Rexroth IndraDrive Integrated Safety Technology Edition 01 Rexroth/Drives/Indradrive... · Rexroth...

R911297838Edition 01

Rexroth IndraDriveIntegrated Safety Technology

Functional and Application Description

IndustrialHydraulics

Electric Drivesand Controls

Linear Motion andAssembly Technologies Pneumatics

ServiceAutomation

MobileHydraulics

About this Documentation Integrated Safety Technology

DOK-INDRV*-SI*-VRS**-FK01-EN-P

Rexroth IndraDrive

Integrated Safety Technology

Functional and Application Description


Document Number, 120-2400-B308-01/EN

This documentation is used to

• make oneself familiar with the subject of "Integrated SafetyTechnology",

• get to know the IndraDrive system with integrated safety technology,

• employ and commission application-related safety functions,

• enable you to recognize and fix errors and

• enable you to replace the hardware and update the firmware.

Description ReleaseDate

Notes

DOK-INDRV*-SI*-VRS**-FK01-EN-P 03.2004 First edition

2004 Bosch Rexroth AG

Copying this document, giving it to others and the use or communicationof the contents thereof without express authority, are forbidden. Offendersare liable for the payment of damages. All rights are reserved in the eventof the grant of a patent or the registration of a utility model or design(DIN 34-1).

The specified data is for product description purposes only and may notbe deemed to be guaranteed unless expressly confirmed in the contract.All rights are reserved with respect to the content of this documentationand the availability of the product.

Bosch Rexroth AGBgm.-Dr.-Nebel-Str. 2 • D-97816 Lohr a. Main

Telephone +49 (0)93 52/40-0 • Tx 68 94 21 • Fax +49 (0)93 52/40-48 85

http://www.boschrexroth.com/

Dept. ED

This document has been printed on chlorine-free bleached paper.

Title

Type of Documentation

Document Typecode

Internal File Reference

Purpose of Documentation

Record of Revisions

Copyright

Validity

Published by

Note

Integrated Safety Technology About this Documentation


Title Type of documentation Document typecode Part number

Rexroth IndraDrive MDrive ControllersPower Section

Project Planning Manual DOK-INDRV*-HMS+HMD****-PR01-EN-P R911295014

Rexroth IndraDriveDrive ControllersControl Section

Project Planning Manual DOK-INDRV*-CSH********-PR01-EN-P R911295012

ElectromagneticCompatibility (EMC) inDrive and Systems

Project Planning Manual DOK-GENERL-EMV********-PR02-EN-P R911259814

Rexroth IndraDriveDrive Controllers

Parameter Description DOK-INDRV*-GEN-**VRS**-PA01-EN-P R911297317

Rexroth IndraDriveDrive Controllers

Troubleshooting Guide DOK-INDRV*-GEN-**VRS**-WA01-EN-P R911297319

Fig.: Further documentations

About this Documentation Integrated Safety Technology


Notes

Integrated Safety Technology Contents I


Contents

1 What is "Integrated Safety Technology"? 1-1

1.1 Product Presentation..................................................................................................................... 1-1

2 Safety Instructions for Electric Drives and Controls 2-1

2.1 Introduction ................................................................................................................................... 2-1

2.2 Explanations.................................................................................................................................. 2-2

2.3 Hazards by Improper Use ............................................................................................................. 2-3

2.4 General Information ...................................................................................................................... 2-3

2.5 Protection Against Dangerous Movements .................................................................................. 2-5

3 Important directions for use 3-1

3.1 Appropriate use............................................................................................................................. 3-1

Introduction .............................................................................................................................. 3-1

Areas of use and application.................................................................................................... 3-2

3.2 Inappropriate use .......................................................................................................................... 3-2

4 Safety Technology Fundamentals 4-1


4.2 Hazard Analysis and Risk Management ....................................................................................... 4-1

4.3 Safety-Relevant Standards and Regulations................................................................................ 4-3

Standards Relevant to Components........................................................................................ 4-3

Standards Relevant to Machines............................................................................................. 4-3

Overview of the Required Safety Categories in C Standards.................................................. 4-4

4.4 Definition of Terms........................................................................................................................ 4-4

5 Drive System with Safety Related Starting Lockout 5-1


5.2 Safety Function ............................................................................................................................. 5-1

Safety Related Starting Lockout .............................................................................................. 5-1

5.3 Forced Dynamization .................................................................................................................... 5-2

5.4 Command Value Selection Requirements.................................................................................... 5-2

5.5 Selecting the Starting Lockout ...................................................................................................... 5-2

5.6 Examples of Application................................................................................................................ 5-3

6 Drive System with Integrated Safety Functions 6-1

6.1 Basic Structure.............................................................................................................................. 6-1

Comparison with Conventional Safety Technology ................................................................. 6-2

6.2 Overview of Safety Functions ....................................................................................................... 6-3

II Contents Integrated Safety Technology


"Safety Related Stopping Process" Safety Functions.............................................................. 6-4

Safely Monitored Shutdown..................................................................................................... 6-6

Safety Related Homing Procedure (via Two Channels) .......................................................... 6-6

Safety Function "Movement with Safety Related Speed"........................................................ 6-8

"Safety Related Feedback" Safety Functions ........................................................................ 6-10

6.3 I/O Reaction Times ..................................................................................................................... 6-12

6.4 Functional Principle of Integrated Safety Technology ................................................................ 6-12

Dual-Channel Structure ......................................................................................................... 6-13

Cross Data Comparison......................................................................................................... 6-14

Dynamization ......................................................................................................................... 6-15

6.5 Demands on the Controls ........................................................................................................... 6-15

6.6 Activating the Safety Functions................................................................................................... 6-16

6.7 Feedback, Status (Safe/Unsafe) to Peripherals ......................................................................... 6-20

Safe Feedback to a Safety PLC............................................................................................. 6-21

Safety Related Control of a Door Locking Device ................................................................. 6-22

6.8 Examples of Application.............................................................................................................. 6-24

Overall View........................................................................................................................... 6-24

Selecting Normal/Special Mode with Position Monitoring of a Safety Door with DoorLocking Device....................................................................................................................... 6-25

Enabling Control with Three Settings .................................................................................... 6-27

Command Device with Automatic Reset (Safety Related Jog Button) .................................. 6-28

Temporary Inspections or Visual Checks in the Danger Zone .............................................. 6-29

Working When Drive is without Torque/Force ....................................................................... 6-31

Drive Groups for Different Danger Zones .............................................................................. 6-35

Safety Related Activation of the Locking Device of Several Protective Doors ...................... 6-37

7 Commissioning Safety Technology 7-1


7.2 Commissioning the Drive with Safety Technology Inactive .......................................................... 7-1

7.3 Commissioning Safety Technology............................................................................................... 7-2

Entering a Safety Technology Device Identifier....................................................................... 7-2

Selecting the Required Safety Functions................................................................................. 7-2

Specifying/Programming the Required Input Signals to Select the Safety Functions............. 7-2

Specifying/Programming the Required Output Signals for Feedback of SafetyFunctions.................................................................................................................................. 7-3

Setting the Safety Function Parameters .................................................................................. 7-4

7.4 Setting the System Behavior......................................................................................................... 7-6

7.5 Activating Safety Technology........................................................................................................ 7-6

Safety Parameter Plausibility Check........................................................................................ 7-6

Synchronizing the System Memory and Storing the New Parameters.................................... 7-7

Completing Commissioning ..................................................................................................... 7-7

7.6 The Safety System in Parameterization Mode and After Initialization.......................................... 7-7

7.7 Deactivating Safety Technology ................................................................................................... 7-8

7.8 Modification Status and Modification History ................................................................................ 7-8

8 Acceptance Test 8-1

8.1 Acceptance Procedure.................................................................................................................. 8-1

Integrated Safety Technology Contents III


Complete Acceptance Test...................................................................................................... 8-1

Partial Acceptance Test ........................................................................................................... 8-1

8.2 Checklist for Acceptance Test ...................................................................................................... 8-1

9 Error Messages, Warnings and Error Elimination 9-1

9.1 Firmware Code.............................................................................................................................. 9-1

9.2 Errors ............................................................................................................................................ 9-1

9.3 Warnings in Operating Mode "Normal Operation" ........................................................................ 9-1

9.4 Status Messages........................................................................................................................... 9-2

9.5 Modification Status of the Safety Memory .................................................................................... 9-2

9.6 Tracing the Modification History.................................................................................................... 9-2

10 Firmware Update, Replacing the Power and Control Sections 10-1

10.1 Firmware Update......................................................................................................................... 10-1

10.2 Replacing the Power Section...................................................................................................... 10-1

10.3 Replacing the Control Section .................................................................................................... 10-1

11 Declaration of Conformity and Mark Certificate 11-1

11.1 "Starting Lockout" Optional Module ............................................................................................ 11-1

11.2 "Safety Technology I/O" Optional Module................................................................................... 11-3

12 Index 12-1

IV Contents Integrated Safety Technology


Integrated Safety Technology What is "Integrated Safety Technology"? 1-1


1 What is "Integrated Safety Technology"?

1.1 Product Presentation

The control sections of the IndraDrive drive range can be equipped with a"Starting lockout" optional module or a "Safety technology I/O" optionalmodule. In this way, IndraDrive is equipped with integrated safetytechnology, which provides the user with an electronic starting lockout aswell as a universally programmable monitor for safety relatedmotion/stopping process.

"Integrated safety technology" refers to application-related safetyfunctions that are applicable for personal protection on machines inaccordance with EN 954 category 3.

The "Starting lockout" optional module provides the following application-related safety function:

• Safety related starting lockout (stop category 0 according toEN 60204-1).

The "Safety technology I/O" optional module provides the followingapplication-related safety functions:

• Safety related standstill (stop category 1 according to EN 60204-1).

• Safety related operational stop (stop category 2 according toEN 60204-1).

• Safety related drive interlock (stop category 1 according to EN 60204-1).

• Safely monitored stopping (for functions "Safety related standstill","Safety related operational stop", "Safety related drive interlock")

• Safety related reduced speed

• Safety related limited maximum velocity

• Safely monitored acceleration/deceleration ramp (in preparation)

• Safety related limited increment

• Safety related direction of motion

• Safety related limited absolute end position (in preparation)

• Safety related homing (required for "Safety related limited absoluteposition"

• Safety related limited absolute position (in preparation)

• Safety related diagnostic outputs

• Safety related control of a door locking device

• Safety related brake management (in preparation)

The safety functions can be selected via 24 V inputs on the drivecontroller.

The safety technology has been tested and certified by an EU prototypetest of the SIBE Switzerland certification authority (http://www.sibe.ch)(see "Declaration of Conformity and Mark Certificate").

1-2 What is "Integrated Safety Technology"? Integrated Safety Technology


The integrated safety technology is independent of the kind of mastercommunication, the higher-level control unit and the supply modules. It isavailable as an optional module for the standard drive system. Thefollowing requirements can be implemented in the machine or system:

• Measures according to EN 292-2 if accessing the danger zone isrequired; for example, for equipping, teaching or material withdrawal.

• Requirements for safety-related parts of control units in accordancewith EN 954-1 Category 3, as stipulated in EN 1010-1 (printing andpaper processing machines), EN 12415 (turning machines) andEN 12417 (machining centers).

• Control functions in the case of an error according to EN 60204-1 (see"Using Diversity").

Integrated Safety Technology Safety Instructions for Electric Drives and Controls 2-1


2 Safety Instructions for Electric Drives and Controls

2.1 Introduction

WARNING

Dangerous movements! Danger to life, dangerof injury, severe bodily injury or propertydamage!⇒ This documentation is only intended for information.⇒ For commissioning the safety technology or carrying

out an acceptance test, this documentation is notcomplete and does not contain all relevant andrequired data.

Read these instructions before the initial startup of the equipment in orderto eliminate the risk of bodily harm or material damage. Follow thesesafety instructions at all times.

Do not attempt to install or start up this equipment without first reading alldocumentation provided with the product. Read and understand thesesafety instructions and all user documentation of the equipment prior toworking with the equipment at any time. If you do not have the userdocumentation for your equipment, contact your local Bosch Rexrothrepresentative to send this documentation immediately to the person orpersons responsible for the safe operation of this equipment.

If the equipment is resold, rented or transferred or passed on to others,then these safety instructions must be delivered with the equipment.

WARNING

Improper use of this equipment, failure to followthe safety instructions in this document ortampering with the product, including disablingof safety devices, may result in materialdamage, bodily harm, electric shock or evendeath!

2-2 Safety Instructions for Electric Drives and Controls Integrated Safety Technology


2.2 Explanations

The safety instructions describe the following degrees of hazardseriousness. The degree of hazard seriousness informs about theconsequences resulting from non-compliance with the safety instructions.

Warning symbol with signalword

Degree of hazard seriousness accordingto ANSI Z 535

DANGER

Death or severe bodily harm will occur.

WARNING

Death or severe bodily harm may occur.

CAUTION

Bodily harm or material damage may occur.

Fig. 2-1: Hazard classification (according to ANSI Z 535)



2.3 Hazards by Improper Use

DANGER

Dangerous movements! Danger to life, severebodily harm or material damage byunintentional motor movements!

