BECKHOFF EK1960 Twin Safe Compact Controller Instruction Manual

EK1960 Twin Safe Compact Controller
Instruction Manual

EK1960 Twin Safe Compact Controller

Notes on the documentation

1.1 Disclaimer
Beckhoff products are subject to continuous further development. We reserve the right to revise the operating instructions at any time and without prior announcement. No claims for the modification of products that have already been supplied may be made on the basis of the data, diagrams and descriptions in these operating instructions.
In these operating instructions we define all permissible use cases whose properties and operating conditions we can guarantee. The use cases we define are fully tested and certified. Use cases beyond this, which are not described in these operating instructions, require the approval of Beckhoff Automation GmbH & Co KG.
1.1.1 Trademarks
Beckhoff® , TwinCAT® , EtherCAT® , EtherCAT G ®, EtherCAT G10 ®, EtherCAT P® , Safety over EtherCAT®, TwinSAFE ® , XFC® , XTS® and XPlanar ® are registered and licensed trademarks of Beckhoff Automation GmbH.
The use of other brand names or designations by third parties may lead to an infringement of the rights of the owners of the corresponding designations.
1.1.2 Patents
The EtherCAT technology is protected by patent rights through the following registrations and patents with corresponding applications and registrations in various other countries:

• EP1590927
• EP1789857
• EP1456722
• EP2137893
• DE102015105702

EtherCAT® is a registered trademark and patented technology, licensed by Beckhoff Automation GmbH.
Safety over EtherCAT® is a registered trademark and patented technology, licensed by Beckhoff Automation GmbH.
1.1.3 Limitation of liability
All components in this product as described in the operating instructions are delivered in a specific configuration of hardware and software, depending on the application regulations. Modifications and changes to the hardware and/or software configuration that go beyond the documented options are prohibited and nullify the liability of Beckhoff Automation GmbH & Co. KG.
The following is excluded from the liability:

• Failure to observe these operating instructions
• Improper use
• Use of untrained personnel
• Use of unauthorized spare parts

1.1.4 Copyright
© Benchoff Automation GmbH & Co. KG, Germany.
The distribution and reproduction of this document as well as the use and communication of its contents without express authorization are prohibited.
Offenders will be held liable for the payment of damages. All rights reserved in the event of the grant of a patent, utility model or design.
1.2 Version numbers

•  In chapter Technical data [? 24] link to download page of certificates added
•  Chapter “Firmware update of TwinSAFE products” removed
•  Appendix adapted and expanded
•  Name of EtherCAT connectors corrected
1.3.1| •  Layout corrected at chapter Sample program for parameterization
1.3.0| •  Description of Module Fault Link active parameter added
• Description of Multiple Download added
• Description of input and output signals expanded
• Description of error response times added
• Version history of TwinSAFE product added
• Description of firmware update added
1.2.0| •  Description of inductive load and free-wheeling diode changed
•  New features Twin CAT 3.1 Build 4022 added
•  Diagnosis history described
•  Reaction times Bumper Mode and ambient conditions added
•  Description TwinSAFE SC updated
•  Description of Behavior when restarting added
•  Project design limits adjusted
•  Note to the permissible loads on the relay contacts added
1.1.0| • Note to the input and output process image added
• Description for Sync Manager configuration added
• Twin SAFE SC description updated
1.0.0| • Certificate added
• General document revision
• Description of input module 9 and 10 updated
0.7.0| • Load characteristics for inductive loads added
• Backup/Restore flow chart added
0.6.1| • User administration screenshots updated
• State and Diag of the Twin SAFE group updated
0.6.0| •   Safety parameters adopted from review report
0.5.0| • Safety parameters revised
• Parameter values revised
• Diag messages added
0.4.0| • Safety concept requirements for the manual implemented
0.3.0| • Update of the designation of the contact points
• Addendum: illustration of the Tw Insafe compact controller without relay option
0.2.0| • Extension of the general description
• Description of diagnostic and status LEDs added
0.1.0| • Migration, layout adaptation

Correctness
Please check whether you are using the current and valid version of this document. The current version can be downloaded from the Benchoff homepage at http://www.beckhoff.de/twinsafe. In case of doubt, please contact Technical Support (see Benchoff Support and Service [} 13]).
Origin of the document
The original documentation is written in German. All other languages are derived from the German original.
Product features
Only the product properties specified in the current operating instructions are valid. Further information given on the product pages of the Benchoff homepage, in emails or in other publications is not authoritative.
1.3 Version history of the TwinSAFE product
This version history lists the software and hardware version numbers. You will also find a description of the changes to previous versions contained in each case. See the following table.
Updated hardware and software
The TwinSAFE products are subject to a cyclical revision. We reserve the right to revise and change the TwinSAFE products at any time and without notice.
These hardware and/or software changes do not give rise to any claims for changes to products that have already been delivered.

linked RUN signal.
• Time stamp for diagnostic messages corrected.
• FB Muting: After an FB error in the backwards operating mode, the FB error can be acknowledged without restarting the Tw Insafe group.
• An error acknowledgement is now required after a user has logged in to the Logic without deleting the project.
• Support of Module Fault Link active parameter added.
• Firmware and vendor data CRCs can be read out in Coe objects.
2017-07-14| 02| 01| • Optimized safety mat function
• Added support for backup/restore mode
• Protective circuit of the outputs changed
2017-05-02| 01| 00| • First Release

1.4 Staff qualification
These operating instructions are intended exclusively for trained specialists in control technology and automation with the relevant knowledge.
The trained specialist personnel must ensure that the applications and use of the described product meet all safety requirements. This includes all applicable and valid laws, regulations, provisions and standards.
Trained specialists
Trained specialists have extensive technical knowledge from studies, apprenticeships or technical training. Understanding of control technology and automation is available. Trained specialists can:

• Independently identify, avoid and eliminate sources of hazard.
• Apply relevant standards and directives.
• Implement specifications from accident prevention regulations.
• Evaluate, prepare and set up the workplaces.
• Evaluate, optimize and execute work independently.

1.5 Safety and instruction
Read the contents that refer to the activities you have to perform with the product. Always read the chapter For your safety in the operating instructions.
Observe the warnings in the chapters so that you can handle and work with the product as intended and safely.
1.5.1 Explanation of symbols
Various symbols are used for a clear arrangement:
1. The numbering indicates an action that should be taken.
• The bullet point indicates an enumeration.
[…] The square brackets indicate cross-references to other text passages in the document.
[1] The number in square brackets indicates the numbering of a referenced document.
1.5.1.1 Pictograms
In order to make it easier for you to find text passages, pictograms and signal words are used in warning notices:
DANGER
Failure to observe will result in serious or fatal injuries.
WARNING
Failure to observe may result in serious or fatal injuries.
CAUTION
Failure to observe may result in minor or moderate injuries.
NOTE
Notes
Notes are used for important information on the product. The possible consequences of failure to observe these include:

• Malfunctions of the product
• Damage to the product
• Damage to the environment

Information
This sign indicates information, tips and notes for dealing with the product or the software.
1.6 Beckhoff Support and Service
Support
Beckhoff Support offers technical advice on the use of individual Beckhoff products and system planning. The employees support you in the programming and commissioning of sophisticated automation systems.

Training
Training in Germany takes place in our training center at the Beckhoff headquarters in Verl, at subsidiaries or, by arrangement, at the customer’s premises.

