Probability Of Failure Of The Safety Function (Pfh Value); Response Time; Residual Risk; Safety Integrated Basic Functions - Siemens SINUMERIK 808D Function Manual

22.3.3 Probability of failure of the safety function (PFH value)

Probability of failure
The probability of the failure of safety functions must be specified in the form of a PFH value (Probability of Failure per Hour)
in accordance with IEC 61508, IEC 62061, and ISO 13849-1:2006. The PFH value of a safety function depends on the
safety concept of the drive unit and its hardware configuration, as well as on the PFH values of other components used for
this safety function.
Corresponding PFH values are provided for the SINAMICS V70 drive system, depending on the hardware configuration
(number of drives, control type, number of encoders used). The various integrated safety functions are not differentiated.
The PFH values can be requested from your local sales office.

22.3.4 Response time

Response time means the time from the control via terminals until the response actually occurs. The worst-case response time for
the STO function is 5 ms.

22.3.5 Residual risk

The fault analysis enables the machine manufacturer to determine the residual risk at this machine with regard to the drive
unit. The following residual risks are known:
WARNING
Due to the intrinsic potential of hardware faults, electrical systems are subject to additional residual risk, which can be
expressed by means of the PFH value.
WARNING
Simultaneous failure of two power transistors (one in the upper and the other offset in the lower inverter bridge) in the
inverter may cause brief movement of the drive, depending on the number of poles of the motor.
Maximum value of this movement:
Synchronous rotary motors: Max. movement = 180° / no. of pole pairs

22.4 Safety Integrated basic functions

22.4.1 Safe Torque Off (STO)

In conjunction with a machine function or in the event of a fault, the "Safe Torque Off" (STO) function is used to safely
disconnect the torque-generating energy feed to the motor.
When the function is selected, the drive unit is in a "safe status". The "switching on inhibited" function prevents the drive unit
from being restarted.
The two-channel pulse suppression function integrated in the Motor Modules/Power Modules is a basis for this function.
Functional features of "Safe Torque Off"
● This function is integrated in the drive; this means that a higher-level controller is not required.
● The function is drive-specific, i.e. it is available for each drive and must be individually commissioned.
● When the "Safe Torque Off" function is selected, the following applies:
  – The motor cannot be started accidentally.
  – The pulse suppression safely disconnects the torque-generating energy feed to the motor.
  – The power unit and motor are not electrically isolated.
● By selecting/deselecting STO, in addition to the fault messages, the safety messages are also automatically withdrawn.
The STO function can be used wherever the drive naturally reaches a standstill due to load torque or friction in a sufficiently
short time or when "coasting down" of the drive will not have any relevance for safety.
Function Manual
01/2017