2.4 General Information

• Bosch Rexroth AG is not liable for damages resulting from failure toobserve the warnings provided in this documentation.

• Read the operating, maintenance and safety instructions in yourlanguage before starting up the machine. If you find that you cannotcompletely understand the documentation for your product, please askyour supplier to clarify.

• Proper and correct transport, storage, assembly and installation aswell as care in operation and maintenance are prerequisites foroptimal and safe operation of this equipment.

• Only persons who are trained and qualified for the use and operationof the equipment may work on this equipment or within its proximity.

• The persons are qualified if they have sufficient knowledge of theassembly, installation and operation of the equipment as well as anunderstanding of all warnings and precautionary measures noted inthese instructions.

• Furthermore, they must be trained, instructed and qualified toswitch electrical circuits and equipment on and off in accordancewith technical safety regulations, to ground them and to mark themaccording to the requirements of safe work practices. They musthave adequate safety equipment and be trained in first aid.

• Only use spare parts and accessories approved by the manufacturer.

• Follow all safety regulations and requirements for the specificapplication as practiced in the country of use.

• The equipment is designed for installation in industrial machinery.

• The ambient conditions given in the product documentation must beobserved.

• Use only safety features and applications that are clearly and explicitlyapproved in the Project Planning Manual.For example, the following areas of use are not permitted: constructioncranes, elevators used for people or freight, devices and vehicles totransport people, medical applications, refinery plants, transport ofhazardous goods, nuclear applications, applications sensitive to highfrequency, mining, food processing, control of protection equipment(also in a machine).



• The information given in the documentation of the product with regardto the use of the delivered components contains only examples ofapplications and suggestions.The machine and installation manufacturer must

• make sure that the delivered components are suited for hisindividual application and check the information given in thisdocumentation with regard to the use of the components,

• make sure that his application complies with the applicable safetyregulations and standards and carry out the required measures,modifications and complements.

• Startup of the delivered components is only permitted once it is surethat the machine or installation in which they are installed complieswith the national regulations, safety specifications and standards of theapplication.

• Operation is only permitted if the national EMC regulations for theapplication are met.The instructions for installation in accordance with EMC requirementscan be found in the documentation "EMC in Drive and ControlSystems".The machine or installation manufacturer is responsible forcompliance with the limiting values as prescribed in the nationalregulations.

• Technical data, connections and operational conditions are specified inthe product documentation and must be followed at all times.



2.5 Protection Against Dangerous Movements

Dangerous movements can be caused by faulty control of the connectedmotors. Some common examples are:

• improper or wrong wiring of cable connections

• incorrect operation of the equipment components

• wrong input of parameters before operation

• malfunction of sensors, encoders and monitoring devices

• defective components

• software or firmware errors

Dangerous movements can occur immediately after equipment isswitched on or even after an unspecified time of trouble-free operation.

The monitoring in the drive components will normally be sufficient to avoidfaulty operation in the connected drives. Regarding personal safety,especially the danger of bodily injury and material damage, this alonecannot be relied upon to ensure complete safety. Until the integratedmonitoring functions become effective, it must be assumed in any casethat faulty drive movements will occur. The extent of faulty drivemovements depends upon the type of control and the state of operation.

DANGER

Dangerous movements! Danger to life, risk ofinjury, severe bodily harm or material damage!⇒ Ensure personal safety by means of qualified and

tested higher-level monitoring devices or measuresintegrated in the installation. Unintended machinemotion is possible if monitoring devices are disabled,bypassed or not activated.

⇒ Pay attention to unintended machine motion or othermalfunction in any mode of operation.

⇒ Keep free and clear of the machine’s range of motionand moving parts. Possible measures to preventpeople from accidentally entering the machine’s rangeof motion:

- use safety fences

- use safety guards

- use protective coverings

- install light curtains or light barriers

⇒ Fences and coverings must be strong enough toresist maximum possible momentum, especially ifthere is a possibility of loose parts flying off.

⇒ Mount the emergency stop switch in the immediatereach of the operator. Verify that the emergency stopworks before startup. Don’t operate the machine if theemergency stop is not working.

⇒ Isolate the drive power connection by means of anemergency stop circuit or use a starting lockout toprevent unintentional start.



⇒ Make sure that the drives are brought to a safestandstill before accessing or entering the dangerzone. Safe standstill can be achieved by switching offthe power supply contactor or by safe mechanicallocking of moving parts.

⇒ Secure vertical axes against falling or dropping afterswitching off the motor power by, for example:

- mechanically securing the vertical axes

- adding an external braking/ arrester/ clampingmechanism

- ensuring sufficient equilibration of the vertical axes

The standard equipment motor brake or an externalbrake controlled directly by the drive controller arenot sufficient to guarantee personal safety!

⇒ Disconnect electrical power to the equipment using amaster switch and secure the switch againstreconnection for:

- maintenance and repair work

- cleaning of equipment

- long periods of discontinued equipment use

⇒ Prevent the operation of high-frequency, remotecontrol and radio equipment near electronics circuitsand supply leads. If the use of such equipment cannotbe avoided, verify the system and the installation forpossible malfunctions in all possible positions ofnormal use before initial startup. If necessary, performa special electromagnetic compatibility (EMC) test onthe installation.

WARNING

Injury and/or property damage caused bydeviation from standstill position!Even if the control of the power section has been safelylocked, momentary axis motion, depending on thenumber of poles of the motor, can be triggered, whenthree errors are occurring simultaneously in the powersection with the voltage DC bus being active:

• breakdown of a power semiconductor

• breakdown of another semiconductor

• In this case two of six semiconductors are affected insuch a way that the motor shaft is aligning

Example synchronous motor: For a 6-pole synchronousmotor the motion can be a maximum of 30 degrees. Fora directly driven ballscrew, e.g. 20 mm per revolution, thiscorresponds to a one-time maximum linear motion of1.67 mm.

When an asynchronous motor is used, the short circuitsin two separate circuits of the power section have almostno effect because the exciter field breaks down when theinverter is shut down and has completely died down afterapprox. 1 s.



DANGER

Lethal injury and/or property damage caused bycoasting motors!If a danger zone has not been protected by a separatingprotective device with locking device and if drive enableis removed when the energy supply is interrupted (e.g.actuating E-Stop), axes cannot be safely shut down; i. e.motors are coasting in an uncontrolled way.

Integrated Safety Technology Important directions for use 3-1


3 Important directions for use

3.1 Appropriate use

IntroductionRexroth products represent state-of-the-art developments andmanufacturing. They are tested prior to delivery to ensure operating safetyand reliability.

The products may only be used in the manner that is defined asappropriate. If they are used in an inappropriate manner, then situationscan develop that may lead to property damage or injury to personnel.

Note: Bosch Rexroth AG, as manufacturer, is not liable for anydamages resulting from inappropriate use. In such cases, theguarantee and the right to payment of damages resulting frominappropriate use are forfeited. The user alone carries allresponsibility of the risks.

Before using Rexroth products, make sure that all the pre-requisites foran appropriate use of the products are satisfied:

• Personnel that in any way, shape or form uses our products must firstread and understand the relevant safety instructions and be familiarwith appropriate use.

• If the product takes the form of hardware, then they must remain intheir original state, in other words, no structural changes arepermitted. It is not permitted to decompile software products or altersource codes.

• Do not mount damaged or faulty products or use them in operation.

• Make sure that the products have been installed in the mannerdescribed in the relevant documentation.

3-2 Important directions for use Integrated Safety Technology


Areas of use and applicationDrive controllers made by Rexroth are designed to control electricalmotors and monitor their operation.

Control and monitoring of the motors may require additional sensors andactors.

Note: The drive controllers may only be used with the accessoriesand parts specified in this document. If a component has notbeen specifically named, then it may not be either mounted orconnected. The same applies to cables and lines.

Operation is only permitted in the specified configurations andcombinations of components using the software and firmwareas specified in the relevant function descriptions.

Every drive controller has to be programmed before starting it up, makingit possible for the motor to execute the specific functions of an application.

The drive controllers of the IndraDrive family are designed for use insingle or multiple-axis drive and control applications.

To ensure an application-specific use, the drive controllers are availablewith differing drive power and different interfaces.

Typical applications of drive controllers belonging to the IndraDrive familyare:

• handling and mounting systems,

• packaging and foodstuff machines,

• printing and paper processing machines,

• machine tools and

• wood processing machines

The drive controllers may only be operated under the assembly,installation and ambient conditions as described here (temperature,system of protection, humidity, EMC requirements, etc.) and in theposition specified.

3.2 Inappropriate use

Using the drive controllers outside of the above-referenced areas ofapplication or under operating conditions other than described in thedocument and the technical data specified is defined as “inappropriateuse".

Drive controllers may not be used if

• they are subject to operating conditions that do not meet the abovespecified ambient conditions. This includes, for example, operationunder water, in the case of extreme temperature fluctuations orextremely high maximum temperatures or if

• Bosch Rexroth AG has not specifically released them for thatintended purpose. Please note the specifications outlined in thegeneral safety instructions!

Integrated Safety Technology Safety Technology Fundamentals 4-1


4 Safety Technology Fundamentals


The operational safety of a machine depends largely upon the extent ofhazardous motions generated by this machine. In Normal mode (alsocalled Production mode or Automatic mode) of a machine, protectivedevices prevent personnel from accessing danger zones. Protectivedevices also prevent parts from being ejected outwards.

In the Special mode of machines and installations (also called Manualmode or Setup mode), it is often necessary for operators to accessdanger zones when it is impossible to de-energize the entire installation.In such situations, machine operators must be protected by mechanismsinternal to the drive and the control unit.

The integrated Rexroth safety technology offers the user therequirements, on the control unit and drive side, for implementingfunctions of personal and machine protection with a minimum of planningand installation work required. Compared to conventional safetytechnology, integrated safety technology considerably increases thefunctionality and uptime of the machine.

4.2 Hazard Analysis and Risk Management

Before he is allowed to put a machine into circulation, the manufacturer ofthe machine has to carry out a hazard analysis according to the98/37/EWG Machinery Directive in order to determine the hazardsassociated with the use of the machine. In order to attain a degree ofsafety that is as high as possible, the manufacturer must implement thefollowing fundamentals, in the order given, in the selection of solutions:

1. eliminate or minimize the hazards due to construction measures,

2. take the required protective measures against hazards that cannot beeliminated and

3. document the remaining risks and inform the user of these risks.

The hazard analysis is a multilevel, iterative process. The process isdescribed in detail in EN 1050 [4] – Guidelines for risk management.Within the scope of this documentation, it is possible to provide only avery short overview of the subject of hazard analysis. The user ofintegrated safety technology therefore has to familiarize himself with thestandards and legal status.

The hazard analysis carried out provides you the requirements fordetermining the category for safety-related control units according toEN 954 1, with which the safety-related parts of the machine control mustcomply. For more information about the categories, other than thestandard itself, see the Z document of the Swiss SIBE certificationauthority (http://www.sibe.ch or via email to [email protected]) "Classificationof Controls, Explanations Regarding Risk Management and EN 954-1"Z9714dVers03.

The safety-related parts of the IndraDrive drive range with the "Integratedsafety technology" option satisfy category 3 of EN 954-1.

The certification of optional modules "Starting lockout" and "Safetytechnology I/O" by the accredited Swiss SIBE certification authorityensures the user that the solution satisfies the technical requirements. Inaddition, the safety functions that are implemented in this manner usingthe IndraDrive drive range do not have to be scrutinized further.

4-2 Safety Technology Fundamentals Integrated Safety Technology


Category 1) Short description of requirements System behavior 2) Principles for attainingsafety

B The safety-related parts of control unitsand/or their protective devices, as well astheir components, must be designed,constructed, selected, assembled andcombined, according to the respectivestandards, in such a way that they canresist the influences to be expected.

An error occurring cancause the safety function tobe lost.

Predominantlycharacterized by selectionof components.

1 Requirements of category B must befulfilled.

Proved components and proved safetyprinciples must be used.

An error occurring cancause the safety function tobe lost, but it is lessprobable that an erroroccurs than in category B.

Predominantlycharacterized by selectionof tested components.

2 The requirements of B and the use ofproved safety principles must be fulfilled.

In appropriate intervals, the safetyfunction must be checked by the machinecontrol unit.

An error occurring cancause the safety function tobe lost between the pointsof time the safety function ischecked. The loss of thesafety function isrecognized by the check.

Predominantlycharacterized by selectionof tested components andby testing the safetyfunctions using the control.

The tests can be startedautomatically or manually.


Safety-related parts must be designed insuch a way that a single error in each ofthose parts does not cause the safetyfunction to be lost and that single errorsare recognized whenever this can beimplemented in an appropriate way.

When a single error occurs,the safety function is alwaysmaintained. Some but notall errors are recognized.An accumulation ofunrecognized errors cancause the safety function tobe lost.

Predominantlycharacterized by thestructure.

An accumulation ofunrecognized errors cancause the safety function tobe lost.


Safety-related parts must be designed insuch a way that an individual error in eachof those parts does not cause the safetyfunction to be lost and that the individualerror is recognized at or before the nextrequirement of the safety function. If thisis impossible, an accumulation of errorsmustn’t cause the safety function to belost.