Service
The Beckhoff Service Center supports you with after-sales services such as on- site service, repair service or spare parts service.

Download area
In the download area you can obtain product information, software updates, the TwinCAT automation software, documentation and much more.

Headquarters
Beckhoff Automation GmbH & Co. KG Hülshorstweg 20
33415 Verl Germany

For the addresses of our worldwide locations, please visit our website at Global Presence.

For your safety

2.1 Duty of care
Read entire documentation for TwinSAFE component

• Twin SAFE application manual
• EL6910 Twin SAFE logic terminal operating manual
• Twin SAFE Logic FB documentation manual

The operator must comply with all the requirements and notes specified in these operating instructions in order to fulfill his duty of care. This includes in particular that you

• comply with the provisions defined in the chapter Limitation of liability [} 8].
• only operate the TwinSAFE component when it is in perfect working order.
• provide the operating instructions in a legible condition and complete at the place of use of the TwinSAFE component.
• do not remove the safety markings attached to the TwinSAFE component and maintain their legibility.

No disposal in domestic waste
Products marked with a crossed-out waste bin must not be disposed of with domestic waste. The device is considered waste electrical and electronic equipment when it is disposed of. Observe the national regulations for the disposal of waste electrical and electronic equipment.
2.2 Safety instructions
2.2.1 Before operation
Ensure traceability
Ensure the traceability of the TwinSAFE component via the serial number.
Use in machines according to the Machinery Directive
Only use the TwinSAFE component in machines that comply with the Machinery Directive. This is how you ensure safe operation.
Carry out commissioning test
Before commissioning, wiring faults to the sensors must be excluded. Before commissioning, carry out a commissioning test. After a successful commissioning test, you can use the TwinSAFE component for the intended safety-related task.
In case of wiring errors, the safety function of the product is at risk. Depending on the machine, death and danger to life, serious bodily injury and damage to the machine may result.
Use SELV/PELV power supply
Use a SELV/PELV power supply unit with an output-side voltage limit of Umax = 36 VDC to supply the TwinSAFE component with 24 VDC.
Failure to observe this will endanger the safety function of the product. Depending on the machine, death and danger to life, serious physical injury and damage to the machine may result.
Use permissible engineering tools and procedures
The TÜV SÜD certificate applies to the TwinSAFE component, the function blocks available in it, the documentation and the engineering tool. Approved engineering tools are TwinCAT 3.1, the TwinSAFE
Loader and CODESYS Safety for EtherCAT Safety Module.
Procedures or engineering tools that deviate from this are not covered by the certificate. This is especially true for externally generated xml files for the TwinSAFE import or externally generated automatic project creation procedures.
2.2.2 In operation
Interference due to emitted interference
Do not operate the following devices in the vicinity of the TwinSAFE component: for example, radio telephones, radios, transmitters or high- frequency systems.
TwinSAFE components comply with the requirements of the applicable electromagnetic compatibility standards with regard to interference emission and immunity. If you exceed the limits for emitted interference specified in the standards, the function of the TwinSAFE component may be impaired.
2.2.3 After operation
De-energize and switch off components before working on them
Check all safety-relevant equipment for functionality before working on the TwinSAFE component. Secure the working environment. Secure the machine or plant against being inadvertently started up. Observe the chapter Decommissioning [} 139].

System description Tw Insafe

3.1 Extension of the Beckhoff I/O system with safety functions

The Tw Insafe products from Benchoff enable convenient expansion of the Benchoff I/O system with safety components, and integration of all the cabling for the safety circuit within the existing fieldbus cable. Safe signals can be mixed with standard signals as required. The transfer of safety-related Tw Insafe telegrams is handled by the standard controller. Maintenance is simplified significantly thanks to faster diagnosis and simple replacement of components.
The following basic functionalities are included in the Tw Insafe components:
digital inputs (e.g. EL19xx, EP1908), digital outputs (e.g. EL29xx), drive components (e.g. AX5805) and logic units (e.g. EL6900, EL6910). For a large number of applications, the complete safety sensor and actuator technology can be wired on these components. The required logical link of the inputs and the outputs is handled by the EL69xx. In addition to Boolean operations, the EL6910 now also enables analog operations.
3.2 Safety concept
Tw Insafe: Safety and I/O technology in one system

• Extension of the familiar Beckhoff I/O system with Tw Insafe components
• Safe and non-safe components can be combined as required
• Logical link of the I/Os in the EL69xx TwinSAFE logic terminal
• Suitable for applications up to SIL 3 according to EN 61508:2010 and Cat 4, PL e according to EN ISO 13849-1:2015
• Safety-relevant networking of machines via bus systems
• In the event of an error, all Tw Insafe components always switch to the wattles and therefore safe state
• No safety requirements for the higher-level standard Twin CAT system

Safety over Ether CAT protocol (FSoE)

• Transfer of safety-relevant data via any media (“genuine black channel”)
• Tw Insafe communication via fieldbus systems such as Ether CAT, Light bus, PROFIBUS, PROFINET or Ethernet
• IEC 61508:2010 SIL 3 compliant
•  Foe is IEC standard (IEC 61784-3-12) and ETG standard (ETG.5100)

Fail-safe principle (fail stop)
The basic rule for a safety system such as Tw Insafe is that failure of a part, a system component or the overall system must never lead to a dangerous condition. The safe state is always the switched off and wattless state.
CAUTION
Safe state
For all Tw Insafe components the safe state is always the switched-off, wattles state.

Product description

4.1General description
EK1960 – Tw Insafe-Compact-Controller
The EK1960 is a Tw Insafe controller with 20 fail-safe inputs and 24 fail-safe outputs. The EK1960-2600 and EK1960-2608 variants feature an additional four relays, each with one make contact.
The EK1960 Tw Insafe compact controller is suitable for safety applications up to SIL 3 according to IEC 62061 and IEC 61508 and up to Cat. 4, PL e according to EN ISO 13849-1:2015. (See following list for restrictions):

• The single-channel relay output is suitable up to Cat. 2, PL d

• The two-channel relay output (use of two relay contacts in series) is suitable up to Cat. 3, PL d or Cat. 4, PL e, depending on the number of actuations. Cat. 4, PL e requires an actuation at least once per month, Cat. 3, PL d at least once per year.

• The safe input for the safety mat operation mode is limited to Cat. 2, PL d. Special proof tests are not necessary during the entire lifetime of the EK1960 on account of the high level of diagnostic coverage.
  The EK1960 can be used in three different application cases:

• As a stand-alone TwinSAFE compact controller without the use of an EtherCAT network with 20 inputs and 24 outputs. An extension with terminals to the right of the EK1960 on the E-bus is not possible in this operation mode.

• As a TwinSAFE compact controller integrated into an EtherCAT network. The EK1960 can be extended with standard and safety terminals on the E-bus connection and via the EtherCAT network.

•  As a Twin SAFE I/O module. The logic on the Twin SAFE compact controller is not used. The coupler can be addressed by a Twin SAFE logic terminal as an I/O module with 20 inputs and 24 outputs.

