Rockwell Automation TechED 2018 - SS07 - Lab Manual - Developing Safety Applications Using The Guardmaster 440C-CR30 PDF

Developing Safety Applications using the
Guardmaster 440C-CR30 Software Configurable

Safety Relay
For Classroom Use Only!

Important User Information
This documentation, whether, illustrative, printed, “online” or electronic (hereinafter “Documentation”) is intended for use only as
a learning aid when using Rockwell Automation approved demonstration hardware, software and firmware. The Documentation
should only be used as a learning tool by qualified professionals.
The variety of uses for the hardware, software and firmware (hereinafter “Products”) described in this Documentation, mandates
that those responsible for the application and use of those Products must satisfy themselves that all necessary steps have been
taken to ensure that each application and actual use meets all performance and safety requirements, including any applicable
laws, regulations, codes and standards in addition to any applicable technical documents.
In no event will Rockwell Automation, Inc., or any of its affiliate or subsidiary companies (hereinafter “Rockwell Automation”) be
responsible or liable for any indirect or consequential damages resulting from the use or application of the Products described in
this Documentation. Rockwell Automation does not assume responsibility or liability for damages of any kind based on the
alleged use of, or reliance on, this Documentation.
No patent liability is assumed by Rockwell Automation with respect to use of information, circuits, equipment, or software
described in the Documentation.
Except as specifically agreed in writing as part of a maintenance or support contract, equipment users are responsible for:
• properly using, calibrating, operating, monitoring and maintaining all Products consistent with all Rockwell Automation
or third-party provided instructions, warnings, recommendations and documentation;
• ensuring that only properly trained personnel use, operate and maintain the Products at all times;
• staying informed of all Product updates and alerts and implementing all updates and fixes; and
• all other factors affecting the Products that are outside of the direct control of Rockwell Automation.
Reproduction of the contents of the Documentation, in whole or in part, without written permission of Rockwell Automation is
prohibited.
Throughout this manual we use the following notes to make you aware of safety considerations:
Identifies information about practices or circumstances that can cause an explosion in a hazardous
environment, which may lead to personal injury or death, property damage, or economic loss.
Identifies information that is critical for successful application and understanding of the product.
Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you:
• identify a hazard
• avoid a hazard
• recognize the consequence
Labels may be located on or inside the drive to alert people that dangerous voltage may be present.
Labels may be located on or inside the drive to alert people that surfaces may be dangerous temperatures.
The Guardmaster 440C-CR30 Software Configurable Safety Relay Lab
Contents
Before you begin ........................................................................................................................................... 4
About this lab .................................................................................................................................................................................... 4
Tools & prerequisites ........................................................................................................................................................................ 4
Network Set-up ................................................................................................................................................................................. 5
E-Stop Application......................................................................................................................................... 6
Build and Download the Configuration File to the CR30................................................................................................................. 16
Operation of the Configured Safety Circuit ..................................................................................................................................... 21
Gate Switch and E-Stop Application ........................................................................................................... 24

Configuring the Indicator LEDs ....................................................................................................................................................... 35
Build and Download the Configuration File to the CR30................................................................................................................. 36
Logix Controller Tags, Faceplate, and AOI for 440C-CR30 Safety Relay ...................................................................................... 38
Operation of the Configured Safety Circuit ..................................................................................................................................... 41
Verification and Validation, Including Fault Detection and Visualization......................................................................................... 45
Manual Reset of E-Stop with Automatic Reset of Gate Switch....................................................................................................... 56
I/O Expansion via Single Wire Safety ......................................................................................................... 64

Operating the I/O Expansion via Single Wire Safety ...................................................................................................................... 68
Guard Locking Application .......................................................................................................................... 69

Operating the Guard Lock Application ............................................................................................................................................ 73
Zone Control Application ............................................................................................................................. 78

Operating the Safety Zone Control Application............................................................................................................................... 85
Input Signal via Ethernet ............................................................................................................................. 88

Operating the Input Signal via Ethernet Application ....................................................................................................................... 90
Maintenance Mode...................................................................................................................................... 95

Operating the Maintenance Mode Application ................................................................................................................................ 98
3 of 106
Before you begin
About this lab

The Guardmaster™ 440C-CR30 Software Configurable Safety Relay (CR30) is a new safety logic device from Rockwell
Automation™. In the context of a machine safety application, the CR30 fills the same purpose as a safety monitoring relay or
safety PLC – it monitors the status of several safety input devices and through simple logic configuration can control multiple
independent outputs. It is certified for use in safety applications up to and including Safety Integrity Level (SIL) 3 and
Performance Level (PL) e in which the de-energized state is the safe state.
The CR30 is based on the Micro800™ platform. The housing is red to signify it as a ‘safety device’ and to distinguish it from the
gray-colored ‘standard controllers’.
The CR30 has 22 embedded safety rated inputs and outputs and accepts up to two plug-in modules, each of which has 4
standard inputs and 4 standard outputs. The CR30 can be configured using a personal computer (PC) running the Allen-
Bradley™ Connected Components Workbench™ (CCW), or using the 440C-ENET Add-on Profile (AOP) version 2.01 or higher
in Studio 5000 Logix Designer.
This lab provides an introduction to the CR30 and includes several example applications.
This lab takes approximately 90 minutes to complete.
Tools & prerequisites

The following software programs, hardware, and files are required for use with this lab.
 Software Programs:
 RSLinx Classic 3.7 or later
 Studio 5000 v30.00 or later
 FactoryTalk View ME Station v9.00 or later
 Hardware Devices
 ControlLogix Demo Box (CLX41)
 440C-CR30 Training Demo (CR30T)
 Files required:
 CR30_Training_Demo_Lab_L75.mer
 ENET_440C_Gate_Switch_and_Estop.ACD
 ENET_440C_Guard_Locking.ACD
 ENET_440C_Input_Signal_via_Ethernet.ACD
 ENET_440C_Maintenance_Mode.ACD
 ENET_440C_Single_IN_Restart.ACD
 ENET_440C_Start.ACD
 ENET_440C_Zone_Control.ACD
4 of 106
Network Set-up
Setup the interconnection between the demo hardware as shown below:
5 of 106
E-Stop Application
We will start with the implementation of a simple E-Stop circuit. The CR30 detects when the E-Stop is pushed and immediately
removes power from the actuators, causing the hazardous motion to stop. Furthermore, as long as the E-Stop is engaged, the
safety circuit will prevent any hazardous motion. The safety circuit must be manually reset after the E-Stop has been released.
We will use a simple push button with N.O. contacts for the reset.
An existing .ACD file has been created for you in the VMWare image.
1. Launch Studio 5000; double-click on the Studio 5000 desktop icon to start the program.
2. From the Open column, select the Existing Project  Project File icon.
Browse to the folder CR30 Lab Files on the desktop and open the project “ENET_440C_Start.ACD” which has
been created for you as a starting point for this lab.
6 of 106
3. In the I/O Configuration, right click on the Ethernet subnet and click New Module…
4. The Select Module Type window pops up. Type “440C” into the Search Text field.
7 of 106
5. Select the 440C-CR30… and click Create.
6. Type “MyCR30” into the Name field.
7. In the Ethernet Address section, click the Private Network radio button.
8. Set the last octet of the IP address to 78.
8 of 106
9. In the Module Definition section, click the Change… button.
10. On the Module Definition window that opens, click the + next to 440C-CR30-22BBB
11. Right click on <Empty>.
12. Click on DigitalIO and select 2080-IQ4OB4 Digital Combo.
One key feature of the CR30 is the ability to add Standard I/O through the use of Micro 800 plug-in modules
(bulletin 2080). These I/O can be used for signals in the safety circuit that are not safety rated, such as the reset
input, feedback monitoring, muting sensors, auxiliary outputs, etc. The CR30 in the demo includes one 2080-
IQ4OB4 with four inputs and four outputs in plug-in slot 2 (the right-hand slot).
13. Click OK.
9 of 106
14. Click Yes on the warning message that pops up.
15. Click OK on the New Module window to complete the 440C-CR30 module definition.
16. Click Close on the Select Module Type window.
The 440C-CR30 is now displayed in the Controller Organizer.
10 of 106
17. Right click on the 440C-CR30 and select Properties.
18. Select the Logic Configuration tab and click on “Edit Logic” to open the function block editor.
In order to build up the logic configuration of the CR30, we select Safety Monitoring Functions, Logic Blocks, and
Safety Output Functions from the Toolbox. The function block logic editor gives a visual representation of the
logic configuration.
11 of 106
19. Click and drag an Emergency Stop Safety Monitoring Function (SMF) from the Toolbox to the upper left hand
Safety Monitoring target block on the logic editor. (Another option is to double click on Emergency Stop in the
Toolbox – it will automatically load this SMF to the green highlighted function target block on the editor.)
Note that the logic editor has automatically assigned the next available terminals for both the inputs and the test
sources. Not only is terminal assignment automatic, but any necessary configuration of those I/O points is done
automatically by the software. Changing the terminals for each function is also easy as we will see in later labs.
12 of 106
20. In the Toolbox, double click Reset to add a Reset Safety Monitoring Function (SMF) to the logic editor (or click
and drag it to the target block below the Emergency Stop SMF).
21. On the Reset SMF 2, click on the input terminal EI_02. A simple selection table appears.
When we add the Reset SMF the logic editor automatically assigns the next available terminal, EI_02
(Embedded Input 02). In the demo case the reset button is wired into the plug-in module, so we need to change
the input terminal. The simple selection table that appears when we click on the input terminal shows all of the
inputs that could be used as the Reset input (and none of the terminals that can NOT be used for a reset input).
If a given terminal is already being used for something else, it is grayed out – for example, Embedded Safety
Inputs 00 and 01 (being used for the E-Stop inputs) and Multi-Purpose Terminals 12 and 13 (the test sources for
the E-Stop).
22. On the input terminal selection table, click on Plug-in 2 Inputs 2080-IQ4OB4 terminal 00 to select that input for
the Reset SMF. The input terminal will now be labeled P2_00 (Plug-in slot 2, input 00).
13 of 106
23. Now we will add the Safety Output Function (SOF) to our configuration. In the Toolbox under Safety Output
Function Blocks, click and drag Immediate OFF to the first Safety Output function target on the logic editor.
24. Click on the output connection of the E-Stop SMF – the blue dot on the right of the block. The dot will turn light
gray, indicating that it is selected.
25. Click on the input connection (blue dot on the left) of the Immediate OFF SOF block to connect it to E-Stop SMF
block. A connection line will appear and both connection dots will turn dark gray. Also, Pass Through blocks will
automatically appear in the Logic Level A and B columns.
14 of 106
Note that the logic editor has automatically assigned the first two available safety output terminals of the CR30,
EO_18 and EO_19 (Embedded Safety Outputs 18 and 19, respectively). When these outputs turn ON, the white
LED indicators on the CR30 demo labeled Safety Outputs 18 and 19 will turn ON. These outputs also drive the
two 700HPS control relays to the right of the CR30 on the DIN rail. The “PT” to the right of the terminal
assignment stands for Pulse Testing, a technique used to detect if the output terminal is short circuited to 24V or
another safety output terminal. Other output terminals have additional options for configuration besides Pulse
Testing, but for terminals 18 and 19 this is the only possible configuration.
26. This SOF (Safety Output Function) will use the Reset SMF (Safety Monitoring Function) that we configured as
SMF 2. In the SOF block, click the drop down menu next to Reset Input and select SMF 2.
27. We have now completed our logic configuration. Compare your logic to the below image to confirm that it is set
up correctly.
15 of 106
Build and Download the Configuration File to the CR30
1. Close the Logic Editor by clicking the X in the Logic Editor window.
Please note that if any errors exist in the configuration file when trying to close the Logic Editor, the following
window will pop-up. If this happens, click on cancel button and correct the errors listed in the Error List. You can
also compare your logic to the logic configuration shown on the previous page.
This is an example of what the Error List would look like if you had errors in your configuration.
16 of 106
2. Once the Logic Editor is closed, and there are no configuration errors, an Output window appears at the bottom
of the Module Properties. You should see the message “Build Succeeded”. Click the OK button.
3. Confirm that the demo case is plugged in and turned on.
4. Confirm that there is an Ethernet cable connected to the receptacle located in the lower right corner of the demo
case.
17 of 106
5. In the upper left of the Logix Designer window, click the controller icon just to the right of the text Offline and
select Download.
6. Click Download on the warning message that appears.
7. Verify the Logix controller is in Rem Run mode. If the controller is not in Rem Run mode after download, click the
controller icon next to Rem Prog and select Run Mode.
18 of 106
8. Note the yellow triangle warning next to the CR30 icon. This warning indicates the I/O is not responding because
there is a mismatch between the actual CR30 configuration and the one that the Logix controller is expecting.
9. Fix the mismatch by double clicking (or right click and select Properties) on the CR30 in the I/O Configuration
tree. Click on the Logic Configuration Tab.
10. The connection to the CR30 is attempted and a pop up window appears stating there are differences between
the project and what is actually in the CR30. Click  Download to the safety relay.
19 of 106
11. A pop-up window will ask if you want to change the relay to program mode; or, if there is a verified configuration
loaded on the CR30, the pop-up will include a warning that the project and verification ID (on the relay) will be
deleted. Either way, click Yes.
OR
12. A Download Complete message will pop up. Click Yes to change the CR30 back to Run mode.
The download succeeded pop-up window includes additional information. The configuration software calculates
the CRC (an error checking code) of the configuration file. After download, the CR30 calculates the CRC of that
configuration file. These two CRC codes should always match. This is an additional verification step to confirm
that the configuration on the CR30 matches what the user intended.
13. You may see this message. Click Yes to apply the changes to the module configuration.
20 of 106
14. After a successful download, the configuration is a match, and the I/O connection is successful.
Operation of the Configured Safety Circuit
1. Confirm that all of the selector switches on the demo panel are in the default left position.
2. Confirm that there are no cables or wires connected to any of the panel receptacles or jacks.
3. Twist the E-Stop button clockwise to confirm that it is released / clear.
4. In Module Properties window, observe that we are now connected to the CR30. Click on the Edit Logic button to
open the Logic Editor, and view our configuration online.
21 of 106
5. Confirm that the E-Stop SMF block and its input terminals are highlighted green, indicating that they are ON. (If
not, push the E-Stop and then twist clockwise to release it.)
The E-Stop SMF is ON, so the conditions for the Safety Output Function are true, but because it is configured for
manual reset it does not turn its outputs on yet. This “Ready for Reset” state is indicated by the SOF block
flashing green.
6. Press and release the blue Reset push button (labeled ‘R’).
A key feature of the CR30 is that when an SOF is configured for Manual reset mode, the reset signal must be
between 0.25 and 3 seconds long – otherwise that signal is ignored. This prevents the reset button from being
tied down. This also reduces the risk of an accidental bump of the reset button causing hazardous motion. The
key is that the reset button must be intentionally pushed and briefly held to be acknowledged as a reset signal.
22 of 106
7. After you push the reset button, you should see the white indicators for Safety Outputs 18 and 19 turn ON,
indicating that the machine can run. You will also see the SOF block in the Logic Editor change from flashing
green to solid green, and the output terminals highlighted green to indicate that they are ON.
8. Push the E-Stop button. This action opens the N.C. contacts of the E-Stop, which is detected by the CR30.
The safety outputs of the CR30 turn OFF. In the logic editor, observe that the Emergency Stop function block is
no longer highlighted green, along with all blocks and terminals to the right.
In a real application, the CR30 outputs turning OFF would cause the safety contactors to open, thus removing
power from the motor. (In the demo the safety contactors are simulated by the 700HPS safety control relays.)
The hazardous motion will coast to a stop. Stopped is considered a safe state in most machine safety
applications.
9. Twist the E-Stop clockwise to release it.
10. Press and release the blue Reset button to reset the safety circuit. (Remember that the reset signal must be
between 0.25 and 3 seconds long or it will be ignored.) The safety output indicators will turn ON.
We have now configured a CR30 for an Emergency Stop Safety Function and performed a basic functional test
of our safety circuit in just a few simple steps.
23 of 106
Gate Switch and E-Stop Application
We will now expand our safety circuit to include the monitoring of a moveable gate. Our system will consist of two safety
functions:
 Emergency Stop – If the E-Stop is pushed, power should be immediately removed from the actuators.
 Gate interlock – If the movable gate is opened, the safety system should detect it and immediately remove power from the
actuators.
As with most machine safety applications, removal of power will result in a safe state within a short period of time. It would be
appropriate to do safety distance calculations in determining the position of the moveable gate, as we want to make sure that the
machine would be in the safe state before a person could reach the hazard after opening the gate. It is assumed that the
moveable gate is the only way to access the hazard.
We will use a standard 800B E-Stop and a SensaGuard™ interlock switch as input devices for the two safety functions,
respectively. These devices are included in the demo and already wired to the CR30. When either of these devices turns off,
the CR30 will turn off its safety outputs. These safety outputs are connected to the coils of the 700HPS control relays. These
control relays disconnect line power from the actuators. (In an application with a larger electrical draw we would use safety
contactors instead of safety control relays.) The contacts of the two control relays are wired in series – either device dropping
out will disconnect line power. This way if one device fails, the other device will still cause the hazardous motion go to a safe
state. The CR30 monitors the status of the output device (the 700HPS) to detect unsafe device failures. (If a device failure is
detected, the CR30 will not turn on its outputs, thus reducing the risk of this device fault leading to an unsafe condition.)
Here is a basic wiring diagram of this circuit. The E-Stop is connected to CR30 inputs I-00 and I-01. Multipurpose terminals 12
and 13 provide test pulses so that the CR30 can detect cross faults between the two e-stop channels. OSSD outputs A and B of
the SensaGuard are connected to CR30 inputs I-02 and I-03. (These signals turn OFF when the gate opens.) Additional
commentary on the circuit is included throughout the lab steps. CR30 outputs 18 and 19 drive the coils of the control relays K1
and K2 (the 700HPS relays in the demo).
24 of 106
1. Close the Logic Editor window to return to the Module Properties.
2. In the upper right hand corner of the Logic Configuration tab, click the dropdown by “Connected” and select Go
Offline. The field will update to Edit. Note that we are still online with the Logix controller, but we are offline with
the CR30 so we can edit the configuration in the relay.
3. Just below the Logic Configuration tab, click on “Edit Logic” to open the function block editor.
4. Right click on the Reset block (SMF 2) and click Delete.
25 of 106
5. Right click on each Pass Through logic block and click Delete.
6. Click on the block below the Emergency Stop SMF to select it. The block will turn green.
7. In the Toolbox, double click the Gate Switch SMF to add it to the configuration as SMF 2, just below the
Emergency Stop SMF.
8. Click the plus next to Advanced Settings in the Gate Switch SMF on the logic editor.
The logic editor automatically selects a common gate switch configuration – a dual NC channel
electromechanical switch (e.g. a tongue interlock switch). The SensaGuard is an electronic interlock switch with
two OSSD outputs. In the advanced settings we can configure the SMF for two OSSD inputs instead of NC.
26 of 106
9. Under Advanced Settings, click the dropdown menu next to Inputs: and select 2 OSSD. Notice that this
automatically removes the Test Sources and Pulse Testing from the SMF, as these capabilities are not
necessary for OSSD input devices.
Note: another option would be to use the SensaGuard SMF instead of a Gate Switch SMF. The SensaGuard
SMF is preconfigured for dual OSSD inputs. We are using the Gate Switch SMF in this section of the lab to
show the “Advanced Settings” concept. Using the SensaGuard SMF would mean that we would not need to
modify any Advanced Settings.
10. Click the minus symbol to hide the Advanced Settings.
11. In the Toolbox, double click Reset to add it to the configuration as SMF 3. (Alternatively you can click and drag
the reset to the block under the gate switch in the logic editor.)
27 of 106
11. Click on the input terminal EI_04. A simple selection table appears.
12. Click on Plug-in 2 Inputs 2080-IQ4OB4 terminal 00 to select that input for the Reset SMF. The input terminal will
now be labeled P2_00 (Plug-in slot 2, input 00). This is the terminal to which the blue Reset button on the demo
panel is connected.
13. Next we will configure the logic. In the Toolbox under the Logic Functions, click and drag an AND logic block
onto the first Logic Level A function target.
In this application we want the act of pushing the Emergency Stop to disconnect power from the motor. We also
want the act of opening the moveable gate to disconnect power from the motor. People often incorrectly assume
that we would use OR logic to combine the two input devices for this type of application; however, we actually
use AND logic. This is easy to remember if we keep in mind that the job of the safety input device is to indicate
that “it is OK to run” – the device turns its outputs ON when it is OK to run, then turns its outputs OFF (or opens
its contacts) when the machine should go to a safe state. Therefore, if we want the safety outputs of the CR30
to turn ON, the E-Stop must be closed (e.g. N.C. E-Stop button is released / clear) AND the SensaGuard must
be ON (indicating that the moveable gate is closed).
28 of 106
14. Click on the output connection of the E-Stop SMF – the blue dot on the right of the block. The dot will turn light
gray, indicating that it is selected.
15. Click on the first input connection (blue dot) of the AND block to connect it to the E-Stop. A connection line will
appear and both connection dots will turn dark gray.
16. Click on the output connection of the Gate Switch SMF – the blue dot on the right of the block. The dot will turn
light gray, indicating that it is selected.
17. Click on the second input connection (blue dot) of the AND block to connect it to the Gate Switch SMF. A
connection line will appear and both dots will turn dark gray.
29 of 106
18. Click on the output connection (blue dot on the right) of the AND logic block to select it. The dot will turn light
gray.
19. Click on the input connection (blue dot on the left) of the Immediate OFF Safety Output Function (SOF) block to
connect it to the AND block. A connection line will appear and both connection dots will turn dark gray. Also, a
Pass Through block will automatically appear in the Logic Level B column.
20. This SOF (Safety Output Function) will use the Reset SMF (Safety Monitoring Function) that we configured as
SMF 3. In the SOF block, click the drop down menu next to Reset Input and select SMF 3.
30 of 106
Next we will set up Feedback Monitoring for this safety circuit. Feedback is the act of monitoring the output
device to confirm that it is off when the CR30 output driving that device is off. Safety rated output devices such
as safety contactors and the 700HPS safety control relay in this demo utilize mechanically linked contacts so
that an external device can monitor their status. Mechanical linkage means that all of the contacts are
mechanically linked so that when an N.O. contact is closed, the “linked” N.C. contact is mechanically held open.
A 24V signal sent through the N.C. contact will only get to the CR30 input if the N.C. contact is closed.
Therefore, if the CR30 detects 24V on inputs P02 and P03, the CR30 knows that the main motor contacts (the
N.O. channels) are OPEN, and therefore no power is reaching the motor (which is considered a safe state).
Review the circuit diagram below for additional clarification of this concept.
Top illustration – CR30 Outputs OFF, 24V through N.C. of K1 and K2 to CR30 P02 and P03
Lower left – CR30 Outputs ON
Lower right – CR30 Outputs OFF, K1 welded, no signal on P02, 24V on P03  CR30 detects failure of K1.
31 of 106
In traditional safety monitoring relay circuits, the N.C. auxiliary channels of the safety output devices were wired in
series to the feedback monitoring input of the relay – either output device failing would still be detected; we just
wouldn’t know which device had failed. While this technique would certainly be possible with the CR30, we would
typically take advantage of having more inputs by independently monitoring each output device as shown in the circuit
diagram. This means that the CR30 would know exactly which input device had failed, therefore reducing the time
necessary to troubleshoot the issue.
21. For the CR30, Feedback Monitoring is configured as a Safety Monitoring Function (SMF) that we subsequently
associate with a Safety Output Function (SOF). On the Logic editor, click on the next available Safety
Monitoring function block (just under SMF 3 Reset block). It will turn green to indicate that it is selected. You
may need to scroll the Logic window to the left and/or down to get this function target into the visible area.
22. In the Toolbox under Safety Monitoring Functions, double click on the Feedback Monitoring SMF to add this
function to the logic editor in the selected target block.
23. In the Feedback SMF, click on the dropdown next to Inputs and select 2 so that there are two input terminals.
In our circuit, we are independently monitoring two output devices (the two 700HPS relays). These output
devices will always be used in conjunction with each other – they are controlled by the same Safety Output
Function. (If two safety output devices were controlled by two separate Safety Output Functions, they would
utilize separate Feedback Monitoring SMFs.)
32 of 106
24. The software automatically assigns the next available terminals. In the demo, the feedback monitoring circuits
are wired into plug-in inputs 02 and 03. Click on the Feedback input terminals EI_04 and EI_05, changing them
to P2_02 and P2_03 (Plug-in 2 Inputs 02 and 03), respectively.
25. Now we will associate this Feedback SMF with the Safety Output Function. On the Immediate OFF SOF, click
the drop down menu next to Feedback and change it from None to SMF 4 (the Feedback Monitoring SMF that
we just configured).
33 of 106
26. We have now completed our logic configuration. Compare your logic to the below diagram to confirm that it is
set up correctly.
27. Close the Logic Editor Window.
An Output window appears at the bottom of the Module Properties. You should see the message “Build
Succeeded”. If there are any errors in the configuration file when trying to close the Logic Editor, a window will
pop-up stating Logic errors exist. (If there are any errors, click Cancel, and compare your logic to the logic
configuration shown above.)
34 of 106
Configuring the Indicator LEDs
1. The LEDs on the CR30 can be easily configured per the user’s preference to show more information than typical
status LEDs. Click on the Logic Configuration tab on the Module Properties window.
2. Click on LED Configuration towards the lower left.
3. Select the Type Filter and Value for each LED per the table below the image.
Input LEDs Type Filter Value Notes

