
Documentation | EN

Application Guide TwinSAFE


Examples for the calculation of safety parameters for safety functions

2022-06-22 | Version: 3.2.0


Table of contents
1 Foreword .................................................................................................................................................... 9
1.1 Notes on the documentation ............................................................................................................. 9
1.2 Safety instructions ........................................................................................................................... 10
1.2.1 Delivery state ................................................................................................................... 10
1.2.2 Operator's obligation to exercise diligence ...................................................................... 11
1.2.3 Purpose and area of application ...................................................................................... 11
1.2.4 Description of instructions ................................................................................................ 12
1.2.5 Explanation of terms ........................................................................................................ 13
1.3 Documentation issue status ............................................................................................................ 14

2 ESTOP functions ..................................................................................................................................... 15


2.1 ESTOP function variant 1 (category 3, PL d) .................................................................................. 15
2.1.1 Parameters of the safe input and output terminals .......................................................... 15
2.1.2 Block formation and safety loops ..................................................................................... 16
2.1.3 Calculation ....................................................................................................................... 16
2.2 ESTOP function variant 2 (category 3, PL d) .................................................................................. 21
2.2.1 Parameters of the safe input and output terminals .......................................................... 21
2.2.2 Block formation and safety loops ..................................................................................... 22
2.2.3 Calculation ....................................................................................................................... 22
2.3 ESTOP function variant 3 (category 4, PL e) .................................................................................. 27
2.3.1 Parameters of the safe input and output terminals .......................................................... 27
2.3.2 Block formation and safety loops ..................................................................................... 28
2.3.3 Calculation ....................................................................................................................... 28
2.4 ESTOP function variant 4 (category 4, PL e) .................................................................................. 33
2.4.1 Parameters of the safe input and output terminals .......................................................... 33
2.4.2 Block formation and safety loops ..................................................................................... 34
2.4.3 Calculation ....................................................................................................................... 34
2.5 ESTOP function variant 5 (category 4, PL e) .................................................................................. 39
2.5.1 Parameters of the safe input and output terminals .......................................................... 39
2.5.2 Block formation and safety loops ..................................................................................... 40
2.5.3 Calculation ....................................................................................................................... 40
2.6 ESTOP function variant 6 (category 3, PL d) .................................................................................. 45
2.6.1 Parameters of the safe input and output terminals (SIL 2)............................................... 45
2.6.2 Block formation and safety loops ..................................................................................... 46
2.6.3 Calculation ....................................................................................................................... 46
2.7 ESTOP function variant 7 (category 4, PL e) .................................................................................. 51
2.7.1 Parameters of the safe input and output terminals .......................................................... 51
2.7.2 Block formation and safety loops ..................................................................................... 52
2.7.3 Calculation ....................................................................................................................... 52
2.8 EK1960 digital inputs and outputs (category 4, PL e) ..................................................................... 57
2.8.1 Parameters of the safe input and output modules ........................................................... 58
2.8.2 Block formation and safety loops ..................................................................................... 58
2.8.3 Calculation ....................................................................................................................... 59
2.9 EK1960 digital inputs / relay outputs (category 4, PL e) ................................................................. 63
2.9.1 Parameters of the safe input and output modules ........................................................... 64

Application Guide TwinSAFE Version: 3.2.0 3

2.9.2 Block formation and safety loops ..................................................................................... 64


2.9.3 Calculation ....................................................................................................................... 65
2.10 ESTOP function (category 3, PL d) ................................................................................................. 69
2.10.1 Parameters of the safe input and output terminals (SIL 2)............................................... 69
2.10.2 Block formation and safety loops ..................................................................................... 70
2.10.3 Calculation ....................................................................................................................... 70

3 Access functions .................................................................................................................................... 74


3.1 Protective door function variant 1 (category 3, PL d) ...................................................................... 74
3.1.1 Parameters of the safe input and output terminals .......................................................... 74
3.1.2 Block formation and safety loops ..................................................................................... 75
3.1.3 Calculation ....................................................................................................................... 75
3.2 Protective door function variant 2 (category 4, PL e) ...................................................................... 79
3.2.1 Parameters of the safe input and output terminals .......................................................... 79
3.2.2 Block formation and safety loops ..................................................................................... 80
3.2.3 Calculation ....................................................................................................................... 80
3.3 Protective door function with range monitoring (Category 4, PL e)................................................. 84
3.3.1 Parameters of the safe input and output terminals .......................................................... 85
3.3.2 Block formation and safety loops ..................................................................................... 85
3.3.3 Calculation ....................................................................................................................... 86
3.4 Protective door function with tumbler (Category 4, PL e)................................................................ 91
3.4.1 Parameters of the safe input and output terminals .......................................................... 91
3.4.2 Block formation and safety loops ..................................................................................... 92
3.4.3 Calculation ....................................................................................................................... 92
3.5 Two-hand controller (Category 4, PL e) .......................................................................................... 98
3.5.1 Parameters of the safe input and output terminals .......................................................... 98
3.5.2 Block formation and safety loops ..................................................................................... 99
3.5.3 Calculation ....................................................................................................................... 99
3.6 Laser scanner (category 3, PL d) .................................................................................................. 103
3.6.1 Parameters of the safe input and output terminals ........................................................ 103
3.6.2 Block formation and safety loops ................................................................................... 104
3.6.3 Calculation ..................................................................................................................... 104
3.7 Light curtain (Category 4, PL e) .................................................................................................... 108
3.7.1 Parameters of the safe input and output terminals ........................................................ 108
3.7.2 Block formation and safety loops ................................................................................... 109
3.7.3 Calculation ..................................................................................................................... 109
3.8 Safety switching mat / safety bumper (Category 4, PL e) ............................................................. 113
3.8.1 Parameters of the safe input and output terminals ........................................................ 113
3.8.2 Block formation and safety loops ................................................................................... 114
3.8.3 Calculation ..................................................................................................................... 114
3.9 Muting (Category 4, PL e) ............................................................................................................. 118
3.9.1 Parameters of the safe input and output terminals ........................................................ 118
3.9.2 Block formation and safety loops ................................................................................... 119
3.9.3 Calculation ..................................................................................................................... 119
3.10 EK1960 safety mat inputs / digital outputs (category 2, PL d) ...................................................... 124
3.10.1 Parameters of the safe input and output modules ......................................................... 125
3.10.2 Block formation and safety loops ................................................................................... 125
3.10.3 Calculation ..................................................................................................................... 126


3.11 EP1957 OSSD sensor for protective door (Category 4, PL e) ...................................................... 130
3.11.1 Parameters of the safe input and output modules ......................................................... 131
3.11.2 Block formation and safety loops ................................................................................... 131
3.11.3 Calculation ..................................................................................................................... 132

4 Potential groups .................................................................................................................................... 135


4.1 All-pole disconnection of a potential group with downstream interference-free standard terminals
(Category 4, PL e) ......................................................................................................................... 135
4.1.1 Notes on prevention of feedback ................................................................................... 137
4.1.2 Parameters of the safe input and output terminals ........................................................ 138
4.1.3 Block formation and safety loops ................................................................................... 139
4.1.4 Calculation ..................................................................................................................... 139
4.2 Single-pole disconnection of a potential group with downstream interference-free standard terminals with fault exclusion (Category 4, PL e) .................................................................................. 144
4.2.1 Notes on prevention of feedback ................................................................................... 146
4.2.2 Parameters of the safe input and output terminals ........................................................ 148
4.2.3 Block formation and safety loops ................................................................................... 148
4.2.4 Calculation ..................................................................................................................... 149
4.3 EL2911 potential group with interference-free standard terminals (Category 4, PL e) ................. 153
4.3.1 Notes on prevention of feedback ................................................................................... 154
4.3.2 EL2911 parameters........................................................................................................ 156
4.3.3 Block formation and safety loops ................................................................................... 156
4.3.4 Calculation ..................................................................................................................... 157
4.4 EPP potential group with EPP9022-9060 (Category 4, PL e) ....................................................... 161
4.4.1 Notes on prevention of feedback ................................................................................... 164
4.4.2 EL2911 parameters........................................................................................................ 166
4.4.3 Block formation and safety loops ................................................................................... 166
4.4.4 Calculation ..................................................................................................................... 167

5 STO/SS1 functions ................................................................................................................................ 171


5.1 AX8xxx-x1xx STO function (Category 4, PL e) ............................................................................. 171
5.1.1 Parameters of the safe input and output modules ......................................................... 172
5.1.2 Block formation and safety loops ................................................................................... 172
5.1.3 Calculation ..................................................................................................................... 172
5.2 Drive option AX5801 with SS1 stop function (Category 4, PL e) .................................................. 177
5.2.1 Parameters of the safe input and output terminals ........................................................ 178
5.2.2 Block formation and safety loops ................................................................................... 178
5.2.3 Calculation ..................................................................................................................... 179
5.3 STO function with EL72x1-9014 (category 3, PL d) ...................................................................... 183
5.3.1 Parameters of the safe input and output terminals ........................................................ 184
5.3.2 Block formation and safety loops ................................................................................... 184
5.3.3 Calculation ..................................................................................................................... 185
5.4 STO function with IndraDrive (category 4, PL e)........................................................................... 188
5.4.1 Parameters of the safe input and output terminals ........................................................ 189
5.4.2 Block formation and safety loops ................................................................................... 190
5.4.3 Calculation ..................................................................................................................... 190
5.4.4 Technical Note from Bosch Rexroth AG ........................................................................ 194

6 Safe Motion functions........................................................................................................................... 198


6.1 Drive option AX5805 with SS2 stop function (Category 4, PL e) .................................................. 198
6.1.1 Parameters of the safe input and output terminals ........................................................ 198
6.1.2 Block formation and safety loops ................................................................................... 199
6.1.3 Calculation ..................................................................................................................... 199

7 Analog value processing with TwinSAFE SC..................................................................................... 203


7.1 Speed monitoring (category 3, PL d) ............................................................................................ 203
7.1.1 Structure and diagnosis ................................................................................................. 205
7.1.2 FMEA ............................................................................................................................. 206
7.1.3 Parameters of the safe output terminal .......................................................................... 207
7.1.4 Block formation and safety loops ................................................................................... 208
7.1.5 Calculation ..................................................................................................................... 208
7.2 Speed monitoring (via IO-Link) (category 3, PL d) ........................................................................ 214
7.2.1 Structure and diagnosis ................................................................................................. 215
7.2.2 FMEA ............................................................................................................................. 216
7.2.3 Parameters of the safe output terminal .......................................................................... 217
7.2.4 Block formation and safety loops ................................................................................... 218
7.2.5 Calculation ..................................................................................................................... 218
7.3 Temperature measurement with TwinSAFE SC (category 3, PL d).............................................. 224
7.3.1 Schematic diagram of the configuration......................................................................... 225
7.3.2 Structure and diagnosis ................................................................................................. 225
7.3.3 FMEA ............................................................................................................................. 225
7.3.4 Parameters of the safe output terminal .......................................................................... 226
7.3.5 Block formation and safety loops ................................................................................... 227
7.3.6 Calculation ..................................................................................................................... 227
7.4 Level measurement with TwinSAFE SC (category 3, PL d).......................................................... 233
7.4.1 Schematic diagram of the configuration......................................................................... 234
7.4.2 Structure and diagnosis ................................................................................................. 234
7.4.3 FMEA ............................................................................................................................. 234
7.4.4 Parameters of the safe output terminal .......................................................................... 235
7.4.5 Block formation and safety loops ................................................................................... 236
7.4.6 Calculation ..................................................................................................................... 236
7.5 Pressure measurement with TwinSAFE SC (category 3, PL d) .................................................... 242
7.5.1 Schematic diagram of the configuration......................................................................... 243
7.5.2 Structure and diagnosis ................................................................................................. 243
7.5.3 FMEA ............................................................................................................................. 243
7.5.4 Parameters of the safe output terminal .......................................................................... 244
7.5.5 Block formation and safety loops ................................................................................... 245
7.5.6 Calculation ..................................................................................................................... 245
7.6 Monitoring of lifting device (category 3, PL d) ............................................................................... 251
7.6.1 Structural image structure .............................................................................................. 252
7.6.2 Structure and diagnosis ................................................................................................. 252
7.6.3 FMEA ............................................................................................................................. 253
7.6.4 Structure within the logic ................................................................................................ 254
7.6.5 Parameters of the safe output terminal .......................................................................... 256
7.6.6 Block formation and safety loops ................................................................................... 257
7.6.7 Calculation ..................................................................................................................... 257

8 Application-specific scenarios ............................................................................................................ 264


8.1 Networked system (Category 4, PL e) .......................................................................................... 264
8.1.1 Parameters of the safe input and output terminals ........................................................ 265
8.1.2 Block formation and safety loops ................................................................................... 265
8.1.3 Calculation ..................................................................................................................... 266
8.2 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (1-channel) (Category 2, PL c)........ 270
8.2.1 Parameters of the safe input and output terminals ........................................................ 270
8.2.2 Block formation and safety loops ................................................................................... 271
8.2.3 Calculation ..................................................................................................................... 271
8.3 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (2-channel) (Category 3, PL d) ....... 274
8.3.1 Parameters of the safe input and output terminals ........................................................ 274
8.3.2 Block formation and safety loops ................................................................................... 274
8.3.3 Calculation ..................................................................................................................... 275
8.4 Application example C9900-M800 ................................................................................................ 277
8.4.1 Description C9900-M800 ............................................................................................... 277
8.4.2 Calculation ..................................................................................................................... 278

9 Connection of PROFIsafe ..................................................................................................................... 293


9.1 Safe speed monitoring with PROFIsafe encoder (category 4, PL e) ............................................ 293
9.1.1 FMEA ............................................................................................................................. 295
9.1.2 Configuration in the engineering environment ............................................................... 295
9.1.3 Parameters of the safe output terminal .......................................................................... 303
9.1.4 Block formation and safety loops ................................................................................... 303
9.1.5 Calculation of safety function 1 (without drive)............................................................... 304
9.1.6 Calculation of safety function 2 (with drive).................................................................... 307
9.2 Safe area monitoring with PROFIsafe laser scanner (category 3, PL d) ...................................... 311
9.2.1 Configuration in the engineering environment ............................................................... 312
9.2.2 Parameters of the safe input and output terminal .......................................................... 322
9.2.3 Block formation and safety loops ................................................................................... 323
9.2.4 Calculation of safety function 1 ...................................................................................... 323
9.3 Safe control of an ABB robot via PROFIsafe (category 3, PL d)................................................... 327
9.3.1 FMEA ............................................................................................................................. 329
9.3.2 Configuration in the engineering environment ............................................................... 329
9.3.3 Parameters of the safe input terminal ............................................................................ 337
9.3.4 Block formation and safety loops ................................................................................... 338
9.3.5 Calculation of safety function 1 ...................................................................................... 338

10 Planning a safety project with TwinSAFE components .................................................................... 342


10.1 Identifying the risks and hazards................................................................................................... 342
10.2 Determining the PLr / SIL .............................................................................................................. 343
10.3 Specification of the safety functions .............................................................................................. 343
10.4 Specification of the measures ....................................................................................................... 343
10.5 Implementation of the safety functions.......................................................................................... 343
10.6 Proof of achievement of the Performance Level ........................................................................... 346
10.7 Validation of the safety functions .................................................................................................. 346
10.8 Instructions for checking the SF .................................................................................................... 346
10.9 Acceptance ................................................................................................................................... 347

11 Technical report – TÜV SÜD ................................................................................................................ 348

12 Support and Service ............................................................................................................................. 349

1 Foreword

1.1 Notes on the documentation


Intended audience

This description is only intended for the use of trained specialists in control and automation engineering who
are familiar with the applicable national standards.

It is essential that the following notes and explanations are followed when installing and commissioning
these components.

The responsible staff must ensure that the application or use of the products described satisfies all the
requirements for safety, including all the relevant laws, regulations, guidelines and standards.

Origin of the document

This is a translation of the original instructions which are written in German. All other languages are derived
from the German original.

Product features

Only the product features specified in the current user documentation are valid. Further information given on
the product pages of the Beckhoff homepage, in emails or in other publications is not authoritative.

Disclaimer

The documentation has been prepared with care. The products described are subject to cyclical revision. For
that reason the documentation is not in every case checked for consistency with performance data,
standards or other characteristics. We reserve the right to revise and change the documentation at any time
and without prior announcement. No claims for the modification of products that have already been supplied
may be made on the basis of the data, diagrams and descriptions in this documentation.

Trademarks

Beckhoff®, TwinCAT®, TwinCAT/BSD®, TC/BSD®, EtherCAT®, EtherCAT G®, EtherCAT G10®, EtherCAT P®,
Safety over EtherCAT®, TwinSAFE®, XFC®, XTS® and XPlanar® are registered trademarks of and licensed by
Beckhoff Automation GmbH. Other designations used in this publication may be trademarks whose use by
third parties for their own purposes could violate the rights of the owners.

Patent Pending

The EtherCAT Technology is covered, including but not limited to the following patent applications and
patents: EP1590927, EP1789857, EP1456722, EP2137893, DE102015105702 with corresponding
applications or registrations in various other countries.

EtherCAT® and Safety over EtherCAT® are registered trademarks and patented technologies, licensed by
Beckhoff Automation GmbH, Germany.

Copyright

© Beckhoff Automation GmbH & Co. KG, Germany.


The reproduction, distribution and utilization of this document as well as the communication of its contents to
others without express authorization are prohibited.
Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a
patent, utility model or design.

Delivery conditions

In addition, the general delivery conditions of the company Beckhoff Automation GmbH & Co. KG apply.

Currentness

Please check whether you are using the current and valid version of this document. The current version can
be downloaded from the Beckhoff homepage at http://www.beckhoff.de/twinsafe. In case of doubt, please
contact Technical Support (see Beckhoff Services).

1.2 Safety instructions

1.2.1 Delivery state


All the components are supplied in particular hardware and software configurations appropriate for the
application. Modifications to hardware or software configurations other than those described in the
documentation are not permitted, and nullify the liability of Beckhoff Automation GmbH & Co. KG.

1.2.2 Operator's obligation to exercise diligence


The operator must ensure that
• the TwinSAFE products are only used as intended (see chapter Product description);
• the TwinSAFE products are only operated in sound condition and in working order;
• the TwinSAFE products are operated only by suitably qualified and authorized personnel;
• the personnel are instructed regularly about relevant occupational safety and environmental protection
aspects, and are familiar with the operating instructions and in particular the safety instructions contained
herein;
• the operating instructions are in good condition and complete, and always available for reference at the
location where the TwinSAFE products are used;
• none of the safety and warning notes attached to the TwinSAFE products are removed, and all notes
remain legible.

1.2.3 Purpose and area of application


The Application Guide provides the user with examples for the calculation of safety parameters for safety
functions according to the standards DIN EN ISO 13849-1 and EN 62061 or EN 61508:2010 (if applicable),
such as are typically used on machines.

In the examples an EL1904 is taken as an example for a safe input or an EL2904 for a safe output. This is to
be considered an example; of course other safe inputs or outputs can be used, such as an EP1908 or an
EL2912. The appropriate parameters, which can be taken from the respective product documentation, must
then be used in the calculation.

NOTE
Application samples
These samples provide the user with example calculations. They do not release the user from the duty to
carry out a risk and hazard analysis and to apply the directives, standards and laws that must be considered
for the application.

1.2.4 Description of instructions


In these operating instructions the following instructions are used.
These instructions must be read carefully and followed without fail!

DANGER
Serious risk of injury!
Failure to follow this safety instruction directly endangers the life and health of persons.

WARNING
Risk of injury!
Failure to follow this safety instruction endangers the life and health of persons.

CAUTION
Personal injuries!
Failure to follow this safety instruction can lead to injuries to persons.

NOTE
Damage to the environment/equipment or data loss
Failure to follow this instruction can lead to environmental damage, equipment damage or data loss.

Tip or pointer
This symbol indicates information that contributes to better understanding.

1.2.5 Explanation of terms


Designation Explanation
B10D Mean number of cycles after which 10% of the components have failed dangerously
CCF Common cause failures (failures with a common cause)
dop Mean operating time in days per year
DCavg Average diagnostic coverage
hop Mean operating time in hours per day
MTTFD Mean time to dangerous failure
nop Mean number of annual actuations
PFHD Probability of a dangerous failure per hour
PL Performance Level
PLr Required Performance Level
Tcycle Mean time between two successive cycles of the system (given in minutes in the following examples, but can also be given in seconds)
T1 The smaller value of proof test interval or service life (typically 20 years for TwinSAFE devices)
λD Dangerous failure rate given in FIT (failures per 10^9 component hours)
T10D Operating time, for example the maximum operating time for electromechanical components
TwinSAFE SC The TwinSAFE SC technology (SC - Single Channel) enables a signal from a standard terminal to be packaged in an FSoE telegram and transmitted via the standard fieldbus to the TwinSAFE Logic. As a result, falsifications on the transmission path can be excluded. Within the TwinSAFE Logic, this signal is checked against a further independent signal. This comparison typically yields an analog value corresponding to category 3 and PL d. This technology does not support digital input signals and cannot be used in a single-channel structure (only one TwinSAFE SC channel).

1.3 Documentation issue status


Version Comment
3.2.0 • In chapter Explanation of terms at T1 the explanation expanded
• Chapter Application example C9900-M800 added
• Confirmation of conformity updated
3.1.0 • Document structure corrected: Chapter Planning a safety project with TwinSAFE components
now included again
3.0.0 • PROFIsafe examples added
• Document structure revised
• Confirmation of conformity updated
2.2.0 • EPP9022-9060 example updated
2.1.0 • Migration
• Examples AX8xxx, EL2911, EP1957 and EPP9022-9060 added
• Information on training courses added
• Confirmation of conformity updated
2.0.0 • EK1960 examples added
• Calculation in chapter 2.26 corrected
1.9.1 • Note added in chapter 2.17 and 2.18
1.9.0 • Chapter 2.18 revised
• Chapter Planning a safety project, added
1.8.0 • TwinSAFE SC examples added
• Example for Bosch Rexroth IndraDrive drive family
• Designation SIL 2 communication replaced with TwinSAFE SC
• Examples 2.25 and 2.26 updated
• General revision of all chapters
1.7.0 • Chapter Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (1-channel) revised
• Foreword updated
• Chapter Purpose and area of application expanded
• Structure diagram chapters 2.25 and 2.26 updated
• Chapter 2.27 added
• Chapters 2.2.3.2, 2.3.3.2, 2.4.3.2, 2.5.3.2, 2.7.3.2 and 2.19.3.2. substantiated (notes on direct /
indirect reading back removed)
• Note texts added in chapter 2.19
1.6.2 • Confirmation of conformity updated
• Graphics in chapters 2.25 and 2.26 updated
• Chapter Purpose and area of application added
1.6.1 • Chapters 2.25 and 2.26 added
1.6.0 • Chapters 2.17 and 2.18 revised
1.5.0 • Chapter 2.24 added
• Documentation versions added
• Document origin added
• Formatting changed
1.4.0 • Headers extended with categories and performance levels
• Note in Chapter 2.6 moved
1.3.0 • Terms of delivery removed
1.2.0 • Correction to Chapter 2.6
1.1.0 • First released version

ESTOP functions

2 ESTOP functions

2.1 ESTOP function variant 1 (category 3, PL d)


The emergency stop button is connected via two normally closed contacts to an EL1904 safe input terminal.
The testing and the monitoring of the discrepancy of the two signals are activated. The restart and the
feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC. The
contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of the
output are active for this circuit.

2.1.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

2.1.2 Block formation and safety loops

2.1.2.1 Safety function 1

2.1.3 Calculation

2.1.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week) (7 days, 24 hours)
Lifetime (T1) 20 years = 175200 hours

2.1.3.2 Diagnostic Coverage DC


Component Value
S1 with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=60%
(actuation 1x per week)
K1/K2 with testing and EDM DCavg=90%
(actuation 1x per shift)

2.1.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10d values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{100\,000}{0.1 \cdot 21.90} = 45662.1\ \text{y} = 399\,999\,120\ \text{h}$$

K1/K2

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 21.90} = 593607.3\ \text{y} = 5\,199\,997\,320\ \text{h}$$

and the assumption that S1, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1

$$PFH = \frac{1 - 0.99}{45662.1 \cdot 8760} = 2.50 \times 10^{-11}$$

K1/K2 actuation 1x per week


$$PFH = \frac{1 - 0.60}{593607.3 \cdot 8760} = 7.69 \times 10^{-11}$$

K1/K2 actuation 1x per shift


$$PFH = \frac{1 - 0.90}{593607.3 \cdot 8760} = 1.92 \times 10^{-11}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, fault exclusion up to 100000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K1 and K2 are both connected to the safety function. The non-functioning of one relay does not lead
to a dangerous situation and is detected by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the
worst-case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$$

Since the term $(1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the rest by several powers of ten,
it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{7.96 \times 10^{-11} + 7.96 \times 10^{-11}}{2} = 3.42 \times 10^{-9}$$

in the case of actuation 1x per week

or

$$PFH_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-11} + 1.92 \times 10^{-11}}{2} = 3.42 \times 10^{-9}$$

in the case of actuation 1x per shift

The MTTFD value for block 1 (based on the same assumption) is calculated with:

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

with:

$$MTTF_D(S1) = \frac{B10_D(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B10_D(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\text{y}}} = 1028.8\ \text{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\text{y}}} = 1108.6\ \text{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\text{y}}} = 913.2\ \text{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 334.1\ \text{y}$$

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\text{y}} + \frac{99\%}{1028.8\,\text{y}} + \frac{99\%}{1108.6\,\text{y}} + \frac{99\%}{913.2\,\text{y}} + \frac{60\%}{593607.3\,\text{y}} + \frac{60\%}{593607.3\,\text{y}}}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 98.96\%$$

or:

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\text{y}} + \frac{99\%}{1028.8\,\text{y}} + \frac{99\%}{1108.6\,\text{y}} + \frac{99\%}{913.2\,\text{y}} + \frac{90\%}{593607.3\,\text{y}} + \frac{90\%}{593607.3\,\text{y}}}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 98.99\%$$

CAUTION
Measures for attaining category 3!
This structure is possible up to category 3 at the most, since an error in the feedback path of the relays may
be undiscovered. In order to achieve category 3, all rising and falling edges must be evaluated together
with the time dependence in the controller for the feedback expectation!

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

2.2 ESTOP function variant 2 (category 3, PL d)


The emergency stop button is connected via two normally closed contacts to an EL1904 safe input terminal.
The testing of the two signals is activated. The signals are not tested for discrepancy. The restart and the
feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC. The
contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of the
output are active for this circuit.

2.2.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

2.2.2 Block formation and safety loops

2.2.2.1 Safety function 1

2.2.3 Calculation

2.2.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

2.2.3.2 Diagnostic Coverage DC


Component Value
S1 with testing / without plausibility DCavg=90%
K1/K2 with testing and EDM DCavg=60%
(actuation 1x per week)
K1/K2 with testing and EDM DCavg=90%
(actuation 1x per shift)

2.2.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{100\,000}{0.1 \cdot 21.90} = 45662.1\ \text{y} = 399\,999\,120\ \text{h}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 21.90} = 593607.3\ \text{y} = 5\,199\,997\,320\ \text{h}$$

and the assumption that S1, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.90}{45662.1 \cdot 8760} = 2.50 \times 10^{-10}$$

K1/K2: actuation 1x per week

$$PFH = \frac{1 - 0.60}{593607.3 \cdot 8760} = 7.69 \times 10^{-11}$$

K1/K2: actuation 1x per shift

$$PFH = \frac{1 - 0.90}{593607.3 \cdot 8760} = 1.92 \times 10^{-11}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, fault exclusion up to 100000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K1 and K2 are both connected to the safety function. The non-functioning of one relay does not lead
to a dangerous situation and is detected by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the
worst-case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$$

Since the term $(1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the rest by several powers of ten,
it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.5 \times 10^{-10} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{7.96 \times 10^{-11} + 7.96 \times 10^{-11}}{2} = 3.65 \times 10^{-9}$$

in the case of actuation 1x per week

or

$$PFH_{ges} = 2.5 \times 10^{-10} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-11} + 1.92 \times 10^{-11}}{2} = 3.65 \times 10^{-9}$$

in the case of actuation 1x per shift

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

with:

$$MTTF_D(S1) = \frac{B10_D(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B10_D(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\text{y}}} = 1028.8\ \text{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\text{y}}} = 1108.6\ \text{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\text{y}}} = 913.2\ \text{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 334.1\ \text{y}$$

$$DC_{avg} = \frac{\frac{90\%}{45662.1\,\text{y}} + \frac{99\%}{1028.8\,\text{y}} + \frac{99\%}{1108.6\,\text{y}} + \frac{99\%}{913.2\,\text{y}} + \frac{60\%}{593607.3\,\text{y}} + \frac{60\%}{593607.3\,\text{y}}}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 98.89\%$$

or:

$$DC_{avg} = \frac{\frac{90\%}{45662.1\,\text{y}} + \frac{99\%}{1028.8\,\text{y}} + \frac{99\%}{1108.6\,\text{y}} + \frac{99\%}{913.2\,\text{y}} + \frac{90\%}{593607.3\,\text{y}} + \frac{90\%}{593607.3\,\text{y}}}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 98.92\%$$

CAUTION
Measures for attaining category 3!
This structure is possible only up to category 3 at the most, on account of a possible dormant (undetected)
fault. In order to achieve category 3, all rising and falling edges must be evaluated together with the time
dependence in the controller for the feedback expectation.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

2.3 ESTOP function variant 3 (category 4, PL e)


The emergency stop button is connected via two normally closed contacts to an EL1904 safe input terminal.
The testing of the two signals is activated. These signals are checked for discrepancy. The restart and the
feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC.
Furthermore, the output of the ESTOP function block and the feedback signal are wired to an EDM function
block. This checks that the feedback signal assumes the opposing state of the ESTOP output within the set
time.
The contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of
the output are active for this circuit.

2.3.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

2.3.2 Block formation and safety loops

2.3.2.1 Safety function 1

2.3.3 Calculation

2.3.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

2.3.3.2 Diagnostic Coverage DC


Component Value
S1 with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=90%
(actuation 1x per week)
K1/K2 with testing and EDM DCavg=99%
(actuation 1x per shift)

2.3.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{100\,000}{0.1 \cdot 21.90} = 45662.1\ \text{y} = 399\,999\,120\ \text{h}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 21.90} = 593607.3\ \text{y} = 5\,199\,997\,320\ \text{h}$$

and the assumption that S1, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{45662.1 \cdot 8760} = 2.50 \times 10^{-11}$$

K1/K2: actuation 1x per week

$$PFH = \frac{1 - 0.90}{593607.3 \cdot 8760} = 1.92 \times 10^{-11}$$

K1/K2: actuation 1x per shift

$$PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, fault exclusion up to 100000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K1 and K2 are both connected to the safety function. The non-functioning of one relay does not lead
to a dangerous situation and is detected by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the
worst-case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$$

Since the term $(1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the rest by several powers of ten,
it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-11} + 1.92 \times 10^{-11}}{2} = 3.42 \times 10^{-9}$$

in the case of actuation 1x per week

or

$$PFH_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} = 3.42 \times 10^{-9}$$

in the case of actuation 1x per shift

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

with:

$$MTTF_D(S1) = \frac{B10_D(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B10_D(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\text{y}}} = 1028.8\ \text{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\text{y}}} = 1108.6\ \text{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\text{y}}} = 913.2\ \text{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 334.1\ \text{y}$$

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\text{y}} + \frac{99\%}{1028.8\,\text{y}} + \frac{99\%}{1108.6\,\text{y}} + \frac{99\%}{913.2\,\text{y}} + \frac{90\%}{593607.3\,\text{y}} + \frac{90\%}{593607.3\,\text{y}}}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 98.99\%$$

or:

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\text{y}} + \frac{99\%}{1028.8\,\text{y}} + \frac{99\%}{1108.6\,\text{y}} + \frac{99\%}{913.2\,\text{y}} + \frac{99\%}{593607.3\,\text{y}} + \frac{99\%}{593607.3\,\text{y}}}{\frac{1}{45662.1\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{593607.3\,\text{y}} + \frac{1}{593607.3\,\text{y}}} = 99.00\%$$

CAUTION
Measures for attaining category 4!
This structure is possible up to category 4 at the most. In order to attain category 4, all rising and falling
edges must be evaluated together with the time dependence in the controller for the feedback expectation!

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.
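The calculation chain worked through in chapters 2.1 to 2.3 above, and extended in chapter 2.4 by the restart button S2 and a second EL1904, is reproduced here in Python as an added example; it is not code from the Beckhoff guide. It uses only the component values printed in the guide's tables, drops the (1-β)² term as the guide does, and assumes that MTTFD values above the 100-year upper limit of the range table are still reported as "high".

```python
"""ISO 13849-1 style evaluation of the ESTOP safety function (guide chapters 2.1 to 2.4).

Added example, not Beckhoff's own code. It reproduces the printed figures:
n_op, MTTF_D from B10_D, PFH_D per component, the beta-factor combination of the
redundant contactors K1/K2, the reciprocal MTTF_D sum and the weighted DC_avg.
All component values are the ones in the guide's tables.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass
class Component:
    name: str
    dc: float           # diagnostic coverage as a fraction (0.99 = 99 %)
    mttfd_years: float  # mean time to dangerous failure
    pfh: float          # probability of a dangerous failure per hour

def n_op(d_op: float, h_op: float, t_cycle_min: float) -> float:
    """Mean number of annual actuations; T_cycle is given in minutes."""
    return d_op * h_op * 60 / t_cycle_min

def electromechanical(name: str, b10d: float, nop: float, dc: float) -> Component:
    """Switch or contactor: MTTF_D = B10_D / (0.1 * n_op), PFH = (1 - DC) / MTTF_D."""
    mttfd = b10d / (0.1 * nop)
    return Component(name, dc, mttfd, (1 - dc) / (mttfd * HOURS_PER_YEAR))

def terminal(name: str, pfh: float, dc: float = 0.99) -> Component:
    """TwinSAFE terminal with a manufacturer PFH_D; MTTF_D is estimated as (1 - DC) / PFH."""
    return Component(name, dc, (1 - dc) / (pfh * HOURS_PER_YEAR), pfh)

def pfh_total(single: list, pair: tuple, beta: float = 0.10) -> float:
    """PFH_ges: single-channel parts add up; the redundant pair enters as
    beta * (PFH(K1) + PFH(K2)) / 2. The (1 - beta)^2 * PFH(K1) * PFH(K2) * T1
    term is orders of magnitude smaller and is dropped, as in the guide."""
    k1, k2 = pair
    return sum(c.pfh for c in single) + beta * (k1.pfh + k2.pfh) / 2

def mttfd_total(components: list) -> float:
    """1 / MTTF_D,ges = sum(1 / MTTF_D,i); only one channel of the pair is counted."""
    return 1 / sum(1 / c.mttfd_years for c in components)

def dc_avg(components: list) -> float:
    """DC_avg = sum(DC_i / MTTF_D,i) / sum(1 / MTTF_D,i); both K1 and K2 are counted."""
    weights = [1 / c.mttfd_years for c in components]
    return sum(c.dc * w for c, w in zip(components, weights)) / sum(weights)

def mttfd_class(years: float) -> str:
    """Range designation per channel from the guide's MTTF_D table.
    Assumption: values above the table's 100-year upper limit are reported as 'high'."""
    if years < 3:
        return "below table range"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"

def dc_class(dc: float) -> str:
    """Range designation from the guide's DC table (rounded to 0.01 % to avoid float noise)."""
    dc = round(dc, 4)
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"

def estop_variant(k_dc: float, s1_dc: float = 0.99, with_s2: bool = False) -> dict:
    """Safety function 1 of the ESTOP variants.
    k_dc:    DC of K1/K2 (0.60 weekly / 0.90 per shift in variants 1 and 2, 0.90 / 0.99 in variant 3, 0.99 in 4)
    s1_dc:   0.99 with plausibility check (variants 1, 3, 4), 0.90 without (variant 2)
    with_s2: variant 4 wires the restart S2 and a second EL1904 into the loop"""
    nop = n_op(230, 16, 10080)  # 230 days, 16 h/day, one actuation per week
    s1 = electromechanical("S1", 100_000, nop, s1_dc)
    k1 = electromechanical("K1", 1_300_000, nop, k_dc)
    k2 = electromechanical("K2", 1_300_000, nop, k_dc)
    single = [s1, terminal("EL1904", 1.11e-9), terminal("EL6900", 1.03e-9),
              terminal("EL2904", 1.25e-9)]
    if with_s2:
        single += [electromechanical("S2", 10_000_000, nop, 0.90),
                   terminal("EL1904", 1.11e-9)]
    pfh = pfh_total(single, (k1, k2))
    mttfd = mttfd_total(single + [k1])
    dc = dc_avg(single + [k1, k2])
    return {"nop": nop, "pfh_total": pfh, "mttfd_total": mttfd, "dc_avg": dc,
            "mttfd_class": mttfd_class(mttfd), "dc_class": dc_class(dc)}

if __name__ == "__main__":
    cases = [("variant 1, K1/K2 1x per week", dict(k_dc=0.60)),
             ("variant 2, K1/K2 1x per week", dict(k_dc=0.60, s1_dc=0.90)),
             ("variant 3, K1/K2 1x per shift", dict(k_dc=0.99)),
             ("variant 4, K1/K2 1x per shift", dict(k_dc=0.99, with_s2=True))]
    for label, kw in cases:
        r = estop_variant(**kw)
        print(f"{label}: PFH_ges={r['pfh_total']:.2e} 1/h  MTTF_D,ges={r['mttfd_total']:.1f} y "
              f"({r['mttfd_class']})  DC_avg={r['dc_avg']:.2%} ({r['dc_class']})")
```

The small differences in the last digit against the guide come from the guide rounding n_op to 21.90 and the intermediate PFH values before dividing, whereas the code carries full precision.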

2.4 ESTOP function variant 4 (category 4, PL e)


The emergency stop button with two normally closed contacts, the restart and the feedback loop are
connected to safe channels of an EL1904 input terminal. The testing of the signals is activated. The two
emergency stop signals are tested for discrepancy. The contactors K1 and K2 are connected in parallel to
the safe output. Current measurement and testing of the output are active for this circuit.

2.4.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

2.4.2 Block formation and safety loops

2.4.2.1 Safety function 1

2.4.3 Calculation

2.4.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

2.4.3.2 Diagnostic Coverage DC


Component Value
S1 with testing/plausibility DCavg=99%
S2 with plausibility DCavg=90%
K1/K2 with testing and EDM DCavg=99%
(actuation 1x per shift)

2.4.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{100\,000}{0.1 \cdot 21.90} = 45662.1\ \text{y} = 399\,999\,120\ \text{h}$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{10\,000\,000}{0.1 \cdot 21.90} = 4566210.0\ \text{y} = 4 \times 10^{10}\ \text{h}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 21.90} = 593607.3\ \text{y} = 5\,199\,997\,320\ \text{h}$$

and the assumption that S1, S2, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{45662.1 \cdot 8760} = 2.50 \times 10^{-11}$$

S2:

$$PFH = \frac{1 - 0.90}{4566210.0 \cdot 8760} = 2.50 \times 10^{-12}$$

K1/K2: actuation 1x per shift

$$PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, fault exclusion up to 100000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K1 and K2 are both connected to the safety function. The non-functioning of one relay does not lead
to a dangerous situation and is detected by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the
worst-case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1 + PFH(S2) + PFH(EL1904)$$

Since the term $(1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the remaining terms by several powers of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} + 2.5 \times 10^{-12} + 1.11 \times 10^{-9} = 4.53 \times 10^{-9}$$

in the case of actuation 1x per shift

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(EL1904)}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$


Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 252.1\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{4566210.0\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}}}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 98.99\%$$

or:

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{99\%}{593607.3\,\mathrm{y}} + \frac{99\%}{593607.3\,\mathrm{y}} + \frac{90\%}{4566210.0\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}}}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 99.00\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


2.5 ESTOP function variant 5 (category 4, PL e)


The emergency stop button with two normally closed contacts, the restart and the feedback loop are
connected to safe channels of an EL1904 input terminal. The testing of the signals is activated. The two
emergency stop signals are tested for discrepancy. Contactors K1 and K2 are wired to different output
channels. The A2 connections of the two contactors are fed together to ground. The current measurement of
the output channels is deactivated for this circuit. The testing of the outputs is active.

2.5.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active No
Output test pulses active Yes


2.5.2 Block formation and safety loops

2.5.2.1 Safety function 1

2.5.3 Calculation

2.5.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

2.5.3.2 Diagnostic Coverage DC


Component Value
S1 with testing/plausibility DCavg=99%
S2 with plausibility DCavg=90%
K1/K2 with testing and EDM (actuation 1x per shift) DCavg=99%

2.5.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:


$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{100000}{0.1 \cdot 21.90} = 45662.1\,\mathrm{y} = 399999120\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{10000000}{0.1 \cdot 21.90} = 4566210.0\,\mathrm{y} = 4 \times 10^{10}\,\mathrm{h}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1300000}{0.1 \cdot 21.90} = 593607.3\,\mathrm{y} = 5199997320\,\mathrm{h}$$

and the assumption that S1, S2, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{45662.1 \cdot 8760} = 2.50 \times 10^{-11}$$

S2:

$$PFH = \frac{1 - 0.90}{4566210.0 \cdot 8760} = 2.50 \times 10^{-12}$$

K1/K2: actuation 1x per shift

$$PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:


Safety switch S1: According to BIA report 2/2008, error exclusion up to 100,000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1 + PFH(S2) + PFH(EL1904)$$

Since the term $(1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the remaining terms by several powers of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} + 2.5 \times 10^{-12} + 1.11 \times 10^{-9} = 4.53 \times 10^{-9}$$

in the case of actuation 1x per shift

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(EL1904)}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$


Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 252.1\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{4566210.0\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}}}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 98.99\%$$

or:

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{99\%}{593607.3\,\mathrm{y}} + \frac{99\%}{593607.3\,\mathrm{y}} + \frac{90\%}{4566210.0\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}}}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 99.00\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


2.6 ESTOP function variant 6 (category 3, PL d)


The emergency stop button with two normally closed contacts, the restart and the feedback loop are
connected to safe channels of an EL1904 input terminal. The testing of the signals is activated. The two
emergency stop signals are tested for discrepancy. Contactors K1 and K2 are wired to different output
channels. The A2 connections of the two contactors are fed together to ground. The current measurement of
the output channels is deactivated for this circuit. The testing of the outputs is not active.

CAUTION
Category
This structure is possible only up to category 3 on account of a possible dormant (undetected) fault.
Since the EL2904 terminal has only SIL2 in this application, the entire chain has only SIL2!

2.6.1 Parameters of the safe input and output terminals (SIL 2)

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


EL2904

Parameter Value
Current measurement active No
Output test pulses active No

2.6.2 Block formation and safety loops

2.6.2.1 Safety function 1

2.6.3 Calculation

2.6.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

2.6.3.2 Diagnostic Coverage DC


Component Value
S1 with testing/plausibility DCavg=99%
S2 with plausibility DCavg=90%
K1/K2 without testing and with EDM via a safe input DCavg=90%


2.6.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{100000}{0.1 \cdot 21.90} = 45662.1\,\mathrm{y} = 399999120\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{10000000}{0.1 \cdot 21.90} = 4566210.0\,\mathrm{y} = 4 \times 10^{10}\,\mathrm{h}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1300000}{0.1 \cdot 21.90} = 593607.3\,\mathrm{y} = 5199997320\,\mathrm{h}$$

and the assumption that S1, S2, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{45662.1 \cdot 8760} = 2.50 \times 10^{-11}$$

S2:


$$PFH = \frac{1 - 0.90}{4566210.0 \cdot 8760} = 2.50 \times 10^{-12}$$

K1/K2: actuation 1x per shift

$$PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, error exclusion up to 100,000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1 + PFH(S2) + PFH(EL1904)$$

Since the term $(1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the remaining terms by several powers of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} + 2.5 \times 10^{-12} + 1.11 \times 10^{-9} = 4.53 \times 10^{-9}$$

in the case of actuation 1x per shift

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(EL1904)}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}$$


$$MTTF_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 252.1\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{45662.1\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{4566210.0\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}}}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 98.99\%$$


CAUTION
Category
This structure is possible only up to category 3 on account of a possible dormant (undetected) fault.
Since the EL2904 terminal has only SIL2 in this application, the entire chain has only SIL2!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


2.7 ESTOP function variant 7 (category 4, PL e)


The emergency stop button with two normally closed contacts, the restart and the feedback loop are
connected to safe channels of an EL1904 input terminal. The testing of the emergency stop button is
deactivated on both channels. The sensor test is activated for the restart button and the feedback loop. The
two emergency stop signals are tested for discrepancy. The contactors K1 and K2 are connected in parallel
to the safe output. Current measurement and testing of the output are active for this circuit.

2.7.1 Parameters of the safe input and output terminals

1. EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active not used
Sensor test channel 3 active No
Sensor test channel 4 active No
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

2. EL1904

Parameter Value
Sensor test channel 1 active not used
Sensor test channel 2 active not used
Sensor test channel 3 active Yes
Sensor test channel 4 active not used
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

2.7.2 Block formation and safety loops

2.7.2.1 Safety function 1

2.7.3 Calculation

2.7.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

2.7.3.2 Diagnostic Coverage DC


Component Value
S1 with plausibility DCavg=90%
S2 with testing DCavg=90%
K1/K2 with testing and EDM (actuation 1x per shift) DCavg=99%


2.7.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{100000}{0.1 \cdot 21.90} = 45662.1\,\mathrm{y} = 399999120\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{10000000}{0.1 \cdot 21.90} = 4566210.0\,\mathrm{y} = 4 \times 10^{10}\,\mathrm{h}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1300000}{0.1 \cdot 21.90} = 593607.3\,\mathrm{y} = 5199997320\,\mathrm{h}$$

and the assumption that S1, S2, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.90}{45662.1 \cdot 8760} = 2.50 \times 10^{-10}$$

S2:

$$PFH = \frac{1 - 0.90}{4566210.0 \cdot 8760} = 2.50 \times 10^{-12}$$

K1/K2: actuation 1x per shift

$$PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, error exclusion up to 100,000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.


Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1 + PFH(S2) + PFH(EL1904)$$

Since the term $(1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the remaining terms by several powers of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.5 \times 10^{-10} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} + 2.5 \times 10^{-12} + 1.11 \times 10^{-9} = 4.75 \times 10^{-9}$$

in the case of actuation 1x per shift

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(EL1904)}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$


$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 252.1\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{90\%}{45662.1\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{593607.3\,\mathrm{y}} + \frac{90\%}{4566210.0\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}}}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 98.94\%$$

or:

$$DC_{avg} = \frac{\frac{90\%}{45662.1\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{99\%}{593607.3\,\mathrm{y}} + \frac{99\%}{593607.3\,\mathrm{y}} + \frac{90\%}{4566210.0\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}}}{\frac{1}{45662.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{593607.3\,\mathrm{y}} + \frac{1}{4566210.0\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 98.95\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


2.8 EK1960 digital inputs and outputs (category 4, PL e)


The emergency stop button S1 is wired with two normally closed contacts to safe inputs S9 and S10 on the
10-pole X6 connector. The first output group on the 10-pole X7 connector is configured as a clock source (for
FSOUT module 3, the parameter Diag TestPulse for Inputs active is set to TRUE). For inputs S9 and S10,
the parameter Channel x.Test pulse Diag Mode is configured based on the corresponding clock sources.

Contactors K5 and K6 are wired to outputs 7.5 and 7.6 on the second output module on X7. Terminal A2 of
the contactors is wired to the common ground of the 24 VDC supply of terminal X7. The feedback loops of the
two contactors are wired in series from pulse 3 to input S8.

Restart S2 is wired to safe input S7 without testing. A restart option must be available for the application,
although this is not included in the calculation.


2.8.1 Parameters of the safe input and output modules

EK1960

Parameter Value
FSOUT module 3 (X7.1 – X7.4) -
8020:01 ModuloDiagTestPulse 0x00
8020:02 MultiplierDiagTestPulse 0x02
8020:03 Standard Outputs active FALSE
8020:04 Diag Testpulse active TRUE
8020:05 Diag Testpulse for Inputs active TRUE
FSOUT Module 4 (X7.5 – X7.8) -
8030:01 ModuloDiagTestPulse 0x00
8030:02 MultiplierDiagTestPulse 0x02
8030:03 Standard Outputs active FALSE
8030:04 Diag Testpulse active TRUE
8030:05 Diag Testpulse for Inputs active FALSE
FSIN Module 4 -
80A1:04 Channel 2.InputFilterTime 0x000C
80A1:05 Channel 2.DiagTestPulseFilterTime 0x0002
80A1:06 Channel 2.Testpulse Diag Mode (X7.3) Testpulse Detection Output Module 3.Channel 3
FSIN Module 5 -
80B1:01 Channel 1.InputFilterTime 0x000C
80B1:02 Channel 1.DiagTestPulseFilterTime 0x0002
80B1:03 Channel 1.Testpulse Diag Mode (X7.1) Testpulse Detection Output Module 3.Channel 1
80B1:04 Channel 2.InputFilterTime 0x000C
80B1:05 Channel 2.DiagTestPulseFilterTime 0x0002
80B1:06 Channel 2.Testpulse Diag Mode (X7.2) Testpulse Detection Output Module 3.Channel 2

ESTOP FB Parameter

Parameter Value
Reset Time (ms) (Port EDM1) 1000
Discrepancy Time (ms) (Port EStopIn1/EStopIn2) 1000
Safe Inputs After Disc Error TRUE

2.8.2 Block formation and safety loops

2.8.2.1 Safety function 1


2.8.3 Calculation

2.8.3.1 PFHD / MTTFD / B10D – values


Component Value
EK1960 digital input – PFHD 6.40E-11
EK1960 safety mat input - PFHD 8.84E-10
EK1960 logic – PFHD 5.18E-09
EK1960 digital output – PFHD 1.50E-10
EK1960 relay output (cat. 4, two-channel) - PFHD 1.46E-09 (actuation 1x per hour)
EK1960 relay – B10D 1,500,000 (DC13 24 VDC and Imax ≤ 2 A)
S1 – B10D 100,000
K5 – B10D 1,300,000
K6 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

Safety-over-EtherCAT communication
The PFHD value of the Safety-over-EtherCAT (FSoE) communication is included in the PFHD value
of the EK1960 logic component.

2.8.3.2 Diagnostic Coverage DC


Component Value
S1 with testing and plausibility check DCavg=99%
K5/K6 with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges with temporal monitoring) with testing DCavg=99%

2.8.3.3 Calculation of safety function 1

Calculation of the performance level according to EN ISO 13849-1:2015

Calculation of the MTTFD values from the B10D values

From:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$


$$MTTF_D = \frac{100000}{0.1 \cdot 21.90} = 45662\,\mathrm{y}$$

K5/K6

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1300000}{0.1 \cdot 21.90} = 593607\,\mathrm{y}$$

The total MTTFD value is calculated based on the following formula:


$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(\text{EK1960-Input})} + \frac{1}{MTTF_D(\text{EK1960-Logic})} + \frac{1}{MTTF_D(\text{EK1960-Output})} + \frac{1}{MTTF_D(K5)}$$

If only PFHD values are available for the EK1960 components, the following estimation applies:

$$MTTF_D(\text{EK1960-xxx}) = \frac{1 - DC(\text{EK1960-xxx})}{PFH(\text{EK1960-xxx})}$$

Hence:

$$MTTF_D(\text{EK1960-Input}) = \frac{1 - DC(\text{EK1960-Input})}{PFH_D(\text{EK1960-Input})} = \frac{1 - 0.99}{6.40 \times 10^{-11}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{5.60 \times 10^{-7}\,\frac{1}{\mathrm{y}}} = 17836\,\mathrm{y}$$

$$MTTF_D(\text{EK1960-Logic}) = \frac{1 - DC(\text{EK1960-Logic})}{PFH_D(\text{EK1960-Logic})} = \frac{1 - 0.99}{5.18 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{4.54 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 220\,\mathrm{y}$$

$$MTTF_D(\text{EK1960-Output}) = \frac{1 - DC(\text{EK1960-Output})}{PFH_D(\text{EK1960-Output})} = \frac{1 - 0.99}{1.50 \times 10^{-10}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.31 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 7610\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662\,\mathrm{y}} + \frac{1}{17836\,\mathrm{y}} + \frac{1}{220\,\mathrm{y}} + \frac{1}{7610\,\mathrm{y}} + \frac{1}{593607\,\mathrm{y}}} = 210\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{45662\,\mathrm{y}} + \frac{99\%}{17836\,\mathrm{y}} + \frac{99\%}{220\,\mathrm{y}} + \frac{99\%}{7610\,\mathrm{y}} + \frac{99\%}{593607\,\mathrm{y}} + \frac{99\%}{593607\,\mathrm{y}}}{\frac{1}{45662\,\mathrm{y}} + \frac{1}{17836\,\mathrm{y}} + \frac{1}{220\,\mathrm{y}} + \frac{1}{7610\,\mathrm{y}} + \frac{1}{593607\,\mathrm{y}} + \frac{1}{593607\,\mathrm{y}}} = 99.00\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


Calculation of PFHD values according to EN 62061

assuming that S1, K5 and K6 are single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH_D = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH_D = \frac{1 - 0.99}{45662 \cdot 8760} = 2.50 \times 10^{-11}$$

K5/K6:

$$PFH_D = \frac{1 - 0.99}{593607 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, error exclusion up to 100,000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K5 and K6 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K5 and K6 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{D,ges} = PFH_D(S1) + PFH_D(\text{EK1960-Input}) + PFH_D(\text{EK1960-Logic}) + PFH_D(\text{EK1960-Output}) + \beta \cdot \frac{PFH_D(K5) + PFH_D(K6)}{2} + (1 - \beta)^2 \cdot \big(PFH_D(K5) \cdot PFH_D(K6)\big) \cdot T_1$$

Since the term $(1 - \beta)^2 \cdot \big(PFH_D(K5) \cdot PFH_D(K6)\big) \cdot T_1$ is smaller than the remaining terms by several powers of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{D,ges} = 2.5 \times 10^{-11} + 6.40 \times 10^{-11} + 5.18 \times 10^{-9} + 1.50 \times 10^{-10} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} = 5.42 \times 10^{-9}$$

Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10^-8 to < 10^-7
2 ≥ 10^-7 to < 10^-6
1 ≥ 10^-6 to < 10^-5

NOTE
Safety integrity level
The application meets the requirements of safety integrity level SIL3 according to EN 62061.
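The calculation chain used in this section and in section 2.4.3.3 (n_op, MTTF_D from B10D, PFH_D per part, the β-weighted two-channel pair, the 1/MTTF_D sum and DC_avg), as an added Python example that is not code from the Application Guide: it reproduces the variant 4 figures and the EK1960 figures above, reports the common-cause term the guide neglects, and classifies the results against the MTTF_D, DC and SIL tables. The helper names and the `Component` record are my own; every numeric input is taken from the tables above.

```python
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760


@dataclass
class Component:
    """One element of the safety chain (helper record, not a guide/TwinSAFE type).
    dc: diagnostic coverage as a fraction (0.99 for 99 %); b10d: B10D cycles for
    electromechanical parts, else None; pfhd: published PFH_D per hour, else None."""
    name: str
    dc: float
    b10d: Optional[float] = None
    pfhd: Optional[float] = None


def n_op(d_op: int, h_op: int, t_cycle_min: float) -> float:
    """n_op = d_op * h_op * 60 / T_cycle, rounded to two decimals as the guide does."""
    return round(d_op * h_op * 60 / t_cycle_min, 2)


def mttfd_years(c: Component, nop: float) -> float:
    """MTTF_D in years: B10D / (0.1 * n_op) for B10D parts; for parts that only
    publish PFH_D, the guide's estimation (1 - DC) / PFH_D converted to years."""
    if c.b10d is not None:
        return c.b10d / (0.1 * nop)
    return (1 - c.dc) / (c.pfhd * HOURS_PER_YEAR)


def pfhd_per_hour(c: Component, nop: float) -> float:
    """PFH_D per hour: the published value, else (1 - DC) / MTTF_D (single channel)."""
    if c.pfhd is not None:
        return c.pfhd
    return (1 - c.dc) / (mttfd_years(c, nop) * HOURS_PER_YEAR)


def pfhd_chain(series, pair, nop, beta=0.10, t1_hours=175200.0):
    """PFH_D of the chain: series parts plus the two-channel contactor pair with
    common-cause factor beta. Returns (PFH_D, neglected), where neglected is the
    (1 - beta)^2 * PFH(K1) * PFH(K2) * T1 term the guide drops, so it can be checked."""
    p1, p2 = (pfhd_per_hour(c, nop) for c in pair)
    total = sum(pfhd_per_hour(c, nop) for c in series) + beta * (p1 + p2) / 2
    return total, (1 - beta) ** 2 * p1 * p2 * t1_hours


def mttfd_channel(components, nop) -> float:
    """Per-channel MTTF_D: 1 / sum(1 / MTTF_D,i) over the parts of one channel."""
    return 1 / sum(1 / mttfd_years(c, nop) for c in components)


def dc_avg(components, nop) -> float:
    """DC_avg: each DC weighted by 1 / MTTF_D over all tested parts of both channels,
    rounded to 0.01 % (four decimals of the fraction) as the guide reports it."""
    weights = [1 / mttfd_years(c, nop) for c in components]
    return round(sum(c.dc * w for c, w in zip(components, weights)) / sum(weights), 4)


def mttfd_band(years: float) -> str:
    """Bands of the guide's MTTF_D table; values above its 100 y upper bound count as high."""
    if years < 3:
        return "below range"
    return "low" if years < 10 else "medium" if years < 30 else "high"


def dc_band(dc: float) -> str:
    """Bands of the guide's DC table."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def sil_from_pfhd(pfhd: float) -> str:
    """EN 62061 table above; SIL 3 is its top band, so a smaller PFH_D still meets SIL 3."""
    return "SIL 3" if pfhd < 1e-7 else "SIL 2" if pfhd < 1e-6 else "SIL 1" if pfhd < 1e-5 else "no SIL"


def variant4_example() -> dict:
    """ESTOP variant 4 (section 2.4.3.3): S1, EL1904, EL6900, EL2904, K1/K2, S2, EL1904."""
    nop = n_op(230, 16, 10080)
    s1, s2 = Component("S1", 0.99, b10d=100_000), Component("S2", 0.90, b10d=10_000_000)
    k1, k2 = Component("K1", 0.99, b10d=1_300_000), Component("K2", 0.99, b10d=1_300_000)
    el1904 = Component("EL1904", 0.99, pfhd=1.11e-9)
    el6900 = Component("EL6900", 0.99, pfhd=1.03e-9)
    el2904 = Component("EL2904", 0.99, pfhd=1.25e-9)
    pfhd, neglected = pfhd_chain([s1, el1904, el6900, el2904, s2, el1904], (k1, k2), nop)
    channel = [s1, el1904, el6900, el2904, k1, s2, el1904]  # one contactor per channel
    return {"n_op": nop, "pfhd": pfhd, "neglected": neglected,
            "mttfd_ges": mttfd_channel(channel, nop),
            "dc_avg": dc_avg(channel + [k2], nop),  # both contactors are tested
            "sil": sil_from_pfhd(pfhd)}


def ek1960_example() -> dict:
    """EK1960 digital I/O (section 2.8.3.3): S1, input, logic, output, K5/K6."""
    nop = n_op(230, 16, 10080)
    s1 = Component("S1", 0.99, b10d=100_000)
    k5, k6 = Component("K5", 0.99, b10d=1_300_000), Component("K6", 0.99, b10d=1_300_000)
    inp = Component("EK1960-Input", 0.99, pfhd=6.40e-11)
    logic = Component("EK1960-Logic", 0.99, pfhd=5.18e-9)
    out = Component("EK1960-Output", 0.99, pfhd=1.50e-10)
    pfhd, neglected = pfhd_chain([s1, inp, logic, out], (k5, k6), nop)
    channel = [s1, inp, logic, out, k5]
    return {"n_op": nop, "pfhd": pfhd, "neglected": neglected,
            "mttfd_ges": mttfd_channel(channel, nop),
            "dc_avg": dc_avg(channel + [k6], nop), "sil": sil_from_pfhd(pfhd)}


if __name__ == "__main__":
    for name, r in (("variant 4", variant4_example()), ("EK1960", ek1960_example())):
        print(f"{name}: PFH_D={r['pfhd']:.2e}/h ({r['sil']}), neglected term={r['neglected']:.1e}, "
              f"MTTF_D={r['mttfd_ges']:.1f} y ({mttfd_band(r['mttfd_ges'])}), "
              f"DC_avg={r['dc_avg']:.2%} ({dc_band(r['dc_avg'])})")
```

The returned `neglected` value (of the order of 10^-19 per hour) shows why the guide's simplification costs nothing at the displayed precision.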


2.9 EK1960 digital inputs / relay outputs (category 4, PL e)

The emergency stop button S1 is wired with two normally closed contacts to safe inputs S9 and S10 on the
10-pole X6 connector. The first output group on the 10-pole X7 connector is configured as a clock source (for
FSOUT module 3, the parameter Diag TestPulse for Inputs active is set to TRUE). For inputs S9 and S10,
the parameter Channel x.Test pulse Diag Mode is configured based on the corresponding clock sources.

The relay outputs Channel 1 and Channel 2 are connected in series and can then be used for safety-related
functions (e.g. to transmit an emergency stop message to an upstream or downstream machine). The EDM
is not wired to the ESTOP input, because the relay module performs the EDM monitoring, and in case of an
error it reports a module error for the relay module. The application can then respond to this module error, or
the TwinSAFE group can be configured such that a module error leads to a Com error.

Restart S2 is wired to safe input S7 without testing. A restart option must be available for the application,
although this is not included in the calculation.


2.9.1 Parameters of the safe input and output modules

EK1960

Parameter Value
FSOUT module 3 (X7.1 – X7.4) -
8020:01 ModuloDiagTestPulse 0x00
8020:02 MultiplierDiagTestPulse 0x02
8020:03 Standard Outputs active FALSE
8020:04 Diag Testpulse active TRUE
8020:05 Diag Testpulse for Inputs active TRUE
FSOUT relay module -
8060:03 Standard Outputs active FALSE
FSIN Module 5 -
80B1:01 Channel 1.InputFilterTime 0x000C
80B1:02 Channel 1.DiagTestPulseFilterTime 0x0002
80B1:03 Channel 1.Testpulse Diag Mode (X7.1) Testpulse Detection Output Module 3.Channel 1
80B1:04 Channel 2.InputFilterTime 0x000C
80B1:05 Channel 2.DiagTestPulseFilterTime 0x0002
80B1:06 Channel 2.Testpulse Diag Mode (X7.2) Testpulse Detection Output Module 3.Channel 2

ESTOP FB Parameter

Parameter Value
Reset Time (ms) (Port EDM1) 1000
Discrepancy Time (ms) (Port EStopIn1/EStopIn2) 1000
Safe Inputs After Disc Error TRUE

NOTE
Module error in the relay module
In case of an EDM error, a module error of the relay module is reported. This module then enters the safe,
switched-off state. The error acknowledgement can take place via the signal FSOUT Relais Module.Err
Ack.

NOTE
Switching frequency
To achieve PL e, the relay outputs must be activated at least once per month. This example assumes a
switching frequency of 1x per week.

2.9.2 Block formation and safety loops

2.9.2.1 Safety function 1


2.9.3 Calculation

2.9.3.1 PFHD / MTTFD / B10D – values


Component Value
EK1960 digital input – PFHD 6.40E-11
EK1960 safety mat input - PFHD 8.84E-10
EK1960 logic – PFHD 5.18E-09
EK1960 digital output – PFHD 1.50E-10
EK1960 relay output (cat. 4, two-channel) - PFHD 1.46E-09 (actuation 1x per hour)
EK1960 relay – B10D 1,500,000 (DC13 24 VDC and Imax ≤ 2 A)
S1 – B10D 100,000
K5 – B10D 1,300,000
K6 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

Safety-over-EtherCAT communication
The PFHD value of the Safety-over-EtherCAT (FSoE) communication is included in the PFHD value
of the EK1960 logic component.

2.9.3.2 Diagnostic Coverage DC


Component    Value
S1 with testing and plausibility check    DCavg=99%
Two-channel relay output with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges) with testing    DCavg=99%

2.9.3.3 Calculation of safety function 1


Calculation of the performance level according to EN ISO 13849-1:2015:

Calculation of the MTTFD values from the B10D values.

From:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21{,}90$$

and:

$$MTTF_D = \frac{B10_D}{0{,}1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21{,}90$$

$$MTTF_D = \frac{100\,000}{0{,}1 \cdot 21{,}90} = 45662\ y$$

Relay

Both B10D and PFHD values are specified for the relay. In this case, the worse of the two values is used to calculate the MTTFD value (here the PFHD value, see below).

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21{,}90$$

$$MTTF_D = \frac{1\,500\,000}{0{,}1 \cdot 21{,}90} = 684\,931\ y$$

The total MTTFD value is calculated based on the following formula:

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EK1960\text{-}Input)} + \frac{1}{MTTF_D(EK1960\text{-}Logic)} + \frac{1}{MTTF_D(EK1960\text{-}Relay)}$$

If only PFHD values are available for EK1960 components, the following estimation applies:

$$MTTF_D(EK1960\text{-}xxx) = \frac{1 - DC(EK1960\text{-}xxx)}{PFH_D(EK1960\text{-}xxx)}$$

Hence:

$$MTTF_D(EK1960\text{-}Input) = \frac{1 - DC(EK1960\text{-}Input)}{PFH_D(EK1960\text{-}Input)} = \frac{1 - 0{,}99}{6{,}40 \cdot 10^{-11}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{5{,}60 \cdot 10^{-7}\ \frac{1}{y}} = 17836\ y$$

$$MTTF_D(EK1960\text{-}Logic) = \frac{1 - DC(EK1960\text{-}Logic)}{PFH_D(EK1960\text{-}Logic)} = \frac{1 - 0{,}99}{5{,}18 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{4{,}54 \cdot 10^{-5}\ \frac{1}{y}} = 220\ y$$

$$MTTF_D(EK1960\text{-}Relay) = \frac{1 - DC(EK1960\text{-}Relay)}{PFH_D(EK1960\text{-}Relay)} = \frac{1 - 0{,}99}{1{,}46 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{1{,}28 \cdot 10^{-5}\ \frac{1}{y}} = 781\ y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662\ y} + \frac{1}{17836\ y} + \frac{1}{220\ y} + \frac{1}{781\ y}} = 169\ y$$

$$DC_{avg} = \frac{\frac{99\%}{45662\ y} + \frac{99\%}{17836\ y} + \frac{99\%}{220\ y} + \frac{99\%}{781\ y}}{\frac{1}{45662\ y} + \frac{1}{17836\ y} + \frac{1}{220\ y} + \frac{1}{781\ y}} = 99{,}00\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel    Range for each channel
low                             3 years ≤ MTTFD < 10 years
medium                          10 years ≤ MTTFD < 30 years
high                            30 years ≤ MTTFD ≤ 100 years

DC
Name      Range
none      DC < 60 %
low       60 % ≤ DC < 90 %
medium    90 % ≤ DC < 99 %
high      99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


Calculation of PFHD values according to EN 62061:

With the assumption that S1 is single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH_D = \frac{0{,}1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH_D = \frac{1 - 0{,}99}{45662 \cdot 8760} = 2{,}50 \cdot 10^{-11}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, error exclusion up to 100,000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{D,ges} = PFH_D(S1) + PFH_D(EK1960\text{-}Input) + PFH_D(EK1960\text{-}Logic) + PFH_D(EK1960\text{-}Relay)$$

This gives:

$$PFH_{D,ges} = 2{,}5 \cdot 10^{-11} + 6{,}40 \cdot 10^{-11} + 5{,}18 \cdot 10^{-9} + 1{,}46 \cdot 10^{-9} = 6{,}73 \cdot 10^{-9}$$

Safety integrity level    Probability of a dangerous failure per hour (PFHD)
3                         ≥ 10^-8 to < 10^-7
2                         ≥ 10^-7 to < 10^-6
1                         ≥ 10^-6 to < 10^-5

NOTE
Safety integrity level
The application meets the requirements of safety integrity level SIL3 according to EN 62061.


2.10 ESTOP function (category 3, PL d)


The emergency stop button is connected via two normally closed contacts to an EL1904 safe input terminal.
The testing of both signals is switched off. These signals are tested for discrepancy inside the ESTOP
function block. The restart and the feedback signal from the contactors K1 and K2 are wired to standard
terminals and are transferred to TwinSAFE via the standard PLC. Furthermore, the output of the ESTOP
function block and the feedback signal are wired to an EDM function block. This checks that the feedback
signal assumes the opposing state of the ESTOP output within the set time.

Contactors K1 and K2 are wired to different output channels. The A2 connections of the two contactors are
fed back to the EL2904. The current measurement of the output channels is deactivated for this circuit. The
testing of the outputs is similarly inactive.

2.10.1 Parameters of the safe input and output terminals (SIL 2)

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active -
Sensor test channel 2 active -
Sensor test channel 3 active No
Sensor test channel 4 active No
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


EL2904

Parameter Value
Current measurement active No
Output test pulses active No

2.10.2 Block formation and safety loops

2.10.2.1 Safety function 1

2.10.3 Calculation

2.10.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
S2 – B10D 10,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

2.10.3.2 Diagnostic Coverage DC


Component    Value
S1 with plausibility    DCavg=90%
K1/K2 with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels    DCavg=90%

2.10.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}$$

and:

$$MTTF_D = \frac{B10_D}{0{,}1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21{,}90$$

$$MTTF_D = \frac{100\,000}{0{,}1 \cdot 21{,}90} = 45662{,}1\ y = 399999120\ h$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21{,}90$$

$$MTTF_D = \frac{1\,300\,000}{0{,}1 \cdot 21{,}90} = 593607{,}3\ y = 5199997320\ h$$

and the assumption that S1, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0{,}1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0{,}90}{45662{,}1 \cdot 8760} = 2{,}50 \cdot 10^{-10}$$

K1/K2: Actuation 1x per week and indirect feedback

$$PFH = \frac{1 - 0{,}90}{593607{,}3 \cdot 8760} = 1{,}92 \cdot 10^{-11}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, error exclusion up to 100000 cycles is possible, provided the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$$

Since the portion $(1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ is smaller than the rest by powers of ten, it is neglected in this and all further calculations for the purpose of simplification.

This gives:

$$PFH_{ges} = 2{,}5 \cdot 10^{-10} + 1{,}11 \cdot 10^{-9} + 1{,}03 \cdot 10^{-9} + 1{,}25 \cdot 10^{-9} + 10\% \cdot \frac{1{,}92 \cdot 10^{-11} + 1{,}92 \cdot 10^{-11}}{2} = 3{,}65 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

with:

$$MTTF_D(S1) = \frac{B10_D(S1)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B10_D(K1)}{0{,}1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0{,}99}{1{,}11 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}72 \cdot 10^{-6}\ \frac{1}{y}} = 1028{,}8\ y$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0{,}99}{1{,}03 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}02 \cdot 10^{-6}\ \frac{1}{y}} = 1108{,}6\ y$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0{,}99}{1{,}25 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{1{,}1 \cdot 10^{-5}\ \frac{1}{y}} = 913{,}2\ y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{45662{,}1\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{593607{,}3\ y}} = 334{,}1\ y$$

$$DC_{avg} = \frac{\frac{90\%}{45662{,}1\ y} + \frac{99\%}{1028{,}8\ y} + \frac{99\%}{1108{,}6\ y} + \frac{99\%}{913{,}2\ y} + \frac{90\%}{593607{,}3\ y} + \frac{90\%}{593607{,}3\ y}}{\frac{1}{45662{,}1\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{593607{,}3\ y} + \frac{1}{593607{,}3\ y}} = 98{,}92\%$$


CAUTION
Category
This structure is possible only up to category 3 at the most on account of a possible dormant (undetected) fault.
Since the EL2904 terminal has only SIL2 in this application, the entire chain has only SIL2!

CAUTION
Further measures for attaining Category 3!
This structure is possible up to category 3 at the most. In order to attain category 3, all rising and falling
edges must be evaluated together with the time dependence in the controller for the feedback expectation!
This is achieved via the implemented EDM function block.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel    Range for each channel
low                             3 years ≤ MTTFD < 10 years
medium                          10 years ≤ MTTFD < 30 years
high                            30 years ≤ MTTFD ≤ 100 years

DC
Name      Range
none      DC < 60 %
low       60 % ≤ DC < 90 %
medium    90 % ≤ DC < 99 %
high      99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


3 Access functions

3.1 Protective door function variant 1 (category 3, PL d)


The protective door uses a combination of normally closed and normally open contacts on the safe inputs of
an EL1904. The testing of the inputs is active and the signals are tested for discrepancy (200 ms). The
feedback loop is read in via a standard input and transferred to TwinSAFE via the standard PLC. The
contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of the
output are active for this circuit.

3.1.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes


3.1.2 Block formation and safety loops

3.1.2.1 Safety function 1

3.1.3 Calculation

3.1.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

3.1.3.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=90%

3.1.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}$$

and:

$$MTTF_D = \frac{B10_D}{0{,}1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1\,000\,000}{0{,}1 \cdot 14720} = 679{,}3\ y = 5951087\ h$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{2\,000\,000}{0{,}1 \cdot 14720} = 1358{,}7\ y = 11902174\ h$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1\,300\,000}{0{,}1 \cdot 14720} = 883{,}2\ y = 7736413\ h$$

and the assumption that S1, S2, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0{,}1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0{,}99}{679{,}3 \cdot 8760} = 1{,}68 \cdot 10^{-9}$$

S2:

$$PFH = \frac{1 - 0{,}99}{1358{,}7 \cdot 8760} = 8{,}4 \cdot 10^{-10}$$

K1/K2:

$$PFH = \frac{1 - 0{,}90}{883{,}2 \cdot 8760} = 1{,}29 \cdot 10^{-8}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot \big(PFH(S1) \cdot PFH(S2)\big) \cdot T_1 + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot \big(PFH(S1) \cdot PFH(S2)\big) \cdot T_1$ and $(1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ are smaller than the rest by powers of ten, they are neglected in this and all further calculations for the purpose of simplification.

This gives:

$$PFH_{ges} = 10\% \cdot \frac{1{,}68 \cdot 10^{-9} + 1{,}68 \cdot 10^{-9}}{2} + 1{,}11 \cdot 10^{-9} + 1{,}03 \cdot 10^{-9} + 1{,}25 \cdot 10^{-9} + 10\% \cdot \frac{1{,}29 \cdot 10^{-8} + 1{,}29 \cdot 10^{-8}}{2} = 4{,}85 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

with:

$$MTTF_D(S1) = \frac{B10_D(S1)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B10_D(S2)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B10_D(K1)}{0{,}1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0{,}99}{1{,}11 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}72 \cdot 10^{-6}\ \frac{1}{y}} = 1028{,}8\ y$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0{,}99}{1{,}03 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}02 \cdot 10^{-6}\ \frac{1}{y}} = 1108{,}6\ y$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0{,}99}{1{,}25 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{1{,}1 \cdot 10^{-5}\ \frac{1}{y}} = 913{,}2\ y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{679{,}3\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{883{,}2\ y}} = 179{,}4\ y$$

$$DC_{avg} = \frac{\frac{99\%}{679{,}3\ y} + \frac{99\%}{1358{,}7\ y} + \frac{99\%}{1028{,}8\ y} + \frac{99\%}{1108{,}6\ y} + \frac{99\%}{913{,}2\ y} + \frac{90\%}{883{,}2\ y} + \frac{90\%}{883{,}2\ y}}{\frac{1}{679{,}3\ y} + \frac{1}{1358{,}7\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{883{,}2\ y} + \frac{1}{883{,}2\ y}} = 96{,}26\%$$


CAUTION
Measures for attaining category 3!
This structure is possible only up to category 3 at the most on account of a possible dormant (undetected) fault. In order to achieve category 3, all rising and falling edges must be evaluated together with the time dependence in the controller for the feedback expectation.

MTTFD
Designation for each channel    Range for each channel
low                             3 years ≤ MTTFD < 10 years
medium                          10 years ≤ MTTFD < 30 years
high                            30 years ≤ MTTFD ≤ 100 years

DC
Name      Range
none      DC < 60 %
low       60 % ≤ DC < 90 %
medium    90 % ≤ DC < 99 %
high      99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


3.2 Protective door function variant 2 (category 4, PL e)


The protective door uses a combination of normally closed and normally open contacts on the safe inputs of
an EL1904. The testing of the inputs is active and the signals are tested for discrepancy (200 ms). The
feedback loop is read in via a safe input. The contactors K1 and K2 are connected in parallel to the safe
output. Current measurement and testing of the output are active for this circuit.

3.2.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes


3.2.2 Block formation and safety loops

3.2.2.1 Safety function 1

3.2.3 Calculation

3.2.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

3.2.3.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=99%

3.2.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}$$

and:

$$MTTF_D = \frac{B10_D}{0{,}1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1\,000\,000}{0{,}1 \cdot 14720} = 679{,}3\ y = 5951087\ h$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{2\,000\,000}{0{,}1 \cdot 14720} = 1358{,}7\ y = 11902174\ h$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1\,300\,000}{0{,}1 \cdot 14720} = 883{,}2\ y = 7736413\ h$$

and the assumption that S1, S2, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0{,}1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0{,}99}{679{,}3 \cdot 8760} = 1{,}68 \cdot 10^{-9}$$

S2:

$$PFH = \frac{1 - 0{,}99}{1358{,}7 \cdot 8760} = 8{,}4 \cdot 10^{-10}$$

K1/K2:

$$PFH = \frac{1 - 0{,}99}{883{,}2 \cdot 8760} = 1{,}29 \cdot 10^{-9}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet).


It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot \big(PFH(S1) \cdot PFH(S2)\big) \cdot T_1 + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1 + PFH(EL1904)$$

Since the portions $(1-\beta)^2 \cdot \big(PFH(S1) \cdot PFH(S2)\big) \cdot T_1$ and $(1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ are smaller than the rest by powers of ten, they are neglected in this and all further calculations for the purpose of simplification.

This gives:

$$PFH_{ges} = 10\% \cdot \frac{1{,}68 \cdot 10^{-9} + 1{,}68 \cdot 10^{-9}}{2} + 1{,}11 \cdot 10^{-9} + 1{,}03 \cdot 10^{-9} + 1{,}25 \cdot 10^{-9} + 10\% \cdot \frac{1{,}29 \cdot 10^{-9} + 1{,}29 \cdot 10^{-9}}{2} + 1{,}11 \cdot 10^{-9} = 4{,}80 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(EL1904)}$$

with:

$$MTTF_D(S1) = \frac{B10_D(S1)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B10_D(S2)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B10_D(K1)}{0{,}1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0{,}99}{1{,}11 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}72 \cdot 10^{-6}\ \frac{1}{y}} = 1028{,}8\ y$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0{,}99}{1{,}03 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}02 \cdot 10^{-6}\ \frac{1}{y}} = 1108{,}6\ y$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0{,}99}{1{,}25 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{1{,}1 \cdot 10^{-5}\ \frac{1}{y}} = 913{,}2\ y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{679{,}3\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{883{,}2\ y} + \frac{1}{1028{,}8\ y}} = 152{,}7\ y$$

$$DC_{avg} = \frac{\frac{99\%}{679{,}3\ y} + \frac{99\%}{1358{,}7\ y} + \frac{99\%}{1028{,}8\ y} + \frac{99\%}{1108{,}6\ y} + \frac{99\%}{913{,}2\ y} + \frac{99\%}{883{,}2\ y} + \frac{99\%}{883{,}2\ y} + \frac{99\%}{1028{,}8\ y}}{\frac{1}{679{,}3\ y} + \frac{1}{1358{,}7\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{883{,}2\ y} + \frac{1}{883{,}2\ y} + \frac{1}{1028{,}8\ y}} = 99{,}0\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel    Range for each channel
low                             3 years ≤ MTTFD < 10 years
medium                          10 years ≤ MTTFD < 30 years
high                            30 years ≤ MTTFD ≤ 100 years

DC
Name      Range
none      DC < 60 %
low       60 % ≤ DC < 90 %
medium    90 % ≤ DC < 99 %
high      99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


3.3 Protective door function with range monitoring (category 4, PL e)

The protective door uses a combination of normally closed and normally open contacts on the safe inputs of
an EL1904. The testing of the inputs is active and the signals are tested for discrepancy (200 ms). The
feedback loop is read in via a safe input. The proximity sensors S3 and S4 are wired to safe inputs and
detect, for example, when a dangerous machine part is in a safe position so that the protective door may be
opened when the machine is running. The testing of these inputs is deactivated so that the static 24 V
voltage of the sensors can be used.

The contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of
the output are active for this circuit.


3.3.1 Parameters of the safe input and output terminals

EL1904 (upper EL1904 on the drawing)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL1904 (lower EL1904 on the drawing)

Parameter Value
Sensor test channel 1 active No
Sensor test channel 2 active No
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904 (applies to all EL2904 used)

Parameter Value
Current measurement active Yes
Output test pulses active Yes

3.3.2 Block formation and safety loops

3.3.2.1 Safety function 1


3.3.3 Calculation

3.3.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
S3 – B10D 20,000,000
S4 – B10D 20,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

3.3.3.2 Diagnostic Coverage DC


Component    Value
S1/S2 with testing/plausibility    DCavg=99%
S3/S4 without testing / with plausibility    DCavg=90%
K1/K2 with testing and EDM    DCavg=99%

3.3.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}$$

and:

$$MTTF_D = \frac{B10_D}{0{,}1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1\,000\,000}{0{,}1 \cdot 14720} = 679{,}3\ y = 5951087\ h$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{2\,000\,000}{0{,}1 \cdot 14720} = 1358{,}7\ y = 11902174\ h$$

S3:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{20\,000\,000}{0{,}1 \cdot 14720} = 13586{,}9\ y = 119021739\ h$$

S4:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{20\,000\,000}{0{,}1 \cdot 14720} = 13586{,}9\ y = 119021739\ h$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1\,300\,000}{0{,}1 \cdot 14720} = 883{,}2\ y = 7736413\ h$$

and the assumption that S1, S2, S3, S4, K1 and K2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0{,}1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0{,}99}{679{,}3 \cdot 8760} = 1{,}68 \cdot 10^{-9}$$

S2:

$$PFH = \frac{1 - 0{,}99}{1358{,}7 \cdot 8760} = 8{,}4 \cdot 10^{-10}$$

S3/S4:

$$PFH = \frac{1 - 0{,}90}{13586{,}9 \cdot 8760} = 8{,}4 \cdot 10^{-10}$$

K1/K2:

$$PFH = \frac{1 - 0{,}99}{883{,}2 \cdot 8760} = 1{,}29 \cdot 10^{-9}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

The proximity sensors S3/S4 are monitored for plausibility (temporal/logical) and are type A systems
according to EN 61508 (simple components whose behavior under error conditions is fully known). The safe
position is driven to once per shift.


Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1/S2/EL1904) + PFH(S3/S4/EL1904)}{2} + (1-\beta)^2 \cdot \big(PFH(S1/S2/EL1904) \cdot PFH(S3/S4/EL1904)\big) \cdot T_1 + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot \big(PFH(S1/S2/EL1904) \cdot PFH(S3/S4/EL1904)\big) \cdot T_1$ and $(1-\beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1$ are smaller than the rest by powers of ten, they are neglected in this and all further calculations for the purpose of simplification.

This gives:

$$PFH(S1/S2/EL1904) = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + PFH(EL1904) = 10\% \cdot \frac{1{,}68 \cdot 10^{-9} + 8{,}4 \cdot 10^{-10}}{2} + 1{,}11 \cdot 10^{-9} = 1{,}24 \cdot 10^{-9}$$

$$PFH(S3/S4/EL1904) = \beta \cdot \frac{PFH(S3) + PFH(S4)}{2} + PFH(EL1904) = 10\% \cdot \frac{8{,}4 \cdot 10^{-10} + 8{,}4 \cdot 10^{-10}}{2} + 1{,}11 \cdot 10^{-9} = 1{,}19 \cdot 10^{-9}$$

$$PFH_{ges} = 10\% \cdot \frac{1{,}24 \cdot 10^{-9} + 1{,}19 \cdot 10^{-9}}{2} + 1{,}03 \cdot 10^{-9} + 1{,}25 \cdot 10^{-9} + 10\% \cdot \frac{1{,}29 \cdot 10^{-9} + 1{,}29 \cdot 10^{-9}}{2} = 2{,}53 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

with:

$$MTTF_D(S1) = \frac{B10_D(S1)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B10_D(S2)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(S3) = \frac{B10_D(S3)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(S4) = \frac{B10_D(S4)}{0{,}1 \cdot n_{op}}$$

$$MTTF_D(K1) = \frac{B10_D(K1)}{0{,}1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0{,}99}{1{,}11 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}72 \cdot 10^{-6}\ \frac{1}{y}} = 1028{,}8\ y$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0{,}99}{1{,}03 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{9{,}02 \cdot 10^{-6}\ \frac{1}{y}} = 1108{,}6\ y$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0{,}99}{1{,}25 \cdot 10^{-9}\ \frac{1}{h} \cdot 8760\ \frac{h}{y}} = \frac{0{,}01}{1{,}1 \cdot 10^{-5}\ \frac{1}{y}} = 913{,}2\ y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{679{,}3\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{883{,}2\ y}} = 179{,}4\ y$$

$$DC_{avg} = \frac{\frac{99\%}{679{,}3\ y} + \frac{99\%}{1358{,}7\ y} + \frac{90\%}{13586{,}9\ y} + \frac{90\%}{13586{,}9\ y} + \frac{99\%}{1028{,}8\ y} + \frac{99\%}{1028{,}8\ y} + \frac{99\%}{1108{,}6\ y} + \frac{99\%}{913{,}2\ y} + \frac{99\%}{883{,}2\ y} + \frac{99\%}{883{,}2\ y}}{\frac{1}{679{,}3\ y} + \frac{1}{1358{,}7\ y} + \frac{1}{13586{,}9\ y} + \frac{1}{13586{,}9\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1028{,}8\ y} + \frac{1}{1108{,}6\ y} + \frac{1}{913{,}2\ y} + \frac{1}{883{,}2\ y} + \frac{1}{883{,}2\ y}} = 98{,}85\%$$

NOTE
Category
This structure is possible up to category 4 at the most. The monitoring of sensors S3 and S4 must be temporally and logically programmed.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

3.4 Protective door function with tumbler (Category 4, PL e)

The protective door has two contacts, S1 ‘door closed’ and S2 ‘door closed and locked’, which are wired to
safe inputs of an EL1904. The testing of the inputs is active. Checking of the signals for discrepancy cannot
take place, because there is no temporal relationship between the signals. The feedback loop and the restart
signal are read in via a safe input. The testing of the inputs is active here also. The contactors K1 and K2 are
connected in parallel to the safe output. Current measurement and testing of the output are active for this
circuit.

The tumbler is switched via 2 safe inputs in which testing is active. Testing and current measurement is
active on the safe output for the tumbler.

3.4.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904 (applies to all EL2904 used)

Parameter Value
Current measurement active Yes
Output test pulses active Yes

3.4.2 Block formation and safety loops

3.4.2.1 Safety function 1

3.4.3 Calculation

3.4.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 2,000,000
S2 – B10D 2,000,000
Restart - B10D 10,000,000
Lock – B10D 100,000
Unlock – B10D 100,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Tumbler (guard lock) - B10D 2,000,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

3.4.3.2 Diagnostic Coverage DC


Component Value
S1 with testing DCavg=90%
S2 with testing and expectation DCavg=99%
Lock/unlock with testing/plausibility DCavg=99%
Restart DCavg=99%
K1/K2 with testing and EDM DCavg=99%
Tumbler DCavg=99%

3.4.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:
$$
n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}
$$

and:

$$
\mathrm{MTTF}_D = \frac{B_{10D}}{0.1 \cdot n_{op}}
$$

Inserting the values, this produces:

S1:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720, \qquad
\mathrm{MTTF}_D = \frac{2{,}000{,}000}{0.1 \cdot 14720} = 1358.7\ \mathrm{y} = 11{,}902{,}174\ \mathrm{h}
$$

S2:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720, \qquad
\mathrm{MTTF}_D = \frac{2{,}000{,}000}{0.1 \cdot 14720} = 1358.7\ \mathrm{y} = 11{,}902{,}174\ \mathrm{h}
$$

Lock/Unlock:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720, \qquad
\mathrm{MTTF}_D = \frac{100{,}000}{0.1 \cdot 14720} = 67.9\ \mathrm{y} = 595{,}108\ \mathrm{h}
$$

K1/K2:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720, \qquad
\mathrm{MTTF}_D = \frac{1{,}300{,}000}{0.1 \cdot 14720} = 883.2\ \mathrm{y} = 7{,}736{,}413\ \mathrm{h}
$$

Restart:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720, \qquad
\mathrm{MTTF}_D = \frac{10{,}000{,}000}{0.1 \cdot 14720} = 6793.5\ \mathrm{y} = 59{,}511{,}060\ \mathrm{h}
$$

Tumbler:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720, \qquad
\mathrm{MTTF}_D = \frac{2{,}000{,}000}{0.1 \cdot 14720} = 1358.7\ \mathrm{y} = 11{,}902{,}174\ \mathrm{h}
$$

and the assumption that S1, S2, S3, S4, K1, K2 and the tumbler are each single-channel:
$$
\mathrm{MTTF}_D = \frac{1}{\lambda_D}
$$

produces for

$$
\mathrm{PFH} = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{\mathrm{MTTF}_D}
$$

S1:

$$
\mathrm{PFH} = \frac{1 - 0.90}{1358.7 \cdot 8760} = 8.40 \times 10^{-9}
$$

S2:

$$
\mathrm{PFH} = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.4 \times 10^{-10}
$$

Lock/Unlock:

$$
\mathrm{PFH} = \frac{1 - 0.99}{67.9 \cdot 8760} = 1.68 \times 10^{-8}
$$

Restart:

$$
\mathrm{PFH} = \frac{1 - 0.90}{6793.5 \cdot 8760} = 1.68 \times 10^{-9}
$$

K1/K2:

$$
\mathrm{PFH} = \frac{1 - 0.99}{883.2 \cdot 8760} = 1.29 \times 10^{-9}
$$

Tumbler:

$$
\mathrm{PFH} = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.4 \times 10^{-10}
$$

The following assumptions must now be made:

The door switches S1/S2 must both be actuated. Since the switches have different values, but the complete
protective door switch consists of a combination of normally closed and normally open contacts and both
switches must function, the poorer of the two values (S1) can be taken for the combination!

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

The tumbler is mechanically connected to the switch S2 in such a way that a separation of the coupling is
impossible.

The restart is monitored, so that a signal change is only valid once the door is closed.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:
$$
\begin{aligned}
\mathrm{PFH}_{ges} ={}& \beta \cdot \frac{\mathrm{PFH}(S2/Lock/Unlock/EL2904/GuardLock) + \mathrm{PFH}(S1)}{2} + (1-\beta)^2 \cdot \big(\mathrm{PFH}(S2/Lock/Unlock/EL2904/GuardLock) \cdot \mathrm{PFH}(S1)\big) \cdot T_1 + \mathrm{PFH}(EL1904) \\
&+ \mathrm{PFH}(EL6900) + \mathrm{PFH}(EL2904) + \beta \cdot \frac{\mathrm{PFH}(K1) + \mathrm{PFH}(K2)}{2} + (1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1 + \mathrm{PFH}(EL1904) + \mathrm{PFH}(Restart)
\end{aligned}
$$

Since the portions $(1-\beta)^2 \cdot \big(\mathrm{PFH}(x) \cdot \mathrm{PFH}(y)\big) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

to:

$$
\begin{aligned}
\mathrm{PFH}(S2/Lock/Unlock/EL2904/GuardLock) &= \mathrm{PFH}(S2) + \beta \cdot \frac{\mathrm{PFH}(Lock) + \mathrm{PFH}(Unlock)}{2} + \mathrm{PFH}(EL2904) + \mathrm{PFH}(GuardLock) \\
&= 8.4 \times 10^{-10} + 10\,\% \cdot \frac{1.68 \times 10^{-8} + 1.68 \times 10^{-8}}{2} + 1.25 \times 10^{-9} + 8.4 \times 10^{-10} = 4.61 \times 10^{-9}
\end{aligned}
$$

$$
\begin{aligned}
\mathrm{PFH}_{ges} ={}& 10\,\% \cdot \frac{4.61 \times 10^{-9} + 8.4 \times 10^{-9}}{2} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} \\
&+ 10\,\% \cdot \frac{1.29 \times 10^{-9} + 1.29 \times 10^{-9}}{2} + 1.11 \times 10^{-9} + 1.68 \times 10^{-9} \\
={}& 6.96 \times 10^{-9}
\end{aligned}
$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):
$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \sum_{i=1}^{n} \frac{1}{\mathrm{MTTF}_{D,i}}
$$

as:

$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \frac{1}{\mathrm{MTTF}_D(S2/Lock/Unlock/EL2904/GuardLock)} + \frac{1}{\mathrm{MTTF}_D(EL1904)} + \frac{1}{\mathrm{MTTF}_D(EL6900)} + \frac{1}{\mathrm{MTTF}_D(EL2904)} + \frac{1}{\mathrm{MTTF}_D(K1)} + \frac{1}{\mathrm{MTTF}_D(EL1904)} + \frac{1}{\mathrm{MTTF}_D(Restart)}
$$

with:
$$
\mathrm{MTTF}_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}, \qquad
\mathrm{MTTF}_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}, \qquad
\mathrm{MTTF}_D(Lock) = \frac{B_{10D}(Lock)}{0.1 \cdot n_{op}}
$$

$$
\mathrm{MTTF}_D(Unlock) = \frac{B_{10D}(Unlock)}{0.1 \cdot n_{op}}, \qquad
\mathrm{MTTF}_D(GuardLock) = \frac{B_{10D}(GuardLock)}{0.1 \cdot n_{op}}, \qquad
\mathrm{MTTF}_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}
$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:
$$
\mathrm{MTTF}_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{\mathrm{PFH}(ELxxxx)}
$$

Hence:

$$
\mathrm{MTTF}_D(EL1904) = \frac{1 - DC(EL1904)}{\mathrm{PFH}(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL6900) = \frac{1 - DC(EL6900)}{\mathrm{PFH}(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL2904) = \frac{1 - DC(EL2904)}{\mathrm{PFH}(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(S2/Lock/Unlock/EL2904/GuardLock) = \frac{1}{\frac{1}{\mathrm{MTTF}_D(S2)} + \frac{1}{\mathrm{MTTF}_D(Lock)} + \frac{1}{\mathrm{MTTF}_D(EL2904)} + \frac{1}{\mathrm{MTTF}_D(GuardLock)}} = \frac{1}{\frac{1}{1358.7\,\mathrm{y}} + \frac{1}{67.9\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{1358.7\,\mathrm{y}}} = 57.82\ \mathrm{y}
$$

$$
\mathrm{MTTF}_{D,ges} = \frac{1}{\frac{1}{57.82\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{883.2\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{6793.5\,\mathrm{y}}} = 44.41\ \mathrm{y}
$$

$$
\mathrm{DC}_{avg} = \frac{\frac{99\,\%}{57.82\,\mathrm{y}} + \frac{99\,\%}{1358.7\,\mathrm{y}} + \frac{99\,\%}{67.9\,\mathrm{y}} + \frac{99\,\%}{67.9\,\mathrm{y}} + \frac{99\,\%}{913.2\,\mathrm{y}} + \frac{99\,\%}{1358.7\,\mathrm{y}} + \frac{99\,\%}{1028.8\,\mathrm{y}} + \frac{99\,\%}{1108.6\,\mathrm{y}} + \frac{99\,\%}{913.2\,\mathrm{y}} + \frac{99\,\%}{883.2\,\mathrm{y}} + \frac{99\,\%}{883.2\,\mathrm{y}} + \frac{99\,\%}{1028.8\,\mathrm{y}} + \frac{90\,\%}{6793.5\,\mathrm{y}}}{\frac{1}{57.82\,\mathrm{y}} + \frac{1}{1358.7\,\mathrm{y}} + \frac{1}{67.9\,\mathrm{y}} + \frac{1}{67.9\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{1358.7\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{883.2\,\mathrm{y}} + \frac{1}{883.2\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{6793.5\,\mathrm{y}}} = 98.98\,\%
$$

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

3.5 Two-hand controller (Category 4, PL e)


The two-hand buttons each consist of a combination of normally closed and normally open contacts on safe
inputs of an EL1904. The testing of the inputs is active and the signals are tested for discrepancy (200 ms).
In addition, the synchronous actuation of the two buttons is activated with a monitoring time of 500 ms.

The feedback loop is read in via a safe input. The contactors K1 and K2 are connected in parallel to the safe
output. Current measurement and testing of the output are active for this circuit.

3.5.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

3.5.2 Block formation and safety loops

3.5.2.1 Safety function 1

3.5.3 Calculation

3.5.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 20,000,000
S2 – B10D 20,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 1 (1x per minute)
Lifetime (T1) 20 years = 175200 hours

3.5.3.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=99%

3.5.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:
$$
n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}
$$

and:

$$
\mathrm{MTTF}_D = \frac{B_{10D}}{0.1 \cdot n_{op}}
$$

Inserting the values, this produces:

S1/S2:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{1} = 220{,}800, \qquad
\mathrm{MTTF}_D = \frac{20{,}000{,}000}{0.1 \cdot 220{,}800} = 905.8\ \mathrm{y} = 7{,}934{,}783\ \mathrm{h}
$$

K1/K2:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{1} = 220{,}800, \qquad
\mathrm{MTTF}_D = \frac{1{,}300{,}000}{0.1 \cdot 220{,}800} = 58.9\ \mathrm{y} = 515{,}760\ \mathrm{h}
$$

and the assumption that S1, S2, K1 and K2 are each single-channel:
$$
\mathrm{MTTF}_D = \frac{1}{\lambda_D}
$$

produces for

$$
\mathrm{PFH} = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{\mathrm{MTTF}_D}
$$

S1/S2:
$$
\mathrm{PFH} = \frac{1 - 0.99}{905.8\,\mathrm{y} \cdot 8760} = 1.26 \times 10^{-9}
$$

K1/K2:

$$
\mathrm{PFH} = \frac{1 - 0.99}{58.9\,\mathrm{y} \cdot 8760} = 1.94 \times 10^{-8}
$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:
$$
\begin{aligned}
\mathrm{PFH}_{ges} ={}& \beta \cdot \frac{\mathrm{PFH}(S1) + \mathrm{PFH}(S2)}{2} + (1-\beta)^2 \cdot \big(\mathrm{PFH}(S1) \cdot \mathrm{PFH}(S2)\big) \cdot T_1 + \mathrm{PFH}(EL1904) + \mathrm{PFH}(EL6900) \\
&+ \mathrm{PFH}(EL2904) + \beta \cdot \frac{\mathrm{PFH}(K1) + \mathrm{PFH}(K2)}{2} + (1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1 + \mathrm{PFH}(EL1904)
\end{aligned}
$$

Since the portions $(1-\beta)^2 \cdot \big(\mathrm{PFH}(S1) \cdot \mathrm{PFH}(S2)\big) \cdot T_1$ and $(1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

to:

$$
\begin{aligned}
\mathrm{PFH}_{ges} ={}& 10\,\% \cdot \frac{1.26 \times 10^{-9} + 1.26 \times 10^{-9}}{2} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\,\% \cdot \frac{1.94 \times 10^{-8} + 1.94 \times 10^{-8}}{2} + 1.11 \times 10^{-9} \\
={}& 6.56 \times 10^{-9}
\end{aligned}
$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \sum_{i=1}^{n} \frac{1}{\mathrm{MTTF}_{D,i}}
$$

as:

$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \frac{1}{\mathrm{MTTF}_D(S1)} + \frac{1}{\mathrm{MTTF}_D(EL1904)} + \frac{1}{\mathrm{MTTF}_D(EL6900)} + \frac{1}{\mathrm{MTTF}_D(EL2904)} + \frac{1}{\mathrm{MTTF}_D(K1)} + \frac{1}{\mathrm{MTTF}_D(EL1904)}
$$

with:
$$
\mathrm{MTTF}_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}, \qquad
\mathrm{MTTF}_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}, \qquad
\mathrm{MTTF}_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}
$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:
$$
\mathrm{MTTF}_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{\mathrm{PFH}(ELxxxx)}
$$

Hence:
$$
\mathrm{MTTF}_D(EL1904) = \frac{1 - DC(EL1904)}{\mathrm{PFH}(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL6900) = \frac{1 - DC(EL6900)}{\mathrm{PFH}(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL2904) = \frac{1 - DC(EL2904)}{\mathrm{PFH}(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\ \mathrm{y}
$$

$$
\mathrm{MTTF}_{D,ges} = \frac{1}{\frac{1}{905.8\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{58.9\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 45.4\ \mathrm{y}
$$

$$
\mathrm{DC}_{avg} = \frac{\frac{99\,\%}{905.8\,\mathrm{y}} + \frac{99\,\%}{905.8\,\mathrm{y}} + \frac{99\,\%}{1028.8\,\mathrm{y}} + \frac{99\,\%}{1108.6\,\mathrm{y}} + \frac{99\,\%}{913.2\,\mathrm{y}} + \frac{99\,\%}{58.9\,\mathrm{y}} + \frac{99\,\%}{58.9\,\mathrm{y}} + \frac{99\,\%}{1028.8\,\mathrm{y}}}{\frac{1}{905.8\,\mathrm{y}} + \frac{1}{905.8\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{58.9\,\mathrm{y}} + \frac{1}{58.9\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}}} = 99.0\,\%
$$

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

3.6 Laser scanner (category 3, PL d)


The laser scanner has two OSSD outputs (Output-Signal-Switching-Device), which are wired to safe inputs
of an EL1904. The testing of the inputs is not active, since the OSSD outputs carry out their own test.
Furthermore, the signals are checked for discrepancy (200 ms). The feedback loop is read in via a safe
input. Testing is active for this input. The contactors K1 and K2 are connected in parallel to the safe output.
Current measurement and testing of the output are active for this circuit.

3.6.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active No
Sensor test channel 2 active No
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 OSSD arbitrary types of pulse
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

3.6.2 Block formation and safety loops

3.6.2.1 Safety function 1

3.6.3 Calculation

3.6.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
Laser scanner – PFHD 7.67E-08
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10 (6x per hour)
Lifetime (T1) 20 years = 175200 hours

3.6.3.2 Diagnostic Coverage DC


Component Value
OSSD1/2 with testing (by scanner) / plausibility DCavg=90%
K1/K2 with testing and EDM DCavg=99%

3.6.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:
$$
n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}
$$

and:

$$
\mathrm{MTTF}_D = \frac{B_{10D}}{0.1 \cdot n_{op}}
$$

Inserting the values, this produces:

K1/K2:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{10} = 22{,}080, \qquad
\mathrm{MTTF}_D = \frac{1{,}300{,}000}{0.1 \cdot 22{,}080} = 588.7\ \mathrm{y} = 5{,}157{,}012\ \mathrm{h}
$$

and the assumption that K1 and K2 are each single-channel:


$$
\mathrm{MTTF}_D = \frac{1}{\lambda_D}
$$

produces for

$$
\mathrm{PFH} = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{\mathrm{MTTF}_D}
$$

K1/K2:
$$
\mathrm{PFH} = \frac{1 - 0.99}{588.7\,\mathrm{y} \cdot 8760} = 1.94 \times 10^{-9}
$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:
$$
\mathrm{PFH}_{ges} = \mathrm{PFH}(Scanner) + \mathrm{PFH}(EL1904) + \mathrm{PFH}(EL6900) + \mathrm{PFH}(EL2904) + \beta \cdot \frac{\mathrm{PFH}(K1) + \mathrm{PFH}(K2)}{2} + (1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1
$$

Since the portion $(1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1$ is smaller than the rest by a power of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$
\mathrm{PFH}_{ges} = 7.67 \times 10^{-8} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\,\% \cdot \frac{1.94 \times 10^{-9} + 1.94 \times 10^{-9}}{2} = 8.03 \times 10^{-8}
$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):
$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \sum_{i=1}^{n} \frac{1}{\mathrm{MTTF}_{D,i}}
$$

as:

$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \frac{1}{\mathrm{MTTF}_D(Scanner)} + \frac{1}{\mathrm{MTTF}_D(EL1904)} + \frac{1}{\mathrm{MTTF}_D(EL6900)} + \frac{1}{\mathrm{MTTF}_D(EL2904)} + \frac{1}{\mathrm{MTTF}_D(K1)}
$$

with:
$$
\mathrm{MTTF}_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}
$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$
\mathrm{MTTF}_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{\mathrm{PFH}(ELxxxx)}
$$

Hence:
$$
\mathrm{MTTF}_D(EL1904) = \frac{1 - DC(EL1904)}{\mathrm{PFH}(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL6900) = \frac{1 - DC(EL6900)}{\mathrm{PFH}(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL2904) = \frac{1 - DC(EL2904)}{\mathrm{PFH}(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(Scanner) = \frac{1 - DC(Scanner)}{\mathrm{PFH}(Scanner)} = \frac{1 - 0.90}{7.67 \times 10^{-8}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.1}{6.72 \times 10^{-4}\,\frac{1}{\mathrm{y}}} = 148.8\ \mathrm{y}
$$

In accordance with the limitation of the MTTFD to 100 years for components with a category 3 structure (for
category 4 the limit is 2500 years) introduced in EN ISO 13849-1, the value is limited to 100 years for the
further processing of the MTTFD of the scanner.

$$
\mathrm{MTTF}_D(Scanner) = 100\ \mathrm{y}
$$

$$
\mathrm{MTTF}_{D,ges} = \frac{1}{\frac{1}{100\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{588.7\,\mathrm{y}}} = 68.2\ \mathrm{y}
$$

$$
\mathrm{DC}_{avg} = \frac{\frac{90\,\%}{100\,\mathrm{y}} + \frac{99\,\%}{1028.8\,\mathrm{y}} + \frac{99\,\%}{1108.6\,\mathrm{y}} + \frac{99\,\%}{913.2\,\mathrm{y}} + \frac{99\,\%}{588.7\,\mathrm{y}} + \frac{99\,\%}{588.7\,\mathrm{y}}}{\frac{1}{100\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{588.7\,\mathrm{y}} + \frac{1}{588.7\,\mathrm{y}}} = 93.5\,\%
$$
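
The calculation scheme of sections 3.5 and 3.6 carried through in Python, as an added example that is not part of the guide: the helpers implement the formulas used above (n_op, MTTFD from B10D, PFH from MTTFD and DC, the β-weighted two-channel term, the series sum and DCavg), and the two worked functions reproduce the two-hand controller and the laser scanner results, including the category 3 cap of the scanner MTTFD at 100 years. The component values are the guide's own; the loop structure and the DC assignments are read off the formulas above, and `product_term_ratio` shows how small the neglected $(1-\beta)^2$ term is.

```python
"""Worked safety-parameter calculation (PFHD, MTTFD, DCavg) following the
scheme of the guide, applied to the two-hand controller (section 3.5) and the
laser scanner (section 3.6). Added example, not Beckhoff code; the component
values are the guide's, the loop structure is read off its formulas."""

HOURS_PER_YEAR = 8760.0
BETA = 0.10                      # worst-case common-cause factor used in the guide
T1_HOURS = 20 * HOURS_PER_YEAR   # lifetime T1 = 20 years = 175200 h
MTTFD_CAP_YEARS = {3: 100.0, 4: 2500.0}   # EN ISO 13849-1 limit per category

# Terminal PFHD values (1/h) from the guide's tables, each with an assumed DC of 99 %
PFH_EL1904, PFH_EL2904, PFH_EL6900 = 1.11e-9, 1.25e-9, 1.03e-9
DC_TERMINAL = 0.99

def n_op(d_op, h_op, t_cycle_min):
    """Operations per year: n_op = d_op * h_op * 60 / T_cycle."""
    return d_op * h_op * 60.0 / t_cycle_min

def mttfd_from_b10d(b10d, nop):
    """MTTFD in years from a B10D value: B10D / (0.1 * n_op)."""
    return b10d / (0.1 * nop)

def pfh_from_mttfd(mttfd_years, dc):
    """PFH (1/h) of a single-channel element: (1 - DC) / MTTFD."""
    return (1.0 - dc) / (mttfd_years * HOURS_PER_YEAR)

def mttfd_from_pfh(pfh, dc):
    """MTTFD in years estimated from a PFHD value: (1 - DC) / PFH."""
    return (1.0 - dc) / (pfh * HOURS_PER_YEAR)

def two_channel_pfh(pfh_a, pfh_b, beta=BETA, t1=T1_HOURS, neglect_product=True):
    """Redundant pair: beta * (a + b) / 2 + (1 - beta)^2 * a * b * T1.
    The guide drops the product term as an order of magnitude smaller."""
    common_cause = beta * (pfh_a + pfh_b) / 2.0
    if neglect_product:
        return common_cause
    return common_cause + (1.0 - beta) ** 2 * pfh_a * pfh_b * t1

def product_term_ratio(pfh_a, pfh_b, beta=BETA, t1=T1_HOURS):
    """Size of the neglected product term relative to the retained beta term."""
    kept = two_channel_pfh(pfh_a, pfh_b, beta, t1)
    full = two_channel_pfh(pfh_a, pfh_b, beta, t1, neglect_product=False)
    return (full - kept) / kept

def mttfd_series(mttfds):
    """1 / MTTFD_ges = sum(1 / MTTFD_i) over the elements of one channel."""
    return 1.0 / sum(1.0 / m for m in mttfds)

def dc_avg(components):
    """DCavg = sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i); components = [(DC, MTTFD), ...]."""
    return sum(dc / m for dc, m in components) / sum(1.0 / m for _, m in components)

def cap_mttfd(mttfd_years, category):
    """Limit a channel MTTFD to 100 y (category 3) or 2500 y (category 4)."""
    return min(mttfd_years, MTTFD_CAP_YEARS[category])

MTTFD_EL1904 = mttfd_from_pfh(PFH_EL1904, DC_TERMINAL)   # about 1028 y
MTTFD_EL2904 = mttfd_from_pfh(PFH_EL2904, DC_TERMINAL)   # about 913 y
MTTFD_EL6900 = mttfd_from_pfh(PFH_EL6900, DC_TERMINAL)   # about 1108 y

def two_hand_controller():
    """Section 3.5: S1/S2 (B10D 20e6, DC 99 %) and K1/K2 (B10D 1.3e6, DC 99 %),
    230 d * 16 h, one cycle per minute. Returns (PFH_ges, MTTFD_ges, DCavg)."""
    nop = n_op(230, 16, 1)
    m_s, m_k = mttfd_from_b10d(20_000_000, nop), mttfd_from_b10d(1_300_000, nop)
    pfh_s, pfh_k = pfh_from_mttfd(m_s, 0.99), pfh_from_mttfd(m_k, 0.99)
    # Loop: buttons -> EL1904 -> EL6900 -> EL2904 -> contactors, feedback via EL1904
    pfh_ges = (two_channel_pfh(pfh_s, pfh_s) + PFH_EL1904 + PFH_EL6900 + PFH_EL2904
               + two_channel_pfh(pfh_k, pfh_k) + PFH_EL1904)
    # MTTFD_ges follows one channel (S1 and K1 counted once); DCavg weighs every component
    mttfd_ges = mttfd_series([m_s, MTTFD_EL1904, MTTFD_EL6900, MTTFD_EL2904, m_k, MTTFD_EL1904])
    dcavg = dc_avg([(0.99, m_s), (0.99, m_s), (0.99, MTTFD_EL1904), (0.99, MTTFD_EL6900),
                    (0.99, MTTFD_EL2904), (0.99, m_k), (0.99, m_k), (0.99, MTTFD_EL1904)])
    return pfh_ges, mttfd_ges, dcavg

def laser_scanner():
    """Section 3.6: scanner PFHD 7.67e-8 (DC 90 %), K1/K2 (B10D 1.3e6, DC 99 %),
    six cycles per hour, category 3 structure. Returns
    (PFH_ges, MTTFD_scanner_raw, MTTFD_scanner_capped, MTTFD_ges, DCavg)."""
    nop = n_op(230, 16, 10)
    m_k = mttfd_from_b10d(1_300_000, nop)
    pfh_k = pfh_from_mttfd(m_k, 0.99)
    pfh_scanner = 7.67e-8
    pfh_ges = (pfh_scanner + PFH_EL1904 + PFH_EL6900 + PFH_EL2904
               + two_channel_pfh(pfh_k, pfh_k))
    m_scanner_raw = mttfd_from_pfh(pfh_scanner, 0.90)   # about 148.8 y
    m_scanner = cap_mttfd(m_scanner_raw, category=3)    # limited to 100 y before further use
    mttfd_ges = mttfd_series([m_scanner, MTTFD_EL1904, MTTFD_EL6900, MTTFD_EL2904, m_k])
    dcavg = dc_avg([(0.90, m_scanner), (0.99, MTTFD_EL1904), (0.99, MTTFD_EL6900),
                    (0.99, MTTFD_EL2904), (0.99, m_k), (0.99, m_k)])
    return pfh_ges, m_scanner_raw, m_scanner, mttfd_ges, dcavg

if __name__ == "__main__":
    print("3.5 two-hand controller (PFH_ges, MTTFD_ges, DCavg):", two_hand_controller())
    print("3.6 laser scanner (PFH_ges, raw, capped, MTTFD_ges, DCavg):", laser_scanner())
```

The small differences to the guide's rounded figures come from its rounding of intermediate values; the same helpers serve the other sections when the loop lists are adjusted.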

NOTE
Category
This structure is possible up to category 3 at the most through the use of the type 3 (category 3) laser scanner.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

3.7 Light curtain (Category 4, PL e)


The light curtain has two OSSD outputs (Output-Signal-Switching-Device), which are wired to safe inputs of
an EL1904. The testing of the inputs is not active, since the OSSD outputs carry out their own test.
Furthermore, the signals are checked for discrepancy (200 ms). The feedback loop is read in via a safe
input. Testing is active for this input. The contactors K1 and K2 are connected in parallel to the safe output.
Current measurement and testing of the output are active for this circuit.

3.7.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active No
Sensor test channel 2 active No
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Asynchronous evaluation OSSD
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

3.7.2 Block formation and safety loops

3.7.2.1 Safety function 1

3.7.3 Calculation

3.7.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
Light curtain – PFHD 1.50E-08
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 5 (12x per hour)
Lifetime (T1) 20 years = 175200 hours

3.7.3.2 Diagnostic Coverage DC


Component Value
OSSD1/2 with testing (by light curtain) / plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=99%

3.7.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:
$$
n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}
$$

and:

$$
\mathrm{MTTF}_D = \frac{B_{10D}}{0.1 \cdot n_{op}}
$$

Inserting the values, this produces:

K1/K2:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{5} = 44{,}160, \qquad
\mathrm{MTTF}_D = \frac{1{,}300{,}000}{0.1 \cdot 44{,}160} = 294.4\ \mathrm{y} = 2{,}578{,}944\ \mathrm{h}
$$

and the assumption that K1 and K2 are each single-channel:


$$
\mathrm{MTTF}_D = \frac{1}{\lambda_D}
$$

produces for

$$
\mathrm{PFH} = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{\mathrm{MTTF}_D}
$$

K1/K2:
$$
\mathrm{PFH} = \frac{1 - 0.99}{294.4\,\mathrm{y} \cdot 8760} = 3.88 \times 10^{-9}
$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$
\mathrm{PFH}_{ges} = \mathrm{PFH}(Lightcurtain) + \mathrm{PFH}(EL1904) + \mathrm{PFH}(EL6900) + \mathrm{PFH}(EL2904) + \beta \cdot \frac{\mathrm{PFH}(K1) + \mathrm{PFH}(K2)}{2} + (1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1
$$

Since the portion $(1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1$ is smaller than the rest by a power of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$
\mathrm{PFH}_{ges} = 1.50 \times 10^{-8} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\,\% \cdot \frac{3.88 \times 10^{-9} + 3.88 \times 10^{-9}}{2} = 1.88 \times 10^{-8}
$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):
$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \sum_{i=1}^{n} \frac{1}{\mathrm{MTTF}_{D,i}}
$$

as:

$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \frac{1}{\mathrm{MTTF}_D(Lightcurtain)} + \frac{1}{\mathrm{MTTF}_D(EL1904)} + \frac{1}{\mathrm{MTTF}_D(EL6900)} + \frac{1}{\mathrm{MTTF}_D(EL2904)} + \frac{1}{\mathrm{MTTF}_D(K1)}
$$

with:
$$
\mathrm{MTTF}_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}
$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:
$$
\mathrm{MTTF}_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{\mathrm{PFH}(ELxxxx)}
$$

Hence:
$$
\mathrm{MTTF}_D(EL1904) = \frac{1 - DC(EL1904)}{\mathrm{PFH}(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL6900) = \frac{1 - DC(EL6900)}{\mathrm{PFH}(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL2904) = \frac{1 - DC(EL2904)}{\mathrm{PFH}(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(Lightcurtain) = \frac{1 - DC(Lightcurtain)}{\mathrm{PFH}(Lightcurtain)} = \frac{1 - 0.99}{1.50 \times 10^{-8}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.31 \times 10^{-4}\,\frac{1}{\mathrm{y}}} = 76.1\ \mathrm{y}
$$

$$
\mathrm{MTTF}_{D,ges} = \frac{1}{\frac{1}{76.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{294.4\,\mathrm{y}}} = 51.3\ \mathrm{y}
$$

$$
\mathrm{DC}_{avg} = \frac{\frac{99\,\%}{76.1\,\mathrm{y}} + \frac{99\,\%}{1028.8\,\mathrm{y}} + \frac{99\,\%}{1108.6\,\mathrm{y}} + \frac{99\,\%}{913.2\,\mathrm{y}} + \frac{99\,\%}{294.4\,\mathrm{y}} + \frac{99\,\%}{294.4\,\mathrm{y}}}{\frac{1}{76.1\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{294.4\,\mathrm{y}} + \frac{1}{294.4\,\mathrm{y}}} = 99.00\,\%
$$

NOTE
Category
This structure is possible up to category 4 at the most through the use of the type 4 (category 4) light curtain.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

3.8 Safety switching mat / safety bumper (Category 4, PL e)

Safety switching mats or safety bumpers work according to the cross-circuit principle. The contact surfaces
of the device are wired to safe inputs of an EL1904. The testing of the inputs is active and the signals are
tested for discrepancy (200 ms). As soon as a cross-circuit between the signals is detected (safety mat is
stepped on), a logical 0 is signaled by the EL1904 input terminal. If the cross-circuit is no longer present, a
logical 1 is signaled. The feedback loop is read in via a safe input. The testing of the input is active here also.
The contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of
the output are active for this circuit.

3.8.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Cross-circuit is not a module error
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

3.8.2 Block formation and safety loops

3.8.2.1 Safety function 1

3.8.3 Calculation

3.8.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
Safety switching mat – B10D 6.00E06
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 1 (1x per minute)
Lifetime (T1) 20 years = 175200 hours

3.8.3.2 Diagnostic Coverage DC


Component Value
Switching outputs (mat) with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=99%

3.8.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:
$$
n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{Zyklus}}
$$

and:

$$
\mathrm{MTTF}_D = \frac{B_{10D}}{0.1 \cdot n_{op}}
$$

Inserting the values, this produces:

K1/K2:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{1} = 220{,}800, \qquad
\mathrm{MTTF}_D = \frac{1{,}300{,}000}{0.1 \cdot 220{,}800} = 58.9\ \mathrm{y} = 515{,}760\ \mathrm{h}
$$

Safety mat:

$$
n_{op} = \frac{230 \cdot 16 \cdot 60}{1} = 220{,}800, \qquad
\mathrm{MTTF}_D = \frac{6.00 \times 10^{6}}{0.1 \cdot 220{,}800} = 271.7\ \mathrm{y} = 2{,}380{,}434\ \mathrm{h}
$$

and the assumption that K1 and K2 are each single-channel:


$$
\mathrm{MTTF}_D = \frac{1}{\lambda_D}
$$

produces for

$$
\mathrm{PFH} = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{\mathrm{MTTF}_D}
$$

K1/K2:
$$
\mathrm{PFH} = \frac{1 - 0.99}{58.9\,\mathrm{y} \cdot 8760} = 1.94 \times 10^{-8}
$$

Safety mat:

$$
\mathrm{PFH} = \frac{1 - 0.99}{271.7\,\mathrm{y} \cdot 8760} = 4.20 \times 10^{-9}
$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:
$$
\mathrm{PFH}_{ges} = \mathrm{PFH}(SafetyMat) + \mathrm{PFH}(EL1904) + \mathrm{PFH}(EL6900) + \mathrm{PFH}(EL2904) + \beta \cdot \frac{\mathrm{PFH}(K1) + \mathrm{PFH}(K2)}{2} + (1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1
$$

Since the portion $(1-\beta)^2 \cdot \big(\mathrm{PFH}(K1) \cdot \mathrm{PFH}(K2)\big) \cdot T_1$ is smaller than the rest by a power of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$
\mathrm{PFH}_{ges} = 4.20 \times 10^{-9} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 10\,\% \cdot \frac{1.94 \times 10^{-8} + 1.94 \times 10^{-8}}{2} = 9.53 \times 10^{-9}
$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):
$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \sum_{i=1}^{n} \frac{1}{\mathrm{MTTF}_{D,i}}
$$

as:

$$
\frac{1}{\mathrm{MTTF}_{D,ges}} = \frac{1}{\mathrm{MTTF}_D(SafetyMat)} + \frac{1}{\mathrm{MTTF}_D(EL1904)} + \frac{1}{\mathrm{MTTF}_D(EL6900)} + \frac{1}{\mathrm{MTTF}_D(EL2904)} + \frac{1}{\mathrm{MTTF}_D(K1)}
$$

with:
$$
\mathrm{MTTF}_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}}
$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$
\mathrm{MTTF}_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{\mathrm{PFH}(ELxxxx)}
$$

Hence:
$$
\mathrm{MTTF}_D(EL1904) = \frac{1 - DC(EL1904)}{\mathrm{PFH}(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL6900) = \frac{1 - DC(EL6900)}{\mathrm{PFH}(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\ \mathrm{y}
$$

$$
\mathrm{MTTF}_D(EL2904) = \frac{1 - DC(EL2904)}{\mathrm{PFH}(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\ \mathrm{y}
$$

$$
\mathrm{MTTF}_{D,ges} = \frac{1}{\frac{1}{271.7\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{58.9\,\mathrm{y}}} = 42.3\ \mathrm{y}
$$

$$
\mathrm{DC}_{avg} = \frac{\frac{99\,\%}{271.7\,\mathrm{y}} + \frac{99\,\%}{1028.8\,\mathrm{y}} + \frac{99\,\%}{1108.6\,\mathrm{y}} + \frac{99\,\%}{913.2\,\mathrm{y}} + \frac{99\,\%}{58.9\,\mathrm{y}} + \frac{99\,\%}{58.9\,\mathrm{y}}}{\frac{1}{271.7\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{58.9\,\mathrm{y}} + \frac{1}{58.9\,\mathrm{y}}} = 99.00\,\%
$$

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


3.9 Muting (Category 4, PL e)


The light curtain has two OSSD outputs (Output Signal Switching Device), which are wired to safe inputs of
an EL1904. The testing of the inputs is not active, since the OSSD outputs carry out their own test.
Furthermore, the signals are checked for discrepancy (200 ms). The feedback loop is read in via a safe
input. The muting switches and the enable switch are also wired to safe inputs. Testing is active for these
inputs.
The contactors K1 and K2 are connected in parallel to a safe output. The muting lamp is also wired to a safe
output. Current measurement and testing of the output are active for this circuit.

3.9.1 Parameters of the safe input and output terminals

EL1904 (upper terminal on the drawing)

Parameter Value
Sensor test channel 1 active No
Sensor test channel 2 active No
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Asynchronous evaluation OSSD
Logic channel 3 and 4 Single Logic

EL1904 (lower terminal on the drawing)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

3.9.2 Block formation and safety loops

3.9.2.1 Safety function 1

3.9.3 Calculation

3.9.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 100,000
Light curtain – PFHD 1.50E-08
MS1 – B10D 100,000
MS2 – B10D 100,000
MS3 – B10D 100,000
MS4 – B10D 100,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 60 (1x per hour)
Lifetime (T1) 20 years = 175200 hours


3.9.3.2 Diagnostic Coverage DC


Component Value
OSSD1/2 with testing (by light curtain) / plausibility DCavg=99%
MS1/2/3/4 with testing/plausibility DCavg=90%
K1/K2 with testing and EDM DCavg=99%
S1 with testing DCavg=90%

3.9.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTFD = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values (dop = 230, hop = 8, Tcycle = 60 min), this produces:

S1:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{60} = 1840$$

$$MTTFD = \frac{100000}{0.1 \cdot 1840} = 543.5\ y = 4761060\ h$$

K1/K2:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{60} = 1840$$

$$MTTFD = \frac{1300000}{0.1 \cdot 1840} = 7065.2\ y = 61891152\ h$$

MS1/MS2/MS3/MS4:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{60} = 1840$$

$$MTTFD = \frac{100000}{0.1 \cdot 1840} = 543.5\ y = 4761060\ h$$

and the assumption that S1, K1 and K2 are each single-channel:

$$MTTFD = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTFD}$$

S1:

$$PFH = \frac{1 - 0.90}{543.5 \cdot 8760} = 2.10 \cdot 10^{-8}$$


K1/K2:

$$PFH = \frac{1 - 0.99}{7065.2 \cdot 8760} = 1.62 \cdot 10^{-10}$$

MS1/MS2/MS3/MS4:

$$PFH = \frac{1 - 0.90}{543.5 \cdot 8760} = 2.10 \cdot 10^{-8}$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case
estimation, where β = 10 %. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(\text{Lightcurtain}) + PFH(\text{EL1904}) + PFH(\text{EL6900}) + PFH(\text{EL2904}) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$$
$$+ \beta \cdot \frac{PFH(MS1) + PFH(MS2)}{2} + (1-\beta)^2 \cdot PFH(MS1) \cdot PFH(MS2) \cdot T_1 + \beta \cdot \frac{PFH(MS3) + PFH(MS4)}{2} + (1-\beta)^2 \cdot PFH(MS3) \cdot PFH(MS4) \cdot T_1$$
$$+ PFH(\text{EL1904}) + PFH(S1)$$

Since the portions $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 1.50 \cdot 10^{-8} + 1.11 \cdot 10^{-9} + 1.03 \cdot 10^{-9} + 1.25 \cdot 10^{-9} + 10\% \cdot \frac{1.62 \cdot 10^{-10} + 1.62 \cdot 10^{-10}}{2} + 10\% \cdot \frac{2.10 \cdot 10^{-8} + 2.10 \cdot 10^{-8}}{2}$$
$$+ 10\% \cdot \frac{2.10 \cdot 10^{-8} + 2.10 \cdot 10^{-8}}{2} + 1.11 \cdot 10^{-9} + 2.10 \cdot 10^{-8}$$
$$= 4.47 \cdot 10^{-8}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTFD_{ges}} = \sum_{i=1}^{n} \frac{1}{MTTFD_i}$$

as:

$$\frac{1}{MTTFD_{ges}} = \frac{1}{MTTFD(\text{Lightcurtain})} + \frac{1}{MTTFD(\text{EL1904})} + \frac{1}{MTTFD(\text{EL6900})} + \frac{1}{MTTFD(\text{EL2904})} + \frac{1}{MTTFD(K1)}$$
$$+ \frac{1}{MTTFD(MS1)} + \frac{1}{MTTFD(MS3)} + \frac{1}{MTTFD(\text{EL1904})} + \frac{1}{MTTFD(S1)}$$

with:

$$MTTFD(K1) = \frac{B10_D(K1)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTFD(\text{ELxxxx}) = \frac{1 - DC(\text{ELxxxx})}{PFH(\text{ELxxxx})}$$

Hence:


$$MTTFD(\text{EL1904}) = \frac{1 - DC(\text{EL1904})}{PFH(\text{EL1904})} = \frac{1 - 0.99}{1.11 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{9.72 \cdot 10^{-6}\,\frac{1}{y}} = 1028.8\ y$$

$$MTTFD(\text{EL6900}) = \frac{1 - DC(\text{EL6900})}{PFH(\text{EL6900})} = \frac{1 - 0.99}{1.03 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{9.02 \cdot 10^{-6}\,\frac{1}{y}} = 1108.6\ y$$

$$MTTFD(\text{EL2904}) = \frac{1 - DC(\text{EL2904})}{PFH(\text{EL2904})} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\frac{1}{y}} = 913.2\ y$$

$$MTTFD(\text{Lightcurtain}) = \frac{1 - DC(\text{Lightcurtain})}{PFH(\text{Lightcurtain})} = \frac{1 - 0.99}{1.50 \cdot 10^{-8}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.31 \cdot 10^{-4}\,\frac{1}{y}} = 76.1\ y$$

$$MTTFD(MS1/MS3) = \frac{1 - DC(MS1/MS3)}{PFH(MS1/MS3)} = \frac{1 - 0.90}{2.10 \cdot 10^{-8}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.1}{1.84 \cdot 10^{-4}\,\frac{1}{y}} = 543.6\ y$$

$$MTTFD_{ges} = \frac{1}{\frac{1}{76.1\ y} + \frac{1}{1028.8\ y} + \frac{1}{1108.6\ y} + \frac{1}{913.2\ y} + \frac{1}{7065.2\ y} + \frac{1}{543.6\ y} + \frac{1}{543.6\ y} + \frac{1}{1028.8\ y} + \frac{1}{543.5\ y}} = 44.0\ y$$

$$DC_{avg} = \frac{\frac{99\%}{76.1\ y} + \frac{99\%}{1028.8\ y} + \frac{99\%}{1108.6\ y} + \frac{99\%}{913.2\ y} + \frac{99\%}{7065.2\ y} + \frac{99\%}{7065.2\ y} + \frac{90\%}{543.6\ y} + \frac{90\%}{543.6\ y} + \frac{90\%}{543.6\ y} + \frac{90\%}{543.6\ y} + \frac{99\%}{1028.8\ y} + \frac{99\%}{543.5\ y}}{\frac{1}{76.1\ y} + \frac{1}{1028.8\ y} + \frac{1}{1108.6\ y} + \frac{1}{913.2\ y} + \frac{1}{7065.2\ y} + \frac{1}{7065.2\ y} + \frac{1}{543.6\ y} + \frac{1}{543.6\ y} + \frac{1}{543.6\ y} + \frac{1}{543.6\ y} + \frac{1}{1028.8\ y} + \frac{1}{543.5\ y}} = 96.51\%$$


NOTE
Category
This structure is possible up to category 4 at the most through the use of the type 4 (category 4) light curtain.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


3.10 EK1960 safety mat inputs / digital outputs (category 2, PL d)

The safety mat is wired to safe input S17 (or 8.7) on the X8 10-pole connector. The first output group on the
10-pole X7 connector is configured as a clock source (for FSOUT module 3, the parameter Diag TestPulse
for Inputs active is set to TRUE). For input S16, the parameter Channel x.Testpulse Diag Mode is configured
based on the corresponding clock source.

Contactors K5 and K6 are wired to outputs 7.5 and 7.6 on the second output module on X7. Terminal A2 of
the contactors is wired to the common ground of the 24 VDC supply of terminal X7. The feedback loops of the
two contactors are wired in series from pulse 3 to input S16 (or 8.6).

CAUTION
Safety mat wiring
Only safety mats that operate according to the principle of resistance change (resistance value: 8k2, i.e.
8.2 kΩ) are supported. The ground connection of the safety mat must be connected to the ground of the
EK1960 supply voltage according to the above drawing.


3.10.1 Parameters of the safe input and output modules

EK1960

Parameter Value
FSOUT module 3 (X7.1 – X7.4) -
8020:01 ModuloDiagTestPulse 0x00
8020:02 MultiplierDiagTestPulse 0x02
8020:03 Standard Outputs active FALSE
8020:04 Diag Testpulse active TRUE
8020:05 Diag Testpulse for Inputs active TRUE
FSOUT Module 4 (X7.5 – X7.8) -
8030:01 ModuloDiagTestPulse 0x00
8030:02 MultiplierDiagTestPulse 0x02
8030:03 Standard Outputs active FALSE
8030:04 Diag Testpulse active TRUE
8030:05 Diag Testpulse for Inputs active FALSE
FSIN Module 8 (X8.5 – X8.6) -
80E1:04 Channel 2.InputFilterTime 0x0014
80E1:05 Channel 2.DiagTestPulseFilterTime 0x0002
80E1:06 Channel 2.Testpulse Diag Mode (X7.3) Testpulse Detection Output Module 3.Channel 3
FSIN Module 9 (X8.7 – X8.8) -
80F0:03 Input Mode Bumper Mode Channel 1 (1)
80F1:01 Channel 1.InputFilterTime 0x0014
80F1:02 Channel 1.DiagTestPulseFilterTime 0x0002
80F1:03 Channel 1.Testpulse Diag Mode External test pulses (0)

MON FB parameter

Parameter Value
Reset Time (ms) (Port EDM1) 1000

3.10.2 Block formation and safety loops

3.10.2.1 Safety function 1


3.10.3 Calculation

3.10.3.1 PFHD / MTTFD / B10D – values


Component Value
EK1960 digital input – PFHD 6.40E-11
EK1960 safety mat input - PFHD 8.84E-10
EK1960 logic – PFHD 5.18E-09
EK1960 digital output – PFHD 1.50E-10
Safety mat – B10D 6,000,000
K5 – B10D 1,300,000
K6 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 60 (1x per hour)
Lifetime (T1) 20 years = 175200 hours

Safety-over-EtherCAT communication
The PFHD value of the Safety-over-EtherCAT (FSoE) communication is included in the PFHD value
of the EK1960 logic component.

3.10.3.2 Diagnostic Coverage DC


Component Value
Safety mat with testing DCavg=90%
K5/K6 with EDM monitoring (actuation 1x per hour and evaluation of all rising and falling edges with temporal monitoring) with testing DCavg=99%

3.10.3.3 Calculation of safety function 1

Calculation of the performance level according to EN ISO 13849-1:2015:

Calculation of the MTTFD values from the B10D values.

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTFD = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

Safety switching mat:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{60} = 3680$$

$$MTTFD(\text{SwitchingMat}) = \frac{6000000}{0.1 \cdot 3680} = 16304\ y$$


K5/K6:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{60} = 3680$$

$$MTTFD = \frac{1300000}{0.1 \cdot 3680} = 3532\ y$$

The total MTTFD value is calculated based on the following formula:

$$\frac{1}{MTTFD_{ges}} = \sum_{i=1}^{n} \frac{1}{MTTFD_i}$$

as:

$$\frac{1}{MTTFD_{ges}} = \frac{1}{MTTFD(\text{SwitchingMat})} + \frac{1}{MTTFD(\text{EK1960-InputSwitchingMat})} + \frac{1}{MTTFD(\text{EK1960-Logic})} + \frac{1}{MTTFD(\text{EK1960-Output})} + \frac{1}{MTTFD(K5)}$$

If only PFHD values are available for the EK1960 components, the following estimation applies:

$$MTTFD(\text{EK1960-xxx}) = \frac{1 - DC(\text{EK1960-xxx})}{PFH(\text{EK1960-xxx})}$$

Hence:

$$MTTFD(\text{EK1960-InputSwitchingMat}) = \frac{1 - DC(\text{EK1960-InputSwitchingMat})}{PFH_D(\text{EK1960-InputSwitchingMat})} = \frac{1 - 0.90}{8.84 \cdot 10^{-10}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.1}{7.74 \cdot 10^{-6}\,\frac{1}{y}} = 12913\ y$$

$$MTTFD(\text{EK1960-Logic}) = \frac{1 - DC(\text{EK1960-Logic})}{PFH_D(\text{EK1960-Logic})} = \frac{1 - 0.99}{5.18 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{4.54 \cdot 10^{-5}\,\frac{1}{y}} = 220\ y$$

$$MTTFD(\text{EK1960-Output}) = \frac{1 - DC(\text{EK1960-Output})}{PFH_D(\text{EK1960-Output})} = \frac{1 - 0.99}{1.50 \cdot 10^{-10}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.31 \cdot 10^{-6}\,\frac{1}{y}} = 7610\ y$$

$$MTTFD_{ges} = \frac{1}{\frac{1}{16304\ y} + \frac{1}{12913\ y} + \frac{1}{220\ y} + \frac{1}{7610\ y} + \frac{1}{3532\ y}} = 196\ y$$

$$DC_{avg} = \frac{\frac{90\%}{16304\ y} + \frac{90\%}{12913\ y} + \frac{99\%}{220\ y} + \frac{99\%}{7610\ y} + \frac{99\%}{3532\ y} + \frac{99\%}{3532\ y}}{\frac{1}{16304\ y} + \frac{1}{12913\ y} + \frac{1}{220\ y} + \frac{1}{7610\ y} + \frac{1}{3532\ y} + \frac{1}{3532\ y}} = 98.76\%$$


NOTE
Category
This structure is possible up to category 2 at the most.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


Calculation of PFHD values according to EN 62061:

assuming that the safety mat, K5 and K6 are all single-channel:

$$MTTFD = \frac{1}{\lambda_D}$$

produces for

$$PFH_D = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTFD}$$

Safety switching mat:

$$PFH_D = \frac{1 - 0.90}{16304 \cdot 8760} = 7.00 \cdot 10^{-10}$$

K5/K6:

$$PFH_D = \frac{1 - 0.99}{3532 \cdot 8760} = 3.23 \cdot 10^{-10}$$

The following assumptions must now be made:

Relays K5 and K6 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K5 and K6 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{D,ges} = PFH_D(\text{SwitchingMat}) + PFH_D(\text{EK1960-InputSwitchingMat}) + PFH_D(\text{EK1960-Logic}) + PFH_D(\text{EK1960-Output})$$
$$+ \beta \cdot \frac{PFH_D(K5) + PFH_D(K6)}{2} + (1-\beta)^2 \cdot PFH_D(K5) \cdot PFH_D(K6) \cdot T_1$$

Since the portion $(1-\beta)^2 \cdot PFH_D(K5) \cdot PFH_D(K6) \cdot T_1$ is smaller than the rest by a power of ten, it is neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{D,ges} = 7.00 \cdot 10^{-10} + 8.84 \cdot 10^{-10} + 5.18 \cdot 10^{-9} + 1.50 \cdot 10^{-10} + 10\% \cdot \frac{3.23 \cdot 10^{-10} + 3.23 \cdot 10^{-10}}{2} = 6.94 \cdot 10^{-9}$$

Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10⁻⁸ to < 10⁻⁷
2 ≥ 10⁻⁷ to < 10⁻⁶
1 ≥ 10⁻⁶ to < 10⁻⁵

NOTE
Safety integrity level
The application meets the requirements of safety integrity level SIL2 according to EN 62061, since the maximum achievable SIL for the safety mat input is limited to SIL 2.
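The EN 62061 part of this example reduced to code, as an added example that is not code from the guide. It takes the per-component PFHD figures of section 3.10 as inputs, keeps the $(1-\beta)^2 \cdot PFH_D(K5) \cdot PFH_D(K6) \cdot T_1$ term the text neglects so that its size relative to the β term can be checked, and applies the SIL bands of the table above together with the SIL 2 limit of the safety mat input from the note. A PFHD below the lower edge of the SIL 3 band is treated as meeting SIL 3, the highest level EN 62061 covers. Constant and function names are my own.

```python
"""EN 62061 check of section 3.10: total PFHD, the dropped second-order term, SIL.

Added example, not the guide's code. The per-component PFHD values are the
figures of section 3.10; the SIL bands are the EN 62061 table reproduced there.
"""
from typing import Optional, Tuple

T1_HOURS = 175200      # lifetime T1, 20 years
BETA = 0.10            # worst-case common-cause factor assumed in the guide

# PFHD per hour of the single-channel components (section 3.10 figures)
SINGLE_CHANNEL = {
    "SwitchingMat": 7.00e-10,
    "EK1960-InputSwitchingMat": 8.84e-10,
    "EK1960-Logic": 5.18e-9,
    "EK1960-Output": 1.50e-10,
}
PFH_K5 = PFH_K6 = 3.23e-10   # the two-channel contactor pair

# EN 62061 SIL bands as tabulated in the guide: (SIL, upper limit of its PFHD band)
SIL_BANDS = ((3, 1e-7), (2, 1e-6), (1, 1e-5))


def two_channel_terms(pfh_a: float, pfh_b: float,
                      beta: float = BETA, t1: float = T1_HOURS) -> Tuple[float, float]:
    """Common-cause term beta*(a+b)/2 and independent term (1-beta)^2*a*b*T1 of a pair."""
    return beta * (pfh_a + pfh_b) / 2, (1 - beta) ** 2 * pfh_a * pfh_b * t1


def total_pfh(include_second_order: bool = False) -> float:
    """PFHD,ges of safety function 1; the second-order term is left out as in the
    guide unless include_second_order is set."""
    ccf, independent = two_channel_terms(PFH_K5, PFH_K6)
    total = sum(SINGLE_CHANNEL.values()) + ccf
    return total + independent if include_second_order else total


def second_order_ratio() -> float:
    """How much smaller the dropped term is than the beta term it sits next to."""
    ccf, independent = two_channel_terms(PFH_K5, PFH_K6)
    return independent / ccf


def sil_from_pfh(pfh: float, subsystem_limit: Optional[int] = None) -> Optional[int]:
    """Highest SIL whose PFHD band contains or lies above pfh, then capped by the
    weakest subsystem (here SIL 2 for the safety mat input). None: worse than SIL 1."""
    for sil, upper in SIL_BANDS:          # bands are ordered SIL 3, 2, 1
        if pfh < upper:
            return sil if subsystem_limit is None else min(sil, subsystem_limit)
    return None


if __name__ == "__main__":
    print(f"PFHD,ges without second-order term: {total_pfh():.3e} 1/h (guide: 6.94E-09)")
    print(f"PFHD,ges with    second-order term: {total_pfh(True):.3e} 1/h")
    print(f"dropped term / beta term: {second_order_ratio():.1e}")
    print(f"SIL by PFHD alone: {sil_from_pfh(total_pfh())}, with safety-mat limit: "
          f"{sil_from_pfh(total_pfh(), subsystem_limit=2)}")
```

Running it shows the dropped term is more than three orders of magnitude below the β term it accompanies, which is what justifies neglecting it, and that the PFHD alone would satisfy SIL 3 while the structural limit of the safety mat input brings the result down to the SIL 2 stated in the note.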


3.11 EP1957 OSSD sensor for protective door (Category 4, PL e)

The OSSD Safety Sensor (in this case, for example, a proximity limit switch with a defined behavior under
error conditions (PDDB) according to EN 60947-5-3) is connected to the EP1957 via an M12 connection and
can be used, for example, for a protective door application. The power supply is on pins 1 and 3 of the M12
connection (PowerModeA). The sensor checks the wiring between the sensor and the EP1957 by means of
test pulses on the two OSSD channels and switches both OSSD signals to the safe state in case of error.
The two OSSD inputs are monitored for discrepancy within the logic.

The two actuators K1 and K2 are switched according to the protective door state. The feedback loop of the
two actuators is wired to a safe input. The test pulses are activated for this input.


3.11.1 Parameters of the safe input and output modules

EP1957

Parameter Value
FSOUT Module 1 Settings Common -
8000:04 Diag Testpulse active TRUE
8000:07 Module Fault Link active TRUE
FSOUT Module 2 Settings Common -
8010:04 Diag Testpulse active TRUE
8010:07 Module Fault Link active TRUE
FSIN Module 1 Settings Common -
8040:04 Diag Testpulse active FALSE
8040:05 Module Fault Link active TRUE
8040:0C Input Power Mode PowerMode A: Pin1(+) / Pin3(-)
FSIN Module 1 Settings Channel -
8041:01 Channel 1.InputFilterTime 0x000A (1ms)
8041:02 Channel 1.DiagTestPulseFilterTime 0x0002 (0.2 ms)
8041:04 Channel 2.InputFilterTime 0x000A (1ms)
8041:05 Channel 2.DiagTestPulseFilterTime 0x0002 (0.2 ms)
FSIN Module 4 Settings Common -
8070:04 Diag Testpulse active TRUE
8070:05 Module Fault Link active TRUE
8070:0C Input Power Mode Diag TestPulse
FSIN Module 4 Settings Channel -
8071:01 Channel 1.InputFilterTime 0x000A (1ms)
8071:02 Channel 1.DiagTestPulseFilterTime 0x0002 (0.2 ms)

MON FB parameter

Parameter Value
Reset Time (ms) (Port EDM1) 1000
Discrepancy Time (ms) (port MonIn1/MonIn2) 500
Safe Inputs After Disc Error TRUE

3.11.2 Block formation and safety loops

3.11.2.1 Safety function 1


3.11.3 Calculation

3.11.3.1 PFHD / MTTFD / B10D – values


Component Value
EP1957 – PFHD 6.50E-09
Safety sensor – PFHD 1.00E-08 (Cat. 4 / PL e)
(certified according to EN 60947-5-3 and
EN ISO 13849)
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

3.11.3.2 Diagnostic Coverage DC


Component Value
Safety sensor with OSSD outputs DCavg=99%
K1/K2 with testing and EDM DCavg=99%

3.11.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTFD = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

K1/K2:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTFD = \frac{1300000}{0.1 \cdot 7360} = 1766.3\ y = 15472788\ h$$

and the assumption that K1 and K2 are each single-channel:

$$MTTFD = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTFD}$$


K1/K2:

$$PFH = \frac{1 - 0.99}{1766.3 \cdot 8760} = 6.46 \cdot 10^{-10}$$

The following assumptions must now be made:

The contactors K1 and K2 are both connected to the safety function. The non-functioning of a contactor does
not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1
and K2 are identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case
estimation, where β = 10 %. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through contactor contacts, overtemperature in
the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(\text{SafetySensor}) + PFH(\text{EP1957}) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 1.00 \cdot 10^{-8} + 6.50 \cdot 10^{-9} + 10\% \cdot \frac{6.46 \cdot 10^{-10} + 6.46 \cdot 10^{-10}}{2} = 1.66 \cdot 10^{-8}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTFD_{ges}} = \sum_{i=1}^{n} \frac{1}{MTTFD_i}$$

as:

$$\frac{1}{MTTFD_{ges}} = \frac{1}{MTTFD(\text{SafetySensor})} + \frac{1}{MTTFD(\text{EP1957})} + \frac{1}{MTTFD(K1)}$$

If only PFHD values are available for the EP1957 and the safety sensor, the following estimation applies for such a component x:

$$MTTFD(x) = \frac{1 - DC(x)}{PFH(x)}$$

Hence:

$$MTTFD(\text{EP1957}) = \frac{1 - DC(\text{EP1957})}{PFH(\text{EP1957})} = \frac{1 - 0.99}{6.50 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{5.69 \cdot 10^{-5}\,\frac{1}{y}} = 175\ y$$

$$MTTFD(\text{SafetySensor}) = \frac{1 - DC(\text{SafetySensor})}{PFH(\text{SafetySensor})} = \frac{1 - 0.99}{1.00 \cdot 10^{-8}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{8.76 \cdot 10^{-5}\,\frac{1}{y}} = 114\ y$$

$$MTTFD_{ges} = \frac{1}{\frac{1}{114\ y} + \frac{1}{175\ y} + \frac{1}{1766.3\ y}} = 66\ y$$

$$DC_{avg} = \frac{\frac{DC}{MTTFD(\text{SafetySensor})} + \frac{DC}{MTTFD(\text{EP1957})} + \frac{DC}{MTTFD(K1)} + \frac{DC}{MTTFD(K2)}}{\frac{1}{MTTFD(\text{SafetySensor})} + \frac{1}{MTTFD(\text{EP1957})} + \frac{1}{MTTFD(K1)} + \frac{1}{MTTFD(K2)}}$$

$$DC_{avg} = \frac{\frac{99\%}{114\ y} + \frac{99\%}{175\ y} + \frac{99\%}{1766.3\ y} + \frac{99\%}{1766.3\ y}}{\frac{1}{114\ y} + \frac{1}{175\ y} + \frac{1}{1766.3\ y} + \frac{1}{1766.3\ y}} = 99.00\%$$

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN62061


Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10⁻⁸ to < 10⁻⁷
2 ≥ 10⁻⁷ to < 10⁻⁶
1 ≥ 10⁻⁶ to < 10⁻⁵

NOTE
Safety integrity level
The application meets the requirements of safety integrity level SIL3 according to EN 62061.


4 Potential groups

4.1 All-pole disconnection of a potential group with downstream interference-free standard terminals (Category 4, PL e)

The protective door uses a combination of normally closed and normally open contacts on the safe inputs of
an EL1904. The testing of the inputs is active and the signals are tested for discrepancy (200 ms). The
contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of the
output are active for this circuit.

The diagnostic information from the KL/EL9110 (24 V is present on the power contacts) is negated, ANDed
with the feedback signals from contactors K1, K2, K3 and K4 and applied to the EDM input.

The supply to the power contacts (24 V and also 0 V) of the potential group is switched off with the NO
contacts of contactors K1 and K2. The 0 V potentials of the load employed (in this case K3 and K4) must
always be fed back to the potential group.

NOTE
Safety consideration
The EL/KL9110 and EL/KL2xxx terminals used are not an active part of the safety controller. Accordingly,
the safety level attained is defined only through the higher-level safety controller. The standard terminals
are not incorporated in the calculation.
The external wiring of the standard terminals can lead to limitations in the maximum attainable safety levels.

NOTE
Power supply unit requirements
The standard terminals must be supplied with 24 V by an SELV/PELV power supply unit with an output voltage limit Umax of 60 V in the event of a fault.

CAUTION
Prevention of feedback
Feedback can be prevented by various measures (see further information below):
• No switching of loads with a separate power supply
• Ground feedback and all-pole disconnection (used in this example)
  or
  cable short-circuit fault exclusion (separate sheathed cable, wiring only inside control cabinet, dedicated earth connection per conductor)

NOTE
Interference-free Bus Terminals
A list of the interference-free Bus Terminals can be found in the Beckhoff Information System under
http://infosys.beckhoff.de.


NOTE
Maximum attainable safety level
Avoid feedback through ground feedback and all-pole disconnection:
DIN EN ISO 13849-1: max. cat. 4 PL e
IEC 61508: max. SIL3
EN 62061: max. SIL3

CAUTION
Time delay
Switching off the power supply for the potential group can delay the shutdown of the downstream contactors and actuators. This delay depends on the downstream actuators, loads and lines and must be taken into account by the user in the safety assessment.


4.1.1 Notes on prevention of feedback

4.1.1.1 No switching of loads with a separate power supply


Loads that have their own power supply must not be switched by standard terminals, since in this case
feedback via the load cannot be ruled out.

Exceptions to the general requirement are allowed only if the manufacturer of the connected load guarantees
that feedback to the control input cannot occur.

4.1.1.2 Option 1: Ground feedback and all-pole shutdown (used in this example)

The ground connection of the connected load must be fed back to the safely switched ground of the
respective output terminal or potential group. (Here: K1 – correct wiring, K2 – incorrect wiring)


4.1.1.3 Option 2: Cable short-circuit fault exclusion


If option 1 is not feasible, the ground feedback and all-pole disconnection can be dispensed with if the
danger of feedback due to a cable short-circuit can be excluded by other measures. The following measures
can be implemented as an alternative.

Alternative 1: Load connection via separate sheathed cables
The non-safely switched potential of the standard terminal may not be conducted together with other potential-conducting lines inside the same sheathed cable.

Alternative 2: Wiring only inside the control cabinet
All loads connected to the non-safe standard terminals must be located in the same control cabinet as the terminals. The cables are routed entirely inside the control cabinet.

Alternative 3: Dedicated ground connection per conductor
All conductors connected to the non-safe standard terminals are protected by a separate ground connection.

Alternative 4: Permanent (fixed) wiring, protected from external damage
All conductors connected to the non-safe standard terminals are permanently installed and protected from external damage, e.g. through a cable channel or an armored conduit.

CAUTION
Fault exclusion
The machine builder or the user is solely responsible for the correct execution and evaluation of the applied
alternatives.

4.1.2 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

4.1.3 Block formation and safety loops

4.1.3.1 Safety function 1

4.1.4 Calculation

4.1.4.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
K3 – B10D 1,300,000
K4 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours


4.1.4.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=99%
K3/K4 with EDM DCavg=90%

4.1.4.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTFD = \frac{B10_D}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTFD = \frac{1000000}{0.1 \cdot 7360} = 1358.7\ y = 11902212\ h$$

S2:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTFD = \frac{2000000}{0.1 \cdot 7360} = 2717.4\ y = 23804424\ h$$

K1/K2/K3/K4:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTFD = \frac{1300000}{0.1 \cdot 7360} = 1766.3\ y = 15472788\ h$$

and the assumption that S1, S2, K1, K2, K3 and K4 are each single-channel:

$$MTTFD = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B10_D} = \frac{1 - DC}{MTTFD}$$

S1:

$$PFH = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.40 \cdot 10^{-10}$$

S2:

$$PFH = \frac{1 - 0.99}{2717.4 \cdot 8760} = 4.20 \cdot 10^{-10}$$

K1/K2:

$$PFH = \frac{1 - 0.99}{1766.3 \cdot 8760} = 6.46 \cdot 10^{-10}$$

K3/K4:

$$PFH = \frac{1 - 0.90}{1766.3 \cdot 8760} = 6.46 \cdot 10^{-9}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Although the switches have different
values, the complete protective door switch consists of a combination of normally closed and normally open
contacts and both switches must function, so the poorer of the two values (S1) can be taken for the
combination.

The contactors K1, K2, K3 and K4 are all connected to the safety function. The non-functioning of a
contactor does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D
values for K1, K2, K3 and K4 are identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case
estimation, where β = 10 %. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through contactor contacts, overtemperature in
the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1 + PFH(\text{EL1904}) + PFH(\text{EL6900}) + PFH(\text{EL2904})$$
$$+ \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1 + \beta \cdot \frac{PFH(K3) + PFH(K4)}{2} + (1-\beta)^2 \cdot PFH(K3) \cdot PFH(K4) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 10\% \cdot \frac{8.40 \cdot 10^{-10} + 4.20 \cdot 10^{-10}}{2} + 1.11 \cdot 10^{-9} + 1.03 \cdot 10^{-9} + 1.25 \cdot 10^{-9}$$
$$+ 10\% \cdot \frac{6.46 \cdot 10^{-10} + 6.46 \cdot 10^{-10}}{2} + 10\% \cdot \frac{6.46 \cdot 10^{-9} + 6.46 \cdot 10^{-9}}{2}$$
$$= 4.16 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTFD_{ges}} = \sum_{i=1}^{n} \frac{1}{MTTFD_i}$$

as:

$$\frac{1}{MTTFD_{ges}} = \frac{1}{MTTFD(S1)} + \frac{1}{MTTFD(\text{EL1904})} + \frac{1}{MTTFD(\text{EL6900})} + \frac{1}{MTTFD(\text{EL2904})} + \frac{1}{MTTFD(K1)} + \frac{1}{MTTFD(K3)}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTFD(\text{ELxxxx}) = \frac{1 - DC(\text{ELxxxx})}{PFH(\text{ELxxxx})}$$

Hence:


$$MTTFD(\text{EL1904}) = \frac{1 - DC(\text{EL1904})}{PFH(\text{EL1904})} = \frac{1 - 0.99}{1.11 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{9.72 \cdot 10^{-6}\,\frac{1}{y}} = 1028.8\ y$$

$$MTTFD(\text{EL6900}) = \frac{1 - DC(\text{EL6900})}{PFH(\text{EL6900})} = \frac{1 - 0.99}{1.03 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{9.02 \cdot 10^{-6}\,\frac{1}{y}} = 1108.6\ y$$

$$MTTFD(\text{EL2904}) = \frac{1 - DC(\text{EL2904})}{PFH(\text{EL2904})} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\frac{1}{y}} = 913.2\ y$$

$$MTTFD_{ges} = \frac{1}{\frac{1}{1358.7\ y} + \frac{1}{1028.8\ y} + \frac{1}{1108.6\ y} + \frac{1}{913.2\ y} + \frac{1}{1766.3\ y} + \frac{1}{1766.3\ y}} = 206.7\ y$$

$$DC_{avg} = \frac{\frac{99\%}{1358.7\ y} + \frac{99\%}{2717.4\ y} + \frac{99\%}{1028.8\ y} + \frac{99\%}{1108.6\ y} + \frac{99\%}{913.2\ y} + \frac{99\%}{1766.3\ y} + \frac{99\%}{1766.3\ y} + \frac{90\%}{1766.3\ y} + \frac{90\%}{1766.3\ y}}{\frac{1}{1358.7\ y} + \frac{1}{2717.4\ y} + \frac{1}{1028.8\ y} + \frac{1}{1108.6\ y} + \frac{1}{913.2\ y} + \frac{1}{1766.3\ y} + \frac{1}{1766.3\ y} + \frac{1}{1766.3\ y} + \frac{1}{1766.3\ y}} = 97.39\%$$
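The complete calculation chain of this safety function in code, as an added example that is not part of the guide: nop from dop, hop and Tcycle, MTTFD from B10D, PFH from MTTFD and DC, the β term for each two-channel pair, MTTFDges over one part per channel (taking the poorer of S1/S2, as the text does) and DCavg over every part. Sections 3.8 to 3.11 walk through the same procedure by hand, so their inputs can be substituted. Class and function names are mine; the part names and values are those of section 4.1. The second-order terms the text neglects are returned separately so their share of the total can be seen.

```python
"""Safety-parameter chain of the worked examples (EN ISO 13849-1 figures).

Added example; not code from the Beckhoff guide. Inputs are the values of
section 4.1 (all-pole disconnection); part names are the guide's, the
class and function names are mine.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Part:
    name: str
    dc: float                     # diagnostic coverage, 0.99 = 99 %
    pfh: Optional[float] = None   # PFHD per hour, when the manufacturer gives one
    b10d: Optional[float] = None  # B10D in cycles, for electromechanical parts


def n_op(d_op: int, h_op: int, t_cycle_min: float) -> float:
    """Operations per year: nop = dop * hop * 60 / Tcycle."""
    return d_op * h_op * 60 / t_cycle_min


def mttfd_years(p: Part, nop: float) -> float:
    """MTTFD = B10D / (0.1 * nop) for B10D parts, else the estimate (1 - DC) / PFH."""
    if p.b10d is not None:
        return p.b10d / (0.1 * nop)
    return (1 - p.dc) / (p.pfh * HOURS_PER_YEAR)


def pfh_per_hour(p: Part, nop: float) -> float:
    """PFH = (1 - DC) / MTTFD for single-channel B10D parts; given PFHD otherwise."""
    if p.pfh is not None:
        return p.pfh
    return (1 - p.dc) / (mttfd_years(p, nop) * HOURS_PER_YEAR)


def evaluate(singles: List[Part], pairs: List[Tuple[Part, Part]], nop: float,
             beta: float = 0.10, t1_hours: float = 175200) -> Tuple[float, float, float, float]:
    """Return (PFHges, MTTFDges in years, DCavg, sum of the neglected second-order terms).

    singles: parts in the single-channel path (summed directly).
    pairs:   two-channel part pairs, which contribute beta * (PFH(a) + PFH(b)) / 2.
    MTTFDges counts one part per pair, the poorer one (the guide takes S1 of
    S1/S2); DCavg counts every part.
    """
    pfh_total = sum(pfh_per_hour(p, nop) for p in singles)
    neglected = 0.0
    for a, b in pairs:
        pa, pb = pfh_per_hour(a, nop), pfh_per_hour(b, nop)
        pfh_total += beta * (pa + pb) / 2
        # (1 - beta)^2 * PFH(a) * PFH(b) * T1: dropped in the guide's figures,
        # tracked here so the reader can confirm it is orders of magnitude smaller
        neglected += (1 - beta) ** 2 * pa * pb * t1_hours

    per_channel = list(singles) + [min(a, b, key=lambda p: mttfd_years(p, nop))
                                   for a, b in pairs]
    mttfd_total = 1 / sum(1 / mttfd_years(p, nop) for p in per_channel)

    every_part = list(singles) + [p for pair in pairs for p in pair]
    dc_avg = (sum(p.dc / mttfd_years(p, nop) for p in every_part)
              / sum(1 / mttfd_years(p, nop) for p in every_part))
    return pfh_total, mttfd_total, dc_avg, neglected


def contactor(name: str, dc: float) -> Part:
    """Contactor with the B10D of 1,300,000 cycles used throughout the guide."""
    return Part(name, dc, b10d=1_300_000)


def section_4_1() -> Tuple[float, float, float, float]:
    """Safety function 1 of section 4.1: 230 d/y, 8 h/d, one cycle per 15 min."""
    nop = n_op(230, 8, 15)   # 7360 operations per year
    singles = [Part("EL1904", 0.99, pfh=1.11e-9),
               Part("EL6900", 0.99, pfh=1.03e-9),
               Part("EL2904", 0.99, pfh=1.25e-9)]
    pairs = [(Part("S1", 0.99, b10d=1_000_000), Part("S2", 0.99, b10d=2_000_000)),
             (contactor("K1", 0.99), contactor("K2", 0.99)),
             (contactor("K3", 0.90), contactor("K4", 0.90))]
    return evaluate(singles, pairs, nop)


if __name__ == "__main__":
    pfh, mttfd, dc, dropped = section_4_1()
    print(f"PFHges   = {pfh:.2e} 1/h   (guide: 4.16E-09)")
    print(f"MTTFDges = {mttfd:.1f} y     (guide: 206.7 y)")
    print(f"DCavg    = {dc:.2%}       (guide: 97.39 %)")
    print(f"neglected (1-b)^2*PFH*PFH*T1 terms: {dropped:.2e} 1/h")
```

The code works from unrounded intermediate values, so the last digit can differ from the hand calculation, which rounds MTTFD to one decimal before dividing; the ranges the classification tables below apply to are unaffected by that.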


NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN62061


Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10⁻⁸ to < 10⁻⁷
2 ≥ 10⁻⁷ to < 10⁻⁶
1 ≥ 10⁻⁶ to < 10⁻⁵


4.2 Single-pole disconnection of a potential group with downstream interference-free standard terminals with fault exclusion (Category 4, PL e)

The protective door uses a combination of normally closed and normally open contacts on the safe inputs of
an EL1904. Testing of the inputs is active, and the signals are checked for discrepancy (200 ms in this case).
The contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing of
the output are active for this circuit.
The feedback signals of the contactors K1, K2, K3 and K4 are applied to the EDM input.

Only the 24 V supply to the power contacts of the potential group is switched off with the make contacts of
contactors K1 and K2. The 0 V connection of the power contacts is fed directly back to the 0 V of the power
supply.

The 0 V potentials of all loads and devices that are used have to be at or connected to the same potential.

NOTE
Safety consideration
The EL/KL9110 and EL/KL2xxx terminals used are not an active part of the safety controller. Accordingly, the safety level attained is defined only through the higher-level safety controller. The standard terminals are not incorporated in the calculation.
The external wiring of the standard terminals can lead to limitations in the maximum attainable safety levels.

NOTE
Power supply unit requirements
The standard terminals must be supplied with 24 V by an SELV/PELV power supply unit with an output voltage limit Umax of 60 V in the event of a fault.

CAUTION
Prevention of feedback
Feedback can be prevented by various measures (see further information below):
• No switching of loads with a separate power supply
• Ground feedback and all-pole disconnection, or cable short-circuit fault exclusion (separate sheathed cable, wiring only inside control cabinet, dedicated earth connection per conductor) (used in this example)

NOTE
Interference-free Bus Terminals
A list of the interference-free Bus Terminals can be found in the Beckhoff Information System under
http://infosys.beckhoff.de.

NOTE
Maximum attainable safety level
Avoiding feedback through short-circuit fault exclusion:
DIN EN ISO 13849-1: max. cat. 4 PL e
IEC 61508: max. SIL3
EN 62061: max. SIL2

NOTE
Fault exclusion
Due to the "line short circuit" fault exclusion in the wiring from the interference-free standard output terminals EL/KL2xxx to the load (K3, K4 in this case), a power feed terminal with diagnostic function is not required in this case. Power feed terminals of type EL/KL9xxx can therefore be used.
The 0 V potentials of the load (K3, K4 in this case) have to be identical to the 0 V potential of the power supply for the potential group.

CAUTION
Time delay
Switching off the power supply for the potential group can delay the shutdown of the downstream contactors and actuators. This delay depends on the downstream actuators, loads and lines and must be taken into account by the user in the safety assessment.

4.2.1 Notes on prevention of feedback

4.2.1.1 No switching of loads with a separate power supply


Loads that have their own power supply must not be switched by standard terminals, since in this case
feedback via the load cannot be ruled out.

Exceptions to the general requirement are allowed only if the manufacturer of the connected load guarantees
that feedback to the control input cannot occur.

4.2.1.2 Option 1: Ground feedback and all-pole disconnection


The ground connection of the connected load must be fed back to the safely switched ground of the
respective output terminal or potential group. (Here: K1 – correct wiring, K2 – incorrect wiring)

4.2.1.3 Option 2: Cable short-circuit error exclusion (used in this example)


If option 1 is not feasible, the ground feedback and all-pole disconnection can be dispensed with if the
danger of feedback due to a cable short-circuit can be excluded by other measures. The following measures
can be implemented as an alternative.

Alternative 1: Load connection via separate sheathed cables
The non-safely switched potential of the standard terminal may not be conducted together with other potential-conducting lines inside the same sheathed cable.

Alternative 2: Wiring only inside the control cabinet
All loads connected to the non-safe standard terminals must be located in the same control cabinet as the terminals. The cables are routed entirely inside the control cabinet.

Alternative 3: Dedicated ground connection per conductor
All conductors connected to the non-safe standard terminals are protected by a separate ground connection.

Alternative 4: Permanent (fixed) wiring, protected from external damage
All conductors connected to the non-safe standard terminals are permanently installed and protected from external damage, e.g. through a cable channel or an armored conduit.

CAUTION
Fault exclusion
The machine builder or the user is solely responsible for the correct execution and evaluation of the applied
alternatives.

4.2.2 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

4.2.3 Block formation and safety loops

4.2.3.1 Safety function 1

4.2.4 Calculation

4.2.4.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
K3 – B10D 1,300,000
K4 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

4.2.4.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
K1/K2 with testing and EDM DCavg=99%
K3/K4 with EDM DCavg=90%

4.2.4.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{1\,000\,000}{0.1 \cdot 7360} = 1358.7\,\mathrm{y} = 11\,902\,212\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{2\,000\,000}{0.1 \cdot 7360} = 2717.4\,\mathrm{y} = 23\,804\,424\,\mathrm{h}$$

K1/K2/K3/K4:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 7360} = 1766.3\,\mathrm{y} = 15\,472\,788\,\mathrm{h}$$

and the assumption that S1, S2, K1, K2, K3 and K4 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.40 \cdot 10^{-10}$$

S2:

$$PFH = \frac{1 - 0.99}{2717.4 \cdot 8760} = 4.20 \cdot 10^{-10}$$

K1/K2:

$$PFH = \frac{1 - 0.99}{1766.3 \cdot 8760} = 6.46 \cdot 10^{-10}$$

K3/K4:

$$PFH = \frac{1 - 0.90}{1766.3 \cdot 8760} = 6.46 \cdot 10^{-9}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

The contactors K1, K2, K3 and K4 are all connected to the safety function. The non-functioning of a
contactor does not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D
values for K1, K2, K3 and K4 are identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through contactor contacts, overtemperature in
the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1 + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1 + \beta \cdot \frac{PFH(K3) + PFH(K4)}{2} + (1-\beta)^2 \cdot PFH(K3) \cdot PFH(K4) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

This gives:

$$PFH_{ges} = 10\% \cdot \frac{8.40 \cdot 10^{-10} + 4.20 \cdot 10^{-10}}{2} + 1.11 \cdot 10^{-9} + 1.03 \cdot 10^{-9} + 1.25 \cdot 10^{-9} + 10\% \cdot \frac{6.46 \cdot 10^{-10} + 6.46 \cdot 10^{-10}}{2} + 10\% \cdot \frac{6.46 \cdot 10^{-9} + 6.46 \cdot 10^{-9}}{2} = 4.16 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(K3)}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \cdot 10^{-6}\,\frac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \cdot 10^{-6}\,\frac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{1358.7\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}}} = 206.7\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{1358.7\,\mathrm{y}} + \frac{99\%}{2717.4\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{99\%}{1766.3\,\mathrm{y}} + \frac{99\%}{1766.3\,\mathrm{y}} + \frac{90\%}{1766.3\,\mathrm{y}} + \frac{90\%}{1766.3\,\mathrm{y}}}{\frac{1}{1358.7\,\mathrm{y}} + \frac{1}{2717.4\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}}} = 97.39\%$$

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN 62061

Safety integrity level   Probability of a dangerous failure per hour (PFHD)
3                        ≥ 10⁻⁸ to < 10⁻⁷ (*)
2                        ≥ 10⁻⁷ to < 10⁻⁶
1                        ≥ 10⁻⁶ to < 10⁻⁵

(*) In accordance with EN 62061 chapter 6.7.7.2, SILCL is restricted to a maximum of SIL2 in relation to structural constraints for a subsystem that has an HFT of 0 and for which fault exclusions have been applied to faults that could lead to a dangerous failure.

4.3 EL2911 potential group with interference-free standard terminals (Category 4, PL e)

The protective door uses a combination of NC and NO contacts and is wired to safe inputs of the EL2911.
Testing of the inputs is active, and the signals are checked for discrepancy (500 ms in this case). The 24 V
supply of the power contacts of the potential group is switched off at the safe output. The 0 V connection of
the power contacts is fed directly back to the 0 V of the power supply of the EL2911.

The EL2911 monitors a feedback to the 24 VDC to the power contacts and enters the module error state as
soon as a voltage higher than 5 V is read in the switched-off state.

The feedback loop of the contactors K3 and K4 is connected to a safe input of the EL2911.

The 0 V potentials of all loads and devices that are used have to be at or connected to the same potential.

NOTE
Safety consideration
The EL2xxx terminals used are not an active part of the safety controller. Accordingly, the safety level attained is defined only through the higher-level safety controller. The standard terminals are not incorporated in the calculation, but they must be interference-free.
The external wiring of the standard terminals can lead to limitations in the maximum attainable safety levels.

CAUTION
Power supply unit requirements
The standard terminals must be supplied with 24 VDC by an SELV/PELV power supply unit with an output voltage limit Umax of 36 V in the event of a fault.

CAUTION
Prevention of feedback
Feedback can be prevented by various measures (see further information below):
• No switching of loads with a separate power supply
• Cable short-circuit fault exclusion (separate non-metallic sheathed cable, wiring only inside control cabinet, dedicated earth connection per conductor, fixed installation)

CAUTION
Interference-free EtherCAT Terminals
In the potential group connected through the EL2911, only interference-free standard terminals must be
used. A list of the interference-free EtherCAT Terminals can be found in the Beckhoff Information System
under
http://infosys.beckhoff.de.

CAUTION
Maximum attainable safety level
Avoiding feedback through short-circuit fault exclusion:
DIN EN ISO 13849-1: max. cat. 4 PL e
IEC 61508: max. SIL3
EN 62061: max. SIL2

CAUTION
Potential 0V
The 0 V potentials of the load (in this case K3, K4) must be identical to the 0 V potential of the power supply
of the EL2911.

CAUTION
Time delay
Switching off the power supply for the potential group can delay the shutdown of the downstream contactors and actuators. This delay depends on the downstream actuators, loads and lines and must be taken into account by the user in the safety assessment.

4.3.1 Notes on prevention of feedback

4.3.1.1 No switching of loads with a separate power supply


Loads that have their own power supply must not be switched by standard terminals, since in this case
feedback via the load cannot be ruled out.

CAUTION
Manufacturer's data
Exceptions to the general requirement are allowed only if the manufacturer of the connected load guarantees that feedback to the control input cannot occur.

4.3.1.2 Cable short-circuit fault exclusion


The danger of feedback on account of a cable short-circuit must be ruled out through further measures. The
following measures can be implemented as an alternative.

Alternative 1: Load connection via separate sheathed cables
The non-safely switched potential of the standard terminal may not be conducted together with other potential-conducting lines inside the same sheathed cable.

Alternative 2: Wiring only inside the control cabinet
All loads connected to the non-safe standard terminals must be located in the same control cabinet as the terminals. The cables are routed entirely inside the control cabinet.

Alternative 3: Dedicated earth connection per conductor
All conductors connected to the non-safe standard terminals are protected by a separate ground connection.

Alternative 4: Permanent (fixed) wiring, protected from external damage
All conductors connected to the non-safe standard terminals are permanently installed and protected from external damage, e.g. through a cable duct or an armored conduit.

CAUTION
Fault exclusion
The machine manufacturer or the user is solely responsible for the correct execution and evaluation of the
applied alternatives.

4.3.2 EL2911 parameters

EL2911

Parameter Value
FSOUT Settings Common -
0x8000:04 – Diag Testpulse active TRUE
0x8000:12 – Output Cross Circuit Detection Delay 1000 ms
FSIN Settings Common -
0x8010:02 - MultiplierDiagTestPulse 0x01
0x8010:04 – Diag TestPulse active TRUE
FSIN Settings Channel -
0x8011:01 – Channel 1.InputFilterTime 0x0014 (2 ms)
0x8011:02 – Channel 1.DiagTestPulseFilterTime 0x0002 (0.2 ms)
0x8011:04 – Channel 2.InputFilterTime -
0x8011:05 – Channel 2.DiagTestPulseFilterTime -
0x8011:07 – Channel 3.InputFilterTime 0x0014 (2 ms)
0x8011:08 – Channel 3.DiagTestPulseFilterTime 0x0002 (0.2 ms)
0x8011:0A – Channel 4.InputFilterTime 0x0014 (2 ms)
0x8011:0B – Channel 4.DiagTestPulseFilterTime 0x0002 (0.2 ms)

FB MON

Parameter Value
Reset Time (ms) (Port EDM1) 1000
Discrepancy Time (ms) (port MonIn1/MonIn2) 500
Safe Inputs After Disc Error TRUE

4.3.3 Block formation and safety loops

4.3.3.1 Safety function 1

4.3.4 Calculation

4.3.4.1 PFHD / MTTFD / B10D – values


Component Value
EL2911 – PFHD 4.50E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K3 – B10D 1,300,000
K4 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

4.3.4.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
K3/K4 with EDM DCavg=90%

4.3.4.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{1\,000\,000}{0.1 \cdot 7360} = 1358.7\,\mathrm{y} = 11\,902\,212\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{2\,000\,000}{0.1 \cdot 7360} = 2717.4\,\mathrm{y} = 23\,804\,424\,\mathrm{h}$$

K3/K4:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 7360} = 1766.3\,\mathrm{y} = 15\,472\,788\,\mathrm{h}$$

and the assumption that S1, S2, K3 and K4 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.40 \cdot 10^{-10}$$

S2:

$$PFH = \frac{1 - 0.99}{2717.4 \cdot 8760} = 4.20 \cdot 10^{-10}$$

K3/K4:

$$PFH = \frac{1 - 0.90}{1766.3 \cdot 8760} = 6.46 \cdot 10^{-9}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

The contactors K3 and K4 are both connected to the safety function. The non-functioning of a contactor does
not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K3
and K4 are identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through contactor contacts, overtemperature in
the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1 + PFH(EL2911) + \beta \cdot \frac{PFH(K3) + PFH(K4)}{2} + (1-\beta)^2 \cdot PFH(K3) \cdot PFH(K4) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

This gives:

$$PFH_{ges} = 10\% \cdot \frac{8.40 \cdot 10^{-10} + 4.20 \cdot 10^{-10}}{2} + 4.50 \cdot 10^{-9} + 10\% \cdot \frac{6.46 \cdot 10^{-9} + 6.46 \cdot 10^{-9}}{2} = 5.21 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL2911)} + \frac{1}{MTTF_D(K3)}$$

If only PFHD values are available for EL2911, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL2911) = \frac{1 - DC(EL2911)}{PFH(EL2911)} = \frac{1 - 0.99}{4.50 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{3.94 \cdot 10^{-5}\,\frac{1}{\mathrm{y}}} = 253\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{1358.7\,\mathrm{y}} + \frac{1}{253\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}}} = 190\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(S1)} + \frac{DC}{MTTF_D(S2)} + \frac{DC}{MTTF_D(EL2911)} + \frac{DC}{MTTF_D(K3)} + \frac{DC}{MTTF_D(K4)}}{\frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(EL2911)} + \frac{1}{MTTF_D(K3)} + \frac{1}{MTTF_D(K4)}}$$

$$DC_{avg} = \frac{\frac{99\%}{1358.7\,\mathrm{y}} + \frac{99\%}{2717.4\,\mathrm{y}} + \frac{99\%}{253\,\mathrm{y}} + \frac{90\%}{1766.3\,\mathrm{y}} + \frac{90\%}{1766.3\,\mathrm{y}}}{\frac{1}{1358.7\,\mathrm{y}} + \frac{1}{2717.4\,\mathrm{y}} + \frac{1}{253\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}}} = 97.35\%$$
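
The calculation chain used in sections 4.2 and 4.3 above (and again in 4.4, which only adds a second EL2911 as a further single element) is the same each time: B10D and n_op give MTTFD, (1 - DC)/MTTFD gives PFHD for the single-channel parts, the two-channel pairs enter PFHges weighted by β, MTTFDges is the reciprocal sum over the poorer member of each pair plus the single elements, and DCavg is the MTTFD-weighted mean of the DC values. The following Python script is an added worked example and is not part of the Beckhoff guide: the component values are the ones printed in the guide's tables, the function and class names (n_op, Component, evaluate, section_4_2 and so on) are this example's own, and it also computes the (1-β)²·PFH(x)·PFH(y)·T1 term that the guide neglects, so that its size relative to the total can be checked.

```python
# Added worked example (not from the Beckhoff Application Guide): reproduces the
# PFHD / MTTFD / DCavg arithmetic of sections 4.2, 4.3 and 4.4 for a generic
# list of components. Component values are the ones printed in the guide's tables;
# function and class names are this example's own.
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760


def n_op(d_op: int, h_op: int, t_cycle_min: float) -> float:
    """Mean number of annual operations: n_op = d_op * h_op * 60 / T_cycle."""
    return d_op * h_op * 60 / t_cycle_min


@dataclass
class Component:
    name: str
    dc: float                      # diagnostic coverage (0.99 = 99 %)
    b10d: Optional[float] = None   # B10D in cycles (switches, contactors)
    pfh: Optional[float] = None    # PFHD in 1/h (terminals with manufacturer data)

    def mttfd_y(self, nop: float) -> float:
        """MTTFD in years: B10D/(0.1*n_op), or (1-DC)/PFHD if only PFHD is known."""
        if self.b10d is not None:
            return self.b10d / (0.1 * nop)
        return (1 - self.dc) / self.pfh / HOURS_PER_YEAR

    def pfh_d(self, nop: float) -> float:
        """PFHD in 1/h: the given value, or (1-DC)/MTTFD for single-channel parts."""
        if self.pfh is not None:
            return self.pfh
        return (1 - self.dc) / (self.mttfd_y(nop) * HOURS_PER_YEAR)


@dataclass
class Result:
    pfh_total: float        # PFHges in 1/h (product terms neglected, as in the guide)
    mttfd_total_y: float    # MTTFDges in years
    dc_avg: float           # DCavg as a fraction (0..1)
    neglected_max: float    # largest (1-beta)^2 * PFH_x * PFH_y * T1 term, 1/h


def evaluate(pairs: List[Tuple[Component, Component]], singles: List[Component],
             nop: float, beta: float = 0.10, t1_h: float = 175200.0) -> Result:
    """Combine two-channel pairs (common-cause factor beta) and single elements."""
    pfh_total = 0.0
    neglected = 0.0
    inv_mttfd_worst = 0.0   # 1/MTTFD over the poorer member of each pair + singles
    num = den = 0.0         # DCavg = sum(DC/MTTFD) / sum(1/MTTFD) over all parts
    for x, y in pairs:
        px, py = x.pfh_d(nop), y.pfh_d(nop)
        pfh_total += beta * (px + py) / 2
        neglected = max(neglected, (1 - beta) ** 2 * px * py * t1_h)
        inv_mttfd_worst += 1 / min(x.mttfd_y(nop), y.mttfd_y(nop))
        for c in (x, y):
            num += c.dc / c.mttfd_y(nop)
            den += 1 / c.mttfd_y(nop)
    for c in singles:
        pfh_total += c.pfh_d(nop)
        inv_mttfd_worst += 1 / c.mttfd_y(nop)
        num += c.dc / c.mttfd_y(nop)
        den += 1 / c.mttfd_y(nop)
    return Result(pfh_total, 1 / inv_mttfd_worst, num / den, neglected)


# Values from the guide's tables (sections 4.2 / 4.3 / 4.4): 230 d, 8 h, 15 min cycle.
NOP = n_op(230, 8, 15)                       # 7360 operations per year
S1 = Component("S1", 0.99, b10d=1_000_000)
S2 = Component("S2", 0.99, b10d=2_000_000)
K1 = Component("K1", 0.99, b10d=1_300_000)   # tested output + EDM
K2 = Component("K2", 0.99, b10d=1_300_000)
K3 = Component("K3", 0.90, b10d=1_300_000)   # EDM only
K4 = Component("K4", 0.90, b10d=1_300_000)
EL1904 = Component("EL1904", 0.99, pfh=1.11e-9)
EL6900 = Component("EL6900", 0.99, pfh=1.03e-9)
EL2904 = Component("EL2904", 0.99, pfh=1.25e-9)
EL2911 = Component("EL2911", 0.99, pfh=4.50e-9)


def section_4_2() -> Result:
    return evaluate([(S1, S2), (K1, K2), (K3, K4)], [EL1904, EL6900, EL2904], NOP)


def section_4_3() -> Result:
    return evaluate([(S1, S2), (K3, K4)], [EL2911], NOP)


def section_4_4() -> Result:
    return evaluate([(S1, S2), (K3, K4)], [EL2911, EL2911], NOP)


if __name__ == "__main__":
    for label, fn in (("4.2", section_4_2), ("4.3", section_4_3), ("4.4", section_4_4)):
        r = fn()
        print(f"{label}: PFHD={r.pfh_total:.2e} 1/h  MTTFD={r.mttfd_total_y:.1f} y  "
              f"DCavg={r.dc_avg:.2%}  neglected<={r.neglected_max:.1e} 1/h")
```

Running the script prints the three results; rounded to the guide's precision they agree with 4.16E-09 / 206.7 y / 97.39% (4.2), 5.21E-09 / 190 y / 97.35% (4.3) and 9.71E-09 / 108 y (4.4). The script does not round intermediate values, so a terminal's MTTFD comes out a few tenths of a year different from the guide (which divides by the rounded 9.72E-06 or 3.94E-05), which is why MTTFDges for 4.3 and 4.4 is checked to the integer year only. The largest neglected product term is below one percent of PFHges, which is the justification the guide gives for dropping it.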

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN 62061

Safety integrity level   Probability of a dangerous failure per hour (PFHD)
3                        ≥ 10⁻⁸ to < 10⁻⁷ (*)
2                        ≥ 10⁻⁷ to < 10⁻⁶
1                        ≥ 10⁻⁶ to < 10⁻⁵

(*) In accordance with EN 62061 chapter 6.7.7.2, SILCL is restricted to a maximum of SIL2 in relation to structural constraints for a subsystem that has an HFT of 0 and for which fault exclusions have been applied to faults that could lead to a dangerous failure.

4.4 EPP potential group with EPP9022-9060 (Category 4, PL e)

The protective door uses a combination of NC and NO contacts and is wired to safe inputs of the first
EL2911 (1). Testing of the inputs is active, and the signals are checked for discrepancy (500 ms in this
case). The 24 V supply Up of the potential group is switched off at the safe output of the second EL2911 (2).
The 0 V connection is fed directly back to the 0 V of the power supply of the EL2911. The 0 V potentials of
the two EL2911s are at the same potential or are bridged.

The feedback loop of the contactors K3 and K4 is connected to a safe input of the EL2911.

The 0 V potentials of all loads and devices that are used have to be at or connected to the same potential.

Diagnostics

No fault exclusion can be used for the EtherCAT p cable because Us and Up are located in a common
sheathed cable and there is no dedicated earth connection per cable.

Firstly, for diagnosis of whether there is a feedback or cross-circuit on the EtherCAT p cable, the voltages Us
and Up are measured by the EPP9022-9060 EtherCAT p Box and transmitted by TwinSAFE SC as an
analog value to the EL2911. Corruption of the analog signals on the communication path is thus ruled out.
Secondly, the EL2911 monitors a feedback to the 24 VDC of the safe output and enters the module error state
as soon as a voltage higher than 5 V is read in the switched-off state.

NOTE
Safety consideration
The EPP2xxx boxes used are not an active part of the safety controller. Accordingly, the safety level attained is defined only through the higher-level safety controller. The standard boxes are not incorporated in the calculation.
The external wiring of the standard boxes can lead to limitations in the maximum attainable safety level (see also Notes on prevention of feedback, section 4.4.1).

CAUTION
Power supply unit requirements
The standard terminals must be supplied with 24 VDC by an SELV/PELV power supply unit with an output
voltage limit Umax of 36 V in the event of a fault.

CAUTION
Prevention of feedback
Feedback can be prevented by various measures (see further information below):
• No switching of loads with a separate power supply
• Cable short-circuit fault exclusion (separate non-metallic sheathed cable, wiring only inside control cabinet, dedicated earth connection per conductor, fixed installation)

CAUTION
Maximum safety response time
The longest fault detection time (Fault Detection Time) arises when a fault is detected by reading back the feedback circuits of the contactors K3 and K4, since this time is typically very much longer than detection by reading back the voltages on the EL2911 and the EPP9022-9060. This time is set in the safety logic and should be set large enough to enable fast error detection, but such that the availability of the machine is also ensured.
The Fault Reaction Time results from the input filter time of the EL2911 (the safe input to which the feedback loop is connected), twice the cycle time of the logic program running on the EL2911 (which can also be read from the CoE objects) and the release time of the contactors K3 and K4 after the voltage at the output of the EL2911 has been switched off. This time depends strongly on the actuators employed.
These two times added together give the Safety Response Time.

$$\mathrm{SafetyResponseTime} = \mathrm{FaultDetectionTime} + \mathrm{FaultReactionTime} = \mathrm{EDM}_{time} + \mathrm{InputFilterTime}_{EL2911} + 2 \cdot \mathrm{LogicCycleTime} + \mathrm{SwitchOffTime}_{Actuators}$$

This Safety Response Time must be referred to and checked by the user or machine manufacturer for the
safety assessment of his application.

Safety application

If the safe output of the EL2911 (2) for Up is switched off, the analog value for Up transmitted via
TwinSAFE SC must signal a value smaller than 5 V. If this is not the case, both EL2911 outputs (1) + (2)
must be switched off. This is implemented, for example, via an EDM function block, which is programmed in
a TwinSAFE group with the outputs Us and Up and thus switches off the entire group and all outputs
configured within it in case of error.

Furthermore, in the case of a module error, the EL2911 (2) for Up and the EL2911 (1) for Us must be
switched off.

CAUTION
Implementation of the safety application
The user or machine manufacturer is solely responsible for the correct implementation and testing of the
safety application.

Example of a safety application

NOTE
Feedback loop
For clarity the feedback loop of the actuators K3 and K4 is not shown, but it must be taken into account by
the user.

NOTE
Maximum attainable safety level
Avoiding feedback through short-circuit fault exclusion:
DIN EN ISO 13849-1: max. cat. 4 PL e
IEC 61508: max. SIL3
EN 62061: max. SIL2

NOTE
Potential 0 V
The 0 V potentials of the load (in this case K3, K4) must be identical to the 0 V potential of the power supply
of both EL2911s.

CAUTION
Time delay
Switching off the power supply for the potential group can delay the shutdown of the downstream contactors and actuators. This delay depends on the downstream actuators, loads and lines and must be taken into account by the user in the safety assessment.

4.4.1 Notes on prevention of feedback

4.4.1.1 No switching of loads with a separate power supply


Loads that have their own power supply must not be switched by standard boxes, since in this case
feedback via the load cannot be ruled out.

CAUTION
Manufacturer's data
Exceptions to the general requirement are allowed only if the manufacturer of the connected load guarantees that feedback to the control input cannot occur.

4.4.1.2 Cable short-circuit fault exclusion


The danger of feedback on account of a cable short-circuit must be ruled out through further measures. The
following measures can be implemented as an alternative.

Alternative 1: Load connection via separate sheathed cables
The non-safely switched potential of the standard terminal may not be conducted together with other potential-conducting lines inside the same sheathed cable.

Alternative 2: Wiring only inside the control cabinet
All loads connected to the non-safe standard terminals must be located in the same control cabinet as the terminals. The cables are routed entirely inside the control cabinet.

Alternative 3: Dedicated earth connection per conductor
All conductors connected to the non-safe standard terminals are protected by a separate ground connection.

Alternative 4: Permanent (fixed) wiring, protected from external damage
All conductors connected to the non-safe standard terminals are permanently installed and protected from external damage, e.g. through a cable duct or an armored conduit.

CAUTION
Fault exclusion
The machine manufacturer or the user is solely responsible for the correct execution and evaluation of the
applied alternatives.

4.4.2 EL2911 parameters

EL2911 (applies to all EL2911s)

Parameter Value
FSOUT Settings Common -
0x8000:04 – Diag Testpulse active TRUE
0x8000:12 – Output Cross Circuit Detection Delay 1000 ms
FSIN Settings Common -
0x8010:02 - MultiplierDiagTestPulse 0x01
0x8010:04 – Diag TestPulse active TRUE
FSIN Settings Channel -
0x8011:01 – Channel 1.InputFilterTime 0x0014 (2 ms)
0x8011:02 – Channel 1.DiagTestPulseFilterTime 0x0002 (0.2 ms)
0x8011:04 – Channel 2.InputFilterTime -
0x8011:05 – Channel 2.DiagTestPulseFilterTime -
0x8011:07 – Channel 3.InputFilterTime 0x0014 (2 ms)
0x8011:08 – Channel 3.DiagTestPulseFilterTime 0x0002 (0.2 ms)
0x8011:0A – Channel 4.InputFilterTime 0x0014 (2 ms)
0x8011:0B – Channel 4.DiagTestPulseFilterTime 0x0002 (0.2 ms)

FB MON

Parameter Value
Reset Time (ms) (Port EDM1) 1000
Discrepancy Time (ms) (port MonIn1/MonIn2) 500
Safe Inputs After Disc Error TRUE

4.4.3 Block formation and safety loops

4.4.3.1 Safety function 1

4.4.4 Calculation

4.4.4.1 PFHD / MTTFD / B10D – values


Component Value
EL2911 – PFHD 4.50E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K3 – B10D 1,300,000
K4 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

4.4.4.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
K3/K4 with EDM DCavg=90%

4.4.4.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{1\,000\,000}{0.1 \cdot 7360} = 1358.7\,\mathrm{y} = 11\,902\,212\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{2\,000\,000}{0.1 \cdot 7360} = 2717.4\,\mathrm{y} = 23\,804\,424\,\mathrm{h}$$

K3/K4:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 7360} = 1766.3\,\mathrm{y} = 15\,472\,788\,\mathrm{h}$$

and the assumption that S1, S2, K3 and K4 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.40 \cdot 10^{-10}$$

S2:

$$PFH = \frac{1 - 0.99}{2717.4 \cdot 8760} = 4.20 \cdot 10^{-10}$$

K3/K4:

$$PFH = \frac{1 - 0.90}{1766.3 \cdot 8760} = 6.46 \cdot 10^{-9}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

The contactors K3 and K4 are both connected to the safety function. The non-functioning of a contactor does
not lead to a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K3
and K4 are identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where ß =10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through contactor contacts, overtemperature in
the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1 + PFH(\text{EL2911}) + PFH(\text{EL2911}) + \beta \cdot \frac{PFH(K3) + PFH(K4)}{2} + (1-\beta)^2 \cdot PFH(K3) \cdot PFH(K4) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ are smaller than the rest by powers of ten, they are
neglected in this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 10\% \cdot \frac{8.40 \cdot 10^{-10} + 4.20 \cdot 10^{-10}}{2} + 4.50 \cdot 10^{-9} + 4.50 \cdot 10^{-9} + 10\% \cdot \frac{6.46 \cdot 10^{-9} + 6.46 \cdot 10^{-9}}{2} = 9.71 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(\text{EL2911})} + \frac{1}{MTTF_D(\text{EL2911})} + \frac{1}{MTTF_D(K3)}$$

If only PFHD values are available for EL2911, the following estimation applies:

$$MTTF_D(\text{ELxxxx}) = \frac{1 - DC(\text{ELxxxx})}{PFH(\text{ELxxxx})}$$

Hence:

$$MTTF_D(\text{EL2911}) = \frac{1 - DC(\text{EL2911})}{PFH(\text{EL2911})} = \frac{1 - 0.99}{4.50 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{3.94 \cdot 10^{-5}\,\tfrac{1}{\mathrm{y}}} = 253\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{1358.7\,\mathrm{y}} + \frac{1}{253\,\mathrm{y}} + \frac{1}{253\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}}} = 108\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(S1)} + \frac{DC}{MTTF_D(S2)} + \frac{DC}{MTTF_D(\text{EL2911})} + \frac{DC}{MTTF_D(\text{EL2911})} + \frac{DC}{MTTF_D(K3)} + \frac{DC}{MTTF_D(K4)}}{\frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(\text{EL2911})} + \frac{1}{MTTF_D(\text{EL2911})} + \frac{1}{MTTF_D(K3)} + \frac{1}{MTTF_D(K4)}}$$

$$DC_{avg} = \frac{\frac{99\%}{1358.7\,\mathrm{y}} + \frac{99\%}{2717.4\,\mathrm{y}} + \frac{99\%}{253\,\mathrm{y}} + \frac{99\%}{253\,\mathrm{y}} + \frac{90\%}{1766.3\,\mathrm{y}} + \frac{90\%}{1766.3\,\mathrm{y}}}{\frac{1}{1358.7\,\mathrm{y}} + \frac{1}{2717.4\,\mathrm{y}} + \frac{1}{253\,\mathrm{y}} + \frac{1}{253\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}} + \frac{1}{1766.3\,\mathrm{y}}} = 98.00\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN62061

Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10^-8 to < 10^-7 (*)
2 ≥ 10^-7 to < 10^-6
1 ≥ 10^-6 to < 10^-5

(*) In accordance with EN 62061 chapter 6.7.7.2, SILCL is restricted to a maximum of SIL2 in relation to
structural constraints for a subsystem that has an HFT of 0 and for which fault exclusions have been applied
to faults that could lead to a dangerous failure.
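The calculation chain of section 4.4.4.3 (n_op, MTTFD from B10D, single-channel PFH, the β common-cause term, the parallel MTTFD sum, DCavg and the SIL band) as a small Python calculator. This is an added example and not code from the Application Guide; the function names are my own, the inputs are the table values of this section, and the SIL bands are the Table 3 rows printed above.

```python
"""Added example (not from the Application Guide): reproduces the figures of
safety function 1 in section 4.4.4.3 with the formulas used there.
Function names are my own; inputs are the page's table values."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


def n_op(d_op: float, h_op: float, t_cycle_min: float) -> float:
    """Operations per year: n_op = d_op * h_op * 60 / T_cycle (T_cycle in minutes)."""
    return d_op * h_op * 60 / t_cycle_min


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTF_D in years of an electromechanical part: B10D / (0.1 * n_op)."""
    return b10d / (0.1 * nop)


def mttfd_from_pfh(pfh: float, dc: float) -> float:
    """Estimation used on the page when only PFH_D is published: (1 - DC) / PFH_D."""
    return (1 - dc) / (pfh * HOURS_PER_YEAR)


@dataclass
class Channel:
    name: str
    mttfd: float  # years
    dc: float     # diagnostic coverage, 0..1

    @property
    def pfh(self) -> float:
        """Single-channel PFH in 1/h: (1 - DC) / MTTF_D, with MTTF_D = 1/lambda_D."""
        return (1 - self.dc) / (self.mttfd * HOURS_PER_YEAR)


def two_channel_terms(a: Channel, b: Channel, beta: float, t1_hours: float):
    """Two-channel subsystem with common-cause factor beta (EN 62061 form on the page).
    Returns (ccf_term, product_term); the page neglects product_term because it is
    orders of magnitude smaller, which the returned values make visible."""
    ccf = beta * (a.pfh + b.pfh) / 2
    product = (1 - beta) ** 2 * a.pfh * b.pfh * t1_hours
    return ccf, product


def mttfd_total(mttfds) -> float:
    """1 / MTTFD_ges = sum(1 / MTTFD_i)."""
    return 1 / sum(1 / m for m in mttfds)


def dc_avg(channels) -> float:
    """DC_avg = sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i)."""
    return (sum(c.dc / c.mttfd for c in channels)
            / sum(1 / c.mttfd for c in channels))


def sil_from_pfh(pfh: float):
    """SIL bands of EN 62061 Table 3 as printed on the page. A PFH below 1e-8
    still meets SIL 3 (the page rates 6.07E-09 as SIL 3); above 1e-5 meets none."""
    if pfh < 1e-7:
        return 3
    if pfh < 1e-6:
        return 2
    if pfh < 1e-5:
        return 1
    return None


def safety_function_1() -> dict:
    """Section 4.4.4.3: door switches S1/S2, contactors K3/K4 with EDM, EL2911
    counted once for the input path and once for the output path."""
    nop = n_op(230, 8, 15)                                      # 7360
    s1 = Channel("S1", mttfd_from_b10d(1_000_000, nop), 0.99)  # 1358.7 y
    s2 = Channel("S2", mttfd_from_b10d(2_000_000, nop), 0.99)  # 2717.4 y
    k3 = Channel("K3", mttfd_from_b10d(1_300_000, nop), 0.90)  # 1766.3 y
    k4 = Channel("K4", mttfd_from_b10d(1_300_000, nop), 0.90)
    el2911_pfh = 4.50e-9
    el2911 = Channel("EL2911", mttfd_from_pfh(el2911_pfh, 0.99), 0.99)  # ~253 y
    beta, t1 = 0.10, 20 * HOURS_PER_YEAR
    doors_ccf, doors_prod = two_channel_terms(s1, s2, beta, t1)
    cont_ccf, cont_prod = two_channel_terms(k3, k4, beta, t1)
    pfh_ges = doors_ccf + 2 * el2911_pfh + cont_ccf
    # MTTFD_ges as on the page: the poorer door switch S1, EL2911 twice, one contactor.
    mttfd_ges = mttfd_total([s1.mttfd, el2911.mttfd, el2911.mttfd, k3.mttfd])
    return {
        "n_op": nop,
        "pfh_ges": pfh_ges,
        "neglected": doors_prod + cont_prod,
        "mttfd_ges": mttfd_ges,
        "dc_avg": dc_avg([s1, s2, el2911, el2911, k3, k4]),
        "sil": sil_from_pfh(pfh_ges),
    }


if __name__ == "__main__":
    for key, value in safety_function_1().items():
        print(f"{key:>10}: {value}")
```

The `neglected` entry shows the size of the $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ terms the page drops, so the simplification can be checked rather than taken on trust.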


5 STO/SS1 functions

5.1 AX8xxx-x1xx STO function (Category 4, PL e)


The protective door is wired with an NC/NO contact combination to safe inputs of an EL1904. The test
pulses of the inputs are activated. Within the TwinSAFE logic the protective door is connected to an FB Mon
and the directly switching output is used to inform the NC controller that, for example in 500 ms, an STO will
be executed and a stop ramp is therefore to be driven.

After 500 ms, for example, the AX8xxx-x1xx will be informed via the delayed-switching output that STO is to
be activated.

In this example it is assumed that, with the opening of the door and the delayed switching of the
AX8xxx-x1xx, the machine is in a safe state after STO before the hazard point can be reached by the user.

The machine manufacturer must assess the machine and the application.

If another application is to be executed on the drive, this can be implemented through a customer-specific
logic application on the AX8xxx-x1xx.


5.1.1 Parameters of the safe input and output modules

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active -
Sensor test channel 4 active -
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

MON FB parameter

Parameter Value
Discrepancy Time (ms) (port MonIn1/MonIn2) 200
Safe Inputs After Disc Error TRUE
MON Delay Time 500

5.1.2 Block formation and safety loops

5.1.2.1 Safety function 1

5.1.3 Calculation

5.1.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL6910 – PFHD 1.79E-09
AX8xxx-x1xx - PFHD 3.04E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours


5.1.3.2 Diagnostic Coverage DC


Component Value
S1 with testing and plausibility check DCavg=99%
AX8xxx-x1xx STO function DCavg>99%

5.1.3.3 Calculation of safety function 1

Calculation of the performance level according to EN ISO 13849-1:2015

Calculation of the MTTFD values from the B10D values

From:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1{,}000{,}000}{0.1 \cdot 14720} = 679\,\mathrm{y}$$

S2

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{2{,}000{,}000}{0.1 \cdot 14720} = 1358\,\mathrm{y}$$

The total MTTFD value is calculated based on the following formula:

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(\text{EL1904})} + \frac{1}{MTTF_D(\text{EL6910})} + \frac{1}{MTTF_D(\text{AX8xxx-x1xx})}$$

If only PFHD values are available for EL1904, EL6910 and AX8xxx-x1xx, the following estimation applies:

$$MTTF_D(\text{ELxxxx}) = \frac{1 - DC(\text{ELxxxx})}{PFH(\text{ELxxxx})}$$

Hence:

$$MTTF_D(\text{EL1904}) = \frac{1 - DC(\text{EL1904})}{PFH(\text{EL1904})} = \frac{1 - 0.99}{1.11 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(\text{EL6910}) = \frac{1 - DC(\text{EL6910})}{PFH(\text{EL6910})} = \frac{1 - 0.99}{1.79 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{15.68 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 637\,\mathrm{y}$$

$$MTTF_D(\text{AX8xxx-x1xx}) = \frac{1 - DC(\text{AX8xxx-x1xx})}{PFH_D(\text{AX8xxx-x1xx})} = \frac{1 - 0.99}{3.04 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{2.66 \cdot 10^{-5}\,\tfrac{1}{\mathrm{y}}} = 375\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{679\,\mathrm{y}} + \frac{1}{1028\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{375\,\mathrm{y}}} = 149\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(S1)} + \frac{DC}{MTTF_D(S2)} + \frac{DC}{MTTF_D(\text{EL1904})} + \frac{DC}{MTTF_D(\text{EL6910})} + \frac{DC}{MTTF_D(\text{AX8xxx-x1xx})}}{\frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(\text{EL1904})} + \frac{1}{MTTF_D(\text{EL6910})} + \frac{1}{MTTF_D(\text{AX8xxx-x1xx})}}$$

$$DC_{avg} = \frac{\frac{99\%}{679\,\mathrm{y}} + \frac{99\%}{1358\,\mathrm{y}} + \frac{99\%}{1028\,\mathrm{y}} + \frac{99\%}{637\,\mathrm{y}} + \frac{99\%}{375\,\mathrm{y}}}{\frac{1}{679\,\mathrm{y}} + \frac{1}{1358\,\mathrm{y}} + \frac{1}{1028\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{375\,\mathrm{y}}} = 99.00\%$$

NOTE
Category
This structure is possible up to category 4 at the most.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


Calculation of PFHD values according to EN 62061

with the assumption that S1 and S2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH_D = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH_D = \frac{1 - 0.99}{679 \cdot 8760} = 1.68 \cdot 10^{-9}$$

S2:

$$PFH_D = \frac{1 - 0.99}{1358 \cdot 8760} = 8.41 \cdot 10^{-10}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, a fault exclusion up to 100,000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{D,ges} = \beta \cdot \frac{PFH_D(S1) + PFH_D(S2)}{2} + (1-\beta)^2 \cdot PFH_D(S1) \cdot PFH_D(S2) \cdot T_1 + PFH_D(\text{EL1904}) + PFH_D(\text{EL6910}) + PFH_D(\text{AX8xxx-x1xx})$$

Since the portion $(1-\beta)^2 \cdot PFH_D(S1) \cdot PFH_D(S2) \cdot T_1$ is smaller than the rest by powers of ten, it is neglected in
this and all further calculations for the purpose of simplification.

to:

$$PFH_{D,ges} = 10\% \cdot \frac{1.68 \cdot 10^{-9} + 8.41 \cdot 10^{-10}}{2} + 1.11 \cdot 10^{-9} + 1.79 \cdot 10^{-9} + 3.04 \cdot 10^{-9} = 6.07 \cdot 10^{-9}$$

Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10^-8 to < 10^-7
2 ≥ 10^-7 to < 10^-6
1 ≥ 10^-6 to < 10^-5

NOTE
Safety integrity level
The application meets the requirements of safety integrity level SIL3 according to EN 62061.


5.2 Drive option AX5801 with SS1 stop function (Category 4, PL e)

By activating the emergency stop button, the inputs EStopIn1 and EStopIn2 of FB ESTOP are switched to state
“0”, resulting in the outputs EStopOut and EStopDelOut of FB ESTOP being switched to state “0”. As a result, a
quick stop command is issued to the PLC and therefore to the AX5000 via EtherCAT. The output EStopDelOut
of the ESTOP FB ensures that, after the expiry of a specified delay time (in this case e.g. 1000 ms), the 24 V
supply of the safety option AX5801 is interrupted and the internal relays of the AX5801 are thus
de-energized. The two channels (motors) are switched torque-free via the internal switch-off paths of the
AX5000.

Testing and checking for discrepancy are activated for the input signals. The testing of the outputs is also
active. The relays of the 4 AX5801 option cards are wired in parallel to a safe output of the EL2904. The
feedback loops are wired in series to a safe input. The restart signal is wired to a non-safe input.


5.2.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

5.2.2 Block formation and safety loops

5.2.2.1 Safety function 1


5.2.3 Calculation

5.2.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
AX5801 – B10D 780,000
S1 – B10D 100,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 60 (1x per hour)
Lifetime (T1) 20 years = 175200 hours

5.2.3.2 Diagnostic Coverage DC


Component Value
S1 with testing/plausibility DCavg=99%
AX5801 DCavg=99%

5.2.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{60} = 1840$$

$$MTTF_D = \frac{100{,}000}{0.1 \cdot 1840} = 543.5\,\mathrm{y} = 4761060\,\mathrm{h}$$

AX5801:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{60} = 1840$$

$$MTTF_D = \frac{780{,}000}{0.1 \cdot 1840} = 4239.1\,\mathrm{y} = 37134516\,\mathrm{h}$$

$$T_{10D} = \frac{B_{10D}}{n_{op}} = \frac{780{,}000}{1840\,\tfrac{1}{\mathrm{y}}} = 423\,\mathrm{y}$$


and the assumption that S1 is single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{543.5 \cdot 8760} = 2.10 \cdot 10^{-9}$$

AX5801:

$$PFH = \frac{1 - 0.99}{4239.1 \cdot 8760} = 2.70 \cdot 10^{-10}$$

The following assumptions must now be made:

Safety switch S1: According to BIA report 2/2008, a fault exclusion up to 100,000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = PFH(S1) + PFH(\text{EL1904}) + PFH(\text{EL6900}) + PFH(\text{EL2904}) + \beta \cdot \frac{4 \cdot PFH(\text{AX5801}) + 4 \cdot PFH(\text{AX5801})}{2} + 4 \cdot (1-\beta)^2 \cdot PFH(\text{AX5801}) \cdot PFH(\text{AX5801}) \cdot T_1$$

Since the portion $(1-\beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ is smaller than the rest by powers of ten, it is neglected in
this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 2.10 \cdot 10^{-9} + 1.11 \cdot 10^{-9} + 1.03 \cdot 10^{-9} + 1.25 \cdot 10^{-9} + 10\% \cdot \frac{4 \cdot 2.70 \cdot 10^{-10} + 4 \cdot 2.70 \cdot 10^{-10}}{2} = 5.60 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(\text{EL1904})} + \frac{1}{MTTF_D(\text{EL6900})} + \frac{1}{MTTF_D(\text{EL2904})} + \frac{1}{MTTF_D(\text{AX5801})} + \frac{1}{MTTF_D(\text{AX5801})} + \frac{1}{MTTF_D(\text{AX5801})} + \frac{1}{MTTF_D(\text{AX5801})}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(\text{AX5801}) = \frac{B_{10D}(\text{AX5801})}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:

$$MTTF_D(\text{ELxxxx}) = \frac{1 - DC(\text{ELxxxx})}{PFH(\text{ELxxxx})}$$

Hence:

$$MTTF_D(\text{EL1904}) = \frac{1 - DC(\text{EL1904})}{PFH(\text{EL1904})} = \frac{1 - 0.99}{1.11 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(\text{EL6900}) = \frac{1 - DC(\text{EL6900})}{PFH(\text{EL6900})} = \frac{1 - 0.99}{1.03 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$

$$MTTF_D(\text{EL2904}) = \frac{1 - DC(\text{EL2904})}{PFH(\text{EL2904})} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\tfrac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{543.5\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{4239.1\,\mathrm{y}} + \frac{1}{4239.1\,\mathrm{y}} + \frac{1}{4239.1\,\mathrm{y}} + \frac{1}{4239.1\,\mathrm{y}}} = 173.8\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{543.5\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + 8 \cdot \frac{99\%}{4239.1\,\mathrm{y}}}{\frac{1}{543.5\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + 8 \cdot \frac{1}{4239.1\,\mathrm{y}}} = 99.00\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.
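The T10D value introduced in section 5.2.3.3 is only useful when it is compared with the mission time T1, and the four AX5801 relays enter the PFH sum through a common-cause term with a factor of 4. The following is an added example, not code from the Application Guide: it applies the T10D check to the wearing parts of this example and reproduces the PFH_ges of 5.2.3.3; helper names are my own and the inputs are the table values above.

```python
"""Added example (not from the Application Guide): the T10D wear limit of
section 5.2.3.3 applied as a check against the mission time T1, and the
common-cause term for the four AX5801 relays in parallel. Helper names are my own."""
HOURS_PER_YEAR = 8760


def n_op(d_op: float, h_op: float, t_cycle_min: float) -> float:
    """Operations per year: d_op * h_op * 60 / T_cycle (T_cycle in minutes)."""
    return d_op * h_op * 60 / t_cycle_min


def t10d_years(b10d: float, nop: float) -> float:
    """T10D = B10D / n_op: time by which 10 % of the parts are expected to have
    failed dangerously; the part has to be replaced by then (EN ISO 13849-1)."""
    return b10d / nop


def wear_check(components, d_op, h_op, t_cycle_min, t1_years):
    """For each (name, B10D) return (name, T10D in years, T10D >= T1).
    False means the part must be replaced before the end of the mission time."""
    nop = n_op(d_op, h_op, t_cycle_min)
    result = []
    for name, b10d in components:
        t10d = t10d_years(b10d, nop)
        result.append((name, t10d, t10d >= t1_years))
    return result


def ccf_n_identical(pfh_one: float, n: int, beta: float) -> float:
    """CCF term as written on the page for n AX5801 relays on one EL2904 output:
    beta * (n * PFH + n * PFH) / 2, i.e. beta * n * PFH."""
    return beta * (n * pfh_one + n * pfh_one) / 2


def ax5801_safety_function() -> dict:
    """Section 5.2.3.3: S1 (B10D 100,000), four AX5801 cards (B10D 780,000),
    EL1904 + EL6900 + EL2904 with the PFH_D values of the page's table."""
    d_op, h_op, t_cycle, t1_years, dc, beta = 230, 8, 60, 20, 0.99, 0.10
    nop = n_op(d_op, h_op, t_cycle)                   # 1840
    s1_mttfd = 100_000 / (0.1 * nop)                  # 543.5 y
    ax_mttfd = 780_000 / (0.1 * nop)                  # 4239.1 y
    s1_pfh = (1 - dc) / (s1_mttfd * HOURS_PER_YEAR)   # 2.10E-09
    ax_pfh = (1 - dc) / (ax_mttfd * HOURS_PER_YEAR)   # 2.70E-10
    terminals_pfh = 1.11e-9 + 1.03e-9 + 1.25e-9       # EL1904, EL6900, EL2904
    pfh_ges = s1_pfh + terminals_pfh + ccf_n_identical(ax_pfh, 4, beta)
    wear = wear_check([("S1", 100_000), ("AX5801", 780_000)],
                      d_op, h_op, t_cycle, t1_years)
    return {"pfh_ges": pfh_ges, "wear": wear}


if __name__ == "__main__":
    res = ax5801_safety_function()
    print(f"PFH_ges = {res['pfh_ges']:.2e} 1/h")
    for name, t10d, ok in res["wear"]:
        print(f"{name}: T10D = {t10d:.1f} y, within T1 = 20 y: {ok}")
```

With the page's one cycle per hour both parts outlast T1; the same S1 at the 16 h / 15 min duty of section 5.1 would reach T10D after about 7 years and would need a scheduled replacement.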


5.3 STO function with EL72x1-9014 (category 3, PL d)


The following application example shows how the EL72x1-9014 can be wired together with an EL2904 in
order to implement an STO function according to EN 61800-5-2.

A protective door (S1 and S2) and a restart signal (S3) are logically linked on an ESTOP function block. The
EStopOut signal is transferred to the NC controller, with which, for example, the Enable signal of the
EL72x1-9014 can be switched. The STO input of the EL72x1-9014 is operated via the delayed output
EStopDelOut. The EL72x1-9014 supplies the information that the STO function is active via the standard
controller. This information is transferred to the EDM input of the ESTOP function block and additionally to
the EDM function block in order to generate an expectation for this signal.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!
If the risk analysis returns the result that a restart is to be realized in the safety controller, then the restart
must also be placed on a safe input.


WARNING
Wiring only inside the control cabinet
The wiring between the EL2904 and the STO input of the EL72x1-9014 must be located in the same control
cabinet in order to be able to assume a fault exclusion for the cross-circuit or external power supply of the
wiring between EL2904 and EL72x1-9014.
The evaluation of this wiring and the evaluation of whether the fault exclusion is permissible must be done
by the machine manufacturer or user.

NOTE
Calculation EL72x1-9014
The EL72x1-9014 is not taken into account in the calculation of the Performance Level according to
DIN EN ISO 13849-1 since it behaves interference-free to the safety function.
The PFHD value goes into the calculation according to EN 62061 with a value of 0.

5.3.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active No
Output test pulses active Yes

5.3.2 Block formation and safety loops

5.3.2.1 Safety function 1


5.3.3 Calculation

5.3.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
EL72x1-9014 - PFHD 0.00
S1 – B10D 1,000,000
S2 – B10D 2,000,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

5.3.3.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
EL2904 with testing DCavg=99%

5.3.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1{,}000{,}000}{0.1 \cdot 14720} = 679.3\,\mathrm{y} = 5951087\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{2{,}000{,}000}{0.1 \cdot 14720} = 1358.7\,\mathrm{y} = 11902174\,\mathrm{h}$$

and the assumption that S1 and S2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{679.3 \cdot 8760} = 1.68 \cdot 10^{-9}$$

S2:

$$PFH = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.4 \cdot 10^{-10}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1 + PFH(\text{EL1904}) + PFH(\text{EL6900}) + PFH(\text{EL2904}) + PFH(\text{EL72x1-9014})$$

Since the portion $(1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1$ is smaller than the rest by powers of ten, it is neglected in
this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 10\% \cdot \frac{1.68 \cdot 10^{-9} + 1.68 \cdot 10^{-9}}{2} + 1.11 \cdot 10^{-9} + 1.03 \cdot 10^{-9} + 1.25 \cdot 10^{-9} + 0.00 = 3.558 \cdot 10^{-9}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(\text{EL1904})} + \frac{1}{MTTF_D(\text{EL6900})} + \frac{1}{MTTF_D(\text{EL2904})}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, EL6900 and EL2904, the following estimation applies:

$$MTTF_D(\text{ELxxxx}) = \frac{1 - DC(\text{ELxxxx})}{PFH(\text{ELxxxx})}$$

Hence:

$$MTTF_D(\text{EL1904}) = \frac{1 - DC(\text{EL1904})}{PFH(\text{EL1904})} = \frac{1 - 0.99}{1.11 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(\text{EL6900}) = \frac{1 - DC(\text{EL6900})}{PFH(\text{EL6900})} = \frac{1 - 0.99}{1.03 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$

$$MTTF_D(\text{EL2904}) = \frac{1 - DC(\text{EL2904})}{PFH(\text{EL2904})} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\tfrac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{679.3\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}}} = 225.2\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{679.3\,\mathrm{y}} + \frac{99\%}{1358.7\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}}}{\frac{1}{679.3\,\mathrm{y}} + \frac{1}{1358.7\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}}} = 99.00\%$$


CAUTION
Category
This structure is possible up to category 3 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

5.4 STO function with IndraDrive (category 4, PL e)


The following example shows the application of the safe EL2904 outputs in conjunction with a Bosch
Rexroth IndraDrive for realizing an STO function on this drive.

As an example, a protective door is wired to a safe input (in this case EL1904) together with a restart signal
in two-channel mode. Within the TwinSAFE Logic, these signals are used at an ESTOP function block.
Switching of the ESTOP function block is delayed and is used for the two safe EL2904 outputs. The
EStopOut output can be used to stop the drive electrically via the NC controller.

One output of the EL2904 is wired to STO input X49.1 of the Bosch Rexroth IndraDrive, the other output is
wired to X49.3. The corresponding GND connection (X49.2) is taken back to the EL2904 to illustrate that the
EL2904 and the IndraDrive use the same ground potential of the 24 V supply.


CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

5.4.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active No
Output test pulses active Yes


5.4.2 Block formation and safety loops

5.4.2.1 Safety function 1

5.4.3 Calculation

5.4.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
Bosch Rexroth IndraDrive 1) – PFHD 0.50E-09
Bosch Rexroth IndraDrive 1) – MTTFD > 200 years
S1 – B10D 1,000,000
S2 – B10D 2,000,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

1) Please note the information provided in the Bosch Rexroth user documentation

5.4.3.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%
EL2904 with testing DCavg=99%
Bosch Rexroth IndraDrive 1) DCavg=99%

1) Please note the information provided in the Bosch Rexroth user documentation

5.4.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{1{,}000{,}000}{0.1 \cdot 14720} = 679.3\,\mathrm{y} = 5951087\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{15} = 14720$$

$$MTTF_D = \frac{2{,}000{,}000}{0.1 \cdot 14720} = 1358.7\,\mathrm{y} = 11902174\,\mathrm{h}$$

and the assumption that S1 and S2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{679.3 \cdot 8760} = 1.68 \cdot 10^{-9}$$

S2:

$$PFH = \frac{1 - 0.99}{1358.7 \cdot 8760} = 8.4 \cdot 10^{-10}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF, and
Table F.2: Estimation of the CCF factor (β)), which can be used to determine the β-factor precisely.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1 + PFH(\text{EL1904}) + PFH(\text{EL6900}) + PFH(\text{EL2904}) + PFH(\text{IndraDrive})$$

Since the portion $(1-\beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1$ is smaller than the rest by powers of ten, it is neglected in
this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 10\% \cdot \frac{1.68 \cdot 10^{-9} + 8.40 \cdot 10^{-10}}{2} + 1.11 \cdot 10^{-9} + 1.03 \cdot 10^{-9} + 1.25 \cdot 10^{-9} + 0.50 \cdot 10^{-9} = 4.016 \cdot 10^{-9}$$

NOTE
Calculation according to EN 62061
This value corresponds to SIL3, according to EN 62061, Table 3.

Calculation of the MTTFD value for safety function 1 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(\text{EL1904})} + \frac{1}{MTTF_D(\text{EL6900})} + \frac{1}{MTTF_D(\text{EL2904})} + \frac{1}{MTTF_D(\text{IndraDrive})}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(\text{IndraDrive}) = 200\,\mathrm{y}$$

If only PFHD values are available for EL1904, EL6900 and EL2904, the following estimation applies:

$$MTTF_D(\text{ELxxxx}) = \frac{1 - DC(\text{ELxxxx})}{PFH(\text{ELxxxx})}$$

Hence:

$$MTTF_D(\text{EL1904}) = \frac{1 - DC(\text{EL1904})}{PFH(\text{EL1904})} = \frac{1 - 0.99}{1.11 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.72 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 1028.8\,\mathrm{y}$$

$$MTTF_D(\text{EL6900}) = \frac{1 - DC(\text{EL6900})}{PFH(\text{EL6900})} = \frac{1 - 0.99}{1.03 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{9.02 \cdot 10^{-6}\,\tfrac{1}{\mathrm{y}}} = 1108.6\,\mathrm{y}$$

$$MTTF_D(\text{EL2904}) = \frac{1 - DC(\text{EL2904})}{PFH(\text{EL2904})} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\tfrac{1}{\mathrm{h}} \cdot 8760\,\tfrac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\tfrac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{679.3\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{200\,\mathrm{y}}} = 105.9\,\mathrm{y}$$

$$DC_{avg} = \frac{\frac{99\%}{679.3\,\mathrm{y}} + \frac{99\%}{1358.7\,\mathrm{y}} + \frac{99\%}{1028.8\,\mathrm{y}} + \frac{99\%}{1108.6\,\mathrm{y}} + \frac{99\%}{913.2\,\mathrm{y}} + \frac{99\%}{200\,\mathrm{y}}}{\frac{1}{679.3\,\mathrm{y}} + \frac{1}{1358.7\,\mathrm{y}} + \frac{1}{1028.8\,\mathrm{y}} + \frac{1}{1108.6\,\mathrm{y}} + \frac{1}{913.2\,\mathrm{y}} + \frac{1}{200\,\mathrm{y}}} = 99.00\%$$

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years


DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN62061

Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10^-8 to < 10^-7
2 ≥ 10^-7 to < 10^-6
1 ≥ 10^-6 to < 10^-5


5.4.4 Technical Note from Bosch Rexroth AG


6 Safe Motion functions

6.1 Drive option AX5805 with SS2 stop function (Category 4, PL e)

The protective door is connected with a combination of normally closed and normally open contacts to an
EL1904 safe input terminal. Testing and checking for discrepancy are activated for the input signals. The
output is linked on the AX5805.

The feedback signals are checked via the control and status word returned by the drive option.

6.1.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


AX5805

Parameter Value
-

6.1.2 Block formation and safety loops

6.1.2.1 Safety function 1

6.1.3 Calculation

6.1.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL6900 – PFHD 1.03E-09
AX5805 – PFHD 5.15E-09 (see list of approved motors)
S1 – B10D 1,000,000
S2 – B10D 2,000,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 60 (1x per hour)
Lifetime (T1) 20 years = 175200 hours

6.1.3.2 Diagnostic Coverage DC


Component Value
S1/S2 with testing/plausibility DCavg=99%

6.1.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{60} = 1840$$

$$MTTF_D = \frac{1{,}000{,}000}{0.1 \cdot 1840} = 5434.8\,\mathrm{y} = 47608848\,\mathrm{h}$$

S2:

$$n_{op} = \frac{230 \cdot 8 \cdot 60}{60} = 1840$$

$$MTTF_D = \frac{2{,}000{,}000}{0.1 \cdot 1840} = 10869.6\,\mathrm{y} = 95217696\,\mathrm{h}$$

and the assumption that S1 and S2 are each single-channel:

$$MTTF_D = \frac{1}{\lambda_D}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

S1:

$$PFH = \frac{1 - 0.99}{5434.8 \cdot 8760} = 2.10 \cdot 10^{-10}$$

S2:

$$PFH = \frac{1 - 0.99}{10869.6 \cdot 8760} = 1.05 \cdot 10^{-10}$$

The following assumptions must now be made:

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β = 10%. EN 62061 contains a table with which this β-factor can be precisely
determined. Further, it is assumed that all usual measures have been taken to prevent both channels failing
unsafely at the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the
control cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(S1) + PFH(S2)}{2} + (1 - \beta)^2 \cdot PFH(S1) \cdot PFH(S2) \cdot T_1 + PFH(EL1904) + PFH(EL6900) + PFH(AX5805) + PFH(AX5805) + PFH(AX5805) + PFH(AX5805)$$

Since the portion $(1 - \beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ is smaller than the rest by powers of ten, it is neglected in
this and all further calculations for the purpose of simplification.

to:

$$PFH_{ges} = 10\% \cdot \frac{2.10 \times 10^{-10} + 1.05 \times 10^{-10}}{2} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 4 \cdot 5.15 \times 10^{-9} = 2.28 \times 10^{-8}$$

Calculation of the MTTFD value for safety function 1 (under the same assumption):


$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

as:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(AX5805)} + \frac{1}{MTTF_D(AX5805)} + \frac{1}{MTTF_D(AX5805)} + \frac{1}{MTTF_D(AX5805)}$$

with:

$$MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}$$

$$MTTF_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}$$

If only PFHD values are available for EL1904, AX5805 and EL6900, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\tfrac{1}{\text{h}} \cdot 8760\,\tfrac{\text{h}}{\text{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\tfrac{1}{\text{y}}} = 1028.8\,\text{y}$$

$$MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\tfrac{1}{\text{h}} \cdot 8760\,\tfrac{\text{h}}{\text{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\tfrac{1}{\text{y}}} = 1108.6\,\text{y}$$

$$MTTF_D(AX5805) = \frac{1 - DC(AX5805)}{PFH(AX5805)} = \frac{1 - 0.99}{5.15 \times 10^{-9}\,\tfrac{1}{\text{h}} \cdot 8760\,\tfrac{\text{h}}{\text{y}}} = \frac{0.01}{4.51 \times 10^{-5}\,\tfrac{1}{\text{y}}} = 221.7\,\text{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{5434.8\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{221.7\,\text{y}} + \frac{1}{221.7\,\text{y}} + \frac{1}{221.7\,\text{y}} + \frac{1}{221.7\,\text{y}}} = 49.8\,\text{y}$$

$$DC_{avg} = \frac{\frac{99\%}{5434.8\,\text{y}} + \frac{99\%}{10869.6\,\text{y}} + \frac{99\%}{1028.8\,\text{y}} + \frac{99\%}{1108.6\,\text{y}} + \frac{99\%}{221.7\,\text{y}} + \frac{99\%}{221.7\,\text{y}} + \frac{99\%}{221.7\,\text{y}} + \frac{99\%}{221.7\,\text{y}}}{\frac{1}{5434.8\,\text{y}} + \frac{1}{10869.6\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{221.7\,\text{y}} + \frac{1}{221.7\,\text{y}} + \frac{1}{221.7\,\text{y}} + \frac{1}{221.7\,\text{y}}} = 99.00\%$$


NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


7 Analog value processing with TwinSAFE SC

7.1 Speed monitoring (category 3, PL d)


The speed of a drive is to be monitored. This drive has a safety function (in this case, for example, STO),
which is activated via a corresponding input. This input is conducted through one working contact of each of
two contactors. The position and speed signals are transmitted via two different communication paths to the
EL6910 TwinSAFE Logic and processed there according to the illustrated logic. The sin/cos encoder is wired
to an EL5021-0090, and the position information is transferred via TwinSAFE SC communication and
EtherCAT. The drive speed is also transferred to the EL6910 TwinSAFE Logic, via the standard PROFINET
communication (any other fieldbus is also possible) and the standard PLC.

A speed (Speed FB) is calculated from the position value within the safety-related EL6910 logic. The speed
of the drive is scaled via the FB so that the value matches the calculated speed. These two speed values are
checked by a Compare FB for equality and monitored by a Limit FB for a maximum value. Since the two
speed values (one calculated directly and the other calculated in the safety-related EL6910 logic) are never
100% equal at any time, the difference between the two speed values must lie within the tolerance band of
10% in order to still meet the condition of equality. If the current speed value lies below the threshold
specified in the Limit FB, the STO output is set to logical 1 and the drive can rotate. If the limit is exceeded or
the comparison is invalid, the output is set to logic 0, and the drive is switched torque-free or the safety
function integrated in the drive is activated. The entire calculation and scaling are performed at the SIL3/PL e
safety level in the safety-related EL6910 logic. Using this method, a safety-related result is created from two
non-safety-related signals.

An emergency stop function is additionally implemented by an ESTOP function block (not shown in the
diagram for reasons of clarity), which prevents the restart and also takes over the control of contactors K1
and K2.

The IsValid signal of the Compare function block must be used for shutdown in the event of a fault.
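The Speed, Scale, Compare and Limit chain described above, modelled in plain Python as an added example; it is not TwinSAFE function-block code. The encoder resolution, drive scale factor, speed limit and sample cycle values are constructed assumptions, and the scenarios include the standstill case in which a frozen encoder signal is only detected once movement is requested.

```python
"""Model of the EL6910 speed plausibility logic from section 7.1 (added example,
not Beckhoff code).  Resolution, scale factor, limit and samples are assumptions."""

TOLERANCE = 0.10        # tolerance band of the Compare FB, as stated on the page
SPEED_LIMIT = 1500.0    # assumed maximum value of the Limit FB, in rpm (constructed)
COUNTS_PER_REV = 1000   # assumed encoder resolution behind the EL5021-0090 (constructed)
DRIVE_SCALE = 0.1       # assumed Scale FB factor: drive reports speed in 0.1 rpm units


def speed_fb(pos_prev: int, pos_now: int, dt_s: float) -> float:
    """Speed FB: rpm derived from two consecutive position values, dt_s apart."""
    return (pos_now - pos_prev) / COUNTS_PER_REV / dt_s * 60.0


def scale_fb(raw_drive_speed: int) -> float:
    """Scale FB: bring the drive's raw speed into the unit of the calculated speed."""
    return raw_drive_speed * DRIVE_SCALE


def compare_fb(a: float, b: float, tol: float = TOLERANCE) -> bool:
    """Compare FB: 'equal' when the difference lies within tol of the larger magnitude.
    Assumption: the band is relative to the larger value, so 0 rpm vs 0 rpm is equal."""
    return abs(a - b) <= tol * max(abs(a), abs(b))


def limit_fb(speed: float, limit: float = SPEED_LIMIT) -> bool:
    """Limit FB: True while the speed magnitude stays below the maximum value."""
    return abs(speed) < limit


def sto_logic(pos_prev: int, pos_now: int, dt_s: float, raw_drive_speed: int) -> tuple[int, bool]:
    """Returns (sto_output, is_valid).  STO output 1 lets the drive rotate, 0 switches it
    torque-free.  IsValid of the Compare FB is part of the shutdown path, as required."""
    v_enc = speed_fb(pos_prev, pos_now, dt_s)
    v_drv = scale_fb(raw_drive_speed)
    is_valid = compare_fb(v_enc, v_drv)
    within = limit_fb(v_enc) and limit_fb(v_drv)
    return (1 if (is_valid and within) else 0, is_valid)


def run_scenarios() -> list[tuple[str, int, bool]]:
    """Constructed samples, one 10 ms logic cycle each: (name, pos_prev, pos_now, raw drive)."""
    dt = 0.010
    cases = [
        ("nominal 600 rpm, both channels agree",      0,    100,  6000),
        ("drive channel distorted (500 vs 600 rpm)",  0,    100,  5000),
        ("standstill, encoder frozen",                1000, 1000, 0),
        ("movement requested, encoder still frozen",  1000, 1000, 3000),
        ("overspeed 1800 rpm, channels agree",        0,    300,  18000),
    ]
    return [(name,) + sto_logic(p0, p1, dt, raw) for name, p0, p1, raw in cases]


if __name__ == "__main__":
    for name, sto, valid in run_scenarios():
        print(f"{name:45s} STO={sto} IsValid={valid}")
```

The third scenario shows why the frozen encoder is not caught at standstill: both channels report 0 rpm and compare as equal, so the fault only surfaces once the drive is commanded to move.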


Figure: Structure


Figure: Logic

7.1.1 Structure and diagnosis


The input signals from the drive and the encoder are standard signals, which are dynamic and different. The
drive supplies a speed value, the encoder supplies a sin/cos signal, which is evaluated by a standard
terminal and packed and transmitted in a safe telegram (FSoE with modified polynomial - TwinSAFE SC).

This terminal (EL5021-0090) supplies a position value that is converted within the safe logic to a speed
value, then scaled and compared with the speed value of the drive. Equality means in this case that the
difference signal lies within the tolerance window of 10%.

The encoder signal is transmitted via the standard fieldbus using the black channel principle. This value is
checked for plausibility against the drive speed that is transmitted via the standard fieldbus. Errors in one of
the two channels are detected by means of the comparison of the two diverse speed and position signals
within the safe logic and lead to the activation of STO of the drive.


7.1.2 FMEA

Error assumption | Expectations | Checked
The speed value, e.g. via PROFINET, freezes | This is detected via the second value and the plausibility check in the EL6910 (other fieldbus and TwinSAFE SC communication between EL5021-0090 and EL6910). In addition, the standard-communication watchdog should be enabled for speed 0. |
Speed value via EtherCAT and TwinSAFE SC communication freezes | This is detected via the watchdog within the TwinSAFE SC communication. Plausibility check: dynamic speed values are also expected when the motor is started. |
Speed values are copied in succession in the standard PLC | A distorted value within the TwinSAFE SC communication leads to an invalid CRC within the telegram and thus to immediate shutdown of the group and the outputs. The data types of the two speed values have a different length (e.g. 4 bytes and 11 bytes). |
Speed value is distorted, e.g. via PROFINET | This is detected via the second value and the plausibility check in the EL6910 (other fieldbus and TwinSAFE SC communication between EL5021-0090 and EL6910). |
There is no longer any connection between the motor and the encoder | Detected within the EL6910 via the plausibility check with the speed value of the drive. Plausibility check: dynamic speed values are also expected when the motor is started. |
Encoder supplies an incorrect position value | Detected within the EL6910 via the plausibility check with the speed value of the drive. |
Drive supplies incorrect speed value | This is detected via the second value and the plausibility check in the EL6910 (other fieldbus and TwinSAFE SC communication between EL5021-0090 and EL6910). |
Communication error 61784-3 for standard communication: Corruption | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Unintentional repetition | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. In addition, the standard-communication watchdog should be enabled for speed 0. |
Communication error 61784-3 for standard communication: Wrong sequence | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Loss | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Unacceptable delay | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. In addition, the standard-communication watchdog should be enabled for speed 0. |
Communication error 61784-3 for standard communication: Insertion | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Masquerading | Not relevant for standard, only for safety communication. |
Communication error 61784-3 for standard communication: Addressing | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error for standard communication: Recurrent memory errors in switches | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |

7.1.2.1 Note on TwinSAFE SC communication:


The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over-
EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum
and this polynomial is sufficiently independent of the polynomial previously used for Safety-over-EtherCAT.

The identical mechanisms are active, such as the black channel principle (bit error probability 10^-2).

The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via
the comparison in the safe logic, since this would lead to inequality.

7.1.3 Parameters of the safe output terminal

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes


7.1.4 Block formation and safety loops

7.1.4.1 Safety function 1

7.1.5 Calculation

7.1.5.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6910 – PFHD 1.79E-09
Drive – MTBF 516,840 (59y)
Encoder – MTTF 549,149
EL5021-0090 - MTBF 1,205,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

7.1.5.2 Diagnostic Coverage DC


Component | Value
Drive and encoder with EL5021-0090 and plausibility within the logic | DCavg=90% (alternatively in calculation: 99%)
K1/K2 with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels | DCavg=99%

7.1.5.3 Calculation of safety function 1


For clarity, the safety factor is calculated according to EN 62061 as well as EN 13849. Calculation according
to one standard is sufficient in practice.

Calculation of the PFHD and MTTFD values from the B10D values:

From:


$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Calculation of the PFHD and MTTFD values from the MTBF values:

Note: Repair times can be neglected, therefore the following applies:

$$MTTF_D = 2 \cdot MTBF$$

$$MTTF_D = \frac{1}{\lambda_D}$$

with

$$\lambda_D \approx \frac{0.1}{T_{10D}} = \frac{0.1 \cdot n_{op}}{B_{10D}}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

Inserting the values, this produces:

Drive

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 59\,\text{y} = 1{,}033{,}680\,\text{h} = 118\,\text{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}033{,}680\,\text{h}} = 9.67 \times 10^{-8}$$

Encoder

$$MTTF_D = 2 \cdot MTTF = 2 \cdot 549{,}149\,\text{h} = 1{,}098{,}298\,\text{h} = 125\,\text{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}098{,}298\,\text{h}} = 9.10 \times 10^{-8}$$

EL5021-0090

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 1{,}205{,}000\,\text{h} = 2{,}410{,}000\,\text{h} = 275\,\text{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{2{,}410{,}000\,\text{h}} = 4.15 \times 10^{-8}$$

Input subsystem 1

$$PFH(Input1) = PFH(Encoder) + PFH(\text{EL5021-0090}) = 9.10 \times 10^{-8} + 4.15 \times 10^{-8} = 13.25 \times 10^{-8}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1{,}300{,}000}{0.1 \cdot 21.90} = 593607.3\,\text{y} = 5{,}199{,}997{,}320\,\text{h}$$

and the assumption that K1 and K2 are each single-channel:

K1/K2: Actuation 1x per week and direct feedback


$$PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

The input signals from the encoder with EL5021-0090 and drive have different measuring procedures,
deliver differently scaled values and are both involved in the safety function. A malfunction of a channel does
not lead to a dangerous situation, but is detected by comparing the two values in the TwinSAFE Logic and
leads to shutdown.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF, and
Table F.2: Estimation of the CCF factor(β)), which can be used to determine the β factor precisely. For the
input subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is
modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(Input1) + PFH(Drive)}{2} + (1 - \beta)^2 \cdot PFH(Input1) \cdot PFH(Drive) \cdot T_1 + PFH(EL6910) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$$

Since the portions $(1 - \beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$ and $(1 - \beta)^2 \cdot PFH(Input1) \cdot PFH(Drive) \cdot T_1$ are smaller than the
rest by powers of ten, they are neglected in this and all further calculations for the purpose of
simplification.

$$PFH_{ges} = 10\% \cdot \frac{13.25 \times 10^{-8} + 9.67 \times 10^{-8}}{2} + 1.79 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} = 1.45 \times 10^{-8}$$

NOTE
EN 62061
According to EN 62061, the input subsystem is evaluated with an SFF or a DC of 90%. This limits the
maximum SIL value that can be achieved to 2, according to table 5 of EN 62061.

Alternative calculation of the MTTFD value for safety function 1 according to EN 13849 (under the same
assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

The inferior value is taken from the input subsystem (in this case a combination of encoder and
EL5021-0090):

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(Encoder)} + \frac{1}{MTTF_D(\text{EL5021-0090})} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

with:

If only PFHD values are available for EL2904 and EL6910, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$


Hence:

$$MTTF_D(EL6910) = \frac{1 - DC(EL6910)}{PFH(EL6910)} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\tfrac{1}{\text{h}} \cdot 8760\,\tfrac{\text{h}}{\text{y}}} = \frac{0.01}{15.68 \times 10^{-6}\,\tfrac{1}{\text{y}}} = 637\,\text{y}$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\tfrac{1}{\text{h}} \cdot 8760\,\tfrac{\text{h}}{\text{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\tfrac{1}{\text{y}}} = 913.2\,\text{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{125\,\text{y}} + \frac{1}{275\,\text{y}} + \frac{1}{637\,\text{y}} + \frac{1}{913\,\text{y}} + \frac{1}{593607\,\text{y}}} = 69.9\,\text{y}$$

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(Encoder)} + \frac{DC}{MTTF_D(\text{EL5021-0090})} + \frac{DC}{MTTF_D(Drive)} + \frac{DC}{MTTF_D(EL6910)} + \frac{DC}{MTTF_D(EL2904)} + \frac{DC}{MTTF_D(K1)} + \frac{DC}{MTTF_D(K2)}}{\frac{1}{MTTF_D(Encoder)} + \frac{1}{MTTF_D(\text{EL5021-0090})} + \frac{1}{MTTF_D(Drive)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(K2)}}$$

$$DC_{avg} = \frac{\frac{90\%}{125\,\text{y}} + \frac{90\%}{275\,\text{y}} + \frac{90\%}{118\,\text{y}} + \frac{99\%}{637\,\text{y}} + \frac{99\%}{913\,\text{y}} + \frac{99\%}{593607\,\text{y}} + \frac{99\%}{593607\,\text{y}}}{\frac{1}{125\,\text{y}} + \frac{1}{275\,\text{y}} + \frac{1}{118\,\text{y}} + \frac{1}{637\,\text{y}} + \frac{1}{913\,\text{y}} + \frac{1}{593607\,\text{y}} + \frac{1}{593607\,\text{y}}} = 90.78\%$$

Alternatively with DC = 99%

$$DC_{avg} = \frac{\frac{99\%}{125\,\text{y}} + \frac{99\%}{275\,\text{y}} + \frac{99\%}{118\,\text{y}} + \frac{99\%}{637\,\text{y}} + \frac{99\%}{913\,\text{y}} + \frac{99\%}{593607\,\text{y}} + \frac{99\%}{593607\,\text{y}}}{\frac{1}{125\,\text{y}} + \frac{1}{275\,\text{y}} + \frac{1}{118\,\text{y}} + \frac{1}{637\,\text{y}} + \frac{1}{913\,\text{y}} + \frac{1}{593607\,\text{y}} + \frac{1}{593607\,\text{y}}} = 99.00\%$$


CAUTION
Category
This structure is possible up to category 3 at the most.

WARNING
Standstill
When the motor is stopped, an error such as the freezing of an encoder signal is detected only if a
movement is requested. The machine manufacturer or user must take this into account.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Alternative with DC = 99% for the input subsystem:

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years


DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN62061


Safety integrity level Probability of a dangerous failure per hour (PFHD)
3 ≥ 10^-8 to < 10^-7
2 ≥ 10^-7 to < 10^-6
1 ≥ 10^-6 to < 10^-5


7.2 Speed monitoring (via IO-Link) (category 3, PL d)


The speed of a drive is to be monitored. This drive has a safety function (in this case, for example, STO),
which is activated via a corresponding input. This input is conducted through one working contact of each of
two contactors.

The speed signals are transmitted in two different ways to the EL6910 TwinSAFE Logic and processed
according to the logic shown. The IO-Link encoder is wired to an EL6224-0090, and the speed information is
transmitted via a TwinSAFE SC communication. The drive speed is also transferred to the EL6910
TwinSAFE Logic, via the standard PROFINET communication (any other fieldbus is also possible) and the
standard PLC.

The two speeds are scaled by the Scale FB within the safety-related EL6910 logic so that the values match
each other. These two speed values are checked by a Compare FB for equality and monitored by a Limit FB
for a maximum value. Since the two speed values are never 100% equal at any time, the difference between
the two speed values must lie within the tolerance band of 10% in order to still meet the condition of equality.
If the current speed value lies below the threshold specified in the Limit FB, the STO output is set to logical 1
and the drive can rotate. If the limit is exceeded or the comparison is invalid, the output is set to logic 0, and
the drive is switched torque-free or the safety function integrated in the drive is activated. The entire
calculation and scaling are performed at the SIL3/PL e safety level in the safety-related EL6910 logic. Using
this method, a safety-related result is created from two non-safety-related signals.

An emergency stop function is additionally implemented by an ESTOP function block (not shown in the
diagram for reasons of clarity), which prevents the restart and also takes over the control of contactors K1
and K2.

The IsValid signal of the Compare function block must be used for shutdown in the event of a fault.

Figure: IO-Link structure


Figure: Logic

7.2.1 Structure and diagnosis


The input signals read from the drive and the encoder are standard signals, but they are very different. The
drive supplies a speed value, the encoder supplies an IO-Link signal, which is evaluated by a standard
terminal and packed and transmitted in a safe telegram (FSoE with modified polynomial - TwinSAFE SC).
This terminal (EL6224-0090) supplies a speed value that is scaled within the safe logic and compared with
the speed value of the drive. Equality means in this case that the difference signal lies within the tolerance
window of 10%.


The IO-link encoder signal is transmitted via the standard fieldbus using the black channel principle. This
value is checked for plausibility against the drive speed that is transmitted via the standard fieldbus. Errors in
one of the two channels are detected by comparing the two diverse speed signals within the safe logic and
lead to the activation of STO of the drive.

7.2.2 FMEA

Error assumption | Expectations | Checked
The speed value, e.g. via PROFINET, freezes | This is detected via the second value and the plausibility check in the EL6910 (TwinSAFE SC communication between EL6224-0090 and EL6910). In addition, the standard-communication watchdog should be enabled for speed 0. |
Speed value via EtherCAT and TwinSAFE SC communication freezes | This is detected via the watchdog within the TwinSAFE SC communication. Plausibility check: dynamic speed values are also expected when the motor is started. |
Speed values are copied in succession in the standard PLC | A distorted value within the TwinSAFE SC communication leads to an invalid CRC within the telegram and thus to immediate shutdown of the group and the outputs. The data types of the two speed values have a different length (e.g. 4 bytes and 11 bytes). |
Speed value is distorted, e.g. via PROFINET | This is detected via the second value and the plausibility check in the EL6910 (TwinSAFE SC communication between EL6224-0090 and EL6910). |
There is no longer any connection between the motor and the encoder | Detected within the EL6910 via the plausibility check with the speed value of the drive. Plausibility check: dynamic speed values are also expected when the motor is started. |
Encoder supplies an incorrect position value | Detected within the EL6910 via the plausibility check with the speed value of the drive. |
Drive supplies incorrect speed value | This is detected via the second value and the plausibility check in the EL6910 (TwinSAFE SC communication between EL6224-0090 and EL6910). |
Communication error 61784-3 for standard communication: Corruption | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Unintentional repetition | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. In addition, the standard-communication watchdog should be enabled for speed 0. |
Communication error 61784-3 for standard communication: Wrong sequence | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Loss | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Unacceptable delay | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. In addition, the standard-communication watchdog should be enabled for speed 0. |
Communication error 61784-3 for standard communication: Insertion | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error 61784-3 for standard communication: Masquerading | Not relevant for standard, only for safety communication. |
Communication error 61784-3 for standard communication: Addressing | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |
Communication error for standard communication: Recurrent memory errors in switches | This is detected through the plausibility check of the speed values together with the TwinSAFE SC communication within the EL6910. |

7.2.2.1 Note on TwinSAFE SC communication:


The TwinSAFE SC communication uses the identical mechanisms for error detection as the Safety-over-
EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum
and this polynomial is sufficiently independent of the polynomial previously used for Safety-over-EtherCAT.

The identical mechanisms are active, such as the black channel principle (bit error probability 10^-2).

The quality of the data transmission is not crucial, because ultimately all transmission errors are detected via
the comparison in the safe logic, since this would lead to inequality.

7.2.3 Parameters of the safe output terminal

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes


7.2.4 Block formation and safety loops

7.2.4.1 Safety function 1

7.2.5 Calculation

7.2.5.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6910 – PFHD 1.79E-09
Drive – MTBF 516,840 (59y)
Encoder – MTTF 1,208,880 (138y)
EL6224-0090 - MTBF 1,200,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours

7.2.5.2 Diagnostic Coverage DC


Component | Value
Drive and encoder with EL6224-0090 and plausibility within the logic | DCavg=90% (alternatively in calculation: 99%)
K1/K2 with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels | DCavg=99%

7.2.5.3 Calculation of safety function 1


For clarity, the safety factor is calculated according to EN 62061 as well as EN 13849. Calculation according
to one standard is sufficient in practice.

Calculation of the PFHD and MTTFD values from the B10D values:

From:


$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Calculation of the PFHD and MTTFD values from the MTBF values:

Note: Repair times can be neglected, therefore the following applies:

$$MTTF_D = 2 \cdot MTBF$$

$$MTTF_D = \frac{1}{\lambda_D}$$

with

$$\lambda_D \approx \frac{0.1}{T_{10D}} = \frac{0.1 \cdot n_{op}}{B_{10D}}$$

produces for

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

Inserting the values, this produces:

Drive

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 59\,\text{y} = 1{,}033{,}680\,\text{h} = 118\,\text{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}033{,}680\,\text{h}} = 9.67 \times 10^{-8}$$

Encoder

$$MTTF_D = 2 \cdot MTTF = 2 \cdot 1{,}208{,}880\,\text{h} = 2{,}417{,}760\,\text{h} = 276\,\text{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{2{,}417{,}760\,\text{h}} = 4.13 \times 10^{-8}$$

EL6224-0090

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 1{,}200{,}000\,\text{h} = 2{,}400{,}000\,\text{h} = 273\,\text{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{2{,}400{,}000\,\text{h}} = 4.17 \times 10^{-8}$$

Input subsystem 1

$$PFH(Input1) = PFH(Encoder) + PFH(\text{EL6224-0090}) = 4.13 \times 10^{-8} + 4.17 \times 10^{-8} = 8.30 \times 10^{-8}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1{,}300{,}000}{0.1 \cdot 21.90} = 593607.3\,\text{y} = 5{,}199{,}997{,}320\,\text{h}$$

and the assumption that K1 and K2 are each single-channel:

K1/K2: Actuation 1x per week and direct feedback


$$PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

The input signals from the encoder with EL6224-0090 and drive have different measuring procedures,
deliver differently scaled values and are both involved in the safety function. A malfunction of a channel does
not lead to a dangerous situation, but is detected by comparing the two values in the TwinSAFE Logic and
leads to shutdown.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF, and
Table F.2: Estimation of the CCF factor(β)), which can be used to determine the β factor precisely. For the
input subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is
modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(Input1) + PFH(Drive)}{2} + (1 - \beta)^2 \cdot PFH(Input1) \cdot PFH(Drive) \cdot T_1 + PFH(EL6910) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$$

Since the portions $(1 - \beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$ and $(1 - \beta)^2 \cdot PFH(Input1) \cdot PFH(Drive) \cdot T_1$ are smaller than the
rest by powers of ten, they are neglected in this and all further calculations for the purpose of
simplification.

$$PFH_{ges} = 10\% \cdot \frac{8.30 \times 10^{-8} + 9.67 \times 10^{-8}}{2} + 1.79 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} = 1.2 \times 10^{-8}$$

NOTE
EN 62061
According to EN 62061, the input subsystem is evaluated with an SFF or a DC of 90%. This limits the
maximum SIL value that can be achieved to 2, according to table 5 of EN 62061.

Alternative calculation of the MTTFD value for safety function 1 according to EN 13849 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

The inferior value is taken from the input subsystem (in this case the drive):

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(Drive)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

If only PFHD values are available for EL2904 and EL6910, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

220 Version: 3.2.0 Application Guide TwinSAFE


Analog value processing with TwinSAFE SC

$$MTTF_D(EL6910) = \frac{1 - DC(EL6910)}{PFH(EL6910)} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{15.68 \times 10^{-6}\,\frac{1}{y}} = 637\,y$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{y}} = 913.2\,y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{118\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593607\,y}} = 89.7\,y$$

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(Encoder)} + \frac{DC}{MTTF_D(EL6224\text{-}0090)} + \frac{DC}{MTTF_D(Drive)} + \frac{DC}{MTTF_D(EL6910)} + \frac{DC}{MTTF_D(EL2904)} + \frac{DC}{MTTF_D(K1)} + \frac{DC}{MTTF_D(K2)}}{\frac{1}{MTTF_D(Encoder)} + \frac{1}{MTTF_D(EL6224\text{-}0090)} + \frac{1}{MTTF_D(Drive)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(K2)}}$$

With DC = 90% for the input subsystem:

$$DC_{avg} = \frac{\frac{90\%}{276\,y} + \frac{90\%}{273\,y} + \frac{90\%}{118\,y} + \frac{99\%}{637\,y} + \frac{99\%}{913\,y} + \frac{99\%}{593607\,y} + \frac{99\%}{593607\,y}}{\frac{1}{276\,y} + \frac{1}{273\,y} + \frac{1}{118\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593607\,y} + \frac{1}{593607\,y}} = 91.30\%$$

Alternatively with DC = 99%:

$$DC_{avg} = \frac{\frac{99\%}{276\,y} + \frac{99\%}{273\,y} + \frac{99\%}{118\,y} + \frac{99\%}{637\,y} + \frac{99\%}{913\,y} + \frac{99\%}{593607\,y} + \frac{99\%}{593607\,y}}{\frac{1}{276\,y} + \frac{1}{273\,y} + \frac{1}{118\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593607\,y} + \frac{1}{593607\,y}} = 99.00\%$$


CAUTION
Category
This structure is possible up to category 3 at the most.

WARNING
Standstill
When the motor is stopped, an error such as the freezing of an encoder signal is detected only if a movement is requested. The machine manufacturer or user must take this into account.

CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD

| Designation for each channel | Range for each channel |
|---|---|
| low | 3 years ≤ MTTFD < 10 years |
| medium | 10 years ≤ MTTFD < 30 years |
| high | 30 years ≤ MTTFD ≤ 100 years |

DC

| Name | Range |
|---|---|
| none | DC < 60 % |
| low | 60 % ≤ DC < 90 % |
| medium | 90 % ≤ DC < 99 % |
| high | 99 % ≤ DC |

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


Alternative with DC = 99% for the input subsystem:

MTTFD

| Designation for each channel | Range for each channel |
|---|---|
| low | 3 years ≤ MTTFD < 10 years |
| medium | 10 years ≤ MTTFD < 30 years |
| high | 30 years ≤ MTTFD ≤ 100 years |

DC

| Name | Range |
|---|---|
| none | DC < 60 % |
| low | 60 % ≤ DC < 90 % |
| medium | 90 % ≤ DC < 99 % |
| high | 99 % ≤ DC |

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN 62061

| Safety integrity level | Probability of a dangerous failure per hour (PFHD) |
|---|---|
| 3 | ≥ 10⁻⁸ to < 10⁻⁷ |
| 2 | ≥ 10⁻⁷ to < 10⁻⁶ |
| 1 | ≥ 10⁻⁶ to < 10⁻⁵ |


7.3 Temperature measurement with TwinSAFE SC (category 3, PL d)

This example shows how a temperature measurement can be realized with the TwinSAFE SC technology.
To this end, two measuring points are equipped with temperature sensors, one with a type K thermocouple
wired to a standard EL3312 EtherCAT Terminal and the other with a PT1000 measuring resistance wired to
an EL3214-0090 TwinSAFE SC EtherCAT Terminal.

These two signals are compared or checked for plausibility by means of a Compare function block within the safe EL6910 TwinSAFE Logic. The signal is then checked via the Limit function block. The result of the Limit function block and the IsValid output of the Compare function block are used to switch off contactors K1 and K2 via the function block Mon.

To keep things clear the contactor control is not shown in this example, but the user should keep it in mind.

CAUTION
Emergency stop / contactor monitoring
In addition to the function shown above, contactor monitoring, e.g. via an EDM function block for K1 and
K2, and possibly an emergency stop function, must be implemented by the user!


7.3.1 Schematic diagram of the configuration

7.3.2 Structure and diagnosis


The signals that are read at the two measuring points are standard signals, which use different technologies.
At least one signal is transmitted via the TwinSAFE SC technology to the safe TwinSAFE Logic, so that
distortions of this signal are detected in the PC or on the communication path. The test for equality of these
two signals, within the permissible tolerances, is carried out in the safe TwinSAFE Logic.

The individual error assumptions and associated expectations are listed in the following FMEA table.

7.3.3 FMEA

| Error assumption | Expectations | Checked |
|---|---|---|
| Temperature value via the standard fieldbus freezes | The value is detected by the second value and via the plausibility check in the EL6910. | |
| Temperature value via the TwinSAFE SC communication freezes | This is detected via the watchdog within the TwinSAFE SC communication and via the plausibility check in the EL6910. | |
| Temperature values are copied to each other in the standard PLC | A distorted value within the TwinSAFE SC communication leads to an invalid CRC within the telegram and thus to immediate shutdown of the group and the outputs. | |
| Temperature value via standard fieldbus is distorted | The value is detected by the second value and via the plausibility check in the EL6910. | |
| The connection between the sensor and the EtherCAT Terminal has been lost | This is detected via the plausibility check with the second temperature value within the EL6910. | |
| PT1000 delivers incorrect temperature value | This is detected via the plausibility check with the second temperature value within the EL6910. | |
| Thermocouple delivers incorrect temperature value | This is detected via the plausibility check with the second temperature value within the EL6910. | |
| Communication error 61784-3 for standard communication: Corruption | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Unintentional repetition | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Wrong sequence | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Loss | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Unacceptable delay | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Insertion | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Masquerading | Not relevant for standard, only for safety communication. | |
| Communication error 61784-3 for standard communication: Addressing | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error for standard communication: Recurrent memory errors in switches | This is detected through the plausibility check of the temperature values and via the TwinSAFE SC communication within the EL6910. | |

7.3.3.1 Note on TwinSAFE SC communication

The TwinSAFE SC communication uses the same mechanisms for error detection as the Safety-over-EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum; this polynomial is sufficiently independent of the polynomial already used for Safety-over-EtherCAT.

The same mechanisms are active, such as the black channel principle (bit error probability 10⁻²).

The quality of the data transmission is not crucial, because ultimately every transmission error is detected by the comparison in the safe TwinSAFE Logic, since it would lead to inequality of the two values.

7.3.4 Parameters of the safe output terminal

EL2904

| Parameter | Value |
|---|---|
| Current measurement active | No |
| Output test pulses active | Yes |


7.3.5 Block formation and safety loops

7.3.5.1 Safety function 1

7.3.6 Calculation

7.3.6.1 PFHD / MTTFD / B10D – values


| Component | Value |
|---|---|
| EL2904 – PFHD | 1.25E-09 |
| EL6910 – PFHD | 1.79E-09 |
| PT1000 – MTTFD | 7,618 a (according to Table C.5 EN ISO 13849-1:2015) |
| Thermocouple type K – FIT | 1900 (number of errors in 10⁹ hours) |
| EL3214-0090 – MTBF | 890,000 h |
| EL3312 – MTBF | 1,661,253 h |
| K1 – B10D | 1,300,000 |
| K2 – B10D | 1,300,000 |
| Days of operation (dop) | 230 |
| Hours of operation / day (hop) | 16 |
| Cycle time (minutes) (Tcycle) | 10080 (1x per week) |
| Lifetime (T1) | 20 years = 175200 hours |

7.3.6.2 Diagnostic Coverage DC


| Component | Value |
|---|---|
| Temperature values via TwinSAFE SC and plausibility check within the logic | DCavg = 90% (alternatively in calculation: 99%) |
| K1/K2 with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels | DCavg = 99% |

7.3.6.3 Calculation of safety function 1


For clarity, the safety factor is calculated according to EN 62061 as well as EN 13849. Calculation according
to one standard is sufficient in practice.

Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Calculation of the PFHD and MTTFD values from the MTBF values:

Note: Repair times can be neglected, therefore the following applies:

$$MTTF_D = 2 \cdot MTBF$$

$$MTTF_D = \frac{1}{\lambda_D}$$

with

$$\lambda_D \approx \frac{0.1}{T_{10D}} = \frac{0.1 \cdot n_{op}}{B_{10D}}$$

this gives for the PFH:

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

Inserting the values, this produces:

PT1000

$$MTTF_D = 7618\,y = 66\,733\,680\,h$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{66\,733\,680\,h} = 1.50 \times 10^{-9}$$

EL3214-0090

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 890\,000\,h = 1\,780\,000\,h = 203\,y$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1\,780\,000\,h} = 5.62 \times 10^{-8}$$

Input system 1

$$PFH(Input1) = PFH(PT1000) + PFH(EL3214\text{-}0090) = 1.50 \times 10^{-9} + 5.62 \times 10^{-8} = 5.77 \times 10^{-8}$$

Thermocouple

$$MTTF_D = \frac{1}{\lambda_D} = \frac{1}{1900\,FIT} = \frac{10^9\,h}{1900} = 526\,315\,h = 60\,y$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{526\,315\,h} = 19.0 \times 10^{-8}$$

EL3312

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 1\,661\,253\,h = 3\,322\,506\,h = 379\,y$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{3\,322\,506\,h} = 3.0 \times 10^{-8}$$

Input system 2

$$PFH(Input2) = PFH(Thermocouple) + PFH(EL3312) = 19.0 \times 10^{-8} + 3.0 \times 10^{-8} = 22.0 \times 10^{-8}$$


K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 21.90} = 593\,607.3\,y = 5\,199\,997\,320\,h$$

and the assumption that K1 and K2 are each single-channel:

K1/K2: Actuation 1x per week and direct feedback

$$PFH = \frac{1 - 0.99}{593\,607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

The input signals from PT1000 with EL3214-0090 and thermocouple with EL3312 use different measuring
procedures. Both provide a temperature value and are involved in the safety function. A malfunction of a
channel does not lead to a dangerous situation, but is detected by comparing the two values in the
TwinSAFE Logic and leads to shutdown.

There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where β = 10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF, and Table F.2: Estimation of the CCF factor (β)), which can be used to determine the β factor precisely. For the input subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(Input1) + PFH(Input2)}{2} + (1-\beta)^2 \cdot PFH(Input1) \cdot PFH(Input2) \cdot T_1 + PFH(EL6910) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$ and $(1-\beta)^2 \cdot PFH(Input1) \cdot PFH(Input2) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

This leads to:

$$PFH_{ges} = 10\% \cdot \frac{5.77 \times 10^{-8} + 22.0 \times 10^{-8}}{2} + 1.79 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} = 1.693 \times 10^{-8}$$

NOTE
EN 62061
According to EN 62061, the input subsystem is evaluated with an SFF or a DC of 90%. This limits the maximum SIL value that can be achieved to 2, according to table 5 of EN 62061.

Alternative calculation of the MTTFD value for safety function 1 according to EN 13849 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$


The inferior value is taken from the input subsystem:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(Thermocouple)} + \frac{1}{MTTF_D(EL3312)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

If only PFHD values are available for EL2904 and EL6910, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL6910) = \frac{1 - DC(EL6910)}{PFH(EL6910)} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{15.68 \times 10^{-6}\,\frac{1}{y}} = 637\,y$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{y}} = 913.2\,y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{60\,y} + \frac{1}{379\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593\,607\,y}} = 45.5\,y$$

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(PT1000)} + \frac{DC}{MTTF_D(EL3214)} + \frac{DC}{MTTF_D(Thermocouple)} + \frac{DC}{MTTF_D(EL3312)} + \frac{DC}{MTTF_D(EL6910)} + \frac{DC}{MTTF_D(EL2904)} + \frac{DC}{MTTF_D(K1)} + \frac{DC}{MTTF_D(K2)}}{\frac{1}{MTTF_D(PT1000)} + \frac{1}{MTTF_D(EL3214)} + \frac{1}{MTTF_D(Thermocouple)} + \frac{1}{MTTF_D(EL3312)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(K2)}}$$

With DC = 90% for the input subsystem:

$$DC_{avg} = \frac{\frac{90\%}{7618\,y} + \frac{90\%}{203\,y} + \frac{90\%}{60\,y} + \frac{90\%}{379\,y} + \frac{99\%}{637\,y} + \frac{99\%}{913\,y} + \frac{99\%}{593607\,y} + \frac{99\%}{593607\,y}}{\frac{1}{7618\,y} + \frac{1}{203\,y} + \frac{1}{60\,y} + \frac{1}{379\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593607\,y} + \frac{1}{593607\,y}} = 91.11\%$$

Alternatively with DC = 99%:

$$DC_{avg} = \frac{\frac{99\%}{7618\,y} + \frac{99\%}{203\,y} + \frac{99\%}{60\,y} + \frac{99\%}{379\,y} + \frac{99\%}{637\,y} + \frac{99\%}{913\,y} + \frac{99\%}{593607\,y} + \frac{99\%}{593607\,y}}{\frac{1}{7618\,y} + \frac{1}{203\,y} + \frac{1}{60\,y} + \frac{1}{379\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593607\,y} + \frac{1}{593607\,y}} = 99.00\%$$


CAUTION
Category
This structure is possible up to category 3 at the most.

DC=90% for the input subsystem

MTTFD

| Designation for each channel | Range for each channel |
|---|---|
| low | 3 years ≤ MTTFD < 10 years |
| medium | 10 years ≤ MTTFD < 30 years |
| high | 30 years ≤ MTTFD ≤ 100 years |

DC

| Name | Range |
|---|---|
| none | DC < 60 % |
| low | 60 % ≤ DC < 90 % |
| medium | 90 % ≤ DC < 99 % |
| high | 99 % ≤ DC |

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


Alternative with DC = 99% for the input subsystem

MTTFD

| Designation for each channel | Range for each channel |
|---|---|
| low | 3 years ≤ MTTFD < 10 years |
| medium | 10 years ≤ MTTFD < 30 years |
| high | 30 years ≤ MTTFD ≤ 100 years |

DC

| Name | Range |
|---|---|
| none | DC < 60 % |
| low | 60 % ≤ DC < 90 % |
| medium | 90 % ≤ DC < 99 % |
| high | 99 % ≤ DC |

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN 62061

| Safety integrity level | Probability of a dangerous failure per hour (PFHD) |
|---|---|
| 3 | ≥ 10⁻⁸ to < 10⁻⁷ |
| 2 | ≥ 10⁻⁷ to < 10⁻⁶ |
| 1 | ≥ 10⁻⁶ to < 10⁻⁵ |


7.4 Level measurement with TwinSAFE SC (category 3, PL d)

This example shows how a level measurement of a container can be realized with the TwinSAFE SC technology. Two different measuring methods are used for this purpose: an ultrasonic sensor with a 0 - 10 V interface, which is wired to a TwinSAFE SC EtherCAT Box EP3174-0092, and a level probe with a 4-20 mA interface, which is wired to a standard EL3152 EtherCAT Terminal.

These two signals are compared or checked for plausibility by means of a Compare function block within the safe EL6910 TwinSAFE Logic. The signal from the EP3174-0092 is first scaled by the Scale function block so that both signals have an identical value range. The signal is then checked via the Limit function block. The result of the Limit function block and the IsValid output of the Compare function block are used to switch off contactors K1 and K2 via the function block Mon. In addition, the StuckAtError output of the Scale function block can be connected to a Mon input; freezing of the signal can be detected with this configuration.

To keep things clear the contactor control is not shown in this example, but the user should keep it in mind.

CAUTION
Emergency stop / contactor monitoring
In addition to the function shown above, contactor monitoring, e.g. via an EDM function block for K1 and
K2, and possibly an emergency stop function, must be implemented by the user!


7.4.1 Schematic diagram of the configuration

7.4.2 Structure and diagnosis


The signals that are read at the two measuring points are standard signals, which use different technologies.
At least one signal is transmitted via the TwinSAFE SC technology to the safe TwinSAFE Logic, so that
distortions of this signal are detected in the PC or on the communication path. The test for equality of these
two signals, within the permissible tolerances, is carried out in the safe TwinSAFE Logic.

The individual error assumptions and associated expectations are listed in the following FMEA table.

7.4.3 FMEA

| Error assumption | Expectations | Checked |
|---|---|---|
| Filling level value via the standard fieldbus freezes | The value is detected by the second value and via the plausibility check in the EL6910. | |
| Filling level value via the TwinSAFE SC communication freezes | This is detected via the watchdog within the TwinSAFE SC communication and via the plausibility check in the EL6910. | |
| Filling level values are copied to each other in the standard PLC | A distorted value within the TwinSAFE SC communication leads to an invalid CRC within the telegram and thus to immediate shutdown of the group and the outputs. | |
| Filling level value via standard fieldbus is distorted | The value is detected by the second value and via the plausibility check in the EL6910. | |
| The connection between the sensor and the EtherCAT Terminal has been lost | This is detected via the plausibility check with the second filling level value within the EL6910. | |
| Ultrasonic sensor supplies incorrect filling level value | This is detected via the plausibility check with the second filling level value within the EL6910. | |
| Level probe supplies incorrect filling level value | This is detected via the plausibility check with the second filling level value within the EL6910. | |
| Communication error 61784-3 for standard communication: Corruption | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Unintentional repetition | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Wrong sequence | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Loss | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Unacceptable delay | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Insertion | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error 61784-3 for standard communication: Masquerading | Not relevant for standard, only for safety communication. | |
| Communication error 61784-3 for standard communication: Addressing | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |
| Communication error for standard communication: Recurrent memory errors in switches | This is detected through the plausibility check of the filling level values and via the TwinSAFE SC communication within the EL6910. | |

7.4.3.1 Note on TwinSAFE SC communication

The TwinSAFE SC communication uses the same mechanisms for error detection as the Safety-over-EtherCAT communication, the difference being that a different polynomial is used to calculate the checksum; this polynomial is sufficiently independent of the polynomial already used for Safety-over-EtherCAT.

The same mechanisms are active, such as the black channel principle (bit error probability 10⁻²).

The quality of the data transmission is not crucial, because ultimately every transmission error is detected by the comparison in the safe TwinSAFE Logic, since it would lead to inequality of the two values.

7.4.4 Parameters of the safe output terminal

EL2904

| Parameter | Value |
|---|---|
| Current measurement active | No |
| Output test pulses active | Yes |


7.4.5 Block formation and safety loops

7.4.5.1 Safety function 1

7.4.6 Calculation

7.4.6.1 PFHD / MTTFD / B10D – values


| Component | Value |
|---|---|
| EL2904 – PFHD | 1.25E-09 |
| EL6910 – PFHD | 1.79E-09 |
| Ultrasonic sensor – MTBF | 195 a (1,708,200 h) |
| Level probe – MTTF | 732 a (6,412,320 h) |
| EP3174-0092 – MTBF | 600,000 h |
| EL3152 – MTBF | 2,507,303 h |
| K1 – B10D | 1,300,000 h |
| K2 – B10D | 1,300,000 h |
| Days of operation (dop) | 230 |
| Hours of operation / day (hop) | 16 |
| Cycle time (minutes) (Tcycle) | 10080 (1x per week) |
| Lifetime (T1) | 20 years = 175200 hours |

7.4.6.2 Diagnostic Coverage DC


| Component | Value |
|---|---|
| Filling level values via TwinSAFE SC and plausibility check within the logic | DCavg = 90% (alternatively in calculation: 99%) |
| K1/K2 with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels | DCavg = 99% |

7.4.6.3 Calculation of safety function 1


For clarity, the safety factor is calculated according to EN 62061 as well as EN 13849. Calculation according
to one standard is sufficient in practice.

Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Calculation of the PFHD and MTTFD values from the MTBF values:

Note: Repair times can be neglected, therefore the following applies:

$$MTTF_D = 2 \cdot MTBF$$

$$MTTF_D = \frac{1}{\lambda_D}$$

with

$$\lambda_D \approx \frac{0.1}{T_{10D}} = \frac{0.1 \cdot n_{op}}{B_{10D}}$$

this gives for the PFH:

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

Inserting the values, this produces:

Ultrasonic sensor

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 195\,y = 390\,y = 3\,416\,400\,h$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{3\,416\,400\,h} = 2.93 \times 10^{-8}$$

EP3174-0092

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 600\,000\,h = 1\,200\,000\,h = 136\,y$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1\,200\,000\,h} = 8.33 \times 10^{-8}$$

Input system 1

$$PFH(Input1) = PFH(Ultrasonic) + PFH(EP3174\text{-}0092) = 2.93 \times 10^{-8} + 8.33 \times 10^{-8} = 11.26 \times 10^{-8}$$

Level probe

$$MTTF_D = 2 \cdot MTTF = 2 \cdot 732\,y = 1\,464\,y = 12\,824\,640\,h$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{12\,824\,640\,h} = 7.79 \times 10^{-9}$$

EL3152

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 2\,507\,303\,h = 5\,014\,606\,h = 572\,y$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{5\,014\,606\,h} = 1.99 \times 10^{-8}$$

Input system 2

$$PFH(Input2) = PFH(LevelProbe) + PFH(EL3152) = 7.79 \times 10^{-9} + 1.99 \times 10^{-8} = 2.77 \times 10^{-8}$$


K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1\,300\,000}{0.1 \cdot 21.90} = 593\,607.3\,y = 5\,199\,997\,320\,h$$

and the assumption that K1 and K2 are each single-channel:

K1/K2: Actuation 1x per week and direct feedback

$$PFH = \frac{1 - 0.99}{593\,607.3 \cdot 8760} = 1.92 \times 10^{-12}$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

The input signals from the ultrasonic sensor with EP3174-0092 and the level probe with EL3152 use different
measuring procedures. Both provide a filling level and are involved in the safety function. A malfunction of a
channel does not lead to a dangerous situation, but is detected by comparing the two values in the
TwinSAFE Logic and leads to shutdown.

There is a coupling coefficient between the components that are connected via two channels. Examples are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-case estimation, where β = 10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF, and Table F.2: Estimation of the CCF factor (β)), which can be used to determine the β factor precisely. For the input subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$PFH_{ges} = \beta \cdot \frac{PFH(Input1) + PFH(Input2)}{2} + (1-\beta)^2 \cdot PFH(Input1) \cdot PFH(Input2) \cdot T_1 + PFH(EL6910) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$$

Since the portions $(1-\beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$ and $(1-\beta)^2 \cdot PFH(Input1) \cdot PFH(Input2) \cdot T_1$ are smaller than the rest by a power of ten, they are neglected in this and all further calculations for the purpose of simplification.

This leads to:

$$PFH_{ges} = 10\% \cdot \frac{11.26 \times 10^{-8} + 2.77 \times 10^{-8}}{2} + 1.79 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.92 \times 10^{-12} + 1.92 \times 10^{-12}}{2} = 1.005 \times 10^{-8}$$

NOTE
EN 62061
According to EN 62061, the input subsystem is evaluated with an SFF or a DC of 90%. This limits the maximum SIL value that can be achieved to 2, according to table 5 of EN 62061.

Alternative calculation of the MTTFD value for safety function 1 according to EN 13849 (under the same assumption):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$


The inferior value is taken from the input subsystem:

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(UltrasonicSensor)} + \frac{1}{MTTF_D(EP3174\text{-}0092)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)}$$

If only PFHD values are available for EL2904 and EL6910, the following estimation applies:

$$MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)}$$

Hence:

$$MTTF_D(EL6910) = \frac{1 - DC(EL6910)}{PFH(EL6910)} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{15.68 \times 10^{-6}\,\frac{1}{y}} = 637\,y$$

$$MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{y}} = 913.2\,y$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{390\,y} + \frac{1}{136\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593\,607\,y}} = 79.46\,y$$

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(Ultrasonic)} + \frac{DC}{MTTF_D(EP3174\text{-}0092)} + \frac{DC}{MTTF_D(LevelProbe)} + \frac{DC}{MTTF_D(EL3152)} + \frac{DC}{MTTF_D(EL6910)} + \frac{DC}{MTTF_D(EL2904)} + \frac{DC}{MTTF_D(K1)} + \frac{DC}{MTTF_D(K2)}}{\frac{1}{MTTF_D(Ultrasonic)} + \frac{1}{MTTF_D(EP3174\text{-}0092)} + \frac{1}{MTTF_D(LevelProbe)} + \frac{1}{MTTF_D(EL3152)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(K2)}}$$

With DC = 90% for the input subsystem:

$$DC_{avg} = \frac{\frac{90\%}{390\,y} + \frac{90\%}{136\,y} + \frac{90\%}{1464\,y} + \frac{90\%}{572\,y} + \frac{99\%}{637\,y} + \frac{99\%}{913\,y} + \frac{99\%}{593607\,y} + \frac{99\%}{593607\,y}}{\frac{1}{390\,y} + \frac{1}{136\,y} + \frac{1}{1464\,y} + \frac{1}{572\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593607\,y} + \frac{1}{593607\,y}} = 91.33\%$$

Alternatively with DC = 99%:

$$DC_{avg} = \frac{\frac{99\%}{390\,y} + \frac{99\%}{136\,y} + \frac{99\%}{1464\,y} + \frac{99\%}{572\,y} + \frac{99\%}{637\,y} + \frac{99\%}{913\,y} + \frac{99\%}{593607\,y} + \frac{99\%}{593607\,y}}{\frac{1}{390\,y} + \frac{1}{136\,y} + \frac{1}{1464\,y} + \frac{1}{572\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{593607\,y} + \frac{1}{593607\,y}} = 99.00\%$$
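The calculation chain of sections 7.3.6.3 and 7.4.6.3 (n_op from the cycle data, MTTFD from B10D, MTBF or FIT, PFH from MTTFD and DC, the two-channel combination with β, the series MTTFD and DCavg of EN ISO 13849-1) as an added, runnable Python example; it is not part of the guide and not Beckhoff code. It reproduces both examples from the component figures quoted above and additionally reports the neglected (1-β)² product terms so their size relative to the total can be checked; the function names (evaluate, temperature_example, level_example) are this example's own.

```python
"""PFHD / MTTFD / DCavg calculation for the two-channel TwinSAFE SC measurements
of sections 7.3 (temperature) and 7.4 (level), following the formulas given there.
Added example, not Beckhoff code; component figures are those quoted in the guide."""
from typing import Sequence, Tuple

HPY = 8760.0                                # hours per year, as used in the guide
PFH_EL6910, PFH_EL2904 = 1.79e-9, 1.25e-9   # TwinSAFE Logic and safe output terminal
T1_H = 20 * HPY                             # lifetime T1 = 20 years = 175200 h


def n_op(d_op: float, h_op: float, t_cycle_min: float) -> float:
    """Operations per year: n_op = d_op * h_op * 60 / T_cycle (T_cycle in minutes)."""
    return d_op * h_op * 60.0 / t_cycle_min


def mttfd_from_b10d_years(b10d: float, nop: float) -> float:
    """MTTFD = B10D / (0.1 * n_op); result in years because n_op is per year."""
    return b10d / (0.1 * nop)


def pfh_from_mttfd(mttfd_h: float, dc: float) -> float:
    """PFH = (1 - DC) / MTTFD with MTTFD in hours."""
    return (1.0 - dc) / mttfd_h


def two_channel_terms(pfh_a: float, pfh_b: float, beta: float, t1_h: float) -> Tuple[float, float]:
    """Two-channel subsystem: common-cause term beta*(PFH_a+PFH_b)/2 and independent
    term (1-beta)^2*PFH_a*PFH_b*T1, returned separately (the guide drops the second)."""
    return beta * (pfh_a + pfh_b) / 2.0, (1.0 - beta) ** 2 * pfh_a * pfh_b * t1_h


def mttfd_series_years(mttfd_years: Sequence[float]) -> float:
    """1/MTTFD_ges = sum(1/MTTFD_i) over the components in series (EN ISO 13849-1)."""
    return 1.0 / sum(1.0 / m for m in mttfd_years)


def dc_avg(components: Sequence[Tuple[float, float]]) -> float:
    """DCavg = sum(DC_i/MTTFD_i) / sum(1/MTTFD_i); components are (MTTFD, DC) pairs."""
    return sum(dc / m for m, dc in components) / sum(1.0 / m for m, _ in components)


def dc_class(dc: float) -> str:
    """DC ranges of the guide's table: none / low / medium / high."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def mttfd_class(mttfd_y: float) -> str:
    """MTTFD ranges per channel: low from 3 y, medium from 10 y, high from 30 y."""
    if mttfd_y < 3:
        return "out of range"
    return "low" if mttfd_y < 10 else "medium" if mttfd_y < 30 else "high"


def sil_from_pfh(pfh: float) -> int:
    """Table 3 of EN 62061 as quoted: SIL 3 below 1e-7, SIL 2 below 1e-6, SIL 1 below 1e-5.
    A PFH below 1e-8 still satisfies SIL 3, the highest level in that table."""
    return 3 if pfh < 1e-7 else 2 if pfh < 1e-6 else 1 if pfh < 1e-5 else 0


def evaluate(channel1_h: Sequence[float], channel2_h: Sequence[float],
             dc_input: float = 0.90, beta: float = 0.10) -> dict:
    """channel*_h: MTTFD in hours of sensor and input terminal of each measuring channel.
    beta = 10 % is the guide's worst-case CCF factor; dc_input is the DC of both channels."""
    pfh_in1 = sum(pfh_from_mttfd(m, dc_input) for m in channel1_h)
    pfh_in2 = sum(pfh_from_mttfd(m, dc_input) for m in channel2_h)
    # K1/K2: B10D 1.3e6, actuated once a week (n_op rounded to 21.90 as in the guide), EDM -> DC 99 %
    m_k_y = mttfd_from_b10d_years(1_300_000, round(n_op(230, 16, 10080), 2))
    pfh_k = pfh_from_mttfd(m_k_y * HPY, 0.99)
    ccf_in, ind_in = two_channel_terms(pfh_in1, pfh_in2, beta, T1_H)
    ccf_k, ind_k = two_channel_terms(pfh_k, pfh_k, beta, T1_H)
    pfh_ges = ccf_in + PFH_EL6910 + PFH_EL2904 + ccf_k     # product terms neglected, as in the guide
    # EN ISO 13849-1 side: the weaker input channel in series with logic, output and one contactor
    m_el6910_y = (1 - 0.99) / PFH_EL6910 / HPY             # MTTFD estimated from PFH and DC 99 %
    m_el2904_y = (1 - 0.99) / PFH_EL2904 / HPY
    weaker = channel1_h if pfh_in1 > pfh_in2 else channel2_h
    mttfd_ges = mttfd_series_years([m / HPY for m in weaker] + [m_el6910_y, m_el2904_y, m_k_y])
    dcavg = dc_avg([(m / HPY, dc_input) for m in (*channel1_h, *channel2_h)]
                   + [(m_el6910_y, 0.99), (m_el2904_y, 0.99), (m_k_y, 0.99), (m_k_y, 0.99)])
    return {"pfh_ges": pfh_ges, "neglected": ind_in + ind_k, "sil_from_pfh": sil_from_pfh(pfh_ges),
            "mttfd_ges_y": mttfd_ges, "mttfd_class": mttfd_class(mttfd_ges),
            "dcavg": dcavg, "dc_class": dc_class(dcavg)}


def temperature_example(dc_input: float = 0.90) -> dict:
    """7.3: PT1000 (MTTFD 7618 y) + EL3214-0090 (MTBF 890000 h, MTTFD = 2*MTBF) against
    type K thermocouple (1900 FIT, MTTFD = 1e9 h / FIT) + EL3312 (MTBF 1661253 h)."""
    return evaluate([7618 * HPY, 2 * 890_000], [1e9 / 1900, 2 * 1_661_253], dc_input)


def level_example(dc_input: float = 0.90) -> dict:
    """7.4: ultrasonic sensor (MTBF 195 y) + EP3174-0092 (MTBF 600000 h) against
    level probe (MTTF 732 y) + EL3152 (MTBF 2507303 h)."""
    return evaluate([2 * 195 * HPY, 2 * 600_000], [2 * 732 * HPY, 2 * 2_507_303], dc_input)
```

Passing dc_input=0.99 reproduces the "alternatively with DC = 99%" variant of both sections.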


CAUTION
Category
This structure is possible up to category 3 at the most.

DC=90% for the input subsystem

MTTFD

| Designation for each channel | Range for each channel |
|---|---|
| low | 3 years ≤ MTTFD < 10 years |
| medium | 10 years ≤ MTTFD < 30 years |
| high | 30 years ≤ MTTFD ≤ 100 years |

DC

| Name | Range |
|---|---|
| none | DC < 60 % |
| low | 60 % ≤ DC < 90 % |
| medium | 90 % ≤ DC < 99 % |
| high | 99 % ≤ DC |

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


Alternative with DC = 99% for the input subsystem

MTTFD

| Designation for each channel | Range for each channel |
|---|---|
| low | 3 years ≤ MTTFD < 10 years |
| medium | 10 years ≤ MTTFD < 30 years |
| high | 30 years ≤ MTTFD ≤ 100 years |

DC

| Name | Range |
|---|---|
| none | DC < 60 % |
| low | 60 % ≤ DC < 90 % |
| medium | 90 % ≤ DC < 99 % |
| high | 99 % ≤ DC |

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Safety integrity level according to Table 3 EN 62061

| Safety integrity level | Probability of a dangerous failure per hour (PFHD) |
|---|---|
| 3 | ≥ 10⁻⁸ to < 10⁻⁷ |
| 2 | ≥ 10⁻⁷ to < 10⁻⁶ |
| 1 | ≥ 10⁻⁶ to < 10⁻⁵ |


7.5 Pressure measurement with TwinSAFE SC (category 3, PL d)

This example shows how a pressure measurement of a container can be realized with the TwinSAFE SC technology. To this end, two measuring points are equipped with pressure sensors, one with a pressure sensor with IO-Link interface wired to a standard EL6224 EtherCAT Terminal and the other with a pressure sensor with 4-20 mA interface wired to an EL3124-0090 TwinSAFE SC EtherCAT Terminal.

These two signals are compared or checked for plausibility by means of a Compare function block within the safe EL6910 TwinSAFE Logic. The signal from the EL6224 is first scaled by the Scale function block so that both signals have an identical value range. The signal is then checked via the Limit function block. The result of the Limit function block and the IsValid output of the Compare function block are used to switch off contactors K1 and K2 via the function block Mon. In addition, the StuckAtError output of the Scale function block can be connected to a Mon input; freezing of the signal can be detected with this configuration.

To keep things clear the contactor control is not shown in this example, but the user should keep it in mind.

WARNING
Pressure safety valve (PSV)
The application shown above cannot be used as a replacement for a pressure safety valve according to the
EC Pressure Equipment Directive.

CAUTION
Emergency stop / contactor monitoring
In addition to the function shown above, contactor monitoring, e.g. via an EDM function block for K1 and
K2, and possibly an emergency stop function, must be implemented by the user!
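The signal path described above, modelled as an added example that is not TwinSAFE function-block code and not part of the original guide: a Scale step with freeze detection (the StuckAtError output), a Compare step returning IsValid, a Limit step and a latching Mon output. The count range, the bar scaling, the tolerance, the limits and the number of identical samples tolerated are assumptions chosen for the illustration, and the input series are constructed. It shows why StuckAtError matters: with a slowly rising pressure, a frozen standard-fieldbus value stays inside the Compare tolerance for several cycles and is caught first by the freeze detector.

```python
"""Model of the 7.5 signal path Scale -> Compare -> Limit -> Mon (added example).

Illustrative Python, not TwinSAFE function-block code. The count range, the
bar scaling, tolerance, limits and stuck-cycle count are assumptions chosen for
the example; the sample series in scenarios() are constructed.
Channel A: 4-20 mA value arriving via TwinSAFE SC, already in bar.
Channel B: IO-Link value arriving via the standard fieldbus as raw counts.
"""
from dataclasses import dataclass


class Scale:
    """Linear scaling of raw counts plus freeze detection (the StuckAtError output)."""

    def __init__(self, in_min, in_max, out_min, out_max, stuck_cycles):
        self.in_min, self.in_max = in_min, in_max
        self.out_min, self.out_max = out_min, out_max
        self.stuck_cycles = stuck_cycles  # identical consecutive samples tolerated
        self._last, self._same = None, 0

    def __call__(self, raw):
        value = self.out_min + (raw - self.in_min) * (self.out_max - self.out_min) / (self.in_max - self.in_min)
        self._same = self._same + 1 if raw == self._last else 0
        self._last = raw
        return value, self._same >= self.stuck_cycles


def compare(a, b, tolerance):
    """IsValid of the Compare block: both readings agree within the tolerance."""
    return abs(a - b) <= tolerance


def within_limits(value, low, high):
    """Limit block: value inside the permitted band."""
    return low <= value <= high


@dataclass
class Mon:
    """Safe output with latching: once tripped it stays off until reset()."""
    tripped: bool = False
    reason: str = ""

    def update(self, ok, reason):
        if not ok and not self.tripped:
            self.tripped, self.reason = True, reason
        return not self.tripped

    def reset(self):
        self.tripped, self.reason = False, ""


def run(channel_a, channel_b_raw, tol=0.5, limits=(0.0, 10.0), stuck_cycles=3):
    """One logic cycle per sample pair; returns (contactors_enabled, trip reason) per cycle."""
    scale = Scale(0, 16000, 0.0, 16.0, stuck_cycles)  # assumed: 0..16000 counts = 0..16 bar
    mon = Mon()
    result = []
    for a, raw_b in zip(channel_a, channel_b_raw):
        b, stuck = scale(raw_b)
        if stuck:
            ok, why = False, "stuck-at on standard channel"
        elif not compare(a, b, tol):
            ok, why = False, f"plausibility: {a:.2f} vs {b:.2f} bar"
        elif not within_limits(a, *limits):
            ok, why = False, f"limit: {a:.2f} bar"
        else:
            ok, why = True, ""
        result.append((mon.update(ok, why), mon.reason))
    return result


def scenarios():
    """Constructed sample series for three failure modes of the FMEA in 7.5.3."""
    return {
        # IO-Link value freezes at 5.2 bar while the pressure rises 0.2 bar per cycle:
        # the Compare tolerance would only trip at cycle 5, StuckAtError trips at cycle 4.
        "freeze": run([5.0, 5.2, 5.4, 5.6, 5.8, 6.0], [5000, 5200, 5200, 5200, 5200, 5200]),
        # both channels agree but the pressure exceeds the permitted 10 bar
        "overpressure": run([8.0, 9.5, 10.5], [8000, 9500, 10500]),
        # standard-fieldbus value corrupted on the way to the logic
        "distorted": run([5.0, 5.0], [5000, 7000]),
    }


if __name__ == "__main__":
    for name, cycles in scenarios().items():
        print(name, cycles)
```

The Mon model latches like a real safe output: after the first trip every following cycle stays off until reset() is called, which is why the freeze scenario reports two disabled cycles with the same reason.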


7.5.1 Schematic diagram of the configuration

7.5.2 Structure and diagnosis

The signals read at the two measuring points are standard signals that use different technologies. At least one of them is transmitted to the safe TwinSAFE Logic via the TwinSAFE SC technology, so that corruption of this signal in the PC or on the communication path is detected. The test for equality of the two signals, within the permissible tolerances, is carried out in the safe TwinSAFE Logic.

The individual error assumptions and the associated expectations are listed in the following FMEA table.

7.5.3 FMEA

Error assumption | Expectation | Checked
--- | --- | ---
Pressure value via the standard fieldbus freezes | Detected by comparison with the second value in the plausibility check in the EL6910. |
Pressure value via the TwinSAFE SC communication freezes | Detected by the watchdog within the TwinSAFE SC communication and by the plausibility check in the EL6910. |
Pressure values are copied to each other in the standard PLC | A corrupted value within the TwinSAFE SC communication leads to an invalid CRC within the telegram and thus to immediate shutdown of the group and the outputs. |
Pressure value via the standard fieldbus is corrupted | Detected by comparison with the second value in the plausibility check in the EL6910. |
The connection between the sensor and the EtherCAT Terminal has been lost | Detected by the plausibility check against the second pressure value within the EL6910. |
Pressure sensor (4..20 mA) supplies an incorrect pressure value | Detected by the plausibility check against the second pressure value within the EL6910. |
Pressure sensor (IO-Link) supplies an incorrect pressure value | Detected by the plausibility check against the second pressure value within the EL6910. |
Communication error per IEC 61784-3 for standard communication: corruption | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: unintentional repetition | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: wrong sequence | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: loss | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: unacceptable delay | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: insertion | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: masquerading | Not relevant for standard communication, only for safety communication. |
Communication error per IEC 61784-3 for standard communication: addressing | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |
Communication error for standard communication: recurrent memory errors in switches | Detected by the plausibility check of the pressure values together with the TwinSAFE SC communication within the EL6910. |

7.5.3.1 Note on TwinSAFE SC communication

TwinSAFE SC communication uses the same error-detection mechanisms as Safety-over-EtherCAT (FSoE) communication, the difference being that a different polynomial is used to calculate the checksum; this polynomial is sufficiently independent of the polynomial used for Safety-over-EtherCAT.

The same mechanisms are active, including the black-channel principle (assumed bit error probability of 10^-2).

The quality of the data transmission is therefore not crucial: ultimately every transmission error is detected via the comparison in the safe TwinSAFE Logic, since it would lead to inequality of the two values.

7.5.4 Parameters of the safe output terminal

EL2904

Parameter                    Value
Current measurement active   No
Output test pulses active    Yes

7.5.5 Block formation and safety loops

7.5.5.1 Safety function 1

7.5.6 Calculation

7.5.6.1 PFHD / MTTFD / B10D values

Component                              Value
EL2904 – PFHD                          1.25E-09 1/h
EL6910 – PFHD                          1.79E-09 1/h
Pressure sensor 1 (4-20 mA) – MTTF     124 y (1,086,240 h)
Pressure sensor 2 (IO-Link) – MTTF     201 y (1,760,760 h)
EL3124-0090 – MTBF                     950,000 h
EL6224 – MTBF                          1,607,919 h
K1 – B10D                              1,300,000 cycles
K2 – B10D                              1,300,000 cycles
Days of operation (dop)                230
Hours of operation per day (hop)       16
Cycle time in minutes (Tcycle)         10080 (1x per week)
Lifetime (T1)                          20 years = 175,200 hours

B10D is a cycle count, not a time; it is converted into an MTTFD via the number of operations per year (nop) in 7.5.6.3.

7.5.6.2 Diagnostic coverage DC

Component                                                                                                                                   Value
Pressure values via TwinSAFE SC with plausibility check within the logic                                                                    DCavg = 90 % (alternatively in the calculation: 99 %)
K1/K2 with EDM monitoring (actuation 1x per week, evaluation of all rising and falling edges with monitoring over time) and testing of the individual channels   DCavg = 99 %

7.5.6.3 Calculation of safety function 1

For clarity, the safety function is calculated according to EN 62061 as well as EN ISO 13849-1. In practice, calculation according to one standard is sufficient.

Calculation of the PFHD and MTTFD values from the B10D values:

From

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Calculation of the PFHD and MTTFD values from the MTBF values:

Note: Repair times can be neglected, so MTTF = MTBF; with the usual assumption that half of all failures are dangerous, the following applies:

$$MTTF_D = 2 \cdot MTBF$$

$$MTTF_D = \frac{1}{\lambda_D}$$

with

$$\lambda_D \approx \frac{0.1}{T_{10D}} = \frac{0.1 \cdot n_{op}}{B_{10D}}$$

this produces

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

Inserting the values:

Pressure sensor 1 (4-20 mA)

$$MTTF_D = 2 \cdot MTTF = 2 \cdot 124\,\mathrm{y} = 248\,\mathrm{y} = 2{,}172{,}480\,\mathrm{h}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{2{,}172{,}480\,\mathrm{h}} = 4.60 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

EL3124-0090

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 950{,}000\,\mathrm{h} = 1{,}900{,}000\,\mathrm{h} = 216\,\mathrm{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}900{,}000\,\mathrm{h}} = 5.26 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

Input system 1

$$PFH(\mathrm{Input1}) = PFH(\mathrm{PressureSensor1}) + PFH(\mathrm{EL3124\text{-}0090}) = 4.60 \cdot 10^{-8} + 5.26 \cdot 10^{-8} = 9.86 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

Pressure sensor 2 (IO-Link)

$$MTTF_D = 2 \cdot MTTF = 2 \cdot 1{,}760{,}760\,\mathrm{h} = 3{,}521{,}520\,\mathrm{h} = 402\,\mathrm{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{3{,}521{,}520\,\mathrm{h}} = 2.84 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

EL6224

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 1{,}607{,}919\,\mathrm{h} = 3{,}215{,}838\,\mathrm{h} = 367\,\mathrm{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{3{,}215{,}838\,\mathrm{h}} = 3.11 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

Input system 2

$$PFH(\mathrm{Input2}) = PFH(\mathrm{PressureSensor2}) + PFH(\mathrm{EL6224}) = 2.84 \cdot 10^{-8} + 3.11 \cdot 10^{-8} = 5.95 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1{,}300{,}000}{0.1 \cdot 21.90} = 593{,}607.3\,\mathrm{y} = 5{,}199{,}997{,}320\,\mathrm{h}$$

and with the assumption that K1 and K2 are each single-channel:

K1/K2: actuation 1x per week and direct feedback

$$PFH = \frac{1 - 0.99}{593{,}607.3\,\mathrm{y} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = 1.92 \cdot 10^{-12}\,\mathrm{h^{-1}}$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

The input signals from pressure sensor 1 with EL3124-0090 and pressure sensor 2 with EL6224 use
different measuring procedures. Both supply a pressure value and are involved in the safety function. A
malfunction of a channel does not lead to a dangerous situation, but is detected by comparing the two values
in the TwinSAFE Logic and leads to shutdown.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF, and
Table F.2: Estimation of the CCF factor(β)), which can be used to determine the β factor precisely. For the
input subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is
modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$\begin{aligned}
PFH_{ges} = {} & \beta \cdot \frac{PFH(\mathrm{Input1}) + PFH(\mathrm{Input2})}{2} + (1 - \beta)^2 \cdot PFH(\mathrm{Input1}) \cdot PFH(\mathrm{Input2}) \cdot T_1 \\
& + PFH(\mathrm{EL6910}) + PFH(\mathrm{EL2904}) \\
& + \beta \cdot \frac{PFH(\mathrm{K1}) + PFH(\mathrm{K2})}{2} + (1 - \beta)^2 \cdot PFH(\mathrm{K1}) \cdot PFH(\mathrm{K2}) \cdot T_1
\end{aligned}$$

The portions $(1 - \beta)^2 \cdot PFH(\mathrm{K1}) \cdot PFH(\mathrm{K2}) \cdot T_1$ and $(1 - \beta)^2 \cdot PFH(\mathrm{Input1}) \cdot PFH(\mathrm{Input2}) \cdot T_1$ are about an order of magnitude smaller than the remaining terms (with the values above the input term amounts to roughly 8 · 10^-10 h^-1), so they are neglected in this and all further calculations for the purpose of simplification.

This gives:

$$PFH_{ges} = 10\,\% \cdot \frac{9.86 \cdot 10^{-8} + 5.95 \cdot 10^{-8}}{2} + 1.79 \cdot 10^{-9} + 1.25 \cdot 10^{-9} + 10\,\% \cdot \frac{1.92 \cdot 10^{-12} + 1.92 \cdot 10^{-12}}{2} = 1.094 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

NOTE
EN 62061
According to EN 62061, the input subsystem is evaluated with an SFF or a DC of 90 %. This limits the maximum SIL that can be achieved to SIL 2, according to Table 5 of EN 62061.

Alternative calculation of the MTTFD value for safety function 1 according to EN ISO 13849-1 (under the same assumptions):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

The channel with the lower MTTFD is taken from the input subsystem (pressure sensor 1 with EL3124-0090):

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(\mathrm{PressureSensor1})} + \frac{1}{MTTF_D(\mathrm{EL3124\text{-}0090})} + \frac{1}{MTTF_D(\mathrm{EL6910})} + \frac{1}{MTTF_D(\mathrm{EL2904})} + \frac{1}{MTTF_D(\mathrm{K1})}$$

If only PFHD values are available for the EL2904 and EL6910, the following estimation applies:

$$MTTF_D(\mathrm{ELxxxx}) = \frac{1 - DC(\mathrm{ELxxxx})}{PFH(\mathrm{ELxxxx})}$$

Hence:

$$MTTF_D(\mathrm{EL6910}) = \frac{1 - DC(\mathrm{EL6910})}{PFH(\mathrm{EL6910})} = \frac{1 - 0.99}{1.79 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{15.68 \cdot 10^{-6}\,\frac{1}{\mathrm{y}}} = 637\,\mathrm{y}$$

$$MTTF_D(\mathrm{EL2904}) = \frac{1 - DC(\mathrm{EL2904})}{PFH(\mathrm{EL2904})} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{248\,\mathrm{y}} + \frac{1}{216\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{913\,\mathrm{y}} + \frac{1}{593{,}607\,\mathrm{y}}} = 88.27\,\mathrm{y}$$

The average diagnostic coverage is formed over all components of the safety function:

$$DC_{avg} = \frac{\frac{DC}{MTTF_D(\mathrm{Pressure1})} + \frac{DC}{MTTF_D(\mathrm{EL3124\text{-}0090})} + \frac{DC}{MTTF_D(\mathrm{Pressure2})} + \frac{DC}{MTTF_D(\mathrm{EL6224})} + \frac{DC}{MTTF_D(\mathrm{EL6910})} + \frac{DC}{MTTF_D(\mathrm{EL2904})} + \frac{DC}{MTTF_D(\mathrm{K1})} + \frac{DC}{MTTF_D(\mathrm{K2})}}{\frac{1}{MTTF_D(\mathrm{Pressure1})} + \frac{1}{MTTF_D(\mathrm{EL3124\text{-}0090})} + \frac{1}{MTTF_D(\mathrm{Pressure2})} + \frac{1}{MTTF_D(\mathrm{EL6224})} + \frac{1}{MTTF_D(\mathrm{EL6910})} + \frac{1}{MTTF_D(\mathrm{EL2904})} + \frac{1}{MTTF_D(\mathrm{K1})} + \frac{1}{MTTF_D(\mathrm{K2})}}$$

With DC = 90 % for the input subsystem:

$$DC_{avg} = \frac{\frac{90\,\%}{248\,\mathrm{y}} + \frac{90\,\%}{216\,\mathrm{y}} + \frac{90\,\%}{402\,\mathrm{y}} + \frac{90\,\%}{367\,\mathrm{y}} + \frac{99\,\%}{637\,\mathrm{y}} + \frac{99\,\%}{913\,\mathrm{y}} + \frac{99\,\%}{593{,}607\,\mathrm{y}} + \frac{99\,\%}{593{,}607\,\mathrm{y}}}{\frac{1}{248\,\mathrm{y}} + \frac{1}{216\,\mathrm{y}} + \frac{1}{402\,\mathrm{y}} + \frac{1}{367\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{913\,\mathrm{y}} + \frac{1}{593{,}607\,\mathrm{y}} + \frac{1}{593{,}607\,\mathrm{y}}} = 91.41\,\%$$

Alternatively with DC = 99 % for the input subsystem:

$$DC_{avg} = \frac{\frac{99\,\%}{248\,\mathrm{y}} + \frac{99\,\%}{216\,\mathrm{y}} + \frac{99\,\%}{402\,\mathrm{y}} + \frac{99\,\%}{367\,\mathrm{y}} + \frac{99\,\%}{637\,\mathrm{y}} + \frac{99\,\%}{913\,\mathrm{y}} + \frac{99\,\%}{593{,}607\,\mathrm{y}} + \frac{99\,\%}{593{,}607\,\mathrm{y}}}{\frac{1}{248\,\mathrm{y}} + \frac{1}{216\,\mathrm{y}} + \frac{1}{402\,\mathrm{y}} + \frac{1}{367\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{913\,\mathrm{y}} + \frac{1}{593{,}607\,\mathrm{y}} + \frac{1}{593{,}607\,\mathrm{y}}} = 99.00\,\%$$


CAUTION
Category
This structure is possible up to category 3 at the most.

DC = 90 % for the input subsystem (MTTFD,ges = 88.27 y, DCavg = 91.41 %): MTTFD range "high", DC range "medium", i.e. category 3, PL d.

MTTFD
Designation (per channel)   Range (per channel)
low                         3 years ≤ MTTFD < 10 years
medium                      10 years ≤ MTTFD < 30 years
high                        30 years ≤ MTTFD ≤ 100 years

DC
Name      Range
none      DC < 60 %
low       60 % ≤ DC < 90 %
medium    90 % ≤ DC < 99 %
high      99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of ranges was limited to four. An accuracy of 5 % is assumed for the limit values shown in this table.

Alternative with DC = 99 % for the input subsystem (DCavg = 99.00 %): MTTFD range "high" and DC range "high" in the same tables; since the structure remains category 3 (see CAUTION above), the claim stays at PL d.

Safety integrity level according to Table 3 of EN 62061 (PFHges = 1.094 · 10^-8 1/h lies in the SIL 3 band of this table; the SFF/DC limit of the NOTE above restricts the achievable result to SIL 2)

Safety integrity level   Probability of a dangerous failure per hour (PFHD)
3                        10^-8 ≤ PFHD < 10^-7
2                        10^-7 ≤ PFHD < 10^-6
1                        10^-6 ≤ PFHD < 10^-5


7.6 Monitoring of lifting device (category 3, PL d)

A lifting device, consisting of two winches with deflection rollers for moving a lifting table, is to be monitored from a safety point of view. The functions "slack rope detection" and "overload" are to be realized. Two deflection rollers, each with a strain gauge (SG) sensor, are mounted at the top of the posts on each side, i.e. there are four SG sensors in total. On each side, one of the two sensors is read in with an EL3356-0090 TwinSAFE SC terminal; the other SG sensor is wired to an EL3751. The EL3751 provides an SG mV/V signal, which must be converted into a weight value in the safe logic so that it can be compared with the value of the EL3356-0090.

Safety function 1 - Overload

A maximum permissible payload is specified for the lifting device and must be monitored. After the plausibility check of the signals of the EL3751 and EL3356-0090, the result is limited with the Limit function block in the EL6910.

Based on the customer's risk and hazard analysis, this safety function must be evaluated with PL c according to EN ISO 13849-1:2015.

The safety function is set up in a category 3 structure.

Safety function 2 - Slack rope detection

Slack rope detection is used to detect whether the lifting slide has become stuck mechanically somewhere or is resting on the floor. In both cases, the system must be switched off immediately. It also detects whether a rope has snapped.

Based on the customer's risk and hazard analysis, this safety function must be evaluated with PL c according to EN ISO 13849-1:2015.

The safety function is set up in a category 3 structure.

Additional function - without safety requirements

Synchronism can be checked by incremental comparison of the encoder values of winch 1 and winch 2. This detects at an early stage whether the lifting slide is being pulled sideways by the two winches.


7.6.1 Schematic diagram of the configuration

7.6.2 Structure and diagnosis

The signals read in from the SG sensors are standard signals, which are recorded differently on each side. The first SG sensor is wired to an EL3356-0090 SG terminal, which packs the determined weight value into a safe telegram (FSoE with modified polynomial, i.e. TwinSAFE SC) and transmits it to the EL6910. The second SG sensor is wired to an EL3751 terminal, which performs an SG mV/V measurement. This signal is sent to the EL6910 via the standard communication path and is converted to a weight value within the safe logic before the plausibility check.

The same procedure is used for the second side of the lifting unit with SG sensors 3 and 4. A different polynomial is used for the TwinSAFE SC communication of the second EL3356-0090 than for the first side. This enables detection of situations in which the data of the two TwinSAFE SC connections have been copied to each other.


7.6.3 FMEA

Error assumption | Expectation | Checked
--- | --- | ---
SG signal via the standard fieldbus freezes | Detected by comparison with the second value in the plausibility check in the EL6910 (TwinSAFE SC communication between EL3356-0090 and EL6910). |
SG signal via the TwinSAFE SC communication freezes | Detected by comparison with the second value in the plausibility check in the EL6910 and by the watchdog within the TwinSAFE SC communication. |
SG values are copied to each other in the standard PLC | A corrupted value within the TwinSAFE SC communication leads to an invalid CRC within the telegram and thus to immediate shutdown of the group and the outputs. In addition, the data types of the two SG values have different lengths, since one of them is packed in the TwinSAFE SC telegram (e.g. 4 bytes and 11 bytes). |
SG signal via the standard fieldbus is corrupted | Detected by comparison with the second value in the plausibility check in the EL6910 (TwinSAFE SC communication between EL3356-0090 and EL6910). |
Mechanical connection between lifting slide and winch no longer exists | Detected by the plausibility check against the second SG signal within the EL6910. |
EL3356-0090 delivers an incorrect SG value | Detected by the plausibility check against the SG value of the EL3751 within the EL6910. |
EL3751 delivers an incorrect SG value | Detected by the plausibility check against the SG value of the EL3356-0090 within the EL6910. |
Communication error per IEC 61784-3 for standard communication: corruption | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: unintentional repetition | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: wrong sequence | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: loss | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: unacceptable delay | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: insertion | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |
Communication error per IEC 61784-3 for standard communication: masquerading | Not relevant for standard communication, only for safety communication. |
Communication error per IEC 61784-3 for standard communication: addressing | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |
Communication error for standard communication: recurrent memory errors in switches | Detected by the plausibility check of the SG values together with the TwinSAFE SC communication within the EL6910. |

7.6.3.1 Note on TwinSAFE SC communication

TwinSAFE SC communication uses the same error-detection mechanisms as Safety-over-EtherCAT (FSoE) communication, the difference being that a different polynomial is used to calculate the checksum; this polynomial is sufficiently independent of the polynomial used for Safety-over-EtherCAT.

The same mechanisms are active, including the black-channel principle (assumed bit error probability of 10^-2).

The quality of the data transmission is therefore not crucial: ultimately every transmission error is detected via the comparison in the safe logic, since it would lead to inequality of the two values.
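The copy-detection mechanism described in 7.5.3.1 and 7.6.2, as an added example that is not TwinSAFE SC or FSoE code and not part of the original guide: a minimal safety frame carrying a connection ID, a sequence counter and a CRC-16 whose generator polynomial is specific to the connection. The frame layout, the two polynomials (0x1021 and 0x8005, chosen only because they are well known) and the receiver checks are assumptions for the illustration; the real FSoE frame format and polynomials are not reproduced here. A CRC detects random corruption and misrouted copies, not a deliberate manipulation by someone who knows the polynomial, which is why the plausibility comparison in the safe logic remains the final check.

```python
"""Per-connection CRC polynomial as copy detection (added example).

Illustrative Python, not TwinSAFE SC or FSoE code: the frame layout, the two
polynomials and the receiver checks are assumptions for the example, and the
real FSoE frame format and polynomials are not reproduced. It shows the
mechanism from 7.5.3.1 / 7.6.2: a frame copied from connection A into the
process image of connection B fails B's CRC check even though it is a
well-formed frame carrying exactly the sequence number B expects next.
"""
POLY_A = 0x1021  # assumed polynomial of connection A (CRC-16/CCITT generator)
POLY_B = 0x8005  # assumed polynomial of connection B (CRC-16/IBM generator)


def crc16(data, poly, init=0):
    """Bitwise MSB-first CRC-16 over data with the given generator (no final XOR)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(conn_id, seq, payload, poly):
    """conn_id (1 byte) | seq (1 byte) | payload | CRC-16 (2 bytes, big-endian)."""
    body = bytes([conn_id & 0xFF, seq & 0xFF]) + bytes(payload)
    return body + crc16(body, poly).to_bytes(2, "big")


class Receiver:
    """Safety-side consumer of one connection: CRC first, then connection ID, then sequence."""

    def __init__(self, conn_id, poly):
        self.conn_id, self.poly, self.expected_seq = conn_id, poly, 0

    def accept(self, frame):
        """Returns (accepted, reason); the expected sequence advances only on success."""
        body, received_crc = frame[:-2], int.from_bytes(frame[-2:], "big")
        if crc16(body, self.poly) != received_crc:
            return False, "crc"          # corruption, or a frame of another connection
        if body[0] != self.conn_id:
            return False, "connection"   # right polynomial, wrong partner
        if body[1] != self.expected_seq:
            return False, "sequence"     # repetition, loss or wrong order
        self.expected_seq = (self.expected_seq + 1) & 0xFF
        return True, "ok"


READING = (544).to_bytes(2, "big")  # constructed payload: 5.44 bar in units of 0.01 bar


def demo():
    """Exercise the FMEA cases on two connections; returns {case: reason}."""
    rx_a, rx_b = Receiver(1, POLY_A), Receiver(2, POLY_B)
    f0 = build_frame(1, 0, READING, POLY_A)
    f1 = build_frame(1, 1, READING, POLY_A)
    corrupted = bytearray(f1)
    corrupted[2] ^= 0x10  # single bit flipped in the payload
    return {
        "fresh": rx_a.accept(f0)[1],                    # ok
        "repeated": rx_a.accept(f0)[1],                 # sequence
        "corrupted": rx_a.accept(bytes(corrupted))[1],  # crc
        "copied_to_b": rx_b.accept(f0)[1],              # crc: B checks with its own polynomial
        "wrong_partner": rx_b.accept(build_frame(1, 0, READING, POLY_B))[1],  # connection
        "next": rx_a.accept(f1)[1],                     # ok
        "skipped": rx_a.accept(build_frame(1, 3, READING, POLY_A))[1],        # sequence
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:>14}: {reason}")
```

The order of the checks matters: the CRC is verified before the connection ID is even looked at, so a frame copied between the two process images is rejected by the polynomial alone, and the connection and sequence checks only come into play for frames that were protected with the receiver's own polynomial.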

7.6.4 Structure within the logic


The logic in the EL6910 is divided into three parts. In the first section, the SG values are scaled and verified.
It also contains the restart lock and the shutdown of contactors K1 and K2 via an ESTOP function block.

In the second section, the total load is determined and compliance with maximum and minimum values is
monitored via a limit function block. The result is transferred to the ESTOP function block of the first section.

In the third section, each individual signal is monitored for compliance with a minimum value. These four
signals are ANDed and linked to the ESTOP function block of the first section.


Section 1

Section 2


Section 3

7.6.5 Parameters of the safe output terminal

EL2904

Parameter                    Value
Current measurement active   No
Output test pulses active    Yes

7.6.6 Block formation and safety loops

7.6.6.1 Safety function 1/2

7.6.7 Calculation

7.6.7.1 PFHD / MTTFD / B10D values

Component                                                                  Value
EL2904 – PFHD                                                              1.25E-09 1/h
EL6910 – PFHD                                                              1.79E-09 1/h
SG sensors 1-4 – MTTFD (AST 3570951.1 CAL/10t/D50d11/L205/1.5 mV/V)        160 y (1,401,600 h)
EL3356-0090 – MTBF                                                         780,733 h
EL3751 – MTBF                                                              513,333 h
K1 – B10D                                                                  1,300,000 cycles
K2 – B10D                                                                  1,300,000 cycles
Encoder – MTBF                                                             107.5 y (914,700 h)
Days of operation (dop)                                                    230
Hours of operation per day (hop)                                           16
Cycle time in minutes (Tcycle)                                             10080 (1x per week)
Lifetime (T1)                                                              20 years = 175,200 hours

Note that the SG sensor value is already an MTTFD, whereas the terminal values are MTBF values that are converted in 7.6.7.3.

7.6.7.2 Diagnostic coverage DC

Component                                                                                                                                   Value
SG values via TwinSAFE SC with plausibility check within the logic                                                                          DCavg = 90 % (alternatively in the calculation: 99 %)
K1/K2 with EDM monitoring (actuation 1x per week, evaluation of all rising and falling edges with monitoring over time) and testing of the individual channels   DCavg = 99 %


7.6.7.3 Calculation of safety function 1/2

For clarity, the safety function is calculated according to EN 62061 as well as EN ISO 13849-1. In practice, calculation according to one standard is sufficient.

Calculation of the PFHD and MTTFD values from the B10D values:

From

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and

$$MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

Calculation of the PFHD and MTTFD values from the MTBF values:

Note: Repair times can be neglected, so MTTF = MTBF; with the usual assumption that half of all failures are dangerous, the following applies:

$$MTTF_D = 2 \cdot MTBF$$

$$MTTF_D = \frac{1}{\lambda_D}$$

with

$$\lambda_D \approx \frac{0.1}{T_{10D}} = \frac{0.1 \cdot n_{op}}{B_{10D}}$$

this produces

$$PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D}$$

Inserting the values:

SG sensor 1 (MTTFD given directly by the manufacturer)

$$MTTF_D = 1{,}401{,}600\,\mathrm{h} = 160\,\mathrm{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}401{,}600\,\mathrm{h}} = 7.13 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

EL3356-0090

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 780{,}733\,\mathrm{h} = 1{,}561{,}466\,\mathrm{h} = 178\,\mathrm{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}561{,}466\,\mathrm{h}} = 6.40 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

Input system 1

$$PFH(\mathrm{Input1}) = PFH(\mathrm{SG1}) + PFH(\mathrm{EL3356\text{-}0090}) = 7.13 \cdot 10^{-8} + 6.40 \cdot 10^{-8} = 13.53 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

SG sensor 2

$$MTTF_D = 1{,}401{,}600\,\mathrm{h} = 160\,\mathrm{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}401{,}600\,\mathrm{h}} = 7.13 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

EL3751

$$MTTF_D = 2 \cdot MTBF = 2 \cdot 513{,}333\,\mathrm{h} = 1{,}026{,}666\,\mathrm{h} = 117\,\mathrm{y}$$

$$PFH = \frac{1 - DC}{MTTF_D} = \frac{1 - 0.9}{1{,}026{,}666\,\mathrm{h}} = 9.74 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

Input system 2

$$PFH(\mathrm{Input2}) = PFH(\mathrm{SG2}) + PFH(\mathrm{EL3751}) = 7.13 \cdot 10^{-8} + 9.74 \cdot 10^{-8} = 16.87 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

For input system 3 the values calculated for input system 1 apply; for input system 4 the values calculated for input system 2 apply.

K1/K2:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$MTTF_D = \frac{1{,}300{,}000}{0.1 \cdot 21.90} = 593{,}607.3\,\mathrm{y} = 5{,}199{,}997{,}320\,\mathrm{h}$$

and with the assumption that K1 and K2 are each single-channel:

K1/K2: actuation 1x per week and direct feedback

$$PFH = \frac{1 - 0.99}{593{,}607.3\,\mathrm{y} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = 1.92 \cdot 10^{-12}\,\mathrm{h^{-1}}$$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

The input signals from SG sensor 1 with EL3356-0090 and SG sensor 2 with EL3751 have a different
internal structure, supply different values (weight value and mV/V value) and are both involved in the safety
function. A malfunction of a channel does not lead to a dangerous situation, but is detected by comparing the
two values in the TwinSAFE Logic and leads to shutdown. An identical configuration is used for SG sensors
3 and 4. The sum of the four sensors provides the weight value for the overload shut down. If the value of an
SG sensor falls below a minimum load value, the slack rope shutdown feature is triggered.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the worst-
case estimation, where β =10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF, and
Table F.2: Estimation of the CCF factor(β)), which can be used to determine the β factor precisely. For the
input subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is
modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1/2 (the SG sensor pairs are labelled DMS1/2 and DMS3/4 in the original figures; SG is used here):

$$PFH(\mathrm{SG1/2}) = \beta \cdot \frac{PFH(\mathrm{Input1}) + PFH(\mathrm{Input2})}{2} + (1 - \beta)^2 \cdot PFH(\mathrm{Input1}) \cdot PFH(\mathrm{Input2}) \cdot T_1 \approx 10\,\% \cdot \frac{13.53 \cdot 10^{-8} + 16.87 \cdot 10^{-8}}{2} = 1.52 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

$$PFH(\mathrm{SG3/4}) = \beta \cdot \frac{PFH(\mathrm{Input3}) + PFH(\mathrm{Input4})}{2} + (1 - \beta)^2 \cdot PFH(\mathrm{Input3}) \cdot PFH(\mathrm{Input4}) \cdot T_1 \approx 10\,\% \cdot \frac{13.53 \cdot 10^{-8} + 16.87 \cdot 10^{-8}}{2} = 1.52 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

$$PFH(\mathrm{K1/K2}) = \beta \cdot \frac{PFH(\mathrm{K1}) + PFH(\mathrm{K2})}{2} + (1 - \beta)^2 \cdot PFH(\mathrm{K1}) \cdot PFH(\mathrm{K2}) \cdot T_1 \approx 10\,\% \cdot \frac{1.92 \cdot 10^{-12} + 1.92 \cdot 10^{-12}}{2} = 1.92 \cdot 10^{-13}\,\mathrm{h^{-1}}$$

The portions $(1 - \beta)^2 \cdot PFH(x) \cdot PFH(y) \cdot T_1$ are small compared with the remaining terms and are neglected in this and all further calculations for the purpose of simplification. With the values above, this term amounts to about 3.2 · 10^-9 h^-1 per SG sensor pair; including both would raise PFHges to roughly 4.0 · 10^-8 h^-1, which does not change the band of Table 3 reached below.

$$PFH_{ges} = PFH(\mathrm{SG1/2}) + PFH(\mathrm{SG3/4}) + PFH(\mathrm{EL6910}) + PFH(\mathrm{EL2904}) + PFH(\mathrm{K1/K2}) = 1.52 \cdot 10^{-8} + 1.52 \cdot 10^{-8} + 1.79 \cdot 10^{-9} + 1.25 \cdot 10^{-9} + 1.92 \cdot 10^{-13} = 3.344 \cdot 10^{-8}\,\mathrm{h^{-1}}$$

NOTE
EN 62061
According to EN 62061, the input subsystem is evaluated with an SFF or a DC of 90 %. This limits the maximum SIL that can be achieved to SIL 2, according to Table 5 of EN 62061.

Alternative calculation of the MTTFD value for safety function 1/2 according to EN ISO 13849-1 (under the same assumptions):

$$\frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}}$$

The channel with the lower MTTFD is taken from the input subsystem (SG sensor 2 with EL3751):

$$\frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(\mathrm{SGsensor2})} + \frac{1}{MTTF_D(\mathrm{EL3751})} + \frac{1}{MTTF_D(\mathrm{EL6910})} + \frac{1}{MTTF_D(\mathrm{EL2904})} + \frac{1}{MTTF_D(\mathrm{K1})}$$

If only PFHD values are available for the EL2904 and EL6910, the following estimation applies:

$$MTTF_D(\mathrm{ELxxxx}) = \frac{1 - DC(\mathrm{ELxxxx})}{PFH(\mathrm{ELxxxx})}$$

Hence:

$$MTTF_D(\mathrm{EL6910}) = \frac{1 - DC(\mathrm{EL6910})}{PFH(\mathrm{EL6910})} = \frac{1 - 0.99}{1.79 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{15.68 \cdot 10^{-6}\,\frac{1}{\mathrm{y}}} = 637\,\mathrm{y}$$

$$MTTF_D(\mathrm{EL2904}) = \frac{1 - DC(\mathrm{EL2904})}{PFH(\mathrm{EL2904})} = \frac{1 - 0.99}{1.25 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \cdot 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\,\mathrm{y}$$

$$MTTF_{D,ges} = \frac{1}{\frac{1}{160\,\mathrm{y}} + \frac{1}{117\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{913\,\mathrm{y}} + \frac{1}{593{,}607\,\mathrm{y}}} = 57.26\,\mathrm{y}$$

The average diagnostic coverage is formed over all twelve components of the safety function (SG sensors 1 to 4 with their terminals EL3356-0090 and EL3751, EL6910, EL2904, K1 and K2):

$$DC_{avg} = \frac{\sum_{i} \frac{DC_i}{MTTF_{D,i}}}{\sum_{i} \frac{1}{MTTF_{D,i}}}$$

With DC = 90 % for the input subsystem (equal terms grouped):

$$DC_{avg} = \frac{4 \cdot \frac{90\,\%}{160\,\mathrm{y}} + 2 \cdot \frac{90\,\%}{178\,\mathrm{y}} + 2 \cdot \frac{90\,\%}{117\,\mathrm{y}} + \frac{99\,\%}{637\,\mathrm{y}} + \frac{99\,\%}{913\,\mathrm{y}} + 2 \cdot \frac{99\,\%}{593{,}607\,\mathrm{y}}}{4 \cdot \frac{1}{160\,\mathrm{y}} + 2 \cdot \frac{1}{178\,\mathrm{y}} + 2 \cdot \frac{1}{117\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{913\,\mathrm{y}} + 2 \cdot \frac{1}{593{,}607\,\mathrm{y}}} = 90.42\,\%$$

Alternatively with DC = 99 % for the input subsystem:

$$DC_{avg} = \frac{4 \cdot \frac{99\,\%}{160\,\mathrm{y}} + 2 \cdot \frac{99\,\%}{178\,\mathrm{y}} + 2 \cdot \frac{99\,\%}{117\,\mathrm{y}} + \frac{99\,\%}{637\,\mathrm{y}} + \frac{99\,\%}{913\,\mathrm{y}} + 2 \cdot \frac{99\,\%}{593{,}607\,\mathrm{y}}}{4 \cdot \frac{1}{160\,\mathrm{y}} + 2 \cdot \frac{1}{178\,\mathrm{y}} + 2 \cdot \frac{1}{117\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{913\,\mathrm{y}} + 2 \cdot \frac{1}{593{,}607\,\mathrm{y}}} = 99.00\,\%$$
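The arithmetic of 7.5.6.3 and 7.6.7.3 as reusable functions, added here as an example that is not Beckhoff code and no substitute for a certified calculation tool: nop, MTTFD from B10D or MTBF, PFH per channel, the two-channel combination with β, the EN ISO 13849-1 series formula and DCavg, plus the range classification of the tables. The component figures are the ones from the tables above; the independent-failure term that the guide neglects is returned separately so its size can be seen. Unrounded intermediates shift the last digits slightly against the hand calculation (for example 88.4 y instead of 88.27 y in 7.5); the classification is unchanged.

```python
"""Safety-parameter arithmetic of 7.5.6.3 and 7.6.7.3 as reusable functions.

Added example, not Beckhoff code and no substitute for a certified tool. The
component figures are the ones from the tables above; the formulas are the
ones the guide applies (EN ISO 13849-1 / EN 62061). The independent-failure
term that the guide neglects is returned separately so its size can be seen.
"""
HOURS_PER_YEAR = 8760
DOP, HOP, T_CYCLE_MIN = 230, 16, 10080    # days/year, hours/day, minutes per cycle (1x per week)
T1_H, BETA = 20 * HOURS_PER_YEAR, 0.10      # mission time, worst-case CCF factor
LOGIC_PFH = {"EL6910": 1.79e-9, "EL2904": 1.25e-9}
CONTACTOR_B10D = 1_300_000                  # cycles, K1 and K2


def n_op(d_op, h_op, t_cycle_min):
    """Operations per year."""
    return d_op * h_op * 60 / t_cycle_min


def mttfd_from_b10d(b10d, nop):
    """MTTFD in years of a wearing component from its B10D cycle count."""
    return b10d / (0.1 * nop)


def mttfd_from_mtbf(mtbf_h):
    """Repair time neglected (MTTF = MTBF), half of the failures assumed dangerous."""
    return 2 * mtbf_h


def pfh(mttfd_h, dc):
    """Undetected dangerous failure rate per hour of one channel."""
    return (1 - dc) / mttfd_h


def two_channel(pfh_a, pfh_b, beta, t1_h):
    """Two-channel subsystem: (common-cause share, independent double-failure share)."""
    return beta * (pfh_a + pfh_b) / 2, (1 - beta) ** 2 * pfh_a * pfh_b * t1_h


def mttfd_series(*years):
    """1 / MTTFD,ges = sum of 1 / MTTFD,i over the components of the channel."""
    return 1 / sum(1 / y for y in years)


def dc_avg(parts):
    """parts: (DC, MTTFD in years) per component."""
    return sum(dc / y for dc, y in parts) / sum(1 / y for _, y in parts)


def mttfd_class(years):
    """Range of the MTTFD table (values above the table's upper limit are capped there)."""
    return "high" if years >= 30 else "medium" if years >= 10 else "low" if years >= 3 else "n/a"


def dc_class(dc):
    """Range of the DC table; rounded so that an exact 99 % is not lost to float noise."""
    dc = round(dc, 4)
    return "high" if dc >= 0.99 else "medium" if dc >= 0.90 else "low" if dc >= 0.60 else "none"


def sil_from_pfh(p):
    """EN 62061 Table 3 alone (SIL 3 is its top band); the SFF/DC limit is a separate check."""
    return 3 if p < 1e-7 else 2 if p < 1e-6 else 1 if p < 1e-5 else 0


def evaluate(channel_pairs, dc_in):
    """channel_pairs: list of ((sensor_h, terminal_h), (sensor_h, terminal_h)), MTTFD in hours."""
    k_years = mttfd_from_b10d(CONTACTOR_B10D, n_op(DOP, HOP, T_CYCLE_MIN))
    k_pfh = pfh(k_years * HOURS_PER_YEAR, 0.99)              # EDM-tested contactor, DC 99 %
    logic_years = [(1 - 0.99) / (p * HOURS_PER_YEAR) for p in LOGIC_PFH.values()]
    total, neglected = sum(LOGIC_PFH.values()), 0.0
    dc_parts = [(0.99, y) for y in logic_years] + [(0.99, k_years)] * 2
    worst_channel = float("inf")                              # for the EN ISO 13849-1 series
    for (s1, t1), (s2, t2) in channel_pairs:
        ccf, independent = two_channel(pfh(s1, dc_in) + pfh(t1, dc_in),
                                       pfh(s2, dc_in) + pfh(t2, dc_in), BETA, T1_H)
        total, neglected = total + ccf, neglected + independent
        dc_parts += [(dc_in, h / HOURS_PER_YEAR) for h in (s1, t1, s2, t2)]
        for s, t in ((s1, t1), (s2, t2)):
            worst_channel = min(worst_channel, mttfd_series(s / HOURS_PER_YEAR, t / HOURS_PER_YEAR))
    ccf, independent = two_channel(k_pfh, k_pfh, BETA, T1_H)
    total, neglected = total + ccf, neglected + independent
    mttfd_ges = mttfd_series(worst_channel, *logic_years, k_years)
    avg = dc_avg(dc_parts)
    return {"pfh": total, "pfh_neglected": neglected, "sil_table3": sil_from_pfh(total),
            "mttfd_years": mttfd_ges, "mttfd_class": mttfd_class(mttfd_ges),
            "dc_avg": avg, "dc_class": dc_class(avg)}


def section_7_5(dc_in=0.90):
    """Pressure: sensor 1 (MTTF 124 y) + EL3124-0090 against sensor 2 (MTTF 201 y) + EL6224."""
    ch1 = (mttfd_from_mtbf(124 * HOURS_PER_YEAR), mttfd_from_mtbf(950_000))
    ch2 = (mttfd_from_mtbf(201 * HOURS_PER_YEAR), mttfd_from_mtbf(1_607_919))
    return evaluate([(ch1, ch2)], dc_in)


def section_7_6(dc_in=0.90):
    """Lifting device: per side SG sensor (MTTFD 160 y, not doubled) + EL3356-0090 against SG + EL3751."""
    sg = 160 * HOURS_PER_YEAR
    side = ((sg, mttfd_from_mtbf(780_733)), (sg, mttfd_from_mtbf(513_333)))
    return evaluate([side, side], dc_in)


if __name__ == "__main__":
    for name, fn in (("7.5", section_7_5), ("7.6", section_7_6)):
        for dc in (0.90, 0.99):
            r = fn(dc)
            print(f"{name} DC_in={dc:.0%}: PFH={r['pfh']:.3e}/h (SIL {r['sil_table3']} by Table 3, "
                  f"neglected {r['pfh_neglected']:.1e}), MTTFD={r['mttfd_years']:.1f} y "
                  f"({r['mttfd_class']}), DCavg={r['dc_avg']:.2%} ({r['dc_class']})")
```

The pfh_neglected value is the quantity the guide drops: about 8 · 10^-10 h^-1 for 7.5 and about 6.5 · 10^-9 h^-1 for 7.6 (two sensor pairs). Keeping it in would be the conservative choice, and the returned dictionary makes it easy to check that the band of Table 3 does not change either way.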


CAUTION
Category
This structure is possible up to category 3 at the most.

DC = 90 % for the input subsystem (MTTFD,ges = 57.26 y, DCavg = 90.42 %): MTTFD range "high", DC range "medium", i.e. category 3, PL d.

MTTFD
Designation (per channel)   Range (per channel)
low                         3 years ≤ MTTFD < 10 years
medium                      10 years ≤ MTTFD < 30 years
high                        30 years ≤ MTTFD ≤ 100 years

DC
Name      Range
none      DC < 60 %
low       60 % ≤ DC < 90 %
medium    90 % ≤ DC < 99 %
high      99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of ranges was limited to four. An accuracy of 5 % is assumed for the limit values shown in this table.

Alternative with DC = 99 % for the input subsystem (DCavg = 99.00 %): MTTFD range "high" and DC range "high" in the same tables; since the structure remains category 3 (see CAUTION above), the claim stays at PL d.

NOTE
Result
The result with category 3, PL d meets or exceeds the requirements of the risk and hazard analysis (PL c).



Application-specific scenarios

8 Application-specific scenarios

8.1 Networked system (category 4, PL e)

Two plants are connected via Ethernet here; the path can also be implemented by a wireless Ethernet connection. Each station switches on its outputs K1/K2 only if the other machine does not signal an emergency stop. The signals from the emergency stop button, the restart button and the feedback loop are wired to safe inputs. The output of the ESTOP block is linked to an AND function block and additionally signaled to the other machine via the network. The ESTOP output of the other machine is linked to the same AND function block, and the output of the AND gate then switches the contactors on the safe output terminal.

Testing and discrepancy checking are activated for the input signals. Testing of the outputs is also active.

NOTE
Start / restart
If a machine has more than one operating station, measures must be provided to ensure that the initiation of commands from different operating stations does not lead to a hazardous situation.

NOTE
Contactor monitoring
If the result of the risk and hazard analysis shows that a contactor check is necessary when switching the contactors of the respective remote controller, this is to be done using an EDM function block.


8.1.1 Parameters of the safe input and output terminals

EL1904 (applies to all EL1904 used)

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

8.1.2 Block formation and safety loops

8.1.2.1 Safety function 1

8.1.3 Calculation

8.1.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
EL6900 – PFHD 1.03E-09
Safety-over-EtherCAT (FSoE) – PFHD 1.00E-09
S1 – B10D 1,000,000
S2 – B10D 2,000,000
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 15 (4x per hour)
Lifetime (T1) 20 years = 175200 hours

8.1.3.2 Diagnostic Coverage DC


Component Value
S1 with testing/plausibility DCavg=99%
S2 with plausibility DCavg=90%
K1/K2 with testing and EDM DCavg=99%
(actuation 1x per shift)

8.1.3.3 Calculation of safety function 1


Calculation of the PFHD and MTTFD values from the B10D values:

From:
$$ n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}} $$

and:
$$ MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}} $$

Inserting the values, this produces:

S1:
$$ n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360 $$
$$ MTTF_D = \frac{1{,}000{,}000}{0.1 \cdot 7360} = 1358.7\ \text{y} = 11{,}902{,}212\ \text{h} $$

S2:
$$ n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360 $$
$$ MTTF_D = \frac{2{,}000{,}000}{0.1 \cdot 7360} = 2717.4\ \text{y} = 23{,}804{,}424\ \text{h} $$

K1/K2:
$$ n_{op} = \frac{230 \cdot 8 \cdot 60}{15} = 7360 $$
$$ MTTF_D = \frac{1{,}300{,}000}{0.1 \cdot 7360} = 1766.3\ \text{y} = 15{,}472{,}788\ \text{h} $$

and the assumption that S1, S2, K1 and K2 are each single-channel:
$$ MTTF_D = \frac{1}{\lambda_D} $$

produces for
$$ PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D} $$

S1:
$$ PFH = \frac{1 - 0.99}{1358.7\ \text{y} \cdot 8760\,\frac{\text{h}}{\text{y}}} = 8.40 \times 10^{-10}\ \frac{1}{\text{h}} $$

S2:
$$ PFH = \frac{1 - 0.90}{2717.4\ \text{y} \cdot 8760\,\frac{\text{h}}{\text{y}}} = 4.20 \times 10^{-9}\ \frac{1}{\text{h}} $$

K1/K2 (actuation 1x per shift and direct feedback):
$$ PFH = \frac{1 - 0.99}{1766.3\ \text{y} \cdot 8760\,\frac{\text{h}}{\text{y}}} = 6.46 \times 10^{-10}\ \frac{1}{\text{h}} $$

The following assumptions must now be made:

Safety switch S1: According to BIA Report 2/2008, a fault exclusion for up to 100,000 cycles is possible, provided the manufacturer has confirmed this. If no such confirmation exists, S1 is included in the calculation as shown above and below.

Contactors K1 and K2 are both part of the safety function. The failure of one contactor does not lead to a dangerous situation, and it is detected via the feedback loop. Furthermore, the B10D values of K1 and K2 are identical.

There is a common-cause coupling between components that are connected in two channels; examples are temperature, EMC, voltage peaks or signals exchanged between these components. The worst-case estimate β = 10 % is assumed here. EN 62061 contains a table with which this β-factor can be determined more precisely. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to a single cause (e.g. overcurrent through relay contacts, overtemperature in the control cabinet).

It follows for the calculation of the PFHD value for safety function 1:
$$ PFH_{ges} = PFH(S1) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1 + PFH(S2) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + PFH(FSoE) + PFH(S1) + PFH(EL1904) + PFH(EL6900) $$

The terms $PFH(S1)$, $PFH(EL1904)$ and $PFH(EL6900)$ appear twice because the emergency stop of the other station is evaluated by its own EL1904 and EL6900 and reaches the AND function block via the FSoE connection.

Since the portion $(1 - \beta)^2 \cdot PFH(K1) \cdot PFH(K2) \cdot T_1$ is smaller than the rest by several powers of ten (about $6 \times 10^{-14}\,\frac{1}{\text{h}}$ with the values above), it is neglected in this and all further calculations for the purpose of simplification.

to:
$$ PFH_{ges} = 8.40 \times 10^{-10} + 10\,\% \cdot \frac{6.46 \times 10^{-10} + 6.46 \times 10^{-10}}{2} + 4.20 \times 10^{-9} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} + 1.25 \times 10^{-9} + 1.00 \times 10^{-9} + 8.40 \times 10^{-10} + 1.11 \times 10^{-9} + 1.03 \times 10^{-9} = 1.25 \times 10^{-8}\ \frac{1}{\text{h}} $$

Calculation of the MTTFD value for safety function 1 (under the same assumption):
$$ \frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}} $$

as:
$$ \frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(S2)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(FSoE)} + \frac{1}{MTTF_D(S1)} + \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL6900)} $$

K1 and K2 form one two-channel pair, so only one contactor enters the MTTFD of the channel; in the DCavg below every tested element is weighted, so both contactors appear there.

with:
$$ MTTF_D(S1) = \frac{B_{10D}(S1)}{0.1 \cdot n_{op}}, \qquad MTTF_D(S2) = \frac{B_{10D}(S2)}{0.1 \cdot n_{op}}, \qquad MTTF_D(K1) = \frac{B_{10D}(K1)}{0.1 \cdot n_{op}} $$

If only PFHD values are available for EL1904, EL2904 and EL6900, the following estimation applies:
$$ MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)} $$

Hence:
$$ MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{\text{y}}} = 1028.8\ \text{y} $$

$$ MTTF_D(EL6900) = \frac{1 - DC(EL6900)}{PFH(EL6900)} = \frac{1 - 0.99}{1.03 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{9.02 \times 10^{-6}\,\frac{1}{\text{y}}} = 1108.6\ \text{y} $$

$$ MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\text{y}}} = 913.2\ \text{y} $$

$$ MTTF_D(FSoE) = \frac{1 - DC(FSoE)}{PFH(FSoE)} = \frac{1 - 0.99}{1.00 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.01}{8.76 \times 10^{-6}\,\frac{1}{\text{y}}} = 1141.6\ \text{y} $$

$$ MTTF_{D,ges} = \frac{1}{\frac{1}{1358.7\,\text{y}} + \frac{1}{1766.3\,\text{y}} + \frac{1}{2717.4\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{1141.6\,\text{y}} + \frac{1}{1358.7\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}}} = 123.1\ \text{y} $$

$$ DC_{avg} = \frac{\frac{0.99}{1358.7\,\text{y}} + \frac{0.99}{1766.3\,\text{y}} + \frac{0.99}{1766.3\,\text{y}} + \frac{0.90}{2717.4\,\text{y}} + \frac{0.99}{1028.8\,\text{y}} + \frac{0.99}{1108.6\,\text{y}} + \frac{0.99}{913.2\,\text{y}} + \frac{0.99}{1141.6\,\text{y}} + \frac{0.99}{1358.7\,\text{y}} + \frac{0.99}{1028.8\,\text{y}} + \frac{0.99}{1108.6\,\text{y}}}{\frac{1}{1358.7\,\text{y}} + \frac{1}{1766.3\,\text{y}} + \frac{1}{1766.3\,\text{y}} + \frac{1}{2717.4\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}} + \frac{1}{913.2\,\text{y}} + \frac{1}{1141.6\,\text{y}} + \frac{1}{1358.7\,\text{y}} + \frac{1}{1028.8\,\text{y}} + \frac{1}{1108.6\,\text{y}}} = 98.6\,\% $$

(Evaluating the quotient with the values listed gives 98.6 %; the single 90 % term for S2 pulls the weighted average just below 99 %, which is within the 5 % accuracy of the limit values stated in the note below.)
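The calculation above, as an added worked example (editor-supplied code, not part of the Application Guide): the simplified ISO 13849-1 estimation of section 8.1.3.3 written as Python functions, so the figures can be reproduced and re-run with other B10D, DC or cycle-time inputs. It also evaluates the common-cause product term that the guide neglects, to show that it really is orders of magnitude smaller. The PL band function uses the PFHD ranges of ISO 13849-1 Table 3, which the guide does not print; the function names and the absence of intermediate rounding are this example's own, so the last digit can differ from the guide's rounded figures.

```python
# Added worked example: the simplified ISO 13849-1 estimation of section 8.1.3.3 as
# re-runnable functions. Editor-supplied code, not part of the TwinSAFE Application
# Guide; the component values are the ones tabulated in 8.1.3.1 and 8.1.3.2.
from typing import Iterable, List, Sequence, Tuple

HOURS_PER_YEAR = 8760.0


def n_op(d_op: float, h_op: float, t_cycle_min: float) -> float:
    """Demands per year: n_op = d_op * h_op * 60 / T_cycle (T_cycle in minutes)."""
    return d_op * h_op * 60.0 / t_cycle_min


def mttfd_from_b10d(b10d: float, n_op_per_year: float) -> float:
    """MTTFD in years of an electromechanical element: B10D / (0.1 * n_op)."""
    return b10d / (0.1 * n_op_per_year)


def pfh_from_mttfd(mttfd_years: float, dc: float) -> float:
    """Per-hour dangerous failure rate after diagnostics: (1 - DC) / MTTFD[h]."""
    return (1.0 - dc) / (mttfd_years * HOURS_PER_YEAR)


def mttfd_from_pfh(pfh: float, dc: float) -> float:
    """Inverse estimate in years for subsystems that only publish a PFHD."""
    return (1.0 - dc) / (pfh * HOURS_PER_YEAR)


def pfh_two_channel(pfh_a: float, pfh_b: float, beta: float, t1_hours: float) -> Tuple[float, float]:
    """1oo2 pair with common-cause factor beta. Returns (common-cause share,
    independent double-failure share); the guide keeps only the first."""
    ccf = beta * (pfh_a + pfh_b) / 2.0
    independent = (1.0 - beta) ** 2 * pfh_a * pfh_b * t1_hours
    return ccf, independent


def mttfd_total(mttfds: Iterable[float]) -> float:
    """Series combination: 1/MTTFD_ges = sum(1/MTTFD_i)."""
    return 1.0 / sum(1.0 / m for m in mttfds)


def dc_avg(elements: Sequence[Tuple[float, float]]) -> float:
    """Weighted average DC over (MTTFD, DC) pairs (ISO 13849-1 Annex E)."""
    return sum(dc / m for m, dc in elements) / sum(1.0 / m for m, _ in elements)


def pl_from_pfh(pfh: float) -> str:
    """PL band of a PFHD value per ISO 13849-1 Table 3. This is only the
    probabilistic part: category, MTTFD band and DCavg can still limit the PL
    (the Cat. 2 structure of 8.2 stays at PL c despite its small PFHD)."""
    for pl, upper in (("e", 1e-7), ("d", 1e-6), ("c", 3e-6), ("b", 1e-5), ("a", 1e-4)):
        if pfh < upper:
            return pl
    return "none"


def safety_function_1() -> dict:
    """Reproduces the numbers of 8.1.3.3 (networked system, Category 4)."""
    nop = n_op(230, 8, 15)                       # 7360 demands per year
    beta, t1 = 0.10, 20 * HOURS_PER_YEAR          # worst-case CCF, 20 y mission time
    m_s1 = mttfd_from_b10d(1_000_000, nop)        # 1358.7 y
    m_s2 = mttfd_from_b10d(2_000_000, nop)        # 2717.4 y
    m_k = mttfd_from_b10d(1_300_000, nop)         # 1766.3 y, K1 and K2 identical
    pfh_s1 = pfh_from_mttfd(m_s1, 0.99)
    pfh_s2 = pfh_from_mttfd(m_s2, 0.90)
    pfh_k = pfh_from_mttfd(m_k, 0.99)
    el1904, el2904, el6900, fsoe = 1.11e-9, 1.25e-9, 1.03e-9, 1.00e-9
    ccf, independent = pfh_two_channel(pfh_k, pfh_k, beta, t1)
    # Local path S1 -> EL1904 -> EL6900 -> EL2904 -> K1/K2, plus the other
    # station's S1 -> EL1904 -> EL6900 reaching the AND block via FSoE.
    pfh_total = (pfh_s1 + ccf + pfh_s2 + el1904 + el6900 + el2904
                 + fsoe + pfh_s1 + el1904 + el6900)
    m_1904, m_2904, m_6900, m_fsoe = [mttfd_from_pfh(p, 0.99)
                                      for p in (el1904, el2904, el6900, fsoe)]
    series: List[float] = [m_s1, m_k, m_s2, m_1904, m_6900, m_2904, m_fsoe,
                           m_s1, m_1904, m_6900]
    # DCavg weights every tested element, so both contactors appear here.
    weighted = [(m_s1, .99), (m_k, .99), (m_k, .99), (m_s2, .90), (m_1904, .99),
                (m_6900, .99), (m_2904, .99), (m_fsoe, .99), (m_s1, .99),
                (m_1904, .99), (m_6900, .99)]
    return {
        "n_op": nop, "mttfd_s1_y": m_s1, "pfh_s1": pfh_s1, "pfh_k": pfh_k,
        "neglected_term": independent, "pfh_total": pfh_total,
        "mttfd_total_y": mttfd_total(series), "dc_avg": dc_avg(weighted),
        "pl_band": pl_from_pfh(pfh_total),
    }


if __name__ == "__main__":
    for key, value in safety_function_1().items():
        print(f"{key:>15}: {value:.4g}" if isinstance(value, float) else f"{key:>15}: {value}")
```

Running the module prints the intermediate and total values; `neglected_term` comes out around 6e-14 against a total of 1.25e-8, which is the justification for dropping it. Because the code keeps full precision, the chained MTTFD values differ from the guide's rounded 1028.8 y or 1108.6 y in the last digit while the totals agree.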

NOTE
Category
This structure is possible up to category 4 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

8.2 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (1-channel) (Category 2, PL c)

The output of an EL2904 is wired directly to a safe input of an EL1904; the test pulses and current measurement of the outputs and the sensor test of the inputs are deactivated for this. This means that no cyclic tests for cross-circuits and external feed on the line are possible.

On account of their extensive internal diagnostics, the EL2904 and EL1904 are each evaluated as individual components with Category 2, SIL 2 and PL d, since only a single-channel structure is used externally. The total performance level of output and input is limited to PL c at most on account of chapter 6.2.5 of DIN EN ISO 13849-1:2016-06.

The test equipment required for Category 2 is integrated in the EL2904. When the output of the EL2904 is switched on, a check is performed whether 24 V are actually read back; when it is switched off, whether 0 V are read back. If an error is detected, the EL2904 enters the error state, which is also signaled to the higher-level safety controller. This module error of the EL2904 must be evaluated in the controller logic: the parameter "ModuleFault is ComError" is to be enabled for the connection to the EL2904, as a result of which the TwinSAFE group switches to the safe state and signals a ComError in the event of a module error.

8.2.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active No
Sensor test channel 2 active No
Sensor test channel 3 active No
Sensor test channel 4 active No
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active No
Output test pulses active No

8.2.2 Block formation and safety loops

8.2.2.1 Safety function 1

8.2.3 Calculation

8.2.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 60 (1x per hour)
Lifetime (T1) 20 years = 175200 hours

8.2.3.2 Diagnostic Coverage DC


Component Value
EL1904/EL2904 DCavg = 60 %, on account of the internal diagnostics of the terminals (such as monitoring of the field voltage, temperature, etc.) and the check of the EL2904 output for correctness each time the signal state changes

8.2.3.3 Calculation of safety function 1


It follows for the calculation of the PFHD value for safety function 1:
$$ PFH_{ges} = PFH(EL1904) + PFH(EL2904) $$

to:
$$ PFH_{ges} = 1.11 \times 10^{-9} + 1.25 \times 10^{-9} = 2.36 \times 10^{-9}\ \frac{1}{\text{h}} $$

Calculation of the MTTFD value for safety function 1:
$$ \frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}} $$

as:
$$ \frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL2904)} $$

If only PFHD values are available for EL1904 and EL2904, the following estimation applies:
$$ MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)} $$

Hence:
$$ MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.60}{1.11 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.4}{9.72 \times 10^{-6}\,\frac{1}{\text{y}}} = 41152\ \text{y} $$

$$ MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.60}{1.25 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.4}{1.1 \times 10^{-5}\,\frac{1}{\text{y}}} = 36364\ \text{y} $$

$$ MTTF_{D,ges} = \frac{1}{\frac{1}{41152\,\text{y}} + \frac{1}{36364\,\text{y}}} = 19305\ \text{y} $$

For the category classification the MTTFD of a channel is capped at 100 years (see the range table below); the uncapped value only serves as the weighting in the DCavg calculation.

$$ DC_{avg} = \frac{\frac{0.60}{41152\,\text{y}} + \frac{0.60}{36364\,\text{y}}}{\frac{1}{41152\,\text{y}} + \frac{1}{36364\,\text{y}}} = 60\,\% $$

NOTE
Category
This structure is possible up to category 2 at the most.

CAUTION
Achieving the safety level
To achieve the safety level, the user must ensure that the wiring is tested within the application, and that this test is carried out at least 100 times more often than the safety function is demanded.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

8.3 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (2-channel) (Category 3, PL d)

Two outputs of an EL2904 are wired directly to two safe inputs of an EL1904; the test pulses and current measurement of the outputs and the sensor test of the inputs are deactivated for this. On the input side, both signals are checked for discrepancy within the TwinSAFE logic. Hence both signals are checked for their value, but no tests are active on the cable, so a possible external feed is only detected when the outputs are switched.

8.3.1 Parameters of the safe input and output terminals

EL1904

Parameter Value
Sensor test channel 1 active No
Sensor test channel 2 active No
Sensor test channel 3 active No
Sensor test channel 4 active No
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic

EL2904

Parameter Value
Current measurement active No
Output test pulses active No

8.3.2 Block formation and safety loops

8.3.2.1 Safety function 1

8.3.3 Calculation

8.3.3.1 PFHD / MTTFD / B10D – values


Component Value
EL1904 – PFHD 1.11E-09
EL2904 – PFHD 1.25E-09
Days of operation (dop) 230
Hours of operation / day (hop) 8
Cycle time (minutes) (Tcycle) 60 (1x per hour)
Lifetime (T1) 20 years = 175200 hours

8.3.3.2 Diagnostic Coverage DC


Component Value
EL1904/EL2904 DCavg=90%

8.3.3.3 Calculation of safety function 1

It follows for the calculation of the PFHD value for safety function 1:
$$ PFH_{ges} = PFH(EL1904) + PFH(EL2904) $$

to:
$$ PFH_{ges} = 1.11 \times 10^{-9} + 1.25 \times 10^{-9} = 2.36 \times 10^{-9}\ \frac{1}{\text{h}} $$

Calculation of the MTTFD value for safety function 1 (under the same assumption):
$$ \frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}} $$

as:
$$ \frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(EL1904)} + \frac{1}{MTTF_D(EL2904)} $$

If only PFHD values are available for EL1904 and EL2904, the following estimation applies:
$$ MTTF_D(ELxxxx) = \frac{1 - DC(ELxxxx)}{PFH(ELxxxx)} $$

Hence:
$$ MTTF_D(EL1904) = \frac{1 - DC(EL1904)}{PFH(EL1904)} = \frac{1 - 0.90}{1.11 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.1}{9.72 \times 10^{-6}\,\frac{1}{\text{y}}} = 10288.1\ \text{y} $$

$$ MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.90}{1.25 \times 10^{-9}\,\frac{1}{\text{h}} \cdot 8760\,\frac{\text{h}}{\text{y}}} = \frac{0.1}{1.1 \times 10^{-5}\,\frac{1}{\text{y}}} = 9090.9\ \text{y} $$

$$ MTTF_{D,ges} = \frac{1}{\frac{1}{10288.1\,\text{y}} + \frac{1}{9090.9\,\text{y}}} = 4826.3\ \text{y} $$

$$ DC_{avg} = \frac{\frac{0.90}{10288.1\,\text{y}} + \frac{0.90}{10288.1\,\text{y}} + \frac{0.90}{9090.9\,\text{y}} + \frac{0.90}{9090.9\,\text{y}}}{\frac{1}{10288.1\,\text{y}} + \frac{1}{10288.1\,\text{y}} + \frac{1}{9090.9\,\text{y}} + \frac{1}{9090.9\,\text{y}}} = 90\,\% $$

NOTE
Category
This structure is possible up to category 3 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Range
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

8.4 Application example C9900-M800

8.4.1 Description C9900-M800


The product C9900-M800 is a push button extension for Control Panels from Beckhoff. The relevant push
buttons (see table below) are read in with a safety component (FB6901-1918 see Z10 62386 037 Rev. 1).
These signals are then packed into a PROFIsafe telegram by the FB6901-1918 safety component and
transferred to the PROFINET interface by the standard control on the push button extension.

[Figure: arrangement of the push buttons 1 to 11 on the C9900-M800]

Push button | Description | PROFIsafe signals | Signals FB6901-1918
1 (SW700) | Standard | - | -
2 (SW701) | Standard | - | -
3 (SW702) | Standard | - | -
4 (SW703) | Standard | - | -
5 (SW704) | Standard | - | -
6 (SW705.2) | Illuminated push button yellow (1x make contact) | PROFIsafe_2B[0].4 | SW705_SafeIn2
7 (SW706) | Standard | - | -
8 (SW707) | Standard | - | -
9 (SW708) | Standard | - | -
10 (SW709.1/.2) | Key switch SSG10, left non-latching, right latching (2x make contacts) | PROFIsafe_2B[0].2 / PROFIsafe_2B[0].3 | SW709_SafeIn4 / SW709_SafeIn3
11 (SW710.1/.2) | Emergency stop button (2x break contacts) | PROFIsafe_2B[0].0 / PROFIsafe_2B[0].1 | SW710_SafeIn1 / SW710_SafeIn5

Other PROFIsafe signals

Description | PROFIsafe signals | Signals FB6901-1918
ModuleFault_SafeIn1_2 | PROFIsafe_2B[0].5 | FSIN Module1.Module Fault
ModuleFault_SafeIn3_4 | PROFIsafe_2B[0].6 | FSIN Module2.Module Fault
ModuleFault_SafeIn5 | PROFIsafe_2B[0].7 | FSIN Module3.Module Fault
ModuleFault_ErrAck | PROFIsafe_1B[0].0 | FSIN Module1.Err Ack, FSIN Module2.Err Ack, FSIN Module3.Err Ack

8.4.2 Calculation

8.4.2.1 General
The push button and switch sign­als are read in by the FB6901-1918 as 1-channel signals, processed within the SIL 3-certified FB6901-1918 and transferred to the PROFIsafe telegram. The calculation of the safety-related parameters therefore covers the path from the push button to the transfer into the safe protocol. For the further evaluation in the higher-level safety controller, assumptions are made and alternative calculations are derived from them. Thus, except for safety subfunction 3, all examples are Category 2 functions.

8.4.2.2 Parameters FB6901-1918


Parameter Value
Lifetime [a] 20
Proof test interval [a] Not required
PFHD 3.4 E-09
PFDavg 5.1E-05
MTTFD 1780 a
DC 97.5% (CAT4)
Performance Level PL e
Category 4
SFF >99%
HFT 1
Element classification Type B
Residual error rate Bus Communication 1E-09

The residual error rate of the bus communication of 1E-09 (1% of SIL 3) is already considered in the
characteristics of FB6901-1918 and therefore does not have to be included again in the following
calculations.

8.4.2.3 Parameters push button SW710


Parameter Operating element Switching element
Lifetime 50,000 cycles 1,000,000 cycles
B10 65,000 cycles 1,300,000 cycles
B10D 130,000 cycles 2,600,000 cycles
Actuations / [a] (nop) 12
Version 2x break contacts

The key figures of the switching element are much larger than those of the operating element; therefore the worse values, those of the operating element, are used for the calculation.

WARNING
Verify value
The number of actuations is an assumption on the part of the customer. This value must be verified and, if
necessary, adjusted by the customer in the course of the final calculation of the safety function.

8.4.2.4 Parameters push button SW709


Parameter Operating element Switching element
Lifetime 50,000 cycles 1,000,000 cycles
B10 71,660 cycles 1,300,000 cycles
B10D - -
Actuations / [a] (nop) 52
Version 2x make contacts

The key figures of the switching element are much larger than those of the operating element; therefore the worse values, those of the operating element, are used for the calculation.

WARNING
Verify value
The number of actuations is an assumption on the part of the customer. This value must be verified and, if
necessary, adjusted by the customer in the course of the final calculation of the safety function.

8.4.2.5 Parameters push button SW705


Parameter Operating element Switching element
Lifetime 1,000,000 cycles 1,000,000 cycles
B10 1,300,000 cycles 1,300,000 cycles
B10D - -
Actuations / [a] (nop) 8760
Version 1x make contact

The key figures of the operating element and the switching element are identical, so it is not relevant which of the two is used.

WARNING
Verify value
The number of actuations is an assumption on the part of the customer. This value must be verified and, if
necessary, adjusted by the customer in the course of the final calculation of the safety function.

8.4.2.6 Parameters of the FB6901-1918

Index | Description | Value
80x00:01 | ModuloDiagTestPulse | 0x00
80x00:02 | MultiplierDiagTestPulse | 0x01
80x00:04 | Diag Testpulse active | TRUE
80x00:05 | Module Fault Link active | TRUE
80x1:01 | Channel 1.InputFilterTime | 0x0014 (20) x 0.1 ms
80x1:02 | Channel 1.DiagTestPulseFilterTime | 0x0002 (2) x 0.1 ms
80x1:04 | Channel 2.InputFilterTime | 0x0014 (20) x 0.1 ms
80x1:05 | Channel 2.DiagTestPulseFilterTime | 0x0002 (2) x 0.1 ms

The parameters of FB6901-1918 have been left at the default settings.

The test pulses of all channels are switched on and via the parameter Module Fault Link active all input
modules are set to the ModuleFault state in case of a fault.

8.4.2.7 Assumptions for the Diagnostic Coverage DC

Component | DC value
SW710.1 | 90 %
1-channel evaluation of the emergency stop signal with test pulses (Category 2 structure). The emergency stop button is designed as a break contact and is thus checked by the cyclic test pulses. The test rate is therefore more than 100 times higher than the demand rate of the safety function.
SW710.2 | 90 %
1-channel evaluation of the emergency stop signal with test pulses (Category 2 structure). Explanation see SW710.1.

Alternative for the emergency stop button | DC value
SW710.1 and SW710.2 with 2-channel evaluation | 99 %
For SW710.1 and SW710.2, a 2-channel evaluation with plausibility check is performed in the higher-level safety controller (Category 4 structure).

1-channel components | DC value
SW709.1 | 60 %
1-channel evaluation of the key switch (position 1) with test pulses (Category 2 structure). The wiring of the make contact is only checked by test pulses in the actuated state. The connection between the switch and the safe input is realized inside the housing, so no short circuits can occur due to external influences. Since the extensive diagnostics of the FB6901-1918 monitor environmental conditions such as voltage, temperature, etc., a DC of 60 % can be assumed.
WARNING: The safety function must be defined by the user so that the NOT-switched state is the safe state.
SW709.2 | 60 %
1-channel evaluation of the key switch (position 2) with test pulses (Category 2 structure). Reason and warning see SW709.1.
SW705.2 | 60 %
1-channel evaluation of the reset button with test pulses (Category 2 structure). Reason and warning see SW709.1.
Note: If the rising and falling edges and the time behavior of the reset button are monitored in the higher-level controller (0.5 s to 5 s between rising and falling edge), a DC of 90 % can be assumed instead of 60 %.

WARNING
Perform plausibility check and cross comparison
For the alternative calculation of the emergency stop button with the assumption of a DC of 99%, it is
mandatory that a plausibility check / cross comparison of the two signals of the SW710 switch in the higher-
level safety controller is performed.

8.4.2.8 Block formation and safety loops

8.4.2.8.1 Overview

[Figure: overview of the safety loops. The MBLP push buttons SW710.1, SW710.2, SW709.1, SW709.2 and SW705.2 are read in by the FB6901-1918 inputs FB6901-1918_1, FB6901-1918_5, FB6901-1918_3, FB6901-1918_4 and FB6901-1918_2 respectively; the FB6901-1918 packs them into the PROFIsafe telegram, which is transmitted over PROFINET as a black channel to the safety logic of the Siemens PLC.]

8.4.2.8.2 General formulas for calculating MTTFD and PFHD


Estimation if only one B10 value is available (see table C.1 DIN EN ISO 13849-1):

Actuations per year:

Derivation MTTFD from B10D:

Calculation Total MTTFD:

Calculation Total DC:

Calculation PFHD from MTTFD and DC:

Calculation of total PFHD (for 1-channel structures):

Calculation of total PFHD (for 2-channel structures):

8.4.2.8.3 Safety subfunctions 1/2 (SW710.1 / SW710.2)


The safety subfunction 1/2 consists of one channel of the emergency stop button (here SW710.1 or
SW710.2), together with FB6901-1918 and the signal in the PROFIsafe telegram.

The calculation for the two individual channels is identical, so this is only calculated once here.

WARNING
Implement measures
The extension of this block diagram to include the higher-level controller and the switched actuator system
together with the monitoring of the feedback loop and the implementation of the restart lock must be carried
out by the customer.

Calculation of the PFHD and MTTFD values from the B10D values:

Calculation MTTFD and DC:

Calculation PFH:

WARNING
Use in category 2
This structure of the safety subfunction can be used in category 2.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
middle 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DCavg
Designation Range
none DC < 60 %
low 60 % ≤ DC < 90 %
middle 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

8.4.2.8.4 Safety subfunction 3 (SW710.1 and SW710.2)


Safety subfunction 3 consists of two channels of the emergency stop button (here SW710.1 and SW710.2),
together with FB6901-1918 and the 2 signals in the PROFIsafe telegram.

WARNING
Perform plausibility check and set up restart lock
A plausibility check of the two signals must be performed in the higher-level safety controller and the restart
lock must also be implemented by the customer

WARNING
Implement measures
The extension of this block diagram to include the higher-level controller and the switched actuator system
together with the monitoring of the feedback loop and the implementation of the restart lock must be carried
out by the customer.

The two channels of the emergency stop button are designed as break contacts and are tested via test
pulses. The plausibility check of the two signals is performed in the higher-level controller. To simplify the
calculation, the worse of the two values can be used for the combination (see also D.2 of DIN EN ISO
13849-1:2016). Here in this case the values are identical.

Calculation of the PFHD and MTTFD values from the B10D values:

Calculation MTTFD and DC:

Calculation PFH:

There is a common-cause coupling between components that are connected in two channels; examples are temperature, EMC, voltage peaks or signals exchanged between these components. The worst-case estimate β = 10 % is assumed here. EN 62061 contains a table with which this β-factor can be determined more precisely. Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at the same time due to a single cause (e.g. overcurrent through relay contacts, overtemperature in the control cabinet).

Since this portion is smaller than the rest by several powers of ten, it is neglected in this calculation for the purpose of simplification.

WARNING
Use up to a maximum of category 4
This structure of the safety subfunction can be used in category 4.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
middle 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DCavg
Designation Range
none DC < 60 %
low 60 % ≤ DC < 90 %
middle 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

8.4.2.8.5 Safety subfunctions 4/5 (SW709.1 and SW709.2)


The safety subfunctions 4 and 5 consist of a channel of the key switch (here SW709.1 or SW709.2), together
with FB6901-1918 and the signal in the PROFIsafe telegram.

The calculation for the two individual channels is identical, so this is only calculated once here.

WARNING
Implement measures
The extension of this block diagram to include the higher-level controller and the switched actuator system
together with the monitoring of the feedback loop and the implementation of the restart lock must be carried
out by the customer.

WARNING
Maintain safe state
The safety function must be defined by the user so that the NOT-switched state is the safe state.

Calculation of the PFHD and MTTFD values from the B10D values:

Calculation B10D:

Calculation MTTFD and DC:

Calculation PFH:

WARNING
Use in category 2
This structure of the safety subfunction can be used in category 2.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
middle 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DCavg
Designation Range
none DC < 60 %
low 60 % ≤ DC < 90 %
middle 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

8.4.2.8.6 Safety subfunction 6 (SW705.2)


Safety subfunction 6 consists of one channel of the reset button (here SW705.2), together with FB6901-1918
and the signal in the PROFIsafe telegram.

WARNING
Implement measures
The extension of this block diagram to include the higher-level controller and the switched actuator system
together with the monitoring of the feedback loop and the implementation of the restart lock must be carried
out by the customer.

Calculation of the PFHD and MTTFD values from the B10D values:

Calculation B10D:

Calculation MTTFD and DC:

NOTE
DC value
If the rising and falling edges and the time behavior of the reset button are monitored in the higher-level controller (0.5 s to 5 s between rising and falling edge), a DC of 90 % can be assumed instead of a DC of 60 %.
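An illustration of the monitoring described in this note, added here as example code and not part of the Application Guide or of any TwinSAFE or Siemens function block: a small monitor that only accepts a reset when a complete press/release pulse of plausible length has been seen, and that reports a permanently high input as a diagnostic fault rather than as a command. The 0.5 s to 5 s window is the guide's; the sample format (time in seconds and input level per scan), the fault names and the class name are assumptions of this example.

```python
# Added example, editor-supplied and not part of the TwinSAFE Application Guide: the
# edge-and-timing plausibility check on the reset button that the guide credits with a
# DC of 90 % instead of 60 %. The 0.5 s .. 5 s window comes from the guide; the sample
# format (time in seconds, input level) and the class/function names are assumptions.
from typing import Iterable, List, Optional, Tuple

MIN_PRESS_S = 0.5   # shorter pulses: contact bounce, EMC, no operator intent
MAX_PRESS_S = 5.0   # longer: stuck contact, wired-high input, permanently pressed


class ResetPulseMonitor:
    """Accepts a reset only for a complete press/release pulse of plausible length.

    The not-switched level is the safe state: a permanently high input never
    produces a reset, and a stuck-high input is reported as a diagnostic fault
    instead of being taken as a valid command."""

    def __init__(self, min_press: float = MIN_PRESS_S, max_press: float = MAX_PRESS_S):
        self.min_press = min_press
        self.max_press = max_press
        self.fault: Optional[str] = None
        self._pressed_at: Optional[float] = None
        self._last_level = False

    def sample(self, t: float, level: bool) -> bool:
        """Feed one scan; returns True for exactly the scan that completes a valid pulse."""
        if self.fault is not None:
            return False                      # latched until acknowledged
        reset = False
        if level and not self._last_level:    # rising edge: start timing
            self._pressed_at = t
        elif level and self._pressed_at is not None and t - self._pressed_at > self.max_press:
            self.fault = "stuck-at-1"         # still high after the window: diagnostic fault
        elif not level and self._last_level:  # falling edge: evaluate the pulse length
            held = t - self._pressed_at if self._pressed_at is not None else None
            if held is None:
                self.fault = "inconsistent edge"
            elif held > self.max_press:
                self.fault = "stuck-at-1"     # coarse scan: release seen after the window
            elif held >= self.min_press:
                reset = True                  # plausible operator action
            # held < min_press: ignored as a glitch, no reset
            self._pressed_at = None
        self._last_level = level
        return reset

    def acknowledge(self) -> None:
        """Error acknowledge from the safety controller clears the latched fault."""
        self.fault = None
        self._pressed_at = None
        self._last_level = False


def evaluate(samples: Iterable[Tuple[float, bool]]) -> Tuple[List[float], Optional[str]]:
    """Run a sample trace; returns (times of accepted resets, latched fault)."""
    monitor = ResetPulseMonitor()
    accepted = [t for t, level in samples if monitor.sample(t, level)]
    return accepted, monitor.fault


# Constructed traces (only the edge times matter, so a dense scan is not needed).
VALID_PRESS = [(0.0, False), (1.0, True), (1.5, True), (2.2, False), (3.0, False)]
GLITCH = [(0.0, False), (1.0, True), (1.1, False), (2.0, False)]
STUCK_HIGH = [(0.0, False), (1.0, True), (4.0, True), (6.5, True), (7.0, False)]
WIRED_HIGH = [(0.0, True), (3.0, True), (6.0, True)]

if __name__ == "__main__":
    for name, trace in (("valid", VALID_PRESS), ("glitch", GLITCH),
                        ("stuck", STUCK_HIGH), ("wired high", WIRED_HIGH)):
        print(f"{name:>10}: {evaluate(trace)}")
```

The glitch and the stuck-high cases are the ones a plain level check would get wrong: a short spike is ignored without raising a fault, while a contact that never opens again is latched as a fault and can only be cleared by an explicit acknowledge, never by the input itself.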

Calculation PFH:

WARNING
Use in category 2
This structure of the safety subfunction can be used in category 2.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
middle 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DCavg
Designation Range
none DC < 60 %
low 60 % ≤ DC < 90 %
middle 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

Connection of PROFIsafe

9 Connection of PROFIsafe

9.1 Safe speed monitoring with PROFIsafe encoder (Category 4, PL e)

The speed of a drive is to be monitored. This drive has an integrated safety function (in this case, for example, STO), which is activated via a corresponding input. This input is (or these inputs are) conducted via a NO contact of each of the two contactors. A safe absolute rotary encoder from TR-Electronic is used to measure the speed safely; it is certified for applications up to Performance Level e. The safety-relevant data is transmitted via PROFINET with the help of PROFIsafe. The speed data is transmitted via the safety-related protocol PROFIsafe to the EL6910 as PROFIsafe master and monitored there with the help of the available pre-certified function blocks for analog value processing.

If the current speed value lies below the threshold specified in the Limit FB, the STO output is set to logical 1 and the drive can rotate. If the limit is exceeded, the output is set to logical 0 and the drive is switched torque-free, i.e. the safety function integrated in the drive is activated. The entire calculation and scaling are performed at safety level SIL 3/PL e in the safety-related EL6910 logic.

An ESTOP function block also implements an emergency stop function (not shown in the diagram to reduce complexity), which prevents restarting and also takes control of the contactors K1 and K2.

Structure

Structure diagram configuration

Logic

Correct configuration of the overall system

The following restrictions apply when transmitting PROFIsafe within EtherCAT.

PROFIsafe telegram only via E-bus and PROFINET/PROFIBUS


On account of the PROFIsafe policy, the use of PROFIsafe is permitted only via the PROFIBUS
and PROFINET fieldbuses or via a backplane bus, in this case for example the E-bus. The use of
PROFIsafe via other fieldbuses is impermissible for reasons connected with patent law. This must
be ensured through the use of the EL9930 segment end terminal.
The following Siemens AG patents are relevant according to the PROFIsafe profile:
- EP1267270-A2 Method for data transfer
- WO00/045562-A1 Method and device for determining the reliability of data carriers
- WO99/049373-A1 Shortened data message of an automation system
- EP1686732 Method and system for transmitting protocol data units
- EP1802019 Identification of errors in data transmission
- EP1921525-A1 Method for operation of a safety-related system
- EP13172092.2 Method and system for detection of errors

Depending on the architecture of the application, appropriate measures must therefore be taken. Details of
the correct configuration of the overall system with regard to PROFIsafe can be found in the documentation
for the EL6910 and EL9930.

Use of external safe encoders

Further requirements must be met when using an external encoder.

CAUTION
Use of external safe encoders
When using an external safe encoder, the current version of the documentation must always be observed.
Here you will find all the requirements for assembly, operation and repair, which must be met so that the
encoder can be used correctly in a safety-relevant application.

9.1.1 FMEA
Error assumption | Expectations | Checked
Speed value freezes | The speed in the encoder is determined safely (Performance Level e) and transmitted safely via PROFIsafe. Freezing of the telegram is detected via the watchdog of the safe communication protocol. |
Speed value is falsified | The speed in the encoder is determined safely (Performance Level e) and transmitted safely via PROFIsafe. Falsification of the telegram is detected via the safe communication protocol. |
There is no longer any connection between the motor and the drive encoder | Can be detected via a plausibility check with a standard signal: both the standard speed of the drive and Boolean information about whether the drive should be rotating can be used for the plausibility check. Alternatively, the position signal of the safe telegram can be used as the input signal of the function block safeScaling in order to detect this error case with the help of the output StuckAtError (e.g. in combination with the evaluation of the information as to whether the drive is being actively decelerated). Plausibility check: dynamic speed values are also expected when the motor is started. |

9.1.2 Configuration in the engineering environment


In addition to the connection of TwinSAFE components, the additional connection of an encoder via
PROFIsafe/PROFInet is considered in the context of this application example. All necessary configuration
steps for the implementation are described in detail below.

For the configuration of the safety-relevant parameters of the encoder, an additional application is required to
perform the parameterization of the device and to determine the CRC checksum of the iParameters, which
ultimately has to be additionally configured within TwinCAT.

9.1.2.1 Encoder configuration


An additional application is required for the parameterization of the encoder. The current version can be
obtained from the manufacturer's website.


Here the necessary parameters have to be configured according to the application, so that the CRC
checksum can be calculated correctly (F_iPar_CRC in the illustration).

9.1.2.2 Configuration of TwinCAT I/O


First, a new TwinCAT project is created and the EtherCAT segment is configured.

In addition, the configuration of the PROFInet segment is generated by adding a PROFInet I/O controller.


As with the configuration of the EtherCAT segment, the PROFInet controller configuration can either be
generated by an automatic scan or be created manually. In the latter case, the encoder is also added
manually.

The following information must be observed for the successful use of the encoder via PROFIsafe.


CAUTION
Data type WORD!
An additional configuration may have to be done when using WORD data types within the process image.

If no EL9930 is used within the configuration to limit the PROFIsafe segment, the swapping of the high and
low byte portions must be configured as part of the I/O configuration of the PROFIsafe device for the
signals with WORD data type contained in the process image. This is done by checking the Swap LOBYTE
and HIBYTE checkbox directly on the data values (on the Flags tab).

CAUTION
iParameters
The identical iParameters as on the Alias Device must be configured on the PROFIsafe I/O device so that
communication can start correctly.

You can then continue with the configuration of the safety project. At this point, the following initial situation is
assumed.

9.1.2.3 Configuration of TwinCAT safety project connections


Before configuring the PROFIsafe connection, a safety project is created first and the required alias devices
for the available EtherCAT components are imported. In addition, the target system is mapped to the EL6910
of the EtherCAT segment (via the Target System node).


You can then continue with the configuration of the PROFIsafe connection to the TR encoder. This
connection is implemented as usual via an Alias Device. A Custom PROFIsafe Connection can be created
via the context menu of the node Alias Devices selecting Add and New item….

After opening the Alias Device, PROFIsafe Master must first be selected as the mode of the connection on
the Connection tab.

On the Linking tab, the linking mode must be set to Automatic so that the TR encoder considered here can
be selected via the Map to Physical Device button.


In addition to mapping to the physical device, the safe address of the encoder must also be entered on the
Linking tab (13 in this example).

If all settings have been made correctly, the safe process image of the encoder can be viewed on the
Process Image tab (with the entry Velocity, which is relevant in this example).


The Safety Parameters tab provides the parameters for the PROFIsafe master connection.

Fig. 1: Safety Parameter Encoder

All parameters for the PROFIsafe connection must be set correctly here. These include the two addresses
F_Source_Add (target system) and F_Dest_Add (safe address of the PROFIsafe device). In addition, the CRC
of the iParameters must be configured. This value is taken from the additional application for configuring the
encoder (see section Encoder configuration).


In the case of a PROFIsafe device, the parameters must be set both within the Alias Device and directly for
the device in the I/O configuration. Reading the data from the I/O device and transferring it to the I/O
device can be initiated via the corresponding buttons on the Safety Parameters tab. Both sets of data must
match for a PROFIsafe connection to be established successfully.

Parameter Description
F_Check_Seq_Nr Setting (0/1) to indicate whether the sequence number of the connection should be checked.
F_Check_iPar Setting (0/1) to indicate whether the parameterization should take place via an iPar server.
F_SIL Selecting the required SIL level (SIL1, SIL2, SIL3, NoSIL)
F_CRC_Length Display of the CRC length
F_Block_ID always 0
F_Par_Version PROFIsafe version used (typically V2 mode)
F_Source_Add Setting the PROFIsafe source address
F_Dest_Add Setting the PROFIsafe destination address
F_WD_Time Setting the watchdog time
F_iPar_CRC i-parameter(s) for the PROFIsafe slave
F_Par_CRC Calculated CRC across all parameters

After completion of the configuration of the parameters, they must be transferred to the I/O configuration by
clicking the button Update IO TreeItem final.

After completion of the configuration of the connections, you can continue with the implementation of the
actual safety function.

9.1.2.4 Implementing a TwinCAT safety project


In the safety function considered in this example, which monitors the speed of a drive, the safe speed value
received via PROFIsafe is compared with a specified limit value, and an appropriate reaction is triggered if
this limit value is exceeded.

A safeLimit function block is used to check the speed value. The speed value received via PROFIsafe is a
16-bit integer value (see the Process Image tab of the Alias Device for the PROFIsafe connection).
Accordingly, the data type of the input AnalogIn must be configured as INT for the inserted safeLimit function
block.

The input can then be linked to the Velocity signal of the PROFIsafe connection.

The InLimit signal resulting from the safeLimit function block indicates whether the speed is below the
configured maximum limit. It can be used further to additionally evaluate a possibly existing emergency stop
switch with a safeEstop function block, for example.


As the illustration shows, the EstopOut output of the safeEstop function block switches the two contactors K1
and K2, which in turn control the STO safety function of the drive. The feedback from the contactors is used
as an EDM input of the safeEstop function block.

In addition to the function blocks already described, a safeEdm function block is used to check the correct
behavior of the contactors K1 and K2. Here, the time intervals for the switch-on and switch-off check are
configured according to the contactors used.

9.1.3 Parameters of the safe output terminal

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

9.1.4 Block formation and safety loops

9.1.4.1 Safety function 1 (without drive)


Safety function 1 considers the safety loop starting from the TR encoder to the contactors K1/K2 for the
application example described so far. The downstream STO inputs are not considered in this safety function.


9.1.4.2 Safety function 2 (with drive)


Safety function 2 considers the safety loop starting from the TR encoder for the application example
described so far. The STO functionality is controlled by safe communication. For this purpose, a drive with
corresponding characteristic safety values is assumed within the context of the calculation.

9.1.5 Calculation of safety function 1 (without drive)

9.1.5.1 PFHD / MTTFD / B10D – values


Component Value
TR Encoder1) – PFHD 1.46E-09
EL2904 – PFHD 1.25E-09
EL6910 – PFHD 1.79E-09
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours
1) Please note the information provided in the current user documentation

9.1.5.2 Diagnostic Coverage DC


Component Value
TR Encoder1) DCavg=95%
K1/K2 with EDM monitoring (actuation 1x per week and evaluation of all rising and falling edges with monitoring over time) with testing of the individual channels DCavg=99%

1) Please note the information provided in the current user documentation

9.1.5.3 Calculation of safety function 1


For clarity, the safety factor is calculated according to EN 62061 as well as EN ISO 13849-1. Calculation
according to one standard is sufficient in practice.

Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$ n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}} $$

and:

$$ MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}} $$

produces for PFH:

$$ PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D} $$

Inserting the values, this produces:

K1/K2:

$$ n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90 $$

$$ MTTF_D = \frac{1{,}300{,}000}{0.1 \cdot 21.90} = 593607.3\ \mathrm{y} = 5199997320\ \mathrm{h} $$

and the assumption that K1 and K2 are each single-channel:

K1/K2: Actuation 1x per week and direct read back

$$ PFH = \frac{1 - 0.99}{593607.3 \cdot 8760} = 1.92 \times 10^{-12} $$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the
worst-case estimation, where β = 10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF,
and Table F.2: Estimation of the CCF factor (β)), which can be used to determine the β factor precisely. For
the output subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is
modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1

$$ PFH_{ges} = PFH(Encoder) + PFH(EL6910) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1 $$

Since the portions $(1 - \beta)^2 \cdot (PFH(K1) \cdot PFH(K2)) \cdot T_1$ are smaller than the rest by powers of ten, they are
neglected in this and all further calculations for the purpose of simplification.

$$ PFH_{ges} = 1.46 \times 10^{-9} + 1.79 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.94 \times 10^{-9} + 1.94 \times 10^{-9}}{2} $$

$$ PFH_{ges} = 4.69 \times 10^{-9} $$

The MTTFD value according to EN 13849 for safety function 1 is calculated with:

$$ \frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}} $$

to:

$$ \frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(Encoder)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} $$

with:

If only PFHD values are available for EL2904 and EL6910, the following estimation applies:

$$ MTTF_D(x) = \frac{1 - DC(x)}{PFH(x)} $$

Hence:

$$ MTTF_D(EL6910) = \frac{1 - DC(EL6910)}{PFH(EL6910)} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{15.68 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 637\ \mathrm{y} $$

$$ MTTF_D(EL2904) = \frac{1 - DC(EL2904)}{PFH(EL2904)} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 913.2\ \mathrm{y} $$

The value of the encoder can be taken from the current user documentation:

$$ MTTF_D(Encoder) = 421\ \mathrm{y} $$

$$ MTTF_{D,ges} = \frac{1}{\frac{1}{421\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{913\,\mathrm{y}} + \frac{1}{593607\,\mathrm{y}}} = 198\ \mathrm{y} $$

$$ DC_{avg} = \frac{\frac{DC}{MTTF_D(Encoder)} + \frac{DC}{MTTF_D(EL6910)} + \frac{DC}{MTTF_D(EL2904)} + \frac{DC}{MTTF_D(K1)} + \frac{DC}{MTTF_D(K2)}}{\frac{1}{MTTF_D(Encoder)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} + \frac{1}{MTTF_D(K2)}} $$

$$ DC_{avg} = \frac{\frac{95\%}{421} + \frac{99\%}{637} + \frac{99\%}{913} + \frac{99\%}{593607} + \frac{99\%}{593607}}{\frac{1}{421} + \frac{1}{637} + \frac{1}{913} + \frac{1}{593607} + \frac{1}{593607}} = 97.12\% $$


CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Area
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.

9.1.6 Calculation of safety function 2 (with drive)

9.1.6.1 PFHD / MTTFD / B10D – values


Component Value
TR Encoder1) – PFHD 1.46E-09
EL2904 – PFHD 1.25E-09
EL6910 – PFHD 1.79E-09
AX8xxx-x1xx – PFHD 3.04E-09
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10080 (1x per week)
Lifetime (T1) 20 years = 175200 hours
1) Please note the information provided in the current user documentation


9.1.6.2 Diagnostic Coverage DC


Component Value
TR Encoder1) DCavg=95%
AX8xxx-x1xx STO function DCavg>99%

1) Please note the information provided in the current user documentation

9.1.6.3 Calculation of safety function 2


It follows for the calculation of the PFHD value for safety function 2:

$$ PFH_{ges} = PFH(Encoder) + PFH(EL6910) + PFH(AX8xxx\text{-}x1xx) $$

$$ PFH_{ges} = 1.46 \times 10^{-9} + 1.79 \times 10^{-9} + 3.04 \times 10^{-9} $$

$$ PFH_{ges} = 6.29 \times 10^{-9} $$

The MTTFD value according to EN 13849 for safety function 2 is calculated with:

$$ \frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}} $$

to:

$$ \frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(Encoder)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(AX8xxx\text{-}x1xx)} $$

with:

If only PFHD values exist for AX8xxx-x1xx and EL6910, the following estimation applies:

$$ MTTF_D(x) = \frac{1 - DC(x)}{PFH(x)} $$

Hence:

$$ MTTF_D(EL6910) = \frac{1 - DC(EL6910)}{PFH(EL6910)} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{15.68 \times 10^{-6}\,\frac{1}{\mathrm{y}}} = 637\ \mathrm{y} $$

$$ MTTF_D(AX8xxx\text{-}x1xx) = \frac{1 - DC(AX8xxx\text{-}x1xx)}{PFH_D(AX8xxx\text{-}x1xx)} = \frac{1 - 0.99}{3.04 \times 10^{-9}\,\frac{1}{\mathrm{h}} \cdot 8760\,\frac{\mathrm{h}}{\mathrm{y}}} = \frac{0.01}{2.66 \times 10^{-5}\,\frac{1}{\mathrm{y}}} = 375\ \mathrm{y} $$

The value of the encoder can be taken from the current user documentation:

$$ MTTF_D(Encoder) = 421\ \mathrm{y} $$

$$ MTTF_{D,ges} = \frac{1}{\frac{1}{421\,\mathrm{y}} + \frac{1}{637\,\mathrm{y}} + \frac{1}{375\,\mathrm{y}}} = 151\ \mathrm{y} $$


$$ DC_{avg} = \frac{\frac{DC}{MTTF_D(Encoder)} + \frac{DC}{MTTF_D(EL6910)} + \frac{DC}{MTTF_D(AX8xxx\text{-}x1xx)}}{\frac{1}{MTTF_D(Encoder)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(AX8xxx\text{-}x1xx)}} $$

$$ DC_{avg} = \frac{\frac{95\%}{421} + \frac{99\%}{637} + \frac{99\%}{375}}{\frac{1}{421} + \frac{1}{637} + \frac{1}{375}} = 97.56\% $$


CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Area
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


9.2 Safe area monitoring with PROFIsafe laser scanner


(category 3, PL d)
The hazard area of a machine is to be monitored by means of a safety laser scanner. This hazard can be
switched off by two contactors. The contactors are connected to an output of an EL2904. A microScan3
safety laser scanner from SICK is used for safe area monitoring. It is certified for applications up to
Performance Level d. The relevant data are transmitted via the safety-relevant protocol PROFIsafe to the
EL6910 as the PROFIsafe master and monitored there with the help of the available pre-certified function
blocks.

If the two switch-off paths of the set monitoring case (two signals within the PROFIsafe protocol) signal logic
1, then the protective field is free and the two contactors are switched on. If the protective field is occupied,
the two switch-off paths signal logic 0 and the contactors are switched off. The entire evaluation is carried
out in the safety-related logic EL6910 at the safety level SIL3 / PL e.

Any necessary restart lock can be realized via the reset input of the fbMon. The feedback loop is read in via
a safe input. Testing is active for this input.

Structure

Structure diagram configuration


Logic

Correct configuration of the overall system

The following restrictions apply when transmitting PROFIsafe within EtherCAT.

PROFIsafe telegram only via E-bus and PROFINET/PROFIBUS


On account of the PROFIsafe policy, the use of PROFIsafe is permitted only via the PROFIBUS
and PROFINET fieldbuses or via a backplane bus, in this case for example the E-bus. The use of
PROFIsafe via other fieldbuses is impermissible for reasons connected with patent law. This must
be ensured through the use of the EL9930 segment end terminal.
The following Siemens AG patents are relevant according to the PROFIsafe profile:
- EP1267270-A2 Method for data transfer
- WO00/045562-A1 Method and device for determining the reliability of data carriers
- WO99/049373-A1 Shortened data message of an automation system
- EP1686732 Method and system for transmitting protocol data units
- EP1802019 Identification of errors in data transmission
- EP1921525-A1 Method for operation of a safety-related system
- EP13172092.2 Method and system for detection of errors

Depending on the architecture of the application, appropriate measures must therefore be taken. Details of
the correct configuration of the overall system with regard to PROFIsafe can be found in the documentation
for the EL6910 and EL9930.

Use of external safe sensors

Further requirements must be observed when using an external safe sensor.

CAUTION
Use of external safe sensors
When using an external safe sensor, the current version of the documentation must always be observed.
Here you will find all the requirements for assembly, operation and repair, which must be met so that the
sensor can be used correctly in a safety-relevant application.

9.2.1 Configuration in the engineering environment


In addition to the connection of TwinSAFE components, the additional connection of a safety laser scanner
via PROFIsafe/PROFInet is considered in the context of this application example. All necessary
configuration steps for the implementation are described in detail below.


An additional application is required to configure the safety laser scanner. This determines the range of
functions of the safety laser scanner, the communication settings in PROFInet/PROFIsafe and the CRC
checksum of the iParameters, which ultimately has to be additionally configured within TwinCAT.

9.2.1.1 Configuration of safety laser scanners


An additional application is required to configure the safety laser scanner. The current version can be
obtained from the manufacturer's website.

Here the necessary functions and parameters have to be configured according to the application, so that the
CRC checksum can be calculated correctly (F_iPar_CRC in the illustration).

9.2.1.2 Configuration of TwinCAT I/O


The current GSDML file of the safety laser scanner must be inserted into the Profinet device directory under
TwinCAT\3.1\Config\Io\Profinet prior to starting the TwinCAT configuration.

Subsequently, a new TwinCAT project is created and the EtherCAT segment is configured.


In addition, the configuration of the PROFInet segment is generated by adding a PROFInet I/O controller.

In the same way as the configuration of the EtherCAT segment, an automatic scan can also be initiated in
the case of the PROFInet controller or the configuration can be generated manually. In this way, the Sick
laser scanner can also be added manually.


The following information must be observed for the successful use of the Sick laser scanner via PROFIsafe.

CAUTION
Data type WORD!
An additional configuration may have to be done when using WORD data types within the process image.

If no EL9930 is used within the configuration to limit the PROFIsafe segment, the swapping of the high and
low byte portions must be configured as part of the I/O configuration of the PROFIsafe device for the
signals with WORD data type contained in the process image. This is done by checking the Swap LOBYTE
and HIBYTE checkbox directly on the data values (on the Flags tab).

CAUTION
iParameter
The identical iParameters as on the Alias Device must be configured on the PROFIsafe I/O device so that
communication can start correctly.

You can then continue with the configuration of the safety project. At this point, the following initial situation is
assumed.


9.2.1.3 Configuration of TwinCAT safety project connections


Before configuring the PROFIsafe connection, a safety project is created first and the required alias devices
for the available EtherCAT components are imported. In addition, the target system is mapped to the EL6910
of the EtherCAT segment (via the Target System node).

You can then continue with the configuration of the PROFIsafe connection to the safety laser scanner. This
connection is implemented as usual via an Alias Device. A Custom PROFIsafe Connection can be created
via the context menu of the node Alias Devices selecting Add and New item….


After opening the Alias Device, PROFIsafe Master must first be selected as the mode of the connection on
the Connection tab.

On the Linking tab, the Linking mode must be set to Automatic so that the Sick safety laser scanner
considered here can be selected via the Map to Physical Device button.


In addition to mapping to the physical device, the safe address of the safety laser scanner must also be
entered on the Linking tab (20 in this example).

If all settings have been made correctly, the safe process image of the safety laser scanner can be viewed
on the Process Image tab. The names can be adapted via the Edit button. The assignment of the interface
as well as the description of the individual signals must be taken from the manufacturer's latest
documentation.


The Safety Parameters tab provides the parameters for the PROFIsafe master connection.

All parameters for the PROFIsafe connection must be set correctly here. These include the two addresses
F_Source_Add (target system) and F_Dest_Add (safe address of the PROFIsafe device). In addition, the CRC
of the iParameters must be configured. This value is taken from the additional application for configuring the
safety laser scanner (see section Configuration of safety laser scanners).


In the case of a PROFIsafe device, the parameters must be set both within the Alias Device and directly for
the device in the I/O configuration. Reading the data from the I/O device and transferring it to the I/O
device can be initiated via the corresponding buttons on the Safety Parameters tab. Both sets of data must
match for a PROFIsafe connection to be established successfully.

Parameter Description
F_Check_Seq_Nr Setting (0/1) to indicate whether the sequence number of the connection should be checked.
F_Check_iPar Setting (0/1) to indicate whether the parameterization should take place via an iPar server.
F_SIL Selecting the required SIL level (SIL1, SIL2, SIL3, NoSIL)
F_CRC_Length Display of the CRC length
F_Block_ID always 0
F_Par_Version PROFIsafe version used (typically V2 mode)
F_Source_Add Setting the PROFIsafe source address
F_Dest_Add Setting the PROFIsafe destination address
F_WD_Time Setting the watchdog time
F_iPar_CRC i-parameter(s) for the PROFIsafe slave
F_Par_CRC Calculated CRC across all parameters

After completion of the configuration of the parameters, they must be transferred to the I/O configuration by
clicking the button Update IO TreeItem final.

After completion of the configuration of the connections, you can continue with the implementation of the
actual safety function.

9.2.1.4 Implementing a TwinCAT safety project


The safe process image received via PROFIsafe is used within the scope of the safety function for area
monitoring by means of a safety laser scanner considered in this example. Which inputs must be evaluated
and which outputs are to be switched on follows from the configuration of the safety laser scanner.


In this example, the monitoring case 1 is switched on without any further condition by means of the
safeDecoupler function block.

The safety laser scanner monitors the hazard area parameterized in the device and sends the result of the
monitoring in the signals switch-off paths 01 and 02. These two signals are evaluated by means of the
safeMon function block. The switch-off paths are logic 1 if the hazard area is free and monitored in a safety-
oriented manner.


As the illustration shows, with logic 1 at the inputs MonIn1 and MonIn2 and EDM1, the two contactors K1
and K2, which execute the safety function, are switched via the output MonOut of the function block
safeMon. The feedback from the contactors is used as the EDM1 input of the function block safeMon.

Any necessary restart lock can be realized via the reset input of the function block safeMon.

9.2.2 Parameters of the safe input and output terminal

EL2904

Parameter Value
Current measurement active Yes
Output test pulses active Yes

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


9.2.3 Block formation and safety loops

9.2.3.1 Safety function 1


Safety function 1 considers the safety loop from the safety laser scanner to the contactors K1/K2 for the
application example described so far.

9.2.4 Calculation of safety function 1

9.2.4.1 PFHD / MTTFD / B10D – values


Component Value
Laser scanner1) – PFHD, SIL, Cat, PL 8E-08, SIL 2, Cat. 3, PL d
EL2904 – PFHD 1.25E-09
EL6910 – PFHD 1.79E-09
K1 – B10D 1,300,000
K2 – B10D 1,300,000
Days of operation (dop) 230
Hours of operation / day (hop) 16
Cycle time (minutes) (Tcycle) 10 (6x per hour)
Lifetime (T1) 20 years = 175200 hours
1) Please note the information provided in the current user documentation

9.2.4.2 Diagnostic Coverage DC


Component Value
Laser scanner with testing (by scanner)1) DCavg=90%
K1/K2 with EDM monitoring with testing of the individual channels DCavg=99%

1) Please note the information provided in the current user documentation

9.2.4.3 Calculation of safety function 1


For clarity, the safety factor is calculated according to EN 62061 as well as EN ISO 13849-1. Calculation
according to one standard is sufficient in practice.

Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$ n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}} $$

and:

$$ MTTF_D = \frac{B_{10D}}{0.1 \cdot n_{op}} $$

produces for PFH:

$$ PFH = \frac{0.1 \cdot n_{op} \cdot (1 - DC)}{B_{10D}} = \frac{1 - DC}{MTTF_D} $$

Inserting the values, this produces:

K1/K2:

$$ n_{op} = \frac{230 \cdot 16 \cdot 60}{10} = 22080 $$

$$ MTTF_D = \frac{1{,}300{,}000}{0.1 \cdot 22080} = 588.7\ \mathrm{y} = 5{,}157{,}012\ \mathrm{h} $$

and the assumption that K1 and K2 are each single-channel:

K1/K2: Actuation 10/hour and direct read back

$$ PFH = \frac{1 - 0.99}{588.7\,\mathrm{y} \cdot 8760} = 1.94 \times 10^{-9} $$

The following assumptions must now be made:

Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead to
a dangerous situation, but it is discovered by the feedback. Furthermore, the B10D values for K1 and K2 are
identical.

There is a coupling coefficient between the components that are connected via two channels. Examples are
temperature, EMC, voltage peaks or signals between these components. This is assumed to be the
worst-case estimation, where β = 10%. EN 62061 contains tables (Table F.1: Criteria for determining the CCF,
and Table F.2: Estimation of the CCF factor (β)), which can be used to determine the β factor precisely. For
the output subsystem, an estimated value of 2% can be achieved if the table for calculating the β factor is
modified accordingly. In the following calculation, the worst case is assumed with 10%.

Further, it is assumed that all usual measures have been taken to prevent both channels failing unsafely at
the same time due to an error (e.g. overcurrent through relay contacts, overtemperature in the control
cabinet).

It follows for the calculation of the PFHD value for safety function 1:

$$ PFH_{ges} = PFH(Scanner) + PFH(EL6910) + PFH(EL2904) + \beta \cdot \frac{PFH(K1) + PFH(K2)}{2} + (1 - \beta)^2 \cdot \big(PFH(K1) \cdot PFH(K2)\big) \cdot T_1 $$

Since the portions $(1 - \beta)^2 \cdot (PFH(K1) \cdot PFH(K2)) \cdot T_1$ are smaller than the rest by powers of ten, they are
neglected in this and all further calculations for the purpose of simplification.

$$ PFH_{ges} = 8 \times 10^{-8} + 1.79 \times 10^{-9} + 1.25 \times 10^{-9} + 10\% \cdot \frac{1.94 \times 10^{-9} + 1.94 \times 10^{-9}}{2} = 8.32 \times 10^{-8} $$

The MTTFD value according to EN 13849 for safety function 1 is calculated with:

$$ \frac{1}{MTTF_{D,ges}} = \sum_{i=1}^{n} \frac{1}{MTTF_{D,i}} $$

to:

$$ \frac{1}{MTTF_{D,ges}} = \frac{1}{MTTF_D(Scanner)} + \frac{1}{MTTF_D(EL6910)} + \frac{1}{MTTF_D(EL2904)} + \frac{1}{MTTF_D(K1)} $$

with:

324 Version: 3.2.0 Application Guide TwinSAFE


Connection of PROFIsafe

If only PFHD values exist for the scanner, EL2904 and EL6910, the following estimation applies:

$$\mathrm{MTTF}_D(x) = \frac{1 - \mathrm{DC}(x)}{\mathrm{PFH}(x)}$$

Hence:

$$\mathrm{MTTF}_D(\mathrm{EL6910}) = \frac{1 - \mathrm{DC}(\mathrm{EL6910})}{\mathrm{PFH}(\mathrm{EL6910})} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{15.68 \times 10^{-6}\,\frac{1}{y}} = 637\,y$$

$$\mathrm{MTTF}_D(\mathrm{EL2904}) = \frac{1 - \mathrm{DC}(\mathrm{EL2904})}{\mathrm{PFH}(\mathrm{EL2904})} = \frac{1 - 0.99}{1.25 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{1.1 \times 10^{-5}\,\frac{1}{y}} = 913.2\,y$$

$$\mathrm{MTTF}_D(\mathrm{Scanner}) = \frac{1 - \mathrm{DC}(\mathrm{Scanner})}{\mathrm{PFH}(\mathrm{Scanner})} = \frac{1 - 0.90}{8 \times 10^{-8}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = 142\,y$$

In accordance with the limitation of the MTTFD to 100 years for components with a category 3 structure (for
category 4 the limit is 2500 years) introduced in EN ISO 13849-1, the value is limited to 100 years for the
further processing of the MTTFD of the scanner.

$$\mathrm{MTTF}_D(\mathrm{Scanner}) = 100\,y$$

$$\mathrm{MTTF}_{D,ges} = \frac{1}{\frac{1}{100\,y} + \frac{1}{637\,y} + \frac{1}{913\,y} + \frac{1}{588\,y}} = 69.6\,y$$

$$\mathrm{DC}_{avg} = \frac{\frac{\mathrm{DC}}{\mathrm{MTTF}_D(\mathrm{Scanner})} + \frac{\mathrm{DC}}{\mathrm{MTTF}_D(\mathrm{EL6910})} + \frac{\mathrm{DC}}{\mathrm{MTTF}_D(\mathrm{EL2904})} + \frac{\mathrm{DC}}{\mathrm{MTTF}_D(K1)} + \frac{\mathrm{DC}}{\mathrm{MTTF}_D(K2)}}{\frac{1}{\mathrm{MTTF}_D(\mathrm{Scanner})} + \frac{1}{\mathrm{MTTF}_D(\mathrm{EL6910})} + \frac{1}{\mathrm{MTTF}_D(\mathrm{EL2904})} + \frac{1}{\mathrm{MTTF}_D(K1)} + \frac{1}{\mathrm{MTTF}_D(K2)}}$$

$$\mathrm{DC}_{avg} = \frac{\frac{90\,\%}{100} + \frac{99\,\%}{637} + \frac{99\,\%}{913} + \frac{99\,\%}{588} + \frac{99\,\%}{588}}{\frac{1}{100} + \frac{1}{637} + \frac{1}{913} + \frac{1}{588} + \frac{1}{588}} = 93.4\,\%$$


CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

NOTE
Category
This structure is possible up to category 3 at the most through the use of the type 3 (category 3) laser scanner.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Area
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


9.3 Safe control of an ABB robot via PROFIsafe (category 3, PL d)
An ABB robot is connected to a TwinSAFE controller as a PROFIsafe device. The ABB robot with the
SafeMove functionality is certified for applications up to Performance Level d. The safety-relevant data are
transmitted via PROFInet with the help of PROFIsafe. The emergency stop is transmitted to the robot from
the EL6910 as PROFIsafe master via the safety-relevant protocol PROFIsafe. The robot is configured to
perform a category-0 stop. The safe state is signaled back to the EL6910 via the PROFIsafe connection,
where it is further processed with the available pre-certified function blocks.

The example considers the emergency stop safety function. The emergency stop switch is wired to an
EL1904 in a two-channel configuration with two normally closed contacts. The testing of the signals is
activated. The input signals are monitored for discrepancy. The entire evaluation is carried out in the safety-
related logic EL6910 at the safety level SIL 3 / PL e.

Structure


Structure diagram configuration

Logic

Correct configuration of the overall system

The following restrictions apply when transmitting PROFIsafe within EtherCAT.

PROFIsafe telegram only via E-bus and PROFINET/PROFIBUS


On account of the PROFIsafe policy, the use of PROFIsafe is permitted only via the PROFIBUS
and PROFINET fieldbuses or via a backplane bus, in this case for example the E-bus. The use of
PROFIsafe via other fieldbuses is impermissible for reasons connected with patent law. This must
be ensured through the use of the EL9930 segment end terminal.
The following Siemens AG patents are relevant according to the PROFIsafe profile:
- EP1267270-A2 Method for data transfer
- WO00/045562-A1 Method and device for determining the reliability of data carriers
- WO99/049373-A1 Shortened data message of an automation system
- EP1686732 Method and system for transmitting protocol data units
- EP1802019 Identification of errors in data transmission
- EP1921525-A1 Method for operation of a safety-related system
- EP13172092.2 Method and system for detection of errors


Depending on the architecture of the application, appropriate measures must therefore be taken. Details of
the correct configuration of the overall system with regard to PROFIsafe can be found in the documentation
for the EL6910 and EL9930.

Use of external PROFIsafe robots

Further requirements must be observed when using an external PROFIsafe robot.

CAUTION
Use of external PROFIsafe robots
When using an external PROFIsafe robot, the current version of the documentation must always be observed.
Here you will find all the requirements for assembly, operation and repair, which must be met so that the
robot can be used correctly in a safety-relevant application.

9.3.1 FMEA

Use of external PROFIsafe robots

Further requirements with regard to FMEA must also be observed when using an external PROFIsafe robot.

CAUTION
Use of external PROFIsafe robots
When using an external PROFIsafe robot, the current version of the documentation must always be observed.
Here you will find all the requirements for assembly, operation and repair, which must be met so that the
robot can be used correctly in a safety-relevant application.

9.3.2 Configuration in the engineering environment


In addition to the connection of TwinSAFE components, the additional connection of the ABB robot via
PROFIsafe/PROFINET is considered in the context of this application example. All necessary configuration
steps for the implementation are described in detail below.

For the configuration of the safety-relevant parameters of the robot, an additional application is required to
perform the parameterization of the device and to determine the CRC checksum of the iParameters, which
ultimately has to be additionally configured within TwinCAT.

9.3.2.1 Robot configuration


An additional application is required to configure the robot. The current version can be obtained from the
manufacturer's website.


Here the necessary functions and parameters have to be configured according to the application, so that, for
example, the CRC checksum can be calculated correctly. Safety-related communication is only possible if
the settings of the safe process images match on both sides.

9.3.2.2 Configuration of TwinCAT I/O


First, a new TwinCAT project is created and the EtherCAT segment is configured.

In addition, the configuration of the PROFInet segment is generated by adding a PROFInet I/O controller.


In the same way as the configuration of the EtherCAT segment, an automatic scan can also be initiated in
the case of the PROFInet controller or the configuration can be generated manually. In this way, the ABB
robot can also be added manually.

The device configuration must be extended by the PROFIsafe safety module.


The following information must be observed for the successful use of the ABB robot via PROFIsafe.

CAUTION
Data type WORD!
An additional configuration may have to be done when using WORD data types within the process image.

If no EL9930 is used within the configuration to limit the PROFIsafe segment, the swapping of the high and
low byte portions must be configured as part of the I/O configuration of the PROFIsafe device for the
signals with WORD data type contained in the process image. This is done by checking the Swap LOBYTE
and HIBYTE checkbox directly on the data values (on the Flags tab).

CAUTION
iParameters
The identical iParameters as on the Alias Device must be configured on the PROFIsafe I/O device so that
communication can start correctly.

You can then continue with the configuration of the safety project. At this point, the following initial situation is
assumed.


9.3.2.3 Configuration of TwinCAT safety project connections


Before configuring the PROFIsafe connection, a safety project is created first and the required alias devices
for the available EtherCAT components are imported. In addition, the target system is mapped to the EL6910
of the EtherCAT segment (via the Target System node).

You can then continue with the configuration of the PROFIsafe connection to the ABB robot. This connection
is implemented as usual via an Alias Device. A Custom PROFIsafe Connection can be created via the
context menu of the node Alias Devices selecting Add and New item….


After opening the Alias Device, PROFIsafe Master must first be selected as the mode of the connection and
the watchdog for the communication on the Connection tab.

On the Linking tab, the linking mode must be set to Automatic so that the ABB robot considered here can be
selected via the Map to Physical Device button.

In addition to mapping to the physical device, the safe address of the ABB robot (the PROFIsafe device) must
also be entered on the Linking tab (21 in this example).


If all settings have been made correctly, the safe process image of the ABB robot can be set on the Process
Image tab and edited according to the setting from the robot's application tool.

The Safety Parameters tab provides the parameters for the PROFIsafe master connection. If necessary, the
values must be adapted to the application with the help of the Edit button.


All parameters for the PROFIsafe connection must be set correctly here. These include the two addresses
F_Source_Add (target system) and F_Dest_Add (safe address of PROFIsafe device). In addition, the CRC
of the iParameters must be configured. This can be taken from the additional application for configuring the
robot (see section Robot Configuration)

In the case of a PROFIsafe device, the parameters must be set both within the Alias Device and directly for
the device in the I/O configuration. The reading of the data from the I/O device and the transfer to the I/O
device can be initiated via the corresponding buttons on the Safety Parameters tab. Both data must match
for a PROFIsafe connection to be successfully established.

Parameter        Description
F_Check_Seq_Nr   Setting (0/1) to indicate whether the sequence number of the connection should be checked.
F_Check_iPar     Setting (0/1) to indicate whether the parameterization should take place via an iPar server.
F_SIL            Selecting the required SIL level (SIL1, SIL2, SIL3, NoSIL)
F_CRC_Length     Display of the CRC length
F_Block_ID       always 0
F_Par_Version    PROFIsafe version used (typically V2 mode)
F_Source_Add     Setting the PROFIsafe source address
F_Dest_Add       Setting the PROFIsafe destination address
F_WD_Time        Setting the watchdog time
F_iPar_CRC       i-parameter(s) for the PROFIsafe slave
F_Par_CRC        Calculated CRC across all parameters

After completion of the configuration of the parameters, they must be transferred to the I/O configuration by
clicking the button Update IO TreeItem final.

After completion of the configuration of the connections, you can continue with the implementation of the
actual safety function.


9.3.2.4 Implementing a TwinCAT safety project


Within the context of the safety function considered in this example, an emergency stop switch with 2
normally closed contacts is read in safely via an EL1904 in a 2-channel configuration. Testing of the inputs is
activated. The inputs are evaluated via the safeEstop function block with discrepancy monitoring activated.

As the illustration shows, the signal for controlling the ABB robot via PROFIsafe is switched via the EStopOut
output of the safeEstop function block. The feedback from the ABB robot is used as an EDM input of the
safeEstop function block.

9.3.3 Parameters of the safe input terminal

EL1904

Parameter Value
Sensor test channel 1 active Yes
Sensor test channel 2 active Yes
Sensor test channel 3 active Yes
Sensor test channel 4 active Yes
Logic channel 1 and 2 Single Logic
Logic channel 3 and 4 Single Logic


9.3.4 Block formation and safety loops

9.3.4.1 Safety function 1


Safety function 1 considers the safety loop from the emergency stop switch S1 to the ABB robot for the
application example described so far.

9.3.5 Calculation of safety function 1

9.3.5.1 PFHD / MTTFD / B10D – values


Component                                     Value
ABB robot, SafeMove function 1)               PFHD 1.19E-07, PL d, MTTFD 52 y, DCavg medium
EL1904 – PFHD                                 1.11E-09
EL6910 – PFHD                                 1.79E-09
S1 – B10D                                     100,000
Days of operation (dop)                       230
Hours of operation / day (hop)                16
Cycle time (minutes) (Tcycle)                 10080 (1x per week)
Lifetime (T1)                                 20 years = 175200 hours

1) Please note the information provided in the current user documentation

9.3.5.2 Diagnostic Coverage DC


Component                                     Value
ABB robot, SafeMove function 1)               DCavg = 90 %
S1 with testing/plausibility                  DCavg = 99 %

1) Please note the information provided in the current user documentation

9.3.5.3 Calculation of safety function 1


For clarity, the safety parameters are calculated according to EN 62061 as well as EN ISO 13849-1.
Calculation according to one standard is sufficient in practice.

Calculation of the PFHD and MTTFD values from the B10D values:

From:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 60}{T_{cycle}}$$

and:

$$\mathrm{MTTF}_D = \frac{B_{10D}}{0.1 \cdot n_{op}}$$

produces for PFH:

$$\mathrm{PFH} = \frac{0.1 \cdot n_{op} \cdot (1 - \mathrm{DC})}{B_{10D}} = \frac{1 - \mathrm{DC}}{\mathrm{MTTF}_D}$$

Inserting the values, this produces:

S1:

$$n_{op} = \frac{230 \cdot 16 \cdot 60}{10080} = 21.90$$

$$\mathrm{MTTF}_D = \frac{100\,000}{0.1 \cdot 21.90} = 45662.1\,y = 399999120\,h$$

and, with the assumption that S1 is single-channel, actuated once per week and read back directly:

$$\mathrm{PFH}(S1) = \frac{1 - 0.99}{45662.1 \cdot 8760} = 2.50 \times 10^{-11}$$

It follows for the calculation of the PFHD value for safety function 1:

$$\mathrm{PFH}_{ges} = \mathrm{PFH}(S1) + \mathrm{PFH}(\mathrm{EL1904}) + \mathrm{PFH}(\mathrm{EL6910}) + \mathrm{PFH}(\mathrm{Robot})$$

$$\mathrm{PFH}_{ges} = 2.5 \times 10^{-11} + 1.11 \times 10^{-9} + 1.79 \times 10^{-9} + 1.19 \times 10^{-7} = 1.22 \times 10^{-7}$$

The MTTFD value according to EN ISO 13849-1 for safety function 1 is calculated with:

$$\frac{1}{\mathrm{MTTF}_{D,ges}} = \sum_{i=1}^{n} \frac{1}{\mathrm{MTTF}_{D,i}}$$

to:

$$\frac{1}{\mathrm{MTTF}_{D,ges}} = \frac{1}{\mathrm{MTTF}_D(S1)} + \frac{1}{\mathrm{MTTF}_D(\mathrm{EL1904})} + \frac{1}{\mathrm{MTTF}_D(\mathrm{EL6910})} + \frac{1}{\mathrm{MTTF}_D(\mathrm{Robot})}$$

with:

If only PFHD values are available for EL1904 and EL6910, the following estimation applies:

$$\mathrm{MTTF}_D(x) = \frac{1 - \mathrm{DC}(x)}{\mathrm{PFH}(x)}$$

Hence:

$$\mathrm{MTTF}_D(\mathrm{EL1904}) = \frac{1 - \mathrm{DC}(\mathrm{EL1904})}{\mathrm{PFH}(\mathrm{EL1904})} = \frac{1 - 0.99}{1.11 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{9.72 \times 10^{-6}\,\frac{1}{y}} = 1028.8\,y$$

$$\mathrm{MTTF}_D(\mathrm{EL6910}) = \frac{1 - \mathrm{DC}(\mathrm{EL6910})}{\mathrm{PFH}(\mathrm{EL6910})} = \frac{1 - 0.99}{1.79 \times 10^{-9}\,\frac{1}{h} \cdot 8760\,\frac{h}{y}} = \frac{0.01}{15.68 \times 10^{-6}\,\frac{1}{y}} = 637\,y$$

The value of the robot can be taken from the current user documentation:

$$\mathrm{MTTF}_D(\mathrm{Robot}) = 52\,y$$

$$\mathrm{MTTF}_{D,ges} = \frac{1}{\frac{1}{45662.1\,y} + \frac{1}{1028.8\,y} + \frac{1}{637\,y} + \frac{1}{52\,y}} = 45.88\,y$$

$$\mathrm{DC}_{avg} = \frac{\frac{\mathrm{DC}}{\mathrm{MTTF}_D(S1)} + \frac{\mathrm{DC}}{\mathrm{MTTF}_D(\mathrm{EL1904})} + \frac{\mathrm{DC}}{\mathrm{MTTF}_D(\mathrm{EL6910})} + \frac{\mathrm{DC}}{\mathrm{MTTF}_D(\mathrm{Robot})}}{\frac{1}{\mathrm{MTTF}_D(S1)} + \frac{1}{\mathrm{MTTF}_D(\mathrm{EL1904})} + \frac{1}{\mathrm{MTTF}_D(\mathrm{EL6910})} + \frac{1}{\mathrm{MTTF}_D(\mathrm{Robot})}}$$

$$\mathrm{DC}_{avg} = \frac{\frac{99\,\%}{45662.1\,y} + \frac{99\,\%}{1028.8\,y} + \frac{99\,\%}{637\,y} + \frac{90\,\%}{52\,y}}{\frac{1}{45662.1\,y} + \frac{1}{1028.8\,y} + \frac{1}{637\,y} + \frac{1}{52\,y}} = 91\,\%$$


CAUTION
Implement a restart lock in the machine!
The restart lock is NOT part of the safety chain and must be implemented in the machine!

NOTE
Category
Due to the safety data of the robot used, this structure is possible up to Category 3 at the most.

MTTFD
Designation for each channel Range for each channel
low 3 years ≤ MTTFD < 10 years
medium 10 years ≤ MTTFD < 30 years
high 30 years ≤ MTTFD ≤ 100 years

DC
Name Area
none DC < 60 %
low 60 % ≤ DC < 90 %
medium 90 % ≤ DC < 99 %
high 99 % ≤ DC

NOTE
Diagnostic coverage
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the
limit values shown in this table.


10 Planning a safety project with TwinSAFE components

This chapter provides an overview of the general planning process for a safety project using TwinSAFE
components.

CAUTION
Machinery Directive
This description applies only to machines as defined by the Machinery Directive.

CAUTION
Standards
The relevant standards must be available to the user. The following description cannot replace the stan-
dard. Typically, the current version of EN ISO 13849-1 and EN ISO 13849-2 or EN 62061 should be avail-
able as a minimum. Further useful information can be found in IFA report 2/2017.

NOTE
Type C standard
Before you start the following process, you should check whether a type C standard is available for your
machine. If this is the case, please follow the steps and instructions given there. If no type C standard is
available, you can use the process described below as a guide for the steps to be performed.

10.1 Identifying the risks and hazards


DIN EN ISO 12100 defines an iterative process for risk minimization, for eliminating hazards or for reducing
the risk at machines. It describes the process of risk minimization in a three-step method. In the first step, the
machine should be designed to be inherently safe. If this is not possible, technical protective measures can
be taken to minimize the risk. In the last step, user information about the residual risk can be provided.

In the first step, the risks and hazards and thus the safety functions must be identified. Machine
manufacturers require precise knowledge of the operation of their machine in order to identify risks and
hazards. Referring to Annex B of EN ISO 12100:2010 is helpful for this purpose.

This risk and hazard analysis should be carried out by persons with knowledge in different areas
(mechanics, electrics, hydraulics, software, maintenance, ...). All operating modes and conditions must be
taken into account, including commissioning, maintenance/servicing, normal operation and
decommissioning. The reasons for or against a particular decision should also be documented. Make sure
that your arguments and justifications are understandable and conclusive.

In this context, it is particularly important to note that safety measures must not yet be taken into account
when assessing the risk.

When all persons involved in the process agree with the result of the analysis, it should be signed by all
involved.


10.2 Determining the PLr / SIL


For each safety function (SF) of the machine identified in the risk and hazard analysis, the machine
manufacturer or user must determine the required Performance Level (PLr) or SIL.
The SIL is determined based on the description in Annex A of EN 62061.
The Performance Level is determined based on the risk graph for determining the PLr according to
EN ISO 13849-1. Information on the risk graph can be found in Annex A of EN ISO 13849-1:2015.

10.3 Specification of the safety functions


For each safety function identified, it is necessary to specify how the risk should be reduced in accordance
with the EN ISO 12100 strategy for risk reduction.

Risks and hazards whose residual risk is to be reduced by inherently safe design or user information must
be specified, but are not part of this description.
The following explanations refer only to safety functions, the residual risk of which is to be reduced by
technical protective measures.

For these safety functions, the iterative design process for safety-related parts of the control system (SRP/
CS) is carried out in accordance with EN ISO 13849-1:2015.

10.4 Specification of the measures


The machine manufacturer should compile a detailed description of each identified safety function (SF)
whose residual risk is to be reduced by means of technical protection measures. This description contains
information about the hazard, the type of measures taken to reduce the hazard and the required
Performance Level or SIL Level for this safety function.

For each SF, the description of the measures must include the category according to EN ISO 13849-1 and
the components to be used, together with their safety parameters (MTTFD, DC, CCF, SFF).

Information on operating states and characteristics is required. These include the operating modes, the cycle
time, the response times or process safety time, the ambient conditions, the frequency of execution, the
operating times, the behavior of the machine in the event of energy loss and more. More detailed information
on this can be found in chapter 5.2 of EN 62061 and chapter 5 of EN ISO 13849-1:2015.

The machine manufacturer must specify and document the description of the safety-related program for the
TwinSAFE Logic, since it forms the basis for the implementation. In addition to selecting the TwinSAFE
components, the function blocks to be used and the sensors and actuators, the parameterization of the
components must also be specified, since this can influence the maximum achievable Performance Level.

Examples for the implementation of safety functions and the parameterization of the TwinSAFE components
can be found in this manual.

10.5 Implementation of the safety functions


The function blocks are configured in TwinCAT according to the specified safety functions. Predefined
function blocks are available for the typical safety functions, which can be interconnected in a graphical
editor. Safe input and output components provide the interface to sensors and actuators.

Once the entire safety logic and the parameterization of the safe inputs and outputs have been implemented,
a download to the TwinSAFE logic can take place.

A valid user name and password must be provided for the download, together with the serial number of the
device.


The download of the safety program is verified by comparing the CRC of the loaded project (online CRC)
and the calculated CRC from the Safety Editor (offline CRC). The comparison is carried out by TwinCAT on
the one hand and by the user on the other. The user confirms the comparison by ticking the checkbox and
re-entering the password.

The Safety CRC toolbar in TwinCAT can be used at any time to check whether the online CRC matches the
offline CRC, i.e. whether data has been changed in the editor or on the TwinSAFE logic. The following table
is taken from the EL6910 documentation.


CAUTION
Checking the checksums
The user must verify that the online CRC and the offline CRC match. This is the only way to ensure that a
download was carried out after the project was created or modified.

Once all specified safety functions have been implemented in the TwinSAFE logic, the implemented logic is
printed.

In addition to the entire logic, the parameters and the safety addresses of all safety components used, the
printout also contains the calculated project checksum, which is shown on the cover sheet. The programmer
and the customer can document the acceptance of the safety functions with date and signature on the cover
sheet.


10.6 Proof of achievement of the Performance Level


Once the safety project for the identified safety functions (SF) has been realized, the Performance Level
achieved for these SFs is calculated and verified. Examples for such calculations and verifications can be
found in this manual in chapter 2.

10.7 Validation of the safety functions


Extract from EN ISO 13849-2:2013, Chapter 4.1: validation guidelines.

The referenced chapters have already been changed over to the chapter numbers of EN ISO 13849-1:2015,
although EN ISO 13849-1:2006 is still referenced in EN ISO 13849-2:2013.

The purpose of the validation procedure is to confirm that the design of the safety-related parts of the control
system (SRP/CS) supports the specification of the safety requirements of the machines.

The validation must show that each SRP/CS meets the requirements of EN ISO 13849-1:2015, particularly
with regard to:
a) the specified safety characteristics of the safety functions, as intended by the design;
b) the requirements for the specified Performance Level (see EN ISO 13849-1:2015, 4.5):
1. the requirements for the specified category (see EN ISO 13849-1:2015, 6.2),
2. the measures for controlling and avoiding systematic failures (see EN ISO 13849-1:2015,
Annex G),
3. the software requirements, if applicable (see EN ISO 13849-1:2015, 4.6), and
4. the ability to provide a safety function under the expected conditions;
c) the ergonomic design of the user interface, e.g. to discourage the user to act in a dangerous
manner by circumventing the SRP/CS (see EN ISO 13849-1:2015, 4.8).

The validation should be carried out by persons who are not involved in the SRP/CS design.
NOTE "Independent person" does not necessarily mean that a test by a third party is necessary.

Further information about the validation can be found in EN ISO 13849-2:2013, for example in Figure 1,
overview of the validation procedure, and in EN ISO 13849-1:2015.

10.8 Instructions for checking the SF


All implemented safety functions (SF) have to be checked for correctness. This includes both normal
operation and the function in the event of a fault. Some of the test cases can be read from the defined safety
function with its described measures for risk minimization. For each function, the possible fault scenarios
must be defined and checked accordingly. This information must be recorded in a test specification or
acceptance protocol.
The following list shows some fault scenarios to be considered:
◦ Discrepancy error of two safe inputs
◦ Line interruption of the fieldbus used
◦ Feedback (EDM) error of the actuators
◦ Failure of the power supply
◦ Cross-circuit / external feed / line interruption in the wiring
◦ Violation of a defined limit, e.g. speed limit for axis functions and checking of the defined error
behavior
◦ ...

The validation must also ensure that all hazards identified by the risk assessment are covered by appropriate
measures and that these measures have actually been implemented.


This applies especially to the life cycle phases of installation/assembly and maintenance. It must be ensured
that any necessary changes or extensions to the safety project are only made after the design engineer
(machine manufacturer) has been notified and the safety specification has been changed by the
manufacturer. A check to see whether an extension of the test specification is necessary must also be
carried out. This applies in particular to machines that are assembled and put into operation at the end
customer's premises.

The test must cover the following points as a minimum:


◦ I/O Check of the safe inputs and outputs
◦ Verification of the parameterization of all safety components (watchdog times, sensor tests, FSoE
address, etc.)
◦ Check of the safety functions during normal operation
◦ Check of the safety functions in the event of an error
◦ Check of the safe drive functions during normal operation
◦ Check of the safe drive functions outside the defined safety limits
◦ Check of the safe drive functions in the event of a power failure
◦ ...

10.9 Acceptance
The following list contains points which are required for the acceptance of the safety project. This list is not
exhaustive. These points must be checked after the initial start-up and after each software modification of
the TwinSAFE project.

◦ Implementation or changes only by qualified personnel


◦ Printout of the TwinSAFE project
◦ Checking of the entire safety project for correctness according to the previous chapter
◦ Comparison of the online CRC of the TwinSAFE project with the offline CRC to ensure that a
download took place after the changes to the safety project
◦ Implementation and printout of the acceptance protocol
◦ Signature by programmer and customer
◦ This information should be added to the machine documentation
◦ ...


11 Technical report – TÜV SÜD


12 Support and Service


Beckhoff and their partners around the world offer comprehensive support and service, making available fast
and competent assistance with all questions related to Beckhoff products and system solutions.

Beckhoff's branch offices and representatives

Please contact your Beckhoff branch office or representative for local support and service on Beckhoff
products!

The addresses of Beckhoff's branch offices and representatives around the world can be found on its internet
pages: https://www.beckhoff.com

You will also find further documentation for Beckhoff components there.

Beckhoff Support

Support offers you comprehensive technical assistance, helping you not only with the application of
individual Beckhoff products, but also with other, wide-ranging services:
• support
• design, programming and commissioning of complex automation systems
• an extensive training program for Beckhoff system components
Hotline: +49 5246 963 157
Fax: +49 5246 963 9157
e-mail: [email protected]

Beckhoff Service

The Beckhoff Service Center supports you in all matters of after-sales service:
• on-site service
• repair service
• spare parts service
• hotline service
Hotline: +49 5246 963 460
Fax: +49 5246 963 479
e-mail: [email protected]

Beckhoff Headquarters

Beckhoff Automation GmbH & Co. KG

Huelshorstweg 20
33415 Verl
Germany
Phone: +49 5246 963 0
Fax: +49 5246 963 198
e-mail: [email protected]
web: https://www.beckhoff.com



More Information:
www.beckhoff.com/TwinSAFE

Beckhoff Automation GmbH & Co. KG


Hülshorstweg 20
33415 Verl
Germany
Phone: +49 5246 9630
[email protected]
www.beckhoff.com
