How-To Guide  ·  Allen-Bradley Compact 5000 Safety  ·  E-Stop Safety Circuit Design

E-Stop Safety Circuit: Compact GuardLogix 5380 + 5069-IB8S Wiring & Configuration Guide

Part Number: 5069-IB8S  ·  Compact GuardLogix 5380 · 5069-IB8S Safety Input · 5069-OBV8S Safety Output · Studio 5000

1. Introduction to Safety Systems

Functional safety is the part of overall equipment safety that depends on automatic protection systems operating correctly in response to hazardous conditions. In industrial automation, this means sensors detect a hazard, a safety controller processes the logic, and actuators remove the hazard — typically by removing power from dangerous motion or energy sources.

The international standards governing functional safety in machinery include:

All safety systems follow a fundamental principle: de-energize to trip. The safe state is power OFF. When the safety system detects a hazard (or when a fault occurs), it removes power from the hazardous outputs. This means a wire break, power loss, or component failure automatically results in the safe state — this is what engineers mean by "fail-safe" design.

An E-Stop circuit is the simplest and most common safety function. When an operator presses the E-Stop button, the safety system must reliably de-energize all hazardous motion within a defined time. The circuit must also detect its own faults (wire breaks, short circuits, stuck contacts) and go to the safe state when a fault is found.

2. Understanding SIL, Performance Level, and Category

Safety system reliability is quantified using two parallel frameworks. The IEC 61508 / IEC 62061 path uses Safety Integrity Levels (SIL), while the ISO 13849-1 path uses Performance Levels (PL) and Categories. Both approaches measure the same thing — how reliably the safety function will operate when demanded — but they use different metrics and terminology.

The Compact GuardLogix 5380 + 5069-IB8S + 5069-OBV8S system is certified for:

What this means in practical terms: the Compact GuardLogix 5380 system can be used in the highest safety applications for machine safety — including E-Stop, light curtains, safety gates, two-hand controls, safe speed monitoring, and safe torque off (STO) applications. The SIL 3 / PLe / Category 4 rating means the system can tolerate single faults without losing the safety function and has high diagnostic coverage to detect faults before they become dangerous.

3. System Hardware Overview

A complete E-Stop safety system using the Compact GuardLogix 5380 platform requires the following components. This bill of materials covers a basic single E-Stop station with dual-channel input and redundant contactor output:

4. How a Dual-Channel E-Stop Circuit Works

The fundamental difference between a basic E-Stop circuit and a safety-rated E-Stop circuit is redundancy with monitoring. A single-channel circuit has one wire path from the E-Stop button to the controller input. If the wire breaks, depending on the failure mode, the system may not detect the break — the input could remain in either state, and there is no way to verify it.

A dual-channel (redundant) circuit uses TWO separate NC (normally closed) contacts on the E-Stop button, each wired to a separate safety input channel on the 5069-IB8S. The safety controller continuously compares both channels:

1. Both channels ON (closed contacts): Normal state — the E-Stop is not pressed, current flows through both NC contacts, both inputs read TRUE. The safety function is satisfied.
2. Both channels OFF (open contacts): E-Stop pressed — both NC contacts open, both inputs read FALSE. The safety controller commands the safety outputs OFF (de-energize contactors).
3. Channels disagree (discrepancy): One channel is ON and the other is OFF. This indicates a fault — a wire break, short circuit, contact welding, or cross-wiring error. The safety controller triggers a discrepancy fault and commands outputs OFF.
4. Test pulse failure: The 5069-IB8S test output sends a brief pulse through the circuit. If the pulse doesn’t return (short to +24V detected), the module flags a test pulse fault and the channel is declared faulted.

The 5069-IB8S supports dual-channel input pairs on fixed channel assignments: channels 0+1, 2+3, 4+5, and 6+7. Each pair acts as one dual-channel safety input point. You cannot arbitrarily pair channels — channel 0 always pairs with channel 1, channel 2 with channel 3, and so on.

