Ä.,4zä EDS94AYAD .
Please read these instructions and the documentation of the standard device before you start working! Observe the safety instructions given therein!
Safety engineering 1 1.1 Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1.2 Drive-based safety with L-force | 9400 . . . . . . . . . . . . . . . . . . . . 1.1.3 Terms and abbreviations of the safety engineering . . . . . . . . . . 1.1.4 Important notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.
Safety engineering Basics Introduction 1.1 Basics 1.1.1 Introduction 1 1.1 1.1.1 With increasing automation, protection of persons against hazardous movements is becoming more important. Functional safety describes the measures needed by means of electrical or electronic equipment to reduce or remove danger caused by failures. During normal operation, safety equipment prevents people accessing hazardous areas. In certain operating modes, e.g.
1 1.1 1.1.3 1.1.3 1.1-2 Safety engineering Basics Terms and abbreviations of the safety engineering Terms and abbreviations of the safety engineering Abbreviation 9400 EC_S0 EC_S1 EC_S2 EC_FS Cat.
Safety engineering Basics Important notes 1.1.4 1 1.1 1.1.
1 1.1 1.1.5 Safety engineering Basics Safety instructions 1.1.5 Safety instructions 1.1.6 Application as directed The safety modules SMx (E94AYAx) may only be used together with Lenze drive controllers of the L-force | 9400 (E94A...) series. Any other use shall be deemed inappropriate! Installation/commissioning ƒ Only skilled personnel are permitted to install and commission the safety functions. ƒ All control components must comply with the demands of the hazard and risk analysis.
Safety engineering Basics Hazard and risk analysis Residual hazards 1 1.1 1.1.7 In case of a short-circuit of two power transistors a residual movement of the motor of up to 180 °/number of pole pairs may occur! (Example: 4-pole motor ⇒residual movement max. 180 °/2 = 90 °) This residual movement must be considered in the risk analysis, e.g. safe torque off for main spindle drives. 1.1.7 Hazard and risk analysis This documentation can only accentuate the need for a hazard analysis.
1 1.1 1.1.9 Active sensors Safety engineering Basics Overview of sensors Active sensors are units with two-channel semiconductor outputs (OSSD outputs). Drive-based safety integrated in this device series allows for test pulses < 1 ms to monitor the outputs and cables. P/N-switching sensors switch the positive and negative cable or signal and earth cable of a sensor signal. The outputs must switch simultaneously.
Safety engineering Device modules Slot 1.2 Device modules 1.2.1 Slot 1 1.2 1.2.1 The slot for the safety modules is marked in the documentation with M4. It is the lowest slot in the controller (see overview). 1.2.1.1 Mounting E94AYAX001 1.2.1.2 Dismounting E94AYCXX001H 1.2.1.3 Module exchange Every module exchange is detected by the basic device and documented in a logbook. When the module is replaced by the same type no restrictions arise.
1 Safety engineering 1.2 1.2.2 1.2.2 Device modules Function mode of the safety modules Function mode of the safety modules C00214 The code C00214 must comply with the plug-in safety module type so that the controller is able to operate. Disconnecting paths The transmission of the pulse width modulation is safely (dis-)connected by the safety module. Hence the drivers do not create a rotating field. The motor is safely switched to torqueless operation (STO).
Safety engineering Device modules Safety module SM300 1.2.3 Safety module SM300 1.2.3.1 Overview 1 1.2 1.2.3 The type designation of the safety module is E94AYAD.
1 1.2 1.2.3 1.2.3.3 Safety engineering Device modules Safety module SM300 Elements of the module SSP94SM317 Fig. 1.2-2 Pos. X82.1 X82.2 X82.3 X82.4 Displays Pos. MS EN Module view Description PROFIsafe target address switch (on the left housing side) Pluggable terminal strips for input and output signals Colour Green Yellow State Description On Drive-based safety is initialised faultlessly. Blinking Drive-based safety is initialised faultlessly.
Safety engineering Device modules Safety module SM300 Terminal assignment X82.1 Labelling 1 1.2 1.2.3 Description n. c. n. c. n. c. n. c. n. c. This terminal strip is not assigned. n. c. n. c. n. c. n. c. X82.2 Labelling Description - GND external supply + 24 V external supply via a safely separated power supply unit (SELV/PELV) n. c. n. c. n. c. This part of the terminal strip is not assigned. n. c. X82.3 X82.
1 1.2 1.2.3 Safety engineering Device modules Safety module SM300 Cable cross-sections and tightening torques [mm2] Type 1.2.3.4 Wire end ferrule, insulated 0.25 ... 0.5 Rigid 0.14 ... 1.5 [Nm] Spring terminal AWG [lb-in] 24 ... 20 Spring terminal 26 ... 16 Technical data The inputs are isolated and designed for a low-voltage supply of 24 V DC.
Safety engineering 1 Device modules Safety module SM300 1.2.3.6 1.2 1.2.3 Test certificate SSP94TUEV3 Fig. 1.2-3 TÜV Certificate The type test was carried out by ’TÜV Rheinland Group’ and confirmed with a certificate. EDS94AYAD EN 2.2 Contents Specifications Test institute TÜV Industrie Service GmbH, ASI area Test report 968/EL 302.01/05 Test fundamentals EN 954-1, EN 60204-1, EN 50178, EN 61800-3, IEC 61508 Part 1-7 Object to be examined SM300, type E94AYAD VA1.
1 1.2 1.2.4 Safety engineering Device modules Connection of safety sensors 1.2.4 Connection of safety sensors 1.2.4.1 General The following applies to the sensors of the SM300, version VA 1.xx: ƒ Sensor type and function cannot be parameterised. ƒ The sensor signals are converted into PROFIsafe bit information and transmitted to the master control for processing. A local evaluation is not carried out. ƒ Unused sensor inputs must not be connected.
Safety engineering Device modules Connection of safety sensors 1.2 1.2.4 Sensor type Specification passive active Discrepancy time 30 s Input delay 4 ms Input filter time for test pulses Repetition rate of the test pulses 0 ms 15 ms is determined by the clock outputs CLA and CLB Error response Tab. 1.
1 1.2 1.2.4 1.2.4.2 Safety engineering Device modules Connection of safety sensors Connection of passive sensors The safe sensor inputs I1A, I1B and I2A, I2B are only suitable for equivalent switching passive sensors. To monitor passive sensors according to EN 954-1, cat. 3, the clock outputs CLA and CLB must be wired. Please observe the following: ƒ The clock outputs are only suitable for monitoring the passive sensors. ƒ Always connect ... – ...
Safety engineering Device modules Connection of safety sensors 1.2.4.3 1 1.2 1.2.4 Connection of active sensors The safe sensor input I4A and I4B is suitable for an active sensor. PN-switched input signals are permissible. The line monitoring must comply with the requirements of the category 3. Drive-based safety does not provide for line monitoring. These errors are detected: ƒ Non-equivalent input signals after the discrepancy time. P IA IB GI M S SSP94SM352 Fig. 1.
1 1.2 1.2.4 1.2.4.4 Safety engineering Device modules Connection of safety sensors Connection plans SM300 E94AYAD X82.1 X82.2 24 V ext. + AIE CLA CLB S2 GCL GCL GI2 GI4 I2B I4B I2A I4A GCL S4 GI1 I1B I1A S1 X82.3 X82.4 SSP94SM350 Fig. 1.2-6 Wiring example SM300 E94AYAD S1 S2 S4 24 V ext. 1.2-12 Safety module SM300, version VA1.xx passive sensor with channel A and B Lightgrid (active sensor) 24-V voltage supply (SELV/PELV) EDS94AYAD EN 2.
Safety engineering 1 Safety functions Integration into the application of the controller 1.3 Safety functions 1.3.1 Integration into the application of the controller 1.3 1.3.1 For the use of the functions, certain settings in the controller are required. Here, the Lenze PC software »Engineer« supports and guides you. When a safety function is required, the safety technology activates the corresponding safe monitoring function.
1 1.3 1.3.
Safety engineering 1 Safety functions Error states 1.3.2 1.3 1.3.2 Error states Detected errors or maloperation of the drive are assigned to error states with definite reactions. The reaction can be co-ordinated with the complete drive via the error states. Error status Features System error Error Trouble Event Fatal internal error Error Monitoring function LED ”ME” On Blinking Flashing Status of safety module Lockout (CPU stopped) Error status The control category ...
1 1.3 1.3.2 Logbook Safety engineering Safety functions Error states Error states are saved in the logbook of the standard device. The following is entered: ƒ Decimal error number without plain text ƒ A time mark for each event The available logbook entries can be displayed in the »Engineer« when an online connection has been established. Events which cause an error status are sent as a diagnostic telegram via PROFIBUS.
Safety engineering 1 Safety functions Safe torque off 1.3.3 Safe torque off 1.3.3.1 Description 1.3 1.3.3 Safe Torque Off / STO This function corresponds to a ”Stop 0” according to EN 60204. When this function is used, the power supply of the motor is immediately safely interrupted. The motor cannot create a torque and thus no dangerous movements of the drive can occur. Additional measures, e.g. mechanical brakes are needed against movements caused by external force.
1 1.3 1.3.3 1.3.3.4 Safety engineering Safety functions Safe torque off Activation How to activate the function: ƒ A PROFIBUS data telegram with corresponding PROFIsafe contents is transmitted to the basic device ( 1.3-12). 1.3-6 EDS94AYAD EN 2.
Safety engineering Safety functions Safe stop 1 1.3.4 Safe stop 1 1.3.4.1 Description 1 1.3 1.3.4 Safe Stop 1 / SS1 This function corresponds to a ”Stop 1” according to EN 60204. When this function is used, the motor is stopped within an adjustable stopping time. The complete function sequence cannot be deactivated. When the speed n = 0 is reached or the stopping time elapses, the power supply of the motor is immediately safely interrupted (STO), depending on which event occurs first.
