Altivar Process

NHA80947 09/2015

Altivar Process
Variable Speed Drives
ATV930, ATV950, ATV960, ATV980

Safety Functions Manual

09/2015
NHA80947.04

www.schneider-electric.com
 The information provided in this documentation contains general descriptions and/or technical character-
istics of the performance of the products contained herein. This documentation is not intended as a
substitute for and is not to be used for determining suitability or reliability of these products for specific user
applications. It is the duty of any such user or integrator to perform the appropriate and complete risk
analysis, evaluation and testing of the products with respect to the relevant specific application or use
thereof. Neither Schneider Electric nor any of its affiliates or subsidiaries shall be responsible or liable for
misuse of the information contained herein. If you have any suggestions for improvements or amendments
or have found errors in this publication, please notify us.
No part of this document may be reproduced in any form or by any means, electronic or mechanical,
including photocopying, without express written permission of Schneider Electric.
All pertinent state, regional, and local safety regulations must be observed when installing and using this
product. For reasons of safety and to help ensure compliance with documented system data, only the
manufacturer should perform repairs to components.
When devices are used for applications with technical safety requirements, the relevant instructions must
be followed.
Failure to use Schneider Electric software or approved software with our hardware products may result in
injury, harm, or improper operating results.
Failure to observe this information can result in injury or equipment damage.
© 2015 Schneider Electric. All rights reserved.

2 NHA80947 09/2015
 Table of Contents

Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
About the Book. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Safety Function STO (Safe Torque Off) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Status of Safety Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 3 Technical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Electrical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Safety Function Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Chapter 4 Certified Architectures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Process System SF - Case 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Process System SF - Case 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Process System SF - Case 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Process System SF - Case 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Process System SF - Case 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Process System SF - Case 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Process System SF - Case 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

NHA80947 09/2015 3
4 NHA80947 09/2015
 Safety Information

Important Information

NOTICE
Read these instructions carefully, and look at the equipment to become familiar with the device before
trying to install, operate, service, or maintain it. The following special messages may appear throughout
this documentation or on the equipment to warn of potential hazards or to call attention to information that
clarifies or simplifies a procedure.

PLEASE NOTE
Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel.
No responsibility is assumed by Schneider Electric for any consequences arising out of the use of this
material.
A qualified person is one who has skills and knowledge related to the construction and operation of
electrical equipment and its installation, and has received safety training to recognize and avoid the
hazards involved.

Qualification Of Personnel
Only appropriately trained persons who are familiar with and understand the contents of this manual and
all other pertinent product documentation are authorized to work on and with this product. In addition, these
persons must have received safety training to recognize and avoid hazards involved. These persons must
have sufficient technical training, knowledge and experience and be able to foresee and detect potential
hazards that may be caused by using the product, by changing the settings and by the mechanical,
electrical and electronic equipment of the entire system in which the product is used. All persons working
on and with the product must be fully familiar with all applicable standards, directives, and accident
prevention regulations when performing such work.

NHA80947 09/2015 5
Intended Use
This product is a drive for three-phase synchronous and asynchronous motors and intended for industrial
use according to this manual.The product may only be used in compliance with all applicable safety
regulations and directives, the specified requirements and the technical data.Prior to using the product, you
must perform a risk assessment in view of the planned application. Based on the results, the appropriate
safety measures must be implemented.Since the product is used as a component in an entire system, you
must ensure the safety of persons by means of the design of this entire system (for example, machine
design). Any use other than the use explicitly permitted is prohibited and can result in hazards. Electrical
equipment should be installed, operated, serviced, and maintained only by qualified personnel.

Product Related Information

Read and understand these instructions before performing any procedure with this drive.

DANGER
HAZARD OF ELECTRIC SHOCK, EXPLOSION OR ARC FLASH
z Only appropriately trained persons who are familiar with and understand the contents of this manual
and all other pertinent product documentation and who have received safety training to recognize and
avoid hazards involved are authorized to work on and with this drive system. Installation, adjustment,
repair and maintenance must be performed by qualified personnel.
z The system integrator is responsible for compliance with all local and national electrical code
requirements as well as all other applicable regulations with respect to grounding of all equipment.
z Many components of the product, including the printed circuit boards, operate with mains voltage. Do
not touch. Use only electrically insulated tools.
z Do not touch unshielded components or terminals with voltage present.
z Motors can generate voltage when the shaft is rotated. Prior to performing any type of work on the
drive system, block the motor shaft to prevent rotation.
z AC voltage can couple voltage to unused conductors in the motor cable. Insulate both ends of unused
conductors of the motor cable.
z Do not short across the DC bus terminals or the DC bus capacitors or the braking resistor terminals.
z Before performing work on the drive system:
 Disconnect all power, including external control power that may be present.
 Place a Do Not Turn On label on all power switches.
 Lock all power switches in the open position.
 Wait 15 minutes to allow the DC bus capacitors to discharge. The DC bus LED is not an indicator
of the absence of DC bus voltage that can exceed 800 Vdc.
Measure the voltage on the DC bus between the DC bus terminals (PA/+, PC/-) using a properly
rated voltmeter to verify that the voltage is <42 Vdc
 If the DC bus capacitors do not discharge properly, contact your local Schneider Electric represen-
tative. Do not repair or operate the product.
z Install and close all covers before applying voltage.
Failure to follow these instructions will result in death or serious injury.