0 Terminal Status Terminal 00 E-Stop Channel 1
1 Terminal Status Terminal 01 E-Stop Channel 2
2 Terminal Status Terminal 02 Gate Switch OSSD A
3 Terminal Status Terminal 03 Gate Switch OSSD B
4 Not Used Not Used
5 Safety Monitoring Function Status SMF1 E-Stop SMF
6 Safety Monitoring Function Status SMF2 Gate Switch SMF
7 Safety Monitoring Function Status SMF3 Reset SMF
8 Safety Monitoring Function Status SMF4 Feedback Monitoring SMF
9 Not Used Not Used
Output LEDs
0 Safety Output Function SOF1 Safety Outputs 18 and 19
1-5 Not Used Not Used
35 of 106
Build and Download the Configuration File to the CR30
1. The next step is to download our configuration file to the CR30. Click the Apply button at the bottom of the
Module Properties window. Note that since we are still online with the Studio 5000 Logix Designer software, a
separate download to the Logix controller is not required.
A Download in progress window appears.
36 of 106
OR
3. After several seconds a Download Complete message will pop up. Click Yes to change the CR30 back to Run
mode.
4. Click Yes to apply the changes to the module configuration.
5. Save the Logix Designer project by clicking on the Save icon. Click Yes to upload the tag values.
37 of 106
Logix Controller Tags, Faceplate, and AOI for 440C-CR30 Safety Relay
This section shows the status information available from a 440C-CR30 Safety Relay, and the preconfigured status
and diagnostic displays or "Faceplates" for the CR30 using FactoryTalk View Machine Edition software. This
information from the relay dramatically simplifies both normal operation and also troubleshooting of the safety
system. The Logix controller can also send information to the 440C-CR30 Safety Relay that can be included in the
safety logic. This will be covered in a later section of the lab.
1. Double click on the Controller Tags.
2. Click the + next to MyCR30:I in the Controller Tags window.
The 440C tags are displayed. All of the relevant information is included – fault alarms; individual terminal status;
SMF, Logic Block, and SOF status; and individual fault information.
38 of 106
3. The 440C status tags are actively updated in Logix Designer.
We are now going to review the CR30 Faceplate that is available for download from the Sample Code website.
Included in the download are the preconfigured status display (Faceplate) for your HMI, the Add-On Instruction (AOI)
for your Logix program to drive the Faceplate, and a detailed set of instructions on how to implement them. The
required Add-On Instruction (AOI) for the CR30 Faceplate has been previously configured in this project. Note – the
AOI and Faceplate will continue to function regardless of the CR30 configuration.
39 of 106
4. The Panelview Plus 7 should be running the “CR30_Training_Demo_L75.mer” FactoryTalk View ME
application, and the main screen should be displayed.
5. Click on the Goto Display button to open the CR30 Faceplate. The home screen of the Faceplate provides an
overview of the CR30. See the table below for a detailed description of the Faceplate buttons. We will refer to
the Faceplate diagnostics later in this lab, but take some time now to navigate and familiarize yourself with the
Faceplate.
Button Icon Description

The Alarm button indicates a fault condition and activates fault diagnostic
Alarm views. A grey bell indicates normal status.
Built-In I/O This button displays Built in I/O Status.
HOME This button displays Home Screen.
SMF This button displays SMF Status.
SOF This button displays SOF Status.
Plug-in This button displays Plug-in I/O Status.

