Application Guide Twin Safe en

Application guide
TwinSAFE
Version: 1.3.1
Date:
2012-02-01
Table of contents
Table of contents
1 Foreword
1.1
1.2
Notes on the manual
1.1.1
Disclaimer
1.1.2
Trademarks
1.1.3
Patent Pending
1.1.4
Copyright
Safety instructions
1.2.1
Delivery state
1.2.2
Operator's obligation to exercise diligence
1.2.3
Description of safety symbols
1.2.4
Explanation of terms
2 Circuit examples
2.1
2.2
2.3
2.4
2.5
2.6
2.7
ESTOP function variant 1 (Category 3, PL d)
2.1.1
Parameters of the safe input and output terminals
2.1.2
Block formation and safety loops
2.1.3
Calculation
13
2.2.1
13
2.2.2
14
2.2.3
Calculation
14
ESTOP function variant 3 (Category 4, PL e)
19
2.3.1
19
2.3.2
20
2.3.3
Calculation
20
25
2.4.1
25
2.4.2
26
2.4.3
Calculation
26
31
2.5.1
31
2.5.2
32
2.5.3
Calculation
32
37
2.6.1
37
2.6.2
38
2.6.3
Calculation
38
Application Guide TwinSAFE
43
1
Table of contents
2.8
2.9
2.7.1
43
2.7.2
44
2.7.3
Calculation
44
Protective door function variant 1 (Category 3, PL d)
49
2.8.1
49
2.8.2
50
2.8.3
Calculation
50
Protective door function variant 2 (Category 4, PL e)
55
2.9.1
55
2.9.2
56
2.9.3
Calculation
56
2.10 Protective door function with area monitoring (Category 4, PL e)

2.10.1 Parameters of the safe input and output terminals
62
2.10.2 Block formation and safety loops
62
2.10.3 Calculation
63
2.11 Protective door function with tumbler (Category 4, PL e)
68
68
69
2.11.3 Calculation
69
2.12 Two-hand control (Category 4, PL e)
75
75
76
2.12.3 Calculation
76
2.13 Laser scanner (Category 3, PL e)
80
80
81
2.13.3 Calculation
81
2.14 Light curtain (Category 4, PL e)
85
85
86
2.14.3 Calculation
86
2.15 Safety switching mat / safety bumper (Category 4, PL e)
90
90
91
2.15.3 Calculation
91
2.16 Muting (Category 4, PL e)
61
95
95
96
2.16.3 Calculation
96
Table of contents
2.17 Feeding in a potential group (Category 4, PL e)
101
102
102
2.17.3 Calculation
102
107
108
109
2.18.3 Calculation
109
2.19 Networked plant (Category 4, PL e)
114
115
115
2.19.3 Calculation
115
2.20 Drive option AX5801 with stop function SS1 (Category 4, PL e)
120
121
121
2.20.3 Calculation
121
2.21 Drive option AX5805 with stop function SS2 (Category 4, PL e)
126
126
127
2.21.3 Calculation
127
2.22 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (single-channel)

(Category 1, PL c)
131
131
131
2.22.3 Calculation
131
2.23 Direct wiring of the TwinSAFE outputs to TwinSAFE inputs (2-channel)

(Category 3, PL d)
134
134
134
2.23.3 Calculation
135
3 Technical report TV Sd
137
4 Appendix
138
4.1
Beckhoff Support and Service
138
4.1.1
Beckhoff branches and partner companies Beckhoff Support
138
4.1.2
Beckhoff company headquarters
138
Foreword
1 Foreword
1.1 Notes on the manual
This description is only intended for the use of trained specialists in control and automation technology
who are familiar with the applicable national standards. It is essential that the following notes and
explanations are followed when installing and commissioning these components.
The responsible staff must ensure that the application or use of the products described satisfy all the
requirements for safety, including all the relevant laws, regulations, guidelines and standards.
1.1.1
Disclaimer
The documentation has been prepared with care. The products described are, however, constantly under
development. For that reason the documentation is not in every case checked for consistency with
performance data, standards or other characteristics.
In the event that it contains technical or editorial errors, we retain the right to make alterations at any time
and without warning.
No claims for the modification of products that have already been supplied may be made on the basis of
the data, diagrams and descriptions in this documentation.
1.1.2
Trademarks
Beckhoff , TwinCAT , EtherCAT , Safety over EtherCAT , TwinSAFE and XFC are registered
trademarks of and licensed by Beckhoff Automation GmbH.
Other designations used in this publication may be trademarks whose use by third parties for their own
purposes could violate the rights of the owners.
1.1.3
Patent Pending
The EtherCAT Technology is covered, including but not limited to the following patent applications and
patents: EP1590927, EP1789857, DE102004044764, DE102007017835 with corresponding applications
or registrations in various other countries.
The TwinCAT Technology is covered, including but not limited to the following patent applications and
patents: EP0851348, US6167425 with corresponding applications or registrations in various other
countries.
1.1.4
Copyright
Beckhoff Automation GmbH.

The reproduction, distribution and utilization of this document as well as the communication of its contents
to others without express authorization are prohibited. Offenders will be held liable for the payment of
damages. All rights reserved in the event of the grant of a patent, utility model or design.
Foreword
1.2 Safety instructions

1.2.1
Delivery state
All the components are supplied in particular hardware and software configurations appropriate for the
application. Modifications to hardware or software configurations other than those described in the
documentation are not permitted, and nullify the liability of Beckhoff Automation GmbH.
1.2.2
Operator's obligation to exercise diligence
The operator must ensure that

the TwinSAFE products are only used as intended
the TwinSAFE products are only operated in sound condition and in working order.
the TwinSAFE products are operated only by suitably qualified and authorized personnel.
the personnel is instructed regularly about relevant occupational safety and environmental
protection aspects, and is familiar with the operating instructions and in particular the safety
instructions contained herein.
the operating instructions are in good condition and complete, and always available for reference
at the location where the TwinSAFE products are used.
none of the safety and warning notes attached to the TwinSAFE products are removed, and all
notes remain legible.
Foreword
1.2.3
Description of safety symbols
The following safety symbols are used in these operating instructions. They are intended to alert the
reader to the associated safety instructions.
Serious risk of injury!
DANGER
Failure to follow the safety instructions associated with this symbol directly endangers
the life and health of persons.
Caution Risk of injury!
WARNING
Failure to follow the safety instructions associated with this symbol endangers the life
and health of persons.
Personal injuries!
CAUTION
Failure to follow the safety instructions associated with this symbol can lead to injuries
to persons.
Damage to the environment or devices
Attention
Failure to follow the instructions associated with this symbol can lead to damage to the
environment or equipment.
Tip or pointer
Notice
1.2.4
This symbol indicates information that contributes to better understanding.
Explanation of terms
Designation
Explanation
B10d
Mean number of cycles after 10% of the components have dangerously

failed
CCF
Common Cause Failure
dop
Mean operating time in days per year
DCavg
Average diagnostic coverage
hop
Mean operating time in hours per day
MTTFd
Mean Time To dangerous Failure
nop
Mean number of annual actuations
PFH
Probability of a dangerous failure per hour
PL
Performance Level
PLr
Required Performance Level
Tcycle
Mean time between two successive cycles of the system (given in

minutes in the following examples, but can also be given in seconds)
Circuit examples
2 Circuit examples
2.1 ESTOP function variant 1 (Category 3, PL d)
The emergency stop button is connected via two break contacts to an EL1904 safe input terminal. The
testing and monitoring of the discrepancy of the two signals are activated. The restart and the feedback
signal are wired to standard terminals and are transferred to TwinSAFE via standard PLC. The contactors
K1 and K2 are connected in parallel to the safe output. Current measurement and testing of the output
are active for this circuit.
2.1.1
EL1904
Parameter
Sensor test channel 1 active
Logic channel 1 and 2
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Current measurement active
Output test pulses active
Value
Yes
Yes
Circuit examples
2.1.2
2.1.2.1
Block 1
K1
S1
EL1904
EL6900
EL2904
K2
2.1.3
Calculation
2.1.3.1
PFH / MTTFd /B10d values
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
S2 B10d
10,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
Days of operation (dop)
230
Hours of operation / day (hop)
16
Cycle time (minutes) (Tcycle)
10080 (1x per week) (7 days, 24 hours)
Lifetime (T1)
20 years = 175200 hours
2.1.3.2
Diagnostic Coverage DC
Component
Value
S1 with testing/plausibility
DCavg=99%
K1/K2 with testing and EDM (actuation 1x per week)
DCavg=60%
K1/K2 with testing and EDM (actuation 1x per shift)
DCavg=90%
2.1.3.3
Calculation for block 1
Calculation of the PFH and MTTFd values from the B10d values:
From:

60

and:

10
0.1
Circuit examples
Inserting the values, this produces:

S1:
230 16 60
21.90
10080
100000

45662.1y 399999120h
0.1 21.90

K1/K2:
230 16 60
21.90
10080
1300000

593607.3y 5199997320h
0.1 21.90

and the assumption that S1, K1 and K2 are in each case single-channel:

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
2.50E $ 11
45662.1 8760
K1/K2: Actuation 1x per week
!"
1 $ 0.60
7.69E $ 11
593607.3 8760
K1/K2: Actuation 1x per shift
!"
1 $ 0.90
1.92E $ 11
593607.3 8760
The following assumptions have to be made now:

Safety switch S1: According to BIA report 2/2008, error exclusion up to 100,000 cycles is possible,
provided the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation
as follows.
Relays K1 and K2 are both connected to the safety function. The non-functioning of a relay does not lead
to a dangerous situation, but it is discovered by the feedback signal. Furthermore, the B10d values for K1
and K2 are identical.
There is a coupling coefficient between the components that are connected via two channels. Examples
are temperature, EMC, voltage peaks or signals between these components. This is assumed to be the
worst-case estimation, where =10%. EN 62061 contains a table with which this -factor can be
precisely determined. Further, it is assumed that all usual measures have been taken to prevent both
channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts, over
temperature in the control cabinet).
Circuit examples
This produces for the calculation of the PFH value for block 1:
PFHtot= PFH(S1) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + * (PFH(K1)+

PFH(K2))/2 + PFH(S2) + PFH(EL1904)
Since the portion (PFH(K1)* PFH(K2))*T1 is smaller than the rest by the power of ten, it is neglected
in this and all further calculations for the purpose of simplification.
to:
PFHtot= 2.50E-11 + 1.11E-09 + 1.03E-09 + 1.25E-09 + 10% * (7.96E-11+7.96E-11)/2 =
3.42E3.42E-09
in the case of actuation 1x per week

or
PFHtot= 2.50E-11+1.11E-09 + 1.03E-09 + 1.25E-09 + 10% * (1.92E-11+1.92E-11)/2=