WARNING
UNEXPECTED MOVEMENT
Drive systems may perform unexpected movements because of incorrect wiring, incorrect settings,
incorrect data or other errors.
z Carefully install the wiring in accordance with the EMC requirements.
z Do not operate the product with unknown or unsuitable settings or data.
z Perform a comprehensive commissioning test.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

6 NHA80947 09/2015
 Damaged products or accessories may cause electric shock or unanticipated equipment operation.

DANGER
ELECTRIC SHOCK OR UNANTICIPATED EQUIPMENT OPERATION
Do not use damaged products or accessories.
Failure to follow these instructions will result in death or serious injury.

Contact your local Schneider Electric sales office if you detect any damage whatsoever.

WARNING
LOSS OF CONTROL
z The designer of any control scheme must consider the potential failure modes of control paths and,
for critical control functions, provide a means to achieve a safe state during and after a path failure.
Examples of critical control functions are emergency stop, overtravel stop, power outage and restart.
z Separate or redundant control paths must be provided for critical control functions.
z System control paths may include communication links. Consideration must be given to the
implications of unanticipated transmission delays or failures of the link.
z Observe all accident prevention regulations and local safety guidelines (1).
z Each implementation of the product must be individually and thoroughly tested for proper operation
before being placed into service.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

(1) For USA: Additional information, refer to NEMA ICS 1.1 (latest edition), Safety Guidelines for the
Application, Installation, and Maintenance of Solid State Control and to NEMA ICS 7.1 (latest edition),
Safety Standards for Construction and Guide for Selection, Installation and Operation of Adjustable-Speed
Drive Systems.

NOTICE
DESTRUCTION DUE TO INCORRECT MAINS VOLTAGE
Before switching on and configuring the product, verify that it is approved for the mains voltage
Failure to follow these instructions can result in equipment damage.

The metal surfaces of the product may exceed 100 °C (212 °F) during operation.

WARNING
HOT SURFACES
z Ensure that any contact with hot surfaces is avoided.
z Do not allow flammable or heat-sensitive parts in the immediate vicinity of hot surfaces.
z Verify that the heat dissipation is sufficient by performing a test run under maximum load conditions.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

NHA80947 09/2015 7
8 NHA80947 09/2015
 About the Book

At a Glance

Document Scope
The purpose of this document is to provide information about the safety function incorporated in the drive.
The drive supports the STO safety function according to the IEC 61800-5-2 standard.

Validity Note
Original instructions and information given in this manual have been written in English (before optional
translation).
This documentation is valid for the Altivar Process drives and drive systems described in the Installation
manual.
The technical characteristics of the devices described in this document also appear online. To access this
information online:

Step Action
1 Go to the Schneider Electric home page www.schneider-electric.com.
2 In the Search box type the reference of a product or the name of a product range.
z Do not include blank spaces in the reference or product range.
z To get information on grouping similar modules, use asterisks (*).

3 If you entered a reference, go to the Product Datasheets search results and click on the reference that
interests you.
If you entered the name of a product range, go to the Product Ranges search results and click on the
product range that interests you.
4 If more than one reference appears in the Products search results, click on the reference that interests
you.
5 Depending on the size of your screen, you may need to scroll down to see the data sheet.
6 To save or print a data sheet as a .pdf file, click Download XXX product datasheet.

The characteristics that are presented in this manual should be the same as those characteristics that
appear online. In line with our policy of constant improvement, we may revise content over time to improve
clarity and accuracy. If you see a difference between the manual and online information, use the online
information as your reference.

Related Documents
Use your tablet or your PC to quickly access detailed and comprehensive information on all our products
on www.schneider-electric.com
The internet site provides the information you need for products and solutions
z The whole catalog for detailed characteristics and selection guides
z The CAD files to help design your installation, available in over 20 different file formats
z All software and firmware to maintain your installation up to date
z A large quantity of White Papers, Environment documents, Application solutions, Specifications... to
gain a better understanding of our electrical systems and equipment or automation
z And finally all the User Guides related to your drive, listed below:

Title of Documentation Reference Number

Altivar Process ATV900 Getting Started NHA61578 (English), NHA61579 (French),
NHA61580 (German), NHA61581 (Spanish),
EAV61724 (Italian), NHA61583 (Chinese)
Altivar Process ATV900 Getting Started Annex (SCCR) NHA61584 (English)
Altivar Process ATV960 Configuration guide / Handbook NHA37115 (English), NHA37114 (German)
Altivar Process ATV980 Configuration guide / Handbook NHA37117 (English), NHA37116 (German)

NHA80947 09/2015 9
 Title of Documentation Reference Number
Altivar Process Drive Systems – Installation manual NHA37119 (English), NHA37121 (French),
NHA37118 (German), NHA37122 (Spanish),
NHA37123 (Italian), NHA37130 (Chinese),
NHA37124 (Dutch), NHA37126 (Polish),
NHA37127 (Portuguese), NHA37128
(Russian), NHA37129 (Turkish),
Altivar Process ATV930, ATV950, ATV960 Installation Manual NHA80932 (English), NHA80933 (French),
NHA80934 (German), NHA80935 (Spanish),
NHA80936 (Italian), NHA80937 (Chinese)
Altivar Process ATV930, ATV950, ATV960 Programming Manual NHA80757 (English), NHA80758 (French),
NHA80759 (German), NHA80760 (Spanish),
NHA80761 (Italian), NHA80762 (Chinese)
Altivar Process ATV900 Modbus Serial Link Manual (Embedded) NHA80939 (English)
Altivar Process ATV900 Ethernet Manual (Embedded) NHA80940 (English)
Altivar Process ATV900 PROFIBUS DP manual (VW3A3607) NHA80941 (English)
Altivar Process ATV900 DeviceNet manual (VW3A3609) NHA80942 (English)
Altivar Process ATV900 PROFINET manual (VW3A3627) NHA80943 (English)
Altivar Process ATV900 CANopen Serial Link Manual (VW3A3608, NHA80945 (English)
618, 628)
Altivar Process ATV900 EtherCAT manual - VW3A3601 NHA80946 (English)
Altivar Process ATV900 Communication Parameters NHA80944 (English)
Altivar Process ATV900 Service Instructions NHA80954 (English)
Altivar Process ATV900 Safety Functions manual NHA80947 (English), NHA80948 (French),
NHA80949 (German), NHA80950 (Spanish),
NHA80951 (Italian), NHA80953 (Chinese)

You can download these technical publications and other technical information from our website at
http://download.schneider-electric.com

Terminology
The technical terms, terminology, and the corresponding descriptions in this manual normally use the
terms or definitions in the relevant standards.
In the area of drive systems this includes, but is not limited to, terms such as error, error message, failure,
fault, fault reset, protection, safe state, safety function, warning, warning message, and so on.
Among others, these standards include:
z IEC 61800 series: Adjustable speed electrical power drive systems
z IEC 61508 Ed.2 series: Functional safety of electrical/electronic/programmable electronic safety-related
z EN 954-1 Safety of machinery - Safety related parts of control systems
z EN ISO 13849-1 & 2 Safety of machinery - Safety related parts of control systems.
z IEC 61158 series: Industrial communication networks - Fieldbus specifications
z IEC 61784 series: Industrial communication networks - Profiles
z IEC 60204-1: Safety of machinery - Electrical equipment of machines – Part 1: General requirements

In addition, the term zone of operation is used in conjunction with the description of specific hazards, and
is defined as it is for a hazard zone or danger zone in the EC Machinery Directive (2006/42/EC) and in
ISO 12100-1.

EC Declaration of Conformity
The EC Declaration of Conformity can be obtained on www.schneider-electric.com

10 NHA80947 09/2015
Certification for functional safety
The integrated safety function is compatible and certified following IEC 61800-5-2 Ed.1 Adjustable speed
electrical power drive systems – Part 5-2 : Safety requirements – Functional
IEC 61800-5-2 as a product standard, sets out safety-related considerations of Power Drive Systems
Safety Related PDS (SR) s in terms of the framework of IEC 61508 series Ed.2 of standards.
Compliance with IEC 61800-5-2 standard, for the following described safety function, will facilitate the
incorporation of a PDS(SR) (Power Drive System with safety-related functions) into a safety-related control
system using the principles of IEC 61508, 60204 or the ISO 13849-1, as well as the IEC 62061 for process-
systems and machinery.
The defined safety function is
z SIL 3 capability in compliance with IEC 61800-5-2 and IEC 61508 series Ed.2
z Performance Level e in compliance with ISO 13849-1
z Compliant with the Category 3 and 4 of European standard ISO 13849-1

Also refer to Safety function capability.

The safety demand mode of operation is considered in high demand or continuous mode of operation
according to the IEC 61800-5-2 standard.
The certificate for functional safety is accessible on www.schneider-electric.com

NHA80947 09/2015 11
12 NHA80947 09/2015
 Altivar Process

NHA80947 09/2015

Chapter 1
Overview

Overview

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Definitions 14
Basics 15

NHA80947 09/2015 13
Definitions

Safety Function In Altivar Process

The safety function incorporated in Altivar Process, helps to detect unsafe conditions of the installation and
prevent hazardous conditions arising at the installation.
In some cases, further safety-related systems external to the drive (for example a mechanical brake) may
be necessary to maintain the safe condition when electrical power is removed.
Safety integrated function provides the following benefits:
z Replacement of external safety-related equipment
z Reduced wiring efforts and space requirements
z Reduced costs

The Altivar Process drives are compliant with normative requirements to implement the safety function.

STO (Safe Torque Off)

No power that could cause torque or force is supplied to the motor.

Notation
The graphic display terminal menus and parameters are shown in square brackets, with capital letters for
the menus and lowercase characters for the parameters.
Example: [COMMUNICATION]
Example: [Fallback speed]

14 NHA80947 09/2015
Basics

Functional Safety
Automation and safety engineering are two areas that were completely separate in the past but have
recently become more and more integrated.
The engineering and installation of complex automation solutions are greatly simplified by integrated safety
functions.
Usually, the safety engineering requirements depend on the application.
The level of requirements results from the risk and the hazard potential arising from the specific application.

IEC 61508 Standard

The standard IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related
systems covers the safety-related function.
Instead of a single component, an entire function chain (for example, from a sensor through the logical
processing units to the actuator) is considered as a unit.
This function chain must meet the requirements of the specific safety integrity level as a whole.
Systems and components that can be used in various applications for safety tasks with comparable risk
levels can be developed on this basis.

EN ISO 13849 Standard

This European Standard specifies the validation process, including both analysis and testing, for the safety
functions and categories for the safety-related parts of control systems. Descriptions of the safety functions
and the requirements for the categories are given in ISO 13849-1 which deals the general principles for
design. Some requirements for validation are general and some are specific to the technology used. EN
ISO 13849-2 also specifies the conditions under which the validation by testing of the safety-related parts
of control systems should be carried out.

SIL - Safety Integrity Level

The standard IEC 61508 defines 4 safety integrity levels (SIL) for safety functions.
SIL1 is the lowest level and SIL4 is the highest level.
A hazard and risk analysis serves as a basis for determining the required safety integrity level.
This is used to decide whether the relevant function chain is to be considered as a safety function and
which hazard potential it must cover.

PFH - Probability of a Dangerous Hardware Failure Per Hour

To maintain the safety function, the IEC 61508 standard requires various levels of measures for avoiding
and controlling detected errors, depending on the required SIL.
All components of a safety function must be subjected to a probability assessment to evaluate the
effectiveness of the measures implemented for controlling detected faults.
This assessment determined the PFH (Probability of a dangerous Failure per Hour) for a safety system.
This is the probability per hour that a safety system fails in a hazardous manner and the safety function
cannot be correctly executed.
Depending on the SIL, the PFH must not exceed certain values for the entire safety system.
The individual PFH values of a function chain are added. The result must not exceed the maximum value
specified in the standard.

Safety Probability of a dangerous Failure per Hour (PFH) at high demand or

Integrity continuous demand
Level
4 10-9 ...< 10-8
3 10-8 ...< 10-7
2 10-7 ...< 10-6
1 10-6 ...< 10-5

NHA80947 09/2015 15
PL - Performance Level
The standard IEC 13849-1 defines 5 Performance levels (PL) for safety functions.
Level a is the lowest level and e is the highest level.
Five levels (a, b, c, d, and e) correspond to different values of average probability of dangerous failure per
hour.

Performance Probability of a dangerous Hardware Failure per Hour

level
e 10-8 ...< 10-7
d 10-7 ...< 10-6
c 10-6 ...< 3*10-6
b 3*10-6 ...< 10-5
a 10-5 ...< 10-4

HFT - Hardware Fault Tolerance and SFF - Safe Failure Fraction

Depending on the SIL for the safety system, the IEC 61508 standard requires a specific hardware fault
tolerance HFT in connection with a specific proportion of safe failures SFF (Safe Failure Fraction).
The hardware fault tolerance is the ability of a system to execute the required safety function in spite of the
presence of one or more hardware faults.
The SFF of a system is defined as the ratio of the rate of safe failures to the total failure rate of the system.
According to IEC 61508, the maximum achievable SIL of a system is partly determined by the hardware
fault tolerance HFT and the safe failure fraction SFF of the system.
IEC 61508 distinguishes two types of subsystem (type A subsystem, type B subsystem).
These types are specified on the basis of criteria which the standard defines for the safety-relevant
components.

SFF HFT type A subsystem HFT type B subsystem

0 1 2 0 1 2
< 60% SIL1 SIL2 SIL3 — SIL1 SIL2
60% <... < 90% SIL2 SIL3 SIL4 SIL1 SIL2 SIL3
90% <... < 99 % SIL3 SIL4 SIL4 SIL2 SIL3 SIL4
> 99% SIL3 SIL4 SIL4 SIL3 SIL4 SIL4

Fault Avoidance Measures

Systematic errors in the specifications, in the hardware and the software, usage faults and maintenance
faults in the safety system must be avoided to the maximum degree possible. To meet these requirements,
IEC 61508 specifies a number of measures for fault avoidance that must be implemented depending on
the required SIL. These measures for fault avoidance must cover the entire life cycle of the safety system,
i.e. from design to decommissioning of the system.

16 NHA80947 09/2015
 Altivar Process

NHA80947 09/2015

Chapter 2
Description

Description

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Safety Function STO (Safe Torque Off) 18
Limitations 20
Status of Safety Function 21

NHA80947 09/2015 17
Safety Function STO (Safe Torque Off)

Overview

DANGER
ELECTRIC SHOCK CAUSED BY INCORRECT USE
The safety function STO (Safe Torque Off) does not cause electric isolation. The DC bus voltage is still
present.
z Turn off the mains voltage using appropriate switch to achieve a voltage-free condition.
Failure to follow these instructions will result in death or serious injury.

This function brings the machine safely into a no-torque state and / or prevents it from starting accidentally.
The safe torque-off (safety function STO) function can be used to effectively implement the prevention of
unexpected start-up functionality, thus making stops safe by preventing the power only to the motor, while
still maintaining power to the main drive control circuits. The principles and requirements of the prevention
of unexpected start-up are described in the standard EN 1037:1995+A1.
The logic inputs (STOA and STOB) are always assigned to this function.
The safety function STO status can be displayed using the HMI of the drive or using the commissioning
software.

(1) Motor speed - (2) Actual speed - (3) STOA and STOB - STO Activation - (4) Time
NOTE: If delay between STOA and STOB is greater than 1 s, the safety function STO is triggered and an
error is triggered with the error code [Safety Function Error] SAFF.

Safety Function STO Standard Reference

The safety function STO is defined in section 4.2.2.2 of standard IEC 61800-5-2 (edition 1.0 2007.07):
Power that can cause rotation (or motion in the case of a linear motor), is not applied to the motor.The
PDS(SR) (power drive system suitable for use in safety-related applications) will not provide energy to the
motor which can generate torque (or force in the case of a linear motor).
z NOTE 1: This safety function corresponds to an uncontrolled stop in accordance with stop category 0
of IEC 60204-1.
z NOTE 2: This safety function may be used where power removal is required to prevent an unexpected
start-up.
z NOTE 3: In circumstances where external influences (for example, falling of suspended loads) are
present, additional measures (for example, mechanical brakes) may be necessary to prevent any
hazard.
z NOTE 4: Electronic equipment and contactors do not provide adequate protection against electric
shock, and additional insulation measures may be necessary.

18 NHA80947 09/2015
Safety Function (SF) Level Capability for Safety Function STO

Configuration SIL PL
Safety Integrity Level according Performance Level according
to IEC 61-508 to ISO-13849
STO with and without Safety module (such SIL3 PLe
as Preventa module)

Emergency Operations
Standard IEC 60204-1 introduces 2 emergency operations:
z Emergency switching-off:
This function requires external switching components, and cannot be accomplished with drive based
functions such as safe torque-off (STO).
z Emergency stop:
An emergency stop must operate in such a way that, when it is activated, the hazardous movement of
the machinery is stopped and the machine is unable to start under any circumstances, even after the
emergency stop is released.
An emergency stop shall function either as a stop category 0 or as a stop category 1.
Stop category 0 means that the power to the motor is turned off immediately. Stop category 0 is
equivalent to the safe torque-off (STO) function, as defined by standard EN 61800-5-2.
In addition to the requirements for stop (see 9.2.5.3 of IEC 60204-1), the emergency stop function has
the following requirements:
 It shall override all other functions and operations in all modes.
 This reset shall be possible only by a manual action at that location where the command has been
initiated. The reset of the command shall not restart the machinery but only permit restarting.
 For the machine environment (IEC 60204-1 and machinery directive), when safety function STO is
used to manage an emergency stop category 0, the motor must not restart automatically when safety
function STO has been triggered and deactivated (with or without a power cycle).
If the drive configuration enable automatic machine restart after the safety function STO has been
deactivated, an additional safety module (such as Preventa module) is required.
If the use of an additional safety module is not possible, the drive control must be configured in 2
wires transition (tCC = 2C and tCt = trn) or 3 wires (tCC = 3C).

NHA80947 09/2015 19
Limitations

Type Of Motor
The safety function STO can be used with synchronous and asynchronous motors.

Prerequisites for Using Safety Functions

Following conditions have to be fulfilled for correct operation:
z The motor size is adequate for the application and is not at the limit of its capacity.
z The drive size has been correctly chosen for the supply mains, sequence, motor, and application and
is not at the limit of its capacity as stated in the catalog.
z If required, the appropriate options are used.
Example: output filter.
z The drive is correctly set up with the correct speed loop and torque characteristics for the application;
the reference frequency profile applied to the drive control loop is followed.

Disable Error Detection

When the safety function is used, the error code [Safety Function Error] SAFF cannot be disabled by
the function [Disable Error Detection] InH.

Status of Safety Function

Description

If... Then ...

Safe Torque Off (STO) is not active the orange LED is OFF
STO is triggered the power bridge is locked by redundant hardware
the orange LED is steady ON
STO is displayed
[Safety Function Error] SAFF the power bridge is locked
detected fault occurs (1) the orange LED is steady ON
the red LED is steady ON
the Graphic Display terminal displays StO then
SAFF

(1) Possible causes are exceeded delay between STOA and STOB signals > 1 s and internal hardware
detected error.

20 NHA80947 09/2015
 Altivar Process

NHA80947 09/2015

Chapter 3
Technical Data

Technical Data

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Electrical Data 24
Safety Function Capability 25

NHA80947 09/2015 23
Electrical Data

Logic Type
Safety function must only be used in Source mode: current flows to input.
STOA and STOB inputs and signal inputs are protected against reverse polarity.

Cabling Label

Also refer to the Installation manual available on www.schneider-electric.com

Input Signal Safety Function

Input Signals Safety Function Units Value for STO

Logic 0 (Ulow) Vdc < 5 or open
Logic 1 (Uhigh) Vdc > 11
Current (at 19 Vdc) mA 11
Delay between STOA and STOB s <1
Response time of safety function ms < 10

For options with a safety relay (e.g. VW3AP1503) the IO specification of the relay has to be considered.
Therefore additional information can be found in the datasheet of the safety relay.

24 NHA80947 09/2015
Safety Function Capability

PDS (SR) safety functions are part of an overall system

If the qualitative and quantitative safety objectives determined by the final application require some
adjustments to help ensure safe use of the safety functions, the integrator of the BDM (Basic Drive Module)
is responsible for these additional changes (for example, managing the mechanical brake on the motor).
Also, the output data generated by the use of safety functions (activation of the digital input set to
[Operating State Fault], error codes or information on the display, etc.) is not considered to be a safety-
related data.

Machine Application Function Configuration

Standard STO
IEC 61800-5-2 / IEC 61508 SIL3
IEC 62061 (1) SIL3 CL
ISO 13849-1 (2) Category 3 PLe
IEC 60204-1 (3) Category stop 0
(1) Because the IEC 62061 standard concerns integration, this standard distinguishes the overall safety function
(which is classified SIL3) from components which constitute the safety function (Altivar Process is one component
which is classified SIL3 CL).
(2) According to table 4 of EN 13849-1 (2008).
(3) If protection against supply interruption or voltage reduction and subsequent restoration is needed according to
IEC 60204-1, a safety module type Preventa XPS AF or equivalent must be used.

Process Application Function Configuration

Standard STO
IEC 61800-5-2 / IEC 61508 SIL3
IEC 62061 SIL3 CL

Summary Of The Reliability Study

Standard Input ATV930 ATV950 ATV960

ATV980
IEC 61508 Ed.2 SFF 91.5%
PFH in /h 4.10-10
PFD 2.10-6
Type A
HFT 1
T1 (proof test interval) in hours 8760
SIL capability 3
IEC 62061 SIL CL capability 3
ISO 13849-1 (1) PL e
Category 3
MTTFd in years 5000
DC avg 90%
(1) According to table 4 of EN 13849-1 (2008)

Preventive annual activation of the safety function is recommended.

However, the safety levels can be obtained (with lower margins) without annual activation.
For the machine environment, a safety module is required for the STO function.
NOTE: The table above is not sufficient to evaluate the PL of a PDS. The PL evaluation has to be done at
the system level. The system integrator has to evaluate the random integrity as well as the systematic
integrity at system level according to IEC61508, IEC 62061, ISO13849 or applicable product standard.

NHA80947 09/2015 25
Summary Of The Reliability Study For Drive Systems Options

Standard Input ATV960 / ATV980 With Option

VW3 AP 1502 VW3 AP 1503 ETO
IEC 61508 Ed.2 PFH in /h 5.10 -8
5.10 -8
2.10-6
PFD 2.10-6 4.10-4 4.10-5
Type A A A
HFT 1 1 0
T1 (proof test interval) in hours 8760 8760 8760
SIL capability 3 3 1
IEC 62061 SIL CL capability 3 3 1
ISO 13849-1 (1) PL e e c
Category 3 3 1
MTTFd in years > 100 (high) > 100 (high) > 100 (high)
DC avg > 90% (Medium) > 90% (Medium) 0%
(1) According to table 4 of EN 13849-1 (2008)

Preventive annual activation of the safety function is recommended.

However, the safety levels can be obtained (with lower margins) without annual activation.
For the machine environment, a safety module is required for the STO function.
NOTE: The table above is not sufficient to evaluate the PL of a PDS. The PL evaluation has to be done at
the system level. The system integrator has to evaluate the random integrity as well as the systematic
integrity at system level according to IEC61508, IEC 62061, ISO13849 or applicable product standard.

26 NHA80947 09/2015
 Altivar Process

NHA80947 09/2015

Chapter 4
Certified Architectures

Certified Architectures

What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Introduction 28
Process System SF - Case 1 29
Process System SF - Case 2 30
Process System SF - Case 3 32
Process System SF - Case 4 33
Process System SF - Case 5 35
Process System SF - Case 6 37
Process System SF - Case 7 40

NHA80947 09/2015 27
Introduction

Certified Architectures
NOTE: For certification relating to functional aspects, only the PDS(SR) (Power Drive System suitable for
use in safety-related applications) will be considered, not the complete system into which it is integrated to
help to ensure the functional safety of a machine or a system/process.
These are the certified architectures:
z Process system SF - Case 1
z Process system SF - Case 2
z Process system SF - Case 3
z Process system SF - Case 4
z Process system SF - Case 5
z Process system SF - Case 6
z Process system SF - Case 7

The safety functions of a PDS(SR) (Power Drive System suitable for use in safety-related applications) are
part of an overall system.
If the qualitative and quantitative safety-related objectives determined by the final application require some
adjustments to ensure safe use of the safety functions, the integrator of the BDM (Basic Drive Module) is
responsible for these additional changes (for example, managing the mechanical brake on the motor).
Also, the output data generated by the use of safety functions (activation of the digital input set to
[Operating State Fault], error codes or information on the display, etc.) is not considered to be a safety-
related data.

Protected cable insulation

The STO safety function is triggered via 2 redundant inputs. These two circuits have to be wired according
to protective cable insulation.
If short circuits and cross circuits can occur with safety-related signals and if they are not detected by
upstream devices, protected cable installation as per ISO 13849-2 is required.
In the case of an unprotected cable installation, the two signals (both channels) of a safety function in short
circuit state may be connected to external voltage if a cable is damaged. In this case, the safety function
is no longer operative.
Wire both STO inputs only with the shielded, twisted cables with a pitch of 25...50 mm (1 in. and 2 in.),
connecting the shielding to Ground at each end se shielded cables for the signal lines.
Ground loops may cause problems in machines. In this case the shield has to be connected to ground on
drive side only.

28 NHA80947 09/2015
Process System SF - Case 1

Single Drive Connection Diagram

This connection diagram applies for a single drive configuration according to IEC 61508 capability
SIL3, IEC 60204-1 stop category 0 without protection against supply interruption or voltage
reduction and subsequent rotation.

(1) Line chokes, if used.

Multidrive Connection Diagram

This connection diagram applies for multidrive configuration according to IEC 61508 capability
SIL3, IEC 60204-1 stop category 0 without protection against supply interruption or voltage
reduction and subsequent rotation.

(1) Line chokes, if used.

NHA80947 09/2015 29
Process System SF - Case 2

Single Drive with Safety Module Type Preventa XPS-AF Connection Diagram
This connection diagram applies for a single drive configuration with the safety module type
Preventa XPS- AF according to ISO 13849-1 category 3 PLe, IEC 62061 and 60204-1 stop category 0

(1) Line chokes, if used.

30 NHA80947 09/2015
Multidrive with Safety Module Type Preventa XPS-AF Connection Diagram
This connection diagram applies for a multidrive configuration with the safety module type
Preventa XPS- AF according to ISO 13849-1 category 3 PLe, IEC 62061 and 60204-1 stop category 0.

(1) Line chokes, if used.

NHA80947 09/2015 31
Process System SF - Case 3

Connection Diagram For Single Drive with Safety Module Type Preventa XPS-AV
This Connection diagram applies for a single drive configuration with the Safety Module Type
Preventa XPS AV According to ISO 13849-1 category 3 PLe and IEC 60204-1 stop category 1.

NOTE: This diagram is an wiring configuration using DI1 assigned to forward operation.
(1) Line chokes, if used.

32 NHA80947 09/2015
Process System SF - Case 4

Single Drive Systems Connection Diagram

This connection diagram applies for a single Altivar Process Drive Systems configuration, without
options according to IEC 61508 capability SIL3, ISO 13849-1 category 3 PL e, IEC 60204-1 stop
category 0 without protection against supply interruption or voltage reduction and subsequent
rotation.

Legend:
z A: Drive Systems enclosure with certified Drive Systems components assembly
 A01: Control block of the Drive System

z S62: External Emergency Stop button (not included within the certification)
z (1): If S62 external emergency stop is installed, the link between terminals STOA and +24V, and
between terminals STOB and +24V has to be removed.
NOTE: An EMERGENCY STOP is requested. This request leads to a category 0 stop. The power stage is
immediately disabled via the inputs STOA and STOB of the safety function STO. Power can no longer be
supplied to the motor. If the motor has not yet stopped at this point in time, it coasts down in an uncontrolled
way (uncontrolled stop).

NHA80947 09/2015 33
Multi drive Drive Systems Connection Diagram
This connection diagram applies for multidrive Altivar Process Drive Systems configuration,
without options, according to IEC 61508 capability SIL 3, ISO 13849-1 category 3 PL e, IEC 60204-1
stop category 0 without protection against supply interruption or voltage reduction and
subsequent rotation.

Legend:
z A1, A2: Drive Systems enclosures with certified Drive Systems components assembly
 A01: Control block of the Drive System

z S62: External Emergency Stop button (not included within the certification)
NOTE: An EMERGENCY STOP is requested. This request leads to a category 0 stop. The power stage is
immediately disabled via the inputs STOA and STOB of the safety function STO. Power can no longer be
supplied to the motor. If the motor has not yet stopped at this point in time, it coasts down in an uncontrolled
way (uncontrolled stop).

34 NHA80947 09/2015
Process System SF - Case 5

Single Drive Systems Connection Diagram with Option Safe Torque Off STO - SIL3 Stop category 0
This connection diagram applies for a single Altivar Process Drive Systems configuration, with
option VW3AP1502 (Safe Torque Off STO - SIL 3 Stop Category 0) according to IEC 61508 capability
SIL3, ISO 13849-1 category 3 PL e, IEC 60204-1 stop category 0 without protection against supply
interruption or voltage reduction and subsequent rotation.

Legend:
z A1: Drive Systems enclosure with certified architecture, with built-in Drive Systems components
assembly and with option VW3AP1502.
 A01: Control block of the Drive System
 S61: Emergency Stop button mounted in the enclosure door

z S62: External Emergency Stop button (not included within the certification)
z (1): If S62 external emergency stop is installed, the wire link between terminals X205:11 and X205:1,
and between terminals X205:12 and X205:1 has to be removed.
z Kx: optional additional contacts within the safety path (not included within the certification). These
contacts have to be taken into account separately for the safety path calculation
NOTE: An EMERGENCY STOP is requested. This request leads to a category 0 stop. The power stage is
immediately disabled via the inputs STOA and STOB of the safety function STO. Power can no longer be
supplied to the motor. If the motor has not yet stopped at this point in time, it coasts down in an uncontrolled
way (uncontrolled stop).

