Pressure.3. Structure and diagnosis The read signals from the two measuring points are standard signals using a different technology. At least one signal is transmitted via the TwinSAFE SC technology to the safe TwinSAFE logic so that falsifications of this signal in the PC or on the transmission path are detected. The check for equality of these two signals, within the permissible tolerances, is performed in the safe TwinSAFE logic. The individual fault assumptions and associated expectations are listed in the following FMEA table.3.3 FMEA Error assumption Expectations Checked Pressure value over standard fieldbus itself freezes Detected via the second value and the plausibility check in the EL690. Pressure value over TwinSAFE SC communication freezes Pressure values are copied in succession in the standard PLC Pressure value via the standard fieldbus is corrupted There is no longer any connection between the sensor and the EtherCAT terminal Pressure sensor (4..0mA) supplies an incorrect pressure value Pressure sensor (IO-Link) supplies an incorrect pressure value Communication error for standard communication: Corruption Detected by the watchdog within the TwinSAFE SC communication and by the plausibility check in the EL690. A corrupt value within the TwinSAFE SC communication results in an invalid CRC inside the telegram and thus the immediate switch-off of the group and the outputs Detected via the second value and the plausibility check in the EL690. Detected within the EL690 via the plausibility check with the second pressure value. Detected within the EL690 via the plausibility check with the second pressure value. Detected within the EL690 via the plausibility check with the second pressure value. Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL690. Application Guide TwinSAFE - version.9. 3

216 Error assumption Expectations Checked Communication error for standard communication: Unintentional repetition Communication error for standard communication: Wrong sequence Communication error for standard communication: Loss Communication error for standard communication: Unacceptable delay Communication error for standard communication: Insertion Communication error for standard communication: Masquerading Communication error for standard communication: Addressing Communication error for standard communication: Recurrent memory errors in switches Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL690. not relevant for standard, only for safety communication. Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the pressure values and via the TwinSAFE SC communication within the EL Note about TwinSAFE SC communication: The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over- EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum. This polynomial is sufficiently independent of the polynomial used for Safety-over-EtherCAT. The identical mechanisms are active, such as the black channel principle (bit error probability 0 - ). The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via the comparison in the safe logic, since this would lead to inequality. 4 Application Guide TwinSAFE - version.9.

217 .3.4 Parameters of the safe output terminal EL904 Parameter Current measurement active Output test pulses active No.3.5 Block formation and safety-loops.3.5. Safety function Input Input Pressure sensor Pressure sensor EL EL64 EL690 EL904 K K.3.6 Calculation.3.6. PFH / MTTF D /B0 D values Component EL904 PFH EL690 PFH,5E-09,79E-09 Pressure sensor (4..0 ma) MTTF 4 a ( h) Pressure sensor IO-Link MTTF 0 a ( h) EL MTBF EL64 - MTBF K B0D K B0D h h h h Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (TZyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours Application Guide TwinSAFE - version.9. 5

218 .3.6. Diagnostic Coverage DC Component Pressure values over TwinSAFE SC and plausibility check inside the logic K/K with EDM monitoring (actuation x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels DCavg90% (Alternatively in calculation: 99%) DCavg99% Calculation safety function For clarification, the safety parameter is calculated according to both EN606 and EN3849. Calculation according to one standard is sufficient in practice. Calculation of the PFH and MTTFd values from the B0d values: From: n op d op h op 60 T Zyklus and: MTTF D B0 D 0, n op Calculation of the PFH and MTTFD values from the MTBF values: Note: Repair times can be neglected, therefore the following applies: MTTF D MTBF MTTF D λ D with λ D 0, T 0D 0, n op B0 D results in PFH 0, n op ( DC) B0 D DC MTTF D 6 Application Guide TwinSAFE - version.9.