Help The Help button provides information for the current view.
40 of 106
Operation of the Configured Safety Circuit
The safety circuit should now be fully operational. In order for the safety circuit to allow the potentially hazardous
motion, all of the safety devices must be clear and then the safety circuit must be reset. The following steps walk
through that process.
1. Confirm that all of the selector switches on the demo panel are in the default left position.
2. Confirm that there are no cables or wires connected to any of the panel receptacles or jacks.
3. Twist the E-Stop button clockwise to confirm that it is released / clear.
4. Double click on the CR30 in the I/O Configuration tree to show the Module Properties window.
5. Click on the Logic Configuration tab, and click Edit Logic to show the Logic editor.
6. Confirm that the E-Stop SMF block and its input terminals are highlighted green, indicating that they are ON. (If
not, push the E-Stop and then twist to release it.)
41 of 106
7. Back in the demo case, slide the SG-1 SensaGuard
actuator to the left (towards the sensor) until the
SensaGuard LED indicator turns green, indicating that
the actuator is detected (and therefore that the
moveable gate is closed, thus preventing access to the
hazard). When the SensaGuard LED is solid green, its
OSSD outputs are ON. (The SensaGuard indicator
LED is red if it does not detect the actuator.)
8. In the Logic Editor, confirm that the Gate Switch SMF block is highlighted green, indicating that it is ON.
Because both this SMF and the E-Stop SMF are ON, the AND block should also be ON (highlighted in green).
The conditions for the Safety Output Function are true, but because it is configured for manual reset it does not
turn its outputs on yet. This “Ready for Reset” state is indicated by the SOF block flashing green.
9. Press and release the blue Reset push button (labeled ‘R’). Remember that the reset signal must be between
0.25 and 3 seconds long.
After you push the reset button, you should see the white indicators for Safety Outputs 18 and 19 turn ON,
indicating that the machine can run. You will also see the SOF block in the Logic Editor change from flashing
green to solid green, and the output terminals highlighted green to indicate that they are ON.
42 of 106
10. Slide the SensaGuard actuator away from the sensor until the SensaGuard’s LED changes from green to red.
The safety outputs of the CR30 turn OFF. In the Logic Editor, observe that the Gate Switch function block is no
longer highlighted green, along with all blocks and terminals to the right. (The E-Stop function should still be
highlighted green, as that SMF is ON.)
11. Observe the Controller Tags MyCR30:I.PtxxData. The first two are the status of the E-Stop input terminals
while the next two are the input terminals connected to the SensaGuard.
12. Slide the SensaGuard actuator back to the left towards the sensor until the SensaGuard LED changes from red
to green. The Pt02Data and Pt03Data tags change from 0 (off) to 1 (on).
43 of 106
13. Press and release the blue Reset button to reset the safety circuit. (Remember that the reset signal must be
between 0.25 and 3 seconds long or it will be ignored.) The safety output indicators will turn ON.
14. We configured the indicator LEDs on the CR30. LEDs 0 and 1 correspond to safety input terminals 00 and 01,
while LED 5 indicates the status of SMF 1, the E-Stop SMF. Output LED 0 indicates the status of Safety Output
Function (SOF) 1. Observe the LEDs as you push the E-Stop button and then twist to release the E-Stop. (You
will need to push the reset button to turn the output ON.)
15. LEDs 2 and 3 correspond to safety input terminals 02 and 03 while LED 6 indicates the status of SMF 2, the
Gate Switch SMF. Observe these LEDs as you slide the SensaGuard actuator away from and then towards the
sensor.
16. Press and release the blue Reset button to reset the safety circuit.
44 of 106
Verification and Validation, Including Fault Detection and Visualization
One critical step in the implementation of safety design is the physical verification and validation of the safety system
design. This process starts fairly basic, for example, push the E-Stop button and confirm that the system goes to a
safe state (typically stopped). Basic functional testing is very important because it will occasionally uncover issues
with the safety system implementation, from simple wiring issues to system components not behaving as originally
expected. That said, basic functional testing alone is not enough. If the system is intended to detect and react to
certain faults, during validation those faults should be introduced into the circuit so that it is possible to confirm the
intended system reaction. For example, in a dual channel E-Stop circuit arrangement the purpose of pulse testing
the input channels is to be able to detect a cross-fault between those channels. During validation we temporarily
introduce that short circuit between the channels. We then confirm that the safety logic device (the CR30 in this
application) both detects the fault and correctly reacts by going to the safe state. In this section we will walk through
some examples of system validation.
1. Confirm that Safety Outputs 18 and 19 are ON. (If not, twist the E-Stop to confirm that it is released, confirm that
the SensaGuard actuator is close enough to the sensor for it to turn ON, and then push and release the reset
button. The CR30 outputs should turn ON.)
2. In the demo to the right of the E-Stop and Reset

buttons there are a couple of selector switches that
can be used to simulate faults on the E-Stop circuitry.
Rotate the selector switch labeled “Open Wire Fault IN
01” from the default left position to the right position.
This disconnects channel 2 of the E-Stop from CR30

input I-01. In the simplified schematic below, we see
the CR30 multipurpose terminals (MP12 and MP13)
on the left that generate the pulse tested signals.
These signals travel through the N.C. contacts of the
E-Stop to the CR30 input terminals I-00 and I-01. The
Open Wire fault simulator selector switch opens the
second channel.
Because one of the input channels of the E-Stop turns OFF (opens), the E-Stop SMF turns OFF, thus turning
OFF safety outputs 18 and 19. Furthermore, the CR30 expects both input channels of the E-Stop to change
state at the same time. Since only one channel changes state, this causes the E-Stop SMF to fault. This type of
fault is referred to as a discrepancy fault – two related conditions did not follow the expected behavior relative to
one another.
45 of 106
3. In the Logic Editor, note that the E-Stop SMF block is now highlighted RED, indicating a fault and the tooltip with
an explanation of the fault appears until it is acknowledged. This explanation appearing automatically is a new
feature in firmware revision 10. Previously, you would have had to move the mouse over the instruction for an
explanation of the fault, and many users were not aware that this detailed information was available.
4. We will now review the information that is displayed on the Faceplate. On the PanelView Plus 7 screen, click on
the Goto Display button to open it. Observe that the Minor Fault indicator is ON, and the Alarm button is flashing.
46 of 106
5. Click on the flashing Alarm button for additional information. Notice that the explanation of the fault on the
Faceplate is identical to the fault annunciation in the Logic Editor and the fault codes located in the user manual.
6. Click on the arrow on the bottom right of the faceplate to display the recommended action.
47 of 106
7. In Logix Designer, there is a simple alarm bit called MyCR30:I.MinorFault. This can be used to detect if there
are any minor (recoverable) faults in the CR30. Furthermore, additional fault information is provided in the tags:
 MyCR30:I.MinorFaultInstance  which function block is faulted (e.g. SMF 2 or SMF 5)
 MinorFaultType  which type of function block is faulted (e.g. SMF or SOF)
 MinorFaultCode  what is the fault (e.g. cross fault or open wire fault)
Together these tags provide complete details about the most recent fault detected by the CR30.
MinorFaultType 16#10 (hex 10) means that it is an SMF (as opposed to an SOF) that is faulted.
MinorFaultInstance 1 means that function block number 1 is faulted, i.e. SMF 1, which is the E-Stop function.
MinorFaultCode 16#0020 (hex 0020) is the specific fault code. This is defined in the User Manual. A portion of
that information is shown on the following page. Note that fault code 0020 is a discrepancy fault. Also note that
the Faceplate and User Manual provides recommended troubleshooting techniques for each type of fault. (See
the screen shot on the next page.)
48 of 106
49 of 106
8. Correct the wiring fault by turning the Open Wire Fault selector switch back to the left. This reconnects the
second E-Stop channel.
9. Try to reset the safety circuit by pushing the blue reset button. Are you able to reset the safety circuit?
Most faults require some type of testing procedure so that the CR30 can confirm that the fault has truly been
corrected before it will resume normal operation. In the case of a discrepancy fault, we must perform a
functional test of the safety input device.
10. To perform a functional test of the E-Stop device, push the E-Stop and then twist to release it.
The CR30 detects that both channels turn OFF at the same time and then they both turn ON at the same time.
This provides confirmation to the CR30 that the wiring fault has been cleared. In the Logic Editor, note that the
E-Stop SMF block is now highlighted green, indicating that it is ON.
The fault tags in Logix Designer are now showing 0 to indicating no minor faults are present. You can also
observe the recommended action in the faceplate.
11. Press and release the reset button to reset the safety circuit. (Remember that the button must be engaged for at
least 0.25 seconds, but less than 3 seconds.) Safety outputs 18 and 19 should turn ON.
12. Rotate the selector switch labeled “Open Wire Fault IN 01” from left to right and then immediately back to the
left.
13. This disconnects channel 2 of the E-Stop and then quickly reconnects it. There is no discrepancy fault if the wire
is disconnected for less than the configured maximum discrepancy time (which is still the default 100ms).
However, there is still a fault. When one channel turns off and then turns back on while the other channel
remains on it is called an Open Wire Fault (or a Contact Bounce Fault). The safety relay goes to the safe state
because one of the input channels turned off, but we do not want to be able to reset the relay until it has
confirmed that the fault is clear.
50 of 106
The MinorFaultCode tag is now 0008. The User Manual and Faceplate defines this as a Contact Bounce Fault.
14. Perform a functional test of the E-Stop device by pushing the E-Stop and then twisting to release it.
The fault indications in the Logic Editor, in Logix Designer, on the Faceplate, and on the CR30 LEDs all clear.
15. Press and release the reset button to reset the safety circuit. Safety outputs 18 and 19 should turn ON.
16. Next we will simulate a cross fault between the two channels of the E-Stop. Rotate the Cross Fault selector
switch from the default left position to the right position. This short circuits the two channels together – reference
the simplified circuit schematic.
This timing diagram shows how the CR30 uses test pulses on the terminals MP12 and MP13 to detect a cross
fault. These terminals are configured as test outputs that carry 24V with very short “OFF” pulses. These signals
pass through the E-Stop contacts and return to CR30 inputs I-00 and I-01. When the CR30 briefly turns the test
output off (pulse), it checks the status of that terminal – it should be OFF. If channel 1 is shorted to channel 2,
the terminal will show 24V instead of OFF. The CR30 detects this and causes the system to go to a safe state.
MP12 - Ch. 1 Test pulses

“overwritten”
MP13 - Ch. 2 by 24V from other
channel
Cross Fault
at vertical line
I-00 Input Ch. 1
I-01 Input Ch. 2
51 of 106
17. Note that in Logic Editor, the E-Stop SMF block is now highlighted red, indicating a fault and the tooltip with an
explanation of the fault appears until it is acknowledged. Test source A and B are also highlighted red because
this wiring fault is actually detected by the Test Sources.
The MinorFaultCode tag in Logix Designer is now 0001. The User Manual and Faceplate defines this as a
Pulse Test Failure, a reflection of the methodology that the CR30 uses to detect a cross fault (or a fault to 24V).
18. Rotate the selector switch back to the left to remove the wiring fault. Does this clear the SMF fault in the CR30?
While the SMF is still faulted, notice that Test Sources A and B are no longer highlighted red. The Test Source
terminals are no longer individually faulted because they are no longer shorted together; however, the overall
SMF requires a functional test of the safety input device in order for the CR30 to confirm that the wiring fault has
been cleared.
19. Push the E-Stop and then twist to release it. The CR30 detects that both channels turn OFF at the same time
and then they both turn ON at the same time, thus confirming that the wiring fault has been cleared. In the Logic
Editor, note that the E-Stop SMF block is now highlighted green, indicating that it is ON.
20. Push the reset button to reset the safety circuit. Safety outputs 18 and 19 should turn ON.
52 of 106
Now we will simulate a potential output device failure to confirm the reaction of the CR30. As we described in
the previous section as we set up the Feedback Monitoring SMF, the CR30 monitors the status of safety output
device via the N.C. auxiliary contact that is mechanically linked to main N.O. contact. If the CR30 can detect a
signal through the N.C. contact it confirms that the N.O. contact is OPEN, and thus there is no power to the
motor (and therefore no hazardous motion). Reference the circuit illustration below. (Additional details are
shown in the illustrations in the previous section on page 31).
One potential failure of safety output device is for the main contacts to become welded shut. If this happens, this
device cannot open and disconnect the main motor power. For this reason we have redundant output devices –
if K1 welds shut, K2 can still open, thus disconnecting the motor power. If an N.O. contact welds shut, the
mechanically linked N.C. auxiliary contact is mechanically held open, even if power is removed from the
contactor coil. With the N.C. contact open, the 24V signal does not reach the CR30 input (P02), thus allowing
the CR30 to detect this fault. Note that this method for detecting the fault only works if the safety outputs of the
CR30 are OFF, thus de-energizing the coil and opening the N.O. contacts. If the CR30 outputs are ON, the coils
of K1 and K2 are energized, and the N.C. auxiliary contacts are supposed to be open.
21. In this demo we can simulate this fault with the selector switch under the 2080 Plug-In label near the middle of
the demo. Rotate this selector switch from the left hand position (labeled Output Feedback) to the right hand
position (labeled External Sensors). This disconnects the feedback channels of both 700HPS relays, simulating
the condition of the N.C. channel being open (which in a real application would be the result of the N.O. channel
being welded shut).
Do you notice any reaction by the CR30? The fault we are simulating is not detectable when the safety outputs
of the CR30 are ON, so this fault is not yet detected and therefore there is no reaction by the CR30.
22. Push the E-Stop. This causes the outputs to turn OFF, thus de-energizing the coils of each contactor.
23. Twist the E-Stop to release it. In the Logic Editor, the E-Stop SMF block highlights green to show that it is ON.
53 of 106
24. Push the blue reset button. Does the safety circuit reset?
At this point the CR30 has its Safety Outputs OFF; therefore, under normal conditions it should detect 24V on
the feedback monitoring input terminals that are monitored by the Feedback SMF. While we are simulating this
fault, there is no 24V signal and therefore the Feedback Monitoring SMF is OFF. On the Safety Output Function,
note that the input terminal is ON (green) but the SOF is not flashing green. Since the associated Feedback
SMF is OFF, the SOF cannot be reset (and therefore the safety outputs stay OFF). In a real application the
solution to this device failure would be the replacement of the failed device. Once the failed device has been
replaced, the N.C. channel would be closed, thus allowing the safety circuit to be reset.
25. Clear the fault simulation by rotating the selector switch back to the left hand position (labeled Output Feedback).
This reconnects the N.C. monitoring channels of the 700HPS relays (K1 and K2 in the schematic on the previous
page). In the Logic Editor the input terminals of the Feedback SMF will highlight green to indicate that they are
ON.
26. Push the blue reset button to reset the safety circuit.
We have now completed a functional test of the safety system as well as validating the reaction of the system to
several potential faults. A thorough validation and verification plan would include additional fault testing, but at
least you now have a basic understanding of the purpose of this process along with a few examples. In a real
application it would be important to document the testing that we have completed and include it in the machine’s
documentation files.
27. Once the initial verification and validation testing is complete we confirm the verification on the CR30. Close the
Logic Editor and return to the Module Properties window.
28. In the Module properties window, under the Logic Configuration tab, click Verify to begin the verification process.
54 of 106
29. A pop-up window appears. Read the questions to further develop your understanding of the system verification
process and then check each checkbox.
30. Click Generate to create the unique verification ID.
31. Click Yes on the pop-up window to change the safety relay to Program Mode.
32. Click Yes on the pop-up window that appears (after several seconds) to change the safety relay back to Run
mode.
33. Click OK to close the Verification screen.
This Verification process is the feedback to the CR30 that the functional testing has been completed. The
verification ID can be used to check if any later changes have been made to a configuration file. The Verification
ID is displayed in the Logic Configuration tab of the Module Properties window. It is also displayed in the tags in
Logix Designer. In a real application, this ID would be recorded in the machine’s documentation.
Please note that every individual application MUST be finalized with the Verify command. If the CR30
is not verified, it will fault after 24 hours of operation and will NOT operate. It is easy to know
whether or not the application running on the CR30 has been verified – if the RUN LED is green, the
CR30 is running a verified project. If the RUN LED is flashing green, the CR30 is running a
configuration that is not verified.
34. On the CR30 itself, push and hold the small Verification ID button (MEM/ID) just below the USB receptacle. The
Verification ID is displayed on the LEDs. The input LEDs display the digit, while the output LEDs display the
position of that digit within the four digit ID. This process can be used to check the Verification ID of a CR30 at
any time. (If the current configuration file running on the CR30 has not been verified, output LEDs 1-4 all turn
ON along with input LED 0, i.e. ID = ‘0000’.)
55 of 106
Manual Reset of E-Stop with Automatic Reset of Gate Switch
In the previous section of the lab, the E-Stop and the Gate switch Safety Monitoring Functions (SMFs) are both
configured for Manual Reset. There are certain applications that require mixed conditions, for example, the E-Stop
Safety Monitoring Function (SMF) must be configured as a Manual reset, while the Safety Gate Safety Monitoring
Function (SMF) can be configured as an Automatic Reset. We can accomplish this by using the Input AND with
Restart instruction.
For this section of the lab, we will use the project “ENET_440C_Single_IN_Restart.ACD” which has been created as
the starting point.
1. In Studio 5000 Logix Designer, save and close the existing ACD project and click File, and select Open…
2. Click on the project “ENET_440C_Single_IN_Restart.ACD” and select Open.
3. In the I/O Configuration window, right click on the 440C-CR30 and select Properties.
56 of 106
4. Select the Logic Configuration tab and click on “Edit Logic” to open the function block editor and view the
Maintenance Mode logic that has been pre-configured.
5. Compare the logic to the diagram below to confirm that it is the correct configuration.
6. Close the Logic Editor window and return to the Module Properties window.
57 of 106
select Download.
9. Click Yes on the pop-up window to switch the controller to Run mode.
58 of 106
59 of 106
OR
60 of 106
17. In Module Properties window, note that we are now connected to the CR30. Click on the Edit Logic button to
18. Twist the E-Stop clockwise to confirm that it is released.
19. Slide the SG-1 SensaGuard actuator to the left until the SensaGuard indicator LED turns green, indicating that
its outputs are ON.
61 of 106
20. In the Logic Editor, confirm that the Gate Switch SMF block is highlighted green, indicating that it is ON. Notice
that both this SMF and the E-Stop SMF are ON, but the AND block is OFF (gray). The input condition for the
AND with Restart is true, but it does not turn its output ON until it receives a signal from the Restart SMF.
21. Press and release the blue Reset push button (labeled ‘R’). Remember that the reset signal must be between
0.25 and 3 seconds long. You should see the white indicators for Safety Outputs 18 and 19 turn ON, indicating
that the machine can run. You will also see the SOF block in the Logic Editor change from gray to solid green,
and the output terminals highlighted green to indicate that they are ON.
22. Slide the SensaGuard actuator away from the sensor until the SensaGuard’s LED changes from green to red.
The safety outputs of the CR30 turn OFF. In the Logic Editor, observe that the Gate Switch function block is no
longer highlighted green, along with all blocks and terminals to the right. (The E-Stop function is still highlighted
green, as that SMF is ON.)
62 of 106
23. Slide the SensaGuard actuator to the left until the SensaGuard indicator LED turns green. You should see the
white indicators for Safety Outputs 18 and 19 turn ON automatically, indicating that the machine can run. You
will also see the SOF block in the Logic Editor change from gray to solid green, and the output terminals
highlighted green to indicate that they are ON.
24. Push the E-Stop button. This action causes the safety outputs of the CR30 to turn OFF. In the logic editor,
notice that the Emergency Stop function block is no longer highlighted green, along with all blocks and terminals
to the right.
26. Press and release the blue Reset button to turn ON the AND with Restart output. (Remember the signal must be
between 0.25 and 3 s). The Safety Output Function (SOF 1) and output indicators will turn ON.
27. Close the Logic Editor and return to the Module Properties window.
You have now finished a complete implementation of a basic safety application using the CR30 Software
Configurable Safety Relay. Continue on to the next section to learn about additional 440C-CR30 safety relay
functionality.
63 of 106
I/O Expansion via Single Wire Safety
The CR30 features up to ten safety rated outputs (four embedded safety outputs plus up to six multi-purpose terminals
configured as outputs). Some applications may require more safety rated outputs. Other applications may require the use of dry
contact relay outputs instead of the embedded solid state outputs. Both of these situations can be addressed by using the Single
Wire Safety (SWS) capability of the CR30 in combination with the GSR family of safety monitoring relays. SWS is a simple,
dynamic signal that allows one safety device to safely indicate the status of its safety outputs to another safety device over a
single signal wire. SWS is rated PLe (with a Category 4 architecture) per ISO 13849-1 and SIL 3 per IEC 62061.
The CR30 can use an output configured as SWS to control a GSR Expansion Module (EM) with four sets of dry contacts. When
the CR30 turns its SWS output on, the connected GSR EM closes its output contacts. Up to ten GSR EM modules can be driven
by a single SWS output of the CR30.
This capability represents an easy and efficient method of expanding the I/O count of the CR30. The demo includes a GSR EM
to show this functionality.
1. In the Logic Configuration tab of the Module Properties window, click the dropdown by “Connected” and select
Go offline. The field will update to Edit.
64 of 106
2. Click on “Edit Logic” to open the function block editor.
3. On the existing Safety Output Function (SOF), we will add an additional output and configure it for Single Wire
Safety (SWS). Note that there is a third, blank output terminal. Click on this terminal and select Embedded
Safety Outputs terminal 20 to add it as a third output terminal of this SOF.
4. Next we will change the configuration of this output terminal from Pulse Tested (PT) to Single Wire Safety
(SWS). Click on the “PT” next to the output terminal EO_20 and select SWS from the drop down menu.
We have successfully added a SWS output to our CR30 circuit. Output terminal 20 is connected to the SWS
input of the GSR EM. When the CR30 output terminal 20 turns ON (generating the SWS signal), the GSR EM
will close its contacts.
65 of 106
5. Now we will download the configuration file to the CR30 and show this feature in operation. Close the Logic
Editor window to return to the Module Properties window. Note that closing the Logic Editor causes the software
to Build the project and (hopefully) indicate a successful build.
6. Click on Apply to download the configuration to the CR30. Note that since we are still online with the Studio 5000
Logix Designer software, a separate download to the Logix controller is not required.
A Download in progress window appears. You will also see the message “Build Succeeded” in the Output
window of the Module Properties.
If there were any errors in the configuration file, they would be listed in this window. (If there are any errors,
compare your logic to the logic configuration shown on the previous page.)
Note - You can also click on the Build Safety Relay button in the Logic Editor Toolbar to identify the cause of the
error(s).
66 of 106
OR
8. After several seconds a Download succeeded message will pop up. Click Yes to change the CR30 back to Run
mode.
67 of 106
Operating the I/O Expansion via Single Wire Safety
2. Slide the SG-1 SensaGuard actuator to the left until the SensaGuard indicator LED turns green, indicating that
its outputs are ON.
3. Push the blue reset button to reset the safety circuit. Remember that the signal must be between 0.25 and 3 s.
The safety outputs turn ON. Note that the GSR EM Logic IN and OUT LEDs turn ON, the latter indicating that