3.42E3.42E-09
in the case of actuation 1x per shift
The MTTFd value for block 1 (based on the same assumption) is calculated with:
=
1
1
=<

=

;;
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
+
(
(D1))
with:
(S1) =
10 (A1)
0.1
(K1) =
10 (D1)
0.1
If only PFH values are available for EL1904 and EL6900, the following estimation applies:
(ELxxxx) =
(1 $ %&(BCFFF))
!"(BCFFF)
Hence:
(EL1904) =
10
(1 $ 0.99)
G1 $ %&(BC1904)H
0.01
=
=
= 1028.8y
!"(BC1904)
1.11E $ 09 @I 8760 IJ 9.72E $ 06 @J
Circuit examples
#EL6900'
#1 $ 0.99'
G1 $ %&#BC6900'H
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @ 8760 IJ 9.02E $ 06 @J
I
#EL2904'
#1 $ 0.99'
G1 $ %&#BC2904'H
0.01

913.2y
!"#BC2904'
1.25E $ 09 @ 8760 IJ 1.1E $ 05 @J
I
MTTFd tot=
@
L
L
L
L
L
R
R
R
R
MNOOP.LQ LSPT.TQ LLST.OQ ULV.PQ NUVOSW.VQ
UU%
333.98X
UU%
UU%
UU%
OS%
OS%
R
R
R
R
LSPT.T LLST.O ULV.P NUVOSW.V NUVOSW.V
L
L
L
L
L
R
R
R
R
R
MNOOP.L LSPT.T LLST.O ULV.P NUVOSW.V NUVOSW.V
98.96%
UU%
UU%
UU%
UU%
US%
US%
R
R
R
R
R
L
L
L
L
L
L
R
R
R
R
R
98.99%
DCavg= MNOOP.L
L
or:
DCavg=
Measures for attaining category 3!

CAUTION
This structure is possible up to category 3 at the most, since an error in the feedback
path of the relays may be undiscovered. In order to attain category 3, all rising and
falling edges must be evaluated together with the time dependence in the controller for
the feedback expectation!
Implement a restart lock in the machine!

CAUTION
The restart lock is NOT part of the safety chain and must be implemented in the
machine!
MTTFd
Designation for each channel
low
medium
high
Range for each channel

3 years MTTFd < 10 years
30 years MTTFd 100 years
DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
11
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
12
Circuit examples

testing of the two signals is activated. The signals are not tested for discrepancy. The restart and the
feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC.
The contactors K1 and K2 are connected in parallel to the safe output. Current measurement and testing
of the output are active for this circuit.
2.2.1
EL1904
Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes
13
Circuit examples
2.2.2
2.2.2.1
Block 1
K1
S1
EL1904
EL6900
EL6900
K2
2.2.3
Calculation
2.2.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
S2 B10d
10,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
10080 (1x per week)
Lifetime (T1)
2.2.3.2
Component
Value
S1 with testing / without plausibility
DCavg=90%
K1/K2 with testing and EDM (actuation 1x per

week and indirect feedback)
DCavg=60%
K1/K2 with testing and EDM (actuation 1x per shift

and direct feedback)
DCavg=90%
2.2.3.3
From:

60

and:
14
Circuit examples

10
0.1
Insertion of the values results in:

S1:
230 16 60
21.90
10080
100000

45662.1y 399999120h
0.1 21.90

K1/K2:
230 16 60
21.90
10080
1300000

593607.3y 5199997320h
0.1 21.90


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.90
2.50E $ 10
45662.1 8760
K1/K2: actuation 1x per week
!"
1 $ 0.60
7.69E $ 11
593607.3 8760
K1/K2: actuation 1x per shift
!"
1 $ 0.90
1.92E $ 11
593607.3 8760

Safety switch S1: According to BIA report 2/2008, error exclusion to up to 100,000 cycles is possible,
as follows.
15
Circuit examples


PFH(K2))/2
to:
PFHtot= 2.50E-10 + 1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (7.96E-11+7.96E-11)/2 =

3.65E3.65E-09
in the case of actuation 1x per week and indirect feedback

or
PFHtot= 2.50E-10+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.92E-11+1.92E-11)/2 =

3.65E3.65E-09
in the case of actuation 1x per shift and direct feedback
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
+
(
(D1))
with:
(S1) =
10 (A1)
0.1
(K1) =
10 (D1)
0.1
16
Circuit examples
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 I 8760 J 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 8760 J 9.02E $ 06 @J
I
#EL2904'
MTTFd tot=
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
@
L
L
L
L
L
R
R
R
R
US%
333.98X
UU%
UU%
UU%
OS%
OS%
R
R
R
R
L
L
L
L
L
R
R
R
R
R
98.89%
US%
UU%
UU%
UU%
US%
US%
R
R
R
R
R
L
L
L
L
L
L
R
R
R
R
R
98.92%
DCavg= MNOOP.L
L
or:
DCavg=

CAUTION
This structure is possible only up to category 3 at the most on account of a possible

sleeping error. In order to attain category 3, all rising and falling edges must be
evaluated together with the time dependence in the controller for the feedback
expectation!

CAUTION
machine!
MTTFd
low
medium
high

17
Circuit examples
DCavg
Designation
none
low
medium
high
Category
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
18
Circuit examples
2.3 ESTOP function variant 3 (Category 4, PL e)

testing of the two signals is activated. These signals are checked for discrepancy. The restart and the
feedback signal are wired to standard terminals and are transferred to TwinSAFE via the standard PLC.
Furthermore, the output of the ESTOP function block and the feedback signal are wired to an EDM block.
This checks that the feedback signal assumes the opposing state of the ESTOP output within the set
time.
2.3.1
EL1904
Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
19
Circuit examples
EL2904
Parameter
Value
Yes
Yes
2.3.2
2.3.2.1
Block 1
K1
S1
EL1904
EL6900
EL2904
K2
2.3.3
Calculation
2.3.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
S2 B10d
10,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
10080 (1x per week)
Lifetime (T1)
2.3.3.2
Component
Value
DCavg=99%

DCavg=90%

DCavg=99%
2.3.3.3
20
Circuit examples
From:

60

and:

10
0.1

S1:
230 16 60
21.90
10080
100000

45662.1y 399999120h
0.1 21.90

K1/K2:
230 16 60
21.90
10080
1300000

593607.3y 5199997320h
0.1 21.90


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
2.50E $ 11
45662.1 8760
K1/K2: actuation 1x per week
!"
1 $ 0.90
1.92E $ 11
593607.3 8760
K1/K2: actuation 1x per shift
!"
1 $ 0.99
1.92E $ 12
593607.3 8760
21
Circuit examples

as follows.

PFH(K2))/2
to:
PFHtot= 2.50E-11+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.92E-11+1.92E-11)/2 =
3.42E3.42E-09
in the case of actuation 1x per week and indirect feedback

or
PFHtot= 2.50E-11+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.92E-11+1.92E-11)/2 =
3.42E3.42E-09
in the case of actuation 1x per shift and direct feedback
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
+
(
(D1))
with:
(S1) =
22
10 (A1)
0.1
Circuit examples
#K1'
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
MTTFd tot=
@
L
L
L
L
L
R
R
R
R
UU%
333.98X
UU%
UU%
UU%
US%
US%
R
R
R
R
L
L
L
L
L
R
R
R
R
R
98.99%
UU%
UU%
UU%
UU%
UU%
UU%
R
R
R
R
R
L
L
L
L
L
L
R
R
R
R
R
99.00%
DCavg= MNOOP.L
L
or:
DCavg=

CAUTION
This structure is possible up to category 4 at the most. In order to attain category 4, all
rising and falling edges must be evaluated together with the time dependence in the
controller for the feedback expectation!

CAUTION
machine!
23
Circuit examples
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
For practical usability, the number of the ranges was limited to four. An accuracy of 5% is assumed for the limit
values shown in this table.
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
24
Circuit examples

The emergency stop button with two break contacts, the restart and the feedback loop are connected to
safe channels of an EL1904 input terminal. The testing of the signals is activated. The two emergency
stop signals are tested for discrepancy. The contactors K1 and K2 are connected in parallel to the safe
output. Current measurement and testing of the output are active for this circuit.
2.4.1
EL1904 (applies to all EL1904 used)

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes
25
Circuit examples
2.4.2
2.4.2.1
Block 1
K1
S1
EL1904
EL6900
EL2904
S2
EL1904
K2
2.4.3
Calculation
2.4.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
S2 B10d
10,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
10080 (1x per week)
Lifetime (T1)
2.4.3.2
Component
Value
DCavg=99%
S2 with plausibility
DCavg=90%

DCavg=90%

DCavg=99%
2.4.3.3
From:

60

and:
26
Circuit examples

10
0.1

S1:
230 16 60
21.90
10080
100000

45662.1y 399999120h
0.1 21.90

S2:
230 16 60
21.90
10080
10000000

4566210.0y 4E10h
0.1 21.90

K1/K2:
230 16 60
21.90
10080
1300000

593607.3y 5199997320h
0.1 21.90

and the assumption that S1, S2, K1 and K2 are in each case single-channel:

1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
2.50E $ 11
45662.1 8760
S2:
!"
1 $ 0.90
2.50E $ 12
4566210.0 8760
K1/K2: actuation 1x per shift and direct feedback
!"
1 $ 0.99
1.92E $ 12
593607.3 8760
27
Circuit examples

as follows.

PFH(K2))/2 + PFH(S2) + PFH(EL1904)
to:
PFHtot= 2.50E-11+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.92E-11+1.92E-11)/2 +

2.50E-12 + 1.11E-09 = 4.53E4.53E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
1
1
+
+
+
(
(D1))
(A2)
(BC1904)
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
28
Circuit examples
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 I 8760 J 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @I 8760 IJ 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
MTTFd tot=
DCavgs=
@
L
L
L
L
L
L
L
R
R
R
R
R
R
MNOOP.LQ LSPT.TQ LLST.OQ ULV.PQ NUVOSW.VQ MNOOPLS.SQ LSPT.TQ
252.1X
UU%
UU%
UU%
UU%
US%
US%
US%
UU%
R
R
R
R
R
R
R
MNOOP.L LSPT.T LLST.O ULV.P NUVOSW.V NUVOSW.V MNOOPLS.S LSPT.T
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
98.99%
UU%
UU%
UU%
UU%
UU%
UU%
US%
UU%
R
R
R
R
R
R
R
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
99.0%
or:
DCavgs=
Category
This structure is possible up to category 4 at the most.
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
29
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
30
Circuit examples

stop signals are tested for discrepancy. Contactors K1 and K2 are wired to different output channels. The
A2 connections of the two contactors are fed together to ground. The current measurement of the output
channels is deactivated for this circuit. The testing of the outputs is active.
2.5.1

Parameter
EL2904
Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
Value
No
Yes
31
Circuit examples
2.5.2
2.5.2.1
Block 1
K1
S1
EL1904
EL6900
EL2904
S2
EL1904
K2
2.5.3
Calculation
2.5.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
S2 B10d
10,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
10080 (1x per week)
Lifetime (T1)
2.5.3.2
Component
Value
DCavg=99%
DCavg=90%

2.5.3.3
DCavg=90%
DCavg=99%
From:

60

and:
32
Circuit examples

10
0.1

S1:
230 16 60
21.90
10080
100000

45662.1y 399999120h
0.1 21.90

S2:
230 16 60
21.90
10080
10000000

4566210.0y 4E10h
0.1 21.90

K1/K2:
230 16 60
21.90
10080
1300000

593607.3y 5199997320h
0.1 21.90

and the assumption that S1, S2, K1 and K2 are each single-channel:

1

produces for
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
2.50E $ 11
45662.1 8760
S2:
!"
1 $ 0.90
2.50E $ 12
4566210.0 8760
!"
1 $ 0.99
1.92E $ 12
593607.3 8760
33
Circuit examples

as follows.
channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts,
overtemperature in the control cabinet).

PFH(K2))/2 + PFH(S2) + PFH(EL1904)
to:
PFHtot= 2.50E-11+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.92E-11+1.92E-11)/2 +

2.50E-12 + 1.11E-09 = 4.53E4.53E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
1
1
+
+
+
(
(D1))
(A2)
(BC1904)
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
34
Circuit examples
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
!"#BC1904'
1.11E $ 09 @ 8760 IJ 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @ 8760 IJ 9.02E $ 06 @J
I
#EL2904'
MTTFd tot=
DCavgs=
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
@
L
L
L
L
L
L
L
R
R
R
R
R
R
UU%
UU%
UU%
UU%
US%
US%
US%
UU%
R
R
R
R
R
R
R
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
252.1X
98.99%
or:
UU%
UU%
UU%
UU%
UU%
UU%
US%
UU%
R
R
R
R
R
R
LSPT.T LLST.O ULV.P NUVOSW.V NUVOSW.V MNOOPLS.S LSPT.T
L
L
L
L
L
L
L
R
R
R
R
R
R
R
DCavgs= MNOOP.L
L
99.0%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
35
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
36
Circuit examples

stop signals are tested for discrepancy. Contactors K1 and K2 are wired to different output channels. The
A2 connections of the two contactors are fed together to ground. The current measurement of the output
channels is deactivated for this circuit. The testing of the outputs is not active.
Category
Notice
2.6.1
This structure is possible for a maximum of category 3, due to a possible latent error.
The EL2904 terminal is only SIL2 in this example- therefore, the entire structure is only
SIL2.

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
37
Circuit examples
EL2904
Parameter
Value
No
No
2.6.2
2.6.2.1
Block 1
K1
S1
EL1904
EL6900
EL2904
S2
EL1904
K2
2.6.3
Calculation
2.6.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
S2 B10d
10,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
10080 (1x per week)
Lifetime (T1)
2.6.3.2
Component
Value
DCavg=99%
DCavg=90%
K1/K2 without testing and with EDM via a safe

input
DCavg=90%
38
Circuit examples
2.6.3.3
From:

60

and:

10
0.1

S1:
230 16 60
21.90
10080
100000

45662.1y 399999120h
0.1 21.90

S2:
230 16 60
21.90
10080
10000000

4566210.0y 4E10h
0.1 21.90

K1/K2:
230 16 60
21.90
10080
1300000

593607.3y 5199997320h
0.1 21.90


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
2.50E $ 11
45662.1 8760
S2:
!"
1 $ 0.90
2.50E $ 12
4566210.0 8760
!"
1 $ 0.99
1.92E $ 12
593607.3 8760
39
Circuit examples

Safety switch S1: According to BIA report 2/2008, error exclusion to up 100,000 cycles is possible,
as follows.
channels failing unsafely at the same time due to an error (e.g. overcurrent through relay contacts,
overtemperature in the control cabinet).

PFH(K2))/2 + PFH(S2) + PFH(EL1904)
to:
PFHtot= 2.50E-11+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.92E-11+1.92E-11)/2 +

2.50E-12 + 1.11E-09 = 4.53E4.53E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
1
1
+
+
+
(
(D1))
(A2)
(BC1904)
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
40
Circuit examples
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @I 8760 IJ 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
MTTFd tot=
@
L
L
L
L
L
L
L
R
R
R
R
R
R
UU%
UU%
UU%
UU%
US%
US%
US%
UU%
R
R
R
R
R
R
L
L
L
L
L
L
L
R
R
R
R
R
R
R
DCavgs= MNOOP.L
L
252.1X
98.99%
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
41
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
42
Circuit examples

safe channels of an EL1904 input terminal. The testing of the emergency stop button is deactivated on
both channels. The sensor test is activated for the restart button and the feedback loop. The two
emergency stop signals are tested for discrepancy. The contactors K1 and K2 are connected in parallel to
the safe output. Current measurement and testing of the output are active for this circuit.
2.7.1
1. EL1904
Parameter
Value
Yes
not used
No
No
Single Logic
Single Logic
2. EL1904
Parameter
Value
not used
not used
Yes
not used
Single Logic
Single Logic
43
Circuit examples
EL2904
Parameter
Value
Yes
Yes
2.7.2
2.7.2.1
Block 1
K1
S1
EL1904
EL6900
EL2904
S2
EL1904
K2
2.7.3
Calculation
2.7.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
S2 B10d
10,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
10080 (1x per week)
Lifetime (T1)
2.7.3.2
Component
Value
DCavg=90%
DCavg=90%

DCavg=90%

DCavg=99%
44
Circuit examples
2.7.3.3
From:

60

and:

10
0.1

S1:
230 16 60
21.90
10080
100000

45662.1y 399999120h
0.1 21.90

S2:
230 16 60
21.90
10080
10000000

4566210.0y 4E10h
0.1 21.90

K1/K2:
230 16 60
21.90
10080
1300000

593607.3y 5199997320h
0.1 21.90


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

MTTF10
S1:
!"
1 $ 0.90
2.50E $ 10
45662.1 8760
S2:
!"
1 $ 0.90
2.50E $ 12
4566210.0 8760
!"
1 $ 0.99
1.92E $ 12
593607.3 8760
45
Circuit examples

provided the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as
follows.

PFH(K2))/2 + PFH(S2) + PFH(EL1904)
to:
PFHtot= 2.50E-10+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.92E-11+1.92E-11)/2 +

2.50E-12 + 1.11E-09 = 4.75E4.75E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
1
1
+
+
+
(
(D1))
(A2)
(BC1904)
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
(ELxxxx) =
46
(1 $ %&(BCFFF))
!"(BCFFF)
Circuit examples
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @ 8760 IJ 1.1E $ 05 @J
I
MTTFd tot=
@
L
L
L
L
L
L
L
R
R
R
R
R
R
US%
252.1X
UU%
UU%
UU%
US%
US%
US%
UU%
R
R
R
R
R
R
L
L
L
L
L
L
L
R
R
R
R
R
R
R
98.94%
US%
UU%
UU%
UU%
UU%
UU%
US%
UU%
R
R
R
R
R
R
R
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
98.95%
DCavgs= MNOOP.L
L
or:
DCavgs=
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
90 % DC < 99 %
90 % DC < 99 %
99 % DC
47
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
48
Circuit examples
2.8 Protective door function variant 1 (Category 3, PL d)

The protective door uses a combination of break and make contacts on the safe inputs of an EL1904. The
testing of the inputs is active and the signals are tested for discrepancy (200 ms). The feedback loop is
read via a standard input and transferred to TwinSAFE via the standard PLC. The contactors K1 and K2
are connected in parallel to the safe output. Current measurement and testing of the output are active for
this circuit.
2.8.1

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes
49
Circuit examples
2.8.2
2.8.2.1
Block 1
S1
K1
EL1904
EL6900
EL2904
S2
K2
2.8.3
Calculation
2.8.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
1,000,000
S2 B10d
2,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
15 (4x per hour)
Lifetime (T1)
2.8.3.2
Component
Value
S1/S2 with testing/plausibility
DCavg=99%
K1/K2 with testing and EDM
DCavg=90%
2.8.3.3
From:

60

and:

50
10
0.1
Circuit examples

S1:
230 16 60
14720
15
1000000

679.3y 5951087h
0.1 14720

S2:
230 16 60
14720
15
2000000

1358.7y 11902174h
0.1 14720

K1/K2:
230 16 60
14720
1
1300000

883.2y 7736413h
0.1 14720


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
1.68E $ 9
679.3 8760
S2:
!"
1 $ 0.99
8.4E $ 10
1358.7 8760
K1/K2:
!"
1 $ 0.90
1.29E $ 8
883.2 8760

The door switches S1/S2 are always actuated in opposite directions. Since the switches have different
values, but the complete protective door switch consists of a combination of break and make contacts
and both switches must function, the poorer of the two values (S1) can be taken for the combination!
51
Circuit examples
PFHtot= * (PFH(S1)+ PFH(S2))/2 + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

(PFH(K1)+ PFH(K2))/2
to:
PFHtot= 10%* (1.68E-09+1.68E-09)/2 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.29E08+1.29E-08)/2 = 4.85E4.85E-09
=
1
1
=<

=

;;
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
+
(
(D1))
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
(ELxxxx) =
52
(1 $ %&(BCFFF))
!"(BCFFF)
Circuit examples
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
!"#BC1904'
1.11E $ 09 @ 8760 IJ 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @ 8760 IJ 9.02E $ 06 @J
I
#EL2904'
MTTFd tot=
DCavg=
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
@
L
L
L
L
L
R
R
R
R
OWU.VQ LSPT.TQ LLST.OQ ULV.PQ TTV.PQ
179.4X
UU%
UU%
UU%
UU%
UU% US% US%
R
R
R
R
R
R
OWU.V LVNT.W LSPT.T LLST.O ULV.P TTV.P TTV.P
L
L
L
L
L
L
L
R
R
R
R
R
R
OWU.V LVNT.W LSPT.T LLST.O ULV.P TTV.P TTV.P
96.26%

CAUTION
This structure is possible only up to category 3 at the most on account of a possible

sleeping error. In order to attain category 3, all rising and falling edges must be
evaluated together with the time dependence in the controller for the feedback
expectation!
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
53
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
54
Circuit examples
2.9 Protective door function variant 2 (Category 4, PL e)

read in via a safe input. The contactors K1 and K2 are connected in parallel to the safe output. Current
measurement and testing of the output are active for this circuit.
2.9.1

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes
55
Circuit examples
2.9.2
2.9.2.1
Block 1
S1
K1
EL1904
EL6900
EL2904
EL1904
S2
K2
2.9.3
Calculation
2.9.3.1
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
1,000,000
S2 B10d
2,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
15 (4x per hour)
Lifetime (T1)
2.9.3.2
Component
Value
DCavg=99%
DCavg=99%
2.9.3.3
From:

60

and:

56
10
0.1
Circuit examples

S1:
230 16 60
14720
15
1000000

679.3y 5951087h
0.1 14720

S2:
230 16 60
14720
15
2000000

1358.7y 11902174h
0.1 14720

K1/K2:
230 16 60
14720
15
1300000

883.2y 7736413h
0.1 14720


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
1.68E $ 9
679.3 8760
S2:
!"
1 $ 0.99
8.4E $ 10
1358.7 8760
K1/K2:
!"
1 $ 0.99
1.29E $ 09
883.2 8760
57
Circuit examples
The following assumptions must now be made:

PFHtot= * (PFH(S1)+ PFH(S2))/2 + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

(PFH(K1)+ PFH(K2))/2 + PFH(EL1904)
to:
PFHtot= 10%* (1.68E-09+1.68E-09)/2 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.29E09+1.29E-09)/2 +1.11E-09 = 4.80E4.80E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
1
+
+
(
(D1))
(BC1904)
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
58
Circuit examples
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @I 8760 IJ 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
MTTFd tot=
UU%
@
L
L
L
L
L
L
R
R
R
R
R
OWU.VQ LSPT.TQ LLST.OQ ULV.PQ TTV.PQ LSPT.TQ
152.7X
UU%
UU%
UU%
UU% UU% UU%
UU%
R
R
R
R
R
R
LVNT.W LSPT.T LLST.O ULV.P TTV.P TTV.P LSPT.T
L
L
L
L
L
L
L
R
R
R
R
R
R
R
OWU.V LVNT.W LSPT.T LLST.O ULV.P TTV.P TTV.P LSPT.T
DCavg= OWU.V
L
99.0%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
59
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
60
Circuit examples
2.10 Protective door function with area monitoring

(Category 4, PL e)
read in via a safe input. The proximity switches S3 and S4 are wired to safe inputs and detect, for
example, when a dangerous machine part is in a safe position so that the protective door may be opened
when the machine is running. The testing of these inputs is deactivated so that the static 24 V voltage of
the sensors can be used.
61
Circuit examples

EL1904 (upper EL1904 on the drawing)
Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL1904 (lower EL1904 on the drawing)

Parameter
Value
No
No
Yes
Yes
Single Logic
Single Logic

Parameter
Value
Yes
Yes

2.10.2.1 Block 1
S1
K1
EL1904
S2
EL6900
EL2904
K2
S3
EL1904
S4
62
Circuit examples
2.10.3 Calculation
2.10.3.1 PFH / MTTFd /B10d values
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
1,000,000
S2 B10d
2,000,000
S3 B10d
20,000,000
S4 B10d
20,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
15 (4x per hour)
Lifetime (T1)
2.10.3.2 Diagnostic Coverage DC

Component
Value
DCavg=99%
S3/S4 with without testing / with plausibility
DCavg=90%
DCavg=99%
2.10.3.3 Calculation for block 1

From:

60

and:

10
0.1

S1:
230 16 60
14720
15
1000000

679.3y 5951087h
0.1 14720

63
Circuit examples
S2:
230 16 60
14720
15
2000000

1358.7y 11902174h
0.1 14720

S3:
230 16 60
14720
15
20000000

13586.9y 119021739h
0.1 14720

S4:
230 16 60
14720
15
20000000

13586.9y 119021739h
0.1 14720

K1/K2:
230 16 60
21.90
10080
1300000

883.2y 7736413h
0.1 21.90

and the assumption that S1, S2, S3, S4, K1 and K2 are in each case single-channel:

1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
1.68E $ 9
679.3 8760
S2:
!"
1 $ 0.99
8.4E $ 10
1358.7 8760
S3/S4:
!"
1 $ 0.90
8.4E $ 10
13586.9 8760
K1/K2:
!"
64
1 $ 0.99
1.29E $ 9
883.2 8760
Circuit examples

The proximity switches S3/S4 are monitored for plausibility (temporal/logical) and are type A systems
according to EN61508 (simple components whose behavior under error conditions is fully known). The
safe position is driven to once per shift.
to a dangerous situation, but it is discovered by the feedback. Furthermore, the B10d values for K1 and
K2 are identical.
PFHtot= * (PFH(S1|S2| EL1904)+ PFH(S3|S4| EL1904)) /2 + PFH(EL6900) +

PFH(EL2904) + * (PFH(K1)+ PFH(K2))/2
with
PFH(S1|S2| EL1904)= * (PFH(S1)+PFH(S2))/2 + PFH(EL1904)
PFH(S3|S4| EL1904)= * (PFH(S3)+ PFH(S4))/2 + PFH(EL1904)
to:
PFH(S1|S2| EL1904) = 10% *(1.68E-09+ 8.4E-10)/2 +1.11E-09 = 1.24E-09

PFH(S3|S4| EL1904) = 10% *(8.4E-10+ 8.4E-10)/2 +1.11E-09 = 1.19E-09
PFHtot= 10 % * (1.24E-09+1.19E-09) /2 + 1.03E-09 + 1.25E-09 + 10 % * (1.29E09+1.29E-09) /2 = 2.53E2.53E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(BC2904)
1
+
(
(D1))
65
Circuit examples
with:
#S1'
10 #A1'
0.1
#S2'
10 #A2'
0.1
#S3'
10 #A3'
0.1
#S4'
10 #A4'
0.1
#K1'
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
MTTFd tot=
UU%
@
L
L
L
L
L
R
R
R
R
OWU.VQ LSPT.TQ LLST.OQ ULV.PQ TVV.PQ
177.3X
UU%
US%
US%
UU%
UU%
UU%
UU% UU% UU%
R
R
R
R
R
R
R
R
LVNT.W LVNTO.U LVNTO.U LSPT.T LSPT.T LLST.O ULV.P TVV.P TVV.P
L
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
R
R
OWU.V LVNT.W LVNTO.U LVNTO.U LSPT.T LSPT.T LLST.O ULV.P TVV.P TVV.P
DCavg=OWU.V
L
66
98.85%
Circuit examples
Category
Notice
This structure is possible up to category 4 at the most. The monitoring of sensors S3

and S4 must be temporally and logically programmed.
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
67
Circuit examples
2.11 Protective door function with tumbler (Category 4, PL e)

The protective door has two contacts, S1 door closed and S2 door closed and locked, which are wired
to safe inputs of an EL1904. The testing of the inputs is active. Checking of the signals for discrepancy
cannot take place, because there is no temporal relationship between the signals. The feedback loop and
the restart signal are read via a safe input. The testing of the inputs is active. The contactors K1 and K2
are connected in parallel to the safe output. Current measurement and testing of the output are active for
this circuit.
The tumbler is switched via 2 safe inputs in which testing is active. Testing and current measurement is
active on the safe output for the tumbler.
OPEN
S1
K1
K2
Restart
CLOSED
S2
Logical connection in
the EL6900
K1
Lock
K2
Unlock

Parameter
68
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
Circuit examples

Parameter
Value
Yes
Yes

2.11.2.1 Block 1
S1
EL1904
EL6900
Lock
S2
EL2904
tumbler
UnLock
K1
EL2904
EL1904
Restart
K2
2.11.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
2,000,000
S2 B10d
Restart - B10d
2,000,000
10,000,000
Lock B10d
100,000
Unlock B10d
100,000
K1 B10d
1,300,000
K2 B10d
1,300,000
Tumbler B10d
2,000,000
230
16
15 (4x per hour)
Lifetime (T1)
69
Circuit examples

Component
Value
S1 with testing
DCavg=90%
S2 with testing and expectation
DCavg=99%
Lock/unlock with testing/plausibility
DCavg=99%
Restart
DCavg=99%
DCavg=99%
Tumbler
DCavg=99%

From:

60

and:

10
0.1

S1:
230 16 60
14720
15
2000000

1358.7y 11902174h
0.1 14720

S2:
230 16 60
14720
15
2000000

1358.7y 11902174h
0.1 14720

Lock/Unlock:
230 16 60
14720
15
100000

67.9y 595108h
0.1 14720

K1/K2:
230 16 60
21.90
10080
1300000

883.2y 7736413h
0.1 21.90

70
Circuit examples
Restart:
230 16 60
14720
15
10000000

6793.5y 59511060h
0.1 14720

Tumbler:
230 16 60
14720
15
2000000

1358.7y 11902173h
0.1 14720

and the assumption that S1, S2, S3, S4, K1, K2 and the tumbler are in each case single-channel:

1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.90
8.40E $ 09
1358.7 8760
S2:
!"
1 $ 0.99
8.40E $ 10
1358.7 8760
Lock/Unlock:
!"
1 $ 0.99
1.68E $ 08
67.9 8760
Restart:
!"
1 $ 0.90
1.68E $ 09
6793.5 8760
K1/K2:
!"
1 $ 0.99
1.29E $ 09
883.2 8760
Tumbler:
!"
1 $ 0.99
8.40E $ 10
1358.7 8760
71
Circuit examples

The door switches S1/S2 must both be actuated. Since the switches have different values, but the
complete protective door switch consists of a combination of break and make contacts and both switches
must function, the poorer of the two values (S1) can be taken for the combination!
K2 are identical.
The tumbler is mechanically connected to the switch S2 in such a way that a separation of the coupling is
impossible.
The restart is monitored, so that a signal change is only valid once the door is closed.
PFHtot= * (PFH(S2|Lock|UNlock|EL2904|Tumbler)+ PFH(S1))/ 2 + PFH(EL1904) +

PFH(EL6900) + PFH(EL2904) + * (PFH(K1)+ PFH(K2))/2+PFH(EL1904) +
PFH(Restart)
with
PFH(S2|Lock|UNlock|EL2904|Tumbler) = PFH(S2)+ * (PFH(Lock)+PFH(Unlock))/2 +

PFH (EL2904) + PFH (Tumbler)
to:
PFH(S2|Lock|UNlock|EL2904|Tumbler) = 8.4E-10 + 10%* (1.68E-08+1.68E-08)/2 +

1.25E-09 + 8.40E-10 = 4.61E-09
PFHtot= 10 %* (4.61E-09+8.40E-09)/2 + 1.11E-09 + 1.03E-09 + 1.25E-09 + 10%*
(1.29E-09+1.29E-09)/2 + 1.11E-09 + 1.68E-09 = 6.96E6.96E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
=
+

;;
(A2|Cjkl|mnojkl|BC2904|pqrosqt)
(BC1904)
1
1
1
+
+
+

(BC6900)
(BC2904) (
(D1))
1
1
+
+
(
(BC1904)) (
(uvwsrxs))
72
Circuit examples
with:
#S1'
10 #A1'
0.1
#S2'
10 #A2'
0.1
#Lock'
10 #Cjkl'
0.1
#Unlock'
10 #mojkl'
0.1
#Tumbler'
#K1'
10 #A4'
0.1
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
I
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
73
Circuit examples
#S2|Lock|UNlock|EL2904|Tumbler'
1
1
1
1
4
4
4

#A2'
#Cjkl'
#BC2904'
#
qyzovx'
1

57.82X
1
1
1
1
4 67.9X 4 913.2X 4
1358.7X
1358.7X
@
MTTFd tot=
UU%
L
L
L
L
L
L
R
R
R
R
R
NW.TPQ LSPT.TQ LLST.OQ ULV.PQ TTV.PQ OWUV.NQ
46.42X
UU% UU% UU% UU%

UU%
UU%
UU%
UU% UU% UU%
UU%
US%
R
R
R
R
R
R
R
R
R
R
R
LVNT.W OW.U OW.U ULV.P LVNT.W LSPT.T LLST.O ULV.P TTV.P TTV.P LSPT.T OWUV.N
L
L
L
L
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
R
R
R
R
R
NW.TP LVNT.W OW.U OW.U ULV.P LVNT.W LSPT.T LLST.O ULV.P TTV.P TTV.P LSPT.T OWUV.N
DCavg= NW.TP
L
98.98%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Category
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
74
Circuit examples
2.12 Two-hand control (Category 4, PL e)

The two-hand buttons each consist of a combination of break and make contacts on safe inputs of an
EL1904. The testing of the inputs is active and the signals are tested for discrepancy (200 ms). In
addition, the synchronous actuation of the two buttons is activated with a monitoring time of 500 ms.
The feedback loop is read in via a safe input. The contactors K1 and K2 are connected in parallel to the
safe output. Current measurement and testing of the output are active for this circuit.

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes
75
Circuit examples

2.12.2.1 Block 1
S1
K1
EL1904
EL6900
EL2904
EL1904
S2
K2
2.12.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
20,000,000
S2 B10d
20,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
1 (1x per minute)
Lifetime (T1)

Component
Value
DCavg=99%
DCavg=99%

From:

60

and:

76
10
0.1
Circuit examples

S1/S2:
230 16 60
220800
1
20000000

905.8y 7934783h
0.1 220800

K1/K2:
230 16 60
220800
1
1300000

58.9y 515760h
0.1 220800


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1/S2:
!"
1 $ 0.99
1.26E $ 09
905.8y 8760
K1/K2:
!"
1 $ 0.99
1.93E $ 8
58.9 8760

K2 are identical.
77
Circuit examples
PFHtot= * (PFH(S1)+PFH(S2))/2 + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

(PFH(K1)+PFH(K2))/2 +PFH(EL1904)
to:
PFHtot= 10%* (1.26E-09+1.26E-09) / 2 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%*

(1.93E-08+1.93E-08) / 2 + 1.11E-09 = 6.56E6.56E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(BC2904)
1
1
+
+
(
(D1))
(BC1904)
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
(ELxxxx) =
(1 $ %&(BCFFF))
!"(BCFFF)
Hence:
(EL1904) =
(1 $ 0.99)
G1 $ %&(BC1904)H
0.01
=
=
= 1028.8y
@
I
!"(BC1904)
1.11E $ 09 I 8760 J 9.72E $ 06 @J
(EL6900) =
(1 $ %&(BC6900))
(1 $ 0.99)
0.01
=
=
= 1108.6y
!"(BC6900)
1.03E $ 09 @I 8760 IJ 9.02E $ 06 @J
78
Circuit examples
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 8760 J 1.1E $ 05 @J
I
MTTFd tot=
DCavg=
@
L
L
L
L
L
L
R
R
R
R
R
USN.TQ LSPT.TQ LLST.OQ ULV.PQ NT.UQ LSPT.TQ
UU% UU%
UU%
UU%
UU% UU% UU% UU%
R
R
R
R
R
R
R
USN.T USN.T LSPT.T LLST.O ULV.P NT.U NT.U LSPT.T
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
USN.T USN.T LSPT.T LLST.O ULV.P NT.U NT.U LSPT.T
45.4X
99.0%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Category
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
79
Circuit examples
2.13 Laser scanner (Category 3, PL e)

The laser scanner has two OSSD outputs (Output Signal Switching Device), which are wired to safe
inputs of an EL1904. The testing of the inputs is not active, since the OSSD outputs carry out their own
test. Furthermore, the signals are checked for discrepancy (200 ms). The feedback loop is read via a safe
input. Testing is active for this input. The contactors K1 and K2 are connected in parallel to the safe

Parameter
EL2904
Parameter
80
Value
No
No
Yes
Yes
OSSD any pulse repetition
Single Logic
Value
Yes
Yes
Circuit examples

2.13.2.1 Block 1
K1
Scanner
EL1904
EL6900
EL2904
K2
2.13.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
Laser scanner PFHd
7.67E-08
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
10 (6x per hour)
Lifetime (T1)

Component
Value
OSSD1/2 with testing (by scanner) / plausibility
DCavg=90%
DCavg=99%

From:

60

and:

10
0.1
81
Circuit examples

K1/K2:
230 16 60
22080
10
1300000

588.7y 5157012h
0.1 22080

and the assumption that K1 and K2 are in each case single-channel:

1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
K1/K2:
!"
1 $ 0.99
1.94E $ 9
588.7 8760

K2 are identical.
PFHtot= PFH(Scanner) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + * (PFH(K1)+

PFH(K2))/2
to:
PFHtot= 7.67E-08 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.94E-09+1.94E-09)/2=

8.03E8.03E-08
=
1
1
=<

;;

=
>?@
82
Circuit examples
as:
1
1
1
1

4
4

;;
#Akrvx'
#BC1904'
#BC6900'
1
1
4
4

#BC2904' #
#D1''
with:
#K1'
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
!"#BC1904'
1.11E $ 09 @I 8760 IJ 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
#Scanner'
#1 $ 0.90'
G1 $ %&#Akrvx'H
0.1

148.8y
@
I
!"#Akrvx'
7.67E $ 08 I 8760 J 6.72E $ 04 @J
MTTFd tot=
DCavg=
@
L
L
L
L
L
R
R
R
R
LMT.TQ LSPT.TQ LLST.OQ ULV.PQ NTT.WQ
US%
UU%
UU%
UU% UU% UU%
R
R
R
R
R
LMT.T LSPT.T LLST.O ULV.P NTT.W NTT.W
L
L
L
L
L
L
R
R
R
R
R
LMT.T LSPT.T LLST.O ULV.P NTT.W NTT.W
87.8X
94.38%
Category
Notice
This structure is possible up to category 3 at the most through the use of the type 3
(category 3) laser scanner.
83
Circuit examples
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Category
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
84
Circuit examples
2.14 Light curtain (Category 4, PL e)

The light curtain has two OSSD outputs (Output-Signal-Switching-Device), which are wired to safe inputs
of an EL1904. The testing of the inputs is not active, since the OSSD outputs carry out their own test.
Furthermore, the signals are checked for discrepancy (200 ms). The feedback loop is read via a safe
input. Testing is active for this input. The contactors K1 and K2 are connected in parallel to the safe
K1
K2
OSSD 1
OSSD 2
K1
K2
the EL6900

EL1904
Parameter
Value
No
No
Yes
Yes
OSSD asynchronous analysis
Single Logic
EL2904
Parameter
Value
Yes
Yes
85
Circuit examples

2.14.2.1 Block 1
K1
Light
EL1904
curtain
EL6900
EL2904
K2
2.14.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
Light curtain PFHd
1.50E-08
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
5 (12x per hour)
Lifetime (T1)

Component
Value
OSSD1/2 with testing (by light curtain) / plausibility
DCavg=99%
DCavg=99%

From:

60

and:

86
10
0.1
Circuit examples

K1/K2:
230 16 60
44160
5
1300000

294.4y 2578944h
0.1 44160


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
K1/K2:
!"
1 $ 0.99
3.88E $ 9
294.4 8760

K2 are identical.
PFHtot= PFH(light curtain) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

to:
PFHtot= 1.50E-08 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (3.88E-09+3.88E-09)/2 =

1.88E1.88E-08
=
1
1
=<

;;

=
>?@
87
Circuit examples
as:
1
1
1
1

4
4

;;
#C|ks}jxrt'
#BC1904'
#BC6900'
1
1
4
4

#BC2904' #
#D1''
with:
#K1'
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
!"#BC1904'
1.11E $ 09 @I 8760 IJ 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
#Light curtain'
76.1y
MTTFd tot=
UU%
#1 $ 0.99'
G1 $ %&#C|ts kqxsr|'H
0.01

@
I
!"#C|ts kqxsr|'
1.50E $ 08 I 8760 J 1.31E $ 04 @J
L
L
L
L
L
R
R
R
R
WO.LQ LSPT.TQ LLST.OQ ULV.PQ PUM.MQ
UU%
UU%
UU% UU% UU%
R
R
R
R
LSPT.T LLST.O ULV.P NTT.W PUM.M
L
L
L
L
L
R
R
R
R
R
WO.L LSPT.T LLST.O ULV.P NTT.W PUM.M
DCavg= WO.L
L
88
51.3X
99.0%
Circuit examples
Category
Notice
(category 4) light curtain.
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Category
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
89
Circuit examples
2.15 Safety switching mat / safety bumper (Category 4, PL e)

Safety switching mats or safety bumpers work according to the cross-circuit principle. The contact
surfaces of the device are wired to safe inputs of an EL1904. The testing of the inputs is active and the
signals are tested for discrepancy (200 ms). As soon as a cross-circuit between the signals is detected
(switching mat is stepped on), a logical 0 is signalled by the EL1904 input terminal. If the cross-circuit is
no longer present, a logical 1 is signalled. The feedback loop is read in via a safe input. The testing of the
input is active here also. The contactors K1 and K2 are connected in parallel to the safe output. Current
measurement and testing of the output are active for this circuit.