Test Output (Safety Pulse Test) Explained

The 5069-IB8S has dedicated Test Output channels on pins 8–15 of the RTB. These correspond to input channels 0–7 respectively. When configured for Safety Pulse Test mode, the test outputs send a brief voltage pulse (duration < 700 µs, period < 100 ms) through the E-Stop circuit instead of using a continuous external +24V source.

The purpose of test pulses is automatic short-circuit detection. If a field wire shorts to an external +24V source, the input would appear permanently ON even when the E-Stop contact is open — a dangerous undetected fault. The test pulse breaks this failure mode: the module expects the input to follow the pulse pattern. If the input stays high when the test pulse is low, the module detects a short circuit to +24V and flags a fault.

This provides automatic fault detection without manual proof testing. Without test pulses, you would need periodic manual testing to verify that the E-Stop circuit can actually detect a pressed button. With test pulses, the module continuously verifies circuit integrity every pulse cycle.

5. Wiring the E-Stop to the 5069-IB8S

This section provides the complete wiring for a dual-channel E-Stop using channels 0 and 1 on the 5069-IB8S with Safety Pulse Test mode enabled. This is the recommended configuration for Category 3 / Category 4 applications.

E-Stop Button Requirements

Dual-Channel Wiring Table (Channels 0+1, Safety Pulse Test Mode)

Pin Map Reference: 5069-IB8S RTB18

Wiring Best Practices

1. Use separate shielded cables for each channel where possible. Running both channel A and channel B in the same cable creates a common-cause failure risk — a single cable cut could take out both channels simultaneously, defeating the purpose of redundancy.
2. Route safety wiring separately from power wiring. Keep safety signal cables at least 200 mm from power conductors and VFD output cables to avoid induced noise.
3. Use the test outputs as the voltage source. Do NOT connect external +24V directly to the E-Stop contacts when using Safety Pulse Test mode. The test output is the sole voltage source — external voltage defeats the short-circuit detection.
4. Connect COM (pins 16/17) to the SA power supply 0V rail. The module’s internal return path runs through the SA– bus. An unconnected or floating COM causes erratic input readings.
5. Verify wire gauge compatibility. The 5069-RTB18 accepts 22–16 AWG (0.34–1.5 mm²) solid or stranded shielded copper wire. Use ferrules on stranded wire for spring-clamp RTBs.

Wiring Multiple E-Stop Stations in Series

You can wire up to 4 E-Stop stations on a single 5069-IB8S module — each E-Stop uses one dual-channel pair (channels 0+1, 2+3, 4+5, or 6+7). If you need multiple E-Stop buttons on the same safety zone (e.g., one at each operator station), wire them in series within each channel:

Test OUT 0 → E-Stop #1 NC contact 1 → E-Stop #2 NC contact 1 → E-Stop #3 NC contact 1 → Safety IN 0. Do the same for channel B using Test OUT 1 and Safety IN 1. Pressing any E-Stop in the series opens both channels simultaneously.

6. Wiring the Safety Contactors to the 5069-OBV8S

The 5069-OBV8S is an 8-channel bipolar safety output module. "Bipolar" means each output channel provides both the positive and negative drive terminals — the module sources current through the load and sinks it back, rather than relying on an external return path. This gives the module full control over the output circuit for diagnostics.

Like the safety input module, the 5069-OBV8S uses dual-channel output pairs: channels 0+1, 2+3, 4+5, and 6+7. Each pair drives two redundant safety contactors (K1 and K2) in the output circuit.

Dual-Channel Bipolar Output Wiring (Channels 0+1)

The motor or hazardous load connects through BOTH contactors in series. Both K1 and K2 must close for power to reach the motor. If either contactor opens (or fails to close), the motor is de-energized. This is the redundant output architecture required for Category 3 and Category 4.

