Chapter 5: Motion Control Systems - Safe, Innovative Motion Control




5.1 SINUMERIK Safety Integrated: The Safety Package for Machine Tools

5.2 Safely Operating Universal Drives

5.3 SIMOTION Safety Unit: The safety package for metal forming technology

5.4 Technical Support & Engineering for Safety Integrated - Motion Control Systems


Introduction

We have extremely high demands to fulfill when it comes to our Motion Control systems and variable-speed drives for machine tools and production machines: They integrate all of the requirements relating to production, market and industry sector. For our customers, this plays a significant role in increasing quality and productivity. Certified safety functions represent an integral component of our standard products and, in addition to affording highly effective protection for man and machine, they also have a significant positive impact on increasing the productivity of our customers.

Test and certification

(excerpt from [Reinert, D.; Schaefer, M.; Umbreit, M.: Antriebe und CNC-Steuerungen mit integrierter Sicherheit. In: ETZ-Heft 11/98], technical paper of the Berufsgenossenschaft)

There is no mandatory test which must be applied for drive systems with integrated safety. This applies for applications in the area of machine tools, robots, automated production systems, food and beverage machinery etc. However, for specific machines which come under Annex IV of the Machinery Directive (e.g. presses, woodworking machines), it may be mandatory that the machine is tested, which in turn means that it is necessary to test the drive system.

Independent of this, tests can be made on a voluntary basis. Generally, the users and machinery construction companies request that an independent testing body tests these components even if testing is not mandatory. The reason for this is the complexity of the drive systems with integrated safety functionality. Users themselves cannot simply evaluate whether the systems are in compliance with the protective goals of the Machinery Directive and the appropriate Standards.

Tests carried out on these types of complex systems should always accompany development. This means that they should already start in the conceptual phase. This avoids development mistakes and the testing costs are reduced.

Hazard analysis and risk evaluation

In accordance with the Machinery Directive 98/37/EEC, the manufacturer or organization marketing a specific machine or a safety component is responsible for carrying out a hazard analysis. The objective of this is to determine all of the hazards associated with the machine or the safety component. The manufacturer must design and build the machine or safety component taking into account this analysis. A risk evaluation indicates the remaining risks, which must then be appropriately documented.

5/2 Safety Integrated Application Manual Siemens AG


Drives and CNC control systems with integrated safety

Safety measures must be provided on machines to protect personnel against potentially hazardous machine motion. These are mainly used to prevent hazardous machine movement when protective devices are in the open position. These functions include monitoring positions, e.g. end positions, monitoring speeds and stopping or shutdown in hazardous situations.

Up until now, external devices were mainly used to implement these safety measures. These include contactors, switches, cams and monitoring devices. When a hazardous situation is identified, these devices generally result in switching operations using contacts in the power circuit, which stop the potentially hazardous motion; refer to Fig. 5/1.

When integrating safety functions, drive systems and CNC controls are used to realize safety tasks in addition to the actual machine function. Extremely short response times can be achieved due to the short data path from sensing the safety-relevant information, e.g. speed or position, up to evaluation. Generally, systems with integrated safety technology respond extremely quickly when limit values are exceeded or violated, e.g. position or speed limit values. This can be extremely significant for the required monitoring result. The integrated safety technology can directly control the power semiconductors in the drive control unit without using electromechanical switching operations in the power circuit. This also means that the system is less prone to faults and disturbances. The wiring and cabling costs are reduced as a result of the integration.


5.1 SINUMERIK Safety Integrated: The Safety Package for Machine Tools

Fig. 5/1 External safety technology, integrated safety technology (block diagram, not reproduced: a drive control unit with external safety technology in the power circuit to the motor M, compared with a drive control unit with integrated safety technology and the CNC)

Fig. 5/2 The basic SINUMERIK/SIMODRIVE system (figure not reproduced)

5.1.1 Brief description

Additional current information is also provided in the Description of Functions for SINUMERIK 840D Safety Integrated.

Functional scope

“SINUMERIK Safety Integrated” offers prototype-tested safety functions. These are used to implement highly effective protection for both personnel and machines, and that in a practical way. All of the safety functions fulfill the requirements of control Category 3 according to EN 954-1 and are a permanent part of the basic system; also refer to Fig. 5/1. Neither additional sensors nor evaluation units are required.

This means:

Lower installation costs at the machine and a low-profile electrical cabinet.

The functionality includes:

• Functions to safely monitor speed, standstill and position

• Functions to safely logically combine and interlock signals

Sensors and actuators, for example, EMERGENCY STOP pushbuttons, light curtains, valves or brakes, can be directly coupled to a two-channel I/O or to fail-safe modules. The logical combination and the responses are realized internally using safety-related technology. All safety-relevant system errors always result in the potentially hazardous motion being safely brought to a standstill, or the power feed to the motor is quickly and contactlessly disconnected. The drives are always stopped, optimally adapted to the operating state of the machine. For example, in the setting-up mode, with the protective door open, the drive is stopped as quickly as possible (this is the optimum procedure for personnel protection), and in the automatic mode with the protective door closed, the machine is shut down in a path-related fashion (this is optimum for machinery protection).

In all of the operating modes, the safety functions are available and can communicate with the process itself via safety-related input/output signals. The complete functional scope was certified in the form of a prototype test by the BIA [German Statutory Industrial Accident Insurance Association] in St. Augustin.

Also refer to Section 8.7 “BG test certification - prototype test certificates.”

This means the following:

A high degree of personnel protection in the setting-up mode and additional protection for the machine, tool and workpiece in the automatic mode.

These safety functions offer an intelligent system intervention, previously unknown, directly down to the electrical drives and measuring systems. Reliable function, fast response and a broad acceptance mean that these certified safety systems are highly effective.

Basic structure

A two-channel system structure with diversity is created using the existing multi-processor structure. The safety functions are redundantly incorporated in the NC, drive and internal PLC. The process quantities and safety-relevant system data are cross-monitored; also refer to Fig. 5/3.


Graphic 5/3 The CPUs form a two-channel system structure with diversity. (Block diagram, not reproduced: measuring system, incremental or absolute; drive power module; NC computer (Type 1), drive computer (Type 2) and PLC computer (Type 3) linked via bus and I/O; each channel has its own shutdown path and feedback signals, and the channels perform a crosswise data comparison.)


Safety-related software and hardware functions are tested at defined time intervals using an automated forced checking procedure. Also refer to Section 5.1.11 “Basic information on the application.”

The special feature of this safety concept is that Category 3 acc. to EN 954-1 can be implemented with just one measuring system: the standard motor measuring system. A second sensor is not required. However, it can be incorporated as an additional direct measuring system (e.g. linear scale).

Safer and more flexible

Using this innovative safety technology, it has been shown that new machine operator control concepts can be implemented in line with those required in practice. This means that a new standard of machines has been created, which is safer and more flexible in operation and which increases the plant availability.

The new safety concept is the result of close cooperation between the “Iron and Metal II” Committee of the German Trade Association in Mainz, the “German Statutory Industrial Accident Insurance Association” BIA in St. Augustin and Siemens AG, Motion Control Systems Division, in Erlangen.

The Motion Control Systems business division belonging to the “Automation and Drives Group” develops, manufactures and markets numerical controls and drive systems under the SINUMERIK and SIMODRIVE product names. These systems are especially used for complex and high-dynamic motion control and positioning applications when special demands are placed on precision.

CNC control SINUMERIK 840D – compact high technology

SINUMERIK 840D is a CNC control for up to 31 axes. It is an integral component of the modular SIMODRIVE 611 drive system. Thus, communications with the drive modules are realized through the shortest path.

Based on the modular SIMODRIVE 611 system, a module has been conceived in the form of SINUMERIK 840D, which provides significant technical advantages over comparable individual solutions.

The highlights include:

• Up to 31 axes can be positioned

• Precision better than 1 µm

• Integrated SIMATIC S7-300 CPU with PROFIBUS-DP interface

• Only 50 mm wide in the SIMODRIVE 611digital packaging design

• Scalable processor performance

• Integrated, certified safety functions

SIMODRIVE 611 digital AC drive converters

SIMODRIVE 611digital is a flexibly configurable drive converter system, which is fully aligned to the technical requirements placed on state-of-the-art machines, both economically as well as ecologically. With SIMODRIVE 611digital, Siemens is offering a drive converter system with digital closed-loop control, which is guaranteed to fulfill the highest requirements regarding dynamic performance, speed control range and smooth running characteristics.

As a result of the modular drive converter system design, drive configurations with almost any number of axes or main spindles can be implemented. The axis modules are designed for 1FT6, 1FK6, 1FK7 and 1FN feed motors as well as 1PH main spindle and 1FE built-in synchronous motors.


5.1.2 Equipment components

Fig. 5/4 SINUMERIK 840D – NCU and NCU box (figure not reproduced)

The SIMODRIVE 611digital drive converter system offers the following advantages:

• It fulfills the requirements of the EMC Directive and EMC-compatible supplies

• Low line supply stressing as a result of sinusoidal current operation and regenerative feedback

• Compact design using low-loss power semiconductors

• High level of functionality in the smallest space using highly integrated control electronics

The digital control modules of the SIMODRIVE 611digital are used in conjunction with the 1FT6/1FK6/1FK7 SIMODRIVE AC servomotors and 1FN linear motors for feed drives and 1FE and 1PH motors for main spindle drives. They evaluate the optical sine-cosine encoders, which are integrated in the 1FT6/1FK6/1FK7 or 1PH motors. This means that up to 4.2 million increments per motor revolution can be achieved as measuring circuit resolution. For 1FN motors, a linear incremental or absolute-coded measuring system with EnDat interface is required to sense the position, speed actual value and pole position. 1FE motors require a hollow shaft encoder with sinusoidal-cosinusoidal signals for the closed-loop speed and position control. For control modules with direct position sensing, a direct measuring system can be connected. The certified safety functions are available for all encoder versions.

Various drive-related versions can be implemented using the modular SIMODRIVE 611digital drive converter system, and combined as required in a drive group.

1FK6/1FK7 and 1FT6 servomotors

These represent the optimum solution when the highest dynamic performance and precision are demanded. Users hold simple and good controllability, combined with features such as freedom from maintenance and high overload capability, in especially high esteem.

1FK6/1FK7 and 1FT6 three-phase servomotors are compact permanent-magnet synchronous motors, which have been especially developed for operation with the SIMODRIVE 611digital drive converter system. The fully digital closed-loop control and the new integrated encoder system (motor measuring system) fulfill high demands placed on the dynamic performance, speed control range, smooth running and positioning accuracy.

Special speed-controlled 1PH induction motors

Based on the Transvector control (field-vector control), which was developed and patented by Siemens, an induction motor can be just as simply controlled as a DC motor. An induction motor controlled by SIMODRIVE 611digital has many advantages over DC motors, such as freedom from maintenance and full availability of the rated torque even at standstill. 1PH motors are equipped with a high-quality encoder system for closed-loop speed control and positioning.

Fig. 5/5 SIMODRIVE 611digital drive converter system (figure not reproduced)

Fig. 5/6 Digital control module (figure not reproduced)


1PM main-spindle motors with hollow shaft

The 1PM4 liquid-cooled motors and the 1PM6 air-cooled motors are especially designed so that they can be directly mounted onto mechanical spindles. The hollow shaft allows the feed of cooling-lubricating medium for internally cooled tools. The motors have an integrated hollow-shaft measuring system to detect the motor speed and indirect position.

1FN linear motors

1FN three-phase linear motors, together with SIMODRIVE 611digital, form a harmonized linear drive system for the requirements of the machine tool industry. The motors consist of a primary section and a secondary section with rare-earth magnets. When suitable measuring systems are used, the motors can be positioned in the nanometer range. The high traversing velocities and the extremely high dynamic performance which can be achieved with the motors are just some of the highlights worth mentioning.

1FE built-in synchronous motors

1FE motors are water-cooled synchronous motors, which are supplied as components. They are predominantly used for main-spindle applications. These motors are mainly used together with the SIMODRIVE 611digital drive module where the highest demands are placed on the machining quality, precision, smooth running characteristics and extremely short accelerating times.

Fig. 5/7 1FT6 servomotors

Fig. 5/8 1PH built-in induction motor

Fig. 5/9 1FN3 linear motor

Fig. 5/10 1FE built-in synchronous motor

Fig. 5/11 1PH7 induction motor

Fig. 5/12 System components and connection systems

(figures not reproduced)


Accessories

The Siemens SINUMERIK and SIMODRIVE automation systems are designed for all types of machine tools and processing equipment. With its family of MOTION-CONNECT cables, Siemens is offering the matching pre-assembled cables, cables sold by the meter and connectors which are ideally suited to the particular application.

The customer benefits of Siemens pre-assembled cables include:

• System functionality and compatibility are guaranteed

• EC EMC Directives are fulfilled

• Insulation in accordance with VDE

• In conformance with DESINA

• No mounting problems

• No special tools are required

• MOTION-CONNECT 800, 700, 500 provide a tailored solution for every application

• Perfect functioning of the complete system is guaranteed

The supplementary system components such as encoders, hand wheels, operator control and handheld programming devices are also harmonized with the overall system.

SIMODRIVE sensor measuring systems for measuring distances, angles and velocities are available from Siemens as either incremental encoders or absolute encoders. For the incremental encoders, the interfaces are harmonized with the particular control system. Absolute-value encoders are available in versions with SSI, EnDat and PROFIBUS-DP. The encoders can be quickly and easily commissioned as they can be parameterized. High machine availability is achieved using system-tested components.

The original Siemens accessories are an essential component of SINUMERIK Safety Integrated applications.

Also refer to Section 5.1.12 “Ordering data and documentation” and the Function Description SINUMERIK Safety Integrated.

5.1.3 System requirements

SIMODRIVE 611digital

• Safety Integrated is available for digital drives

• The Performance as well as the Standard 2 control of 611digital can be used

• The control boards must always be ordered with DMS measuring circuit

• At least one measuring system must always be used

SINUMERIK

For SINUMERIK, Safety Integrated is available for the 840C and 840D types in conjunction with SIMODRIVE 611digital. In this particular case, all of the CPU versions can be used.

• Inputs/outputs for safety-related signals (safety-related I/O):
  1. NC and PLC peripherals (I/O) form a 2-channel I/O structure, or
  2. Fail-safe modules are coupled through PROFIBUS with the extended PROFIsafe protocol (not with 840C)

• SINUMERIK Safety Integrated is a software option and comprises a basic and an axis option. In this case, the basic option already includes the axis option for 4 drives.

• For the SI functions, CPU system resources (NC, PLC, drive) are required, which are dependent on the scope of the functions used and the number of drives. In borderline cases, it may be necessary to use a higher performance NC-CPU.

Encoders and measuring circuit

• Generally, every measuring system can be used which fulfills the measuring circuit specifications of SIMODRIVE 611digital.

• 1-encoder concept: At least one measuring system is required, which is generally covered using the indirect motor measuring system (IMS) as either incremental or absolute encoder.

• 2-encoder concept: A second measuring system is not required; however, it can be integrated as direct measuring system (DMS).

• The measuring circuit cables must be in conformance with the SIMODRIVE 611digital specifications. This means that they must have twisted and shielded pairs.

SIMATIC

• All of the standard SIMATIC components can be used.

• I/O for safety-related signals (safety-related I/O):
  1. NC and PLC peripherals (I/O) form a 2-channel I/O structure
  2. Fail-safe modules are coupled through PROFIBUS with the extended PROFIsafe profile

HMI

• The operator and display units (OPs) are not embedded in the safety concept. They are only used to display safety-relevant data for diagnostics and commissioning.


5.1.4 Safe stopping process

The safe stopping process is not an autonomous function, but describes a procedure which can be implemented using “SINUMERIK Safety Integrated” functions. The safe stopping process safely stops the motion and brings the drive to a standstill when a monitoring function or a sensor responds (e.g. light curtain).

All safety-relevant faults and errors in the system, or the response of an appropriate sensor, always result in a coordinated, safe shutdown of the hazardous motion. Depending on the system engineering specifications, the power to the motor can be quickly disconnected. This power disconnection between the drive converter and motor, required in special cases (where the drives go into a torque-free condition), is realized contactlessly and can be initiated on an axis-for-axis basis with extremely short response time. Thus, it is no longer necessary to discharge the DC link in the drive. The drives are always shut down in an optimum fashion, according to the actual operating status of the machine.

The integrated functions are supplemented by activating external braking mechanisms, which, for safety shutdown, results in the shortest possible braking travel. External braking mechanisms can include, for example:

• External mechanical brake, holding or operating brake

• External electrical brake, such as armature short-circuit brake.

Principally, the line contactor is no longer required if the machine has a main switch, which allows it to be electrically disconnected from the supply.

Stop responses

A high degree of fail-safety is obtained as a result of the two-channel monitoring structure with its permanent cross-monitoring. If differences occur between the two monitoring channels, alarms and stop responses are automatically initiated. The stop responses should safely shut down the drives corresponding to the particular requirements at the machine. A differentiation is made between the stop versions STOP A, B, C, D, E, F and the test stop. The system can specify a preset stop response type when a fault/error occurs, or the machine OEM can configure the required response. When the limit values defined using the machine data are violated, the stop responses of the machine OEM can be initiated. Stops A, C, D and E can also be selected externally, event-related, using safety-relevant inputs (SGE). The stop versions are implemented as follows:

Fig. 5/13 Stop versions for different stopping types (diagram, not reproduced: Stop A, only when a fault is present, leads to SH, the drive in a no-torque condition; Stop B (setpoint input "0") and Stop F also end in SH; Stop C (setpoint input "0"), Stop D (path-related as a group) and Stop E (retraction conditions) end in SBH, standstill in closed-loop position control; the stop category acc. to EN 60204 Part 1 is shown for each version)


• Stop A

Using Stop A (this corresponds to Stop Cat. 0 acc. to EN 60204, without electrical isolation), the drive can be directly switched into a no-torque condition using the “Safe Standstill” function. A drive that is at standstill can no longer undesirably start. A drive which is still moving coasts down. This can be prevented by using an external braking mechanism such as armature short-circuit, holding and operating brakes. The axis-specific alarm results in a mode stop, which means that as a result of the response in one axis, all of the axes and spindles in a mode group are also shut down. At the end of Stop A, the axis is at a “safe standstill”.

• Stop B

The drive is braked along the current limit in the closed-loop speed controlled mode and goes into the “safe standstill” state (this corresponds to the stop Category 1 according to EN 60204, without electrical isolation).

• Stop C

The drive is braked along the current limit in the closed-loop speed controlled mode and goes into the “safe operating stop” state.

• Stop D

The drive, as a group, including the synchronous axes, is braked path-related and goes into the “safe operating stop” state.

• Stop E

The drive, as a group, including retraction motion, is braked path-related and goes into the “safe operating stop” state.

• Stop F

The Stop F response is permanently assigned to the cross-monitoring result and data comparison. This means that faults/errors in the drive and on the control side are detected. Depending on the configuration, a Stop B or A response is initiated. “Safe standstill” is effective at the end.

When configuring the stop responses, personnel protection has topmost priority. The optimum stop response for machine protection can be configured in the automatic mode with the protective door closed. The goal is always to optimally stop the machine in any particular situation.

Example 1: Grinding machine with open protective door (setting-up operation):

• Feed drives with Stop C: The drives, for each individual axis, are braked along the current limit as quickly as possible and then go into the “safe operating stop.” Thus, they remain in the closed-loop position controlled mode.

• Grinding wheel drive with external Stop A: In this particular mode, the drive is always maintained in a torque-free condition via the external Stop A with “safe standstill”.

Example 2: Grinding machine in the automatic mode:

• Feed drives with Stop E: The drives, as a group, execute a retraction movement (cut themselves free), are braked along the contour via a ramp and go into the “safe operating stop” state. They remain in the closed-loop position-controlled mode.

• Grinding wheel drive with Stop D: The drive is braked along a ramp and is therefore held by the torque load below the sparking limit. The drive goes into the “safe operating stop” state and is kept in the closed-loop position-controlled mode.

Safe standstill – SH

When a fault occurs or in conjunction with a machine function, the “safe standstill” is used to safely disconnect the power feed to the motor. This is realized for each axis and the power is disconnected contactlessly. The basis for the “safe standstill” function is the safe pulse cancellation, which is integrated in the SIMODRIVE 611digital drive modules.

The machine OEM must take the appropriate measures to stop axis movement after the power feed has been disconnected from the motor (e.g. to prevent hanging axes dropping).

Features

• A motor cannot accidentally start.

• The power feed to the motor is safely interrupted.

• The motor is neither disconnected from the drive module nor from the drive converter DC link.

Fig. 5/6 shows four basic possibilities of bringing a motor into a no-torque condition. These differ in their principle of operation.

Fig. 5/14 Safe standstill - the power is electronically disconnected (diagram, not reproduced: supply feed to Drive 1 and Drive 2, each with motor M; central measures 1 main switch and 2 line contactor; axis-specific measures 3 gating pulses and 4 gating voltage)

① Main switch: Mode of operation ➩ central. Every machine must be equipped with at least one switch that permits the machine to be completely electrically isolated from the line supply. This is generally realized using the main switch. This measure protects personnel working on the equipment against electric shock. When open, this switch must be secured so that it cannot be accidentally closed.

② Integrated line contactor: Mode of operation ➩ central. The complete drive converter can be electrically isolated from the line supply using the line contactor in the rectifier/feed module. With reference to the drive converter, this measure represents a Category 0 Stop. In the past, with an integrated line contactor, for EMERGENCY STOP, the drive converter was brought, in conjunction with a Category 1 Stop, into a no-torque condition. However, electrical isolation is not mandatory for EMERGENCY STOP.

(Also refer to the Application Manual, Section 1, Page 1/14)

③ Pulse cancellation in the gating unit: Mode of operation ➩ axis-specific. The fastest way to bring individual axes into a no-torque condition is to cancel the pulses using the gating unit. However, this measure, when applied on its own, is not safety-relevant.

④ Control voltage of the optocoupler: Mode of operation ➩ axis-specific. When the control voltage of the optocouplers is disconnected when a fault condition occurs, gating unit pulses which are still present cannot be converted into a torque in the drive power section. However, this measure is, when applied by itself, not safety-relevant. It is not possible to electrically isolate the drive converter DC link (600 V) from the motor. This is also not required for “functional safety”.

Conclusion: Measures 3 and 4 are physically decoupled and together form an effective and safety-relevant method of canceling the drive converter pulses on an axis-for-axis basis. They form the basis for “safe standstill” and can be independently initiated from the drive and the NC. The concept is rounded off by integrating into cyclic tasks (forced checking procedure).

This means that a total safety-related concept is created from individual measures, which completely fulfills the requirements for EMERGENCY STOP. It is no longer mandatory to open the line contactor.

However, when carrying out work (e.g. service, maintenance...) on live components, the equipment must always be isolated from the line supply.


Comment regarding Emergency Stop in the US

The NFPA 79 has been recently revised and has been in force since the middle of 2002. For the first time, NFPA 79 permits software, electronics and bus systems to be used for Emergency Stop. However, contrary to the EEC, for stop Category 1, it is also necessary to subsequently electrically isolate the equipment from the line supply. This can be simply engineered as a US version.

Safe operating stop - SBH

This function is used to safely monitor the standstill position of an axis or spindle. In this case, the drives remain fully functional in the closed-loop position controlled or closed-loop speed controlled mode.

Features

• The axis remains in the closed-loop controlled mode.

• Standstill tolerance window which can be parameterized.

• Configurable stop response when the monitoring function responds (Stop B or A).

Safe braking - SBR

With this function, the expectation that after a stop command the actual velocity must be reduced is used as the basis (the speed characteristic is monitored).

When a stop command is initiated, the current velocity plus a velocity tolerance, specified using a machine data, is activated as the velocity limit. This limit is compared with the actual velocity (which must be less than or remain the same) and is cyclically corrected. This means that the system quickly detects if the axis re-accelerates during braking; a subsequent response is then initiated.

Features

• If an axis re-accelerates during braking, then this is detected as quickly as possible.

• The “safe braking ramp” is automatically activated if a Stop B or C was initiated.

• When the “safe braking ramp” responds, Stop A is directly initiated.
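To make the monitoring rule concrete, here is an added Python model of the safe braking ramp as described above (constructed illustration, not code from the manual or from Siemens): the limit is armed on a Stop B or C as current velocity plus tolerance and is corrected downwards every monitoring cycle. Velocity units, the traces and the one-sample-per-cycle timing are assumptions.

```python
"""Added model of the safe braking ramp (SBR): a constructed illustration,
not Siemens code."""
from typing import List, Optional


class SafeBrakingRamp:
    """Per-axis SBR monitor. Velocity units are constructed and assumed to be
    the same as those of the machine-data tolerance."""

    def __init__(self, tolerance: float) -> None:
        self.tolerance = tolerance           # velocity tolerance from machine data
        self.limit: Optional[float] = None   # None = ramp not armed
        self.stop_a = False

    def stop_command(self, v_actual: float, category: str) -> None:
        """Arm the ramp: only a Stop B or Stop C activates the SBR."""
        if category in ("B", "C"):
            self.limit = abs(v_actual) + self.tolerance
            self.stop_a = False

    def cycle(self, v_actual: float) -> str:
        """One monitoring clock cycle; returns 'INACTIVE', 'OK' or 'STOP_A'."""
        if self.limit is None:
            return "INACTIVE"
        if self.stop_a:
            return "STOP_A"                  # latched until acknowledged
        v = abs(v_actual)
        if v > self.limit:
            self.stop_a = True               # ramp violated: Stop A directly
            return "STOP_A"
        # Cyclic correction: the limit follows the falling velocity downwards
        # and never rises again, so re-acceleration is caught within one cycle.
        self.limit = min(self.limit, v + self.tolerance)
        return "OK"


def monitor_trace(trace: List[float], tolerance: float,
                  category: str = "B") -> Optional[int]:
    """Run a velocity trace through the monitor (sample 0 is the cycle in
    which the stop is issued) and return the cycle index at which Stop A
    fired, or None if the whole trace was braked within the ramp."""
    sbr = SafeBrakingRamp(tolerance)
    sbr.stop_command(trace[0], category)
    for i, v in enumerate(trace):
        if sbr.cycle(v) == "STOP_A":
            return i
    return None


# Constructed velocity traces, one value per monitoring cycle after the stop.
NORMAL_BRAKING = [100.0, 90.0, 78.0, 65.0, 50.0, 36.0, 20.0, 8.0, 0.0]
RE_ACCELERATION = [100.0, 90.0, 78.0, 70.0, 82.0, 95.0, 100.0, 60.0, 0.0]

if __name__ == "__main__":
    print(monitor_trace(NORMAL_BRAKING, 10.0))        # None: braked inside the ramp
    print(monitor_trace(RE_ACCELERATION, 10.0))       # 4: 82 exceeds the limit of 80
    print(monitor_trace(RE_ACCELERATION, 10.0, "A"))  # None: Stop A does not arm SBR
```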

Example, Emergency Stop

Safety-related signals and the required responses are logically combined internally using safety-related technology. The electric drives are safely shut down and are then disconnected from the power source via the electronics. An undesirable restart is also safely prevented. External potentially hazardous energy sources, for example hydraulic systems or lasers etc., can be switched out using safety-related outputs associated with the integrated EMERGENCY STOP logic and downstream actuators (power contactors, valves). The coordinated safe stopping process prevents or reduces subsequent damage (e.g. crash) when shutting down and also permits a fast, simple restart.

Test stop

With the test stop, for each monitoring channel, the complete shutdown path is tested with the external circuitry.

When executing the test, the comparators and stop modules of the two monitoring channels, which are responsible for the stop function, are executed one after the other. Also refer to Section 5.1.11 on the subject of the forced checking procedure.

Safely reduced speed - SG

The “safely reduced speed” function is used to safely monitor the speed of a drive.

To realize this, the actual speed of the drive is cyclically compared, in the monitoring clock cycle, with the speed limit selected via safety-related inputs. The speed limits are defined in the machine data.

Various applications and operating statuses at the machine can be monitored using the speed limits for safely-reduced speed 1, safely-reduced speed 2, safely-reduced speed 3 or safely-reduced speed 4. Further, the limit values safely-reduced speed 2 and safely-reduced speed 4 can be graded in 16 steps using “safety-related inputs” (4 bits). The entry is made in % (1 to 100%) and is saved in a table in the machine data. Thus, a total of 34 freely selectable speed limits are available for each drive. This allows personnel and machine protection to be implemented in the setting-up mode and also in the automatic mode.

Comment: For changeover gearboxes, the correct gearbox ratio must be selected!

Features

• Safe monitoring of the load side speed limits.

• The monitoring limits are adapted to various operating statuses (e.g. test, setting-up, automatic mode).

• Configurable safely reduced speed-specific stop responses.


5.1.5 Monitoring speed and position


Safely reduced speed-specific setpoint limiting

With this function, for the first time, in addition to the speed actual value, the speed setpoint is also taken into consideration. The “safely reduced speed-specific setpoint limiting” automatically limits the setpoint to the currently effective limit of the safely reduced speed. If this value changes for a drive, then the setpoint limit is automatically corrected. If the drives operate in a group, then the function acts on all of the coupled drives. This means that the machined contour is always maintained.

Applications

• When testing NC programs (operating mode 3), e.g. when the protective door is opened. This means that no test-specific changes have to be made to program parameters.

• If, for example, a safety zone is entered using the traversing keys, where lower safely reduced speed limits are active, the axis is not stopped, but the speed is automatically reduced to the speed setpoint which is effective there.

Features

• The setpoint is limited in one channel in the NCK.

• This is effective when traversing the drives using traversing keys or when executing NC programs.

• The limit value lies X% below the active safely reduced speed limit.

• The axes involved are instantaneously accelerated or braked, interpolating.

• This function is only executed if the programmed setpoint lies above the active safely reduced speed limit.

• If the programmed setpoint is less than the active safely reduced speed limit, then the drives traverse as specified in the program.

Safe software limit switch - SE

A working zone/protective zone demarcation or traversing range limiting can be implemented for each axis using this “safe software limit switch”. This means, for example, that hardware limit switches are not required on the mechanical system. Two limit switch pairs per axis are available. Each limit switch pair consists of a positive switch (safe limit switch 1+ and safe limit switch 2+) and a negative switch (safe limit switch 1– and safe limit switch 2–). It is possible to toggle between safe limit switch 1 and safe limit switch 2 via the safety-related inputs.

Features

• End positions can be safely defined and evaluated per software.

• Configurable stop responses when end positions are reached.

• Stop response when passing end positions is realized internally in the software.

Safe software cam - SN

Safe range identification can be implemented for each axis using the safe software cam function. This means that today's “hardware solution” can be replaced.

4 cam pairs (safe software cam 1 to safe software cam 4) are available for each axis. Each cam pair comprises a positive cam (safe software cams 1+, 2+, 3+ and 4+) and a negative cam (safe software cams 1–, 2–, 3– and 4–). Each cam signal can be individually configured via the machine data. The cam signals are output via safety-related outputs.

Features

• Cam positions can be safely defined and evaluated using software.

• Safety ranges are defined.

• Safe cam-dependent changeover of safety functions (e.g. safe position-dependent changeover of the safely reduced speed stages).


Safe programmable logic - SPL

The “safe programmable logic” allows, for the first time, safety-related sensors and actuators to be directly connected and logically combined. The logic is redundantly incorporated in the NC and in the internal PLC. This means that all safety-related sensors and actuators, e.g. EMERGENCY STOP or interlocking concepts for protective doors, can be configured using the SINUMERIK Safety Integrated software. EMERGENCY STOP, in conjunction with “safe standstill”, can now be implemented by the evaluation logic up to power disconnection, contactlessly and using safety-related technology. Discrete hardware contacts can be eliminated, which is reflected in a simplified cabinet design. Only the power contacts (e.g. contactors) are required to directly control the external actuators.

Features

• Universal, programmable logic utilizing safety-related technology

• The logic is immediately activated after run-up

• Cyclically executed, independent of the user program

• Integrated timer for forced checking procedure

• Effective in all operating modes.

Safety-related I/O - SGE/SGA

The safety-related input and output signals represent the interface to the process. They are digital signals which are entered into the system or are output from the system through two channels. The safety-related inputs and outputs need not be routed via hardware terminals.

In conjunction with the safe programmable logic, when required, they can be internally processed as software signals.

Features

• Safety-related functions can be selected and canceled

• Limit values can be selected and changed over

• Status signals can be fed back

• Cam signals can be output

• Sensors can be directly connected

• Actuators can be directly connected.


5.1.6 Logically combining safety-related process signals

Fig. 5/15 Basic structure - safe programmable logic (figure: max. 64 safety-related signals can be directly connected as safety-related inputs, e.g. mode switch, light grids, EMERGENCY STOP; the NCK logic and the PLC interlocking logic run in parallel with crosswise data comparison; safety-related outputs drive max. 64 safety-related actuators, e.g. protective door interlocking, motor brakes, and the power section)


In order to integrate sensors and actuators in a safety-related fashion, their process signals must be fed to the “safe programmable logic” SPL for further processing.

The following connection types are available:

1. Using separate hardware I/O from the PLC and NC with degree of protection IP20

2. Via PROFIsafe with the ET 200S PROFIsafe I/O modules with degree of protection IP20

3. Via PROFIsafe as direct, safe communications with a safety-related PROFIsafe sensor/actuator

This applies for process signals from:

• Sensors, for example, switches, protective door contacts, EMERGENCY STOP pushbuttons, light curtains, laser scanners

• Actuators, for example, load contactors, valves, interlocking solenoids, brakes

These are directly connected without using any external evaluation devices and transferred to the “SINUMERIK Safety Integrated” platform.

Signal encoder versions for the sensors

1. Monovalent concept with NC / NC contacts

This version is predominantly used for de-activation, for example for emergency stop or protective door contacts. The signals are checked for plausibility.

2. Monovalent concept with NO / NO contacts

This version is predominantly used for activation, for example for an enable button. When the enable button is pressed, safety functions, for example, are activated or drives are enabled. The signals are checked for plausibility.

3. Antivalent concept with NC / NO contacts

This version allows sensors to be combined which both activate as well as de-activate, such as those which are used as traversing buttons for drives. The signals are checked for plausibility.

An advantage of this version is that a short-circuit or broken conductor results in a non-plausible state.

Version 3, the antivalent concept, covers the requirements of versions 1 and 2. This is recommended in the VDW DESINA project.

Comments regarding the mechanical sensor design

A differentiation must be made between the following cases:

1. The sensor (e.g. safety interlocking) is a safety-related component and is certified. This means that a fault situation can be excluded - no additional measures are required.

2. The sensor is a component which has been well-proven in operation in accordance with EN 954-2. A fault can be excluded under the following conditions:

• Regular maintenance according to the manufacturer's specifications

• The sensor is regularly replaced after its product lifetime has expired

• Fault detection is realized using downstream electronics with cyclic tests using dynamic update by the process (e.g. protective door), or using a forced checking procedure.

3. The sensor is a standard component. A fault cannot be excluded.

• The two signal-generating elements (e.g. switching contacts of a pushbutton) of the sensor must be mechanically de-coupled – or two separate sensors must be used.

• Faults are detected using the downstream electronics with cyclic tests using dynamic update by the process (e.g. protective door), or using a forced checking procedure.


5.1.7 Integrating sensors/actuators - basics


Comments on the mechanical actuator design

A differentiation should be made between the following cases:

1. The actuator (e.g. safe motor starter) is a safety-related component and is certified. This means that a fault situation can be excluded - no additional measures are required.

2. The actuator is a component which has been well-proven in operation in accordance with EN 954-2 (e.g. valve). A fault can be excluded under the following conditions:

• Regular maintenance according to the manufacturer's specifications

• The actuator is regularly replaced after the product lifetime has expired

• Fault detection is realized using downstream electronics with cyclic tests using dynamic update by the process (e.g. protective door) or using a forced checking procedure.

3. The actuator is a standard component. A fault cannot be excluded.

• Two separate, mechanically de-coupled actuators are required.

• Faults are detected using the downstream electronics with cyclic tests using dynamic update by the process (e.g. protective door), or using a forced checking procedure.


Fig. 5/16 Sensor-actuator integration via the S7 I/O and the DMP module of the NC (figure: central coupling of sensors and actuators via the PLC I/O and NC I/O, over the bus and the drive bus, to the “Safety Integrated” platform consisting of NC, integrated PLC, drive, motor, brake and encoder; further sensors and actuators via specific interfaces; safety-related inputs/safety-related outputs SGE/SGA)

Fig. 5/17 Sensor-actuator integration via ET 200S PROFIsafe (figure: central and distributed coupling via PROFIBUS with PROFIsafe and safe I/O via ET 200S to the “Safety Integrated” platform consisting of NC, integrated PLC, drive, motor, brake and encoder; further sensors and actuators via specific interfaces; safety-related inputs/safety-related outputs)


Basic structure

The sensors and actuators are directly coupled to the standard I/O modules of the PLC and NC without using any external evaluation units. The signals are then available to the “SINUMERIK Safety Integrated” platform via separate buses. The 2 from 2 evaluation is always used when integrating sensors.

Features

• Standard I/O modules

• Separate hardware channels

• Separate buses

Sensor-actuator integration according to the 3-terminal concept

Integrating sensors

For sensors which are connected via the I/O of the PLC and NC, a 3-terminal concept can be used as the basis. If the signals are read from a sensor through 2 channels, then a single-channel test output for control Category 3 is sufficient. Thus, to integrate the sensor in a safety-related fashion, three terminals at the I/O periphery are required.

2 inputs + 1 test output

Integrating actuators

For actuators which are connected through the I/O of the PLC and NC, a 3-terminal concept can also be used as the basis. If an actuator is controlled through 2 channels, then it is sufficient to read back the process signal through one channel to fulfill control Category 3. This means that 3 terminals are also required at the I/O peripherals in order to integrate the actuator in a safety-related fashion.

2 outputs + 1 test input

Cross-circuit fault safety

If the connecting cables are routed protected in the cabinet or parts of the system, then it can be assumed that faults are extremely improbable (short-circuit, cross-circuit, ...). As defined in EN 954-2, so-called fault exclusion can be assumed for the connecting cable. This means that it is completely adequate if the sensor is connected up in accordance with the 3-terminal concept.

The measures applied for cross-circuit fault safety are independent of the control category (3 or 4).

Safety-related hardware input signals

All safety-related process signals (sensors, e.g. EMERGENCY STOP, protective door, light curtain...) must be configured redundantly and separately connected as “safety-related inputs” to the 2-channel inputs of the PLC and NC. In this case, it is not permissible that the input terminals are directly jumpered.


5.1.8 Sensor-actuator integration via separate hardware I/O from the PLC and NC

Fig. 5/18 Sensor-actuator integration via the S7 I/O and the DMP module of the NC (figure: system with NC control, integrated PLC, drive, motors and measuring system; separate hardware via separate buses: DMP module for NCK I/O on the drive bus, S7-ET 200M for PLC I/O on the bus)


Application example: Emergency Stop

Features

• The sensor is controlled from a PLC test output with 24 V through a common connection and fed to the safety-related control via the two input channels 1 and 2.

• Faults (P and M short-circuit) can be detected in the connecting cables in conjunction with the crosswise data comparison and the forced checking procedure.

• A pure short-circuit between the two inputs from channel 1 and channel 2 cannot be detected using the 3-terminal concept.

It must be ensured that the signal state of the “safety-related inputs” does not differ. Depending on the tolerance timer (approx. < 1 sec.), when the tolerance time is exceeded a monitoring function responds and the machine is automatically shut down.

Comment 1:

For sensors which only have pure electronic outputs, i.e. no contacts, which is partially possible for light curtains, the circuit at the PLC and NC inputs stays the same. However, the test output of the PLC is directly connected to the special test input at the sensor. The 3-terminal concept is essentially kept.

Comment 2:

If a safety component (e.g. Emergency Stop button) is not used as sensor, then the two signal-generating elements (e.g. switching contacts for a pushbutton) must be mechanically de-coupled.

Sensor integration according to the 4-terminal concept

If it cannot be completely guaranteed that the connecting cables are protected against crushing (e.g. cables for HHUs), or if higher requirements are demanded as a result of the particular application, then a pure cross-circuit fault (neither P nor M short-circuit) must be assumed in the hazard analysis. This means that the sensor must be connected using the 4-terminal concept. In this case, two separate cables are connected to the two signal-generating elements (e.g. contacts). 4 terminals are required at the I/O periphery to integrate the sensor in a safety-related fashion.

2 inputs + 2 test outputs

Cross-circuit fault safety

Using this technique, with standard modules, it is possible to implement complete fault detection functionality for the sensor connecting cables. The connecting cables do not have to be routed in any special way.

Safety-related hardware input signals

The basic principle corresponds to that of the 3-terminal concept. The extended measures are designed to detect a cross-circuit fault (i.e. no connection to M or P potential) between the two cables.

Fig. 5/19 Sensor integration using the 3-terminal concept – example for Emergency Stop


Application example: Emergency Stop

Features

• The sensor is directly controlled from two PLC test outputs, each with 24 V, and is fed to the safety-related control through the two input channels 1 and 2.

• Test output 1 is delayed with respect to test output 2 by tx. This results, as the expected response, in a unique signal characteristic at the input channels 1/2.

• A 1-channel test routine in the PLC checks this expected response. This test can be made as part of the forced checking procedure.

• In conjunction with the crosswise data comparison and the forced checking procedure, all faults (P and M short-circuit) including a pure short-circuit (cross-circuit fault) can be detected in the connecting cables.

Comment 1:

The concept presented here can only be used with sensors using contacts and in closed conductor circuits (closed-circuit principle). For electronic signals, the sensor must implement the cable monitoring function.

Comment 2:

If a safety component (e.g. Emergency Stop button) is not used as sensor, then the two signal generating elements (e.g. switching contacts for pushbuttons) must be mechanically de-coupled.

Safety-related hardware output signals - P/P switching

For P/P switching versions, two actuators always switch in series in the load circuit. Both channels (NC and PLC) control the actuators with a positive voltage (24 V) (positive-positive switching). Commercially available contactors with positively-driven feedback signal contacts can be used, for example to switch motors.

The feedback signal from the load circuit should be derived as directly as possible from the actual process quantity. For example, it is preferable to use a feedback signal from the hydraulic pressure using a pressure sensor or a checkback signal from the moved mechanical system (endstop) using a Bero instead of using an indirect feedback signal from the hydraulic valve.

Fig. 5/20 Sensor integration using the 4-terminal concept – example for Emergency Stop


Application example: 400 V load voltage

• The 400 V load voltage of standard induction motors is safely disconnected

• The 400 V load voltage of distributed units is safely disconnected

Features

• The load circuit is always controlled through two channels

• There are always two actuators - this means that the load is always interrupted or switched through two channels

• Commercially available (standard) components can be used as actuators, e.g. contactors, valves, as two devices are always used.

• The positively-driven checkback signal contacts (NC contacts) of the actuators are permanently connected to 24 V, are switched in series and are read back from the PLC through one channel.

• Faults in the control and at both of the actuators can be detected in conjunction with the forced checking procedure

• When an actuator fails, the load can still be disconnected through the second channel

• The actuator can be switched purely via the PLC through one channel, dependent on the process.

Safety-related hardware output signals – P/M switching

For P/M switching versions, only a single actuator switches the load circuit. The NC channel controls the actuator with a positive voltage (24 V); the PLC channel controls the actuator with M potential (positive-M switching). This control version is always required if there is only one solenoid to directly control the load circuit. This is, for example, the case for:

• Tumbler solenoids on protective doors

• Holding brakes integrated in motors

• Operating brakes hydraulically controlled through valves (e.g. for linear motors)

The feedback signal from the load circuit should be derived as directly as possible from the actual process quantity. For example, it is preferable to use the direct feedback from the hydraulic pressure using a pressure sensor or the feedback signal of the moved mechanical system (endstop) using a Bero instead of using the indirect feedback signal from the hydraulic valve. If there is only one actuator in the load circuit, as is the case here, then additional measures are required; for example, the actuator must be subject to a cyclic function test.

Comment:

If there is no feedback signal contact available, then it is possible to proceed as described in the application example “safe brake control – P/M switching”.

• In conjunction with the forced checking procedure, faults in the control and at the actuator can be detected.

• If the actuator fails, the load can no longer be safely shut down through the specific path. In this particular case, depending on the hazard analysis and the type of actuator, additional measures must be applied; these can include, e.g., central shutdown or extended test measures.

• The actuator can be solely switched via the PLC through a single channel, depending on the process.

Fig. 5/21 400 V load circuit – P/P switching – example of a standard asynchronous motor (figure: channel 1 / PLC via bus and S7-ET 200M, channel 2 / NC via drive bus and DMP modules, both with electronics output P; two contactors in series in the 400 V load circuit; 24 V feedback circuit with indirect position monitoring of the load using positively-driven contacts)


Application example: Safety-related brake control – P/M switching

The basic principle is described in the Section “Safety-related hardware output signals – P/M switching”.

The “safe brake control” is part of the “safe brake management” function.

For a description, also refer to Section 5.1.10 “Protection against vertical axes dropping”.

Features

• The load circuit is always controlled through 2 channels.

• There is only one brake (actuator). The process quantity, in this particular case the braking torque, is only applied through one channel.

• The feedback signal is formed from the ground-side connection of the solenoid coil. This means that M and P short-circuits can be detected. This also means that the 3-terminal concept can be used.

• The output from channel 1 is switched with a delay tx with respect to channel 2. This results, as the expected response, in a clear signal characteristic at the feedback signal input.

• A single-channel test routine in the PLC checks this expected response and this could be executed as part of the forced checking procedure.

• A safe brake test is provided as an extended test measure. This tests the actual braking torque available. This function is available with the “safe brake management”. The brake torque test is incorporated in the forced checking procedure for the test stop (testing the shutdown paths).

• During power failures or when cables are interrupted, the brake is mechanically brought into a safe condition as a result of the return springs.

• Only components proven in operation in compliance with EN 954-2 may be used as actuators.


Fig. 5/22 24 V load circuit – P/M switching – example of safe brake control (figure: 24 V / max. 2 A load circuit for the brake; channel 1 / PLC via bus, S7-ET 200M and relay module with relay output M; channel 2 / NC via drive bus and DMP modules with electronics output P, delayed by tx; feedback input to monitor the cable; the holding torque is monitored using a brake test)


Safety-related hardware output signals – P/M switching with intermediate relay stage

With this example, contrary to the previously described direct P/M switching version, the load circuit is controlled through an additional intermediate relay stage to amplify the current. The intermediate relay stage must be used if there is no 2 A output module of the NC I/O and/or no S7 relay module available, or if the load current to be switched is > 2 A.

The outputs used in the NC and PLC are standard outputs where the intermediate relay stage is switched P/P.

Caution!

When using the intermediate relay stage, in comparison to the best case (fast, contact-free NC path switching), the response time is extended by the relay switching time. This results in longer response times, which in turn means that the axes drop further (sag) when faults develop.

Application example: 24 V load voltage > 2 A

• Load power supply from distributed units with > 2 A

• Brakes with > 2 A

Features

• Principally, the same features apply as for the direct P/M switching control.

• The control in the 24 V load circuit remains P/M switching as shown in Fig. 5/22.

• It is not absolutely necessary to integrate positively-driven checkback signal contacts of the intermediate relay stage. This means that standard relays can be used which do not have positively-driven feedback signal contacts. However, in this case, the prerequisite is that the feedback signal from the M potential of the load circuit is incorporated.

• Erroneous functions in the load circuit path are detected as a result of the direct feedback signal from the M potential, e.g.

- if the relay does not switch/drop out (e.g. because the relay contacts do not open)

- short-circuits on the 24 V control cables and the load circuit.


Fig. 5/23 24 V load circuit – P/M switching with intermediate relay stage for > 2 A (figure: channel 1 / PLC via bus and S7-ET 200M, channel 2 / NC via drive bus and DMP modules, both with electronics output P, delayed by tx; the intermediate relay stage switches P and M of the 24 V / > 2 A load circuit; feedback via the 24 V M potential for indirect position monitoring of the load)


Basic structure

The sensors and actuators are directly connected, without any external evaluation units, to the safe inputs and outputs of the ET 200S PROFIsafe. The signals are then available to the “SINUMERIK Safety Integrated” platform through safe communications with PROFIsafe. The sensor/actuator integration is significantly simplified by using ET 200S PROFIsafe.

It:

• Is simpler to install

• Has a modular design

• Can be more flexibly used

• Has more transparent documentation

Features

• Fail-safe ET 200S modules for F-DI inputs, for F-DO outputs and for group shutdown operations using the PM-E F Power Module

• Safe communications via PROFIBUS-DP using the PROFIsafe profile

• Standard design concept where, for control Category 3, safety-related and non-safety-related modules can be used together

• Fail-safe motor starter through the PM-D F Power Module with 6 load groups

• “Distributed Safety” engineering tool from SIMATIC S7

Fig. 5/24 Sensor-actuator integration through ET 200S PROFIsafe (figure: system with NC control, integrated PLC, drive, motors and measuring system; PROFIBUS with PROFIsafe provides safe communications to the ET 200S PROFIsafe with safe inputs, safe outputs and fail-safe motor starter)

5.1.9 Sensor/actuator integration through the fail-safe ET 200S PROFIsafe modules


Sensor integration using fail-safe inputs of an F-DI (2-from-2 evaluation)

A 2-from-2 evaluation means that the sensor has two signal-generating elements (e.g. contacts) which are processed using a two-channel evaluation logic.

For each F-DI, up to 4 sensors can be connected (e.g. Emergency Stop pushbuttons).

Connection system: 2 inputs + 2 test outputs

Application example: EmergencyStop and enable

• Emergency Stop pushbutton withNC/NC contact

• Enable button with NO/NO contact

Features

• The F-DI supplies the sensor from re-dundant voltage sources with 2 testoutputs and reads back the sensorsignals via inputs.

• The F-DI checks the plausibility ofthe signals and monitors the ca-bles/conductors to the sensor. Afterit detects a fault/error, F-DI outputs afault signal.
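The two-channel evaluation and line monitoring described above, modelled as an added Python example (not code from Siemens or from the manual). It assumes three sample slots per cycle (no test output pulsed, T1 pulsed low, T2 pulsed low), a discrepancy limit of three cycles and the fault texts shown; only the wiring principle (each contact fed from its own test output and read back on its own input) comes from the page.

```python
"""2-from-2 evaluation of a two-contact sensor behind the two test outputs of a
fail-safe input: discrepancy check plus line monitoring with test pulses.

Constructed illustration, not code from Siemens or from the manual.  The sample
slot names (idle / T1 pulsed / T2 pulsed), the discrepancy limit and the fault
texts are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Sample = Tuple[bool, bool]   # (I1, I2) read-back levels in one sample slot


@dataclass
class ChannelResult:
    permits_motion: bool      # both contacts closed and no fault
    fault: Optional[str]      # wiring or discrepancy fault, None when healthy


@dataclass
class TwoChannelSensor:
    """One sensor with two contacts: contact 1 is fed from test output T1 and
    read back on input I1, contact 2 from T2 on I2.  Both application examples
    of the manual wire the pair so that it is closed only in the state that
    permits motion (NC/NC Emergency Stop not pressed, NO/NO enable button
    pressed); an open circuit, whatever the cause, is therefore the safe state."""
    name: str
    discrepancy_limit: int = 3            # assumed: cycles the channels may disagree
    _disagree_cycles: int = field(default=0, repr=False)

    def line_check(self, idle: Sample, t1: Sample, t2: Sample) -> Optional[str]:
        """Line monitoring: idle/t1/t2 are samples taken with no test output
        pulsed, with T1 pulsed low and with T2 pulsed low.  Only a channel that
        reads high at idle carries a test pulse that can be checked."""
        if idle[0] and t1[0]:
            return f"{self.name}: I1 does not follow T1 (short-circuit to 24 V)"
        if idle[1] and t2[1]:
            return f"{self.name}: I2 does not follow T2 (short-circuit to 24 V)"
        if idle[0] and not t2[0]:
            return f"{self.name}: I1 follows T2 (cross-circuit between channels)"
        if idle[1] and not t1[1]:
            return f"{self.name}: I2 follows T1 (cross-circuit between channels)"
        return None

    def evaluate(self, idle: Sample, t1: Sample, t2: Sample) -> ChannelResult:
        """2-from-2 evaluation: a wiring fault or a persistent disagreement of the
        channels is a fault; a short disagreement (different switching instants,
        contact bounce) is tolerated but treated as the safe state meanwhile."""
        fault = self.line_check(idle, t1, t2)
        if fault:
            return ChannelResult(permits_motion=False, fault=fault)
        i1, i2 = idle
        if i1 != i2:
            self._disagree_cycles += 1
            if self._disagree_cycles > self.discrepancy_limit:
                return ChannelResult(False, f"{self.name}: channel discrepancy")
            return ChannelResult(permits_motion=False, fault=None)
        self._disagree_cycles = 0
        return ChannelResult(permits_motion=(i1 and i2), fault=None)


def motion_permitted(estop: ChannelResult, enable: ChannelResult) -> bool:
    """Release logic of the application example: the Emergency Stop must be
    released, the enable button pressed and neither sensor in a fault state."""
    return estop.permits_motion and enable.permits_motion
```

A channel that stays high while its own test output is pulsed low is no longer being supplied by that test output; a channel that follows the other channel's pulse is cross-connected. Both cases are reported before the 2-from-2 logic runs, so a wiring fault can never be read as "released".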

Actuator integration through fail-safe outputs of an F-DO up to 2 A (P/M switching)

P/M switching (positive-ground switching) using an F-DO means that the load circuit is redundantly controlled through electronic outputs. This is implemented using actuators, e.g. load contactors, which are generally provided twice and, connected in series, therefore safely interrupt the load circuit. The feedback signal from the load circuit should be derived as directly as possible from the process quantity. For example, the direct feedback signal of the hydraulic pressure through a pressure sensor or the feedback signal of the moved mechanical system (end stop) using a Bero is preferred over an indirect feedback signal from the hydraulic valve. If there is only one actuator in the load circuit (e.g. for a holding brake, valve for a hydraulic operating brake), then additional measures are required, for example, the actuator should be subject to cyclic function tests.

For each F-DO, up to 4 actuators can be connected using this connection system.

Connection system: 2 outputs + 1 test input or, as an equivalent, extended function tests

Application example: 400 V load voltage

• The 400 V load voltage of a standard asynchronous motor is safely disconnected

• The 400 V load voltage of a distributed unit is safely disconnected

Features

• The F-DO controls the actuator with the positive potential (24 V) on one channel and the ground potential (0 V) on the other channel. This means that it is positive-ground switching

Fig. 5/25 Sensor integration via fail-safe inputs – example of Emergency Stop and enable button (diagram: Emergency Stop button with NC/NC contact, two-circuit closed-circuit principle, de-activated; enable button with NO/NO contact, two open conductor loops, activation; both wired to the test outputs and the F-DI of an IM 151-1 High Feature ET 200S PROFIsafe station on PROFIBUS with PROFIsafe)

• The feedback signal (test input) of the positively-driven contacts is realized through a standard input of a DI of the ET 200S.

• The expected response can be checked, for control category 3, in the PLC through 1 channel.

• The F-DO monitors the control cables/conductors of the actuator - when a fault/error develops, the outputs are switched into a safe condition.

• When a contactor fails, the load can be disconnected using the second channel.

Versions:

• The two load contactors can also be controlled in parallel directly between the P and M channels.

• A motor starter in ET 200S PROFIsafe can completely replace the discrete circuit through two load contactors.
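P/M switching with two load contactors in series and the one-channel expected-response check on the positively-driven contacts, as an added Python example (not code from Siemens or from the manual). The contactor model, the assumed drop-out time of two PLC cycles and the fault text are constructed for this example; the welded-contactor case shows why the load is still interrupted by the second channel and why the feedback check then locks the outputs out.

```python
"""P/M switching of a 400 V load through two contactors in series, with the
one-channel expected-response check on the positively-driven feedback contacts.

Constructed illustration, not code from Siemens or from the manual: the
contactor model, the drop-out delay in PLC cycles and the fault text are
assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Contactor:
    """Load contactor with a positively-driven NC auxiliary (mirror) contact:
    the auxiliary contact can only be closed when the main contact is open.
    A welded main contact therefore also keeps the mirror contact open."""
    name: str
    welded: bool = False
    main_closed: bool = False

    def drive(self, coil_energized: bool) -> None:
        if coil_energized:
            self.main_closed = True
        elif not self.welded:
            self.main_closed = False   # welded contacts do not drop out

    @property
    def mirror_closed(self) -> bool:
        return not self.main_closed


@dataclass
class PMSwitchedLoad:
    """F-DO channel pair: the P channel (24 V) drives K1, the M channel (0 V)
    drives K2.  The load is energized only when K1 AND K2 are closed."""
    k1: Contactor
    k2: Contactor
    drop_out_cycles: int = 2              # assumed contactor drop-out time
    commanded_on: bool = False
    locked_out: bool = False              # set after a detected fault
    _settle: int = field(default=0, repr=False)

    def command(self, on: bool) -> None:
        """After a detected fault the outputs stay in the safe (off) state."""
        if self.locked_out:
            on = False
        self.commanded_on = on
        self.k1.drive(on)                 # P channel
        self.k2.drive(on)                 # M channel
        self._settle = self.drop_out_cycles

    @property
    def load_energized(self) -> bool:
        return self.k1.main_closed and self.k2.main_closed

    def feedback(self) -> bool:
        """Test input: one standard DI reads the series connection of both
        mirror contacts, so it is True only when both contactors dropped out."""
        return self.k1.mirror_closed and self.k2.mirror_closed

    def expected_response_check(self) -> Optional[str]:
        """Runs once per PLC cycle.  Once the drop-out time has elapsed, the
        feedback must equal NOT(command); otherwise the outputs are locked out."""
        if self._settle > 0:
            self._settle -= 1
            return None
        if self.feedback() != (not self.commanded_on):
            self.locked_out = True
            self.command(False)
            return "feedback does not match command: contactor fault, outputs locked out"
        return None


def shutdown_and_verify(load: PMSwitchedLoad) -> Tuple[bool, Optional[str]]:
    """Command the load off and run the PLC check until it has a verdict.
    Returns (load still energized?, fault text or None)."""
    load.command(False)
    fault = None
    for _ in range(load.drop_out_cycles + 1):
        fault = load.expected_response_check()
        if fault:
            break
    return load.load_energized, fault
```

With K1 welded the load is still de-energized because K2 opens, and the mirror contact of K1 reveals the fault at the next expectation check; from then on the outputs cannot be re-energized until the contactor is replaced.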

Application example: 24 V load voltage

• The 24 V load voltage of actuators up to max. 2 A is safely disconnected - e.g. for brakes

• The 24 V load voltage of distributed units or load groups up to max. 10 A is safely disconnected

Feature – 24 V load voltage up to max. 10 A

• Using the two channels, the PM-E F controls the actuator directly, P/M switching. The 24 V / 10 A backplane bus is available externally at terminals.

• The feedback signal (test input) of the positively-driven contacts is realized via a standard input of a DI of ET 200S.

• The expected response can be checked, for control category 3, in the PLC through 1 channel.

Fig. 5/26 400 V load circuit – P/M switching / motor starter – example of a standard asynchronous motor (diagram: 400 V load circuit switched by two contactors from the electronic outputs P and M of the F-DO, 24 V control circuit, indirect position monitoring of the load using positively-driven contacts fed back to a DI; alternatively safe shutdown through the PM-D F fail-safe motor starter with 6 load groups in ET 200S PROFIsafe, which replaces the discrete circuit; IM 151-1 High Feature on PROFIBUS with PROFIsafe)

Fig. 5/27 24 V load circuit – P/M switching up to 2 A and up to 10 A (diagram: 24 V/max. 2 A brake load circuit with safe control via F-DO (electronic output), holding torque monitored using a brake test; 24 V/max. 10 A load circuit with safe control via PM-E F (relay output), feedback and position monitoring of the load; DI, F-DO and PM-E F modules in an IM 151-1 High Feature ET 200S PROFIsafe station on PROFIBUS with PROFIsafe)

Features – safety-related brake control up to max. 2 A

• The F-DO directly controls the two channels of the actuator, P/M switching.

• There is no feedback signal for the holding torque. This is the reason that a safety-related brake test is provided as an extended test measure. This checks the available braking torque. This function is available with the “safe brake management.” The braking torque check is incorporated in the forced checking procedure for the test stop (testing the shutdown paths). Also refer to Section 5.1.11.

• During power failures or when cables are interrupted, the brake is mechanically brought into a safe condition by the return springs.

• Only components proven in operation in compliance with prEN 954-2 may be used as actuators.

Application example: Protective door

The special feature of an application with a protective door is the coupling with additional process signals using “safe programmable logic.” Generally, the release must be safely prevented until all of the process parameters are in a safe condition.

For instance, the protective door may only be opened if

• A spindle which is coasting down is at a low, non-hazardous speed or is at a standstill.

• A vertical axis, after the brake test with a defective brake, has been moved into a safe position (clamped position).

• A unit with hazardous energy levels is brought into a safe condition, for example, a laser or a hydraulic system

Features

• The release solenoid is directly and safely controlled from the F-DO (P/M switching)

• The position monitoring of the release mechanism is fed back through one channel and a standard DI

• The expected response can be checked, for control Category 3, in the PLC through 1 channel

• The protective door position is entered through two channels via the F-DI.

Fig. 5/28 Sensor-actuator integration using protective door interlocking as an example (diagram: protective door interlocking with release solenoid under 2-channel control from the F-DO and feedback through 1 channel to a DI (position monitoring, release); protective door contact with 2-channel feedback to the F-DI (position monitoring, protective door); DI, F-DO and F-DI in an IM 151-1 High Feature ET 200S PROFIsafe station on PROFIBUS with PROFIsafe)

Actuator integration through fail-safe outputs of a PM-E F up to 10 A (P/M switching)

Using a PM-E F, 24 V load voltages up to 10 A can be switched through an internal, safe relay combination, P/M switching:

• Through the 24 V backplane bus and standard DOs as a load group inserted to the right of the PM-E F

• Through terminals for distributed load groups

In addition, the PM-E F has two safety-related electronic outputs, each 2 A, comparable to the F-DO.

This results in a total module current of max. 14 A: 10 A relay output (24 V backplane bus/terminal) + 2 x 2 A electronic outputs

Application example: 24 V load voltage for a valve group up to 10 A

Generally, valves do not have a direct checkback signal. This means that extended measures are required to secure the process sequence, for example:

• Feedback signal of the hydraulic pressure, controlled by the valve, using a pressure sensor

• Checkback signal from the mechanical system moved by the valve (end stop), e.g. using a Bero proximity switch

Depending on the hazard analysis, it may also be necessary to connect two valves in series - comparable to contactors in the 400 V load circuit - or to use a safety valve.

However, the basic control principles remain.

Also refer to Fig. 5/17 “24 V load circuit - P/M switching up to 2 A and up to 10 A”

Features

• The valves are selectively controlled through standard DOs.

• The PM-E F shuts down the standard DOs, supplied by it, through the 24 V backplane bus (P/M switching).

• The feedback signal (test input) from the process sequence can be realized using sensors, which are connected through a standard input (DI).

• The expected response can be checked, for control Category 3, in the PLC through 1 channel.

• Erroneous functions in the load circuit path are detected by the PM-E F and the feedback signal, e.g.
- When the valves do not switch/drop out (they jam)
- Short-circuits on the 24 V control cables and the load circuit.

Fig. 5/29 24 V load circuit with group shutdown up to 10 A – example of a valve block (diagram: valve group on the 24 V/max. 10 A load circuit, selective control via DO, safe shutdown of the M potential through the PM-E F, feedback from position monitoring by additional measures such as a pressure sensor or limit switch per valve to a DI; IM 151-1 High Feature ET 200S PROFIsafe station on PROFIBUS with PROFIsafe)

5.1.10 Protection against vertical axes falling

General requirements

When drives are shut down, axes or mechanical systems can drop due to gravity. With vertical linear axes (hanging axes) or for rotary axes or spindles with a non-symmetrical weight distribution, this can therefore result in potentially hazardous movement. This means that these axes and mechanical systems must be safely held at standstill using suitable measures. Measures to achieve this can include, for example:

a) Sometimes active: holding brake, operating brake, electric drive

b) Permanently active: mechanical weight equalization

c) Active in exceptional cases: locking studs, various types of supports

The measure or measures selected depend on the type of work which is to be carried out in the hazardous area. Is work to be carried out directly under a suspended load or only close to it? Also the time spent in the hazardous area must be taken into account in the design phase as this may make it necessary to combine several measures. The hazard analysis always forms the basis and must be carefully carried out for every machine. The overall concept must be designed so that it fulfills the requirements for personnel protection according to the EEC Machinery Directive.

Comment:

When carrying out work on live parts and components (with the exception of safety extra-low voltage), electrical isolation from the line supply is always required.

Requirements from the German Trade Association data sheet (EM II, Mainz)

The requirements placed on machines with the appropriate hazard potential are described in this data sheet.

Here are some of the most important requirements as an excerpt:

• Safe, redundant holding system to “protect against vertical axes falling”

• Test of the mechanical brakes (control Category 2 acc. to EN 954-1)

• Protection against undesirable restarting of the electric drive (control Category 3 acc. to EN 954-1)

• Acceptance test using a form sheet

The actual document can be viewed on the Internet under

www.smbg.de/sites/institutionen/fachausschuss.htm

Concept to protect against vertical axes falling

The existing systems - electrical drive and mechanical brake - together form the safe, redundant holding system. The safety concept of SINUMERIK Safety Integrated integrates these standard components so that their effect is safety-relevant.

Fig. 5/30 Protection against vertical axes falling (diagram: protection against axes dropping in control category 3 according to EN 954-1 by a safe, redundant holding system: the existing safe drive is considered a full, safe holding system, and the existing mechanical brake together with the “safe brake management” is considered a complete, safe holding system; safe drive + safe brake management connected via PROFIBUS to the motor M)

1. A safe drive is achieved using safety functions, e.g.:
• “Safe stopping process”
• “Safe operating stop”
• “Safely reduced speed”

2. A safe brake function is achieved using the “safe brake management” with the subfunctions:
• “Safe brake control”
• “Safe brake test”

The safe drive forms the 1st holding system and is mainly active; the mechanical brake forms, as safety-related brake function, the 2nd holding system and is (open) in the standby mode.

When the drive fails, the brake is automatically and safely activated and assumes the function of holding the mechanical system. It is not absolutely necessary to use a second brake.

This means that, for the first time, there is an extensive and integrated solution available to provide “protection against vertical axes dropping” (as well as rotary axes or spindles with non-symmetrical weight distribution).

With this functionality, the risk when working with hanging loads is significantly reduced, therefore playing an important role in personnel protection. Not only this, machine damage as a result of dropping axes is essentially avoided and the availability of machines and systems increased.

Depending on the particular requirement, the safe redundant holding system can be used in the following applications:

1. The drive is active, the brake is open and in the standby mode. Objective: The distance that the axis drops is minimized to < 25 mm

• The drive can move or is stationary

• The brake is automatically and safely closed as soon as the drive fails, e.g. as a result of a system fault

Result: Depending on the speed/velocity, direction of motion, system response time, brake closing time and friction of the mechanical system, an unavoidable sagging of the vertical axis occurs.

2. The drive and the brake are simultaneously active (drive with adapted control parameters/filters). Objective: Minimize the distance that the axis drops to < 1 mm

• The drive is stationary, the brake is closed

• Automatic signal as soon as one of the two holding systems fails

• The holding system which is still intact now exclusively holds the mechanical system

Result: The vertical axes do not drop through any distance which is significant for personnel protection.

Comments:

• Acceptance certificate: The distance which an axis drops should be measured and documented in the acceptance certificate!

• Drive shutdown as a result of the operation: The drive is also shut down as a function of the operation, independent of system faults, for example for an Emergency Stop. In this case, the brake is closed before the drive is shut down and the vertical axis is mechanically clamped. This involves a specific operation which means that the vertical axis does not drop by a value which is significant regarding personnel protection (< 1 mm).

Safe brake management - SBM

The reliability of a mechanical brake is a significant component when protecting vertical axes from dropping. Analyses of accidents indicated that both faults in the control as well as in the mechanical system of the brake were responsible for vertical axes dropping. The analysis also indicated that these accidents could have been avoided by using safety technology.

With this as background, we are offering our customers a solution with “safe brake management”.

The “Safe Brake Management” SBM comprises two function elements:

1. Safe brake control SBC (Safe Brake Control)

2. Safe brake test SBT (Safe Brake Test)

Brakes which are generally used today are not safety-related components. By integrating the standard brake (a component proven in operation) in the safety concept of SINUMERIK Safety Integrated, a safe brake function is obtained.

The brake is safely controlled and is subject to a forced checking procedure. Extended test measures are required as there is no feedback signal for the holding torque. The safe brake test can fulfill this requirement. Faults in the control and in the brake mechanical system can be detected using the extended test measures.


Depending on the result of the hazard analysis, there are various ways of mounting the brake:

1. A brake in the motor - mechanical transmission elements with an overload factor > 2 (German Trade Association EM II, Mainz)

2. A brake at the load - mechanical transmission elements with an overload factor < 2

3. A brake in the motor and a brake at the load for special requirements

In case of doubt, the preferred solution is to mount the brake at the load, e.g. on the linear guide, instead of mounting it in or on the motor.

Safe brake control

The brake (operating or holding brake) is, in control Category 3 (acc. to EN 954-1), safely and electrically controlled. Control is realized through 2 channels (P/M switching) with:

• Safety-related outputs with separate PLC and NC hardware

• Fail-safe F-DO outputs in ET 200S PROFIsafe

Using these two versions, it is possible to detect faults on the control lines, for example, short-circuits, broken cables etc. Even if a channel fails, the brake can still be controlled.

Also refer to Sections 5.1.8 and 5.1.9.

Comment:

Intermediate relay stages increase the response time when controlling the brake - this increases the distance that the vertical axis drops. This is the reason that, if possible, a direct electronic control is preferred. This is possible up to 2 A.

Safe brake test

The safe brake test cyclically tests whether the expected holding torque is still available. In this case, the drive deliberately moves against the closed brake and subjects it to a test torque - the test is successful if the axis does not move. However, if the axis moves, then it can be assumed that the brake holding torque is no longer sufficient to hold the vertical axis. The test is canceled and a fault signal is output. The axis should then be traversed into a safe position and the vertical axis disengaged or clamped using the appropriate studs. This can also be automatically realized. The protective door remains interlocked until the clamped position has been reached. This can be interrogated using “safe software cams”. Once all of these conditions are fulfilled, the brake must be serviced.

The safe brake test is executed as part of the forced checking procedure before testing the shutdown paths. If a brake defect is detected, the shutdown path test, which would result in a pulse cancellation, is no longer initiated, and a fault message is output.

The safe brake test is realized in control Category 2.

Comment regarding stop Category 1 according to EN 60204 for Emergency Stop

After regenerative braking, the standard requires that the electric drives are isolated from the power source as protection against undesirable restart. However, Emergency Stop has the goal of providing protection against potentially hazardous motion and not of protecting against electric shock. EN 60204 does not take into account that safe drives for Emergency Stop with stop Category 2 must at least guarantee the same quality. For a stop Category 2, safe drives, after stopping, go into the “safe operating stop” and remain fully functional in the closed-loop controlled mode.

The following scenario with conventional technology will clearly show this:

1. For a vertical axis, the holding torque of the mechanical holding brake is zero as a result of a fault (control/mechanical system). An Emergency Stop is configured with stop Category 1 acc. to EN 60204.

2. For conventional safety concepts, faults in the brake control as well as in the mechanical brake system are not detected – it therefore involves a “dormant fault”.

3. An operator now presses Emergency Stop! Result: The holding brake is defective and the drive is disconnected from the power source as a result of stop Category 1. This means that the vertical axis drops down and, in conjunction with Emergency Stop, results in a potentially hazardous movement!

Here is the same scenario using safe drives:

1. For a vertical axis, the holding torque of the mechanical holding brake is zero due to a fault in the mechanical system (a fault in the brake control is immediately and directly detected and the brake is closed through the second channel). Emergency Stop is configured, according to EN 60204, with stop Category 1.

2. The fault is detected using a brake test. An appropriate fault signal is displayed. The protective door remains interlocked and the axis must be moved to a safe position.

3. An operator now presses the Emergency Stop before the safe position is reached! Result: In spite of the fact that the Emergency Stop is activated, the drive with the defective brake is not disconnected from the power source, but is safely stopped and then the standstill state is safely monitored using the safe operating stop. There is no potentially hazardous motion.
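The safe brake test, its place ahead of the shutdown path test, and the two Emergency Stop scenarios above, as an added Python model (not code from Siemens or from the manual). Torques are in arbitrary units; the test torque of 1.3 times the load torque, the state names and the log texts are assumptions made for this example.

```python
"""Safe brake test as part of the test stop, and the Emergency Stop scenario
with a defective holding brake: conventional stop Category 1 versus a safe
drive that falls back to the safe operating stop.

Constructed illustration, not code from Siemens or from the manual: torques are
in arbitrary units, the test-torque factor, the state names and the log texts
are assumptions made for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import List

TEST_TORQUE_FACTOR = 1.3   # assumed: test torque = 1.3 x load torque


class AxisState(Enum):
    HOLDING = "drive active, brake open in standby"
    SAFE_OPERATING_STOP = "drive stopped, standstill safely monitored"
    DISCONNECTED = "brake closed, drive isolated from the power source"
    CLAMPED = "axis clamped in the safe position"


@dataclass
class VerticalAxis:
    load_torque: float             # torque exerted by the hanging load
    brake_holding_torque: float    # what the brake really holds (0 = defective)
    brake_fault_detected: bool = False
    door_interlocked: bool = True
    state: AxisState = AxisState.HOLDING

    def safe_brake_test(self) -> bool:
        """The drive pushes with the test torque against the closed brake; the
        test passes only if the axis does not move.  On failure the test is
        cancelled, the fault is latched and the protective door stays locked."""
        axis_moved = self.brake_holding_torque < TEST_TORQUE_FACTOR * self.load_torque
        if axis_moved:
            self.brake_fault_detected = True
            self.door_interlocked = True
        return not axis_moved

    def test_stop(self) -> List[str]:
        """Forced checking procedure: the brake test runs first; the shutdown
        path test (pulse cancellation) is only started with an intact brake."""
        log = ["brake test"]
        if not self.safe_brake_test():
            log.append("fault: brake holding torque insufficient, shutdown path test not started")
            return log
        log.append("shutdown path test (pulse cancellation)")
        return log

    def clamped_position_reached(self) -> None:
        """Reported by the safe software cams; only now is the door released."""
        self.state = AxisState.CLAMPED
        self.door_interlocked = False

    def emergency_stop(self, safe_drive: bool) -> bool:
        """Returns True if the Emergency Stop leads to hazardous motion."""
        brake_holds = self.brake_holding_torque >= self.load_torque
        if safe_drive and self.brake_fault_detected:
            # The axis with the known-defective brake is stopped and kept in the
            # safe operating stop instead of being disconnected from the power.
            self.state = AxisState.SAFE_OPERATING_STOP
            return False
        # Stop Category 1: brake closed, then the drive is isolated.  With a
        # conventional concept a defective brake is a dormant fault here.
        self.state = AxisState.DISCONNECTED
        return not brake_holds
```

The difference between the two scenarios is only the latched result of the brake test: without it the Emergency Stop removes the one holding system that still works; with it the drive stays in closed-loop control and the door remains interlocked until the clamped position is reported.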


5.1.11 Basic application principles

Forced checking procedure, general

(taken from [Reinert, D.; Schaefer, M.; Umbreit, M.: Drives and CNC controls with integrated safety. In: ETZ Magazine 11/98], Technical Article of the German Trade Association)

A forced checking procedure must be carried out for all steady-state (static) signals and data. Within the requested time (8 h), a state must change from a logical 1 to logical 0 or vice versa. If the state, when a fault develops, remains static, then this is detected at the latest at the forced checking procedure and the subsequent comparison.

A forced checking procedure must be provided, e.g. for all of the components required for shutdown (e.g. contactors and power semiconductors), the so-called shutdown path, and for the stopping condition itself. Generally, the shutdown condition, e.g. if a limit value criterion is violated, cannot be tested using another measure, such as cross-comparison, if the machine is in the “good” condition. This also applies to faults in the complete shutdown path including the associated hardware and software and the power switching elements. By providing a test stop in an 8-hour cycle with comparison, and an appropriate expectation response, faults can be reliably detected, even when the machine is in the “good” condition (in this case, good condition means that the operator has not identified a machine fault).

Forced checking procedure with SINUMERIK Safety Integrated

The forced checking procedure is used to detect faults in the software and hardware of the two monitoring channels. In this case, the safety-relevant components in the two channels must be processed at least once within a defined time period and in all safety-relevant branches. A fault in a monitoring channel results in deviations and is detected by the crosswise data and result comparison.

The user must initiate the forced checking procedure of the shutdown path (test stop) or it must be automatically integrated into the process, for example:

• With the axes stationary after the system or plant has been powered up,

• When the protective door is opened,

• At a specified frequency (e.g. in an 8-hour cycle),

• In automatic operation, time- and event-dependent.

The forced checking procedure also includes testing safety-relevant sensors and actuators. In this case, the complete signal change, including the “safe programmable logic”, is checked for its correct functioning.

Comment:

For the duration of automatic operation (with the protective door closed), the fixed 8-hour cycle isn't mandatory. In this case, the forced checking procedure can be logically combined, after 8 hours have expired, with the next time that the protective door is opened. As a result of the crosswise comparison, errors are detected in the safety-relevant data of the two monitoring channels. For “changing” data, there are tolerance values specified by the machine data. The results of the two channels can deviate within these tolerances without a response being initiated. An example is the tolerance for the crosswise comparison of the actual positions. Faults and errors which are detected as a result of the forced checking procedure and crosswise comparison result in a Stop F response and initiate additional stop responses (refer to Section 5.1.4 “Stop Responses”).

Acceptance test

(taken from [Position Paper DKE 226.0.3: Safety-related functions of electric drive systems in machines. Status 1/98.], Position paper DKE – AK 226.03)

• Acceptance test, complete: For a complete acceptance test, all of the safety functions provided (i.e. maintaining the limit values, functions of the control transmitters, functions of the actuators) are checked. In so doing, the fault response becomes physically effective. It is checked that the safety functions operate correctly.

• Acceptance test, partial: For a partial acceptance test, those safety functions are checked which are involved when safety-relevant data is changed.

According to the DKE position paper, the machinery manufacturer (OEM) must carry out an acceptance test of the activated safety functions. During the acceptance test, the entered limit values of the enabled SI functions are deliberately exceeded in order to check the correct function and the associated response.

The activated safety functions and the results of the acceptance test should be entered in an acceptance certificate. A form for the acceptance certificate as well as integrated functions to generate the acceptance certificate are available.

* Deadman operation

This term originally comes from the railways.

Significance: The function only remains effective as long as the actuating element (button) is pressed. If the actuating element is released, the function is interrupted and the potentially hazardous motion is stopped.
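The forced checking procedure (dynamization of static signals within the 8-hour cycle, expectation response of the test stop) and the crosswise comparison with tolerances from the forced checking text above, as an added Python example (not code from Siemens or from the manual). The signal names, the tolerance value for the actual position, the STOP F texts and the second-based time stamps are assumptions made for this example.

```python
"""Forced checking procedure and crosswise comparison of the two monitoring
channels: overdue static signals, the expectation response of a test stop and
the tolerance-based comparison of "changing" data.

Constructed illustration, not code from Siemens or from the manual: the signal
names, tolerance values, the STOP F texts and the second-based time stamps are
assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List

FORCED_CHECK_INTERVAL_S = 8 * 3600   # the 8-hour cycle named in the manual


@dataclass
class StaticSignalMonitor:
    """Records when each steady-state signal last changed level; a signal that
    has not changed within the interval must be dynamized by a test stop."""
    last_level: Dict[str, bool] = field(default_factory=dict)
    last_change: Dict[str, float] = field(default_factory=dict)

    def sample(self, t: float, name: str, level: bool) -> None:
        if self.last_level.get(name) != level:
            self.last_level[name] = level
            self.last_change[name] = t

    def overdue(self, t: float) -> List[str]:
        return sorted(n for n, tc in self.last_change.items()
                      if t - tc > FORCED_CHECK_INTERVAL_S)

    def test_stop_due(self, t: float, in_automatic: bool, door_opened: bool) -> bool:
        """In automatic operation with the door closed the fixed 8 h cycle is
        not mandatory; the test stop is combined with the next door opening
        after the 8 hours have expired."""
        if not self.overdue(t):
            return False
        return door_opened or not in_automatic


def evaluate_test_stop(expected: Dict[str, bool],
                       channel1: Dict[str, bool],
                       channel2: Dict[str, bool]) -> List[str]:
    """Expectation response: after the forced change, both monitoring channels
    must see every signal at the expected level.  A channel whose reading
    stayed static has a fault in its branch; the result is a STOP F."""
    faults = []
    for name, level in expected.items():
        for label, readings in (("channel 1", channel1), ("channel 2", channel2)):
            if readings.get(name) != level:
                faults.append(f"STOP F: {label} reads {name}={readings.get(name)}, expected {level}")
    return faults


def crosswise_compare(channel1: Dict[str, float],
                      channel2: Dict[str, float],
                      tolerances: Dict[str, float]) -> List[str]:
    """Crosswise data comparison.  'Changing' data such as actual positions may
    deviate within the tolerance from the machine data; all other data must
    match exactly.  Each deviating item results in a STOP F."""
    faults = []
    for name, v1 in channel1.items():
        v2 = channel2[name]
        if abs(v1 - v2) > tolerances.get(name, 0.0):
            faults.append(f"STOP F: crosswise comparison of {name}: {v1} vs {v2}")
    return faults
```

The monitor only reports which signals are overdue; forcing the level change (the test stop itself) and reading both channels afterwards is the application's job, which is why the expectation response is a separate function that takes the readings of both channels.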


Application examples

By combining “SINUMERIK Safety Integrated” safety functions, completely new operator control concepts can be implemented at machines, fulfilling the widest range of requirements.

• Setting-up operation with the protective door open: With the protective door open, feed or spindle drives can be operated with a safely reduced speed or are safely monitored at standstill. The drives are always monitored by the electronics and do not have to be disconnected from the power source. Working and protective zones can be implemented using safety-related technology with functions to identify ranges and limit traversing ranges. An enabling switch in conjunction with SINUMERIK Safety Integrated is not mandatory. However, depending on the requirement, it can be used, e.g. to change over safety functions. In the standard case, the drives may only be moved using jog keys in deadman operation*.

• Test operation with the protective door open: For the first time, a program can be run in the test mode where the complete program or program parts are executed with safely reduced speed in a so-called “dry run”. In this case, the operator ensures that the program is continually executed by pressing a button, generally the start button. If a program error is identified when testing, then the operator can hold the program by releasing the start button or by pressing the EMERGENCY STOP button. During this test phase, the safety functions are active. They respond when limit values are violated and automatically shut down the drives.

• Integrated, contactless EMERGENCY STOP: The EMERGENCY STOP button can be connected directly to the redundant input periphery of the PLC and NC or to the fail-safe ET 200S PROFIsafe input modules through its two contacts without having to use additional evaluation logic. The logical combination and the required responses are realized internally using safety-related technology. The electric drives are safely shut down and are then contactlessly isolated from the power via the electronics. A restart is safely prevented. External power sources, for example hydraulic systems or lasers etc., can be shut down using safety-related technology via the redundant or fail-safe output periphery from the integrated EMERGENCY STOP logic and downstream actuators (power contactors, valves, ...).

• Comment regarding EN 60204: The new national foreword of EN 60204 in principle allows EMERGENCY STOP to be implemented using software and electronics. However, it must be proven that the new specific standards, such as e.g. EN 954-1 or IEC 61508, are maintained. This means that the national foreword of EN 60204 now makes it possible to use innovative safety technology bypassing Section 9 of EN 60204, which is in some instances no longer up-to-date.

Increased availability using integrated safety technology

Completely new operator concepts can be implemented at machines with the widest range of requirements by combining the safety functions which were listed and described from Section 5.1.4 onwards. This means that an operator can intervene, e.g. in the magazine or at the re-equipping station (setting-up), in parallel to ongoing production.

However, topmost priority is to provide optimum protection for the operator.

The correct use and operation of the machine, specified as a result of the process, must remain.

The machine protection (machine itself, workpiece, tool, ...) can benefit to a high degree as a result of these new possibilities.

As a result of the integrated safety technology, the trend is away from solutions which are distinguished by pure hardware and electromechanical concepts, to software and electronics. This means that the safety technology with parts and components which are subject to wear will be successively replaced.

Furthermore, integrated safety technology allows an intelligent system intervention directly down to the sensors and actuators which was previously unknown. Completely new diagnostic possibilities are created which permit preventive fault detection and identification. Even for faults which suddenly occur during production, the risk of personnel injury or machine damage can be significantly reduced by quickly detecting the fault and stopping in a coordinated, safety-related fashion.

Integrated safety technology permits:

• Process operations to be optimized

• Sub-processes to run in parallel

• Simpler machinery infrastructures

• Machine operator control concepts in line with those required in practice.

Impact on the availability:

• Reduced fault potential

• Longer production uptimes

• Shorter production downtimes.

When used consistently, integrated safety technology offers a significant potential to increase system availability.

5/32 Siemens AG Safety Integrated Application Manual

5.1.12 Ordering data and documentation

Software

Software option for SINUMERIK Safety Integrated
• Basic function for up to 4 axes/spindles: 6FC5250-0AC10-0AA0
• Expansion function from the 5th axis/spindle: 6FC6250-0AC11-0AA0
• Axis/spindle package for an additional 13 axes/spindles: 6FC5250-0AC12-0AA0

Hardware

NCU modules
• NCU 561.2: 6FC5356-0BB11-0AE0
• NCU 571.3: 6FC5357-0BB11-0AE1
• NCU 572.3: 6FC5357-0BB22-0AE0
• NCU 572.4: 6FC5357-0BB23-0AE0
• NCU 573.4: 6FC5357-0BB34-0AE0

SIMODRIVE 611 digital (closed-loop controls)
• Standard 2 - 2 axis: 6SN1118-0DM23-0AA0
• Performance 1 - 1 axis: 6SN1118-0DG23-0AA0
• Performance 1 - 2 axis: 6SN1118-0DH23-0AA0
• High Standard - 2 axis: 6SN1118-0DM33-0AA0
• High Performance - 1 axis: 6SN1118-0DJ23-0AA0
• High Performance - 2 axis: 6SN1118-0DK23-0AA0

Documentation

Function description
• German: 6FC5297-6AB80-0AP1
• English: 6FC5297-6AB80-0BP1
• French: 6FC5297-6AB80-0DP1

Please refer to Catalogs NC 60 and ST 70 for the Order Nos. of the I/O modules and additional accessories.


5.2 Safely Operating Universal Drives

Protection against unexpected starting

For machines and plants where undesirable starting can represent a danger for an operator when manually intervening in the hazardous area (e.g. during setting-up or service work), protection against hazardous motion according to EN 60204-1 Section 5.4, "Equipment to avoid unexpected starting", must be provided.

Safe standstill provides effective protection

The "SIMODRIVE 611 universal" and "SIMOVERT MASTERDRIVES" drive series support this specified function using a safety relay integrated in the AC drive. The "safe standstill" function can be implemented using this integrated relay in conjunction with an external circuit (refer to Section 7.3). Note that safe standstill prevents the drive from generating torque; it does not electrically isolate the motor, so electrical work on the motor circuit still requires a separate disconnecting device.

The "safe standstill" function implemented for the SIMOVERT MASTERDRIVES and SIMODRIVE 611 universal drive units has been certified by the German Trade Association (Berufsgenossenschaft) and fulfills the requirements of Category 3 acc. to EN 954-1.

The user enjoys the following benefits:

• The safety requirements can be simply implemented
 - Using the integrated relay and the defined external circuit
 - Certified solution to avoid unexpected starting

• Cost and space saving
 - Contactors on the motor side are no longer required
 - Reduced engineering and wiring costs
 - Less space is required in the cabinet

• Time saving
 - Machinery acceptance procedures by the various testing bodies are simplified, as the circuit principles have already been certified

Fig. 5/31 SIMOVERT MASTERDRIVES Compact PLUS

Fig. 5/32 SIMOVERT MASTERDRIVES Compact

Fig. 5/33 SIMODRIVE 611 universal


5.3 SIMOTION Safety Unit - The safety package for metal forming technology

Measures have to be applied to all production machines - especially presses - to protect the operating personnel. These measures eliminate the potential hazards in the operating process. This can be achieved by securing the machines using protective doors or light grids. However, if the operator must frequently intervene in the production process, the machine's responses must be checked, for example using speed monitoring functions. In the event of control or mechanical system failures caused by faults, this avoids potentially hazardous motion of the machine.

The SIMOTION Safety Unit TM 121 was developed to handle such requirements.

It has been designed so that the following safety requirements are fulfilled:

• EN 954-1, Safety-related parts of control systems: Category 4 is achieved.

• IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems: SIL 3 is fulfilled.

• EN 61496, Safety of machinery, contactless protective devices (electro-sensitive protective equipment): excerpts from this have been taken into account, i.e. a higher severity level, e.g. for mechanical loads or EMC.

This means that the prerequisites to implement safety functions at the machine, including manually operated presses, are fulfilled throughout Europe.

Standard blocks, which are required to secure against hazards for all types of machines, are permanently incorporated in the control. These include, to name but a few, protective grid or protective door monitoring functions as well as emergency stop circuits. In addition, special versions have been implemented for specific types of machines, such as mechanical and hydraulic presses or press brakes (edging presses).

These blocks are interconnected using a parameterizing tool supplied with the equipment.

Fig. 5/34 SIMOTION Safety Unit TM121C

Fig. 5/35 SIMOTION Safety Unit - technical data

Release for general availability: 1st quarter 2003

Redundant (two-channel) electronic processor system with:
• 32 safety-related inputs, 24 V
• 8 safety-related outputs, 24 V, 2 A
• 8 standard outputs, 24 V, 0.5 A
• 2 safety-related frequency inputs, 24 V, 500 Hz

Supply: 24 V DC

Mechanical strength: a higher degree of severity is fulfilled than required for mechanical loads in accordance with EN 61496
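To make the two-channel principle behind these data concrete, the following is an added illustration written for this page; it is not SIMOTION Safety Unit firmware or any Siemens code. Two monitoring channels each derive a speed from their own pulse input (the counterpart of the two safety-related frequency inputs), the results are cross-compared every cycle, and either a discrepancy between the channels or a limit violation on either channel forces a latched safe stop that can only be cleared by an explicit acknowledgement. The pulse counts, the resolution of 60 pulses per revolution, the 10 rpm limit and the 2 rpm tolerance are assumed values chosen for the example.

```python
"""Two-channel speed/standstill monitor with cross-comparison.

Constructed illustration of the redundancy principle behind a two-channel
safety controller (not the SIMOTION Safety Unit firmware).  Each channel
derives a speed from its own pulse input; the channels are cross-compared
every cycle and any discrepancy or limit violation forces a latched safe stop.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RUN = "RUN"
SAFE_STOP = "SAFE_STOP"


@dataclass
class Channel:
    """One independent monitoring channel with its own pulse input.

    pulses_per_rev is an assumed sensor resolution (e.g. a cam wheel)."""
    pulses_per_rev: int

    def speed_rpm(self, pulses: int, window_s: float) -> float:
        """Convert the pulses counted in one monitoring window to rpm."""
        return pulses * 60.0 / (self.pulses_per_rev * window_s)


@dataclass
class TwoChannelMonitor:
    limit_rpm: float          # safely reduced speed limit (assumed value)
    tolerance_rpm: float      # permitted discrepancy between the channels
    ch_a: Channel
    ch_b: Channel
    state: str = RUN
    fault: Optional[str] = None

    def cycle(self, pulses_a: int, pulses_b: int, window_s: float) -> str:
        """Evaluate one monitoring window and return the resulting state."""
        if self.state == SAFE_STOP:
            return self.state  # latched: a trip persists until reset()
        rpm_a = self.ch_a.speed_rpm(pulses_a, window_s)
        rpm_b = self.ch_b.speed_rpm(pulses_b, window_s)
        # Cross-comparison first: a channel that has silently failed (broken
        # sensor wire, stuck counter) reads 0 rpm, which a single channel
        # would report as a safe standstill.  The discrepancy with the healthy
        # channel exposes exactly that dangerous failure.
        if abs(rpm_a - rpm_b) > self.tolerance_rpm:
            return self._trip("channel discrepancy: %.1f vs %.1f rpm" % (rpm_a, rpm_b))
        # Either channel alone may trigger the stop (1-out-of-2 logic).
        if rpm_a > self.limit_rpm or rpm_b > self.limit_rpm:
            return self._trip("speed limit exceeded: %.1f rpm" % max(rpm_a, rpm_b))
        return RUN

    def _trip(self, reason: str) -> str:
        self.state = SAFE_STOP
        self.fault = reason
        return self.state

    def reset(self, acknowledged: bool) -> str:
        """Leave SAFE_STOP only on an explicit acknowledgement.  An automatic
        reset would turn a latched stop into an unexpected restart."""
        if acknowledged and self.state == SAFE_STOP:
            self.state = RUN
            self.fault = None
        return self.state


def run_scenario(windows: List[Tuple[int, int]],
                 window_s: float = 1.0) -> Tuple[List[str], Optional[str]]:
    """Feed constructed per-window pulse counts (channel A, channel B) through
    a fresh monitor; returns the state after each window and the fault text."""
    mon = TwoChannelMonitor(limit_rpm=10.0, tolerance_rpm=2.0,
                            ch_a=Channel(60), ch_b=Channel(60))
    states = [mon.cycle(a, b, window_s) for a, b in windows]
    return states, mon.fault


if __name__ == "__main__":
    # Constructed sample: channel B loses its signal in the third window.
    print(run_scenario([(5, 5), (8, 7), (9, 0), (3, 3)]))
    print(run_scenario([(12, 12)]))
```

The order of the checks matters: the discrepancy test runs before the limit test so that a channel reading an implausible standstill is treated as a fault rather than as confirmation that the axis is safe. The latched stop and the acknowledged reset correspond to the "protection against unexpected starting" requirement of Section 5.2; the tolerance has to be wide enough to absorb the one-pulse quantization difference that two independent counters legitimately show.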


Example: Function blocks for mechanical presses

• Two-hand operation

• Safety-related cam inputs (run-up, run-down, transfer)

• Operating mode selection

• Emergency stop ("disconnect to bring into a no-voltage condition"), engage inhibit

• Clutch-brake combination control (with monitoring)

• Protective door/protective grid/light curtain

• Run monitor check (via a frequency input)


Fig. 5/36 Typical parameterizing software mask

Fig. 5/37 Safety Unit - topology
(A) Stand-alone solution: the Simotion Safety Unit executes the safety functions on its own.
(B) Solution with PLC: a PLC (e.g. C7, S7-300) handling the NSW I/O and the press automation (e.g. tool change) is connected to the Simotion Safety Unit via PROFIBUS*; the safety functions run in the Safety Unit.
*: with the second supply phase, general availability the middle of 2003


5.4 Technical Support & Engineering for Safety Integrated - Motion Control Systems

Spectrum of systems, products and services (for machine OEMs and end customers)

Service/description

Concept generation
Starting from the hazard analysis and the required customer operator control philosophy, the safety functions are adapted to the machine.

This involves, for example:

• Mode types

• Safety functions with the protective doors closed

• Safety functions with the protective doors open

• EMERGENCY STOP concept

• Investigation of safety-relevant external signals and elements

Standard configuring/engineering

Starting from the concept generation, the following standard functions are integrated in the machine circuit diagrams:

• Safe standstill, safe operating stop

• Safely reduced speed

• Safe software limit switches

• Safe software cams

In this case, external safety elements (e.g. door interlocking functions, EMERGENCY STOP pushbuttons) are either configured conventionally or logically combined using safe programmable logic.

Configurable safe programmable logic

Starting from the standard software, the following objects are generated for the safe programmable logic:

• Function chart

• Logic program for the PLC area

• Logic program for the NC area

• Required data blocks (e.g. DB18)

These objects are embedded in theoverall system.

Commissioning

Starting from the configured software which was generated, the safety functions are commissioned. The customer provides the machine so that the drives can be traversed (moved) and the cabinet is wired up according to the engineering documentation.

Acceptance certificate

Starting from the existing engineering documentation and the completed commissioning, an acceptance certificate is generated for the various safety functions.

These include:

• Description of the machine (name, type, ...)

• Description of the safety and operator control concepts

• Description of the axis-specific safety functions

• Testing all of the safety functions, including the safe programmable logic

• Documenting the test results

The customer receives the acceptance certificate as hard copy and electronically on a data medium.

Approval procedure

Support in handling an approval procedure with approved bodies (e.g. German Trade Association / German Statutory Industrial Accident Insurance Association) or large end customers.

Workshop

Workshops on the subject of machine safety are tailored to individual customer requirements and, when required, can be held at the customer's facility.

Possible contents can include:

• Machinery Directive, general Stan-dards

• C-standards (machine-specific)

• Hazard analysis, risk evaluation

• Control Categories (according to EN 954-1)

• SINUMERIK Safety Integrated –function and system description

• Configuring, machine data

• Commissioning

• Acceptance certificate

Hotline

For acute problems during commissioning, experts on "SINUMERIK Safety Integrated" can be reached under the SINUMERIK Hotline No. (refer to Section 8.4).

Local service

Experts analyze faults and problemslocally.

The causes are removed, a solution concept is drawn up and, when required, implemented.