Hardware Manual E94AYAD__SM300 Safety module

EDS94AYAD
Manual
L-force | 9400
E94AYAD - SM300
Safety module


Please read these instructions and the documentation of the standard device before you
start working!
Observe the safety instructions given therein!
Contents

1 Safety engineering
1.1 Basics
1.1.1 Introduction
1.1.2 Drive-based safety with L-force | 9400
1.1.3 Terms and abbreviations of the safety engineering
1.1.4 Important notes
1.1.5 Safety instructions
1.1.6 Application as directed
1.1.7 Hazard and risk analysis
1.1.8 Standards
1.1.9 Overview of sensors
1.2 Device modules
1.2.1 Slot
1.2.2 Function mode of the safety modules
1.2.3 Safety module SM300
1.2.4 Connection of safety sensors
1.3 Safety functions
1.3.1 Integration into the application of the controller
1.3.2 Error states
1.3.3 Safe torque off
1.3.4 Safe stop 1
1.3.5 Safe PROFIsafe connection
1.4 Acceptance
1.4.1 Description
1.4.2 Periodic inspections
EDS94AYAD EN 2.2

1 Safety engineering
1.1 Basics
1.1.1 Introduction
With increasing automation, protection of persons against hazardous
movements is becoming more important. Functional safety describes the
measures needed by means of electrical or electronic equipment to reduce
or remove danger caused by failures.
During normal operation, safety equipment prevents people accessing
hazardous areas. In certain operating modes, e.g. set-up mode, work needs
to be carried out in hazardous areas. In these situations the machine
operator must be protected by integrated drive and control measures.
Drive-based safety provides the conditions in the controls and drives to
optimise the safety functions. Planning and installation expenditure is
reduced. In comparison to the use of standard safety engineering,
drive-based safety increases machine functionality and availability.
1.1.2 Drive-based safety with L-force | 9400
The controllers of the L-force | 9400 range can be equipped with a safety
module. The functional range of the safety module types varies in order to
optimally implement different applications.
"Drive-based safety" stands for applied safety functions, which can be used
for the protection of persons working on machines.
The controller continues to execute the motion functions. The
safety modules monitor safe compliance with the limit values and
provide the safe inputs and outputs. When the limit values are exceeded, the
safety modules start the control functions according to EN 60204-1 directly
in the controller.
The safety functions are suitable for applications according to IEC 61508
SIL 3 and meet, depending on the module, the requirements of EN 954,
part 1 up to control category 4.
1.1.3 Terms and abbreviations of the safety engineering

Abbreviation          Meaning
9400                  Lenze servo controller
EC_S0                 Error-Class Stop 0
EC_S1                 Error-Class Stop 1
EC_S2                 Error-Class Stop 2
EC_FS                 Error-Class Fail-Safe
Cat.                  Category according to EN 954-1
OSSD                  Output Signal Switching Device, tested signal output
PS                    PROFIsafe
PWM                   Pulse width modulation
S-DI                  Safe input (Safe Digital Input)
S-DO                  Safe output (Safe Digital Output)
SIL                   Safety Integrity Level according to IEC 61508
SM                    Safety module
Optocoupler supply    Supply of optocouplers to control the driver
OFF state             Signal state of the sensors when they are activated or respond
ON state              Signal state of the sensors in normal operation

Abbreviation          Safety function
SDI                   Safe direction
SLI                   Safely limited increment
SLS                   Safely limited speed
SOS                   Safe operating stop
SS1                   Safe stop 1
SS2                   Safe stop 2
SSM                   Safe speed monitor
STO                   Safe torque off
                      Formerly: safe standstill

1.1.4 Important notes
The following pictographs and signal words are used in this documentation
to indicate dangers and important information:
Safety instructions
Structure of safety instructions:

Danger!    (characterises the type and severity of danger)
Note       (describes the danger and gives information about how to
           prevent dangerous situations)

Pictograph and signal word    Meaning
Danger!                       Danger of personal injury through dangerous electrical
                              voltage.
                              Reference to an imminent danger that may result in death or
                              serious personal injury if the corresponding measures are
                              not taken.
Danger!                       Danger of personal injury through a general source of
                              danger.
                              Reference to an imminent danger that may result in death or
                              serious personal injury if the corresponding measures are
                              not taken.
Stop!                         Danger of property damage.
                              Reference to a possible danger that may result in property
                              damage if the corresponding measures are not taken.

Application notes

Pictograph and signal word    Meaning
Note!                         Important note to ensure troublefree operation
Tip!                          Useful tip for simple handling
(pictograph only)             Reference to another documentation

Special safety instructions and application notes for UL and UR

Pictograph and signal word    Meaning
Warnings!                     Safety or application note for the operation of a
                              UL-approved device in UL-approved systems.
                              Possibly the drive system is not operated in compliance with
                              UL if the corresponding measures are not taken.
Warnings!                     Safety or application note for the operation of a
                              UR-approved device in UL-approved systems.
                              Possibly the drive system is not operated in compliance with
                              UL if the corresponding measures are not taken.

1.1.5 Safety instructions
1.1.6 Application as directed
The safety modules SMx (E94AYAx) may only be used together with Lenze
drive controllers of the L-force | 9400 (E94A...) series.
Any other use shall be deemed inappropriate!
Installation/commissioning
• Only skilled personnel are permitted to install and commission the
safety functions.
• All control components must comply with the demands of the hazard
and risk analysis.
• Install the controllers in control cabinets with IP54 protection.
• Wiring with insulated wire end ferrules or rigid cable is vital.
• For modules without integrated short-circuit monitoring:
– All safety-relevant external cables (e.g. control cables for safety
functions, feedback contacts) outside the control cabinet must be
protected, e.g. by a cable duct.
– In this connection, make sure that short circuits cannot occur!
– For further measures see ISO 13849-2.
• If external forces act on the drive axes, additional brakes are necessary.
The effect of the gravitational force on hanging loads must be
especially observed!

Danger!
If the request for the safety function is cancelled, the drive will
restart automatically.
You must provide external measures which ensure that the drive
only restarts after a confirmation (EN 60204).

Danger!
When the "safe torque off" (STO) function is used, an
"emergency-off" according to EN 60204 is not possible without
additional measures. There is no electrical isolation, no service
switch or repair switch between motor and controller!
"Emergency-off" requires an electrical isolation, e.g. by a central
mains contactor!
During operation
After the installation is completed, the operator must check the wiring of the
safety function.
The functional test must be repeated at regular intervals. The time intervals
to be selected depend on the application, the entire system and the
corresponding risk analysis. The inspection interval should not exceed one
year.
Residual hazards
In case of a short circuit of two power transistors, a residual movement of the
motor of up to 180°/number of pole pairs may occur! (Example: 4-pole
motor ⇒ residual movement max. 180°/2 = 90°)
This residual movement must be considered in the risk analysis, e.g. safe
torque off for main spindle drives.
1.1.7 Hazard and risk analysis
This documentation can only emphasise the need for a hazard analysis. The
user of drive-based safety must become familiar with the relevant standards
and the legal position.
Before putting a machine into circulation, the manufacturer of the machine
must carry out a hazard analysis according to the Machinery Directive
89/392/EEC to find out the hazards related to the application of the
machine. To achieve a level of safety as high as possible, the Machinery
Directive contains three principles:
• Removing or minimising the hazards by the construction itself.
• Taking the protective measures required against hazards that cannot
be removed.
• Documentation of the existing residual risks and training of the user
regarding these risks.
The execution of the hazard analysis is specified in EN 1050, guidelines for
risk assessment. The result of the hazard analysis determines the category
of safety-based control modes according to EN 954-1 which the
safety-oriented parts of the machine control must comply with.
1.1.8 Standards
Safety regulations are confirmed by laws and other governmental
guidelines and measures and the prevailing opinion among experts, e.g. by
technical regulations.
The regulations and rules to be applied must be observed in accordance with
the application.
1.1.9 Overview of sensors
Passive sensors
Passive sensors are two-channel switching elements with contacts. The
connecting cables and the sensor function must be monitored.
The contacts must switch simultaneously. Nevertheless, safety functions
will be activated as soon as at least one channel is switched.
The switches must be wired according to the closed-circuit principle.
Examples of passive sensors:
• Door contact switch
• Emergency-off control units

Active sensors
Active sensors are units with two-channel semiconductor outputs (OSSD
outputs). Drive-based safety integrated in this device series allows for test
pulses < 1 ms to monitor the outputs and cables.
P/N-switching sensors switch the positive and negative cable or signal and
earth cable of a sensor signal.
The outputs must switch simultaneously. Nevertheless, safety functions will
be activated as soon as at least one channel is switched.
Examples of active sensors:
• Lightgrid
• Laser scanner
• Control

Sensor inputs
For sensor inputs that are not used, "no sensor" must be parameterised. It is
monitored that no sensor signal is applied.
Connected deactivated sensors can create the false impression of safety
technology being provided. For this reason, a deactivation of sensors by
parameter setting only is not permissible and not possible.
1.2 Device modules
1.2.1 Slot
The slot for the safety modules is marked in the documentation with M4. It
is the lowest slot in the controller (see overview).
1.2.1.1 Mounting
[Figure E94AYAX001]
1.2.1.2 Dismounting
[Figure E94AYCXX001H]
1.2.1.3 Module exchange
Every module exchange is detected by the basic device and documented in
a logbook.
When the module is replaced by the same type no restrictions arise.
When the module is replaced by a different type, the drive is inhibited by the
controller. The inhibit can only be deactivated when the parameter setting
of the required safety module complies with the plugged safety module.
1.2.2 Function mode of the safety modules
C00214
The code C00214 must comply with the plug-in safety module type so that
the controller is able to operate.
Disconnecting paths
The transmission of the pulse width modulation is safely (dis-)connected by
the safety module. Hence the drivers do not create a rotating field. The motor
is safely switched to torqueless operation (STO).
[Fig. 1.2-1: Disconnecting paths of the safety modules (SSP94SM320)]
Legend:
SMx    Safety module SM100/SM300
xx     Input / output terminal
C      Control section
μC     Microcontroller
PWM    Pulse width modulation
P      Power section
M      Motor
Safety status
When the controller is switched off by a safety module, the "Safe torque off"
status is set (C00183 = 101).
Fail-safe status
If internal errors of the safety modules are detected, the motor is safely
switched to torque-free operation (fail-safe status).
1.2.3 Safety module SM300
1.2.3.1 Overview
The type designation of the safety module is E94AYAD.
Functions
• Safe torque off (STO)
(previously: safe standstill, protection against unexpected start-up)
• Safe stop 1 (SS1)
• Connection of safety sensors
• PROFIsafe safety bus connection
The SM300 supports the transmission of safe information on the PROFIsafe
protocol according to the specification "PROFIsafe - Profile for Safety
Technology", Version 1.30, of the PROFIBUS Nutzerorganisation (PNO). The
basic device transmits the PROFIsafe information to the SM300 for safe
evaluation.
The following applies to the SM300 safety module, version VA 1.xx:
• The basic device must be equipped with a communication module
E94AYCPM (PROFIBUS-DP), SW version 0.9.
• The safe parameter setting is not supported. For this reason, all
parameters are permanently set.
• The stopping time of the SS1 cannot be parameterised. It is
permanently set to ts = 30 s.
• This module does not support (safe) outputs.

Danger!
If the request for the safety function is cancelled, the drive will
restart automatically.
You must provide external measures which ensure that the drive
only restarts after a confirmation (EN 60204).
1.2.3.2 Safety category
The implemented safety functions meet the requirements of the standards:
• Control category 3 according to EN 954-1
In order to comply with category 3, the external wiring and cable
monitoring must also meet the requirements of category 3.
1.2.3.3 Elements of the module
[Fig. 1.2-2: Module view (SSP94SM317)]

Pos.                          Description
(marker in figure)            PROFIsafe target address switch (on the left housing side)
X82.1, X82.2, X82.3, X82.4    Pluggable terminal strips for input and output signals

Displays

Pos.  Colour  State     Description
MS    Green   On        Drive-based safety is initialised faultlessly.
              Blinking  Drive-based safety is initialised faultlessly. Internal
                        communication to the standard device is not possible.
              Off       Drive-based safety is not initialised.
                        Acknowledgement is not possible.
EN    Yellow  On        Controller enabled
              Off       Non-safe display "STO"
ME    Red     On        System error:
                        • After a serious internal error, STO is activated.
                        • Can only be reset by switching the 24 V supply.
              Blinking  Error:
                        • After an internal error or an error at the safe
                          inputs, a standstill function is activated.
                        • The safety class is quit.
                        • Acknowledgement is possible.
              Flashing  Fault:
                        • A monitoring function has responded and
                          activated a standstill function.
                        • The safety class is not quit.
                        • Acknowledgement is possible.
              Off       Error-free operation
PS    Red     On        Error PROFIsafe:
                        • Communication is not possible.
                        • Acknowledgement is possible.
              Blinking  No valid PROFIsafe configuration
              Off       PROFIsafe is error-free.
DE    Red     On        The module is not accepted by the standard device
                        (see notes given in the documentation for the
                        standard device).

Terminal assignment
X82.1
Labelling   Description
n. c.       This terminal strip is not assigned (all nine terminals n. c.).

X82.2
Labelling   Description
-           GND external supply
+           24 V external supply via a safely separated power supply unit
            (SELV/PELV)
n. c.       This part of the terminal strip is not assigned.
n. c.
n. c.
n. c.
AIE         Error confirmation input (Acknowledge Input Error)
CLA         Clock output for passive sensors, channel A (clock A)
CLB         Clock output for passive sensors, channel B (clock B)

X82.3
Labelling   Description
GCL         GND clock output
GI2         GND IN I2A/I2B
I2B         Sensor input 2, channel B (only for passive sensors)
I2A         Sensor input 2, channel A (only for passive sensors)
GCL         GND clock output
GI1         GND I1A/I1B
I1B         Sensor input 1, channel B (only for passive sensors)
I1A         Sensor input 1, channel A (only for passive sensors)
n. c.       This terminal is not assigned.

X82.4
Labelling   Description
GCL         GND clock output
GI4         GND I4A/I4B
I4B         Sensor input 4, channel B (only for active sensors)
I4A         Sensor input 4, channel A (only for active sensors)
n. c.       This part of the terminal strip is not assigned.
n. c.       Sensor input 3 is not available.
n. c.
n. c.
n. c.

Cable cross-sections and tightening torques

Type                          [mm2]          [Nm]             AWG          [lb-in]
Wire end ferrule, insulated   0.25 ... 0.5   Spring terminal  24 ... 20    Spring terminal
Rigid                         0.14 ... 1.5                    26 ... 16

1.2.3.4 Technical data
The inputs are isolated and designed for a low-voltage supply of 24 V DC.
24 V
Detailed features of the inputs and outputs
Signal
Specification
I1A, I1B
I2A, I2B
I4A, I4B
AIE
PLC input, IEC-61131-2, 24 V, type 1
LOW signal
[V]
min.
typ.
max.
-3
0
5
24
Input current
[mA]
HIGH signal
[V]
15
Input current
[mA]
2
Input capacitance
[nF]
AIE
Pulse duration
[ms]
CLA, CLB
PLC output, IEC-61131-2, 24 V DC, 50 mA
LOW signal output voltage
[V]
HIGH signal output voltage
[V]
Tab. 1.2-1
15
104
300
17
0
0.8
24
29
[mA]
Width of the test pulse
[μs]
750
Test pulse rate
[s]
1.8
50
[kΩ]
Supply voltage of the module via a safely
separated power supply unit (SELV/PELV)
[V]
Input current
[A]
30
3.3
Output current
Cable resistance of a passive sensor
+, -
15
2
19,2
24
30
Technical data
The chapter "Response times" must be observed as well (see 1.3.5.2).
1.2.3.5 Commissioning
• Settings in or at the module:
– PROFIsafe target address switch
• Required settings in the basic device:
– C00214, type of safety module
• Integration of the SM300 into the drive application
• During commissioning and after the replacement of a module it is vital
to check the safety function.
1.2.3.6 Test certificate
[Fig. 1.2-3: TÜV Certificate (SSP94TUEV3)]
The type test was carried out by "TÜV Rheinland Group" and confirmed with
a certificate.

Contents                Specifications
Test institute          TÜV Industrie Service GmbH, ASI area
Test report             968/EL 302.01/05
Test fundamentals       EN 954-1, EN 60204-1, EN 50178, EN 61800-3, IEC 61508 Part 1-7
Object to be examined   SM300, type E94AYAD VA1.xx of the 9400 Servo Drives range
Test result             The module meets the requirements according to EN 954-1,
                        category 3.
Special conditions      The safety instructions in the corresponding user documentation
                        must be observed.
Place of issue          Cologne
Issue date              30.06.2005

1.2.4 Connection of safety sensors
1.2.4.1 General
The following applies to the sensors of the SM300, version VA 1.xx:
• Sensor type and function cannot be parameterised.
• The sensor signals are converted into PROFIsafe bit information and
transmitted to the master control for processing. A local evaluation is
not carried out.
• Unused sensor inputs must not be connected. The PROFIsafe bit of a
non-connected input is in the OFF state.

Note!
Make sure that an internal contact function test is carried out at
the safe inputs:
Safe input in the ON state
• A LOW level at one channel puts the input in the OFF state.
The discrepancy monitoring starts simultaneously.
• A LOW level must be detected at both channels within the
discrepancy time, otherwise a discrepancy error will be
reported.
• To be able to confirm the discrepancy error, a LOW level must
first be detected at both channels.
Safe input in the OFF state
• A HIGH level at one channel starts the discrepancy monitoring.
• A HIGH level must be detected at both channels within the
discrepancy time, otherwise a discrepancy error will be
reported.
• To be able to confirm the discrepancy error, a HIGH level must
first be detected at both channels.

Tab. 1.2-2 Specification of sensor connections

Specification                        Sensor type: passive             Sensor type: active
Discrepancy time                     30 s
Input delay                          4 ms
Input filter time for test pulses    0 ms                             15 ms
Repetition rate of the test pulses   is determined by the clock       > 50 ms
                                     outputs CLA and CLB
Error response                       EC_S1
                                     Confirmation via PROFIsafe or AIE input

Explanations
Discrepancy time
• Maximum time in which both channels of a safe input may have
non-equivalent states without the safety engineering noticing an error.
Input delay
• Time between the recognition of the signal change and the effective
evaluation of an input signal. As a result, multiple and short signal
changes due to contact bounce of the components are not taken into
account.
Input filter time
• Time during which interference pulses and test pulses, e.g. from
active sensors that are switched on, are not detected.
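
The discrepancy monitoring described in the Note and in Tab. 1.2-2, modelled as a small state machine. This is an added example, not code from the manual or from the SM300 firmware; the class and function names and the sample traces are assumptions made for illustration, and the model keeps monitoring until both channels show the expected level.

```python
from dataclasses import dataclass
from typing import Optional

DISCREPANCY_TIME_S = 30.0  # Tab. 1.2-2: discrepancy time of the SM300


@dataclass
class SafeInput:
    """Model of one two-channel safe input (e.g. I1A/I1B). Hypothetical class."""
    on: bool = False                 # logical state, as sent in the PROFIsafe bit
    error: bool = False              # latched discrepancy error
    expect: Optional[bool] = None    # level both channels must reach
    start: Optional[float] = None    # time the discrepancy monitoring started
    ack_ready: bool = False          # expected level was seen at both channels

    def sample(self, t: float, a: bool, b: bool) -> bool:
        """Feed one reading of channels A and B at time t (seconds)."""
        if self.error:
            # Input stays OFF. Confirmation is only possible once the
            # expected level has been detected at both channels.
            if a == b == self.expect:
                self.ack_ready = True
            return self.on
        if self.expect is None:
            if self.on and not (a and b):
                self.on = False              # one LOW channel is enough for OFF
                if a != b:                   # channels differ: start monitoring
                    self.expect, self.start = False, t
            elif not self.on:
                if a and b:
                    self.on = True
                elif a != b:                 # one HIGH channel: start monitoring
                    self.expect, self.start = True, t
            return self.on
        # Discrepancy monitoring is running: check the time limit first.
        if t - self.start > DISCREPANCY_TIME_S:
            self.error, self.on = True, False
            self.ack_ready = (a == b == self.expect)
        elif a == b == self.expect:
            self.on = self.expect
            self.expect = self.start = None
        return self.on

    def acknowledge(self) -> bool:
        """Confirmation via AIE or PROFIsafe; True if the error was cleared."""
        if not (self.error and self.ack_ready):
            return False
        self.error = self.ack_ready = False
        self.expect = self.start = None
        return True


def run(trace, start_on=False) -> SafeInput:
    """Replay (t, A, B) samples and return the resulting input model."""
    inp = SafeInput(on=start_on)
    for t, a, b in trace:
        inp.sample(t, a, b)
    return inp


# Constructed traces (time in seconds, channel A, channel B), not recorded data.
CLEAN_OPEN = [(0.0, True, True), (0.5, False, True), (0.6, False, False)]
STUCK_CHANNEL = [(0.0, True, True), (0.5, False, True), (31.0, False, True)]

if __name__ == "__main__":
    print("clean open   :", run(CLEAN_OPEN, start_on=True))
    print("stuck channel:", run(STUCK_CHANNEL, start_on=True))
```

In the stuck-channel trace the input goes to the OFF state at the first LOW edge, and the discrepancy error follows only after the 30 s have elapsed.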
1.2.4.2 Connection of passive sensors
Connection of passive sensors
The safe sensor inputs I1A, I1B and I2A, I2B are only suitable for equivalent
switching passive sensors.
To monitor passive sensors according to EN 954-1, cat. 3, the clock outputs
CLA and CLB must be wired. Please observe the following:
• The clock outputs are only suitable for monitoring the passive sensors.
• Always connect ...
– ... CLA with the A channel of the sensor input via the sensor.
– ... CLB with the B channel of the sensor input via the sensor.
– ... GCL with GIx of the sensor input.
• The sensor inputs are tested cyclically through short LOW operation.
These errors are detected:
• Short circuit to supply voltage.
• Short circuit between the input signals when different clock outputs
are used.
• Non-equivalent input signals after the discrepancy time.
These errors are not detected:
• Short circuit between the input signals when the same clock outputs
are used.
Avoid unrecognisable errors through the installation, e.g. by separated cable
routing.
[Fig. 1.2-4: Ways to detect errors (SSP94SM351). Passive sensors S1 and S2 wired to the SM300 (E94AYAD) terminals CLA, CLB, GCL, GI1, I1A, I1B, GI2, I2A, I2B; unrecognisable errors are marked in the figure.]
1.2.4.3 Connection of active sensors
The safe sensor input I4A and I4B is suitable for an active sensor.
PN-switched input signals are permissible.
The line monitoring must comply with the requirements of category 3.
Drive-based safety does not provide for line monitoring.
These errors are detected:
• Non-equivalent input signals after the discrepancy time.
[Fig. 1.2-5: Functional example of PN-switching sensor (SSP94SM352)]
Legend:
S    Sensor
P    Positive path
M    Negative path
1.2.4.4 Connection plans
[Fig. 1.2-6: Wiring example SM300 (SSP94SM350)]
Legend:
E94AYAD     Safety module SM300, version VA1.xx
S1, S2      passive sensor with channel A and B
S4          Lightgrid (active sensor)
24 V ext.   24-V voltage supply (SELV/PELV)
1.3 Safety functions
1.3.1 Integration into the application of the controller
For the use of the functions, certain settings in the controller are required.
Here, the Lenze PC software »Engineer« supports and guides you.
When a safety function is required, the safety technology activates the
corresponding safe monitoring function. However, the standstill function is
only directly executed with the "safe torque off" (STO) function. Other safety
functions in which a controller action is required will need to be safely
monitored.
The actions of the drive (e.g. braking, braking to standstill, keeping the
standstill position) must be implemented in the basic device.
Depending on the design of the basic device, the user applications are
created by means of programming according to IEC 61131 or parameter
setting. For this purpose the system block InterfaceSafetyModule or the
control word SM_dwControl must be implemented into the control
configuration of the controller.
The connection to a user application serves to achieve the following:
1. Activation of the safety function in the safety module, e.g. SS1 → the
monitoring starts.
2. The safety module transmits the information to the basic device that
the function has been activated using the corresponding bit in the
control word SM_dwControl.
3. The application must evaluate the control word and start the motion
sequence, e.g. braking etc.
Internal communication
Safety module and basic device communicate via an internal interface.
The request for a safety function is contained within the control word, the
information of which must be processed by the application.

Tab. 1.3-1 Communication telegram from the safety module to the basic device.

Information     Offset   Bit
                Byte     7      6      5      4       3        2      1        0
SM_dwControl    4        SDIp   -      -      -       -        -      SS1      STO
                5        -      -      -      -       -        -      -        SDIn
                6        -      -      -      -       -        -      -        -
                7        -      -      -      -       -        -      -        -
SM_wState       8        -      -      -      EC_S1   EC_S0    -      -        STO
                9        -      -      -      -       -        -      -        -
SM_wIo_State    10       -      AIE    -      -       SD-In4   -      SD-In2   SD-In1
                11       -      -      -      -       -        -      -        -

Details SM_dwControl

Name    Value   Description                                            IEC 61800-5-2
STO     0       No request                                             Safe Torque Off
        1       Request of the function
SS1     0       No request                                             Safe Stop 1
        1       Request of the function
SDIp    1       Safe positive direction of rotation enabled (fixed)    Safe Direction
SDIn    1       Safe negative direction of rotation enabled (fixed)    Safe Direction
-       0       Reserved for future extensions

Details SM_wState

Name    Value   Description                        IEC 61800-5-2
EC_S1   0       Normal operation                   -
        1       Stop category 1 error activated
EC_S0   0       Normal operation
        1       Stop category 0 error activated
STO     0       Normal operation                   Safe Torque Off
        1       Pulse inhibit activated

Details SM_wIo_State

Name    Value   Description
SD-I1   0       Sensor input 1 in the OFF state, at least one channel
        1       Sensor input 1 in the ON state
SD-I2   0       Sensor input 2 in the OFF state, at least one channel
        1       Sensor input 2 in the ON state
SD-I4   0       Sensor input 4 in the OFF state, at least one channel
        1       Sensor input 4 in the ON state
AIE     0       Idle state
        0 → 1   Error confirmed
        1       Temporary status

If the communication with the basic device is interrupted, e.g. by switching
off the basic device, a fault is activated and the LED "ME" begins blinking. The
required confirmation can be executed via AIE or PROFIsafe. Further
information can be obtained from the chapter "Error status".
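
A decoder for bytes 4 to 11 of the telegram in Tab. 1.3-1, with the plausibility checks that follow from "Details SM_dwControl" and the stop selection the application has to make in step 3. This is an added example, not code from the manual or from Lenze; the function names and the two sample telegrams are constructed, and bytes 0 to 3, which the table does not describe, are filled with zeros.

```python
# (byte offset, bit) of every named flag, as laid out in Tab. 1.3-1
LAYOUT = {
    "SM_dwControl": {"STO": (4, 0), "SS1": (4, 1), "SDIp": (4, 7), "SDIn": (5, 0)},
    "SM_wState": {"STO": (8, 0), "EC_S0": (8, 3), "EC_S1": (8, 4)},
    "SM_wIo_State": {"SD-In1": (10, 0), "SD-In2": (10, 1),
                     "SD-In4": (10, 3), "AIE": (10, 6)},
}
CONTROL_BYTES = range(4, 8)   # SM_dwControl occupies bytes 4..7
MIN_LENGTH = 12               # the table describes offsets up to byte 11


def decode(telegram: bytes) -> dict:
    """Return {word: {flag: bool}} for the three words of the telegram."""
    if len(telegram) < MIN_LENGTH:
        raise ValueError(f"telegram too short: {len(telegram)} < {MIN_LENGTH} bytes")
    return {
        word: {name: bool((telegram[off] >> bit) & 1)
               for name, (off, bit) in flags.items()}
        for word, flags in LAYOUT.items()
    }


def findings(telegram: bytes) -> list:
    """Checks from 'Details SM_dwControl': reserved bits are 0, SDIp/SDIn are 1."""
    ctrl = decode(telegram)["SM_dwControl"]
    used = {}
    for off, bit in LAYOUT["SM_dwControl"].values():
        used[off] = used.get(off, 0) | (1 << bit)
    out = []
    for off in CONTROL_BYTES:
        stray = telegram[off] & ~used.get(off, 0) & 0xFF
        if stray:
            out.append(f"reserved bits set in byte {off}: 0x{stray:02X}")
    for name in ("SDIp", "SDIn"):
        if not ctrl[name]:
            out.append(f"{name} is 0 although it is listed as fixed to 1")
    return out


def requested_stop(telegram: bytes) -> str:
    """Stop the application has to act on: 'STO', 'SS1' or 'none'."""
    ctrl = decode(telegram)["SM_dwControl"]
    if ctrl["STO"]:
        return "STO"   # SS1 is the subordinated function of STO
    if ctrl["SS1"]:
        return "SS1"
    return "none"


# Constructed sample telegrams; bytes 0..3 are placeholders.
# SS1 requested, SDIp/SDIn set, sensor inputs 1 and 4 in the ON state.
SS1_REQUEST = bytes([0, 0, 0, 0, 0x82, 0x01, 0, 0, 0x00, 0, 0x09, 0])
# STO and SS1 both requested, a reserved bit set, SDIp/SDIn cleared,
# SM_wState reporting STO and EC_S1.
IMPLAUSIBLE = bytes([0, 0, 0, 0, 0x07, 0x00, 0, 0, 0x11, 0, 0x00, 0])

if __name__ == "__main__":
    for label, tg in (("SS1 request", SS1_REQUEST), ("implausible", IMPLAUSIBLE)):
        print(label, decode(tg), requested_stop(tg), findings(tg))
```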
1.3.2 Error states
Detected errors or maloperation of the drive are assigned to error states with
definite reactions. The reaction can be co-ordinated with the complete drive
via the error states.

Tab. 1.3-2 Overview of error states

Features                    Error status
                            System error             Error                    Trouble
Event                       Fatal internal error     Error                    Monitoring function
LED "ME"                    On                       Blinking                 Flashing
Status of safety module     Lockout (CPU stopped)    Error status             Normal operation
The control category        ... has been             ... has been             ... has not been
according to EN 954-1 ...   abandoned                abandoned                abandoned

Reaction
  The motor immediately switches to torque-free operation via
  • STO
  The motor is stopped via
  • STO or
  • SS1

Confirmation after deactivated event
  System error:
  • Connection and disconnection of the 24-V supply at the safety module
  Error:
  • Pulse at AIE (0.3 s < t < 10 s)
  • via PROFIsafe
  • Connection and disconnection of the 24-V supply at the safety module
  Trouble:
  • Pulse at AIE (0.3 s < t < 10 s)
  • via PROFIsafe

Response to the confirmation
  • The module is reset.
  • The PROFIsafe communication is interrupted.

  • The module is not reset.
  • The PROFIsafe communication is not interrupted.

If errors occur in the PROFIsafe communication, the data is deactivated by
the PROFIsafe driver. The STO function is activated.
After the PROFIsafe communication is reinitialised, the drive is
automatically enabled again if no standstill function is selected.

Note!
If the system error also occurs after switching the 24-V supply,
please contact the service.
Logbook
Error states are saved in the logbook of the standard device. The following is
entered:
• Decimal error number without plain text
• A time mark for each event
The available logbook entries can be displayed in the »Engineer« when an
online connection has been established.
Events which cause an error status are sent as a diagnostic telegram via
PROFIBUS.

Tab. 1.3-3 Description for the numerical entries

Area               Error number   Description                                             Error status, note
Stop functions     0    0x00      Not used                                                -
                   1    0x01      Internal error, STO error is active                     STO error
                   2    0x02      Internal error, SS1 error is active                     SS1 error
PROFIsafe          33   0x21      Invalid PROFIsafe target address                        STO error
                   34   0x22      PROFIsafe communication error                           STO, no error status,
                   35   0x23      PROFIsafe monitoring time activated                     no diagnostic telegram
                   36   0x24      PROFIsafe deactivated                                   via PROFIBUS
                   37   0x25      PROFIsafe has left DataExchange
                   38   0x26      Invalid data in the PROFIsafe user area
                   39   0x27      Wrong parameters received from F-PLC
Inputs             49   0x31      Discrepancy error - input SD-In1                        SS1 error
                   50   0x32      Discrepancy error - input SD-In2
                   52   0x34      Discrepancy error - input SD-In4
                   54   0x36      Discrepancy error - input AIE                           STO error
Test functions     81   0x51      Internal short circuit in one of the inputs             SS1 error
                   82   0x52      Short circuit in one of the clock outputs CLA or CLB
                   93   0x5D      Internal error of the safe switch-off logic             STO error
Safety functions   97   0x61      SS1: The drive has not reached zero speed within the    STO error
                                  stopping time (30 s).

1.3.3 Safe torque off
1.3.3.1 Description
Safe Torque Off / STO
This function corresponds to a ”Stop 0” according to EN 60204.
When this function is used, the power supply of the motor is immediately
safely interrupted. The motor cannot create a torque and thus no dangerous
movements of the drive can occur. Additional measures, e.g. mechanical
brakes are needed against movements caused by external force.
Priority function: none
Subordinated function: SS1
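
[Figure SMxDIASTO: diagram of the STO function, showing the request signal and the motor speed n over the time axis t]

Legend:
ƒ Input signal of the request of a safety function
ƒ '1': Logic signal level "1" / "true"
ƒ n: Speed characteristic n of the motor
ƒ tx: Action instant
ƒ t: Time axis

1.3.3.2 Conditions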
Condition for using the function:
ƒ The basic device must be equipped with a communication module
E94AYCPM (PROFIBUS-DP), SW version 0.9 and connected to the
PROFIBUS.
ƒ The basic device must receive PROFIBUS data telegrams from a master
controller.

Danger!
If the request for the safety function is cancelled, the drive will
restart automatically.
You must provide external measures which ensure that the drive
only restarts after a confirmation (EN 60204).

1.3.3.3 Settings
This function does not have any parameters to be set.

1.3.3.4 Activation
How to activate the function:
ƒ A PROFIBUS data telegram with corresponding PROFIsafe contents is
transmitted to the basic device (see 1.3-12).

1.3.4 Safe stop 1

1.3.4.1 Description

Safe Stop 1 / SS1
This function corresponds to a "Stop 1" according to EN 60204.
When this function is used, the motor is stopped within an adjustable
stopping time. The complete function sequence cannot be deactivated.
When the speed n = 0 is reached or the stopping time elapses, whichever
occurs first, the power supply of the motor is immediately safely
interrupted (STO). The motor cannot create torque and thus no
dangerous movements of the drive can occur. Additional measures, e.g.
mechanical brakes, are needed against movements caused by external force.
Priority function: STO
Subordinated function: None
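
[Figure SMxDIASS1: diagram of the SS1 function, showing the request signal and the motor speed n over the time axis t, with the monitored stopping time tS]

Legend:
ƒ Input signal of the request of a safety function
ƒ '1': Logic signal level "1" / "true"
ƒ n: Speed characteristic n of the motor
ƒ tx: Action instant
ƒ tS: Monitored stopping time
ƒ Solid line: Normal operation
ƒ Dashed line: Incorrect operation
ƒ t: Time axis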

1.3.4.2 Conditions
Condition for using the function:
ƒ The basic device must be equipped with a communication module
E94AYCPM (PROFIBUS-DP), SW version 0.9 and connected to the
PROFIBUS.
ƒ The basic device must receive PROFIBUS data telegrams from a master
controller.

Danger!
If the request for the safety function is cancelled, the drive will
restart automatically.
You must provide external measures which ensure that the drive
only restarts after a confirmation (EN 60204).

1.3.4.3 Settings
This function does not have any parameters to be set.
Permanently set parameters:
ƒ The stopping time amounts to tS = 30 s.

Tip!
In many applications the stopping time is < 30 s. In that case STO is
already activated, and the SS1 function ends, as soon as speed "0" is
reached.
To determine the maximum response time, use the stopping time (30 s).
This time can only be reduced by having the safe control set the STO
function after the application-specific stopping time.

1.3.4.4 Activation
How to activate the function:
ƒ A PROFIBUS data telegram with corresponding PROFIsafe contents is
transmitted to the basic device (see 1.3-12).

1.3.5 Safe PROFIsafe connection

1.3.5.1 Conditions
The SM300 supports the transmission of safe information via the PROFIsafe
protocol according to the specification "PROFIsafe - Profile for Safety
Technology", Version 1.30, of the PROFIBUS Nutzerorganisation (PNO). The
basic device transmits the PROFIsafe information to the SM300 for safe
evaluation.
Condition for using the function:
ƒ The basic device must be equipped with a communication module
E94AYCPM (PROFIBUS-DP), SW version 0.9 and connected to the
PROFIBUS.
ƒ The basic device must receive PROFIBUS data telegrams from a master
controller.

1.3.5.2 Response times
To determine the response time to a safety function, the entire system
must be considered. The following is relevant:
ƒ Response time of the connected sensors.
ƒ Input delay of the safety inputs.
ƒ Internal processing time.
ƒ Monitoring time for the cyclic service in the PROFIBUS.
ƒ Monitoring time of the PROFIsafe in the safety PLC.
ƒ Processing time in the safety PLC.
ƒ Delay times due to further components.

[Fig. 1.3-1 (lcu12x_352): Response times to the request of a safety function. The diagram marks the time intervals t1 to t5 and the PROFIsafe cycle time tPs, starting at t = 0, along the path from the safety sensor technology through the microcontrollers and the PROFIBUS to the activated safety function.]

Legend:
ƒ Components shown: basic device, safety module, safety PLC
ƒ μC: Microcontroller
ƒ S: Safety sensor technology
ƒ SF: Activated safety function

Response time to an event in the safety sensors (PROFIsafe input data)

Time interval (Fig. 1.3-1)                                          [ms]
t1    Response time of the sensors                                  according to manufacturer information
t2    Input delay of the safe inputs                                passive sensors: 4 + 15
                                                                    active sensors: 0 + 15
t3    Processing time in drive-based safety                         24
      PROFIsafe input data ready for transmission to ...            Σ
tPs   PROFIsafe cycle time                                          according to manufacturer information
      PROFIsafe input data ready for processing in the safety       Σ
      PLC ...

Tab. 1.3-4  Response time to an event in the sensors

Response time to a PROFIsafe control word (PROFIsafe output data)

Time interval (Fig. 1.3-1)                                          [ms]
t4    Processing time in the safety PLC                             must be calculated
tPs   PROFIsafe cycle time                                          according to manufacturer information
t5    Processing time in drive-based safety                         14
      Safety function starts after ...                              Σ

Tab. 1.3-5  Response time in case of PROFIsafe request

Information on how to calculate the processing time and transmission time
of the PROFIsafe can be found in the documentation of the safety PLC used.

Note!
When the PROFIsafe communication is disturbed, the system changes
to the fail-safe state after the PROFIsafe monitoring time
(F_WD_Time) has elapsed (see Tab. 1.3-16).

Example
ƒ After an event has occurred at a safe input, the message is fed back to
drive-based safety via the safety PLC.
ƒ Drive-based safety activates a safety function.
ƒ Hence, the maximum response time to the event is calculated as
follows:

tmax response = t1 + t2 + t3 + max {tWD; tPs + t4 + tPs + t5}

When calculating the maximum response time, include the times of the
safety functions, e.g. in case of SS1 the stopping time (30 s) until STO is
active.
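
The formula above, worked through as an added example (not code from the manual). Assumptions: tWD is taken to be the configured F_WD_Time, the entries "4 + 15" and "0 + 15" for t2 are read as sums, and the function and parameter names are hypothetical.

```python
"""Worst-case response time to a sensor event for the SM300 (added example)."""

# Tab. 1.3-4: input delay t2, with "4 + 15" / "0 + 15" read as sums (assumption)
T2_INPUT_DELAY_MS = {"passive": 4 + 15, "active": 0 + 15}
T3_PROCESSING_MS = 24              # Tab. 1.3-4, processing time in drive-based safety
T5_PROCESSING_MS = 14              # Tab. 1.3-5, processing time in drive-based safety
SS1_STOPPING_TIME_MS = 30_000      # fixed SS1 stopping time tS = 30 s
F_WD_TIME_RANGE_MS = (110, 65535)  # Tab. 1.3-16


def max_response_ms(t1_sensor, sensor_kind, t_ps, t4_plc, t_wd, function="STO"):
    """Return (total_ms, breakdown) for t1 + t2 + t3 + max{tWD; tPs + t4 + tPs + t5}.

    t1_sensor, t_ps and t4_plc come from the sensor and safety PLC documentation;
    t_wd is assumed to be the configured F_WD_Time. All values in ms.
    """
    low, high = F_WD_TIME_RANGE_MS
    if not low <= t_wd <= high:
        raise ValueError(f"F_WD_Time {t_wd} ms outside {low} ... {high} ms")
    if function not in ("STO", "SS1"):
        raise ValueError("function must be 'STO' or 'SS1'")
    input_side = t1_sensor + T2_INPUT_DELAY_MS[sensor_kind] + T3_PROCESSING_MS
    via_plc = t_ps + t4_plc + t_ps + T5_PROCESSING_MS  # to the safety PLC and back
    total = input_side + max(t_wd, via_plc)
    if function == "SS1":
        total += SS1_STOPPING_TIME_MS  # torque is removed only when STO follows SS1
    breakdown = {
        "input_side_ms": input_side,
        "via_plc_ms": via_plc,
        "watchdog_ms": t_wd,
        "dominant": "watchdog" if t_wd >= via_plc else "plc_path",
    }
    return total, breakdown


if __name__ == "__main__":
    # Constructed sample values, not taken from any data sheet.
    print(max_response_ms(10, "passive", 20, 30, 150))
    print(max_response_ms(10, "passive", 20, 30, 150, "SS1"))
```

The breakdown shows which branch of the max{} term sets the result, which is the term to revisit when the calculated time is too long for the risk analysis.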

1.3.5.3 Description

Addressing
An unambiguous PROFIsafe target address ensures that a data telegram
reaches the correct node.
A valid address in the range from 1 to 1023 can be set via the DIP
switch. The address 0 is invalid and causes an error in the module.

DIP switch labelling        1   2   3   4   5    6    7    8     9     0
Value of the address bit    1   2   4   8   16   32   64   128   256   512

Tab. 1.3-6  Address setting

Note!
The combination "safety module SM300 from version VA 1.08
and communication module PROFIBUS from version VB 0.93"
makes it possible to avoid the error that occurs when the
address is set to 0. For this purpose, a defined PROFIsafe target
address must be saved in C13897 or 14897 in the PROFIBUS
communication module.

PROFIsafe frame
The PROFIsafe data is transmitted in the first slot of a PROFIBUS data
telegram.
This must be observed for the hardware configuration of the safety PLC!

PROFIBUS data telegram:
Header | PROFIsafe data (Slot 1) | Data (Slot 2) | Trailer

PROFIsafe data
In the PROFIsafe data, one bit each is used to control a certain safety
function. The structure of the PROFIsafe data is described in the PROFIsafe
profile. The length of the PROFIsafe data (PROFIsafe message) in slot 1 is
fixed at 8 bytes in the SM300. The data is composed according to the
following structure:

Byte offset    Bits 7 ... 0
0 ... 3        PROFIsafe process data (safe user data)
4              Control byte or status byte
5              Consecutive number
6 ... 7        CRC2 (signature consists of PROFIsafe process data and
               PROFIsafe parameters)

Tab. 1.3-7  Structure of the PROFIsafe data

The meaning of the PROFIsafe process data is separately described for
PROFIsafe output data and PROFIsafe input data. All described bits are
evaluated.
Unassigned bits are reserved for future functions and marked with "-". These
bits must be transmitted as "0".

PROFIsafe output data
The PROFIsafe output data is transmitted from the control to the safety
module.

Byte offset   Bit 7   Bit 6   Bit 5   Bit 4   Bit 3   Bit 2   Bit 1    Bit 0
0             -       -       -       -       -       -       SS1      STO
1             -       -       -       -       -       -       -        -
2             -       -       -       -       -       -       PS_AIE   -
3             -       -       -       -       -       -       -        -

Tab. 1.3-8  Structure of the PROFIsafe output data

Details of the PROFIsafe output data

Name     Value    Description
STO      0        The STO function is activated.
         1        The function is deactivated.
SS1      0        The SS1 function is activated. The complete function
                  sequence cannot be deactivated.
         1        The function is deactivated.
PS_AIE   0        Idle state
         0 → 1    Activation of fault acknowledgement.
                  The bit must be set for at least one PROFIsafe cycle.
-        0        Reserved for future extensions

Tab. 1.3-9  Detailed specification of the PROFIsafe output data

Control byte
Only the specified bits of the PROFIsafe control byte are supported:

Byte offset   Bit 7   Bit 6   Bit 5   Bit 4         Bit 3   Bit 2   Bit 1   Bit 0
4             -       -       -       activate_FV   -       -       -       -

Tab. 1.3-10  Structure of the PROFIsafe control byte

Details of the control byte

Name          Value   Description
activate_FV   1       The PROFIsafe output data is deactivated. Thus, the
                      STO function is activated.
              0       The function is deactivated.
-             0       Reserved for future extensions

Tab. 1.3-11  Detail specification of the control byte

PROFIsafe input data
The PROFIsafe input data is transmitted to the control by the safety module.

Byte offset   Bit 7   Bit 6   Bit 5   Bit 4   Bit 3    Bit 2   Bit 1        Bit 0
0             -       -       -       -       -        -       Status SS1   Status STO
1             -       -       -       -       -        -       -            -
2             -       -       -       -       -        -       -            -
3             Error   -       -       -       SD-In4   -       SD-In2       SD-In1

Tab. 1.3-12  Structure of the PROFIsafe input data

Details of the PROFIsafe input data

Name     Value   Description
STO      0       The STO function is not active.
         1       The STO function is active and the drive is safely switched
                 to torque-free operation.
                 This bit is also set at the end of the stopping time by SS1.
SS1      0       The SS1 function is not active.
         1       The SS1 function is active.
                 At the end of the function the STO bit is set.
SD-In1           Sensor at I1A and I1B
         0       At least one channel is in the OFF state
         1       The channels A and B are in the ON state
SD-In2           Sensor at I2A and I2B
         0       At least one channel is in the OFF state
         1       The channels A and B are in the ON state
SD-In4           Sensor at I4A and I4B
         0       At least one channel is in the OFF state
         1       The channels A and B are in the ON state
Error    0       Error status is not active.
         1       Error status is active.
-        0       Reserved for future extensions

Tab. 1.3-13  Detailed specification of the PROFIsafe input data

Status byte
Only the specified bits of the PROFIsafe status byte are supported:

Byte offset   Bit 7   Bit 6   Bit 5   Bit 4          Bit 3                    Bit 2             Bit 1   Bit 0
4             -       -       -       FV_activated   COM-Failure WD-Timeout   COM-Failure CRC   -       -

Tab. 1.3-14  Structure of the PROFIsafe status byte

Details of the status byte

Name                     Value   Description
COM-Failure CRC          0       Status is not active.
                         1       Status after communication error is active.
COM-Failure WD-Timeout   0       Status is not active.
                         1       Status after time-out is active.
FV_activated             0       The function is not active.
                         1       The PROFIsafe input data is deactivated.
-                        0       Reserved for future extensions

Tab. 1.3-15  Detail specification of the status byte
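
The bit layout of Tab. 1.3-7 to Tab. 1.3-15 as a decoder for a captured 8-byte slot-1 message, for example in commissioning checks or bus monitoring. This is an added example, not code from the manual; the class and function names are hypothetical, and CRC2 is kept as raw bytes without being verified.

```python
"""Decode the 8-byte SM300 PROFIsafe message from slot 1 (added example)."""
from dataclasses import dataclass

# (byte offset, bit) of every assigned bit, per Tab. 1.3-8/-10 (output)
# and Tab. 1.3-12/-14 (input). Byte 4 is the control or status byte.
LAYOUT = {
    "output": {"STO": (0, 0), "SS1": (0, 1), "PS_AIE": (2, 1),
               "activate_FV": (4, 4)},
    "input": {"Status STO": (0, 0), "Status SS1": (0, 1),
              "SD-In1": (3, 0), "SD-In2": (3, 1), "SD-In4": (3, 3),
              "Error": (3, 7), "COM-Failure CRC": (4, 2),
              "COM-Failure WD-Timeout": (4, 3), "FV_activated": (4, 4)},
}


@dataclass
class Sm300Message:
    direction: str             # "output": control -> SM300, "input": SM300 -> control
    flags: dict                # bit name -> 0 or 1
    consecutive_number: int    # byte 5
    crc2: bytes                # bytes 6..7, kept raw and not verified here
    reserved_violations: list  # (byte, bit) of reserved bits that are not 0


def decode(frame: bytes, direction: str) -> Sm300Message:
    if len(frame) != 8:
        raise ValueError("the SM300 PROFIsafe message is always 8 bytes long")
    layout = LAYOUT[direction]
    flags = {name: (frame[byte] >> bit) & 1
             for name, (byte, bit) in layout.items()}
    assigned = set(layout.values())
    # Every unassigned bit in bytes 0..4 is reserved and must be 0.
    violations = [(byte, bit) for byte in range(5) for bit in range(8)
                  if (byte, bit) not in assigned and (frame[byte] >> bit) & 1]
    return Sm300Message(direction, flags, frame[5], bytes(frame[6:8]), violations)


def requested_functions(msg: Sm300Message) -> set:
    """Safety functions an output message requests; request bits are active-low."""
    if msg.direction != "output":
        raise ValueError("only PROFIsafe output data carries requests")
    requested = set()
    # activate_FV = 1 deactivates the output data, which activates STO.
    if msg.flags["STO"] == 0 or msg.flags["activate_FV"] == 1:
        requested.add("STO")
    if msg.flags["SS1"] == 0:
        requested.add("SS1")
    return requested
```

Because the request bits are active-low, an all-zero process data area decodes as a request for both STO and SS1, and any set reserved bit shows up in `reserved_violations`.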

PROFIsafe parameters
These PROFIsafe parameters and contents are supported:

Name             Description                                       Valid contents
F_Source_Add     PROFIsafe source address of the safety PLC        0x01 ... 0xFFFE
F_Dest_Add       PROFIsafe target address of the safety module     0x01 ... 0x3FF
F_WD_Time        PROFIsafe monitoring time of the safety module    110 ... 65535 ms
F_Check_SeqNo    Check sequence no. in CRC                         0
F_Check_iPar     Check iparameters CRC3 in CRC                     0
F_SIL            Supported SIL (Safety Integrity Level)            0 → SIL1
                                                                   1 → SIL2
                                                                   2 → SIL3
F_CRC_Length     Length of CRC                                     1
F_Block_ID       Identification of the parameter type              0
F_Par_Version    Version of the safety layer                       0
F_Par_CRC        Cyclic CRC                                        Is calculated

Tab. 1.3-16  Supported PROFIsafe parameters

Diagnostic messages
Incorrect configurations of the PROFIsafe parameters are reported to the
safety PLC by means of a diagnostic telegram (see PROFIBUS Communication
Manual).

Diagnostic information

Error number    Description
64              The PROFIsafe target address set does not comply with the
                parameter F_Dest_Add.
65              The F_Dest_Add parameter has the invalid value 0x0000 or 0xFFFF.
66              The F_Source_Add parameter has the invalid value 0x0000 or 0xFFFF.
67              The F_WD_Time parameter has the invalid value 0 ms.
68              The F_SIL parameter does not have the valid value 0 ... 2.
69              The F_CRC_Length parameter does not have the valid value 2.
70              The version of the PROFIsafe parameter set is wrong.
71              CRC1 error

Tab. 1.3-17  Information contents of byte 11

GSE file
The GSE file contains all information on the configuration of the PROFIBUS
system. This makes the integration easy and user-friendly.

Tip!
You will find the current GSE file for this Lenze product in the
Internet in the ”Downloads” area under
http://www.Lenze.com

1.4 Acceptance

1.4.1 Description
The machine manufacturer must check and prove the operability of the
safety functions used.
Inspector
The machine manufacturer must authorise a person with expertise and
knowledge of the safety functions to carry out the test.
Protocol
The test result of every safety function must be documented and signed.
Scope
A complete test comprises the following:
ƒ Documentation of the plant including the safety functions.
– Plant description and overview map
– Description of the safety devices
– Safety functions used
ƒ Functional test of all safety functions used.
ƒ Preparing the test report
– Documenting the functional test
– Controlling the parameters
– Signing
ƒ Preparing the appendix with test records
– Protocols from the plant
– External recording

1.4.2 Periodic inspections
The correct sequence of the safety-oriented functions must be checked in
periodic inspections. The risk analysis or applicable regulations determine
the intervals between the tests. The inspection interval should not
exceed one year.

EDS94AYAD 2.2 10/2006
© 2006
TD14
Lenze Drive Systems GmbH
Hans-Lenze-Straße 1
D-31855 Aerzen
Germany
Service
¬ Service
+49 (0) 51 54 82-0
E-Mail
Internet
Lenze@Lenze.de
www.Lenze.com
00 80 00 24 4 68 77 (24 h helpline)
+49 (0) 51 54 82-1112