When errors occur, thesafety function is alwaysmaintained.

The errors are recognizedin time in order to preventthe safety function frombeing lost.

Predominantlycharacterized by thestructure.

All errors are discovered ontime; no accumulation ofundetected errors.

1): The categories are not destined to be used in any given sequence orhierarchical order with regard to the safety-related requirements.

2): The risk management will show whether the total or partial loss of the safetyfunction(s) due to errors can be accepted.

Fig. 4-1: Summary of requirements for safety categories (excerpt fromEN 954-1: 1996, section 6)



4.3 Safety-Relevant Standards and Regulations

The user can find a short overview of the relevant standards for the use ofsafety-related control units below. As regards the relevant standards, thisdocumentation does not claim completeness.

Standards Relevant to Components

Product group Standard Title Date of issue

Electric drives pr EN 61800-5-2) Adjustable Speed Electrical Power DriveSystems, Part 5-2: Functional SafetyRequirements

200x

Simple controls EN 954-1 Safety of Machinery, Safety-Related Parts ofControl Systems

1996

Complex controls IEC 61508-1 toIEC 61508-7

Functional SafetySafety Systems

1998 to2000

Fig. 4-2: Standards relevant to components

Standards Relevant to Machines

Standard Title Date of issue

EN 60204-1 Safety of Machinery,Electric Equipment of Machines

1998

EN 292-1 and -2 Safety of Machinery,Basic Concepts, General Principles for Design

2000

EN 1050 Safety of Machinery, Directives for Risk Management 1996

EN 954-1 Safety of Machinery,Safety-Related Parts of Control Systems

1996

EN 1921 Safety of Integrated Manufacturing Systems 1996

EN 775 Manipulating industrial robots: safety 1993

EN 1037 Safety of Machinery,Prevention of Unexpected Start-Up

1995

DIN V VDE 0801 Principles for Microcomputers in Systems with Safety Applications 1990

EN 12415 Machine Tools – Safety – Small Numerically Controlled Turning Machinesand Turning Centres

2000

EN 12417 Machine Tools – Safety – Machining Centres 2001

EN 1010-1 Safety of Machinery,Safety Requirements for Construction of Printing and Paper ProcessingMachines

1993

DraftIEC 62061

Safety of Machinery,Electrical, Electronic and Programmable Electronic Control Systems

200x

prEN 848-3 Safety of Wood Processing Machines 200x

EN 999 Safety of Machinery,The positioning of protective equipment in respect of approach speed ofparts of the human body

1998

EN 1088 Safety of Machinery,Interlocking devices associated with guards - Principles for design andselection

1995

Fig. 4-3: Standards relevant to machines



Overview of the Required Safety Categories in C StandardsBelow you find an overview of the required safety categories for safety-related parts of control units in C standards.

EN 12417

Processingcenters

EN 12415

Automaticlathes

EN 1010

Printingand paperprocessingmachines

EN 775

Industrialrobots

EN 1921

Automatedmanufacturingsystems

prEN 848-3

Woodprocessingmachines

Enabling control Category 3 Category 3 - Category 3 Category 3 Category 3

Category 3 Category 3 Category 3 Category 3 Category 3 Category 3Speed reduction,incl. protectionagainst unexpectedstart-up (n=0)

Category B andenablingcontrol device



Category 3 Category 3 Category 3 Category 3 Category 3 Category 3(electronic)

Locking of protectiveequipment

Category 1 formaintenancedoors

Category 1(with contacts)

Limitation of endpositions

- - Category 3 Category 3 -


Category 1(withcontacts)

acc. toEN 60204-1


Emergency stop

Category 3(electronic)


Category 3

acc. toEN 60204-1


Fig. 4-4: Requirements for safety-related control units in C standards

Note: Standards EN 775 and EN 1921 do not contain any directreference to EN 954-1; the requirements, however, can becompared to those of this standard.

4.4 Definition of Terms

With regard to safety technology, an electric drive system is the total ofhardware and software components that have an influence on thesequence of motions of the machine. The electric drive system consists,for example, of drive controllers, plug-in control units, supply modules,motors and encoders. When errors occur in operation, they are detectedin time and the drive goes to a safe status.

"Integrated safety technology" includes the hardware and softwarefeatures that allow safety-relevant drive functions to be made available. Amaximum of safety for persons and machines can therefore be madeavailable. Integrated safety technology is state-of-the-art for safety-relatedcontrol units of category 3 according to EN 954-1 in the field of highly-dynamic drives.

In connection with drive functions (e.g. Safety related standstill, Safetyrelated reduced speed, etc.), "safety related" means that the behavior ofthe control unit parts in the case of errors complies with the requirementsaccording to EN 954-1 category 3. An error does not lead to loss ofsafety. Errors must be detected in time; the drive goes to a safe status.

The stopping process is the decrease of motion until standstill is reached.The process starts when the signal for the stopping process is releasedand ends when the motion has come to a standstill.

Electric drive system

Integrated safety technology

Safety related

Stopping process



Standstill is the status in which the mechanical component is at rest andthe drive is no longer supplied with energy; it is torque-free or force-free.

Operational stop is the status in which the mechanical component is keptat rest and the drive is supplied with energy; it is with torque or with force.

In function "Reduced speed", control-related measures are used to limitthe speed values that have been prescribed manually or using a program.

The use of the "Safety related reduced speed" measure implies that aperson can escape the danger caused by hazardous motions in time. Ingeneral, this can be supposed if the resulting speed does not exceed15 m/min in the case of hazardous motions without the danger of bruisingand cutting, and 2 m/min in the case of hazardous motions with thedanger of bruising and cutting.

In accordance with the Machinery Directive (98/37/EG), the machinemanufacturer has to carry out hazard analysis and then risk management.With these data, the values for reduced velocities have to be determined.

The following list contains guide values for different types of machines(excerpt from standards and working papers on safety measures forSpecial mode). The abbreviation "SS" stands for "Safety related reducedspeed" and abbreviation "SI" stands for "Safety related reducedincrement".

Machining centers

• Axes: SS=2 m/min + jog switch

• Spindle: SS=nn rpm + jog switch + enabling control device (selectnn in such a manner that a standstill is attained after 2 rpm)

Automatic lathes

• Axes: SS=2 m/min + jog switch, SI=6 mm + jog switch

• Spindle: SS=50 rpm (1 rot/s) + jog switch + enabling control device

Drilling and milling machines

• Axes: SS=2 m/min + jog switch

• Spindle: SS=nn rpm + jog switch + enabling control device (selectnn in such a manner that a standstill is attained after 2 rpm)

Robots

• SS=15 m/min + jog switch

Automated manufacturing systems

• SS=2 m/min (15 m/min) + jog switch + emergency stop

Printing and paper processing machines

• General: SI=25 mm+ jog switch – or –SS=5 m/min (max. 10 m/min) + jog switch

• "In particular": SI=75 mm+ jog switch – or –SS=5 m/min (max. 10 m/min) + jog switch

The limited increment is a change in position; it starts in standstill, aspecified distance/angle is traveled and it ends in standstill.

The limited absolute position is the absolute position at which a motionmust have come to standstill.

The jog switch is a control device that requires continuous activation ofthe control element in order to enable motion. The jog switch is acommand switch with automatic reset.

The enabling control is an additional manually activated command device.It is used in connection with a start control (jog switch) which requirescontinuous activation to permit movement.

The enabling control is a command switch with automatic reset. Anenabling control can be a command device with 2 or 3 positions; thecommand system with 3 positions is preferable.

Standstill

Operational stop

Reduced speed

Safety related reduced speed

Limited incremental dimension

Limited absolute position

Jog switch

Enabling control



A separating protective device is the part of a machine that is used as akind of physical barrier for protecting people. Depending on its design, theseparating protective device can be a housing, a cover, a screen, a door,a shell, etc.

The locked separating protective device with locking device guaranteesthat:

• the hazardous machine functions against which the protectiveequipment provides protection can be executed only when theprotective equipment is closed and locked,

• the separating protective device remains closed and locked, even if astop command was activated, until the risk of injury caused byhazardous machine functions is past, and

• the endangering machine functions, with the protective device closedand locked, can be carried out but are not activated just by closing theseparating protective device.

The operating mode switch determines the operating mode relevant forsafe operation, such as:

• Normal mode (Production mode, Automatic mode, etc.) and

• Special mode (Manual mode, tool or workpiece changing and cleaningprocedure, as long as movement is required)

The selected kind of control has to be on a higher level than all othercontrol functions except for the one for the emergency command device.The operating mode switch can be replaced by other means of selectionwhich allow only certain groups of operators to carry out certain machinefunctions (e.g. access code for certain numerical control functions etc.).Each position of the operating mode switch may correspond to only onecontrol or operating mode. (For details, see Machinery Directive98/37/EG, Appendix I, Section 1.2.5.)

• Category 0: Stopping by immediately switching off the power to thedrives.

• Category 1: Controlled stopping, whereby the power to the drives iscontinued in order to achieve stopping. The power is interrupted onlyafter the standstill has been attained.

• Category 2: Controlled stopping where the power to the drives iscontinued.

Separating protective device(EN 292-1)

Locked separating protectivedevice with locking device

(EN 292-1)

Operating mode switch

Stop categories according toEN 60204-1

Integrated Safety Technology Drive System with Safety Related Starting Lockout 5-1


5 Drive System with Safety Related Starting Lockout


Optional module "Starting lockout" has 24 V inputs for selection using twochannels and a potential-free changeover contact (all 3 connectionsaccessible) for dual-channel feedback.

Note: For the connection conditions and the technical data of theoptional module, please see the Project Planning Manual forthe controller.

5.2 Safety Function

The safety function is implemented for personal protection in accordancewith EN 954 category 3.

Safety Related Starting LockoutThe "Safety related starting lockout" corresponds to stop category 0according to EN 60204-1.

In the "Safety related starting lockout" safety function, the power supply tothe drive is safely interrupted. The drive cannot produce any torque/forceand therefore any hazardous movements. It is selected via two channels,either with a break-contact/make-contact combination or a break-contact/break-contact combination.

When the starting lockout is active, "AS" is shown on the display of theIndraDrive controller operating panel.

Note: Before selecting the starting lockout, the drive system must bebrought to a standstill using the command value selection!

DANGER

Lethal injuries and/or damage to materialcaused by unintended axis motion!⇒ If external force influences are to be expected with

the "the safety related starting lockout" safetyfunction, e.g. in the case of a vertical axis, thismotion has to be safely prevented by additionalmeasures, e.g. a mechanical brake or weightcompensation.

5-2 Drive System with Safety Related Starting Lockout Integrated Safety Technology


5.3 Forced Dynamization

The goal of forced dynamization is to detect static error conditions, so-called "sleeping errors" during selection and in the interrupting circuits.Both the control section in standard design and the option "startinglockout" have their own interrupting circuits.

Note: Manual dynamization is required after switching on the drivesystem and within e.g. 8 hours (activate the starting lockout).

After the drive control is started, a life counter starts. The life counter isreset each time that the starting lockout is selected. When the life counterexpires, a warning requesting that forced dynamization be carried out(activate the starting lockout) is sent to the higher-level control.

P-0-0103, Time interval of forced dynamization can be used to set thetime interval for the life counter. When the time interval is exceeded, thedrive generates warning E3110 Time interval for forced dynamizationexceeded.

The operating hours of the power section for which the "starting lockout"function was selected the last time are saved in parameter P-0-0102,Oper. hours power section at last activat. of start. lockout.

A history of the time intervals set by the user in P-0-0103, Time intervalfor forced dynamization is stored in parameter P-0-0104, Changehistory time interval of forced dynamization.

5.4 Command Value Selection Requirements

Note: Before selecting the starting lockout, the drive system must bebrought to a standstill using the command value selection!

The "Safety related starting lockout" corresponds to stop category 0according to EN 60204-1.

If the starting lockout is selected at the same time that the drive isenabled, the drive generates error F8027 Starting lockout while driveenabled.

5.5 Selecting the Starting Lockout

The starting lockout is selected using two channels, either with a switchwith two break contacts or one break/make contact on each 9-pin D-Subplug on the optional module.

Selection using break contacts or break/make contacts can be configuredin parameter P-0-0101, Configuration for starting lockout selector.

The plausibility of the selection signals is checked by the firmware. If thestate is not permitted, the drive generates error F3130 Error whenchecking input signals.

One channel from the switch can be guided via the PLC I/O; the secondchannel should then be connected directly to the safety technologyoptional module.

Both channels from the switch can be guided via I/Os of a safety relatedPLC.

Both channels can be guided via the safety contacts of a door monitoringmodule. A potential-free contact is available for the feedback to themonitoring module.



Note: For applications of category 3 according to EN 954-1, guidingboth channels via a standard PLC is not permitted!

