Siemens D 11 · 2015
Function (continued)
Highlights
Safety Integrated
Basic Functions and Extended Functions
The Safety Integrated functions of the SINAMICS drive system
are grouped into Basic Functions and Extended Functions.
• Basic Functions
  - Safe Torque Off (STO)
  - Safe Brake Control (SBC)
  - Safe Stop 1 (SS1)
• Extended Functions
  - Safe Stop 1 (SS1) with SBR or SAM
  - Safe Stop 2 (SS2) with SAM
  - Safe Operating Stop (SOS)
  - Safely Limited Speed (SLS)
  - Safe Speed Monitor (SSM)
  - Safe Direction (SDI)
  - Safely Limited Position (SLP)
  - Safe Position (SP)
  - Safe Brake Test (SBT)
For the Extended Functions Safe Stop 1 (SS1) and Safe Stop 2
(SS2) with SAM, safe acceleration monitoring (SAM) is performed
during braking to identify any faults already during the braking
phase.
If Safe Stop 1 is used as an encoderless function, a Safe Brake
Ramp (SBR) can be configured as an alternative.
The Basic Functions – activated via on-board terminals on the
device or via PROFIsafe – do not require an encoder.
Activation of the integrated safety functions
The safety functions for SINAMICS drives can be activated via terminals,
e.g. for use of a conventional safety circuit.
For standalone safety solutions for small to medium sized applications,
it is frequently sufficient that the various sensing components are
directly hardwired to the drive.
For integrated safety solutions, the safety-relevant sequences are
generally processed and coordinated in the fail-safe SIMATIC controller.
Here, the system components communicate via the PROFINET or PROFIBUS
fieldbus. The safety functions are controlled via the safe PROFIsafe
communication protocol.
SINAMICS drives can be easily integrated into the plant or system
topology.
PROFIsafe
SINAMICS drives support the PROFIsafe profile based on
PROFIBUS as well as on PROFINET.
PROFIsafe is an open communications standard that supports standard and
safety-related communication over the same communication path (wired or
wireless). A second, separate bus system is therefore not necessary. The
telegrams that are sent are continually monitored to ensure
safety-relevant communication.
Possible errors such as telegrams that have been lost, repeated or
received in the incorrect sequence are avoided. This is done by
consecutively numbering the telegrams in a safety-relevant fashion,
monitoring their reception within a defined time and transferring an
ID for transmitter and receiver of a telegram.
A CRC (cyclic redundancy check) data security mechanism is also
used.
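The four checks listed above (consecutive numbering, reception within a defined time, transmitter/receiver IDs, and a CRC) can be seen working together in a small receiver model. The following is an added example, not Siemens code and not the real PROFIsafe frame format: the field layout, field widths and the choice of zlib's CRC-32 are assumptions made for illustration. It shows how each check catches one class of error (repeated, lost or misordered, delayed, misaddressed or corrupted telegrams) and how the receiver latches a safe (passivated) state rather than acting on a suspect telegram.

```python
"""Toy receiver for PROFIsafe-style telegram checks (added example, not
Siemens code; frame layout and CRC are assumptions for illustration)."""
import struct
import zlib

# Constructed layout: command (1 byte), consecutive number (1 byte),
# transmitter ID (2 bytes), receiver ID (2 bytes), CRC-32 (4 bytes).
BODY = struct.Struct(">BBHH")
CRC = struct.Struct(">I")


def build_telegram(command, seq, src_id, dst_id):
    """Pack a telegram as the transmitter would; CRC is computed over the body."""
    body = BODY.pack(command, seq & 0xFF, src_id, dst_id)
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def corrupt(frame, index):
    """Flip one bit of a telegram to simulate a transmission error."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


class SafetyReceiver:
    """Receiver side: the first failed check latches the safe state."""

    def __init__(self, expected_src, own_id, watchdog_ms):
        self.expected_src = expected_src
        self.own_id = own_id
        self.watchdog_ms = watchdog_ms
        self.last_seq = None
        self.last_time = None
        self.command = None      # last command accepted as valid
        self.passivated = False

    def _fail(self, reason):
        # Once passivated the receiver ignores further telegrams until an
        # explicit reintegration (not modelled here); this is the safe state.
        self.passivated = True
        self.command = None
        return reason

    def receive(self, frame, now_ms):
        """Return "ok" or the name of the first check that failed."""
        if self.passivated:
            return "passivated"
        if len(frame) != BODY.size + CRC.size:
            return self._fail("length")
        body, crc = frame[:BODY.size], frame[BODY.size:]
        # 1. Data integrity: the CRC over the body must match.
        if zlib.crc32(body) & 0xFFFFFFFF != CRC.unpack(crc)[0]:
            return self._fail("crc")
        command, seq, src, dst = BODY.unpack(body)
        # 2. Transmitter/receiver IDs: reject telegrams meant for another pair.
        if src != self.expected_src or dst != self.own_id:
            return self._fail("address")
        # 3. Watchdog: the next telegram must arrive within the defined time.
        if self.last_time is not None and now_ms - self.last_time > self.watchdog_ms:
            return self._fail("timeout")
        # 4. Consecutive number: tells a repeated telegram from a lost or
        #    misordered one. The counter wraps at 8 bits in this toy layout.
        if self.last_seq is not None:
            if seq == self.last_seq:
                return self._fail("repeated")
            if seq != (self.last_seq + 1) & 0xFF:
                return self._fail("sequence")
        self.last_seq, self.last_time, self.command = seq, now_ms, command
        return "ok"
```

Each negative case below uses a fresh receiver because passivation is deliberately sticky: a safety receiver must not silently resume after a detected error.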
The operating principle of Safety Integrated
Two independent switch-off signal paths
Two independent switch-off signal paths are available. All switch-off
signal paths are low active. This ensures that the system is always
switched to a safe state if a component fails or in the event of cable
breakage. If an error is discovered in the switch-off signal paths, the
Safe Torque Off or Safe Stop 1 function is activated (depending on
the parameterization) and a system restart inhibited.
Two-channel monitoring structure
All the main hardware and software functions for Safety Integrated
are implemented in two independent monitoring channels
(e.g. switch-off signal paths, data management, data comparison).
A cyclic crosswise comparison of the safety-relevant data in the two
monitoring channels is carried out.
The monitoring functions in each monitoring channel work on the
principle that a defined state must prevail before each action is
carried out and a specific acknowledgement must be made after each
action. If these expectations of a monitoring channel are not
fulfilled, the drive coasts to a standstill (two channel) and an
appropriate message is output.
Forced dormant error detection using test stop
The functions and switch-off signal paths must be tested at least
once within a defined time in order to meet requirements as per
EN ISO 13849-1 and IEC 61508 in terms of timely fault detection.
This must be implemented either in cyclic manual mode or the test
stop must be automatically initiated as part of the process. The test
stop cycle is monitored, and after a specific time has been exceeded,
an alarm is output. A test stop does not require a POWER
ON. The acknowledgment is set by canceling the test stop request.
Examples of when forced dormant error detection must be performed:
• When the drives are at a standstill after the system has been
  switched on
• Before the protective door is opened
• At defined intervals (e.g. every 8 hours)
• In automatic mode, time and event-driven
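The operating principle described in the three preceding sections (low-active switch-off signal paths, a two-channel monitoring structure with cyclic crosswise comparison, and a monitored test stop interval) can be modelled in a few dozen lines. The following is an added example, not Siemens code: the channel inputs, the use of a Safely Limited Speed limit as the monitored quantity, the state names and the message texts are assumptions chosen for illustration. It shows why a cable break is read as a stop demand, how a discrepancy between the two channels coasts the drive and outputs a message, and how an alarm is raised once the test stop interval is exceeded.

```python
"""Toy model of two-channel monitoring and the test stop (added example,
not Siemens code; inputs, limits and state names are assumptions)."""


def stop_demanded(level):
    """Low-active switch-off signal: only a confirmed HIGH (1) permits
    operation. A cable break or failed driver reads LOW (0) or as no
    signal at all (None), and both are treated as a stop demand."""
    return level != 1


class MonitoringChannel:
    """One of the two independent channels; each evaluates its own inputs."""

    def __init__(self, sls_limit):
        self.sls_limit = sls_limit

    def evaluate(self, terminal_level, speed):
        return {
            "stop": stop_demanded(terminal_level),
            "speed_ok": abs(speed) <= self.sls_limit,
        }


class SafetyMonitor:
    """Drive-side monitor: crosswise comparison plus test stop bookkeeping."""

    def __init__(self, sls_limit, test_stop_interval_h):
        self.channels = (MonitoringChannel(sls_limit), MonitoringChannel(sls_limit))
        self.test_stop_interval_h = test_stop_interval_h
        self.hours_since_test_stop = 0.0
        self.state = "RUN"            # RUN, STO (torque off) or COAST
        self.messages = []

    def _report(self, text):
        if text not in self.messages:
            self.messages.append(text)

    def cycle(self, inputs_ch1, inputs_ch2, elapsed_h):
        """One monitoring cycle. Each input is (terminal_level, measured_speed)
        as seen by that channel. Returns the resulting drive state."""
        self.hours_since_test_stop += elapsed_h
        # Test stop cycle monitoring: overdue tests raise an alarm but do
        # not by themselves stop the drive.
        if self.hours_since_test_stop > self.test_stop_interval_h:
            self._report("alarm: test stop interval exceeded")
        if self.state != "RUN":
            return self.state
        r1 = self.channels[0].evaluate(*inputs_ch1)
        r2 = self.channels[1].evaluate(*inputs_ch2)
        # Crosswise comparison: both channels must agree on every
        # safety-relevant result; a discrepancy means one channel is faulty.
        if r1 != r2:
            self.state = "COAST"
            self._report("fault: crosswise comparison mismatch, drive coasts to standstill")
        elif r1["stop"] or not r1["speed_ok"]:
            # Agreed stop demand or limit violation: safe torque off.
            self.state = "STO"
            self._report("stop response: STO")
        return self.state

    def test_stop(self, path1_opened, path2_opened):
        """Forced dormant error detection: both switch-off signal paths must
        be proven to open. No POWER ON is needed; returning (cancelling the
        request) acknowledges a passed test and restarts the interval."""
        if path1_opened and path2_opened:
            self.hours_since_test_stop = 0.0
            self.messages = [m for m in self.messages if "test stop" not in m]
            return "passed"
        self.state = "COAST"
        self._report("fault: switch-off signal path failed test stop, restart inhibited")
        return "failed"
```

The comparison is made on the whole result dictionary, so a channel that disagrees on any monitored quantity, not only on the stop demand, triggers the coast-down; that is what makes a single faulty channel detectable rather than silently outvoted.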
Safe actual value sensing with or without encoders
An encoder is necessary for operation of a number of the safety
functions.
For applications with encoderless mode or with encoders that have
no safety capability, the safety functions can also be implemented
without encoder. It is not possible to use all safety functions in this
case.
The encoderless safety functions can be implemented on request
for chassis format units.
In operation without encoder, the actual speed values are calculated
from the measured electrical actual values. Therefore, speed monitoring
is also possible during operation without encoder.
An encoder that is used for the purposes of motor control has no
significance for the safety function here.
Safety Integrated Extended Functions "without encoder" must not
be used if the motor, after it has been switched off, can still be
accelerated by the mechanical elements of the connected machine
component.
In the hoisting gear of a crane, for example, the suspended load
can accelerate the motor as soon as the motor is switched off. In
this case, the safety functions "without encoder" are not permitted.
A horizontal conveyor, on the other hand, is always braked to a
standstill due to friction as soon as the motor is switched off. In this
case, the safety functions "without encoder" can be used without
any restriction.
© Siemens AG 2015