219 Inserting the values, this produces: Pressure sensor (4-0mA) MTTF D MTTF 4 y 48 y h PFH DC 0,9 4,60E 08 MTTF D h EL MTTF D MTBF h h 6 y PFH DC 0,9 5,6E 08 MTTF D h Input subsystem PFH (Input) PFH (Pressure sensor) + PFH (EL ) 4,60E ,6E 08 9,86E 08 Pressure sensor (IO-Link) MTTF D MTBF h h 40 y PFH DC 0,9,84E 08 MTTF D h EL64 MTTF D MTBF h h 367 y PFH DC 0,9 3,E 08 MTTF D h Input subsystem PFH (Input) PFH (Pressure sensor) + PFH (EL64),84E ,E 08 5,95E 08 K/K n op , MTTF D y h 0,,90 and the assumption that K and K are each single-channel: K/K: Actuation x per week and direct feedback PFH 0,99,9E , Application Guide TwinSAFE - version.9. 7

220 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0d values for K and K are identical. The input signals from pressure sensor with EL and pressure sensor with EL64 have different measuring methods, provide both pressure values and are both involved in the safety function. A non-functioning of a channel does not lead to a dangerous situation, but is detected by the comparison of the two values in the TwinSAFE logic and leads to a shutdown. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains tables (Table F. criteria for the determination of the CCF and Table F. estimation of the CCF factor (β)) with which this β factor can be determined exactly. For the input subsystem an estimated value of % can be achieved by processing the table to calculate the β factor. In the following calculation, the worst case is assumed to be 0%. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet) This produces for the calculation of the PFH value for safety function : PFH ges β (PFH (Input) + PFH (Input) ) + ( β) (PFH (Input) PFH (Input) ) T + PFH (EL690) + PFH (EL904) + β PFH (K) + PFH (K) + ( β) (PFH (K) PFH (K) ) T Since the portions ( β) (PFH (K) PFH (K) ) T and ( β) (PFH (Input) PFH (Input) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. to: 9,86E ,95E 08,9E,9E PFH ges 0%,79E 9,5E 9 0% 7,905E 09,79E 09,5E 9,9E 3 PFH ges, 094E 08 EN 606 Note In accordance with EN 606, the input subsystem is evaluated with an SFF or a DC of 90%. This restricts the achievable SIL value according to table 5 of EN 606 to a maximum SIL. 8 Application Guide TwinSAFE - version.9.

221 Alternative calculation of the MTTFd value according to EN3849 for safety function (with the same assumption), with: MTTF D ges MTTF D n n i From the input subsystem, the poorer value is taken: MTTF D ges MTTF D (PressureSensor) + MTTF D (EL ) + MTTF D (EL690) + MTTF D (EL904) + MTTF D (K) If only PFH values are available for EL904 and EL690, the following estimation applies: MTTF D (ELxxxx) ( DC (ELxxx)) PFH (ELxxx) Hence: MTTF D (EL690) ( DC (EL690)) PFH (EL690) ( 0,99),79E 09 h 8760h y 0,0 5,68E 06 y 637 y MTTF D (EL904) ( DC (EL904)) PFH (EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93 y MTTF D ges ,7 y DC avg DC MTTF D (Pressure ) MTTF D (Pressure ) Used with DC90% DC avg + + DC MTTF D (EL34) MTTF D (EL34) + + DC MTTF D (Pressure ) MTTF D (Pressure ) + + DC MTTF D (EL64) MTTF D (EL64) 0,9 + 0,9 + 0,9 + 0,9 + 0,99 + 0,99 + 0,99 + 0, Alternatively with DC99% DC avg 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0, DC MTTF D (EL690) MTTF D (EL690) + + 0,05 0,0654 9,4% 0,0637 0, ,97% DC MTTF D (EL904) MTTF D (EL904) + + DC MTTF D (K) MTTF D (K) + + DC MTTF D (K) MTTF D (K) Application Guide TwinSAFE - version.9. 9

222 Category CAUTION This structure is possible up to category 3 at the most. DC90% for the input subsystem Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFd none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e 0 Application Guide TwinSAFE - version.9.