5.6 Examples of Application

��

��

�

��

��

��

��

��

��

��

� �

��

��

��

��

� ��

DF0048v3.EPS

For information about F1*, see switch contacts S1/S2Fig. 5-1: Selecting the starting lockout using switches with break/make

contacts

��

��

�

��

��

��

��

��

��

��

� �

��

��

��

��

� ��

DF0049v3.EPS

For information about F1*, see switch contacts S1/S2Fig. 5-2: Selecting the starting lockout using switches with two break contacts



��

��

�

��

��

��

��

��

��

��

��

� �

��

��

�� !�� "��

#�� #��

�$��

��

� ��

�� "�% ��$

DF0050v2.EPS

For information about F1*, see switch contacts of safety moduleFig. 5-3: Selecting the starting lockout using a safety module



Note: According to EN 954-1, the signal processing of a standardPLC must be viewed as having one channel; therefore, thefollowing wiring is not permitted!

��

��

�

��

��

��

��

��

��

��

� �

��

��

��

�

��

� ��

DF0051v2.EPS

Fig. 5-4: Selecting the starting lockout using a standard PLC (negativeexample)

��

��

�

��

��

��

��

��

��

��

� �

��

��

��

��

�

��

��

� ��

DF0052v2.EPS

For information about F1*, see switch contacts of starting lockoutFig. 5-5: Selecting the starting lockout using switches with break/make

contacts and standard PLC

Integrated Safety Technology Drive System with Integrated Safety Functions 6-1


6 Drive System with Integrated Safety Functions

6.1 Basic Structure

The IndraDrive drive system (axis / spindle / roller) is made up of thecomponents control section, power section and motor.

IndraDrive provides "integrated safety technology" using the interaction ofhardware and software components.

Controlsection

Channel 1Processor A

Channel 2Processor B

I/O

I/OM

Powersection

Safety related function active

Channel 1 Channel 2

Selection andfeedback ofsafety relatedfunctions

Processing anderror reaction

Safetyrelatedaction

DF0015v2.EPS

Fig. 6-1: Schematic diagram of IndraDrive with integrated safety technology

Note: All motors with 1Vss signal-equipped encoders that aresupported by the encoder interface can be used for integratedsafety technology.All motors with resolvers that are supported by the encoderinterface can be used for integrated safety technology.

Encoders with a TTL interface cannot be used for integratedsafety technology.

Encoders with only a serial interface cannot be used forintegrated safety technology.

In order for integrated safety technology to be used, one "Safetytechnology I/O" optional module per axis, combined with softwarecomponents (firmware parts in the drive) is necessary.

Note: For the connection conditions and the technical data of theoptional module, please see the Project Planning Manual forthe control section.

6-2 Drive System with Integrated Safety Functions Integrated Safety Technology


Typical fields of application of the IndraDrive system are:

• handling and mounting systems

• packaging and food processing machines

• printing and paper converting machines

• machine tools

• wood processing machines

Comparison with Conventional Safety TechnologyA drive and control system with integrated safety technology differs fromsystems with conventional safety technology by the fact that the safetyfunctions are directly integrated in the intelligent drives as hardware andsoftware. This increases the functionality in all operating modes with amaximum of safety (short reaction times).

The following components of conventional safety technology are notincluded in drive and control systems with integrated safety technology:

• motor standstill monitor for monitoring the safety related standstill

• speed monitor for monitoring safety related reduced speeds

• power contactors between controllers and motors

• limit switch or position cam for detection of range

Note: The integrated safety technology is not destined to replaceconventional safety technology, such as emergency stopswitching devices and safety door monitors.

Using integrated safety technology increases the available personnel andmachine safety because the total reaction time of the system in the caseof an error event, for example, is considerably reduced with regard tocomparable systems with conventional safety technology. The safetysignals are transferred using conventional wiring in a high diversity ofdesigns. Master communication (SERCOS interface, PROFIBUS, CAN,etc.) can be used to transfer a channel.

Fields of application



6.2 Overview of Safety Functions

Application-related safety functions are implemented for personalprotection in accordance with EN 954-1 category 3.

Note: When selecting a safety function, the drive system is to bebrought to the corresponding state using command valueselection.

Safety functions can be classified into 3 groups:

1. "Safety related stopping process" safety functions:

• safety related standstill,

• safety related operational stop and

• safety related drive interlock

Note: The functions "safety related standstill", "safety relatedoperational stop" and "safety related drive interlock" containsafely monitored shutdown.

2. "Movement with safety related speed" safety functions:

• safety related limited maximum velocity,

• safety related reduced speed,

• safety related direction of motion,

• safety related limited increment,

• safety related limited absolute position and

• safety related homing procedure

3. "Safety related feedback" safety functions:

• safety related diagnostic outputs and

• safety related control of a door locking device



"Safety Related Stopping Process" Safety Functions

Safety Related Standstill"Safety related standstill" corresponds to stop category 1 according toEN 60204-1.

A programmable time (P-0-3220) is available for the transfer to the safestate. The power supply to the drive is interrupted (two channels) whenthis time elapses (at the latest). If the standstill is attained before the timeelapses, i.e. the speed is within the standstill window (P-0-3233), theselected safety function goes into effect.

The drive cannot produce any torque/force and therefore any hazardousmovements. No monitors are active in "Safety related standstill".

When the stop is active, "SH" is shown on the display of the IndraDrivecontroller control panel.

Note: The "Safety related standstill" function is deselected byactuating an enabling control!

DANGER

Lethal injury and/or property damage caused byunintended axis motion!⇒ If external force influences are to be expected in the

"Safety related standstill" safety function, e.g. in thecase of a vertical axis, this motion has to be safelyprevented by additional measures, e.g. a mechanicalbrake or weight compensation.

Safety Related Operational Stop"Safety related operational stop" corresponds to stop category 2according to EN 60204-1.

For specific applications, it is necessary to stop the drive system at anatural point in the production process.

A programmable time (P-0-3220) is available for the transfer to the safestate. After the time elapses, the standstill monitor is activated, i.e. thedrive comes to a standstill. However, the power supply is not interrupted;all control functions between the electronic control and the drive areretained.

In the case of the "Safety related operational stop" safety function, a dual-channel monitor prevents the drive from carrying out hazardous motionsdue to errors.

When the operational stop is active, "SBH" is shown on the display of theIndraDrive controller control panel.

Activation of a monitor triggers an error reaction that brings the drivesystem to a standstill. The corresponding error message is F7030 Pos.window for safety rel. operational stop exceeded.

The allowed deviations from the standstill position (P-0-3230) arepassword-protected and cannot be changed by unauthorized externalintervention. After removing the safety related operational stop, e.g. byclosing a protective device and executing the start command, the workingmotion of a drive can be immediately continued at the point ofinterruption.

Note: The "Safety related operational standstill" function isdeselected by actuating an enabling control!



Safety Related Drive Interlock"Safety related drive interlock" corresponds to stop category 1 accordingto EN 60204-1.

Safety function "Safety related drive interlock" corresponds to "Safetyrelated standstill"; however, it is not revoked by actuating an enablingcontrol.

When the drive interlock is active, "ASP" is shown on the display of theIndraDrive controller control panel.

It is used, for example, in spindle drives when manually changing toolsand in handling axes for manual movement.

Note: Function "Safety related drive interlock" can also be selectedin normal operation, depending on the model.

DANGER

Lethal injury and/or property damage caused byunintended axis motion!⇒ If external force influences are to be expected for the

"Safety related starting lockout" safety function, e.g.in the case of a vertical axis, this motion has to besafely prevented by additional measures, e.g. amechanical brake or weight compensation.

WARNING

Injury and/or property damage caused byunintended axis motion!A short circuit in each of two separate circuits of thepower section can provoke momentary axis motiondepending on the number of poles of the motor.

Example synchronous motor: For a 6-pole synchronousmotor the motion can be a maximum of 30 degrees. Fora directly driven ballscrew, e.g. 20 mm per revolution, thiscorresponds to a one-time maximum linear motion of1.67 mm.

When an asynchronous motor is used, the short circuitsin two separate circuits of the power section have almostno effect because the exciter field breaks down when theinverter is shut down and has completely died down afterapprox. 1 s.



Safely Monitored ShutdownThe transition to safety related standstill or to safety related drive interlockcan alternatively be controlled by the drive or the control unit(parameterized via P-0-3210, Safety technology control word).

The shutdown is chronologically monitored by each channel.

After the stopping process (P-0-3233, Velocity threshold for safetyrelated stopping process) the selected safety function takes effect.

With P-0-3220, Tolerance time transition from normal operation thetime for transition from normal operation to the completed stoppingprocess has to be determined. If this time is exceeded, the error messageF7050 Time for stopping process exceeded is generated.

With P-0-3225, Tolerance time transition from safety rel. oper. thetime for transition from special mode "motion with safety related speed" tothe completed stopping process has to be determined. If this time isexceeded, the error message F7050 Time for stopping processexceeded is generated.

The transition to safety related operational stop is controlled by the controlunit.

After the time for transition from normal operation to the completedstopping process is over (P-0-3220, Tolerance time transition fromnormal operation) the monitoring window for the position reached afterstopping process takes effect (P-0-3230, Monitoring window for safetyrelated operational stop).

After the time for transition from special mode "motion with safety relatedspeed" to the completed stopping process is over (P-0-3225, Tolerancetime transition from safety rel. oper.) the monitoring window for theposition reached after stopping process takes effect (P-0-3230,Monitoring window for safety related operational stop).

Safety Related Homing Procedure (via Two Channels)

Brief Description

Note: The function "safety related homing procedure" has to becarried out before selecting the safety function "safety relatedlimited absolute position"!

The function "safety related homing procedure" is a homing procedurewith additional cam/switch for safely determining the reference position.

The function has the following features:

• function is selected via 2 inputs:

• the reference cam input at the drive controller and

• an input at the optional safety technology module

• The home switch consists of an N/C-N/O combination, the N/Ocontrolling the standard input at the drive controller.

• establishing the position data reference via two channels by thecommands

• S-0-0148, C0600 Drive-controlled homing procedure commandor

• P-0-3228, C4000 Homing procedure command channel 2

• For absolute measuring systems the homing procedure has to becarried out, too; only the input at the optional module is to be assigned.

• The reference cam can be replaced by a manually operated switchwith which the correct absolute position is confirmed.

Safety related standstill andsafety related drive interlock

Safety related operational stop

Functional Features



The following parameters are used in conjunction with the function "safetyrelated homing procedure":

• P-0-3228, C4000 Homing procedure command channel 2

• S-0-0148, C0600 Drive-controlled homing procedure command

• P-0-3210, Safety technology control word

• P-0-3213, Safety technology status

• P-0-3231, Safety related reference position channel 2

• P-0-3229, Tolerance window for safety related homing procedure

• S-0-0147, Homing parameter

• S-0-0052, Reference distance 1

• S-0-0051, Position feedback 1 value

• S-0-0053, Position feedback 2 value

• P-0-3280, Actual position value, channel 2

• P-0-3240, Control word for safety related motion 1




In conjunction with the function "safety related homing procedure", thediagnostic message C4001 Error during safety related homingprocedure is used.

Operating PrincipleThere are two options of starting the safety related homing procedure viatwo channels:

• By directly writing "11" to parameter P-0-3228, C4000 Homingprocedure command channel 2.

Note: In order that the parameterized reference event is fulfilled (cf.P-0-3210, Safety technology control word), an NC-controlled motion has to be carried out because the drive doesnot carry out an automatic motion when the commandP-0-3228, C4000 Homing procedure command channel 2 isexecuted.

• Automatically at the start of command S-0-0148, C0600 Drive-controlled homing procedure command in conjunction with theparameterized function "safety related limited absolute position". (Thecommand S-0-0148, C0600 Drive-controlled homing procedurecommand at the beginning also starts the command P-0-3228, C4000Homing procedure command channel 2 which then runs in parallel.)

Note: It is assumed in this case that the home switch of channel 2was mechanically mounted in such a way that it is actuatedwith the travel motion to be expected or during the concludingpositioning.

Pertinent Parameters

Pertinent Diagnostic Messages



Safety Function "Movement with Safety Related Speed"

Safety Related Limited Maximum VelocityIn the case of the "Safety related limited maximum velocity" safetyfunction, a dual-channel monitor prevents the drive from exceeding theprescribed speed limit value (P-0-3234).

Activation of a monitor triggers an error reaction that brings the drivesystem to a standstill. The corresponding error message is F7020 Safetyrelated maximum velocity exceeded.

The velocity limit value is password-protected and cannot be changed byunauthorized external intervention. This monitor is active in everyoperating mode.



Safety Related Reduced SpeedA programmable time (P-0-3220) is available for the transfer to the safestate. After the time elapses, the speed monitor is activated.

In the case of the "Safety related reduced speed" safety function, a dual-channel monitor prevents the drive from exceeding the prescribed speedlimit values (P-0-3244, P-0-3254, P-0-3264, P-0-3274).

When the movement monitor is active, "SBB" is shown on the display ofthe IndraDrive controller control panel.

Activation of a monitor triggers an error reaction that brings the drivesystem to a standstill. The corresponding error message is F7013Velocity threshold exceeded.

The velocity limit values are password-protected and cannot be changedby unauthorized external intervention.

Movement is enabled by actuating an enabling control. The activationtime of the enabling control is monitored (P-0-3222); it is adjustable. If theactivation time is exceeded, error message F3142 Time foracknowledgment exceeded is generated.

Note: Two additional safety switches (S1, S2) can be used to selectup to four parameter sets.

Safely Monitored Acceleration/Deceleration Ramp

Note: This function is in preparation for FWA-INDRV*-MPH-03!

Safety Related Direction of MotionThe "Safety related direction of motion" safety function guarantees thatmovement is possible in only one direction. In addition, a safely reducedspeed is active.

A programmable time (P-0-3220) is available for the transition to the safestate. After the time elapses, the speed monitor and the monitor of thedirection of movement are activated (dual-channel monitoring).

Activation of a monitor triggers an error reaction that brings the drivesystem to a standstill. The corresponding error message is F7031Incorrect direction of motion.

The speed limit values (P-0-3244, P-0-3254, P-0-3264, P-0-3274), thedirection of movement specified in the control word (P-0-3240, P-0-3250,P-0-3260, P-0-3270) and a standstill window (P-0-3232) for the non-enabled direction of movement are password-protected and cannot bechanged by unauthorized external intervention.

Movement is enabled by actuating an enabling control. The activationtime of the enabling control is monitored (P-0-3222); it is adjustable.



Safety Related Limited IncrementIn the case of the "Safety related limited increment" safety function, adual-channel monitor prevents the drive from moving by more than amaximum increment. In addition, a safely reduced speed is active.

Activation of a monitor triggers an error reaction that brings the drivesystem to a standstill. The corresponding error message is F7010 Safetyrelated limited increment exceeded.

The speed limit values (P-0-3244, P-0-3254, P-0-3264, P-0-3274) and thelimit values (+/-) for the maximum increment (P-0-3243, P-0-3253,P-0-3263, P-0-3273) are password-protected and cannot be changed byunauthorized external intervention.

Movement is started by actuating an enabling control. The activation timeis monitored (P-0-3222); it is adjustable.

Within the window (maximum increment), movement can be carried out insmall steps in both directions when the enabling control device ispressed.

Note: Two additional safety switches (S1, S2) can be used to selectup to four parameter sets.

Safety Related Limited Absolute PositionIn the case of the "Safety related limited absolute position" safety function,a dual-channel monitor prevents the drive from moving beyond theprescribed absolute position limit values (+/-). In addition, a safelyreduced speed is active.

The limit values (+/-) for the absolute position and the safely reducedspeed are password-protected and cannot be changed by unauthorizedexternal intervention.

Movement is started by actuating an enabling control. The activation timeis monitored; it is adjustable.

Note: "Safety related homing" must be executed before selecting the"Safety related limited absolute position" safety function.

Note: One additional safety switch (S1) can be used to select up totwo parameter sets.

Safety Related Limited Absolute End Position


Safety Related Brake Management


"Safety Related Feedback" Safety Functions

Safety Related Diagnostic OutputsUsing safety related diagnostic outputs, "safely detected states" aretransmitted from the drive to other system components (e.g. activation ofsafety relays, safety PLC) in order to initiate, from these systemcomponents, a reaction to the process.



Safety Related Control of a Door Locking DeviceA diagnostic master that detects the safe state of several axes within aprotection zone can be activated in a drive controller; this also ensuresthat the safety door remains shut.

In safety function "Safety related control of a door locking device", twochannels are used to ensure that a locked separating protective deviceremains shut when all of the axes in this zone are in a safe state. Theposition of the door is also monitored.

Note: Monitoring the position of the locked separating protectivedevice is still required.



6.3 I/O Reaction Times

�� !��

�� "�

�� !��#�� "�

$"� !�� !��" ��"��

��#��

� "�

��!��% ��&��'% ! ��

(��' ��)�

��#�**

�#***

+�� +��&��

�,***

!�� +��&��

�,***

!�� +��&��

��

� � ��

��

� ��

� "� � "� � "�

DF000093v02_en.EPS

Fig. 6-2: I/O reaction times

6.4 Functional Principle of Integrated Safety Technology

In a standard drive, the axis / spindle / roller is moved according to thecommand values of the control. In this case, incorrect drive motion can becaused by operating errors, incorrect installation in the system, defects incomponents or materials, or failures in the system. Incorrect drive motion–even if the errors occur only for a short time and occasionally – canendanger persons standing in the danger zone of the drive motion.

Therefore, measures that limit the effects of errors on the drive motion toa minimum must be undertaken. The remaining risk of danger to personsis then considerably reduced.

During the operation, the safety functions are monitored by the drivesystem. To do this, three principles for discovering sleeping errors wererealized in the system:

• dual-channel data processing with structure by diversity

• cross comparison of the safety-relevant data

• dynamization of static states

These measures guarantee that a single error cannot cause the safetyfunctions to be lost.

The degree to which this is sufficient for an existing system or machine isto be determined by the manufacturer of the system or machine using ahazard analysis according to Appendix I of guideline 98/37/EG.



Dual-Channel StructureAll safety-relevant data are transmitted and processed by twoindependent channels. The basic control unit in the drive represents thefirst monitoring channel, the control system on the optional modulerepresents the second channel.

Drive control

M

Powersection

I/O10n

SelectionChannel 2 I1..4n

Safety technolgyoptional module

O10I10

Encodersystem

Cross datacomparison

SelectionChannel 1 I1..4

DF0016v2.EPS

Fig. 6-3: Schematic diagram of the dual-channel structure

Note: The inputs and outputs of channel 1 are symbolicallydesignated with "I1 to I4", "O10" and "I10". The purpose ofthese symbols is to illustrate the interaction with thecorresponding inputs and outputs of the second channel.The physical inputs and outputs of channel 1 can be specifiedfor various hardware layouts (see Fig. 6-7: Directly activatingboth channels on the drive controller and Fig. 6-8: Directlyand indirectly activating the channels on the drive controller).

The physical inputs and outputs of channel 2 are present onthe "I/O safety technology" optional module.



Cross Data ComparisonThe respective monitoring functions for realizing the safety functions areprocessed independently in the basic control unit and in the safetymodule. To make sure these functions use correct (identical) limit values,a cross data comparison is required. If a deviation of the monitoredparameters is detected in one of the two channels, this causes therespective error reaction and the drive system goes to the safe status.

Cross data comparison is started with the "initialization" of the drivecontrol. As soon as the operating mode has been reached, cross datacomparison starts. If safety parameters of one or both channels are notidentical during operation and if the power is on, the stopping process ofthe axis/axes is initiated.

When one or more safety functions are also activated, an additional crossdata comparison is carried out using the selection.

The following errors are detected by cross data comparison:

• safety function activated on only one system

• wrong safety function activated

• different monitoring parameters used

• safety function does not work (life counter)

• accidental hardware errors

• accidental software errors

Cyclic cross data comparison

Additional cross datacomparison

Errors detected by cross datacomparison



DynamizationThe purpose of dynamization is to detect static error conditions, so-called"sleeping errors" in the safety-relevant circuits. Dynamization occursautomatically at specified intervals; the user can not notice this.

A safety function is selected using a break contact / make contactcombination so that one channel of a safety function is always selected(the function is activated/deactivated by switching over).

Within the drive, the active channel (make contact) is cyclically checked.

A safety master automatically carries out dynamization (via A30) for allactivated inputs.

The dynamization is synchronized via E30.

&�

&��

&'()�

&�

&��

&'()�

&�

&��

&'()�

��*��+ ��+*!��, �

��*��+ ��+*!��

��

��

�� -��.

��

��

�� -��/�.

��

��

�� -��/�.

��

��

��

DF0044v1.EPS

Fig. 6-4: Dynamization of the inputs via I/O

Both the control section in standard design and the optional module"safety technology I/O" have their own interrupting circuits.

Within the drive, the activation of an interrupting circuit is cyclicallychecked.

6.5 Demands on the Controls

The control must be aware of the operating modes (normal operation /special mode) as well as of their safety functions.

It ensures that the drive is interpolated within the prescribed time andwithin the limits prescribed by the safety functions.

To do this, the control must be able to recognize the selection of a safetyfunction so that it can react at any time to a switchover to safety relatedoperation (e.g. read P-0-3215, Selected safety technology mode fromthe drive). For online monitoring of the safety technology states the binarystatus signals provided by P-0-3213, Safety technology status can beread by the control unit.

The transition to safety related standstill, to safety related drive interlockand to safety related operational stop can alternatively be controlled bythe drive or the control unit (parameterized via P-0-3210, Safetytechnology control word).

Dynamization of the inputs

Dynamization of the interruptingcircuits



The transition to safety related stopping process in the case of error takesplace according to the settings in parameters P-0-0117, Activation of NCreaction on error and P-0-0119, Best possible deceleration.

Note: The control must react to the selection of a safety function withthe corresponding command value selection!

6.6 Activating the Safety Functions

Safety functions are always selected using two channels.

Configurable combinations of safety functions, corresponding to the fouravailable dual-channel inputs, can be selected using a break contact /make contact combination.

To select the first channel, a choice of four 24 V inputs

• on the basic device,

• on a control that guides them to the drive via the mastercommunication or

• on an I/O extension are to be allocated.

Four 24 V inputs are available on the optional module to select thesecond channel.

The assignment of the inputs for selection is implemented by means ofthe DriveTop commissioning software.

Operating mode "Normal mode" or "Special mode" can be selected usingthe operating mode selection switch. In Special mode, an enabling controlcan be used to switch between the safety functions for stopping and formovement.

The following status diagram illustrates how the three states can beselected using the two actuating mechanisms.

Normal mode

Special modemotion

Operating modeselection switch+enabling control

Special modestopping process

Operating modeselection switch

Enabling controlDC0003v1.EPS

Fig. 6-5: Status diagram

"Safety related standstill" or "Safety related operational stop" can beconfigured in "Stopping special mode", depending on the application(selection using the operating mode selection switch).



A "Safety related reduced speed" and/or a "Safety related limitedincrement" can be configured in "Movement special mode", depending onthe application (selection using the enabling control in Special mode).

Note: If the enabling control is activated in Normal mode, thereduction of the command value selection can be effective. Byswitching to Special mode, the drive-internal monitors for safemovement are activated.

In the figure above, 2 dual-channel inputs are assigned (operating modeselection switch and enabling control). Of the 4 available dual-channelinputs, 2 are still free. These can be used, for example, to switch betweenthe parameters for "Safety related reduced speed" via the process; in thismanner, up to 4 different parameter sets can be selected.

A parameter set for "Safety related reduced speed" makes it possible tosimultaneously activate a monitor of the movement direction and/or amonitor of the absolute position.

A parameter set for "Safety related limited increment" makes it possible tosimultaneously activate a monitor of the movement direction and/or amonitor of the absolute position.

Note: "Safety related homing" must be executed before selecting"Safety related limited absolute position". "Safety relatedhoming" requires an input on the optional module. Then oneinput is still available, for example to switch two instead of fourparameter sets for "Safety related reduced speed".



The following table shows sensible combinations of safety functionselections.

($�

��

�se

lect

ion

switc

h

��

��

"��

��

��*��+

��

��*��+

��

0�/�

��%

��*��+ ��

�� 1, �$�

�

��*��+ ��

�� "

�, $��

0�/� ��%

�� (�

�(� # ��

�2�� # �� # �0� # �&�

�2�� # �� # �0� # �&�

�2�� # �� # �0� # �&� # ��

�2�� # �� # �0� # �&� # ��

�2�) # ��) # �0) # �&)

�2�� # �� # �0� # �&�

��*��+ ��

�� 1, �$�

�

��*��+ ��

�� "

�, ��

$��

��*��+ ��

�� $

$��

*�� ' �(�

��*��+ ��

�� $

$��

*�� /� ��%

��

3��

�sw

itch

��

��

��*��+ ��

��$

$��

$��

��

��

��

� ��

��

��

��

��

��

4�

4� � ��

��

��

��

��

��

��

� � � (**

(**

(�

(�

(�

(�

(�

(� � � (** �

� � � � � (**

(�

(**

(�

(**

(� � � � �

� � � � � (�

(� � � � �

(**

(**

(�

(**

(**

(**

(**

(**

(�

�

��/��

��/��

��/��

� � �

��

��

��

��

��

(**

(**

� � �

��/��

4�5

4��

��5

�$��

��5

��*��+ �� -�� 6!�.

�(�5

��*��+ �� $�� $ -�� $� �� /�.

�2�5

��*��+ �� !� �$��

��5

��*��+ �� ' �� $

�05

��*��+ �� * ��

�&5

��*��+ ��

��

��

��5

��*��+ ��

�� "��!�� $��

��5

��*��+ �� "��%� ��

��

5

&�$!� *�� 6!��

5

4� �$!� *�� /��"�� -�

�1, � �$!��.

DL0001v2.EPS

Fig. 6-6: Combinations of safety function selections



There are two possibilities for activating the safety functions:

Controlsection



I/O

I/OM

Powersection

Safety related function active

Channel 1 Channel 2

Selection andfeedback ofsafety relatedfunctions


Safetyrelatedaction

DF0015v2.EPS

Fig. 6-7: Directly activating both channels on the drive controller

Selection of safety functions via24 V inputs on drive controller



Controlsection



SERCOS

I/O

Safetytechnologyactive

Safetytechnologyactive

Channel 1 Channel 2

I/O

SERCOS

Control

Channel 1

M

Powersection

Selection and feedbackof safety relatedfunctions


Safetyrelatedaction

DF0017v1.EPS

-> Channel 1 is indirectly activated via the master communicationinterface of the control unit (CNC; PLC)

->: Channel 2 is directly activated via the input interface of the drivecontroller

Fig. 6-8: Directly and indirectly activating the channels on the drive controller

Note: Selection on the optional module is made using a D-SUB plugconnection.

