Festo CMMP-AS-Series-M0-STO User Manual

Motor controller
CMMP-AS-...-M0 – STO
Description
Safety function STO as per EN 61800-5-2
8042945 1412a
Translation of the original instructions GDCP-CMMP-AS-M0-S1-EN
Identification of hazards and instructions on how to prevent them:
Danger
Immediate dangers which can lead to death or serious injuries.
Warning
Hazards that can cause death or serious injuries.
Caution
Hazards that can cause minor injuries or serious material damage.
Other symbols:
Note
Material damage or loss of function.
Recommendations, tips, references to other documentation.
Essential or useful accessories.
Information on environmentally sound usage.
Text designations:
• Activities that may be carried out in any order.
1. Activities that should be carried out in the order stated.
– General lists.
→ Result of an action/References to more detailed information.
2 Festo – GDCP-CMMP-AS-M0-S1-EN – 1412a –
Table of contents – CMMP-AS-...-M0 – STO
1 Safety and requirements for product use
1.1 Safety
1.1.1 General safety information
1.1.2 Intended use
1.1.3 Possible incorrect application
1.1.4 Attainable safety level, Safety function to EN ISO 13849-1 / EN 61800-5-2
1.2 Requirements for product use
1.2.1 Technical requirements
1.2.2 Qualification of the specialists (requirements for the personnel)
1.2.3 Diagnostic coverage (DC)
1.2.4 Range of application and certifications
2 Description of the safety function STO
2.1 Product overview
2.1.1 Purpose
2.1.2 Interface
2.2 Function and application
2.2.1 Description of the safety function STO
2.2.2 Overview of interface [X40]
2.2.3 Control ports STO-A, 0V-A / STO-B, 0V-B [X40]
2.2.4 Acknowledgment contact C1, C2 [X40]
2.2.5 Auxiliary supply 24 V, 0 V [X40]
2.3 Functionality in motor controller CMMP-AS-...-M0
2.4 Time behaviour
2.4.1 Basic time behaviour STO
2.4.2 Time behaviour for activating STO during operation with restart
2.4.3 Time behaviour for activating SS1 during operation with restart
3 Mounting and installation
3.1 Mounting / dismantling
3.2 Electrical installation
3.2.1 Safety regulations
3.2.2 Connection [X40]
3.2.3 Minimum wiring for commissioning [X40]
3.3 Typical circuits
3.3.1 Safe torque switch off (STO, “Safe Torque Off”)
3.3.2 Delays and safe torque switch off (SS1, “Safe Stop 1”)
4 Commissioning
4.1 Prior to commissioning
4.2 Support by FCT
4.2.1 Status display of the safety function
4.2.2 Display log file of the motor controller
4.3 Performance test, validation
5 Operation
5.1 Obligations of the operator
5.2 Maintenance and care
5.3 Protective functions
5.3.1 Voltage monitoring
5.3.2 Protection against overvoltage and reverse polarity
5.4 Diagnostics and troubleshooting
5.4.1 Status indicators
5.4.2 Error messages
6 Modification and replacement of the motor controller
6.1 Repair or replacement of the integrated protection circuit
6.2 De-commissioning and waste management
6.3 Replacing the previous CMMP-AS series with the CMMP-AS-…-M0
A Technical appendix
A.1 Technical data
A.1.1 Safety engineering
A.1.2 General, operating and environmental conditions CMMP-AS-...-M0
A.1.3 Electrical data [X40]
B Glossary
Instructions on this documentation
This documentation is intended to ensure that work with the STO safety function (“Safe torque off”) in accordance with EN 61800-5-2 is performed safely for the motor controller CMMP-AS-...-M0.
• In addition, always observe the general safety regulations for the CMMP-AS-...-M0.
The general safety regulations for the CMMP-AS-...-M0 can be found in the hardware documentation, GDCP-CMMP-M0-HW-... → Tab. 2. Observe the information regarding safety and the requirements for product use in section 1.2.
Product identification
This documentation refers to the following versions:
– Motor controller CMMP-AS-…-M0 from Rev 04
– Firmware 4.0.1501.1.2 and higher
The representation on the rating plate can be found in the hardware description, GDCP-CMMP-M0-HW-...
Service
Please consult your regional Festo contact if you have any technical problems.
Specified standards/guidelines (issue status):
– EN 60204-1:2006-06/A1:2009-02
– EN ISO 13849-1:2008-06/AC:2009-03
– EN 61800-5-1:2007-09
– IEC 61131-2:2007-09
– EN 61800-5-2:2007-10
– IEC 61508-1/.../-7:2010-04
– EN 62061:2005-04/AC:2010-02/A1:2013-02
Tab. 1 Standards/directives specified in the document
Documentation
You will find additional information on the motor controller in the following documentation:
User documentation on the motor controller CMMP-AS-...-M0
Name, type | Contents
Hardware description, GDCP-CMMP-M0-HW-... | Mounting and installation for all variants/power classes (1-phase, 3-phase), pin assignments, error messages, maintenance.
Description of commissioning, GDCP-CMMP-M0-FW-... | Commissioning with FCT + functional description (firmware). Overview of FHPP, fieldbus, safety engineering.
Description FHPP, GDCP-CMMP-M3-M0-C-HP-... | Control and parameterisation of the motor controller via the FHPP Festo profile.
Description of CiA 402 (DS 402), GDCP-CMMP-M3-M0-C-CO-... | Control and parameterisation of the motor controller via the device profile CiA 402 (DS 402).
Description CAM-Editor, P.BE-CMMP-CAM-SW-... | Cam disc function (CAM) of the motor controller.
Description of the safety function STO, GDCP-CMMP-AS-M0-S1-... | Functional safety engineering for the motor controller with the safety function STO.
Help for the FCT plug-in CMMP-AS | User interface and functions of the CMMP-AS plug-in for the Festo Configuration Tool. → www.festo.com
Tab. 2 Documentation on the motor controller CMMP-AS-...-M0

1 Safety and requirements for product use

1.1 Safety

1.1.1 General safety information

• In addition, always observe the general safety regulations for the CMMP-AS-…-M0.
The general safety regulations for the CMMP-AS-...-M0 can be found in the hardware documentation, GDCP-CMMP-M0-HW-... → Tab. 2, page 6.
Note
Loss of the safety function.
Non-observance of the environmental and connection conditions may lead to loss of safety functions.
• Observe the specified environmental and connection conditions, in particular the input voltage tolerances → Technical data, Appendix A.1.
Note
Damage to the motor controller due to incorrect handling.
• Switch off the supply voltage before mounting and installation work. Switch on supply voltage only when mounting and installation work are completely finished.
• Observe the handling specifications for electrostatically sensitive devices.

1.1.2 Intended use

The CMMP-AS-...-M0 motor controller supports the following safety function:
– “Safe torque off” (STO) with SIL 3 according to EN 61800-5-2 / EN 62061 / IEC 61508 or category 4 / PL e according to EN ISO 13849-1.
The CMMP-AS-...-M0 motor controller is a product with safety-relevant functions and is intended for installation in machines or automation systems and for use as follows:
– in excellent technical condition,
– in original status without unauthorised modifications,
– within the product's limits as defined by the technical data → Appendix A.1,
– in an industrial environment.
Note
In the event of damage caused by unauthorised manipulation or other than intended use, the guarantee is invalidated and the manufacturer is not liable for damages.

1.1.3 Possible incorrect application

The following misuses are among those not approved as intended use:
– use outdoors,
– use in the non-industrial area (residential areas),
– use in applications where switching off can result in hazardous movements or conditions.
Note
– The STO function is insufficient as the sole safety function for drives subject to permanent torque or force (e. g. suspended loads).
– Bypassing of safety equipment is impermissible.
– Repairs to the motor controller are impermissible!
The STO (Safe Torque Off) function does not provide protection against electric shock, only against hazardous movements! → Hardware documentation, GDCP-CMMP-M0-HW-...

1.1.4 Attainable safety level, Safety function to EN ISO 13849-1 / EN 61800-5-2

The CMMP-AS-...-M0 motor controller with integrated STO safety function fulfils the requirements of
– Category 4 / PL e to EN ISO 13849-1
– SIL CL 3 to EN 62061
and can be used in applications up to cat. 4 / PL e to EN ISO 13849-1 and SIL 3 to EN 61800-5-2 / EN 62061 / IEC 61508. The achievable safety level depends on the other components used to achieve a safety function.

1.2 Requirements for product use

• Make this documentation available to the design engineer, installer and personnel responsible for commissioning the machine or system in which this product is used.
• Make sure that the specifications of the documentation are always complied with. When so doing, also take into account the documentation for the other components (e. g. motors, cables, etc.).
• Take into consideration the legal regulations applicable for the destination, as well as:
– regulations and standards,
– regulations of the testing organizations and insurers,
– national specifications.
• For emergency stop applications, protection against automatic restart corresponding to the required safety category must be furnished. Among other means, this can take place through an external safety switching device.

1.2.1 Technical requirements

General conditions for the correct and safe use of the product, which must be observed at all times:
• Comply with the connection and environmental conditions of the motor controller (→ Appendix A.1) and all connected components specified in the technical data. Only compliance with the limit values or load limits will enable operation of the product in compliance with the relevant safety regulations.
• Observe the instructions and warnings in this documentation.

1.2.2 Qualification of the specialists (requirements for the personnel)

The device may only be set into operation by a qualified electrotechnician who is familiar with:
– the installation and operation of electrical control systems,
– the applicable regulations for operation of safety engineering systems,
– the applicable regulations on accident protection and industrial safety, and
– the documentation for the product.

1.2.3 Diagnostic coverage (DC)

Diagnostic coverage depends on the connection between the motor controller and the control loop system as well as the implemented diagnostic measures → Section 5.4. If a potentially dangerous malfunction is recognised during the diagnostics, appropriate measures must be taken to maintain the safety level.
Note
Check whether cross-circuit detection of the input circuit and the connection wiring is required in your application. If necessary, use a safety switching device with cross-circuit detection for activation of the safety function.

1.2.4 Range of application and certifications

The motor controller with integrated STO safety function is a safety-related part of the control systems. The motor controller carries the CE mark. Standards and test values which the product must comply with and fulfils can be found in the section “Technical data” (→ Appendix A.1). The product-relevant EU directives can be found in the declaration of conformity.
Certificates and the declaration of conformity for this product can be found at → www.festo.com.

2 Description of the safety function STO

2.1 Product overview

2.1.1 Purpose

As processes become increasingly automated, protecting people from potentially hazardous movements is gaining in importance. Functional safety describes the measures offered by electrical or electronic devices that are required to reduce or eliminate malfunction-induced hazards. In normal operation, safety devices prevent human intervention in hazardous areas. In certain operating modes, during set-up for example, people also need to be in hazardous areas. In such situations, the machine operator must be protected by drive and internal control measures.
The functional safety technology integrated in the motor controller provides the conditions required by the controller and drive for optimised realisation of the safety functions. Planning and installation complexity is reduced. The use of integrated functional safety technology increases machine functionality and availability over the levels achieved by conventional safety technology.

2.1.2 Interface

The CMMP-AS-...-M0 motor controller is equipped with a digital I/O interface [X40] for control of the STO safety function.
Fig. 2.1 Motor controller CMMP-AS-...-M0 (figure not reproduced). Legend:
1 Motor controller CMMP-AS-…-M0
2 Digital I/O interface [X40] for control of the STO function
3 Pin 1 of the interface [X40]
Connection labels at [X40] as listed in the figure: 0 V, 24 V, C2, C1, 0V-B, STO-B, 0V-A, STO-A

2.2 Function and application

The CMMP-AS-...-M0 motor controller exhibits the following safety-related features:
– “Safe Torque Off” function (STO),
– Potential-free acknowledgement contact for the operating status.
By using an appropriate external safety switching device and protective circuit for the CMMP-AS-...-M0 motor controller, the “Safe Stop 1” function (SS1) can be realised.

2.2.1 Description of the safety function STO

Use the “Safe torque off” function (STO) whenever you have to reliably disconnect the energy supply to the motor in your particular application. The “Safe torque off” function switches off the driver supply for the power semiconductor, thus preventing the power output stage from supplying the current required by the motor → Fig. 2.2.
Fig. 2.2 “Safe torque off” - functional principle for CMMP-AS-…-M0 (circuit diagram not reproduced). Legend:
1 Safety command device (e. g. switch, relay, safety switching device)
2 Integrated safety function STO
3 Power output stage in CMMP-AS-…-M0 (only one phase shown)
4 Driver supply
5 Motor connection
6 Acknowledgment contact
The power supply to the drive is reliably disconnected via the active safety function STO “Safe torque off ”. The drive cannot generate any torque or force and so cannot perform any hazardous movements. With suspended loads or other external forces, additional measures must be taken to ensure that the load does not drop (e.g. mechanical holding brake). In the STO “Safe torque off” state, the standstill position is not monitored. The machine must be stopped in a safe manner, e. g. via a safety switching device.
Note
There is a risk that the drive will advance in case of multiple errors in the CMMP-AS-…-M0. Failure of the motor controller output phase during STO status (simultaneous short circuit of 2 power semiconductors in different phases) may result in a limited detent movement of the rotor. The rotation angle / path corresponds to a pole pitch. Examples:
– Rotary axis, synchronous machine, 8-pole → movement 45° at the motor shaft.
– Linear motor, pole pitch 20 mm → movement 20 mm at the moving part.

2.2.2 Overview of interface [X40]

The front of the motor controller features an 8-pin connection [X40] for control ports, an acknowledgment contact and a 24 V auxiliary supply for external sensors → Section 3.2. The safety function STO is requested solely via the two digital control ports STO-A and STO-B. A safety circuit for additional interfaces on the CMMP-AS-...-M0 motor controller is neither required nor intended.
Cross-circuit detection in the input circuit is not carried out by the motor controller.
The status of the motor controller is reported back to an external safety switching device through a potential-free acknowledgment contact (normally open). This enables a downwards-compatible activation to be realised in a mixed configuration, comprising a CMMP-AS (previous series with “Safe stop” functionality via the connection [X3]) and the CMMP-AS-…-M0 → Section 6.3. The interface [X40] permits the direct connection of active and passive sensors, since a 24 V supply voltage (auxiliary supply) with corresponding reference potential is led out.
Ports | Description
STO-A (Pin 1), 0V-A (Pin 2) | Control port A for the STO function with corresponding reference potential. 1) – Request for “Safe torque off” (STO) at Low (0 signal), together with STO_B.
STO-B (Pin 3), 0V-B (Pin 4) | Control port B for the STO function with corresponding reference potential. 1) – Request for “Safe Torque Off” (STO) at Low (0 signal), together with STO_A.
C1 (Pin 5), C2 (Pin 6) | Acknowledgment contact for the “Safe torque off” (STO) status, e. g. to an external controller. – Acknowledgment contact opened: “Safe torque off” (STO) not active. – Acknowledgment contact closed: “Safe torque off” (STO) active.
24 V (Pin 7), 0 V (Pin 8) | Auxiliary supply, e.g. for safety peripherals (DC 24 V logic supply of the motor controller).
1) Control inputs 24 V, high active, based on EN 61131-2, deviating signal level → Appendix A, Tab. A.5
Tab. 2.1 Function of the [X40] connections
The connections are electrically isolated from each other in groups and from the 24 V supply to the motor controller → Appendix A.1.3, Tab. A.8.

2.2.3 Control ports STO-A, 0V-A / STO-B, 0V-B [X40]

The safety function STO (safe torque off) is requested via the two control ports STO-A and STO-B. These permit the direct connection of safe semiconductor outputs (electronic safety switching devices, active safety sensors, e. g. light curtains with OSSD signals) and of switch contacts (safety switching devices with relay outputs, passive safety sensors, e. g. forced position switches) → e. g. Section 3.3.1, Fig. 3.1.
To request the safety function STO (safe torque off), the 24 V control voltage at both control ports STO-A and STO-B is switched off (0 V). If the two control ports are switched off simultaneously or within a defined discrepancy time, the STO function is active. If both channels are not actuated simultaneously, the STO function is nevertheless active at the first request. If a channel is not switched off, it is interpreted as an error and results in an error message being issued.
For control ports STO-A and STO-B, an undervoltage monitor is integrated to eliminate the possibility of invalid voltage ranges for the downstream electronics, as well as an overvoltage monitor to protect against overvoltage.
Tab. A.5 in Appendix A.1.3 describes the technical data for the control ports.
Tolerance ranges are defined for the input voltage range of control ports STO-A and STO-B. The amount of energy stored in the motor controller components (e. g. capacitors) depends on the input voltage level. During switch-off procedures this amount of energy must be discharged. Consequently, switch-off time values for the transition to the safe state (STO) and the tolerance time vis-a-vis OSSD signals (buffer time) depend on the input level. The time response requirements are contained in the technical specifications in the Appendix A.1.3. The time response itself is described in Section 2.4.
Discrepancy time
The transition between the safe and the unsafe state is initiated via level changes at the control ports STO-A and STO-B of the motor controller. According to the safety function specification, the two levels must be identical, otherwise an error message will be generated. The finite state machine in the motor controller internally monitors the driver supply voltage after the control ports have been activated. Due to component tolerances or bouncing safety controller ports, for example, these level changes do not normally occur precisely at the same time. The firmware tolerates this for as long as the second input occurs within a defined time, the so-called discrepancy time. If this time is exceeded, the motor controller generates an error message. A discrepancy time of 100 ms is specified. Always switch STO-A and STO-B simultaneously.
Test pulse
Test pulses from safety controls are tolerated within a certain range and therefore do not cause a request of the STO function. The tolerance to test pulses from sensors with OSSD signals is rated for the operating range specified in accordance with Appendix A.1.3, Tab. A.6. The permissible test pulse length is dependent upon the control voltage level at inputs STO-A and STO-B.
Example: Input voltage for STO-A and STO-B = 24 V
→ OSSD signals with a max. test pulse length of 3.5 ms are tolerated.

2.2.4 Acknowledgment contact C1, C2 [X40]

In the event of a non-active STO function the acknowledgment contact is open. This is the case, for example, if the control voltage is present at STO-A and STO-B, if only one of the two control voltages STO-A or STO-B is present, if the 24 V logic power supply is switched off, or if the supply voltage fails. In the event of an active STO function the relay contact is closed.
The acknowledgment contact has a single channel and should only be used for monitoring purposes. Tab. A.7 in appendix A.1.3 describes the electrical data, Tab. A.6 the time response of the acknowledgment contact. When the 24 V supply to the basic device is turned on and off, the switching status of the relay may - due to the internal supply voltages powering up at a different speed - deviate briefly (approx. 100 ms) from the state of the control ports STO-A and STO-B.
In order to guarantee the DC and SFF values specified in appendix A.1.1, the state of the C1/C2 acknowledgment contact needs to be registered for each request of the safety function. When the safety function has been requested, a change in signal must occur at the acknowledgment contact within an application-specific time. A safety-related response must be initiated in the event of a violation.
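Added example, not part of the Festo documentation or firmware: an offline check of a recorded signal trace against the rules described above under "Discrepancy time", "Test pulse" and for the acknowledgment contact (100 ms discrepancy time, test pulses up to 3.5 ms at 24 V, C1/C2 feedback after each request). The trace format, the function names and the 50 ms acknowledgment timeout are assumptions, and the sample trace is constructed.

```python
DISCREPANCY_MS = 100.0  # discrepancy time specified in the manual
TEST_PULSE_MS = 3.5     # max. tolerated test pulse at 24 V input (manual's example)
ACK_TIMEOUT_MS = 50.0   # ASSUMPTION: stands in for the "application-specific time"


def drop_test_pulses(edges, max_ms=TEST_PULSE_MS):
    """Drop low pulses (1 -> 0 -> 1) of at most max_ms from one channel's edge list."""
    kept, i = [], 0
    while i < len(edges):
        t, level = edges[i]
        nxt = edges[i + 1] if i + 1 < len(edges) else None
        if level == 0 and nxt is not None and nxt[1] == 1 and nxt[0] - t <= max_ms:
            i += 2  # short low pulse: tolerated, not an STO request
            continue
        kept.append((t, level))
        i += 1
    return kept


def check_trace(events, end_ms, discrepancy_ms=DISCREPANCY_MS,
                test_pulse_ms=TEST_PULSE_MS, ack_timeout_ms=ACK_TIMEOUT_MS):
    """Return (request_times, findings) for a trace of (t_ms, signal, level) edges.

    Signals: "STO-A"/"STO-B" (1 = 24 V present, 0 = switched off) and
    "C1C2" (1 = acknowledgment contact closed, i.e. STO active).
    Each finding is a tuple (t_ms, kind), kind being "discrepancy" or "ack_missing".
    """
    edges = {"STO-A": [], "STO-B": [], "C1C2": []}
    for t, name, level in sorted(events):
        edges[name].append((t, level))
    for name in ("STO-A", "STO-B"):
        edges[name] = drop_test_pulses(edges[name], test_pulse_ms)
    merged = sorted((t, name, lv) for name, ch in edges.items() for t, lv in ch)

    state = {"STO-A": 1, "STO-B": 1, "C1C2": 0}  # start: enabled, contact open
    requests, findings = [], []
    diff_since = None  # time the two control ports started to differ
    ack_since = None   # time a request completed while the contact was still open

    def expire(now):
        """Report deadlines that ran out before 'now' (each one only once)."""
        nonlocal diff_since, ack_since
        if diff_since is not None and now - diff_since > discrepancy_ms:
            findings.append((diff_since + discrepancy_ms, "discrepancy"))
            diff_since = None
        if ack_since is not None and now - ack_since > ack_timeout_ms:
            findings.append((ack_since + ack_timeout_ms, "ack_missing"))
            ack_since = None

    for t, name, level in merged + [(end_ms, None, None)]:
        expire(t)
        if name is None:  # end-of-trace sentinel
            break
        was_equal = state["STO-A"] == state["STO-B"]
        was_requested = state["STO-A"] == 0 and state["STO-B"] == 0
        state[name] = level
        equal = state["STO-A"] == state["STO-B"]
        requested = state["STO-A"] == 0 and state["STO-B"] == 0
        if was_equal and not equal:
            diff_since = t
        elif equal:
            diff_since = None
        if requested and not was_requested:
            requests.append(t)  # both channels low: request complete
            ack_since = t if state["C1C2"] == 0 else None
        elif not requested or state["C1C2"] == 1:
            ack_since = None
    return requests, findings


# Constructed sample trace (not measured data): a 2 ms test pulse on both
# channels, one clean request, one request with 250 ms channel skew, and one
# request without C1/C2 feedback.
SAMPLE = [
    (500, "STO-A", 0), (502, "STO-A", 1), (500, "STO-B", 0), (502, "STO-B", 1),
    (1000, "STO-A", 0), (1004, "STO-B", 0), (1020, "C1C2", 1),
    (2000, "STO-A", 1), (2003, "STO-B", 1), (2010, "C1C2", 0),
    (3000, "STO-A", 0), (3250, "STO-B", 0), (3260, "C1C2", 1),
    (4000, "STO-A", 1), (4000, "STO-B", 1), (4010, "C1C2", 0),
    (5000, "STO-A", 0), (5001, "STO-B", 0),
]

if __name__ == "__main__":
    reqs, found = check_trace(SAMPLE, end_ms=6000)
    print("requests completed at (ms):", reqs)
    for t_ms, kind in found:
        print(f"{t_ms:8.1f} ms  {kind}")
```

The check runs on logged data only; it does not replace the safety-related response the manual requires from the external safety switching device.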

2.2.5 Auxiliary supply 24 V, 0 V [X40]

The CMMP-AS-...-M0 motor controller supplies a 24 V auxiliary supply at [X40]. This can be employed when using the acknowledgment contact C1/C2 or to supply external, active sensors.
Tab. A.8 Appendix A.1.3 describes the electrical data for the auxiliary supply.

2.3 Functionality in motor controller CMMP-AS-...-M0

The following functions in the CMMP-AS-...-M0 motor controller are not certified to EN 61800-5-2. They are functional supplements and offer additional diagnostics options.
Error messages generated by the integrated protection circuit, such as exceeding the discrepancy time, are detected and analysed by the non-safety finite state machine of the motor controller. If the conditions for an error status are recognised, an error message is generated. In this case, it cannot always be guaranteed that the power end stage has been safely switched off.
The integrated protection circuit exclusively controls the provisioning of the driver supply for the CMMP-AS-...-M0 motor controller. Although input voltage levels are monitored area by area, the integrated protection circuit does not have its own error analysis function and is unable to display errors.
Note
When error messages are acknowledged, all acknowledgeable errors regarding functional safety are also always acknowledged → Section 5.4.2.
The CMMP-AS-...-M0 motor controller monitors the status of the control ports STO-A and STO-B. Consequently, the motor controller firmware detects the request for the safety function STO (safe torque off) and various non-safety functions are then performed:
– Detection of deactivated driver supply for the power semiconductor via the integrated protection circuit,
– Deactivation of the drive controller and activation of the power semiconductor (PWM),
– The holding brake controller is deactivated (if configured),
– Finite state machine on the motor controller with activation analysis (discrepancy time),
– Detection of application-specific error conditions,
– Hardware diagnostics,
– Status and error display via display, digital outputs, fieldbuses etc.
Note
If one of the control ports STO-A or STO-B is deactivated with an active output stage, it will result in uncontrolled coasting of the drive. If uncontrolled coasting can result in a hazard or damage, additional measures are required.
Note
A clamping unit is actuated by the non-safety-relevant firmware of the CMMP-AS-...-M0 motor controller.
The holding brakes used by Festo motors are not suitable for active deceleration - only for holding a position!
The safe state can be requested when the power semiconductor (PWM) is activated. The two driver supply voltage states are detected and analysed in 10 ms cycles. If they are unequal over a prolonged period, an error message is triggered → Section 5.4.2. The safety function presupposes that the two signals have the same status. Unequal signals are tolerated only during a transition period, the so-called “discrepancy time” → Section 2.2.3.
The finite state machine in the CMMP-AS-...-M0 motor controller has its own status in parallel to the integrated protection circuit. Due to the discrepancy time analysis, this finite state machine may reach the “Safe status” only with a considerable delay. Accordingly, this state can also be signalled via digital outputs or a fieldbus only with a considerable delay. The power end stage itself is then, however, “safely switched off”. This finite state machine is processed within the 10 ms cycle. This generally results in a graded response speed as per Tab. 2.2:
Function | Response time | Reaction
Switching time from high to low | T_STO-A/B_OFF | → Section A.1.3, Tab. A.5
Switching time from low to high | T_STO-A/B_ON | → Section A.1.3, Tab. A.5
Detection of driver supply failure | t_Response 125 μs | Activation of the power semiconductor (PWM) is switched off
Activation of holding brake | t_Response 10 ms | Activation of the holding brake after detection of the driver supply failure
Signal analysis and status display | t_Response 10 ms | Status transitions in the internal finite state machine, triggering an error message and showing the status on the display if necessary
Tab. 2.2 Detection and response times of the driver supply voltage

2.4 Time behaviour

Functionally, the STO-A and STO-B inputs are identical. The switch sequence of STO-A/STO-B is interchangeable across all diagrams.

2.4.1 Basic time behaviour STO

Fig. 2.3 displays the basic time behaviour of the integrated protection circuit. The time specifications can be found in table Tab. 2.3.
Fig. 2.3 Basic time behaviour when activating and deactivating the safety function STO (timing diagram not reproduced; it shows the control ports STO-A and STO-B and the status of C1/C2 (open/closed) at [X40], the internal “Safety status” and the display of the CMMP-AS-…-M0, with the times T_STO-A/B_OFF, T_STO-A/B_ON, T_C1/C2_ON, T_C1/C2_OFF and T_DRIVE_V)
Time | Description | Value
T_STO-A/B_OFF | STO-A/B – Switching time from High to Low | → Section A.1.3, Tab. A.5
T_STO-A/B_ON | STO-A/B – Switching time from Low to High | → Section A.1.3, Tab. A.5
T_C1/C2_ON | C1/2 – Switching time closing | → Section A.1.3, Tab. A.7
T_C1/C2_OFF | C1/2 – Switching time opening | → Section A.1.3, Tab. A.7
T_DRIVE_V | Deceleration of the CMMP-AS-...-M0 | 0 … 10 ms
Tab. 2.3 Time specifications to Fig. 2.3

2.4.2 Time behaviour for activating STO during operation with restart

Fig. 2.4 displays the time behaviour starting from interruption of the control voltage to STO-A/B ,as well as the sequence required to allow the device to restart. The time specifications can be found in Tab. 2.4. Notes: – The holding brake is activated via the motor controller, not a safety function. – The coasting of the motor, irrespective of brake activation/deactivation, is displayed. – The setpoint value is only activated when the holding brake delay T_BRAKE_V has expired.
[X40]
STO-A / STO-B
1
0
~ C1/C2 (STO status)
on
off
STO - “Safe torque off” active
T_STO-A/B_OFF
T_STO-A/B_ON
CMMP-AS-…-M0
Controller enable DIN5
1
0
T_DIN5_LOW
T_DIN5_SU
Speed
Holding brake (optional)
“Output stage enable” (internal)
24 V
0 V
T_DRIVE_V
1
0
T_BRAKE_V_OFFT_DRIVE_VT_BRAKE_V_ON
Fig. 2.4 Time behaviour when activating the safety function STO with restart
Time | Description | Value
T_STO-A/B_OFF | STO-A/B – Switching time from High to Low | → Section A.1.3, Tab. A.5
T_STO-A/B_ON | STO-A/B – Switching time from Low to High | → Section A.1.3, Tab. A.5
T_DIN5_LOW | Time for which the DIN5 must be Low before STO-A/B is switched on again | 0 ms
T_DIN5_SU | Time for which the DIN5 must be Low after switching on STO-A/B again and status change of the integrated protection circuit | 20 ms
T_DRIVE_V | Deceleration of the CMMP-AS-...-M0 | 0 … 10 ms
T_BRAKE_V_ON | Switch off delay of the holding brake | Dependent on the brake 1)
T_BRAKE_V_OFF | Switch on delay of the holding brake | Dependent on the brake 2)
1) Physical delay until the brake closes.
2) Minimum time: Physical time delay until the brake opens. This time can be parameterised in the controller via a larger value.
Tab. 2.4 Time specifications to Fig. 2.4
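The restart limits of Tab. 2.4 can be checked against a recorded signal trace during validation. The following is an added example, not part of the Festo documentation: it treats STO-A and STO-B as one signal switched together, uses the maximum switching times from Tab. A.5 and Tab. A.7 as upper bounds, and interprets the "status change of the integrated protection circuit" as the opening of C1/C2. The trace format, all names and the sample edges are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Limits quoted from the manual, in ms.
T_STO_OFF_MAX = 20.0  # Tab. A.5: switching time High -> Low, maximum
T_STO_ON_MAX = 7.0    # Tab. A.5: switching time Low -> High, maximum
T_C1C2_EXTRA = 5.0    # Tab. A.7: C1/C2 switches within STO-A/B time + 5 ms
T_DIN5_SU = 20.0      # Tab. 2.4: DIN5 Low time after STO-A/B is on again


@dataclass(frozen=True)
class Edge:
    t_ms: float
    signal: str  # "STO", "DIN5" or "C1C2" (names chosen for this example)
    level: int   # 1 = High / contact closed, 0 = Low / contact open


def first_edge(edges: List[Edge], signal: str, level: int,
               not_before: float) -> Optional[float]:
    """Time of the first edge of `signal` to `level` at or after `not_before`."""
    for e in edges:
        if e.signal == signal and e.level == level and e.t_ms >= not_before:
            return e.t_ms
    return None


def level_at(edges: List[Edge], signal: str, t_ms: float,
             initial: Dict[str, int]) -> int:
    """Level of `signal` at `t_ms`, edges at exactly `t_ms` included."""
    level = initial[signal]
    for e in edges:
        if e.signal == signal and e.t_ms <= t_ms:
            level = e.level
    return level


def check_restart(edges: List[Edge],
                  initial: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means no violation."""
    edges = sorted(edges, key=lambda e: e.t_ms)
    findings: List[Tuple[str, str]] = []

    t_req = first_edge(edges, "STO", 0, float("-inf"))
    if t_req is None:
        return [("NO_STO_REQUEST", "no High->Low edge on STO-A/B in the trace")]

    close_limit = T_STO_OFF_MAX + T_C1C2_EXTRA
    t_closed = first_edge(edges, "C1C2", 1, t_req)
    if t_closed is None or t_closed - t_req > close_limit:
        findings.append(("C1C2_CLOSE_LATE",
                         f"C1/C2 not closed within {close_limit:g} ms of the request"))

    t_on = first_edge(edges, "STO", 1, t_req)
    if t_on is None:
        return findings  # drive is still in STO, there is no restart to check

    # T_DIN5_LOW = 0 ms: DIN5 must be Low no later than the STO-A/B rising edge.
    if level_at(edges, "DIN5", t_on, initial) != 0:
        findings.append(("DIN5_HIGH_AT_RESTART",
                         "DIN5 is High when STO-A/B is switched on again"))

    open_limit = T_STO_ON_MAX + T_C1C2_EXTRA
    t_open = first_edge(edges, "C1C2", 0, t_on)
    if t_open is None or t_open - t_on > open_limit:
        findings.append(("C1C2_OPEN_LATE",
                         f"C1/C2 not open within {open_limit:g} ms of STO-A/B High"))
        t_ref = t_on + open_limit  # fall back to the latest permitted change
    else:
        t_ref = t_open

    t_enable = first_edge(edges, "DIN5", 1, t_on)
    if t_enable is not None and t_enable - t_ref < T_DIN5_SU:
        findings.append(("DIN5_SETUP_TOO_SHORT",
                         f"DIN5 set {t_enable - t_ref:g} ms after status change, "
                         f"{T_DIN5_SU:g} ms required"))
    return findings


# Constructed sample traces (not measurements from a real drive).
INITIAL_LEVELS = {"STO": 1, "DIN5": 1, "C1C2": 0}
GOOD_TRACE = [Edge(0, "STO", 0), Edge(12, "C1C2", 1), Edge(15, "DIN5", 0),
              Edge(500, "STO", 1), Edge(508, "C1C2", 0), Edge(540, "DIN5", 1)]
LATE_TRACE = [Edge(0, "STO", 0), Edge(31, "C1C2", 1), Edge(40, "DIN5", 0),
              Edge(500, "STO", 1), Edge(506, "C1C2", 0), Edge(515, "DIN5", 1)]
ENABLE_HELD_TRACE = [Edge(0, "STO", 0), Edge(10, "C1C2", 1),
                     Edge(500, "STO", 1), Edge(505, "C1C2", 0)]

if __name__ == "__main__":
    for name, trace in [("good", GOOD_TRACE), ("late", LATE_TRACE),
                        ("enable held", ENABLE_HELD_TRACE)]:
        print(name, check_restart(trace, INITIAL_LEVELS))
```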

2.4.3 Time behaviour for activating SS1 during operation with restart

The time behaviour in Fig. 2.5 is based on the typical circuit for SS1 in Section 3.3.2, starting from control signal S1 for K1. The time specifications can be found in Tab. 2.5.
[Fig. 2.5, timing diagram. Safety switching device signals: S1; K1 (DIN5); K1_V (STO-A/STO-B), each closed/open. CMMP-AS-…-M0 signals: C1/C2 (STO status) at [X40]; controller enable DIN5; speed; holding brake (optional); “Output stage enable” (internal). Intervals: T_K1, T_K1_V, T_STO-A/B_OFF, T_STO-A/B_ON, T_DIN5_SU, T_DRIVE_V, T_BRAKE_V_ON, T_BRAKE_V_OFF. Marked phase: STO – “Safe torque off”.]
Fig. 2.5 Time behaviour when activating the safety function SS1 (external switching) with restart
Time | Description | Value
T_K1 | Delay between the switching of S1 and the closing of the undelayed contact K1 | → Data sheet for the safety switching device
T_K1_V | Delay between S1 and the opening of the off-delay contact K1 | Can be set on the safety switching device
T_STO-A/B_OFF | STO-A/B – Switching time from High to Low | → Section A.1.3, Tab. A.5
T_STO-A/B_ON | STO-A/B – Switching time from Low to High | → Section A.1.3, Tab. A.5
T_DRIVE_V | Deceleration of the CMMP-AS-...-M0 | 0 … 10 ms
T_DIN5_SU | Time for which the DIN5 must be Low after switching on STO-A/B again and status change of the integrated protection circuit | 20 ms
T_BRAKE_V_ON | Switch off delay of the holding brake | Dependent on the brake 1)
T_BRAKE_V_OFF | Switch on delay of the holding brake | Dependent on the brake 2)
1) Physical delay until the brake closes.
2) Minimum time: Physical time delay until the brake opens. This time can be parameterised in the controller via a larger value.
Tab. 2.5 Time specifications to Fig. 2.5

3 Mounting and installation


3.1 Mounting / dismantling

The protection circuit is integrated in the CMMP-AS-…-M0 motor controller and cannot be dismantled.
Information regarding installation of the CMMP-AS-...-M0 can be found in the hardware documentation, GDCP-CMMP-M0-HW-... → Tab. 2.

3.2 Electrical installation

3.2.1 Safety regulations

The requirements of EN 60204-1 must be fulfilled during installation.
Warning
Danger of electric shock from voltage sources without protective measures.
• Use only PELV (protective extra-low voltage) circuits to EN 60204-1 for the electric logic supply. Also take into account the general requirements for PELV circuits in accordance with EN 60204-1.
• Only use power sources which guarantee reliable electrical isolation of the operating voltage in accordance with EN 60204-1.
Through the use of PELV circuits, protection from electric shock (protection from direct and indirect contact) in accordance with EN 60204-1 is ensured (Electrical equipment of machines. General requirements). A 24 V power supply unit used in the system must satisfy the requirements of EN 60204-1 for DC power supply (behaviour during power interruptions, etc.).
The cable is connected via a plug, making it easier to replace the motor controller.
Make sure that no jumpers or the like can be inserted parallel to the safety wiring, e. g. through the use of the maximum wire cross section of 1.5 mm² or suitable wire end sleeves with insulating collars. Use twin wire end sleeves for looping through lines between neighbouring devices.
ESD protection
At non-allocated plug connectors, there is the danger that damage may occur to the device or to other system parts as a result of ESD (electrostatic discharge). Earth the system parts before installation and use appropriate ESD equipment (e. g. shoes, earthing straps etc.).

3.2.2 Connection [X40]

The CMMP-AS-...-M0 motor controller has a combined interface for the integrated safety function for control and acknowledgment via the plug connector [X40].
– Design on the device: PHOENIX MINICOMBICON MC 1.5/8-GF-3.81 BK
– Plug (included in scope of delivery): PHOENIX MINICOMBICON MC 1.5/8-STF-3.81 BK, connection corresponds to section A.1.3, Tab. A.10
Pin | Designation | Value | Description
8 | 0V | 0 V | Reference potential for auxiliary power supply.
7 | 24 V DC | +24 V | Auxiliary power supply (DC 24 V logic supply of the motor controller carried out).
6 | C2 | | Feedback contact for the status “STO” on an external controller.
5 | C1 | | Feedback contact for the status “STO” on an external controller.
4 | 0V-B | 0 V | Reference potential for STO-B.
3 | STO-B | 0 V / 24 V | Control port B for the function STO.
2 | 0V-A | 0 V | Reference potential for STO-A.
1 | STO-A | 0 V / 24 V | Control port A for the function STO.
Tab. 3.1 Pin allocation [X40] (representation of the plug connector on the device)
To ensure the STO “Safe Torque Off” functions correctly, the control ports STO-A and STO-B are to be connected in two channels with parallel wiring → Section 3.3.1, Fig. 3.1. This interface can be part of an emergency stop circuit or a protective door arrangement, for example.

3.2.3 Minimum wiring for commissioning [X40]

For initial start-up of the motor controller without safety equipment, the CMMP-AS-…-M0 motor controller can be equipped with an emergency stop switch (2) with minimum wiring as per Fig. 3.1.
Note
Never bypass safety functions.
Carry out the minimum wiring of the inputs STO-A/STO-B and 0V-A/0V-B for the initial start-up so that it will be forcibly removed when the final protection wiring is executed.

3.3 Typical circuits

3.3.1 Safe torque switch off (STO, “Safe Torque Off”)

[Fig. 3.1, circuit diagram. Labels: supply L 230 V AC, N 230 V AC, PE, DC 24 V, DC 0 V; switch S1; [X40] with STO-A, 0V-A, STO-B, 0V-B, C1, C2; PLC input “Safety acknowledgment”; PLC outputs “Controller enable” (DIN 5) and “Output stage enable” (DIN 4) at [X1]; supply connector [X9] (L1, N, PE, +24V, GND24V); alternatives for S1: light curtain (sender/receiver, OSSD1/OSSD2) or safety coupling switch device. Diagram notes: “Only the relevant connections are drawn!”, “Without cross-circuit detection!”]
1 Motor controller with safety function (only relevant connections shown)
2 Emergency stop switches
3 Protective door
4 Light curtain
5 Safety relay
Fig. 3.1 Connection of the integrated safety function, example of a single-phase CMMP-AS-...-3A-M0 motor controller
The safety function “Safe torque off” (STO) can be requested via various devices. Switch S1 can be, for example, an emergency stop switch, a light curtain or a safety switching device. The safety request is made in 2 channels via switch S1 and leads to the 2-channel switch-off of the output stage. Once the output stage has been switched off, this is signalled via the floating contact C1/C2.
Notes with regard to a typical circuit:
– The motor controller with integrated safety function does not feature any cross-circuit detection. In the case of direct light curtain wiring, the light curtain detects cross-circuits if designed to do so.
– When using safety switch devices, the contacts C1, C2 can be integrated in the feedback circuit of the safety switch device.
– The typical circuit exhibits a 2-channel structure, which is suitable for categories 3 and 4 with additional measures.
– Which additional measures are required depends on the range of applications and the safety concept of the machine.

3.3.2 Delays and safe torque switch off (SS1, “Safe Stop 1”)

The safety function “Safe Stop 1” (SS1, type C) can be requested via various devices → Fig. 3.2. The switch S1 in Fig. 3.2 can be, for example, an emergency stop switch, a safety door switch or a light curtain. The safety request is made in 2 channels via switch S1 to the safety switch device. The safety switch device switches off the controller enable. If the controller enable of the motor controller is switched off, the movement is automatically decelerated and, if the brake is configured, brake activation is awaited before the control circuit is switched off. After a time set in the safety switch device, the 2-channel output stage is switched off via STO-A/B. Once the output stage has been switched off, this is signalled via the floating contact C1/C2.
[Fig. 3.2, circuit diagram. Labels: supply L 230 V AC, N 230 V AC, PE, DC 24 V, DC 0 V; switch S1, alternatively light curtain (sender/receiver, OSSD1/OSSD2); safety coupling switch device with input circuit and feedback circuit; [X40] with STO-A, 0V-A, STO-B, 0V-B, C1, C2; PLC input “Safety feedback”; PLC outputs “Controller enable” (DIN 5) and “output stages enable” (DIN 4) at [X1]; supply connector [X9] (L1, N, PE, +24V, GND24V). Diagram note: “Only the relevant connections are drawn!”]
1 Motor controller with safety function (only relevant connections shown)
2 Safety relay
3 Light curtain
4 Protective door
5 Emergency stop switches
Fig. 3.2 Sample circuit “Delay and safe torque off” (SS1, “Safe Stop 1”), example of a single-phase CMMP-AS-...-3A-M0 motor controller
Notes with regard to a typical circuit:
– The safety switching device used must switch off the controller enable (X1-9, DIN5) without a delay and the inputs STO-A and STO-B (X40-1, -3) with a delay.
– The required delay is application-dependent and must be defined specific to the application concerned. The delay must be designed so that the drive is decelerated to zero, even at maximum speed, via the quick stop ramp in the CMMP-AS-...-M0, before STO-A/B are switched off.
– The electrical installation is executed in accordance with the requirements of EN 60204-1. For example, the safety switching device and the motor controller are located in the same control cabinet, so that faults can be excluded for a cross-circuit or earth fault between the cables (acceptance test on the control cabinet for faultless wiring).
– The typical circuit exhibits a 2-channel structure, which is suitable for categories 3 and 4 with additional measures.
– Which additional measures are required depends on the range of applications and the safety concept of the machine.
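A worked sizing of the STO delay required by the notes above, as an added example that is not part of the Festo documentation. It assumes the quick stop ramp starts T_K1 plus at most T_DRIVE_V after S1 switches and that a configured holding brake must have closed before STO-A/B go Low; the application figures (speed, ramp, brake time, timer tolerance) and all names are constructed for illustration.

```python
from dataclasses import dataclass
from math import ceil

# Limits quoted from the manual, in ms.
T_DRIVE_V_MAX_MS = 10.0  # Tab. 2.5: T_DRIVE_V, 0 ... 10 ms
T_STO_OFF_MAX_MS = 20.0  # Tab. A.5: STO-A/B High -> Low, maximum


@dataclass(frozen=True)
class Ss1Setup:
    v_max: float             # highest speed reached in the application [rev/s]
    quick_stop_decel: float  # quick stop ramp set in the controller [rev/s^2]
    brake_close_ms: float    # closing delay of the holding brake, 0 if none
    t_k1_ms: float           # T_K1 from the safety switching device data sheet
    delay_set_ms: float      # T_K1_V as set on the safety switching device
    timer_tol_pct: float     # timer tolerance of that device, +/- percent


@dataclass(frozen=True)
class Ss1Budget:
    required_ms: float             # time from S1 until the drive is stopped
    shortest_delay_ms: float       # T_K1_V with the timer at its low tolerance
    margin_ms: float               # shortest delay minus required time
    latest_torque_off_ms: float    # worst-case time from S1 to torque off
    smallest_safe_setting_ms: int  # lowest T_K1_V setting that still fits
    ok: bool


def ss1_budget(s: Ss1Setup) -> Ss1Budget:
    """Check that STO-A/B cannot switch off before the quick stop has finished."""
    if s.quick_stop_decel <= 0:
        raise ValueError("quick stop deceleration must be positive")
    if not 0 <= s.timer_tol_pct < 100:
        raise ValueError("timer tolerance must be in [0, 100) percent")

    # Time to decelerate from maximum speed to zero on the quick stop ramp.
    ramp_ms = 1000.0 * s.v_max / s.quick_stop_decel
    # Assumption of this example: undelayed contact, controller reaction,
    # ramp and brake closing happen one after the other.
    required = s.t_k1_ms + T_DRIVE_V_MAX_MS + ramp_ms + s.brake_close_ms

    # The timer may run short (drive not yet stopped) or long (later torque off).
    shortest = s.delay_set_ms * (100.0 - s.timer_tol_pct) / 100.0
    longest = s.delay_set_ms * (100.0 + s.timer_tol_pct) / 100.0
    smallest_setting = ceil(required * 100.0 / (100.0 - s.timer_tol_pct))

    return Ss1Budget(
        required_ms=required,
        shortest_delay_ms=shortest,
        margin_ms=shortest - required,
        latest_torque_off_ms=longest + T_STO_OFF_MAX_MS,
        smallest_safe_setting_ms=smallest_setting,
        ok=shortest >= required,
    )


# Constructed application data, not values from the manual.
EXAMPLE_OK = Ss1Setup(v_max=50.0, quick_stop_decel=250.0, brake_close_ms=40.0,
                      t_k1_ms=15.0, delay_set_ms=300.0, timer_tol_pct=10.0)
EXAMPLE_TOO_SHORT = Ss1Setup(v_max=50.0, quick_stop_decel=250.0,
                             brake_close_ms=40.0, t_k1_ms=15.0,
                             delay_set_ms=280.0, timer_tol_pct=10.0)

if __name__ == "__main__":
    for setup in (EXAMPLE_OK, EXAMPLE_TOO_SHORT):
        print(ss1_budget(setup))
```

The result only bounds the timing; the chosen delay still has to be confirmed on the machine as part of the validation in Section 4.3.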

4 Commissioning

Note
The term “commissioning” does not mean the first time the machine is used as intended by the end customer. It refers to commissioning by the manufacturer during setup of the machine.
Note
Loss of the safety function!
Lack of the safety function can result in serious, irreversible injuries, e.g. due to uncontrolled movements of the connected actuators.
• Only operate the safety function when all of the safety measures have been implemented.
• The safety function must be tested and a corresponding validation procedure must be carried out prior to intended use → Section 4.3.
Incorrect wiring or the use of incorrect external components, which have not been selected in accordance with the safety category, can result in a loss of the safety function.
• Carry out a risk evaluation for your application and select the circuitry and components accordingly.
• Note the examples → Section 3.3.

4.1 Prior to commissioning

Carry out the following steps in preparation for commissioning:
1. Make sure the motor controller is correctly mounted (→ Section 3.1).
2. Check the electrical installation (connecting cable, pin allocation → Section 3.2). Are all protective earth conductors connected?

4.2 Support by FCT

No parametrisation is required for the safety function integrated in the motor controller.

4.2.1 Status display of the safety function

The status of the safety function is displayed in the FCT, → Tab. 4.1.
Properties | Display | Status
Status: Status display | Green | Normal mode (no STO requested)
 | Yellow | STO requested and achieved
 | Red | Safety circuit error
Input X40.STOA: Display of the input status | Grey | Safety function requested, STO-A = Low
 | Green | No safety function requested, STO-A = High
Input X40.STOB: Display of the input status | Grey | Safety function requested, STO-B = Low
 | Green | No safety function requested, STO-B = High
Output X40.C1/C2: Display of the relay contact | Orange | Safety function active, relay contact closed
 | Grey | Safety function inactive, relay contact open
Tab. 4.1 Status of the safety function

4.2.2 Display log file of the motor controller

Error and status messages are logged in the permanent diagnostic memory of the CMMP-AS-...-M0 in a non-volatile manner. You can read these messages under the online “Diagnostics” tab → Fig. 4.1.
Fig. 4.1 FCT-plug-in CMMP-AS: “Diagnostics” tab

4.3 Performance test, validation

Note
The STO function must be validated after the installation and after any modification to the installation. This validation must be documented by the person performing commissioning. To assist you with the commissioning, questions for risk minimisation are summarised below in the form of sample checklists.
The checklists below are no substitute for safety training. No guarantee can be provided for the completeness of the checklist.
No. | Questions | Applicable | Completed
1. | Were all operating conditions and interventions taken into account? | Yes ☐ No ☐ | ☐
2. | Has the “3-step method” for risk minimisation been applied, i. e. 1. Inherently safe design, 2. Technical and possibly additional safety measures, 3. User information about the residual risk? | Yes ☐ No ☐ | ☐
3. | Were the hazards eliminated or the hazard risk reduced as far as practically possible? | Yes ☐ No ☐ | ☐
4. | Can it be guaranteed that the implemented measures will not pose new hazards? | Yes ☐ No ☐ | ☐
5. | Have the users been adequately informed and warned about the residual risks? | Yes ☐ No ☐ | ☐
6. | Can it be guaranteed that the operators' working conditions have not deteriorated due to the safety measures taken? | Yes ☐ No ☐ | ☐
7. | Are the safety measures taken mutually compatible? | Yes ☐ No ☐ | ☐
8. | Was adequate consideration given to the potential consequences of using a machine designed for commercial/industrial purposes in a non-commercial/industrial area? | Yes ☐ No ☐ | ☐
9. | Can it be guaranteed that the implemented measures will not severely impair the machine's ability to perform its function? | Yes ☐ No ☐ | ☐
Tab. 4.2 Questions for validation in accordance with EN ISO 12100-1:2010 (example)
No. | Questions | Applicable | Completed
1. | Has a risk assessment been conducted? | Yes ☐ No ☐ | ☐
2. | Have an error list and a validation plan been drawn up? | Yes ☐ No ☐ | ☐
3. | Was the validation plan, including analysis and inspection, processed and a validation report compiled? The validation procedure must include the following inspections as a minimum: | Yes ☐ No ☐ | ☐
 | a) Inspection of components: Is a CMMP-AS-…-M0 used (inspection using the rating plates) | Yes ☐ No ☐ | ☐
 | b) Is the wiring correct (check against the wiring diagram)? | Yes ☐ No ☐ | ☐
 | Have any short-circuit bypasses been removed? | Yes ☐ No ☐ | ☐
 | Has a safety switch device been wired to X40? | Yes ☐ No ☐ | ☐
 | Is the safety switch device certified and wired in accordance with the application's requirements? | Yes ☐ No ☐ | ☐
 | c) Functional inspections: | Yes ☐ No ☐ | ☐
 | Pressing the emergency stop button on the unit. Is the drive shut down? | Yes ☐ No ☐ | ☐
 | If only STO-A is activated - is the drive shut down immediately and the “discrepancy time violation” error (Display 52-1) reported in the CMMP-AS-...-M0 after the discrepancy time has lapsed? | Yes ☐ No ☐ | ☐
 | If only STO-B is activated - is the drive shut down immediately and the “discrepancy time violation” error (Display 52-1) reported in the CMMP-AS-...-M0 after the discrepancy time has lapsed? | Yes ☐ No ☐ | ☐
 | Is a short circuit detected between STO-A and STO-B or has a suitable fault exclusion been defined? | Yes ☐ No ☐ | ☐
 | Only when using a safety switching device with evaluation of the acknowledgment contact C1/C2: Is the drive shut down in the event of a short-circuit from C1 to C2? | Yes ☐ No ☐ | ☐
 | Is a restart inhibited? I. e. no movement occurs when the emergency stop button is pressed and the enable signals are active unless a start command is acknowledged beforehand. | Yes ☐ No ☐ | ☐
Tab. 4.3 Questions for validation in accordance with EN ISO 13849-1 and -2 (example)

5 Operation


5.1 Obligations of the operator

The operational capability of the safety device is to be checked at adequate intervals. It is the responsibility of the operator to choose the type of check and time intervals in the specified time period. The check is to be conducted so the flawless functioning of the safety device in interaction with all the components can be verified.

5.2 Maintenance and care

The CMMP-AS-...-M0 motor controller with integrated safety function is maintenance-free.

5.3 Protective functions

5.3.1 Voltage monitoring

The input voltages at STO-A and STO-B are monitored. If the input voltage at STO-A or STO-B is too high or too low, the driver supply for the power semiconductors of the motor controller is safely switched off. The power output stage (PWM) is thus switched off.

5.3.2 Protection against overvoltage and reverse polarity

The control inputs STO-A and STO-B are protected against overvoltage and reverse polarity of the control voltage → Section A.1.3, Tab. A.5. The DC 24 V supply voltage of the motor controller led out at [X40] is short-circuit proof.

5.4 Diagnostics and troubleshooting

5.4.1 Status indicators

Display on the motor controller
Display Description
“H”: The motor controller is in the “safe status”. This does not have the same meaning as the information on the status of the safety function STO (Safe Torque Off). For the “unsafe status”, no special display is intended; the standard status displays of the motor controller are depicted.
Tab. 5.1 Seven-segment display on the motor controller

5.4.2 Error messages

When an error occurs, the motor controller shows an error message cyclically in the seven-segment display on the front of the motor controller. The error message consists of an “E” (for Error), a main index (xx) and a sub-index (y), e.g.: E 5 1 0. Warnings have the same number as an error message. The difference is that a warning is displayed with a prefixed and suffixed hyphen, e. g. - 1 7 0 -. Tab. 5.2 lists the error messages that are relevant for the functional safety in combination with the STO safety function.
The complete list of error messages can be found in the hardware documentation GDCP-CMMP-M0-HW-... of the motor controller.
Where an error message cannot be acknowledged, the cause must first be remedied in accordance with the recommended measures. Then reset the motor controller, and check whether the cause of the error, and the error message, have been eliminated.
Error message | Meaning | Actions
51-0 1) | Reserved |
51-1 1) | Safety function: Driver function defective – Internal voltage error of the STO circuit | • Protection circuit defective. No action possible, please contact Festo. If possible, replace with another motor controller.
51-2 1) | Reserved |
51-3 1) | Reserved |
52-1 | Safety function: Discrepancy time has elapsed | • Control ports STO-A and STO-B are not actuated simultaneously. • Control ports STO-A and STO-B are not wired in the same way. • Check discrepancy time.
52-2 | Safety function: Failure of driver supply with active PWM control | • The safe status was requested with the power output stage enabled. Check inclusion in the safety-oriented interface.
1) The messages of error group 51 cannot be acknowledged.
Tab. 5.2 Error messages relating to the safety function

6 Modification and replacement of the motor controller


6.1 Repair or replacement of the integrated protection circuit

Repair of the integrated protection circuit is not permissible. If required, exchange the complete motor controller.

6.2 De-commissioning and waste management

Observe the local regulations for environmentally appropriate disposal of electronic modules.

6.3 Replacing the previous CMMP-AS series with the CMMP-AS-…-M0

CMMP-AS
The devices of the previous CMMP-AS series have an integrated STO “Safe torque off” in accordance with EN ISO 13849-1, Cat. 3 / PLd. The two-channel arrangement required by the STO function is achieved via two separate switch-off paths:
– 1st switch-off path: Output stage enable via [X1.21], disconnection of the power output stage (blocking of PWM signals). The power semiconductor drivers are no longer activated by pulse patterns.
– 2nd switch-off path: Interruption of the power supply to the six output stage power semiconductors (IGBTs) via [X3] by means of a relay. The driver supply for the power semiconductors (IGBT optocouplers) is disconnected by means of a relay. This prevents the pulse pattern (PWM signals) reaching the power semiconductors.
The CMMP-AS also has a floating feedback contact ([X3] pins 5 and 6) which, as a diagnostics output, indicates the presence of the driver supply.
CMMP-AS-…-M0
The equipment in the CMMP-AS-...-M0 series features an STO “Safe torque off” function in accordance with EN 61800-5-2 SIL3 and EN ISO 13849-1, cat. 4 / PL e. The two switch-off paths are realised via control ports STO-A [X40.1] and STO-B [X40.3]. The potential-free acknowledgement contact ([X40] pins 5 and 6) is also present.
Modifications to the connection wiring
Converting an existing application with STO from CMMP-AS to CMMP-AS-...-M0 requires the following modifications to be made to the connection wiring:
• 1st switch-off path: Maintain wiring of output stage enable [X1.21] and run parallel to STO-A [X40.1]. In order to connect the reference potential, connect GNDA [X40.2] with 0 V [X40.8].
• 2nd switch-off path: Now run the driver supply wiring [X3.RELAY] to STO-B [X40.3]. In order to connect the reference potential, connect GNDB [X40.4] with 0 V [X40.8].
• Acknowledgment contact: Rewire the connection for the acknowledgment contact from [X3.5] and [X3.6] to [X40.5] and [X40.6].
Note
During operation, the acknowledgment contacts on the CMMP-AS and the CMMP-AS-...-M0 exhibit compatible behaviour. When the logic supply (24 V) is switched off, they behave differently:
– CMMP-AS: Contact closed.
– CMMP-AS-…-M0: Contact open.
Information for configuration
The CMMP-AS-...-M0 exhibits a higher peak power than the CMMP-AS. Higher positioning speeds can therefore be reached depending on the application. Use of this feature represents an essential modification to the machine.
Note
The parameter record of the CMMP-AS must be transferred with the same values to the parameter record of the CMMP-AS-...-M0. If these values are increased, which in turn poses a new or enhanced risk, a new risk assessment must be performed on the machine.
Note
Once the motor controller has been replaced, the safety function must be validated in accordance with the machine manufacturer's specifications.

A Technical appendix


A.1 Technical data

A.1.1 Safety engineering

Safety data
Safety function | STO | – Safe restart interlock (STO, Safe Torque Off) as per EN 61800-5-2 with SIL3
 | | – Safe restart interlock (STO, Safe Torque Off) as per EN ISO 13849-1 with category 4 and PL e
SIL | SIL 3 | Safety integrity level as per EN 61800-5-2 / IEC 61508
 | SIL CL 3 | SIL claim limit, for a subsystem as per EN 62061
Category | 4 | Grading in categories as per EN ISO 13849-1
PM | PL e | Performance level as per EN ISO 13849-1
DCavg [%] | 97 | Average diagnostic coverage
HFT | 1 | Hardware failure tolerance
SFF [%] | 99.2 | Safe failure fraction
PFH | 1.27 x 10^–10 | Probability of dangerous failure per hour
PFD | 2.54 x 10^–5 | Probability of dangerous failure on demand
T [Years] | 20 | Proof test interval; operating life per EN ISO 13849-1
MTTFd [Years] | 1370 | Mean time to dangerous failure.
Tab. A.1 Technical data: Safety data
Safety information
Product type testing | The functional safety engineering of the product has been certified by an independent testing body in accordance with Section 1.1.4, see certificate → www.festo.com
Certificate issuing authority | TÜV 01/205/5262.01/14
Proven component | yes, for the STO safety function
Tab. A.2 Technical data: Safety information

A.1.2 General, operating and environmental conditions CMMP-AS-...-M0

The technical data for the CMMP-AS-...-M0 can be found in its entirety in the hardware documentation GDCP-CMMP-M0-HW-...
General technical data
Approvals | CE marking (see declaration of conformity)
 | In accordance with EC Machinery Directive
 | In accordance with EU Low Voltage Directive
 | In accordance with EU EMC directive
 | The device is intended for use in an industrial environment. Measures for interference suppression may need to be implemented in residential areas.
Tab. A.3 Technical data, general
Operating and environmental conditions
Permissible setup altitude above sea level, with rated output | [m] | 1000
Permissible setup altitude above sea level, with power reduction | [m] | 1000 … 2000
Air humidity | [%] | 0 … 90 (non-condensing)
Protection class | | IP20
Degree of contamination in accordance with EN 61800-5-1 | | 2. The integrated safety equipment requires compliance with degree of contamination 2 and thus a protected fitting space (IP54). This must always be ensured through appropriate measures, e. g. through installation in a control cabinet.
Operating temperature | [°C] | 0 … +40
Operating temperature with power reduction of 2.5 % per Kelvin | [°C] | +40 … +50
Storage temperature | [°C] | -25 … +70
Vibration and shock resistance, operation | | in accordance with EN 61800-5-1, section 5.2.6.4
Vibration and shock resistance, transport | | in accordance with EN 61800-2, section 4.3.3
Tab. A.4 Technical data: Operating and environmental conditions

A.1.3 Electrical data [X40]

Control ports STO-A, 0V-A / STO-B, 0V-B
Nominal voltage | [V] | 24 (related to 0V-A/B)
Voltage range | [V] | 19.2 … 28.8
Permissible residual ripple | [%] | 2 (related to nominal voltage 24 V)
Overvoltage discharge | [V] | 31 (disconnect in case of error)
Nominal current | [mA] | 20 (typical; maximum 30)
Starting current | [mA] | 450 (typical, duration approx. 2 ms; max. 600 at 28.8 V)
Input voltage threshold, switching on | [V] | Approx. 18
Input voltage threshold, switching off | [V] | Approx. 12.5
Switching time from High to Low (STO-A/B_OFF) | [ms] | 10 (typical; maximum 20 at 28.8 V)
Switching time from Low to High (STO-A/B_ON) | [ms] | 5 (typical; maximum 7)
Maximum positive test impulse length at logic 0 | [μs] | 300 (related to 24 V nominal voltage and intervals 2 s between impulses)
Tab. A.5 Technical data: Electrical data for the inputs STO-A and STO-B
Switch-off time to power output stage inactive and maximum tolerance time for test pulse
Input voltage (STO-A/B) [V] | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28
Typical switch-off time (STO-A/B_OFF) [ms] | 4.0 | 4.5 | 5.0 | 6.0 | 6.5 | 7.0 | 7.5 | 8.0 | 8.5 | 9.5
Maximum tolerance time for test pulse at 24 V signal [ms] | 2.0 | 2.0 | 2.0 | 2.5 | 3.0 | 3.5 | 4.5 | 5.0 | 5.5 | 6.0
Tab. A.6 Typical switch-off time and minimum tolerance time for test pulse (OSSD signals)
Acknowledgment contact C1, C2
Design | | Relay contact, normally open
Max. voltage | [V DC] | 30 (overvoltage-proof up to DC 60 V)
Nominal current | [mA] | 200 (not short-circuit proof)
Voltage drop | [V] | 1
Residual current (contact open) | [μA] | 10
Switching time closing (T_C1/C2_ON) | [ms] | (STO-A/B_OFF 1) + 5 ms)
Switching time opening (T_C1/C2_OFF) | [ms] | (STO-A/B_ON 1) + 5 ms)
1) STO-A/B_OFF, STO-A/B_ON → Tab. A.5
Tab. A.7 Technical data: Electrical data of the acknowledgment contact C1/C2
Auxiliary supply 24 V, 0 V – output
Design | | Logic supply voltage routed out of the motor controller (fed in at [X9], not additionally filtered or stabilised). Reverse polarity protected, overvoltage-proof up to DC 60 V.
Nominal voltage | [V] | 24
Nominal current | [mA] | 100 (short circuit proof, max 300 mA)
Voltage drop | [V] | 1 (for nominal current)
Tab. A.8 Technical data: Electrical data of the auxiliary supply output
Galvanic isolation
Galvanically isolated potential area | STO-A / 0V-A
 | STO-B / 0V-B
 | C1 / C2
 | 24 V / 0 V (Logic supply to the motor controller)
Tab. A.9 Technical data: Galvanic isolation
Cabling
Max. cable length | [m] | 30
Screening | | When wiring outside the control cabinet, use screened cable. Guide screening into the control cabinet / attach to the side of the control cabinet.
Cable cross section (flexible conductors, wire end sleeve with insulating collar), one conductor | [mm²] | 0.25 … 0.5
Cable cross section (flexible conductors, wire end sleeve with insulating collar), two conductors | [mm²] | 2 x 0.25 (with twin wire end sleeves)
Tightening torque M2 | [Nm] | 0.22 … 0.25
Tab. A.10 Technical data: Cabling

B Glossary

Term/abbreviation | Description
Cat. | Safety category in accordance with EN ISO 13849-1, Stages 1-4.
CCF | Common Cause Failure in accordance with EN ISO 13849-1.
DC avg | Average Diagnostic Coverage in accordance with IEC 61508 and EN 61800-5-2.
Emergency off | In accordance with EN 60204-1: Electrical safety in case of emergency by switching off the electrical energy to all or part of the installation. EMERGENCY STOP is to be used where a risk of electric shock or other electrical risk exists.
Emergency stop | In accordance with EN 60204-1: Functional safety in an emergency by bringing a machine or moving parts to a standstill. EMERGENCY STOP is used to stop a process or a motion if this creates a danger.
FCT | Festo Configuration Tool, software for configuration and commissioning.
HFT | Hardware Fault Tolerance in accordance with IEC 61508.
MTTFd | Mean Time To dangerous Failure: Time in years until the first dangerous failure occurs with 100 % probability, in accordance with EN ISO 13849-1.
OSSD | “Output Signal Switching Device”: Output signals with 24 V cycle rates for error detection.
PFD | Probability of Failure on Demand in accordance with IEC 61508.
PFH | Probability of Dangerous Failures per Hour in accordance with IEC 61508.
PL | Performance Level as per EN ISO 13849-1: Stages a … e.
Safety switching device | Device for executing safety functions or restoring the machine to a safe status after the power supply to dangerous machine functions has been switched off. The desired safety function is achieved only in combination with other measures, although switch-off can occur on a motor controller, for example.
SFF | Safe Failure Fraction [%], ratio of the failure rates of safe and dangerous (but recognisable) failures to the sum of all failures in accordance with IEC 61508.
SIL | Safety Integrity Level, discrete stages for defining the requirements for the safety integrity of safety functions in accordance with IEC 61508 and EN 61800-5-2.
SIL CL | SIL claim limit, for a subsystem as per EN 62061.
STO | Safe Torque Off in accordance with EN 61800-5-2.
T | Duration of use in accordance with EN ISO 13849-1.
Tab. B.1 Terms and abbreviations
Reproduction, distribution or sale of this document or communication of its contents to others without express authorization is prohibited. Offenders will be liable for damages. All rights reserved in the event that a patent, utility model or design patent is registered.
Copyright: Festo AG & Co. KG Postfach D-73726 Esslingen Germany
Phone: +49 711 347 0
Fax: +49 711 347 2144
e-mail: service_international@festo.com
Internet: www.festo.com
Original: de