gefran SIEIDrive ADL300 Safety User Manual

ADL300
English
Safety User manual
1S9STOEN
SIEIDrive
1S9STOEN_26-5-17_ADL300_STO_STO Pag. 2/30
Contents
1 Safety instruction and information for use
1.1 Motivations for integrated safety function
1.2 Safe torque off function description
1.3 Safety recommendations
2 Risk analysis and assessment
3 STO safety normative adherence
4 Safety system description
4.1 Device functionality and architecture
4.2 Safety function specifications
4.3 Safety integrity level
4.4 Safety Fault Reaction System
5 Installation and commissioning guidance
5.1 Safety Function Integrated on ADL300 drive family
5.2 Connections and use of the “SAFE TORQUE OFF” function
5.2.1 Control sequence
6 Operation and maintenance requirements
6.1 Operations
6.2 Maintenance
6.3 Operational tests
6.4 Troubleshooting
7 Lift Applications
7.1 Lift Application Design using 2 contactors for car stop
7.2 Lift Application Design supporting car stop with one contactor
7.3 Lift Application Design supporting contactor-less car stop
Doc. release | Issued by | Doc. changes | Doc. date
0.1 | FNT | First release | 20/03/2012
0.2 | FNT | Contactor-less description | 20/06/2012
1.0 | FNT | External consultant corrections and suggestions | 27/06/2012
1.1 | FNT | Added single contactor diagram. | 28/01/2013
1.2 | BRI | Add manual code, “prEN81-..” to “EN81-..”, pag 3 add EN81-50. | 26/05/2017
1 Safety instruction and information for use
1.1 Motivations for integrated safety function
As a result of automation, demand for increased production and reduced operator physical effort, control systems of machinery and plant items play an increasing role in the achievement of overall safety. These control systems increasingly employ complex electrical/electronic/programmable electronic devices and systems. Prominent amongst these devices and systems are adjustable speed electrical power drive systems (PDS) that are suitable for use in safety-related applications (PDS-SR).
Electronic protections are integrated into the drive in order to perform safety functions that minimise or exclude hazards due to functional errors when using machinery.
The integrated safety function replaces external safety components. The STO integrated function can be used as an alternative to motor contactors in order to control unexpected motor re-start, where the risk assessment permits it. According to the previous paragraph, applicability of the integrated safety function depends on the application and the applicable standards.
The whole safety related part of the control system, using the drive integrated safety function, has to work properly in normal and misuse state. It must be trouble-free and reach a safe state.
In order to check for those requirements, the whole safety related control system must be analysed by means of FMECA, fault tree, etc.
1.2 Safe torque off function description
The safety function “Safe Torque Off” (STO) is used to break off power and current output onto the motor in order to prevent unexpected movements and voltages. The ADL300 drive family supports “Safe Torque Off” as an integrated feature.
This function does not disconnect the machine from the electrical power supply. It shall be stressed that safety equipped drive units are just one component in a safety control system, whereas STO is a system level function. Parts and components of the system must be chosen, applied and integrated appropriately to achieve the desired level of operational safety.
ADL300 is a specialized drive family intended for the Lift Market. Given this, the ADL300 STO function will be primarily exploited to attain safety features permitted and described by the C class normative EN81-1, EN81-20, EN81-50. Specifically, the safety integrated function allows getting rid of one or two contactors and implementation of:
- Car safe stop using one contactor design
- Car safe stop using contactor-less design
STO is integrated in the drive unit family ADL300, whereas safety capability could also be implemented externally. When Safety is used, power disconnection between the drive controller and the motor, required to achieve a “safe stand-still”, is obtained without the use of external contactors and/or relays.
The function should not be mistaken for “Mains supply disconnection (isolating) and switch-off”, section 5.3 isolation from power supply system, requested by EN 60204-1.
The mains supply switch-off function may be performed only with the use of appropriate isolating switching devices.
The features of the safety function are:
- Unexpected movements of the motor shall not be possible.
- Power and current to the motor are safely switched off.
- Drive unit is not disconnected from DC-link, so short response time to a re-start command is possible.
1.3 Safety recommendations
Specifications and instructions provided to support functional safety are an essential part of the function itself. Comprehension and knowledge are mandatory requirements for people getting involved in installation and commissioning activities.
Only qualified personnel are allowed to execute any activities during installation and commissioning procedures.
Qualified personnel
For the purposes of this Instruction Manual, a “Qualified person” is someone who is skilled in the installation, mounting, start-up and operation of the equipment and the hazards involved.
Qualified person should be:
- Trained for first aid emergencies.
- Trained in the proper care and use of protective equipment according to established safety procedures.
- Trained and authorized to energize, de-energize, clear, ground and tag circuits and equipment according to established safety procedures.
The Safety Manual complements and integrates the instruction manuals for the ADL300 drive family. It contains additional safety information complying with the Machinery Directive for supporting use of drive safety-related functions. Use of these functions as a part of a machinery control system shall be possible only after this document has been carefully understood.
Warning!
Improper installation and commissioning of safety related parts of the control system can cause an uncontrolled re-starting of the drive unit. This may cause death, serious injuries and significant material damage.
The safety function control system shall only be installed and commissioned by qualified personnel.
Emergency stop function (according to EN60204) must operate and take the PDS into a safe state independently from the operational status of the drive unit. The safety integrated system is not affected by the operational status of the internal/external parts not related to safety.
Resetting the emergency stop safety function must not result in uncontrolled re-start of the motor. The PDS can be re-started only when the STO function is no longer active. In order to comply with EN60204, the drive will re-start only after operator manual confirmation.
In circumstances where external influences (with vertical loads for example) are present, additional measures (mechanical brakes for example) might be necessary to prevent any hazards.
Procedures to check the safety function periodically, according to the result of risk assessment and prescriptions in §6.2, must be set up.
The STO integrated safety function is a single fault safe system (within the drive unit). No single fault or component failure can cause a loss of safety state, inducing drive to produce motor torque. Wiring and connections of the system must be appropriately implemented and tested in order to support the same fault tolerance (1) at system level.
Warning!
In the event of the failure of two output IGBTs in the drive, when Safe Torque Off has been activated, the drive may provide energy for up to 180° of rotation in a 2-pole motor before torque production in the motor ceases.
In case of induction motor, no movement is possible even when several faults occur (in the IGBT power stage). That is, no failure on IGBT drivers, in absence of controlled pulses coming from regulation, can generate current able to establish a rotating field.
It must be checked if this condition can cause a dangerous machine movement.
Warning!
When the safety function is activated (motor unable to produce torque), the DC-link (high voltage DC bus) of the drive is still connected to mains supply. In this case drive control is deactivated and, after motor coasting to standstill or already stopped, high voltages are present on motor and drive terminals.
For authorised personnel to work on live parts, the drive shall be electrically isolated from mains supply (mains switch) and appropriate time shall have elapsed (more than 5 minutes) to allow the high-voltage DC-link to discharge.
This is called “Mains supply disconnection (isolating) and switch-off”, isolation from power supply system, requested by EN 60204-1.
The mains supply switch-off function may be performed only with the use of appropriate isolating switching devices.
2 Risk analysis and assessment
According to Machinery Directive 2006/42 EC, it is mandatory for the manufacturer of the machines to carry out risk analysis in order to identify the hazards related to the machine.
Risk analysis should be developed according to Standard EN 12100 - Safety of Machinery - Risk assessment.
Risk assessment procedure is intended to prevent and identify:
- degree of injury
- frequency/duration of risk exposure
- possibility of turning away
In order to define risk level and to obtain a correct classification concerning Safety category, SIL (Safety integrity level), standards EN61800-5-2, IEC 61508, EN ISO 13849-1 should be used and applied. These standards give information and procedures according to design principles and risk assessment for safety related parts of control systems.
In the case of the STO safety function, the risk assessment must consider the fact that the motor coasts to a standstill at STO activation. A mechanical brake may be requested in some applications. Latching devices preventing access to dangerous parts might also be necessary, automatically enabling the STO function.
EN81-1, intended for safety in lift applications, specifies functions, safety integrity level and configurations to be used to attain given system level functionalities.
Liability: The Manufacturer shall be responsible for the safety of the machinery, in terms of:
- risk analysis of hazards originating from machinery.
- implementation of measures either to minimize or eliminate any risks.
- documentation of residual risk.
- production of whole machinery documentation.
The User/Operator is responsible for safety concerning application and use.
Safety function implementation and selection according to application. STO safety function integration:
- Risk analysis and risk assessment according to EN 12100.
- Risk reduction by machine design.
- Risk reduction by protective equipment.
- Identification of safety requirements.
- SIL, Category selection.
3 STO safety normative adherence
“Safe Torque Off” integrated safety function meets the following standard requirements:
- safety integrity level SIL3 according to EN 61508 and EN61800-5-2
The Safe Torque Off function can be exploited specifically for the Lift Market to support:
- Single contactor operation for Car stop EN81-1 §12.7.3 b)
- Contactor-less operation for Car stop EN81-1 and EN81-20 5.9.2.5.3 d)
In case of activation or fault detection, the safety function STO avoids torque production onto the motor, which eventually could cause mechanical movements.
4 Safety system description
Safe Torque Off safety function is integrated into the drive family ADL300, and is managed by means of two enable signals “ENABLE” and “SAFETY ENABLE”.
4.1 Device functionality and architecture
The systems herein examined are Power Drive Systems (PDS), also called Inverters. A PDS is a power device connected on one side to the mains (three-phase system) and on the other side to the motor power lines. Motor and other devices which are related to the system functionalities (relays, cables The PDS makes the motor move according to the settings the operator has defined. From the electrical point of view, the PDS takes power from mains to the motor lines. The inverter device family called ADL300 is the subject of this document. From the safety and main functionality points of view, all devices of the family can be modeled as the same thing, herein represented in Figure 1.
[Figure 1: Block diagram of PDS ADL300. Blocks shown: Mains, Power supply & monitor, Regulation board, Enable, Safety part (analog switch, buffer, Safety Enable), power isolated area, IGBT power driver (U, V, W high / U, V, W low), power outputs.]
All ADL300 PDS are integrated PD devices featuring different power ratings, dimensions as well as enclosures. Though, from the functional and electrical points of view, all devices are made up of the same fundamental four parts:
1. Regulation board
2. Driver board
3. IGBT power module
4. Safety part
A brief description of the four parts follows:
Regulation board: exists as separate PCB. The main purpose of this board is to generate coordinated PWM pulses going to the IGBT gates. PWM pulses are controlled and generated by the software according to the settings to provide given voltage, current, motor speed, motor acceleration, etc. options. PWM pulses can be cancelled out directly on the regulation board by means of a PWM inhibit signal which acts directly on the hardware PWM generator. Of course the onboard software sees the enable signal when asserted and stops the (software) generation. A power supply stage, providing voltages for all digital circuits and the EXP-SFTY-ADV board, is included on this board.
Safety part: exists as an isolated island integrated onto the regulation PCB. This part takes in the output PWM signals coming from regulation and, according to its ENABLE signal (SAFETY ENABLE), makes pulses pass/not pass on the output connector going to the IGBT driver.
IGBT driver: exists as separate PCB. The IGBT driver is the interface system between signals coming from the Safety part and the power part. This subsystem comprises an opto-isolation island and a conditioning part, connected to mains supply, driving IGBT gates.
IGBT Module: the IGBT is the actual power module comprising heatsink, fans, electrical shield, electric power wires.
From the operator point of view, the system is managed by means of either a remote PC-like interface connected to the PDS or an onboard keypad. Both ways, the operator may set/change parameters that modify the system functions accordingly: speed, torque, position, acceleration, etc. All functions are translated and implemented by means of a different gate command sequence arriving to the IGBT gates.
4.2 Safety function specifications
The safety function “Safe Torque Off” used in the ADL300 family assures that drives safely disable motor movements by taking off torque onto the motor.
The STO function becomes active whenever either ENABLE or SAFETY ENABLE is deactivated (zero voltage applied or open wires and no current flowing). The other way, the STO function is disabled (drive enabled) when both enable signals are asserted (DC 24v applied). The functional logic diagram is shown in Table 1.
ENABLE | SAFETY ENABLE | STO STATUS
Disabled (open/0v) | Disabled (open/0v) | Enabled (torque off)
Enabled (24v) | Disabled (open/0v) | Enabled (torque off) [Safety interlock block]
Disabled (open/0v) | Enabled (24v) | Enabled (torque off)
Enabled (24v) | Enabled (24v) | Disabled (drive operating)
Table 1 Static Functional Table for Safe Torque Off Function.
Though the STO function activates when either of the mentioned signals is deactivated, the STO Safety Integrity Level cannot be guaranteed as long as both signals are not deactivated.
Whenever the STO function is enabled, the PDS will no longer provide torque onto the motor, meaning that the motor will come to a stop safely. The time event sequence that takes the motor to a stop depends on motor inertia, as shown in Figure 1. The STO function only specifies the time at which torque is no longer applied onto the motor (Ttoff) and the time elapsed before signal feedback assertion (Tfbk).
[Figure 2: Time event diagram for STO function. Traces: Torque On signal, Feedback relay activated, Motor Torque Off, Motor safely stopped; event: one/both control signals disabled; intervals Ttoff, Tfbon, Tmotoff.]
- Ttoff: time from control signal disabled to STO function activation
- Tfbon: time from STO function activation to feedback signal changing state
- Tmotoff: time from STO function activation to motor stop: depends on motor/load inertia
Name | Description | Max delay [ms]
Ttoff | Time between ENABLE/SAFETY ENABLE signal deactivation and safety channel activation (the same for both ENABLE and SAFETY ENABLE) | 14
Tfbk | Time between SAFETY ENABLE and SAFETY FEEDBACK change of status | 20
Tton | Time between ENABLE signal activation and drive activation (Drive Active) | 8
Tiblk | In case SAFETY ENABLE is issued before ENABLE maximum allowed time before system goes into interblock | 8
Table 2 Safety Intervention times.
Looking at the Enable signals evolving dynamically in time, the allowed input configurations are fewer than those highlighted in Table 1: in order to prevent PWM pulses from being applied suddenly, the ENABLE signal will always follow SAFETY ENABLE or, at least, be applied before it within 4ms. Should ENABLE come first before SAFETY ENABLE, the ADL drive goes into interlock block and it will be necessary to disable and issue ENABLE high again in order to reactivate ADL.
The following figures describe the dynamics of the STO function:
[Figure 3: Dynamic view of activation of STO Safety Function. Traces: Enable signal, Safety Enable signal, Feedback relay activated; event: one/both enable signals disabled; intervals Ttoff, TFBK.]
[Figure 4: Dynamic view of deactivation of STO Safety Function. Traces: Enable signal, Safety Enable signal, Feedback relay activated; event: Enable signal activated; intervals Tton, TFBK.]
4.3 Safety integrity level
The PDS STO function provides two independent safety channels/paths. A fault on a channel should not interfere with operation on the other channel.
The safety architecture has been designed to be fault tolerant with a fault tolerance of 1. This means that whatever failure occurs in the system, safety is still guaranteed.
Each channel will be activated/deactivated by a different input. Inputs are safely separated and far from each other to guarantee electrical and functional isolation.
Inputs will be called respectively:
- ENABLE
- SAFETY ENABLE
A limit on probability of random failure per hour (PFH) should be calculated on a time-span of 20 years (mission time). PFH is less than 1x10^-9. Safety Integrity Level classification according to EN61800-5-2/EN61508 is SIL3.
4.4 Safety Fault Reaction System
Hardware mechanisms on both Regulation and Safety circuits have been established to detect faults and react to them.
Signals DRIVE OK and SAFETY OK are provided to issue fault alarms to external monitoring devices.
Normal behavior of these signals is described in ADL300 User Manual:
SAFETY OK signals are internally connected to a fixed hardware controlled relay which diagnoses and identifies failures into the safety circuit. SAFETY OK relay behavior is described in Table 4. Asserting an alarm on a SAFETY OK signal means the feedback signal status does not comply with behavior described in Table 4.
DRIVE OK relay behavior is software configurable. The default configuration acts so that the relay is closed if drive ADL300 is ready for receiving an ENABLE signal. DRIVE OK configuration must be mandatorily changed into Digital Input Monitor for ENABLE signal in case of contactor-less applications (§ 7.2 Lift Application Design supporting contactor-less car stop).
In case hardware/software on the Regulation board detects some faults, it will assert a Safety Failure Alarm, preventing the drive from restarting again till the alarm is manually cleared by qualified personnel.
In order to make failures more evident and take the system to a safe state independently of the external monitoring device, the safety function has been designed so that most of the detected failures actually block the ADL300 when the drive is being normally operated. All detected failures shall raise alarm issues by means of feedback signals.
The Regulation board executes all possible integrity checks anytime before starting to generate PWM pulses:
- Check ENABLE signal
- Check SAFETY ENABLE signal
- Check SAFETY OK consistency
Should any of the previous checks fail, ADL300 will not start generating PWM pulses. Only qualified personnel, after performing all necessary maintenance procedures, are authorized to clear the alarm in the drive alarm menu.
Feedback signals are designed to react to fault detection in a time no longer than 10ms.
Terminal name | Signal name | Function description | Electrical limits and range
EN+ | +SAFETY ENABLE | +24v for disabling the safety function | (IN) +12…+35v with respect to EN-
EN- | -SAFETY ENABLE | 0v COM for disabling the safety function | (IN) 0v
OK1 | SAFETY OK1 | Normally closed contact for Safety feedback (contact 1) | 250mA maximum DC current
OK2 | SAFETY OK2 | Normally closed contact for Safety feedback (contact 2) | 250mA maximum DC current
Table 3 Description of Signals onto Safety Connector.
SAFETY ENABLE+/- | SAFETY OK CONTACTS
Open/0v | Closed
+24vDC | Open
Table 4 Feedback relay contact status as function of enable input.
5 Installation and commissioning guidance
The STO integrated safety function must be regarded as a part of the safety related control system of a machine. Only risk analysis and assessment of the machine as in §2 can verify adequacy of the safety control system.
Risk analysis and assessment shall be developed with full knowledge of STO characteristics and limits.
Installation and commissioning shall be performed only by qualified personnel fully aware of the risks generally and specifically involved in the operations (see §1).
Generally speaking, an installation sustaining the highest integrity levels requires some basic principles:
- Both enable signals shall be used with full wiring redundancy in order to sustain fault tolerance equal to or greater than 1
- Both feedback signals shall be used in order to maximise failure detection capabilities
- Dynamic principle exploited for all signals
- All devices used to assist/monitor/actuate safety related signals shall claim a compliant safety integrity level
Operators shall take the machine into operation only after functional and safety tests have been fully performed to verify compliance with respect to risk analysis.
5.1 Safety Function Integrated on ADL300 drive family
Family drives ADL300 support the safe torque off function as a standard integrated function tested on each unit shipped from authorized manufacturing plants.
It must be understood and accepted by the users that the safety function cannot be accessed, modified or maintained outside of the conditions herein described. Only authorized production facilities can access the integrated safety function in order to assure safe integrity.
ADL300V-SWWW-PPP-(X)-CC-(O) Where:
V: Regulation Version, [A] = Advanced, [B] = Basic
S: mechanical size of the device [1],[2]…[5]
WWW: Output power (kW)
PPP: coding braking unit/Keyboard, [KBL] = keypad and brake unit
X: [F] = internal EMI filter
CC: Power supply type, [4] = 400vAc three-phase, [2T] = 200vAc three-phase, [2M] = 200vAc single-phase
O: Optional features, C = CAN
Example:
ADL300A-2110-KBL-4 = ADL300 Advanced, size 2, power 11kW, 400vAC power supply, keypad, brake unit, without filter, without CAN
ADL300B-2110-KBL-F-4-C = ADL300 Basic, size 2, power 11kW, 400vAC power supply, keypad, brake unit, with filter, with CAN
Every apparatus is equipped with identification label as follows:
5.2 Connections and use of the “SAFE TORQUE OFF” function
The “SAFE TORQUE OFF” function shall be used to prevent unexpected starting from standstill of the motor. In case the motor is running, standstill condition should be achieved with controlled braking before the “SAFE TORQUE OFF” function is activated. The safety function breaks off power and current onto the drive outputs and makes the motor coast. The motor has to be taken to standstill by means of a dedicated function.
The correct use of the “SAFE TORQUE OFF” function has to be made using two safety related signals and the usual START drive commands and sequence:
- ENABLE
- SAFETY ENABLE
In all cases where application/highest SIL level is required, the feedback system should be used. Two feedback signals are allowed for system fault detection as described in §4.4 Safety Fault Reaction System.
Following is a simplified diagram showing all electrical connections necessary for using the STO safety function.
Two sets of interface connectors are used on ADL300 drives:
1. Regulation Enable and Feedback Drive OK
2. Safety Dedicated Connector
The safety system is activated by means of dedicated connections hosted at the bottom of the ADL300 case, made up of a 4-pole input connector hosted on the safety board.
[Figure 5: Simplified connection diagram for STO function. ADL300 regulation connector: EN HW and DCOM (ENABLE, +24v), RO1O and RO1C (DRIVE OK); safety connector: EN+ and EN- (SAFETY ENABLE, +24v), OK1 and OK2 (SAFETY OK).]
Safety connector layout is shown in Figure 6
Figure 6 Safety Connector Layout
Table 3 is a description of signals onto Safety Connector.
Terminal name | Signal name | Function description | Electrical limits and range
EN+ | +SAFETY ENABLE | +24v for disabling the safety function | (IN) +12…+35v with respect to EN-
EN- | -SAFETY ENABLE | 0v COM for disabling the safety function | (IN) 0v
OK1 | SAFETY OK1 | Normally closed contact for Safety feedback (contact 1) | 250mA maximum DC current
OK2 | SAFETY OK2 | Normally closed contact for Safety feedback (contact 2) | 250mA maximum DC current
Table 5 Description of Signals onto Safety Connector.
Concerning the Regulation signals, the interface is more complex given the number of available configurations for ADL300:
- ADL300 Basic: the ENABLE signal is fixed onto the regulation board; the interface is shown in Figure 8 and Table 6.
- ADL300 Advanced: ENABLE and feedback signals are placed onto the ADL-IO expansion card. ADL-I/O optional cards are listed in Appendix A.2 of the Specification and Installation User manual. Figure 10 and Table 7 show a sample ADL300 configuration and safety related pin description.
Figure 7 Fixed Connector Layout for ADL300.
TB4 | Name | Description
1 | RO4O | Dig Out 4
2 | RO4C | Dig Out 4
3 | RO3O | Dig Out 3
4 | RO3C | Dig Out 3
5 | RO2O | Dig Out 2
6 | RO2C | Dig Out 2
7 | RO1O | Dig Out 1
8 | RO1C | Dig Out 1
Figure 8 Standard PinOut for ADL300 Basic
Regulation connector description with regard to signals related to safety function for ADL300 Basic.
TB3 | Name | Description
1 | DI 8 | Dig In 8
2 | DI 7 | Dig In 7
3 | DI 6 | Dig In 6
4 | DI 5 | Dig In 5
5 | DI 4 | Dig In 4
6 | DI 3 | Dig In 3
7 | DI 2 | Dig In 2
8 | DI 1 | Dig In 1
9 | EN_HW | ENABLE
10 | DICOM |
11 | 0V | 0v power supply
12 | 24V | Power supply
TB2 | Name | Description
1 | DI F2 |
2 | DI F1 |
3 | DI CM |
4 | COS- |
5 | COS+ |
6 | SIN- |
7 | SIN+ |
8 | Z- |
9 | Z+ |
10 | B- |
11 | B+ |
12 | A- |
13 | A+ |
14 | 0VE |
15 | +VE |
Pin name | Function
TB3 9 - EN HW | Drive ENABLE signal. 24v DC should be applied
TB3 11 - DCOM | COM for ENABLE signal.
TB4 7 - RO 1O | DRIVE OK feedback relay
TB4 8 - RO 1C | COM for DRIVE OK feedback relay
Table 6 Connector pin-out concerning safety related function onto ADL300 Basic.
Figure 9 ADL300 with option card configurations.
The following figure shows the safety related pin names and positions on EXP-IO-D5R3. The ENABLE signal always uses the EN HW name.
Figure 10 An example for regulation IO configuration: EXP-IO-D5R3.
Regulation connector description with regard to signals related to safety function for ADL300 Advanced.
Pin name | Function
9 - EN HW | Drive ENABLE signal. 24v DC should be applied
11 - 0v | COM for ENABLE signal.
56 - RO 1O | DRIVE OK feedback relay
57 - RO 1C | COM for DRIVE OK feedback relay
Table 7 Connector pin-out concerning safety related function onto ADL300 EXP-IO-D5R3.
Two signal inputs are provided to enable/disable the STO function on the ADL300. Both inputs are controlled so that:
- STO function is enabled (ADL300 disabled) when either input is not excited (voltage not applied on input).
- Both inputs will be properly excited (energized) in order for the STO function to be disabled and ADL300 to normally operate. Table 1 specifies STO function behavior.
The system also provides 2 feedback signals, which must be used according to the manual and installation guide in order to increase the safety integrity level of the system. One feedback signal is based on an open contact relay (DRIVE OK). The other feedback signal is an opto-isolated normally closed SAFETY OK relay which switches according to Table 4.
If any of the feedback signals does not comply with anticipated behavior a detected failure should be assumed and countermeasures applied.
Electrical levels
ENABLE and SAFETY ENABLE input signals comply with the following electrical characteristics:
Parameter | Value
Nominal excitation voltage | 24v
Min excitation voltage | 18v
Max excitation voltage | 36v
Max steady state current (25°C) | 30mA
Disabling condition | Open circuit
Max in-rush peak current | 50mA
Table 8 ENABLE-SAFETY ENABLE electrical levels.
SAFETY OK and DRIVE OK feedback relays characteristics are shown in
Parameter | Value
Nominal output voltage | 24v
Maximum Voltage | 125v
Maximum Isolation Voltage | 400v
Max current (25°C) | 350mA DC 250mArm AC
Table 9 SAFETY OK relay characteristics.
5.2.1 Control sequence
Normal use of the STO safety function shall follow a predefined sequence, both for enabling and for disabling the safety function.
DISABLING SAFETY FUNCTION
Drive is in stop condition, both enable signals are disabled. In order to disable the STO function properly, the following action sequence applies:
1. SAFETY OK, DRIVE OK signals are checked for congruency
2. SAFETY ENABLE signal issued high (24v applied)
3. ENABLE is issued high (24v applied)
4. FEEDBACK signals DriveOK and SAFETY DISABLED are checked for congruency
5. START command can now be issued to start motor and provide power
ENABLING SAFETY FUNCTION
Drive is running and powering a motor, both enable signals are enabled. In order to activate the EXP-SFTY-ADV function properly, the following action sequence is applied:
1. STOP command is issued to stop motor and power generation
2. ENABLE issued low
3. Finally SAFETY ENABLE signal is issued low
Should ENABLE and SAFETY ENABLE be tied together (either electrically or logically), it must be assured that delays exceeding 4ms are not introduced. In case SAFETY ENABLE is issued high before ENABLE, the drive will go into interblock mode and will allow motor to start before ENABLE is correctly taken low and high again.
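The ordering rules of section 5.2.1 can be checked mechanically against a controller's event log. The C checker below is an added example, not code from Gefran or from this manual: the event names, the trace format and the sample traces are constructed, and it assumes the 4ms limit means the maximum gap between the two input edges when the inputs are tied.

```c
#include <stddef.h>
#include <stdio.h>

/* Event names are this example's own labels for the steps in section 5.2.1. */
typedef enum { FB_CHECK_OK, SAFETY_EN_HIGH, EN_HIGH, START,
               STOP, EN_LOW, SAFETY_EN_LOW } event_t;
typedef struct { unsigned long t_us; event_t ev; } edge_t;

enum { SEQ_OK = 0, SEQ_BAD_ORDER = 1, SEQ_BAD_SKEW = 2 };
#define MAX_TIED_SKEW_US 4000UL /* 4 ms limit when the two inputs are tied */

/* One full cycle: disabling STO (steps 1-5), then enabling STO (steps 1-3). */
static const event_t cycle[] = { FB_CHECK_OK, SAFETY_EN_HIGH, EN_HIGH,
    FB_CHECK_OK, START, STOP, EN_LOW, SAFETY_EN_LOW };
#define CYCLE_LEN (sizeof cycle / sizeof cycle[0])

/* Walks a trace that starts with the drive stopped and both inputs low.
 * Returns SEQ_OK or the first violation; *bad receives its index. */
int check_trace(const edge_t *tr, size_t n, int tied, size_t *bad)
{
    size_t step = 0;
    for (size_t i = 0; i < n; i++) {
        if (tr[i].ev != cycle[step]) { *bad = i; return SEQ_BAD_ORDER; }
        /* Second edge of an input pair: the previous event is the first edge. */
        if (tied && (tr[i].ev == EN_HIGH || tr[i].ev == SAFETY_EN_LOW) &&
            tr[i].t_us - tr[i - 1].t_us > MAX_TIED_SKEW_US) {
            *bad = i; return SEQ_BAD_SKEW;
        }
        step = (step + 1) % CYCLE_LEN;
    }
    return SEQ_OK;
}

/* Constructed sample traces, timestamps in microseconds. */
const edge_t good[] = { {0, FB_CHECK_OK}, {1000, SAFETY_EN_HIGH},
    {3000, EN_HIGH}, {5000, FB_CHECK_OK}, {6000, START}, {900000, STOP},
    {901000, EN_LOW}, {903500, SAFETY_EN_LOW} };
const edge_t slow[] = { {0, FB_CHECK_OK}, {1000, SAFETY_EN_HIGH},
    {7000, EN_HIGH} };                 /* ENABLE follows by 6 ms */
const edge_t early_start[] = { {0, FB_CHECK_OK}, {1000, SAFETY_EN_HIGH},
    {2000, EN_HIGH}, {2500, START} };  /* second feedback check skipped */

int main(void)
{
    size_t bad = 0;
    printf("good=%d ", check_trace(good, 8, 1, &bad));
    printf("slow=%d ", check_trace(slow, 3, 1, &bad));
    printf("early_start=%d\n", check_trace(early_start, 4, 1, &bad));
    return 0;
}
```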
6 Operation and maintenance requirements
6.1 Operations
Operations must comply with the electrical precautions and ranges so far claimed and explained. The following table lists the most important electrical drive precautions to comply with:
Signals | Electrical safety constraints
SAFETY ENABLE+, SAFETY ENABLE- | Voltage shall not exceed 35v and shall not be applied inverted.
SAFETY OK1, SAFETY OK2 | Voltage shall not exceed 125v. Current shall not exceed 250mA
Input ENABLE HW_EN, DCOM | Voltage shall not exceed 35v and shall not be applied inverted.
DRIVE OK-C, DRIVE OK-O | Voltage shall not exceed 125v. Current shall not exceed 250mA
Digital Inputs | Voltage shall not exceed 35v on any of the pins
Encoder inputs | Voltage shall not exceed 12v on any of the pins
+24v, 0v24 | Voltage Supply 24vDC shall not exceed 35vDC. It shall not be applied inverted. It shall not be an AC voltage.
PDS shall only be operated according to environmental conditions specified in device manual herein reported.
Type | Operation (installed for stationary use) | Storage (in the protective package) | Transportation (in the protective package)
Max Installation Site Altitude | Up to 2000m
Air Temperature | -10…50°C | -25...55°C (class 1k4 EN50178) | -25...55°C (class 2k3 EN50178)
Relative Humidity | 5...85% (Class 3k3 as per EN50178) | 5...95% (Class 1k3 as per EN50178) | 5...95% (Class 1k3 as per EN50178)
No condensation or icing allowed.
Contamination Levels (IEN 60721-3-3) | No conductive dust allowed.
Boards without coating: Chemical gases: n.a. Solid particles: no conductive
Boards with coating: Chemical gases: n.a. Solid particles: no conductive
Boards without coating: Chemical gases: n.a. Solid particles: no conductive
Boards with coating: Chemical gases: n.a. Solid particles:
EN 60068-2-52: test Kb, salt solution 5%, duration test 24 h
Atmospheric Pressure | 86 to 106 Kpa (class 3K3 as per EN50178) | 86 to 106 Kpa (class 1K4 as per EN50178) | 70 to 106 Kpa (class 2K3 as per EN50178)
Vibration (EN 60068-2-6) (EN 60068-2-34) | Sinus 10...150Hz 2g, Random 5....200 0,005g²/Hz | n.a | n.a.
Shock (EN 60068-2-29) | not allowed | n.a | n.a.
Free Fall | n.a. | 250mm | 250mm
Approvals | CE
Degree of pollution | Pollution degree 2 or better (free from direct sunlight, vibration, dust, corrosive or inflammable gases, fog, vapour oil and dripped water, avoid saline environment)
Degree of protection | IP20; IP54 for cabinet with externally mounted heatsink (size types 1007 and 3150)
EMC | EN 61800-3
Any differences with respect to claimed operating conditions could overstress the device and diminish the safety integrity of the system.
6.2 Maintenance
Expected operation life-time of the system is 20 years or 10 million operations. After one of the two parameters is exceeded, the drive should be returned to the manufacturer.
Any malfunctions/failures shall summon users/assisting personnel to immediately inform assistance and take proper actions to fix the problem.
Periodic maintenance is not necessary nor scheduled.
6.3 Operational tests
Qualified personnel shall periodically verify the drive unit as a black-box unit. Assisting personnel shall verify the input-output tables with respect to what is specified above. The periodic test will verify:
- Motor torque is deactivated when either ENABLE or SAFETY ENABLE are activated
- Feedback signals are properly controlled as functions of ENABLE/SAFETY ENABLE inputs.
Periodic test shall be performed at least once a YEAR.
6.4 Troubleshooting
Following is a troubleshooting table to be used in case of improper functioning or doubts about safety functionality.
Effect | Possible cause | Action
Drive is powered but does not work | Electrical level missing or inverted onto ENABLE | Check ENABLE signal, for basic version contacts 9=+24vDC, 10=COM
 | Electrical level missing or inverted onto SAFETY ENABLE | Check SAFETY connector, contacts 1=+24vDC, 2=COM
 | SAFETY OK does not work | Check for Safety Failure Alarm. In case of assertion contact Gefran Service & Assistance
 | Drive has not been properly connected. | Check ADL300 configuration. See ADL300 user manual.
Regulation Feedback signal (drive OK) does not change status according to table 1. | Drive has not been properly connected. | Check ENABLE signal, for basic version contacts 9=+24vDC, 10=COM
Safety feedback signal (SAFETY OK) does not change status | Safety Enable signal does not activate SAFETY circuits | Check electrical level and current capability of SAFETY ENABLE signal.
Safety feedback signal (SAFETY OK) does not change status according to Table 4 | Safety part might have failed | Qualified personnel might assess ADL300 integrity
7 Lift Applications
Following are some application examples specifically intended for the Lift Market which show how to implement Safety functions according to EN81-1 using the ADL300 safety integrated function.
7.1 Lift Application Design using 2 contactors for car stop
Figure 11 Safety connector position on the ADL300 Advanced and Basic versions.
In case two external contactors are used to disconnect motor wirings, no ADL300 safety feature is used. It is important for installation personnel to remember to bypass the integrated safety feature.
The integrated feature is disabled by powering the safety connector on ADL300 Basic/Advanced as follows:
apply a 24vDC to safety connector enable contacts 1, 2.
EN+ | + SAFETY ENABLE | +24v for disabling the safety function
EN- | - SAFETY ENABLE | 0v COM for disabling the safety function
7.2 Lift Application Design supporting car stop with one contactor
Figure 12 ADL300 Lift system reference design to use a single contactor onto the motor.
Figure 12 is a Lift reference design to be used to implement a Lift System according to EN81-1 12.7.3 b) using one contactor and the safety integrated function instead of 2 contactors.
Requirements to comply with the reference design and EN81 12.7.3 b) are:
1. SYSTEM CONTROL UNIT shall use both one contactor and ADL300 safety integrated function as means to stop cabin.
2. SAFETY CONTROL UNIT will monitor both DRIVE OK and SAFETY OK relay.
3. ADL300 shall be enabled using both ENABLE and SAFETY ENABLE signals
4. Any time Motor comes to a stop, SAFETY OK relay shall be monitored by SYSTEM CONTROL UNIT. In case an unexpected SAFETY OK relay status is found, SYSTEM CONTROL UNIT will not issue a restart (K1, K2 remain open) until condition is cleared.
Figure 13 ADL300 specific reference design to use a single contactor onto the motor.
Figure 13 is a more specific ADL300 design case using single contactor and AC motors. According to previous prescriptions it can be noticed that:
1. The system control unit uses both K3M contactor and ADL300 safety integrated mechanism
2. The System control unit will still be in charge for controlling K2M and K3M which in turn act on both SAFETY ENABLE and ENABLE commands.
3. SAFETY OK relay is monitored by means of a series connection onto ENABLE (ENHW).
4. DRIVE OK is monitored by means of a series connection onto L1 main command.
7.3 Lift Application Design supporting contactor-less car stop
Figure 14 ADL300 Lift system reference design to use onto the motor.
Figure 14 is a Lift reference design to be used to implement a Lift System according to EN81-20 5.9.2.5.3 d) using no contactors and the safety integrated function STO (EN61800-5-2 - SIL3) instead of 2 contactors. In order to fulfil the contactor-less design, one of the relays must mandatorily be configured as Digital Input Monitor of ENHW (inverted) so that its status directly links to the ENABLE signal status. In Figure 14 the DRIVE OK status plays the role of inverted ENHW monitor (the current flows in both relays when car is stopped).
Generally speaking the feedback signal must always be monitored by the SYSTEM CONTROL UNIT, either in parallel independently or in series.
Requirements to comply with the reference design and EN81-20 5.9.2.5.3 d) are:
1. SYSTEM CONTROL UNIT (SCU) shall use ADL300 safety integrated function STO as means to stop cabin. Two separated and independent wirings shall be used to activate/deactivate ENABLE and SAFETY ENABLE signals.
2. SCU will monitor both DRIVE OK and SAFETY OK relay.
3. ADL300 shall be enabled using both ENABLE and SAFETY ENABLE signals
4. Any time Motor comes to a stop SAFETY OK relay and DRIVE OK shall be monitored by SCU, switch from open status to closed status. In case an unexpected relay status (SAFETY OK, DRIVE OK) is found, SCU will not issue a restart (K1, K2 remain open) until condition is cleared.
ADL300 will log any unexpected relay conditions. Operators witnessing unexpected relay conditions shall return ADL300 unit for revamping.
It is highlighted here that wiring used for ENABLE and SAFETY ENABLE connections must be protected against external damage (armouring, cable ducting) and protected by means of a sleeve rated to 600V.
Separate wirings are necessary for fault tolerance of 1 to be supported at system level. It should be noticed that any damage to wirings can take conductors either to:
- Short circuit
- Open circuit
Any of the above cases would prevent current from flowing in conductors, making the Safety function active. The same design philosophy should be used for feedback conductors: current flow in wirings is the normal condition, so that any damage would issue an alarm and be easily identified.
Following is a specific ADL300 design case using no contactors.
Figure 15 ADL300 contactor-less application design case
With respect to above prescriptions we can notice that:
1. System Control Unit uses both ENABLE and SAFETY ENABLE signals by means of two different relays (K2M, K3M)
2. SCU monitors both feedback relays: SAFETY OK and CONTACTORLESS OK (which is configured as Digital Inp Monitor ENHW)
3. Any time Motor comes to a stop SAFETY OK relay and CONTACTORLESS OK shall be monitored by SCU, switch from open status to closed status. In case an unexpected relay status (SAFETY OK, CONTACTORLESS OK) is found, SCU will not issue a restart (K2M, K3M, Emergency Failure remain open) until condition is cleared.
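The restart rule in point 3, combined with the fail-safe wiring principle stated earlier (current flowing is the normal condition), amounts to a latching interlock in the SCU. The C code below is an added example, not Gefran's or the manual's own: the type and function names are hypothetical, the samples are constructed, and the clearing rule (a service reset that succeeds only while both relays read closed) is an assumption, since the manual only says "until condition is cleared".

```c
#include <stdio.h>

/* Contact state as read by the SCU: current flowing means closed.
 * A cut feedback wire reads as open, like a relay that failed to close. */
typedef enum { CONTACT_OPEN = 0, CONTACT_CLOSED = 1 } contact_t;
typedef struct { contact_t safety_ok, contactorless_ok; } feedback_t;
typedef struct { int lockout; } scu_t;   /* hypothetical SCU state */

static int both(feedback_t f, contact_t want)
{
    return f.safety_ok == want && f.contactorless_ok == want;
}

/* Call at every motor stop with the feedback sampled while running and
 * again after the stop. Both relays must go open -> closed; anything else
 * latches the lockout. Returns 1 if the transition was as expected. */
int scu_on_stop(scu_t *s, feedback_t running, feedback_t stopped)
{
    int expected = both(running, CONTACT_OPEN) && both(stopped, CONTACT_CLOSED);
    if (!expected)
        s->lockout = 1;
    return expected;
}

/* Restart gate: K2M and K3M may be driven only when this returns 1. */
int scu_restart_allowed(const scu_t *s) { return !s->lockout; }

/* Assumed clearing rule: a service reset releases the lockout only while
 * both relays read closed, i.e. the stopped-car condition is present. */
int scu_service_reset(scu_t *s, feedback_t now)
{
    if (both(now, CONTACT_CLOSED))
        s->lockout = 0;
    return !s->lockout;
}

int main(void)
{
    /* Constructed samples: one clean stop, then SAFETY OK fails to close. */
    scu_t s = { 0 };
    feedback_t run = { CONTACT_OPEN, CONTACT_OPEN };
    feedback_t ok = { CONTACT_CLOSED, CONTACT_CLOSED };
    feedback_t stuck = { CONTACT_OPEN, CONTACT_CLOSED };
    printf("clean=%d ", scu_on_stop(&s, run, ok));
    printf("faulty=%d ", scu_on_stop(&s, run, stuck));
    printf("restart=%d\n", scu_restart_allowed(&s));
    return 0;
}
```

Because the lockout is latched, a later clean stop does not release it; only the reset path does.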
Gefran worldwide
GEFRAN S.p.A.
Via Sebina 74 25050 Provaglio d’Iseo (BS) ITALY Ph. +39 030 98881 Fax +39 030 9839063 info@gefran.com www.gefran.com
Drive & Motion Control Unit
Via Carducci 24 21040 Gerenzano [VA] ITALY Ph. +39 02 967601 Fax +39 02 9682653 infomotion@gefran.com
Technical Assistance :
technohelp@gefran.com
Customer Service :
motioncustomer@gefran.com Ph. +39 02 96760500 Fax +39 02 96760278