The inputs of the EK1960 can be used as digital 24 V inputs. They can be fed to the safe input either with static 24 VDC or with a clock from one of the Twin SAFE outputs of the EK1960 or via an external clock source via, for example, a switch contact. Inputs 17 to 20 can additionally be switched to a safety mat operation mode (Bumper Mode On) . Only safety mats operating according to the resistance-change principle are supported. The safety mats can also be cascaded in accordance with the manufacturer’s specifications. The inputs can be parameterized in groups of two.
The outputs can be parameterized in groups of four. It is possible to set the mark-to-space-ratio and the activation as a clock source for the safe inputs. The EK1960 without relay option has a dummy cap on X4.

4.2 Product designations

contacts (NO)
EK1960-2608| EK1960 with EtherCAT M8 connections – with four potential-free contacts (NO)
ZS2003-0001| Spare part, power supply spring contact strip, 4-pole Contact spacing 3.5 mm
ZS2003-0002| Spare part, input/output spring contact strip, 10-pole Contact spacing 3.5 mm
ZS2003-0003| Spare part, relay contact spring contact strip, 10-pole Contact spacing 5.0 mm (EK1960-260x only)

4.3 Inputs and outputs of the EK1960
NOTE
Fuses for the EK1960
Fuses must be provided for the power supplies of the EK1960 2 A each for US and UP (X3) and 5 A each for UP1 to UP6 (X5, X7, X9).

(RJ45 or M8)
EtherCAT OUT (X2)| | EtherCAT 2| EtherCAT connection 2 (EtherCAT OUT)
(RJ45 or M8)
Power (X3)| 1| Us| Control voltage 24 VDC (SELV/PELV)
Supply of power for internal logic and E-bus connection
2| 0 V| GND
3| Up| Peripheral voltage 24 VDC (SELV/PELV)
Supply of power for relays and inputs in the safety mat operation mode
4| 0 V| GND
Relais (X4) (EK1960-260x only)| 1| 4.1| Input to Relay 1 make contact
(Channel7.FSOUT RelaisModule.Channel1.Output)
2| 4.2| Input to Relay 2 make contact
(Channel7.FSOUT RelaisModule.Channel2.Output)
3| 4.3| Input to Relay 3 make contact
(Channel7.FSOUT RelaisModule.Channel3.Output)
4| 4.4| Input to Relay 4 make contact
(Channel7.FSOUT RelaisModule.Channel4.Output)
5| n.c.| not used
6| n.c.| not used
7| 4.5| Output to Relay 1 make contact
(Channel7.FSOUT RelaisModule.Channel1.Output)
8| 4.6| Output to Relay 2 make contact

(Channel7.FSOUT RelaisModule.Channel2.Output)

9| 4.7| Output to Relay 3 make contact
(Channel7.FSOUT RelaisModule.Channel3.Output)
10| 4.8| Output to Relay 4 make contact
(Channel7.FSOUT RelaisModule.Channel4.Output)
Output (X5)| 1| 5.1| Output 1 from UP1
(Channel1.FSOUT Module 1.Channel1.Output)
2| 5.2| Output 2 from UP1
(Channel1.FSOUT Module 1.Channel2.Output)
3| 5.3| Output 3 from UP1(Channel1.FSOUT Module 1.Channel3.Output)
4| 5.4| Output 4 from UP1
(Channel1.FSOUT Module 1.Channel4.Output)
5| UP1| Peripheral voltage UP1 24 VDC (SELV/PELV)
6| 5.5| Output 5 from UP2
(Channel2.FSOUT Module 2.Channel1.Output)
7| 5.6| Output 6 from UP2
(Channel2.FSOUT Module 2.Channel2.Output)
8| 5.7| Output 7 from UP2
(Channel2.FSOUT Module 2.Channel3.Output)
9| 5.8| Output 8 from UP2
(Channel2.FSOUT Module 2.Channel4.Output)
10| UP2| Peripheral voltage UP2 24 VDC (SELV/PELV)
Input (X6)| 1| 6.1| Input 1
(Channel8.FSIN Module 1.Channel1.Input)
2| 6.2| Input 2
(Channel8.FSIN Module 1.Channel2.Input)
3| 6.3| Input 3
(Channel9.FSIN Module 2.Channel1.Input)
4| 6.4| Input 4
(Channel9.FSIN Module 2.Channel2.Input)
5| 6.5| Input 5
(Channel10.FSIN Module 3.Channel1.Input)
plug| contact| Name| Description
---|---|---|---
| 6| 6.6| Input 6
(Channel10.FSIN Module 3.Channel2.Input)
7| 6.7| Input 7
(Channel11.FSIN Module 4.Channel1.Input)
8| 6.8| Input 8
(Channel11.FSIN Module 4.Channel2.Input)
9| 6.9| Input 9
(Channel12.FSIN Module 5.Channel1.Input)
10| 6.10| Input 10
(Channel12.FSIN Module 5.Channel2.Input)
Output (X7)| 1| 7.1| Output 9 from UP3
(Channel3.FSOUT Module 3.Channel1.Output)
2| 7.2| Output 10 from UP3
(Channel3.FSOUT Module 3.Channel2.Output)
3| 7.3| Output 11 from UP3
(Channel3.FSOUT Module 3.Channel3.Output)
4| 7.4| Output 12 from UP3
(Channel3.FSOUT Module 3.Channel4.Output)
5| UP3| Peripheral voltage UP3 24 VDC (SELV/PELV)
6| 7.5| Output 13 from UP4
(Channel4.FSOUT Module 4.Channel1.Output)
7| 7.6| Output 14 from UP4
(Channel4.FSOUT Module 4.Channel2.Output)
8| 7.7| Output 15 from UP4
(Channel4.FSOUT Module 4.Channel3.Output)
9| 7.8| Output 16 from UP4
(Channel4.FSOUT Module 4.Channel4.Output)
10| UP4| Peripheral voltage UP4 24 VDC (SELV/PELV)
Input (X8)| 1| 8.1| Input 11
(Channel13.FSIN Module 6.Channel1.Input)
2| 8.2| Input 12
(Channel13.FSIN Module 6.Channel2.Input)
3| 8.3| Input 13
(Channel14.FSIN Module 7.Channel1.Input)
4| 8.4| Input 14
(Channel14.FSIN Module 7.Channel2.Input)
5| 8.5| Input 15
(Channel15.FSIN Module 8.Channel1.Input)
6| 8.6| Input 16
(Channel15.FSIN Module 8.Channel2.Input)
7| 8.7| Input 17
(digital – Digital Mode On, safety mat operation mode (resistance change) – Bumper Mode On ) (Channel16.FSIN Module 9.Channel1.Input)
8| 8.8| Input 18
(digital – Digital Mode On , safety mat operation mode (resistance change) – Bumper Mode On ) (Channel16.FSIN Module 9.Channel2.Input)
9| 8.9| Input 19
(digital – Digital Mode On, safety mat operation mode (resistance change) – Bumper Mode On ) (Channel17.FSIN Module 10.Channel1.Input)
10| 8.10| Input 20 (digital – Digital Mode On , safety mat operation mode (resistance change) – Bumper Mode On ) (Channel17.FSIN Module 10.Channel2.Input)
Output (X9)| 1| 9.1| Output 17 from UP5
(Channel5.FSOUT Module 5.Channel1.Output)
2| 9.2| Output 18 from UP5
Channel5.FSOUT Module 5.Channel2.Output)
3| 9.3| Output 19 from UP5
(Channel5.FSOUT Module 5.Channel3.Output)
4| 9.4| Output 20 from UP5
(Channel5.FSOUT Module 5.Channel4.Output)
5| UP5| Peripheral voltage UP5 24 VDC (SELV/PELV)
6| 9.5| Output 21 from UP6
(Channel6.FSOUT Module 6.Channel1.Output)

NOTE
Protected wiring If the wiring of the outputs or the connected actuators leaves the control cabinet, the user must ensure that the wiring is protected.