Parameter
Value
Yes
Yes
Yes
Yes
Short cut is no module fault
Single Logic
EL2904
Parameter
Value
Yes
Yes
90
Circuit examples

2.15.2.1 Block 1
K1
Safety
EL1904
bumper
EL6900
EL2904
K2
2.15.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
Switching mat B10d
6.00E06
K1 B10d
1,300,000
K2 B10d
1,300,000
230
16
1 (1x per minute)
Lifetime (T1)

Component
Value
Switching outputs (mat) with testing/plausibility
DCavg=99%
DCavg=99%

From:

60

and:

10
0.1
91
Circuit examples

K1/K2:
230 16 60
220800
1
1300000

58.9y 515761h
0.1 220800

Switching mat:
230 16 60
220800
1
6.00E06

271.7y 2380434h
0.1 220800


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
K1/K2:
!"
1 $ 0.99
1.94E $ 08
58.9 8760
Switching mat:
!"
1 $ 0.99
4.20E $ 09
271.7 8760

K2 are identical.
PFHtot= PFH(switching mat) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

92
Circuit examples
to:
PFHtot 4.20E-09+1.11E-09 + 1.03E-09 + 1.25E-09 + 10%* (1.94E-08+1.94E-08)/2 =

9.53E9.53E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
=
+
+

;;
(A|sk|t yrs)
(BC1904)
(BC6900)
1
1
+
+

(BC2904) (
(D1))
with:
(K1) =
10 (D1)
0.1
(ELxxxx) =
(1 $ %&(BCFFF))
!"(BCFFF)
Hence:
(EL1904) =
(1 $ 0.99)
G1 $ %&(BC1904)H
0.01
=
=
= 1028.8y
@
I
!"(BC1904)
1.11E $ 09 I 8760 J 9.72E $ 06 @J
(EL6900) =
(1 $ %&(BC6900))
(1 $ 0.99)
0.01
=
=
= 1108.6y
@
I
!"(BC6900)
1.03E $ 09 I 8760 J 9.02E $ 06 @J
(EL2904) =
(1 $ %&(BC2904))
(1 $ 0.99)
0.01
=
=
= 913.2y
!"(BC2904)
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
@
MTTFd tot=
UU%
L
L
L
L
L
R
R
R
R
PWL.WQ LSPT.TQ LLST.OQ ULV.PQ NT.UQ
UU%
UU%
UU% UU% UU%
R
R
R
R
LSPT.T LLST.O ULV.P NT.U NT.U
L
L
L
L
L
R
R
R
R
R
PWL.W LSPT.T LLST.O ULV.P NT.U NT.U
DCavg= PWL.W
L
= 42.3X
= 99.0%
93
Circuit examples
Category
Category 4 is attainable due to the structure of the circuit.
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Category
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
94
Circuit examples
2.16 Muting (Category 4, PL e)

The light curtain has two OSSD outputs (Output-Signal-Switching-Device), which are wired to safe inputs
of an EL1904. The testing of the inputs is not active, since the OSSD outputs carry out their own test.
Furthermore, the signals are checked for discrepancy (200 ms). The feedback loop is read via a safe
input. The muting switches and the enable switch are also wired to safe inputs. Testing is active for these
inputs.
The contactors K1 and K2 are connected in parallel to a safe output. The muting lamp is also wired to a
safe output. Current measurement and testing of the output are active for this circuit.

EL1904 (upper terminal on the drawing)
Parameter
Value
No
No
Yes
Yes
OSSD asynchronous analysis
Single Logic
EL1904 (lower terminal on the drawing)

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
95
Circuit examples
EL2904
Parameter
Value
Yes
Yes

2.16.2.1 Block 1
K1
MS
K2
MS
Lightcurtain
EL1904
EL6900
EL2904
MS
EL1904
S1
MS
2.16.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
100,000
Light curtain PFHd
1,50E-08
MS1 B10d
100,000
MS2 B10d
100,000
MS3 B10d
100,000
MS4 B10d
100,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
60 (1x per hour)
Lifetime (T1)
96
Circuit examples

Component
Value
OSSD1/2 with testing (by light curtain) / plausibility
DCavg=99%
MS1/2/3/4 with testing/plausibility
DCavg=90%
DCavg=99%
S1 with testing
DCavg=90%

From:

60

and:

10
0.1

S1:
230 8 60
1840
60
100000

543.5y 4761060h
0.1 1840

K1/K2:
230 8 60
1840
60
1300000

7065.2 61891152h
0.1 1840

MS1/MS2/MS3/S4:
230 8 60
1840
60
100000

543.5y 4761060h
0.1 1840


1

97
Circuit examples
results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.90
2.10E $ 8
543.5 8760
K1/K2:
!"
1 $ 0.99
1.62E $ 10
7065.2 8760
MS1/MS2/MS3/S4:
!"
1 $ 0.90
2.10E $ 8
543.5 8760

K2 are identical.
PFHtot= PFH(light curtain) + PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

(PFH(K1)+PFH(K2))/2 + * (PFH(MS1)+PFH(MS2))/2 + *
(PFH(MS3)+PFH(MS4))/2 + PFH(EL1904) + PFH(S1)
to:
PFHtot= 1.50E-08 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%*(1.62E-10+1.62E-10) / 2 +
10%*(2.10E-08+2.10E-08) / 2 + 10%*(2.10E-08+2.10E-08) / 2 +1.11E-09 +

2.10E-08 = 4.47E4.47E-08
=
1
1
=<

;;

=
>?@
98
Circuit examples
as:
1
1
1
1

4
4

;;
#C|ts kqxsr|'
#BC1904'
#BC6900'
1
1
1
1
4
4
4
4

#BC2904' #
#D1'' #
#A1'' #
#A3''
1
1
4
4

#BC1904'
#A1'
with:
#K1'
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 I 8760 J 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @ 8760 IJ 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
#Light curtain'
76.1y
#MS1/MS3'
#1 $ 0.99'
G1 $ %&#C|ts kqxsr|'H
0.01

!"#C|ts kqxsr|'
1.50E $ 08 @I 8760 IJ 1.31E $ 04 @J
#1 $ 0.90'
G1 $ %&#A1/A3'H
0.1

!"#A1/A3'
2.10E $ 8 @I 8760 IJ 1.84E $ 04 @J
543.6y
MTTFd tot=
@
L
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
R
WO.LQ LSPT.TQ LLST.OQ ULV.PQ WSON.PQ NMV.OQ NMV.OQ LSPT.TQ NMV.NQ
44.0X
99
Circuit examples
UU%
UU%
UU%
UU%
UU%
UU%
US% US% US% US%
UU%
UU%
R
R
R
R
R
R
R
R
R
R
LSPT.T LLST.O ULV.P WSON.P WSON.P NMV.O NMV.O NMV.O NMV.O LSPT.T NMV.N
L
L
L
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
R
R
R
R
WO.L LSPT.T LLST.O ULV.P WSON.P WSON.P NMV.O NMV.O NMV.O NMV.O LSPT.T NMV.N
DCavg= WO.L
L
96.51%
Category
Notice
(category 4) light curtain.
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
100
Circuit examples

testing of the inputs is active and the signals are tested for discrepancy (200 ms). The contactors K1 and
K2 are connected in parallel to the safe output. Current measurement and testing of the output are active
for this circuit.
The diagnostic information from the KL/EL9110 (24 V is present on the power contacts) is negated,
afterwards combined with the feedback signals from contactors K1 and K2 through a Bool AND
composition and the result is applied to the EDM input.
The supply to the power contacts (24V and also 0 V) of the potential group is switched off with the NO
contacts of contactors K1 and K2 . The 0 V potentials of the load employed (in this case K3 and K4) must
always be fed back to the potential group.
Safety consideration
Notice
The safety consideration ends at K1/K2. The EL/KL9110 and EL/KL2xxx terminals
used are not taken into account for the calculation.
I/O RUN
BK9000
BECKHOFF
I/O ERR
KL2xx2 KL2xx2 KL9xxx KL2xx2 KL2xx2 KL9010

BECKHOFF BECKHOFF BECKHOFF BECKHOFF BECKHOFF BECKHOFF
101
Circuit examples

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes

2.17.2.1 Block 1
S1
K1
EL1904
EL6900
EL2904
EL1904
S2
K2
2.17.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
1,000,000
S2 B10d
2,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
15 (4x per hour)
Lifetime (T1)
102
Circuit examples

Component
Value
DCavg=99%
DCavg=99%

From:

60

and:

10
0.1

S1:
230 8 60
7360
15
1000000

1358.7y 11902212h
0.1 7360

S2:
230 8 60
7360
15
2000000

2717.4y 23804424h
0.1 7360

K1/K2:
230 8 60
7360
15
1300000

1766.3y 15472788h
0.1 7360


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
103
Circuit examples
S1:
!"
1 $ 0.99
8.40E $ 10
1358.7 8760
S2:
!"
1 $ 0.99
4.20E $ 10
2717.4 8760
K1/K2:
!"
1 $ 0.99
6.46E $ 10
1766.3 8760

values, but the complete protective door switch consists of a combination of normally closed and normally
open contacts and both switches must function, the poorer of the two values (S1) can be taken for the
combination!
K2 are identical.
PFHtot= * (PFH(S1)+ PFH(S2))/2+ PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

(PFH(K1)+ PFH(K2))/2 + PFH(EL1904)
to:
PFHtot= 10%*(8.40E-10+4.20E-10) / 2 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%*(6.46E10+6.46E-10) / 2 + 1.11E-09 = 4.63E4.63E-09
=
1
1
=<

;;

=
>?@
104
Circuit examples
as:
1
1
1
1
1

4
4
4

;;
#A1'
#BC1904'
#BC6900'
#2904'
1
1
4
4
#
#D1''
#BC1904'
with:
#S1'
10 #A1'
0.1
#S2'
10 #A2'
0.1
#K1'
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
MTTFd tot=
UU%
@
L
L
L
L
L
L
R
R
R
R
R
LVNT.WQ LSPT.TQ LLST.OQ ULV.PQ LWOO.VQ LSPT.TQ
190.7X
UU%
UU%
UU%
UU%
UU%
UU%
UU%
R
R
R
R
R
R
PWLW.M LSPT.T LLST.O ULV.P LWOO.V LWOO.V LSPT.T
L
L
L
L
L
L
L
R
R
R
R
R
R
R
LVNT.W PWLW.M LSPT.T LLST.O ULV.P LWOO.V LWOO.V LSPT.T
DCavg= LVNT.W
L
99.0%
105
Circuit examples
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Category
Range
DC < 60 %
60 % DC < 90 %
60 % DC < 90 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
106
Circuit examples

testing of the inputs is active and the signals are tested for discrepancy (200 ms). The contactors K1 and
K2 are connected in parallel to the safe output. Current measurement and testing of the output are active
for this circuit.
The diagnostic information from the KL/EL9110 (24 V is present on the power contacts) is negated,
afterwards combined with the feedback signals from contactors K1 and K2 through a Bool AND
composition and the result is applied to the EDM input.
Only the 24 V supply to the power contacts of the potential group is switched off with the NO contacts of
contactors K1 and K2. The 0 V connection of the power contacts is fed directly back to the 0 V of the
power supply.
The 0 V potentials of the load employed (in this case K3 and K4) is always fed back to the potential
group.
Supply voltage must never be applied to an output!
CAUTION
The 24 V supply voltage must never be applied to an output of a digital output terminal!
This wiring error is not reliably detected by the system.
Cross-circuits between the outputs!

