PowerFlex 755/755T Integrated Safety Functions Option Module

The PowerFlex 755/755T Integrated Safety Functions Option Module User Manual provides essential information on the installation, configuration, and operation of the equipment. It emphasizes the importance of adhering to safety guidelines and using trained personnel for all activities related to the product. The manual includes detailed sections on safety functions, wiring, and operational considerations to ensure safe and effective use of the module.

PowerFlex 755/755T Integrated Safety Functions Option Module
Catalog Number 20-750-S4

User Manual
Original Instructions

Important User Information


Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential
Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory
requirements for safe work practices and for Personal Protective Equipment (PPE).

Rockwell Automation Publication 750-UM005C-EN-P - February 2021


Table of Contents

Preface
    Summary of Changes
    Conventions
    Terminology
    Product Firmware and Release Notes
    Additional Resources

Chapter 1 - About Safe Stop and Safe Monitor Functions
    What Is the Integrated Safety Functions Option Module?
    Compatible Drives
    Compatible Safety Controllers
    Safety Application Requirements
    Safety Certification
    Important Safety Considerations
    Stop Category Definitions
    Performance Level and Safety Integrity Level (SIL) CL3
    Proof Tests
    PFD and PFH Definitions
    PFD and PFH Data
    Safety Data for Safe Torque Off
    Safety Data for Safe Feedback
    Safety Data for Safety I/O
    Spurious Trip Rate
    Safety Reaction Time
    Considerations for Safety Ratings
    Encoder Considerations
    Supported Encoders
    Encoder Diagnostics
    General Encoder Diagnostics
    Digital AqB Diagnostics
    Sine/Cosine and Hiperface Diagnostics
    Contact Information If Safety Option Failure Occurs

Chapter 2 - Installation
    Remove Power to the System
    Access the Control Pod
    Set the SAFETY and Hardware ENABLE Jumpers
    Install the Safety Option Module
    Feedback Installation Guidelines
    I/O Wiring
    Cabling
    Power Supply Requirements

Chapter 3 - Safety I/O
    Safety Inputs
    Safety Input Operation
    Latch Input Error Operation in Single Channel Mode
    Single Channel Safety Input Status Data
    Dual-channel Safety Input Operation
    Equivalent Dual-channel Input Operation
    Complementary Dual-channel Input Operation
    Standard Input Operation
    Safety Input Safety Data
    Safety Input Alarms
    Determining Safety Input Alarm Type
    Safety Input Alarm Recovery
    Input Delays
    Use With PowerFlex 750-Series ATEX Option Module
    Safety Outputs
    Safety Output with Test Pulse
    Single-channel Mode
    Latch Output Error Operation in Single Channel Mode
    Dual-channel Mode
    Latch Output Error Operation in Dual Channel Mode
    Safety Output Safety Data
    Commanding Safety and Test Outputs
    Safety Output Alarms
    Determining Safety Output Alarm Type
    Safety Output Alarm Recovery
    Test Output
    Standard Output Mode
    Test Output Mode
    Power Supply Output
    Test Output Data
    Test Output Status
    Test Output Ready

Chapter 4 - Drive-based Safe Stop Functions
    Safety Output Assembly Safe Stop Function Tags
    Safety Input Assembly Safe Stop Function Tags
    Safety Function in Response to Connection Event
    Connection Loss Action
    Connection Idle Action
    Safe Torque Off Function
    Safe Torque Off Activation
    Safe Torque Off Reset
    Safe Torque Off Delay
    Safe Torque Off Operation
    Safe Torque Off Stopping Action and Source
    STO Safety Fault
    Safe Stop 1 Function
    Safe Stop 1 Activation
    Safe Stop 1 Reset
    Safe Stop 1 Stopping Action and Source
    Timed Safe Stop 1
    Monitored Safe Stop 1
    SS1 Safety Fault
    Safe Brake Control Function
    Safe Brake Control Activation
    Safe Brake Control Reset
    Safe Brake Control Modes
    Safe Brake Control Operation
    SBC Safety Fault
    Connecting a Safety Brake

Chapter 5 - Controller-based Safety Functions
    Drive Safety Instructions
    Before Adding the Safety Instructions
    Drive Safety Instruction Example
    Pass-through Data Using Standard I/O Mode
    Pass-through Data Using Integrated Motion
    SFX Instruction
    SFX Instruction Example

Chapter 6 - Standard I/O Mode – Configuration, Programming, and Operation
    Safety Assembly Tags
    Configure Safety in the Logix Designer Application
    Add a PowerFlex 755 Drive/755T Drive Product to the Safety Controller Project
    Add an Option Module to a PowerFlex 755 Drive
    Using a 20-750-ENETR Dual-port EtherNet/IP Option Module with a 20-750-S4 Option Module
    Safety Configuration Signature and Ownership
    Reset Ownership
    Programming
    Safety Tags in Standard Routines
    Standard Tags in Safety Routines (tag mapping)
    Standard and Safety Tasks
    Safety Function Operation
    Pass-through Data
    Falling Edge Reset
    Understand Integrated Safety Drive Replacement
    Replace an Integrated Safety Drive in a GuardLogix System
    PowerFlex 755 IO Mode Using SFX, SS1, and SLS Instructions
    Studio 5000 Logix Designer Application Configuration
    Programming Example

Chapter 7 - Integrated Motion – Configuration, Programming, and Operation
    Safety Assembly Tags
    Configure the Integrated Safety Function Option Module in the Logix Designer Application
    Add a PowerFlex 755 Drive to the Controller Project
    Understand Module Properties Categories
    Module Properties > General Category
    Module Properties > Connection and Safety Categories
    Motion Safety > Actions Category
    Motion Safety > Primary Feedback Category
    Motion Safety > Secondary Feedback Category
    Motion Safety > Scaling Category
    Motion Safety > Discrepancy Checking Category
    Motion Safety > STO Category
    Motion Safety > SS1 Category
    Motion Safety > SBC Category
    Motion Safety > Input Configuration Category
    Motion Safety > Test Output Category
    Motion Safety > Output Configuration Category
    Axis Properties > Actions > Safety Actions
    Module Properties > Associated Axes Motor and Load Feedback Device
    Generate the Safety Network Number (SNN)
    Safety Configuration Signature and Ownership
    Reset Ownership
    Replace an Integrated Safety Drive in a GuardLogix System
    Motion Direct Commands in Motion Control Systems
    Programming
    Motion and Safety Tasks
    Motion Safety Instances
    Safety Function Operation
    Safe Monitor Network Communication
    Explicit Messages
    Application Example - Using SFX, SS1, and SLS Instructions with Integrated Motion
    Studio 5000 Logix Designer Application Configuration
    Programming Example

Chapter 8 - Monitoring and Troubleshooting
    Monitor Status Using Status Indicators
    Module Status Indicator (DS1)
    Network Status Indicator (DS2)
    Motion Output Status Indicator (DS3)
    Safety Fault Indicator (DS4)
    Safety Fault Names
    Understand Safety Faults
    Safety Supervisor State
    Safety Core Fault
    Safe Torque Off Fault
    Safe Stop 1 Fault
    Safe Brake Control Fault
    SS2, SOS, SLS, SLP, and SDI Faults
    Safety Feedback Faults
    Safety Fault Reset
    Monitor Status with a HIM or Software
    Fault Messages on HIM, Drive Module, and Connected Components Workbench Software
    Monitor Status Using Integrated Motion
    Out-of-Box State
    Recognize Out-of-Box State
    Restore the Drive to Out-of-Box State

Appendix A - Safety Function Validation Checklist
    Safe Stop 1 (SS1)
    Safe Stop 2 (SS2)
    Safe Operating Speed (SOS)
    Safely-limited Speed (SLS)
    Safely-limited Position (SLP)
    Safe Direction (SDI)
    Safe Feedback Interface (SFX)
    Safe Brake Control (SBC)

Appendix B - Specifications, Certifications, and CE Conformity
    Integrated Safety Functions Option Module Specifications
    Electrical Requirements
    Environmental Specifications
    Certifications
    CE Conformity
    Machinery Directive (2006/42/EC)
    EMC Directive (2014/30/EU)
    Waste Electrical and Electronic Equipment (WEEE)

Appendix C - Safety I/O Assemblies and Safety Attributes
    Safety Assembly Tags
    Safety Feedback Attributes
    Safe Stop Function Attributes
    Explicit Messages
    Example: Read SS1 Fault Type

Appendix D - Parameter Data
    Parameters and Settings in a Linear List
    Device Parameters
    Host Config Parameters

Index


Preface

This user manual explains how to use PowerFlex® 755 drives and PowerFlex
755T drive products in safety applications up to safety integrity level 3 (SIL 3),
performance level e (PLe), category 4.

This user manual is intended for people that design, install, configure, or
troubleshoot safety applications that use the Integrated Safety Functions
option module (catalog number 20-750-S4).

This user manual covers using network safety with drives in Standard I/O
mode and Integrated Motion mode. All chapters apply to both modes with the
following exceptions:
• Chapter 6 is specific to Standard I/O mode and can be skipped if you are
using Integrated Motion mode.
• Chapter 7 is specific to Integrated Motion mode and can be skipped if
you are using Standard I/O mode.

IMPORTANT You must have a basic understanding of electrical circuitry and familiarity
with PowerFlex 755 drives and PowerFlex 755T drive products. You must also
be trained and experienced in the creation, operation, and maintenance of
safety systems.

This user manual describes the safety requirements, including probability of
dangerous failure on demand (PFD) and average frequency of a dangerous
failure (PFH) per hour values and application verification information (see
PFD and PFH Data on page 21).

Summary of Changes

This publication contains new and updated information as indicated in the
following table.

Topic | Page
Added attention statement regarding ambient temperature to Environmental Specifications in Appendix B. | 235

Conventions

This manual identifies parameter names by listing the parameter number first,
followed by the name in brackets. For example, P7 [STO Fault Type].

Both the Host Config and Device Config parameters exist for this option
module and the parameter numbers overlap. For example, there is a P3 [Device
Config Identity State] and a P3 [Host Config Safety State]. Host Config
parameters reside on the Host (that is, the drive) side of the option module and
are specific to supporting the option module. Device Config parameters reside
on the option module itself.

Throughout this manual, the PowerFlex 755/755T Integrated Safety
Functions option module is also referred to as the Integrated Safety Functions
option module.

Throughout this manual, the PowerFlex 755TL low harmonic drives,
PowerFlex 755TR regenerative drives, and PowerFlex 755TM drive systems are
also referred to as PowerFlex 755T drive products.

The PowerFlex 755 drive is used for the examples in this manual.

Terminology Table 1 defines the abbreviations that are used in this manual.
Table 1 - Abbreviations and Definitions
Abbreviation Full Term Definition
Timed SS1 Timed Safe Stop 1 Timed SS1 and Safe Stop 1 time-controlled (SS1-t) are synonymous. Both mean a safe stop where the
motor speed is decelerated to zero and once the maximum stop-time elapses, torque is removed from
SS1-t Safe Stop 1 time-controlled the motor.
• Safe Stop 1 time-controlled (SS1-t) is according to EN/IEC 61800-5-2.
Monitored SS1 Monitored Safe Stop 1 Monitored SS1 and Safe Stop 1 ramp-monitored (SS1-r) are synonymous. Both mean a safe stop where
the motor speed is reduced to standstill within deceleration limits and once standstill speed is reached
SS1-r Safe Stop 1 ramp-monitored or the maximum stop-time elapses, torque is removed from the motor.
• Safe Stop 1 ramp-monitored (SS1-r) is according to EN/IEC 61800-5-2.
1oo2 One out of Two Refers to the behavioral design of a dual-channel safety system.
Classification of the safety-related parts of a control system in respect of their resistance to faults and
CAT Category their subsequent behavior in the fault condition, and which is achieved by the structural arrangement
of the parts, fault detection, and/or by their reliability (source ISO 13849-1).
The maximum SIL rating that can be claimed for a safety-related electrical control system subsystem in
CL Claim Limit relation to architectural constraints and systematic safety integrity (source IEC 62061).
CIP™ Common Industrial Protocol Protocol for industrial automation applications and trademarked by ODVA, Inc.
EN European Norm The official European Standard.
A system, usually independent of the main control system, which is designed to shut down an
ESD Emergency Shutdown Systems operating system safely.
An assembly of devices and/or components working together for protective tripping or presence-
sensing purposes and includes as a minimum:
ESPE Electro-sensitive Protective Equipment • A sensing device.
• Controlling/monitoring devices.
• Output signal-switching devices (OSSD).
The HFT equals n, where n+1 faults could cause the loss of the safety function. An HFT of one means
HFT Hardware Fault Tolerance that two faults are required before safety is lost.
HIM Human Interface Module A module that is used to configure a device.
The International Electrotechnical Commission (IEC) is the organization that prepares and publishes
IEC International Electrotechnical Commission international standards for all electrical, electronic, and related technologies.
IGBT Insulated Gate Bi-polar Transistors Typical power switch that is used to control main current.
The International Organization for Standardization is an international standard-setting body that is
ISO International Organization for Standardization composed of representatives from various national standards organizations.
A set of contacts on a relay or switch that are closed when the relay is de-energized or the switch is de-
NC Normally Closed activated.
A set of contacts on a relay or switch that are open when the relay is de-energized or the switch is de-
NO Normally Open activated.
The component of the electro-sensitive protective equipment (ESPE) connected to the control system
OSSD Output Signal Switching Device of a machine. When the sensing device is actuated during normal operation, the device responds by
going to the OFF-state.

10 Rockwell Automation Publication 750-UM005C-EN-P - February 2021


Preface

Table 1 - Abbreviations and Definitions (Continued)


Abbreviation Full Term Definition
PELV Protective Extra Low Voltage An electrical system where the voltage cannot exceed ELV under normal conditions, and under single-fault conditions, except earth faults in other circuits.
PES Programmable Electronic Systems System for control, protection, or monitoring based on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices.
PFD Probability of Dangerous Failure on Demand The average probability of a system to fail to perform its design function on demand.
PFH Average Frequency of a Dangerous Failure per hour The average frequency of a system to have a dangerous failure occur per hour.
PL Performance Level EN ISO 13849-1 safety rating
PM Permanent Magnet In permanent magnet (PM) motors, magnets mounted on or embedded in the rotor, couple with the current-induced internal magnetic fields of the motor generated by electrical input to the stator.
SBC Safe Brake Control Controls safety discrete outputs that actuate a brake. Sets timing between brake and Safe Torque Off.
SDI Safe Direction Monitors position of a motor to detect movement of more than a defined amount in the unintended direction.
SELV Safety Extra Low Voltage Circuit A secondary circuit that is designed and protected so that, under normal and single fault conditions, its voltages do not exceed a safe value.
SFX Safety Feedback Interface A GuardLogix® Drive Safety interface that scales feedback position into position units and feedback velocity into position units per time unit. Feedback Position and Velocity are read from a Safety Input assembly to an integrated Safe Speed drive.
SIL Safety Integrity Level A measure of a product's ability to lower the risk that a dangerous failure could occur.
SLP Safely-Limited Position Prevents the motor shaft from exceeding one or more specified position limits.
SLS Safely-Limited Speed Monitors the speed of a motor and sets the SLS Limit output if the speed exceeds the Active Limit input value.
SNN Safety Network Number Uniquely identifies a network across all networks in the safety system. You are responsible for assigning a unique number for each safety network or safety subnet within a system.
SOS Safe Operating Stop Prevents the motor from deviating more than a defined amount from the stopped position. The drive provides energy to the motor to enable it to resist external forces.
SS1-r Safe Stop 1 Ramp Monitored Safe stop where the motor speed is decelerated to zero and once the maximum stop-time elapses, torque is removed from the motor. Safe Stop 1 ramp-monitored (SS1-r) is according to EN/IEC 61800-5-2 and is Stop Category 1, as defined in IEC 60204.
SS1-t Safe Stop 1 Time Controlled Safe stop where the motor speed is reduced to standstill within deceleration limits and once standstill speed is reached or the maximum stop-time elapses, torque is removed from the motor. Safe Stop 1 time-controlled (SS1-t) is according to EN/IEC 61800-5-2 and is Stop Category 1, as defined in IEC 60204.
STO Safe Torque Off The Safe Torque Off (STO) function is used to help prevent unexpected motor rotation during an emergency while the drive remains connected to the power supply. When STO is activated, the torque power cannot reach the drive, which stops and prevents any motor shaft rotation. Safe Torque Off (STO) is according to EN/IEC 61800-5-2 and is Stop Category 0 as defined in IEC 60204.


Product Firmware and Release Notes

Product firmware and release notes are available online within the Product Compatibility and Download Center.

1. From the Search bar on http://www.ab.com, choose Compatibility and Downloads.

2. Search for your product.

3. On the search results page, find the firmware and release notes for your
product. If no firmware/release notes are available, the module is still
shipping with its original firmware release.

IMPORTANT Both standard connections to the drive and safety connections to the card
must be closed to update the Integrated Safety Functions Module.

See the Product Compatibility and Download Center Quick Start Guide,
publication PCDC-QS001, for instructions on how to find and download
firmware and release notes.


Additional Resources

These documents contain additional information concerning related Rockwell Automation products.

Resource Description
PowerFlex 750-Series Products with TotalFORCE® Control Installation Instructions, publication 750-IN100 Provides the basic steps to install PowerFlex 755TL low harmonic drives, PowerFlex 755TR regenerative drives, and PowerFlex 755TM drive systems.
PowerFlex 755TM IP00 Open Type Kits Installation Instructions, publication 750-IN101 Provides instructions to install IP00 Open Type kits in user-supplied enclosures.
PowerFlex Drives with TotalFORCE Control Programming Manual, publication 750-PM100 Provides detailed information on: I/O, control, and feedback options; parameters and programming; faults, alarms, and troubleshooting.
PowerFlex 750-Series AC Drive Installation Instructions, publication 750-IN001 Provides information on how to install the Safe Torque Off option module in a PowerFlex 750-Series drive.
PowerFlex 750-Series AC Drives Programming Manual, publication 750-PM001 Provides information on how to mount, install, and configure PowerFlex 750-Series drives.
Enhanced PowerFlex 7-Class Human Interface Module (HIM) User Manual, publication 20HIM-UM001 Provides information for using the 20-HIM-A6 HIM module to configure PowerFlex 750-Series drives and the Safe Torque Off option module.
GuardLogix Safety Application Instruction Set Reference Manual, publication 1756-RM095 Provides information that describes the GuardLogix Safety Application Instruction set.
EtherNet/IP Network Devices User Manual, publication ENET-UM006 Describes how to configure and use EtherNet/IP devices to communicate on the EtherNet/IP network.
EtherNet/IP Device Level Ring Application Technique, publication ENET-AT007 Describes Device Level Ring (DLR) topologies, configuration considerations, and diagnostic methods.
System Design for Control of Electrical Noise Reference Manual, publication GMC-RM001 Information, examples, and techniques that are designed to minimize system failures caused by electrical noise.
Safety Guidelines for the Application, Installation, and Maintenance of Solid-State Control, publication SGI-1.1 Describes important differences between solid-state control and hardwired electromechanical devices.
GuardLogix 5580 and Compact GuardLogix 5380 Controller Systems Safety Reference, publication 1756-RM012 Provides information on safety application requirements for GuardLogix 5580 and Compact GuardLogix 5380 controllers in Studio 5000 Logix Designer® applications.
ControlLogix® 5580 Controllers User Manual, publication 1756-UM543 Provides information on how to use standard ControlLogix 5580 controllers.
CompactLogix™ 5380 Controllers User Manual, publication 5069-UM001 Provides information on how to use standard CompactLogix 5380 controllers.
Product Certifications website, rok.auto/certifications Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at rok.auto/literature.



Chapter 1

About Safe Stop and Safe Monitor Functions

This chapter provides information on safety considerations for the Integrated Safety Functions option module.

Topic
What Is the Integrated Safety Functions Option Module?
Compatible Drives
Compatible Safety Controllers
Safety Application Requirements
Safety Certification
Proof Tests
PFD and PFH Definitions
PFD and PFH Data
Safety Reaction Time
Contact Information If Safety Option Failure Occurs

What Is the Integrated Safety Functions Option Module?

The Integrated Safety Functions option module provides a networked STO (Safe Torque Off) function via an EtherNet/IP® network. It is also equipped for Integrated (drive-based) Timed SS1, Monitored SS1, and Safe Brake Control, which operate in the drive and are activated through the network safety connection.

The Integrated Safety Functions option module also supports select controller-based EN/IEC 61800-5-2 safety functions operating in GuardLogix® 5580 or Compact GuardLogix 5380 controllers that use the EtherNet/IP network to communicate with the safety I/O. This support includes the new safety function instructions that are provided on the Drive Safety tab in the Logix Designer application.

The Integrated Safety Functions option module includes these features:


• Is designed to remove power from the gate firing circuits of the drive
output power devices (IGBTs). With the power removed, the drive
output power devices cannot turn on to generate AC power to the
motor.
• Can be used in combination with other safety devices to satisfy the
requirements of IEC 61508, EN/IEC 61800-5-2 SIL 3, ISO 13849-1
PLe, and Category 4 for Safe Torque Off (STO).


When used for safe speed monitoring, the drive can be configured for single- or
dual-feedback to achieve the following safety ratings:
• Single-feedback configurations using safety encoders provide up to SIL
2 PLd capability.
• Dual-feedback configurations provide up to SIL 3 PLe capability when
discrepancy testing (either velocity, position, or both) is enabled. Safety
functions that use position check have up to SIL 2 PLd capability. In this
configuration, at least one encoder (the primary encoder) has to comply
with SIL 2, PL d. The second encoder can be a standard encoder.

IMPORTANT The Integrated Safety Functions option module is suitable for performing
mechanical work on the drive train or affected area of a machine only. It
does not provide electrical safety.

ATTENTION: The Integrated Safety Functions option module does not remove dangerous voltages at the drive output. Before performing any electrical work on the drive or motor, turn off the input power to the drive, and follow all safety procedures. See Remove Power to the System on page 30 for more information.

IMPORTANT Multiple safety option modules in a single drive are not allowed. Only one of
these safety option modules can be installed in the drive:
• PowerFlex® 750-Series Safe Torque Off option module
(catalog number 20-750-S)
• PowerFlex 750-Series Safe Speed Monitor option module
(catalog number 20-750-S1)
• PowerFlex 755/755T Integrated Safety - Safe Torque Off option module
(catalog number 20-750-S3)
• PowerFlex 755/755T Integrated Safety Functions option module (catalog
number 20-750-S4)

ATTENTION: If two output IGBTs fail in the drive, when the Integrated Safety
Functions option module has controlled the drive outputs to the Off state, the
drive can provide stored energy for up to 180° of rotation in a 2-pole motor
before torque production in the motor stops.

ATTENTION: The STO function only disables motor torque. A mechanical force on the motor shaft, such as a suspended load or back pressure in a pump or fan, can cause motor rotation.

IMPORTANT Do not use this option module as a control for starting or stopping the drive.


Compatible Drives

The Integrated Safety Functions option module is compatible with these PowerFlex 755 drives and PowerFlex 755T drive products:
• PowerFlex 755 drives (v14.xxx or later)
• PowerFlex 755TL low harmonic drives (v4.xxx or later)
• PowerFlex 755TR regenerative drives (v4.xxx or later)
• PowerFlex 755TM common bus inverters (v4.xxx or later)

IMPORTANT The Integrated Safety Functions option module is not compatible with
PowerFlex 753 drives.

Integrated safety functions are controlled via the embedded Ethernet port on the drive only. The 20-750-ENETR can still be used, but only in conjunction with the embedded Ethernet port by being in Tap mode (safety messages must go through the embedded Ethernet port on the drive).

The following Add-on Profiles (AOPs) are needed depending on the drive and
type of control used:

Product Standard Control Integrated Motion
755 v5.03 (or later) v19.00.00 (or later)
755T v5.04 (or later) Future

Compatible Safety Controllers

A GuardLogix safety controller is required for use of the Integrated Safety Functions option module that is used in Network mode control (‘Safety’, ‘Standard and Safety’, or ‘Motion and Safety’ used for Connection type). The following GuardLogix controllers can be used:

Controller Studio 5000 Logix Designer® Application Version / Controller Firmware
GuardLogix 5580 safety controller v31 (or later)
Compact GuardLogix 5380 safety controller v31 (or later)

IMPORTANT The Integrated Safety Functions option module is not supported by GuardLogix 5570 and GuardLogix 5370 (or earlier) safety controllers.


Safety Application Requirements

Create, record, and verify the safety signature as part of the required safety application development process. The safety controller creates the safety signature, which consists of an identification number, date, and time that uniquely identifies the safety portion of a project. This signature covers all safety logic, data, and safety I/O configuration.

If the Drive Safety Function Instructions are used in the safety application,
special consideration must be taken to verify the application. See Appendix A
for guidance on verifying the drive safety function instructions.

For safety system requirements, including information on the safety network number (SNN), verifying the safety signature, and functional verification tests, see the GuardLogix Controller Systems Safety Reference Manuals that are listed in the Additional Resources on page 13.

Safety Certification

The TÜV Rheinland group has approved the PowerFlex 755 Integrated Safety Functions option module (catalog number 20-750-S4) as suitable for use in integrated safety applications:
• Up to and including SIL 3 according to IEC 61508
• Up to and including SIL CL3 according to IEC 62061
• Up to and including PLe (Category 4) according to ISO 13849-1.

In these applications, the removal of motion-producing power is considered to be the safe state. All components in the system must be chosen and applied correctly to achieve the desired level of operator safeguarding.

Important Safety Considerations

You are responsible for these system safety considerations:


• Set-up, safety rating, and validation of any sensors or actuators
connected to the system.
• Complete a system-level risk assessment, and reassess the system anytime
a change is made.
• Certification of the system to the desired safety Performance Level/
Safety Integrity Level.
• Project management and proof testing.
• Programming the application software and the safety option module
configurations in accordance with the information in this manual.
• Access control to the system.
• Analyze all configuration settings and choose the proper setting to
achieve the required safety rating.
• Validation and documentation of all safety functions used.

IMPORTANT Only qualified, authorized personnel that are trained and experienced in
functional safety can plan, implement, and apply functional safety systems.


ATTENTION: When designing your system, consider how various personnel can interact with the machine. Additional safeguard devices can be required for your specific application.

ATTENTION: In circumstances where external influences (for example, suspended loads that can fall) are present, additional measures (for example, mechanical brakes) can be necessary to help prevent any hazard.

Stop Category Definitions

There are three stop categories:


• Stop Category 0 is achieved with immediate removal of power to the
machine actuators, which results in an uncontrolled coast-to-stop. An
STO accomplishes a Stop Category 0 stop.
• Stop Category 1 is achieved with a Ramp to Stop followed with
immediate removal of power to the machine actuators. This can be
achieved using SS1 with STO.
• Stop Category 2 is a controlled stop with power left available to the
machine actuators. This can be achieved using controller-based SS2 /
SOS with the PowerFlex 755T drive products.

IMPORTANT When designing the machine application, consider timing and distance for a
coast-to-stop (Stop Category 0 or Safe Torque Off). For more information on
stop categories and Safe Torque Off, see EN 60204-1 and EN/IEC 61800-5-2.

Performance Level and Safety Integrity Level (SIL) CL3

For safety-related control systems, Performance Level (PL), according to ISO 13849-1, and SIL levels, according to IEC 61508 and EN 62061, include a rating of the ability of the system to perform its safety functions. All safety-related components of the control system must be included in both a risk assessment and the determination of the achieved levels.

See the ISO 13849-1, IEC 61508, and EN 62061 standards for complete
information on requirements for PL and SIL determination.


Proof Tests

IEC 61508 requires you to perform various proof tests of the equipment that is used in the system. Proof tests are performed at user-defined times. For example, proof tests can be once a year, once every 15 years, or whatever time frame is appropriate.

The Integrated Safety Functions option module has a useful life of 20 years, no
proof test required. Other components of the system, such as safety I/O
devices, sensors, and actuators can have different useful life times.

IMPORTANT The time frame for the proof test interval depends on the specific
application.

PFD and PFH Definitions

Safety-related systems can be classified as operating in either a Low Demand mode, or in a High Demand/Continuous mode.
• Low Demand mode: where the frequency of demands for operation,
made on a safety-related system, is no greater than one per year, or no
greater than twice the proof-test frequency.
• High Demand/Continuous mode: where the frequency of demands for
operation, made on a safety-related system, is greater than once per year,
or greater than twice the proof test interval.

The SIL value for a low-demand safety-related system is directly related to order-of-magnitude ranges of its average probability of failure to perform its safety function on demand or, simply, average probability of dangerous failure on demand (PFDavg).

The SIL value for a High Demand/Continuous mode safety-related system is directly related to the average frequency of a dangerous failure (PFH) per hour.


PFD and PFH Data

These PFDavg and PFH calculations are based on the equations from Part 6 of EN 61508 and show worst-case values.

Safety Data for Safe Torque Off

Table 2 and Table 3 provide PFDavg and PFH values for the Safe Torque Off (STO) or Timed Safe Stop 1 functions. These values apply when Safety Instance is set to ‘Safe Stop Only – No Feedback’.

Table 2 - PFD and PFH for PowerFlex 755 Drives STO and Timed SS1

Attribute Frames 1…7 Frame 8 Frame 9 Frame 10
PFD(average) 4.08E-5 1.81E-4 2.73E-4 3.64E-4
PFH (1/hour) 4.77E-10 2.09E-9 3.14E-9 4.19E-9
SIL 3 3 3 3
PL e e e e
Category 4 4 4 4
MTTFD years 204.1 (high) 93.3 (high) 69.1 (high) 55.1 (high)
DCavg% 97.5% (medium) 97.4% (high) 97.5% (high) 97.5% (high)
HFT 1 (1oo2) 1 (1oo2) 1 (1oo2) 1 (1oo2)
Mission time 20 years 20 years 20 years 20 years

Table 3 - PFD and PFH for PowerFlex 755T Drive Products STO and Timed SS1

Attribute Frames 5 and 6 Frames 7 and 8 Frame 9 Frame 10 Frame 11 Frame 12 Frame 13 Frame 14 Frame 15
PFD(average) 4.49E-5 2.56E-4 2.82E-4 3.08E-4 3.34E-4 3.60E-4 3.86E-4 4.38E-4 4.90E-4
PFH (1/hour) 5.24E-10 2.96E-9 3.25E-9 3.55E-9 3.85E-9 4.15E-9 4.45E-9 5.05E-9 5.65E-9
SIL 3 3 3 3 3 3 3 3 3
PL e e e e e e e e e
Category 4 4 4 4 4 4 4 4 4
MTTFD years 187.5 (high) 102.6 (high) 87.8 (high) 76.7 (high) 68.1 (high) 61.2 (high) 55.6 (high) 47 (high) 40.7 (high)
DCavg% 97.4% (high) 97.0% (high) 97.0% (high) 97.0% (high) 97.0% (high) 96.9% (high) 96.9% (high) 96.9% (high) 96.9% (high)
HFT 1 (1oo2) 1 (1oo2) 1 (1oo2) 1 (1oo2) 1 (1oo2) 1 (1oo2) 1 (1oo2) 1 (1oo2) 1 (1oo2)
Mission time 20 years 20 years 20 years 20 years 20 years 20 years 20 years 20 years 20 years

Safety Data for Safe Feedback

Table 4 provides PFDavg and PFH values to add to the PFDavg and PFH values
from Table 2 or Table 3 for safety functions that require safe encoder feedback.
Safety functions using safe encoder feedback include drive based Monitored
Safe Stop 1 and controller-based safety functions SS1, SS2, SOS, SLS, SLP, and
SDI.


In general, the PFDavg and PFH values from Table 4 should be added to
Table 2 and Table 3 when Safety Instance is set to ‘Single Feedback
Monitoring’ or ‘Dual Feedback Monitoring’.

When using Dual Feedback Monitoring, enable Discrepancy Testing.


Table 4 - PFD or PFH to Add When Safety Functions Use Safety Feedback
Attribute Single Encoder Feedback Dual Encoder Feedback(1)
PFD (average) 6.75E-4 4.32E-5
PFH (1/hour) 7.70E-9 4.93E-10
SIL 2 3
PL d e
Category 3 4
MTTFD years 1446.7 (high) 1427.7 (high)
DCavg% 90.0% (medium) 99.0% (high)
HFT 1 (1oo2) 1 (1oo2)
Mission time 20 years 20 years
(1) Dual channel values apply with discrepancy checking configured.

The safe motion-monitoring option can be configured for single feedback or dual feedback to achieve the following safety rating:
• Single feedback configurations provide up to SIL 2 PLd capability.
• Dual-feedback configurations provide up to SIL 3 PLe capability when
discrepancy testing (either velocity, position, or both) is enabled.

IMPORTANT Achievable safety rating depends on each system component. For Safe
Feedback, the safety rating of the selected encoders may limit the safety
rating of the system.

Safety Data for Safety I/O

The Integrated Safety Functions option module provides four safety inputs
and two safety outputs. Table 5 provides PFDavg and PFH values to add for
safety functions that use this Safety I/O.
Table 5 - PFD or PFH to Add When Safety Functions Use Safety I/O
Attribute Single Channel Safety I/O Dual Channel Safety I/O
PFD (average) 3.35E-4 2.49E-4
PFH (1/hour) 3.83E-9 2.84E-9
SIL 2 3
PL d e
Category 2 4
MTTFD years 1064.9 (high) 1998.0 (high)
DCavg% 96.4% (high) 94.2% (high)
HFT 0 (1oo1) 1 (1oo2)
Mission time 20 years 20 years

IMPORTANT Single channel safety I/O is only certified for use in functional safety
applications with process safety times greater than or equal to 300 ms; or
applications with demand rates less than or equal to 1 demand per 30
seconds.

IMPORTANT If single channel safety I/O is used, pulse testing (external pulse testing for
safety inputs, pulse testing for safety outputs) MUST be enabled on the
single channel I/O points.
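The additions described for Tables 2 through 5 can be carried through for a specific configuration. The following is an added example, not code from this manual or from Rockwell Automation: the function name `drive_side_budget` and the frame keys are hypothetical, and the SIL upper bounds are the IEC 61508 ranges, which this manual does not list.

```python
"""Added illustration: sum the drive-side PFDavg/PFH contributions from Tables 2-5."""

# (PFDavg, PFH per hour) for STO / Timed SS1, copied from Table 2 (PowerFlex 755)
# and Table 3 (PowerFlex 755T), keyed by (family, frame column).
STO = {
    ("755", "1-7"): (4.08e-5, 4.77e-10),
    ("755", "8"): (1.81e-4, 2.09e-9),
    ("755", "9"): (2.73e-4, 3.14e-9),
    ("755", "10"): (3.64e-4, 4.19e-9),
    ("755T", "5-6"): (4.49e-5, 5.24e-10),
    ("755T", "7-8"): (2.56e-4, 2.96e-9),
    ("755T", "9"): (2.82e-4, 3.25e-9),
    ("755T", "10"): (3.08e-4, 3.55e-9),
    ("755T", "11"): (3.34e-4, 3.85e-9),
    ("755T", "12"): (3.60e-4, 4.15e-9),
    ("755T", "13"): (3.86e-4, 4.45e-9),
    ("755T", "14"): (4.38e-4, 5.05e-9),
    ("755T", "15"): (4.90e-4, 5.65e-9),
}

# Adders from Table 4 (safe feedback) and Table 5 (safety I/O):
# (PFDavg, PFH per hour, SIL rating of that element).
FEEDBACK = {"single": (6.75e-4, 7.70e-9, 2), "dual": (4.32e-5, 4.93e-10, 3)}
SAFETY_IO = {"single": (3.35e-4, 3.83e-9, 2), "dual": (2.49e-4, 2.84e-9, 3)}
STO_SIL = 3  # every column of Tables 2 and 3 is rated SIL 3

# Assumption (not from this manual): IEC 61508 upper bounds for each SIL, as
# (PFDavg in Low Demand mode, PFH in High Demand/Continuous mode).
SIL_UPPER_BOUND = {2: (1e-2, 1e-6), 3: (1e-3, 1e-7)}


def drive_side_budget(family, frames, feedback=None, safety_io=None):
    """Return summed PFDavg/PFH and the SIL the drive-side elements can support.

    feedback and safety_io are None (not used), "single" or "dual".
    "dual" feedback assumes discrepancy checking is configured (Table 4 note).
    """
    pfd, pfh = STO[(family, frames)]
    sil_limit = STO_SIL
    for table, choice in ((FEEDBACK, feedback), (SAFETY_IO, safety_io)):
        if choice is None:
            continue
        add_pfd, add_pfh, element_sil = table[choice]
        pfd += add_pfd
        pfh += add_pfh
        sil_limit = min(sil_limit, element_sil)  # weakest element caps the rating
    pfd_bound, pfh_bound = SIL_UPPER_BOUND[sil_limit]
    return {
        "pfd_avg": pfd,
        "pfh": pfh,
        "sil_limit": sil_limit,
        # Fraction of the SIL range already used before the controller, sensors
        # and other devices in the safety function are added.
        "pfd_share": pfd / pfd_bound,
        "pfh_share": pfh / pfh_bound,
    }


if __name__ == "__main__":
    for args in [("755T", "15", "dual", "dual"), ("755", "10", "single", "single")]:
        print(args, drive_side_budget(*args))
```

For a Frame 15 PowerFlex 755T with dual feedback and dual channel safety I/O, the drive-side elements alone account for about 78% of the SIL 3 Low Demand PFDavg range, which leaves little margin for the remaining devices in the safety function.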

Spurious Trip Rate

Table 6 shows the Spurious Trip Rate (STR) and Mean Time to Failure
Spurious (MTTF Spurious) values for the Integrated Safety Functions option
module, calculated according to the ISA TR-84 method.
Table 6 - STR and MTTF Spurious Values
Attribute Value
Spurious Trip Rate 3.00E-6
MTTFSpurious (years) 37.0

Safety Reaction Time

The safety reaction time is the length of time from a safety-related event as input to the system until the system is in the safe state. Table 7 shows the safety reaction time from an input signal condition that triggers a safe stop, to the initiation of the configured Stop Type. For details on how to calculate system reaction times with GuardLogix controllers, see the GuardLogix Controller Systems Safety Reference Manuals listed in the Additional Resources on page 13.

Table 7 - Safety Reaction Time
Drive Family Network STO Reaction Time, Max
PowerFlex 755 drives (firmware revision 13 or later), Frames 1…10 15 ms
PowerFlex 755TL low harmonic drives, Frames 7…15 15 ms
PowerFlex 755TR regenerative drives, Frames 7…15 15 ms
PowerFlex 755TM, Frames 8…15 15 ms
PowerFlex 755TL low harmonic drives, Frames 5 and 6 26 ms


IMPORTANT An input signal condition that is present for less than the reaction time may
not result in the safety function being performed. Repeated requests of the
safety function for less than the reaction time can result in a spurious
detection of a fault.

IMPORTANT In network STO Mode, the safety reaction time in Table 7 does not include
the connection reaction time limit. See the GuardLogix Controller Systems
Safety Reference Manuals, listed in the Additional Resources on page 13, for
details.

Considerations for Safety Ratings

The achievable safety rating of an application that uses the Integrated Safety Functions option module that is installed in PowerFlex 755/755T drive products is dependent upon many factors, drive options, and the type of motor.

A safety rating up to and including SIL 3, PLe, and Category 4 can be achieved.

Encoder Considerations

This section describes factors to consider when using an encoder with the Integrated Safety Functions option module.

Supported Encoders

Table 8 describes the supported encoder types based on the feedback card that
is used and the physical terminal it is connected to. You must determine the
safety capability of a system based on the supported encoder types and the
encoder diagnostics that are described in this chapter.
Table 8 - Supported Feedback Cards and Encoder Types
Feedback Option | Primary Channel Encoder Type | Primary Channel Encoder Motion Axis | Secondary Channel Encoder Type | Secondary Channel Encoder Motion Axis | Achievable System Safety Rating
20-750-UFB-1 | Sine/Cosine | Motor Feedback | Not Used | Not Used | SIL 2/PL d with safety rated encoder
20-750-UFB-1 | Sine/Cosine | Motor Feedback | Digital AqB | Load Feedback | SIL 3/PL e
20-750-DENC-1 | Digital AqB | Motor Feedback | Not Used | Not Used | SIL 2/PL d with safety rated encoder
20-750-DENC-1 | Digital AqB | Motor Feedback | Digital AqB | Load Feedback | SIL 3/PL e

Encoder Diagnostics

Depending on the encoder type, the module performs several diagnostic tests
on encoder signals to detect faults in the encoder. You must determine if the
combination of the selected encoder device type and the diagnostics that are
described in this chapter will satisfy the required safety function rating. The
use of non-safety, standard encoders may require further analysis and assessment
activities.


General Encoder Diagnostics

The following encoder diagnostics are available for all supported encoder
types:
• Encoder Voltage Monitoring (Configurable)
• Maximum Speed Limit (Configurable)
• Maximum Acceleration (Configurable)
• Maximum Encoder Input Frequency
• Dual Encoder Velocity and/or Position Discrepancy (Configurable)

IMPORTANT These diagnostics are based on the capability of the chosen encoder and its
rated limits. They do not provide a safety-rated safety function.

Encoder Voltage Monitoring

The voltage monitoring diagnostic samples the voltage being supplied to the
encoder to confirm that its level is within its configured range. If the voltage
monitoring diagnostic detects a voltage that is out of the configured range, the
safety feedback instance reports a voltage monitoring fault and causes the
module to enter the safe state.

The following voltage monitoring ranges are supported:


• 4.75…5.25V (Recommended setting when using 20-750-DENC-1 card
with the 12V Jumper in the ‘Storage’ position)
• 11.4…12.6V (Recommended setting when using 20-750-DENC-1 card
with the 12V Jumper in the ‘Enabled’ position)
• 7…12V (Recommended setting when using 20-750-UFB-1)

If a voltage range is not specified, then the voltage monitoring diagnostic is not
performed.

Maximum Speed Limit

The maximum speed limit diagnostic detects when encoder speed is above a
configured limit. If the speed of the encoder is greater than the configured max
speed limit, an exceeded max speed fault is reported by the safety feedback
instance. This causes the module to enter the safe state.

If the encoder being used specifies a maximum speed, set the maximum speed
limit configuration value to this value or lower. If the limit is configured as 0,
this diagnostic is not performed.

Maximum Acceleration

The maximum acceleration diagnostic detects when encoder acceleration is above a configured limit. If the module detects that the acceleration of the encoder has exceeded the configured limit, a max acceleration fault is reported by the safety feedback instance. This causes the module to enter the safe state.

If the encoder being used specifies a maximum acceleration, set the maximum
acceleration configuration value to this value or lower. If the maximum
acceleration is configured as 0, this diagnostic is not performed.

Maximum Encoder Input Frequency

The maximum encoder input frequency diagnostic confirms that the safety
feedback signals do not exceed the maximum frequency (encoder counts per
second) supported by the module. This value is not configurable and has fixed
values based on the encoder type. Table 9 shows the maximum frequency based
on encoder type.
Table 9 - Maximum Frequency of Encoder Types
Encoder Type Max Frequency
Digital AqB 250 kHz
Sine/Cosine and Hiperface 163.8 kHz

If the module detects an encoder input frequency above the limit, a max
frequency fault is reported in the safety feedback instance and the module
enters the safe state.

Dual Encoder Velocity and/or Position Discrepancy

The dual encoder velocity and position discrepancy diagnostic confirms that
the position and/or velocity of the two encoders match within a configurable
tolerance. The position and velocity discrepancy limits are individually
configurable; setting the limit to a value of 0 disables the diagnostic check. If
the module detects that the difference between the position and/or velocity of
both encoders is outside the configured limit, a discrepancy error is reported in
both safety feedback instances and the module enters the safe state. This
diagnostic is only available when the module is configured in a dual feedback
configuration.
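The speed, acceleration, input frequency, and discrepancy diagnostics described above can be sketched as checks over sampled position counts. This is an added example, not the module's firmware: the names `Limits`, `channel_fault`, and `discrepancy_fault`, the fixed sample period, and the assumption that both encoders are already scaled to the same units are all hypothetical, and the position data is constructed.

```python
from dataclasses import dataclass

# Table 9: fixed input frequency limits, in encoder counts per second.
MAX_INPUT_FREQ = {"Digital AqB": 250_000.0, "Sine/Cosine": 163_800.0, "Hiperface": 163_800.0}


@dataclass
class Limits:
    """Configured limits; a value of 0 disables that diagnostic."""
    max_speed: float = 0.0         # counts/s
    max_accel: float = 0.0         # counts/s^2
    pos_discrepancy: float = 0.0   # counts
    vel_discrepancy: float = 0.0   # counts/s


def velocities(positions, dt):
    """Velocity between consecutive position samples taken dt seconds apart."""
    return [(b - a) / dt for a, b in zip(positions, positions[1:])]


def channel_fault(positions, dt, encoder_type, limits):
    """First fault on one encoder as (sample index, fault name), else None."""
    prev = None
    for i, vel in enumerate(velocities(positions, dt), start=1):
        # The input frequency limit is not configurable, so it is always checked.
        if abs(vel) > MAX_INPUT_FREQ[encoder_type]:
            return (i, "max frequency")
        if limits.max_speed and abs(vel) > limits.max_speed:
            return (i, "exceeded max speed")
        if limits.max_accel and prev is not None:
            if abs(vel - prev) / dt > limits.max_accel:
                return (i, "max acceleration")
        prev = vel
    return None


def discrepancy_fault(primary, secondary, dt, limits):
    """First dual-encoder mismatch as (sample index, fault name), else None."""
    v1, v2 = velocities(primary, dt), velocities(secondary, dt)
    for i, (p, s) in enumerate(zip(primary, secondary)):
        if limits.pos_discrepancy and abs(p - s) > limits.pos_discrepancy:
            return (i, "discrepancy error")
        if limits.vel_discrepancy and i > 0:
            if abs(v1[i - 1] - v2[i - 1]) > limits.vel_discrepancy:
                return (i, "discrepancy error")
    return None


# Constructed position samples in counts, one per millisecond.
DT = 0.001
STEADY = [0, 100, 200, 300, 400]    # constant 100,000 counts/s
SURGE = [0, 100, 200, 350, 500]     # steps up to 150,000 counts/s at sample 3
LAGGING = [0, 100, 195, 280, 365]   # second encoder falling behind STEADY

if __name__ == "__main__":
    print(channel_fault(SURGE, DT, "Digital AqB", Limits(max_speed=120_000)))
    print(discrepancy_fault(STEADY, LAGGING, DT, Limits(pos_discrepancy=10)))
```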


Digital AqB Diagnostics

The following diagnostic functions are implemented in the module to perform diagnostics for digital AqB encoders:
• Inverse Signal Monitoring
• Quadrature Error Detection

Inverse Signal Monitoring

The inverse signal monitoring diagnostic confirms that the inverted and non-inverted signals are always at opposite signal levels. If the module detects a non-inverted signal, a feedback signal lost fault is reported in the safety feedback instance and the module enters the safe state. This diagnostic is meant to detect encoder wiring errors, such as open, short, or short to power.

Quadrature Error Detection

The quadrature error detection confirms that the A and B signals from the
digital AqB encoder do not change simultaneously. This diagnostic is also
referred to as an exclusive bit check. If the module detects a quadrature error,
the safety feedback instance reports a quadrature error fault and enters the safe
state. A simultaneous change indicates an error with the encoder wiring or an
issue with the encoder itself.
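The two Digital AqB diagnostics can be demonstrated on sampled logic levels. This is an added example, not the module's implementation: `check_aqb`, the sample tuples, and the choice of which rotation direction counts up are assumptions, the data is constructed, and the sketch assumes the lines are sampled faster than they change.

```python
from dataclasses import dataclass
from typing import Optional

# Order of (A, B) states for one direction of travel; the reverse order is the
# other direction. Which direction counts up is an assumption of this sketch.
GRAY_ORDER = [(0, 0), (1, 0), (1, 1), (0, 1)]


@dataclass
class AqbResult:
    counts: int                 # net quadrature edges counted before any fault
    fault: Optional[str]        # None, "feedback signal lost" or "quadrature error"
    fault_index: Optional[int]  # sample index at which the fault was detected


def check_aqb(samples):
    """Run both diagnostics over (A, A_inv, B, B_inv) logic-level samples."""
    counts = 0
    prev = None
    for i, (a, a_inv, b, b_inv) in enumerate(samples):
        # Inverse signal monitoring: each signal and its inverse must sit at
        # opposite levels. An open, short, or short to power breaks that.
        if a == a_inv or b == b_inv:
            return AqbResult(counts, "feedback signal lost", i)
        state = GRAY_ORDER.index((a, b))
        if prev is not None:
            step = (state - prev) % 4
            if step == 2:
                # Exclusive bit check: A and B changed between the same two samples.
                return AqbResult(counts, "quadrature error", i)
            counts += {0: 0, 1: 1, 3: -1}[step]
        prev = state
    return AqbResult(counts, None, None)


def differential(a, b):
    """Build a healthy sample: each inverted line is the complement."""
    return (a, 1 - a, b, 1 - b)


# Constructed sample data (not captured from a real encoder).
ONE_CYCLE = [differential(a, b) for a, b in [(0, 0), (1, 0), (1, 1), (0, 1), (0, 0)]]
# A_inv shorted to power: it reads 1 regardless of A.
A_INV_STUCK_HIGH = [(a, 1, b, b_inv) for a, _, b, b_inv in ONE_CYCLE]
# A and B change together between two consecutive samples.
SIMULTANEOUS_EDGE = [differential(0, 0), differential(1, 1)]

if __name__ == "__main__":
    for name, data in [("one cycle", ONE_CYCLE),
                       ("A_inv stuck high", A_INV_STUCK_HIGH),
                       ("simultaneous edge", SIMULTANEOUS_EDGE)]:
        print(name, check_aqb(data))
```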

Sine/Cosine and Hiperface Diagnostics

The following diagnostic functions are implemented in the module to perform diagnostics on Hiperface and/or Sine/Cosine type encoders:
• Sin² + Cos² Vector Length Monitoring
• Zero-crossing Detection
• Signal Offset (Sine/Cosine Encoder Type Only)

Sin² + Cos² Vector Length Monitoring

The Sin² + Cos² vector length monitoring diagnostic confirms that the sine and cosine signals are sinusoidal and 90° apart. This diagnostic is meant to detect errors in the wiring of the encoder and problems within the encoder itself. Table 10 describes the tolerance of encoder output signal amplitudes for this diagnostic. Table 11 describes the phase tolerance of the diagnostic. If the module detects that the amplitude and/or phase of the signals is out of range, the safety feedback instance reports a Sin² + Cos² fault and the module is placed in the safe state.


Table 10 - Sin² + Cos² Vector Length Monitoring Amplitude Range

Max       Min
1.3 Vpp   0.7 Vpp

Table 11 - Sin² + Cos² Vector Length Monitoring Phase Tolerance

Tolerance
90° ± 20°
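
To check a bench capture of the sine and cosine tracks against Tables 10 and 11, the following added example (not code from this manual or from the module firmware) estimates each track's amplitude and the phase separation and lists anything out of tolerance. The RMS and correlation estimators, the function names and the synthetic capture are assumptions made for illustration; the offset checks described in the next sections are not modeled.

```python
import math

# Limits from Table 10 (amplitude) and Table 11 (phase) of this manual.
AMP_MIN_VPP, AMP_MAX_VPP = 0.7, 1.3
PHASE_NOMINAL_DEG, PHASE_TOL_DEG = 90.0, 20.0


def synth_capture(amp_sin_vpp, amp_cos_vpp, phase_deg, offset_v=2.5,
                  cycles=4, samples=1000):
    """Constructed capture: two sinusoids phase_deg apart on a common DC offset."""
    sin_t, cos_t = [], []
    for k in range(samples):
        theta = 2 * math.pi * cycles * k / samples
        sin_t.append(offset_v + amp_sin_vpp / 2 * math.sin(theta))
        cos_t.append(offset_v + amp_cos_vpp / 2
                     * math.sin(theta + math.radians(phase_deg)))
    return sin_t, cos_t


def remove_mean(track):
    mean = sum(track) / len(track)
    return [v - mean for v in track]


def measure(sin_t, cos_t):
    """Estimate Vpp of each track, the phase separation, and the range of the
    vector length 2*sqrt(sin^2 + cos^2). Assumes the capture spans whole cycles."""
    s, c = remove_mean(sin_t), remove_mean(cos_t)
    n = len(s)
    rms_s = math.sqrt(sum(v * v for v in s) / n)
    rms_c = math.sqrt(sum(v * v for v in c) / n)
    result = {"vpp_sin": 2 * math.sqrt(2) * rms_s,
              "vpp_cos": 2 * math.sqrt(2) * rms_c,
              "phase_deg": None, "vector_vpp_min": None, "vector_vpp_max": None}
    if rms_s < 1e-9 or rms_c < 1e-9:
        return result  # flat track (for example an open or shorted wire)
    # Normalised correlation of two sinusoids equals cos(phase separation).
    corr = sum(a * b for a, b in zip(s, c)) / (n * rms_s * rms_c)
    result["phase_deg"] = math.degrees(math.acos(max(-1.0, min(1.0, corr))))
    # Constant only when both tracks are sinusoidal, equal and 90 degrees apart.
    lengths = [2 * math.hypot(a, b) for a, b in zip(s, c)]
    result["vector_vpp_min"], result["vector_vpp_max"] = min(lengths), max(lengths)
    return result


def evaluate(sin_t, cos_t):
    """Return the list of out-of-tolerance findings (empty list means pass)."""
    m = measure(sin_t, cos_t)
    findings = []
    for name in ("vpp_sin", "vpp_cos"):
        if not AMP_MIN_VPP <= m[name] <= AMP_MAX_VPP:
            findings.append(f"{name} {m[name]:.2f} Vpp outside "
                            f"{AMP_MIN_VPP}-{AMP_MAX_VPP} Vpp")
    if m["phase_deg"] is None:
        findings.append("phase not measurable (flat track)")
    elif abs(m["phase_deg"] - PHASE_NOMINAL_DEG) > PHASE_TOL_DEG:
        findings.append(f"phase {m['phase_deg']:.1f} deg outside "
                        f"{PHASE_NOMINAL_DEG:.0f} +/- {PHASE_TOL_DEG:.0f} deg")
    return findings


if __name__ == "__main__":
    for label, args in [("nominal", (1.0, 1.0, 90.0)),
                        ("low sine amplitude", (0.5, 1.0, 90.0)),
                        ("25 deg phase error", (1.0, 1.0, 65.0)),
                        ("flat cosine track", (1.0, 0.0, 90.0))]:
        print(label, evaluate(*synth_capture(*args)) or "pass")
```

The vector length range in the result shows why a single Sin² + Cos² check covers both conditions: an amplitude error shifts the length, and a phase error makes it ripple over each cycle.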

Zero-crossing Detection

The zero-crossing detection diagnostic confirms that the sine and cosine
signals have a similar offset to ground. The offset tripping point is ± 50 mV. If
the offset of the sine and cosine signals is greater than the tripping point, the
zero-crossing detection diagnostic will fail, a signal lost fault is reported in the
safety feedback instance, and the module is placed in the safe state.

Signal Offset

The signal offset diagnostic confirms that a Sine/Cosine type encoder is
producing the proper offset on the Sine and Cosine signals. This diagnostic is
not performed when the feedback device type is configured as Hiperface.

Table 12 describes the offset tolerance of the diagnostic. If the offset of the Sine
and/or Cosine signals is outside the tolerance range, the safety feedback
instance reports a signal offset fault and the module is placed in the safe state.

Table 12 - Signal Offset Tolerance

Max    Min
3.0V   2.0V

Contact Information If Safety Option Failure Occurs

If you experience a failure with any safety-certified device, contact your local
Allen-Bradley distributor to request any of these actions:
• Return the device to Rockwell Automation so the failure is
appropriately logged for the catalog number that is affected and a record
is made of the failure.
• Request a failure analysis (if necessary) to determine the probable cause
of the failure.

In case of malfunction or damage, no attempts at repair should be made. The
option module should be returned to the manufacturer for repair. Do not
dismantle the option module.

For more information about replacing drives, see Replace an Integrated Safety
Drive in a GuardLogix System on page 130 and Replace an Integrated Safety
Drive in a GuardLogix System on page 168.



Chapter 2

Installation

This chapter provides installation, jumper settings, and wiring for the
Integrated Safety Functions option module.

Topic
Remove Power to the System
Access the Control Pod
Set the SAFETY and Hardware ENABLE Jumpers
Install the Safety Option Module
I/O Wiring
Cabling

ATTENTION: The following information is a guide for proper installation.
Rockwell Automation does not assume responsibility for the compliance or
the noncompliance to any code, national, local, or otherwise for the proper
installation of this equipment. A hazard of personal injury and/or equipment
damage exists if codes are ignored during installation.

IMPORTANT Installation must be in accordance with the instructions in this user manual
and the installation instructions for your drive.
Only qualified, authorized personnel that are trained and experienced in
functional safety can plan, implement, and apply functional safety systems.

IMPORTANT During installation and maintenance, check your drive firmware release
notes for known anomalies and verify that there are no safety-related
anomalies.

The Integrated Safety Functions option module is intended to be part of the
safety-related control system. Before installation, perform a risk assessment that
compares the Integrated Safety Functions option module specifications and all
foreseeable operational and environmental characteristics of the control
system.

A safety analysis is required to determine how often to test the safety function
for proper operation during the life of the machine.


Remove Power to the System

Before performing any work on the drive, remove all power to the system.

ATTENTION:
• Electrical Shock Hazard. Verify that all sources of AC and DC power are de-
energized and locked out or tagged out in accordance with the requirements
of ANSI/NFPA 70E, Part II.
• To avoid an electric shock hazard, verify that the voltage on the bus
capacitors has discharged before performing any work on the drive. Measure
the DC bus voltage at the +DC and -DC terminals or test points. The voltage
must be zero. For the location of the terminal block and test point sockets,
see the manual for your drive:
– PowerFlex® 750-Series AC Drive Installation Instructions,
publication 750-IN001
– PowerFlex 750-Series Products with TotalFORCE® Control Installation
Instructions, publication 750-IN100
– PowerFlex 755TM IP00 Open Type Kits Installation Instructions,
publication 750-IN101
• In Safe Torque Off mode, hazardous voltages may still be present at the
motor. To avoid an electric shock hazard, disconnect power to the motor and
verify that the voltage is zero before performing any work on the motor.

Access the Control Pod

The option module is installed in the drive control pod. Different drives have
different ways to access the control pod. To access the control pod, follow these
steps.

1. Remove the door or cover.
2. Loosen the retention screw on the HIM cradle.
3. Lift the cradle until the latch engages.

See the installation instructions for your drive for more information.

Figure 1 - Access the Control Pod
[Image. Panels: Drives in Cabinet Enclosures; Panel-mounted Drives.]


Set the SAFETY and Hardware ENABLE Jumpers

The PowerFlex 755/755T drive products ship with the safety jumper
(SAFETY) installed.

If the Integrated Safety Functions option module is installed, the control board
SAFETY jumper must be removed. If the SAFETY jumper is not removed, a
‘Safety Jumper In’ fault occurs.

IMPORTANT PowerFlex 755 drives (frames 8…10) control boards do not have a SAFETY
jumper.

If the Integrated Safety Functions option module is installed, the control board
hardware ENABLE jumper must be installed. If the hardware ENABLE
jumper is not installed, a ‘HW Enbl Jmpr Out’ fault occurs (only frames 1…7
of PowerFlex 755 drives and all frame sizes of PowerFlex 755T drive products).

Figure 2 - PowerFlex 755 Drives Jumper Locations, Frames 1…7
[Image: PowerFlex 755 AC Drive control board showing the SAFETY jumper (jumper is removed) and the hardware ENABLE jumper (jumper in place).]

Figure 3 - PowerFlex 755T Drive Products Jumper Locations (all frame sizes)
[Image: PowerFlex 755T Drive Products control board showing the SAFETY jumper (jumper is removed) and the hardware ENABLE jumper (jumper in place).]


Install the Safety Option Module

To install the Integrated Safety Functions option module in a drive port, follow
these steps:

1. Firmly press the module edge connector into the desired port.

IMPORTANT The Integrated Safety Functions option module can be installed in
ports 4, 5, or 6 when used in Standard I/O mode. When used in an
Integrated Motion application, the Integrated Safety Functions
option module must be installed in Port 6.

2. Tighten the top and bottom retaining screws.
– Recommended torque = 0.45 N•m (4.0 lb•in)
– Recommended screwdriver = T15 Hexalobular

IMPORTANT Do not overtighten the retaining screws.

IMPORTANT Only one safety option module can be installed in a drive. Multiple
safety option modules or duplicate safety option module
installations are not supported.

Figure 4 - PowerFlex 755 Drives, Frames 1…7


Feedback Installation Guidelines

Follow these guidelines for the Integrated Safety Functions option module.

Feedback Devices

The Integrated Safety Functions option module can be used with one of the
following feedback devices when safe feedback monitoring is used:
• Dual-incremental Encoder module, catalog number 20-750-DENC-1
• Universal Feedback module, catalog number 20-750-UFB-1

Only one feedback card can be used in conjunction with the Integrated Safety
Functions module. For information on the supported encoder types for a given
feedback device, see Encoder Considerations in Chapter 1.

Port Assignment

Follow these guidelines for port assignment:


• The Integrated Safety Functions option module and the feedback device
must be installed on the same backplane using ports 4, 5, or 6.
• When used in an Integrated Motion application, the Integrated Safety
Functions option module must be installed in port 6.
• Only one safety option module can be installed in a drive. Multiple
safety options or duplicate safety option installations are not supported.

Jumper Settings

Follow these guidelines for jumper settings:


• Verify the hardware enable jumper (ENABLE) on the main control
board is installed. See Figure 2 or Figure 3 for location. If not installed,
the drive will fault when powered up.
• Verify the safety enable jumper (SAFETY) on the main control board is
removed (Frames 1…7 only). See Figure 2 or Figure 3 for location.


I/O Wiring

This section describes the onboard safety I/O and wiring considerations. A
power supply must be connected between the SP and SC terminals in order for
the safety I/O to be used. See Power Supply Requirements on page 35 for
information on selecting a power supply.

IMPORTANT External 24V power is only required to the module when hardwired safety is
used. It is NOT required when the module is used for networked safety
operation.

Table 13 - Terminal Designation

Terminal   Name              Description
To1        Test Output 1     Test 24V DC output 1
Si2        Safety Input 2    Safety 24V DC input 2
SC         Safety Common     Safety power common
Si3        Safety Input 3    Safety 24V DC input 3
To0        Test Output 0     Test 24V DC output 0
NC         No Connection
So0        Safety Output 0   Safety 24V DC output 0
SC         Safety Common     Safety power common
So1        Safety Output 1   Safety 24V DC output 1
Si0        Safety Input 0    Safety 24V DC input 0
SC         Safety Common     Safety power common
Si1        Safety Input 1    Safety 24V DC input 1
SC         Safety Common     Safety power common (required if safety I/O used)
SP         Safety Power      Safety 24V DC power (required if safety I/O used)

For examples of wiring devices to the safety I/O, see the Guard I/O™ EtherNet/IP
Safety Modules User Manual, publication 1791ES-UM001.

For technical specifications of the safety I/O, see Integrated Safety Functions
Option Module Specifications in Appendix B.

Cabling

Follow these guidelines for cabling:


• Safety wiring must be protected against external damage by cable ducts,
conduit, armored cable, or other means.
• Shielded cable is required.
• When installed in a PowerFlex 755 Frame 8 or larger drive, an EMC
Core Kit, catalog number 20-750-EMCSSM1-F8, is required.


Power Supply Requirements


IMPORTANT The external power supply must conform to the Directive 2006/95/EC Low
Voltage by applying the requirements of EN61131-2 Programmable
Controllers, Part 2 - Equipment Requirements and Tests, and one of the
following:
• EN60950 - SELV (Safety Extra Low Voltage)
• EN60204 - PELV (Protective Extra Low Voltage)
• IEC 60536 Safety Class III (SELV or PELV)
• UL 508 Limited Voltage Circuit
• 24V DC ±10% must be supplied by a power supply that complies with
IEC 60204 and IEC 61558-1.

For more information, see the guidelines in Industrial Automation Wiring and
Grounding Guidelines, publication 1770-4.1.



Chapter 3

Safety I/O

This chapter provides information that is related to the embedded safety inputs
and outputs on the Integrated Safety Functions option module.

Topic
Safety Inputs
Safety Outputs

Safety Inputs

Read this section for information about safety inputs and their operation
modes. The safety inputs can be used in a single or dual-channel configuration
for monitoring a safety input device. A safety input can also be configured for
external pulse testing with an associated test output.

Safety Input Operation

The Integrated Safety Functions option module provides two modes of
operation for its safety inputs: Safety Input with External Pulse Tests and
Standard Input.

The safety inputs also support configuring a sample delay time. You can
configure both on→off and off→on sample delay times for each input point. You
can also configure a latch error time, which specifies the minimum amount of
time that a safety input alarm is reported.

Safety Input with External Pulse Tests Operation

A test output can be used in combination with a safety input for short-circuit
detection. Configure the test output as a pulse test source and configure the
safety input as ‘Used with Test Output’. Test Output 0 is associated with safety
inputs 0 and 2. Test Output 1 is associated with safety inputs 1 and 3.

When the external input contact is closed, a test pulse is output from the test
output terminal to diagnose the field wiring and input circuitry. By using this
function, short circuits between input signal lines and the power supply
(positive side), and short circuits between redundant input signal lines of one
external device can be detected. Safe wiring by customer action is required.


Table 14 - Typical External Pulse Width and Period

Pulse Width Period


500 μs 300 ms

Figure 5 - Test Pulse in a Cycle
[Timing diagram: ON/OFF test pulse train annotated with Typical Pulse Test Period (300 ms) and Typical Pulse Width.]

IMPORTANT When using external pulse testing in single-channel mode, the demand rate
of the input must be greater than 30 seconds.

Figure 6 - Short-circuit Between Input Signal Lines
[Wiring diagram: external contacts wired to the module terminals, showing a short circuit between input signal lines and a short circuit between input signal lines and the power supply (positive side).]


Latch Input Error Operation in Single Channel Mode

The safety input subsystem allows for a configurable time for which an alarm
state is held. This is referred to as Input Latch Error Time. In single channel
mode, the input latch error time describes the period between when the alarm
condition is removed and when the safety input stops reporting the alarm.
Figure 7 shows the operation of input latch error time in single channel mode.
See Safety Input Alarm Recovery on page 49 for information on removing an
alarm.

Figure 7 - Single Channel Input Latch Error Behavior (not to scale)
[Timing diagram. Panels: Normal Operation; Alarm Operation. Traces: Pulse Test Output, External Device, Safety Input Terminal, Safety Input Value (ON/OFF); Safety Input Status (OK/ALARM). Annotations: Pulse Test Occurs; Alarm Detected.]


Single Channel Safety Input Status Data

Figure 8 describes the status and value that is reported by the Safety IO
subsystem for normal and alarm states. In normal operation, the Safety Input
value reported is the value being read on the input terminal. The Safety Input
status is on. When a fault is detected, the Safety Input value and status are
forced off.

Figure 8 - Single Channel Normal Operation and Alarm Detection (not to scale)
[Timing diagram. Panels: Normal Operation; Alarm Operation. Traces: Pulse Test Output, External Device, Safety Input Terminal, Safety Input Value (ON/OFF); Safety Input Status (OK/ALARM). Annotations: Pulse Test Occurs; Alarm Detected.]


Dual-channel Safety Input Operation

To support redundant safety devices, the consistency between signals on two
input points can be evaluated. This is referred to as Dual-channel operation.
Two modes are available when using dual-channel inputs: equivalent and
complementary.

When using either dual-channel input mode, the time between when a
discrepancy is created and when the discrepancy is reported can be configured.
This is referred to as Discrepancy Time. The configured discrepancy time is
0 (deactivated)…65,530 ms in increments of 1 ms.

IMPORTANT The dual-channel function is used with two consecutive inputs that are
paired together. Pairing starts at an even input number, such as
inputs 0 and 1; 2 and 3; and so on.

IMPORTANT Do not set the discrepancy time longer than necessary. The purpose of
the discrepancy time is to allow for normal differences between contact
switching when demands are placed on safety inputs. For discrepancy
checking to operate correctly, only one demand on the safety input is
expected during the discrepancy time. If the discrepancy time is set too
high, and multiple demands occur during this time, then both safety
input channels will alarm.

Table 15 shows the relation between physical input terminal states and the data
and status reported by the Safety Input subsystem.

Table 15 - Terminal Input Status and Controller I/O Data

Columns: Dual-channel Mode; Input Terminal (Si0, Si1); Controller Input Data and
Status (Safety Input 0 Data, Safety Input 1 Data, Safety Input 0 Status, Safety
Input 1 Status); Dual-channel Resultant Data; Dual-channel Input Status.

Mode            Si0   Si1   In 0   In 1   In 0     In 1     Resultant   Input
                            Data   Data   Status   Status   Data        Status
Equivalent      OFF   OFF   OFF    OFF    OK       ON       OFF         OK
Equivalent      OFF   ON    OFF    OFF    ALARM    OFF      OFF         Alarm
Equivalent      ON    OFF   OFF    OFF    ALARM    OFF      OFF         Alarm
Equivalent      ON    ON    ON     ON     OK       ON       ON          OK
Complementary   OFF   OFF   OFF    ON     ALARM    OFF      OFF         Alarm
Complementary   OFF   ON    OFF    ON     OK       ON       OFF         OK
Complementary   ON    OFF   ON     OFF    OK       ON       ON          OK
Complementary   ON    ON    OFF    ON     ALARM    OFF      OFF         Alarm


Equivalent Dual-channel Input Operation

In Equivalent mode, both inputs of a pair must typically be in the same
(equivalent) state. When a transition occurs in one channel of the pair, before
the transition of the second channel of the pair, a discrepancy occurs. If the
second channel transitions to the appropriate state before the discrepancy time
elapses, the inputs are considered equivalent.

If the second transition does not occur before the discrepancy time elapses, the
channels transition to the alarm state. In the alarm state, the input and status
for both channels are set low (off). When configured as an equivalent dual
pair, the data bits for both channels are sent to the controller as equivalent,
both high or both low.

Figure 9 shows the operation of dual channel equivalent inputs under normal
and alarm conditions.

Figure 9 - Equivalent, Normal Operation, and Alarm Detection (not to scale)
[Timing diagram. Panels: Normal Operation; Alarm Operation. Traces: Safety Input 0 Terminal, Safety Input 1 Terminal, Safety Input 0 Value, Safety Input 1 Value (ON/OFF); Dual Channel Status (OK/ALARM). Annotations: Discrepancy Time; Alarm Detected.]


Complementary Dual-channel Input Operation

In Complementary mode, the inputs of a pair are typically in the opposite
(complementary) state. When a transition occurs in one channel of the pair
before the transition of the second channel of the pair, a discrepancy occurs. If
the second channel transitions to the appropriate state before the discrepancy
time elapses, the inputs are considered complementary.

If the second transition does not occur before the discrepancy time elapses, the
channels transition to the alarm state. The alarm state of complementary
inputs is the even-numbered input turned off and the odd-numbered input
turned on. If in the alarm state, both channel status bits are set low. When
configured as a complementary dual-channel pair, the data bits for both
channels are sent to the controller in complementary, or opposite states.

Figure 10 shows the operation of dual-channel complementary inputs under
normal and alarm conditions.

Figure 10 - Complementary, Normal Operation and Alarm Detection (not to scale)
[Timing diagram. Panels: Normal Operation; Alarm Operation. Traces: Safety Input 0 Terminal, Safety Input 1 Terminal, Safety Input 0 Value, Safety Input 1 Value (ON/OFF); Dual Channel Status (OK/ALARM). Annotations: Discrepancy Time; Alarm Detected.]
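
The equivalent and complementary evaluation described above and in Table 15 can be stepped through with the following added Python model (not code from this manual or from the module firmware). It assumes that while the pair disagrees inside the discrepancy window the data is held at the safe-state values with status OK, that a discrepancy time of 0 never raises the alarm, and that the latch error time is 0; the class, function names and timelines are made up for illustration.

```python
EQUIVALENT, COMPLEMENTARY = "equivalent", "complementary"
ON, OFF = True, False


class DualChannelPair:
    """Behavioural model of one dual-channel input pair (for example Si0/Si1)."""

    def __init__(self, mode, discrepancy_ms):
        if mode not in (EQUIVALENT, COMPLEMENTARY):
            raise ValueError("unknown dual-channel mode")
        if not 0 <= discrepancy_ms <= 65530:
            raise ValueError("discrepancy time is 0...65,530 ms")
        self.mode = mode
        self.discrepancy_ms = discrepancy_ms
        self.alarm = False
        self.mismatch_since = None  # time the pair first disagreed, in ms

    def safe_data(self):
        # Alarm-state data per Table 15: OFF/OFF, or OFF/ON when complementary.
        return (OFF, self.mode == COMPLEMENTARY)

    def consistent(self, si0, si1):
        return si0 == si1 if self.mode == EQUIVALENT else si0 != si1

    def sample(self, t_ms, si0, si1):
        """Feed terminal states at time t_ms; return (data0, data1, status_ok)."""
        safe = self.safe_data()
        if self.alarm:
            # Recovery: both terminals must be back in the safe state first.
            if (si0, si1) != safe:
                return (*safe, False)
            self.alarm, self.mismatch_since = False, None
        if self.consistent(si0, si1):
            self.mismatch_since = None
            return (si0, si1, True)
        if self.mismatch_since is None:
            self.mismatch_since = t_ms
        elapsed = t_ms - self.mismatch_since
        if self.discrepancy_ms and elapsed >= self.discrepancy_ms:
            self.alarm = True
            return (*safe, False)
        # Inside the discrepancy window: safe data, status still OK (assumption).
        return (*safe, True)


def run(pair, timeline):
    """timeline is a list of (t_ms, si0, si1) samples in time order."""
    return [pair.sample(t, a, b) for t, a, b in timeline]


# Constructed timelines: the second contact follows late, or not at all.
LATE_BUT_IN_TIME = [(0, OFF, OFF), (10, ON, OFF), (60, ON, ON)]
STUCK_CONTACT = [(0, OFF, OFF), (10, ON, OFF), (110, ON, OFF),
                 (200, ON, ON), (300, OFF, OFF), (310, ON, ON)]

if __name__ == "__main__":
    for name, timeline in (("late", LATE_BUT_IN_TIME), ("stuck", STUCK_CONTACT)):
        print(name, run(DualChannelPair(EQUIVALENT, 100), timeline))
```

In the stuck-contact timeline the pair stays in alarm at 200 ms even though both terminals then agree, and recovers only after both have returned to OFF.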


Standard Input Operation

When a safety input is configured for standard input operation, no diagnostics
are performed on the input. Unlike safety inputs, a standard input cannot be
used with pulse testing and can only be used in single channel mode. A
standard input can still be configured to have an on→off and off→on filter
time.

IMPORTANT Do not use standard inputs for safety purposes.

Table 16 - Standard Input Value Attribute

Parameter      Value   Description
Service Code   0x0E    Get Attribute Single
Class          0x3D    Safety Discrete Input Point Object
Instance       i+1     Safety Input Instance (where i is the number of the safety input being used as a standard input)
Data Type      BYTE    8 Bits
Attribute      0xA     Filtered Input Value: 0 = Input OFF, 1 = Input ON

Safety Input Safety Data

The Safety Input data of the Integrated Safety Functions module can be
monitored through:
• Safety Input Assembly
• DPI™ Parameters
• CIP™ Messaging

IMPORTANT Only the Safety Input Value and Status in the Safety Input Assembly can be
considered safety data. Input values read through DPI parameters or CIP
messages are not safety data. Do not use standard inputs for safety purposes.

The following Safety Input data is available in the Integrated Safety Functions
Module:
• Safety Input Status
• Safety Input Value
• Safety Input Valid

Each safety input point reports its own status, value, and valid attributes.

IMPORTANT If a safety input is configured for standard input mode, its associated safety
data is forced in the safe state.


Safety Input Status

The safety input status indicates whether an alarm is present in the safety input
point. The safety input status is provided in the safety input assembly, as shown
in Table 17. Table 18 describes the attributes for reading the safety status via
CIP messaging.

The safety input status is also provided in the first four bits of device parameter
P13 [Safety IO Status].

Table 17 - Safety Input Assembly Tags for Safety Input Status

Safety Input Assembly Tag Name    Type/[bit]   Description
(safety controller to S4 option)
module:SI.InputStatus             SINT         A collection of safety input values and status for each safety input
module:SI.In01Status              [4]          Status of Safety Input 0: 0 = Alarm, 1 = OK
module:SI.In01Status              [5]          Status of Safety Input 1: 0 = Alarm, 1 = OK
module:SI.In02Status              [6]          Status of Safety Input 2: 0 = Alarm, 1 = OK
module:SI.In03Status              [7]          Status of Safety Input 3: 0 = Alarm, 1 = OK

Table 18 - MSG Configuration for Safety Input Status

Parameter      Value     Description
Service Code   0x0E      Get attribute single
Class          0x3D      Safety Discrete Input Point Object
Instance       i+1       Where i is the number of the safety input
Data Type      USINT     Unsigned integer value
Attribute      0x4 (4)   Safety Status: 0 = Alarm, 1 = OK

Safety Input Value

The safety input value is the value of the input after safety and on/off delay
evaluations when the safety input is not in the alarm state. If the safety input is
in the alarm state, this value will always be 0.

The safety input value is provided in the safety input assembly, as shown in
Table 19. Table 20 describes the attributes for reading the safety value via CIP
messaging. The safety input value is also provided in the first four bits of device
parameter P12 [Safety IO Values].


Table 19 - Safety Input Assembly Tags for Safety Input Values

Safety Input Assembly Tag Name    Type/[bit]   Description
(safety controller to S4 option)
module:SI.InputStatus             SINT         A collection of safety input values and status for each safety input
module:SI.In00Data                [0]          Value of Safety Input 0: 0 = OFF, 1 = ON
module:SI.In01Data                [1]          Value of Safety Input 1: 0 = OFF, 1 = ON
module:SI.In02Data                [2]          Value of Safety Input 2: 0 = OFF, 1 = ON
module:SI.In03Data                [3]          Value of Safety Input 3: 0 = OFF, 1 = ON

Table 20 - MSG Configuration for Safety Input Value

Parameter      Value     Description
Service Code   0x0E      Get attribute single
Class          0x3D      Safety Discrete Input Point Object
Instance       i+1       Where i is the number of the safety input
Data Type      USINT     Unsigned integer value
Attribute      0x7 (7)   Safety Input Logical Value: 0 = OFF, 1 = ON

Safety Input Valid

When set, the safety input valid attribute indicates that the safety input is
configured for safety use and producing valid data. If this value is not set, the
data that is associated with the safety input is no longer valid safety data.

IMPORTANT The Safety Input Valid attribute should be checked before using safety input
data in a safety application.

The safety input valid attribute is provided in the safety input assembly, as
shown in Table 21. Table 22 describes the attributes for reading the safety value
via CIP messaging.


Table 21 - Safety Input Assembly Tags for Safety Input Valid

Safety Input Assembly Tag Name    Type/[bit]   Description
(safety controller to S4 option)
module:SI.IOSupport               SINT         A collection of bits describing safety IO functionality
module:SI.In00Valid               [0]          Safety Input 0 Valid: 0 = Data invalid, 1 = Data valid
module:SI.In01Valid               [1]          Safety Input 1 Valid: 0 = Data invalid, 1 = Data valid
module:SI.In02Valid               [2]          Safety Input 2 Valid: 0 = Data invalid, 1 = Data valid
module:SI.In03Valid               [3]          Safety Input 3 Valid: 0 = Data invalid, 1 = Data valid

Table 22 - MSG Configuration for Safety Input Valid

Configuration Item   Value        Description
Service Code         0x0E         Get attribute single
Class                0x3D         Safety Discrete Input Point Object
Instance             i+1          Where i is the number of the safety input
Data Type            USINT        Unsigned integer value
Attribute            0x64 (100)   Safety Input Valid: 0 = Data invalid, 1 = Data Valid

Safety Input Alarms


The safety input logic can detect configuration, circuit, and discrepancy errors
for each safety input. When an error is detected, the associated safety input
data is put into the safe state, and the alarm type attribute is set.

Configuration Error

A configuration error occurs when a safety input’s configuration data is invalid.
If this error occurs, check to make sure that the configuration attributes for the
safety input are valid. A configuration error can also occur if the safety input is
selected for external pulse testing and the associated test output’s configuration
is not valid for this mode.

Circuit Error

A circuit error occurs in a safety input when a pulse test fails. There are two
types of circuit errors that can be reported:
• Internal Circuit Error
• External Circuit Error


An internal circuit error occurs when an internal pulse test fails. This means
that circuitry inside the module has failed. An internal circuit error may not be
recoverable; replacing the module may be required.

An external circuit error occurs when pulse testing by the safety input’s
associated test output fails. This error indicates the input circuitry external to
the card has failed.

Discrepancy and Dual Channel Errors

The discrepancy and dual channel errors are related, as a discrepancy can only
occur when the safety input is in dual channel mode. A discrepancy error
occurs when one of the dual channel safety inputs is not reporting the expected
safety input value. The safety input with the unexpected value reports the
discrepancy error. The other associated safety input will also be put in the safe
state and report a dual channel error alarm.

Determining Safety Input Alarm Type

To determine if a safety input is reporting an alarm, examine the safety input’s
input status attribute (see Safety Input Status on page 45 for information on
accessing this attribute). If the input is reporting an alarm, the alarm type can
be accessed through DPI parameters or CIP messaging.

Determine Safety Input Alarm Type with DPI Parameters

To read the alarm type of a safety input with DPI parameters, follow these steps:

1. Set device parameter P14 [Input Alarm Indx] to the integer value i+1,
where i is the number of the safety input.
2. Read device parameter P15 [Input Alarm].

Determine Safety Input Alarm Type with CIP Messaging

The safety input alarm type can also be read via CIP messaging. See Table 21
for the attributes that are required to read the alarm type.


Table 23 - MSG Configuration for Safety Input Alarm Type

Parameter      Value        Description
Service Code   0x0E         Get attribute single
Class          0x3D         Safety Discrete Input Point Object
Instance       i+1          Where i is the number of the safety input
Data Type      USINT        Unsigned integer value
Attribute      0x6E (110)   Safety Input Alarm Type:
                            0 = No Alarm
                            1 = Configuration Error
                            2 = External Circuit Error
                            3 = Internal Circuit Error
                            4 = Discrepancy Error
                            5 = Dual Channel error
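
The following added example (not code from this manual) ties the assembly bits in Tables 17, 19 and 21 to the alarm type read in Table 23: it gates each input value on its Valid and Status bits, then builds the Get Attribute Single request for every valid input that reports an alarm and decodes the one-byte reply. The function names and sample bytes are constructed for illustration, the request uses the standard CIP 8-bit logical path segments, and transporting it to the option module (MSG instruction, routing) is outside the example.

```python
GET_ATTRIBUTE_SINGLE = 0x0E
SAFETY_DISCRETE_INPUT_POINT = 0x3D   # class, Table 23
ATTR_ALARM_TYPE = 0x6E               # attribute, Table 23

ALARM_TYPES = {0: "No Alarm", 1: "Configuration Error",
               2: "External Circuit Error", 3: "Internal Circuit Error",
               4: "Discrepancy Error", 5: "Dual Channel error"}


def decode_assembly(input_status, io_support):
    """Split the two SINT members into per-input records and gate the value."""
    input_status &= 0xFF   # SINT is signed; work on the raw 8 bits
    io_support &= 0xFF
    points = []
    for i in range(4):
        valid = bool((io_support >> i) & 1)              # Table 21, bits 0-3
        status_ok = bool((input_status >> (4 + i)) & 1)  # Table 17, bits 4-7
        raw = bool((input_status >> i) & 1)              # Table 19, bits 0-3
        # Use the value only when the point is valid and not in alarm.
        points.append({"input": i, "valid": valid, "status_ok": status_ok,
                       "value": raw and valid and status_ok})
    return points


def alarm_type_request(i):
    """Request bytes: service, path size in words, class/instance/attribute."""
    if not 0 <= i <= 3:
        raise ValueError("safety input number is 0...3")
    path = bytes([0x20, SAFETY_DISCRETE_INPUT_POINT,   # 8-bit class segment
                  0x24, i + 1,                         # 8-bit instance segment
                  0x30, ATTR_ALARM_TYPE])              # 8-bit attribute segment
    return bytes([GET_ATTRIBUTE_SINGLE, len(path) // 2]) + path


def parse_alarm_type_reply(reply):
    """Decode a reply: service|0x80, reserved, status, ext size, data."""
    if len(reply) < 4 or reply[0] != (GET_ATTRIBUTE_SINGLE | 0x80):
        raise ValueError("not a Get Attribute Single reply")
    general_status, ext_words = reply[2], reply[3]
    if general_status != 0:
        raise ValueError(f"CIP general status 0x{general_status:02X}")
    data = reply[4 + 2 * ext_words:]
    if len(data) != 1:
        raise ValueError("expected one USINT of data")
    return ALARM_TYPES.get(data[0], f"Unknown ({data[0]})")


def triage(input_status, io_support):
    """Map input number -> request bytes for valid inputs reporting an alarm."""
    return {p["input"]: alarm_type_request(p["input"])
            for p in decode_assembly(input_status, io_support)
            if p["valid"] and not p["status_ok"]}


# Constructed sample: inputs 0 and 2 ON, input 1 in alarm, all four valid.
SAMPLE_INPUT_STATUS = 0xD5
SAMPLE_IO_SUPPORT = 0x0F
SAMPLE_REPLY = bytes.fromhex("8E00000004")   # constructed success reply, data = 4

if __name__ == "__main__":
    for number, request in triage(SAMPLE_INPUT_STATUS, SAMPLE_IO_SUPPORT).items():
        print(f"input {number}: send {request.hex(' ')}")
    print(parse_alarm_type_reply(SAMPLE_REPLY))
```

The alarm type read this way is diagnostic information only; as stated above, values read through CIP messages are not safety data.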

Safety Input Alarm Recovery

If an error is detected, the safety input data remains in the off state. Follow this
procedure to activate the safety input data.

1. Remove the cause of the error.
2. Place the safety input (or safety inputs if in dual channel mode) into the
safe state.
The safety input status turns on (alarm cleared) after the input-error
latch time has elapsed.

TIP If the latch error time has expired, but the safety input is not yet in the safe
state, the alarm will not be cleared. Once the safety input is in the safe state,
the alarm will clear immediately.

Input Delays

Each safety input has a configurable filter time for sampling the input. Both the
on→off and off→on filter values can be configured. Unlike other
configuration values, these values can be configured in standard input mode.

Off–on Delay

An input signal is treated as logic 0 during the on-delay time (0…126 ms, in
increments of 1 ms) after the rising edge of the input contact. The input only
turns on if the input contact remains on after the on-delay time has elapsed.
This delay helps prevent rapid changes of the input data due to contact bounce.


Figure 11 - Off-on Delay
[Timing diagram. Traces: Input Signal, Safety Input Value (ON/OFF); the On-delay interval is marked.]

On-off Delay

An input signal is treated as logic 1 during the off-delay time (0…126 ms, in
increments of 1 ms) after the falling edge of the input contact. The input only
turns off if the input contact remains off after the off delay time has elapsed.
This delay helps prevent rapid changes of the input data due to contact bounce.

Figure 12 - On-off Delay
[Timing diagram. Traces: Input Signal, Safety Input Value (ON/OFF); the Off-delay interval is marked.]

Use With PowerFlex 750-Series ATEX Option Module

The 20-750-ATEX option can be wired to an S4 safety input. This is a
general-purpose safety input, so the user is responsible for the GuardLogix
programming logic to tie the input to the SO.STOOutput tag. See the
PowerFlex 750-Series ATEX Option Module User Manual, publication
750-UM003, for more information.

Safety Outputs

Read this section for information about safety outputs. The safety outputs can
operate in single channel mode or dual channel mode. In either mode, the
safety output can also be configured to run pulse test diagnostics.

Safety Output with Test Pulse

When the safety output is on, the safety output can be configured to pulse test
the safety output channel. By using this function, you can continuously test the
ability of the safety output to remove power from the output terminals of the
module. If an error is detected, the safety output data and individual safety
output status turn to the safe state.


Figure 13 - Test Pulse in a Cycle
[Timing diagram. Output signal (ON/OFF) with periodic test pulses. Typical pulse test period: 300 ms. Typical pulse width: 500 μs.]

Table 24 - Typical External Pulse Width and Period

| Pulse Width | Period |
|---|---|
| 500 μs | 300 ms |

IMPORTANT To help prevent the test pulse from causing the connected device to
malfunction, pay careful attention to the input response time of the device
that is connected to the output.

Single-channel Mode

IMPORTANT When using pulse testing in single channel mode, the demand rate of the
output must be greater than 30 seconds.

In single-channel mode, when the safety output is requested to the on state, the
output will turn on if there is no alarm. If an alarm is detected on the channel,
the safety output data and safety output status turn off, and commanding the
output will have no effect.


Figure 14 - Single-channel Setting (not to scale)
[Timing diagram with two panels, Normal Operation and Alarm Operation. Signals in each panel: Safety Output Terminal, Safety Output Value, Safety Output Status (ON/OFF). Marked event in the Alarm Operation panel: Alarm Detected.]

Latch Output Error Operation in Single Channel Mode

The safety output subsystem allows for a latch error time to be configured. The
latch error time is the minimum time an output alarm will be held before the
alarm can be cleared. This latch error time is used by all safety outputs.
Figure 15 shows the behavior of the safety output latch time in single channel
mode. See Safety Output Alarm Recovery on page 60 for information on
clearing alarms.

Figure 15 - Single Channel Output Latch Error Behavior
[Timing diagram. Signals: Safety Output 0 Value (ON/OFF), Safety Output Status (OK/ALARM). Marked events: Alarm Detected; Alarm Condition Removed and Safety Output Value in Safe State; Alarm Cleared. Marked interval: Output Latch Error Time.]


Dual-channel Mode

When the data of both channels is in the on state, and neither channel has an
alarm, the outputs are turned on. The status is normal. If an alarm is detected
on one channel, the safety output data and individual safety output status turn
off for both channels.

Figure 16 shows the operation of dual channel outputs under normal and alarm
conditions.

Figure 16 - Dual-channel Setting (Not to Scale)
[Timing diagram with two panels, Normal Operation and Alarm Operation. Signals in each panel: Safety Output 0, Safety Output 1, Dual Channel Output Status (ON/OFF). Marked event in the Alarm Operation panel: Alarm Detected.]

Latch Output Error Operation in Dual Channel Mode

In dual channel mode, the output latch error time describes the period between
when the alarm condition is removed and when the dual channel safety output
stops reporting the alarm. Figure 17 shows the normal operation of output
latch error time in dual channel mode. When one or both of the associated
output points has an alarm (such as a Pulse Test Failure), and there is a
discrepancy between the two channels, the alarm and discrepancy must be
cleared before the latch error timer begins counting. Figure 18 shows this
special case operation. See Safety Output Alarm Recovery on page 60 for
information on removing an alarm.


Figure 17 - Dual Channel Output Latch Error Behavior
[Timing diagram. Signals: Safety Output 0 Value (ON/OFF), Safety Output 1 Value (ON/OFF), Dual Channel Safety Output Status (OK/ALARM). Marked events: Alarm Detected; Alarm Condition Removed and Output Values in Safe State; Alarm Cleared. Marked interval: Output Latch Error Time.]

Figure 18 - Dual Channel Output Latch Error Behavior With Alarm and Discrepancy (not to scale)
[Timing diagram, Dual Channel Equivalent Mode. Signals: Safety Output 0 Value (ON/OFF), Safety Output 1 Value (ON/OFF), Dual Channel Safety Output Status (OK/ALARM). Marked events: Alarm Detected; Discrepancy Detected; Discrepancy Removed; Alarm Cleared. Marked interval: Output Latch Error Time.]


Safety Output Safety Data

The Safety Output data of the Integrated Safety Functions module can be
monitored through:
• Safety Input Assembly
• DPI Parameters
• CIP Messaging

The following Safety Output data is available in the Integrated Safety
Functions Module:
• Safety Output Status
• Safety Output Ready
• Output Monitor Value

Each safety output point reports its own status, monitor value, and ready
attributes.

Safety Output Status

The safety output status indicates whether an alarm is present in the safety
output point. The safety output status is provided in the safety input assembly,
as shown in Table 25. Table 26 describes the attributes for reading the safety
status via CIP messaging. The safety output status is also provided in bits 6 and
7 of device parameter P13 [Safety IO Status].

Table 25 - Safety Input Assembly Tags for Safety Output Status

| Safety Input Assembly Tag Name (safety controller to S4 option) | Type / [bit] | Description |
|---|---|---|
| module:SI.OutputStatus | SINT | A collection of safety output status, safety output monitor values, and test output status |
| module:SI.Out00Status | [4] | Status of Safety Output 0: 0 = Alarm, 1 = OK |
| module:SI.Out01Status | [5] | Status of Safety Output 1: 0 = Alarm, 1 = OK |

Table 26 - MSG Configuration for Safety Output Status

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x3B | Safety Discrete Output Point Object |
| Instance | i+1 | Where i is the number of the safety output |
| Data Type | USINT | Unsigned integer value |
| Attribute | 0x5 (5) | Safety Status: 0 = Alarm, 1 = OK |


Safety Output Ready

When set, the safety output ready attribute indicates that the safety output is
configured for safety use and ready to be commanded.

IMPORTANT Check the Safety Output Ready attribute before commanding the safety
output.

The safety output ready attribute is provided in the safety input assembly, as
shown in Table 27. Table 28 describes the attributes for the Safety Output
Ready attribute via CIP messaging.

Table 27 - Safety Input Assembly Tags for Safety Output Ready

| Safety Input Assembly Tag Name (safety controller to S4 option) | Type / [bit] | Description |
|---|---|---|
| module:SI.IOSupport | SINT | A collection of bits describing safety IO functionality |
| module:SI.Out00Ready | [4] | Safety Output 0 Ready: 0 = Not Ready, 1 = Ready |
| module:SI.Out01Ready | [5] | Safety Output 1 Ready: 0 = Not Ready, 1 = Ready |

Table 28 - MSG Configuration for Safety Output Ready

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x3B | Safety Discrete Output Point Object |
| Instance | i+1 | Where i is the number of the safety output |
| Data Type | USINT | Unsigned integer value |
| Attribute | 0x64 (100) | Safety Status: 0 = Not Ready, 1 = Ready |

Output Monitor Value

IMPORTANT Safety Output Monitor Value is not safety data and has no defined safe state.
Use Output Monitor Value for diagnostic purposes only.

The output monitor value of a safety output is the value of the output that is
read by the module. It is expected that the output monitor value is the same as the
commanded safety output value in normal operation. The output monitor
value can be used to diagnose output alarms.

The output monitor value is provided in the safety input assembly, as shown in
Table 29. Table 30 describes the attributes for reading the output monitor
value via CIP messaging. The output monitor value is also provided in bits 6
and 7 of DPI device parameter P12 [Safety IO Values].

Table 29 - Safety Input Assembly Tags for Safety Output Monitor Value

| Safety Input Assembly Tag Name (safety controller to S4 option) | Type / [bit] | Description |
|---|---|---|
| module:SI.OutputStatus | SINT | A collection of safety output status, safety output monitor values, and test output status |
| module:SI.Out00Monitor | [0] | Output Monitor Value of Safety Output 0: 0 = OFF, 1 = ON |
| module:SI.Out01Monitor | [1] | Output Monitor Value of Safety Output 1: 0 = Not Ready, 1 = Ready |

Table 30 - MSG Configuration for Safety Output Monitor Value

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x3B | Safety Discrete Output Point Object |
| Instance | i+1 | Where i is the number of the safety output |
| Data Type | USINT | Unsigned integer value |
| Attribute | 0x4 (4) | Output Monitor Value: 0 = OFF, 1 = ON |

Commanding Safety and Test Outputs

The values of the safety and test outputs can be commanded by setting tags in the
safety output assembly. Table 31 shows the output command tags of the
module.

Table 31 - Safety Input Assembly Tags for Safety Output Ready

| Safety Input Assembly Tag Name (safety controller to S4 option) | Type / [bit] | Description |
|---|---|---|
| module:SO.SafetyIOCommands | SINT | A collection of safety status bits for commanding IO values |
| module:SO.Out00Output | [0] | Commanded Safety Output 0 Value: 0 = OFF, 1 = ON |
| module:SO.Out01Output | [1] | Commanded Safety Output 1 Value: 0 = OFF, 1 = ON |


Safety Output Alarms

The Safety Output logic can detect the following errors:


• Configuration
• Circuit
• Dual Channel Discrepancy (Dual Channel Configuration Only)
• Partner Channel (Dual Channel Configuration Only)

When an error is detected, the associated safety output data is put into the safe
state and the Alarm Type attribute is set.

Configuration Error

A configuration error occurs when a safety output’s configuration data is
invalid. If this error occurs, verify that the configuration attributes for the
safety outputs are valid.

Circuit Error

When a safety output is configured for use with test pulses, a circuit error
occurs when a pulse test fails. There are three types of circuit errors that can be
reported:
• Stuck Low
• Stuck High
• Cross Connection

A stuck low error occurs when the output is expected to be in the on state, but
the feedback indicates the output is in the off state.

A stuck high error occurs when a pulse test expects the output to be in the off
state but the output does not transition to the off state during the pulse test
interval.

A cross connection error occurs when a pulse test of one safety output causes
another safety output to change value. This usually indicates that two outputs
are shorted together.

If a circuit error occurs in a safety output, check the wiring of the safety outputs
for errors.

Dual Channel Discrepancy Error

When the safety outputs are configured for dual channel mode, a dual channel
discrepancy error occurs when there is a mismatch in the commanded output
values of the dual channel outputs. Both outputs will report a Dual Channel
Discrepancy error.


Partner Channel Error

When the safety outputs are configured for dual channel mode, and one of the
safety outputs experiences a circuit or configuration error, the other safety
output will report a Partner Channel error.

TIP The safety output data will still be placed in the safe state when a Partner
Channel error occurs.

Determining Safety Output Alarm Type


To determine if a safety output is reporting an alarm, examine the safety
output’s output status attribute. See Safety Output Safety Data on page 55 for
information on safety output status. If the output is reporting an alarm, the
alarm type can be accessed through DPI parameters or CIP messaging.

Determine Safety Input Alarm Type with DPI Parameters

To read an alarm type of safety output with DPI parameters, follow these steps.

1. Set device parameter P16 [Output Alarm Indx] to the integer value i+1,
where i is the number of the safety output.
2. Read device parameter P17 [Output Alarm].

Determine Safety Output Alarm Type with CIP Messaging

The safety input alarm type can also be read via CIP messaging. See Table 32
for the attributes that are required to read the alarm type.

Table 32 - MSG Configuration for Safety Output Alarm Type

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x3B | Safety Discrete Output Point Object |
| Instance | i+1 | Where i is the number of the safety output |
| Data Type | USINT | Unsigned integer value |
| Attribute | 0x6E (110) | Safety Output Alarm Type: 0 = No Alarm; 1 = Configuration; 3 = Stuck Low; 4 = Stuck High; 5 = Partner Channel; 8 = Dual Channel; 9 = Cross Connection |
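
The MSG settings in Tables 26, 28, 30 and 32 correspond to the Get Attribute Single request and reply bytes built and decoded below. This is an added example, not Rockwell Automation code; the function names are hypothetical, the request path uses standard CIP 8-bit logical segments, and the sample replies in the comments and tests are constructed.

```python
"""Build and decode the Get Attribute Single messages from Tables 26-32."""

GET_ATTRIBUTE_SINGLE = 0x0E          # Service Code in the MSG tables
SAFETY_DISCRETE_OUTPUT_POINT = 0x3B  # Class in the MSG tables

# Attribute numbers from Tables 26, 28, 30 and 32.
ATTRIBUTES = {"status": 0x05, "ready": 0x64, "monitor": 0x04, "alarm_type": 0x6E}

# Alarm type values from Table 32.
ALARM_TYPES = {
    0: "No Alarm",
    1: "Configuration",
    3: "Stuck Low",
    4: "Stuck High",
    5: "Partner Channel",
    8: "Dual Channel",
    9: "Cross Connection",
}


class CipError(Exception):
    """The device answered with a non-zero CIP general status."""


def build_request(output_number, attribute):
    """Return the message router request for one safety output attribute."""
    if output_number not in (0, 1):
        raise ValueError("this page describes safety outputs 0 and 1 only")
    instance = output_number + 1  # Instance = i+1
    # Request path as 8-bit logical segments: class (0x20), instance (0x24),
    # attribute (0x30). The path size is counted in 16-bit words.
    path = bytes([0x20, SAFETY_DISCRETE_OUTPUT_POINT,
                  0x24, instance,
                  0x30, ATTRIBUTES[attribute]])
    return bytes([GET_ATTRIBUTE_SINGLE, len(path) // 2]) + path


def parse_reply(reply):
    """Return the USINT value carried by a Get Attribute Single reply."""
    if len(reply) < 4:
        raise ValueError("reply shorter than the 4-byte reply header")
    service, _reserved, general_status, extra_words = reply[:4]
    if service != (GET_ATTRIBUTE_SINGLE | 0x80):
        raise ValueError(f"unexpected reply service 0x{service:02X}")
    if general_status != 0:
        raise CipError(f"general status 0x{general_status:02X}")
    data = reply[4 + 2 * extra_words:]  # skip any additional status words
    if len(data) != 1:
        raise ValueError("expected exactly one USINT byte of data")
    return data[0]


def diagnose(status_reply, alarm_reply):
    """Combine Safety Status and Alarm Type replies into one description."""
    if parse_reply(status_reply) == 1:   # 1 = OK, 0 = Alarm (Table 26)
        return "OK"
    code = parse_reply(alarm_reply)
    # Codes that Table 32 does not list are reported rather than guessed.
    return "Alarm: " + ALARM_TYPES.get(code, f"unlisted alarm type {code}")


if __name__ == "__main__":
    print(build_request(0, "alarm_type").hex())
    # Constructed replies: status = 0 (Alarm), alarm type = 4.
    print(diagnose(bytes.fromhex("8e00000000"), bytes.fromhex("8e00000004")))
```

Only the alarm type reply is decoded through Table 32; a status of OK short-circuits the lookup, so a stale alarm type is never reported for a healthy output.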


Safety Output Alarm Recovery

If an alarm is detected, the safety outputs are switched to the safe state and
remain in the safe state. Follow this procedure to activate the safety output data
again.

1. Remove the cause of the alarm.


2. Command the safety output (or safety outputs in dual channel mode)
into the safe state.
3. Allow the output-error latch time to elapse and monitor the output
ready attribute and the output status attribute to determine when the
output can be commanded again.

TIP If the latch error time has expired, but the safety output is not yet
commanded to the safe state, the alarm will not be cleared. Once the safety
output is commanded to the safe state, the alarm will clear immediately.
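
One way to gate output commands on the recovery steps above, using the assembly bit positions from Tables 25, 27 and 31. This is an added example, not the manual's or the module's own logic; the class name, the cause_removed flag and the scan trace are assumptions constructed for illustration.

```python
"""Controller-side gate for the safety output recovery procedure (illustrative)."""

# Bit positions taken from the tables on this page.
STATUS_BIT = {0: 4, 1: 5}   # SI.Out00Status / SI.Out01Status in SI.OutputStatus
READY_BIT = {0: 4, 1: 5}    # SI.Out00Ready / SI.Out01Ready in SI.IOSupport
COMMAND_BIT = {0: 0, 1: 1}  # SO.Out00Output / SO.Out01Output in SO.SafetyIOCommands


class OutputRecoveryGate:
    """Decides, scan by scan, which safety output command bits may be set.

    outputs=(0,) or (1,) models single channel mode; outputs=(0, 1) models a
    dual channel pair, whose two command bits are always written together so
    the commanded values never mismatch.
    """

    def __init__(self, outputs=(0, 1)):
        self.outputs = tuple(outputs)
        self.recovering = False  # True from alarm detection until recovery ends

    def _all_set(self, byte, bit_map):
        return all((byte >> bit_map[o]) & 1 for o in self.outputs)

    def scan(self, output_status, io_support, want_on, cause_removed=True):
        """Return the SO.SafetyIOCommands output bits to write this scan."""
        status_ok = self._all_set(output_status, STATUS_BIT)
        ready = self._all_set(io_support, READY_BIT)
        if not status_ok:
            self.recovering = True
        if self.recovering:
            # Steps 2 and 3: keep commanding the safe state and watch status and
            # ready; the alarm can only clear while the safe state is commanded.
            if status_ok and ready and cause_removed:
                self.recovering = False
            return 0
        if not (want_on and ready):
            return 0  # never command an output that is not ready
        mask = 0
        for o in self.outputs:
            mask |= 1 << COMMAND_BIT[o]
        return mask


def run_trace(gate, trace):
    """Feed (output_status, io_support, want_on, cause_removed) rows to a gate."""
    return [gate.scan(*row) for row in trace]


# Constructed scan trace for a dual channel pair.
DUAL_CHANNEL_TRACE = [
    (0x30, 0x30, True, True),   # normal operation
    (0x00, 0x30, True, False),  # alarm detected, cause still present
    (0x00, 0x30, True, True),   # cause removed, latch error time running
    (0x30, 0x30, True, True),   # module reports status OK again
    (0x30, 0x30, True, True),   # outputs can be commanded on again
]

if __name__ == "__main__":
    print(run_trace(OutputRecoveryGate((0, 1)), DUAL_CHANNEL_TRACE))
```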

Test Output

The test outputs of the Integrated Safety Function module can be configured
in the following modes:
• Standard Output
• Test Output
• Power Supply Output

ATTENTION: Test Output points that are configured as Pulse Test or Power
Supply become active whenever you apply input power to the module. These
configured functions are independent of the I/O connections to the module.

ATTENTION: If a module with Test Outputs configured as Pulse Test or Power
Supply is incorrectly installed in an application where actuators are
connected to these Test Output points, the actuators are activated when input
power is applied.
To prevent this possibility, follow these procedures.
• When installing or replacing a module, be sure that the module is correctly
configured for the application or in the out-of-box condition before applying
input power.
• Reset modules to their out-of-box condition when removing them from an
application.
• Be sure that all modules in replacement stock are in their out-of-box
condition.


ATTENTION: Do not use test outputs as safety outputs. Test outputs do not
function as safety outputs.

Standard Output Mode

When a test output is configured for standard output mode, the test output
point operates as a general purpose output. The output can be commanded
through the safety output assembly. Table 33 shows the tags in the safety
output assembly to command test outputs when in standard output mode.

Table 33 - Safety Output Assembly Tags for Test Output Commands

| Safety Input Assembly Tag Name | Type / [bit] | Description |
|---|---|---|
| module:SO.SafetyIOCommands | SINT | A collection of safety status bits for commanding IO values |
| module:SO.Test00Output | [2] | Test Output 0 Value: 0 = OFF, 1 = ON |
| module:SO.Test01Output | [3] | Test Output 1 Value: 0 = OFF, 1 = ON |

Test Output Mode

When in test output mode, the test output point operates in conjunction with
a safety input to perform pulse testing on the external safety input circuitry.
Please see the Safety Input with External Pulse Tests Operation section for
information on this mode. Commanding the output point via the safety output
assembly will have no effect in this mode.

Power Supply Output


In power supply output mode, the output point is forced on, and will only shut
off in the case of a critical fault. Commanding the output point via the safety
output assembly will have no effect in this mode.

Test Output Data

The Test Output data of the Integrated Safety Functions module can be
monitored through:
• Safety Input Assembly
• DPI Parameters
• CIP Messaging


The following Test Output data is available in the Integrated Safety Functions
module:
• Test Output Status
• Test Output Ready

Each test output point reports its own status and ready attributes.

IMPORTANT Test Output data is not safety data and cannot be used for safety
applications.

Test Output Status

The test output status indicates whether an alarm is present in the test output
point. When in standard output mode, the status will always be OK unless
there is a critical fault, in which case the status is forced to Alarm. In all other
modes, the test output status is set to Alarm.

The test output status is provided in the safety input assembly, as shown in
Table 34. Table 35 describes the attributes for reading the test output status via
CIP messaging. The test output status is also provided in bits 4 and 5 of device
parameter P13 [Safety IO Status].

Table 34 - Safety Input Assembly Tags for Test Output Status

| Safety Input Assembly Tag Name (safety controller to S4 option) | Type / [bit] | Description |
|---|---|---|
| module:SI.OutputStatus | SINT | A collection of safety output and test output data |
| module:SI.Test00Status | [4] | Status of Test Output 0: 0 = Alarm, 1 = OK |
| module:SI.Test01Status | [5] | Status of Test Output 1: 0 = Alarm, 1 = OK |

Table 35 - MSG Configuration for Test Output Alarm Type

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x9 | Discrete Output Point Object |
| Instance | i+1 | Where i is the number of the test output |
| Data Type | USINT | Unsigned integer value |
| Attribute | 0x4 (4) | Output Status: 0 = Alarm, 1 = OK |


Test Output Ready

When set, the test output ready attribute indicates that the test output is
configured for standard output mode, and is ready to be commanded. In other
modes, the test output ready attribute is forced to the safe (alarm) state.

IMPORTANT The Test Output Ready attribute should be checked before commanding the
test output.

The test output ready attribute is provided in the safety input assembly, as
shown in Table 36. Table 37 describes the attributes for reading the test output
ready attribute via CIP messaging.

Table 36 - Safety Input Assembly Tags for Test Output Ready

| Safety Input Assembly Tag Name (safety controller to S4 option) | Type / [bit] | Description |
|---|---|---|
| module:SI.IOSupport | SINT | A collection of bits describing safety IO functionality |
| module:SI.Test00Ready | [6] | Test Output 0 Ready: 0 = Not Ready, 1 = Ready |
| module:SI.Test01Ready | [7] | Test Output 1 Ready: 0 = Not Ready, 1 = Ready |

Table 37 - MSG Configuration for Test Output Ready

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x9 | Discrete Output Point Object |
| Instance | i+1 | Where i is the number of the test output |
| Data Type | USINT | Unsigned integer value |
| Attribute | 0x82 (130) | Output Ready: 0 = Not Ready, 1 = Ready |



Chapter 4

Drive-based Safe Stop Functions

Use this chapter to learn more about the Safe Torque Off, Timed Safe Stop 1,
Monitored Safe Stop 1, and Safe Brake Control stopping functions that are
built into the Integrated Safety Functions option module.

IMPORTANT The information in this section describes Safety Stop Functions operating in
the drive. For information on using the Drive Safety instructions operating in
the GLX controller, see Chapter 5.

Topic
• Safety Output Assembly Safe Stop Function Tags
• Safety Input Assembly Safe Stop Function Tags
• Connection Action
• Safe Torque Function
• Safe Stop 1 Function
• Connecting a Safety Brake

Safety Output Assembly Safe Stop Function Tags

The safety output assembly for Integrated Safe Speed consists of 48 Logix tags:
• 35 tags for pass thru status and faults
• 8 tags for safety stop function commands
• 5 tags for safety I/O commands

Table 38 - Safety Output Assembly Tags for Safety Stop Functions

| Safety Output Assembly Tag Name (safety controller to S4 option) | Type / [bit] | Description |
|---|---|---|
| module:SO.SafetyStopFunctions | SINT | A collection of bits used to activate (request) safety functions as described in this table. |
| module:SO.STOOutput | [0] | Control Safe Torque Off (STO): 0 = Disable Torque, 1 = Enable Torque |
| module:SO.SBCOutput | [1] | If Safe Brake Control (SBC) is configured: 0 = Engage Brake (So0 and So1 OFF), 1 = Release Brake (So0 and So1 ON). If Safe Brake Control is not configured, this tag must be set to 0. If set to 1, will cause SBC fault. |
| module:SO.SS1Request | [2] | If Safe Stop 1 (SS1) is configured: 0 = No Request, 1 = Request Safe Stop 1. If Safe Stop 1 is not configured, this tag must be set to 0. If set to 1, will cause SS1 fault. |
| module:SO.SS2Request | [3] | Reserved for future use. This tag must be set to 0; will cause SS2 fault if set to 1. |
| module:SO.SOSRequest | [4] | Reserved for future use. This tag must be set to 0; will cause SOS fault if set to 1. |
| module:SO.SMTRequest | [5] | Reserved for future use. This tag must be set to 0; will cause SMT fault if set to 1. |
| module:SO.ResetRequest | [7] | A 0→1 transition is required to reset Safety Faults. If Restart Type is ‘Manual’, a 0→1 transition is required to restart a Safety Stop Function. |

Safety Input Assembly Safe Stop Function Tags

The safety input assembly for Integrated Safe Speed consists of 56 Logix tags:
• 3 tags for connection status
• 28 tags for safety feedback and stop function status
• 25 tags for safety I/O status

Table 39 - Safety Input Assembly Tags for Safety Stop Functions

| Safety Input Assembly Tag Name (S4 option to safety controller) | Type / [bit] | Description |
|---|---|---|
| module:SI.ConnectionStatus | SINT | A collection of the following bits. |
| module:SI.RunMode | [0] | Safety Connection: 0 = Idle, 1 = Run |
| module:SI.ConnectionFaulted | [1] | Safety Connection: 0 = Normal, 1 = Faulted |
| module:SI.FeedbackPosition | DINT | Primary Feedback Position from drive-module safety instance. Value is in encoder counts. |
| module:SI.FeedbackVelocity | REAL | Primary Feedback Velocity from drive-module safety instance. Value is in Rev/s or Meter/s. |
| module:SI.SecondaryFeedbackPosition | DINT | Secondary Feedback Position from drive-module safety instance. Value is in encoder counts. Secondary channel may only be used for discrepancy comparison with primary channel. |
| module:SI.SecondaryFeedbackVelocity | REAL | Secondary Feedback Velocity from drive-module safety instance. Value is in Rev/s or Meter/s. Secondary channel may only be used for discrepancy comparison with primary channel. |
| module:SI.StopStatus | SINT | A collection of the following bits. |
| module:SI.STOActive | [0] | Safe Torque Off (STO) function status: 0 = Permit Torque, 1 = Disable Torque |
| module:SI.SBCActive | [1] | Safe Brake Control (SBC) function status: 0 = Release Brake (So0 and So1 ON), 1 = Engage Brake (So0 and So1 OFF) |
| module:SI.SS1Active | [2] | Safe Stop 1 (SS1) function status: 0 = SS1 not Active, 1 = SS1 Active |
| module:SI.SS2Active | [3] | Reserved for future use; always 0. |
| module:SI.SOSStandstill | [4] | Reserved for future use; always 0. |
| module:SI.SMTOvertemp | [4] | Reserved for future use; always 0. |
| module:SI.SafetyFault | [6] | 1 = Safe Stop Fault present |
| module:SI.RestartRequired | [7] | 1 = Fault Reset or Stop Restart is required |
| module:SI.SafeStatus | SINT | A collection of the following bits. |
| module:SI.TorqueDisabled | [0] | 0 = Torque Permitted, 1 = Torque Disabled |
| module:SI.BrakeEngaged | [1] | 0 = Brake Released (So0 and So1 ON), 1 = Brake Engaged (So0 and So1 OFF) |
| module:SI.MotionStatus | SINT | A collection of the following bits. |
| module:SI.MotionPositive | [0] | 1 = Feedback Velocity > Primary Feedback Standstill Speed |
| module:SI.MotionNegative | [1] | 1 = Feedback Velocity < Primary Feedback Standstill Speed |
| module:SI.FunctionSupport | SINT | A collection of the following bits. |
| module:SI.PrimaryFeedbackValid | [0] | 0 = Secondary Feedback not configured or Faulted, 1 = Secondary Feedback Value is valid |
| module:SI.SecondaryFeedbackValid | [1] | 0 = Secondary Feedback not configured or Faulted, 1 = Secondary Feedback Value is valid |
| module:SI.DiscrepancyCheckingActive | [2] | 1 = Feedback Velocity Discrepancy checking is active not faulted |
| module:SI.SBCReady | [3] | 0 = Drive-based SBC function is not configured or faulted, 1 = Drive-based SBC function is configured and ready for operation |
| module:SI.SS1Ready | [4] | 0 = Drive-based SS1 function is not configured or faulted, 1 = Drive-based SS1 function is configured and ready for operation |
| module:SI.SS2Ready | [5] | Reserved for future use; always 0. |
| module:SI.SOSReady | [6] | Reserved for future use; always 0. |
| module:SI.SMTReady | [7] | Reserved for future use; always 0. |

IMPORTANT Review the CONNECTION_STATUS Data section of the GuardLogix 5580 and
Compact GuardLogix 5380 Controller Systems Safety Reference Manual,
publication 1756-RM012, for information on how to use the connection
status tags.


ATTENTION: Safety I/O connections and produced/consumed connections
cannot be automatically configured to fault the controller if a connection is
lost and the system transitions to the safe state. If you must detect a device
fault so that the system maintains the required SIL level, you must monitor
the Safety I/O CONNECTION_STATUS bits and initiate the fault via program
logic.

Safety Function in Response to Connection Event

The module allows for a safety function to be executed when the safety
connection to the module is lost or the connection enters the idle state. This
operation is referred to as the connection action. There are two configurable
connection actions that are defined as follows:
• Connection Loss Action - The safety function to be executed if the
network connection from the module to the safety controller is lost or
closed.
• Connection Idle Action - The safety function to be executed if the safety
controller connected to the module enters program mode.

In both of these cases, the safety function must be executed by the
drive/module. Therefore, only the drive-based safety functions may be used in these
cases.

Connection Loss Action

When the connection loss event is detected, the following attributes will be set:
• In Standard Control Mode
– Host: P3 [Safety State] = Idle
– Host: P4 [Safety Status] Conn Closed = 1

• In Motion Control Mode


– axis.AxisSafetyState = 2
– axis.SafetyOutputConnectionClosedStatus = 1

The following drive-based safety functions are supported as a connection loss
action:
• STO
• SS1

A safety function will operate as configured when activated by a connection
loss and the Connection Loss bit will be set in its activation attribute. See the
following sections for information on the safety function operation.

In standard control mode, change the Comm Flt Action parameter of the
EtherNet/IP® module in the drive from its default value of ‘Fault’ to another
applicable setting in order for the drive to initiate the stopping action. In the
PowerFlex 755 drive, this is done using parameter 54. In the PowerFlex 755T
drive, this is done using port 0 parameter 360. If this parameter is not changed,
the safety function that is triggered by the connection loss may fault.

Connection Idle Action

When the connection idle event is detected, the following attributes will be set:
• In Standard Control Mode
– Host: P4 [Safety Status] Conn Idle = 1

• In Motion Control Mode


– axis.SafetyOutputConnectionIdleStatus = 1

The following drive-based safety functions are supported as a connection idle
action:
• STO
• SS1

A safety function will operate as configured when activated by a connection
idle and the Connection Idle bit will be set in its activation attribute. See the
following sections for information on Safety Function operation.

In standard control mode, change P55 [Idle Flt Action] of the EtherNet/IP
port in the drive from its default value of ‘Fault’ to another applicable setting in
order for the drive to initiate the stopping action. If this parameter is not
changed, the safety function that is triggered by the connection loss may fault.

Safe Torque Off Function

The Safe Torque Off (STO) function provides a method, with sufficiently low
probability of failure, to force the power-transistor control signals to a disabled
state. When the command to execute the STO function is received from the
GuardLogix controller, all drive output-power transistors are released from the
ON-state. This results in a condition where the drive is coasting.

Safe Torque Off (STO) will prevent the motor from applying torque to a
system but in some systems torque is also applied to the mechanical system by a
suspended load, unbalanced load, back pressure, and so on. In such a system,
application of a mechanical brake is required to hold the load while motor
torque is disabled by STO. See Safe Brake Control Function beginning on page
83 for information on using a mechanical brake with the Integrated Safety
Functions Module.


Safe Torque Off Activation

Safe Torque Off can be initiated by one or more sources:


• STO Output – Setting the Safety Output Assembly Tag
(module:SO.STOOutput = 1)
• SS1 Complete – Completion of a Safe Stop 1
• Stop Fault – Any Safety Fault
• Limit Fault – Reserved for future use
• Limit Active – Reserved for future use
• Connection Loss – Loss of connection to the safety controller
• Connection Idle – Safety controller in program mode

When STO is activated, all sources of activation are stored in an attribute as a
bit mask. The attribute can then be read to determine the causes of a STO
activation. Figure 19 shows the operation of the STO activation attribute. The
STO Activation attribute can be read with explicit messaging (see attribute 265
in Table 18 on page 247).

Figure 19 - Safe Torque Off Activation
[Block diagram. Labels: STO Activation; inputs STO Output, SS1 Complete, Safety Stop Fault, Safety Limit Fault, Safety Limit Active, Connection Loss (1), Connection Idle (2); Logical OR; STO Active; STO to SBC Delay; Torque Disabled. Delay notes: Negative Value: Delay = |Value|; Positive Value: Delay = 0; Safety Fault: Delay = 0.]
(1) Connection Loss Action = STO
(2) Connection Idle Action = STO

Safe Torque Off Reset

After torque is disabled due to a STO activation, the STO function must be
reset in order to enable torque. When the STO function must be reset, the
following attribute values are set:
• module:SI.STOActive = 1
• module:SI.RestartRequired = 1

• In Standard Control Mode


– Host: P4 [Safety Status] STO Active = 1
– Host: P4 [Safety Status] Restart Req = 1


• In Motion Control Mode


– axis.SafeTorqueOffActiveStatus = 1
– axis.SafetyResetRequiredStatus = 1

The steps to reset the STO function depend on the cause of STO activation
and the Restart/Cold Start Type configured in the module.

Safety Fault STO Activation Reset

IMPORTANT When the STO function is activated by a Safety Fault, the cause of the safety
fault must be removed before STO can be reset, regardless of the configured
restart type.

Once the cause of the fault is removed, a 0→1 transition on the
module:SO.ResetRequest tag will reset the STO function to the Torque
Enabled state.

Connection Loss/Idle STO Activation Reset

If the STO function is activated by a connection loss/idle event, the
connection must be reestablished and running before the STO function can be
reset. The function must be reset based on the configured Cold Start type.

STO Automatic Cold Start/Restart Type Operation

If there are no Safety Faults and no safety demands, the STO function can be
reset.

STO Manual Cold Start/Restart Type Operation

If there are no Safety Faults and no safety demands present in the module, the
STO function can be reset by a 1→0 transition on the module:SO.STOOutput
tag then a 0→1 transition on module:SO.ResetRequest tag.

TIP Setting module:SO.STOOutput = 1 and module:SO.RequestReset = 1 in the
same program scan will enable torque.

Safe Torque Off Delay


A delay to provide time for the drive to stop the load in response to STO
Active can be programmed. This delay time is referred to as STO Delay. If no
delay is desired, set the STO Delay to 0. The STO Delay must be a positive
integer value.

If Safe Brake Control is being used, the STO delay must be 0. If an STO delay
is desired with the use of the Safe Brake Control function, see Safe Brake
Control Function beginning on page 83 for information on configuring STO
to SBC delay. In the case of STO activation by a safety fault, any configured
delay is ignored, and torque is disabled instantly.

Safe Torque Off Operation

The operation of the STO function and its attributes is dependent on the
configuration of the STO function and the activation reason. For all STO
activations besides safety fault, the operation of STO is dependent on STO
Delay. For STO activations caused by a safety fault, the operation ignores STO
Delay. See the following sections for more information.

Figure 20 - STO Without Delay

[Timing diagram, shown for Restart Type = Automatic and Restart Type = Manual. Signals and labeled states:]
SO.STO Output (1): Disable Torque
STO Activation (2): 0x00, then 0x01 = STO Output
SI.STO Active (3): Disable Torque
SI.Torque Disabled (3): Torque Disabled
SI.Restart Required (3): Restart Required
SO.Reset Required (1): Required If Restart Type = Manual

(1) Safety Output Assembly (2) Safe Stop Function Attribute (3) Safety Input Assembly

Safe Torque Off With Delay Operation

When the STO Delay is configured for a positive non-zero value, the delay is
inserted between STO Active and Torque Disabled. The STO Delay is meant
to serve as a delay between the configured STO drive stopping action and
when torque is disabled. The delay allows the drive to complete the stop before
torque is disabled. This is effectively a Timed Safe Stop 1 function. See Safe
Torque Off Stopping Action and Source on page 74 for information on
configuring a drive stop type in response to a STO activation.

Figure 21 shows the timing of STO status and torque attributes in response to
a STO activation, along with the restart type behavior, when STO Delay is
configured.


Figure 21 - STO with Delay

[Timing diagram, shown for Restart Type = Automatic and Restart Type = Manual. Signals and labeled states:]
Velocity: STO Delay interval marked
SO.STO Output (1): Disable Torque
STO Activation (2): 0x00, then 0x01 = STO Output
SI.STO Active (3): STO Active
P4 [Safety Status] STO Active (4): STO Active
SI.TorqueDisabled (3): Torque Disabled
SI.RestartRequired (3): Restart Required
SO.ResetRequest (1): Required If Restart Type = Manual

(1) Safety Output Assembly (2) Safe Stop Function Attribute
(3) Safety Input Assembly (4) DPI™ Parameter

IMPORTANT The Safe Brake Control (SBC) Mode must be set to ‘Not Used’ to permit STO
Delay. If Mode is not set to ‘Not Used’, Delay is set to zero.

Safe Torque Off Safety Fault Operation

When a safety fault occurs in the module, the STO function is forced to the
Safe State, which is the Torque Disabled state. In this case, the configured STO
Delay value is bypassed and torque is immediately disabled. Figure 22 shows
the timing of STO and torque attributes in response to STO activation by a
Safety Fault.

Clearing a Safety Fault requires correcting the fault condition, then a 0→1
transition on Request Reset.


Figure 22 - STO with Safety Fault

[Timing diagram. Signals and labeled states:]
SI.Safety Fault (1): Safety Fault
STO Activation (2): 0x04 = Safety Stop Fault
SI.STO Active (3): Disable Torque
SI.Torque Disabled (3): Torque Disabled
SI.Restart Required (3): Restart Required
SO.Reset Request (1): Always Required to Reset a Fault; Fault Cleared

(1) Safety Output Assembly (2) Safe Stop Function Attribute (3) Safety Input Assembly

ATTENTION: In the case of STO activation by a safety fault, the configured
STO Delay time is ignored, and torque is immediately disabled.

Safe Torque Off Stopping Action and Source

In response to an STO activation, the type of stop and the source responsible
for controlling the stop are configurable. These configuration attributes are
defined as:
• STO Stopping Action – Configures what stopping action to perform in
response to a STO activation.
• STO Stopping Action Source – Configures where the stopping action is
performed (drive-based or controller-based).

When STO is activated, the drive control will initiate the selected stop type if:
• The STO Action Source is configured as Drive or
• There is currently not a Standard I/O connection through the
Embedded EtherNet/IP port to the drive control or
• There is currently a Standard I/O connection through the Embedded
EtherNet/IP port to the drive control but it is in Idle mode (the
controller is in program mode)

Otherwise, the controller that owns the Standard I/O connection is expected
to respond when STO is activated. In this case, the configured STO Stopping
Action is ignored, and the stopping logic must be programmed in the
controller that owns the Standard I/O connection.


If the STO Stopping Action Source is Controller, or the STO Stopping Action
is configured for a non-default value, a STO Delay may need to be specified in
order for the Stopping Action to be completed before torque is disabled.

See the drive's reference manual for information on its supported stop modes.

IMPORTANT You are responsible for providing logic in the controller standard task to
implement a stop action when the STO Action Source is configured as
Controller.

IMPORTANT If STO Delay is zero, there is no time for the drive to complete a stop before
torque is disabled. In that case, the stop action is effectively ‘Coast’ (default).

STO Safety Fault

When the module experiences a STO Fault, the module is placed in the safe
state and the cause of the fault is recorded. If the STO function detects a fault,
it will set the following attributes:
• module:SI.SafetyFault = 1
• module:SI.RestartRequired = 1
• STO Fault Type

• In Standard Control Mode
– Device: P7 [STO Fault Type] = varies depending on the cause of the
fault. See description of STO Fault Type in Table 105 on page 254.
– Host: P4 [Safety Status] Safety Fault = 1
– Host: P4 [Safety Status] Restart Req = 1
– Host: P5 [Safety Faults] STO Fault = 1
– 755 Port 0: P933 [Start Inhibits], bit 7 = ‘Safety’
755T Port 0: P351 [M Start Inhibits], bit 8 = ‘Safety’
– 755 Port 0: P951 [Last Fault Code] = ‘Safety Brd Flt’
755T Port 0: P610 [Last Fault Code] = ‘Safety Brd Flt’

• In Motion Control Mode
– Axis.SafetyFault = 1
– axis.SafeTorqueOffActiveInhibit = 1
– axis.SafetyFaultStatus = 1
– axis.SafetyResetRequiredStatus = 1
– axis.STOFault = 1

For more information on STO Fault Types and troubleshooting methods, see
Understand Safety Faults on page 199.


Safe Stop 1 Function

The Safe Stop 1 (SS1) function signals the configured SS1 Stop Action Source
to initiate a stopping action, then the safety module monitors the stop. When
the Safe Stop 1 is complete, STO is activated and torque is disabled. If the drive
does not complete the stop within the limits that are configured in the Safe
Stop 1 function, an SS1 Fault is annunciated.

Safe Stop 1 Activation

Safe Stop 1 can be initiated by one or more sources:


• SS1 Request – Setting the Safety Output Assembly Tag
(module:SO.SS1Request = 1)
• Limit Active – Reserved for future use
• Connection Loss – Loss of connection to the safety controller
• Connection Idle – Safety controller in program mode

When SS1 is activated, all sources of activation are stored in an attribute as a bit
mask and the attribute can then be read to determine the causes of an SS1
activation. Figure 23 shows the operation of the SS1 activation attribute. The
SS1 Activation attribute can be read with explicit messaging (see attribute 289
in Table 18 on page 247).

Unlike the STO function, SS1 does not get activated by a safety fault.

Figure 23 - Safe Stop 1 Activation

[Diagram: the bits of the SS1 Activation attribute (SS1 Request, Safety Limit Active, Connection Loss (1), Connection Idle (2)) feed a logical OR that sets SS1 Active.]

(1) Connection Loss Action = SS1
(2) Connection Idle Action = SS1


Safe Stop 1 Reset

After an SS1 action is complete, the SS1 function must be reset in order to
enable torque. When the STO Function needs to be reset, the following
attribute values are set:
• module:SI.SS1Active = 1
• module:SI.RestartRequired = 1

• In Standard Control Mode:
– Host: P4 [Safety Status] SS1 Active = 1
– Host: P4 [Safety Status] Restart Required = 1

• In Motion Control Mode:
– axis:SS1ActiveStatus = 1
– axis.SafetyResetRequiredStatus = 1

The steps to reset the SS1 function depend on the cause of SS1 activation and
the Restart/Cold Start Type configured in the module.

Connection Loss/Idle SS1 Activation Reset

If the SS1 function is activated by a connection loss/idle event, the connection
must be reestablished and running before the SS1 function can be reset. The
function must be reset based on the configured Cold Start type.

SS1 Automatic Cold Start/Restart Type Operation

If there are no Safety Faults present in the module, the SS1 function can be
reset by a 1→0 transition on the module:SO.SS1Request tag.

SS1 Manual Cold Start/Restart Type Operation

If there are no Safety Faults in the module, the SS1 function can be reset by a
1→0 transition on the module:SO.SS1Request tag then a 0→1 transition on
module:SO.ResetRequest tag.


Safe Stop 1 Stopping Action and Source

In response to an SS1 activation, the type of stop and the source responsible for
controlling the stop are configurable. These configuration attributes are defined
as:
• SS1 Stopping Action – Configures what stopping action to perform in
response to an SS1 Activation.
• SS1 Stopping Action Source – Configures where the stopping action is
performed (drive-based or controller-based).

When SS1 is activated the drive control will initiate the selected stop type if:
• The SS1 Action Source is configured as Drive
• There is currently not a Standard I/O connection through the
Embedded EtherNet/IP port to the drive control
• There is currently a Standard I/O connection through the Embedded
EtherNet/IP port to the drive control but it is in Idle mode (the
controller is in program mode)

Otherwise, the controller that owns the Standard I/O connection is expected
to respond when SS1 is activated. In this case, the configured SS1 Stopping
Action is ignored, and the stopping logic must be programmed in the
controller that owns the Standard I/O connection.

See the drive's reference manual for information on its supported stop modes.

IMPORTANT You are responsible for providing logic in the controller standard task to
implement a stop action when the SS1 action source is Controller.

Timed Safe Stop 1

A Timed Safe Stop 1 involves initiating motor deceleration and initiating the
STO function after the configured time delay.

Timed Safe Stop 1 Operation

When the module is configured for Timed Safe Stop 1 Mode, the Safe Stop 1
function is initiated by setting the module:SO.SS1Request safety output tag.
This sets the ‘SS1 Request’ bit in the SS1 Activation attribute and sets the
module:SI.SS1Active safety input tag. When the SS1 Active bit is set, the SS1
Stop Action will be executed by the source indicated by the SS1 Stop Action
Source. See Safe Stop 1 Stopping Action and Source for more information.

The SS1 function waits for the configured SS1 Max Stop Time, then sets the
SS1 Complete flag in the STO Activation attribute, which sets STO Active to
Disable Torque. In Timed Safe Stop 1 mode, speed and deceleration are not
monitored so this mode does not require Safety Feedback. Figure 24 shows the
timing of SS1 status and torque attributes in response to an SS1 activation,
along with the restart type behavior.

Figure 24 - Timed Safe Stop 1

[Timing diagram, shown for Restart Type = Automatic and Restart Type = Manual. Signals and labeled states:]
Velocity: SS1 Ext Max Stop Time interval marked
SO.SS1Request (1)
SS1 Activation (2): 0x00, then 0x01 = SS1 Request, then 0x00
SI.SS1Active (3): Active
STO Activation (2): 0x00, then 0x02 = SS1 Complete, then 0x00
SI.STOActive (3): Disable Torque
SI.TorqueDisabled (3): Torque Disabled
SI.RestartRequired (3): Restart Required
SI.RequestReset (1): Required if Restart Type = Manual

(1) Safety Output Assembly (2) Safe Stop Function Attribute (3) Safety Input Assembly

Monitored Safe Stop 1

A Monitored Safe Stop 1 involves monitoring motor feedback deceleration
rate and time, then initiating an STO activation when the motor feedback
speed is below a specified limit.

Monitored Safe Stop 1 Operation

When the module is configured for Monitored Safe Stop 1 Mode, the Safe
Stop 1 function is initiated by setting the module:SO.SS1Request safety output
tag. This sets the ‘SS1 Request’ bit in the SS1 Activation attribute, and also sets
the module:SI.SS1Active safety input tag. When the SS1 Active bit is set, the
SS1 Stop Action will be executed by the configured SS1 Stop Action Source.
See Safe Stop 1 Stopping Action and Source for more information.


After the SS1 Active bit is set, the configured SS1 Decel Monitor Delay timer
begins. After the configured Decel Monitor Delay expires, an internal speed
ramp value is computed every time that the encoder is sampled. If the
magnitude of module:SI.FeedbackVelocity exceeds the sum of the internal
ramp plus Decel Speed Tolerance, the SS1 Fault Type attribute is set to
‘Deceleration Rate’ and the SS1 Fault attribute is set to Faulted.

Figure 25 describes the equations that are used for computing the deceleration
reference rate and tolerance.

Figure 25 - SS1 Deceleration Reference Rate and Tolerance Calculation

$$\text{Decel Reference Rate} = \frac{\text{Decel Reference Speed}}{1000 \times \text{Stop Delay}}$$

If Time Units = Seconds,

$$\text{SS1 Decel Ref Rate} = -\frac{\text{Decel Reference Rate} \times \text{Position Scaling}}{\text{Feedback Resolution}}$$

$$\text{SS1 Decel Tolerance} = \frac{\text{Decel Reference Tolerance} \times \text{Position Scaling}}{\text{Feedback Resolution}}$$

If Time Units = Minutes,

$$\text{SS1 Decel Ref Rate} = -\frac{\text{Decel Reference Rate} \times \text{Position Scaling}}{\text{Feedback Resolution} \times 60}$$

TIP A Configured Decel Reference Rate of 0 disables the ramp check. SS1 will
fault if the drive does not slow to less than the Standstill Speed.

If the magnitude of module:SI.FeedbackVelocity is not less than the configured
Standstill Speed before Max Stop Time expires, the SS1 Fault Type is set to
‘Maximum Time’ and the SS1 Fault attribute is set to ‘Faulted’. Figure 26
describes the equations that are used for computing the standstill speed.

Figure 26 - SS1 Standstill Speed Calculation

If Time Units = Seconds,

$$\text{SS1 Standstill Speed} = \frac{\text{Standstill Speed} \times \text{Position Scaling}}{\text{Feedback Resolution}}$$

If Time Units = Minutes,

$$\text{SS1 Standstill Speed} = \frac{\text{Standstill Speed} \times \text{Position Scaling}}{\text{Feedback Resolution} \times 60}$$

Where Standstill Speed, Position Scaling, and Feedback Resolution are
user-configured values.

When the magnitude of module:SI.FeedbackVelocity is less than the Standstill
Speed, the SS1 Complete flag in the STO Activation attribute is set, and STO
Active is set. If STO Delay is positive (and SBC Mode = Not Used) or if STO
to SBC Delay is negative (and STO Activates SBC = Linked), then the Torque
Disabled attribute is set after the configured time delay. Otherwise, the Torque
Disabled attribute is set immediately.

Figure 27 shows the timing of the Monitored SS1 operation, along with the
restart type behavior.

Figure 27 - Monitored Safe Stop 1

[Timing diagram, shown for Restart Type = Automatic and Restart Type = Manual. Signals and labeled states:]
Velocity: annotated with SS1 Max Stop Time, SS1 Decel Ref Rate, SS1 Decel Monitor Delay, and Standstill Speed
SO.SS1Request (1): SS1 Request
SS1 Activation (2): 0x00, then 0x01 = SS1 Request, then 0x00
SI.SS1Active (3): SS1 Active
STO Activation (2): 0x00, then 0x02 = SS1 Complete, then 0x00
SI.STOActive (3): Disable Torque
SI.TorqueDisabled (3): Torque Disabled
SI.RestartRequired (3): Restart Required
SI.RequestReset (1): Required if Restart Type = Manual

(1) Safety Output Assembly (2) Safe Stop Function Attribute (3) Safety Input Assembly

TIP Speed units are configured by the ‘Position Units’ and ‘Time Units’ AOP
Controls on the Scaling page.

TIP A Configured Decel Reference Rate of 0 disables the ramp check. SS1 will
fault if the drive does not slow to less than the Standstill Speed within Max
Stop Time.
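
The Monitored Safe Stop 1 checks described above, modeled over constructed velocity traces (an added example, not part of the manual or the module firmware). It assumes the ramp starts from the speed sampled when the Decel Monitor Delay expires, works in user speed units with time in seconds measured from SS1 Active, and treats the Decel Reference Rate as a magnitude; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, NamedTuple, Tuple

# STO Activation bit values as shown in Figures 24, 27 and 28 of this section.
STO_ACT_NONE = 0x00
STO_ACT_SS1_COMPLETE = 0x02
STO_ACT_SAFETY_STOP_FAULT = 0x04


@dataclass
class SS1Config:
    decel_monitor_delay: float  # s after SS1 Active before the ramp check starts
    max_stop_time: float        # s after SS1 Active allowed to reach standstill
    decel_ref_rate: float       # speed units per s (magnitude); 0 disables the ramp check
    decel_tolerance: float      # speed units allowed above the ramp
    standstill_speed: float     # speed units


class SS1Result(NamedTuple):
    outcome: str         # "SS1 Complete", "Deceleration Rate", "Maximum Time" or "In Progress"
    time: float          # sample time at which the outcome was decided
    sto_activation: int  # resulting STO Activation bit


def monitor_ss1(cfg: SS1Config, samples: List[Tuple[float, float]]) -> SS1Result:
    """Evaluate (time, feedback velocity) samples taken after SS1 Active was set."""
    ramp_origin = None  # (time, speed) where the internal ramp starts (assumption)
    last_t = 0.0
    for t, velocity in samples:
        last_t = t
        speed = abs(velocity)  # the checks use the magnitude of the feedback velocity
        if speed < cfg.standstill_speed:
            # Below Standstill Speed: SS1 Complete is set in STO Activation.
            return SS1Result("SS1 Complete", t, STO_ACT_SS1_COMPLETE)
        if t >= cfg.max_stop_time:
            # Not below Standstill Speed before Max Stop Time expired.
            return SS1Result("Maximum Time", t, STO_ACT_SAFETY_STOP_FAULT)
        if cfg.decel_ref_rate > 0 and t >= cfg.decel_monitor_delay:
            if ramp_origin is None:
                ramp_origin = (t, speed)
            t0, v0 = ramp_origin
            ramp = max(0.0, v0 - cfg.decel_ref_rate * (t - t0))
            if speed > ramp + cfg.decel_tolerance:
                # Feedback exceeds internal ramp plus Decel Speed Tolerance.
                return SS1Result("Deceleration Rate", t, STO_ACT_SAFETY_STOP_FAULT)
    return SS1Result("In Progress", last_t, STO_ACT_NONE)


def constructed_traces():
    """Constructed sample data: 100 ms samples starting at speed 1000."""
    cfg = SS1Config(decel_monitor_delay=0.2, max_stop_time=5.0,
                    decel_ref_rate=200.0, decel_tolerance=40.0,
                    standstill_speed=10.0)
    good = [(i / 10, 1000 - 25 * i) for i in range(51)]              # steady 250 units/s stop
    stalled = [(i / 10, max(600, 1000 - 25 * i)) for i in range(51)]  # deceleration stalls at 600
    slow = [(i / 10, 1000 - 10 * i) for i in range(61)]              # only 100 units/s
    return cfg, good, stalled, slow


if __name__ == "__main__":
    cfg, good, stalled, slow = constructed_traces()
    no_ramp = SS1Config(cfg.decel_monitor_delay, cfg.max_stop_time, 0.0,
                        cfg.decel_tolerance, cfg.standstill_speed)
    for name, c, trace in (("good", cfg, good), ("stalled", cfg, stalled),
                           ("slow, ramp check disabled", no_ramp, slow)):
        print(name, monitor_ss1(c, trace))
```

With the ramp check disabled (Decel Reference Rate = 0), the slow trace is only caught when Max Stop Time expires, which is the behavior the TIP above describes.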


SS1 Safety Fault

When an SS1 Safety Fault occurs, the STO function is activated immediately
and torque is disabled. Figure 27 describes the timing of attributes when an SS1
fault occurs during SS1 execution. Figure 28 describes the operation of SS1
when an SS1 fault is detected.

The ‘Safe State’ of the SS1 function is the Torque Disabled state. If the SS1
function detects a fault, it will set:
• module:SI.SafetyFault = 1
• module:SI.RestartRequired = 1
• SS1 Fault Type

• In Standard Control Mode
– Device: P10 [SS1 Fault Type] = varies depending on the cause of the
fault. See descriptions of faults in Table 105 on page 255.
– Host: P4 [Safety Status] Safety Fault = 1
– Host: P4 [Safety Status] Restart Req = 1
– Host: P5 [Safety Faults] SS1 Fault = 1
– 755 Port 0: P933 [Start Inhibits], bit 7 = ‘Safety’
755T Port 0: P351 [M Start Inhibits], bit 8 = ‘Safety’
– 755 Port 0: P951 [Last Fault Code] = ‘Safety Brd Flt’
755T Port 0: P610 [Last Fault Code] = ‘Safety Brd Flt’

• In Motion Control Mode
– axis.SafetyFault = 1
– axis.SafeTorqueOffActiveInhibit = 1
– axis.SafetyFaultStatus = 1
– axis.SafetyResetRequiredStatus = 1
– axis.SS1Fault = 1

Clearing a Safety Fault requires correcting the fault condition and a 0→1
transition on Request Reset. For more information on SS1 Safety Faults, see
Understand Safety Faults on page 199.


Figure 28 - Safe Stop 1 Fault Operation

[Timing diagram. Signals and labeled states:]
Velocity: annotated with SS1 Max Stop Time, Fault Occurs (Feedback Velocity > Expected Velocity), Coast to Stop, and Standstill Speed
SO.SS1Request (1): SS1 Request
SS1 Activation (2): 0x00, then 0x01 = SS1 Request, then 0x00
SI.SS1Active (3): SS1 Active
SI.SafetyFault (1): Safety Fault
SS1 Fault Type (2): 1 = No Fault, then 3 = Deceleration Rate
STO Activation (2): 0x00, then 0x04 = Safety Stop Fault, then 0x00
SI.STOActive (3): Disable Torque
SI.TorqueDisabled (3): Torque Disabled
SI.RestartRequired (3): Restart Required
SO.RequestReset (1): Always Required to Reset a Fault

(1) Safety Output Assembly (2) Safe Stop Function Attribute (3) Safety Input Assembly

Safe Brake Control Function

The Safe Brake Control (SBC) function uses the module’s safety
outputs to control an electromechanical brake that is attached to the motor.
The SBC function releases the brake to allow motion or engages the brake to
prevent motion.

Safe Brake Control Activation

Safe Brake Control can be initiated by one or more sources:


• SBC Output – Clearing the Safety Output Assembly Tag
(module:SO.SBCOutput = 0)
• STO Active – If ‘STO Activates SBC’ is configured as ‘Linked’
• Safe Stop Fault – Any Safety Fault
• Safe Limit Fault – Reserved for future use


When SBC is activated, all sources of activation are stored in an attribute as a
bit mask, and the attribute can then be read to determine the causes of an SBC
activation. Figure 29 shows the operation of the SBC activation attribute. The
SBC Activation attribute can be read with explicit messaging (see attribute 365
in Table 18 on page 247).

Figure 29 - Safe Brake Control Activation

[Diagram: the bits of the SBC Activation attribute (SBC Output, STO Active (1), Safety Stop Fault, Safety Limit Fault) feed a logical OR that sets SBC Active. Brake Engaged follows SBC Active after the STO to SBC Delay:
Positive Value: Delay = |Value|
Negative Value: Delay = 0
Safety Fault: Delay = 0]

(1) STO Activates SBC = Linked

If the SBC Activation bit mask indicates that only STO Active is the source of
activation, then the STO to SBC Delay is executed. If the activation is not by
STO Active, or other activation bits are also set, the STO to SBC Delay is not
executed and the brake is immediately engaged.
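
The delay rules stated in Figure 19, Figure 29, the STO Delay sections and the paragraph above, combined into one decision function (an added example, not Rockwell Automation code). The function and argument names are hypothetical, and delays are plain integers in whatever time unit the configuration uses, since this section does not state one.

```python
from typing import NamedTuple, Optional

# Bit values shown in the figures of this section.
STO_ACT_SAFETY_STOP_FAULT = 0x04  # STO Activation: Safety Stop Fault
SBC_ACT_STO_ACTIVE = 0x02         # SBC Activation: STO Active


class StopDelays(NamedTuple):
    torque_disable: Optional[int]  # STO Active -> Torque Disabled; None if STO is not active
    brake_engage: Optional[int]    # SBC Active -> Brake Engaged; None if SBC is not active


def resolve_delays(sbc_used: bool, sto_activates_sbc_linked: bool,
                   sto_delay: int, sto_to_sbc_delay: int,
                   sto_activation: int, sbc_activation: int) -> StopDelays:
    """Return the delays that apply for the given configuration and bit masks."""
    if sto_delay < 0:
        raise ValueError("STO Delay must be a positive integer value or 0")
    fault = bool(sto_activation & STO_ACT_SAFETY_STOP_FAULT)

    torque = None
    if sto_activation:
        if fault:
            torque = 0                   # safety fault: any configured delay is ignored
        elif not sbc_used:
            torque = sto_delay           # STO Delay is only permitted with SBC Mode = Not Used
        elif sto_activates_sbc_linked and sto_to_sbc_delay < 0:
            torque = -sto_to_sbc_delay   # negative value: brake first, torque after |value|
        else:
            torque = 0                   # SBC in use: STO Delay is set to zero

    brake = None
    if sbc_used and sbc_activation:
        only_sto_active = sbc_activation == SBC_ACT_STO_ACTIVE
        if (only_sto_active and sto_activates_sbc_linked
                and sto_to_sbc_delay > 0 and not fault):
            brake = sto_to_sbc_delay     # positive value: torque first, brake after |value|
        else:
            brake = 0                    # any other bit set: brake engages immediately
    return StopDelays(torque, brake)


if __name__ == "__main__":
    # Constructed cases: (description, arguments)
    cases = [
        ("STO Output, SBC not used, STO Delay 500", (False, False, 500, 0, 0x01, 0x00)),
        ("Safety fault, SBC not used, STO Delay 500", (False, False, 500, 0, 0x04, 0x00)),
        ("Linked, STO to SBC Delay +200", (True, True, 0, 200, 0x01, 0x02)),
        ("Linked, STO to SBC Delay -200", (True, True, 0, -200, 0x01, 0x02)),
        ("Linked, +200, safety fault (SBC mask 0x06)", (True, True, 0, 200, 0x04, 0x06)),
    ]
    for text, args in cases:
        print(text, "->", resolve_delays(*args))
```

The SBC Activation value 0x06 that appears when a safety fault occurs with STO linked has more than the STO Active bit set, so the function returns an immediate brake engagement for it.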

Safe Brake Control Reset

After the brake is engaged due to an SBC activation, the SBC function must be
reset in order to release the brake. When the SBC function must be reset, the
following attribute values are set:
• module:SI.SBCActive = 1
• module:SI.RestartRequired = 1

• In Standard Control Mode
– Host: P4 [Safety Status] SBCActive = 1
– Host: P4 [Safety Status] Restart Req = 1

• In Motion Control Mode
– axis.SBCActiveStatus = 1
– axis.SafetyResetRequiredStatus = 1

The steps to reset the SBC function depend on the cause of SBC activation
and the Restart/Cold Start Type configured in the module.


Safety Fault SBC Activation Reset

IMPORTANT When the SBC function is activated by a Safety Fault, the cause of the safety
fault must be removed before the SBC function can be reset, regardless of
the configured restart type.

Once the fault is removed, a 0→1 transition on module:SO.ResetRequest tag
will reset the SBC function to the Brake Released state.

SBC Automatic Cold Start/Restart Type Operation

If there are no Safety Faults in the module, the STO function can be reset by a
0→1 transition on the module:SO.SBCOutput tag.

SBC Manual Cold Start/Restart Type Operation

If Restart Type is set to ‘Manual’ and there are no Safety Faults in the module,
the SBC function can be reset by a 0→1 transition on the
module:SO.SBCOutput tag, then a 0→1 transition on
module:SO.ResetRequest tag.

TIP Setting module:SO.SBCOutput = 1 and module:SO.RequestReset = 1 in the
same scan will enable torque.

Safe Brake Control Modes

SBC Mode specifies if the SBC functionality is used and how the safety
outputs controlling the brake operate. The mode also changes the instances of
the CIP objects controlling the safety outputs. The following modes are
supported by the module.

Not Used

In ‘Not Used’ mode, the SBC function will not be used by the application. The
associated safety outputs are not under SBC control, and can be configured
independently. The safety outputs are mapped to the following CIP objects:
• So0: Safety Discrete Output Point Object Instance 1
• So1: Safety Discrete Output Point Object Instance 2
• Safety Dual Channel Output Object Instance 1

Used, No Test Pulses

In ‘Used, No Test Pulses’ mode, the associated safety outputs are not pulse
tested. The associated safety outputs are under SBC control and cannot be
configured independently. The safety outputs are mapped to the following CIP
objects:
• So0: Safety Discrete Output Point Object Instance 3
• So1: Safety Discrete Output Point Object Instance 4
• Safety Dual Channel Output Object Instance 2

Used, Test Pulses

In ‘Used, Test Pulses’ mode, the associated safety outputs are tested with a
500 µs pulse every 300 ms when the brake is in the released state (outputs
energized). Pulse tests of So0 and So1 outputs are shifted in time, allowing So0
to So1 shorts to be detected. There is no difference in implementation of
Safety Outputs pulse testing in SBC control versus direct control.

In the ‘Used, Test Pulses’ mode, the safety outputs are under SBC control and
cannot be configured independently. The safety outputs are mapped to the
same CIP objects as the ‘Used, No Test Pulses’ mode.

For more information on the pulse testing that is performed by the SBC
function, see Latch Output Error Operation in Single Channel Mode on
page 52.

IMPORTANT If the Safe Brake Mode is set to ‘Not Used’, then setting the Safety Output tag
module:SO.SBCOutput = 1 sets the SBC Fault and sets the SBC Fault Type to
‘Config’.

IMPORTANT If the Safe Brake Mode is set to ‘Not Used’, then the state of the two safety
outputs So0 and So1 are controlled by Safety Output Assembly tags;
otherwise, the two Safety Outputs are controlled by the Safe Brake Function.

IMPORTANT If the Safe Brake Mode is set to ‘Used’, then the Safety Input Assembly tags
associated with safety outputs will be forced to:
module:SI.Out00Monitor = 0
module:SI.Out01Monitor = 0
module:SI.Out00Status = 0
module:SI.Out01Status = 0
module:SI.Out00Ready = 0
module:SI.Out01Ready = 0

Safe Brake Control Operation

Safe Brake Control (SBC) operation can be activated by the safety output
assembly or by STO.


SBC Operation when Activated by Safety Output Assembly

When the SBC function is activated by clearing the module:SO.SBCOutput
tag, the associated safety outputs are deenergized, forcing the brake to engage,
and torque is still enabled. Figure 30 shows the timing of SBC attributes when
the SBC function is executed independently.

Figure 30 - SBC Operation by Safety Output Assembly

[Timing diagram, shown for Restart Type = Automatic and Restart Type = Manual. Signals and labeled states:]
SO.SBCOutput (1): Engage Brake
SI.TorqueDisabled (3): Torque Enabled
SBC Activation (2): 0x00, then 0x01 = SBC Output
SI.SBCActive (3): Engage Brake
SI.BrakeEngaged (3): Brake Engaged
So0 and So1 (4): Brake Engaged
SO.ResetRequest (1): Restart Required; Required If Restart Type = Manual

(1) Safety Output Assembly (2) Safe Stop Function Attribute
(3) Safety Input Assembly (4) 24V DC Safety Output

STO Activates SBC Operation

If the SBC function is configured to link STO and SBC activation, any STO
activation will cause the SBC function to be activated as well. The brake is
engaged (deenergized) by the SBC function when torque is disabled by the
STO function.

If the SBC function is configured to link STO activation to SBC activation,
you can configure an STO to SBC Delay time where:
• STO to SBC Delay > 0 configures a delay between when STO is
activated and the brake is released. Figure 31 describes this operation.
• STO to SBC Delay < 0 configures the brake to engage when STO is
activated and delays disabling torque. Figure 32 describes this operation.


Figure 31 - SBC Linked to STO with Positive Delay

[Timing diagram, shown for Restart Type = Automatic and Restart Type = Manual. Signals and labeled states:]
SI.STO Active (1): Disable Torque
SI.TorqueDisabled (1): Torque Disabled
SBC Activation (2): 0x00, then 0x02 = STO Active
SI.SBCActive (1): Engage Brake
Interval marked: (STO to SBC Delay) > 0
SI.BrakeEngaged (1): Brake Engaged
So0 and So1 (3): Brake Engaged
SO.RequestReset (4): Required If Restart Type = Manual

(1) Safety Output Assembly (2) Safe Stop Function Attribute
(3) 24V DC Safety Output (4) Safety Output Assembly

Figure 32 - SBC Linked to STO with Negative Delay

[Timing diagram, shown for Restart Type = Automatic and Restart Type = Manual. Signals and labeled states:]
SI.STO Active (3): Disable Torque
SI.TorqueDisabled (3): Torque Disabled
SBC Activation (2): 0x00, then 0x02 = STO Active
SI.SBCActive (3): Engage Brake
Interval marked: (STO to SBC Delay) < 0
SI.BrakeEngaged (3): Brake Engaged
So0 and So1 (4): Brake Engaged
SO.RequestReset (5): Required If Restart Type = Manual

(1) Safety Output Assembly (2) Safe Stop Function Attribute (3) Safety Input Assembly
(4) 24V DC Safety Output (5) Safety Output Assembly

SBC Safety Fault Operation

The operation of SBC under a safety fault condition is dependent on its
configuration. If the SBC function is not configured for use, the SBC function
is not activated when a safety fault occurs. If configured for use, a safety fault
will force the SBC function to the safe state, but the sequence of events leading
to the safe state changes. The ‘Safe State’ of the SBC function is the ‘Brake
Engaged’ state.

SBC not Linked to STO Safety Fault Operation

When a safety fault is detected in the module (and the SBC function is
configured to not be linked to STO activation), the SBC function will be
activated with the SBC activation reason being ‘Safety Stop Fault’. The SBC
function can be reset once the safety fault is cleared. Figure 33 shows the
timing of SBC and torque attributes in response to a safety fault in this
scenario.

Figure 33 - SBC Operation Under Safety Fault Condition (not linked to STO)

[Timing diagram. Signals and labeled states:]
SI.SafetyFault (1): Safety Fault
SBC Activation (2): 0x00, then 0x04 = Safety Stop Fault
SI.SBCActive (3)
SI.BrakeEngaged (3): Brake Engaged
SI.TorqueDisabled (3): Torque Disabled
SI.RestartRequired (3): Disable Torque
SO.ResetRequest (1): Reset Fault

(1) Safety Output Assembly (2) Safe Stop Function Attribute (5) Safety Input Assembly

STO Linked to SBC Safety Fault Operation

When a safety fault is detected in the module and the SBC function is
configured to link STO and SBC activation, the SBC function will be
activated with the SBC activation reason being ‘STO Active’ and ‘Safety Stop
Fault’. The SBC and STO function can be reset once the safety fault is cleared.

Figure 34 and Figure 35 show the operation of the SBC function under a safety
fault condition when linked to STO.


Figure 34 - SBC Operation under Safety Fault Condition (linked to STO with positive delay)

[Timing diagram. Signals and labeled states:]
SI.SafetyFault (2): Safety Fault
STO Activation (1): 0x00, then 0x04 = Safety Stop Fault
SI.STOActive (2): Disable Torque
SI.TorqueDisabled (2): Torque Disabled
SBC Activation (1): 0x00, then 0x06 = STO Active, Safety Stop Fault
SI.SBCActive (2): Engage Brake
Interval marked: (STO to SBC Delay) > 0
SI.BrakeEngaged (2): Brake Engaged
So0 and So1 (3): Brake Engaged
SO.RequestReset (4): Always Required to Reset a Fault; Fault Cleared

(1) Safe Stop Function Attribute (2) Safety Input Assembly
(3) 24V DC Safety Output (4) Safety Output Assembly

Figure 35 - SBC Operation under Safety Fault Condition (linked to STO with negative delay)

[Timing diagram. Signals and labeled states:]
SI.SafetyFault (2): Safety Fault
STO Activation (1): 0x00, then 0x04 = Safety Stop Fault
SI.STOActive (2): Disable Torque
SI.TorqueDisabled (2): Torque Disabled
SBC Activation (1): 0x00, then 0x06 = STO Active, Safety Stop Fault
SI.SBCActive (1): Engage Brake
Interval marked: (STO to SBC Delay) < 0
SI.BrakeEngaged (2): Brake Engaged
So0 and So1 (3): Brake Engaged
SO.RequestReset (4): Always Required to Reset a Fault; Fault Cleared

(1) Safe Stop Function Attribute (2) Safety Input Assembly
(3) 24V DC Safety Output (4) Safety Output Assembly


SBC Safety Fault

When the module experiences an SBC Fault, the module is placed in the safe
state and the cause of the fault is recorded.

If the SBC function detects a fault, it sets:

• module:SI.SafetyFault = 1
• module:SI.RestartRequired = 1
• module:SI.SBCReady = 0
• In Standard Control Mode
  – Host P4 [Safety Status] Safety Fault = 1
  – Host P4 [Safety Status] Restart Req = 1
  – Host P5 [Safety Faults] SBC Fault = 1
• In Motion Control Mode
  – axis.SafetyFaultStatus = 1
  – axis.SafetyResetRequiredStatus = 1
  – axis.SBCFault = 1

For more information on SBC fault types and troubleshooting methods, see
the Understand Safety Faults chapter beginning on page 199.

Connecting a Safety Brake

The safety brake control function uses the safety outputs So0 and So1 to
control a safety brake.

The design of a safety brake circuit is application-dependent and is based on
the following factors:
• Choice of safety brake for the application
• If the brake provides feedback in the application
• If the application uses single or dual channel

The safety brake function interfaces to the safety brake through the two safety
outputs So0 and So1. So0 and So1 are 24V DC, 1 A sourcing outputs.
Figure 36 shows a wiring example for connecting a brake to the module.

Usually the voltage and current rating of the safety brake is much higher than
the 24V DC and 1 A that the safety outputs can directly control. To support
brakes that require higher voltage and higher current, an interposing
safety relay such as the 700S-CF Safety Control Relay is required.

Safety brakes typically require a voltage suppression device. Most safety brakes
provide a suppression device as an option or they specify a diode or MOV to
use. Use the recommended suppression devices.


The drive-based SBC function does not implement checking of brake
feedback; however, the available safety inputs can be used to send the status of
brake feedback to the safety controller that is programmed with a diagnostic
check.

TIP The controller-based SBC instruction does perform a diagnostic check of
brake feedback while drive-based SBC does not. However, drive-based SBC
can be configured to complete a Safe Stop 1 before engaging the brake in
reaction to a Comm Loss or a Comm Idle.

Figure 36 - Safety Brake Wiring

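Wiring diagram. Module terminals, in the order shown:
• Test Output 1 (To1)
• Safety Input 2 (Si2)
• Safety Common (SC)
• Safety Input 3 (Si3)
• Test Output 0 (To0)
• not used (NC)
• Safety Output 0 (So0)
• Safety Common (SC)
• Safety Output 1 (So1)
• Safety Input 0 (Si0)
• Safety Common (SC)
• Safety Input 1 (Si1)
• Safety Common (SC)
• Safety Power (SP)

External components shown: 24V DC SELV/PELV Supply (+ -), K1, M, BR1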



Chapter 5

Controller-based Safety Functions

Use this chapter to become familiar with the GuardLogix® controller-based
Drive Safety instructions and how they interact with PowerFlex® 755/755T
drive products with a 20-750-S4 Integrated Safety Functions option module.

Topics in this chapter:
• Drive Safety Instructions
• Pass-through Data Using Standard I/O Mode
• Pass-through Data Using Integrated Motion
• SFX Instruction

See the GuardLogix Safety Application Instruction Set Reference Manual,
publication 1756-RM095, for more information on the Drive Safety
instructions and TÜV Rheinland certification.

Drive Safety Instructions

The Drive Safety instructions (see Table 40 on page 94) are designed to work
with the 20-750-S4 option module. They are available in the Studio 5000
Logix Designer® application, version 31.00 or later, in the Drive Safety
instruction element group that is enabled when the Safety Program -
MainRoutine is open (see Figure 37 on page 94).

Controller-based safety functions operate in GuardLogix 5580 or Compact
GuardLogix 5380 controllers and use the EtherNet/IP™ network to
communicate with the safety I/O. Drive Safety instructions use safety
feedback, provided by PowerFlex 755/755T drive products to the Safety Task
of the controller, to perform safe monitoring functions.


Table 40 - Drive Safety Instructions

Safety Instruction | Description
Safety Feedback Interface (SFX) | The SFX function scales feedback position into position units and feedback velocity into position units per time unit. SFX is used with other Drive Safety instructions. SFX also provides unwind for rotary applications and position homing.
Safe Stop 1 (SS1) | The SS1 function monitors the motor deceleration rate within set limits during motor stopping and provides an indication to initiate Safe Torque Off (STO) function when the motor speed is below the specified limit.
Safe Stop 2 (SS2) | The SS2 function monitors the motor deceleration rate within set limits during motor stopping and initiates the Safe Operating Stop (SOS) function when the motor speed is below the specified limit.
Safe Operational Stop (SOS) | The SOS function prevents the motor from deviating more than a defined amount from the stopped position.
Safely-limited Speed (SLS) | The SLS function prevents the motor from exceeding the specified speed limit.
Safely-limited Position (SLP) | The SLP function prevents the motor shaft from exceeding the specified position limits.
Safe Direction (SDI) | The SDI function prevents the motor shaft from moving in the unintended direction.
Safe Brake Control (SBC) | The SBC function provides safe output signals to control an external brake.

Figure 37 - Drive Safety Tab and Instructions

Screenshot callouts: Drive Safety Instructions, Drive Safety Tab, Drive Safety Example


Before Adding the Safety Instructions

Before adding drive safety instructions to your Logix Designer application, you
must have PowerFlex 755/755T drive products with 20-750-S4 options
installed in your project.

Drive Safety Instruction Example

Drive Safety instructions provide the following information. In this example,
the Safely-limited Speed (SLS) instruction is shown.

Figure 38 - SLS Drive Safety Instruction

Instruction callouts: Configurable Inputs, Inputs, Pass Through, Outputs

Table 41 - Drive Safety Instruction Definitions

Instruction Information: Description

Configurable Inputs: Safety function parameters that are used to define how
the safety function operates.

Inputs:
• Feedback SFX is the link to the SFX instruction for an axis.
• Request initiates the safe monitoring function.
• Reset initiates a safety instruction reset.

Pass Through: Safety Output Assembly Object tags pass safety function status
information from the Safety Task of the safety controller to the safety
instance of the drive module. The status is made available to the motion
controller. In standard I/O mode, datalinks must also be configured to provide
status information to the standard controller.

Outputs:
• Fault Type is the instruction fault code that indicates the type of fault that
  occurred.
• Diagnostic Code provides additional details on the fault.
• O1 - Output 1 indicates the status of the instruction. When ON (1), it indicates
  that the input conditions are satisfied.
• RR - Reset Required indicates when a reset is needed to restart the instruction
  or to clear faults.
• FP - Fault Present indicates whether a fault is present in the instruction.


Pass-through Data Using Standard I/O Mode

The Drive Safety instructions provide safety function monitoring in the safety
task of a controller. Control of the drive is done in the main program within
the standard (main) task of a controller. For the main program to receive safety
status information from the Drive Safety instruction, tag data in the safety
output assembly for the drive module (safety task) is passed to the drive and
then data linked to tags in the main task.

This is especially useful when the user's program is in a separate controller from
the safety program that is in a safety controller. Figure 39 shows how this works
for the SLS instruction.

IMPORTANT Pass-through data is for status information only and does not impact
configured safety functions.

Figure 39 - Pass-through Data Path (Standard I/O Mode)

Diagram panels: Safety Task Programming, PowerFlex 755 Drive, Standard Task
Programming, Controller-based Instruction Example

Diagram callouts:
• Safety Device
• Safety demand initiates monitoring of the SLS safety function.
• SLS Active is set high (1).
• SLS Active status is sent to the drive.
• SLS Active status is passed to the Standard Task via Datalinks.
• SLS Active Status initiates change of motion speed.

SLS Active status and safety faults are passed to the standard task via user-
configured datalinks (inputs) to the following host config parameters in the
Integrated Safety Functions option module:
• P4 [Safety Status]
• P5 [Safety Faults]

TIP Other safety parameters may also need to be data linked depending on your
application.


Table 42 - SLS Tag Information

Safety Output Assembly Tag | Axis Tag
module:SO.SLSActive | Drive:I.SafetyStatus SLSActive
module:SO.SLSLimit | Drive:I.SafetyStatus SLSLimit
module:SO.SLSFault | Drive:I.SafetyStatus SLSFault

TIP The words module and drive (italic) in these tag names represent the
module and drive name that is assigned in the Logix Designer application.

The following steps correspond to the activity in Figure 39.

1. Safety device reports a request to the safety zone. Initiates monitoring by
   the SLS instruction (Safety Task).
2. SLS Active status is passed to the Standard program (Safety Task to
   Standard Task via the drive).
3. The Standard program adjusts the speed of the drive to below the SLS
   Active Limit during the Check Delay (Standard Task).
4. If the drive speed exceeds the SLS Active Limit (Safety Task) during SLS
   monitoring, the SLS Limit output is set.
   – Optionally, a stopping safety function can be initiated within the
     safety program.


Pass-through Data Using Integrated Motion

The Drive Safety instructions provide safety function monitoring in the safety
task of the controller. Control of the drive is done in the motion programming
within the standard task of the controller. For the main program to receive
status information from the Drive Safety instruction, tag data in the output
assembly for the drive module (safety task) are passed to the drive and then to
the corresponding tag in the axis structure (standard task).

This is especially useful when the motion program is in a separate controller
from the safety program that is in a safety controller. Figure 40 shows how this
works for the SLS instruction.

IMPORTANT Pass-through data is for status information only and does not impact
configured safety functions.

Figure 40 - Pass-through Data Path

Diagram panels: Safety Task Programming, PowerFlex 755 Drive, Standard Task
Programming, Controller-based Instruction Example

Diagram callouts:
• Safety Device
• Safety demand initiates monitoring of the SLS safety function.
• SLS Active is set high (1).
• SLS Active status is sent to the drive.
• SLS Active status is passed to the Standard Task.
• SLS Active Status initiates change of motion speed.

Table 43 - SLS Tag Information

Safety Output Assembly Tag | Axis Tag
module:SO.SLSActive | Axis.SLSActiveStatus
module:SO.SLSLimit | Axis.SLSLimitStatus
module:SO.SLSFault | Axis.SLSFault

TIP The words module and axis (italic) in these tag names represent the module
and axis name that is assigned in the Logix Designer application.


The following steps correspond to the activity in Figure 40.

1. Safety device reports a request to the safety zone.
   Initiates monitoring by the SLS instruction (Safety Task).
2. SLS Active status is passed to the motion program (Safety Task to
   Standard Task via the drive).
3. The motion program adjusts the speed of the drive to below the SLS
   Active Limit during the Check Delay (Standard Task).
4. If the drive speed exceeds the SLS Active Limit (Safety Task) during SLS
   monitoring, the SLS Limit output is set.
   – Optionally, a stopping safety function can be initiated within the
     safety program.
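The four-step sequence listed for Figure 39 (Standard I/O mode) and Figure 40 (Integrated Motion) can be traced with a small scan-by-scan model. This is an added example, not code from the manual or from Rockwell Automation; the class and function names, the limit, delay, speed and scan values, and the timing of when SLS Active is raised and when limit checking starts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SlsMonitor:
    """Simplified stand-in for SLS monitoring in the Safety Task (assumed model)."""
    active_limit: int                      # SLS Active Limit, speed units (constructed)
    check_delay_ms: int                    # Check Delay in ms (constructed)
    sls_active: bool = False
    sls_limit: bool = False
    requested_at_ms: Optional[int] = None

    def scan(self, now_ms: int, request: bool, speed: int) -> dict:
        # Step 1: a safety request starts monitoring and raises SLS Active.
        if request and self.requested_at_ms is None:
            self.requested_at_ms = now_ms
            self.sls_active = True
        elif not request and not self.sls_limit:
            self.requested_at_ms = None
            self.sls_active = False
        # Step 4: once the Check Delay has elapsed, a speed above the limit
        # sets SLS Limit. Assumption: it stays set until a reset (not modeled).
        if self.sls_active and now_ms - self.requested_at_ms >= self.check_delay_ms:
            if abs(speed) > self.active_limit:
                self.sls_limit = True
        # Step 2: these status bits are what the pass-through path carries.
        return {"SLSActive": self.sls_active, "SLSLimit": self.sls_limit}


def standard_task(passthrough: dict, speed: int, target: int, decel_per_scan: int) -> int:
    """Step 3: the standard (or motion) program slows down once it sees SLS Active."""
    if passthrough["SLSActive"] and speed > target:
        return max(target, speed - decel_per_scan)
    return speed


def run_sequence(decel_per_scan: int, scan_ms: int = 100, end_ms: int = 5000) -> dict:
    """Run one request at t = 1000 ms and report what the safety side concluded."""
    monitor = SlsMonitor(active_limit=300, check_delay_ms=2000)
    speed = 1000
    # The standard task reads the status image produced by the previous scan.
    passthrough = {"SLSActive": False, "SLSLimit": False}
    limit_set_at = None
    for now in range(0, end_ms, scan_ms):
        request = now >= 1000
        speed = standard_task(passthrough, speed, target=250,
                              decel_per_scan=decel_per_scan)
        passthrough = monitor.scan(now, request, speed)
        if passthrough["SLSLimit"] and limit_set_at is None:
            limit_set_at = now
    return {
        "final_speed": speed,
        "sls_active": passthrough["SLSActive"],
        "sls_limit": passthrough["SLSLimit"],
        "limit_set_at_ms": limit_set_at,
    }


if __name__ == "__main__":
    for decel in (50, 20, 0):   # prompt, too slow, and no reaction at all
        print(decel, run_sequence(decel))
```

The second and third runs show why the pass-through data is status only: the safety side sets SLS Limit from its own speed feedback whether or not the standard program reacted in time.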

SFX Instruction

The Safety Feedback Interface (SFX) instruction scales feedback position into
position units and feedback velocity into speed units per unit of time.
Feedback position and velocity are read from the safety input assembly and
become inputs to the instruction. The SFX instruction also sets a reference
position from a home input and performs position unwind in rotary
applications. Typically, one SFX instruction is used per safety drive. This
instruction provides the position and velocity feedback that is used by the
other safety instructions for the same safety drive.

The PowerFlex 755/755T drive provides safe position and velocity feedback.
Up to SIL 3 PLe safety rating can be achieved by using dual feedback with
velocity and/or position discrepancy checking.

The outputs of the SFX instruction are used as inputs to other Drive safety
instructions. For any drive with an Integrated Safety Functions option module
to execute a controller-based safety function, an SFX instruction is required.
Although the SFX instruction is a safety instruction, it alone does not perform
a safety function.

In Figure 41, the SS1 instruction uses the Actual Speed output from the SFX
instruction during execution of the SS1 safety function.


Figure 41 - SFX Instruction Feeds Data to SS1 Instruction

Diagram summary: the PowerFlex 755/755T Drive supplies the SFX instruction inputs.
• Feedback Position (counts) is scaled to Actual Position (position units)
• Feedback Velocity (feedback units/second) is scaled to Actual Speed
  (position units/second or position units/minute)

SFX Instruction Example

In this SFX example, an encoder has 512 feedback counts per motor revolution
and is scaled for position to have 512 counts per motor revolution.

The SFX instruction scales feedback position units from the safety
encoder/motor into the position feedback units used in applicable safety
instructions. It also scales feedback velocity units from the safety
encoder/motor into position feedback units per time unit.

Scaling Setup

When configuring the SFX instruction, calculate the value for ‘Position
Scaling’ so that the ‘Actual Position’ and ‘Actual Speed’ output from the
instruction matches the ‘Actual Position’ and ‘Actual Velocity’ in the motion
controller.

Values from ‘Axis Properties>Scaling and Motion Safety>Primary Feedback’
are required to calculate the instruction input.

The Feedback Resolution is determined based on the feedback device and the
Effective Resolution of the feedback. This information is configured on the
‘Module Properties>Motion Safety>Primary Feedback’ category.


Figure 42 - Effective Resolution Parameter

In this example, the motor is used in a rotary application where the unwind is
set to roll over each motor revolution. Therefore, the unwind of ‘512 Counts/
Rev’ was added in the SFX instruction appropriately.

Figure 43 - Scaling

Homing

Setting the ‘Actual Position’ output to the ‘Home Position input’ (homing) of
the instruction is required if using a position-based drive safety instruction like
Safely-limited Position (SLP). If a position-based drive safety instruction is not
being used on an axis, homing the SFX instruction is not required.

The data in the Primary Feedback category, Scaling category, and motor
unwind value is used to populate the SFX instruction.

Figure 44 - SFX Instruction Example

Figure callouts:
• Position Scaling value from Figure 43.
• Feedback Resolution value from Figure 42.
• Unwind value as specified for the motor used in this example.
• Used only with position-based drive safety instructions

See the GuardLogix Safety Application Instruction Set Reference Manual,
publication 1756-RM095, for more information on the drive safety
instructions.



Chapter 6

Standard I/O Mode – Configuration, Programming, and Operation

This chapter provides information for network installation and operation of
the Integrated Safety Functions option module in Standard I/O mode. If using
Integrated Motion mode, see Chapter 7.

Topics in this chapter:
• Safety Assembly Tags
• Configure Safety in the Logix Designer Application
• Programming
• Safety Function Operation
• Pass-through Data

Safety Assembly Tags

Using network safety, a GuardLogix® 5580 or Compact GuardLogix 5380
safety controller controls the PowerFlex® 755/755T Safe Torque Off function
through the SO.SafeTorqueOff tag in the safety output assembly.

The SO.SafetyStopFunctions tags are sent from the GuardLogix safety output
assembly to the PowerFlex 755 safety output assembly to control the safety
functions.

The SO.Output00Output, SO.Output01Output, SO.Test00Output, and
SO.Test01Output tags are sent from the GuardLogix safety output assembly to
the PowerFlex 755 safety output assembly to control the safety and test outputs
on the Integrated Safety Functions option module.

The SI.StopStatus tags are sent from the PowerFlex 755 to the GuardLogix
safety input assembly and indicate the PowerFlex 755 safety control status.

The SI.OutputStatus, SI.InputStatus, and SI.IOSupport tags are sent from the
PowerFlex 755/755T drive product to the GuardLogix safety input assembly
and indicate the status of the safety inputs, safety outputs, and test outputs.

The SI.ConnectionStatus tags indicate the safety input connection status.

See Appendix C for more information about assembly tags.


Configure Safety in the Logix Designer Application

This section provides instructions for how to add and configure an Integrated
Safety Functions option module in a PowerFlex 755/755T drive product to an
existing project in the Logix Designer application. This chapter is specific to
safety and does not cover all aspects of drive configuration. The PowerFlex 755
drive is used for the examples in this chapter.

Before you can configure your option module in the Logix Designer
application:
• You must have a safety controller project with an EtherNet/IP® network
  connection configured. See the documentation for your controller,
  drive, and Ethernet adapter for information on configuring those
  products (see Additional Resources on page 13).
• You must add a PowerFlex 755/755T drive product and 20-750-S4
  option module to your project.
• If using speed monitoring functions, install a 20-750-DENC-1 or
  20-750-UFB-1 option module in port 4, 5, or 6.

Add a PowerFlex 755 Drive/755T Drive Product to the Safety Controller Project

1. Select the Ethernet network in the I/O Configuration folder and select
   New Module.

2. Select from the following drive products and click Create.
   • PowerFlex 755 HiPwr-EENET
   • PowerFlex 755-EENET
   • PowerFlex 755T


TIP If you want to use a 20-750-ENETR Dual-port EtherNet/IP option module
with the PowerFlex 755/755T Integrated Safety Functions option module,
you must select PowerFlex 755-EENET or PowerFlex 755 HiPwr-EENET from
this list. Later in this procedure, you will use the Synchronize command so
that the module reflects an ENETR module and will work with the PowerFlex
755/755T Integrated Safety Functions option module.

This example uses the PowerFlex 755-EENET.


Add an Option Module to a PowerFlex 755 Drive

1. In the Device Definition dialog box, enter the connection type that you
   want to use. Select from one of the following types. The ‘Standard and
   Safety’ connection is used in this example.

Connection Type | Description | Requires Controller Firmware Revision
Standard | Control is managed by this controller. Safety is managed by another controller. | V31 or later
Standard and Safety | Both control and network safety connections are managed by this controller. A Standard and Safety connection can only be made from a GuardLogix 5580 or Compact GuardLogix 5380 controller. | V31.012 or later
Safety Only | Network safety connection is managed by this controller. Control is managed by another controller. A Safety connection can only be made from a GuardLogix 5580 or Compact GuardLogix 5380 controller. | V31 or later


2. When a network safety connection is selected, the 20-750-S3 Network
   STO option is selected by default. Click the Safety Peripheral pull-
   down menu and select 20-750-S4.

3. If feedback is being used (indicated by the selection in Safety Instance 1),
   enter a feedback device for the Safety Feedback Module.


4. Scroll down and enter additional Device Definition data for the drive
product being used.

Generate the Safety Network Number (SNN)

The assignment of a time-based SNN is automatic when you create a
GuardLogix safety controller project and add new Safety I/O devices.

Manual manipulation of an SNN is required in the following situations:
• If safety consumed tags are used
• If the project consumes safety input data from a device whose
  configuration is owned by some other device
• If a safety project is copied to another hardware installation within the
  same routable Safety system

If an SNN is assigned manually, the SNN has to be unique.

IMPORTANT If you assign an SNN manually, make sure that the system expansion does
not result in duplication of SNN and node address combinations.
A warning appears if your project contains duplicate SNN and node address
combinations. You can still verify the project, but Rockwell Automation
recommends that you resolve the duplicate combinations.


To edit the SNN, follow these steps.
a. In the Device Definition dialog box, click Edit to the right of the
   Safety Network Number.
b. Select either Time-based or Manual.
   If you select Manual, enter a value from 1…9999 decimal.
c. Click Generate.
d. Click OK.


Electronic Keying

The electronic keying options are for the standard connection to the drive.

Electronic Keying options:

Exact Match
  Indicates that all keying attributes must match to establish communication.
  If any attribute does not match precisely, communication with the device
  does not occur.

Compatible Module
  Lets the installed device accept the key of the device that is defined in the
  project when the installed device can emulate the defined device. With
  Compatible Module, you can typically replace a device with another device
  that has the following characteristics:
  • Same catalog number
  • Same or higher Major Revision
  • Minor Revision as follows:
    – If the Major Revision is the same, the Minor Revision must be the same or higher.
    – If the Major Revision is higher, the Minor Revision can be any number.

Disable Keying
  Indicates that the keying attributes are not considered when attempting to
  communicate with a device. With Disable Keying, communication can occur
  with a device other than the type specified in the project.

  ATTENTION: Be extremely cautious when using Disable Keying; if used
  incorrectly, this option can lead to personal injury or death, property
  damage, or economic loss.
  We strongly recommend that you do not use Disable Keying. If you use
  Disable Keying, you must take full responsibility for understanding whether
  the device being used can fulfill the functional requirements of the
  application.

  ATTENTION: Disable Keying is not permitted for safety devices.
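The keying rules in the table above can be written as a check that is run over a list of planned connections before commissioning. This is an added example, not Logix Designer behaviour or Rockwell Automation code: it models only the catalog number and revision attributes named in the table, and the function names, the sample project list and all revision numbers are constructed for illustration.

```python
from dataclasses import dataclass

EXACT_MATCH = "Exact Match"
COMPATIBLE_MODULE = "Compatible Module"
DISABLE_KEYING = "Disable Keying"


@dataclass(frozen=True)
class DeviceKey:
    catalog_number: str
    major: int
    minor: int


def keying_accepts(option, defined, installed, safety_connection=False):
    """Return (accepted, reason) for one connection under the table's rules."""
    if option == DISABLE_KEYING:
        if safety_connection:
            return False, "Disable Keying is not permitted for safety devices"
        return True, "keying attributes are not considered"
    if installed.catalog_number != defined.catalog_number:
        return False, "catalog number differs"
    if option == EXACT_MATCH:
        if (installed.major, installed.minor) == (defined.major, defined.minor):
            return True, "all modeled keying attributes match"
        return False, "revision differs from the project definition"
    if option == COMPATIBLE_MODULE:
        if installed.major > defined.major:
            return True, "higher Major Revision, any Minor Revision"
        if installed.major == defined.major and installed.minor >= defined.minor:
            return True, "same Major Revision, same or higher Minor Revision"
        return False, "installed revision is older than the defined revision"
    raise ValueError(f"unknown keying option: {option!r}")


def audit(project):
    """Evaluate every entry; returns a list of (name, accepted, reason)."""
    results = []
    for entry in project:
        accepted, reason = keying_accepts(
            entry["option"], entry["defined"], entry["installed"], entry["safety"])
        results.append((entry["name"], accepted, reason))
    return results


# Constructed sample project. Revision numbers are made up for the example.
S4 = "20-750-S4"
DRIVE = "PowerFlex 755-EENET"
PROJECT = [
    {"name": "standard, compatible, newer minor", "option": COMPATIBLE_MODULE,
     "safety": False, "defined": DeviceKey(DRIVE, 14, 2),
     "installed": DeviceKey(DRIVE, 14, 5)},
    {"name": "safety, exact match, minor differs", "option": EXACT_MATCH,
     "safety": True, "defined": DeviceKey(S4, 1, 3),
     "installed": DeviceKey(S4, 1, 4)},
    {"name": "safety, compatible, newer major", "option": COMPATIBLE_MODULE,
     "safety": True, "defined": DeviceKey(S4, 1, 3),
     "installed": DeviceKey(S4, 2, 0)},
    {"name": "safety, compatible, older minor", "option": COMPATIBLE_MODULE,
     "safety": True, "defined": DeviceKey(S4, 1, 3),
     "installed": DeviceKey(S4, 1, 1)},
    {"name": "safety, keying disabled", "option": DISABLE_KEYING,
     "safety": True, "defined": DeviceKey(S4, 1, 3),
     "installed": DeviceKey(S4, 1, 3)},
    {"name": "standard, keying disabled, other device", "option": DISABLE_KEYING,
     "safety": False, "defined": DeviceKey(DRIVE, 14, 2),
     "installed": DeviceKey("PowerFlex 755T", 1, 0)},
]

if __name__ == "__main__":
    for name, accepted, reason in audit(PROJECT):
        print(f"{'OK  ' if accepted else 'FAIL'} {name}: {reason}")
```

The last sample entry passes only because keying is disabled on a standard connection, which is the case the ATTENTION text warns about: a device of a different type is accepted without any check.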

5. Click Peripherals in the navigation tree and click the arrow in the top
left corner to expand the Network SSM *S4 section. The port location
can be changed if needed (uses ports 4, 5 or 6). The electronic keying
options that are specified here are for the safety connection with the
safety controller. ‘Exact Match’ or ‘Compatible Module’ must be used.


6. Click the Add new peripheral pull-down menu to add any additional
peripherals, such as feedback devices to use with the safety option
module.

In this example, a ‘20-750-UFB-1 Universal Feedback’ option module
has been added.

7. Click Connection Format in the navigation tree to open the
   Connection Format page.


The Input and Output tabs are for setting the datalinks between the
drive and the controller that is performing control. Add P4 [Safety
Status] and P5 [Safety Faults] to provide pass-thru data from the safety
task/safety controller to the main task/standard controller. Enter
additional datalinks as desired for your application.

The Safety Output and Safety Input tabs show the fixed safety data
between the drive and safety controller.
8. If Automatic Device Configuration (ADC) will be used, click
Automatic Device Configuration in the navigation tree to open the
Automatic Device Configuration page. The 20-750-S4 option module
has Host configuration parameters that can be set using the ADC
process.

9. Click OK to use the Automatic Device Configuration settings.

TIP You can click the Device Definition button from the Overview page to reopen
the Device Definition dialog box and make edits to the previous steps.


10. Click Create to create the drive and have it added to the I/O
Configuration folder. Save the project to save any edits and double-click
the drive in the I/O Configuration folder to reopen the drive properties
window.
11. Click Connection in the navigation tree to open the Connection page.
The safety output connection, safety input connection, and standard
connection configuration information is shown on this page. The
Requested Packet Interval (RPI) and Connection Reaction Time
Limit can be set according to the application.

The RPI for the Safety Output connection is fixed based on the period
of the safety task in the controller.

The Connection Reaction Time Limit sets the maximum age of safety
packets on the associated connection. If the age of the data that is used
by the consuming device exceeds the connection reaction time limit, a
connection fault occurs.

For safety output connections, the Max Observed Network Delay
displays the value that is generated by the output module. For safety
input connections, it displays the value that is generated by the
controller. The Max Observed Network Delay value is updated
automatically at a rate similar to the rate used by the Max Scan Time.
The Max Observed Network Delay displays ‘??’ when the status is
Faulted or Connecting.
12. Click Safety Configuration in the navigation tree to open the Safety
Configuration pages.

Primary Feedback, Scaling, Secondary Feedback, and Discrepancy
Checking will only be displayed if a feedback device is selected for the
Safety Feedback Module on the Device Definition Identity page (shown
on page 107).

Ownership indicates whether the current controller owns the
configuration of the safety module. The value is read directly from the
module and is available only online. When working offline, the label is
unavailable and a value does not appear. The value is updated when you
open the page and when you change to or from Run mode.
• Local is displayed when the current controller owns the module
  configuration.
• Remote (SNN: nnnn_nnnn_nnnn, Address: mm) is displayed
  when another device owns the module configuration. SNN:
  nnnn_nnnn_nnnn is the owning device. Address: mm is the node or
  slot number.
• read fails,?? is typically displayed when the module status is faulted
  or connecting.

Reset Ownership resets the ownership of the safety module. If the reset
ownership is confirmed, the module enters its out-of-box state
(configuration). The module is not owned. It becomes owned by the
first originator that successfully configures the module.
13. Click Actions under Safety Configuration in the navigation tree to
open the Actions page.

Use the settings on the Actions page to:
• Define the action to take when the safety connection is lost.
• Define the action to take when the safety connection goes idle.
• Define the restart and cold start behavior.

Restart is the restart behavior while operating. A cold start is the restart
behavior when applying controller power or controller mode changes to
‘Run’.


14. Click STO under Safety Configuration in the navigation tree to open
the STO page. The Delay value is the time delay between the STO
Active condition and Safe Torque Disabled. This allows the drive to
bring the motor to a controlled stop before disabling torque.

15. Click SS1 under Safety Configuration in the navigation tree to open
the SS1 page. Use the settings to configure the drive-based Safe Stop 1
(SS1) function, which decelerates the motor and then initiates a Safe
Torque Off (STO) in the drive.


Property: Description

Mode: Specifies the mode of the SS1 function. The Mode selection determines
which parameters on the tab are available to configure. The available options are:
  • Not Used
  • Timed SS1
  • Monitored SS1
  TIP Monitored SS1 is unavailable when Safety Instance 1 on the Identity page
  is set to ‘Safe Stop, No Feedback’.

Stop Monitor Delay: The delay time before deceleration is monitored. Valid
values are 0...65535. This option is not available when ‘Mode’ is ‘Timed SS1’.

Stop Delay: The stop delay time used when the SS1 function is initiated by a
stop type condition.

Max Stop Time: Displays the SS1 maximum stop time. This value is the sum of
‘Stop Delay’ and ‘Stop Monitor Delay’.

Decel Reference Speed: Specifies the deceleration speed to monitor for SS1.
This parameter is unavailable when ‘Mode’ is ‘Timed SS1’.

Decel Reference Rate: The minimum rate of deceleration while stopping.
This parameter is unavailable when ‘Mode’ is ‘Timed SS1’.
  TIP Changing the Stop Delay value recalculates the Decel Reference Rate.

Decel Speed Tolerance: The speed tolerance that is applied to the deceleration
ramp check.

Standstill Speed: The speed limit that is used to declare motion as stopped.

16. Click Input Configuration under Safety Configuration in the
    navigation tree to open the Input Configuration page. If the general-
    purpose safety inputs on the 20-750-S4 option module will be used,
    configure the input points to match the application.


Property: Description

Point: The physical input points available for configuration (terminals Si0,
Si1, Si2, and Si3).

Point Operation - Type: Specifies the type of operation for the input.
Available options are:
  • Single Channel
  • Dual Channel Equivalent
  • Dual Channel Complementary

Point Operation - Discrepancy Time: The time in milliseconds that a
discrepancy must exist before a discrepancy alarm is raised. Valid values are
0...65535. This property is unavailable when ‘Point Operation - Type’ is set to
‘Single Channel’.

Point Mode: Specifies the mode of the input. Available options are:
  • Not Used
  • Safety Pulse Test - The associated test output point shown in the ‘Test
    Source’ field will be used to pulse test the external wiring of the safety
    input.
  • Safety Semiconductor Input - The time in milliseconds that a discrepancy
    must exist between two corresponding safety inputs before an alarm is
    generated.
  • Safety Standard Input - The safety input will be treated as a standard
    input. No diagnostics are run. When using a safety input as a standard
    input, the ‘Point Operation Type’ must be set to ‘Single Channel’.

Test Source: Specifies the Test Output associated with the input. This property
is only available when ‘Point Mode’ is set to ‘Used with Test Output’.

Input Delay Time (ms) Off → On: Specifies the filter time in milliseconds for
off to on transition of the input. Valid values are 0...65535.

Input Delay Time (ms) On → Off: Specifies the filter time in milliseconds for
on to off transition of the input. Valid values are 0...65535.

Input Error Latch Time: Specifies the amount of time in milliseconds an Input
error will be latched. If the error is no longer present after this time, the
error condition can be reset.

17. Click Output Configuration under Safety Configuration in the
navigation tree to open the Actions page. If the safety outputs on the
20-750-S4 option module will be used, configure the output points to
match the application. Safety outputs cannot be used if Safe Brake
control is enabled.

Property: Description

Point: The physical output points available for configuration (terminals So0 and So1).

Point Operation - Type: Specifies the type of operation for the output. Available options are:
• Single Channel
• Dual Channel

Point Mode: Specifies the mode of the output. Available options are:
• Not Used
• Safety
• Safety Pulse Test

Output Error Latch Time: Specifies the amount of time in milliseconds an Output error will be latched. If the error is no longer present after this time, the error condition can be reset.

18. Click Test Output under Safety Configuration in the navigation tree
to open the Actions page. If the test outputs on the 20-750-S4 option
module will be used, configure the test output points to match the
application.

Property: Description

Point: The physical test output point being configured (Terminals To1 and To0).

Point Mode: Specifies the mode of the test output. Available options are:
• Not Used - test point is not used
• Standard Output - used as a standard safety output
• Pulse Test Output - used to test a safety input for short circuit detection
• Power Supply Output - used as a 24V DC power supply for an external input circuit

19. Click SBC under Safety Configuration in the navigation tree to open
the Actions page. If the drive-based Safe Brake Control on the
20-750-S4 option module will be used, configure SBC to match the
application.

Property: Description

Mode: Specifies the mode of the SBC function. Available options are:
• Not Used
• Safety
• Safety Pulse Test

STO Activates SBC: Identifies if Safe Torque Off (STO) activation triggers the SBC function. Available options are:
• Unselected
• Selected - the brake is engaged during an STO event, based on the ‘STO to SBC Delay’ attribute. Only valid when ‘Mode’ is set to ‘Safety’ or ‘Safety Pulse Test’.

STO to SBC Delay (ms): Specifies the time in milliseconds from when the Safe Torque Off function is active to when the brake is engaged. For positive values, the brake will engage after the delay has expired. For negative values, the brake will engage immediately and torque will be disabled after the delay has expired.

TIP Primary Feedback, Scaling, Secondary Feedback, and Discrepancy Checking
will only be displayed if a feedback device is selected for the Safety
Feedback Module on the Device Definition Identity page (shown on
page 107). Skip to if these are not used.

20. Enter the information for the device that is being used for the primary
feedback. Red boxes indicate items that need to be updated if the feature
is used in your application. The properties available on this page are
determined by the safety feedback device selected when the drive
module was created.

The Maximum Speed and Maximum Acceleration diagnostics are based
on the capability of the chosen encoder and its rated limits. They do not
provide a safety-rated safety function.

21. Enter scaling information to configure the feedback position and time in
terms of counts per position unit in the safe monitoring functions.

22. Enter the information for the device being used for the secondary
feedback. Red boxes indicate items that need to be updated if the feature
is used in your application. The properties available on this page are
determined by the safety feedback device selected when the drive
module was created.

The Maximum Speed and Maximum Acceleration diagnostics are based
on the capability of the chosen encoder and its rated limits. They do not
provide a safety-rated safety function.

23. Enter discrepancy checking information to determine the checking
mode and the allowed discrepancy between feedback channels.
Discrepancy checking is only used with dual-feedback monitoring and is
required for SIL 3 PL e.

24. Configure the rest of the drive as needed for the application:
• Parameters – Parameters for all ports in the drive.
• DeviceLogix™ – DeviceLogix program editor.
• Wizards – Simplified startup and application configuration.

25. Click OK. The drive will be displayed in the ‘I/O Configuration’ folder
in the Logix Designer application.
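
The property tables in steps 15 through 23 state several cross-field rules that are easy to miss when a configuration is reviewed page by page. The following added example (not part of the manual and not a Rockwell Automation tool) checks a configuration against those rules offline; the dictionary layout and sample values are hypothetical, and SBC is assumed to be "enabled" whenever its Mode is anything other than ‘Not Used’.

```python
# Added example: lint a 20-750-S4 safety configuration against the rules
# stated in the property tables. The dict layout is hypothetical.

U16 = range(0, 65536)  # tables: "Valid values are 0...65535"
INPUT_TYPES = {"Single Channel", "Dual Channel Equivalent",
               "Dual Channel Complementary"}
SBC_ENABLED_MODES = {"Safety", "Safety Pulse Test"}  # assumption: not 'Not Used'


def max_stop_time(ss1):
    """SS1 page: Max Stop Time is the sum of Stop Delay and Stop Monitor Delay."""
    return ss1["stop_delay"] + ss1["stop_monitor_delay"]


def lint_safety_config(cfg):
    """Return a list of findings; an empty list means no stated rule is broken."""
    findings = []

    def check_u16(where, name, value):
        if value is not None and value not in U16:
            findings.append(f"{where}: {name}={value} is outside 0...65535")

    ss1 = cfg.get("ss1", {})
    if ss1.get("mode") == "Monitored SS1":
        if cfg.get("safety_instance") == "Safe Stop, No Feedback":
            findings.append("SS1: Monitored SS1 is unavailable with "
                            "'Safe Stop, No Feedback'")
        check_u16("SS1", "stop_monitor_delay", ss1.get("stop_monitor_delay"))

    for point in cfg.get("inputs", []):
        where = f"Input {point['point']}"
        if point["mode"] == "Not Used":
            continue
        if point["type"] not in INPUT_TYPES:
            findings.append(f"{where}: unknown type {point['type']!r}")
        if (point["mode"] == "Safety Standard Input"
                and point["type"] != "Single Channel"):
            findings.append(f"{where}: Safety Standard Input requires "
                            "Single Channel")
        for name in ("discrepancy_time", "delay_off_on", "delay_on_off"):
            check_u16(where, name, point.get(name))

    sbc = cfg.get("sbc", {})
    sbc_enabled = sbc.get("mode") in SBC_ENABLED_MODES
    used = [o["point"] for o in cfg.get("outputs", [])
            if o["mode"] != "Not Used"]
    if sbc_enabled and used:
        findings.append(f"Outputs {', '.join(used)}: safety outputs cannot be "
                        "used if Safe Brake Control is enabled")
    if sbc.get("sto_activates_sbc") and not sbc_enabled:
        findings.append("SBC: 'STO Activates SBC' is only valid when Mode is "
                        "Safety or Safety Pulse Test")

    fb = cfg.get("feedback", {})
    if fb.get("discrepancy_checking") and not fb.get("secondary"):
        findings.append("Feedback: discrepancy checking is only used with "
                        "dual-feedback monitoring")
    if (cfg.get("target") == "SIL 3 PL e" and fb.get("primary")
            and not fb.get("discrepancy_checking")):
        findings.append("Feedback: discrepancy checking is required for "
                        "SIL 3 PL e")
    return findings


# Constructed sample with four rule violations.
SAMPLE = {
    "safety_instance": "Safe Stop, No Feedback",
    "ss1": {"mode": "Monitored SS1", "stop_delay": 2000,
            "stop_monitor_delay": 70000},
    "inputs": [
        {"point": "Si0", "type": "Dual Channel Equivalent",
         "mode": "Safety Pulse Test", "discrepancy_time": 10},
        {"point": "Si2", "type": "Dual Channel Equivalent",
         "mode": "Safety Standard Input", "discrepancy_time": 10},
        {"point": "Si3", "type": "Single Channel",
         "mode": "Safety Standard Input"},
    ],
    "outputs": [{"point": "So1", "type": "Single Channel", "mode": "Safety"}],
    "sbc": {"mode": "Safety", "sto_activates_sbc": True},
}

# Constructed sample with the violations corrected.
FIXED = {
    "safety_instance": "Single Feedback Monitoring",
    "ss1": {"mode": "Monitored SS1", "stop_delay": 2000,
            "stop_monitor_delay": 500},
    "inputs": [
        {"point": "Si0", "type": "Dual Channel Equivalent",
         "mode": "Safety Pulse Test", "discrepancy_time": 10},
        {"point": "Si2", "type": "Single Channel",
         "mode": "Safety Standard Input"},
    ],
    "outputs": [{"point": "So1", "type": "Single Channel", "mode": "Safety"}],
    "sbc": {"mode": "Not Used"},
    "feedback": {"primary": "encoder", "secondary": None,
                 "discrepancy_checking": False},
}

if __name__ == "__main__":
    for finding in lint_safety_config(SAMPLE):
        print(finding)
```
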

Using a 20-750-ENETR Dual-port EtherNet/IP Option Module with a 20-750-S4 Option Module

When using a PowerFlex 755 drive with 20-750-ENETR and 20-750-S4
option modules, the drive must be added to the Controller Organizer as a
PowerFlex 755-EENET module instead of a PowerFlex 755-ENETR module.
(See page 105 for more information.)

1. Make sure that the jumper on the 20-750-ENETR option module is in
the Tap position.
2. Select Synchronize from the Connect menu. (The Connection to the
PowerFlex 755/755T drive product must be ‘Standard’ or ‘Standard and
Safety’ for the Synchronize option to be selectable.)

3. If necessary, select your drive in the Synchronize - Identifying Device
dialog box, and then click Continue.

4. After selecting Synchronize, select the check box for Use Physical. This
will match the project’s configuration to the physical configuration of
the drive.

TIP If you have already configured parameters offline, you can select the Use
Project check box associated with the Parameters Category so that your
parameters will not be overwritten during the synchronization. Selecting
Use Project sets the parameters in the drive to match the parameter
configuration of the offline project.

5. Select Continue.
6. After the synchronization is completed, verify that the 20-750-ENETR
option module appears as EtherNet/IP *ENETR (TAP), indicating that
the option module is in tap mode.

Safety Configuration Signature and Ownership

The connection between the controller and the drive is based on the following
criteria:
• Drive catalog number must be for PowerFlex 755 drives
• Drive Safety Network Number (SNN) (displayed in drive module
General tab)
• GuardLogix slot number
• GuardLogix safety network number
• Path from the GuardLogix 5580 safety controller or Compact
GuardLogix 5380 safety controller to the PowerFlex 755 drive
• Configuration signature (displayed on the Safety tab of the drive
Module Properties dialog box)

If any differences are detected, the safety connection between the safety
controller and the drive is not established (for a new drive/system) or lost (for
an existing drive/system). A yellow icon appears next to the drive in the
controller project tree to indicate a lost or unestablished connection.
Configuration Ownership has to be reset to establish a new connection or to
reestablish an existing connection.

Reset Ownership

To reset ownership, see Restore the Drive to Out-of-Box State on page 214.

Programming Safety Tags in Standard Routines


Tags that are classified as safety tags are either controller-scoped or program-
scoped.
• Controller-scoped safety tags are read by either standard or safety logic
or other communication devices.
• Controller-scoped safety tags are written only by safety logic or another
GuardLogix safety controller.

Program-scoped safety tags are accessible only by local safety routines. These
routines reside within the safety program.

Standard Tags in Safety Routines (tag mapping)

Controller-scoped standard tags can be mapped into safety tags, providing a
mechanism to synchronize standard and safety actions. In the Logix Designer
application, click Logic > Map Safety Tags... to open the Safety Tag Mapping
window.

ATTENTION: When using standard data in a safety routine, you are
responsible for verifying that the data is used in an appropriate manner. The use
of standard data in a safety tag does not make it safety data.
Do not directly control a safety output with standard tag data.

Standard and Safety Tasks

Control systems built using Rockwell Automation® Integrated Architecture®
components have separate control and safety functions. In a typical control
application with standard and safety connections, control and safety tasks run
in the following Logix 5000™ controllers:
• Control functions operate in the main task / main program of a
standard ControlLogix® controller.
• The safety task, operating in a GuardLogix controller, communicates
with the drive module with a safety connection over the EtherNet/IP
network.
• The main task, operating in either of these controllers, communicates
with the drive with a standard connection over the EtherNet/IP
network.
• The standard and safety controllers communicate safety-related
information via pass-through data (datalinked parameters) in the
Integrated Safety Function option module.

The PowerFlex 755/755T drive products, with the Integrated Safety Function
option module, provide integrated safety functions. Safety functionality
operates independently of the inverters and feedback that is used for motion.
The Integrated Safety Function option module receives encoder safety
feedback from the feedback option module for use with the integrated safety
functions. The safety feedback is supplied to the controller safety task over the
safety connection for use with controller-based safety functions that may
operate in the controller.

A standard (control) and safety system can be configured so that a safety
function operates in the controller. This type of configuration is referred to as a
‘controller-based’ safety function. The system can also be configured so that
some safety functions operate in the drive module with the initiation and
monitoring of the function in the safety task. This type of safety function is
referred to as ‘drive-based’ safety. A control system can have both
controller-based and drive-based safety functions.

Safety Function Operation

The following example describes how a standard and safety control system
operates and how main and safety tasks are coordinated. In typical standard
and safety system applications, an E-stop switch is used to stop the system. In
the example, the switch is used to initiate the process that brings the drive to a
controlled stop before removing power. This type of stop is called Stop
Category 1.

The main task and drive inverter are responsible for bringing the motor to a
Category 1 stop. At the same time, to make sure that the Stop Category 1 is
correctly executed by the control system, the safety task initiates a Monitored
SS1 safety function. The SS1 safety function can be configured to use the
drive-based SS1 function or it can be configured to use the controller-based
SS1 function.

This sequence of events represents the steps required for a Monitored SS1
drive-based safety function.

1. The safety task reads the E-stop input and detects the switch actuation.
2. The safety task communicates an SS1 request by setting the bit:
module:SO.SS1Request tag of the drive. This bit is also present in P4
[Safety Status], which is data linked with the standard controller via the
standard connection.
3. The request is available to the standard controller main task via the
module:I.P4_SafetyStatus_SS1Active tag.

[Figure: block diagram. Labels: GuardLogix Safety Controller (Safety Task); Logix 5000 Standard Controller (Main Task); note "When a single controller is used for main task and safety task."; Safety Connection; Standard Connection using Datalink; Safety Status and Fault Data in S4 parameters (to send via Datalinks); Safety I/O Assembly; Standard I/O Assembly; PowerFlex 755/755T Drive Product.]

4. The main task controls the drive to bring the motor to a stop within the
Monitored SS1 limits for speed and time.
5. While the drive is stopping, the SS1 function (in the motion-safety
instance) monitors the motor speed to make sure it remains below the
speed limit and maximum stopping time.
6. When the drive reaches standstill speed, the 20-750-S4 activates the Safe
Torque Off function.

This sequence of events represents the steps that are required for a Monitored
SS1 controller-based safety function.

1. The safety task reads the E-stop input and detects the switch actuation.
2. The safety task activates the SS1 safety instruction running in the safety
task.
3. The SS1 instruction communicates an SS1 active by setting the bit:
module:SO.SS1Active tag of the drive (inverter) motion-safety instance.
4. The motion-safety instance in the drive communicates the Axis Safety
Status to the drive motion core.
5. The motion core communicates with the motion controller running the
motion task by updating the motion axis tag axis.SS1ActiveStatus.
6. The motion task controls the axis to bring the motor to a stop within the
Monitored SS1 limits for speed and time.
7. While all events are occurring, the motion-safety instance updates the
Feedback Velocity tag, module:S1.FeedbackVelocity, in the safety
controller. The SS1 function running in the safety task receives the
speed scaled by the SFX safety instruction and makes sure that the axis
remains below the speed limit and maximum stopping time.
8. When the axis reaches standstill speed the SS1 safety instruction outputs
SS1 complete.

The safety task communicates to the drive motion safety instance to activate
STO by clearing the bit: module:SO.STOOutput tag of the drive.
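
Both sequences above depend on the same check: after the SS1 request, the measured speed must stay inside a deceleration envelope and reach standstill before the maximum stop time. The following added example (not code from the manual and not the module's firmware algorithm) is a simplified model of that check. It assumes the ramp starts at Decel Reference Speed when Stop Monitor Delay expires, that Decel Reference Rate equals Decel Reference Speed divided by Stop Delay, and that times are in milliseconds and speeds in rpm; the traces are constructed.

```python
# Added example: simplified Monitored SS1 envelope check.
# Ramp shape, units and outcome names are assumptions, not taken from the manual.
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitoredSS1:
    stop_monitor_delay: int        # delay before deceleration is monitored (ms assumed)
    stop_delay: int                # stop delay time (ms assumed)
    decel_reference_speed: float   # speed the monitored ramp starts from (rpm assumed)
    decel_speed_tolerance: float   # tolerance applied to the ramp check
    standstill_speed: float        # speed limit used to declare motion stopped

    @property
    def max_stop_time(self):
        # Stated in the SS1 table: sum of Stop Delay and Stop Monitor Delay.
        return self.stop_delay + self.stop_monitor_delay

    @property
    def decel_reference_rate(self):
        # Assumption: the rate is derived from reference speed and Stop Delay,
        # consistent with "changing the Stop Delay value recalculates" it.
        return self.decel_reference_speed / self.stop_delay

    def speed_limit(self, t):
        """Allowed speed at time t after the SS1 request, or None before monitoring."""
        if t < self.stop_monitor_delay:
            return None
        ramp = (self.decel_reference_speed
                - self.decel_reference_rate * (t - self.stop_monitor_delay))
        return max(ramp, 0.0) + self.decel_speed_tolerance


def run_monitored_ss1(cfg, trace):
    """Classify a (time, speed) trace that starts at the SS1 request (t = 0).

    Returns (outcome, time). STO_AT_STANDSTILL corresponds to step 6 of the
    drive-based sequence; the two other outcomes are monitoring violations.
    """
    for t, speed in trace:
        if t > cfg.max_stop_time:
            return ("MAX_STOP_TIME_EXCEEDED", t)
        if abs(speed) <= cfg.standstill_speed:
            return ("STO_AT_STANDSTILL", t)
        limit = cfg.speed_limit(t)
        if limit is not None and abs(speed) > limit:
            return ("DECEL_RAMP_VIOLATION", t)
    return ("STILL_MONITORING", None)


def ramp_trace(rate, floor=0.0, start=1000.0, delay=100, end=2500, step=100):
    """Constructed samples: hold `start` rpm, then decelerate at `rate` rpm/ms."""
    return [(t, max(start - rate * max(t - delay, 0), floor))
            for t in range(0, end + 1, step)]


CFG = MonitoredSS1(stop_monitor_delay=100, stop_delay=2000,
                   decel_reference_speed=1000.0, decel_speed_tolerance=50.0,
                   standstill_speed=5.0)

GOOD_STOP = ramp_trace(0.6)               # main task ramps faster than the reference
SLOW_STOP = ramp_trace(0.3)               # main task ramps too slowly
CREEPING = ramp_trace(0.5, floor=20.0)    # follows the ramp but never reaches standstill

if __name__ == "__main__":
    for name, trace in (("good", GOOD_STOP), ("slow", SLOW_STOP),
                        ("creeping", CREEPING)):
        print(name, run_monitored_ss1(CFG, trace))
```
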

Pass-through Data

Some of the safety data (parameters) in the 20-750-S4 module must be
communicated with the standard controller. The safety controller only
requests safety functions and monitors. If, for example, a controller-based
safety function is to be performed (such as SLS), this request and the status /
fault data that is associated with it must be passed on to the standard controller.
This data comes from 20-750-S4 parameters that are data linked to the
standard controller where the associated tags are used by the main program.
This data is referred to as pass-through data.

Falling Edge Reset

ISO 13849-1 stipulates that instruction reset functions must occur on falling
edge signals. To comply with this requirement, a One Shot Falling (OSF)
instruction is used on the reset rung. Then, the OSF instruction Output Bit tag
is used as the reset bit for the STO output or enable rungs.
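
The effect of taking the reset from the falling edge can be seen by stepping the reset rung scan by scan. The following added example (a Python model, not ladder logic from the manual) goes beyond the passage by comparing the OSF-based reset with a level-sensitive and a rising-edge reset; the class and function names and the scan traces are constructed for illustration.

```python
# Added example: scan-by-scan model of a reset rung.
# Names and traces are constructed; this is not code from the manual.


class OneShotFalling:
    """Output bit is true for exactly one scan after the input goes 1 -> 0."""

    def __init__(self):
        self.storage = False  # input value seen on the previous scan

    def scan(self, value):
        out = self.storage and not value
        self.storage = bool(value)
        return out


def enable_states(estop_ok, reset, style="falling"):
    """Return the enable latch state per scan.

    The latch drops whenever the E-stop chain is not OK and is set again only
    by a reset pulse while the chain is OK. `style` selects how the reset
    input is turned into that pulse: "falling" (OSF), "rising" or "level".
    """
    osf = OneShotFalling()
    previous = False
    enabled = False
    states = []
    for ok, button in zip(estop_ok, reset):
        if style == "falling":
            pulse = osf.scan(button)
        elif style == "rising":
            pulse = bool(button) and not previous
        elif style == "level":
            pulse = bool(button)
        else:
            raise ValueError(f"unknown reset style: {style}")
        previous = bool(button)
        enabled = bool(ok) and (enabled or pulse)
        states.append(enabled)
    return states


# Constructed scan traces (one value per controller scan).
ESTOP_OK = [1, 1, 0, 0, 1, 1, 1, 1]        # E-stop pressed on scans 2-3
STUCK_HIGH = [1, 1, 1, 1, 1, 1, 1, 1]      # reset input held on permanently
GOES_HIGH_STAYS = [0, 0, 0, 0, 0, 1, 1, 1] # reset input goes high and never releases
PRESS_RELEASE = [0, 0, 0, 0, 0, 1, 1, 0]   # deliberate press and release

if __name__ == "__main__":
    for style, trace in (("level", STUCK_HIGH), ("rising", GOES_HIGH_STAYS),
                         ("falling", STUCK_HIGH), ("falling", GOES_HIGH_STAYS),
                         ("falling", PRESS_RELEASE)):
        print(f"{style:8}", trace, "->", enable_states(ESTOP_OK, trace, style))
```

With a level-sensitive reset the output re-enables by itself on scan 4 as soon as the E-stop is released, and a rising-edge reset accepts an input that goes high and stays high. Only the press-and-release trace produces a reset with the falling-edge rung.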

Understand Integrated Safety Drive Replacement

GuardLogix controllers retain I/O device configuration onboard and are able
to download the configuration to the replacement device.

IMPORTANT If the replacement card/module was used before, clear the existing
configuration before installing the card/module on a safety network by
resetting the card/module to the out-of-box state. See Out-of-Box State
on page 214 for more information.

Replacing an entire PowerFlex 755 drive or PowerFlex 755T drive product on
an integrated safety network is more involved than replacing standard devices
because of the safety network number (SNN). The device number and SNN
together make up the safety Device ID of the device. Safety devices require this
complex identifier to make sure that duplicate device numbers do not compromise
communication between the safety devices. The SNN is also used to provide
integrity on the initial download to the PowerFlex 755 drive or PowerFlex
755T drive product.

When the Logix Designer application is online, the Safety tab of the Module
Properties dialog box displays the current configuration ownership. When the
opened project owns the configuration, Local is displayed.

A communication error is displayed if the module read fails. See Replace an
Integrated Safety Drive in a GuardLogix System on page 130 for integrated
safety drive replacement examples.

Replace an Integrated Safety Drive in a GuardLogix System

When you replace an integrated safety drive, the replacement device must be
configured properly and the replacement drive's operation must be user-verified.

ATTENTION: During drive replacement or functional test, the safety of the
system must not rely on any portion of the affected drive.

Two options for safety drive replacement are available on the Safety tab of the
Controller Properties dialog box in the Logix Designer application:

• Configure Only When No Safety Signature Exists
• Configure Always

Figure 45 - Safety Drive Replacement Options

Configure Only When No Safety Signature Exists

This setting instructs the GuardLogix controller to automatically configure a
safety drive only when the safety task does not have a safety task signature, and
the replacement drive is in an out-of-box condition, meaning that a safety
network number does not exist in the safety drive.

If the safety task has a safety task signature, the GuardLogix controller
automatically configures the replacement CIP Safety I/O device only if the
following is true:
• The device already has the correct safety network number.
• The device electronic keying is correct.
• The node or IP address is correct.

For detailed information, see the GuardLogix 5580 Controllers User Manual,
publication 1756-UM543 or Compact GuardLogix 5380 Controllers User
Manual, publication 5069-UM001.

Configure Always

When the Configure Always feature is enabled, the controller automatically
checks for and connects to a replacement drive that meets all of the following
requirements:
• The controller has configuration data for a compatible drive at that
network address
• The drive has an SNN that matches the configuration

ATTENTION: Enable the Configure Always feature only if the entire
integrated safety control system is not being relied on to maintain SIL 3
behavior during the replacement and functional testing of a PowerFlex
755/755T drive product.
If other parts of the integrated safety control system are being relied upon to
maintain SIL 3, make sure that the controller’s Configure Always feature is
disabled.
It is your responsibility to implement a process to make sure proper safety
functionality is maintained during device replacement.

ATTENTION: Do not place any devices in the out-of-box condition on any
integrated safety network when the Configure Always feature is enabled,
except while following the device replacement procedure in the GuardLogix
user manual appropriate for your Logix 5000 controller:
• GuardLogix 5580 Controllers User Manual, publication 1756-UM543
• Compact GuardLogix 5380 Controllers User Manual, publication
5069-UM001.

PowerFlex 755 IO Mode Using SFX, SS1, and SLS Instructions

In this example, a PowerFlex 755 drive (equipped with embedded Ethernet)
controls an induction motor with a 1024 PPR incremental encoder. A Dual
Incremental Encoder option module (catalog number 20-750-DENC-1) and an
Integrated Safety Function option module (catalog number 20-750-S4) are used
to interface to a GuardLogix 5580 safety controller (catalog number
1756-L84ES).

This example shows the programming and configuration required for three of
the most common safe monitoring functions:
• Safe Feedback (SFX safety instruction)
• Safe Stop 1 (SS1 safety instruction)
• Safe Limited Speed (SLS safety instruction)

An 800FP push button is configured as an emergency stop. It is monitored using
a DCS ESTOP Instruction and is wired to one dual-channel S4 Safety Input.
This input can generate Safe Stop 1 at any time during operation of the drive.

A Guard Locking Switch (catalog number TLS-Z GD2) is mapped to one of the
S4 Safety Outputs. This switch can be opened when the Safe Stop 1 is complete
and when the Safe Limited Speed is below the required speed for an operator to
access the machine function.

The Safety Reset and Home Request functions are programmed with the other
two S4 Safety inputs. These do not need to be safety-rated devices. For the
purpose of this example, other inputs and outputs are toggled for simplicity. At
any time, you can implement additional safety or IO devices as required based on
the machine risk assessment.

Both the standard programming and safety programming must be completed
for a successful implementation.

Studio 5000 Logix Designer Application Configuration


Figure 46 - Studio 5000® Logix Designer Application Configuration Example

Figure 47 - Studio 5000 Connection Set to Standard and Safety

Studio 5000 Connection is set to ‘Standard and Safety’ since the GuardLogix
controller will provide both in this example.

Figure 48 - Studio 5000 Powerflex 755 EENET Configuration

Figure 49 - Studio 5000 Safety Primary Feedback Configuration

Figure 50 - Studio 5000 Safety Scaling Configuration

Figure 51 - Studio 5000 Input Configuration

• Inputs 0 and 1 are used with an OSSD Estop input from the 800FP.

• Input 2 is a standard digital input from a push button to safety reset the
S4 module.
• Input 3 is a standard digital input from a push button to set the SFX
home.

Figure 52 - Studio 5000 Output Configuration

• Output 1 is used with the guard locking switch TLS-Z GD2 to open the
gate door.

Programming Example

This example illustrates configuration of the safety input, logic, and output
routines.

TIP Configure your system based on the required safety level devices and ratings.

Safety Input

The DCS Instruction is responsible for evaluating the dual-input validity into
the GuardLogix safety controller.

Figure 53 - DCS Instruction with the S4 is Mapped to the 800FP

Safety Logic

The Safety Logic is used to configure when a safety reset occurs, the home
trigger, and the execution of the SFX instruction (which must have primary
feedback valid for it to execute properly).

Both the Safe Stop 1 and Safe Limited Speed use the SFX instruction for
correct monitoring of feedbacks. Safe Stop 1 is requested when the 800FP
inputs are removed. Safe Limited Speed is requested, in this example, by
toggling the Examine On tag.

Figure 54 - Safety Logic Example

Safety Output

The Safe Torque Off output must be true in order for any of the preceding safe
monitoring functions (namely SFX, SS1, and SLS) to function.

Figure 55 - Safety Output Example

The PowerFlex 755 S4 safety actions can be configured based on the required
reaction to various machine requirements. In this instance, the STO request is
executed by the PowerFlex 755, causing a disable and coast reaction.
However, the request to the SS1 (requested by the GuardLogix Safety Task) is
executed by the GuardLogix Standard Task with the use of pass-through tags.
In this case, the Stop command is used to bring the motor to a controlled stop,
as shown by the programming example.

Figure 56 - Safety Output Programming Example

The Safe Limited Speed request (and any other safe monitoring instruction
request besides STO, SS1, and SS2) is handled with the use of pass-through tags in
the GuardLogix Standard Task. The GuardLogix Safety Task uses pass-through
tags to the Standard I/O Routine to change the speed reference for the
SLS request, as shown in the programming example.

Figure 57 - The Use of Datalink is Required to Pass Data from the S4 Safety Function to the
Standard I/O Routine

Figure 58 - Standard I/O Routine That Starts and Stops the PowerFlex 755

Figure 59 - Standard I/O Routine That Runs the Drive at Velocity and Changes to Safe Limited
Speed Velocity When Requested by the Safety Task

Figure 60 - Standard I/O Routine That Commands the Drive to Zero Velocity Once the SS1
Request is Made by the Safety Task

Figure 61 - Standard I/O Routine That Monitors When at Zero Speed and Stops the Drive

Chapter 7

Integrated Motion – Configuration, Programming, and Operation

This chapter provides information for network installation and operation of
the Integrated Safety Functions option module when used in Integrated
Motion mode. If using Standard I/O mode, see Chapter 6.

Topic
• Safety Assembly Tags
• Configure the Integrated Safety Function Option Module in the Logix Designer Application
• Understand Module Properties Categories
• Programming

Safety Assembly Tags

Using network safety, a GuardLogix® 5580 or Compact GuardLogix 5380
safety controller controls the PowerFlex® 755 Safe Torque Off function
through the SO.SafeTorqueOff tag in the safety output assembly.

The SO.SafetyStopFunctions tags are sent from the GuardLogix safety output
assembly to the PowerFlex 755 safety output assembly to control the safety
functions.

The SO.Output00Output, SO.Output01Output, SO.Test00Output, and
SO.Test01Output tags are sent from the GuardLogix safety output assembly to
the PowerFlex 755 safety output assembly to control the safety and test outputs
on the Integrated Safety Functions option module.

The SI.StopStatus tags are sent from the PowerFlex 755 to the GuardLogix
safety input assembly and indicate the PowerFlex 755 safety control status.

The SI.OutputStatus, SI.InputStatus, and SI.IOSupport tags are sent from the
PowerFlex 755/755T drive product to the GuardLogix safety input assembly
and indicate the status of the safety inputs, safety outputs, and test outputs.

The SI.ConnectionStatus tags indicate the safety input connection status.

See Appendix C for more information about assembly tags.

Configure the Integrated Safety Function Option Module in the Logix Designer Application

This section provides instructions for how to add and configure an Integrated
Safety Functions option module in a PowerFlex 755 drive to an existing project
in the Logix Designer application. This chapter is specific to safety and does
not cover all aspects of drive configuration.

Before you can configure your option module in the Logix Designer
application:
• You must have a safety controller project with an EtherNet/IP network
connection configured and Time Sync enabled. See the documentation
for your controller, drive, and Ethernet adapter for information on
configuring those products in Additional Resources on page 13.

• When using a PowerFlex 755 drive in Integrated Motion Mode, the
Integrated Safety Functions option module must be installed in port 6.

• If using speed monitoring functions, install a 20-750-DENC-1 or
20-750-UFB-1 card in port 4 or port 5.

Add a PowerFlex 755 Drive to the Controller Project

1. Right-click Ethernet network and choose New Module.

2. Select a PowerFlex 755 drive for Integrated Motion on EtherNet/IP®
networks (catalog number ends in –CM-S4 for drives with the
Integrated Safety Functions option).

Understand Module Properties Categories

The Integrated Safety Function module and its safe speed monitor functions
are configured in the Studio 5000 Logix Designer® application. Follow these
guidelines when configuring your safety application.

IMPORTANT For access to Motion Safety module properties, the Connection pull-down
menu in the Module Definition dialog box must be configured for Motion
and Safety or Safety Only.

Right-click your safety drive module and choose Properties. The Module
Properties dialog box appears.

Figure 62 - Module Properties

Module Properties Category
• General
• Connection and Safety
• Motion Safety
  – Actions
  – Primary Feedback
  – Secondary Feedback
  – Scaling
  – Discrepancy Checking
  – STO
  – SS1
  – SBC
  – Input Configuration
  – Test Output
  – Output Configuration
• Associated Axes
  – Motor and Load Feedback Device

Module Properties > General Category

Follow these steps to configure the Module Definition dialog box properties.

1. Select the General category and click Change to open the Module
Definition dialog box.

2. From the Revision pull-down menu, choose the drive firmware revision.
3. From the Electronic Keying pull-down menu, choose the type of
electronic keying. See Table 44 for more details.

Table 44 - Electronic Keying Methods

Electronic Keying

Exact Match: Indicates that all keying attributes must match to establish communication. If any attribute does not match precisely, communication with the device does not occur.

Compatible Module: Lets the installed device accept the key of the device that is defined in the project when the installed device can emulate the defined device. With Compatible Module, you can typically replace a device with another device that has the following characteristics:
• Same catalog number
• Same or higher Major Revision
• Minor Revision as follows:
  – If the Major Revision is the same, the Minor Revision must be the same or higher.
  – If the Major Revision is higher, the Minor Revision can be any number.

Disable Keying: Indicates that the keying attributes are not considered when attempting to communicate with a device. With Disable Keying, communication can occur with a device other than the type specified in the project.
ATTENTION: Be extremely cautious when using Disable Keying; if used incorrectly, this option can lead to personal injury or death, property damage, or economic loss. We strongly recommend that you do not use Disable Keying. If you use Disable Keying, you must take full responsibility for understanding whether the device being used can fulfill the functional requirements of the application.
ATTENTION: Disable Keying is not permitted for safety devices.

4. From the Connection pull-down menu, choose the Connection mode for your
motion application. See Table 45 for definitions.

TIP When ‘Safety’ appears in the Connection mode, integrated safety is implied.

Table 45 - Module Connection Definitions


Connection Mode: Motion and Safety
Safety Options: Integrated mode
Description: Motion connections and integrated safety functions are managed by this controller.

Connection Mode: Motion Only
Safety Options: Integrated mode
Description:
• Motion connections are managed by this controller.
• Integrated safety functions are managed by another controller that has a Safety-only
  connection to the drive.

Connection Mode: Safety Only (1)
Safety Options: Integrated mode
Description:
• Integrated safety functions are managed by this controller.
• Motion connections are managed by another controller that has a Motion-only connection
  to the drive.

(1) When the Connection mode is Safety Only, you do not need to configure a motion axis.

5. From the Safety Instance pull-down menu, choose the integrated safety type. See
Table 46 on page 149 for definitions. If ‘Safe Stop Only mode’ is selected, skip to step 7.


6. When using ‘Single’ or ‘Dual Feedback Monitoring’ mode, use these
steps to add a safety feedback device.
a. Right-click the drive under Peripheral Devices, and then click New
Peripheral Device… to bring up the Peripheral Device Definition
dialog box.

b. Select the Port.


c. Select the catalog number of the feedback option module installed in
the Peripheral Device pull-down menu.
d. Check Safe Feedback and click OK to close the Peripheral Device
Definition dialog box.

7. Click Safety Definition to configure the Integrated Safety Functions
module's revision and electronic keying settings. See Table 44 on
page 147 for information on electronic keying.

8. Click OK to close the Safety Definition dialog box.


9. Click OK to close the Module Definition dialog box.


Table 46 - Motion Safety Instance Definitions


Module Connection Options:
• Motion and Safety
• Safety only

Motion Safety Instance Mode and Description:

Safe Stop Only - No Feedback: STO function and Timed SS1 Safe Stop functions are available.

Single Feedback Monitoring: Primary feedback is used in the safety object for safe monitoring.

Dual Feedback Monitoring: In addition to primary feedback, an external feedback device is used to
provide error checking of the primary feedback device. A secondary encoder is considered part of
the encoder diagnostics and the data it produces is not rated safety data.
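
The electronic keying rules in Table 44 can be written as a decision function and run over a device inventory before a drive is replaced. This is an added example, not code from Rockwell Automation or from this manual: `DeviceKey`, `keying_allows`, and `audit` are hypothetical names, the key is reduced to the three attributes the table names, and the revision numbers are constructed.

```python
"""Electronic keying decision modelled on Table 44 (illustrative model only)."""
from dataclasses import dataclass
from enum import Enum


class Keying(Enum):
    EXACT_MATCH = "Exact Match"
    COMPATIBLE_MODULE = "Compatible Module"
    DISABLE_KEYING = "Disable Keying"


@dataclass(frozen=True)
class DeviceKey:
    # Assumption: the key is reduced to the three attributes Table 44 names.
    catalog_number: str
    major: int
    minor: int


def keying_allows(mode, defined, installed, safety_device=False):
    """Compare the key defined in the project with the installed device.

    Returns (allowed, reason). Whether the installed device can actually
    emulate the defined one is device-specific and is not modelled here.
    """
    if mode is Keying.DISABLE_KEYING:
        if safety_device:
            return False, "Disable Keying is not permitted for safety devices"
        return True, "keying attributes are not considered"
    if installed.catalog_number != defined.catalog_number:
        return False, "catalog number differs"
    if mode is Keying.EXACT_MATCH:
        if (installed.major, installed.minor) == (defined.major, defined.minor):
            return True, "all keying attributes match"
        return False, "revision differs from the project definition"
    # Compatible Module: same or higher major; minor only matters on equal major.
    if installed.major > defined.major:
        return True, "higher major revision, any minor revision"
    if installed.major == defined.major and installed.minor >= defined.minor:
        return True, "same major revision, same or higher minor revision"
    return False, "installed revision is lower than the project definition"


def audit(modules):
    """Return (name, reason) for every module whose connection would be refused."""
    refused = []
    for name, mode, defined, installed, is_safety in modules:
        allowed, reason = keying_allows(mode, defined, installed, is_safety)
        if not allowed:
            refused.append((name, reason))
    return refused


# Constructed inventory: catalog number from this manual, revisions invented.
DEFINED = DeviceKey("20-750-S4", 1, 5)
SAMPLE_MODULES = [
    ("drive_1", Keying.EXACT_MATCH, DEFINED, DeviceKey("20-750-S4", 1, 5), True),
    ("drive_2", Keying.EXACT_MATCH, DEFINED, DeviceKey("20-750-S4", 1, 6), True),
    ("drive_3", Keying.COMPATIBLE_MODULE, DEFINED, DeviceKey("20-750-S4", 2, 0), True),
    ("drive_4", Keying.COMPATIBLE_MODULE, DEFINED, DeviceKey("20-750-S4", 1, 4), True),
    ("drive_5", Keying.DISABLE_KEYING, DEFINED, DeviceKey("20-750-S4", 1, 5), True),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_MODULES):
        print(f"{name}: refused ({reason})")
```
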

Module Properties > Connection and Safety Categories

Follow these steps to configure the Safety Output and Safety Input requested
packet interval (RPI) values.

1. Click Connection.

From the Connection category you can observe the status of the Safety
Output and Safety Input RPI values. The default values are shown.

IMPORTANT The Safety Output and Safety Input values, when viewed from the
Connection category, are for status only. To set the Safety Output and
Safety Input values, continue with step 2 through step 6.

2. To set the Safety Output value, right-click Safety Task in the Controller
Organizer and click Properties.


3. Click the Configuration tab.


The default safety task Period value (and output RPI) is 20 ms.

IMPORTANT The ‘Period’ is the interval at which the safety task executes. The
‘Watchdog’ must be less than the period.

For more safety task information, see the GuardLogix 5580 and
Compact GuardLogix 5380 Controller Systems Safety Reference
Manual, publication 1756-RM012.
4. Click OK.
5. To set the Safety Input RPI and other safety connection attributes, select
the Safety category on the module properties page and click
Advanced.... See Table 47 on page 151 for information on other safety
connection attributes.

The default Safety Input RPI value is 10 ms. Edit as appropriate for your
application.


Table 47 - Advanced Reaction Connection Time Limit Configuration Settings


Advanced Reaction Connection Time Limit Configuration Settings    Description

Requested Packet Interval (RPI): The RPI specifies the period that data updates over a
connection. For example, an input module produces data at the RPI that you assign. For safety
input connections, you can set the RPI on the Safety tab of the Module Properties dialog box.
The RPI is entered in 1 ms increments, with a range of 6…500 ms. The default is 10 ms.
The Connection Reaction Time Limit is adjusted immediately when the RPI is changed via
the Logix Designer application.
For safety output connections, the RPI is fixed at the safety task period. If the
corresponding Connection Reaction Time Limit is not satisfactory, you can adjust the
safety task period via the Safety Task Properties dialog box of the safety controller. See the
user manual for the controller.
For typical applications, the default RPI is sufficient.

Timeout Multiplier: The Timeout Multiplier determines the number of RPIs to wait for a packet
before declaring a connection timeout. This value translates into the number of messages that
can be lost before a connection error is declared. For example, a Timeout Multiplier of 1
indicates that messages must be received during each RPI interval. A Timeout Multiplier
of 2 indicates that one message can be lost as long as at least one message is received in
two times the RPI (2 x RPI).

Network Delay Multiplier: The Network Delay Multiplier defines the message transport time that
the safety protocol enforces. The Network Delay Multiplier specifies the round-trip delay from
the producer to the consumer and the acknowledge back to the producer. You can use the Network
Delay Multiplier to reduce or increase the Connection Reaction Time Limit in cases where the
enforced message transport time is significantly less or more than the RPI. For example,
adjusting the Network Delay Multiplier is helpful when the RPI of an output connection is the
same as a lengthy safety task period.

Connection Reaction Time Limit: The Connection Reaction Time Limit is the maximum age of safety
packets on the associated connection. If the age of the data that is used by the consuming
device exceeds the Connection Reaction Time Limit, a connection fault occurs. The following
equations determine the Connection Reaction Time Limit:
Input Connection Reaction Time Limit = Input RPI x [Timeout Multiplier + Network Delay Multiplier]
Output Connection Reaction Time Limit = Safety Task Period x [Timeout Multiplier + Network Delay Multiplier - 1]

IMPORTANT If the drive is used with an induction motor, there is a general rule of no
repeated (three or more) start/stops with less than 10 seconds between
them (assumes the highest RPI of 500 ms is used). Otherwise a safety
connection loss can occur. If less than 10 seconds is needed, a lower RPI can
be used per the following formula:
RPI (ms) * 19 = Min. Repeated Start/Stop time (seconds)
For example, a 50 ms RPI equates to a minimum of 0.95 seconds required
between repeated start/stops.

6. Click Apply.
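
The timing rules in steps 2 through 5, Table 47, and the induction-motor note can be checked together before the values are entered. This is an added example, not code from Rockwell Automation or from this manual: `SafetyTiming`, `check`, and the other names are hypothetical, the watchdog, multiplier, and budget values are constructed, the Network Delay Multiplier is assumed to be expressed as a multiple of the RPI, and the start/stop rule is assumed to apply to the Safety Input RPI.

```python
"""Safety connection timing check based on Table 47 (illustrative model only)."""
from dataclasses import dataclass

RPI_MIN_MS, RPI_MAX_MS = 6, 500      # Safety Input RPI range, 1 ms increments
START_STOP_FACTOR = 19               # factor from the induction-motor note


@dataclass
class SafetyTiming:
    input_rpi_ms: int = 10                  # default Safety Input RPI
    task_period_ms: int = 20                # default safety task period (= output RPI)
    watchdog_ms: int = 15                   # constructed value
    timeout_multiplier: int = 2             # constructed sample value
    network_delay_multiplier: float = 2.0   # assumption: a multiple of the RPI

    def input_crtl_ms(self):
        """Input Connection Reaction Time Limit in ms."""
        return self.input_rpi_ms * (self.timeout_multiplier
                                    + self.network_delay_multiplier)

    def output_crtl_ms(self):
        """Output Connection Reaction Time Limit in ms."""
        return self.task_period_ms * (self.timeout_multiplier
                                      + self.network_delay_multiplier - 1)

    def lost_packets_tolerated(self):
        # A multiplier of 1 tolerates no loss; 2 tolerates one lost message.
        return self.timeout_multiplier - 1


def min_start_stop_s(rpi_ms):
    """Minimum spacing of repeated start/stops; a 50 ms RPI gives 0.95 s."""
    return rpi_ms * START_STOP_FACTOR / 1000


def max_rpi_for_spacing(spacing_ms):
    """Largest valid RPI (ms) whose minimum start/stop spacing fits spacing_ms."""
    rpi = min(spacing_ms // START_STOP_FACTOR, RPI_MAX_MS)
    return rpi if rpi >= RPI_MIN_MS else None


def check(cfg, reaction_budget_ms=None, start_stop_spacing_ms=None):
    """Return a list of findings; an empty list means no rule is broken.

    reaction_budget_ms is a hypothetical application requirement for the
    oldest safety data the machine can tolerate.
    """
    findings = []
    rpi = cfg.input_rpi_ms
    if not isinstance(rpi, int) or not RPI_MIN_MS <= rpi <= RPI_MAX_MS:
        findings.append("input RPI must be a whole number of ms in 6...500")
    if cfg.watchdog_ms >= cfg.task_period_ms:
        findings.append("watchdog must be less than the safety task period")
    if reaction_budget_ms is not None:
        limits = (("input", cfg.input_crtl_ms()), ("output", cfg.output_crtl_ms()))
        for name, limit in limits:
            if limit > reaction_budget_ms:
                findings.append(f"{name} reaction time limit {limit:g} ms exceeds "
                                f"the {reaction_budget_ms} ms budget")
    if start_stop_spacing_ms is not None:
        if rpi * START_STOP_FACTOR > start_stop_spacing_ms:
            best = max_rpi_for_spacing(start_stop_spacing_ms)
            findings.append(f"start/stop spacing too short for {rpi} ms RPI; "
                            f"largest usable RPI is {best}")
    return findings


if __name__ == "__main__":
    cfg = SafetyTiming()
    print(cfg.input_crtl_ms(), cfg.output_crtl_ms(), cfg.lost_packets_tolerated())
    print(check(SafetyTiming(input_rpi_ms=500), start_stop_spacing_ms=2000))
```
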


Motion Safety > Actions Category

The Actions category provides fault behavior options. Determine the preferred
machine function when a connection loss or connection idle condition occurs.
Safe Torque-off (STO) means that the drive immediately disables the motor
power outputs causing a coast condition for the motor and load. Safe Stop 1
(SS1) means that the drive decelerates the load to zero speed before removing
the motor power outputs causing a controlled stop for the motor and load.
Table 48 describes the attributes and the values available on the Actions page.

Follow these steps to configure the Actions to Take Upon Conditions dialog
box. For more information on connection action operation, please see Safety
Function in Response to Connection Event on page 68.

1. Select the Motion Safety >Actions category.

Table 48 - Motion Safety Actions


Attribute: Connection Loss Action
Description:
• Connection loss is caused by removal of the Ethernet cable from the drive.
• The loss could also be an indication of excessive traffic, causing the drive to lose
  synchronization to the grandmaster clock/motion controller.
Values:
• SS1: Drive-based Safe Stop 1 function is initiated and operates according to the SS1
  configuration.
• STO: Torque is removed according to the STO configuration.

Attribute: Connection Idle Action
Description: Connection idle is caused by the safety output task becoming disabled because the
controller is in Remote Program mode.
Values:
• SS1: Drive-based Safe Stop 1 function is initiated and operates according to the SS1
  configuration.
• STO: Torque is removed according to the STO configuration.

Attribute: Restart Type
Description: Restart type means that the safety function resets and will be ready for subsequent
operation when the reset conditions are met. See specific function for more detail.
Values:
• Automatic: Restart allowed after safety function completes and function request is removed.
  If restart is required due to a fault, the fault condition must also be removed.
• Manual: Restart is allowed after a 0-to-1 transition of SO.ResetRequest bit.

Attribute: Cold Start Type
Description: Cold start type means that the configured safety function is ready for operation
immediately after the controller enters run mode.
Values:
• Automatic: Restart allowed after safety function completes and function request is removed.
  If restart is required due to a fault, the fault condition must also be removed.
• Manual: Restart is allowed after a 0-to-1 transition of SO.ResetRequest bit.


2. From the Connection Loss Action and Connection Idle Action pull-down menus, choose
SS1 or STO as required for your application.
3. From the Restart Type and Cold Start Type pull-down menus, choose
Automatic or Manual as required for your application.
4. Click Apply.

Motion Safety > Primary Feedback Category


Configure primary feedback if you intend to use any drive-based or controller-
based safety function that monitors motion. There are many different
combinations of feedback for motion control and safety that can be
configured.

Follow these steps to configure the Primary Feedback.

1. Select the Motion Safety >Primary Feedback category.

2. From the Device pull-down menu, choose the feedback device that was
defined as the Safety Feedback device during module configuration.
3. From the Type pull-down menu, choose the feedback type.
Table 49 shows the valid feedback types based on the module
configuration.
4. Set the remaining Primary Feedback attributes. See Table 50 for the
descriptions of these attributes.
5. Click Apply.


Table 49 - Feedback Options


Feedback Instance    Feedback Option 20-750-UFB-1    Feedback Option 20-750-DENC-1
Primary              Sine/Cosine, Hiperface          Digital AqB
Secondary            Digital AqB                     Digital AqB

Table 50 - Safety Feedback Configuration Attributes


Attribute    Description

Units: Specify the units of the encoder. Default value is revolutions (Rev) that supports rotary
motors. When using a linear encoder, select Meter.

Resolution Units: Cycles per Encoder Unit. Default value is Cycles/Revolution (Rev).

Cycle Resolution: Used in the Effective Resolution calculation. The actual motor encoder cycle
resolution. This is the raw encoder cycle resolution of the motor or encoder device type.

Cycle Interpolation: Used in the Effective Resolution calculation. The safety primary-feedback
interpolated counts as opposed to the motion axis-feedback interpolated counts. For the
Integrated Safety Functions module, this value is 4 and cannot be changed.

Effective Resolution: The product of cycle resolution and cycle interpolation for the primary
safety function evaluation.

Polarity: Based on encoder rotation and evaluation requirements. Choose between Normal (default)
or Inverted as appropriate for your application.

Velocity Average Time: The velocity average time attribute is a moving-average window of time
for which the velocity samples are averaged. A small value results in more deviation in the
velocity evaluation. A large value results in less deviation in the velocity evaluation, but also
adds more delay to the resulting evaluation. Consider this delay with system requirements for
over-speed response.

Voltage Monitor: The voltage monitor attribute indicates the valid range of the feedback's power
supply. If a voltage outside of the range is detected, a Safety Feedback Fault will occur.
See Table 51 to find the correct voltage monitoring range based on feedback device.

Maximum Speed(1): This value sets the maximum speed of the encoder. If a speed above the limit is
detected, a Safety Feedback fault will occur. If set to 0.0, the speed check is disabled.

Standstill Speed: Used in the safe-monitoring process to indicate to the safety controller that
the motor has stopped rotating. The system is at standstill when the speed detected is less than
or equal to the configured Standstill Speed. The Standstill Speed parameter defines the speed
limit before the drive determines standstill has been reached.

Maximum Acceleration(1): This value sets the maximum acceleration of the encoder. If an
acceleration above the limit is detected, a Safety Feedback fault will occur. If set to 0.0, the
acceleration check is disabled.

(1) These diagnostics are based on the capability of the chosen encoder and its rated limits.
They do not provide a safety-rated safety function.


Table 51 - Voltage Monitoring Values for Feedback Device


Feedback Devices
20-750-UFB 20-750-DENC
Not monitored Not monitored
7…12V 4.75…5.25V
Primary 4.75V…5.25V 7…12V

Feedback Instance
11.4…12.6V
Not monitored Not monitored
7…12V 4.75…5.25V
Secondary 4.75…5.25V 7…12V
11.4…12.6V

Motion Safety > Secondary Feedback Category

If the Safety Instance is configured for Dual Feedback monitoring, the
Secondary Feedback must be configured. The attributes for the Secondary
Feedback configuration are the same as the Primary Feedback. See the Motion
Safety > Primary Feedback Category section for information on the attributes
that can be configured for the Secondary Feedback Instance.

IMPORTANT The secondary feedback is intended to provide diagnostic coverage of the
primary encoder. The data produced by the secondary feedback device is not
safety data.


Motion Safety > Scaling Category

The Primary Feedback category sets safety resolution in terms of counts per
encoder unit. The Scaling category configures the position and time to be used
in terms of counts per position unit in the safe monitoring functions.

Figure 63 - Scaling Category (default settings)

Table 52 - Scaling Category Attributes


Attribute    Description

Feedback Resolution: The number of counts per motor revolution, which is determined by the
Primary Feedback category.

Position Units: The position units for this safety application. Enter text for the name of your
units.

Time: The evaluation of position per unit of time for a velocity evaluation. Choose between
Seconds (default) and Minutes as appropriate for your application.

Position: The conversion constant showing the counts per position units. This is the number of
counts for one of your position units.


Motion Safety > Discrepancy Checking Category

Discrepancy checking is only used in applications where the ‘Module
Definition>Safety Instance’ is configured for ‘Dual Feedback Monitoring’. Its
purpose is to perform an evaluation of the speed and position discrepancy
between primary and secondary feedback. A ratio can also be configured that
describes the expected gear ratio of primary to secondary feedback.

If primary feedback and secondary feedback differ in position or velocity for
the configured time period, a discrepancy fault occurs.

Figure 64 - Discrepancy Checking Dialog Box (default attributes)

IMPORTANT When setting discrepancy tolerances in terms of the velocity deadband
attribute, consider that configuring a high gear-ratio between primary
feedback and secondary feedback can lead to unexpected dual-feedback
position faults. This is because a very large primary feedback movement
translates into very small secondary feedback increments.

When ‘Module Definition>Safety Instance’ is configured for Single Feedback
Monitoring, the discrepancy checking mode is set to the default value of ‘Not
Used’, and cannot be changed. When configured for Dual Feedback
Monitoring, the discrepancy checking mode is set to ‘Dual Velocity Check’. In
the Dual Feedback Monitoring configuration, the ‘Dual Position’ and
‘Velocity/Position Check’ modes are also available.

Use the ‘Dual Velocity Check’ mode to measure the difference between
primary feedback speed and secondary feedback speed. Use ‘Dual Position
Check’ mode to measure the difference between primary feedback position
and secondary feedback position. Use the ‘Velocity/Position Check’ mode if
position and velocity checking are needed.

Follow these steps to configure the Discrepancy Checking attribute.

1. From the Mode pull-down menu, choose the appropriate discrepancy
checking mode for your application.
2. Set the remaining Discrepancy Checking attributes.

Attribute    Description

Time: The amount of time (ms) specified for velocity deadband to be evaluated and trigger a
safety fault condition.

Ratio: The gear ratio of one primary feedback revolution to one secondary feedback revolution.

Velocity Deadband: The velocity units of the difference between primary and secondary feedback
speed for the velocity discrepancy check.

Position Deadband: The position units of the difference between primary and secondary feedback
position for the position discrepancy check.

3. Click Apply.

Motion Safety > STO Category

The STO category provides a disable and coast fault action. However, if a
torque disable delay is needed following a STO Active command, you can enter
a value in the Delay field (see Safe Torque Off With Delay Operation on
page 72 for more information.)

Figure 65 - Motion Safety STO


STO becomes active if any of the following inputs to STO are asserted:
• STO Output = 0
• Safety Connection Loss and Connection Loss Action = STO
• Safety Connection is Idle and Connection Idle Action = STO
• Drive-based SS1 Function is Complete (= 1)
• Safety Stop Fault = 1
• Critical Safety fault occurs

STO Output is a tag in the safety output assembly used to activate the STO
function and is written by the GuardLogix controller. When any source for
STO is asserted, STO Active becomes high to indicate that the STO function
is operating.

STO Delay follows this sequence of events.

1. STO becomes active and the STO delay timer begins.


2. The STO delay timer expires.
Torque producing power is removed from the inverter output.
• If STO is activated by a Safety Stop fault or Critical Safety fault,
torque is removed immediately without the STO delay.
• If STO is reset by removing all inputs, torque is immediately
permitted without delay.
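
The STO activation sources and the STO delay sequence above can be replayed over a sequence of input states to see when torque is removed and when it is permitted again. This is an added example, not code from Rockwell Automation or from this manual: the class and function names are hypothetical, the event sequence is constructed, the model assumes that clearing every STO input while the delay timer runs cancels the pending torque removal, and Restart Type is not modelled.

```python
"""Illustrative model of STO activation sources and the STO delay timer."""
from dataclasses import dataclass

# Sources that remove torque immediately, bypassing the STO delay.
FAULT_SOURCES = {"Safety Stop Fault", "Critical Safety fault"}


@dataclass
class StoInputs:
    sto_output: int = 1               # safety output assembly tag; 0 requests STO
    connection_lost: bool = False
    connection_idle: bool = False
    ss1_complete: bool = False        # drive-based SS1 function is complete
    safety_stop_fault: bool = False
    critical_safety_fault: bool = False


@dataclass
class ActionsConfig:
    connection_loss_action: str = "STO"   # "STO" or "SS1"
    connection_idle_action: str = "STO"   # "STO" or "SS1"
    sto_delay_ms: int = 0


def sto_sources(inp, cfg):
    """List every asserted STO input; STO is active when the list is non-empty."""
    checks = [
        ("STO Output = 0", inp.sto_output == 0),
        ("Connection Loss",
         inp.connection_lost and cfg.connection_loss_action == "STO"),
        ("Connection Idle",
         inp.connection_idle and cfg.connection_idle_action == "STO"),
        ("SS1 Complete", inp.ss1_complete),
        ("Safety Stop Fault", inp.safety_stop_fault),
        ("Critical Safety fault", inp.critical_safety_fault),
    ]
    return [name for name, asserted in checks if asserted]


def simulate(events, cfg):
    """Replay (time_ms, StoInputs) events sorted by time; return torque transitions."""
    transitions = []
    torque_permitted = True
    deadline = None                       # time at which the STO delay expires
    for t, inp in events:
        if deadline is not None and deadline <= t:
            # The delay timer expired before this event arrived.
            transitions.append((deadline, "torque removed"))
            torque_permitted, deadline = False, None
        sources = sto_sources(inp, cfg)
        if not sources:
            # All inputs removed: STO is reset, torque permitted without delay.
            deadline = None
            if not torque_permitted:
                transitions.append((t, "torque permitted"))
                torque_permitted = True
        elif torque_permitted:
            if FAULT_SOURCES.intersection(sources):
                transitions.append((t, "torque removed"))
                torque_permitted, deadline = False, None
            elif deadline is None:
                deadline = t + cfg.sto_delay_ms   # STO active, timer begins
    if deadline is not None:
        transitions.append((deadline, "torque removed"))
    return transitions


# Constructed scenario: a delayed STO, a reset, then a fault during the delay.
SAMPLE_CONFIG = ActionsConfig(sto_delay_ms=200)
SAMPLE_EVENTS = [
    (0, StoInputs()),
    (100, StoInputs(sto_output=0)),
    (500, StoInputs()),
    (600, StoInputs(sto_output=0)),
    (650, StoInputs(sto_output=0, safety_stop_fault=True)),
]

if __name__ == "__main__":
    for when, what in simulate(SAMPLE_EVENTS, SAMPLE_CONFIG):
        print(f"{when:>5} ms  {what}")
```
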

Motion Safety > SS1 Category

The ‘Motion Safety > SS1’ category is configured when a Timed or Monitored
Safe Stop 1 condition is desired.

‘Timed SS1’ mode is available when the module is configured with or without
safety feedback monitoring. The ‘Monitored SS1’ mode is only available when
the module is configured for feedback monitoring (for more information on
the drive-based Safe Stop 1 function, see Safe Stop 1 Function on page 76.)

Timed SS1 is a fixed time for the motor to stop before removing
torque. Motor feedback is not monitored. ‘Stop Delay’ is the
only parameter used for ‘Timed SS1’ and determines the ‘Max
Stop Time’.


Figure 66 - SS1 Dialog Box (Timed SS1, default)

Monitored SS1 is a ramped safe-stop where the motion safety instance
monitors the speed ramp to standstill speed, while either the motion task or
the drive controls the deceleration to standstill speed. When standstill is
reached, the motion safety instance removes torque from the motor.

Figure 67 - SS1 Dialog Box (Monitored SS1)

Motion Safety > SBC Category

The ‘Motion Safety > SBC Category’ is configured when Safe Brake Control
functionality is desired in an application.

The default mode for SBC is ‘Not Used’. If the SBC functionality is desired,
setting the mode to ‘Used, Test Pulses’ or ‘Used, No Test Pulses’ enables
the SBC function. When configured for ‘Used, Test Pulses’ mode, pulse testing
of the physical brake outputs is performed. For more information on the
drive-based SBC function, see Safe Brake Control Function on page 83.

See Table 53 for descriptions of the SBC attributes.

Table 53 - SBC Attributes


Attribute    Description

STO Activates SBC: Determines if an STO event engages the brake. If set to ‘Not Linked’, an STO
event does not engage the brake. If set to ‘Linked’, the brake is engaged during an STO event
based on the ‘STO to SBC Delay’ attribute. This attribute is only valid when the ‘Mode’ is set
to ‘Used’.

STO to SBC Delay: The delay of brake engagement in milliseconds. If the value is a positive
number, the delay specifies the time between when STO is activated and the brake is engaged. If
the value is a negative number, the brake is engaged immediately after STO is activated, and the
delay specifies the time between STO activation and when torque is actually disabled. This
attribute is only valid when ‘STO Activates SBC’ is set to ‘Linked’.

Motion Safety > Input Configuration Category

The Input Configuration category allows configuration of the safety input
instances of the device.

The Point Operation of a safety input configures the type of input operation
and its discrepancy time. See Table 54 for descriptions of these attributes.

The Point Mode configures the mode of the safety input. Table 55 describes
the valid values of this attribute.

The Input Delay Time configures the delay in sample time after a state change
of the input. See Input Delays on page 49 for more information. The Input
Error Latch Time attribute configures the time that a discrepancy must exist
before a Safety Input alarm is generated. See Latch Input Error Operation in
Single Channel Mode on page 39 for more information.

Table 54 - Safety Input Point Operation Attributes


Attribute    Description

Type: Determines the operation mode of the Safety Input. See Safety Inputs beginning on page 37
for more information on the types of safety input operation.

Discrepancy Time: The time in milliseconds that a discrepancy must exist between two
corresponding safety inputs before an alarm is generated. See Dual-channel Safety Input
Operation on page 41 for more information on discrepancy time.

Table 55 - Safety Input Point Mode Values


Value    Description

Not Used: The safety input will not be used.

Used with Test Output: The associated test output point shown in the ‘Test Source’ field will be
used to pulse test the external wiring of the safety input. See Standard Input Operation on
page 44 for more information.

Used without Test Output: The time in milliseconds that a discrepancy must exist between two
corresponding safety inputs before an alarm is generated. See Dual-channel Safety Input
Operation on page 41 for more information on discrepancy time.

Used as Standard Input: The safety input will be treated as a standard input. No diagnostics are
run. When using a safety input as a standard input, the ‘Point Operation Type’ must be set to
‘Single Channel’.

Motion Safety > Test Output Category

The Test Output category allows for configuration of the Test Outputs of the
device. See Table 56 for descriptions of the attributes. For more information on
test output operation, see Test Output on page 60.


TIP If a safety input’s Point Mode is configured for ‘Used with Test
Output’, the Test Output indicated by the ‘Test Source’ field must
have its ‘Point Mode’ configured as ‘Pulse Test Output’.

Table 56 - Test Output Point Mode Values


Value    Description

Not Used: The safety input will not be used.
Standard Output: The test output will be treated as a standard output. No diagnostics are run.
Pulse Test Output: The test output is used as a pulse test output for the associated safety input.
Power Supply Output: The test output is used as a power supply output.

Motion Safety > Output Configuration Category

The Output Configuration category allows the safety outputs of the device to
be configured. The Point Operation Type of the safety output configures the
type of safety output according to Table 57.

The Point Mode of the safety output configures the mode of the safety output
according to Table 58.

The Output Error Latch Time attribute configures the time that a
discrepancy must exist before a Safety Output alarm is generated (see Safety
Outputs on page 50 for more information).
TIP If SBC mode is set to used, the safety outputs are under control of
the SBC function, and cannot be separately configured.


Table 57 - Point Operation Type Values


Value    Description

Single Channel: The safety output operates in single channel mode. See Single-channel Mode on
page 51 for more information.

Dual Channel: The safety output operates in dual channel mode with its partner safety output.
See Dual-channel Mode on page 53 for more information.

Table 58 - Point Mode Values


Value    Description

Not Used: The safety output is not used. The ‘Point Operation Type’ must be set to ‘Single
Channel’ if the Point Mode is set to ‘Not Used’.

Used without Test Pulses: The safety output is used. No pulse test diagnostics are performed.

Used with Test Pulses: The safety output is used. Pulse testing of the safety output is
performed periodically.

Axis Properties > Actions > Safety Actions

To set the stop action taken in response to a safety function activation, open the
Axis Properties and select the Actions page. The Safety Actions section of this
page is used to select Safe Torque Off and Safe Stopping actions and sources.

Make sure that these settings will allow the drive to complete a stop without
causing a safety function fault during normal operation. See the Stopping
Action section for the specific safety function in Chapter 4 for more
information.


Figure 68 on page 165 shows the Actions page. Table 59 on page 165 describes
the Safety Action attributes.

Figure 68 - Axis Properties > Actions Page

Table 59 - Safety Actions Attributes Descriptions


Attribute    Description

Safe Torque Off Action: Specifies the stopping action that will be executed in response to a STO
Activation. This selection is only valid when ‘Safe Torque Off Action Source’ is set to
‘Connected Drive’.

Safe Torque Off Action Source: Specifies which controller or drive product is responsible for
initiating and performing the stop action specified in the ‘Safe Torque Off Action’ attribute.

Safe Stopping Action: Specifies the stopping action that will be executed in response to a Safe
Stop Activation. This selection is only valid when ‘Safe Stopping Action Source’ is set to
‘Connected Drive’.

Safe Stopping Action Source: Specifies which controller or drive product is responsible for
initiating and performing the stop action specified in the ‘Safe Stopping Action’ attribute.

Module Properties > Associated Axes Motor and Load Feedback Device

Special consideration must be taken when setting Motor and Load feedback
devices on the Associated Axes page. Table 60 on page 166 shows the correct
Motor/Load feedback device selection based on the physical terminal the
encoder is connected to per the supported feedback card.


Table 60 - Motor/Load Feedback Device Selection


Option Module    Terminal                     Safety Feedback Device Selection    Motor/Load Feedback Device Selection
20-750-UFB-1     – SN, + SN, – CS, + SN       Port X Primary                      Port X Channel B
20-750-UFB-1     –A, A, –B, B, –Z, Z          Port X Secondary                    Port X Channel A
20-750-DENC-1    0A, 0A–, 0B, 0B–, 0Z, 0Z–    Port X Primary                      Port X Channel A
20-750-DENC-1    1A, 1A–, 1B, 1B–, 1Z, 1Z–    Port X Secondary                    Port X Channel B

Port X indicates the DPI™ port where the encoder card is installed.

Generate the Safety Network Number (SNN)

The assignment of a time-based SNN is automatic when you create a
GuardLogix safety controller project and add new Safety I/O devices.

Manual manipulation of an SNN is required in the following situations:
• If safety consumed tags are used
• If the project consumes safety input data from a device whose
configuration is owned by some other device
• If a safety project is copied to another hardware installation within the
same routable Safety system

If an SNN is assigned manually, the SNN has to be unique.


IMPORTANT If you assign an SNN manually, make sure that the system expansion does
not result in duplication of SNN and node address combinations.
A warning appears if your project contains duplicate SNN and node address
combinations. You can still verify the project, but Rockwell Automation
recommends that you resolve the duplicate combinations.

To edit the SNN, follow these steps.

1. To open the Safety Network Number dialog box, click to the right
of the Safety Network Number.
2. Select either Time-based or Manual.
If you select Manual, enter a value from 1…9999 decimal.
3. Click Generate.
4. Click OK.

Safety Configuration Signature and Ownership


The connection between the controller and the drive is based on the following
criteria:
• Drive catalog number must be for PowerFlex 755 drives
• Drive Safety Network Number (SNN) (displayed in drive module
General tab)
• GuardLogix slot number
• GuardLogix safety network number
• Path from the GuardLogix 5580 safety controller or Compact
GuardLogix 5380 safety controller to the PowerFlex 755 drive
• Configuration signature (displayed on the Safety tab of the drive
Module Properties dialog box)


If any differences are detected, the safety connection between the safety
controller and the drive is not established (for a new drive/system) or lost (for
an existing drive/system). A yellow icon appears next to the drive in the
controller project tree to indicate a lost or unestablished connection.
Configuration Ownership has to be reset to establish a new connection or to
reestablish an existing connection.

Reset Ownership

To reset ownership, see Restore the Drive to Out-of-Box State on page 214.

Replace an Integrated Safety Drive in a GuardLogix System

When you replace an integrated safety drive, the replacement device must be
configured properly and the replacement drive's operation must be user-verified.

ATTENTION: During drive replacement or functional test, the safety of the
system must not rely on any portion of the affected drive.

Two options for safety drive replacement are available on the Safety tab of the
Controller Properties dialog box in the Logix Designer application:
• Configure Only When No Safety Signature Exists
• Configure Always

Figure 69 - Safety Drive Replacement Options

Configure Only When No Safety Signature Exists

This setting instructs the GuardLogix controller to automatically configure a
safety drive only when the safety task does not have a safety task signature, and
the replacement drive is in an out-of-box condition, meaning that a safety
network number does not exist in the safety drive.

If the safety task has a safety task signature, the GuardLogix controller
automatically configures the replacement CIP Safety I/O device only if the
following is true:
• The device already has the correct safety network number.
• The device electronic keying is correct.
• The node or IP address is correct.

For detailed information, see the GuardLogix 5580 Controllers User Manual,
publication 1756-UM543 or Compact GuardLogix 5380 Controllers User
Manual, publication 5069-UM001.

Configure Always

When the Configure Always feature is enabled, the controller automatically
checks for and connects to a replacement drive that meets all of the following
requirements:
• The controller has configuration data for a compatible drive at that
network address.
• The drive has an SNN that matches the configuration.

ATTENTION: Enable the ‘Configure Always’ feature only if the entire
integrated safety control system is not being relied on to maintain SIL 3
behavior during the replacement and functional testing of a PowerFlex 755/
755T drive product.
If other parts of the integrated safety control system are being relied upon to
maintain SIL 3, make sure that the controller’s ‘Configure Always’ feature is
disabled.
It is your responsibility to implement a process to make sure proper safety
functionality is maintained during device replacement.

ATTENTION: Do not place any devices in the out-of-box condition on any
integrated safety network when the ‘Configure Always’ feature is enabled,
except while following the device replacement procedure in the GuardLogix
user manual appropriate for your Logix 5000™ controller:
• GuardLogix 5580 Controllers User Manual, publication 1756-UM543.
• Compact GuardLogix 5380 Controllers User Manual, publication
5069-UM001.

Motion Direct Commands in Motion Control Systems

You can use the Motion Direct Command (MDC) feature to initiate motion
while the controller is in Program mode, independent of application code that
is executed in Run mode. These commands let you perform a variety of
functions, for example, move an axis, jog an axis, or home an axis.

A typical use might involve a machine integrator testing different parts of the
motion system while the machine is being commissioned or a maintenance
engineer, under certain restricted scenarios in accordance with safe machine
operating procedures, wanting to move an axis (like a conveyor) to clear a jam
before resuming normal operation.

ATTENTION: To avoid personal injury or damage to equipment, follow these
rules regarding Run mode and Program mode.
• Allow only authorized, trained personnel with knowledge of safe machine
operation to use Motion Direct Commands.
• Use additional supervisory methods, like removing the controller key
switch, to maintain the safety integrity of the system after returning the
safety controller to Run mode.

Understand STO Bypass When Using Motion Direct Commands

If a Safety-only connection between the GuardLogix safety controller and the
PowerFlex 755/755T drive product was established at least once after it was
received from the factory, then it does not allow motion while the safety
controller is in Program mode by default.

This is because the safety task is not executed while the GuardLogix safety
controller is in Program mode. This applies to applications running in a single-
safety controller (with Motion and Safety connections). When an integrated
safety drive has a Motion connection to a standard controller and a separate
Safety connection to a dual-safety controller, the standard controller can
transition to Program mode while the safety controller stays in Run mode and
continues to execute the safety task.

However, PowerFlex 755/755T drive systems are designed with a bypass
feature for the STO function in single-safety controller configurations. You can
use the MDC feature to allow motion while following all necessary and
prescribed steps per your machine’s safety operating procedures.

ATTENTION: Consider the consequences of allowing motion through the use
of MDC when the controller is in Program mode. You must acknowledge
warning messages in the Logix Designer application that warn that the drive
bypasses the STO function and that unintended motion can occur. The integrated
safety drive does not respond to requests of the STO function if MDC mode is
entered.
It is your responsibility to maintain machine safety integrity while executing
motion direct commands. One alternative is to provide ladder logic for
Machine Maintenance mode that leaves the controller in Run mode with
safety functions executing.


Logix Designer Application Warning Messages

When the controller is in Run mode, executing safety functions, the
PowerFlex 755 drive follows the commands that it receives from the safety
controller. The controller reports ‘Safety State = Running’ and ‘Axis State =
Stopped/Running’, as shown in Figure 70.

Figure 70 - Safety State Indications When Controller is in Run Mode (safety task executing)

When the controller transitions to Program mode, the integrated safety drive is
in the safe state (torque is not permitted). The controller reports ‘Safety State
= Not Running’ and ‘Axis State = Start Inhibited’, as shown in Figure 71.

Figure 71 - Safety State Indications After Controller Transitions to Program Mode


When you issue a motion direct command to an axis to produce torque in
Program mode, for example MSO or MDS, with the safety connection present
to the drive, a warning message is presented before the motion direct command
is executed, as shown in Figure 72.

Figure 72 - STO Bypass Prompt When the Safety Controller is in Program Mode

IMPORTANT The warning in Figure 72 is displayed only the first time a motion direct
command is issued.

After you acknowledge the warning message by clicking Yes, torque is
permitted by the drive and a warning message is indicated in the software as
shown in Figure 73. The controller reports ‘Safety State = Not Running
(Torque Permitted)’, ‘Axis State = Stopped/Running’ and ‘Persistent Warning
= Safe Torque Off bypassed’.

IMPORTANT Switch the controller to Run mode to exit Motion Direct Command mode
and end the STO function bypass.


Figure 73 - Safety State Indications After Controller Transitions to Program Mode (MDC executing)

IMPORTANT The persistent warning message text ‘Safe Torque Off bypassed’ appears
when a motion direct command is executed.
The warning message persists even after the dialog is closed and
reopened as long as the integrated safety drive is in STO Bypass mode.
The persistent warning message is removed only after the integrated
safety drive's Safety State is restored to the Running state.

Torque Permitted in a Multi-workstation Environment

The warning in Figure 74 is displayed to notify a second user working in a
multi-workstation environment that the first user has placed the integrated
safety drive in the STO state and that the current action is about to bypass the
STO state and permit torque.

Figure 74 - STO Bypass Prompt When MDC is Issued in Multi-workstation Environment


Warning Icon and Text in Axis Properties

In addition to the other warnings that require your acknowledgement, the
Logix Designer application also provides warning icons and persistent warning
messages in other Axis Properties dialog boxes when the integrated safety drive
is in STO Bypass mode.

Figure 75 - Axis and Safe State Indications on the Hookup Services Dialog Box

Figure 76 - Axis and Safe State Indications on Motion Direct Commands Dialog Box


Figure 77 - Axis and Safe State Indications on the Motion Console Dialog Box

Functional Safety Considerations

ATTENTION: Before maintenance work can be performed in Program mode,
the developer of the application must consider the implications of allowing
motion through motion direct commands. Consider developing logic for
runtime maintenance operations to meet the requirements of machine
safety operating procedures.

ATTENTION: Motion is allowed and the STO function is not available when
motion direct commands are used in Program mode.
Motion direct commands issued when the controller is in Program mode
cause the drive to bypass the STO Active condition.
It is your responsibility to implement additional preventive measures to
maintain safety integrity of the machinery during execution of motion direct
commands in Program mode.

ATTENTION: To avoid personal injury and damage to equipment in the event
of unauthorized access or unexpected motion during authorized access,
return the controller to Run mode and remove the key before leaving the
machine unattended.


Programming Motion and Safety Tasks

Motion systems built using Rockwell Automation® Integrated Architecture™
components have separate motion and safety functions. In a typical control
application with motion and safety connections, motion and safety tasks run in
the following Logix 5000 controllers:
• Motion functions operate in a motion task of any ControlLogix® or
CompactLogix™ (Logix 5000) controller
• Safety functions operate in a safety task of only GuardLogix 5580 or
Compact GuardLogix 5380 controllers
• Motion tasks and safety tasks can operate in the same GuardLogix
controller or in separate controllers
• The safety task, operating in a GuardLogix controller, communicates
with the drive module with a safety connection over the EtherNet/IP®
network. See Safety Task in Figure 79 on page 179.
• The motion task, operating in any of these controllers, communicates
with the drive module Associated Axes with a motion connection over
the EtherNet/IP network. See Motion Task in Figure 79 on page 179.
• The PowerFlex 755 and PowerFlex 755T drives and drive products
contain one inverter for control of one motor and one motion axis.
• Feedback from position encoders, supplied to the motion tasks, is also
associated with the axis.

Motion Safety Instances

The PowerFlex 755/755T drive products, with the Integrated Safety Function
option module, contain one Motion Safety instance to provide integrated
safety functions. The safety instance operates independently of the inverters
and feedback used for motion. The drive module safety instance receives
encoder safety feedback for use with the integrated safety functions. The safety
feedback is also supplied to the controller safety task over the safety connection
for use with controller-based safety functions that may operate in the
controller.

A motion and safety system can be configured so that a safety function operates
in the controller. This type of configuration is referred to as a controller-based
safety function. The system can also be configured so that the safety function
operates in the drive module with the initiation and monitoring of the
function in the safety task. This type of safety function is referred to as drive-
based safety. A motion system can have both controller-based and drive-based
safety functions.

Safety Function Operation

In this example we describe how a motion and safety control system operates
and how motion and safety tasks are coordinated. In typical motion and safety
system applications, an E-stop switch is used to stop the system. In the
following example, the switch is used to initiate the process that brings the axis
to a controlled stop before removing power. This type of stop is called Stop
Category 1. The motion task and drive inverter are responsible for bringing the
axis to a Category 1 stop. At the same time, to make sure that the Stop
Category 1 is correctly executed by the motion system, the safety task initiates a
Monitored SS1 safety function. The SS1 safety function can be configured to
use the drive-based SS1 function or it can be configured to use the controller-
based SS1 function.

This sequence of events represents the steps required for a Monitored SS1
drive-based safety function.

1. The safety task reads the E-stop input and detects the switch actuation.
2. The safety task communicates an SS1 request by setting the
module:SO.SS1Request bit of the drive (inverter) motion-safety
instance.
3. The motion-safety instance in the drive communicates the Axis Safety
Status to the drive motion core.
4. The motion core communicates with the motion controller running the
motion task by updating the motion axis tag axis.SS1ActiveStatus.
5. The motion task controls the axis to bring the motor to a stop within the
Monitored SS1 limits for speed and time.
6. While the axis is stopping, the SS1 function (in the motion-safety
instance) monitors the axis speed to make sure it remains below the
speed limit and maximum stopping time.
7. When the axis reaches standstill speed, the motion-safety core activates
the Safe Torque Off function.

This sequence of events represents the steps required for a Monitored SS1
controller-based safety function.

1. The safety task reads the E-stop input and detects the switch actuation.
2. The safety task activates the SS1 safety instruction running in the safety
task.
3. The SS1 instruction communicates that SS1 is active by setting the
module:SO.SS1Active bit of the drive (inverter) motion-safety instance.
4. The motion-safety instance in the drive communicates the Axis Safety
Status to the drive motion core.
5. The motion core communicates with the motion controller running the
motion task by updating the motion axis tag axis.SS1ActiveStatus.
6. The motion task controls the axis to bring the motor to a stop within the
Monitored SS1 limits for speed and time.
7. While all events are occurring, the motion-safety instance updates the
Feedback Velocity tag, module:SI.FeedbackVelocity, in the safety
controller. The SS1 function running in the safety task receives the
speed scaled by the SFX safety instruction and makes sure the axis
remains below the speed limit and maximum stopping time.
8. When the axis reaches standstill speed, the SS1 safety instruction outputs
SS1 complete.

The safety task communicates to the drive motion safety instance to activate
STO by clearing the module:SO.STOOutput bit of the drive motion-safety
instance.
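The monitoring part of both sequences above (speed limit, maximum stopping time, standstill, then STO) can be modeled as follows. This is an added example, not Rockwell Automation code and not the drive's or the SS1 instruction's actual algorithm; the limit names, the limit values, the outcome labels and the velocity traces are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ss1Limits:
    """Monitored SS1 limits (field names are assumptions for this example)."""
    speed_limit: float       # speed the axis must stay below while stopping
    max_stop_time: float     # seconds allowed from SS1 request to standstill
    standstill_speed: float  # speed at or below which the axis counts as stopped


def monitor_ss1(samples, limits):
    """Evaluate feedback samples taken after an SS1 request.

    samples: iterable of (seconds_since_request, feedback_velocity).
    Returns (outcome, time, reason); outcome is "sto", "fault" or "monitoring".
    """
    last_t = None
    for t, velocity in samples:
        if t < 0 or (last_t is not None and t <= last_t):
            raise ValueError("sample times must be non-negative and increasing")
        last_t = t
        speed = abs(velocity)  # direction does not matter for the speed check
        # Standstill must be reached before the stopping time runs out.
        if t > limits.max_stop_time:
            return ("fault", t, "maximum stopping time exceeded")
        # The axis must stay below the speed limit for the whole stop.
        if speed > limits.speed_limit:
            return ("fault", t, "speed limit exceeded while stopping")
        # Standstill inside both limits: SS1 completes and STO is activated.
        if speed <= limits.standstill_speed:
            return ("sto", t, "standstill reached, Safe Torque Off activated")
    return ("monitoring", last_t, "axis still decelerating")


# Constructed traces: (seconds since SS1 request, feedback velocity in RPM).
LIMITS = Ss1Limits(speed_limit=1800.0, max_stop_time=2.0, standstill_speed=5.0)
NORMAL_STOP = [(0.0, 1500.0), (0.5, 900.0), (1.0, 300.0), (1.5, 2.0)]
SLOW_STOP = [(0.0, 1500.0), (1.0, 1200.0), (2.0, 900.0), (2.5, 700.0)]
RUNAWAY = [(0.0, -1500.0), (0.5, -1900.0), (1.0, -2200.0)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_STOP),
                        ("slow", SLOW_STOP),
                        ("runaway", RUNAWAY)):
        print(name, monitor_ss1(trace, LIMITS))
```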

This figure shows how the safety task and motion tasks communicate with the
drive.

Figure 78 - Safe Monitor System Communication

[Block diagram. PowerFlex 755/755T drive product: control hardware containing the integrated motion core and the motion safety instance, and power hardware. The motion controller (motion task)(1) connects over the CIP Motion™ protocol; the safety controller (safety task)(1) connects over the CIP Safety™ protocol. Servo motor with primary encoder (SIL 2, PL d) and secondary encoder(2).]

(1) Motion and Safety connections can be made from a single Safety controller or two separate Motion and Safety controllers.
(2) The secondary encoder is required to meet a SIL 3 system rating.


Safe Monitor Network Communication

The safe monitor network executes motion and safety tasks by using CIP
protocol.

Figure 79 - Motion and Safety Connections

[Diagram. The Safety Task in the GuardLogix safety controller and the Motion Task in the Logix 5000 motion controller (one controller when a single controller is used for motion task and safety task) connect to the PowerFlex 755/755T drive product. Labeled paths: Safety Connection, Explicit Messages, Motion Connection. Drive blocks: Motion Safety Instance, Motion Core, Motion Axis. Safety fault and status sent to motion controller axis tags.]

Motion Connection

The motion connection communicates drive motion and safety status to the
motion task. The motion connection also receives motion commands from the
motion task in the motion controller. Data is exchanged at a periodic rate over
the connection. To configure the drive-module motion connection Axis
Properties in the Logix Designer application, see the PowerFlex 750-Series AC
Drives Programming Manual, publication 750-PM001-EN-P or the
PowerFlex Drives with TotalFORCE® Control Programming Manual,
publication 750-PM100-EN-P.

Some of the axis tags are updated from fault and safety status provided by the
safety instance in the drive module. The safety instance sends this status to the
motion core and then on to the motion controller. Axis tags show the updated
status. See Figure 79 for an illustration on how status is sent to the motion
controller.

IMPORTANT Axis tags are for status only and are not used by the safety function.


Table 61 - Motion Connection Axis Tags

| Axis Tag Name (motion controller) | Motion Connection Attribute # | Data Type | Description | Safety Output Assembly Tag Name (safety controller) |
|---|---|---|---|---|
| Axis.AxisSafetyState | 760 | DINT | Drive module Safety Supervisor state. See the Safety Supervisor State on page 184 for more details. | None |
| Axis.AxisSafetyDataA | 986 | DINT | 32-bit data container holding general-purpose safety data passed from the safety controller. | module:SO.SafetyDataA[instance] |
| Axis.AxisSafetyDataB | 987 | DINT | 32-bit data container holding general-purpose safety data passed from the safety controller. | module:SO.SafetyDataB[instance] |
| Axis.AxisSafetyStatus | 761 | DINT | Collection of bits indicating the status of the standard safety functions for the axis as reported by Drive Safety Instance. | See individual bits below. |
| Axis.SafetyFaultStatus | [0] | BOOL | Any Safe Stop Fault occurring in the Safety Instance. 0 = Not Faulted; 1 = Safety Fault | None |
| Axis.SafetyResetRequestStatus | [1] | BOOL | Indicates the state of the reset request output from the safety controller (in the safety output assembly) connected with the drive safety instance. This is the reset input to the safety instance in the drive module. 0 = Reset Request OFF; 1 = Reset Request ON | module:SO.ResetRequest[inst] |
| Axis.SafetyResetRequiredStatus | [2] | BOOL | Indicates that the drive-module safety instance associated with this Axis requires a reset of the safety function. 0 = Normal; 1 = Reset Required | None |
| Axis.SafeTorqueOffActiveStatus | [3] | BOOL | Indicates the state of the STO output from the safety controller, which is the STO input to the drive-module safety instance associated with this axis. 0 = STO Output Is active; 1 = STO is not active, STO is not requested | module:SO.STOOutput[inst] |
| Axis.SafeTorqueDisabledStatus | [4] | BOOL | Indicates the drive-module safety instance Torque Disabled Status. 0 = Axis power structure is not inhibited by the safety instance; 1 = Axis power structure is inhibited | None |
| Axis.SBCActiveStatus | [5] | BOOL | Indicates that the SBC function is active and the sequence to set the Safety Brake has started. This function is only available as a controller-based function. 0 = SBC Function is not Active; 1 = SBC Function is Active | module:SO.SBCActive |
| Axis.SBCEngagedStatus | [6] | BOOL | Indicates that the External Safety Brake is engaged by the controller-based SBC function. 0 = Brake is Engaged; 1 = Brake is Released | module:SO.SBCBrakeEngaged |
| Axis.SS1ActiveStatus | [7] | BOOL | Indicates that the controller-based or the drive-based SS1 function is active. 0 = SS1 Function is not Active; 1 = SS1 Function is Active | module:SO.SSActive[inst] |
| Axis.SS2ActiveStatus | [8] | BOOL | Indicates that the controller-based SS2 function is active. 0 = SS2 Function is not Active; 1 = SS2 Function is Active | module:SO.SSActive[inst] |
| Axis.SOSActiveStatus | [9] | BOOL | Indicates that the controller-based SOS function is active. 0 = SOS Function is not Active; 1 = SOS Function is Active | module:SO.SOSActive[inst] |
| Axis.SOSStandstillStatus | [10] | BOOL | Indicates that the controller-based SOS function has detected standstill according to the function configuration. 0 = monitored axis is not at standstill; 1 = monitored axis is at standstill | module:SO.SOSLimit[inst] |
| Axis.SMTActiveStatus | [11] | BOOL | Always 0. This function is not available. | None |
| Axis.SMTOvertemperatureStatus | [12] | BOOL | Always 0. This function is not available. | None |
| Axis.SSMActiveStatus | [16] | BOOL | For use with a controller-based SSM function. | module:SO.SSMActive[inst] |
| Axis.SSMStatus | [17] | BOOL | For use with a controller-based SSM function. | module:SO.SSMStatus[inst] |


Table 61 - Motion Connection Axis Tags (Continued)

| Axis Tag Name (motion controller) | Motion Connection Attribute # | Data Type | Description | Safety Output Assembly Tag Name (safety controller) |
|---|---|---|---|---|
| Axis.SLSActiveStatus | [18] | BOOL | Indicates that the controller-based SLS function is active. 0 = SLS Function is not Active; 1 = SLS Function is Active | module:SO.SLSActive[inst] |
| Axis.SLSLimitStatus | [19] | BOOL | Indicates that the controller-based SLS function has detected the monitored axis speed above the limit setpoint. 0 = axis is below setpoint speed; 1 = axis is greater than or equal to the setpoint speed | module:SO.SLSILimit[inst] |
| Axis.SLAActiveStatus | [20] | BOOL | Always 0. This function is not available. | None |
| Axis.SLALimitStatus | [21] | BOOL | Always 0. This function is not available. | None |
| Axis.SDIActiveStatus | [22] | BOOL | Indicates that the controller-based SDI function is active. 0 = SDI Function is not Active; 1 = SDI Function is Active | module:SO.SDIActive[inst] |
| Axis.SDILimitStatus | [23] | BOOL | Indicates that the controller-based SDI function detected motion greater than the limit in the unintended direction. 0 = Limit not reached; 1 = Unintended motion | module:SO.SDILimit[inst] |
| Axis.SafePositiveMotionStatus | [24] | BOOL | Always 0. This function is not available. | None |
| Axis.SafeNegativeMotionStatus | [25] | BOOL | Always 0. This function is not available. | None |
| Axis.SCAActiveStatus | [26] | BOOL | For use with a controller-based SCA function. | module:SO.SCAActive[inst] |
| Axis.SCAStatus | [27] | BOOL | For use with a controller-based SCA function. | module:SO.SCAStatus[inst] |
| Axis.SLPActiveStatus | [28] | BOOL | Indicates that the controller-based SLP function is active. 0 = SLP Function is not Active; 1 = SLP Function is Active | module:SO.SLPActive[inst] |
| Axis.SLPLimitStatus | [29] | BOOL | Indicates that the controller-based SLP function has detected the monitored axis position outside of the setpoint limits. 0 = axis position is within the limits; 1 = axis position is outside of the limits | module:SO.SLPLimit[inst] |
| Axis.SafetyOutputConnectionClosedStatus | [30] | BOOL | Indicates the safety connection status from the controller to the drive module. 0 = connection open; 1 = connection closed | None |
| Axis.SafetyOutputConnectionIdleStatus | [31] | BOOL | Indicates the safety connection status from the controller to the drive module. 0 = connection active; 1 = connection idle | None |
| Axis.AxisSafetyStatusRA | 762 | DINT | Collection of bits indicating the status of Rockwell Automation specific safety functions for the axis as reported by Drive Safety Instance. | See individual bits below. |
| Axis.SafeBrakeIntegrityStatus | [0] | BOOL | Status of an external safety brake controlled by SBC instruction. The brake status, released or engaged, is undetermined. 0 = SBC fault; 1 = No faults detected | module:SO.SBCIntegrity[inst] |
| Axis.SafeFeedbackHomedStatus | [1] | BOOL | Status of the controller-based SFX position homing function. | module:SO.SFHome[inst] |
| Axis.AxisSafetyFaults | 763 | DINT | Collection of bits indicating the Safety Fault status of the drive-module safety instances and integrated safety functions. | See individual bits below. |
| Axis.SafetyCoreFault | [0] | BOOL | Indicates an internal fault occurred within the drive-module safety instance. In the case of dual-axis inverters, both safety instances fault. 0 = Normal Operation; 1 = Fault | None (use explicit message) |
| Axis.SafetyFeedbackFault | [2] | BOOL | Indicates a fault occurred with the safety feedback or with the safety dual-channel feedback. 0 = Normal Operation; 1 = Fault | None (use explicit message) |


Table 61 - Motion Connection Axis Tags (Continued)

| Axis Tag Name (motion controller) | Motion Connection Attribute # | Data Type | Description | Safety Output Assembly Tag Name (safety controller) |
|---|---|---|---|---|
| Axis.SafeTorqueOffFault | [3] | BOOL | Indicates a fault occurred within the STO function of the drive-module safety instance. 0 = Normal Operation; 1 = Fault | None (use explicit message) |
| Axis.SS1Fault | [4] | BOOL | Indicates that a fault occurred with the drive-based or a controller-based SS1 function. 0 = Normal Operation; 1 = Fault | module:SO.SSFault[inst] |
| Axis.SS2Fault | [5] | BOOL | Indicates that a fault occurred with the drive-based SS2 function. 0 = Normal Operation; 1 = Fault | module:SO.SSFault[inst] |
| Axis.SOSFault | [6] | BOOL | Indicates that a fault occurred with the drive-based SOS function. 0 = Normal Operation; 1 = Fault | module:SO.SOSFault[inst] |
| Axis.SBCFault | [7] | BOOL | Indicates that a fault occurred with the controller-based SS2 function. 0 = Normal Operation; 1 = Fault | module:SO.SBCFault[inst] |
| Axis.SMTFault | [8] | BOOL | Always 0. This function is not available. | – |
| Axis.SSMFault | [16] | BOOL | Controller-based SSM fault. 0 = Normal Operation; 1 = Fault | module:SO.SSMFault[inst] |
| Axis.SLSFault | [17] | BOOL | Controller-based SLS fault. 0 = Normal Operation; 1 = Fault | module:SO.SLSFault[inst] |
| Axis.SLAFault | [18] | BOOL | Always 0. This function is not available. | – |
| Axis.SDIFault | [19] | BOOL | Controller-based SDI fault. 0 = Normal Operation; 1 = Fault | module:SO.SDIFault[inst] |
| Axis.SCAFault | [20] | BOOL | Controller-based SCA fault. 0 = Normal Operation; 1 = Fault | module:SO.SCAFault[inst] |
| Axis.SLPFault | [21] | BOOL | Controller-based SLP fault. 0 = Normal Operation; 1 = Fault | module:SO.SLPFault[inst] |
| Axis.SafetyValidatorFault | [30] | BOOL | Always 0. This function is not available. | – |
| Axis.SafetyUNIDFault | [31] | BOOL | Always 0. This function is not available. | – |
| Axis.AxisSafetyFaultsRA | 764 | DINT | Collection of bits indicating the safety fault status of Rockwell Automation safety functions. | See individual bits below. |
| Axis.SFXFault | [1] | BOOL | Controller-based SFX fault. 0 = Normal Operation; 1 = Fault | module:SO.SFXFault[inst] |
| Axis.AxisSafetyAlarms | 753 | DINT | Reserved for future use. | – |

Pass-through Data

Some of the Motion Connection axis tags are updated from information that is
received from the Safety Connection. This data originates in the safety
controller as Safety Output assembly tags and is passed through the drive and
on to the motion controller, where the corresponding axis tag is updated. This
data is called pass-through data.


The pass-through data includes items such as status and faults for controller-
based safety functions. Two general-purpose 32-bit words are provided in the
output assembly from the safety controller and appear as AxisSafetyDataA and
AxisSafetyDataB in the motion controller associated axis.

Safety Data A and B are provided for the safety and motion application for
additional safety program status. A typical use of Safety Data A and Safety
Data B can be to indicate the value of a safety limit that is currently in effect for
the motion application to control the motion accordingly.

IMPORTANT Axis tags are for status only and are not used by the safety function.

Safety Connection

The safety controller communicates with the safety instance in the drive
module over the safety connection. Cyclic data is passed in each direction
over the safety connection and appears in safety controller tag structures
called the input and output assemblies. The safety connection cyclic rate is
configured in the Logix Designer application.

The Safety Input Assembly tag structure is data from the drive module safety
instance to the safety controller. The Safety Output Assembly tag structure is
data from the safety controller to the drive module safety instance.

Explicit Messages

Use explicit messages to communicate with a drive and obtain additional fault,
status, or configuration information that is not available in the Safety I/O Tag
structure. Attribute data is useful for additional diagnostic information. An
explicit message can be sent by any controller on the network and used to read
any drive module attribute. See Motion Connection on page 179 for the drive-
module safety attribute names and numbers that can be used by an MSG
instruction. See Figure 79 on page 179 to see how explicit messages are part of
motion and safety communication.

When an explicit message is used, a class ID must be specified. The class ID
identifies the safety object type in the drive module that is accessed.

Table 62 - Object Classes Available in Motion Safety Instances

| Object Class | Motion Safety Instances |
|---|---|
| Safety Supervisor | 1 |
| Safe Stop Functions | 1 |
| Safety Feedback | 2 |
| Dual-channel Safety Feedback | 1 |

IMPORTANT Explicit messages must not be used for any safety-related function.


Safety Supervisor State

In the drive module, the connection to the safety instance or instances is
controlled by a safety supervisor. The supervisor status can be read by the
motion controller through the motion connection and the safety controller
through the Safety Input Assembly or by an explicit message.

The safety supervisor state provides information on the state of the integrated
safety connection and the mode of operation. There is only one safety
supervisor object per drive module.

Table 63 - Safety Supervisor State: MSG

| Parameter | Value | Description |
|---|---|---|
| Service Code | 0x0E | Get attribute single |
| Class | 0x39 | Safety supervisor |
| Instance | 1 | Drive-module safety instance associated with an axis |
| Attribute | 0x0B | Device status |
| Data Type | SINT | Short integer |

Table 64 - Safety Supervisor States

| Value | Safety Supervisor State | Definition | Safety Mode |
|---|---|---|---|
| 2 | Configured (no safety connection) | No active connections | Integrated |
| 4 | Running | Normal running state | Integrated |
| 7 | Configuring | Transition state | Integrated |
| 8 | Not Configured | Hard-wired STO mode with torque disabled | Hard-wired (out of the box) |
| 51 | Not Configured (torque permitted) | Hard-wired STO mode with torque permitted | Hard-wired (out of the box) |
| 52 | Running (torque permitted) | STO bypass state | Integrated |
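The explicit message in Table 63 and the state values in Table 64 can be combined into a diagnostic check that flags a drive in the STO bypass state or still out of the box. This is an added example, not Rockwell Automation code: it builds the CIP message-router request bytes for the Table 63 parameters, parses a reply, and classifies the state. The reply byte strings are constructed, and the function names and finding labels are assumptions; in line with the IMPORTANT note above, the result is diagnostic only and not part of any safety function.

```python
import struct

# Request parameters from Table 63.
GET_ATTRIBUTE_SINGLE = 0x0E
SAFETY_SUPERVISOR_CLASS = 0x39
DEVICE_STATUS_ATTRIBUTE = 0x0B

# State values from Table 64: value -> (state, safety mode).
SUPERVISOR_STATES = {
    2: ("Configured (no safety connection)", "Integrated"),
    4: ("Running", "Integrated"),
    7: ("Configuring", "Integrated"),
    8: ("Not Configured", "Hard-wired (out of the box)"),
    51: ("Not Configured (torque permitted)", "Hard-wired (out of the box)"),
    52: ("Running (torque permitted)", "Integrated"),
}


def build_request(instance=1):
    """Message-router request: service, path size in words, then the path.

    The path uses 8-bit logical segments: 0x20 class, 0x24 instance,
    0x30 attribute.
    """
    if not 1 <= instance <= 0xFF:
        raise ValueError("instance must fit an 8-bit logical segment")
    path = bytes([0x20, SAFETY_SUPERVISOR_CLASS,
                  0x24, instance,
                  0x30, DEVICE_STATUS_ATTRIBUTE])
    return bytes([GET_ATTRIBUTE_SINGLE, len(path) // 2]) + path


def parse_reply(reply):
    """Return the SINT device status from a message-router reply."""
    if len(reply) < 4:
        raise ValueError("reply shorter than the 4-byte reply header")
    service, _reserved, status, ext_words = struct.unpack_from("<BBBB", reply)
    if service != (GET_ATTRIBUTE_SINGLE | 0x80):
        raise ValueError(f"unexpected reply service 0x{service:02X}")
    if status != 0:
        raise RuntimeError(f"CIP general status 0x{status:02X}")
    data = reply[4 + 2 * ext_words:]
    if len(data) != 1:
        raise ValueError("expected exactly one byte of SINT data")
    return struct.unpack("<b", data)[0]


def classify(value):
    """Map a Table 64 value to a finding a monitoring job can alert on."""
    state, mode = SUPERVISOR_STATES.get(value, ("Unknown", "Unknown"))
    if value == 52:
        finding = "sto_bypass"      # torque permitted, safety task not running
    elif value in (8, 51):
        finding = "out_of_box"      # no integrated safety configuration owner
    elif value == 4:
        finding = "running"
    elif value in (2, 7):
        finding = "not_running"     # configured, but no active safety connection
    else:
        finding = "unknown"
    return {"value": value, "state": state, "mode": mode, "finding": finding}


if __name__ == "__main__":
    print(build_request().hex())
    # Constructed replies: success with value 52, then success with value 4.
    for raw in (bytes.fromhex("8e00000034"), bytes.fromhex("8e00000004")):
        print(classify(parse_reply(raw)))
```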

Application Example - Using SFX, SS1, and SLS Instructions with Integrated Motion

In this example, a PowerFlex 755 drive (equipped with embedded Ethernet)
controls a servo motor (catalog number MPL-B430P-M). A Universal Feedback
option module (catalog number 20-750-UFB-1) and an Integrated Safety
Function option module (catalog number 20-750-S4) are used to interface to a
GuardLogix 5580 safety controller (catalog number 1756-L84ES).

This example shows the programming and configuration required for three of
the most common safe monitoring functions:
• Safe Feedback
• Safe Stop 1
• Safe Limited Speed

An 800FP push button is configured as an emergency stop. It is monitored using
a DCS ESTOP Instruction and is wired to one dual-channel S4 Safety Input.
This input can generate Safe Stop 1 at any time during operation of the drive.


A Guard Locking Switch (catalog number TLS-Z GD2) is mapped to one of the
S4 Safety Outputs. This switch can be opened when the Safe Stop 1 is complete
and when the Safe Limited Speed is below the required speed for an operator to
access the machine function.

The Safety Reset and Home Request functions are programmed with the other
two S4 Safety inputs. These do not need to be safety-rated devices. For the
purpose of this example, other inputs and outputs are toggled for simplicity. At
any time, you can implement additional safety or IO devices as required based on
the machine risk assessment.

Both the standard motion programming and safety programming must be
completed for a successful implementation.

Studio 5000 Logix Designer Application Configuration


Figure 80 - Studio 5000 Logix Designer Application Configuration Example

Figure 81 - Studio 5000 Connection Set to Motion and Safety

Studio 5000 Connection is set to ‘Motion And Safety’ since the GuardLogix
controller will provide both in this example. The Safety Instance is set to ‘Single
Feedback Monitoring’ in order to use Safe Limited Speed, which supports
monitoring Safe Stop 1 and safe feedback.


Figure 82 - Peripheral Device Definition

This PowerFlex 755 drive is configured with the 20-750-UFB-1 in port 4. The
Safe Feedback checkbox must be checked for proper configuration and
agreement with the safety switches on the Universal Feedback option module.

IMPORTANT The 20-750-S4 and 20-750-UFB-1 must reside in the same backplane board.

Figure 83 - Primary Feedback Configuration

Since the MPL-B430P-M device is used for the primary safety channel, the
normal cycles per revolution are 1024 and must be configured in the Primary
Feedback tab.

Figure 84 - Studio 5000 Safety Scaling Configuration Example


Figure 85 - Studio 5000 Safety Input Configuration Example

• Inputs 0 and 1 are used with an OSSD Estop input from the 800FP.
• Input 2 is a standard digital input from a push button to safety reset the
S4 module.
• Input 3 is a standard digital input from a push button to set the SFX
home.

Figure 86 - Studio 5000 Output Configuration Example

Programming Example

This example illustrates configuration of the safety input, logic, and output
routines.

TIP Configure your system based on the required safety level devices and ratings.

Safety Input

The DCS Instruction is responsible for evaluating the dual-input validity into
the GuardLogix safety controller.


Figure 87 - DCS Instruction with the S4 is Mapped to the 800FP

Figure 88 - DCS Instruction Evaluates Dual-input Validity

Safety Logic

The Safety Logic is used to configure when a safety reset occurs, the home
trigger, and the execution of the SFX instruction (which must have primary
feedback valid for it to execute properly).

Both the Safe Stop 1 and Safe Limited Speed use the SFX instruction for
correct monitoring of feedbacks. Safe Stop 1 is requested when the 800FP
inputs are removed. Safe Limited Speed is requested, in this example, by
toggling the Examine On tag.


Figure 89 - Safety Logic Example


Safety Output

The Safe Torque Off output must be true in order for any of the preceding safe
monitoring functions (namely SFX, SS1, and SLS) to function.

Figure 90 - Safety Output Example

The PowerFlex 755 S4 safety actions can be configured based on the required
reaction to various machine requirements. In this instance, the STO request is
executed by the PowerFlex 755 and causes a disable and coast reaction.
However, the SS1 request (made by the GuardLogix Safety Task) is
executed by the GuardLogix Motion Controller (not the Safety Controller)
with the use of pass-through tags. In this case, the Motion Axis Stop is used to
bring the motor to a controlled stop, as shown by the programming example.


Figure 91 - Safety Output Programming Example

Safe Limited Speed requests (and any other safe monitoring instruction requests
besides STO, SS1, and SS2) are handled with the use of pass-through tags in
the GuardLogix Motion Controller. The GuardLogix Safety Controller uses
pass-through tags to the Motion Controller to use the Motion Change
Dynamics instruction for the SLS request, as shown in the programming
example.

Figure 92 - Motion Instructions Used to Motion Servo On and Motion Servo Off


Figure 93 - Motion Instructions to Run the Motor at a Specific Velocity


Figure 94 - Use of the Motion Change Dynamics Instruction to Change from Normal Operating
Speed to Safe Limited Speed and Back based on the Safety Task Request


Figure 95 - Use of the Motion Axis Stop Instruction to Bring the Motor to 0 Speed Once the SS1
Request is Made From the Safety Task

When the stop is complete and the motor is at 0 speed, the Motion Servo Off is
given to open the position loop and stop modulating the drive. The Safety Task
then uses the STO Output off to put the drive and motor into a Safe Torque Off
state.



Chapter 8

Monitoring and Troubleshooting

This chapter provides information for monitoring and troubleshooting the
Integrated Safety Functions option module.

Topic
Monitor Status Using Status Indicators
Monitor Status with a HIM or Software

Monitor Status Using Status Indicators

The option module has four status indicators to provide status of the module,
safety network, and motion output of the drive:
• Module status (DS1)
• Network status (DS2)
• Motion output status (DS3)
• Safety fault (DS4)

IMPORTANT Status indicators are not reliable for safety functions. Use status indicators
only for general diagnostics during commissioning or troubleshooting. Do
not attempt to use status indicators to determine operational status.


Module Status Indicator (DS1)

Table 65 provides information for the module status indicator.

Table 65 - Module Status LED (DS1)

For Safety Supervisor State (1)  Status Indicator    Description or Problem
No power                         Off                 No power is applied to drive
Device self-test (1)             Flashing red/green  Device is performing its power-on self-test
Waiting for TUNID (8)            Flashing red/green  Module is not configured
Configuring (7)                  Flashing red/green  Module is not configured
Executing (5)                    Green               Module is not configured
Idle state (2)                   Flashing green      Standby (drive is not configured)
Abort (5)                        Flashing red        Recoverable fault detected by drive
Firmware update in progress      Flashing red        Firmware update in progress (if DS2 is also flashing red)
Critical fault (6)               Red                 Non-recoverable fault detected by drive

(1) The numbers in parentheses are the values in the Host Config P3 [Safety State] parameter.

Network Status Indicator (DS2)

Table 66 provides information for the network status indicator.

Table 66 - Network Status LED (DS2)


State                           Status Indicator         Description or Problem
Not powered/not online          Off                      Device is not online or device is not powered – check Module Status LED
Self-test                       Flashing red/green       Device is performing its power-on test
Setting safety network number   Fast flashing red/green  Replace device
No connection                   Flashing green           Device is online but has no connections in the established state
Connected                       Green                    Device is online and has connections in the established state
Connection timeout              Flashing red             One or more I/O connections are in the timed-out state
Firmware update is in progress  Flashing red             Firmware update in progress (If DS1 is also flashing red)
Critical link failure           Red                      Failed communications device – device has detected an error and it is not able to communicate on the network


Motion Output Status Indicator (DS3)

Table 67 provides information for the motion output status indicator.

Table 67 - Motion Output Status LED (DS3)


State Status Indicator Problem
Torque disabled Off Torque is disabled
Torque permitted Solid green STO circuit is permitting torque
Circuit fault Flashing red STO circuit is faulted

Safety Fault Indicator (DS4)


Table 68 provides information for the safety fault status indicator.

Table 68 - Safety Fault LED (DS4)

State Status Indicator Problem
No fault Solid green Safety functions and safety IO are operational
Safety functions fault Flashing red There is a safety function fault and/or safety IO alarm
Critical Fault Solid red The module has experienced a serious critical fault

Safety Fault Names

The Motion Safety instance in the Integrated Safety Functions option module
reports faults to the drive through the AxisSafetyFaults and
AxisSafetyFaultsRA tags. Each bit in these tags indicates a specific fault. This
information is used by the drive to log and display faults.

The Logix Designer application displays axis faults and status. When an axis is
selected in the Controller Organizer, axis faults and status are displayed in the
QuickView® software window.


Figure 96 - Axis Faults and Status

The safety faults named in Table 69 appear as Safety Faults when they occur. In
addition, if any of these faults are present, a safety fault appears under the axis
fault. Corresponding axis tags are set with any of the faults.

Table 69 - Safety Fault Names


Fault Name           Description
SafetyCoreFault      Internal fault in the drive’s safety processor
STOFault             A fault was detected by the Safe Torque Off function
SS1Fault (1)         A fault was detected by the Safe Stop 1 function
SS2Fault             A fault was detected by the Safe Stop 2 function
SOSFault             A fault was detected by the Safe Operating Stop function
SBCFault (1)         A fault was detected by the Safe Brake Control function
SSM Fault            A fault was detected by the Safe Speed Monitor function
SLSFault             A fault was detected by the Safely-limited Speed function
SDIFault             A fault was detected by the Safe Direction function
SCA Fault            A fault was detected by the Safe Cam function
SLPFault             A fault was detected by the Safe Limited Position function
SafetyFeedbackFault  The Safety processor has detected a problem with one or more of the safety feedback devices associated with the axis.

(1) A safety function fault bit can be set because the fault was detected by the internal drive safety function (if it is configured), or
by the connected safety controller. Read the safety function’s fault attribute from the drive to determine if the fault was
generated by the drive or received from the safety controller.


Understand Safety Faults

To obtain more detailed information about any faults that are detected in the
drive, most faults have a corresponding fault-type attribute. These attributes
are read by using an MSG instruction in the ladder program to read the specific
attribute information, or by reading the corresponding DPI™ parameter.
Details of the various fault-type attributes are described in the following
sections.

See Explicit Messages on page 251 for an example of using the MSG
instruction to read status.

Safety Supervisor State

The Safety Supervisor State provides information on the state of the safety
connection and the mode of operation. It can be read in the user's Logix
program using explicit messaging via the MSG instruction.

Table 70 - Safety Supervisor State: MSG

Parameter     Value  Description
Service Code  0x0E   Get Attribute Single
Class         0x39   Safety Supervisor
Instance      1      –
Attribute     0x0B   Device Status
Data Type     SINT   Unsigned Short Integer

For P3 [Safety State] information, see Table 78 on page 207.

Safety Core Fault

The Motion Safety instance has detected a non-recoverable fault or internal
error. When this happens, the Motion Safety instance reboots itself and
attempts to re-establish normal operation.

If this fault persists through power cycles, return the drive and safety module
for repair. In case of malfunction or damage, no attempts at repair should be
made. Do not dismantle the option module.


Safe Torque Off Fault

The Safe Torque Off (STO) function detected a fault. The safe stop function
records the specific fault type in the STO Fault Type attribute. The STO Fault
Type attribute is also recorded in P7 [STO Fault Type]. Table 71 describes the
parameters for an MSG instruction. Table 72 describes the fault types.

Table 71 - Safe Torque Off Fault Type: MSG


Parameter Value Description
Service Code 0x0E Get attribute single
Class 0x5A Safety stop functions
Instance 1 Drive-module safety instance
Attribute 0x108 STO fault type
Data Type SINT Short integer

Table 72 - STO Fault Types


STO Fault Type Value  STO Fault Type Name  Description
3                     Circuit Err          Internal STO diagnostics has found an issue with STO circuitry.
4                     Stuck Low            Internal STO health and/or power input stuck low.
5                     Stuck High           Internal STO health and/or power input stuck high.


Safe Stop 1 Fault

The Safe Stop 1 (SS1) function detected a fault. The safe stop function records
the specific fault type in the Safe Stop Fault attribute. The SS1 Fault Type is
also recorded in P10 [SS1 Fault Type]. Table 74 describes the parameters for an
MSG instruction. The drive immediately disables torque, ignoring STO delay,
if an SS1 fault is detected. If the SS1 Fault Type is reported as 1 (no fault), the
SS1 fault was generated by the connected safety controller and reported to the
drive over the safety connection.

Table 73 - Safe Stop 1 Fault Type: MSG

Parameter     Value  Description
Service Code  0x0E   Get attribute single
Class         0x5A   Safety stop functions
Instance      1      Drive-module safety instance
Attribute     0x11c  SS1 fault type
Data Type     SINT   Short integer

Table 74 - SS1 Fault Types


SS1 Fault Type Value  SS1 Fault Type Name  Description
1                     No Fault             No Fault is present
2                     Config               The drive-based SS1 function has been requested when it has been configured as ‘not used’.
3                     Decel Rate           Applies only when SS1 is configured for Monitored SS1 mode. The SS1 function has detected that the feedback speed is not decelerating as fast as expected.
4                     Maximum Time         Applies only when SS1 is configured for Monitored SS1 mode. The SS1 function has detected that the device has not reached standstill speed within the maximum stopping time.
101                   Feedback Invalid     The Monitored SS1 function was requested when the associated safety feedback is not valid.


Safe Brake Control Fault

The Safe Brake Control (SBC) function detected a fault. The safe stop
function records the specific fault type in the SBC Fault Type attribute. The
SBC fault type is also recorded in P11 [SBC Fault Type]. Table 75 describes
the parameters for an MSG instruction. Table 76 describes the fault types.

Table 75 - SBC Fault Type: MSG


Parameter Value Description
Service Code 0x0E Get attribute single
Class 0x5A Safety stop functions
Instance 1 Drive-module safety instance
Attribute 0x16C SBC fault type
Data Type SINT Short integer

Table 76 - SBC Fault Types


STO Fault Type Value  STO Fault Type Name  Description
1                     No Fault             No Fault is present.
2                     Config               The drive-based SBC function has been requested when it has been configured as ‘not used’.
3                     Over Current         The current on an output controlling the safety brake has exceeded the maximum.
4                     Stuck Low            An output controlling the safety brake is stuck low.
5                     Stuck High           An output controlling the safety brake is stuck high.
6                     Cross Conn           The outputs controlling the safety brake are cross connected.
7                     Relay Fail           A relay of the outputs controlling the safety brake has failed.

SS2, SOS, SLS, SLP, and SDI Faults

The Integrated Safety Functions option module does not support drive-based
SS2, SOS, SLS, SLP, and SDI safe stop/safety limit functions. If the drive
reports one of these faults, then the fault was detected by the safety controller
and reported to the drive over the safety output connection, or the request tag
was set through the safety output assembly. Additional information for these
faults must be obtained from the safety controller that is associated with the
drive. In addition, the safety controller is responsible for issuing a torque
disable request.


Safety Feedback Faults

When configured for safety feedback, the device performs periodic diagnostics
to make sure that the feedback device is operating correctly. Explicit messaging
can be used to read the fault type information from the drive. For example, if an
error is detected, the Safe Feedback object (class code 0x58) updates the Safe
Feedback Fault Type attribute (attribute ID 0x09) with the reason for the fault.

Table 77 - Safety Feedback Faults

Safe Feedback Fault Type Value  Safe Feedback Fault Type Name  Description
1                               No Fault                       No Fault is present.
2                               Config                         The encoder's configuration is invalid.
3                               Max Speed                      The encoder speed has exceeded the configured maximum speed.
4                               Max Accel                      The encoder acceleration has exceeded the configured maximum acceleration.
5                               Sin²+Cos²                      The encoder has failed the vector length or aspect ratio checks.
6                               Quadrature                     The encoder has exceeded the maximum number of quadrature signal errors.
7                               Discrepancy                    The associated dual channel feedback instance has reported a discrepancy.
8                               Partner                        The associated dual channel feedback instance has detected a fault in the other encoder.
9                               Voltage                        The associated dual channel feedback instance has detected a fault in the other encoder.
10                              SignalNoise                    The encoder signals have noise that is preventing operation.
11                              Signal Lost                    The encoder signals are not present.
12                              Data Lost                      Stopped receiving data from a Digital Encoder.
13                              Device Fail                    The encoder device has failed.
107                             Max Freq                       The frequency of the encoder has exceeded the maximum level for this product.
108                             SinCosOffset                   The offset of the Sine/Cosine signal from ground is outside the required level.
109                             Pos Rollover                   The encoder position count has exceeded the maximum value that can be represented in this product.
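
The MSG tables in this section define each diagnostic read as a service code, class, instance, and attribute. The following added Python example (not code from this manual) encodes those values as CIP Message Router requests and decodes the one-byte replies into the fault-type names listed above. The function names and the Safe Feedback instance number are assumptions, the reply bytes are constructed, and the EtherNet/IP transport is not shown.

```python
import struct

GET_ATTRIBUTE_SINGLE = 0x0E  # service code used in every MSG table on this page

# (class, instance, attribute) per readable item, from the MSG tables above.
# Instance 1 for the Safe Feedback object (class 0x58) is an assumption.
TARGETS = {
    "supervisor_state":    (0x39, 1, 0x0B),
    "sto_fault_type":      (0x5A, 1, 0x108),
    "ss1_fault_type":      (0x5A, 1, 0x11C),
    "sbc_fault_type":      (0x5A, 1, 0x16C),
    "feedback_fault_type": (0x58, 1, 0x09),
}

# Value-to-name maps copied from Tables 64, 72, 74, 76 and 77.
NAMES = {
    "supervisor_state": {2: "Configured (no safety connection)", 4: "Running",
                         7: "Configuring", 8: "Not Configured",
                         51: "Not Configured (torque permitted)",
                         52: "Running (torque permitted)"},
    "sto_fault_type": {3: "Circuit Err", 4: "Stuck Low", 5: "Stuck High"},
    "ss1_fault_type": {1: "No Fault", 2: "Config", 3: "Decel Rate",
                       4: "Maximum Time", 101: "Feedback Invalid"},
    "sbc_fault_type": {1: "No Fault", 2: "Config", 3: "Over Current",
                       4: "Stuck Low", 5: "Stuck High", 6: "Cross Conn",
                       7: "Relay Fail"},
    "feedback_fault_type": {1: "No Fault", 2: "Config", 3: "Max Speed",
                            4: "Max Accel", 5: "Sin²+Cos²", 6: "Quadrature",
                            7: "Discrepancy", 8: "Partner", 9: "Voltage",
                            10: "SignalNoise", 11: "Signal Lost",
                            12: "Data Lost", 13: "Device Fail",
                            107: "Max Freq", 108: "SinCosOffset",
                            109: "Pos Rollover"},
}


def _logical_segment(type_8bit, value):
    """Encode one logical segment of a padded CIP EPATH."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("value does not fit a 16-bit logical segment")
    if value <= 0xFF:
        return bytes([type_8bit, value])
    # 16-bit form: format bit set, one pad byte, value little-endian.
    return bytes([type_8bit | 0x01, 0x00]) + struct.pack("<H", value)


def build_request(target):
    """Return the Message Router request bytes for one Get Attribute Single."""
    cls, inst, attr = TARGETS[target]
    path = (_logical_segment(0x20, cls)      # class ID segment
            + _logical_segment(0x24, inst)   # instance ID segment
            + _logical_segment(0x30, attr))  # attribute ID segment
    # Header: service code, then path length counted in 16-bit words.
    return bytes([GET_ATTRIBUTE_SINGLE, len(path) // 2]) + path


def parse_reply(target, reply):
    """Validate a Message Router reply and decode its SINT payload."""
    if len(reply) < 4:
        raise ValueError("reply shorter than the 4-byte header")
    service, _reserved, status, ext_words = reply[:4]
    if service != (GET_ATTRIBUTE_SINGLE | 0x80):
        raise ValueError("not a reply to Get Attribute Single")
    if status != 0:
        raise RuntimeError(f"CIP general status 0x{status:02X}")
    data = reply[4 + 2 * ext_words:]
    if len(data) != 1:
        raise ValueError("expected exactly one SINT byte")
    (value,) = struct.unpack("<b", data)
    return value, NAMES[target].get(value, "undocumented value")


def ss1_fault_origin(ss1_fault_bit, ss1_fault_type):
    """SS1 rule from this section: fault bit set with fault type 1 means the
    fault was generated by the connected safety controller."""
    if not ss1_fault_bit:
        return "no SS1 fault"
    return "safety controller" if ss1_fault_type == 1 else "drive"


if __name__ == "__main__":
    for name in TARGETS:
        print(f"{name:20s} {build_request(name).hex(' ')}")
    # Constructed reply: success status, SINT payload 3.
    print(parse_reply("ss1_fault_type", bytes([0x8E, 0x00, 0x00, 0x00, 0x03])))
```

Attribute IDs above 0xFF, such as 0x108, need the 16-bit segment form, which is why the STO, SS1, and SBC requests are two bytes longer than the Safety Supervisor request.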


Safety Fault Reset

If the drive motion safety instance detects a fault, the input assembly tag
module:SI.SafetyFault is set to 1. The associated axis.SafetyFault tag is also set
to 1.

A Safety Fault can result from the SS1 stopping function, STO function, safety
feedback, SBC function, or other safety diagnostics.

To clear (reset) the Safety Fault, the fault conditions must be removed first and
then a transition from logic 0 to 1 of the module:SO.ResetRequest tag is
required. It is only the 0 to 1 transition that clears the fault.

To clear an axis fault that is associated with a Safety Fault, first clear the Safety
Fault from the safety task of your application, then clear the axis fault using the
MAFR command from the motion application. If the drive is not in integrated
motion, then first clear the safety fault in the safety task and then clear the
drive fault by writing to the O.LogicCommand_ClearFaults bit.

See Figure 97 on page 205 for more information about the Integrated Safety
Functions option module state restart functionality.


Figure 97 - Reset Safe Stop Fault Diagram

[Timing diagram. Signals shown: SO.SafeTorqueOff (bit 0), SO.Reset (bit 7), SI.TorqueDisabled (bit 0), SI.SafetyFault (bit 6), SI.ResetRequired (bit 7), P4 [Host Config] Safety Status bits 0 to 4 (Safety Fault, Safety Reset, Restart Req, STO Active, Trq Disabled), P5 [Host Config] Safety Status bit 3 (STO Fault), Drive Start Inhibits bit 7 (Safety), and Drive Fault Status B bit 9 (SafetyBrdFlt).]

Events marked on the time axis:
A. Set SO.SafeTorqueOff = 1
B. Fault Detected
C. Set SO.SafeTorqueOff = 0
D. Set SO.Reset = 1
E. Set SO.SafeTorqueOff = 1
F. PF 755 Clear Fault (I/O Mode) or MAFR (CIP Motion™)

Monitor Status with a HIM or Software

This section describes safety-related status information available for viewing
with a HIM, Drive Module Properties in the Logix Designer application, or
Connected Components Workbench™ software.

Fault Messages on HIM, Drive Module, and Connected Components Workbench Software

The only message that is displayed for any fault originating from the module is
‘SAFETY BRD FAULT’ with a fault code of F211 for PowerFlex 755 drives
and a code of F87 for PowerFlex 755T drives. This fault is displayed by the
HIM, drive module, and Connected Components Workbench software. To
determine the cause of the fault, examine the bits set in P4 [Safety Status] in
Connected Components Workbench, or examine the
SO.PassThruStopFaults and SO.PassThruLimitFaults in the Logix Designer
application. After determining the fault type, see the Understand Safety Faults
section for more information on the fault.

Safety board faults are also stored in the drive fault queue:

Figure 98 - Drive Fault Queue

Further information on the cause of the fault is also recorded in the Integrated
Safety Functions module events queue:

Figure 99 - Mobile Events Queue

ATTENTION: The status data that is described in this section is STANDARD
data (not SAFETY data) and cannot be used as part of a safety function.

For diagnostic purposes, you can also view status attributes by accessing the
following Host Config parameters. These parameters are different than the
‘Device Config’ parameters from a HIM, Connected Components
Workbench software, or the Logix Designer application:
• P3 [Safety State]
• P4 [Safety Status]
• P5 [Safety Faults]
• P6 [Safe Status Mfg]
• P7 [Safe Faults Mfg]


See Table 78 through Table 84 for a description of these parameters.


Table 78 - P3 [Safety State]
Value Display Text Description
1 Testing Device is performing test diagnostics
2 Idle No active connections
3 Test Flt A fault has occurred while executing test diagnostics
4 Executing Normal running state
5 Abort A major recoverable fault has occurred
6 Critical Flt A critical fault has occurred
7 Configuring Transition state
8 Waiting Out-of-box state
51 Wait w Trq Out-of-box state
52 Exec w Trq STO bypass state

Table 79 - P4 [Safety Status]


Bit  Display Text  Description
0    Safety Fault  Indicates the existence of a safety fault.
                   0 = no fault
                   1 = faulted
1    Safety Reset  A transition from 0 to 1 resets the safety function.
2    Restart Req   Indicates whether a manual restart is required following a stop function.
                   0 = restart not required
                   1 = restart required
3    STO Active    Indicates whether STO control is active.
                   0 = Not Active (Permit Torque)
                   1 = Active (Disable Torque)
4    Trq Disable   Displays the status of STO control.
                   0 = Torque Permitted
                   1 = Torque Disabled
5    SBC Active    Indicates whether the Safe Brake Control function is active.
                   0 = Not Active
                   1 = Active
6    Brak Engage   Indicates whether the Safe Brake Control function has engaged the brake.
                   0 = Brake Released
                   1 = Brake Engaged
7    SS1 Active    Indicates whether the Safe Stop 1 function is active.
                   0 = Not Active
                   1 = Active
8    SS2 Active    Indicates whether the Safe Stop 2 function is active.
                   0 = Not Active
                   1 = Active
9    SOS Active    Indicates whether the Safe Operating Stop function is active.
                   0 = Not Active
                   1 = Active
10   SOS StndStll  Indicates whether the Safe Operating Stop function is comparing the actual feedback value to the set point.
                   0 = Not comparing
                   1 = Comparing
11   SMT Active    Indicates whether the Safe Motor Temperature function is active.
                   Reserved for future use. Always 0.
12   SMT OvrTemp   Indicates whether the Safe Motor Temperature function has detected a temperature above the limit.
                   Reserved for future use. Always 0.
16   SSM Active    Indicates if the Safe Speed Monitoring function is active.
                   0 = Not Active
                   1 = Active
17   SSM Limit     Indicates the status of the Safe Speed Monitoring function.
                   0 = Speed is below limit
                   1 = Speed is above limit
18   SLS Active    Indicates if the Safely Limited Speed function is active.
                   0 = Not Active
                   1 = Active
19   SLS Limit     Indicates if the speed exceeds the SLS limit.
                   0 = Speed within limit
                   1 = Speed exceeds limit
20   SLA Active    Indicates if the Safely Limited Acceleration function is active.
                   Reserved for future use. Always 0.
21   SLA Limit     Indicates if the acceleration exceeds the SLA limit.
                   Reserved for future use. Always 0.
22   SDI Active    Indicates if the Safe Direction function is active.
                   0 = Not Active
                   1 = Active
23   SDI Limit     Indicates if the Safe Direction function has detected movement in the prohibited direction.
                   0 = Direction OK
                   1 = Prohibited Direction
24   Pos Motion    The feedback device indicates a positive position value.
25   Neg Motion    The feedback device indicates a negative position value.
26   SCA Active    Same as event description.
27   SCA Status    Same as event description.
28   SLP Active    Same as event description.
29   SLP Status    Same as event description.
30   Conn Closed   No active connection of an output assembly from the safety controller exists.
31   Conn Idle     An active output assembly connection exists but the safety controller is in Program mode.


Table 80 - P5 [Safety Faults]


Bit  Display Text  Description
1    Core Fault    The module has detected an unrecoverable fault.
2    Fdbk Fault    A fault is present in a safety feedback device.
3    STO Fault     This bit indicates the fault status of the STO function.
                   0 = no fault
                   1 = faulted
                   The cause of the fault is recorded in device P7 [STO Fault Type].
4    SS1 Fault     This bit indicates the fault status of the SS1 function.
                   0 = No fault
                   1 = Faulted
                   The cause of the fault is recorded in device P1 [SS1 Fault Type].
5    SS2 Fault     This bit indicates the fault status of the SS2 function.
                   0 = No fault
                   1 = Faulted
6    SOS Fault     This bit indicates the fault status of the SOS function.
                   0 = No fault
                   1 = Faulted
7    SBC Fault     This bit indicates the fault status of the SBC function.
                   0 = No fault
                   1 = Faulted
8    SMT Fault     This bit indicates the fault status of the SMT function.
                   Reserved for future use. Always 0.
16   SSM Fault     This bit indicates the fault status of the SSM function.
                   0 = No fault
                   1 = Faulted
17   SLS Fault     This bit indicates the fault status of the SLS function.
                   0 = No fault
                   1 = Faulted
18   SLA Fault     This bit indicates the fault status of the SLA function.
                   Reserved for future use. Always 0.
19   SDI Fault     This bit indicates the fault status of the SDI function.
                   0 = No fault
                   1 = Faulted
20   SCA Fault     This bit indicates the fault status of the SCA function.
                   0 = No fault
                   1 = Faulted
21   SLP Fault     This bit indicates the fault status of the SLP function.
                   0 = No fault
                   1 = Faulted
30   VAL Fault     The Safety Validator Object has detected a fault.
31   UNID Fault    The Safety Validator Object has detected a fault relating to the Unique Identifier number.

Table 81 - P6 [Safe Status MFG]


Bit  Display Text  Description
0    Brak Intgrty  Indicates the brake controlled by the Safe Brake Control function has integrity.
1    Fdbk Homed    Indicates the Safety Feedback homing has been completed and the Safety Feedback position is tracking from a known reference position.

Table 82 - P7 [Safe Faults Mfg]


Bit Display Text Description
1 SFX Fault The Safety Feedback Interface Add On Instruction has experienced a fault.


Table 83 - P8 [Safety Data A]


Data Type Display Text Description
DWORD Safety Data A User-defined data sent from Safety Controller.

Table 84 - P9 [Safety Data B]


Data Type Display Text Description
DWORD Safety Data B User-defined data sent from Safety Controller.
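
Decoding the P4 [Safety Status] and P5 [Safety Faults] words and mapping each set fault bit to the follow-up this chapter describes, as an added Python example that is not part of the manual. The function names and the sample parameter values are assumptions, and the values decoded here are STANDARD diagnostic data, as the ATTENTION note above states.

```python
# Bit names copied from Table 79 (P4) and Table 80 (P5) on this page.
P4_BITS = {
    0: "Safety Fault", 1: "Safety Reset", 2: "Restart Req", 3: "STO Active",
    4: "Trq Disable", 5: "SBC Active", 6: "Brak Engage", 7: "SS1 Active",
    8: "SS2 Active", 9: "SOS Active", 10: "SOS StndStll", 11: "SMT Active",
    12: "SMT OvrTemp", 16: "SSM Active", 17: "SSM Limit", 18: "SLS Active",
    19: "SLS Limit", 20: "SLA Active", 21: "SLA Limit", 22: "SDI Active",
    23: "SDI Limit", 24: "Pos Motion", 25: "Neg Motion", 26: "SCA Active",
    27: "SCA Status", 28: "SLP Active", 29: "SLP Status", 30: "Conn Closed",
    31: "Conn Idle",
}
P4_RESERVED = {11, 12, 20, 21}  # "Reserved for future use. Always 0."
P5_BITS = {
    1: "Core Fault", 2: "Fdbk Fault", 3: "STO Fault", 4: "SS1 Fault",
    5: "SS2 Fault", 6: "SOS Fault", 7: "SBC Fault", 8: "SMT Fault",
    16: "SSM Fault", 17: "SLS Fault", 18: "SLA Fault", 19: "SDI Fault",
    20: "SCA Fault", 21: "SLP Fault", 30: "VAL Fault", 31: "UNID Fault",
}
P5_RESERVED = {8, 18}
P3_STATES = {1: "Testing", 2: "Idle", 3: "Test Flt", 4: "Executing",
             5: "Abort", 6: "Critical Flt", 7: "Configuring", 8: "Waiting",
             51: "Wait w Trq", 52: "Exec w Trq"}

# Follow-up per P5 bit, taken from the Understand Safety Faults section.
FAULT_TYPE_ATTR = {
    2: "Safe Feedback Fault Type (class 0x58, attribute 0x09)",
    3: "STO Fault Type (class 0x5A, attribute 0x108)",
    4: "SS1 Fault Type (class 0x5A, attribute 0x11C)",
    7: "SBC Fault Type (class 0x5A, attribute 0x16C)",
}
CONTROLLER_REPORTED = {5, 6, 17, 19, 21}  # SS2, SOS, SLS, SDI, SLP


def decode(word, names, reserved):
    """Split a 32-bit parameter value into (set bit names, anomalies)."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("parameter value must fit in 32 bits")
    active, anomalies = [], []
    for bit in range(32):
        if not (word >> bit) & 1:
            continue
        if bit not in names:
            anomalies.append(f"bit {bit} is not defined in the table")
        elif bit in reserved:
            anomalies.append(f"bit {bit} ({names[bit]}) is reserved and should be 0")
        else:
            active.append(names[bit])
    return active, anomalies


def triage(p3, p4, p5):
    """Return the follow-up steps this chapter gives for the set bits."""
    status, bad4 = decode(p4, P4_BITS, P4_RESERVED)
    _, bad5 = decode(p5, P5_BITS, P5_RESERVED)
    steps = [f"P3 [Safety State] = {p3}: {P3_STATES.get(p3, 'undocumented value')}"]
    steps += [f"P4: {msg}" for msg in bad4] + [f"P5: {msg}" for msg in bad5]
    for bit, name in sorted(P5_BITS.items()):
        if bit in P5_RESERVED or not (p5 >> bit) & 1:
            continue
        if bit == 1:
            steps.append(f"{name}: module reboots itself; if the fault persists "
                         "through power cycles, return drive and module for repair")
        elif bit in FAULT_TYPE_ATTR:
            steps.append(f"{name}: read {FAULT_TYPE_ATTR[bit]}")
        elif bit in CONTROLLER_REPORTED:
            steps.append(f"{name}: not drive-based, get details from the safety controller")
        else:
            steps.append(f"{name}: no fault-type attribute listed in this chapter")
    if "Safety Fault" in status:
        steps.append("Safety Fault: remove the fault condition, then drive "
                     "module:SO.ResetRequest from 0 to 1")
    return steps


if __name__ == "__main__":
    # Constructed sample values: state Abort, STO and SLS faults latched.
    for line in triage(5, 0x0000001D, 0x00020008):
        print(line)
```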

Monitor Status Using Integrated Motion

This section describes safety-related status information available in the
Integrated Motion Axis tags in the motion controller. These tags can be
monitored by user programs in the motion controller and they can be
examined when the Logix Designer application is online with the motion
controller.

Table 85 - Motion Connection Axis Tags


Axis Tag Name (motion controller)  MDAO Attribute or [bit]  Data Type  Description
Axis.CIPStartInhibits              676                      DINT       A bit map that specifies the current state of all standard conditions that inhibit starting of the axis.
Axis.SafeTorqueOffActiveInhibit    [5]                      BOOL       Indicates if the Safe Torque Off function is inhibiting the axis from starting.
                                                                       0 = STO is not inhibiting axis
                                                                       1 = STO is inhibiting axis
Axis.AxisSafetyState               760                      DINT       Drive module Safety Supervisor state. See Safety Supervisor State on page 199 for more details.
Axis.AxisSafetyStatus              761                      DINT       Collection of bits indicating the status of the standard safety functions for the axis as reported by Drive Safety Instance.
Axis.SafetyFaultStatus             [0]                      BOOL       Indicates that a fault was detected by a drive-based safety function.
                                                                       0 = No Fault
                                                                       1 = Faulted
Axis.SafetyResetRequestStatus      [1]                      BOOL       Indicates the state of the module:SO.ResetRequest controller output tag. A transition from 0 to 1 resets drive-based safety functions.
Axis.SafetyResetRequiredStatus     [2]                      BOOL       Indicates that the drive-module safety instance that is associated with this Axis requires a reset of the safety function.
                                                                       0 = Normal
                                                                       1 = Reset Required
Axis.SafeTorqueOffActiveStatus     [3]                      BOOL       Set if the drive-based STO function is active (to disable torque).
Axis.SafeTorqueDisabledStatus      [4]                      BOOL       Set if the drive-based STO function has disabled torque.
Axis.SBCActiveStatus               [5]                      BOOL       Set if the drive-based SBC instruction is active (to engage brake) or if the controller-output tag module:SO.SBCBrakeEngaged is set.
Axis.SBCEngagedStatus              [6]                      BOOL       Set if the drive-based SBC instruction has engaged the brake OR if the controller-output tag module:SO.SBCBrakeEngaged is set.
Axis.SS1ActiveStatus               [7]                      BOOL       Set if the drive-based SS1 instruction is active OR if the module:SO.SS1Active controller tag is set.
Axis.SS2ActiveStatus               [8]                      BOOL       Indicates the status of the module:SO.SS2Status controller output tag. See the controller-based SS2 instruction.
Axis.SOSActiveStatus               [9]                      BOOL       Indicates the status of the module:SO.SS2Status controller output tag. See the controller-based SS2 instruction.
Axis.SOSStandstillStatus           [10]                     BOOL       Indicates the status of the module:SO.SOSStandstill controller output tag. See the controller-based SOS instruction.
Axis.SMTActiveStatus               [11]                     BOOL       Reserved for future use. Always 0.
Axis.SMTOvertemperatureStatus      [12]                     BOOL       Reserved for future use. Always 0.
Axis.SSMActiveStatus               [16]                     BOOL       Indicates the state of the module:SO.SSMActive controller output tag.
Axis.SSMStatus                     [17]                     BOOL       Indicates the state of the module:SO.SSMStatus controller output tag.
Axis.SLSActiveStatus               [18]                     BOOL       Indicates the state of the module:SO.SLSActive controller output tag.
Axis.SLSLimitStatus                [19]                     BOOL       Indicates the state of the module:SO.SLSLimit controller output tag.
Axis.SLAActiveStatus               [20]                     BOOL       Indicates the state of the module:SO.SLAActive controller output tag.
                                                                       Reserved for future use. Always 0.
Axis.SLALimitStatus                [21]                     BOOL       Indicates the state of the module:SO.SLALimit controller output tag.
                                                                       Reserved for future use. Always 0.
Axis.SDIActiveStatus               [22]                     BOOL       Indicates the state of the module:SO.SDIActive controller output tag. See the controller-based SDI instruction.
Axis.SDILimitStatus                [23]                     BOOL       Indicates the state of the module:SO.SDILimit controller output tag. See the controller-based SDI instruction.
Axis.SafePositiveMotionStatus      [24]                     BOOL       Set if the primary feedback velocity is greater than Standstill Speed.
Axis.SafeNegativeMotionStatus      [25]                     BOOL       Set if the primary feedback velocity is less than Standstill Speed.
Axis.SCAActiveStatus               [26]                     BOOL       Indicates the state of the module:SO.SCAActive controller output tag.
Axis.SCAStatus                     [27]                     BOOL       Indicates the state of the module:SO.SCAStatus controller output tag.
Axis.SLPActiveStatus               [28]                     BOOL       Indicates the state of the module:SO.SLPActive controller output tag. See the
controller-based SLP instruction.
Axis.SLPLimitStatus [29] BOOL Indicates the state of the module:SO.SLPStatus controller output tag. See the
controller-based SLP instruction.
Axis.SafetyOutputConnectionClosedStatus [30] BOOL No active connection of an output assembly from the safety controller exists.


Axis.SafetyOutputConnectionIdleStatus [31] BOOL An active output assembly connection exists but the safety controller is in
Program mode.
Axis.AxisSafetyStatusRA 762 DINT Collection of bits indicating the status of Rockwell Automation specific safety
functions for the axis as reported by Drive Safety Instance.
Axis.SafeBrakeIntegrityStatus [0] BOOL Indicates the state of the module:SO.SBCIntegrity controller output tag. See the
controller-based SBC instruction description.
Axis.SafeFeedbackHomedStatus [1] BOOL Indicates the state of the module:SO.SFHomed controller output tag. See the
controller-based SFX instruction description.
Axis.AxisSafetyFaults 763 BOOL Collection of bits indicating the Safety Fault status of the drive-module safety
instances and integrated safety functions.
Axis.SafetyCoreFault [0] BOOL Internal SSM fault. Cycle drive power to reset. If the fault reoccurs, replace the
option module.
Axis.SafetyFeedbackFault [2] BOOL A feedback fault was detected.
Axis.SafeTorqueOffFault [3] BOOL This bit indicates the fault status of the STO function (0 = no fault, 1 = faulted).
The cause of the fault is recorded in P7 [Device Config STO Fault Type].
Axis.SS1Fault [4] BOOL The drive-based SS1 function has detected a fault OR the controller-output tag
module:SO.SS1Fault is set. Enters ‘Safe Stop 1 (SS1)’ in the Axis Properties
Faults and Alarms Log. Cleared by a Motion Axis Fault Reset (MAFR). For Drive-
based SS1 Fault, see P10 [SS1 Fault Type] for more information. For controller-
based SS1, see the SS1 instruction description.
Axis.SS2Fault [5] BOOL Set if the module:SO.SS2Fault controller output tag is set. Enters ‘Safe Stop 2
(SS2)’ in the Axis Properties Faults and Alarm Log. Cleared by a Motion Axis
Fault Reset (MAFR). See the controller-based SS1 instruction description.
Axis.SOSFault [6] BOOL Set if the module:SO.SOSFault controller output tag is set. Enters ‘Safe
Operating Stop (SOS)’ in the Axis Properties Faults and Alarms Log. Cleared by a
Motion Axis Fault Reset (MAFR). See the controller-based SOS instruction
description.
Axis.SBCFault [7] BOOL Set when the drive-based SBC function has detected a fault or the controller-
output tag module:SO.SBCFault is set. Enters ‘Safe Brake Control (SBC)’ in the
Axis Properties Faults and Alarms Log. Cleared by a Motion Axis Fault Reset
(MAFR). For a drive-based SBC Fault, see P11 [SBC Fault Type] for more
information. For a controller-based SBC Fault, see the SBC instruction
description.
Axis.SMTFault [8] BOOL Reserved for future use. Always 0.
Axis.SSMFault [16] BOOL Set if the module:SO.SSMFault controller output tag is set. Enters ‘Safe Speed
Monitor (SSM)’ in the Axis Properties Faults and Alarms Log. Cleared by a
Motion Axis Fault Reset (MAFR).
Axis.SLSFault [17] BOOL Set if the module:SO.SLSFault controller output tag is set. Enters ‘Safe Limited
Speed (SLS)’ in the Axis Properties Faults and Alarms Log. Cleared by a Motion
Axis Fault Reset (MAFR). See the controller-based SLS instruction description.
Axis.SLAFault [18] BOOL Reserved for future use. Always 0.
Axis.SDIFault [19] BOOL Set if the module:SO.SDIFault controller output tag is set. Enters ‘Safely Limited
Direction (SDI)’ in the Axis Properties Faults and Alarms Log. Cleared by a
Motion Axis Fault Reset (MAFR). See the controller-based SDI instruction
description.
Axis.SCAFault [20] BOOL Set if the module:SO.SCAFault controller output tag is set. Enters ‘Safe Cam
(SCA)’ in P45 [SDI Fault] in the Axis Properties Faults and Alarms Log. Cleared
by a Motion Axis Fault Reset (MAFR).
Axis.SLPFault [21] BOOL Set if the module:SO.SLPFault controller output tag is set. Enters ‘Safely
Limited Position (SLP)’ in P46 [SLP Fault] in the Axis Properties Faults and
Alarms Log. Cleared by a Motion Axis Fault Reset (MAFR). See the controller-
based SLP instruction description.


Axis.SafetyValidatorFault [30] BOOL The Safety Validator Object has detected a fault.
Axis.SafetyUNIDFault [31] BOOL The Safety Validator Object has detected a fault relating to the Unique
Identifier number.
Axis.AxisSafetyFaultsRA 764 DINT Collection of bits indicating the safety fault status of Rockwell Automation
safety functions.
Axis.SFXFault [1] BOOL Set if the module:SO.SFXFault controller output tag is set. Enters ‘SFX’ in the
Axis Properties Faults and Alarms Log. Cleared by a Motion Axis Fault Reset
(MAFR). See the controller-based SFX instruction description.
Axis.AxisSafetyAlarms 753 DINT Reserved for future use.


Out-of-Box State

This section describes the out-of-box state.

Recognize Out-of-Box State

You can determine if the drive is in the out-of-box state by using a diagnostic
parameter or by using the Logix Designer application.

IMPORTANT Only authorized personnel can reset ownership. The safety connection
must be inhibited before the reset. If any active connection is detected, the
safety reset is rejected.

The safety control state can be read from P3 [Host Config Safety State] via the
HIM or Connected Components Workbench software. You can also use an
MSG command in Logix Designer application to read the Safety Supervisor
Status.

If the state is ‘Waiting’ (8), then the safety control is in the out-of-box state.
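The following Python sketch is an added example, not code from the Rockwell manual. It decodes Axis.AxisSafetyStatus (761) and Axis.AxisSafetyFaults (763) using the bit positions in Table 85 and flags the out-of-box state described above. The sample dictionary layout, the finding codes, and the way values are polled from the controller are assumptions; "state" is assumed to hold the Safety Supervisor state value.

```python
# Added example: bit positions are copied from Table 85; sample values are constructed.
WAITING_OUT_OF_BOX = 8  # 'Waiting' (8) means the safety control is out-of-box

# Axis.AxisSafetyStatus (attribute 761): bit number -> axis tag name
STATUS_BITS = {
    0: "SafetyFaultStatus", 1: "SafetyResetRequestStatus",
    2: "SafetyResetRequiredStatus", 3: "SafeTorqueOffActiveStatus",
    4: "SafeTorqueDisabledStatus", 5: "SBCActiveStatus", 6: "SBCEngagedStatus",
    7: "SS1ActiveStatus", 8: "SS2ActiveStatus", 9: "SOSActiveStatus",
    10: "SOSStandstillStatus", 11: "SMTActiveStatus",
    12: "SMTOvertemperatureStatus", 16: "SSMActiveStatus", 17: "SSMStatus",
    18: "SLSActiveStatus", 19: "SLSLimitStatus", 20: "SLAActiveStatus",
    21: "SLALimitStatus", 22: "SDIActiveStatus", 23: "SDILimitStatus",
    24: "SafePositiveMotionStatus", 25: "SafeNegativeMotionStatus",
    26: "SCAActiveStatus", 27: "SCAStatus", 28: "SLPActiveStatus",
    29: "SLPLimitStatus", 30: "SafetyOutputConnectionClosedStatus",
    31: "SafetyOutputConnectionIdleStatus",
}
STATUS_ALWAYS_ZERO = frozenset({11, 12, 20, 21})  # "Reserved for future use. Always 0."

# Axis.AxisSafetyFaults (attribute 763): bit number -> axis tag name
FAULT_BITS = {
    0: "SafetyCoreFault", 2: "SafetyFeedbackFault", 3: "SafeTorqueOffFault",
    4: "SS1Fault", 5: "SS2Fault", 6: "SOSFault", 7: "SBCFault", 8: "SMTFault",
    16: "SSMFault", 17: "SLSFault", 18: "SLAFault", 19: "SDIFault",
    20: "SCAFault", 21: "SLPFault", 30: "SafetyValidatorFault",
    31: "SafetyUNIDFault",
}
FAULT_ALWAYS_ZERO = frozenset({8, 18})

# Hypothetical finding codes for status bits an operator should be told about.
ALERT_STATUS = {
    "SafetyResetRequiredStatus": "RESET_REQUIRED",
    "SafetyOutputConnectionClosedStatus": "NO_SAFETY_OUTPUT_CONNECTION",
    "SafetyOutputConnectionIdleStatus": "SAFETY_CONTROLLER_IN_PROGRAM_MODE",
}


def to_u32(dint):
    """A DINT is signed, so a word with bit 31 set arrives as a negative number."""
    if not -(1 << 31) <= dint < (1 << 32):
        raise ValueError(f"not a 32-bit value: {dint}")
    return dint & 0xFFFFFFFF


def decode(dint, names, always_zero=frozenset()):
    """Return (tag names of set bits, bit numbers set that are reserved or undocumented)."""
    word = to_u32(dint)
    named, unexpected = [], []
    for bit in range(32):
        if not (word >> bit) & 1:
            continue
        if bit in names and bit not in always_zero:
            named.append(names[bit])
        else:
            unexpected.append(bit)
    return named, unexpected


def review(sample):
    """Turn one polled sample (hypothetical dict layout) into a list of finding codes."""
    findings = []
    if sample["state"] == WAITING_OUT_OF_BOX:
        findings.append("OUT_OF_BOX")
    status, odd_status = decode(sample["status"], STATUS_BITS, STATUS_ALWAYS_ZERO)
    faults, odd_faults = decode(sample["faults"], FAULT_BITS, FAULT_ALWAYS_ZERO)
    findings += [code for tag, code in ALERT_STATUS.items() if tag in status]
    findings += [f"FAULT:{tag}" for tag in faults]
    findings += [f"UNEXPECTED_BIT:AxisSafetyStatus[{b}]" for b in odd_status]
    findings += [f"UNEXPECTED_BIT:AxisSafetyFaults[{b}]" for b in odd_faults]
    return findings


if __name__ == "__main__":
    # Constructed samples; state 4 stands for "any value other than 8".
    constructed = [
        {"state": 4, "status": 0x18, "faults": 0},             # STO active, torque disabled
        {"state": 8, "status": 1 << 30, "faults": 0},          # out-of-box, no connection
        {"state": 4, "status": -2147483644, "faults": -2147483640},  # bit 31 set (signed)
    ]
    for sample in constructed:
        print(sample["state"], review(sample))
```

An out-of-box finding on a drive that was previously owned means ownership was reset, which this section restricts to authorized personnel, so it is worth correlating with change records.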

Restore the Drive to Out-of-Box State

Use the Safety Reset [#14] Diagnostic Item (only online)

Before you can reset the drive to out-of-box state, the value of the Safety Reset
[#14] diagnostic item must be ‘Ready’ (1) or the reset is not allowed. Set the
Safety Reset [#14] diagnostic item to ‘Reset’ (2) by using a HIM or Connected
Components Workbench software.

Reset the Drive by Using the Logix Designer Application

After the integrated safety connection configuration is applied to the
PowerFlex® 755 drive at least once, you can follow these steps to restore your
PowerFlex 755 drive to the out-of-box state while online.

1. Right-click the PowerFlex 755 drive you created, and choose Properties.


2. Click the Connection tab.

3. Check Inhibit Module.


4. Click Apply.
5. Click the Safety tab.

6. Click Reset Ownership.


7. Click the Connection tab.
8. Clear the Inhibit Module checkbox.
9. Click Apply.
10. Click OK.



Appendix A

Safety Function Validation Checklist

Use this appendix to validate your drive safety instructions. Each instruction
has a checklist with test commands and results to verify for normal operation
and abnormal operation scenarios.

Topic
Safe Stop 1 (SS1)
Safe Stop 2 (SS2)
Safe Operating Speed (SOS)
Safely-limited Speed (SLS)
Safely-limited Position (SLP)
Safe Direction (SDI)
Safe Feedback Interface (SFX)
Safe Brake Control (SBC)


Safe Stop 1 (SS1)

Use this SS1 instruction checklist to verify normal operation and the abnormal
operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program. SFX instruction must be verified within your application.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 86 - SS1 Instruction Checklist


Test Type Test Description Test Status
Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS1_Name.SpeedLimit
• SS1_Name.DecelerationRamp
• SS1_Name.O1
Initiate SS1 demand.
Make sure that the instruction output SS1_Name.O1 turns off without generating a fault and that the drive initiates an STO
instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition.
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS1 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status
Abnormal Operation 1
Change the actual motion deceleration rate within the motion task that is associated with this SS1 function so that it is slower than
the calculated speed limit used by the SS1 instruction.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS1_Name.SpeedLimit
• SS1_Name.DecelerationRamp
• SS1_Name.O1
Initiate SS1 demand.
Make sure that the instruction generates a deceleration fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS1 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Abnormal Operation 2
Change the motion deceleration rate within the motion task that is associated with this SS1 function so that the stop delay time is
exceeded without triggering a deceleration fault.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS1_Name.SpeedLimit
• SS1_Name.DecelerationRamp
• SS1_Name.O1
Initiate SS1 demand.
Make sure that the instruction generates a maximum time fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS1 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status


Safe Stop 2 (SS2)

Use this SS2 instruction checklist to verify normal operation and the abnormal
operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program. SFX instruction must be verified within your application.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 87 - SS2 Instruction Checklist


Test Type Test Description Test Status
Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand.
Make sure that, while the SS2 instruction is monitoring, the motor decelerates below the SS2_Name.SS2StandstillSpeed setting
and then maintains a speed below the SS2_Name.SOSStandstillSpeed (or for position mode, maintains the
SS2_Name.StandstillSetpoint without exceeding the SS2_Name.StandstillDeadband setting).
While the system is in standstill state and with the sensor subsystems in a safe state, remove the SS2 demand.
• Verify proper machine status and safety application program status.
Resume normal machine operation.
• Verify proper machine status and safety application program status.
Abnormal Operation 1
Change the actual motion deceleration rate within the motion task that is associated with this SS2 function so that it is slower than
the calculated speed limit used by the SS2 instruction.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand.
Make sure that the instruction generates a deceleration fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes the motor for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS1 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Abnormal Operation 2
Change the motion deceleration rate within the motion task that is associated with this SS2 function so that the stop delay time is
exceeded without triggering a deceleration fault.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand.
Make sure that the instruction generates a maximum time fault and that the drive initiates an STO instruction.
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS2 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status
Abnormal Operation 3 (Speed mode)
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine at maximum (normal) operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand.
Make sure that while the SS2 instruction is monitoring, the motor decelerates below the SS2_Name.SS2StandstillSpeed setting and
then maintains a speed below the SS2_Name.SOSStandstillSpeed.
While the system is in the standstill state, initiate a motion command that violates the standstill speed.
• Verify that standstill speed fault is generated and STO is initiated
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS2 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Abnormal Operation 4 (Position mode)
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine at maximum (normal) operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SS2_Name.SpeedLimit
• SS2_Name.DecelerationRamp
• SS2_Name.ActualPosition
• SS2_Name.StandstillSetPoint
• SS2_Name.Output 1
Initiate SS2 demand.
Make sure that, while the SS2 instruction is monitoring, the motor maintains the SS2_Name.StandstillSetPoint without exceeding the
SS2_Name.StandstillDeadband setting.
While the system is in the standstill state, initiate a motion command that violates the standstill deadband.
• Verify that standstill position fault is generated and STO is initiated
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SS2 demand removed, initiate a Reset command of the STO and SS2 instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status


Safe Operating Speed (SOS)

Use this SOS instruction checklist to verify normal operation and the
abnormal operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program. SFX instruction must be verified within your application.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 88 - SOS Instruction Checklist


Test Type Test Description Test Status
Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SFX_Name.ActualPosition
• SOS_Name.StandstillSpeed
• SOS_Name.StandstillDeadband
• SOS_Name.Output 1
Initiate SOS demand.
Make sure that the SOS instruction maintains a speed below the SOS_Name.StandstillSpeed (or for position mode, maintains
position within the SOS_Name.StandstillDeadband setting).
While the system is in standstill state and with the sensor subsystems in a safe state, remove the SOS demand.
• Verify proper machine status and safety application program status
Resume normal machine operation.
• Verify proper machine status and safety application program status
Abnormal Operation 1 (Speed mode)
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate machine at the desired operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SFX_Name.ActualPosition
• SOS_Name.StandstillSpeed
• SOS_Name.StandstillDeadband
• SOS_Name.Output 1
Initiate SOS demand.
Make sure that the SOS instruction maintains a speed below the SOS_Name.StandstillSpeed.
While the system is in the standstill state, initiate a motion command that violates the SOS_Name.StandstillSpeed.
• Verify that the standstill speed fault is generated and that the STO is initiated
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SOS demand removed, initiate a Reset command of the STO and SOS instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status

Abnormal Operation 2 (Position mode)
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine at maximum (normal) operating system speed.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SFX_Name.ActualPosition
• SOS_Name.StandstillSpeed
• SOS_Name.StandstillDeadband
• SOS_Name.Output 1
Initiate SOS demand.
Make sure that the SOS instruction maintains position within the SOS_Name.StandstillDeadband setting.
While the system is in the standstill state, initiate a motion command that violates the SOS_Name.StandstillDeadband.
• Verify that standstill position fault is generated and STO is initiated
• Verify that the STO instruction de-energizes for a normal safe condition
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify that the STO instruction remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped with the SOS demand removed, initiate a Reset command of the STO and SOS instructions.
• Verify that the STO instruction remains de-energized
• Verify proper machine status and safety application program status


Safely-limited Speed (SLS)

Use this SLS instruction checklist to verify normal operation and the abnormal
operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program. SFX instruction must be verified within your application.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 89 - SLS Instruction Checklist


Test Type Test Description Test Status
Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired speed range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SLS_Name.SLSLimit
• SLS_Name.ActiveLimit
• SLS_Name.Output 1
Initiate SLS demand.
Verify that the drive achieves the speed below the SLS_Name.ActiveLimit without asserting the SLS_Name.SLSLimit output.
While the system is in SLS monitoring state and with the sensor subsystems in a safe state, remove the SLS demand.
• Verify proper machine status and safety application program status
Resume normal machine operation.
• Verify proper machine status and safety application program status
Abnormal Operation 1
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal speed range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualSpeed
• SLS_Name.SLSLimit
• SLS_Name.ActiveLimit
• SLS_Name.Output 1
Initiate SLS demand.
Verify that the drive achieves the speed below the SLS_Name.ActiveLimit without asserting the SLS_Name.SLSLimit output.
While the system is in the SLS monitoring state, initiate a motion command that violates the SLS_Name.ActiveLimit.
• Verify that the SLS_Name.SLSLimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status


Safely-limited Position (SLP)

Use this SLP instruction checklist to verify normal operation and the abnormal
operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program. SFX instruction must be verified within your application.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 90 - SLP Instruction Checklist


Test Type Test Description Test Status
Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired position range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SLP_Name.SLPLimit
• SLP_Name.PositiveTravelLimit
• SLP_Name.NegativeTravelLimit
• SLP_Name.Output 1
Initiate SLP demand.
Verify that the drive achieves and maintains a position between the SLP_Name.PositiveTravelLimit and the
SLP_Name.NegativeTravelLimit without asserting the SLP_Name.SLPLimit output.
While the system is in SLP monitoring state and with the sensor subsystems in a safe state, remove the SLP demand.
• Verify proper machine status and safety application program status
Resume normal machine operation.
• Verify proper machine status and safety application program status
Abnormal Operation 1
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired position range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SLP_Name.SLPLimit
• SLP_Name.PositiveTravelLimit
• SLP_Name.NegativeTravelLimit
• SLP_Name.Output 1
Initiate SLP demand.
Verify that the drive achieves and maintains a position between the SLP_Name.PositiveTravelLimit and the
SLP_Name.NegativeTravelLimit without asserting the SLP_Name.SLPLimit output.
While the system is in the SLP monitoring state, initiate a motion command that violates the SLP_Name.PositiveTravelLimit.
• Verify that SLP_Name.SLPLimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Abnormal Operation 2
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired position range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SLP_Name.SLPLimit
• SLP_Name.PositiveTravelLimit
• SLP_Name.NegativeTravelLimit
• SLP_Name.Output 1
Initiate SLP demand.
Verify that the drive achieves and maintains a position between the SLP_Name.PositiveTravelLimit and the
SLP_Name.NegativeTravelLimit without asserting the SLP_Name.SLPLimit output.
While the system is in the SLP monitoring state, initiate a motion command that violates the SLP_Name.NegativeTravelLimit.
• Verify that SLP_Name.SLPLimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status


Safe Direction (SDI)

Use this SDI instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program. SFX instruction must be verified within your application.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 91 - SDI Instruction Checklist


Test Type Test Description Test Status
Normal Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired operating range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SDI_Name.SDILimit
• SDI_Name.PositionWindow
• SDI_Name.Output 1
Initiate SDI demand.
Verify that motion is in the intended direction and the SDI_Name.SDILimit output is not asserted.
While the system is in SDI monitoring state and with the sensor subsystems in a safe state, remove the SDI demand.
• Verify proper machine status and safety application program status
Resume normal machine operation.
• Verify proper machine status and safety application program status
Abnormal Operation 1
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the desired operating range.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SFX_Name.ActualPosition
• SDI_Name.SDILimit
• SDI_Name.PositionWindow
• SDI_Name.Output 1
Initiate SDI demand.
Verify that motion is in the intended direction and the SDI_Name.SDILimit output is not asserted.
While the system is in the SDI monitoring state, initiate a motion command that violates the SDI_Name.PositionWindow in the
unintended direction.
• Verify that SDI_Name.SDILimit output is asserted and the programmed stop action is initiated
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status


Safe Feedback Interface (SFX)

Use this SFX instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program. SFX instruction must be verified within your application.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 92 - SFX Instruction Checklist


Test Type Test Description Test Status
Normal Scaling Operation
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal operating range.
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• Axis_Name.ActualSpeed
• SFX_Name.ActualPosition
• SFX_Name.ActualSpeed
Verify that the standard and safety position and speed are correlated as expected.
Normal Homing Operation
Initiate a Start command.
Initiate a Homing procedure.
• Verify that the Home Position in the SFX instruction is set
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• SFX_Name.ActualPosition
Verify that the standard and safety position are correlated as expected.
Abnormal Operation 1
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal operating range.
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• Axis_Name.ActualSpeed
• SFX_Name.ActualPosition
• SFX_Name.ActualSpeed
Verify that the standard and safety position and speed are correlated as expected.
Disconnect the feedback between the motor/encoder and drive.
Verify the generation of a Fault Type: 100 Feedback Invalid by checking Device_Name.SI.PrimaryFeedbackValid tag.
Verify that the system fault action takes place as configured.
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status

Abnormal Operation 2
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Operate the machine within the normal operating range.
Set up a trend with the expected time scale and the following tags to graphically compare the motion position and speed from the Main task to the scaled position and speed in the Safety task.
• Axis_Name.ActualPosition
• Axis_Name.ActualSpeed
• SFX_Name.ActualPosition
• SFX_Name.ActualSpeed
Verify that the standard and safety position and speed are correlated as expected.
Disconnect the Ethernet cable between the controller and the drive.
Verify the generation of a Fault Type: 101 Connection Fault by checking the Device_Name.SI.ConnectionFaulted tag.
Verify that the system fault action takes place as configured.
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status


Safe Brake Control (SBC)

Use this SBC instruction checklist to verify normal operation and the abnormal operation scenarios.

IMPORTANT Perform I/O verification and validation before validating your safety ladder
program.
When possible, use immediate operands for instructions to reduce the
possibility of systematic errors in your ladder program.
Instruction operands must be verified for your safety ladder program.

Table 93 - SBC Instruction Checklist


Test Type Test Description Test Status
Normal Operation
Verify that the brake feedback is properly wired to the input module as documented.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SBC_Name.BO1
• SBC_Name.BO2
• SBC_Name.TOR
• Device_Name.STOOutput
Initiate an SBC request and initiate the STO event.
• Verify expected coordination of the STO output initiation and the SBC_Name.BO1 and SBC_Name.BO2 outputs
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Start command.
• Verify that the system remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify that the system remains de-energized for a normal safe condition
• Verify proper machine status and safety application program status
Abnormal Operation
Verify that brake feedback is properly wired to the input module as documented.
Initiate a Start command.
• Verify that the machine is in a normal machine run condition
• Verify proper machine status and safety application program status
Initiate machine function to make sure that the brake is released.
Set up a trend with expected time scale and the following tags to graphically capture this information:
• SBC_Name.BO1
• SBC_Name.BO2
• SBC_Name.TOR
• Device_Name:STOOutput
Remove brake feedback wires from the input module.
• Verify that the appropriate diagnostic code is generated
• Verify that the brake output SBC_Name.BO1 and SBC_Name.BO2 bits clear
• Verify the external brake engagement
While the system is stopped with the sensor subsystems in a safe state, initiate a Start command.
• Verify proper machine status and safety application program status
While the system is stopped, initiate a Reset command.
• Verify proper machine status and safety application program status



Appendix B

Specifications, Certifications, and CE Conformity

This appendix provides general specifications for the Integrated Safety Functions option module.

Topic
Integrated Safety Functions Option Module Specifications
Environmental Specifications
Certifications

Integrated Safety Functions Option Module Specifications

These specifications apply to the Integrated Safety Functions option module. For additional specifications, see these publications:
• PowerFlex® 755 AC Drives Technical Data, publication 750-TD001
• PowerFlex 750-Series Products with TotalFORCE® Control Technical Data, publication 750-TD100

Table 94 - General Specifications

Attribute | Value
Standards (when used with PowerFlex 755 drives) | IEC 61800-5-2, EN 61800-5-1, EN 61800-3, EN ISO 13849-1, EN 62061, EN 60204-1, IEC 61508
Safety ratings (when used with PowerFlex 755 drives) | SIL 3 according to EN 62061 / IEC 61508; SIL CL 3 according to IEC 61800-5-2 / EN 62061 / IEC 61508; Cat. 4 and PL e according to EN ISO 13849-1
Standards (when used with PowerFlex 755T drive products) | EN 61800-5-2, EN 61800-5-1, EN 61800-3, EN ISO 13849-1, EN 62061, EN 60204-1, IEC 61508
Safety ratings (when used with PowerFlex 755T drive products) | SIL 3 according to EN 62061 / IEC 61508; SIL CL 3 according to EN 61800-5-2 / EN 62061 / IEC 61508; Cat. 4 and PL e according to EN ISO 13849-1
Power supply (user I/O) | 24V DC ±10%, 0.8…1.1 x rated voltage (2) PELV or SELV
Conductor type | Multi-conductor shielded cable
Conductor size (1) | 0.3…0.8 mm² (28…18 AWG)
Strip length | 10 mm (0.39 in.)
Recovery time (approximate time before drive can start after the torque enable request is made) | Network STO mode: 100 ms
(1) See the Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1.
(2) Safety outputs need additional fuse for reverse voltage protection of the control circuit. Install a 6 A slow-blow or 10 A fast-acting fuse.


Electrical Requirements
Table 95 - Safety Input Specifications
Attribute Value
Input type Current sinking
IEC 61131-2 (input type) Type 3
Voltage, on-state 11…30V DC
Voltage, off-state -3…5V DC
Current, on-state, minimum 2 mA
Current, off-state, maximum 1.5 mA
Input reaction time, maximum <10 ms + set values of ON/OFF delays

Table 96 - Safety Output Specifications


Attribute Value
Output type Current sourcing
Output current 1 A
Test pulse width 500 μs
Test pulse period 300 ms
Maximum field capacitance 950 nF
Residual voltage, maximum 0.3V
Leakage current, maximum 0.1 mA
Output reaction time, maximum <10 ms + set values of ON/OFF delays
Short circuit protection Yes

Table 97 - Test Output Specifications


Attribute Value
Output type Current sourcing
Output current 0.5 A
Test pulse width 500 μs
Test pulse period 300 ms
Maximum field capacitance 100 nF
Residual voltage, maximum 0.3V
Leakage current, maximum 0.1 mA
Short circuit protection Yes


Environmental Specifications

The installation must comply with all environmental, pollution degree, and drive enclosure rating specifications required for the operating environment.

Category | Specification
Ambient temperature
Storage temperature
Shock: Operating; Packaged for shipment
Vibration: Operating; Packaged for shipment; Sinusoidal loose load; Random secured
Surrounding environment
For detailed information on environmental, pollution degree, and drive enclosure rating specifications, see the technical data publication for your drive.
• PowerFlex 750-Series AC Drives Technical Data, publication 750-TD001
• PowerFlex 750-Series Products with TotalFORCE Control Technical Data, publication 750-TD100
• PowerFlex 755TM IP00 Open Type Kits Technical Data, publication 750-TD101

ATTENTION: Failure to maintain the specified ambient temperature can result in a failure of the safety function.

IMPORTANT Products with a safety function installed must be protected against conductive contamination by one of the following methods:
• Select a product with an enclosure type of at least IP54, NEMA/UL Type 12
• Provide an environmentally controlled location for the product that does not contain conductive contamination

Table 98 - Environmental Pollution Degree Description (EN 61800-5-1)

Surrounding Environment Pollution Degree | Conductive Contamination Allowed by Pollution Degree | Acceptable Enclosures
Pollution degree 1 and 2 | No possibility of conductive dust. | All enclosures are acceptable.
Pollution degree 3 and 4 | The possibility of conductive dust is allowed. | Enclosure that meets or exceeds IP54, NEMA/UL Type 12 is required.


Certifications

Certification (1) Value
c-UL-us (2) UL Listed, certified for US and Canada
CE European Union and 2014/30/EU EMC Directive, compliant with:
EN 61800-3; PowerFlex 750-Series AC Drive, Emissions, and Immunity
European Union 2006/42/EC Machinery Directive:
EN ISO 13849-1; Safety Function
EN ISO 13849-2; Safety Function
EN 60204-1; Safety Function
EN 62061; Safety Function
EN 61800-5-2; Safety Function
C-Tick Australian Radiocommunications Act, compliant with:
EN 61800-3; categories C2 and C3
TÜV Certified by TÜV Rheinland for Functional Safety:
Up to SIL 3, according to EN 61800-5-2 and IEC 61508, and SIL CL3 according to
EN IEC 62061;
Up to Performance Level PLe and Category 4, according to EN ISO 13849-1;
When used as described in this PowerFlex 755 Integrated Safety Functions User Manual,
publication 750-UM004.
(1) See the Product Certification link at rok.auto/certifications for Declarations of Conformity, Certificates, and other
certifications details.
(2) Underwriters Laboratories Inc. has not evaluated the Integrated Safety Functions, or Safe Speed Monitor option modules for
functional safety.

CE Conformity

CE Declarations of Conformity are available online at: rok.auto/certifications.

The PowerFlex 755/755T Integrated Safety Functions Option Module (catalog number 20-750-S4), when installed and maintained in accordance with the instructions in this document, is in conformity with the essential requirements of these directives:
• 2006/42/EC Machinery Directive
• 2014/30/EU EMC Directive

The following standards have been applied to demonstrate conformity.

Machinery Directive (2006/42/EC)

• EN ISO 13849-1 Safety of machinery - Safety related parts of control systems - Part 1: General principles for design
• EN 60204-1 Safety of machinery - Electrical equipment of machines - Part 1: General requirements
• EN 62061 Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
• EN 61800-5-2 Adjustable speed electrical power drive systems - Part 5-2: Safety requirement - Functional
• IEC 61508 Part 1…7 Functional safety of electrical/electronic/programmable electronic safety-related systems


EMC Directive (2014/30/EU)

• EN 61800-3 - Adjustable speed electric power drive systems - Part 3: EMC requirements and specific test methods

Waste Electrical and Electronic Equipment (WEEE)

At the end of its life, this equipment should be collected separately from any
unsorted municipal waste.



Appendix C

Safety I/O Assemblies and Safety Attributes

Controller axis tags are used by the motion controller motion task to read the
status of safety functions and coordinate motion. This appendix lists the
motion controller tags that are associated with the safety instances and with
safety functions operating in the safety task of the controller.

Topic
Safety Assembly Tags
Safety Feedback Attributes
Safe Stop Function Attributes

Safety attributes provide additional information not available through the tag
structure. Attributes are read using explicit messages.

IMPORTANT The controller axis tags and the safety attributes read by using explicit
messages must not be used in the operation of a safety function.


Safety Assembly Tags

Safety assembly tags are associated with a safety connection from a safety controller to a drive module. The data in these tags are communicated at the configured connection rate.

Safety Input Assembly tags contain the data that is transferred from the drive
to the GuardLogix® using CIP Safety™ protocol over EtherNet/IP®. This is the
network safety status data. Safety Output Assembly tags contain the data that
is transferred from the GuardLogix controller to the drive option module using
CIP Safety protocol over EtherNet/IP. This is the network safety control data.

CIP Safety protocol over EtherNet/IP transfers data with integrity up to SIL 3
and PL e.

TIP The Output and Input designations are relative to the GuardLogix controller.

Table 99 - Safety Input Assembly Tags


Safety Input Assembly Tag Name (input to safety controller) Type/[bit] Description
module:SI.ConnectionStatus SINT See the following descriptions of individual bits.
module:SI.RunMode [0] Safety Connection 0 = idle, 1 = Run
module:SI.ConnectionFaulted [1] Safety Connection 0 = normal, 1 = Faulted
module:SI.FeedbackPosition DINT Primary Feedback Position from drive-module safety instance. Value is in feedback counts.
module:SI.FeedbackVelocity REAL Primary Feedback Velocity from drive-module safety instance. Value is in revolutions/second.
module:SI.SecondaryFeedbackPosition DINT Secondary Feedback Position from drive-module safety instance. Value is in position counts.
module:SI.SecondaryFeedbackVelocity REAL Secondary Feedback Velocity from drive-module safety instance. Value is in revolutions/second.
module:SI.StopStatus SINT See the following descriptions of individual bits.
module:SI.STOActive [0] Indicates STO function status.
0 = STO function not active (permit torque)
1 = STO function active (disable torque)
module:SI.SBCActive [1] Safe Brake Control (SBC) function status
0 = Release Brake (So0 and So1 ON)
1 = Engage Brake (So0 and So1 OFF)
module:SI.SS1Active [2] Indicates drive-based SS1 active status.
0 = SS1 function not active
1 = SS1 function active
module:SI.SS2Active [3] Always 0
module:SI.SOSStandstill [4] Always 0
module:SI.SMTOvertemp [5] Always 0
module:SI.SafetyFault [6] 1 = Safe Stop Fault present
module:SI.RestartRequired [7] 1 = Reset is required
module:SI.SafeStatus SINT See the following descriptions of individual bits.
module:SI.TorqueDisabled [0] 0 = Torque Permitted
1 = Torque Disabled
module:SI.BrakeEngaged [1] 0 = Brake Released (So0 and So1 ON)
1 = Brake Engaged (So0 and So1 OFF)
module:SI.MotionStatus SINT A collection of the following bits.

module:SI.MotionPositive [3] 1 = Feedback Velocity > Primary Feedback Standstill Speed
module:SI.MotionNegative [4] 1 = Feedback Velocity < Primary Feedback Standstill Speed
module:SI.FunctionSupport SINT See the following descriptions of individual bits.
module:SI.PrimaryFeedbackValid [0] 0 = Primary Feedback not configured or Faulted
1 = Primary Feedback Value is valid
module:SI.SecondaryFeedbackValid [1] See the following descriptions of individual bits.
module:SI.DiscrepancyCheckingActive [2] 1 = Feedback Velocity Discrepancy checking is active
module:SI.SBCReady [3] 0 = Drive-based SBC function is not configured or faulted
1 = Drive-based SBC function is configured and ready for operation
module:SI.SS1Ready [4] 0 = Drive-based SS1 function is not configured or faulted
1 = Drive-based SS1 function is configured and ready for operation
module:SI.SS2Ready [5] Always 0
module:SI.SOSReady [6] Always 0
module:SI.SMTReady [7] Always 0
Module:SI.OutputStatus SINT See the following descriptions of individual bits.
Module:SI.Out00Monitor [0] The readback value of Safety Output 0
Module:SI.Out01Monitor [1] The readback value of Safety Output 0
Module:SI.Out00Status [3] The status of Safety Output 1
Module:SI.Out01Status [4] The status of Test output 0
Module:SI.Test00Status [5] The status of Test output 1
Module:SI.InputStatus SINT See the following descriptions of individual bits.
Module:SI.In00Data [0] The value read from Safety Input 0
Module:SI.In01Data [1] The value read from Safety Input 1
Module:SI.In02Data [2] The value read from Safety Input 2
Module:SI.In03Data [3] The value read from Safety Input 3
Module:SI.In00Status [4] The status of safety input 0
Module:SI.In01Status [5] The status of safety input 1
Module:SI.In02Status [6] The status of safety input 2
Module:SI.In03Status [7] The status of safety input 3
Module:SI.IOSupport SINT See the following descriptions of individual bits.
Module:SI.In00Valid [0] Safety Input 0 producing valid data
Module:SI.In01Valid [1] Safety Input 1 producing valid data
Module:SI.In02Valid [2] Safety Input 2 producing valid data
Module:SI.In03Valid [3] Safety Input 3 producing valid data
Module:SI.Out00Ready [4] Safety Output 0 Ready
Module:SI.Test01Ready [5] Safety Output 1 Ready
Module:SI.Test00Ready [6] Test Output 0 Ready
Module:SI.Test01Ready [7] Test Output 1 Ready
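
The bit layout in Table 99, applied to logged SINT values for offline review. This is an added example, not Rockwell Automation code, and the sample values are constructed. It covers the ConnectionStatus, StopStatus, SafeStatus, MotionStatus and FunctionSupport members and flags bits that the table documents as always 0 or does not list.

```python
"""Decode status bytes of the Safety Input Assembly (Table 99) from logged values.

Added example for offline review of trend or log exports; it is not Rockwell
Automation code. Bit positions and names are copied from Table 99.
"""

# One list per SINT member, index = bit position. None = bit not listed in Table 99.
LAYOUT = {
    "ConnectionStatus": ["RunMode", "ConnectionFaulted"] + [None] * 6,
    "StopStatus": ["STOActive", "SBCActive", "SS1Active", "SS2Active",
                   "SOSStandstill", "SMTOvertemp", "SafetyFault", "RestartRequired"],
    "SafeStatus": ["TorqueDisabled", "BrakeEngaged"] + [None] * 6,
    "MotionStatus": [None] * 3 + ["MotionPositive", "MotionNegative"] + [None] * 3,
    "FunctionSupport": ["PrimaryFeedbackValid", "SecondaryFeedbackValid",
                        "DiscrepancyCheckingActive", "SBCReady", "SS1Ready",
                        "SS2Ready", "SOSReady", "SMTReady"],
}

# Bits that Table 99 documents as "Always 0".
ALWAYS_ZERO = {"SS2Active", "SOSStandstill", "SMTOvertemp",
               "SS2Ready", "SOSReady", "SMTReady"}


def sint_to_byte(value):
    """Return the raw 0..255 bit pattern of a SINT.

    SINT is a signed 8-bit type, so a set bit 7 (for example RestartRequired)
    makes the logged decimal value negative. Unsigned 0..255 is accepted too.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"not a SINT value: {value!r}")
    if not -128 <= value <= 255:
        raise ValueError(f"out of range for one byte: {value!r}")
    return value & 0xFF


def decode_member(member, value):
    """Decode one SINT member into ({bit name: bool}, [anomaly strings])."""
    raw = sint_to_byte(value)
    bits, anomalies = {}, []
    for position, name in enumerate(LAYOUT[member]):
        is_set = bool((raw >> position) & 1)
        if name is None:
            if is_set:
                anomalies.append(f"{member}[{position}] is set but not listed in Table 99")
            continue
        bits[name] = is_set
        if is_set and name in ALWAYS_ZERO:
            anomalies.append(f"{name} is set but Table 99 documents it as always 0")
    return bits, anomalies


def decode_snapshot(snapshot):
    """Decode a {member: SINT value} mapping; an unknown member raises KeyError."""
    decoded, anomalies = {}, []
    for member, value in snapshot.items():
        bits, found = decode_member(member, value)
        decoded[member] = bits
        anomalies.extend(found)
    return decoded, anomalies


def describe(decoded):
    """Render the stop-related bits using the wording of Table 99."""
    conn = decoded["ConnectionStatus"]
    stop = decoded["StopStatus"]
    safe = decoded["SafeStatus"]
    lines = [
        "Safety connection: " + ("Run" if conn["RunMode"] else "idle")
        + (", Faulted" if conn["ConnectionFaulted"] else ", normal"),
        "STO function " + ("active (disable torque)" if stop["STOActive"]
                           else "not active (permit torque)"),
        "Torque Disabled" if safe["TorqueDisabled"] else "Torque Permitted",
    ]
    if stop["SafetyFault"]:
        lines.append("Safe Stop Fault present")
    if stop["RestartRequired"]:
        lines.append("Reset is required")
    return lines


# Constructed sample, not captured from a real drive.
SAMPLE = {"ConnectionStatus": 1, "StopStatus": -63, "SafeStatus": 1,
          "MotionStatus": 0, "FunctionSupport": 17}

if __name__ == "__main__":
    sample_decoded, sample_anomalies = decode_snapshot(SAMPLE)
    for line in describe(sample_decoded):
        print(line)
    for note in sample_anomalies:
        print("ANOMALY:", note)
```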


Table 100 - Safety Output Assembly Tags


Safety Output Assembly Tag Name (output to safety controller) Type/[bit] Description
module:SO.PassThruDataA[instance] DINT 32-bit data container holding general-purpose safety data passed from the safety controller.
module:SO.PassThruDataB[instance] DINT 32-bit data container holding general-purpose safety data passed from the safety controller.
module:SO.PassThruStopStatus[instance] SINT See the following descriptions of Safe Stop Function Status bits.
module:SO.SBCIntegrity[instance] [0] Status of an external Safety Brake controlled by SBC function.
0 = SBC fault. The brake status, released or engaged, is undetermined.
1 = No faults detected.
module:SO.SBCActive[instance] [1] Indicates that the SBC function is active and the sequence to set the Safety Brake has
started. This function is only available as a controller-based function.
0 = SBC Function is not Active
1 = SBC Function is Active
module:SO.SBCBrakeEngaged[instance] [2] Indicates that the External Safety Brake is engaged by the controller-based SBC function.
0 = Brake is Engaged
1 = Brake is Released
module:SO.SS1Active[instance] [3] Indicates that the controller-based SS1 function is active.
0 = SS1 Function is not Active
1 = SS1 Function is Active
module:SO.SS2Active[instance] [4] Indicates that the controller-based SS2 function is active.
0 = SS2 Function is not Active
1 = SS2 Function is Active
module:SO.SOSActive[instance] [5] Indicates that the controller-based SOS function is active.
0 = SOS Function is not Active
1 = SOS Function is Active
module:SO.SOSStandstill[instance] [6] Indicates that the controller-based SOS function has detected Standstill according to the
function configuration.
0 = Monitored axis is not at Standstill
1 = Monitored axis is at Standstill
module:SO.PassThruSpeedLimitStatus[instance] SINT See the following descriptions of Limit Function Status bits.
module:SO.SSMActive[inst] [0] For use with a controller-based SSM function.
module:SO.SSMStatus[inst] [1] For use with a controller-based SSM function.
module:SO.SLSActive[instance] [2] Indicates that the controller-based SLS function is active.
0 = SLS Function is not active
1 = SLS Function is active
module:SO.SLSLimit[instance] [3] Indicates that the controller-based SLS function has detected the monitored axis speed
above the limit setpoint.
0 = axis is below setpoint speed
1 = axis is greater than or equal to the setpoint speed
module:SO.SDIActive[instance] [6] Indicates that the controller-based SDI function is active.
0 = SDI Function is not active
1 = SDI Function is active
module:SO.SDILimit[instance] [7] Indicates that the controller-based SDI function detected motion greater than the limit in
the unintended direction.
0 = Limit not reached
1 = Unintended motion
module:SO.PassThruPositionLimitStatus[instance] SINT See the following descriptions of individual bits, indicating the Monitoring Function Limit
status of controller-based functions.
module:SO.SCAActive[inst] [0] For use with a controller-based SCA function.
module:SO.SSMStatus[inst] [1] For use with a controller-based SSM function.

module:SO.SCAStatus[inst] [1] For use with a controller-based SCA function.
module:SO.SLPActive[instance] [2] Indicates that the controller-based SLP function is active.
0 = SLP Function is not active
1 = SLP Function is active
module:SO.SLPLimit[instance] [3] Indicates that the controller-based SLP function has detected the monitored axis position
outside of the setpoint limits.
0 = axis position is within the limits
1 = axis position is outside of the limits
module:SO.SFHomed[instance] [7] Status of the controller-based SFX position homing function.
1 = SFX Homed
module:SO.PassThruStopFaults[instance] SINT See the following descriptions of individual bits, indicating the Safety Fault status of
controller-based safety functions.
module:SO.SFXFault[instance] [0] Indicates that a fault occurred with the controller-based SFX function.
0 = Normal Operation
1 = Fault
module:SO.SBCFault[instance] [1] Indicates that a fault occurred with the controller-based SBC function.
0 = Normal Operation
1 = Fault
module:SO.SS1Fault[instance] [2] Indicates that a fault occurred with the controller-based SS1 function.
0 = Normal Operation
1 = Fault
module:SO.SS2Fault[instance] [3] Indicates that a fault occurred with the controller-based SS2 function.
0 = Normal Operation
1 = Fault
module:SO.SOSFault[instance] [4] Not available, always 0.
module:SO.PassThruLimitFaults[instance] SINT See the following descriptions of individual bits, indicating the Safety Fault status of
controller-based safety functions.
module:SO.SSMFault[inst] [0] Controller-based SSM fault.
0 = Normal Operation
1 = Fault

module:SO.SLSFault[instance] [1] Controller-based SLS fault.
0 = Normal Operation
1 = Fault
module:SO.SDIFault[instance] [2] Controller-based SDI fault.
0 = Normal Operation
1 = Fault
module:SO.SCAFault[inst] [3] Controller-based SCA fault.
0 = Normal Operation
1 = Fault
module:SO.SLPFault[instance] [4] Controller-based SLP fault.
0 = Normal Operation
1 = Fault
module:SO.SafetyStopFunctions[instance] SINT See the following descriptions of individual bits used to activate (request) safety functions.
module:SO.STOOutput[instance] [0] 0 = Activate STO Function
1 = Permit Torque
module:SO.SBCOutput[instance] [1] Drive-based function not available.
module:SO.SS1Request[instance] [2] 0 = Remove SS1 Request
1 = Activate Drive-based SS1 Function
module:SO.SS2Request[instance] [3] Drive-based function not available.
module:SO.SOSRequest[instance] [4] Drive-based function not available.
module:SO.SMTRequest[inst] [5] Drive-based function not available.
module:SO.ResetRequest[instance] [7] 0 → 1 transition resets drive-based Safe Stop function.
Module:SO.SafetyIOCommands SINT See the following descriptions of individual bits.
Module:SO.Out00Output [0] Command Safety Output 0
Module:SO.Out01Output [1] Command Safety Output 1
Module:SO.Test00Output [2] Command Test Output 0
Module:SO.Test01Output [3] Command Test Output 1


Safety Feedback Attributes

Safety feedback attributes provide configuration and status information for safety feedback. The module has two safety feedback instances. The safety feedback instances contain safety feedback attributes and safety feedback configuration data. The following attributes can be read.

Table 101 - Safety Feedback Instance Numbers


Safety Feedback Instance Number Safety Feedback Device
1 Primary Feedback
2 Secondary Feedback

Table 102 - Safety Feedback Attributes (Class 0x58)


Attribute ID Attribute Name Attribute Description Values
Decimal (Hex)
1 (0x1) Velocity Data Type Determines the data type of feedback velocity and feedback acceleration and all related attributes. 1 = REAL (hard-coded)
2 (0x2) Feedback Position Actual position of the feedback device. Safety data with a safe value defined by Position Safe State Behavior. Feedback Counts
3 (0x3) Feedback Velocity Actual velocity of the feedback device. Safety data with a safe value defined by Velocity Safe State Behavior. Feedback Units/s
4 (0x4) Feedback Acceleration Actual acceleration of the feedback device. Safety data with a safety state of 0. Feedback Units/s²
5 (0x5) Feedback Mode Motion Feedback mode. 0 = Not Used (default)
1 = Used
8 (0x8) Feedback Fault Status of this motion feedback channel. 0 = No Fault
1 = Faulted
9 (0x9) Feedback Fault Reason Determines cause of the fault detected. 1 = No Fault
2 = Config
3 = Max Speed
4 = Max Accel
5 = Sin²+Cos²
6 = Quadrature
7 = Discrepancy
8 = Partner
9 = Voltage
10 = SignalNoise
11 = Signal Lost
12 = Data Lost
13 = Device Fail
107 = Max Freq
108 = SinCosOffset
109 = Pos Rollover

10 (0xA) Reset Feedback Fault Resets a motion feedback fault (read/write access). 0 to 1 transition will reset a safety feedback fault once the
fault condition is removed
11 (0xB) Position Safe State Behavior Defines behavior for value reporting when faulted. 2 = Hold Last Value
13 (0xD) Velocity Safe State Behavior Defines behavior for value reporting when faulted. 0 = Use Velocity Safe State Value (default)
14 (0xE) Velocity Safe State Value Safe Velocity Feedback and Acceleration Feedback value. Default = 0
16 (0x10) Feedback Unit Unit of measure for the feedback device. 0 = Revolution (default)
1 = Meter

17 (0x11) Feedback Type Identifies the type of feedback device. 0 = Not Specified (default)
1 = Digital Aqb
2 = Sine/Cosine
3 = Hiperface
18 (0x12) Feedback Polarity Feedback polarity of Normal provides increasing position values when the feedback device is moved in position according to the encoder manufacturer specifications. For feedback devices internal to Allen-Bradley® motors, the Normal direction is clockwise rotation of the shaft when facing the end of the motor shaft. 0 = Normal (default)
1 = Inverted
19 (0x13) Feedback Cycle Resolution This is the number of feedback cycles per revolution of the encoder. For a Sin/Cos encoder, this is the number of sinusoidal cycles per revolution. 0 = Default
20 (0x14) Feedback Cycle Interpolation This value is the number of feedback counts per feedback cycle. This value is always 4 for sin/cos or incremental encoders. Counts/Cycle
Default = 0
4 for Feedback Type=1/2/3
22 (0x16) Velocity Average Time A moving average filter is applied to velocity that is provided by the Motion Safety instance of the drive. This parameter specifies the window of time where the average is taken. Feedback velocity is provided as a REAL data type. 0 = Disable Averaging (default)
1...65565 ms
23 (0x17) Acceleration Average Time A moving average filter is applied to acceleration that is provided by the safety feedback instance of the drive. This parameter specifies the window of time where the average is taken. 0 = Disable Averaging (default)
1...65565 ms
24 (0x18) Feedback Voltage Monitor Defines the expected range of encoder voltage supply. 0 = Voltage Monitoring Not Performed
1 = 4.75 V…5.15 V
2 = 7 V…12 V
3 = 11.4 V…12.6 V
26 (0x1A) Feedback Maximum Speed Absolute maximum speed for this feedback device. Exceeding this speed is a fault. Feedback Units/s
0 = Disable Max Speed Check (Default)
27 (0x1B) Feedback Maximum Acceleration Absolute maximum acceleration for this feedback device. Exceeding this acceleration is a fault. Feedback Units/s²
0 = Disable Max Speed Check (Default)
31 (0x1F) Motion Positive Indicates positive motion. 0 = No Positive Motion
1 = Positive Motion
32 (0x20) Motion Negative Indicates negative motion. 0 = No Negative Motion
1 = Negative Motion
33 (0x21) Standstill Speed Defines what maximum magnitude of Feedback Velocity is considered standstill. Feedback Velocity above standstill will set either Motion Negative or Motion Positive to 1. Feedback Units/s
(Default of 0)


Safe Stop Function Attributes

Safe-stop function attributes provide configuration and status information for safety feedback.

The module has one safe stop function instance. Safe-stop function attributes provide status and configuration data. All attributes can be read using explicit messages. Attributes that can be written are indicated in the table. Configuration attributes can be read but cannot be written using an explicit message.

Table 103 - Safe Stop Function Attributes (Class 0x5A)
Attribute ID Attribute Name Attribute Description Values
Decimal (Hex)
10 (0xA) Safety Reset Reset all safety functions. 0 to 1 transition required to reset
11 (0xB) Restart Type Selects safety function restart behavior while operating. 0 = Manual
1 = Automatic
12 (0xC) Cold Start Type Selects safety function restart behavior when applying controller power or mode change to Run. 0 = Manual
1 = Automatic
20 (0x14) Safety Feedback Instance Instance ID of a Safety Feedback instance to provide position, velocity, and acceleration data used by safe stop functions. 0 = No feedback (default)
21 (0x15) Safety Feedback Fault Copy of feedback status from the Safety Feedback instance. 0 = No Fault
1 = Faulted
30 (0x1E) Safety Function Fault Logical OR of all Fault attributes that reference this instance. 0 = No Fault
1 = Faulted
31 (0x1F) Safety Stop Fault Logical OR of all Stop Fault attributes in this instance. 0 = No Fault
1 = Faulted
32 (0x20) Safety Limit Fault Logical OR of all Limit Fault attributes that reference this instance. 0 = No Fault
No Limit Functions Supported
33 (0x21) Safety Limit Active Logical OR of all Limit Active attributes that reference this instance. 0 = No Limit
No Limit Functions Supported
34 (0x22) Restart Required A stop function has been activated and Restart Type is Manual. 0 = Restart Not Required
1 = Restart Required
40 (0x28) Safety Stop Status Collection of Safety Stop Status bits: Bit:
0 = Safety Function Fault
1 = Safety Reset Request
2 = Restart Required
3 = STO Active
4 = Torque Disabled
5 = SBC Active
6 = Brake Engaged
7 = SS1 Active
8 = SS2 Active
9 = SOS Active
10 = SOS Standstill
11 = SMT Active
12 = SMT Overtemp
41 (0x29) Safety Stop Faults Collection of Safety Stop Fault bits: Bit:
2 = Feedback Fault
3 = STO Fault
4 = SS1 Fault
5 = SS2 Fault
6 = SOS Fault
7 = SBC Fault
8 = SMT Fault

50 (0x32) Connection Loss Action Safety Output Connection is lost (or closed) and optional Connection Loss Action is Set to STO (default). 0 = STO (default)
1 = SS1
51 (0x33) Connection Idle Action Safety Output Connection’s Run/Idle bit transitions from Run to Idle and Optional Connection Idle Action is Set to STO (default). 0 = STO (default)
1 = SS1
101 (0x65) STO Delay Specify delay time from STO Active to Torque Disabled. This delay allows the time for an external brake to engage before torque is disabled. Delay in milliseconds
Default = 0
110 (0x6E) SBC Ready Safe Brake Control safety function is supported, configured, and ready for operation. 0 = Not Ready
SBC Function Not Supported
111 (0x6F) SS1 Ready Safe Stop 1 safety function is supported, configured, and ready for operation. 0 = Not Ready
1 = Ready
112 (0x70) SS2 Ready Safe Stop 2 safety function is configured and ready for activation. 0 = Not Ready
SS2 Function Not Supported
113 (0x71) SOS Ready Safe Operating Stop safety function is configured and ready for activation. 0 = Not Ready
SOS Function Not Supported
114 (0x72) SMT Ready Safe Motor Temperature safety function is configured and ready for activation. 0 = Not Ready
SMT Function Not Supported
260 (0x104) STO Mode Safe Torque Off mode. 1 = Used
2 = Permit Torque
261 (0x105) STO Output Enables or disables energy to the motor that can generate torque (or force if linear motor). Safety data with a safety state of 0. 0 = Disable Torque
1 = Permit Torque
262 (0x106) STO Active Output of STO Activation block. 0 = Permit Torque
1 = Disable Torque
263 (0x107) STO Fault Safe Torque Off fault. 0 = No Fault
1 = Faulted
264 (0x108) STO Fault Type Detailed information about a fault. 1 = No Fault
2 = Invalid Configuration
3 = Circuit Error
4 = Stuck At Low
5 = Stuck At High
6 = Cross Connection
102 = Hard-wired STO Input Discrepancy
104 = Hard-wired STO Input Active in Network Safety
265 (0x109) STO Activation Bit string showing status of all inputs to the STO Activation block. Bit:
0 = STO Output Active
1 = SS1 Complete
2 = Safety Stop Fault
3 = Safety Limit Fault
4 = Safety Limit Action
5 = Connection Loss
6 = Connection Idle
266 (0x10A) Torque Disabled Status of Safe Torque Off. 0 = Torque Permitted
1 = Torque Disabled
280 (0x118) SS1 Mode Safe Stop 1 mode. 0 = Not Used
1 = Timed SS1 (default)
2 = Monitored SS1
281 (0x119) SS1 Request Select Safe Stop 1 request. 0 = No Request
1 = Request

282 (0x11A) SS1 Active Safe Stop 1 function active. 0 = Not Active
1 = Active
283 (0x11B) SS1 Fault Safe Stop 1 fault. 0 = No Fault
1 = Faulted
284 (0x11C) SS1 Fault Type Describes detailed information about the Fault. 1 = No Fault
2 = Invalid Configuration
3 = Deceleration Rate
4 = Maximum Time
100 = STO Request during SS1
101 = SS1 Request while Feedback not valid
285 (0x11D) SS1 Max Stop Time Allowed time to stop. 0…65535 milliseconds
Default = 0
286 (0x11E) SS1 Standstill Speed Defines the speed below which motion is considered stopped. Feedback Units / s
Default = 0
287 (0x11F) SS1 Stop Monitor Delay Delay before deceleration is monitored. 0…65535 milliseconds
Default = 0
288 (0x120) SS1 Decel Ref Rate Minimum rate of deceleration while stopping. Feedback Units / s²
0 = No Decel Check (default)
289 (0x121) SS1 Activation The source of the SS1 activation. Bit:
0 = SS1 Request
1 = Safe Limit Active
2 = Connection Loss
3 = Connection Idle
290 (0x122) SS1 Decel Rev Tolerance Defines the speed tolerance that is applied to the deceleration ramp check. This attribute is optional in the implementation. Feedback Units/s²
Default = 0
291 (0x123) SS1 Ext Max Stop Time Allowed time to stop with extended range to support possibility of long stop times. This attribute is optional in the implementation. 0…4294967296 ms
Default = 0
292 (0x124) SS1 Max Stop Time Source Selects which Max Stop Time attribute determines the allowed time to stop. Must be supported if optional SS1 Ext Max Stop Time is supported. 0 = Max Stop Time
1 = Ext Max Stop Time
303 (0x12F) SS2 Fault Safe Stop 2 fault. 0 = No Fault
1 = Faulted
304 (0x130) SS2 Fault Type Detailed information about a fault. 1 = No Fault
2 = Invalid Configuration
SS2 Function Not Supported
323 (0x143) SOS Fault Safe Operating Stop fault. 0 = No Fault
1 = Faulted
324 (0x144) SOS Fault Type Detailed information about a fault. 1 = No Fault
2 = Invalid Configuration
SOS Function Not Supported
341 (0x155) SMT Fault Safe Motor Temperature fault. 0 = No Fault
1 = Faulted
342 (0x156) SMT Fault Type Detailed information about a fault. 1 = No Fault
2 = Invalid Configuration
SMT Function Not Supported
360 (0x168) SBC Mode Safe Brake Control Mode. 0 = Not Used (default)
1 = Used, No Test Pulses
2 = Used, with Test Pulses

361 (0x169) SBC Output Commanded state of the SBC Outputs. 0 = Engage Brake (default)
1 = Release Brake Permit
362 (0x16A) SBC Active Indicates that the brake is currently engaged, and can be released. 0 = SBC Not Active
1 = SBC Active
363 (0x16B) SBC Fault Safe Brake Control fault. 0 = No Fault
1 = Faulted
364 (0x16C) SBC Fault Type Detailed information about a fault. 1 = No Fault
2 = Invalid Configuration
SBC Function Not Supported
365 (0x16D) SBC Activation Indicates the sources of SBC activation. 0 = SBC Output Active
1 = STO Active
2 = Safety Stop Fault
3 = Safety Limit Fault
366 (0x16E) SBC Brake Engaged Indicates the state of the signals controlling the SBC Output. 0 = Brake Released
1 = Brake Engaged
367 (0x16F) SBC Output Monitor Value Read back value of the safety outputs. 0 = Brake De-energized
1 = Brake Energized
368 (0x170) STO Activates SBC Configures Safe Brake Control to engage a mechanical brake when Safe Torque Off disables torque. 0 = Not Linked (default)
1 = STO Engages a mechanical
369 (0x171) STO to SBC Delay When STO Activates SBC is set, this attribute configures a time delay between torque disabled and brake engaged. 0 = No Delay (default)


Explicit Messages

Use explicit messages to communicate with a drive and obtain additional fault, status, or configuration information that is not available in the Safety I/O Tag structure. Attribute data is useful for additional diagnostic information.

IMPORTANT Explicit messages must not be used for any safety related function.

Example: Read SS1 Fault Type


In the drive module, the connection to the safety instance or instances is
controlled by a safety supervisor. The supervisor status can be read by the
motion controller through the motion connection and the safety controller
through the Safety Input Assembly or by an explicit message.
Table 104 - Safe Stop 1 Fault Type: MSG
Parameter Value Description
Service Code 0x0E Get attribute single
Class 0x5A Safety Stop Functions Object
Instance 1
Attribute 0x11C SS1 Fault Type
Data Type USINT Unsigned short integer

The 20-750-S4 option is accessed by a MSG command using CIP ‘Bridging and Routing’. To access the S4, the routing information has to be manually appended to the Path in the MSG configuration. This means appending ‘, 1, <port>’ where ‘1’ indicates that the message is routed across the PF755 backplane and <port> is the number of the backplane port where the 20-750-S4 option is installed. This can be port 4, 5, or 6. In CIP Motion applications the 20-750-S4 must be installed in port 6.



Appendix D

Parameter Data

This appendix provides a description of the device parameters and host config
parameters.

Parameters and Settings in a Linear List

This section describes the status parameters and their values in numerical order.

Device Parameters

You are not able to create datalinks to these Device parameters. If you need to
read them, you could use a message instruction.
Table 105 - Device Config Parameters
No. Display Name Data Type
Full Name
Description
Values – Description

1 Identity Status DWORD
Describes the status of the module.
“Owned” (0) – Indicates whether the safety option module has an owner. 1 = owned, 0 = not owned
“Configured” (1) – Indicates whether the safety option module has a configuration other than out-of-box. 1 = configured, 0 = out of box configuration
“Min Rec Flt” (8) – If set (1), the safety option module has detected a minor recoverable fault. The device does not enter a faulted state.
“Min Unr Flt” (9) – If set (1), the safety option module has detected a minor unrecoverable fault. The device does not enter a faulted state.
“Maj Rec Flt” (10) – If set (1), the safety option module has detected a major recoverable fault and is in the major recoverable fault state.
“Maj Unr Flt” (11) – If set (1), the safety option module has detected a major unrecoverable fault and is in the major unrecoverable fault state.

2 Extended Status USINT
Detailed description of the module status based on Identity State.
“Self Test” (0) – A self test is in progress.
“FW Update” (1) – A firmware update is in progress.
“IO Faulted” (2) – At least one I/O connection is faulted.
“No IO Conect” (3) – No I/O connections are established.
“Config Err” (4) – Non-volatile configuration is bad.
“Major Flt” (5) – A major fault has occurred.
“IO In Run” (6) – At least one I/O connection is in Run mode.
“IO In Idle” (7) – At least one I/O connection is in Idle mode.
3 Identity State USINT
State of the module.
“Invalid” (0) – The device is without power.
“Self Test” (1) – The device is executing self tests.
“Standby” (2) – The device has incorrect or incomplete configuration.
“Operational” (3) – The device is currently operating in normal fashion.
“Maj Rec Flt” (4) – The device has experienced a fault that is recoverable.
“Maj Unr Flt” (5) – Device has encountered a fault that is unrecoverable.
4 Max Data Age UINT
Maximum data age
Holds the largest data age detected in 128 μs increments.
5 Cons Flt Count UINT
Consumer connection fault count
The number of faults detected in this hour from the consumer connection.
6 Prod Flt Count UINT
Producer connection fault count
The number of faults detected in this hour from the producer connection.
7 STO Fault Type USINT
Indicates the current STO fault type of the module.
“No Fault” (1) – STO functions are not faulted.
“Circuit Err” (3) – Internal STO circuitry error.
“Stuck Low” (4) – Internal STO Health and/or Power input stuck low.
“Stuck High” (5) – Internal STO Health and/or Power input stuck high.
“Discrepancy” (102) – Hardwired input discrepancy.
“Mode Conflict” (104) – Hardwired input is detected in Network mode.

10 SS1 Fault Type BYTE
The fault reported by the Safe Stop 1 function.
“No Fault” (1) – No fault being reported by the Safe Stop 1 function.
“Config” (2) – Invalid configuration of Safe Stop 1 function.
“Decel Rate” (3) – Acceleration less than Decel Reference Rate (Monitored SS1).
“Maximum Time” (4) – Above Standstill Speed at Max Stop Time (Monitored SS1).
“Fdbk Invalid” (101) – A fault is present in the encoder.
11 SBC Fault Type BYTE
The fault reported by the Safe Brake Control function.
“No Fault” (1) – No fault is reported by the Safe Brake Control function.
“Config” (2) – Invalid configuration of the Safe Brake Control.
“OverCurrent” (3) – Current exceeded maximum on an output controlling the Safety Brake.
“Stuck Low” (4) – An output controlling the Safety Brake is stuck low.
“Stuck High” (5) – An output controlling the Safety Brake is stuck high.
“Cross Conn” (6) – The outputs controlling the Safety Brake are cross-connected.
“Relay Fail” (7) – A relay of the outputs controlling the Safety Brake has failed.
12 Safety IO Values BYTE
The values being read from input and output points.
“In0 Value” (0) – The value read from Input 0.
“In1 Value” (1) – The value read from Input 1.
“In2 Value” (2) – The value read from Input 2.
“In3 Value” (3) – The value read from Input 3.
“Tst0 Value” (4) – The value of test output 0.
“Tst1 Value” (5) – The value of test output 1.
“Out0 Value” (6) – The value of output 0.
“Out1 Value” (7) – The value of output 1.
13 Safety IO Status BYTE
The status of the input and output points.
“In0 Status” (0) – The status of input 0.
“In1 Status” (1) – The status of input 1.
“In2 Status” (2) – The status of input 2.
“In3 Status” (3) – The status of input 3.
“Tst0 Status” (4) – The status of test output 0.
“Tst1 Status” (5) – The status of test output 1.
“Out0 Status” (6) – The status of output 0.
“Out1 Status” (7) – The status of output 1.
14 Input Alarm Index BYTE
The number of the input instance whose alarm type will be displayed in parameter 15 - (Input Alarm).

15 Input Alarm BYTE
The alarm being reported by the input instance specified in parameter 14 - (Input Alarm Indx).
“No Alarm” (0) – No alarm reported by the input instance.
“Config” (1) – The input instance's configuration is invalid.
“Ext Circuit” (2) – External Pulse Test has failed.
“Int Circuit” (3) – Internal Pulse Test has failed.
“Discrepancy” (4) – The Dual Channel function controlling this instance is reporting an alarm.
“Dual Ch” (5) – The Dual Channel function controlling this instance has detected a fault in the other channel.
16 Output Alarm Index BYTE
The number of the output instance whose alarm type will be displayed in parameter 17 - (Output Alarm).
17 Output Alarm BYTE
The alarm being reported by the output instance specified in parameter 16 - (Output Alarm Indx).
“No Alarm” (0) – No alarm reported by the output instance.
“Config” (1) – The output instance's configuration is invalid.
“OverCurrent” (2) – Current exceeded maximum on the output.
“ShortCircuit” (3) – The output is stuck low.
“Stuck High” (4) – The output is stuck high.
“Partner Err” (5) – The Dual Channel function controlling this instance has detected a fault in the associated output instance.
“Relay Err” (6) – Read back signal error during an expected high state.
“Relay Fail” (7) – The output relay has failed.
“Dual Ch” (8) – The output values of the associated dual channel instance are not the same.
“Cross Conn” (9) – The outputs of the associated dual channel instance are cross-connected.
20 Enc1 Position DWORD
The position count being reported by the primary encoder.
21 Enc1 Velocity REAL
Primary encoder velocity in units/s. The units of this value are of the type reported by parameter 24 - (En1 Unit).

22 Enc1 Accel REAL
Primary encoder acceleration in units/s². The units of this value are of the type reported by parameter 24 - (En1 Unit).
23 Enc1 Fault Type BYTE
The fault type being reported by the primary encoder.
“No Fault” (1) – No fault reported by the primary encoder.
“Config” (2) – The encoder's configuration is invalid.
“Max Speed” (3) – The encoder speed has exceeded the configured maximum speed.
“Max Accel” (4) – The encoder acceleration has exceeded the configured maximum acceleration.
“Sin²+Cos²” (5) – The encoder has failed the vector length or aspect ratio checks.
“Quadrature” (6) – The encoder has exceeded the maximum number of quadrature signal errors.
“Discrepancy” (7) – The associated dual channel feedback instance has reported a discrepancy.
“Partner” (8) – The associated dual channel feedback instance has detected a fault in the other encoder.
“Voltage” (9) – The encoder voltage supply has gone out of the configured range.
“SignalNoise” (10) – The encoder signals have noise that is preventing operation.
“Signal Lost” (11) – The encoder signals are not present.
“Data Lost” (12) – Stopped receiving data from a Digital Encoder.
“Device Fail” (13) – The encoder device has failed.
“Max Freq” (107) – The frequency of the encoder has exceeded the maximum level for this product.
“SinCosOffset” (108) – The offset of the Sine/Cosine signal from ground is outside the required level.
“Pos Rollover” (109) – The encoder position count has exceeded the maximum value that can be represented in this product.
24 Enc1 Unit BYTE
Primary encoder feedback units (set by safety configuration).
“Revolution” (0) – Encoder units are represented in terms of revolutions.
“Meter” (1) – Encoder units are represented in terms of meters.
30 Enc2 Position DWORD
The position count being reported by the secondary encoder.

31 Enc2 Velocity REAL
Secondary encoder velocity in Units/s. The units of this value are of the type reported by P34 [Enc2 Unit].
32 Enc2 Accel REAL
Secondary encoder acceleration in units/s². The units of this value are of the type reported by P34 [Enc2 Unit].
33 Enc2 Fault Type BYTE
The fault type being reported by the secondary encoder.
“No Fault” (1) – No fault reported by the secondary encoder.
“Config” (2) – The encoder's configuration is invalid.
“Max Speed” (3) – The encoder speed has exceeded the configured maximum speed.
“Max Accel” (4) – The encoder acceleration has exceeded the configured maximum acceleration.
“Sin²+Cos²” (5) – The encoder has failed the vector length or aspect ratio checks.
“Quadrature” (6) – The encoder has exceeded the maximum number of quadrature signal errors.
“Discrepancy” (7) – The associated dual channel feedback instance has reported a discrepancy.
“Partner” (8) – The associated dual channel feedback instance has detected a fault in the other encoder.
“Voltage” (9) – The encoder voltage supply has gone out of the configured range.
“SignalNoise” (10) – The encoder signals have noise that is preventing operation.
“Signal Lost” (11) – The encoder signals are not present.
“Data Lost” (12) – Stopped receiving data from a Digital Encoder.
“Device Fail” (13) – The encoder device has failed.
“Max Freq” (107) – The frequency of the encoder has exceeded the maximum level for this product.
“SinCosOffset” (108) – The offset of the Sine/Cosine signal from ground is outside the required level.
“Pos Rollover” (109) – The encoder position count has exceeded the maximum value that can be represented in this product.
34 Enc2 Unit BYTE
Secondary encoder feedback units (set by safety configuration).
“Revolution” (0) – Encoder units are represented in terms of revolutions.
“Meter” (1) – Encoder units are represented in terms of meters.


Host Config Parameters

These parameters are part of the host configuration parameters. Host Parameters 3…9 provide status of the safety functions. These parameters can be data linked to the controller input assembly to provide the fastest possible update of safety status to the controller. In Integrated Motion operation, these parameters are sent to the motion controller as part of the Motion Connection Axis Tags.

Host Parameters 11…14 configure how the PowerFlex® 755 drive reacts to a
change in the status of the safety functions. These configuration parameters are
not part of the ‘Safety’ configuration, they are part of the PowerFlex 755 drive
configuration.

Table 106 - Host Config Parameters

No. Display Name Read-Write Data Type
Full Name
Description
Values

1 Reserved
2 Reserved
3 Safety State RO DWORD
Provides information on the state of the safety connection and the mode of operation.
“Testing” (1) – The safety option module is in self-test
“Idle” (2) – No active connections (networked)
“Test Flt” (3) – Indicates a fault has occurred during testing of the safety module
“Executing” (4) – Normal running state (networked)
“Abort” (5) – Safety module is in a recoverable fault state
“Critical Flt” (6) – A critical fault has occurred
“Configuring” (7) – Transition state (networked)
“Waiting” (8) – Out-of-Box state (hardwired)
“Wait w Trq” (51) – Out-of-Box state (hardwired)
“Exec w Trq” (52) – STO Bypass state (networked)


4 Safety Status RO BOOL[32]
Indicates status of the safety functions. The default value of each bit (31…0) is 0. Bits 13…15 are reserved.
Bit 0 “Safety Fault” – Indicates the existence of a safety fault, where 0 = no fault and 1 = faulted.
Bit 1 “Safety Reset” – A transition from 0 to 1 resets the safety function.
Bit 2 “Restart Req” – Indicates whether a manual restart is required following a stop function, where 0 = restart not required and 1 = restart required.
Bit 3 “STO Active” – Indicates whether STO control is active, where 0 = Not Active (Permit Torque) and 1 = Active (Disable Torque).
Bit 4 “Trq Disabled” – Displays the status of STO control, where 0 = Torque Permitted and 1 = Torque Disabled.
Bit 5 “SBC Active” – Indicates whether the Safe Brake Control function is active, where 0 = Not Active and 1 = Active.
Bit 6 “Brak Engage” – Indicates whether the Safe Brake Control function has engaged the brake, where 0 = Brake Released and 1 = Brake Engaged.
Bit 7 “SS1 Active” – Indicates whether the Safe Stop 1 function is active, where 0 = Not Active and 1 = Active.
Bit 8 “SS2 Active” – Indicates whether the Safe Stop 2 function is active, where 0 = Not Active and 1 = Active.
Bit 9 “SOS Active” – Indicates whether the Safe Operating Stop function is active, where 0 = Not Active and 1 = Active.
Bit 10 “SOS StndStil” – Indicates whether the Safe Operating Stop function is comparing the actual feedback value to the set point, where
0 = Not comparing and 1 = Comparing.
Bit 11 “SMT Active” – Reserved for future use. Always 0.
Bit 12 “SMT Ovr Temp” – Reserved for future use. Always 0.
Bit 16 “SSM Active” – Indicates if the Safe Speed Monitoring function is active, where 0 = Not Active and 1 = Active.
Bit 17 “SSM Limit” – Indicates the status of the Safe Speed Monitoring function, where 0 = Speed is below limit and 1 = Speed is above limit.
Bit 18 “SLS Active” – Indicates if the Safely Limited Speed function is active, where 0 = Not Active and 1 = Active.
Bit 19 “SLS Limit” – Indicates if the speed exceeds the SLS limit, where 0 = Speed within limit and 1 = Speed exceeds limit.
Bit 20 “SLA Active” – Reserved for future use. Always 0.
Bit 21 “SLA Limit” – Reserved for future use. Always 0.
Bit 22 “SDI Active” – Indicates if the Safe Direction function is active, where 0 = Not Active and 1 = Active.
Bit 23 “SDI Limit” – Indicates if the Safe Direction function has detected movement in the prohibited direction, where 0 = Direction OK and
1 = Prohibited Direction.
Bit 24 “Pos Motion” – The feedback device indicates a positive position value.
Bit 25 “Neg Motion” – The feedback device indicates a negative position value.
Bit 26 “SCA Active” – The Safe Cam function is active.
Bit 27 “SCA Status” – The Safe Cam function has detected a motor shaft position outside the specified range.
Bit 28 “SLP Active” – The Safely Limited Position function is active.
Bit 29 “SLP Status” – The Safely Limited Position function has detected a position outside the specified range.
Bit 30 “Conn Closed” – No active connection of an output assembly from the safety controller exists.
Bit 31 “Conn Idle” – An active output assembly connection exists but the safety controller is in Program mode.

260 Rockwell Automation Publication 750-UM005C-EN-P - February 2021


Appendix D

Table 106 - Host Config Parameters (Continued)


No.   Display Name / Full Name / Description   Values   Read-Write   Data Type

5 Safety Faults RO BOOL[32]

Indicates what type of safety fault has occurred.
Options (by bit):
Bit 31 UNID Fault
Bit 30 VAL Fault
Bits 29...22 Reserved
Bit 21 SLP Fault
Bit 20 SCA Fault
Bit 19 SDI Fault
Bit 18 SLA Fault
Bit 17 SLS Fault
Bit 16 SSM Fault
Bits 15...9 Reserved
Bit 8 SBC Fault
Bit 7 SMT Fault
Bit 6 SOS Fault
Bit 5 SS2 Fault
Bit 4 SS1 Fault
Bit 3 STO Fault
Bit 2 Fdbk Fault
Bit 1 Core Fault
Bit 0 Reserved
Default: 0 for every bit.

Bit 1 “Core Fault” – The module has detected an unrecoverable fault.


Bit 2 “Fdbk Fault” – A fault is present in a safety feedback device.
Bit 3 “STO Fault” – Indicates the fault status of the STO function, where 0 = No Fault and 1 = Faulted. The cause of the fault is recorded in device P7 [STO
Fault Type].
Bit 4 “SS1 Fault” – Indicates the fault status of the SS1 function, where 0 = No Fault and 1 = Faulted. The cause of the fault is recorded in device P1 [SS1
Fault Type].
Bit 5 “SS2 Fault” – Indicates the fault status of the SS2 function, where 0 = No Fault and 1 = Faulted.
Bit 6 “SOS Fault” – Indicates the fault status of the SOS function, where 0 = No Fault and 1 = Faulted.
Bit 7 “SMT Fault” – Indicates the fault status of the SBC function, where 0 = No Fault and 1 = Faulted. Reserved for future use.
Bit 8 “SBC Fault” – Indicates the fault status of the SMT function, where 0 = No Fault and 1 = Faulted.
Bit 16 “SSM Fault” – Reserved for future use. Always 0.
Bit 17 “SLS Fault” – Indicates the fault status of the SLS function, where 0 = No Fault and 1 = Faulted.
Bit 18 “SLA Fault” – Reserved for future use. Always 0.
Bit 19 “SDI Fault” – Indicates the fault status of the SDI function, where 0 = No Fault and 1 = Faulted.
Bit 20 “SCA Fault” – Indicates the fault status of the SCA function, where 0 = No Fault and 1 = Faulted.
Bit 21 “SLP Fault” – Indicates the fault status of the SLP function, where 0 = No Fault and 1 = Faulted.
Bit 30 “VAL Fault” – The Safety Validator Object has detected a fault.
Bit 31 “UNID Fault” – The Safety Validator Object has detected a fault relating to the Unique Identifier number.
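
A decoder for the Safety Faults word listed above, as an added example (not Rockwell Automation code). It names the set bits from the bit list and separately reports any set bit that the table marks Reserved or "Always 0", so a monitoring script can treat that as a suspect read instead of a fault. The function name, the signed-integer handling and the sample value are assumptions made for illustration.

```python
# Added example: decode the 32-bit "Safety Faults" host parameter (No. 5).
# Bit numbers and names come from the bit list above; the function name and
# the sample value are constructed for illustration.

FAULT_BITS = {
    1: "Core Fault", 2: "Fdbk Fault", 3: "STO Fault", 4: "SS1 Fault",
    5: "SS2 Fault", 6: "SOS Fault", 7: "SMT Fault", 8: "SBC Fault",
    16: "SSM Fault", 17: "SLS Fault", 18: "SLA Fault", 19: "SDI Fault",
    20: "SCA Fault", 21: "SLP Fault", 30: "VAL Fault", 31: "UNID Fault",
}
# Bits the list documents as "Reserved for future use. Always 0."
ALWAYS_ZERO = {16, 18}
# Where the list says the cause of a fault is recorded.
FOLLOW_UP = {3: "device P7 [STO Fault Type]", 4: "device P1 [SS1 Fault Type]"}


def decode_safety_faults(raw):
    """Return (faults, unexpected) for a raw Safety Faults value.

    faults     -> list of (bit, name, follow_up_or_None) for documented bits
    unexpected -> bit numbers that are set although the table marks them
                  Reserved or "Always 0"
    """
    # Assumption: the reading tool may report the 32-bit value as a signed
    # integer, so bit 31 can make it negative. Normalise to unsigned.
    if not -(1 << 31) <= raw < (1 << 32):
        raise ValueError("value does not fit in 32 bits")
    word = raw & 0xFFFFFFFF

    faults, unexpected = [], []
    for bit in range(32):
        if not (word >> bit) & 1:
            continue
        if bit not in FAULT_BITS or bit in ALWAYS_ZERO:
            unexpected.append(bit)
        else:
            faults.append((bit, FAULT_BITS[bit], FOLLOW_UP.get(bit)))
    return faults, unexpected


if __name__ == "__main__":
    # Constructed sample: STO Fault (bit 3) and UNID Fault (bit 31) set,
    # as reported by a tool that shows the value as a signed integer.
    sample = -2147483640
    faults, unexpected = decode_safety_faults(sample)
    for bit, name, follow_up in faults:
        print(f"bit {bit:2d} {name}" + (f" -> see {follow_up}" if follow_up else ""))
    print("unexpected bits set:", unexpected)
```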

6 Safe Status Mfg RO BOOL[32]


Indicates status of the manufacturer specific safety functions.
“Brak Intgrty” (0) – Indicates that the brake controlled by the Safe Brake Control function has integrity.
“Fdbk Homed” (1) – Indicates that the Safety Feedback homing has been completed and the Safety Feedback position is tracking from a known reference
position.

7 Safe Faults Mfg RO BOOL[32]

Indicates status of the safety functions.
Options (by bit):
Bits 31...2 Reserved
Bit 1 SFX Fault
Bit 0 Reserved
Default: 0 for every bit.

Bit 1 “SFX Fault” – The Safety Feedback Interface Add On Instruction has experienced a fault.

8 Safety Data A RO DWORD
A 32-bit data container holding general purpose safety-data passed from the safety controller.
Default: 0
Min/Max: -2147483648 / 2147483647

9 Safety Data B RO DWORD
A 32-bit data container holding general purpose safety-data passed from the safety controller.
Default: 0
Min/Max: -2147483648 / 2147483647

10 Reserved RO USINT


11 STO Actn Src RW DWORD
Determines whether the drive or the controller initiates a stop when the Safety Status STO Active bit is set. This does not apply when an SS1 or SS2 action initiates the STO function.
Default: 0 - Drive
Options: 0 - Drive
1 - Controller

12 STO Stp Actn RW DWORD
Selects a stop mode to initiate when the Safety Status STO Active bit is set.
Default: 0 - Coast
Options: 0 - Coast
1 - Ramp
2 - Ramp to hold
3 - DC Brake
4 - DCBrkAutoOff
5 - Current Lmt
6 - Fast Brake

13 SS1/SS2 Actn Src RW DWORD
Determines whether the drive or the controller initiates a stop when the Safety Status SS1 Active bit or the Safety Status SS2 Active bit is set.
Default: 0 - Drive
Options: 0 - Drive
1 - Controller

14 SS1 Stp Actn RW DWORD
Selects a stop mode to initiate when the Safety Status SS1 Active bit is set.
Default: 0 - Coast
Options: 0 - Coast
1 - Ramp To Hold
2 - Ramp
3 - DC Brake
4 - DCBrkAutoOff
5 - Current Lmt
6 - Fast Brake



Rockwell Automation Support
Use these resources to access support information.

Technical Support Center: Find help with how-to videos, FAQs, chat, user forums, and product notification updates. rok.auto/support
Knowledgebase: Access Knowledgebase articles. rok.auto/knowledgebase
Local Technical Support Phone Numbers: Locate the telephone number for your country. rok.auto/phonesupport
Literature Library: Find installation instructions, manuals, brochures, and technical data publications. rok.auto/literature
Product Compatibility and Download Center (PCDC): Download firmware, associated files (such as AOP, EDS, and DTM), and access product release notes. rok.auto/pcdc

Documentation Feedback
Your comments help us serve your documentation needs better. If you have any suggestions on how to improve our
content, complete the form at rok.auto/docfeedback.

Waste Electrical and Electronic Equipment (WEEE)

At the end of life, this equipment should be collected separately from any unsorted municipal waste.

Rockwell Automation maintains current product environmental compliance information on its website at rok.auto/pec.

Allen-Bradley, Connected Components Workbench, CompactLogix, ControlLogix, DeviceLogix, DPI, Expanding Human Possibilities, Integrated Architecture, Guard I/O, GuardLogix, Logix 5000,
PowerFlex, QuickView, Rockwell Automation, Rockwell Software, Studio 5000, Studio 5000 Logix Designer, and TotalFORCE are trademarks of Rockwell Automation, Inc.
EtherNet/IP is a trademark of ODVA, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.

Rockwell Otomasyon Ticaret A.Ş. Kar Plaza İş Merkezi E Blok Kat:6 34752, İçerenköy, İstanbul, Tel: +90 (216) 5698400. Complies with the EEE Regulation.

Publication 750-UM005C-EN-P - February 2021


Supersedes Publication 750-UM005B-EN-P - September 2019 Copyright © 2021 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