WARNING
Active loads
The use of active loads (with their own power supply) is not permissible unless the manufacturer of the load ensures the non-reactivity of the power supply to the control signal.

DANGER
Clocked signals within a sheathed cable
Are clocked signals of different output modules used within a sheathed cable, a failure of a module, such as cross-circuit or external power supply must lead to a switch off of all these modules. This switch off must be performed by the  user program.
From firmware version 03 and revision -0021 the parameter Module Fault Link active is available. If the parameter is set to TRUE for all modules involved, all these modules are set to the error state in the event of a module error. This  parameter is set to TRUE by default.

4.4 Connection technology
4.4.1 Power supply spring contact strip
The power supply spring contact strip is required for the X3 connection.

Conductor cross-sectional area – fine wire (with wire- end ferrules with plastic collars)| 0.25 – 0.75 mm²
Conductor cross-sectional area – fine wire (with wire- end ferrules without plastic collars)| 0.25 – 1.5 mm²
Strip length| 8 – 9 mm

4.4.2 Input and output spring contact strip
The input and output spring contact strip is required for the connection X5 to X9.

Conductor cross-sectional area – fine wire (with wire- end ferrules with plastic collars)| 0.25 – 0.75 mm²
Conductor cross-sectional area – fine wire (with wire- end ferrules without plastic collars)| 0.25 – 1.5 mm²
Strip length| 8 – 9 mm

4.4.3 Relay contact spring contact strip
The relay contact spring contact strip is required for the connection X4 (EK1960-260x only).

Conductor cross-sectional area – fine wire (with wire- end ferrules with plastic collars)| 0.25 – 1.5 mm²
Conductor cross-sectional area – fine wire (with wire- end ferrules without plastic collars)| 0.25 – 2.5 mm²
Strip length| 9 – 10 mm

4.5 Intended use
WARNING
Caution – Risk of injury!
The TwinSAFE compact controller may only be used for the purposes described below!

The TwinSAFE compact controller expands the application range of the Beckhoff EtherCAT system by functions that enable it to be used in the field of machine safety as well. The TwinSAFE compact controller is designed for machine safety functions and the directly associated industrial automation tasks. It is therefore approved only for applications with a defined fail-safe state. This safe state is the wattles state.
The EK1960 TwinSAFE compact controller is suitable for operation as

• Stand-alone Safety Controller
• a safety controller within an EtherCAT network
• a safety I/O device within an EtherCAT network with, for example, an EL6910 as TwinSAFE Master

WARNING
System limits
The TÜV-Süd certificate applies to the EK1960, the function blocks available in it, the documentation and the engineering tool. Approved engineering tools are Twin CAT 3.1, TwinSAFE Loader and CODESYS Safety for EtherCAT Safety Module. Any deviations from the procedures or tools, particularly externally generated xml files for TwinSAFE import or externally generated automatic project creation procedures, are not covered by the certificate.
WARNING
Power supply
The TwinSAFE compact controller must be supplied with 24 VDC by an SELV/PELV power supply unit with an output voltage limit Umax of 36 VDC. Failure to observe this can result in a loss of security.
WARNING
Commissioning test
Before the EK1960 can be used for the safety task, the user must carry out a commissioning test so that sensor and actuator wiring errors can be ruled out.
CAUTION
Note the Machinery Directive
The TwinSAFE compact controller may only be used in machines within the meaning of the Machinery Directive.
CAUTION
Ensure traceability
The buyer has to ensure the traceability of the device via the serial number.

4.6 Technical data
The current certificates of all TwinSAFE products with the underlying standards and directives can be found at https://www.beckhoff.com/en- en/support/download-finder/certificates-approvals/.

area of 0.75 mm² are used)
Cable length between output and actuator| 30 m (if cables with a cross- sectional area of 0.75 mm² are used)
---|---
Minimum/maximum logic cycle time| approx. 1 ms / according the project size
Fault response time| ≤ watchdog times
Watchdog time| min. 2 ms, max. 60,000 ms
Input process image| Dynamic, according to the TwinSAFE configuration in Twin CAT 3
Output process image| Dynamic, according to the TwinSAFE configuration in Twin CAT 3
Supply voltage (SELV/PELV)| 24 VDC (–15% / +20%)
Provide a 2 A fuse for US and UP
E-bus power supply (5 V)| max. 500 mA (In the case of higher current consumption, please use the EL9410 power feed terminals in  addition!)
Signal voltage inputs| see Characteristic curve of the inputs [? 32]
Output module (4 channels)| 24 VDC (–15% / +20%) SELV/PELV for UP1 to UP6 max. 2 A  per channel min. 30 mA with a test pulse length of 400 µs  and resistive load Simultaneity factor 50% per module  Provide 5 A fuse for each UPx Diagnostic thresholds:

4 V -> high signal is detected
< 2.4 V -> low signal is detected
Permissible actuators| • inductive loads (see also Load characteristic curve – inductive load [? 34]) (A free-wheeling diode must be  provided on the load)
• resistive loads
• capacitive loads
Current consumption of the modular electronics at 24 VDC (without current consumption of sensors/actuators)| US typ. 80 mA UP typ. 2 mA
UP1 to UP6 each typ. 2 mA
Dimensions (W x H x D)| 230.5 mm x 100 mm x 58.6 mm
Weight| approx. 560 g (EK1960-260x) / approx. 500 g (EK1960-000x)
Permissible ambient temperature (operation)| -25 °C to +55 °C
Permissible ambient temperature (transport/ storage)| -40 °C to +70 °C
Permissible humidity| 5% to 95%, non-condensing
permissible air pressure (operation/storage/transport)| 750 hPa to 1100 hPa (this corresponds to an altitude of approx. -690 m to 2450 m above sea level, assuming an international standard atmosphere)
Product designation| EK1960
Climate category according to EN 60721-3-3| 3K3 (the deviation from 3K3 is possible only with optimal  environmental conditions and also applies only to the  technical data which are specified differently in this  documentation)
Permissible level of contamination according to EN 60664-1| level of contamination 2 (comply with the chapter Cleaning [? 136])
Inadmissible operating conditions| TwinSAFE controllers must not be used under the following operating conditions:
| •   under the influence of ionizing radiation (exceeding the natural background radiation)
•   in corrosive environments
•   in an environment that leads to impermissible soiling of the controller
---|---
Vibration / shock resistance| conforms to EN 60068-2-6 / EN 60068-2-27
EMC immunity/emission| conforms to EN 61000-6-2 / EN 61000-6-4
Shocks| 15 g with pulse duration 11 ms in all three axes
Protection class as per IEC 60529| IP20
Permitted operating environment| In the control cabinet or terminal box, with minimum protection class IP54 according to IEC 60529
Correct installation position| see chapter Installation position and minimum distances [? 43]
Technical approvals| CE, TÜV SÜD

NOTE
Protective circuit No protective circuit is integrated in the output circuit of the EK1960, so it is necessary to provide a freewheeling diode on the actuator for inductive loads. However, it must be borne in mind that the free- wheeling  diode may prolong the switch-off times of the actuator.
The protective circuit must limit the induced voltage at the output to an amount of less than 29V. Thus,  R/Ccircuits and varistors are typically unsuitable.