1 1.3 1.3.4 1.3.4.2 Safety engineering Safety functions Safe stop 1 Conditions Condition for using the function: ƒ The basic device must be equipped with a communication module E94AYCPM (PROFIBUS-DP), SW version 0.9 and connected to the PROFIBUS. ƒ The basic device must receive PROFIBUS data telegrams from a master controller. Danger! If the request for the safety function is cancelled, the drive will restart automatically.
Safety engineering Safety functions Safe PROFIsafe connection 1.3.5 Safe PROFIsafe connection 1.3.5.1 Conditions 1 1.3 1.3.5 The SM300 supports the transmission of safe information on the PROFIsafe protocol according to the specification ”PROFIsafe - Profile for Safety Technology”, Version 1.30, of the PROFIBUS Nutzerorganisation (PNO). The basic device transmits the PROFIsafe information to the SM300 for safe evaluation.
1 1.3 1.3.5 1.3.5.2 Safety engineering Safety functions Safe PROFIsafe connection Response times In order to detect the response time to a safety function the entire system must be considered. The following is relevant: ƒ Response time of the connected sensors. ƒ Input delay of the safety inputs. ƒ Internal processing time. ƒ Monitoring time for the cyclic service in the PROFIBUS. ƒ Monitoring time of the PROFIsafe in the safety PLC. ƒ Processing time in the safety PLC.
Safety engineering 1 Safety functions Safe PROFIsafe connection 1.3 1.3.5 Response time to an event in the safety sensors (PROFIsafe input data) Time interval (Fig. 1.3-1) t1 Response time of the sensors t2 Input delay of the safe inputs t3 [ms] according to manufacturer information passive sensors: 4 + 15 active sensors: 0 + 15 Processing time in drive-based safety 24 PROFIsafe input data ready for transmission to ...
1 Safety engineering 1.3 1.3.5 1.3.5.3 Safety functions Safe PROFIsafe connection Description Addressing An unambiguous PROFIsafe target address ensures that a data telegram reaches the correct node. The valid address within the range between 1 and 1023 can be set via the DIP switch . The address 0 is invalid and causes an error in the module. DIP switch Labelling Value of the address bit Tab. 1.
Safety engineering 1 Safety functions Safe PROFIsafe connection PROFIsafe data 1.3 1.3.5 In the PROFIsafe data one bit each is used to control a certain safety function. The structure of the PROFIsafe data is described in the PROFIsafe profile. The length of the PROFIsafe data (PROFIsafe message) in slot 1 permanently amounts to 8 bytes in the SM300.
1 1.3 1.3.5 Safety engineering Safety functions Safe PROFIsafe connection Control byte Only the bits specified of the PROFIsafe control byte are supported: Offset Bit Byte 7 6 5 4 3 2 1 0 4 - - - activate _FV - - - - Tab. 1.3-10 Structure of the PROFIsafe control byte Details of the control byte Name Value Description activate_FV 1 PROFIsafe input data The PROFIsafe output data is deactivated. Thus, the STO function is activated. 0 The function is deactivated.
Safety engineering 1 Safety functions Safe PROFIsafe connection Status byte 1.3 1.3.5 Only the bits specified of the PROFIsafe status byte are supported: Offset Bit Byte 7 6 5 4 - - - Tab. 1.3-14 4 3 2 FV_activate COM-Failure COM-Failure d WD-Timeout CRC 1 0 - - Structure of the PROFIsafe status byte Details of the status byte Name PROFIsafe parameters Value Description COM-Failur 0 e CRC 1 Status is not active. COM-Failur 0 e WD-Timeo 1 ut Status is not active.
1 1.3 1.3.5 Safety engineering Safety functions Safe PROFIsafe connection Diagnostic information Error number Description 64 The Profisafe target address set does not comply with the parameter F_Dest_Add. 65 The F_Dest_Add parameter has the invalid value 0x0000 or 0xFFFF. 66 The F_Source_Add parameter has the invalid value 0x0000 or 0xFFFF. 67 The F_WD_Time parameter has the invalid value 0 ms. 68 The F_SIL parameter does not have the valid value 0 ... 2.
Safety engineering Acceptance Description 1.4 Acceptance 1.4.1 Description 1 1.4 1.4.1 The machine manufacturer must check and prove the operability of the safety functions used. Inspector The machine manufacturer must authorise a person with expertise and knowledge of the safety functions to carry out the test. Protocol The test result of every safety function must be documented and signed.
EDS94AYAD 2.2 10/2006 © 2006 TD14 Lenze Drive Systems GmbH Hans-Lenze-Straße 1 D-31855 Aerzen Germany +49 (0) 51 54 82-0 Service 00 80 00 24 4 68 77 (24 h helpline) ¬ Service +49 (0) 51 54 82-1112 E-Mail Internet Lenze@Lenze.de www.Lenze.
