This walkthrough details how to configure safety for multiple Beckhoff AMP8000 series drives, but can be used for a single drive or AX8000 series drives as well. This only covers a simple STO application with the intention of the PLC handling reset of safety, drives, and error acknowledgment programmatically.
We will be using the information from TwinSAFE Tutorial 11: Safe Addressing for AMP and AMI, and TwinSAFE Tutorial 1: SafeMotion Wizard – Creating and configuring a Safe Motion project with SLS.
Load In IO
The drives and safety IO will need to have been scanned or added into your IO tree and axes created in a MOTION project. After downloading the Drive Manager 2 (DM2) software from Beckhoff, a project can be added to the TwinCAT solution. See Beckhoff’s Quick commissioning guide | EN TE5950 TC3 Drive Manager 2 for more information on setting up DM2.
With the system still in config mode, a new DM2 project can be created by right-clicking on the solution and selecting ‘Add’. Then, in the project tree, you can select the new project, and it will search for drives. In the popup, you should see every drive currently connected to the PLC.
In this example, DM2 automatically found all of the drives shown below. You can click “Check all” at the top for both options to enable automatic scanning of the motors and to select ‘Scan motor in Pre-Op’.

The other settings shown will be system specific; follow the specs for your motors. Any additional gearbox ratio and settings for the motor should be applied.
Then, make sure you Activate Config to push configuration settings and scaling from the DM2 project to the motors.
Create and Expose PLC Variables
Create a PLC project if you haven’t already. Our safety program will require input from the PLC. In either a global variable list (GVL) or a program (PRG), make your four output address variables.
OUT_bSafetyResetSignal AT %Q*: BOOL;
OUT_bSafetyRun AT %Q*: BOOL;
OUT_bSafetyErrorAck AT %Q*: BOOL;
OUT_bSafetyDriveErrorAck AT %Q*: BOOL;
Build the project so that the variables are generated in the instance of the PLC project and can later be used for linking.
Every TwinSAFE program for an EL6910 or newer logics is required to have “RUN” and “ERRACK” signals linked to standard signals, which we are calling OUT_bSafetyRun and OUT_bSafetyErrorAck, as error acknowledgement is not automatic in TwinSAFE. Without these, the TwinSAFE Group our function blocks are in will not execute. Additionally, we have created a reset signal (OUT_bSafetyResetSignal) that we can use in the PLC to reset our function blocks when specific conditions are met. This could be from an external push button, an HMI screen, or some other code condition.
Lastly, specific to the fact that we are making a safety program for Beckhoff Motors with embedded safety cards, we have a separate error acknowledgment signal (OUT_bSafetyDriveErrorAck) for the drives. This is because many types of drives require explicit error acknowledgement, and it may be that this needs to be distinct from error acknowledgment of the entire TwinSAFE group. The operating manual for your specific drive’s safety card is the best reference.
Creating the Standard EL6910 Safety Project
Click the blue cog icon in the top left of the TwinCAT toolbar to swap the system back into config mode and select yes on the popup to activate free run. This will allow for proper scanning of terminals.
Now, a standard TwinSAFE project can be created by right clicking on the safety node and selecting ‘Add New Item’. In the window, select “TwinCAT Safety Project Preconfigured Inputs” to create a project with preconfigured inputs.

In the project’s Target System, select the terminal you will use as your safety controller. For this example, here is the relevant safety IO.

We have an EtherCAT coupler, a power supply terminal, a safety digital input/output card, a standard digital output card, a standard digital input card, a dedicated safety controller card, and a license key terminal followed by a bus end cap. For more information about each terminal, see Beckhoff’s EtherCAT terminals overview.

After selecting the Target system from the drop down, you need to ensure the Safe Address matches the hardware address for the terminal. This example uses an EL6910, so the hardware address was set via the dipswitch on the physical terminal and when scanned in, we see it reads the number expected in the hardware address field.
NOTE: If you forgot to set the hardware address on any of your safety terminals (EK1914, EL2911, EL6910, or any ELx9xxx series terminals), please pause now and safely power down your system so that the physical terminals can be accessed. Read the operating manual for each terminal for information on how to set the hardware address. Remember, each address must be unique within the network and 0 is not a valid TwinSAFE address.
To make the Safe Address match the hardware address, select the green reload button next to the hardware address box to make sure the number in the field is correct, and then the green arrow button to push the number to the safe address field.

Additionally, for this project we are going to select the two checkmarks for Connection Inputs/Outputs for visible traceability. This allows for an exact interpretation of the links.
‘Save-All’ with CTRL+SHIFT+S or via the top menu bar before leaving this page.
Add Relevant Alias Devices
With our safety controller configured to hold a project, you can now import in your PLC variables, and any additional safety terminals. Importantly, you do not want to add any of the drives to this safety project. They will instead be added via the safe motion wizard later.
To do this, right-click on our newly created safety project’s Alias Devices folder. From here, you can click on New Item and make both of the additional digital Inputs. You should name both of them appropriately. Then, you can import any safety terminals you will use in the safety project from your IO.

As shown above, two of the inputs we need were created already by choosing to make a preconfigured safety project. Since we already created the PLC variables we need to link to, we can do that as well. For each alias device created, open its page and click the symbol to link each to its corresponding PLC variable.
Now, the blocks inside the standard safety project can be made.
Write the .SAL
First, add a safeEStop and a safeAnd block. This is for our single dual-channel EStop. Then, create variables that match those below. It is important not to deviate from this layout, for reasons discussed below.

bPLCRestart and bPLCDriveErrorAck will be the two additional standard digital input variables we created. In order to have the drive error acknowledgment signal properly reset the entire safety system, it must be the first input on the safeAnd block as it is a standard input. Beckhoff has documentation on TwinSAFE Logic and Function Blocks if you want to learn more.
bChannelA and bChannelB represent both channels of the E-Stop, and will be physically wired through the EL2911. By clicking on the EStopIn1 port you can open the properties tab and change the channel interface from Single-Channel Both Activated to Two-Channel and set a discrepancy time.
For now, we will not do the Variable Mapping as there is more to add in. Save All and then Verify the project. Errors are expected and can be ignored for now.
Safe Addressing for AMP and AMI
Beckhoff AMP and AMI drives have internal TwinSAFE cards that, like their physical terminal counterparts, also require unique safe addresses. These drives do not have physical hardware switches, though, so the address must be set a different way. AX8xxx drives do have physical hardware switches to set, and this section can be skipped for such hardware.
With the system in config mode, and free run activated, navigate to the TwinSAFE toolbar. If you do not have this toolbar added, you can do so from right-clicking in the toolbar area and clicking to add TwinCAT Safety, or under View on the menu bar, View>Toolbars>TwinCAT Safety.

Click ‘Download Safe Address’. In the popup, select all the drives you need to set the safe address of.

Click ’Next‘. Now you need to assign a unique safe address within the network for each drive. Remember, address 0 is not a valid TwinSAFE address. In this example, the Terminal number was arbitrarily decided to be made the drive’s address. When finished, click Next.
Input the default TwinSAFE username (Administrator) and password (TwinSAFE) to the window and select all the devices to download the safe addresses.

Read through and finish verifying your work, closing the window with the ‘Finish’ button when you are done.
Now, you need to power cycle your system (specifically, the drives) so that upon system startup, the drives will load the correct FSOE address.
To check that the address was set, navigate to any drive in the IO tree and go to the CoE – Online tab. Click Update All to refresh the information there. Scroll down until you see Safe Address and expand it. By default, the FSOE address was 1; it should now be what you set it to.

In this picture, we can see the FSOE was set to 4.
Create Safe Motion Wizard Safety Project
If you have not followed the above steps for Safe Addressing AND power cycled your motors for AMP or AMI systems, do not continue.
Now that you have your standard safety project and safe addresses on your drives, you can run the Beckhoff TwinSAFE Motion Wizard. This requires >=v1.3.0 of the Safety Editor. Start the wizard from the drop-down option under TwinSAFE>Wizards>Start Safe Motion Wizard….

Then, in the popup that opens, select your drives under Target Type if they do not automatically populate. Check all of the drives as the project targets.

Click ‘Next’. For the safety feedbacks, on the AMP8xxx system there is only the default encoder option available for all drives, and only on channel A. Choose the option appropriate for your hardware.

An AX8xxx system might have options for channel A and B, as well as options on what encoder can be selected on each. If only using one channel on AX8xxx systems, select No Safety Encoder for the unused channel.
Click ‘Next’. For selecting safety function(s), we only desire STO functionality and will therefore touch nothing. This is auto-selected for all of our drives.

Click ‘Next’. The project can be given a name on the configuration page. We will call it Safe Motion.

Click ‘Next’. On the assignment step, click on the “…” button to select the drives. This will create the FSOE connections in the standard safety project to allow communication between it and the safe motion project.

Click ‘Next’. For the Safe Address page, a few incorrect states can be noted. As the system should be connected, you should not see the red boxes. The wizard should automatically load in the correct TwinSAFE address from the drives.
If this is being performed offline, manually putting the FSOE addresses here would suffice.
Troubleshooting Note: If addresses show up as zero, and we have communication to the drive under the EtherCAT master (free run turned on), it is possible that the safe addresses were not set properly either via safe addressing download or dipswitch. Cancel the wizard and perform the necessary checks. Do not try to continue with an FSOE address of zero on any device.
The following is incorrect:

This is correct:

Click ‘Next’. Read and acknowledge the safety warning and exit the wizard by clicking the ‘Finish’ button.
There should be a popup that the safe motion wizard project was created successfully, and the master project was updated successfully.
Finishing the Standard EL6910 Safety Project
As promised, we now return to the standard safety project for variable mapping.
In the standard safety project we created before, you should now see new custom FSOE connections for each of the drives. This is why we did not manually add the drives to this project earlier.

Open up the .SAL and click on the bottom tab for Variable Mapping. The following picture shows all the mappings with explanations of each piece to follow.

The first two variables are the standard I/O variables from the PLC defined by the preconfigured project. They should already be mapped for you.
Next, the bPLCRestart signal to our safeEStop block is mapped to the corresponding alias device digital input created earlier. As previously mentioned, this allows for the PLC to issue a signal for restart of the safeEstop block and ensuing error acknowledgement, presumably after an EStop press.
bChannelA and bChannelB are the two inputs from our physical EStop, routed through the EL2911 safety terminal, and they activate our safeEStop block.
The EStopOut signal from the safeEStop block is mapped to a multitude of devices. Notably, both ChA STO and SS1 bits for each drive. You can hold down CTRL+Click to select a multitude of variables. In addition to the drives, another standard variable was created to see the EStop signal status in the PLC (not necessary for functionality), and the signal was mapped to the coupler (also not necessary). This was done for the ability to add other functionality desired later.
The safeAnd block then takes in the EStop signal, expected to be high, together with the drive error acknowledgment from the PLC. This lets the PLC acknowledge drive errors: if the EStop has been reset since it was last pressed, bSafetyErrorAck then pushes the error acknowledgment to the drive. CTRL+Click to select all the error acks on each drive.
Save-All when done.
Finishing the Safe Motion Wizard Project
Looking at the newly created safe motion wizard project, there is nothing in the SALs we need to touch as the wizard handles it all. For this example, since we have multiple AMP8xxx series drives, we need to do multisettings. If you only had one drive, this part is not necessary, and you can skip to the last section.
Multi-Settings
In the safe motion wizard project, there is a last bit of configuration to be done before everything fits nicely together. If we open the Multi-settings.sms, we see all the drives we previously added. If we horizontally scroll to the right, we can see that Run and Err_Ack don’t have all the same links as the first motor.

You need to click the “…” on each and add the run and err ack links. Then it should look like this when it is finished.

Completing and Downloading
With the projects complete, you can now verify the main project and then perform a multi-download.

Now activate the configuration.
Using the login feature on the PLC, you can now toggle the ErrAck and Run signals. You will now be able to move the motors via the MOTION project, or Drive Manager 2.
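The manual toggling above can be moved into PLC code, which is what the introduction intends. The following Structured Text is an added example, not part of the original walkthrough or Beckhoff's code: it holds RUN and, per reset request, issues one pulse each for the group error acknowledge, the safeEStop restart, and the drive error acknowledge. The names bRunRequest, bResetRequest, tPulse, nStep and bStepChanged, the 200 ms width, and the pulse order are assumptions; R_TRIG and TON come from Tc2_Standard.

```iecst
// Added example, not from the original walkthrough.
PROGRAM PRG_SafetyAck
VAR
    // The four outputs from "Create and Expose PLC Variables", declared in a PRG
    OUT_bSafetyResetSignal   AT %Q* : BOOL;
    OUT_bSafetyRun           AT %Q* : BOOL;
    OUT_bSafetyErrorAck      AT %Q* : BOOL;
    OUT_bSafetyDriveErrorAck AT %Q* : BOOL;

    // Hypothetical names below (assumptions, not from the walkthrough)
    bRunRequest   : BOOL := TRUE;     // standard-side enable for the TwinSAFE group
    bResetRequest : BOOL;             // push button, HMI, or other code condition
    tPulse        : TIME := T#200MS;  // assumed pulse and gap width
    nStep         : INT;              // 0 = idle; 1, 3, 5 = one signal high; 2, 4, 6 = gap
    bStepChanged  : BOOL;             // holds the timer input low for one scan so TON restarts
    fbReqEdge     : R_TRIG;
    fbStepTimer   : TON;
END_VAR

// A held request produces exactly one pulse train: only the rising edge counts
fbReqEdge(CLK := bResetRequest);
fbStepTimer(IN := (nStep <> 0) AND NOT bStepChanged, PT := tPulse);
bStepChanged := FALSE;

CASE nStep OF
    0:  // idle: start only on a rising edge while RUN is requested
        IF fbReqEdge.Q AND bRunRequest THEN
            nStep := 1;
        END_IF
    1..6:  // advance when the current pulse or gap has lasted tPulse
        IF fbStepTimer.Q THEN
            nStep := (nStep + 1) MOD 7;  // step 6 wraps back to idle
            bStepChanged := TRUE;
        END_IF
ELSE
    nStep := 0;
END_CASE

OUT_bSafetyRun           := bRunRequest;
OUT_bSafetyErrorAck      := (nStep = 1);  // TwinSAFE group ERRACK
OUT_bSafetyResetSignal   := (nStep = 3);  // restart input of the safeEStop block
OUT_bSafetyDriveErrorAck := (nStep = 5);  // first input of the safeAnd block
```

Because each output is derived from the step number, no acknowledge signal can stay latched high if the request variable is left set.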