4.6.1 Technical data – relay option

Product designation

|

EK1960- 260x

---|---
Contacts| 1 NO / 1 NC
Make contact material (NO)| AgNi + 0.2 µm Au
Feedback contact material (NC)| AgNi + 5 µm Au
Coil voltage| 24VDC
Maximum continuous current, NO contact (when used in safety applications)| DC13 (24 VDC) I = 2 A
AC15 (230 VAC) I = 3 A
Maximum switching current (NO contact)| 8 A
Minimum switching current (NO contact)| 10 mA (AgNi)
Switching capacity according to IEC/EN 60947-5-1 AC15 DC13| **** 250 VAC / 3 A 24 VDC / 2 A
Switching frequency (maximum)| 20 switching cycles / s
Response time| ≤ 15 ms (typically 10 ms)
Release time| ≤ 5 ms (typically 2 ms)

NOTE
Allowed loads of the relay option
The potential-free contacts of the relay option (X4) may only be connected to resistive and inductive loads.
Capacitive loads are not permissible.

Load limit curve

Operating lifetime for contact material AgNi

Fig. 4: Operating lifetime of the AgNi NO contact for DC1, DC13, AC1 and AC15
Reduction factor for inductive loads

4.7 Safety parameters
In the following tables the safety parameters are shown separately for inputs, logic and outputs. The PFH values for the inputs, logic and outputs used must be added together for the complete safety loop. The Safety-over-EtherCAT communication is included in the logic part.

Type B

1. Special proof tests are not necessary during the entire lifetime of the EK1960 TwinSAFE compact controller on account of the high level of diagnostic coverage.
2. Classification according to IEC 61508-2:2010 (see chapters 7.4.4.1.2 and 7.4.4.1.3)
   The EK1960 TwinSAFE compact controller can be used for safety-related applications within the meaning of IEC 62061:2005/A2:2015 up to SILCL3 and IEC 61508:2010 up to SIL 3 and EN ISO 13849-1:2015 up to Cat. 4, PL e. (See following note for restrictions):

CAUTION
EK1960 category and performance level restrictions

• The single-channel relay output is suitable up to Cat. 2, PL d

• The two-channel relay output (use of two relay contacts in series) is suitable up to Cat. 3, PL d or Cat. 4,
  PL e, depending on the number of actuations. Cat. 4, PL e requires an actuation at least once per month, Cat. 3, PL d at least once per year.

• The safe input for the safety mat operation mode is limited to Cat. 2, PL d.

Further information on calculating or estimating the MTTFD value from the PFHD value can be found in the TwinSAFE application manual or in EN ISO 13849-1:2015, Table K.1.
Relay output safety parameters (Cat. 4 – two-channel)
The following table contains the safety parameters for the two-channel relay output. This must be added to the logic and input value to determine the total PFH value.
One actuation of the relay per hour is assumed for the calculation.

Relay output safety parameters (Cat. 2 – single-channel)
The following table contains the safety parameters for the single-channel relay output. This must be added to the logic and input value to determine the total PFH value.
One actuation of the relay per hour is assumed for the calculation.

B10D relay option values

Digital input safety parameters
The following table contains the safety parameters for the digital input of the EK1960. This must be added to the logic and input value to determine the total PFH value.

Safety mat input safety parameters
The following table contains the safety parameters for the analog input in the safety mat operation mode of the EK1960. This must be added to the logic and input value to determine the total PFH value.

Logic safety parameters
The following table contains the safety parameters for the logic module of the EK1960. This must be added to the input and output value to determine the total PFH value. The Safety-over-EtherCAT communication is included in the logic part.

Logic parameters

|

Value

---|---
PFHD| 5.18 E-09
PFDG| 4.32 E-05
MTTFD| high
DCavg| high
Performance Level| PL e
Category| 4

Output safety parameters
The following table contains the safety parameters for the digital output of the EK1960. This must be added to the input and logic value to determine the total PFH value.

Digital output parameters|

Value

---|---
PFHD| 1.5 E-10
PFDG| 2.62 E-07
MTTFD| high
DCavg| high
Performance Level| PL e
Category| 4
SIL| 3

Examples of safety loops

Characteristic numbers

| Sample 1| Sample 2| Sample 3|

Sample 4

---|---|---|---|---
Safety mat input| PLd, Cat. 2| 8.48 E-10| 8.48 E-10| | 8.48 E-10| 8.48 E-10
Digital input| PLe, Cat. 4| 6.4 E-11| | 6.4 E-11| |
Logic| PLe, Cat. 4| 5.18 E-09| 5.18 E-09| 5.18 E-09| 5.18 E-09| 5.18 E-09
Digital output| PLe, Cat. 4| 1.5 E-10| 1.5 E-10| 1.5 E-10| |
Relay output (Cat. 4)| PLe, Cat. 4| 1.46 E-09| | | 1.46 E-09|
Relay output (Cat. 2)| PLd, Cat. 2| 7.25 E-10| | | | 7.25 E-10
| | | | | |
Overall result

PFH D / Performance Level / Category

| | | 6.18 E-09

PLd, Cat. 2

| 5.39 E-09

PLe, Cat. 4

| 7.49 E-09

PLd, Cat. 2

| 6.75 E-09

PLd, Cat. 2

4.8 Error response times
The error response times depend, among other things, on the logic program used and the settings of the Multiplier Diag Test Pulse and Modulo Diag Test Pulse parameters.
An error reaction for the tests of the I/O signals is realized by a weighted counter, therefore the switch-off does not occur immediately at the first error of the diagnostic tests.
The maximum error reaction time results from the duration of the longest lasting test, this is the RAM test and this is several hours.

4.9 Characteristic curve of the inputs
The characteristic curve of the inputs of the EK1960 is similar to type 3 according to EN 61131-2.

4.10 Test pulses for the outputs
The output signals of each module of the EK1960 can be determined via the parameter Diag TestPulse Active. The test pulses generated have a length of 400 µs, which is multiplied by the factor MultiplierDiagTestPulse. This factor should be set to at least 2 for outputs with no load or only a small load, so that a test pulse length of 800 µs results. The frequency of the test pulses results from the processing of the input and output modules and the cycle time of the internal  logic. For example, if the logic has a cycle time of 2 ms and a ModuloDiagTestpulse of 0, a typical time b results in accordance with the following calculation.
For each output module the resulting time is: module time = (4 cycles feedback test + (4 cycles diagnostic test (ModuloDiagTestPulse + 1))) internal cycle time 1.25 4 outputs = (4 + (4 1)) 2 ms 1.25 4 = 80 ms
For the relay module the resulting time is:
Relay module time = 100 internal cycle time 1.25
The input modules each require one cycle. This results in a total time b of: b = 6 x module time + 1x relay module time + 10 x internal cycle time x 1.25 (for the input modules)
Inserting the values, this produces: b= (6 80 ms) + (100 2 ms 1.25) + (10 2 ms * 1.25) = 480 ms + 250 ms + 25 ms = 755 ms
The test pulse sequence is shown in the following table, where the time b typically elapses between a channel test and a module switch test. The tests start over once they have been performed for all four channels.
If the parameter Diag TestPulse for Inputs active is set in addition, all outputs of the module are switched on and the test pulses shown here are similarly applied to the individual output channels. These signals can then be used as clocked signals for the safe inputs. The module switch test is not performed in this operation mode; instead, the four channels are tested directly in succession, leading to the time interval b between the tests of the individual channels.

Test

|

Time until next test

---|---
Module switch (all four channels are tested)| b
Channel 2 (only channel 2 is tested)| b
Module switch (all four channels are tested)| b
Channel 3 (only channel 3 is tested)| b
Module switch (all four channels are tested)| b
Channel 4 (only channel 4 is tested)| b
Module switch (all four channels are tested)| b (next test channel 1)

NOTE
Length of the test pulses
When setting the test pulses, make sure that the connected actuator is not switched due to the test pulse length.
The output signal must be 0 V for at least 200 µs within a test pulse. This is independent of the setting of the parameter Multi plier Diag Test Pulse.
Minimum load
The test pulse length of the outputs is set by default to 2 x 400 µs. This setting is suitable for typical actuators with and without a protective circuit. The test pulse length can typically be reduced to 400 µs with a resistive load and a current of at least 30 mA.
Please observe the violation counter in the diagnostic history. If messages are displayed for the corresponding output module, this means that the setting of the test pulse length is borderline and may need to be increased.
For electronic contactors that tend towards a capacitive behavior, it may be necessary to set the parameter Multiplier Diag Test Pulse to 3 or higher.

4.11 Load characteristic curve – inductive load
If an external freewheeling diode is not used for inductive loads, the permissible maximum load can be taken from the following characteristic curve.

4.12 Block diagram of the EK1960
The following block diagram shows the basic structure of the EK1960. The sub- modules shown exist several times according to the information on the sub- modules.

4.13 Address setting of the TwinSAFE compact controller

The TwinSAFE address of the controller must be set with the three rotary switches on the housing of the EK1960 TwinSAFE controller. TwinSAFE addresses between 1 and 4095 are available.

Rotary switch

|

Address

---|---

1 (top)

| 2 (center)|

3 (bottom)

0| 0| 1| 1
0| 0| 2| 2
0| 0| 3| 3
…| …| …| …
0| 0| F| 15
0| 1| 0| 16
0| 1| 1| 17
…| …| …| …
0| F| F| 255
1| 0| 0| 256
1| 0| 1| 257
…| …| …| …
F| F| F| 4095

WARNING
TwinSAFE address
Each TwinSAFE address must be unique within a network!
The address 0 is not a valid address.

4.14 Dimensions

Width: 230.5 mm
Height: 100 mm
Depth: 58.6 mm
4.15 Wiring examples
4.15.1 Inputs and outputs
Examples of the wiring of the individual connections of the EK1960 are shown in the following.
Power supply X3
The X3 connection is for the supply of power to the EK1960. The internal logic and the E-bus connection are supplied via US, while UP supplies the relays and the safe inputs (safety mat operation mode). The GND connections are internally bridged.

Potential-free relay contacts C4 (EK1960-260x)
The relay contacts (four relays each with one make contact) are fed out to the X4 connection. The area surrounded by the dotted line shows the make contacts of the individual relays.

Digital outputs X5, X7 and X9
Connection X5, X7 and X9 must be supplied with 24 VDC on contacts 5 and 10. These each supply four outputs. The connected actuator is not fed back to the EK1960; instead it is wired directly to GND.

Digital inputs X6, X8
The digital inputs are supplied with 24VDC signals. In the default setting, static or clocked signals are supported. Safe outputs of the EK1960 can also be selected as the clock signal source.

Safety mat connection example
Inputs 8.7 to 8.10 on connection X8 of the EK1960 can be configured for a safety mat operation mode. Only safety mats operating according to the resistance-change principle may be used. Only 8K2 (8.2 kΩ) termination resistors are supported.
CAUTION
Safety mat wiring
The ground connection of the safety mat used must be fed back to the EK1960 in accordance with the following diagram.

4.15.2 Clocked signals
All output groups (four outputs each) can be configured as clock outputs. The test pulses of the groups can be set accordingly via parameters.
If a sensor such as a key switch (represented here by S19 and S20) is two- channel wired within one single non-metallic sheathed cable, the two channels must be fed from different clock sources. This makes it possible to detect cross- circuits or external power supplies within the common non-metallic sheathed cable and to achieve a high level of diagnostic coverage.

Operation

5.1 Environmental conditions
Please ensure that the TwinSAFE components are only transported, stored and operated under the specified conditions (see technical data)!

WARNING
Risk of injury!
The TwinSAFE components must not be used under the following operating conditions.

• under the influence of ionizing radiation (that exceeds the level of the natural environmental radiation)
• in corrosive environments
• in an environment that leads to unacceptable soiling of the TwinSAFE component

NOTE
Electromagnetic compatibility
The TwinSAFE components comply with the current standards on electromagnetic compatibility with regard to spurious radiation and immunity to interference in particular.
However, in cases where devices such as mobile phones, radio equipment, transmitters or high-frequency systems that exceed the interference emissions limits specified in the standards are operated near TwinSAFE components, the function of the TwinSAFE components may be impaired.

5.2 Installation
5.2.1 Safety instructions
Before installing and commissioning the TwinSAFE components please read the safety instructions in the foreword of this documentation.
5.2.2 Transport/storage
Use the original packaging in which the components were delivered for transporting and storing the TwinSAFE components.

CAUTION
Note the specified environmental conditions
Please ensure that the digital TwinSAFE components are only transported and stored under the specified environmental conditions (see technical data).

5.2.3 Mechanical installation
5.2.3.1 De-energized condition

DANGER
Serious risk of injury!
Bring the bus system and the controller into a safe, de-energized state before installing, disassembling or wiring of the controller!

5.2.3.2 Control cabinet / terminal box
For operation, the TwinSAFE compact controller must be installed in a control cabinet or terminal box with IP54 protection class according to IEC 60529 as a minimum.
5.2.3.3 Installation position and minimum distances
For the prescribed installation position the mounting rail is installed horizontally and the mating surfaces of the TwinSAFE compact controller point towards the front (see illustration below). The controller is ventilated from below, which  enables optimum cooling of the electronics through convection. The direction indication “down” corresponds to the direction of positive acceleration due to gravity.

In order to ensure optimum convection cooling, the distances to neighboring devices and to control cabinet walls must not be smaller than those shown in the diagram.
5.2.3.4 Installation on mounting rails
The EK1960 is mounted on a DIN rail by inserting the device onto the DIN rail and then pressing it down onto the rail as shown in the diagram below. In the case of flat DIN rails it may be better to position the controller to the DIN rail  from below and to snap it upwards onto the rail.

The EK1960 is released from the DIN rail by opening the two clamps on top of or underneath the device. To do this, insert a screwdriver into the recess provided and open the clamp until it latches.

Once the two upper or lower clamps are unlocked, the device can be taken off the DIN rail in an upward or downward direction.

5.2.4 Electrical installation
5.2.4.1 Overvoltage protection
If protection against overvoltage is necessary in your system, provide an overvoltage protective circuit (surge filter) for the power supply to the TwinSAFE compact controller.
5.2.4.2 Wiring
The connectors support the push-in wiring of individual wires and fine-wire conductors with wire-end sleeves.
In the case of multi-wire and fine-wire conductors, the latch must be depressed to connect the conductor with the contact point.
Depress the latch with a screwdriver, insert the conductor and release the latch.

