Safety-Integrated, Drive-Integrated Safety Functions; Safe Torque Off (Previously Known As "Safe Standstill") And Safe Stop 1 - Siemens SINAMICS G130 Engineering Manual

General Engineering Information for SINAMICS
Engineering Information
█

Safety-integrated, drive-integrated safety functions

Safe Torque Off (previously known as "Safe Standstill") and Safe Stop 1

General
The Safe Torque Off function (abbreviated to STO) is a mechanism for preventing the drive from unexpectedly
starting in compliance with EN60204-1 Section 5.4. Safe Torque Off enables stop category 0 to be implemented in
compliance with EN 60204-1 ("Uncontrolled Stop") with regard to the switching off of the energy supply to the drive
components of the machines.
Advantage: With STO motor-side contactors as additional switch-off paths are no longer required.
The Safe Stop 1 safety function (SS1) is a supplement to the Safe Torque Off function. With this function, it is
possible to implement stop category 1 in compliance with EN 60204-1. When Safe Stop 1 is activated, the drive
decelerates according to the fast stop ramp (OFF3) and then switches over into the Safe Torque Off mode.
These safety functions are part of the SINAMICS "Safety-Integrated" philosophy and are standard features of the
SINAMICS units S120 Booksize, S120 Chassis and Cabinet Modules, G130, G150 and S150. Both safety functions
are integrated in each drive unit. Thus no additional higher-level control is required.
Operating principle
The functions Safe Torque Off and Safe Stop 1 are activated by two separate, but mutually dependent signals. These
signals act on monitoring channels (signal switch-off paths, data cross-comparison) which are stored separately in
the firmware in both the Control Unit and the Motor Module. The two signals must be switched simultaneously. This
structure makes it possible to implement a two-channel function for maximum reliability and safety. The function uses
digital inputs (DI0-DI7) on the Control Unit and terminals labeled "EP – Enable Pulses" on the power unit. STO and
SS1 must be activated by parameter settings as the terminals will not work before.
When the function is selected, the drive unit is in a "safe state". The switching on inhibited function prevents the drive
unit from being restarted. The pulse suppression mechanism integrated in the Motor Modules is a prerequisite for this
function. This works by turning off the gating pulses to the power transistors (IGBTs).
When the function is selected, each monitoring channel triggers safe pulse suppression via its switch-off signal path.
When a fault is detected in one of the switch-off signal paths, the STO function is also activated and restarting is
"locked out" so that the motor cannot start accidentally.
Both functions are implemented individually for each drive axis within a Control Unit ("axial" function). In this way,
each drive can be controlled separately when multiple motors are configured for each CU. Functional groups can also
be created.
To fulfill the requirements of EN 954-1 regarding early error detection, the two switch-off signal paths must be tested
at least once within a defined time to ensure that they are functioning properly. For this purpose, forced dormant error
detection must be triggered manually by the user or automatically. Once this time has elapsed, an alarm is created
and remains present until forced dormant error detection is carried out. This alarm does not affect machine operation.
A self-test is also initiated and the time interval restarted with every normal selection. Depending on the operating
state of the machine, therefore, the message might not be visable.
The following boundary conditions should be taken in account when activating the safety functions:
Simultaneous activation / deactivation at Control Unit and power unit is required
Control with DC 24V is required
According to EN 61800-5-1 and UL 508, at the control terminals only the connection of protective extra
low voltage (PELV) is permissible
DC supply cables up to a length of 30 m are permissible
Unshielded signal cables up to a length of 30 m are permissible without additional circuitry for surge
voltage protection. For longer cable lengths, shielded cables must be used or a suitable circuitry for surge
voltage protection must be implemented.
The components must be protected against conductive pollution, e.g. through being installed in a cabinet
with degree of protection IP54B in compliance with EN 60529. On the precondition that conductive
pollution cannot occur, also lower degree of protection than IP54B can be chosen for the cabinet.
SINAMICS Engineering Manual – May 2008
150/396
© Siemens AG