the output contacts are closed (ON).
4. Push the E-Stop. Note that the GSR EM turns its outputs OFF (open) as indicated by its OUT LED.
6. Push the reset button to reset the safety circuit. The GSR EM turns ON.
Single Wire Safety (SWS) is a convenient way to expand the safety I/O count of the CR30. In addition to two
SWS outputs, two of the CR30 safety inputs can be configured as SWS inputs, allowing them to respond to SWS
outputs generated by GSR safety monitoring relays. This can be useful for adding a few additional safety input
devices to a CR30 project, or to take advantage of specialty functionality in the GSR relays (such as speed
monitoring using proximity sensor inputs with the GSR GLP). Furthermore, two CR30 units can be
interconnected using SWS for a project that cannot fit onto a single CR30.
68 of 106
Guard Locking Application
If it is not possible to stop the hazardous motion in a particular application very quickly it might be possible for a person to open a
monitored gate and get into the hazard before it has stopped. One potential solution is guard locking, the practice of locking the
access gate until the system is in a known safe state, then releasing the lock and allowing access. A typical guard locking switch
will also provide the interlock function – confirming that the gate is closed. In this demo we feature the new 440G-LZ guard
locking switch for partial body access applications. Many guard locking applications today utilize electromagnetic technology for
locking the access gate. This solution has two drawbacks – one, the electromagnet constantly draws a relatively large amount of
power to hold the gate locked, and two, if the switch loses power, the gate unlocks, but the hazardous motion may still be moving
(due to inertia). The 440G-LZ solves both of these challenges. This switch features a bi-stable solenoid which does not require
power to hold either state (locked or unlocked). Switching the solenoid from locked to unlocked is powered by capacitors in the
switch, meaning that there is never a large inrush from the external power supply. The second challenge is solved inherently – if
the switch loses power while it is in the locked state, the bi-stable solenoid still holds the bolt in the locked position. Thus a
power loss does not lead to the loss of the locking function.
The 440G-LZ also solves a challenge of tongue interlock based guard locking switches. In that type of switch it is not possible to
know if the locking mechanism is broken unless one actually opens the monitored gate. (Some guard locking switches might not
even be able to detect the break at that point.) The 440G-LZ solves this challenge by utilizing the actuator to actively monitor the
locking bolt. If the bolt were to break (highly unlikely), the switch would detect it and immediately go to the safe state, as
opposed to not detecting it until someone opened the door while the machine was running.
In this application we will set up a simple guard locking circuit with delayed access. Through testing and analysis, we have
determined that the hazardous motion will always come to a safe state within 2 seconds of the safety outputs turning OFF,
therefore we will allow the 440G-LZ switch to unlock two seconds after turning OFF the safety outputs.
We will use the project “ENET_440C_Guard_Locking.ACD” as the starting point for this section of the lab.
1. In Studio 5000, Logix Designer, close the existing ACD project and click File, and select Open…
2. Click on the project “ENET_440C_Guard_Locking.ACD” and select Open.
69 of 106
3. Here is a screen shot of the logic for the Guard Locking application. We will review this configuration in detail in
the next section of the lab.
70 of 106
We are using a single channel N.C. selector switch (SS) as an input device to signal the CR30 that the system
should be in the run mode (with the gate locked). Turning this SS to the left hand N.O. position will turn ON this
CR30 input and initiate a machine shutdown. For this function we will use the SS labeled “Unlock Request” in
the IN 4/5 area of the panel. The N.C. channel connects 24V to the CR30 input I-11.
In this application, the 440G-LZ guard locking interlock switch is the Gate Switch input. (The SensaGuard in the
demo is not a part of this application.) For the purposes of gate monitoring, the function and operation of the
440G-LZ is the same as a SensaGuard – the two OSSDs are ON when the gate is closed. (For the 440G-LZ,
the gate must also be locked for the OSSD to be ON.)
Based on the risk assessment of this application it was determined that the hazardous motion could take up to
two seconds to stop after the CR30 safety outputs turn OFF. Therefore we want to unlock the gate no sooner
than two seconds after turning off the safety outputs. We are using a Power-to-Release model of the 440G-LZ,
which means that it must receive a 24V signal to unlock the gate. If there is no signal on the unlock pin, the gate
is locked. In order to generate this signal we will use the Lock Control SMF instruction. The Lock Control
function block is designed to issue an unlock request to a guard locking safety device.
The Lock Request input (LR) turns OFF the ULC (Unlock Control Output), which for our application is the reset
button (P2_00). Our single channel N.C. selector switch (EI_11) will control the Unlock Request input (ULR),
which requests a power-to-release electromagnetic solenoid (or similar device) to unlock. It turns the Unlock
Command (ULC) output ON after the Stop Time has expired. The Stop Time (timer) starts when the Hazard
Feedback turns ON (which happens when the safety outputs turn OFF, initiating the machine stop). The Hazard
Feedback and Stop Time are configured in the next step.
71 of 106
The Stop Time must be set to a value that allows the hazard to stop before sending the unlock request, which is
2s (2 seconds) for our application.
When the ULR Latch configuration is set to ON, the Unlock Request input is latched even during hazardous
motion, that is, when the Hazard Feedback input is OFF. In effect, this enables the use of a momentary push
button (or other signal) to initiate the unlock command – the physical Unlock Request signal does NOT have to
be maintained if the Latch is turned ON in the configuration. When the Hazard Feedback turns ON, the Stop
Timer starts. Once the Stop Timer expires, the Unlock Command (ULC) will go active (turn ON).
If the ULR Latch configuration is set to OFF, the Unlock Request input is ignored during hazardous motion, that
is, when the Hazard Feedback input is OFF.
Whenever the unlock command of a Power-to-Release 440G-LZ is ON, it is unlocked, and therefore its safety
outputs are OFF. If the 440G-LZ outputs are OFF, the CR30 is turning OFF its primary outputs to stop the
hazardous motion. Prior to the Lock Control SMF, we needed an external method for disconnecting the ON
Delay SOF output from the 440G-LZ unlock input. We accomplished this by connecting the signal through the
N.O. channel of the Unlock Request Selector Switch. When we want to start the machine, we rotate the selector
switch back to the left position (locked). The N.O. channel opens, disconnecting the unlock signal, which cause
the 440G-LZ to attempt to lock. The 440G-LZ can only lock if the gate is closed. It monitors the actuator to
determine if the gate is closed. Once the 440G-LZ locks, it turns its outputs ON, allowing the machine to start.
We now accomplish this by using the Lock Request input in the Lock Control SMF – passing the unlock signal
through an external contact is no longer required (although the demo is wired as described above and shown
below).
72 of 106
Operating the Guard Lock Application
select Download.
73 of 106
74 of 106
OR
75 of 106
13. Twist the E-Stop clockwise to confirm that it is clear.
14. Confirm that the 440G-LZ actuator is locked in position and cannot slide up the track. This mechanism would
hold the gate locked.
76 of 106
15. Verify the Unlock Request SS (under the IN 4/5 label) is in the right hand N.O. position.
16. Push the reset button to reset the safety circuit. The safety outputs should turn ON.
17. Rotate the Unlock Request SS (under the IN 4/5 label) to the left, then immediately back to the right to request
access and initiate a machine stop.
18. The CR30 immediately turns its safety outputs OFF, initiating a stop of the hazardous motion.
19. After two seconds, Immediate_OFF_2 SOF will turn ON. The locking bolt will retract into the 440G-LZ switch
and it is possible to open the gate (slide the actuator up and away from the switch). The LED turns red.
20. While you are physically holding the actuator up, push the reset button. Notice that the LEDs on the 440G-LZ
change to flashing green, indicating that the switch has been instructed to lock (because the unlock request
signal turned OFF), but the actuator is not in range. The switch will not attempt to fire the locking bolt unless it
detects the actuator.
21. Allow the actuator to slide back down into the closed position. You will see and hear the bolt fire into the
actuator. Confirm that it is no longer possible to slide the actuator up and down.
This completes the Guard Locking Application.
77 of 106
Zone Control Application
In some applications it is possible to improve productivity by splitting the machine or production line into separate safety zones.
This allows one part of the machine to continue operating while another part of the machine is in a safe state. From a safety
perspective it is possible to do this as long as we determine that an access point in safety zone A does not allow access to a
hazard in safety zone B. Therefore zone B can continue running when zone A is in a safe state and a user can access zone A.
This may require physical guarding between the zones. Safety input devices for zone A will only cause zone A to go to a safe
state. Safety input devices for zone B will only cause zone B to go to a safe state. There may also be global safety input
devices that cause all zones to go to a safe state, such as a global E-Stop.
The overall benefit of utilizing safety zones is increased productivity. It is possible to implement a multi-zone safety circuit with
the CR30. This lab walks through the steps, building on the safety logic we have developed over the previous labs.
2. In the Module Properties window, click the dropdown by “Connected” and select Go offline.
3. Click on the Edit Logic button to open the logic editor.
78 of 106
4. We will continue building on our existing Guard Locking project by adding the SensaGuard labeled SG-1 on the
demo. On the Toolbox, click the SensaGuard SMF and drag it to the next available Safety Monitoring function
target block on the logic editor, under the Lock Control SMF 6.
The Logic Editor automatically assigns the next available input terminals, EI_02 and EI_03. Conveniently, these
are the terminals that the local SensaGuard is connected to.
5. On the Toolbox under Logic Functions, click the AND block and drag it to the Logic Level A block to the right of
the SensaGuard SMF.
Safety zone 2 will evaluate both the Global E-Stop as well as the SensaGuard which is monitoring access to
zone 2 via a moveable gate. The first input of this AND LLA 7 block will be the E-Stop (SMF 1).
6. Click the first blue input connection dot of the AND block LLA 7 to select it. The dot will turn light gray.
79 of 106
7. Click the output connection of the Emergency Stop SMF to connect it to the second AND block. The connection
line will appear.
80 of 106
8. The second input of the AND block LLA 7 will be the SensaGuard, SMF 7. Click the output terminal of SMF 7
and the second input terminal of the LLA 7 AND block to connect them.
9. In the Toolbox under Safety Output Functions, click Immediate OFF and drag it to the next available Safety
Output function target block. This will become SOF 3.
The Logic Editor automatically assigned the next available output terminals, EO_20 and EO_21. These are the
outputs we want to use. These outputs drive the white indicator LEDs on the demo panel near the middle of the
demo (labeled Safety Outputs 20 and 21).
10. In the SOF 7 block next to Reset Input, click the dropdown menu and select SMF 3.
We are using the same Reset SMF for this Safety Output Function (SOF) as for SOF 1. In a real application this
would be acceptable if the reset button was positioned such that the operator would have complete visibility to
both safety zones before pressing the button. (Other zoning application may require separate reset inputs.)
81 of 106
11. Click the blue input connection dot of SOF 7 to select it.
12. Click the blue output connection dot of the LLA 7 AND block to connect it to SOF 7.
13. Scroll up to the top of the Logic Editor.
14. Click on the SOF1 Immediate_OFF_1 function block.
15. Double click on the “Immediate_OFF_1” text. A box appears around the text indicating that it can be edited.
16. Delete the existing text and type “Zone 1” (with a space between Zone and 1) into the field. The box is now
framed in red, indicating an error in the text.
82 of 106
17. Move the mouse pointer away and then back over the red box. After the pointer is in one place for about a
second a pop up message appears indicating the reason for the error.
The space “ “ in the name is the reason for the error. Names must follow IEC Name Standards:
 Begin with letter or underscore
 Followed by letters, digits, and single underscore characters
Starting a name with a number will result in an error. Including special characters, spaces, or consecutive
underscores in the name will also cause an error. Furthermore, each name can only be used once is a CR30
configuration file.
It is possible to save a project with “bad” names; however, these naming errors must be corrected before
downloading the configuration to a CR30. The names are stored right on the CR30, so if the configuration is
uploaded to another PC from the CR30 the names are maintained.
Safety Monitoring Functions (SMF) and Safety Output Functions (SOF) can be renamed.
18. Double click in the red box and enter “Zone_1” for the name (using an underscore “_” and no spaces) and hit
enter. The red frame disappears and we see the new name of the SOF.
This SOF controls a pair of safety outputs that enable / disable hazardous motion in Zone 1.
83 of 106
19. Double click on the Immediate_OFF_3 text in SOF 7 and rename it “Zone_2”.
This pair of outputs enables / disables hazardous motion in Zone 2.
20. Compare your configuration to the image to confirm the correct settings. The logic is complete.
84 of 106
Operating the Safety Zone Control Application
1. Close the Logic Editor window and return to the Module Properties window. Note that closing the Logic Editor
causes the software to Build the project and (hopefully) indicate a successful build.
2. Click Apply to download the configuration to the CR30.
3. Click Yes to change the relay to program mode.
4. Once the download is complete, click Yes to change the relay back to run mode.
5. A pop-up window appears. Click Yes to apply changes to the module configuration.
6. Click on the Save icon to save your project.
7. Click on the Edit Logic button to observe the online diagnostic information. (For example, SMF and input
terminals highlighted green to indicate that they are ON.)