5.2.4.3 Signal cables
Cable routing

NOTE
Route the signal cable separately
The signal cable must be routed separately from potential sources of interference, such as motor supply cables, 230 VAC power cables etc.!
Interference caused by cables routed in parallel can influence the signal form of the test pulses and thus cause diagnostic messages (e.g. sensor errors or OpenLoad errors).
D: Distance between the cable ducts should be as large as possible blue arrows: signal line red arrows: potential source of interference
The common routing of signals together with other clocked signals in a common cable also reduces the maximum propagation, since crosstalk of the signals can occur over long cable lengths and cause diagnostic messages.

5.3 Configuration of the controller in TwinCAT
CAUTION
Do not change CoE objects!
Do not make modifications to the CoE objects of the TwinSAFE compact controller. Any modifications of the CoE objects (e.g. via TwinCAT 3) will permanently set the controller to the Fail-Stop state or lead to unexpected behavior of the  controller!

5.3.1 Configuration requirements
Version 3.1 build 4020 or higher of the TwinCAT automation software is required for configuring the EL6910.
The current version is available for download from the Beckhoff website (www.beckhoff.de).
TwinCAT support
The EK1960 cannot be used under TwinCAT 2

5.3.2 Insertion of a controller
An EK1960 is inserted in exactly the same way as any other Beckhoff EtherCAT device. In the list, open Safety Terminals and select the EK1960.

Size of the process image
The process image of the EL6910 is adjusted dynamically, based on the TwinSAFE configuration created in TwinCAT 3.

5.3.3 Creating a safety project in TwinCAT 3
Further documentation
Information regarding the TwinSAFE-blocks, -groups and -connections can be found in the TwinSAFE-Logik-FB Documentation available on the Beckhoff website under http://www.beckhoff.de/german/download/twinsafe.htm.

5.3.3.1 Add new item
In TwinCAT 3 a new project can be created via Add New Item… in the context menu of the Safety node.

The project name and the directory can be freely selected.

5.3.3.2 TwinCAT Safety Project Wizard
In the TwinCAT Safety Project wizard you can then select the target system, the programming language, the author and the internal project name. Select the setting Hardware Safety PLC as the target system and the graphical editor as the  programming language. The author and the internal project name can be freely selected by the user.

5.3.3.3 Target System
After creating the project with the Project Wizard, the safety project can be assigned to the physical EK1960 TwinSAFE controller by selecting the Target System node.

The target system is set to EK1960 via the drop-down list and linked with the EK1960 controller via the link button next to Physical Device. If online ADS access to the controller is possible, the software version, serial number, online  project CRC and rotary switch address are automatically read from the controller. The rotary switch address must correspond to the Safe Address set by the user.

5.3.3.4 Alias devices
The communication between the safety logic and the I/O level is realized via an alias level. At this alias level (subnode Alias Devices) corresponding alias devices are created for all safe inputs and outputs, and also for standard signal  types. For the safe inputs and outputs, this can be done automatically via the I/O configuration.
The connection- and device-specific parameters are set via the alias devices.

If the automatic import is started from the I/O configuration, a selection dialog opens, in which the individual terminals to be imported can be selected. The alias devices are created in the safety project when the dialog is closed via OK.
Alternatively, the user can create the alias devices individually. To this end select Add and New item from the context menu, followed by the required device. 5.3.3.5 Parameterization of the alias device
The settings can be opened by double-clicking on the Alias Device in the safety project structure. The Linking tab contains the FSoE address, the checkbox for setting as External Device and the link to the physical I/O device. If an ADS online connection to the physical I/O device exists, the DIP switch setting is displayed. Re-reading of the setting can be started via the button . The links to the EL6910/EJ6910 process image are displayed under Full Name (input) and Full Name (output). The Connection tab shows the connection- specific parameters.

No
Parameter| Description| User interaction required
---|---|---
Conn ID| Connection ID: reallocated by the system, but can be changed by the user. A Conn ID must be unique within a configuration. Duplicate connection IDs result in an error message.| Check
Mode| Foe master: EL6910/EJ6910 is Foe master for this device. Foe slave: EL6910/EJ6910 is Foe slave for this device.| Check
Watchdog| Watchdog time for this connection. A Comerford is generated if the device fails to return a valid telegram to the EL6910/EJ6910 within the watchdog time.| Yes
Module Fault is Comerford| This checkbox is used to specify the behavior in the event of an error. If the checkbox is ticked and a module error occurs on the Alias Device, this also leads to a connection error and therefore to disabling of the TwinSAFE group, in which this connection is defined.| Yes
Comer rack| If Comer rack is linked to a variable, the connection must be reset via this signal in the event of a communication error.| Yes
Info data| The info data to be shown in the process image of the EL6910/EJ6910 can be defined via these checkboxes. Further information can be found in the documentation for TwinCAT function blocks for TwinSAFE Logic terminals.| Yes

The EL6910/EJ6910 support activation of a ComErrAck at each connection. If this signal is connected, the respective connection must be reset after a communication error via the signal Com ErrAck, in addition to the Erick of the TwinSAFE group. This signal is linked via the link button   next to COM ERR Ack. The following dialog can be used for selecting an alias device. The signal can be cancelled via the Clear button in the Map to dialog. The safety parameters matching the device are displayed under the Safety Parameters tab. They have to be set correctly to match the required performance level. Further information can be found in the TwinSAFE application manual. 5.3.3.6 Connection to AX5805/AX5806
There are separate dialogs for linking an AX5805 or AX5806 TwinSAFE Drive option card, which can be used to set the safety functions of the AX5000 safety drive options.
Creating and opening of an alias device for an AX5805 results in five tabs; the Linking, Connection and Safety Parameters tabs are identical to other alias devices. The General AX5805 Settings tab can be used to set the motor string and the SMS and SMA functions for one or two axes, depending on the added alias device. The Process Image tab can be used to set the different safety functions for the AX5805. The parameters under the General AX5805 Settings and Process Image tabs are identical to the parameters under the Safety Parameters tab. Offers user-friendly display and editing of the parameters. The parameters under the Safety Parameters tab can also be edited.
The parameters for this function can be set by selecting a function in the inputs or outputs and pressing the Edit button. New safety functions can be added in the process image by selecting an empty field (—) and pressing Edit.
The parameter list corresponding to the safety function can be shown; in addition, an optional diagram of the function can be shown. At present the diagram is still static and does not show the currently selected values. 5.3.3.7 External connection
An external Custom FSoE Connection can be created for a connection to a further EL69x0, EJ6910, KL6904 or third-party device. If a dedicated ESI file exists for a third-party device, the device is listed as a selectable safety device, and the Custom FSoE Connection option is not required. Before the connection can be used and linked further, the process image size must be parameterized. This can be set under the Process Image tab. Suitable data types for different numbers of safety data are provided in the dropdown lists for the input and output parameters. Once the size is selected, the individual signals within the telegram can be renamed, so that a corresponding plain text is displayed when these signals are used in the logic. If the signals are not renamed, the default name is displayed in the editor (Safe Data Byte 0[0], …). The connection is linked under the Linking tab. The Link button next to Full Name (input) and Full Name (output) can be used to select the corresponding variable. This can be a PLC variable, for example, which is then forwarded to the remote device or can be linked directly with the process image of an EtherCAT Terminal (e.g. EL69x0 or EL6695). Further information can be found in the TwinCAT documentation for the variable selection dialog. The Connection tab is used to set the connection-specific parameters. Detailed information about the individual settings can be found in the following table.

No
Conn ID| Connection ID: reallocated by the system, but can be changed by the user. A Conn ID must be unique within a configuration. Duplicate connection IDs result in an error message| Check
Mode| FSoE master: EL6910/EJ6910 is FSoE master for this device. FSoE slave: EL6910/EJ6910 is FSoE slave for this device.| Check
Type| None: Setting for third-party equipment, for which no ESI file is available. KL6904: Setting for KL6904 (safety parameter inactive)
EL69XX: Setting for EL6900/EL6930/EL6910/EJ6910 (safety parameter inactive)| Yes
Watchdog| Watchdog time for this connection: A Comerford is generated, if the device fails to return a valid telegram to the EL6910 within the watchdog time.| Yes
Module Fault is Comerford| This checkbox is used to specify the behavior in the event of an error. If the checkbox is ticked and a module error occurs on the Alias Device, this also leads to a connection error and therefore to disabling of the TwinSAFE group, in which this connection is defined.| Yes
Safe Parameters (Appl.

Param)

| Device-specific parameters: The parameter length is automatically calculated from the number of characters that is entered. This information will typically be provided by the device manufacturer.| Yes
Comer rack| If Comer rack is linked to a variable, the connection must be reset via this signal in the event of a communication error.| Yes
Info data| The info data to be shown in the process image of the EL6910/EJ6910 can be defined via these checkboxes. Further information can be found in the documentation for Twin CAT function blocks for TwinSAFE Logic terminals.| Yes

5.3.3.8 Local safe inputs and outputs of the EK1960
An alias device must also be created for the local safe inputs and outputs of the EK1960. To do this, a new alias device is created and the EK1960 selected via Add New item. The name of the alias device can be freely assigned. After opening the alias device the Linking Mode must be set to Local. The result of this is that all settings that are not relevant for this mode are grayed out. Only the info data for inputs and outputs can be activated on the Connection tab. The corresponding parameters are set for each input and output module on the Safety Parameter tab. Overview of output parameters

All modules used are processed in succession in one logic cycle respectively. With Modulo=0 the test is carried out in each cycle in the respectively current module; with Modulo=1 only every second pass and so on.| 0
Multiplier Diag TestPulse| 80×0:02| Duration of the clocking 1 = 400 µs (this value will need to be increased according to the connected load if the outputs are open circuit or in the case of very small output currents)| 1
Standard Outputs active| 80×0:03| FALSE = standard outputs deactivated
TRUE = standard outputs are ANDed with the safe outputs| FALSE
Diag Test Pulse active| 80×0:04| FALSE: Clocking of the outputs deactivated TRUE: Clocking of the outputs activated| FALSE
Diag Test Pulse for Inputs active| 80×0:05| FALSE: Clocking of the outputs for local inputs deactivated
TRUE: Clocking of the outputs for local inputs activated. If TRUE is set here the parameter DiagTestPulseActive is also set to TRUE.| FALSE
Module Fault Link active| 80×0:07| In the event of a module error of this module, all other modules of this TwinSAFE component, where this parameter is also set to TRUE, are set to a module error.This parameter is available from FW03 and ESI revision -0021. For projects, which are created with a firmware smaller than 03 and a revision smaller than 0021, the behavior remains unchanged.| TRUE

WARNING
Parameter Diag TestPulse for Inputs active
If this parameter is activated, all outputs of this module are switched on and can be used as test pulses for controller inputs. In this setting the parameter Diag TestPulse Active must be set to TRUE.
Corresponding parameters exist under the indices 8000:0 to 8050:0 for the output modules 0 to 5. The module 8060:0 exists for the relay module.
The corresponding parameters are set for each input module on the Safety Parameter tab. Overview of input parameters

Digital Mode On and Bumper Mode On. All other modules are set to Digital Mode On and cannot be changed by the user.| –  Digital Mode On
–  Bumper Mode On
FSIN Module 1 Settings Channel| 8071:00| Settings for input module 1 (inputs 01 – 02)| –
Channel1. Input Filter time| 8071:01| Filter time for an input in the unit 100 µs. After the expiry of this time the signal state is transmitted to the logic on an edge change at the input. This value must be adapted to the length of the test pulses if they are used.| 10 (1 ms)
Channel1. Diag Test Pulse Filter Time| 8071:02| Filter time for an input in the unit 100 µs. This time must elapse before a measurement of the momentary signal state is carried out after an edge change. This value should be adapted to the length of the test pulses if they are used.| 3 (300 µs)
Channel1. TestPulse Diag Mode| 8071:03| The output channel from which the test pulse is expected must be set here| External Test pulse or drop-down list of the EK1960 outputs
Channel2. Input Filter time| 8071:04| Filter time for an input in the unit 100 µs. After the expiry of this time the signal state is transmitted to the logic on an edge change at the input. This value must be adapted to the length of the test pulses if they are used.| 10 (1 ms)
Channel2. Diag Test Pulse Filter Time| 8071:05| Filter time for an input in the unit 100 µs. This time must elapse before a measurement of the momentary signal state is carried out after an edge change. This value should be adapted to the length of the test pulses if they are used.| 3 (300 µs)
PrmName| Index| Meaning| Value
---|---|---|---
Channel2. TestPulse Diag Mode| 8071:06| The output channel from which the test pulse is expected must be set here| External Testpulse or drop-down list of the EK1960 outputs

Corresponding parameters are available for input modules 1 to 10 (inputs 01 to 20) under the indices 8071:0 to 80E1:0 (in 10hex steps – 8071, 8081, 8091, 80A1 and so on).
The input modules 9 and 10 have additional parameters under indices 80F0:0 and 8100:0 with which the operation modes Digital Mode On and Bumper Mode On can be set. The input modules 9 and 10 have a fault evaluation per channel when using the Bumper Mode, so there are also 2 separate Module Fault signals. When using the digital mode, both signals are set in the case of a module fault.
Module use within the safety logic
Other than with external alias devices, only the corresponding module (two inputs or four outputs) is assigned to the respective TwinSAFE group when selecting an input or output signal of the local alias device. All other modules can be assigned to further TwinSAFE groups. A decouple FB can be used to make the inputs of a module available to a further group.
5.3.3.9 Creating the safety application
The safety application is realized in the SAL worksheet pertaining to the TwinSAFE group (SAL – Safety Application Language).
The toolbox provides all the function blocks available on the EL6910/EJ6910. The function blocks can be moved from the toolbox into the SAL worksheet via drag and drop. Variables can be created by clicking next to a function block input or output, which can then be linked with alias devices in the Variable Mapping dialog. Once the pointer connector has been selected from the toolbox, connections between the input and output ports of the function blocks can be dragged with the mouse. 5.3.3.10 Networks
For structuring the safety application, several networks can be created within a sale worksheet. Right-click in the worksheet and select Add After and Network or Add Before and Network to create a network after or before the current network. The instance path to the FB port to be linked can be specified, in order to exchange signals between the networks. The instance path consists of the network name, the FB name and the FB port, each separated by a dot. The input of the instance path is case-sensitive.