223 Alternatively with DC99% for the input subsystem Designation for each channel low medium high MTTF d Range for each channel 3 years MTTFd < 0 years 0 years MTTFd < 30 years 30 years MTTFd 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFd none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Safety integrity level according to Tab. 3 EN606 Safety integrity level Probability of a dangerous failure per hour (PFH D) to < to < to < 0-5 Application Guide TwinSAFE - version.9.

224 .3 Monitoring lifting device (Category 3, PL d) A lifting device consisting of winches with deflection pulleys for moving a lifting table, should be monitored in a safe way. The functions of slack rope detection and overload are to be implemented. There are deflection pulleys with a strain gauge (DMS) sensor on the top of each side of the post, thus in sum 4 strain gauge sensors. One of these two sensors on one side is read with a TwinSAFE SC terminal EL The other strain gauge sensor is wired to an EL375. This provides a strain gauge mv / V signal, which must be converted into a weight value in the safe logic so that it can be compared with the value of the EL x DMS x DMS Winch Winch x Encoder x Encoder Safety function - Overload A maximum permissible payload is specified for the lifting device. This must be monitored. For this purpose, after the plausibility check of the EL375 and EL signals, a limitation of the result is made with the limit FB in the EL690. According to the risk and hazard analysis of the customer, this safety function is to be assessed with PL c according to EN 3849-:05. The safety function is built up in a category 3 structure. Safety function - Slack rope detection A slack-rope detection is used to detect whether the lifting sled has been mechanically suspended or is standing on the ground. In either case, a turn off must be done immediately. In addition, it also detects whether a rope is torn. According to the risk and hazard analysis of the customer, this safety function is to be assessed with PL c according to EN 3849-:05. The safety function is built up in a category 3 structure. Additional function - without safety requirements By incremental comparison of the encoder values of winch and, a synchronous operation can be checked. This prevents an oblique movement of the lifting sled by the two winches at an early stage. Application Guide TwinSAFE - version.9.

225 .3. Diagram of the structure lift carriage pulley DMS sensor EL BlackChannel DMS signal PC EL690 EL904 Actuator mechanically linked lift carriage pulley DMS sensor EL375 Standard fieldbus DMS signal lift carriage pulley 3 mechanically linked DMS sensor 3 EL BlackChannel DMS signal mechanically linked lift carriage pulley 4 DMS sensor 4 EL375 Standard fieldbus DMS signal.3. Structure and diagnosis The read-in signals of the strain gauge sensors are standard signals that are recorded differently per side. The first strain gauge sensor is wired to a strain gauge terminal EL which packs the determined weight value into a safe telegram (FSoE with modified polynomial - TwinSAFE SC) and transmits it to the EL690. The second strain gauge sensor is wired to a terminal EL375, which performs a strain gauge mv / V measurement. This signal is sent to the EL690 via the standard communication path. This signal is converted into a weight value before the plausibility check within the safe logic. The second side of the lifting device with strain gauge sensor 3 and 4 is identical. For the TwinSAFE SC communication of the second EL a different polynomial compared to the first side is used. This is done to detect that the data of both TwinSAFE SC connections is not copied on each other. Application Guide TwinSAFE - version.9. 3

226 .3.3 FMEA Error assumption Expectations Checked Strain gauge signal over standard fieldbus itself freezes Detected via the second value and the plausibility check in the EL690 (TwinSAFE SC Communication between EL and EL690). Strain gauge signal over TwinSAFE SC communication freezes Strain gauge values are copied in succession in the standard PLC Strain gauge value via the standard fieldbus is corrupted There is no longer a mechanical connection between the lifting sled and the winch EL supplies an incorrect strain gauge value EL375 supplies an incorrect strain gauge value Communication error for standard communication: Corruption Communication error for standard communication: Unintentional repetition Communication error for standard communication: Wrong sequence Communication error for standard communication: Loss Communication error for standard communication: Unacceptable delay Communication error for standard communication: Insertion Communication error for standard communication: Masquerading Communication error for standard communication: Addressing Detected via the second value and the plausibility check in the EL690 and and via the watchdog within the TwinSAFE SC communication A corrupt value within the TwinSAFE SC communication results in an invalid CRC inside the telegram and thus the immediate switch-off of the group and the outputs. The data types of the two strain gauge values have a different length because one of the two is packaged in the TwinSAFE SC telegram (for example, 4 bytes and bytes) Detected via the second value and the plausibility check in the EL690 (TwinSAFE SC Communication between EL and EL690). Detected within the EL690 via the plausibility check with the second strain gauge value. Detected via the plausibility check with the strain gauge value of the EL375 within the EL690. Detected via the plausibility check with the strain gauge value of the EL within the EL690. Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL690. Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL690. not relevant for standard, only for safety communication. Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL Application Guide TwinSAFE - version.9.

