Legal framework

Machine manufacturers and plant construction companies must ensurethat their machines or plants cannot cause danger due tomalfunctions in addition to the general risks of electric shock,heat or radiation.

In Europe, for example, compliance with the Machinery Directive2006/42/EC is legally stipulated by the EU framework directive foroccupational safety. In order to ensure compliance with thisdirective, it is recommended that the corresponding harmonizedEuropean standards are applied. This triggers the "assumption ofconformity" and gives manufacturers and operators the legalsecurity in terms of compliance with both national regulations andEU directives. The machine manufacturer uses the CE marking todocument compliance with all relevant directives and regulations inthe free movement of goods.

Safety-related standards

Functional safety is specified in various standards. For example,EN ISO 12100 specifies standards pertaining to machinesafety (risk assessment and risk reduction). IEC 61508specifies basic requirements for electronic and programmablesafety-related systems. EN 62061 (only applicable forelectrical and electronic control systems) andEN ISO 13849-1 define the functional and safety-relatedrequirements of safety-oriented control systems.

The above-mentioned standards define different safety requirementsthat the machine has to satisfy in accordance with the risk,frequency of a dangerous situation, probability of occurrence andthe opportunities for recognizing impending danger.

  • EN ISO 13849-1: Performance Level PLa ... e; Category B, 1 ... 4

  • EN 62061: Safety Integrity Level SIL 1 ... 3

Trend toward integrated safety systems

The trend toward greater complexity and higher modularity ofmachines has seen a shift in safety functions away from theclassical central safety functions (for example, shutdown of thecomplete machine using a main disconnecting means) and into themachine control system and the drives. This is often accompanied bya significant increase in productivity because the setup times areshortened. Depending on the type of machine, it may even bepossible to continue manufacturing other parts while the setup isin progress.

Safety Integrated Functions act much faster than those of aconventional design. The safety of a machine is increased furtherwith Safety Integrated. Furthermore, thanks to the faster method ofoperation, safety measures controlled by integrated safety systemsare perceived as less of a hindrance by the machine operator,therefore significantly reducing the motivation to consciouslybypass safety functions.


Safety functions integrated in SINAMICS drives

SINAMICS drives are characterized by a large number of SafetyIntegrated Functions. In combination with the sensors and safetycontrol required for the safety functionality, they ensure thathighly-effective protection for persons and machines is implementedin a practice-oriented manner.

They comply with the requirements of the following safetycategories:

  • PL d and Category 3 according toEN ISO 13849-1

  • SIL 2 according to IEC 61508 andIEC 61800-5-2


The Safe Brake Test (SBT) diagnostic function meets therequirements for Category 2 according toEN ISO 13849-1.

The PM240‑2 Power Modules, frame sizes FSD to FSG additionallyoffer STO acc. to IEC 61508 SIL 3 andEN ISO 13489‑1 PL e and Category 3.


The Safety Integrated functions are generally certified byindependent institutes. You can obtain the corresponding testcertificates and manufacturer's declarations from your Siemenscontacts.

The Safety Integrated Functions that are currently available aredescribed below. Their functional safety satisfies the requirementsdefined in the international standard IEC 61800-5-2 forvariable-speed drive systems.

The safety functions integrated into the SINAMICS drive system canbe roughly divided into four categories:

    Functions forsafely stopping a drive
    • Safe Torque Off (STO)

    • Safe Stop 1 (SS1)

    • Safe Stop 2 (SS2)

    • Safe Operating Stop (SOS)

    Functions for safebrake management
    • Safe Brake Control (SBC)

    • Safe Brake Test (SBT) (this diagnostic function exceeds thescope of IEC 61800-5-2)

    Functions forsafely monitoring the motion of a drive
    • Safely-Limited Speed (SLS)

    • Safe Speed Monitor (SSM)

    • Safe Direction (SDI)

    • Safely-Limited Acceleration (SLA)

    Functions forsafely monitoring the position of a drive
    • Safely-Limited Position (SLP)

    • Safe Position (SP) (this function exceeds the scope ofIEC 61800-5-2)

    • Safe Cam (SCA)

Safe Torque Off (STO)

The STO function is the most common and basic drive-integratedsafety function. It ensures that no torque-generating energy cancontinue to affect a motor and prevents unintentionalstart-ups.


