Machine manufacturers and plant construction companies must ensure that their machines or plants cannot cause danger due to malfunctions in addition to the general risks of electric shock, heat or radiation.
In Europe, for example, compliance with the Machinery Directive 2006/42/EC is legally stipulated by the EU framework directive for occupational safety. In order to ensure compliance with this directive, it is recommended that the corresponding harmonized European standards are applied. This triggers the "assumption of conformity" and gives manufacturers and operators the legal security in terms of compliance with both national regulations and EU directives. The machine manufacturer uses the CE marking to document compliance with all relevant directives and regulations in the free movement of goods.
Safety-related standards
Functional safety is specified in various standards. For example, ISO 12100 specifies standards pertaining to machine safety (risk assessment and risk reduction). IEC 61508 specifies basic requirements for electronic and programmable safety-related systems. IEC 62061 (only applicable for electrical and electronic control systems) and ISO 13849-1 define the functional and safety-related requirements of safety-oriented control systems.
The above-mentioned standards define different safety requirements that the machine has to satisfy in accordance with the risk potential, frequency of a dangerous situation, probability of occurrence and the opportunities for recognizing impending danger.
ISO 13849-1: Performance Level PL a ... e; Category B, 1 ... 4
IEC 62061: Safety Integrity Level SIL 1 ... 3
The trend toward greater complexity and higher modularity of machines has seen a shift in safety functions away from the classical central safety functions (for example, shutdown of the complete machine using a main disconnecting means) and into the machine control system and the drives. This is often accompanied by a significant increase in productivity because the setup times are shortened. Depending on the type of machine, it may even be possible to continue manufacturing other parts while the setup is in progress.
Integrated safety functions act much faster than those of a conventional design. The safety of a machine is increased further with Safety Integrated. Furthermore, thanks to the faster method of operation, safety measures controlled by integrated safety systems are perceived as less of a hindrance by the machine operator, therefore significantly reducing the motivation to consciously bypass safety functions.
Functions
Safety functions integral to the SINAMICS drives
SINAMICS drives are characterized by a large number of Safety Integrated Functions. In combination with the sensors and safety control required for the safety functionality, they ensure that highly effective protection for persons and machines is implemented in a practice-oriented manner.
They comply with the requirements of the following safety categories:
PL e and category 3 or 4 according to ISO 13849‑1
SIL 3 according to IEC 61508 and IEC 61800-5-2
Note:
The Safe Brake Test (SBT) diagnostic function meets the requirements for Category 2 according to ISO 13849-1.
The Safety Integrated Functions are generally certified by independent institutes. You can obtain the corresponding test certificates and manufacturer's declarations from your Siemens contacts.
The Safety Integrated Functions that are currently available are described below. Their functional safety satisfies the requirements defined in the international standard IEC 61800-5-2 for variable-speed drive systems.
The safety functions integrated into the SINAMICS drive system can be roughly divided into three categories:
- Functions for safely stopping a drive
Safe Torque Off (STO)
Safe Stop 1 (SS1)
Safe Stop 2 (SS2)
Safe Operating Stop (SOS)
Safe Brake Control (SBC)
Safe Brake Test (SBT) (this diagnostic function exceeds the scope of IEC 61800-5-2)
Safely-Limited Speed (SLS)
Safe Speed Monitor (SSM)
Safe Direction (SDI)
Safely-Limited Acceleration (SLA)
Safe Motor Temperature (SMT)
Safe Torque Off (STO)
The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to affect a motor and prevents unintentional start-ups.
Effect
This function is a mechanism that prevents the drive from restarting unexpectedly, in accordance with IEC 60204-1, Section 5.4. The STO function suppresses the drive pulses (corresponds to Stop Category 0 according to IEC 60204-1). The drive is reliably torque-free. This state is monitored internally in the drive.
Application
STO has the immediate effect that the drive cannot supply any torque-generating energy. STO can be used wherever the drive will naturally reach a standstill due to load torque or friction in a sufficiently short time or when "coasting down" of the drive will not have any relevance for safety.
STO makes it possible for persons to work safely when the protective door is open (restart interlock) and is used on machines/installations with moving axes, e.g. on handling or conveyor systems.
Customer benefits
Some of the advantages of the integrated STO safety function over conventional safety technology with electromechanical switchgear include the elimination of separate components as well as of the work that would be required to wire and service them, i.e. no wearing parts as a result of the electronic shutdown. Because of the fast electronic switching times, the function provides a shorter reaction time than the conventional solution comprising electromechanical components. When STO is triggered, the converter remains connected to the network and can be fully diagnosed.
Safe Stop 1 (SS1) and Safe Stop 1 with external stop (SS1E)
The SS1 function causes a motor to stop rapidly and safely and switches the motor to torque-free mode after coming to a standstill by activating STO.
Effect
The SS1 function can safely stop the drive in accordance with IEC 60204-1, Stop Category 1. When the SS1 function is selected, the drive brakes autonomously along a quick-stop ramp and automatically activates the Safe Torque Off and Safe Brake Control functions (if configured) when the parameterized safety delay time expires.
If "SS1 with external stop (SS1E)" is used, the drive does not brake autonomously when the function is selected. In this case, the higher-level control must bring the drive to a standstill within a parameterized STO transition time. SS1E is a useful function for drives that need to be stopped as a group by the Motion Control system in order to prevent potential damage to the machine or product.
Application
The SS1 function is used when, in the event of a safety-relevant incident, the drive must stop as quickly as possible with a subsequent transition into the STO state (e.g. EMERGENCY STOP). It is thus used to bring large centrifugal masses to a stop as quickly as possible for the safety of the operating personnel, or to brake motors at high speeds as quickly as possible. Examples of typical applications are saws, grinding machine spindles, centrifuges, winders and storage and retrieval machines.
Customer benefits
The targeted stopping of a drive by means of SS1 reduces the risk of danger, increases the productivity of a machine, and allows the safety clearances in a machine to be reduced. The principle is to bring the drive actively to a standstill, compared with just using the STO function. Complex mechanical brakes that are susceptible to wear are normally not required to brake the motor.
Safe Stop 2 (SS2) and Safe Stop 2 with external stop (SS2E)
The SS2 function brings the motor to a standstill quickly and safely and then activates the SOS function once the motor has stopped.
Effect
The Safe Stop 2 function can safely stop the drive in accordance with IEC 60204-1, Stop Category 2. When the SS2 function is selected, the drive brakes autonomously along a quick stop ramp. In contrast to SS1, the drive control remains operational afterwards, i.e. the motor can supply the full torque required to maintain zero speed. Standstill is safely monitored (Safe Operating Stop function).
If SS2 with external stop (SS2E) is used, the drive does not brake autonomously when the function is selected. In this case, the higher-level control must bring the drive to a standstill within a parameterized SOS (Safe Operating Stop) transition time. SS2E is a useful function for drives that need to be stopped as a group by the Motion Control system in order to prevent potential damage to the machine or product.
Application
As with SS1, the SS2 function ensures the quickest possible deceleration of the motor. However, the motor power is not switched off. Instead, a control system prevents it from leaving the standstill position – even if it is affected by external forces. Typical applications for SS2 include machine tools, for example.
Customer benefits
The SS2 function ensures a rapid axis stop. Because the control remains active, after the safety function is deselected, productive operation can continue without referencing. This ensures short setup and standstill times and high productivity.
Safe Operating Stop (SOS)
With the SOS function, the stopped motor is held in position by the drive control system and its position is monitored.
Effect
The SOS function constitutes safe standstill monitoring. The drive control remains in operation. The motor can therefore deliver the full torque to hold the current position. The actual position is reliably monitored. In contrast to safety functions SS1 and SS2, the speed setpoint is not influenced autonomously. After SOS has been activated, the higher-level control must bring the drive to a standstill within a parameterized time and then hold the position setpoint.
Application
SOS is an ideal solution for all those applications for which the machine or parts of the machine must be at a safe standstill for certain steps, but the drive must also supply a holding torque. It is ensured that despite counter torque the drive remains in its current position. In contrast to SS1 and SS2, the drive does not brake autonomously in this case. It expects the higher-level controller to ramp down the relevant axes as a coordinated group within an adjustable delay time. This can be used to prevent any damage to the machine or product. Typical applications for SOS include winders, converting and packaging machines and machine tools.
Customer benefits
No mechanical components are necessary to keep the axis in position despite any counterforce that may occur. Due to the short switching times and the fact that the drive control always remains active, setup and downtimes are reduced. Recalibration of the axis after exiting the SOS function is not necessary. The axis can immediately be moved again after deactivation of the SOS function.
Safe Brake Control (SBC)
The SBC function permits the safe control of a holding brake. SBC is always activated in parallel with STO.
Effect
A holding brake which is active in a de-energized state is controlled and monitored using safe two-channel technology. Due to the two-channel control, the brake may still be activated in the event of an insulation fault in the control cable. Errors of this kind are detected early by means of test pulses.
Note:
Safe Brake Control does not detect mechanical faults in the brake itself, such as worn brake linings. For Motor Modules in booksize format, the terminals for the motor brake are integrated. An additional Safe Brake Relay is required for Power Modules in blocksize format. An additional Safe Brake Adapter is necessary for Power Modules in chassis format.
Application
The SBC function is used in conjunction with the functions STO or SS1 to prevent the movement of an axis in the torque-free state, e.g. because of gravity.
Customer benefits
Again, the function saves the use of external hardware and the associated wiring.
Safe Brake Test (SBT)
The SBT diagnostic function carries out a brake function test at regular intervals or before personnel enter the danger zone.
Effect
A good way to check the proper functioning of brakes that have become worn is to apply a torque to the closed brake. Drive systems that have two brakes, e.g. motor brake and external brake, can be tested with different torque values.
Application
The SBT diagnostic function is suitable for implementing a safe brake in combination with the SBC function.
Customer benefits
The function detects faults or wear in the brake mechanics. Automatically testing the effectiveness of brakes reduces maintenance costs and increases the safety and availability of the machine or plant.
Safely-Limited Speed (SLS)
The SLS function monitors the drive to ensure that it does not exceed a preset speed or velocity limit.
Effect
The SLS function monitors the drive against a parameterized speed limit. Four different limit values can be selected. As in the case of SOS, the speed setpoint is not influenced independently. After SLS has been selected, the higher-level control must bring the drive down below the selected speed limit within a parameterizable time. If the speed limit is exceeded, a customizable drive-integrated fault reaction occurs.
The SLS limit stage 1 can be multiplied by a factor that is transferred in 16-bit resolution via PROFIsafe. This allows an almost unlimited number of limits to be specified.
Application
The SLS function is used if people are in the danger zone of a machine and their safety can only be guaranteed by reduced speed. Typical application cases include those in which an operator must enter the danger zone of the machine for the purposes of maintenance or setting up, such as a winder in which the material is manually threaded by the operator. To prevent injury to the operator, the roller may only spin at a safely reduced speed. SLS is often also used as part of a two-stage safety concept. While a person is in a less critical zone, the SLS function is activated, and the drives are only stopped safely in a smaller area with higher potential risk. SLS can be used not only for operator protection, but also for machinery protection, e.g. if a maximum speed must not be exceeded.
Customer benefits
The SLS function can contribute to a significant reduction in downtime, or greatly simplify or even accelerate setup. The overall effect achieved is a higher availability of the machine. Moreover, external components such as speed monitors can be omitted.
Safe Speed Monitor (SSM)
The SSM function warns when a drive is working below an adjustable speed limit. As long as it remains below the threshold, the function issues a safety-related signal.
Effect
If a speed value drops below a parameterized limit, a safety-related signal is generated. This can, for example, be processed in a safety control unit to respond to the event by programming, depending on the situation.
Application
With the SSM function, in the simplest case, a safety door can be unlocked if the speed drops below a non-critical level. Another typical example is that of a centrifuge that may be filled only when it is operating below a configured speed limit.
Customer benefits
Unlike SLS, there is no drive-integrated fault reaction when the speed limit is exceeded. The safe feedback can be evaluated in a safety control unit, allowing the user to respond appropriately to the situation.
Safe Direction (SDI)
The SDI function ensures that the drive can only move in the selected direction.
Effect
Deviation from the direction of motion currently being monitored is detected reliably and the configured drive-integrated fault reaction is initiated. It is possible to select which direction of rotation is to be monitored.
Application
The SDI function is used when the drive may only move in one direction. A typical application is to permit the operator access to a danger zone, as long as the machine is rotating in the safe direction, i.e. away from the operator. In this state, the operator can feed material into the work zone or remove material from the work zone without danger.
Customer benefits
The function saves the use of external components such as speed monitors and the associated wiring. The release of a danger zone while the machine is moving away from the operator increases productivity. Without the SDI function, the machine must be safely stopped during material loading and removal.
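The three monitoring functions described above behave differently on a limit violation: SLS grants the higher-level control a transition time and then triggers the drive-integrated fault reaction, SSM only issues a safe feedback signal and never stops the drive itself, and SDI reacts to any motion against the monitored direction. The following Python model shows those three behaviours over a speed trace. It is an added example, not Siemens code and not the SINAMICS implementation; the limit values, transition time, sample times and speed traces are constructed assumptions, and a real drive evaluates safe actual values from a two-channel encoder path rather than a plain list.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Parameters are assumptions for this model, not SINAMICS parameter values.
@dataclass
class MonitorConfig:
    sls_limits: tuple = (2000.0, 1000.0, 500.0, 100.0)  # SLS stages 1..4 in rpm
    sls_transition_time: float = 1.0  # seconds the higher-level control has to get below the limit
    ssm_limit: float = 50.0           # rpm; SSM feedback is True while |speed| is below this
    sdi_positive: bool = True         # monitored direction: True = only positive rotation allowed

@dataclass
class Sample:
    t: float       # seconds
    speed: float   # safe actual speed in rpm; the sign gives the direction

@dataclass
class MonitorResult:
    fault: Optional[str] = None          # drive-integrated fault reaction, if one was triggered
    fault_time: Optional[float] = None
    ssm_signal: List[bool] = field(default_factory=list)  # SSM feedback per sample

def run_monitor(samples: List[Sample], cfg: MonitorConfig,
                sls_stage: Optional[int] = None, sls_selected_at: float = 0.0,
                sdi_enabled: bool = False) -> MonitorResult:
    """Evaluate SLS, SSM and SDI over a speed trace.

    SLS: once the transition time after selection has elapsed, |speed| above the
         selected stage's limit triggers the fault reaction.
    SSM: pure feedback signal, no fault reaction.
    SDI: any motion against the monitored direction triggers the fault reaction.
    """
    res = MonitorResult()
    for s in samples:
        # SSM is a signal, not a stop reaction: keep reporting it for every sample.
        res.ssm_signal.append(abs(s.speed) < cfg.ssm_limit)
        if res.fault is not None:
            continue  # fault reaction already initiated; the drive is stopping
        if sls_stage is not None and s.t >= sls_selected_at + cfg.sls_transition_time:
            limit = cfg.sls_limits[sls_stage - 1]
            if abs(s.speed) > limit:
                res.fault = f"SLS stage {sls_stage}: {s.speed} rpm exceeds limit {limit} rpm"
                res.fault_time = s.t
                continue
        if sdi_enabled and s.speed != 0.0 and (s.speed > 0.0) != cfg.sdi_positive:
            res.fault = f"SDI: motion against monitored direction at {s.speed} rpm"
            res.fault_time = s.t
    return res

# Constructed traces (not measured data).
# SLS stage 2 (1000 rpm) is selected at t=0; the control ramps down in time, but a
# later disturbance pushes the speed back above the limit at t=1.5 s.
SLS_TRACE = [Sample(0.0, 1500.0), Sample(0.5, 1100.0), Sample(1.0, 900.0),
             Sample(1.5, 1100.0), Sample(2.0, 30.0)]
# Axis runs away from the operator (positive), then reverses briefly at t=1.0 s.
SDI_TRACE = [Sample(0.0, 120.0), Sample(0.5, 80.0), Sample(1.0, -20.0), Sample(1.5, 0.0)]

def demo_sls() -> MonitorResult:
    return run_monitor(SLS_TRACE, MonitorConfig(), sls_stage=2)

def demo_sdi() -> MonitorResult:
    return run_monitor(SDI_TRACE, MonitorConfig(), sdi_enabled=True)

if __name__ == "__main__":
    for name, r in (("SLS", demo_sls()), ("SDI", demo_sdi())):
        print(name, "fault:", r.fault, "at", r.fault_time, "SSM feedback:", r.ssm_signal)
```

In the SLS trace the speed is still above the 1000 rpm limit at t=0.5 s, but that is inside the assumed 1 s transition time, so no reaction occurs; the violation at t=1.5 s is what triggers the fault. The SSM feedback is reported for every sample regardless, which is the point of the text's remark that SSM has no drive-integrated fault reaction.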
Safely-Limited Acceleration (SLA)
The SLA function monitors that the drive does not exceed a preset acceleration limit value.
Effect
The SLA function monitors that the motor does not violate the defined acceleration limit (e.g. in setup mode). SLA detects early on whether the speed is increasing at an inadmissible rate (the drive accelerates uncontrollably) and initiates the stop response.
Application
The SLA function is used, e.g., for SIMATIC Safe Kinematics. SLA can only be used in safety systems with an encoder.
Customer benefits
The function provides monitoring of the maximum permissible acceleration in setup mode and safe monitoring of the tool center point with different kinematics.
Safe Motor Temperature (SMT)
Safe Motor Temperature (SMT) prevents the motor temperature from exceeding a specified limit.
Effect
SMT works in conjunction with the signal from a PTC thermistor of type A in accordance with IEC 60947‑8 and DIN VDE 0898‑1‑401. When the limit temperature specific to the PTC thermistor is exceeded, the thermistor's electrical resistance increases suddenly. This is securely recorded by the SMT function and STO (Safe Torque Off) is triggered as the subsequent response. This ensures that the motor does not receive any more energy from the converter, and the motor temperature cannot increase further.
Application
SMT is used to protect against overtemperature of a motor in explosive environments (ATEX), e.g. in the chemical industry, in paper mills, or in paint shops.
Customer benefits
This function obviates the need for external components such as thermistor motor protection relays and the associated wiring investment and space demands in the control cabinet. Motor protection is strictly required in ATEX applications. The SMT function makes it easy to integrate such requirements so they are implemented in the drive.
Basic Functions and Extended Functions
With SINAMICS S drives the safety functions are implemented with encoders - individual safety functions can also be operated without encoders.
The Safety Integrated Functions are grouped into Basic Functions and Extended Functions.
The Basic Functions are included in the standard scope of supply.
The Extended Functions must be activated by a license.
The electronic license certificate is the paperless type of delivery for runtime options with SINAMICS. It contains information about the type of usage rights obtained with the software.
Basic Functions
Safe Torque Off (STO)
Safe Brake Control (SBC)
Safe Stop 1 (SS1)
Safe Stop 1 with external stop (SS1E)
Safe Motor Temperature (SMT)
Extended Functions
Safe Stop 1 with external stop (SS1E) with SBR or SAM
Safe Stop 1 (SS1) with SBR or SAM
Safe Stop 2 with external stop (SS2E)
Safe Stop 2 (SS2)
Safe Operating Stop (SOS)
Safely-Limited Speed (SLS)
Safe Speed Monitor (SSM)
Safe Direction (SDI)
Safely-Limited Acceleration (SLA)
Safe Brake Test (SBT) diagnostic function
For the Extended Functions SS1 and SS2 with SAM, Safe Acceleration Monitor (SAM) is performed during braking to identify any faults already during the braking phase.
With SS1 and SS2, a Safe Brake Ramp (SBR) can be configured as an alternative.
The Basic Functions – activated via on-board terminals on the device or via PROFIsafe – do not require an encoder.
Activation of the integrated safety functions
The safety functions for SINAMICS drives can be activated via terminals, e.g. for use of a conventional safety circuit.
For standalone safety solutions for small to medium-sized applications, it is frequently sufficient that the various sensing components are directly hardwired to the drive.
For integrated safety solutions, the safety-relevant sequences are generally processed and coordinated in the fail-safe SIMATIC controller. Here, the system components communicate via the PROFINET or PROFIBUS fieldbus. The safety functions are controlled via the safe PROFIsafe communication protocol.
SINAMICS drives can be easily integrated into the plant or system topology.
PROFIsafe
SINAMICS drives support the PROFIsafe profile based on PROFINET as well as on PROFIBUS.
PROFIsafe is an open communications standard that supports standard and safety-related communication over the same communication path (wired or wireless). A second, separate bus system is therefore not necessary. The telegrams that are sent are continually monitored to ensure safety-relevant communication.
Possible errors such as telegrams that have been lost, repeated or received in the incorrect sequence are avoided. This is done by consecutively numbering the telegrams in a safety-relevant fashion, monitoring their reception within a defined time and transferring an ID for transmitter and receiver of a telegram. A CRC (cyclic redundancy check) data security mechanism is also used.
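The four safeguards just listed (consecutive numbering, reception within a defined time, transmitter/receiver ID and a CRC) can be shown as a receiver-side check that passivates, i.e. drops to the safe state, on the first detected error. The following Python model is an added example, not Siemens or PROFIBUS International code: the frame layout, the zlib CRC-32 used as a stand-in for the profile's own CRC, the ID values, the watchdog time and the arrival times are all constructed assumptions, and the model covers only the error classes the text names.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import List, Tuple

# Assumed frame layout for this model only (not the PROFIsafe wire format):
# consecutive number (16 bit), transmitter ID, receiver ID, one command byte, CRC-32.
HEADER = "!HHHB"
HEADER_LEN = struct.calcsize(HEADER)

def build_telegram(counter: int, src: int, dst: int, cmd: int) -> bytes:
    body = struct.pack(HEADER, counter & 0xFFFF, src, dst, cmd)
    # zlib.crc32 stands in for the profile's CRC; the real polynomial is not modelled here.
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)

@dataclass
class SafeReceiver:
    my_id: int
    peer_id: int
    watchdog: float        # s; the next telegram must arrive within this time
    expected: int = 0      # next consecutive number we accept
    last_time: float = 0.0
    passivated: bool = False
    reason: str = ""

    def _passivate(self, why: str) -> bool:
        # On any detected error the receiver stops using the data and goes to the
        # safe state (STO for a drive); it stays there until acknowledged.
        self.passivated = True
        self.reason = why
        return False

    def accept(self, frame: bytes, now: float) -> bool:
        """Return True if the telegram passes every check, else passivate and return False."""
        if self.passivated:
            return False
        if now - self.last_time > self.watchdog:
            return self._passivate("watchdog: no valid telegram within the defined time")
        if len(frame) != HEADER_LEN + 4:
            return self._passivate("length error")
        body, crc = frame[:HEADER_LEN], struct.unpack("!I", frame[HEADER_LEN:])[0]
        if (zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return self._passivate("CRC mismatch: corrupted telegram")
        counter, src, dst, _cmd = struct.unpack(HEADER, body)
        if src != self.peer_id or dst != self.my_id:
            return self._passivate("wrong transmitter/receiver ID: misrouted telegram")
        if counter == (self.expected - 1) & 0xFFFF:
            return self._passivate("repeated telegram")
        if counter != self.expected:
            return self._passivate("lost or out-of-sequence telegram")
        self.expected = (counter + 1) & 0xFFFF
        self.last_time = now
        return True

def run_sequence(events: List[Tuple[float, bytes]], watchdog: float = 0.1) -> Tuple[int, str]:
    """Feed (arrival time, frame) pairs to a fresh receiver; return (accepted count, reason)."""
    rx = SafeReceiver(my_id=2, peer_id=1, watchdog=watchdog)
    accepted = sum(1 for now, frame in events if rx.accept(frame, now))
    return accepted, rx.reason

# Constructed scenarios: controller ID 1 sends to drive ID 2 with command byte 0x01.
def good_sequence():
    return run_sequence([(0.05, build_telegram(0, 1, 2, 1)), (0.10, build_telegram(1, 1, 2, 1)),
                         (0.15, build_telegram(2, 1, 2, 1))])

def lost_telegram():
    return run_sequence([(0.05, build_telegram(0, 1, 2, 1)), (0.10, build_telegram(2, 1, 2, 1))])

def repeated_telegram():
    return run_sequence([(0.05, build_telegram(0, 1, 2, 1)), (0.10, build_telegram(0, 1, 2, 1))])

def corrupted_telegram():
    frame = bytearray(build_telegram(0, 1, 2, 1))
    frame[HEADER_LEN - 1] ^= 0x01  # flip one bit in the command byte
    return run_sequence([(0.05, bytes(frame))])

def misrouted_telegram():
    return run_sequence([(0.05, build_telegram(0, 3, 2, 1))])  # from the wrong transmitter

def late_telegram():
    return run_sequence([(0.05, build_telegram(0, 1, 2, 1)), (0.50, build_telegram(1, 1, 2, 1))])

if __name__ == "__main__":
    for fn in (good_sequence, lost_telegram, repeated_telegram, corrupted_telegram,
               misrouted_telegram, late_telegram):
        accepted, reason = fn()
        print(f"{fn.__name__:20s} accepted={accepted} reason={reason!r}")
```

The order of the checks matters: the watchdog and CRC are evaluated before the counter and IDs are even read, so a corrupted frame never influences the sequence state. Note that a CRC only detects accidental corruption of the kind the text describes; it is not a cryptographic integrity mechanism.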
The operating principle of Safety Integrated
Two independent switch-off signal paths
Two independent switch-off signal paths are available. All switch-off signal paths are low active. This ensures that the system is always switched to a safe state if a component fails or in the event of cable breakage. If a fault is discovered in the switch-off signal paths, the STO or SS1 function (depending on parameter settings) is activated and a system restart inhibited.
Two-channel monitoring structure
All the main hardware and software functions for Safety Integrated are implemented in two independent monitoring channels (e.g. switch-off signal paths, data management, data comparison). A cyclic crosswise comparison of the safety-relevant data in the two monitoring channels is carried out.
The monitoring functions in each monitoring channel work on the principle that a defined state must prevail before each action is carried out and a specific acknowledgement must be made after each action. If these expectations of a monitoring channel are not fulfilled, the drive coasts to a standstill (two channels) and an appropriate message is output.
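The two passages above, the low-active switch-off paths and the cyclic crosswise comparison between the two monitoring channels, fit into one small model: each channel evaluates its own path, a single path at 0 already switches the drive off, and a disagreement between the channels that lasts longer than a tolerance is reported as a fault with a restart inhibit. This is an added Python example, not Siemens code; the cycle-based discrepancy tolerance, the acknowledgement rule and the input sequences are assumptions, and a real Control Unit runs the two channels on independent hardware rather than in one process.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Model only: a real Control Unit evaluates these paths in two independent processing
# channels; here both channels are simulated in one process.
LOW_ACTIVE_RUN = 1   # signal present: pulses enabled
LOW_ACTIVE_STOP = 0  # signal absent: switch-off demanded (also what a broken wire reads)

@dataclass
class MonitoringChannel:
    name: str
    def evaluate(self, signal: int) -> str:
        # Each channel decides on its own path; 0 always means "switch off".
        return "RUN" if signal == LOW_ACTIVE_RUN else "STO_DEMAND"

@dataclass
class TwoChannelSafety:
    discrepancy_cycles: int = 2   # assumed tolerance: cycles the two paths may disagree
    ch_a: MonitoringChannel = field(default_factory=lambda: MonitoringChannel("A"))
    ch_b: MonitoringChannel = field(default_factory=lambda: MonitoringChannel("B"))
    mismatch_cycles: int = 0
    fault: bool = False
    restart_inhibit: bool = False
    messages: List[str] = field(default_factory=list)

    def cycle(self, path_a: int, path_b: int) -> str:
        """One monitoring cycle: evaluate both paths, cross-compare, return the drive state."""
        d_a, d_b = self.ch_a.evaluate(path_a), self.ch_b.evaluate(path_b)
        # Crosswise comparison of the two channels' results.
        self.mismatch_cycles = self.mismatch_cycles + 1 if d_a != d_b else 0
        if self.mismatch_cycles > self.discrepancy_cycles and not self.fault:
            self.fault = True
            self.restart_inhibit = True
            self.messages.append(
                f"discrepancy: channel A={d_a}, channel B={d_b}; drive coasts to standstill")
        if self.fault:
            return "STO"   # stays switched off until the fault is acknowledged
        if "STO_DEMAND" in (d_a, d_b):
            return "STO"   # one path alone is enough to switch off (low active, fail-safe)
        return "RUN"

    def acknowledge(self) -> bool:
        """Restart is only released once the two channels agree again."""
        if self.mismatch_cycles == 0:
            self.fault = False
            self.restart_inhibit = False
            return True
        return False

def run_cycles(inputs: List[Tuple[int, int]], tolerance: int = 2) -> Tuple[List[str], bool]:
    """Run a sequence of (path A, path B) readings; return the states and the fault flag."""
    core = TwoChannelSafety(discrepancy_cycles=tolerance)
    states = [core.cycle(a, b) for a, b in inputs]
    return states, core.fault

# Constructed input sequences (path A, path B) per cycle.
NORMAL_STO = [(1, 1), (1, 1), (0, 0), (0, 0), (1, 1)]             # STO selected and deselected
CONTACT_BOUNCE = [(1, 1), (0, 1), (0, 0), (0, 0), (1, 1)]         # paths switch one cycle apart
CABLE_BREAK_B = [(1, 1), (1, 0), (1, 0), (1, 0), (1, 0), (1, 1)]  # path B stuck at 0

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL_STO), ("bounce", CONTACT_BOUNCE), ("break", CABLE_BREAK_B)):
        print(name, run_cycles(seq))
```

The contact-bounce sequence shows why a discrepancy tolerance exists: two mechanical contacts of one EMERGENCY STOP device rarely open in the same cycle, and the drive is already switched off by the first path while the second catches up. The cable-break sequence shows the other side: the mismatch persists, the fault is latched, and even restoring both paths to 1 does not release the drive until the fault is acknowledged.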
Internal self-test
To meet the requirements of ISO 13849-1 and IEC 61508 in terms of timely error detection, the SINAMICS performs an internal self-test.
The internal self-test checks the shutdown paths for Safe Torque Off, safety functions and failsafe digital inputs and outputs cyclically.
The self-test does not require user interaction and does not influence the operation of the SINAMICS.
Safe speed/position sensing with encoder
Safe actual value sensing with encoder
Incremental encoders or absolute encoders can be used for safe sensing of the position values on a drive.
Safe actual value sensing relies on redundant evaluation of the incremental tracks A/B that supply sin/cos signals of 1 Vpp. Only encoders of the type whose A/B track signals are created and processed using purely analog techniques can be used.
As an alternative, motors with an integrated DRIVE-CLiQ interface can be used. The speed or position actual values are generated directly in the motor as safe values and are transferred to the Control Unit over safe communication via DRIVE-CLiQ.
Certified built-on rotary encoders with DRIVE-CLiQ interface may also be used (see https://support.industry.siemens.com/cs/document/65402168).
The encoder must be mechanically attached in such a manner that the encoder shaft is unable to unplug or slide off. For notes on this, see IEC 61800-5-2: 2016, Table D.16.
A list of Siemens motors that fulfill the electrical and mechanical requirements is available at:
https://support.industry.siemens.com/cs/document/33512621
Safe encoder system
Example: Safe encoder system
The motor encoder is used exclusively for safe actual value sensing.
The safety functions are listed below with criteria for actual value sensing: