Siemens D 31 · 2015, 2/9
Function
Highlights
Safety Integrated
Basic Functions and Extended Functions
The Safety Integrated functions of the SINAMICS drive system
are grouped into Basic Functions and Extended Functions.
• Basic Functions
  - Safe Torque Off (STO)
  - Safe Brake Control (SBC)
  - Safe Stop 1 (SS1)
• Extended Functions
  - Safe Stop 1 (SS1) with SBR or SAM
  - Safe Stop 2 (SS2) with SAM
  - Safe Operating Stop (SOS)
  - Safely Limited Speed (SLS)
  - Safe Speed Monitor (SSM)
  - Safe Direction (SDI)
  - Safely-Limited Position (SLP)
  - Safe Position (SP)
  - Safe Brake Test (SBT)
For the Extended Functions Safe Stop 1 (SS1) and Safe Stop 2 (SS2) with SAM, Safe Acceleration Monitoring (SAM) is performed during braking so that faults are detected already in the braking phase.
If Safe Stop 1 is used as an encoderless function, a Safe Brake Ramp (SBR) can be configured as an alternative to SAM.
The Basic Functions – activated via on-board terminals on the
device or via PROFIsafe – do not require an encoder.
Activation of the integrated safety functions
The safety functions for SINAMICS drives can be activated via
terminals, e.g. for use of a conventional safety circuit.
For standalone safety solutions for small to medium-sized applications, it is frequently sufficient to hardwire the various sensing components directly to the drive.
For integrated safety solutions, the safety-relevant sequences
are generally processed and coordinated in the fail-safe
SIMATIC controller. Here, the system components communicate
via the PROFINET or PROFIBUS fieldbus. The safety functions
are controlled via the safe PROFIsafe communication protocol.
SINAMICS drives can be easily integrated into the plant or
system topology.
PROFIsafe
SINAMICS drives support the PROFIsafe profile based on
PROFIBUS as well as on PROFINET.
PROFIsafe is an open communications standard that carries standard and safety-related communication over the same communication path (wired or wireless). A second, separate bus system is therefore not necessary. The transmitted telegrams are continually monitored so that the safety-relevant communication itself is checked, rather than relying on the underlying bus.
Errors such as lost, repeated or out-of-sequence telegrams are detected by consecutively numbering the telegrams in a safety-relevant manner, by monitoring their reception within a defined time (watchdog), and by transferring an ID for the transmitter and the receiver of each telegram. A CRC (cyclic redundancy check) is used as an additional data integrity mechanism. If any of these checks fails, the receiver goes to the fail-safe state.
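As an added illustration (not Siemens code and not the real PROFIsafe frame layout), the following Python model carries the four mechanisms named above in one simplified safety telegram and checks them on the consumer side. Field widths, the use of CRC-32, the fault reasons and the passivation behaviour are assumptions made for this example; a real PROFIsafe stack uses its own frame format, CRC polynomials and consecutive-number handling.

```python
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Added illustration, not Siemens code and not the real PROFIsafe frame format:
# a simplified safety telegram carrying the four mechanisms named in the text
# (consecutive number, transmitter/receiver ID, watchdog time, CRC) and a
# consumer-side monitor that passivates on the first fault. Field widths, the
# use of CRC-32 and the fault reasons are assumptions for this example.


@dataclass(frozen=True)
class SafetyTelegram:
    seq: int        # consecutive number (assumed 32-bit here)
    src: int        # transmitter ID
    dst: int        # receiver ID
    payload: bytes  # process data, e.g. STO/SS1 control bits
    crc: int        # CRC over seq, src, dst and payload


def telegram_crc(seq: int, src: int, dst: int, payload: bytes) -> int:
    """CRC over every field that matters for safety, so that a corrupted
    number, address or payload is caught before any other check runs."""
    header = seq.to_bytes(4, "big") + src.to_bytes(2, "big") + dst.to_bytes(2, "big")
    return zlib.crc32(header + payload) & 0xFFFFFFFF


def build_telegram(seq: int, src: int, dst: int, payload: bytes) -> SafetyTelegram:
    """Producer side: number the telegram and protect it with the CRC."""
    return SafetyTelegram(seq, src, dst, payload, telegram_crc(seq, src, dst, payload))


class SafetyReceiver:
    """Consumer side: accepts only the expected next telegram, from the expected
    partner, addressed to itself, with a valid CRC, inside the watchdog time.
    Any violation latches the receiver in the fail-safe (passivated) state."""

    def __init__(self, own_id: int, partner_id: int, watchdog_ms: int, start_ms: int = 0):
        self.own_id = own_id
        self.partner_id = partner_id
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 1          # first telegram after start-up
        self.last_ok_ms = start_ms     # time of the last valid telegram
        self.passivated = False
        self.fault: Optional[str] = None

    def _passivate(self, reason: str) -> Tuple[bool, str]:
        self.passivated = True
        self.fault = reason
        return False, reason

    def check_watchdog(self, now_ms: int) -> Tuple[bool, str]:
        """Cyclic check that runs even when no telegram arrives at all."""
        if self.passivated:
            return False, self.fault
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._passivate("watchdog time exceeded")
        return True, "ok"

    def receive(self, tg: SafetyTelegram, now_ms: int) -> Tuple[bool, str]:
        """Validate one telegram. Returns (accepted, reason)."""
        if self.passivated:
            return False, self.fault
        # 1. Integrity first: no other field can be trusted before the CRC holds.
        if tg.crc != telegram_crc(tg.seq, tg.src, tg.dst, tg.payload):
            return self._passivate("crc mismatch")
        # 2. Transmitter/receiver IDs: a telegram from or for another station is a fault.
        if tg.src != self.partner_id or tg.dst != self.own_id:
            return self._passivate("wrong transmitter or receiver id")
        # 3. Consecutive number: detects repeated, out-of-sequence and lost telegrams.
        if tg.seq < self.expected_seq:
            return self._passivate("repeated or out-of-sequence telegram")
        if tg.seq > self.expected_seq:
            return self._passivate("telegram lost")
        # 4. Watchdog: a correct telegram that arrives too late is also a fault.
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._passivate("watchdog time exceeded")
        self.expected_seq += 1
        self.last_ok_ms = now_ms
        return True, "ok"
```

The order of the checks matters: the CRC is verified first because the consecutive number and the IDs are themselves protected by it, and the watchdog is evaluated both on every received telegram and cyclically, so that a silent bus (no telegram at all) is detected just as reliably as a late one. The receiver deliberately latches: after a fault it keeps returning the safe substitute state until it is explicitly reintegrated, which this model does not implement.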
The operating principle of Safety Integrated
Two independent switch-off signal paths
Two independent switch-off signal paths are available, and all of them are low active: the absence of the signal, whether caused by a failed component or a cable break, always switches the system to the safe state. If an error is discovered in the switch-off signal paths, the Safe Torque Off or Safe Stop 1 function is activated (depending on the parameterization) and a restart of the system is inhibited.
Two-channel monitoring structure
All the main hardware and software functions for Safety Integrated
are implemented in two independent monitoring channels (e.g.
switch-off signal paths, data management, data comparison). A
cyclic crosswise comparison of the safety-relevant data in the two
monitoring channels is carried out.
The monitoring functions in each monitoring channel work on the principle that a defined state must prevail before each action is carried out and a specific acknowledgement must be made after each action. If these expectations of a monitoring channel are not fulfilled, the pulses are cancelled in both channels so that the drive coasts to a standstill, and an appropriate message is output.
Forced dormant error detection using test stop
To meet the requirements of EN ISO 13849-1 and IEC 61508 for timely error detection, the functions and switch-off signal paths must be tested at least once within a defined period to establish that they are working properly. This is implemented either as a cyclic manual test or by initiating the test stop automatically as part of the process. The test stop cycle is monitored, and once the defined time has been exceeded an alarm is output. A test stop does not require a POWER ON. The acknowledgment is given by cancelling the test stop request.
Examples of when forced dormant error detection must be
performed:
• When the drives are at a standstill after the system has been switched on
• Before the protective door is opened
• At defined intervals (e.g. every 8 hours)
• In automatic mode, time- and event-driven
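The two-channel structure and the test stop described above, as an added Python model (not Siemens firmware): two low-active switch-off paths are evaluated independently and compared crosswise, a persistent mismatch is treated as a fault with the parameterized reaction and a restart inhibit, and a test stop drives each path low in turn and checks its readback. The discrepancy time, the readback model, the `healthy` fault-injection flag and the state names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration, not Siemens firmware: a two-channel switch-off structure
# with low-active signal paths, crosswise comparison of the two channels, and a
# test stop that exercises each path (forced dormant error detection). The
# discrepancy time, the readback model and the state names are assumptions.


@dataclass
class SwitchOffPath:
    """One low-active switch-off signal path."""
    name: str
    input_level: bool = True    # True = signal present (enable); False = 0 V or cable break
    driven_low: bool = False    # path actuated by the test stop
    healthy: bool = True        # constructed fault injection: False models a path stuck 'on'

    def demands_stop(self) -> bool:
        # Low active: a missing signal, whatever its cause, always means switch-off.
        return (not self.input_level) or self.driven_low

    def readback_off(self) -> bool:
        # Feedback used by the test stop: a healthy path reports 'off' whenever a
        # switch-off is demanded; a stuck path keeps reporting 'on'.
        return self.demands_stop() and self.healthy


class TwoChannelSafety:
    def __init__(self, test_interval_ms: int, discrepancy_ms: int,
                 stop_function: str = "STO", start_ms: int = 0):
        self.path1 = SwitchOffPath("P1")
        self.path2 = SwitchOffPath("P2")
        self.test_interval_ms = test_interval_ms  # e.g. 8 h in the text's example
        self.discrepancy_ms = discrepancy_ms      # assumed tolerance before a mismatch is a fault
        self.stop_function = stop_function        # parameterized reaction: "STO" or "SS1"
        self.state = stop_function                # safe state until both channels enable
        self.fault: Optional[str] = None
        self.restart_inhibited = False
        self.mismatch_since: Optional[int] = None
        self.last_test_ms = start_ms
        self.alarm = False
        self.test_stop_requested = False
        self.last_test_passed = False

    def _fault(self, reason: str) -> None:
        self.fault = reason
        self.state = self.stop_function
        self.restart_inhibited = True

    def evaluate(self, now_ms: int) -> str:
        """Cyclic evaluation: each channel decides on its own, then the two
        results are compared crosswise. Returns the resulting drive state."""
        stop1 = self.path1.demands_stop()
        stop2 = self.path2.demands_stop()
        if stop1 != stop2:
            # One channel demands a stop: it takes effect immediately. The
            # mismatch is tolerated only for the discrepancy time.
            self.state = self.stop_function
            if self.mismatch_since is None:
                self.mismatch_since = now_ms
            elif now_ms - self.mismatch_since > self.discrepancy_ms:
                self._fault("discrepancy between switch-off signal paths")
        elif stop1:
            self.mismatch_since = None
            self.state = self.stop_function       # both channels agree: stop
        else:
            self.mismatch_since = None
            # Both channels enable, but a detected fault keeps the restart inhibited.
            self.state = self.stop_function if self.restart_inhibited else "RUN"
        # Test-cycle monitoring: alarm once the defined interval is exceeded.
        if now_ms - self.last_test_ms > self.test_interval_ms:
            self.alarm = True
        return self.state

    def test_stop(self, now_ms: int) -> bool:
        """Forced dormant error detection: drive each path low in turn and check
        its readback. No POWER ON is needed. Returns True if both paths passed."""
        self.test_stop_requested = True
        self.last_test_passed = True
        for path in (self.path1, self.path2):
            path.driven_low = True
            passed = path.readback_off()
            path.driven_low = False
            if not passed:
                self.last_test_passed = False
                self._fault(f"switch-off path {path.name} failed test stop")
                return False
        self.last_test_ms = now_ms
        return True

    def cancel_test_stop_request(self) -> None:
        """Cancelling the request is the acknowledgment; a passed test clears the alarm."""
        self.test_stop_requested = False
        if self.last_test_passed:
            self.alarm = False
```

Two design points carry over to real systems: a single channel demanding a stop is honoured immediately (that is what low-active buys you), while the discrepancy is only escalated to a latched fault after the tolerance time, so that the normal skew between two contacts of one switch does not inhibit the restart; and the test stop does not wait for a fault to appear but provokes the switch-off on each path and verifies the feedback, which is the only way to find a path that has silently stuck in the enabling state.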
Safe actual value sensing with or without encoders
A drive with an encoder is required for a number of the safety functions.
For applications in encoderless mode, or with encoders that have no safety capability, the safety functions can also be implemented without an encoder; not all safety functions are available in this case.
In operation without an encoder, the actual speed values are calculated from the measured electrical actual values, so speed monitoring is also possible without an encoder.
Safety Integrated Extended Functions "without encoder" must not be used if the motor, after it has been switched off, can still be accelerated by the mechanical elements of the connected machine component.
In the hoisting gear of a crane, for example, the suspended load can accelerate the motor as soon as the motor is switched off. In this case, the safety functions "without encoder" are not permitted.
A horizontal conveyor, on the other hand, is always braked to a standstill by friction as soon as the motor is switched off. In this case, the safety functions "without encoder" can be used without restriction.
© Siemens AG 2014