
SINAMICS S120

Safety Integrated
Function Manual · 11/2009

Preface
1 Standards and regulations
2 General information about SINAMICS Safety Integrated
3 System features
4 Safety Integrated Basic Functions
5 Safety Integrated Extended Functions
6 Control of the safety functions
7 Commissioning
8 Application examples
9 Acceptance tests and acceptance reports
A Appendix A

Valid for:
Firmware Version 4.3 SP1

(FHS), 11/2009
6SL3097-4AR00-0BP0
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

NOTICE
indicates that an unintended result or situation can occur if the corresponding information is not taken into
account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation for the specific task, in particular its warning notices and
safety instructions. Qualified personnel are those who, based on their training and experience, are capable of
identifying risks and avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be adhered to. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of the
owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG
Industry Sector
Postfach 48 48
90026 NÜRNBERG
GERMANY

Order number: 6SL3097-4AR00-0BP0
Ⓟ 03/2010
Copyright © Siemens AG 2007, 2008, 2009.
Technical data subject to change
Preface

SINAMICS documentation
The SINAMICS documentation is organized in 2 parts:
● General documentation/Catalogs
● Manufacturer/service documentation
A current overview of the documentation in the available languages is provided on the Internet:
http://www.siemens.com/motioncontrol
Select the menu items "Support" --> "Technical Documentation" --> "Overview of Publications."
The Internet version of DOConCD (DOConWEB) is available on the Internet:
http://www.automation.siemens.com/doconweb
Information on the range of training courses and FAQs (Frequently Asked Questions) is available on the Internet:
http://www.siemens.com/motioncontrol
Follow the menu item "Support".

Safety Integrated
Function Manual, (FHS), 11/2009, 6SL3097-4AR00-0BP0 5
Usage phases and their tools/documents (as an example)

Table 1 Usage phases and the available documents/tools

Orientation
• SINAMICS S Sales Documentation
Planning/configuration
• SIZER configuration tool
• Configuration Manuals, Motors
Decision/ordering
• SINAMICS S Catalogs
Installation/assembly
• SINAMICS S120 Equipment Manual for Control Units and Additional System Components
• SINAMICS S120 Equipment Manual for Booksize/Booksize Compact Power Units
• SINAMICS S120 Equipment Manual for Chassis Power Units
• SINAMICS S120 Equipment Manual for AC Drives
Commissioning
• STARTER parameterization and commissioning tool
• SINAMICS S120 Getting Started
• SINAMICS S120 Commissioning Manual
• SINAMICS S120 CANopen Commissioning Manual
• SINAMICS S120 Function Manual
• SINAMICS S120/S150 List Manual
Usage/operation
• SINAMICS S120 Commissioning Manual
• SINAMICS S120/S150 List Manual
Maintenance/servicing
• SINAMICS S120 Commissioning Manual
• SINAMICS S120/S150 List Manual
References
• SINAMICS S120/S150 List Manual

Target group
This documentation is intended for machine manufacturers, plant manufacturers,
commissioning engineers, and service personnel who use the SINAMICS S drive system.

Benefits
The Safety Integrated Function Manual covers all information, procedures and operations
required for commissioning safety functions and servicing of SINAMICS S120.

Search guides
The following guides are provided to help you locate information in this manual:
1. Contents
2. List of abbreviations
3. Index
Standard scope
The scope of the functionality described in this document can differ from the scope of the
functionality of the drive system that is actually supplied.
● Other functions not described in this documentation might be able to be executed in the
drive system. However, no claim can be made regarding the availability of these functions
when the equipment is first supplied or in the event of servicing.
● Functions can be described in the documentation that are not available in a particular
product version of the drive system. The functionality of the supplied drive system should
only be taken from the ordering documentation.
● Extensions or changes made by the machine manufacturer must be documented by the
machine manufacturer.
For reasons of clarity, this documentation does not contain all of the detailed information on
all of the product types. This documentation cannot take into consideration every
conceivable type of installation, operation and service/maintenance.

Technical Support
In case of questions, please contact us through the following hotline:

Europe/Africa
Phone +49 180 5050 - 222
Fax +49 180 5050 - 223
0.14 €/min. from German landlines, max. 0.42 €/min for calls from a mobile phone
Internet http://www.siemens.de/automation/support-request

America
Phone +1 423 262 2522
Fax +1 423 262 2200
E-mail mailto:[email protected]

Asia/Pacific
Phone +86 1064 757 575
Fax +86 1064 747 474
E-mail mailto:[email protected]

Note
Country-specific telephone numbers for technical support are provided under the following Internet address:
http://www.siemens.com/automation/service&support

Questions on the manual
If you have any questions (suggestions, corrections) regarding this documentation, please fax or e-mail us at:
Fax +49 9131 98 2176
E-mail mailto:[email protected]
A fax form is available in the appendix of this document.

Internet address for SINAMICS
http://www.siemens.com/sinamics

Internet address for Safety Integrated
http://www.siemens.com/safety
This address contains detailed application examples for Safety Integrated.

Notation
The following notation and abbreviations are used in this documentation:

Notation for parameters (examples):


● p0918 Adjustable parameter 918
● r1024 Display parameter 1024
● p1070[1] Adjustable parameter 1070, index 1
● p2098[1].3 Adjustable parameter 2098, index 1, bit 3
● p0099[0...3] Adjustable parameter 99 indices 0 to 3
● r0945[2](3) Display parameter 945 index 2 of drive object 3
● p0795.4 Adjustable parameter 795 bit 4

Notation for faults and alarms (examples):


● F12345 Fault 12345
● A67890 Alarm 67890
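The notation above is the key to reading every parameter and message reference in the later chapters, in the List Manual and in acceptance reports. As an added example, not code from Siemens or from this manual, the following Python parser turns references written in that notation back into their parts (parameter type, number, index or index range, drive object, bit; fault or alarm number) and renders them the way the preface spells them out. The grammar is taken from the seven parameter examples and two message examples listed above; the only assumption beyond them is that a drive-object suffix "(n)" follows the index and a bit suffix ".b" always comes last. SAMPLE_TEXT is a constructed line built from those same examples, not a real log or report.

```python
"""Parse the SINAMICS parameter and fault/alarm notation described in the preface."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Grammar taken from the preface examples. Assumption (not stated on the page):
# a drive-object suffix "(n)" follows the index and a bit suffix ".b" comes last.
_PARAM_RE = re.compile(
    r"^(?P<kind>[pr])(?P<number>\d+)"
    r"(?:\[(?P<idx_lo>\d+)(?:\.\.\.(?P<idx_hi>\d+))?\])?"
    r"(?:\((?P<do>\d+)\))?"
    r"(?:\.(?P<bit>\d+))?$"
)
_MSG_RE = re.compile(r"^(?P<kind>[FA])(?P<number>\d+)$")
# Loose token pattern used to pick candidate references out of free text.
_TOKEN_RE = re.compile(
    r"\b[prFA]\d+(?:\[\d+(?:\.\.\.\d+)?\])?(?:\(\d+\))?(?:\.\d+)?"
)


@dataclass(frozen=True)
class ParamRef:
    kind: str                          # "adjustable" (p) or "display" (r)
    number: int
    index_lo: Optional[int] = None     # single index, or first index of a range
    index_hi: Optional[int] = None     # last index of a range, if any
    drive_object: Optional[int] = None
    bit: Optional[int] = None

    def describe(self) -> str:
        """Render the reference in the wording the preface uses."""
        label = "Adjustable" if self.kind == "adjustable" else "Display"
        parts = [f"{label} parameter {self.number}"]
        if self.index_lo is not None:
            if self.index_hi is not None:
                parts.append(f"indices {self.index_lo} to {self.index_hi}")
            else:
                parts.append(f"index {self.index_lo}")
        if self.drive_object is not None:
            if self.index_lo is not None:
                parts[-1] += f" of drive object {self.drive_object}"
            else:
                parts.append(f"drive object {self.drive_object}")
        if self.bit is not None:
            parts.append(f"bit {self.bit}")
        return ", ".join(parts)


@dataclass(frozen=True)
class MessageRef:
    kind: str                          # "fault" (F) or "alarm" (A)
    number: int

    def describe(self) -> str:
        return f"{'Fault' if self.kind == 'fault' else 'Alarm'} {self.number}"


Ref = Union[ParamRef, MessageRef]


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_ref(text: str) -> Ref:
    """Parse one reference such as 'p2098[1].3' or 'F12345'; raise ValueError otherwise."""
    token = text.strip()
    m = _PARAM_RE.match(token)
    if m:
        lo, hi = _opt_int(m["idx_lo"]), _opt_int(m["idx_hi"])
        if hi is not None and hi < lo:
            raise ValueError(f"index range out of order: {token}")
        return ParamRef(
            kind="adjustable" if m["kind"] == "p" else "display",
            number=int(m["number"]),
            index_lo=lo,
            index_hi=hi,
            drive_object=_opt_int(m["do"]),
            bit=_opt_int(m["bit"]),
        )
    m = _MSG_RE.match(token)
    if m:
        return MessageRef(kind="fault" if m["kind"] == "F" else "alarm",
                          number=int(m["number"]))
    raise ValueError(f"not a SINAMICS parameter or message reference: {token!r}")


def is_valid(text: str) -> bool:
    try:
        parse_ref(text)
        return True
    except ValueError:
        return False


def find_refs(text: str) -> List[Ref]:
    """Extract every well-formed reference from free text (a report line, a log line)."""
    return [parse_ref(m.group(0)) for m in _TOKEN_RE.finditer(text)
            if is_valid(m.group(0))]


# Constructed sample line: the notation examples from the preface, nothing else.
SAMPLE_TEXT = ("Checked p0918, r1024, p1070[1], p2098[1].3, p0099[0...3], "
               "r0945[2](3) and p0795.4; logged F12345 and A67890.")

if __name__ == "__main__":
    for ref in find_refs(SAMPLE_TEXT):
        print(f"{ref!r:72} -> {ref.describe()}")
```

Leading zeros in the number are dropped when describing (p0918 becomes "Adjustable parameter 918"), exactly as the preface does. A reversed index range such as p0099[3...0] is rejected rather than silently accepted, so a mangled reference in a report does not pass as a valid one.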

ESD Notes

CAUTION

Electrostatic sensitive devices (ESD) are single components, integrated circuits or devices
that can be damaged by electrostatic fields or electrostatic discharges.
Regulations for the ESD handling:
During the handling of electronic components, pay attention to the grounding of the person,
workplace and packaging!
Electronic components may be touched by persons only when
• these persons are grounded using an ESD bracelet, or
• these persons in ESD areas with a conducting floor wear ESD shoes or ESD grounding
straps.
Electronic components should be touched only when this is unavoidable. The touching is
permitted only on the front panel or on the circuit board edge.
Electronic components must not be brought into contact with plastics or clothing made of
artificial fibers.
Electronic components may only be placed on conducting surfaces (table with ESD coating,
conducting ESD foamed material, ESD packing bag, ESD transport container).
Electronic components may not be placed near display units, monitors or televisions
(minimum distance from the screen > 10 cm).
Measurements must only be taken on boards when the measuring instrument is grounded
(via protective conductors, for example) or the measuring probe is briefly discharged before
measurements are taken with an isolated measuring device (for example, touching a bare
metal housing).

Safety notices

DANGER

• Commissioning is absolutely prohibited until it has been completely ensured that the
machine, in which the components described here are to be installed, is in full
compliance with the provisions of the EC Machinery Directive.
• SINAMICS devices and AC motors must only be commissioned by suitably qualified
personnel.
• The personnel must take into account the information provided in the technical customer
documentation for the product, and be familiar with and follow the specified danger and
warning notices.
• When electrical equipment and motors are operated, the electrical circuits automatically
conduct a dangerous voltage.
• When the machine or system is operated, hazardous axis movements can occur.
• All work carried out on the electrical machine or system must be carried out with it in a
no-voltage condition.
• SINAMICS devices with three-phase motors must only be connected to the power
supply via an AC-DC residual-current-operated device with selective switching once
verification has been provided that the SINAMICS device is compatible with the
residual-current-operated device in accordance with IEC 61800-5-1, Section 5.2.11.2.

WARNING

• The successful and safe operation of this equipment and motors is dependent on
correct transport, proper storage, installation and mounting as well as careful operator
control, service and maintenance.
• For special versions of the drive units and motors, information and data in the Catalogs
and quotations additionally apply.
• In addition to the danger and warning information provided in the technical customer
documentation, the applicable national, local, and plant-specific regulations and
requirements must be taken into account.
• Only protective extra-low voltages (PELV, DVC-A) that comply with EN 60204-1:2006
can be connected to the connections and terminals between 0 V and 48 V.

CAUTION

• The motors can have surface temperatures of over +80 °C.
• For this reason, temperature-sensitive components such as cables or electronic
components must neither be in contact with nor be attached to the motor.
• When attaching the connecting cables, you must ensure that:
– they are not damaged,
– they are not under tension,
– they cannot come into contact with any rotating parts.

CAUTION
• As part of routine tests, SINAMICS devices are subject to a voltage test in accordance
with EN 61800-5-1. Before the voltage test is performed on the electrical equipment of
industrial machines to EN 60204-1:2006, Section 18.4, all connectors of SINAMICS
equipment must be disconnected/unplugged to prevent the equipment from being
damaged.
• Motors must be connected according to the circuit diagram provided; otherwise they
can be destroyed.

Note
When operated in dry areas, SINAMICS devices with three-phase motors conform to the
Low-Voltage Directive 2006/95/EC.

Table of contents

Preface ... 5
1 Standards and regulations ... 17
1.1 General information ... 17
1.1.1 Aims ... 17
1.1.2 Functional safety ... 18
1.2 Safety of machinery in Europe ... 18
1.2.1 Machinery Directive ... 19
1.2.2 Harmonized European Standards ... 19
1.2.3 Standards for implementing safety-related controllers ... 21
1.2.4 EN ISO 13849-1:2006 (previously EN 954-1) ... 23
1.2.5 EN 62061 ... 24
1.2.6 Series of standards EN 61508 (VDE 0803) ... 26
1.2.7 Risk analysis/assessment ... 27
1.2.8 Risk reduction ... 29
1.2.9 Residual risk ... 29
1.3 Machine safety in the USA ... 30
1.3.1 Minimum requirements of the OSHA ... 30
1.3.2 NRTL listing ... 30
1.3.3 NFPA 79 ... 31
1.3.4 ANSI B11 ... 31
1.4 Machine safety in Japan ... 32
1.5 Equipment regulations ... 32
1.6 Other safety-related issues ... 33
1.6.1 Information sheets issued by the Employer's Liability Insurance Association ... 33
1.6.2 Additional references ... 33
2 General information about SINAMICS Safety Integrated ... 35
2.1 Supported functions ... 35
2.2 Preconditions for the Safety Extended Functions ... 37
2.3 Controlling the Safety Integrated functions ... 38
2.4 Parameter, checksum, version, password ... 39
2.5 DRIVE-CLiQ rules for Safety Integrated Functions ... 42
3 System features ... 43
3.1 Certification ... 43
3.2 Safety instructions ... 43
3.3 Probability of failure of the safety functions ... 46
3.4 Response times ... 47
3.5 Residual risk ... 50
4 Safety Integrated Basic Functions ... 53
4.1 Safe Torque Off (STO) ... 53
4.2 Safe Stop 1 (SS1, time controlled) ... 57
4.3 Safe Brake Control (SBC) ... 59
4.4 Safety faults ... 62
4.5 Forced dormant error detection ... 64
5 Safety Integrated Extended Functions ... 65
5.1 Parking note ... 65
5.2 Safe Torque Off (STO) ... 65
5.2.1 Safe Torque Off with encoder ... 65
5.2.2 Encoderless Safe Torque Off ... 65
5.3 Safe Stop 1 (SS1) ... 66
5.3.1 Safe Stop 1 with encoder (time and acceleration controlled) ... 66
5.3.2 Encoderless Safe Stop 1 (time and speed controlled) ... 68
5.3.3 Integration ... 70
5.4 Safe Stop 2 (SS2) ... 71
5.5 Safe Operating Stop (SOS) ... 73
5.6 Safely-Limited Speed (SLS) ... 75
5.6.1 Safely-Limited Speed with encoder ... 75
5.6.2 Encoderless Safely Limited Speed ... 77
5.6.3 EPOS and Safely-Limited Speed ... 80
5.7 Safe Speed Monitor (SSM) ... 81
5.8 Safe Acceleration Monitor (SBR) ... 84
5.9 Safe Brake Ramp (SBR) ... 86
5.10 Safety faults ... 88
5.11 Message buffer ... 92
5.12 Safe actual value acquisition ... 94
5.13 Forced dormant error detection ... 100
6 Control of the safety functions ... 105
6.1 Overview of F-DI/F-DOs and of their structure ... 105
6.2 Control signals by way of terminals on the Control Unit and Motor/Power Module ... 106
6.3 Control via TM54F ... 110
6.3.1 TM54F design ... 110
6.3.2 F-DI function ... 111
6.3.3 Function of the F-DO ... 113
6.4 Activation via PROFIsafe ... 115
6.4.1 Setting up PROFIsafe communication ... 115
6.4.2 Structure of telegram 30 ... 116
6.4.2.1 Structure of telegram 30 (Basic Functions) ... 116
6.4.2.2 Structure of telegram 30 (Extended Functions) ... 118
7 Commissioning ... 121
7.1 Safety Integrated firmware versions ... 121
7.2 Commissioning Safety Integrated functions ... 122
7.2.1 Prerequisites for commissioning the Safety Integrated function ... 123
7.2.2 Default settings for commissioning Safety Integrated functions without an encoder ... 124
7.2.3 Standard commissioning of Safety Integrated functions ... 126
7.2.4 Setting the sampling times ... 127
7.3 Commissioning TM54F by means of STARTER/SCOUT ... 129
7.3.1 Basic sequence of commissioning ... 129
7.3.2 Configuration start screen ... 130
7.3.3 TM54F configuration ... 132
7.3.4 Test stop ... 134
7.3.4.1 Test stop modes of the TM54F ... 134
7.3.4.2 Test stop mode 1 ... 135
7.3.4.3 Test stop mode 2 ... 136
7.3.4.4 Test stop mode 3 ... 137
7.3.4.5 Test stop mode parameters ... 138
7.3.5 F-DI/F-DO configuration ... 139
7.3.6 Control interface of the drive group ... 141
7.4 Procedure for configuring PROFIsafe communication ... 142
7.4.1 Extended Functions: Configuring PROFIsafe communication ... 142
7.4.2 Basic Functions: Configuring PROFIsafe communication ... 146
7.4.2.1 Configuring PROFIsafe via PROFIBUS ... 147
7.5 PROFIsafe via PROFINET ... 156
7.5.1 Configuring PROFIsafe via PROFINET ... 156
7.5.2 Requirements for PROFIsafe communication ... 157
7.5.3 Configuring PROFIsafe via PROFINET ... 158
7.5.4 Initializing the drives ... 163
7.6 PROFIsafe configuration with STARTER (Basic Functions) ... 163
7.7 Commissioning a linear/rotary axis ... 168
7.8 Modular machine concept Safety Integrated ... 171
7.9 Information pertaining to component replacements ... 172
7.10 Information pertaining to series commissioning ... 173
8 Application examples ... 175
8.1 Input/output interconnections of a safety switching device with TM54F ... 175
8.2 Application examples ... 178
9 Acceptance tests and acceptance reports ... 179
9.1 Safety logbook ... 184
9.2 Acceptance reports ... 185
9.2.1 Plant description - Documentation part 1 ... 185
9.2.2 Description of safety functions - Documentation Part 2 ... 187
9.2.2.1 Function table ... 187
9.2.2.2 Safety Integrated functions used ... 187
9.2.2.3 Safety Integrated functions parameterized via TM54F ... 189
9.2.2.4 Safety equipment ... 190
9.3 Acceptance tests ... 190
9.3.1 Basic Functions ... 191
9.3.1.1 Safe Torque Off ... 191
9.3.1.2 Safe Stop 1 ... 193
9.3.1.3 Safe Brake Control ... 195
9.3.2 Extended Functions ... 196
9.3.2.1 Acceptance tests for Extended Functions ... 196
9.3.2.2 Safe Torque Off ... 197
9.3.2.3 Safe Stop 1 ... 199
9.3.2.4 Safe Brake Control ... 201
9.3.2.5 Safe Stop 2 ... 203
9.3.2.6 Safe Operating Stop ... 205
9.3.2.7 Safely Limited Speed ... 207
9.3.2.8 Safe Speed Monitor ... 212
9.4 Completion of certificate ... 214
A Appendix A ... 217
A.1 List of abbreviations ... 217
A.2 Document structure ... 226
Index ... 229

1 Standards and regulations
1.1 General information

1.1.1 Aims
Manufacturers and operating companies of equipment, machines, and products are
responsible for ensuring the required level of safety. This means that plants, machines, and
other equipment must be designed to be as safe as possible in accordance with the current
state of the art. To this end, the relevant standards describe the current state of the art for
all safety-relevant aspects. Observing the relevant standards ensures that state-of-the-art
technology has been applied and, in turn, that the erector of a plant or the manufacturer of a
machine or piece of equipment has fulfilled the corresponding responsibility.
Safety systems are designed to minimize potential hazards for both people and the
environment by means of suitable technical equipment, without restricting industrial
production and the use of machines more than is necessary. The protection of people and
the environment must be assigned equal importance in all countries, which is why it is
important that internationally harmonized rules and regulations are applied. This also avoids
distortions of competition caused by different safety requirements in different countries.
There are different concepts and requirements in the various regions and countries of the
world when it comes to ensuring the appropriate degree of safety. The legislation and the
requirements of how and when proof is to be given and whether there is an adequate level of
safety are just as different as the assignment of responsibilities.
The most important thing for manufacturers of machines and companies that set up plants
and systems is that the legislation and regulations in the country where the machine or plant
is being operated apply. For example, the control system for a machine that is to be used in
the US must fulfill local US requirements even if the machinery construction company (OEM)
is based in the European Economic Area (EEA).


1.1.2 Functional safety


Safety, from the perspective of the object to be protected, cannot be split up. The causes of
hazards and, in turn, the technical measures to avoid them can vary significantly. This is why
a differentiation is made between different types of safety (e.g. by specifying the cause of
possible hazards). "Functional safety" is involved when safety depends on the correct
functioning of a control system.
To ensure the functional safety of a machine or plant, the safety-related parts of the
protection and control devices must function correctly. In addition, the systems must behave
in such a way that the plant either remains in a safe state or is brought into a safe state if a
fault occurs. This requires specially qualified technology that fulfills the requirements
described in the associated standards. The requirements to achieve functional safety are
based on the following basic goals:
● Avoiding systematic faults
● Controlling systematic faults
● Controlling random faults or failures
Benchmarks for establishing whether or not a sufficient level of functional safety has been
achieved include the probability of hazardous failures, the fault tolerance, and the quality that
is to be ensured by minimizing systematic faults. The standards express this using different
terms:
● IEC/EN 61508, IEC/EN 62061, IEC/EN 61800-5-2: "Safety Integrity Level" (SIL)
● EN ISO 13849-1:2006: "Categories" and "Performance Level" (PL)

1.2 Safety of machinery in Europe


The EU Directives that apply to placing products on the market are based on Article 95 of the
EC Treaty, which regulates the free movement of goods. They follow the "new approach" and
"global approach":
● EU Directives only specify general safety goals and define basic safety requirements.
● Technical details can be defined by means of standards drawn up by the standards
organizations (CEN, CENELEC) mandated by the European Commission. These
standards are harmonized in line with a specific directive and listed in the Official Journal
of the European Union. Legislation does not specify that certain standards have to be
observed. When the harmonized standards are observed, it can be assumed that the
safety requirements and specifications of the Directives involved have been fulfilled.
● EU Directives specify that the Member States must mutually recognize domestic
regulations.
The EU Directives have equal standing. This means that if several Directives apply to a
specific piece of equipment or device, the requirements of all of the relevant Directives apply
(e.g. for a machine with electrical equipment, the Machinery Directive and the Low-Voltage
Directive apply).


1.2.1 Machinery Directive


The basic safety and health requirements specified in Annex I of the Directive must be
fulfilled for the safety of machines.
The protective goals must be implemented responsibly to ensure compliance with the
Directive.
Manufacturers of a machine must verify that their machine complies with the basic
requirements. This verification is facilitated by means of harmonized standards.

1.2.2 Harmonized European Standards


The two standards organizations CEN (Comité Européen de Normalisation) and CENELEC
(Comité Européen de Normalisation Électrotechnique), mandated by the EU Commission,
drew up harmonized European standards in order to specify precisely the requirements of
the EC directives for a specific product. These standards (EN standards) are published in the
Official Journal of the European Union and must be adopted without revision as national
standards. They are designed to fulfill the basic health and safety requirements and the
protective goals specified in Annex I of the Machinery Directive.
When the harmonized standards are observed, it is "automatically assumed" that the
Directive is fulfilled. Manufacturers can therefore assume that they have observed those
safety aspects of the Directive that are covered by the standard.
However, not every European standard is harmonized in this sense. What counts is the
listing in the Official Journal of the European Union.
The European standards regarding the safety of machines are structured in a hierarchical
manner as follows:
● A standards (basic standards)
● B standards (group standards)
● C standards (product standards)

Type A standards/basic standards


A standards include basic terminology and definitions relating to all types of machine. This
includes EN ISO 12100 (previously EN 292) "Safety of Machines, Basic Terminology,
General Design Principles."
A standards are aimed primarily at the bodies responsible for setting the B and C standards.
The measures specified here for minimizing risk, however, may also be useful for
manufacturers if no applicable C standards have been defined.


Type B standards/group standards


B standards cover all safety-related standards for various different machine types. B
standards are aimed primarily at the bodies responsible for setting C standards. They can
also be useful for manufacturers during the machine design and construction phases,
however, if no applicable C standards have been defined.
A further sub-division has been made for B standards:
● Type B1 standards for higher-level safety aspects (e.g. ergonomic principles, safety
clearances from sources of danger, minimum clearances to prevent parts of the body
from being crushed).
● Type B2 standards for protective safety devices are defined for different machine types
(e.g. EMERGENCY STOP devices, two-hand operating circuits, interlocking elements,
contactless protective devices, safety-related parts of controls).

Type C standards/product standards


C standards are product-specific standards (e.g. for machine tools, woodworking machines,
elevators, packaging machines, printing machines, etc.). Product standards list requirements
for specific machines. The requirements can, under certain circumstances, deviate from the
basic and group standards. Type C/product standards have the highest priority for machine
manufacturers: a manufacturer who observes them can assume that the machine fulfills the
basic requirements of Annex I of the Machinery Directive (automatic presumption of
conformity). If no product standard has been defined for a particular machine, type B
standards can be applied when the machine is constructed.
A complete list of the standards specified and the mandated draft standards are available on
the Internet at the following address:
http://www.newapproach.org/
Recommendation: Due to the rapid pace of technical development and the associated
changes in machine concepts, the standards (and C standards in particular) should be
checked to ensure that they are up to date. Please note that the application of a particular
standard may not be mandatory provided that all the safety requirements of the applicable
EU directives are fulfilled.


1.2.3 Standards for implementing safety-related controllers


If the functional safety of a machine depends on control functions, the controller must be
implemented in such a way that the probability of the safety functions failing is sufficiently
low. The standards EN ISO 13849-1:2006 (previously EN 954-1) and EN 62061 define
principles for implementing safety-related machine controllers which, when properly applied,
ensure that the relevant safety requirements of the EC Machinery Directive are fulfilled.

Figure 1-1 Standards for implementing safety-related controllers

(Figure content: EN 62061, "Safety of machinery: functional safety of safety-related
electrical, electronic, programmable electronic control systems", covers any architecture and
all SIL; it is the sector standard for machinery beneath EN 61508. EN ISO 13849-1, "Safety
of machinery: safety-related parts of control systems", uses designated architectures with a
limited maximum PL for electronics; for deviations from the designated architectures it refers
to EN 61508. Both rest on EN 61508, "Functional safety of safety-related
electrical/electronic/programmable electronic systems", parts 1 to 7, the universal concept for
E/E/PE systems that execute safety functions and/or ensure functional safety.)

The application areas of EN ISO 13849-1:2006, EN 62061, and EN 61508 are very similar.
To help users make an appropriate decision, the IEC and ISO associations have specified
the application areas of both standards in a joint table in the introduction to the standards.
Either EN ISO 13849-1:2006 or EN 62061 is applied, depending on the technology
(mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic), risk
classification, and architecture.


Systems for executing safety-related control functions, and how each standard covers them:

A  Non-electrical (e.g. hydraulic, pneumatic)
   EN ISO 13849-1:2006: X
   EN 62061: not covered

B  Electromechanical (e.g. relay and/or basic electronics)
   EN ISO 13849-1:2006: restricted to the designated architectures (see comment 1) and
   max. up to PL = e
   EN 62061: all architectures and max. up to SIL 3

C  Complex electronics (e.g. programmable electronics)
   EN ISO 13849-1:2006: restricted to the designated architectures (see comment 1) and
   max. up to PL = d
   EN 62061: all architectures and max. up to SIL 3

D  Technology A combined with technology B
   EN ISO 13849-1:2006: restricted to the designated architectures (see comment 1) and
   max. up to PL = e
   EN 62061: X, see comment 3

E  Technology C combined with technology B
   EN ISO 13849-1:2006: restricted to the designated architectures (see comment 1) and
   max. up to PL = d
   EN 62061: all architectures and max. up to SIL 3

F  Technology C combined with technology A, or technology C combined with
   technologies A and B
   EN ISO 13849-1:2006: X, see comment 2
   EN 62061: X, see comment 3

"X" indicates that the point is covered by this standard.
Comment 1:
Designated architectures are described in Annex B of EN ISO 13849-1:2006 and provide a simplified basis for the
quantification.
Comment 2:
For complex electronics: use the designated architectures in compliance with EN ISO 13849-1:2006 up to PL = d, or
any architecture in compliance with EN 62061.
Comment 3:
For non-electrical systems: use parts that comply with EN ISO 13849-1:2006 as sub-systems.


1.2.4 EN ISO 13849-1:2006 (previously EN 954-1)


A qualitative analysis (to EN 954-1) is not sufficient for modern controllers due to their
technology. Among other things, EN 954-1 does not take into account time behavior (e.g.
test interval and/or cyclic test, lifetime). This led to the probability-based approach of EN ISO
13849-1:2006 (probability of failure per time unit).
EN ISO 13849-1:2006 is based on the familiar categories used in EN 954-1. It now also
takes into account complete safety functions and all the devices required to execute these.
In addition to the qualitative approach of EN 954-1, EN ISO 13849-1:2006 now includes a
quantitative analysis of the safety functions. Performance levels (PL), which are based on
the categories, are used. The following safety-related characteristic quantities are required
for devices/equipment:
● Category (structural requirement)
● PL: Performance level
● MTTFd: Mean time to dangerous failure
● DC: Diagnostic coverage
● CCF: Common cause failure

The standard describes how the performance level (PL) is calculated for safety-related
components of the controller on the basis of designated architectures. In the event of any
deviations from this, EN ISO 13849-1:2006 refers to EN 61508.
When combining several safety-related parts to form a complete system, the Standard
explains how to determine the resulting PL.

Note
Since May 2007, EN ISO 13849-1:2006 has been harmonized as part of the Machinery
Directive. EN 954-1 will still apply until November 30, 2009.


1.2.5 EN 62061
EN 62061 (identical to IEC 62061) is a sector-specific standard subordinate to IEC/EN
61508. It describes the implementation of safety-related electrical machine control systems
and looks at the complete lifecycle, from the conceptual phase to decommissioning.
The standard is based on the quantitative and qualitative analyses of safety functions,
whereby it systematically applies a top-down approach to implementing complex control
systems (known as "functional decomposition"). The safety functions derived from the risk
analysis are sub-divided into sub-safety functions, which are then assigned to real devices,
sub-systems, and sub-system elements. Both the hardware and software are covered.
EN 62061 also describes requirements regarding the implementation of application
programs.
A safety-related control system comprises different sub-systems. From a safety
perspective, each sub-system is described in terms of its SIL claim limit (SIL CL) and PFHD
characteristic quantities.
Programmable electronic devices (e.g. PLCs or variable-speed drives) must fulfill EN 61508.
They can then be integrated in the controller as sub-systems. The following safety-related
characteristic quantities must be specified by the manufacturers of these devices.
Safety-related characteristic quantities for subsystems:
● SIL CL: SIL claim limit
● PFHD: Probability of dangerous failures per hour
● T1: Lifetime
Simple sub-systems (e.g. sensors and actuators) in electromechanical components can, in
turn, comprise sub-system elements (devices) interconnected in different ways with the
characteristic quantities required for determining the relevant PFHD value of the sub-system.
Safety-related characteristic quantities for subsystem elements (devices):
● λ: Failure rate
● B10 value: For elements that are subject to wear
● T1: Lifetime
For electromechanical devices, a manufacturer specifies a failure rate λ with reference to the
number of operating cycles. The failure rate per unit time and the lifetime must be
determined using the switching frequency for the particular application.


Parameters of a sub-system built from sub-system elements that must be defined during the
design phase:
● T2: Diagnostic test interval
● β: Susceptibility to common cause failure
● DC: Diagnostic coverage
The PFHD value of the safety-related controller is determined by adding the individual PFHD
values of its sub-systems.
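The following worked example is added here as an illustration; it is not part of the Siemens manual and not code from any Siemens tool. It carries the quantities of sections 1.2.4 and 1.2.5 through in Python: a B10d value and the application's switching frequency are converted into a dangerous failure rate (EN 62061) or an MTTFd (EN ISO 13849-1), the PFHD values of the sub-systems are added up and compared with the SIL bands, and the achieved SIL is capped by the lowest SIL CL in the chain. The formulas are those of the standards cited above (EN 62061 basic architectures A and B, ISO 13849-1 Annexes C, D and E); every numerical input (B10d, switching frequency, β, T1, the sensor and logic PFHD values and SIL CL values) is a constructed sample value, not data for any real device.

```python
"""Added worked example, not from the SINAMICS manual: combining the
EN 62061 and EN ISO 13849-1 characteristic quantities of 1.2.4 / 1.2.5.
All numeric inputs are constructed sample values, not vendor data."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


# ---------------- EN 62061: element -> sub-system -> whole safety function ----
def lambda_d_wear(b10d: float, cycles_per_hour: float) -> float:
    """Dangerous failure rate per hour of a wear element from its B10d value
    (cycles until 10 % have failed dangerously) and the switching frequency C
    of the application: lambda_D = 0.1 * C / B10d."""
    return 0.1 * cycles_per_hour / b10d


def pfhd_arch_a(*lambda_d: float) -> float:
    """Basic sub-system architecture A (single channel, no diagnostics):
    PFHD = sum of the element dangerous failure rates x 1 h."""
    return sum(lambda_d)


def pfhd_arch_b(l1: float, l2: float, beta: float, t1_hours: float) -> float:
    """Basic sub-system architecture B (two channels, no diagnostics):
    PFHD = (1-beta)^2 * l1 * l2 * T1 + beta * (l1 + l2) / 2,
    beta = common cause factor, T1 = lifetime or proof test interval in hours."""
    return (1 - beta) ** 2 * l1 * l2 * t1_hours + beta * (l1 + l2) / 2


# PFHD bands per SIL (EN 62061 Table 3): lower bound inclusive, upper exclusive
SIL_BANDS = ((3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))


def sil_from_pfhd(pfhd: float):
    """SIL that a PFHD value supports; None if it is too high for any SIL."""
    if pfhd < 1e-8:
        return 3                      # EN 62061 does not claim more than SIL 3
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfhd < hi:
            return sil
    return None


@dataclass
class Subsystem:
    name: str
    sil_cl: int      # SIL claim limit stated by the device manufacturer
    pfhd: float      # probability of dangerous failure per hour


def achieved_sil(subsystems):
    """(sum of PFHD, SIL) for a safety function built from sub-systems: the
    PFHD values add up, and the result can never exceed the lowest SIL CL."""
    total = sum(s.pfhd for s in subsystems)
    by_pfhd = sil_from_pfhd(total)
    if by_pfhd is None:
        return total, None
    return total, min(by_pfhd, min(s.sil_cl for s in subsystems))


# ---------------- EN ISO 13849-1: MTTFd, DCavg and the PFHD bands of the PL ---
def mttfd_wear(b10d: float, nop_per_year: float) -> float:
    """MTTFd in years of a wear component (Annex C: B10d / (0.1 * nop))."""
    return b10d / (0.1 * nop_per_year)


def channel_mttfd(component_mttfds) -> float:
    """Parts count method, 1/MTTFd = sum(1/MTTFd_i) (Annex D), capped at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m in component_mttfds))


def symmetrised_mttfd(c1: float, c2: float) -> float:
    """MTTFd of two redundant channels with different values (Annex D.2)."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_band(mttfd_years: float):
    """Table 5 of ISO 13849-1; below 3 years the channel is not usable."""
    if mttfd_years < 3:
        return None
    return "low" if mttfd_years < 10 else "medium" if mttfd_years < 30 else "high"


def dc_avg(dc_and_mttfd) -> float:
    """Average diagnostic coverage weighted by failure rate (Annex E)."""
    return sum(dc / m for dc, m in dc_and_mttfd) / sum(1.0 / m for _, m in dc_and_mttfd)


def dc_band(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def pl_band_from_pfhd(pfhd: float):
    """PL band a PFHD value falls into (ISO 13849-1 Table 3). The PL itself is
    fixed by category + DCavg + MTTFd; this is only the PFHD side of the check."""
    for pl, lo, hi in (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
                       ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)):
        if lo <= pfhd < hi:
            return pl
    return None


if __name__ == "__main__":
    # Constructed sample: two contactors, B10d = 2e6 cycles, switched 10 times per
    # hour, redundant without diagnostics (architecture B), beta = 5 %, T1 = 20 years.
    ld = lambda_d_wear(2e6, 10)                                  # 5e-7 per hour each
    actuator = pfhd_arch_b(ld, ld, beta=0.05, t1_hours=20 * HOURS_PER_YEAR)
    chain = [Subsystem("sensor", 3, 1e-8), Subsystem("logic", 3, 2e-9),
             Subsystem("actuator", 2, actuator)]
    total, sil = achieved_sil(chain)
    print(f"sum PFHD = {total:.3e}/h -> SIL {sil} "
          f"(PFHD alone would allow SIL {sil_from_pfhd(total)})")
    # Same contactor under ISO 13849-1 at 100 000 operations/year, 50-year part in series
    ch = channel_mttfd([mttfd_wear(2e6, 100_000), 50.0])
    print(f"MTTFd per channel = {ch:.1f} years ({mttfd_band(ch)}), "
          f"DCavg = {dc_avg([(0.99, 200.0), (0.60, 50.0)]):.3f}")
```

Running the script shows a chain whose summed PFHD lies in the SIL 3 band but whose actuator sub-system only carries SIL CL 2, so the safety function as a whole reaches SIL 2; this is the cap implied when each sub-system is characterized by SIL CL as well as PFHD. The ISO 13849-1 helpers stop at MTTFd, DCavg and the PFHD band on purpose: the final PL must still be read from the category/DCavg/MTTFd table of the standard, which this example does not reproduce.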
The user has the following options when setting up a safety-related controller:
● Use devices and sub-systems that already comply with EN ISO 13849-1:2006, IEC/EN
61508, or IEC/EN 62061. The standard provides information specifying how qualified
devices can be integrated when safety functions are implemented.
● Develop own subsystems:
– Programmable, electronic systems and complex systems: Application of EN 61508 or
EN 61800-5-2.
– Simple devices and subsystems: Application of EN 62061.

EN 62061 does not include information about non-electric systems. The standard provides
detailed information on implementing safety-related electrical, electronic, and programmable
electronic control systems. EN ISO 13849-1:2006 must be applied for non-electrical systems.

Note
Details of simple sub-systems that have been implemented and integrated are now available
as "functional examples".

Note
IEC 62061 has been ratified as EN 62061 in Europe and harmonized as part of the
Machinery Directive.


1.2.6 Series of standards EN 61508 (VDE 0803)


This series of standards describes the current state of the art.
EN 61508 is not harmonized in line with any EU directives, which means that an automatic
presumption of conformity for fulfilling the protective requirements of a directive is not
implied. The manufacturer of a safety-related product, however, can also use EN 61508 to
fulfill basic requirements of European directives in accordance with the latest conceptual
design, for example, in the following cases:
● If no harmonized standard exists for the application in question. In this case, the
manufacturer can use EN 61508, although no presumption of conformity exists here.
● A harmonized European standard (e.g. EN 62061, EN ISO 13849:2006, EN 60204-1)
references EN 61508. This ensures that the appropriate requirements of the directives
are fulfilled ("standard that is also applicable"). When manufacturers apply EN 61508
properly and responsibly in accordance with this reference, they can use the presumption
of conformity of the referencing standard.

EN 61508 covers all the aspects that must be taken into account when E/E/PES systems
(electrical, electronic, and programmable electronic System) are used in order to execute
safety functions and/or to ensure the appropriate level of functional safety. Other hazards
(e.g. electric shock) are, like EN ISO 13849:2006, not part of the standard.
EN 61508 has recently been declared the "International Basic Safety Publication", which
makes it a framework for other, sector-specific standards (e.g. EN 62061). As a result, this
standard is now accepted worldwide, particularly in North America and in the automotive
industry. Today, many regulatory bodies already stipulate it (e.g. as a basis for NRTL listing).
Another recent development with respect to EN 61508 is its system approach, which extends
the technical requirements to include the entire safety installation from the sensor to the
actuator, the quantification of the probability of hazardous failure due to random hardware
failures, and the creation of documentation covering all phases of the safety-related lifecycle
of the E/E/PES.


1.2.7 Risk analysis/assessment


Risks are intrinsic in machines due to their design and functionality. For this reason, the
Machinery Directive requires that a risk assessment be performed for each machine and, if
necessary, the level of risk reduced until the residual risk is less than the tolerable risk.
To assess these risks, the following standards must be applied:
● EN ISO 12100-1 "Safety of Machinery - basic terminology, general principles for design"
● EN ISO 13849-1:2006 (previously EN 954-1) "Safety of machinery"
● EN ISO 14121-1 (previously EN 1050, Paragraph 5) "Safety of machinery - Risk
assessment"

EN ISO 12100-1 focuses on the risks to be analyzed and the design principles for minimizing
risk. EN ISO 14121-1 describes the iterative process for assessing and minimizing risk to
achieve the required level of safety.
The risk assessment is a procedure that allows hazards resulting from machines to be
systematically investigated. Where necessary, the risk assessment is followed by a risk
reduction procedure. When the procedure is repeated, this is known as an iterative process.
This can help eliminate hazards (as far as this is possible) and can act as a basis for
implementing suitable protective measures.
The risk assessment involves the following:
● Risk analysis
– Determining the limits of the machine (EN ISO 12100-1, EN ISO 14121-1 Paragraph 5)
– Identifying the hazards (EN ISO 12100-1, EN ISO 14121-1 Paragraph 6)
– Estimating the level of risk (EN ISO 14121-1 Paragraph 7, previously EN 1050)
● Risk evaluation (EN ISO 14121-1 Paragraph 8)

As part of the iterative process to achieve the required level of safety, the risk evaluation is
carried out after the risk estimation. A decision must be made here as to whether the
residual risk needs to be reduced. If the risk is to be further reduced, suitable protective
measures must be selected and applied. The risk assessment must then be repeated.


Figure 1-2 Iterative process to achieve the required level of safety to ISO 14121-1

(Flowchart: START -> determining the machine limits -> identifying the potential hazards ->
risk estimation -> risk evaluation -> "Is the machine safe?" Yes: END. No: risk reduction,
then back to the start of the loop. The first three steps form the risk analysis; risk analysis
plus risk evaluation form the risk assessment. Minimizing risks and selecting suitable
protective measures are not part of the risk assessment.)

Risks must be reduced by designing and implementing the machine accordingly (e.g. by
means of controllers or protective measures suitable for the safety-related functions).
If the protective measures involve the use of interlocking or control functions, these must be
designed in accordance with EN ISO 13849-1:2006. For electrical and electronic controls,
EN 62061 can be used as an alternative to EN ISO 13849-1:2006. Electronic controls and
bus systems must also comply with IEC/EN 61508.


1.2.8 Risk reduction


Risk reduction measures for a machine can be implemented by means of safety-related
control functions in addition to structural measures. To implement these control functions,
special requirements graded according to the magnitude of the risk must be taken into
account. These are described in EN ISO 13849-1:2006 or, in the case of electrical controllers
(particularly programmable electronics), in EN 61508 or EN 62061. The requirements
regarding safety-related controller components are graded according to the magnitude of the
risk and the level to which the risk needs to be reduced.
EN ISO 13849-1:2006 defines a risk graph from which the required Performance Level (PL)
is derived; the hierarchical PLs, rather than the categories alone, are the graded measure of
the required risk reduction.
IEC/EN 62061 uses the "Safety Integrity Level" (SIL) for classification purposes. This is a
quantified measure of the safety-related performance of a controller. The required SIL is also
determined in accordance with the risk assessment principle of ISO 14121 (EN 1050). Annex
A of the standard describes a method for determining the required Safety Integrity Level (SIL).
Regardless of which standard is applied, steps must be taken to ensure that all the machine
controller components required for executing the safety-related functions fulfill these
requirements.

1.2.9 Residual risk


In today's technologically advanced world, the concept of safety is relative. In practice, the
ability to ensure safety to the extent that risk is permanently excluded – "zero-risk guarantee" –
is impossible. The residual risk is the risk that remains once all the relevant protective
measures have been implemented in accordance with the latest state of the art.
Machine/plant documentation must always refer to the residual risk (user information to
EN ISO 12100-2).


1.3 Machine safety in the USA


A key difference in the legal requirements regarding safety at work between the USA and
Europe is that, in the USA, no legislation exists regarding machinery safety that is applicable
in all of the states and that defines the responsibility of the manufacturers/supplier. A general
requirement exists stating that employers must ensure a safe workplace.

1.3.1 Minimum requirements of the OSHA


The Occupational Safety and Health Act (OSHA) from 1970 regulates the requirement that
employers must offer a safe place of work. The core requirements of OSHA are specified in
Section 5 "Duties".
The requirements of the OSH Act are managed by the "Occupational Safety and Health
Administration" (also known as OSHA). OSHA employs regional inspectors who check
whether or not workplaces comply with the applicable regulations.
The OSHA regulations are described in OSHA 29 CFR 1910.xxx ("OSHA Regulations (29
CFR) PART 1910 Occupational Safety and Health"). (CFR: Code of Federal Regulations.)
http://www.osha.gov
The application of standards is regulated in 29 CFR 1910.5 "Applicability of standards".
The concept is similar to that used in Europe. Product-specific standards have priority over
general standards insofar as they cover the relevant aspects. Once the standards are
fulfilled, employers can assume that they have fulfilled the core requirements of the OSH Act
with respect to the aspects covered by the standards.
In conjunction with certain applications, OSHA requires that all electrical equipment and
devices that are used to protect workers be authorized by an OSHA-certified, "Nationally
Recognized Testing Laboratory" (NRTL) for the specific application.
In addition to the OSHA regulations, the current standards defined by organizations such as
NFPA and ANSI must be carefully observed and the extensive product liability legislation
that exists in the US taken into account. Due to the product liability legislation, it is in the
interests of manufacturing and operating companies that they carefully maintain the
applicable regulations and are "forced" to fulfill the requirement to use state-of-the-art
technology.
Third-party insurance companies generally demand that their customers fulfill the applicable
standards of the standards organizations. Self-insured companies are not initially subject to
this requirement but, in the event of an accident, they must provide verification that they
have applied generally-recognized safety principles.

1.3.2 NRTL listing


To protect employees, all electrical equipment used in the USA must be certified for the
planned application by a "Nationally Recognized Testing Laboratory" (NRTL) certified by the
OSHA. NRTLs are authorized to certify equipment and material by means of listing, labeling,
or similar. Domestic standards (e.g. NFPA 79) and international standards (e.g. IEC/EN 61508
for E/E/PES systems) are the basis for testing.


1.3.3 NFPA 79
NFPA 79 (Electrical Standard for Industrial Machinery) applies to the electrical equipment of
industrial machines with rated voltages of less than 600 V. A group of machines that operate
with one another in a coordinated fashion is also considered to be a machine.
For programmable electronics and communication buses, NFPA 79 states as a basic
requirement that these must be listed if they are to be used to implement and execute safety-
related functions. If this requirement is fulfilled, electronic controls and communication buses
can also be used for emergency stop functions, Categories 0 and 1 (refer to NFPA 79
9.2.5.4.1.4). Like EN 60204-1, NFPA 79 no longer specifies that the electrical energy must
be disconnected by electromechanical means for emergency stop functions.
The core requirements regarding programmable electronics and communication buses are
the system requirements (see NFPA 79 9.4.3):
1. Control systems that contain software-based controllers must:
– In the event of a single fault
(a) cause the system to switch to a safe shutdown mode
(b) prevent the system from restarting until the fault has been rectified
(c) prevent an unexpected restart
– Offer the same level of protection as hard-wired controllers
– Be implemented in accordance with a recognized standard that defines the
requirements for such systems.
2. IEC 61508, IEC 62061, ISO 13849-1/-2:2006, and IEC 61800-5-2 are specified as
suitable standards in a note.

Underwriters Laboratories (UL) has defined a special category for "Programmable Safety
Controllers" for implementing this requirement (code NRGF). This category covers control
devices that contain software and are designed for use in safety-related functions.
A precise description of the category and a list of devices that fulfill this requirement can be
found on the Internet at the following address:
http://www.ul.com → certifications directory → UL Category code / Guide information → search
for category "NRGF"

TUV Rheinland of North America, Inc. is also an NRTL for these applications.

1.3.4 ANSI B11


ANSI B11 standards are joint standards developed by associations such as the Association
for Manufacturing Technology (AMT) and the Robotic Industries Association (RIA).
The hazards of a machine are evaluated by means of a risk analysis/assessment. Risk
analysis is an important requirement in accordance with NFPA 79, ANSI/RIA 15.06, ANSI
B11.TR-3 and SEMI S10 (semiconductors). The documented findings of a risk analysis can
be used to select a suitable safety system based on the safety class of the application in
question.


1.4 Machine safety in Japan


The situation in Japan is different from that in Europe and the US. Legislation such as that
prescribed in Europe does not exist. Similarly, product liability does not play such an
important role as it does in the US.
Instead of legal requirements to apply standards, an administrative recommendation to apply
JIS (Japanese Industrial Standards) is in place: Japan bases its approach on the European
concept and uses basic standards as national standards (see table).

Table 1-1 Japanese standards

ISO/IEC number        | JIS number                  | Comments
ISO 12100-1           | JIS B 9700-1                | Earlier designation TR B 0008
ISO 12100-2           | JIS B 9700-2                | Earlier designation TR B 0009
ISO 14121-1 / EN 1050 | JIS B 9702                  |
ISO 13849-1:2006      | JIS B 9705-1                |
ISO 13849-2:2006      | JIS B 9705-1                |
IEC 60204-1           | JIS B 9960-1                | Without annex F or route map of the European foreword
IEC 61508-0 to -7     | JIS C 0508                  |
IEC 62061             | JIS number not yet assigned |

1.5 Equipment regulations


In addition to the requirements of the guidelines and standards, company-specific
requirements must be taken into account. Large corporations in particular (e.g. automobile
manufacturers) make stringent demands regarding automation components, which are often
listed in their own equipment specifications.
Safety-related issues (e.g. operating modes, operator actions with access to hazardous
areas, EMERGENCY STOP concepts, etc.) should be clarified with customers early on so
that they can be integrated in the risk assessment/risk reduction process.


1.6 Other safety-related issues

1.6.1 Information sheets issued by the Employer's Liability Insurance Association


Safety-related measures to be implemented cannot always be derived from directives,
standards, or regulations. In this case, supplementary information and explanations are
required.
Some regulatory bodies issue publications on an extremely wide range of subjects.
Information sheets covering the following areas are available, for example:
● Process monitoring in production environments
● Axes subject to gravitational force
● Roller pressing machines
● Lathes and turning centers - purchasing/selling
These information sheets issued by specialist committees can be obtained by all interested
parties (e.g. to provide support in factories, or when regulations or safety-related measures
for plants and machines are defined). These information sheets provide support for the fields
of machinery construction, production systems, and steel construction.
You can download the information sheets from the following Internet address (website is in
German, although some of the sheets are available in English):
http://www.bg-metall.de/
Click the "Downloads" quick link and select the category "Informationsblätter der
Fachausschüsse".

1.6.2 Additional references


● Safety Integrated: The Safety System for Industry (5th Edition and supplement), order no.
6ZB5 000-0AA01-0BA1
● Safety Integrated - Terms and Standards - Machine Safety Terminology (Edition
04/2007), order no. E86060-T1813-A101-A1


2 General information about SINAMICS Safety Integrated
2.1 Supported functions
All of the Safety Integrated functions available under SINAMICS S120 are listed in this
chapter. A distinction is made between Safety Integrated Basic Functions and Safety
Integrated Extended Functions.
The functions listed here are in conformance with the IEC 61508 standard, SIL2, in the high
demand mode, Category 3 and Performance Level d (PL d) according to ISO 13849-1
(2006), as well as IEC 61800-5-2.
The following Safety Integrated functions (SI functions) are available:
● Safety Integrated basic functions
These functions are part of the standard scope of the drive and can be used without
requiring an additional license:
– Safe Torque Off (STO)
STO is a safety function that prevents the drive from restarting unexpectedly, in
accordance with EN 60204-1:2006 Section 5.4.
– Safe Stop 1 (SS1, time controlled)
Safe Stop 1 is based on the "Safe Torque Off" function. This means that a Category 1
stop in accordance with EN 60204-1:2006 can be implemented.
– Safe Brake Control (SBC)
The SBC function permits the safe control of a holding brake.
Note regarding Power/Motor Modules in chassis format:
For the chassis format, SBC is only supported by Power/Motor Modules with order
number ...3 or higher.
Note regarding Power/Motor Modules in blocksize format:
Blocksize Power Modules additionally require a Safe Brake Relay for this function.


● Safety Integrated Extended Functions


– Safe Torque Off (STO)
STO is a safety function that prevents the drive from restarting unexpectedly, in
accordance with EN 60204-1:2006 Section 5.4.
– Safe Stop 1 (SS1, time and acceleration controlled)
The SS1 function is based on the “Safe Torque Off” function. This means that a
Category 1 stop in accordance with EN 60204-1:2006 can be implemented.
– Safe Stop 2 (SS2)
The SS2 function brakes the motor safely with a subsequent transition to "Safe
Operating Stop" (SOS). This means that a Category 2 stop in accordance with EN
60204-1:2006 can be implemented.
– Safe Operating Stop (SOS)
SOS protects against unintentional movement. The drive is in closed-loop control
mode and is not disconnected from the power supply.
– Safely-Limited Speed (SLS)
The "Safely-Limited Speed" (SLS) protects against excessively high drive speeds.
– Safe Speed Monitor (SSM)
The SSM function safely monitors the speed limit and issues a safe output signal, but
without initiating a response function.
– Safe Acceleration Monitor (SBR)
The Safe Acceleration Monitor function safely monitors a drive when it accelerates.
It is a part of the SS1 and SS2 functions.
– Safe Brake Ramp (SBR)
The Safe Brake Ramp function safely monitors a braking ramp. It is a part of the SS1
encoderless and SLS encoderless functions.


2.2 Preconditions for the Safety Extended Functions


● A license is required to use the Safety Integrated Extended Functions. The associated
license key is entered in parameter p9920 in ASCII code. The license key is activated
using parameter p9921 = 1. For information on how to generate the license key for the
product "SINAMICS Safety Integrated Extended Functions", read the section "Licensing"
in the SINAMICS S120 Function Manual. An insufficient license is indicated via the
following alarm and LED:
– A13000 --> License not sufficient
– LED RDY --> Flashes green/red at 0.5 Hz
● Control via PROFIsafe or TM54F
● An activated speed controller in the drive
● Overview of hardware components that support the Extended Functions:
– Control Unit CU320-2
– Motor Modules Booksize where the order number ends as follows: ...3 or higher
– Motor Modules Booksize Compact
– Motor Modules Chassis where the order number ends as follows: ...3 or higher
– Motor Modules Cabinet where the order number ends with ...2 or higher
– Power Modules Blocksize
– Control Unit adapter CUA31 with order no.: 6SL3040-0PA00-0AA1
– Control Unit adapter CUA32 with order no.: 6SL3040-0PA01-0AA0
– Sensor Module SMC20, SME20/25/120/125, SMI20
– Motors with integrated encoder and encoder evaluation with DRIVE-CLiQ interface


2.3 Controlling the Safety Integrated functions


The Safety Integrated functions can be controlled via terminals, via a PROFIsafe telegram
using PROFIBUS or PROFINET or, for the Extended Functions, via the TM54F Terminal
Module. In this case, control via terminals and TM54F or terminals and PROFIsafe can be
simultaneously selected.

NOTICE
Safety Integrated functions with SIMOTION
PROFIsafe via PROFINET is not permitted with SIMOTION.

NOTICE
PROFIsafe or TM54F
Using a Control Unit, control is possible either via PROFIsafe or TM54F. Mixed operation is
not permissible.

If induction motors are used, certain Safety Integrated functions can also be used without an
encoder. In encoderless operation the speed actual values are calculated from the measured
electrical actual values. As a consequence, speed monitoring down to n = 0 rpm is also
possible in encoderless operation.

Table 2-1 Overview of Safety Integrated functions

                   | Function                  | Abbreviation | With encoder | Without encoder | Short description
Basic Functions    | Safe Torque Off           | STO          | Yes          | Yes             | Safe Torque Off
                   | Safe Stop 1               | SS1          | Yes          | Yes             | Safe stopping according to stop category 1
                   | Safe Brake Control        | SBC          | Yes          | Yes             | Safe Brake Control
Extended Functions | Safe Torque Off           | STO          | Yes          | Yes             | Safe Torque Off
                   | Safe Stop 1               | SS1          | Yes          | Yes             | Safe stop according to stop category 1
                   | Safe Stop 2               | SS2          | Yes          | -               | Safe stop according to stop category 2
                   | Safe Operating Stop       | SOS          | Yes          | -               | Safe monitoring of the standstill position
                   | Safely-Limited Speed      | SLS          | Yes          | Yes             | Safe monitoring of the maximum speed
                   | Safe Speed Monitor        | SSM          | Yes          | -               | Safe monitoring of the minimum speed
                   | Safe Acceleration Monitor | SBR          | Yes          | -               | Safe monitoring of the drive acceleration
                   | Safe Brake Ramp           | SBR          | -            | Yes             | Safe Brake Ramp
The Safety Integrated functions are selected and activated and the monitoring with or without
encoder is selected in the Safety screen forms of the STARTER or SCOUT tools.


2.4 Parameter, checksum, version, password

Properties of Safety Integrated parameters


The following applies to Safety Integrated parameters:
● The safety parameters are kept separate for each monitoring channel. For SINAMICS,
Safety Integrated functions are controlled through two channels via a terminal at the
Power Module and at the Control Unit. Both monitoring channels are tested to identify
whether they are functioning correctly.
● During startup, checksum calculations (Cyclic Redundancy Check, CRC) are performed
on the safety parameter data and checked. The display parameters are not contained in
the CRC.
● Data storage: The parameters are stored on the non-volatile memory card.
● Factory settings for safety parameters
A reset of the safety parameters to the factory setting on a drive-specific basis using
p0970 or p3900 and p0010 = 30 is only possible when the safety functions are not
enabled (p9301 = p9501 = p9601 = p9801 = p10010 = 0).
A complete reset of all parameters to the factory settings (p0976 = 1 and p0009 = 30 on
the Control Unit) is possible even when the safety functions are enabled (p9301 = p9501
= p9601 = p9801 = p10010 ≠ 0).
● They are password-protected against accidental or unauthorized changes.

NOTICE
The following safety parameters are not protected by the safety password:
• p9370 SI Motion acceptance test mode (Motor Module)
• p9570 SI Motion acceptance test mode (Control Unit)
• p9533 SI Motion SLS setpoint speed limitation
• p9705 BI: SI Motion Test stop signal source

Checking the checksum


For each monitoring channel, the safety parameters include one parameter for the actual
checksum for the safety parameters that have undergone a checksum check.
During commissioning, the actual checksum must be transferred to the corresponding
parameter for the setpoint checksum. This can be done for all checksums of a drive object at
the same time with parameter p9701.
Basic functions
● r9798 SI actual checksum SI parameters (Control Unit)
● p9799 SI setpoint checksum SI parameters (Control Unit)
● r9898 SI actual checksum SI parameters (Motor Module)
● p9899 SI setpoint checksum SI parameters (Motor Module)


Extended functions
● r9398[0...1] SI Motion actual checksum SI parameters (Motor Module)
● p9399[0...1] SI Motion setpoint checksum SI parameters (Motor Module)
● r9728[0...2] SI Motion actual checksum SI parameters
● p9729[0...2] SI Motion setpoint checksum SI parameters
During each ramp-up procedure, the actual checksum is calculated via the safety
parameters and then compared with the setpoint checksum.
If the actual and setpoint checksums are different, fault F01650/F30650 or F01680/F30680 is
output and an acceptance test requested.
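The checksum flow described above, modelled as an added example (not Siemens code): each monitoring channel computes a CRC over its adjustable safety parameters, the commissioning step p9701 copies the actual checksum into the setpoint, and a mismatch at ramp-up outputs F01650 (Control Unit) or F30650 (Motor Module). The CRC algorithm (CRC-32) and the way parameter values are encoded are assumptions of this example, as are the sample parameter values.

```python
# Added example modelling section 2.4 (not Siemens firmware).  Parameter names
# follow the manual: r9798/p9799 (Control Unit), r9898/p9899 (Motor Module),
# p9701 copies actual -> setpoint.  CRC-32 and the value encoding are assumptions.
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SafetyChannel:
    """One of the two monitoring channels with its own safety parameter set."""
    name: str
    actual: str        # display parameter (r...) holding the actual checksum
    setpoint: str      # adjustable parameter (p...) holding the setpoint checksum
    fault: str         # fault output when actual and setpoint checksums differ
    params: Dict[str, float] = field(default_factory=dict)

    def checksum(self) -> int:
        """CRC over the adjustable safety parameters of this channel.
        Display parameters (r-numbers) are not part of the CRC, as the manual
        states; the setpoint checksum parameter itself is excluded as well."""
        crc = 0
        for key in sorted(self.params):          # fixed order -> reproducible CRC
            if key.startswith("r") or key == self.setpoint:
                continue
            crc = zlib.crc32(f"{key}={self.params[key]};".encode(), crc)
        return crc

    def ramp_up(self) -> Optional[str]:
        """Startup: recompute the actual checksum and compare it with the
        setpoint.  Returns the fault number on a mismatch, otherwise None."""
        self.params[self.actual] = self.checksum()
        if self.params[self.actual] != self.params.get(self.setpoint, 0):
            return self.fault
        return None


def accept_checksums(channels: List[SafetyChannel]) -> None:
    """Commissioning step modelled on p9701: transfer the actual checksum of
    every channel of the drive object into its setpoint checksum at once."""
    for ch in channels:
        ch.params[ch.setpoint] = ch.checksum()


def make_drive_object() -> List[SafetyChannel]:
    """Constructed sample drive object: safety functions enabled on both
    channels (p9601/p9801), SS1 delay time p9652 on the Control Unit, setpoint
    checksums still at their delivery state 0."""
    cu = SafetyChannel("Control Unit", "r9798", "p9799", "F01650",
                       {"p9601": 1, "p9652": 1.0, "p9799": 0})
    mm = SafetyChannel("Motor Module", "r9898", "p9899", "F30650",
                       {"p9801": 1, "p9899": 0})
    return [cu, mm]


def startup_faults(channels: List[SafetyChannel]) -> List[str]:
    """Faults output during one ramp-up of the drive object."""
    return [f for f in (ch.ramp_up() for ch in channels) if f is not None]


if __name__ == "__main__":
    drive = make_drive_object()
    print("before acceptance:", startup_faults(drive))   # both channels report
    accept_checksums(drive)
    print("after acceptance: ", startup_faults(drive))   # no faults
    drive[0].params["p9652"] = 0.5   # changed without repeating the acceptance
    print("after change:     ", startup_faults(drive))   # Control Unit channel only
```

Changing a display parameter such as r9798 by hand does not alter the CRC, which is the point of excluding display parameters from it.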

Safety Integrated versions


The safety firmware has a separate version ID for the Control Unit and Motor Module.
For the basic functions:
● r9770 SI version, drive-autonomous safety functions (Control Unit)
● r9870 SI version (Motor Module)
For the extended functions:
● r9590 SI Motion version safe movement monitoring (Control Unit)
● r9390 SI Motion version safe movement monitoring (Motor Module)
● r9890 SI version (Sensor Module)
● r10090 SI version TM54F

Note
For detailed requirements regarding Safety Integrated firmware, see "Safety Integrated
firmware versions".


Password
The safety password protects the safety parameters against unintentional or unauthorized
access.
In commissioning mode for Safety Integrated (p0010 = 95), you cannot change safety
parameters until you have entered the valid safety password in p9761 for the drives or
p10061 for the TM54F.
● When Safety Integrated is commissioned for the first time, the following applies:
– Safety passwords = 0
– Default setting for p10061 = 0
– Default setting for p9761 = 0
In other words:
The safety password does not need to be set during first commissioning.
● In the case of a series commissioning of Safety or in the case of spare part installation,
the following applies:
– The safety password is retained on the memory card and in the STARTER project.
– No safety password is required in the case of spare part installation.
● Change password for the drives
– p0010 = 95 Commissioning mode
– p9761 = Enter "old safety password".
– p9762 = Enter "new password".
– p9763 = Confirm "new password".
– The new and confirmed safety password is valid immediately.
● Change password for the TM54F
– p0010 = 95 Commissioning mode
– p10061 = Enter "Old TM54F Safety Password" (factory setting "0")
– p10062 = Enter "new password"
– p10063 = Acknowledge "new password"
– The new and acknowledged safety password is valid immediately.
If you need to change safety parameters but you do not know the safety password, proceed
as follows:
1. Set the entire drive unit (Control Unit with all connected drives/components) to the factory
setting.
2. Recommission the drive unit and drives.
3. Recommission Safety Integrated.

Or contact your regional Siemens office and ask for the password to be deleted (complete
drive project must be made available).


Overview of important parameters for "Password" (see SINAMICS S120/S150 List Manual)
● p9761 SI password input
● p9762 SI password new
● p9763 SI password acknowledgement
● p10061 SI password input TM54F
● p10062 SI password new TM54F
● p10063 SI password acknowledgement TM54F

2.5 DRIVE-CLiQ rules for Safety Integrated Functions

Note
The Safety Integrated functions (Basic and Extended Functions) are generally governed by
the same DRIVE-CLiQ rules as specified in the chapter "Rules for wiring with DRIVE-CLiQ" in
References: /FH1/ SINAMICS S120 Function Manual.
This specification also lists the exceptions for Safety Integrated components depending on
the firmware version.

The following rules are also valid particularly for the Safety Integrated functions:
● Maximum of 6 servo axes for default cycle time settings (monitoring cycle: 12 ms; current
controller cycle: ≥ 125 μs).
● Of which, a maximum of 6 servo axes in a DRIVE-CLiQ line.
● Maximum of 6 vector axes with default cycle time settings (monitoring cycle: 12 ms;
current controller cycle: ≥ 500 μs).
● The TM54F must be directly connected to a Control Unit via DRIVE-CLiQ. Motor Modules
or infeed must not be connected to a TM54F.
● A Double Motor Module, a DMC20, or DME20, a TM54F and a CUA32 each correspond
to two DRIVE-CLiQ participants.

3 System features
3.1 Certification
The safety functions of the SINAMICS S drive system meet the following requirements:
● Category 3 to ISO 13849-1:2006
● Performance Level (PL) d to EN ISO 13849-1:2006
● Safety integrity level 2 (SIL 2) to IEC 61508
In addition, most of the safety functions of the SINAMICS S have been certified by
independent institutes. An up-to-date list of certified components is available on request from
your local Siemens office.

3.2 Safety instructions

Note
Additional safety information and residual risks not specified in this section are included in
the relevant sections of this Function Manual.

DANGER

Safety Integrated can be used to minimize the level of risk associated with machines and
plants.
Machines and plants can only be operated safely in conjunction with Safety Integrated,
however, when the machine manufacturer
• Precisely knows and observes this technical user documentation - including the
documented limitations, safety information and residual risks;
• Carefully constructs and configures the machine/plant. A careful and thorough
acceptance test must then be performed by qualified personnel and the results
documented.
• Implements and validates all the measures required in accordance with the
machine/plant risk analysis by means of the programmed and configured Safety
Integrated functions or by other means.
The use of Safety Integrated does not replace the machine/plant risk assessment carried
out by the machine manufacturer as required by the EC machinery directive.
In addition to using Safety Integrated functions, further risk reduction measures must be
implemented.


WARNING

The Safety Integrated functions cannot be activated until the system has been completely
powered up. System startup is a critical operating state with increased risk. No personnel
may be present in the immediate danger zone in this phase.
The drives of vertical axes must be in torque state.
A complete forced dormant error detection cycle is required after power on (see chapter
"Forced dormant error detection").

WARNING

EN 60204-1:2006
Emergency Stop function must bring the machine to a standstill in accordance with stop
category 0 or 1 (STO or SS1).
The machine must not restart automatically after EMERGENCY STOP.
When the safety functions (Basic or Extended Functions) are deactivated, an automatic
restart is permitted under certain circumstances depending on the risk analysis (except
when Emergency Stop is reset). An automatic start is permitted when a protective door is
closed, for example.

WARNING

After hardware and/or software components have been modified or replaced, all protective
equipment must be closed prior to system startup and drive activation. Personnel shall not
be present within the danger zone.
It may be necessary to carry out a partial or complete acceptance test (see chapter
"Acceptance test") after having made certain changes or replacements.
Before allowing anybody to re-enter the danger zone, you should test steady control
response by briefly moving the drives in forward and reverse direction (+/–).
To observe during power on:
The Safety Integrated functions are only available and can only be selected after the
system has completely powered up.


WARNING

• For a 1-encoder system, encoder faults are detected using different hardware and
software monitoring functions. It is not permissible to disable these monitoring functions
and they must be parameterized carefully. Depending on the fault type and responding
monitoring function, stop function category 0 or 1 to EN 60204-1:2006 (fault response
functions STOP A or STOP B to Safety Integrated) is selected.
• Stop function category 0 to EN 60204-1:2006 (STO or STOP A to Safety Integrated)
means that the drives are not decelerated but instead coast to a standstill (the time
required to coast to standstill depends on the kinetic energy). This must be included in
the logic of the protective door lock, for example, by means of logic operation of SSM
(n<nx).
• Safety Integrated functions cannot detect parameterization errors made by the machine
manufacturer. The required safety level can only be reached by means of an
elaborate acceptance test.
• Motor Modules or the motor must be replaced with a device of the same type, as the
parameter settings will otherwise lead to an incorrect response of the Safety Integrated
functions. The corresponding drive must be re-calibrated after an encoder is replaced.

WARNING

If an internal or external fault occurs, none or only some of the parameterized safety
functions are available during the STOP-F response triggered by the fault. This must be
taken into account when a delay time between STOP F and STOP B is parameterized.
This applies in particular to vertical axes.


3.3 Probability of failure of the safety functions

Probability of failure
The probability of the failure of safety functions must be specified in the form of a PFH value
(Probability of Failure per Hour) in accordance with IEC 61508, IEC 62061, and ISO 13849-1
(2006). The PFH value of a safety function depends on the safety concept of the drive unit
and its hardware configuration, as well as on the PFH values of other components used for
this safety function.
Corresponding PFH values are provided for the SINAMICS S120 drive system, depending
on the hardware configuration (number of drives, control type, number of encoders used).
The various integrated safety functions are not differentiated.
The PFH values can be requested from your local sales office.


3.4 Response times


The Basic Functions are executed in the monitoring clock cycle (r9780). PROFIsafe
telegrams are evaluated in the PROFIsafe scan cycle, which corresponds to twice the
monitoring clock cycle (PROFIsafe scan cycle = 2 × r9780).

Controlling Basic Functions via terminals on the Control Unit and Motor Module
The following table lists the response times from the control via terminals until the response
actually occurs.

Table 3-1 Response times for control via terminals on the Control Unit and the Motor Module

Function                                                        | Typical                  | Worst case
STO                                                             | 2 x r9780 + p0799        | 4 x r9780 + p0799
SBC                                                             | 4 x r9780 + p0799        | 8 x r9780 + p0799
SS1 (time controlled) selection (up until braking is initiated) | 2 x r9780 + p0799 + 2 ms | 4 x r9780 + p0799 + 2 ms
The following tables list the response times, when selecting the STO and SS1 functions,
between detecting a new selection at the Control Unit and initiating the particular brake
response.

Controlling Basic Functions via PROFIsafe


The following table lists the response times from receiving the PROFIsafe telegram at the
Control Unit up to initiating the particular response.

Table 3-2 Response times when controlling via PROFIsafe

Function                                                        | Typical                  | Worst case
STO                                                             | 5 x r9780                | 5 x r9780
SBC                                                             | 4 x r9780                | 10 x r9780
SS1 (time controlled) selection - up until STO is initiated     | 5 x r9780 + p9652        | 5 x r9780 + p9652
SS1 (time controlled) selection - up until SBC is initiated     | 6 x r9780 + p9652        | 10 x r9780 + p9652
SS1 (time controlled) selection (up until braking is initiated) | 2 x r9780 + p0799 + 2 ms | 4 x r9780 + p0799 + 2 ms


Control of the Safety Extended Functions via PROFIsafe


The following table lists the response times from receiving the PROFIsafe telegram on the
Control Unit up to initiating the response.

Table 3-3 Response times with control by way of PROFIsafe

Function                                   | Standard              | Worst case
STO                                        | 4 x p9500 + r9780     | 4 x p9500 + 3 x r9780
SBC                                        | 4 x p9500 + 2 x r9780 | 4 x p9500 + 6 x r9780
SS1 (time and acceleration controlled)     | 4 x p9500 + 2 ms      | 5 x p9500 + 2 ms
SS2 selection, speed limit value violated  | 2 x p9500 + 2 ms      | 4 x p9500 + r9780 + t_DP *)
SBR, safe acceleration monitoring responds | 6 x p9500             | p9500 + t_ACT 1)
SOS standstill tolerance window violated   | 1.5 x p9500 + 2 ms    | 3 x p9500 + t_ACT 1) + 2 ms
SLS speed limit violated 2)                | 2 x p9500 + 2 ms      | 3.5 x p9500 + t_ACT 1) + 2 ms
SSM 3)                                     | 4 x p9500             | 4.5 x p9500 + t_ACT 1)
The specified response times involve internal SINAMICS response times. Program run times
in the F host as well as the transmission time via PROFIBUS or PROFINET are not taken
into account.

Controlling Safety Extended Functions via TM54F


The following table lists the response times between a signal occurring at the terminals up to
the initiation of the response.

Table 3-4 Response times with control by way of TM54F

Function                                   | Standard                       | Worst case
STO                                        | 2.5 x p9500 + r9780 + 1.5 ms   | 3 x p9500 + 3 x r9780 + 2 ms
SBC                                        | 2.5 x p9500 + 2 x r9780 + 1 ms | 3 x p9500 + 6 x r9780 + 2 ms
SS1 (time and acceleration controlled)     | 2.5 x p9500 + 3 ms             | 4 x p9500 + 4 ms
SS2 selection, speed limit value violated  | 2 x p9500 + 2 ms               | 2.5 x p9500 + r9780 + t_DP *)
SBR, safe acceleration monitoring responds | 2 x p9500 + 2 ms               | 2.5 x p9500 + r9780 + t_ACT 1)
SOS standstill tolerance window violated   | 1.5 x p9500 + 2 ms             | 3 x p9500 + t_ACT 1) + 2 ms
SLS speed limit violated 2)                | 2 x p9500 + 2 ms               | 3.5 x p9500 + t_ACT 1) + 2 ms
SSM 4)                                     | 3 x p9500                      | 3.5 x p9500 + t_ACT 1)

CAUTION

Response time of the PM340 Power Module for STO, controlled via terminals:
5x r9780 + p0799


Information on the tables:

*) t_DP = PROFIBUS cycle for isochronous PROFIBUS master, otherwise 1 ms
1) t_ACT = Safety actual value acquisition cycle:
If p9311 = p9511 > 0, then the set time is added.
If p9311 = p9511 = 0, then t_DP = PROFIBUS cycle is added if an isochronous PROFIBUS
master is being used, otherwise 1 ms.
2) SLS: Specification of the response time required for initiation of a braking reaction in the
drive, or for the output of the "SOS selected" message to the motion control system.
3) SSM: The data correspond to the times between the limit value being undershot up to
sending the information via PROFIsafe.
4) SSM: The data correspond to the times between the limit value being undershot up to
output of the information via the TM54F terminals.


3.5 Residual risk


The fault analysis enables the machine manufacturer to determine the residual risk of the
machine with regard to the drive unit. The following residual risks are known:

WARNING

Due to the intrinsic potential of hardware faults, electrical systems are subject to additional
residual risk, which can be expressed by means of the PFH value.

WARNING

• Faults in the absolute track (C-D track), cyclic interchange of the drive phases (V-W-U
instead of U-V-W) and reversal of the control direction may cause acceleration of the
drive. Due to the fault, however, category 1 and 2 stop functions to EN 60204-1:2006
(fault response functions STOP B to D in accordance with Safety Integrated) are not
activated.
Stop function category 0 to EN 60204-1:2006 (fault response function STOP A to Safety
Integrated) is not triggered until after the transition or delay time set in the parameter
has elapsed. These faults are detected when SBR is selected (fault reaction functions
STOP B/C) and stop function category 0 to EN 60204-1:2006 (fault reaction function
STOP A in accordance with Safety Integrated) is triggered as early as possible
regardless of this delay. Electrical faults (defective components or similar) may also lead
to the response stated above.
• Simultaneous failure of two power transistors (one in the upper and the other offset in
the lower inverter bridge) in the inverter may cause brief movement of the drive,
depending on the number of poles of the motor.
Maximum value of this movement:
Synchronous rotary motors: Max. movement = 180° / no. of pole pairs
Synchronous linear motors: max. movement = pole width

WARNING

• Violation of limits may briefly lead to a speed higher than the speed setpoint, or the axis
may pass the defined position to a certain extent, depending on the dynamic response
of the drive and on parameter settings.
• Mechanical forces greater than the maximum drive torque may force a drive currently
operated in position control mode out of Safe Operating Stop state (SOS) and trigger
stop function category 1 to EN 60204-1:2006 (fault reaction function STOP B).


WARNING

Within a single-encoder system:


a) a single electrical fault in the encoder or
b) an encoder shaft breakage (or loose encoder shaft coupling), or a loose encoder housing
will cause a static state of the encoder signals (that is, they no longer follow a movement
while still returning a correct level), and prevent fault detection while the drive is in stop
state (for example, drive in SOS state).
Generally, the drive is held by the active closed-loop control. Especially for drives with
suspended load, from a closed-loop control perspective, it is conceivable that drives such
as these move without this being detected.
The risk of an electrical fault in the encoder as described under a) applies only to a few
encoder types with a specific functional principle (for example, encoders with
microprocessor-controlled signal generation such as the Heidenhain EQI, Hübner HEAG
159/160, or AMO measuring systems with sin/cos signals).
The risk analysis of the machine manufacturer must include all of the faults described
above. Additional safety measures have to be taken for drives with suspended/vertical or
pulling loads - e.g. in order to exclude faults under a):
• Use of an encoder with analog signal generation
• Use of a two-encoder system
In order to exclude the fault described in b), for example:
• An FMEA regarding encoder shaft breakage (or slip of the encoder shaft coupling), and
a solution to prevent loose encoder housings, integration of a fault exclusion process to
CDV IEC 61800-5-2, or
• Implementation of a two-encoder system (the encoders must not be mounted on the
same shaft).

Safety Integrated Basic Functions 4
Note
The Basic Functions are also described in the following manual:
Reference: /FH1/ SINAMICS S120 Function Manual Drive Functions.

4.1 Safe Torque Off (STO)


In conjunction with a machine function or in the event of a fault, the "Safe Torque Off" (STO)
function is used to safely disconnect the torque-generating energy feed to the motor.
When the function is selected, the drive unit is in a "safe status". The switching on inhibited
function prevents the drive unit from being restarted.
The two-channel pulse suppression function integrated in the Motor Modules / Power
Modules is a basis for this function.

Functional features of "Safe Torque Off"


● This function is integrated in the drive; this means that a higher-level controller is not
required.
● The function is drive-specific, i.e. it is available for each drive and must be individually
commissioned.
● The function must be enabled using parameters.
● When the "Safe Torque Off" function is selected, the following applies:
– The motor cannot be started accidentally.
– The pulse suppression safely disconnects the torque-generating energy feed to the
motor.
– The power unit and motor are not electrically isolated.
● If p9307.0/p9507.0 are set to 1, selecting/deselecting STO automatically withdraws the
safety messages in addition to the fault messages.
● A debounce function can be applied to the terminals of the Control Unit and the Motor
Module in order to prevent incorrect trips due to signal disturbances. The filter times are
set using parameters p9651 and p9851.


WARNING

Appropriate measures must be taken to ensure that the motor does not move undesirably
once the energy feed has been disconnected, e.g. to prevent coasting down or for a
hanging/suspended axis. For this purpose the "Safe Brake Control" (SBC) function should
be enabled; see also Chapter "Safe Brake Control".

CAUTION

If two power transistors fail simultaneously in the power unit (one in the upper and one in
the lower bridge), this can cause a brief movement.
The maximum movement can be:
Synchronous rotary motors: Max. movement = 180° / No. of pole pairs
Synchronous linear motors: Max. movement = pole width

● The status of the "Safe Torque Off" function is displayed using parameters.

Enabling the "Safe Torque Off" function


The "Safe Torque Off" function is enabled via the following parameters:
● STO via terminals:
p9601.0 = 1, p9801.0 = 1
● STO via TM54F (only with "Extended Functions" option):
– p9601.2 = 1, p9801.2 = 1
– p9601.3 = 0, p9801.3 = 0
● STO via PROFIsafe:
– p9601.0 = 0, p9801.0 = 0
– Basic Functions: p9601.2 = 0, p9801.2 = 0
Extended Functions: p9601.2 = 1, p9801.2 = 1
– p9601.3 = 1, p9801.3 = 1
● STO via PROFIsafe and terminals:
– p9601.0 = 1, p9801.0 = 1
– Basic Functions: p9601.2 = 0, p9801.2 = 0
Extended Functions: p9601.2 = 1, p9801.2 = 1
– p9601.3 = 1, p9801.3 = 1


Selecting/deselecting "Safe Torque Off"


The following is executed when "Safe Torque Off" is selected:
● Each monitoring channel triggers safe pulse suppression via its switch-off signal path.
● A motor holding brake is closed (if connected and configured).
Deselecting "Safe Torque Off" represents an internal safety acknowledgement. The following
is executed:
● Each monitoring channel cancels safe pulse suppression via its switch-off signal path.
● The Safety requirement "Close motor holding brake" is canceled.
● Any pending STOP F or STOP A commands are canceled (see r9772 / r9872).
● The cause of the fault must be removed.
● The messages in the fault memory must be additionally reset using the general
acknowledgement mechanism.

Note
If "Safe Torque Off" is selected and de-selected through one channel within the time in
p9650/p9850, the pulses are suppressed without a message being output.
However, if you want a message to be displayed, then you must reconfigure
N01620/N30620 as an alarm or fault using p2118 and p2119.

Restart after the "Safe Torque Off" function has been selected
1. Deselect the function in each monitoring channel via the input terminals.
2. Issue drive enable signals.
3. Cancel the "switching on inhibited" and switch the drive back on.
– 1/0 edge at input signal "ON/OFF1" (cancel "switching on inhibited")
– 0/1 edge at input signal "ON/OFF1" (switch on drive)
4. Operate the drives again.

Status for "Safe Torque Off"


The status of the "Safe Torque Off" (STO) function is displayed using the parameters r9772,
r9872, r9773 and r9774.
As an alternative, the status of the functions can be displayed using the configurable
messages N01620 and N30620 (configured using p2118 and p2119).

Response time for the "Safe Torque Off" function


For the response times when the function is selected/deselected via input terminals, see the
table in "Response times".


Examples booksize
Assumption:
Safety monitoring clock cycle CU (r9780) = 4 ms and
inputs/outputs sampling time (r0799) = 4 ms
tR_typ = 2 x r9780 (4 ms) + r0799 (4 ms) = 12 ms
tR_max = 4 x r9780 (4 ms) + r0799 (4 ms) = 20 ms

Internal armature short-circuit with the "Safe Torque Off" function


The function "internal armature short-circuit" can be configured together with the "STO"
function. However, only one of the two functions can be selected, as an OFF2 is also always
triggered when STO is selected. This OFF2 disables the function "Internal armature short-
circuit".
The "STO" safety function has the higher priority when simultaneously selected. If the "STO"
function is initiated, then an activated "internal armature short-circuit" is disabled.

Overview of important parameters (see SINAMICS S120/S150 List Manual)


● r9720.0...10 CO/BO: SI Motion control signals integrated in the drive
● r9722.0...15 CO/BO: SI Motion status signals integrated in the drive
● r9772 CO/BO: SI Status (Control Unit)
● r9872 CO/BO: SI Status (Motor Module)
● r9773 CO/BO: SI Status (Control Unit + Motor Module)
● r9774 CO/BO: SI Status (group STO)
● p0799 CU inputs/outputs sampling time
● r9780 SI Monitoring clock cycle (Control Unit)
● r9880 SI Monitoring clock cycle (Motor Module)


4.2 Safe Stop 1 (SS1, time controlled)

General description
A Category 1 stop in accordance with EN 60204-1:2006 can be implemented with function
"Safe Stop 1" (SS1). The drive decelerates with the OFF3 ramp (p1135) once "Safe Stop 1"
is selected and switches to "Safe Torque Off" once the delay time set in p9652/p9852 has
elapsed.

CAUTION
If the "Safe Stop 1" (time-controlled) function has been selected by parameterizing a
delay in p9652/p9852, STO can no longer be selected directly via terminals.

Functional features of Safe Stop 1


SS1 is selected by setting p9652 and p9852 (delay time) not equal to "0"
● Setting parameter p9652/p9852 has the following effect:
– p9652/p9852 = 0: STO active
– p9652/p9852 > 0: SS1 active
● When SS1 is selected, the drive is braked along the OFF3 ramp (p1135) and STO/SBC is
automatically initiated after the delay time has expired (p9652/p9852).
After the function has been selected, the delay timer runs down - even if the function is
deselected during this time. In this case, after the delay time has expired, the STO/SBC
function is selected and then again de-selected immediately.
● The selection is realized through two channels - however braking along the OFF3 ramp,
only through one channel.
● A debounce function can be applied to the terminals of the Control Unit and the Motor
Module in order to prevent incorrect trips due to signal disturbances. The filter times are
set using parameters p9651 and p9851.

Enabling Safe Stop 1 function


The "Safe Stop 1" (SS1) function is enabled via the following parameters:
● SS1 via terminals or PROFIsafe:
– By entering the delay time in p9652 and p9852.

Prerequisite
The "Safe Torque Off" function must be enabled.
In order that the drive can brake down to a standstill even when selected through one
channel, the time in p9652/p9852 must be shorter than the sum of the parameters for the
data cross-check (p9650/p9850 and p9658/p9858).
The time in p9652/p9852 must be dimensioned so that after selection, the drive brakes to a
standstill.
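The STO enable bits of section 4.1 and the SS1 prerequisites listed above lend themselves to an automated plausibility check of an exported parameter set before the acceptance test. The following Python is an added example written for this text; it is not Siemens code and does not communicate with a drive. It assumes that all time values have already been converted to seconds (the real parameters carry their own units, see the List Manual), that both monitoring channels must hold identical values, and that p1135 is the OFF3 ramp time from reference speed to zero with the drive possibly at reference speed when SS1 is selected. The WEAK and CORRECTED parameter sets are constructed sample input.

```python
"""Plausibility checks for a Safety Integrated Basic Functions parameter set.

Constructed example, not Siemens code. It encodes the rules stated in the manual
text: STO source enable bits 0, 2 and 3 of p9601/p9801, SBC needing p9601 = p9801 != 0,
and the SS1 delay p9652/p9852 versus p9650/p9850 + p9658/p9858 and the OFF3 ramp p1135.
ASSUMPTION: every time value below is in seconds; convert real parameter values first.
"""


def sto_sources(p9601: int, p9801: int) -> list:
    """Decode how STO can be selected from the enable bits of both channels."""
    if p9601 != p9801:
        raise ValueError("p9601 and p9801 differ: both channels must carry the same bits")
    sources = []
    if p9601 & 0b0001:          # bit 0: STO via terminals
        sources.append("terminals")
    if p9601 & 0b1000:          # bit 3: STO via PROFIsafe
        sources.append("PROFIsafe")
    elif p9601 & 0b0100:        # bit 2 without bit 3: STO via TM54F (Extended Functions)
        sources.append("TM54F")
    return sources


def check_basic_functions(p: dict) -> dict:
    """Return {"errors": [...], "info": [...]} for a dict keyed by parameter name."""
    errors, info = [], []
    # Every safety parameter exists once per channel (Control Unit / Motor Module);
    # the data cross-check expects identical values on both.
    for cu, mm in (("p9601", "p9801"), ("p9602", "p9802"), ("p9650", "p9850"),
                   ("p9652", "p9852"), ("p9658", "p9858")):
        if p[cu] != p[mm]:
            errors.append(f"{cu} = {p[cu]} but {mm} = {p[mm]}: channel values differ")
    sources = sto_sources(p["p9601"], p["p9801"]) if p["p9601"] == p["p9801"] else []
    if p["p9601"] == 0:
        info.append("no safety monitoring function enabled (p9601 = p9801 = 0)")
    elif not sources:
        errors.append(f"p9601 = {p['p9601']:#06b} enables none of the listed STO sources")
    if p["p9602"] and p["p9601"] == 0:
        errors.append("SBC enabled (p9602 = 1) but it is only selected once p9601 = p9801 != 0")
    if p["p9652"] > 0:      # a delay time turns plain STO into SS1 (time controlled)
        info.append("p9652 > 0: SS1 active; STO can no longer be selected directly via terminals")
        limit = p["p9650"] + p["p9658"]
        if p["p9652"] >= limit:
            errors.append(f"SS1 delay p9652 = {p['p9652']} s must be shorter than "
                          f"p9650 + p9658 = {limit} s so that a one-channel selection "
                          "still brakes to standstill")
        # ASSUMPTION: p1135 is the OFF3 ramp time from reference speed to zero and the
        # drive may be at reference speed when SS1 is selected (worst case).
        if p["p9652"] < p["p1135"]:
            errors.append(f"SS1 delay p9652 = {p['p9652']} s is shorter than the OFF3 "
                          f"ramp-down time p1135 = {p['p1135']} s: no standstill before STO")
    return {"errors": errors, "info": info}


# Constructed sample parameter sets (seconds), STO via PROFIsafe and terminals, SBC on.
WEAK = dict(p9601=0b1001, p9801=0b1001, p9602=1, p9802=1,
            p9650=0.5, p9850=0.5, p9658=0.0, p9858=0.0,
            p9652=1.0, p9852=1.0, p1135=2.0)
CORRECTED = dict(WEAK, p9652=0.4, p9852=0.4, p1135=0.3)

if __name__ == "__main__":
    for name, params in (("WEAK", WEAK), ("CORRECTED", CORRECTED)):
        print(name, check_basic_functions(params))
```

For WEAK the check reports that the SS1 delay of 1.0 s is not shorter than p9650 + p9658 and is shorter than the OFF3 ramp; CORRECTED passes with only the informational note that STO can no longer be selected directly via terminals. A channel mismatch (for example p9852 changed alone) is reported before any SS1 rule is evaluated.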


Status for Safe Stop 1


The status of the "Safe Stop 1" (SS1) function is displayed using the parameters r9772,
r9872, r9773 and r9774.
Alternatively, the status of the functions can be displayed using the configurable messages
N01621 and N30621 (configured using p2118 and p2119).

Overview of important parameters (see SINAMICS S120/S150 List Manual)


● p1135[0...n] OFF3 ramp-down time
● p9652 SI Safe Stop 1 delay time (Control Unit)
● r9720.0...10 CO/BO: SI Motion control signals integrated in the drive
● r9722.0...15 CO/BO: SI Motion status signals integrated in the drive
● r9772 CO/BO: SI Status (Control Unit)
● r9773 CO/BO: SI Status (Control Unit + Motor Module)
● r9774 CO/BO: SI Status (group STO)
● r9872 CO/BO: SI Status (Motor Module)
● p9852 SI Safe Stop 1 delay time (Motor Module)


4.3 Safe Brake Control (SBC)

Description
The "Safe Brake Control" function (SBC) is used to control holding brakes that function
according to the closed-circuit principle (e.g. motor holding brake).
The command for releasing or applying the brake is transmitted to the Motor Module/Power
Module via DRIVE-CLiQ. The Motor Module/Safe Brake Relay then carries out the action and
activates the outputs for the brake.
Brake activation via the brake connection on the Motor Module/Safe Brake Relay involves a
safe, two-channel method.

Note
Chassis components with an order number ending from ...xxx3 and higher support this
function.

Note
To ensure that this function can be used for Blocksize Power Modules, a Safe Brake Relay
must be used (for more information, see the Equipment Manual).
When the Power Module is configured automatically, the Safe Brake Relay is detected and
the motor holding brake type is defaulted (p1278 = 0).

WARNING

The "Safe Brake Control" function does not detect electrical faults or mechanical defects.
The system does not detect whether a brake is e.g. worn or has a mechanical defect,
whether it opens or closes.
A cable break or a short-circuit in the brake winding is only detected when the state
changes, i.e. when the brake either opens or closes.

Functional features of "Safe Brake Control"


● When "Safe Torque Off" (STO) is selected or when safety monitoring functions respond,
SBC is executed with safe pulse suppression.
● Unlike conventional brake control, SBC is executed via p1215 through two channels.
● SBC is executed regardless of the brake control or mode set in p1215. SBC is not
recommended, however, when p1215 = 0 or 3.
● The function must be enabled using parameters.
● If SBC is enabled, each time "Safe Torque Off" is selected, the holding brake is closed
immediately with forced dormant error detection.


● When the state changes, electrical faults, such as e.g. a short-circuit in the brake winding
or wire breakage can be detected.
● A debounce function can be applied to the terminals of the Control Unit and the Motor
Module in order to prevent incorrect trips due to signal disturbances. The filter times are
set using parameters p9651 and p9851.

Enabling the "Safe Brake Control" function


The "Safe Brake Control" function is enabled via the following parameters:
● p9602 SI enable safe brake control (Control Unit)
● p9802 SI enable safe brake control (Motor Module)
The "Safe Brake Control" function is not selected until at least one safety monitoring function
has been enabled (i.e. p9601 = p9801 ≠ 0).

Two-channel brake control


The brake is essentially controlled from the Control Unit. Two signal paths are available for
applying the brake.

[Figure 4-1: diagram not reproduced. Labels recovered from the figure: control terminal;
Control Unit / Motor Module / Safe Brake Relay; TB+ and TB- (brake switches); BR (brake
connection); standby current brake; brake diagnosis; motor (M).]
Figure 4-1 Two-channel brake control, blocksize

For the "Safe Brake Control" function, the Motor/Power Module assumes a monitoring
function to ensure that, when the Control Unit fails or malfunctions, the brake current is
interrupted and the brake therefore closes.
The brake diagnosis can only reliably detect a malfunction in either of the switches (TB+, TB-)
when the status changes (when the brake is released or applied).
If the Motor Module or Control Unit detects a fault, the brake current is switched off and the
safe status is reached.


Response time with the "Safe Brake Control" function


For the response times when the function is selected/deselected via input terminals, see the
table in "Response times".

Examples
Safety Integrated Basic Functions via terminals:
Safety monitoring clock cycle CU (r9780) = 4 ms and
inputs/outputs sampling time (r0799) = 4 ms
tR_typ = 4 x r9780 (4 ms) + r0799 (4 ms) = 20 ms
tR_max = 8 x r9780 (4 ms) + r0799 (4 ms) = 36 ms

NOTICE
When the brake is controlled via a relay with "Safe Brake Control":
If "Safe Brake Control" is used, it is not permissible to control the brake via a relay. This can
result in incorrect feedback regarding a brake fault.

Overview of important parameters (see SINAMICS S120/S150 List Manual)


● p0799 CU inputs/outputs sampling time
● r9780 SI Monitoring clock cycle (Control Unit)
● r9880 SI Monitoring clock cycle (Motor Module)


4.4 Safety faults


The fault messages for Safety Integrated Basic Functions are stored in the standard
message buffer and can be read from there. In contrast, the fault messages for Safety
Integrated Extended Functions are stored in a separate Safety message buffer (see chapter
"Message buffer").
When faults associated with Safety Integrated Basic Functions occur, the following stop
responses can be initiated:

Table 4-1 Stop responses for Safety Integrated Basic Functions

Stop response: STOP A cannot be acknowledged
  Triggered ...: For all non-acknowledgeable Safety faults with pulse suppression.
  Action: Trigger safe pulse suppression via the switch-off signal path for the relevant
  monitoring channel. During operation with SBC: apply motor holding brake.
  Effect: The motor coasts to a standstill or is braked by the holding brake.

Stop response: STOP A
  Triggered ...: For all acknowledgeable Safety faults. As a follow-up reaction of STOP F.
  Action: Trigger safe pulse suppression via the switch-off signal path for the relevant
  monitoring channel. During operation with SBC: apply motor holding brake.
  Effect: The motor coasts to a standstill or is braked by the holding brake.

  STOP A is identical to stop Category 0 to EN 60204-1:2006.
  With STOP A, the motor is switched directly to zero torque via the "Safe Torque
  Off (STO)" function.
  A motor at standstill cannot be started again accidentally.
  A moving motor coasts to standstill. This can be prevented by using external
  braking mechanisms, e.g. holding or operating brake.
  When STOP A is present, "Safe Torque Off" (STO) is active.

Stop response: STOP F
  Triggered ...: If an error occurs in the data cross-check.
  Action: Transition to STOP A.
  Effect: Follow-up response STOP A with adjustable delay (default setting without
  delay) if one of the Safety functions is selected.

  STOP F is permanently assigned to the data cross-check (DCC). In this way,
  errors are detected in the monitoring channels.
  After STOP F, STOP A is triggered.
  When STOP A is present, "Safe Torque Off" (STO) is active.

WARNING

With a vertical axis or pulling load, there is a risk of uncontrolled axis movements when
STOP A/F is triggered. This can be prevented by using "Safe Brake Control (SBC)" and a
holding brake (not a safety brake!) with sufficient holding force.


Acknowledging the Safety faults


Faults associated with Safety Integrated Basic Functions must be acknowledged as follows:
1. Remove the cause of the fault.
2. Deselect "Safe Torque Off" (STO).
3. Acknowledge the fault.
If the Safety commissioning mode is exited when the Safety functions are switched off
(p0010 = value not equal to 95 when p9601 = p9801 = 0), then all the Safety faults can be
acknowledged.
Once Safety commissioning mode has been selected again (p0010 = 95), all the faults that
were previously present reappear.

NOTICE
As for all other faults, the Safety faults can also be acknowledged by switching the drive
unit off and then on again (POWER ON).
If this action has not eliminated the fault cause, the fault is displayed again immediately
after power up.

Description of faults and alarms

Note
The faults and alarms for SINAMICS Safety Integrated functions are described in the
following document:
Reference: /LH1/ SINAMICS S120/S150 List Manual


4.5 Forced dormant error detection

Forced dormant error detection or test of the switch-off signal paths for Safety Integrated Basic Functions
The forced dormant error detection function at the switch-off signal paths is used to detect
software/hardware faults in both monitoring channels in good time and is automated by
means of activation/deactivation of the "Safe Torque Off" function.
To fulfill the requirements of ISO 13849-1 (2006) regarding timely error detection, the two
switch-off signal paths must be tested at least once within a defined time to ensure that they
are functioning properly. This functionality must be implemented by means of the forced
dormant error detection function, triggered either manually or by the automated process.
A timer ensures that forced dormant error detection is carried out as quickly as possible.
● p9659 SI timer for the forced dormant error detection.
Forced dormant error detection must be carried out at least once during the time set in this
parameter.
Once this time has elapsed, an alarm is output and remains present until forced dormant
error detection is carried out.
The timer returns to the set value each time the STO function is deactivated.
When the appropriate safety devices are implemented (e.g. protective doors), it can be
assumed that running machinery will not pose any risk to personnel. For this reason, only an
alarm is output to inform the user that a forced dormant error detection run is due and to
request that this be carried out at the next available opportunity. This alarm does not affect
machine operation.
The user must set the time interval for carrying out forced dormant error detection to
between 0.00 and 9000.00 hours depending on the application (factory setting: 8.00 hours).
Examples of when to carry out forced dormant error detection:
● When the drives are at a standstill after the system has been switched on (POWER ON).
● When the protective door is opened.
● At defined intervals (e.g. every 8 hours).
● In automatic mode (time and event dependent).

NOTICE
The timer of the Basic Functions will be reset if the associated forced dormant error
detection is executed and the Extended Functions are used simultaneously.
The corresponding alarm of the Basic Functions is not triggered.
Discrepancy is not checked at the terminals used to select the Basic Functions as long as
STO is set by the Extended Functions. That is, the forced dormant error detection
procedure of the Basic Functions always has to be executed without simultaneous selection
of STO or SS1 by the Extended Functions. It is otherwise not possible to verify the correct
control through the terminals.
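As an added illustration of the timer semantics described in this section (not code from the manual or from Siemens), the following Python class models the p9659 countdown: the range check of 0.00 to 9000.00 hours, the alarm that appears once the time has elapsed and persists until a test is run, the reset to the set value each time STO is deactivated, and the case from the NOTICE above in which a test run coincides with an STO selection by the Extended Functions and therefore cannot verify the terminal control. Method names, the hypothetical log attribute and the event sequence are assumptions of this example.

```python
"""Constructed model of the Basic Functions forced dormant error detection timer (p9659).

Not Siemens code. It encodes only what the manual text states: the timer counts down
from p9659 (0.00 to 9000.00 h, factory setting 8.00 h); an alarm is output once it has
elapsed and stays until forced dormant error detection is carried out; the timer returns
to the set value each time STO is deactivated; a run while the Extended Functions select
STO at the same time resets the timer but does not verify the terminal control.
"""


class ForcedCheckTimer:
    def __init__(self, p9659_hours: float = 8.0):
        if not 0.0 <= p9659_hours <= 9000.0:
            raise ValueError("p9659 must lie between 0.00 and 9000.00 hours")
        self.p9659 = p9659_hours
        self.remaining_h = p9659_hours
        self.alarm = False          # "forced dormant error detection due" alarm pending
        self.sto_active = False
        self.log = []               # hypothetical audit trail of test runs (constructed)

    def advance(self, hours: float) -> bool:
        """Let operating time pass; returns True if the alarm is now pending."""
        self.remaining_h = max(0.0, self.remaining_h - hours)
        if self.remaining_h == 0.0:
            self.alarm = True       # alarm only: machine operation is not affected
        return self.alarm

    def select_sto(self) -> None:
        self.sto_active = True

    def deselect_sto(self) -> None:
        """Deactivating STO is the event that resets the timer and clears the alarm."""
        if self.sto_active:
            self.sto_active = False
            self.remaining_h = self.p9659
            self.alarm = False

    def run_test(self, extended_sto_selected: bool = False) -> bool:
        """Forced dormant error detection: select and deselect STO via the Basic
        Functions. Returns True only if the run verified the terminal control, i.e.
        the Extended Functions were not selecting STO at the same time."""
        self.select_sto()
        self.deselect_sto()
        valid = not extended_sto_selected
        self.log.append(("test", valid))
        return valid


if __name__ == "__main__":
    timer = ForcedCheckTimer(8.0)             # factory setting
    print("alarm after 5 h:", timer.advance(5.0))
    print("alarm after 8 h:", timer.advance(3.0))
    print("valid test run:", timer.run_test(), "remaining:", timer.remaining_h)
    print("run during Extended STO:", timer.run_test(extended_sto_selected=True))
```

The second run_test call shows the trap from the NOTICE: the timer and alarm look healthy afterwards although the terminals were never actually exercised, so a commissioning checklist should record test runs separately from the timer state.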

Safety Integrated Extended Functions 5
5.1 Parking note

Note
When a drive object for which Safety Integrated Extended Functions are enabled is switched
to "Park" mode, the Safety Integrated software responds by selecting STO without
generating a separate message. This internal STO selection is displayed in parameter
r9772.19.

5.2 Safe Torque Off (STO)

5.2.1 Safe Torque Off with encoder


In addition to the control options, specified under Safety Integrated Basic Functions, "Safe
Torque Off (STO) with encoder" can also be controlled via TM54F under Safety Integrated
Extended Functions.
The functionality of "Safe Torque Off (STO) with encoder" is described in Chapter "Safety
Integrated Basic Functions".

5.2.2 Encoderless Safe Torque Off

Safe Torque Off without encoder


If an induction motor is being used, Safe Torque Off (STO) can also be used without an
encoder.

Function
Set p9306 = p9506 = 1 (factory setting = 0) to activate encoderless Safety Integrated
functions. You can also make this setting by selecting "Without encoder" on the safety
screen.

Difference between Safe Torque Off with and without an encoder


Depending on whether or not it has an encoder, STO demonstrates different restart behavior
in terms of SLS after STO/OFF2 (see the "Encoderless SLS Safely-Limited Speed" chapter).


5.3 Safe Stop 1 (SS1)

5.3.1 Safe Stop 1 with encoder (time and acceleration controlled)

Safe Stop 1 with encoder


The "Safe Stop 1" (SS1) function allows the drive to be stopped in accordance with
EN 60204-1:2006, stop category 1. The drive brakes with the OFF3 ramp (p1135) once
"Safe Stop 1" is selected and switches to "Safe Torque Off" (STO) once the delay time has
elapsed (p9356/p9556) or when the shutdown speed is reached (p9360/p9560).

[Figure 5-1: diagram not reproduced. Labels recovered from the figure: vertical axis n_act
(rpm), horizontal axis t; curve a) shutdown speed is reached before the delay time has
expired; curve b) shutdown speed is reached after the delay time has expired; markers:
shutdown speed, delay time, pulse cancelation, SS1 / STOP B, SS1_active, Power_removed.]
Figure 5-1 Sequence with SS1 selection

Functional features of Safe Stop 1


● The delay time starts after the function is selected. If SS1 is deselected again within this
time, after the delay time has expired or after the shutdown speed has been undershot,
the STO function is selected and then immediately deselected again.
● The selection is realized through two channels - however braking along the OFF3 ramp,
only through one channel.
● The "Safe Acceleration Monitor" (SBR) function is activated when braking (see "Safe
Acceleration Monitor").


Note
Activating SS1 can mean that the device (PLC, motion controller) which issues the speed
setpoint interrupts the ramp function with OFF2.
The reason is a fault response of this device, which is initiated due to the activation of OFF3.
The fault response can be prevented using suitable parameterization or wiring, which then
signals the initiation of SS1 to this device.

Note
If you use SS1 under EPOS, then an OFF2 is not permitted as fault response to a following
error.

Commissioning
The delay time is set by entering parameters p9356 and p9556. The delay time until the
pulses are suppressed can be shortened by defining a shutdown speed in p9360 and p9560.
To enable the drive to decelerate to standstill, the time set in p9356/p9556 must be sufficient
to allow the drive to decelerate to below the shutdown speed in p9360/p9560 with the OFF3
ramp (p1135).
The shutdown speed defined in p9360/p9560 must be set in such a way that personal safety
or the safety of the machine is not compromised as of this speed and as a result of
subsequent coasting due to the pulses being suppressed.

Responses
Speed limit violated (SBR):
● STOP A
● Safety message C01706/C30706
System errors:
● STOP F with subsequent STOP B, followed by STOP A
● Safety message C01711/C30711

Status for "Safe Stop 1"


The status of the "Safe Stop 1" function is displayed using the following parameters:
● r9722.1 CO/BO: SI Motion status signals, SS1 active
● r9722.0 CO/BO: SI Motion status signals, STO active (power removed)


5.3.2 Encoderless Safe Stop 1 (time and speed controlled)


If an induction motor is being used, the "Safe Stop 1" (SS1) Safety Integrated function can
also be activated without an encoder.

Function
The motor is immediately decelerated along the OFF3 ramp (OFF3 ramping) as soon as
SS1 is triggered. Monitoring is activated once the delay time in p9582/p9382 has elapsed
(SBR delay time). Monitoring ensures that the motor does not exceed the set braking ramp
(envelope (monitoring ramp)) during braking. As soon as the speed drops below the
shutdown speed (p9560/p9360; standstill detection), safe monitoring of the brake ramp is
deactivated and safe pulse suppression (STO) is activated.

Figure 5-2 Mode of operation of SS1 without encoder


Difference between Safe Stop 1 with and without an encoder


The SS1 function with an encoder monitors whether motor acceleration reaches
impermissible levels during the SS1 time. If the drive complies with acceleration monitoring
limits, STO is triggered when the shutdown speed is reached. If acceleration monitoring
limits are violated, messages C01706 and C30706 are output and the drive is stopped with
STOP A. If the motor does not reach the shutdown speed within the set braking time, STO is
still triggered and the drive coasts to a standstill. No message is issued.
The SS1 function without an encoder is a monitoring facility for ensuring the motor does not
exceed the set brake ramp. STO is triggered when the speed drops below the shutdown
speed. If the set brake ramp is violated (exceeded), messages C01706 and C30706 are
output and the drive is stopped with STO (STOP A).

Parameterization of the encoderless brake ramp


p9581/p9381 and p9583/p9383 are used to set the steepness of the brake ramp.
Parameters p9581/p9381 determine the reference speed and parameters p9583/p9383
define the monitoring period. Parameters p9582/p9382 are used to set the time between the
triggering of Safe Stop 1 and the start of brake ramp monitoring.
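The two SS1 variants described in 5.3.1 and 5.3.2 differ in what ends the braking phase, and the difference is easiest to see on a sampled speed trace. The following Python is an added example for this text, not Siemens code: it models SS1 with encoder (STO after the delay time p9556 or once the shutdown speed p9560 is reached, whichever comes first) and encoderless SS1 (brake-ramp monitoring with the steepness p9581/p9583 starting p9582 after selection, STO below p9560). Assumptions of the example: speeds in rpm and times in seconds; the OFF3 ramp is linear from the reference speed n_ref to zero in p1135 seconds; the encoderless monitoring ramp starts at the actual speed present when monitoring begins (the manual does not state this detail); the SBR acceleration monitoring of the encoder variant and p9548 are not modelled. The speed traces are constructed sample input.

```python
"""Constructed model of SS1 with encoder (5.3.1) and without encoder (5.3.2).

Not Siemens code. ASSUMPTIONS: rpm and seconds; linear OFF3 ramp; the encoderless
monitoring ramp starts at the actual speed when monitoring begins and falls by p9581
per p9583 seconds; SBR acceleration monitoring is not modelled.
"""


def off3_trace(n_start: float, p1135: float, n_ref: float, cycle: float) -> list:
    """Actual-speed samples (one per monitoring cycle) of a drive braking along OFF3."""
    step = n_ref / p1135 * cycle          # speed reduction per cycle
    samples, n = [], float(n_start)
    while n > 0.0:
        samples.append(n)
        n -= step
    samples.append(0.0)
    return samples


def ss1_with_encoder(speeds: list, cycle: float, p9556: float, p9560: float) -> tuple:
    """Return (response, t, reason): STO at the shutdown speed or when the delay expires."""
    for i, n in enumerate(speeds):
        t = i * cycle
        if abs(n) <= p9560:
            return ("STO", t, "shutdown speed p9560 reached")
        if t >= p9556:
            # Delay expired while still above the shutdown speed: STO is triggered
            # anyway, the drive coasts and no message is issued (see 5.3.2).
            return ("STO", t, "delay time p9556 expired")
    return ("braking", len(speeds) * cycle, "trace ended before STO")


def ss1_without_encoder(speeds: list, cycle: float, p9581: float, p9583: float,
                        p9582: float, p9560: float) -> tuple:
    """Return (response, t, reason) for the encoderless brake-ramp monitoring."""
    slope = p9581 / p9583                 # rpm per second the monitoring ramp falls
    envelope_start = None
    for i, n in enumerate(speeds):
        t = i * cycle
        if abs(n) <= p9560:
            return ("STO", t, "shutdown speed p9560 reached")
        if t < p9582:
            continue                      # SBR delay time: monitoring not yet active
        if envelope_start is None:
            envelope_start = (t, abs(n))  # ASSUMPTION: ramp starts at actual speed
        t0, n0 = envelope_start
        limit = n0 - slope * (t - t0)
        if abs(n) > limit:
            return ("STOP A", t, "C01706/C30706: brake ramp violated")
    return ("braking", len(speeds) * cycle, "trace ended before STO")


# Constructed input: 1000 rpm, OFF3 ramp 1000 rpm to 0 in 1.0 s, 100 ms monitoring cycle.
CYCLE = 0.1
GOOD_TRACE = off3_trace(1000.0, p1135=1.0, n_ref=1000.0, cycle=CYCLE)
# Constructed trace in which the load holds the motor at 720 rpm from 0.3 s onwards.
STALLED_TRACE = [1000.0, 900.0, 800.0, 720.0, 720.0, 720.0, 720.0, 720.0]

if __name__ == "__main__":
    print(ss1_with_encoder(GOOD_TRACE, CYCLE, p9556=1.5, p9560=50.0))       # case a)
    print(ss1_with_encoder(GOOD_TRACE, CYCLE, p9556=0.5, p9560=50.0))       # case b)
    print(ss1_without_encoder(GOOD_TRACE, CYCLE, 1500.0, 3.0, 0.2, 50.0))
    print(ss1_without_encoder(STALLED_TRACE, CYCLE, 1500.0, 3.0, 0.2, 50.0))
```

With the encoder, the same trace ends in STO at 1.0 s when the delay is generous (case a of Figure 5-1) and at 0.5 s when the delay is shorter than the ramp (case b), without any message in either case. Without the encoder, the stalled trace violates the monitoring ramp at 0.4 s and produces STOP A with C01706/C30706, which is exactly the difference the text above describes.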

Restrictions
The following restrictions apply to the encoderless SS1 and encoderless SLS functions:

Cannot be used in conjunction with


1 SINAMICS chassis and cabinet formats
2 Synchronous motors
3 Torque control
4 SW gating unit

Cannot be used in conjunction with the following functions


1 Motor identification
2 Rotating measurement
3 Flying restart
4 Pole position identification
5 Vdc controller
6 DC braking
7 Measurement functions (frequency response measurement)
8 Current limitation (ILim)


5.3.3 Integration

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p1135[0...n] OFF3 ramp-down time
● p9301 SI Motion enable safety functions (Motor Module)
● p9501 SI Motion enable safety functions (Control Unit)
● p9306 SI Motion function specification (Motor Module)
● p9506 SI Motion function specification (Control Unit)
● p9348 SI Motion SBR actual velocity tolerance (Motor Module)
● p9548 SI Motion SBR actual velocity tolerance (Control Unit)
● p9356 SI Motion pulse cancelation delay time (Motor Module)
● p9556 SI Motion pulse cancelation delay time (Control Unit)
● p9360 SI Motion pulse cancelation shutdown speed (Motor Module)
● p9560 SI Motion pulse cancelation shutdown speed (Control Unit)
● p9381 SI Motion braking ramp reference value (Motor Module)
● p9581 SI Motion braking ramp reference value (Control Unit)
● p9382 SI Motion braking ramp delay time (Motor Module)
● p9582 SI Motion braking ramp delay time (Control Unit)
● p9383 SI Motion braking ramp monitoring time (Motor Module)
● p9583 SI Motion braking ramp monitoring time (Control Unit)
● r9722.0...15 CO/BO: SI Motion drive-integrated status signals


5.4 Safe Stop 2 (SS2)

General description
The "Safe Stop 2" (SS2) function is used to brake the motor safely along the OFF3
deceleration ramp (p1135) with subsequent transition to the SOS state (see "Safe Operating
Stop") after the delay time expires (p9352/p9552). The delay time set must allow for the drive
to brake down to a standstill within this time. The standstill tolerance (p9330/p9530) may not
be violated after this time.
After the braking operation is completed, the drives remain in the speed control mode with
the speed setpoint n = 0.
The safety function "Safe Stop 2" (SS2) can only be used with an encoder.

WARNING

For SS2, the full rated voltage is available at the motor (VDClink) and current flows through
the motor.

The default setpoint (e.g. from the setpoint channel, or from a higher-level control) remains
inhibited as long as SS2 is selected. The "Safe Acceleration Monitor" (SBR) function is
selected during braking.

[Figure 5-3: diagram not reproduced. Labels recovered from the figure: max. delay time
(p9352/p9552); time axis t; SS2 selection; SOS selection.]

Figure 5-3 Sequence with SS2 selection

Note
If SS2 is activated, this can cause the device (PLC, motion controller) which specifies the
speed setpoint to interrupt the ramp function with OFF2.
The reason is a fault response of this device, which is initiated when OFF3 is activated.
The fault response can be prevented using suitable parameterization or wiring, which then
signals the initiation of SS2 to this device.


Responses
Speed limit violated (SBR):
● STOP A
● Safety message C01706/C30706
Standstill tolerance violated in p9330/p9530 (SOS):
● STOP B with subsequent STOP A
● Safety message C01707/C30707
System errors:
● STOP F with subsequent STOP A
● Safety message C01711/C30711

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p1135[0...n] OFF3 ramp-down time
● p9301 SI Motion enable safety functions (Motor Module)
● p9501 SI Motion enable safety functions (Control Unit)
● p9330 SI Motion standstill tolerance (Motor Module)
● p9530 SI Motion standstill tolerance (Control Unit)
● p9348 SI Motion SBR actual velocity tolerance (Motor Module)
● p9548 SI Motion SBR actual velocity tolerance (Control Unit)
● p9352 SI Motion transition time STOP C to SOS (Motor Module)
● p9552 SI Motion transition time STOP C to SOS (Control Unit)
● r9722.0...15 CO/BO: SI Motion drive-integrated status signals

Safe Stop 2 in an EPOS application


The SOS function is used to enable the Safe Stop 2 function to be used with EPOS.
The "intermediate stop" function (p2640 = 0) causes the axis to be stopped when the SOS
function is triggered. When making the settings under p2573 (maximum deceleration) and
p2645 (deceleration override) for the deceleration caused by EPOS, it is essential to ensure
the drive can be stopped within the delay time for SOS activation → SOS active
(p9551/p9351).

Overview of important parameters (see SINAMICS S List Manual)


● p2573 EPOS maximum deceleration
● p2640 BI: EPOS intermediate stop (0 signal)
● p2645 CI: EPOS direct setpoint input/MDI, deceleration override
● p9351 SI Motion SLS changeover delay time (Motor Module)
● p9551 SI Motion SLS(SG) changeover delay time (Control Unit)

5.5 Safe Operating Stop (SOS)

General description
This function serves for fail-safe monitoring of the standstill position of a drive.
Personnel can enter the protected machine areas without having to shut down the machine
as long as SOS is active.
Drive standstill is monitored by means of an SOS tolerance window (p9330 and p9530).
The SOS function is activated after SOS is selected and when the delay time set in
p9351/p9551 expires. The drive must be braked to standstill within this delay time (e.g. by
the controller). When this function is activated, the current actual position is saved as a
comparative position, until SOS is deselected again. Any delay time is cleared after SOS is
canceled and the drive can start up immediately.

[Figure: standstill tolerance window around X_act, the position when SOS is selected; negative and positive direction of rotation; standstill tolerance]
Figure 5-4 Standstill tolerance

Functional features of "Safe Operating Stop"


● The drive remains in the closed-loop control mode.
● A programmable standstill tolerance window is available.
● STOP B is the stop response after SOS has responded

Note
The size of the tolerance window should be slightly above the standard standstill monitoring
limit, otherwise the standard monitoring functions will no longer be effective.
Parameter r9731 displays the safe position accuracy (load side) that can be achieved as a
maximum due to the acquisition of the actual value for the safe motion monitoring functions.

Responses
Standstill tolerance violated in p9330/p9530:
● STOP B with subsequent STOP A
● Safety message C01707/C30707
System errors:
● STOP F
● Safety message C01711/C30711

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p9301 SI Motion enable safety functions (Motor Module)
● p9501 SI Motion enable safety functions (Control Unit)
● p9330 SI Motion standstill tolerance (Motor Module)
● p9530 SI Motion standstill tolerance (Control Unit)
● p9351 SI Motion SLS changeover delay time (Motor Module)
● p9551 SI Motion SLS(SG) changeover delay time (Control Unit)
● r9722.0...15 CO/BO: SI Motion drive-integrated status signals
● r9731 SI Motion safe position accuracy

5.6 Safely-Limited Speed (SLS)


The Safely Limited Speed (SLS) function is used to protect a drive against unintentionally
high speeds. This is achieved by monitoring the current drive speed up to a speed limit.
Safely Limited Speed prevents a parameterized speed limit from being exceeded. Limits
must be specified based on results of the risk analysis. Up to 4 different SLS speed limits
can be parameterized via parameter p9531[0..3].

5.6.1 Safely-Limited Speed with encoder

Features
● A selected speed limit is activated once SLS has been selected and after the delay time
(p9351/p9551) has elapsed. When switching over to a lower speed limit value, the speed
must be braked to below the new maximum limit value within this delay time.
● However, if the ACTUAL speed is higher than the new speed limit value after the delay
time has expired, an appropriate signal is generated with the parameterized stop
response.
● The stop responses are parameterized using p9363/p9563.
● The delay time is not active when switching over to a higher speed limit value.
● 4 parameterizable speed limit values p9331[0...3] and p9531[0...3]
[Figure: v plotted against t; two speed limit stages v2 and v1 from p9331[...]/p9531[...]; SLS selection, SLS is active, braking time, delay time]
Figure 5-5 Delay time SLS speed limit value

A speed setpoint limit can be set as percentage in p9533. This value is used to calculate a
speed setpoint limit r9733, depending on the selected speed limit p9531[x].
Contrary to parameterizing the safely-limited values, these parameters specify the limit value
on the motor side and not on the load side.
● r9733[0] = p9531[x] * p9533; x = selected SLS stage
● r9733[1] = - p9531[x] * p9533; x = selected SLS stage

Changeover of speed limits


The changeover is controlled binary-coded via two F-DIs. The speed selection status can be
checked using parameters r9720.9/r9720.10. Parameters r9722.9 and r9722.10 indicate the
actual speed limit, bit r9722.4 must carry a "1" signal.

Table 5- 1 Changeover of speed limits:

F-DI for bit 0 (r9720.9) F-DI for bit 1 (r9720.10) Speed limit
0 0 p9331[0]/p9531[0]
0 1 p9331[1]/p9531[1]
1 0 p9331[2]/p9531[2]
1 1 p9331[3]/p9531[3]
The changeover from a lower to a higher speed limit takes effect without any delay.
The changeover from a higher to a lower limit triggers a delay time which can be set at the
corresponding parameter (p9351 and p9551).
To ensure that the drive reaches the reduced speed below the new speed limit value once
the delay time has elapsed, it must be decelerated accordingly within the delay time by
means of the higher-level motion control/setpoint channel.

CAUTION

SLS level 1 must be defined as the lowest speed limit value.


SLS level 1 is activated after two unacknowledged discrepancy errors; in other words, 0 is
the fail-safe value for the 2 F-DIs for speed level selection. The SLS levels to be switched
between should, therefore, always be parameterized in ascending order, e.g. with SLS level
1 as the lowest speed and SLS level 4 as the highest.

Responses
Speed limit value exceeded:
● Configured subsequent stop STOP A / B / C / D by means of p9363/p9563
● Safety message C01714/C30714
System errors:
● STOP F
● Safety messages C01711/C30711

5.6.2 Encoderless Safely Limited Speed


If an induction motor is being used, Safely Limited Speed (SLS) can also be activated
without an encoder.

Features
After SLS has been triggered, measures should be taken to ensure the motor is immediately
decelerated with the OFF3 ramp from the current speed to below the selected SLS [1...4]
speed limit. Monitoring is activated after delay time p9582/p9382 (SI Motion brake ramp
delay time Control Unit/Motor Module) has elapsed. Monitoring ensures the motor does not
exceed the set brake ramp (SBR) during braking.
The new SLS speed limit is accepted as the new limit speed if either the brake ramp has
reached the new SLS speed limit or the actual speed of the drive was below the new SLS
speed limit for at least as long as p9582 (SI Motion brake ramp delay time Control Unit).
The SLS function then monitors whether the new actual speed remains below the selected
SLS speed limit. The programmed STOP response is triggered as soon as the limit speed is
exceeded.

Configuring the limits


Speed limits for encoderless SLS are configured in exactly the same way as described for
SLS with an encoder.

Differences between SLS with and without an encoder


The SLS with encoder function monitors whether the motor remains under the set limit
speed. During deceleration to a lower limit speed, SBR also monitors whether the drive has
dropped below the lower limit speed within the delay time specified. If this is not the case,
messages C01714 and C30714 are output.
The SLS without encoder function monitors whether the motor remains under the set limit
speed during operation. During deceleration to a lower limit speed, SLS acts as a monitor to
ensure the motor does not exceed the set brake ramp. If the brake ramp is violated,
messages C01707 and C30707 are output and the drive is stopped with STOP A or STOP B
(depending on the setting made).

[Figure: traces of reference frequency, set point frequency, envelope (monitoring ramp), stator frequency, rotor frequency, OFF3 ramping, standstill detection and STO plotted against n; phases: selection of SS1-ramp (user action: set SS1 signal), activation of SS1-ramp (user action: none), activation of STO (user action: none), deselection of SS1-ramp (user action: clear SS1 signal), starting drive (user action: set OFF1/ON signal); SBR delay time and monitoring ramp down time; diagnosis signals: STO selected, STO active, SS1 selected, SS1 active, PROFIsafe SS1 active, power removed]
Figure 5-6 Signal profile for encoderless SLS

SBR delay = p9582


In this example, "set point frequency" represents the higher SLS speed 2 and "standstill
detection" represents the lower SLS speed 1.

Restart after OFF2


If the drive has been switched off via OFF2/STO, the following steps need to be carried out
before a safe restart can be performed:
1st scenario:
● SLS not selected, OFF2 is active (STO active)
● Deselect STO.
● Rising edge at OFF1
2nd scenario:
● Switch-on status: Encoderless SLS selected, STO selected, OFF2 active
● Deselect STO.
● Unless there is a drive enable via a positive edge at OFF1 within 5 seconds, a safety fault
will be output as speed monitoring will be impossible.
3rd scenario:
● Switch-on status: Encoderless SLS selected, STO not selected, OFF2 active
● Unless there is a drive enable via a positive edge at OFF1 within 5 seconds after ramping
up is complete, a safety fault will be output as speed monitoring will be impossible.

Parameterization of the encoderless brake ramp


p9581/p9381 and p9583/p9383 are used to set the steepness of the brake ramp.
Parameters p9581/p9381 determine the reference speed and parameters p9583/p9383
define the monitoring period. Parameters p9582/p9382 are used to set the time between the
triggering of Safe Stop 1 and the start of brake ramp monitoring.

Restrictions
The following restrictions apply to the encoderless SS1 and encoderless SLS functions:

Cannot be used in conjunction with


1 SINAMICS chassis and cabinet formats
2 Synchronous motors
3 Torque control
4 SW gating unit

Cannot be used in conjunction with the following functions


1 Motor identification
2 Rotating measurement
3 Flying restart
4 Pole position identification
5 Vdc controller
6 DC braking
7 Measurement functions (frequency response measurement)
8 Current limitation (ILim)

5.6.3 EPOS and Safely-Limited Speed


When using the EPOS positioning function, if a Safely-Limited Speed monitoring (SLS) is to
be used at the same time, then EPOS must be informed about the activated speed
monitoring limit, as otherwise this can be violated by the setpoint input from EPOS. Further,
this violation can cause the SLS monitoring to stop the drive - therefore interrupting the
intended motion sequence.
With its parameter r9733, the SLS function provides a setpoint limit value which, when taken
into account, prevents the SLS limit value from being violated.
This means that the setpoint limit value in p9733 must therefore be transferred to the input
for the maximum setpoint speed/velocity of EPOS (p2594) in order to prevent an SLS limit
value violation as a result of the EPOS setpoint input.

Overview of important parameters (see the SINAMICS S120/150 List Manual)


● p2593 CI: EPOS LU/revolution LU/mm
● p2594 CI: EPOS maximum speed, externally limited
● r9733[0...1] CO: SI Motion setpoint speed limit effective

5.7 Safe Speed Monitor (SSM)

General description
The "Safe Speed Monitor" function is used for reliably detecting when a velocity limit value
has been undershot (p9346/p9546) (e.g. for standstill detection) in both directions. A fail-safe
output signal is available for further processing.
The function is activated automatically as soon as the Extended Functions are enabled with
p9301.0 = p9501.0 = 1.

NOTICE
If 0 is entered for p9368/p9568, the velocity limit of the SSM function (p9346/p9546) is also
used as a shutdown limit for the SBR function (safe acceleration monitoring), if the
shutdown speed of SBR is set to 0 (also refer to Chapter "Safe Brake Ramp").
In this case, the effects of safe acceleration monitoring are therefore restricted if a relatively
high SSM/SBR velocity limit is set when using the SS1 and SS2 stop functions.

WARNING

STOP F (indicated by fault C01711/C30711) only results in a follow-up response (STOP B /
STOP A) if at least one of the Safety functions SOS or SLS is active or has been selected.
If only the SSM function is active, a STOP F crosswise comparison error does not result in
a follow-up response STOP B / STOP A.
If SSM is to be used as a safety function, at least one of the SOS or SLS functions must be
active/selected (e.g. by selecting a high SLS level).

Functional features of "Safe Speed Monitor"


The parameter p9346/p9546 "SI Motion SSM (SGA n < nx) velocity limit n_x (CU)" is used to
set the velocity limit. The abbreviation "SGA n < nx" indicates the safety function required for
determining an output signal when a parameterizable velocity limit has been undershot.
If the velocity limit for the "Safe Speed Monitor" feedback signal (n < n_x) is undershot, the
"SSM feedback signal active" signal (SGA n < n_x) is set. When the set threshold value has
been undershot, the "Safe Acceleration Monitor" (SBR) function is also deactivated (see
p9368/p9568). If p9368 = p9568 = 0, then p9346/p9546 applies (SSM feedback signal) - also
as safe acceleration monitoring for SBR.
The hysteresis for the SSM output signal is set in parameter p9347/p9547 "SI Motion SSM
velocity hysteresis n_x". If the maximum permissible velocity tolerance is overshot (i.e. one
channel displays a velocity less than p9546 - p9547, while the other channel displays a
velocity greater than p9546), a STOP F is issued. As an additional function, parameters
p9347/p9547 are used to define the maximum tolerance of the velocity actual values
between the two channels.
In addition, the output signal for SSM can be smoothed by means of a PT1 filter by setting a
filter time p9345/p9545.
During safe motion monitoring, the hysteresis and filtering functions can be activated or
deactivated jointly using the enable bit p9301.16 (Motor Modules) and p9501.16 (CU). In the
default setting, the functions are deactivated (p9301.16/p9501.16 = 0).

NOTICE
Exception
The activated "hysteresis and filtering" function is evaluated as activated monitoring
function and, after a STOP F, also results in a subsequent STOP B/STOP A response.

The following diagram shows the characteristic of the safe output signal SSM when the
hysteresis is active:

[Figure: SSM output signal (0/1) plotted against n [mm/min]; switching points marked with parameter labels]
Figure 5-7 Safe output signal for SSM with hysteresis

Due to the hysteresis, the safe output signal for SSM can also lie above the parameterized
velocity limit at 1.

Note
When the hysteresis and filtering are activated with output signal SSM, the axes behave in a
time-delayed manner. This is a characteristic of the filter.
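The switching behaviour of the SSM signal described above, as an added Python model that is not part of the manual: one channel evaluates n < n_x with the hysteresis p9547 and the optional PT1 smoothing p9545, and a separate function applies the crosswise tolerance rule quoted in the text. The reset threshold p9546 + p9547 and the discrete PT1 formula are assumptions of this example; p9546, p9547 and p9545 are reused as variable names, and all speeds are constructed.

```python
"""Constructed two-channel model of the SSM feedback signal (SGA n < n_x).

Not Siemens code.  p9546 (velocity limit n_x), p9547 (hysteresis and crosswise
tolerance) and p9545 (PT1 filter time) are reused as variable names.  Assumed
switching rule with hysteresis: the signal is set when |n| falls below p9546 and
reset only when |n| rises above p9546 + p9547, so it can still be 1 above the limit.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SsmChannel:
    """One monitoring channel (Control Unit or Motor Module) evaluating n < n_x."""

    p9546: float              # velocity limit n_x
    p9547: float              # hysteresis width
    p9545: float              # PT1 filter time [s]; 0 disables the filter
    hysteresis_enabled: bool  # p9501.16 / p9301.16: hysteresis and filtering jointly
    hyst_state: int = 0       # comparator output after hysteresis
    filtered: float = 0.0     # PT1 filter state (starts at 0 = signal inactive)
    signal: int = 0           # SGA n < n_x as output by this channel

    def update(self, n_act: float, dt: float) -> int:
        n = abs(n_act)        # SSM detects undershoot in both directions of rotation
        if not self.hysteresis_enabled:
            self.hyst_state = 1 if n < self.p9546 else 0
        elif self.hyst_state == 1 and n > self.p9546 + self.p9547:
            self.hyst_state = 0   # assumed reset threshold p9546 + p9547
        elif self.hyst_state == 0 and n < self.p9546:
            self.hyst_state = 1
        if self.hysteresis_enabled and self.p9545 > 0.0:
            # Standard discrete first-order (PT1) lag; output counts as set above 0.5.
            self.filtered += (self.hyst_state - self.filtered) * dt / (self.p9545 + dt)
            self.signal = 1 if self.filtered > 0.5 else 0
        else:
            self.filtered = float(self.hyst_state)
            self.signal = self.hyst_state
        return self.signal


def crosswise_check(n_cu: float, n_mm: float, p9546: float, p9547: float) -> Optional[str]:
    """Crosswise comparison of the two channels' velocity actual values.

    Per the text: one channel below p9546 - p9547 while the other is above
    p9546 exceeds the permissible tolerance and results in STOP F.
    """
    low, high = sorted((abs(n_cu), abs(n_mm)))
    if low < p9546 - p9547 and high > p9546:
        return "STOP F (C01711/C30711)"
    return None


SPEEDS = [150.0, 90.0, 110.0, 119.0, 121.0, 95.0, -130.0]  # constructed trace [rpm]


def run_trace(hysteresis_enabled: bool) -> List[int]:
    """Signal trace for the constructed speeds, with n_x = 100 and hysteresis 20."""
    ch = SsmChannel(p9546=100.0, p9547=20.0, p9545=0.0,
                    hysteresis_enabled=hysteresis_enabled)
    return [ch.update(n, 0.001) for n in SPEEDS]


def cycles_until_set(p9545: float, dt: float = 0.001) -> int:
    """Monitoring cycles until the filtered signal reports 1 at a constant 90 rpm."""
    ch = SsmChannel(p9546=100.0, p9547=20.0, p9545=p9545, hysteresis_enabled=True)
    for k in range(1, 100_000):
        if ch.update(90.0, dt) == 1:
            return k
    return -1
```

With the hysteresis enabled the trace stays at 1 for 110 rpm and 119 rpm, i.e. above the limit of 100 rpm, and the 10 ms filter delays the signal by eight 1 ms cycles.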

Features
● Safe monitoring of the speed limit specified in p9346 and p9546
● Parameterizable hysteresis via p9347 and p9547
● Variable PT1 filter via p9345 and p9545
● Fail-safe output signal
● No stop response
● This function is not available for speed monitoring without an encoder.

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p9345 SI Motion SSM (SGA n < nx) filter time (Motor Module)
● p9545 SI Motion SSM (SGA n < nx) filter time (Control Unit)
● p9346 SI Motion SSM velocity limit (Motor Module)
● p9546 SI Motion SSM (SGA n < nx) velocity limit n_x (CU)
● p9347 SI Motion velocity hysteresis (crosswise) (Motor Module)
● p9547 SI Motion velocity hysteresis (crosswise) (Control Unit)
● p9368 SI Motion SBR velocity limit (Motor Module)
● p9568 SI Motion SBR velocity limit (CU)
● r9722.0...15 CO/BO: SI Motion drive-integrated status signals

5.8 Safe Acceleration Monitor (SBR)

Safe Acceleration Monitor with encoder


The "Safe Acceleration Monitor" (SBR) function is used to safely monitor drive acceleration.
This function is part of the SS1 (time and acceleration-controlled) and SS2 (or STOP B and
STOP C) safety functions.

Features
A STOP A is generated if any drive acceleration within the ramp-down phase exceeds the
tolerance defined in p9348/p9548. The monitoring function is activated for SS1 (or STOP B)
and SS2 (or STOP C) and is deactivated after the speed drops below the value set in
p9368/p9568.

NOTICE
If 0 is entered for p9368/p9568, the speed limit of the SSM function (p9346/p9546) is also
used as shutdown limit for the SBR function (safe acceleration monitoring). The SBR is
deactivated if the speed is below this limit.
In this case, the effects of safe acceleration monitoring are therefore greatly restricted if a
relatively high SSM/SBR velocity limit is set when using the SS1 and SS2 stop functions.

[Figure: speed n plotted against t; stopping limit value, speed tolerance, triggering of SS1/SS2, n_act, n_x, monitoring cycle]
Figure 5-8 Characteristics of the shutdown limit for SBR

Calculating the SBR tolerance of the ACTUAL speed:


● The following applies when parameterizing the SBR tolerance:
– The maximum speed increase after SS1 / SS2 is triggered is derived from the
effective acceleration (a) and the duration of the acceleration phase.
– The duration of the acceleration phase is equivalent to one monitoring clock cycle
(p9300/p9500) MC (delay from detecting an SS1 / SS2 until nset = 0):
● SBR tolerance:
Actual speed SBR = acceleration * acceleration duration
The following setup rule is derived thereof:
– At linear axes:
SBR tolerance [mm/min] = a [m/s2] * MC [s] * 1000 [mm/m] * 60 [s/min]
– At rotary axes:
SBR tolerance [rev/min] = a [rev/s2] * MC [s] * 60 [s/min]
● Recommendation:
The SBR tolerance value entered should be approx. 20% higher than the calculated
value.

Responses
Speed limit violated (SBR):
● STOP A
● Safety message C01706/C30706
System errors:
● STOP F with subsequent STOP A
● Safety message C01711/C30711

Features
● Element of the SS1 (time and acceleration controlled) and SS2 functions
● Parameterizable, minimum shutdown speed to be monitored

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p9346 SI Motion SSM velocity limit (Motor Module)
● p9546 SI Motion SSM (SGA n < nx) velocity limit n_x (CU)
● p9348 SI Motion SBR actual velocity tolerance (Motor Module)
● p9548 SI Motion SBR actual velocity tolerance (Control Unit)
● p9368 SI Motion SBR velocity limit (Motor Module)
● p9568 SI Motion SBR velocity limit (CU)

5.9 Safe Brake Ramp (SBR)


If an induction motor is being used, the "Safe Brake Ramp" (SBR) Safety Integrated function
can be activated without an encoder. It provides a safe method for monitoring the brake
ramp and is always used to monitor braking when the encoderless SS1 and encoderless SLS
functions are used.

Functional features of Safe Brake Ramp without encoder


The motor is immediately decelerated along the OFF3 ramp as soon as SS1 or SLS is
triggered. Monitoring of the brake ramp (envelope (monitoring ramp)) is activated after delay
time p9582/p9382 (SI Motion brake ramp delay time (SBR delay time), Control Unit/Motor
Module) has elapsed. Monitoring ensures that the motor does not exceed the set brake ramp
(SBR) when braking. As soon as the speed drops below the shutdown speed (p9560/p9360;
standstill detection), safe monitoring of the brake ramp is deactivated. Additional specific
functions (e.g. STO, new SLS speed limit, etc.) are activated at this point, depending on the
Safety Integrated function used.

[Figure: traces of reference frequency, set point frequency, envelope (monitoring ramp), stator frequency, rotor frequency, OFF3 ramping, standstill detection and STO plotted against n; phases: selection of SS1-ramp (user action: set SS1 signal), activation of SS1-ramp (user action: none), activation of STO (user action: none), deselection of SS1-ramp (user action: clear SS1 signal), starting drive (user action: set OFF1/ON signal); SBR delay time and monitoring ramp down time; diagnosis signals: STO selected, STO active, SS1 selected, SS1 active, PROFIsafe SS1 active, power removed]
Figure 5-9 Safe Brake Ramp without encoder

Parameterization of the encoderless brake ramp


p9581/p9381 (SI Motion brake ramp reference value, Control Unit/Motor Module) and
p9583/p9383 (SI Motion brake ramp monitoring time, Control Unit/Motor Module) are used to
set the steepness of the brake ramp. Parameters p9581/p9381 determine the reference
speed and parameters p9583/p9383 define the monitoring period. Parameters p9582/p9382
are used to set the time between the triggering of Safe Stop 1 and the start of brake ramp
monitoring.
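The brake ramp parameterization just described, and the encoderless SLS/SS1 braking sequence of section 5.6.2, as an added Python model that is not Siemens code: the envelope starts at the speed present when the function is triggered, is not evaluated while the delay time p9582 runs, then falls with the slope p9581 / p9583, and monitoring ends once the actual speed drops below the shutdown speed p9560. The flat start of the envelope at the trigger speed is an assumption of this example; parameter names are reused as variable names and the braking traces are constructed.

```python
"""Constructed model of encoderless Safe Brake Ramp (SBR) monitoring.

Not Siemens code.  Assumptions: the monitoring envelope starts at the speed present
when SS1/SLS is triggered, is not evaluated during the delay time p9582, then falls
with the slope p9581 / p9583 (reference value per monitoring time); monitoring ends
once the actual speed drops below the shutdown speed p9560 (standstill detection).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BrakeRampMonitor:
    p9581: float                     # brake ramp reference value [rpm]
    p9582: float                     # brake ramp delay time [s]
    p9583: float                     # brake ramp monitoring time [s]
    p9560: float                     # pulse suppression shutdown speed [rpm]
    t_trigger: Optional[float] = None
    n_trigger: float = 0.0
    done: bool = False

    @property
    def slope(self) -> float:
        """Steepness of the brake ramp in rpm/s: p9581 over p9583."""
        return self.p9581 / self.p9583

    def trigger(self, t: float, n_act: float) -> None:
        """SS1 or a lower SLS stage is selected: remember time and speed at trigger."""
        self.t_trigger, self.n_trigger, self.done = t, abs(n_act), False

    def envelope(self, t: float) -> Optional[float]:
        """Permitted speed at time t, or None while monitoring is not active."""
        if self.t_trigger is None or self.done:
            return None
        elapsed = t - self.t_trigger - self.p9582
        if elapsed < 0.0:
            return None              # SBR delay time still running: not yet monitored
        return max(self.n_trigger - self.slope * elapsed, 0.0)

    def check(self, t: float, n_act: float) -> Optional[str]:
        """One monitoring cycle: None, the violation response, or the end of monitoring."""
        limit = self.envelope(t)
        if limit is None:
            return None
        if abs(n_act) < self.p9560:
            # Standstill detection: SBR monitoring is deactivated and the function
            # used (STO for SS1, the new limit for SLS) takes over.
            self.done = True
            return "below p9560: SBR monitoring deactivated"
        if abs(n_act) > limit:
            return "C01706/C30706 -> STOP A"
        return None


def run_ramp(decel: float,
             times: Tuple[float, ...] = (0.1, 0.5, 0.7, 0.75)) -> List[Optional[str]]:
    """Constructed OFF3 braking from 1500 rpm with the given deceleration [rpm/s].

    Envelope: 1500 rpm reference over 1.0 s monitoring time (1500 rpm/s),
    0.25 s delay, 50 rpm shutdown speed.
    """
    mon = BrakeRampMonitor(p9581=1500.0, p9582=0.25, p9583=1.0, p9560=50.0)
    mon.trigger(0.0, 1500.0)
    return [mon.check(t, max(1500.0 - decel * t, 0.0)) for t in times]
```

A deceleration of 2000 rpm/s stays inside the envelope and ends in standstill detection, while 500 rpm/s is slower than the parameterized ramp and is reported at the first monitored cycle.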

Responses to brake ramp violations (SBR)


● Safety messages C01706 (SI Motion CU: SBR limit exceeded) and C30706 (SI Motion MM:
SBR limit exceeded)
● Drive stopped with STOP A

Features
● Part of the encoderless SS1 and encoderless SLS functions
● Parameterizable safe brake ramp

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p9360 SI Motion pulse suppression shutdown speed (Motor Module)
● p9560 SI Motion pulse suppression shutdown speed (Control Unit)
● p9381 SI Motion brake ramp reference value (Motor Module)
● p9581 SI Motion brake ramp reference value (Control Unit)
● p9382 SI Motion brake ramp delay time (Motor Module)
● p9582 SI Motion brake ramp delay time (Control Unit)
● p9383 SI Motion brake ramp monitoring time (Motor Module)
● p9583 SI Motion brake ramp monitoring time (Control Unit)

5.10 Safety faults

Stop responses
Faults with Safety Integrated Extended Functions and violation of limits can trigger the
following stop responses:

Table 5- 2 Overview, stop responses

STOP A
Triggered: for all acknowledgeable safety faults with pulse disable.
Action: immediate pulse cancelation.
Effect: drive coasts down.

STOP B
Triggered: examples: standstill tolerance violated in p9330/p9530 (SOS); configured subsequent stop p9363/p9563 for SLS; subsequent response of STOP F.
Action: immediate input of speed setpoint = 0 and start of timer tB. Once tB has elapsed or nact < nshutdown, STOP A is triggered.
Effect: STOP B with subsequent STOP A. The drive decelerates along the OFF3 ramp and then switches to STOP A.

STOP C
Triggered: configurable subsequent stop p9363/p9563 with SLS.
Action: immediate input of speed setpoint = 0 and start of timer tC. Once tC has elapsed, SOS is selected.
Effect: the drive decelerates along the OFF3 ramp; SOS is then selected.

STOP D
Triggered: configurable subsequent stop p9363/p9563 with SLS.
Action: timer tD starts. No drive-integrated response. SOS is activated on expiration of tD.
Effect: the drive must be decelerated by the higher-level control (within the drive group)! Once tD has elapsed, SOS is selected. An automatic response is only triggered if the standstill tolerance window is violated in SOS.

STOP F
Triggered: if a fault occurs in the crosswise data comparison. Follow-up response STOP B.
Action: timer tF1 (Basic Functions) or tF2 (Extended Functions) starts. No drive response.
Effect: if a safety function (SOS, SLS) has been selected or if a hysteresis has been configured for SSM, transition to STOP A after tF1 (Basic Functions) has elapsed or to STOP B after tF2 (Extended Functions) has elapsed.

Note
A delay time between STOP F and STOP B should only be set if an additional response is
initiated during this time when the "Internal Event" (r9722.7) message signal is evaluated.
Further, when using the delay time, a monitoring function should always be selected (e.g.
SLS with a high limit speed) or the hysteresis of SSM should be configured.
When hysteresis is activated for SSM, then this should be considered to be an activated
monitoring function.

On delays at the stop response transitions


● tB: p9356/p9556
● tC: p9352/p9552
● tD: p9353/p9553
● tF1: p9658/p9858
● tF2: p9355/p9555
● nshutdown: p9360/p9560

Stop response priorities

Table 5- 3 Stop response priorities

Priority classes Stop response


Highest priority STOP A
..... STOP B
... STOP C
.. STOP D
Lowest priority STOP F

Priorities of stop responses and Extended Functions

Table 5- 4 Priorities of stop responses and Extended Functions

Stop responses from left to right in descending priority (STOP A highest, STOP F lowest);
Extended Functions from top to bottom in descending priority (STO highest, SLS lowest).

Extended Function | STOP A        | STOP B        | STOP C        | STOP D    | STOP F
STO               | STOP A / STO  | STO           | STO           | STO       | STO
SS1               | STOP A        | STOP B / SS1  | SS1           | SS1       | SS1
SS2               | STOP A        | STOP B        | STOP C / SS2  | SS2       | SS2 / STOP B2)
SOS               | STOP A1)      | STOP B1)      | SOS           | SOS       | STOP B2)
SLS               | STOP A3)      | STOP B3)      | STOP C4)      | STOP D4)  | STOP B2)

1) The SOS monitoring function remains active, although the fault response in the event of a fault can no longer be
triggered because it is already present.
2) STOP B is the subsequent stop of STOP F, which is activated after a parameterizable time. STOP F alone does not
have any effect; the active safety function is still present.
3) The SLS monitoring function remains active, although the fault response in the event of a fault can no longer be
triggered because it is already present.
4) SLS remains active during the braking phase, after which the system switches to SOS.

The table above specifies which stop response or safety function is set when a STOP is
triggered when a safety function is active. The STOPs are arranged here from left to right in
descending order of priority (STOP A-F).
No overall priority is assigned in the individual safety functions. SOS remains active, for
example, even if STO is requested. The safety functions that cause the drive to decelerate
(STO, SS1, SS2) are specified from top to bottom in descending order of priority.
If a field contains two entries, the stop responses and safety functions have the same
priority. Explanation:
● STOP A corresponds to STO
● STOP B corresponds to SS1
● STOP C corresponds to SS2
● When the SS2 function is active, STOP F results in subsequent stop B. SS2 remains
active.

Examples for illustrating the information in the table:


1. Safety function SS1 has just been selected. STOP A remains active; a STOP B operation
that is currently in progress is not interrupted by this. Any remaining STOP C-F would be
replaced by SS1.
2. The SLS safety function is selected. This selection does not modify the function of STOP
A-D. A STOP F now triggers a STOP B because a safety function has been activated.
3. Stop response, STOP C is selected. If the STO or SS1 safety functions are active, this
does not have any effect. If SS2 is active, this braking ramp is retained. If SOS is active,
SOS remains effective, which is also the end status of STOP C. When SLS is selected,
the drive is decelerated with STOP C.

Acknowledging the safety faults


General

NOTICE
The safety faults can also be acknowledged (as with all other faults) by switching the drive
unit off and then on again (POWER ON).
If this action has not eliminated the fault cause, the fault is displayed again as soon as the
system has been rebooted.

Acknowledgement via TM54F


Parameter p10006 "SI acknowledgement internal event input terminal" allows faults to be
acknowledged in the safety drives and in TM54F itself.
The "safe fault acknowledgement" mechanism functions as follows:
The safe input F-DI on the TM54F parameterized with the function p10006 "Safety Integrated
acknowledgement internal event input terminal" is energized. This allows faults that occurred
in the firmware installed in the Control Unit or Motor Module to be acknowledged by means
of a safe input signal. The falling edge at this input resets the status "Internal Event" in the
drives and, if used, in the TM54F.
To prevent safety faults from being acknowledged unintentionally or incorrectly, the signal at
the TM54F F DI terminal, which was parameterized for acknowledgement purposes, must be
at level "0" in the idle state. To trigger the acknowledgement (falling edge at F DI), the signal
must first be set to "1" and then back to "0". If the required idle state is not reached, an alarm
is output.
After "safe fault acknowledgement", an acknowledgement must be issued on the Control
Unit in order to:
● Delete the TM54F faults from the fault buffer
● Reset the pending, red "Ready" LED on the TM54F

Acknowledgement via PROFIsafe


The higher-level controller sets the signal "Internal Event ACK" via the PROFIsafe telegram
(STW bit 7) separately for each drive object. A falling edge in this signal sets the status
"Internal Event" in the relevant drive, which acknowledges the fault.
Faults in the drive objects (DOs) cannot be acknowledged by the higher-level controller in
the line-up but must instead be acknowledged separately for each individual drive object.

Description of faults and alarms

Note
The faults and alarms for SINAMICS Safety Integrated are described in the following
documentation:
Reference: /LH1/ SINAMICS S120/S150 List Manual

Safety Integrated
Function Manual, (FHS), 11/2009, 6SL3097-4AR00-0BP0 91
Safety Integrated Extended Functions
5.11 Message buffer

5.11 Message buffer


In addition to the fault buffer for F... faults and the alarm buffer for A... alarms (see the
corresponding chapter in: /IH1/ SINAMICS S120 Commissioning Manual), specifically for
Safety Integrated Extended Functions, there is also a message buffer for C... safety
messages.
The fault messages for the Safety Integrated Basic Functions are stored in the standard fault
buffer (see chapter "Buffer for faults and alarms" in /IH1/: SINAMICS S120 Commissioning
Manual).
The message buffer for safety messages is similar to the fault buffer for fault messages.
The message buffer comprises the message code, message value, and message time
(received/resolved). The following diagram shows how the message buffer is structured:

[Figure: one row of eight entries (index 0 ... 7) each for "Current message incident",
"1st acknowledged message incident" ... "7th acknowledged message incident [oldest]"; the
columns are message code (r9747), message time received in ms (r9748), message value
(r9749), message value for float values (r9753), message time received in days (r9754),
message time resolved in ms (r9755) and message time resolved in days (r9756)]

Figure 5-10 Structure of the message buffer

When a safety message is present, bit r2139.5 = 1 ("Safety message present") is set.
The entry in the message buffer is delayed. For this reason, the message buffer should not
be read until a change in the buffer (r9744) has been detected after "Safety message
present" is output.
The messages must be acknowledged via the fail-safe inputs F-DI of the TM54F or via
PROFIsafe.


Properties of the safety message buffer:


● The entries appear in the buffer according to the time at which they occurred.
● If a new message case occurs, the message buffer is reorganized accordingly.
The history is recorded in the "Acknowledged message case" 1 to 7.
● If the cause of at least one message in "Current message case" is rectified and
acknowledged, the message buffer is reorganized accordingly. Messages that have not
been rectified remain in "Current message case".
● If "Current message case" contains eight messages and a new message is output, the
message in the parameters in index 7 is overwritten with the new message.
● r9744 is incremented each time the message buffer changes.
● A message value (r9749, r9753) can be output for a message. The message value is
used to diagnose the message more accurately (refer to the message description for
more details).

Deleting the message buffer:


The message buffer can be deleted as follows: p9752 = 0. Parameter p9752 (SI message
cases, counter) is also reset to 0 at POWER ON. This also clears the fault memory.
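The buffer rules above can be checked against a small model. The following Python code is an added example written for this page, not Siemens firmware: it lays the 8 message cases of 8 entries each out as the 64-index parameter arrays (r9747[0...63] and so on), reorganizes the buffer on a new message case and on acknowledgement, overwrites index 7 when the current case is full, increments r9744 on every change and clears the buffer with p9752 = 0. How messages whose cause still persists are carried over after an acknowledgement is an assumption of the model, and the message codes and times are constructed values.

```python
"""Model of the Safety Integrated message buffer for C... safety messages.

Added example written for this page, not Siemens code. It implements the
rules the manual states: 8 entries per message case, the current case plus
the acknowledged cases 1 to 7 (8 x 8 = 64 slots, r9747[0...63]),
reorganization on a new message case or on acknowledgement, overwriting of
index 7 when the current case is full, r9744 incremented on every change
and the buffer cleared with p9752 = 0. How unresolved messages are carried
over after an acknowledgement is an assumption of this model; the message
codes and times used below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

CASES = 8       # "Current message case" + "Acknowledged message case" 1..7
PER_CASE = 8    # entries (index 0..7) within one message case


@dataclass
class SafetyMessage:
    code: int                           # r9747: message code (C01711 -> 1711)
    value: int                          # r9749: message value
    received_ms: int                    # r9748: message time received
    resolved_ms: Optional[int] = None   # r9755: message time resolved


class SafetyMessageBuffer:
    def __init__(self) -> None:
        self.cases: List[List[SafetyMessage]] = [[] for _ in range(CASES)]
        self.r9744 = 0   # SI message buffer changes, counter
        self.p9752 = 0   # SI message cases, counter

    def current(self) -> List[SafetyMessage]:
        return self.cases[0]

    def r9747(self) -> List[int]:
        """Message codes laid out as the 64-index parameter (0 = empty slot).

        Entry n of message case k sits at index k * 8 + n, so r9747[8..15]
        is "Acknowledged message case 1" and r9747[56..63] the oldest case.
        """
        out = [0] * (CASES * PER_CASE)
        for k, case in enumerate(self.cases):
            for n, msg in enumerate(case):
                out[k * PER_CASE + n] = msg.code
        return out

    def new_message(self, msg: SafetyMessage) -> None:
        """A new message is entered in "Current message case"."""
        if not self.cases[0]:
            self.p9752 += 1           # a new message case begins
        cur = self.cases[0]
        if len(cur) == PER_CASE:
            cur[PER_CASE - 1] = msg   # eight present: index 7 is overwritten
        else:
            cur.append(msg)           # entries are ordered by time of occurrence
        self.r9744 += 1

    def rectify(self, code: int, resolved_ms: int) -> None:
        """The cause of a current message has been removed (time goes to r9755)."""
        for msg in self.cases[0]:
            if msg.code == code and msg.resolved_ms is None:
                msg.resolved_ms = resolved_ms
                self.r9744 += 1

    def acknowledge(self) -> None:
        """Safe acknowledgement (F-DI via p10006 or PROFIsafe "Internal Event ACK")."""
        cur = self.cases[0]
        rectified = [m for m in cur if m.resolved_ms is not None]
        if not rectified:
            return                    # nothing to reorganize
        # Assumption of this model: the rectified messages become
        # "Acknowledged message case 1", the older history shifts back one
        # slot (the 7th, oldest case drops out) and messages whose cause
        # still persists remain in "Current message case".
        pending = [m for m in cur if m.resolved_ms is None]
        self.cases = [pending, rectified] + self.cases[1:CASES - 1]
        self.r9744 += 1

    def clear(self) -> None:
        """p9752 = 0 deletes the message buffer (also happens at POWER ON)."""
        self.cases = [[] for _ in range(CASES)]
        self.p9752 = 0
        self.r9744 += 1


if __name__ == "__main__":
    buf = SafetyMessageBuffer()
    buf.new_message(SafetyMessage(1711, 1, 100))
    buf.new_message(SafetyMessage(1714, 0, 120))
    buf.rectify(1711, 500)
    buf.acknowledge()
    print("current:", [m.code for m in buf.current()])       # [1714]
    print("r9747[8]:", buf.r9747()[8], "r9744:", buf.r9744)  # 1711 4
```

The index arithmetic in r9747() is the point of the model: a higher-level controller that reads the buffer must read r9744 first and compare it with the last value, because after a reorganization the same index may hold a different message.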

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● r2139.0...12 CO/BO: Status word, faults/alarms 1
● r9744 SI message buffer changes, counter
● p9752 SI message cases, counter
● r9747[0...63] SI message code
● r9748[0...63] SI message time received in milliseconds
● r9749[0...63] SI message value
● r9753[0...63] SI message value for float values
● r9754[0...63] SI message time received in days
● r9755[0...63] SI message time removed in milliseconds
● r9756[0...63] SI message time removed in days


5.12 Safe actual value acquisition

Supported encoder systems


The Safety functions used to monitor motion (e.g. SS1, SS2, SOS, SLS and SSM) require
safe actual value acquisition.
For safe speed/position sensing, either of the following can be used:
● Single-encoder systems
● Two-encoder systems

Single-encoder system
In a single-encoder system, only the motor encoder is used to safely acquire the drive actual
values. This motor encoder must be appropriately qualified (see encoder types). The safety-
relevant actual values are generated either directly in the encoder or in the Sensor Module
and are transferred to the Control Unit by way of fail-safe communication via DRIVE-CLiQ.
For motors without a DRIVE-CLiQ interface, the connection is established by means of
additional Sensor Modules (SMC or SME).
Even if the drive is operating in the closed-loop torque controlled mode, motion monitoring
functions may be selected as long as it is guaranteed that the encoder signals can be
evaluated.

Special feature in the case of linear motors


The motor encoder (linear scale) of linear motors also acts as load measuring system. Only
one measuring system is required for this reason. The system is connected by means of a
Sensor Module or directly via DRIVE-CLiQ.

NOTICE
When specifying the standstill tolerance window, observe that fail-safe position monitoring
within a single-encoder system only works at a rough resolution with 4 pulses per
revolution.


[Figure: motor M with encoder E connected via DRIVE-CLiQ to the Control Unit, through a
Sensor Module where needed (not applicable for motors with DRIVE-CLiQ interface); machine
table, linear scale and backlash shown]

Figure 5-11 Example of an S120 single-encoder system

Two-encoder system
The fail-safe actual values for a drive are provided by two separate encoders. The actual
values are transferred to the Control Unit by means of fail-safe communication via DRIVE-
CLiQ.
For motors without a DRIVE-CLiQ interface, the connection is established by means of
additional Sensor Modules (SMC or SME).
Each measuring system requires a separate connection or a separate Sensor Module.

[Figure: motor M with encoder E and machine table with linear scale E, both connected via
DRIVE-CLiQ, through a Sensor Module where needed (not required for motors with DRIVE-CLiQ
interface); backlash indicated]

Figure 5-12 Example of an S120 two-encoder system on a linear axis via a ballscrew


[Figure: motor M with encoder E and a second, load-side encoder E, connected via DRIVE-CLiQ,
through a Sensor Module where needed (not required for motors with DRIVE-CLiQ interface)]

Figure 5-13 Example of an S120 two-encoder system on a rotary axis

Encoder types
Incremental encoders or absolute encoders can be used for safe detection of the position
values on a drive.
Safe actual value acquisition relies on redundant evaluation of the incremental channels A/B
that supply sin/cos signals of 1 Vpp.
The absolute position values can be transferred via the serial EnDat interface or an SSI
interface to the controller.

Encoder types for a single-encoder system


In single-encoder systems, encoders with photoelectric sampling only are permitted for safe
actual value acquisition. These optical encoders must supply sin/cos signals of 1 Vpp on the
incremental channels A/B.

Note
Basic absolute encoders (e.g. ECI, EQI) that offer an EnDat interface with additional sin/cos
tracks, but operate according to an inductive measuring principle internally, are not permitted
for single-encoder systems.


Encoder types for two-encoder systems


With a two-encoder system, the required redundancy can also be achieved using less highly
qualified encoders. In this case, therefore, encoders with a microprocessor in the signal path
can also be used. Each encoder output signal must also supply sin/cos signals of 1 Vpp on
the incremental channels A/B.
In addition to the permissible motors with integrated encoder with a DRIVE-CLiQ connection,
in principle, encoders that can be connected to the following Sensor Modules can be used
for safe actual value acquisition:
● SMC20
● SME20/SME25
● SME120/SME125

Note
Also for a two-encoder system, motors with integrated resolver with DRIVE-CLiQ connection
have not been enabled for Safety Integrated.

Actual value synchronization

[Figure: time plot of the actual position values of sensor 1 and sensor 2 and the resulting
safe actual position value on the load side; the deviation between the actual position
values must not exceed the slip (p9349/p9549) in any crosswise comparison (KDV) cycle
(r9724)]

Figure 5-14 Example diagram of actual value synchronization

Once actual value synchronization (p9301.3 = p9501.3 = 1) has been activated, the mean
value of the actual values of both encoders is calculated cyclically. The maximum slip defined
in p9349/p9549 is monitored within the crosswise comparison clock cycle (r9724). If "actual
value synchronization" is not enabled, the value parameterized in p9342/p9542 is used as the
tolerance value for the crosswise comparison.
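The two evaluation rules can be illustrated with a small simulation. The following Python code is an added example for this page, not Siemens firmware: per crosswise comparison clock cycle (r9724) it either forms the mean of both encoders and checks the slip per cycle against p9349/p9549 (synchronization enabled) or checks the deviation between the encoders against p9342/p9542 (synchronization disabled). Which value is passed on without synchronization, the fault response and the unit handling are assumptions of the model; the position traces are constructed in encoder increments.

```python
"""Crosswise comparison of two safe encoder actual values.

Added example, not Siemens firmware. Per crosswise comparison clock cycle
(r9724) it applies the two rules the manual states: with actual value
synchronization enabled (p9301.3 = p9501.3 = 1) the safe actual value is
the mean of both encoders and the slip per cycle is checked against
p9349/p9549; without it the deviation between the encoders is checked
against p9342/p9542. Which value is passed on without synchronization, the
fault response and the unit handling are assumptions; the position traces
are constructed (encoder increments).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CrossCompareConfig:
    sync_enabled: bool      # p9301.3 / p9501.3 = 1
    p9542: float            # actual value comparison tolerance (increments)
    p9549: float            # slip velocity tolerance (increments per second)
    r9724_ms: float         # crosswise comparison clock cycle in ms


def cross_compare(cfg: CrossCompareConfig, enc1: List[float], enc2: List[float]
                  ) -> Tuple[List[float], Optional[int]]:
    """Return (safe actual value per cycle, index of the first violated cycle).

    The second element is None when both channels agreed in every cycle.
    The violated cycle produces no safe value: at that point the firmware
    would trigger a safety fault instead of passing a position on.
    """
    cycle_s = cfg.r9724_ms / 1000.0
    slip_limit = cfg.p9549 * cycle_s     # permitted slip within one cycle
    safe: List[float] = []
    prev_dev = enc1[0] - enc2[0]
    for k, (a, b) in enumerate(zip(enc1, enc2)):
        dev = a - b
        if cfg.sync_enabled:
            # The slip is the change of the deviation from one cycle to the next.
            if abs(dev - prev_dev) > slip_limit:
                return safe, k
            safe.append((a + b) / 2.0)   # mean value of both encoders
            prev_dev = dev
        else:
            if abs(dev) > cfg.p9542:
                return safe, k
            safe.append(a)               # assumption: encoder 1 is passed on
    return safe, None


def constructed_traces(cycles: int, slip_per_cycle: float
                       ) -> Tuple[List[float], List[float]]:
    """Constructed sample: encoder 1 advances 10 increments per cycle, encoder 2
    falls behind by slip_per_cycle more in every cycle (e.g. a slipping
    coupling between motor encoder and load-side scale)."""
    enc1 = [10.0 * k for k in range(cycles)]
    enc2 = [10.0 * k - slip_per_cycle * k for k in range(cycles)]
    return enc1, enc2


if __name__ == "__main__":
    enc1, enc2 = constructed_traces(10, slip_per_cycle=1.0)
    sync = CrossCompareConfig(True, p9542=5.0, p9549=300.0, r9724_ms=4.0)
    print(cross_compare(sync, enc1, enc2))     # ten mean values, None
    nosync = CrossCompareConfig(False, p9542=5.0, p9549=300.0, r9724_ms=4.0)
    print(cross_compare(nosync, enc1, enc2))   # six values, violation at cycle 6
```

The same slowly growing deviation passes with synchronization enabled (the slip per cycle stays below p9549 x r9724) but is rejected without it once the absolute deviation exceeds p9542, which is why the manual ties the tolerance parameter that applies to the synchronization setting.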


Two read parameters are available for safe motion monitoring:


r9730: SI Motion safe maximum velocity
Displays the maximum speed (load side) permissible due to the acquisition of actual values
for safe motion monitoring functions. The maximum velocity for actual value acquisition
depends on the actual value update clock cycle (p9311/p9511). Parameters p9311/p9511
are used to set the clock cycle time of the actual value acquisition for safe motion monitoring.
A slower clock cycle reduces the maximum permissible velocity, but also reduces the load
on the Control Unit for safe actual value acquisition.
The maximum permissible velocity which, if overshot, can trigger faults in safe actual value
acquisition, is displayed in parameter r9730.
With a default value of p9311/p9511 (0 ms), the isochronous PROFIBUS clock cycle is used
(or 1 ms in non-isochronous mode).

NOTICE
Changing the EDS with safe motion monitoring
An encoder which is used for Safety functions must not be switched over when a data set is
switched over.
The Safety functions check the safety-relevant encoder data for changes when data sets
are switched over. If a change is detected, fault F01670 is displayed with a fault value of
10, which results in a non-acknowledgeable STOP A. The safety-relevant encoder data in
the various data sets must therefore be identical.

r9731: SI Motion safe position accuracy


Displays the greatest position accuracy (load side) that can be ensured due to the
acquisition of the actual value for the safe motion monitoring functions.
Both parameters (r9730/r9731) depend on the relevant encoder type.

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p9301.3 SI Motion enable safety functions (Motor Module), enable actual value synchronization
● p9501.3 SI Motion enable safety functions (Control Unit), enable actual value synchronization
● p9302 SI Motion axis type (Motor Module)
● p9502 SI Motion axis type (Control Unit)
● p9311 SI Motion actual value sensing clock cycle (Motor Module)
● p9511 SI Motion actual value sensing clock cycle (Control Unit)
● p9315 SI Motion encoder coarse position value configuration (Motor Module)
● p9515 SI Motion encoder coarse position value configuration (Control Unit)
● p9316 SI Motion motor encoder configuration safety functions (Motor Module)
● p9516 SI Motion motor encoder configuration safety functions (Control Unit)
● p9317 SI Motion linear scale grid division (Motor Module)

● p9517 SI Motion linear scale grid division (Control Unit)
● p9318 SI Motion encoder pulses per revolution (Motor Module)
● p9518 SI Motion encoder pulses per revolution (Control Unit)
● p9319 SI Motion fine resolution Gn_XIST1 (Motor Module)
● p9519 SI Motion fine resolution G1_XIST1 (Control Unit)
● p9320 SI Motion spindle pitch (Motor Module)
● p9520 SI Motion spindle pitch (Control Unit)
● p9321[0...7] SI Motion gearbox encoder/load denominator (Motor Module)
● p9521[0...7] SI Motion gearbox encoder/load denominator (Control Unit)
● p9322[0...7] SI Motion gearbox encoder/load numerator (Motor Module)
● p9522[0...7] SI Motion gearbox encoder/load numerator (Control Unit)
● p9323 SI Motion redundant coarse position value valid bits (Motor Module)
● p9324 SI Motion redundant coarse position value fine resolution (Motor Module)
● p9325 SI Motion redundant coarse position value relevant bits (Motor Module)
● p9523 SI Motion redundant coarse position value valid bits (Control Unit)
● p9524 SI Motion redundant coarse position value fine resolution (Control Unit)
● p9525 SI Motion redundant coarse position value relevant bits (Control Unit)
● p9326 SI Motion encoder assignment (Motor Module)
● p9526 SI Motion encoder assignment second channel
● p9342 SI Motion actual value comparison tolerance (crosswise) (Motor Module)
● p9542 SI Motion actual value comparison tolerance (crosswise) (Control Unit)
● p9349 SI Motion slip velocity tolerance (Motor Module)
● p9549 SI Motion slip velocity tolerance (Control Unit)
● r9713[0...3] SI Motion diagnostics position actual value load side
● r9724 SI Motion crosswise comparison clock cycle
● r9730 SI Motion safe maximum velocity
● r9731 SI Motion safe position accuracy


5.13 Forced dormant error detection

Forced dormant error detection and function test through test stop
The functions and switch-off signal paths must be tested at least once within a defined time
interval in order to meet requirements as per EN ISO 13849-1 (2006) and IEC 61508 in
terms of timely fault detection.
The maximum permissible interval for forced dormant error detection with the Basic and
Extended Functions is 9000 hours or once a year.
This functionality must be implemented by triggering the test stop, either cyclically in
manual mode or by the automated process.
The test stop cycle is monitored. On expiration of the programmed timer, the alarm A01697:
"SI Motion: Test of motion monitoring required" is generated and a status bit is set which can
be transferred to an output or to a PZD bit via BICO. This alarm does not affect machine
operation.
The test stop must be initiated in an application-specific manner and executed at a time that
suits the application. This functionality is implemented by means of the single-channel
parameter p9705, which can be wired via BICO either to an input terminal on the drive unit
(CU) or to an IO-PZD in the drive telegram.
● p9559 SI Motion Forced dormant error detection timer (Control Unit)
● p9705 BI: SI Motion Test stop signal source
● r9723.0 CO/BO: SI Motion diagnostics signals integrated in the drive
A test stop does not require POWER ON. The acknowledgment is set by canceling the test
stop request.
When the appropriate safety devices are implemented (e.g. protective doors), it can be
assumed that running machinery will not pose any risk to personnel. For this reason, only an
alarm is output to inform the user that a forced dormant error detection run is due and to
request that this be carried out at the next available opportunity.
Examples of when to carry out forced dormant error detection:
● When the drives are at a standstill after the system has been switched on.
● Before the protective door is opened.
● At defined intervals (e.g. every 8 hours).
● In automatic mode (time and event dependent)

Note
STO is triggered when a test stop is carried out for the Safety functions. It is not permissible
to select STO before selecting the test stop and the axis must not be in operation.
When using blocksize Power Modules, the test stop must be initiated at closed-loop
controlled standstill (speed setpoint of 0, current is flowing through the motor).


Forced dormant error detection F-DI/F-DO of TM54F through test stop


An automatic test stop function is available for forced dormant error detection of the
F-DIs/F-DOs.
To ensure that the test stop function of the TM54F can be used, the F-DIs that are used
must be interconnected in accordance with the following wiring example. The digital inputs of
F-DI0 to F-DI4 must be connected to the "L1+" power supply. The digital inputs of F-DI5 to
F-DI9 must be connected to the "L2+" power supply.

[Figure: Terminal Module TM54F with its DRIVE-CLiQ sockets and 24 V supply; the fail-safe
inputs F-DI 0 ... 9 (both digital inputs of each F-DI, the inversion of the second input can
be parameterized) supplied from L1+ and L2+; the fail-safe outputs F-DO 0 ... 3 with their
relays and the feedback signals wired to DI 20 ... 23]

Figure 5-15 Example of the TM54F wiring


The F-DIs must be registered for the test stop by means of p10041.

CAUTION
The F-DI states are frozen for the duration of the test (approx. 100 ms)!

In order to be able to use the test stop function, the F-DOs being used must be
interconnected in accordance with the connection example shown above and the forced
feedback signals of the two relays must be connected to the corresponding digital input
(DI 20 to DI 23).
The corresponding F-DOs must be registered for the test stop by means of p10046.

NOTICE
F-DOs which are not registered for evaluation by means of p10046 are set to "0" for the
duration of the test stop ("fail-safe values").
Maximum test stop period: 19 * p10000 + 2 * 20 ms + 6 * p10001

WARNING

If the connected devices do not support the test stop function for specific F-DIs or F-DOs,
the relevant F-DIs/F-DOs must be operated dynamically, e.g. by means of switch operation,
or through specific machine functions.

The test stop must be executed at a suitable time, that is, it must be initiated in an
application-specific manner. This functionality is implemented by means of parameter p10007,
which can be wired via BICO either to an input terminal on the drive unit (CU) or to an
IO-PZD in the drive telegram.
The test stop cycle is monitored. On expiration of the programmed timer, the alarm A35014:
"TM54F: Test stop required" is output.
● p10001 SI delay time for test stop at F-DO 0 ... 3
● p10003 SI forced dormant error detection timer
● p10007 BI: SI input terminal forced dormant error detection F-DO 0 ... 3
● p10041 SI F-DI test enable
● p10046 SI test sensor feedback input DI 20 ... 23
A test stop does not require POWER ON. The acknowledgment is set by canceling the test
stop request.
Additional instructions for performing the test stops are provided in Chapter "Commissioning
TM54F using STARTER/Scout → Test stop".
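Both test stop cycles described in this chapter (the motion monitoring test stop with p9559/p9705/A01697 and the TM54F test stop with p10003/p10007/A35014) follow the same pattern, which the following Python model shows. It is an added example for this page, not Siemens firmware: timer expiry only raises an alarm and a status bit, the test stop is started by the BICO request signal, it is refused while STO is already selected or the axis is in operation, and it is acknowledged by cancelling the request without POWER ON. The timer unit (hours) and the way the model represents the STO triggered by the test are assumptions; the maximum TM54F test stop period is the formula stated above.

```python
"""Test stop monitoring for forced dormant error detection (drive and TM54F).

Added example, not Siemens firmware. It models the rules the manual states
for both test stop cycles: a timer (p9559 for the motion monitoring
functions, p10003 for the TM54F) whose expiry only raises an alarm (A01697
or A35014) and a status bit, without affecting machine operation; the test
stop is requested via a BICO signal (p9705 or p10007), triggers STO, must
not be started while STO is already selected or the axis is in operation,
and is acknowledged by cancelling the request (no POWER ON). The timer unit
(hours) and the handling of STO inside the model are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

MAX_INTERVAL_HOURS = 9000   # permitted maximum for the test interval


def tm54f_max_test_stop_ms(p10000_ms: float, p10001_ms: float) -> float:
    """Maximum TM54F test stop period: 19 * p10000 + 2 * 20 ms + 6 * p10001."""
    return 19 * p10000_ms + 2 * 20 + 6 * p10001_ms


@dataclass
class TestStopMonitor:
    timer_hours: float          # p9559 (drive) or p10003 (TM54F)
    alarm_text: str             # A01697 or A35014
    hours_since_test: float = 0.0
    request: int = 0            # BICO source p9705 / p10007 (1 = test stop requested)
    sto_selected: bool = False  # STO selected by the application
    test_running: bool = False
    alarms: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 < self.timer_hours <= MAX_INTERVAL_HOURS:
            raise ValueError("test interval must be > 0 and at most 9000 h")

    @property
    def test_required(self) -> bool:
        """Status bit that can be routed to an output or a PZD bit via BICO."""
        return self.hours_since_test >= self.timer_hours

    def operate(self, hours: float) -> None:
        """Operating time elapses; expiry raises the alarm only."""
        self.hours_since_test += hours
        if self.test_required and self.alarm_text not in self.alarms:
            self.alarms.append(self.alarm_text)

    def request_test_stop(self, axis_in_operation: bool) -> bool:
        """Rising edge of the request signal. Returns True if the test starts."""
        if self.sto_selected or axis_in_operation or self.test_running:
            return False            # STO must not be selected first; axis at standstill
        self.request = 1
        self.test_running = True    # the test stop itself triggers STO
        return True

    def cancel_test_stop(self) -> None:
        """Falling edge of the request signal acknowledges the test stop."""
        if not self.test_running:
            return
        self.request = 0
        self.test_running = False
        self.hours_since_test = 0.0
        self.alarms = [a for a in self.alarms if a != self.alarm_text]


if __name__ == "__main__":
    drive = TestStopMonitor(8.0, "A01697 SI Motion: Test of motion monitoring required")
    drive.operate(8.5)
    print(drive.test_required, drive.alarms)                  # True, [A01697 ...]
    print(drive.request_test_stop(axis_in_operation=False))   # True
    drive.cancel_test_stop()
    print(drive.test_required, drive.alarms)                  # False, []
    print(tm54f_max_test_stop_ms(p10000_ms=2.0, p10001_ms=5.0))  # 108.0
```

A second instance with p10003 and A35014 models the TM54F cycle; the value returned by tm54f_max_test_stop_ms() is the worst-case time during which the F-DI states are frozen and unregistered F-DOs are at their fail-safe values.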

6 Control of the safety functions
6.1 Overview of F-DI/F-DOs and of their structure

General description
The safety-oriented input and output terminals (F-DI and F-DO) act as an interface between
the internal Safety Integrated functionality and the process.
A dual-channel signal applied to an F-DI (Fail-safe Digital Input, safety-oriented digital input =
safe input terminal pair) controls the active monitoring of the activation/deactivation of safety
functions. This function also depends on the status of sensors (e.g. switches).
An F-DO (Fail-safe Digital Output, safety-oriented digital output = safe output terminal pair)
delivers a dual-channel signal representing feedback from the safety functions. It is suitable,
for example, for the safety-oriented control of actuators (e.g. line contactor). See also the
figures "F-DI 0 ... 4 overview", "F-DI 5 ... 9 overview" and "F-DO overview (without showing
the main contacts on the contactors)".

Dual-channel processing of I/O signals


A dual-channel structure is implemented for data input/output and for processing safety-
oriented I/O signals. All requests and feedback signals for safety-oriented functions should
be entered or tapped using both channels.

The following options are available for controlling Safety Integrated functions:
● Control via terminals on the Control Unit and Motor Module (only STO, SS1 (time
controlled) and SBC)
● Control by means of TM54F terminals
● Control via PROFIsafe
Only one of the two control modes TM54F or PROFIsafe can be selected for each drive object.
Control by means of terminals on the Control Unit and Motor Module can be activated
alongside either of the other two options.

NOTICE
Per single Control Unit, either control via PROFIsafe or TM54F is permitted. Mixed
operation is not permitted.

6.2 Control signals by way of terminals on the Control Unit and Motor/Power Module

Features
● Only for the STO, SS1 (time-controlled) and SBC functions
● Dual-channel structure via two digital inputs (Control Unit/power unit)
● Adjustable input filter for suppressing faults due to non-symmetrical test signals using
parameters p9851/p9651 (SI Safe Stop 1 delay time)
● Different terminal blocks depending on the format
● Automatic ANDing of up to 12 digital inputs (p9620[0...7]) on the Control Unit for chassis
format power units connected in parallel

Overview of the safety function terminals for SINAMICS S120


The different power unit formats of SINAMICS S120 have different terminal designations for
the inputs of the safety functions. These are shown in the following table.

Table 6-1 Inputs for safety functions

Module | 1st switch-off signal path (p9620[0]) | 2nd switch-off signal path | EP terminals
Control Unit CU320-2 DP | X122.1...6 / X132.1...6, DI 0...7/16/17/20/21 | - | -
Single Motor Module booksize/booksize compact | (see CU320-2 DP) | X21.3 and X21.4 (on the Motor Module) | X21.3, X21.4
Single Motor Module / Power Module in chassis format | (see CU320-2 DP) | X41.1 and X41.2 | X41.1, X41.2
Double Motor Module booksize/booksize compact | (see CU320-2 DP) | X21.3 and X21.4 (motor connection X1) / X22.3 and X22.4 (motor connection X2) (on the Motor Module) | X21.3, X21.4, X22.3, X22.4
Power Module blocksize with CUA31/CUA32 | (see CU320-2 DP) | X210.3 and X210.4 (on the CUA31/CUA32) | X210.3, X210.4
For further information about the terminals, see the Equipment Manuals.


Terminals for STO, SS1 (time-controlled), SBC


The functions are separately selected/deselected for each drive using two terminals.
1st switch-off signal path: Control Unit
The desired input terminal is selected via BICO interconnection (BI: p9620[0]).
2nd switch-off signal path: Motor Module/Power Module
The input terminal is the "EP" terminal ("Enable Pulses").
The EP terminal is periodically interrogated with a sampling time that is rounded up to an
integer multiple of the current controller cycle and is at least 1 ms
(example: ti = 400 µs, tEP => 3 x ti = 1.2 ms).
Both terminals must be operated simultaneously, otherwise a fault is issued.

[Figure: Control Unit monitoring channel: digital input DIx on the Control Unit,
interconnected via BI: p9620[0]; Motor Module monitoring channel: EP +24 V and EP M
terminals on the Motor Module; Control Unit and Motor Module connected via DRIVE-CLiQ;
motor with temperature sensor, brake (BR) and encoder]

Figure 6-1 Example: Terminals for "Safe Torque Off", example for Motor Modules booksize and CU320-2 DP


Grouping drives
To ensure that the function works for more than one drive at the same time, the terminals for
the corresponding drives must be grouped together as follows:
1st switch-off signal path
By connecting the binector input to the joint input terminal on the drives in one group.
2nd switch-off signal path (Motor Module/Power Module with CUA3x)
By appropriately wiring the terminals for the individual Motor Modules/Power Modules
with CUA31/CUA32 assigned to the group.

Note
The grouping must be identical in both monitoring channels.
If a fault in a drive results in a "Safe Torque Off" (STO), this does not automatically mean
that the other drives in the same group also switch to "Safe Torque Off" (STO).

The assignment is checked during the test for the switch-off signal paths. The operator
selects "Safe Torque Off" for each group. The check is drive-specific.

Example: Terminal groups


It must be possible to select/deselect "Safe Torque Off" separately for group 1 (drive 1 and 2)
and group 2 (drive 3 and 4).
For this purpose, the same grouping for "Safe Torque Off" must be performed on both the
Control Unit and the Motor Modules.


[Figure: selection/deselection of group 1 (drives 1 and 2) and group 2 (drives 3 and 4) via
one digital input DI on the Control Unit per group (p9620[0] of the drives in the group) and
via the EP terminals of the Motor Modules in the line-up (Line Module, Single Motor Modules
and Double Motor Module shown)]

Figure 6-2 Example: Grouping terminals with Motor Modules booksize and CU320-2 DP

Information on the parallel connection of chassis type Motor Modules


When chassis type Motor Modules are connected in parallel, a safe AND element is created
on the parallel drive object. The number of indexes in p9620 corresponds to the number of
parallel chassis components in p0120.

Simultaneity and tolerance time of the two monitoring channels


The "Safe Torque Off" function must be selected/deselected simultaneously in both
monitoring channels using the input terminals and is only effective for the associated drive.
1 signal: Deselecting the function
0 signal: Selecting the function
"Simultaneously" means:
The changeover must be complete in both monitoring channels within the parameterized
tolerance time.
● p9650 SI SGE changeover tolerance time (Control Unit)
● p9850 SI SGE changeover tolerance time (Motor Module)
If the "Safe Torque Off" function is not selected/deselected within the tolerance time, this is
detected by the cross-comparison, and fault F01611 or F30611 (STOP F) is output. In this
case, the pulses have already been canceled as a result of the selection of "Safe Torque
Off" on one channel.


6.3 Control via TM54F

6.3.1 TM54F design


Terminal Module TM54F is a terminal expansion module for snap-on rail mounting to DIN
EN 60715. The TM54F features fail-safe digital I/O for controlling the Safety Integrated
Extended Functions.
Each Control Unit can be assigned only one TM54F which is connected via DRIVE-CLiQ.

NOTICE
The TM54F may not be interconnected in series with the Motor Modules and must be
operated on a separate DRIVE-CLiQ line (separate port on the Control Unit). Other
Terminal and Sensor Modules can be connected to this DRIVE-CLiQ line.

TM54F features the following terminals:

Table 6-2 Overview of the TM54F interfaces

Type | Number
Fail-safe digital outputs (F-DO) | 4
Fail-safe digital inputs (F-DI) | 10
Sensor 1) power supplies, dynamic response supported 2) | 2
Sensor 1) power supply, no dynamic response | 1
Digital inputs for checking the F-DO with activated forced dormant error detection | 4
1) Sensors: Fail-safe devices for command operations and status logging (e.g. Emergency
Stop pushbuttons, safety door locks, position switches, and light arrays / light curtains).
2) Dynamic response: The sensor power supply is cycled on and off by the TM54F when the
forced dormant error detection is active for the sensors, cable routing, and the evaluation
electronics.
The TM54F provides 4 fail-safe digital outputs and 10 fail-safe digital inputs. A fail-safe
digital output consists of a 24 V DC switching output, an output switching to ground and a
digital input for reading back the switching state. A fail-safe digital input consists of two digital
inputs.

Note
You have the following options of acknowledging TM54F faults after troubleshooting:
• POWER ON
• Falling edge in signal "Internal Event ACK" with subsequent alarm acknowledgement on
the Control Unit.


If the signal states within a fail-safe F-DI of the TM54F differ, the signal states of the two
digital inputs of the F-DI are frozen at logical 0 (safety function selected) until a safe
acknowledgement has been carried out using an F-DI via parameter p10006 (SI
acknowledgement, internal event input terminal).
The monitoring time (p10002) for the discrepancy of the two digital inputs of an F-DI must,
under certain circumstances, be selected high enough so that switching operations do not
initiate an undesirable response that then requires a safe acknowledgement. The signal
states at the two related digital inputs (F-DI) must be identical within this monitoring time;
otherwise fault F35151 "TM54F: Discrepancy error" is output, which requires safe
acknowledgement.

6.3.2 F-DI function

Description
Fail-safe digital inputs (F-DI) consist of two digital inputs. The cathode (M) of the optocoupler
is routed to the second digital input in order to allow the connection of an M-switching F-DO
output (the anode must be connected to 24 V DC).
Parameter p10040 is used to determine whether an F-DI is operated as NC/NC or NC/NO
contact. The status of DI can be read at parameter r10051 for the drive objects TM54F_MA
and TM54F_SL. The same bits of both drive objects are logically linked by AND operation
and return the status of the relevant F-DI.
Test signals from controls can be filtered out using parameters p9651/p9851 so that faults
are not incorrectly interpreted.
Explanation of terms:
NC contact / NC contact: to select the safety function, a "zero level" must be present on both
inputs.
NC contact / NO contact: to select the safety function, a "zero level" at input 1 and a "1 level"
at input 2 must be present.
The signal states at the two associated digital inputs (F-DI) must assume the same status
configured in p10040 within the monitoring time set in p10002.
In order to enable forced dormant error detection, connect the digital inputs of F-DI 0 ... 4
to the dynamic voltage supply L1+ and the digital inputs of F-DI 5 ... 9 to L2+ (for
additional information on forced dormant error detection, see the corresponding function
description in the chapter "Extended Functions").
In the SINAMICS S120/S150 List Manual, function diagrams 2850 and 2851 show an overview
of the fail-safe inputs F-DI 0 ... 4 and F-DI 5 ... 9 respectively.
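The F-DI evaluation described here and the "safe fault acknowledgement" via the F-DI parameterized in p10006 (chapter 5, "Acknowledgement via TM54F") fit together in one model. The following Python code is an added example for this page, not Siemens firmware: an F-DI with two digital inputs evaluated as NC/NC or NC/NO according to p10040, discrepancy monitoring with p10002, freezing at logical 0 with fault F35151 until a safe acknowledgement, and the acknowledgement input itself, whose 1 -> 0 edge acknowledges and which must be at 0 in the idle state. The fault stays in the buffer until the subsequent acknowledgement on the Control Unit, as the manual states. The bit encoding of p10040, the 1 ms sampling and the idle-state timeout are assumptions; the input traces are constructed.

```python
"""TM54F fail-safe input (F-DI) evaluation and safe acknowledgement.

Added example, not Siemens firmware. It models what the manual states:
an F-DI consists of two digital inputs, p10040 selects NC/NC or NC/NO
evaluation, both inputs must agree within the discrepancy monitoring time
p10002, otherwise both are frozen at logical 0 (safety function selected)
with fault F35151 until a safe acknowledgement via the F-DI parameterized
in p10006; that acknowledgement is a 1 -> 0 edge on a signal that must be 0
in the idle state, and the TM54F faults are only removed from the fault
buffer by a subsequent acknowledgement on the Control Unit. The encoding of
p10040, the millisecond sampling and the idle timeout are assumptions; the
input traces are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

NC_NC = 0   # p10040 mode: NC contact / NC contact (encoding assumed)
NC_NO = 1   # p10040 mode: NC contact / NO contact (encoding assumed)
F35151 = "F35151 TM54F: Discrepancy error"


@dataclass
class FailSafeInput:
    p10040_mode: int            # NC_NC or NC_NO
    p10002_ms: int              # discrepancy monitoring time
    discrepancy_ms: int = 0     # how long the two inputs have disagreed
    frozen: bool = False        # both inputs frozen at 0 until safe acknowledgement
    faults: List[str] = field(default_factory=list)

    def evaluate(self, di1: int, di2: int, dt_ms: int = 1) -> int:
        """One sample of both digital inputs; returns 1 = deselected, 0 = selected."""
        if self.frozen:
            return 0
        # Normalize both channels to "1 = function deselected": for NC/NO the
        # second input is inverted, so 0 at input 1 and 1 at input 2 selects.
        a = di1
        b = 1 - di2 if self.p10040_mode == NC_NO else di2
        if a == b:
            self.discrepancy_ms = 0
            return a
        self.discrepancy_ms += dt_ms
        if self.discrepancy_ms > self.p10002_ms:
            self.frozen = True            # fail-safe reaction: function selected
            self.faults.append(F35151)
        return a & b                      # AND of both channels: 0 while they differ

    def safe_acknowledge(self) -> None:
        """Falling edge on the p10006 F-DI: releases the frozen state only."""
        self.frozen = False
        self.discrepancy_ms = 0

    def control_unit_acknowledge(self) -> None:
        """Acknowledgement on the Control Unit deletes the TM54F faults."""
        self.faults.clear()


@dataclass
class SafeAcknowledgeInput:
    """The F-DI parameterized in p10006 ("SI acknowledgement internal event input terminal")."""
    idle_timeout_ms: int        # assumption: how long level 1 may persist before the idle alarm
    last_level: int = 0
    high_ms: int = 0
    idle_alarm: bool = False

    def update(self, level: int, dt_ms: int = 1) -> bool:
        """Returns True on the 1 -> 0 edge that performs the acknowledgement."""
        falling = self.last_level == 1 and level == 0
        self.high_ms = self.high_ms + dt_ms if level == 1 else 0
        if self.high_ms > self.idle_timeout_ms:
            self.idle_alarm = True        # required idle state (0) not reached
        self.last_level = level
        return falling


def run_trace(fdi: FailSafeInput, trace: List[Tuple[int, int]]) -> List[int]:
    """Evaluate a constructed trace of (input 1, input 2) samples, 1 ms apart."""
    return [fdi.evaluate(d1, d2) for d1, d2 in trace]


if __name__ == "__main__":
    # Constructed: the two contacts of an Emergency Stop open 3 ms apart.
    trace = [(1, 1), (1, 1), (1, 0), (1, 0), (1, 0), (0, 0), (0, 0)]
    fdi = FailSafeInput(NC_NC, p10002_ms=10)
    print(run_trace(fdi, trace), fdi.faults)        # [1, 1, 0, 0, 0, 0, 0] []
    strict = FailSafeInput(NC_NC, p10002_ms=2)
    print(run_trace(strict, trace), strict.faults)  # frozen, F35151 after 3 ms
    ack = SafeAcknowledgeInput(idle_timeout_ms=50)
    if [ack.update(level) for level in (0, 0, 1, 0)][-1]:
        strict.safe_acknowledge()
    print(strict.evaluate(1, 1), strict.faults)     # 1, fault still in buffer
    strict.control_unit_acknowledge()
    print(strict.faults)                            # []
```

The two FailSafeInput instances show the point of p10002: the same 3 ms contact bounce is harmless with a 10 ms monitoring time but trips F35151 and requires a safe acknowledgement with a 2 ms one.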

Safety Integrated
Function Manual, (FHS), 11/2009, 6SL3097-4AR00-0BP0 111
Control of the safety functions
6.3 Control via TM54F

F-DI features
● Fail-safe configuration with two digital inputs per F-DI
● Input filter for test signals with an adjustable suppression time (p9651/p9851)
● Configurable connection of NC/NC or NC/NO contacts by means of parameter p10040
● Status parameter r10051
● Adjustable time window for monitoring discrepancy at both digital inputs by means of
parameter p10002 for all F-DIs (details in Chapter: Input/output interconnections for a
safety switching device with TM54F)
● Second digital input with additional tap of the optocoupler cathode for connecting an
M-switching output of a fail-safe controller.

WARNING

In contrast to mechanical switching contacts (e.g. Emergency Stop switches), leakage
currents can still flow through semiconductor switches even when they are switched off.
This can lead to false switching states if digital inputs are not connected correctly.
The conditions for digital inputs/outputs specified in the relevant manufacturer
documentation must be observed.

WARNING

In accordance with IEC 61131 Part 2, Chapter 5.2 (2008), only outputs that have a
maximum residual current of 0.5 mA when "OFF" can be used to connect TM54F digital
inputs with digital semiconductor outputs.

The inclusion of additional load resistors makes it possible to use digital outputs with larger
residual currents to connect TM54F inputs.

Overview of important parameters (see the SINAMICS S120/S150 List Manual)

● p9651 SI STO/SBC/SS1 debounce time (Control Unit)
● p9851 SI STO/SBC/SS1 debounce time (Motor Module)
● p10002 SI discrepancy monitoring time
● p10040 SI F-DI input mode
● r10051.0...9 CO/BO: SI status of digital inputs


6.3.3 Function of the F-DO

Description
Fail-safe digital outputs (F-DO) consist of two digital outputs plus one digital input that
checks the switching state for forced dormant error detection. The first digital output switches
24 V DC, and the second switches M of the X514 voltage supply.
The status of each F-DO can be read at parameter r10052. The status of the associated DIs
can be read at parameter r10053 for the drive object of the slave (TM54F_SL).
In order to enable forced dormant error detection, connect the corresponding digital input to
the forced feedback signals of the relays (additional information on forced dormant error
detection is provided in the chapter "Extended functions").
In the SINAMICS S120/S150 List Manual, function diagram 2853 provides an overview of the
fail-safe outputs F-DO 0...3 and the associated checking inputs F-DI 20...23.

F-DO signal sources

A drive group contains several drives with similar characteristics. The groups are
parameterized at the p10010 and p10011 parameters.
The following signals are available for interconnecting (p10042 to p10045) each one of the
four drive groups with the F-DO:
● STO active (power removed)
● SS1 active
● SS2 active
● SOS active
● SLS active
● SSM feedback active
● SOS selected
● Internal event (no active safety fault)
● Safe state
The following signals can be requested by means of p10039[0...3] for each drive group
(index 0 corresponds with drive group 1 etc.):
● STO active (power removed)
● SS1 active
● SS2 active
● SOS active
● SLS active


[Figure: block diagram. Recoverable labels: "Pulse canceled", "SS active" (two inputs, digits lost in extraction), "SOS active", "SLS active", selection "p...[x]" (parameter digits lost), "Drive group x", "Safe state".]

Figure 6-3 Safe state selection

The same signals (high-active) of each drive of a drive group are logically linked by means of
AND operation. The different signals selected through p10039 are then logically linked by
means of OR operation. The result of these logic operations is the "Safe State" for each drive
group.
Each F-DO supports the interconnection of up to 6 signals by way of indexing (p10042[0...5]
to p10045[0...5]); the signals are output as a logical AND operation.

F-DO features
● Each F-DO with fail-safe configuration consisting of two digital outputs plus one digital
input for checking the switching state for forced dormant error detection
● Status parameters r10052/r10053

Function diagrams (see SINAMICS S120/S150 List Manual)


● 2853 TM54F (F-DO 0 ... F-DO 3, DI 20 ... DI 23)
● 2856 TM54F Safe State selection
● 2857 TM54F assignment (F-DO 0 ... F-DO 3)

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p10042[0..5] SI F-DO 0 signal sources
● p10045[0..5] SI F-DO 3 signal sources
● r10052.0...3 CO/BO: SI status of digital outputs
● r10053.0...3 CO/BO: SI digital inputs 20 ... 23


6.4 Activation via PROFIsafe


As an alternative to controlling Safety Integrated functions via terminals or TM54F, they can
also be controlled via PROFIsafe. PROFIsafe telegram 30 is used for communication using
PROFIBUS and PROFINET.
The structure of the associated control and status words is described further below (see
chapter "Description of telegram 30").

Control possibilities
The following options are available for controlling Safety Integrated Functions:
● Using terminals on the Control Unit and the Motor/Power Modules
● Using PROFIsafe (Telegram 30) via PROFIBUS or PROFINET
● Using PROFIsafe and terminals on the Control Unit and the Motor/Power Modules
● For S120 Cabinet Modules, S150 and G150 also using option K82

6.4.1 Setting up PROFIsafe communication


For PROFIsafe communication, SINAMICS devices require a PROFIBUS or a PROFINET
interface.
Every drive with configured PROFIsafe in the drive unit represents a PROFIsafe slave
(F slave) with a fail-safe communication to the F host via PROFIBUS or PROFINET and is
assigned its own PROFIsafe telegram.
For this purpose, a PROFIsafe safety channel (a so-called safety slot) is created using the HW
Config tool of SIMATIC Manager STEP 7. The Basic Functions can then also be controlled
using PROFIsafe telegram 30. The structure of the associated control and status words is
described further below (see tables "PROFIsafe-STW" and "PROFIsafe-ZSW").
PROFIsafe telegram 30 is placed in front of the standard telegram used for communication
(e.g. telegram 2).

Note
Licensing for Safety Integrated Basic Functions via PROFIsafe
No license is required to use Basic Functions. This also applies to control via PROFIsafe.
However, for Extended Functions, you require an appropriate license that will be charged for.

Enabling PROFIsafe
The Safety Integrated Functions are enabled via PROFIsafe using bit 3 of parameters p9601
and p9801:
p9601.3 = p9801.3 = 1
All parameters involved in PROFIsafe communication are password protected against
undesirable changes and secured using a checksum. The telegrams are configured using a
configuration tool (e.g. HW Config + F-Configuration Pack or SCOUT) on the F host.


Safety Integrated Basic Functions via PROFIsafe and terminals

Control of the Basic Functions via terminals on the Control Unit and on the Motor/Power
Module (parameters p9601.0 = p9801.0 = 1) may be enabled in parallel. In this way, the
STO and SS1 functions (time controlled) can be selected via PROFIsafe telegram 30 as well
as in parallel via the onboard terminals of the Control Unit and Motor Module/Power Module.

                Terminals              PROFIsafe
1st channel:    Control Unit           telegram 30
2nd channel:    Motor/Power Module     telegram 30

STO has priority over SS1, i.e. if SS1 and STO are simultaneously initiated, then STO is
executed.

6.4.2 Structure of telegram 30

6.4.2.1 Structure of telegram 30 (Basic Functions)

PROFIsafe control word (STW)


S_STW1, PZD1 in telegram 30, output signals
See function diagram [2840].

Table 6-3 Description of the PROFIsafe STW

Bit      Meaning              Value  Comments
0        STO                  1      Deselect STO
                              0      Select STO
1        SS1                  1      Deselect SS1
                              0      Select SS1
2        SS2                  0      (1)
3        SOS                  0      (1)
4        SLS                  0      (1)
5        Reserved             -      -
6        Reserved             -      -
7        Internal Event ACK   1/0    Acknowledgement
                              0      No acknowledgement
8        Reserved             -      -
9        Select SLS bit 0     -      (2)
10       Select SLS bit 1     -      (2)
11...15  Reserved             -      -

(1) Inactive signals for Basic Functions; are set to 0.
(2) A static zero signal must be continuously present.


PROFIsafe status word (ZSW)


S_ZSW1, PZD1 in telegram 30, input signals
See function diagram [2840].

Table 6-4 Description of the PROFIsafe status word (ZSW)

Bit      Meaning                 Value  Comments
0        STO active              1      STO active
                                 0      STO not active
1        SS1 active              1      SS1 active
                                 0      SS1 not active
2        SS2 active              0      (1)
3        SOS active              0      (1)
4        SLS active              0      (1)
5        Reserved                -      -
6        Reserved                -      -
7        Internal Event          1      No internal event
                                 0      Internal event
8        Reserved                -      -
9        Active SLS level bit 0  -      (1)
10       Active SLS level bit 1  -      (1)
11       SOS selected            0      (1)
12...14  Reserved                -      -
15       SSM (speed)             0      (1)

(1) Inactive signals for Basic Functions; are set to 0.


6.4.2.2 Structure of telegram 30 (Extended Functions)

PROFIsafe control word (STW)


S_STW1, PZD1 in telegram 30, output signals
See function diagram [2840].

Table 6-5 Description of the PROFIsafe STW

Bit      Meaning              Value  Comments
0        STO                  1      Deselect STO
                              0      Select STO
1        SS1                  1      Deselect SS1
                              0      Select SS1
2        SS2                  1      Deselect SS2
                              0      Select SS2
3        SOS                  1      Deselect SOS
                              0      Select SOS
4        SLS                  1      Deselect SLS
                              0      Select SLS
5        Reserved             -      -
6        Reserved             -      -
7        Internal Event ACK   1/0    Acknowledgement
                              0      No acknowledgement
8        Reserved             -      -
9        Select SLS bit 0     -      Select speed limit for SLS (2 bits) (1)
10       Select SLS bit 1     -
11...15  Reserved             -      -

(1) A static zero signal must be continuously available.


PROFIsafe status word (ZSW)


S_ZSW1, PZD1 in telegram 30, input signals
See function diagram [2840].

Table 6-6 Description of the PROFIsafe status word (ZSW)

Bit      Meaning                 Value  Comments
0        STO active              1      STO active
                                 0      STO not active
1        SS1 active              1      SS1 active
                                 0      SS1 not active
2        SS2 active              1      SS2 active
                                 0      SS2 not active
3        SOS active              1      SOS active
                                 0      SOS not active
4        SLS active              1      SLS active
                                 0      SLS not active
5        Reserved                -      -
6        Reserved                -      -
7        Internal event          1      No internal event
                                 0      Internal event
8        Reserved                -      -
9        Active SLS level bit 0  -      Display of the speed limit for SLS (2 bits)
10       Active SLS level bit 1  -
11       SOS selected            1      SOS selected
                                 0      SOS not selected
12...14  Reserved                -      -
15       SSM (speed)             1      SSM (speed below limit value)
                                 0      SSM (speed higher than/equal to limit)
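The S_STW1 / S_ZSW1 bit layouts of Tables 6-3 to 6-6, as an added Python example that is not Siemens code; it models only the 16-bit process data words and the STO-over-SS1 priority stated in section 6.4.1, not the PROFIsafe frame (CRC, consecutive number) around them:

```python
"""Encoding/decoding of the telegram 30 S_STW1 / S_ZSW1 bit layouts from
Tables 6-3 to 6-6. Added example, not Siemens code; it models only the
16-bit process data words, not the PROFIsafe frame wrapped around them.
"""

# Bit positions of S_STW1 (F host -> drive). Selection bits are low-active:
# 1 = deselect, 0 = select.
STW_BITS = {"STO": 0, "SS1": 1, "SS2": 2, "SOS": 3, "SLS": 4,
            "INTERNAL_EVENT_ACK": 7, "SLS_LEVEL_BIT0": 9, "SLS_LEVEL_BIT1": 10}
# Bits that must carry a static 0 when only Basic Functions are enabled.
BASIC_STATIC_ZERO = (2, 3, 4, 9, 10)

# Bit positions of S_ZSW1 (drive -> F host).
ZSW_BITS = {"STO_ACTIVE": 0, "SS1_ACTIVE": 1, "SS2_ACTIVE": 2, "SOS_ACTIVE": 3,
            "SLS_ACTIVE": 4, "NO_INTERNAL_EVENT": 7, "SLS_LEVEL_BIT0": 9,
            "SLS_LEVEL_BIT1": 10, "SOS_SELECTED": 11, "SSM_BELOW_LIMIT": 15}


def encode_stw(select=(), ack=False, sls_level=0, extended=False):
    """Build S_STW1. `select` names the functions to select (STO, SS1, ...).

    Deselected functions carry a 1, selected functions a 0. SS2/SOS/SLS and
    the SLS level bits are only written for the Extended Functions variant;
    for Basic Functions they stay at the required static 0.
    """
    functions = ("STO", "SS1", "SS2", "SOS", "SLS") if extended else ("STO", "SS1")
    for name in select:
        if name not in functions:
            raise ValueError(f"{name} cannot be selected via this telegram variant")
    word = 0
    for name in functions:
        if name not in select:          # 1 = deselect
            word |= 1 << STW_BITS[name]
    if ack:
        word |= 1 << STW_BITS["INTERNAL_EVENT_ACK"]
    if extended:
        if not 0 <= sls_level <= 3:
            raise ValueError("SLS level is a 2-bit value")
        word |= (sls_level & 1) << STW_BITS["SLS_LEVEL_BIT0"]
        word |= (sls_level >> 1) << STW_BITS["SLS_LEVEL_BIT1"]
    return word


def basic_stw_violations(word):
    """Bits that must stay 0 for Basic Functions but are set in `word`."""
    return [bit for bit in BASIC_STATIC_ZERO if word >> bit & 1]


def decode_zsw(word, extended=False):
    """Decode S_ZSW1 into a dict; bit 7 is 1 when NO internal event is pending."""
    def bit(name):
        return (word >> ZSW_BITS[name]) & 1

    status = {
        "sto_active": bool(bit("STO_ACTIVE")),
        "ss1_active": bool(bit("SS1_ACTIVE")),
        "internal_event": not bit("NO_INTERNAL_EVENT"),
    }
    if extended:
        status.update({
            "ss2_active": bool(bit("SS2_ACTIVE")),
            "sos_active": bool(bit("SOS_ACTIVE")),
            "sls_active": bool(bit("SLS_ACTIVE")),
            "sls_level": bit("SLS_LEVEL_BIT0") | bit("SLS_LEVEL_BIT1") << 1,
            "sos_selected": bool(bit("SOS_SELECTED")),
            "ssm_speed_below_limit": bool(bit("SSM_BELOW_LIMIT")),
        })
    return status


def effective_stop(stw):
    """Which stop function the drive executes: STO has priority over SS1."""
    if not stw & 1:          # bit 0 == 0: STO selected
        return "STO"
    if not stw >> 1 & 1:     # bit 1 == 0: SS1 selected
        return "SS1"
    return None
```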

7 Commissioning
7.1 Safety Integrated firmware versions

Firmware versions for Safety Integrated


The safety firmware installed on the Control Unit and the safety firmware installed on the
Motor Module each have separate version IDs. The parameters listed below can be used to
read the version IDs from the relevant hardware.
Read the overall firmware version via:
● r0018 Control Unit firmware version

The following firmware data can be read for the basic functions:
● r9770[0...3] SI version, drive-autonomous safety functions (Control Unit)
● r9870[0...3] SI version, drive-autonomous safety functions (Motor Module)

The following firmware data can be read for the extended functions:
● r9590[0...3] SI Motion version safety motion monitoring (Control Unit)
● r9390[0...3] SI Motion version safety motion monitoring (Motor Module)
● r9890[0...2] SI version (Sensor Module)
● r10090[0...3] SI TM54F version

Basic Functions and Extended Functions

When Basic and/or Extended Functions are enabled, the system checks whether the
parameter for the automatic firmware update is set (p7826 = 1).
If it is, at each boot the firmware version of the DRIVE-CLiQ components involved is
compared with the firmware version of the Control Unit and, if required, updated.
During the acceptance test for the Safety Integrated basic functions, the safety firmware
versions of the Motor Modules must be read, logged, and checked against the list below.
During the acceptance test for the Safety Integrated extended functions, the safety firmware
versions of the Motor Modules, Sensor Modules and, if necessary, the Terminal Module
TM54F required for the safety functions are read, logged, and checked against the list below.
When the extended functions are used, the firmware requirements for the basic functions
must also be fulfilled at all times.


The list of permissible safety firmware version combinations, which must be used as a
reference during the test, can be found under "Product Support" at the following address:
http://support.automation.siemens.com/WW/view/en/28554461
The testing procedure is described at the end of the chapter.

Procedure for checking the safety firmware version combinations


The document in the link provided contains tables listing the permissible safety firmware
version combinations for the different safety function classes (SINAMICS basic functions,
SINAMICS extended functions, SINUMERIK Safety Integrated).
The safety firmware version relevant for the safety function can be read from the Control
Unit. The row containing this version number specifies the associated, permissible safety
firmware versions of the relevant drive components. These versions must be compatible with
the versions installed on your system.

7.2 Commissioning Safety Integrated functions


The Safety functions are commissioned using the screen forms in the STARTER. You will
find these functions for each drive under "Functions" -> "Safety Integrated".
The password "0" is set by default.

NOTICE
For safety-relevant reasons, using the STARTER commissioning tool from V4.1.5 onwards
(or SCOUT) you can only set the safety-relevant parameters of the SINAMICS S120
Control Unit offline. In order to set the safety-relevant parameters of the Motor Module,
establish an online connection to SINAMICS S120 and transfer the parameters by clicking
on the "Copy parameters" button in the start screen of the configuration.

Note
Activating changed safety parameters
When exiting the commissioning mode (p0010 = 0), most of the changed parameters
immediately become active. However, for some parameters, a POWER ON is required.
In this case, a STARTER message will inform you about this.
When performing an acceptance test, a POWER ON is always required.


7.2.1 Prerequisites for commissioning the Safety Integrated function

Prerequisites for commissioning the safety functions (Basic Functions)


1. Commissioning of the drives must be complete.
2. Non-safe pulse suppression must be present, e.g. via
OFF1 = "0" or OFF2 = "0".
If the motor holding brake is connected and parameterized, the holding brake is applied.
3. The terminals for "Safe Torque Off" must be wired.
4. For operation with SBC, the following applies:
A motor with a motor holding brake must be connected to the appropriate terminal of the
module.


7.2.2 Default settings for commissioning Safety Integrated functions without an encoder

Additional default settings are required before commissioning Safety functions without an
encoder. The ramp-function generator is automatically created if a vector drive is configured.
Please continue up to the ramp-function generator configuration. If a servodrive is
configured, proceed as follows to call the ramp-function generator:
1. Activate the ramp-function generator: In the configured project, call the "Drive Navigator"
offline, select the device configuration and click on "Configure drive". In the next window,
under the function modules, select "Extended setpoint channel". With "Continue",
proceed with the configuration and when completed, exit with "Complete". The ramp-
function generator is now active and can be parameterized.
2. In the project window, open the ramp-function generator by double-clicking on Drive
unit → Drives → Servo → Setpoint channel → Ramp-function generator:

Figure 7-1 Ramp-function generator


3. Clicking on the button with the ramp opens the following window:

Figure 7-2 Ramp-function generator ramp

4. Here, enter the data to define the ramp-function generator ramp.


Activating Safety Integrated
1. Open the Safety Integrated selection window under Drive
unit → Drives → Functions → Safety Integrated and select the required Safety function:

Figure 7-3 Safety Integrated selection

2. In the drop-down menu below, select "[1] Safety without encoder".


3. Then, open the configuration window and set the actual value acquisition cycle (p9511) to
the value of the current controller cycle (p0115) (e.g. 125 µsec).
4. Click on "gear factor", set the actual value tolerance (p9542) to 5 mm and the number of
motor revolutions to the pole pair number (r0313).
5. Open SS1 and set the shutdown speed to >0.


6. Call the Safely-Limited Speed, change all of the stop responses to "[0]STOP A" or
"[1]STOP B" and close the window.
7. The user-specific Safety settings can now be performed.
8. Click on "Copy parameters".
9. Switch off/switch on the drive to accept the changes.
10. The motor measurements must then be performed, whereby the "SLS" function must first
be deselected. First perform the measurements while the drive is stationary (zero speed)
and then the measurements with the drive rotating.

Note
If message C01711 is output while the drive is ramping up, under certain circumstances,
the ramp gradient must be optimized or the ramp-up must be set softer using an
extended ramp-function generator (with rounding-off).

7.2.3 Standard commissioning of Safety Integrated functions

Standard commissioning of the safety functions


1. A commissioned project that has been uploaded to STARTER can be transferred to
another drive unit still keeping the existing Safety parameterization.
2. If the source and target devices have different software versions, the reference
checksums (p9799, p9899) may have to be adapted. This is indicated by the faults
F01650 (fault value: 1000) and F30650 (fault value: 1000).
3. Once the project has been downloaded to the target device, an acceptance must be
carried out. This is indicated by fault F01650 (fault value: 2004). Additional information on
the acceptance test is provided in the Function Manual "Safety Integrated" in Chapter
"Acceptance test and acceptance report".


7.2.4 Setting the sampling times

Terminology
The software functions installed in the system are executed cyclically at different sampling
times (p0115, p0799, p4099).
Safety functions are executed within the monitoring clock cycle (p9300/p9500) and TM54F is
executed within the sampling time (p10000).
Communication on PROFIBUS is handled cyclically by means of the communication clock
cycle.
During the PROFIsafe scan cycle, the PROFIsafe telegrams issued by the master are
evaluated.

Rules
● The monitoring clock cycle (p9300/p9500) can be set between 500 μs and 25 ms.

Note
The monitoring clock cycle must be the same on all drives.

However, the calculation time required for the Extended Functions in the Control Unit
depends on the monitoring clock cycle, that is, shorter clock cycles extend the calculation
time. The availability of a specific monitoring clock cycle therefore depends on calculation
time resources of the Control Unit.
Calculation time resources on the Control Unit are influenced primarily by the number of
drives, the number of drives with enabled Extended Functions, the connected DRIVE-
CLiQ components, the selected DRIVE-CLiQ topology, the use of a CBE20 and by the
selected technological functions.
● Isochronous PROFIBUS
– The monitoring cycle (p9300/p9500) must be an integer multiple of the actual value
update clock cycle. This is p9311/p9511; when p9311/p9511 = 0, the isochronous
PROFIBUS communication clock cycle is used for actual value acquisition.
– The current controller cycle must be no more than a quarter of the length of the actual
value update clock cycle.
– The sampling time of the current controller (p0115[0]) must be at least 125 µs.


● Non-isochronous PROFIBUS
– The monitoring cycle must be an integer multiple of the actual value update clock
cycle. In non-isochronous mode, this is p9311/p9511 or 1 ms (when p9311/9511 = 0).
– The sampling time of the current controller (p0115[0]) must be at least 125 µs.
● The sampling time of the TM54F must be the same as the monitoring clock cycle
(p10000 = p9300/p9500).

Note
The Safety functions are executed in the monitoring clock cycle (r9780). PROFIsafe
telegrams are evaluated in the PROFIsafe scan cycle, which corresponds to twice the
monitoring clock cycle (PROFIsafe scan cycle = 2 × r9780).
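The rules above, collected into a Python consistency check as an added example that is not Siemens code; all times are in microseconds, and the parameter values used when calling it are constructed:

```python
"""Consistency check of the sampling time rules of section 7.2.4.
Added example, not Siemens code; all times are in microseconds.
"""
from typing import List, Optional


def actual_value_cycle_us(p9511_us: int, isochronous: bool,
                          profibus_cycle_us: Optional[int]) -> int:
    """Actual value update clock cycle: p9311/p9511 if set; otherwise the
    isochronous PROFIBUS communication cycle, or 1 ms in non-isochronous mode."""
    if p9511_us:
        return p9511_us
    if isochronous:
        if profibus_cycle_us is None:
            raise ValueError("isochronous PROFIBUS cycle needed when p9511 = 0")
        return profibus_cycle_us
    return 1000


def check_sampling_times(p0115_us: int, p9500_us: int, p9511_us: int,
                         p10000_us: Optional[int] = None,
                         isochronous: bool = False,
                         profibus_cycle_us: Optional[int] = None) -> List[str]:
    """Return the list of violated rules (empty list = configuration is consistent).

    p10000_us is only checked when a TM54F is used (pass None otherwise).
    """
    problems = []
    if not 500 <= p9500_us <= 25_000:
        problems.append("monitoring clock cycle p9300/p9500 outside 500 us ... 25 ms")
    if p0115_us < 125:
        problems.append("current controller sampling time p0115[0] below 125 us")
    t_act = actual_value_cycle_us(p9511_us, isochronous, profibus_cycle_us)
    if p9500_us % t_act:
        problems.append(f"monitoring cycle {p9500_us} us is not an integer multiple "
                        f"of the actual value update cycle {t_act} us")
    # Quarter rule: stated in the manual for isochronous PROFIBUS only.
    if isochronous and p0115_us * 4 > t_act:
        problems.append("current controller cycle longer than a quarter of the "
                        "actual value update cycle")
    if p10000_us is not None and p10000_us != p9500_us:
        problems.append("TM54F sampling time p10000 must equal p9300/p9500")
    return problems


def profisafe_scan_cycle_us(r9780_us: int) -> int:
    """PROFIsafe telegrams are evaluated every second monitoring cycle."""
    return 2 * r9780_us
```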

Overview of important parameters (see the S120/S150 List Manual)


● p9300 SI Motion monitoring clock cycle (Motor Module) (only Extended Functions)
● p9500 SI Motion monitoring clock cycle (Control Unit) (only Extended Functions)
● p9311 SI Motion actual value sensing clock cycle (Motor Module)
● p9511 SI Motion actual value sensing clock cycle (Control Unit)
● r9780 SI monitoring clock cycle (Control Unit)
● r9880 SI monitoring clock cycle (Motor Module)
● p10000 SI sampling time (TM54F)


7.3 Commissioning TM54F by means of STARTER/SCOUT

7.3.1 Basic sequence of commissioning


The following conditions must be met before you can configure the TM54F:
● Concluded initial commissioning of all drives

Table 7- 1 Configuration sequence

Step Execution
1 Insert the TM54F
2 Configure the TM54F and generate the drive groups
3 Configure the drive groups
4 Configure the inputs
5 Configure the outputs
6 Copy the parameters to the second drive object (TM54F_SL)
7 Change the safety password
8 Activate the configuration by selecting "Activate settings"
9 Save the project in STARTER
10 Save the project in the drive by selecting "Copy RAM to ROM"
11 Execute POWER ON
12 Acceptance test


7.3.2 Configuration start screen

Description

Figure 7-4 Configuration start screen TM54F

The following functions can be selected in the start screen:


● Configuration
Opens the "Configuration" screen
● Inputs
Opens the "Inputs" screen
● Outputs
Opens the "Outputs" screen
● Drive group 1 ... 4
Opens the corresponding screen of drive group 1 to 4
● Copy parameters
To copy the configuration to the second drive object (TM54F_SL), press "Copy
parameters".


● Change/activate settings
– Change settings
You can select this button and enter the TM54F password in order to edit the
configuration data. The button function changes to "Activate settings".
– Activate settings
This function activates your parameter settings and initiates calculation of the actual
CRC and the corresponding transfer to the target CRC.
The parameters are activated after restart, and you are requested to carry out the
acceptance test.
A message is output requesting you to save the project and then restart the system.
It is also required to carry out an acceptance test.
● Change password (p10061 ... p10063)
In order to change the password, enter the old password (factory setting: 0) and then
enter and confirm the new password.


7.3.3 TM54F configuration

Configuration screen of TM54F for Safety Integrated

Figure 7-5 TM54F configuration

Functions of this screen:


● Assigning drive objects (p10010)
Select a drive object to be assigned to a drive group.
● Drive groups (p10011)
Each configured safety drive can be assigned to a drive group using a drop-down list box.
The list box displays the drives and their names.
● Discrepancy time (p10002)
The signal states at the two terminals of an F-DI are monitored in order to determine
whether these have assumed the same logical state within the discrepancy time.


● Safety sampling time (p10000)
The Safety sampling time corresponds to the sampling time of TM54F.

Note
The Safety clock cycle (p10000) of the TM54F must be the same as the monitoring clock
cycle set in p9300/p9500.

● F-DI input filter (p10017)
Parameterizes the debounce time of the F-DIs and single-channel DIs of the TM54F.
The debounce time is rounded to whole ms and then accepted. The debounce time
specifies the maximum duration of a fault pulse at the F-DIs that is not interpreted as a
safety-relevant signal.
● F-DI selection (p10006)
The Extended Functions enter a safety alarm in a special alarm buffer upon the detection
of internal errors or violation of limits. This alarm must be acknowledged safely. You can
assign an F-DI terminal pair for safe acknowledgment.
● Signal source, forced dormant error detection (p10007)
Select an input terminal to start the test stop: The test stop is started with a 0/1 signal at
the input terminal and is then only possible if the drive is not in commissioning mode.
● Test cycle, dynamization F-DO (p10003)
Fail-safe I/O must be tested at defined intervals in order to validate their fail-safety (test
stop, or forced dormant error detection). The TM54F module is provided with a function
block which is selected by means of a BICO source to execute this forced dormant error
detection (e.g. switch the L1+ and L2+ sensor power supply). Each selection triggers a
timer in order to monitor the test cycle. An alarm is set on expiration of the monitored
time.


7.3.4 Test stop

7.3.4.1 Test stop modes of the TM54F

Testing the fail-safe inputs and outputs


Fail-safe I/O must be tested at defined intervals in order to validate their fail-safety (test stop,
or forced dormant error detection). The TM54F module is provided with a function block
which is selected by means of a BICO source to execute this forced dormant error detection
(e.g. switch the L1+ and L2+ sensor power supply). Each selection triggers a timer in order
to monitor the test cycle. An alarm is set on expiration of the monitored time.
Three test stop modes can be selected using the TM54F safety module. After a time interval
has expired, the user is notified using an alarm that a test stop must be performed for the
F-DI/DO of the TM54F. The various test stop modes and the required test sequences are
described in the following.

Preparing to perform a test stop


Before parameterization and configuration, the circuit used for the F-DOs of the TM54F must
be derived for the selected test stop mode and parameterized accordingly.
After the forced dormant error detection interval timer has expired, an alarm notifies the user
that a test stop must be performed for the F-DI/DO of the TM54F.
The test stop should be started, e.g. using a control signal or a switch, via a signal
interconnected with BICO.
The alarm is only cleared once the test stop has been performed.


7.3.4.2 Test stop mode 1

Test stop mode 1

Figure 7-6 F-DO circuit, test stop mode 1

This mode only uses the internal feedback signal (= signal level at the DO terminal) to
test the F-DO output transistors.

Test sequence for test stop mode 1

Step    DO+    DO-    Expected response, DIAG signal
1       OFF    OFF    LOW
2       ON     ON     LOW
3       OFF    ON     LOW
4       ON     OFF    HIGH
5       OFF    OFF    LOW

This monitoring function can be used to verify the ability of the F-DO output transistors to
switch (off), even if the actuator itself does not provide a feedback signal.
Before testing the F-DOs, the F-DIs are tested by switching off the power supply (L1+, L2+).
The system waits for the parameterized delay time p10001 (SI delay time for test stop)
between the individual test steps before the expected response is checked.


7.3.4.3 Test stop mode 2

Test stop mode 2

Figure 7-7 F-DO circuit, test stop mode 2

This mode only uses the external feedback signal (DI) to test the F-DO output transistors
and to test the actuator itself.

Test sequence for test stop mode 2

Step    DO+    DO-    Expected response, DI signal
1       OFF    OFF    HIGH
2       ON     ON     LOW
3       OFF    ON     LOW
4       ON     OFF    LOW
5       OFF    OFF    HIGH

For a circuit with two relays with positively driven feedback signal contacts (fault exclusion)
or an actuator with separate feedback signal (e.g. a solenoid valve), this sequence can be
used to ensure that both the F-DO output transistors as well as the actuator can be switched
off.
Before testing the F-DOs, the F-DIs are tested by switching off the power supply (L1+, L2+).
The system waits for the parameterized delay time p10001 (SI delay time for test stop)
between the individual test steps before the expected response is checked.


7.3.4.4 Test stop mode 3

Test stop mode 3

Figure 7-8 F-DO circuit, test stop mode 3

This mode only uses the external feedback signal (DI) to test the F-DO output transistors
and to test the actuator itself.

Test sequence for test stop mode 3

Step    DO+    DO-    Expected response, DI signal
1       OFF    OFF    HIGH
2       ON     ON     LOW
3       OFF    ON     HIGH
4       ON     OFF    HIGH
5       OFF    OFF    HIGH

Before testing the F-DOs, the F-DIs are tested by switching off the power supply (L1+, L2+).
The system waits for the parameterized delay time p10001 (SI delay time for test stop)
between the individual test steps before the expected response is checked.
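The five-step test sequences of test stop modes 1 to 3 above, run against a simple circuit model as an added Python example that is not Siemens code; the feedback model per mode and the stuck-transistor fault injection are assumptions made for illustration:

```python
"""Test stop modes 1 to 3 of section 7.3.4: the expected responses from the
tables above, run against a model of the F-DO circuit. Added example, not
Siemens code; the per-mode feedback model and the fault injection are
assumptions.
"""
from typing import List, Optional, Tuple

ON, OFF = True, False
HIGH, LOW = True, False

# (DO+, DO-) pattern of the five test steps, common to all three modes.
TEST_STEPS = [(OFF, OFF), (ON, ON), (OFF, ON), (ON, OFF), (OFF, OFF)]

# Expected DIAG (mode 1) or DI (modes 2 and 3) response per step, from the tables.
EXPECTED = {
    1: [LOW, LOW, LOW, HIGH, LOW],
    2: [HIGH, LOW, LOW, LOW, HIGH],
    3: [HIGH, LOW, HIGH, HIGH, HIGH],
}


def feedback(mode: int, do_plus: bool, do_minus: bool) -> bool:
    """Feedback level of a healthy circuit for each mode (model assumption).

    Mode 1: internal DIAG signal = level at the DO terminal; HIGH only when
            DO+ is on and DO- is off.
    Mode 2: two relays with positively driven NC feedback contacts in series;
            the DI is HIGH only when neither relay is energized.
    Mode 3: actuator with its own feedback (e.g. solenoid valve); the DI is
            LOW only while both transistors drive the load.
    """
    if mode == 1:
        return do_plus and not do_minus
    if mode == 2:
        return not do_plus and not do_minus
    if mode == 3:
        return not (do_plus and do_minus)
    raise ValueError("unknown test stop mode")


def run_test_stop(mode: int, stuck_on: Tuple[bool, bool] = (False, False),
                  p10001_ms: int = 100) -> Tuple[bool, Optional[int], List[str]]:
    """Run the 5-step sequence; return (passed, failing step or None, log).

    stuck_on models an output transistor (DO+, DO-) that can no longer switch
    off. p10001 is the delay the TM54F waits between steps before checking the
    response; here it only appears in the log.
    """
    log = []
    for step, (want_plus, want_minus) in enumerate(TEST_STEPS, start=1):
        actual_plus = want_plus or stuck_on[0]
        actual_minus = want_minus or stuck_on[1]
        got = feedback(mode, actual_plus, actual_minus)
        exp = EXPECTED[mode][step - 1]
        log.append(f"step {step}: DO+={'ON' if want_plus else 'OFF'} "
                   f"DO-={'ON' if want_minus else 'OFF'} wait {p10001_ms} ms "
                   f"-> {'HIGH' if got else 'LOW'} (expected {'HIGH' if exp else 'LOW'})")
        if got != exp:
            return False, step, log
    return True, None, log
```

With a DO+ transistor that cannot switch off, mode 3 only notices at step 3 (OFF/ON), which is why the sequence deliberately drives the two transistors individually.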


7.3.4.5 Test stop mode parameters

Overview of important parameters (see the SINAMICS S120/S150 List Manual)


● p10001 SI delay time for test stop at DO 0 ... DO 3
● p10003 SI forced dormant error detection timer
● p10007 BI: SI forced dormant error detection F-DO 0 ... 3 signal source
● p10017 SI digital inputs, debounce time
● p10046 SI test sensor feedback input DI 20 ... 23
● p10047[0...3] SI select test mode for test stop


7.3.5 F-DI/F-DO configuration

Inputs screen F-DI

Figure 7-9 Inputs screen

NC/NO contact (p10040)


Terminal property of F-DI 0 to F-DI 9 (p10040.0 = F-DI 0, ... p10040.9 = F-DI 9): only the
property of the second (lower) digital input is set. Always connect an NC contact to digital
input 1 (upper). Digital input 2 can be configured as an NO contact.
Activate test mode (p10041)
A check mark at an F-DI defines whether the pair of digital inputs is to be integrated in the
forced dormant error detection test of the assigned power supply (L1+ or L2+) (for additional
information, see chapter "Forced dormant error detection", under Extended Functions).


LED in F-DI screen


The LED downstream of the AND element indicates the logical state (inactive: gray, active:
green, discrepancy error: red).

Outputs screen F-DO

Figure 7-10 Outputs screen

Signal source for F-DO (p10042 - p10045)


An AND element with 6 inputs is interconnected with each output terminal pair of an F-DO;
the signal sources for the AND inputs can be selected:
● If no signal source is connected to an input, that input is set to HIGH (default).
Exception: if no signal source is connected to any of the inputs, the output signal = 0.
● Status signals of the drive of drive group 1 to 4
For additional information on status signals, see chapter "F-DO overview" in the "Control
by means of TM54F terminals".
Select test sensor feedback signal (p10046 [0..3]) and select test mode for test stop
(p10047 [0..3])
The test of the feedback line for the dynamization can be activated at each F-DO and the
test mode can be selected for the test stop (for additional information, see Chapter "Forced
dormant error detection" under Extended Functions).


LED in the F-DO screen


The LED downstream of the AND element indicates the logical state (inactive: gray, active:
green).
The LEDs of the digital inputs DI 20 to DI 23 indicate the status of the respective digital
input (inactive: gray, active: green).

7.3.6 Control interface of the drive group

Figure 7-11 Screen, drive group


Functions of this screen:


● Selection of an F-DI for the STO, SS1, SS2, SOS and SLS functions and for SLS speed
limits (bit coded) (p10022 to p10028).
A separate screen is available for each drive group. An F-DI can be assigned several
functions in several drive groups.
● Configuration of the "Safe State" signal (p10039)
A safety output signal "Safe State" can be generated for each drive group from the
following status signals:
– STO active (Power_removed)
– SS1 active
– SS2 active
– SOS active
– SLS active
The status signals of the same function from the different drives of a drive group are
logically ANDed. The results for the individual functions (STO active, SS1 active, etc.)
are then ORed.
The "Safe State" signal can be assigned to an F-DO.
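The following Python model is an added example, not from the Siemens manual: it implements the 6-input AND element described under "Signal source for F-DO" (including the exception for inputs with no source at all) and the AND/OR aggregation of the drive-group "Safe State" signal described above. Signal names, the data layout and the sample drive group are assumptions.

```python
"""Model of the TM54F output logic from the F-DO and drive-group screens:
the 6-input AND element in front of each F-DO and the "Safe State" signal
of a drive group.

Constructed example, not Siemens code. The AND/OR rules and the default for
unconnected inputs follow the manual; signal names and data layout are ours.
"""
from typing import Dict, Iterable, List, Optional

# Status signals that p10039 can combine into "Safe State" (from the manual).
SAFE_STATE_SOURCES = ("STO active", "SS1 active", "SS2 active",
                      "SOS active", "SLS active")


def f_do_output(inputs: List[Optional[bool]]) -> bool:
    """Output of the AND element behind one F-DO terminal pair.

    None marks an input without a signal source. Such an input counts as
    HIGH, so a single connected source alone controls the output. Exception
    stated in the manual: if no input has a source at all, the output is 0,
    so an unparameterised output stays switched off instead of being
    permanently HIGH.
    """
    if len(inputs) != 6:
        raise ValueError("an F-DO AND element has exactly 6 inputs")
    if all(src is None for src in inputs):
        return False
    return all(True if src is None else src for src in inputs)


def safe_state(group: Dict[str, Dict[str, bool]], selected: Iterable[str]) -> bool:
    """'Safe State' of one drive group.

    group maps drive name -> {status signal -> active}. For every selected
    status signal the values of all drives in the group are ANDed (the
    function has to be active on each drive of the group); the per-function
    results are then ORed. A signal missing for a drive counts as inactive.
    """
    selected = list(selected)
    unknown = set(selected) - set(SAFE_STATE_SOURCES)
    if unknown:
        raise ValueError(f"not a Safe State source: {sorted(unknown)}")
    if not group or not selected:
        return False
    return any(all(drive.get(sig, False) for drive in group.values())
               for sig in selected)


if __name__ == "__main__":
    # Constructed drive group: two axes, both in SLS, only one of them in STO.
    group_1 = {
        "drive_1": {"STO active": True, "SLS active": True},
        "drive_2": {"STO active": False, "SLS active": True},
    }
    # p10039 selects STO and SLS: SLS holds on every drive, so Safe State = 1.
    ss = safe_state(group_1, ["STO active", "SLS active"])
    # Feed it to F-DO 0 whose other five AND inputs are left unconnected.
    print("Safe State:", ss, "-> F-DO 0:",
          f_do_output([ss, None, None, None, None, None]))
    # Unparameterised output: no source on any input gives 0, not 1.
    print("F-DO 1 without any source:", f_do_output([None] * 6))
```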

7.4 Procedure for configuring PROFIsafe communication

7.4.1 Extended Functions: Configuring PROFIsafe communication

Example configuration
The next sections deal with a sample configuration of PROFIsafe communication between a
SINAMICS S120 drive unit and higher-level SIMATIC F-CPU operating as PROFIBUS
master.
The configuration and operation of fail-safe communication (F communication) is based on
the following software and hardware requirements:
Software:
● STEP 7 V5.4 SP4 1) or higher
● S7 F Configuration Pack V5.5 SP3 1) or higher
● S7 Distributed Safety Programming V5.4 SP3 1) or higher
● STARTER V4.1.5 + SSP V4.3 + Drive ES Basic 1) or SCOUT V4.1.5 HF6 + SSP V4.3 or
higher
1) When using a SIMATIC F-CPU
Hardware:
● Safety-CPU (F-CPU), e.g. SIMATIC CPU 317F-2


Topology (network view of the project)


Components participating in F communication via PROFIBUS are basically wired as follows:

Figure content (labels only): PROFIBUS master = CPU with safety functions (F host);
PROFIsafe connection to the F slaves = drive objects of the SINAMICS PROFIBUS slave, each
with its Drive and motor (M).
Figure 7-12 Example of a PROFIsafe topology

Configuring PROFIsafe communication


The next sections describe the configuration of PROFIsafe communication between a
SIMATIC F-CPU and a drive unit.
Create an F-CPU such as CPU 317F-2 and a SINAMICS S120 drive, e.g. a CU 320
according to the hardware that is installed.
1. Create the SINAMICS S120 as a DP slave and the connected F CPU as the associated
DP master.
2. In the DP slave properties, the PROFIsafe slots can be inserted by choosing "Insert
object" on the "Configuration" tab and configured under "PROFIsafe".
3. The telegram configuration for F communication is displayed in the DP slave properties
(SINAMICS S120), "Configuration" tab.


Figure 7-13 Example: PROFIsafe configuration (HW Config)

4. Double-click the icon of the SINAMICS drive unit and select the "Details" tab in the
"Configuration" tab.
5. Click "PROFIsafe…" and then define the F parameters which are important to F
communication.
Setting F parameters:

Figure 7-14 PROFIsafe properties (HW Config)


The following range of values is valid for the lower two parameters:
F_Dest_Add: 1-65534
F_Dest_Add determines the PROFIsafe destination address of the drive object.
Any value within the range is allowed, however, it must be entered once again in the safety
configuration of the drive in the SINAMICS drive unit. The F_Dest_Add value must be set in
p9610 (Control Unit) and in p9810 (Motor Module). You can handle these settings quite
comfortably using the PROFIsafe STARTER screen (see the picture below). The PROFIsafe
target address must be entered in hexadecimal format.

Figure 7-15 PROFIsafe STARTER configuration

F_WD_Time: 10- 65535


A valid current safety telegram must be received from the F-CPU within the monitoring time.
The drive will otherwise switch to the safe state.
The monitoring time should be of sufficient length to ensure not only that the communication
functions tolerate telegram delays, but also that the fault response is triggered quickly
enough if a fault occurs (e.g. interruption of the communication connection).
For additional information on fail-safe parameters, refer to the online help of the "PROFIsafe
properties" dialog box ("Help" button).
You must then compile the configuration data of the F-CPU in HW Config.


7.4.2 Basic Functions: Configuring PROFIsafe communication


The next sections deal with a sample configuration of PROFIsafe communication between a
SINAMICS S120 drive unit and higher-level SIMATIC F-CPU operating as PROFIBUS
master.
In this case, a safety channel that only runs via the IF1 interface must be generated. Mixed
operation of interfaces IF1 and IF2 is not supported.
HW Config can then be used to configure PROFIsafe telegram 30 (sub-module ID = 30) for
the drive objects (abbreviation: DO).

Requirements for PROFIsafe communication


The following minimum software and hardware requirements apply for the configuration and
operation of safety-oriented communication (F communication):
Software tools:
● SIMATIC Manager STEP 7 V5.4 SP4 1) or higher
● S7 F Configuration Pack V5.5 SP3 1) or higher
● S7 Distributed Safety Programming V5.4 SP3 1) or higher
● STARTER V4.1.5 + SSP V4.3 or SIMOTION SCOUT V4.1.5 + SSP V4.3 or higher
● Drive ES Basic V5.4 SP4 1) or higher
● SINAMICS Firmware version 4.3 or higher
Hardware:
● A controller with safety functions (in our example, SIMATIC F-CPU 317F-2 1))
● SINAMICS S120 (in our example, a CU320-2)
● Correct installation of the devices
1) When using a SIMATIC F-CPU

NOTICE
If only one software tool or one hardware component is older than specified in this
document or is missing, then PROFIsafe cannot be configured via PROFIBUS or
PROFINET.


7.4.2.1 Configuring PROFIsafe via PROFIBUS

Topology (network view of the project)


Components participating in F communication via PROFIBUS are basically wired as follows:

Figure content (labels only): PROFIBUS master = CPU with safety functions (F host);
PROFIsafe connection to the F slaves = drive objects of the SINAMICS PROFIBUS slave, each
with its Drive and motor (M).

Figure 7-16 Example of a PROFIsafe topology

Configuring PROFIsafe communication using an example with a Siemens F-CPU


The next sections describe a configuration of PROFIsafe communication between a
SIMATIC F-CPU and a drive unit. It is helpful to regularly save intermediate states.


Creating a safety master


1. Create an F-CPU such as CPU 317F-2 and a drive, e.g. a SINAMICS S120 in
accordance with the hardware installed.
To do this, start SIMATIC Manager and create a new project.

Figure 7-17 Creating a new project

2. Create a SIMATIC S300 Station under "Insert".

Figure 7-18 Creating a new station

3. The HW Config tool opens by double-clicking on SIMATIC S300(1), and then on "Hardware".

Figure 7-19 Calling HW Config


4. First create a mounting rail ((0)UR) under HW Config in the lefthand window:
From the standard catalog under SIMATIC 300/RACK-300, drag the mounting rail to the
upper lefthand field (the cursor has a "+" character).

Figure 7-20 Creating a mounting rail


5. Select a safety-capable CPU under SIMATIC 300/CPU 300, e.g. CPU 317F-2, V2.6, and drag
it into the rack onto the highlighted slot 2.

Figure 7-21 Creating an F host (master)


6. In the rack, double-click line X2 to open the "Properties - PROFIBUS interface DP" window.
On the "Parameter" tab, click "Properties..." in the interface field.

Figure 7-22 Setting the PROFIBUS interface


7. On the "Parameter" tab, set the PROFIBUS address. Using the "Properties..." button, set
the network settings: the transmission rate (e.g. 12 Mbit/s) and the profile (DP). Acknowledge
with "OK". This sets up the master.

Figure 7-23 Setting the PROFIBUS profile


Creating a safety slave (drive)


1. The drive can either be selected in the catalog window under PROFIBUS-DP/SINAMICS /
SINAMICS S120/SINAMICS S120 CU320 or by installing a GSD file. With the left mouse button,
drag the "SINAMICS S120 CU320" drive to the PROFIBUS line in the upper left-hand window
(the cursor has a "+" character) and release the mouse button. In the properties window that
follows, set the PROFIBUS address of the drive and close the window with "OK".

Figure 7-24 Selecting a drive

Figure 7-25 Drive created

2. Double-clicking on the drive symbol opens the properties of the DP slave (here:
(7)SINAMICS S120). The telegrams for F communication are selected and displayed (e.g.
Siemens telegram 105) under "Configuration". Select the PROFIsafe telegram 30 under the
option column. As a result, the "PROFIsafe..." button at the center left is activated.


Figure 7-26 PROFIBUS DP slave properties

3. The F parameters important for F communication are set using the "PROFIsafe…" button.

Figure 7-27 Setting the F parameters

The PROFIsafe mode is selected using parameters F_CRC_Length and P_Par_Version.


The PROFIsafe address is set using parameter F_Dest_Add.


Selecting the PROFIsafe mode


The two PROFIsafe modes V1.0 and V2.0 can be selected.
● In the "F parameter" window, first click on the value that is to be changed.
● Then on the button "Change value..."
● In the window that then opens, select the required value and confirm your selection.
● Using these parameters, you can select either PROFIsafe mode version V1.0 or V2.0:
– PROFIsafe V1.0 mode: F_CRC_Length = 2 byte-CRC, then P_Par_Version: 0
– PROFIsafe V2.0 mode: F_CRC_Length = 3 byte-CRC, then P_Par_Version: 1
The following value ranges can be set for the last two parameters of the list:
1. PROFIsafe destination address F_Dest_Add: 1-65534
F_Dest_Add determines the PROFIsafe destination address of the drive object.
Any value within the range is allowed, although it must be manually entered again in the
Safety configuration of the drive in the SINAMICS drive unit. The F_Dest_Add value must be
set in p9610 (Control Unit) and in p9810 (Motor Module). This can be done in a user-friendly
fashion via the PROFIsafe STARTER screen form (refer to the following diagram). The
PROFIsafe destination address of the F parameters must be entered here in the
hexadecimal format (C8H in the example).

Figure 7-28 STARTER screen section from Safety Integrated: Setting the PROFIsafe address


2. PROFIsafe monitoring time F_WD_Time: 10-65535


A valid current safety telegram must be received from the F-CPU within the monitoring time.
The drive will otherwise switch to the safe state.
The monitoring time should be of sufficient length to ensure not only that the communication
functions tolerate telegram delays, but also that the fault response is triggered quickly
enough if a fault occurs (e.g. interruption of the communication connection).
For additional information on F parameters, refer to the online help ("Help subjects" button).
Right-click the drive and select "Open object with STARTER" from the context menu; the
STARTER commissioning tool opens.

7.5 PROFIsafe via PROFINET

7.5.1 Configuring PROFIsafe via PROFINET


The next sections deal with a sample configuration of PROFIsafe communication between a
SINAMICS S120 drive unit and a higher-level SIMATIC F-CPU operating as PROFINET
master.
In this case, a safety channel that only runs via the IF1 interface must be generated. Mixed
operation of interfaces IF1 and IF2 is not supported.
HW Config can then be used to configure PROFIsafe telegram 30 (sub-module ID = 30) for
the drive objects (abbreviation: DO).


7.5.2 Requirements for PROFIsafe communication

Requirements for PROFIsafe communication


The following minimum software and hardware requirements apply for the configuration and
operation of safety-oriented communication (F communication):
Software tools:
● SIMATIC Manager STEP 7 V5.4 SP4 1) or higher
● S7 F Configuration Pack V5.5 SP3 1) or higher
● S7 Distributed Safety Programming V5.4 SP3 1) or higher
● STARTER V4.1.5 + SSP V4.3 or SIMOTION SCOUT V4.1.5 + SSP V4.3 or higher
● Drive ES Basic V5.4 SP4 1) or higher
● SINAMICS Firmware version 4.3 or higher
Hardware:
● A controller with safety functions (in our example, SIMATIC F-CPU 317F-2 1))
● SINAMICS S120 (in our example, a CU320-2)
● Correct installation of the devices
1) When using a SIMATIC F-CPU

NOTICE
If only one software tool or one hardware component is older than specified in this
document or is missing, then PROFIsafe cannot be configured via PROFIBUS or
PROFINET.


7.5.3 Configuring PROFIsafe via PROFINET

Configuring PROFIsafe communication using SINAMICS S120 as an example


Configuring PROFIsafe via PROFINET is almost identical to configuring "PROFIsafe via
PROFIBUS".
The difference is that the SINAMICS drive unit and SIMATIC F-CPU are in the same
PROFINET subnet instead of in the same PROFIBUS subnet.
1. In HW Config, create a PROFINET-capable F-CPU, e.g. CPU 317F-2 PN/DP,
corresponding to the hardware that has been installed. Create a PROFINET subnet and
configure the F-CPU as an IO controller. Information about configuring an IO controller of
F-CPU 317F-2 can be found in this reference: SIMATIC PROFINET IO Getting Started:
Collection.
2. In the standard module catalog, under PROFINET IO, choose the module that you want
to connect to the PROFINET IO subnet as an IO device, e.g. a CU320-2.
3. Drag the module to the line of the PROFINET IO subnet. The IO device is inserted.
The Properties -> Ethernet Interface SINAMICS-S120-2 window opens. A suggested IP
address will already be displayed here and the subnet selected. Confirm with "OK" to
accept the setting.
4. Save and compile the settings in HW Config, and then load them to the target device.

This sets up a PROFINET connection between the F-CPU and the SINAMICS S120 drive.


Figure 7-29 Configuration of the PROFINET connection in HW Config

1. Right-click the drive object to open its context menu and select "Object properties"; the
"Properties - Drive object" window opens. The PROFIsafe telegram via PROFINET is selected in
this window: "PROFIsafe telegram 30" can be selected from the selection list in the "Options"
table.


The following screenshot shows the "Options" tab for the DO:

Figure 7-30 Drive object option "PROFIsafe telegram"

In the overview for the SINAMICS drive, a PROFIsafe slot that needs to be configured is
displayed under "Drive object".

Figure 7-31 Defining PROFIsafe for a drive


1. Under the drive module, select "PROFIsafe" and using the righthand mouse key, call up
the properties of the PROFIsafe slot.
2. Define the address area of the PROFIsafe telegram under the "Addresses" tab. The start
address for inputs and output is the same. To confirm your entries, choose "OK".

Figure 7-32 Setting PROFINET addresses

3. On the "PROFIsafe" tab, you can define the F parameters required for F communication.
If the "PROFIsafe…" button is inactive, enable it using the "Activate..." button.

Figure 7-33 Setting F parameters


Setting F parameters
The following range of values is valid for the last two parameters of the list:
PROFIsafe destination address F_Dest_Add: 1-65534
F_Dest_Add determines the PROFIsafe destination address of the drive object.
Any value within the range is allowed, although it must be manually entered again in the
Safety configuration of the drive in the SINAMICS drive unit. The F_Dest_Add value must be
set in p9610 (Control Unit) and in p9810 (Motor Module). This can be done in a user-friendly
fashion via the PROFIsafe STARTER screen form (refer to the diagram in the chapter,
Commissioning PROFIsafe via PROFIBUS).
PROFIsafe monitoring time F_WD_Time: 10- 65535
A valid current safety telegram must be received from the F-CPU within the monitoring time.
The drive will otherwise switch to the safe state.
The monitoring time should be of sufficient length to ensure not only that the communication
functions tolerate telegram delays, but also that the fault response is triggered quickly
enough if a fault occurs (e.g. interruption of the communication connection).

Note
When you close the "PROFIsafe properties" dialog box, the fail-safe addresses (F_Dest_Add
and F_Source_Add) are checked to ensure that they are unique. This function is only
available, however, when the PROFINET link between SINAMICS S120 and SIMATIC
F-CPU has already been established.

For additional information about creating a safety program and accessing PROFIsafe user
data (e.g. STW and ZSW) within the safety program, refer to the "SIMATIC, S7 Distributed
Safety - Configuring and Programming" Programming and Operating Manual.

Safety configuration (online) in the SINAMICS drive


The process of configuring the SINAMICS drive via PROFINET by means of Safety
Integrated screen forms is identical to that for configuration via PROFIBUS. Here, refer to the
following chapter, PROFIsafe configuration with STARTER.

Acceptance inspection
Once configuring and commissioning has been successfully completed, an acceptance test
of the drive safety functions must be carried out (see Chapter "Acceptance test and
acceptance report").

Note
If F parameters of the SINAMICS drive are changed in HW Config, the global signature of
the safety program in the SIMATIC F-CPU changes. In this way, the global signature can be
used to identify whether safety-relevant settings in the F-CPU (F parameters of the
SINAMICS slave) have changed. The global signature does not, however, contain any
changes to safety-relevant drive parameters set in SCOUT or STARTER.


7.5.4 Initializing the drives

Initializing the drives


In order that the master controller (e.g. a CPU 317F-2 PN/DP) can communicate with the drives
(e.g. a SINAMICS S120) via PROFINET, each drive must have a unique name (self-explanatory
names are advantageous) and its own IP address; both are assigned using STARTER or the PST
initializing tool (so-called initialization).
Instructions regarding "initialization" can be found in the Commissioning Manual S120 (IH1)
in Chapter "Establishing online operation - STARTER via PROFINET IO".

7.6 PROFIsafe configuration with STARTER (Basic Functions)


The Safety Integrated Basic Functions can be commissioned using STARTER in three ways.
1. STO/SS1/SBC only via terminals
2. STO/SS1/SBC only via PROFIsafe
3. STO/SS1/SBC via PROFIsafe and terminals simultaneously
The STARTER screen forms for using the Safety Integrated Basic Functions using terminals,
PROFIsafe or terminals and PROFIsafe are described together here.

Safety slot
In order to use the Safety Integrated functions via PROFIBUS or PROFINET, a safety slot
must first be created using the SIMATIC Manager Step 7 and HW Config. The procedure to
do this was described in the previous chapters.

Expert list
The Safety Integrated Basic Functions can be individually and manually set using the expert
list – but the settings using the STARTER screen forms are more user friendly and you are
less prone to making mistakes.


Calling Safety Integrated in STARTER using SINAMICS S120 as example


The STARTER screen form for "Safety Integrated" is called under Drives/Functions with a
double-click and can look like this (tree-type view depends on the specific project):

Figure 7-34 STARTER tree to call Safety Integrated

To use the full functionality of STARTER screen forms, there must be an online connection
between the drives, the controller and STARTER.
Selecting using the pulldown menu:

Figure 7-35 Safety Integrated selection


Depending on the selection, different setting screen forms open:

Figure 7-36 STO/SBC/SS1 via terminals


Figure 7-37 STO/SBC/SS1 via PROFIsafe


Figure 7-38 STO/SBC/SS1 via PROFIsafe and terminal

Activating PROFIsafe via the expert list


In order to activate Safety Integrated Basic Functions via PROFIsafe, in the expert list, bit 3
of p9601 and p9801 must be set to "1" and bit 2 to "0". Bit 0 must be set to either "1" or "0",
depending on whether the control via terminals is to be enabled in parallel via PROFIsafe or
not.
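The following Python checker is an added example, not from the Siemens manual or its tools: it cross-checks the HW Config F parameters described in the PROFIsafe sections (F_Dest_Add, F_WD_Time, the F_CRC_Length/P_Par_Version pair) against the p9610/p9810 values entered in hexadecimal and against the p9601/p9801 enable bits described above, and checks that F_Dest_Add is unique across slots. The data classes, function names and the sample project values are assumptions.

```python
"""Consistency check of the PROFIsafe F parameters in HW Config against the
safety parameters of a SINAMICS S120 drive (Basic Functions).

Constructed example, not Siemens code. Parameter names, value ranges and the
rules (p9601/p9801 bit 3 = 1 and bit 2 = 0; F_Dest_Add repeated in p9610 and
p9810 in hex; F_CRC_Length/P_Par_Version pairs) are taken from the manual;
the data classes and check functions are our own.
"""
from dataclasses import dataclass
from typing import Dict, List

F_DEST_ADD_RANGE = range(1, 65535)   # F_Dest_Add: 1 ... 65534
F_WD_TIME_RANGE = range(10, 65536)   # F_WD_Time: 10 ... 65535
# PROFIsafe mode from the (F_CRC_Length in bytes, P_Par_Version) pair.
PROFISAFE_MODES = {(2, 0): "V1.0", (3, 1): "V2.0"}


@dataclass
class HwConfigSlot:
    """F parameters of one PROFIsafe slot (one drive object) in HW Config."""
    name: str
    f_dest_add: int
    f_wd_time: int
    f_crc_length: int   # 2 -> V1.0, 3 -> V2.0
    p_par_version: int  # 0 -> V1.0, 1 -> V2.0


@dataclass
class DriveSafetyParams:
    """Values read from the drive's expert list; the PROFIsafe addresses are
    kept as the hex strings entered in the STARTER screen, e.g. 'C8H'."""
    name: str
    p9610_hex: str  # PROFIsafe address, Control Unit
    p9810_hex: str  # PROFIsafe address, Motor Module
    p9601: int      # SI enable functions, Control Unit
    p9801: int      # SI enable functions, Motor Module


def parse_hex_address(text: str) -> int:
    """Accept the 'C8H' notation of the STARTER screen as well as '0xC8'."""
    t = text.strip().upper()
    if t.endswith("H"):
        t = t[:-1]
    elif t.startswith("0X"):
        t = t[2:]
    return int(t, 16)


def profisafe_mode(slot: HwConfigSlot) -> str:
    """'V1.0', 'V2.0', or 'inconsistent' if CRC length and version disagree."""
    return PROFISAFE_MODES.get((slot.f_crc_length, slot.p_par_version), "inconsistent")


def check_slot(slot: HwConfigSlot, drive: DriveSafetyParams) -> List[str]:
    """Return human-readable findings; an empty list means consistent."""
    f: List[str] = []
    if slot.f_dest_add not in F_DEST_ADD_RANGE:
        f.append(f"{slot.name}: F_Dest_Add {slot.f_dest_add} outside 1..65534")
    if slot.f_wd_time not in F_WD_TIME_RANGE:
        f.append(f"{slot.name}: F_WD_Time {slot.f_wd_time} outside 10..65535")
    if profisafe_mode(slot) == "inconsistent":
        f.append(f"{slot.name}: F_CRC_Length {slot.f_crc_length} byte does not match "
                 f"P_Par_Version {slot.p_par_version}")
    # The address has to be entered again in the drive, on CU and Motor Module.
    for pname, value in (("p9610", drive.p9610_hex), ("p9810", drive.p9810_hex)):
        if parse_hex_address(value) != slot.f_dest_add:
            f.append(f"{drive.name}: {pname} = {value} but F_Dest_Add = "
                     f"{slot.f_dest_add} ({slot.f_dest_add:X}H)")
    # Enable pattern for Basic Functions via PROFIsafe (expert list).
    for pname, value in (("p9601", drive.p9601), ("p9801", drive.p9801)):
        if not value & (1 << 3):
            f.append(f"{drive.name}: {pname} bit 3 = 0, PROFIsafe control not enabled")
        if value & (1 << 2):
            f.append(f"{drive.name}: {pname} bit 2 = 1, must be 0 for PROFIsafe")
    if drive.p9601 != drive.p9801:
        f.append(f"{drive.name}: p9601/p9801 differ, run 'Copy parameters' and "
                 "'Activate settings'")
    return f


def check_unique_addresses(slots: List[HwConfigSlot]) -> List[str]:
    """F_Dest_Add has to be unique across all PROFIsafe slots of the F-CPU."""
    seen: Dict[int, str] = {}
    f: List[str] = []
    for s in slots:
        if s.f_dest_add in seen:
            f.append(f"F_Dest_Add {s.f_dest_add} used by {seen[s.f_dest_add]} and {s.name}")
        else:
            seen[s.f_dest_add] = s.name
    return f


if __name__ == "__main__":
    # Constructed project: drive 1 is correct (C8H = 200, the value shown in
    # the manual); drive 2 was copied, but p9810 and p9601 were not updated.
    slots = [HwConfigSlot("DO1", 200, 150, 3, 1), HwConfigSlot("DO2", 201, 150, 2, 1)]
    drives = [DriveSafetyParams("DO1", "C8H", "0xC8", 0b1001, 0b1001),
              DriveSafetyParams("DO2", "C9H", "C8H", 0b1100, 0b1001)]
    findings = check_unique_addresses(slots)
    for slot, drive in zip(slots, drives):
        findings += check_slot(slot, drive)
    print("\n".join(findings) or "PROFIsafe configuration consistent")
```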

Saving and copying the Basic Function parameters


After the parameters specific to the Safety Integrated functions (e.g. the PROFIsafe address)
have been set, they must be copied from the CU into the Motor/Power Module using the "Copy
parameters" button and activated using the "Activate settings" button.


Acceptance test
An acceptance test must be performed after completing the configuration and after
commissioning (refer to the corresponding chapters in the Function Manuals supplied or in
the Safety Integrated documentation).

Note
If F parameters of the SINAMICS drive are changed in HW Config, the global signature of
the safety program in the SIMATIC F-CPU changes. This means that using the global
signature it is possible to identify whether safety-relevant settings have changed in the F-
CPU (F parameters of the SINAMICS slave). However, this global signature does not include
the safety-relevant drive parameters so that their change cannot be checked in this way.

7.7 Commissioning a linear/rotary axis


The next section outlines the safety commissioning procedure for a linear axis/rotary axis
when a TM54F is used.
1. Connect a PG to the drive and link it to the target device via STARTER.
2. In the STARTER project tree, select the required drive object and under Functions →
Safety Integrated open the start screen to configure Safety Integrated.
3. Click on the Change settings button. The window for selecting Safety Integrated opens.


4. It is only possible to change Safety parameters after entering the valid Safety password
(parameter p9761 for the drives or p10061 for the TM54F).

Figure 7-39 Safety Integrated commissioning of a linear/rotary axis

5. Select Motion Monitoring via TM54F from the list Select Safety Function.
6. Enable the safety functions (p9501) via the list of Safety functions. Then click on the
Configuration button.


7. The safety configuration screen of the drive opens.

Figure 7-40 Safety configuration: Drive

8. For the drive, set the same Monitoring clock cycle (safety clock cycle) as for the TM54F
(see "TM54F Configuration").
9. Select the required Drive type (linear axis / rotary axis) (p9502). Continue at item 12 if
you have not changed the selected drive type.
10. Close the screen. Click on Copy parameters and then click on Activate settings (exit
commissioning mode, p0010=0).
11. Execute the "Copy RAM to ROM" function for the entire project by clicking the "Entire
project" button.
12. Perform a POWER ON. The new parameterization is now active.
13. Reconnect STARTER to the target device. The messages that are displayed indicating that
safety commissioning was not completed (different actual and target checksum) can be
ignored.
14. Load the project into the PG. The display of parameter units (rotary/linear axis) will be
updated accordingly in STARTER.
15. Complete the configuration by adapting the parameterization of the required monitoring
limits, timers, encoder settings, etc.


7.8 Modular machine concept Safety Integrated


The modular machine concept for Safety Integrated Basic Functions and Extended
Functions provides support for commissioning modular machines. A complete machine,
including all its available options, is created in a topology. Only those components that are
actually implemented in the finished machine are later activated. Likewise, certain
components can also be deactivated to begin with and reactivated if they are required at a
later stage.
With the modular machine concept, a distinction is made between the following applications:
● Once the components with Safety functions have been activated for the first time after
series commissioning, the hardware replacement needs to be confirmed (see
"Information about replacing components" in this manual).
● Once all the drives (including Safety Integrated Extended Functions) have been
commissioned, they are to be deactivated (p0105) without changing the hardware.
They can only be activated again with a subsequent warm start or by means of POWER
ON.
● The DOs of the TM54F can be deactivated by means of parameter p0105. The TM54F
itself can only be deactivated when all the drives entered in p10010 "SI drive object
assignment" were deactivated separately by means of p0105 beforehand.
● When spare parts are required and the drive is deactivated (p0105) during the delivery
period for the required hardware component. Reactivation with subsequent warm start or
POWER ON and confirmation of hardware replacement (see "Information about replacing
components" in this manual).
● Component exchange on a Control Unit (e.g. to localize faults). For Safety Integrated, this
is the same as a hardware replacement. After a warm start or POWER ON, the process
of exchanging hardware must be confirmed in order to complete it (see "Information
about replacing components" in this manual).


7.9 Information pertaining to component replacements

Replacing a component from the perspective of Safety Integrated


For information about component replacements, see "Example of component replacements"
in the SINAMICS S120 Function Manual FH1.

WARNING

Observe the instructions with regard to changing or replacing software components in the
chapter "Safety instructions".

1. The faulty component was replaced in accordance with safety regulations.
2. Switch on the machine, but first ensure that there are no persons in the danger zone.
3. Fault F35150 (communication error after replacing a Motor Module) or C30711 with fault
value 1031 (data transfer error after replacing a Sensor Module) is only output if you
control Extended Functions via TM54F.
4. With STARTER/SCOUT:
– Click on "Acknowledge hardware replacement" in the start screen of the Safety
functions.
5. If you are working without STARTER for SINAMICS with a BOP or for SIMOTION with
HMI:
– Start the copy function for Node Identifier (p9700 = 1D hex).
– Confirm the hardware CRC on the drive object (p9701 = EC hex)
Carry out these two tasks after having replaced a Sensor Module at drive object servo or
vector, and after having replaced a Motor Module at drive object TM54F_MA (if installed).
6. Back up all parameters on the memory card (p0977 = 1).
7. Carry out a POWER ON (power off/on) for all components.
8. The faults F01650/F30650 (acceptance test required) are output.
9. Carry out an acceptance test and acceptance report according to Chapter "Acceptance
test and acceptance report" and table "Effect of the acceptance test for certain
measures".

WARNING

Before anyone is allowed to enter the danger zone again and before operation is resumed,
select the STO function once and briefly move the drives affected by the component
replacement in plus and minus direction (+/-) with activated safety monitoring function
(SLS, if parameterized) in order to verify proper functionality.


7.10 Information pertaining to series commissioning


A commissioned project that has been uploaded to STARTER can be transferred to another
drive unit keeping the existing safety parameterization.
1. Load the STARTER project into the drive unit.
2. Switch on the machine, but first ensure that there are no persons in the danger zone.
3. Fault F35150 (communication error after replacing a Motor Module) or C30711 with fault
value 1031 (data transfer error after replacing a Sensor Module) is only output if you
control Extended Functions via TM54F.
4. With STARTER/SCOUT:
– Click on Acknowledge hardware replacement in the start screen of the Safety
functions.
5. If you are using SINAMICS with a BOP or SIMOTION with HMI, then you must perform
the following steps:
– Start the copy function for Node Identifier (p9700 = 1D hex)
– Confirm the hardware CRC on the drive object (p9701 = EC hex)
Carry out these two tasks after having replaced a Sensor Module at drive object servo or
vector, and after having replaced a Motor Module at drive object TM54F_MA (if installed).
6. Back up all parameters on the memory card (p0977 = 1).
7. Carry out a POWER ON (power off/on) for all components.
8. Faults F01650/F30650 are output (acceptance test required, see chapter "Acceptance
test and acceptance report", table "Effect of the acceptance tests for specific measures").

WARNING

Before anybody is allowed to enter the danger zone again and before operation is resumed,
you must select the STO function once and briefly move the drives affected by the
component replacement in plus and minus direction (+/-) with activated safety monitoring
function (SLS, if parameterized) in order to verify proper functionality.

Safety alarm for series commissioning under Safety Integrated Extended Functions
If third-party motors with absolute encoders are used, the situation may arise in which a
safety alarm prevents commissioning.
One reason for this may be that a different serial number of the absolute encoder is saved
on the memory card than that in the Control Unit which is to be commissioned. In order to be
able to acknowledge the safety alarm, the serial number of the absolute encoder must first
be manually corrected, e.g. using STARTER. Instructions on this are provided in the chapter
"Information about replacing components". You can then carry on with the commissioning.

8 Application examples
8.1 Input/output interconnections of a safety switching device with TM54F

TM54F: interconnecting F-DO with safe input on safety switching device

Note
These typical circuit diagrams are only valid for version B of TM54F devices.

[Figure: the TM54F F-DO is wired to the "Equivalent D input" and the "Antivalent D input" of the safety switching device; the external supply voltage and M (ground) rails are shown, together with an external pull-up resistor (kΩ range) on the safe input side.]

Figure 8-1 TM54F F-DO at equivalent/antivalent safe input on safety switching device
(e.g. safety PLC)

The external pull-up resistor is only required in exceptional cases, see below.


TM54F: Interconnecting F-DI with a plus-minus switching output on a safety switching device

WARNING

In contrast to mechanical switching contacts (e.g. Emergency Stop switches), leakage
currents can still flow in semiconductor switches such as those usually used at digital
outputs even when they have been switched off. This can lead to false switching states if
digital inputs are not connected correctly.
The conditions for digital inputs/outputs specified in the relevant manufacturer
documentation must be observed.

Note
Test pulses from F-DOs
There are safety modules, whose F-DOs send test pulses for self-testing and for checking
the circuit (transmission route). These test pulses can trigger incorrect alarms, which then
require safe acknowledgement. In order to avoid these incorrect alarms, the discrepancy
time p10002 should be set long enough so that a fault of the safety function itself is
excluded. According to the experience that we have gained, a setting of approx. 150 ms has
proven itself in practice; however, it is necessary to take into account the function description
of the test pulses from the F-DOs of the safety control.

WARNING

In accordance with IEC 61131 Part 2, Chapter 5.2 (2008), when interconnecting the digital
inputs of the TM54F with digital semiconductor outputs, only outputs that have a maximum
residual current of 0.5 mA when in the "OFF" state can be used.

Debounce
Test signals from the controls can be filtered out using parameter p10017 (SI digital inputs,
debounce time) so that faults are not misinterpreted.
F-DI = safety-oriented dual-channel digital input
F-DO = safety-oriented dual-channel digital output
If digital outputs from another device (e.g. F-DOs on a safety PLC) with a residual current
greater than 0.5 mA in the "OFF" state are connected to the F-DIs of the TM54F, then F-DI
load resistors should be connected up in the channel involved.
The maximum permissible voltage for a TM54F F-DI when "OFF" is 5 V (in accordance with
IEC 61131-2, 2008).
The following two diagrams show exactly how the protective circuits for F-DIs with additional
load resistors are wired.


[Figure: the safety-relevant plus-minus switching output of the safety switching device is wired to the digital inputs (DI) of a TM54F F-DI; load resistors (if required) are fitted across the inputs; the external supply voltage, L and M (ground) are shown.]

Figure 8-2 TM54F F-DI at plus-minus switching safe output on safety switching device
(e.g. safety PLC)

TM54F: interconnecting F-DI with plus-plus switching output on safety switching device

[Figure: the safety-relevant plus-plus switching output of the safety switching device is wired to the digital inputs (DI) of a TM54F F-DI; load resistors (if required) are fitted across the inputs; the external supply voltage and M (ground) are shown.]

Figure 8-3 TM54F F-DI at plus-plus-switching safe output on a safety switching device
(e.g. safety PLC).

Dimensioning the load resistors - example 1:


According to the manufacturer's documentation, the leakage current of an F-DO of a safety
PLC for the P and F channels is 1 mA; in other words, it is around 0.5 mA higher than is
permissible for the F-DI.
The necessary load resistance is therefore R = 5 V/0.5 mA = 10 kΩ.
At the maximum supply voltage, the power loss for this resistor is:
P = (28.8 V)²/R = 83 mW. The resistor is to be permanently dimensioned for this power loss.


Dimensioning the load resistors - example 2:


If additional conditions for the digital output (e.g. a minimum load or a maximum load
resistance) are specified in the manufacturer's documentation, then these must be taken into
account.
For example, a load between 12 Ω and 1 kΩ is specified for the SIMATIC ET200S I/O
module 4 F-DO (6ES7138-4FB02-0AB0).
Therefore, two additional load resistors with a continuous load capacity of at least
P = (28.8 V)²/R = 830 mW are required to connect an F-DO of this kind to a TM54F F-DI.
When using a regulated 24 V power supply (e.g. SITOP) a resistor with a significantly lower
power loss is sufficient.
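Both dimensioning examples above follow one calculation: the load resistor has to divert the part of the F-DO leakage current that exceeds the 0.5 mA the F-DI tolerates, while the input stays at or below 5 V, and it has to withstand the power loss at the maximum supply voltage of 28.8 V. The following Python function is an added worked example, not Siemens code and not part of this manual; it carries that calculation through for both examples and also applies the manufacturer's minimum/maximum load constraint from example 2. The function and class names and the 0.4 mA "no resistor needed" case are constructed for illustration.

```python
# Added example (not Siemens code): dimensioning the F-DI load resistor with the
# formulas used in examples 1 and 2 of this chapter. The F-DI limits are the
# TM54F values stated on this page; the F-DO limits are inputs.
from dataclasses import dataclass
from typing import Optional

FDI_MAX_OFF_VOLTAGE_V = 5.0   # max. voltage at a TM54F F-DI in the "OFF" state (IEC 61131-2)
FDI_MAX_RESIDUAL_MA = 0.5     # max. residual current the F-DI tolerates in the "OFF" state
SUPPLY_MAX_V = 28.8           # maximum supply voltage used for the power-loss calculation


@dataclass
class LoadResistor:
    resistance_ohm: float   # value to fit in the affected F-DI channel
    power_w: float          # continuous power rating required at SUPPLY_MAX_V
    limited_by: str         # which constraint determined the value


def size_load_resistor(
    fdo_leakage_ma: float,
    load_min_ohm: Optional[float] = None,
    load_max_ohm: Optional[float] = None,
) -> Optional[LoadResistor]:
    """Return the load resistor needed for an F-DO with the given OFF-state leakage.

    None means the leakage is within the F-DI limit and no resistor is needed.
    Raises ValueError when the F-DO's minimum permissible load cannot be met.
    """
    excess_ma = fdo_leakage_ma - FDI_MAX_RESIDUAL_MA
    if excess_ma <= 0:
        return None

    # Example 1: the resistor carries the excess current at the maximum
    # permissible OFF-state voltage, R = 5 V / I_excess.
    r_ohm = FDI_MAX_OFF_VOLTAGE_V / (excess_ma / 1000.0)
    limited_by = "F-DI leakage limit"

    # Example 2: a maximum load resistance from the F-DO documentation forces
    # a smaller (and therefore more dissipative) resistor.
    if load_max_ohm is not None and r_ohm > load_max_ohm:
        r_ohm = float(load_max_ohm)
        limited_by = "F-DO maximum load resistance"
    if load_min_ohm is not None and r_ohm < load_min_ohm:
        raise ValueError(
            f"{r_ohm:.0f} ohm is below the permitted minimum load of {load_min_ohm} ohm"
        )

    # Worst-case continuous power loss at the maximum supply voltage.
    power_w = SUPPLY_MAX_V ** 2 / r_ohm
    return LoadResistor(r_ohm, power_w, limited_by)


if __name__ == "__main__":
    # Example 1: 1 mA leakage, no further constraint -> 10 kOhm, about 83 mW
    print(size_load_resistor(1.0))
    # Example 2: same leakage, permitted load 12 Ohm ... 1 kOhm -> 1 kOhm, about 830 mW
    print(size_load_resistor(1.0, load_min_ohm=12, load_max_ohm=1000))
    # Constructed case within the F-DI limit: no resistor needed
    print(size_load_resistor(0.4))
```

The returned power rating is the figure to compare with the resistor's continuous rating; as the text notes, a regulated 24 V supply lowers the real dissipation, but the 28.8 V case is what the resistor must survive.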

Note
Open-circuit detection for a pull-up resistor
If the pull-up resistor is higher than 1 kΩ, then the open-circuit detection no longer reliably
functions and must be disabled.

8.2 Application examples


Application examples can be found at the following Siemens website:
http://support.automation.siemens.com/WW/view/en/20810941/136000t

9 Acceptance tests and acceptance reports
Requirements regarding an acceptance test are derived from the EC Machinery Directive
and ISO 13849-1 (2006). IEC 22G WG 10 is currently working on a "Functional safety"
standard which includes a detailed description of acceptance test requirements.
The machine manufacturer (OEM) is accordingly obliged
● to carry out an acceptance test for safety-related functions and machine parts
● to issue an "Acceptance certificate" which describes the test results.
The acceptance test for systems with Safety Integrated functions (SI functions) is focused on
validating the functionality of Safety Integrated monitoring and stop functions implemented in
the drive system. The test objective is to verify proper implementation of the defined safety
functions and of test mechanisms (forced dormant error detection measures) and to examine
the response of specific monitoring functions to the explicit input of values outside tolerance
limits. The test must cover all drive-specific Safety Integrated motion monitoring functions
and global Safety Integrated functionality of Terminal Module TM54F (if used).

WARNING

A new acceptance test must be carried out if any changes were made to SI function
parameters and must be logged in the acceptance report.

Note
The acceptance test is designed to ensure that the safety functions are correctly
parameterized. The measured values (e.g. distance, time) and the system behavior identified
(e.g. initiation of a specific stop) can be used for checking the plausibility of the configured
safety functions. The objective of an acceptance test is to identify potential configuration
errors and/or to document the correct function of the configuration. The measured values are
typical values (not worst case values). They represent the behavior of the machine at the
time of measurement. These measurements cannot be used, for example, to derive
maximum values for over-travel.


Authorized person, acceptance report


The test of each SI function must be carried out by an authorized person and logged in the
acceptance report. The report must be signed by the person who carried out the acceptance
test. The acceptance report must be kept in the logbook of the relevant machine. Access
rights for SI parameters must be password protected and be documented accordingly in the
acceptance report. Authorized in this sense refers to a person who has the necessary
technical training and knowledge of the safety functions and is authorized by the machine
manufacturer to carry out the acceptance test.

Note
• Observe the information in the chapter "Procedures for initial commissioning".
• The acceptance report presented below is both an example and recommendation.
• An acceptance report template in electronic format is available at your local sales office.

Necessity of an acceptance test


A complete acceptance test (as described in this chapter) is required after initial
commissioning of Safety Integrated functionality on a machine. After safety-related function
expansions, transfer of the commissioning settings to other standard machines, hardware
changes, software upgrades or similar, it may be possible to perform the acceptance test
with a reduced scope. The conditions that determine the necessary test scope, together
with proposals in this context, are summarized below.
In order to define a partial acceptance test, it is necessary in the first instance to specify the
acceptance test objects, and in the second instance to define logical groups which represent
the elements of the acceptance test. The acceptance test must be carried out separately for
each individual drive (as far as the machine allows).

Prerequisites for the acceptance test


● The machine is properly wired.
● All safety equipment such as protective door monitoring devices, light barriers or
emergency limit switches are connected and ready for operation.
● Commissioning of the open-loop and closed-loop control should be completed, as e.g.
the over-travel distance may otherwise change as a result of a changed dynamic
response of the drive control. These include, for example:
– Configuration of the setpoint channel
– Position control in the higher-level controller
– Automatic speed control.


Information about the acceptance tests

Note
As far as possible, acceptance tests should be carried out at the maximum possible machine
speed and acceleration rates. This is so that the maximum braking distances and braking
times that can be expected can be determined.

Note on the acceptance test mode


The acceptance test mode can be activated for a parameterizable time (p9358/p9558) by
setting the appropriate parameters (p9370/p9570) and permits the intended limit value
violations for the acceptance test. For instance, the setpoint speed limits are no longer active
in the acceptance test mode. To ensure that this state is not accidentally kept, the
acceptance test mode is automatically exited after the time set in p9358/p9558.
Activation of the acceptance test mode is therefore only useful in conjunction with the test of
SOS and SLS functions; the acceptance test mode has no effect for other functions.
Normally, SOS can be either directly selected or via an SS2. In order to also be able to
initiate violation of the standstill limits in state SS2 when the acceptance test mode is active,
the acceptance test mode deactivates the braking ramp of SS2 so that the motor can be
moved. When an SOS violation is acknowledged in the active acceptance test mode, the
current position is adopted as the new stop position so that an SOS violation is not
immediately identified again.

WARNING

If a speed setpoint that is not zero is present, the active stop function SS2 is set, and the
motor is at a standstill (active SOS), the axis starts to move as soon as the acceptance test
is activated.

Content of the complete acceptance test


Documentation
Documentation of the machine and of safety functions
1. Machine description (with overview)
2. Specification of the controller (if this exists)
3. Configuration diagram
4. Function table:
– Active monitoring functions depending on the operating mode and the protective door,
– Other sensors with protective functions,
– The table is part or is the result of the configuring work.
5. SI functions for each drive
6. Information about safety equipment


Function test Part 1


General function test, including a check of the wiring/programming
1. Test of shutdown paths
(Test of forced dormant error detection at the inputs and outputs)
2. It is necessary to test stop functions STO, SS1 and SS2 if these functions are used or if
STOP A, STOP B or STOP C is used.
3. Test the forced dormant error detection of the inputs and outputs
(when using a TM54F module)
4. Test of the emergency stop function and of safety circuits
5. Changeover test of SI functions

Function test Part 2


Detailed function test and evaluation of the SI functions used.
1. When checking the safety actual value acquisition: The correct function is checked by
briefly moving in both directions with the motion monitoring function active (SLS)
2. Testing the SI function "Safe Operating Stop" (SOS)
(with evaluated measurement diagram or measured values)
3. Test of the SI function "Safely Limited Speed" (SLS)
(with evaluated measurement diagram or measured values)
4. Test of the SI function "Safe Speed Monitor" (SSM)
(with evaluated measurement diagram or measured values)

Conclusion of the report


Report of the commissioning status tested and countersignatures
1. Inspection of SI parameters
2. Check that the existing safety firmware versions are permissible using the table under
Siemens "Product Support" on the Internet (see "Safety Integrated firmware versions")
3. Logging of checksums (for each drive)
4. Assigning and logging the Safety password
(do not disclose in the report!)
5. RAM to ROM backup, load the project into STARTER and backup of the project
6. Countersignature


Effect of the acceptance test on specific measures

Table 9- 1 Scope of the acceptance test depending on specific measures

For each measure the entries are given for the four parts of the acceptance test:
Documentation, Function test Part 1, Function test Part 2, Conclusion of the report.

Replacement of the encoder system
  Documentation: No
  Function test Part 1: No
  Function test Part 2: Check of the safety actual value acquisition *
  Conclusion of the report: Supplement: possibly new checksums and countersignature

Replacement of an SMC/SME Module
  Documentation: Supplement of hardware data/configuration/software version data
  Function test Part 1: No
  Function test Part 2: Check of the safety actual value acquisition *
  Conclusion of the report: Supplement: new checksums and countersignature *

Replacement of a motor with DRIVE-CLiQ
  Documentation: Supplement of hardware data/configuration/software version data
  Function test Part 1: No
  Function test Part 2: Check of the safety actual value acquisition *
  Conclusion of the report: Supplement: new checksums and countersignature *

Replacement of the Control Unit / power unit - hardware
  Documentation: Supplement of hardware data/configuration/software version data
  Function test Part 1: No
  Function test Part 2: Partially, if the system sampling times or the dynamic response were changed (drive-specific) *
  Conclusion of the report: Supplement: possibly new checksums and countersignature

Replacement of the Power Module or Safe Brake Relay
  Documentation: Supplement; hardware data/configuration
  Function test Part 1: Yes
  Function test Part 2: No
  Conclusion of the report: Supplement and countersignature

Replacing the TM54F
  Documentation: Supplement of hardware data/configuration/software version data
  Function test Part 1: Yes
  Function test Part 2: No
  Conclusion of the report: Yes

Replacement of SI-relevant I/O devices (e.g. Emergency Stop switch)
  Documentation: Supplement of hardware data/configuration/software version data
  Function test Part 1: Yes, with comment; restriction to replaced components
  Function test Part 2: No
  Conclusion of the report: No

Firmware upgrade (CU/power unit/Sensor Modules)
  Documentation: Supplement version data, including a note informing of the time of implementation of the new functionality
  Function test Part 1: Yes
  Function test Part 2: Yes, if the system scan cycle times or the dynamic response were changed, or test of the new functionality
  Conclusion of the report: Supplement; new checksums and countersignature might be required

Change to a single limit (e.g. SLS limit)
  Documentation: Supplementary SI function per drive
  Function test Part 1: No
  Function test Part 2: Partially, test of the changed limit
  Conclusion of the report: Supplement; new checksums and countersignature

Enhancement of functions (e.g. additional actuator, additional SLS stage)
  Documentation: Supplementary SI functions per drive or function table
  Function test Part 1: Yes, with note; restriction to adapted parts as required
  Function test Part 2: Partially, test of any additional limits
  Conclusion of the report: Supplement; new checksums and countersignature might be required

Transfer of project data to other machines via series commissioning
  Documentation: Possibly supplement to the machine description (check of the firmware version)
  Function test Part 1: Yes, with note
  Function test Part 2: No, if no changes were made to SI parameters
  Conclusion of the report: No, if data are identical (check and adapt checksums) *

* See Chapter "Information about replacing components"


9.1 Safety logbook

Description
The "Safety Logbook" function is used to detect changes to safety parameters that affect the
associated CRC sums. CRCs are only generated when p9601/p9801 (SI enable, functions
integrated in the drive CU/Motor Module) is > 0.
Data changes are detected when the CRCs of the SI parameters change. Each SI parameter
change that is to become active requires the reference CRC to be changed so that the drive
can be operated without SI fault messages. In addition to functional safety changes, safety
changes as a result of hardware being replaced can be detected when the CRC has
changed.
The following changes are recorded by the safety logbook:
● Functional changes are recorded in the checksum r9781[0]:
– Functional CRCs of the motion monitoring functions (p9729[0]), axial (Extended
Functions)
– Functional CRCs of the basic safety functions integrated in the drive (p9799, SI
setpoint checksum SI parameters CU), axial
– Functional CRCs of the TM54F (p10005[0]), global (Extended Functions)
– Enabling of functions integrated in the drive (p9601), axial (Basic and Extended
Functions)
● Hardware-dependent changes are recorded in the checksum r9781[1]:
– Hardware-dependent CRCs of the motion monitoring functions (p9729[2]), axial (ncSI,
Basic and Extended Functions)
– Hardware-dependent CRCs of the TM54F (p10005[1]), global (Extended Functions)
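As an added illustration of the grouping described above (not Siemens code; the drive's actual CRC algorithm and parameter encoding are not documented here, and zlib's CRC-32 is used only as a stand-in), the following Python model shows how keeping a functional checksum and a hardware-dependent checksum, in the manner of r9781[0] and r9781[1], lets a maintenance check tell a functional parameter change from a hardware replacement. The parameter values, the function names and the sample "after Sensor Module swap" scenario are constructed.

```python
# Added example (not Siemens code): a model of the safety logbook's two checksum
# groups. zlib.crc32 stands in for the drive's own CRC, which is not documented here.
import zlib
from typing import Dict, List, Tuple

# Parameters this chapter lists as contributing to each logbook checksum
FUNCTIONAL_PARAMS = ("p9729[0]", "p9799", "p10005[0]", "p9601")   # -> r9781[0]
HARDWARE_PARAMS = ("p9729[2]", "p10005[1]")                        # -> r9781[1]


def _group_crc(params: Dict[str, int], names: Tuple[str, ...]) -> int:
    """CRC over the named parameters in a fixed order (stand-in for the drive's CRC)."""
    payload = ";".join(f"{n}={params[n]:08X}" for n in names).encode("ascii")
    return zlib.crc32(payload) & 0xFFFFFFFF


def logbook_checksums(params: Dict[str, int]) -> Tuple[int, int]:
    """Return (functional checksum, hardware-dependent checksum), like r9781[0..1]."""
    return _group_crc(params, FUNCTIONAL_PARAMS), _group_crc(params, HARDWARE_PARAMS)


def classify_change(reference: Tuple[int, int], current: Tuple[int, int]) -> List[str]:
    """Name the checksum groups that differ from the reference logged at acceptance."""
    changed: List[str] = []
    if reference[0] != current[0]:
        changed.append("functional")
    if reference[1] != current[1]:
        changed.append("hardware")
    return changed


# Constructed sample values standing in for the CRCs logged after commissioning
COMMISSIONED: Dict[str, int] = {
    "p9729[0]": 0x1234ABCD, "p9799": 0x0000BEEF, "p10005[0]": 0x0BAD0CAF, "p9601": 0x1,
    "p9729[2]": 0x5555AAAA, "p10005[1]": 0x00C0FFEE,
}


def demo() -> List[str]:
    """Constructed scenario: a Sensor Module swap changes only a hardware-dependent CRC."""
    reference = logbook_checksums(COMMISSIONED)
    after_swap = {**COMMISSIONED, "p9729[2]": 0x5555AAAB}
    return classify_change(reference, logbook_checksums(after_swap))


if __name__ == "__main__":
    print("changed groups after the constructed swap:", demo())
```

In the real drive the reference CRCs live in parameters such as p9799 and p9729, and a mismatch blocks operation with an SI fault until the reference is deliberately updated; the model above only reproduces the classification step that the logbook makes visible.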


9.2 Acceptance reports

9.2.1 Plant description - Documentation part 1

Table 9- 2 Machine description and overview diagram

Designation
Type
Serial number
Manufacturer
End customer
Electrical drives
Other drives
Overview diagram of machine

Table 9- 3 Values of relevant parameters

Versions of the firmware and of Safety Integrated

Control Unit
  Drive number:          Firmware version: r0018 =      SI version: r9590 =      r9770 =

Motor Modules (one line per drive)
  Drive number:          Firmware version: r0128 =      SI version: r9390 =      r9870 =
  Drive number:          Firmware version: r0128 =      SI version: r9390 =      r9870 =
  Drive number:          Firmware version: r0128 =      SI version: r9390 =      r9870 =
  Drive number:          Firmware version: r0128 =      SI version: r9390 =      r9870 =
  Drive number:          Firmware version: r0128 =      SI version: r9390 =      r9870 =
  Drive number:          Firmware version: r0128 =      SI version: r9390 =      r9870 =

Sensor Modules (one line per drive)
  Drive number:          Firmware version: r0148 =      SI version: r9890 =
  Drive number:          Firmware version: r0148 =      SI version: r9890 =
  Drive number:          Firmware version: r0148 =      SI version: r9890 =
  Drive number:          Firmware version: r0148 =      SI version: r9890 =
  Drive number:          Firmware version: r0148 =      SI version: r9890 =
  Drive number:          Firmware version: r0148 =      SI version: r9890 =

Terminal Modules
  Drive number:          Firmware version: r0158 =      SI version: r10090 =
  Drive number:          Firmware version: r0158 =      SI version: r10090 =

Safety Integrated checksums

Basic Functions
  Drive number:          SI reference checksum SI parameters (Control Unit): p9799 =
                         SI reference checksum SI parameters (Motor Module): p9899 =

Extended Functions
  Drive number:          SI Motion reference checksum SI parameters (Motor Module): p9399[0] =   p9399[1] =
                         SI Motion reference checksum SI parameters: p9729[0] =   p9729[1] =   p9729[2] =

Monitoring clock cycles of Safety Integrated

Basic Functions (one line per drive)
  Drive number:          SI monitoring clock cycle Control Unit: r9780 =     SI monitoring clock cycle Motor Module: r9880 =
  Drive number:          SI monitoring clock cycle Control Unit: r9780 =     SI monitoring clock cycle Motor Module: r9880 =
  Drive number:          SI monitoring clock cycle Control Unit: r9780 =     SI monitoring clock cycle Motor Module: r9880 =
  Drive number:          SI monitoring clock cycle Control Unit: r9780 =     SI monitoring clock cycle Motor Module: r9880 =
  Drive number:          SI monitoring clock cycle Control Unit: r9780 =     SI monitoring clock cycle Motor Module: r9880 =
  Drive number:          SI monitoring clock cycle Control Unit: r9780 =     SI monitoring clock cycle Motor Module: r9880 =

Extended Functions (one line per drive)
  Drive number:          SI monitoring clock cycle Motor Module: p9300 =     SI monitoring clock cycle Control Unit: p9500 =
  Drive number:          SI monitoring clock cycle Motor Module: p9300 =     SI monitoring clock cycle Control Unit: p9500 =
  Drive number:          SI monitoring clock cycle Motor Module: p9300 =     SI monitoring clock cycle Control Unit: p9500 =
  Drive number:          SI monitoring clock cycle Motor Module: p9300 =     SI monitoring clock cycle Control Unit: p9500 =
  Drive number:          SI monitoring clock cycle Motor Module: p9300 =     SI monitoring clock cycle Control Unit: p9500 =
  Drive number:          SI monitoring clock cycle Motor Module: p9300 =     SI monitoring clock cycle Control Unit: p9500 =

TM54F parameters
  p10000 =


9.2.2 Description of safety functions - Documentation Part 2

Note
This description of a system is for illustration purposes only. In each case, the actual settings
for the system concerned will need to be modified as required.

9.2.2.1 Function table

Table 9- 4 Example table: Active monitoring functions depending on the operating mode, the
protective doors or other sensors

Mode of operation | Protective door | Drive | Status of monitoring functions
Production | closed and locked | 1 | deactivated
Production | closed and locked | 2 | SLS enabled
Production | unlocked | 1 | SOS
Production | unlocked | 2 | STO deactivated
Setup | closed and locked | 1 | deactivated
Setup | closed and locked | 2 | SLS 1 enabled
Setup | unlocked | 1 | SLS 1 deselected
Setup | unlocked | 2 | enabled

9.2.2.2 Safety Integrated functions used

Table 9- 5 Example: functional overview of the safety functions

Drive | SI function | Limit | active if
1 | SOS | 100 mm | refer to the function table
1 | SLS 1 | 200000 mm/min | refer to the function table
1 | SLS 2 | 50000 mm/min | refer to the function table
2 | SOS | 100 mm | refer to the function table
2 | SLS 1 | 50 rpm | refer to the function table
... | ... | ... | ...
Comments:
All drives use the SI function SS1 for the EMERGENCY STOP functionality.
Drive 2 is equipped with a holding brake which is controlled by two channels via the
corresponding Motor Module output.


Drive-specific data

Table 9- 6 Drive-specific data (excerpt)

SI function | Parameter Motor Modules / CU | Motor Module value / CU value
Enable safety functions | p9301 / p9501 | 0000 bin
Axis type | p9302 / p9502 | 0
Encoder assignment | p9326 / p9526 | 1
Sensor Module node identifier | p9328[0..11] | 0000 hex
Enable drive-integrated functions | p9801 / p9601 | 0000 bin
PROFIsafe address | p9810 / p9610 | 0000 hex
SOS standstill tolerance | p9330 / p9530 | 1.000°
PLC limit values | p9331[0..3] / p9531[0..3] | 2000.00 mm/min
Actual value comparison tolerance | p9342 / p9542 | 0.1000°
SSM speed limit | p9346 / p9546 | 20.00 mm/min / 20.00 1/min
SBR actual speed tolerance | p9348 / p9548 | 300.00 1/min
STOP C -> SOS delay time | p9352 / p9552 | 100.00 ms
STOP D -> SOS delay time | p9353 / p9553 | 100.00 ms
STOP E -> SOS delay time | p9354 / p9554 | 100.00 ms
STOP F -> STOP A delay time | p9355 / p9555 | 0.00 ms
STOP F -> STOP B delay time | p9858 / p9658 | 0.00 µs
Safe Stop 1 delay time | p9852 / p9652 | 0.00 µs
Pulse cancelation delay time | p9356 / p9556 | 100.00 ms
Acceptance test mode time limit | p9358 / p9558 | 40000.00 ms
PLC stop response | p9363[0..3] / p9563[0..3] | 2
Acceptance test mode | p9370 / p9570 | 0000 hex
Acceptance test status | r9371 / r9571 | 0000 hex
... | ... | ...


9.2.2.3 Safety Integrated functions parameterized via TM54F

Parameters for control by way of TM54F

Table 9- 7 Parameters for control via the TM54F (excerpt)

SI function | Parameters | Value
Sampling time | p10000 | 12.00 ms
Monitoring time discrepancy * | p10002 | 12.00 ms
Forced dynamic behavior timer | p10003 | 8.00 h
Input terminal forced dynamic behavior F-DO 0...3 | p10007 | 0
TM54F operating mode | p10008 | 1
Special operation mode selection | p10020[0...3] | 1
Emergency Stop stop response | p10021[0...3] | 0
STO input terminal | p10022[0...3] | 0
SS1 input terminal | p10023[0...3] | 0
SS2 input terminal | p10024[0...3] | 0
SOS input terminal | p10025[0...3] | 0
PLC input terminal | p10026[0...3] | 0
EMERGENCY STOP input terminal | p10038[0...3] | 0
F-DI input mode | p10040[0...3] | 0
F-DI test enable | p10041 | 0000 bin
F-DO 0 signal sources | p10042[0...5] | 0
F-DO 1 signal sources | p10043[0...5] | 0
F-DO 2 signal sources | p10044[0...5] | 0
F-DO 3 signal sources | p10045[0...5] | 0
Test sensor feedback input DI 20...23 | p10046[0...5] | 0
* Additional important information can be found in Chapter "Input/output interconnections of a
safety switching device with TM54F".


9.2.2.4 Safety equipment

Protective door
The protective door is unlocked by means of single-channel request key
Protective door switch
The protective door is equipped with a safety door switch. The safety door switch returns the dual-
channel signal "Door closed and locked". Changeover and selection of safety functions in accordance
with the table shown above.
Mode selector switch
The "Production" and "Setup" modes are set by means of a mode selector switch. The key switch
features two contact levels. Changeover and selection of safety functions in accordance with the
table shown above.
EMERGENCY-STOP pushbutton
The dual-channel EMERGENCY-STOP pushbuttons are wired in series. The EMERGENCY STOP
signal activates SS1 for all drives and subsequently activates the external brakes and STO.
Test stop
Activation by means of:
• Machine power on
• Unlocking the protective door

9.3 Acceptance tests

Note
As far as possible, the acceptance tests are to be carried out at the maximum possible
machine speed and acceleration rates to determine the maximum braking distances and
braking times that can be expected.


9.3.1 Basic Functions

9.3.1.1 Safe Torque Off

"Safe Torque Off" (STO) function

Table 9- 8 "Safe Torque Off" function

No. Description Status


Note:
The acceptance test must be individually conducted for each configured control.
The control can be realized via terminals or via PROFIsafe.
1. Initial state
• Drive in "Ready" state (p0010 = 0)
• STO function enabled (onboard terminals, Control Unit and Motor Module/Power
Module/PROFIsafe)
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.17 = r9872.17 = 0 (STO deselection via terminal - Control Unit/Motor Module, via
terminal)
• r9772.20 = r9872.20 = 0 (STO deselection via PROFIsafe - Control Unit/Motor Module,
via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – Control Unit, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – Motor Module, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9720.0 = 0 (STO selected)
• r9722.0 = 0 (STO selected)
2. • r9772.20 = r9872.20 = (STO cause selection, via PROFIsafe)
3. • When terminals are grouped for "Safe Torque Off":
r9774.0 = r9774.1 = 0 (STO deselected and inactive - group)
Run the drive
Check whether the correct drive is operational
Select STO when issuing the traversing command
Check the following:
• The drive coasts to a standstill or is braked and stopped by the mechanical brake (if
available and configured (p1215, p9602, p9802)).
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.17 = r9872.17 = 1 (STO selection via terminal - Control Unit/Motor Module, via
terminals)
• r9772.20 = r9872.20 = 1 (STO selection via PROFIsafe - Control Unit/Motor Module, via
PROFIsafe)
• r9772.0 = r9772.1 = 1 (STO selected and active – Control Unit, via terminals)

• r9872.0 = r9872.1 = 1 (STO selected and active – Motor Module, via terminals)
• r9720.0 = 0 (STO selected)
• r9722.0 = 0 (STO selected)
4. • r9773.0 = r9773.1 = 1 (STO selected and active – drive, via terminals)
5. • When terminals are grouped for "Safe Torque Off":
r9774.0 = r9774.1 = 1 (STO selected and active - group)
Deselect STO
Check the following:
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.17 = r9872.17 = 0 (STO deselection via terminal - Control Unit/Motor Module, via
terminals)
• r9772.20 = r9872.20 = 0 (STO deselection via PROFIsafe - Control Unit/Motor Module,
via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – Control Unit, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – Motor Module, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9720.0 = 0 (STO selected)
• r9722.0 = 0 (STO selected)
• When terminals are grouped for "Safe Torque Off":
r9774.0 = r9774.1 = 0 (STO deselected and inactive - group)
• r0046.0 = 1 (drive in "switch-on inhibited" state)
Acknowledge "switch-on inhibited" and move the drive
Check that the correct drive is operational.
In so doing, the following is tested:
• Correct DRIVE-CLiQ wiring between Control Unit and Motor Modules
• Correct assignment of drive No. – Motor Module – motor
• The hardware is functioning properly
• The switch-off signal paths are wired correctly
6. • Correct assignment of the terminals for STO on the Control Unit
7. • Correct STO grouping (if available)
8. • Correct parameterization of the STO function
9. • Routine for forced dormant error detection of the switch-off signal paths (only via terminal)
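The status-word checks in the table above can be evaluated mechanically once the three snapshots (initial state, STO selected, STO deselected) have been read out of the drive, for example with STARTER's expert list. The Python below is an added example written for this page; it is not Siemens code and not part of the manual. The bit positions are the ones the table lists (r9772/r9872 bits 0, 1, 17 and 20, r9773 and r9774 bits 0/1, r0046.0). The snapshot layout, the step names, the `control` argument (terminal or profisafe, because the test is run once per configured control) and the conservative rule that any code in r0945/r2122/r2132 blocks the step are assumptions of the example; the r9720/r9722 entries of the table are not modelled.

```python
"""Evaluate STO acceptance-test status words (added example, not part of the manual).

Bit positions follow the checks listed in the acceptance-test table:
  r9772 / r9872  bit 0   STO selected   (Control Unit / Motor Module)
                 bit 1   STO active
                 bit 17  STO selected via terminal
                 bit 20  STO selected via PROFIsafe
  r9773          bit 0/1 STO selected/active, both channels combined (drive)
  r9774          bit 0/1 STO selected/active for the terminal group
  r0046          bit 0   switch-on inhibited
The parameter names used as dict keys, the step names and the treatment of any
message code as a blocker are assumptions of this example.
"""
from typing import Dict, List, Sequence, Tuple

Readings = Dict[str, int]          # parameter name -> raw value, e.g. {"r9772": 0x20003}

BIT_STO_SELECTED = 0
BIT_STO_ACTIVE = 1
BIT_SELECTED_VIA_TERMINAL = 17
BIT_SELECTED_VIA_PROFISAFE = 20
BIT_SWITCH_ON_INHIBITED = 0        # r0046.0

SELECTION_BIT = {"terminal": BIT_SELECTED_VIA_TERMINAL,
                 "profisafe": BIT_SELECTED_VIA_PROFISAFE}

# The manual lists r0945, r2122 and r2132 for "no Safety faults and alarms";
# this example treats any non-zero code in them as a blocker (conservative).
MESSAGE_PARAMS = ("r0945", "r2122", "r2132")

STEPS = ("initial", "sto_selected", "sto_deselected")


def bit(word: int, n: int) -> int:
    return (word >> n) & 1


def expected_bits(step: str, control: str, grouped: bool) -> Dict[Tuple[str, int], int]:
    """Expected bit values for one step of the test, keyed by (parameter, bit)."""
    if step not in STEPS:
        raise ValueError(f"unknown step {step!r}")
    sel = 1 if step == "sto_selected" else 0
    sel_bit = SELECTION_BIT[control]
    exp: Dict[Tuple[str, int], int] = {}
    for param in ("r9772", "r9872"):       # Control Unit and Motor Module must both switch
        exp[(param, BIT_STO_SELECTED)] = sel
        exp[(param, BIT_STO_ACTIVE)] = sel
        exp[(param, sel_bit)] = sel        # only the control path under test is checked
    exp[("r9773", 0)] = sel                # combined drive status
    exp[("r9773", 1)] = sel
    if grouped:                            # terminals grouped for STO
        exp[("r9774", 0)] = sel
        exp[("r9774", 1)] = sel
    if step == "sto_deselected":           # STO leaves the drive in "switch-on inhibited"
        exp[("r0046", BIT_SWITCH_ON_INHIBITED)] = 1
    return exp


def check_step(step: str, readings: Readings, control: str, grouped: bool = False) -> List[str]:
    """Return the deviations for one step; an empty list means the step passed."""
    findings: List[str] = []
    for param in MESSAGE_PARAMS:
        code = readings.get(param, 0)
        if code:
            findings.append(f"{step}: {param} reports message code {code}, expected none")
    for (param, n), want in expected_bits(step, control, grouped).items():
        if param not in readings:
            findings.append(f"{step}: {param} not recorded")
            continue
        got = bit(readings[param], n)
        if got != want:
            findings.append(f"{step}: {param}.{n} = {got}, expected {want}")
    return findings


def check_sequence(snapshots: Sequence[Tuple[str, Readings]], control: str,
                   grouped: bool = False) -> List[str]:
    """Check the three snapshots (initial, STO selected, STO deselected) in order."""
    names = [name for name, _ in snapshots]
    if names != list(STEPS):
        return [f"snapshots must be recorded in order {STEPS}, got {tuple(names)}"]
    findings: List[str] = []
    for name, readings in snapshots:
        findings.extend(check_step(name, readings, control, grouped))
    return findings


def sample_snapshots(mm_active_bit: int = 1) -> List[Tuple[str, Readings]]:
    """Constructed readings for a test via terminals with grouped STO (not a drive log).
    mm_active_bit=0 simulates a Motor Module whose second switch-off path did not act."""
    idle = {"r9772": 0, "r9872": 0, "r9773": 0, "r9774": 0, "r0046": 0,
            "r0945": 0, "r2122": 0, "r2132": 0}
    cu_sel = (1 << BIT_STO_SELECTED) | (1 << BIT_STO_ACTIVE) | (1 << BIT_SELECTED_VIA_TERMINAL)
    mm_sel = (1 << BIT_STO_SELECTED) | (mm_active_bit << BIT_STO_ACTIVE) | (1 << BIT_SELECTED_VIA_TERMINAL)
    selected = dict(idle, r9772=cu_sel, r9872=mm_sel, r9773=0b11, r9774=0b11)
    deselected = dict(idle, r0046=1)
    return [("initial", idle), ("sto_selected", selected), ("sto_deselected", deselected)]


if __name__ == "__main__":
    for label, snaps in (("good", sample_snapshots()), ("MM channel stuck", sample_snapshots(0))):
        result = check_sequence(snaps, control="terminal", grouped=True)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  ", line)
```

Record one snapshot per step for every configured control, and keep the returned findings with the acceptance report: an empty list is the evidence that the step passed, and a non-empty one names the channel that did not behave (in the constructed failure the Motor Module's second switch-off path, r9872.1, stays 0 although the Control Unit reports STO active).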


9.3.1.2 Safe Stop 1

"Safe Stop 1" function (SS1, time-controlled)

Table 9-9 "Safe Stop 1" function

No. Description Status
Note:
The acceptance test must be individually conducted for each configured control.
The control can be realized via terminals or via PROFIsafe.
1. Initial state
• Drive in "Ready" state (p0010 = 0)
• STO function enabled (onboard terminals CU and MM/PROFIsafe)
• SS1 function enabled (p9652 > 0, p9852 > 0)
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.22 = r9872.22 = 0 (SS1 deselection via terminal – Control Unit/Motor Module, via terminals)
• r9772.23 = r9872.23 = 0 (SS1 deselection via PROFIsafe – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – CU, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – MM, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9720.1 = 0 (SS1 selected)
• r9722.1 = 0 (SS1 selected)
• r9772.2 = r9872.2 = 0 (SS1 not requested – CU and MM)
• When terminals are grouped for "Safe Torque Off":
  r9774.0 = r9774.1 = 0 (STO deselected and inactive – group)
2. Run the drive
3. Check whether the correct drive is operational
4. Select SS1 while the run command is issued
5. Check the following:
• The drive is braked along the OFF3 ramp (p1135)
Before the SS1 delay time (p9652, p9852) expires, the following applies:
• r9772.22 = r9872.22 = 1 (SS1 selection via terminal – Control Unit/Motor Module, via terminals)
• r9772.23 = r9872.23 = 1 (SS1 selection via PROFIsafe – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – CU, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – MM, via terminals)
• r9772.2 = r9872.2 = 1 (SS1 active – CU and MM, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9773.2 = 1 (SS1 active – drive, via terminals)
After the SS1 delay time (p9652, p9852) expires, STO is initiated:
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.0 = r9772.1 = 1 (STO selected and active – CU, via terminals)
• r9872.0 = r9872.1 = 1 (STO selected and active – MM, via terminals)
• r9772.2 = r9872.2 = 0 (SS1 inactive – CU and MM, via terminals)
• r9773.0 = r9773.1 = 1 (STO selected and active – drive, via terminals), r9720/r9722.0
• r9773.2 = 0 (SS1 inactive – drive, via terminals)
• r9720.1 = 0 (SS1 selected)
• r9722.1 = 0 (SS1 selected)
6. Cancel SS1 and check the following:
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.22 = r9872.22 = 0 (SS1 deselection via terminal – Control Unit/Motor Module, via terminals)
• r9772.23 = r9872.23 = 0 (SS1 deselection via PROFIsafe – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – CU, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – MM, via terminals)
• r9772.2 = r9872.2 = 0 (SS1 inactive – CU and MM, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9773.2 = 0 (SS1 inactive – drive, via terminals)
• r9720.1 = 0 (SS1 selected)
• r9722.1 = 0 (SS1 selected)
7. • r0046.0 = 1 (drive in "switch-on inhibited" state)
Acknowledge "switch-on inhibited" and move the drive
8. Check whether the correct drive is operational
In so doing, the following is tested:
• Correct parameterization of the SS1 function
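The behaviour the table describes, braking along the OFF3 ramp (p1135) and STO after the delay time (p9652) has expired, is easiest to document from a trace of r9714 (safe actual velocity) and r9773 (SI status, drive) recorded during step 4. The Python below evaluates such a trace; it is an added example for this page, not code from Siemens or the manual. The r9773 bit numbers (0/1 STO selected/active, 2 SS1 active) are those of the table. The sample period, the tolerances, the `Sample` record and the constructed trace are assumptions; in the constructed trace the initial speed is taken as the reference speed of the OFF3 ramp, and whatever speed is left when STO fires is held constant to stand in for coasting.

```python
"""Evaluate a recorded time-controlled SS1 trace (added example, not from the manual).

Checks, derived from the acceptance-test table:
  - r9773.2 (SS1 active) becomes 1 when SS1 is selected,
  - STO (r9773.0 and r9773.1) is not active before that point,
  - the speed magnitude does not rise while SS1 brakes along the OFF3 ramp,
  - STO becomes active when the SS1 delay time p9652 has expired and r9773.2
    is cleared at that point and STO stays active afterwards,
  - observation for the report: speed left when STO took over (the drive coasts
    from there, which is what the delay time is meant to avoid).
Sample period, tolerances and the constructed trace are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Sample:
    t: float       # seconds since trace start
    v: float       # r9714 safe actual velocity (signed, 1/min assumed)
    r9773: int     # SI status word (drive)


@dataclass
class Result:
    findings: List[str] = field(default_factory=list)
    t_select: Optional[float] = None
    t_sto: Optional[float] = None
    measured_delay: Optional[float] = None

    @property
    def passed(self) -> bool:
        return not self.findings


def bit(word: int, n: int) -> int:
    return (word >> n) & 1


def sto_active(w: int) -> bool:
    return bit(w, 0) == 1 and bit(w, 1) == 1


def evaluate_ss1_trace(trace: List[Sample], p9652: float, delay_tolerance: float = 0.01,
                       standstill: float = 1.0) -> Result:
    res = Result()
    if not trace:
        res.findings.append("empty trace")
        return res
    i_sel = next((i for i, s in enumerate(trace) if bit(s.r9773, 2) == 1), None)
    if i_sel is None:
        res.findings.append("SS1 was never active (r9773.2 stayed 0)")
        return res
    res.t_select = trace[i_sel].t
    if any(sto_active(s.r9773) for s in trace[:i_sel]):
        res.findings.append("STO active before SS1 was selected")

    i_sto = next((i for i, s in enumerate(trace) if i >= i_sel and sto_active(s.r9773)), None)
    if i_sto is None:
        res.findings.append("STO never became active after SS1 selection")
        return res
    res.t_sto = trace[i_sto].t
    res.measured_delay = res.t_sto - res.t_select
    if abs(res.measured_delay - p9652) > delay_tolerance:
        res.findings.append(f"STO after {res.measured_delay:.3f} s, expected p9652 = {p9652:.3f} s")

    # Braking phase: |v| must not increase from one sample to the next.
    braking = trace[i_sel:i_sto]
    for prev, cur in zip(braking, braking[1:]):
        if abs(cur.v) > abs(prev.v) + 1e-9:
            res.findings.append(f"speed rose during SS1 braking at t = {cur.t:.3f} s")
            break
    if abs(trace[i_sto].v) > standstill:
        res.findings.append(f"drive still turning ({trace[i_sto].v:.0f} 1/min) when STO took over")

    # After the delay time STO stays active and the SS1 bit is cleared.
    for s in trace[i_sto:]:
        if not sto_active(s.r9773):
            res.findings.append(f"STO dropped out at t = {s.t:.3f} s")
            break
        if bit(s.r9773, 2) == 1:
            res.findings.append(f"r9773.2 still 1 after STO at t = {s.t:.3f} s")
            break
    return res


def build_trace(t_sel: float = 0.1, p1135: float = 0.4, p9652: float = 0.5,
                v0: float = 1500.0, dt: float = 0.004, t_end: float = 0.8) -> List[Sample]:
    """Constructed trace (not a recording): SS1 selected at t_sel, linear OFF3 ramp from v0
    to 0 in p1135 (v0 taken as the ramp's reference speed), STO after p9652. Speed left at
    that moment is held constant to stand in for coasting."""
    i_sel = round(t_sel / dt)
    i_sto = round((t_sel + p9652) / dt)
    v_coast = max(0.0, v0 * (1 - p9652 / p1135))
    samples = []
    for i in range(round(t_end / dt) + 1):
        t = i * dt
        if i < i_sel:
            samples.append(Sample(t, v0, 0))
        elif i < i_sto:
            samples.append(Sample(t, max(0.0, v0 * (1 - (t - t_sel) / p1135)), 1 << 2))
        else:
            samples.append(Sample(t, v_coast, 0b011))
    return samples


if __name__ == "__main__":
    for label, trace in (("p1135 = 0.4 s", build_trace()), ("p1135 = 0.9 s", build_trace(p1135=0.9))):
        r = evaluate_ss1_trace(trace, p9652=0.5)
        print(f"{label}: {'PASS' if r.passed else 'FAIL'}, STO after {r.measured_delay:.3f} s")
        for f in r.findings:
            print("  ", f)
```

The second constructed run shows why the trace, and not only the status words, belongs in the report: with an OFF3 ramp longer than the delay time every bit in the table reads as expected, but the drive is still turning when STO removes torque.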


9.3.1.3 Safe Brake Control

"Safe Brake Control" function (SBC)

Table 9-10 "Safe Brake Control" function

No. Description Status
Note:
The acceptance test must be individually conducted for each configured control.
The control can be realized via terminals or via PROFIsafe.
1. Initial state
• Drive in "Ready" state (p0010 = 0)
• STO function enabled (onboard terminals CU and MM/TM54F/PROFIsafe)
• SBC function enabled (p9602 = 1, p9802 = 1)
• Brake as in sequence control (p1215 = 1)
• Mechanical brake is closed
• No Safety faults and alarms (r0945, r2122)
• r9772.4 = r9872.4 = 0 (SBC deselection via terminal – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – CU, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – MM, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9772.4 = r9872.4 = 0 (SBC not requested – CU and MM)
2. Run the drive (the applied brake is released)
3. Check whether the correct drive is operational
4. Select STO/SS1 while the traversing command is issued
5. Check the following:
• The drive is braked and stopped by the mechanical brake.
• No Safety faults or alarms (r0945, r2122)
• r9772.4 = r9872.4 = 1 (SBC selection via terminal – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 1 (STO selected and active – CU, via terminals)
• r9872.0 = r9872.1 = 1 (STO selected and active – MM, via terminals)
• r9773.0 = r9773.1 = 1 (STO selected and active – drive, via terminals)
6. Deselect STO
7. Check the following:
• Brake as in sequence control (p1215 = 1)
• Mechanical brake is closed
• No Safety faults and alarms (r0945, r2122)
• r9772.4 = r9872.4 = 0 (SBC deselection via terminal – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – CU, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – MM, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
8. • r0046.0 = 1 (drive in "switch-on inhibited" state)
9. Acknowledge "switch-on inhibited" and run the drive
(vertical axis: mechanical brake is released)
Check whether the correct drive is operational.
In so doing, the following is tested:
• The brake is connected properly
• The hardware is functioning properly
• The SBC is parameterized correctly
• Routine for the forced dormant error detection of the brake control

9.3.2 Extended Functions

9.3.2.1 Acceptance tests for Extended Functions


If Safety Integrated functions are used, acceptance tests must be carried out for the
Basic Functions in use as well as for the Extended Functions in use.


9.3.2.2 Safe Torque Off

"Safe Torque Off" (STO) function

Table 9-11 "Safe Torque Off" function

No. Description Status
Note:
The acceptance test must be individually conducted for each configured control.
The control can be realized via terminals or via PROFIsafe.
1. Initial state
• Drive in "Ready" state (p0010 = 0)
• STO function enabled (onboard terminals, Control Unit and Motor Module/Power Module/PROFIsafe)
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.17 = r9872.17 = 0 (STO deselection via terminal – Control Unit/Motor Module, via terminals)
• r9772.20 = r9872.20 = 0 (STO deselection via PROFIsafe – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – Control Unit, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – Motor Module, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9720.0 = 0 (STO selected)
• r9722.0 = 0 (STO selected)
• r9772.20 = r9872.20 = (STO cause selection, via PROFIsafe)
• When terminals are grouped for "Safe Torque Off":
  r9774.0 = r9774.1 = 0 (STO deselected and inactive – group)
2. Run the drive
3. Check whether the correct drive is operational
4. Select STO while the traversing command is issued
5. Check the following:
• The drive coasts to a standstill or is braked and stopped by the mechanical brake (if available and configured (p1215, p9602, p9802)).
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.17 = r9872.17 = 1 (STO selection via terminal – Control Unit/Motor Module, via terminals)
• r9772.20 = r9872.20 = 1 (STO selection via PROFIsafe – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 1 (STO selected and active – Control Unit, via terminals)
• r9872.0 = r9872.1 = 1 (STO selected and active – Motor Module, via terminals)
• r9720.0 = 0 (STO selected)
• r9722.0 = 0 (STO selected)
• r9773.0 = r9773.1 = 1 (STO selected and active – drive, via terminals)
• When terminals are grouped for "Safe Torque Off":
  r9774.0 = r9774.1 = 1 (STO selected and active – group)
6. Deselect STO
7. Check the following:
• No Safety faults and alarms (r0945, r2122, r2132)
• r9772.17 = r9872.17 = 0 (STO deselection via terminal – Control Unit/Motor Module, via terminals)
• r9772.20 = r9872.20 = 0 (STO deselection via PROFIsafe – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – Control Unit, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – Motor Module, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9720.0 = 0 (STO selected)
• r9722.0 = 0 (STO selected)
• When terminals are grouped for "Safe Torque Off":
  r9774.0 = r9774.1 = 0 (STO deselected and inactive – group)
8. • r0046.0 = 1 (drive in "switch-on inhibited" state)
9. Acknowledge "switch-on inhibited" and move the drive
Check that the correct drive is operational.
In so doing, the following is tested:
• Correct DRIVE-CLiQ wiring between Control Unit and Motor Modules
• Correct assignment of drive No. – Motor Module – motor
• The hardware is functioning properly
• The switch-off signal paths are wired correctly
• Correct assignment of the terminals for STO on the Control Unit
• Correct STO grouping (if available)
• Correct parameterization of the STO function
• Routine for forced dormant error detection of the switch-off signal paths (only via terminal)


9.3.2.3 Safe Stop 1

"Safe Stop 1" function (SS1, time and acceleration controlled)

Table 9- 12 "Safe Stop 1" function

No. Description Status


Note:
The acceptance test must be individually performed for each configured control.
The control can, for example, be realized via terminals, via TM54F or via PROFIsafe.
1. Initial state
• Drive in the "Ready" state (p0010 = 0)
• Safety Integrated Extended Functions enabled (p9601.2 = 1)
• Safety functions enabled (p9501.0 = 1)
• No safety faults and alarms (r0945, r2122, r2132, r9747[0...7] )
2. Run the drive
3. Check whether the correct drive moves
4. Start trace (trigger r9720.1 = 0)
The following values are recorded (traced):
• Safe actual velocity (r9714)
• r9720.1 = 1
• r9722.0 = 1
• r9722.1 = 1
5. Select SS1 while the drive is moving
6. The drive must brake down to the speed limit configured in p1226 or p9360/p9560
7. Save / print the trace (see following example)
8. Canceling SS1
9. Acknowledge "switch-on inhibited" and run the drive
10. Ensure that the correct drive is running


Example of the trace

Figure 9-1 Example Trace SS1


9.3.2.4 Safe Brake Control

"Safe Brake Control" function (SBC)

Table 9-13 "Safe Brake Control" function

No. Description Status
Note:
The acceptance test must be individually conducted for each configured control.
The control can be realized via terminals or via PROFIsafe.
1. Initial state
• Drive in "Ready" state (p0010 = 0)
• STO function enabled (onboard terminals CU and MM/TM54F/PROFIsafe)
• SBC function enabled (p9602 = 1, p9802 = 1)
• Brake as in sequence control (p1215 = 1)
• Mechanical brake is closed
• No Safety faults and alarms (r0945, r2122)
• r9772.4 = r9872.4 = 0 (SBC deselection via terminal – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – CU, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – MM, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
• r9772.4 = r9872.4 = 0 (SBC not requested – CU and MM)
2. Run the drive (the applied brake is released)
3. Check whether the correct drive is operational
4. Select STO/SS1 while the traversing command is issued
5. Check the following:
• The drive is braked and stopped by the mechanical brake.
• No Safety faults or alarms (r0945, r2122)
• r9772.4 = r9872.4 = 1 (SBC selection via terminal – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 1 (STO selected and active – CU, via terminals)
• r9872.0 = r9872.1 = 1 (STO selected and active – MM, via terminals)
• r9773.0 = r9773.1 = 1 (STO selected and active – drive, via terminals)
6. Deselect STO
7. Check the following:
• Brake as in sequence control (p1215 = 1)
• Mechanical brake is closed
• No Safety faults and alarms (r0945, r2122)
• r9772.4 = r9872.4 = 0 (SBC deselection via terminal – Control Unit/Motor Module, via PROFIsafe)
• r9772.0 = r9772.1 = 0 (STO deselected and inactive – CU, via terminals)
• r9872.0 = r9872.1 = 0 (STO deselected and inactive – MM, via terminals)
• r9773.0 = r9773.1 = 0 (STO deselected and inactive – drive, via terminals)
8. • r0046.0 = 1 (drive in "switch-on inhibited" state)
9. Acknowledge "switch-on inhibited" and run the drive
(vertical axis: mechanical brake is released)
Check whether the correct drive is operational.
In so doing, the following is tested:
• The brake is connected properly
• The hardware is functioning properly
• The SBC is parameterized correctly
• Routine for the forced dormant error detection of the brake control


9.3.2.5 Safe Stop 2

"Safe Stop 2" function (SS2)

Table 9- 14 "Safe Stop 2" function

No. Description Status


Note:
The acceptance test must be individually performed for each configured control. The control can be realized, for example,
via terminals, the TM54F or via PROFIsafe.
1. Initial state
• Drive in the "Ready" state (p0010 = 0)
• Safety Integrated Extended Functions enabled (p9601.2 = 1)
• Safety functions enabled (p9501.0 = 1)
• No safety message (r0945, r2122, r2132, r9747)
2. Run the drive
3. Ensure that the correct drive is running
4. Start Trace (trigger SS2 selected r9720.2 = 0)
Trace recording of the following values:
• Safe actual velocity (r9714)
• r9720.2 = 0 (SS2 no deselection)
• r9722.2 = 1 (SS2 selected and active)
• r9722.3 = 1 (SOS selected and active)
5. Select SS2 while the drive is moving
6. The drive must decelerate to the standstill limit
7. Save / print the trace (see following example)
8. Deselect SS2 (SS2 deselected and inactive)
9. The drive follows the setpoint again


Example of the trace

Figure 9-2 Example Trace SS2


9.3.2.6 Safe Operating Stop

"Safe Operating Stop" (SOS) function

Table 9- 15 "Safe Operating Stop" function

No. Description Status


Note:
The acceptance test must be individually performed for each configured control.
The control can, for example, be realized via terminals, via TM54F or via PROFIsafe.
1. Initial state
• Drive in the "Ready" state (p0010 = 0)
• Safety Integrated Extended Functions enabled (p9601.2 = 1)
• Safety functions enabled (p9501.0 = 1)
• No safety message (r0945, r2122, r2132, r9747)
2. Deactivate any speed setpoint limit in the higher-level controller
3. Start trace (trigger STO active r9721.0)
The trace records the following values:
• Safe actual position value (r9713[0/1])
• r9721.12 = 1 (STOP A or B active)
• r9722.0 = 1 (STO selected and active)
• r9722.3 = 1 (SOS selected and active)
4. Select SOS
5. Activate the acceptance test mode using p9370 = p9570 = 00AC (hex)
6. Run the drive beyond the standstill limit set in p9330/p9530
7. The drive must decelerate to the standstill limit
8. Save / print the trace (see following example)
9. Deactivate the acceptance test mode using p9370 = p9570 = 0000 (hex)


Example of the trace

Figure 9-3 Example trace SOS


9.3.2.7 Safely Limited Speed

"Safely Limited Speed" (SLS) function

Table 9- 16 "Safely-Limited Speed" function

No. Description Status


Note:
The acceptance test must be individually performed for each configured control and every SLS speed limit used.
The control can be realized, for example, via terminals, the TM54F or via PROFIsafe.
1. Initial state
• Drive in the "Ready" state (p0010 = 0)
• Safety Integrated Extended Functions enabled (p9601.2 = 1)
• Safety Functions enabled (p9501.0 = 1)
• No safety message (r0945, r2122, r2132, r9747)
2. Deactivate any speed setpoint limit in the higher-level controller
3. Start Trace (trigger r9722.7 = 1/0 edge)
Trace recording of the following values:
• Safe actual velocity (r9714)
• Parameterized STOP X* active (r9721.13)
• r9720.3 = 0 (SOS selected)
• r9722.4 = 0 (SLS selected)
4. Select SLS
5. Activate the acceptance test mode using p9370 = p9570 = 00AC (hex)
6. Move the drive beyond the speed limit set in p9331/p9531
7. Initiated by the parameterized stop function, the drive must decelerate to the
standstill limit
8. Save / print the trace (see following example)
9. Deactivate the acceptance test mode using p9370 = p9570 = 0000 (hex)
* STOP C = default, STOP A to STOP D can be parameterized


Examples for traces


Example 1

Figure 9-4 Trace example: Switch over SLS level 2 to 1 with STOP A


Example 2

Figure 9-5 Trace example: Switch over SLS level 3 to 2 with STOP B


Example 3

Figure 9-6 Trace example: Switch over SLS level 4 to 3 with STOP C


Example 4

Figure 9-7 Trace example: SLS active STOP D


9.3.2.8 Safe Speed Monitor

Table 9- 17 "Safe Speed Monitor" function

No. Description Status


Note:
The acceptance test must be individually performed for each configured control.
The control can, for example, be realized via terminals, via TM54F or via PROFIsafe.
1. Initial state
• Drive in the "Ready" state (p0010 = 0)
• Safety Integrated Extended Functions enabled (p9601.2 = 1)
• Safety functions enabled (p9501.0 = 1)
• No safety message (r0945, r2122, r2132, r9747)
2. Start trace (trigger r9722.15 = 1/0 edge via bit trigger*)
Trace recording of the following values:
• Safe actual velocity (r9714)
• SSM (n below limit) r9722.15
3. Operate the drive above the speed limit set in p9346/p9546 plus the hysteresis set in
p9347/p9547
4. Operate the drive below the speed limit set in p9346/p9546 minus the hysteresis set in
p9347/p9547 (e.g. at standstill)
5. Save / print the trace (see following example)
* You can find details on this in the STARTER online help.


Example of the trace

Figure 9-8 Example trace SSM


9.4 Completion of certificate

SI parameters

Specified values checked?     Yes     No
Control Unit
Motor Module

Checksums

Drive                  Checksums on the DO Control Unit     Checksums on the DO Motor Module
Name   Drive number    r9781[0/1]*   p9798                  p9898   p9399[0/1]   p9729[0...2]

* Checksum for change monitoring, see Chapter "Safety logbook"

Safety logbook

Functional checksums   r9781[0] =
Time stamp             r9782[0] =

Data backup

                     Storage medium                    Storage location
                     Type     Designation     Date
Parameter
PLC program
Circuit diagrams

Countersignatures

Commissioning engineer
This confirms that the tests and checks have been carried out properly.

Date     Name     Company/dept.     Signature

Machine manufacturer
This confirms that the parameters recorded above are correct.

Date     Name     Company/dept.     Signature

A Appendix

A.1 List of abbreviations

A.2 Document structure

[Figure: SINAMICS documentation overview. The graphic groups the documents as listed below; the product designations printed after "SINAMICS G" and "SINAMICS S" in the graphic could not be recovered from this page.]

General documentation/catalogs
• SINAMICS G: Inverter Chassis Units
• SINAMICS G: Drive Converter Chassis Units, Drive Converter Cabinet Units
• SIMOTION, SINAMICS S and Motors for Production Machines
• SINAMICS S: Chassis Units, Chassis Format Units and Cabinet Modules
• SINAMICS S: Converter Cabinet Units

Manufacturer/service documentation (SINAMICS G, GM, SM, GL, SL)
• SINAMICS G: Getting Started, Operating Instructions, List Manual
• SINAMICS G: Getting Started, Operating Instructions, Hardware Installation Manual, Function Manual Safety Integrated, List Manual
• SINAMICS G: Operating Instructions, List Manual
• SINAMICS G: Operating Instructions, List Manual
• SINAMICS GM/SM/GL/SL: Operating Instructions, List Manual

Manufacturer/service documentation (SINAMICS S)
• SINAMICS S: Equipment Manual, Getting Started, Function Manual, List Manual
• SINAMICS S: Getting Started, Commissioning Manual, Commissioning Manual for CANopen, Function Manual Drive Functions, Function Manual Safety Integrated, Function Manual DCC, List Manual
• SINAMICS S: Equipment Manual for Control Units and Additional Components, Equipment Manual for Booksize Power Units, Equipment Manual for Chassis Power Units, Equipment Manual for Chassis Liquid-Cooled Power Units, Equipment Manual Cabinet Modules, Equipment Manual AC Drive
• SINAMICS S: Operating Instructions, List Manual

Manufacturer/service documentation (SINAMICS Motors)
• DOConCD
• Engineering Manuals: Motors, Configuration Guidelines
• EMC

Suggested improvements
If you come across any misprints in this document, please let us know using this form. We
would also be grateful for any suggestions and recommendations for improvement.

To:
Siemens AG
I DT MC MS
P.O. Box
D- Erlangen, Federal Republic of Germany
Fax: (documentation)
mailto: docu.motioncontrol@siemens.com
http://www.siemens.com/automation/service&support

From:
Name:
Address of your company/dept.:
Street:
Postal code:     Location:
Phone:
Fax:

Suggestions and/or corrections:

Index

A
Acceptance test
  SBC, 195, 201
  SLS, 207
  SOS, 205
  SS2, 203
Acceptance test SS1
  SS1, 199
Activating PROFISAFE, 167
Actual value acquisition, 94
Actual value synchronization
  Encoder, 97
Alarm buffer, 92
Alarm history, 92
Alarm value, 92
Alarms
  Alarm buffer, 92
  Alarm history, 92

B
Basic Function SS1
  Acceptance test SS1, 193
Basic Function STO
  Acceptance test STO, 191, 197
Basic Functions via PROFIsafe and terminals, 116

C
Calling Safety Integrated, 164
Change password
  TM54F, 131
Commissioning
  General, 122
  Linear axis, 168
  PROFIsafe with STARTER, 142
  Rotary axis,
  Safety Integrated, 122
  TM54F, 129
Component replacement, 171
Control
  Safety Integrated, 115

D
Delay time, 67
DOs
  Deactivation/activation, 171
DRIVE-CLiQ rules, 42

E
EDS, 98
Enabling PROFIsafe, 115
Encoder
  Actual value synchronization, 97
Encoder system, 94
Encoder systems, 94
Encoder types, 96
Extended Functions
  Deactivation/activation of DO, 171

F
F parameters, 144, 154, 162
F_Dest_Add, 162
Fault acknowledgement on TM54F
  Safe, 88
Fault response, 88
F-DI, 105
F-DO, 105
Forced dormant error detection, 64, 100
Forced dormant error detection interval timer, 134
Function of Safely-Limited Speed with encoder, 75
Function test, 100
Functions
  Safe Torque Off, 53

H
Hotline, 7
HW Config, 148

I
Internal armature short-circuit, 56

L
License for Basic Functions, 115
Limit exceeded, 88
Linear axis
  Commissioning, 168

M
Message buffer, 92
Modular machine concept, 171
Motion monitoring
  Safe motion monitoring, 98
Motion monitoring functions
  Safe motion monitoring, 40

O
Overview, Safety Integrated functions
Overview, Safety functions, 38

P
PFH value, 46
Probability of failure, 46
Process data, control words
  SI STW (PROFIsafe STW), 116, 118
Process data, status words
  SI ZSW (PROFIsafe ZSW), 117, 119
PROFIsafe, 116
PROFIsafe 2.0, 155
PROFIsafe address of the drive
  F_Dest_Add, 155
PROFIsafe slot, 143
PROFIsafe topology, 147
PROFIsafe V1.0, 155
PROFIsafe version, 155

R
Residual risk, 51
Response times, 47
Rotary axis
  Commissioning, 168

S
Safe Acceleration Monitor
  SBR with encoder, 84
Safe Acceleration Monitor with encoder
  SBR with encoder, 84
Safe actual value acquisition, 94
Safe Brake Control
  SBC, 59
Safe Operating Stop
  SOS, 73
Safe Speed Monitor
  SSM, 81
Safe Stop 1
  SS1, 57, 66
  Time and acceleration controlled,
  time controlled, 57
Safe Stop 1 with encoder, 66
Safe Torque Off
  STO, 53
Safely-Limited Speed with encoder
  SLS with encoder, 75
Safety Integrated, 164
  Acknowledging faults, 63
  Commissioning, 122
  Password, 41
  Safe Stop 1, 57
  Safe Torque Off, 53
  Series commissioning, 126
Safety Integrated Basic Functions
  Stop responses, 62
Safety Integrated password, 41
Safety logbook, 184
Safety Master
  Creating a safety slot, 148
Safety slave, 153
Safety slot, 163
SBC
  Acceptance test, 195, 201
  Safe Brake Control, 59
SBR
  Safe Acceleration Monitor with encoder, 84
Series commissioning with third-party motor, 173
SINAMICS drive unit, 143
Single-encoder system, 94
SLS
  Acceptance test, 207
  Safely Limited Speed, 75
SLS speed limit values, 76
SOS
  Acceptance test, 205
  Safe Operating Stop, 73
SS1
  Safe Stop 1, 57
SS1 (time controlled)
  Safe Stop 1, 57
SS2
  Acceptance test, 203
  Safe Stop 2, 71
SS2 in an EPOS application
  Safe Stop 2 in an EPOS application, 72
SSM
  Safe Speed Monitor, 81
STO
  Safe Torque Off, 53
STOP A, 62, 88
STOP B, 88
STOP C, 88
STOP D, 88
STOP E, 88
STOP F, 62, 88
Stop response
  Stop A, 62
  Stop F, 62
Stop responses, 62
  Priorities vis-à-vis extended functions, 90
  Priority classes, 89
Support, 7

T
Test of shutdown paths, 64
Test stop, 100
Test stop mode 2, 136
Test stop mode 3, 137
Test stop modes, 134
Third-party motor with absolute encoder, 173
TM54F, 131
  Change password, 131
  Commissioning, 129
Two-channel brake control, 60
Two-encoder system, 94
Siemens AG Subject to change without prior notice
Industry Sector © Siemens AG 2009
Drive Technologies
Motion Control Systems
P.O. Box 3180
91050 ERLANGEN
GERMANY
www.siemens.com/motioncontrol
