SIEMENS
SINAMICS G150 NEMA
Engineering information
Siemens D11.7 (Part 1) – 2013
Emergency Stop compared to Safety Integrated functions
The principle of operation of Safety Integrated
Two independent shutdown paths
There are two shutdown paths that are independent of one another.
All shutdown paths are active low. This ensures that when a component fails or a wire breaks, the system always goes into the safe state. When a fault is detected in the shutdown paths, the Safe Torque Off (STO) or Safe Stop 1 (SS1) function (depending on the parameterization; also refer to the table on page 3/13) is activated and a restart is prevented.
Two-channel monitoring structure
All of the hardware and software functions important for Safety Integrated are implemented in two independent monitoring channels (e.g. shutdown paths, data management, data comparison). The safety-relevant data in the two monitoring channels is cyclically compared crosswise.
The monitoring functions in each monitoring channel are based on the principle that before a particular action there must be a defined state, and after the action there must be a specific feedback. If this expectation is not fulfilled in a monitoring channel, the drive is shut down through both channels and the corresponding signal is output.
Forced checking procedure using a test stop
In order to fulfill the requirements of ISO 13849-1 (previously EN 954-1) and IEC 61508 regarding early fault detection, the functions and the shutdown paths must be tested at least once within a specific time period to ensure that they are operating correctly. This must be realized either cyclically and manually, or the test stop must be automatically initiated as part of the process.
The test stop cycle is monitored, and after a specific time has been exceeded, an alarm is output.
A test stop does not require a power-on. The acknowledgment is realized when the test stop request is deselected. When the machine is operational, it can be assumed that there is no risk for personnel because of the appropriate safety equipment (e.g. protective doors). As a consequence, the user is only made aware of the required forced checking procedure by an alarm, and is requested to perform the forced checking procedure at the next possible opportunity.
Examples for performing the forced checking procedure:
• When the drives are stationary after switching on the system
• Before opening the protective door
• In a specified rhythm (e.g. every 8 hours)
• In the automatic mode, time and event-triggered
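The following Python model is an added illustration of the principles described above (two active-low shutdown paths cross-checked in two channels, restart prevented after a detected fault, and a monitored test-stop cycle that raises an alarm rather than a stop). It is not Siemens code; the class, method names, the 8-hour interval and the acknowledge behaviour are assumptions made for the example.

```python
from dataclasses import dataclass, field

TEST_STOP_INTERVAL_H = 8.0   # assumed forced-checking period (text: e.g. every 8 hours)
TEST_REQUEST = "forced checking procedure required"

@dataclass
class SafetyMonitor:
    """Two monitoring channels, each owning one active-low shutdown path (assumed model)."""
    hours_since_test_stop: float = 0.0
    latched: bool = False                     # fault detected: restart prevented
    alarms: list = field(default_factory=list)

    def evaluate(self, path_a: int, path_b: int) -> bool:
        """Return True only if both channels release the drive.

        Inputs are active low: 1 = release, 0 = shutdown.  A wire break or a
        failed component reads as 0, so it falls into the safe state by itself.
        """
        if self.latched:
            return False                      # no restart until acknowledged
        # Cross-wise comparison of the two channels' safety-relevant data.
        if path_a != path_b:
            self.latched = True
            self.alarms.append("channel discrepancy: two-channel shutdown")
            return False
        return path_a == 1

    def tick(self, hours: float) -> None:
        """Monitor the test-stop cycle; overrunning it raises an alarm, not a stop."""
        self.hours_since_test_stop += hours
        if self.hours_since_test_stop > TEST_STOP_INTERVAL_H and TEST_REQUEST not in self.alarms:
            self.alarms.append(TEST_REQUEST)

    def test_stop(self, feedback_a: int, feedback_b: int) -> bool:
        """Forced checking: after the test-stop action both paths must read 0."""
        if feedback_a == 0 and feedback_b == 0:
            self.hours_since_test_stop = 0.0  # acknowledged on deselecting the request
            self.alarms = [a for a in self.alarms if a != TEST_REQUEST]
            return True
        self.latched = True                   # a path that did not drop out is a fault
        self.alarms.append("test stop failed: shutdown path stuck")
        return False

    def acknowledge(self) -> None:
        """Assumed: clears the fault latch once the cause has been removed."""
        self.latched = False
```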
What is the difference between option K82 STO/SS1 and options N57 Emergency OFF category 0 or N59/N60 Emergency STOP category 1?
STO and Emergency OFF cat. 0 both result in a coast to stop, and SS1 and Emergency STOP cat. 1 both result in a fast ramp down with subsequent removal of power. All of these designs incorporate safety relays.
The differences between these options are the standards and specifications that are being met. Safety Integrated functions include strict requirements related to design, wiring, testing and start-up, and the associated certification by qualified personnel at various stages. There are requirements for redundancy in certain circuits and components. These requirements apply to components and circuitry both inside the drive enclosure and outside in the plant.
The requirements met with Emergency OFF/Emergency STOP are not as extensive.