gefran SIEIDrive ADL300 Safety User Manual

ADL300
English
Safety User manual
1S9STOEN
SIEIDrive
1S9STOEN_26-5-17_ADL300_STO_STO Pag. 2/30
Contents
1 Safety instruction and information for use ............................................................................... 3
1.1 Motivations for integrated safety function ............................................................................................... 3
1.2 Safe torque off function description ........................................................................................................ 3
1.3 Safety recommendations ........................................................................................................................ 4
2 Risk analysis and assessment ................................................................................................ 6
3 STO safety normative adherence ........................................................................................... 7
4 Safety system description ....................................................................................................... 8
4.1 Device functionality and architecture ...................................................................................................... 8
4.2 Safety function specifications ................................................................................................................. 9
4.3 Safety integrity level .............................................................................................................................. 12
4.4 Safety Fault Reaction System .............................................................................................................. 12
5 Installation and commissioning guidance .............................................................................. 14
5.1 Safety Function Integrated on ADL300 drive family ............................................................................. 14
5.2 Connections and use of the “SAFE TORQUE OFF” function .............................................................. 16
5.2.1 Control sequence ........................................................................................................................... 21
6 Operation and maintenance requirements ............................................................................ 22
6.1 Operations ............................................................................................................................................ 22
6.2 Maintenance ......................................................................................................................................... 23
6.3 Operational tests .................................................................................................................................. 23
6.4 Troubleshooting .................................................................................................................................... 23
7 Lift Applications .................................................................................................................... 24
7.1 Lift Application Design using 2 contactors for car stop ......................................................................... 24
7.2 Lift Application Design supporting car stop with one contactor ............................................................ 26
7.3 Lift Application Design supporting contactor-less car stop ................................................................... 28
Doc. release Issued by Doc. Changes Doc. Date
0.1 FNT First release 20/03/2012
0.2 FNT Contactor-less description 20/06/2012
1.0 FNT External consultant corrections and suggestions 27/06/2012
1.1 FNT Added single contactor diagram. 28/01/2013
1.2 BRI Add manual code, “prEN81-..” to “EN81-..”, pag 3 add EN81-50. 26/05/2017
1 Safety instruction and information for use
1.1 Motivations for integrated safety function
As a result of automation, demand for increased production and reduced operator physical effort, control systems of machinery and plant items play an increasing role in the achievement of overall safety. These control systems increasingly employ complex electrical/electronic/programmable electronic devices and systems. Prominent amongst these devices and systems are adjustable speed electrical power drive systems (PDS) that are suitable for use in safety-related applications (PDS-SR).
Electronic protections are integrated into the drive in order to perform safety functions that minimise or eliminate hazards due to functional errors while using machinery.
An integrated safety function replaces external safety components. The STO integrated function can be used as an alternative to motor contactors in order to control unexpected motor re-start, where the risk assessment permits it. As stated above, the applicability of the integrated safety function depends on the application and on the applicable standards.
The whole safety-related part of the control system, using the drive's integrated safety function, has to work properly both in normal use and in misuse conditions. It must be trouble-free and reach a safe state.
In order to verify these requirements, the whole safety-related control system must be analysed by means of FMECA, fault tree analysis, etc.
1.2 Safe torque off function description
The safety function “Safe Torque Off” (STO) is used to cut off power and current output to the motor in order to prevent unexpected movements and voltages. The ADL300 drive family supports “Safe Torque Off” as an integrated feature.
This function does not disconnect the machine from the electrical power supply. It should be stressed that safety-equipped drive units are just one component in a safety control system, whereas STO is a system-level function. Parts and components of the system must be chosen, applied and integrated appropriately to achieve the desired level of operational safety.
ADL300 is a specialized drive family intended for the lift market. The ADL300 STO function will therefore primarily be used to attain the safety features permitted and described by the C-class standards EN81-1, EN81-20 and EN81-50. Specifically, the integrated safety function allows removing one or two contactors and implementing:
- Car safe stop using a one-contactor design
- Car safe stop using a contactor-less design
STO is integrated in the drive unit family ADL300, whereas the safety capability could also be implemented externally. When the safety function is used, the power disconnection between the drive controller and the motor required to achieve a “safe standstill” is obtained without the use of external contactors and/or relays.
The function should not be mistaken for “Mains supply disconnection (isolating) and switch-off”, section 5.3 isolation from power supply system, required by EN 60204-1.
The mains supply switch-off function may be performed only with the use of appropriate isolating switching devices.
The features of the safety function are:
- Unexpected movements of the motor shall not be possible.
- Power and current to the motor are safely switched off.
- The drive unit is not disconnected from the DC-link, so a short response time to a re-start command is possible.
1.3 Safety recommendations
The specifications and instructions provided to support functional safety are an essential part of the function itself. Their comprehension and knowledge are mandatory requirements for the people involved in installation and commissioning activities.
Only qualified personnel are allowed to execute any activity during installation and commissioning procedures.
Qualified personnel
For the purposes of this instruction manual, a “qualified person” is someone who is skilled in the installation, mounting, start-up and operation of the equipment and aware of the hazards involved.
A qualified person should be:
- Trained for first aid emergencies.
- Trained in the proper care and use of protective equipment according to established safety procedures.
- Trained and authorized to energize, de-energize, clear, ground and tag circuits and equipment according to established safety procedures.
This Safety Manual complements and integrates the instruction manuals for the ADL300 drive family. It contains additional safety information complying with the Machinery Directive to support the use of the drive's safety-related functions. Use of these functions as a part of a machinery control system shall be possible only after this document has been carefully understood.
Warning!
Improper installation and commissioning of safety-related parts of the control system can cause an uncontrolled re-start of the drive unit. This may cause death, serious injury and significant material damage.
The safety function control system shall only be installed and commissioned by qualified personnel.
The emergency stop function (according to EN60204) must operate and take the PDS into a safe state independently of the operational status of the drive unit. The safety integrated system is not affected by the operational status of internal/external parts not related to safety.
Resetting the emergency stop safety function must not result in an uncontrolled re-start of the motor. The PDS can be re-started only when the STO function is no longer active. In order to comply with EN60204, the drive will re-start only after manual confirmation by the operator.
In circumstances where external influences (for example vertical loads) are present, additional measures (for example mechanical brakes) might be necessary to prevent any hazards.
Procedures to check the safety function periodically, according to the result of the risk assessment and the prescriptions in §6.2, must be set up.
The STO integrated safety function is a single-fault-safe system (within the drive unit). No single fault or component failure can cause a loss of the safe state, inducing the drive to produce motor torque. Wiring and connections of the system must be appropriately implemented and tested in order to support the same fault tolerance (1) at system level.
Warning!
In the event of the failure of two output IGBTs in the drive, when Safe Torque Off has been activated, the drive may provide energy for up to 180° of rotation in a 2-pole motor before torque production in the motor ceases.
In the case of an induction motor, no movement is possible even when several faults occur (in the IGBT power stage). That is, no failure of the IGBT drivers, in the absence of controlled pulses coming from the regulation, can generate a current able to establish a rotating field.
It must be checked whether this condition can cause a dangerous machine movement.
Warning!
When the safety function is activated (motor unable to produce torque), the DC-link (high-voltage DC bus) of the drive is still connected to the mains supply. In this case the drive control is deactivated and, after the motor has coasted to standstill or if it was already stopped, high voltages are present on the motor and drive terminals.
For authorised personnel to work on live parts, the drive shall be electrically isolated from the mains supply (mains switch) and an appropriate time shall elapse (more than 5 minutes) to allow the high-voltage DC-link to discharge.
This is called “Mains supply disconnection (isolating) and switch-off”, isolation from the power supply system, required by EN 60204-1.
The mains supply switch-off function may be performed only with the use of appropriate isolating switching devices.
2 Risk analysis and assessment
According to the Machinery Directive 2006/42 EC, it is mandatory for the manufacturer of the machines to carry out a risk analysis in order to identify the hazards related to the machine.
The risk analysis should be developed according to Standard EN 12100 - Safety of Machinery - Risk assessment.
The risk assessment procedure is intended to identify and prevent:
- degree of injury
- frequency/duration of risk exposure
- possibility of avoiding the hazard
In order to define the risk level and to obtain a correct classification concerning the safety category and SIL (Safety Integrity Level), the standards EN61800-5-2, IEC 61508 and EN ISO 13849-1 should be used and applied. These standards give information and procedures on design principles and risk assessment for safety-related parts of control systems.
In the case of the STO safety function the risk assessment must consider the fact that the motor coasts to a standstill on STO activation. A mechanical brake may be required in some applications. Latching devices preventing access to dangerous parts, automatically enabling the STO function, might also be necessary.
EN81-1, intended for safety in lift applications, specifies the functions, safety integrity level and configurations to be used to attain given system-level functionalities.
Liability: the manufacturer shall be responsible for the safety of the machinery, in terms of:
- risk analysis of hazards originating from the machinery
- implementation of measures either to minimize or eliminate any risks
- documentation of residual risk
- production of the whole machinery documentation
The user/operator is responsible for safety concerning application and use:
- safety function implementation and selection according to the application
STO safety function integration:
- risk analysis and risk assessment according to EN 12100
- risk reduction by machine design
- risk reduction by protective equipment
- identification of safety requirements
- SIL and category selection
3 STO safety normative adherence
The “Safe Torque Off” integrated safety function meets the following standard requirements:
- safety integrity level SIL3 according to EN 61508 and EN61800-5-2
The Safe Torque Off function can be exploited specifically for the lift market to support:
- Single-contactor operation for car stop, EN81-1 §12.7.3 b)
- Contactor-less operation for car stop, EN81-1 and EN81-20 5.9.2.5.3 d)
In case of activation or fault detection, the safety function STO prevents torque production onto the motor, which could otherwise cause mechanical movements.
4 Safety system description
The Safe Torque Off safety function is integrated into the drive family ADL300 and is managed by means of two enable signals, “ENABLE” and “SAFETY ENABLE”.
4.1 Device functionality and architecture
The systems examined herein are Power Drive Systems (PDS), also called inverters. A PDS is a power device connected on one side to the mains (three-phase system) and on the other side to the motor power lines. Motor and other devices which are related to the system functionalities (relays, cables
The PDS makes the motor move according to the settings the operator has defined. From the electrical point of view, the PDS takes power from the mains to the motor lines. The inverter device family called ADL300 is the subject of this document. From the safety and main-functionality points of view all devices of the family can be modelled in the same way, represented in Figure 1.
[Figure 1 block diagram of the ADL300 PDS (image not reproduced): Mains -> Power Supply & monitor; Regulation board -> Enable -> Power driver -> IGBT -> Power outputs U,V,W HIGH / U,V,W LOW; SAFETY PART (Analog Switch, Buffer, Safety Enable) placed between the regulation board and the power isolated area]
Figure 1 block diagram of PDs ADL300.
All ADL300 PDs are integrated PD devices featuring different power ratings, dimensions and enclosures. From the functional and electrical points of view, however, all devices are made up of the same four fundamental parts:
1. Regulation board
2. Driver board
3. IGBT power module
4. Safety part
A brief description of the four parts follows:
Regulation board: exists as a separate PCB. The main purpose of this board is to generate coordinated PWM pulses going to the IGBT gates. PWM pulses are controlled and generated by the software according to the settings, to provide the requested voltage, current, motor speed, motor acceleration, etc. PWM pulses can be cancelled out directly on the regulation board by means of a PWM inhibit signal which acts directly on the hardware PWM generator. The onboard software also sees the enable signal when asserted and stops the (software) generation. A power supply stage, providing voltages for all digital circuits and for the EXP-SFTY-ADV board, is included on this board.
Safety part: exists as an isolated island integrated onto the regulation PCB. This part takes in the output PWM signals coming from the regulation and, according to its enable signal (SAFETY ENABLE), makes the pulses pass or not pass to the output connector going to the IGBT driver.
IGBT driver: exists as a separate PCB. The IGBT driver is the interface between the signals coming from the safety part and the power part. This subsystem comprises an opto-isolation island and a conditioning part, connected to the mains supply, driving the IGBT gates.
IGBT module: the IGBT is the actual power module comprising heatsink, fans, electrical shield and electric power wires.
From the operator's point of view, the system is managed by means of either a remote PC-like interface connected to the PDS or the onboard keypad. Either way, the operator may set/change parameters that modify the system functions accordingly: speed, torque, position, acceleration, etc. All functions are translated and implemented by means of a different gate command sequence arriving at the IGBT gates.
4.2 Safety function specifications
The safety function “Safe Torque Off” used in the ADL300 family assures that the drive safely disables motor movements by removing torque from the motor.
The STO function becomes active whenever either ENABLE or SAFETY ENABLE is deactivated (zero voltage applied, or open wires and no current flowing). Conversely, the STO function is disabled (drive enabled) when both enable signals are asserted (24 V DC applied). The functional logic diagram is shown in Table 1.
ENABLE               | SAFETY ENABLE        | STO STATUS
Disabled (open/0 V)  | Disabled (open/0 V)  | Enabled (torque off)
Enabled (24 V)       | Disabled (open/0 V)  | Enabled (torque off) [Safety interlock block]
Disabled (open/0 V)  | Enabled (24 V)       | Enabled (torque off)
Enabled (24 V)       | Enabled (24 V)       | Disabled (drive operating)
Table 1 Static Functional Table for Safe Torque Off Function.
Though the STO function activates when either of the mentioned signals is deactivated, the STO Safety Integrity Level cannot be guaranteed unless both signals are deactivated.
Whenever the STO function is enabled, the PDS will no longer provide torque to the motor, meaning that the motor will come to a stop safely. The time sequence of events that brings the motor to a stop depends on the motor inertia, as shown in Figure 1. The STO function only specifies the time at which torque is no longer applied to the motor (Ttoff) and the time elapsed before feedback signal assertion (Tfbk).
[Figure 2 time event diagram for the STO function (image not reproduced): Torque On signal; one/both control signals disabled -> Ttoff -> Motor Torque Off -> Tfbon -> Feedback relay activated; Tmotoff -> Motor safely stopped]
Figure 2 Time event diagram for STO function.
- Ttoff: time from control signal disabled to STO function activation
- Tfbon: time from STO function activation to feedback signal changing state
- Tmotoff: time from STO function activation to motor stop; depends on motor/load inertia
Name  | Description                                                                                                                  | Max delay [ms]
Ttoff | Time between ENABLE/SAFETY ENABLE signal deactivation and safety channel activation (the same for both ENABLE and SAFETY ENABLE) | 14
Tfbk  | Time between SAFETY ENABLE and SAFETY FEEDBACK change of status                                                              | 20
Tton  | Time between ENABLE signal activation and drive activation (Drive Active)                                                    | 8
Tiblk | In case SAFETY ENABLE is issued before ENABLE, maximum allowed time before the system goes into interlock                    | 8
Table 2 Safety intervention times.
Looking at the enable signals evolving dynamically in time, the allowed input configurations are fewer than those listed in Table 1: in order to prevent PWM pulses from being applied suddenly, the ENABLE signal must always follow SAFETY ENABLE or, at most, be applied within 4 ms before it. Should ENABLE come first, before SAFETY ENABLE, the ADL drive goes into the interlock block and it will be necessary to disable ENABLE and issue it high again in order to reactivate the ADL.
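As an added illustration (constructed for this edition; it is not Gefran's firmware nor any code from the manual), the following Python model captures the static logic of Table 1 together with the ordering rule just stated: STO is active unless both signals are asserted, ENABLE held asserted without SAFETY ENABLE for longer than the 4 ms tolerance latches the safety interlock block, and the block is cleared only by dropping ENABLE and issuing it again. The event-driven evaluation, the state names, the helper names and the sample signal sequences are assumptions of the model; the drive's real timing behaviour is only what Table 2 and the text state.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tolerance for ENABLE leading SAFETY ENABLE, taken from the text ("within 4 ms").
ENABLE_LEAD_TOLERANCE_MS = 4.0

# State names are an assumption of this model (they mirror the STO STATUS column of Table 1).
TORQUE_OFF = "torque off (STO active)"
TORQUE_OFF_INTERLOCK = "torque off (safety interlock block)"
DRIVE_OPERATING = "drive operating"


@dataclass
class StoLogic:
    """Two-signal STO logic: torque is enabled only while ENABLE and SAFETY ENABLE are both asserted."""
    enable: bool = False
    safety_enable: bool = False
    interlocked: bool = False
    enable_rise_ms: Optional[float] = None  # time at which ENABLE was last asserted

    def _check_interlock(self, now_ms: float) -> None:
        # ENABLE asserted alone for longer than the tolerance -> interlock block (Table 1, row 2).
        if (self.enable and not self.safety_enable
                and self.enable_rise_ms is not None
                and now_ms - self.enable_rise_ms > ENABLE_LEAD_TOLERANCE_MS):
            self.interlocked = True

    def set_inputs(self, now_ms: float, enable: bool, safety_enable: bool) -> str:
        """Apply new input levels at time now_ms and return the resulting STO status."""
        self._check_interlock(now_ms)          # account for time spent with the previous inputs
        if enable and not self.enable:
            self.enable_rise_ms = now_ms       # rising edge of ENABLE
        if not enable:
            self.interlocked = False           # dropping ENABLE is the only way out of the interlock
            self.enable_rise_ms = None
        self.enable, self.safety_enable = enable, safety_enable
        return self.status(now_ms)

    def status(self, now_ms: float) -> str:
        """STO status at time now_ms with the current inputs (re-evaluates a pending interlock)."""
        self._check_interlock(now_ms)
        if self.interlocked:
            return TORQUE_OFF_INTERLOCK
        if self.enable and self.safety_enable:
            return DRIVE_OPERATING
        return TORQUE_OFF


def run_sequence(events: List[Tuple[float, bool, bool]]) -> List[Tuple[float, str]]:
    """Replay (time_ms, ENABLE, SAFETY_ENABLE) events through a fresh StoLogic and collect the status after each."""
    logic = StoLogic()
    return [(t, logic.set_inputs(t, en, sen)) for t, en, sen in events]


# Constructed sample sequences (times in ms).
# Correct commissioning order: SAFETY ENABLE first, ENABLE afterwards, then release.
GOOD_SEQUENCE = [(0.0, False, True), (10.0, True, True), (50.0, False, True), (60.0, False, False)]
# Wrong order: ENABLE leads SAFETY ENABLE by 10 ms -> interlock; cleared only by re-issuing ENABLE.
BAD_SEQUENCE = [(0.0, True, False), (10.0, True, True), (20.0, False, True), (30.0, True, True)]
# ENABLE leads by 3 ms, inside the tolerance: no interlock.
TOLERATED_SEQUENCE = [(0.0, True, False), (3.0, True, True)]

if __name__ == "__main__":
    for name, seq in (("good", GOOD_SEQUENCE), ("bad", BAD_SEQUENCE), ("tolerated", TOLERATED_SEQUENCE)):
        print(name)
        for t, status in run_sequence(seq):
            print(f"  t={t:5.1f} ms  {status}")
```

Replaying a planned wiring or PLC sequence through such a model before commissioning makes the interlock case visible early: in the wrong-order sequence the drive stays in "torque off (safety interlock block)" even after SAFETY ENABLE arrives, and only the ENABLE low-then-high cycle restores operation, which is exactly the recovery the text prescribes.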
The following figures describe the dynamics of the STO function: