Safety-Integrated / Drive-Integrated Safety Functions; Safety Integrated Basic Functions Safe Torque Off (Sto) Und Safe Stop 1 (Ss1) - Siemens SINAMICS G130 Engineering Manual

General Engineering Information for SINAMICS
Engineering Information

3.2 Safety-integrated / Drive-integrated safety functions

3.2.1

Safety Integrated Basic Functions Safe Torque Off (STO) und Safe Stop 1 (SS1)

General
The Safe Torque Off function (abbreviated to STO) is a mechanism to prevent unintentional start of the drive. STO
enables the implementation of stop category 0 ("Uncontrolled stop") with regard to the disconnection of power to the
drive components of the machine.
Advantage: Motor-side contactors as additional switch-off paths are no longer required when STO is available.
The Safe Stop 1 function (abbreviated to SS1) is based on the Safe Torque Off function. It enables the drive to be
stopped in accordance with stop category 1. When Safe Stop 1 is activated, the drive decelerates along the fast-stop
ramp (OFF3 ramp) and then switches to the Safe Torque Off state when the programmed delay expires.
These two safety functions are part of the SINAMICS Safety Integrated philosophy. As basic safety functions, they
are standard features of the drive systems SINAMICS G130, G150, SINAMICS S120 Booksize, S120 Chassis, S120
Cabinet Modules and S150. In contrast to the extended safety functions, they are not subject to a license. They are
integrated into each individual drive, i.e. they do not require a higher-level control.
Further information about Safety Integrated, the Safety Integrated Basic Functions and the Safety Integrated
Extended Functions can be found in function manuals "SINAMICS S120 Safety Integrated" and "SINAMICS G130 /
G150 / S120 Chassis / S120 Cabinet Modules / S150 Safety Integrated".
Operating principle
The functions Safe Torque Off and Safe Stop 1 are activated by two separate signals. These signals act on
independent monitoring channels (e.g. signal switch-off paths, data storage, data cross-check) which are stored
separately in the firmware in both the Control Unit and the Motor Module. The two signals must be switched
simultaneously. This structure makes it possible to implement a two-channel function for maximum reliability and
safety.
The STO and SS1 functions use predefined digital inputs on the Control Unit and terminals labeled "EP – Enable
Pulses" on the power unit. STO and SS1 must first be enabled through appropriate parameter settings in the
firmware as part of the drive commissioning process before STO and SS1 can be activated by means of the
terminals.
After the functions have been enabled in the firmware and activated by means of the terminals, the drive unit is in the
"safe state". Converter restart is locked out by a switching-on-inhibited function, a mechanism which is based on a
pulse suppression function integrated in the Motor Modules and implemented by cancelation of the power
semiconductor gating pulses.
When the function is activated, each monitoring channel triggers safe pulse suppression via its switch-off signal path.
When a fault is detected in one of the switch-off signal paths, the STO function is also activated and restarting is
"locked out" so that the motor cannot start accidentally.
Both functions are implemented individually for each drive axis within a Control Unit ("axial" function). In this way,
each drive can be controlled separately when multiple motors are configured for each CU. Functional groups can also
be created.
To fulfill the requirements regarding early error detection, the two switch-off signal paths must be tested at least once
within a defined time to ensure that they are functioning properly. For this purpose, forced dormant error detection
must be triggered manually by the user or automatically. Once this time has elapsed, an alarm is created and
remains present until forced dormant error detection is carried out. This alarm does not affect machine operation. A
self-test is also initiated and the time interval restarted with every normal activation. Depending on the operating state
of the machine, therefore, the message might not be visable.
The following boundary conditions should be taken in account when activating the safety functions:
§ Simultaneous activation / deactivation at Control Unit and power unit is required
§ Control with DC 24 V is required
§ According to IEC 61800-5-1 and UL 508, it is only permissible to connect safety extra-low voltage (PELV)
to the control terminals.
§ DC supply cables up to a length of 10 m are permissible
§ Unshielded signal cables up to a length of 30 m are permissible without additional circuitry for surge
voltage protection. For longer cable lengths, shielded cables must be used or a suitable circuitry for surge
voltage protection must be implemented.
§ The components must be protected against conductive pollution, e.g. through being installed in a cabinet
with degree of protection IP54B in compliance with EN 60529. On the precondition that conductive
pollution cannot occur, also lower degree of protection than IP54B can be chosen for the cabinet.
SINAMICS Engineering Manual – November 2015
254/528
Ó Siemens AG