Festo CMMT-AS-C2-3A-...-S1 Series Скачать руководство пользователя страница 4

Страница: 4 / 16

5.3

Safety sub-functions

5.3.1

Function and application

The servo drive CMMTAS...S1 has the following safetyrelated performance fea
tures:
–

Safe torque off (STO)

–

Safe brake control (SBC)

–

Safe stop 1 (SS1) with use of a suitable external safety relay unit and appro
priate wiring of the servo drive

–

Diagnostic outputs STA and SBA for feedback of the active safety subfunc
tion

5.3.2

Safety sub-function STO

Function and application of STO

The safety subfunction STO switches off the driver supply for the power semicon
ductor, thus preventing the power output stage from supplying the energy
required by the motor. The power supply to the drive is safely disconnected when
the safety subfunction STO is active. The drive cannot generate torque and so
cannot perform any hazardous movements. With suspended loads or other
external forces, additional measures must be taken to prevent movements being
performed (e.g. mechanical clamping units). In the STO state, the standstill posi
tion is not monitored.
The machines must be stopped and locked in a safe manner. This especially
applies to vertical axes without automatic locking mechanics, clamping units or
counterbalancing.

NOTICE!

If there are multiple errors in the servo drive, there is a danger that the drive will
move. Failure of the servo drive output stage during the STO status (simultaneous
short circuit of 2 power semiconductors in different phases) may result in a lim
ited detent movement of the rotor. The rotation angle/travel corresponds to a
pole pitch. Examples:
•

Rotating motor, synchronous machine, 8pin

Movement

45° at the motor

shaft

•

Linear motor, pole pitch 20 mm

Movement

20 mm at the moving part

STO request

The safety subfunction STO is requested on 2 channels by simultaneously switch
ing off the control voltage at both control inputs #STOA and #STOB.

STO feedback via STA diagnostic contact

The status of the safety subfunction STO can be reported to the safety relay unit
via the STA diagnostic output.
The STA diagnostic output indicates whether the safe status has been reached for
the safety subfunction STO. The STA diagnostic output switches to high level
only when STO is active on 2 channels via the control inputs #STOA and #STOB.

#STO-A

#STO-B

STA

Low level

High level

Low level

High level

Low level

High level

Low level

High level

Low level

Tab. 7 Level of STA
If protective functions are triggered on both channels (STOA and STOB), e.g. if
the voltage at STOA and STOB is too high, the internal protective functions
switch off and STA likewise delivers a high level signal.
Recommendation: The safety relay unit should check the status of the diagnostic
output whenever there is a STO request. The level of STA must change according
to the logic table. The safety relay unit can cyclically test the signals #STOA and
#STOB for high level with low test pulses and for low level with high test pulses.

5.3.3

Safety sub-function SBC

Function and application of SBC

The safety subfunction SBC provides safe output signals for the control of brakes
(holding brakes or clamping units). The brakes are controlled on 2 channels by
switching off the voltage at the following outputs:
–

Safe output BR+/BR– [X6B] for the holding brake of the motor

–

Safe output BREXT/GND [X1C] for the external brake/clamping unit

The holding brake and/or clamping unit engage and slow the motor or axis. The
purpose of this is to slow down dangerous movements by mechanical means. The
braking time is dependent on how quickly the brake engages and how high the
energy level is in the system.
The use of

just one brake

is only possible when performance requirements are

low

Tab. 49 Safety reference data for the safety subfunction SBC. To do this,

connect the brake either to BR+/BR–

to BREXT.

NOTICE!

If there are suspended loads, they usually drop if SBC is requested simultan
eously with STO. This can be traced back to the mechanical inertia of the holding
brake or clamping unit and is thus unavoidable. Check whether safety subfunc
tion SS1 is better suited to your application.

SBC may only be used for holding brakes or clamping units which engage in the
deenergised state. Ensure the lines are installed in a protected manner.

SBC request

The safety subfunction SBC is requested on 2 channels by simultaneously switch
ing off the control voltage at both control inputs #SBCA and #SBCB:

–

The #SBCA request switches off the power to the signals BR+/BR.

–

The #SBCB request switches off the power to the signal BREXT.

In the event of a power failure in the logic voltage supply of the servo drive, power
is also cut off to the brake outputs.

SBC feedback via SBA diagnostic contact

The 2channel switching of the brake is indicated via the SBA output. SBA is used
to report the status of the safety subfunction SBC for diagnostic purposes,
e.g. by reporting it to an external safety relay unit.
The SBA diagnostic output indicates whether the safe status has been reached for
the safety subfunction SBC. It is set if the following two conditions are fulfilled:
–

Switching off of both brake outputs is requested (#SBCA = #SBCB = low
level)

–

The internal diagnostic functions have determined that there is no internal
error and both brake outputs are deenergised (switched off).

Testing the safety sub-function SBC

Test inputs #SBCA and #SBCB separately from each other and together. The dia
gnostic feedback may only be set to high level when inputs #SBCA and #SBCB
are both requested. If the signal behaviour does not correspond to expectations,
the system must be put into a safe condition within the reaction time. It is essen
tial that time monitoring be provided in the safety relay unit.
The safety subfunction SBC with feedback via SBA must be tested at least 1x
within the space of 24 h.
•

Test SBA feedback based on the SBCA and SBCB level according to the fol
lowing table.

#SBC-A (BR+)

#SBC-B (BR-Ext)

SBA

Low level

High level

Low level

High level

Low level

High level

Low level

High level

Low level

Tab. 8 Testing all SBC levels
While you are testing the safety subfunction SBC, discrepancy error detection
may be activated in the CMMTAS if the test lasts longer than 200 ms. If a corres
ponding error message is output by the basic unit, you will need to acknowledge
it.

Evaluation of SBA

Recommendation: Evaluation with every actuation.
•

Check SBA feedback whenever there is a request.

Requirements for the brake

Requirements for the brake

Description Safety subfunction

Brake test

•

Check whether a brake test is required. The DGUV information sheet “Gravity
loaded axis” provides information on this.

5.3.4

Safety sub-function SS1

Together with a suitable safety relay unit, the following can be achieved:
–

Safe stop 1 time controlled (SS1t); triggering of motor deceleration and, after
an applicationspecific time delay, triggering of the safety subfunction STO

Safety subfunction SS1

Description Safety subfunction

5.3.5

Error exclusion

Put suitable measures in place to prevent wiring errors:
–

Exclude wiring errors in accordance with EN 6180052

–

Configure the safety relay unit to monitor the outputs and wiring up to the
servo drive

5.3.6

Safety relay unit

Use suitable safety relay units with the following characteristics:
–

2channel outputs with
–