6.7 Feedback, Status (Safe/Unsafe) to Peripherals

Safety-relevant feedback always takes place using two channels (EN 954-1, category 3). Feedback for diagnostic purposes can take place usingone channel.

For the feedback of the first channel, either a 24 V output

• on the basic device or

• on a control

that receives them from the drive via the master communication is to beallocated.

A 24 V driver or a relay contact is available on the optional module for thefeedback of the second channel (one side of the relay contact is internallyset to 0 V).

Selection of safety functions viamaster communication (e. g.

SERCOS interface)



Safe Feedback to a Safety PLC

"Safety technologyI/O" optionalmodule

O10

I/O10n

I

In

PLC

Control section

DA0002v4.EPS

Channel 1: O10 (control section)Channel 2: I/O10n (O10, 24 V driver is active on "Safety technology I/O"

optional module)Fig. 6-9: Safe status message to a safety PLC

Note: The two outputs O10 and I/O10n work inversely!



Safety Related Control of a Door Locking Device

DANGER

Lethal injury caused by axes / spindles coastingdue to an error!⇒ Provide an interlocked protective device with locking

device that only allows unlocking the protectivedevice when the stopping process has beencompleted (see EN 1088). If the protective device is unlocked without thestopping process having been completed, coastinghas to be prevented by additional measures [e.g. byusing a motor holding brake (to be used only in caseof an emergency), an emergency bleeder or aservice brake] or the protective device has to bepositioned in such a way that spindles / axes havestopped before they can be reached (EN 999).

A diagnosis master can be activated to control a door locking device.

The diagnosis master recognizes the "Safety related status" of its owndrive, as well as of other drives that are interconnected using cable I/O20.

The "safe status" is reported via a shared status output. This output is adual-channel output (O10/O10n). O10n switches internally to 0 V.

The activation is monitored internally by I10n. To monitor the lockingdevice, a second input (I10) must be allocated on the basic device or on acontrol that guides this input to the drive via the master communication.

O10

I/O10n

0V

I10

+24 VControlsection

"Safety technologyI/O" optional module

To further axes of thesame danger zone

I/O20

Controlsection

"Safety technologyI/O" optional module

DA0001v5.EPS

Channel 1: O10 (control section)Channel 2: I/O10n (24 V input and driver for relay contact are active on

"Safety technology I/O" optional module)Fig. 6-10: Activation of a door locking device



The axes report the attainment of the safety related status and permit thesafety master to activate the safety status output (O10/O10n), e.g. for adoor locking device.

Note: In the case of an encoder error in a drive, it is impossible toreport a safe status. If the safety status is used to directlyactivate a safety door, manual safety door unlocking has to beoperated in the respective axis (see P-0-3218, Manuallyunlocking the safety door).

All axes of a hazard zone must be interconnected via I/O20 using a bus.

Note: This application cannot recognize the status of an axis that isequipped with optional module "Starting lockout". If optionalmodules "Starting lockout" and "Safety technology I/O" areused in a shared hazard zone, the magnet responsible forlocking must be activated using relay contact ASQ/ASQ1 ofthe starting lockout!



6.8 Examples of Application

Overall ViewFunctionality and connections for integrated safety technology onIndraDrive drive controller

��

��

��

��

�#

�#�

��

��

�-.#�

.��' "�&��

��+��'��

�� !�� &�)��/��

��

��

��!��% ��

��!��% ��

��

0��1�"� �� !�� !��% ��& �+�� 2 ��&

.��

�-.��

��

��

.��

��

��)� �

3�� /�' &�)�

.��

�-.��

��)� �

�/��&'�"

��

�� 4�

5�-�4�

� ��

��&��

��!' ��+�� !��

��

��

��!��% ��& ��&�� !��% ��6 �� &�� !��% ��& &�)� ��/

��

��!��% ��& ��& �& ��&��!��% ��& &�6 �! ��!��% ��& �"��& �+�6 ��6��!��% ��& �"��& ��"��!��% ��& &�6 �! ��!��% ��& �"��& �+�6 ��6

��-.7 ��2 �� & � �� +� ��!' ��&

�� /��&'�"�� 4��)�� ! � &��/�' &�)�

��"+�� ! ��!��%! �� !' ��+�� ' ��"��

�� !"#

�� &�)�

�-.�� $�� %� �� $� ! �� *�� ! �� "�&��'�� 8��

DF0034v7.EPS

1: Alternatively, channel 1 can be selected using the mastercommunication.

I1, ... , I4: Channel 1 for selection and reference inputI1n, ... , I4n: Channel 2 for selection and reference input (inverted)

Fig. 6-11: Overall view



Note: A maximum of 4 safety functions can be selected on theinputs: I1 to I4 for channel 1 and I1n to I4n for channel 2.Parameters are used for the configuration.

Selecting Normal/Special Mode with Position Monitoring of a SafetyDoor with Door Locking Device

O10

I/O10n

0VI10

+24 V

Locking device

Position switch 2

Ch2 Ch1 Operating modeselection switch,e.g. frommachine controlpanel via PLC

0 V

Channel 1

Safety relatedcontrol of a doorlocking device

Category 3

Channel 2

Channel 2

Channel 1

Forceddynamization

Channel 2I/O30

Safety relatedstandstill

Category 3

Channel 2

Channel 1

I1n

I1

Control section Powersection

M

IndraDriveopen

closed

NC program runenablement

NC command valuelimitation

Demands of conrols

Normal mode

Special mode_n

Special mode

Monitoring module withcross connection detectionbetween Ch1 and Ch2

Position switch 1

(NM)

DF0035v5.EPS

Fig. 6-12: Single-channel operating mode selection switch with positionmonitoring of a safety door with door locking device



O10

I/O10n

0VI10

+24 V

Locking device

Position switch 2

Ch2 Ch1

Channel 1

Safety relatedcontrol of a doorlocking device

Category 3

Channel 2

Channel 2

Channel 1

Forceddynamization

Channel 2I/O30


Category 3

Channel 2

Channel 1

I1n

I1


M

IndraDriveopen

closed

NC programrun enablement

NC commandvalue limitation

Demands of controls

Special mode_n

Special mode

Monitoring module withcross connection detectionbetween Ch 1 and Ch 2

Position switch 1

(SM)

(NM)

Operation modeselection switch

DF0079v2.EPS

Fig. 6-13: Dual-channel operating mode selection switch with positionmonitoring of a safety door with door locking device



Enabling Control with Three Settings

Forceddynamization

Channel 2I/O30

I2

I2n


M

IndraDrive

Enabling

No enabling

Safety relatedmotion

Category 3

Channel 1

Channel 2

12

3

Pressure point

DF0037v3.EPS

Fig. 6-14: Enabling control with three settings



Command Device with Automatic Reset (Safety Related Jog Button)According to EN 12417, a dual-channel jog button, with a correspondingevaluation according to category 3, is permissible without an enablingcontrol.

Note: Possible command devices for starting a safely monitoredmovement according to Table 2, parag. 14.1.1 of EN 12417"Safety of Machines, Machining Centers":- single-channel jog button (+/- direction) combined with adual-channel enabling control. Enabling controls are controlledaccording to category 3 of EN 954-1.

- single-channel preselection switch (+/- direction) combinedwith a dual-channel enabling control. The enabling controldevice is simultaneously the jog button. Enabling controls arecontrolled according to category 3 of EN 954-1.

- dual-channel jog button (+/- direction). The jog switch iscontrolled according to category 3 of EN 954-1.



Temporary Inspections or Visual Checks in the Danger ZoneIf "Safety related operational stop" is selected in Special mode, aworkpiece check can be carried out in the processing area / danger zone,for example.

� �

�� +��7��

�� &'()�

&��

&�

��

�

�� !�

��% �� /��!� -��'��.

0�� * ��

4��

�$�� 8�

�$��

��*��+ �� $�� $

��+ )

��

��

�� !�� "��

4� $��!� ��"��

($�� 9�,� *�� $�� /� �:�

-4�.

�� * ��*��+ �� %�� /�-�� 1�� !��.

��

DF0036v6.EPS

Fig. 6-15: Safety related operational stop; the drive is monitored for standstill.



In Special mode, movement for a visual inspection in the processing area/ danger zone can be executed by actuating the enabling control(selecting Safety related reduced speed) and using the movementcommand.


0 V

Forceddynamization

Channel 2I/O30

I1n

I1


M

IndraDrive

Block commandvalue input (0m/min)

Demands of controlsNormal mode

Special mode_n

Special mode

Safeoperational stop

Category 3

Channel 2

I2

I2n

Limit commandvalue input<2m/min)

Enabling

Enabling_n

Safety relatedreduced speed

Category 3

Channel 1

Enable commandvalue input

Jog command value

Channel 1

Enabling control (EC)(simplified representation)

Channel 2

Effectof EC

Ch2 Ch1

Position monitoring of safetydoor with locking device(see extra illustration)

Operation modeselection switch,e.g. frommachine controlpanel via PLC

(NM)

Effectof EC

DF0038v6.EPS

Fig. 6-16: Safety related operational stop / Safety related reduced speed; thedrive is monitored for standstill/movement



Working When Drive is without Torque/ForceIf, for example, tools are to be changed manually, function "Driveinterlock" must be activated (separate switch in addition to the operatingmode selection switch and the enabling control); in this way, it is possibleto manually move the shaft using the tool spindle.

The power supply to the drive is interrupted safely. No standstill monitor isactive. The drive interlock cannot be disabled by actuating the enablingcontrol.



0 V

Forceddynamization

Channel 2I/O30

I1n

I1


M

IndraDrive

Block commandvalue input(0m/min)

Demands of controlsNormal mode

Special mode_n

Special mode


Category 3

Channel 2

I2

I2n

Limit commandvalue input<2m/min)

Enabling

Enabling_n

Satey relatedreduced speed

Category 3

Channel 1


Jog command value

I3

I3n

Drive interlock

Drive interlock_n

Safety relateddrive interlock

Category 3

Channel 1

Block commandvalue input(0m/min)

Drive interlockswitch

Channel 2

Channel 2

Channel 1


Ch2 Ch1


Operating modeselection switch,e.g. frommachine controlpanel via PLC

(NM)

Enabling control (EC)(simplified representation)

Effectof EC

Effectof EC

DF0039v6.EPS

Fig. 6-17: Safety related drive interlock; the power supply to the drive isinterrupted.



0 V

Forceddynamization

Channel 2I/O30

I1n

I1


M

IndraDrive

Demands of controls

Normal mode

Special mode_n

Special mode

Safety relatedstopping process

Category 3

Channel 2

I2

I2n

Safety relatedreduced speed /limited increment

Category 3

Channel 1


Jog command value

I3

I3nChannel 2

Channel 1

Selection of speedjogging or increment jogging

Channel 2

Enabling

Enabling_n

Enablingcontrol (EC)simplifiedrepresentation

Channel 1

Safetyswitch S1

Safety relatedlimited increment_n

Safety relatedlimited increment

Block commandvalue input(0 m/min)

Switching ofmonitoring fromspeed to increment

Effectof EC

($�� 9�,�, *�� $�� /� �:�

(NM)

Effectof EC

Limit commandvalue input (<2 m/min)

Ch2 Ch1

�� * ��*��+ �� %�� /�-�� 1�� !��.

�� !�� "��

DF0040v6.EPS

Fig. 6-18: Safety related speed or Safety related limited increment; the drive ismonitored for speed/stop or increment/stop



0 V

Forceddynamization

Channel 2I/O30

I1n

I1

Control section powersection

M

IndraDrive

Block commandvalue input (0 m/min)

Demands of controls

Normal mode

Special mode

Safety relatedoperational stop

Category 3

Channel 2

I2

I2n

Limit commandvalue input

Safety rel. red. speed

Category 3

Channel 1


Enabling

Enabling_n

Jog cmd. valuein - direction

Jog cmd. valuein + direction

Channel 1

Channel 2

Safety relatedjog button

Special mode_n

Operating modeselection switch,e.g. frommachine controlpanel via PLC

(NM)

Monitoring module withcross connection detectionbetween Ch 1 and Ch 2

Ch2 Ch1


Effect ofenabling

Effect ofenabling

DF0041v6.EPS

Fig. 6-19: Command device with automatic reset (safety related jog button)

Note: For information about the safety related jog keys, please see"Command Device with Automatic Reset (Safety Related JogButton)".



Drive Groups for Different Danger ZonesThe following figure shows two processing areas in one machine. Each ofthese processing areas forms a separate danger zone.

The operating status is as follows:

• Danger zone A is in Normal mode with drives A1, A2 and A3. Theaccess door is closed.

• Danger zone B is in Special mode with an open safety door and withdrives B1, B2 and B3. One person is doing setup work or insertionwork in the danger zone.

