Function Manual, Edition 05/2020, Medium-voltage SINAMICS MV, www.siemens.com

Safe Torque Off (STO) for medium-voltage converters


SINAMICS medium-voltage converters

Function Manual, 05/2020, A5E46164815A


Legal information

Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION indicates that minor personal injury can result if proper precautions are not taken.

NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING

Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Division Digital Factory, Postfach 48 48, 90026 NÜRNBERG, GERMANY

A5E46164815A Ⓟ 06/2020 Subject to change

Copyright © Siemens AG 2019 - 2020. All rights reserved

Table of contents

1 Introduction
  1.1 About these instructions
2 Safety instructions
3 Description
  3.1 Delivery condition
  3.2 Function description STO
  3.3 Overview of the SINAMICS 3-point inverter
  3.4 System limit of the function "STO MV" (scope of certification)
  3.5 Function features of the STO Safety function
    3.5.1 Ongoing monitoring / suitability for bit pattern test
    3.5.2 Synchronism of the switch-off signal paths/STO function
  3.6 Functions
    3.6.1 Measures for achieving the necessary reliability
    3.6.2 Basic location of the subfunctions
    3.6.3 Switching sequences from the point of view of the plant operator
      3.6.3.1 Select STO
      3.6.3.2 Deselecting the STO (restart)
    3.6.4 Convenience function pulse inhibit - not safety-related
    3.6.5 Activating "Safe Torque Off"
      3.6.5.1 Example: Activating the STO function via the mushroom pushbutton
      3.6.5.2 Example: Activating the STO function via F-PLC
    3.6.6 Switching on the drive again after STO
  3.7 Application examples
    3.7.1 Overview - possible converter configurations
      3.7.1.1 Parallel connection of Motor Modules with Safe Torque Off
      3.7.1.2 Multi-motor drive with Safe Torque Off
    3.7.2 Details of the STO wiring
      3.7.2.1 Single-axis drive SM150 with internal STO activation
      3.7.2.2 Three-fold parallel connection SM150 with internal STO activation
4 Preparation for use
  4.1 Wiring
  4.2 Considering the PFH value of the entire plant
5 Commissioning
  5.1 Parameterizing the safety relay
6 Acceptance test
  6.1 Performing the STO acceptance and function test
    6.1.1 Requirements
    6.1.2 STO function test
    6.1.3 Cyclic function test
    6.1.4 Check safety functions
    6.1.5 Documenting
  6.2 Suggestions for the acceptance test
    6.2.1 Complete acceptance test
    6.2.2 Partial acceptance test
  6.3 Reports
    6.3.1 Plant description - Documentation part 1
    6.3.2 Completion of the report
    6.3.3 Countersignatures
7 Operation
  7.1 Exceeding limit values
  7.2 Error messages
8 Maintenance
  8.1 Service
    8.1.1 Servicing the Power Stack Adapter
    8.1.2 Check safety function
  8.2 Repairing
9 Technical specifications
  9.1 Technical specifications of the Safety components
A Additional information
  A.1 Information for installation and commissioning from IEC 61800-5-1
  A.2 Information on safe application of the STO function from IEC 61800-5-2
  A.3 User information from EN ISO 13849-1
  A.4 Information from the Machinery Directive 2006/42/EC
  A.5 Documentation for installation, use and maintenance from IEC 62061
B Standards and regulations
  B.1 Aims
  B.2 Functional safety
  B.3 The valid international standards
  B.4 Machine safety in Europe
    B.4.1 Machinery Directive
    B.4.2 Harmonized European Standards
    B.4.3 Standards for implementing safety-related controllers
    B.4.4 Standards
      B.4.4.1 EN ISO 13849-1
      B.4.4.2 EN 62061
      B.4.4.3 Series of standards IEC 61508 (VDE 0803)
    B.4.5 Risk analysis/assessment
    B.4.6 Risk reduction
    B.4.7 Residual risk
    B.4.8 EU declaration of conformity
  B.5 Machine safety in the USA
    B.5.1 Minimum requirements of the OSHA
    B.5.2 NRTL listing
    B.5.3 NFPA 79
    B.5.4 ANSI B11
  B.6 Machine safety in Japan
  B.7 Equipment regulations
    B.7.1 Other safety-related issues
C STO can be retrofitted to existing plant
  C.1 Description of the safety-related components
  C.2 Installing components
Index

1 Introduction

1.1 About these instructions

● The present documentation describes the "Safe Torque Off" (STO) function generally for NPC inverters (NPC = Neutral Point Clamped). Because a number of different NPC inverters exist, no specific type of inverter is described.

● The documentation is aimed at the following people who implement the Safety functions:

– System integrators

– Commissioning engineers

– Service personnel of the SINAMICS medium-voltage converter

● The documentation is the basis for integration of the safety-related STO function for 3-point inverters from the SINAMICS medium-voltage modular system. The STO function is supported by the certified component "Power Stack Adapter" (PSA) in the converter.

● The documentation serves as the guideline for integrating the "Safe Torque Off" option. To use the "Safe Torque Off" option, you must consider the following:

– The functions described

– The notes on commissioning

– The suggestions for the acceptance tests

In addition to this, we recommend that acceptance testing of the implemented overall function is performed by a notified body.

Naming convention:

● In these instructions, the Power Stack Adapter is referred to as "PSA". You will find the type designation and article number in chapter "Technical specifications of the Safety components (Page 49)".

● The term "converter" is used with the same meaning as the term "inverter".

● "Internal activation" in the document means STO activation via a triggering device, e.g. mushroom pushbutton. "External activation" in the document means STO activation via an F-PLC (Fail-Safe Programmable Logic Controller) connected in front of the safety relay.

Retrofitting an existing converter with STO

You will find notes on retrofitting or converting an existing converter with the "Safe Torque Off" (STO) function in chapter "STO can be retrofitted to existing plant (Page 75)".

Text format features

You can find the following text format features in these instructions:

1. Handling instructions are always formatted as a numbered list. Always perform the steps in the order given.

● Lists are formatted as bulleted lists.

– Lists on the second level are hyphenated.

Note

The note provides you with additional information about the product itself, handling the product, and the relevant documentation.

2 Safety instructions

Risk of death resulting from failure to observe the safety instructions and residual risks

If you fail to heed and comply with the safety instructions and residual risks in the associated converter documentation, accidents can occur. This can result in severe injury or death.

● Observe the safety instructions in the converter documentation.

● Consider the residual risks in the risk assessment.

Danger due to unexpected start-up of the drive after service work

If the function "Safe Torque Off" is not checked for proper function after service work, the drive can start up unexpectedly even after the "Safe Torque Off" function has been activated.

This can result in death, serious injury or material damage.

● On conclusion of service work on the components with safety function (e.g. replacement of components), you must verify and document correct functioning. To do this, perform a cyclic function test. You will find information on this in chapter "Cyclic function test" (Page 39).

Danger due to insufficient training

Any operation and servicing that involves the "Safe Torque Off" function must be performed by trained qualified personnel only. The drive can start up unexpectedly due to improper operation. This can result in death, serious injury or material damage.

● Ensure that everyone operating or servicing the "Safe Torque Off" function is trained before they use it. Training must include studying the safety function and its incorporation into the production process. Document the training.

Danger due to coast down of the motor

When the "Safe Torque Off" function is activated, the motor will coast down if it has not yet stopped.

Incorrect use can result in death, serious injury or substantial material damage.

● Put the appropriate safety measures in place in order to avoid danger to people resulting from the motor coasting down after disconnection of the power supply.

Danger of the motor jerking into motion from standstill

When certain faults occur in the Power Module, brief jerking of the motor into motion from standstill cannot be ruled out. However, this does not result in a rotating field and continuous rotation. With incorrect use, however, jerking of the motor into motion from standstill can result in death, serious injury or substantial material damage.

● Adopt suitable protective measures to ensure that personnel are not endangered by the motor jerking into motion from standstill.

● Ensure that everyone operating the "Safe Torque Off" function is trained before they use it. Training must include studying the safety function and its incorporation into the production process. Document the training.

Danger due to the motor restarting

Drive systems, in which power supply to the motor is also possible via the load, e.g. ship's drives, conveyors, fans, etc., cannot be protected against restart using the "Safe Torque Off" function. Sudden and unexpected restarting of the motor can result in death, serious injury or substantial material damage.

● Take appropriate countermeasures, such as mechanical braking.

Danger due to high voltage

The drive is not disconnected from the line power supply by the "Safe Torque Off" function. Dangerous voltages of over 1000 V are present on the motor and drive. High voltages can cause death or serious injury if the safety rules are not observed or if the equipment is handled incorrectly.

● Isolate the electrical equipment from the power supply at the main switch when it breaks down or stops, or when it needs to be serviced, repaired or cleaned.

● Do not undertake any work on electrical connections without previously putting all the necessary precautions in place. Observe the 5 safety rules before undertaking work on the equipment.

3 Description

3.1 Delivery condition

Note

Modification of the delivery condition

If the customer makes a change to the STO function after delivery, the functionality must be assured by the customer.

If the STO is installed at the factory, the following components are installed and wired in the converter:

● Power supply unit 6EP1334

● Safety relay 3SK1122-2CB41

● Power Stack Adapter (Page 49)

Converter in a simple circuit

Installation of the converter at the factory with the option "Safe Torque Off" includes a power supply unit, a safety relay and a PSA. Inside the converter, the components are wired as described in chapter Single-axis drive SM150 with internal STO activation (Page 30).

The function of the installed safety relay with the PSA is tested before delivery. This test ensures correct wiring between the safety relay and PSA. All further plant-specific tests to achieve certified STO function must be defined by the plant integrator.

Converter for multiple motors

Installation at the factory includes a power supply unit and a safety relay in the controller cabinet. For each Motor Module, there should be at least one PSA that is connected to this safety relay. To be able to separate the transport units, the electrical connections at the cabinet interfaces must be disconnectable.

The Safe Torque Off function is tested for each Motor Module before delivery. This test ensures correct wiring between the PSA and connector in the Motor Module. All further tests to achieve certified STO function must be defined and performed.

You will find an example in chapter Three-fold parallel connection SM150 with internal STO activation (Page 31).

3.2 Function description STO

"Safe Torque Off" is a function that prevents the drive from restarting unexpectedly according to EN 60204-1, Section 5.4. The safety-related STO function is integrated in the drive, and is independent of the operating functions of the drive.

In the event of an error or for the purpose of a machine function, this function is used to safely disconnect the torque-generating motor power supply from the converter.

There are 2 independent switch-off signal paths. Both switch-off signal paths are low active. This ensures that the system is always switched to a safe status if a component fails or in the event of cable breakage.

When the "Safe Torque Off" function is selected, the following apply:

● The motor cannot be started accidentally by the converter.

● The pulse disable safely disconnects the torque-generating motor power supply from the converter.

● The Motor Module and the motor are not electrically isolated.

3.3 Overview of the SINAMICS 3-point inverter

SINAMICS MV 3-point inverters are converters that convert the three-phase line voltage with a constant amplitude and constant frequency into a three-phase voltage system with a variable amplitude and variable frequency.

The drive converters comprise various components that are combined independently of the device type. Each drive converter consists of at least a rectifier, an inverter and a closed-loop controller. The closed-loop controller and additional auxiliary components, rectifiers and inverters are installed in cabinets. The output-side filter is optional.

The components of the entire drive system and its essential interface signals are shown in the following figure. The dashed lines indicate optional interfaces and components.

Figure 3-1 Overview of the NPC converter

Essential function of the closed-loop control and open-loop control hardware

● Control Unit

Within the Control Unit, the digital control loops and the sequential control system of the converter are mapped. The Control Unit has a number of interfaces both to actuate/detect the necessary signals inside the converter and to establish communication with the plant automation outside the converter.

● Power Stack Adapter (PSA)

The PSA is the interface between the Control Unit and the Power Module. The PSA controls the semiconductor units, performs current and voltage measurement in the converter and has further interfaces for internal measurement and monitoring systems.

The control circuits of the power semiconductors are connected to the PSA via fiber-optic cables. For each semiconductor unit, a light switch-on signal is transmitted from the PSA to the corresponding power unit and an associated feedback signal from the power unit to the PSA.

Once it is activated, the "Safe Torque Off" safety function ensures that no light signal is transmitted from the PSA to the relevant power unit. The power units can therefore not be activated.

3.4 System limit of the function "STO MV" (scope of certification)

The Motor Modules of the SINAMICS MV platform with NPC technology feature a safety-related component Power Stack Adapter (PSA). The PSA includes the basic function "Safe Torque Off (STO)" if it is integrated into the cabinet system.

Figure 3-2 Block diagram PSA (labels recoverable from the figure: "P5TR", "P24 M", "5V", "OE", "R")

The certification of the STO function refers to a motor with its power electronics. A PSA is assigned to each Motor Module. Each motor is powered from one or more Motor Modules onto one or more winding systems. To achieve the required Safety Integrated Level 3 (SIL), independent switch-off signal paths "A" and "B" are implemented on PSA 2. When STO is activated, the supply voltage of the light transmitters is interrupted by "switch-off signal path A" (in the figure "5V" to "P5TR"). Via "switch-off signal path B", each associated signal driver is shut down for the light transmission current.

Switch-off signal paths "A" and "B" are operated via a suitable series-connected safety relay or a safety component. The safety relay or the safety component are connected to the PSA via a shielded cable installed in a protected duct. The safety relay or safety component receives the STO status of the PSA via the feedback circuit "Feedback_STO".

Note

Convenience function not relevant to certification

To detect inconsistencies of the input signals STO_A and STO_B or hardware faults on the PSA, the switch-off signal paths "A" and "B" are monitored by the DSAC processor of the PSA. In case of a fault, a fault message is sent to the Control Unit. The process described is a convenience function and not safety-related functionality. The input signals "STO_A_MON" and "STO_B_MON" to the DSAC (ASIC with integrated processors) are decoupled from the safety-related part.

Note

Implementation of stop category 0

The Safe Torque Off function can be used to implement stop category 0 in accordance with EN 60204-1 "Uncontrolled stop" as regards isolation of the machine drive elements from the power supply. STO activation switches the drive via the converter so that it is without torque.
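A simplified Python model of the two low-active switch-off signal paths "A" and "B" and of the non-safety monitoring of STO_A/STO_B described in this section, added here as an illustration; it is not taken from the manual and is not Siemens code. The class names, the injected faults and the 0.5 s discrepancy tolerance are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

SAFETY_TRANSMITTERS = 24    # from the manual: STO covers up to 24 light transmitters
DISCREPANCY_LIMIT_S = 0.5   # assumption: allowed A/B mismatch time, not from the manual


@dataclass
class SwitchOffPath:
    """One low-active switch-off signal path (STO_A or STO_B)."""
    input_high: bool = False      # True = relay output energised (STO deselected)
    wire_intact: bool = True      # False models a cable break
    stuck_enabled: bool = False   # injected hardware fault: path cannot switch off

    def enabled(self) -> bool:
        if self.stuck_enabled:
            return True
        # Low active: a broken cable looks like 0 V, i.e. like "STO selected".
        return self.input_high and self.wire_intact


class PsaModel:
    """Hypothetical model of the PSA shutdown logic, not the real hardware."""

    def __init__(self) -> None:
        self.path_a = SwitchOffPath()   # path A: supply voltage of the light transmitters
        self.path_b = SwitchOffPath()   # path B: signal drivers of the light transmitters
        self._mismatch_since: Optional[float] = None

    def set_relay_outputs(self, sto_a: bool, sto_b: bool) -> None:
        self.path_a.input_high = sto_a
        self.path_b.input_high = sto_b

    def light_outputs(self, firing: List[bool]) -> List[bool]:
        """Light is emitted only if supply (A), driver (B) and firing command are all present."""
        supply, drivers = self.path_a.enabled(), self.path_b.enabled()
        return [cmd and supply and drivers for cmd in firing[:SAFETY_TRANSMITTERS]]

    def torque_possible(self, firing: List[bool]) -> bool:
        return any(self.light_outputs(firing))

    def monitor(self, now: float) -> Optional[str]:
        """Non-safety diagnostic: report when the two monitored paths disagree too long."""
        a, b = self.path_a.enabled(), self.path_b.enabled()
        if a == b:
            self._mismatch_since = None
            return None
        if self._mismatch_since is None:
            self._mismatch_since = now
        if now - self._mismatch_since >= DISCREPANCY_LIMIT_S:
            return f"STO discrepancy: STO_A_MON={int(a)} STO_B_MON={int(b)}"
        return None


def run_scenarios() -> dict:
    """Constructed scenarios: (torque possible, monitor message(s)) per case."""
    firing = [True] * SAFETY_TRANSMITTERS   # Control Unit requests all pulses
    results = {}

    psa = PsaModel()
    psa.set_relay_outputs(True, True)        # STO deselected on both paths
    results["run"] = (psa.torque_possible(firing), psa.monitor(0.0))

    psa.set_relay_outputs(False, False)      # STO selected on both paths
    results["sto_selected"] = (psa.torque_possible(firing), psa.monitor(1.0))

    psa = PsaModel()
    psa.set_relay_outputs(True, True)
    psa.path_b.wire_intact = False           # cable break on path B while running
    first = psa.monitor(0.0)                 # mismatch has only just started
    results["cable_break_b"] = (psa.torque_possible(firing), first, psa.monitor(0.6))

    psa = PsaModel()
    psa.set_relay_outputs(False, False)      # STO selected ...
    psa.path_a.stuck_enabled = True          # ... but path A has failed "on"
    psa.monitor(0.0)
    results["path_a_stuck"] = (psa.torque_possible(firing), psa.monitor(0.6))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

In the last two scenarios a single fault on one path never lets light reach the power units, because the other path still blocks it; the discrepancy message only reports the fault and plays no part in the shutdown itself.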

3.5 Function features of the STO Safety function

The "Safe Torque Off" (STO) function is defined as follows according to the standard IEC 61800-5-2:

● The STO function prevents the supply of energy to the motor that can produce torque.

To show essential properties and setting options clearly, the description of the functions is as simplified as possible.

● The function is drive-independent and independent of the set operating modes of the converter, e.g. closed-loop control modes, with/without encoder, etc.

● The function is completely integrated in the drive. STO can be selected via terminals from an external source.

● The function is drive-specific. STO is therefore available for each drive or each Motor Module.

● When the STO function is selected, the following applies:

– The motor cannot start up accidentally of its own accord.

– The pulse disable safely disconnects the torque-generating motor power supply.

– The Motor Module and the motor are not electrically isolated.

The central components of the STO function are a certified safety relay, the Power Stack Adapter, and triggering device (e.g. mushroom pushbutton etc.). The triggering device must be provided by the customer.

To ensure that the connected motor cannot produce torque, the light transmitters to the control circuits of the power semiconductors are safely shut down by the STO function. The STO function is implemented on the PSA for the 3-point converter.


For the actual power unit control, up to 24 light transmitters are used in a safety-related manner ①. The remaining 12 light transmitters ② are reserved for other, non-safety-related functions, e.g. Braking Module and crowbar. For this reason, the STO function is only implemented for 24 light transmitters on the PSA.

① Safety-related interfaces (with STO)

② Non-safety-related interfaces (Braking Module/crowbar)

③ Non-safety-related interfaces (actual value acquisition/PSA links)

Figure 3-3 PSA interfaces

NoteCross-circuit detection

The safety relays perform a cross-circuit detection of your "detection" control circuits. For this reason, the cables for this are not connected.

In DC bus systems, electrically isolated input signals must be provided to select the STO function of different Motor Modules.

Before the fiber-optic cable interface with the Power Module is shut down via 2 delayed outputs, the Control Unit is informed of the selection of the STO function via a non-delayed output of the safety relay. This procedure avoids unwanted fault messages when STO is selected and is not part of the safety function.

● The non-delayed information from the safety relay to the Control Unit is transferred as a pulse inhibit request from the Control Unit via DRIVE-CLiQ communication to the PSA. This puts the converter in a defined state before actual activation of the two shutdown channels.

● Activation of the STO function is detected on the PSA by the processor DSAC and signaled by the PSA to the SINAMICS Control Unit via the Ethernet-based "DRIVE-CLiQ" connection.

3.5.1 Ongoing monitoring / suitability for bit pattern test

The Power Stack Adapter normally responds immediately to signal changes in its fail-safe digital inputs "STO_A" and "STO_B". This reaction is not desired in the following case:

To reveal short-circuits or cross-circuit faults, some control modules, e.g. including the safety relay used, test their fail-safe outputs with "bit pattern tests" (light/dark tests). By interconnection of a fail-safe digital output of the PSA with a fail-safe digital output of the safety relay, the PSA would respond to these test pulses. However, a filter in the PSA inputs suppresses short-time test signals due to a bit pattern test or contact bounce. This operation has the advantage that the STO function "detecting" and "evaluating" is operated with a bit pattern test and is run during operation.

You will find information in the data sheet (https://mall.industry.siemens.com/mall/de/de/Catalog/product?mlfb=3SK1122-2CB41) and the manual (https://support.industry.siemens.com/cs/de/de/view/67585885) of the safety relay.

Note

Suppressing signals

Pulses up to a length of 7.5 ms are suppressed at the fail-safe digital inputs.
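The effect of this input filter on bit pattern test pulses and contact bounce can be checked against a recorded trace. The following Python sketch is an added example, not Siemens code: it assumes a simple hold-time filter (the manual does not describe how the PSA filter is implemented), and the edge traces for STO_A and STO_B are constructed.

```python
"""Simplified model of the 7.5 ms input filter on STO_A/STO_B (added example)."""

FILTER_MS = 7.5  # from the manual: pulses up to 7.5 ms are suppressed


def filter_edges(edges, initial_level, filter_ms=FILTER_MS):
    """Return the level changes that survive the filter.

    edges: list of (time_ms, level) raw transitions, sorted by time.
    Assumed model: a change is accepted only if the input stays at the new
    level for longer than filter_ms; the accepted edge is reported at the
    moment the hold time has elapsed.
    """
    accepted = []
    stable = initial_level
    pending = None  # (time_ms, level) of a change that is not yet confirmed
    for t, level in edges:
        if pending is not None:
            if level == pending[1]:
                continue  # repeated sample of the same level, timer keeps running
            if t - pending[0] > filter_ms:
                stable = pending[1]
                accepted.append((pending[0] + filter_ms, stable))
            pending = None  # either confirmed above or suppressed as a short pulse
        if level != stable:
            pending = (t, level)
    if pending is not None:  # the last change is never reverted in the trace
        accepted.append((pending[0] + filter_ms, pending[1]))
    return accepted


def selection_times(edges_a, edges_b):
    """First time each filtered channel goes to 0 (STO selected) and their skew in ms."""
    def first_low(edges):
        return next((t for t, lvl in filter_edges(edges, 1) if lvl == 0), None)

    ta, tb = first_low(edges_a), first_low(edges_b)
    skew = None if ta is None or tb is None else abs(ta - tb)
    return ta, tb, skew


# Constructed traces (times in ms). Level 1 = STO deselected, 0 = STO selected.
# STO_A: two 1 ms dark test pulses, then a real selection at t = 500 ms.
TRACE_A = [(100.0, 0), (101.0, 1), (300.0, 0), (301.0, 1), (500.0, 0)]
# STO_B: a 1 ms test pulse, a pulse of exactly 7.5 ms (still suppressed),
# then a real selection 0.5 ms after channel A.
TRACE_B = [(200.0, 0), (201.0, 1), (400.0, 0), (407.5, 1), (500.5, 0)]

if __name__ == "__main__":
    print("STO_A filtered:", filter_edges(TRACE_A, 1))
    print("STO_B filtered:", filter_edges(TRACE_B, 1))
    print("selection A, B, skew:", selection_times(TRACE_A, TRACE_B))
```
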

3.5.2 Synchronism of the switch-off signal paths/STO function

On external selection of the STO function, in two channels via safe command devices or fail-safe programmable logic controllers (F-PLC), STO is requested at the safety relay. The safety relay triggers the safe function via 2 separate switch-off signal paths. For this purpose, the safety relay switches the relevant signals synchronously to the switch-off signal paths "A" and "B".

The PSA provides the information "Feedback_STO". If both channels "STO_A" and "STO_B" are deselected (low), the "Feedback_STO" circuit is fed back to the safety relay, starting from the safety relay, via the closed relay contacts of the PSA.


3.6 Functions

A dual-channel structure is realized for data input/output and for processing fail-safe I/O signals. As the actuator, a forced NC contact according to ISO 23850 and EN 60947-1 or a certified fail-safe controller F-PLC can be used.

3.6.1 Measures for achieving the necessary reliability

Simultaneity and tolerance time of the two monitoring channels

The function STO must be selected/deselected via the STO input terminals of the PSA (STO_A, STO_B). The function is only applied to the affected drive.

● 1 signal: Deselecting the function

● 0 signal: Selecting the function

When the STO function is selected, each channel triggers the safe function via its switch-off signal path. For this purpose, the safety relay or the F-PLC switches the relevant signals synchronously to the switch-off signal paths A and B.

The PSA provides the information via the feedback circuit as to whether STO is "active" or "inactive" on the PSA. If both channels "STO_A" and "STO_B" have dropped out (low), the feedback circuit must be closed via the series-connected relay contacts between X340.5/X340.6 and X341.5/X341.6.


3.6.2 Basic location of the subfunctions

The following illustration shows the location of the subfunctions "Detecting" - "Evaluating" - "Reacting".

[Figure signal labels: STO_A, STO_B, STO_M_A, STO_M_B, STO_A_FB1, STO_B_FB2]

Detecting: Local on the drive train

Evaluating: In the controller cabinet of the converter (24 V environment)

Reacting: Near to the power semiconductors in the Power Module/converter cabinet

Figure 3-4 Details of the functions

Instructions for safe operation:

● Shielded cables between the controller cabinet and the converter cabinet

● Installing cables with protection, e.g. against kinking, crushing, etc.

● Using the bit pattern test of the safety relay actively


3.6.3 Switching sequences from the point of view of the plant operator

3.6.3.1 Select STO


Figure 3-5 Shutting down the drive and selecting the STO


3.6.3.2 Deselecting the STO (restart)

Figure 3-6 Deactivation of the STO and restarting the drive

3.6.4 Convenience function pulse inhibit - not safety-related

The "pulse inhibit" function is not safety-related. It is a convenience function.

The non-delayed output of the safety relay is directly connected to an input of the Control Unit. The non-delayed signal of the output leads via the Control Unit to an external pulse inhibit. The drive is switched via the converter such that it is without torque.

If the STO feedback message is not correlated with the requested pulse inhibit/enable, an alarm F30085 is output. See function diagram 9845 below. The delay time of the safety relay on activation of the STO function of 0.5 s is already considered. In addition, a delay time/bounce time of 0.3 s is set in parameter p17564[2]. After this delay time/bounce time has expired, the monitoring signals "STO_A_MON" and "STO_B_MON" are evaluated via the DSAC.

Note

Adjusting the delay time/bounce time

The 3SK1122 safety relay used has solid-state outputs. If other safety relays are used, the delay time/bounce time must be adapted accordingly.

When the STO/restart is deactivated, the delayed and non-delayed outputs of the safety relay are switched on simultaneously. After the delay time/bounce time set in parameter p17564[2] has expired, the monitoring signals "STO_A_MON" and "STO_B_MON" are evaluated via the DSAC processor.
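The timing of this plausibility check can be reproduced offline from a commissioning log. The following Python sketch is an added example, not the logic of function diagram 9845: it assumes that both monitoring signals are sampled once at the end of the delay window and compared with the request, and the request and monitoring logs are constructed.

```python
"""Model of the convenience check between pulse inhibit request and STO feedback."""
from bisect import bisect_right

RELAY_DELAY_MS = 500  # delay of the safety relay on activation of STO (0.5 s)
BOUNCE_TIME_MS = 300  # delay time/bounce time set in p17564[2] (0.3 s)


def evaluation_time(t_request_ms, kind):
    """Time at which STO_A_MON/STO_B_MON are evaluated in this model.

    On selection the delayed relay outputs switch 0.5 s after the non-delayed
    output, so the relay delay precedes the bounce time. On deselection both
    output groups switch together and only the bounce time applies.
    """
    relay_delay = RELAY_DELAY_MS if kind == "select" else 0
    return t_request_ms + relay_delay + BOUNCE_TIME_MS


def check_correlation(requests, mon_samples):
    """Compare each request with the monitoring state at its evaluation time.

    requests:    list of (t_ms, "select" | "deselect") from the non-delayed output.
    mon_samples: list of (t_ms, sto_a_active, sto_b_active), sorted by time.
    Returns a list of (t_request_ms, kind, t_eval_ms, message) for mismatches.
    """
    sample_times = [s[0] for s in mon_samples]
    findings = []
    for i, (t_req, kind) in enumerate(requests):
        t_eval = evaluation_time(t_req, kind)
        if i + 1 < len(requests) and requests[i + 1][0] < t_eval:
            continue  # superseded before evaluation (assumption of this model)
        idx = bisect_right(sample_times, t_eval) - 1
        if idx < 0:
            findings.append((t_req, kind, t_eval, "no monitoring sample"))
            continue
        _, a_active, b_active = mon_samples[idx]
        expected = kind == "select"  # STO expected active after a selection
        if a_active != expected or b_active != expected:
            msg = f"F30085: STO_A_MON={a_active} STO_B_MON={b_active}"
            findings.append((t_req, kind, t_eval, msg))
    return findings


# Constructed logs (times in ms).
REQUESTS = [(10_000, "select"), (20_000, "deselect"), (30_000, "select")]
MON_SAMPLES = [
    (0, False, False),
    (10_500, True, True),     # both paths report STO active after the relay delay
    (20_010, False, False),   # both paths released on restart
    (30_500, True, False),    # channel B does not follow: mismatch expected
]

if __name__ == "__main__":
    for finding in check_correlation(REQUESTS, MON_SAMPLES):
        print(finding)
```
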


Figure 3-7 Function diagram 9845 - pulse inhibit external


3.6.5 Activating "Safe Torque Off"

WARNING

Danger to life due to unwanted start-up of the motor

The motor can start up unexpectedly. This can result in death, injury and material damage.

● After disconnection of the power supply, take measures to prevent unwanted movement of the motor depending on the risk assessment, e.g. mechanical braking.

STO can be activated in the "ready to start" condition or "during operation".

Activation of STO in the "ready to start" condition - drive is shut down

Requirements for activation of STO in the ready to start condition (normal case):

● The drive has been shut down in operation.

● A pulse inhibit has additionally been triggered. You will find information in section "Convenience function pulse inhibit - not safety-related. (Page 21)"

● The switch-off signal paths "A" and "B" have been activated.

Figure 3-8 STO activation in the ready to start condition


Activation of STO while the drive is running - not preceded by shutdown

On activation of STO during operation, the drive behaves as follows:

● The drive goes internally into the pulse inhibit condition due to the leading information channel to the higher-level Control Unit.

● The switch-off signal paths "A" and "B" are activated synchronously.

● The drive coasts to a standstill. The duration depends on the inertia and load torque.

Figure 3-9 STO activation while the drive is running

3.6.5.1 Example: Activating the STO function via the mushroom pushbutton

[Figure signal labels: STO_A, STO_B, STO_M_A, STO_M_B, STO_A_FB1, STO_B_FB2]

Figure 3-10 Mushroom pushbutton with safety relay


Function description:

Detecting: The function is activated by the mushroom pushbutton

Evaluating: The safety relay processes the signals

Reacting: The PSA responds in two channels. This ensures that no driving torque can be produced by the converter.

3.6.5.2 Example: Activating the STO function via F-PLC

[Figure signal labels: STO_A, STO_B, STO_M_A, STO_M_B, STO_A_FB1, STO_B_FB2]

Figure 3-11 Triggering device with F-PLC and safety relay

Detecting: The function is activated in the control cabinet via the terminal block and acquired in the plant via the triggering device.

Evaluating: The customer F-PLC (Fail Safe - Programmable Logic Controller) processes the signals. The safety relay installed as standard diagnoses the STO function of the PSA every time it is operated and checks the cabling to the external F-PLC for a cross-circuit fault.

Reacting: The PSA responds in two channels. This ensures that no driving torque can be produced by the converter.


Note

F-PLC (Fail Safe - Programmable Logic Controller)

The configuration with an F-PLC does not correspond to the standard configuration of the converter. The F-PLC must be connected on the customer side.

3.6.6 Switching on the drive again after STO

When the STO state is exited and the pulse inhibit is canceled, the drive is ready to start. The drive can be switched on again with a deliberate active operator action via the automation system/from the control room.


3.7 Application examples

3.7.1 Overview - possible converter configurations

3.7.1.1 Parallel connection of Motor Modules with Safe Torque Off

Motor Modules connected in parallel are used to increase the power of the driving motor. For this purpose, a Control Unit can be connected to multiple PSAs and their safety relays on the motor side. Each subsystem has its own reacting and evaluating components.

Figure 3-12 Parallel connection of Motor Modules


3.7.1.2 Multi-motor drive with Safe Torque Off

The SINAMICS MV modular system enables use of multiple motors with a common DC busbar and infeed. The figure shows schematically how a SINAMICS MV converter could be used as a multi-drive in a plant.

Figure 3-13 Schematic diagram: SINAMICS MV multi-motor drive with Safety System


3.7.2 Details of the STO wiring

3.7.2.1 Single-axis drive SM150 with internal STO activation

[Figure signal labels: STO_A, STO_B, STO_M_A, STO_M_B, STO_A_FB1, STO_B_FB2]

Figure 3-14 Example: SM150 - functional subareas of STO


3.7.2.2 Three-fold parallel connection SM150 with internal STO activation

The figure shows an example in which a safety relay interacts with 3 PSAs via STO circuits.

[Circuit diagram labels: supply N (L2), L1, PE, L+, L-, 230 V, 110 V, L, N; for each of the three PSAs: P24V, P24 M, STO_A, STO_B, STO_M_A, STO_M_B, STO_A_FB1, STO_B_FB2]

Figure 3-15 Example: Three-fold parallel connection_PSA with STO control circuits

If the Motor Modules are connected in parallel to increase the power of the driving machine, the safety relay controls all the PSAs affected via "STO_A" and "STO_B" in parallel. The feedback circuits of the PSAs are connected in series in the feedback circuit of the safety relay.


4 Preparation for use

4.1 Wiring

Cable type

● Shielded cable, Sabix D345 4x2x0.5mm²

● Capacitance per unit length: 30 nF/km

● SAB Bröckskes, Siemens article number 1010084

Cable length

Given the capacitances that may arise due to the cable installation, we recommend limiting the cable length as follows:

● Distance from the triggering device to the safety relay: 100 m

● Distance from the safety relay to the PSA: 100 m

The data on maximum cable length can be found in the data sheet/application manual of the safety relay. You will find further information in the Industry Mall (https://support.industry.siemens.com/cs/ww/en/view/91198365).

Wiring

1. Connect the cable shield at both ends in the controller cabinet and the converter cabinet. Install the cable in a protected duct.

2. Connect the shield between the safety relay and PSA to a suitable point in the cabinet connection area (customer terminals). The internal cabinet wiring is implemented in the factory. The maximum permissible cable length between the safety relay and the PSA results from the specification in the data sheet of the safety relay. In the cable length calculation, consider the input capacitance of the switch-off signal path "STO_A" and "STO_B" at approx. 40 nF in each case.

4.2 Considering the PFH value of the entire plant

The probability of failure of safety functions must be specified in the form of a PFH value according to IEC 61508, IEC 62061 and DIN EN ISO 13849-1. The PFH value of a safety function depends on the safety concept of the drive unit and its hardware configuration, as well as on the PFH values of other components used for this safety function.

The PFH values of all SIEMENS Safety components are available in the "Safety Evaluation Tool" (www.siemens.de/safety-evaluation-tool).


In the following table, you will find the values of the "probability of dangerous failure per hour" (PFH) of the factory-fitted components.

| Component | PFH value [1/h] |
|---|---|
| Siemens 3SK1122-2CB41 safety relay | 1.5*10^-9 (acc. to data sheet) |
| PSA | 50*10^-9 (calculated value) |

5 Commissioning

The precondition for commissioning of STO is that actual commissioning of the drive has been completed.

If the converter is equipped with STO in the factory, the required components are already installed and wired.

For parallel connection of Motor Modules, set up the external cable connections from the controller cabinet with 3SK11 to the parallel controller cabinets as described in chapter "Wiring (Page 33)".

● The converter has to be integrated into the plant by the customer/plant integrator.

● A triggering device for activating the STO function is not provided. Both connections for the triggering device or the sensor inputs on the safety relay are jumpered with one wire jumper (Page 36) each. This deactivates the STO function. It is possible to release the drive.

● The customer/plant integrator is responsible for acceptance of the complete function.

Risk minimization through Safety Integrated

Safety Integrated can be used to reduce the level of risk associated with machines and plants.

Machines and plants can only be operated safely in conjunction with Safety Integrated in the following conditions:

● The machine manufacturer precisely knows this technical user documentation, including the documented limitations, safety information and residual risks. The machine manufacturer complies with the instructions in this documentation.

● The machine manufacturer carefully designs and configures the machine or plant. The machine manufacturer has the machine/plant carefully constructed and configured and an acceptance test carefully performed and the results documented by qualified personnel.

● The machine manufacturer implements and validates all the measures required in accordance with the machine or plant risk analysis by means of the programmed and configured Safety Integrated functions or by other means. The machine manufacturer validates these measures.

The use of Safety Integrated does not replace the machine/plant risk assessment carried out by the machine manufacturer as required by the EC Machinery Directive. In addition to using Safety Integrated Functions, further risk reduction measures must be implemented.


5.1 Parameterizing the safety relay

Switch positions of the 3SK1122 safety relay

| DIP switch | Switch position | Function | Factory setting |
|---|---|---|---|
| 1 | Left | Automatic start | X |
| 1 | Right | Monitored start | |
| 2 | Left | Cross-circuit detection deactivated | |
| 2 | Right | Cross-circuit detection activated | X |
| 3 | Left | 2 x 1-channel sensor connection | |
| 3 | Right | 1 x 2-channel sensor connection | X |
| 4 | Left | Start-up test ON | |
| 4 | Right | Start-up test OFF | X |

| Time delay | Factory setting |
|---|---|
| Potentiometer for setting the delay time | 0.5 sec |

| Terminal | Explanation | Connection | Factory setting |
|---|---|---|---|
| IN1 | Sensor channel 1 | NC 1, triggering device | Jumper 1) |
| T1 | Test output 1 | | |
| IN2 | Sensor channel 2 | NC 2, triggering device | Jumper 1) |
| T2 | Test output 2 | | |

1) With the jumpers inserted in the "Sensor channel 1" and "Sensor channel 2" the STO function is deactivated. It is possible to release the drive. Only by removing both jumpers and connecting a triggering device or a fail-safe control is the safety-related function available.

Setting the delay time of the safety relay

Parameterize the safety relay in such a way that the connected sensor is controlled and monitored in two channels. Document the settings made on the safety relay.

We recommend the following delay time, which can be set on the potentiometer of the safety relay:

● Approx. 0.5 sec. Time from when the triggering device triggers or "STO" is requested at the input terminals of the safety relay until the light transmitter disable on the PSA.

This delay time is assumed in the further description.

6 Acceptance test

Necessity of an acceptance test

A complete acceptance test is required when first commissioning the "SINAMICS-Safety Integrated Function" on a machine. The acceptance test must be performed individually for each drive.

Whether a partial acceptance test is sufficient has to be decided for each installation (by the nominated person in control of an electrical installation). The following must be taken into account in this process:

● Safety-related functional expansions

● Transfer of the commissioning to other series machines

● Hardware changes

● Software upgrades etc.

A summary of conditions which determine the necessary test scope or proposals in this context is provided in chapter "Suggestions for the acceptance test (Page 40)".

Requirements

The acceptance test requirements for electrical drive safety functions emanate from the standard "IEC 61800-5-2, chapter 7.1 section f". The term for the acceptance test in the standard is "configuration test". The standard stipulates the following:

● Description of the STO function, including an overview circuit diagram

● Description of the safety-related components (Page 75) that are used in the application

● Test execution (Page 38) and documentation (Page 40)

● Test date and confirmation (Page 42) by test personnel

Purpose of the acceptance test

The acceptance test verifies correct operation of the safety-related function with the components used. The EC Machinery Directive and DIN EN ISO 13849‑1 stipulate:

● "You must check safety-related functions and machine parts after commissioning."

Test execution and documentation

The acceptance test must only be performed by authorized persons. Authorized personnel are "persons authorized by the machine manufacturer", who, on account of their technical qualifications and knowledge of the safety functions, are in a position to perform the acceptance test in the correct manner.


The machine manufacturer is responsible for performing and documenting the acceptance test. In chapter "Suggestions for the acceptance test (Page 40)", you will find examples of how you can perform and document the acceptance tests for the STO safety function.

● The procedure shown is an example and a recommendation.

6.1 Performing the STO acceptance and function test

No special tools or test equipment are required to perform the acceptance test.

6.1.1 Requirements

To perform the acceptance test, the following requirements must be met:

● The converter and the machine are correctly wired.

● All safety equipment, such as protective door monitoring devices, light barriers, emergency limit switches, are connected and ready for operation.

● Commissioning of the open-loop and closed-loop control has been completed. If commissioning is not completed, overtravel, for example, may change as a result of changes to the dynamic response of the drive. These include, for example:

– Settings of the setpoint channel

– Position control in the higher-level controller

– Drive control

6.1.2 STO function test

Testing the STO safety function includes the basic function and checking the switch-off signal paths "STO_A" and "STO_B".

Testing the basic function

1. Make sure that the plant is ready to operate and can be started up.

2. Activate the safety function, e.g. with the triggering device.

3. Try to enable the plant and manually start the motor.

4. Make sure that the motor does not start.

5. Unlock the triggering device.

6. Acknowledge any fault messages that occur.

7. Try to enable the plant again and manually start the motor.

8. Make sure that the motor has now started.

9. Document (Page 40) the test.

Testing the STO activation channels

The aim of the test is to separate the individual STO switch-off signal paths one after the other and to check activation of the STO safety function.

The following steps are performed to check the STO switch-off signal path "STO_A".

1. Make sure that only the auxiliary voltage is connected.

2. Pull out plug X340 on the PSA of the corresponding Motor Module. To do this, unscrew the locking screws on the connector.

3. Close all cabinet doors. Put the system in the ready-to-operate condition.

4. Unlock the triggering device. Acknowledge any fault messages that occur.

5. Try to enable the plant and manually start the motor.

6. Make sure that the motor does not start. A fault message must now be pending that is caused by connector X340 being pulled out.

7. Shut down the plant so that only the auxiliary voltage is connected.

8. Plug connector X340 in again. Tighten the locking screws on the connector.

9. Close all cabinet doors. Put the system in the ready-to-operate condition.

10. Unlock the triggering device. Acknowledge any fault messages that occur.

11. Try to enable the plant and manually start the motor.

12. Make sure that the motor has now started.

13. Document (Page 40) the test.

Repeat the test for STO switch-off signal path "STO_B", connector X341.

6.1.3 Cyclic function test

Perform the test described in chapter "STO function test (Page 38)".

To meet the requirements for timely fault detection, a function test must be run within a time interval. Depending on the required safety integrity level (SIL) of the plant, the following time intervals result:

● SIL 3: Quarterly inspection

● SIL 2: Annual inspection

6.1.4 Check safety functions

The function check of the safety function in the installation goes further than the acceptance test of the converter. Check the following:

● Is all safety equipment, such as protective door monitoring devices, light barriers or emergency-off switches, connected and ready for operation?

● Does the higher-level control correctly respond to the safety-related feedback signals of the converter?

● Do the inverter settings match the configured safety-related function in the machine?

6.1.5 Documenting

Document the test performed. The documentation must contain the following:

● Description (Page 42) of the safety-related components and functions of the machine or plant.

● Record of the results (Page 43) of the acceptance test

● Record of the settings of the safety functions

The documentation must be signed by the person who carried out the acceptance test. Finally, the documentation must be countersigned (Page 43) by the commissioning engineer and the machine manufacturer or a notified body.

6.2 Suggestions for the acceptance test

6.2.1 Complete acceptance test

Documentation - plant-specific information

Document the following:

● Machine including the safety functions

● Machine description with overview diagram

● Specification of the controller, if this exists

● Safety Integrated function of each drive

● Information about safety equipment

Function test of the safety function

Detailed functional testing of the Safety Integrated function used.


For SINAMICS MV converters:

● Check that the previously listed documents are complete.

● Test of the Safety Integrated function "Safe Torque Off" as described in chapter "STO function test (Page 38)"

6.2.2 Partial acceptance test

Documentation

Document the following:

● Supplement/change the hardware data

● Supplement/change the software data (specify version)

● Extending/changing the Safety Integrated function of each drive

● Extending/changing the specifications of the safety equipment

Function test of the safety function

Detailed functional testing of the Safety Integrated function used.

For SINAMICS MV converters:

● Check that the previously listed documents are complete.

● Test of the Safety Integrated function "Safe Torque Off" as described in chapter "STO function test (Page 38)"

If the safety function has not been modified, the function test is not required.


6.3 Reports

6.3.1 Plant description - Documentation part 1

6.3.2 Completion of the report

Safety Integrated Function parameters

Defined test sequence observed. Result meets the specifications:

| | Yes | No |
|---|---|---|
| Safety Integrated Function (STO) | | |

6.3.3 Countersignatures

Commissioning engineer

This confirms that the tests and checks have been carried out properly.

Date Name Company/dept. Signature

Machine manufacturer or notified body

This confirms that the parameters recorded above are correct.

Date Name Company/dept. Signature


7 Operation

7.1 Exceeding limit values

Safety function, e.g. for PSA internal fault

The STO switch-off signal function is ensured. For fast reduction of the 5 V supply voltage for the FO light transmitters via the switch-off signal path STO_A, the Power Stack Adapter has a fast discharge circuit. If the fast discharge circuit of the switch-off signal path STO_A fails on the Power Stack Adapter, the STO active state is not achieved within 20 ms. The switch-off time is extended to max. 250 ms. The switch-off signal path STO_B switches off within 20 ms.
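The limits above can be applied to switch-off times measured during a function test. The following Python sketch is an added example and not part of the manual; the measurement format (millisecond timestamps of the STO demand and of each channel reporting STO active) and all names in it are assumptions.

```python
"""Classify measured STO switch-off times against the limits in section 7.1.

Added example. Record format and names are assumptions, not a Siemens API.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple

FAST_LIMIT_MS = 20.0       # STO_A and STO_B normally switch off within 20 ms
EXTENDED_LIMIT_MS = 250.0  # STO_A maximum if its fast discharge circuit fails


class Verdict(IntEnum):
    OK = 0        # both paths within 20 ms
    DEGRADED = 1  # STO_A slow but within 250 ms, STO_B within 20 ms
    FAIL = 2      # outside every limit stated in section 7.1


@dataclass(frozen=True)
class StoMeasurement:
    """One STO demand; all timestamps in ms on a common clock (assumed format)."""
    demand_ms: float
    sto_a_active_ms: Optional[float]  # None: channel never reported STO active
    sto_b_active_ms: Optional[float]


def _elapsed(demand_ms: float, active_ms: Optional[float]) -> Optional[float]:
    """Switch-off time of one channel, or None if it never switched off."""
    if active_ms is None:
        return None
    elapsed = active_ms - demand_ms
    if elapsed < 0:
        # Feedback before demand points at the measurement, not the drive.
        raise ValueError("feedback precedes demand; check clock and wiring")
    return elapsed


def classify(m: StoMeasurement) -> Tuple[Verdict, str]:
    """Return the verdict for one demand together with a short reason."""
    t_a = _elapsed(m.demand_ms, m.sto_a_active_ms)
    t_b = _elapsed(m.demand_ms, m.sto_b_active_ms)

    missing = [name for name, t in (("STO_A", t_a), ("STO_B", t_b)) if t is None]
    if missing:
        return Verdict.FAIL, f"{', '.join(missing)} never reported STO active"

    # The manual states no extended time for STO_B: it must meet 20 ms.
    if t_b > FAST_LIMIT_MS:
        return Verdict.FAIL, f"STO_B took {t_b:.1f} ms (limit 20 ms)"
    if t_a <= FAST_LIMIT_MS:
        return Verdict.OK, f"STO_A {t_a:.1f} ms, STO_B {t_b:.1f} ms"
    if t_a <= EXTENDED_LIMIT_MS:
        # Matches the behaviour described for a failed fast discharge circuit.
        return Verdict.DEGRADED, (
            f"STO_A took {t_a:.1f} ms (over 20 ms, within 250 ms); "
            "consistent with a failed fast discharge circuit on the PSA"
        )
    return Verdict.FAIL, f"STO_A took {t_a:.1f} ms (limit 250 ms)"


def evaluate(measurements: List[StoMeasurement]) -> Verdict:
    """Worst verdict over a whole test run."""
    if not measurements:
        raise ValueError("no measurements recorded")
    return max(classify(m)[0] for m in measurements)


# Constructed sample data, not taken from a real converter.
SAMPLE_RUN = [
    StoMeasurement(0.0, 12.0, 15.0),        # both paths fast
    StoMeasurement(1000.0, 1180.0, 1012.0), # STO_A slow, STO_B fast
    StoMeasurement(2000.0, 2011.0, 2030.0), # STO_B too slow
]

if __name__ == "__main__":
    for sample in SAMPLE_RUN:
        verdict, reason = classify(sample)
        print(f"{verdict.name:8s} {reason}")
    print("Run verdict:", evaluate(SAMPLE_RUN).name)
```

A DEGRADED result is a fault condition, not a pass: section 8.2 requires the Power Stack Adapter to be replaced in case of a fault.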

7.2 Error messages

A malfunction of STO is indicated by the LED displays on the front of the 3SK1122 safety relay.


8 Maintenance

8.1 Service

8.1.1 Servicing the Power Stack Adapter

The Power Stack Adapter is maintenance-free. The service life is approx. 20 years.

8.1.2 Check safety function

Perform a function test at regular intervals to maintain the function.

You will find information on this in chapter "Cyclic function test (Page 39)".

8.2 Repairing

The Power Stack Adapter has to be replaced for safety reasons in case of a fault. Replacement of individual components of the PSA is not possible.

After replacement of the PSA, complete commissioning with an acceptance test and function test (Page 38).


9 Technical specifications

9.1 Technical specifications of the Safety components

Technical specifications of the Power Stack Adapter

Designation: PSA SINAMICS XM/XL 4 (with STO)

Article number: 6SL3995-6AX00-0DA1

Dimensions (mm): 114 x 570 x 370 (L x W x H)

Weight (kg): 4.2, with packaging 5.4

Installation altitude: 5000 m above sea level: 100 % load capability

Operating and storage conditions

Ambient temperature:

● Operation: 0 °C ... 55 °C, condensation not permissible

● Storage: -25 °C ... 70 °C

Degree of protection: IP20

Information on the other Safety components

You will find the technical specifications in the data sheet of each component.

Installation altitude

Observe the permissible installation altitudes. You will find the installation altitudes in the data sheet of each component.

For example, the factory-fitted safety relay 3SK1122 is approved for installation at up to 2000 m above mean sea level.

STO connections

The switch-off signal paths and feedback signals are wired to connectors X340 and X341.

Connector X340

Pin 1: Internal 24 V of the PSA

Pin 2: Switch-off signal path STO channel A

Pin 3: Switch-off signal path STO channel A ground connection

Pin 4: Internal ground of the PSA

Pin 5: Feedback circuit channel A, connection 1

Pin 6: Feedback circuit channel A, connection 2


Connector X341

Pin 1: Internal 24 V of the PSA

Pin 2: Switch-off signal path STO channel B

Pin 3: Switch-off signal path STO channel B ground connection

Pin 4: Internal ground of the PSA

Pin 5: Feedback circuit channel B, connection 1

Pin 6: Feedback circuit channel B, connection 2


A Additional information

The documentation refers to the contents of the standards stated below.

IEC 61800-5-1, chapters 6.3, 6.4, 6.5

Variable-speed electrical power drive systems – Part 5-1: Requirements regarding safety – electrical, thermal, and energy requirements

● Information for installation and commissioning (chapter 6.3 of the standard)

● Information on use (chapter 6.4 of the standard)

● Information on maintenance (chapter 6.5 of the standard)

IEC 61800-5-2, chapter 7.2

Variable-speed electrical power drive systems – Part 5-2: Safety requirements – Functional safety

● Information on safe application of the STO function

EN ISO 13849-1, chapter 11

Safety of Machinery – Safety-Related Parts of Control Systems – Part 1: General principles for design

● User information

Machinery Directive 2006/42/EC

Information on equipment and certification

IEC 62061, chapter 7.2

Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems

● Documentation for installation, use and maintenance


A.1 Information for installation and commissioning from IEC 61800-5-1

The documentation refers to the following sections of chapter 6.3 of the standard IEC 61800-5-1:

● 6.3.2 Mechanical considerations

– You will find information on the mechanical considerations of the Power Stack Adapter in chapter "Description of the safety-related components (Page 75)".

– You will find information on installing the Power Stack Adapter here (Page 75).

● 6.3.3 Environment

– You will find information on operating and storage conditions in chapter "Technical specifications of the Safety components (Page 49)".

● 6.3.4 Handling and mounting

– The Power Stack Adapter must be installed by qualified personnel. You will find further information on handling in chapter "Acceptance test (Page 37)".

● 6.3.5 Motor and driven equipment

– Connect only motors that are suitable for operation on medium-voltage converters. Ensure that the safety instructions (Page 9) are observed.

● 6.3.6.2 Interconnection and wiring diagrams

– You will find information on connection and wiring diagrams in chapter "Application examples (Page 28)"

● 6.3.6.3 Conductor (cable) selection

– You will find information on selecting cables in section "Wiring (Page 33)".

● 6.3.6.4 Terminal capacity and identification

– You will find information in section "Technical specifications of the Safety components (Page 49)"

● 6.3.6.5 Protection requirements

– The PSA has degree of protection IP20.

– The PSA must be connected to a SELV circuit (Page 75).

● 6.3.6.6 Earthing

– You can find information on grounding in chapter "Installing components (Page 76)".

● 6.3.7 Overcurrent and short-circuit protection

– You will find information in section "Description of the safety-related components (Page 75)"

● 6.3.8 Motor overload protection

– The motor is controlled by the converter. The converter provides motor overload protection. The function is not safety-related.

● 6.3.9 Commissioning

– You will find information in chapter "Commissioning (Page 35)".


The documentation refers to the following sections of chapter 6.4 of the standard IEC 61800-5-1:

● 6.4.2 Adjustments

– You will find information on setting the safety relay in chapter "Parameterizing the safety relay (Page 36)". The settings listed must be considered in replacement/maintenance.

● 6.4.3 Labels, signs and signals

– The connector designations of the two STO switch-off and feedback channels, X340/X341, are labeled on the PSA. You will find a description in section "Technical specifications of the Safety components (Page 49)".

The documentation refers to the following sections of chapter 6.5 of the standard IEC 61800-5-1:

● 6.5.1 General

– Methods and diagrams: The PSA is maintenance-free. The safety function must be cyclically checked (Page 39).

– Setting procedures: You will find information on setting the safety relay in chapter "Parameterizing the safety relay (Page 36)". The settings listed in this section must be considered in replacement/maintenance.

A.2 Information on safe application of the STO function from IEC 61800-5-2

The documentation refers to the following sections of chapter 7.2 of the standard IEC 61800-5-2:

● Section "a"

– Exceeding limit values: You will find a description in section "Exceeding limit values (Page 45)".

● Section "c"

– Environmental conditions: You will find information in chapter "Technical specifications of the Safety components (Page 49)".

– Operating conditions: You will find information in chapter "Installing components (Page 76)".


● Section "d"

– Restriction relating to the environment: You will find information in chapter "Installing components (Page 76)".

– Restriction relating to the mission time: Here you will find information about the mission time (Page 47) of the PSA.

– Restrictions regarding all requirements on tests, calibration, or maintenance: The safety function must be cyclically checked (Page 39). There are no further restrictions regarding testing, calibration or maintenance.

– Restrictions regarding all limits of the application to prevent systematic failures: You will find information on the PSA here (Page 75). The delivery condition of the converter with the safety-related STO function is described in chapter "Delivery condition (Page 11)".

● Section "e"

– Guidelines for installation and commissioning: The customer, plant integrator and/or user is responsible for safe and reliable installation. You will find information on mounting in chapters "Preparation for use (Page 33)" and "STO can be retrofitted to existing plant (Page 75)". The safety-related "Safe Torque Off" function described in this document enables the customer to use a certified single component. You will find suggestions for an acceptance test of the STO function in chapter "Acceptance test (Page 37)". You will find general information in chapter "Standards and regulations (Page 59)".

● Section "f"

– Requirements for the configuration test of the safety functions: The safety-related STO function is provided by the certified PSA component. The STO_A and STO_B switch-off signal paths of the PSA are controlled by a safety relay. The 3SK1122 safety relay is also supplied in the delivery condition of the inverter. The customer or the plant integrator is responsible for integration of the STO function into the customer plant.

– List of all safety-related parameters: The PSA cannot be parameterized. There is no safety function for the PSA. The safety relay can be parameterized. The parameter assignment in the delivery condition and the setting options are described in chapter "Parameterizing the safety relay (Page 36)".

● Section "g"

– Diagnostic tests that must be performed by the user or by parts of a plant: The safety-related function must always be checked by an acceptance test. You will find information in chapter "Acceptance test (Page 37)".

● Section "h"

– Routine actions that must be performed to maintain the functional safety: You will find information in section "Servicing the Power Stack Adapter (Page 47)".

– Maintenance procedures to be applied if faults or failures occur: You will find information in section "Repairing (Page 47)".

– Tools and procedures for maintenance and revalidation: You will find information in section "Acceptance test (Page 37)".


A.3 User information from EN ISO 13849-1

The documentation refers to the following sections of chapter 11 of the standard EN ISO 13849-1:

● Response time

You will find information in section "Information on safe application of the STO function from IEC 61800-5-2 (Page 53)".

● Limits for operation

You will find information in section "Information on safe application of the STO function from IEC 61800-5-2 (Page 53)".

● Displays and alarms

You will find information in section "Error messages (Page 45)".

● Maintenance

You will find information in section "Information on safe application of the STO function from IEC 61800-5-2 (Page 53)".

● Checklists for maintenance

You will find necessary measures and sample acceptance records in chapter "Acceptance test (Page 37)".

● Means for easy and reliable troubleshooting

Easy troubleshooting within the suggested acceptance test is possible with a step-by-step procedure. You will find information in chapter "Acceptance test (Page 37)".

A.4 Information from the Machinery Directive 2006/42/EC

● The inverter is supplied with a certified safety relay, a certified PSA and the associated cabinet wiring.

● The wiring is inspected before delivery.

● The certified single components are integrated into the STO function on the plant at the end customer/plant integrator's site.

● The PSA is only one component of the complete converter. For that reason, the PSA is not provided with the CE marking. Also, no certificate in accordance with the Machinery Directive is issued for the PSA.

● The end customer/plant integrator is responsible for acceptance and certification of the safety function according to the Machinery Directive.

● The PSA can only be ordered by the customer as a spare part.


A.5 Documentation for installation, use and maintenance from IEC 62061

This documentation refers to the following sections of chapter 7.2 of the standard IEC 62061:

● a) a comprehensive description of setting up, installation and mounting

– You will find information in section "Information for installation and commissioning from IEC 61800-5-1 (Page 52)"

● b) a declaration on the intended use of the SRECS and all measures that may be necessary to prevent reasonably foreseeable misuse:

– You will find information in section "Information on safe application of the STO function from IEC 61800-5-2 (Page 53)"

● c) information on the physical environment (e.g. lighting, vibration, noise level, atmospheric pollution), where appropriate

– You will find information in section "Technical specifications of the Safety components (Page 49)"

● d) overview (block) diagram(s), where appropriate

– You will find information in chapter "Description (Page 11)".

● e) circuit diagram(s)

– You will find information in chapter "Application examples (Page 28)".

● f) interval of the proof test or mission time

– Correct functioning must be checked at quarterly intervals for SIL3. You will find information in section "Cyclic function test (Page 39)"

● g) a description (including diagrams of mutual connections) of the interaction (where applicable) between the SRECS function(s) of the electrical machine control system

– You will find information in chapter "Application examples (Page 28)".

● h) a description of the necessary measures for ensuring disconnection of the SRECS function(s) from the function(s) of the electrical machine control system

– You will find information in chapter "Description (Page 11)".

● i) a description of the protection and the existing means for maintaining safety, where it is necessary to suspend the SRCF(s) (e.g. for manual programming, program verification)

– Not relevant.


● j) information on programming, where applicable

– Not relevant

● k) description of the requirements for maintenance applicable to the SRECS, including the following points:

– 1) a logbook for recording machine maintenance

Depending on the necessary SIL level, the STO function must be checked at cyclic intervals. You will find information in section "Cyclic function test (Page 39)".

– 2) the routine actions that have to be performed to obtain the functional safety of the SRECS, including the routine replacement of components with a predefined mission time.

In chapter "Acceptance test (Page 37)", all relevant processes are described to ensure functional safety of the device.

– 3) the maintenance procedure to be followed if faults or failures occur in the SRECS, including the following points:

– procedure for error diagnostics and repair

In the case of a malfunction of the drive, you will find the necessary steps for eliminating the fault in chapter "Acceptance test (Page 37)". In the case of malfunctions, the fault must be located and eliminated. You will find information on repairs in section "Repairing (Page 47)".

– procedure for confirming correct operation after repairs

After repair, an "Acceptance test (Page 37)" must be performed.

– requirements on maintenance records

– 4) the tools required for maintenance and recommissioning and the procedures for maintaining the tools and equipment

You will find information in section "Performing the STO acceptance and function test (Page 38)".

– 5) definition for regular checks, maintenance for correction and corrective maintenance.

You will find information in section "Cyclic function test (Page 39)".

See also

About these instructions (Page 7)


B Standards and regulations

B.1 Aims

The following requirement results from the responsibility that manufacturers and owners of technical equipment and products have for safety:

● To make plants, machines and other technical equipment as safe as possible in accordance with the latest technology.

In the standards, business partners describe state-of-the-art technology relating to all safety-significant aspects. When the relevant standards are complied with, it can be ensured that state-of-the-art technology is achieved. The plant erector or manufacturer of the machine has fulfilled its obligation in exercising due care.

Safety systems are designed to minimize potential hazards for both people and the environment by means of suitable technical equipment, without restricting industrial production and the use of machines more than is necessary. By applying rules and regulations that have been internationally harmonized, the protection of man and environment has to be put on an equal footing in all countries. At the same time, unfair competition due to different local safety requirements is to be avoided.

There are different concepts and requirements in the various regions and countries of the world when it comes to ensuring the appropriate degree of safety. The legislation and the requirements of how and when proof is to be given and whether there is an adequate level of safety are just as different as the assignment of responsibilities.

For machine manufacturers and companies that erect plants and systems, it is important to note that the legislation and regulations of the locality where the machine or plant is operated always apply. For example, the control system for a machine that is to be used in the US must meet local US requirements, even if the machine manufacturer is based in the European Economic Area (EEA).

B.2 Functional safety

From the perspective of the object to be protected, safety is indivisible. The causes of danger and also the technical measures to prevent them can vary widely. This is why a distinction is made between various types of safety, for example by stating the cause of possible hazards. "Functional safety" is involved if safety depends on the correct function.

To ensure the functional safety of a machine or plant, the safety-related parts of the protection and control devices must function correctly. In addition, the systems must behave in such a way that either the plant remains in a safe state or it is brought into a safe state if a fault occurs. In this case, it is necessary to use specially qualified technology that fulfills the requirements described in the associated standards. The requirements to achieve functional safety are based on the following basic goals:

● Avoiding systematic faults

● Controlling random faults or failures


Benchmarks for establishing whether or not a sufficient level of functional safety has been achieved include the probability of hazardous failures, the fault tolerance, and the quality that is to be ensured by avoiding systematic faults. This is expressed in the following standards using specific classification.

● IEC 61508/62061 "Safety Integrity Level" (SIL)

● EN ISO 13849-1 "Category" and "Performance Level" (PL)

B.3 The valid international standards

The function is drive-independent. The Safe Torque Off option meets the following requirements:

● Safety integrity level SIL 3 according to IEC 61508-1 (ed. 2), IEC 61508-2 (ed. 2)

● Performance level e and category 3 according to EN ISO 13849-1: 2015 (Cat 3; PL e)

● Harmonized product standard for converters IEC 61800-5-2 (ed. 2)

● Process industry: IEC 61511 (in consultation with the certification body only): Verification of the functional safety of safety instrumented systems for the process industry sector

● IEC 62061

B.4 Machine safety in Europe

The EU Directives that apply to the implementation of products are based on Article 95 of the EU Treaty, which regulates the free exchange of goods. This is based on a new global approach ("new approach", "global approach"):

● EU Directives only specify general safety goals and define basic safety requirements.

● Technical details can be defined by means of standards by Standards Associations that have the appropriate mandate from the Commission of the European Parliament and Council (CEN, CENELEC). These Standards are harmonized under a specific Directive and are listed in the Official Journal of the Commission of the European Parliament and the Council. Legislation does not specify that certain standards have to be complied with. When the harmonized standards are observed, it can be assumed that the safety requirements and specifications of the directives involved have been fulfilled.

● EU Directives specify that the Member States must mutually recognize domestic regulations.

The EU Directives are all of equal importance. If several directives are applicable for a specific piece of equipment or machine, then the requirements of all of the relevant directives apply. For example, for a machine with electrical equipment, the Machinery Directive and the Low-Voltage Directive apply.


B.4.1 Machinery Directive

The basic safety and health requirements specified in Annex I of the Directive must be fulfilled for the safety of machines. The protective goals must be implemented responsibly to ensure compliance with the Directive.

Manufacturers of a machine must verify that their machine complies with the basic requirements. This verification is facilitated by means of harmonized standards.

B.4.2 Harmonized European Standards

The two Standardization Organizations CEN (Comité Européen de Normalisation) and CENELEC (Comité Européen de Normalisation Électrotechnique), mandated by the EU Commission, drew up harmonized European Standards in order to precisely specify the requirements of the EC directives for a specific product. These standards (EN standards) are published in the Official Journal of the commission of the European Parliament and Council and must be included without revision in domestic standards. They are designed to fulfill basic health and safety requirements as well as the protective goals specified in Annex I of the Machinery Directive.

When the harmonized standards are observed, it is "automatically presumed" that the directive is complied with. The manufacturer can then trust that he has fulfilled the safety aspects of the directive, provided these are covered in the respective standard. However, not every European standard is harmonized in this sense. Key here is the listing in the official journal of the commission of the European Parliament and Council.

The European standards for machine safety are hierarchically structured. The body of standards is divided into

● Type A standards (basic standards)

● Type B standards (group standards)

● Type C standards (product standards)

Type A standards (basic standards)

A standards include basic terminology and definitions relating to all types of machine. This includes EN ISO 12100 (previously EN 292-1) "Safety of Machines, Basic Terminology, General Design Principles".

Type A standards are aimed primarily at the bodies responsible for setting the type B and C standards. The measures specified here for minimizing risk, however, may also be useful for manufacturers if no applicable type C standards have been defined.

Type B standards (group standards)

Type B standards cover all safety standards for various different machine types. Type B standards are aimed primarily at the bodies responsible for setting type C standards. They can also be useful for manufacturers during the machine design and construction phases, however, if no applicable type C standards have been defined.


Type B standards are further subdivided:

● Type B1 standards: For higher-level safety aspects, e.g.:

– Ergonomic principles

– Safety clearances against reaching sources of danger

– Minimum clearances to avoid crushing parts of the body

● Type B2 standards: For safety equipment intended for different types of machine, e.g.:

– Emergency Stop devices

– Two-hand control devices

– Interlocks

– Electro-sensitive protective equipment

– Safety-related parts of control systems

Type C standards (product standards)

C standards are product-specific standards, e.g. for:

● Machine tools

● Woodworking machines

● Elevators

● Packaging machines

● Printing machines, etc.

Product standards list requirements for specific machines. The requirements can, under certain circumstances, deviate from the basic and group standards. The type C standard has the highest priority for machine manufacturers. The machine manufacturer can assume that it fulfills the basic requirements of Annex I of the Machinery Directive (automatic presumption of compliance). If no product standard has been defined for a particular machine, type B standards can be applied when the machine is being constructed.

A complete list of all of the listed standards, as well as the activities associated with standards (including mandated new standards for the future), is provided on the Internet (www.newapproach.org/).

Recommendation: Due to the rapid pace of technical development and the associated changes in machine concepts, the standards (and type C standards in particular) should be checked to ensure that they are up to date. Please note that the application of a particular standard may not be mandatory provided that all the safety requirements of the applicable EU directives are fulfilled.


B.4.3 Standards for implementing safety-related controllers

If the functional safety of a machine depends on various control functions, the controller must be implemented in such a way that the probability of safety functions failing in a dangerous fashion is sufficiently minimized. The standards EN ISO 13849-1 and IEC 61508 define guidelines for implementing safety-related machine controls. Application of these principles ensures that all the safety requirements of the EC Machinery Directive are fulfilled. These standards ensure that the relevant safety requirements of the Machinery Directive are fulfilled.

Figure B-1 Standards for implementing safety-related controllers

The application areas of EN ISO 13849-1, IEC 62061, and IEC 61508 are very similar. To help users make an appropriate decision, the IEC and ISO associations have specified the application areas of both standards in a joint table in the introduction to the standards. Either EN ISO 13849-1 or EN 62061 is applied depending on the technology, risk classification, or architecture.

Systems for executing safety-related control functions

A Non-electrical (e.g. hydraulic, pneumatic)

– EN ISO 13849-1: Covered by the standard

– EN 62061: Not covered

B Electromechanical (e.g. Relay and/or basic electronics)

– EN ISO 13849-1: Restricted to the designated architectures 1) and max. up to PL = e

– EN 62061: All architectures and max. up to SIL 3

C Complex electronics (e.g. programmable electronics)

– EN ISO 13849-1: Restricted to the designated architectures 1) and max. up to PL = d

– EN 62061: All architectures and max. up to SIL 3

D Type A standards combined with type B standards

– EN ISO 13849-1: Restricted to the designated architectures 1) and max. up to PL = e

– EN 62061: Covered by the standard 3)

E Type C standards combined with type B standards

– EN ISO 13849-1: Restricted to the designated architectures 1) and max. up to PL = d

– EN 62061: All architectures and max. up to SIL 3

F Type C standards combined with type A standards; Type C standards combined with type A standards and type B standards

– EN ISO 13849-1: Covered by the standard 2)

– EN 62061: Covered by the standard 3)

1) Designated architectures are described in Annex B of EN ISO 13849-1 and provide a simplified basis for the quantification.

2) For complex electronics: Using designated architectures in compliance with EN ISO 13849-1 up to PL = d or every architecture in compliance with EN 62061.

3) For non-electrical systems: Use components that comply with EN ISO 13849-1 as subsystems.

B.4.4 Standards

B.4.4.1 EN ISO 13849-1

Note

EN ISO 13849-1 and Machinery Directive

Since May 2007, EN ISO 13849-1 has been harmonized as part of the Machinery Directive.

A qualitative analysis according to EN ISO 13849-1 is not sufficient for modern controllers due to their technology. Among other things, EN ISO 13849-1 does not take into account time behavior, e.g. test interval and/or cyclic test, lifetime. This results in the probabilistic basis in EN ISO 13849-1 (probability of failure per unit time). EN ISO 13849‑1 considers complete safety functions and all the devices required to execute these. EN ISO 13849-1 considers the safety functions quantitatively and qualitatively. Performance levels (PL), which are based on the categories, are used. The following safety-related characteristic quantities are required for devices/equipment:

● Category (structural requirement)

● PL: Performance Level

● MTTFd: Mean time to dangerous failure

● DC: Diagnostic Coverage

● CCF: Common cause failure

The standard describes how the PL is calculated for safety-related components of the controller on the basis of designated architectures. For deviations from this, EN ISO 13849-1 refers to IEC 61508.


When combining several safety-related parts to form a complete system, the standard explains how to determine the resulting PL.

B.4.4.2 EN 62061

Note

EN 62061 and Machinery Directive

IEC 62061 has been ratified as EN 62061 in Europe and harmonized as part of the Machinery Directive.

IEC 62061 is a sector-specific standard, positioned below IEC 61508. The standard IEC 62061 describes implementation of safety-related electrical control systems of machines. The standard takes into account the complete lifecycle - from the conceptual phase to de-commissioning. The standard is based on the quantitative and qualitative analyses of safety functions.

The standard systematically applies a top-down approach to implementing complex control systems, known as "Functional Decomposition".

Based on the safety functions emanating from the risk analysis, the safety functions are divided into sub-safety functions. The sub-safety functions are assigned to the devices, subsystems and subsystem elements. Both the hardware and software are covered.

IEC 62061 also describes the requirements placed on implementing application programs.

A safety-related control system comprises different subsystems. The subsystems are described from a safety-related perspective using the characteristic quantities SIL claim limit and PFHD.

Programmable electronic devices (e.g. PLCs or variable-speed drives) must fulfill IEC 61508. The devices can then be integrated in the controller as subsystems. The following safety-related characteristic quantities must be specified by the manufacturers of these devices.

Safety-related characteristic quantities for subsystems:

● SIL CL: SIL suitability (SIL claim limit)

● PFHD: Probability of hazardous failures per hour

● T1: Lifetime

Simple subsystems (e.g. sensors and actuators) in electromechanical components can, in turn, comprise subsystem elements/devices interconnected in different ways with the characteristic quantities required for determining the relevant PFHD value of the subsystem.

Safety-related characteristic quantities for subsystem elements/devices:

● λ: Failure rate

● B10 value: for elements that are subject to wear

● T1: Lifetime

For electromechanical devices, a manufacturer specifies a failure rate λ with reference to the number of operating cycles. The failure rate per unit time and the lifetime must be determined using the switching frequency for the particular application.


The following parameters must be defined in designing the subsystem that comprises subsystem elements:

● T2: Diagnostic test interval

● β: Susceptibility to common cause failure

● DC: Diagnostic coverage

The PFHD value of the safety-related controller is determined by adding the individual PFHD values for subsystems.
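The quantities listed above (λ, B10, T1, T2, β, DC, SIL CL, PFHD) can be combined as in the following added example, which is not part of the manual. It assumes the IEC 62061 approximations λ = 0.1 × C / B10 and the two-channel subsystem formula with diagnostics (basic subsystem architecture D, identical elements), neither of which is printed on this page; all numeric values and subsystem names are constructed and are not manufacturer data.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass
class Subsystem:
    name: str
    pfhd: float   # probability of dangerous failure per hour
    sil_cl: int   # SIL claim limit stated for the subsystem


def lambda_d_from_b10(b10_cycles, cycles_per_hour, dangerous_fraction):
    """Dangerous failure rate per hour of an element subject to wear.

    Assumed IEC 62061 approximation: lambda = 0.1 * C / B10, where C is the
    switching frequency in cycles per hour; lambda_D is the dangerous share.
    """
    return 0.1 * cycles_per_hour / b10_cycles * dangerous_fraction


def usable_lifetime_hours(b10_cycles, cycles_per_hour, mission_hours):
    """T1 of a wear element: mission time, capped at the time to reach B10 cycles.

    Assumption of this example: the element is replaced once it reaches B10 cycles.
    """
    return min(mission_hours, b10_cycles / cycles_per_hour)


def pfhd_dual_channel(lambda_de, beta, dc, t1_hours, t2_hours):
    """PFHD of two identical, diagnosed channels (assumed IEC 62061 architecture D).

    beta: susceptibility to common cause failure, dc: diagnostic coverage,
    t1_hours: lifetime, t2_hours: diagnostic test interval.
    """
    independent = (1 - beta) ** 2 * (
        lambda_de ** 2 * 2 * dc * t2_hours / 2      # faults found by diagnostics
        + lambda_de ** 2 * (1 - dc) * t1_hours      # faults that stay undetected
    )
    common_cause = beta * lambda_de
    return (independent + common_cause) * 1.0       # failure rate x 1 h


def sil_from_pfhd(pfhd):
    """SIL band reached by a PFHD value (high demand mode); 0 means no SIL."""
    if pfhd < 1e-7:
        return 3
    if pfhd < 1e-6:
        return 2
    if pfhd < 1e-5:
        return 1
    return 0


def evaluate(subsystems):
    """Add the subsystem PFHD values; the claimable SIL is additionally
    limited by the lowest SIL CL among the subsystems."""
    total = sum(s.pfhd for s in subsystems)
    return total, min([sil_from_pfhd(total)] + [s.sil_cl for s in subsystems])


def build_example(cycles_per_hour):
    """Constructed safety function: two-channel sensor, safety relay, drive STO."""
    b10, mission = 100_000, 20 * HOURS_PER_YEAR     # constructed values
    lam_d = lambda_d_from_b10(b10, cycles_per_hour, dangerous_fraction=0.2)
    t1 = usable_lifetime_hours(b10, cycles_per_hour, mission)
    sensor = Subsystem(
        "Two-channel sensor",
        pfhd_dual_channel(lam_d, beta=0.1, dc=0.99, t1_hours=t1, t2_hours=24),
        sil_cl=3,
    )
    # PFHD and SIL CL of the two devices below are placeholders, not datasheet values.
    return [sensor, Subsystem("Safety relay", 1.0e-9, 3), Subsystem("Drive STO", 5.0e-8, 2)]


if __name__ == "__main__":
    for cph in (1 / 24, 60):                        # once per day vs. once per minute
        total, sil = evaluate(build_example(cph))
        print(f"C = {cph:.4f}/h  PFHD = {total:.3e}/h  claimable SIL = {sil}")
```

With one actuation per day the summed PFHD lies in the SIL 3 band, but the lowest SIL CL caps the claim at SIL 2; at one actuation per minute the wear-related failure rate of the sensor dominates and the function drops to SIL 1.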

Options for safety-related control:

● Use of devices and subsystems that already meet the ISO 13849-1 or the IEC 61508 or IEC 62061. The standard states how qualified devices can be integrated when safety functions are implemented.

● Develop own subsystems:

– Programmable, electronic systems and complex systems: Application of IEC 61508 or IEC 61800-5-2.

– Simple devices and subsystems: Application of IEC 62061.

Data on non-electrical systems is not included in IEC 62061. The standard provides detailed information on implementing safety-related electrical, electronic, and programmable electronic control systems. EN ISO 13849-1 must be applied to non-electrical systems.

B.4.4.3 Series of standards IEC 61508 (VDE 0803)

This IEC 61508 series of standards describes the current state of the art.

IEC 61508 is not harmonized in line with any EU directives, which means that an automatic presumption of conformity for fulfilling the protective requirements of a directive is not implied. However, the manufacturer of a safety-related product can use IEC 61508 to fulfill basic requirements from the European directives according to the new concept. For example, in the following cases:

● If no harmonized standard exists for the application in question. In this particular case, the manufacturer may use IEC 61508, although no presumption of conformity applies here.

● A harmonized European standard, e.g. IEC 62061, EN ISO 13849, EN 60204-1, references IEC 61508. This ensures that the appropriate requirements of the directives are fulfilled ("standard that is also applicable"). When manufacturers apply IEC 61508 properly and responsibly in accordance with this reference, they can use the presumption of conformity of the referencing standard.

IEC 61508 handles, from a universal basis, all aspects that must be taken into consideration if electrical, electronic and programmable electronic systems (E/E/PES systems) are used in order to execute safety-related functions and to guarantee the appropriate level of functional safety. Other hazards, e.g. electric shock, are, as in EN ISO 13849, not part of the standard.

IEC 61508 has recently been declared the "International Basic Safety Publication", which makes it a framework for other sector-specific standards, e.g. IEC 62061. As a result, this standard is now accepted worldwide, particularly in North America and in the automotive industry. Today, many regulatory bodies already prescribe IEC 61508, e.g. as a basis for NRTL listing.


Its system approach is another new aspect of IEC 61508:

● Expansion of the technical requirements to the complete safety installation from the sensor to the actuator.

● Quantification of the probability of dangerous failure due to random hardware failures.

● Creation of documentation for each phase of the entire safety life cycle of the E/E/PES.

B.4.5 Risk analysis/assessment

Risks are intrinsic in machines due to their design and functionality. For this reason, the Machinery Directive requires that a risk assessment be performed for each machine and, if necessary, the level of risk reduced until the residual risk is less than the tolerable risk. The following standards must be applied for the techniques to evaluate and assess these risks:

● EN ISO 12100 "Safety of Machinery – General Design Principles - Risk Assessment and Minimizing Risks"

● EN ISO 13849-1 "Safety-related parts of control systems"

EN ISO 12100 focuses on the risks to be analyzed and the design principles for minimizing risk.

The risk assessment is a procedure that allows hazards resulting from machines to be systematically investigated. Where necessary, the risk assessment is followed by a risk reduction procedure. When the procedure is repeated, this is known as an iterative process. This can help eliminate hazards (as far as this is possible) and can act as a basis for implementing suitable protective measures.

The risk assessment involves the following:

● Risk analysis

– Determines the limits of the machine (EN ISO 12100)

– Identification of hazards (EN ISO 12100)

– Estimating the level of risk (EN 1050 Paragraph 7)

● Risk evaluation

As part of the iterative process to achieve the required level of safety, a risk assessment must be carried out after the risk estimation. A decision must be made here as to whether the residual risk needs to be reduced. If the risk has to be further reduced, suitable protective measures must be selected and applied. The risk assessment must then be repeated.


Figure B-2 Iterative process for achieving safety

Risks must be reduced by designing and implementing the machine accordingly, e.g. by means of controllers or protective measures suitable for the safety-related functions.

If the protective measures involve the use of interlocking or control functions, these must be designed according to EN ISO 13849-1. For electrical and electronic control systems, EN 62061 can be applied instead of EN ISO 13849-1. Electronic controllers and bus systems must also comply with IEC 61508.

B.4.6 Risk reduction

Risk reduction measures for a machine can be implemented by means of safety-related control functions in addition to structural measures.

Graduated by the magnitude of the risk, special requirements must be considered for implementing control functions. The requirements are described in EN ISO 13849-1.

For electrical control systems, in particular those with programmable electronics, the requirements are stated in EN 61508 or EN 62061. Depending on the magnitude of the risk and the level to which the risk needs to be reduced, the requirements relating to safety-related parts of control systems are graded.

● EN ISO 13849-1 defines a risk flow chart that, instead of categories, results in hierarchically graduated Performance Levels (PL).

● IEC/EN 62061 uses "Safety Integrity Level" (SIL) for classification. This is a quantified measure of the safety-related performance of a control system. The required SIL is also determined in accordance with the risk assessment principle according to ISO 12100 (EN 1050). Annex A of the standard describes a method for determining the required Safety Integrity Level (SIL).

Irrespective of the standard applied, it is in any case important that all parts of the machine control system that are involved in performing safety-related functions meet these requirements.

B.4.7 Residual risk

In today's technologically advanced world, the concept of safety is relative. The ability to ensure safety to the extent that accidents are ruled out in all circumstances – "zero-risk guarantee" – is practically impossible. The residual risk is the risk that remains once all the relevant protective measures have been implemented in accordance with the latest state of the art.

Residual risks must be clearly referred to in the machine/plant documentation (user information according to EN ISO 12100).

B.4.8 EU declaration of conformity

You will find the EU Declaration of Conformity for all SINAMICS MV converters in the LDA Portal (https://www.lda-portal.siemens.com/).

● Navigate to the corresponding converter, filter according to the entry type "Certificate" and then certificate type "Declaration of Conformity".

Alternatively, contact the SIEMENS office in your region.

B.5 Machine safety in the USA

A key difference between the USA and Europe in the legal requirements regarding safety at work is that, in the USA, no legislation exists regarding machinery safety that is applicable in all of the states and that defines the responsibility of the manufacturer/supplier. A general requirement exists stating that employers must ensure a safe workplace.

B.5.1 Minimum requirements of the OSHA

The Occupational Safety and Health Act (OSHA) from 1970 regulates the requirement that employers must offer a safe place of work. The core requirements of OSHA are specified in Section 5 "Duties".


The requirements of the OSH Act are managed by the "Occupational Safety and Health Administration" (also known as OSHA). OSHA employs regional inspectors who check whether or not workplaces comply with the applicable regulations.

The OSHA rules relevant for industrial safety are described here (http://www.osha.gov):

● OSHA 29 CFR 1910.xxx ("OSHA Regulations (29 CFR) PART 1910 Occupational Safety and Health"). (CFR: Code of Federal Regulations.)

The application of standards is regulated in 29 CFR 1910.5 "Applicability of standards". The concept is similar to that used in Europe. Product-specific standards have priority over general standards insofar as they cover the relevant aspects. Once the standards are fulfilled, employers can assume that they have fulfilled the core requirements of the OSH Act with respect to the aspects covered by the standards.

For certain applications, OSHA requires that all electrical equipment and devices that are used to protect workers be authorized by an OSHA-certified, "Nationally Recognized Testing Laboratory" (NRTL) for the specific application.

In addition to the OSHA Regulations it is important to carefully observe the currently valid standards of organizations such as NFPA and ANSI as well as the extensive product liability legislation in the USA. Due to the product liability legislation, it is in the interests of manufacturing and operating companies that they carefully maintain the applicable regulations and are "forced" to fulfill the requirement to use state-of-the-art technology.

Third-party insurance companies generally demand that their customers fulfill the applicable standards of the standards organizations. Self-insured companies are not initially subject to this requirement but, in the event of an accident, they must provide verification that they have applied generally-recognized safety principles.

B.5.2 NRTL listing

All electrical equipment and devices that are used in the US to protect workers must be certified for the particular application by a "Nationally Recognized Testing Laboratory" (NRTL) certified by OSHA. NRTLs are authorized to certify equipment and material by means of listing, labeling, or similar. Domestic standards (e.g. NFPA 79) and international standards (e.g. IEC 61508 for E/E/PES systems) are the basis for testing.

B.5.3 NFPA 79

Standard NFPA 79 (Electrical standard for Industrial Machinery) applies to electrical equipment on industrial machines with rated voltages of less than 600 V. A group of machines that operate together in a coordinated fashion is also considered to be one machine.

For programmable electronics and communication buses, NFPA 79 states as a basic requirement that these must be listed if they are to be used to implement and execute safety-related functions. If this requirement is fulfilled, electronic controls and communication buses can also be used for the emergency stop functions of the Stop Categories 0 and 1 (see NFPA 79 9.2.5.4.1.4). Like EN 60204‑1, NFPA 79 no longer specifies that the electrical energy must be disconnected by electromechanical means for emergency stop functions.

The core requirements placed on programmable electronics and communication buses include:

System requirements (see NFPA 79 9.4.3)

If a single fault occurs, control systems that contain software-based controllers must:

● Put the system into a safe state to shut it down

● Prevent restarting until the fault has been eliminated

● Prevent unexpected start-up

● Provide protection comparable to hard-wired controls

● Be implemented in accordance with a recognized standard that defines the requirements for such systems.

In a note, the following standards are specified as suitable standards:

– IEC 61508

– IEC 62061

– EN ISO 13849‑1

– EN ISO 13849‑2

– IEC 61800‑5‑2

"Underwriter Laboratories Inc. (UL)" has defined a special category for "Programmable Safety Controllers" for implementing this requirement (code NRGF). This category covers control devices that contain software and are designed for use in safety-related functions.

A precise description of the category and a list of devices that fulfill this requirement can be found on the Internet (http://www.ul.com).

After you have called up the site, select: certifications directory → UL Category code/Guide information → search for category "NRGF".

"TUV Rheinland of North America, Inc." is also an NRTL for these applications.

B.5.4 ANSI B11

ANSI B11 standards are joint standards developed by associations such as the Association for Manufacturing Technology (AMT) and the Robotic Industries Association (RIA).

The hazards of a machine are evaluated by means of a risk analysis/assessment. The risk analysis is an important requirement in accordance with NFPA 79, ANSI/RIA 15.06, ANSI B11.TR-3 and SEMI S10 (semiconductors). The documented results of a risk analysis can be used to select a suitable safety system based on the safety class of the application in question.

B.6 Machine safety in Japan

The situation in Japan is different from that in Europe and the US. Legislation such as that prescribed in Europe does not exist. Similarly, product liability is not as important as it is in the US.


There are no legal requirements to apply standards but an administrative recommendation to apply JIS (Japanese Industrial Standard): Japan bases its approach on the European concept and uses basic standards as its national standards.

Table B-1 Japanese standards

| ISO/IEC number | JIS number | Comments |
|---|---|---|
| ISO 12100 | JIS B 9700 | Earlier designation TR B 0008 and TR B 0009 |
| EN ISO 13849-1 | JIS B 9705-1 | |
| EN ISO 13849-2 | JIS B 9705-1 | |
| IEC 60204-1 | JIS B 9960-1 | Without annex F or route map of the European foreword |
| IEC 61508-0 to -7 | JIS C 0508 | |
| IEC 62061 | | JIS number not yet assigned |

B.7 Equipment regulations

In addition to the requirements laid down in guidelines and standards, company-specific requirements must be taken into account. Large corporations in particular, e.g. automobile manufacturers, have stringent demands regarding automation components. These requirements are often listed in separate equipment regulations.

To be able to integrate safety-related topics into the risk assessment/reduction, these topics should be clarified with the customer at an early stage. The safety-related topics include:

● Operating modes

● Operator actions with access to the danger zone

● EMERGENCY STOP concept

B.7.1 Other safety-related issues

Information sheets from the various regulatory bodies

Safety-related measures to be implemented cannot always be derived from directives, standards, or regulations. To derive measures, additional instructions and explanations are required.

Some regulatory bodies issue publications on an extremely wide range of subjects. The publications are available in German and some of them in English and French.

Information sheets covering, e.g. the following subjects, are available:

● Process monitoring in production environments

● Axes subject to gravitational force


● Roller pressing machines

● Lathes and turning centers - purchasing/selling

The information sheets of the technical committees can be used by all interested groups. This includes:

● Providing advice in companies

● Drafting the standards

● Implementing safety measures on machines and plants.

These information sheets provide support for the fields of machinery construction, production systems, and steel construction.

You can download the information sheets from the Internet (https://www.bghm.de):

First select the area "Arbeitsschützer", followed by the menu item "Praxishilfen" and finally "DGUV-Informationen".


C STO can be retrofitted to existing plant

This section describes the principle of retrofitting STO components to an existing plant.

C.1 Description of the safety-related components

For the STO function, the following components are required:

Power supply unit for safety relay

The power supply unit must meet the following requirements:

● SELV output voltage (Safety Extra Low Voltage)

● Output voltage limited to < 35 V. The output voltage must be complied with even during a fault.

The requirements stated are met by the following SIEMENS power supply units, for example:

● SITOP smart, article no.: 6EP1334-2BA20

● SITOP modular, article no.: 6EP1334-3BA10. SITOP modular is designed with a power input with a higher proof voltage.

Note

Power supply to other components

● The power supply unit can power other non-safety-related components. A separate power supply unit just for safety-related circuits is not required. However, it is important that the SELV output voltage is limited to < 35 V by the power supply unit.

● If further components with SELV output voltage are connected to this power supply unit by the customer, it must be ensured that the SELV circuit is available without restriction.

Safety relay

For example, the SIEMENS 3SK1122-2CB41 safety relay is suitable for this.

The safety relay must be parameterized in such a way that the connected sensor is controlled and monitored in two channels. The settings made on the safety relay must be documented.

You will find information on parameterization of the safety relay in chapter "Parameterizing the safety relay (Page 36)".

Power Stack Adapter PSA

The Power Stack Adapter is designed for installation in a control cabinet.

The PSA must only ever be used for the defined purpose as described in this document.


C.2 Installing components

Preferred installation of the PSA combination with safety relay and power supply unit.

Figure C-1 PSA combination with safety relay and power supply unit (labels in the figure: STO_A, STO_B, STO_M_A, STO_M_B, STO_A_FB1, STO_B_FB2, L1, N (L2), PE, L, N, L+, L-, 230 V, 110 V)

Installing the safety relay

Install the safety relay in the controller cabinet. You will find information on the safety relay in section "Description of the safety-related components (Page 75)".

Installing the power supply unit

Install the power supply unit in the controller cabinet. You will find information on the power supply unit in section "Description of the safety-related components (Page 75)".

Installing the PSA

Note

The STO function described in this document is only met with the PSA described in chapter "Technical specifications (Page 49)". Another PSA may have to be removed and replaced.


Protective grounding/protective ground conductor

There is an M4 connecting screw on the housing for connecting the protective ground conductor. Make the electrical connection to the protective ground terminal of the PSA housing with a wire gauge that is suitable for the local installation conditions, but with a minimum conductor cross section of 2.5 mm².

Wiring

You will find information about the wiring in chapter "Wiring (Page 33)".
