Rexroth IndraDrive
Integrated Safety Technology

Functional and Application Description


R911297838
Edition 01

About this Documentation

Title: Rexroth IndraDrive Integrated Safety Technology
Type of Documentation: Functional and Application Description
Document Typecode: DOK-INDRV*-SI*-VRS**-FK01-EN-P
Internal File Reference: Document Number, 120-2400-B308-01/EN
Purpose of Documentation: This documentation is used to
- make oneself familiar with the subject of "Integrated Safety Technology",
- get to know the IndraDrive system with integrated safety technology,
- employ and commission application-related safety functions,
- enable you to recognize and fix errors and
- enable you to replace the hardware and update the firmware.

Record of Revisions
Description | Release Date | Notes
DOK-INDRV*-SI*-VRS**-FK01-EN-P | 03.2004 | First edition

Copyright: 2004 Bosch Rexroth AG
Copying this document, giving it to others and the use or communication of the contents thereof without express authority, are forbidden. Offenders are liable for the payment of damages. All rights are reserved in the event of the grant of a patent or the registration of a utility model or design (DIN 34-1).

Validity: The specified data is for product description purposes only and may not be deemed to be guaranteed unless expressly confirmed in the contract. All rights are reserved with respect to the content of this documentation and the availability of the product.

Published by: Bosch Rexroth AG, Bgm.-Dr.-Nebel-Str. 2, D-97816 Lohr a. Main
Telephone +49 (0)93 52/40-0, Tx 68 94 21, Fax +49 (0)93 52/40-48 85
http://www.boschrexroth.com/
Dept. ED

Note: This document has been printed on chlorine-free bleached paper.

Further documentations

Title | Type of documentation | Document typecode | Part number
Rexroth IndraDrive M Drive Controllers, Power Section | Project Planning Manual | DOK-INDRV*-HMS+HMD****-PR01-EN-P | R911295014
Rexroth IndraDrive Drive Controllers, Control Section | Project Planning Manual | DOK-INDRV*-CSH********-PR01-EN-P | R911295012
Electromagnetic Compatibility (EMC) in Drive and Systems | Project Planning Manual | DOK-GENERL-EMV********-PR02-EN-P | R911259814
Rexroth IndraDrive Drive Controllers | Parameter Description | DOK-INDRV*-GEN-**VRS**-PA01-EN-P | R911297317
Rexroth IndraDrive Drive Controllers | Troubleshooting Guide | DOK-INDRV*-GEN-**VRS**-WA01-EN-P | R911297319
Fig.: Further documentations

Contents

1 What is "Integrated Safety Technology"? 1-1
  1.1 Product Presentation 1-1

2 Safety Instructions for Electric Drives and Controls 2-1
  2.1 Introduction 2-1
  2.2 Explanations 2-2
  2.3 Hazards by Improper Use 2-3
  2.4 General Information 2-3
  2.5 Protection Against Dangerous Movements 2-5

3 Important directions for use 3-1
  3.1 Appropriate use 3-1
      Introduction 3-1
      Areas of use and application 3-2
  3.2 Inappropriate use 3-2

4 Safety Technology Fundamentals 4-1
  4.1 General Information 4-1
  4.2 Hazard Analysis and Risk Management 4-1
  4.3 Safety-Relevant Standards and Regulations 4-3
      Standards Relevant to Components 4-3
      Standards Relevant to Machines 4-3
      Overview of the Required Safety Categories in C Standards 4-4
  4.4 Definition of Terms 4-4

5 Drive System with Safety Related Starting Lockout 5-1
  5.1 General Information 5-1
  5.2 Safety Function 5-1
      Safety Related Starting Lockout 5-1
  5.3 Forced Dynamization 5-2
  5.4 Command Value Selection Requirements 5-2
  5.5 Selecting the Starting Lockout 5-2
  5.6 Examples of Application 5-3

6 Drive System with Integrated Safety Functions 6-1
  6.1 Basic Structure 6-1
      Comparison with Conventional Safety Technology 6-2
  6.2 Overview of Safety Functions 6-3
      "Safety Related Stopping Process" Safety Functions 6-4
      Safely Monitored Shutdown 6-6
      Safety Related Homing Procedure (via Two Channels) 6-6
      Safety Function "Movement with Safety Related Speed" 6-8
      "Safety Related Feedback" Safety Functions 6-10
  6.3 I/O Reaction Times 6-12
  6.4 Functional Principle of Integrated Safety Technology 6-12
      Dual-Channel Structure 6-13
      Cross Data Comparison 6-14
      Dynamization 6-15
  6.5 Demands on the Controls 6-15
  6.6 Activating the Safety Functions 6-16
  6.7 Feedback, Status (Safe/Unsafe) to Peripherals 6-20
      Safe Feedback to a Safety PLC 6-21
      Safety Related Control of a Door Locking Device 6-22
  6.8 Examples of Application 6-24
      Overall View 6-24
      Selecting Normal/Special Mode with Position Monitoring of a Safety Door with Door Locking Device 6-25
      Enabling Control with Three Settings 6-27
      Command Device with Automatic Reset (Safety Related Jog Button) 6-28
      Temporary Inspections or Visual Checks in the Danger Zone 6-29
      Working When Drive is without Torque/Force 6-31
      Drive Groups for Different Danger Zones 6-35
      Safety Related Activation of the Locking Device of Several Protective Doors 6-37

7 Commissioning Safety Technology 7-1
  7.1 General Information 7-1
  7.2 Commissioning the Drive with Safety Technology Inactive 7-1
  7.3 Commissioning Safety Technology 7-2
      Entering a Safety Technology Device Identifier 7-2
      Selecting the Required Safety Functions 7-2
      Specifying/Programming the Required Input Signals to Select the Safety Functions 7-2
      Specifying/Programming the Required Output Signals for Feedback of Safety Functions 7-3
      Setting the Safety Function Parameters 7-4
  7.4 Setting the System Behavior 7-6
  7.5 Activating Safety Technology 7-6
      Safety Parameter Plausibility Check 7-6
      Synchronizing the System Memory and Storing the New Parameters 7-7
      Completing Commissioning 7-7
  7.6 The Safety System in Parameterization Mode and After Initialization 7-7
  7.7 Deactivating Safety Technology 7-8
  7.8 Modification Status and Modification History 7-8

8 Acceptance Test 8-1
  8.1 Acceptance Procedure 8-1
      Complete Acceptance Test 8-1
      Partial Acceptance Test 8-1
  8.2 Checklist for Acceptance Test 8-1

9 Error Messages, Warnings and Error Elimination 9-1
  9.1 Firmware Code 9-1
  9.2 Errors 9-1
  9.3 Warnings in Operating Mode "Normal Operation" 9-1
  9.4 Status Messages 9-2
  9.5 Modification Status of the Safety Memory 9-2
  9.6 Tracing the Modification History 9-2

10 Firmware Update, Replacing the Power and Control Sections 10-1
  10.1 Firmware Update 10-1
  10.2 Replacing the Power Section 10-1
  10.3 Replacing the Control Section 10-1

11 Declaration of Conformity and Mark Certificate 11-1
  11.1 "Starting Lockout" Optional Module 11-1
  11.2 "Safety Technology I/O" Optional Module 11-3

12 Index 12-1

1 What is "Integrated Safety Technology"?

1.1 Product Presentation
The control sections of the IndraDrive drive range can be equipped with a "Starting lockout" optional module or a "Safety technology I/O" optional module. In this way, IndraDrive is equipped with integrated safety technology, which provides the user with an electronic starting lockout as well as a universally programmable monitor for safety related motion/stopping processes.
"Integrated safety technology" refers to application-related safety functions that are applicable for personal protection on machines in accordance with EN 954 category 3.
The "Starting lockout" optional module provides the following application-related safety function:
- Safety related starting lockout (stop category 0 according to EN 60204-1).
The "Safety technology I/O" optional module provides the following application-related safety functions:
- Safety related standstill (stop category 1 according to EN 60204-1).
- Safety related operational stop (stop category 2 according to EN 60204-1).
- Safety related drive interlock (stop category 1 according to EN 60204-1).
- Safely monitored stopping (for functions "Safety related standstill", "Safety related operational stop", "Safety related drive interlock")
- Safety related reduced speed
- Safety related limited maximum velocity
- Safely monitored acceleration/deceleration ramp (in preparation)
- Safety related limited increment
- Safety related direction of motion
- Safety related limited absolute end position (in preparation)
- Safety related homing (required for "Safety related limited absolute position")
- Safety related limited absolute position (in preparation)
- Safety related diagnostic outputs
- Safety related control of a door locking device
- Safety related brake management (in preparation)
The safety functions can be selected via 24 V inputs on the drive controller.
The safety technology has been tested and certified by an EU prototype test of the SIBE Switzerland certification authority (http://www.sibe.ch) (see "Declaration of Conformity and Mark Certificate").


The integrated safety technology is independent of the kind of master communication, the higher-level control unit and the supply modules. It is available as an optional module for the standard drive system. The following requirements can be implemented in the machine or system:
- Measures according to EN 292-2 if accessing the danger zone is required; for example, for equipping, teaching or material withdrawal.
- Requirements for safety-related parts of control units in accordance with EN 954-1 Category 3, as stipulated in EN 1010-1 (printing and paper processing machines), EN 12415 (turning machines) and EN 12417 (machining centers).
- Control functions in the case of an error according to EN 60204-1 (see "Using Diversity").

2 Safety Instructions for Electric Drives and Controls

2.1 Introduction
WARNING: Dangerous movements! Danger to life, danger of injury, severe bodily injury or property damage!
This documentation is only intended for information. For commissioning the safety technology or carrying out an acceptance test, this documentation is not complete and does not contain all relevant and required data.

Read these instructions before the initial startup of the equipment in order
to eliminate the risk of bodily harm or material damage. Follow these
safety instructions at all times.
Do not attempt to install or start up this equipment without first reading all
documentation provided with the product. Read and understand these
safety instructions and all user documentation of the equipment prior to
working with the equipment at any time. If you do not have the user
documentation for your equipment, contact your local Bosch Rexroth
representative to send this documentation immediately to the person or
persons responsible for the safe operation of this equipment.
If the equipment is resold, rented or transferred or passed on to others,
then these safety instructions must be delivered with the equipment.

WARNING: Improper use of this equipment, failure to follow the safety instructions in this document or tampering with the product, including disabling of safety devices, may result in material damage, bodily harm, electric shock or even death!

2.2 Explanations
The safety instructions describe the following degrees of hazard seriousness. The degree of hazard seriousness indicates the consequences resulting from non-compliance with the safety instructions.

Warning symbol with signal word | Degree of hazard seriousness according to ANSI Z 535
DANGER | Death or severe bodily harm will occur.
WARNING | Death or severe bodily harm may occur.
CAUTION | Bodily harm or material damage may occur.
Fig. 2-1: Hazard classification (according to ANSI Z 535)

2.3 Hazards by Improper Use

DANGER: Dangerous movements! Danger to life, severe bodily harm or material damage by unintentional motor movements!

2.4 General Information
Bosch Rexroth AG is not liable for damages resulting from failure to observe the warnings provided in this documentation.
- Read the operating, maintenance and safety instructions in your language before starting up the machine. If you find that you cannot completely understand the documentation for your product, please ask your supplier to clarify.
- Proper and correct transport, storage, assembly and installation as well as care in operation and maintenance are prerequisites for optimal and safe operation of this equipment.
- Only persons who are trained and qualified for the use and operation of the equipment may work on this equipment or within its proximity.
  The persons are qualified if they have sufficient knowledge of the assembly, installation and operation of the equipment as well as an understanding of all warnings and precautionary measures noted in these instructions.
  Furthermore, they must be trained, instructed and qualified to switch electrical circuits and equipment on and off in accordance with technical safety regulations, to ground them and to mark them according to the requirements of safe work practices. They must have adequate safety equipment and be trained in first aid.
- Only use spare parts and accessories approved by the manufacturer.
- Follow all safety regulations and requirements for the specific application as practiced in the country of use.
- The equipment is designed for installation in industrial machinery.
- The ambient conditions given in the product documentation must be observed.
- Use only safety features and applications that are clearly and explicitly approved in the Project Planning Manual.
  For example, the following areas of use are not permitted: construction cranes, elevators used for people or freight, devices and vehicles to transport people, medical applications, refinery plants, transport of hazardous goods, nuclear applications, applications sensitive to high frequency, mining, food processing, control of protection equipment (also in a machine).


- The information given in the documentation of the product with regard to the use of the delivered components contains only examples of applications and suggestions.
- The machine and installation manufacturer must
  - make sure that the delivered components are suited for his individual application and check the information given in this documentation with regard to the use of the components,
  - make sure that his application complies with the applicable safety regulations and standards and carry out the required measures, modifications and complements.
- Startup of the delivered components is only permitted once it is sure that the machine or installation in which they are installed complies with the national regulations, safety specifications and standards of the application.
- Operation is only permitted if the national EMC regulations for the application are met.
- The instructions for installation in accordance with EMC requirements can be found in the documentation "EMC in Drive and Control Systems".
- The machine or installation manufacturer is responsible for compliance with the limiting values as prescribed in the national regulations.
- Technical data, connections and operational conditions are specified in the product documentation and must be followed at all times.

2.5 Protection Against Dangerous Movements


Dangerous movements can be caused by faulty control of the connected motors. Some common examples are:
- improper or wrong wiring of cable connections
- incorrect operation of the equipment components
- wrong input of parameters before operation
- malfunction of sensors, encoders and monitoring devices
- defective components
- software or firmware errors
Dangerous movements can occur immediately after equipment is switched on or even after an unspecified time of trouble-free operation.
The monitoring in the drive components will normally be sufficient to avoid faulty operation in the connected drives. Regarding personal safety, especially the danger of bodily injury and material damage, this alone cannot be relied upon to ensure complete safety. Until the integrated monitoring functions become effective, it must be assumed in any case that faulty drive movements will occur. The extent of faulty drive movements depends upon the type of control and the state of operation.

DANGER: Dangerous movements! Danger to life, risk of injury, severe bodily harm or material damage!
- Ensure personal safety by means of qualified and tested higher-level monitoring devices or measures integrated in the installation. Unintended machine motion is possible if monitoring devices are disabled, bypassed or not activated.
- Pay attention to unintended machine motion or other malfunction in any mode of operation.
- Keep free and clear of the machine's range of motion and moving parts. Possible measures to prevent people from accidentally entering the machine's range of motion:
  - use safety fences
  - use safety guards
  - use protective coverings
  - install light curtains or light barriers
- Fences and coverings must be strong enough to resist maximum possible momentum, especially if there is a possibility of loose parts flying off.
- Mount the emergency stop switch in the immediate reach of the operator. Verify that the emergency stop works before startup. Don't operate the machine if the emergency stop is not working.
- Isolate the drive power connection by means of an emergency stop circuit or use a starting lockout to prevent unintentional start.
- Make sure that the drives are brought to a safe standstill before accessing or entering the danger zone. Safe standstill can be achieved by switching off the power supply contactor or by safe mechanical locking of moving parts.
- Secure vertical axes against falling or dropping after switching off the motor power by, for example:
  - mechanically securing the vertical axes
  - adding an external braking/arrester/clamping mechanism
  - ensuring sufficient equilibration of the vertical axes
  The standard equipment motor brake or an external brake controlled directly by the drive controller are not sufficient to guarantee personal safety!
- Disconnect electrical power to the equipment using a master switch and secure the switch against reconnection for:
  - maintenance and repair work
  - cleaning of equipment
  - long periods of discontinued equipment use
- Prevent the operation of high-frequency, remote control and radio equipment near electronics circuits and supply leads. If the use of such equipment cannot be avoided, verify the system and the installation for possible malfunctions in all possible positions of normal use before initial startup. If necessary, perform a special electromagnetic compatibility (EMC) test on the installation.

WARNING: Injury and/or property damage caused by deviation from standstill position!
Even if the control of the power section has been safely locked, momentary axis motion, depending on the number of poles of the motor, can be triggered when three errors are occurring simultaneously in the power section with the voltage DC bus being active:
- breakdown of a power semiconductor
- breakdown of another semiconductor
In this case two of six semiconductors are affected in such a way that the motor shaft is aligning.
Example synchronous motor: For a 6-pole synchronous motor the motion can be a maximum of 30 degrees. For a directly driven ballscrew, e.g. 20 mm per revolution, this corresponds to a one-time maximum linear motion of 1.67 mm.
When an asynchronous motor is used, the short circuits in two separate circuits of the power section have almost no effect because the exciter field breaks down when the inverter is shut down and has completely died down after approx. 1 s.

DANGER: Lethal injury and/or property damage caused by coasting motors!
If a danger zone has not been protected by a separating protective device with locking device and if drive enable is removed when the energy supply is interrupted (e.g. actuating E-Stop), axes cannot be safely shut down; i.e. motors are coasting in an uncontrolled way.

3 Important directions for use

3.1 Appropriate use

Introduction
Rexroth products represent state-of-the-art developments and
manufacturing. They are tested prior to delivery to ensure operating safety
and reliability.
The products may only be used in the manner that is defined as
appropriate. If they are used in an inappropriate manner, then situations
can develop that may lead to property damage or injury to personnel.
Note: Bosch Rexroth AG, as manufacturer, is not liable for any damages resulting from inappropriate use. In such cases, the guarantee and the right to payment of damages resulting from inappropriate use are forfeited. The user alone carries all responsibility of the risks.

Before using Rexroth products, make sure that all the pre-requisites for an appropriate use of the products are satisfied:
- Personnel that in any way, shape or form uses our products must first read and understand the relevant safety instructions and be familiar with appropriate use.
- If the product takes the form of hardware, then they must remain in their original state, in other words, no structural changes are permitted. It is not permitted to decompile software products or alter source codes.
- Do not mount damaged or faulty products or use them in operation.
- Make sure that the products have been installed in the manner described in the relevant documentation.

Areas of use and application


Drive controllers made by Rexroth are designed to control electrical motors and monitor their operation.
Control and monitoring of the motors may require additional sensors and actuators.
Note: The drive controllers may only be used with the accessories and parts specified in this document. If a component has not been specifically named, then it may not be either mounted or connected. The same applies to cables and lines. Operation is only permitted in the specified configurations and combinations of components using the software and firmware as specified in the relevant function descriptions.

Every drive controller has to be programmed before starting it up, making it possible for the motor to execute the specific functions of an application.
The drive controllers of the IndraDrive family are designed for use in single or multiple-axis drive and control applications.
To ensure an application-specific use, the drive controllers are available with differing drive power and different interfaces.
Typical applications of drive controllers belonging to the IndraDrive family are:
- handling and mounting systems,
- packaging and foodstuff machines,
- printing and paper processing machines,
- machine tools and
- wood processing machines
The drive controllers may only be operated under the assembly, installation and ambient conditions as described here (temperature, system of protection, humidity, EMC requirements, etc.) and in the position specified.

3.2 Inappropriate use

Using the drive controllers outside of the above-referenced areas of
application or under operating conditions other than described in the
document and the technical data specified is defined as "inappropriate
use".
Drive controllers may not be used if
- they are subject to operating conditions that do not meet the above
specified ambient conditions. This includes, for example, operation
under water, in the case of extreme temperature fluctuations or
extremely high maximum temperatures, or if
- Bosch Rexroth AG has not specifically released them for that
intended purpose. Please note the specifications outlined in the
general safety instructions!

DOK-INDRV*-SI*-VRS**-FK01-EN-P

Safety Technology Fundamentals

4.1 General Information

The operational safety of a machine depends largely upon the extent of
hazardous motions generated by this machine. In Normal mode (also
called Production mode or Automatic mode) of a machine, protective
devices prevent personnel from accessing danger zones. Protective
devices also prevent parts from being ejected outwards.
In the Special mode of machines and installations (also called Manual
mode or Setup mode), it is often necessary for operators to access
danger zones when it is impossible to de-energize the entire installation.
In such situations, machine operators must be protected by mechanisms
internal to the drive and the control unit.
The integrated Rexroth safety technology provides the user, on the
control unit and drive side, with the prerequisites for implementing
functions of personal and machine protection with a minimum of planning
and installation work required. Compared to conventional safety
technology, integrated safety technology considerably increases the
functionality and uptime of the machine.

4.2 Hazard Analysis and Risk Management

Before a machine may be put into circulation, the manufacturer of
the machine has to carry out a hazard analysis according to the
98/37/EWG Machinery Directive in order to determine the hazards
associated with the use of the machine. In order to attain a degree of
safety that is as high as possible, the manufacturer must implement the
following fundamentals, in the order given, in the selection of solutions:
1. eliminate or minimize the hazards due to construction measures,
2. take the required protective measures against hazards that cannot be
eliminated and
3. document the remaining risks and inform the user of these risks.
The hazard analysis is a multilevel, iterative process. The process is
described in detail in EN 1050 [4] Guidelines for risk management.
Within the scope of this documentation, it is possible to provide only a
very short overview of the subject of hazard analysis. The user of
integrated safety technology therefore has to familiarize himself with the
standards and legal status.
The hazard analysis carried out provides the basis for determining the
category for safety-related control units according to EN 954-1, with
which the safety-related parts of the machine control must comply. For
more information about the categories, other than the standard itself, see
the Z document of the Swiss SIBE certification authority
(http://www.sibe.ch or via email to nsbiv@sibe.ch) "Classification of
Controls, Explanations Regarding Risk Management and EN 954-1"
Z9714dVers03.
The safety-related parts of the IndraDrive drive range with the "Integrated
safety technology" option satisfy category 3 of EN 954-1.
The certification of the optional modules "Starting lockout" and "Safety
technology I/O" by the accredited Swiss SIBE certification authority
assures the user that the solution satisfies the technical requirements. In
addition, the safety functions that are implemented in this manner using
the IndraDrive drive range do not have to be scrutinized further.

Columns of the table: Category 1), Short description of requirements,
System behavior 2), Principles for attaining safety.

Category B
Requirements: The safety-related parts of control units and/or their
protective devices, as well as their components, must be designed,
constructed, selected, assembled and combined, according to the
respective standards, in such a way that they can resist the influences
to be expected.
System behavior: An error occurring can cause the safety function to be
lost.
Principles for attaining safety: Predominantly characterized by selection
of components.

Category 1
Requirements: Requirements of category B must be fulfilled. Proved
components and proved safety principles must be used.
System behavior: An error occurring can cause the safety function to be
lost, but it is less probable that an error occurs than in category B.
Principles for attaining safety: Predominantly characterized by selection
of tested components.

Category 2
Requirements: The requirements of B and the use of proved safety
principles must be fulfilled. In appropriate intervals, the safety function
must be checked by the machine control unit. The tests can be started
automatically or manually.
System behavior: An error occurring can cause the safety function to be
lost between the points of time the safety function is checked. The loss
of the safety function is recognized by the check.
Principles for attaining safety: Predominantly characterized by selection
of tested components and by testing the safety functions using the
control.

Category 3
Requirements: The requirements of B and the use of proved safety
principles must be fulfilled. Safety-related parts must be designed in
such a way that a single error in each of those parts does not cause the
safety function to be lost and that single errors are recognized whenever
this can be implemented in an appropriate way.
System behavior: When a single error occurs, the safety function is
always maintained. Some but not all errors are recognized. An
accumulation of unrecognized errors can cause the safety function to be
lost.
Principles for attaining safety: Predominantly characterized by the
structure.

Category 4
Requirements: The requirements of B and the use of proved safety
principles must be fulfilled. Safety-related parts must be designed in
such a way that an individual error in each of those parts does not cause
the safety function to be lost and that the individual error is recognized
at or before the next requirement of the safety function. If this is
impossible, an accumulation of errors mustn't cause the safety function
to be lost.
System behavior: When errors occur, the safety function is always
maintained. The errors are recognized in time in order to prevent the
safety function from being lost. All errors are discovered in time; no
accumulation of undetected errors.
Principles for attaining safety: Predominantly characterized by the
structure.

1): The categories are not destined to be used in any given sequence or
hierarchical order with regard to the safety-related requirements.
2): The risk management will show whether the total or partial loss of the
safety function(s) due to errors can be accepted.

Fig. 4-1: Summary of requirements for safety categories (excerpt from
EN 954-1: 1996, section 6)


4.3 Safety-Relevant Standards and Regulations

The user can find a short overview of the relevant standards for the use of
safety-related control units below. As regards the relevant standards, this
documentation does not claim completeness.

Standards Relevant to Components

Product group    | Standard                   | Title                                                                                     | Date of issue
Electric drives  | prEN 61800-5-2             | Adjustable Speed Electrical Power Drive Systems, Part 5-2: Functional Safety Requirements | 200x
Simple controls  | EN 954-1                   | Safety of Machinery, Safety-Related Parts of Control Systems                              | 1996
Complex controls | IEC 61508-1 to IEC 61508-7 | Functional Safety, Safety Systems                                                         | 1998 to 2000

Fig. 4-2: Standards relevant to components

Standards Relevant to Machines

Standard        | Title                                                                                                    | Date of issue
EN 60204-1      | Safety of Machinery, Electric Equipment of Machines                                                      | 1998
EN 292-1 and -2 | Safety of Machinery, Basic Concepts, General Principles for Design                                       | 2000
EN 1050         | Safety of Machinery, Directives for Risk Management                                                      | 1996
EN 954-1        | Safety of Machinery, Safety-Related Parts of Control Systems                                             | 1996
EN 1921         | Safety of Integrated Manufacturing Systems                                                               | 1996
EN 775          | Manipulating industrial robots: safety                                                                   | 1993
EN 1037         | Safety of Machinery, Prevention of Unexpected Start-Up                                                   | 1995
DIN V VDE 0801  | Principles for Microcomputers in Systems with Safety Applications                                        | 1990
EN 12415        | Machine Tools Safety, Small Numerically Controlled Turning Machines and Turning Centres                  | 2000
EN 12417        | Machine Tools Safety, Machining Centres                                                                  | 2001
EN 1010-1       | Safety of Machinery, Safety Requirements for Construction of Printing and Paper Processing Machines      | 1993
Draft IEC 62061 | Safety of Machinery, Electrical, Electronic and Programmable Electronic Control Systems                  | 200x
prEN 848-3      | Safety of Wood Processing Machines                                                                       | 200x
EN 999          | Safety of Machinery, The positioning of protective equipment in respect of approach speed of parts of the human body | 1998
EN 1088         | Safety of Machinery, Interlocking devices associated with guards - Principles for design and selection   | 1995

Fig. 4-3: Standards relevant to machines

Overview of the Required Safety Categories in C Standards

Below you find an overview of the required safety categories for
safety-related parts of control units in C standards.

Fig. 4-4: Requirements for safety-related control units in C standards
(table; columns: EN 12417 Processing centers, EN 12415 Automatic lathes,
EN 1010 Printing and paper processing machines, EN 775 Industrial robots,
EN 1921 Automated manufacturing systems, prEN 848-3 Wood processing
machines; rows: Enabling control; Speed reduction, incl. protection against
unexpected start-up (n=0); Limitation of end positions; Emergency stop;
Locking of protective equipment. The entries are predominantly
"Category 3"; the other entries that appear are "Category 1 (with
contacts)" together with "Category 3 (electronic)", "acc. to EN 60204-1",
"Category 1 for maintenance doors" and, for prEN 848-3, "Category B and
enabling control device".)

Note: Standards EN 775 and EN 1921 do not contain any direct
reference to EN 954-1; the requirements, however, can be
compared to those of this standard.

4.4 Definition of Terms

Electric drive system
With regard to safety technology, an electric drive system is the total of
hardware and software components that have an influence on the
sequence of motions of the machine. The electric drive system consists,
for example, of drive controllers, plug-in control units, supply modules,
motors and encoders. When errors occur in operation, they are detected
in time and the drive goes to a safe status.

Integrated safety technology
"Integrated safety technology" includes the hardware and software
features that allow safety-relevant drive functions to be made available. A
maximum of safety for persons and machines can therefore be made
available. Integrated safety technology is state-of-the-art for safety-related
control units of category 3 according to EN 954-1 in the field of highly
dynamic drives.

Safety related
In connection with drive functions (e.g. Safety related standstill, Safety
related reduced speed, etc.), "safety related" means that the behavior of
the control unit parts in the case of errors complies with the requirements
according to EN 954-1 category 3. An error does not lead to loss of
safety. Errors must be detected in time; the drive goes to a safe status.

Stopping process
The stopping process is the decrease of motion until standstill is reached.
The process starts when the signal for the stopping process is released
and ends when the motion has come to a standstill.


Standstill
Standstill is the status in which the mechanical component is at rest and
the drive is no longer supplied with energy; it is torque-free or force-free.

Operational stop
Operational stop is the status in which the mechanical component is kept
at rest and the drive is supplied with energy; it is with torque or with force.

Reduced speed
In function "Reduced speed", control-related measures are used to limit
the speed values that have been prescribed manually or using a program.

Safety related reduced speed

The use of the "Safety related reduced speed" measure implies that a
person can escape the danger caused by hazardous motions in time. In
general, this can be supposed if the resulting speed does not exceed
15 m/min in the case of hazardous motions without the danger of bruising
and cutting, and 2 m/min in the case of hazardous motions with the
danger of bruising and cutting.
In accordance with the Machinery Directive (98/37/EG), the machine
manufacturer has to carry out hazard analysis and then risk management.
With these data, the values for reduced velocities have to be determined.
The following list contains guide values for different types of machines
(excerpt from standards and working papers on safety measures for
Special mode). The abbreviation "SS" stands for "Safety related reduced
speed" and abbreviation "SI" stands for "Safety related reduced
increment".
Machining centers
  Axes:    SS=2 m/min + jog switch
  Spindle: SS=nn rpm + jog switch + enabling control device (select
           nn in such a manner that a standstill is attained after 2 rpm)
Automatic lathes
  Axes:    SS=2 m/min + jog switch, SI=6 mm + jog switch
  Spindle: SS=50 rpm (1 rot/s) + jog switch + enabling control device
Drilling and milling machines
  Axes:    SS=2 m/min + jog switch
  Spindle: SS=nn rpm + jog switch + enabling control device (select
           nn in such a manner that a standstill is attained after 2 rpm)
Robots
  SS=15 m/min + jog switch
Automated manufacturing systems
  SS=2 m/min (15 m/min) + jog switch + emergency stop
Printing and paper processing machines
  General:         SI=25 mm + jog switch or
                   SS=5 m/min (max. 10 m/min) + jog switch
  "In particular": SI=75 mm + jog switch or
                   SS=5 m/min (max. 10 m/min) + jog switch

Limited incremental dimension
The limited increment is a change in position; it starts in standstill, a
specified distance/angle is traveled and it ends in standstill.

Limited absolute position
The limited absolute position is the absolute position at which a motion
must have come to standstill.

Jog switch
The jog switch is a control device that requires continuous activation of
the control element in order to enable motion. The jog switch is a
command switch with automatic reset.

Enabling control
The enabling control is an additional manually activated command device.
It is used in connection with a start control (jog switch) which requires
continuous activation to permit movement.
The enabling control is a command switch with automatic reset. An
enabling control can be a command device with 2 or 3 positions; the
command system with 3 positions is preferable.

Separating protective device (EN 292-1)
A separating protective device is the part of a machine that is used as a
kind of physical barrier for protecting people. Depending on its design, the
separating protective device can be a housing, a cover, a screen, a door,
a shell, etc.

Locked separating protective device with locking device (EN 292-1)
The locked separating protective device with locking device guarantees
that:
- the hazardous machine functions against which the protective
equipment provides protection can be executed only when the
protective equipment is closed and locked,
- the separating protective device remains closed and locked, even if a
stop command was activated, until the risk of injury caused by
hazardous machine functions is past, and
- the endangering machine functions, with the protective device closed
and locked, can be carried out but are not activated just by closing the
separating protective device.

Operating mode switch
The operating mode switch determines the operating mode relevant for
safe operation, such as:
- Normal mode (Production mode, Automatic mode, etc.) and
- Special mode (Manual mode, tool or workpiece changing and cleaning
procedure, as long as movement is required)
The selected kind of control has to be on a higher level than all other
control functions except for the one for the emergency command device.
The operating mode switch can be replaced by other means of selection
which allow only certain groups of operators to carry out certain machine
functions (e.g. access code for certain numerical control functions etc.).
Each position of the operating mode switch may correspond to only one
control or operating mode. (For details, see Machinery Directive
98/37/EG, Appendix I, Section 1.2.5.)

Stop categories according to EN 60204-1
- Category 0: Stopping by immediately switching off the power to the
drives.
- Category 1: Controlled stopping, whereby the power to the drives is
continued in order to achieve stopping. The power is interrupted only
after the standstill has been attained.
- Category 2: Controlled stopping where the power to the drives is
continued.

Drive System with Safety Related Starting Lockout

5.1 General Information

Optional module "Starting lockout" has 24 V inputs for selection using two
channels and a potential-free changeover contact (all 3 connections
accessible) for dual-channel feedback.

Note: For the connection conditions and the technical data of the
optional module, please see the Project Planning Manual for
the controller.

5.2 Safety Function

The safety function is implemented for personal protection in accordance
with EN 954 category 3.

Safety Related Starting Lockout

The "Safety related starting lockout" corresponds to stop category 0
according to EN 60204-1.
In the "Safety related starting lockout" safety function, the power supply to
the drive is safely interrupted. The drive cannot produce any torque/force
and therefore any hazardous movements. It is selected via two channels,
either with a break-contact/make-contact combination or a
break-contact/break-contact combination.
When the starting lockout is active, "AS" is shown on the display of the
IndraDrive controller operating panel.

Note: Before selecting the starting lockout, the drive system must be
brought to a standstill using the command value selection!

DANGER: Lethal injuries and/or damage to material caused by
unintended axis motion!
If external force influences are to be expected with the "Safety related
starting lockout" safety function, e.g. in the case of a vertical axis, this
motion has to be safely prevented by additional measures, e.g. a
mechanical brake or weight compensation.

5.3 Forced Dynamization

The goal of forced dynamization is to detect static error conditions,
so-called "sleeping errors", during selection and in the interrupting circuits.
Both the control section in standard design and the option "starting
lockout" have their own interrupting circuits.

Note: Manual dynamization is required after switching on the drive
system and within e.g. 8 hours (activate the starting lockout).

After the drive control is started, a life counter starts. The life counter is
reset each time that the starting lockout is selected. When the life counter
expires, a warning requesting that forced dynamization be carried out
(activate the starting lockout) is sent to the higher-level control.
P-0-0103, Time interval of forced dynamization can be used to set the
time interval for the life counter. When the time interval is exceeded, the
drive generates warning E3110 Time interval for forced dynamization
exceeded.
The operating hours of the power section for which the "starting lockout"
function was selected the last time are saved in parameter P-0-0102,
Oper. hours power section at last activat. of start. lockout.
A history of the time intervals set by the user in P-0-0103, Time interval
for forced dynamization is stored in parameter P-0-0104, Change
history time interval of forced dynamization.
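The life-counter logic described above, as an added model that is not Rexroth firmware and not code from this manual: it keeps the counter, the stored hours of the last activation and the change history, and raises the warning when the interval is exceeded. The parameter and warning names (P-0-0102, P-0-0103, P-0-0104, E3110) come from the page; the class and method names, and the use of power-section operating hours as the counter's time base, are assumptions of this example.

```python
"""Model of the forced-dynamization life counter (section 5.3).

Added illustration, not Rexroth firmware. Names of parameters and the
warning are taken from the page; the class itself, its methods and the
choice of power-section operating hours as time base are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

E3110 = "E3110 Time interval for forced dynamization exceeded"


@dataclass
class ForcedDynamizationMonitor:
    # P-0-0103, Time interval of forced dynamization (hours)
    interval_hours: float
    # operating hours of the power section (assumed running counter)
    power_section_hours: float = 0.0
    # P-0-0102, Oper. hours power section at last activation of starting lockout
    last_lockout_hours: Optional[float] = None
    # P-0-0104, Change history time interval of forced dynamization
    interval_history: List[float] = field(default_factory=list)
    # hours value at which the life counter was last (re)started
    counter_start_hours: float = 0.0
    warning: Optional[str] = None

    def __post_init__(self) -> None:
        # The life counter starts when the drive control is started, so a
        # dynamization is due within one interval after switch-on.
        self.counter_start_hours = self.power_section_hours
        self.interval_history.append(self.interval_hours)

    def set_interval(self, hours: float) -> None:
        """Change P-0-0103 and record the change in P-0-0104."""
        if hours <= 0:
            raise ValueError("interval must be positive")
        self.interval_hours = hours
        self.interval_history.append(hours)

    def select_starting_lockout(self) -> None:
        """Selecting the starting lockout is the forced dynamization: the
        life counter is reset and the current hours are stored in P-0-0102."""
        self.last_lockout_hours = self.power_section_hours
        self.counter_start_hours = self.power_section_hours
        self.warning = None

    def life_counter(self) -> float:
        """Hours elapsed since switch-on or since the last starting lockout."""
        return self.power_section_hours - self.counter_start_hours

    def run(self, hours: float) -> Optional[str]:
        """Advance the operating hours; return the active warning, if any."""
        self.power_section_hours += hours
        if self.life_counter() > self.interval_hours:
            self.warning = E3110
        return self.warning


if __name__ == "__main__":
    monitor = ForcedDynamizationMonitor(interval_hours=8.0)
    print(monitor.run(5.0))               # None: still within the interval
    monitor.select_starting_lockout()     # manual dynamization performed
    print(monitor.run(8.5))               # warning: interval exceeded again
    print(monitor.last_lockout_hours, monitor.interval_history)
```

The warning is latched until the next selection of the starting lockout clears it, which mirrors the page's description that selecting the lockout resets the life counter.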

5.4 Command Value Selection Requirements

Note: Before selecting the starting lockout, the drive system must be
brought to a standstill using the command value selection!

The "Safety related starting lockout" corresponds to stop category 0
according to EN 60204-1.
If the starting lockout is selected at the same time that the drive is
enabled, the drive generates error F8027 Starting lockout while drive
enabled.

5.5 Selecting the Starting Lockout

The starting lockout is selected using two channels, either with a switch
with two break contacts or one break/make contact on each 9-pin D-Sub
plug on the optional module.
Selection using break contacts or break/make contacts can be configured
in parameter P-0-0101, Configuration for starting lockout selector.
The plausibility of the selection signals is checked by the firmware. If the
state is not permitted, the drive generates error F3130 Error when
checking input signals.
- One channel from the switch can be guided via the PLC I/O; the second
channel should then be connected directly to the safety technology
optional module.
- Both channels from the switch can be guided via I/Os of a safety related
PLC.
- Both channels can be guided via the safety contacts of a door monitoring
module. A potential-free contact is available for the feedback to the
monitoring module.
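The two-channel plausibility check described in this section, as an added example that is neither Rexroth firmware nor code from this manual. It evaluates the two selection channels under both configurations of P-0-0101 (break/break and break/make), lets either channel alone demand the lockout (the safe direction), and reports F3130 when the channels disagree for longer than a tolerance. The configuration and error names are from the page; the assignment of the break contact to channel 1, the discrepancy tolerance in cycles, the acknowledgement handling and the class itself are assumptions.

```python
"""Two-channel plausibility check for the starting-lockout selection
(section 5.5).

Added example, not Rexroth firmware. P-0-0101 and F3130 are named on the
page; the channel-to-contact assignment, the discrepancy tolerance and the
class itself are assumptions of this example.
"""
from enum import Enum
from typing import List, Tuple


class SelectorConfig(Enum):
    """P-0-0101, Configuration for starting lockout selector."""
    BREAK_BREAK = "break-contact/break-contact"
    BREAK_MAKE = "break-contact/make-contact"


class LockoutState(Enum):
    NOT_SELECTED = "drive may be enabled"
    SELECTED = "AS"            # power supply interrupted, display shows "AS"
    INPUT_ERROR = "F3130 Error when checking input signals"


class StartingLockoutSelector:
    def __init__(self, config: SelectorConfig, max_discrepancy_cycles: int = 3) -> None:
        self.config = config
        # Cycles during which the channels may disagree, e.g. because the two
        # contacts of one switch do not change over at the same instant.
        # Assumed tolerance: the page does not state one.
        self.max_discrepancy_cycles = max_discrepancy_cycles
        self.discrepancy_cycles = 0
        self.state = LockoutState.NOT_SELECTED

    def _demands(self, ch1_24v: bool, ch2_24v: bool) -> Tuple[bool, bool]:
        """Translate voltage levels into 'this channel demands the lockout'."""
        # Channel 1 is assumed to be wired through a break contact: it opens
        # (0 V) when the lockout is selected, so a wire break also selects it.
        demand1 = not ch1_24v
        if self.config is SelectorConfig.BREAK_BREAK:
            demand2 = not ch2_24v          # second break contact, same polarity
        else:
            demand2 = ch2_24v              # make contact closes (24 V) when selected
        return demand1, demand2

    def evaluate(self, ch1_24v: bool, ch2_24v: bool) -> LockoutState:
        """Evaluate one input cycle; True means 24 V is present at the channel."""
        if self.state is LockoutState.INPUT_ERROR:
            return self.state              # error is latched until acknowledged
        demand1, demand2 = self._demands(ch1_24v, ch2_24v)
        if demand1 != demand2:
            self.discrepancy_cycles += 1
            if self.discrepancy_cycles > self.max_discrepancy_cycles:
                self.state = LockoutState.INPUT_ERROR
            else:
                # One channel demanding the lockout is enough to remove power.
                self.state = LockoutState.SELECTED
            return self.state
        self.discrepancy_cycles = 0
        self.state = LockoutState.SELECTED if demand1 else LockoutState.NOT_SELECTED
        return self.state

    def acknowledge(self) -> None:
        """Clear a latched F3130 (assumed acknowledgement handling)."""
        self.discrepancy_cycles = 0
        self.state = LockoutState.NOT_SELECTED


def simulate(config: SelectorConfig, samples: List[Tuple[bool, bool]]) -> List[LockoutState]:
    """Run a constructed sequence of (channel 1, channel 2) levels."""
    selector = StartingLockoutSelector(config)
    return [selector.evaluate(ch1, ch2) for ch1, ch2 in samples]


if __name__ == "__main__":
    # Constructed samples: switch operated with channel 2 one cycle late,
    # then channel 2 stuck at 24 V (e.g. welded contact) while channel 1 opens.
    for state in simulate(SelectorConfig.BREAK_BREAK,
                          [(True, True), (False, True), (False, False), (True, True)]):
        print(state.value)
    for state in simulate(SelectorConfig.BREAK_BREAK, [(False, True)] * 5):
        print(state.value)
```

Note that a standard PLC in both channels would feed this check from a single processing path, which is why the page rules that wiring out for category 3: the check can only detect a fault that affects one channel differently from the other.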

Note: For applications of category 3 according to EN 954-1, guiding
both channels via a standard PLC is not permitted!

5.6 Examples of Application
Fig. 5-1: Selecting the starting lockout using switches with break/make
contacts (drawing DF0048v3.EPS; shows the 24 V / 0 V supply with fuse
F1*, the switch contacts S1 and S2, the control section terminals 24 VE,
0 VE, AS-A, AS-B, ASn, ASQ, ASQ1 and ASQ2, and channel 1 and
channel 2 to the power section). For information about F1*, see switch
contacts S1/S2.

Fig. 5-2: Selecting the starting lockout using switches with two break
contacts (drawing DF0049v3.EPS; shows the +24 V / 0 V supply with fuse
F1*, the switch contacts S1 and S2, the control section terminals 24 VE,
0 VE, AS-A, AS-B, ASn, ASQ, ASQ1 and ASQ2, and channel 1 and
channel 2 to the power section). For information about F1*, see switch
contacts S1/S2.

Fig. 5-3: Selecting the starting lockout using a safety module (drawing
DF0050v2.EPS; shows a monitoring module with cross connection
detection between Ch1 and Ch2 and a feedback loop, fuse F1*, the
control section terminals 24 VE, 0 VE, AS-A, AS-B, ASn, ASQ, ASQ1 and
ASQ2, and channel 1 and channel 2 to the power section). For
information about F1*, see switch contacts of safety module.

Note: According to EN 954-1, the signal processing of a standard
PLC must be viewed as having one channel; therefore, the
following wiring is not permitted!

Fig. 5-4: Selecting the starting lockout using a standard PLC (negative
example) (drawing DF0051v2.EPS; shows both channels AS-A and AS-B
driven from the outputs of one PLC, with the control section terminals
24 VE, 0 VE, AS, ASn, ASQ, ASQ1 and ASQ2 and channel 1 and
channel 2 to the power section).

Fig. 5-5: Selecting the starting lockout using switches with break/make
contacts and standard PLC (drawing DF0052v2.EPS; shows one channel
routed through the PLC inputs and outputs and the other connected
directly, with fuse F1*, the control section terminals 24 VE, 0 VE, AS,
AS-A, AS-B, ASn, ASQ, ASQ1 and ASQ2, and channel 1 and channel 2 to
the power section). For information about F1*, see switch contacts of
starting lockout.

Drive System with Integrated Safety Functions

6.1 Basic Structure

The IndraDrive drive system (axis / spindle / roller) is made up of the
components control section, power section and motor.
IndraDrive provides "integrated safety technology" using the interaction of
hardware and software components.
Fig. 6-1: Schematic diagram of IndraDrive with integrated safety technology
(drawing DF0015v2.EPS; shows the control section with two I/O channels,
channel 1 with processor A and channel 2 with processor B, for selection
and feedback of safety related functions and for processing and error
reaction; channel 1 and channel 2 lead to the power section, where the
safety related action takes effect; the "Safety related function active"
signal is shown as output).

Note: All motors with 1Vss signal-equipped encoders that are
supported by the encoder interface can be used for integrated
safety technology.
All motors with resolvers that are supported by the encoder
interface can be used for integrated safety technology.
Encoders with a TTL interface cannot be used for integrated
safety technology.
Encoders with only a serial interface cannot be used for
integrated safety technology.

In order for integrated safety technology to be used, one "Safety
technology I/O" optional module per axis, combined with software
components (firmware parts in the drive), is necessary.

Note: For the connection conditions and the technical data of the
optional module, please see the Project Planning Manual for
the control section.

Fields of application

Typical fields of application of the IndraDrive system are:
- handling and mounting systems
- packaging and food processing machines
- printing and paper converting machines
- machine tools
- wood processing machines

Comparison with Conventional Safety Technology

A drive and control system with integrated safety technology differs from
systems with conventional safety technology by the fact that the safety
functions are directly integrated in the intelligent drives as hardware and
software. This increases the functionality in all operating modes with a
maximum of safety (short reaction times).
The following components of conventional safety technology are not
included in drive and control systems with integrated safety technology:
- motor standstill monitor for monitoring the safety related standstill
- speed monitor for monitoring safety related reduced speeds
- power contactors between controllers and motors
- limit switch or position cam for detection of range

Note: The integrated safety technology is not destined to replace
conventional safety technology, such as emergency stop
switching devices and safety door monitors.

Using integrated safety technology increases the available personnel and
machine safety because the total reaction time of the system in the case
of an error event, for example, is considerably reduced with regard to
comparable systems with conventional safety technology. The safety
signals are transferred using conventional wiring in a high diversity of
designs. Master communication (SERCOS interface, PROFIBUS, CAN,
etc.) can be used to transfer a channel.


6.2 Overview of Safety Functions

Application-related safety functions are implemented for personal
protection in accordance with EN 954-1 category 3.

Note: When selecting a safety function, the drive system is to be
brought to the corresponding state using command value
selection.

Safety functions can be classified into 3 groups:
1. "Safety related stopping process" safety functions:
   - safety related standstill,
   - safety related operational stop and
   - safety related drive interlock
   Note: The functions "safety related standstill", "safety related
   operational stop" and "safety related drive interlock" contain
   safely monitored shutdown.
2. "Movement with safety related speed" safety functions:
   - safety related limited maximum velocity,
   - safety related reduced speed,
   - safety related direction of motion,
   - safety related limited increment,
   - safety related limited absolute position and
   - safety related homing procedure
3. "Safety related feedback" safety functions:
   - safety related diagnostic outputs and
   - safety related control of a door locking device


"Safety Related Stopping Process" Safety Functions

Safety Related Standstill

"Safety related standstill" corresponds to stop category 1 according to
EN 60204-1.
A programmable time (P-0-3220) is available for the transfer to the safe
state. The power supply to the drive is interrupted (two channels) when
this time elapses (at the latest). If the standstill is attained before the time
elapses, i.e. the speed is within the standstill window (P-0-3233), the
selected safety function goes into effect.
The drive cannot produce any torque/force and therefore any hazardous
movements. No monitors are active in "Safety related standstill".
When the stop is active, "SH" is shown on the display of the IndraDrive
controller control panel.

Note: The "Safety related standstill" function is deselected by
actuating an enabling control!

DANGER: Lethal injury and/or property damage caused by
unintended axis motion!
If external force influences are to be expected in the
"Safety related standstill" safety function, e.g. in the
case of a vertical axis, this motion has to be safely
prevented by additional measures, e.g. a mechanical
brake or weight compensation.

Safety Related Operational Stop

"Safety related operational stop" corresponds to stop category 2
according to EN 60204-1.
For specific applications, it is necessary to stop the drive system at a
natural point in the production process.
A programmable time (P-0-3220) is available for the transfer to the safe
state. After the time elapses, the standstill monitor is activated, i.e. the
drive comes to a standstill. However, the power supply is not interrupted;
all control functions between the electronic control and the drive are
retained.
In the case of the "Safety related operational stop" safety function, a
dual-channel monitor prevents the drive from carrying out hazardous
motions due to errors.
When the operational stop is active, "SBH" is shown on the display of the
IndraDrive controller control panel.
Activation of a monitor triggers an error reaction that brings the drive
system to a standstill. The corresponding error message is F7030 Pos.
window for safety rel. operational stop exceeded.
The allowed deviations from the standstill position (P-0-3230) are
password-protected and cannot be changed by unauthorized external
intervention. After removing the safety related operational stop, e.g. by
closing a protective device and executing the start command, the working
motion of a drive can be immediately continued at the point of
interruption.

Note: The "Safety related operational stop" function is deselected by
actuating an enabling control!


Safety Related Drive Interlock

"Safety related drive interlock" corresponds to stop category 1 according
to EN 60204-1.
Safety function "Safety related drive interlock" corresponds to "Safety
related standstill"; however, it is not revoked by actuating an enabling
control.
When the drive interlock is active, "ASP" is shown on the display of the
IndraDrive controller control panel.
It is used, for example, in spindle drives when manually changing tools
and in handling axes for manual movement.

Note: Function "Safety related drive interlock" can also be selected
in normal operation, depending on the model.

DANGER: Lethal injury and/or property damage caused by
unintended axis motion!
If external force influences are to be expected for the
"Safety related starting lockout" safety function, e.g.
in the case of a vertical axis, this motion has to be
safely prevented by additional measures, e.g. a
mechanical brake or weight compensation.

WARNING: Injury and/or property damage caused by
unintended axis motion!
A short circuit in each of two separate circuits of the
power section can provoke momentary axis motion
depending on the number of poles of the motor.
Example synchronous motor: For a 6-pole synchronous
motor the motion can be a maximum of 30 degrees. For
a directly driven ballscrew, e.g. 20 mm per revolution, this
corresponds to a one-time maximum linear motion of
1.67 mm.
When an asynchronous motor is used, the short circuits
in two separate circuits of the power section have almost
no effect because the exciter field breaks down when the
inverter is shut down and has completely died down after
approx. 1 s.


Safely Monitored Shutdown

Safety related standstill and safety related drive interlock
The transition to safety related standstill or to safety related drive interlock can alternatively be controlled by the drive or the control unit (parameterized via P-0-3210, Safety technology control word).
The shutdown is monitored against a time limit by each channel.
After the stopping process (P-0-3233, Velocity threshold for safety related stopping process) the selected safety function takes effect.
With P-0-3220, Tolerance time transition from normal operation the time for transition from normal operation to the completed stopping process has to be determined. If this time is exceeded, the error message F7050 Time for stopping process exceeded is generated.
With P-0-3225, Tolerance time transition from safety rel. oper. the time for transition from special mode "motion with safety related speed" to the completed stopping process has to be determined. If this time is exceeded, the error message F7050 Time for stopping process exceeded is generated.

Safety related operational stop
The transition to safety related operational stop is controlled by the control unit.
After the time for transition from normal operation to the completed stopping process is over (P-0-3220, Tolerance time transition from normal operation) the monitoring window for the position reached after the stopping process takes effect (P-0-3230, Monitoring window for safety related operational stop).
After the time for transition from special mode "motion with safety related speed" to the completed stopping process is over (P-0-3225, Tolerance time transition from safety rel. oper.) the monitoring window for the position reached after the stopping process takes effect (P-0-3230, Monitoring window for safety related operational stop).
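The following Python model is an added example and is not part of the Rexroth documentation or firmware. It shows how one monitoring channel evaluates the safely monitored stopping process described above: the stopping process counts as completed once the velocity falls below the P-0-3233 threshold, F7050 is raised if that takes longer than P-0-3220 (from normal operation) or P-0-3225 (from "motion with safety related speed"), and for an operational stop (SOS) the P-0-3230 position window is watched afterwards (F7030). The parameter names are taken from the page; the units, the sample traces and the exact firmware behaviour (in particular that standstill and drive interlock are modelled as torque-free and without a position window) are assumptions of this model.

```python
"""Added example (not Rexroth code): a model of the safely monitored stopping
process. Parameter names follow the page; units (ms, user units) and the exact
firmware behaviour are assumptions of this model."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SafetyParams:
    p3220_tolerance_normal_ms: int = 500    # P-0-3220, transition from normal operation
    p3225_tolerance_special_ms: int = 200   # P-0-3225, transition from safety rel. operation
    p3233_velocity_threshold: float = 0.5   # P-0-3233, "stopping process completed" below this
    p3230_sos_window: float = 0.01          # P-0-3230, position window for SOS


@dataclass
class Sample:
    t_ms: int
    position: float
    velocity: float


class StopMonitor:
    """One monitoring channel; the drive runs two of these independently."""

    def __init__(self, params: SafetyParams, target: str, from_special_mode: bool = False,
                 t_select_ms: int = 0):
        self.params = params
        self.target = target               # "SS" (standstill), "ASP" (drive interlock) or "SOS"
        self.tolerance_ms = (params.p3225_tolerance_special_ms if from_special_mode
                             else params.p3220_tolerance_normal_ms)
        self.t_select_ms = t_select_ms
        self.stopped = False
        self.standstill_pos: Optional[float] = None
        self.error: Optional[str] = None

    def step(self, s: Sample) -> Optional[str]:
        if self.error:
            return self.error
        if not self.stopped:
            if abs(s.velocity) <= self.params.p3233_velocity_threshold:
                self.stopped = True                       # stopping process completed
                self.standstill_pos = s.position          # reference for the SOS window
            elif s.t_ms - self.t_select_ms > self.tolerance_ms:
                self.error = "F7050"                      # time for stopping process exceeded
        elif self.target == "SOS":
            # SOS keeps the control loops active and watches the position window.
            # SS/ASP are torque-free and carry no position window in this model, which
            # is why the DANGER notes demand a brake or weight compensation (assumption).
            if abs(s.position - self.standstill_pos) > self.params.p3230_sos_window:
                self.error = "F7030"                      # SOS position window exceeded
        return self.error

    def state(self) -> str:
        if self.error:
            return self.error
        return self.target if self.stopped else "STOPPING"


def run(params: SafetyParams, target: str, samples: List[Sample],
        from_special_mode: bool = False) -> Tuple[str, Optional[str]]:
    """Feed a trace through one channel; return (final state, error or None)."""
    m = StopMonitor(params, target, from_special_mode)
    for s in samples:
        m.step(s)
    return m.state(), m.error


PARAMS = SafetyParams()

# Constructed traces (one sample every 50 ms; velocity in user units/s).
GOOD_STOP = [Sample(t, 1.0, max(0.0, 10.0 - 0.04 * t)) for t in range(0, 400, 50)]
SLOW_STOP = [Sample(t, 1.0, 3.0) for t in range(0, 601, 50)]          # never reaches threshold
SOS_DRIFT = [Sample(t, 1.0 if t < 300 else 1.05, max(0.0, 10.0 - 0.04 * t))
             for t in range(0, 400, 50)]                              # stops, then is pushed 0.05
```

Running the same pushed-after-standstill trace against "SS" and "SOS" makes the difference between the two stopping functions visible: only the operational stop reports F7030, the torque-free standstill relies on the external measures named in the DANGER note.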

Safety Related Homing Procedure (via Two Channels)

Brief Description
Note: The function "safety related homing procedure" has to be carried out before selecting the safety function "safety related limited absolute position"!

The function "safety related homing procedure" is a homing procedure with an additional cam/switch for safely determining the reference position.

Functional Features
The function has the following features:
• The function is selected via 2 inputs:
  - the reference cam input at the drive controller and
  - an input at the optional safety technology module.
  The home switch consists of an N/C-N/O combination, the N/O controlling the standard input at the drive controller.
• The position data reference is established via two channels by the commands
  S-0-0148, C0600 Drive-controlled homing procedure command
  or
  P-0-3228, C4000 Homing procedure command channel 2.
• For absolute measuring systems the homing procedure has to be carried out, too; only the input at the optional module is to be assigned. The reference cam can be replaced by a manually operated switch with which the correct absolute position is confirmed.

Pertinent Parameters

The following parameters are used in conjunction with the function "safety related homing procedure":
• P-0-3228, C4000 Homing procedure command channel 2
• S-0-0148, C0600 Drive-controlled homing procedure command
• P-0-3210, Safety technology control word
• P-0-3213, Safety technology status
• P-0-3231, Safety related reference position channel 2
• P-0-3229, Tolerance window for safety related homing procedure
• S-0-0147, Homing parameter
• S-0-0052, Reference distance 1
• S-0-0051, Position feedback 1 value
• S-0-0053, Position feedback 2 value
• P-0-3280, Actual position value, channel 2
• P-0-3240, Control word for safety related motion 1
• P-0-3250, Control word for safety related motion 2
• P-0-3260, Control word for safety related motion 3
• P-0-3270, Control word for safety related motion 4

Pertinent Diagnostic Messages

In conjunction with the function "safety related homing procedure", the diagnostic message C4001 Error during safety related homing procedure is used.

Operating Principle
There are two options of starting the safety related homing procedure via two channels:
• By directly writing "11" to parameter P-0-3228, C4000 Homing procedure command channel 2.
  Note: In order that the parameterized reference event is fulfilled (cf. P-0-3210, Safety technology control word), an NC-controlled motion has to be carried out, because the drive does not carry out an automatic motion when the command P-0-3228, C4000 Homing procedure command channel 2 is executed.
• Automatically at the start of command S-0-0148, C0600 Drive-controlled homing procedure command in conjunction with the parameterized function "safety related limited absolute position". (The command S-0-0148, C0600 Drive-controlled homing procedure command at the beginning also starts the command P-0-3228, C4000 Homing procedure command channel 2, which then runs in parallel.)
  Note: It is assumed in this case that the home switch of channel 2 was mechanically mounted in such a way that it is actuated with the travel motion to be expected or during the concluding positioning.


Safety Function "Movement with Safety Related Speed"


Safety Related Limited Maximum Velocity
In the case of the "Safety related limited maximum velocity" safety
function, a dual-channel monitor prevents the drive from exceeding the
prescribed speed limit value (P-0-3234).
Activation of a monitor triggers an error reaction that brings the drive
system to a standstill. The corresponding error message is F7020 Safety
related maximum velocity exceeded.
The velocity limit value is password-protected and cannot be changed by
unauthorized external intervention. This monitor is active in every
operating mode.


Safety Related Reduced Speed

A programmable time (P-0-3220) is available for the transition to the safe state. After the time elapses, the speed monitor is activated.
In the case of the "Safety related reduced speed" safety function, a dual-channel monitor prevents the drive from exceeding the prescribed speed limit values (P-0-3244, P-0-3254, P-0-3264, P-0-3274).
When the movement monitor is active, "SBB" is shown on the display of the IndraDrive controller control panel.
Activation of a monitor triggers an error reaction that brings the drive system to a standstill. The corresponding error message is F7013 Velocity threshold exceeded.
The velocity limit values are password-protected and cannot be changed by unauthorized external intervention.
Movement is enabled by actuating an enabling control. The activation time of the enabling control is monitored (P-0-3222); it is adjustable. If the activation time is exceeded, error message F3142 Time for acknowledgment exceeded is generated.
Note: Two additional safety switches (S1, S2) can be used to select up to four parameter sets.

Safely Monitored Acceleration/Deceleration Ramp

Note: This function is in preparation for FWA-INDRV*-MPH-03!

Safety Related Direction of Motion

The "Safety related direction of motion" safety function guarantees that movement is possible in only one direction. In addition, a safely reduced speed is active.
A programmable time (P-0-3220) is available for the transition to the safe state. After the time elapses, the speed monitor and the monitor of the direction of movement are activated (dual-channel monitoring).
Activation of a monitor triggers an error reaction that brings the drive system to a standstill. The corresponding error message is F7031 Incorrect direction of motion.
The speed limit values (P-0-3244, P-0-3254, P-0-3264, P-0-3274), the direction of movement specified in the control word (P-0-3240, P-0-3250, P-0-3260, P-0-3270) and a standstill window (P-0-3232) for the non-enabled direction of movement are password-protected and cannot be changed by unauthorized external intervention.
Movement is enabled by actuating an enabling control. The activation time of the enabling control is monitored (P-0-3222); it is adjustable.


Safety Related Limited Increment

In the case of the "Safety related limited increment" safety function, a dual-channel monitor prevents the drive from moving by more than a maximum increment. In addition, a safely reduced speed is active.
Activation of a monitor triggers an error reaction that brings the drive system to a standstill. The corresponding error message is F7010 Safety related limited increment exceeded.
The speed limit values (P-0-3244, P-0-3254, P-0-3264, P-0-3274) and the limit values (+/-) for the maximum increment (P-0-3243, P-0-3253, P-0-3263, P-0-3273) are password-protected and cannot be changed by unauthorized external intervention.
Movement is started by actuating an enabling control. The activation time is monitored (P-0-3222); it is adjustable.
Within the window (maximum increment), movement can be carried out in small steps in both directions while the enabling control device is pressed.
Note: Two additional safety switches (S1, S2) can be used to select up to four parameter sets.

Safety Related Limited Absolute Position

In the case of the "Safety related limited absolute position" safety function, a dual-channel monitor prevents the drive from moving beyond the prescribed absolute position limit values (+/-). In addition, a safely reduced speed is active.
The limit values (+/-) for the absolute position and the safely reduced speed are password-protected and cannot be changed by unauthorized external intervention.
Movement is started by actuating an enabling control. The activation time is monitored; it is adjustable.
Note: "Safety related homing" must be executed before selecting the "Safety related limited absolute position" safety function.
Note: One additional safety switch (S1) can be used to select up to two parameter sets.
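The following Python model is an added example and is not part of the Rexroth documentation or firmware. It combines, in one monitoring channel, the "movement with safety related speed" functions described in the preceding sections: the limited maximum velocity (P-0-3234, F7020, active in every mode), the reduced speed of the selected parameter set (P-0-3244, F7013), the direction of motion with its standstill window for the non-enabled direction (P-0-3240 / P-0-3232, F7031), the limited increment (P-0-3243, F7010), the limited absolute position, and the activation time of the enabling control (P-0-3222, F3142). The parameter names and error codes are taken from the page; the window semantics, the units, the sample traces and the two diagnostics NOT_HOMED and ABS_POS_LIMIT (which the page does not name) are assumptions of this model.

```python
"""Added example (not Rexroth code): one monitoring channel for the "movement with
safety related speed" functions. Parameter names follow the page; window
semantics, units and the two non-page diagnostics NOT_HOMED and ABS_POS_LIMIT
are assumptions of this model."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MotionSet:
    """One of the up to four parameter sets selectable via safety switches S1/S2."""
    speed_limit: float                                # P-0-3244 / 3254 / 3264 / 3274
    direction: int = 0                                # from P-0-3240 / ...: +1, -1, 0 = both
    max_increment: Optional[float] = None             # P-0-3243 / ...: +/- window from start
    abs_limits: Optional[Tuple[float, float]] = None  # limited absolute position (min, max)


@dataclass
class Sample:
    t_ms: int
    position: float
    velocity: float
    enabling: bool          # enabling control pressed (one channel shown)


class MotionMonitor:
    def __init__(self, pset: MotionSet, p3234: float, p3232: float, p3222_ms: int, homed: bool):
        self.pset = pset
        self.p3234 = p3234                  # safety related limited maximum velocity
        self.p3232 = p3232                  # standstill window for the non-enabled direction
        self.p3222_ms = p3222_ms            # max. activation time of the enabling control
        self.homed = homed                  # safety related homing (C4000) done
        self.error: Optional[str] = None
        self.enable_since: Optional[int] = None
        self.start_pos: Optional[float] = None
        self.dir_ref: Optional[float] = None

    def _fail(self, code: str) -> str:
        self.error = code
        return code

    def step(self, s: Sample) -> Optional[str]:
        if self.error:
            return self.error
        if abs(s.velocity) > self.p3234:      # active in every operating mode
            return self._fail("F7020")
        if not s.enabling:
            # Releasing the enabling control ends the motion window; the stopping
            # functions (not modelled here) take over.
            self.enable_since = self.start_pos = self.dir_ref = None
            return None
        if self.enable_since is None:
            self.enable_since = s.t_ms
            self.start_pos = self.dir_ref = s.position
        elif s.t_ms - self.enable_since > self.p3222_ms:
            return self._fail("F3142")        # time for acknowledgment exceeded
        if abs(s.velocity) > self.pset.speed_limit:
            return self._fail("F7013")        # velocity threshold exceeded
        if self.pset.direction:
            # Ratchet: the reference follows motion in the enabled direction; motion
            # against it by more than the standstill window is an error.
            if (s.position - self.dir_ref) * self.pset.direction >= 0:
                self.dir_ref = s.position
            elif abs(s.position - self.dir_ref) > self.p3232:
                return self._fail("F7031")    # incorrect direction of motion
        if (self.pset.max_increment is not None
                and abs(s.position - self.start_pos) > self.pset.max_increment):
            return self._fail("F7010")        # limited increment exceeded
        if self.pset.abs_limits is not None:
            if not self.homed:
                return self._fail("NOT_HOMED")      # assumed name: homing required first
            lo, hi = self.pset.abs_limits
            if not lo <= s.position <= hi:
                return self._fail("ABS_POS_LIMIT")  # assumed name: absolute limit violated
        return None


def run_trace(mon: MotionMonitor, samples: List[Sample]) -> str:
    for s in samples:
        mon.step(s)
    return mon.error or "OK"


SET1 = MotionSet(speed_limit=2.0, direction=+1, max_increment=5.0, abs_limits=(0.0, 100.0))


def new_monitor(homed: bool = True) -> MotionMonitor:
    return MotionMonitor(SET1, p3234=20.0, p3232=0.1, p3222_ms=3000, homed=homed)


def trace(positions: List[float], velocity: float, enabling: bool = True,
          dt: int = 100) -> List[Sample]:
    """Constructed trace: one sample every dt ms with a constant reported velocity."""
    return [Sample(i * dt, p, velocity, enabling) for i, p in enumerate(positions)]


JOG_OK = trace([0.0, 0.1, 0.2, 0.3, 0.4], velocity=1.0)
TOO_FAST = trace([0.0, 0.3, 0.6], velocity=3.0)
WRONG_WAY = trace([1.0, 0.9, 0.8], velocity=-1.0)
TOO_FAR = trace([0.0, 1.5, 3.0, 4.5, 6.0], velocity=1.5)
PAST_LIMIT = trace([99.0, 100.5], velocity=1.0)
HELD_TOO_LONG = trace([0.0] * 40, velocity=0.0)
RUNAWAY = trace([0.0, 2.5], velocity=25.0, enabling=False)
```

The checks are ordered so that the monitor active in every mode (F7020) is evaluated before anything that depends on the enabling control, and the absolute position monitor refuses to run at all until the safety related homing has been executed, matching the notes above.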

Safety Related Limited Absolute End Position

Note: This function is in preparation for FWA-INDRV*-MPH-03!

Safety Related Brake Management

Note: This function is in preparation for FWA-INDRV*-MPH-03!

"Safety Related Feedback" Safety Functions


Safety Related Diagnostic Outputs
Using safety related diagnostic outputs, "safely detected states" are
transmitted from the drive to other system components (e.g. activation of
safety relays, safety PLC) in order to initiate, from these system
components, a reaction to the process.


Safety Related Control of a Door Locking Device

A diagnostic master that detects the safe state of several axes within a protection zone can be activated in a drive controller; this also ensures that the safety door remains shut.
In safety function "Safety related control of a door locking device", two channels are used to ensure that a locked separating protective device remains shut until all of the axes in this zone are in a safe state. The position of the door is also monitored.
Note: Monitoring the position of the locked separating protective device is still required.

6.3 I/O Reaction Times


[Figure 6-2 (DF000093v02_en.EPS): signal chain from selection to reaction. Stages shown: selection; selection input filter (10 ms); transfer; inspection of channel states (P-0-3221, 2 ms); time for transition from normal operation (P-0-3220); safety related status; safety related technology function / monitoring active (P-0-32xx). Further stage times shown: 2 ms, 1 ms, 1 ms, 1 ms. System control default error reaction: F3xxx with best possible deceleration, F7xxx with fastest possible deceleration.]

Fig. 6-2: I/O reaction times

6.4 Functional Principle of Integrated Safety Technology


In a standard drive, the axis / spindle / roller is moved according to the command values of the control. In this case, incorrect drive motion can be caused by operating errors, incorrect installation in the system, defects in components or materials, or failures in the system. Incorrect drive motion, even if the errors occur only for a short time and occasionally, can endanger persons standing in the danger zone of the drive motion.
Therefore, measures that limit the effects of errors on the drive motion to a minimum must be undertaken. The remaining risk of danger to persons is then considerably reduced.
During operation, the safety functions are monitored by the drive system. To do this, three principles for discovering sleeping errors were realized in the system:
• dual-channel data processing with diverse structure
• cross comparison of the safety-relevant data
• dynamization of static states
These measures guarantee that a single error cannot cause the safety functions to be lost.
The degree to which this is sufficient for an existing system or machine is to be determined by the manufacturer of the system or machine using a hazard analysis according to Annex I of Directive 98/37/EC.


Dual-Channel Structure
All safety-relevant data are transmitted and processed by two independent channels. The basic control unit in the drive represents the first monitoring channel, the control system on the optional module represents the second channel.

[Figure 6-3 (DF0016v2.EPS): schematic diagram of the dual-channel structure. Channel 1: selection via I1..4 into the drive control, which reads the encoder system, drives the power section and uses I10 / O10 as its input / output. Channel 2: selection via I1..4n into the safety technology optional module, which uses I/O10n as its input / output. Drive control and optional module are linked by the cross data comparison.]

Fig. 6-3: Schematic diagram of the dual-channel structure

Note: The inputs and outputs of channel 1 are symbolically designated with "I1 to I4", "O10" and "I10". The purpose of these symbols is to illustrate the interaction with the corresponding inputs and outputs of the second channel. The physical inputs and outputs of channel 1 can be specified for various hardware layouts (see Fig. 6-7: Directly activating both channels on the drive controller and Fig. 6-8: Directly and indirectly activating the channels on the drive controller). The physical inputs and outputs of channel 2 are present on the "I/O safety technology" optional module.


Cross Data Comparison

The respective monitoring functions for realizing the safety functions are processed independently in the basic control unit and in the safety module. To make sure these functions use correct (identical) limit values, a cross data comparison is required. If a deviation of the monitored parameters is detected in one of the two channels, this causes the respective error reaction and the drive system goes to the safe status.

Cyclic cross data comparison
Cross data comparison is started with the "initialization" of the drive control. As soon as the operating mode has been reached, cyclic cross data comparison starts. If safety parameters of one or both channels are not identical during operation and if the power is on, the stopping process of the axis/axes is initiated.

Additional cross data comparison
When one or more safety functions are also activated, an additional cross data comparison is carried out using the selection.

Errors detected by cross data comparison
The following errors are detected by cross data comparison:
• safety function activated on only one system
• wrong safety function activated
• different monitoring parameters used
• safety function does not work (life counter)
• accidental hardware errors
• accidental software errors
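The following Python model is an added example and is not part of the Rexroth documentation or firmware. It shows a cross data comparison between channel 1 (drive control section) and channel 2 (safety technology optional module) that classifies a mismatch into the six error classes listed above; any finding sends the axis into the stopping process. The record exchanged per cycle, the diverse "monitor result" used to expose a software error, the finding texts and the sample parameter values are assumptions of this model.

```python
"""Added example (not Rexroth code): cross data comparison between channel 1
(drive control section) and channel 2 (safety technology optional module). The
record layout, the diverse monitor_result and the finding texts are assumptions;
the error classes are the ones listed in the text."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ChannelRecord:
    """What one channel hands over per cycle for the comparison."""
    selection: Dict[str, bool]        # selected safety functions, e.g. {"SS": False, "SRS1": True}
    safety_params: Dict[str, float]   # P-0-32xx values as held by this channel
    life_counter: int                 # advanced every cycle by a working channel
    hw_selftest_ok: bool = True       # result of the channel's own hardware test
    monitor_result: float = 0.0       # e.g. the velocity limit the channel computed to apply


@dataclass
class CrossComparator:
    last_counter: Dict[str, int] = field(default_factory=lambda: {"ch1": -1, "ch2": -1})

    def compare(self, ch1: ChannelRecord, ch2: ChannelRecord) -> List[str]:
        findings: List[str] = []
        active1 = {k for k, v in ch1.selection.items() if v}
        active2 = {k for k, v in ch2.selection.items() if v}
        if active1 != active2:
            if active1 and active2 and not (active1 & active2):
                findings.append("wrong safety function activated: ch1=%s ch2=%s"
                                % (sorted(active1), sorted(active2)))
            else:
                findings.append("safety function activated on only one channel: %s"
                                % sorted(active1 ^ active2))
        for p in sorted(set(ch1.safety_params) | set(ch2.safety_params)):
            if ch1.safety_params.get(p) != ch2.safety_params.get(p):
                findings.append("different monitoring parameters used: %s" % p)
        for name, rec in (("ch1", ch1), ("ch2", ch2)):
            if rec.life_counter <= self.last_counter[name]:
                findings.append("life counter of %s not advancing" % name)
            self.last_counter[name] = rec.life_counter
            if not rec.hw_selftest_ok:
                findings.append("hardware error reported by %s" % name)
        if ch1.monitor_result != ch2.monitor_result:
            # Diverse implementations must agree; a divergence points at a software error.
            findings.append("diverse monitor results differ (software error)")
        return findings


def cycle(comp: CrossComparator, ch1: ChannelRecord, ch2: ChannelRecord) -> Tuple[str, List[str]]:
    """One comparison cycle: any finding sends the axis into the stopping process."""
    findings = comp.compare(ch1, ch2)
    return ("SAFE_STATE" if findings else "RUN"), findings


# Constructed data for the demonstration.
PARAMS = {"P-0-3220": 500.0, "P-0-3230": 0.01, "P-0-3244": 2.0}


def record(counter: int, ss: bool = False, srs1: bool = True,
           params: Dict[str, float] = PARAMS, hw_ok: bool = True,
           result: float = 2.0) -> ChannelRecord:
    return ChannelRecord({"SS": ss, "SRS1": srs1}, dict(params), counter, hw_ok, result)
```

The life counter check only works across cycles, which is why the comparator keeps the last counter value per channel: a channel that stops executing keeps delivering the same, previously valid record, and only the stale counter reveals it.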


Dynamization
The purpose of dynamization is to detect static error conditions, so-called "sleeping errors", in the safety-relevant circuits. Dynamization occurs automatically at specified intervals; the user does not notice this.

Dynamization of the inputs
A safety function is selected using a break contact / make contact combination so that one channel of a safety function is always selected (the function is activated/deactivated by switching over).
Within the drive, the active channel (make contact) is cyclically checked.
A safety master automatically carries out dynamization (via A30) for all activated inputs.
The dynamization is synchronized via E30.

[Figure 6-4 (DF0044v1.EPS): dynamization of the interrupting circuits. Safety technology functions 1 and 2 each feed I1 (channel 1) and I1n (channel 2) of axes 1 to 3; the channel 2 module of axis 1 acts as master and the channel 2 modules of axes 2 and 3 as slaves, all linked via I/O30.]

Fig. 6-4: Dynamization of the interrupting circuits

Dynamization of the inputs via I/O
Both the control section in standard design and the optional module "safety technology I/O" have their own interrupting circuits.
Within the drive, the activation of an interrupting circuit is cyclically checked.
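The following Python model is an added example and is not part of the Rexroth documentation or firmware. It shows why the break contact / make contact combination and the dynamization described above are both needed: the antivalent pair (I1 on channel 1, I1n on channel 2) exposes an open wire as a channel discrepancy, but a contact shorted to +24 V looks perfectly healthy for as long as the switch is actuated. Only the periodic test pulse, which removes the contact supply for one cycle, reveals that sleeping error. The test pulse via the I/O30 line, the discrepancy time and the fault labels are assumptions of this model.

```python
"""Added example (not Rexroth code): dynamization of one antivalent dual-channel
selection input. I1 (channel 1, make contact / N/O) and I1n (channel 2, break
contact / N/C) belong to one operating element; the test pulse on I/O30 and the
discrepancy-time handling are assumptions about the firmware."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Contact:
    closed: bool
    fault: Optional[str] = None   # None, "stuck_high" (short to +24 V) or "stuck_low" (open wire)

    def read(self, supply_24v: bool) -> bool:
        """Level seen at the drive input for the given contact supply."""
        if self.fault == "stuck_high":
            return True               # 24 V regardless of contact position and test pulse
        if self.fault == "stuck_low":
            return False
        return supply_24v and self.closed


@dataclass
class SelectionSwitch:
    """Mechanically linked N/O-N/C pair: exactly one contact is closed at a time."""
    make: Contact   # I1  (channel 1)
    brk: Contact    # I1n (channel 2)

    def actuate(self, selected: bool) -> None:
        self.make.closed = selected
        self.brk.closed = not selected


class InputEvaluator:
    def __init__(self, test_period: int = 8, discrepancy_cycles: int = 2):
        self.test_period = test_period            # every n-th cycle is a dynamization pulse
        self.discrepancy_cycles = discrepancy_cycles
        self.discrepant_for = 0
        self.cycle_no = 0

    def cycle(self, sw: SelectionSwitch, dynamization: bool = True) -> Tuple[str, Optional[str]]:
        """Evaluate one cycle; returns (selection state, detected fault or None)."""
        self.cycle_no += 1
        test_pulse = dynamization and self.cycle_no % self.test_period == 0
        supply = not test_pulse                   # I/O30 removes the contact supply during the pulse
        i1, i1n = sw.make.read(supply), sw.brk.read(supply)
        if test_pulse:
            # With the supply removed no healthy contact can deliver 24 V; a channel that
            # still reads high is shorted to +24 V, a sleeping error the static levels hide.
            if i1:
                return "TEST", "I1 stuck high (short to +24 V)"
            if i1n:
                return "TEST", "I1n stuck high (short to +24 V)"
            return "TEST", None
        if i1 == i1n:
            # Both channels equal is only allowed briefly while the switch changes over.
            self.discrepant_for += 1
            if self.discrepant_for > self.discrepancy_cycles:
                return "ERROR", "channel discrepancy (both %s)" % ("high" if i1 else "low")
            return "SWITCHING", None
        self.discrepant_for = 0
        return ("SELECTED" if i1 else "DESELECTED"), None


def run_cycles(ev: InputEvaluator, sw: SelectionSwitch, n: int,
               dynamization: bool = True) -> Tuple[str, Optional[str]]:
    """Run n cycles; return the last non-test state and the first fault detected."""
    state, fault = "DESELECTED", None
    for _ in range(n):
        state_now, fault_now = ev.cycle(sw, dynamization)
        if state_now != "TEST":
            state = state_now
        if fault is None and fault_now:
            fault = fault_now
    return state, fault


def healthy_switch(selected: bool) -> SelectionSwitch:
    sw = SelectionSwitch(Contact(False), Contact(True))
    sw.actuate(selected)
    return sw
```

Run with dynamization switched off, the shorted make contact is reported as a valid selection for the whole run; the same fault is caught at the first test pulse when dynamization is on, and would otherwise only surface as a discrepancy once the operator releases the switch.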

6.5 Demands on the Controls

The control must be aware of the operating modes (normal operation / special mode) as well as of their safety functions.
It ensures that the drive is interpolated within the prescribed time and
within the limits prescribed by the safety functions.
To do this, the control must be able to recognize the selection of a safety
function so that it can react at any time to a switchover to safety related
operation (e.g. read P-0-3215, Selected safety technology mode from
the drive). For online monitoring of the safety technology states the binary
status signals provided by P-0-3213, Safety technology status can be
read by the control unit.
The transition to safety related standstill, to safety related drive interlock
and to safety related operational stop can alternatively be controlled by
the drive or the control unit (parameterized via P-0-3210, Safety
technology control word).


The transition to the safety related stopping process in the case of an error takes place according to the settings in parameters P-0-0117, Activation of NC reaction on error and P-0-0119, Best possible deceleration.
Note: The control must react to the selection of a safety function with the corresponding command value selection!

6.6 Activating the Safety Functions


Safety functions are always selected using two channels.
Configurable combinations of safety functions, corresponding to the four available dual-channel inputs, can be selected using a break contact / make contact combination.
To select the first channel, a choice of four 24 V inputs
• on the basic device,
• on a control that guides them to the drive via the master communication or
• on an I/O extension
is to be allocated.
Four 24 V inputs are available on the optional module to select the second channel.
The assignment of the inputs for selection is implemented by means of the DriveTop commissioning software.
Operating mode "Normal mode" or "Special mode" can be selected using the operating mode selection switch. In Special mode, an enabling control can be used to switch between the safety functions for stopping and for movement.
The following status diagram illustrates how the three states can be selected using the two actuating mechanisms.

[Figure 6-5 (DC0003v1.EPS): status diagram with the three states "Normal mode", "Special mode stopping process" and "Special mode motion". The transitions are labelled "Operating mode selection switch" (between Normal mode and Special mode stopping process), "Enabling control" (between Special mode stopping process and Special mode motion) and "Operating mode selection switch + enabling control" (between Normal mode and Special mode motion).]

Fig. 6-5: Status diagram

"Safety related standstill" or "Safety related operational stop" can be configured in "Stopping special mode", depending on the application (selection using the operating mode selection switch).


A "Safety related reduced speed" and/or a "Safety related limited increment" can be configured in "Movement special mode", depending on the application (selection using the enabling control in Special mode).
Note: If the enabling control is activated in Normal mode, the reduction of the command value selection can be effective. By switching to Special mode, the drive-internal monitors for safe movement are activated.

In the figure above, 2 dual-channel inputs are assigned (operating mode selection switch and enabling control). Of the 4 available dual-channel inputs, 2 are still free. These can be used, for example, to switch between the parameters for "Safety related reduced speed" via the process; in this manner, up to 4 different parameter sets can be selected.
A parameter set for "Safety related reduced speed" makes it possible to simultaneously activate a monitor of the movement direction and/or a monitor of the absolute position.
A parameter set for "Safety related limited increment" makes it possible to simultaneously activate a monitor of the movement direction and/or a monitor of the absolute position.
Note: "Safety related homing" must be executed before selecting "Safety related limited absolute position". "Safety related homing" requires an input on the optional module. Then one input is still available, for example to switch two instead of four parameter sets for "Safety related reduced speed".

Fig. 6-6: Control elements for selecting/deselecting safety related functions

Abbreviations used in Fig. 6-6 and in the following table:
NM:  Normal mode
SM:  Special mode
SS:  Safety related standstill (no torque)
SOS: Safety related operational stop (control loops are active)
SRS: Safety related reduced speed
SA:  Safely monitored acceleration/deceleration ramp
SD:  Safety related direction of motion
SI:  Safety related limited increment
SP:  Safety related limited absolute position
SBM: Safety related brake management
(no entry): Input for control element is not queried
-:   No input for control element available (max. 4 inputs)

The following table shows sensible combinations of safety function selections.

[Table DL0001v2.EPS, "Combinations of safety function selections". Columns: operating mode selection switch, enabling control, safety switch 1, safety switch 2, home switch, drive interlock, and the resulting safety related functions. Rows: Normal mode (NM) with "Safety related limited max. speed" and "Safety related limited abs. end position"; Special mode with SS or SOS stopping process ("Safely monitored stopping for SS / SOS", "SOS + SBM"); Special mode with motion, selecting SRS1 + SA1 + SD1 + SI1, SRS2 + SA2 + SD2 + SI2, SRS1 + SA1 + SD1 + SI1 + SP1, SRS2 + SA2 + SD2 + SI2 + SP2, SRS3 + SA3 + SD3 + SI3 or SRS4 + SA4 + SD4 + SI4 via the positions of safety switches 1 and 2, with the home switch queried for the variants containing SP; Drive interlock ("Safely monitored stopping for drive interlock").]

Combinations of safety function selections


There are two possibilities for activating the safety functions:

[Figure 6-7 (DF0015v2.EPS): selection of safety functions via 24 V inputs on the drive controller. Selection and feedback of the safety related functions enter the control section as I/O channel 1 (processor A) and I/O channel 2 (processor B); processing and error reaction take place there and both channels act on the power section ("Safety related function active").]

Fig. 6-7: Directly activating both channels on the drive controller

[Figure 6-8 (DF0017v1.EPS): selection of safety functions via the master communication (e.g. SERCOS interface). Channel 1 is selected by the control over SERCOS and processed by processor A in the control section; channel 2 is selected via the I/O of the drive and processed by processor B; both channels act on the power section ("Safety technology active").]

->: Channel 1 is indirectly activated via the master communication interface of the control unit (CNC; PLC)
->: Channel 2 is directly activated via the input interface of the drive controller
Fig. 6-8: Directly and indirectly activating the channels on the drive controller

Note: Selection on the optional module is made using a D-SUB plug connection.

6.7 Feedback, Status (Safe/Unsafe) to Peripherals


Safety-relevant feedback always takes place using two channels (EN 954-1, category 3). Feedback for diagnostic purposes can take place using one channel.
For the feedback of the first channel, either a 24 V output
• on the basic device or
• on a control that receives it from the drive via the master communication
is to be allocated.
A 24 V driver or a relay contact is available on the optional module for the feedback of the second channel (one side of the relay contact is internally set to 0 V).


Safe Feedback to a Safety PLC

[Figure 6-9 (DA0002v4.EPS): safe status message to a safety PLC. Output O10 of the control section (channel 1) and I/O10n of the "Safety technology I/O" optional module (channel 2) are both wired to inputs (In) of the PLC.]

Channel 1: O10 (control section)
Channel 2: I/O10n (O10, 24 V driver is active on "Safety technology I/O" optional module)
Fig. 6-9: Safe status message to a safety PLC

Note: The two outputs O10 and I/O10n work inversely!


Safety Related Control of a Door Locking Device

DANGER
Lethal injury caused by axes / spindles coasting due to an error!
Provide an interlocked protective device with locking device that only allows unlocking the protective device when the stopping process has been completed (see EN 1088).
If the protective device is unlocked without the stopping process having been completed, coasting has to be prevented by additional measures [e.g. by using a motor holding brake (to be used only in case of an emergency), an emergency bleeder or a service brake] or the protective device has to be positioned in such a way that spindles / axes have stopped before they can be reached (EN 999).

A diagnosis master can be activated to control a door locking device.


The diagnosis master recognizes the "Safety related status" of its own
drive, as well as of other drives that are interconnected using cable I/O20.
The "safe status" is reported via a shared status output. This output is a
dual-channel output (O10/O10n). O10n switches internally to 0 V.
The activation is monitored internally by I10n. To monitor the locking
device, a second input (I10) must be allocated on the basic device or on a
control that guides this input to the drive via the master communication.

[Figure 6-10 (DA0001v5.EPS): activation of a door locking device. Channel 1: O10 of the control section, supplied from +24 V. Channel 2: I/O10n of the "Safety technology I/O" optional module, whose relay contact switches to 0 V. The locking device is read back via I10; the optional module is connected via I/O20 to further axes of the same danger zone.]

Channel 1: O10 (control section)
Channel 2: I/O10n (24 V input and driver for relay contact are active on "Safety technology I/O" optional module)
Fig. 6-10: Activation of a door locking device


The axes report the attainment of the safety related status and permit the safety master to activate the safety status output (O10/O10n), e.g. for a door locking device.
Note: In the case of an encoder error in a drive, it is impossible to report a safe status. If the safety status is used to directly activate a safety door, manual safety door unlocking has to be operated in the respective axis (see P-0-3218, Manually unlocking the safety door).

All axes of a hazard zone must be interconnected via I/O20 using a bus.
Note: This application cannot recognize the status of an axis that is equipped with optional module "Starting lockout". If optional modules "Starting lockout" and "Safety technology I/O" are used in a shared hazard zone, the magnet responsible for locking must be activated using relay contact ASQ/ASQ1 of the starting lockout!
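The following Python model is an added example and is not part of the Rexroth documentation or firmware. It covers the two feedback applications of sections 6.7 and above in one piece of code: the two-channel evaluation of an axis' safe status from its inverse outputs O10 and I/O10n (with a discrepancy time for the case that the channels disagree), and a diagnosis master that permits unlocking the door only when every axis of the hazard zone reports the safe state, refuses an axis with an encoder error unless manual unlocking (P-0-3218) has been operated for it, monitors the door position, and rejects axes with the "Starting lockout" module because their status is not visible on I/O20. The polarity (safe = O10 at 24 V and I/O10n at 0 V), the discrepancy time and the record format are assumptions; the page only states that the two outputs work inversely.

```python
"""Added example (not Rexroth code): two-channel evaluation of the safe status
feedback (O10 / I/O10n) and the diagnosis master for a door locking device.
Assumptions: an axis in the safe state drives O10 to 24 V and I/O10n to 0 V;
discrepancy time, the I/O20 record format and the module check are modelled,
not taken from the firmware."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AxisStatus:
    name: str
    o10: bool                          # channel 1, control section output (True = 24 V)
    io10n: bool                        # channel 2, "Safety technology I/O" module (inverted)
    encoder_error: bool = False
    manual_unlock_p3218: bool = False  # P-0-3218, manually unlocking the safety door
    module: str = "safety_io"          # "safety_io" or "starting_lockout"


def axis_is_safe(a: AxisStatus) -> Optional[bool]:
    """True = safe, False = not safe, None = the two channels disagree."""
    if a.encoder_error:
        return False                   # an axis with an encoder error cannot report safe
    if a.o10 and not a.io10n:
        return True
    if not a.o10 and a.io10n:
        return False
    return None                        # both high or both low: single-channel fault


def zone_is_supported(axes: List[AxisStatus]) -> bool:
    """Only axes with the "Safety technology I/O" module report on the I/O20 bus."""
    return all(a.module == "safety_io" for a in axes)


@dataclass
class DiagnosisMaster:
    axes: List[AxisStatus]             # own axis plus the others on the I/O20 bus of the zone
    discrepancy_cycles: int = 3
    _discrepant: int = 0

    def evaluate(self, door_closed_i10: bool) -> Dict[str, object]:
        if not zone_is_supported(self.axes):
            raise ValueError("starting lockout axes must lock via relay contact ASQ/ASQ1")
        verdicts = {a.name: axis_is_safe(a) for a in self.axes}
        # A disagreeing pair is tolerated for the discrepancy time, then it is a fault.
        self._discrepant = self._discrepant + 1 if None in verdicts.values() else 0
        fault = self._discrepant > self.discrepancy_cycles
        blocked = [n for n, v in verdicts.items() if v is not True]
        manual = [a.name for a in self.axes if a.encoder_error and a.manual_unlock_p3218]
        unlock = not fault and all(n in manual for n in blocked)
        return {
            "unlock": unlock,
            "O10": unlock, "O10n": not unlock,       # dual-channel, inverse status output
            "fault": fault,
            "blocked_by": blocked,
            # the door position is monitored too: open while it must stay locked is a violation
            "door_violation": (not door_closed_i10) and not unlock,
        }
```

A safety PLC reading O10 and I/O10n uses the same antivalence rule as axis_is_safe: "safe" is only accepted when channel 1 is high and channel 2 is low, any other combination is either a switch-over in progress or a single-channel fault.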

6.8 Examples of Application

Overall View
Functionality and connections for integrated safety technology on the IndraDrive drive controller

[Figure 6-11 (DF0034v7.EPS): overall view. Control elements per drive, configurable for the inputs I1..I4 (channel 1) and I1n..I4n (channel 2): operating mode selection switch, enabling control, safety switch 1, safety switch 2 / home switch (home switch connection, REF, required for safety related absolute position), switch for drive interlock; channel 1 can alternatively be selected via the master communication interface (1) from the NC/PLC superordinate control. Combination of safety functions, configurable using parameters: safety related motion = safety related reduced speed + safety related direction of rotation + safety related limited absolute position, or safety related limited increment + safety related direction of rotation + safety related limited absolute position; safety related stopping process = safety related standstill or safety related operational stop or safety related drive interlock. Further connections: I/O, sequence and pulse can be configured; input/output acknowledgement; dynamization via I/O30; I/O20 to further axes of the same danger zone; safety related feedback via O10 and I/O10 with acknowledgement on the PLC (alternative 1) or activation of a door locking device via O10/O10n and I10/I10n between +24 V and 0 V (alternative 2).]

1: Alternatively, channel 1 can be selected using the master communication.
I1, ... , I4: Channel 1 for selection and reference input
I1n, ... , I4n: Channel 2 for selection and reference input (inverted)
Fig. 6-11: Overall view

Note: A maximum of 4 safety functions can be selected on the inputs: I1 to I4 for channel 1 and I1n to I4n for channel 2. Parameters are used for the configuration.

Selecting Normal/Special Mode with Position Monitoring of a Safety Door with Door Locking Device

[Figure DF0035v5.EPS, block diagram: IndraDrive control section and power section. The operating mode selection switch (Normal mode (NM) / Special mode), e.g. from the machine control panel via PLC, is evaluated on channel 1 (I1, Special mode) and channel 2 (I1n, Special mode_n) by a monitoring module with cross connection detection between Ch1 and Ch2; forced dynamization via I/O30 (channel 2). Safety related control of a door locking device, category 3: locking device, position switch 1 and position switch 2 (open/closed), connections O10 (channel 1), I10 and I/O10n (channel 2), +24 V / 0 V. Safety related standstill, category 3. Demands of controls: NC program run enablement and NC command value limitation.]

Fig. 6-12: Single-channel operating mode selection switch with position monitoring of a safety door with door locking device

[Figure DF0079v2.EPS, block diagram: as in Fig. 6-12, but with a dual-channel operation mode selection switch (NM)/(SM) whose contacts Ch1 and Ch2 go to I1 (Special mode, channel 1) and I1n (Special mode_n, channel 2); monitoring module with cross connection detection between Ch 1 and Ch 2; forced dynamization via I/O30 (channel 2). Safety related control of a door locking device, category 3 (locking device, position switches 1 and 2 open/closed, O10, I10, I/O10n, +24 V / 0 V). Safety related standstill, category 3. Demands of controls: NC program run enablement and NC command value limitation.]

Fig. 6-13: Dual-channel operating mode selection switch with position monitoring of a safety door with door locking device

Enabling Control with Three Settings

[Figure DF0037v3.EPS, block diagram: IndraDrive control section and power section. Enabling control with three settings (1, 2, 3) and pressure point, signal states "Enabling" and "No enabling", connected to I2 (channel 1) and I2n (channel 2); forced dynamization via I/O30 (channel 2). Safety related motion, category 3.]

Fig. 6-14: Enabling control with three settings

Command Device with Automatic Reset (Safety Related Jog Button)

According to EN 12417, a dual-channel jog button, with a corresponding
evaluation according to category 3, is permissible without an enabling
control.
Note:

Possible command devices for starting a safely monitored movement according to Table 2, parag. 14.1.1 of EN 12417 "Safety of Machines, Machining Centers":
- single-channel jog button (+/- direction) combined with a
dual-channel enabling control. Enabling controls are controlled
according to category 3 of EN 954-1.
- single-channel preselection switch (+/- direction) combined
with a dual-channel enabling control. The enabling control
device is simultaneously the jog button. Enabling controls are
controlled according to category 3 of EN 954-1.
- dual-channel jog button (+/- direction). The jog switch is
controlled according to category 3 of EN 954-1.


Temporary Inspections or Visual Checks in the Danger Zone


If "Safety related operational stop" is selected in Special mode, a
workpiece check can be carried out in the processing area / danger zone,
for example.

[Figure DF0036v6.EPS, block diagram: IndraDrive control section and power section; position monitoring of the safety door with locking device (see extra illustration). Operating mode selection switch (NM), e.g. from the machine control panel via PLC, Ch1 to I1 (Special mode, channel 1) and Ch2 to I1n (Special mode_n, channel 2); monitoring module with cross connection detection between Ch1 and Ch2; forced dynamization via I/O30 (channel 2). Normal mode / Special mode; demands of controls: NC program run enablement, block command value (0 m/min). Safety related operational stop, category 3.]

Fig. 6-15: Safety related operational stop; the drive is monitored for standstill.

In Special mode, movement for a visual inspection in the processing area / danger zone can be executed by actuating the enabling control (selecting Safety related reduced speed) and using the movement command.

[Figure DF0038v6.EPS, block diagram: IndraDrive control section, power section and motor M; position monitoring of the safety door with locking device (see extra illustration). Operation mode selection switch (NM), e.g. from the machine control panel via PLC, Ch1 to I1 (Special mode, channel 1) and Ch2 to I1n (Special mode_n, channel 2); monitoring module with cross connection detection between Ch1 and Ch2; forced dynamization via I/O30 (channel 2). Enabling control (EC, simplified representation): Enabling to I2 (channel 1), Enabling_n to I2n (channel 2). Demands of controls: in Normal mode the command value input is blocked (0 m/min); in Special mode the effect of EC is to enable the command value input and to limit it (<2 m/min) for the jog command value. Safe operational stop, category 3; safety related reduced speed, category 3.]

Fig. 6-16: Safety related operational stop / Safety related reduced speed; the drive is monitored for standstill/movement

Working When Drive is without Torque/Force

If, for example, tools are to be changed manually, function "Drive
interlock" must be activated (separate switch in addition to the operating
mode selection switch and the enabling control); in this way, it is possible
to manually move the shaft using the tool spindle.
The power supply to the drive is interrupted safely. No standstill monitor is
active. The drive interlock cannot be disabled by actuating the enabling
control.

[Figure DF0039v6.EPS, block diagram: IndraDrive control section, power section and motor M; position monitoring of the safety door with locking device (see extra illustration). Operating mode selection switch (NM), e.g. from the machine control panel via PLC, Ch1 to I1 (Special mode, channel 1) and Ch2 to I1n (Special mode_n, channel 2); monitoring module with cross connection detection between Ch1 and Ch2; forced dynamization via I/O30 (channel 2). Enabling control (EC, simplified representation): Enabling to I2 (channel 1), Enabling_n to I2n (channel 2); effect of EC: enable command value input, limit command value input (<2 m/min) for the jog command value; in Normal mode the command value input is blocked (0 m/min). Drive interlock switch: Drive interlock to I3 (channel 1), Drive interlock_n to I3n (channel 2), command value input blocked (0 m/min). Safety related standstill, category 3; safety related reduced speed, category 3; safety related drive interlock, category 3.]

Fig. 6-17: Safety related drive interlock; the power supply to the drive is interrupted.

[Figure DF0040v6.EPS, block diagram: IndraDrive control section, power section and motor M; position monitoring of the safety door with locking device (see extra illustration). Operating mode selection switch (NM), e.g. from the machine control panel via PLC, Ch1 to I1 (Special mode, channel 1) and Ch2 to I1n (Special mode_n, channel 2); monitoring module with cross connection detection between Ch1 and Ch2; forced dynamization via I/O30 (channel 2). Enabling control (EC, simplified representation): Enabling to I2 (channel 1), Enabling_n to I2n (channel 2); effect of EC: enable command value input, limit command value input (<2 m/min) for the jog command value; in Normal mode the command value input is blocked (0 m/min). Safety switch S1 for selection of speed jogging or increment jogging (switching of monitoring from speed to increment): Safety related limited increment to I3 (channel 1), Safety related limited increment_n to I3n (channel 2). Safety related stopping process, category 3; safety related reduced speed / limited increment, category 3.]

Fig. 6-18: Safety related speed or Safety related limited increment; the drive is monitored for speed/stop or increment/stop

[Figure DF0041v6.EPS, block diagram: IndraDrive control section, power section and motor M; position monitoring of the safety door with locking device (see extra illustration). Operating mode selection switch (NM), e.g. from the machine control panel via PLC, Ch1 to I1 (Special mode, channel 1) and Ch2 to I1n (Special mode_n, channel 2); monitoring module with cross connection detection between Ch 1 and Ch 2; forced dynamization via I/O30 (channel 2). Safety related jog button, category 3: Enabling to I2 (channel 1), Enabling_n to I2n (channel 2), jog cmd. value in + direction and in - direction; effect of enabling: enable command value input, limit command value input (safety rel. red. speed); in Normal mode the command value input is blocked (0 m/min). Safety related operational stop, category 3.]

Fig. 6-19: Command device with automatic reset (safety related jog button)

Note:

For information about the safety related jog keys, please see
"Command Device with Automatic Reset (Safety Related Jog
Button)".


Drive Groups for Different Danger Zones

The following figure shows two processing areas in one machine. Each of these processing areas forms a separate danger zone.
The operating status is as follows:
- Danger zone A is in Normal mode with drives A1, A2 and A3. The access door is closed.
- Danger zone B is in Special mode with an open safety door and with drives B1, B2 and B3. One person is doing setup work or insertion work in the danger zone.
The door locking device is released or blocked by the diagnostics master of a drive that belongs to the corresponding danger zone. Using bidirectional connection I/O20, all drives in the corresponding danger zone are queried when switching from Normal to Special mode.
Using the enabling control (not shown in the figure), the person can now move the drives in danger zone B.

[Figure DF0045v6.EPS, block diagram: two drive groups fed from the mains via a power supply device (~/=). Drive group for danger zone A: drive A1 (safety master), drives A2 and A3 (safety slaves), each with motor M 3~, door locking device, door closed in normal mode. Drive group for danger zone B: drive B1 (safety master), drives B2 and B3 (safety slaves), each with motor M 3~, door locking device, door opened. Every drive has the selection/feedback inputs I1, I2, I3, I4 for the safety functions; the drives of a group are interconnected via I/O20, the masters additionally use I/O10. Further labels: safety function selection/feedback, emergency stop, monitoring module.]

Fig. 6-20: Drive groups for different danger zones

Safety Related Activation of the Locking Device of Several Protective Doors

[Figure DF0046v1.EPS, circuit sketch: a standard PLC with inputs (I1, I2, Ixx) for demand 1 and demand 2 and outputs O1 and O2 switching door locking device 1 and door locking device 2 from +24 V; the basic device with its safety technology optional module (SI-OM) provides O10, I/O10n and I10 between +24 V and 0 V.]

Fig. 6-21: Safety related activation of the locking device of two protective doors, with selection using standard PLC

Commissioning Safety Technology

7.1 General Information
The safety technology is a dual-channel system in which a second
processor redundantly carries out the monitoring functions. The processor
uses the known data of encoder, mechanical system and scaling of the
main system and stores them in the system/parameter memory.
Changes to this data are no longer allowed once the safety functions have been commissioned; they are detected and reported by an error/warning. After the system has been changed, it is necessary to commission the safety functions again.
All direct safety technology parameters are characterized by double input
which is realized in such a way that individual parameters have to be
written by a list of two equal values. Tables are of double size, the same
table being attached as a copy. This allows a plausibility test of the data to
be carried out, also in the case of an input via SERCOS monitor.
All safety technology parameters must be write-protected by a password
to be assigned by the user. The safety technology is activated at the
same time that the password is assigned.

7.2 Commissioning the Drive with Safety Technology Inactive

When the machine is delivered, safety technology is inactive; the status of P-0-3207, Safety technology password level is set to zero. "Normal" commissioning of the drive can be carried out.
If safety technology is inactive, the system parameters are invalid and there isn't any plausibility test or comparison of data. The safety parameters are set to default values and write protection is disabled. "INDRASAVE" is entered as the default password in P-0-3206, Safety technology password. Under these circumstances, it is possible to preload the safety parameters from a parameter file (when copying installations).

7.3 Commissioning Safety Technology

Safety technology is preferentially commissioned using the safety
technology assistant in the DriveTop commissioning software (command
Initial start-up of safety technology in menu Setup) or manually as
described below.

Entering a Safety Technology Device Identifier


A code for the device for which safety technology was commissioned is to
be stored in parameter P-0-3205, Safety technology device identifier
(e.g. machine type, unit, drive for ... axis/spindle).
This device code is required for identification to protect safety technology
data.

Selecting the Required Safety Functions


See "Overview of Safety Functions"

Specifying/Programming the Required Input Signals to Select the Safety Functions
Parameter P-0-3211, Safety I/O control word makes available a list for
the function linking of the individual I/Os of the "Safety technology"
optional module (channel 2) with defined safety control signals.
Parameter P-0-3212, Safety technology control word, channel 1
makes available binary control signals for online control of the safety
functions of the controller. By means of this control word, the individual
control signals can be optionally programmed to existing real-time bits of
the master communication, hardware I/Os or I/O extensions.
Note:

The physical inputs for channel 1 must be specified separately by setting suitable parameters.


Dynamization of the Inputs

Common dynamization for 24 V inputs for channel 1 and channel 2

The drive provides the dynamization signal: In P-0-3210, Safety technology control word it is necessary to make a setting so that dynamization is automatically carried out by a master safety technology for all selected inputs (via the output of I/O30). Dynamization is synchronized at the other drives via the inputs I/O30.
The PLC provides the dynamization signal: Dynamization is carried out automatically for all selected inputs (via the output of the PLC). In P-0-3210, Safety technology control word the output of I/O30 has to be deactivated.

Separate dynamization for inputs for channel 1 via master communication

In P-0-3210, Safety technology control word it is necessary to activate separate dynamization. In P-0-3212, Safety technology signal control word, channel 1 it is necessary to provide, for channel 1, a bit as substitute for E30. This bit has to be used by the application according to the parameter setting in P-0-3223, Time interval for dynamization of safety function selection and P-0-3224, Duration of dynamization pulse of safety function selection; i.e. the PLC carries out dynamization of the input signals for channel 1 and controls the provided bit in P-0-3212, Safety technology signal control word, channel 1.

Parameters for monitoring the dynamization signals

By means of parameter P-0-3223, Selection of time interval for dynamization, it is possible to set the cycle time in which dynamization takes place.
The pulse length of the dynamization signal can be set by means of parameter P-0-3224, Selection of duration of dynamization pulse.
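As an added illustration of the dynamization principle (example code, not Bosch Rexroth's implementation): the model below pulses every selected 24 V input to 0 V for a configurable duration at a configurable interval, mirroring the roles of P-0-3223 and P-0-3224, and classifies sampled input traces. An input that never shows the test pulse is stuck or bridged to +24 V, which a static level could not reveal. The sampling model, the constructed traces and all class and function names are assumptions; the one configuration rule taken from this chapter is that the reference switch/cam is excluded from dynamization.

```python
"""Illustrative model of dynamization (test pulsing) of 24 V safety inputs.

Added example, not Bosch Rexroth code. The dynamization source (the drive via
I/O30, or the PLC) pulls every selected input to 0 V for a short pulse at a
fixed interval; a monitor that sees the pulse knows the signal path is live.
Parameter roles mirror P-0-3223 (interval) and P-0-3224 (pulse duration); the
sampling model, the sample traces and all names below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DynamizationConfig:
    interval_ms: int                  # role of P-0-3223: cycle time of dynamization
    pulse_ms: int                     # role of P-0-3224: length of the 0 V test pulse
    selected_inputs: set[str]         # inputs that the dynamization output feeds
    # inputs that must never be pulsed (the manual excludes the reference switch/cam)
    reference_inputs: set[str] = field(default_factory=lambda: {"REF"})


def check_config(cfg: DynamizationConfig) -> list[str]:
    """Static configuration check; returns a list of problems (empty = ok)."""
    problems = []
    for name in sorted(cfg.selected_inputs & cfg.reference_inputs):
        problems.append(f"{name}: reference switch/cam must not be dynamized")
    if not 0 < cfg.pulse_ms < cfg.interval_ms:
        problems.append("pulse duration must be positive and shorter than the interval")
    return problems


def expected_active_trace(cfg: DynamizationConfig, n_samples: int, t_sample_ms: int = 1) -> list[int]:
    """Level pattern an active (+24 V) input must show: 0 V during each test pulse."""
    return [0 if (i * t_sample_ms) % cfg.interval_ms < cfg.pulse_ms else 1
            for i in range(n_samples)]


def evaluate_input(cfg: DynamizationConfig, trace: list[int], t_sample_ms: int = 1) -> str:
    """Classify one sampled input (1 = +24 V, 0 = 0 V, one sample per t_sample_ms)."""
    n = len(trace)
    if n * t_sample_ms < cfg.interval_ms:
        return "insufficient_samples"        # not a full dynamization cycle observed yet
    if not any(trace):
        return "inactive"                    # input off: nothing to verify this cycle
    if all(trace):
        return "stuck_high"                  # pulse never arrived: stuck or bridged to +24 V
    if list(trace) == expected_active_trace(cfg, n, t_sample_ms):
        return "active_ok"
    return "pulse_timing_error"              # pulse seen, but not where it was expected


def evaluate_all(cfg: DynamizationConfig, traces: dict[str, list[int]], t_sample_ms: int = 1) -> dict[str, str]:
    """Evaluate every selected input that has a trace; unselected inputs are skipped."""
    return {name: evaluate_input(cfg, trace, t_sample_ms)
            for name, trace in traces.items() if name in cfg.selected_inputs}


def constructed_traces(cfg: DynamizationConfig, n_samples: int = 200) -> dict[str, list[int]]:
    """Constructed sample data (not captured from a real drive)."""
    healthy = expected_active_trace(cfg, n_samples)
    bridged = [1] * n_samples                  # I2 wired straight to +24 V: pulse never visible
    delayed = [1, 1] + healthy[:-2]            # pulse arrives two samples late
    return {"I1": healthy, "I2": bridged, "I3": delayed, "I4": [0] * n_samples,
            "REF": [1] * n_samples}            # REF is not selected for dynamization


if __name__ == "__main__":
    cfg = DynamizationConfig(interval_ms=100, pulse_ms=5, selected_inputs={"I1", "I2", "I3", "I4"})
    print(check_config(cfg))
    print(evaluate_all(cfg, constructed_traces(cfg)))
```

The "stuck_high" class is the case dynamization exists for: a contact welded closed or a cross connection to +24 V looks like a valid selection at any single instant and is only exposed by the missing test pulse.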

Specifying/Programming the Required Output Signals for Feedback of Safety Functions
Parameter P-0-3214, Safety technology control word, channel 1 makes available binary status signals of the safety functions of the controller. By means of this status word, the individual status signals can be optionally programmed to existing real-time bits of the master communication or hardware I/Os or I/O extensions.
Note:

The physical outputs for channel 1 must be specified separately by setting suitable parameters.

All drives in a danger zone are interconnected via I/O20. In P-0-3210, Safety technology control word the diagnosis master has to be activated at one of these drives and the control for the feedback has to be selected.
In P-0-3210, Safety technology control word it is possible to determine the operating principle for the output E/A10 of channel 2.
If the X41 interfaces are connected via a ribbon cable, the I/O10 outputs of the diagnosis slaves can be switched off in P-0-3210, Safety technology control word. This line is then only used by the diagnosis master.


Setting the Safety Function Parameters

Parameterizing the Functions for "Safety Related Stopping Process"

Safety related standstill (SH)

If "Safety related standstill" is set in P-0-3210, Safety technology control word, the power supply to the drive is interrupted after the value set in parameter P-0-3233, Velocity threshold for safety related stopping process has been exceeded.
"Safety related standstill" is selected using the operating mode selection switch (see P-0-3211, Safety technology I/O control word, channel 2 and P-0-3212, Safety technology control word, channel 1).
For further parameter settings, see section 7.4, Setting the System Behavior.

Safety related operational stop (SBH)

If "Safety related operational stop" is set in P-0-3210, Safety technology control word, the drive is monitored for standstill. It is in control and mustn't leave the position window defined in P-0-3230, Monitoring window for safety related operational stop.
"Safety related operational stop" is selected using the operating mode selection switch (see the signal control word for inputs P-0-3211, Safety technology I/O control word, channel 2 and P-0-3212, Safety technology control word, channel 1).
For further parameter settings, see section 7.4, Setting the System Behavior.

Safety related drive interlock (ASP)

A drive interlock is provided within the safety technology. In order to activate the drive interlock, the corresponding "ASP" (drive interlock) signal must have been programmed in P-0-3211, Safety technology I/O control word, channel 2 and the respective bit must be activated in P-0-3212, Safety signal control word of controller via I/O or master communication.
P-0-3233, Velocity threshold for safety related stopping process must be used to define a threshold for the standstill monitor.
For further parameter settings, see section 7.4, Setting the System Behavior.

Parameterizing the Functions for "Safety Related Motion"
Up to four different parameter sets can be created for the "Safety related motion":
P-0-3240, Control word for safety related motion 1
P-0-3250, Control word for safety related motion 2
P-0-3260, Control word for safety related motion 3
P-0-3270, Control word for safety related motion 4
A parameter set can then be activated according to the combination of the
input signals from safety switch S1 and/or S2 (see P-0-3211, Safety
technology I/O control word, channel 2 and P-0-3212, Safety
technology control word, channel 1).
"Safety related motion" is selected by specifying the inputs of the enabling
control (see P-0-3211, Safety technology I/O control word, channel 2
and P-0-3212, Safety technology control word, channel 1).
For further parameter settings, see section 7.4, Setting the System
Behavior.


Safety related speed

By means of the following parameters, it is possible to define the limit velocity that is monitored for the respective parameter set for motion:
P-0-3244, Safety related reduced speed 1
P-0-3254, Safety related reduced speed 2
P-0-3264, Safety related reduced speed 3
P-0-3274, Safety related reduced speed 4

Safety related limited increment

Using the following parameters, the set-up position range can be defined
starting at the time of selection using the enabling control for the
parameter set that is being monitored:
P-0-3243, Safety related limited increment 1
P-0-3253, Safety related limited increment 2
P-0-3263, Safety related limited increment 3
P-0-3273, Safety related limited increment 4

Safety related direction of motion

By means of parameter P-0-3232, Monitoring window for safety related direction of motion it is possible to parameterize a position window for the incorrect direction of motion.

Safety related position

By means of the following parameters, the upper and lower position limits
can be defined for the respective parameter set that is monitored:
P-0-3241, Safety related limited absolute position 1, positive
P-0-3242, Safety related limited absolute position 1, negative
P-0-3251, Safety related limited absolute position 2, positive
P-0-3252, Safety related limited absolute position 2, negative
Note:

It is possible to configure only two ranges because only one safety switch (S1) is available due to the limited number of inputs (4); one input is required for the safety related reference cam (operating mode selection switch; enabling control; REF; S1).
Safety switch (S1) not selected and enabling control device (EC) selected: safety related position 1 is active
Safety switch (S1) selected and enabling control device (EC) selected: safety related position 2 is active

Safety related homing procedure

The safety related homing procedure is the prerequisite for the "Safety related limited absolute position" safety function.
Note:

In the case of absolute encoders, the S-0-0148, C0600 Drive-controlled homing procedure command has to be started for safety related homing.

In P-0-3210, Safety technology control word it is necessary to parameterize whether homing is done by means of cam or switch.
In P-0-3231, Reference position for safety related reference it is necessary to parameterize the reference position that has to be detected when moving to the safe cam.
Note:

Dynamization mustn't be carried out for the reference switch / cam.
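The following is an added worked example (not Bosch Rexroth code) of what the "Safety related motion" parameters described above amount to at run time: a parameter set is activated while the enabling control is pressed, and every cycle the monitor compares velocity against the reduced speed, travel since selection against the limited increment, position against the absolute limits (only if safety related homing has been done), and accumulated travel in the wrong direction against the direction window (role of P-0-3232). The selection table for S1/S2, the units, the constructed parameter values and all class and function names are assumptions; the page only states that a set is chosen by the combination of S1 and/or S2 and that absolute position limits exist for sets 1 and 2.

```python
"""Illustrative monitor for the "Safety related motion" parameter sets.

Added example, not Bosch Rexroth code. Checks modelled: reduced speed,
limited increment measured from the position at selection, limited absolute
position (sets 1 and 2 only, requires safety related homing) and the position
window for the wrong direction of motion. Selection table, units and names
are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MotionSet:
    number: int                                   # 1..4
    reduced_speed: float                          # limit velocity (m/min in the figures)
    limited_increment: Optional[float] = None     # set-up position range after selection
    abs_pos_negative: Optional[float] = None      # lower position limit (sets 1 and 2 only)
    abs_pos_positive: Optional[float] = None      # upper position limit (sets 1 and 2 only)
    allowed_direction: Optional[int] = None       # +1, -1 or None (both directions allowed)


# Assumed mapping of the safety switches S1/S2 to the four sets (the manual only says
# a set is activated according to the combination of S1 and/or S2 while EC is pressed).
SELECTION = {(False, False): 1, (True, False): 2, (False, True): 3, (True, True): 4}


class MotionMonitor:
    def __init__(self, sets: list[MotionSet], direction_window: float, homed: bool):
        self.sets = {s.number: s for s in sets}
        self.direction_window = direction_window    # role of P-0-3232
        self.homed = homed                          # safety related homing procedure done?
        self.active: Optional[MotionSet] = None
        self.pos_at_selection = 0.0
        self.last_pos: Optional[float] = None
        self.wrong_dir_travel = 0.0

    def select(self, ec: bool, s1: bool, s2: bool, position: float) -> Optional[int]:
        """Evaluate the selection inputs; returns the active set number or None."""
        if not ec:                                  # enabling control released: no motion set
            self.active, self.last_pos, self.wrong_dir_travel = None, None, 0.0
            return None
        number = SELECTION[(s1, s2)]
        if self.active is None or self.active.number != number:
            self.active = self.sets[number]
            self.pos_at_selection = position        # the increment is counted from here
            self.last_pos = position
            self.wrong_dir_travel = 0.0
        return number

    def check(self, position: float, velocity: float) -> list[str]:
        """One monitoring cycle; returns the violated limits (empty = within limits)."""
        s = self.active
        if s is None:
            return []
        violations = []
        if abs(velocity) > s.reduced_speed:
            violations.append("reduced_speed")
        if s.limited_increment is not None and abs(position - self.pos_at_selection) > s.limited_increment:
            violations.append("limited_increment")
        if s.abs_pos_negative is not None and s.abs_pos_positive is not None:
            if not self.homed:
                violations.append("not_homed")      # absolute limits are meaningless without homing
            elif not s.abs_pos_negative <= position <= s.abs_pos_positive:
                violations.append("absolute_position")
        if s.allowed_direction is not None and self.last_pos is not None:
            delta = position - self.last_pos
            if delta * s.allowed_direction < 0:
                self.wrong_dir_travel += abs(delta)  # travel against the allowed direction
            if self.wrong_dir_travel > self.direction_window:
                violations.append("direction_of_motion")
        self.last_pos = position
        return violations


def constructed_sets() -> list[MotionSet]:
    """Constructed parameter values, not taken from a real machine."""
    return [
        MotionSet(1, reduced_speed=2.0, abs_pos_negative=0.0, abs_pos_positive=500.0, allowed_direction=+1),
        MotionSet(2, reduced_speed=2.0, limited_increment=10.0),
        MotionSet(3, reduced_speed=0.5),
        MotionSet(4, reduced_speed=0.5, limited_increment=1.0),
    ]


def run_scenario(homed: bool = True) -> dict[str, list[str]]:
    """Drive a few constructed monitoring cycles through the monitor and collect the results."""
    m = MotionMonitor(constructed_sets(), direction_window=0.5, homed=homed)
    out = {}
    m.select(ec=True, s1=False, s2=False, position=100.0)       # set 1: speed, abs. position, + direction
    out["set1_slow_forward"] = m.check(100.3, 1.5)
    out["set1_too_fast"] = m.check(100.6, 2.5)
    out["set1_backwards_a_little"] = m.check(100.3, -1.0)      # 0.3 back: still inside the window
    out["set1_backwards_too_far"] = m.check(100.0, -1.0)       # 0.6 back in total: violation
    m.select(ec=True, s1=True, s2=False, position=100.0)        # set 2: increment counted from 100.0
    out["set2_inside_increment"] = m.check(109.0, 1.0)
    out["set2_outside_increment"] = m.check(111.0, 1.0)
    m.select(ec=False, s1=True, s2=False, position=111.0)       # enabling control released
    out["no_enabling"] = m.check(200.0, 9.9)
    return out
```

Run with `homed=False` the same scenario reports "not_homed" for set 1, which is the run-time form of the rule that safety related homing is the prerequisite for the limited absolute position.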

7.4 Setting the System Behavior

Parameter P-0-3220, Tolerance time transition from normal operation
or P-0-3225, Tolerance time transition from safety rel. oper. is used to
define the maximum available amount of time after which the monitoring
of the selected safety function is activated.
In the case of drive-controlled shutdown, the safety function is activated
when standstill has been reached, but at the latest when P-0-3225,
Tolerance time transition from safety rel. oper. is over.
In the case of shutdown controlled by the control unit, the safety function
can be activated by the corresponding parameterization of P-0-3212,
Safety technology signal control word, channel 1 before the tolerance
time is over.
P-0-3233, Velocity threshold for safety related stopping process
must be used to define a threshold for the standstill detector.
Parameter P-0-3221, Max. tolerance time for different channel states
defines the maximum allowed time during which the states in both
monitoring channels may differ.
Parameter P-0-3222, Max. acknowledge time defines the maximum
period of time within which the enabling control device must be released
and pressed again. This time is used to monitor the enabling control for
unauthorized manipulation.
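Two of the timing rules in this section, as an added example (not Bosch Rexroth code): the standstill monitor of a stopping function becomes active as soon as the velocity is below the standstill threshold (role of P-0-3233) and at the latest when the tolerance time for the transition (role of P-0-3220/P-0-3225) has elapsed; and the two monitoring channels may report different states for at most the tolerance time for different channel states (role of P-0-3221). Times are milliseconds, the state names and the constructed input sequences are assumptions, and for a dual-channel input such as I1/I1n the caller would pass the already de-inverted state of channel 2.

```python
"""Illustrative model of two system behavior parameters of section 7.4.

Added example, not Bosch Rexroth code. StoppingTransition: activation of the
standstill monitor (standstill reached, or tolerance time over). ChannelComparator:
the two monitoring channels may differ only for a limited time. Names, states and
sample sequences are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class SystemBehavior:
    tolerance_transition_ms: int     # role of P-0-3220/P-0-3225: max. time until monitoring is active
    standstill_threshold: float      # role of P-0-3233: velocity below which the drive counts as stopped
    max_channel_diff_ms: int         # role of P-0-3221: max. time the two channel states may differ


class StoppingTransition:
    """Activation of the standstill monitor after a stopping function was selected."""

    def __init__(self, cfg: SystemBehavior):
        self.cfg = cfg
        self.selected_at: Optional[int] = None
        self.monitor_active = False

    def select(self, t_ms: int) -> None:
        self.selected_at, self.monitor_active = t_ms, False

    def step(self, t_ms: int, velocity: float) -> str:
        if self.selected_at is None:
            return "not_selected"
        stopped = abs(velocity) <= self.cfg.standstill_threshold
        if not self.monitor_active:
            if stopped or t_ms - self.selected_at >= self.cfg.tolerance_transition_ms:
                self.monitor_active = True           # standstill reached, or tolerance time over
            else:
                return "braking"                      # still decelerating, monitoring not yet active
        return "monitor_active" if stopped else "violation"


class ChannelComparator:
    """Both monitoring channels must agree; a difference is tolerated only briefly."""

    def __init__(self, cfg: SystemBehavior):
        self.cfg = cfg
        self.differ_since: Optional[int] = None

    def step(self, t_ms: int, ch1: bool, ch2: bool) -> str:
        if ch1 == ch2:
            self.differ_since = None
            return "consistent"
        if self.differ_since is None:
            self.differ_since = t_ms                  # first cycle with differing states
        if t_ms - self.differ_since > self.cfg.max_channel_diff_ms:
            return "channel_discrepancy"              # e.g. one contact of a two-channel switch stuck
        return "tolerated"                            # contacts never change at exactly the same instant


def run_constructed_sequences() -> dict[str, list[str]]:
    """Constructed input sequences (not recorded data) run through both monitors."""
    cfg = SystemBehavior(tolerance_transition_ms=500, standstill_threshold=0.1, max_channel_diff_ms=50)
    in_time = StoppingTransition(cfg)           # stop reaches standstill before the tolerance time
    in_time.select(0)
    stopped_in_time = [in_time.step(t, v) for t, v in [(100, 3.0), (300, 0.05), (400, 0.5)]]
    late = StoppingTransition(cfg)              # drive still moving when the tolerance time is over
    late.select(0)
    tolerance_over = [late.step(t, v) for t, v in [(200, 1.0), (600, 1.0)]]
    cmp = ChannelComparator(cfg)
    channels = [cmp.step(t, a, b) for t, a, b in
                [(0, True, True), (10, True, False), (40, True, False), (70, True, False), (80, False, False)]]
    return {"stopped_in_time": stopped_in_time, "tolerance_over": tolerance_over, "channels": channels}
```

In the "stopped_in_time" sequence the monitor becomes active at standstill and the later movement (0.5 above the threshold) is a violation; in "tolerance_over" the monitor is forced active at 600 ms and immediately reports the still-moving drive.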

7.5 Activating Safety Technology

When parameterization has been completed, you must first change the default password.
Note:

The safety technology is activated by changing the safety password.

To change the safety password, first the default password ("INDRASAVE") and then (separated by blanks) the new password must be entered twice (P-0-3206 = "INDRASAVE USERPW USERPW") in parameter P-0-3206, Safety technology password.

Safety Parameter Plausibility Check

After the safety technology has been activated, the plausibility of the two separately managed safety parameter sets (on the controller module and on the optional module) is continuously monitored. If the system detects different parameter values, a plausibility error message (E3106) is generated. The error message is deleted only after the parameter memory of the main system and that of the redundant safety system have been synchronized.
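The three mechanisms of sections 7.1, 7.5 and the plausibility check above, as one added example (not Bosch Rexroth code): a direct safety parameter is accepted only as a list of two equal values, the safety technology is activated by replacing the default password "INDRASAVE" with a new password entered twice, and from then on the parameters are write-protected and the copy on the controller module is compared against the copy on the optional module, with synchronization (role of C3000) clearing the mismatch. The class, its method names and the mismatch handling are assumptions; E3106, the IDNs and the password entry form are the ones named on the page.

```python
"""Illustrative model of the safety parameter memory: double input, password
activation with write protection, plausibility check and synchronization.

Added example, not Bosch Rexroth code. Class and method names, and the way a
mismatch is reported, are assumptions; E3106, the IDN numbers and the
password entry form are taken from the manual.
"""
from __future__ import annotations

from typing import Sequence

DEFAULT_PASSWORD = "INDRASAVE"    # default content of P-0-3206 with safety technology inactive
PLAUSIBILITY_ERROR = "E3106"      # reported when the two parameter copies differ


def split_double_input(values: Sequence) -> list:
    """Check and unpack the doubled list form: both halves must be identical."""
    if len(values) % 2:
        raise ValueError("double input requires an even number of elements")
    half = len(values) // 2
    first, second = list(values[:half]), list(values[half:])
    if first != second:
        raise ValueError("double input mismatch: the two copies differ")
    return first


class SafetyParameterMemory:
    def __init__(self):
        self.main = {}            # copy held by the main system (controller module)
        self.redundant = {}       # copy held by the optional safety module
        self.password = DEFAULT_PASSWORD
        self.password_level = 0   # role of P-0-3207: 0 = safety technology inactive
        self.change_counter = 0   # role of P-0-3201: incremented per accepted change

    @property
    def active(self) -> bool:
        return self.password_level > 0

    def write(self, idn: str, doubled_values: Sequence) -> list:
        """Write one safety parameter; refused once the safety technology is active."""
        if self.active:
            raise PermissionError(f"{idn}: write-protected, safety technology active")
        value = split_double_input(doubled_values)
        self.main[idn] = value
        self.redundant[idn] = list(value)
        self.change_counter += 1
        return value

    def change_password(self, entry: str) -> bool:
        """Entry form from the manual: '<old password> <new password> <new password>'."""
        parts = entry.split()
        if len(parts) != 3:
            raise ValueError("expected: old password, new password, new password")
        old, new, confirm = parts
        if old != self.password:
            raise PermissionError("old password does not match")
        if new != confirm:
            raise ValueError("the new password was not entered identically twice")
        self.password = new
        self.password_level = 1   # activates the safety technology and the write protection
        return self.active

    def plausibility_check(self) -> list[tuple[str, str]]:
        """Compare both copies; returns (error code, IDN) for every difference."""
        idns = set(self.main) | set(self.redundant)
        return sorted((PLAUSIBILITY_ERROR, idn) for idn in idns
                      if self.main.get(idn) != self.redundant.get(idn))

    def synchronize(self) -> None:
        """Role of command C3000: make the redundant copy equal to the main copy."""
        self.redundant = {idn: list(v) for idn, v in self.main.items()}

    def load_defaults(self) -> None:
        """Role of the C07 load defaults procedure: deactivates and resets everything."""
        self.__init__()


def commissioning_walkthrough() -> dict:
    """Constructed walkthrough: parameter writes, activation, a simulated diverging copy."""
    mem = SafetyParameterMemory()
    mem.write("P-0-3233", [0.1, 0.1])          # velocity threshold as a doubled scalar
    mem.write("P-0-3244", [2.0, 2.0])
    try:
        mem.write("P-0-3254", [2.0, 3.0])      # rejected: the two halves differ
        rejected = False
    except ValueError:
        rejected = True
    mem.change_password(f"{DEFAULT_PASSWORD} USERPW USERPW")
    try:
        mem.write("P-0-3244", [1.0, 1.0])      # rejected: write protection is active
        protected = False
    except PermissionError:
        protected = True
    mem.redundant["P-0-3233"] = [0.2]          # simulate a diverging copy on the optional module
    errors = mem.plausibility_check()
    mem.synchronize()
    return {"rejected": rejected, "protected": protected, "active": mem.active,
            "errors": errors, "after_sync": mem.plausibility_check(), "changes": mem.change_counter}
```

The doubled form is what lets the drive detect a corrupted or mistyped value even when it arrives through a generic channel such as the SERCOS monitor: a single wrong element makes the two halves differ and the write is refused.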


Synchronizing the System Memory and Storing the New Parameters

By executing command P-0-3204, C3000 Synchronize and store safety technology IDN command, the system data are synchronized and stored in the safety memory together with the safety technology data.
Note:

After commissioning the safety technology, a safety acceptance test (test report) documenting the level of the modification counter (P-0-3201) and the required acceptance tests is necessary.

Completing Commissioning
At the end of commissioning, the new parameters of the safety functions can be tested. To do this, select the safety functions one after the other while triggering the activation of the monitors using command value selection.

CAUTION
Loss of safety-relevant settings when the control section is replaced!
Save the safety technology parameters on an external storage medium (S-0-0192, IDN-list of backup operation data) so that all safety-relevant settings can be transferred to the new control section when the old one is replaced.

Note:

A binary image of the safety technology data for channel 2 is contained in parameter P-0-3208, Backup of safety techn. data channel 2.

7.6 The Safety System in Parameterization Mode and After Initialization
After the start button is reset, the drive system is in the "Safety related
standstill" operating mode, i.e. the final stage is switched off on two
channels and the corresponding acknowledgements and diagnostics are
set.
If the drive is switched from the operating mode to the parameterization
mode, the system is also automatically brought into the "Safety related
standstill" mode.
The system is initialized and the encoder evaluation is reset the next time
that the system is switched to the operating mode. The evaluation of the
safety selection inputs occurs only in the operating mode; if necessary,
the system switches to another operating state.

7.7 Deactivating Safety Technology

By executing command S-0-0262, C07_x Load defaults procedure
command (with P-0-4090, Index for C07 Load defaults
procedure = 165 hex), the safety technology is deactivated. The system
parameters are then invalid; no plausibility test and comparison of data
takes place. The safety parameters are reset to their default values.

CAUTION
Loss of user-defined safety parameter settings by executing command S-0-0262, C07_x Load defaults procedure command!
Before the safety technology is deactivated using command S-0-0262, C07_x Load defaults procedure command, the safety parameters should be saved to an external storage medium (memcard / diskette).

Note:

The execution of command S-0-0262, C07_x Load defaults procedure command cannot be undone. In the case of changes to safety-relevant parameters, it is necessary to subsequently carry out the safety technology commissioning with safety technology acceptance test again!
If there aren't any changes required, the safety technology can be activated again according to the procedure for replacing the control section.

Note:

At other drive modules that have been equipped with the optional module "safety technology I/O", deactivating the safety technology causes the error F3131.

7.8 Modification Status and Modification History

Modification status

Every change of the safety memory can be assigned to an unequivocal modification status which must be documented within the scope of the safety acceptance test. The modification status is stored in the following parameters:
P-0-3201, Change counter of safety technology memory
P-0-3202, Operating hours at last change of memory

Modification history

In the case of an obligation to produce supporting documents, the last states of the safety memory can be reproduced using parameter P-0-3203, Memory image of safety memory via an external program.

Acceptance Test

8.1 Acceptance Procedure
A complete acceptance test must be carried out by authorized personnel
when commissioning the machine and for all software or hardware
modifications that are relevant to the functional safety (including
modifications made using telecommunication).
If only a few safety-relevant data have been modified, these must be
tested in a partial acceptance test.
In any case, the modifications and the execution of the test must be
logged (see "Checklist for Acceptance Test").

Complete Acceptance Test


In a complete acceptance test, all planned safety functions (e.g.
maintenance of limit values, functions of the control stations, functions of
the actuators) must be checked. Here, the reaction to errors is physically
effective. It must be checked whether the safety function works correctly.
To do this, the command value limits in the special mode must be lifted in
the higher-level control for the duration of the acceptance test.
The tests that are required for this purpose must be selected from the
following checklist and executed.

Partial Acceptance Test


In a partial acceptance test, only those safety functions that are affected
by the modification of the safety-relevant data must be checked.
The tests that are required for this purpose must be selected from the
following checklist and executed.

8.2 Checklist for Acceptance Test

Before the following safety tests can be executed, commissioning must
be complete.
Each test must be carried out for each individual axis/spindle/roller drive.
A printout with the currently effective safety functions and the associated
values can be generated using the safety technology assistant in the
DriveTop commissioning software (see the following example).

[Figure DL000003v01_en.WMF: screenshot of a safety technology report generated by the safety technology assistant]

Fig. 8-1: Example of a safety technology report / acceptance test

Error Messages, Warnings and Error Elimination

9.1 Firmware Code
Parameter P-0-3200, Safety firmware code contains the designation of
the safety firmware version.

9.2 Errors
The error handling of the safety technology is covered by the error
handling of the standard drive.
If an error occurs, the drive is decelerated in the best possible or fastest
way and then goes to safety related standstill.

Note:
In the case of a feedback error, the safety technology can no
longer guarantee dual-channel safety. It is then impossible, for
example, to detect a coasting spindle. In this case, the safety
door may only be unlocked manually after an additional visual
check by the operators. The door is to be unlocked at the drive
that reports the encoder error. This drive then acknowledges
the safety and the master can open the safety door.
The parameter P-0-3218, Manually unlocking the safety door
allows the safety door to be unlocked manually in the
case of a feedback error.

Note:
For the causes and elimination of errors, please consult the
"Troubleshooting Guide".

9.3 Warnings in Operating Mode "Normal Operation"

Note:
The detection of errors on inactive safety functions leads to a
warning in normal operation.
For the causes and elimination of warnings, please consult the
"Troubleshooting Guide".

9.4 Status Messages
Parameter P-0-3213, Safety technology status makes available binary
status signals for online monitoring of the safety states. By means of this
status word, the individual status signals can optionally be assigned to
existing real-time bits of the master communication, to hardware I/Os, or
to I/O extensions.
Parameter P-0-3215, Selected safety technology mode makes
available, in coded form, the activated safety operating mode of the
individual monitoring channels.
Parameter P-0-3216, Active safety technology signals shows the
current status of the safety signals of the individual channels.
Parameter P-0-3217, I/O status channel 2 (optional safety technology
module) shows the current status of the inputs/outputs of the safety
module.

9.5 Modification Status of the Safety Memory

Every change of the safety memory can be assigned a unique
modification status, which has to be documented together with the
password within the scope of the safety acceptance test.
Parameter P-0-3201, Change counter of safety technology memory is
incremented each time the safety memory is changed; this also applies to
the command S-0-0262, C07_x Load defaults procedure command.
Parameter P-0-3202, Operating hours at last change of memory
indicates the point in time at which the safety memory was last changed.
It is part of the safety memory.

9.6 Tracing the Modification History

Where there is an obligation to produce supporting documents, the last
states of the safety memory can be reproduced by reading out the content of
parameter P-0-3203, Memory image of safety technology memory.
The content of the parameter is a hexadecimal list. With an
external program, the prior states can be traced from it.
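The following is an added example for the checks described in sections 9.5 and 9.6; it is not code from this manual or from Bosch Rexroth. It compares the change counter (P-0-3201) and the operating hours at last change (P-0-3202) read from the drive against the values logged at the last acceptance test, and diffs consecutive memory images of the kind held in P-0-3203. The parameter numbers are the manual's; the record layout, the representation of P-0-3203 as a list of equal-length hex strings (oldest state first) and all sample values are assumptions constructed for this example.

```python
"""Modification status and history of the safety memory (sections 9.5 and 9.6).

Added example; not code from the manual or from Bosch Rexroth.  The parameter
numbers are those named in the manual; the record layout, the hex-list layout
assumed for P-0-3203 and all sample values are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyMemoryStatus:
    change_counter: int     # P-0-3201, Change counter of safety technology memory
    operating_hours: float  # P-0-3202, Operating hours at last change of memory


# Constructed sample: values documented in the log of the last acceptance test.
LOGGED_AT_ACCEPTANCE = SafetyMemoryStatus(change_counter=12, operating_hours=1530.5)
# Constructed sample: values read from the drive at a later inspection.
CURRENT_READOUT = SafetyMemoryStatus(change_counter=14, operating_hours=1702.0)


def acceptance_status(logged, current):
    """Compare the current modification status with the logged one.

    Returns (changes_since_acceptance, verdict).  Every change of the safety
    memory increments P-0-3201, so a counter above the logged value means the
    memory was modified after the last acceptance test.  A counter below the
    logged value, or an equal counter with a different change time, cannot
    result from normal operation and has to be investigated (e.g. replaced
    control section, wrong log).
    """
    delta = current.change_counter - logged.change_counter
    if delta < 0:
        return delta, "inconsistent: counter below logged value, investigate"
    if delta == 0 and current.operating_hours != logged.operating_hours:
        return 0, "inconsistent: same counter but different change time, investigate"
    if delta == 0:
        return 0, "unchanged since last acceptance test"
    return delta, f"{delta} change(s) since last acceptance test: acceptance test required"


# Constructed sample of the hex list in P-0-3203, Memory image of safety
# technology memory: one hex string per stored state, oldest first, all of
# equal length.  This representation is an assumption made for the example.
MEMORY_IMAGES = [
    "0c000000e803000001000000",  # constructed: state after change 12
    "0d0000001027000001000000",  # constructed: state after change 13
    "0e0000001027000002000000",  # constructed: state after change 14
]


def diff_images(older_hex, newer_hex):
    """Return [(offset, old_byte, new_byte)] for every byte that differs."""
    old, new = bytes.fromhex(older_hex), bytes.fromhex(newer_hex)
    if len(old) != len(new):
        raise ValueError("memory images must have equal length")
    return [(i, o, n) for i, (o, n) in enumerate(zip(old, new)) if o != n]


def trace_history(images):
    """One diff per consecutive pair of stored states, oldest change first."""
    return [diff_images(older, newer) for older, newer in zip(images, images[1:])]


if __name__ == "__main__":
    print(acceptance_status(LOGGED_AT_ACCEPTANCE, CURRENT_READOUT))
    for step, changes in enumerate(trace_history(MEMORY_IMAGES), start=1):
        print(f"change {step}: " + ", ".join(
            f"offset {off}: 0x{o:02x} -> 0x{n:02x}" for off, o, n in changes))
```

A counter that differs from the logged value means the safety memory was modified after the last acceptance test, which under section 8.1 calls for a partial or complete acceptance test. The byte-level diff narrows down what was changed between two stored states; mapping an offset to a parameter requires the memory layout, which this manual does not give.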

10 Firmware Update, Replacing the Power and Control Sections

10.1 Firmware Update

Note:
The firmware of the optional safety technology module and of
the controller are firmly linked. Each firmware update contains
the firmware of the optional safety technology module and of
the controller. If the controller firmware detects a version on
the optional safety technology module that is not suitable, the
supplied version is loaded.

In the case of a firmware update, the parameters should be retained.
If parameters are lost, see "Replacing a control section without MMC".

10.2 Replacing the Power Section

When the power section is replaced, new safety technology
commissioning and a new acceptance test are not required.

10.3 Replacing the Control Section

When a control section is delivered, its safety technology is inactive.
The status of P-0-3207, Safety technology password level, is set to
zero, while the value of Safety technology password (P-0-3206) is set to
"INDRASAVE". Different steps are required, depending on whether an
MMC is used or not.

Replacing a control section without MMC

Note:
A control section that has already been in operation can be
brought into the above state by loading the defaults (see
"Deactivating Safety Technology").

After replacing the control section, proceed as follows:
• Switch the drive to parameter mode.
• Load the default parameters (S-0-0192) using a download file. (The
  safety technology data for channel 2 are contained as a binary image
  in parameter P-0-3208, Backup of safety techn. data channel 2.)
• Switch the drive to operating mode.
• Check whether the safety parameters that are suitable for the drive
  were loaded; to do this, check the information in P-0-3205, Safety
  technology device identifier (machine type, unit, drive
  for axis/spindle).
• Prepare a log with the following content and append it to the safety-relevant
  documentation of the machine:
  – Control section replaced on (date)
  – Change counter of safety technology memory (P-0-3201) at (value)
  – Operating hours at last change of memory (P-0-3202) at (value)
  – (Date), (name), (signature)

Replacing a control section with MMC

After replacing the control section, proceed as follows:
• If a new MMC is detected, the query "new MMC there" or "other MMC"
  appears when the control panel is booted; the user must answer this
  with "ENTER" or "ESC".
• If the first query is answered with "ENTER" and the safety technology on
  the new hardware is already active, a second query appears on the
  control panel: "load new safety ?". If the ENTER key is pressed, the
  safety data are transferred from the MMC; if the ESC key is pressed,
  the safety data are not transferred from the MMC and the safety data of
  the previously active safety technology configuration remain.
• Switch the drive to operating mode.
• Check whether the safety parameters that are suitable for the drive
  were loaded; to do this, check the information in P-0-3205, Safety
  technology device identifier (machine type, unit, drive
  for axis/spindle).
• Prepare a log with the following content and append it to the safety-relevant
  documentation of the machine:
  – Control section replaced on (date)
  – Change counter of safety technology memory (P-0-3201) at (value)
  – Operating hours at last change of memory (P-0-3202) at (value)
  – (Date), (name), (signature)

Note:
In order to be able to boot the drive without MMC after having
replaced the control section, you have to load the safety
technology parameters to the internal memory:
• Switch the drive to parameter mode.
• Execute the command P-0-4091, C2500 Copy IDN from
  optional memory to internal memory.
• Boot the drive.
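As an added example for the control section replacement procedure above (not code from this manual or from Bosch Rexroth): it checks the loaded P-0-3205, Safety technology device identifier against the identifier expected for this drive and, only when they match, builds the log entry that is to be appended to the safety-relevant documentation. The three-field structure assumed for P-0-3205 (machine type, unit, drive for axis/spindle), the `accept_replacement` helper and all sample values are constructed for this example.

```python
"""Verify the loaded safety parameters after a control section replacement and
produce the log record the procedure asks for.

Added example; not code from the manual or from Bosch Rexroth.  P-0-3205,
P-0-3201 and P-0-3202 are the parameters the manual names; the field layout
assumed for P-0-3205 and all sample values are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceIdentifier:
    """Assumed structure of P-0-3205, Safety technology device identifier."""
    machine_type: str
    unit: str
    drive: str  # axis or spindle the drive is assigned to


def identifier_mismatches(expected, loaded):
    """Return the names of the fields in which the loaded identifier deviates.

    An empty list means the safety parameters belong to this drive; any other
    result means a parameter set for a different machine, unit or axis was
    loaded and the drive must not be released for operation.
    """
    return [name for name in ("machine_type", "unit", "drive")
            if getattr(expected, name) != getattr(loaded, name)]


def replacement_log(date, change_counter, operating_hours, name, signature):
    """Build the log entry to be appended to the safety-relevant documentation."""
    return [
        f"Control section replaced on {date}",
        f"Change counter of safety technology memory (P-0-3201) at {change_counter}",
        f"Operating hours at last change of memory (P-0-3202) at {operating_hours}",
        f"{date}, {name}, {signature}",
    ]


def accept_replacement(expected, loaded, change_counter, operating_hours,
                       date, name, signature):
    """Run the identifier check first; only on success is a log record produced.

    Returns (ok, payload): payload is the list of log lines when ok is True,
    otherwise the list of mismatching identifier fields.
    """
    bad = identifier_mismatches(expected, loaded)
    if bad:
        return False, bad
    return True, replacement_log(date, change_counter, operating_hours, name, signature)


# Constructed sample values (hypothetical machine, unit and axis names).
EXPECTED_ID = DeviceIdentifier("MachineType-A", "Unit-1", "Axis-X")
LOADED_ID_OK = DeviceIdentifier("MachineType-A", "Unit-1", "Axis-X")
LOADED_ID_WRONG = DeviceIdentifier("MachineType-A", "Unit-1", "Spindle-1")

if __name__ == "__main__":
    ok, payload = accept_replacement(EXPECTED_ID, LOADED_ID_OK, 15, 1733.2,
                                     "2004-03-15", "J. Doe", "signed")
    print("\n".join(payload) if ok else f"wrong parameter set, mismatch in: {payload}")
```

The check deliberately refuses to produce a log record when the identifier does not match, so the documentation cannot end up recording a replacement whose parameter set was never verified against the drive.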

11 Declaration of Conformity and Mark Certificate

11.1 "Starting Lockout" Optional Module

Fig. 11-1: Declaration of Conformity, "Starting lockout" optional module (CSH01.1...-L1-...)

Fig. 11-2: Mark Certificate, "Starting lockout" optional module (CSH01.1...-L1-...)

11.2 "Safety Technology I/O" Optional Module

Fig. 11-3: Declaration of Conformity, "Safety technology I/O" optional module (CSH01.1...-S1-...)

Fig. 11-4: Mark Certificate, "Safety technology I/O" optional module (CSH01.1...-S1-...)

12 Index
A
absolute position see limited absolute position
Appropriate use
Introduction 3-1

Appropriate uses
Uses 3-2

C
C-standards 4-4

D
drive system see electric drive system

E
electric drive system 4-4
Enabling control 4-5
Error message
plausibility 7-6

F
Fields of application 6-2

H
Hazard analysis 4-1

I
Inappropriate use 3-2
Consequences, Discharge of liability 3-1

Increment see Limited incremental dimension


Integrated safety technology 1-1, 4-4

J
Jog switch 4-5

L
limited absolute position 4-5
Limited incremental dimension 4-5
Locked separating protective device with locking device (EN 292-1) 4-6

M
Modification history 7-8

O
Operating mode switch 4-6
operational stop 4-5

P
Protective device see Locked separating protective device with locking device
(EN 292-1) see Separating protective device (EN 292-1)


R
reduced speed 4-5
Replacing a control section with MMC 10-2
Replacing a control section without MMC 10-1
Replacing the Control Section 10-1
Risk management 4-1

S
Safety acceptance test
modification status 7-8

Safety categories
requirements 4-2

safety functions
safely monitored shutdown 6-6
safety related homing procedure 6-6

Safety functions
overview 6-3
safety related brake management 6-10
safety related control of a door locking device 6-11
safety related diagnostic outputs 6-10
safety related limited absolute position 6-10
safety related limited increment 6-10
safety related operational stop 6-4
safety related reduced speed 6-9
safety related standstill 6-4

Safety Functions
safety related direction of motion 6-9
safety related limited absolute end position 6-10

Safety Instructions for Electric Drives and Controls 2-1


Safety related 4-4
Safety related reduced speed 4-5
safety technology see Integrated safety technology
Safety technology
cross data comparison 6-14
dual-channel structure 6-13
dynamization 6-15
functional principle 6-12

Separating protective device (EN 292-1) 4-6


Standards
relevant to components 4-3
relevant to machines 4-3

standstill 4-5
Starting lockout
command value selection requirements 5-2
examples of application 5-3
forced dynamization 5-2
general information 5-1
safety function 5-1
selecting the starting lockout 5-2

Stop categories according to EN 60204-1 4-6


Stopping process 4-4

U
Use See appropriate use and see inappropriate use


Bosch Rexroth AG
Electric Drives and Controls
P.O. Box 13 57
97803 Lohr, Germany
Bgm.-Dr.-Nebel-Str. 2
97816 Lohr, Germany
Phone +49 93 52-40-50 60
Fax +49 93 52-40-49 41
service.svc@boschrexroth.de
www.boschrexroth.com

R911297838

Printed in Germany
DOK-INDRV*-SI*-VRS**-FK01-EN-P