
ATV320 Safety

The Altivar 320 Variable Speed Drives manual provides essential safety information, technical descriptions, and operational guidelines for users and integrators. It emphasizes the need for thorough risk analysis and compliance with safety standards during installation and use. The document includes detailed chapters on safety functions, technical data, commissioning, and maintenance procedures.

Uploaded by

digocco

Altivar 320

NVE50467 04/2019

Altivar 320
Variable Speed Drives

Safety Functions Manual


04/2019
NVE50467.03
www.schneider-electric.com

The information provided in this documentation contains general descriptions and/or technical
characteristics of the performance of the products contained herein. This documentation is not intended
as a substitute for and is not to be used for determining suitability or reliability of these products
for specific user applications. It is the duty of any such user or integrator to perform the appropriate
and complete risk analysis, evaluation and testing of the products with respect to the relevant specific
application or use thereof. Neither Schneider Electric nor any of its affiliates or subsidiaries shall be
responsible or liable for misuse of the information contained herein. If you have any suggestions for
improvements or amendments or have found errors in this publication, please notify us.
You agree not to reproduce, other than for your own personal, noncommercial use, all or part of this
document on any medium whatsoever without permission of Schneider Electric, given in writing. You
also agree not to establish any hypertext links to this document or its content. Schneider Electric does
not grant any right or license for the personal and noncommercial use of the document or its content,
except for a non-exclusive license to consult it on an "as is" basis, at your own risk. All rights reserved.
All pertinent state, regional, and local safety regulations must be observed when installing and using
this product. For reasons of safety and to help ensure compliance with documented system data, only
the manufacturer should perform repairs to components.
When devices are used for applications with technical safety requirements, the relevant instructions
must be followed.
Failure to use Schneider Electric software or approved software with our hardware products may result
in injury, harm, or improper operating results.
Failure to observe this information can result in injury or equipment damage.
© 2019 Schneider Electric. All rights reserved.

Table of Contents

Safety Information
About the Book
Chapter 1 General Information
    Introduction
    Certifications
    Basics
Chapter 2 Description
    Safety Function STO (Safe Torque Off)
    Safety Function SS1 (Safe Stop 1)
    Safety Function SLS (Safely-Limited Speed)
    Safety Function SMS (Safe Maximum Speed)
    Safety Function GDL (Guard Door Locking)
Chapter 3 Calculation of Safety Related Parameters
    SLS Type 1
    SLS Type 2, Type 3, Type 4, Type 5, and Type 6
    SS1
    SMS
    GDL
Chapter 4 Behavior of Safety Functions
    Limitations
    Detected Fault Inhibition
    Priority Between Safety Functions
    Factory Settings
    Configuration Download
    Priority Between Safety Functions and No Safety-Related Functions
    Monitoring of The Stator Frequency Consistency
Chapter 5 Safety Functions Visualization via HMI
    Status of Safety Functions
    Dedicated HMI
    Error Code Description
Chapter 6 Technical Data
    Electrical Data
    Getting and Operating the Safety Function
    Safety Function Capability
    Debounce Time and Response Time
Chapter 7 Certified Architectures
    Introduction
    Multi-drive with the Safety Module Type Preventa XPS AF - Case 1
    Multi-drive with the Safety Module Type Preventa XPS AF - Case 2
    Multi-drive Without the Safety Module
    Single Drive with the Safety Module Type Preventa XPS AV - Case 1
    Single Drive with the Safety Module Type Preventa XPS AV - Case 2
    Single Drive with the Safety Module Type Preventa XPS AF - Case 1
    Single Drive with the Safety Module Type Preventa XPS AF - Case 2
    Single Drive According to IEC 61508 and IEC 60204-1 - Case 1
    Single Drive According to IEC 61508 and IEC 60204-1 - Case 2
    Single Drive According to IEC 61508 and IEC 62061 with Safety Function GDL
    Multi-drive Chaining According to IEC 61508 and IEC 62061 with Safety Function GDL
Chapter 8 Commissioning
    Safety Functions Tab
    Configure Safety Functions Panel
    Visualization and Status of Safety Functions
    Copying Safety Related Configuration from Device to PC and from PC to Device
    Machine Signature
Chapter 9 Services and Maintenance
    Maintenance
    Power and MCU Replacement
    Changing Machine Equipment

Safety Information

Important Information

NOTICE
Read these instructions carefully, and look at the equipment to become familiar with the device before
trying to install, operate, service, or maintain it. The following special messages may appear throughout
this documentation or on the equipment to warn of potential hazards or to call attention to information
that clarifies or simplifies a procedure.

PLEASE NOTE
Electrical equipment should be installed, operated, serviced, and maintained only by qualified
personnel. No responsibility is assumed by Schneider Electric for any consequences arising out of the
use of this material.
A qualified person is one who has skills and knowledge related to the construction and operation of
electrical equipment and its installation, and has received safety training to recognize and avoid the
hazards involved.

Qualification Of Personnel
Only appropriately trained persons who are familiar with and understand the contents of this manual and
all other pertinent product documentation are authorized to work on and with this product. In addition,
these persons must have received safety training to recognize and avoid hazards involved. These
persons must have sufficient technical training, knowledge and experience and be able to foresee and
detect potential hazards that may be caused by using the product, by changing the settings and by the
mechanical, electrical and electronic equipment of the entire system in which the product is used. All
persons working on and with the product must be fully familiar with all applicable standards, directives,
and accident prevention regulations when performing such work.
Intended Use
This product is a drive for three-phase synchronous and asynchronous motors and is intended for
industrial use according to this manual. The product may only be used in compliance with all applicable
safety standards and local regulations and directives, the specified requirements and the technical data. The
product must be installed outside the hazardous ATEX zone. Prior to using the product, you must
perform a risk assessment in view of the planned application. Based on the results, the appropriate
safety measures must be implemented. Since the product is used as a component in an entire system,
you must ensure the safety of persons by means of the design of this entire system (for example,
machine design). Any use other than the use explicitly permitted is prohibited and can result in hazards.

Product Related Information


Read and understand these instructions before performing any procedure with this drive.

DANGER

HAZARD OF ELECTRIC SHOCK, EXPLOSION OR ARC FLASH
• Only appropriately trained persons who are familiar with and understand the contents of this
  manual and all other pertinent product documentation and who have received safety training to
  recognize and avoid hazards involved are authorized to work on and with this drive system.
  Installation, adjustment, repair and maintenance must be performed by qualified personnel.
• The system integrator is responsible for compliance with all local and national electrical code
  requirements as well as all other applicable regulations with respect to grounding of all equipment.
• Many components of the product, including the printed circuit boards, operate with mains
  voltage.
• Only use properly rated, electrically insulated tools and measuring equipment.
• Do not touch unshielded components or terminals with voltage present.
• Motors can generate voltage when the shaft is rotated. Prior to performing any type of work on
  the drive system, block the motor shaft to prevent rotation.
• AC voltage can couple voltage to unused conductors in the motor cable. Insulate both ends of
  unused conductors of the motor cable.
• Do not short across the DC bus terminals or the DC bus capacitors or the braking resistor
  terminals.
• Before performing work on the drive system:
  - Disconnect all power, including external control power that may be present. Take into account
    that the circuit breaker or main switch does not de-energize all circuits.
  - Place a Do Not Turn On label on all power switches related to the drive system.
  - Lock all power switches in the open position.
  - Wait 15 minutes to allow the DC bus capacitors to discharge.
  - Follow the instructions given in the chapter "Verifying the Absence of Voltage" in the
    installation manual of the product.
• Before applying voltage to the drive system:
  - Verify that the work has been completed and that the entire installation cannot cause hazards.
  - If the mains input terminals and the motor output terminals have been grounded and
    short-circuited, remove the ground and the short circuits on the mains input terminals and the
    motor output terminals.
  - Verify proper grounding of all equipment.
  - Verify that all protective equipment such as covers, doors, grids is installed and/or closed.
Failure to follow these instructions will result in death or serious injury.
Damaged products or accessories may cause electric shock or unanticipated equipment operation.

DANGER
ELECTRIC SHOCK OR UNANTICIPATED EQUIPMENT OPERATION
Do not use damaged products or accessories.
Failure to follow these instructions will result in death or serious injury.
Contact your local Schneider Electric sales office if you detect any damage whatsoever.
This equipment has been designed to operate outside of any hazardous location. Only install this
equipment in zones known to be free of a hazardous atmosphere.

DANGER
POTENTIAL FOR EXPLOSION
Install and use this equipment in non-hazardous locations only.
Failure to follow these instructions will result in death or serious injury.
Your application consists of a whole range of different interrelated mechanical, electrical, and electronic
components, the drive being just one part of the application. The drive by itself is neither intended to nor
capable of providing the entire functionality to meet all safety-related requirements that apply to your
application. Depending on the application and the corresponding risk assessment to be conducted by
you, a whole variety of additional equipment is required such as, but not limited to, external encoders,
external brakes, external monitoring devices, guards, etc.
As a designer/manufacturer of machines, you must be familiar with and observe all standards that apply
to your machine. You must conduct a risk assessment and determine the appropriate Performance
Level (PL) and/or Safety Integrity Level (SIL) and design and build your machine in compliance with all
applicable standards. In doing so, you must consider the interrelation of all components of the machine.
In addition, you must provide instructions for use that enable the user of your machine to perform any
type of work on and with the machine such as operation and maintenance in a safe manner.

The present document assumes that you are fully aware of all normative standards and requirements
that apply to your application. Since the drive cannot provide all safety-related functionality for your
entire application, you must ensure that the required Performance Level and/or Safety Integrity Level is
reached by installing all necessary additional equipment.

WARNING
INSUFFICIENT PERFORMANCE LEVEL/SAFETY INTEGRITY LEVEL AND/OR
UNINTENDED EQUIPMENT OPERATION
1. Conduct a risk assessment according to EN ISO 12100 and all other standards that apply to
your application.
2. Use redundant components and/or control paths for all critical control functions identified in
your risk assessment.
3. If moving loads can result in hazards, for example, slipping or falling loads, operate the drive
in closed loop mode.
4. Verify that the service life of all individual components used in your application is sufficient
for the intended service life of your overall application.
5. Perform extensive commissioning tests for all potential error situations to verify the
effectiveness of the safety-related functions and monitoring functions implemented, for
example, but not limited to, speed monitoring by means of encoders, short circuit monitoring
for all connected equipment, correct operation of brakes and guards.
6. Perform extensive commissioning tests for all potential error situations to verify that the load
can be brought to a safe stop under all conditions.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
A specific application note NHA80973 is available on hoisting machines and can be downloaded on
se.com.
Drive systems may perform unexpected movements because of incorrect wiring, incorrect settings,
incorrect data or other errors.

WARNING
UNANTICIPATED EQUIPMENT OPERATION
1. Carefully install the wiring in accordance with the EMC requirements.
2. Do not operate the product with unknown or unsuitable settings or data.
3. Perform a comprehensive commissioning test.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING
LOSS OF CONTROL
1. The designer of any control scheme must consider the potential failure modes of control
paths and, for critical control functions, provide a means to achieve a safe state during and
after a path failure.
Examples of critical control functions are emergency stop, overtravel stop, power outage, and
restart.
2. Separate or redundant control paths must be provided for critical control functions.
3. System control paths may include communication links. Consideration must be given to the
implications of unanticipated transmission delays or failures of the link.
4. Observe all accident prevention regulations and local safety guidelines (1).
5. Each implementation of the product must be individually and thoroughly tested for proper
operation before being placed into service.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
(1) For USA: Additional information, refer to NEMA ICS 1.1 (latest edition), Safety Guidelines for the
Application, Installation, and Maintenance of Solid State Control and to NEMA ICS 7.1 (latest edition),
Safety Standards for Construction and Guide for Selection, Installation and Operation of Adjustable-
Speed Drive Systems.

The temperature of the products described in this manual may exceed 80 °C (176 °F) during operation.

WARNING
HOT SURFACES
• Ensure that any contact with hot surfaces is avoided.
• Do not allow flammable or heat-sensitive parts in the immediate vicinity of hot surfaces.
• Verify that the product has sufficiently cooled down before handling it.
• Verify that the heat dissipation is sufficient by performing a test run under maximum load
  conditions.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
Machines, controllers, and related equipment are usually integrated into networks. Unauthorized
persons and malware may gain access to the machine as well as to other devices on the
network/fieldbus of the machine and connected networks via insufficiently secure access to software
and networks.

WARNING
UNAUTHORIZED ACCESS TO THE MACHINE VIA SOFTWARE AND NETWORKS
1. In your hazard and risk analysis, consider all hazards that result from access to and
operation on the network/fieldbus and develop an appropriate cyber security concept.
2. Verify that the hardware infrastructure and the software infrastructure into which the machine
is integrated, as well as all organizational measures and rules covering access to this
infrastructure, consider the results of the hazard and risk analysis and are implemented
according to best practices and standards covering IT security and cyber security (such as:
ISO/IEC 27000 series, Common Criteria for Information Technology Security Evaluation,
ISO/IEC 15408, IEC 62351, ISA/IEC 62443, NIST Cybersecurity Framework, Information
Security Forum - Standard of Good Practice for Information Security).
3. Verify the effectiveness of your IT security and cyber security systems using appropriate,
proven methods.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING
PERDA DE CONTROLE
Realize um teste de comissionamento abrangente para verificar se o monitoramento de comunicação
detecta corretamente interrupções de comunicação
O não cumprimento dessas instruções pode resultar em morte, ferimentos graves ou danos no
equipamento.

NOTICE
DESTRUIÇÃO DEVIDO À TENSÃO DA REDE INCORRETA
Antes de ligar e configurar o produto, verifique se ele está aprovado para a tensão da rede.
A não orealização dessas instruções pode resultar em danos no equipamento.

About the Book

At a Glance

Document Scope
The purpose of this document is to provide information about the safety functions incorporated in
the Altivar 320. These functions allow you to develop applications oriented toward the protection of
people and machines.
FDT/DTM (field device tool / device type manager) is a new technology chosen by several companies in
automation.
To install the Altivar 32 DTM, you can download and install our FDT, SoMove lite, from
www.schneiderelectric.com. It includes the Altivar 320 DTM.
The content of this manual is also accessible through the ATV320 DTM online help.

Validity Note
The original instructions and information given in this manual have been written in English (before
optional translation).
This documentation is valid for the Altivar 320 drives.
The technical characteristics of the devices described in the present document also appear online.
To access the information online:

Step  Action
1     Go to the Schneider Electric home page www.schneider-electric.com.
2     In the Search box type the reference of a product or the name of a product range.
      • Do not include blank spaces in the reference or product range.
      • To get information on grouping similar modules, use asterisks (*).
3     If you entered a reference, go to the Product Datasheets search results and click on the
      reference that interests you.
      If you entered the name of a product range, go to the Product Ranges search results and click
      on the product range that interests you.
4     If more than one reference appears in the Products search results, click on the reference that
      interests you.
5     Depending on the size of your screen, you may need to scroll down to see the datasheet.
6     To save or print a datasheet as a .pdf file, click Download XXX product datasheet.

The characteristics that are presented in the present document should be the same as those
characteristics that appear online. In line with our policy of constant improvement, we may revise
content over time to improve clarity and accuracy. If you see a difference between the document and
online information, use the online information as your reference.
Related Documents
Use your tablet or your PC to quickly access detailed and comprehensive information on all our products
on www.schneider-electric.com
The internet site provides the information you need for products and solutions:
• The whole catalog for detailed characteristics and selection guides
• The CAD files to help design your installation, available in over 20 different file formats
• All software and firmware to maintain your installation up to date
• A large quantity of White Papers, Environment documents, Application solutions, Specifications... to
  gain a better understanding of our electrical systems and equipment or automation
• And finally all the User Guides related to your drive, listed below:
Title of Documentation: Reference Number
Altivar 320 Getting Started: NVE21763 (English), NVE21771 (French), NVE21772 (German), NVE21773 (Spanish), NVE21774 (Italian), NVE21776 (Chinese)
Altivar 320 Getting Started Annex (SCCR): NVE21777 (English)
Altivar 320 Installation Manual: NVE41289 (English), NVE41290 (French), NVE41291 (German), NVE41292 (Spanish), NVE41293 (Italian), NVE41294 (Chinese)
Altivar 320 Programming manual: NVE41295 (English), NVE41296 (French), NVE41297 (German), NVE41298 (Spanish), NVE41299 (Italian), NVE41300 (Chinese)
Altivar 320 Modbus Serial Link manual: NVE41308 (English)
Altivar 320 Ethernet IP/Modbus TCP manual: NVE41313 (English)
Altivar 320 PROFIBUS DP manual (VW3A3607): NVE41310 (English)
Altivar 320 DeviceNet manual (VW3A3609): NVE41314 (English)
Altivar 320 CANopen manual (VW3A3608, 618, 628): NVE41309 (English)
Altivar 320 POWERLINK Manual - VW3A3619: NVE41312 (English)
Altivar 320 EtherCAT manual - VW3A3601: NVE41315 (English)
Altivar 320 Communication Parameters: NVE41316 (English)
Altivar 320 PROFINET manual: NVE41311 (English)
Altivar 320 Safety Functions manual: NVE50467 (English), NVE50468 (French), NVE50469 (German), NVE50470 (Spanish), NVE50472 (Italian), NVE50473 (Chinese)
You can download these technical publications and other technical information from our website at
https://www.schneider-electric.com/en/download

Terminology
The technical terms, terminology, and the corresponding descriptions in this manual normally use the
terms or definitions in the relevant standards.
In the area of drive systems this includes, but is not limited to, terms such as error, error message, failure,
fault, fault reset, protection, safe state, safety function, warning, warning message, and so on.
Among others, these standards include:
• IEC 61800 series: Adjustable speed electrical power drive systems
• IEC 61508 Ed.2 series: Functional safety of electrical/electronic/programmable electronic
  safety-related
• EN 954-1 Safety of machinery - Safety related parts of control systems
• ISO 13849-1 & 2 Safety of machinery - Safety related parts of control systems
• IEC 61158 series: Industrial communication networks - Fieldbus specifications
• IEC 61784 series: Industrial communication networks - Profiles
• IEC 60204-1: Safety of machinery - Electrical equipment of machines – Part 1: General
  requirements
In addition, the term zone of operation is used in conjunction with the description of specific hazards,
and is defined as it is for a hazard zone or danger zone in the EC Machinery Directive (2006/42/EC) and
in ISO 12100-1.
Contact Us
Select your country on:

www.schneider-electric.com/contact

Schneider Electric Industries SAS


Head Office
35, rue Joseph Monier
92500 Rueil-Malmaison
France


Chapter 1 General Information

What Is in This Chapter?


This chapter contains the following topics:
• Introduction
• Certifications
• Basics

Introduction

Overview

WARNING
INEFFECTIVE SAFETY FUNCTIONS
• Verify that a risk assessment as per ISO 12100-1 and/or any other equivalent assessment has
  been performed before this product is used.
• Verify that only persons who are trained and certified experts in safety engineering and who
  are familiar with all safety-related standards, provisions, and regulations such as, but not limited to,
  IEC 61800-5-2 work with this product.
• Verify that only persons who are thoroughly familiar with the safety-related applications and
  the nonsafety-related applications as well as the hardware used to operate the machine/process,
  work with this product.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING
UNANTICIPATED EQUIPMENT OPERATION
• Only start the machine/process if there are no persons or obstructions in the zone of
  operation.
• Only make modifications of any type whatsoever, including, but not limited to, parameters,
  settings, configurations, hardware, if you fully understand all effects of such modifications.
• Verify that modifications do not compromise or reduce the Safety Integrity Level (SIL),
  Performance Level (PL) and/or any other safety-related requirements and capabilities defined for
  your machine/process.
• After modifications of any type whatsoever, restart the machine/process and verify the correct
  operation and effectiveness of all functions by performing comprehensive tests for all operating
  states, the defined safe state, and all potential error situations.
• If you have to commission or recommission the machine/process, perform a commissioning
  test pursuant to all regulations, standards, and process definitions applicable to your
  machine/process.
• Document all modifications in compliance with all regulations, standards, and process
  definitions applicable to your machine/process.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

WARNING
UNANTICIPATED EQUIPMENT OPERATION
• Connect the drive to be configured directly to the PC.
• Do not establish a connection via network/Fieldbus protocols from the PC to the drive to be
  configured.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
The safety functions incorporated in ATV320 are intended to maintain the safe condition of the
installation or prevent hazardous conditions arising at the installation. In some cases, further safety-
related systems external to the drive (for example a mechanical brake) may be necessary to maintain
the safe condition when electrical power is removed.
The safety functions are configured with SoMove software.
Integrated safety functions provide the following benefits:
 Additional standards-compliant safety functions
 No need for external safety-related devices
 Reduced wiring effort and space requirements Reduced costs
The ATV320 drives are compliant with the requirements of the standards in terms of implementation of
safety functions.
Safety Functions as Defined by IEC 61800-5-2
Definitions
Acronym   Description
STO       Safe Torque Off
          No power that could cause torque or force is supplied to the motor.
SLS       Safely-Limited Speed
          The SLS function prevents the motor from exceeding the specified speed limit. If the
          motor speed exceeds the specified speed limit value, safety function STO is triggered.
SS1       Safe Stop 1
          • Initiates and monitors the motor deceleration rate within set limits to stop the motor
          • Initiates the Safe Operating Stop function when the motor speed is below the
            specified limit

Safety Function Not Defined in IEC 61800-5-2
Definitions
Acronym   Description
SMS       Safe Maximum Speed
          The SMS function prevents the speed of the motor from exceeding the specified speed
          limit. If the motor speed exceeds the specified speed limit value, safety function STO is
          triggered. The SMS can only be activated or deactivated with the commissioning software.
          When activated, the stator frequency is constantly monitored irrespective of the mode of
          operation.
GDL       Guard Door Locking
          The GDL function allows you to release the guard door lock when the motor power is
          turned off.
Notation
The graphic display terminal (to be ordered separately - reference VW3A1101) menus are shown in
square brackets.
The integrated 7-segment display terminal menus are shown in round brackets.
Parameter names are displayed on the graphic display terminal in square brackets.
Parameter codes are displayed on the integrated 7-segment display terminal in round brackets.
Certifications

EC Declaration of Conformity
The EC Declaration of Conformity for the EMC Directive can be obtained on www.schneider-electric.com.

ATEX Certification
The ATEX certificate can be obtained on www.schneider-electric.com.

Functional Safety Certification


The integrated safety functions are compatible with and certified according to IEC 61800-5-2,
Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional.
IEC 61800-5-2, as a product standard, sets out safety-related considerations of safety-related power
drive systems, PDS (SR), in terms of the framework of the IEC 61508 Ed.2 series of standards.
Compliance with the IEC 61800-5-2 standard, for the safety functions described below, will facilitate
the incorporation of a PDS (SR) (Power Drive System suitable for use in safety-related applications)
into a safety-related control system using the principles of IEC 61508, or IEC 13849-1, as well as
IEC 62061 for process systems and machinery.
The defined safety functions are:
1. SIL2 and SIL3 capability in compliance with IEC 61800-5-2 and the IEC 61508 Ed.2 series.
2. Performance level d and e in compliance with IEC 13849-1.
3. Compliant with Category 3 and 4 of the European standard IEC 13849-1 (EN 954-1).
Also refer to the safety function capability.
The safety demand operating mode is considered to be high demand or continuous mode of operation
according to the IEC 61800-5-2 standard.
The functional safety certificate is accessible on www.schneider-electric.com.

Basics

Functional Safety
Automation and safety engineering were two completely separate areas in the past, but have
recently become more and more integrated.
The engineering and installation of complex automation solutions are greatly simplified by integrated
safety functions.
Usually, the safety engineering requirements depend on the application.
The level of the requirements results from the risk and the hazard potential arising from the specific application.

IEC 61508 Standard


The standard IEC 61508, Functional safety of electrical/electronic/programmable electronic
safety-related systems, covers the safety-related function.
Instead of a single component, an entire function chain (for example, from a sensor through the
logical processing units to the actuator) is considered as a unit.
This function chain must meet the requirements of the specific safety integrity level
as a whole.
Systems and components that can be used in various applications for safety tasks with
comparable risk levels can be developed on this basis.

SIL - Safety Integrity Level


The standard IEC 61508 defines 4 safety integrity levels (SIL) for safety functions.
SIL1 is the lowest level and SIL4 is the highest level.
A hazard and risk analysis serves as the basis for determining the required safety integrity
level.
This is used to decide whether the relevant function chain is to be considered as a
safety function and which hazard potential it must cover.

PFH - Probability of a Dangerous Hardware Failure Per Hour


To maintain the safety function, the IEC 61508 standard requires various levels of measures for
avoiding and controlling detected faults, depending on the required SIL.
All components of a safety function must be subjected to a probability assessment to evaluate the
effectiveness of the measures implemented for controlling detected faults.
This assessment determines the PFH (Average frequency of dangerous failure) for a safety system.
This is the probability per hour that a safety system fails in a hazardous manner and the safety function
cannot be correctly executed.
Depending on the SIL, the PFH must not exceed certain values for the entire safety system.
The individual PFH values of a function chain are added. The result must not exceed the maximum
value specified in the standard.
Performance level Average frequency of dangerous failure (PFH) at high demand or continuous demand
4

PL - Performance Level
The standard ISO 13849-1 defines 5 Performance levels (PL) for safety functions.
a is the lowest level and e is the highest level.
Five levels (a, b, c, d, and e) correspond to different values of Average frequency of dangerous failure.
Performance level Probability of a dangerous Hardware Failure per Hour
e

c

HFT - Hardware Fault Tolerance and SFF - Safe Failure Fraction


Depending on the SIL for the safety system, the IEC 61508 standard requires a specific hardware fault
tolerance HFT in connection with a specific proportion of safe failures SFF (Safe Failure Fraction).
The hardware fault tolerance is the ability of a system to execute the required safety function in spite of the
presence of one or more hardware faults.
The SFF of a system is defined as the ratio of the rate of safe failures and dangerous detected failures to
the total failure rate of the system.
SFF = (Σλs + ΣλDd)/(Σλs + ΣλDd + ΣλDu)
According to IEC 61508, the maximum achievable SIL of a system is partly determined by the hardware
fault tolerance HFT and the safe failure fraction SFF of the system.
IEC 61508 distinguishes two types of subsystem (type A subsystem, type B subsystem).
These types are specified on the basis of criteria which the standard defines for the safety-relevant
components.
SFF     HFT type A subsystem        HFT type B subsystem
        0       1       2           0       1       2
        SIL1    SIL2    SIL3        ----    SIL1    SIL2
        SIL2    SIL3    SIL4        SIL1    SIL2    SIL3
        SIL3    SIL4    SIL4        SIL2    SIL3    SIL4
        SIL3    SIL4    SIL4        SIL3    SIL4    SIL4


PFD - Probability of Failure on Demand
The standard IEC 61508 defines SIL using requirements grouped into two broad categories: hardware
safety integrity and systematic safety integrity. A device or system must meet the requirements for both
categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device.
To achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure
and a minimum Safe Failure Fraction. The concept of 'dangerous failure' must be rigorously defined for
the system in question, normally in the form of requirement constraints whose integrity is verified
throughout system development. The actual targets required vary depending on the likelihood of a
demand, the complexity of the device(s), and types of redundancy used.
The PFD (Probability of Failure on Demand) and RRF (Risk Reduction Factor) of low demand operation
for different SILs, as defined in IEC 61508, are as follows:
SIL   PFD                  PFD (power        RRF
1     0.1 - 0.01           10^-1 - 10^-2     10 - 100
2     0.01 - 0.001         10^-2 - 10^-3     100 - 1000
3     0.001 - 0.0001       10^-3 - 10^-4     1000 - 10,000
4     0.0001 - 0.00001     10^-4 - 10^-5     10,000 - 100,000
In high demand or continuous operation, these change to the following:
SIL   PFH                         PFH (power        RRF
1     0.00001 - 0.000001          10^-5 - 10^-6     100,000 - 1,000,000
2     0.000001 - 0.0000001        10^-6 - 10^-7     1,000,000 - 10,000,000
3     0.0000001 - 0.00000001      10^-7 - 10^-8     1000 - 10,000
4     0.00000001 - 0.000000001    10^-8 - 10^-9     100,000,000 - 1,000,000,000
The hazards of a control system must be identified then analyzed in a risk analysis. These risks are
gradually mitigated until their overall contribution to the hazard is deemed to be acceptable. The
tolerable level of these risks is specified as a safety requirement in the form of a target probability of a
dangerous failure over a given period, stated as a discrete SIL level.
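The SFF formula and the high-demand PFH bands above, applied to a function chain. This is an added example, not part of the manual; the subsystem names, failure rates and PFH figures are constructed sample values, not ATV320 data, and only the PFH criterion is evaluated (not HFT or systematic integrity).

```python
"""SFF and PFH budgeting for a safety function chain (added illustration)."""
from dataclasses import dataclass

# Upper PFH bound (per hour) of each SIL in high demand or continuous mode,
# read from the table above: SIL 1 < 1e-5, SIL 2 < 1e-6, SIL 3 < 1e-7, SIL 4 < 1e-8.
PFH_UPPER_BOUND = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_s: float   # rate of safe failures (1/h)
    lambda_dd: float  # rate of dangerous detected failures (1/h)
    lambda_du: float  # rate of dangerous undetected failures (1/h)
    pfh: float        # average frequency of dangerous failure (1/h)


def safe_failure_fraction(sub: Subsystem) -> float:
    """SFF = (lambda_s + lambda_Dd) / (lambda_s + lambda_Dd + lambda_Du)."""
    total = sub.lambda_s + sub.lambda_dd + sub.lambda_du
    if total <= 0:
        raise ValueError(f"{sub.name}: total failure rate must be positive")
    return (sub.lambda_s + sub.lambda_dd) / total


def sil_for_pfh(pfh: float) -> int:
    """Highest SIL whose PFH band admits this value, or 0 if even SIL 1 is missed."""
    if pfh < 0:
        raise ValueError("PFH cannot be negative")
    for sil in (4, 3, 2, 1):
        if pfh < PFH_UPPER_BOUND[sil]:
            return sil
    return 0


def chain_pfh(chain) -> float:
    """The individual PFH values of a function chain are added."""
    return sum(sub.pfh for sub in chain)


def budget_report(chain, target_sil: int) -> dict:
    """Fraction of the target SIL's PFH budget consumed by each subsystem."""
    budget = PFH_UPPER_BOUND[target_sil]
    return {sub.name: sub.pfh / budget for sub in chain}


# Constructed sample chain: sensor -> logic -> actuator (values are made up).
CHAIN = [
    Subsystem("guard door switch", 4e-7, 5e-7, 1e-7, 3e-8),
    Subsystem("safety logic", 2e-7, 7.9e-7, 1e-8, 1e-8),
    Subsystem("drive safety function", 5e-7, 4.5e-7, 5e-8, 8e-8),
]

if __name__ == "__main__":
    for sub in CHAIN:
        print(f"{sub.name:24s} SFF={safe_failure_fraction(sub):.3f} "
              f"PFH={sub.pfh:.1e} -> SIL {sil_for_pfh(sub.pfh)} on its own")
    total = chain_pfh(CHAIN)
    print(f"chain PFH={total:.2e} -> SIL {sil_for_pfh(total)}")
    for name, share in budget_report(CHAIN, 3).items():
        print(f"  {name:24s} uses {share:.0%} of the SIL 3 budget")
```

Each sample subsystem falls in the SIL 3 band on its own, but the summed PFH of the chain exceeds the SIL 3 limit, so the chain as a whole only reaches the SIL 2 band.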

Fault Avoidance Measures
Systematic errors in the specifications, in the hardware and the software, usage faults and maintenance
faults in the safety system must be avoided to the maximum degree possible. To meet these
requirements, IEC 61508 specifies a number of measures for fault avoidance that must be implemented
depending on the required SIL. These measures for fault avoidance must cover the entire life cycle of
the safety system, i.e. from design to decommissioning of the system.


Chapter 2 Description

What Is in This Chapter?


This chapter contains the following topics:
Topic
Safety Function STO (Safe Torque Off)
Safety Function SS1 (Safe Stop 1)
Safety Function SLS (Safely-Limited Speed)
Safety Function SMS (Safe Maximum Speed)
Safety Function GDL (Guard Door Locking)

Safety Function STO (Safe Torque Off)

Overview
The safety function STO (Safe Torque Off) does not remove power from the DC bus. The safety function
STO only removes power to the motor. The DC bus voltage and the mains voltage to the drive are still
present.

DANGER
HAZARD OF ELECTRIC SHOCK
• Do not use the safety function STO for any other purposes than its intended function.
• Use an appropriate switch, that is not part of the circuit of the safety function STO, to
disconnect the drive from the mains power.
Failure to follow these instructions will result in death or serious injury.
When the safety function STO is triggered, the power stage is immediately disabled. In the case of
vertical applications or external forces acting on the motor shaft, you may have to take additional
measures to bring the motor to a standstill and to keep it at a standstill when the safety function STO is
used, for example, by using a service brake.

WARNING
INSUFFICIENT DECELERATION OR UNINTENDED EQUIPMENT OPERATION
• Verify that using the safety function STO does not result in unsafe conditions.
• If standstill is required in your application, ensure that the motor comes to a secure standstill
when the safety function STO is used.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
This function brings the machine safely into a no-torque state and / or prevents it from starting accidentally.
The safe torque-off function (safety function STO) can be used to effectively implement the prevention
of unexpected start-up functionality, thus making stops safe by removing power only from the motor,
while still maintaining power to the main drive control circuits.
The principles and requirements of the prevention of unexpected start-up are described in the standard EN
1037:1995+A1.
The digital input STO is assigned to this safety function and cannot be modified.
If a paired terminal line in 2 channels is required to trigger safety function STO, the function can also be
enabled by the safety-related digital inputs.
The safety function STO is configured with the commissioning software.
The safety function STO status can be displayed using the HMI of the drive or using the commissioning
software.

Safety Function STO Standard Reference


The safety function STO is defined in section 4.2.2.2 of standard IEC 61800-5-2 (edition 1.0 2007.07):
Power, that can cause rotation (or motion in the case of a linear motor), is not applied to the
motor. The PDS(SR) (power drive system suitable for use in safety-related applications) will not
provide energy to the motor which can generate torque (or force in the case of a linear motor).
• NOTE 1: This safety function corresponds to an uncontrolled stop in accordance with stop category 0
of IEC 60204-1.
• NOTE 2: This safety function may be used where power removal is required to prevent an
unexpected start-up.
• NOTE 3: In circumstances where external influences (for example, falling of suspended loads) are
present, additional measures (for example, mechanical brakes) may be necessary to prevent any
hazard.
• NOTE 4: Electronic equipment and contactors do not provide adequate protection against electric
shock, and additional insulation measures may be necessary.

Safety Function (SF) Level Capability for Safety Function STO


Configuration                             SIL (Safety Integrity Level     PL (Performance Level
                                          according to IEC 61508)         according to ISO 13849-1)
STO with or without safety module         SIL 2                           PL d
STO & DI3 with or without safety module   SIL 3                           PL e
DI3 and DI4                               SIL 2                           PL d
DI5 and DI6                               SIL 2                           PL d

Emergency Operations
Standard IEC 60204-1 introduces 2 emergency operations:
• Emergency switching-off:
  This function requires external switching components, and cannot be accomplished with drive based
  functions such as safe torque-off (STO).
• Emergency stop:
  An emergency stop must operate in such a way that, when it is activated, the hazardous movement
  of the machinery is stopped and the machine is unable to start under any circumstances, even after
  the emergency stop is released.
  An emergency stop shall function either as a stop category 0 or as a stop category 1.
  Stop category 0 means that the power to the motor is turned off immediately. Stop category 0 is
  equivalent to the safe torque-off (STO) function, as defined by standard EN 61800-5-2.
  In addition to the requirements for stop (see 9.2.5.3 of IEC 60204-1), the emergency stop function
  has the following requirements:
  • It shall override all other functions and operations in all modes.
  • This reset shall be possible only by a manual action at that location where the command has been
    initiated. The reset of the command shall not restart the machinery but only permit restarting.
• For the machine environment (IEC 60204-1 and machinery directive), when safety function STO is
  used to manage an emergency stop category 0, the motor must not restart automatically when
  safety function STO has been triggered and deactivated (with or without a power cycle). This is the
  reason why an additional safety module is required if the machine restarts automatically after the
  safety function STO has been deactivated.

Safety Function SS1 (Safe Stop 1)

Overview
The safety function SS1 (Safe Stop 1) monitors the deceleration according to a dedicated deceleration
ramp and safely shuts off the torque once standstill has been achieved.
When the safety function SS1 is triggered, it overrides all other functions (except STO function that has
priority) and operations in all modes.
The unit of the SS1 deceleration ramp is Hz/s. The ramp is set with two parameters:
• [SS1 ramp unit] SSrU (Hz/s) to give the unit of the ramp in 1 Hz/s, 10 Hz/s, and 100 Hz/s
• [SS1RampValue] SSrt (0.1) to set the value of the ramp
Ramp calculation:
Ramp = SSrU*SSrt
Example: If SSrU = 10 Hz/s and SSrt = 5.0 the deceleration ramp is 50 Hz/s.
The safety function SS1 is configured with the commissioning software, for more information see
Commissioning (see page 91).
The safety function SS1 status can be displayed using the HMI of the drive or using the commissioning
software.

Behavior on Activation of the SS1 Function


When the SS1 function is triggered, it monitors the deceleration of the motor according to the specified
monitoring ramp until standstill is reached and verifies that the motor speed is not above a monitored limit
value depending on the specified monitoring ramp and the parameter [SS1 trip threshold] SStt.
If the monitored limit value is exceeded:
• An error is triggered and the error code [Safety function fault] SAFF is displayed.
• Safety function STO is triggered.

After the [Standstill level] SSSL has been reached, the safety function STO is triggered.
SS1 function continues to be active if the request has been removed before the standstill has been
reached.
NOTE: The error detection depends on [Stator Frequency] StFr.

[Figure: SS1 behavior on activation. Legend: SS1 trip threshold; SS1 deceleration ramp (dV/dT);
STO function triggered; Error and STO function triggered]
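The ramp calculation and the SS1 monitoring described above, run over two sampled deceleration traces. This is an added example, not part of the manual and not drive firmware; it assumes the monitored limit is the SS1 ramp starting from the stator frequency at the trigger instant plus the [SS1 trip threshold] SStt as a fixed offset, and the traces and parameter values other than the manual's 50 Hz/s ramp are constructed.

```python
"""SS1 ramp monitoring over a sampled stator-frequency trace (added illustration)."""
from enum import Enum


class Outcome(Enum):
    STO_AT_STANDSTILL = "SSSL reached, STO triggered"
    SAFF_AND_STO = "monitored limit exceeded, SAFF displayed and STO triggered"
    STILL_DECELERATING = "trace ended before standstill or trip"


def ss1_ramp(ssru: float, ssrt: float) -> float:
    """Ramp = SSrU * SSrt, in Hz/s. SSrU is one of 1, 10 or 100 Hz/s."""
    if ssru not in (1, 10, 100):
        raise ValueError("SSrU must be 1, 10 or 100 Hz/s")
    if ssrt <= 0:
        raise ValueError("SSrt must be positive")
    return ssru * ssrt


def monitored_limit(f_start: float, ramp: float, sstt: float, elapsed: float) -> float:
    """Assumed limit: ramp from the trigger frequency, offset by SStt (Hz)."""
    return max(f_start - ramp * elapsed, 0.0) + sstt


def evaluate_ss1(trace, ssru, ssrt, sstt, sssl):
    """trace: [(time_s, StFr_Hz), ...], first sample taken when SS1 is triggered.

    Returns (Outcome, time_s) for the first sample that decides the outcome.
    The SS1 request itself is not an input: once triggered, SS1 stays active
    even if the request is removed before standstill.
    """
    if not trace:
        raise ValueError("empty trace")
    ramp = ss1_ramp(ssru, ssrt)
    t0, f0 = trace[0]
    for t, stfr in trace:
        if stfr > monitored_limit(f0, ramp, sstt, t - t0):
            return Outcome.SAFF_AND_STO, t
        if stfr <= sssl:
            return Outcome.STO_AT_STANDSTILL, t
    return Outcome.STILL_DECELERATING, trace[-1][0]


# Constructed traces: 50 Hz at trigger, sampled every 0.2 s.
FOLLOWS_RAMP = [(0.0, 50.0), (0.2, 41.0), (0.4, 31.0), (0.6, 21.0), (0.8, 11.0), (1.0, 0.5)]
TOO_SLOW = [(0.0, 50.0), (0.2, 44.0), (0.4, 39.0), (0.6, 34.0), (0.8, 30.0)]

if __name__ == "__main__":
    # SSrU = 10 Hz/s and SSrt = 5.0 give the 50 Hz/s ramp of the manual's example;
    # SStt = 5 Hz and SSSL = 1 Hz are constructed values.
    for name, trace in (("follows ramp", FOLLOWS_RAMP), ("too slow", TOO_SLOW)):
        outcome, t = evaluate_ss1(trace, ssru=10, ssrt=5.0, sstt=5.0, sssl=1.0)
        print(f"{name}: {outcome.value} at t={t} s")
```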
Behavior on Deactivation of the SS1 Function
After an SS1 stop, send a new run command (even if the run command is set on level command).

SS1 Standard Reference


The SS1 function is defined in section 4.2.2.2 of standard IEC 61800-5-2:
The PDS(SR) (Power drive system suitable for use in safety-related applications) either:
• Initiates and controls the motor deceleration rate within set limits to stop the motor and initiates the
STO function (see 4.2.2.2) when the motor speed is below a specified limit; or
• Initiates and monitors the motor deceleration rate within set limits to stop the motor and initiates the
STO function when the motor speed is below a specified limit; or
• Initiates the motor deceleration and initiates the STO function after an application-specific time delay.

NOTE: This safety function corresponds to a controlled stop in accordance with stop category 1 of IEC
60204-1.

Safety Function (SF) Level Capability for Safety Function SS1


Function     Configuration                      SIL (Safety Integrity Level     PL (Performance Level
                                                According to IEC 61508)         According to ISO 13849-1)
SS1 type C   STO with Preventa module           SIL 2                           PL d
             STO and DI3 with Preventa module   SIL 3                           PL e
SS1 type B   DI3 and DI4                        SIL 2                           PL d
             DI5 and DI6                        SIL 2                           PL d

Emergency Stop Category 1

An emergency stop must operate in such a way that, when it is activated, the hazardous movement of
the machinery is stopped and the machine is unable to start under any circumstances, even after the
emergency stop is released.
An emergency stop shall function either as a stop category 0 or as a stop category 1.
Stop category 1 is a controlled shut-down, whereby the energy supply to the motor is maintained to
perform the shut-down, and the energy supply is only interrupted when the shut-down has been
completed. Stop category 1 is equivalent to the [Safe Stop 1] SS1 function, as defined by standard EN
61800-5-2.
In addition to the requirements for stop (see 9.2.5.3 of IEC 60204-1), the emergency stop function has
the following requirements:
• It shall override all other functions and operations in all modes.
• This reset shall be possible only by a manual action at that location where the command has been
initiated. The reset of the command shall not restart the machinery but only permit restarting.
For the machine environment (IEC 60204-1 and machinery directive), when safety function SS1 is used
to manage an emergency stop category 1, the motor must not restart automatically when safety function
SS1 has been triggered and deactivated (with or without a power cycle). This is the reason why an
additional safety module is required if the machine restarts automatically after the safety function SS1
has been deactivated.
Safety Function SLS (Safely-Limited Speed)

Overview
This function is used to limit the speed of a motor.
There are 6 types of SLS function:
1. SLS type 1: Limits the motor speed to the actual motor speed.
2. SLS type 2: Limits the motor speed to a value set using a parameter.
3. SLS type 3: Same as type 2 with specific behavior if the motor speed is above the threshold value
set using a parameter.
4. SLS type 4: Limits the motor speed to a value set using a parameter. The direction of rotation can
be changed while the safety function is active.
5. SLS type 5: Same as type 4 with specific behavior if the motor speed is above the threshold value
set using a parameter.
6. SLS type 6: Same as type 4 with specific behavior if the motor speed is above the threshold value
set using a parameter.
NOTE: SLS types 2 and 3 use the parameter [SLS wait time] SLwt to allow the motor to run
under the [Standstill level] SSSL for a given time after activation of the safety function SLS.
The safety function SLS is configured with the commissioning software, for more
information see Commissioning (see page 91).
The status of the safety function SLS can be displayed using the HMI of the drive or using the
commissioning software.

Behavior on Activation of the Safety Function SLS Type 1

[Figure: SLS type 1 behavior on activation. Legend: Error and STO function triggered; Reference upper
limit; STO function triggered]

When the safety function is activated:
• If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function STO is
triggered and an error is triggered with the error code [Safety function fault] SAFF.
• If the [Stator Frequency] StFr is under the [SLS tolerance threshold] SLtt, the stator frequency is limited
to the actual stator frequency. The reference frequency will only vary between this value and the
[Standstill level] SSSL.

While the function is activated:
• If the [Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency, the safety
function STO is triggered.
• If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety
function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 2

[Figure: SLS type 2 behavior on activation. Legend: SS1 trip threshold; Error and STO function
triggered; Reference upper limit; STO function triggered; SS1 deceleration ramp (dV/dT); Time taken
for the [Stator Frequency] StFr to become greater than SSSL]
Case A: [Stator Frequency] StFr is above [Set Point] SLSP
Case B: [Stator Frequency] StFr is between [Standstill level] SSSL and [Set Point] SLSP
Case C: [Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] (SLwt) ≠ 0

When the function is activated:
• If the [Stator Frequency] StFr is above the [Set point] SLSP, the drive decelerates according to SS1
deceleration ramp until the [Set point] SLSP has been reached (see case A).
• If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but
limited to the [Set point] SLSP (see case B).
• If the [Stator Frequency] StFr is still below the [Standstill level] SSSL frequency after [SLS wait time]
SLwt has elapsed, the safety function STO will be triggered (see case C).

While the function is activated:
• The reference frequency can only vary between the [Set point] SLSP and the [Standstill level] SSSL.
• If the [Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency, the safety
function STO is triggered.
• If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the safety
function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 3
SLS type 3 has the same behavior as SLS type 2 except that if the [Stator Frequency] StFr is above the
[SLS tolerance threshold] SLtt, the safety function SS1 is triggered instead of decelerating to the [Set point]
SLSP (see case A).

[Figure: SLS type 3 behavior on activation. Legend: SS1 trip threshold; Error and STO function
triggered; Reference upper limit; STO function triggered; SS1 deceleration ramp (dV/dT); Time taken
for the [Stator Frequency] StFr to become greater than SSSL]
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set Point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is between [Standstill level] SSSL and [Set Point] SLSP
Case D: [Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] (SLwt) ≠ 0

When the function is activated:
• If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function SS1 is
triggered (see case A).
• If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the
drive decelerates according to SS1 deceleration ramp until the [Set point] SLSP has been reached (see
case B).
• If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but
limited to the [Set point] SLSP (see case C).
• If the [Stator Frequency] StFr is still below the [Standstill level] SSSL frequency after [SLS wait time] SLwt
has elapsed, the safety function STO will be triggered (see case D).

While the function is activated:
• The reference frequency can only vary between the [Set point] SLSP and the [Standstill level]
SSSL.
• If the [Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency, the safety
function STO is triggered.
• If the [Stator Frequency] StFr increases and reaches the [SLS tolerance threshold] SLtt, the
safety function STO is triggered and an error is triggered with the error code [Safety function fault]
SAFF.
Behavior on Activation of the Safety Function SLS Type 4

[Figure: SLS type 4 behavior on activation. Legend: Error and STO function triggered; SS1 trip
threshold; SS1 deceleration ramp (dV/dT); Reference upper limit]
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set Point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is below [Set Point] SLSP

NOTE: If SLtt ≤ SLSP for SLS type 4, a SAFF fault is triggered.
When the function is activated:
• If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function
STO is triggered with the error code [Safety function fault] SAFF (see case A).
• If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the
drive decelerates according to SS1 deceleration ramp until the [Set point] SLSP has been reached (see
case B).
• If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but
limited to the [Set point] SLSP (see case C).

While the function is activated:
• The reference frequency can vary within the limit set by the [Set point] SLSP in both forward and
reverse directions.
• If the [Stator Frequency] StFr increases and reaches [SLS tolerance threshold] SLtt, the safety function
STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 5

[Figure: SLS type 5 behavior on activation. Legend: Error and STO function triggered; SS1 trip
threshold; SS1 deceleration ramp (dV/dT); Reference upper limit]
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set Point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is below [Set Point] SLSP

When the function is activated:
• If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the drive decelerates according
to SS1 deceleration ramp until the [Set point] SLSP has been reached (see case A).
• If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the
drive decelerates according to SS1 deceleration ramp until the [Set point] SLSP has been reached (see
case B).
• If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but
limited to the [Set point] SLSP (see case C).

While the function is activated:
• The reference frequency can vary within the limit set by the [Set point] SLSP in both forward and
reverse directions.
• If the [Stator Frequency] StFr increases and reaches [SLS tolerance threshold] SLtt, the safety function
STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
Behavior on Activation of the Safety Function SLS Type 6

[Figure: SLS type 6 behavior on activation. Legend: Error and STO function triggered; SS1 trip
threshold; SS1 deceleration ramp (dV/dT); Reference upper limit; STO function triggered]
Case A: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
Case B: [Stator Frequency] StFr is between [Set Point] SLSP and [SLS tolerance threshold] SLtt
Case C: [Stator Frequency] StFr is below [Set Point] SLSP

When the function is activated:
• If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the drive decelerates according
to SS1 deceleration ramp until SSSL is reached, then the safety function STO is triggered (see case A).
• If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point] SLSP, the
drive decelerates according to SS1 deceleration ramp until the [Set point] SLSP has been reached (see
case B).
• If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed but
limited to the [Set point] SLSP (see case C).

While the function is activated:
• The reference frequency can vary within the limit set by the [Set point] SLSP in both forward and
reverse directions.
• If the [Stator Frequency] StFr increases and reaches [SLS tolerance threshold] SLtt, the safety function
STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
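The activation behavior of the six SLS types, collected into one decision function that produces the expected reaction per type and frequency band, for example as the expectation column of a commissioning test plan. This is an added example, not part of the manual and not drive firmware; it assumes "above" means strictly greater than, and the threshold values are constructed.

```python
"""Expected SLS reaction on activation, per SLS type (added illustration)."""
from enum import Enum


class Action(Enum):
    STO_WITH_SAFF = "STO triggered, error SAFF"
    SAFF_FAULT = "SAFF fault (type 4 with SLtt <= SLSP)"
    SS1_STOP = "safety function SS1 triggered"
    RAMP_TO_SLSP = "decelerate on SS1 ramp until SLSP is reached"
    RAMP_TO_SSSL_THEN_STO = "decelerate on SS1 ramp until SSSL, then STO"
    LIMIT_TO_ACTUAL = "stator frequency limited to its actual value"
    LIMIT_TO_SLSP = "reference unchanged but limited to SLSP"
    WAIT_SLWT_THEN_STO = "STO if still below SSSL after SLwt has elapsed"


# Reaction when StFr is above SLtt, for the types that test SLtt on activation.
_ABOVE_SLTT = {
    3: Action.SS1_STOP,
    4: Action.STO_WITH_SAFF,
    5: Action.RAMP_TO_SLSP,
    6: Action.RAMP_TO_SSSL_THEN_STO,
}


def sls_on_activation(sls_type, stfr, sltt, slsp, sssl):
    """Reaction at the instant SLS is activated; all frequencies in Hz."""
    if sls_type not in (1, 2, 3, 4, 5, 6):
        raise ValueError("SLS type must be 1..6")
    if sls_type == 1:
        # Type 1 has only two cases on activation: above SLtt, or not.
        return Action.STO_WITH_SAFF if stfr > sltt else Action.LIMIT_TO_ACTUAL
    if sls_type == 4 and sltt <= slsp:
        return Action.SAFF_FAULT
    if sls_type in (2, 3) and stfr < sssl:
        return Action.WAIT_SLWT_THEN_STO
    if sls_type != 2 and stfr > sltt:
        return _ABOVE_SLTT[sls_type]
    if stfr > slsp:
        # Type 2 lands here for any StFr above SLSP, including above SLtt.
        return Action.RAMP_TO_SLSP
    return Action.LIMIT_TO_SLSP


def expected_matrix(sltt, slsp, sssl):
    """One representative StFr per band -> expected reaction for each type."""
    if not 0 <= sssl < slsp < sltt:
        raise ValueError("expected 0 <= SSSL < SLSP < SLtt")
    bands = {
        "above SLtt": sltt + 1.0,
        "SLSP..SLtt": (slsp + sltt) / 2,
        "SSSL..SLSP": (sssl + slsp) / 2,
    }
    matrix = {}
    for sls_type in range(1, 7):
        row = {name: sls_on_activation(sls_type, f, sltt, slsp, sssl)
               for name, f in bands.items()}
        if sls_type in (2, 3):  # only these types define a wait-time case
            row["below SSSL"] = sls_on_activation(sls_type, sssl / 2, sltt, slsp, sssl)
        matrix[sls_type] = row
    return matrix


if __name__ == "__main__":
    # Constructed thresholds: SLtt = 30 Hz, SLSP = 25 Hz, SSSL = 1 Hz.
    for sls_type, row in expected_matrix(30.0, 25.0, 1.0).items():
        for band, action in row.items():
            print(f"type {sls_type}  {band:11s} -> {action.value}")
```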
Behavior on Deactivation of the Safety Function SLS for All SLS Types
If: The drive is still running when the function is deactivated.
Then: The reference frequency of the active channel is applied.

If: Safety function STO has been triggered and the drive is not in fault state.
Then: A new run command must be applied.

If: The safety function SLS type 2, 3, 4 is deactivated while the drive decelerates to the [Set point]
SLSP according to SS1 deceleration ramp.
Then: The safety function SLS remains activated until the [Set point] SLSP has been reached.

If: The safety function SLS type 3 is deactivated while the safety function SS1 has been triggered.
Then: STO is triggered when [Standstill level] SSSL is reached and a new run command must be applied.

If: A stop command is applied.
Then: The safety function SLS remains active and the drive decelerates until standstill is reached.
For SLS type 1, 2, or 3 STO function is triggered when the [Stator Frequency] StFr decreases and
reaches the [Standstill level] SSSL frequency.

If: An error is detected.
Then: The safety function SLS remains active and the drive stops according to the configured error
response. For SLS type 1, 2, or 3 STO function will be triggered after the [Standstill level] SSSL
frequency has been reached. The drive can be reset after the cause is cleared.

SLS Standards References
The safety function SLS is defined in section 4.2.3.4 of standard IEC 61800-5-2. The SLS function helps to
prevent the motor from exceeding the specified speed limit.

Safety Function (SF) Level for Safety Function SLS


Configuration | SIL (Safety Integrity Level according to IEC 61508) | PL (Performance Level according to ISO 13849-1)
DI3 and DI4 | SIL 2 | PL d
DI5 and DI6 | SIL 2 | PL d
Safety Function SMS (Safe Maximum Speed)

Overview
This function prevents the speed of the motor from exceeding the specified safe maximum speed limit.
The safety function SMS is configured using the commissioning software. For details, refer to Commissioning
(see page 91).
The [SMS Activation] SMSA parameter is used to activate or deactivate the SMS function.
Two speed limits can be set using the following parameters:
• [SMS Low Limit] SMLL: To select the lower speed limit.
• [SMS High Limit] SMLH: To select the higher speed limit.

[SMS Low Limit] SMLL or [SMS High Limit] SMLH is considered as safe maximum speed limit based on
the [SMS Assignment] SMLS selection.
When [SMS Assignment] SMLS is selected as L34 or L56 (digital input 3 and 4 or digital input 5 and 6):
• If the digital inputs are in low state (0), [SMS Low Limit] SMLL is considered as the safe maximum
speed limit.
• If the digital inputs are in high state (1), [SMS High Limit] SMLH is considered as the safe maximum
speed limit.
When [SMS Assignment] SMLS is selected as NO, [SMS Low Limit] SMLL is considered as the safe
maximum speed limit.
NOTE:
• The SMS function does not adjust the speed reference.
• The speed reference should be adjusted through an active speed reference channel according to
[SMS Low Limit] SMLL or [SMS High Limit] SMLH.
The status of safety function SMS is displayed on the graphical display terminal of the drive and the Monitoring
tab of the commissioning software.

Behavior on Activation of the Safety Function SMS

[Figure: SMS activation diagram. Legend: error and STO function triggered]

While the function is activated:
• If digital inputs (DIx and DIy) are in low state (0) and [Stator Frequency] StFr increases and reaches
[SMS Low Limit] SMLL, STO is triggered and an error is triggered with an error code [Safety function
fault] SAFF.
• If digital inputs (DIx and DIy) are in high state (1) and [Stator Frequency] StFr increases and reaches
[SMS High Limit] SMLH, STO is triggered and an error is triggered with an error code [Safety function
fault] SAFF.
• If digital inputs (DIx and DIy) are not assigned and [Stator Frequency] StFr increases and reaches
[SMS Low Limit] SMLL, STO is triggered and an error is triggered with an error code [Safety function
fault] SAFF.

SMS Standard References


The safety function SMS is not defined in IEC 61800-5-2. The SMS function prevents the speed of the
motor from exceeding the specified speed limit. If the motor speed exceeds the specified speed limit
value, safety function STO is triggered. The SMS can only be activated or deactivated with the
commissioning software. When activated, the stator frequency is constantly monitored irrespective of
the mode of operation.

Safety Function (SF) Level for Safety Function SMS


Configuration | SIL (Safety Integrity Level according to IEC 61508) | PL (Performance Level according to ISO 13849-1)
DI3 and DI4 | SIL 2 | PL d
DI5 and DI6 | SIL 2 | PL d
No | SIL 2 | PL d
Safety Function GDL (Guard Door Locking)

Overview
This function allows you to release the guard door lock after a specified delay when the motor power is
turned off. The front door of the machine can be opened only after the motor is stopped; this function
helps to ensure the safety of the machine operator.

For details on the certified wiring diagram, refer to Single Drive According to IEC 61508 and IEC 62061 for
GDL Function (see page 88).
The [GDL Assignment] GDLA parameter is used to activate or deactivate the GDL function.
The GDL function uses the LO1 parameter.
Two delays can be configured using the following parameters:
• [Guard Door Locking Long Delay] GLLD: Long delay after any stop command (such as STO, ramp
stop, DC injection, and so on) other than SS1 stop to make sure that the machine is stopped.
• [Guard Door Locking Short Delay] GLSD: Short delay after SS1 ramp to make sure that the machine is
stopped.
NOTE: [Guard Door Locking Long Delay] GLLD and [Guard Door Locking Short Delay] GLSD are defined
based on the characteristics of the machine.
The safety function GDL is configured using the commissioning software. For details, refer to
Commissioning (see page 91).
The status of the safety function GDL is displayed on graphical display terminal of the drive and
Monitoring tab of the commissioning software.

Behavior on Activation of the Safety Function GDL

[Figure: GDL activation diagram. Legend: SS1 stop; freewheel stop; ramp stop; STO function triggered]

While the function is activated:
• If the safety function SS1 is triggered, digital output (DQ) changes to high state (1) after [GDL Short
Delay] GLSD and guard door lock is released.
• If the freewheel stop or safety function STO is triggered, digital output (DQ) changes to high state (1)
after [GDL Long Delay] GLLD and guard door lock is released.
• If the ramp stop is triggered, digital output (DQ) changes to high state (1) after [GDL Long Delay]
GLLD and guard door lock is released.

GDL Standard References


The safety function GDL is not defined in IEC 61800-5-2. The GDL function allows you to release the
guard door lock when the motor power is turned off.

Safety Function (SF) Level for Safety Function GDL


Configuration | SIL (Safety Integrity Level according to IEC 61508) | PL (Performance Level according to ISO 13849-1)
STO with safety module | SIL 1 | PL c

Chapter 3 Calculation of Safety Related Parameters

What Is in This Chapter?


This chapter contains the following topics:
Topic
SLS Type 1
SLS Type 2, Type 3, Type 4, Type 5, and Type 6
SS1
SMS
GDL

SLS Type 1

Collect Application Data


Before starting to configure the SLS function, you must collect the following data:
Code | Description | Unit | Comment
FrS | [Rated motor freq.] | Hz | See motor nameplate
nSp | [Rated motor speed] | rpm | See motor nameplate
ppn | Motor pole pair number | – | See motor nameplate
Max Frequency | Maximum motor frequency for normal operation | Hz | This value is equal to [High speed] HSP or lower
Calculate the rated motor slip frequency Fslip (Hz).

To Configure the Function


[Figure: overview diagram for SLS type 1. Legend: error and STO function triggered; reference upper limit; STO function triggered]
Standstill Level
The recommended standstill level is: SSSL = Fslip
If the application requires a different standstill level, it can be set accordingly with the SSSL parameter.
Motor Frequency Limit Threshold
The recommended value of the parameter is SLtt = 1.2 x Max Frequency + Fslip
Testing and Adjusting the Configuration
When configuration is complete, test the SLS function to verify it behaves as expected.
If an error is triggered with the error code [Safety function fault] SAFF, apply the following troubleshooting
rules:
Context | Drive Status | Adjustment
SLS activated and motor running at the fixed setpoint frequency | SAFF error code; SFFE.7 = 1 | Motor frequency has reached the motor frequency limit threshold. The cause of the detected error can be due to frequency instability. Investigate and correct the cause. The value of SLtt can be modified to increase the tolerance threshold to the instability of the drive system.
Example
Code | Description | Unit
FrS | [Rated motor freq.] | 50 Hz
nSp | [Rated motor speed] | 1350 rpm
ppn | Motor pole pair number | 2
Max Frequency | Maximum motor frequency on normal operation. This value is generally equal to [High speed] HSP or lower | 50 Hz
With these numerical values, the configuration of SLS type 1 is:

SSSL = Fslip = 5 Hz
SLtt = 1.2 x Max Frequency + Fslip = 1.2 x 50 + 5 = 65 Hz

SLS Type 2, Type 3, Type 4, Type 5, and Type 6

Collect Application Data


Before starting to configure the SLS function, you must collect the following data:
Code | Description | Unit | Comment
FrS | [Rated motor freq.] | Hz | See motor nameplate
nSp | [Rated motor speed] | rpm | See motor nameplate
ppn | Motor pole pair number | – | See motor nameplate
Max Frequency | Maximum motor frequency on normal operation | Hz | This value is equal to [High speed] HSP or lower.
SS1 deceleration ramp | Deceleration ramp to apply when the SS1 ramp is triggered | Hz | –
Calculate the rated motor slip frequency Fslip (Hz).

To Configure the Function

[Figure: overview diagram for SLS types 2 to 6. Legend: SS1 trip threshold; error and STO function triggered; reference upper limit; STO function triggered; SS1 deceleration ramp (dV/dT); time taken for the [Stator Frequency] StFr to become greater than SSSL. Cases shown: [Stator Frequency] StFr is above [Set Point] SLSP; [Stator Frequency] StFr is between [Standstill level] SSSL and [Set Point] SLSP; [Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] (SLwt) ≠ 0]

Standstill Level
The recommended standstill level is: SSSL = Fslip
If the application requires a different standstill level, it can be set accordingly with the SSSL
parameter.
Ramp Value and Ramp Unit
Set SSrt (ramp value) and SSrU (ramp unit) parameters according to the deceleration ramp to
apply when the safety function SS1 is triggered.
Ramp Calculation: Ramp = SSrU*SSrt
Example 1: If SSrU = 1 Hz/s and SSrt = 500.0 the deceleration ramp is 500.0 Hz/s and the accuracy is
0.1 Hz
Example 2: If SSrU = 10 Hz/s and SSrt = 50.0 the deceleration ramp is 500 Hz/s and the accuracy is
1 Hz
Use the table to set the correct accuracy according to the deceleration ramp to apply
when the safety function SS1 is triggered:
Min | Max | Accuracy | SSrU | SSrt
0.1 Hz/s | 599 Hz/s | 0.1 Hz/s | 1 Hz/s | SS1 deceleration ramp
599 Hz/s | 5990 Hz/s | 1 Hz/s | 10 Hz/s | SS1 deceleration ramp/10
5990 Hz/s | 59900 Hz/s | 10 Hz/s | 100 Hz/s | SS1 deceleration ramp/100
SLS Setpoint
Set the SLS setpoint parameter (SLSP) to: SLSP = Fsetpoint (SLS)
Motor Frequency Limit Threshold and Ramp Limit Threshold
The recommended motor frequency limit threshold is SLtt = 1.2 x SLSP + Fslip and the recommended
SS1 ramp limit threshold is: SStt = 0.2 x Max Frequency

SLS Wait time

Set the [SLS wait time] (SLwt) greater than 0 ms to allow the motor to run under the
[Standstill level] SSSL for a given time after the safety function SLS has been activated.
NOTE: When SLS type 4 is configured, [SLS wait time] (SLwt) must be set
to 0, otherwise an error is triggered and the error code [Safety function fault] SAFF is
displayed.

Testing and Adjusting the Configuration
When configuration is complete, test the SLS function to verify that it behaves as
expected.
If an error is triggered with the error code [Safety function fault] SAFF, apply the following
troubleshooting rules:
Context | Drive Status | Adjustment
SLS activated and deceleration ramp in progress | SAFF error code; SFFE.3 = 1 | Motor frequency has reached the motor frequency limit threshold. The cause of the detected error can be due to frequency instability. Investigate and correct the cause. The value of SLtt can be modified to increase the tolerance threshold to the instability of the drive system.
SLS activated and end of ramp at the SLSP frequency | SAFF error code; SFFE.3 = 1 or SFFE.7 = 1 | The stabilization of the motor frequency at SLSP takes too long and has reached the safety function error detection condition. [Figure: oscillation diagram. Legend: safety function error detection; Tosc: T oscillation; F: Frequency] The oscillations must be lower than SLtt before the time T(oscillation) has elapsed. If the condition is not met, an error is triggered and the error code [Safety function fault] SAFF is displayed. The relationship between SStt and T(oscillation) is: Motor frequency has reached the motor frequency limit threshold. The cause of the detected error can be due to frequency instability. Investigate and correct the cause. The value of SStt can be modified to increase the tolerance threshold to the oscillations of the drive system.
SLS activated and motor running at the SLSP frequency | SAFF error code; SFFE.7 = 1 | Motor frequency has reached the motor frequency limit threshold. The cause of the detected error can be due to frequency instability. Investigate and correct the cause. The value of SLtt can be modified to increase the tolerance threshold to the instability of the drive system.
Example
Code | Description | Unit
FrS | Rated motor frequency | 50 Hz
nSp | Rated motor speed | 1350 rpm
ppn | Motor pole pair number | 2
Max Frequency | Maximum motor frequency on normal operation. This value is equal to [High speed] HSP or lower | 50 Hz
Fsetpoint(SLS) | Motor frequency setpoint | 15 Hz
SS1 deceleration ramp | Deceleration ramp to apply when SS1 is triggered | 20 Hz/s
With these numerical values, the configuration of SLS type 2, 3, and 4 is:

SSSL = Fslip = 5 Hz
SSrU = 1 Hz/s and SSrt = 20.0 for SS1 deceleration ramp = 20 Hz/s (accuracy is 0.1 Hz)
SLSP = Fsetpoint(SLS) = 15 Hz

SLtt = 1.2 x SLSP + Fslip = 1.2 x 15 + 5 = 23 Hz
SStt = 0.2 x Max Frequency = 0.2 x 50 = 10 Hz

In this example, the frequency oscillations are allowed to be higher than SLtt for 350 ms.

SS1

Collect Application Data


Before configuring the SS1 function, you must collect the following data:
Code | Description | Unit | Comment
FrS | Rated motor frequency | Hz | From motor
nSp | Rated motor speed | rpm | From motor
ppn | Motor pole pair number | – | From motor
Max Frequency | Maximum motor frequency on normal operation | Hz | This value is equal to [High speed] HSP or lower
Calculate the rated motor slip frequency Fslip (Hz).

To Configure the Function
[Figure: overview diagram for SS1. Legend: SS1 trip threshold; SS1 deceleration ramp (dV/dT); STO function triggered; error and STO function triggered]
Standstill Level
The recommended standstill level is: SSSL = Fslip
If the application requires a different standstill level, it can be set accordingly with the SSSL parameter.
Ramp Value and Ramp Unit
Set SSrt (ramp value) and SSrU (ramp unit) parameters according to the deceleration ramp to apply
when the safety function SS1 is triggered.
Ramp Calculation: Ramp = SSrU*SSrt
Example 1: If SSrU = 1 Hz/s and SSrt = 500.0 the deceleration ramp is 500.0 Hz/s and the accuracy is
0.1 Hz
Example 2: If SSrU = 10 Hz/s and SSrt = 50.0 the deceleration ramp is 500 Hz/s and the accuracy is 1
Hz
Use the table to set the correct accuracy according to the deceleration ramp to apply when the safety
function SS1 is triggered:
Min | Max | Accuracy | SSrU | SSrt
0.1 Hz/s | 599 Hz/s | 0.1 Hz/s | 1 Hz/s | SS1 deceleration ramp
599 Hz/s | 5990 Hz/s | 1 Hz/s | 10 Hz/s | SS1 deceleration ramp/10
5990 Hz/s | 59900 Hz/s | 10 Hz/s | 100 Hz/s | SS1 deceleration ramp/100
Ramp Limit Threshold
The SS1 ramp trip threshold is calculated by: SStt = 0.2 x Max Frequency
This value is equal to [High speed] HSP or lower
Testing and Adjusting the Configuration
When configuration is complete, test the safety function SS1 to verify that it behaves as expected.
If an error is triggered with the error code [Safety function fault] SAFF, apply the following troubleshooting
rules:
Context | Drive Status | Adjustment
SS1 activated and the [Standstill level] SSSL has not yet been reached | SAFF error code; SFFE.3 = 1 | Motor frequency has reached the motor frequency limit threshold. The cause of the detected error can be due to frequency instability. Investigate and correct the cause. The value of SStt can be modified to increase the tolerance threshold to the instability of the drive system.

Example
Code | Description | Unit
FrS | Rated motor frequency | 50 Hz
nSp | Rated motor speed | 1350 rpm
ppn | Motor pole pair number | 2
Max Frequency | Maximum motor frequency on normal operation | 50 Hz
SS1 deceleration ramp | Deceleration ramp to apply when SS1 is triggered | 20 Hz/s
With these numerical values, the configuration of SS1 is:

SSSL = Fslip = 5 Hz
SSrU = 1 Hz/s and SSrt = 20.0 for SS1 deceleration ramp = 20 Hz/s (accuracy is 0.1 Hz)
SStt = 0.2 x Max Frequency = 0.2 x 50 = 10 Hz
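The recommended values from the SLS Type 1, SLS Type 2 to 6 and SS1 sections above can be derived from nameplate data in one pass. The following is an added example, not part of the manual: the slip relation it uses (FrS minus nSp x ppn / 60) is the standard induction-motor formula and is an assumption here, consistent with the manual's worked value Fslip = 5 Hz, and all function names are hypothetical.

```python
"""Recommended SLS / SS1 settings from motor nameplate data (added example)."""

MAX_OUTPUT_FREQ_HZ = 200.0  # maximum output frequency stated in the manual

# Rows of the manual's ramp table: (upper ramp bound in Hz/s, SSrU in Hz/s).
RAMP_UNIT_TABLE = [(599.0, 1), (5990.0, 10), (59900.0, 100)]


def slip_frequency(frs_hz, nsp_rpm, ppn):
    """Rated slip frequency Fslip in Hz.

    Assumption: standard induction-motor relation, rated frequency minus the
    electrical frequency that corresponds to the rated mechanical speed.
    """
    if frs_hz <= 0 or nsp_rpm <= 0 or ppn < 1:
        raise ValueError("FrS, nSp and ppn must be positive")
    fslip = frs_hz - nsp_rpm * ppn / 60.0
    if fslip <= 0:
        # A wrong pole pair number or speed puts the rotor at or above
        # synchronous speed; SSSL = Fslip would then be meaningless.
        raise ValueError("nameplate data inconsistent: Fslip <= 0")
    return fslip


def ss1_ramp_parameters(ramp_hz_per_s):
    """Return (SSrU, SSrt) with Ramp = SSrU * SSrt, finest accuracy first."""
    if ramp_hz_per_s < 0.1:
        raise ValueError("ramp below the 0.1 Hz/s table minimum")
    for upper_bound, ssru in RAMP_UNIT_TABLE:
        if ramp_hz_per_s <= upper_bound:
            return ssru, round(ramp_hz_per_s / ssru, 1)
    raise ValueError("ramp above the 59900 Hz/s table maximum")


def _check_max_frequency(max_freq_hz):
    if not 0 < max_freq_hz <= MAX_OUTPUT_FREQ_HZ:
        raise ValueError("Max Frequency must be above 0 and at most 200 Hz")


def sls_type1_config(frs_hz, nsp_rpm, ppn, max_freq_hz):
    """SLS type 1: SSSL = Fslip, SLtt = 1.2 x Max Frequency + Fslip."""
    _check_max_frequency(max_freq_hz)
    fslip = slip_frequency(frs_hz, nsp_rpm, ppn)
    return {"SSSL": fslip, "SLtt": 1.2 * max_freq_hz + fslip}


def ss1_config(frs_hz, nsp_rpm, ppn, max_freq_hz, ramp_hz_per_s):
    """SS1: SSSL = Fslip, SStt = 0.2 x Max Frequency, plus ramp unit/value."""
    _check_max_frequency(max_freq_hz)
    ssru, ssrt = ss1_ramp_parameters(ramp_hz_per_s)
    return {
        "SSSL": slip_frequency(frs_hz, nsp_rpm, ppn),
        "SSrU": ssru,
        "SSrt": ssrt,
        "SStt": 0.2 * max_freq_hz,
    }


def sls_ramped_config(sls_type, frs_hz, nsp_rpm, ppn, max_freq_hz,
                      setpoint_hz, ramp_hz_per_s, slwt_ms=0):
    """SLS types 2 to 6: SS1 values plus SLSP and SLtt = 1.2 x SLSP + Fslip."""
    if sls_type not in (2, 3, 4, 5, 6):
        raise ValueError("use sls_type1_config for type 1")
    if sls_type == 4 and slwt_ms != 0:
        # The manual states that a non-zero SLwt with type 4 triggers SAFF.
        raise ValueError("SLS type 4 requires SLwt = 0")
    cfg = ss1_config(frs_hz, nsp_rpm, ppn, max_freq_hz, ramp_hz_per_s)
    cfg.update(SLSP=setpoint_hz,
               SLtt=1.2 * setpoint_hz + cfg["SSSL"],
               SLwt=slwt_ms)
    return cfg


if __name__ == "__main__":
    # Nameplate values taken from the manual's worked examples.
    print(sls_type1_config(50, 1350, 2, 50))
    print(sls_ramped_config(2, 50, 1350, 2, 50, 15, 20))
```

For a 500 Hz/s ramp the function returns SSrU = 1 Hz/s and SSrt = 500.0 (the manual's Example 1); the SSrU = 10 Hz/s form in Example 2 gives the same ramp at coarser accuracy.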
SMS

Collect Application Data


Before starting to configure the SMS function, you must collect the following data:
Code | Description | Unit | Comment
PPn | Motor pole pair number | – | See motor nameplate
Max output frequency in Hz = ((Max velocity in rpm)/60)* PPn

To Configure the Function

[Figure: SMS configuration diagram. Legend: error and STO function triggered]


SMLL > Max output frequency
SMLH > Max output frequency
GDL

Collect Application Data


Before starting to configure the GDL function, you must collect the following data:
Code | Description | Unit | Comment
GLSD | [GDL Short Delay] | s | Maximum delay after SS1 ramp to stop the machine.
GLLD | [GDL Long Delay] | s | Maximum delay after STO function activation or normal deceleration ramp command to stop the machine.
To Configure the Function

[Figure: GDL configuration diagram. Legend: SS1 stop; freewheel stop; ramp stop; STO function triggered]

Testing and Adjusting the Configuration


When GDL configuration is complete:
• Activate safety function SS1 and verify that the digital output changes to high state (1) when the machine is
stopped.
• Activate safety function STO and verify that the digital output changes to high state (1) when the
machine is stopped.
Chapter 4 Behavior of Safety Functions

What Is in This Chapter?


This chapter contains the following topics:
Topic
Limitations
Detected Fault Inhibition
Priority Between Safety Functions
Factory Settings
Configuration Download
Priority Between Safety Functions and No Safety-Related Functions
Monitoring of The Stator Frequency Consistency

Limitations

Type of Motor
The safety functions STO and GDL (long delay) can be used for synchronous and asynchronous motors.
On ATV320, the safety functions SLS, SS1, SMS and GDL (short delay) are only applicable for
asynchronous motors. For the possible [Motor Control Type] CTT settings, refer to the Priority Table
(see page 54).

Prerequisites for Using Safety Functions


The following conditions have to be fulfilled for correct operation:
• The motor size is adequate for the application and is not at the limit of its capacity.
• The drive size has been correctly chosen for the line supply, sequence, motor, and application and is
not at the limit of their capacities as stated in the catalog.
• If required, the appropriate options are used.
Example: dynamic braking resistor or motor choke.
• The drive is correctly set up with the correct speed loop and torque characteristics for the application;
the reference frequency profile applied to the drive control loop is followed. The maximum output
frequency is 200 Hz.

Allowed and Unallowed Application for Safety Function


Applications with acceleration of the load after disabling the output power bridge are not allowed (for
example, applications with long/permanent regenerative braking cycles).
Typical allowed application

Typical unallowed application

Examples: Vertical Conveyors, Vertical hoist, Lifts, or Winders.

Requirements on Digital Inputs

• Sink mode is not used with the safety function. If you use the safety function, you need to wire the digital
inputs in source mode.
• PTC on DI6 is incompatible with the safety function set on this input. If you are using the safety function
on DI6, do not set the PTC switch to PTC.
• If you are using the pulse input, you cannot set the safety function on DI5 at the same time.
• If an output signal switching device (OSSD) is used with ATV320, the outputs of the device can only be
wired to DI3/DI4 or DI5/DI6 if [DI response time] LIRT is set to a value higher than 1 ms. STO/DI3 cannot
be wired to OSSD outputs.

Detected Fault Inhibition
When a safety function has been configured, the error [Safety Function Fault] SAFF cannot be inhibited
by the function [Fault Inhibit assign.] InH.

Priority Between Safety Functions


1. The safety function STO has the highest priority. If the safety function STO is triggered, a Safe
Torque Off is performed regardless of which other functions are active.
2. The safety function SS1 has medium priority in relation to the other safety functions.
3. The safety functions SLS and GDL have the lowest priority.

Factory Settings
If the safety functions are configured and you restore the factory settings, only the parameters which are
not safety-related will be reset to the factory setting. The settings of safety-related parameters can only
be reset using the commissioning software. For more information, see Commissioning (see page 91).

Configuration Download
You can transfer a configuration in all situations. If a safety function has been configured, the functions
using these same digital inputs will not be configured.
For example: If the downloaded configuration has functions (Preset speed,...) on DI3-4-5-6 and if the
drive has a safety function configured on these digital inputs, safety function will not be erased. It is the
functions that have the same digital input as safety functions that are not transferred.
Multiconfiguration/multimotor and macro configuration obey the same rules.

Priority Between Safety Functions and No Safety-Related Functions

Priority Table
o: Compatible functions
x: Incompatible functions
(arrow symbol): The function indicated by the arrow has priority over the other.

Drive Function SLS SS1 STO SMS GDL


[HIGH SPEED HOISTING] o
HSH-

[+/- SPEED] UPd- o

[Skip Frequency] JPF o o o

[Low speed time out] tLS o o o o

[MULTIMOTORS] MMC- Configuration must be consistent with o Configuratio o


the 3 motors n must be
consistent
with the 3
motors
[PRESET SPEEDS] PSS- o o

[PID REGULATOR] PId- o o o

[RAMP] rPt- profile o o

[Freewheel stop ass. ]nSt o o

[Fast stop assign.] FSt : SLS ramp o o


: SLS steady

[TRAVERSE CONTROL] o
tr0-
[EXTERNAL FAULT] : NST : NST : NST : NST o
EtF- x: DCI x: DCI : DCI x: DCI
: fast, ramp, fallback, : fast, ramp, : fast, ramp, : fast, ramp,
maintain fallback, fallback, fallback,
maintain maintain maintain

[AUTOMATIC RESTART] o
Atr-

[FAULT RESET] rSt- o

[JOG] JOG- o

[STOP CONFIGURATION] Stt-

[Ramp stop] rMP : SLS ramp o


: SLS steady

[Fast stop] FSt : SLS ramp o


: SLS steady

[DC injection] dCI x x x o

[+/-SPEED AROUND REF.] o


SrE-
[POSITIONING BY : SLS ramp o
SENSORS] LPO- : Position is
& position is not
not respected
respected
[RP input] PFrC o: if the safety function o: if the o: if the o: if the o
is not assigned to DI5 safety safety safety
function is function is function is
not assigned not assigned not assigned
to to DI5 to DI5
DI5
[Underload Detection] ULF o

[Overload Detection] OLC o

[Rope slack config.] rSd x x x x o


[UnderV. prevention] StP x x o

[AUTO DC INJECTION] x x x o
AdC-
[DC injection assign.] dCI x x x o

[Load sharing] LbA o: If the [Stator o


Frequency] StFr is
above the frequency
limit threshold, the
error SAFF is
triggered.
[Motor control type] Ctt
[Standard] Std x x o x o
[SVC V] UUC o o o o o
[V/F Quad.] UFq x x o x o
[Energy Sav.] nLd x x o x o
[Sync. mot.] SYn x x o x o: long delay x:
short delay
[V/F 5pts] UF5 x x o x o
[OUTPUT PHASE LOSS] x: Motor output phase x: Motor o x: Motor o
OPL loss is detected by output phase output
the safety function loss is phase loss
detected by is detected
the safety by the safety
function function
[Output cut] OAC x x x x o
[Dec ramp adapt.] brA o :If the [Stator o :If the o o
Frequency] StFr is [Stator
above the Frequency Frequency]
limit threshold, the StFr is
error SAFF is above the
triggered. Frequency
limit
threshold,
the error
SAFF is
triggered.
[REF. OPERATIONS] o o
OAI-
[2 wire] 2C o: Run command on o: Run o: Run o: Run o
transition command on command command
Run command on transition on transition on transition
level is not compatible Run Run Run
command on command on command on
level is not level is not level is not
compatible compatible compatible

[PTC MANAGEMENT] o: inactive if the o: inactive if o: inactive if o: inactive if o


PtC- safety function is not the safety the safety the safety
assigned to DI6 function is function is function is
not assigned not assigned not assigned
to to DI6 to DI6
DI6
[FORCED LOCAL] LCF- o o

[LI CONFIGURATION] o: inactive if the o: inactive if o: inactive if o: inactive if o


safety function is the safety the safety the safety
assigned to digital function is function is function is
input assigned to assigned to assigned to
digital input digital input digital input
[MULTIMOTORS/CONFIG]. o: except safety- o: except o: except o: except o
MMC- related parameters safety-related safetyrelated safetyrelated
parameters parameters parameters

[FAULT INHIBITION] InH x x x x o

[Profile] CHCF Digital input used by Digital input Digital input Digital input o
safety function cannot used by used by used by
be switched safety safety safety
function function function
cannot be cannot be cannot be
switched switched switched
[Macro configuration] CFG : Macro configuration : Macro : Macro o
could be overlapped if configuration configuration
safety function use a : Macro could be could be
digital input requested configuration overlapped if overlapped if
by the macro could be safety safety
configuration overlapped if function use function use
safety a digital a digital
function use input input
a digital input requested requested
requested by by the by the
the macro macro macro
configuration configuration configuration
[Motor short circuit] SCF1 o o

[Ground short circuit] SCF3 o o

[Overspeed] SOF o o

[Sync. mot.] SYn x x o x o

[Configuration Transfer] o: except safety- o: except o: except o: except o: except


related parameters safety-related safetyrelated safetyrelated safetyrelated
parameters parameters parameters parameters

[Energy Sav.] nLd x x o x o


For more information about these functions, see the Programming manual.
Monitoring of The Stator Frequency Consistency

Description
If at least one of the safety functions SS1, SLS and SMS is configured, the drive monitors the difference
between the estimated stator frequency and the internal computed stator frequency, in order to check
their consistency.
If this frequency difference, displayed by the parameter SDIF, reaches 4.5 Hz (absolute value), an
internal timer is activated.
While the difference remains higher than 4.5 Hz, the timer increases.
If the difference decreases below 4.5 Hz, the timer decreases (the timer is not reset).
If the timer reaches 500 ms, a SAFF error is triggered and the bit 0 of the SAF2 register is raised.

NOTE: The parameter SDIF can be displayed on the scope of the DTM. SDIF displays 0 Hz if SS1, SLS
and SMS are not configured.
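The timer described above counts up and down instead of resetting, so repeated short excursions of SDIF can accumulate into a SAFF trip even when no single excursion lasts 500 ms. The following added example (not part of the manual) models that behavior on constructed SDIF traces; the 1 ms sample period, the equal count-up and count-down rates, the floor at zero and the function names are assumptions.

```python
"""Up/down timer model of the stator frequency consistency check (added example)."""

SDIF_THRESHOLD_HZ = 4.5   # absolute difference that starts the timer (manual)
TRIP_TIME_MS = 500        # timer value that raises SAFF (manual)
SAF2_BIT0 = 0x0001        # SAF2 bit raised when the check trips (manual)


def consistency_trip_time(sdif_samples_hz, sample_ms=1, reset_on_drop=False):
    """Return the time in ms at which SAFF would be raised, or None.

    reset_on_drop=True models a naive detector that clears the timer whenever
    SDIF falls below the threshold; it is included only for comparison with
    the non-resetting behavior the manual describes.
    """
    timer_ms = 0
    for index, sdif in enumerate(sdif_samples_hz):
        if abs(sdif) >= SDIF_THRESHOLD_HZ:
            timer_ms += sample_ms            # difference too high: count up
        elif reset_on_drop:
            timer_ms = 0                     # comparison model only
        else:
            # Assumption: the timer counts down at the same rate, floor at 0.
            timer_ms = max(0, timer_ms - sample_ms)
        if timer_ms >= TRIP_TIME_MS:
            return (index + 1) * sample_ms
    return None


def bursts(above_ms, below_ms, cycles, high_hz=6.0, low_hz=1.0):
    """Constructed SDIF trace, 1 ms per sample: high for above_ms, low for below_ms."""
    return ([high_hz] * above_ms + [low_hz] * below_ms) * cycles


def saf2_after(sdif_samples_hz):
    """SAF2 bit mask contributed by this check after processing the trace."""
    tripped = consistency_trip_time(sdif_samples_hz) is not None
    return SAF2_BIT0 if tripped else 0


if __name__ == "__main__":
    oscillating = bursts(above_ms=300, below_ms=100, cycles=3)
    print("continuous 6 Hz error :", consistency_trip_time([6.0] * 600), "ms")
    print("300 ms on / 100 ms off:", consistency_trip_time(oscillating), "ms")
    print("same, naive reset     :",
          consistency_trip_time(oscillating, reset_on_drop=True))
    print("100 ms on / 100 ms off:",
          consistency_trip_time(bursts(100, 100, 10)))
```

Under these assumptions the 300 ms on / 100 ms off trace trips in its second burst, which is why reducing SDIF oscillation matters even when each excursion is short.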

Remedies
Verify the settings of the drive such as, the acceleration (ACC), the deceleration (DEC), the motor
nameplate, the autotuning, etc.
Verify the configuration of the motor control parameters in order to reduce the oscillations of SDIF value.
If this error is triggered without running the motor, an internal hardware error is the probable cause.
Contact your local Schneider Electric representative.

Chapter 5 Safety Functions Visualization via HMI

What Is in This Chapter?


This chapter contains the following topics:
Topic
Status of Safety Functions
Dedicated HMI
Error Code Description

Status of Safety Functions

Description
The status of the safety functions can be displayed using the HMI of the drive or using the
commissioning software. The HMI of the drive can be the local HMI on the product, the graphic display
terminal or the remote display terminal. There is one register for each safety function. See the introduction
(see page 16) for more information about the safety functions.
To access these registers with an HMI: [2 MONITORING] MOn- --> [MONIT. SAFETY] SAF-
• [STO status] StOS: Status of the safety function STO (Safe Torque Off)
• [SLS status] SLSS: Status of the safety function SLS (Safely-Limited Speed)
• [SS1 status] SS1S: Status of the safety function SS1 (Safe Stop 1)
• [SMS status] SMSS: Status of the safety function SMS (Safe Maximum Speed)
• [GDL status] GDLS: Status of the safety function GDL (Guard Door Locking)

The status registers are not approved for any type of safety-related use.
For more information about these registers, see ATV320 Visualization and Status of Safety Functions
(see page 98) on www.schneider-electric.com.

Dedicated HMI

Description
When a safety function has been triggered, some information is displayed.
Example with the local HMI of the product when the safety function SS1 has been triggered:

The display alternates between the name of the safety function SS1 and the current display parameter as long as
the motor decelerates according to the specified monitoring ramp until standstill is reached. After the
[Standstill level] SSSL has been reached, the safety function STO is triggered and displayed.
Error Code Description

Description
When an error is detected by the safety function, the drive displays [Safety function fault] (SAFF). This
detected error can only be reset after powering the drive OFF/ON. For more information, you can access
the registers to find out the possible reasons for triggering. These registers can be displayed using
the graphic display terminal or the commissioning software:
[DRIVE MENU] --> [MONITORING] --> [DIAGNOSTICS] --> [MORE FAULT INFO]

SFFE [Safety Function Error Register]


Bit Description
Bit0=1 Digital inputs debounce time-out (verify value of debounce time LIDT according to the
application)
Bit1 Reserved
Bit2=1 Motor speed sign has changed during SS1 ramp
Bit3=1 Motor speed has reached the frequency limit threshold during SS1 ramp.
Bit4 Reserved
Bit5 Reserved
Bit6=1 Motor speed sign has changed during SLS limitation
Bit7=1 Motor speed has reached the frequency limit threshold during SLS.
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13=1 Not possible to measure the motor speed (verify the motor wiring connection)
Bit14=1 Motor ground short-circuit detected (verify the motor wiring connection)
Bit15=1 Motor phase to phase short-circuit detected (verify the motor wiring connection)
This register is reset after powering OFF/ON.
This register can also be accessed from [DRIVE MENU] --> [MONITORING] --> [MONIT. SAFETY]
SAF1 [Safety Fault Register 1]
This is an application control error register.
Bit Description
Bit0=1 PWRM consistency detected error
Bit1=1 Safety functions parameters detected error
Bit2=1 Application auto test has detected an error
Bit3=1 Diagnostic verification of safety function has detected an error
Bit4=1 Digital input diagnostic has detected an error
Bit5=1 SMS or GDL safety function detected error. For details, refer to SF04 [Safety Fault
Subregister 04] (see page 65).
Bit6=1 Application watchdog management active
Bit7=1 Motor control detected error
Bit8=1 Internal serial link core detected error
Bit9=1 Digital input activation detected error
Bit10=1 Safe Torque Off function has triggered an error
Bit11=1 Application interface has detected an error of the safety functions
Bit12=1 Safe Stop 1 function has detected an error of the safety functions
Bit13=1 Safely Limited Speed function has triggered an error
Bit14=1 Motor data is corrupted
Bit15=1 Internal serial link data flow detected error
This register is reset after powering OFF/ON.

SAF2 [Safety Fault Register 2]


This is a motor control error register.
Bit Description
Bit0=1 Consistency stator frequency verification has detected an error (see page 57).
Bit1=1 Stator frequency estimation detected error
Bit2=1 Motor control watchdog management is active
Bit3=1 Motor control hardware watchdog is active
Bit4=1 Motor control auto test has detected an error
Bit5=1 Chain testing detected error
Bit6=1 Internal serial link core detected error
Bit7=1 Direct short-circuit detected error
Bit8=1 PWM driver detected error
Bit9=1 GDL safety function internal error
Bit10 Reserved
Bit11=1 Application interface has detected an error of the safety functions
Bit12 Reserved
Bit13 Reserved
Bit14=1 Motor data is corrupted
Bit15=1 Internal serial link data flow detected error
This register is reset after powering OFF/ON.
SF00 [Safety Fault Subregister 00]
This is an application auto test error register.
Bit Description
Bit0 Reserved
Bit1=1 Ram stack overflow
Bit2=1 Ram address integrity detected error
Bit3=1 Ram data access detected error
Bit4=1 Flash checksum detected error
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9=1 Fast task overflow
Bit10=1 Slow task overflow
Bit11=1 Application task overflow
Bit12 Reserved
Bit13 Reserved
Bit14=1 PWRM line is not activated during initialization phase
Bit15=1 Application hardware watchdog is not running after initialization
This register is reset after powering OFF/ON.

SF01 [Safety Fault Subregister 01]


This is a digital input diagnostics error register
Bit Description
Bit0=1 Management - state machine detected error
Bit1=1 Data required for test management are corrupted
Bit2=1 Channel selection detected error
Bit3=1 Testing - state machine detected error
Bit4=1 Test request is corrupted
Bit5=1 Pointer to test method is corrupted
Bit6=1 Incorrect test action provided
Bit7=1 Detected error in results collecting
Bit8=1 DI3 detected error. Cannot activate safety function
Bit9=1 DI4 detected error. Cannot activate safety function
Bit10=1 DI5 detected error. Cannot activate safety function
Bit11=1 DI6 detected error. Cannot activate safety function
Bit12=1 Test sequence updated while a diagnostic is in progress
Bit13=1 Detected error in test pattern management
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.
SF02 [Safety Fault Subregister 02]
This is an application watchdog management detected error register.
Bit Description
Bit0=1 Fast task detected error
Bit1=1 Slow task detected error
Bit2=1 Application task detected error
Bit3=1 Background task detected error
Bit4=1 Safety function fast task/input detected error
Bit5=1 Safety function slow task/input detected error
Bit6=1 Safety function application task/inputs detected error
Bit7=1 Safety function application task/treatment detected error
Bit8=1 Safety function background task detected error
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.
SF03 [Safety Fault Subregister 03]
Bit Description
Bit0=1 Debounce time out
Bit1=1 Input not consistent
Bit2=1 Consistency verification - state machine detected error
Bit3=1 Consistency verification - debounce timeout corrupted
Bit4=1 Response time data detected error
Bit5=1 Response time corrupted
Bit6=1 Undefined consumer queried
Bit7=1 Configuration detected error
Bit8=1 Inputs are not in nominal mode
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.
SF04 [Safety Fault Subregister 04]
This is a [Safe Torque Off] STO detected error register
Bit Description
Bit0=1 No signal configured
Bit1=1 State machine detected error
Bit2=1 Internal data detected error
Bit3 Reserved
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8=1 SMS overspeed detected error
Bit9=1 SMS internal detected error
Bit10 Reserved
Bit11 Reserved
Bit12=1 GDL internal detected error 1
Bit13=1 GDL internal detected error 2
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.

SF05 [Safety Fault Subregister 05]


This is a [Safe Stop 1] SS1 detected error register
Bit Description
Bit0=1 State machine detected error
Bit1=1 Motor speed sign has changed during stop
Bit2=1 Motor speed has reached the frequency limit threshold.
Bit3=1 Theoretical motor speed corrupted
Bit4=1 Unauthorized configuration
Bit5=1 Theoretical motor speed computation detected error
Bit6 Reserved
Bit7=1 Speed sign verification: consistency detected error
Bit8=1 Internal SS1 request corrupted
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.
SF06 [Safety Fault Subregister 06]
This is a [Safely Limited Speed] SLS detected error register
Bit Description
Bit0=1 State machine detected error
Bit1=1 Motor speed sign changed during limitation
Bit2=1 Motor speed has reached the frequency limit threshold
Bit3=1 Data corruption
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.

SF07 [Safety Fault Subregister 07]


This is an application watchdog management detected error register.
Bit Description
Bit0 Reserved
Bit1 Reserved
Bit2 Reserved
Bit3 Reserved
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved

Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.
SF08 [Safety Fault Subregister 08]
This is an application watchdog management detected error register
Bit Description
Bit0=1 PWM task detected error
Bit1=1 Fixed task detected error
Bit2=1 ATMC watchdog detected error
Bit3=1 DYNFCT watchdog detected error
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.

SF09 [Safety Fault Subregister 09]


This is a motor control auto test detected error register.
Bit Description
Bit0 Reserved
Bit1=1 Ram stack overflow
Bit2=1 Ram address integrity detected error
Bit3=1 Ram data access detected error
Bit4=1 Flash checksum error
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9=1 1 ms task overflow
Bit10=1 PWM task overflow
Bit11=1 Fixed task overflow
Bit12 Reserved
Bit13 Reserved
Bit14=1 Unwanted interruption
Bit15=1 Hardware WD is not running after initialization
This register is reset after powering OFF/ON.
SF10 [Safety Fault Subregister 10]
This is a motor control direct short-circuit detected error register
Bit Description
Bit0=1 Ground short circuit - configuration detected error
Bit1=1 Phase to phase short circuit - configuration detected error
Bit2=1 Ground short circuit
Bit3=1 Phase to phase short circuit
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.

SF11 [Safety Fault Subregister 11]


This is a motor control dynamic verification of activity detected error register
Bit Description
Bit0=1 Application requested a diagnostic of direct short-circuit
Bit1=1 Application requested consistency verification of stator frequency estimation (voltage and current)
Bit2=1 Application requested diagnostic of SpdStat provided by motor control
Bit3 Reserved
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8=1 Motor control diagnostic of direct short circuit is enabled
Bit9=1 Motor control consistency verification of stator frequency estimation is enabled
Bit10=1 Motor control diagnostic of SpdStat provided by motor control is enabled
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
This register is reset after powering OFF/ON.
Chapter 6 Technical Data

What Is in This Chapter?


This chapter contains the following topics:
• Electrical Data
• Getting and Operating the Safety Function
• Safety Function Capability
• Debounce Time and Response Time

Electrical Data

Logic Type
The drive digital inputs and digital outputs can be wired for logic type 1 or logic type 2.
Logic Type Active State
1 The output draws current (Sink)
Current flows to the input
2 The output supply flows from the input current
Current (Source)
Safety functions must only be used in source mode.
Signal inputs are protected against reverse polarity, outputs are protected against short-circuits. The inputs
and outputs are galvanically isolated.

ATV320B Cabling Label

ATV320C Cabling Label

Getting and Operating the Safety Function

Digital Input
General-purpose digital inputs can be used to trigger a safety function. Digital inputs have to be
combined in pairs to obtain a redundant request. There are only 4 general-purpose digital inputs that
can be linked to safety functions (DI3, DI4, DI5, DI6). The pairs of digital inputs are fixed and are:
• DI3 and DI4
• DI5 and DI6
• Another combination is only possible for the STO function: DI3 and STO
Pairs of digital inputs can only be assigned once when they are linked to a safety function. When you
set a safety function on a digital input you cannot set another function (safety or other) on this digital
input. If you set a non-safety function on a digital input you cannot set a safety function on this digital
input.
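
The pairing rules above can be checked on a planned configuration before it is entered in the commissioning tool. The following is an added example, not Schneider Electric code: the function name `check_assignments` and the finding labels are hypothetical, and the channel codes (nO, L34, L56, L3PW) and parameter codes (StOA, SLSA, SS1A) are the ones listed on this manual's STO, SLS and SS1 tabs.

```python
# Added example: checks a planned safety-input assignment against the pairing
# rules stated in this section. Names below are hypothetical helpers.

# Channel codes and the inputs they occupy, as listed on the STO/SLS/SS1 tabs.
CHANNEL_INPUTS = {
    "nO": frozenset(),
    "L34": frozenset({"DI3", "DI4"}),
    "L56": frozenset({"DI5", "DI6"}),
    "L3PW": frozenset({"DI3", "STO"}),
}

# DI3 + STO is only offered for the STO function.
ALLOWED_CHANNELS = {
    "StOA": {"nO", "L34", "L56", "L3PW"},
    "SLSA": {"nO", "L34", "L56"},
    "SS1A": {"nO", "L34", "L56"},
}


def check_assignments(safety, non_safety=None):
    """Return a list of (finding, subject, detail) tuples; empty means consistent.

    safety:     dict mapping activation parameter -> channel code
    non_safety: dict mapping digital input -> name of a non-safety function
    """
    non_safety = non_safety or {}
    findings = []
    owner = {}  # digital input -> safety parameter that already claimed it

    for param in sorted(safety):
        code = safety[param]
        if param not in ALLOWED_CHANNELS:
            findings.append(("unknown-parameter", param, code))
            continue
        if code not in ALLOWED_CHANNELS[param]:
            findings.append(("channel-not-allowed", param, code))
            continue
        # The dedicated STO terminal is not a general-purpose input, so only
        # DI3..DI6 are tracked for double use.
        for di in sorted(CHANNEL_INPUTS[code] - {"STO"}):
            if di in owner:
                # A pair (or one input of it) can only be assigned once.
                findings.append(("input-claimed-twice", di, f"{owner[di]}+{param}"))
            else:
                owner[di] = param
            if di in non_safety:
                # A safety input cannot also carry a non-safety function.
                findings.append(("mixed-with-non-safety", di, non_safety[di]))
    return findings


if __name__ == "__main__":
    # Constructed sample plans.
    plans = {
        "STO on STO+DI3, SLS on DI5/DI6": ({"StOA": "L3PW", "SLSA": "L56"}, {}),
        "STO on STO+DI3, SLS on DI3/DI4": ({"StOA": "L3PW", "SLSA": "L34"}, {}),
        "SS1 on DI5/DI6, DI5 also preset speed": ({"SS1A": "L56"}, {"DI5": "preset speed"}),
    }
    for name, (safety, other) in plans.items():
        print(name, "->", check_assignments(safety, other) or "consistent")
```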

The SISTEMA Software


The SISTEMA software allows machine developers and testers of safety-related machine controls to
evaluate the safety standard or level of their machine in the context of IEC 13849-1. The tool allows you
to model the structure of safety-related control components based on the designated architectures,
allowing automated calculation of the reliability standards with various levels of detail, including that of
the Performance Level (PL).
The ATV320 Libraries are available from www.schneider-electric.com.

Preventa Safety Relays


Preventa safety relays are used for the creation of complex safety functions in machines, allowing
management of the I/O, and also for protecting both the operator and the machine.
The Preventa range of products features microprocessor-based technology using the redundancy
principle, and is essential to ensure safe operation of dangerous machinery.

Safety Function Capability

PDS (SR) safety functions are part of an overall system


If the qualitative and quantitative safety objectives determined by the final application require some
adjustments to ensure safe use of the safety functions, the integrator of the BDM (Basic Drive Module) is
responsible for these additional changes (for example, managing the mechanical brake on the motor).
Also, the output data generated by the use of safety functions (fault relay activation, error codes or
information on the display, etc.) is not considered to be safety-related data.

Machine Application Function Configuration


STO SS1 type C (5) SLS/STO/SS1
type B/ SMS
(6)
STO STO and DI3 STO with Preventa STO and DI3 with DI3 DI5
XPS ATE or Preventa DI4 DI6
XPS AV or XPS AV or
equivalent equivalent
Standard

IEC 61800-5-2 / SIL2 SIL3 SIL2 SIL3 SIL2


IEC 61508 /
IEC 62061 (1) SIL2 SIL3 CL SIL2 CL SIL3 CL SIL2 CL
IEC 62061 (2) Category 3 Category 4 Category 3 Category 4 Category 3
ISO 13849-1 (3) PL d PL e PL d PL e PL d
IEC 60204-1 (4) Category stop 0 Category stop 0 Category stop 1 Category stop 1

(1) Because the IEC 62061 standard concerns integration, this standard distinguishes the overall safety
function (which is classified SIL2 or SIL3 for ATV320 according to the diagrams Process system SF - Case
1 and Process system SF - Case 2) from components which constitute the safety function (which is
classified SIL2 CL or SIL3 CL for ATV320).
(2) According to IEC 62061: 2005+ A1:2013/A2:2015.
(3) According to EN 13849-1:2015.
(4) If protection against supply interruption or voltage reduction and subsequent restoration is needed
according to IEC 60204-1, a safety module type Preventa XPS AF or equivalent must be used.
(5) SS1 type C: the power drive initiates the motor deceleration and initiates the STO function after an
application specific time delay.
(6) SS1 type B: the power drive initiates and monitors the motor deceleration rate within set limits to
stop the motor and initiates the STO function when the motor speed is below a specified limit.

Process Application Function Configuration


Standard | STO: STO | STO: STO and DI3 | SS1 type C (2): STO with Preventa XPS ATE or XPS AV or equivalent | SS1 type C (2): STO and DI3 with Preventa XPS AV or equivalent | SLS / STO / SS1 type B / SMS (3): DI3 DI4 DI5 DI6
IEC 61800-5-2 / IEC 61508 | SIL2 | SIL3 | SIL2 | SIL3 | SIL2
IEC 62061 (1) | SIL2 CL | SIL3 CL | SIL2 CL | SIL3 CL | SIL2 CL

(1) Because the IEC 62061 standard concerns integration, this standard distinguishes the overall safety
function (which is classified SIL2 or SIL3 for ATV320 according to diagrams CASE 1 and CASE 2) from
components which constitute the safety function (which is classified SIL2 CL or SIL3 CL for ATV320).
(2) SS1 type C: the power drive initiates the motor deceleration and initiates the STO function after an
application specific time delay.
(3) SS1 type B: the power drive initiates and monitors the motor deceleration rate within set limits to
stop the motor and initiates the STO function when the motor speed is below a specified limit.
Input Signal Safety Functions
Input signals safety functions | Units | Value for DI3 to DI6 | Value for STO
Logic 0 (Ulow) | V | < 5 | < 2
Logic 1 (Uhigh) | V | > 11 | > 17
Impedance (24 V) | kΩ | 3.5 | 1.5
Debounce time | ms | < 1 | < 1
Response time of safety function | ms | < 10 | < 10
Summary of the Reliability Study
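Function: STO, SS1 type C (with Preventa XPS ATE or XPS AV or equivalent) (3)
Standard | Parameter | STO input | STO input & DI3 | DI3 & DI4 or DI5 & DI6
IEC 61508 Ed.2 | SFF | 96% | 96% | 95%
IEC 61508 Ed.2 | PFD10y | 8.10^-4 | 5.10^-4 | 3.10^-3
IEC 61508 Ed.2 | PFD1y | 8.10^-5 | 5.10^-5 | 3.10^-4
IEC 61508 Ed.2 | PFHequ_1y | 9 FIT (1) | 6 FIT (1) | 34 FIT (1)
IEC 61508 Ed.2 | Type | B | B | B
IEC 61508 Ed.2 | HFT | 1 | 1 | 0
IEC 61508 Ed.2 | DC | 92% | 90% | 88%
IEC 61508 Ed.2 | SIL capability | 2 | 3 | 2
IEC 62061 (2) | SIL CL capability | 2 | 3 | 2
IEC 60204-1 | Category stop | 0 for STO, 1 for SS1 Type C | 0 for STO, 1 for SS1 Type C | 0 for STO, 1 for SS1 Type C
ISO 13849-1 (4) | PL | d | e | d
ISO 13849-1 (4) | Category | 3 | 3 | 3
ISO 13849-1 (4) | MTTFd in years | 14000 | "L1" 3000, "L2" 31000 | 4000

Function: SS1 type B, SLS, SMS
Standard | Parameter | Value
IEC 61508 Ed.2 | SFF | 90%
IEC 61508 Ed.2 | PFD10y | 4.10^-3
IEC 61508 Ed.2 | PFHequ_10y | 43 FIT (1)
IEC 61508 Ed.2 | Type | B
IEC 61508 Ed.2 | HFT | 0
IEC 61508 Ed.2 | DC | 74%
IEC 61508 Ed.2 | SIL capability | 2
IEC 62061 (2) | SIL CL capability | 2
IEC 60204-1 | Category stop | 1 for SS1 Type B
ISO 13849-1 (4) | PL | d
ISO 13849-1 (4) | Category | 3
ISO 13849-1 (4) | MTTFd in years | 2000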
Function Standard DQ R1 and R2

GDL IEC 61508 Ed.2 SFF 91% 94%


2
PFDequ1y 2.10 2.10-2

PFDequ10y 2.10-3 2.10-3

PFH 52 FIT(1) 37 FIT(1)

Type B B

HFT 0 0

DC 72% 78%

SIL capability 1 1

IEC 62061 (2) SIL CL capability 1 1

ISO 13849-1 (4) PL c c

Category 2 2

MTTFd in years 600 600


(1) FIT: Failure In Time = 10^-9 failure per hour.
(2) Because the IEC 62061 standard concerns integration, this standard distinguishes the overall safety
function (which is classified SIL2 or SIL3 for ATV320 according to diagrams Process system SF - Case 1
and Process system SF - Case 2) from components which constitute the safety function (which is classified
SIL2 CL or SIL3 CL for ATV320).
(3) The SS1 Type C values are only given for the drive modules.
(4) According to EN 13849-1:2015.
Preventive annual activation of the safety function is recommended.
However, the safety levels can be obtained (with lower margins) without annual activation.
For the machine environment, a safety module is required for the STO function.
To avoid the use of a safety module, the Restart function parameters must be part of the safety function.
Please refer to the description of advantages of the safety module.
NOTE: The table above is not sufficient to evaluate the PL of a PDS. The PL evaluation has to be done
at the system level. The fitter or the integrator of the BDM (Basic Drive Module) has to do the system PL
evaluation by including sensors data with numbers from the table above.
Debounce Time and Response Time

Description
On the ATV320 there are 2 parameters to configure digital inputs for safety function (DI3, DI4, DI5, DI6).
The consistency of each pair of digital input is verified continuously.
[DI debounce time] LIdt: A logical state difference between DI3/DI4 or DI5/DI6 is allowed during
debounce time, otherwise a detected error is activated.
[DI response time] LIrt: The digital input response time manages the safety function activation shift.

: Digital input Response Time

: Digital input Debounce Time
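
The pair-consistency check described above can be simulated on sampled input levels. The following is an added example, not the drive's firmware: `monitor_pair` and `make_trace` are hypothetical names, the timing values are constructed, inputs are treated as requesting the safety function in the low state (as on the STO/SLS/SS1 tabs), and LIrt is modelled as the time both inputs must stay low before activation, which is an assumption about the "activation shift" wording.

```python
# Added example: simulation of the paired-input consistency check (LIdt) and
# an assumed model of the response-time filter (LIrt). Hypothetical names.

def make_trace(duration_ms, a_falls_at, b_falls_at=None):
    """Constructed 1 ms samples (t, a, b): an input reads 1 until it falls to 0.

    b_falls_at=None models a second channel stuck high (for example a broken wire
    on the wrong side of the contact).
    """
    return [
        (t, int(t < a_falls_at), int(b_falls_at is None or t < b_falls_at))
        for t in range(duration_ms)
    ]


def monitor_pair(samples, lidt_ms, lirt_ms):
    """Return a list of (t_ms, event) for one input pair (DI3/DI4 or DI5/DI6).

    - A state difference between the two inputs is tolerated for at most
      lidt_ms; beyond that a "consistency_error" is raised and evaluation stops.
    - Assumption: the safety function activates once both inputs have been low
      for lirt_ms, so pulses shorter than lirt_ms are ignored.
    """
    events = []
    mismatch_since = None  # time the two channels started to disagree
    low_since = None       # time both channels became low together
    active = False

    for t, a, b in samples:
        if a != b:
            low_since = None
            if mismatch_since is None:
                mismatch_since = t
            if t - mismatch_since > lidt_ms:
                events.append((t, "consistency_error"))
                break
        else:
            mismatch_since = None
            if a == 0:
                if low_since is None:
                    low_since = t
                if not active and t - low_since >= lirt_ms:
                    active = True
                    events.append((t, "safety_function_active"))
            else:
                low_since = None
                active = False
    return events


if __name__ == "__main__":
    # Constructed cases: 2 ms contact skew, then a channel that never follows.
    print(monitor_pair(make_trace(30, 10, 12), lidt_ms=5, lirt_ms=3))
    print(monitor_pair(make_trace(30, 10), lidt_ms=5, lirt_ms=3))
```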

Chapter 7 Certified Architectures

What Is in This Chapter?


This chapter contains the following topics:
• Introduction
• Multi-drive with the Safety Module Type Preventa XPS AF - Case 1
• Multi-drive with the Safety Module Type Preventa XPS AF - Case 2
• Multi-drive Without the Safety Module
• Single Drive with the Safety Module Type Preventa XPS AV - Case 1
• Single Drive with the Safety Module Type Preventa XPS AV - Case 2
• Single Drive with the Safety Module Type Preventa XPS AF - Case 1
• Single Drive with the Safety Module Type Preventa XPS AF - Case 2
• Single Drive According to IEC 61508 and IEC 60204-1 - Case 1
• Single Drive According to IEC 61508 and IEC 60204-1 - Case 2
• Single Drive According to IEC 61508 and IEC 62061 with Safety Function GDL
• Multi-drive Chaining According to IEC 61508 and IEC 62061 with Safety Function GDL

Introduction

Certified Architectures
NOTE: For certification relating to functional aspects, only the PDS(SR) (Power Drive System suitable
for use in safety-related applications) will be considered, not the complete system into which it is
integrated to help to ensure the functional safety of a machine or a system/process.
These are the certified architectures:
• Multi-drive with the Safety module type Preventa XPS AF - Case 1
• Multi-drive with the Safety module type Preventa XPS AF - Case 2
• Multi-drive without the Safety module
• Single drive with the Safety module type Preventa XPS AV - Case 1
• Single drive with the Safety module type Preventa XPS AV - Case 2
• Single drive with the Safety module type Preventa XPS AF - Case 1
• Single drive with the Safety module type Preventa XPS AF - Case 2
• Single drive according to IEC 61508 and IEC 60204-1 - Case 1
• Single drive according to IEC 61508 and IEC 60204-1 - Case 2

The safety functions of a PDS(SR) (Power Drive System suitable for use in safety-related applications) are
part of an overall system.
If the qualitative and quantitative safety-related objectives determined by the final application require
some adjustments to ensure safe use of the safety functions, the integrator of the BDM (Basic Drive
Module) is responsible for these additional changes (for example, managing the mechanical brake on
the motor).
Also, the output data generated by the use of safety functions (fault relay activation, error codes or
information on the display, etc.) is not considered to be safety-related data.

Multi-drive with the Safety Module Type Preventa XPS AF - Case 1

Multi-drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
The following configurations apply to the diagram:
• STO category 4, PL e/SIL3 Machine with Safety module type Preventa XPS AF or equivalent and DI3 set to STO
• SLS category 3, PL d/SIL2 or SS1 type B category 3 on DI5/DI6

Or
• STO category 4, PL e/SIL3 Machine with Safety module type Preventa XPS AF or equivalent and DI3 set to STO
• DI4 and DI5/DI6 not set to a safety function

(1) Braking resistor, if used, (2) Cable and wiring following IEC60079-14. STO cables must be shielded
and run apart from the supply cable. (3) Line choke, if used, (4) Multi-drive is possible with another
drive (for example, ATV71 with PWR connection or Lexium servo drives).
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Multi-drive with the Safety Module Type Preventa XPS AF - Case 2

Multi-drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
The following configurations apply to the diagram below:
• STO category 3, PL d/SIL2 Machine with Safety module type Preventa XPS AF or equivalent
• SLS category 3, PL d/SIL2 or SS1 type B category 3 on DI3/DI4 or DI5/DI6

(1) Braking resistor, if used, (2) Cable and wiring following IEC60079-14. STO cables must be shielded
and run apart from the supply cable. (3) Line choke, if used, (4) Multi-drive is possible with another
drive (for example, ATV71 with PWR connection or Lexium servo drives).
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Multi-drive Without the Safety Module

Multi-drive Without the Safety Module Type Preventa XPS AF According to IEC 61508
The following configurations apply to the diagram below:
• STO SIL2 on STO
• SLS SIL2 or SS1 type B SIL2 on DI3/DI4 or DI5/DI6

Or
• STO SIL2 on STO
• SLS or SS1 type B on DI3/DI4
• DI5/DI6 not set to a safety function
Or
• STO SIL2 on STO
• DI3/DI4 and DI5/DI6 not set to a safety function
Or
• STO SIL3 on STO and DI3
• SLS SIL2 or SS1 type B SIL2 on DI5/DI6
• DI4 not set to a safety function
Or
• STO SIL3 on STO and DI3
• DI4 and DI5/DI6 not set to a safety function

(1) Braking resistor, if used, (2) Line chokes, if used.
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Single Drive with the Safety Module Type Preventa XPS AV - Case 1

Single Drive with the Safety Module Type Preventa XPS AV According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
The following configurations apply to the diagram below:
• SS1 type C category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AV or equivalent
Or
• SS1 type C category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AV or equivalent
• SLS category 3, PL d/SIL2 or SS1 type B category 3 on DI3/DI4
• DI5/DI6 not set to a safety function
Or
• SS1 type C category 3, PL d/SIL2 on STO and DI3 with Safety module type Preventa XPS AV or equivalent
• DI3/DI4 and DI5/DI6 not set to a safety function

(1) Channel 1 logic, (2) Channel 2 logic, (3) Output 1, (4) Output 2, (5) Emergency stop, (6) Start, (7) Time
delay stop, (8) Braking resistor, if used, (9) Line chokes, if used.
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Single Drive with the Safety Module Type Preventa XPS AV - Case 2

Single Drive with the Safety Module Type Preventa XPS AV According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
The following configurations apply to the diagram below:
• SS1 type C category 4, PL e/SIL3 on STO and DI3 with Safety module type Preventa XPS AV or equivalent
• SLS category 3, PL d/SIL2 or SS1 type B category 3 PL d/SIL2 on DI5/DI6
• DI4 not set to a safety function

(1) Channel 1 logic, (2) Channel 2 logic, (3) Output 1, (4) Output 2, (5) Emergency stop, (6) Time delay
stop, (7) Braking resistor, if used, (8) Line chokes, if used.
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Single Drive with the Safety Module Type Preventa XPS AF - Case 1

Single Drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1, IEC 62061 and 60204-1
(Machine)
The following configurations apply to the diagram below:
• STO category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AF or equivalent
• SLS category 3, PL d/SIL2 or SS1 type B category 3 on DI3/DI4 or DI5/DI6
Or
• STO category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AF or equivalent
• SLS category 3, PL d/SIL2 or SS1 type B category 3 on DI3/DI4
• DI5/DI6 not set to a safety function
Or
• STO category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AF or equivalent
• DI3/DI4 and DI5/DI6 not set to a safety function

(1) Braking resistor, if used, (2) Line chokes, if used.
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Single Drive with the Safety Module Type Preventa XPS AF - Case 2

Single Drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1, IEC 62061 and 60204-1
(Machine)
The following configurations apply to the diagram below:
• STO category 4, PL e/SIL3 on STO with Safety module type Preventa XPS AF or equivalent and DI3 set to STO
• SLS category 3, PL d/SIL2 or SS1 type B category 3 on DI5/DI6
• DI4 not set to a safety function

(1) Start, (2) Braking resistor, if used, (3) Line chokes, if used.
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Single Drive According to IEC 61508 and IEC 60204-1 - Case 1

Single Drive According to IEC 61508 and IEC 60204-1 Without Protection Against Supply Interruption or Voltage Reduction and
Subsequent Rotation
The following configurations apply to the diagram below:
• STO SIL2 on STO
• STO or SLS SIL2 or SS1 type B SIL2 on DI3/DI4 or DI5/DI6
Or
• STO SIL2 on STO
• STO or SLS or SS1 type B on DI3/DI4
• DI5/DI6 not set to a safety function
Or
• STO SIL2 on STO
• DI3/DI4 and DI5/DI6 not set to a safety function
Or
• STO SIL3 on STO and DI3
• SLS SIL2 or SS1 type B SIL2 on DI5/DI6
• DI4 not set to a safety function
Or
• STO SIL3 on STO and DI3
• DI4 and DI5/DI6 not set to a safety function

(1) Braking resistor, if used, (2) Line chokes, if used.
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Single Drive According to IEC 61508 and IEC 60204-1 - Case 2

Single Drive According to IEC 61508 and IEC 60204-1 Without Protection Against Supply Interruption or Voltage Reduction
and Subsequent Rotation
The following configurations apply to the diagram below:
• STO SIL2 on DI3 and DI4
• SLS SIL2 or SS1 type B SIL2 on DI5/DI6

Or
• STO SIL2 on DI3 and DI4
• DI5/DI6 not set to a safety function

Wiring Diagram

(1) Braking resistor, if used, (2) Line chokes, if used.
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
Single Drive According to IEC 61508 and IEC 62061 with Safety Function GDL

Certified Wiring Diagram


GDL category 2, PL c/SIL1 is applicable to the following wiring diagram.

(1) Cable wiring following IEC60079-14. STO cables must be shielded and run apart from the supply cable.
(2) Guard door lock. The maximum current for the interlock system is 100 mA.

Multi-drive Chaining According to IEC 61508 and IEC 62061 with Safety Function GDL

Certified Wiring Diagram


GDL category 2, PL c/SIL1 is applicable to the following wiring diagram.

(1): Cable wiring following IEC60079-14. STO cables must be shielded and run apart from the supply cable.
(2): Guard door lock. The maximum current for the interlock system is 100 mA.
(3): Chaining of a total of N ATV320 drives.
(4): The maximum ATV320 voltage drop is 2.5 V. With N ATV320 drives and a 24 V supply voltage, the guard door
lock operating voltage must be lower than (24 V - 2.5 V x N).
(5): The maximum voltage between DQ+ and DQ- is 30 V.

NOTE: For more information about the control terminal characteristics, refer to the installation manual.

Chapter 8 Commissioning

What Is in This Chapter?


This chapter contains the following topics:
• Safety Functions Tab
• Configure Safety Functions Panel
• Visualization and Status of Safety Functions
• Copying Safety Related Configuration from Device to PC and from PC to Device
• Machine Signature

Safety Functions Tab

Introduction
To access the safety function configuration, click the Safety Functions tab. This screen is read-only,
allowing you to see all current safety function configurations.
The Safety Functions tab provides access to:
• an outline of the safety function features available on the ATV320 (accessible Online/Offline)
• the status of all I/O in connected mode
• general information about the machine (Online/Offline).

It also provides access to the following dialog boxes:
• Configuration
• Configure (only available in connected mode)
• Reset Configuration
• Copy from DEVICE to PC
• Copy from PC to DEVICE
• Password Configuration
• Modify Password
• Reset Password

Pre-Condition
Before configuring the safety-related parameters, make sure that the device firmware and the DTM version
are the same.

Steps to Configure the Safety Functions


If you are not in Online mode, then: in the menu bar, click Communication → Connect to Device or click the Connect to Device icon.
If you are in Online mode, then: click the Configure button in the Safety Functions tab.
Once connected:
Step 1
Action: Click the Configure button in the Safety Functions tab.
Comment: A Define Configuration Password dialog box appears:
• Type the new configuration password in the Enter New Password box.
• Retype the new configuration password in the Confirm New Password box.
• Click OK.

NOTE:
Your password:
• Should have only a numeric value; choose the value between 1...9999.
• Should not exceed more than 4 digits.
• Should not have the value 0.
Result: Opens the Configuration of Safety Functions window.
If you have already defined the password, then: type your safety function configuration password in the Enter Configuration Password box and click OK.
Result: Opens the Configuration of Safety Functions window.
Configure Safety Functions Panel

Overview
The Configuration of Safety Functions panel includes the Information, STO, SLS, SS1, SMS, GDL, and
Input/Output tabs.

Information Tab
The information tab allows you to define and display product system information.

Information filled in automatically by SoMove:
• Date (format depends on the PC local and linguistic options)
• Device Type
• Drive Reference

Information filled in manually:
• Device Serial No (number)
• Machine Name
• Company Name
• End-User Name
• Comments

Safe Torque Off (STO) Tab


For more information about STO function, see STO description (see page 24).
For this function, only the associated set of inputs should be selected in the box. The parameter to be
managed is: STOA.
StO [Safe Torque Off]
StOA [STO function activation]. Factory setting: [No]
  nO [No]: Not assigned
  L34 [DI3 and DI4]: digital input 3/4 low state
  L56 [DI5 and DI6]: digital input 5/6 low state
  L3PW [DI3 and STO]: digital input 3/STO low state
  This parameter is used to configure the channel used to trigger the STO function. If you set
  STOA=No, STO function is always active but just on STO input.
Safely Limited Speed (SLS) Tab
For more information about SLS function, see SLS description (see page 28).
SLS [Safely-Limited Speed]
SLSA [SLS function activation]. Factory setting: [No]
  nO [No]: Not assigned
  L34 [DI3 and DI4]: digital input 3/4 low state
  L56 [DI5 and DI6]: digital input 5/6 low state
  This parameter is used to configure the channel used to trigger the SLS function.
SLt [Safely Limited speed Type Element]. Factory setting: [Type1]
  This parameter is used to select the SLS type.
  tYp1 [Type1]: SLS type 1
  tYp2 [Type2]: SLS type 2
  tYp3 [Type3]: SLS type 3
  tYp4 [Type4]: SLS type 4
  tYp5 [Type5]: SLS type 5
  tYp6 [Type6]: SLS type 6
  Refer to the function description for information about the behavior of the different types.
SLSP [SLS set point] parameter. Adj. range: 0...599 Hz. Factory setting: 0 Hz
  This parameter is only visible if SLT = Type2 or SLT = Type3 or SLT = Type 4.
  SLSP is used to set the maximum speed.
SLtt [SLS tolerance threshold] parameter. Adj. range: 0...599 Hz. Factory setting: 0 Hz
  The behavior of this parameter depends on the value of SLT, see above.
SLwt [SLS Wait Time] parameter. Adj. range: 0...5000 ms. Factory setting: 0 Hz
  This parameter is used to set the maximum time for StFr to be greater than SSSL.
  When SLwt is reached, STO function is triggered.
  Unit of this parameter is 1 ms.
  For example, if the value is set to 2000 units, then the SLS wait time in seconds is:
  2000*1 ms = 2 s
  This parameter can be modified only if SLT = Type 2 or SLT = Type 3.
  For SLS type 1 and SLS type 4, SLwt is always set to 0.
SSrt [SS1 ramp value] parameter. Adj. range: 1 to 5990. Factory setting: 1
  The unit depends on the SSRU parameter. Use this parameter to set the value of the SS1
  deceleration ramp.
  SS1 ramp = SSRT*SSRU. Example: If SSRT = 250 and SSRU = 1 Hz/s then the deceleration ramp = 25 Hz/s.
  This parameter is similar to the SS1 safety function, for more information see SS1 (see page 46).
SSrU [SS1 ramp unit] parameter. Factory setting: [1 Hz/s]
  1H [1 Hz/s]
  10H [10 Hz/s]
  100H [100 Hz/s]
  This parameter is used to set the SSrt unit.
  This parameter is similar to the SS1 safety function configured, for more information see SS1
  (see page 46).
SStt [SS1 trip threshold]. Adj. range: 0...599 Hz. Factory setting: 0 Hz
  This parameter sets the tolerance zone around the deceleration ramp in which the frequency may vary.
  This parameter is similar to the SS1 safety function configured in another tab.
SSSL [SLS/SS1 standstill level] parameter. Adj. range: 0...599 Hz. Factory setting: 0 Hz
  This parameter adjusts the frequency at which the drive should go into STO state at the end of the
  SS1 ramp.
  This parameter is similar to the SS1 safety function configured in another tab.
Safe Stop 1 (SS1) Tab

For more information about the SS1 function, see SS1 description (see page 26).

Code    Name/Description    Adj. Range    Factory Setting
SS1     [Safe Stop 1]
SS1A    [Safe Stop 1 Activation]    [No]
    nO      [No]: Not assigned
    L34     [DI3 and DI4]: digital input 3/4 low state
    L56     [DI5 and DI6]: digital input 5/6 low state
    These parameters are used to configure the channel used to trigger the SS1 function.
SSrt    [SS1 ramp value]    1 to 5990    1
    The unit depends on the SSRU parameter. Use this parameter to set the value of the SS1 deceleration ramp.
    SS1 ramp = SSRT*SSRU
    Example: If SSRT = 250 and SSRU = 1 Hz/s then the deceleration ramp = 25 Hz/s.
    This parameter is similar to the SLS safety function configured in another tab.

SSrU    [SS1 ramp unit]    [1 Hz/s]
    1H      [1 Hz/s]
    10H     [10 Hz/s]
    100H    [100 Hz/s]
    This parameter is used to set the SSRT unit.
    This parameter is similar to the SLS safety function configured in another tab.
SStt    [SS1 trip threshold] parameter    0...599 Hz    0 Hz
    This parameter sets the tolerance zone around the deceleration ramp in which the frequency may vary.
    This parameter is similar to the SLS safety function configured,
SSSL    [SLS/SS1 standstill level] parameter    0...599 Hz    0 Hz
    This parameter adjusts the frequency at which the drive should go into STO state at the end of the SS1 ramp.
    This parameter is similar to the SLS safety function configured in another tab.

Safe Maximum Speed (SMS) Tab

For more information about the SMS function, see SMS description (see page 35).

Code    Name/Description    Adj. Range    Factory Setting
SMS     [Safe Maximum Speed]
SMSA    [SMS Activation]    [No]
    NO      [No]: SMS function is not active.
    Yes     [Yes]: SMS function is active.
    This parameter is used to configure the channel used to trigger the SMS function.
SMLS    [SMS Assignment]    [NO]
    This parameter is used to select the safe maximum speed limit.
    NO      [No]: [SMS Low Limit] SMLL is selected as the safe maximum speed limit.
    L34     [DI3 and DI4]
            • If digital inputs 3/4 are in low state (0), [SMS Low Limit] SMLL is selected as the safe maximum speed limit.
            • If digital inputs 3/4 are in high state (1), [SMS High Limit] SMLH is selected as the safe maximum speed limit.
    L56     [DI5 and DI6]
            • If digital inputs 5/6 are in low state (0), [SMS Low Limit] SMLL is selected as the safe maximum speed limit.
            • If digital inputs 5/6 are in high state (1), [SMS High Limit] SMLH is selected as the safe maximum speed limit.
SMLL    [SMS Low Limit]    0...599 Hz    0 Hz
    This parameter is used to set the lower speed limit.
SMLH    [SMS High Limit]    0...599 Hz    0 Hz
    This parameter is used to set the higher speed limit.

Guard Door Locking (GDL) Tab

For more information about the GDL function, see GDL description (see page 37).

Code    Name/Description    Adj. Range    Factory Setting
GDL     [Guard Door Locking]
GDLA    [GDL Assignment]    [No]
    nO      [No]: Guard door locking is not assigned
    Yes     [Yes]: Guard door locking is assigned
    NOTE: GDLA can be set to [yes] only if LO1 parameter is set to [NO].
    This parameter is used to configure the channel used to trigger the GDL function.
GLLD    [GDL Long Delay]    1...3600 s    1 s
    This parameter is used to set the long delay for triggering the safety function GDL.
    Maximum delay after STO function activation or normal deceleration ramp command to stop the machine.
    NOTE: GDL long delay should be greater than GDL short delay.
GLSD    [GDL Short Delay]    1...3600 s    1 s

    This parameter is used to set the short delay for triggering the safety function GDL.
    Maximum delay after SS1 ramp to stop the machine.

Input/Output Configuration

The figure shows the Input/Output tab:

Code    Name/Description    Adj. Range    Factory Setting
IO      [Input/Output]
LIdt    [DI debounce time]    0...2000 ms    50
    In most cases, the two digital inputs in a pair used for a safety function (DI3-DI4 or DI5-DI6 or STO-DI3) will not be 100% synchronized. They will not change state at the same time. There is a small delta between the two digital input transitions.
    LIdt is the parameter used to set this delta. If the two digital inputs change state with a delta lasting less than LIdt, it is considered to be a simultaneous transition of the digital inputs. If the delta lasts longer than LIdt, the drive considers that the digital inputs are no longer synchronized and a detected error is triggered.
LIrt    [DI response time]    0...50 ms    0
    This parameter is used to filter short impulses on the digital input (only for DI3-DI4 or DI5-DI6, STO not concerned). Some applications send short impulses on the line to test it. This parameter is used to filter these short impulses. Commands are only taken into account if the duration is longer than LIrt. If the duration is shorter, the drive considers that there is no command: the command is filtered.

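The LIdt and LIrt timing rules described above, modelled for one input pair. This is an added example, not code from the manual or from Schneider Electric; the edge-list representation, the function names and the event labels request/release are assumptions made for the illustration. It also assumes that a delta exactly equal to LIdt is still accepted and that accepted edges are not delayed by the filter, neither of which the text specifies.

```python
# Added illustration (not Schneider Electric code): one safety input pair,
# e.g. DI3-DI4. A channel is a list of (time_ms, level) edges starting at
# t=0, levels alternating between 1 (high) and 0 (low). All data below is
# constructed.

def filter_short_pulses(edges, lirt_ms):
    """LIrt: keep a level only if it is held longer than lirt_ms."""
    kept = [edges[0]]
    i = 1
    while i < len(edges):
        t, level = edges[i]
        held_until = edges[i + 1][0] if i + 1 < len(edges) else float("inf")
        if held_until - t <= lirt_ms:
            i += 2                      # drop the pulse and its return edge
            continue
        if level != kept[-1][1]:
            kept.append((t, level))
        i += 1
    return kept

def level_at(edges, t):
    """Level of a channel at time t."""
    level = edges[0][1]
    for when, value in edges:
        if when <= t:
            level = value
    return level

def evaluate_pair(ch_a, ch_b, lidt_ms, lirt_ms=0):
    """Return [(time_ms, event)] for the pair; stops at the first detected error."""
    a = filter_short_pulses(ch_a, lirt_ms)
    b = filter_short_pulses(ch_b, lirt_ms)
    times = sorted({t for t, _ in a + b})
    events, agreed, mismatch_since = [], level_at(a, 0), None
    for i, t in enumerate(times):
        la, lb = level_at(a, t), level_at(b, t)
        if la == lb:
            mismatch_since = None
            if la != agreed:            # both inputs reached the new state
                agreed = la
                events.append((t, "request" if la == 0 else "release"))
            continue
        if mismatch_since is None:
            mismatch_since = t
        next_edge = times[i + 1] if i + 1 < len(times) else float("inf")
        if next_edge - mismatch_since > lidt_ms:   # delta longer than LIdt
            events.append((mismatch_since + lidt_ms, "detected error"))
            break
    return events

HIGH = [(0, 1)]
IN_SYNC = evaluate_pair(HIGH + [(100, 0)], HIGH + [(120, 0)], lidt_ms=50)
OUT_OF_SYNC = evaluate_pair(HIGH + [(100, 0)], HIGH + [(180, 0)], lidt_ms=50)
TEST_PULSE = HIGH + [(200, 0), (202, 1)]            # 2 ms line-test pulse
UNFILTERED = evaluate_pair(TEST_PULSE, TEST_PULSE, lidt_ms=50, lirt_ms=0)
FILTERED = evaluate_pair(TEST_PULSE, TEST_PULSE, lidt_ms=50, lirt_ms=5)

if __name__ == "__main__":
    for name in ("IN_SYNC", "OUT_OF_SYNC", "UNFILTERED", "FILTERED"):
        print(name, globals()[name])
```

With LIrt = 0 the 2 ms test pulse is read as a request followed by a release; with LIrt = 5 ms it produces no event at all.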
Password Configuration - Modify Password

This function allows you to modify the configuration password in the drive.
To modify the configuration password:

Step    Action
1       In the Safety Functions tab, click the Modify Password button.
        Result: opens the Modify Configuration Password dialog box.
2       In the Modify Configuration Password dialog box:
        • Type the existing configuration password in the Enter Current Password box
        • Type the new configuration password in the Enter New Password box
        • Retype the new configuration password in the Confirm New Password box
        • Click Ok
        NOTE: The password typed in the Enter New Password box and the Confirm New Password box should be the same.
        NOTE: Your password:
        • Should contain only a numeric value; choose a value between 1...9999.
        • Should not exceed 4 digits.
        • Should not have the value 0.
        Result: modifies the configuration password.

Password Configuration - Reset Password

If you cannot remember the configuration password defined in the drive, you need to know the universal
password to reset the drive. To obtain this password, contact your Schneider Electric representative.
After this operation, the device reverts to no defined configuration password and the session is
automatically closed.
However, the function configuration remains unchanged.

Reset Configuration
This function is used to reset the configuration of the safety function to the factory settings.
To access the function, click the Reset Configuration button in the Safety Functions tab.
First enter the password, then confirm your choice.
After this action, all safety-related parameters are set to factory settings.
Visualization and Status of Safety Functions

Code    Name/Description

MON- [Monitoring] menu - Visible on SoMove and keypad
StFr    [Stator Frequency]
    Displays the estimated stator frequency in Hz.
SDIF    [Stator Freq Consist]
    Stator Frequency Consistency.
    Displays the difference between the estimated stator frequency and the internal computed stator frequency in Hz.

SAF- [MONIT. SAFETY] menu - Visible on SoMove and keypad
StOS    [STO status]
    Status of the Safe Torque Off safety function
    IdLE    [IdLE]: STO not in progress
    StO     [Safe torque off]: STO in progress
    FLt     [Fault]: STO in detected error
SLSS    [SLS status]
    Status of the Safely limited speed safety function
    nO      [Not config]: SLS not configured
    IdLE    [IdLE]: SLS not in progress
    SSI     [Safe stop 1]: SLS ramp in progress
    StO     [Safe torque off]: SLS safe torque off request in progress
    FLt     [Fault]: SLS in detected error
    WAIt    [wAIT]: SLS waiting for activation
    Strt    [Started]: SLS in transient state
SMSS    [SMS status]
    Status of the Safe Maximum Speed safety function
    nO      [Not Set]: SMS is not configured
    SMS     [Active]: SMS is in active state
    FTI     [Internal Err.]: SMS in internal detected error
    FTO     [Max Speed]: SMS in overspeed detected error
GDLS    [GDL status]
    Status of the guard door locking safety function
    nO      [Not Set]: GDL is not configured
    OFF     [Inactive]: GDL is in inactive state
    STD     [Short delay]: GDL in short delay state
    LGD     [Long delay]: GDL in long delay state
    ON      [Active]: GDL is in active state
    FLT     [Internal Err.]: GDL in internal detected error
SS1S    [SS1 status]
    Status of the Safe Stop 1 safety function
    nO      [Not config]: SS1 not configured
    IdLE    [IdLE]: SS1 not in progress
    SSI     [Safe stop 1]: SS1 ramp in progress
    StO     [Safe torque off]: SS1 Safe Torque Off request in progress
    FLt     [Fault]: SS1 in detected error

SAF- [MONIT. SAFETY] menu - Visible ONLY on SoMove
SFtY    [Safety drive status]
    Safety function status of the drive
    IStd    [Standard drive]: Standard product without safety function configured
    SAFE    [Safety drive]: product with at least 1 safety function configured

Copying Safety Related Configuration from Device to PC and from PC to Device

Overview
This feature is used to copy/paste the tested safety-related configuration to several drives.
This feature allows you to:
• identify the unique safety-related configuration on the drive
• copy the safety-related configuration file from drive to PC
• copy the safety-related configuration file from PC to drives

Architecture
The figure shows the architecture for copying the safety-related configuration from device to PC and PC
to device:

Identify Unique Safety Related Configuration


The identification of the safety-related configuration is done by using a CRC, calculated using all
safety-related parameters.
You can get the CRC value from the My Device tab. Note down the CRC value after the drive is fully tested.

Copy from Device to PC

To copy a configuration file from device to PC:

Step    Action
1       In the Safety Functions tab, click the Copy from DEVICE to PC button.
        Result: opens the Copy from Device to PC dialog box.
2       Type the configuration password in the Enter configuration Password box, click Ok.
        Result: Displays the CRC1 value.
3       Note the CRC1 value, click Save.
        Result: opens the Save File... window.
4       In the Save File... window:
        • Select/create the folder
        • Type the name of the file in the File name box
        • Click Save
        Result: Safety-related Parameters Successfully saved message appears on the screen, which confirms that the file has been saved successfully in the desired path.

NOTE:
You cannot copy the configuration from device to PC if:
• the motor is powered.
• a function block is in Run state.
• the function Forced Local is active.
• a safety function is triggered.

Copy from PC to Device

To copy a file from PC to device:

Step    Action
1       In the Safety Functions tab, click the Copy from PC to DEVICE button.
        Result: Warning box appears, read the following instruction before proceeding with copy from PC to device operation.
2       Click Ok.
        Result: Opens the Open File... window.
3       In the Open File... window:
        • Select the .sfty file
        • Click Open
        Result: Displays the CRC1 value.
4       Verify whether the CRC1 value is the same as the CRC1 value noted while copying the configuration from device to PC. If both CRC1 values are the same, then click Continue.
        Result: Opens the Copy from PC to Device dialog box.
5       Type the password (49157) in the Enter copy password box, click Ok.
        Result: Configuration is successfully copied from PC to device. A commissioning test must be done on the safety function.

NOTE:
You cannot copy the configuration from PC to device if:
• the motor is powered.
• a function block is in Run state.
• the function Forced Local is active.
• the configuration of the safety function is already present in the device.

Machine Signature

Overview
The purpose of the test is to verify proper configuration of the defined safety functions and test
mechanisms and to examine the response of dedicated monitoring functions to explicit input of values
outside the tolerance limits.
The test must cover all drive-specific Safety configured monitoring functions and global Safety integrated
functionality in ATV320.

Condition Prior to Acceptance Test

• The machine is wired up correctly.
• All safety-related devices such as protective door monitoring devices, light barriers, and emergency stop switches are connected and ready for operation.
• All motor parameters and command parameters must be correctly set on the drive.

Acceptance Test Process

The acceptance test is configured with SoMove software.

Step 1
    Action: Select the Device → Safety Function → Machine Signature menu and follow the five steps below.

Step 2: General Information
    Action: To add this step to the final report select Add to the machine signature. Click Next.
    Comment: The information displayed here corresponds to the Identification section in the Safety Functions tab.

Step 3: Function Summary
    Action: To add a function to the final report select Add to the machine signature. Click Next.
    Comment: This step is composed of sub-steps. Each sub-step relates to one of the following safety functions:
    • STO
    • SLS
    • SS1
    In a function sub-step, the function diagram and parameter values are displayed.
    A text box allows you to enter additional text in this step.

Step 4: I/O Summary
    Action: To add a function to the final report select Add to the machine signature. Click Next.
    Comment: The information displayed here corresponds to the Digital Input summary folder of the Safety Functions tab:
    • The digital inputs that are assigned to a safety function are displayed in red and show the related safety function.
    • The digital inputs that are not assigned to a safety function do not show any assignment and are displayed in green.

Step 5: Test
    Action: To add a function to the final report select Add to the machine signature. Click Next.
    Comment: In this step, you tick the box when you have tested the safety functions to confirm that you have verified the correct behavior of the functions for all devices.

Step 6: Key
    Action: Click Finish to create the report.
    Comment: The checksum of the safety-related configuration is displayed as it is calculated for transmission to the connected device when you click Apply. This allows you to compare the checksum value with the one displayed in the identification menu on the graphic display terminal.

Acceptance Report

SoMove creates the acceptance report.
This function provides a final report when one or several safety functions have been configured and
verified. This report is deemed to be a machine signature and certifies that all the safety functions are
operational. The acceptance report has been added as an optional document to be printed to a printer or
to a PDF file.
If the drive configuration is modified (not only applicable on the safety related parameters), you must
repeat the acceptance test.


Chapter 9 Services and Maintenance

What Is in This Chapter?

This chapter contains the following topics:
• Maintenance
• Power and MCU Replacement
• Changing Machine Equipment

Maintenance

Overview
By way of preventive maintenance, the Safety functions must be activated at least once a year. The drive
power supply must be turned off and then on again before carrying out this preventive maintenance. The
drive digital output signals cannot be considered to be safety-related signals. Install interference
suppressors on all inductive circuits near the drive or coupled to the same circuit (relays, contactors,
solenoid, valves, etc.).
NOTE: For more product information, see the installation manual and programming manual on
www.schneider-electric.com.

Power and MCU Replacement

Overview
You can replace the MCU (Motor Control Unit) part (APP + HMI card) and the power part.
Depending on the drive configuration (safety function active or not), the drive response will differ.
If you replace the power and you keep your MCU, you won't lose the configuration of the safety functions
but you need to repeat the Acceptance Test to avoid incorrect wiring or incorrect behavior of the safety
function.
If you replace the MCU you will lose your safety-related configuration. You need to reinstall your
Configuration on the new MCU and then repeat the Acceptance Test.
NOTE: For more product information, see the installation manual and programming manual on
www.schneider-electric.com.

Changing Machine Equipment

Overview
If you need to change any part of the drive system (Motor, Emergency stop, etc.) you must repeat the
Acceptance Test.
NOTE: For more product information, see the installation manual and programming manual on
www.schneider-electric.com.

ATV320_Safety_Function_manual_EN_NVE50467_03 www.schneider-electric.com/contact
04/2019
