Safety functions integral to the SINAMICS drives
SINAMICS drives are characterized by a large number of Safety Integrated Functions. In combination with the sensors and safety control required for the safety functionality, they ensure that highly-effective protection for persons and machines is implemented in a practice-oriented manner.
They comply with the requirements of the following safety categories:
- PL e and category 3 or 4 according to ISO 13849‑1
- SIL 3 according to IEC 61508 and IEC 61800-5-2
Note:
The Safe Brake Test (SBT) diagnostic function meets the requirements for Category 2 according to ISO 13849-1.
The Safety Integrated Functions are generally certified by independent institutes. You can obtain the corresponding test certificates and manufacturer's declarations from your Siemens contacts.
The Safety Integrated Functions that are currently available are described below. Their functional safety satisfies the requirements defined in the international standard IEC 61800-5-2 for variable-speed drive systems.
The safety functions integrated into the SINAMICS drive system can be roughly divided into three categories:
Functions for safely stopping a drive
- Safe Torque Off (STO)
- Safe Stop 1 (SS1)
- Safe Stop 2 (SS2)
- Safe Operating Stop (SOS)
Functions for safe brake management
- Safe Brake Control (SBC)
- Safe Brake Test (SBT) (this diagnostic function exceeds the scope of IEC 61800-5-2)
Functions for safely monitoring the motion of a drive
- Safely-Limited Speed (SLS)
- Safe Speed Monitor (SSM)
- Safe Direction (SDI)
- Safely-Limited Acceleration (SLA)
Functions for safely monitoring the temperature of a drive
- Safe Motor Temperature (SMT)
Safe Torque Off (STO)
The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to affect a motor and prevents unintentional start-ups.
Effect
This function is a mechanism that prevents the drive from restarting unexpectedly, in accordance with IEC 60204-1, Section 5.4. The STO function suppresses the drive pulses (corresponds to Stop Category 0 according to IEC 60204-1). The drive is reliably torque-free. This state is monitored internally in the drive.
Application
STO has the immediate effect that the drive cannot supply any torque-generating energy. STO can be used wherever the drive will naturally reach a standstill due to load torque or friction in a sufficiently short time or when "coasting down" of the drive will not have any relevance for safety.
STO makes it possible for persons to work safely when the protective door is open (restart interlock) and is used on machines/installations with moving axes, e.g. on handling or conveyor systems.
Customer benefits
Some of the advantages of the integrated STO safety function over conventional safety technology with electromechanical switchgear include the elimination of separate components as well as of the work that would be required to wire and service them, i.e. no wearing parts as a result of the electronic shutdown. Because of the fast electronic switching times, the function provides a shorter reaction time than the conventional solution comprising electromechanical components. When STO is triggered, the converter remains connected to the network and can be fully diagnosed.
Safe Stop 1 (SS1) and Safe Stop 1 with external stop (SS1E)
The SS1 function causes a motor to stop rapidly and safely and switches the motor to torque-free mode after coming to a standstill by activating STO.
Effect
The SS1 function can safely stop the drive in accordance with IEC 60204-1, Stop Category 1. When the SS1 function is selected, the drive brakes autonomously along a quick-stop ramp and automatically activates the Safe Torque Off and Safe Brake Control functions (if configured) when the parameterized safety delay time expires.
If "SS1 with external stop (SS1E)" is used, the drive does not brake autonomously when the function is selected. In this case, the higher-level control must bring the drive to a standstill within a parameterized STO transition time. SS1E is a useful function for drives that need to be stopped as a group by the Motion Control system in order to prevent potential damage to the machine or product.
Application
The SS1 function is used when, in the event of a safety-relevant incident, the drive must stop as quickly as possible with a subsequent transition into the STO state (e.g. EMERGENCY STOP). It is thus used to bring large centrifugal masses to a stop as quickly as possible for the safety of the operating personnel, or to brake motors at high speeds as quickly as possible. Examples of typical applications are saws, grinding machine spindles, centrifuges, winders and storage and retrieval machines.
Customer benefits
The targeted stopping of a drive by means of SS1 reduces the risk of danger, increases the productivity of a machine, and allows the safety clearances in a machine to be reduced. The principle is to bring the drive actively to a standstill, compared with just using the STO function. Complex mechanical brakes that are susceptible to wear are normally not required to brake the motor.
Safe Stop 2 (SS2) and Safe Stop 2 with external stop (SS2E)
The SS2 function brings the motor to a standstill quickly and safely and then activates the SOS function once the motor has stopped.
Effect
The Safe Stop 2 function can safely stop the drive in accordance with IEC 60204-1, Stop Category 2. When the SS2 function is selected, the drive brakes autonomously along a quick stop ramp. In contrast to SS1, the drive control remains operational afterwards, i.e. the motor can supply the full torque required to maintain zero speed. Standstill is safely monitored (Safe Operating Stop function).
If SS2 with external stop (SS2E) is used, the drive does not brake autonomously when the function is selected. In this case, the higher-level control must bring the drive to a standstill within a parameterized SOS (Safe Operating Stop) transition time. SS2E is a useful function for drives that need to be stopped as a group by the Motion Control system in order to prevent potential damage to the machine or product.
Application
As with SS1, the SS2 function ensures the quickest possible deceleration of the motor. However, the motor power is not switched off. Instead, a control system prevents it from leaving the standstill position – even if it is affected by external forces. Typical applications for SS2 include machine tools, for example.
Customer benefits
The SS2 function ensures a rapid axis stop. Because the control remains active, after the safety function is deselected, productive operation can continue without referencing. This ensures short setup and standstill times and high productivity.
Safe Operating Stop (SOS)
With the SOS function, the stopped motor is held in position by the drive control system and its position is monitored.
Effect
The SOS function constitutes safe standstill monitoring. The drive control remains in operation. The motor can therefore deliver the full torque to hold the current position. The actual position is reliably monitored. In contrast to safety functions SS1 and SS2, the speed setpoint is not influenced autonomously. After SOS has been activated, the higher-level control must bring the drive to a standstill within a parameterized time and then hold the position setpoint.
Application
SOS is an ideal solution for all those applications for which the machine or parts of the machine must be at a safe standstill for certain steps, but the drive must also supply a holding torque. It is ensured that despite counter torque the drive remains in its current position. In contrast to SS1 and SS2, the drive does not brake autonomously in this case. It expects the higher-level controller to ramp down the relevant axes as a coordinated group within an adjustable delay time. This can be used to prevent any damage to the machine or product. Typical applications for SOS include winders, converting and packaging machines and machine tools.
Customer benefits
No mechanical components are necessary to keep the axis in position despite any counterforce that may occur. Due to the short switching times and the fact that the drive control always remains active, setup and downtimes are reduced. Recalibration of the axis after exiting the SOS function is not necessary. The axis can immediately be moved again after deactivation of the SOS function.
Safe Brake Control (SBC)
The SBC function permits the safe control of a holding brake. SBC is always activated in parallel with STO.
Effect
A holding brake which is active in a de-energized state is controlled and monitored using safe two-channel technology. Due to the two-channel control, the brake may still be activated in the event of an insulation fault in the control cable. Errors of this kind are detected early by means of test pulses.
Note:
Safe Brake Control does not detect mechanical faults in the brake itself, such as worn brake linings. For Motor Modules in booksize format, the terminals for the motor brake are integrated. An additional Safe Brake Relay is required for Power Modules in blocksize format. An additional Safe Brake Adapter is necessary for Power Modules in chassis format.
Application
The SBC function is used in conjunction with the functions STO or SS1 to prevent the movement of an axis in the torque-free state, e.g. because of gravity.
Customer benefits
Again, the function saves the use of external hardware and the associated wiring.
Safe Brake Test (SBT)
The SBT diagnostic function carries out a brake function test at regular intervals or before personnel enter the danger zone.
Effect
A good way to check the proper functioning of brakes that have become worn is to apply a torque to the closed brake. Drive systems that have two brakes, e.g. motor brake and external brake, can be tested with different torque values.
Application
The SBT diagnostic function is suitable for implementing a safe brake in combination with the SBC function.
Customer benefits
The function detects faults or wear in the brake mechanics. Automatically testing the effectiveness of brakes reduces maintenance costs and increases the safety and availability of the machine or plant.
Safely-Limited Speed (SLS)
The SLS function monitors the drive to ensure that it does not exceed a preset speed or velocity limit.
Effect
The SLS function monitors the drive against a parameterized speed limit. Four different limit values can be selected. As in the case of SOS, the speed setpoint is not influenced independently. After SLS has been selected, the higher-level control must bring the drive down below the selected speed limit within a parameterizable time. If the speed limit is exceeded, a customizable drive-integrated fault reaction occurs.
The SLS limit stage 1 can be multiplied by a factor that is transferred in 16-bit resolution via PROFIsafe. This allows an almost unlimited number of limits to be specified.
Application
The SLS function is used if people are in the danger zone of a machine and their safety can only be guaranteed by reduced speed. Typical application cases include those in which an operator must enter the danger zone of the machine for the purposes of maintenance or setting up, such as a winder in which the material is manually threaded by the operator. To prevent injury to the operator, the roller may only spin at a safely reduced speed. SLS is often also used as part of a two-stage safety concept. While a person is in a less critical zone, the SLS function is activated, and the drives are only stopped safely in a smaller area with higher potential risk. SLS can be used not only for operator protection, but also for machinery protection, e.g. if a maximum speed must not be exceeded.
Customer benefits
The SLS function can contribute to a significant reduction in downtime, or greatly simplify or even accelerate setup. The overall effect achieved is a higher availability of the machine. Moreover, external components such as speed monitors can be omitted.
Safe Speed Monitor (SSM)
The SSM function warns when a drive is working below an adjustable speed limit. As long as it remains below the threshold, the function issues a safety-related signal.
Effect
If a speed value drops below a parameterized limit, a safety-related signal is generated. This signal can, for example, be processed in a safety control unit that is programmed to respond to the event according to the situation.
Application
With the SSM function, in the simplest case, a safety door can be unlocked if the speed drops below a non-critical level. Another typical example is that of a centrifuge that may be filled only when it is operating below a configured speed limit.
Customer benefits
Unlike SLS, there is no drive-integrated fault reaction when the speed limit is exceeded. The safe feedback can be evaluated in a safety control unit, allowing the user to respond appropriately to the situation.
Safe Direction (SDI)
The SDI function ensures that the drive can only move in the selected direction.
Effect
Deviation from the direction of motion currently being monitored is detected reliably and the configured drive-integrated fault reaction is initiated. It is possible to select which direction of rotation is to be monitored.
Application
The SDI function is used when the drive may only move in one direction. A typical application is to permit the operator access to a danger zone, as long as the machine is rotating in the safe direction, i.e. away from the operator. In this state, the operator can feed material into the work zone or remove material from the work zone without danger.
Customer benefits
The function saves the use of external components such as speed monitors and the associated wiring. The release of a danger zone while the machine is moving away from the operator increases productivity. Without the SDI function, the machine must be safely stopped during material loading and removal.
Safely-Limited Acceleration (SLA)
The SLA function monitors that the drive does not exceed a preset acceleration limit value.
Effect
The SLA function monitors that the motor does not violate the defined acceleration limit (e.g. in setup mode). SLA detects early on whether the speed is increasing at an inadmissible rate (the drive accelerates uncontrollably) and initiates the stop response.
Application
The SLA function is used, e.g., for SIMATIC Safe Kinematics. SLA can only be used in safety systems with an encoder.
Customer benefits
The function monitors the maximum permissible acceleration in setup mode and allows safe monitoring of the tool center point with different kinematics.
Safe Motor Temperature (SMT)
Safe Motor Temperature (SMT) prevents the motor temperature from exceeding a specified limit.
Effect
SMT works in conjunction with the signal from a PTC thermistor of type A in accordance with IEC 60947‑8 and DIN VDE 0898‑1‑401. When the limit temperature specific to the PTC thermistor is exceeded, the thermistor's electrical resistance increases suddenly. This is securely recorded by the SMT function and STO (Safe Torque Off) is triggered as the subsequent response. This ensures that the motor does not receive any more energy from the converter, and the motor temperature cannot increase further.
Application
SMT is used to protect against overtemperature of a motor in explosive environments (ATEX), e.g. in the chemical industry, in paper mills, or in paint shops.
Customer benefits
This function obviates the need for external components such as thermistor motor protection relays and the associated wiring investment and space demands in the control cabinet. Motor protection is strictly required in ATEX applications. The SMT function makes it easy to integrate such requirements so they are implemented in the drive.
Basic Functions and Extended Functions
With SINAMICS S drives the safety functions are implemented with encoders - individual safety functions can also be operated without encoders.
The Safety Integrated Functions are grouped into Basic Functions and Extended Functions.
The Basic Functions are included in the standard scope of supply.
The Extended Functions must be activated by a license.
The electronic license certificate is the paperless type of delivery for runtime options with SINAMICS. It contains information about the type of usage rights obtained with the software.
- Basic Functions
  - Safe Torque Off (STO)
  - Safe Brake Control (SBC)
  - Safe Stop 1 (SS1)
  - Safe Stop 1 with external stop (SS1E)
  - Safe Motor Temperature (SMT)
- Extended Functions
  - Safe Stop 1 with external stop (SS1E) with SBR or SAM
  - Safe Stop 1 (SS1) with SBR or SAM
  - Safe Stop 2 with external stop (SS2E)
  - Safe Stop 2 (SS2)
  - Safe Operating Stop (SOS)
  - Safely-Limited Speed (SLS)
  - Safe Speed Monitor (SSM)
  - Safe Direction (SDI)
  - Safely-Limited Acceleration (SLA)
  - Safe Brake Test (SBT) diagnostic function
For the Extended Functions SS1 and SS2 with SAM, the Safe Acceleration Monitor (SAM) runs during braking so that faults are identified as early as the braking phase.
With SS1 and SS2, a Safe Brake Ramp (SBR) can be configured as an alternative.
The Basic Functions – activated via on-board terminals on the device or via PROFIsafe – do not require an encoder.
Activation of the integrated safety functions
The safety functions for SINAMICS drives can be activated via terminals, e.g. for use of a conventional safety circuit.
For standalone safety solutions for small to medium-sized applications, it is frequently sufficient that the various sensing components are directly hardwired to the drive.
For integrated safety solutions, the safety-relevant sequences are generally processed and coordinated in the fail-safe SIMATIC controller. Here, the system components communicate via the PROFINET or PROFIBUS fieldbus. The safety functions are controlled via the safe PROFIsafe communication protocol.
SINAMICS drives can be easily integrated into the plant or system topology.
PROFIsafe
SINAMICS drives support the PROFIsafe profile based on PROFINET as well as on PROFIBUS.
PROFIsafe is an open communications standard that supports standard and safety-related communication over the same communication path (wired or wireless). A second, separate bus system is therefore not necessary. The telegrams that are sent are continually monitored to ensure safety-relevant communication.
Possible errors such as telegrams that have been lost, repeated or received in the incorrect sequence are avoided. This is done by consecutively numbering the telegrams in a safety-relevant fashion, monitoring their reception within a defined time and transferring an ID for transmitter and receiver of a telegram. A CRC (cyclic redundancy check) data security mechanism is also used.
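The four measures named above (consecutive numbering, reception within a defined time, transmitter and receiver IDs, and a CRC) can be seen working together in the following receiver sketch. This is an added example, not Siemens code and not the PROFIsafe wire format: the frame layout, field widths, the use of CRC-32, the latching fail-safe behavior and all names are assumptions made for illustration.

```python
import struct
import zlib

# Constructed layout for illustration only, NOT the PROFIsafe wire format:
#   sender ID (u16) | receiver ID (u16) | consecutive number (u16) | data | CRC-32
HEADER = struct.Struct(">HHH")
CRC = struct.Struct(">I")


def build_telegram(src_id, dst_id, seq, data):
    """Sender side: number the telegram, address it, and append a CRC."""
    body = HEADER.pack(src_id, dst_id, seq & 0xFFFF) + data
    return body + CRC.pack(zlib.crc32(body))


class SafetyReceiver:
    """Receiver side: any failed check latches the fail-safe state."""

    def __init__(self, own_id, peer_id, watchdog_s):
        self.own_id, self.peer_id = own_id, peer_id
        self.watchdog_s = watchdog_s
        self.expected_seq = 0
        self.last_rx = None        # time of the last accepted telegram
        self.failsafe = False

    def _fail(self, reason):
        self.failsafe = True
        return ("FAILSAFE", reason)

    def _timed_out(self, now):
        return self.last_rx is not None and now - self.last_rx > self.watchdog_s

    def poll(self, now):
        """Called cyclically so that silence (a lost telegram) is noticed."""
        if self.failsafe:
            return ("FAILSAFE", "latched")
        return self._fail("watchdog timeout") if self._timed_out(now) else ("OK", None)

    def receive(self, frame, now):
        if self.failsafe:
            return ("FAILSAFE", "latched")
        if len(frame) < HEADER.size + CRC.size:
            return self._fail("short frame")
        body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
        if zlib.crc32(body) != crc:                      # corrupted in transit
            return self._fail("CRC mismatch")
        src, dst, seq = HEADER.unpack(body[:HEADER.size])
        if (src, dst) != (self.peer_id, self.own_id):    # misrouted or wrong source
            return self._fail("wrong sender/receiver ID")
        if self._timed_out(now):                         # arrived too late
            return self._fail("watchdog timeout")
        if seq == (self.expected_seq - 1) & 0xFFFF and self.last_rx is not None:
            return self._fail("repeated telegram")
        if seq != self.expected_seq:
            return self._fail("lost or out-of-sequence telegram")
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_rx = now
        return ("OK", body[HEADER.size:])
```

Each failure mode maps to exactly one check, so a fault log from such a receiver tells the integrator whether the problem is corruption, addressing, timing or sequencing.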
The operating principle of Safety Integrated
Two independent switch-off signal paths
Two independent switch-off signal paths are available. All switch-off signal paths are low active. This ensures that the system is always switched to a safe state if a component fails or in the event of cable breakage. If a fault is discovered in the switch-off signal paths, the STO or SS1 function (depending on parameter settings) is activated and a system restart is inhibited.
Two-channel monitoring structure
All the main hardware and software functions for Safety Integrated are implemented in two independent monitoring channels (e.g. switch-off signal paths, data management, data comparison). A cyclic crosswise comparison of the safety-relevant data in the two monitoring channels is carried out.
The monitoring functions in each monitoring channel work on the principle that a defined state must prevail before each action is carried out and a specific acknowledgement must be made after each action. If these expectations of a monitoring channel are not fulfilled, the drive coasts to a standstill (two channels) and an appropriate message is output.
Internal self-test
To meet the requirements of ISO 13849-1 and IEC 61508 in terms of timely error detection, the SINAMICS performs an internal self-test.
The internal self-test checks the shutdown paths for Safe Torque Off, safety functions and failsafe digital inputs and outputs cyclically.
The self-test does not require user interaction and does not influence the operation of the SINAMICS.
Safe speed/position sensing with encoder
Safe actual value sensing with encoder
Incremental encoders or absolute encoders can be used for safe sensing of the position values on a drive.
Safe actual value sensing relies on redundant evaluation of the incremental tracks A/B that supply sin/cos signals of 1 Vpp. Only encoders of the type whose A/B track signals are created and processed using purely analog techniques can be used.
As an alternative, motors with an integrated DRIVE-CLiQ interface can be used. The speed or position actual values are generated directly in the motor as safe values and are transferred to the Control Unit over safe communication via DRIVE-CLiQ.
Certified built-on rotary encoders with DRIVE-CLiQ interface may also be used (see https://support.industry.siemens.com/cs/document/65402168).
The encoder must be mechanically attached in such a manner that the encoder shaft is unable to unplug or slide off. For notes on this, see IEC 61800-5-2: 2016, Table D.16.
A list of Siemens motors that fulfill the electrical and mechanical requirements is available at:
https://support.industry.siemens.com/cs/document/33512621
Safe encoder system
Example: Safe encoder system
The motor encoder is used exclusively for safe actual value sensing.
The safety functions are listed below with criteria for actual value sensing:
| Functions | Abbreviation | Encoder required | Description |
|---|---|---|---|
| Basic Functions | | | |
| Safe Torque Off | STO | No | Safe Torque Off |
| Safe Stop 1 | SS1 | No | Safe stopping process in accordance with stop category 1 |
| Safe Brake Control | SBC | No | Safe Brake Control |
| Safe Motor Temperature | SMT | No | Safe motor temperature monitoring |
| Extended Functions | | | |
| Safe Stop 1 | SS1 | Yes | Safe stopping process in accordance with stop category 1 |
| Safe Operating Stop | SOS | Yes | Safe monitoring of the standstill position |
| Safe Stop 2 | SS2 | Yes | Safe stopping process in accordance with stop category 2 |
| Safely-Limited Speed | SLS | Yes | Safe monitoring of the maximum speed |
| Safe Speed Monitor | SSM | Yes | Safe monitoring of the minimum speed |
| Safe Direction | SDI | Yes | Safe monitoring of the direction of motion |
| Safely-Limited Acceleration | SLA | Yes | Safely-Limited Acceleration |
| Safe Brake Test | SBT | Yes | Diagnostic function for safe testing of the required holding torque of a brake |