The door locking device is released or blocked by the diagnostics masterof a drive that belongs to the corresponding danger zone. Usingbidirectional connection I/O20, all drives in the corresponding dangerzone are queried when switching from Normal to Special mode.

Using the enabling control (not shown in the figure), the person can nowmove the drives in danger zone B.



�� !$$�+&�)�

0�� "�� "�&�

;<

�� !��

0�/� ��!$ *�� 7��

0�/� ��*��+��

&�9&�9&)9&�

0�/� ��*��+��/�

&�9&�9&)9&�

0�/� �)��*��+��/�

&�9&�9&)9&�

0�/� ��*��+��

&�9&�9&)9&�

0�/� ��*��+��/�

&�9&�9&)9&�

0�/� �)��*��+��/�

&�9&�9&)9&�

��*��+ *!��

��-!��&

+�/

0�/� ��!$ *�� 7��

��+��$

��

&'(��

��" ��

�"

��" ��

�"

��" �)

�"

&'(�� &'(�� &'(��

0�/� ��

�"

0�/� ��

�"

0�/� �)

�"

��#��" ��

�"

��" ��

�"

��" �)

�"

&'(��&'(��

0�/� ��

�"

0�/� ��

�"

0�/� �)

�"

��#��$

&'(�� &'(��

0�� $�� "�� "�&�

0�� %�� /�

0�� %�� /�

��*��+ *!��

��-!��&

+�/

DF0045v6.EPS

Fig. 6-20: Drive groups for different danger zones



Safety Related Activation of the Locking Device of Several ProtectiveDoors

��

��

�**

.�

.�

3�"��& � 3�"��& �

��

��

3�� /�'&�)� �

� �

��

. ��

�

� �

�� &�)�

�� &�)�

��.(

��.(

3�� /�'&�)� �

�� .��

�-.��

��

DF0046v1.EPS

Fig. 6-21: Safety related activation of the locking device of two protectivedoors, with selection using standard PLC

Integrated Safety Technology Commissioning Safety Technology 7-1


7 Commissioning Safety Technology


The safety technology is a dual-channel system in which a secondprocessor redundantly carries out the monitoring functions. The processoruses the known data of encoder, mechanical system and scaling of themain system and stores them in the system/parameter memory.Changing data is not allowed any more after the safety functions havebeen commissioned. They are detected and acknowledged by anerror/warning. After the system has been changed, it is necessary tocommission the safety functions again.

All direct safety technology parameters are characterized by double inputwhich is realized in such a way that individual parameters have to bewritten by a list of two equal values. Tables are of double size, the sametable being attached as a copy. This allows a plausibility test of the data tobe carried out, also in the case of an input via SERCOS monitor.

All safety technology parameters must be write-protected by a passwordto be assigned by the user. The safety technology is activated at thesame time that the password is assigned.

7.2 Commissioning the Drive with Safety Technology Inactive

When the machine is delivered, safety technology is inactive; the status ofP-0-3207, Safety technology password level is set to zero. "Normal"commissioning of the drive can be carried out.

If safety technology is inactive, the system parameters are invalid andthere isn’t any plausibility test and comparison of data. The safetyparameters are set to default values and write protection is disabled."INDRASAVE" is entered as the default password in P-0-3206, Safetytechnology password. Under these circumstances, it is possible topreload the safety parameters from a parameter file (when copyinginstallations).

7-2 Commissioning Safety Technology Integrated Safety Technology


7.3 Commissioning Safety Technology

Safety technology is preferentially commissioned using the safetytechnology assistant in the DriveTop commissioning software (commandInitial start-up of safety technology in menu Setup) or manually asdescribed below.

Entering a Safety Technology Device IdentifierA code for the device for which safety technology was commissioned is tobe stored in parameter P-0-3205, Safety technology device identifier(e.g. machine type, unit, drive for ... axis/spindle).

This device code is required for identification to protect safety technologydata.

Selecting the Required Safety FunctionsSee "Overview of Safety Functions"

Specifying/Programming the Required Input Signals to Select the SafetyFunctions

Parameter P-0-3211, Safety I/O control word makes available a list forthe function linking of the individual I/Os of the "Safety technology"optional module (channel 2) with defined safety control signals.

Parameter P-0-3212, Safety technology control word, channel 1makes available binary control signals for online control of the safetyfunctions of the controller. By means of this control word, the individualcontrol signals can be optionally programmed to existing real-time bits ofthe master communication, hardware I/Os or I/O extensions.

Note: The physical inputs for channel 1 must be specified separatelyby setting suitable parameters.



Dynamization of the Inputs• The drive provides the dynamization signal. In P-0-3210, Safety

technology control word it is necessary to make a setting so thatdynamization is automatically carried out by a master safetytechnology for all selected inputs (via the output of I/O30).Dynamization is synchronized at the other drives via the inputs I/O30.

• The PLC provides the dynamization signal. Dynamization is carried outautomatically for all selected inputs (via the output of the PLC). InP-0-3210, Safety technology control word the output of I/O30 has tobe deactivated.

In P-0-3210, Safety technology control word it is necessary to activateseparate dynamization. In P-0-3212, Safety technology signal controlword, channel 1 it is necessary to provide, for channel 1, a bit assubstitute for E30. This bit has to be used by the application according tothe parameter setting in P-0-3223, Time interval for dynamization ofsafety function selection and P-0-3224, Duration of dynamizationpulse of safety function selection; i.e. the PLC carries out dynamizationof the input signals for channel 1 and controls the provided bit inP-0-3212, Safety technology signal control word, channel 1.

By means of parameter P-0-3223, Selection of time interval fordynamization, it is possible to set the cycle time in which dynamizationtakes place.

The pulse length of the dynamization signal can be set by means ofparameter P-0-3224, Selection of duration of dynamization pulse.

Specifying/Programming the Required Output Signals for Feedback ofSafety Functions

Parameter P-0-3214, Safety technology control word, channel 1makes available binary status signals of the safety functions of thecontroller. By means of this status word, the individual status signals canbe optionally programmed to existing real-time bits of the mastercommunication or hardware I/Os or I/O extensions.

Note: The physical outputs for channel 1 must be specifiedseparately by setting suitable parameters.

All drives in a danger zone are interconnected via I/O20. In P-0-3210,Safety technology control word the diagnosis master has to beactivated at one of these drives and the control for the feedback has to beselected.

In P-0-3210, Safety technology control word it is possible to determinethe operating principle for the output E/A10 of channel 2.

If the X41 interfaces are connected via a ribbon cable, the I/O10 outputsof the diagnosis slaves can be switched off in P-0-3210, Safetytechnology control word. This line then is only used by the diagnosismaster.

Common dynamization for 24 Vinputs for channel 1 and

channel 2

Separate dynamization forinputs for channel 1 via master

communication

Parameters for monitoring thedynamization signals



Setting the Safety Function Parameters

Parameterizing the Functions for "Safety RelatedStopping Process"If "Safety related standstill" is set in P-0-3210, Safety technology controlword, the power supply to the drive is interrupted after the value set inparameter P-0-3233, Velocity threshold for safety related stoppingprocess has been exceeded.

"Safety related standstill" is selected using the operating mode selectionswitch (see P-0-3211, Safety technology I/O control word, channel 2and P-0-3212, Safety technology control word, channel 1).

For further parameter settings, see section 7.4, Setting the SystemBehavior.

If "Safety related operational stop" is set in P-0-3210, Safety technologycontrol word, the drive is monitored for standstill. It is in control andmustn’t leave the position window defined in P-0-3230, Monitoringwindow for safety related operational stop.

"Safety related operational stop" is selected using the operating modeselection switch (see the signal control word for inputs P-0-3211, Safetytechnology I/O control word, channel 2 and P-0-3212, Safetytechnology control word, channel 1).


A drive interlock is provided within the safety technology. In order toactivate the drive interlock, the corresponding "ASP" (drive interlock)signal must have been programmed in P-0-3211, Safety technology I/Ocontrol word, channel 2 and the respective bit must be activated inP-0-3212, Safety signal control word of controller via I/O or mastercommunication.

P-0-3233, Velocity threshold for safety related stopping processmust be used to define a threshold for the standstill monitor.


Parameterizing the Functions for "Safety RelatedMotion"Up to four different parameter sets can be created for the "Safety relatedmotion".





A parameter set can then be activated according to the combination of theinput signals from safety switch S1 and/or S2 (see P-0-3211, Safetytechnology I/O control word, channel 2 and P-0-3212, Safetytechnology control word, channel 1).

"Safety related motion" is selected by specifying the inputs of the enablingcontrol (see P-0-3211, Safety technology I/O control word, channel 2and P-0-3212, Safety technology control word, channel 1).


Safety related standstill (SH)

Safety related operational stop(SBH)

Safety related drive interlock(ASP)



By means of the following parameters, it is possible to define the limitvelocity that is monitored for the respective parameter set for motion:

• P-0-3244, Safety related reduced speed 1




Using the following parameters, the set-up position range can be definedstarting at the time of selection using the enabling control for theparameter set that is being monitored:

• P-0-3243, Safety related limited increment 1




By means of parameter P-0-3232, Monitoring window for safetyrelated direction of motion it is possible to parameterize a positionwindow for the incorrect direction of motion.

By means of the following parameters, the upper and lower position limitscan be defined for the respective parameter set that is monitored:

• P-0-3241, Safety related limited absolute position 1, positive

• P-0-3242, Safety related limited absolute position 1, negative

• P-0-3251, Safety related limited absolute position 2, positive

• P-0-3252, Safety related limited absolute position 2, negative

Note: It is possible to configure only two ranges because only onesafety switch (S1) is available due to the limited number ofinputs (4); one input is required for the safety related referencecam. (operating mode selection switch; enabling control; REF;S1)Safety switch (S1) not selected and enabling control device(EC) selected: safety related position 1 is activeSafety switch (S1) selected and enabling control device (EC)selected: safety related position 2 is active

The safety related homing procedure is the prerequisite for the "Safetyrelated limited absolute position" safety function.

Note: In the case of absolute encoders, the S-0-0148, C0600 Drive-controlled homing procedure command has to be startedfor safety related homing.

In P-0-3210, Safety technology control word it is necessary toparameterize whether homing is done by means of cam or switch.

In P-0-3231, Reference position for safety related reference it isnecessary to parameterize the reference position that has to be detectedwhen moving to the safe cam.

Note: Dynamization mustn’t be carried out for the reference switch /cam.

Safety related speed

Safety related limited increment

Safety related direction ofmotion

Safety related position

Safety related homing procedure



7.4 Setting the System Behavior

Parameter P-0-3220, Tolerance time transition from normal operationor P-0-3225, Tolerance time transition from safety rel. oper. is used todefine the maximum available amount of time after which the monitoringof the selected safety function is activated.

In the case of drive-controlled shutdown, the safety function is activatedwhen standstill has been reached, but at the latest when P-0-3225,Tolerance time transition from safety rel. oper. is over.

In the case of shutdown controlled by the control unit, the safety functioncan be activated by the corresponding parameterization of P-0-3212,Safety technology signal control word, channel 1 before the tolerancetime is over.

P-0-3233, Velocity threshold for safety related stopping processmust be used to define a threshold for the standstill detector.

Parameter P-0-3221, Max. tolerance time for different channel statesdefines the maximum allowed time during which the states in bothmonitoring channels may differ.

Parameter P-0-3222, Max. acknowledge time defines the maximumperiod of time within which the enabling control device must be releasedand pressed again. This time is used to monitor the enabling control forunauthorized manipulation.

7.5 Activating Safety Technology

When parameterization has been completed, you must first change thedefault password.

Note: The safety technology is activated by changing the safetypassword.

To change the safety password, first the default password("INDRASAVE") and then (separated by blanks) the new password mustbe entered twice (P-0-3206 = "INDRASAVE USERPW USERPW") inparameter P-0-3206, Safety technology password.

Safety Parameter Plausibility CheckAfter the safety technology has been activated, the plausibility of the twoseparately managed safety parameter sets (on the controller module andon the optional module) are continuously monitored. If the system detectsdifferent parameter values, a plausibility error message (E3106) isgenerated. The error message is deleted only after the parametermemory of the main system and that of the redundant safety system havebeen synchronized.



Synchronizing the System Memory and Storing the New ParametersBy executing command P-0-3204, C3000 Synchronize and store safetytechnology IDN command, the system data are synchronized andstored in the safety memory together with the safety technology data.

Note: After commissioning the safety technology, a safetyacceptance test (test report) documenting the level of themodification counter (P-0-3201) and the required acceptancetests is necessary.

Completing CommissioningAt the end of commissioning, the new parameters of the safety functionscan be tested. To do this, select the safety functions one after the otherwhile triggering the activation of the monitors using command valueselection.

CAUTION

Loss of safety-relevant settings when thecontrol section is replaced!⇒ Save the safety technology parameters on an

external storage medium (S-0-0192, IDN-list ofbackup operation data) so that all safety-relevantsettings can be transferred to the new control sectionwhen the old one is replaced.

Note: A binary image of the safety technology data for channel 2 iscontained in parameter P-0-3208, Backup of safety techn.data channel 2.