CAUTION
Cross-circuits between the outputs of different digital output terminals must be avoided
at all costs. These are not detected by the system.
In accordance with DIN EN ISO 13849-2, the following measures are necessary for the
assumption of the error exclusion external voltage:
Use of separately laid cables

Protection against external damage (e. g. by use of a cable duct)
Safety consideration
Notice
The safety consideration ends at K1/K2. The EL/KL9110 and EL/KL2xxx terminals
used are not taken into account for the calculation.
107
Circuit examples
I/O RUN
BK9000
BECKHOFF
I/O ERR
KL2xx2 KL2xx2 KL9xxx KL2xx2 KL2xx2 KL9010

BECKHOFF BECKHOFF BECKHOFF BECKHOFF BECKHOFF BECKHOFF

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes
108
Circuit examples
2.18.2
2.18.2.1 Block 1
S1
K1
EL1904
EL6900
EL2904
EL1904
S2
K2
2.18.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
S1 B10d
1,000,000
S2 B10d
2,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
15 (4x per hour)
Lifetime (T1)

Component
Value
DCavg=99%
DCavg=99%

From:

60

and:

10
0.1
109
Circuit examples

S1:
230 8 60
7360
15
1000000

1358.7y 11902174h
0.1 7360

S2:
230 8 60
7360
15
2000000

2717.4y 23804424h
0.1 7360

K1/K2:
230 8 60
7360
15
1300000

1766.3y 15472788h
0.1 7360


1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
8.40E $ 10
1358.7 8760
S2:
!"
1 $ 0.99
4.20E $ 10
2717.4 8760
K1/K2:
!"
110
1 $ 0.99
6.46E $ 10
1766.3 8760
Circuit examples

K2 are identical.
PFHtot= * (PFH(S1)+ PFH(S2))/2+ PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

(PFH(K1)+ PFH(K2))/2 + PFH(EL1904)
to:
PFHtot= 10%*(8.40E-10+8.40E-10) / 2 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%*(6.46E4.65E-09

10+6.46E-10)/ 2 +1.11E-09 = 4.65E-
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(2904)
1
1
+
+
(
(D1))
(BC1904)
with:
(S1) =
10 (A1)
0.1
(S2) =
10 (A2)
0.1
(K1) =
10 (D1)
0.1
111
Circuit examples
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @I 8760 IJ 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
MTTFd tot=
UU%
@
L
L
L
L
L
L
R
R
R
R
R
LVNT.WQ LSPT.TQ LLST.OQ ULV.PQ LWOO.VQ LSPT.TQ
190.7X
UU%
UU%
UU%
UU%
UU%
UU%
UU%
R
R
R
R
R
R
PWLW.M LSPT.T LLST.O ULV.P LWOO.V LWOO.V LSPT.T
L
L
L
L
L
L
L
R
R
R
R
R
R
R
LVNT.W PWLW.M LSPT.T LLST.O ULV.P LWOO.V LWOO.V LSPT.T
DCavg= LVNT.W
L
99.0%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
112
Range
DC < 60 %
90 % DC < 99 %
90 % DC < 99 %
99 % DC
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
113
Circuit examples
2.19 Networked plant (Category 4, PL e)

In this case, 2 plants are connected via Ethernet. The path can also be implemented by a Wireless
Ethernet connection. Each station switches the outputs K1 / K2 on only if the second machine does not
signal an emergency stop. The signals from the emergency stop button, the restart and the feedback loop
are wired to safe inputs. The output of the ESTOP block is linked to an AND block and additionally
signalled to the other machine via the network. The ESTOP output of the other machine is linked to an
AND block and the AND output then switches the contactors on the safe output terminal.
Testing and checking for discrepancy are activated for the input signals. The testing of the outputs is also
active.
RT Ethernet or Wireless
Ethernet
114
Circuit examples

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes

2.19.2.1 Block 1
K1
Safety over
S2
S1
EL1904
EL6900
EL2904
EtherCAT
K2
S1
EL1904
EL6900
2.19.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
Safety over EtherCAT
1.00E-09
S1 B10d
1,000,000
S2 B10d
2,000,000
K1 B10d
1,300,000
K2 B10d
1,300,000
230
15 (4x per hour)
Lifetime (T1)
115
Circuit examples

Component
Value
DCavg=99%
DCavg=90%

DCavg=99%

From:

60

and:

10
0.1

S1:
230 8 60
7360
15
1000000

1358.7y 11902212h
0.1 7360

S2:
230 8 60
7360
15
2000000

2717.4y 23804424h
0.1 7360

K1/K2:
230 8 60
7360
15
1300000

1766.3y 15472788h
0.1 7360


116
1

Circuit examples
results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
8.40E $ 10
1358.7 8760
S2:
!"
1 $ 0.90
4.20E $ 09
2717.4 8760
!"
1 $ 0.99
6.46E $ 10
1766.3 8760

as follows.
K2 are identical.
PFHtot= PFH(S1) + * (PFH(K1)+ PFH(K2))/2 + PFH(S2) + PFH(EL1904) +

PFH(EL6900) + PFH(EL2904) + PFH (S-o-E) + PFH(S1) + PFH(EL1904) +
PFH(EL6900)
to:
PFHtot= 8.40E-10+ 10%*(6.46E-10+6.46E-10) / 2 + 4.20E-09+1.11E-09 + 1.03E-09 +

1.25E-09 + 1.00E-09 + 8.40E-10+ 1.11E-09 + 1.03E-09= 1.25E1.25E-08
=
1
1
=<

;;

=
>?@
117
Circuit examples
as:
1
1
1
1
1

4
4
4

;;
#A1' #
#D1''
#A2'
#BC1904'
1
1
1
1
4
4
4
4

#BC6900'
#2904'
#A1'
#A $ j $ B'
1
1
4
4

#BC1904'
#BC6900'
with:
#S1'
10 #A1'
0.1
#S2'
10 #A2'
0.1
#K1'
10 #D1'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
!"#BC1904'
1.11E $ 09 @I 8760 IJ 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @I 8760 IJ 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
@
I
!"#BC2904'
1.25E $ 09 I 8760 J 1.1E $ 05 @J
#S $ o $ E'
#1 $ %&#A $ j $ B''
#1 $ 0.99'
0.01

@
I
!"#A $ j $ B'
1.00E $ 09 I 8760 J 8.76E $ 06 @J
1141.6y
MTTFd tot=
118
@
L
L
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
R
R
LVNT.W LWOO.V PWLW.MQ LSPT.TQ LLST.OQ ULV.PQ LVNT.WQ LSPT.TQ LSPT.TQ LLST.OQ
121.6X
Circuit examples
UU%
UU%
UU%
US%
UU%
UU%
UU%
UU%
UU%
UU%
UU%
R
R
R
R
R
R
R
R
R
LWOO.V LWOO.V PWLW.M LSPT.T LLST.O ULV.P LVNT.W LSPT.T LSPT.T LLST.O
L
L
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
R
R
R
LVNT.W LWOO.V LWOO.V PWLW.M LSPT.T LLST.O ULV.P LVNT.W LSPT.T LSPT.T LLST.O
DCavg= LVNT.W
L
98.62%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
119
Circuit examples
2.20 Drive option AX5801 with stop function SS1 (Category 4,

PL e)
By activating the emergency stop button inputs EStopIn1 and EStopIn2 of FB ESTOP are switched to
state 0, resulting in outputs EStopOut and EStopDelOut of FB ESTOP being switched to state 0. As
a result, a quick stop command is issued to the PLC and therefore the AX5000 via EtherCAT. The output
EStopDelOut of the ESTOP FB ensures that, after the expiry of a specified delay time (in this case e.g.
1000 ms), the 24 V supply of the safety option AX5801 is interrupted and the internal relays of the
AX5801 are thus de-energized. The two channels (motors) are switched torque-free via the internal
switch-off paths of the AX5000.
Testing and checking for discrepancy are activated for the input signals. The testing of the outputs is also
active. The relays of the 4 AX5801 option cards are wired in parallel to a safe output of the EL2904. The
feedback loops are wired in series to a safe input. The restart signal is wired to a non-safe input.
120
Circuit examples

Parameter
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
EL2904
Parameter
Value
Yes
Yes

2.20.2.1 Block 1
S1
EL1904
EL6900
AX5801
EL2904
AX5801
EL2904
AX5801
EL2904
AX5801
EL2904
AX5801
EL2904
AX5801
EL2904
AX5801
EL2904
AX5801
EL2904
EL2904
2.20.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
EL6900 PFH
1.03E-09
AX5801 B10d
780,000
S1 B10d
100,000
230
60 (1x per hour)
Lifetime (T1)
121
Circuit examples

Component
Value
DCavg=99%
AX5801
DCavg=99%

From:

60

and:

10
0.1

S1:
230 8 60
1840
60
100000

543.5y 4761060h
0.1 1840

AX5801:
230 8 60
1840
60
780000

4239.1y 37134516h
0.1 1840

and the assumption that S1 is single-channel:

1

results in a
!"
0.1 #1 $ %&' 1 $ DC

MTTF10
S1:
!"
1 $ 0.99
2.10E $ 9
543.5 8760
AX5801:
!"
122
1 $ 0.99
2.70E $ 10
4239.1 8760
Circuit examples

Safety switch S1: According to BIA report 2/2008, error exclusion to up 100,000 cycles is possible, provided
the manufacturer has confirmed this. If no confirmation exists, S1 is included in the calculation as follows.
PFHtot= PFH(S1)+ PFH(EL1904) + PFH(EL6900) + PFH(EL2904) + *

(4*PFH(AX5801)+ 4*PFH(AX5801))/2
to:
PFHtot = 2.10E-09 +1.11E-09 + 1.03E-09 + 1.25E-09 + 10%*(4*2.70E-10 + 4*2.70E10)/2 = 5.60E5.60E-09
=
1
1
=<

;;

=
>?@
as:
1
1
1
1
1
=
+
+
+

;;
(A1)
(BC1904)
(BC6900)
(BC2904)
1
1
1
+
+
+

(5801)
(5801)
(5801)
1
+

(5801)
with:
(S1) =
10 (A1)
0.1
(AX5801) =
10 (5801)
0.1
(ELxxxx)
(1 $ %&(BCFFF))
!"(BCFFF)
123
Circuit examples
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 8760 J 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
@
I
!"#BC6900'
1.03E $ 09 I 8760 J 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @ 8760 IJ 1.1E $ 05 @J
MTTFd tot=
@
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
NMV.NQ LSPT.TQ LLST.OQ ULV.PQ MPVU.LQ MPVU.LQ MPVU.LQ MPVU.LQ
173.8X
UU%
UU%
UU%
UU%
UU%
UU%
UU%
UU%
UU%
UU%
UU%
UU%
R
R
R
R
R
R
R
R
R
R
R
NMV.N LSPT.T LLST.O ULV.P MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L
L
L
L
L
L
L
L
L
L
L
L
L
R
R
R
R
R
R
R
R
R
R
R
NMV.N LSPT.T LLST.O ULV.P MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L MPVU.L
DCavg=
99.0%
Category
Notice

