Schneider ATV32H037N4, ATV32HU11N4, ATV32HU22N4, ATV32H055N4, ATV32HU15N4 User Manual

...

Altivar 32

Variable Speed Drives Safety Functions Manual
08/2014
S1A45606.03
www.schneider-electric.com
No part of this document may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without express written permission of Schneider Electric.
All pertinent state, regional, and local safety regulations must be observed when installing and using this product. For reasons of safety and to help ensure compliance with documented system data, only the manufacturer should perform repairs to components.
When devices are used for applications with technical safety requirements, the relevant instructions must be followed.
Failure to use Schneider Electric software or approved software with our hardware products may result in injury, harm, or improper operating results.
Failure to observe this information can result in injury or equipment damage. © 2013 Schneider Electric. All rights reserved.
2 S1A45606 08/2014

Table of Contents

Safety Information 5
About the Book 7
Chapter 1 Generalities 11
  Introduction 12
  Standards and Terminology 13
  Basics 14
Chapter 2 Description 17
  Safety Function STO (Safe Torque Off) 18
  Safety Function SS1 (Safe Stop 1) 20
  Safety Function SLS (Safely-Limited Speed) 22
Chapter 3 Calculation of Safety Related Parameters 29
  SLS Type 1 30
  SLS Type 2, Type 3, Type 4, Type 5, and Type 6 32
  SS1 35
Chapter 4 Behavior of Safety Functions 37
  Limitations 38
  Detected Fault Inhibition 39
  Priority Between Safety Functions 40
  Factory Settings 41
  Configuration Download 42
  Priority Between Safety Functions and No Safety-Related Functions 43
Chapter 5 Safety Functions Visualization by HMI 47
  Status of Safety Functions 48
  Dedicated HMI 49
  Error Code Description 50
Chapter 6 Technical Data 57
  Electrical Data 58
  Getting and Operating the Safety Function 59
  Safety Function Capability 60
  Debounce Time and Response Time 62
Chapter 7 Certified Architectures 63
  Introduction 64
  Multi-drive with the Safety Module Type Preventa XPS AF - Case 1 65
  Multi-drive with the Safety Module Type Preventa XPS AF - Case 2 66
  Multi-drive Without the Safety Module 67
  Single Drive with the Safety Module Type Preventa XPS AV - Case 1 68
  Single Drive with the Safety Module Type Preventa XPS AV - Case 2 69
  Single Drive with the Safety Module Type Preventa XPS AF - Case 1 70
  Single Drive with the Safety Module Type Preventa XPS AF - Case 2 71
  Single Drive According to IEC 61508 and IEC 60204-1 - Case 1 72
  Single Drive According to IEC 61508 and IEC 60204-1 - Case 2 73
Chapter 8 Commissioning 75
  Safety Functions Tab 76
  Configure Safety Functions Panel 77
  Visualization and Status of Safety Functions 81
  Copying Safety Related Configuration from Device to PC and from PC to Device 82
  Machine Signature 85
Chapter 9 Services and Maintenance 89
  Maintenance 90
  Power and MCU Replacement 91
  Changing Machine Equipment 92

Safety Information

Important Information
NOTICE
Read these instructions carefully, and look at the equipment to become familiar with the device before trying to install, operate, or maintain it. The following special messages may appear throughout this documentation or on the equipment to warn of potential hazards or to call attention to information that clarifies or simplifies a procedure.
PLEASE NOTE
Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of the use of this material.
A qualified person is one who has skills and knowledge related to the construction and operation of electrical equipment and its installation, and has received safety training to recognize and avoid the hazards involved.
About the Book

At a Glance

Document Scope
The purpose of this document is to provide information about the safety functions incorporated in the Altivar 32. These functions allow you to develop applications oriented toward the protection of people and machines.
FDT/DTM (field device tool / device type manager) is a new technology chosen by several companies in automation.
To install the Altivar 32 DTM, download and install our FDT, SoMove lite, from www.schneider-electric.com. It includes the Altivar 32 DTM.
The content of this manual is also accessible through the ATV32 DTM online help.

Validity Note
This documentation is valid for the Altivar 32 drive. The technical characteristics of the devices described in this document also appear online. To access this information online:

Step Action
1 Go to the Schneider Electric home page www.schneider-electric.com.
2 In the Search box type the reference of a product or the name of a product range.
  - Do not include blank spaces in the model number/product range.
  - To get information on grouping similar modules, use asterisks (*).
3 If you entered a reference, go to the Product Datasheets search results and click on the reference that interests you. If you entered the name of a product range, go to the Product Ranges search results and click on the product range that interests you.
4 If more than one reference appears in the Products search results, click on the reference that interests you.
5 Depending on the size of your screen, you may need to scroll down to see the data sheet.
6 To save or print a data sheet as a .pdf file, click Download XXX product datasheet.
The characteristics that are presented in this manual should be the same as those characteristics that appear online. In line with our policy of constant improvement, we may revise content over time to improve clarity and accuracy. If you see a difference between the manual and online information, use the online information as your reference.

Related Documents
Title of Documentation                          Reference Number
ATV32 Quick Start Guide                         S1A41715
ATV32 Quick Start Annex                         S1B39941
ATV32 Installation Manual                       S1A28686
ATV32 Programming Manual                        S1A28692
ATV32 Atex Manual                               S1A45605
ATV32 Safety Integrated Functions Manual        S1A45606
ATV32 Modbus Manual                             S1A28698
ATV32 CANopen Manual                            S1A28699
ATV32 PROFIBUS DP Manual                        S1A28700
ATV32 Modbus TCP - EtherNet/IP Manual           S1A28701
ATV32 DeviceNet Manual                          S1A28702
ATV32 EtherCAT Manual                           S1A28703
ATV32 PROFINET Manual                           HRB25668
ATV32 Communication Parameters Manual           S1A44568
BMP Synchronous Motor Manual                    0198441113981
ATV32 Certificates, see www.schneider-electric.com   NA
You can download these technical publications and other technical information from our website at www.schneider-electric.com.
Product Related Information
The information provided in this manual supplements the product manuals. Carefully read the product manuals before using the product. Read and understand these instructions before performing any procedure with this drive.
DANGER
HAZARD OF ELECTRIC SHOCK, EXPLOSION, OR ARC FLASH
- Only appropriately trained persons who are familiar with and understand the contents of this manual and all other pertinent product documentation and who have received safety training to recognize and avoid hazards involved are authorized to work on and with this drive system. Installation, adjustment, repair, and maintenance must be performed by qualified personnel.
- The system integrator is responsible for compliance with all local and national electrical code requirements as well as all other applicable regulations with respect to grounding of all equipment.
- Many components of the product, including the printed circuit boards, operate with mains voltage. Do not touch. Use only electrically insulated tools.
- Do not touch unshielded components or terminals with voltage present.
- Motors can generate voltage when the shaft is rotated. Before performing any type of work on the drive system, block the motor shaft to prevent rotation.
- AC voltage can couple voltage to unused conductors in the motor cable. Insulate both ends of unused conductors of the motor cable.
- Do not short across the DC bus terminals or the DC bus capacitors or the braking resistor terminals.
- Before performing work on the drive system:
  - Disconnect all power, including external control power that may be present.
  - Place a "Do Not Turn On" label on all power switches.
  - Lock all power switches in the open position.
  - Wait 15 minutes to allow the DC bus capacitors to discharge. The DC bus LED is not an indicator of the absence of DC bus voltage, which can exceed 800 Vdc.
  - Measure the voltage on the DC bus between the DC bus terminals using a properly rated voltmeter to verify that the voltage is < 42 Vdc.
  - If the DC bus capacitors do not discharge properly, contact your local Schneider Electric representative.
- Install and close all covers before applying voltage.
Failure to follow these instructions will result in death or serious injury.
DANGER
UNINTENDED EQUIPMENT OPERATION
- Read and understand this manual before installing or operating the drive.
- Any changes made to the parameter settings must be performed by qualified personnel.
Failure to follow these instructions will result in death or serious injury.
WARNING
DAMAGED DRIVE EQUIPMENT
Do not operate or install any drive or drive accessory that appears damaged.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
WARNING
LOSS OF CONTROL
- The designer of any control scheme must consider the potential failure modes of control paths and, for critical control functions, provide a means to achieve a safe state during and after a path failure. Examples of critical control functions are emergency stop, overtravel stop, power outage, and restart.
- Separate or redundant control paths must be provided for critical control functions.
- System control paths may include communication links. Consideration must be given to the implications of unanticipated transmission delays or failures of the link.
- Observe all accident prevention regulations and local safety guidelines.(1)
- Each implementation of the product must be individually and thoroughly tested for proper operation before being placed into service.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
1. For USA: for additional information, refer to NEMA ICS 1.1 (latest edition), “Safety guidelines for the application, installation, and maintenance of solid-state control” and to NEMA ICS 7.1 (latest edition), “Safety standards for construction and guide for selection, installation, and operation of adjustable speed drive systems.”
CAUTION
INCOMPATIBLE LINE VOLTAGE
Before turning on and configuring the drive, ensure that the line voltage is compatible with the supply voltage range shown on the drive nameplate. The drive may be damaged if the line voltage is not compatible.
Failure to follow these instructions can result in injury or equipment damage.
NOTICE
RISK OF DERATED PERFORMANCE DUE TO CAPACITOR AGING
The capacitor performance of a product stored for more than 2 years can be degraded. In that case, before using the product, apply the following procedure:
- Use a variable AC supply connected between L1 and L2 (even for ATVpppppN4 references).
- Increase the AC supply voltage to obtain:
  - 80% of rated voltage for 30 min
  - 100% of rated voltage for another 30 min
Failure to follow these instructions can result in equipment damage.
Qualification of personnel
Only appropriately trained persons who are familiar with and understand the contents of this manual and all other pertinent product documentation are authorized to work on and with this product. In addition, these persons must have received safety training to recognize and avoid hazards involved. These persons must have sufficient technical training, knowledge and experience and be able to foresee and detect potential hazards that may be caused by using the product, by changing the settings and by the mechanical, electrical and electronic equipment of the entire system in which the product is used.
All persons working on and with the product must be fully familiar with all applicable standards, directives, and accident prevention regulations when performing such work.
Intended use
The functions described in this manual are only intended for use with the basic product; you must read and understand the appropriate product manual. The product may only be used in compliance with all applicable safety regulations and directives, the specified requirements and the technical data. Prior to using the product, you must perform a risk assessment in view of the planned application. Based on the results, the appropriate safety measures must be implemented. Since the product is used as a component in an entire system, you must ensure the safety of persons by means of the design of this entire system (for example, machine design).
Operate the product only with the specified cables and accessories. Use only genuine accessories and spare parts. Any use other than the use explicitly permitted is prohibited and can result in hazards. Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel. The product must NEVER be operated in explosive atmospheres (hazardous locations, Ex areas).

Chapter 1
Generalities
What Is in This Chapter?
This chapter contains the following topics:
Topic Page
Introduction 12
Standards and Terminology 13
Basics 14

Introduction

Overview
The safety functions incorporated in Altivar 32 are intended to maintain the safe condition of the installation or prevent hazardous conditions arising at the installation. In some cases, further safety-related systems external to the drive (for example a mechanical brake) may be necessary to maintain the safe condition when electrical power is removed.
The safety functions are configured with SoMove software. Integrated safety functions provide the following benefits:
- Additional standards-compliant safety functions
- No need for external safety-related devices
- Reduced wiring effort and space requirements
- Reduced costs
The Altivar 32 drives are compliant with the requirements of the standards in terms of implementation of safety functions.
Safety Functions as Defined by IEC 61800-5-2
Definitions
Acronym  Description
STO      Safe Torque Off: no power that could cause torque or force is supplied to the motor.
SLS      Safely-Limited Speed: the SLS function prevents the motor from exceeding the specified speed limit. If the motor speed exceeds the specified speed limit value, safety function STO is triggered.
SS1      Safe Stop 1:
         - initiates and monitors the motor deceleration rate within set limits to stop the motor
         - initiates the Safe Operating Stop function when the motor speed is below the specified limit
DANGER
ELECTRIC SHOCK CAUSED BY INCORRECT USE
The safety function STO ([Safe Torque Off]) does not cause electric isolation. The DC bus voltage is still present.
- Turn off the mains voltage using an appropriate switch to achieve a voltage-free condition.
Failure to follow these instructions will result in death or serious injury.
Notation
The graphic display terminal (to be ordered separately - reference VW3A1101) menus are shown in square brackets.
The integrated 7-segment display terminal menus are shown in round brackets. Parameter names are displayed on the graphic display terminal in square brackets. Parameter codes are displayed on the integrated 7-segment display terminal in round brackets.

Standards and Terminology

Overview
The technical terms, terminology, and the corresponding descriptions in this manual normally use the terms or definitions in the relevant standards.
In the area of drive systems this includes, but is not limited to, terms such as safety function, safe state, fault, fault reset, failure, error, error message, warning, warning message, and so on.
Among others, these standards include:
- IEC 61800 series: Adjustable speed electrical power drive systems
- IEC 61508 Ed.2 series: Functional safety of electrical/electronic/programmable electronic safety-related systems
- EN 954-1: Safety of machinery - Safety related parts of control systems
- EN ISO 13849-1 & 2: Safety of machinery - Safety related parts of control systems
- IEC 61158 series: Industrial communication networks - Fieldbus specifications
- IEC 61784 series: Industrial communication networks - Profiles
- IEC 60204-1: Safety of machinery - Electrical equipment of machines - Part 1: General requirements
EC Declaration of Conformity
The EC Declaration of Conformity for the EMC Directive can be obtained on www.schneider-electric.com.
ATEX Certification
The ATEX certificate can be obtained on www.schneider-electric.com.
Functional Safety Certification
The integrated safety functions are compatible and certified according to IEC 61800-5-2 Ed.1 Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional.
IEC 61800-5-2, as a product standard, sets out safety-related considerations for Power Drive Systems suitable for use in safety-related applications, PDS(SR), in terms of the framework of the IEC 61508 Ed.2 series of standards.
Compliance with the IEC 61800-5-2 standard, for the safety functions described below, facilitates incorporation of a PDS(SR) into a safety-related control system using the principles of IEC 61508 or ISO 13849, as well as IEC 62061 for process systems and machinery.
The defined safety functions provide:
- SIL2 and SIL3 capability in compliance with IEC 61800-5-2 and the IEC 61508 Ed.2 series.
- Performance Level d and e in compliance with ISO 13849-1.
- Compliance with Category 3 and 4 of European standard ISO 13849-1 (EN 954-1).
Also refer to Safety Function Capability. The safety demand operating mode is considered to be the high demand or continuous mode of operation according to the IEC 61800-5-2 standard. The functional safety certificate is accessible on www.schneider-electric.com.

Basics

Functional Safety
Automation and safety engineering are two areas that were completely separate in the past but have recently become more and more integrated.
The engineering and installation of complex automation solutions are greatly simplified by integrated safety functions.
Usually, the safety engineering requirements depend on the application. The level of requirements results from the risk and the hazard potential arising from the specific application.
IEC 61508 Standard
The standard IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems covers the safety-related function.
Instead of a single component, an entire function chain (for example, from a sensor through the logical processing units to the actuator) is considered as a unit.
This function chain must meet the requirements of the specific safety integrity level as a whole. Systems and components that can be used in various applications for safety tasks with comparable risk levels can be developed on this basis.
SIL - Safety Integrity Level
The standard IEC 61508 defines 4 safety integrity levels (SIL) for safety functions. SIL1 is the lowest level and SIL4 is the highest level. A hazard and risk analysis serves as a basis for determining the required safety integrity level. This is used to decide whether the relevant function chain is to be considered as a safety function and which hazard potential it must cover.
PFH - Probability of a Dangerous Hardware Failure Per Hour
To maintain the safety function, the IEC 61508 standard requires various levels of measures for avoiding and controlling detected faults, depending on the required SIL.
All components of a safety function must be subjected to a probability assessment to evaluate the effectiveness of the measures implemented for controlling detected faults.
This assessment determines the PFH (Probability of a dangerous Failure per Hour) for a safety system. This is the probability per hour that a safety system fails in a hazardous manner and the safety function cannot be correctly executed.
Depending on the SIL, the PFH must not exceed certain values for the entire safety system. The individual PFH values of a function chain are added. The result must not exceed the maximum value specified in the standard.
SIL  Probability of a dangerous Failure per Hour (PFH) at high demand or continuous demand
4
3
2
1
PL - Performance Level
The standard ISO 13849-1 defines 5 Performance Levels (PL) for safety functions. a is the lowest level and e is the highest level. The five levels (a, b, c, d, and e) correspond to different values of average probability of dangerous failure per hour.
Performance level  Probability of a dangerous Hardware Failure per Hour
e
d
c
b
a
HFT - Hardware Fault Tolerance and SFF - Safe Failure Fraction
Depending on the SIL for the safety system, the IEC 61508 standard requires a specific hardware fault tolerance HFT in connection with a specific proportion of safe failures SFF (Safe Failure Fraction).
The hardware fault tolerance is the ability of a system to execute the required safety function in spite of the presence of one or more hardware faults.
The SFF of a system is defined as the ratio of the rate of safe failures to the total failure rate of the system. According to IEC 61508, the maximum achievable SIL of a system is partly determined by the hardware fault tolerance HFT and the safe failure fraction SFF of the system. IEC 61508 distinguishes two types of subsystem (type A subsystem, type B subsystem). These types are specified on the basis of criteria which the standard defines for the safety-relevant components.
Maximum achievable SIL for each HFT (0, 1, 2), by subsystem type and SFF band as defined in IEC 61508-2:
SFF           HFT type A subsystem      HFT type B subsystem
              0      1      2           0      1      2
< 60%         SIL1   SIL2   SIL3        ----   SIL1   SIL2
60% - < 90%   SIL2   SIL3   SIL4        SIL1   SIL2   SIL3
90% - < 99%   SIL3   SIL4   SIL4        SIL2   SIL3   SIL4
>= 99%        SIL3   SIL4   SIL4        SIL3   SIL4   SIL4
PFD - Probability of Failure on Demand
The standard IEC 61508 defines SIL using requirements grouped into two broad categories: hardware safety integrity and systematic safety integrity. A device or system must meet the requirements for both categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. To achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a minimum Safe Failure Fraction. The concept of 'dangerous failure' must be rigorously defined for the system in question, normally in the form of requirement constraints whose integrity is verified throughout system development. The actual targets required vary depending on the likelihood of a demand, the complexity of the device(s), and the types of redundancy used.
The PFD (Probability of Failure on Demand) and RRF (Risk Reduction Factor) of low demand operation for the different SILs are defined in IEC 61508 as follows:
SIL  PFD                  PFD (power of 10)  RRF
1    0.1 - 0.01           10^-1 - 10^-2      10 - 100
2    0.01 - 0.001         10^-2 - 10^-3      100 - 1000
3    0.001 - 0.0001       10^-3 - 10^-4      1000 - 10,000
4    0.0001 - 0.00001     10^-4 - 10^-5      10,000 - 100,000
In continuous operation, these change to the following:
SIL  PFD                        PFD (power of 10)  RRF
1    0.00001 - 0.000001         10^-5 - 10^-6      100,000 - 1,000,000
2    0.000001 - 0.0000001       10^-6 - 10^-7      1,000,000 - 10,000,000
3    0.0000001 - 0.00000001     10^-7 - 10^-8      1000 - 10,000
4    0.00000001 - 0.000000001   10^-8 - 10^-9      100,000,000 - 1,000,000,000
The hazards of a control system must be identified and then analyzed in a risk analysis. These risks are gradually mitigated until their overall contribution to the hazard is deemed to be acceptable. The tolerable level of these risks is specified as a safety requirement in the form of a target probability of a dangerous failure over a given period, stated as a discrete SIL level.
Fault Avoidance Measures
Systematic errors in the specifications, in the hardware and the software, usage faults and maintenance faults in the safety system must be avoided to the maximum degree possible. To meet these requirements, IEC 61508 specifies a number of measures for fault avoidance that must be implemented depending on the required SIL. These measures for fault avoidance must cover the entire life cycle of the safety system, i.e. from design to decommissioning of the system.
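As an added worked example (not from the manual or Schneider) tying together the PFH summation rule, the HFT/SFF limit and the continuous-mode bands above: the chain, its failure rates and its PFH figures are constructed sample values, not ATV32 data, and the lookup follows the HFT/SFF table on this page.

```python
"""Achievable SIL of a safety function chain (sensor -> logic -> actuator).

Added example, not Schneider's code. Two constraints from the text are applied:
the PFH values of the chain elements are added and compared with the per-SIL
bands for high demand / continuous mode, and each element must also satisfy
the HFT/SFF architectural limit of the table above. All numbers below are
constructed sample values."""

# Upper PFH limit per SIL in high demand / continuous mode (per hour):
# SIL1 10^-5..10^-6, SIL2 10^-6..10^-7, SIL3 10^-7..10^-8, SIL4 10^-8..10^-9.
PFH_UPPER_LIMIT = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}

# Maximum SIL permitted by hardware fault tolerance (columns HFT 0, 1, 2) and
# safe failure fraction band (rows: <60 %, 60-90 %, 90-99 %, >=99 %), for
# type A and type B subsystems. None = not allowed at that HFT/SFF.
HFT_SFF_LIMIT = {
    "A": [(1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)],
    "B": [(None, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)],
}


def safe_failure_fraction(lambda_safe, lambda_dangerous):
    """SFF = rate of safe failures / total failure rate (the manual's definition)."""
    return lambda_safe / (lambda_safe + lambda_dangerous)


def sff_band(sff):
    """Row index of the HFT/SFF table for an SFF given as a fraction 0.0 .. 1.0."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def architectural_sil(subsystem_type, hft, sff):
    """Highest SIL the HFT/SFF constraint allows for one element (0 = none)."""
    limit = HFT_SFF_LIMIT[subsystem_type][sff_band(sff)][hft]
    return 0 if limit is None else limit


def sil_from_pfh(pfh_total):
    """Highest SIL whose PFH limit the chain total stays below (0 = none)."""
    for sil in (4, 3, 2, 1):
        if pfh_total < PFH_UPPER_LIMIT[sil]:
            return sil
    return 0


def chain_sil(elements):
    """Return (achievable SIL, total PFH) for a list of chain elements.

    Each element is a dict with pfh, type ("A"/"B"), hft, lambda_safe and
    lambda_dangerous. PFH is summed over the chain; the architectural limit is
    checked per element, so the chain is only as good as its weakest element."""
    total_pfh = sum(e["pfh"] for e in elements)
    sil = sil_from_pfh(total_pfh)
    for e in elements:
        sff = safe_failure_fraction(e["lambda_safe"], e["lambda_dangerous"])
        sil = min(sil, architectural_sil(e["type"], e["hft"], sff))
    return sil, total_pfh


def meets_required_sil(elements, required_sil):
    """True if the chain reaches at least the SIL the risk analysis demands."""
    return chain_sil(elements)[0] >= required_sil


# Constructed sample chain: a two-channel sensor, a safety logic unit and the
# drive's STO path. Figures are illustrative only, not product data.
SAMPLE_CHAIN = [
    {"name": "sensor", "pfh": 2e-8, "type": "A", "hft": 1,
     "lambda_safe": 9.5e-7, "lambda_dangerous": 5e-8},
    {"name": "logic", "pfh": 5e-8, "type": "B", "hft": 1,
     "lambda_safe": 8e-7, "lambda_dangerous": 2e-7},
    {"name": "drive STO", "pfh": 3e-9, "type": "B", "hft": 1,
     "lambda_safe": 9.6e-7, "lambda_dangerous": 4e-8},
]

if __name__ == "__main__":
    sil, pfh = chain_sil(SAMPLE_CHAIN)
    print(f"total PFH = {pfh:.2e} per hour, achievable SIL = {sil}")
    for e in SAMPLE_CHAIN:
        sff = safe_failure_fraction(e["lambda_safe"], e["lambda_dangerous"])
        limit = architectural_sil(e["type"], e["hft"], sff)
        print(f"  {e['name']}: SFF = {sff:.3f}, architectural limit = SIL{limit}")
```

The summed PFH of the sample chain would allow SIL3, but the logic unit (type B, HFT 1, SFF 80 %) caps the chain at SIL2; raising its HFT to 2 lifts the chain to SIL3.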

Chapter 2
Description
What Is in This Chapter?
This chapter contains the following topics:
Topic Page
Safety Function STO (Safe Torque Off) 18
Safety Function SS1 (Safe Stop 1) 20
Safety Function SLS (Safely-Limited Speed) 22

Safety Function STO (Safe Torque Off)

Overview
DANGER
ELECTRIC SHOCK CAUSED BY INCORRECT USE
The safety function STO (Safe Torque Off) does not cause electric isolation. The DC bus voltage is still present.
- Turn off the mains voltage using an appropriate switch to achieve a voltage-free condition.
Failure to follow these instructions will result in death or serious injury.
This function brings the machine safely into a no-torque state and / or prevents it from starting accidentally. The safe torque-off function (safety function STO) can be used to effectively implement the prevention of unexpected start-up functionality, thus making stops safe by removing power only from the motor, while still maintaining power to the main drive control circuits.
The principles and requirements of the prevention of unexpected start-up are described in the standard EN 1037:1995+A1.
The logic input STO is assigned to this safety function and cannot be modified. If a paired terminal line in 2 channels is required to trigger safety function STO, the function can also be enabled by the safety-related logic inputs. The safety function STO is configured with the commissioning software. The safety function STO status can be displayed using the HMI of the drive or using the commissioning software.
Safety Function STO Standard Reference
The safety function STO is defined in section 4.2.2.2 of standard IEC 61800-5-2 (edition 1.0 2007.07):
Power, that can cause rotation (or motion in the case of a linear motor), is not applied to the motor. The PDS(SR) (power drive system suitable for use in safety-related applications) will not provide energy to the motor which can generate torque (or force in the case of a linear motor).
- NOTE 1: This safety function corresponds to an uncontrolled stop in accordance with stop category 0 of IEC 60204-1.
- NOTE 2: This safety function may be used where power removal is required to prevent an unexpected start-up.
- NOTE 3: In circumstances where external influences (for example, falling of suspended loads) are present, additional measures (for example, mechanical brakes) may be necessary to prevent any hazard.
- NOTE 4: Electronic equipment and contactors do not provide adequate protection against electric shock, and additional insulation measures may be necessary.
Safety Function (SF) Level Capability for Safety Function STO
Configuration                               SIL    PL
STO with or without safety module           SIL 2  PL d
STO & LI3 with or without safety module     SIL 3  PL e
LI3 and LI4                                 SIL 2  PL d
LI5 and LI6                                 SIL 2  PL d
SIL: Safety Integrity Level according to IEC 61508
PL: Performance Level according to ISO 13849
Emergency Operations
Standard IEC 60204-1 introduces 2 emergency operations:
- Emergency switching-off: this function requires external switching components, and cannot be accomplished with drive based functions such as safe torque-off (STO).
- Emergency stop: an emergency stop must operate in such a way that, when it is activated, the hazardous movement of the machinery is stopped and the machine is unable to start under any circumstances, even after the emergency stop is released. An emergency stop shall function either as a stop category 0 or as a stop category 1. Stop category 0 means that the power to the motor is turned off immediately. Stop category 0 is equivalent to the safe torque-off (STO) function, as defined by standard EN 61800-5-2. In addition to the requirements for stop (see 9.2.5.3 of IEC 60204-1), the emergency stop function has the following requirements:
  - It shall override all other functions and operations in all modes.
  - The reset shall be possible only by a manual action at that location where the command has been initiated. The reset of the command shall not restart the machinery but only permit restarting.
  - For the machine environment (IEC 60204-1 and machinery directive), when safety function STO is used to manage an emergency stop category 0, the motor must not restart automatically when safety function STO has been triggered and deactivated (with or without a power cycle). This is the reason why an additional safety module is required if the machine restarts automatically after the safety function STO has been deactivated.

Safety Function SS1 (Safe Stop 1)

Overview
The safety function SS1 (Safe Stop 1) monitors the deceleration according to a dedicated deceleration ramp and safely shuts off the torque once standstill has been achieved.
When the safety function SS1 is triggered, it overrides all other functions (except the STO function, which has priority) and operations in all modes.
The unit of the SS1 deceleration ramp is Hz/s. The ramp is set with two parameters:
- [SS1 ramp unit] SSrU (Hz/s): gives the unit of the ramp, 1 Hz/s, 10 Hz/s, or 100 Hz/s
- [SS1RampValue] SSrt (0.1): sets the value of the ramp
Ramp calculation: Ramp = SSrU * SSrt
Example: If SSrU = 10 Hz/s and SSrt = 5.0, the deceleration ramp is 50 Hz/s.
The safety function SS1 is configured with the commissioning software; for more information see Commissioning (see page 75). The safety function SS1 status can be displayed using the HMI of the drive or using the commissioning software.
Behavior on Activation of the SS1 Function
When the SS1 function is triggered, it monitors the deceleration of the motor according to the specified monitoring ramp until standstill is reached, and verifies that the motor speed does not exceed a monitored limit value that depends on the specified monitoring ramp and the parameter [SS1 trip threshold] SStt.
If the monitored limit value is exceeded:
- An error is triggered and the error code [Safety function fault] SAFF is displayed.
- Safety function STO is triggered.
After the [Standstill level] SSSL has been reached, the safety function STO is triggered. The SS1 function continues to be active even if the request has been removed before standstill has been reached.
NOTE: The error detection depends on [Stator Frequency] StFr.
Figure legend: SS1 trip threshold; SS1 deceleration ramp (dV/dT); STO function triggered; Error and STO function triggered.
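The ramp calculation and the SS1 monitoring behavior described above, as an added example in Python (not Schneider Electric code): the parameter names SSrU, SSrt, SStt and SSSL are the manual's, but the exact shape of the monitored limit (here the ramp line from the frequency at triggering, offset upward by SStt) and the sampled interface are assumptions of this example.

```python
"""SS1 (Safe Stop 1) deceleration monitor model.

Added example, not Schneider Electric code. SSrU, SSrt, SStt and SSSL are
the manual's parameter names; the monitored limit used here (the ramp line
from the frequency at triggering, offset upward by SStt) is an assumption,
as the manual only says the limit depends on the ramp and SStt.
"""
from dataclasses import dataclass


@dataclass
class SS1Config:
    ssru: int       # [SS1 ramp unit] SSrU: 1, 10 or 100 Hz/s
    ssrt: float     # [SS1RampValue] SSrt, resolution 0.1
    sstt: float     # [SS1 trip threshold] SStt in Hz (assumed tolerance above ramp)
    sssl: float     # [Standstill level] SSSL in Hz

    def ramp_hz_per_s(self) -> float:
        """Ramp = SSrU * SSrt, e.g. 10 Hz/s * 5.0 = 50 Hz/s as in the manual."""
        if self.ssru not in (1, 10, 100):
            raise ValueError("SSrU must be 1, 10 or 100 Hz/s")
        return self.ssru * self.ssrt


def monitor_ss1(cfg: SS1Config, samples, dt: float):
    """Run the SS1 monitor over [Stator Frequency] StFr samples (Hz), one every dt s.

    samples[0] is StFr when SS1 is triggered. Returns:
      ("STO", t)    standstill level reached, STO triggered normally
      ("SAFF", t)   monitored limit exceeded: [Safety function fault] SAFF + STO
      ("ACTIVE", t) neither happened within the samples (SS1 stays active)
    """
    ramp = cfg.ramp_hz_per_s()
    f0 = abs(samples[0])
    t = 0.0
    for i, f in enumerate(samples):
        t = i * dt
        limit = max(f0 - ramp * t, 0.0) + cfg.sstt   # assumed monitored limit
        if abs(f) > limit:
            return ("SAFF", t)
        if abs(f) <= cfg.sssl:
            return ("STO", t)
    return ("ACTIVE", t)


if __name__ == "__main__":
    cfg = SS1Config(ssru=10, ssrt=5.0, sstt=5.0, sssl=1.0)   # 50 Hz/s ramp
    good = [50 - 5 * i for i in range(11)]   # constructed: 50 Hz -> 0 Hz in 1 s
    stuck = [50] * 5                         # constructed: motor not decelerating
    print(monitor_ss1(cfg, good, 0.1))       # ('STO', 1.0)
    print(monitor_ss1(cfg, stuck, 0.1))      # ('SAFF', 0.2)
```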
Behavior on Deactivation of the SS1 Function
After an SS1 stop, send a new run command (even if the run command is configured as a level command).
SS1 Standard Reference
The SS1 function is defined in section 4.2.2.2 of standard IEC 61800-5-2: The PDS(SR) (power drive system suitable for use in safety-related applications) either:
- Initiates and controls the motor deceleration rate within set limits to stop the motor and initiates the STO function (see 4.2.2.2) when the motor speed is below a specified limit; or
- Initiates and monitors the motor deceleration rate within set limits to stop the motor and initiates the STO function when the motor speed is below a specified limit; or
- Initiates the motor deceleration and initiates the STO function after an application-specific time delay.
NOTE: This safety function corresponds to a controlled stop in accordance with stop category 1 of IEC 60204-1.
Safety Function (SF) Level Capability for Safety Function SS1
Function       Configuration                        SIL     PL
SS1 type C     STO with Preventa module             SIL 2   PL d
SS1 type C     STO and LI3 with Preventa module     SIL 3   PL e
SS1 type B     LI3 and LI4                          SIL 2   PL d
SS1 type B     LI5 and LI6                          SIL 2   PL d
SIL: Safety Integrity Level according to IEC 61508. PL: Performance Level according to ISO 13849.
Emergency Stop Category 1
An emergency stop must operate in such a way that, when it is activated, the hazardous movement of the machinery is stopped and the machine is unable to start under any circumstances, even after the emergency stop is released.
An emergency stop shall function either as a stop category 0 or as a stop category 1. Stop category 1 is a controlled shut-down, whereby the energy supply to the motor is maintained to perform the shut-down, and the energy supply is only interrupted when the shut-down has been completed. Stop category 1 is equivalent to the [Safe Stop 1] SS1 function, as defined by standard EN 61800-5-2. In addition to the requirements for stop (see 9.2.5.3 of IEC 60204-1), the emergency stop function has the following requirements:
- It shall override all other functions and operations in all modes.
- The reset shall be possible only by a manual action at the location where the command has been initiated. The reset of the command shall not restart the machinery but only permit restarting.
For the machine environment (IEC 60204-1 and machinery directive), when safety function SS1 is used to manage an emergency stop category 1, the motor must not restart automatically when safety function SS1 has been triggered and deactivated (with or without a power cycle). This is the reason why an additional safety module is required if the machine restarts automatically after the safety function SS1 has been deactivated.

Safety Function SLS (Safely-Limited Speed)

Overview
This function is used to limit the speed of a motor. There are 6 types of SLS function:
- SLS type 1: Limits the motor speed to the actual motor speed.
- SLS type 2: Limits the motor speed to a value set using a parameter.
- SLS type 3: Same as type 2 with specific behavior if the motor speed is above a threshold value set using a parameter.
- SLS type 4: Limits the motor speed to a value set using a parameter. The direction of rotation can be changed while the safety function is active.
- SLS type 5: Same as type 4 with specific behavior if the motor speed is above a threshold value set using a parameter.
- SLS type 6: Same as type 4 with specific behavior if the motor speed is above a threshold value set using a parameter.
NOTE: SLS types 2 and 3 use the [SLS Wait time] SLwt parameter to allow the motor to run under the [Standstill level] SSSL for a given time after the safety function SLS has been activated.
The safety function SLS is configured with the commissioning software; for more information see Commissioning (see page 75).
The status of the safety function SLS can be displayed using the HMI of the drive or using the commissioning software.
Behavior on Activation of the Safety Function SLS Type 1
Figure legend: Error and STO function triggered; Reference upper limit; STO function triggered.
When the safety function is activated:
- If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
- If the [Stator Frequency] StFr is under the [SLS tolerance threshold] SLtt, the stator frequency is limited to the actual stator frequency. The reference frequency can only vary between this value and the [Standstill level] SSSL.
While the function is activated:
- If the [Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency, the safety function STO is triggered.
- If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 2
Figure legend: SS1 trip threshold; Error and STO function triggered; Reference upper limit; STO function triggered; SS1 deceleration ramp (dV/dT); Time taken for the [Stator Frequency] StFr to become greater than SSSL.
Case A: [Stator Frequency] StFr is above [Set point] SLSP
Case B: [Stator Frequency] StFr is between [Standstill level] SSSL and [Set point] SLSP
Case C: [Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] SLwt ≠ 0
When the function is activated:
- If the [Stator Frequency] StFr is above the [Set point] SLSP, the drive decelerates according to the SS1 deceleration ramp until the [Set point] SLSP is reached (see case A).
- If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but is limited to the [Set point] SLSP (see case B).
- If the [Stator Frequency] StFr is still below the [Standstill level] SSSL frequency after [SLS wait time] SLwt has elapsed, the safety function STO is triggered (see case C).
While the function is activated:
- The reference frequency can only vary between the [Set point] SLSP and the [Standstill level] SSSL.
- If the [Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency, the safety function STO is triggered.
- If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 3
SLS type 3 has the same behavior as SLS type 2, except that if the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function SS1 is triggered instead of decelerating to the [Set point] SLSP (see case A).
Figure legend: SS1 trip threshold; Error and STO function triggered; Reference upper limit; STO function triggered; SS1 deceleration ramp (dV/dT); Time taken for the [Stator Frequency] StFr to become greater than SSSL.
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is between [Standstill level] SSSL and [Set point] SLSP
Case D: [Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] SLwt ≠ 0
When the function is activated:
- If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function SS1 is triggered (see case A).
- If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the drive decelerates according to the SS1 deceleration ramp until the [Set point] SLSP has been reached (see case B).
- If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but is limited to the [Set point] SLSP (see case C).
- If the [Stator Frequency] StFr is still below the [Standstill level] SSSL frequency after [SLS wait time] SLwt has elapsed, the safety function STO is triggered (see case D).
While the function is activated:
- The reference frequency can only vary between the [Set point] SLSP and the [Standstill level] SSSL.
- If the [Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency, the safety function STO is triggered.
- If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 4
Figure legend: Error and STO function triggered; SS1 trip threshold; SS1 deceleration ramp (dV/dT); Reference upper limit.
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is below [Set point] SLSP
NOTE: If SLtt ≤ SLSP for SLS type 4, the SAFF fault is triggered.
When the function is activated:
- If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function STO is triggered with the error code [Safety function fault] SAFF (see case A).
- If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the drive decelerates according to the SS1 deceleration ramp until the [Set point] SLSP has been reached (see case B).
- If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but is limited to the [Set point] SLSP (see case C).
While the function is activated:
- The reference frequency can vary up to the [Set point] SLSP in both forward and reverse directions.
- If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 5
Figure legend: Error and STO function triggered; SS1 trip threshold; SS1 deceleration ramp (dV/dT); Reference upper limit.
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is below [Set point] SLSP
When the function is activated:
- If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the drive decelerates according to the SS1 deceleration ramp until the [Set point] SLSP has been reached (see case A).
- If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the drive decelerates according to the SS1 deceleration ramp until the [Set point] SLSP has been reached (see case B).
- If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but is limited to the [Set point] SLSP (see case C).
While the function is activated:
- The reference frequency can vary up to the [Set point] SLSP in both forward and reverse directions.
- If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 6
Figure legend: Error and STO function triggered; SS1 trip threshold; SS1 deceleration ramp (dV/dT); Reference upper limit; STO function triggered.
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is below [Set point] SLSP
When the function is activated:
- If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the drive decelerates according to the SS1 deceleration ramp until 0 Hz has been reached (see case A).
- If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the drive decelerates according to the SS1 deceleration ramp until the [Set point] SLSP has been reached (see case B).
- If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but is limited to the [Set point] SLSP (see case C).
While the function is activated:
- The reference frequency can vary up to the [Set point] SLSP in both forward and reverse directions.
- If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
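The activation rules for SLS types 1 to 6 and the while-active checks described above, as an added example in Python (not Schneider Electric code): it decides the action at activation from StFr, SLSP and SLtt, then monitors the stator frequency against SLtt, SSSL and SLwt. The parameter names are the manual's; the action names and the sampled interface are this example's own assumptions.

```python
"""SLS (Safely-Limited Speed) monitor model for types 1 to 6.

Added example, not Schneider Electric code. StFr, SLSP, SLtt, SSSL and SLwt
are the manual's parameter names; the action names returned here are chosen
for this example. All frequencies are in Hz and are treated as magnitudes.
"""

# Action at activation when StFr is above [SLS tolerance threshold] SLtt (types 2-6)
_ABOVE_SLTT = {2: "DECEL_TO_SLSP", 3: "SS1", 4: "STO_SAFF",
               5: "DECEL_TO_SLSP", 6: "DECEL_TO_0"}


def sls_on_activation(sls_type, stfr, slsp=None, sltt=None):
    """Action at the instant SLS is activated (the manual's cases A/B/C)."""
    f = abs(stfr)
    if sls_type == 1:
        # Type 1: freeze the reference at the actual speed, or trip above SLtt
        return "STO_SAFF" if f > sltt else "LIMIT_TO_ACTUAL"
    if sls_type == 4 and sltt <= slsp:
        return "STO_SAFF"           # manual's NOTE: SLtt <= SLSP trips type 4
    if f > sltt:
        return _ABOVE_SLTT[sls_type]
    if f > slsp:
        return "DECEL_TO_SLSP"      # decelerate on the SS1 ramp down to SLSP
    return "LIMIT_TO_SLSP"          # keep the reference but clamp it to SLSP


def run_sls(sls_type, samples, dt, slsp=None, sltt=None, sssl=1.0, slwt=0.0):
    """Simulate the SLS monitor over StFr samples (Hz) taken every dt seconds.

    samples[0] is StFr at activation. Returns (action, time) events: the
    activation action, then STO or STO_SAFF if the function ends the motion.
    Types 4-6 allow reversing, so standstill does not trigger STO for them;
    types 2 and 3 grant the SLwt grace time when StFr is already under SSSL.
    """
    action = sls_on_activation(sls_type, samples[0], slsp, sltt)
    events = [(action, 0.0)]
    if action in ("STO_SAFF", "SS1"):
        return events               # drive trips, or SS1 takes over (type 3)
    wait_start = 0.0 if sls_type in (2, 3) and abs(samples[0]) <= sssl else None
    for i in range(1, len(samples)):
        t, f = i * dt, abs(samples[i])
        if f >= sltt:               # reaching SLtt: STO + [Safety function fault] SAFF
            events.append(("STO_SAFF", t))
            break
        if sls_type not in (1, 2, 3):
            continue
        if wait_start is not None:
            if f > sssl:
                wait_start = None   # motor came up in time: normal monitoring
            elif t - wait_start >= slwt:
                events.append(("STO", t))   # still under SSSL after SLwt
                break
        elif f <= sssl:
            events.append(("STO", t))       # decelerated to standstill level
            break
    return events
```

Sample inputs in the test are constructed; for instance `run_sls(2, [22, 20, 15, 10, 5, 2, 0.5], 0.5, slsp=20, sltt=25)` decelerates to SLSP and ends with STO at the standstill level.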
Behavior on Deactivation of the Safety Function SLS for All SLS Types
If... Then...
- If the drive is still running when the function is deactivated: the reference frequency of the active channel is applied.
- If safety function STO has been triggered and the drive is not in fault state: a new run command must be applied.
- If the safety function SLS type 2, 3, or 4 is deactivated while the drive decelerates to the [Set point] SLSP according to the SS1 deceleration ramp: the safety function SLS remains activated until the [Set point] SLSP has been reached.
- If the safety function SLS type 3 is deactivated while the safety function SS1 has been triggered: STO is triggered when the [Standstill level] SSSL is reached, and a new run command must be applied.
- If a stop command is applied: the safety function SLS remains active and the drive decelerates until standstill is reached. For SLS type 1, 2, or 3, the STO function is triggered when the [Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency.
- If an error is detected: the safety function SLS remains active and the drive stops according to the configured error response. For SLS type 1, 2, or 3, the STO function is triggered after the [Standstill level] SSSL frequency has been reached. The drive can be reset after the cause is cleared.
SLS Standards References
The safety function SLS is defined in section 4.2.3.4 of standard IEC 61800-5-2. The SLS function helps to prevent the motor from exceeding the specified speed limit.
Safety Function (SF) Level for Safety Function SLS
Configuration    SIL     PL
LI3 and LI4      SIL 2   PL d
LI5 and LI6      SIL 2   PL d
SIL: Safety Integrity Level according to IEC 61508. PL: Performance Level according to ISO 13849.