Contactor Feedback (Mirror Contacts)

Safety contactors (such as the Allen-Bradley 100S series) include mirror contacts — mechanically linked auxiliary contacts that provide feedback on the contactor’s actual state. Mirror contacts are NC (normally closed) when the contactor is de-energized and NO (normally open) when the contactor is energized. They are mechanically linked to the main contacts so they cannot disagree.

1. Wire K1 mirror contact (NC) to a standard digital input on a 5069-IB16 (e.g., input 0). When K1 is de-energized, this input reads TRUE (closed). When K1 is energized, this input reads FALSE (open).
2. Wire K2 mirror contact (NC) to another standard digital input (e.g., input 1).
3. In the safety logic, verify that when the safety output commands ON, both feedback inputs transition to FALSE within a defined time. If the safety controller commands OFF but a feedback input remains FALSE (indicating the contactor is still energized), this is a contactor welding fault — the contactor is mechanically stuck closed.
4. On a welding fault, the safety program should latch a fault and prevent re-energizing the output pair until maintenance clears the fault and replaces the contactor.

7. Studio 5000 Safety Project Configuration

Configuring a Compact GuardLogix 5380 safety project in Studio 5000 Logix Designer involves setting up the controller, adding safety I/O modules, configuring dual-channel modes, and establishing the Safety Network Number (SNN). Follow these steps:

Create the Safety Project

1. Open Studio 5000 Logix Designer and create a new project. Select the appropriate Compact GuardLogix 5380 controller — for example, 5069-L306ERS2 (SIL 2) or 5069-L306ERMS3 (SIL 3).
2. The project automatically includes a Safety Task with a default period of 10 ms and a watchdog of 250 ms. The Safety Task is where all safety logic must reside. You cannot create additional safety tasks — there is exactly one per project.
3. The MainTask (continuous task) is also created automatically for standard (non-safety) logic such as HMI communication, data logging, and non-safety motor control.

Add the 5069-IB8S Safety Input Module

1. Right-click the controller in the I/O Configuration tree → New Module → search for 5069-IB8S and select it.
2. Set the slot number to match the physical position on the DIN rail (e.g., Slot 1 if it is the first I/O module after the controller).
3. Open module properties → Safety tab → configure each channel pair:
4. Set Input Mode = "Dual Channel" for each pair you are using (e.g., channels 0+1). This tells the module to cross-compare both channels and report a DualChannelStatus bit.
5. Set Input Point Mode = "Safety Pulse Test" for automatic short-circuit detection. This enables the test output pulses on pins 8–15.
6. Set Test Output Mode = "Pulse Test" — the module automatically sends test pulses; no user program action is needed.
7. Set Discrepancy Time — the maximum time allowed for both channels to agree after a state change. Typical values: 0.5–3 seconds. If the channels disagree longer than this time, the module declares a discrepancy fault. Use a shorter time for faster fault detection; use a longer time if the E-Stop contacts have different mechanical response times.

Add the 5069-OBV8S Safety Output Module

1. Right-click the controller → New Module → search for 5069-OBV8S and select it.
2. Set the slot number (e.g., Slot 2).
3. Open module properties → Safety tab → configure output mode: Bipolar with dual-channel pairs.
4. Enable Safety Pulse Test for the output channels if supported by your firmware revision.

Safety Network Number (SNN)

Every safety device on a CIP Safety network must have a unique Safety Network Number (SNN). The SNN uniquely identifies the safety network segment and prevents accidental cross-communication between safety devices on different networks.

For local I/O (modules on the same DIN rail as the controller), Studio 5000 assigns the SNN automatically based on the controller’s SNN. You generally do not need to change it unless you are replacing a controller or moving modules between systems.

Key Safety Tags

Replace X and Y with the actual slot numbers of the 5069-IB8S and 5069-OBV8S in your I/O configuration. For example, if the input module is in Slot 1 and the output module is in Slot 2, use Local:1:I and Local:2:O.

