Safety functions integrated in SINAMICS drives
SINAMICS drives are characterized by a large number of Safety Integrated Functions. In combination with the sensors and safety control required for the safety functionality, they ensure that highly-effective protection for persons and machines is implemented in a practice-oriented manner.
They comply with the requirements of the following safety categories:
- PL d and Category 3 according to ISO 13849-1
- SIL 2 according to IEC 61508 and IEC 61800-5-2
Note:
The Safe Brake Test (SBT) diagnostic function meets the requirements for Category 2 according to ISO 13849-1.
The PM240‑2 Power Modules, frame sizes FSD to FSG additionally offer STO acc. to IEC 61508 SIL 3 and ISO 13849‑1 PL e and Category 3.
The Safety Integrated functions are generally certified by independent institutes. You can obtain the corresponding test certificates and manufacturer's declarations from your Siemens contacts.
The Safety Integrated Functions that are currently available are described below. Their functional safety satisfies the requirements defined in the international standard IEC 61800-5-2 for variable-speed drive systems.
The safety functions integrated into the SINAMICS drive system can be roughly divided into four categories:
Functions for safely stopping a drive
- Safe Torque Off (STO)
- Safe Stop 1 (SS1)
- Safe Stop 2 (SS2)
- Safe Operating Stop (SOS)
Functions for safe brake management
- Safe Brake Control (SBC)
- Safe Brake Test (SBT) (this diagnostic function exceeds the scope of IEC 61800-5-2)
Functions for safely monitoring the motion of a drive
- Safely-Limited Speed (SLS)
- Safe Speed Monitor (SSM)
- Safe Direction (SDI)
- Safely-Limited Acceleration (SLA)
Functions for safely monitoring the position of a drive
- Safely-Limited Position (SLP)
- Safe Position (SP) (this function exceeds the scope of IEC 61800-5-2)
- Safe Cam (SCA)
Safe Torque Off (STO)
The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to affect a motor and prevents unintentional start-ups.
Effect
This function is a mechanism that prevents the drive from restarting unexpectedly, in accordance with EN 60204-1, Section 5.4. The STO function suppresses the drive pulses (corresponds to Stop Category 0 according to EN 60204-1). The drive is reliably torque-free. This state is monitored internally in the drive.
Application
STO has the immediate effect that the drive cannot supply any torque-generating energy. STO can be used wherever the drive will naturally reach a standstill due to load torque or friction in a sufficiently short time or when "coasting down" of the drive will not have any relevance for safety.
STO makes it possible for persons to work safely when the protective door is open (restart interlock) and is used on machines/installations with moving axes, e.g. on handling or conveyor systems.
Customer benefits
Advantages of the Safety Integrated Function STO over conventional safety technology with electromechanical switchgear include the elimination of separate components and of the work that would be required to wire and service them; because the shutdown is electronic, there are no wearing parts. Because of the fast electronic switching times, the function provides a shorter reaction time than the conventional solution comprising electromechanical components. When STO is triggered, the converter remains connected to the network and can be fully diagnosed.
Safe Stop 1 (SS1)
The SS1 function causes a motor to stop rapidly and safely and switches the motor to torque-free mode after coming to a standstill by activating STO.
Effect
The SS1 function can safely stop the drive in accordance with EN 60204-1, Stop Category 1. When the SS1 function is selected, the drive brakes autonomously along a quick-stop ramp and automatically activates the Safe Torque Off and Safe Brake Control functions (if configured) when the parameterized safety delay time expires.
If the variant "SS1 with external stop (SS1E)" is parameterized, the drive does not brake autonomously when the function is selected. In this case, the higher-level control must bring the drive to a standstill within a parameterized STO transition time. The SBR (Safe Brake Ramp) and SAM (Safe Acceleration Monitor) functions are not active. SS1E is a useful function for drives that need to be stopped as a group by the Motion Control system in order to prevent potential damage to the machine or product.
Application
The SS1 function is used when, in the event of a safety-relevant incident, the drive must stop as quickly as possible with a subsequent transition into the STO state (e.g. EMERGENCY STOP). It is thus used to bring large centrifugal masses to a stop as quickly as possible for the safety of the operating personnel, or to brake motors at high speeds as quickly as possible. Examples of typical applications are saws, grinding machine spindles, centrifuges, winders and storage and retrieval machines.
Customer benefits
The targeted stopping of a drive by means of SS1 reduces the risk of danger, increases the productivity of a machine, and allows the safety clearances in a machine to be reduced. The principle is to bring the drive actively to a standstill, compared with just using the STO function. Complex mechanical brakes that are susceptible to wear are normally not required to brake the motor.
Safe Stop 2 (SS2)
The SS2 function brings the motor to a standstill quickly and safely and then activates the SOS function once the motor has stopped.
Effect
The Safe Stop 2 function can safely stop the drive in accordance with EN 60204-1, Stop Category 2. When the SS2 function is selected, the drive brakes autonomously along a quick stop ramp. In contrast to SS1, the drive control remains operational afterwards, i.e. the motor can supply the full torque required to maintain zero speed. Standstill is safely monitored (Safe Operating Stop function).
If the variant "SS2 with external stop (SS2E)" is parameterized, the drive does not brake autonomously when the function is selected. In this case, the higher-level control must bring the drive to a standstill within a parameterized Safe Operating Stop transition time. The SBR (Safe Brake Ramp) and SAM (Safe Acceleration Monitor) functions are not active. SS2E is a useful function for drives that need to be stopped as a group by the Motion Control system in order to prevent potential damage to the machine or product.
Application
As with SS1, the SS2 function ensures the quickest possible deceleration of the motor. However, the motor power is not switched off. Instead, a control system prevents it from leaving the standstill position – even if it is affected by external forces. Typical applications for SS2 include machine tools, for example.
Customer benefits
The SS2 function ensures a rapid axis stop. Because the control remains active, after the safety function is deselected, productive operation can continue without referencing. This ensures short setup and standstill times and high productivity.
Safe Operating Stop (SOS)
With the SOS function, the stopped motor is held in position by the drive control system and its position is monitored.
Effect
The SOS function constitutes safe standstill monitoring. The drive control remains in operation. The motor can therefore deliver the full torque to hold the current position. The actual position is reliably monitored. In contrast to safety functions SS1 and SS2, the speed setpoint is not influenced autonomously. After SOS has been activated, the higher-level control must bring the drive to a standstill within a parameterized time and then hold the position setpoint.
Application
SOS is an ideal solution for all those applications for which the machine or parts of the machine must be at a safe standstill for certain steps, but the drive must also supply a holding torque. It is ensured that despite counter torque the drive remains in its current position. In contrast to SS1 and SS2, the drive does not brake autonomously in this case. It expects the higher-level controller to ramp down the relevant axes as a coordinated group within an adjustable delay time. This can be used to prevent any damage to the machine or product. Typical applications for SOS include winders, converting and packaging machines and machine tools.
Customer benefits
No mechanical components are necessary to keep the axis in position despite any counterforce that may occur. Due to the short switching times and the fact that the drive control always remains active, setup and downtimes are reduced. Recalibration of the axis after exiting the SOS function is not necessary. The axis can immediately be moved again after deactivation of the SOS function.
Safe Brake Control (SBC)
The SBC function permits the safe control of a holding brake. SBC is always activated in parallel with STO.
Effect
A holding brake which is active in a de-energized state is controlled and monitored using safe two-channel technology. Due to the two-channel control, the brake may still be activated in the event of an insulation fault in the control cable. Errors of this kind are detected early by means of test pulses.
Note:
Safe Brake Control does not detect mechanical faults in the brake itself, such as worn brake linings. For Motor Modules in booksize format, the terminals for the motor brake are integrated. An additional Safe Brake Relay is required for Power Modules in blocksize format. An additional Safe Brake Adapter is necessary for Power Modules in chassis format.
Application
The SBC function is used in conjunction with the functions STO or SS1 to prevent the movement of an axis in the torque-free state, e.g. because of gravity.
Customer benefits
Again, the function saves the use of external hardware and the associated wiring.
Safe Brake Test (SBT)
The SBT diagnostic function carries out a brake function test at regular intervals or before personnel enter the danger zone.
Effect
A good way to check the proper functioning of brakes that have become worn is to apply a torque to the closed brake. Drive systems that have two brakes, e.g. motor brake and external brake, can be tested with different torque values.
Application
The SBT diagnostic function is suitable for implementing a safe brake in combination with the SBC function.
Customer benefits
The function detects faults or wear in the brake mechanics. Automatically testing the effectiveness of brakes reduces maintenance costs and increases the safety and availability of the machine or plant.
Safely-Limited Speed (SLS)
The SLS function monitors the drive to ensure that it does not exceed a preset speed or velocity limit.
Effect
The SLS function monitors the drive against a parameterized speed limit. Four different limit values can be selected. As in the case of SOS, the speed setpoint is not influenced independently. After SLS has been selected, the higher-level control must bring the drive down below the selected speed limit within a parameterizable time. If the speed limit is exceeded, a customizable drive-integrated fault reaction occurs.
The SLS limit stage 1 can be multiplied by a factor that is transferred in 16-bit resolution via PROFIsafe. This allows an almost unlimited number of limits to be specified.
Application
The SLS function is used if people are in the danger zone of a machine and their safety can only be guaranteed by reduced speed. Typical application cases include those in which an operator must enter the danger zone of the machine for the purposes of maintenance or setting up, such as a winder in which the material is manually threaded by the operator. To prevent injury to the operator, the roller may only spin at a safely reduced speed. SLS is often also used as part of a two-stage safety concept. While a person is in a less critical zone, the SLS function is activated, and the drives are only stopped safely in a smaller area with higher potential risk. SLS can be used not only for operator protection, but also for machinery protection, e.g. if a maximum speed must not be exceeded.
Customer benefits
The SLS function can contribute to a significant reduction in downtime, or greatly simplify or even accelerate setup. The overall effect achieved is a higher availability of the machine. Moreover, external components such as speed monitors can be omitted.
Safe Speed Monitor (SSM)
The SSM function warns when a drive is working below an adjustable speed limit. As long as it remains below the threshold, the function issues a safety-related signal.
Effect
If a speed value drops below a parameterized limit, a safety-related signal is generated. This signal can, for example, be processed in a safety control unit so that the programmed response to the event depends on the situation.
Application
With the SSM function, in the simplest case, a safety door can be unlocked if the speed drops below a non-critical level. Another typical example is that of a centrifuge that may be filled only when it is operating below a configured speed limit.
Customer benefits
Unlike SLS, there is no drive-integrated fault reaction when the speed limit is exceeded. The safe feedback can be evaluated in a safety control unit, allowing the user to respond appropriately to the situation.
Safe Direction (SDI)
The SDI function ensures that the drive can only move in the selected direction.
Effect
Deviation from the direction of motion currently being monitored is detected reliably and the configured drive-integrated fault reaction is initiated. It is possible to select which direction of rotation is to be monitored.
Application
The SDI function is used when the drive may only move in one direction. A typical application is to permit the operator access to a danger zone, as long as the machine is rotating in the safe direction, i.e. away from the operator. In this state, the operator can feed material into the work zone or remove material from the work zone without danger.
Customer benefits
The function saves the use of external components such as speed monitors and the associated wiring. The release of a danger zone while the machine is moving away from the operator increases productivity. Without the SDI function, the machine must be safely stopped during material loading and removal.
Safely-Limited Acceleration (SLA)
The SLA function monitors that the drive does not exceed a preset acceleration limit value.
Effect
The SLA function monitors that the motor does not violate the defined acceleration limit (e.g. in setup mode). SLA detects early on whether the speed is increasing at an inadmissible rate (the drive accelerates uncontrollably) and initiates the stop response.
Application
The SLA function is used, e.g., for SIMATIC Safe Kinematics.
Customer benefits
The function provides monitoring of the maximum permissible acceleration in setup mode and safe monitoring of the tool center point with different kinematics.
Safely-Limited Position (SLP)
The SLP function monitors the axis to ensure that it remains within the permissible traversing range.
Effect
When SLP is activated, the traversing range limited by the configured software limit switches is safely monitored. If the permitted traversing range is exited, a configurable fault reaction occurs. It is possible to toggle between two traversing ranges, even when the machine is in operation.
Application
SLP is used for applications in which machine operators have to enter a protection area, e.g. for feeding in and removing material. Safe monitoring of the axis position ensures that the axis cannot move into the protection area released for operators and so place them in danger, for example, on storage and retrieval machines, gantry cranes or machining centers.
Customer benefits
SLP can be used for highly-effective protection area monitoring. The function does away with the use of external components such as hardware limit switches and the associated wiring expense. Due to the short reaction time following a limit overshoot, safety clearances can be reduced.
Safe Position (SP)
The SP function transfers the actual position values determined safely in the drive over safe PROFIsafe communication to a safety control.
Effect
In contrast to the SLP function that monitors the current actual position value against a limit and, in the case of an overshoot, activates a drive-integrated fault reaction, SP transfers the current actual position values to the safety control. Position monitoring is implemented in the safety program of the control. Extended PROFIsafe telegrams are available for transferring the position values. The position values can be transferred in 16-bit or 32-bit resolution, as required. A time stamp is also transferred with the position values.
Application
Tailor-made safety concepts can be created using the SP function. It is ideal for use on machines that require flexible safety functions. It is extremely versatile and can be used, for example, to implement safe, axis-specific range detection by means of safe cams. The SP function can also be used to implement multi-axis safety concepts, multi-dimensional protection areas and zone concepts.
Customer benefits
Position monitoring or speed monitoring is implemented in the safety program of the control, so the user has the flexibility for implementing tailor-made safety functions. The reaction to a limit overshoot must also be specified in the safety program. This means a higher initial programming outlay, but it does offer the opportunity for initiating different fault reactions depending on the situation.
Safe Cam (SCA)
The SCA function enables safety-related monitoring of the position.
Effect
The SCA function outputs a safe signal if the drive is within a specified position range. It facilitates the realization of safe axis-specific range detection. Up to 30 safe cams can be parameterized per axis.
Application
A protective door may only be opened if the drive is in a certain position range. The drive may only be traversed at reduced speed when it is located in a certain position range.
Customer benefits
The function enables safety-related switchover of safety functions. With SCA, safe electronic cam controllers can be implemented without additional hardware. With SCA, work and protection zone delimitations are reliably detected.
Basic Functions, Extended Functions, and Advanced Functions
With SINAMICS G converters, the safety functions are basically implemented without encoders.
With SINAMICS S drives, the safety functions are implemented with encoders – individual safety functions can also be operated without encoders.
The Safety Integrated Functions are grouped into Basic Functions, Extended Functions, and Advanced Functions.
The Basic Functions are included in the standard scope of supply.
The Extended Functions must be activated by a license 1). The Advanced Functions for SINAMICS S120 must also be activated via a license.
The electronic Certificate of License is the paperless delivery form for runtime options for SINAMICS and contains information about the type of rights of use purchased for the software.
- Basic Functions
  - Safe Torque Off (STO)
  - Safe Brake Control (SBC)
  - Safe Stop 1 (SS1)
- Extended Functions
  - Safe Stop 1 (SS1) with SBR or SAM
  - Safe Stop 2 with external stop (SS2E)
  - Safe Stop 2 (SS2) with SBR or SAM
  - Safe Operating Stop (SOS)
  - Safely-Limited Speed (SLS)
  - Safe Speed Monitor (SSM)
  - Safe Direction (SDI)
  - Safely-Limited Acceleration (SLA)
  - Safe Brake Test (SBT) diagnostic function
- Advanced Functions
  - Safely-Limited Position (SLP)
  - Safe Position (SP)
  - Safe Cam (SCA)
The license for Safety Integrated Advanced Functions also includes the license for Safety Integrated Extended Functions.
For the Extended Functions SS1 and SS2 with SAM, Safe Acceleration Monitor (SAM) is performed during braking to identify any faults already during the braking phase.
With SS1 and SS2, a Safe Brake Ramp (SBR) can be configured as an alternative. SS1 can also be parameterized with an external stop (SS1E).
The Basic Functions – activated via on-board terminals on the device, TM54F Terminal Module (only for SINAMICS S) or via PROFIsafe – do not require an encoder.
1) Only applies to SINAMICS G Control Unit CU250S-2 and SINAMICS S.
Available for SINAMICS G via hardware versions "-F".
Activation of the Safety Integrated Functions
The safety functions for SINAMICS drives can be activated via terminals, e.g. for use of a conventional safety circuit.
For standalone safety solutions for small to medium-sized applications, it is frequently sufficient that the various sensing components are directly hardwired to the drive.
For integrated safety solutions, the safety-relevant sequences are generally processed and coordinated in the fail-safe SIMATIC controller. Here, the system components communicate via the PROFINET or PROFIBUS fieldbus. The safety functions are controlled via the safe PROFIsafe communication protocol.
SINAMICS drives can be easily integrated into the plant or system topology.
PROFIsafe
SINAMICS drives support the PROFIsafe profile based on PROFINET as well as on PROFIBUS.
PROFIsafe is an open communications standard that supports standard and safety-related communication over the same communication path (wired or wireless). A second, separate bus system is therefore not necessary. The telegrams that are sent are continually monitored to ensure safety-relevant communication.
Possible errors such as telegrams that have been lost, repeated or received in the incorrect sequence are avoided. This is done by consecutively numbering the telegrams in a safety-relevant fashion, monitoring their reception within a defined time and transferring an ID for transmitter and receiver of a telegram. A CRC (cyclic redundancy check) data security mechanism is also used.
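The checks named above (consecutive numbering, time monitoring, sender/receiver ID and CRC) work together as in the following receiver model. It is an added example, not Siemens code and not the PROFIsafe wire format: the frame layout, all names, the latching behaviour and the use of zlib's CRC-32 are assumptions made for illustration.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed frame layout (assumption, not the PROFIsafe wire format):
#   src_id:u16 | dst_id:u16 | seq:u16 | payload_len:u8 | payload | crc32:u32
HEADER = struct.Struct(">HHHB")
CRC = struct.Struct(">I")


def build_telegram(src_id: int, dst_id: int, seq: int, payload: bytes) -> bytes:
    body = HEADER.pack(src_id, dst_id, seq & 0xFFFF, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body))


@dataclass
class SafetyReceiver:
    own_id: int
    peer_id: int
    watchdog_s: float                 # max. gap between valid telegrams
    last_seq: Optional[int] = None
    last_rx: Optional[float] = None
    failsafe: bool = False            # latched once any check fails (assumption)

    def _fail(self, reason: str) -> str:
        self.failsafe = True
        return reason

    def poll(self, now: float) -> str:
        """Cyclic time monitoring: trips when no valid telegram arrived in time."""
        if self.last_rx is not None and now - self.last_rx > self.watchdog_s:
            return self._fail("timeout")
        return "ok"

    def receive(self, frame: bytes, now: float) -> str:
        if self.failsafe:
            return "failsafe-latched"
        if len(frame) < HEADER.size + CRC.size:
            return self._fail("crc")
        body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
        if zlib.crc32(body) != crc:                      # corruption in transit
            return self._fail("crc")
        src, dst, seq, plen = HEADER.unpack(body[:HEADER.size])
        if plen != len(body) - HEADER.size:
            return self._fail("length")
        if (src, dst) != (self.peer_id, self.own_id):    # misrouted telegram
            return self._fail("address")
        if self.poll(now) != "ok":                       # arrived too late
            return "timeout"
        if self.last_seq is not None:
            if seq == self.last_seq:                     # same telegram again
                return self._fail("repeated")
            if seq != (self.last_seq + 1) & 0xFFFF:      # lost or out of order
                return self._fail("sequence")
        self.last_seq, self.last_rx = seq, now
        return "ok"


def run(frames_with_times) -> str:
    """Feed (frame, time) pairs to a fresh receiver; return the last verdict."""
    rx = SafetyReceiver(own_id=2, peer_id=1, watchdog_s=0.1)
    verdict = "ok"
    for frame, t in frames_with_times:
        verdict = rx.receive(frame, t)
    return verdict


def scenarios() -> dict:
    t = lambda seq, src=1: build_telegram(src, 2, seq, b"\x01\x00")  # constructed data
    bad = bytearray(t(1))
    bad[HEADER.size] ^= 0x01                             # single flipped payload bit
    return {
        "good":      run([(t(0), 0.00), (t(1), 0.05), (t(2), 0.10)]),
        "lost":      run([(t(0), 0.00), (t(2), 0.05)]),
        "repeated":  run([(t(0), 0.00), (t(0), 0.05)]),
        "reordered": run([(t(0), 0.00), (t(1), 0.02), (t(0), 0.04)]),
        "late":      run([(t(0), 0.00), (t(1), 0.50)]),
        "misrouted": run([(t(0, src=9), 0.00)]),
        "corrupted": run([(t(0), 0.00), (bytes(bad), 0.05)]),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:10s} -> {verdict}")
```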
The operating principle of Safety Integrated
Two independent switch-off signal paths
Two independent switch-off signal paths are available. All switch-off signal paths are low active. This ensures that the system is always switched to a safe state if a component fails or in the event of cable breakage. If a fault is discovered in the switch-off signal paths, the STO or SS1 function (depending on parameter settings) is activated and a system restart inhibited.
Two-channel monitoring structure
All the main hardware and software functions for Safety Integrated are implemented in two independent monitoring channels (e.g. switch-off signal paths, data management, data comparison). A cyclic crosswise comparison of the safety-relevant data in the two monitoring channels is carried out.
The monitoring functions in each monitoring channel work on the principle that a defined state must prevail before each action is carried out and a specific acknowledgement must be made after each action. If these expectations of a monitoring channel are not fulfilled, the drive coasts to a standstill (two channel) and an appropriate message is output.
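The low-active, two-channel principle described above can be modelled as follows. This is an added example, not Siemens firmware: the class, the tolerated discrepancy time and the sample timings are assumptions, and STO is used as the fault reaction (the page notes that SS1 can be parameterized instead).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TwoChannelSTO:
    discrepancy_s: float                   # how long the channels may disagree (assumed parameter)
    pulses_enabled: bool = False
    restart_inhibit: bool = False          # latched after a fault in a switch-off path
    _differ_since: Optional[float] = None

    def update(self, ch_a: bool, ch_b: bool, now: float) -> str:
        """ch_a / ch_b: True = signal present (run permitted), False = low (stop)."""
        # Low-active: a broken wire, dead supply or failed component reads as
        # "low", so either channel alone removes the pulse enable at once.
        if not (ch_a and ch_b):
            self.pulses_enabled = False

        # Crosswise comparison: both channels must report the same state.
        if ch_a != ch_b:
            if self._differ_since is None:
                self._differ_since = now
            elif now - self._differ_since > self.discrepancy_s:
                self.restart_inhibit = True
                return "fault"
            return "sto"
        self._differ_since = None

        if not ch_a:                       # both channels low: regular STO
            return "sto"
        if self.restart_inhibit:           # both high again, but fault is latched
            return "fault"                 # acknowledgement is not modelled here
        self.pulses_enabled = True
        return "run"


def evaluate(samples, discrepancy_s: float = 0.05):
    """Run (ch_a, ch_b, time) samples through a fresh monitor."""
    mon = TwoChannelSTO(discrepancy_s)
    states = [mon.update(a, b, t) for a, b, t in samples]
    return states, mon


# Constructed samples: a normal stop request whose channels switch 10 ms apart ...
NORMAL_STOP = [(True, True, 0.00), (True, False, 0.01),
               (False, False, 0.02), (True, True, 0.03)]
# ... and a cable break on channel A only, followed by an attempted restart.
CABLE_BREAK = [(True, True, 0.00), (False, True, 0.01),
               (False, True, 0.10), (True, True, 0.20)]

if __name__ == "__main__":
    print(evaluate(NORMAL_STOP)[0])
    print(evaluate(CABLE_BREAK)[0])
```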
Forced dormant error detection using test stop
The functions and switch-off signal paths must be tested at least once within a defined time in order to meet requirements as per ISO 13849-1 and IEC 61508 in terms of timely fault detection. This must be implemented either in cyclic manual mode or the test stop must be automatically initiated as part of the process. The test stop cycle is monitored, and after a specific time has been exceeded, an alarm is output. A test stop does not require a POWER ON. The acknowledgment is set by canceling the test stop request.
Examples of when forced dormant error detection must be performed:
- When the drives are at a standstill after the system has been switched on
- Before the protective door is opened
- At defined intervals (e.g. every 8 hours)
- In automatic mode, time and event-driven
Safe speed/position sensing without/with encoder
Safe actual value sensing without encoder
A drive monitor with encoder is necessary for operation of a series of safety functions.
For applications with encoderless mode or with encoders that have no safety capability, the safety functions can also be implemented without encoder. It is not possible to use all safety functions in this case.
In operation without encoder, the actual speed values are calculated from the measured electrical actual values. This means that speed monitoring is also possible during operation without an encoder.
Safe actual value sensing with encoder
Incremental encoders or absolute encoders can be used for safe sensing of the position values on a drive.
Safe actual value sensing relies on redundant evaluation of the incremental tracks A/B that supply sin/cos signals of 1 Vpp. Only encoders of the type whose A/B track signals are created and processed using purely analog techniques can be used.
HTL/TTL incremental encoders may also be used. In this case, safe actual value sensing is achieved by using two independent encoders. The minimum possible speed resolution must also be taken into account.
The encoder signals are input via Sensor Modules.
As an alternative, motors with an integrated DRIVE-CLiQ interface can be used. The speed or position actual values are generated directly in the motor as safe values and are transferred to the Control Unit over safe communication via DRIVE-CLiQ.
Certified built-on rotary encoders with DRIVE-CLiQ interface may also be used (see https://support.industry.siemens.com/cs/document/65402168).
The encoder must be mechanically attached in such a way that the encoder shaft cannot come unplugged or slide off. For notes on this, see IEC 61800-5-2: 2016, Table D.16.
A list of Siemens motors that fulfill the electrical and mechanical requirements is available at:
https://support.industry.siemens.com/cs/document/33512621
The following can be used for safe speed/position sensing:
- Single-encoder systems or
- Dual-encoder systems
Single-encoder system
Example: Single-encoder system
In a single-encoder system, the motor encoder is used exclusively for safe actual value sensing.
Dual-encoder system
Example: Dual-encoder system
In the case of the dual-encoder system, the safe actual values for a drive are provided by two separate encoders. The actual values are transferred to the Control Unit over DRIVE-CLiQ. When motors without a DRIVE-CLiQ connection are used, a Sensor Module must be provided.
HTL/TTL incremental encoders can be used as an alternative with a dual-encoder system. Either two HTL/TTL encoders, one dual-HTL/TTL encoder or one HTL/TTL encoder and one sin/cos encoder can be used.
The safety functions are listed below with criteria for actual value sensing:
| Functions | Abbreviation | With encoder | Without encoder | Description |
|---|---|---|---|---|
| Basic Functions | | | | |
| Safe Torque Off | STO | Yes | Yes | Safe Torque Off |
| Safe Stop 1 | SS1 | Yes | Yes 1) | Safe stopping process in accordance with stop category 1 |
| Safe Brake Control | SBC | Yes | Yes | Safe Brake Control |
| Extended Functions | | | | |
| Safe Torque Off | STO | Yes | Yes | Safe Torque Off |
| Safe Stop 1 | SS1 | Yes | Yes 1) | Safe stopping process in accordance with stop category 1 |
| Safe Brake Control | SBC | Yes | Yes | Safe Brake Control |
| Safe Operating Stop | SOS | Yes | No | Safe monitoring of the standstill position |
| Safe Stop 2 | SS2 | Yes | No | Safe stopping process in accordance with stop category 2 |
| Safely-Limited Speed | SLS | Yes | Yes 1) | Safe monitoring of the maximum speed |
| Safe Speed Monitor | SSM | Yes | Yes 1) | Safe monitoring of the minimum speed |
| Safe Direction | SDI | Yes | Yes 1) | Safe monitoring of the direction of motion |
| Safely-Limited Acceleration | SLA | Yes | No | Safely-Limited Acceleration |
| Safe Brake Test | SBT | Yes | No | Diagnostic function for safe testing of the required holding torque of a brake |
| Advanced Functions | | | | |
| Safely-Limited Position | SLP | Yes | No | Safely-Limited Position |
| Safe Position | SP | Yes | Yes 2) | Safe transfer of position values |
| Safe Cam | SCA | Yes | No | Safe cams |
1) The use of this safety function without encoder is permitted with asynchronous (induction) motors or with reluctance motors.
2) Only for the transmission of relative position values. An encoder is required to transmit absolute position values.