This function is a mechanism that prevents the drive fromrestarting unexpectedly, in accordance with EN 60204-1,Section 5.4. The STO function suppresses the drive pulses(corresponds to Stop Category 0 according to EN 60204-1). Thedrive is reliably torque-free. This state is monitored internallyin the drive.


STO has the immediate effect that the drive cannot supply anytorque-generating energy. STO can be used wherever the drive willnaturally reach a standstill due to load torque or friction in asufficiently short time or when "coasting down" of the drive willnot have any relevance for safety.

STO makes it possible for persons to work safely when theprotective door is open (restart interlock) and is used onmachines/installations with moving axes, e.g. on handling orconveyor systems.


Some of the advantages of the Safety Integrated Function STO overconventional safety technology with electromechanical switchgearinclude the elimination of separate components as well as of thework that would be required to wire and service them, i.e. nowearing parts as a result of the electronic shutdown. Because ofthe fast electronic switching times, the function provides ashorter reaction time than the conventional solution comprisingelectromechanical components. When STO is triggered, the converterremains connected to the network and can be fully diagnosed.

Safe Stop 1 (SS1)

The SS1 function causes a motor to stop rapidly and safely andswitches the motor to torque-free mode after coming to a standstillby activating STO.


The SS1 function can safely stop the drive in accordance withEN 60204-1, Stop Category 1. When the SS1 function isselected, the drive brakes autonomously along a quick-stop ramp andautomatically activates the Safe Torque Off and Safe Brake Controlfunctions (if configured) when the parameterized safety delay timeexpires.

If the variant "SS1 with external stop (SS1E)" is parameterized,the drive does not brake autonomously when the function isselected. In this case, the higher-level control must bring thedrive to a standstill within a parameterized STO transition time.The SBR (Safe Brake Ramp) and SAM (Safe Acceleration Monitor)functions are not active. SS1E is a useful function for drives thatneed to be stopped as a group by the Motion Control system in orderto prevent potential damage to the machine or product.

The SS1 function is used when, in the event of a safety-relevantincident, the drive must stop as quickly as possible with asubsequent transition into the STO state (e.g. EMERGENCY STOP). Itis thus used to bring large centrifugal masses to a stop as quicklyas possible for the safety of the operating personnel, or to brakemotors at high speeds as quickly as possible. Examples of typicalapplications are saws, grinding machine spindles, centrifuges,winders and storage and retrieval machines.

The targeted stopping of a drive by means of SS1 reduces the riskof danger, increases the productivity of a machine, and allows thesafety clearances in a machine to be reduced. The principle is tobring the drive actively to a standstill, compared with just usingthe STO function. Complex mechanical brakes that are susceptible towear are normally not required to brake the motor.

Safe Stop 2 (SS2)

The SS2 function brings the motor to a standstill quickly andsafely and then activates the SOS function once the motor hasstopped.

The Safe Stop function can safely stop the drivein accordance with EN 60204-1, Stop Category 2. When the SS2function is selected, the drive brakes autonomously along a quickstop ramp. In contrast to SS1, the drive control remainsoperational afterwards, i.e. the motor can supply the full torquerequired to maintain zero speed. Standstill is safely monitored(Safe Operating Stop function).

If the variant "SS2 with external stop (SS2E)" is parameterized,the drive does not brake autonomously when the function isselected. In this case, the higher-level control must bring thedrive to a standstill within a parameterized Safe Operating Stoptransition time. The SBR (Safe Brake Ramp) and SAM (SafeAcceleration Monitor) functions are not active. SS2E is a usefulfunction for drives that need to be stopped as a group by theMotion Control system in order to prevent potential damage to themachine or product.

As with SS1, the SS2 function ensures the quickest possibledeceleration of the motor. However, the motor power is not switchedoff. Instead, a control system prevents it from leaving thestandstill position – even if it is affected by external forces.Typical applications for SS2 include machine tools, forexample.