227 Error assumption Expectations Checked Communication error for standard communication: Recurrent memory errors in switches Is detected via the plausibility check of the strain gauge values and via the TwinSAFE SC communication within the EL Note about TwinSAFE SC communication: The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over- EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum. This polynomial is sufficiently independent of the polynomial used for Safety-over-EtherCAT. The identical mechanisms are active, such as the black channel principle (bit error probability 0 - ). The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via the comparison in the safe logic, since this would lead to inequality..3.4 Structure within the logic The logic in the EL690 is divided into 3 parts. In the first section the strain gauge values are scaled and plausibilised. The restart interlock and the shutdown of the contactors K and K are also included with an ESTOP function block. In the second section, the total load is determined and monitored via a limit function block to a maximum and minimum. The result is passed to the ESTOP block of the first section. In the third section, each individual signal is monitored for a minimum value. These 4 signals are linked to the ESTOP block of the first section. Application Guide TwinSAFE - version.9. 5

228 Section Section 6 Application Guide TwinSAFE - version.9.

229 Section Parameters of the safe output terminal EL904 Parameter Current measurement active Output test pulses active No Application Guide TwinSAFE - version.9. 7

230 .3.6 Block formation and safety-loops.3.6. Safety function / Input DMS sensor EL K Input DMS sensor EL375 EL690 EL904 K Input3 DMS sensor 3 EL Input4 DMS sensor 4 EL Calculation.3.7. PFH / MTTF D /B0 D values Component EL904 PFH EL690 PFH Strain gauge Sensor -4 MTTFD (AST KAL/0t/D50d/L05/,5mV/V) EL MTBF EL375 - MTBF K B0D K B0D,5E-09,79E y ( h) h h h h Encoder MTBF 07,5 y ( h) Days of operation (dop) 30 Hours of operation / day (hop) 6 Cycle time (minutes) (Tzyklus) Lifetime (T) 0080 (x per week) 0 years 7500 hours 8 Application Guide TwinSAFE - version.9.

231 .3.7. Diagnostic Coverage DC Component Strain gauge values over TwinSAFE SC and plausibility check inside the logic K/K with EDM monitoring (actuation x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels DCavg90% (Alternatively in calculation: 99%) DCavg99% Calculation safety function / For clarification, the safety parameter is calculated according to both EN606 and EN3849. Calculation according to one standard is sufficient in practice. Calculation of the PFH and MTTFD values from the B0D values: From: n op d op h op 60 T Zyklus und: MTTF D B0 D 0, n op Calculation of the PFH and MTTFD values from the MTBF values: Note: Repair times can be neglected, therefore the following applies: MTTF D MTBF MTTF D λ D with λ D 0, T 0D 0, n op B0 D results in PFH 0, n op ( DC) B0 D DC MTTF D Application Guide TwinSAFE - version.9. 9

232 Inserting the values, this produces: Strain gauge sensor MTTF D h 60 y PFH DC 0,9 7,3E 08 MTTF D h EL MTTF D MTBF h h 78 y PFH DC 0,9 6,40E 08 MTTF D h Input subsystem PFH (Input) PFH (DMS) + PFH (EL ) 7,3E ,40E 08 3,53E 08 Strain gauge sensor MTTF D h 60 y PFH DC 0,9 7,3E 08 MTTF D h EL375 MTTF D MTBF h h 7 y PFH DC 0,9 9,74E 08 MTTF D h Input subsystem PFH (Input) PFH (DMS) + PFH (EL375) 7,3E ,74E 08 6,87E 08 For input subsystem 3, the values as calculated for input subsystem apply. For input system 4, the values as calculated for input subsystem apply. K/K n op, MTTF D y h 0,,90 and the assumption that K and K are each single-channel: K/K: Actuation x per week and direct feedback PFH 0,99,9E , Application Guide TwinSAFE - version.9.

233 The following assumptions must now be made: Relays K and K are both connected to the safety function. The non-functioning of a relay does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B0D values for K and K are identical.. The input signals from strain gauge sensor with EL and strain gauge sensor with EL375 have a different internal structure, have different values (weight value and mv / V value) and are both involved in the safety function. A non-functioning of a channel does not lead to a dangerous situation, but is detected by the comparison of the two values in the TwinSAFE logic and leads to a shutdown. An identical design is used for strain gauge sensors 3 and 4. The sum of the 4 sensors provides the weight value for the overload cut-off. A lowering of the minimum load of a strain gauge sensor leads to slack rope shutdown. There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where ß 0%. EN 606 contains tables (Table F. criteria for the determination of the CCF and Table F. estimation of the CCF factor (β)) with which this β factor can be determined exactly. For the input subsystem an estimated value of % can be achieved by processing the table to calculate the β factor. In the following calculation, the worst case is assumed to be 0%. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet). This produces for the calculation of the PFH value for safety function / PFH DMS / β (PFH (Input) + PFH (Input) ) + ( β) (PFH (Input) PFH (Input) ) T (3,53E 08 6,87E 08) PFH DMS / 0,,5E 08 PFH DMS 3/4 β (PFH (Input3) + PFH (Input4) ) + ( β) (PFH (Input3) PFH (Input4) ) T (3,53E 08 6,87E 08) PFH DMS 3/4 0,,5E 08 PFH K/K β (PFH (K) + PFH (K) ) + ( β) (PFH (K) PFH (K) ) T (,9E,9E ) PFH K/K 0,,9E 3 Since the portions ( β) (PFH (x) PFH (y) ) T are smaller than the rest by the power of ten, they are neglected in this and all further calculations for the purpose of simplification. PFH ges PFH (DMS /) + PFH (DMS 3/4) + PFH (EL690) + PFH (EL904) + PFH (K/K) PFH ges,5e 08,5E 08,79E 9,5E 9,9E 3 PFH ges 3, 344E 08 EN 606 Note In accordance with EN 606, the input subsystem is evaluated with an SFF or a DC of 90%. This restricts the achievable SIL value according to table 5 of EN 606 to a maximum SIL. Application Guide TwinSAFE - version.9. 3

234 Alternative calculation of the MTTFD value according to EN 3849 for safety function / (with the same assumption), with MTTF D ges MTTF D n n i From the input subsystem, the poorer value is taken: MTTF D ges MTTF D (DMS Sensor ) + MTTF D (EL375) + MTTF D (EL690) + MTTF D (EL904) + MTTF D (K) If only PFH values are available for EL904 and EL690, the following estimation applies: MTTF D (ELxxxx) ( DC (ELxxx)) PFH (ELxxx) Hence: MTTF D (EL690) ( DC (EL690)) PFH (EL690) ( 0,99),79E 09 h 8760h y 0,0 5,68E 06 y 637 y MTTF D (EL904) ( DC (EL904)) PFH (EL904) ( 0,99),5E 09 h 8760h y 0,0,E 05 y 93 y MTTF D ges ,6 y DC avg DC DC DC DC DC DC MTTF D(DMS) MTTF D(EL3356) MTTF D(DMS) MTTF D(EL375) MTTF D(DMS) MTTF D(EL3356) DC DC DC DC DC DC MTTF D(DMS) MTTF D(EL375) MTTF D(EL690) MTTF D(EL904) MTTF D(K) MTTF D(K) MTTF D(DMS) MTTF D(EL3356) MTTF D(DMS) MTTF D(EL375) MTTF D(DMS) MTTF D(EL3356) MTTF D(DMS) MTTF D(EL375) MTTF D(EL690) MTTF D(EL904) MTTF D(K) MTTF D(K) Used with DC90% DC avg 0,9 + 0,9 + 0,9 + 0,9 + 0,9 + 0,9 + 0,9 + 0,9 + 0,99 + 0,99 + 0,99 + 0, Alternatively with DC99% DC avg ,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0,99 + 0, , , ,4% 0, , ,99% 3 Application Guide TwinSAFE - version.9.

235 Category CAUTION This structure is possible up to category 3 at the most. DC90% for the input subsystem Designation for each channel low medium high MTTF D Range for each channel 3 years MTTFD < 0 years 0 years MTTFD < 30 years 30 years MTTFD 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFD none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Application Guide TwinSAFE - version.9. 33

236 Alternatively with DC99% for the input subsystem Designation for each channel low medium high MTTF D Range for each channel 3 years MTTFD < 0 years 0 years MTTFD < 30 years 30 years MTTFD 00 years DC avg Designation Range none DC < 60 % low 60 % DC < 90 % medium 90 % DC < 99 % high 99 % DC For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit values shown in this table. Category B DC MTTFD none none low medium low medium high low a - a b b c - medium b - b c c d - high - c c d d d e Result Note The result with category 3, PL d fulfills or exceeds the requirements of the risk and hazard analysis (PL c). 34 Application Guide TwinSAFE - version.9.

237 Planning a safety project with TwinSAFE components 3 Planning a safety project with TwinSAFE components This chapter provides an overview of the general planning process for a safety project using TwinSAFE components. Machinery Directive CAUTION This description applies only to machines as defined by the Machinery Directive. Standards CAUTION The relevant standards must be available to the user. The following description cannot replace the standard. Typically, the current version of EN ISO and EN ISO or EN 606 should be available as a minimum. Further useful information can be found in IFA report /07. Type C standard Note Before you start the following process, you should check whether a type C standard is available for your machine. If this is the case, please follow the steps and instructions given there. If no type C standard is available, you can use the process described below as a guide for the steps to be performed. 3. Identifying the risks and hazards DIN EN ISO 00 defines an iterative process for risk minimization, for eliminating hazards or for reducing the risk at machines. It describes the process of risk minimization in a three-step method. In the first step, the machine should be designed to be inherently safe. If this is not possible, technical protective measures can be taken to minimize the risk. In the last step, user information about the residual risk can be provided. In the first step, the risks and hazards and thus the safety functions must be identified. Machine manufacturers require precise knowledge of the operation of their machine in order to identify risks and hazards. Referring to Annex B of EN ISO 00:00 is helpful for this purpose. This risk and hazard analysis should be carried out by persons with knowledge in different areas (mechanics, electrics, hydraulics, software, maintenance,...). All operating modes and conditions must be taken into account, including commissioning, maintenance/servicing, normal operation and decommissioning. The reasons for or against a particular decision should also be documented. Make sure that your arguments and justifications are understandable and conclusive. In this context, it is particularly important to note that safety measures must not yet be taken into account when assessing the risk. When all persons involved in the process agree with the result of the analysis, it should be signed by all involved. Application Guide TwinSAFE - version.9. 35