NHA80947 09/2015 35
Multi drive Drive Systems Connection Diagram
This connection diagram applies for multidrive Altivar Process Drive Systems configuration, with
option VW3AP1502 (Safe Torque Off STO - SIL 3 Stop Category 0) according to IEC 61508 capability
SIL 3, ISO 13849-1 category 3 PL e, IEC 60204-1 stop category 0 without protection against supply
interruption or voltage reduction and subsequent rotation.

Legend:
z A1: Drive Systems enclosure with certified architecture, with built-in Drive Systems components
assembly and with option VW3AP1502.
 A01: Control block of the Drive System
 S61: Emergency Stop buttons mounted in the enclosure door

z S62: External Emergency Stop button (not included within the certification)
z Kx: optional additional contacts within the safety path (not included within the certification). These
contacts have to be taken into account separately for the safety path calculation.
NOTE: An EMERGENCY STOP is requested. This request leads to a category 0 stop. The power stage is
immediately disabled via the inputs STOA and STOB of the safety function STO. Power can no longer be
supplied to the motor. If the motor has not yet stopped at this point in time, it coasts down in an uncontrolled
way (uncontrolled stop).

36 NHA80947 09/2015
Process System SF - Case 6

Single Drive Systems Connection Diagram with Option Safe Torque Off STO - SIL3 Stop category 1
This connection diagram applies for a single Altivar Process Drive Systems configuration, with
option VW3AP1503 (Safe Torque Off STO - SIL 3 Stop Category 1) according to IEC 61508 capability
SIL 3, ISO 13849-1 category 3 PL e, IEC 60204-1 stop category 1.

Legend:
z A1: Drive Systems enclosure with certified architecture, with built-in Drive Systems components
assembly and with option VW3AP1503.
 A01: Control block of the Drive System
 K61: Safety relay for monitoring the Emergency Stop circuit: Preventa XPS-ATR
 S61: Emergency Stop buttons mounted in the enclosure door
 DIx: Internal I/O set to “fast stop”

z S62: External Emergency Stop button (not included within the certification)
z (1): If S62 external emergency stop is installed, the wire link between terminals X205:14 and X205:3,
and between terminals X205:15 and X205:4 has to be removed.
z Kx: optional additional contacts within the safety path (not included within the certification). These
contacts have to be taken into account separately for the safety path calculation.
z S63: Manual reset button
z (2): If a manual reset button is installed the wire link between the terminals S13/S14 on the safety relay
has to be removed.

NHA80947 09/2015 37
Example
an Emergency Stop is requested. This request leads to a stop category 1:
z The function "fast stop" is immediately started (undelayed) via the digital input DIx (single-channel, not
monitored). Any active movement is decelerated via the adjusted ramp.
z The power stage is disabled via the inputs STO_A and STO_B of the safety STO function after the delay
time set in the Emergency Stop Safety Module has elapsed. Power can no longer be supplied to the
motor. If the motor has not stopped yet when the delay time has elapsed, it coasts down in an
uncontrolled way (uncontrolled stop).

Multidrive Drive Systems Connection diagram with Safety Module

This connection diagram applies for a multidrive Altivar Process Drive Systems configuration with
a safety module stop category 1.

Legend:
z A1, A2: Drive Systems enclosure without options (certified - see case 4), with certified Drive Systems
components assembly.
 A01: Control block of the Drive System

z Ax: External functional safety path (not included within the certification) with following components:
 S2: External Emergency Stop button
 Kx: Safety module
 Sx: Manual reset button

Example
an Emergency Stop is requested if an Emergency Stop Safety Module, with stop category 1 is used. This
request leads to a stop category 1.
z The function "fast stop" is immediately started (undelayed) via the digital input DIx (single-channel, not
monitored). Any active movement is decelerated via the adjusted ramp.
z The power stage is disabled via the inputs STO_A and STO_B of the safety STO function after the delay
time set in the Emergency Stop Safety Module has elapsed. Power can no longer be supplied to the
motor. If the motor has not stopped yet when the delay time has elapsed, it coasts down in an
uncontrolled way (uncontrolled stop).
NOTE: The specified minimum current and the permissible maximum current of the relay outputs of the
Emergency Stop Safety Module must be observed.

38 NHA80947 09/2015
Process System SF - Case 7

Single Drive Systems Connection Diagram for ETO

This connection diagram applies for a single Altivar Process Drive Systems configuration, within
an Engineered to Order (ETO) purchase order. The connection diagram applies according to IEC
61508 capability SIL 1, ISO 13849-1 category 1 PL c, IEC 60204-1 stop category 0 without protection
against supply interruption or voltage reduction and subsequent rotation.

Legend:
z A1: Drive Systems enclosure with certified architecture for ETO with built-in Drive Systems components
assembly.
 A01: Control block of the Drive System
 S61: Emergency Stop button mounted in the enclosure door

z S62: External Emergency Stop button (not included within the certification)
z Kx: Optional additional contacts within the safety path (not included within the certification) These
contacts have to be taken into account separately for the safety path calculation.
z (1): If S62 external emergency stop is installed, the wire link has to be removed.

NHA80947 09/2015 39
ATV900_Safety_functions_manual_NHA80947_04

09/2015