The Fail-Safe Principle (Fail Stop) - Beckhoff EL2912 Operating Instructions Manual

System description
TwinSAFE logic component, e.g. EL6910
• Processing of the safety-related application and communication with the TwinSAFE terminals
• No safety requirements for higher-level control system
• TwinSAFE enables a network with up to 65,535 TwinSAFE components.
• TwinSAFE logic component can establish up to 512 connections (TwinSAFE connections).
• Several TwinSAFE logic components can be operated in a network
• Suitable for applications up to SIL 3 according to IEC 61508:2010 and category 4 / PL e according to
EN ISO 13849-1:2015.
TwinSAFE I/O components
• The TwinSAFE I/O components are available in the formats Bus Terminal, EtherCAT Terminal,
EtherCAT plug-in module, EtherCAT Box and TwinSAFE Drive option card
• All common safety sensors and actuators can be connected
• Operation with a TwinSAFE logic component
• Typically meet the requirements of IEC 61508:2010 up to SIL 3 and EN ISO 13849-1:2015 up to
Category 4, PL e. More detailed information can be found in the respective user documentation
3.2.3

The fail-safe principle (Fail Stop)

The basic rule for a safety system such as TwinSAFE is that failure of a part, a system component or the
overall system must never lead to a dangerous condition.
Safe state!
The safe state of the TwinSAFE system is always the switched-off and de-energized state.
18
CAUTION
Version: 2.0.0 EL2912 and EL2912-2200