238 Planning a safety project with TwinSAFE components 3. Determining the PLr / SIL For each safety function (SF) of the machine identified in the risk and hazard analysis, the machine manufacturer or user must determine the required Performance Level or SIL Level. The SIL Level is determined based on the description in Annex A of EN 606. The Performance Level is determined based on the risk graph for determining the PL r of EN ISO Information on the risk graph can be found in Annex A of EN ISO 3849-: Specification of the safety functions For each safety function identified, it is necessary to specify how the risk should be reduced in accordance with the EN ISO 00 strategy for risk reduction. Risks and hazards whose residual risk is to be reduced by inherently safe design or user information must be specified, but are not part of this description. The following explanations refer only to safety functions, the residual risk of which is to be reduced by technical protective measures. For these safety functions, the iterative design process for safety-related parts of the control system (SRP/CS) is carried out in accordance with EN ISO 3849-: Specification of the measures The machine manufacturer should compile a detailed description of each identified safety function (SF) whose residual risk is to be reduced by means of technical protection measures. This description contains information about the hazard, the type of measures taken to reduce the hazard and the required Performance Level or SIL Level for this safety function. For each SF, the description of the measures must include the category according to EN ISO and the components to be used, together with their safety parameters (MTTFD, DC, CCF, SFF). Information on operating states and characteristics is required. These include the operating modes, the cycle time, the response times or process safety time, the ambient conditions, the frequency of execution, the operating times, the behavior of the machine in the event of energy loss and more. More detailed information on this can be found in chapter 5. of EN 606 and chapter 5 of EN ISO 3849-:05. The machine manufacturer must specify and document the description of the safety-related program for the TwinSAFE Logic, since it forms the basis for the implementation. In addition to selecting the TwinSAFE components, the function blocks to be used and the sensors and actuators, the parameterization of the components must also be specified, since this can influence the maximum achievable Performance Level. Examples for the implementation of safety functions and the parameterization of the TwinSAFE components can be found in this manual. 36 Application Guide TwinSAFE - version.9.

Planning a safety project with TwinSAFE components 3.5 Implementation of the safety functions The function blocks are configured in TwinCAT according to the specified safety functions.

Safe input and output components provide the interface to sensors and actuators.

239 Planning a safety project with TwinSAFE components 3.5 Implementation of the safety functions The function blocks are configured in TwinCAT according to the specified safety functions. Predefined function blocks are available for the typical safety functions, which can be interconnected in a graphical editor. Safe input and output components provide the interface to sensors and actuators. Once the entire safety logic and the parameterization of the safe inputs and outputs have been implemented, a download to the TwinSAFE logic can take place. A valid user name and password must be provided for the download, together with the serial number of the device. The download of the safety program is verified by comparing the CRC of the loaded project (online CRC) and the calculated CRC from the Safety Editor (offline CRC). The comparison is carried out by TwinCAT on the one hand and by the user on the other. The user confirms the comparison by ticking the checkbox and re-entering the password. The Safety CRC toolbar in TwinCAT can be used at any time to check whether the online CRC matches the offline CRC, i.e. whether data has been changed in the editor or on the TwinSAFE logic. The following table is taken from the EL690 documentation. Application Guide TwinSAFE - version.9. 37

Planning a safety project with TwinSAFE components Checking the checksums CAUTION The user must verify that the online CRC and the offline CRC match.

240 Planning a safety project with TwinSAFE components Checking the checksums CAUTION The user must verify that the online CRC and the offline CRC match. This is the only way to ensure that a download was carried out after the project was created or modified. Once all specified safety functions have been implemented in the TwinSAFE logic, the implemented logic is printed. In addition to the entire logic, the parameters and the safety addresses of all safety components used, the printout also contains the calculated project checksum, which is shown on the cover sheet. The programmer and the customer can document the acceptance of the safety functions with date and signature on the cover sheet. 38 Application Guide TwinSAFE - version.9.

Data Sheet. Functional Safety Characteristic Safety Values for BE..(FS) Brakes * _0715*

Data Sheet. Functional Safety Characteristic Safety Values for BE..(FS) Brakes * _0715* Drive Technology \ Drive Automation \ System Integration \ Services *22292616_0715* Data Sheet Functional Safety Characteristic Safety Values for BE..(FS) Brakes Edition 07/2015 22292616/EN SEW-EURODRIVE