The following safety functions are integrated in ACOPOSmulti inverter modules with SafeMC, and the following safety levels can be achieved using them:

| Safety function | EN ISO 13849-1 | EN 61508 / EN 62061 | Safe encoder evaluation required? |
|---|---|---|---|
| Safe Torque Off (STO) | PL e | SIL 3 | No |
| Safe Operation Stop (SOS) | PL d | SIL 2 | Yes |
| Safe Stop 1 (SS1) | PL e (time monitored) / PL d | SIL 3 (time monitored) / SIL 2 | No (time monitored) / Yes |
| Safe Stop 2 (SS2) | PL d | SIL 2 | Yes |
| Safely Limited Speed (SLS) | PL d | SIL 2 | Yes |
| Safe Maximum Speed (SMS) | PL d | SIL 2 | Yes |
| Safe Direction (SDI) | PL d | SIL 2 | Yes |
| Safe Limited Increment (SLI) | PL d | SIL 2 | Yes |
| Safe Brake Control (SBC) | PL e | SIL 3 | No |

STO - Safe Torque Off

Safe Torque Off (STO) is the state in which the drive motor is no longer supplied with power (i.e. free of torque and force). The power supply to the drive is safely cut off by activating safe pulse disabling. The drive cannot generate any torque and therefore cannot produce any potentially dangerous movements.
STO is made available to SafeLOGIC as an integrated safety function and can therefore be requested directly via the network. This eliminates the need for external wiring.
The STO safety function is the basis of all other safety functions. It is the implementation of the bias current fail-safe and is applied every time an error occurs.
The STO safety function corresponds to stop category 0 in accordance with EN 60204-1/11.98 and fulfills Safety Integrity Level 3 (SIL3) in accordance with EN 61508.

SOS - Safe Operating Stop

Safe Operating Stop (SOS) is the state in which safe stopping of the drive is monitored. The drive is supplied with power and can therefore generate torque and force. All control functions between the electronic controller and the drive motor are active. The axis stop is monitored using a configurable stop tolerance window. Both the position and the speed are monitored. An EnDat 2.2 safety encoder is required to safely determine the speed and position. If the stop monitoring limits are violated, safe pulse disabling is activated and the drive switches to an error state which must be confirmed.

SS1 - Safe Stop 1

During Safe Stop 1 (SS1), transition of a moving motor to standstill is monitored for safety. After decelerating, safe pulse disabling is activated and switches off the torque and power to the drive. Depending on the requirements for the safety function, either only the deceleration time or also the deceleration ramp can be monitored. If the monitoring limits are violated during deceleration, safe pulse disabling is activated immediately and an acknowledgeable error state is entered. An advantage of deceleration ramp monitoring is that, when an error occurs, the assumed remaining distance to standstill is reduced.
Safe Stop 1 (SS1) corresponds to stop category 1 in accordance with EN 60204-1/11.98 and fulfills SIL3 when time-based monitoring is used and SIL2 when speed-based monitoring is used in accordance with EN 61508.
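
The difference between time monitoring and ramp monitoring described above can be seen in a small model. This is an added illustration, not B&R or SafeMC code; the function names, the sampled speed traces and all limits (1000 mm/s start speed, 1.2 s time limit, 50 mm/s tolerance) are constructed assumptions.

```python
# Added illustration, not B&R/SafeMC code. Names, traces and limits are
# constructed assumptions. Integer units: mm/s, ms, micrometres.

def monitor_ss1(speeds_mm_s, dt_ms, t_limit_ms, ramp=None, tol_mm_s=0):
    """Walk a sampled speed trace during an SS1 request.

    Returns (outcome, time_ms, distance_um travelled before pulse disabling).
    ramp=(start_speed_mm_s, decel_mm_s2) adds ramp monitoring to time monitoring.
    """
    distance_um = 0
    for i, v in enumerate(speeds_mm_s):
        t_ms = i * dt_ms
        if v == 0:                       # standstill reached: normal SS1 end
            return ("standstill", t_ms, distance_um)
        if t_ms >= t_limit_ms:           # deceleration time exceeded
            return ("time_violation", t_ms, distance_um)
        if ramp is not None:
            v_start, decel = ramp
            # Allowed speed envelope at this instant, plus tolerance band.
            envelope = max(v_start - decel * t_ms // 1000, 0) + tol_mm_s
            if abs(v) > envelope:        # drive is above the monitored ramp
                return ("ramp_violation", t_ms, distance_um)
        distance_um += abs(v) * dt_ms    # mm/s * ms = micrometres
    return ("trace_ended", len(speeds_mm_s) * dt_ms, distance_um)

def healthy_trace():
    # Constructed: 1000 mm/s braking at 1000 mm/s^2, sampled every 10 ms.
    return [max(1000 - 10 * i, 0) for i in range(130)]

def faulty_trace():
    # Constructed fault: braking stops after 300 ms, speed stays at 700 mm/s.
    return [1000 - 10 * i if i < 30 else 700 for i in range(130)]

def compare(trace):
    """Run the same trace under time-only and time-plus-ramp monitoring."""
    limits = dict(dt_ms=10, t_limit_ms=1200)
    return {
        "time_only": monitor_ss1(trace, **limits),
        "time_and_ramp": monitor_ss1(trace, ramp=(1000, 1000), tol_mm_s=50, **limits),
    }

if __name__ == "__main__":
    for name, trace in (("healthy", healthy_trace()), ("faulty", faulty_trace())):
        print(name, compare(trace))
```

In the constructed fault, ramp monitoring trips at 360 ms after 298.5 mm of travel, while time-only monitoring trips at 1200 ms after 886.5 mm.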

SS2 - Safe Stop 2

During Safe Stop 2 (SS2), transition of a moving motor to stop is monitored for safety. Then the drive must be maintained at standstill by the standard application. As with SOS, this stop is monitored by the SafeMC module according to the configured tolerance window.
As with SS1, depending on the requirements for the safety function, either only the deceleration time or also the deceleration ramp can be monitored. If there are violations during ramp monitoring or subsequent standstill monitoring, safe pulse disabling is activated immediately and an acknowledgeable error state is entered.
Safe Stop 2 (SS2) corresponds to stop category 2 in accordance with EN 60204-1/11.98 and fulfills SIL2 in accordance with EN 61508.

SLS - Safe Limited Speed

With the SLS safety function, the drive is monitored to make sure the configurable limits for speed are not exceeded. Depending on the application, deceleration can also be monitored until the limit is reached. Depending on the requirements, either only the deceleration time or also the deceleration ramp can be monitored. If a violation is detected during monitoring of the limits for speed, safe pulse disabling is activated immediately and an acknowledgeable error state is entered.
The SLS safety function fulfills SIL2 in accordance with EN 61508.

SMS - Safe Maximum Speed

The difference between SMS and SLS is that SMS cannot be actively initiated. It is either activated or deactivated by the configuration. When activated, the current speed is constantly monitored according to a defined limit. If the limit is exceeded, safe pulse disabling is activated immediately and an acknowledgeable error state is entered.

SDI - Safe Direction

The SDI safety function monitors the defined direction of movement. If the interval is violated, safe pulse disabling is activated immediately and an acknowledgeable error state is entered. Either the positive or the negative direction can be monitored.
The safe direction function can be activated in parallel with other safety functions.
For example, SLS can be limited to a certain direction.

SLI - Safely Limited Interval

With the SLI safety function, the movement is monitored for maintaining a defined number of increments.
The safe axis must be stopped when the function is activated. A position window is established, which is monitored safely. This position window depends on the configured safe interval.
If the interval is violated, safe pulse disabling is activated immediately and an acknowledgeable error state is entered.

SBC - Safe Brake Control

Safe Brake Control (SBC) sends a safe output signal to control an external brake. The SBC integrated safety function can be requested either explicitly via SafeLOGIC or when a module error occurs. Depending on the quality of the connected brake and its wiring, SBC can fulfill SIL3 in accordance with EN 61508.