CAUTION
machine!
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
124
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
Circuit examples
Category
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
125
Circuit examples
2.21 Drive option AX5805 with stop function SS2 (Category 4,

PL e)
The protective door is connected with a combination of break and make contacts to an EL1904 safe input
terminal. Testing and checking for discrepancy are activated for the input signals. The output is linked on
the AX5805.
The feedback signals are checked via the control and status word returned by the drive option.
the EL6900
OPEN
S1
S2
CLOSED
AX5805
AX5000
AX5805
AX5000
AX5805
AX5000
AX5805
AX5000

Parameter
126
Value
Yes
Yes
Yes
Yes
Single Logic
Single Logic
Circuit examples
AX5805
Parameter
-
Value

2.21.2.1 Block 1
S1
EL1904
EL6900
EL2904
AX5805
AX5805
AX5805
AX5805
S2
2.21.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL6900 PFH
1.03E-09
AX5805 PFH
5.15E-09
S1 B10d
1,000,000
S2 B10d
2,000,000
230
60 (1x per hour)
Lifetime (T1)

Component
Value
DCavg=99%

From:

60

and:

10
0.1
127
Circuit examples

S1:
230 8 60
1840
60
1000000

5434.8y 47608848h
0.1 1840

S2:
230 8 60
1840
60
2000000

10869.6y 95217696h
0.1 1840

and the assumption that S1 and S2 are in each case single-channel:

1

results in a
!"
0.1 #1 $ %&' 1 $ DC

10
MTTF-
S1:
!"
1 $ 0.99
2.10E $ 10
5434.8 8760
S2:
!"
1 $ 0.99
1.05E $ 10
10869.6 8760

PFHtot= * (PFH(S1)+ PFH(S2))/2 + PFH(EL1904) + PFH(EL6900) + PFH(AX5805) +

PFH(AX5805) + PFH(AX5805) + PFH(AX5805)
to:
PFHtot= 10%* (2.10E-10+1.05E-10) / 2 +1.11E-09 + 1.03E-09 + 5.15E-09 + 5.15E-09 +

5.15E-09 + 5.15E-09 = 2.28E2.28E-08
128
Circuit examples
=
1
1
<

;;

=
>?@
as:
1
1
1
1
1

4
4
4

;;
#A1'
#BC1904'
#BC6900'
#5805'
1
1
1
4
4
4

#5805'
#5805'
#5805'
with:
#S1'
10 #A1'
0.1
#S2'
10 #A2'
0.1
#ELxxxx'
#1 $ %&#BCFFF''
!"#BCFFF'
Hence:
#EL1904'
#1 $ 0.99'
G1 $ %&#BC1904'H
0.01

1028.8y
@
I
!"#BC1904'
1.11E $ 09 I 8760 J 9.72E $ 06 @J
#EL6900'
#1 $ %&#BC6900''
#1 $ 0.99'
0.01

1108.6y
!"#BC6900'
1.03E $ 09 @I 8760 IJ 9.02E $ 06 @J
#EL2904'
#1 $ %&#BC2904''
#1 $ 0.99'
0.01

913.2y
!"#BC2904'
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
#AX5805'
#1 $ %&#AX5805''
#1 $ 0.99'
0.01

221.7y
@
I
!"#AX5805'
5.15E $ 09 I 8760 J 4.51E $ 05 @J
MTTFd tot=
@
L
L
L
L
L
L
L
R
R
R
R
R
R
NMVM.TQ LSPT.TQ LLST.OQ PPL.WQ PPL.WQ PPL.WQ PPL.WQ
49.8X
129
Circuit examples
UU%
UU%
UU%
UU%
UU% UU% UU% UU%
R
R
R
R
R
R
LVNT.W LSPT.T LLST.O PPL.W PPL.W PPL.W PPL.W
L
L
L
L
L
L
L
R
R
R
R
R
R
R
NMVM.T LVNT.W LSPT.T LLST.O PPL.W PPL.W PPL.W PPL.W
DCavg= NMVM.T
L
99.0%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Cat
Range
DC < 60 %
90 % DC < 99 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
130
Circuit examples
2.22 Direct wiring of the TwinSAFE outputs to TwinSAFE

inputs (single-channel) (Category 1, PL c)
The output of an EL2904 is wired directly to a safe input of an EL1904; the test pulses and current
measurement of the outputs and the sensor test of the inputs are thereby deactivated. Hence, checks for
cross-circuit and external feed on the cable are not possible.

EL1904
Parameter
Value
No
No
No
No
Single Logic
Single Logic
EL2904
Parameter
Value
No
No

2.22.2.1 Block 1
EL6900
EL2904
EL2904
EL1904
2.22.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
230
60 (1x per hour)
Lifetime (T1)
131
Circuit examples

Component
Value
EL1904/EL2904
DCavg=0%

PFHtot= PFH(EL1904) + PFH(EL2904)

to:
PFHtot= 1.11E-09 + 1.25E-09 = 2.36E2.36E-09

=
1
1
=<

;;

=
>?@
as:
1
1
1
=
+

;;
(BC1904)
(BC2904)
(1 $ %&(BCFFF))
!"(BCFFF)
(ELxxxx) =
Hence:
(EL1904) =
(1 $ 0)
G1 $ %&(BC1904)H
1
=
=
= 102881y
!"(BC1904)
1.11E $ 09 @ 8760 IJ 9.72E $ 06 @J
(EL2904) =
(1 $ %&(BC2904))
(1 $ 0)
1
=
=
= 90909.1y
!"(BC2904)
1.25E $ 09 @I 8760 IJ 1.1E $ 05 @J
MTTFd tot=
@
L
L
R
LSPTTLQ USUSU.LQ
S%
S%
USUSU.L
L
R
LSPTTL USUSU.L
DCavg= LSPTTL
L
132
= 48262.6X
= 0%
Circuit examples
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Cat
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
133
Circuit examples
2.23 Direct wiring of the TwinSAFE outputs to TwinSAFE

inputs (2-channel) (Category 3, PL d)
Two outputs of an EL2904 are wired directly to two safe inputs of an EL1904; the test pulses and current
measurement of the outputs and the sensor test of the inputs are thereby deactivated. On the input side,
both signals are checked for discrepancy within the TwinSAFE logic. Hence, both signals are checked for
their value, but no tests are active on the cable, so that possible external feeds are detected when
switching the outputs.

EL1904
Parameter
Value
No
No
No
No
Single Logic
Single Logic
EL2904
Parameter
Value
No
No

2.23.2.1 Block 1
134
EL6900
EL2904
EL2904
EL1904
EL2904
EL1904
Circuit examples
2.23.3 Calculation
Component
Value
EL1904 PFH
1.11E-09
EL2904 PFH
1.25E-09
230
60 (1x per hour)
Lifetime (T1)

Component
Value
EL1904/EL2904
DCavg=90%

PFHtot= PFH(EL1904) + PFH(EL2904)

to:
PFHtot= 1.11E-09 + 1.25E-09 = 2.36E2.36E-09

=
1
1
=<

;;

=
>?@
as:
1
1
1
=
+

;;
(BC1904)
(BC2904)
(ELxxxx) =
(1 $ %&(BCFFF))
!"(BCFFF)
Hence:
135
Circuit examples
#EL1904'
#1 $ 0.9'
G1 $ %&#BC1904'H
0.1

!"#BC1904'
1.11E $ 09 @ 8760 IJ 9.72E $ 06 @J
I
10288.1y

#EL2904'
MTTFd tot=
DCavg=
#1 $ 0.9'
G1 $ %&#BC2904'H
0.1

9090.9y
@
I
!"#BC2904'
1.25E $ 09 8760 J 1.1E $ 05 @J
@
L
L
R
LSPTT.LQ USUS.UQ
4826.3X
US%
US%
US%
US%
R
R
R
LSPTT.L LSPTT.L USUS.U USUS.U
L
L
L
L
R
R
R
LSPTT.L LSPTT.L USUS.U USUS.U
90%
Category
Notice
MTTFd
low
medium
high

DCavg
Designation
none
low
medium
high
Cat
Range
DC < 60 %
60 % DC < 90 %
90 % DC < 99 %
99 % DC
none
none
low
medium
low
medium
high
low
medium
high
DC
MTTFd
136
Technical report TV Sd
3 Technical report TV Sd
137
Appendix
4 Appendix
4.1 Beckhoff Support and Service
Beckhoff and their partners around the world offer comprehensive support and service, making available
fast and competent assistance with all questions related to Beckhoff products and system solutions.
4.1.1
Beckhoff branches and partner companies Beckhoff Support
Please contact your Beckhoff branch office or partner company for local support and service on Beckhoff
products!
The contact addresses for your country can be found in the list of Beckhoff branches and partner
companies: www.beckhoff.com. You will also find further documentation for Beckhoff components there.
4.1.2
Beckhoff company headquarters
Beckhoff Automation GmbH

Eiserstr. 5
33415 Verl
Germany
Phone: + 49 (0) 5246/963-0
Fax:
+ 49 (0) 5246/963-198
E-mail:
info@beckhoff.com
Web:
www.beckhoff.com
Beckhoff Support
Support offers you comprehensive technical assistance, helping you not only with the application of
individual Beckhoff products, but also with other, wide-ranging services:
world-wide support
design, programming and commissioning of complex automation systems
and extensive training program for Beckhoff system components
Hotline:
Fax:
E-mail:
+ 49 (0) 5246/963-157
+ 49 (0) 5246/963-9157
support@beckhoff.com
Beckhoff Service
The Beckhoff Service Center supports you in all matters of after-sales service:
on-site service
repair service
spare parts service
hotline service
Hotline:
Fax:
E-mail:
138
+ 49 (0) 5246/963-460
+ 49 (0) 5246/963-479
service@beckhoff.com

Application Guide Twin Safe en

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Application Guide Twin Safe en

Diunggah oleh

Hak Cipta:

Format Tersedia

Application guide

Notes on the manual

Operator's obligation to exercise diligence

Description of safety symbols

ESTOP function variant 1 (Category 3, PL d)

Parameters of the safe input and output terminals

Block formation and safety loops

ESTOP function variant 2 (Category 3, PL d)

Parameters of the safe input and output terminals

Block formation and safety loops

ESTOP function variant 3 (Category 4, PL e)

Parameters of the safe input and output terminals

Block formation and safety loops

ESTOP function variant 4 (Category 4, PL e)

Parameters of the safe input and output terminals

Block formation and safety loops

ESTOP function variant 5 (Category 4, PL e)

Parameters of the safe input and output terminals

Block formation and safety loops

ESTOP function variant 6 (Category 3, PL d)

Parameters of the safe input and output terminals

Block formation and safety loops

ESTOP function variant 7 (Category 4, PL e)