Emergency Stop Examples Sistema Ver 100

Example Usage of Danfoss VLT Library for IFA SISTEMA

Disclaimer THE SISTEMA LIBRARY IS SOLELY FOR GUIDING PURPOSES. THE DATA PRESENTED DOES NOT REPRESENT GUARANTEED PERFORMANCE. THE DOCUMENTATION FOR ALL COMPONENTS USED SHALL BE OBSERVED. ALWAYS CONTACT DANFOSS SALES ORGANIZATION TO DETERMINE YOUR ACTUAL NEED. THE USER HAS THE FULL AND SOLE RESPONSIBILITY AND LIABILITY THAT SAFETY FUNCTIONS IN USER PRODUCTS FULFIL ALL REQUIREMENTS. IN NO EVENT SHALL DANFOSS POWER ELECTRONICS A/S BE LIABLE FOR ANY DAMAGE OR LOSSES RELATED TO THE USE OF THE SISTEMA LIBRARY. DANFOSS POWER ELECTRONICS A/S RESERVES THE RIGHT, TO MAKE ANY CHANGES ANY TIME WITHOUT ANY ANNOUNCEMENT. IN CASE OF DIFFERENCES BETWEEN THE DATA PROVIDED IN THE LIBRARY AND OTHER PUBLICATIONS OF DANFOSS POWER ELECTRONICS A/S, E.G. DOCUMENTATION, THE CONTENT OF THE OTHER DOCUMENTATION HAS ALWAYS PRIORITY! Copyright 2010 Danfoss Power Electronics A/S

Table of Contents
Example 1
Emergency stop of FC300 w/o Safe Stop - Category B, PL b

Example 2
Emergency stop of FC300 with Safe Stop - Category 1, PL c

Example 3
Emergency stop of FC300 with Safe Stop using safety relay - Category 3, PL d

Example 4
Emergency stop of FC300 with Safe Stop using safety relay with delayed output - Category 3, PL d

Example 5
Emergency Stop of frequency converter with Safe Stop, Safety Relay and output contactor - Category 4, PL e

Example 6
Emergency Stop of multiple drives - Category 3, PL d

Example 7
Emergency stop of VLT2800 - Category B, PL b

Important!

The information given in this publication gives guidance on the application of Danfoss Power Electronics Safe Torque Off, and also some general background material on the design of safety-related systems for machinery control. This publication is not intended to form a complete guide to the subject. The information provided is believed to be correct and to reflect accepted practice at the time of writing. It is the responsibility of the designer of the end product or application to ensure that it is safe and in compliance with the relevant regulations. The design of safety-related systems requires specialist knowledge. To ensure that a complete control system is safe it is necessary for the whole system to be designed according to recognised safety principles. The use of individual sub-systems such as drives with Safe Torque Off functions, which are intended for safety-related applications, does not in itself ensure that the complete system is safe.

Example 1: Emergency stop of FC300 w/o Safe Stop - Category B, PL b


Setup (figure): Mains; FC 300 Frequency Converter; Emergency Stop Device; Control Signal; Normal Stop (Terminal 27)

Functional diagram (figure)

Safety Function: STO (safe torque off) according to IEC 61800-5-2. Stop category 0 according to IEC 60204-1. Following a stop or emergency stop command the drive is halted.

Functional Description: In case of emergency, the Emergency Stop Device is activated. The Control Signal is disconnected from the drive. The drive is halted.

Design Features: This circuit can be used up to PL b according to ISO 13849-1. The drive used is a standard drive without functional safety. For PL b the complete safety function has to be calculated (MTTFd). Basic safety principles have to be used.

Implementation in SISTEMA using the Danfoss library: Use the subsystem FC300 Normal Stop (Terminal 27). All parameters are set in the library; there is no need to edit them.

Remember:
- any related non-safety standards should be fulfilled for the application and its components
- the application designer is responsible for choosing liable components
- if the frequency converter used in the application has a Safe Stop function, it is strongly recommended to use it even if the safety requirements could be fulfilled with Normal Stop
- to fulfill PL d, the MTTFd and DC for the whole safety function have to be calculated
- the idle current principle has to be used; the drive must be configured to stop if the voltage at terminal 27 disappears

This circuit meets Category B because fundamental safety principles are used, such as proper sizing and design, proper earthing connection and resistance to environmental stress. Reaching Category 1 would require proven components. The standard frequency converter shown here contains complex programmable circuits, which under EN ISO 13849-2 do not count as proven components. The emergency stop switch with its switching contact element could be regarded as proven components. But because the weakest link in the chain is the standard input of the FC300, safety integrity is limited; in total, at most Category B and PL d is feasible.

Example 2: Emergency stop of FC300 with Safe Stop - Category 1, PL c


Setup (figure): Mains; VDC; FC 300 Frequency Converter; Emergency Stop Device; Safe Stop (Terminal 37); Control Signal; Normal Stop (Terminal 27)

Functional diagram (figure)

Safety Function: STO (safe torque off) according to IEC 61800-5-2. Stop category 0 according to IEC 60204-1. Following a stop or emergency stop command the drive is halted.

Functional Description: In case of emergency, the Emergency Stop Device is activated. The drive Safe Stop function is activated. The drive is halted.

Design Features: The circuit can be used up to category 3 and PL d. The safe stop function is activated via one positive switching signal. For PL d the complete safety functions have to be calculated (MTTFd). Basic safety principles have to be used. The device used for activation of safe stop must be suitable for the chosen category and PL. The control signal is used for normal control of the drive. The safe stop input should not be used for regular stopping of the drive.

Implementation in SISTEMA using the Danfoss library: Use the subsystem FC300 Safe Stop (Terminal 37). All parameters are set in the library; there is no need to edit them. The operational control path via terminal 27 does not need to be modeled in SISTEMA. That path does not contribute to the safety function.

Remember:
- any related non-safety standards should be fulfilled for the application and its components
- the application designer is responsible for choosing liable components
- the cable shown as orange on Figure 2.1 has to be short-circuit protected according to ISO 13849-2 table D.4
- to fulfill PL d, the MTTFd and DC for the whole safety function have to be calculated
- the emergency stop device must be usable in applications up to Category 3, PL d

Example 3: Emergency stop of FC300 with Safe Stop using safety relay - Category 3, PL d

Setup (figure): Mains; VDD; Emergency Stop Device; FC 300 Frequency Converter; Safety Relay; Control Signal; Safe Stop (Terminal 37); Normal Stop (Terminal 27)

Functional diagram (figure)

Safety Function: STO (safe torque off) according to IEC 61800-5-2. Stop category 0 according to IEC 60204-1. Following a stop or emergency stop command the drive is halted.

Functional Description: In case of emergency, the Emergency Stop Device is activated. The drive Safe Stop function is activated. The drive is halted.

Design Features: The circuit can be used up to category 3 and PL d. The safe stop function is activated via one positive switching signal. For PL d the complete safety function has to be calculated (MTTFd). Basic safety principles have to be used. The device used for activation of safe stop and the safety relay must be suitable for the chosen category and PL. The control signal is used for normal control of the drive. The safe stop input should not be used for regular stopping of the drive.

Implementation in SISTEMA using the Danfoss library: Use the subsystem FC300 Safe Stop (Terminal 37). All parameters are set in the library; there is no need to edit anything. The operational control path via terminal 27 does not need to be modeled in SISTEMA. That path does not contribute to the safety function.

Remember:
- any related non-safety standards should be fulfilled for the application and its components
- the application designer is responsible for choosing liable components
- the cable shown as orange on Figure 2.1 has to be short-circuit protected according to ISO 13849-2 table D.4
- to fulfill PL d, the MTTFd and DC for the whole safety function have to be calculated

This setup can be used if a dual positive switching device is used. Depending on the safety relay, it is also possible to connect several activation devices to one safe stop.

Example 4: Emergency stop of FC300 with Safe Stop using safety relay with delayed output - Category 3, PL d

Setup (figure): VDD; Mains; Emergency Stop Device; FC 300 Frequency Converter; Safety Relay; Delayed output; Normal output; Safe Stop (Terminal 37); Normal Stop (Terminal 27)

Functional diagram (figure)

Safety Function: SS1 (safe stop 1) with safe delay time according to IEC 61800-5-2. Stop category 1 according to IEC 60204-1. Following a stop or emergency stop command the drive will ramp down as configured for function, and after a safe delay time the drive will enter STO.

Functional Description: In case of emergency, the Emergency Stop Device is activated. The drive Safe Stop function is activated. The drive is halted.

Design Features: The circuit can be used up to category 3 and PL d. The safe stop function is activated via one positive switching signal. For PL d the complete safety function has to be calculated (MTTFd). Basic safety principles have to be used. The device used for activation of safe stop and the safety relay must be suitable for the chosen category and PL. When the safety function is activated, a normal controlled stop is performed; this is activated through terminal 27. After the safe delay time expires, STO is triggered and terminal 37 is set low. Ramp down is performed as configured in the drive. If the drive has not stopped after the safe delay time, the activation of STO will coast the drive. The control signal is used for normal control of the drive. The safe stop input should not be used for regular stopping of the drive.

Implementation in SISTEMA using the Danfoss library: Use the subsystem FC300 Safe Stop (Terminal 37). All parameters are set in the library; there is no need to edit them. The operational control path via terminal 27 does not need to be modeled in SISTEMA. That path does not contribute to the safety function.

Remember:
- any related non-safety standards should be fulfilled for the application and its components
- the application designer is responsible for choosing liable components
- the cable shown as orange on Figure 2.1 has to be short-circuit protected according to ISO 13849-2 table D.4
- to fulfill PL d, the MTTFd and DC for the whole safety function have to be calculated
- the activation of STO after a safe delay time is the safety function; the ramp down is performed operationally and is not part of the safety function

This setup is intended for cases where ramp-down is the preferable way to stop the drive in an emergency. Ramping down can avoid harm to equipment in case of emergency. However, because the ramp-down is not safe, the Safe Stop is always triggered when the delay time expires. Note that if the braking function is itself a safety requirement, this arrangement is not suitable, because braking requires all or most of the drive to be operational, i.e. it is not fail-safe. In that case a more complex braking supervision function is required, or alternatively a fail-safe mechanical brake.

Example 5: Emergency Stop of frequency converter with Safe Stop, Safety Relay and output contactor - Category 4, PL e

Setup (figure): Mains; FC 300 Frequency Converter; Safety Relay; Emergency Stop Device; Safe Stop (Terminal 37); Normal Stop (Terminal 27); VDD; K1

Functional diagram
SB Emergency Stop Device
SB Monitoring Safety Relay: MSR33
SB Stopping Devices
    CH Channel 1
        BL FC300 Safe Stop (Terminal 37) from Danfoss VLT library
    CH Channel 2
        BL Output Contactor: 100S-C

Safety Function: STO (safe torque off) according to IEC 61800-5-2. Stop category 0 according to IEC 60204-1. Following a stop or emergency stop command the drive is halted.

Functional Description: Where the safety control system must be designed in accordance with PL e of ISO 13849-1, a two-channel stop is required for the STO function. One channel can be implemented by the STO input on the drive and the other by a contactor, which may be connected in either the drive input or output power circuits. The contactor must be monitored through an auxiliary guided contact, shown as K1 in the diagram. In case of emergency, the Emergency Stop Device is activated. The drive Safe Stop function is activated. The drive is halted.

Design Features: The circuit can be used up to category 4 and PL e. The safe stop function is activated via one positive switching signal. For PL e the complete safety function has to be calculated (MTTFd). Basic safety principles have to be used. The device used for activation of safe stop and the safety relay must be suitable for the chosen category and PL. The control signal is used for normal control of the drive. The safe stop input should not be used for regular stopping of the drive.

Implementation in SISTEMA using the Danfoss library: Use the subsystem FC300 Safe Stop (Terminal 37). All parameters are set in the library; there is no need to edit anything. The operational control path via terminal 27 does not need to be modeled in SISTEMA. That path does not contribute to the safety function.

Remember:
- any related non-safety standards should be fulfilled for the application and its components
- the application designer is responsible for choosing liable components
- the cable shown as orange on Figure 2.1 has to be short-circuit protected according to ISO 13849-2 table D.4
- to fulfill PL d, the MTTFd and DC for the whole safety function have to be calculated

This setup can be used if a dual positive switching device is used. Depending on the safety relay, it is also possible to connect several activation devices to one safe stop.
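
The calculation that the "has to be calculated" remarks refer to, sketched for the two stopping channels of Example 5 using the simplified procedure of ISO 13849-1 (category, channel MTTFd, average DC). This is an added example, not part of the Danfoss document or the SISTEMA library; the function names and every MTTFd and DC figure are constructed for illustration, and the structural and common-cause-failure requirements of the category are assumed to be checked separately.

```python
# Added example: simplified ISO 13849-1 PL estimate for a two-channel stop.
# Every MTTFd / DC figure here is a constructed placeholder, not vendor data.
# (category, DCavg class) -> PL for MTTFd class (low, medium, high).
# None = combination not covered by the simplified procedure.
PL_TABLE = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}

def channel_mttfd(blocks):
    """Parts count: series blocks add failure rates; capped at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m, _dc in blocks))

def symmetrize(c1, c2):
    """Substitute MTTFd for two channels with different MTTFd values."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))

def dc_avg(blocks):
    """Average diagnostic coverage, weighted by each block's failure rate."""
    return sum(dc / m for m, dc in blocks) / sum(1.0 / m for m, _dc in blocks)

def mttfd_class(years):
    """0 = low (3..<10 y), 1 = medium (10..<30 y), 2 = high (>=30 y)."""
    if years < 3:
        return None
    return 0 if years < 10 else 1 if years < 30 else 2

def dc_class(dc):
    if dc < 0.60:
        return "none"
    return "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

def performance_level(category, channels):
    """channels: one list of (MTTFd in years, DC as fraction) per channel."""
    per_ch = [channel_mttfd(ch) for ch in channels]
    mttfd = per_ch[0] if len(per_ch) == 1 else symmetrize(per_ch[0], per_ch[1])
    blocks = [b for ch in channels for b in ch]
    dcc = "none" if category in ("B", "1") else dc_class(dc_avg(blocks))
    row, idx = PL_TABLE.get((category, dcc)), mttfd_class(mttfd)
    return None if row is None or idx is None else row[idx]

# Constructed figures for the two stopping channels of Example 5.
STO_INPUT = [(150.0, 0.995)]   # channel 1: drive Safe Stop, terminal 37
CONTACTOR = [(60.0, 0.995)]    # channel 2: output contactor monitored via K1
UNMONITORED = [(60.0, 0.0)]    # channel 2 without the K1 feedback contact

if __name__ == "__main__":
    print(performance_level("4", [STO_INPUT, CONTACTOR]))    # e
    print(performance_level("4", [STO_INPUT, UNMONITORED]))  # None
```

With the K1 feedback removed, the average DC falls out of the "high" band and the table yields no PL for Category 4, which is why the contactor monitoring matters in this circuit.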

Example 6: Emergency Stop of multiple drives - Category 3, PL d


Setup (figure): Mains (x3); Emergency Stop Device; Safety Relay; FC 300 Frequency Converter (x3); Safe Stop (Terminal 37) (x3)

Functional diagram (figure)

Safety Function: STO (safe torque off) according to IEC 61800-5-2. Stop category 0 according to IEC 60204-1. Following a stop or emergency stop command the drive is halted.

Functional Description: FC302 Safe Torque Off inputs may be connected directly together if it is required to control multiple drives from the same control line. Connecting inputs together increases the probability of a fault in the unsafe direction, since a fault in one drive might result in all drives becoming enabled. The probability of a fault is so low, at 8 x 10^-10 per hour, that the resulting probability still meets the requirements for SIL2 for realistic numbers of drives. It is recommended that no more than 20 inputs be connected in parallel if SIL2 is required.

Remember:
- any related non-safety standards should be fulfilled for the application and its components
- the application designer is responsible for choosing liable components
- the cable shown as orange on Figure 2.1 has to be short-circuit protected according to ISO 13849-2 table D.4
- to fulfill PL d, the MTTFd and DC for the whole safety function have to be calculated

This setup can be used if a dual positive switching device is used. Depending on the safety relay, it is also possible to connect several activation devices to one safe stop.

Example 7: Emergency stop of VLT2800 - Category B, PL b

Setup (figure): Mains; VLT2800 Frequency Converter; Emergency Stop Device; Control Signal; Normal Stop (Terminal 27)

Functional diagram (figure)

Safety Function: STO (safe torque off) according to IEC 61800-5-2. Stop category 0 according to IEC 60204-1. Following a stop or emergency stop command the drive is halted.

Functional Description: In case of emergency, the Emergency Stop Device is activated. The Control Signal is disconnected from the drive. The drive is halted.

Design Features: This circuit can be used up to PL b according to ISO 13849-1. The drive used is a standard drive without functional safety. For PL b the complete safety function has to be calculated (MTTFd). Basic safety principles have to be used.

Implementation in SISTEMA using the Danfoss library: Use the subsystem VLT2800 Normal Stop (Terminal 27). All parameters are set in the library; there is no need to edit them.

Remember:
- any related non-safety standards should be fulfilled for the application and its components
- the application designer is responsible for choosing liable components
- if the frequency converter used in the application has a Safe Stop function, it is strongly recommended to use it even if the safety requirements could be fulfilled with Normal Stop
- to fulfill PL d, the MTTFd and DC for the whole safety function have to be calculated
- the idle current principle has to be used; the drive must be configured to stop if the voltage at terminal 27 disappears

This circuit meets Category B because fundamental safety principles are used, such as proper sizing and design, proper earthing connection and resistance to environmental stress. Reaching Category 1 would require proven components. The standard frequency converter shown here contains complex programmable circuits, which under EN ISO 13849-2 do not count as proven components. The emergency stop switch with its switching contact element could be regarded as proven components. But because the weakest link in the chain is the standard input of the FC300, safety integrity is limited; in total, at most Category B and PL d is feasible.