8. Writing the Safety Logic

The safety logic for an E-Stop circuit is straightforward but must follow strict rules. All safety logic runs in the Safety Task — never in the standard continuous task. Safety tags can only be written by safety routines. Standard (non-safety) routines can read safety tags for HMI display but cannot write to them.

Complete Safety Routine: E-Stop with Manual Reset

The following ladder logic implements a basic E-Stop circuit with manual reset. This example assumes the 5069-IB8S is in Slot 1 and the 5069-OBV8S is in Slot 2:

Logic Explanation

1. Rung 0 reads the dual-channel status. The DualChannelStatus.Pt00 bit is managed by the 5069-IB8S firmware — it is TRUE only when both channels 0 and 1 agree and are both ON (contacts closed).
2. Rung 1 monitors for faults on either channel. If the module detects a discrepancy, test pulse failure, or communication fault, the per-channel fault bits are set.
3. Rung 2 implements the manual reset requirement using a One-Shot (ONS) instruction. The operator must press and release a dedicated reset button — holding the button does not continuously pulse the reset.
4. Rung 3 is a seal-in (latch) circuit. The output enables on a valid reset pulse (E-Stop OK + reset + no faults) and stays sealed in as long as E-Stop remains OK and no faults exist. If the E-Stop is pressed or a fault occurs, the seal breaks and the output de-energizes.
5. Rung 4 drives both channels of the output pair. Both Pt00.Data and Pt01.Data must be commanded together for the dual-channel output to energize.

9. Safety Signature and Validation

After completing and testing the safety program, you must generate a Safety Task Signature. The signature is a CRC-based checksum that locks the safety program — any modification to the safety logic, safety tags, safety I/O configuration, or safety task properties will invalidate the signature and require re-generation.

The safety signature serves two critical purposes:

1. Tamper detection: The signature proves that the safety program has not been modified since it was validated. During commissioning, the safety engineer records the signature. During periodic audits, the recorded signature is compared against the controller’s current signature. A mismatch means the program was changed.
2. Validation record: The signature, along with the date and the engineer’s name, becomes part of the safety validation documentation required by IEC 61508 and IEC 62061.

Generating the Safety Signature

1. Go online with the controller and verify that the safety program is operating correctly with all E-Stop stations tested.
2. Right-click the Safety Task in the Controller Organizer → Properties → Safety tab.
3. Click "Generate Signature". Studio 5000 calculates the CRC and displays the signature as a multi-digit hexadecimal number with a timestamp.
4. Record the signature in your safety validation documentation. Include the date, time, project name, firmware revision, and the name of the engineer who validated the system.
5. Lock the controller (optional but recommended). After generating the signature, you can set the controller key switch to RUN or use the software lock to prevent online edits. This is recommended for production systems to prevent accidental changes.

10. System Reaction Time

The system reaction time is the total elapsed time from when a hazard is detected (E-Stop pressed) to when the hazardous energy is removed (contactors open, motor de-energized). This is critical for safety distance calculations and must be documented in the safety validation.

The total reaction time is the sum of delays through each component in the safety chain:

Reaction Time Formula

T_reaction = T_{input_filter} + T_{input_SRT} + T_{safety_task_period} + T_{task_execution} + T_{output_SRT} + T_{output_delay} + T_mechanical

Example Calculation

With a 50 ms input filter enabled, the worst case increases to 90 ms. With slower contactors (30 ms release time), it reaches approximately 105 ms.

11. Troubleshooting

The following table covers the most common issues encountered when commissioning and operating a dual-channel E-Stop circuit with the Compact GuardLogix 5380 system:

LED Status Indicators

12. Related Guides

Explore more Compact 5000 and safety-related guides from PLC Exchange:

Reference Documentation

The following Rockwell Automation publications were used as references for this guide. These are the official manufacturer documents for the hardware covered in this article.