SIEMENS
3/10
Siemens D 21.4 · 2017
Safety Integrated
Function
The operating principle of Safety Integrated
Two independent switch-off signal paths
Two independent switch-off signal paths are available. All
switch-off signal paths are low active. This ensures that the
system is always switched to a safe state if a component fails or
in the event of cable breakage. If a fault is discovered in the
switch-off signal paths, the STO or SS1 function (depending on
parameter settings) is activated and a system restart is inhibited.
Two-channel monitoring structure
All the main hardware and software functions for Safety Integrated
are implemented in two independent monitoring channels (e.g.
switch-off signal paths, data management, data comparison).
A cyclic crosswise comparison of the safety-relevant data in the
two monitoring channels is carried out.
The monitoring functions in each monitoring channel work on the
principle that a defined state must prevail before each action is
carried out and a specific acknowledgement must be made after
each action. If these expectations of a monitoring channel are
not fulfilled, the drive coasts to a standstill (two channel) and an
appropriate message is output.
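Added example (not Siemens code, and not from this catalog): a simplified C model of the two low-active switch-off signal paths and the crosswise comparison described above. All type and function names are hypothetical, and it assumes that any disagreement between the two paths counts as a discovered fault, with no tolerance time.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not drive firmware. All names are hypothetical. */
typedef enum { REACT_STO, REACT_SS1 } fault_reaction_t; /* "depending on parameter settings" */
typedef enum { DRV_ENABLED, DRV_STO, DRV_SS1 } drive_state_t;

typedef struct {
    fault_reaction_t on_fault; /* parameterized reaction to a path fault */
    bool fault_latched;        /* once set, restart stays inhibited */
    drive_state_t state;
} safety_monitor_t;

void monitor_init(safety_monitor_t *m, fault_reaction_t on_fault) {
    m->on_fault = on_fault;
    m->fault_latched = false;
    m->state = DRV_STO;        /* begin in the safe state */
}

/* One monitoring cycle. path_a / path_b are the levels the two channels
 * read on their own switch-off signal paths. Low active: false (no signal,
 * failed component, broken cable) requests switch-off. */
drive_state_t monitor_cycle(safety_monitor_t *m, bool path_a, bool path_b) {
    if (m->fault_latched)
        return m->state;       /* restart inhibited: inputs are ignored */
    if (path_a != path_b) {    /* crosswise comparison: channels disagree */
        m->fault_latched = true;
        m->state = (m->on_fault == REACT_SS1) ? DRV_SS1 : DRV_STO;
    } else if (path_a) {
        m->state = DRV_ENABLED; /* both paths actively driven high */
    } else {
        m->state = DRV_STO;     /* both paths low: regular switch-off */
    }
    return m->state;
}

int main(void) {
    /* Constructed input sequence: run, cable break on path B, attempted restart. */
    bool seq[][2] = { {true, true}, {true, false}, {true, true} };
    safety_monitor_t m;
    monitor_init(&m, REACT_STO);
    for (int i = 0; i < 3; i++)
        printf("cycle %d: state=%d latched=%d\n", i,
               (int)monitor_cycle(&m, seq[i][0], seq[i][1]), (int)m.fault_latched);
    return 0;
}
```

Clearing the latched fault is deliberately left out of the model, since the text above does not describe how the restart inhibit is lifted.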
Forced dormant error detection using test stop
The functions and switch-off signal paths must be tested at least
once within a defined time in order to meet requirements as per
EN ISO 13849-1 and IEC 61508 in terms of timely fault detection.
This must be implemented either in cyclic manual mode or the test
stop must be automatically initiated as part of the process. The
test stop cycle is monitored, and after a specific time has been
exceeded, an alarm is output. A test stop does not require a
POWER ON. The acknowledgment is set by canceling the test
stop request.
Examples of when forced dormant error detection must be
performed:
• When the drives are at a standstill after the system has been switched on
• Before the protective door is opened
• At defined intervals (e.g. every 8 hours)
• In automatic mode, time and event-driven
Safe speed/position sensing
Incremental encoders or absolute encoders can be used for
safe sensing of the position values on a drive.
Safe actual value sensing relies on redundant evaluation of the
incremental tracks A/B that supply sin/cos signals of 1 Vpp. Only
encoders of the type whose A/B track signals are created and
processed using purely analog techniques can be used.
HTL/TTL incremental encoders may also be used. In this case,
safe actual value sensing is achieved by using two independent
encoders. The minimum possible speed resolution must also be
taken into account.
The encoder signals are input via Sensor Modules.
As an alternative, motors with an integrated DRIVE-CLiQ interface
can be used. The speed or position actual values are
generated directly in the motor as safe values and are transferred
to the Control Unit over safe communication via
DRIVE-CLiQ.
Certified built-on rotary encoders with DRIVE-CLiQ interface
may also be used (see
).
The encoder must be mechanically attached in such a manner
that the encoder shaft is unable to unplug or slide off. For notes
on this, see IEC 61800-5-2: 2016, Table D.16.
A list of Siemens motors that fulfill the electrical and mechanical
requirements is available at:
The following can be used for safe speed/position sensing:
• Single-encoder systems or
• Dual-encoder systems
Single-encoder system
Example: Single-encoder system
In a single-encoder system, the motor encoder is used exclusively
for safe actual value sensing.
Dual-encoder system
Example: Dual-encoder system
In the case of the dual-encoder system, the safe actual values
for a drive are provided by two separate encoders. The actual
values are transferred to the Control Unit over DRIVE-CLiQ.
When motors without a DRIVE-CLiQ connection are used, a
Sensor Module must be provided.
HTL/TTL incremental encoders can be used as an alternative
with a dual-encoder system. Either two HTL/TTL encoders, one
dual-HTL/TTL encoder or one HTL/TTL encoder and one sin/cos
encoder can be used.
[Figures: single-encoder and dual-encoder system diagrams (G_D211_EN_00216b, G_D211_EN_00217b). Labels: E = encoder; M = motor; Sensor Module (not applicable for motor with DRIVE-CLiQ interface); DRIVE-CLiQ; Backlash; Machine table]
© Siemens AG 2017