8. Confirm that all selector switches are in the default left position.
9. Confirm that no cables are connected to any of the receptacles or jacks.
11. Rotate the Unlock Request selector switch to the right-hand position.
12. Confirm that the 440G-LZ actuator is locked in position and cannot slide up the track. The indicator LED on this
switch should be green, confirming that the OSSD outputs are ON.
13. Slide the SensaGuard actuator to the left until the LED turns green, indicating the OSSD outputs are ON.
85 of 106
14. In the Logic Editor confirm that the Emergency Stop SMF 1, Gate Switch SMF 2 (440G-LZ), and SensaGuard
SMF 7 should all be highlighted green, indicating that they are ON. Unlock_Request SMF 5 should be grey,
indicating that it is OFF.
15. Both SOF 1 and SOF 7 should be flashing green, indicating that they are ready to be reset.
16. Press the reset button. (Remember the signal must be between 0.25 and 3 s.) Safety outputs 18-21 turn ON as
indicated by the terminals highlighting green in the Logic Editor and the white indicator LEDs on the panel
turning ON.
86 of 106
17. Slide the SensaGuard actuator to the right away from the sensor. Safety outputs 20 and 21 turn OFF. This
would cause the hazardous motion in Zone 2 to go to a safe state.
In this application safety outputs 18 and 19 would control Safety Zone 1. Safety outputs 20 and 21 would control
Safety Zone 2. The SensaGuard is monitoring a moveable gate that provides access to Safety Zone 2. It is not
possible for a person to reach Safety Zone 1 from this gate.
18. Does this have any effect on safety zone 1 (safety outputs 18 and 19)?
19. Slide the actuator back to the SensaGuard. Its OSSD outputs turn ON and its indicator LED turns green.
20. Push the reset button to reset the safety circuit for zone B. Outputs 20 and 21 turn ON.
21. Rotate the Unlock Request SS to the left and back to the right to request access to zone 1 via the moveable gate
that is locked and monitored by the 440G-LZ guard locking switch. Safety outputs 18 and 19 turn OFF
immediately. After two seconds the 440G-LZ unlocks, allowing access to zone 1. Does this have any effect on
zone 2 (outputs 20 and 21)?
22. Confirm that the 440G-LZ actuator is in the closed position (all the way down). When the actuator is detected by
the 440G-LZ switch, and the reset button is pressed, it attempts to lock by firing the bolt. If the lock is successful
it turns its OSSD outputs ON and changes the indicator LED to green.
23. Pushing the blue reset button also resets the safety circuit for Zone 1.
24. The E-Stop is configured as a global E-Stop. It controls both zones. Push the E-Stop button. Safety outputs 18,
19, 20, and 21 turn OFF. This would cause both zone 1 and zone 2 to go to the safe state.
25. After two seconds it is possible to unlock the gate. This requires rotating the Unlock Request SS to the left and
back to the right (connecting output P2_02 to the unlock pin of the 440G-LZ). You will hear the 440G-LZ retract
its bolt, unlocking the gate. Confirm that you can move the actuator up and down.
26. Lock the 440G-LZ by pressing the reset button and sliding the actuator down (simulating the closing of the
moveable gate). The switch locks the gate.
27. Once you have observed the behavior of this safety circuit, close the Logic Editor.
28. In the upper right hand corner of the Module Properties window, click the down arrow next to “Connected” and
select Go offline to disconnect from the CR30.
87 of 106
Input Signal via Ethernet
In some applications, we may want to include a standard signal from the standard controller into our safety logic. For example,
it’s common to use a communication input as a reset originating from an HMI screen. In order to do this on a traditional stand-
alone safety controllers it would be necessary to use a hard wired input terminal on the safety logic device connected to an
output terminal of the standard controller. The 440C-CR30 safety relay can receive this type of standard signal from the
standard controller via Ethernet (or serial). This section shows an example of this capability. We added an input into the control
logic of safety zone 2.
In this section, we expanded our configuration to include the Status In and Status Out blocks. The Status blocks allow us to
monitor any combination of function blocks for either faulted status or ready for reset status and use this information to drive an
output. This output can in turn, control a stack light to inform the operator / service personnel.
We will use the project “ENET_440C_Input_Signal_via_Ethernet.ACD” which has been created for you as a starting point for
this section of the lab.
2. Click on the project “ENET_440C_Input_Signal_via_Ethernet.ACD” and select Open.
88 of 106
3. Here is a screen shot of the logic for the Input Signal via Ethernet configuration.
The AND block now requires a signal via EtherNet/IP from the SoftLogix controller in addition to the E-Stop and
SensaGuard SMF in order to turn ON. This means that Zone 2 will only be enabled by the 440C-CR30 safety
relay when this signal from the Logix controller is turned ON.
The Status In SMF can detect either a “ready for reset” on an output function block or a “fault present” status on
a safety monitoring function block. We selected “ready for reset” for Status_In_1 SMF. We added a second
Status In SMF for “fault present” in this configuration.
The Status_In_2 block (SMF 10) is monitoring the SMF1, SMF2, SMF3, SMF4, SMF6, SMF7 and SOF1, SOF7
blocks for recoverable faults. If a recoverable fault occurs on any of these blocks, the output of Status_In_2 will
turn ON.
89 of 106
Operating the Input Signal via Ethernet Application
1. Now we will download the configuration file to the CR30 and show this feature in operation. Close the Logic
Editor and return to the Module Properties window.
select Download.
90 of 106
91 of 106
OR
12. Confirm that the SensaGuard and 440G-LZ actuators are in the closed and locked positions. Both switches
should be illuminating green LEDs to indicate that their OSSD outputs are on.
13. Confirm that all the selector switches on the demo are in the default left position except for the Unlock Request,
which should be in the right position.
92 of 106
14. Push the blue reset button to reset the safety circuit. Remember that the signal must be between 0.25 and 3 s.
Do all of the safety outputs turn on?
15. Zone 2 (outputs 20 and 21) now requires a signal from the Logix controller.
16. Select the Input Signal via Ethernet Application button on the PanelView Plus 7 to access the HMI screen
shown below in step 17.
17. Press the maintained button on the bottom of the HMI screen to toggle the button to the ON position. This button
has been configured to set the MyCR30:0.LogicDefinedData0 tag in the Logix controller to a 1. (the first Logix
output tag).
18. In the Logic Editor, note that SMF 8, the Logix_Output_00 SMF, has turned green to indicate that it is ON.
The ability to include standard signals in the safety logic via EtherNet/IP simplifies wiring and reduces I/O count
compared to traditional hardwired solutions. This capability increases the flexibility of the 440C-CR30 software
configurable safety relay.
19. Press the Reset button. Safety outputs 20 and 21 turn ON, indicating that Zone 2 is now enabled.
93 of 106
20. Push the E-Stop button. The safety outputs 18–20 turn OFF. Twist the E-Stop clockwise to release it.
Observe that both SOF 1 and SOF 7 are flashing indicating they are ready for a reset command.
The Status_In_1 block (SMF 9) detects that SOF 1 or SOF 7 is ready for reset and sends a command to the
Status_Out_1 block (SOF 9) to turn on its output. SOF9 is configured to pulse, so it flashes its output P2-00.
21. Press and release the blue Reset button to reset the safety circuit. The safety output indicators turn ON, and the
P2-00 indicator will turn OFF.
22. Next we will create a fault by rotating the selector switch labeled “Open Wire Fault IN 01” from the default left
position to the right position, and back to the left position.
The Status_In_2 block (SMF 10) is monitoring SMF 1 - 4, SMF 6 - 7, SOF 1, and SOF 2, and detects that SMF 1
is faulted and sends a command to the Status_Out_2 block (SOF 10) to turn on its output P2-01.
94 of 106
23. Clear the channel fault by pushing the E-Stop button and then twisting it clockwise to release it.
24. On the HMI screen, toggle the maintained button to the OFF position to change the LogicDefinedData0 tag
from 1 back to 0. The safety outputs 20 and 21 turn OFF.
Note: The Status In SMF / Status Out SOF combination is a great tool for monitoring and indicating
recoverable faults, such as the examples shown in this section. However, non-recoverable faults can NOT
be indicated with this function. One example of a non-recoverable fault is an output terminal with pulse
testing being short circuited to a 24V signal. This type a fault would require power-cycling the CR30 to clear.
The CR30 reacts to a non-recoverable fault by turning off the main output transistor, meaning that ALL output
terminals are turned OFF – including the Status Out SOF.
Maintenance Mode
In some applications we want our safety system to behave differently in different circumstances. In this section of the lab we will
work through an example. We have a moveable gate that allows access to hazardous motion. There is a SensaGuard monitoring
this access gate. When an operator opens the gate, the hazardous motion should stop. However, during our Risk Assessment
we determined that a properly trained maintenance person could safely access this hazard, even while it is running, as long as
that individual is holding an enabling switch (sometimes called a “grip switch” or “live man switch”). We would not want an
operator to use the enabling switch in an attempt to bypass the SensaGuard gate monitoring, so the safety logic only includes
the enabling switch when a key switch is in the “Maintenance Mode” position (labeled “Alt. Mode” on our demo). Only properly
trained maintenance personnel have access to this key.
When the “Alt. Mode” key switch is in the Run Mode position (to the left), it turns ON CR30 inputs 6 and 7 with its 2 N.C.
contacts. When it is in the “Alt. Mode” position (to the right) it turns OFF 6 and 7 and turns ON inputs 8 and 9 with its 2 N.O.
contacts. Multipurpose terminals 12 and 13 will provide test pulses for both channels.
We only have two levels of logic in the CR30, so applications like this sometimes require a bit of creativity to implement. The
safety outputs should turn ON for either of the following conditions:
 When the key switch is in the Run Mode position, safety outputs = E-Stop AND SensaGuard
 When the key switch is in the Alt. Mode position, safety outputs = E-Stop AND [SensaGuard OR Enabling switch]
We know that the key switch can only be in one position at a time; therefore, if input 6 and 7 are ON, inputs 8 and 9 will be OFF,
and vice versa. This allows us to change how we set up our logic. If the E-Stop is ON; AND [the SensaGuard OR “Alt.Mode”
inputs are ON]; AND [the SensaGuard OR “Run Mode” OR Enabling Switch inputs are ON] it is OK to run. This certainly appears
confusing on first glance, but as we set up the application and operate it using the demo you will see how it works.
We will use the project “ENET_440C_Maintenance_Mode.ACD” which has been created for you as a starting point
for this section of the lab. Note – this project also works with the existing CR30 Faceplate.
95 of 106
2. Click on the project “ENET_440C_Maintenance_Mode.acd” and select Open.
3. In the I/O Configuration window, right click on the 440C-CR30 and select Properties.
4. Select the Logic Configuration tab and click on “Edit Logic” to open the function block editor and view the
Maintenance Mode logic that has been pre-configured.
96 of 106
5. Here is a screen shot of the logic for Maintenance Mode. We will review this configuration in detail in the next
section of the lab.
97 of 106
Operating the Maintenance Mode Application
select Download.
98 of 106
99 of 106
OR
100 of 106
17. Confirm that all selector switches are in the default left position.
18. Confirm that no cables are connected to any of the receptacles or jacks.
19. Rotate the Selector Switch in the IN 2/3 area from the default left hand “Local SG 1” position to the right hand
“Ext”. (External Device) position.
This disconnects the SensaGuard from CR30 inputs 2 and 3 and connects the receptacle to those inputs.
20. For this lab, we will use the loose Enabling Switch. (It may be in the lid of the demo case.) Plug the Enabling
Switch into the receptacle under IN 2/3.
101 of 106
21. Under IN 4/5, rotate the larger selector switch from the default left hand 440G-LZ position to the middle SG 1
position. This disconnects the 440G-LZ from inputs 4 and 5 and then connects the local SensaGuard to those
inputs.
23. Slide the SensaGuard actuator to the left so that the SensaGuard turns its outputs ON.
25. Confirm that the SensaGuard actuator is in left position, and the Indicator LED is green.
26. Verify SOF 3 is flashing, indicating that it is ready to be reset.
27. Push the reset button to reset the safety circuit. Safety outputs 18 and 19 turn ON.
102 of 106
28. Review the logic for Run Mode. Note we are using the new Nesting capability which allows you to use the output
condition of a Logic Level function block as an input condition of a Logic Level function block on the same Logic
Level.
29. Move the SensaGuard actuator away from the sensor. The safety outputs turn OFF.
30. Slide the actuator back to the left until the SensaGuard LED turns green.
31. Reset the safety circuit.
103 of 106
32. Under the panel label IN 6/7 AND 8/9, rotate the Key Switch from the default left hand “Run Mode” position to
the right hand “Alt. Mode” position.
We are now in the alternative mode of operation, the “Maintenance Mode”. Only a properly trained maintenance
person would have access to this key.
33. Review the logic for Maintenance Mode. Note we are using the new Nesting capability which allows you to use
the output condition of a Logic Level function block as an input condition of a Logic Level function block on the
same Logic Level.
104 of 106
34. Squeeze the Enabling Switch to the middle position.
Don’t squeeze too hard – this would also OPEN the Enabling Switch contacts. There is a distinct middle
position. Observe the status of SMF 2 to determine if you have properly enabled the switch.
35. While continuing to squeeze the Enabling Switch, slide the SensaGuard actuator away from the sensor until the
LED turns red, indicating that its outputs are OFF.
The Safety Outputs of the CR30 stay on, meaning that the machine could still be operating with the gate open as
long as the enabling switch is squeezed.
36. Release the Enabling Switch. The safety outputs turn OFF.
37. Squeeze the Enabling Switch to the middle position and push the reset button. The safety outputs turn ON.
38. Slide the SensaGuard actuator back to the sensor.
39. Experiment with the Run Mode and Alt. Mode to confirm that the safety system behaves as expected. While the
system is in Run Mode, the Enabling Switch should have no effect on the Safety Outputs.
Congratulations! You have completed this lab.
105 of 106
Copyright© 2016 Rockwell Automation, Inc. All rights reserved.
106 of 106

Rockwell Automation TechED 2018 - SS07 - Lab Manual - Developing Safety Applications Using The Guardmaster 440C-CR30 PDF

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Rockwell Automation TechED 2018 - SS07 - Lab Manual - Developing Safety Applications Using The Guardmaster 440C-CR30 PDF

Încărcat de

Drepturi de autor:

Formate disponibile

Developing Safety Applications using the

Guardmaster 440C-CR30 Software Configurable

For Classroom Use Only!

Gate Switch and E-Stop Application ........................................................................................................... 24

I/O Expansion via Single Wire Safety ......................................................................................................... 64

Guard Locking Application .......................................................................................................................... 69

Zone Control Application ............................................................................................................................. 78

Input Signal via Ethernet ............................................................................................................................. 88

Maintenance Mode...................................................................................................................................... 95

About this lab

Tools & prerequisites

6. Type “MyCR30” into the Name field.

8. Set the last octet of the IP address to 78.

11. Right click on <Empty>.

12. Click on DigitalIO and select 2080-IQ4OB4 Digital Combo.

13. Click OK.

16. Click Close on the Select Module Type window.

The 440C-CR30 is now displayed in the Controller Organizer.

3. Confirm that the demo case is plugged in and turned on.

6. Click Download on the warning message that appears.

Operation of the Configured Safety Circuit

3. Twist the E-Stop button clockwise to confirm that it is released / clear.

9. Twist the E-Stop clockwise to release it.

4. Right click on the Reset block (SMF 2) and click Delete.

10. Click the minus symbol to hide the Advanced Settings.

27. Close the Logic Editor Window.

2. Click on LED Configuration towards the lower left.

Input LEDs Type Filter Value Notes

A Download in progress window appears.

4. Click Yes to apply the changes to the module configuration.

1. Double click on the Controller Tags.

2. Click the + next to MyCR30:I in the Controller Tags window.

Button Icon Description

Built-In I/O This button displays Built in I/O Status.

HOME This button displays Home Screen.

SMF This button displays SMF Status.

SOF This button displays SOF Status.

Plug-in This button displays Plug-in I/O Status.

3. Twist the E-Stop button clockwise to confirm that it is released / clear.

2. In the demo to the right of the E-Stop and Reset

This disconnects channel 2 of the E-Stop from CR30

MP12 - Ch. 1 Test pulses

I-00 Input Ch. 1

I-01 Input Ch. 2

30. Click Generate to create the unique verification ID.

33. Click OK to close the Verification screen.

2. Click on the project “ENET_440C_Single_IN_Restart.ACD” and select Open.

8. Click Download on the warning message that appears.

18. Twist the E-Stop clockwise to confirm that it is released.

25. Twist the E-Stop clockwise to release it.

9. Click Yes to apply the changes to the module configuration.

1. Twist the E-Stop clockwise to confirm that it is released.

5. Twist the E-Stop clockwise to release it.

2. Click on the project “ENET_440C_Guard_Locking.ACD” and select Open.

3. Click Download on the warning message that appears.

13. Twist the E-Stop clockwise to confirm that it is clear.

This completes the Guard Locking Application.

3. Click on the Edit Logic button to open the logic editor.

13. Scroll up to the top of the Logic Editor.

14. Click on the SOF1 Immediate_OFF_1 function block.

 Begin with letter or underscore

 Followed by letters, digits, and single underscore characters

This pair of outputs enables / disables hazardous motion in Zone 2.