7.6 The Safety System in Parameterization Mode and AfterInitialization

After the start button is reset, the drive system is in the "Safety relatedstandstill" operating mode, i.e. the final stage is switched off on twochannels and the corresponding acknowledgements and diagnostics areset.

If the drive is switched from the operating mode to the parameterizationmode, the system is also automatically brought into the "Safety relatedstandstill" mode.

The system is initialized and the encoder evaluation is reset the next timethat the system is switched to the operating mode. The evaluation of thesafety selection inputs occurs only in the operating mode; if necessary,the system switches to another operating state.



7.7 Deactivating Safety Technology

By executing command S-0-0262, C07_x Load defaults procedurecommand (with P-0-4090, Index for C07 Load defaultsprocedure = 165 hex), the safety technology is deactivated. The systemparameters are then invalid; no plausibility test and comparison of datatakes place. The safety parameters are reset to their default values.

CAUTION

Loss of user-defined safety parameter settingsby executing command S-0-0262, C07_x Loaddefaults procedure command!⇒ Before the safety technology is deactivated using

command S-0-0262, C07_x Load defaultsprocedure command, the safety parameters shouldbe saved to an external storage medium(memcard / diskette).

Note: The execution of command S-0-0262, C07_x Load defaultsprocedure command cannot be undone. In the case ofchanges to safety-relevant parameters, it is necessary tosubsequently carry out the safety technology commissioningwith safety technology acceptance test again!If there aren’t any changes required, the safety technology canbe activated again according to the procedure for replacing thecontrol section.

Note: At other drive modules that have been equipped with theoptional module "safety technology I/O", deactivating thesafety technology causes the error F3131.

7.8 Modification Status and Modification History

Every change of the safety memory can be assigned to an unequivocalmodification status which must be documented within the scope of thesafety acceptance test. The modification status is stored in the followingparameters:

• P-0-3201, Change counter of safety technology memory

• P-0-3202, Operating hours at last change of memory

In the case of an obligation to produce supporting documents, the laststates of the safety memory can be reproduced using parameterP-0-3203, Memory image of safety memory via an external program.

Modification status

Modification history

Integrated Safety Technology Acceptance Test 8-1


8 Acceptance Test

8.1 Acceptance Procedure

A complete acceptance test must be carried out by authorized personnelwhen commissioning the machine and for all software or hardwaremodifications that are relevant to the functional safety (includingmodifications made using telecommunication).

If only a few safety-relevant data have been modified, these must betested in a partial acceptance test.

In any case, the modifications and the execution of the test must belogged (see "Checklist for Acceptance Test").

Complete Acceptance TestIn a complete acceptance test, all planned safety functions (e.g.maintenance of limit values, functions of the control stations, functions ofthe actuators) must be checked. Here, the reaction to errors is physicallyeffective. It must be checked whether the safety function works correctly.To do this, the command value limits in the special mode must be lifted inthe higher-level control for the duration of the acceptance test.

The tests that are required for this purpose must be selected from thefollowing checklist and executed.

Partial Acceptance TestIn a partial acceptance test, only those safety functions that are affectedby the modification of the safety-relevant data must be checked.

The tests that are required for this purpose must be selected from thefollowing checklist and executed.

8.2 Checklist for Acceptance Test

Before the following safety tests can be executed, commissioning mustbe complete.

Each test must be carried out for each individual axis/spindle/roller drive.

A printout with the currently effective safety functions and the associatedvalues can be generated using the safety technology assistant in theDriveTop commissioning software (see the following example).

8-2 Acceptance Test Integrated Safety Technology


DL000003v01_en.WMF

Fig. 8-1: Example of a safety technology report / acceptance test

Integrated Safety Technology Error Messages, Warnings and Error Elimination 9-1


9 Error Messages, Warnings and Error Elimination

9.1 Firmware Code

Parameter P-0-3200, Safety firmware code contains the designation ofthe safety firmware version.

9.2 Errors

The error handling of the safety technology is covered by the errorhandling of the standard drive.

If error occurs, the drive is decelerated in the best possible or fastest wayand then goes to safety related standstill.

Note: In the case of a feedback error, the safety technology can nolonger guarantee dual-channel safety. It is then impossible, forexample, to detect a coasting spindle. In this case, the safetydoor may only be unlocked manually after an additional visualcheck by the operators. The door is to be unlocked at the drivethat reports the encoder error. This drive then acknowledgesthe safety and the master can open the safety door.The P-0-3218, Manually unlocking the safety doorparameter allows manually unlocking the safety door in thecase of a feedback error.

Note: For the causes and elimination of errors, please consult the"Troubleshooting Guide".

9.3 Warnings in Operating Mode "Normal Operation"

Note: The detection of errors on inactive safety functions leads to awarning in normal operation.For the causes and elimination of warnings, please consult the"Troubleshooting Guide".

9-2 Error Messages, Warnings and Error Elimination Integrated Safety Technology


9.4 Status Messages

Parameter P-0-3213, Safety technology status makes available binarystatus signals for online monitoring of the safety states. By means of thisstatus word, the individual status signals can be optionally programmed toexisting real-time bits of the master communication or hardware I/Os orI/O extensions.

Parameter P-0-3215, Selected safety technology mode makesavailable in coded form the activated safety operating mode of theindividual monitoring channels.

Parameter P-0-3216, Active safety technology signals shows thecurrent status of the safety signals of the individual channels.

Parameter P-0-3217, I/O status channel 2 (optional safety technologymodule) shows the current status of the inputs/outputs of the safetymodule.

9.5 Modification Status of the Safety Memory

Every change of the safety memory can be assigned to an unequivocalmodification status which has to be documented together with thepassword within the scope of the safety acceptance test.

Parameter P-0-3201, Change counter of safety technology memory isincremented each time the safety memory is changed; this also applies tothe command S-0-0262, C07_x Load defaults procedure command.

Parameter P-0-3202, Operating hours at last change of memoryindicates the point of time the safety memory was changed last. It is partof the safety memory.

9.6 Tracing the Modification History

In the case of an obligation to produce supporting documents, the laststates of the safety memory can be reproduced by calling the content ofparameter P-0-3203, Memory image of safety technology memory.The content of the parameter is a hexadecimal list. By means of anexternal program, it is possible to trace the prior states.

Integrated Safety Technology Firmware Update, Replacing the Power and Control Sections 10-1


10 Firmware Update, Replacing the Power andControl Sections

10.1 Firmware Update

Note: The firmware of the optional safety technology module and ofthe controller are firmly linked. Each firmware update containsthe firmware of the optional safety technology module and ofthe controller. If the controller firmware detects a version onthe optional safety technology module that is not suitable, thesupplied version is loaded.

In the case of a firmware update, the parameters should be retained.If parameters are lost see "Replacing a control section without MMC".

10.2 Replacing the Power Section

When the power section is replaced, new safety technologycommissioning and a new acceptance test are not required.

10.3 Replacing the Control Section

When a control section is delivered, its safety technology is inactive.The status of P-0-3207, Safety technology password level, is set tozero, while the value of Safety technology password (P-0-3206) is set to"INDRASAVE". Various steps are required, depending on whether anMMC is used or not.

Note: A control section that has already been in operation can bebrought into the above state by loading the defaults (see"Deactivating safety Technology").

After replacing the control section, proceed as follows:• Switch the drive to parameter mode

• Load the default parameters (S-0-0192) using a download file. (Thesafety technology data for channel 2 are contained as a binary imagein parameter P-0-3208, Backup of safety techn. data channel 2.)

• Switch the drive to operating mode

• Check whether the safety parameters that are suitable for the drivewere loaded; to do this, check the information in P-0-3205, Safetytechnology device identifier (machine type, unit, drivefor … axis/spindle)

Replacing a control sectionwithout MMC

10-2 Firmware Update, Replacing the Power and Control Sections Integrated Safety Technology


• Prepare a log with the following content and append it to the safety-relevant documentation of the machine:

• Control section replaced on (date)

• Change counter of safety technology memory (P-0-3201) at (value)

• Operating hours at last change of memory (P-0-3202) at (value)

• (Date), (name), (signature)

After replacing the control section, proceed as follows:• If a new MMC is detected, a query "new MMC there" or "other MMC"

appears when the control panel is booted; the user must answer thiswith "ENTER" or "ESC".

• If the first query is answered "ENTER" and the safety technology onthe new hardware is already active, a second query appears on thecontrol panel: "load new safety ?". If the ENTER key is pressed, thesafety data are transferred from the MMC; if the ESC key is pressed,the safety data are not transferred from the MMC – the safety data ofthe previously active safety technology configuration remain.

• Switch the drive to operating mode

• Check whether the safety parameters that are suitable for the drivewere loaded; to do this, check the information in P-0-3205, Safetytechnology device identifier (machine type, unit, drivefor … axis/spindle)

• Prepare a log with the following content and append it to the safety-relevant documentation of the machine:

• Control section replaced on (date)

• Change counter of safety technology memory (P-0-3201) at (value)

• Operating hours at last change of memory (P-0-3202) at (value)

• (Date), (name), (signature)

Note: In order to be able to boot the drive without MMC after havingreplaced the control section, you have to load the safetytechnology parameters to the internal memory:• Switch the drive to parameter mode.• Execute the command P-0-4091, C2500 Copy IDN from

optional memory to internal memory.• Boot the drive.

Replacing a control section withMMC

Integrated Safety Technology Declaration of Conformity and Mark Certificate 11-1


11 Declaration of Conformity and Mark Certificate

11.1 "Starting Lockout" Optional Module

DX00003v01_ms.eps

Fig. 11-1: Declaration of Conformity, "Starting lockout" optional module(CSH01.1...-L1-...)

11-2 Declaration of Conformity and Mark Certificate Integrated Safety Technology


DX00002v01_de.eps

Fig. 11-2: Mark Certificate, "Starting lockout" optional module(CSH01.1...-L1-...)

Integrated Safety Technology Declaration of Conformity and Mark Certificate 11-3


11.2 "Safety Technology I/O" Optional Module

DX00004v01_ms.eps

Fig. 11-3: Declaration of Conformity, "Safety technology I/O" optional module"(CSH01.1...-S1-...)

11-4 Declaration of Conformity and Mark Certificate Integrated Safety Technology


DX00001v01_de.eps

Fig. 11-4: Mark Certificate, "Safety technology I/O" optional module"(CSH01.1...-S1-...)

Integrated Safety Technology Index 12-1


12 Index

Aabsolute position see limited absolute positionAppropriate use

Introduction 3-1Appropriate uses

Uses 3-2

CC-standards 4-4

Ddrive system see electric drive system

Eelectric drive system 4-4Enabling control 4-5Error message

plausibility 7-6

FFields of application 6-2

HHazard analysis 4-1

IInappropriate use 3-2

Consequences, Discharge of liability 3-1Increment see Limited incremental dimensionIntegrated safety technology 1-1, 4-4

JJog switch 4-5

Llimited absolute position 4-5Limited incremental dimension 4-5Locked separating protective device with locking device (EN 292-1) 4-6

MModification history 7-8

OOperating mode switch 4-6operational stop 4-5

PProtective device see Locked separating protective device with locking device(EN 292-1) see Separating protective device (EN 292-1)

12-2 Index Integrated Safety Technology


Rreduced speed 4-5Replacing a control section with MMC 10-2Replacing a control section without MMC 10-1Replacing the Control Section 10-1Risk management 4-1

SSafety acceptance test

modification status 7-8Safety categories

requirements 4-2safety functions

safely monitored shutdown 6-6safety related homing procedure 6-6

Safety functionsoverview 6-3safety related brake management 6-10safety related control of a door locking device 6-11safety related diagnostic outputs 6-10safety related limited absolute position 6-10safety related limited increment 6-10safety related operational stop 6-4safety related reduced speed 6-9safety related standstill 6-4

Safety Functionssafety related direction of motion 6-9safety related limited absolute end position 6-10

Safety Instructions for Electric Drives and Controls 2-1Safety related 4-4Safety related reduced speed 4-5safety technology see Integrated safety technologySafety technology

cross data comparison 6-14dual-channel structure 6-13dynamization 6-15functional principle 6-12

Separating protective device (EN 292-1) 4-6Standards

relevant to components 4-3relevant to machines 4-3

standstill 4-5Starting lockout

command value selection requirements 5-2examples of application 5-3forced dynamization 5-2general information 5-1safety function 5-1selecting the starting lockout 5-2

Stop categories according to EN 60204-1 4-6Stopping process 4-4

UUse See appropriate use and see inappropriate use

Printed in GermanyDOK-INDRV*-SI*-**VRS**-FK01-EN-PR911297838

Bosch Rexroth AGElectric Drives and ControlsP.O. Box 13 5797803 Lohr, GermanyBgm.-Dr.-Nebel-Str. 297816 Lohr, GermanyPhone +49 93 52-40-50 60Fax +49 93 52-40-49 [email protected]

Rexroth IndraDrive Integrated Safety Technology Edition 01 Rexroth/Drives/Indradrive... · Rexroth...

Documents

Transcript of Rexroth IndraDrive Integrated Safety Technology Edition 01 Rexroth/Drives/Indradrive... · Rexroth...