S120 Safety FCT Man 0620 en-US


Function Manual

SINAMICS

S120
Safety Integrated

Edition 06/2020 www.siemens.com/drives


SINAMICS
S120
Safety Integrated
Function Manual

Introduction 1
Fundamental safety instructions 2
General information about SINAMICS Safety Integrated 3
Overview of Safety Integrated functions 4
Description of Safety Integrated functions 5
Control of the safety functions 6
Commissioning 7
Acceptance test 8
System features 9
Standards and regulations 10
Maintenance 11
Appendix A

Valid as of:
Firmware Version 5.2 SP3

06/2020
6SL3097-5AR00-0BP3
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be
used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property
damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified
personnel are those who, based on their training and experience, are capable of identifying risks and avoiding
potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended or
approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described.
Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this
publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG
Digital Industries
Postfach 48 48
90026 NÜRNBERG
GERMANY

Document order number: 6SL3097-5AR00-0BP3
Ⓟ 06/2020 Subject to change
Copyright © Siemens AG 2008 - 2020.
All rights reserved
Table of contents

1 Introduction.................................................................................................................................................11
1.1 The SINAMICS converter family ............................................................................................11
1.2 General information about SINAMICS documentation...........................................................12
1.3 Usage phases and their documents/tools ..............................................................................15
1.4 Where can the various topics be found?................................................................................16
1.5 Training and support ..............................................................................................................17
1.6 Using OpenSSL .....................................................................................................................18
1.7 General Data Protection Regulation ......................................................................................19
2 Fundamental safety instructions.................................................................................................................21
2.1 Fundamental safety instructions ............................................................................................21
2.1.1 General safety instructions.....................................................................................................21
2.1.2 Warranty and liability for application examples ......................................................................21
2.1.3 Security information ...............................................................................................................21
2.2 Fundamental safety instructions for Safety Integrated...........................................................23
2.3 Residual risk...........................................................................................................................26
3 General information about SINAMICS Safety Integrated ...........................................................................29
3.1 Supported functions ...............................................................................................................29
3.1.1 Safety Integrated Basic Functions .........................................................................................30
3.1.2 Safety Integrated Extended Functions ...................................................................................31
3.1.3 Safety Integrated Advanced Functions ..................................................................................32
3.2 Supported functions: HLA module .........................................................................................33
3.2.1 HLA: Safety Integrated Basic Functions ................................................................................33
3.2.2 HLA: Safety Integrated Extended Functions ..........................................................................34
3.2.3 HLA: Safety Integrated Advanced Functions .........................................................................35
3.3 Drive products with integrated safety functions......................................................................36
3.4 Examples of how the safety/diagnostic functions can be applied ..........................................37
3.5 General information about operating components with Safety Integrated activated..............39
3.6 Drive monitoring with or without encoder ...............................................................................40
4 Overview of Safety Integrated functions.....................................................................................................43
4.1 Safety Integrated Basic Functions .........................................................................................43
4.1.1 Safe Torque Off (STO)...........................................................................................................44
4.1.2 Safe Stop 1 (SS1) ..................................................................................................................45
4.1.3 Safe Brake Control (SBC) ......................................................................................................46
4.2 Safety Integrated Extended Functions ...................................................................................48
4.2.1 Preconditions for Safety Integrated Extended Functions .......................................................49
4.2.2 Control possibilities ................................................................................................................50

Safety Integrated
Function Manual, 06/2020, 6SL3097-5AR00-0BP3 3
4.2.3 Safe Torque Off (STO)...........................................................................................................50
4.2.4 Safe Stop 1 (SS1) ..................................................................................................................50
4.2.5 Safe Operating Stop (SOS)....................................................................................................53
4.2.6 Safe Stop 2 (SS2) ..................................................................................................................54
4.2.7 Safely Limited Speed (SLS) ...................................................................................................56
4.2.7.1 Selecting SLS when the motor is switched on .......................................................................58
4.2.7.2 Selecting SLS at low velocities ..............................................................................................60
4.2.7.3 Switching between monitoring thresholds..............................................................................60
4.2.8 Safe Speed Monitor (SSM) ....................................................................................................63
4.2.9 Safe Direction (SDI) ...............................................................................................................65
4.2.10 Safely-Limited Acceleration (SLA) .........................................................................................67
4.2.11 Safe Brake Test (SBT) ...........................................................................................................68
4.3 Safety Integrated Advanced Functions ..................................................................................69
4.3.1 Preconditions for Safety Integrated Advanced Functions ......................................................69
4.3.2 Safely-Limited Position (SLP) ................................................................................................70
4.3.3 Transferring safe position values (SP) ...................................................................................71
4.3.4 Safe referencing.....................................................................................................................71
4.3.5 Safe Cam (SCA) ....................................................................................................................73
5 Description of Safety Integrated functions..................................................................................................75
5.1 Safety Integrated basic functions ...........................................................................................76
5.1.1 Safe Torque Off (STO)...........................................................................................................76
5.1.1.1 Safe Torque Off (STO) for SINAMICS HLA ...........................................................................80
5.1.2 Safe Stop 1 (SS1, time controlled).........................................................................................81
5.1.2.1 SS1 with OFF3.......................................................................................................................81
5.1.2.2 SS1 with external stop ...........................................................................................................83
5.1.2.3 Function diagrams and parameters .......................................................................................84
5.1.3 Safe Brake Control (SBC) ......................................................................................................84
5.1.3.1 Description SBC.....................................................................................................................85
5.1.3.2 SBC for Motor Modules in the chassis format........................................................................87
5.1.3.3 Hardware required for SBC....................................................................................................89
5.1.3.4 Function diagrams and parameters .......................................................................................91
5.1.4 Safety faults ...........................................................................................................................92
5.1.5 Forced checking procedure (test stop)...................................................................................93
5.1.5.1 Forced checking procedure or test of the switch-off signal paths (test stop) for Safety Integrated Basic .....................................................................................................................93
5.1.5.2 Forced checking procedure (test stop) with POWER ON .....................................................94
5.1.6 Function diagrams and parameters .......................................................................................95
5.2 Safety Integrated Extended Functions ...................................................................................96
5.2.1 License for Extended Functions or Advanced Functions .......................................................96
5.2.2 Differences between Extended Functions "with encoder" and "without encoder"..................96
5.2.2.1 Specifics relating to Safety Integrated Functions "without encoder" ......................................98
5.2.3 Safe Torque Off (STO).........................................................................................................103
5.2.4 Safe Stop 1 (SS1) ................................................................................................................103
5.2.4.1 Safe Stop 1 with encoder .....................................................................................................103
5.2.4.2 Safe Stop 1 without encoder ................................................................................................106
5.2.4.3 Safe Stop 1 with external stop .............................................................................................107
5.2.4.4 Function diagrams and parameters .....................................................................................108
5.2.5 Safe Brake Control (SBC) ....................................................................................................108
5.2.6 Safe Operating Stop (SOS)..................................................................................................109
5.2.7 Safe Stop 2 (SS2) ................................................................................................................111

5.2.7.1 SS2 with external stop (SS2E).............................................................................................113
5.2.7.2 Safe Stop 2 Extended Stop and Retract (SS2ESR).............................................................115
5.2.7.3 Overview of important parameters .......................................................................................117
5.2.7.4 Interaction with EPOS ..........................................................................................................118
5.2.8 Safely-Limited Speed (SLS).................................................................................................118
5.2.8.1 Safely Limited Speed (SLS) .................................................................................................120
5.2.8.2 Safely Limited Speed without encoder.................................................................................123
5.2.8.3 Safely-Limited Speed without selection ...............................................................................124
5.2.8.4 Function diagrams and parameters .....................................................................................126
5.2.8.5 EPOS and safe setpoint velocity limitation...........................................................................127
5.2.9 Safe Speed Monitor (SSM) ..................................................................................................127
5.2.9.1 Safe Speed Monitor with encoder ........................................................................................129
5.2.9.2 Safe Speed Monitor without encoder ...................................................................................131
5.2.9.3 Function diagrams and parameters .....................................................................................134
5.2.10 Safe Direction (SDI) .............................................................................................................134
5.2.10.1 Safe Direction with encoder .................................................................................................135
5.2.10.2 Safe Direction without encoder ............................................................................................137
5.2.10.3 Safe Direction without selection ...........................................................................................139
5.2.10.4 Function diagrams and parameters .....................................................................................140
5.2.11 Safely Limited Acceleration (SLA)........................................................................................140
5.2.11.1 Principle of operation ...........................................................................................................142
5.2.11.2 Transmission via PROFIsafe or SIC ....................................................................................143
5.2.12 Safe Brake Test (SBT) .........................................................................................................144
5.2.12.1 Communication via SIC/SCC ...............................................................................................152
5.2.12.2 Function diagrams and parameters .....................................................................................154
5.2.13 Safe Acceleration Monitor (SAM).........................................................................................155
5.2.13.1 Description ...........................................................................................................................155
5.2.13.2 Calculating the SAM tolerance of the actual velocity ...........................................................156
5.2.13.3 Function diagrams and parameters .....................................................................................156
5.2.14 Safe Brake Ramp (SBR) ......................................................................................................157
5.2.14.1 Introduction ..........................................................................................................................157
5.2.14.2 Time response .....................................................................................................................158
5.2.14.3 Parameterization ..................................................................................................................159
5.2.14.4 Function diagrams and parameters .....................................................................................160
5.2.15 Reliable actual value acquisition with encoder system ........................................................160
5.2.15.1 Single-encoder system.........................................................................................................160
5.2.15.2 2-encoder system.................................................................................................................161
5.2.15.3 Encoder types for single and 2-encoder systems ................................................................163
5.2.15.4 Actual value synchronization................................................................................................166
5.2.15.5 Safe motion monitoring ........................................................................................................166
5.2.16 Safe actual value sensing without encoder..........................................................................167
5.2.16.1 Evaluation delay time without encoder.................................................................................168
5.2.16.2 Fault tolerance actual value acquisition without encoder ....................................................168
5.2.16.3 Voltage tolerance acceleration ............................................................................................169
5.2.16.4 Checking the settings...........................................................................................................169
5.2.16.5 Overview of important parameters .......................................................................................170
5.2.17 Safe gearbox switchover......................................................................................................170
5.2.17.1 Gearbox switchover without increased position tolerance ...................................................172
5.2.17.2 Gearbox switchover with increased position tolerance ........................................................172
5.2.17.3 Overview of important parameters .......................................................................................174
5.2.18 Forced checking procedure (test stop).................................................................................174
5.2.18.1 General ................................................................................................................................174

5.2.18.2 Performing a forced checking procedure (test stop) ............................................................175
5.2.18.3 Safety devices......................................................................................................................176
5.2.18.4 Forced checking procedure (test stop) F-DI/F-DO of TM54F ..............................................176
5.3 Safety Integrated Advanced Functions ................................................................................181
5.3.1 Note regarding PFH values..................................................................................................181
5.3.2 License for Extended Functions or Advanced Functions .....................................................181
5.3.3 Safely-Limited Position (SLP) ..............................................................................................181
5.3.3.1 Controlling the Safely-Limited Position function...................................................................183
5.3.3.2 Retraction.............................................................................................................................185
5.3.3.3 Function diagrams and parameters .....................................................................................187
5.3.4 Transferring safe position values (SP) .................................................................................188
5.3.4.1 Ranges of values .................................................................................................................190
5.3.4.2 Synchronous transfer of safe position values ......................................................................191
5.3.4.3 Function diagrams and parameters .....................................................................................192
5.3.5 Safe referencing...................................................................................................................192
5.3.5.1 General ................................................................................................................................192
5.3.5.2 Referencing types ................................................................................................................194
5.3.5.3 Function diagrams and parameters .....................................................................................196
5.3.6 Safe Cam (SCA) ..................................................................................................................196
5.3.7 Forced checking procedure (test stop).................................................................................199
5.3.7.1 Performing a forced checking procedure (test stop) ............................................................200
5.3.7.2 Safety devices......................................................................................................................201
5.3.7.3 Forced checking procedure (test stop) F-DI/F-DO of TM54F ..............................................201
6 Control of the safety functions ..................................................................................................................207
6.1 Control possibilities ..............................................................................................................207
6.2 Control signals by way of terminals on the Control Unit and Motor / Power Module ...........208
6.2.1 Description of the two-channel structure..............................................................................209
6.2.2 Grouping drives....................................................................................................................210
6.2.3 Simultaneity and tolerance time of the two monitoring channels .........................................211
6.2.3.1 Tolerance time .....................................................................................................................212
6.2.3.2 Overview of important parameters .......................................................................................213
6.2.4 Bit pattern test ......................................................................................................................214
6.2.5 STO via terminals of the Power Modules Blocksize.............................................................215
6.2.5.1 Terminals STO_A/STO_B and DIP switch ...........................................................................217
6.3 Activation via PROFIsafe .....................................................................................................218
6.3.1 Assigning Safety Integrated Functions to PROFIsafe..........................................................218
6.3.2 Enabling of the control via PROFIsafe .................................................................................219
6.3.3 Selecting a PROFIsafe telegram..........................................................................................220
6.3.4 Telegram format...................................................................................................................221
6.3.5 Process data ........................................................................................................................224
6.3.5.1 S_STW1 and S_ZSW1 (Basic Functions) ............................................................................224
6.3.5.2 S_STW2 and S_ZSW2 (Basic Functions) ............................................................................226
6.3.5.3 S_STW1 and S_ZSW1 (Extended/Advanced Functions).....................................................228
6.3.5.4 S_STW2 and S_ZSW2 (Extended/Advanced Functions).....................................................230
6.3.5.5 Additional process data........................................................................................................234
6.3.6 Function diagrams and parameters .....................................................................................237
6.4 Control via TM54F................................................................................................................238
6.4.1 Assigning Safety Integrated Functions to the F-DI/TM54F ..................................................239
6.4.2 Fault acknowledgment .........................................................................................................239

6.4.3 Overview of the F-DIs ..........................................................................................................239
6.4.4 Function of the F-DO............................................................................................................242
6.4.4.1 Overview of the F-DOs.........................................................................................................242
6.4.4.2 Signal sources......................................................................................................................242
6.4.4.3 Function diagrams and parameters .....................................................................................243
6.5 Communication failure via PROFIsafe or with TM54F .........................................................245
6.5.1 STOP B as response to communication failure with PROFIsafe control .............................245
6.5.2 Initiating ESR for a communication failure ...........................................................................246
6.6 Control of the Extended/Advanced Functions via F-DI (for CU310-2) .................................248
6.6.1 Assigning Safety Integrated Functions to the F-DI/TM54F ..................................................249
6.6.2 F-DI function.........................................................................................................................249
6.6.2.1 Description ...........................................................................................................................249
6.6.2.2 F-DI features
6.6.2.3 Function diagrams and parameters
6.6.3 Function of the F-DO
6.6.3.1 Description
6.6.3.2 Signal sources for the F-DO
6.6.3.3 Safe state signal selection
6.6.3.4 Function diagrams and parameters
6.7 Motion monitoring without selection
6.8 Safety Info Channel and Safety Control Channel
6.8.1 Safety Info Channel (SIC)
6.8.2 Safety Control Channel (SCC)
6.8.3 Possible telegram configuration (700, 701)
6.8.4 Configuring
6.8.5 Applications
6.8.6 Send data for SIC and SCC
6.8.7 Receive data for SCC
7 Commissioning
7.1 Safety Integrated firmware versions
7.2 Parameters, checksum, version
7.3 Handling the Safety password
7.4 DRIVE-CLiQ rules for Safety Integrated Functions
7.5 Forced checking procedure (test stop)
7.5.1 Setting the forced checking procedure (test stop)
7.5.2 Executing the forced checking procedure (test stop)
7.5.3 Examples for the instants in time that the forced checking procedure (test stop) is performed
7.6 Safety Integrated and ESR
7.7 Commissioning Safety Integrated functions
7.7.1 General information
7.7.2 Notes
7.7.3 Prerequisites for commissioning the Safety Integrated functions
7.7.4 Default settings for commissioning Safety Integrated functions without encoder
7.7.5 Setting the sampling times
7.7.5.1 Rules
7.7.5.2 Overview of important parameters
7.8 Commissioning: Basic procedure
7.8.1 Making basic settings
7.8.1.1 Starting the safety commissioning
7.8.1.2 Making basic safety settings
7.8.1.3 Accepting the settings in the drive
7.8.1.4 Changing the safety password
7.8.2 Basic Functions
7.8.2.1 Commissioning with Startdrive
7.8.2.2 Commissioning via direct parameter access
7.8.3 Extended and Advanced Functions
7.8.3.1 SS1 (Extended Functions)
7.8.4 General settings
7.8.4.1 Parameterizing the actual value acquisition / mechanical system
7.8.4.2 Configuring the control of the safety functions
7.8.4.3 Forced checking procedure (test stop)
7.8.4.4 Function status of the Safety Integrated settings
7.9 Commissioning CU310-2
7.9.1 Basic sequence of commissioning
7.9.2 Forced checking procedure (test stop) of the CU310-2
7.9.2.1 Test mode 1: Evaluation of internal diagnostic signal (passive load)
7.9.2.2 Test mode 2: Read back F-DO in DI (relay circuit)
7.9.2.3 Test mode 3: Read back F-DO into the DI (actuator with feedback signal)
7.9.2.4 Test stop mode parameters
7.10 Commissioning TM54F
7.10.1 Basic sequence of commissioning
7.10.2 Forced checking procedure (test stop) of the TM54F
7.10.2.1 Performing test stop
7.10.2.2 Test mode 1: Evaluation of internal diagnostic signal (passive load)
7.10.2.3 Test mode 2: Read back F-DO in DI (relay circuit)
7.10.2.4 Test mode 3: Read back F-DO into the DI (actuator with feedback signal)
7.10.2.5 Test stop mode: Function diagrams and parameters
7.11 PROFIsafe communication
7.11.1 PROFIsafe via PROFIBUS
7.11.2 PROFIsafe via PROFINET
7.11.3 PROFIsafe configuration with Startdrive
7.11.3.1 Selecting a PROFIsafe telegram
7.12 Modular machine concept Safety Integrated
7.13 Information pertaining to series commissioning
7.14 Application examples
8 Acceptance test
8.1 General information about the acceptance test
8.1.1 Requirements
8.1.2 Requirements for the acceptance test
8.1.3 Parts of the acceptance test
8.1.4 Documentation
8.1.5 More information
8.1.6 Acceptance test mode
8.2 Contents and depth of the acceptance test
8.2.1 Content of the complete acceptance test
8.2.2 Content of the partial acceptance test
8.2.3 Test scope for specific measures
8.2.4 Relevant checksums for the acceptance
8.3 Acceptance test with Startdrive
8.3.1 Notes
8.3.2 Preparing the acceptance test
8.3.3 Performing the acceptance test (example)
8.3.4 Completing the acceptance test with report
8.3.5 Transferring acceptance test results
8.4 Safety logbook
9 System features
9.1 Latest information
9.2 Certification
9.3 Probability of failure of the safety functions (PFH value)
9.4 Response times
9.4.1 STO and SBC via terminals of the Power Modules Blocksize
9.4.2 Control of Basic Functions via terminals on the Control Unit and Motor Module (CU310‑2 and CU320‑2)
9.4.3 Control of Basic Functions via PROFIsafe (CU310‑2 and CU320‑2)
9.4.4 Control of Basic Functions via TM54F
9.4.5 Control of Extended Functions with encoder via PROFIsafe (CU310‑2 and CU320‑2)
9.4.6 Control of Extended Functions with encoder via TM54F (CU310‑2 and CU320‑2)
9.4.7 Control of Extended Functions with encoder via terminals (only CU310-2)
9.4.8 Control of Extended Functions without encoder via PROFIsafe (CU310‑2 and CU320‑2)
9.4.9 Control of Extended Functions without encoder via terminals (only CU310‑2)
9.4.10 Control of Extended Functions without encoder via TM54F (CU310‑2 and CU320‑2)
9.4.11 Control of Advanced Functions with encoder via PROFIsafe (CU310‑2 and CU320‑2)
9.4.12 Control of Advanced Functions with encoder via TM54F (CU310‑2 and CU320‑2)
9.4.13 Control of Advanced Functions with encoder via terminals (only CU310-2)
9.4.14 Advanced Functions without encoder via PROFIsafe (CU310‑2 and CU320‑2)
10 Standards and regulations
10.1 General information
10.1.1 Aims
10.1.2 Functional safety
10.2 Safety of machinery in Europe
10.2.1 Machinery Directive
10.2.2 Harmonized European Standards
10.2.3 Standards for implementing safety-related controllers
10.2.4 DIN EN ISO 13849-1
10.2.5 EN 62061
10.2.6 Series of standards IEC 61508 (VDE 0803)
10.2.7 Risk analysis/assessment
10.2.8 Risk reduction
10.2.9 Residual risk
10.2.10 EC declaration of conformity
10.3 Machine safety in the USA
10.3.1 Minimum requirements of the OSHA
10.3.2 NRTL listing
10.3.3 NFPA 79
10.3.4 ANSI B11
10.4 Machine safety in Japan
10.5 Equipment regulations
10.6 Other safety-related issues
10.6.1 Information sheets issued by the Employer's Liability Insurance Association
10.6.2 Additional references
11 Maintenance
11.1 Information pertaining to component replacements
11.1.1 Details on the replacement of individual components
11.1.2 Replacing motors for safety without encoder
11.1.3 Parameters and function diagrams
11.2 Note regarding firmware update
11.3 Safety faults
11.3.1 Stop responses
11.3.2 Stop response priorities
11.3.3 Acknowledging safety faults
11.4 Message buffer
A Appendix
A.1 Modules available in Startdrive
A.2 List of abbreviations
A.3 Documentation overview
A.4 Change history
A.5 Stop versions
Index

Introduction 1
1.1 The SINAMICS converter family
With the SINAMICS converter family, you can solve any individual drive task in the low-voltage,
medium-voltage and DC voltage range. From converters to motors and controllers, all Siemens
drive components are perfectly matched to each other and can be easily integrated into your
existing automation system. With SINAMICS you are prepared for digitization. You benefit from
highly efficient engineering with a variety of tools for the entire product development and
production process. And you also save space in the control cabinet – thanks to the integrated
safety technology.
You can find additional information about SINAMICS at the following address
(http://www.siemens.com/sinamics).


1.2 General information about SINAMICS documentation

SINAMICS documentation
The SINAMICS documentation is organized in the following categories:
● General documentation/catalogs
● User documentation
● Manufacturer/service documentation

Standard scope
The scope of the functionality described in this document can differ from that of the drive system
that is actually supplied.
● Other functions not described in this documentation might be able to be executed in the
drive system. However, no claim can be made regarding the availability of these functions
when the equipment is first supplied or in the event of service.
● The documentation can also contain descriptions of functions that are not available in a
particular product version of the drive system. Please refer to the ordering documentation
only for the functionality of the supplied drive system.
● Extensions or changes made by the machine manufacturer must be documented by the
machine manufacturer.
For reasons of clarity, this documentation does not contain all of the detailed information on all
of the product types, and cannot take into consideration every conceivable type of installation,
operation and service/maintenance.

Target group
This documentation is intended for machine manufacturers, commissioning engineers, and
service personnel who use the SINAMICS drive system.

Benefits
This manual provides all of the information, procedures and operator actions required for the
particular usage phase.

Siemens MySupport/Documentation
You can find information on how to create your own individual documentation based on
Siemens content and adapt it for your own machine documentation at the following address
(https://support.industry.siemens.com/My/ww/en/documentation).


Additional information
You can find information on the topics below at the following address
(https://support.industry.siemens.com/cs/de/en/view/108993276):
● Ordering documentation/overview of documentation
● Additional links to download documents
● Using documentation online (find and search in manuals/information)

Questions relating to the technical documentation


Please send any questions about the technical documentation (e.g. suggestions for
improvement, corrections) to the following email address
(mailto:docu.motioncontrol@siemens.com).

FAQs
You can find Frequently Asked Questions about SINAMICS under Product Support
(https://support.industry.siemens.com/cs/de/en/ps/faq).

Siemens Support while on the move


With the "Siemens Industry Online Support" app, you can access more than 300,000
documents for Siemens Industry products – any time and from anywhere. The app supports
you in the following areas, for example:
● Resolving problems when executing a project
● Troubleshooting when faults develop
● Expanding a system or planning a new system
Furthermore, you have access to the Technical Forum and other articles that our experts have
drawn up:
● FAQs
● Application examples
● Manuals
● Certificates
● Product announcements and much more
The "Siemens Industry Online Support" app is available for Apple iOS and Android.

Data matrix code on the rating plate


The data matrix code on the rating plate contains the specific device data. This code can be
read with any smartphone, and technical information for the appropriate device can be
displayed via the "Industry Online Support" mobile app.


Websites of third-party companies


This document includes hyperlinks to websites of third-party companies. Siemens is not
responsible for and shall not be liable for these websites or their content, as Siemens has not
checked the information contained in the websites and is not responsible for the content or
information they provide. The use of such websites is at the user's own risk.


1.3 Usage phases and their documents/tools

Usage phase: Document/tool

Orientation: SINAMICS S Sales Documentation
Planning/configuration:
● SIZER Engineering Tool
● Configuration Manuals, Motors
Deciding/ordering: SINAMICS S120 catalogs
● SINAMICS S120 and SIMOTICS (Catalog D 21.4)
● SINAMICS Converters for Single-Axis Drives and SIMOTICS Motors (Catalog D 31)
● SINAMICS Converters for Single-Axis Drives – Built-In Units (D 31.1)
● SINAMICS Converters for Single-Axis Drives – Distributed Converters (D 31.2)
● SINAMICS S210 Servo Drive System (D 32)
● SINUMERIK 840 Equipment for Machine Tools (Catalog NC 62)
Installation/assembly:
● SINAMICS S120 Equipment Manual for Control Units and Supplementary System Components
● SINAMICS S120 Equipment Manual for Booksize Power Units
● SINAMICS S120 Equipment Manual for Chassis Power Units
● SINAMICS S120 Equipment Manual for Chassis Power Units, Liquid-cooled
● SINAMICS S120 Equipment Manual water-cooled chassis power units for common cooling circuits
● SINAMICS S120 Equipment Manual for Chassis Power Units, Air-cooled
● SINAMICS S120 Equipment Manual for AC Drives
● SINAMICS S120 Equipment Manual Combi
● SINAMICS S120M Equipment Manual Distributed Drive Technology
● SINAMICS HLA System Manual Hydraulic Drives
Commissioning:
● Startdrive Commissioning Tool
● SINAMICS S120 Getting Started with Startdrive
● SINAMICS S120 Commissioning Manual with Startdrive
● SINAMICS S120 Function Manual Drive Functions
● SINAMICS S120 Safety Integrated Function Manual
● SINAMICS S120 Function Manual Communication
● SINAMICS S120/S150 List Manual
● SINAMICS HLA System Manual Hydraulic Drives
Usage/operation:
● SINAMICS S120 Commissioning Manual with Startdrive
● SINAMICS S120/S150 List Manual
● SINAMICS HLA System Manual Hydraulic Drives
Maintenance/servicing:
● SINAMICS S120 Commissioning Manual with Startdrive
● SINAMICS S120/S150 List Manual
References:
● SINAMICS S120/S150 List Manual


1.4 Where can the various topics be found?

Software: Manual
● Alarms (described in order of ascending numbers): SINAMICS S120/S150 List Manual
● Parameters (described in order of ascending numbers): SINAMICS S120/S150 List Manual
● Function block diagrams (sorted according to topic, described in order of ascending numbers): SINAMICS S120/S150 List Manual
● Drive functions: SINAMICS S120 Function Manual Drive Functions
● Communication topics: SINAMICS S120 Function Manual Communication 2)
● Safety Integrated, Basic and Extended Functions: SINAMICS S120 Safety Integrated Function Manual
● Safety Integrated, Basic Functions: SINAMICS S120 Function Manual Drive Functions
● Commissioning of a simple SINAMICS S120 drive with STARTER: Getting Started 1)
● Commissioning with STARTER: SINAMICS S120 Commissioning Manual 1)
● Commissioning of a simple SINAMICS S120 drive with Startdrive: Getting Started with Startdrive 2)
● Commissioning with Startdrive: SINAMICS S120 Commissioning Manual with Startdrive 2)
● Web server: SINAMICS S120 Function Manual Drive Functions

Hardware: Manual
● Control Units and expansion components (Control Units, Option Boards, Terminal Modules, Encoder system connection, DRIVE‑CLiQ HUB Modules, VSM10): SINAMICS S120 Equipment Manual for Control Units and Supplementary System Components
● Booksize power units (Line connection, Line Modules, Motor Modules, Control cabinet design, DC link components, Braking resistors): SINAMICS S120 Equipment Manual for Booksize Power Units
● Chassis power units: SINAMICS S120 Equipment Manual for Chassis Power Units, air, liquid or water cooled
● AC drive components: SINAMICS S120 Equipment Manual for AC Drives
● S120 Combi components: SINAMICS S120 Equipment Manual Combi
● Diagnostics via LEDs, STARTER: SINAMICS S120 Commissioning Manual 1)
● Diagnostics via LEDs, Startdrive: SINAMICS S120 Commissioning Manual with Startdrive 2)
● Diagnostics via LEDs, meaning of the LEDs: Equipment Manuals
● High Frequency Drive components: SINAMICS S120 System Manual High Frequency Drives

1) Up to firmware version 5.1 SP1
2) From firmware version 5.2


1.5 Training and support

Training
You can find information on SITRAIN at the following address
(http://www.siemens.com/sitrain). SITRAIN offers training courses for products, systems and
solutions in drive and automation technology from Siemens.

Technical Support
To ask a technical question or create a support request, click on "Support Request" at the
following address (https://support.industry.siemens.com/cs/ww/en/sc/4868) and select
"Create Request".


1.6 Using OpenSSL


Many SINAMICS products include OpenSSL. The following applies to these products:
● This product contains software (https://www.openssl.org/) that has been developed by the
OpenSSL project for use in the OpenSSL toolkit.
● This product contains cryptographic software (mailto:eay@cryptsoft.com) created by Eric
Young.
● This product contains software (mailto:eay@cryptsoft.com) developed by Eric Young.


1.7 General Data Protection Regulation

Compliance with the General Data Protection Regulation


Siemens respects the principles of data protection, in particular the data minimization rules
(privacy by design).
For this product, this means:
The product neither processes nor stores any person-related data, only technical function
data (e.g. time stamps). If the user links these data with other data (e.g. shift plans) or if he
stores person-related data on the same data medium (e.g. hard disk), thus personalizing these
data, he has to ensure compliance with the applicable data protection stipulations.

Fundamental safety instructions 2
2.1 Fundamental safety instructions

2.1.1 General safety instructions

WARNING
Danger to life if the safety instructions and residual risks are not observed
If the safety instructions and residual risks in the associated hardware documentation are not
observed, accidents involving severe injuries or death can occur.
● Observe the safety instructions given in the hardware documentation.
● Consider the residual risks for the risk evaluation.

WARNING
Malfunctions of the machine as a result of incorrect or changed parameter settings
As a result of incorrect or changed parameterization, machines can malfunction, which in turn
can lead to injuries or death.
● Protect the parameterization against unauthorized access.
● Handle possible malfunctions by taking suitable measures, e.g. emergency stop or
emergency off.

2.1.2 Warranty and liability for application examples


Application examples are not binding and do not claim to be complete regarding configuration,
equipment or any eventuality which may arise. Application examples do not represent specific
customer solutions, but are only intended to provide support for typical tasks.
As the user you yourself are responsible for ensuring that the products described are operated
correctly. Application examples do not relieve you of your responsibility for safe handling when
using, installing, operating and maintaining the equipment.

2.1.3 Security information


Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.

Safety Integrated
Function Manual, 06/2020, 6SL3097-5AR00-0BP3 21
Fundamental safety instructions
2.1 Fundamental safety instructions

In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be connected
to an enterprise network or the internet if and to the extent such a connection is necessary and
only when appropriate security measures (e.g. firewalls and/or network segmentation) are in
place.
For additional information on industrial security measures that may be implemented, please
visit https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends that product updates are applied as soon as they are available
and that the latest product versions are used. Use of product versions that are no longer
supported, and failure to apply the latest updates may increase customer’s exposure to cyber
threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under
https://www.siemens.com/industrialsecurity (https://new.siemens.com/global/en/products/services/cert.html#Subscriptions).
Further information is provided on the Internet:
Industrial Security Configuration Manual (https://support.industry.siemens.com/cs/ww/en/view/108862708)

WARNING
Unsafe operating states resulting from software manipulation
Software manipulations, e.g. viruses, Trojans, or worms, can cause unsafe operating states
in your system that may lead to death, serious injury, and property damage.
● Keep the software up to date.
● Incorporate the automation and drive components into a holistic, state-of-the-art industrial
security concept for the installation or machine.
● Make sure that you include all installed products into the holistic industrial security concept.
● Protect files stored on exchangeable storage media from malicious software with
suitable protection measures, e.g. virus scanners.
● On completion of commissioning, check all security-related settings.

2.2 Fundamental safety instructions for Safety Integrated


Additional safety information and residual risks not specified in this chapter are included in the
relevant sections of this Function Manual.

DANGER
Risk minimization through Safety Integrated
Safety Integrated can be used to minimize the level of risk associated with machines and
plants.
Machines and plants can only be operated safely in conjunction with Safety Integrated,
however, when the machine manufacturer:
● Precisely knows and observes this technical user documentation - including the
documented limitations, safety information and residual risks.
● Carefully constructs and configures the machine/plant. A careful and thorough acceptance
test must then be performed by qualified personnel and the results documented.
● Implements and validates all the measures required in accordance with the machine/plant
risk analysis by means of the programmed and configured Safety Integrated Functions or
by other means.
The use of Safety Integrated does not replace the machine/plant risk assessment carried out
by the machine manufacturer as required by the EC machinery directive.
In addition to using Safety Integrated Functions, further risk reduction measures must be
implemented.

NOTICE
Danger to life as a result of inactive Safety Integrated Functions after powering up
The Safety Integrated Functions are only activated after the system has completely powered
up. System startup is a critical operating state with increased risk. When accidents occur, this
can result in death or severe injury.
● Make sure that the machine is safe during the system start-up.

WARNING
Danger to life as a result of undesirable motor movement when automatically restarting
The Emergency Stop function must bring the machine to a standstill according to Stop
Category 0 or 1 (STO or SS1) (EN 60204-1).
It is not permissible that the motor automatically restarts after an Emergency Stop, as this
represents danger to life as a result of the associated undesirable motor motion.
When individual safety functions (Safety Integrated Extended Functions or Safety Integrated
Advanced Functions) are deactivated, an automatic restart is permitted under certain
circumstances depending on the risk analysis (except when Emergency Stop is reset). An
automatic start is permitted when a protective door is closed, for example.
● For the cases listed above, ensure that an automatic restart is absolutely not possible.

WARNING
Danger to life as a result of undesirable motor motion when the system powers up and the
drives are activated after changing or replacing hardware and/or software
After hardware and/or software components have been modified or replaced, it is only
permissible for the system to run up and the drives to be activated with the protective devices
closed. Personnel shall not be present within the danger zone.
● It may be necessary to carry out a partial or complete acceptance test or a simplified
functional test after having made certain changes or replacements.
● Before personnel may re-enter the hazardous area, all of the drives should be tested to
ensure that they exhibit stable control behavior by briefly moving them in both the plus and
minus directions (+/-).
● When switching on, carefully observe the following:
The Safety Integrated Functions are only available and can only be selected after the
system has completely powered up.

WARNING
Parameterizing the encoder system
Encoder faults are detected using different hardware and software monitoring functions.
● It is not permissible to disable these monitoring functions (i.e. the encoder monitoring in the
Sensor Module) and they must be parameterized carefully. Depending on the fault type
and responding monitoring function, stop function Category 0 or 1 in accordance with
EN 60204-1 (fault response functions STOP A or STOP B in accordance with Safety
Integrated) is selected (see "Table 11-1 Overview of stop responses (Page 395)").

Note
EDS switchover for safe motion monitoring
An encoder which is used for safety functions must not be switched over when a drive data set
(DDS) is switched over.
The safety functions check the safety-relevant encoder data for changes when data sets are
switched over. If a change is detected, fault F01670 is displayed with a fault value of 10, which
results in a non-acknowledgeable STOP A.
● The safety-relevant encoder data in the various data sets must therefore be identical.

WARNING
Converter operation despite active messages
With activated safety functions, there are a number of system messages that still permit the
drive to be traversed. In these cases, you must ensure that the causes of the messages are
corrected immediately. These messages include, among others, the following:
● A01774 SI Motion CU: Test stop required
A01697 SI Motion: Motion monitoring test required
Perform the required test stop.
● F13000 licensing is insufficient.
Purchase the license required for operation of the Extended/Advanced Functions or
activate a Trial License.
● A01669 (F, N) SI Motion: Unsuitable combination of motor and power unit.
The motor / power unit combination can result in decreased robustness (incorrect
detection of errors) in the system when operating with SI Motion.

2.3 Residual risk


The fault analysis enables machine manufacturers to determine the residual risk at their
machine with regard to the drive unit. The following residual risks are known:

WARNING
Danger due to short, limited movements
If two power transistors simultaneously fail in the power unit (one in the upper and one in the
lower inverter bridge), then this can cause brief, limited movement.
The maximum movement can be:
● Synchronous rotary motors: Max. movement = 180° / no. of pole pairs
● Synchronous linear motors: Max. movement = pole width

NOTICE
Material damage due to overshooting the speed or position that briefly violates the limit value.
Violation of limits may briefly lead to a speed higher than the speed setpoint, or the axis may
pass the defined position to a certain extent, depending on the dynamic response of the drive
and on parameter settings.
● Design your machine appropriately.

WARNING
Residual risk for a single-encoder system
Within a single-encoder system:
a) A single electrical fault in the encoder
b) A break of the encoder shaft (or loose encoder shaft coupling), or a loose encoder housing
will cause the encoder signals to remain static (that is, they no longer follow a movement while
still returning a correct level), and prevent fault detection while the drive is in stop state (for
example, drive in SOS state).
Generally, the drive is held by the active closed-loop control. Especially for drives with
suspended load, from a closed-loop control perspective, it is conceivable that drives such as
these move without this being detected.
The risk of an electrical fault in the encoder as described under a) is only present for a few
encoder types employing a specific principle of operation.
● All of the faults described above must be included in the risk analysis of the machine
manufacturer. Additional safety measures have to be taken for drives with suspended/
vertical or pulling loads - e.g. in order to exclude faults under a):
– Use of an encoder with analog signal generation
– Use of a two-encoder system
● Failsafe detection of slip on the encoder shaft - or a broken encoder shaft connection.
You can implement failsafe detection of slip on the encoder shaft or a broken motor-
encoder shaft by checking the plausibility of the acquired safety-relevant actual value with
respect to the expected setpoint. If the actual value does not lie within a configurable
tolerance bandwidth around the setpoint within a defined time, then it can be assumed that
there is either slip - or that there is a broken connection between the encoder and the
motor. You must ensure this monitoring functionality in the safety user program according
to SIL 2 or PL d.
● For excluding the fault under b):
– Perform an FMEA regarding encoder shaft breakage (or slip of the encoder shaft
coupling) as well as loose encoder housings and use a fault exclusion process
according to IEC 61800-5-2, or
– Implementation of a two-encoder system (the encoders must not be mounted on the
same shaft).
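
The setpoint/actual-value plausibility check described in the warning above, as an added Python illustration that is not part of the manual or of any Siemens software. It models only the monitoring logic (tolerance band plus time limit); the class, constants, units and traces are constructed assumptions. The third trace shows that a static encoder signal at a constant setpoint never leaves the band, which is the stop-state case the text addresses with the other listed measures.

```python
"""Setpoint/actual-value plausibility check for encoder slip or a broken coupling.

Added illustration, not code from the manual. All names, units and sample
values are assumptions; the traces are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

Sample = Tuple[int, int, int]  # (time in ms, position setpoint in mm, safe actual position in mm)

CYCLE_MS = 10            # assumed monitoring cycle
TOLERANCE_MM = 2         # assumed tolerance band around the setpoint
MAX_DEVIATION_MS = 100   # assumed time the actual value may stay outside the band


@dataclass
class PlausibilityMonitor:
    tolerance: int
    max_deviation_ms: int
    outside_since: Optional[int] = None   # time at which the band was left
    fault: bool = False                   # latched until reset() is called

    def update(self, t_ms: int, setpoint: int, actual: int) -> bool:
        """Process one sample; return True once the fault is latched."""
        if self.fault:
            return True
        if abs(actual - setpoint) <= self.tolerance:
            self.outside_since = None     # back inside the band: timing restarts
        else:
            if self.outside_since is None:
                self.outside_since = t_ms
            if t_ms - self.outside_since >= self.max_deviation_ms:
                self.fault = True
        return self.fault

    def reset(self) -> None:
        self.outside_since = None
        self.fault = False


def first_fault_time(trace: Iterable[Sample],
                     tolerance: int = TOLERANCE_MM,
                     max_deviation_ms: int = MAX_DEVIATION_MS) -> Optional[int]:
    """Return the time (ms) at which the fault latches, or None if it never does."""
    monitor = PlausibilityMonitor(tolerance, max_deviation_ms)
    for t_ms, setpoint, actual in trace:
        if monitor.update(t_ms, setpoint, actual):
            return t_ms
    return None


def setpoint_at(t_ms: int) -> int:
    """Constructed profile: standstill for 100 ms, then 1 mm per 10 ms cycle."""
    return max(0, (t_ms - 100) // CYCLE_MS)


def healthy_actual(t_ms: int) -> int:
    """Actual value lags one cycle; a 50 ms disturbance adds 3 mm of following error."""
    disturbance = 3 if 300 <= t_ms < 350 else 0
    return setpoint_at(t_ms - CYCLE_MS) - disturbance


def broken_coupling_actual(t_ms: int) -> int:
    """Encoder signal freezes at t = 400 ms while the setpoint keeps moving."""
    return healthy_actual(t_ms) if t_ms < 400 else healthy_actual(400)


def build_trace(actual_fn: Callable[[int], int],
                setpoint_fn: Callable[[int], int] = setpoint_at,
                duration_ms: int = 1000) -> List[Sample]:
    return [(t, setpoint_fn(t), actual_fn(t))
            for t in range(0, duration_ms + 1, CYCLE_MS)]


# Constructed traces.
HEALTHY = build_trace(healthy_actual)
BROKEN_COUPLING = build_trace(broken_coupling_actual)
# Standstill: constant setpoint, encoder signal static at the same value.
# The real load position is not visible to the monitor in this case.
STANDSTILL_STATIC = build_trace(lambda t: 50, setpoint_fn=lambda t: 50)


if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY),
                        ("broken coupling", BROKEN_COUPLING),
                        ("standstill, static encoder", STANDSTILL_STATIC)):
        print(f"{name}: fault latched at {first_fault_time(trace)} ms")
```
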

3 General information about SINAMICS Safety Integrated

3.1 Supported functions
All of the Safety Integrated Functions available under SINAMICS S120 are listed in this chapter.
The safety functions listed here conform to:
● Safety Integrity Level (SIL) 2 according to IEC 61508
● Category 3 according to DIN EN ISO 13849‑1
● Performance level (PL) d according to DIN EN ISO 13849-1
The safety functions correspond to the functions according to DIN EN 61800‑5‑2 (under the
assumption that they are defined there).

Note
Parallel use of Safety Integrated Functions
All Safety Integrated Functions can be used simultaneously.
Exception: If SOS and SLS are activated simultaneously, SOS has higher priority and overrides
the SLS reaction.

SINAMICS makes a distinction between the following function groups:


● Safety Integrated Basic Functions (Page 30)
● Safety Integrated Extended Functions (Page 31)
● Safety Integrated Advanced Functions (Page 32)

3.1.1 Safety Integrated Basic Functions


The Safety Integrated Basic Functions are part of the standard scope of the drive and can be
used without an additional license. These functions are always available. These functions do
not require an encoder and/or do not place any special requirements on the encoder used.
● Safe Torque Off (STO)
Safe Torque Off is a safety function to avoid unexpected startup in accordance with
EN 60204‑1. STO prevents the supply of power to the motor, which can produce a torque.
This is equivalent to stop category 0.
● Safe Stop 1 (SS1, time-controlled)
Safe Stop 1 is based on the "Safe Torque Off" function. This means that a Category 1 stop
in accordance with EN 60204-1 can be implemented.
● Safe Brake Control (SBC)
Safe Brake Control is used to safely control a holding brake. 1) 2)

1) Note regarding Power/Motor Modules in the chassis format: For the chassis format, SBC is
only supported by Power/Motor Modules with article number ...3 or higher. A Safe Brake
Adapter is also needed for this design.
2) Note regarding Power/Motor Modules in the blocksize format: Blocksize Power Modules also
require a Safe Brake Relay for this function.

3.1.2 Safety Integrated Extended Functions


The Safety Integrated Extended Functions require an additional Safety Extended license.
Extended Functions with encoder require an encoder with safety capability (see Chapter
"Reliable actual value acquisition with encoder system (Page 160)").
● Safe Torque Off (STO)
Safe Torque Off is a safety function to avoid unexpected starting in accordance with
EN 60204‑1.
● Safe Stop 1 (SS1, time and acceleration controlled)
Safe Stop 1 is based on the "Safe Torque Off" function. This means that a Category 1 stop
in accordance with EN 60204-1 can be implemented.
● Safe Brake Control (SBC)
Safe Brake Control is used to safely control a holding brake.1) 2)
● Safe Operating Stop (SOS)
Safe Operating Stop is used to protect against unintentional movement. The drive is in
closed-loop control mode and is not disconnected from the power supply.
● Safe Stop 2 (SS2)
Safe Stop 2 is used to safely brake the motor with a subsequent transition into the "Safe
Operating Stop" state (SOS). This means that a Category 2 stop in accordance with EN
60204-1 can be implemented.
● Safely-Limited Speed (SLS)
Safely-Limited Speed ensures that the drive does not exceed a preset speed/velocity limit.
● Safe Speed Monitor (SSM)
Safe Speed Monitor is used for safely identifying when a speed limit is undershot in both
directions of motion, e.g. to identify zero speed. A failsafe output signal is available for
further processing.
● Safe Direction (SDI)
Safe Direction is used to safely monitor the direction of motion.
● Safe gearbox stage switchover
The "Safe gearbox stage switchover" function facilitates reliable switching between different
gearbox stages. The switchover is only possible via PROFIsafe.
● Safely-Limited Acceleration (SLA)
Safely-Limited Acceleration monitors the acceleration (in the same way as SLS) and intervenes
when a limit value is violated. SLA cannot prevent the acceleration threshold from being
briefly exceeded.
● Safe Brake Test (SBT)
The diagnostic function "Safe Brake Test" (SBT) checks the required holding
torque of a brake (operating or holding brake).

1) Note regarding Power/Motor Modules in the chassis format: For the chassis format, SBC is
only supported by Power/Motor Modules with article number ...3 or higher. A Safe Brake
Adapter is also needed for this design.
2) Note regarding Power/Motor Modules in the blocksize format: Blocksize Power Modules also
require a Safe Brake Relay for this function.

3.1.3 Safety Integrated Advanced Functions


The Safety Integrated Advanced Functions require an additional Safety Advanced license.
Advanced Functions with encoder require an encoder with safety capability (see Chapter
"Reliable actual value acquisition with encoder system (Page 160)").
● Safely Limited Position (SLP)
Safely Limited Position ensures that a freely definable traversing range is not left.
● Transferring safe position values (SP)
The "Transfer safe position values (SP)" function enables you to transfer a safe position to
the higher-level control via PROFIsafe.
● Safe Cam (SCA)
The "Safe Cam" function outputs a safe signal if the drive is within a specified position range.
It facilitates the realization of safe axis-specific range detection.

3.2 Supported functions: HLA module


SINAMICS HLA supports the following Safety Integrated Functions:
● Safety Integrated Basic Functions
● Safety Integrated Extended Functions
● Safety Integrated Advanced Functions

Note
Only "linear" axis type permitted
For SINAMICS HLA, only the "linear" axis type is permitted.

Note
Commissioning
SINAMICS HLA can only be commissioned with STARTER.

Comparison, description of electric ↔ hydraulic drives


In the Safety Integrated Function Manual, Safety Integrated Functions are described from the
perspective of an electric drive. However, these descriptions essentially also apply in the same
way for hydraulic systems. You will find parameters and messages for the drive object HLA in
the SINAMICS S120/S150 List Manual.

See also
HLA: Safety Integrated Basic Functions (Page 33)
HLA: Safety Integrated Extended Functions (Page 34)
HLA: Safety Integrated Advanced Functions (Page 35)

3.2.1 HLA: Safety Integrated Basic Functions


The Safety Integrated Basic Functions are part of the standard scope of the drive and can be
used without an additional license. These functions are always available. These functions do
not require an encoder and/or do not place any special requirements on the encoder used.
● Safe Torque Off (STO)
Safe Torque Off is a safety function to avoid unexpected startup in accordance with
EN 60204‑1. STO prevents the supply of power to the valve, which can produce a force. It
is equivalent to Stop Category 0.
● Safe Stop 1 (SS1, time-controlled)
Safe Stop 1 is based on the "Safe Torque Off" function. This means that a Category 1 stop
in accordance with EN 60204-1 can be implemented.

3.2.2 HLA: Safety Integrated Extended Functions


SINAMICS HLA supports the following Safety Integrated Functions:
● The Safety Integrated Extended Functions require an additional Safety Extended license.
Extended Functions with encoder require an encoder with safety capability (see Chapter
"Reliable actual value acquisition with encoder system (Page 160)").
Note
Only Safety Integrated with encoder is possible
SINAMICS HLA only supports Safety Integrated Extended Functions with encoder.
These functions require an additional safety license. Extended Functions with encoder
require an encoder with safety capability.
Note
Encoder types for SINAMICS HLA
The following encoder types are permissible for SINAMICS HLA:
● Single-encoder systems
– DRIVE-CLiQ encoder with safety capability
– sin/cos encoder connected via SME20/25, SME120/125 or SMC20 (1 VPP, pure
analog signal processing)
● 2-encoder systems
– Encoders with DRIVE-CLiQ connection
– sin/cos encoder connected via SME20/25, SME120/125 or SMC20 (1 VPP, pure
analog signal processing)
– HTL/TTL encoder connected via SMC30 (not in connection with SINUMERIK)
– TTL encoder connected via the onboard interface of the HLA module (not in
connection with SINUMERIK)

– Safe Torque Off (STO)
Safe Torque Off is a safety function to avoid unexpected startup in accordance with
EN 60204‑1.
– Safe Stop 1 (SS1, time and acceleration controlled)
Safe Stop 1 is based on the "Safe Torque Off" function. This means that a Category 1
stop in accordance with EN 60204-1 can be implemented.
– Safe Operating Stop (SOS)
Safe Operating Stop provides protection against unwanted movements. The drive is in
closed-loop control mode and is not disconnected from the power supply.
– Safe Stop 2 (SS2)
Safe Stop 2 is used to safely brake the valve with a subsequent transition into the "Safe
Operating Stop" state (SOS). This means that a Category 2 stop in accordance with EN
60204-1 can be implemented.
– Safely-Limited Speed (SLS)
Safely-Limited Speed ensures that the drive does not exceed a preset speed limit.

– Safe Speed Monitor (SSM)
Safe Speed Monitor is used for safely identifying when a speed limit is undershot in both
directions of motion, e.g. to identify zero speed. A failsafe output signal is available for
further processing.
– Safe Direction (SDI)
Safe Direction is used to safely monitor the direction of motion.
– Safely-Limited Acceleration (SLA)
Safely-Limited Acceleration monitors the acceleration (in the same way as SLS) and
intervenes when a limit value is violated. SLA cannot prevent the acceleration
threshold from being briefly exceeded.

3.2.3 HLA: Safety Integrated Advanced Functions


The Safety Integrated Advanced Functions require an additional Safety Advanced license.
Advanced Functions with encoder require an encoder with safety capability (see Chapter
"Reliable actual value acquisition with encoder system (Page 160)").
● Safely Limited Position (SLP)
Safely Limited Position ensures that a freely definable traversing range is not left.
● Transferring safe position values (SP)
The "Transfer safe position values (SP)" function enables you to transfer a safe position to
the higher-level control via PROFIsafe.
● Safe Cam (SCA)
The "Safe Cam" function outputs a safe signal if the drive is within a specified position range.
It facilitates the realization of safe axis-specific range detection.

3.3 Drive products with integrated safety functions


[Table: overview of drive products (SINAMICS, SIMATIC, motor starters) for applications with fixed speed, applications with variable speed, and high-performance and motion control applications. For each product the table lists the integrated safety functions according to IEC (Safe Torque Off, Safe Stop, Safe Brake Control, Safe Operating Stop, Safely-Limited Speed, Safe Speed Monitor, Safe Direction, Safely-Limited Position, Safe Cam, Safely-Limited Acceleration), the integrated safe diagnostic function (Safe Brake Test), the failsafe interfaces (PROFIBUS/PROFINET with PROFIsafe profile, failsafe inputs, failsafe outputs) and the certifications (EN ISO category and performance level, IEC SIL, NFPA, NRTL listed).]

3.4 Examples of how the safety/diagnostic functions can be applied

| Safety function | Application examples | Possible solution |
|---|---|---|
| STO | It is only permissible to open a protective door if the motor torque has been switched off. | ● Select STO in the converter via a terminal or via PROFIsafe. ● The pulses are suppressed and the motor coasts to a standstill. |
| STO | A central Emergency Stop button ensures that several drives cannot unintentionally start. | Evaluating the Emergency Stop button in a central controller, selecting STO in the converter via PROFIsafe. |
| SS1 | A drive must brake as quickly as possible after the Emergency Stop button has been pressed. It is not permissible that the stationary motor undesirably accelerates. | Select SS1 in the converter using a failsafe input or via PROFIsafe. |
| SBC | Safe control of a motor holding brake must be guaranteed to ensure the motor is at a standstill. | SBC is (if configured) initiated together with STO. The Motor Module / Safe Brake Relay / Safe Brake Adapter then carries out the action and safely controls the outputs for the brake. |
| SOS | The standstill position of the motor must be monitored and ensured. | Select SOS, e.g. through SS2, in order to monitor the standstill position of the motor after braking. |
| SS2 | A drive must brake as quickly as possible after the Emergency Stop button has been pressed. The standstill position of the motor must be monitored and ensured. | Select SS2 in the converter using a failsafe input or via PROFIsafe. |
| SLS | The machine operator must be able to enter the machine after the protective door has been opened and slowly move a horizontal conveyor with an acknowledgment button in the danger zone. | Selecting SLS in the converter. The converter limits and monitors the velocity of the horizontal conveyor. |
| SLS | A spindle drive, depending on the selection of the cutting tool, must not exceed a specific maximum speed. | Selecting SLS and the corresponding SLS level in the converter via PROFIsafe. |
| SSM | A centrifuge may only be filled below a velocity defined by the user. | If the Extended Functions are enabled, SSM is always available 1). The function does not have to be selected. The converter safely monitors the centrifuge speed and enables the process to advance to the next step using the "SSM status" bit. |
| SDI | A protective door must only be opened if a drive moves in the safe direction (away from the operator). | Selecting SDI in the converter; enable the protective doors via status bit (PROFIsafe) of the converter. |
| SDI | ● When replacing the plates of the pressure cylinders, the drive must only move in the safe direction of rotation. ● Once the protection against jamming has been triggered, a roller shutter gate must only be able to start moving in one direction. ● At an operational limit switch, the trolley of a crane must only start in the opposite direction. | Selecting SDI in the converter. Disabling the hazardous direction of rotation. |
| Safe gearbox stage switchover | For a machine equipped with selector gearbox it must be ensured that the switchover is actually performed. | The "Safe gearbox stage switchover" function ensures safe switchover between the gearbox stages. |
| SLA | In the setup mode, it is not permissible that the drive exceeds the permissible acceleration. | Selecting SLA in the converter. The converter limits and monitors the acceleration of the machine. |
| SLP | The drive must not exit the specified position ranges. | Selection of SLP in the converter; inhibits the range that is not permitted. |
| SP | It is necessary to transmit a "safe position," for example, in the following use cases: ● Safe cam sequencer ● Calculation of the safe velocity ● Safety concepts across axes – Multi-dimensional protection areas ● Zone concepts – Safe response depending on the position of the axes – Different reaction to sensors | The selection of SP in the converter enables you to transfer a safe position (i.e. absolute or relative position) to the higher-level controller via PROFIsafe. |
| SCA | It is only permissible that a protective door is opened if a drive is in a certain position range. | ● Select SCA ● Interlock protective door in response to the SCA feedback signals via PROFIsafe |
| SCA | The drive must only be traversed with reduced speed when it is located in a certain position range. | ● Select SCA ● Activate an SLS stage in response to the SCA feedback signals via PROFIsafe |

1) Exception: Motion monitoring without selection (Page 255)

| Diagnostic function | Application examples | Possible solution |
|---|---|---|
| SBT | The effect of a brake is reduced through wear. | The diagnostic function "Safe Brake Test SBT" detects whether a brake provides the required braking effect. |

3.5 General information about operating components with Safety Integrated activated

It is not permissible to withdraw and insert components. Malfunctions can occur when
components are withdrawn or inserted that are used for Safety Integrated. However, this does
not mean that the fail-safe state is exited. For example, PROFIsafe communication is not
reestablished after this event.
Withdrawing and inserting components used for Safety Integrated (power units, Sensor
Modules, TM54F) during operation and in the deactivated state is not permissible. Activating
the components always requires a POWER ON (see Chapter "Modular machine concept
Safety Integrated (Page 325)").

3.6 Drive monitoring with or without encoder


If motors without a (safety-capable) encoder are being used, not all Safety Integrated Functions
can be used.

Note
Definition: "Without encoder"
When "without encoder" is used in this manual, then this always means that either no encoder
or no safety-capable encoder is being used.

In operation without encoder the actual speed values are calculated from the measured
electrical actual values. Therefore, speed monitoring is also possible during operation without
encoder.

Table 3-1 Overview of Safety Integrated Functions

| Function group | Function | Abbr. | With encoder | Without encoder | Brief description |
|---|---|---|---|---|---|
| Basic Functions | Safe Torque Off | STO | Yes | Yes | Safe torque off |
| Basic Functions | Safe Stop 1 | SS1 | Yes | Yes | Safe stopping process in accordance with Stop Category 1 |
| Basic Functions | Safe Brake Control | SBC | Yes | Yes | Safe brake control |
| Extended Functions | Safe Torque Off | STO | Yes | Yes 1) | Safe torque off |
| Extended Functions | Safe Stop 1 | SS1 | Yes | Yes 1) | Safe stopping process in accordance with Stop Category 1 |
| Extended Functions | Safe Brake Control | SBC | Yes | Yes 1) | Safe brake control |
| Extended Functions | Safe Operating Stop | SOS | Yes | No | Safe monitoring of the standstill position |
| Extended Functions | Safe Stop 2 | SS2 | Yes | No | Safe stopping process in accordance with Stop Category 2 |
| Extended Functions | Safely-Limited Speed | SLS | Yes | Yes 1) | Safe monitoring of the maximum speed |
| Extended Functions | Safe Speed Monitor | SSM | Yes | Yes 1) | Safe monitoring of the minimum speed |
| Extended Functions | Safe Direction | SDI | Yes | Yes 1) | Safe monitoring of the direction of motion |
| Extended Functions | Safe gearbox stage switchover | – | Yes | No | – |
| Extended Functions | Safe referencing | SR | Yes | No | Safe referencing |
| Extended Functions | Safely-Limited Acceleration | SLA | Yes | No | Safely limited acceleration |
| Extended Functions | Safe Acceleration Monitor | SAM | Yes | Yes 1) | Safe monitoring of drive acceleration |
| Extended Functions | Safe Brake Ramp | SBR | Yes | Yes 1) | Safe braking ramp |
| Extended Functions | Diagnostic function Safe Brake Test | SBT | Yes | No | Safe test of the required holding torque of a brake |
| Advanced Functions | Safely-Limited Position | SLP | Yes | No | Safely limited position |
| Advanced Functions | Transfer safe position values | SP | Yes | Yes 1) | Transfer safe position values |
| Advanced Functions | Safe Cam | SCA | Yes | No | Safe cam |

1) The use of this safety function without an encoder is permitted only for the following motors:
- Induction motors
- SIMOTICS A-1FU synchronous motors (previously: SIEMOSYN)
- Synchronous reluctance motors

The configuration of the Safety Integrated Functions and the selection of monitoring with or
without encoder is realized in the safety screens of the Startdrive commissioning tool.

4 Overview of Safety Integrated functions
4.1 Safety Integrated Basic Functions

Note
Basic Functions do not require an encoder
The Safety Integrated Basic Functions are functions for safely stopping the drive. You do not
require an encoder.

Note
Application of the Basic Functions
Basic Functions are available in all control modes with and without encoder for synchronous
and induction motors without any restrictions.

Note
Control via TM54F
If you want to control the Safety Integrated Basic Functions via TM54F, set p9601.6 = 1.

This chapter gives first-time users a quick overview of the basic mode of operation of the
safety functions.
The description of each safety function starts with its definition according to standard
EN 61800-5-2 and some simple examples of how the function is used.
The description of the functions is simplified as far as possible in order to clearly show the
essential properties and setting options.
You will find more information on the functions in the following chapters:
● Safe Torque Off (STO) (Page 44)
● Safe Stop 1 (SS1) (Page 45)
● Safe Brake Control (SBC) (Page 46)


4.1.1 Safe Torque Off (STO)

Definition according to EN 61800-5-2:

"The STO function prevents energy from being supplied to the motor, which can generate a torque."

Examples of how the function can be used

Example: It is only permissible to open a protective door if the motor torque has been switched off.
Possible solution:
● Select STO in the converter.
● The pulses are suppressed and the motor coasts to a standstill.

How does STO function in detail?

The converter recognizes the selection of STO via a fail-safe input or via the safe
communication PROFIsafe.
The converter then safely switches off the torque of the connected motor.

[Figure: speed over time t; while STO is active, the motor torque is switched off. Signal trace: "Deselect STO" (F-DI or PROFIsafe control word).]

Details and parameterization


For further details and information on how to parameterize this function, refer to Chapter "Safe
Torque Off (STO) (Page 76)".


4.1.2 Safe Stop 1 (SS1)

Definition according to EN 61800-5-2:

"The function SS1 brakes the motor and trips the function STO after a delay time."

Example of how the function can be used

Example: After an Emergency Stop button has been pressed, the drive must be braked as quickly
as possible and brought into the STO state.
Possible solution:
● Wire the Emergency Stop button with a fail-safe input.
● Select SS1 via the fail-safe input.

Example: A central Emergency Stop button ensures that several drives are braked as quickly as
possible and brought into the STO state.
Possible solution:
● Evaluating an emergency stop pushbutton in a central control.
● Select SS1 via PROFIsafe.

How does SS1 function in detail?

Overview
The drive decelerates once "Safe Stop 1" has been selected, and goes into the "Safe Torque
Off" state once the delay time has expired.

[Figure: speed over time t with the Safe Stop 1 delay time, followed by STO. Signal trace: "Deselect SS1" (terminals or PROFIsafe control word).]

Select SS1
As soon as the converter identifies that SS1 has been selected via a terminal or via the
PROFIsafe safe communication, the following happens:
● If, when selecting SS1, the motor is already switched off, then until the SS1 delay time
expires, there is no response. STO becomes active after the time expires.
● If the motor is switched on when SS1 is selected, the inverter brakes the motor with the
OFF3 ramp-down time. After the delay time, STO is triggered automatically.


Details and parameterization


For further details and information on how to parameterize this function, see Section "Safe Stop
1 (SS1, time controlled) (Page 81)".

4.1.3 Safe Brake Control (SBC)

Definition according to EN 61800-5-2:

"The SBC function supplies a safe output signal to control a holding brake."

Example of how the function can be used

Example: The safe control of a motor holding brake must be guaranteed in order to guarantee the
motor is at a standstill.
Possible solution: SBC is (if configured) initiated together with STO. The Motor Module / Safe
Brake Relay / Safe Brake Adapter then carries out the action and safely controls the outputs for
the brake.

How does SBC function in detail?

The converter recognizes the selection of STO via a fail-safe input or via the safe
communication PROFIsafe.
The converter then safely switches off the torque of the connected motor.
SBC is (if configured) initiated together with STO. The Motor Module / Safe Brake Relay / Safe
Brake Adapter then carries out the action and safely controls the outputs for the brake.

[Figure: speed over time t; with STO and SBC active, the motor torque is switched off and SBC controls a brake safely. Signal trace: "STO deselection" (F-DI or PROFIsafe control word).]


Details and parameterization


For further details and information on how to parameterize this function, see Section "Safe
Brake Control (SBC) (Page 84)".


4.2 Safety Integrated Extended Functions


This chapter gives first-time users a quick overview of the basic mode of operation of the
safety functions.
The description of each safety function starts with its definition according to standard
EN 61800-5-2 and some simple examples of how the function is used.
The description of the functions is simplified as far as possible in order to clearly show the
essential properties and setting options.
You will find more information on the functions in the following chapters:
● Safe Torque Off (STO) (Page 50)
● Safe Stop 1 (SS1) (Page 50)
● Safe Operating Stop (SOS) (Page 53)
● Safe Stop 2 (SS2) (Page 54)
● Safely Limited Speed (SLS) (Page 56)
● Safe Speed Monitor (SSM) (Page 63)
● Safe Direction (SDI) (Page 65)
● Safe Brake Test (SBT) (Page 68)
● Safely-Limited Acceleration (SLA) (Page 67)


4.2.1 Preconditions for Safety Integrated Extended Functions


● For operation of the Safety Integrated Extended Functions, one license is required for each
axis.
● To use Safety Integrated Advanced Functions, one license is required for each axis. The
license for Safety Integrated Advanced Functions also includes the license for Safety
Integrated Extended Functions.
● Overview of hardware components that support the Extended/Advanced Functions:
– Control Unit CU320-2
– Control Unit CU310-2
– SINAMICS HLA
– Motor Modules Booksize Compact
– Motor Modules booksize C/D type with article No.: -..C. or -..D.
– Motor Modules booksize with an article number ending: -...3 or higher
– Motor Modules chassis with an article number ending: -...3 or higher
– Motor Modules cabinet with an article number ending: -...2 or higher
– Power Modules blocksize
– Control Unit Adapter CUA31 as of article number: 6SL3040-0PA00-0AA1
– Control Unit Adapter CUA32 as of article number: 6SL3040-0PA01-0AA0
– For the safety functions with encoder:
Motors with sin/cos encoder and encoder evaluation with DRIVE-CLiQ interface or via
Sensor Module SMC20, SME20/25/120/125, square wave signal encoder with SMC30,
EnDat-2.2 encoder with SMC40
The list of approved encoders can be found on the Internet at:
Approved encoders (https://support.industry.siemens.com/cs/ww/en/)
Enter the number 33512621 there as search term or contact your local Siemens office.


4.2.2 Control possibilities


The following options are available for controlling Safety Integrated Extended Functions:
● PROFIsafe
● TM54F
● Onboard F-DI (CU310-2)
● Permanent selection (Safety Integrated Functions without selection)
Details on the control options can be found in Chapter "Control of the safety functions
(Page 207)".

4.2.3 Safe Torque Off (STO)

For the control options and the functionality for "Safe Torque Off" (STO), see Section "Safe
Torque Off (STO) (Page 76)".

4.2.4 Safe Stop 1 (SS1)

Definition according to EN 61800-5-2:

"The function SS1 brakes the motor, monitors the magnitude of the motor deceleration within
specified limits, and after a delay time or violation of a speed threshold, initiates the STO
function."

Example of how the function can be used

Example: After an Emergency Stop button has been pressed, the drive must be braked as quickly
as possible and brought into the STO state.
Possible solution:
● Wire the Emergency Stop button with a fail-safe input.
● Select SS1 via the fail-safe input.
● SS1 brakes the drive and then brings it into the STO state.

Example: A central Emergency Stop button ensures that several drives are braked as quickly as
possible and brought into the STO state.
Possible solution:
● Evaluating an emergency stop pushbutton in a central control.
● Select SS1 via PROFIsafe.
● SS1 brakes the drives and then brings them into the STO state.

How does SS1 function in detail?

Overview
Using the SS1 function, the converter brakes the motor and monitors the absolute speed.
If the motor speed is low enough or the delay time has expired, the converter safely switches
off the motor torque using STO.

[Figure: speed over time t with monitoring, followed by STO. Signal trace: "Deselect SS1" (F-DI or PROFIsafe control word).]

Select SS1
As soon as the converter identifies that SS1 has been selected via a failsafe input or via
PROFIsafe safe communication, the following happens:
● If the motor has already been switched off when selecting SS1 then the converter safely
switches off the motor torque (STO).
● If the motor is switched on when SS1 is selected, the converter brakes the motor with the
OFF3 ramp-down time.

Monitoring modes
For the Extended Functions with or without encoder, you can choose between 2 different
monitoring modes of the function SS1:
● Safe Brake Ramp (SBR)
● Safe Acceleration Monitor (SAM)


Brake ramp monitoring (with or without encoder)

[Figure: speed over time t with the SBR monitoring ramp, the delay time for braking ramp, standstill monitoring and STO. Signal traces: "Deselect SS1" (F-DI or PROFIsafe control word), "STO active" (F-DO or PROFIsafe status word).]

● Using the SBR (Safe Brake Ramp) function, the converter monitors whether the motor
speed decreases.
● The gradient of the SBR function can be set via the reference velocity and the ramp-down
time. The SBR function only starts after the "Delay for braking ramp".
● The SBR function starts with the speed setpoint, which was present at the instant in time
that SS1 was selected.
● If the converter detects that the speed has fallen below the speed threshold (standstill
monitoring), it safely switches off the motor torque (STO).

Acceleration monitoring (with or without encoder)

[Figure: speed over time t with the SAM monitoring threshold, the shutdown speed SS1 and STO. Signal traces: "SS1 deselection" (F-DI or PROFIsafe control word), "STO active" (F-DO or PROFIsafe status word).]

● The converter monitors the speed of the motor with the SAM function.
● The converter prevents the motor from accelerating again by having the monitoring function
continuously track the speed as it decreases.
● The converter reduces the monitoring threshold until the "Shutdown speed" has been
reached.
● The converter safely switches off the motor torque (STO), if one of the following conditions
is fulfilled:
– The speed has fallen below the shutdown speed SS1.
– The maximum time until the torque is switched off has expired.
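
The two SS1 monitoring modes described above, replayed over sampled speed traces. This is an added example, not Siemens code: the parameter names, the SAM tolerance band, the immediate STO reaction to a violation and the three traces are assumptions constructed for illustration.

```python
"""Replay of SS1 with SBR and with SAM over sampled speed traces.
Times are seconds since SS1 was selected, speeds are in rpm.
All names and values are illustrative, not drive parameters."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Trace = List[Tuple[float, float]]  # (time since SS1 selection, actual speed)


@dataclass
class Outcome:
    sto_time: Optional[float]  # instant at which STO would be triggered
    reason: str  # "low_speed", "delay_expired", "violation" or "trace_ended"


def ss1_with_sbr(trace: Trace, setpoint_at_select, delay_for_ramp, ref_velocity,
                 ramp_down_time, standstill_speed, ss1_delay) -> Outcome:
    """Safe Brake Ramp: a falling limit that the actual speed must stay under."""
    gradient = ref_velocity / ramp_down_time  # rpm per second
    for t, v in trace:
        speed = abs(v)
        if t >= delay_for_ramp:  # the ramp only starts after the delay
            limit = max(setpoint_at_select - gradient * (t - delay_for_ramp),
                        standstill_speed)
            if speed > limit:
                return Outcome(t, "violation")  # assumed reaction: immediate STO
        if speed < standstill_speed:
            return Outcome(t, "low_speed")
        if t >= ss1_delay:
            return Outcome(t, "delay_expired")
    return Outcome(None, "trace_ended")


def ss1_with_sam(trace: Trace, tolerance, shutdown_speed, ss1_delay) -> Outcome:
    """Safe Acceleration Monitor: the threshold follows the speed downwards only."""
    threshold = None
    for t, v in trace:
        speed = abs(v)
        if threshold is not None and speed > threshold:
            return Outcome(t, "violation")  # the motor accelerated again
        if speed < shutdown_speed:
            return Outcome(t, "low_speed")
        if t >= ss1_delay:
            return Outcome(t, "delay_expired")
        candidate = speed + tolerance  # assumed tolerance band above the speed
        threshold = candidate if threshold is None else min(threshold, candidate)
    return Outcome(None, "trace_ended")


def sampled(speeds, dt=0.1) -> Trace:
    """Attach sample times (one sample every dt seconds) to a list of speeds."""
    return [(round(i * dt, 3), float(v)) for i, v in enumerate(speeds)]


# Constructed traces: normal braking, braking followed by re-acceleration,
# and a drive that does not brake at all.
BRAKING = sampled([1500 - 100 * i for i in range(16)])
REACCEL = sampled([1500, 1400, 1300, 1200, 1100, 1150, 1250, 1400, 1500])
COASTING = sampled([1500] * 40)

SBR_PARAMS = dict(setpoint_at_select=1500, delay_for_ramp=0.2, ref_velocity=1500,
                  ramp_down_time=2.0, standstill_speed=20, ss1_delay=3.0)
SAM_PARAMS = dict(tolerance=30, shutdown_speed=50, ss1_delay=3.0)


def compare():
    """Evaluate every constructed trace with both monitoring modes."""
    traces = {"braking": BRAKING, "reaccel": REACCEL, "coasting": COASTING}
    return {name: (ss1_with_sbr(tr, **SBR_PARAMS), ss1_with_sam(tr, **SAM_PARAMS))
            for name, tr in traces.items()}


if __name__ == "__main__":
    for name, (sbr, sam) in compare().items():
        print(f"{name:9s} SBR: {sbr}   SAM: {sam}")
```

On the trace where the drive does not brake, SBR reports a violation as soon as the ramp falls below the actual speed, whereas SAM sees no acceleration and STO only follows when the delay time expires.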

Note
SS1 with external stop (SS1E)
If you use SS1E, neither of the two monitoring functions (SBR, SAM) is active. The drive must
be shut down in SS1E within the delay time, for example, by a user program of a CPU. STO
becomes active after the delay time expires.

Details and parameterization


For further details and information on how to parameterize this function, see Chapter "Safe
Stop 1 (SS1) (Page 103)".


4.2.5 Safe Operating Stop (SOS)

Definition according to EN 61800-5-2:

"This SOS function is used for safe monitoring of the standstill position of a drive."

Example of how the function can be used

Example: A protective door must only be opened if a motor is in the safe standstill state.
Possible solution:
● Select SOS
● A higher-level controller brakes the axis (e.g. position-controlled) down to standstill within
the configured time between the selection of SOS and when it becomes active.
● Standstill is then safely monitored via the SOS function.

How does SOS function in detail?


The protected machine areas can be entered without having to shut down the machine as long
as SOS is active.
After SOS has been selected it becomes active after the parameterizable delay time has
expired. The drive must be braked to standstill within this delay time (e.g. by the controller).
Drive stopping is monitored using an SOS tolerance window. At the instant this function
becomes active, the current actual position is stored as the comparison position until SOS is
deselected again. Any delay time is cleared after SOS is deselected and the drive can be
immediately moved.
The drive is stopped with SS1 when the standstill tolerance window is violated.

Note
Contrary to SS1 and SS2, SOS does not automatically brake the drive
The control still enters the setpoint.
This means that in the user program of the control system, the system must respond to the
"SOS selected" bit so that the control system brings the drive to a standstill within the delay time.


[Figure: actual position Xact over time t with the operator actions "Select SOS" and "Deselect SOS", the SOS delay time and the standstill tolerance. Diagnostics traces: "Deselect SOS", "SOS active", PROFIsafe status word bit "SOS active".]
Figure 4-1 Standstill tolerance
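
The SOS sequence described above (delay time, latching of the comparison position, tolerance window, clearing on deselection) as a small state machine over position samples. This is an added example, not Siemens code: the function name, units (milliseconds, millimetres) and the three sample runs are constructed for illustration.

```python
"""SOS replay over (time_ms, actual_position_mm, sos_selected) samples.
Names, units and values are illustrative, not drive parameters."""


def sos_monitor(samples, delay_ms, tolerance_mm):
    """Return the list of (time_ms, event) transitions for one run.

    Events: "selected", "active", "deselected", "violation".
    A violation ends the run, because the drive is then stopped with SS1.
    """
    events = []
    selected_at = None  # time of selection, None while SOS is deselected
    reference = None    # comparison position, latched when SOS becomes active
    for t, position, selected in samples:
        if not selected:
            if selected_at is not None:
                events.append((t, "deselected"))
            # Deselection clears a running delay time and the stored position.
            selected_at = None
            reference = None
            continue
        if selected_at is None:
            selected_at = t
            events.append((t, "selected"))
        if reference is None and t - selected_at >= delay_ms:
            reference = position  # actual position at the instant of activation
            events.append((t, "active"))
        if reference is not None and abs(position - reference) > tolerance_mm:
            events.append((t, "violation"))
            return events
    return events


# Constructed run 1: the controller brings the axis to standstill within the
# delay time, the axis then stays inside the tolerance window.
HELD = [(0, 98.0, True), (100, 99.0, True), (200, 99.6, True), (300, 100.0, True),
        (400, 100.0, True), (500, 100.0, True), (600, 100.1, True),
        (700, 99.9, True), (800, 100.0, False)]

# Constructed run 2: the user program ignores "SOS selected" and keeps moving.
# SOS does not brake the drive itself, so the window is left after activation.
NOT_STOPPED = [(i * 100, 98.0 + i, True) for i in range(10)]

# Constructed run 3: deselection during the delay time, then a new selection.
# The delay time starts again from the second selection.
RESELECTED = [(0, 100.0, True), (300, 100.0, False), (400, 100.0, True),
              (800, 100.0, True), (900, 100.0, True)]


if __name__ == "__main__":
    for name, run in (("held", HELD), ("not stopped", NOT_STOPPED),
                      ("reselected", RESELECTED)):
        print(name, sos_monitor(run, delay_ms=500, tolerance_mm=0.5))
```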

Details and parameterization


For further details and information on how to parameterize this function, see Chapter "Safe
Operating Stop (SOS) (Page 109)".

4.2.6 Safe Stop 2 (SS2)

Definition according to EN 61800-5-2:

"The function SS2 brakes the motor, monitors the magnitude of the motor deceleration, and
after a delay time, initiates the SOS function."

Example of how the function can be used

Example: A protective door must only be opened if a motor is in the safe standstill state.
Possible solution:
● Select SS2 in the converter via a terminal or via PROFIsafe.
● After braking, the converter goes into the SOS state. Only then may the protective door be
released.

How does SS2 function in detail?

The safety function SS2 monitors the load speed and initiates the SOS function if the SS2
delay time has expired.
With SS2, braking is monitored on the OFF3 ramp. A faulty acceleration is detected and the
drive then shuts down with STO.

[Figure: speed over time t with monitoring, followed by SOS. Signal trace: "Deselect SS2" (F-DI or PROFIsafe control word).]

If you are operating the motor with closed-loop torque control, the converter switches to the
closed-loop speed control mode when SS2 is selected.

Note
SS2 with external stop (SS2E)
If you use SS2E, neither of the two monitoring functions (SBR, SAM) is active. The drive must
be shut down in SS2E within the delay time, for example, by a user program of a CPU. SOS
becomes active after the delay time expires.

Time response in detail


The failsafe logic (e.g. F‑CPU) selects the SS2 safety function via a failsafe input or via the
PROFIsafe safe communication.
● If, when selecting SS2, the motor is already at a standstill, after a delay time, the converter
activates the Safe Operating Stop function (SOS).
● If the drive is not at standstill when SS2 is selected, it is braked along the OFF3 ramp.
Braking is monitored with one of the following functions, depending on the setting in p9506:
– "Safe Acceleration Monitor (SAM)"
A faulty acceleration is therefore detected.
– "Safe Brake Ramp (SBR)"
In this way, a violation of the braking ramp is detected.
After a delay time, the converter activates the Safe Operating Stop function (SOS). This
function monitors the safe standstill of the drive.


Braking behavior

[Figure: load speed over time t with the operator actions "Select SS2" and "Deselect SS2", the actual value, the SAM speed limit, the SS2 delay time and SOS. Diagnostics traces: "Deselect SS2", "SS2 active", "SAM/SBR active", "SOS active", PROFIsafe status word bits "SS2 active" and "SOS active".]
Figure 4-2 Braking behavior and diagnostics of the safety function SS2 (example of SS2 with SAM)

Details and parameterization


For further details and information on how to parameterize this function, see Chapter "Safe
Stop 2 (SS2) (Page 111)".

4.2.7 Safely Limited Speed (SLS)

Definition according to EN 61800-5-2:

"The SLS function prevents the motor from exceeding the specified speed limit."

Examples of how the function can be used

Example: The machine operator must be able to enter the machine after the protective door has
been opened and slowly move a horizontal conveyor with an acknowledgment button in the
danger zone.
Possible solution:
● Select SLS in the converter via a fail-safe input or PROFIsafe.
● The converter limits and monitors the velocity of the horizontal conveyor.

Example: A spindle drive, depending on the selection of the cutting tool, must not exceed a
specific maximum velocity.
Possible solution:
● Select SLS and the corresponding SLS level in the converter via PROFIsafe.

How does SLS function in detail?

1. The inverter recognizes the selection of SLS via a failsafe input or via the PROFIsafe safe
communication.
2. SLS allows a motor to reduce its possibly inadmissibly high speed within a defined time.
3. SLS monitors the absolute value of the current speed.

The SLS setpoint limit can be transferred to the higher-level motion controller (e.g.
SIMOTION), where the speed setpoint can be limited.
In addition, you can configure the setpoint limit provided by SLS as maximum speed in the
ramp-function generator. In this case, SLS limits the speed setpoint.

[Figure: speed over time t with the SLS delay time and the SLS limit. Signal trace: "Deselect SLS" (F-DI or PROFIsafe control word).]

Note
SLS without selection
As an alternative to controlling via terminals and/or PROFIsafe, there is also the option to
parameterize the SLS function without selection. In this case, the SLS function is permanently
active after POWER ON. Details are provided in Chapter "Safely-Limited Speed without
selection (Page 124)".


Details and parameterization


For further details and information on how to parameterize this function, see Chapter "Safely-
Limited Speed (SLS) (Page 118)".

4.2.7.1 Selecting SLS when the motor is switched on



As soon as the converter detects the selection of SLS via a failsafe input or via PROFIsafe safe
communication, the following happens:
● To avoid a limit value being violated, the setpoint limit can be transferred to the higher-level
motion controller (e.g. SIMOTION). The higher-level motion controller can then limit the
velocity setpoint.
● If the speed setpoint limitation is interconnected to the ramp-function generator, the
converter limits the speed to a value below the SLS monitoring.
● For SLS without encoder, you can select whether the converter monitors motor braking
using the function SBR (Safe Brake Ramp) or not. For SLS with encoder, the SBR function
cannot be selected.


With braking ramp monitoring 1) (only without encoder)

[Figure: speed over time t with the setpoint, the delay time for braking ramp, the SBR ramp, the SLS limit and the limitation. Signal traces: "Deselect SLS" (F-DI or PROFIsafe control word), "SLS active" (F-DO or PROFIsafe status word).]

● After the adjustable "delay time for the braking ramp", using the SBR (Safe Brake Ramp)
function, the converter monitors whether the velocity decreases.
● The converter switches from SBR to SLS as soon as one of the following two conditions is
fulfilled:
– The SBR monitoring ramp has reached the value of the SLS monitoring.
This case is shown in the diagram above.
– After the actual velocity has reached the value of the SLS monitoring threshold, the
system again waits for the "delay time for braking ramp" until SLS becomes active.
Advantages:
● Already when braking, the converter detects whether the load velocity decreases too
slowly.
● The feedback signal "SLS active" generally comes earlier than without acceleration
monitoring.

Without braking ramp monitoring (with or without encoder)

[Figure: speed over time t with the setpoint, the delay time for SLS changeover, the SLS limit and the limitation. Signal traces: "Deselect SLS" (F-DI or PROFIsafe control word), "SLS active" (F-DO or PROFIsafe status word).]

● The converter monitors the load velocity after the "delay time for SLS switchover" has
expired.
Advantage:
● Commissioning is simplified, because instead of the subfunction SBR or SAM of the
alternative brake ramp monitoring, you only have to set the delay time.

1) The automatic reduction of the speed only takes effect when the ramp-function generator is
interconnected to the speed setpoint limitation.


4.2.7.2 Selecting SLS at low velocities



If the motor velocity when selecting SLS is less than the SLS limit, then the drive responds as
follows:

[Figure: velocity over time t with the SLS delay time, the SLS limit, the limiting and the setpoint. Signal traces: "Deselect SLS" (F-DI or PROFIsafe control word), "SLS active" (F-DO or PROFIsafe status word).]

Deselecting SLS
If the higher-level controller deselects SLS, then the converter deactivates limiting and
monitoring.

4.2.7.3 Switching between monitoring thresholds

Switching over monitoring limits


When SLS is active, you can switch over between 4 different speed levels. An exception is "SLS
without selection": In this case, there is only one limit.


Switching to a lower speed level

With braking ramp monitoring 1) (only without encoder)

[Figure: velocity over time t with the two SLS limit levels and the SBR ramp between them. Signal traces: "Select SLS level" (PROFIsafe control word), "Active SLS level" (PROFIsafe status word).]

● Once the "delay time for braking ramp" has elapsed, the converter monitors the motor
velocity using the function SBR (Safe Brake Ramp).
● The converter switches over from SBR monitoring to level 2 of SLS monitoring as soon as
one of the following conditions is fulfilled:
– The SBR monitoring ramp has reached the value of the SLS monitoring.
This case is shown in the diagram above.
– The load velocity has decreased down to the value SLS monitoring and the "delay
time for braking ramp" has expired.

Without braking ramp monitoring (with or without encoder)

[Figure: velocity over time t with the two SLS limit levels. Signal traces: "Select SLS level" (PROFIsafe control word), "Active SLS level" (PROFIsafe status word).]

● The converter monitors the velocity with the lower SLS level after the "delay time for SLS
changeover" has expired (this is the same delay time that applies after selecting the function
SLS).

1) The automatic reduction of the speed only takes effect when the ramp-function generator is
interconnected to the speed setpoint limitation.


Switching to a higher speed level


If you switch over from a lower to a higher speed level, the converter immediately monitors the
actual velocity against the higher velocity.

[Figure: speed over time t with the two SLS limit levels. Signal traces: "SLS level selection" (PROFIsafe control word), "Active SLS level" (PROFIsafe status word).]


4.2.8 Safe Speed Monitor (SSM)

Definition according to EN 61800-5-2:

"The SSM function supplies a safe output signal to indicate whether the motor speed is below a
specified limit value."

Note
SSM is a pure signaling function
Contrary to other Safety Integrated functions, a violation of the SSM limit does not result in a
drive-based stop response.

Example of how the function can be used

Example: A centrifuge may only be filled below a velocity defined by the user.
Possible solution:
● SSM is activated by configuring the Safety Integrated Extended Functions.
● The converter safely monitors the centrifuge speed and enables the process to advance to
the next step using the "Status SSM" status bit.

How does SSM function in detail?

Requirements
The safety function SSM cannot be selected or deselected using external control signals. SSM
is active when you have set a monitoring velocity > 0 for SSM.

Evaluating the speed


The converter compares the load speed with the speed limit and signals to the higher-level
control when the speed falls below the limit value.

Parameterizable hysteresis
The parameterizable hysteresis ensures that the SSM output signal does not jump between the
values "0" and "1" in the limit range.


[Figure: speed over time t with the SSM limit value and the hysteresis band on either side of zero speed. Signal trace: "Speed below limit value" (F-DO or PROFIsafe status word).]
Figure 4-3 Time response of the safety function SSM (Safe Speed Monitor)
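
The effect of the parameterizable hysteresis on the SSM output signal, shown on a run-down trace with ripple around the limit. This is an added example, not Siemens code: the assumed band is "signal 1 below limit minus hysteresis, signal 0 at or above the limit, unchanged in between", and the names and speed values are constructed for illustration.

```python
"""SSM output signal with and without hysteresis over a sampled speed trace.
The switching band and all values are assumptions for illustration."""


def ssm_signal(speeds, limit, hysteresis=0.0, initial=0):
    """Return the "speed below limit value" signal (0 or 1) for each sample."""
    signal = []
    state = initial
    for v in speeds:
        speed = abs(v)  # SSM evaluates the magnitude of the speed
        if speed >= limit:
            state = 0
        elif speed < limit - hysteresis:
            state = 1
        # Inside the band [limit - hysteresis, limit) the last state is kept.
        signal.append(state)
    return signal


def toggles(signal):
    """Count how often the signal changes between consecutive samples."""
    return sum(1 for a, b in zip(signal, signal[1:]) if a != b)


# Constructed run-down of a centrifuge with speed ripple around a limit of 100.
RUN_DOWN = [130, 118, 104, 98, 101, 97, 102, 96, 99, 92, 88, 79, 70]


if __name__ == "__main__":
    plain = ssm_signal(RUN_DOWN, limit=100)
    banded = ssm_signal(RUN_DOWN, limit=100, hysteresis=10)
    print("without hysteresis:", plain, "toggles:", toggles(plain))
    print("with hysteresis:   ", banded, "toggles:", toggles(banded))
```

Without hysteresis the status bit that releases the next process step changes five times while the speed hovers at the limit; with the band it changes once.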

Details and parameterization


For further details and information on how to parameterize this function, see Section "Safe
Speed Monitor (SSM) (Page 127)".


4.2.9 Safe Direction (SDI)

Definition according to EN 61800-5-2:

"The SDI function prevents the motor shaft moving in the wrong direction."

Examples of how the function can be used

Example: A protective door must only be opened if a drive moves in the safe direction (away
from the operator).
Possible solution:
● Select SDI in the converter using a fail-safe input or PROFIsafe.
● Enable the locking mechanism of the protective doors via the PROFIsafe status bit of the
converter.

Examples:
● When replacing the pressure cylinders of the plates, the drive must only move in the safe
direction of rotation.
● Once the protection against jamming has been triggered, a roller shutter gate must only be
able to start moving in one direction.
● At an operational limit switch, the trolley of a crane must only be able to start in the opposite
direction.
Possible solution:
● Select SDI in the converter using a fail-safe input or PROFIsafe.
● In the converter, inhibit the direction of rotation that is not permitted.

How does SDI function in detail?

SDI monitors the actual direction of rotation.
The SDI setpoint limit can be transmitted to the higher-level motion controller (e.g.
SIMOTION) to enable limitation of the velocity setpoint there.
In addition, you can configure the setpoint limit provided by SDI as maximum speed in the
ramp-function generator. In this case, SDI limits the speed setpoint to the permissible
direction.

[Figure: speed over time t with the SDI delay time and SDI. Signal trace: "SDI deselect" (F-DI or PROFIsafe control word).]
You can select to block either the positive or the negative direction of rotation via 2 fail-safe
signals (F-DIs or PROFIsafe).


Selecting and deselecting SDI


As soon as the converter identifies that SDI has been selected via a failsafe input or via
PROFIsafe safe communication, the following happens:
● You can also set a delay time, within which you can ensure that the converter moves in the
enabled (safe) direction.
● You can also set a tolerance, within which the converter tolerates movement in the direction
that has not been enabled (unsafe). You can avoid the triggering of faults during braking
(overshoot) as well as in controlled standstill.
● After the delay time has expired, the converter monitors the direction of rotation of the motor.
● If the converter now moves in the blocked direction by more than the configured tolerance,
a message will be output and the defined stop response will be initiated.
[Figure: speed over time t with the setpoint, the delay and the limitation of the speed for each of the two SDI directions. Signal traces for each direction: "SDI deselect" (F-DI or PROFIsafe control word), "SDI active" (F-DO or PROFIsafe status word).]
Figure 4-4 Time response of the safety function SDI (Safe Direction)

Note
SDI without selection
As an alternative to controlling via terminals and/or PROFIsafe, there is also the option of
parameterizing SDI without selection. In this case, SDI will be permanently active after
POWER ON. You will find details about this in Section "Safe Direction without selection
(Page 139)".

Details and parameterization


For further details and information on how to parameterize this function, see Section "Safe
Direction (SDI) (Page 134)".


4.2.10 Safely-Limited Acceleration (SLA)

Definition according to EN 61800-5-2:
"The SLA function prevents the motor from exceeding the defined acceleration limit."

Examples of how the function can be used

Example: In the setup mode, it is not permissible that the drive exceeds the permissible acceleration.
Possible solution:
● Select SLA in the converter via PROFIsafe.
● The converter limits and monitors the acceleration of the machine.

Details and parameterization


For further details and information on how to parameterize this function, see Chapter "Safely
Limited Acceleration (SLA) (Page 140)".


4.2.11 Safe Brake Test (SBT)

The diagnostic function "Safe Brake Test" (SBT) checks the required holding torque of a brake (operating or holding brake).

How does the SBT function in detail?


You can test linear axes and rotary axes. The drive purposely generates a force/torque against
the applied brake. If the brake is operating correctly, the axis motion remains within a
parameterized tolerance. If, however, a larger axis motion is detected, it must be assumed that
the braking force/torque has deteriorated and maintenance is required.
The "Safe Brake Test" function allows a safe test of up to two brakes:
● 1 motor holding brake and 1 external brake
● 2 external brakes
● 1 motor holding brake
● 1 external brake
The "Safe Brake Test" (SBT) diagnostic function is suitable for safety functions up to Category 2
according to ISO 13849‑1.

Details and parameterization


For further details and information on how to parameterize this function, see Chapter "Safe
Brake Test (SBT) (Page 144)".


4.3 Safety Integrated Advanced Functions


This chapter provides first-time users with a quick overview of the principal mode of operation of the safety functions.
The description of each safety function starts with the definition according to standard EN 61800-5-2 and some simple examples for using the function.
The description of the functions is simplified as far as possible in order to clearly show the essential properties and setting options.
You will find more information on the functions in the following chapters, e.g. "Safety Integrated Advanced Functions (Page 181)".

4.3.1 Preconditions for Safety Integrated Advanced Functions


● For operation of the Safety Integrated Extended Functions, one license is required for each
axis.
● To use Safety Integrated Advanced Functions, one license is required for each axis. The
license for Safety Integrated Advanced Functions also includes the license for Safety
Integrated Extended Functions.
● Overview of hardware components that support the Extended/Advanced Functions:
– Control Unit CU320-2
– Control Unit CU310-2
– SINAMICS HLA
– Motor Modules Booksize Compact
– Motor Modules booksize C/D type with article No.: -..C. or -..D.
– Motor Modules booksize with an article number ending: -...3 or higher
– Motor Modules chassis with an article number ending: -...3 or higher
– Motor Modules cabinet with an article number ending: -...2 or higher
– Power Modules blocksize
– Control Unit Adapter CUA31 as of article number: 6SL3040-0PA00-0AA1
– Control Unit Adapter CUA32 as of article number: 6SL3040-0PA01-0AA0
– For the safety functions with encoder:
Motors with sin/cos encoder and encoder evaluation with DRIVE-CLiQ interface or via
Sensor Module SMC20, SME20/25/120/125, square wave signal encoder with SMC30,
EnDat-2.2 encoder with SMC40
The list of approved encoders can be found on the Internet at:
Approved encoders (https://support.industry.siemens.com/cs/ww/en/)
Enter the number 33512621 there as search term or contact your local Siemens office.


4.3.2 Safely-Limited Position (SLP)

Definition according to EN 61800-5-2:
"The SLP function prevents the motor shaft from exceeding the specified position limit(s)."

The Safely-Limited Position function (SLP) is used to safely monitor the limits of two traversing
and/or positioning ranges, which are toggled between using a safe signal.

Examples of how the function can be used

Example: The drive must not exit the specified position ranges.
Possible solution:
● Selection of SLP in the converter; inhibiting the range that is not permitted.
● After the enabled range has been exited, a parameterizable stop response is initiated.

Features
● Selection via terminals or PROFIsafe
● 2 position ranges, each defined by a limit switch pair
● Safe switchover between the two position ranges
● Settable stop response
● To run the motor out of the prohibited range, you must perform a special sequence (see
Chapter "Retraction (Page 185)").

Preconditions
● The function is only available with a suitable encoder.
● The drive has to be safely referenced (see Chapter "Safe referencing (Page 71)").

Details and parameterization


For further details and information on how to parameterize this function, see Section "Safely-
Limited Position (SLP) (Page 181)".


4.3.3 Transferring safe position values (SP)

The "Safe Position (SP)" function enables you to transfer safe position values to the higher-level fail-safe controller (F‑CPU) via PROFIsafe (telegram 901 or 902).

How does the SP function in detail?


On the F‑CPU side, you can also calculate the current speed from the change in position per
time. In telegram 902, the values are transferred in 32-bit format, in telegram 901, in 16-bit
format.
After parameter assignment, enabling and POWER ON, the function is automatically selected.
The drive transfers the value. Please observe the following:
● For use as the safe absolute position, the "Absolute position" must also be enabled and then
safely referenced.
● To allow the controller to continue using the transferred position, the actual position value
must be valid.
Using the time stamp that is also transferred, you can also calculate the velocity from the
position values. If you only want to calculate the speed, just enable the "Transfer of safe
position values" without the "Absolute position."

Details and parameterization


For further details and information on how to parameterize this function, see Chapter
"Transferring safe position values (SP) (Page 188)".

4.3.4 Safe referencing

The "safe referencing" function allows a safe absolute position to be defined. This safe position
is used for the following functions:
● Safely-Limited Position (SLP) (Page 70)
● Transferring safe position values (SP) (Page 71)
● Safe Cam (SCA) (Page 73)


General description
In most cases, an external control performs referencing to an absolute position. The converter
only performs this task in special cases (for example, EPOS).
● Referencing using an external control
Requirement: No movement of the drive
The reference position determined by the control is entered into parameter p9572 and is
declared to be valid using p9573 = 89.
● Referencing by EPOS
The SINAMICS EPOS function transfers, when referencing, the determined position directly
to Safety Integrated. This can also take place during motion.
● User agreement
The user agreement must be set (p9726 = p9740 = AC hex) within a certain time interval
after referencing (see Chapter "Referencing types (Page 194)").
Safety Integrated only evaluates the reference position if this is required by a function that has
been enabled (e.g. SLP). Using diagnostics bit r9723.17, Safety Integrated indicates whether
the drive has been referenced. Safety Integrated indicates the position of the drive in diagnostic
parameters r9708 and r9713. Bit r9722.23 is set when the axis is safely referenced.


4.3.5 Safe Cam (SCA)

Definition according to EN 61800-5-2:
The function "Safe Cam" (SCA) supplies a safety-related output signal to indicate whether the motor shaft position is within a defined range.

How does the SCA function in detail?


The "Safe Cam" function outputs a safe signal if the drive is within a specified position range.
It facilitates the realization of safe range detection for each individual axis.

Details and parameterization


For further details and information on how to parameterize this function, see Chapter "Safe
Cam (SCA) (Page 196)".

5 Description of Safety Integrated functions
Two-channel parameterization
Parameterization of the Safety Integrated Functions must be performed in two channels; i.e.
there is one parameter each for the 1st and 2nd channel. These two parameters must be
identically parameterized.
For safety reasons, when using the Startdrive commissioning tool, only set the safety-related
parameters of the 1st channel while offline. Startdrive copies the parameter of the 2nd channel
automatically.
Because Startdrive sets the safety-related parameters of the 2nd channel by copying, only the
parameters of the 1st channel are given in this manual. You will find the relevant parameters of
the 2nd channel in the parameter description, e.g. in SINAMICS S120/S150 List Manual.
On faults and alarms, only the error number of the 1st channel is stated.


5.1 Safety Integrated basic functions

Note
Basic Functions do not require an encoder
The Safety Integrated Basic Functions are functions for safely stopping the drive. You do not
require an encoder.

Note
Application of the Basic Functions
Basic Functions are available in all control modes with and without encoder for synchronous
and induction motors without any restrictions.

Note
Control via TM54F
If you want to control the Safety Integrated Basic Functions via TM54F, set p9601.6 = 1.

Note
PFH values
The PFH values of the individual SINAMICS S120 safety components can be found at:
PFH values (https://support.industry.siemens.com/cs/ww/en/view/76254308)

5.1.1 Safe Torque Off (STO)

In conjunction with a machine function or in the event of a fault, the "Safe Torque Off" (STO)
function is used to safely disconnect the torque-generating energy supply to the motor.
A restart is prevented by the two-channel pulse suppression. The switching on inhibited
prevents an automatic restart after deselection of STO.
The two-channel pulse suppression function integrated in the Motor Modules / Power Modules
is the basis for this function.

Functional features of "Safe Torque Off"


● The function is completely integrated in the drive. It can be selected via terminals, TM54F
or PROFIsafe from an external source.
● The function is drive-specific, i.e. it is available for each drive and must be individually
commissioned.
● The function must be enabled via parameter.


● When the "Safe Torque Off" function is selected, the following applies:
– The motor cannot be started accidentally.
– The pulse suppression safely disconnects the torque-generating energy supply to the
motor.
– The power unit and motor are not electrically isolated.
● The selection/deselection of the STO function also acknowledges the safety faults when the
Basic Functions are used. The standard acknowledgment mechanism must also be
performed.
● Extended acknowledgement:
The selection/deselection of STO can also acknowledge the safety messages of the
extended safety functions. This requires that the extended message acknowledgement is
configured (p9507.0 = 1).
If the "Basic Functions via terminals" are enabled in addition to the "Extended Functions", acknowledgement is possible not only by selection/deselection of STO via PROFIsafe or TM54F, but also by selection/deselection of STO via terminals.
● The status of the "Safe Torque Off" function is displayed using parameters (r9772, r9872,
r9773 and r9774).
● Effect on the "Setpoint speed limit effective" (r9733[0...2]):
For STO (≙ STOP A), a setpoint of 0 is specified in r9733[0...2].

WARNING
Unplanned motor motion
After the energy feed has been disconnected (STO active) the motor can undesirably move
(e.g. the motor can coast down), therefore presenting risk to persons.
● Take suitable measures to prevent undesirable movement, e.g. by using a brake with
safety-relevant monitoring. For additional information, see Chapter "Safe Brake Control
(SBC) (Page 84)".

WARNING
Danger due to short, limited movements
If two power transistors simultaneously fail in the power unit (one in the upper and one in the
lower inverter bridge), then this can cause brief, limited movement.
The maximum movement can be:
● Synchronous rotary motors: Max. movement = 180° / no. of pole pairs
● Synchronous linear motors: Max. movement = pole width


Enabling the "Safe Torque Off" function (Basic Functions)


The "Safe Torque Off" function is enabled via parameter p9601:
● STO for the Safety Integrated Basic Functions:
– p9601 = 1 hex (Basic Functions via onboard terminals)
– p9601 = 8 hex (Basic Functions via PROFIsafe)
– p9601 = 9 hex (Basic Functions via PROFIsafe and onboard terminals)
– p9601 = 40 hex (basic functions via TM54F)
– p9601 = 41 hex (basic functions via TM54F and onboard terminals)

Enabling the "Safe Torque Off" function (Extended Functions)


The "Safe Torque Off" function is enabled via parameter p9601:
● STO in the Safety Integrated Extended Functions (EF):
– p9601 = 4 hex (EF via TM54F)
– p9601 = 5 hex (EF via TM54F and basic functions via onboard terminals)
– p9601 = C hex (EF via PROFIsafe)
– p9601 = D hex (EF via PROFIsafe and basic functions via onboard terminals)
– p9601 = 25 hex (EF without selection and basic functions via onboard terminals)

Selecting/deselecting "Safe Torque Off"


The following is executed when "Safe Torque Off" is selected:
● Each monitoring channel triggers safe pulse suppression via its switch-off signal path.
● A motor holding brake is closed (if connected and configured).
Deselecting "Safe Torque Off" represents an internal safety acknowledgment. The following is
executed if the cause of the fault has been removed:
● Each monitoring channel cancels safe pulse suppression via its switch-off signal path.
● The Safety requirement "Close motor holding brake" is canceled.
● Any pending STOP F or STOP A commands are canceled (see r9772).
● The messages in the fault memory must also be reset using the general acknowledgment
mechanism.
Note
No message for selection/deselection within the tolerance time (p9650)
If "Safe Torque Off" is selected and deselected through one channel within the tolerance
time p9650, the pulses are suppressed without a message being output.
However, if you want a message to be displayed, then you must reconfigure N01620 as an
alarm or fault using p2118 and p2119.


Restart after the "Safe Torque Off" function has been selected
1. Deselect the function.
2. Set drive enables.
3. After deselecting STO, wait until the converter is "ready to switch on".
4. Cancel the "switching on inhibited" and switch the drive back on.
– 1/0 edge at input signal "ON/OFF1" (cancel "switching on inhibited")
– 0/1 edge at input signal "ON/OFF1" (switch on drive)

Status for "Safe Torque Off"


The status of the function STO is displayed via r9772, r9872, r9773, and r9774. Alternatively,
you can display the status of the function via the configurable message N01620 (configuration
via p2118 and p2119).

Response time for the "Safe Torque Off" function


For the response times when the function is selected/deselected via input terminals, see the
table in Chapter "Response times (Page 355)".

Internal armature short-circuit with the "Safe Torque Off" function


The function "internal armature short-circuit" can be configured together with the "STO"
function.
The "STO" safety function has the higher priority when simultaneously selected. If the "STO"
function is initiated, then an activated "internal armature short-circuit" is disabled.

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2810 SI Basic Functions - STO (Safe Torque Off), SS1 (Safe Stop 1)
● 2811 SI Basic Functions - STO (Safe Torque Off), safe pulse suppression

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9601 SI enable functions integrated in the drive (Control Unit)
● r9720 CO/BO: SI Motion drive-integrated control signals
● r9722 CO/BO: SI Motion drive-integrated status signals (Control Unit)
● r9772 CO/BO: SI Status (Control Unit)
● r9773 CO/BO: SI Status (Control Unit + Motor Module)
● r9774 CO/BO: SI Status (group STO)


5.1.1.1 Safe Torque Off (STO) for SINAMICS HLA


For the HLA module, safe torque off (STO) corresponds to shutting off a safety-relevant shutoff
valve.

Special features of STO for HLA


● The shutoff valve controls the infeed to the hydraulic circuit. The shutoff valve is controlled
via an F-DO of SINAMICS HLA.
● For Safety Integrated Functions, it is absolutely necessary that a shutoff valve is connected
with the associated feedback signals.
● You configure the feedback signal contacts of the shutoff valve using parameter p9626.
● You can take into account the response times of the feedback signals using parameter
p9625.
● The shutoff valve is safely closed by selecting STO. If the shutoff valve signals a safe state
via the feedback signal(s), the "STO active/Power removed" state is displayed, and is output
at the configured safety-related output (PROFIsafe feedback signal telegram, F-DO on
TM54F).
Figure 5-1 Interconnecting the shutoff valve (for an axis)

● F-DO is dynamized each time that STO is selected/deselected: "Diag DO+" and "Diag DO-"
are checked when switching F-DO+ and F-DO-.
● This makes it unnecessary to select the forced checking procedure (test stop) explicitly.
● If an error occurs in the forced checking procedure (test stop), the converter will issue fault
F01632 or F30632.


Function diagrams (see SINAMICS S120/S150 List Manual)

● 2810 SI Basic Functions - STO (Safe Torque Off), SS1 (Safe Stop 1)
● 2811 SI Basic Functions - STO (Safe Torque Off), safe pulse cancellation

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9625[0...1] SI HLA shutoff valve wait time (CU)
● p9626 SI HLA shutoff valve feedback contacts configuration (CU)
● r9773 CO/BO: SI Status (Control Unit + Hydraulic Module)
● r9774 CO/BO: SI Status (group STO)
● r9780 SI monitoring cycle (Control Unit)

5.1.2 Safe Stop 1 (SS1, time controlled)

5.1.2.1 SS1 with OFF3


The "Safe Stop 1" (SS1) function allows the drive to be stopped in accordance with EN 60204-1,
Stop Category 1. The drive decelerates with the OFF3 ramp (p1135) once "Safe Stop 1" is
selected and switches to "Safe Torque Off" (STO) once the delay time set in p9652 has elapsed.

Note
Selection via terminals
The selection of the "Safe Stop 1" (time-controlled) function via terminals is parameterized by
setting a delay > 0 in p9652. In this case, the STO function can no longer be selected directly
via terminals, i.e. either STO or SS1 can be selected via terminals, but not both.

Precondition
● The Basic Functions are enabled via terminals and/or PROFIsafe:
– p9601 = 1, 8 or 9 (hex)
● Enabling Basic Functions via TM54F
– p9601.6 = 1
● In order that the drive can brake down to a standstill even when selected through one
channel, the time in p9652 must be shorter than the sum of the parameters for the data
cross-check (p9650 and p9658). Otherwise the drive will coast down after the time
p9650 + p9658 has elapsed.


Functional features of Safe Stop 1


SS1 is enabled by p9652 (delay time) ≠ 0.
● Setting parameter p9652 has the following effect:
– p9652 = 0
SS1 is not enabled. Only STO can be selected via TM54F, the onboard terminals and/or
PROFIsafe.
– p9652 > 0
SS1 is enabled. Only SS1 can be selected via the onboard terminals; with PROFIsafe,
a selection of SS1 and STO is possible.
● When SS1 is selected, the drive is braked along the OFF3 ramp (p1135) and STO/SBC is
automatically initiated after the delay time has expired (p9652).
After the function has been selected, the delay timer runs down - even if the function is
deselected during this time. In this case, after the delay time has expired, the STO/SBC
function is selected and then again deselected immediately.
Note
Setting the delay time
So that the drive is able to travel down the OFF3 ramp completely and any motor holding
brake present can be applied, before the pulses have been safely deleted, the delay time
should be set as follows:
● Motor holding brake parameterized: Delay time p9652 ≥ p1135 + p1228 + p1217
● Motor holding brake not parameterized: Delay time p9652 ≥ p1135 + p1228
● The setting of parameter p1135 must be oriented towards the actual braking capability
of the drive.

● The timer (p9652), after whose expiration STO is activated, is implemented in two
channels, although deceleration along the OFF3 ramp is implemented in only one channel.
● Effect on "Speed setpoint limit effective" (r9733[0...2]):
For SS1 (≙ STOP B), a setpoint of 0 is specified in r9733[0...2].

Status of Safe Stop 1


The status of the "Safe Stop 1" (SS1) function is displayed using the parameters r9772, r9872,
r9773 and r9774.
As an alternative, the status of the function can be displayed using the configurable message
N01621 (configured using p2118 and p2119).


5.1.2.2 SS1 with external stop


In drive line-ups (e.g. drives that are mechanically connected via the material), the drive-
independent braking on the respective OFF3 ramp can cause problems. If the SS1E function
is used, the safe delay time (p9652) is started when the function is selected, but no OFF3 is
triggered. The higher-level controller still enters the setpoint. The controller receives the
information that SS1E has been selected via the Safety Info Channel.

WARNING
Any axis motion is possible
During the delay time (p9652), for "Safe Stop 1 (time-controlled) with external stop", any axis
movements are possible.

Differences between "SS1 with OFF3" and "SS1 with external stop"
"SS1 with OFF3" and "SS1 with external stop" have the following differences:
● In order to activate "Safe Stop 1 with external stop", additionally set p9653 = 1.
● When SS1E is selected, the drive is not braked along the OFF3 ramp, but after the delay
time has expired (p9652), only STO/SBC is automatically initiated.
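
The delay-time rules for p9652 given in 5.1.2.1 and 5.1.2.2 can be checked mechanically against an exported parameter set, for example during a configuration review. The following Python check is an added example, not Siemens code; the class and function names, the finding codes, the sample values and the convention that all times are passed as integer milliseconds are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, code, message)


@dataclass(frozen=True)
class Ss1Settings:
    """SS1-related parameters of one drive, all times as integer milliseconds.

    Assumption: the caller converts the exported values to ms first; this
    page does not state the unit of the individual parameters.
    """
    p9652: int                   # SS1 delay time (0 = SS1 not enabled)
    p1135: int                   # OFF3 ramp-down time
    p1228: int                   # pulse suppression delay time
    p9650: int                   # data cross-check time (tolerance time)
    p9658: int                   # data cross-check time (second parameter)
    p1217: Optional[int] = None  # brake closing time; None = no holding brake parameterized
    p9653: int = 0               # 1 = SS1 with external stop (SS1E)


def audit_ss1(s: Ss1Settings) -> List[Finding]:
    """Check one drive against the p9652 rules of 5.1.2.1 and 5.1.2.2."""
    brake_time = s.p1217 if s.p1217 is not None else 0
    if min(s.p9652, s.p1135, s.p1228, s.p9650, s.p9658, brake_time) < 0:
        raise ValueError("time parameters must not be negative")

    if s.p9652 == 0:
        return [("info", "SS1_DISABLED",
                 "p9652 = 0: SS1 is not enabled, only STO can be selected")]

    findings: List[Finding] = [
        ("info", "STO_NOT_VIA_TERMINALS",
         "p9652 > 0: the onboard terminals now select SS1 only, not STO")]

    ramp_needed = s.p1135 + s.p1228 + brake_time   # minimum p9652 with OFF3
    cross_check = s.p9650 + s.p9658                # p9652 must stay below this

    if s.p9653 == 1:
        # SS1E: no OFF3 is triggered, so the ramp rule does not apply.
        findings.append(("warning", "SS1E_NO_DRIVE_BRAKING",
                         f"any axis motion is possible for {s.p9652} ms; "
                         "the higher-level controller still enters the setpoint"))
    else:
        if s.p9652 < ramp_needed:
            findings.append(("error", "DELAY_SHORTER_THAN_RAMP",
                             f"p9652 = {s.p9652} ms < {ramp_needed} ms: STO is "
                             "initiated before the OFF3 ramp has finished"))
        if ramp_needed >= cross_check:
            findings.append(("error", "NO_VALID_DELAY",
                             f"ramp needs {ramp_needed} ms but p9650 + p9658 = "
                             f"{cross_check} ms: no p9652 satisfies both rules"))

    # 5.1.2.2 lists only two differences between SS1E and SS1 with OFF3, so
    # this precondition is applied to both variants (assumption of this example).
    if s.p9652 >= cross_check:
        findings.append(("error", "COAST_ON_SINGLE_CHANNEL",
                         f"p9652 = {s.p9652} ms >= p9650 + p9658 = {cross_check} ms: "
                         "on single-channel selection the drive coasts down"))
    return findings


# Constructed sample values for illustration, not taken from a real drive.
_BASE = dict(p1135=1000, p1228=10, p9650=500, p9658=2000)
SAMPLE_DRIVES: Dict[str, Ss1Settings] = {
    "axis_ok":       Ss1Settings(p9652=1500, p1217=100, **_BASE),
    "axis_short":    Ss1Settings(p9652=1000, p1217=100, **_BASE),
    "axis_coast":    Ss1Settings(p9652=3000, p1217=100, **_BASE),
    "axis_conflict": Ss1Settings(p9652=3100, p1135=3000, p1228=10,
                                 p9650=500, p9658=2000),
    "axis_ss1e":     Ss1Settings(p9652=800, p9653=1, **_BASE),
    "axis_off":      Ss1Settings(p9652=0, **_BASE),
}


def audit_all(drives: Dict[str, Ss1Settings]) -> Dict[str, List[str]]:
    """Return the finding codes per drive."""
    return {name: [code for _, code, _ in audit_ss1(s)]
            for name, s in drives.items()}


if __name__ == "__main__":
    for name, settings in SAMPLE_DRIVES.items():
        for severity, code, message in audit_ss1(settings):
            print(f"{name:14} {severity:8} {code:24} {message}")
```

The "axis_conflict" case shows a configuration in which the OFF3 ramp takes longer than p9650 + p9658, so no value of p9652 can meet both the ramp rule and the single-channel precondition.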


5.1.2.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2810 SI Basic Functions - STO (Safe Torque Off), SS1 (Safe Stop 1)
● 2811 SI Basic Functions - STO (Safe Torque Off), safe pulse cancellation

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p1135[0...n] OFF3 ramp-down time
● p1217 Motor holding brake closing time
● p1228 Pulse suppression delay time
● p9601 SI enable functions integrated in the drive (Control Unit)
● p9652 SI Safe Stop 1 delay time (Control Unit)
● r9772.0...23 CO/BO: SI Status (Control Unit)
● r9773.0...31 CO/BO: SI Status (Control Unit + Motor Module)
● r9774.0...31 CO/BO: SI Status (group STO)
Only for "Safe Stop 1 (time-controlled) with external stop"
● p9653 SI Safe Stop 1 drive-based braking response

5.1.3 Safe Brake Control (SBC)

The "Safe Brake Control" function (SBC) is used to safely control holding brakes that function
according to the closed-circuit principle (e.g. motor holding brake).
The opening and closing of the brake is controlled by the Motor Module / Power Module.
Terminals are available for this on the device in booksize format. A Safe Brake Relay is also
required for the "Safe Brake Control" in the blocksize format. A Safe Brake Adapter is required
in the chassis format (starting with article numbers ending with ...3). When the Power Module
is configured automatically, the Safe Brake Relay is detected and the motor holding brake type
is defaulted (p1278 = 0).
Brake activation via the brake connection on the Motor Module / Safe Brake Relay (SBR) / Safe
Brake Adapter (SBA) involves a safe, two-channel method.

Note
No SBC for SINAMICS HLA
SINAMICS HLA does not support Safe Brake Control.

Note
Controlling the brake via a relay for "Safe Brake Control"
If you use the "Safe Brake Control (SBC)" function, the use of relays/contactors can cause
faults in the brake control when brakes are switched.


WARNING
Undesirable motor motion due to defective brake
"Safe Brake Control" does not detect mechanical defects of the brake.
A cable break or a short-circuit in the brake winding is only detected when the state changes,
i.e. when the brake either opens and/or closes. In SINAMICS S120M, a cable break is only
identified when opening the brake.
For devices in chassis format with connected Safe Brake Adapter, the connecting cable
between the Safe Brake Adapter and the motor brake is not monitored for cable break or short-
circuit.
The aforementioned defects may trigger unwanted motor motion, which may result in physical
injury or death.
● In particular, ensure the brake is not powered from an external source. Information on this
topic can be found in EN 61800‑5‑2, Appendix D.
● During commissioning, test the brake using the diagnostic function "Safe Brake Test
(SBT)" (Extended Function): Additional information is provided in Chapter "Safe Brake
Test (SBT) (Page 144)".

5.1.3.1 Description SBC

Functional features of "Safe Brake Control"


● SBC is executed when "Safe Torque Off" (STO) is selected.
● In contrast to conventional brake control, SBC is executed via two channels.
● SBC is executed regardless of the brake control or mode set in p1215. However, SBC does
not make sense for p1215 = 0 or 3.
● The function must be enabled using parameters.
● When the state changes, electrical faults, such as a short-circuit in the brake winding or wire
breakage can be detected.

Enabling the "Safe Brake Control" function


The "Safe Brake Control" function is enabled via parameter p9602.
The SBC function can be used only together with STO. The selection of SBC alone is not
possible.


2-channel brake control

Note
Connecting the brake
The brake cannot be directly connected to the Motor Module in chassis format. A Safe Brake
Adapter is also required.

The brake is controlled from the Control Unit. Two signal paths are available for applying the
brake.

Figure 5-2 2-channel brake control, blocksize (example)

The Motor / Power Module carries out a check to ensure that the "Safe Brake Control" function
is working properly and ensures that, if the Control Unit fails or is faulty, the brake current is
interrupted and the brake applied.
The brake diagnosis can only reliably detect a malfunction in either of the switches (TB+, TB-)
when the status changes, i.e. when the brake is released or applied.
If the Motor Module or Control Unit detects a fault, the brake current is switched off. The brake
then closes and a safe state is reached.


5.1.3.2 SBC for Motor Modules in the chassis format


To be able to set higher power in the brakes of devices of this format, an additional Safe Brake
Adapter (SBA) module is needed. For more information about connecting and wiring the Safe
Brake Adapter, refer to the "SINAMICS G130/G150/S120 Chassis/S120 Cabinet Modules/
S150 Safety Integrated" Function Manual.
Using parameter p9621, you can define via which digital input the relay (NO contacts) feedback
signal of the Safe Brake Adapter is routed to the Control Unit.
To evaluate the feedback signal contacts, you must maintain the wait times caused by the SBA.
Parameter p9622 is pre-assigned with the SBA-relay wait times:
● p9622[0] ≙ wait time, switching on
● p9622[1] ≙ wait time, switching off
Further functionality and the activation of the brake, i.e. reaching the safe status, are in this case
the same as the above described procedure for booksize devices.

Safe Brake Control with power units in a parallel connection

Note
SBC for parallel connection of power units
Safe Brake Control with power units in a parallel connection is available if r9771.14 = 1.

If you wish to use SBC with SBA for chassis format power units connected in parallel, then it is
only permissible that you connect precisely one SBA to a power unit in the parallel connection.
The Safe Brake Adapter and therefore the brake are controlled via this power unit.
There are two options for registering this power unit with the system:
● Automatic brake identification when commissioning the system for the first time
– Requirements:
- No Safety Integrated functions enabled
- p1215 = 0 (no motor holding brake available)
– During the first commissioning, SINAMICS checks at which power unit an SBA is
connected. If precisely one SBA is found, the number of the power unit is entered into
parameter p7015.
If several SBAs are found at the parallel-connected power units, message "F07935
drive: Motor holding brake configuration error" is output.
– For devices in the chassis format, if the SBA feedback signal (SBA_DIAG) is read in via
an input of the power unit, then in addition, this digital input is automatically entered into
parameter p9621.
● Manually defining the power unit
– Enter the component number of the power unit, to which the SBA is connected, into
parameter p7015. If no SBA is connected to the power unit, faults are detected when
controlling the motor holding brake and fault F01630 is output.
– In parameter p9621 (p9621 = BICO interconnection to r9872.3), enter the digital input of
the power unit to which the SBA is connected and via which the SBA feedback signal
(SBA_DIAG) is read in.

Note
Disconnecting the brake cable for service purposes
As long as the brake is permanently released and not actuated, it is possible to briefly
disconnect the brake cable, e.g. for service purposes, and not receive fault messages. In the
case of a fault, message F07935 is only output when the brake is controlled.

5.1.3.3 Hardware required for SBC


● Safe Brake Relay
The command for releasing or applying the brake is transferred to the Motor Module / Power
Module via DRIVE-CLiQ. The Motor Module / Safe Brake Relay then carries out the action
and appropriately activates the outputs for the brake.

[Figure: Power Module with PM-IF interface, connected via cable harness to the Safe Brake Relay; further labels: U, V, W, PE, ext, BR, CTRL, M]

Figure 5-3 Interconnecting the Safe Brake Relay using Blocksize as an example

● Safe Brake Adapter


The brake cannot be directly connected to the Motor Module in the chassis format. The
connection terminals are only designed for 24 V DC with 150 mA; the Safe Brake Adapter
is required for higher currents and voltages.

Note
Additionally required hardware for other formats
A Safe Brake Relay is also required for the "Safe Brake Control" in the blocksize format. With
the chassis format (article numbers ending ...3 or higher), a Safe Brake Adapter is required. The
Safe Brake Adapter is available for a 230 V AC brake control voltage.

[Figure: wiring diagram. Safe Brake Adapter (SBA, 230 V AC) connected to the Control Interface
Module (CIM) of the Motor Module / Power Module via connecting cable 6SL3060-4DX04-0AA0.
SBA -X11: BR+ (1), BR- (2), FB+ (3), FB- (4), P24 (5), M (6)
CIM -X46: BR output+ (1), BR output- (2), FB input+ (3), FB input- (4)
CIM -X42: P24 (2), M (3)
SBA -X12: external power supply 230 V AC, L (1), N (2)
SBA -X14: SBA_BR_L (1), SBA_BR_N (2)
SBA -X15: fast de-excitation, AUX1 (1), AUX2 (2)
SBA LEDs: 230 V OK, K1 ON, K2 ON
Motor connection: U2, V2, W2, PE (M 3~)]

Figure 5-4 Interconnecting the Safe Brake Adapter

5.1.3.4 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2814 SI Basic Functions - SBC (Safe Brake Control), SBA (Safe Brake
Adapter)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p0799 CU inputs/outputs, sampling time


● p1215 Motor holding brake configuration
● p7015 Par_circuit holding brake power unit data set
● p9602 SI enable safe brake control (Control Unit)
● p9621 BI: SI Safe Brake Adapter signal source (Control Unit)
● p9622[0...1] SI SBA relay wait times (Control Unit)
● r9771.14 SI common functions (Control Unit): SBC supported for parallel connection
● r9780 SI monitoring cycle (Control Unit)

5.1.4 Safety faults


The fault messages of the Safety Integrated Basic Functions are saved in the standard
message buffer and can be read out from there. By contrast, the fault messages of the Safety
Integrated Extended Functions are stored in a separate Safety message buffer (see Chapter
"Message buffer (Page 402)").
When faults associated with Safety Integrated Basic Functions occur, the following stop
responses can be initiated:

Table 5-1 Stop responses for Safety Integrated Basic Functions

| Stop response | Triggered ... | Action | Effect |
|---|---|---|---|
| STOP A cannot be acknowledged | For all Safety faults with pulse suppression that cannot be acknowledged | Trigger safe pulse suppression via the switch-off signal path for the relevant monitoring channel. During operation with SBC: Apply motor holding brake. | The motor coasts to a standstill or is braked by the holding brake. |
| STOP A | For all acknowledgeable Safety faults. As a follow-up reaction of STOP F. | Trigger safe pulse suppression via the switch-off signal path for the relevant monitoring channel. During operation with SBC: Apply motor holding brake. | The motor coasts to a standstill or is braked by the holding brake. |
| STOP F | If an error occurs in the data cross-check. | Transition to STOP A. | Follow-up response STOP A with adjustable delay (factory setting without delay) if one of the safety functions is selected |

STOP A corresponds to Stop Category 0 in accordance with EN 60204-1.
With STOP A, the motor is switched directly to zero torque via the "Safe Torque Off (STO)" function.
A motor at standstill cannot be started again accidentally.
A moving motor coasts to standstill. This can be prevented by using external braking mechanisms, e.g.
holding or operating brake.
When STOP A is present, "Safe Torque Off" (STO) is active.

STOP F is permanently assigned to the data cross-check (DCC). In this way, errors are detected in the
monitoring channels.
After STOP F, STOP A is triggered.
When STOP A is present, "Safe Torque Off" (STO) is active.

WARNING
Uncontrolled movement of the axis.
With a vertical axis or a pulling load, there is a danger of uncontrolled movement of the axis
when STOP A/F is triggered.
This can cause serious injury or death to persons in the danger zone.
● If there is a hazard due to unwanted movement in your application, take measures to
counter it, for example, by using a brake with safe monitoring. For additional information,
see Chapter "Safe Brake Control (SBC) (Page 84)".

Acknowledging the Safety faults


There are several ways to acknowledge Safety faults:
● Acknowledgment through deselection of STO or SS1:
– Remove the cause of the fault.
– Deselect "Safe Torque Off" (STO) or "Safe Stop 1" (SS1).
– Acknowledge the fault.
If the Safety commissioning mode is exited when the Safety functions are switched off
(p0010 ≠ 95 when p9601 = 0), all Safety faults can be acknowledged.
Once safety commissioning mode has been selected again (p0010 = 95), all the faults that
were previously present reappear.
● The higher-level controller sets the signal "Internal Event ACK" via the PROFIsafe telegram
(STW bit 7). A falling edge in this signal resets the status "Internal Event" and so
acknowledges the fault.
● Acknowledgment by switching the drive unit off/on
Safety faults can also be acknowledged (as with all other faults) by switching the drive unit
off and then on again (POWER ON). If this action has not eliminated the fault cause, the fault
is displayed again immediately after power-up.

Description of faults and alarms

Note
References
The faults and alarms for SINAMICS Safety Integrated Functions are described in the following
document:
References: SINAMICS S120/S150 List Manual

5.1.5 Forced checking procedure (test stop)

5.1.5.1 Forced checking procedure or test of the switch-off signal paths (test stop) for Safety Integrated Basic
The forced checking procedure (test stop) at the switch-off signal paths is used to detect
software/hardware faults at both monitoring channels in time and is automated by means of
activation/deactivation of the "Safe Torque Off" (STO) or "Safe Stop 1" (SS1) function.
To fulfill the requirements of ISO 13849-1 regarding timely error detection, the two switch-off
signal paths must be tested at least once within a defined time to ensure that they are
functioning properly. This functionality must be implemented using the forced checking
procedure (test stop), triggered either in the manual mode or by the automated process.
A timer ensures that the forced checking procedure (test stop) is carried out in a timely fashion.
● p9659 SI forced checking procedure, timer.

A forced checking procedure (test stop) must be performed on the switch-off signal paths at
least once during the time set in this parameter.
Once this time has elapsed, an alarm is output and remains active until forced checking
procedure (test stop) is carried out.
The timer returns to the set value each time the STO/SS1 function is deactivated.

Note
Resetting the timer of the Basic Functions
When simultaneously using the Extended Functions, if the forced checking procedure (test
stop) is performed, then the timer of the Basic Functions is also reset.
While STO is selected by the Extended Functions, the terminals for the selection of the Basic
Functions are not checked for discrepancy. This means that the forced checking procedure
(test stop) of the Basic Functions must always be performed without the selection of STO or
SS1 by the Extended Functions. It is otherwise not possible to verify the correct control by the
terminals.

When the appropriate safety devices are implemented (e.g. protective doors), it can be
assumed that running machinery will not pose any risk to personnel. The user is therefore only
informed that the forced checking procedure (test stop) is due in the form of an alarm, which
requests the user to perform forced checking procedure (test stop) at the next possible
opportunity. This alarm does not affect machine operation.
The user must set the time interval for carrying out forced checking procedure (test stop) to
between 0.00 and 9000.00 hours depending on the application (factory setting: 8.00 hours).
Examples of when the forced checking procedure (test stop) must be performed:
● When the drives are at a standstill after the system has been switched on (POWER ON).
● When the protective door is opened.
● At defined intervals (e.g. every 8 hours).
● In automatic mode (time and event dependent).
● The maximum time interval is one year (8760 hours).
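
The timer behavior described above can be modelled to plan test stops against an operating schedule. The following Python sketch is an added example, not code from the manual or from Siemens; it assumes the timer starts counting at `start_h` (for example after a test stop at POWER ON) and that the STO/SS1 deselection times are taken from your own operating log (the sample values in the test are constructed).

```python
"""Planning model of the forced checking (test stop) timer p9659."""

P9659_MIN_H = 0.00       # lower setting limit stated in the manual text
P9659_MAX_H = 9000.00    # upper setting limit stated in the manual text
P9659_FACTORY_H = 8.00   # factory setting stated in the manual text


def alarm_windows(deselect_times_h, p9659_h=P9659_FACTORY_H,
                  horizon_h=24.0, start_h=0.0):
    """Return the intervals [(alarm_start_h, alarm_end_h), ...] in which the
    "test stop due" alarm would be active between start_h and horizon_h.

    deselect_times_h: times (in hours) at which STO/SS1 was deactivated.
    Per the manual, each deactivation returns the timer to its set value,
    and the alarm stays active until the next test stop is carried out.
    Assumption of this model: the timer starts counting at start_h.
    """
    if not P9659_MIN_H <= p9659_h <= P9659_MAX_H:
        raise ValueError(f"p9659 = {p9659_h} h is outside "
                         f"{P9659_MIN_H}..{P9659_MAX_H} h")
    if horizon_h < start_h:
        raise ValueError("horizon_h must not be earlier than start_h")

    # Every timer reset inside the observation window, in time order.
    resets = [start_h] + sorted(
        t for t in deselect_times_h if start_h < t <= horizon_h)

    windows = []
    for reset, next_reset in zip(resets, resets[1:] + [horizon_h]):
        due = reset + p9659_h          # moment the timer elapses
        if due < next_reset:           # no test stop before it elapsed
            windows.append((due, next_reset))
    return windows


def overdue_hours(deselect_times_h, p9659_h=P9659_FACTORY_H,
                  horizon_h=24.0, start_h=0.0):
    """Total time the alarm would have been pending in the window."""
    return sum(end - begin for begin, end in
               alarm_windows(deselect_times_h, p9659_h, horizon_h, start_h))


if __name__ == "__main__":
    # Constructed schedule: STO deselected 3 h, 12.5 h and 19 h after start.
    for begin, end in alarm_windows([3.0, 12.5, 19.0], 8.0, 30.0):
        print(f"alarm pending from {begin:.2f} h to {end:.2f} h")
```

A non-empty result means the planned STO/SS1 cycles alone do not keep the timer from elapsing, so an additional test stop has to be scheduled in the reported windows.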

5.1.5.2 Forced checking procedure (test stop) with POWER ON


Forced checking procedure (test stop) can be automatically executed at POWER ON.
● If the forced checking procedure (test stop) as well as the test of the F‑DO for the CU310-2
are to be executed automatically, then set p9507.6 = 1. When testing the F-DO of the
CU310-2, you must parameterize p10042 and activate the test in p10046.
● If the forced checking procedure (test stop) of the F‑DI and F‑DO of the TM54F is to be
executed automatically, then set p10048 = 1.
● If you have parameterized the forced checking procedure (test stop) for POWER ON, you
can still initiate a forced checking procedure (test stop) at any time as part of the engineered
application.

● If the automatically initiated function cannot be correctly completed as a result of a problem
(e.g. communication failure), then after the problem has been resolved, the function is
automatically restarted.
● After the forced checking procedure (test stop) has been performed successfully, the
converter goes into the "Ready" state.
● Timer p9659 is automatically reset as a result of the forced checking procedure (test stop).
● The automatic forced checking procedure (test stop) for POWER ON does not influence the
Safety Integrated Functions.

5.1.6 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2800 SI Basic Functions - Parameter manager


● 2802 SI Basic Functions - Monitoring functions and faults/alarms
● 2890 SI TM54F - Overview
● 2891 SI TM54F - Parameter manager
● 2900 SI TM54F - Basic Functions control interface (p9601.2/3 = 0, p9601.6 = 1)
● 2901 SI TM54F - Basic Functions Safe State selection
● 2902 SI TM54F - Basic Functions assignment (F-DO 0 ... F-DO 3)

5.2 Safety Integrated Extended Functions

Note
PFH values
The PFH values of the individual SINAMICS S120 safety components can be found at:
PFH values (https://support.industry.siemens.com/cs/ww/en/view/76254308)

5.2.1 License for Extended Functions or Advanced Functions


● One license is required for each axis that is operated with Safety Integrated Extended or
Advanced Functions. You enter the associated license key with the "License Key" button in
Startdrive. Then activate the license key via "Activate".
As an alternative, you can enter the license key into parameter p9920 in the ASCII code. The
license key is activated using parameter p9921 = 1.
● For information on how to generate the license key for the product "SINAMICS Safety
Integrated Extended Functions" or "SINAMICS Safety Integrated Advanced Functions"
read the section "Licensing" in the SINAMICS S120 Function Manual. An insufficient license
is indicated via the following fault and LED:
– F13000 → licensing not sufficient
– LED RDY → flashes red with 2 Hz
● When purchasing your drive, you can already decide to use Safety Integrated Functions,
and you will then be provided with the required license(s) on the memory card supplied. In
this case, you do not have to explicitly activate the licenses.
● A trial license is available for test purposes; this allows you to use Safety Integrated
functions for a specific time without having a valid license.
Details on the trial license can be found in the "SINAMICS S120 Function Manual Drive
Functions", Chapter "Licensing".

5.2.2 Differences between Extended Functions "with encoder" and "without encoder"

If motors without a (safety-capable) encoder are being used, not all Safety Integrated Functions
can be used. You will find general information on this distinction in Chapter "Drive monitoring
with or without encoder (Page 40)."

Activation
For activation of the Safety Integrated Extended Functions "with encoder" and "without
encoder", set the parameters p9306 and p9506 (factory setting = 0). You can also make this
setting by selecting "with encoder" or "without encoder" on the Safety‑Integrated Startdrive
screen. To do this, in Startdrive, in the secondary navigation of the drive axis, select the "Drive
functions > Safety Integrated > Function selection" menu item.
● Operation with encoder
p9506 = 0
or
p9506 = 2
● Operation without encoder
p9506 = 1
or
p9506 = 3

Monitoring with an encoder


The Safety Integrated Functions with encoder are configured with p9506 = 0 (factory setting)
or p9506 = 2 in the expert list or by selecting "with encoder" in the Safety screen.
● If p9506 = 0:
Braking is monitored with the "Safe Acceleration Monitor" function.
● If p9506 = 2:
Here, also for SS1, the monitoring function "Safe Brake Ramp" is active.
More detailed information on actual value acquisition with encoder can be found in Section
"Reliable actual value acquisition with encoder system (Page 160)".

Monitoring without an encoder


The Safety Integrated Functions without encoder are configured in the expert list using p9506
= 1 or p9506 = 3 or by selecting "without encoder" in the Safety screen form.
● For p9506 = 1, the following applies:
Here, also for SS1, the monitoring function "Safe Brake Ramp" is active.
● For p9506 = 3, the following applies:
Braking is monitored with the "Safe Acceleration Monitor" function. The behavior
corresponds to "monitoring with encoder".

Taking into account the slip of an induction motor


For Safety Integrated without encoder (depending on the drive load), as a result of slip
(deviations between electrical and mechanical speed), deviations can occur between the safely
determined electrical speed and the mechanical speed at the motor shaft.

Note
Sudden changes in the current and voltage curve (e.g. sudden change in the setpoint setting
and load) and very small absolute values with a high proportion of noise generally result in faults
of the safe encoderless actual value acquisition and must be avoided.

More detailed information on actual value acquisition without encoder can be found in Section
"Safe actual value sensing without encoder (Page 167)".

Note
Scope of functions
There are fewer Safety Integrated Extended Functions available "without encoder" than "with
encoder" (see Section "Drive monitoring with or without encoder (Page 40)").

Note
Safety Integrated Functions "without encoder" for group drives
The Safety Integrated Functions "without encoder" are also permissible for group drives
(multiple motors connected to one power unit).

"Parking" state for Safety Integrated Extended Functions with encoder

Note
Extended Functions with encoder and "parking"
When a drive object, for which Safety Integrated Extended Functions with encoder are enabled,
is switched to "Park" mode, the Safety Integrated software responds by selecting STO without
generating a separate message. This internal STO selection is displayed in parameter
r9772.19.

5.2.2.1 Specifics relating to Safety Integrated Functions "without encoder"

Basic Functions
● Basic Functions are available in all control modes with and without encoder for synchronous
and induction motors without any restrictions.
● A safety-related encoder is not required for Basic Functions.
● The Safety Integrated Functions "without encoder" are also permitted for group drives
(multiple motors connected to one power unit).

Extended Functions
Extended Functions SS1, SLS, SDI, and SSM "without encoder" do not require safety-related
speed actual value sensing. If an encoder is used for the drive control, this has no influence on
the sensorless safety functions. You can use Extended Functions "without encoder" with the
following motor types:
● Induction motor in all control modes
● SIMOTICS A-1FU synchronous motors (previously: SIEMOSYN) with U/f control
● Synchronous reluctance motors in vector control

The Safety Integrated Functions "without encoder" are also permitted for group drives (multiple
motors connected to one power unit).

Note
Taking into account the slip of an induction motor
For Safety Integrated without encoder, the safely determined electrical speed (depending on
the drive load) may deviate from the mechanical speed at the motor shaft as a result of the slip
for induction motors (deviations between electrical and mechanical speed).

Restrictions
When using Extended Functions, observe the following restrictions:

Synchronous reluctance motors with Safety Integrated Functions "without encoder"


SINAMICS S120 supports synchronous reluctance motors with Safety Integrated Functions
"without encoder". Note the following information for this application case:
● Synchronous reluctance motors may only be operated with vector control.
● From the perspective of Safety Integrated, synchronous reluctance motors fall into the
"asynchronous motor" category.
● Technical details:
– Synchronous reluctance motors have no slip: The note "Slip of an induction motor must
be taken into account" mentioned above does not apply to synchronous reluctance
motors.
– The setting "Closed-loop controlled operation down to f = 0 Hz with test signal"
(p1750.5 = 1) is not permissible.
– If you activate the function "Closed-loop controlled operation down to f = 0 Hz with test
signal" (p1750.5 = 1), synchronous reluctance motors do not require current injection.
– Compared to induction motors, synchronous reluctance motors require a shorter time for
magnetization: This reduces the wait time when starting with active encoderless safety
monitoring, e.g. for SLS.

Inadmissible operating modes for Safety Integrated Functions "without encoder"


● No operation with SINAMICS Hydraulic Drive (HLA)
● Current controller clock cycles 31.25 µs and 62.5 μs (for Double Motor Modules with two
configured safety drives) are not permissible.

● For the independent setting of current controller clock cycle and pulse frequency in
conjunction with Safety Integrated "without encoder", the following system clock cycles are
not permitted:
– Double Motor Module: < 125 μs
– All other components: < 62.5 μs
– p9589 must be set = 3300 to allow the current controller clock cycle and pulse frequency
to be independently set.
● For all designs: Safety Integrated Functions "without encoder" only with parameter p1810 =
factory setting, this includes:
- No wobbling
- No fine setting of the pulse frequency
● For chassis format devices, the following also applies:
– For chassis format devices, operation without encoder is only permissible for induction
motors, however not for synchronous motors.
– No operation involving parallel connections
– Optimized pulse patterns cannot be selected for SIMOTICS FD
● No "shaft generator" functionality
● Induction motors up to 1000 kW
On very large machines, it may also be necessary to adjust the parameter p9585.

Critical operating modes for Safety Integrated Functions "without encoder"


When the safety functions are deactivated, the following technology functions are not
negatively influenced.
Using the following operating modes with the Safety Integrated Functions activated without
encoder can result in errors in the encoderless safe actual value sensing (see messages
C01711, C30711 with fault values 1040 ff.).
Safe, encoderless actual value sensing is based on the measurement of current and voltage
variables, which can influence the following functions. This does not result in unsafe states.
However, this fault can be expected to have a negative impact on availability.

Note
Irregular operating states
Note that in irregular operating states (e.g. "stalled motor"), the converter can fail with safety
faults. However, under no circumstances is an unsafe state reached.

● Current limiting of the power unit


When the current limiting of the power unit responds, then it can be assumed that this will
result in errors in the encoderless safe actual value sensing and in turn with an associated
stop response.
Note
When engineering the drive and when parameterizing the current and torque limits, it
must be ensured that the power unit current limiting does not respond.

● Operation with pulling loads


It is not permissible that the converter is forced into regenerative operation as a result of
external forces.
Note
If a coupled drive comprises an electric drive that motors and one that regenerates (e.g. a
test stand), and the speeds of both drives are safely monitored, safety functions without
encoder can be used. This is because in the case of a fault, the motoring drive recognizes
when a limit value is violated. If, in this example, the motoring drive is an internal combustion
engine, which is not safely monitored, use of safety functions without an encoder for the
braking drive is not permissible.
Winders with a motoring and a braking drive can be assessed in the same way (both drives
are monitored).

● Motor data identification


When using the measuring functions (stationary and rotating measurement) to determine
the motor data, then it can be assumed that the encoderless safe actual value sensing will
have an error.
Note
The motor data identification should always be performed before commissioning the Safety
Integrated Functions.

● Data set switchover


The motor and drive data switchover can always be used for safety functions without
encoder. It is not possible to switch over between induction and synchronous motors (this
is interlocked). For several motor data sets it must be ensured that all motors have the same
number of pole pairs. If the number of pole pairs in r0313 is not the same value that was
taken into account when configuring the safe actual value sensing (gearbox), then the
calculated, safe actual speed no longer corresponds to the mechanical speed of the shaft.
When SLS is activated, the shaft can rotate faster than the configured limits.
● Alternating acceleration/deceleration
For alternating acceleration and deceleration, it must be ensured that the following
conditions are maintained.
– Within 1 s, only one acceleration and one braking ramp are permitted.
Therefore, for a cycle 0 → +nset → -nset → 0 – one period of at least 2 s is required.
● This also applies to positioning operation; it may be necessary that the position control
settings and traversing profiles must be adapted so that no overshoots occur in the speed
characteristic (e.g. reduce the dynamic response, use flatter braking ramps).

● Flying restart
A flying restart should not be performed in operation with the Safety Integrated Functions
active.
Note
If you must use this function, then before the flying restart, you can deactivate the Safety
Integrated Functions, and then reactivate them again after the flying restart has been
completed.
In this case, the user must check as to whether it is permissible that the safety functions are
deactivated during the flying restart.
It is only permissible to activate and deactivate Safety Integrated Functions using failsafe
signals.

● DC brake
When using this function, DC current is impressed to brake the drive: This can result in an
error in the encoderless, safe actual value sensing and in turn in an associated stop
response.
Note
If you must use this function, then before braking, you can deactivate the Safety Integrated
Functions, and then reactivate them again after braking has been completed.
In this case, the user must check as to whether it is permissible that the safety functions are
deactivated during braking.
It is only permissible to activate and deactivate Safety Integrated Functions using failsafe
signals.

● Closed-loop controlled operation down to f = 0 Hz with test signal (see corresponding
chapter in the SINAMICS S120 Function Manual Drive Functions)
If you use Safety Integrated without encoder simultaneously with the function "Closed-loop
controlled operation down to f = 0 Hz with test signal", the drive may react with an undesired
safety message and a stop reaction. In this case, you cannot use the combination described.

Recommendations for stable operation with active Extended Functions without encoder
The following preconditions must be fulfilled to avoid fault messages from the safe actual value
sensing without encoder:
● The motor and the power unit are adequately dimensioned for this application.
● Motor and power unit should fulfill the following condition: The ratio between the rated power
unit current (r0207[0]) and rated motor current (p0305) should be less than 5.
● Before commissioning the safety functions, we recommend that the motor data are
identified at standstill and a rotating measurement is carried out.
● For the basic commissioning, i.e. before the safety commissioning, the closed-loop control
should be optimally set. The following effects should be avoided:
- speed overshoots
- current peaks and/or discontinuous/unsteady current actual value over time
- voltage peaks and/or discontinuous/unsteady voltage actual value over time
- noise in the current and voltage (keep it as low as possible)
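
Several of the encoderless restrictions and recommendations above can be checked offline against an exported parameter set before safety commissioning. The following Python sketch is an added example, not code from the manual or from Siemens; the data layout, the finding codes and `sls_limit_rpm` are hypothetical, and the pole pair calculation assumes the safe speed is derived from the electrical frequency with n = 60 · f / pole pairs (slip neglected).

```python
"""Offline pre-check for Safety Integrated Extended Functions without encoder."""
from dataclasses import dataclass


@dataclass
class EncoderlessSetup:
    r0207_0: float              # rated power unit current
    p0305: float                # rated motor current
    configured_pole_pairs: int  # pole pairs used for the safe actual value config
    r0313_by_mds: dict          # motor data set index -> pole pairs (r0313)
    p1750: int = 0              # bit 5 = operation down to 0 Hz with test signal
    sls_limit_rpm: float = 0.0  # hypothetical configured SLS limit


def shaft_speed_at_limit(sls_limit_rpm, configured_pp, actual_pp):
    """Mechanical speed reached when the safe (calculated) speed sits at the
    limit but the motor has a different pole pair number than configured."""
    return sls_limit_rpm * configured_pp / actual_pp


def ramp_violations(ramps, window_s=1.0):
    """ramps: iterable of (start_time_s, kind), kind is 'accel' or 'brake'.
    The manual permits only one acceleration and one braking ramp within 1 s,
    so two ramps of the same kind closer than window_s are reported."""
    violations = []
    for kind in ("accel", "brake"):
        times = sorted(t for t, k in ramps if k == kind)
        for earlier, later in zip(times, times[1:]):
            if later - earlier < window_s:
                violations.append((kind, earlier, later))
    return violations


def check_encoderless(setup):
    """Return a list of (code, message) findings; an empty list means none."""
    findings = []

    ratio = setup.r0207_0 / setup.p0305
    if ratio >= 5:
        findings.append(("RATIO", f"r0207[0]/p0305 = {ratio:.1f}, should be < 5"))

    if len(set(setup.r0313_by_mds.values())) > 1:
        findings.append(("POLE_PAIRS_DIFFER",
                         "motor data sets use different pole pair numbers"))

    for mds, actual_pp in sorted(setup.r0313_by_mds.items()):
        if actual_pp != setup.configured_pole_pairs:
            real = shaft_speed_at_limit(setup.sls_limit_rpm,
                                        setup.configured_pole_pairs, actual_pp)
            findings.append(("POLE_PAIR_MISMATCH",
                             f"MDS{mds}: shaft turns at {real:.0f} rpm when the "
                             f"safe speed shows {setup.sls_limit_rpm:.0f} rpm"))

    if setup.p1750 & (1 << 5):
        findings.append(("TEST_SIGNAL",
                         "p1750.5 = 1 together with encoderless safety functions"))
    return findings


if __name__ == "__main__":
    # Constructed parameter set for illustration.
    demo = EncoderlessSetup(60.0, 10.0, 2, {0: 2, 1: 1}, 0b100000, 300.0)
    for code, message in check_encoderless(demo):
        print(code, "-", message)
```

In the constructed data, motor data set 1 has half the configured pole pairs, so the shaft runs at 600 rpm while the safe speed reads 300 rpm, which is the situation the data set switchover bullet warns about.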

Safety Integrated Extended Functions without encoder for Control Unit Adapter CUA31 and CUA32
In the case of the Control Unit Adapters CUA31 and CUA32, the Safety Integrated Extended
Functions without encoder are available as follows:

| Control Unit Adapter | Article number | Safety Integrated without encoder: not available for | Safety Integrated without encoder: available for |
|---|---|---|---|
| CUA31 | 6SL3040-0PA01-0AA1 | Version (function states) A, B and C | Version D or newer |
| CUA32 | 6SL3040-0PA01-0AA0 | Version (function states) A and B | Version C or newer |

5.2.3 Safe Torque Off (STO)


For the control options and the functionality for "Safe Torque Off" (STO), see Section "Safe
Torque Off (STO) (Page 76)".

5.2.4 Safe Stop 1 (SS1)

5.2.4.1 Safe Stop 1 with encoder


For function SS1 of the Extended Safety Functions, braking monitoring is included.
● If p9506 = 0:
Braking is monitored with the "Safe Acceleration Monitor" function (see Chapter
"Description (Page 155)").
In this case, we also talk about "SS1 (time and acceleration controlled)".
● If p9506 = 2:
Here, also for SS1, the monitoring function "Safe Brake Ramp" is active (see Chapter "Safe
Brake Ramp (SBR) (Page 157)").
In this case, we also talk about "SS1 (speed controlled)".

The "Safe Stop 1" (SS1) function allows the drive to be stopped in accordance with EN 60204-1,
Stop Category 1. The drive brakes with the OFF3 ramp (p1135) once "Safe Stop 1" is selected
and switches to "Safe Torque Off" (STO) once the delay time has elapsed (p9556) or when the
speed falls below the shutdown speed (p9560).

Functional features of Safe Stop 1 with encoder


● The delay time starts after the function has been selected. If SS1 is deselected within this
time, after the delay time has elapsed or after the velocity has fallen below the shutdown
speed, the STO function is selected and deselected again immediately; i.e. the SS1 function
is ended completely normally. It cannot be interrupted.
● Selection and monitoring of the acceleration (SAM) or the monitoring function "Safe Brake
Ramp" are implemented in two channels, but braking along the OFF3 ramp is only
implemented in one channel.

Note
Interrupting the ramp function with OFF2 by the higher-level controller
Activating SS1 can mean that the higher-level controller (PLC, motion controller), which
specifies the speed setpoint, interrupts the ramp function (e.g. with OFF2). The device behaves
in this way as a result of a fault reaction triggered by OFF3 activation. This fault reaction must
be avoided by assigning appropriate parameters or configurations.

Note
No OFF2 with SS1 and EPOS
If you use SS1 together with EPOS, OFF2 is not permitted as the fault reaction to F07490
(EPOS: enable withdrawn while traversing). The response to this error message (OFF1, OFF2 or
OFF3) can be configured via p2100/p2101.

● Effect on "Speed setpoint limit effective" (r9733[0...2]):
If SS1 (≙ STOP B) is active, setpoint 0 is specified in r9733[0...2].

Commissioning
The delay time (SS1 time) is set by entering parameter p9556. The wait time until safe pulse
suppression (STO) can be shortened by specifying a shutdown speed in p9560.
To enable the drive to brake to standstill after selection, the time in p9556 must be selected to
be large enough for the drive to be able to brake along the OFF3 ramp (p1135) from any speed
of the work process to below the shutdown speed (p9560).

Note
Setting the delay time
To enable the drive to travel the entire OFF3 ramp and close any existing motor holding brake,
you must set the delay time as follows:
● Motor holding brake parameterized: Delay time ≥ p1135 + p1228 + p1217
● Motor holding brake not parameterized: Delay time ≥ p1135 + p1228

The shutdown speed defined in p9560 must be set in such a way that coasting down (due to the
subsequent STO function) does not pose any risk to persons or the machine.

Responses: System error


1. STOP F with subsequent STOP B, followed by STOP A
2. Safety message C01711

Status for "Safe Stop 1"


The status of the "Safe Stop 1" function is displayed using the following parameters:
● r9722.1 CO/BO: SI Motion drive-integrated status signals, SS1 active
● r9722.0 CO/BO: SI Motion drive-integrated status signals, STO or safe pulse suppression
active

5.2.4.2 Safe Stop 1 without encoder


Two encoderless Safe Stop 1 (SS1) monitoring functions can be set with parameter p9506:
● p9506 = 3: Safe monitoring of acceleration (SAM) / delay time
The function is identical to "Safe Stop 1" with encoder, which was described in the previous
section.
This variant is also referred to as "SS1 (time and acceleration controlled)".
● p9506 = 1: Safe brake ramp monitoring (SBR)
In this case, there is no SS1 delay time active. The transition from SS1 to STO depends
entirely on the speed falling below the shutdown speed (p9560). You will find more
information on the function "Safe Brake Ramp (SBR)" in Chapter "Safe Brake Ramp (SBR)
(Page 157)". This variant is also referred to as "SS1 (speed controlled)".

Time sequence

[Timing diagram: reference velocity, setpoint speed, stator speed and rotor speed over time t, with the envelope monitoring ramp, the OFF3 ramp, zero speed detection and STO; below it the SBR delay time and the diagnostics signals STO selected, STO active, SS1 selected, SS1 active and power removed.]
Figure 5-5 Sequence for "Safe Stop 1" without encoder with SBR monitoring (p9506 = 1)

Functional feature of Safe Stop 1 without encoder


● Selection and monitoring of the brake ramp (SBR) or the acceleration (SAM) are
implemented in two channels; however, braking along the OFF3 ramp is implemented in only
one channel.

5.2.4.3 Safe Stop 1 with external stop

General description

NOTICE
Any axis motion is possible
During the delay time (p9652), for "Safe Stop 1 (time-controlled) with external stop", any axis
movements are possible.
● If there is a hazard due to unwanted motion in your application, take measures to counter
it, for example, by using a brake with safe monitoring. Further information can be found in
Section "Safe Brake Control (Page 108)".

With external stop, "Safe Stop 1" basically works exactly as described in the previous Chapters
"Safe Stop 1 with encoder (time and acceleration controlled)" and "Safe Stop 1 without encoder
(speed controlled)." Note, however, the following differences:

Differences between "Safe Stop 1 with OFF3" and "SS1 with external stop"
● In order to activate "Safe Stop 1 with external stop", additionally set p9507.3 = 1.
● When SS1 with external stop is selected, the drive is not braked along the OFF3 ramp: You
are responsible for applying suitable measures to brake the drive. After the delay time has
expired (p9556), only STO/SBC are automatically initiated. After the function has been
selected, the delay timer runs down, even if the function is deselected during this time. In
this case, after the delay time has expired, the STO/SBC function is selected and then
immediately deselected again.
● The brake ramp (SBR) and the acceleration (SAM) are not monitored and there is no
standstill detection.
● With this configuration, STO becomes active after the SS1 timer p9556 has expired; this
also applies if SBR has been configured.
● For additional information, see Chapter "Stop responses (Page 395)".

5.2.4.4 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2819 SI Extended Functions - SS1, SS2, SOS, internal STOP B, C, D, F

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p1135[0...n] OFF3 ramp-down time
● p9501 SI Motion enable safety functions (Control Unit)
● p9506 SI Motion function specification (Control Unit)
● p9560 SI Motion STO shutdown speed (Control Unit)
● r9722.0...31 CO/BO: SI Motion drive-integrated status signals

Only for SS1 (Extended Functions) with external stop

● p9507 SI Motion function configuration (Control Unit)

5.2.5 Safe Brake Control (SBC)


For the control options and the functionality for "Safe Brake Control" (SBC), see Section "Safe
Brake Control (SBC) (Page 84)".

Note
No SBC for SINAMICS HLA
SINAMICS HLA does not support Safe Brake Control.

5.2.6 Safe Operating Stop (SOS)

This function serves for failsafe monitoring of the standstill position of a drive.

WARNING
Drive can be forced out of the SOS position by mechanical forces
A drive under position control can be forced out of the "Safe Operating Stop" (SOS) position
by mechanical forces that are greater than the maximum torque of the drive. This unwanted
drive movement then triggers a Category 1 Stop function according to EN 60204-1 (fault
response function STOP B). The alarms for SS1 and STO must be observed.
● If there is a hazard due to unwanted motion in your application, take measures to counter
it, for example, by using a brake with safe monitoring. For additional information, see
Chapter "Safe Brake Control (SBC) (Page 84)".

Note
In particular, the motor is energized while the SOS function is performing position control.
● Ensure that the motor cannot be touched while it is in the SOS state.

● Drive stopping is monitored using an SOS tolerance window (p9530).
● Effect on the "Setpoint speed limit effective" (r9733[0...2]):
If SOS is selected, setpoint 0 is specified in r9733[0...2].

Note
Size of the tolerance window
The size of the tolerance window should be slightly above the standard standstill monitoring
limit, otherwise the standard monitoring functions will no longer be effective.
Parameter r9731 displays the safe position accuracy (load side) that can be achieved as a
maximum, based on the acquisition of the actual value for the safe motion monitoring functions.

STOP B is the stop response after the standstill tolerance window has been violated.

When does SOS become effective


The SOS function comes into effect in the following cases:
● After SOS is selected and the delay time in p9551 has elapsed
The drive must be braked to standstill within this delay time (e.g. by the controller).
● As a consequence of SS2
● As a consequence of STOP C (corresponds to selection of SS2)
● As a consequence of STOP D (corresponds to selection of SOS)
● As a consequence of STOP E (corresponds to selecting SOS with additional activation of
the standard "Extended stop and retract (ESR)" function)

Responses
● Standstill tolerance violated in p9530
– STOP B with subsequent STOP A
– Safety message C01707
● System error
– STOP F
– Safety message C01711

Note
Deactivating SOS during an external STOP A
If "Deactivating SOS/SLS during an external STOP A" (p9501.23 = 1) is enabled and SOS is
selected, SOS is deactivated during a STOP A.

[Signal diagram: position values on the load side with the tolerance window, and the signals pulse cancellation, STO deselected, STO active, SOS deselected and SOS active over time t.]
Figure 5-6 Signal flow: Deactivating SOS during an external STOP A

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2819 SI Extended Functions - SS1, SS2, SOS, internal STOP B, C, D, F

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501 SI Motion enable safety functions (Control Unit)
● p9530 SI Motion standstill tolerance (Control Unit)
● p9551 SI Motion SLS(SG) switchover/SOS(SBH) delay time (CU)
● r9722.0...31 CO/BO: SI Motion drive-integrated status signals
● r9731 SI Motion safe positioning accuracy

5.2.7 Safe Stop 2 (SS2)

Note
The "Safe Stop 2" (SS2) safety function can only be used with an encoder.

The safety function "Safe Stop 2" (SS2) is used to brake the motor safely along the OFF3
deceleration ramp (p1135), with a transition to the SOS state after the delay time (p9552) has
expired (see Chapter "Safe Operating Stop (SOS) (Page 109)"). The delay time set must allow
the drive to brake to a standstill from every speed of the operating process within this time.
The standstill tolerance (p9530) must not be violated after this time.
After braking, the drives remain in speed control mode with the speed setpoint n = 0. The full
torque is available.
The default setpoint (e.g. from the setpoint channel, or from a higher-level controller) remains
inhibited as long as SS2 is selected.
The selection and monitoring of the acceleration (SAM) are implemented in two channels;
however, braking along the OFF3 ramp is implemented in only one channel.
● Effect on the "Setpoint speed limit effective" (r9733[0...2]):
For SS2 (≙ STOP C), setpoint 0 is specified in r9733[0...2].

Monitoring during braking


During braking, one of the following functions is active:
● If p9506 = 0:
Braking is monitored with the "Safe Acceleration Monitor" function (see Chapter
"Description (Page 155)").
● If p9506 = 2:
Here, also for SS1, the monitoring function "Safe Brake Ramp" is active (see Chapter "Safe
Brake Ramp (SBR) (Page 157)").

Interruption of the ramp function with OFF2


Activating SS2 can mean that the higher-level controller (PLC, motion controller) which
specifies the speed setpoint, interrupts the ramp function (e.g. with OFF2). The device behaves
in this way as a result of a fault reaction triggered by OFF3 activation. This fault reaction must
be avoided by assigning appropriate parameters or configurations.

Responses
● Speed limit violated (SAM):
– STOP A
– Safety message C01706
● Standstill tolerance violated in p9530 (SOS):
– STOP B with subsequent STOP A
– Safety message C01707
● System fault:
– STOP F with subsequent STOP A
– Safety message C01711

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2814 SI Basic Functions - SBC (Safe Brake Control), SBA (Safe Brake Adapter)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p1135[0...n] OFF3 ramp-down time
● p9501 SI Motion enable safety functions (Control Unit)
● p9530 SI Motion standstill tolerance (Control Unit)
● p9548 SI Motion SAM actual speed tolerance (Control Unit)
● p9552 SI Motion transition time STOP C to SOS (SBH) (Control Unit) 1)
● r9722.0...31 CO/BO: SI Motion drive-integrated status signals
1) STOP C corresponds to SS2.

See also
Safety Integrated and ESR (Page 280)

5.2.7.1 SS2 with external stop (SS2E)

Selecting SS2E

WARNING
Unexpected axis motion
When function "Safe Stop 2 with external stop" (SS2E) is active, during the delay time (p9553)
the speed follows the setpoint issued from the higher-level control system. As a consequence,
unexpected axis motion is possible, which can lead to severe injury and death.
● Prevent persons from entering the danger zone of the machine or plant during the delay
time (p9553), for example, by keeping protective devices interlocked.

[Timing diagram: SS2E deselection, speed, SS2E active, SOS active and SAM/SBR active over time t.]
Figure 5-7 Selecting SS2E

With external stop, "Safe Stop 2" functions in principle exactly the same way as described in the
previous sections. Note, however, the following differences:

Differences between "Safe Stop 2 with OFF3" and "SS2 with external stop (SS2E)"
● If SS2 with external stop is selected, the drive does not brake the motor autonomously, but
follows the defined speed setpoint.
● During delay time p9553, the brake ramp (SBR) and the acceleration (SAM) are not
monitored and there is no standstill detection.
● SOS becomes active after the delay time p9553 expires.
When function SS2E is active, the higher-level control must issue the speed setpoint so that
at the latest after delay time p9553 expires, the motor has come to a complete standstill.
● In order to activate "Safe Stop 2 with external stop", set p9501.18 = 1.
● The PROFIsafe control word S_STW2.28 selects the SS2E function. PROFIsafe
S_STW2.28 is contained in telegrams 31, 901, 902, and 903.

● The PROFIsafe status word S_ZSW2.28 indicates whether the SS2E function is active.
PROFIsafe status word S_ZSW2.28 is contained in telegrams 31, 901, 902 and 903. The
associated diagnostics parameter is r9722.28.
In the "Safety Info Channel", status word S_ZSW3B.11 indicates whether function SS2E is
active. The associated diagnostics parameter is r10234.11.
Diagnostic parameters r9722.28 and r10234.11 are also set during an internal STOP D.
● Effect on the "Setpoint speed limit effective" (r9733[0...2]):
For SS2E (≙ STOP D), setpoint 0 is specified in r9733[0...2].

Deselecting SS2E while SS2E is active

[Timing diagram: SS2E deselection, speed, SS2E active, SOS active and SAM/SBR active over time t.]
Figure 5-8 Deselecting SS2E while SS2E is active

After the function has been selected, the delay time runs down, even if the function is
deselected during this time. In this case, after the delay time has expired, the SOS function is
briefly active. Afterwards, the drive may accelerate the motor back to the speed setpoint.

Interrupting active SS2E with SS1 and SS2

[Two timing diagrams side by side: deselect SS2E, deselect SS1 (left) or SS2 (right), speed with the OFF3 ramp, SS2E active, SS1 active (left) or SS2 active (right), STO active (left) or SOS active (right), and SAM/SBR active over time t.]
Figure 5-9 Interrupting SS2E using SS1 (shown at the left) and SS2 (shown at the right)

When selecting SS1, the drive brakes the motor along the OFF3 ramp and monitors the speed
using the SAM function. Function STO becomes active when the motor is at a standstill.

When selecting SS2, the drive also brakes the motor along the OFF3 ramp and monitors the
speed using the SAM function. Function SOS becomes active after time p9552.

5.2.7.2 Safe Stop 2 Extended Stop and Retract (SS2ESR)

WARNING
Unexpected axis motion
When function SS2ESR is active, during the delay time (p9554) the speed follows the setpoint
issued from the higher-level control system. As a consequence, unexpected axis motion is
possible, which can lead to severe injury and death.
● Prevent persons from entering the danger zone of the machine or system during the delay
time (p9554), for example, by keeping protective devices closed and interlocked.

In principle, Safe Stop 2 Extended Stop and Retract (SS2ESR) functions in exactly the same
way as SS2 described in the previous sections. Note, however, the following differences.

Selecting SS2ESR

[Timing diagram: deselect SS2ESR, speed, SS2ESR active, SOS active and SAM/SBR active over time t.]
Figure 5-10 Selecting function SS2ESR

Differences between "Safe Stop 2 with OFF3" and SS2ESR


● If SS2ESR with external stop is selected, the drive does not brake the motor automatically,
but instead follows the defined speed setpoint: This can also result in fast retraction motion.
● During the delay time p9554, the brake ramp (SBR) and the acceleration (SAM) are not
monitored, and there is no standstill detection.
● SOS becomes active after the delay time p9554 has expired. If function SS2ESR is active,
the higher-level control system must define the speed setpoint such that the motor is
stopped no later than after the delay time p9554 has expired.
● To enable SS2ESR, set p9501.4 = 1.
● PROFIsafe control word S_STW2.29 selects function SS2ESR. PROFIsafe S_STW2.29 is
contained in telegrams 31, 901, 902 and 903.

● PROFIsafe status word S_ZSW2.27 indicates whether function SS2ESR is active.
PROFIsafe status word S_ZSW2.27 is contained in telegrams 31, 901, 902 and 903. The
associated diagnostics parameter is r9722.27. In the "Safety Info Channel", status word
S_ZSW3B.12 indicates whether the SS2ESR function is active. The associated diagnostics
parameter is r10234.12.
● In addition, in the "Safety Info Channel", status word S_ZSW1B.14 = 1 is set. This bit
corresponds to diagnostic parameter r9734.14.
● You can use p0890[1] to interconnect to an ESR integrated in the drive.
● SS2ESR has no effect on the "Setpoint speed limit effective" (r9733[0...2]). If SS2ESR is
enabled in p9501.4, then also a STOP E has no effect on r9733[0...2].

Deselecting SS2ESR while SS2ESR is active

[Timing diagram: deselect SS2ESR, speed, SS2ESR active, SOS active and SAM/SBR active over time t.]
Figure 5-11 Deselecting SS2ESR while SS2ESR is active

After the function has been selected, the delay time runs down, even if the function is
deselected during this time. In this case, after the delay time has expired, the SOS function is
briefly active. Afterwards, the drive may accelerate the motor back to the speed setpoint.

Interrupting active SS2ESR with SS1 and SS2

[Two timing diagrams side by side: deselect SS2ESR, deselect SS1 (left) or SS2 (right), speed with the OFF3 ramp, SS2ESR active, SS1 active (left) or SS2 active (right), STO active (left) or SOS active (right), and SAM/SBR active over time t.]
Figure 5-12 Interruption of function SS2ESR using functions SS1 (shown at the left) and SS2 (shown at the right)

When selecting SS1, the drive brakes the motor along the OFF3 ramp and monitors the speed
using function SAM/SBR. Function STO becomes active when the motor is at a standstill.
When selecting SS2, the drive also brakes the motor along the OFF3 ramp and monitors the
speed using the SAM function. Function SOS becomes active after time p9552.

5.2.7.3 Overview of important parameters

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p2573 EPOS maximum delay
● p2594 CI: EPOS maximum speed, externally limited
● p2640 BI: EPOS intermediate stop (0 signal)
● p2645 CI: EPOS direct setpoint input/MDI, deceleration override
● p9551 SI Motion SLS(SG) switchover/SOS(SBH) delay time (CU)
● p9552 SI Motion transition time STOP C to SOS (SBH) (Control Unit)
● p9553 SI Motion transition time STOP D to SOS (SBH) (Control Unit)
● p9554 SI Motion transition time STOP E to SOS (SBH) (Control Unit)
● r9720.0...27 CO/BO: SI Motion drive-integrated control signals
● r9733[0...2] CO: SI Motion speed setpoint limit active
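
A trace check for the transitions described for SS1, SS1 with external stop, SOS, SS2, SS2E and SS2ESR, as an added example (not Siemens code): given speed samples recorded after a stop function is selected, it reports when STO or SOS takes over and whether the delay-time rule from the text was met. The trace format, the function names used as keys, the `standstill` threshold and the use of one common time unit (seconds) are assumptions.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

Trace = List[Tuple[float, float]]  # (time since selection, |speed|), ascending time

# Functions whose follow-up state starts when a delay time expires:
# name -> (delay parameter, follow-up state), as given in this section.
TIMED = {
    "SS1E": ("p9556", "STO"),    # SS1 with external stop (p9507.3 = 1)
    "SOS": ("p9551", "SOS"),
    "SS2": ("p9552", "SOS"),
    "SS2E": ("p9553", "SOS"),
    "SS2ESR": ("p9554", "SOS"),
}


class Result(NamedTuple):
    t: Optional[float]       # when STO/SOS becomes active (None: not in trace)
    state: str               # "STO" or "SOS"
    trigger: str             # "delay time" or "shutdown speed"
    speed: Optional[float]   # sampled |speed| at that moment
    finding: Optional[str]   # None if the rule from the text is met


def speed_at(trace: Trace, t: float) -> Optional[float]:
    """Last sample at or before t (sample and hold)."""
    earlier = [v for ts, v in trace if ts <= t]
    return earlier[-1] if earlier else None


def first_below(trace: Trace, limit: float) -> Optional[float]:
    """Time of the first sample whose |speed| is below `limit`."""
    return next((ts for ts, v in trace if v < limit), None)


def evaluate(function: str, trace: Trace, params: Dict[str, float],
             speed_controlled: bool = False, standstill: float = 0.0) -> Result:
    """`standstill` is a hypothetical threshold for this check, not a drive parameter."""
    if function == "SS1":
        t_speed = first_below(trace, params["p9560"])
        if speed_controlled:
            # p9506 = 1 (SBR): no SS1 delay time, only the shutdown speed counts.
            if t_speed is None:
                return Result(None, "STO", "shutdown speed", None,
                              "speed never fell below p9560 in this trace")
            return Result(t_speed, "STO", "shutdown speed",
                          speed_at(trace, t_speed), None)
        # Time and acceleration controlled: whichever comes first.
        t_delay = params["p9556"]
        if t_speed is not None and t_speed <= t_delay:
            return Result(t_speed, "STO", "shutdown speed",
                          speed_at(trace, t_speed), None)
        v = speed_at(trace, t_delay)
        return Result(t_delay, "STO", "delay time", v,
                      f"p9556 expired at |speed| = {v}, not below p9560: "
                      "delay too short for the OFF3 ramp")
    param, state = TIMED[function]
    t = params[param]
    v = speed_at(trace, t)
    finding = None
    # For the functions that end in SOS the text requires standstill by then.
    # For SS1E braking is left to the user, so only the speed is reported.
    if state == "SOS" and (v is None or v > standstill):
        finding = f"|speed| = {v} when SOS becomes active after {param}"
    return Result(t, state, "delay time", v, finding)


if __name__ == "__main__":
    # Constructed samples and parameter values, not taken from a real drive.
    slow = [(0.0, 1000.0), (0.5, 600.0), (1.0, 200.0), (1.5, 0.0)]
    params = {"p9556": 1.0, "p9560": 10.0, "p9553": 0.8}
    for name in ("SS1", "SS1E", "SS2E"):
        print(name, evaluate(name, slow, params))
```
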

5.2.7.4 Interaction with EPOS


Since the function SS2 – with its setpoint-independent braking – is not suitable for use with
EPOS, the Safe Operating Stop (SOS) function with a delay can be used instead.
On selection of SOS, the EPOS function "intermediate stop" (p2640 = 0) ensures that EPOS is
able to stop the drive in its tracks and then keep it under control in this state before the SOS
becomes active. The maximum necessary braking time (from p2573 and p2645) must then be
entered in the delay time for SLS/SOS (p9551) with a safety margin: This ensures that the drive
is at a standstill before SOS is active.
To do this, proceed as follows:
1. Connect the EPOS function "intermediate stop" (p2640) with the control signal "Deselect
SOS" (r9720.3).
2. Enter the maximum necessary EPOS braking time (depending on the values set in p2573
and p2645) with a safety margin (approx. +5%) in the SOS delay time (p9551).
Since the STOP C stop response – with its setpoint-independent braking – is not suitable for use
with EPOS, the Safe Operating Stop (SOS) function with a delay can be used instead.
On selection of SOS, the EPOS function "intermediate stop" (p2640 = 0) ensures that EPOS is
able to stop the drive in its tracks and then keep it under control in this state before the SOS
becomes active. The maximum required braking time (from p2573 and p2645) must then be
entered in the "Transition time STOP D to SOS" (p9553) with a small safety margin: This
ensures that the drive is at a standstill before SOS is active.
To do this, proceed as follows:
1. Parameterize "STOP D" as stop response.
2. Connect the EPOS function "intermediate stop" (p2640) with the control signal "Deselect
SOS" (r9720.3).
3. Enter the maximum required EPOS braking time (depending on the values set in p2573 and
p2645) with a safety margin (approx. +5%) in the "Transition time STOP D to SOS" (p9553).

5.2.8 Safely-Limited Speed (SLS)

Features
The Safely-Limited Speed (SLS) function is used to protect a drive against unintentionally high
speeds in both directions of rotation. This is achieved by monitoring the current drive speed
against a speed limit.
Safely-Limited Speed prevents a parameterized speed limit from being exceeded. Limits must
be specified based on the results of the risk analysis. Up to four different SLS speed limits can be
parameterized using parameter p9531[0...3]; it is possible to switch between them even while
SLS is activated.

An override can also be added to SLS limit value 1. In operation, this override can be varied
using a PROFIsafe telegram.

Note
Deviation of the displayed speed limit
The SLS speed limit displayed in r9714[2] can deviate slightly from the specified SLS speed
limit. The reason for this is the internal resolution (r9732) of the speed values.

Note
Response in the event of a communication error
If p9580 ≠ 0 and SLS is active, the parameterized ESR reaction is only executed in the event of
a communication failure if a STOP with delayed pulse suppression when the bus fails has been
parameterized as the SLS response (p9563[0...3] ≥ 10).

Note
Setpoint speed limit and SLS
● It makes sense to configure the set velocity limit if SLS is also parameterized. This is done
in a higher-level controller that evaluates the safety information channel, for example, or by
wiring r9733[0/1] to the speed limits of the ramp-function generator (p1051/p1052).
● It does not make sense to use the positive and negative setpoint limiting for SLS in
conjunction with standard telegram 105 and others: With this combination, the velocity
setpoint of the standard telegram is only effective after the setpoint limiting.

Deactivating SLS during an external STOP A


If "Deactivating SOS/SLS during an external STOP A" (p9501.23 = 1) is enabled and SLS is
selected, SLS is deactivated during a STOP A.

[Signal diagram: speed on load side with the SLS limit value and pulse enable by user, and the signals pulse cancellation, STO deselected, STO active, SLS deselected and SLS active.]
Figure 5-13 Signal flow: Deactivation of SLS during external STOP A

5.2.8.1 Safely Limited Speed (SLS)

Features
● When SLS is selected, the monitoring only takes effect after the configured delay time has
expired (p9551). Within this time, the actual speed must be below the (selected) limit. The
delay time is not effective when SLS is deselected.
● After switching to a lower limit value (p9531), the actual speed of the drive must have
dropped below the new limit within the delay time (p9551). The existing limit remains active
during the delay time. The lower limit value becomes active after the delay time expires. This
also applies to a reduction of the limit value via PROFIsafe.
● If the actual speed of the drive is higher than the new Safely-Limited Speed limit after the
delay time has elapsed, a message is generated with the parameterized stop response.
● The stop response (STOP A, STOP B, STOP C, STOP D or STOP E) is parameterized with
p9563.
● During changeover to a higher limit value, the delay time is not active and the high limit value
becomes immediately active. This also applies to increasing the limit value via PROFIsafe.
● 4 parameterizable limit values p9531[0...3]
● The first limit value can be entered via the PROFIsafe telegrams 901, 902 and 903 (for
p9501.24 = 1)
● In parameter p9533 enter the weighting factor to determine the setpoint limit from the
selected actual speed limit in percent. The active limit value is evaluated using this factor,
and is provided as setpoint limit in r9733.
– r9733[0] = p9531[x] · p9533 (converted from the load to the motor side)
– r9733[1] = -p9531[x] · p9533 (converted from the load to the motor side)
[x] = selected SLS stage
Conversion factor from the motor to the load side:
– Motor type = rotary and axis type = linear: p9522/(p9521 · p9520)
– Otherwise: p9522/p9521
● Limit value
– r9733[0] = p9531[x] · p9533; x = selected SLS limit value
– r9733[1] = -p9531[x] · p9533; x = selected SLS limit value
r9733 is used, for example, for transferring values to a higher-level controller, which can
then, for example, adjust traversing speeds to the SLS levels or at the setpoint channel
(p1051). r9733 is a part of the Safety Info Channel (SIC).
● The currently monitored limit value is displayed in parameter r9714[2].

Changeover of SLS limit values


The changeover is binary-coded via 2 F-DIs or 2 PROFIsafe control bits. The speed
selection status can be checked using parameters r9720.9/r9720.10. Parameters r9722.9 and
r9722.10 indicate the actual speed limit; bit r9722.4 must carry a "1" signal.

Table 5-2 Changeover of speed limits:

F-DI for bit 1 (r9720.10)   F-DI for bit 0 (r9720.9)   Speed limit   SLS level
0                           0                          p9531[0]      1
0                           1                          p9531[1]      2
1                           0                          p9531[2]      3
1                           1                          p9531[3]      4

WARNING
Excessive speed during incorrect control of the Safely-Limited Speed limits via F-DI
For all control options except PROFIsafe, limit SLS1 is activated after 2 unacknowledged
discrepancy errors. This means that, for the 2 F-DIs for selecting the speed levels, the value
0 is the "safe state" (failsafe value).
● Therefore parameterize the SLS limits in ascending order, i.e. with limit SLS1 as the lowest
speed and limit SLS4 as the highest speed.

Responses
Speed limit value exceeded:
● Configured subsequent stop STOP A/B/C/D/E via p9563
● Safety message C01714
System fault:
● STOP F
● Safety message C01711

Transferring the first limit value via PROFIsafe


SINAMICS offers the option of influencing the first SLS limit value via PROFIsafe:
● The transfer of the first SLS limit value via PROFIsafe is active if the speed level 1 in the
PROFIsafe telegram is selected and the bit "Enable transfer SLS (SG) limit via PROFIsafe"
(p9501.24) is set.
● S_SLS_LIMIT_A has the value range 1 ... 32767; the following applies:
– 32767 ≙ 100 % of the 1st SLS level
– The actually monitored limit value is calculated as follows:
SLS limit value = (S_SLS_LIMIT_A/32767) · p9531[0]
● Also in this case, speed levels 2, 3 and 4 can be parameterized and selected.

● In operation, the selected delay time cannot be changed. If you require various delay times
in your application, then you must realize this using a time-delayed transfer of the SLS limit
value using your control system (F‑CPU).
● If an incorrect SLS limit value is transferred, then the converter responds with the stop
response of speed level 1 parameterized in p9563 and the safety message C01711(1041).
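
The changeover rules above (Table 5-2, the p9551 delay when switching to a lower limit, the PROFIsafe scaling of level 1 and the ascending-order rule from the warning) modelled in Python as an added example; it is not Siemens code. Times are assumed to be in seconds, and the handling of a second changeover while a delay is still running is an assumption, since the manual does not describe it.

```python
from typing import Optional, Sequence, Tuple

S_SLS_LIMIT_A_MAX = 32767  # 32767 corresponds to 100 % of the 1st SLS level


def sls_index(bit1: int, bit0: int) -> int:
    """Table 5-2: index x of p9531[x] from r9720.10 (bit 1) and r9720.9 (bit 0)."""
    if bit1 not in (0, 1) or bit0 not in (0, 1):
        raise ValueError("selection bits must be 0 or 1")
    return (bit1 << 1) | bit0


def active_sls_index(r9722: int) -> Optional[int]:
    """Active limit index from r9722.10/r9722.9; valid only if r9722.4 = 1."""
    if not (r9722 >> 4) & 1:
        return None
    return sls_index((r9722 >> 10) & 1, (r9722 >> 9) & 1)


def profisafe_level1_limit(s_sls_limit_a: int, p9531_0: float) -> float:
    """SLS limit value = (S_SLS_LIMIT_A / 32767) * p9531[0]."""
    if not 1 <= s_sls_limit_a <= S_SLS_LIMIT_A_MAX:
        # The drive answers this with the level-1 stop response and
        # C01711(1041); the model raises instead.
        raise ValueError("S_SLS_LIMIT_A outside 1 ... 32767")
    return s_sls_limit_a / S_SLS_LIMIT_A_MAX * p9531_0


def limits_ascending(p9531: Sequence[float]) -> bool:
    """True if SLS1 is the lowest and SLS4 the highest limit, so that the
    failsafe value 0 on both F-DIs selects the lowest speed."""
    return all(a <= b for a, b in zip(p9531, p9531[1:]))


def setpoint_limits(limit: float, p9533_percent: float) -> Tuple[float, float]:
    """r9733[0] and r9733[1] before the load-to-motor conversion
    (p9520/p9521/p9522), which is not applied here."""
    weighted = limit * p9533_percent / 100.0
    return weighted, -weighted


class SlsMonitor:
    """Which limit is monitored at time t (seconds, assumed unit)."""

    def __init__(self, p9531: Sequence[float], p9551: float):
        self.p9531 = tuple(p9531)
        self.p9551 = p9551
        self.active: Optional[float] = None   # None: monitoring not in effect
        self.pending: Optional[Tuple[float, float]] = None  # (effective at, limit)

    def _settle(self, t: float) -> None:
        if self.pending is not None and t >= self.pending[0]:
            self.active, self.pending = self.pending[1], None

    def select(self, t: float, index: int, limit: Optional[float] = None) -> None:
        """Select SLS or change the level; `limit` overrides p9531[index]
        (e.g. a level-1 value received via PROFIsafe)."""
        self._settle(t)
        new = self.p9531[index] if limit is None else limit
        if self.active is not None and new >= self.active:
            # Higher limit: no delay, immediately active.
            # Assumption: this also cancels a lower limit that was still pending.
            self.active, self.pending = new, None
        else:
            # First selection or lower limit: takes effect after p9551; the
            # existing limit (if any) stays active meanwhile.
            # Assumption: a changeover during a running delay restarts it.
            self.pending = (t + self.p9551, new)

    def deselect(self) -> None:
        """The delay time is not effective on deselection."""
        self.active, self.pending = None, None

    def check(self, t: float, speed: float) -> Optional[str]:
        """Return "C01714" if the monitored limit is exceeded, else None."""
        self._settle(t)
        if self.active is not None and abs(speed) > self.active:
            return "C01714"
        return None


if __name__ == "__main__":
    # Constructed values, not taken from a real drive.
    mon = SlsMonitor(p9531=(100.0, 500.0, 1000.0, 2000.0), p9551=0.5)
    mon.select(0.0, sls_index(1, 1))   # level 4
    mon.select(1.0, sls_index(0, 1))   # down to level 2 at t = 1.0
    for t, v in [(1.2, 1500.0), (1.5, 600.0)]:
        print(t, v, mon.check(t, v))
```
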

5.2.8.2 Safely Limited Speed without encoder

Functions
2 different encoderless Safely-Limited Speed monitoring functions can be set with parameter
p9506:
● p9506 = 3: Safe monitoring of acceleration (SAM) / delay time
The function is identical to "Safely-Limited Speed with encoder" which was described in the
previous section.
● p9506 = 1: Safe brake ramp monitoring (SBR)

Note
Defaults
● For commissioning, also pay attention to the description in Chapter "Default settings for
commissioning Safety Integrated functions without encoder (Page 284)."
● Information about setting the SBR monitoring function can be found in Chapter "Safe Brake
Ramp (SBR) (Page 157)".

Monitoring the brake ramp


● If the speed setpoint limitation (r9733) was connected to the setpoint channel (p1051/
p1052) and then SLS was selected – or if you change over to a lower SLS level – the motor
is decelerated from the actual speed to below the value defined with r9733 along the OFF3
ramp. In this case, the drive may no longer follow the setpoint of the higher-level motion
controller.
● Parameter p9582 is used to set the delay time for the braking ramp monitoring.
● Monitoring of the brake ramp is activated once the delay time in p9582 has elapsed. If the
actual speed of the drive violates the brake ramp (SBR) during braking, safety message
C01706 is output and the drive is stopped with STOP A.
● The newly selected SLS limit value is also taken over as the new limit speed, if either
– The SBR ramp has reached the new SLS limit value, or
– The actual speed of the drive was below the new SLS limit value for at least the time set
in p9582.
● The "Safely-Limited Speed without encoder" function then monitors whether the actual
speed remains below the newly selected SLS limit value.
● The parameterized stop response (p9563[x]) is triggered if the SLS limit value is exceeded.

Configuring the limits


● The speed limits for Safely-Limited Speed without encoder are configured in exactly the
same way as described for Safely-Limited Speed with encoder.
● Only STOP A and STOP B may be configured as stop responses for "Safely-Limited Speed"
(SLS) without encoder.

Restart after OFF2/STO


If the drive has been switched off via STO, the following steps need to be carried out before a
restart can be performed:

1st case
● State after switching on
● SLS selected
● STO selected
● Pulse suppression active
● Deselect STO
● The drive enable must be issued within 5 seconds via a positive edge at OFF1, otherwise
STO is reactivated.

2nd case
● Situation
● Traversing to standstill with SLS selected
● OFF1 is initiated, pulse cancellation becomes active (internal selection STO)
● Select STO
● Deselect STO
STO activated internally via pulse suppression: This activation must be undone by
selection/deselection.
● The drive enable must be issued within 5 seconds via a positive edge at OFF1, otherwise
STO is reactivated.

3rd case
● Situation
● Traversing to standstill with SLS selected
● OFF1 is initiated, pulse cancellation becomes active (internal selection STO)
● Deselect SLS
STO activated internally via pulse suppression: This activation must be undone by
selecting/deselecting SLS.
● Select SLS
The drive enable must be issued with a positive edge at OFF1 within 5 seconds, otherwise
STO is reactivated.

4th case
● Situation
● All Safety Integrated functions are deselected.
● After this the drive enable must be given by a positive edge at OFF1.
● In this case, the motor is not started safely.

5.2.8.3 Safely-Limited Speed without selection

Differences between Safely-Limited Speed with and without selection


● As an alternative to controlling via terminals and/or PROFIsafe, there is also the option to
parameterize the SLS function without selection (see Section "Motion monitoring without
selection (Page 255)").
● The function "SLS without selection" is selected with p9512.4 = 1.


● For "SLS without selection", only one SLS limit value can be parameterized (p9531[0]).
● The stop response is parameterized with p9563[0].
● For Safely-Limited Speed without selection there is no delay time. The function is always
active when operated with encoder. The function is always active at switch on when
operated with encoder.

Switching the motor on and off (without encoder)


The time response and diagnostic options are as follows in this SLS version:

[Figure: timing diagram over time t. Upper part: load speed (setpoint, actual value) with the SLS limit and standstill monitoring for the operator actions "Switch off motor" (OFF command) and "Switch on motor" (ON command). Lower part: diagnostics signals "SLS active" and "Safe pulse suppression active".]
Figure 5-14 Time response of SLS without selection (example: Switching the motor on and off (without
encoder))

"SLS without selection" behaves as follows when switching off and switching on again:
● After switch-off, the motor behaves in accordance with the removed signal (OFF1, OFF2 or
OFF3).
● The "safe pulse cancellation" becomes active after the standstill limit is undershot. If a brake
has been parameterized, it is also closed.
● After the ON command, the converter cancels the "safe pulse cancellation" state and the
start procedure is initiated.
● If the minimum current has not been reached after 5 s, the converter returns into the "safe
pulse suppression" state and initiates alarm C01711.


5.2.8.4 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2820 SI Extended Functions - SLS (Safely-Limited Speed)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501.0 SI Motion enable safety functions (Control Unit): Enable SOS/SLS (SBH/SG)
● p9512 Select SI Motion safety functions without selection (CU)
● p9531[0...3] SI Motion SLS (SG) limits (Control Unit)
● p9551 SI Motion SLS(SG) switchover/SOS(SBH) delay time (CU)
● p9563[0...3] SI Motion SLS (SG)-specific stop response (Control Unit)
● p9580 SI Motion STO delay bus failure (Control Unit)
● p9581 SI Motion braking ramp reference value (Control Unit)
● p9582 SI Motion braking ramp delay time (Control Unit)
● p9583 SI Motion braking ramp monitoring time (Control Unit)
● p9601 SI enable functions integrated in the drive (Control Unit)
● r9707[0...2] CO: SI Motion diagnostics actual position value GX_XIST1
● r9714[0...2] CO: SI motion diagnostics velocity
● r9720.0...27 CO/BO: SI Motion drive-integrated control signals
● r9721.0...15 CO/BO: SI Motion status signals (Control Unit)
● r9722.0...31 CO/BO: SI Motion drive-integrated status signals (Control Unit)


5.2.8.5 EPOS and safe setpoint velocity limitation

Function description
If safe speed monitoring (SLS) or safe direction monitoring (SDI) is to be used at the same
time as the EPOS positioning function, EPOS must be informed about the activated monitoring
limits. Otherwise the EPOS setpoint input can violate these monitoring limits. When a limit
value is violated, the monitoring function stops the drive, which therefore leaves the
intended motion sequence. In this case, the relevant safety faults are output first, followed
by the sequential faults created by EPOS.
In parameter r9733, the safety functions provide setpoint limit values for EPOS; when EPOS
takes them into account, the safety limit value is not violated.
In order to prevent a safety limit violation by the EPOS setpoint specification, you must transfer
the setpoint limit value (r9733) as follows to the maximum speed setpoint of EPOS (p2594):
● r9733[0] = p2594[1]
● r9733[1] = p2594[2]
In this regard you must set the delay time for SLS/SOS (p9551), so that the relevant safety
monitoring function only becomes active after the maximum required time for the speed to be
reduced below the limit. This required braking time is determined by the current speed, the jerk
limit in p2574 and the maximum delay in p2573.
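
The braking time named above can be estimated with the usual jerk-limited ramp formulas. The following Python sketch is an added example and not part of the manual; it assumes that the axis is not accelerating when braking starts and that the caller has converted speed, deceleration (p2573) and jerk (p2574) into consistent units, and the function names are hypothetical.

```python
import math


def braking_time_s(v_now, v_limit, max_decel, jerk=None):
    """Time in seconds to brake from |v_now| down to |v_limit|.

    v_now, v_limit: speeds in LU/s (assumed unit, converted by the caller)
    max_decel:      deceleration limit as set in p2573, in LU/s^2
    jerk:           jerk limit as set in p2574, in LU/s^3; None or 0 means
                    that jerk limitation is not active
    Assumption: the axis is not accelerating at the moment braking starts.
    """
    if max_decel <= 0:
        raise ValueError("max_decel must be positive")
    if jerk is not None and jerk < 0:
        raise ValueError("jerk must not be negative")
    dv = abs(v_now) - abs(v_limit)
    if dv <= 0:
        return 0.0                      # already at or below the limit
    if not jerk:
        return dv / max_decel           # plain linear ramp
    if dv >= max_decel ** 2 / jerk:
        # Deceleration builds up (a/j), is held, and is removed again (a/j).
        return dv / max_decel + max_decel / jerk
    # Speed difference too small to reach max_decel: triangular profile.
    return 2.0 * math.sqrt(dv / jerk)


def min_delay_ms(v_max, v_limit, max_decel, jerk=None):
    """Smallest whole number of milliseconds that covers braking from v_max,
    which is the worst case for the delay time."""
    return math.ceil(braking_time_s(v_max, v_limit, max_decel, jerk) * 1000.0)


# Constructed sample values, not taken from a real axis.
if __name__ == "__main__":
    for v in (250.0, 600.0, 1000.0):
        t = braking_time_s(v, 200.0, 400.0, 2000.0)
        print(f"from {v:7.1f} LU/s to 200.0 LU/s: {t:.3f} s")
    print("delay must cover", min_delay_ms(1000.0, 200.0, 400.0, 2000.0), "ms")
```

The result is in milliseconds; compare it with the unit given for p9551 in the List Manual before entering a value.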

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p2573 EPOS maximum delay


● p2574 EPOS jerk limitation
● p2593 CI: EPOS LU/revolution LU/mm
● p2594[0...2] CI: EPOS maximum speed, externally limited
● p9551 SI Motion SLS(SG) switchover/SOS(SBH) delay time (CU)
● r9733[0...2] CO: SI Motion speed setpoint limit active

5.2.9 Safe Speed Monitor (SSM)

The "Safe Speed Monitor" (SSM) function provides a reliable method for detecting when the
speed has fallen below a limit (p9546) in both directions of rotation, e.g. for zero speed
detection. A failsafe output signal is available for further processing.


The function is activated automatically as soon as the Safety Integrated Extended Functions
are enabled with parameter p9501.0 = 1 and p9546 > 0. The SSM function is deactivated with
setting p9546 = 0.

Note
Relationship between SSM and SAM
If you enter "0" for p9568 (SAM shutdown threshold), the speed limit of the SSM function
(p9546) is simultaneously the lower limit for the Safe Acceleration Monitor function (SAM).
In this case, the effects of safe acceleration monitoring are therefore restricted if a relatively
high SSM velocity limit is set when using the SS1 and SS2 stop functions.

Note
Danger due to unwanted behavior of the STOP F on SSM
A STOP F is indicated by safety message C01711. STOP F only results in the subsequent
response STOP B / STOP A if one of the Safety Integrated Functions is active. If only the SSM
function without hysteresis (that is, p9501.16 = 0) is active, a STOP F cross-checking error
does not result in a STOP B / STOP A follow-up response.
● SSM is only valid as an active monitoring function if "Hysteresis and filtering" is
parameterized (p9501.16 = 1).

Note
Parameterization of hysteresis and actual value synchronization
You must carefully observe the following rules when parameterizing hysteresis and actual
value synchronization:
● If "SSM hysteresis" has been enabled (p9501.16 = 1), you must set parameters p9546 and
p9547 according to this rule:
p9547 ≤ 0.75 · p9546
● If "Actual value synchronization" has been enabled (p9501.3 = 1), you must also observe
this rule:
p9549 ≤ p9547

Features
● Safe monitoring of the speed limit specified in p9546
● Parameterizable hysteresis via p9547
● Variable PT1 filter via p9545
● Safe output signal
● No stop response


5.2.9.1 Safe Speed Monitor with encoder

Features of "Safe Speed Monitor" with encoder


The parameter p9546 "SI Motion SSM (SGA n < nx) speed limit n_x" is used to set the speed
limit. The abbreviation "SGA n < nx" indicates the safety function required for determining an
output signal when a parameterizable velocity limit has been undershot.
If the speed falls below the limit for the SSM feedback signal (n < n_x), the signal "Safe Speed
Monitor feedback signal active" (SGA n < n_x) is set. When the speed has fallen below the set
threshold value, the "Safe Acceleration Monitor" (SAM) function is also deactivated (see p9568).
If p9568 = 0, then p9546 (SSM feedback signal) is also used as a minimum threshold for the SAM
monitoring.
A hysteresis can be configured for the SSM function via p9547. In this way, a more stable signal
characteristic of SSM can be achieved at speeds close to the monitoring threshold (p9546).
When hysteresis is configured, then the velocity (or speed) determined by the two channels
may not differ by more than the difference between p9546 and p9547. Otherwise it would be
theoretically possible that one channel returns a HIGH signal and the other a LOW signal for
SSM.
The output signal for SSM is smoothed by setting a filter time with a PT1 filter (p9545).
During safe motion monitoring, the "hysteresis and filtering" functions can be activated or
deactivated together using the enable bit p9501.16. In the default setting, the functions are
deactivated (p9501.16 = 0).

Note
Exception: SSM as an active monitoring function
If the "hysteresis and filtering" function is enabled, the SSM function is evaluated as an active
monitoring function and, after a STOP F, also results in a follow-up response STOP B/STOP A.

Note
Time-delayed SSM feedback
When "hysteresis and filtering" is activated with output signal SSM, a time-delayed SSM
feedback signal occurs for the axes. This is a characteristic of the filter.

The following diagram shows the characteristic of the safe output signal SSM when hysteresis
is active:


Safe output signal for SSM with hysteresis

[Figure: speed over time t with the limits n_x (p9546) in both directions and the hysteresis bands, and below it the resulting SSM output signal.]
Figure 5-15 Safe output signal for SSM with hysteresis


5.2.9.2 Safe Speed Monitor without encoder


Set p9506 = 1 or p9506 = 3 (factory setting = 0) to activate Safety Integrated Extended
Functions without encoder. You can also make this setting by selecting "Without encoder" on
the Safety screen in Startdrive.
Without an encoder, the "Safe Speed Monitor" essentially functions exactly the same as
described in the previous section under "Safe Speed Monitor with encoder".

Note
Defaults
For commissioning, also pay attention to the description in Chapter "Default settings for
commissioning Safety Integrated functions without encoder (Page 284)."

Note
Setting of the OFF1 or OFF3 ramp-down time
If the OFF1 or OFF3 ramp-down time is too short or the difference between the SSM limit speed
and the shutdown speed is too small, the "speed below limit value" signal may not change to
1, because no actual speed value could be determined below the SSM limit before pulse
suppression occurred. In this case, the OFF1 or OFF3 ramp-down time or the margin between
SSM speed limit and shutdown speed should be increased.

Differences between Safe Speed Monitor with and without encoder


● For Safe Speed Monitor without encoder, after pulse suppression the drive is unable to
determine the current speed. 2 responses can be selected for this operating state with
parameter p9509.0:
– p9509.0 = 1
The status signal (SSM feedback signal) shows "0" (factory setting).
– p9509.0 = 0
The status signal (SSM feedback signal) is frozen. "Safe Torque Off" (STO) is selected
internally.
● Due to the less precise speed recognition, "Safe Speed Monitor without encoder" requires
a larger hysteresis (p9547) and, where applicable, a filter time (p9545) compared with the
function with encoder.


Sequence diagram
The following diagram shows the signal characteristic for the case p9509.0 = 0.

[Figure: sequence diagram over time t. Events: OFF1, automatic STO selection, select STO, deselect STO, pulses enabled. Traces: monitoring, speed with SSM speed limit and zero speed detection, timers, SSM feedback signal (safe output signal, PROFIsafe), power removed (STO).]

Figure 5-16 Safe Speed Monitor without encoder (p9509.0 = 0)

The speed remains below the limits of p9546 throughout the entire monitoring period.
Therefore, the SSM feedback signal remains r9722.15 = 1. After the command for pulse
suppression, the motor speed drops. The internal STO is set when the speed drops below the
zero speed detection level.
In this case, the SSM feedback signal remains HIGH; it is frozen. The drive cannot accelerate
again, due to the internal STO selection.
To restart the motor safely, the STO must be selected manually and deselected once more.
After the STO has been deselected, a 5 second time window is opened. If the pulse enable
takes place within this time window, the motor starts. If the pulse enable does not take place
within this 5 second time window, the internal STO becomes active again.
If p9509.0 = 1, the SSM monitoring is ended after the pulse suppression. The feedback signal
r9722.15 drops to 0. The SSM monitoring is only reactivated after a new pulse enable. In this
case, STO must not be selected and deselected to start the drive.


Restart after pulse cancellation for p9509.0 = 0


If the drive pulses have been suppressed using OFF1/OFF2/STO, the following steps must be
carried out for a restart:

1. Case
● State after switching on
– SSM active
– STO selected
– Pulse suppression active
● Deselect STO
● The drive enable must be issued within 5 seconds via a positive edge at OFF1, otherwise
STO is reactivated.

2. Case
● Situation
– SSM active
– Motor turning
– OFF1 triggered, pulses are suppressed
● Select STO
● Deselect STO
STO activated internally via pulse suppression: This activation must be undone by
selecting/deselecting STO.
● The drive enable must be issued within 5 seconds via a positive edge at OFF1, otherwise
STO is reactivated.


5.2.9.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2823 SI Extended Functions - SSM (Safe Speed Monitor)


● 2840 SI Extended Functions - SI Motion drive-integrated control signals/status
signals
● 2905 SI TM54F - Extended Functions control interface (p9601.2 = 1 & p9601.3
= 0)
● 2907 SI TM54F - Extended Functions assignment (F-DO 0 ... F-DO 3)

Overview of important parameters

● p9501 SI Motion enable safety functions (Control Unit)


● p9506 SI Motion function specification (Control Unit)
● p9509 SI Motion behavior during pulse suppression (Control Unit)
● p9545 SI Motion SSM (SGA n < nx) filter time (Control Unit)
● p9546 SI Motion SSM (SGA n < nx) speed limit (CU)
● p9547 SI Motion SSM (SGA n < nx) speed hysteresis n_x (CU)
● r9722.0...31 CO/BO: SI Motion drive-integrated status signals (Control Unit)

5.2.10 Safe Direction (SDI)

Note
Response to bus failure
If p9580 ≠ 0 and SDI is active, in the event of a communication failure, the parameterized ESR
reaction only occurs if a STOP with delayed pulse suppression when the bus fails has been
parameterized as the SDI response (p9566 ≥ 10).

You can find further information on SDI here:


● Safe Direction with encoder (Page 135)
● Safe Direction without encoder (Page 137)
● Safe Direction without selection (Page 139)
● Function diagrams and parameters (Page 140)


5.2.10.1 Safe Direction with encoder


The Safe Direction function (SDI) allows reliable monitoring of the direction of motion of the
drive. If this function is activated, the drive can only move in the enabled direction.

Principle of operation
After SDI has been selected via terminals or PROFIsafe, the delay time p9565 is started. During
this period, you have the option of ensuring that the drive is moving in the enabled direction.
After this, the Safe Direction function is active and the direction of motion is monitored.
If the drive now moves more than the configured tolerance (p9564) in the disabled direction,
message C01716 is output and the stop response defined in p9566 is initiated. To acknowledge
the messages you must first deselect SDI, remove the fault cause and then safely acknowledge
the messages. Only then can you reselect SDI.

Features
● Parameters r9720.12 and r9720.13 display whether the SDI function is selected.
● Parameters r9722.12 and r9722.13 display whether the SDI function is active.
● Parameter p9564 is used to set the tolerance within which a movement in a non-enabled
(safe) direction is tolerated.
● Parameter p9566 defines the stop response in the case of a fault.
● For control via TM54F, parameters p10030 and p10031 are used to define the terminals for
SDI.
● Parameters p10042 to p10045 are used to define whether the SDI status in the F-DO status
display of the TM54F will be taken into account.
● If "SDI positive" is selected, the following value is set automatically:
– r9733[1] = 0 (setpoint limitation negative)
● If "SDI negative" is selected, the following value is set automatically:
– r9733[0] = 0 (setpoint limitation positive)
● The absolute setpoint speed limit is available in r9733[2].


Enabling SDI
The "Safe Direction" function is enabled with p9501.17 = 1.
[Figure: velocity over time t (actual velocity value, velocity setpoint) with the phases selection, activation and deselection of SDI positive, the SDI delay time and the direction monitoring; below it the signals "Deselect SDI positive", "SDI positive active", "Deselect SDI negative" and "SDI negative active".]

Figure 5-17 Functional principle SDI with encoder


5.2.10.2 Safe Direction without encoder


Set p9506 = 1 or p9506 = 3 (factory setting = 0) to activate Safety Integrated Extended
Functions without encoder. You can also make this setting by selecting "Without encoder" on
the Startdrive safety screen.

Note
Defaults
For commissioning, also pay attention to the description in Chapter "Default settings for
commissioning Safety Integrated functions without encoder (Page 284)."

Differences between SDI with encoder and SDI without encoder


● For Safe Direction without encoder, after pulse suppression the drive is unable to determine
the current speed. For this operating state, the behavior is defined in parameter p9509.8:
– p9509.8 = 1
The status signal displays "inactive".
– p9509.8 = 0
The status signal displays "active", and the drive takes on the state STO.
● Due to the less precise position recognition, "Safe Direction without encoder" requires a
larger tolerance (p9564) compared with the function with encoder.

Note
No detection of a change in direction by means of p1820 or p1821
If the direction of rotation is reversed via p1820 or p1821, safe monitoring is still possible.
However, in this case the setpoint limitation r9733 is calculated with the wrong direction of
rotation. Reversing the direction of rotation with p1820 or p1821 therefore does not make
sense.

Restart after pulse cancellation for p9509.8 = 0


If the drive has been switched off via OFF1/OFF2/STO etc., the following steps need to be
carried out before a restart can be performed:

1. Case
● State after switching on
– SDI selected
– STO selected
– Pulse suppression active
● Deselect STO
● The drive enable must be issued within 5 seconds via a positive edge at OFF1, otherwise
STO is reactivated.


2. Case
● Situation
– Traversing to standstill with SDI selected
– Initiate OFF1
– Pulses are canceled; internal selection STO becomes active
● Select STO
● Deselect STO
STO activated internally via pulse suppression: This activation must be undone by
selecting/deselecting STO.
● The drive enable must be issued within 5 seconds via a positive edge at OFF1, otherwise
STO is reactivated.

3. Case
● Situation
– Traversing to standstill with SDI selected
– Initiate OFF1
– Pulses are canceled; internal selection STO becomes active
● Deselect SDI
STO activated internally via pulse suppression: This activation must be undone by
deselecting SDI.
● Select SDI
● The drive enable must be issued within 5 seconds via a positive edge at OFF1, otherwise
STO is reactivated.

4. Case
● Situation
– All Safety Integrated functions are deselected.
● After this the drive enable must be given by a positive edge at OFF1.
● In this case, the motor is not started safely.
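
The restart cases listed above for SDI, and the corresponding ones for SLS and SSM without encoder, can be replayed against a recorded command sequence. The following Python sketch is an added example, not code from the manual: the event names and the trace format are hypothetical, "fn" stands for the selectable monitoring function (SLS or SDI; for SSM only the STO events apply), and the end of the 5 second window is treated as inclusive.

```python
from dataclasses import dataclass

WINDOW_S = 5.0  # "within 5 seconds"; boundary treated as inclusive (assumption)


@dataclass(frozen=True)
class Outcome:
    started: bool   # did an OFF1 edge start the motor?
    safe: bool      # was the monitoring function selected at that moment?
    reason: str


def check_restart(events, sto_selected=False, fn_selected=True):
    """Replay (time_s, event) pairs against the restart rules.

    Start state: pulses suppressed, STO active internally.
    Event names (hypothetical): select_sto, deselect_sto, select_fn,
    deselect_fn, off1_rising.
    """
    window_end = None                     # None: internal STO is latched
    reason = "no OFF1 edge in trace"
    latched = "internal STO active: select/deselect STO or the function first"
    last_t = float("-inf")
    for t, name in events:
        if t < last_t:
            raise ValueError("events must be in time order")
        last_t = t
        if window_end is not None and t > window_end:
            window_end = None             # window missed: STO is reactivated
            latched = "5 s window expired, STO reactivated"
        if name == "select_sto":
            sto_selected, window_end = True, None
        elif name == "deselect_sto":
            if sto_selected:              # only a real select -> deselect change counts
                sto_selected = False
                window_end = t + WINDOW_S
        elif name == "deselect_fn":
            fn_selected, window_end = False, None
        elif name == "select_fn":
            if not fn_selected:
                fn_selected = True
                if not sto_selected:
                    window_end = t + WINDOW_S
        elif name == "off1_rising":
            if sto_selected:
                reason = "STO is still selected"
            elif not fn_selected:
                # 4th case: nothing selected, the motor starts without monitoring
                return Outcome(True, False, "started, but not safely")
            elif window_end is not None:
                return Outcome(True, True, "enabled inside the 5 s window")
            else:
                reason = latched
        else:
            raise ValueError(f"unknown event {name!r}")
    return Outcome(False, False, reason)


# Constructed traces: one per case in the tables, plus two faulty sequences.
TRACES = {
    "case 1": ({"sto_selected": True},
               [(0.0, "deselect_sto"), (3.0, "off1_rising")]),
    "case 2": ({}, [(0.0, "select_sto"), (1.0, "deselect_sto"), (4.0, "off1_rising")]),
    "case 3": ({}, [(0.0, "deselect_fn"), (1.0, "select_fn"), (2.0, "off1_rising")]),
    "case 4": ({}, [(0.0, "deselect_fn"), (1.0, "off1_rising")]),
    "too late": ({}, [(0.0, "select_sto"), (1.0, "deselect_sto"), (6.5, "off1_rising")]),
    "no toggle": ({}, [(2.0, "off1_rising")]),
}


def replay_samples():
    """Return the outcome for every constructed trace."""
    return {k: check_restart(ev, **kw) for k, (kw, ev) in TRACES.items()}


if __name__ == "__main__":
    for label, outcome in replay_samples().items():
        print(f"{label:10s} started={outcome.started} safe={outcome.safe} ({outcome.reason})")
```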

Acknowledgement of SDI with STOP C


When acknowledging SDI with STOP C, you must maintain the following sequence:
1. Correct the incorrect setpoint input.
2. Deselect SDI.
While the safety STOP is active, this ensures that the motor cannot travel in the direction
that has not been enabled while the SDI function is deselected.
3. Select SDI again.
The SDI limits are then set again.
4. Cancel the safety STOP as a result of "safe acknowledgment".


5.2.10.3 Safe Direction without selection

Differences between Safe Direction with and without selection


● As an alternative to controlling via terminals and/or PROFIsafe, there is also the option of
parameterizing SDI without selection. In this case, SDI will be permanently active after
POWER ON (with encoder) or will be active after switch-on (without encoder).
● The "SDI without selection" function is activated as follows:
– p9512.12 = 1 (SDI positive (CU) statically selected)
– p9512.13 = 1 (SDI negative (CU) statically selected)
● The stop response is parameterized with p9566[0].

Switching the motor on and off (without encoder)


The time response and diagnostic options are as follows in this SDI version:

[Figure: timing diagram over time t. Upper part: load speed (setpoint, actual value) with ramp-function generator ramp-down time and zero speed detection for the operator actions "Switch off the motor" (OFF command) and "Switch on motor" (ON command). Lower part: diagnostics signals "SDI active" and "Safe pulse suppression active".]
Figure 5-18 Time response of SDI without selection (example: Switching the motor on and off (without
encoder))

"SDI without selection" behaves as follows when switching off and switching on again:
● After switch-off, the motor behaves in accordance with the canceled signal (OFF1, OFF2 or
OFF3).
● STO (≙ safe pulse cancellation) becomes active after the standstill limit is undershot.
● After the ON command, the converter cancels the "safe pulse suppression" state and the
start procedure is initiated.
● If the minimum current has not been reached after 5 seconds, the converter returns to the
"safe pulse suppression" state and initiates the safety message C01711(1041).


5.2.10.4 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2824 SI Extended Functions - SDI (Safe Direction)


● 2840 SI Extended Functions - SI Motion drive-integrated control signals/status
signals
● 2905 SI TM54F - Extended Functions control interface (p9601.2 = 1 & p9601.3
= 0)
● 2906 SI TM54F - Extended Functions Safe State selection
● 2907 SI TM54F - Extended Functions assignment (F-DO 0 ... F-DO 3)

Overview of important parameters

● p1820[0...n] Reverse the output phase sequence


● p1821[0...n] Direction of rotation
● p9501.17 SI Motion enable safety functions (Control Unit): Enable SDI
● p9506 SI Motion function specification (Control Unit)
● p9509 SI Motion behavior during pulse suppression (Control Unit)
● p9564 SI Motion SDI tolerance (Control Unit)
● p9565 SI Motion SDI delay time (Control Unit)
● p9566 SI Motion SDI stop response (Control Unit)
● p9580 SI Motion STO delay bus failure (Control Unit)
● r9720.0...27 CO/BO: SI Motion drive-integrated control signals
● r9722.0...31 CO/BO: SI Motion drive-integrated status signals (Control Unit)
● r9733[0...2] CO: SI Motion setpoint speed limit effective
● p10017 SI Motion digital inputs debounce time (CPU 1)
● p10030[0...3] SI TM54F SDI positive input terminal (CPU 1)
● p10031[0...3] SI TM54F SDI negative input terminal (CPU 1)
● p10039[0...3] SI TM54F Safe State signal selection (CPU 1)
● p10042[0...5] SI TM54F F-DO signal sources (CPU 1)
● p10043[0...5] SI TM54F F-DO 1 signal sources
● p10044[0...5] SI TM54F F-DO 2 signal sources
● p10045[0...5] SI TM54F F-DO 3 signal sources

5.2.11 Safely Limited Acceleration (SLA)

The "Safely-Limited Acceleration" (SLA) function monitors that the motor does not violate the
defined acceleration limit (e.g. in the setup mode). SLA detects early on whether the speed is
increasing at an inadmissible rate (the drive accelerates uncontrollably) and initiates the stop
response.


SLA is effective when accelerating, but not when braking.

Note
Safety function "Safely-Limited Acceleration" (SLA) can only be used with an encoder.

Note
Safety function "Safely-Limited Acceleration" (SLA) can only be used for 1-encoder systems.

Enabling SLA
● You enable the SLA function with p9501.20 = 1.

Selecting SLA
Select the SLA function using the PROFIsafe control word S_STW1.8 or S_STW2.8. Which
control word you use depends on the PROFIsafe telegram that you configured.
Once selected, the SLA function becomes immediately active without any delay.
You can use telegrams 30, 31, 901, 902 and 903 for SLA. These telegrams contain the control
words S_STW1.8 and S_STW2.8 and status words S_ZSW1.8 and S_ZSW2.8 for SLA.

Acceleration limit
● You define the acceleration limit to be monitored using parameter p9578. This limit value is
applicable for both the positive and negative directions of rotation.
● When setting p9578, the following rule must be complied with:
– p9578 ≥ 10 · r9790[1]
● The possible acceleration resolution is shown by the drive in r9790:
– r9790[0] = resolution, coarse
– r9790[1] = resolution, fine
The actual accuracy of the acceleration detection depends on the type of actual value
acquisition, the gear ratios as well as the quality of the encoder being used.
● The drive indicates the velocity limit corresponding to the actual acceleration in r9714[3].
● r9789 allows the diagnosis of the finer resolution acceleration monitoring offered. Index 0
indicates the actual acceleration determined. Index 1 and 2 indicate the current limit values
of the SLA monitoring.
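
The parameterization rules stated for SSM (p9547 ≤ 0.75 · p9546, p9549 ≤ p9547) and for SLA (p9578 ≥ 10 · r9790[1], use only with an encoder) can be checked offline before an acceptance test. The following Python sketch is an added example, not a Siemens tool: the dictionary layout of the parameter set and the sample values are constructed, and reading the p9549 rule as applying only while hysteresis is enabled is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "error": rule from the manual violated; "warn": behaviour to be aware of
    params: str
    message: str


def bit(value, n):
    """True if bit n of a bit-field parameter such as p9501 is set."""
    return (value >> n) & 1 == 1


def audit(p):
    """Check a parameter set (dict, layout is an assumption) against the rules."""
    out = []
    enable = p.get("p9501", 0)
    encoderless = p.get("p9506", 0) in (1, 3)   # Extended Functions without encoder

    # SSM is active once the Extended Functions are enabled and p9546 > 0.
    n_x = p.get("p9546", 0.0)
    if bit(enable, 0) and n_x > 0:
        if bit(enable, 16):                     # "hysteresis and filtering" enabled
            hyst = p.get("p9547", 0.0)
            if hyst > 0.75 * n_x:
                out.append(Finding("error", "p9547/p9546",
                                   f"p9547={hyst} exceeds 0.75*p9546={0.75 * n_x}"))
            # Actual value synchronization enabled: tolerance must fit the hysteresis.
            if bit(enable, 3) and p.get("p9549", 0.0) > hyst:
                out.append(Finding("error", "p9549/p9547",
                                   f"p9549={p['p9549']} exceeds p9547={hyst}"))
        else:
            out.append(Finding("warn", "p9501.16",
                               "SSM without hysteresis is not an active monitoring "
                               "function: STOP F has no STOP B/STOP A follow-up if "
                               "no other safety function is active"))

    # SLA: enabled with p9501.20, needs an encoder and a limit well above the resolution.
    if bit(enable, 20):
        if encoderless:
            out.append(Finding("error", "p9501.20/p9506",
                               "SLA is enabled although p9506 selects operation "
                               "without encoder"))
        fine = p["r9790"][1]
        if p["p9578"] < 10 * fine:
            out.append(Finding("error", "p9578/r9790[1]",
                               f"p9578={p['p9578']} is below 10*r9790[1]={10 * fine}"))
    return out


ENABLE_ALL = (1 << 0) | (1 << 3) | (1 << 16) | (1 << 20)

# Constructed parameter sets, not read from a real drive.
SAMPLE_GOOD = {"p9501": ENABLE_ALL, "p9506": 0, "p9546": 100.0, "p9547": 50.0,
               "p9549": 40.0, "p9578": 20.0, "r9790": [1.0, 0.8]}
SAMPLE_BAD = {"p9501": ENABLE_ALL, "p9506": 1, "p9546": 100.0, "p9547": 80.0,
              "p9549": 90.0, "p9578": 5.0, "r9790": [1.0, 0.8]}

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, "->", len(audit(sample)), "finding(s)")
        for f in audit(sample):
            print(f"  [{f.severity}] {f.params}: {f.message}")
```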

Filter time
If the determination of the acceleration leads to very noisy signals, the drive cannot reasonably
monitor the acceleration.


Remedy
● In this case, increase the "SLA filter time" (p9576).
Note that SLA reacts with a delay when you increase the filter time.

Stop response
If the SLA subsequently detects violation of the acceleration limit, the drive initiates the stop
response configured using p9579.

5.2.11.1 Principle of operation

Principle of operation
The following diagram shows the principle of operation of SLA:

[Figure: three traces over time t. PROFIsafe and diagnostics: select SLA, deselect SLA, "Deselect SLA" and "SLA active" signals. Speed: actual speed with the current SLA speed limit while accelerating and braking. Acceleration: actual acceleration with the positive and negative limit.]

Figure 5-19 Safely-Limited Acceleration (SLA): Principle


5.2.11.2 Transmission via PROFIsafe or SIC

Transmission via PROFIsafe


Once SLA has been parameterized and selected, the monitoring results are transmitted in
status words S_ZSW1.8 or S_ZSW2.8 (see Chapter "Process data (Page 224)").

Note
Response to bus failure
If p9580 ≠ 0 and SLA is active, in the event of a communication failure, the parameterized ESR
reaction only occurs if a STOP with delayed pulse suppression when the bus fails has been
parameterized as the SLA response (p9579 ≥ 10).

Transfer via SIC


Once SLA has been parameterized and selected, the monitoring results are also transmitted in
SIC in status word S_ZSW1B.8 (Chapter "Safety Info Channel and Safety Control Channel
(Page 257)"). You will find this status word in telegrams 700 and 701.

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2838 SLA (Safely-Limited Acceleration)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501 SI Motion enable safety functions (Control Unit)


● p9576 SI Motion SLA filter time (CU)
● p9578 SI Motion SLA acceleration limit (CU)
● p9579 SI Motion SLA stop response (Control Unit)
● r9714[3] CO: SI Motion diagnostics velocity: Actual SLA velocity limit on the Control
Unit
● r9719.17 CO/BO: SI Motion control signals 2: Deselect SLA
● r9720.8 CO/BO: SI Motion drive-integrated control signals: Deselect SLA
● r9721.11 CO/BO: SI Motion status signals (Control Unit): SLA active
● r9722.8 CO/BO: SI Motion drive-integrated status signals (Control Unit): SLA active
● r9789 CO: SI Motion SLA acceleration acceleration diagnostics
● r9790 SI Motion acceleration resolution


5.2.12 Safe Brake Test (SBT)

Note
SBT only with encoder
The "Safe Brake Test" (SBT) diagnostic function can only be used with an encoder.

The "Safe Brake Test" (SBT) diagnostic function checks the holding torque of a brake
(operating or holding brake). The drive purposely generates a configurable torque against the
applied brake. If the brake is operating correctly, the axis motion remains within a
parameterized tolerance. However, if larger axis motion is identified from the encoder actual
values, the brake is not able to provide the specified holding torque. The brake must
now be serviced or replaced.

Features
The Safe Brake Test function has the following properties:
● The parameters of the "SBT" function are protected by the safety password, and can only
be changed in the safety commissioning mode.
● Using this function, brakes can be tested that are directly connected to SINAMICS S120
(integrated brake control), but also externally controlled brakes (e.g. via a PLC).
● A maximum of 2 brakes can be tested:
– A motor holding brake, controlled by the integrated brake control of the SINAMICS, and
in addition, an externally controlled brake.
– 2 externally controlled brakes
– A motor holding brake, controlled by the integrated brake control of the SINAMICS.
– One externally controlled brake

● The following options are available to control the SBT function:


– BICO interconnection; this setting uses digital signals (e.g. DIs) to operate the "SBT"
function.
– Safety Control Channel (SCC) via PROFIBUS or PROFINET
Using SCC, the SBT function can be directly controlled from a higher-level control
system. You can find additional information about SCC and SIC data in Chapter "Safety
Info Channel and Safety Control Channel (Page 257)".
– The brake test can be automatically executed when the forced checking procedure (test
stop) is selected. With this setting, no additional signals are required for the control.
However, the test possibilities are restricted.
● The "Safe Brake Test" (SBT) diagnostic function is suitable for safety functions up to
Category 2 according to ISO 13849‑1.
Safe Brake Test (SBT) is suitable as a diagnostics function for a brake that is controlled in a
safety-relevant fashion (e.g. via SBC). With one brake in a Category 2 application and with
2 brakes in a Category 3 application, a Performance Level of up to PL d can be
achieved with an adequate test rate.
You will find an application example of the calculation at this address
(https://support.industry.siemens.com/cs/ww/en/view/69870640).

Requirements
The following preconditions must be satisfied when using the "Safe Brake Test" function:
● The Safety Integrated Extended Functions must be enabled; also available for the Safety
Integrated Extended Functions without selection.
To acknowledge errors when exiting the brake test, "Extended Functions without selection
and Basic Functions via onboard terminals" must be activated (p9601 = 0025 hex).
● Safety Integrated Extended Functions with encoder have been enabled
You can find information about possible encoder concepts in Chapter "Reliable actual value
acquisition with encoder system (Page 160)".
● Speed control with encoder (p1300 = 21).
SBT is not possible with encoderless speed control (e.g. vector U/f control) and torque
control. In this case, alarm A01784 is output.

Note
SBT and SBC
The Safe Brake Control (SBC) function must be activated to control a motor holding brake in a
safety-relevant fashion.
However, this is not necessary to perform the brake test.

Enabling SBT
To enable the Safe Brake Test function, proceed as follows:
1. Enable the Safe Brake Control (SBC) function: p9602 = 1.
2. Select the SBT selection type with parameter p10203:
– = 0: Selection of SBT via SCC
– = 1: Selection of SBT via BICO
– = 2: Selection of SBT for forced checking procedure (test stop)
3. Check the motor type; the following settings must apply: p10204 = r0108.12

Parameterizing the test sequences


For testing brake 1 [index 0] or 2 [index 1], initially enter those values which apply to both test
sequences:
● Brake type (p10202[0,1])
– = 0 (≙ block)
Make this setting if one of the brakes is either not available or is not to be tested.
– = 1 (≙ test motor holding brake)
For this setting, set p1215 = 1 in addition.
– = 2 (≙ test external brake)
● You define the holding torque of brakes using p10209.
● Test torque ramp time p10208[0,1]
Within this time, the test torque is ramped up before the test sequence starts. At the
end of the sequence, it is ramped down again within the same time.
Note
When testing an external brake, whose mechanical design exhibits backlash (e.g. if there is
a gearbox located between the motor and external brake), it can make sense to extend the
ramp time (p10208) when ramping up and ramping down the test torque.

● The parameters for the telegram extension relevant for SCC/SIC can be set
automatically with p60122 = 701. However, the telegram extension must have been
created beforehand. More detailed information on this can be found in Chapter "Safety Info
Channel and Safety Control Channel (Page 257)".
● If you control the brake test using BICO signals (p10203 = 1), set the following parameters
in addition:
– p10230.0: Signal for selecting the brake test
– p10230.1: Signal for starting the test sequence
– p10230.2: Signal for selecting the brake to be tested (= 0: Brake 1; = 1: Brake 2)
– p10230.3: Signal for selecting the sign of the test torque (= 0: positive; = 1: negative)
– p10230.4: Signal to select the test sequence (= 0: sequence 1; = 1: sequence 2)
– p10230.5: Feedback signal for the state of the external brake
(= 0: external brake open; = 1: external brake closed)
You can parameterize 2 test sequences for each brake. Each test sequence is characterized
by the following setting values:
● Brake test sequence 1
– p10210[0,1]: Test torque to be generated in % of the brake holding torque
– p10211[0,1]: Test duration in ms
– p10212[0,1]: Positional deviation to be tolerated in mm/degrees during the test
● Brake test sequence 2
– p10220[0,1]: Test torque to be generated in % of the brake holding torque
– p10221[0,1]: Test duration in ms
– p10222[0,1]: Positional deviation to be tolerated in mm/degrees during the test
● Perform a POWER ON after commissioning

NOTICE
Damage to the motor holding brake as a result of an incorrect setting
Brake wear increases if the motor holding brake is incorrectly set. This can damage the brake.
● Correctly adjust the opening and closing times of the motor holding brake.
● If you use an external brake, you are only permitted to close it when requested by signal
r10234.6 = 1. Following this, you are permitted to set the signal p10230.5 = 1 ("External
brake closed").
● If you use an internal brake, set the switching times in parameters p1216 ("Motor holding
brake opening time") and p1217 ("motor holding brake closing time"). Further information
can be found in the SINAMICS S120 Function Manual Drive Functions.
– Note that you must set the times p1216 and p1217 exactly according to the physical
behavior of the brake.
– In DRIVE-CLiQ motors, the values are preassigned automatically. Do not change these
default values.

Note
Closing the brake
p1216 ("Motor holding brake opening time") and p1217 ("Motor holding brake closing time") act
only if you are testing an internal brake. When testing an external brake, specify via SCC that
the brake is closed.

Note
SBT and EPOS
If EPOS is activated, you must activate "follow-up mode" (r2683.0) before you perform the
brake test so that the position monitoring does not react during the brake test.

Note
SBT and DSC
If you use SBT with SIMOTION, evaluate parameter r10234 (S_ZSW3B) and activate Safety
Control Channel control word 3B (S_STW3B). In SIMOTION, r10234.1 specifies that no
position monitoring or traversing may be active during the brake test.

Note
SBT and HLA
The "Safe Brake Test" (SBT) function is not available for SINAMICS HLA.

Starting SBT
1. Selection
You have the following options for the selection of the Safe Brake Test:
– Selection via BICO using a 0/1 signal edge at DI for p10230[0]
– Selected via fieldbus (SCC):
Select the brake test sequence with a 0/1 edge in S_STW3B bit 0
– Selected using forced checking procedure (test stop) of the Extended Functions:
Selection by signal at the intended DI
After the 0/1 edge at the digital input for p9705 or in S_STW1B bit 8, the drive initially
executes SBT automatically. Forced checking procedure (test stop) is then performed.

Note
When selecting via DI (BICO) or via fieldbus (SCC, S_STW3B bit 0), the
sequence of steps 2 to 5 described below must be carefully observed.

Note
Only brake 1 when selecting via forced checking procedure (test stop)
When selecting using forced checking procedure (test stop), only the internal motor holding
brake parameterized as brake 1 is tested with test sequence 1 in the direction
parameterized in p10218.
It is not possible to use the brake test together with the "Automatic test stop when powering
up" function.
The pulses must be enabled when SBT is selected. When selected, the speed actual value
must not exceed 1 % of the maximum speed (p1082) - and over the complete course of the
SBT, it must not exceed a value of 10 % of the maximum speed.
The brake(s) must be open.
2. Wait for feedback signal, r10231[0] = 1

3. Select brake and test sequence


Make the following decisions before starting the brake test sequence:
– The brake to be tested using DI for p10230[2] or S_STW3B bit 2
– Positive or negative direction of the test torque using DI for p10230[3] or S_STW3B bit 3
– Brake test sequence 1 or 2 using DI for p10230[4] or S_STW3B bit 4.
4. Start brake test
Start the brake test sequence using a 0/1 edge at the DI for p10230[1] or in S_STW3B bit 1.
5. Exit brake test
Note
Observe the sequence when exiting
When you exit the brake test, you must observe the following sequence.

– Withdraw "Begin brake test" via 1/0 edge at the digital input for p10230[1] or in S_STW3B
Bit 1.
– Wait for at least one monitoring cycle (p9500).
– Withdraw "Select brake test" via 1/0 edge at the digital input for p10230[0] or in
S_STW3B Bit 0.

Note
Observe the sequence when exiting
In addition, do not select STO and do not cancel the pulse enable at the same time as the brake
test is deselected. Maintain the following sequence:
- Deselect the brake test.
- Wait for at least one monitoring cycle (p9500).
- Only now is it permissible for you to select STO or to cancel the pulse enable.
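
The selection, start and exit handshake from steps 1 to 5 can be checked offline against a recorded control trace. The following is an added example, not part of the original manual and not Siemens code; the trace layout, the rule names and the 12 ms monitoring cycle are assumptions, while the S_STW3B bit positions 0 to 4 are those given above.

```python
"""Check a recorded SBT control trace against the handshake rules above.

Added example. The Sample layout and rule names are assumptions of this
sketch; S_STW3B bit positions 0..4 are the ones given in the text.
"""
from dataclasses import dataclass

SELECT = 0x01        # S_STW3B bit 0: select brake test
START = 0x02         # S_STW3B bit 1: start test sequence
CHOICE_MASK = 0x1C   # bits 2..4: brake, test torque sign, test sequence
P9500_MS = 12        # assumed monitoring cycle (p9500) for the sample traces


@dataclass
class Sample:
    t_ms: float                 # time stamp of the sample
    stw3b: int                  # control word sent to the drive
    selected_fb: bool = False   # feedback "brake test selected" (r10231[0] = 1)
    sto: bool = False           # STO selected or pulse enable cancelled


def check_sbt_trace(samples, p9500_ms):
    """Return [(t_ms, rule), ...] for every rule the trace violates."""
    violations = []
    prev_word, prev_sto = 0, False   # assumed idle state before the trace
    t_start_fall = None              # time of the last 1/0 edge of "start"
    t_select_fall = None             # time of the last 1/0 edge of "select"

    for s in samples:
        rose = s.stw3b & ~prev_word
        fell = prev_word & ~s.stw3b

        # Steps 1, 2 and 4: start only after select and its feedback.
        if rose & START:
            t_start_fall = None
            if not (prev_word & SELECT):
                violations.append((s.t_ms, "start-without-select"))
            elif not s.selected_fb:
                violations.append((s.t_ms, "start-before-feedback"))
        if rose & SELECT:
            t_select_fall = None

        # Step 3: brake, sign and sequence are decided before the start edge,
        # so they must not change while "start" stays set.
        if ((s.stw3b ^ prev_word) & CHOICE_MASK) and (prev_word & s.stw3b & START):
            violations.append((s.t_ms, "choice-changed-during-test"))

        # Step 5: withdraw start, wait >= p9500, then withdraw select.
        if fell & START:
            t_start_fall = s.t_ms
        if fell & SELECT:
            t_select_fall = s.t_ms
            if s.stw3b & START:
                violations.append((s.t_ms, "deselect-while-start-set"))
            elif t_start_fall is not None and s.t_ms - t_start_fall < p9500_ms:
                violations.append((s.t_ms, "deselect-too-early"))

        # STO / pulse cancel only >= p9500 after the brake test is deselected.
        if s.sto and not prev_sto and t_select_fall is not None:
            if s.t_ms - t_select_fall < p9500_ms:
                violations.append((s.t_ms, "sto-too-early"))

        prev_word, prev_sto = s.stw3b, s.sto
    return violations


# Constructed traces (not recorded from a real drive).
GOOD_TRACE = [
    Sample(0, 0x00),
    Sample(10, 0x01),                # select brake test
    Sample(30, 0x01, True),          # feedback "brake test selected"
    Sample(40, 0x15, True),          # brake 2, positive torque, sequence 2
    Sample(50, 0x17, True),          # start test sequence
    Sample(900, 0x15, True),         # withdraw start
    Sample(915, 0x14),               # withdraw select 15 ms later
    Sample(930, 0x14, sto=True),     # STO 15 ms after deselection
]
BAD_TRACE = [
    Sample(0, 0x00),
    Sample(10, 0x03),                # select and start in the same sample
    Sample(20, 0x0B, True),          # torque sign changed while start is set
    Sample(900, 0x08, True),         # start and select withdrawn together
    Sample(905, 0x08, sto=True),     # STO 5 ms after deselection
]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, check_sbt_trace(trace, P9500_MS))
```
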

Sequence
SBT has the following basic sequence:

[Figure: timing diagram of torque (Mset) over time t. Labels: Brake closed; Monitor position tolerance; Test torque monitoring; Diagnostics: brake test torque / max. test torque; Mload; Diagnosis: static load torque; Test torque; Sign select: positive; Ramp time, Test duration, Ramp time; Enable operation; Start brake test; Brake test selected; Setpoint input external, Setpoint input drive (nset), Setpoint input external; Select brake test; Deselect brake test.]
Figure 5-20 SBT: Time sequence

● After you have selected the brake test (0/1 edge in r10231.0), the drive determines the static
suspended load. This is the reason that all brakes must be open and the pulses enabled
when the brake test is selected.
– When testing a motor holding brake that is directly controlled from the drive, the drive
automatically opens the brake when the pulses are enabled and p1215 = 1.
– When testing an external brake, a value of 0 in r10234.6 (or, for SIC/SCC, in S_ZSW3B.6)
indicates that the external brake must be opened. Open the brake within 11 s,
otherwise the drive aborts the test and outputs a fault.
● Then select the brake, the test sequence and the test direction.
● Start the brake test/test sequence (0/1 edge in r10231.1):
– This activates the brake test.
– The drive closes the motor holding brake or requests closing of the external brake. The
request to close the brake is again indicated via r10234.6 = 1 or S_ZSW3B.6 = 1. In this
case too, no more than 11 seconds may elapse, otherwise the drive outputs a
fault.
● The test torque is specified during the SBT. When n = 0 is entered, the controller builds up
an appropriate test torque against the closed brake. The test torque is built up along a ramp.
The ramp is defined by the time of p10208.
● At the end of the test sequence, the brake is opened or there is a prompt to open the brake.

● After deselection of the test sequence (test sequence is switched off), another test
sequence can be started, e.g. with a different brake in a different direction, assuming that
the brake test is still selected.
● When the test sequence is active, the brake that is not being tested must remain open.
● After deselection of the SBT, the original speed setpoint takes effect again.

Cancel
A 1/0 edge of signal r10231.1 "Start brake test", interrupts the brake test. The converter issues
alarm A01782 after the brake test has been interrupted. You can then deselect the brake test
using a 1/0 signal edge of signal r10231.0.

Acknowledging alarms
Alarms relevant for the brake test can only be acknowledged safely (Failsafe Acknowledge,
e.g. using TM54F) and, under certain circumstances, only when the brake
test is deselected. For "motion monitoring without selection," a POWER ON is required – or
STO/SS1 must be selected/deselected (if extended message acknowledgment is configured).

5.2.12.1 Communication via SIC/SCC

Test of a motor holding brake


The following figure shows the communication via SIC and SCC during the test of a motor
holding brake:

[Figure: signal-time diagram. Signals shown over time t: ON/OFF; Select brake test (S_STW3B); Select direction of rotation (S_STW3B); Select test sequence (S_STW3B); Brake selection (S_STW3B); Start brake test (S_STW3B); Close motor holding brake; Test torque; Brake test selected (S_ZSW3B); Setpoint input drive/external (S_ZSW3B); Brake test active (S_ZSW3B); Active brake (S_ZSW3B); Actual load sign (S_ZSW3B); Brake test result (S_ZSW3B); Brake test completed (S_ZSW3B).]

Test of an external brake


The following figure shows the communication via SIC and SCC during the test of an external
brake:

[Figure: signal-time diagram. Signals shown over time t: ON/OFF; Select brake test (S_STW3B); Select direction of rotation (S_STW3B); Select test sequence (S_STW3B); Brake selection (S_STW3B); Start brake test (S_STW3B); Close external brake; External brake status (S_STW3B); Test torque; Brake test selected (S_ZSW3B); Setpoint input drive/external (S_ZSW3B); Brake test active (S_ZSW3B); Active brake (S_ZSW3B); Request close brake (S_ZSW3B); Actual load sign (S_ZSW3B); Brake test result (S_ZSW3B); Brake test completed (S_ZSW3B).]

5.2.12.2 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2836 SI Extended Functions - SBT (Safe Brake Test)


● 2837 SI Extended Functions – Selection of active control word

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p1215 Motor holding brake configuration


● p1216 Motor holding brake opening time
● p1217 Motor holding brake closing time
● p9501 SI Motion enable safety functions (Control Unit)
● p9601 SI enable functions integrated in the drive (Control Unit)
● p9602 SI enable safe brake control (Control Unit)
● p10201 SI Motion SBT enable
● p10202[0...1] SI Motion SBT brake selection
● p10203 SI Motion SBT control selection
● p10204 SI Motion SBT motor type
● p10208[0...1] SI Motion SBT test torque ramp time
● p10209[0...1] SI Motion SBT brake holding torque
● p10210[0...1] SI Motion SBT test torque factor sequence 1
● p10211[0...1] SI Motion SBT test duration sequence 1
● p10212[0...1] SI Motion SBT position tolerance sequence 1
● p10218 SI Motion SBT test torque sign
● p10220[0...1] SI Motion SBT test torque factor sequence 2
● p10221[0...1] SI Motion SBT test duration sequence 2
● p10222[0...1] SI Motion SBT position tolerance sequence 2
● p10230[0...5] BI: SI Motion SBT control word
● r10231 SI Motion SBT control word diagnostics
● r10234.0...15 CO/BO: SI Safety Info Channel status word S_ZSW3B
● p10235 CI: SI Safety Control Channel control word S_STW3B
● r10240 SI Motion SBT test torque diagnostics
● r10241 SI Motion SBT load torque diagnostics
● r10251 CO/BO: SI Safety Control Channel control word S_STW1B diagnostics
● p60122 IF1 PROFIdrive SIC/SCC telegram selection

5.2.13 Safe Acceleration Monitor (SAM)

5.2.13.1 Description
The "Safe Acceleration Monitor" (SAM) function is used to safely monitor braking along the
OFF3 ramp. The function is active for SS1, SS2 or STOP B and STOP C.

Features
As long as the speed decreases, the converter continuously adds the adjustable tolerance p9548
to the actual speed so that the monitoring threshold tracks the speed. If the speed is temporarily
higher, the monitoring threshold remains at its last value. The converter reduces the monitoring
threshold until the "Shutdown speed" has been reached.
SAM recognizes if the drive accelerates beyond the tolerance defined in p9548 during the ramp-
down phase, and generates a STOP A. The monitoring is performed as follows:
● Monitoring with SAM is activated for SS1 (or STOP B) and SS2 (or STOP C).
● The SAM limit value is frozen after the speed limit in p9568 is undershot.
● SAM monitoring continues until the transition time to SOS/STO expires.

Note
Relationship between SSM and SAM
If 0 is entered for p9568, the speed limit of the SSM function (p9546) is also used as minimum
limit value for the SAM function (safe acceleration monitoring). If the speed is below this limit,
SAM no longer triggers a response from the drive.
In this case, the effects of safe acceleration monitoring are therefore significantly restricted if a
relatively high SSM velocity limit is set when using the SS1 and SS2 stop functions.

Note
No direct selection of SAM
SAM is part of the Safety Integrated Extended Functions SS1 and SS2 or STOP B and STOP
C. SAM cannot be individually selected.

Responses
● Speed limit violated (SAM):
– STOP A
– Safety message C01706
● System fault:
– STOP F with subsequent STOP A
– Safety message C01711

5.2.13.2 Calculating the SAM tolerance of the actual velocity


● The following applies when parameterizing the SAM tolerance:
– The maximum speed increase after SS1 or SS2 is triggered results from the effective
acceleration (a) and the duration of the acceleration phase.
– The duration of the acceleration phase is equivalent to one monitoring cycle (MC, p9500),
i.e. the delay from detecting an SS1/SS2 until nset = 0.
● Calculating the SAM tolerance:
Actual velocity for SAM = acceleration · acceleration duration
The following setup rule is derived from this:
– For a linear axis:
SAM tolerance [mm/min] = a [m/s²] · MC [s] · 1000 [mm/m] · 60 [s/min]
– For a rotary axis:
SAM tolerance [rpm] = a [rev/s²] · MC [s] · 60 [s/min]
● Recommendation
The SAM tolerance value entered should be approx. 20% higher than the calculated value.
● Set the tolerance such that the "overshoot" that necessarily occurs when standstill is
reached after braking along the OFF3 ramp is tolerated. However, the magnitude of this
overshoot cannot be calculated.

Note
First monitoring cycle
For SAM, in the first "SI Motion monitoring cycle" (p9500) a higher SAM tolerance is taken into
account in order to compensate for possible settling operations without resulting in an incorrect
initiation. The increase factor is calculated as follows:
SI Motion monitoring cycle (p9500) / SI Motion actual value acquisition cycle (p9511)
Example:
SI Motion monitoring cycle (p9500) = 12 ms
SI Motion actual value acquisition cycle (p9511) = 1 ms
SAM tolerance (p9548) = 300 rpm
Actual speed = 250 rpm
Rotary axis
In the first cycle after activation of the monitoring, the SAM limit value is therefore:
Actual speed + SAM tolerance · (12 ms/1 ms) =
250 rpm + 300 rpm · 12 =
approx. 3850 rpm
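
The setup rule and the limit behavior described in 5.2.13.1 and 5.2.13.2 can be tried out on a sampled braking curve. The following is an added example, not part of the original manual and not drive firmware: it is a simplified model of the text with one speed sample per monitoring cycle, and the function names, the speed lists and the use of absolute speed values are assumptions.

```python
"""SAM tolerance setup rule and a simplified model of the SAM limit value.

Added example, not drive firmware: it models the behaviour described in the
text once per monitoring cycle. Function names, the per-cycle speed lists and
the use of absolute speed values are assumptions of this sketch.
"""


def sam_tolerance_rotary(a_rev_s2, mc_s, margin=0.20):
    """SAM tolerance [rpm] = a [rev/s^2] * MC [s] * 60, plus approx. 20 %."""
    return a_rev_s2 * mc_s * 60.0 * (1.0 + margin)


def sam_tolerance_linear(a_m_s2, mc_s, margin=0.20):
    """SAM tolerance [mm/min] = a [m/s^2] * MC [s] * 1000 * 60, plus approx. 20 %."""
    return a_m_s2 * mc_s * 1000.0 * 60.0 * (1.0 + margin)


def sam_monitor(speeds, p9548, p9500_ms, p9511_ms, p9568):
    """Track the SAM limit over one speed sample per monitoring cycle.

    speeds   actual speeds after SS1/SS2 was triggered (same unit as p9548)
    p9548    SAM actual speed tolerance
    p9568    effective SAM speed limit (the text uses p9546 if p9568 = 0)

    Returns (limits, violation_index). violation_index is None if the speed
    never exceeds the limit; otherwise it is the cycle in which the limit is
    exceeded (response per the text: STOP A, safety message C01706).
    """
    limits = []
    limit = None
    frozen = False
    for k, v in enumerate(abs(s) for s in speeds):
        if k == 0:
            # First monitoring cycle: tolerance increased by p9500 / p9511.
            limit = v + p9548 * (p9500_ms / p9511_ms)
        else:
            if v > limit:
                return limits, k
            if v < p9568:
                frozen = True          # limit value frozen below p9568
            if not frozen:
                # The limit follows a falling speed and holds its last value
                # while the speed is temporarily higher.
                limit = min(limit, v + p9548)
        limits.append(limit)
    return limits, None


# Constructed speed curves in rpm, one value per monitoring cycle.
BRAKING = [250, 240, 260, 100, 20, 10]   # brief rise stays inside tolerance
RUNAWAY = [250, 240, 200, 150, 520]      # drive accelerates during ramp-down

if __name__ == "__main__":
    print(sam_tolerance_rotary(5.0, 0.012))
    print(sam_monitor(BRAKING, 300, 12, 1, 50))
    print(sam_monitor(RUNAWAY, 300, 12, 1, 50))
```
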

5.2.13.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2825 SAM (Safe Acceleration Monitor), SBR (Safe Brake Ramp)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9546 SI Motion SSM (SGA n < nx) speed limit (CU)


● p9548 SI Motion SAM actual speed tolerance (Control Unit)
● p9568 SI Motion SAM speed limit (Control Unit)

5.2.14 Safe Brake Ramp (SBR)

5.2.14.1 Introduction
The Safe Brake Ramp (SBR) function provides a safe method for monitoring the brake ramp.
The Safe Brake Ramp function is used to monitor braking with the functions "SS1 with/without
encoder," "SLS without encoder," SS2 and STOP B / STOP C (for Safety with encoder). For
SLS, you must connect the setpoint limitation of the Safety Integrated Functions (r9733) to the
ramp-function generator (p1051/p1052).

Features
The motor is decelerated with the OFF3 ramp as soon as SS1, SS2, or SLS is triggered.
Monitoring of the brake ramp is activated once the delay time in p9582 has elapsed. The drive
monitors the motor to ensure that it does not exceed the set braking ramp (SBR) when braking.
The safe monitoring of the brake ramp is deactivated
● For SS1:
– As soon as the speed drops below the shutdown speed (p9560).
Or:
– As soon as the delay time (p9556) has elapsed.
● For SS2:
As soon as the SS2 delay time (p9552) has elapsed.
● For SLS:
– As soon as the set brake ramp has reached the new SLS level
Or:
– As soon as the actual speed drops below the newly selected SLS level and has remained
there for the time parameterized in p9582.
Additional specific functions (e.g. STO, new SLS speed limit) are activated at this point,
depending on the Safety Integrated Function used.

5.2.14.2 Time response

[Figure: timing diagram over time t. User actions: select/set SLS, select/set SLS limit (several changeovers), deselect SLS. Curves: Speed setpoint, Speed actual value, Envelope curve, SLS limit value, SLS setpoint limit, Monitoring ramp active. Diagnostics signals: SLS selected, SLS active, SBR Monitoring active. PROFIsafe signals: SLS active, SLS limit. Marked interval: SBR delay time.]

Figure 5-21 Example: Safe Brake Ramp without encoder (for SLS)

5.2.14.3 Parameterization

Parameterization of the brake ramp


p9581 (SI Motion braking ramp reference value) and p9583 (SI Motion brake ramp monitoring
time) are used to set the gradient of the brake ramp. Parameter p9581 determines the reference
speed and parameter p9583 defines the ramp-down time. Parameter p9582 is used to set the
time that elapses between the triggering of SS1, selection of SLS or SLS level changeover and
the start of brake ramp monitoring.

Note
SBR and OFF3 curve
The SBR curve should be aligned to the OFF3 curve. In addition, you should check that under
every load condition, the drive can follow this OFF3 ramp.

Note
Limitation of the SBR delay time
The SBR delay time (p9582) is limited to a minimum value of two SI Motion monitoring cycles
(2 · p9500), i.e. even if a value less than 2 · p9500 is parameterized for the delay time (p9582),
SBR only takes effect two safety cycles after an active SS1.
If a value greater than 2 · p9500 is parameterized for the delay time (p9582), SBR takes effect
after active SS1 after the time p9582. Ensure that you round off the SBR delay time to an integer
multiple of the safety cycle (p9500).

Responses to brake ramp violations (SBR)


● Safety message C01706 (SI Motion: SAM/SBR limit exceeded)
● Drive stopped with STOP A
● With p9516.4 = 1 ("No STOP A after encoder error with 1-encoder safety"), set the following
response:
– After an encoder error in the 1-encoder system, the drive triggers a STOP F, but not an
immediate STOP A.
– If safety functions are selected, the STOP F is followed by a time-controlled subsequent
stop STOP B or STOP A - i.e. without monitoring with SBR or SAM.
You can use this behavior if, after an encoder error, coasting down would be harmful and
you should instead use the switchover to encoderless operation with encoderless braking.

Features
● Part of the "SS1 with/without encoder", "SS2 with encoder", "SLS without encoder" and
"STOP B/STOP C (for safety with encoder)" functions.
● Parameterizable safe brake ramp

5.2.14.4 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2825 SAM (Safe Acceleration Monitor), SBR (Safe Brake Ramp)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9516 SI Motion encoder configuration safety functions (Control Unit)


● p9560 SI Motion STO shutdown speed (Control Unit)
● p9581 SI Motion braking ramp reference value (Control Unit)
● p9582 SI Motion braking ramp delay time (Control Unit)
● p9583 SI Motion braking ramp monitoring time (Control Unit)

5.2.15 Reliable actual value acquisition with encoder system

The following encoder systems can in principle be used for safety-relevant speed/position
acquisition:
● Single-encoder systems
or
● 2-encoder systems

Note
Rules for connecting an encoder
When connecting an encoder, observe the applicable rules; see the SINAMICS S120 Drive
Functions Function Manual.

5.2.15.1 Single-encoder system


In a single-encoder system, only the motor encoder is used to safely acquire the drive actual
values. This motor encoder must be suitable for this purpose (see encoder types). The actual
values are generated in a safety-relevant fashion either directly in the encoder or in the Sensor
Module and are transferred to the Control Unit via DRIVE-CLiQ.
For motors without a DRIVE-CLiQ interface, the connection is made using additional Sensor
Modules.

Even if the drive is operating in the closed-loop torque controlled mode, motion monitoring
functions may be selected as long as it is guaranteed that the encoder signals can be evaluated.

Note
No monitoring of the braking ramp with SAM or SBR in the case of encoder error in the
1-encoder system
With p9516.4 = 1 ("No STOP A after encoder error with 1-encoder safety"), set the following
response:
● After an encoder error in the 1-encoder system, the drive triggers a STOP F, but not an
immediate STOP A.
● If safety functions are selected, the STOP F is followed in this case by a time-controlled
subsequent stop STOP B 1), i.e. a stop response without monitoring with SBR or SAM.
You can use this behavior if, after an encoder error, coasting down would be harmful and you
want instead to use the switchover to encoderless operation with encoderless braking.
1) If you have selected one of the Basic Functions contained in the Extended Functions, the
subsequent stop is STOP A.

Special feature in the case of linear motors


The motor encoder (linear scale) of linear motors also acts as load measuring system. Only one
measuring system is required for this reason. The system is connected by means of a Sensor
Module or directly via DRIVE-CLiQ.

[Figure: block diagram. Labels: E = Encoder, M = Motor, DRIVE-CLiQ, Machine table, Linear scale, Sensor Module (not applicable for motor with DRIVE-CLiQ interface), Backlash.]

Figure 5-22 Example of a single-encoder system

5.2.15.2 2-encoder system


The failsafe actual values for a drive are provided by two separate encoders. The actual values
are transferred to the Control Unit via DRIVE-CLiQ.
For motors without a DRIVE-CLiQ interface, the connection is made using additional Sensor
Modules (see encoder types).

[Figure: block diagram. Labels: DRIVE-CLiQ, E = Encoder (two encoders), M = Motor, Machine table, Linear scale, Sensor Module (not applicable for motor with DRIVE-CLiQ interface), Backlash.]

Figure 5-23 Example of a 2-encoder system on a linear axis via a ball screw

[Figure: block diagram. Labels: E = Encoder (two encoders), M = Motor, DRIVE-CLiQ, Sensor Module (not applicable for motor with DRIVE-CLiQ interface).]

Figure 5-24 Example of a 2-encoder system on a rotary axis

When parameterizing a 2-encoder system with Safety Integrated, you must align parameters
p9315 to p9329 with parameters r0401 to r0474.

Note
Assignment of the encoder parameters
Parameters p95xx are assigned to the 1st encoder; parameters p93xx to the 2nd encoder.

Note
Transfer of the values from the encoder commissioning
To transfer the values of the parameters set during encoder commissioning into the safety
parameterization, set parameter p9700 = 46 (2E hex). This copy function is only possible if you
are connected online with the drive unit.

Table 5-3 Encoder parameters and corresponding safety parameters for 2-encoder systems

Safety parameters | Designation | Encoder parameters
p9315/p9515 | SI Motion coarse position value configuration |
p9315.0/p9515.0 | Up-counter | r0474[x].0
p9315.1/p9515.1 | Encoder CRC, least significant byte first | r0474[x].1
p9315.2/p9515.2 | Redundant coarse position value, most significant bit left-justified | r0474[x].2
p9315.16/p9515.16 | DRIVE-CLiQ encoder | p0404[x].10
p9316/p9516 | SI Motion encoder configuration, safety functions |
p9316.0/p9516.0 | Motor encoder, rotary/linear | p0404[x].0
p9316.1/p9516.1 | Actual position value, sign change | p0410[x]
p9317/p9517 | SI Motion linear scale grid division | p0407
p9318/p9518 | SI Motion encoder pulses per revolution | p0408
p9319/p9519 | SI Motion fine resolution G1_XIST1 | p0418
p9320/p9520 | SI Motion leadscrew pitch | Startdrive encoder parameterization dialog
p9321/p9521 | SI Motion gearbox encoder | Startdrive encoder parameterization dialog
p9322/p9522 | SI Motion gearbox encoder | Startdrive encoder parameterization dialog
p9323/p9523 | SI Motion redundant coarse position value valid bits | r0470
p9324/p9524 | SI Motion redundant coarse position value fine resolution bits | r0471
p9325/p9525 | SI Motion redundant coarse position value relevant bits | r0472
p9326/p9526 | SI Motion encoder assignment | Startdrive encoder parameterization dialog
p9328/p9528 | SI Motion Sensor Module node identifier | –
p9329/p9529 | SI Motion Gx_XIST1 coarse position safety most significant bit | For DRIVE‑CLiQ encoders: p0415 = r0470 – r0471; for SMx modules: p0415 = 14

5.2.15.3 Encoder types for single and 2-encoder systems


Incremental encoders or absolute encoders can be used for safe acquisition of the position
values on a drive.
The absolute position values can be transferred via the serial EnDat interface or an SSI
interface to the controller. However, these are not evaluated by the safety functions.

In systems with encoders with SINAMICS Safety Integrated (single and 2-encoder systems),
the following encoders are permitted for safe actual value acquisition:
● Encoders with sin/cos 1 Vpp signals
– 1 and 2-encoder systems
– Connected to the SINAMICS SME20/25, SME120/125 and SMC20 Sensor Modules
– The encoders must contain purely analog signal processing and creation. This is
necessary to be able to prevent the A/B track signals with valid levels from becoming
static ("freezing").
● HTL/TTL encoders
– Can only be used for 2-encoder systems. In this case, one encoder must be an HTL/TTL
encoder. The other encoder can be a sin/cos encoder or an HTL/TTL encoder.
– Connected to an SMC30 Sensor Module Cabinet or to the onboard interface of the
CU310‑2, CUA32, SINAMICS HLA or SINAMICS S120 Combi.
– An HTL/TTL encoder connected to the onboard interface of CU310‑2, CUA32,
SINAMICS HLA or SINAMICS S120 Combi must not be operated as first encoder.
– Note the lowest possible velocity resolution (r9732[1]) for an HTL/TTL encoder system.
– When using 2 HTL/TTL encoders, these must be connected to separate power supplies.
● EnDat-2.2 encoder with SMC40
– 1 and 2-encoder systems
● DRIVE-CLiQ encoder
– 1 and 2-encoder systems

Note
Encoders with integrated DRIVE-CLiQ interface
These encoders must be certified at least according to IEC 61800‑5‑2 (SIL2) or ISO 13849‑1
(Performance Level d / Category 3).

A Failure Mode Effects Analysis (FMEA) for securing the encoder on the motor shaft or on the
linear drive must be performed. The result must be that the risk of the encoder mounting
loosening is defined as a fault that can be ruled out (see DIN EN 61800‑5‑2, 2008, Table D.16).
The encoder would no longer correctly map the motion if its mounting were to become loose.
You can implement failsafe detection of slip on the encoder shaft or a broken motor-encoder
shaft by checking the plausibility of the acquired safety-relevant actual value with respect to the
expected setpoint. If the actual value does not lie within a configurable tolerance bandwidth
around the setpoint within a defined time, then it can be assumed that there is either slip - or that
there is a broken connection between the encoder and the motor. You must ensure this
monitoring functionality in the safety user program according to SIL 2 or PL d.
It should be noted that the machine manufacturer has sole responsibility for the fulfillment of the
above-described requirements. Information on the internal realization of the encoder must
come from the encoder manufacturer. The FMEA must be created by the machine
manufacturer.
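
One way to express the plausibility check described above, as an added Python illustration of the logic only; it is not Siemens code, and the function name, the units (milliseconds, position units) and the sample traces are constructed for this example.

```python
from typing import Iterable, Optional, Tuple

# (time in ms, expected setpoint, safety-relevant actual value), all constructed
Sample = Tuple[int, int, int]


def first_plausibility_violation(samples: Iterable[Sample],
                                 tolerance: int,
                                 max_time_ms: int) -> Optional[int]:
    """Return the time at which the actual value has been outside the band
    setpoint +/- tolerance for max_time_ms without interruption, else None."""
    outside_since = None
    for t, setpoint, actual in samples:
        if abs(actual - setpoint) <= tolerance:
            outside_since = None      # back inside the band: restart the timer
            continue
        if outside_since is None:
            outside_since = t         # first sample outside the band
        if t - outside_since >= max_time_ms:
            return t                  # slip or broken encoder connection assumed
    return None


def ramp(actual_of, steps=21, dt_ms=50, units_per_step=5):
    """Constructed trace: the setpoint rises by units_per_step every dt_ms."""
    return [(i * dt_ms, i * units_per_step, actual_of(i * units_per_step))
            for i in range(steps)]


# Constructed traces for the cases the text distinguishes
HEALTHY = ramp(lambda sp: sp - 1)                      # small constant deviation
BROKEN_SHAFT = ramp(lambda sp: min(sp, 20))            # actual value freezes at 20
SLIP = ramp(lambda sp: sp - sp // 10)                  # actual value lags by about 10 %
GLITCH = ramp(lambda sp: sp - 10 if sp == 50 else sp)  # one outlier sample only

if __name__ == "__main__":
    for name, trace in [("healthy", HEALTHY), ("broken shaft", BROKEN_SHAFT),
                        ("slip", SLIP), ("glitch", GLITCH)]:
        hit = first_plausibility_violation(trace, tolerance=2, max_time_ms=100)
        print(f"{name:13s} -> {'no violation' if hit is None else f'violation at {hit} ms'}")
```

The timer restarts whenever the actual value returns to the band, so a single outlier shorter than the defined time does not trip the check.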


Siemens motors with and without DRIVE-CLiQ connection, which can be used for Safety
Integrated Functions, are listed under:
Siemens motors for Safety Integrated (https://support.industry.siemens.com/cs/ww/en/view/33512621)
For these motors, the encoder mounting on the motor shaft can be considered to be safety
relevant, and faults associated with an encoder becoming loose ruled out.

Note
Basic absolute encoders with EnDat interface and additional sin/cos tracks
Basic absolute encoders (e.g. EQI) that offer an EnDat interface with additional sin/cos tracks,
but operate according to an inductive measuring principle internally, are not permitted for
SINAMICS Safety Integrated.

Note
Encoder types for SINAMICS HLA
The following encoder types are permissible for SINAMICS HLA:
● Single-encoder systems
– DRIVE-CLiQ encoder with safety capability
– sin/cos encoder connected via SME20/25, SME120/125 or SMC20 (1 VPP, pure analog
signal processing)
● 2-encoder systems
– Encoders with DRIVE-CLiQ connection
– sin/cos encoder connected via SME20/25, SME120/125 or SMC20 (1 VPP, pure analog
signal processing)
– HTL/TTL encoder connected via SMC30 (not in connection with SINUMERIK)
– TTL encoder connected via the onboard interface of the HLA module (not in connection
with SINUMERIK)


5.2.15.4 Actual value synchronization


[Figure: diagram over time t with the labels: safe actual position value (load side), actual position value CU, actual position value second channel, internal measured value, average of the two actual position values, update points and displayable curve, difference between actual position values, data cross-check cycle]

1) This deviation cannot be larger than the position difference that can arise at maximum slip (p9549)
during a cross-check cycle (r9724).
Figure 5-25 Example diagram of actual value synchronization

The mean value of the actual values of both channels is calculated cyclically after actual value
synchronization (p9501.3 = 1) has been activated, for example, for systems or machines with
slip. The maximum slip defined in p9549 is monitored in the cross-check cycle (r9724).
If "Actual value synchronization" is not enabled, the value parameterized in p9542 is used as
tolerance value for the cross-checking.

5.2.15.5 Safe motion monitoring


The properties of the actual value acquisition determine not only the encoders used, but also
the values for safe motion monitoring that can be achieved in the best case.
● Safe maximum speed (r9730)
The maximum speed (load side) that is permissible due to the acquisition of actual values
for safe motion monitoring functions is indicated in r9730. This parameter shows the load
velocity up to which the safety-relevant encoder actual values (redundant coarse encoder
position) can still be correctly sensed as a result of the particular encoder parameterization.
The actual value acquisition clock (p9511) determines the frequency at which the actual
values are acquired. The longer the clock cycle, the higher the "safe maximum velocity." On
the other hand, a longer actual value acquisition clock cycle places a greater load on the
Control Unit. You must consider this circumstance when setting the optimum for your
application.
For SINAMICS S120M, only the values 2 and 0 ms are allowed for the actual value
acquisition cycle clock (p9511). In both cases, the frequency converter calculates with an
actual value acquisition cycle clock of 2 ms regardless of the PROFIBUS DP/PN cycle clock.
● Safe positioning accuracy (r9731)
This positioning accuracy can be achieved in the best case by acquiring the actual values.
If a 2-encoder system is used, the accuracy of the poorer encoder is indicated based on the
number of encoder pulses.


Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501.3 SI Motion enable safety-related functions Enable actual value synchronization
● p9502 SI Motion axis type (Control Unit)
● p9511 SI Motion actual value acquisition clock (Control Unit)
● p9515 SI Motion encoder coarse position value configuration (Control Unit)
● p9516 SI Motion encoder configuration safety functions (Control Unit)
● p9517 SI Motion linear encoder grid division (Control Unit)
● p9518 SI Motion encoder pulses per revolution (Control Unit)
● p9519 SI Motion fine resolution G1_XIST1 (Control Unit)
● p9520 SI Motion leadscrew pitch (Control Unit)
● p9521[0...7] SI Motion gearbox encoder (motor)/load denominator (Control Unit)
● p9522[0...7] SI Motion gearbox encoder (motor)/load numerator (Control Unit)
● p9523 SI Motion redundant coarse position value valid bits (Control Unit)
● p9524 SI Motion redundant coarse position value fine resolution bits (CU)
● p9525 SI Motion redundant coarse position value relevant bits (CU)
● p9526 SI Motion encoder assignment second channel
● p9542 SI Motion actual value comparison tolerance (crosswise) (Control Unit)
● p9549 SI Motion slip velocity tolerance (Control Unit)
● p9700 SI Motion copy function
● r9713[0...5] CO: SI Motion diagnostics actual position value load side
● r9714[0...2] CO: SI Motion diagnostics velocity
● r9724 SI Motion, cross-check cycle
● r9730 SI Motion safe maximum speed
● r9731 SI Motion safe positioning accuracy
● r9732[0...1] SI Motion velocity resolution

5.2.16 Safe actual value sensing without encoder

Parameters p9585, p9586, p9588 and p9589 are available to guarantee safe motion
monitoring for Safety Extended Functions without encoder depending on the situation in your
specific application. In most cases, you can work with the default values.


5.2.16.1 Evaluation delay time without encoder


If the actual value acquisition is not yet operating correctly during the start phase, the
converter outputs messages; however, these do not indicate a safety problem. To avoid these
messages, increase the value of the parameter "Delay time of the evaluation encoderless"
(p9586). Determine the "Evaluation delay time without encoder" (p9586) as follows:
● To determine the minimum delay time of p9586, record the starting behavior of the drive
system (with motor and the intended load). The trace function allows the value for p9586 to
be determined.
● In order to avoid fault responses, deselect the "SDI without encoder" and "SLS without
encoder" functions.
● Activate the trace function using the "OFF2 → inactive" trigger, and the following as the
signals to be recorded: At least one motor current phase and OFF2. After the ON command,
record this motor phase current until Irated is reached. Enter the time required to reach Imin (+
10% reserve) in p9586.
● Run through the application-specific startup characteristics of the drive. Establish from
the trace recording the time after which the peak current of the induction or reluctance
motor or the pulse pattern of the rotor position identification finishes, and the current
exceeds the "Minimum current actual value acquisition without encoder" (p9588).
● Enter the measured time + approx. 10 % into p9586.
● Activate the "SDI without encoder" and "SLS without encoder" functions. Restart the
machine, and keep the trace function activated.
● Messages must now no longer be output.
● Alternatively, you can change the value of p9586 in small steps and then monitor the system
response. You have found a suitable value if unnecessary messages/signals no longer
occur.

5.2.16.2 Fault tolerance actual value acquisition without encoder


Using parameter Fault tolerance actual value acquisition encoderless (p9585), you can set the
tolerance of the plausibility monitoring of current and voltage angle.
● For synchronous motors, p9585 = 4 must be parameterized.
● Reducing this value can have a negative impact on the actual value acquisition and the
plausibility check.
● Increasing the value results in a longer evaluation delay.
● For devices in the chassis format, Safety Integrated without encoder can be used with
induction motors up to a maximum of 1000 kW: For very large motors, it may be necessary
to increase the value in parameter p9585. For chassis format devices, parameter p9585 is
preassigned a value of "2".
● For the factory setting (= -1), for synchronous motors, the calculation automatically uses the
value 4, for asynchronous or reluctance motors, the value 0.
● The diagnostics parameter r9786[0...2] shows you the values of the plausibility angle,
voltage angle and current angle currently measured by the converter. These values allow
you to optimize what you enter into p9585.


5.2.16.3 Voltage tolerance acceleration


● The field Voltage tolerance acceleration (p9589) is used to suppress acceleration peaks. An
increase in this percentage value means that voltage peaks must have a greater amplitude
during acceleration to avoid influencing the actual value acquisition.
Note
Settings for reluctance motors
When operating a reluctance motor, the controller settings selected are usually more
dynamic. If in this case - for a factory setting of p9589 - the drive issues message C01711
with fault value 1043, then you can apply the following remedy:
● Increase p9589.
Experience has shown that a value between 500 % and 1000 % provides robust
behavior in this case.

● Set the value of voltage tolerance acceleration (p9589) as follows:


– The diagnostics parameter r9784[0...1] shows the parameterized and the actual
measured acceleration value. These values allow you to optimize what you enter into
p9589.
– Record the following parameters with the trace function in the current controller cycle:
- r9784[0]: Target acceleration value
- r9784[1]: Actual acceleration value
- r9714[0]: load side actual velocity value on the Control Unit
- r0063: Actual speed value
– Accelerate the motor, if possible until it reaches the rated speed.
– Check whether r9714[0] and r0063 match in the range 0 … rated speed.
– Set p9589 such that r9784[1] touches r9784[0] a maximum of twice per second in the
range 0 … rated speed.
- If message C01711 with fault value 1043 occurs, you have to increase p9589.
- The value must be decreased if acceleration has resulted in an excessive safety actual
speed.
– Check once again whether r9714[0] and r0063 match in the range 0 … rated speed.

5.2.16.4 Checking the settings


If you change one of the following parameters, you have to check and set the encoderless
actual value acquisition once again:
● PROFIdrive isochronous mode asynchronous participation:
p2049 = 1
● Current controller sampling time for servo control:
p0115[0] = 187.5 µs, 150 µs, 100 µs, 93.75 µs, 75 µs, 50.0 µs or 37.5 µs
● Current controller sampling time for vector control:
p0115[0] = 375 µs, 312.5 µs, 218.75 µs, 200 µs, 187.5 µs, 175 µs, 156.25 µs, 150 µs or
137.5 µs


5.2.16.5 Overview of important parameters

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9585 SI Motion actual value acquisition without encoder fault tolerance (CU)
● p9586 SI Motion actual value acquisition without encoder delay time (CU)
● p9587 SI Motion actual value acquisition without encoder filter time (CU)
● p9588 SI Motion actual value acquisition without encoder minimum current (CU)
● p9589 SI Motion actual value acquisition without encoder acceleration limit (CU)
● p9700 SI Motion copy function
● r9732[0...1] SI Motion velocity resolution

5.2.17 Safe gearbox switchover

"Safe gearbox switchover" allows you to switch between 8 gearbox ratios in operation.
Switchover between gearbox ratios is only possible via PROFIsafe (p9601.3 = 1).

Parameterizing "Safe gearbox switchover"


Before you can use "Safe gearbox switchover", you must parameterize the following values:
● Gear ratios
You can set up to 8 different gearbox ratios using parameter p9521 (denominator) and
p9522 (numerator).
● Direction of rotation reversal
Using parameter p9539, you can set whether a direction of rotation reversal is involved
for the particular gearbox.
● Position tolerance
As a result of the motion that can possibly occur when switching over the gearbox, it may be
necessary to increase the tolerance threshold for the duration of the switchover operation.
Using parameter p9539, you set how the tolerance is calculated when switching over the
gearbox:
– Without actual value synchronization: p9542 · p9543
– With actual value synchronization: p9549 · p9543


Selection
Proceed as follows to enable the "Safe gearbox switchover" function:
1. Set p9501.26 = 1
– If control via PROFIsafe is not parameterized, then the converter outputs fault F01681
with the appropriate fault value.
– If you activate the "Safe gearbox switchover" function on a converter, which does not
support the function, then the converter outputs fault F01682 with fault value 39.
2. Switch off the drive unit and then on again (POWER ON).

Diagnostics
The selected gearbox stage is displayed for diagnostic purposes in parameter r9720, bits 24 to
26.
The selected gearbox stage is displayed for diagnostic purposes in parameter r9720, bit 27.

"Safe gearbox switchover" and referencing


The gearbox stage switchover means that the reference position and the user agreement are
lost. This means that after a gearbox switchover, initial referencing is required, to return to the
"safely referenced" state (see Chapter "General (Page 192)").


5.2.17.1 Gearbox switchover without increased position tolerance


In order to switch over the gearbox stage, where no increased tolerance is required for the
crosswise comparison of the actual positions, proceed as follows:
1. Set the new gearbox stage using bits 0 to 2 in byte 3 of S_STW2.
2. The actual values are then synchronized once automatically. This synchronization is used
to compensate any possible difference that occurs between the position actual values of the
two monitoring channels as a result of the switchover operation.
The new gearbox stage is then active.

[Figure: timing diagram over time t with the labels: position tolerance (increased / standard), PROFIsafe S_STW2, gearbox stage change (byte, bit), Safety Motion Monitoring, single actual value synchronization, conversion to the load side with new gearbox factors, safely referenced]
Figure 5-26 Gearbox switchover from stage "0" to "1" without increased position tolerance

5.2.17.2 Gearbox switchover with increased position tolerance


In order to switch over the gearbox stage, where increased tolerance is required for the
crosswise comparison of the actual positions, proceed as follows:

Note
Maximum duration of the increased position tolerance
It is not permissible that the increased position tolerance is set for longer than 2 min. If this time
is exceeded, the converter outputs message C01711 with fault value 1015 (≙ STOP F).


1. Set the increased position tolerance using bit 3 (= 1) in byte 3 of S_STW2.
2. Set the new gearbox stage using bits 0 to 2 in byte 3 of S_STW2.
3. Set the position tolerance back to the normal value using bit 3 (= 0) in byte 3 of S_STW2.
4. The actual values are then synchronized once automatically. This synchronization is used
to compensate any possible difference that occurs between the position actual values of the
two monitoring channels as a result of the switchover operation.
The new gearbox stage is then active.

[Figure: timing diagram over time t with the labels: position tolerance (increased / standard), PROFIsafe S_STW2, gearbox stage change (byte, bit), gearbox stage (byte, bit), Safety Motion Monitoring, single actual value synchronization, conversion to the load side with new gearbox factors, safely referenced]
Figure 5-27 Gearbox switchover with increased position tolerance
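
The two switchover sequences above (5.2.17.1 and 5.2.17.2), as an added example that is not part of the manual: a Python check that decodes a recorded series of S_STW2 byte 3 values, lists each gearbox stage change, and flags an increased position tolerance that stays set longer than 2 min. The recording is constructed, and treating bit 0 as the least significant bit of byte 3 is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

STAGE_MASK = 0b0000_0111     # bits 0 to 2 of byte 3: gearbox stage (0..7)
TOLERANCE_BIT = 0b0000_1000  # bit 3 of byte 3: increased position tolerance
MAX_TOLERANCE_S = 120        # increased tolerance must not be set longer than 2 min


@dataclass(frozen=True)
class Switchover:
    t: float                   # time of the stage change in seconds
    old_stage: int
    new_stage: int
    increased_tolerance: bool  # True: sequence of 5.2.17.2, False: 5.2.17.1
    # After every switchover the drive has to be referenced again.


def encode_byte3(stage: int, increased_tolerance: bool = False) -> int:
    if not 0 <= stage <= 7:
        raise ValueError("only 8 gearbox stages (0..7) fit into bits 0 to 2")
    return stage | (TOLERANCE_BIT if increased_tolerance else 0)


def decode_byte3(value: int) -> Tuple[int, bool]:
    return value & STAGE_MASK, bool(value & TOLERANCE_BIT)


def stage_from_r9720(r9720: int) -> int:
    """Selected gearbox stage as displayed in r9720, bits 24 to 26."""
    return (r9720 >> 24) & 0b111


def audit(samples: Iterable[Tuple[float, int]],
          end_of_record: Optional[float] = None) -> Tuple[List[Switchover], List[str]]:
    """samples: (time in s, byte 3 value), one entry per change, sorted by time."""
    switchovers: List[Switchover] = []
    findings: List[str] = []
    prev_stage = None
    tol_since = None       # time at which bit 3 was set, None while it is 0
    reported = False

    def check(now: float) -> None:
        nonlocal reported
        held = now - tol_since
        if held > MAX_TOLERANCE_S and not reported:
            findings.append(
                f"t={now:g} s: increased position tolerance set for {held:g} s "
                f"(limit {MAX_TOLERANCE_S} s); the manual names message C01711 "
                f"with fault value 1015 (STOP F) for this case")
            reported = True

    for t, value in samples:
        stage, tol = decode_byte3(value)
        if tol and tol_since is None:
            tol_since, reported = t, False
        if tol_since is not None:
            check(t)
            if not tol:
                tol_since = None
        if prev_stage is not None and stage != prev_stage:
            switchovers.append(Switchover(t, prev_stage, stage, tol))
        prev_stage = stage
    if tol_since is not None and end_of_record is not None:
        check(end_of_record)   # bit 3 still set when the recording ends
    return switchovers, findings


# Constructed recording of byte 3 of S_STW2 (time in s, value)
SAMPLES = [
    (0.0, encode_byte3(0)),
    (10.0, encode_byte3(0, True)),    # 5.2.17.2 step 1: tolerance on
    (10.5, encode_byte3(1, True)),    # step 2: new stage 1
    (11.0, encode_byte3(1)),          # step 3: tolerance off
    (50.0, encode_byte3(2)),          # 5.2.17.1: stage 2 without increased tolerance
    (60.0, encode_byte3(2, True)),    # tolerance on ...
    (200.0, encode_byte3(3, True)),   # ... and still on 140 s later
    (201.0, encode_byte3(3)),
]

if __name__ == "__main__":
    changes, problems = audit(SAMPLES)
    for c in changes:
        print(c)
    for p in problems:
        print("FINDING:", p)
```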


5.2.17.3 Overview of important parameters

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501.26 SI Motion enable safety functions (Control Unit): Enable reliable gearbox
switchover
● p9521[0...7] SI Motion gearbox encoder (motor)/load denominator (Control Unit)
● p9522[0...7] SI Motion gearbox encoder (motor)/load numerator (Control Unit)
● p9539[0...7] SI Motion gearbox direction of rotation reversal (Control Unit)
● p9542 SI Motion actual value comparison tolerance (cross-check) (Control Unit)
● p9543 SI Motion gearbox switching position tolerance factor (CU)
● p9549 SI Motion slip velocity tolerance (Control Unit)
● r9720.0...27 CO/BO: SI Motion drive-integrated control signals

5.2.18 Forced checking procedure (test stop)

5.2.18.1 General
The functions and switch-off signal paths must be tested at least once within a defined period
to establish whether they are working properly in order to meet the requirements of EN ISO
13849-1 and IEC 61508 in terms of timely error detection.
The maximum permissible interval for the forced checking procedure (test stop) for Basic and
Extended/Advanced Functions is 8760 hours; i.e. the forced checking procedure (test stop)
must be performed at least once per year.
This functionality must be implemented by initiating forced checking procedure (test stop)
cyclically either manually or as part of an automated process.
The test stop cycle is monitored. When the parameterized timer expires (also after POWER
ON / warm restart), alarm A01697: "SI Motion: Test of motion monitoring required" is generated
and a status bit is set which can be transferred to an output or to a PZD bit via BICO. This alarm
does not affect machine operation.

See also
Forced checking procedure (test stop) of the CU310-2 (Page 308)
Forced checking procedure (test stop) of the TM54F (Page 314)


5.2.18.2 Performing a forced checking procedure (test stop)


Forced checking procedure (test stop) can be executed at the following points in time:
1. Forced checking procedure (test stop) can be initiated application-specifically and can
therefore be executed at a time that suits application requirements.
This functionality is implemented by means of a single-channel parameter p9705, which can
be wired via BICO either to an input terminal on the drive unit (Control Unit) - or to a bit of any
arbitrary PZD.
In addition, it is possible to select the test stop via the Safety Control Channel (see Chapter
"Safety Control Channel (SCC) (Page 257)").
– p9559 SI Motion Forced checking procedure timer (Control Unit)
– p9705 BI: SI Motion test stop signal source
– r9723.0 CO/BO: SI Motion diagnostics signals integrated in the drive
If the test stop is executed as described, the action does not require a POWER ON. The
acknowledgment is set by canceling the test stop request.
2. Forced checking procedure (test stop) can be automatically executed at POWER ON.
– To perform an automatic test stop of the Safety Integrated Extended/Advanced
Functions as well as an automatic test of the F‑DO for the CU310-2, set p9507.6 = 1.
When testing the F-DO of the CU310-2, you must parameterize p10042 and activate the
test in p10046.
Note
Automatic forced checking procedure (test stop) and SBT
Automatic forced checking procedure (test stop) of the Safety Integrated Extended/
Advanced Functions is possible together with the "Brake test for test stop selection"
function (p10203 = 2).

– To perform automatic forced checking procedure (test stop) of the F‑DI and F‑DO of the
TM54F, set p10048 = 1.
– Even if you have parameterized forced checking procedure (test stop) for POWER ON,
you can still initiate a test stop at any time through the application.
– If the automatically initiated function cannot be correctly completed as a result of a
problem (e.g. communication failure), the function will be automatically restarted after
the problem has been resolved.
– After the forced checking procedure (test stop) has been performed successfully, the
converter goes into the "Ready" state.
– Timer p9559 is reset as a result of the automatic forced checking procedure (test stop).
– The automatic forced checking procedure (test stop) for POWER ON does not influence
the Safety Integrated Functions.
In all cases, the scope of forced checking procedure (test stop) function is identical.


5.2.18.3 Safety devices


When the appropriate safety devices are implemented (e.g. protective doors), it can be
assumed that running machinery will not pose any risk to personnel. The user is therefore only
informed that the forced checking procedure (test stop) is due in the form of an alarm, which
requests the user to perform forced checking procedure (test stop) at the next possible
opportunity.
Examples of when the forced checking procedure (test stop) must be performed:
● When the drives are at a standstill after the system has been switched on (POWER ON).
● Before the protective door is opened.
● At defined intervals (e.g. every 8 hours).
● In automatic mode (time and event dependent).

Note
Preconditions
STO is triggered when a test stop is carried out for the Safety functions. It is not permissible that
STO is selected before selecting the test stop.
When blocksize Power Modules are used, the test stop must be triggered under controlled
standstill conditions (speed setpoint setting of 0, current is flowing through the motor).

5.2.18.4 Forced checking procedure (test stop) F-DI/F-DO of TM54F


An automatic test stop function is available for the forced checking procedure (test stop) to test
the F-DI/F-DO.
To ensure that the test stop function of the TM54F can be used, the F-DIs that are used must
be interconnected according to the following wiring example. The digital inputs of F-DI 0 to
F-DI 4 must be connected to the "L1+" power supply. The digital inputs of F-DI 5 to F-DI 9 must
be connected to the "L2+" power supply.


Connection example for TM54F

[Figure: wiring diagram of the Terminal Module TM54F with the labels: electronics power supply, DRIVE-CLiQ sockets, F-DI and DI terminals, F-DO and DO terminals; a footnote in the figure states that the inversion can be parameterized]
Figure 5-28 Connection example for TM54F


Details on F-DIs and F-DOs


● The F-DIs must be registered for the test stop using p10041.
Note
F-DI not operational during the test
The F-DI states are frozen for the duration of the test!
● Ensure that the states of the F-DIs are not evaluated during the test.

● The associated F-DOs must be registered for the test stop using p10046.
Note
F-DOs during the time period of the test stop
F-DOs, which are not registered for evaluation using p10046, are set to "0" for the duration
of the test stop ("failsafe values").
Maximum test stop time period is: T_Test stop = T_FDIs + T_FDOs
● Testing F-DIs: T_FDIs = 3 · r10015 + 3 · X ms
(X = 20 ms or r10015 or p10017 - the greatest time value of the 3 values determines the
waiting time X)
● Test of the F-DOs: T_FDOs = 8 · r10015 + 6 · Y ms
(Y = p10001 or r10015 or p10017 - the longest time of the 3 values determines the wait
time Y)
The Safety Integrated Functions of the TM54F are executed in the sampling time displayed
in r10015. This sampling time corresponds to the lowest value of the communication
sampling time entered in p10000[0..5].

Note
Manual dynamization required for specific F-DIs or F-DOs
It is possible that this test stop function cannot be used for certain F-DIs or F-DOs because of
the devices that are connected.
● Ensure dynamic operation of the affected F-DIs/F-DOs by other means, e.g. switch
operation or triggering certain machine functions.


Performing a forced checking procedure (test stop)


● The test stop should be executed at a suitable point in time. This is the reason that it must
be initiated by the application or carried out at POWER ON. This functionality is
implemented using parameter p10007, which can be wired via BICO either to an input
terminal on the drive unit (CU), or to a bit of any arbitrary PZD.
● Forced checking procedure (test stop) can be automatically executed at POWER ON.
– If an automatic test stop of F‑DI and F‑DO of the TM54F is to be executed, then set
p10048 = 1.
– Even if you have parameterized the test stop for POWER ON, you can still initiate a test
stop at any time through the application.
– If the automatically initiated function cannot be correctly completed as a result of a
problem (e.g. communication failure), then after the problem has been resolved, the
function is automatically restarted.
– After forced checking procedure (test stop) has been successfully executed, the TM54F
goes into the "Ready" state.
– Timer p9559 is reset as a result of the automatic forced checking procedure (test stop).
– The automatic test stop for POWER ON does not influence the Safety Integrated
Functions.
The test stop cycle is monitored. When the parameterized timer expires (also after POWER
ON / warm restart), alarm A35014: "TM54F: Test stop required" is output.

● p10001 SI wait time for test stop at F-DO 0 ... 3
● p10003 SI Motion forced checking procedure timer
● p10007 BI: SI Motion forced checking procedure F-DO signal source
● p10041 SI TM54F F-DI enable for test
● p10046 SI Motion F-DO feedback signal input activation
Forced checking procedure (test stop) does not require a POWER ON, but it can be
automatically performed at POWER ON: The acknowledgment is set by canceling the test stop
request.

Note
Forced checking procedure (test stop) of the CU310-2
The description applies analogously to forced checking procedure (test stop) of the F-DO on
the CU310-2. You will find more instructions for carrying out test stops in Chapter "Forced
checking procedure (test stop) of the CU310-2 (Page 308)".

Note
Manual checking of F-DIs and/or F-DOs
If there are F-DIs and/or F-DOs that you do not wish to have checked automatically, or that
cannot be checked automatically (e.g. F‑DIs of the CU310-2), the correct function of the
connected sensor/actuator and its response should be checked at suitable intervals by
actuating it.


More information
Additional instructions for performing the test stops are provided in Chapters:
● Forced checking procedure (test stop) of the TM54F (Page 314)
● Forced checking procedure (test stop) of the CU310-2 (Page 308)


5.3 Safety Integrated Advanced Functions

5.3.1 Note regarding PFH values

Note
PFH values
The PFH values of the individual SINAMICS S120 safety components can be found at:
PFH values (https://support.industry.siemens.com/cs/ww/en/view/76254308)

5.3.2 License for Extended Functions or Advanced Functions


● One license is required for each axis that is operated with Safety Integrated Extended or
Advanced Functions. You enter the associated license key with the "License Key" button in
Startdrive. Then activate the license key via "Activate".
As an alternative, you can enter the license key into parameter p9920 in the ASCII code. The
license key is activated using parameter p9921 = 1.
● For information on how to generate the license key for the product "SINAMICS Safety
Integrated Extended Functions" or "SINAMICS Safety Integrated Advanced Functions"
read the section "Licensing" in the SINAMICS S120 Function Manual. An insufficient license
is indicated via the following fault and LED:
– F13000 → licensing not sufficient
– LED RDY → flashes red with 2 Hz
● When purchasing your drive, you can already decide to use Safety Integrated Functions,
and you will then be provided with the required license(s) on the memory card supplied. In
this case, you do not have to explicitly activate the licenses.
● A trial license is available for test purposes; this allows you to use Safety Integrated
functions for a specific time without having a valid license.
Details on the trial license can be found in the "SINAMICS S120 Function Manual Drive
Functions", Chapter "Licensing".

5.3.3 Safely-Limited Position (SLP)

The Safely-Limited Position function (SLP) is used to safely monitor the limits of two traversing
or positioning ranges which can be switched over by a safe signal.

Preconditions
For the Safely-Limited Position function, the following requirements must be met:
● The use of one or two suitable encoders for the extended safety functions with encoder (see
also Chapter "Reliable actual value acquisition with encoder system (Page 160)").
● Determining the absolute position of the drive by referencing during commissioning and
after all actions after which a safe absolute reference can no longer be guaranteed (POWER
ON, parking)
A description of safe referencing is provided in Chapter "General (Page 192)".

Principle of operation
As soon as SLP is active, maintaining the limits of the active positioning range is safely
monitored. With a safety signal you can switch between 2 position ranges. Each position range
is limited by its previously defined limit switch pair. When passing the position of one of the two
limit switches, a parameterizable stop response (STOP A, STOP B, STOP C, STOP D or
STOP E) is triggered and safety message C01715 is output.
To acknowledge this fault, you can either switch over to a range whose limits have not been
violated, or you can deselect the SLP function. After acknowledgment, the drive can then be
traversed again in the permissible range.
Traversing in the permissible range can be realized in a safety-related fashion using the
"Retract" function (available for TM54F) (see Chapter "Retraction (Page 185)").

Features
● Selection via safe terminals (TM54F or onboard F-DI) or PROFIsafe
● Definition of the position range using 2 limit switch pairs (p9534 and p9535)
● Safe switchover between 2 different position ranges (not available for PROFIsafe telegram
30)
● Adjustable stop response (p9562)

Enabling the Safely-Limited Position function


● The "Safely-Limited Position" function is enabled with p9501.1 = 1.
● After enabling the function, perform a POWER ON of the converter.

Note
No actual value synchronization for SLP
It is not permissible to simultaneously enable the SLP function and the actual value
synchronization (p9501.3 = 1). In this case, the drive outputs fault F01688.

Control and status signals from the SLP


Selecting SLP and switching over between the position ranges is realized via an F-DI or a
PROFIsafe control bit. SLP selection can be checked using parameter r9720.6. The selected
position range can be checked using parameter r9720.19. Status bit r9722.6 is set if SLP is
active. The active position range is displayed by r9722.19. Maintaining the upper or lower active
SLP limit can be checked using r9722.30 and r9722.31.

Note
Jumps in the display
There is no hysteresis available for r9722.30 and r9722.31. Small fluctuations in the area
around the range limit can result in the display jumping back and forth.

5.3.3.1 Controlling the Safely-Limited Position function

Controlling SLP
You have 2 options to select/deselect the Safely-Limited Position function and to switch over
the range limits:

PROFIsafe
● SLP is selected/deselected using control words S_STW1.6 or S_STW2.6.
● Switchover between the two limit switch pairs using control word S_STW2.19.
● S_ZSW2.23 indicates whether the actual position is "safe"; for instance, the bit is only set
after the axis was "safely referenced".
● Whether SLP is active is indicated in bit 6 of the status words S_ZSW1.6 or S_ZSW2.6. The
bit is not set until SLP is selected and the axis is in the "safely referenced" state.
● Which SLP limit switch pair is active is indicated in status word S_ZSW2.19. This indication
is only valid if SLP is itself active.
● S_ZSW2.30 and S_ZSW2.31 indicate whether the upper or lower limit of the active position
range is maintained.

Note
Extended Functions via PROFIsafe
The status signal "SLP active" (S_ZSW1.6 or S_ZSW2.6) is not the same as the diagnostic
signal "SLP active" (r9722.6), but is the AND logic operation of "SLP active" (r9722.6) and
"safely referenced" (r9722.23).
The other SLP status signals S_ZSW2.19 "SLP active position range", S_ZSW2.30 "upper SLP
limit maintained" and S_ZSW2.31 "lower SLP limit maintained" match the corresponding bits in
r9722.

Note
Restrictions for PROFIsafe telegram 30
The use of PROFIsafe telegram 30 (with the 16-bit words S_STW1 and S_ZSW1) has the
following restrictions:
● Only position range 1 is available.
● A switchover to position range 2 is not possible.
● The status feedback signals "safely referenced", "active position range", "upper SLP limit
maintained" and "lower SLP limit maintained" are not available.

F-DI
The function can be selected via the F-DI of the TM54F or via onboard F-DI (CU310-2):
● Parameter p10032 is used to predefine the terminal for the SLP selection.
● The terminals to select the SLP position range are defined in parameter p10033.
● The status signal "SLP active" can be used directly as signal source, or linked via the safe
state signal (p10039) with an F-DO (p10042).

Note
Extended Functions via TM54F or onboard terminals
The safe status signal "SLP active" is not the same as the diagnostic signal "SLP active"
(r9722.6), but is the AND logic operation of "SLP active" (r9722.6) and "safely referenced"
(r9722.23).
On the other hand, the status signal "Active SLP area" corresponds to the signal "SLP active
position range" (r9722.19).

Note
Response to bus failure
If p9580 ≠ 0 and SLP is active, in the event of communication failure the parameterized ESR
reaction is only realized if, as an SLP response, a STOP with delayed pulse suppression when
the bus fails has been parameterized (p9562[0...1] ≥ 10).

5.3.3.2 Retraction
After a limit of the active traversing range has been exceeded, the drive must be brought back
to the permissible range. A safety acknowledgment would, in this case, only retrigger the safety
messages; the drive would be prevented from moving. If a switchover to the other traversing
range does not come into question, then the only thing that remains is to deselect SLP.
However, this would have the disadvantage that it is not monitored as to whether the drive is
moving in the direction of the permissible traversing range.
Therefore, it is recommended that a retract function is implemented as follows:

Safety commissioning
1. Completely parameterize SLP.
2. Completely parameterize SDI.
3. Perform an acceptance test for both functions.
The next steps differ depending on the control type.

Control via PROFIsafe


● Implement a user program in your F-CPU with the following steps to implement a retract
function:
– Select SDI positive in the case that the lower SLP limit is violated, or SDI negative if the
upper SLP limit is violated
– Wait until the selected SDI is active, then deselect SLP
– Safe acknowledgment of the limit violation
– Movement of the drive with suitable setpoint inputs into the range that has been enabled
– Select SLP
– Wait until SLP is active, then deselect SDI
● Proceed as follows for an SLP limit violation:
– Activate this program for retraction, for example, using an F‑DI of the F-CPU

Note
FAQ retraction
You will find a description of how retraction can be implemented via a fail-safe control and
PROFIsafe communication in the Internet at:
Retraction (https://support.industry.siemens.com/cs/ww/en/view/65128501)
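
The PROFIsafe retraction sequence above, written out as a small step sequencer. This is an added example, not code from the manual or from the linked FAQ; it is a Python model of the ordering, not an F-CPU program. The field names, the one-cycle acknowledgment pulse and the rule that the operator ends retraction by dropping the request are assumptions of the example.

```python
from dataclasses import dataclass, replace
from enum import Enum, auto


class Step(Enum):
    IDLE = auto()         # SLP selected, no retraction running
    WAIT_SDI = auto()     # SDI selected, waiting until it is active
    ACKNOWLEDGE = auto()  # SLP deselected, waiting to acknowledge safely
    MOVE = auto()         # axis is traversed back under SDI monitoring
    WAIT_SLP = auto()     # SLP selected again, waiting until it is active


@dataclass
class Status:
    """Feedback from the drive in one cycle (field names are hypothetical)."""
    slp_active: bool
    upper_ok: bool        # "upper SLP limit maintained"
    lower_ok: bool        # "lower SLP limit maintained"
    sdi_pos_active: bool = False
    sdi_neg_active: bool = False


@dataclass
class Command:
    """Requests to the drive in one cycle (field names are hypothetical)."""
    select_slp: bool = True
    select_sdi_pos: bool = False
    select_sdi_neg: bool = False
    acknowledge: bool = False

    def monitored(self) -> bool:
        # At least one position or direction monitoring function is requested.
        return self.select_slp or self.select_sdi_pos or self.select_sdi_neg


class RetractSequencer:
    def __init__(self) -> None:
        self.step = Step.IDLE
        self.cmd = Command()

    def cycle(self, retract: bool, st: Status) -> Command:
        c = self.cmd
        c.acknowledge = False                   # acknowledgment is a one-cycle pulse
        if self.step is Step.IDLE:
            if retract and not (st.upper_ok and st.lower_ok):
                # Lower limit violated: allow only the positive direction.
                # Upper limit violated: allow only the negative direction.
                c.select_sdi_pos = not st.lower_ok
                c.select_sdi_neg = st.lower_ok
                self.step = Step.WAIT_SDI
        elif self.step is Step.WAIT_SDI:
            active = st.sdi_pos_active if c.select_sdi_pos else st.sdi_neg_active
            if active:                          # SDI monitors before SLP is dropped
                c.select_slp = False
                self.step = Step.ACKNOWLEDGE
        elif self.step is Step.ACKNOWLEDGE:
            if not st.slp_active:               # acknowledging earlier only retriggers
                c.acknowledge = True
                self.step = Step.MOVE
        elif self.step is Step.MOVE:
            if not retract:                     # assumption: operator ends retraction
                c.select_slp = True
                self.step = Step.WAIT_SLP
        elif self.step is Step.WAIT_SLP:
            if st.slp_active:                   # SLP monitors before SDI is dropped
                c.select_sdi_pos = c.select_sdi_neg = False
                self.step = Step.IDLE
        return replace(c)                       # copy for the caller's log


def run_trace(trace):
    """Feed (retract, Status) pairs through a fresh sequencer."""
    seq = RetractSequencer()
    commands = [seq.cycle(retract, st) for retract, st in trace]
    return seq.step, commands


# Constructed feedback for a violated upper limit (not recorded from a drive).
UPPER_VIOLATION_TRACE = [
    (False, Status(True, False, True)),
    (True,  Status(True, False, True)),
    (True,  Status(True, False, True)),                       # SDI not active yet
    (True,  Status(True, False, True, sdi_neg_active=True)),
    (True,  Status(True, False, True, sdi_neg_active=True)),  # SLP still active
    (True,  Status(False, False, True, sdi_neg_active=True)),
    (True,  Status(False, True, True, sdi_neg_active=True)),  # back in range
    (False, Status(False, True, True, sdi_neg_active=True)),
    (False, Status(False, True, True, sdi_neg_active=True)),  # SLP not active yet
    (False, Status(True, True, True, sdi_neg_active=True)),
]
```

Because each function is deselected only after the other one reports active, every command in the trace keeps either SLP or an SDI direction selected.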

Control via F‑DI (TM54F or onboard terminals)


1. Using parameter p10009, parameterize an F-DI, with which you can select/deselect the
internal retract logic function.
2. Parameterize two F-DIs for the selection/deselection of the SDI positive and SDI negative
functions in an independent acceptance test.
3. Proceed as follows for an SLP limit violation:
– Switch the signal at the F-DI "retract" from 0 to 1 (the signal edge is evaluated). The
retract function is active at all drives that are safely referenced and where a limit
value is presently violated. When the retract function is active, SLP is inactive and,
depending on which limit has been violated, either SDI positive or SDI negative is
selected.
– Safe acknowledgment of the limit violation
– Move the drive into the range that has been enabled using the appropriate setpoint
inputs.
– Switch the signal at the F-DI "retract" from 1 to 0 (the signal edge is evaluated): As a
consequence, SDI is again deselected and SLP is active again.
Figure 5-29 Time behavior of SLP and retraction
[Timing diagram. Operator actions: retraction mode activated, deselect SLP, select SDI negative, acknowledge safely, retraction, select SLP, deselect SDI negative. Position trace against the upper SLP limit value and the lower SLP limit value, with regions marked "blocked by SLP" and "blocked by SDI negative". Diagnostics signals over time t: SLP active, safely referenced, SDI negative active, SLP upper limit maintained. Legend: stop response triggered; traverse the motor in the permitted range.]

5.3.3.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2822 SI functions - SLP (Safely-Limited Position)


● 2840 SI functions - SI Motion drive-integrated control signals/status signals
● 2893 SI TM54F - Failsafe digital inputs (F-DI 0 ... F-DI 4)
● 2894 SI TM54F - Failsafe digital inputs (F-DI 5 ... F-DI 9)
● 2895 SI TM54F - Failsafe digital outputs (F-DO 0 ... 3),
digital inputs (DI 20 ... 23)
● 2905 SI TM54F - control interface (p9601.2 = 1 & p9601.3 = 0)
● 2906 SI TM54F - safe state selection
● 2907 SI TM54F assignment (F-DO0 ... F-DO3)
● 2870 SI functions - CU310-2 (F-DI 0 ... F-DI 2)
● 2873 SI functions CU310-2 failsafe digital output (F-DO 0)
● 2875 SI functions - CU310-2 control interface
● 2876 SI functions - CU310-2 safe state selection
● 2877 SI functions, CU310-2 assignment (F-DO 0)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501 SI Motion enable safety functions (Control Unit)


● p9534[0...1] SI Motion SLP (SE) upper limit values (Control Unit)
● p9535[0...1] SI Motion SLP (SE) lower limit values (Control Unit)
● p9544 SI Motion actual value comparison tolerance (referencing) (CU)
● p9562[0...1] SI Motion SLP (SE) stop response (Control Unit)
● p10009 SI Motion SLP retraction F-DI (CPU 1)
● p10032[0...3] SI TM54F SLP input terminal (CPU 1)
● p10033[0...3] SI TM54F SLP position range input terminal (CPU 1)
● p10039[0...3] SI TM54F Safe State signal selection (CPU 1)
● p10109 SI Motion SLP retraction F-DI (CPU 2)
● p10132 SI Motion SLP input terminal (CPU 2)
● p10133 SI Motion SLP position range input terminal (CPU 2)
● p10139 SI Motion Safe State signal selection (CPU 2)

5.3.4 Transferring safe position values (SP)

The function "Transfer safe position values (SP)" enables you to transfer a safe position (i.e.
absolute or relative position) to the higher-level controller via PROFIsafe. Transfer of the safe
relative position (Safe Position SP) can be used to calculate the safe speed in a higher-level
controller. Its use for safe position monitoring is only permissible if the reference to the absolute
position was established at the controller level. In this case, the "safely referenced" bit of
SINAMICS S120 (r9722.23) cannot be used.

Enabling the "Transfer safe position values" function


The following steps are required to enable the "Transfer safe position values" function:
● Enabling Safety Integrated Functions
– p9601 = 12 = C hex (≙ Extended Functions via PROFIsafe)
or
– p9601 = 13 = D hex (≙ Extended Functions via PROFIsafe and Basic Functions via
onboard terminals)
● Enable "Transfer the safe absolute position with the possibility of calculating the velocity by
the controller"
– Select one of the PROFIsafe telegrams 901 or 902 (p60022, p9611, p9811)
– p9501.2 = 1 (≙ enable absolute position)
– p9501.25 = 1 (≙ enable transfer of safe position via PROFIsafe)

Note
No actual value synchronization when SP is enabled
If the transfer safe position value function is used, it is not permissible to enable actual value
synchronization (p9501.3 = 1): In this case, the drive outputs fault F01688.

● Enable the "Transfer safe relative position" only to calculate the speed by the controller
– Select one of the PROFIsafe telegrams 901 or 902
– p9501.25 = 1
● After enabling the function, perform a POWER ON of the converter.

Principle of operation
After parameter assignment, release and POWER ON, the function is automatically selected
and the values transferred. Please observe the following:
● Transfer of safe absolute position values
– If the transfer of the safe relative position has been enabled through p9501.25 = 1 and
p9501.2 = 0, the validity of the safe relative position is displayed by the set bit
S_ZSW2.22.
– If the transfer of the safe absolute position has been enabled using p9501.25 = 1 and
p9501.2 = 1, S_ZSW2.22 is only set when the drive has also been safely referenced.
● Transfer of safe relative position values (e.g. for calculating the velocity)
– Only S_ZSW2.22 (r9722.22, actual position value valid) must be set to calculate the
speed.

Setting the modulo value for rotary axes


● p9505 is used to define the modulo range of a safety rotary axis (p9502 = 1) when the
transfer of a safe absolute position (p9501.2 = 1 and p9501.25 = 1) is enabled.
Parameterizing the modulo value can result in a jump in the position actual value if the range
that can be represented overflows. p9505 must therefore only be parameterized in steps of
2^n × 360° (n = 1, 2, 3, …). In all other cases, the converter issues alarm A01794. This alarm
can be hidden if the possible jump in the position actual value can be tolerated in the
particular application or does not present a problem.
● The modulo function is deactivated if p9505 = 0. This parameter has no relevance for a
safety linear axis (p9502 = 0) or when the transfer of a safe relative position (p9501.2 = 0 and
p9501.25 = 1) is enabled.
● If SLP is also enabled (p9501.1 = 1), the modulo function must be deactivated (p9505 = 0).

Speed calculation
The control must calculate the speed from the position change:
● Pos_diff = Pos_new - Pos_old
● Cycle_diff = Cycle counter_new - Cycle counter_old
● Time_diff = Cycle_diff · Safety cycle
(If Cycle_diff = 0, the speed that was last calculated must be used.)
● v = Pos_diff / Time_diff
● Format v
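
The speed calculation above as it could look on the controller side. This is an added example, not code from the manual. It also covers two cases the formulas do not spell out: the position only counts while S_ZSW2.22 is set, and the cycle counter may wrap around. The counter width of 16 bits and the 2 ms safety cycle in the sample data are assumptions of the example.

```python
from typing import Optional


class SafeSpeed:
    """Speed from successive safe position samples and their cycle counter."""

    def __init__(self, safety_cycle_us: int, counter_bits: int = 16) -> None:
        # safety_cycle_us: SI Motion monitoring cycle in microseconds.
        # counter_bits: width of the cycle counter. Assumption of this example;
        # take the real width from the telegram definition you use.
        self.safety_cycle_us = safety_cycle_us
        self.mask = (1 << counter_bits) - 1
        self.prev = None                    # (position, counter) of the last new sample
        self.last_v: Optional[float] = None

    def update(self, pos: int, counter: int, pos_valid: bool) -> Optional[float]:
        """Return the speed in position units per second, or None if unknown."""
        if not pos_valid:                   # S_ZSW2.22 not set: discard history
            self.prev, self.last_v = None, None
            return None
        if self.prev is None:               # first valid sample, no difference yet
            self.prev = (pos, counter)
            return None
        pos_old, counter_old = self.prev
        cycle_diff = (counter - counter_old) & self.mask   # survives counter wrap
        if cycle_diff == 0:                 # no new sample: reuse the last speed
            return self.last_v
        time_diff_us = cycle_diff * self.safety_cycle_us
        self.last_v = (pos - pos_old) * 1_000_000 / time_diff_us
        self.prev = (pos, counter)
        return self.last_v


def speeds(samples, safety_cycle_us=2000, counter_bits=16):
    """Run a list of (position, counter, valid) samples through SafeSpeed."""
    calc = SafeSpeed(safety_cycle_us, counter_bits)
    return [calc.update(*s) for s in samples]


# Constructed samples: (position in µm, cycle counter, S_ZSW2.22)
SAMPLES = [
    (1000, 65533, True),
    (1040, 65535, True),    # +40 µm in 2 cycles
    (1040, 65535, True),    # counter unchanged
    (1020, 1, True),        # counter wrapped: 65535 -> 1 is 2 cycles
    (1020, 2, False),       # position not valid
    (1030, 3, True),        # first valid sample after the gap
    (1032, 4, True),
]
```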

Acceptance test
An acceptance test is not required for the "Transfer safe position values" function, but the
function that was implemented with the aid of SP must be accepted in the higher-level
controller.

5.3.4.1 Ranges of values

Transfer formats and value range


● 32-bit
The values are transferred in telegram 902 as 32-bit values with the following value ranges:

Table 5-4 Value range and resolution (32 bits)

                 Linear axis                 Rotary axis
Position values  ±737280000                  ±737280000
Unit             1 μm                        0.001 °
Comment          Monitoring ±737.280 m with  ≙ 2048 revolutions
                 an accuracy of 1 μm

● 16-bit
To transfer the position values in telegram 901 in the 16-bit format, you must scale the
values using p9574. In this case, you must select the scaling factor so that the value of the
actual position value does not exceed the 16-bit format. If the actual position value exceeds
the range that can be displayed with 16 bits (±32767), a STOP F is initiated and message
C01711 is output with fault value 7001. Depending on the scaling factor, this means that
ranges with different sizes can be monitored with varying accuracy. Example:
– Scaling factor: 1000
– Unit: 1 μm (linear axis)
– Position value: ±32767 mm
It may therefore be precisely monitored in a range of ±32.767 m to an accuracy of 1 mm.
Note
Scaling to 16 bits
The scaling is performed by dividing the mean value of r9708[0] and r9708[1] by this
scaling factor.
Example: For a position of -29.999 mm signaled in r9708[0] and r9708[1] and a scaling
factor of p9574 = 1000, a numerical value of -29 is signaled to the controller.
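
The 16-bit scaling described above, as an added example that is not code from the manual. Truncation toward zero is inferred from the manual's own example (-29.999 mm becomes -29); the whole-number scaling factor and the exact handling of the mean are assumptions. The last function shows which positions the controller cannot tell apart once the value has been scaled.

```python
INT16_LIMIT = 32767          # range stated in the manual for the 16-bit format


class ScalingOverflow(Exception):
    """Scaled value outside ±32767 (on the drive: STOP F, C01711, value 7001)."""


def _trunc_div(num: int, den: int) -> int:
    """Integer division that truncates toward zero (Python's // floors)."""
    q = abs(num) // den
    return q if num >= 0 else -q


def scale_to_16bit(r9708_0: int, r9708_1: int, p9574: int) -> int:
    """Value transferred in the 16-bit format for the two channel positions."""
    # Mean of both channels divided by the factor, done in one exact step.
    value = _trunc_div(r9708_0 + r9708_1, 2 * p9574)
    if abs(value) > INT16_LIMIT:
        raise ScalingOverflow(value)
    return value


def min_scaling_factor(max_abs_position: int) -> int:
    """Smallest whole factor that keeps ±max_abs_position inside ±32767."""
    return max_abs_position // (INT16_LIMIT + 1) + 1


def position_bounds(value: int, p9574: int):
    """Mean positions (whole position units) that all yield this value."""
    if value > 0:
        return value * p9574, (value + 1) * p9574 - 1
    if value < 0:
        return (value - 1) * p9574 + 1, value * p9574
    # Truncation maps both signs onto 0, so this interval is twice as wide.
    return -(p9574 - 1), p9574 - 1
```

With positions in μm and a factor of 1000, a transferred 0 stands for anything between -999 μm and +999 μm, so limits evaluated in the controller need that margin.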

Value range r9708


The diagnostics information in parameter r9708 is displayed with the following properties:

Table 5-5 Value range and resolution (32 bits)

                 Linear axis                 Rotary axis
Position values  ±737280000                  ±737280000
Unit             1 μm                        0.001 °
Comment          Monitoring ±737.280 m with  ≙ 2048 revolutions
                 an accuracy of 1 μm

What is shown in parameter r9713 is identical to the values of r9708; however, in SINAMICS-
internal calculation units.

5.3.4.2 Synchronous transfer of safe position values


For axes that have to transfer their position values synchronously due to their application,
proceed as follows:

Note
Only available for CU320-2
This feature is not available for CU310-2.

Selection and enabling


1. For all axes that must transfer their position synchronously at the same time, parameterize
the following:
– Activating synchronous position transmission: p9501.29 = 1
– Enabling SP via PROFIsafe: p9501.25 = 1
2. Set the same fieldbus cycle (DP/PN cycle) and the same SI Motion monitoring cycle (tSI) for
all relevant axes.
The DP/PN cycle must be an even multiple of the SI Motion monitoring cycle. Example for
setting the cycles:

Current controller cycle (p115[0])                = 0.125 ms
SI Motion actual value acquisition cycle (p9511)  = 1.0 ms
SI Motion monitoring cycle (p9500)                = 2.0 ms
Fieldbus cycle (DP/PN cycle)                      = 4.0 ms
● Activate clock synchronized PROFIdrive communication for all affected axes.

Note
Acceptance test required
If you change the fieldbus cycle after safety acceptance has already taken place, you must
carry out a new safety acceptance test.

Activation
The synchronous transmission of safe positions function is always active after release. A
selection/deselection, e.g. via the cyclic PROFIsafe control word, is not necessary.

Status feedback
The drive gives a cyclic status feedback "SP valid" in the status word S_ZSW2.22.
This bit is also cleared during parameterization of the synchronous position transfer if the
position cannot be synchronous to the other axes.

F-Host safety program checks


The following points must be checked by the safety program of the F-Host:
● Synchronism of the counters (S_CYCLE_COUNT) of all axes involved in the cycle pattern
used
● Correct adjustment of the counters of the individual axes in the cycle pattern used

5.3.4.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2840 SI Motion drive-integrated control signals / status signals

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501 SI Motion enable safety functions (Control Unit)


● p9505 SI Motion SP modulo value (Control Unit)
● p9542 SI Motion actual value comparison tolerance (crosswise) (Control Unit)
● p9601 SI enable functions integrated in the drive (Control Unit)
● r9708[0...5] SI Motion diagnostics safe position
● r9713[0...5] CO: SI Motion diagnostics actual position value load side

5.3.5 Safe referencing

5.3.5.1 General
The "safe referencing" function allows a safe absolute position to be defined. This safe position
is used for the following functions:
● Safely-Limited Position (SLP) (Page 181)
● Transferring safe position values (SP) (Page 188)
● Safe Cam (SCA) (Page 196)

General description
In most cases, an external control performs referencing to an absolute position. The converter
only performs this task in special cases (for example, EPOS).
● Referencing using an external control
Requirement: No movement of the drive
The reference position determined by the control is entered into parameter p9572 and is
declared to be valid using p9573 = 89.
● Referencing by EPOS
The SINAMICS EPOS function transfers, when referencing, the determined position directly
to Safety Integrated. This can also take place during motion.
● User agreement
The user agreement must be set (p9726 = p9740 = AC hex) within a certain time interval
after referencing (see Chapter "Referencing types (Page 194)").
Safety Integrated only evaluates the reference position if this is required by a function that has
been enabled (e.g. SLP). Using diagnostics bit r9723.17, Safety Integrated indicates whether
the drive has been referenced. Safety Integrated indicates the position of the drive in diagnostic
parameters r9708 and r9713. Bit r9722.23 is set when the axis is safely referenced.
The diagnostics information in parameter r9708 is displayed with the following properties:

Table 5-6 Value range and resolution (32 bits)

                 Linear axis                 Rotary axis
Position values  ±737280000                  ±737280000
Unit             1 μm                        0.001 °
Comment          Monitoring ±737.280 m with  ≙ 2048 revolutions
                 an accuracy of 1 μm

What is shown in parameter r9713 is identical to the values of parameter r9708; however, in
SINAMICS-internal calculation units.

5.3.5.2 Referencing types


SINAMICS distinguishes between 2 types of referencing:
● Initial referencing
For initial safe referencing, or in the event of a fault during a subsequent referencing, the
following steps are necessary:
– The reference position determined by the controller is entered in parameter p9572 and
is declared to be valid with p9573 = 89. This step is not required for closed-loop position
control with EPOS.
– Referencing has been correctly implemented (r9723.17 = 1)
– Confirm the actual position value: Within 4 s, set parameters p9726 = p9740 = AC hex
- If you do not set p9740 = AC hex within 4 s after setting p9726 = AC hex, the converter
outputs messages C01711 (value: 1002), C30711 (value: 0) and any subsequent
messages. User confirmation is cleared in safety channels.
- If you do not set p9726 = AC hex within 4 s after setting p9740 = AC hex, the converter
outputs messages C01711 (value: 0), C30711 (value: 1002) and any subsequent
messages. User confirmation is cleared in safety channels.
After correctly setting this "user agreement", the drive is "safely referenced"
(r9722.23 = 1)
Note
No automatic user agreement permitted
Please note that the operator must be capable of assigning the determined position to
the real position of the axis before setting the user agreement. This can be performed,
for example, by a visual inspection of the axis position. Under no circumstances must
these parameters ever be set fully automatically by a control system without agreement
by the user. This would only be permissible if the reference position can be safely sensed
by means of a safe sensor.

● Subsequent referencing
Subsequent referencing involves referencing with a safety-relevant history (i.e. with an
internally buffered user agreement) after a POWER ON or after deselecting "parking axis".
– The position determined by the controller is entered in parameter p9572 and is declared
to be valid with p9573 = 89. This step is not required for closed-loop position control with
EPOS and use of an absolute encoder.
– After the drive has been referenced, Safety Integrated automatically performs a
plausibility check.
– If the deviation between the actual absolute position and the previous standstill position
saved from Safety Integrated in the NVRAM is within the tolerance p9544, then the drive
goes into the state "safely referenced" (r9722.23 = 1).

Note
Protection of the reference position
The parameters "SI Motion reference position" (p9572) and "Accept SI Motion reference
position" (p9573) are not subject to the safety password protection and the safety CRC check.
● Implement appropriate measures for your system to ensure that these parameters cannot
be changed inadvertently.

5.3.5.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2821 SI functions - safe referencing

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9572 SI Motion reference position (Control Unit)


● p9573 Accept SI Motion reference position (Control Unit)
● r9708[0...5] SI Motion diagnostics safe position
● r9713[0...5] CO: SI Motion diagnostics actual position value load side
● r9722.0...31 CO/BO: SI Motion drive-integrated status signals (Control Unit)
● r9723.0...17 CO/BO: SI Motion diagnostics signals integrated in the drive
● p9726 SI motion, user agreement, select/deselect
● p9740 SI motion, user agreement, select/deselect MM

5.3.6 Safe Cam (SCA)

With the "Safe Cam" function (SCA), you implement safe electronic cams, safe zone sensing,
or a working area limitation/protection zone delimitation for a specific axis, to replace a
hardware-based solution. You parameterize up to 30 output cams for each axis. You enable
each output cam individually.

Note
The "Safe Cam" (SCA) safety function can only be used with an encoder.

Defining the output cam positions


● You define the output cam positions to be monitored using the parameters p9536[x] and
p9537[x] (where x = 0 ... 29).
Note that the defined output cams must have a certain minimum length: p9536[x] -
p9537[x] ≥ p9540 + p9542
If you violate this rule, the drive will output the message F01686 ("SI Motion: Cam position
parameterization not permissible").
● Owing to variations in the cycle and signal propagation times, the output cam signals of the
two monitoring channels do not switch simultaneously and not precisely at the same
position. For this reason, enter a tolerance band for all output cam types via parameter
p9540. Within this tolerance band, the monitoring channels can have different signal states
for the same output cam:
Figure 5-30 Parameterize output cam and tolerance
[Diagram: SCA tolerance bands around the minus cam position and the plus cam position on the position axis.]

Note
The smallest possible tolerance range should be selected for the SCA function
(< 5 ... 10 mm). It makes sense to parameterize the cam tolerance to be greater than or
equal to the actual value tolerance.

● Reference the axis using the "General (Page 192)" function.

Enabling SCA
● You enable the SCA function with p9501.28 = 1.
● You enable each output cam individually with p9503.x = 1 (where x = 0 ... 29).

WARNING
Safe referencing
The enabled output cam signals are output immediately after POWER ON. However, this
output is only safe after safe referencing has been performed. The cams are only considered as
being safe if they were safely referenced.
● Reference the axis using the "General (Page 192)" function.

Select SCA
Select the SCA function using the PROFIsafe control word S_STW2.23. For SCA, you must
use telegram 903, in which control word S_STW2 and status word S_ZSW_CAM1 are available
for SCA.

Cam synchronization
For transmission of the output cam status word via PROFIsafe to the F host, the output cam
signals of the two monitoring channels are synchronized. Monitoring is also performed as to
whether a different output cam signal from the second channel is plausible. If the drive detects
an error, it outputs the message C01711 with the fault value 1014.
As the position tolerance for monitoring the output cam positions, the tolerance for the cross-
check of the actual position between the two monitoring channels in p9542 ("Actual value
comparison tolerance") is used.

Transmission via PROFIsafe


After SCA has been parameterized and selected, the monitoring results are transmitted in
status word S_ZSW_CAM1 (see Chapter "Additional process data (Page 234)").

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2826 SCA (Safe Cam)


● 2844 S_ZSW_CAM1 Safety status word Safe Cam 1

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501 SI Motion enable safety functions (Control Unit)


● p9503 SI Motion SCA (SN) enable (Control Unit)
● p9505 SI Motion SP modulo value (Control Unit)
● p9536[0...29] SI Motion SCA (SN) plus cam position (Control Unit)
● p9537[0...29] SI Motion SCA (SN) minus cam position (Control Unit)
● p9540 SI Motion SCA (SN) tolerance (Control Unit)
● p9542 SI Motion actual value comparison tolerance (crosswise) (Control Unit)
● r9703.0...31 CO/BO: SI Motion SCA status signal (Control Unit)
● r9708[0...5] SI Motion diagnostics safe position
● r9720.23 CO/BO: SI Motion drive-integrated control signals:
Deselect SCA
● r9727 SI Motion user agreement inside the drive
● r9771.22 SI shared functions: SCA supported

5.3.7 Forced checking procedure (test stop)

The functions and switch-off signal paths must be tested at least once within a defined period
to establish whether they are working properly in order to meet the requirements of EN ISO
13849-1 and IEC 61508 in terms of timely error detection.
The maximum permissible interval for the forced checking procedure (test stop) for Basic and
Extended/Advanced Functions is 8760 hours; i.e. the forced checking procedure (test stop)
must be performed at least once per year.
This functionality must be implemented by initiating forced checking procedure (test stop)
cyclically either manually or as part of an automated process.
The test stop cycle is monitored. When the parameterized timer expires (also after POWER
ON / warm restart), alarm A01697: "SI Motion: Test of motion monitoring required" is generated
and a status bit is set which can be transferred to an output or to a PZD bit via BICO. This alarm
does not affect machine operation.

See also
Forced checking procedure (test stop) of the CU310-2 (Page 308)
Forced checking procedure (test stop) of the TM54F (Page 314)


5.3.7.1 Performing a forced checking procedure (test stop)


Forced checking procedure (test stop) can be executed at the following points in time:
1. Forced checking procedure (test stop) can be initiated application-specifically and can
therefore be executed at a time that suits application requirements.
This functionality is implemented by means of a single-channel parameter p9705, which can
be wired via BICO either to an input terminal on the drive unit (Control Unit) - or to a bit of any
arbitrary PZD.
In addition, it is possible to select the test stop via the Safety Control Channel (see Chapter
"Safety Info Channel and Safety Control Channel (Page 257)").
– p9559 SI Motion Forced checking procedure timer (Control Unit)
– p9705 BI: SI Motion test stop signal source
– r9723.0 CO/BO: SI Motion diagnostics signals integrated in the drive
If the test stop is executed as described, the action does not require a POWER ON. The
acknowledgment is set by canceling the test stop request.
2. Forced checking procedure (test stop) can be automatically executed at POWER ON.
– To perform an automatic test stop of the Safety Integrated Extended/Advanced
Functions as well as an automatic test of the F‑DO for the CU310-2, set p9507.6 = 1.
When testing the F-DO of the CU310-2, you must parameterize p10042 and activate the
test in p10046.
Note
Automatic forced checking procedure (test stop) and SBT
Automatic forced checking procedure (test stop) of the Safety Integrated Extended/
Advanced Functions is possible together with the "Brake test for test stop selection"
function (p10203 = 2).

– To perform automatic forced checking procedure (test stop) of the F‑DI and F‑DO of the
TM54F, set p10048 = 1.
– Even if you have parameterized forced checking procedure (test stop) for POWER ON,
you can still initiate a test stop at any time through the application.
– If the automatically initiated function cannot be correctly completed as a result of a
problem (e.g. communication failure), the function will be automatically restarted after
the problem has been resolved.
– After the forced checking procedure (test stop) has been performed successfully, the
converter goes into the "Ready" state.
– Timer p9559 is reset as a result of the automatic forced checking procedure (test stop).
– The automatic forced checking procedure (test stop) for POWER ON does not influence
the Safety Integrated Functions.
In all cases, the scope of forced checking procedure (test stop) function is identical.


5.3.7.2 Safety devices


When the appropriate safety devices are implemented (e.g. protective doors), it can be
assumed that running machinery will not pose any risk to personnel. The user is therefore only
informed that the forced checking procedure (test stop) is due in the form of an alarm, which
requests the user to perform forced checking procedure (test stop) at the next possible
opportunity.
Examples of when the forced checking procedure (test stop) must be performed:
● When the drives are at a standstill after the system has been switched on (POWER ON).
● Before the protective door is opened.
● At defined intervals (e.g. every 8 hours).
● In automatic mode (time and event dependent).

Note
Preconditions
STO is triggered when a test stop is carried out for the Safety functions. It is not permissible that
STO is selected before selecting the test stop.
When blocksize Power Modules are used, the test stop must be triggered under controlled
standstill conditions (speed setpoint setting of 0, current is flowing through the motor).

5.3.7.3 Forced checking procedure (test stop) F-DI/F-DO of TM54F


An automatic test stop function is available for the forced checking procedure (test stop) to test
the F-DI/F-DO.
To ensure that the test stop function of the TM54F can be used, the F-DIs that are used must
be interconnected according to the following wiring example. The digital inputs of F-DI 0 to
F-DI 4 must be connected to the "L1+" power supply. The digital inputs of F-DI 5 to F-DI 9 must
be connected to the "L2+" power supply.


Connection example for TM54F

[Figure: wiring diagram of the Terminal Module TM54F showing the DRIVE-CLiQ sockets, the
electronics power supply, and the DI/F-DI and DO/F-DO terminals with their L and M connections.
Note in the figure: the inversion can be parameterized.]

Figure 5-31 Connection example for TM54F


Details on F-DIs and F-DOs


● The F-DIs must be registered for the test stop using p10041.
Note
F-DI not operational during the test
The F-DI states are frozen for the duration of the test!
● Ensure that the states of the F-DIs are not evaluated during the test.

● The associated F-DOs must be registered for the test stop using p10046.
Note
F-DOs during the time period of the test stop
F-DOs, which are not registered for evaluation using p10046, are set to "0" for the duration
of the test stop ("failsafe values").
Maximum test stop time period is: $T_{\text{Test stop}} = T_{\text{FDIs}} + T_{\text{FDOs}}$
● Testing F-DIs: $T_{\text{FDIs}} = 3 \cdot \text{r10015} + 3 \cdot X$ ms
(X = 20 ms or r10015 or p10017 - the greatest time value of the 3 values determines the
waiting time X)
● Test of the F-DOs: $T_{\text{FDOs}} = 8 \cdot \text{r10015} + 6 \cdot Y$ ms
(Y = p10001 or r10015 or p10017 - the longest time of the 3 values determines the wait
time Y)
The Safety Integrated Functions of the TM54F are executed in the sampling time displayed
in r10015. This sampling time corresponds to the lowest value of the communication
sampling time entered in p10000[0..5].
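
The following calculation is an added example, not part of the manual or of any Siemens tool. It applies the two formulas above to a set of parameter values and reports which value determined the waiting times X and Y, which is the window during which the F-DI states are frozen and unregistered F-DOs are held at "0". The function names, the assumption that all times are in milliseconds, and the sample values are constructed for illustration.

```python
# Added example: worst-case duration of the TM54F test stop, from the formulas above.
# Assumptions: every time is given in milliseconds; sample values are constructed.

def tm54f_test_stop_window(p10000, p10017, p10001):
    """Return the maximum test stop duration and its parts, in ms.

    p10000 -- sampling times entered in p10000[0..5]
    p10017 -- debounce time of the digital inputs
    p10001 -- wait time for the test stop at the F-DOs
    """
    r10015 = min(p10000)  # the manual: r10015 is the lowest value in p10000[0..5]

    # X and Y are each the greatest of three candidate values.
    x_candidates = {"20 ms": 20.0, "r10015": r10015, "p10017": p10017}
    y_candidates = {"p10001": p10001, "r10015": r10015, "p10017": p10017}
    x_source = max(x_candidates, key=x_candidates.get)
    y_source = max(y_candidates, key=y_candidates.get)
    x, y = x_candidates[x_source], y_candidates[y_source]

    t_fdis = 3 * r10015 + 3 * x
    t_fdos = 8 * r10015 + 6 * y
    return {
        "r10015": r10015,
        "X": x, "X_source": x_source,
        "Y": y, "Y_source": y_source,
        "T_FDIs": t_fdis,
        "T_FDOs": t_fdos,
        "T_test_stop": t_fdis + t_fdos,
    }


def fits_pause(window, available_ms):
    """True if the whole test stop fits into a process pause of available_ms.

    available_ms is a hypothetical application figure: the time during which
    the application can tolerate frozen F-DIs and F-DOs at their failsafe value.
    """
    return window["T_test_stop"] <= available_ms


if __name__ == "__main__":
    # Constructed values: 12 ms sampling time, 1 ms debounce, 500 ms F-DO wait time.
    w = tm54f_test_stop_window([12.0] * 6, p10017=1.0, p10001=500.0)
    print(w)
    print("fits into a 2 s pause:", fits_pause(w, 2000.0))
```

With these values the F-DO wait time p10001 dominates the result, so shortening the debounce time would not shorten the test.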

Note
Manual dynamization required for specific F-DIs or F-DOs
It is possible that this test stop function cannot be used for certain F-DIs or F-DOs because of
the devices that are connected.
● Ensure dynamic operation of the affected F-DIs/F-DOs by other means, e.g. switch
operation or triggering certain machine functions.


Performing a forced checking procedure (test stop)


● The test stop should be executed at a suitable point in time. This is the reason that it must
be initiated by the application or carried out at POWER ON. This functionality is
implemented using parameter p10007, which can be wired via BICO either to an input
terminal on the drive unit (CU), or to a bit of any arbitrary PZD.
● Forced checking procedure (test stop) can be automatically executed at POWER ON.
– If an automatic test stop of F‑DI and F‑DO of the TM54F is to be executed, then set
p10048 = 1.
– Even if you have parameterized the test stop for POWER ON, you can still initiate a test
stop at any time through the application.
– If the automatically initiated function cannot be correctly completed as a result of a
problem (e.g. communication failure), then after the problem has been resolved, the
function is automatically restarted.
– After forced checking procedure (test stop) has been successfully executed, the TM54F
goes into the "Ready" state.
– Timer p9559 is reset as a result of the automatic forced checking procedure (test stop).
– The automatic test stop for POWER ON does not influence the Safety Integrated
Functions.
The test stop cycle is monitored. When the parameterized timer expires (also after POWER
ON / warm restart), alarm A35014: "TM54F: Test stop required" is output.

● p10001 SI wait time for test stop at F-DO 0 ... 3
● p10003 SI Motion forced checking procedure timer
● p10007 BI: SI Motion forced checking procedure F-DO signal source
● p10041 SI TM54F F-DI enable for test
● p10046 SI Motion F-DO feedback signal input activation
Forced checking procedure (test stop) does not require a POWER ON, but it can be
automatically performed at POWER ON: The acknowledgment is set by canceling the test stop
request.

Note
Forced checking procedure (test stop) of the CU310-2
The description applies analogously to forced checking procedure (test stop) of the F-DO on
the CU310-2. You will find more instructions for carrying out test stops in Chapter "Forced
checking procedure (test stop) of the CU310-2 (Page 308)".

Note
Manual checking of F-DIs and/or F-DOs
If there are F-DIs and/or F-DOs that you do not wish to have checked automatically, or that
cannot be checked automatically (e.g. F‑DIs of the CU310-2), the correct function of the
connected sensor/actuator and its response should be checked at suitable intervals by
actuating it.


More information
Additional instructions for performing the test stops are provided in Chapters:
● Forced checking procedure (test stop) of the TM54F (Page 314)
● Forced checking procedure (test stop) of the CU310-2 (Page 308)

6 Control of the safety functions
6.1 Control possibilities
The following options for controlling Safety Integrated Functions are available:

| Control via | Basic | Extended | Advanced |
|---|---|---|---|
| Terminals (on the Control Unit and Motor/Power Module) | x | - | - |
| PROFIsafe based on PROFIBUS or PROFINET | x | x | x |
| TM54F | x | x | x |
| Control without selection | - | SLS, SDI | - |
| Onboard F-DI/F-DO (CU310-2) | x 1) | x | x |

1) Only the F-DI 0 can be used for the control. The F-DO is not available.

Note
PROFIsafe or TM54F
Using a Control Unit, control is possible either via PROFIsafe or TM54F. Mixed operation is not
permissible.

The safety-oriented input and output terminals (F-DI and F-DO) act as an interface between the
SINAMICS S120 Safety Integrated functionality and the process.
A dual-channel signal applied to an F-DI (Fail-safe Digital Input, safety-oriented digital input =
safe input terminal pair) controls the active monitoring of the activation/deactivation of safety
functions.
An F-DO (Fail-safe Digital Output, safety-oriented digital output = safe output terminal pair)
delivers a dual-channel signal representing feedback from the safety functions.

Dual-channel processing of I/O signals


A dual-channel structure is implemented for data input/output and for processing safety-
oriented I/O signals. All requests and feedback signals for safety-oriented functions should be
entered or tapped using both channels.


6.2 Control signals by way of terminals on the Control Unit and Motor / Power Module

Features
● Only for the Basic Functions
● Two-channel structure via two digital inputs (e.g. Control Unit / power unit)
● A debounce function can be applied to the terminals of the Control Unit and the Motor
Module to prevent incorrect trips due to signal disturbances or test signals. The filter times
are set using parameter p9651.
● Different terminal blocks depending on the format
● Automatic ANDing of up to eight digital inputs (p9620[0...7]) on the Control Unit for chassis
format power units connected in parallel
● The F-DI 0 is available on the CU310-2

Overview of the safety function terminals for SINAMICS S120


The different power unit formats of SINAMICS S120 have different terminal designations for the
inputs of the safety functions. These are shown in the following table.

Table 6-1 Inputs for safety functions

| Module | 1st switch-off signal path (p9620[0]) | 2nd switch-off signal path (EP terminals) |
|---|---|---|
| Control Unit CU320-2 | X122.1...6/X132.1...6, DI 0...7/16/17/20/21 | – |
| Single Motor Module Booksize/Booksize Compact | (see CU320-2) | X21.3 and X21.4 (on the Motor Module) |
| Single Motor Module/Power Module Chassis | (see CU320-2) | X41.1 and X41.2 |
| Double Motor Module Booksize/Booksize Compact | (see CU320-2) | X21.3 and X21.4 (motor connection X1), X22.3 and X22.4 (motor connection X2) (on the Motor Module) |
| Power Module Blocksize with CUA31/CUA32 | (see CU320-2) | X210.3 and X210.4 (on the CUA31/CUA32) |
| Control Unit CU310-2 | X120.3, X121.1...4 | X120.4 and X120.5 1) |
| Power Module Chassis with CU310-2 | (see CU310-2) | X41.1 and X41.2 |
| Power Module blocksize with CU310-2 | (see CU310-2) | STO_A and STO_B (for additional information, see Chapter "STO via terminals of the Power Modules Blocksize (Page 215)") |
| Controller Extension SIMOTION CX32-2 | X122.1...6, DI 0...3/16/17 | – |

1) Please note: On the CU310-2, you must use the EP terminal (DI 17) as a switch-off signal path. Use
any free digital input (DI) as the 2nd switch-off signal path.
See the equipment manuals for additional information about the terminals.

Note
Function of the EP terminals
The EP terminals are only evaluated if the Safety Integrated Basic Functions are released via
onboard terminals.

Parallel connection of Motor Modules in chassis format


When Motor Modules in chassis format are connected in parallel, a safe AND element is
created on the parallel drive object. The number of indexes in p9620 corresponds to the number
of parallel chassis components in p0120.

6.2.1 Description of the two-channel structure


The functions are separately selected/deselected for each drive using two terminals.
● Switch-off signal path, Control Unit (CU310-2/CU320-2)
The desired input terminal is selected via BICO interconnection (BI: p9620[0]).
● Switch-off signal path, Motor Module / Power Module (with CUA3x or CU310-2)
The input terminal is the "EP" terminal ("Enable Pulses").
Both terminals must be energized within the tolerance time p9650, otherwise a fault will be
output.

[Figure: block diagram of a Control Unit and a Motor Module connected via DRIVE-CLiQ. A digital
input (DI) of the Control Unit feeds the Control Unit monitoring channel via a binector input (BI);
the EP terminals of the Motor Module feed the Motor Module monitoring channel.]

Figure 6-1 Example: Terminals for "Safe Torque Off": Example of Motor Modules Booksize and CU320-2

6.2.2 Grouping drives

Grouping drives (not for CU310-2)


To ensure that the function works for more than one drive at the same time, the terminals for the
corresponding drives must be grouped together as follows:
1. Switch-off signal path
Connect the p9620 parameters of all drives that belong to a group with a single DI (r0722.x)
of the CU320‑2.
2. Switch-off signal path (Motor Module / Power Module with CUA3x)
Wire the terminals for the individual Motor Modules / Power Modules, belonging to the
group, with CUA31/CUA32.

Note
Parameterization of the grouping
The grouping must be configured (DI on Control Unit) and wired (EP terminals) identically in
both monitoring channels.

Note
Response of STO for grouping
If a fault in a drive results in a "Safe Torque Off" (STO), this does not automatically mean that
the other drives in the same group also switch to "Safe Torque Off" (STO).


The assignment is checked during the test for the switch-off signal paths. The operator selects
"Safe Torque Off" for each group. The check is drive-specific.

Example: Terminal groups


It must be possible to select/deselect "Safe Torque Off" separately for group 1 (drives 1 and 2)
and group 2 (drives 3 and 4). For this purpose, the same grouping for "Safe Torque Off" must
be realized both for the Control Unit and the Motor Modules.

[Figure: a Control Unit with one digital input (DI) per group for selection/deselection, each
interconnected with the drives of its group, next to a Line Module, a Single Motor Module, a
Double Motor Module and a Single Motor Module whose EP terminals are wired together per group
(group 1 and group 2).]

Figure 6-2 Example: Grouping terminals with Motor Modules Booksize and CU320-2

6.2.3 Simultaneity and tolerance time of the two monitoring channels

The monitoring functions must be selected/deselected simultaneously in both monitoring
channels via the input terminals and only have an effect on the associated drive.
● 1 signal: Deselecting the function
● 0 signal: Selecting the function
The time delay that is unavoidable due to mechanical switching, for example, can be adapted
via parameters. The tolerance time, within which selection/deselection of the two monitoring
channels must occur if they are to be considered "simultaneous," is set in the following
parameters:
● p9650 (Basic Functions)
● p10002 (Extended/Advanced Functions)


6.2.3.1 Tolerance time

Note
Parameterization of the tolerance time
To avoid faults being initiated incorrectly, the tolerance time at these inputs must always be
set shorter than the shortest time between two switching events (ON/OFF, OFF/ON).

● If the monitoring functions are not selected/deselected within the tolerance time, this is
detected by the cross-check, and the following fault (STOP F) is output.
– F01611 (Basic Functions)
– C01770 (Extended/Advanced Functions)
For STO: In this case, the pulses have already been canceled as a result of the selection of
"Safe Torque Off" on one channel.
Note
Timing between the switching operations in the Basic Functions
Message F01611 with fault value 1000 is output if switching operations occur too frequently.
The cause depends on the type of control:
● Persistent signal changes occurred at the F-DI.
● STO was permanently triggered via PROFIsafe (also as subsequent response).
Within the time 5 · p9650, there must be at least two switching operations at the terminals
or via PROFIsafe with a minimum time between them of p9650.

● If the "Safe Stop 1" of the Basic Functions is not selected within the tolerance time in two
channels, this is detected by the cross-check, and fault F01611 (STOP F) is output. After the
set "SI Safe Stop 1 delay time" (p9652), the pulses are suppressed.
Note
In order that the drive can brake down to a standstill even when selected through one
channel, the time in p9652 must be shorter than the sum of the parameters for the data
cross-check (p9650 and p9658). Otherwise, the drive will coast down after the time p9650
+ p9658 has elapsed.

Further notes for setting the discrepancy time (also see the following diagram "Discrepancy
time") are provided in the "SINAMICS S120/S150 List Manual" for the following message:
● F01611 (Basic Functions)
● C01770 (Extended/Advanced Functions)


[Figure: timing diagram over time t showing the switching interval TS, the discrepancy time TD
and the response time TR. To be maintained: TS > TD > TR]

TS Switching interval
TD Discrepancy time
TR Response time
Figure 6-3 Discrepancy time

6.2.3.2 Overview of important parameters

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9650 SI SGE switchover discrepancy time (Control Unit)
● p9652 SI Safe Stop 1 delay time (Control Unit)
● p9658 SI transition time STOP F to STOP A (Control Unit)
● p10002 SI Motion F-DI switchover discrepancy time (CPU 1)


6.2.4 Bit pattern test

Bit pattern test of fail-safe outputs


The converter normally responds immediately to signal changes in its fail-safe inputs. This is
not desired in the following case: Several control modules test their fail-safe outputs using bit
pattern tests (on/off tests), in order to identify faults due to either short-circuit or cross-circuit
faults. When you interconnect a fail-safe input of the converter with a fail-safe output of a control
module, the converter responds to these test signals.

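[Figure: timing diagram with three traces over time t: the input signals at the F-DI during a
bit pattern test, the state of the safety function (active/inactive), and the resulting fault.]

Figure 6-4 Converter response to a bit pattern test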

Note
Debounce time for unwanted triggering of Safety Integrated functions
If the test pulses cause an unwanted triggering of the Safety Integrated functions, these test
pulses can be suppressed using the F-DI input filter (p9651 for Basic Functions or p10017 for
Extended/Advanced Functions). To do this, a value must be entered in p9651 or p10017 that
is greater than the duration of a test pulse.

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9651 SI STO/SBC/SS1 debounce time (Control Unit)
● p10017 SI Motion digital inputs debounce time (CPU 1)
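
The following simulation is an added example, not Siemens code and not the converter's actual algorithm. It models the two mechanisms of sections 6.2.3 and 6.2.4 on constructed signal traces: an input filter that ignores pulses shorter than the debounce time, and a cross-check that reports a discrepancy when the two channels disagree for longer than the tolerance time. The function names, the traces, and the assumption that the filter delays an accepted edge by the filter time are all illustrative.

```python
import math

# Added example: simplified two-channel F-DI model (1 = deselect, 0 = select).
# A trace is a list of (time_ms, level) edges; both channels start at level 1.

def debounce(edges, filter_ms, initial=1):
    """Accept a level change only if the new level lasts at least filter_ms."""
    level, accepted = initial, []
    for i, (t, new) in enumerate(edges):
        if new == level:
            continue
        # Time at which the raw signal next leaves the new level again.
        leaves = next((t2 for t2, l2 in edges[i + 1:] if l2 != new), math.inf)
        if leaves - t >= filter_ms:
            accepted.append((t + filter_ms, new))  # modelled filter delay
            level = new
    return accepted


def shortest_interval(edges):
    """Shortest time between two consecutive switching events of one channel."""
    return min((b[0] - a[0] for a, b in zip(edges, edges[1:])), default=math.inf)


def evaluate(raw_a, raw_b, filter_ms, tolerance_ms):
    """Return when the function is selected and when the cross-check trips."""
    a, b = debounce(raw_a, filter_ms), debounce(raw_b, filter_ms)
    events = sorted([(t, "a", lvl) for t, lvl in a] + [(t, "b", lvl) for t, lvl in b])
    level = {"a": 1, "b": 1}
    differ_since, was_selected = None, False
    selected_at, discrepancy_at = [], []
    # The sentinel at infinity catches a mismatch that is never resolved.
    for t, ch, lvl in events + [(math.inf, None, None)]:
        if differ_since is not None and t - differ_since > tolerance_ms:
            discrepancy_at.append(differ_since + tolerance_ms)
        if ch is None:
            break
        level[ch] = lvl
        differ_since = t if level["a"] != level["b"] else None
        selected = 0 in level.values()  # one channel at 0 already selects
        if selected and not was_selected:
            selected_at.append(t)
        was_selected = selected
    return {
        "selected_at": selected_at,
        "discrepancy_at": discrepancy_at,
        # Rule from 6.2.3.1: tolerance time shorter than the shortest
        # time between two switching events.
        "tolerance_ok": tolerance_ms < min(shortest_interval(a), shortest_interval(b)),
    }


# Constructed traces: 1 ms test pulses of an upstream fail-safe output,
# staggered between the channels, with no real demand.
BIT_TEST_A = [(100, 0), (101, 1), (300, 0), (301, 1)]
BIT_TEST_B = [(200, 0), (201, 1), (400, 0), (401, 1)]
# Constructed traces: a real demand with 30 ms contact skew, and one with
# channel B never following.
DEMAND_A, DEMAND_B_SKEWED, DEMAND_B_STUCK = [(1000, 0)], [(1030, 0)], []

if __name__ == "__main__":
    print("no filter :", evaluate(BIT_TEST_A, BIT_TEST_B, 0, 500))
    print("2 ms filter:", evaluate(BIT_TEST_A, BIT_TEST_B, 2, 500))
    print("30 ms skew :", evaluate(DEMAND_A, DEMAND_B_SKEWED, 2, 500))
    print("B stuck    :", evaluate(DEMAND_A, DEMAND_B_STUCK, 2, 500))
```

Without a filter every test pulse selects the function; with a filter time greater than the pulse width the pulses disappear, at the cost of the real demand being recognized one filter time later.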


6.2.5 STO via terminals of the Power Modules Blocksize

PM240-2 Power Modules, FSD to FSG


The Safe Torque Off (STO) safety function is used to safely disconnect the power feed to the
motor that generates the torque.
Using PM terminals - STO_A and STO_B - as well as 2 DIP switches, you can use the "Safe
Torque Off" (STO) function for the CU310-2 Control Units or the CU320-2 with CUA32 using the
Power Module hardware. This hardware-based STO can be used up to PL e according to
EN 13849‑1 and SIL3 according to IEC 61508 with the appropriate application engineering.

| Power Module | Control Unit |
|---|---|
| PM240-2 FSD … FSG | CU310-2, CU320-2 with CUA32 |

Requirements
● You can only use the STO terminals of the Power Module with the SINAMICS S120 Control
Units if you do not use any safety functions on the Control Unit.
If you use both safety function packages (STO terminals on the Power Module and Basic/
Extended/Advanced Functions) simultaneously, they will interfere with each other.
● A higher-level control system is required to select the STO safety function.
● The parameters of the digital outputs for the STO feedback are correctly assigned. The
converter signals to the higher-level control system that the STO safety function is being
controlled via 2 digital outputs.
For converters FSD…FSG, you must interconnect the feedback signals "STO is active" with
2 digital outputs of the Control Unit:
– r1838.3
– r1838.4
● The higher-level control system monitors the selection of the STO safety function and the
feedback from the converter.
● Forced checking procedure (test stop)
The higher-level control system regularly selects the STO safety function and evaluates the
converter feedback signal. We recommend that you implement a time monitoring function
in the higher-level control system, which issues an alarm if a test stop is overdue.

Note
Diagnostics
The state of the switch-off signal paths can be monitored using 2 digital outputs of the Control
Unit. You can find additional information in the SINAMICS S120/S150 List Manual.

You can find details on the terminals and DIP switches here: Terminals STO_A/STO_B and DIP
switch (Page 217)


Prerequisites for SIL 2/PL d


● Suitable higher-level controllers
– SIRIUS 3SK1
1-channel static feedback circuit
– SIRIUS 3SK2
2-channel dynamic feedback circuit
– MSS 3RK3
2-channel dynamic feedback circuit
– SIMATIC
Feedback circuit monitoring in the safety program
● Forced checking procedure (test stop) once per year

Prerequisites for SIL 3/PL e


● Suitable higher-level controllers
– SIRIUS 3SK2
2-channel dynamic feedback circuit
– MSS 3RK3
2-channel dynamic feedback circuit
– SIMATIC
Feedback circuit monitoring in the safety program
● Forced checking procedure (test stop) every 3 months
For the forced checking procedure, the STO feedback must be time-delayed.

Application examples
You can find application examples in the Service and Support Portal
(https://support.industry.siemens.com/cs/ww/en/view/109766026).


6.2.5.1 Terminals STO_A/STO_B and DIP switch

Terminals STO_A/STO_B

Table 6-2 Terminals STO_A/STO_B for the safety function "Safe Torque Off"

| Terminal | Signal name | Technical data |
|---|---|---|
| 1 | STO_A/STO_B | Voltage: 24 V DC (20.4 … 28.8 V); current consumption: max. 1.0 A |
| 2 | M | Ground |

● Type: Screw-type terminal 2 (see Manual SINAMICS S120 AC Drive, Chapter "Screw terminals")
● Maximum connectable cross-section: 2.5 mm²

DIP switch

Table 6-3 DIP switches for the safety function "Safe Torque Off" via terminals of the Power Module

| DIP switch | Application |
|---|---|
| Both switches in the "0" position | To use Safety Integrated of the CU310-2, deactivate the function "STO via Power Module terminals" by setting both the DIP switches for the interface STO_A/STO_B to the "0" position. |
| Both switches in the "1" position | To enable the "Safe Torque Off" safety function via Power Module terminals, you must set both DIP switches to the "1" position. |


6.3 Activation via PROFIsafe


As an alternative to controlling Safety Integrated Functions via terminals, TM54F or on-board
terminals on the CU310-2, they can also be controlled via PROFIsafe. For communication via
PROFIBUS and PROFINET, use one of the following PROFIsafe telegrams: 30, 31, 901, 902
and 903.
Control via PROFIsafe is available for the Safety Integrated Basic Functions, the Safety
Integrated Extended Functions and the Safety Integrated Advanced Functions.

Note
Timing between the switching operations
Message F01611 with fault value 1000 is output if switching operations occur too frequently.
The cause depends on the type of control:
● Persistent signal changes occurred at the F-DI.
● STO was permanently triggered via PROFIsafe (also as subsequent response).
Within the time 5 · p9650, there must be at least two switching operations at the terminals or via
PROFIsafe with a minimum time between them of p9650.

6.3.1 Assigning Safety Integrated Functions to PROFIsafe


The following table provides you with an overview of which Safety Integrated functions you can
control with which PROFIsafe telegram.

Table 6-4 Assigning Safety Integrated functions to PROFIsafe telegrams

| Safety function | PROFIsafe telegram 30 | 31 | 901 | 902 | 903 |
|---|---|---|---|---|---|
| STO | x | x | x | x | x |
| SS1 | x | x | x | x | x |
| SOS | x | x | x | x | x |
| SS2 | x | x | x | x | x |
| SS2E | - | x | x | x | x |
| SLS | x | x | x | x | x |
| SSM 1) | x | x | x | x | x |
| SDI | x | x | x | x | x |
| SLP | x 2) | x | x | x | x |
| SCA | - | - | - | - | x |
| SLA | x | x | x | x | x |
| SP | - | - | x | x | - |
| Safe gearbox stage switchover | - | x | x | x | x |

1) As feedback signal in S_ZSW1 and S_ZSW2
2) Without safety-related switchover between 2 different position ranges


6.3.2 Enabling of the control via PROFIsafe


For PROFIsafe communication, SINAMICS devices require a PROFIBUS or a PROFINET
interface. Every drive with configured PROFIsafe in the drive unit represents a PROFIsafe
slave (F slave or F device) with a fail-safe communication to the F host via PROFIBUS or
PROFINET and is assigned its own PROFIsafe telegram.
In this case, a PROFIsafe channel, known as a safety slot, is created using the Startdrive
commissioning tool and transferred to HW Config (alternatively, this safety slot can be created
by the SIMATIC Manager Step 7 using HW Config). The Safety Integrated Functions can then
be additionally controlled via the PROFIsafe telegrams 30, 31, 901, 902 and 903. The structure
of the associated control and status words is described below (see Chapter "Telegram format
(Page 221)"). The selected PROFIsafe telegrams for Safety Integrated are placed in front of the
standard telegram for communication (e.g. telegram 2).

Enabling PROFIsafe
The Safety Integrated Functions are enabled via PROFIsafe using parameter p9601:
● Basic Functions: p9601 = 8 hex or 9 hex
● Extended/Advanced Functions: p9601 = C hex or D hex

Note
License requirement for Safety Integrated Functions via PROFIsafe
No license is required to use Basic Functions. This also applies for control via PROFIsafe.
However, for Extended Functions or Advanced Functions, you require an appropriate license
that will be charged for.

All parameters involved in PROFIsafe communication are password protected against
undesirable changes and secured using a checksum. The telegram configuration is performed
in the hardware configuration in the F‑host (see Chapters "PROFIsafe via PROFIBUS
(Page 321)" and "PROFIsafe via PROFINET (Page 322)").

Safety Integrated Basic Functions via PROFIsafe and via terminals


Control of the Basic Functions via terminals on the Control Unit and on the Motor/Power Module
(parameters p9601.0 = 1) may be enabled in parallel. In order to be able to select SS1, an SS1
delay time p9652 > 0 must be configured. With PROFIsafe, both SS1 and STO can be selected.
Only SS1 is available for control via terminal.


STO takes priority over SS1, i.e. STO becomes active if SS1 and STO are simultaneously
selected.

Note
Double Motor Module in the case of PROFIsafe and a sampling time of 62.5 µs
In the case of a Double Motor Module, the converter issues message F01625 "Sign-of-life error
in safety data" if you also select the following options:
● Control of the Safety Integrated Basic Functions via PROFIsafe
● "Sampling times for internal control loops" p0115[0] = 62.5 µs
● "Current controller dynamics higher" (p1810.11 = 1)
In addition, message F30802 "Power unit: Time slice overflow" may occur.
The following options are available to you to remedy this problem:
● Use a Single Motor Module
● Deactivate "Current controller dynamics higher" (p1810.11 = 0)
● Increase the "Sampling times for internal control loops" (p0115[0]).
● Control the Safety Integrated Basic Functions via terminals.

6.3.3 Selecting a PROFIsafe telegram


Proceed as follows to define the PROFIsafe telegram:
1. In parameter p60022 select the required telegram.
2. In parameter p9611, select the same telegram number.
Note
Compatibility mode
If you set p9611 = 998 for p60022 = 0 (for instance, if you have upgraded the safety project
to firmware V4.5), then PROFIsafe telegram 30 is set, just as for p60022 = 30 and
p9611 = 30.
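
The following added example (not Siemens code) checks a parameter export against the rules stated so far: matching telegram numbers in p60022 and p9611 including the compatibility mode, p9652 > 0 when SS1 is used, the Double Motor Module combination that leads to F01625, and the unique F-address (p9610) required in the PROFIsafe configuration that follows. Parameter numbers are taken from this manual; the dictionary layout, the non-parameter field names and the sample values are assumptions.

```python
# Added example (not Siemens code). Parameter numbers are from the manual;
# "name", "uses_ss1", "double_motor_module", "basic_via_profisafe" and the
# sample values are hypothetical and constructed for illustration.

def effective_telegram(p60022, p9611):
    """Return the PROFIsafe telegram in effect, or None if the pair disagrees."""
    if p60022 == 0 and p9611 == 998:
        return 30                      # compatibility mode behaves like 30/30
    return p9611 if p60022 == p9611 else None


def lint_drive(d):
    """Check the settings of one drive; return a list of findings."""
    findings = []
    if effective_telegram(d["p60022"], d["p9611"]) is None:
        findings.append(
            f"{d['name']}: p60022={d['p60022']} and p9611={d['p9611']} "
            "do not select the same telegram")
    # SS1 can only be selected if an SS1 delay time p9652 > 0 is configured.
    if d.get("uses_ss1") and not d.get("p9652", 0) > 0:
        findings.append(f"{d['name']}: SS1 is used but p9652 is not > 0")
    # Combination for which the converter issues F01625 (and possibly F30802).
    if (d.get("double_motor_module") and d.get("basic_via_profisafe")
            and d.get("p0115_0_us") == 62.5 and d.get("p1810_11") == 1):
        findings.append(
            f"{d['name']}: Double Motor Module with Basic Functions via "
            "PROFIsafe, p0115[0] = 62.5 us and p1810.11 = 1 (expect F01625)")
    return findings


def lint_f_addresses(drives, other_failsafe_io=None):
    """Return {F-address: [owners]} for every address used more than once.

    other_failsafe_io maps a device name to its F-address so that failsafe
    I/O outside the drive (for example ET 200SP modules) is included.
    """
    owners = {}
    for name, addr in (other_failsafe_io or {}).items():
        owners.setdefault(addr, []).append(name)
    for d in drives:
        owners.setdefault(d["p9610"], []).append(d["name"])
    return {addr: names for addr, names in owners.items() if len(names) > 1}


SAMPLE_DRIVES = [  # constructed values
    {"name": "axis_1", "p60022": 30, "p9611": 30, "p9610": 200,
     "uses_ss1": True, "p9652": 0.5},
    {"name": "axis_2", "p60022": 0, "p9611": 998, "p9610": 201},
    {"name": "axis_3", "p60022": 902, "p9611": 30, "p9610": 200,
     "uses_ss1": True, "p9652": 0,
     "double_motor_module": True, "basic_via_profisafe": True,
     "p0115_0_us": 62.5, "p1810_11": 1},
]

if __name__ == "__main__":
    for drive in SAMPLE_DRIVES:
        for finding in lint_drive(drive):
            print(finding)
    print(lint_f_addresses(SAMPLE_DRIVES, {"et200sp_f_di": 201}))
```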

PROFIsafe configuration
The PROFIsafe address is required for control of the safety functions via PROFIsafe.

Note
You can only change communication parameters in Startdrive in the setting dialog.

1. Click the icon "Telegram configuration".
The properties of the PROFINET interface are displayed in the Inspector window. The
"Cyclic data traffic" setting range is active. Here you define the telegrams for the drive
objects.
2. Click the <Add telegram> entry in the telegram configuration of "Drive axis_x".

3. Select the "Add safety telegram" option in the drop-down list of the entry:
Startdrive then inserts the "Safe actual value" and "Safe setpoint" lines. The relevant
PROFIsafe telegrams are preassigned.
4. Open the new "Safe setpoint" screen form (for Drive axis_x) in the Inspector window.
5. Correct the PROFIsafe address of the drive in the "F-address" field.
6. In the function view, switch back to the "control" screen form.
The value of the F-address is displayed in the "PROFIsafe address" (p9610) field. A
preassigned PROFIsafe telegram is displayed in the "PROFIsafe telegram no." drop-down
list.
7. Click "Accept values" to transfer the telegram from the default settings into the Safety
programming.
8. Select the desired stop response for a failure of the PROFIsafe communication in the
"PROFIsafe failure response" (p9612) drop-down list.

Note
Unique PROFIsafe addresses
You must ensure the unique assignment of the PROFIsafe address throughout the network and
the CPU.
● The failsafe I/O of PROFIsafe address type 1 is uniquely addressed by its failsafe destination
address.
● The failsafe destination address of the failsafe I/O (drive units in this case) must be unique
for the entire failsafe I/O throughout the network and the CPU (system-wide). The failsafe
I/O of PROFIsafe address type 2, e.g. modules of the ET 200SP type, must also be taken
into account.
● Note also the corresponding documentation in the TIA Portal online help in Section
"SIMATIC Safety - Configuration and programming". (SDR001)

6.3.4 Telegram format

The PROFIsafe telegram received at the Control Unit is displayed in r9768, and the PROFIsafe
telegram to be sent, in parameter r9769.

Structure of telegram 30
Telegram 30 transfers safety control word 1 (S_STW1) and safety status word 1 (S_ZSW1) as
user data. It is structured as follows:

        Output data      Input data
PZD1    S_STW1           S_ZSW1

Structure of telegram 31
Telegram 31 transfers safety control word 2 (S_STW2) and safety status word 2 (S_ZSW2) as
user data. It is structured as follows:

        Output data      Input data
PZD1    S_STW2           S_ZSW2
PZD2

Structure of telegram 901


Telegram 901 transfers the S_STW2, the variable SLS limit (S_SLS_LIMIT_A), the S_ZSW2,
the active SLS value of level 1 (S_SLS_LIMIT_A_ACTIVE), a counter value
(S_CYCLE_COUNT) and the safe position value in 16-bit format (S_XIST16) as user data. It is
structured as follows:

        Output data      Input data
PZD1    S_STW2           S_ZSW2
PZD2
PZD3    S_SLS_LIMIT_A    S_SLS_LIMIT_A_ACTIVE
PZD4    –                S_CYCLE_COUNT
PZD5    –                S_XIST16

Structure of telegram 902


Telegram 902 transfers the following user data:
● S_STW2
● Variable SLS limit (S_SLS_LIMIT_A)
● S_ZSW2
● Active SLS value of level 1 (S_SLS_LIMIT_A_ACTIVE)
● One count value (S_CYCLE_COUNT)
● The safe position value in 32-bit format (S_XIST32).
Telegram 902 is structured as follows:

        Output data      Input data
PZD1    S_STW2           S_ZSW2
PZD2
PZD3    S_SLS_LIMIT_A    S_SLS_LIMIT_A_ACTIVE
PZD4    –                S_CYCLE_COUNT
PZD5    –                S_XIST32
PZD6

Telegram 902 can only be used if the higher-level controller (F-host) can process 32-bit values.

Note
Telegram 902 for SIEMENS products
STEP 7 Safety in the TIA Portal can process this value. However, Distributed Safety in older
STEP 7 versions cannot do this.

Structure of telegram 903


Telegram 903 transmits the following user data: S_STW2, S_SLS_LIMIT_A, S_ZSW2,
S_ZSW_CAM1 and S_SLS_LIMIT_A_ACTIVE.
Telegram 903 is structured as follows:

        Output data      Input data
PZD1    S_STW2           S_ZSW2
PZD2
PZD3    S_SLS_LIMIT_A    S_ZSW_CAM1
PZD4    –
PZD5    –                S_SLS_LIMIT_A_ACTIVE

6.3.5 Process data

6.3.5.1 S_STW1 and S_ZSW1 (Basic Functions)

Safety control word 1 (S_STW1)


S_STW1, output signals
see function chart [2806].

Table 6-5 Description of safety control word 1 (S_STW1)

Byte  Bit      Meaning                          Remarks
0     0        STO                              1    Deselect STO
                                                0    Select STO
      1        SS1                              1    Deselect SS1
                                                0    Select SS1
      2        SS2                              0    – 1)
      3        SOS                              0    – 1)
      4        SLS                              0    – 1)
      5        Reserved                         –    –
      6        SLP                              0    – 1)
      7        Internal Event ACK               1/0  Acknowledgment
                                                0    No acknowledgment
1     0        SLA                              0    – 1)
      1        Select SLS bit 0                 0    – 1)
      2        Select SLS bit 1                 0
      3        Reserved                         –    –
      4        SDI positive                     0    – 1)
      5        SDI negative                     0
      6, 7     Reserved                         –    –

1) Signals not relevant for Basic Functions: Should be set to "0".

Safety status word 1 (S_ZSW1)


S_ZSW1, input signals
see function diagram [2806].

Table 6-6 Description of safety status word 1 (S_ZSW1)

Byte  Bit      Meaning                          Remarks
0     0        STO active                       1    STO active
                                                0    STO not active
      1        SS1 active                       1    SS1 active
                                                0    SS1 not active
      2        SS2 active                       0    – 1)
      3        SOS active                       0    – 1)
      4        SLS active                       0    – 1)
      5        Reserved                         –    –
      6        SLP active                       0    – 1)
      7        Internal Event                   1    Internal event
                                                0    No internal event
1     0        SLA active                       0    – 1)
      1        Active SLS level bit 0           0    – 1)
      2        Active SLS level bit 1           0
      3        SOS selected                     0    – 1)
      4        SDI positive active              0    – 1)
      5        SDI negative active              0    – 1)
      6        Reserved                         –    –
      7        SSM (speed below limit value)    0    – 1)

1) Signals not relevant for Basic Functions: It is not permissible that they are evaluated.
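
The following added example (not Siemens code) decodes the two words of telegram 30 for Basic Functions according to Tables 6-5 and 6-6. It shows that selection is low-active (an all-zero control word selects STO and SS1, with STO taking priority), reports control bits that should be "0" but are set, and exposes only the status bits that may be evaluated. Assumptions: data[n] corresponds to "Byte n" of the tables; function names and sample frames are constructed.

```python
# Added example (not Siemens code). Bit positions follow Tables 6-5 and 6-6.
# Assumption: data[n] is "Byte n" of the tables. Sample frames are constructed.

# (byte, bit) -> signal: control bits that should be "0" with Basic Functions.
STW1_NOT_RELEVANT = {
    (0, 2): "SS2", (0, 3): "SOS", (0, 4): "SLS", (0, 6): "SLP",
    (1, 0): "SLA", (1, 1): "Select SLS bit 0", (1, 2): "Select SLS bit 1",
    (1, 4): "SDI positive", (1, 5): "SDI negative",
}
# (byte, bit) -> signal: status bits that may be evaluated with Basic Functions.
ZSW1_BASIC = {
    (0, 0): "STO active", (0, 1): "SS1 active", (0, 7): "Internal Event",
}


def _bit(data, byte, bit):
    return (data[byte] >> bit) & 1


def decode_stw1_basic(data):
    """Decode S_STW1 (2 bytes) as sent by the F-host for Basic Functions."""
    if len(data) != 2:
        raise ValueError("S_STW1 consists of 2 bytes")
    sto = _bit(data, 0, 0) == 0        # 0 = select, 1 = deselect
    ss1 = _bit(data, 0, 1) == 0
    return {
        "sto_selected": sto,
        "ss1_selected": ss1,
        # STO takes priority if SS1 and STO are selected simultaneously.
        "effective": "STO" if sto else "SS1" if ss1 else None,
        "ack_bit": _bit(data, 0, 7),
        "nonzero_not_relevant": sorted(
            name for (by, bi), name in STW1_NOT_RELEVANT.items()
            if _bit(data, by, bi)),
    }


def decode_zsw1_basic(data):
    """Decode S_ZSW1 (2 bytes); non-relevant status bits are masked out."""
    if len(data) != 2:
        raise ValueError("S_ZSW1 consists of 2 bytes")
    return {name: bool(_bit(data, by, bi))
            for (by, bi), name in ZSW1_BASIC.items()}


def ack_falling_edges(control_words):
    """Indexes at which Internal Event ACK changes 1 -> 0 (the 1/0 entry)."""
    bits = [_bit(word, 0, 7) for word in control_words]
    return [i for i in range(1, len(bits)) if bits[i - 1] == 1 and bits[i] == 0]


if __name__ == "__main__":
    print(decode_stw1_basic(bytes([0x00, 0x00])))   # everything selected
    print(decode_stw1_basic(bytes([0x17, 0x10])))   # stray non-relevant bits
    print(decode_zsw1_basic(bytes([0x81, 0xFF])))
```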

6.3.5.2 S_STW2 and S_ZSW2 (Basic Functions)

Safety control word 2 (S_STW2)


S_STW2, output signals
see function diagram [2806].

Table 6-7 Description of safety control word 2 (S_STW2)

Byte  Bit      Meaning                          Remarks
0     0        STO                              1    Deselect STO
                                                0    Select STO
      1        SS1                              1    Deselect SS1
                                                0    Select SS1
      2        SS2                              0    – 1)
      3        SOS                              0    – 1)
      4        SLS                              0    – 1)
      5        Reserved                         –    –
      6        SLP                              0    – 1)
      7        Internal Event ACK               1/0  Acknowledgment
                                                0    No acknowledgment
1     0        SLA active                       0    – 1)
      1        Select SLS bit 0                 0    – 1)
      2        Select SLS bit 1                 0
      3        Reserved                         –    –
      4        SDI positive                     0    – 1)
      5        SDI negative                     0    – 1)
      6, 7     Reserved                         –    –
2     0 ... 2  Reserved                         –    –
      3        Select SLP position range        0    – 1)
      4 ... 6  Reserved                         –    –
      7        SCA                              0    – 1)
3     0        Select gearbox stage, bit 0      0    – 1)
      1        Select gearbox stage, bit 1      0    – 1)
      2        Select gearbox stage, bit 2      0    – 1)
      3        Gearbox stage switchover         0    – 1)
      4        SS2E                             0    – 1)
      5, 6, 7  Reserved                         –    –

1) Signals not relevant to Basic Functions should be set to "0".

Safety status word 2 (S_ZSW2)


S_ZSW2, input signals
see function diagram [2806].

Table 6-8 Description of safety status word 2 (S_ZSW2)

Byte  Bit      Meaning                          Remarks
0     0        STO active                       1    STO active
                                                0    STO not active
      1        SS1 active                       1    SS1 active
                                                0    SS1 not active
      2        SS2 active                       0    – 1)
      3        SOS active                       0    – 1)
      4        SLS active                       0    – 1)
      5        Reserved                         –    –
      6        SLP active                       0    – 1)
      7        Internal Event                   1    Internal event
                                                0    No internal event
1     0        SLA active                       0    – 1)
      1        Active SLS level, bit 0          0    – 1)
      2        Active SLS level, bit 1          0
      3        Reserved                         –    –
      4        SDI positive active              0    – 1)
      5        SDI negative active              0    – 1)
      6, 7     Reserved                         –    –
      7        SSM (speed)                      0    – 1)
2     0 ... 2  Reserved                         –    –
      3        SLP active position range        0    – 1)
      4, 5     Reserved                         –    –
      6        Safe position valid              0    – 1)
      7        Safely referenced                0    – 1)
3     0 ... 2  F-DI 0 ... 2 2)                  0    – 1)
      3        Reserved                         –    –
      4        SS2E active                      0    – 1)
      5        SOS selected                     0    – 1)
      6        SLP upper limit maintained       0    – 1)
      7        SLP lower limit maintained       0    – 1)

1) Signals not relevant for Basic Functions: It is not permissible that they are evaluated.
2) Only valid for CU310-2.

6.3.5.3 S_STW1 and S_ZSW1 (Extended/Advanced Functions)

Safety control word 1 (S_STW1)


S_STW1, output signals
see function chart [2842].

Table 6-9 Description of safety control word 1 (S_STW1)

Byte  Bit      Meaning                          Remarks
0     0        STO                              1    Deselect STO
                                                0    Select STO
      1        SS1                              1    Deselect SS1
                                                0    Select SS1
      2        SS2                              1    Deselect SS2
                                                0    Select SS2
      3        SOS                              1    Deselect SOS
                                                0    Select SOS
      4        SLS                              1    Deselect SLS
                                                0    Select SLS
      5        Reserved                         –    –
      6        SLP 1)                           1    Deselect SLP
                                                0    Select SLP
      7        Internal Event ACK               1/0  Acknowledgment
                                                0    No acknowledgment
1     0        SLA                              1    Deselect SLA
                                                0    Select SLA
      1        Select SLS bit 0                 –    Select speed limit for SLS (2 bits)
      2        Select SLS bit 1                 –
      3        Reserved                         –    –
      4        SDI positive                     1    Deselect SDI positive
                                                0    Select SDI positive
      5        SDI negative                     1    Deselect SDI negative
                                                0    Select SDI negative
      6, 7     Reserved                         –    –

1) Signals not relevant for Extended Functions: It is not permissible that they are evaluated.

Safety status word 1 (S_ZSW1)


S_ZSW1, input signals
see function diagram [2842].

Table 6-10 Description of safety status word 1 (S_ZSW1)

Byte  Bit      Meaning                          Remarks
0     0        STO active                       1    STO active
                                                0    STO not active
      1        SS1 active                       1    SS1 active
                                                0    SS1 not active
      2        SS2 active                       1    SS2 active
                                                0    SS2 not active
      3        SOS active                       1    SOS active
                                                0    SOS not active
      4        SLS active                       1    SLS active
                                                0    SLS not active
      5        Reserved                         –    –
      6        SLP active 1)                    1    SLP active
                                                0    SLP not active
                                                –    The status signal "SLP active" is not the same as
                                                     the diagnostic signal "SLP active" (r9722.6), but
                                                     is the AND logic operation of "SLP active"
                                                     (r9722.6) and "safely referenced" (r9722.23).
      7        Internal Event                   1    Internal event
                                                0    No internal event
1     0        SLA active                       1    SLA active
                                                0    SLA not active
      1        Active SLS level bit 0           –    Display of the speed limit for SLS (2 bits)
      2        Active SLS level bit 1           –
      3        SOS selected                     1    SOS selected
                                                0    SOS deselected
      4        SDI positive active              1    SDI positive active
                                                0    SDI positive not active
      5        SDI negative active              1    SDI negative active
                                                0    SDI negative not active
      6        Reserved                         –    –
      7        SSM (speed)                      1    SSM (speed below limit value)
                                                0    SSM (speed higher than/equal to limit)

1) Signals not relevant for Extended Functions: It is not permissible that they are evaluated.

6.3.5.4 S_STW2 and S_ZSW2 (Extended/Advanced Functions)

Safety control word 2 (S_STW2)


S_STW2, output signals
see function diagram [2843].

Table 6-11 Description of safety control word 2 (S_STW2)

Byte  Bit      Meaning                          Remarks
0     0        STO                              1    Deselect STO
                                                0    Select STO
      1        SS1                              1    Deselect SS1
                                                0    Select SS1
      2        SS2                              1    Deselect SS2
                                                0    Select SS2
      3        SOS                              1    Deselect SOS
                                                0    Select SOS
      4        SLS                              1    Deselect SLS
                                                0    Select SLS
      5        Reserved                         –    –
      6        SLP 1)                           1    Deselect SLP
                                                0    Select SLP
      7        Internal Event ACK               1/0  Acknowledgment
                                                0    No acknowledgment
1     0        SLA                              1    Deselect SLA
                                                0    Select SLA
      1        Select SLS bit 0                 –    Select speed limit for SLS (2 bits)
      2        Select SLS bit 1                 –
      3        Reserved                         –    –
      4        SDI positive                     1    Deselect SDI positive
                                                0    Select SDI positive
      5        SDI negative                     1    Deselect SDI negative
                                                0    Select SDI negative
      6, 7     Reserved                         –    –
2     0 ... 2  Reserved                         –    –
      3        Select SLP position range 1)     1    Select SLP area 2 (SLP2)
                                                0    Select SLP area 1 (SLP1)
      4 ... 6  Reserved                         –    –
      7        SCA 1)                           1    Deselect SCA
                                                0    Select SCA
3     0        Select gearbox stage, bit 0      –    Select gearbox stage (3 bits)
      1        Select gearbox stage, bit 1      –
      2        Select gearbox stage, bit 2      –
      3        Gearbox stage switchover         1    With increased position tolerance
                                                0    Without increased position tolerance
      4        SS2E                             1    Deselect SS2E
                                                0    Select SS2E
      5        SS2ESR                           1    Deselect SS2ESR
                                                0    Select SS2ESR
      6, 7     Reserved                         –    –

1) Signals not relevant for Extended Functions: It is not permissible that they are evaluated.

Safety status word 2 (S_ZSW2)


S_ZSW2, input signals
see function diagram [2843].

Table 6-12 Description of safety status word 2 (S_ZSW2)

Byte  Bit      Meaning                          Remarks
0     0        STO active                       1    STO active
                                                0    STO not active
      1        SS1 active                       1    SS1 active
                                                0    SS1 not active
      2        SS2 active                       1    SS2 active
                                                0    SS2 not active
      3        SOS active                       1    SOS active
                                                0    SOS not active
      4        SLS active                       1    SLS active
                                                0    SLS not active
      5        Reserved                         –    –
      6        SLP active 1)                    1    SLP active
                                                0    SLP not active
                                                –    The status signal "SLP active" is not the same as
                                                     the diagnostic signal "SLP active" (r9722.6), but
                                                     is the AND logic operation of "SLP active"
                                                     (r9722.6) and "safely referenced" (r9722.23).
      7        Internal Event                   1    Internal event
                                                0    No internal event
1     0        SLA active                       1    SLA active
                                                0    SLA not active
      1        Active SLS level bit 0           –    Display of the speed limit for SLS (2 bits)
      2        Active SLS level bit 1           –
      3        Reserved                         –    –
      4        SDI positive active              1    SDI positive active
                                                0    SDI positive not active
      5        SDI negative active              1    SDI negative active
                                                0    SDI negative not active
      6        Reserved                         –    –
      7        SSM (speed)                      1    SSM (speed below limit value)
                                                0    SSM (speed higher than/equal to limit)
2     0 ... 2  Reserved                         –    –
      3        SLP active position range 1)     1    SLP area 2 (SLP2) active
                                                0    SLP area 1 (SLP1) active
                                                –    The status signal "SLP active position range"
                                                     always corresponds to the diagnostic signal "SLP
                                                     active position range" (r9722.19).
      4, 5     Reserved                         –    –
      6        Safe position valid              1    Safe position valid
                                                0    Safe position invalid
      7        Safely referenced                1    Safe position is applicable as "safely referenced"
                                                0    Safe position is not applicable as "safely
                                                     referenced"
3     0        F-DI 0 2)                        1    F-DI 0 inactive
                                                0    F-DI 0 active
      1        F-DI 1 2)                        1    F-DI 1 inactive
                                                0    F-DI 1 active
      2        F-DI 2 2)                        1    F-DI 2 inactive
                                                0    F-DI 2 active
      3        SS2ESR                           1    SS2ESR active
                                                0    SS2ESR not active
      4        SS2E active                      1    SS2E active
                                                0    SS2E not active
      5        SOS selected                     1    SOS selected
                                                0    SOS deselected
      6        SLP upper limit maintained 1)    1    SLP: Upper limit maintained
                                                0    SLP: Upper limit not maintained
                                                –    The status signal "upper SLP limit maintained"
                                                     always corresponds to the diagnostic signal
                                                     "upper SLP limit maintained" (r9722.30).
      7        SLP lower limit maintained 1)    1    SLP: Lower limit maintained
                                                0    SLP: Lower limit not maintained
                                                –    The status signal "lower SLP limit maintained"
                                                     always corresponds to the diagnostic signal
                                                     "lower SLP limit maintained" (r9722.31).

1) Signals not relevant for Extended Functions: It is not permissible that they are evaluated.
2) Only valid for CU310-2.

6.3.5.5 Additional process data

S_SLS_LIMIT_A
● PZD3 in telegrams 901, 902 and 903, output signals
● SLS limit value input
● Value range 1 ... 32767; 32767 ≙ 100% of the 1st SLS level

S_SLS_LIMIT_A_ACTIVE
● PZD3 in telegrams 901, 902 and 903, output signals
● Active SLS limit value
● Value range 1 ... 32767; 32767 ≙ 100%
● Must only be evaluated if SLS 1 is active and p9501.24 = 1.

S_CYCLE_COUNT
● PZD4 in telegrams 901 and 902, input signals
● Counter for the safety cycle
● Value range -32768 ... +32767
● May only be evaluated if the transfer of safe position values is active (p9501.25 = 1) and the
position value is valid (r9722.22 = r9722.23 = 1).

S_XIST16
● PZD5 in telegram 901, input signals
● Current actual position value (16 bits)
● Value range ±32767
● Scaling using p9574
Note
Scaling
The position value transferred in S_XIST16 must not exceed the value range that can be
represented. For this reason, a scaling factor can be assigned to the safe position value of
the drive (r9713[0]). The position value is divided by this factor before transfer.
As a consequence, a wider value range can be transferred with reduced accuracy.
Example: For a position of -29.999 mm signaled in r9708[0] and r9708[1] and a scaling
factor of p9x74 = 1000, a numerical value of -29 is signaled to the controller.

● S_XIST16 must only be evaluated if the transfer of safe position values is active
(p9501.25 = 1) and the position value is valid (r9722.22 = r9722.23 = 1).

S_XIST32
● PZD5 and PZD6 in telegram 902, input signals
● Current actual position value (32 bits)
● Value range ±737280000
● Unit: 1 μm (linear axis), 0.001 ° (rotary axis)
● S_XIST32 must only be evaluated if the transfer of safe position values is active
(p9501.25 = 1) and the position value is valid (r9722.22 = r9722.23 = 1).

S_ZSW_CAM1
S_ZSW_CAM1, Safe Cam
see function diagram [2844].

Table 6-13 Description of Safety status word Safe Cam (S_ZSW_CAM1)

Byte  Bit      Meaning                          Remarks
0     0        Position at cam 1                1    Position is at cam 1
                                                0    Position is not at cam 1
      1        Position at cam 2                1    Position is at cam 2
                                                0    Position is not at cam 2
      2        Position at cam 3                1    Position is at cam 3
                                                0    Position is not at cam 3
      3        Position at cam 4                1    Position is at cam 4
                                                0    Position is not at cam 4
      4        Position at cam 5                1    Position is at cam 5
                                                0    Position is not at cam 5
      5        Position at cam 6                1    Position is at cam 6
                                                0    Position is not at cam 6
      6        Position at cam 7                1    Position is at cam 7
                                                0    Position is not at cam 7
      7        Position at cam 8                1    Position is at cam 8
                                                0    Position is not at cam 8
1     0        Position at cam 9                1    Position is at cam 9
                                                0    Position is not at cam 9
      1        Position at cam 10               1    Position is at cam 10
                                                0    Position is not at cam 10
      2        Position at cam 11               1    Position is at cam 11
                                                0    Position is not at cam 11
      3        Position at cam 12               1    Position is at cam 12
                                                0    Position is not at cam 12
      4        Position at cam 13               1    Position is at cam 13
                                                0    Position is not at cam 13
      5        Position at cam 14               1    Position is at cam 14
                                                0    Position is not at cam 14
      6        Position at cam 15               1    Position is at cam 15
                                                0    Position is not at cam 15
      7        Position at cam 16               1    Position is at cam 16
                                                0    Position is not at cam 16
2     0        Position at cam 17               1    Position is at cam 17
                                                0    Position is not at cam 17
      1        Position at cam 18               1    Position is at cam 18
                                                0    Position is not at cam 18
      2        Position at cam 19               1    Position is at cam 19
                                                0    Position is not at cam 19
      3        Position at cam 20               1    Position is at cam 20
                                                0    Position is not at cam 20
      4        Position at cam 21               1    Position is at cam 21
                                                0    Position is not at cam 21
      5        Position at cam 22               1    Position is at cam 22
                                                0    Position is not at cam 22
      6        Position at cam 23               1    Position is at cam 23
                                                0    Position is not at cam 23
      7        Position at cam 24               1    Position is at cam 24
                                                0    Position is not at cam 24
3     0        Position at cam 25               1    Position is at cam 25
                                                0    Position is not at cam 25
      1        Position at cam 26               1    Position is at cam 26
                                                0    Position is not at cam 26
      2        Position at cam 27               1    Position is at cam 27
                                                0    Position is not at cam 27
      3        Position at cam 28               1    Position is at cam 28
                                                0    Position is not at cam 28
      4        Position at cam 29               1    Position is at cam 29
                                                0    Position is not at cam 29
      5        Position at cam 30               1    Position is at cam 30
                                                0    Position is not at cam 30
      6        SCA active                       1    SCA is active
                                                0    SCA is not active
      7        Validity of the values from SCA  1    Values from SCA are valid
                                                0    Values from SCA are not valid

6.3.6 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2840 SI functions - SI Motion drive-integrated control signals/status signals
● 2858 SI functions, control via PROFIsafe (p9601.2 = p9601.3 = 1)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9562[0...1] SI Motion SLP (SE) stop response (Control Unit)
● p9563[0...3] SI Motion SLS (SG)-specific stop response (Control Unit)
● p9566 SI Motion SDI stop response (Control Unit)
● p9580 SI Motion stop response delay bus failure (Control Unit)
● p9601 SI enable functions integrated in the drive (Control Unit)
● p9610 SI PROFIsafe address (Control Unit)
● p9611 SI PROFIsafe telegram selection (Control Unit)
● p9612 SI PROFIsafe failure response (Control Unit)
● p60022 Selecting a PROFIsafe telegram

6.4 Control via TM54F

Note
Commissioning TM54F
● TM54F is not yet available in Startdrive.
● You can find information on commissioning with STARTER in older editions of this manual.

The TM54F is a terminal expansion module for snapping onto a DIN EN 60715 mounting rail.
The TM54F features failsafe digital inputs and outputs for controlling and signaling the states
of the Safety Integrated Basic, Extended and Advanced Functions.

Note
DRIVE-CLiQ line of the TM54F
● A TM54F must be connected directly to a Control Unit via DRIVE-CLiQ.
● Each Control Unit can be assigned only one TM54F which is connected via DRIVE-CLiQ.
● Additional DRIVE-CLiQ nodes can be operated at the TM54F, such as Sensor Modules and
Terminal Modules (excluding an additional TM54F). It is not permissible that Motor Modules
and Line Modules are connected to a TM54F.
● In the case of a CU310-2 Control Unit, it is not possible to connect the TM54F to the DRIVE-
CLiQ line of a Power Module. The TM54F can only be connected to the sole DRIVE‑CLiQ
X100 socket of the Control Unit.

Overview of the TM54F interfaces

Type                                                                                Number
Failsafe digital outputs (F-DO)                                                     4
Failsafe digital inputs (F-DI)                                                      10
Sensor 1) power supplies, dynamic response 2) supported                             2
Sensor 1) power supply, no dynamic response                                         1
Digital inputs for checking the F-DO for the forced checking procedure (test stop)  4

1) Sensors: Failsafe devices for command operations and sensing (e.g. Emergency Stop pushbuttons,
safety door locks, position switches, and light arrays / light curtains).
2) Dynamic response: The sensor power supply is switched on and off by the TM54F when the forced
checking procedure (test stop) is active for the sensors, cable routing, and the evaluation electronics.

The TM54F provides four failsafe digital outputs and ten failsafe digital inputs. A failsafe digital
output consists of a 24 VDC switching output, an output switching to ground and a digital input
for reading back the switching state. A failsafe digital input is made up of 2 digital inputs.

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2890 SI TM54F - overview

6.4.1 Assigning Safety Integrated Functions to the F-DI/TM54F


The following table provides you with an overview of which Safety Integrated functions you can
control with which F‑DI/F‑DO (onboard or TM54F).

Table 6-14 Assigning Safety Integrated functions to F-DI/F-DO (onboard or TM54F)

Safety function                  Onboard F-DI/F-DO   TM54F F-DI/F-DO
STO                              x                   x
SS1                              x                   x
SOS                              x                   x
SS2                              x                   x
SS2E                             -                   -
SLS                              x                   x
SSM 1)                           x                   x
SDI                              x                   x
SLP                              x                   x
SCA                              -                   -
SLA                              -                   -
SP                               -                   -
Safe gearbox stage switchover    -                   -

1) As feedback signal in S_ZSW1 and S_ZSW2

6.4.2 Fault acknowledgment


You have the following options for acknowledging TM54F faults after troubleshooting:
● POWER ON
● Falling edge of the signal "Internal Event ACK" with subsequent acknowledgment on the
Control Unit ("fail-safe acknowledgment")

6.4.3 Overview of the F-DIs

Description
Failsafe digital inputs (F-DI) consist of 2 digital inputs. At the 2nd digital input, the cathode (M)
of the optocoupler is additionally brought out to enable connection of an output of a failsafe
controller grounded through a switch. (The anode must be connected to 24 V DC.)
Parameter p10040 is used to determine whether an F-DI is operated as NC/NC or NC/NO
contact. The status of each DI can be read at parameter r10051. The bits of both drive objects
are logically AND'ed and return the status of the relevant F-DI.
Test signals from F-DOs and interference pulses can be filtered out using the input filter
(p10017), so that they do not cause any faults.

Explanation of terms:
NC contact / NC contact: To select the safety function, a "zero level" must be present at both
inputs.
NC contact / NO contact: To select the safety function, a "zero level" must be present at input
1 and a "1 level" at input 2.
The signal states at the two associated digital inputs (F-DI) must assume the same status
configured in p10040 within the monitoring time set in p10002.
To enable the forced checking procedure (test stop), connect the digital inputs of F-DI 0 ... 4 of
the TM54F to the dynamic voltage supply L1+ and the digital inputs of F-DI 5 ... 9 to L2+.
Additional information for the forced checking procedure (test stop) is provided in Chapter
"General (Page 174)".

Table 6-15 Overview of the failsafe inputs in the SINAMICS S120/S150 List Manual:

Module  Function diagram  Inputs
TM54F   2893              F-DI 0 ... 4
        2894              F-DI 5 ... 9

F-DI features
● Failsafe configuration with 2 digital inputs per F-DI
● Input filter to block test signals with an adjustable suppression time (p10017), see Chapter
"Bit pattern test (Page 214)".
● Configurable connection of NC/NC or NC/NO contacts by means of p10040
● Status parameter r10051
● Adjustable time window for monitoring discrepancy at both digital inputs by means of
parameter p10002 for all F-DIs

Note
Discrepancy time
To prevent fault messages from being triggered incorrectly ("nuisance tripping"), the
discrepancy time at these inputs must always be set to less than the shortest time between
2 switching events (ON/OFF, OFF/ON) (see also the following diagram "Discrepancy time").
Further notes for setting the discrepancy time are contained in the "SINAMICS S120/S150 List
Manual" for the following messages:
● F01611 (Basic Functions)
● C01770 (Extended/Advanced Functions)

[Figure: timing diagram over time t with the labels TD, TR and "Switching interval TS". To be maintained: TS > TD > TR]

TS Switching interval
TD Discrepancy time
TR Response time
Figure 6-5 Discrepancy time

● Second digital input with additional tap of the optocoupler cathode for connecting a ground-
switching output of a failsafe controller.
● The signal states of the two digital inputs of the F-DIs are frozen at logical 0 (safety function
selected) when different signal states are present within a failsafe F-DI until a safe
acknowledgment has been carried out by means of an F-DI via parameter p10006 (SI
acknowledgment internal event input terminal).
● The monitoring time (p10002) for the discrepancy of the two digital inputs of an F-DI may
have to be increased so that switching operations do not trigger an undesired response,
thereby necessitating a safe acknowledgment. The signal states at the two associated
digital inputs (F-DI) must therefore have the same state within this monitoring time;
otherwise, fault F35151 "TM54F: Discrepancy error" is output. This
requires safe acknowledgment.
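
The following added example (not Siemens code) replays a timeline of input levels through the discrepancy monitoring described above: NC/NC or NC/NO evaluation as set in p10040, the monitoring time p10002, the F35151 fault and the freeze at logical 0. Assumptions: times are given in milliseconds, a discrepancy of exactly p10002 is still tolerated, acknowledgment via p10006 is not modelled, and all function names and timelines are constructed.

```python
# Added example (not Siemens code). p10002 and p10040 are the manual's
# parameters; the event format, the millisecond unit, the function names and
# the timelines are assumptions. Acknowledgment via p10006 is not modelled,
# so a fault stays latched until the end of the replay.

def normalise(in1, in2, mode):
    """Map raw levels so that 0 means 'safety function selected' on both."""
    if mode == "NC/NC":
        return in1, in2              # zero level at both inputs selects
    if mode == "NC/NO":
        return in1, 1 - in2          # input 2 selects with a "1 level"
    raise ValueError(f"unknown p10040 mode: {mode}")


def monitor_fdi(events, p10002_ms, mode, until_ms):
    """Replay (t_ms, in1, in2) events, sorted by time, up to until_ms.

    Returns (log, fault_at_ms). log holds (t_ms, f_di_status) entries;
    fault_at_ms is the time at which F35151 would be output, or None.
    """
    log, differ_since, fault_at = [], None, None
    for t, in1, in2 in list(events) + [(until_ms, None, None)]:
        # A discrepancy that outlived p10002 trips before this point in time.
        if (fault_at is None and differ_since is not None
                and t - differ_since > p10002_ms):
            fault_at = differ_since + p10002_ms
            log.append((fault_at, 0))
        if in1 is None:              # end marker, no further input change
            break
        a, b = normalise(in1, in2, mode)
        if a != b:
            differ_since = t if differ_since is None else differ_since
        else:
            differ_since = None
        # After a fault the F-DI is frozen at logical 0 (function selected).
        # Otherwise both channels are ANDed: one low channel already selects.
        log.append((t, 0 if fault_at is not None else a & b))
    return log, fault_at


# Constructed timelines, p10002 = 500 ms.
CLEAN_SWITCHING = [(0, 1, 1), (1000, 0, 1), (1200, 0, 0), (5000, 1, 0), (5100, 1, 1)]
STUCK_CHANNEL = [(0, 1, 1), (1000, 0, 1), (3000, 1, 1)]

if __name__ == "__main__":
    print(monitor_fdi(CLEAN_SWITCHING, 500, "NC/NC", 6000))
    print(monitor_fdi(STUCK_CHANNEL, 500, "NC/NC", 4000))
```

In the second timeline both channels agree again at 3000 ms, but the status stays at 0 because the fault was latched at 1500 ms.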

WARNING
Unwanted movement due to incorrect signal states as a result of diagnostic currents in the
switched-off state (logical state "0" or "OFF")
Unlike mechanical switching contacts, e.g. emergency stop switches, diagnostic currents can
also flow when the semiconductor is in the switched-off state. If interconnection with digital
inputs is faulty, the diagnostic currents can result in incorrect switching states. Incorrect signal
states of digital inputs can cause unwanted movements of machine parts and result in serious
injury or death.
● Observe the conditions of digital inputs and digital outputs specified in the relevant
manufacturer documentation.
● Check the conditions of the digital inputs and digital outputs with regard to currents in the
"OFF" state and if necessary connect the digital inputs to suitably dimensioned, external
resistors to protect against the reference potential of the digital inputs.

More information on this topic is available on the Internet at: Parameterizing and configuring
safety hardware (https://support.industry.siemens.com/cs/ww/en/view/39700013)

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2893 SI TM54F - Failsafe digital inputs (F-DI 0 ... F-DI 4)
● 2894 SI TM54F - Failsafe digital inputs (F-DI 5 ... F-DI 9)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p10002 SI TM54F F-DI switchover discrepancy time
● p10017 SI TM54F digital inputs debounce time
● p10040 SI TM54F F-DI input mode
● r10051.0...9 CO/BO: SI TM54F digital inputs, status

6.4.4 Function of the F-DO

6.4.4.1 Overview of the F-DOs


Failsafe digital outputs (F-DO) consist of 2 digital outputs and 1 digital input that checks the
switching state for forced checking procedure (test stop). The 1st digital output switches 24 V
DC, and the 2nd switches the ground of the power supply of X514 (TM54F).
The status of each F-DO can be read at parameter r10052. The status of the associated DI can
be read at parameter r10053 (only available for TM54F_SL (TM54F Slave Module)).
The actuator connected to the F-DO can also be tested under specific conditions as part of
forced checking procedure (test stop). See Chapter "Forced checking procedure (test stop) of
the TM54F (Page 314)".

Table 6-16 Overview of the failsafe outputs in the SINAMICS S120/S150 List Manual:

Module  Function diagram  Outputs       Associated checking inputs
TM54F   2895              F-DO 0 ... 3  DI 20 ... 23

6.4.4.2 Signal sources


A drive group contains several drives with similar characteristics. The groups are
parameterized at the p10010 and p10011 parameters.
The following signals are available for interconnecting (p10042, ..., p10045) each one of the
four drive groups with the F-DO:

● STO active
● SS1 active
● SS2 active
● SOS active
● SLS active
● SSM feedback active
● Safe State
● SOS selected
● Active SLS level bit 0
● Active SLS level bit 1
● SDI positive active
● SDI negative active
● SLP active
● Active SLP area
● Internal event

The following (safe state) signals can be requested via p10039[0...3] for each drive group
(index 0 corresponds with drive group 1 etc.):

● STO active (power removed/pulses suppressed)
● SS1 active
● SS2 active
● SOS active
● SLS active
● SLP active
● SDI positive active
● SDI negative active

[Figure: logic diagram. Inputs: "Pulse deleted", "SS1 active", "SS2 active", "SOS active", "SLS active", "SDI positive active", "SDI negative active", "SLP active". Output: "Safe state" of drive group x.]

Figure 6-6 Safe state selection (example Extended/Advanced Functions)

The same signals (high-active) of each drive or drive group are logically linked by means of
an AND operation. The different signals selected via p10039 are logically OR'ed. The result of
these logic operations is the "Safe State" for each drive group. You will find details in the
SINAMICS S120/S150 List Manual in function diagrams 2901 (Basic Functions) and 2906
(Extended/Advanced Functions).
Each F-DO supports the interconnection of up to 6 signals by way of indexing (p10042[0...5] to
p10045[0...5]) and their output as a logical AND operation.

6.4.4.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2893 SI TM54F - Failsafe digital inputs (F-DI 0 ... F-DI 4)
● 2894 SI TM54F - Failsafe digital inputs (F-DI 5 ... F-DI 9)
● 2895 SI TM54F - Failsafe digital outputs (F-DO 0 ... 3), digital inputs (DI 20 ... 23)
● 2900 SI TM54F - Basic Functions control interface (p9601.2/3 = 0, p9601.6 = 1)
● 2901 SI TM54F - Basic Functions Safe State selection
● 2902 SI TM54F - Basic Functions assignment (F-DO 0 ... F-DO 3)
● 2905 SI TM54F - Extended/Advanced Functions control interface (p9601.2 = 1 & p9601.3 = 0)
● 2906 SI TM54F - Extended/Advanced Functions safe state selection
● 2907 SI TM54F - Extended/Advanced Functions assignment (F-DO 0 ... F-DO 3)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p10039[0...3] SI TM54F Safe State signal selection


● p10042[0...5] SI TM54F F-DO 0 signal sources
● p10043[0...5] SI TM54F F-DO 1 signal sources
● p10044[0...5] SI TM54F F-DO 2 signal sources
● p10045[0...5] SI TM54F F-DO 3 signal sources
● r10051.0...9 CO/BO: SI TM54F digital inputs, status
● r10052.0...3 CO/BO: SI TM54F digital outputs, status
● r10053.0...3 CO/BO: SI TM54F digital inputs 20 ... 23, status

6.5 Communication failure via PROFIsafe or with TM54F

Factory setting for the response to communication failure


In the following cases, the drive responds with a STOP A.
● PROFIsafe communication to the higher-level control has failed.
● DRIVE-CLiQ communication with the TM54F has failed.

6.5.1 STOP B as response to communication failure with PROFIsafe control

Communication failure for PROFIsafe control


If the axis coasting down after a communication failure can result in subsequent damage, you
can select that the axis is stopped along a ramp in response to the communication failure
instead of a STOP A.

Communication failure
In this context, communication failure can mean the following:
● Interruption or disturbance in PROFIsafe communication
● The higher-level controller (F-CPU) is in the STOP state

Requirement
You have released the Safety Integrated Extended or Advanced Functions.

Drive response
Parameter p9612 defines the drive stop response when PROFIsafe communication fails:
● p9612 = 0: STOP A
● p9612 = 1: STOP B

Note
If STOP B is selected as the stop response and only the Safety Basic Functions are used,
carefully observe the following to ensure that the OFF3 ramp is actually maintained:
● The selected transition time from STOP F to STOP A (p9658) must be greater than or equal
to the SS1 delay time (p9652).
● If a higher-level control system responds to the drive fault by withdrawing the controller
enable signals, for faults F01611 and F30611, the message type must be changed to alarm
(p2118, p2119).

6.5.2 Initiating ESR for a communication failure

ESR in the event of a communication error


If braking the axis along the braking ramp for a communication failure can result in subsequent
damage, the braking operation can be delayed by a maximum of 800 ms. During this delay time,
the converter can suitably stop the axis using the "Extended stop and retract (ESR)" function.
If communication with the higher-level motion control is working (for example, if the TM54F fails
or the SIMATIC F-CPU with separate motion control fails), retraction can also be performed
during the delay time by the controller. This assumes that retraction is configured on the
controller side; see S_ZSW1B, bit 14 (r9734.14) "ESR retract requested".

Communication failure
In this context, communication failure can mean the following:
● Interruption or disturbance in PROFIsafe communication
● The higher-level controller (SIMATIC F-CPU) is in the STOP state
● Interruption or disturbance in the DRIVE-CLiQ communication for control via TM54F

Preconditions
The following preconditions apply to the drive response subsequently described:
● You have released the Safety Integrated Basic/Extended/Advanced Functions.
● Function module "Extended stop and retract" is activated and enabled.

Drive response
For a communication failure, the converter responds according to the settings of the ESR
function module.
For communication failure, a delay time (p9580) of at most 800 ms can be set. After this time
has elapsed, the frequency converter activates the "Safe Torque Off" function.
Depending on the setting, either stop responses or safety functions can prevent the ESR
response. You must set the safety functions as follows so that they do not influence the
ESR response:

Function  Precondition for the ESR response after communication failure                                          Setting
SLP       As SLP response, a STOP is parameterized with delayed pulse suppression when the bus fails             p9562[0...1] ≥ 10
SLS       As SLS response, a STOP is parameterized with delayed pulse suppression when the bus fails             p9563[0...3] ≥ 10
SDI       As SDI response, a STOP is parameterized with delayed pulse suppression when the bus fails             p9566 ≥ 10
SLA       As SLA response, a STOP is parameterized with delayed pulse suppression when the bus fails             p9579 ≥ 10
---       Adequate STOP F to STOP B transition time if additional faults occur when the communication fails      p9555 ≥ p9580
---       Adequate STOP F to STOP A transition time if additional faults occur when communication fails.         p9658 ≥ p9580
---       Check whether the effective setpoint speed limiting (CO: r9733) is set to zero when STOP F is active.  p9507.1
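The settings in the table above can be checked mechanically against a parameter export. The following Python code is an added example, not part of the manual or of any Siemens tool; the export format (a dict of parameter values), the name audit_esr and the sample values are assumptions, as is the reading that p9555, p9658 and p9580 share one time unit (ms).

```python
"""Audit a parameter export against the ESR-after-communication-failure settings."""

MAX_ESR_DELAY = 800      # ms, upper limit for p9580 stated in the text
MIN_DELAYED_STOP = 10    # settings >= 10: STOP with delayed pulse suppression

# Stop-response parameter of each safety function (from the table above).
RESPONSE_PARAMS = {"SLP": "p9562", "SLS": "p9563", "SDI": "p9566", "SLA": "p9579"}
# Transition times that must not be shorter than the ESR delay p9580.
TRANSITION_PARAMS = {"p9555": "STOP F to STOP B", "p9658": "STOP F to STOP A"}


def audit_esr(params, functions_in_use):
    """Return a list of (parameter, reason) findings; an empty list means OK.

    params: dict parameter name -> value; indexed parameters are lists.
    functions_in_use: safety functions enabled on the axis, e.g. {"SLS", "SDI"}.
    p9507.1 is not evaluated here; it has to be reviewed manually.
    """
    delay = params.get("p9580")
    if delay is None:
        return [("p9580", "missing from export, ESR delay cannot be assessed")]
    findings = []
    if not 0 <= delay <= MAX_ESR_DELAY:
        findings.append(("p9580", f"{delay} ms is outside 0...{MAX_ESR_DELAY} ms"))

    for function, name in RESPONSE_PARAMS.items():
        if function not in functions_in_use:
            continue
        values = params.get(name)
        if values is None:
            findings.append((name, f"missing, {function} stop response unknown"))
            continue
        if isinstance(values, (list, tuple)):
            labelled = [(f"{name}[{i}]", v) for i, v in enumerate(values)]
        else:
            labelled = [(name, values)]
        for label, value in labelled:
            if value < MIN_DELAYED_STOP:
                findings.append((label, f"{value} < {MIN_DELAYED_STOP}: {function} "
                                        "response can prevent the ESR response"))

    for name, meaning in TRANSITION_PARAMS.items():
        value = params.get(name)
        if value is None:
            findings.append((name, f"missing, {meaning} transition time unknown"))
        elif value < delay:
            findings.append((name, f"{meaning} transition time {value} ms is "
                                   f"shorter than p9580 = {delay} ms"))
    return findings


# Constructed sample export: SLS level 3 (index 2) and p9555 violate the table.
SAMPLE = {
    "p9580": 500,
    "p9562": [10, 10],
    "p9563": [12, 10, 1, 10],
    "p9566": 10,
    "p9555": 400,
    "p9658": 500,
}

if __name__ == "__main__":
    for parameter, reason in audit_esr(SAMPLE, {"SLP", "SLS", "SDI"}):
        print(f"{parameter}: {reason}")
```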

6.6 Control of the Extended/Advanced Functions via F-DI (for CU310-2)


The following terminals are provided on the CU310-2:

Table 6-17 Interface overview of the CU310-2

Type                                                                               Number
Failsafe digital outputs (F-DO)                                                    1
Failsafe digital inputs (F-DI)                                                     3
Sensor 1) power supply, no dynamic response                                        1
Digital input for checking the F-DO for the forced checking procedure (test stop)  1
1) Sensors: Failsafe devices for command operations and sensing (e.g. Emergency Stop pushbuttons,
safety door locks, position switches, and light arrays / light curtains).
The CU310-2 has 1 failsafe digital output and 3 failsafe digital inputs. A failsafe digital output
consists of a 24 VDC switching output, an output switching to ground and a digital input for
reading back the switching state. A failsafe digital input is made up of 2 digital inputs.

Note
Fault acknowledgment
You have the following options for acknowledging CU310-2 faults after removing the fault:
● POWER ON
● Falling edge of the signal "Internal Event ACK" with subsequent acknowledgment on the
Control Unit ("failsafe acknowledgment").

The signal states of the two digital inputs of the F-DI are frozen at logical 0 (safety function
selected) when different signal states are present within a failsafe F-DI, until a safe
acknowledgment has been performed through an F-DI via parameter p10006 (SI
acknowledgment internal event input terminal) or the extended message acknowledgment has
been performed.
The monitoring time (p10002) for the discrepancy of the two digital inputs of an F-DI may have
to be increased so that switching operations do not trigger an undesired response, thereby
necessitating a safe acknowledgment. The signal states at the two related digital inputs (F-DI)
will need to have the same state within this monitoring time or fault C01770/C30770 will be
triggered, "discrepancy error" (CU310-2). This requires safe acknowledgment.

Note
Discrepancy time
The discrepancy time must be set so that it is always less than the smallest expected switching
interval of the signal at this F-DI (see also the following diagram "Discrepancy time").
Further notes for setting the discrepancy time are contained in the "SINAMICS S120/S150 List
Manual" for the following messages:
● F01611 (Basic Functions)
● C01770 (Extended/Advanced Functions)

[Timing diagram of switching interval TS, discrepancy time TD and response time TR]
To be maintained: TS > TD > TR

TS Switching interval
TD Discrepancy time
TR Response time
Figure 6-7 Discrepancy time

6.6.1 Assigning Safety Integrated Functions to the F-DI/TM54F


The following table provides you with an overview of which Safety Integrated functions you can
control with which F‑DI/F‑DO (onboard or TM54F).

Table 6-18 Assigning Safety Integrated functions to F-DI/F-DO (onboard or TM54F)

Safety function                Onboard F-DI/F-DO  TM54F F-DI/F-DO
STO                            x                  x
SS1                            x                  x
SOS                            x                  x
SS2                            x                  x
SS2E                           -                  -
SLS                            x                  x
SSM 1)                         x                  x
SDI                            x                  x
SLP                            x                  x
SCA                            -                  -
SLA                            -                  -
SP                             -                  -
Safe gearbox stage switchover  -                  -
1) As feedback signal in S_ZSW1 and S_ZSW2

6.6.2 F-DI function

6.6.2.1 Description
Failsafe digital inputs (F-DI) consist of 2 digital inputs. At the 2nd digital input, the cathode (M)
of the optocoupler is additionally brought out to enable connection of an output of a failsafe
control grounded through a switch. (The anode must be connected to 24 V DC.)

Parameter p10040 is used to determine whether an F-DI is operated as NC/NC or NC/NO contact.
The status of each DI can be read at parameter r10051. The same bits of both drive
objects are logically linked by AND operation and return the status of the relevant F-DI.
Test signals from F-DOs and interference pulses can be filtered out using the input filter
(p10017), so that they do not cause any faults.
Explanation of terms:
NC contact / NC contact: To select the safety function, a "zero level" must be present at both
inputs.
NC contact / NO contact: To select the safety function, a "zero level" must be present at input
1 and a "1 level" at input 2.
The signal states at the two associated digital inputs (F-DI) must assume the same status
configured in p10040 within the monitoring time set in p10002.
The digital inputs of the CU310-2 cannot be dynamized by a test stop.

Table 6-19 Overview of the failsafe inputs in the SINAMICS S120/S150 List Manual:

Module   Function diagram  Inputs
CU310-2  2870              F-DI 0 ... 2

6.6.2.2 F-DI features


● Failsafe configuration with 2 digital inputs per F-DI
● Input filter to block test signals with an adjustable suppression time (p10017), see Chapter
"Bit pattern test (Page 214)".
● Configurable connection of NC/NC or NC/NO contacts by means of parameter p10040
● Status parameter r10051

● Adjustable time window for monitoring discrepancy at both digital inputs by means of
parameter p10002 for all F-DIs
Note
Discrepancy time
To avoid incorrect triggering of fault messages, at these inputs the discrepancy time must
always be set less than the shortest time between 2 switching events (ON/OFF, OFF/ON).
Further notes for setting the discrepancy time (also see the following diagram "Discrepancy
time") are provided in the "SINAMICS S120/S150 List Manual" for the following message:
– F01611 (Basic Functions)
– C01770 (Extended/Advanced Functions)

[Timing diagram of switching interval TS, discrepancy time TD and response time TR]
To be maintained: TS > TD > TR

TS Switching interval
TD Discrepancy time
TR Response time
Figure 6-8 Discrepancy time

● 2nd digital input with additional tap of the optocoupler cathode for connecting an output of
a failsafe control grounded through a switch.

WARNING
Unwanted movement due to incorrect signal states as a result of diagnostic currents in the
switched-off state (logical state "0" or "OFF")
Unlike mechanical switching contacts, e.g. emergency stop switches, diagnostic currents
can also flow when the semiconductor is in the switched-off state. If interconnection with
digital inputs is faulty, the diagnostic currents can result in incorrect switching states.
Incorrect signal states of digital inputs can cause unwanted movements of machine parts
and result in serious injury or death.
● Observe the conditions of digital inputs and digital outputs specified in the relevant
manufacturer documentation.
● Check the conditions of the digital inputs and digital outputs with regard to currents in
the "OFF" state and if necessary connect the digital inputs to suitably dimensioned,
external resistors to protect against the reference potential of the digital inputs.

More information on this topic is available on the Internet at:
Parameterizing and configuring safety hardware (https://support.industry.siemens.com/cs/ww/en/view/39700013)

6.6.2.3 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2870 SI functions - CU310-2 (F-DI 0 ... F-DI 2)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p10002 SI Motion F-DI switchover discrepancy time (CPU 1)


● p10017 SI Motion digital inputs debounce time (CPU 1)
● p10040 SI Motion, F-DI input mode (CPU 1)
● r10051.0...2 CO/BO: SI Motion digital inputs status (CPU 1)

6.6.3 Function of the F-DO

6.6.3.1 Description
The failsafe digital output (F-DO) comprises 2 digital outputs plus one digital input that checks
the switching state for forced checking procedure (test stop). The 1st digital output switches 24
V DC, and the 2nd switches M of the X130 (CU310‑2) voltage supply.
The status of each F-DO can be read at parameter r10052. The status of the associated DI22
can be read using parameter r0722.22.
The actuator connected to the F-DO can also be tested under specific conditions as part of
forced checking procedure (test stop). See Chapter "Forced checking procedure (test stop) of
the CU310-2 (Page 308)".

Table 6-20 Overview of the failsafe outputs in the SINAMICS S120/S150 List Manual:

Module   Function diagram  Outputs  Associated checking inputs
CU310-2  2873              F-DO 0   DI 22

F-DO features
● Each F-DO with failsafe configuration consisting of 2 digital outputs plus one digital input for
checking the switching state for the forced checking procedure (test stop)
● Status parameters r10051/r10052

Note
Display using r0747.16
If digital outputs DO16+ and DO16- act as F-DO, parameter r0747 "CU, digital outputs status",
bit 16 "DO 16 (- / X130.7, 8)" does not display the level defined by Safety Integrated. Instead,
it displays the ineffective setpoint state according to BICO signal source p0746 "BI: CU signal
source for terminal DO 16".

6.6.3.2 Signal sources for the F-DO


For the CU310-2, the following signals are available for interconnecting (p10042, ..., p10045)
on the F-DO:
● STO active
● SS1 active
● SS2 active
● SOS active
● SLS active
● SSM feedback active
● Safe State
● SOS selected
● Internal event
● Active SLS level bit 0
● Active SLS level bit 1
● SDI positive active
● SDI negative active
● SLP active
● Active SLP area
For the F-DO, up to 6 signals can be interconnected via indexes (p10042[0...5]); these are then
output AND'ed.

6.6.3.3 Safe state signal selection


For the CU310-2, the following (Safe State) signals can be requested via p10039[0...3]:
● STO active (power removed/pulses suppressed)
● SS1 active
● SS2 active
● SOS active
● SLS active

● SDI positive active


● SDI negative active
● SLP active

[Logic diagram: the signals Pulses suppressed, SS1 active, SS2 active, SOS active, SLS active,
SDI positive active, SDI negative active and SLP active are combined into "Safe state"]

Figure 6-9 Safe state selection

The same signals (high-active) are logically AND'ed. The different signals selected via p10039
are logically OR'ed. The result of these logic operations is the "Safe State". Details can be found
in function block diagram 2876, see SINAMICS S120/S150 List Manual.
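The AND/OR nesting described here and in the TM54F section "Signal sources" is easy to misread, so the following Python model evaluates it for a drive group. It is an added example, not code from the manual; the function names, the dict representation of a drive's status signals and the sample group are assumptions, and each list entry stands for one drive of a TM54F drive group.

```python
"""Safe State and F-DO logic for a TM54F drive group, as described in the text."""

MAX_FDO_SOURCES = 6  # one F-DO interconnects at most indexes [0...5]


def group_signal(drives, signal):
    """AND: the signal counts only if every drive in the group reports it."""
    if not drives:
        raise ValueError("a drive group needs at least one drive")
    return all(drive.get(signal, False) for drive in drives)


def safe_state(drives, selected):
    """OR over the signals selected via p10039 of the per-signal AND results."""
    return any(group_signal(drives, signal) for signal in selected)


def fdo_output(drives, sources, selected):
    """AND of the signals interconnected to one F-DO.

    sources: signal names interconnected to the F-DO; "Safe State" refers to
    the result of safe_state() for the signals in `selected`.
    """
    if not 1 <= len(sources) <= MAX_FDO_SOURCES:
        raise ValueError("this model expects 1 to 6 signal sources per F-DO")
    values = []
    for source in sources:
        if source == "Safe State":
            values.append(safe_state(drives, selected))
        else:
            values.append(group_signal(drives, source))
    return all(values)


# Constructed sample: two drives in one group; drive B has not reached STO.
GROUP = [
    {"STO active": True, "SLS active": True, "SSM feedback active": True},
    {"STO active": False, "SLS active": True, "SSM feedback active": False},
]

if __name__ == "__main__":
    print(safe_state(GROUP, {"STO active"}))
    print(safe_state(GROUP, {"STO active", "SLS active"}))
    print(fdo_output(GROUP, ["Safe State", "SSM feedback active"],
                     {"STO active", "SLS active"}))
```

Each additional signal selected via p10039 widens the Safe State condition (OR), whereas each additional signal source on an F-DO narrows the output (AND).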

6.6.3.4 Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2870 SI functions - CU310-2 (F-DI 0 ... F-DI 2)


● 2873 SI functions CU310-2 failsafe digital output (F-DO 0)
● 2875 SI functions - CU310-2 control interface
● 2876 SI functions - CU310-2 safe state selection
● 2877 SI functions, CU310-2 assignment (F-DO 0)

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p10039 SI Safe State signal selection (CPU 1)


● p10042[0...5] SI F-DO 0 signal sources
● r10051.0...2 CO/BO: SI Digital inputs status (CPU 1)
● r10052.0 CO/BO: SI Digital output status (CPU 1)

6.7 Motion monitoring without selection


As an alternative to controlling via terminals and/or PROFIsafe, there is also the option to
parameterize several Safety functions without selection. For this mode, after parameterization
and a POWER ON, these functions are permanently selected.

Example
"SLS without selection" can be used to monitor the maximum velocity, for example. This
monitoring function prevents the drive from exceeding a mechanical speed limit. When using
the "without selection" function, you do not have to use an F-DI and you do not have to use an
F‑CPU.

Features
● The function "Motion monitoring without selection" is available in the following versions:

p9601     Meaning                                        Scope of functions  Comment
0024 hex  Drive-integrated motion monitoring functions   ● SLS               ● p9501.0 = 1
          without selection are enabled                  ● SDI               ● p9501.17 = 1
0025 hex  Drive-integrated motion monitoring functions   ● SLS               ● p9501.0 = 1
          without selection with STO via terminals are   ● SDI               ● p9501.17 = 1
          enabled                                        ● STO               ● Basic Functions
                                                         ● SS1               ● Basic Functions
                                                         ● SBC               ● Basic Functions

● The functions "SLS without selection" and "SDI without selection positive/negative" are
selected with p9512.
● The functions without selection are available in the versions "with encoder" and "without
encoder" (selection via p9506).
● The functions without selection are parameterized and enabled in the same way as the
versions with control via PROFIsafe/terminals.

Acknowledging safety faults


Carefully observe the following cases for acknowledging Safety faults:
● Motion monitoring functions without selection integrated in the drive
Acknowledging Safety faults is only possible with POWER ON.
● Motion monitoring functions without selection integrated in the drive and Basic Functions via
onboard terminals
Acknowledging safety faults is possible with POWER ON or selecting/deselecting STO/SS1
(see "Extended acknowledgment" in Chapter "Safe Torque Off (STO) (Page 76)").

Differences
Differences in the response of the functions compared with the versions with control via
PROFIsafe/terminals are described in the sections for commissioning the individual functions:
● "Safely-Limited Speed (SLS) (Page 118)"
● "Safe Direction (SDI) (Page 134)"

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9501.0 SI Motion enable safety functions (Control Unit)


● p9512 Select SI Motion safety functions without selection (CU)
● p9601 SI enable functions integrated in the drive (Control Unit)

6.8 Safety Info Channel and Safety Control Channel

6.8.1 Safety Info Channel (SIC)


The Safety Info Channel (SIC) enables Safety Integrated functionality status information of the
drive (S_ZSW1B, S_ZSW2B, S_ZSW3B, and S_V_LIMIT_B) to be transmitted to the higher-
level controller.

6.8.2 Safety Control Channel (SCC)


Using the Safety Control Channel (SCC), control information (S_STW1B and S_STW3B) can
be sent from the higher-level control to the Safety functions of the drive.

6.8.3 Possible telegram configuration (700, 701)


The predefined PROFIdrive telegrams 700 and 701 are available for the transfer of the SIC and
the SCC:

Telegram 700
The predefined PROFIdrive telegram 700 is available for the transfer of the SIC:

Table 6-21 Structure of telegram 700

      Receive data  Send data    Parameter
PZD1  –             S_ZSW1B      r9734
PZD2  –             S_V_LIMIT_B  r9733[2]
PZD3  –

You will find further information on communication via PROFIdrive in the Manual "SINAMICS
S120 Communications Function Manual," Chapter "Communication according to PROFIdrive."

Telegram 701
The predefined PROFIdrive telegram 701 is available for the transfer of the SIC and the SCC:

Table 6-22 Structure of telegram 701

      Receive data  Parameter  Send data    Parameter
PZD1  S_STW1B       p10250     S_ZSW1B      r9734
PZD2  S_STW3B       p10235     S_ZSW2B      r9743
PZD3  –             –          S_V_LIMIT_B  r9733[2]
PZD4  –             –
PZD5  –             –          S_ZSW3B      r10234

Note
Update of the send data
The send data S_ZSW2B and S_ZSW3B are only updated if the Safety Integrated Extended/
Advanced Functions are enabled.

You will find further information on communication via PROFIdrive in the Manual
"SINAMICS S120 Communications Function Manual," Chapter "Communication according to
PROFIdrive."

6.8.4 Configuring

Configuration principle (diagram)


The following diagram shows the principle when configuring for telegrams 700 and 701:

[Flowchart: Telegram configuration. Decisions: "Standard telegram (STD) required?",
"Free BICO interconnection required?", "SIC/SCC required?". Steps: reserved words receive,
reserved words transmit, set SIC/SCC, interconnect free BICOs.]

Figure 6-10 Telegram configuration procedure

Configuration principle (detail)


● Parameter p2070 is used to define at which location (after how many words) the SCC starts
in receive words r2050/r2060.
● Parameter p2071 is used to define at which location (after how many words) the SIC starts
in send words p2051/p2061.
● If, using p0922 = 999 and p2079 = x, a fixed telegram is to be parameterized with PZD
extension, then you can appropriately adapt p2070 and p2071.
● For p0922 = p2079 = x, p2070 and p2071 are locked to prevent changes being made.
● When writing to parameter p0922 or p2079, parameters p2070 and p2071 are appropriately
preassigned (with the length of the standard telegram). All BICO interconnections in
r2050[...]/r2060[...] and p2051[...]/p2061[...] are deleted and reassigned to telegram x. In so
doing, p60122 is also set = 999.
● When changing from a fixed telegram (p0922 = p2079 = x) to a free telegram (p0922 = 999),
p2070 and p2071 remain unchanged, however they are released so that they can be
changed. The value of p60122 is kept.
● If p10235 and p10250 are manually changed, fault F01786 is output without any drive
response. This fault can be acknowledged by the standard message acknowledgment.

Note
Effects in r2050[...]/r2060[...] and p2051[...]/p2061[...] when changes are made to p2070,
p2071 and p60122
● If you change p2070 and p2071, all BICO interconnections in r2050[...]/r2060[...] and
p2051[...]/p2061[...] will be deleted (starting with the end of the currently set standard
telegram). In so doing, p60122 is also set = 999.
● If you change p60122 to a value ≠ 999, then (starting with the indices set in p2070 or p2071)
all BICO interconnections are deleted in r2050[...]/r2060[...] and p2051[...]/p2061[...] and
the new telegram is set for SIC/SCC.

6.8.5 Applications
You can attach the telegrams 700 and 701 as an extension to your telegram. You can only
select one of the two telegrams.
To do this, proceed as follows:

Application: Standard telegram + SIC/SCC
● Action by the user: Specify standard telegram; e.g. p0922 = 106
  Effect:
  – p2079 = p0922 = 106
  – r2050 and p2051 are appropriately preassigned and completely locked so that changes
    cannot be made.
  – In p2070 and p2071, the number of transmit/receive words are occupied and cannot be
    changed (e.g. p2070 = 11 and p2071 = 15).
● Action by the user: Select SIC/SCC; e.g. p60122 = 701
  Effect:
  – The telegram extension for SCC/SIC is directly attached to the standard telegram in r2050
    and p2051.
[Diagram: layout of the receive and send words showing where the telegrams are placed]

Application: Standard telegram + free telegram configuration with BICO + SIC/SCC
● Action by the user: Define standard telegrams with possible telegram extension; e.g.
  p0922 = 999 and p2079 = 106
  Effect:
  – r2050 and p2051 are appropriately preassigned. Areas that are not preassigned can be
    freely interconnected.
  – p2070 = 11, p2071 = 15 are preassigned corresponding to p0922 and cannot be changed.
● Action by the user: Reserve space for the telegram extension with free BICO wiring, e.g.
  2 words in the receive direction and 1 word in the send direction:
  – p2070 = 11 + 2 = 13
  – p2071 = 15 + 1 = 16
  Effect:
  – Words r2050[11...12] and p2051[15] are reserved for the telegram extension and can be
    freely interconnected.
● Action by the user: Select SIC/SCC; e.g. p60122 = 701
  Effect:
  – The telegram extension for SIC/SCC is inserted from r2050[13…] and p2051[16…].
  – In r2050 and p2051, the words for SIC/SCC are preassigned accordingly and locked. The
    other words can be freely connected.
[Diagram: layout of the receive and send words showing where the telegrams are placed]

Application: Changing the standard telegram (without free telegram configuration)
● Action by the user: Specify a new telegram; e.g. p0922 = 105
  Effect:
  – r2050 and p2051 are deleted and re-assigned accordingly.
● Action by the user: Select SIC/SCC; e.g. p60122 = 701
  Effect:
  – The telegram extension for SCC is added after the standard telegram.
  – r2050 and p2051 are preassigned corresponding to p0922 and SIC/SCC are completely
    locked so that they cannot be changed.

Application: Changing the standard telegram (with free telegram configuration)
● Action by the user: Change standard telegram (see above)
  Effect: –
● Action by the user: Now continue as described in the "Standard telegram + free telegram
  configuration with BICO + SIC/SCC"

Application: Change of the SIC/SCC telegram
● Action by the user: Change SIC/SCC; now, e.g. p60122 = 700
  Effect:
  – Starting with the indices set in p2070 or p2071, all BICO interconnections are deleted
    in r2050[...] and p2051[...].
  – The telegram extension for SIC is inserted into parameter p2071 according to p2051.

Application: Adding further "Free telegram configuration with BICO" words
● Action by the user: Change the values in p2070 or p2071.
  Effect:
  – When changing from a fixed telegram (p0922 = p2079 = x) to a free telegram (p0922 = 999),
    p2070 and p2071 remain unchanged, however they are released so that they can be
    changed. The value of p60122 is kept.
● Action by the user: Select SIC/SCC; e.g. p60122 = 701
  Effect:
  – SIC/SCC is reconfigured.
● Action by the user: Now specify the new free telegram configuration (see above).
  Effect: –

Note
Parameter interdependencies
● Values for p2070 or p2071, which fall below the length of the standard telegram, will be
rejected and cannot be entered.
● Write access in p60122 is rejected if excessively high values are set in p2070 or p2071 so
that attaching a SCC/SIC telegram would mean that the maximum permissible PZD lengths
would be exceeded.
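The word positions that result from p2070, p2071 and p60122, including the two rejection rules in the note above, can be worked out as follows. This Python code is an added example, not part of the manual; the function name plan_layout is hypothetical, the word counts of telegrams 700 and 701 are read from Tables 6-21 and 6-22 (S_V_LIMIT_B taken as two words), and the maximum PZD lengths must be supplied by the caller because the text does not state them.

```python
"""Word layout of r2050 (receive) and p2051 (send) with a SIC/SCC extension."""

# Words each SIC/SCC telegram occupies, read from Tables 6-21 and 6-22.
# S_V_LIMIT_B is a 32-bit value and is assumed to take two 16-bit words.
SIC_SCC = {
    700: {"scc": [],
          "sic": ["S_ZSW1B", "S_V_LIMIT_B", "S_V_LIMIT_B"]},
    701: {"scc": ["S_STW1B", "S_STW3B"],
          "sic": ["S_ZSW1B", "S_ZSW2B", "S_V_LIMIT_B", "S_V_LIMIT_B", "S_ZSW3B"]},
}


def plan_layout(std_rx, std_tx, p2070, p2071, p60122, max_rx, max_tx):
    """Return where the free BICO words and the SIC/SCC words end up.

    std_rx/std_tx: receive/send length of the standard telegram in words.
    p2070/p2071:   word index at which SCC (receive) / SIC (send) starts.
    max_rx/max_tx: maximum permissible PZD lengths (caller-supplied).
    """
    if p60122 not in SIC_SCC:
        raise ValueError(f"p60122 = {p60122} is not a SIC/SCC telegram")
    if p2070 < std_rx or p2071 < std_tx:
        # Values below the length of the standard telegram are rejected.
        raise ValueError("p2070/p2071 fall below the standard telegram length")
    scc = SIC_SCC[p60122]["scc"]
    sic = SIC_SCC[p60122]["sic"]
    if p2070 + len(scc) > max_rx or p2071 + len(sic) > max_tx:
        # Write access to p60122 is rejected in this case.
        raise ValueError("SIC/SCC extension would exceed the maximum PZD length")
    return {
        "free_receive": list(range(std_rx, p2070)),   # indexes in r2050
        "free_send": list(range(std_tx, p2071)),      # indexes in p2051
        "scc": {p2070 + i: name for i, name in enumerate(scc)},
        "sic": {p2071 + i: name for i, name in enumerate(sic)},
    }


if __name__ == "__main__":
    # Example from the text: telegram 106 (11 receive / 15 send words),
    # 2 free receive words and 1 free send word, then telegram 701.
    # The maximum lengths of 32 words are placeholder values.
    layout = plan_layout(11, 15, 13, 16, 701, max_rx=32, max_tx=32)
    for key, value in layout.items():
        print(key, value)
```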

6.8.6 Send data for SIC and SCC

S_ZSW1B
SI Motion Safety Info Channel status word

Table 6-23 Description S_ZSW1B

Bit  Meaning                 Remarks                                         Parameter
0    STO active              1  STO active                                   r9734.0
                             0  STO not active
1    SS1 active              1  SS1 active                                   r9734.1
                             0  SS1 not active
2    SS2 active              1  SS2 active                                   r9734.2
                             0  SS2 not active
3    SOS active              1  SOS active                                   r9734.3
                             0  SOS not active
4    SLS active              1  SLS active                                   r9734.4
                             0  SLS not active
5    SOS selected            1  SOS selected                                 r9734.5
                             0  SOS deselected
6    SLS selected            1  SLS selected                                 r9734.6
                             0  SLS deselected
7    Internal event          1  Internal event                               r9734.7
                             0  No internal event
8    SLA active              1  SLA active                                   r9734.8
                             0  SLA not active
9    Active SLS level bit 0  –  Display of the speed limit for SLS (2 bits)  r9734.9
10   Active SLS level bit 1  –                                               r9734.10
11   Reserved                –  –                                            –
12   SDI positive selected   1  SDI positive selected                        r9734.12
                             0  SDI positive deselected
13   SDI negative selected   1  SDI negative selected                        r9734.13
                             0  SDI negative deselected
14   ESR retract requested   1  ESR retract requested                        r9734.14
                             0  ESR retract not requested
15   Safety message active   1  Safety message active                        r9734.15
                             0  No safety message active

S_ZSW2B
Safety Info Channel status word 2

Table 6-24 Description of S_ZSW2B

Bit     Meaning                               Remarks                                       Parameter
0...3   Reserved                              –  –                                          –
4       SLP selected position range           1  SLP area 2 selected                        r9743.4
                                              0  SLP area 1 selected
5, 6    Reserved                              –  –                                          –
7       SLP selected and user agreement       1  SLP selected and user agreement set        r9743.7
                                              0  SLP selected or user agreement not set
8       SDI positive                          1  SDI positive selected                      r9743.8
                                              0  SDI positive deselected
9       SDI negative                          1  SDI negative selected                      r9743.9
                                              0  SDI negative deselected
10, 11  Reserved                              –  –                                          –
12      Test stop active                      1  Test stop active                           r9743.12
                                              0  Test stop not active
13      Test stop required                    1  Test stop required                         r9743.13
                                              0  Test stop not required
14      Reference position required           1  Reference position required                r9743.14
                                              0  Reference position not required
15      Reference trigger command identified  1  Reference trigger command identified or    r9743.15
        or reference position valid              reference position valid
                                              0  No reference trigger command identified or
                                                 reference position invalid

S_ZSW3B
Safety Info Channel status word 3

Table 6-25 Description of S_ZSW3B

Bit     Meaning                            Remarks                                          Parameter
0       Brake test                         1  Brake test selected                           r10234.0
                                           0  Brake test deselected
1       Setpoint input, drive/external 1)  1  Setpoint specification for the drive          r10234.1
                                           0  Setpoint specification, external (controller)
2       Active brake                       1  Test brake 2 active                           r10234.2
                                           0  Test brake 1 active
3       Brake test active                  1  Test active                                   r10234.3
                                           0  Test inactive
4       Brake test result                  1  Test successful                               r10234.4
                                           0  Test error
5       Brake test completed               1  Test run                                      r10234.5
                                           0  Test incomplete
6       External brake request             1  Close brake                                   r10234.6
                                           0  Open brake
7       Current load sign                  1  Negative sign                                 r10234.7
                                           0  Positive sign
8...10  Reserved                           –  –                                             –
11      SS2E                               1  SS2E active                                   r10234.11
                                           0  SS2E not active
12      SS2ESR                             1  SS2ESR active                                 r10234.12
                                           0  SS2ESR not active
13      Reserved                           –  –                                             –
14      Acceptance test SLP (SE) selected  1  Acceptance test SLP (SE) selected             r10234.14
                                           0  Acceptance test SLP (SE) deselected
15      Acceptance test mode selected      1  Acceptance test mode selected                 r10234.15
                                           0  Acceptance test mode deselected
1) Setpoint input for the drive: The speed setpoint is entered by the function SBT.
   External setpoint input (open-loop control): The "normal" speed setpoint is effective.

S_V_LIMIT_B
SLS speed limit with 32-bit resolution and sign bit.
● The SLS speed limit is available in r9733[2].
● The SLS speed limit is standardized via p2000.
S_V_LIMIT_B = 4000 0000 hex ≐ speed in p2000
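
A decoder for S_ZSW2B, S_ZSW3B and S_V_LIMIT_B as described above, added here as an example and not taken from the manual. The function names are hypothetical, reading S_V_LIMIT_B as a two's-complement 32-bit value is an assumption, and flagging set reserved bits is a monitoring choice rather than a rule stated in this section.

```python
"""Decode Safety Info Channel words (added example, not Siemens code)."""

# Bit layouts transcribed from Tables 6-24 and 6-25.
# bit -> (meaning, text when the bit is 1, text when the bit is 0)
S_ZSW2B_BITS = {
    4: ("SLP selected position range", "SLP area 2 selected", "SLP area 1 selected"),
    7: ("SLP selected and user agreement", "SLP selected and user agreement set",
        "SLP selected or user agreement not set"),
    8: ("SDI positive", "SDI positive selected", "SDI positive deselected"),
    9: ("SDI negative", "SDI negative selected", "SDI negative deselected"),
    12: ("Test stop active", "Test stop active", "Test stop not active"),
    13: ("Test stop required", "Test stop required", "Test stop not required"),
    14: ("Reference position required", "Reference position required",
         "Reference position not required"),
    15: ("Reference trigger command identified or reference position valid",
         "Reference trigger command identified or reference position valid",
         "No reference trigger command identified or reference position invalid"),
}

S_ZSW3B_BITS = {
    0: ("Brake test", "Brake test selected", "Brake test deselected"),
    1: ("Setpoint input, drive/external", "Setpoint specification for the drive",
        "Setpoint specification, external (controller)"),
    2: ("Active brake", "Test brake 2 active", "Test brake 1 active"),
    3: ("Brake test active", "Test active", "Test inactive"),
    4: ("Brake test result", "Test successful", "Test error"),
    5: ("Brake test completed", "Test run", "Test incomplete"),
    6: ("External brake request", "Close brake", "Open brake"),
    7: ("Current load sign", "Negative sign", "Positive sign"),
    11: ("SS2E", "SS2E active", "SS2E not active"),
    12: ("SS2ESR", "SS2ESR active", "SS2ESR not active"),
    14: ("Acceptance test SLP (SE) selected", "Acceptance test SLP (SE) selected",
         "Acceptance test SLP (SE) deselected"),
    15: ("Acceptance test mode selected", "Acceptance test mode selected",
         "Acceptance test mode deselected"),
}


def decode_word(word, layout):
    """Return the text for every defined bit plus the list of reserved bits that are set."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("status word must fit in 16 bits")
    bits, reserved_set = {}, []
    for bit in range(16):
        is_set = bool((word >> bit) & 1)
        if bit in layout:
            meaning, when_1, when_0 = layout[bit]
            bits[bit] = (meaning, when_1 if is_set else when_0)
        elif is_set:
            reserved_set.append(bit)  # reserved in the table, so a set bit is unexpected
    return {"bits": bits, "reserved_set": reserved_set}


def scale_v_limit(raw, p2000):
    """Convert S_V_LIMIT_B to a speed: 4000 0000 hex corresponds to the speed in p2000.

    Assumption: the sign is carried as 32-bit two's complement.
    """
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("S_V_LIMIT_B must fit in 32 bits")
    signed = raw - (1 << 32) if raw & 0x80000000 else raw
    return signed / 0x40000000 * p2000


def attention(zsw2b, zsw3b):
    """List conditions a monitoring station would surface to an operator."""
    notes = []
    for name, word, layout in (("S_ZSW2B", zsw2b, S_ZSW2B_BITS),
                               ("S_ZSW3B", zsw3b, S_ZSW3B_BITS)):
        reserved = decode_word(word, layout)["reserved_set"]
        if reserved:
            notes.append(f"{name}: reserved bits set {reserved}")
    if (zsw2b >> 13) & 1:
        notes.append("S_ZSW2B.13: test stop required")
    if (zsw3b >> 15) & 1:
        # Acceptance test mode (p9370/p9570) is not covered by the safety password.
        notes.append("S_ZSW3B.15: acceptance test mode selected")
    return notes


if __name__ == "__main__":
    # Constructed sample values, not captured from a drive.
    for bit, (meaning, state) in decode_word(0x0039, S_ZSW3B_BITS)["bits"].items():
        print(f"S_ZSW3B.{bit:<2} {meaning}: {state}")
    print(scale_v_limit(0x20000000, 3000.0))
    print(attention(0x2000, 0x8000))
```
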


6.8.7 Receive data for SCC

S_STW1B
Safety Control Channel control word 1

Table 6-26 Description of S_STW1B

| Bit | Meaning | Remarks | Parameter |
|---|---|---|---|
| 0...7 | Reserved | – | – |
| 8 | Extended/Advanced Functions forced checking procedure (test stop) | 1: Extended/Advanced Functions forced checking procedure (test stop); 0: Extended/Advanced Functions forced checking procedure (test stop) | r10251.8 |
| 9...12 | Reserved | – | – |
| 13 | Close brake from control | 1: "Close brake from control" selected; 0: "Close brake from control" deselected | r10251.13 |
| 14, 15 | Reserved | – | – |

S_STW3B
Safety Control Channel control word 3

Table 6-27 Description of S_STW3B

| Bit | Meaning | Remarks | Parameter |
|---|---|---|---|
| 0 | Select brake test | 1: Brake test selected; 0: Brake test deselected | r10231.0 |
| 1 | Start brake test | 1: Start brake test requested; 0: Start brake test not requested | r10231.1 |
| 2 | Brake selection | 1: Test brake 2 selected; 0: Test brake 1 selected | r10231.2 |
| 3 | Select direction of rotation | 1: Negative direction selected; 0: Positive direction selected | r10231.3 |
| 4 | Select test sequence | 1: Test sequence 2 selected; 0: Test sequence 1 selected | r10231.4 |
| 5 | Status of external brake | 1: External brake closed; 0: External brake open | r10231.5 |
| 6...15 | Reserved | – | – |

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● r9733[0...2] CO: SI Motion setpoint speed limit effective
● r9734.0...15 CO/BO: SI Safety Info Channel status word S_ZSW1B
● r9743.4...15 CO/BO: SI Safety Info Channel status word S_ZSW2B

● r10231 SI Motion SBT control word diagnostics
● r10234.0...15 CO/BO: SI Safety Info Channel status word S_ZSW3B
● p10235 CI: SI Safety Control Channel control word S_STW3B
● p10250 CI: SI Safety Control Channel control word S_STW1B
● r10251.8...12 CO/BO: SI Safety Control Channel control word S_STW1B diagnostics
● p60122 IF1 PROFIdrive SIC/SCC telegram selection

7 Commissioning
7.1 Safety Integrated firmware versions

Firmware versions for Safety Integrated


The safety firmware installed on the Control Unit and the safety firmware installed on the Motor
Module each have separate version IDs. The parameters listed below can be used to read the
version IDs from the relevant hardware.
● Read the overall firmware version via:
– r0018 Control Unit firmware version
● The following firmware data can be read for the Basic Functions:
– r9770[0...3] SI version, drive-autonomous safety functions (Control Unit)
– r9870[0...3] SI version, drive-autonomous safety functions (Motor Module)
● The following firmware information can be read for the Extended/Advanced Functions:
– r9590[0...3] SI Motion version safety motion monitoring (Control Unit)
– r9390[0...3] SI Motion version safety motion monitoring (Motor Module)
– r9890[0...2] SI version (Sensor Module) or r0148[0...n] for DQI encoders
– r10090[0...3] SI TM54F version

Basic Functions and Extended/Advanced Functions


For Basic and/or Extended or Advanced Functions that have been enabled, a check is made
to see whether the parameter for the automatic firmware update is set (p7826 = 1).
This means that at each boot, the firmware version of the DRIVE-CLiQ components involved
is checked in comparison to the firmware version of the Control Unit and, if required, updated.
Otherwise, the message F01664 (SI CU: No automatic firmware update) is output.
In the acceptance test of the Safety Integrated Basic Functions, the Safety Firmware Versions
(r9770, r9870) must be read out and recorded.
In the acceptance test of the Safety Integrated Extended/Advanced Functions, the Safety
Firmware Versions of the Motor Modules (r9590, r9390), the Sensor Modules (r9890 or
r0148[0...n] for DQI encoders), and, if necessary, the Terminal Module TM54F (r10090)
participating in the safety functions must be read out and recorded.


7.2 Parameters, checksum, version

Properties of Safety Integrated parameters


The following applies to Safety Integrated parameters:
● The safety parameters are kept separate for each monitoring channel.
● During startup, checksum calculations (Cyclic Redundancy Check, CRC) are performed on
the safety parameter data and checked. The display parameters are not contained in the
CRC.
● Data storage: The parameters are stored on the non-volatile memory card.
● The safety parameterization is password-protected against accidental or unauthorized
changes.
● Factory settings for safety parameters
– The drive-specific reset of the Safety parameters to the factory setting with p3900 and
p0010 = 30 is only possible if the safety functions are not enabled (p9501 = p9601 =
p10010 = 0).
– Safety parameters can be reset to the factory setting with p0970 = 5. To do so, the Safety
Integrated password must be set. If Safety Integrated has been enabled, this can result
in error messages that require an acceptance test to be performed. Then save the
parameters and carry out a POWER ON.
– A complete reset of all parameters to the factory settings (p0976 = 1 and p0009 = 30 on
the Control Unit) is possible even when the safety functions are enabled
(p9501 = p9601 = p10010 ≠ 0).

Note
You will find more detailed information on this password in Chapter "Handling the Safety
password (Page 272)."

Note
Safety parameters that are not protected
The following safety parameters are not protected by the safety password:
● p9370 SI Motion acceptance test mode (Motor Module)
● p9570 SI Motion acceptance test mode (Control Unit)
● p9533 SI Motion SLS speed setpoint limitation
● p9783 SI Motion synchronous motor current injection without encoder

Note
The password protection is only available online.


Checking the checksum


For each monitoring channel, the Safety parameters include 2 parameters for the reference
and actual checksum for the Safety parameters that have undergone a checksum check.
During commissioning, the actual checksum must be transferred to the corresponding
parameter for the reference checksum. This can be done for all checksums of a drive object at
the same time using parameter p9701 or using the corresponding Startdrive functionality.
● Basic Functions
– r9798 SI actual checksum SI parameters (Control Unit)
– p9799 SI reference checksum SI parameters (Control Unit)
– r9898 SI actual checksum SI parameters (Motor Module)
– p9899 SI reference checksum SI parameters (Motor Module)
● Extended/Advanced Functions (also contain the following checksum parameters)
– r9398[0...1] SI Motion actual checksum SI parameters (Motor Module)
– p9399[0...1] SI Motion reference checksum SI parameters (Motor Module)
– r9728[0...2] SI Motion actual checksum SI parameters
– p9729[0...2] SI Motion reference checksum SI parameters

During each ramp-up procedure, the actual checksum is calculated via the Safety parameters
and then compared with the reference checksum.
If the actual and reference checksums are different, fault F01650/F30650 or F01680/F30680 is
output.
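
The same actual/reference comparison can be run offline on an exported parameter snapshot. The following is an added example, not code from the manual or from Siemens tooling. The snapshot format (a dict of parameter name to integer), the recorded acceptance baseline and all function names are assumptions. Because the reference checksum is simply copied from the actual one during commissioning, the example also compares the reference values against a baseline recorded at acceptance.

```python
"""Audit Safety Integrated checksum pairs in a parameter snapshot (added example)."""

# (actual, reference, index count or None, description), taken from the list above.
CHECKSUM_PAIRS = [
    ("r9798", "p9799", None, "SI parameters (Control Unit)"),
    ("r9898", "p9899", None, "SI parameters (Motor Module)"),
    ("r9398", "p9399", 2, "SI Motion parameters (Motor Module)"),
    ("r9728", "p9729", 3, "SI Motion parameters"),
]


def _keys(name, count):
    """Expand an indexed parameter into its snapshot keys, e.g. r9398[0], r9398[1]."""
    return [name] if count is None else [f"{name}[{i}]" for i in range(count)]


def audit_checksums(snapshot, baseline=None):
    """Return a list of (reference_parameter, status, detail) findings.

    status is one of:
      incomplete                only one half of a pair is in the snapshot
      mismatch                  actual != reference (the condition the drive reports
                                as F01650/F30650 or F01680/F30680 at ramp-up)
      unrecorded                pair matches but the baseline has no value for it
      changed-since-acceptance  pair matches but differs from the recorded baseline
    Pairs that are entirely absent from the snapshot are skipped.
    """
    findings = []
    for actual, reference, count, desc in CHECKSUM_PAIRS:
        for a_key, r_key in zip(_keys(actual, count), _keys(reference, count)):
            a_val, r_val = snapshot.get(a_key), snapshot.get(r_key)
            if a_val is None and r_val is None:
                continue
            if a_val is None or r_val is None:
                missing = a_key if a_val is None else r_key
                findings.append((r_key, "incomplete", f"{missing} missing ({desc})"))
                continue
            if a_val != r_val:
                findings.append((r_key, "mismatch",
                                 f"{a_key}={a_val:#010x} {r_key}={r_val:#010x} ({desc})"))
                continue
            if baseline is None:
                continue
            if r_key not in baseline:
                findings.append((r_key, "unrecorded", f"no baseline value ({desc})"))
            elif baseline[r_key] != r_val:
                findings.append((r_key, "changed-since-acceptance",
                                 f"baseline={baseline[r_key]:#010x} now={r_val:#010x} ({desc})"))
    return findings


# Constructed sample data, not read from a real drive.
SAMPLE_SNAPSHOT = {
    "r9798": 0x5A17C0DE, "p9799": 0x5A17C0DE,
    "r9898": 0x0BADF00D, "p9899": 0x0BADF00D,
    "r9398[0]": 0x00000001, "p9399[0]": 0x00000001,
    "r9398[1]": 0x00000022, "p9399[1]": 0x00000023,
    "r9728[0]": 0x00000031, "p9729[0]": 0x00000031,
    "r9728[1]": 0x00000032,
}
SAMPLE_BASELINE = {
    "p9799": 0x5A17C0DE,
    "p9899": 0x12345678,
    "p9399[0]": 0x00000001,
    "p9399[1]": 0x00000023,
}

if __name__ == "__main__":
    for param, status, detail in audit_checksums(SAMPLE_SNAPSHOT, SAMPLE_BASELINE):
        print(f"{param:10} {status:26} {detail}")
```
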

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2818 SI Extended/Advanced Functions - parameter manager


7.3 Handling the Safety password


The safety password protects safety parameters against maloperation. Always assign a strong
password, to enable protection.

Note
The safety password does not have the equivalent quality of a password (protection against
unauthorized access, e.g. by an attacker), but rather that of write protection (e.g. protection
against maloperation).

Note
The password protection is only available online.

Password reset
● You require a valid password to reset the password to the factory setting by resetting the
safety parameters.
● Please note that when the factory setting is reset throughout the complete device, then the
safety password is also deleted.

Details on handling the safety password


If a password is set, you cannot change safety parameters in commissioning mode for Safety
Integrated (p0010 = 95) until you have entered the valid safety password in p9761 for the
drives or p10061 for the TM54F. In addition to the specified parameters, a corresponding
functionality is available in Startdrive.
● When Safety Integrated is commissioned for the first time, the following applies:
– Default of p10061 = 0 (SI password entry TM54F)
– Default of p9761 = 0 (SI password entry drive)
This means:
You do not need to enter a safety password during the first commissioning.
● In the case of a series commissioning of Safety or in the case of spare part installation, the
following applies:
– The Safety password is retained on the memory card and in the Startdrive project.
– No safety password is required in the case of spare part installation.

● Change password for the drives


– p0010 = 95 Commissioning mode.
– p9761 = Enter "old safety password".
– p9762 = Enter "new password".
– p9763 = Confirm "new password".
– p0977 = 1; "Copy from RAM to ROM"
– The new and confirmed safety password is valid immediately.
● Change password for the TM54F
– p0010 = 95 Commissioning mode.
– p10061 = Enter "Old TM54F Safety Password" (factory setting "0")
– p10062 = Enter "new password"
– p10063 = Acknowledge "new password"
– p0977 = 1; "Copy from RAM to ROM"
– The new and acknowledged safety password is valid immediately.
● Change password with Startdrive
– Click "Enter password" in the Startdrive secondary navigation.
– Enter the current password.
– Enter the new password.
– Enter the new password again.
– Click "Change password" to accept the new password.

● Reset password with Startdrive


– Click "Enter password" in the Startdrive secondary navigation.
– In the subsequent dialog, first enter the old password.
– Set the new password = 0.
– Click "Change password" to accept the new password.
– SINAMICS S120 responds with the message "Please change the password!"
– Close the message.
– In the "Change password" dialog box, then click the "Cancel" button.
– The password has now been reset to the default "0."
● If the safety password is no longer available, you can no longer change the safety
configuration. You then have the following options:
– To commission the SINAMICS S120 completely as new:
- Restore the factory settings of the entire drive (Control Unit with all connected drives/
components).
- Commission the drive unit and the drives afresh.
- Commission Safety Integrated as new.
– To load another project into the drive (without a Safety password or with a known Safety
password). This is possible without a password because this operation is the same as
complete new commissioning.
– If neither option is acceptable to you, please contact "Technical Support" (see "Training
and support (Page 17)").

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2818 SI Extended/Advanced Functions - parameter manager

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9761 SI password input
● p9762 SI password new
● p9763 SI password acknowledgment
● p10061 SI TM54F password entry
● p10062 SI TM54F password new
● p10063 SI TM54F password confirmation


7.4 DRIVE-CLiQ rules for Safety Integrated Functions

Note
General DRIVE-CLiQ rules
For the Safety Integrated Functions (Basic, Extended and Advanced Functions) the general
DRIVE-CLiQ rules apply as a basic principle. You will find these rules in Section "Rules for
connection with DRIVE-CLiQ" in the following manual:
References: SINAMICS S120 Drive Functions Function Manual
This specification also lists the exceptions for Safety Integrated components depending on the
firmware version.

Note
Effect of the Safety monitoring clock cycle (p9500)
If you select a value of <12 ms for the Safety monitoring clock cycle, then in demanding
configurations you can operate fewer than the specified maximum number of axes at one
Control Unit.

Rules for Safety Integrated Basic Functions


The following rule also applies particularly for Safety Integrated Basic Functions:
● Maximum of four drives per DRIVE-CLiQ line for control via PROFIsafe

Rules for Safety Integrated Extended/Advanced Functions


The following rules are also valid particularly for the Safety Integrated Extended/Advanced
Functions:
● Maximum of 6 servo axes for default clock cycle settings (Safety monitoring clock
cycle = 12 ms; current controller cycle = 125 μs); of which a maximum of 4 servo axes are
in one DRIVE-CLiQ line
● Maximum of six vector axes for the following cycle settings (Safety monitoring cycle = 12 ms;
current controller cycle = 500 μs)
● One Double Motor Module corresponds to 2 DRIVE-CLiQ nodes.

● On Double Motor Modules, on the drive objects, different values for p9511 are not permitted,
even if the values in p0115[0] are different.
● You can operate a maximum of 4 Motor Modules with Safety Extended Functions on one
DRIVE-CLiQ line. The following condition applies in this regard: TIReg (current controller
sampling time) = 125 μs for all axes. In addition to the 4 Motor Modules with Safety Extended
Functions, you can also operate the following modules on a DRIVE-CLiQ line:
– A Line Module if TIReg (current controller sampling time) ≥ 250 μs
– A Motor Module if TIReg (current controller sampling time) ≥ 125 μs
– A maximum of 7 Sensor Modules or DRIVE-CLiQ encoders
Exception: You can operate a maximum of 6 Motor Modules with Safety Extended
Functions on one DRIVE-CLiQ line if the number of connected S120M or S220 modules in
the line is ≥ 3.

Rules for "U/f control (vector control)" 1)

| Safety functionality | Number of U/f axes |
|---|---|
| Basic Functions | 12 |
| Basic Functions via TM54F | 6 |
| Extended/Advanced Functions via PROFIsafe | 11 |
| Extended/Advanced Functions via TM54F | 6 |
| Motion monitoring without selection | 12 2) |

1) The values specified in the table apply to Extended/Advanced Functions with and without encoder and
also for group drives connected in parallel.
2) All axes U/f control, 500 µs, Safety Integrated with encoder

TM54F
● The TM54F connection must be established via the DRIVE-CLiQ directly at a Control Unit.
Only one TM54F Terminal Module can be assigned to each Control Unit.
● Additional DRIVE-CLiQ nodes can be operated at the TM54F, such as Sensor Modules and
Terminal Modules (excluding an additional TM54F). It is not permissible that Motor Modules
and Line Modules are connected to a TM54F.
● In the case of a CU310-2 Control Unit, it is not possible to connect the TM54F to the DRIVE-
CLiQ line of a Power Module. The TM54F can only be connected to the sole DRIVE-CLiQ
X100 socket of the Control Unit.


7.5 Forced checking procedure (test stop)


To meet the requirements of the DIN EN ISO 13849‑1 and IEC 61508 standards in terms of
timely fault detection, the converter must test its safety-related circuits regularly - at least once
a year - for correct functioning. The converter monitors that this regular test is carried out for
the safety-related circuits that monitor the speed of the motor and for those that safely interrupt
the torque-generating energy supply to the motor through safe pulse suppression.

[Figure: timer diagram. Labels: Monitoring time for Extended Functions; Forced dormant error detection of the Extended Functions required; Start forced dormant error detection of the Extended Functions; POWER ON; Reset; STO is active; Start forced dormant error detection of the Basic Functions; Forced dormant error detection of the Basic Functions required; Monitoring time for Basic Functions]
Figure 7-1 Monitoring the regular forced checking procedure (test stop) in the converter

Table 7-1 Monitoring the forced checking procedure (test stop)

| Extended/Advanced Functions | Basic Functions |
|---|---|
| r9765 contains the remaining monitoring time. | r9660 contains the remaining monitoring time. |
| The converter signals that the monitoring time has come to an end with alarm A01697. | The converter signals that the monitoring time has come to an end with alarm A01699. |

7.5.1 Setting the forced checking procedure (test stop)

Setting the forced checking procedure (test stop)


If you only use the "Basic Functions", you must take the following steps during commissioning:
1. Set monitoring time p9659 to a value to match your application.
2. Evaluate the warning A01699 in your higher-level control, e.g. r9773.31 with a digital output
or a bit in the status word of the field bus.

The circuits of "Basic Functions" are part of the circuits of "Extended/Advanced Functions". If
you use the "Extended/Advanced Functions", you must take the following steps during
commissioning:
1. Set monitoring time p9559 to a value to match your application.
2. Set the monitoring time p9659 to the maximum value.
3. Evaluate alarm A01697 in your higher-level controller, for example by interconnecting the
output of the time monitoring (r9723.0) with a digital output or a bit in the status word of the
fieldbus.

7.5.2 Executing the forced checking procedure (test stop)


If the converter signals alarm A01699 or A01697, you must initiate the forced checking
procedure (test stop) at the next opportunity.
These alarms do not affect the operation of your machine. You should shut down the drive
before performing the forced checking procedure (test stop).

Note
Internal selection of STO
Controlling the forced checking procedure (test stop) causes STO to be selected internally. In
this case, drives that were previously not stopped, or that do not have a holding brake, coast
down.

Initiating the forced checking procedure (test stop)


● Extended/Advanced Functions
– You define the signal with which the converter tests its circuits for speed monitoring.
Alternatively, the test can be performed automatically every time the power supply is
switched on (POWER ON).
– To ensure that the forced checking procedure (test stop) is performed without error, it is
not permissible that STO is active.
– If you select the forced checking procedure (test stop), the converter checks the
Extended/Advanced Functions and Basic Functions circuits.
● Basic Functions
The converter checks its circuits for interruption of the torque-generating energy feed to the
motor for one of the following conditions:
– After the power supply has been connected (POWER ON).
– Each time after selecting the function STO or SS1.
– For the forced checking procedure (test stop) of the Extended Functions.


Note
Additional information
● You will find detailed information on forced checking procedure (test stop), in Chapter
"General (Page 174)."
● You will find a description of the forced checking procedure (test stop) of the TM54F in
Chapter "Forced checking procedure (test stop) of the TM54F (Page 314)."

7.5.3 Examples for the instants in time that the forced checking procedure (test stop) is performed
● When the drives are at a standstill after the system has been switched on
● When the protective door is opened
● At defined intervals (e.g. every eight hours)
● Automatically, each time the power supply voltage is switched on (POWER ON).
● In the automatic mode, time and event-dependent

Note
Test stop of a CU310-2
The pulses must be enabled when conducting a test stop at a CU310-2: Here, the drive should
be switched on with Nset = 0.


7.6 Safety Integrated and ESR


The following table lists the options that SINAMICS Safety Integrated offers for ESR. There are
3 variants in which the converter triggers ESR:
1. STOP E
Internal response to a limit value violation + SLS, SDI, SLP, SLA with subsequent response
2. STOP F
Defect in a monitoring channel + programmed subsequent response with STOP B →
STOP A
3. Communication breakdown
Cable, CPU STOP, ...

ESR integrated in the drive ("internal" ESR)

Variant 1
Basic Functions:
● STOP E: NOT POSSIBLE → SS1 immediately responds with STOP B
Extended/Advanced Functions:
● STOP E (internal response to a limit value violation + SLS, SDI, SLP, SLA with subsequent response)
● Is initiated when a limit value is violated, for example
● For these functions, the following value is monitored:
p0890[1] = r9721.15 (Safety Integrated STOP E)

Variant 2
Basic Functions:
● STOP F (defect in a monitoring channel + programmed subsequent response with STOP B → STOP A)
● E. g. for a discrepancy at the input terminals
● Basic Functions, set r9734.14
● p0890[4] = r9734.14
Extended/Advanced Functions:
● STOP F (defect in a monitoring channel + programmed subsequent response with STOP B → STOP A)
● In the transition time from STOP F to STOP B, you can request an ESR.
● p0890[2] = r9723.1 (Safety Integrated STOP F)

Variant 3
Basic Functions:
● Communication breakdown: NOT POSSIBLE
Extended/Advanced Functions:
● Communication error (cable, CPU STOP, ...)
● During the "Delay for bus failure" (p9580) from STOP F to STOP B, you can request an ESR.
● p0890[3] = r9723.2 (Safety Integrated communication failure)
● NOTE: As p9580 delays the initiation of STO, you must explicitly select a safety function with delay. For this function, parameterize a STOP with delayed STO when the bus fails (e.g. p9563 for SLS).

ESR via a control system ("external" ESR)

Variant 1
Basic Functions:
● STOP E: NOT POSSIBLE → SS1 immediately responds with STOP B
Extended/Advanced Functions:
● STOP E (internal response to a limit value violation + SLS, SDI, SLP, SLA with subsequent response)
● SS2ESR: STOP E explicitly requested by control unit; S_STW2.29 and S_ZSW3B.12
● ESR integrated in the drive (p0890, …), is not enabled when using the external ESR.
● ESR is requested via r9734.14.
● The motion control evaluates r9734.14 (SIC).
● Bit r9734.14 is used as trigger for the external CPU, to initiate the external ESR. In addition, bit r10234.12 (S_ZSW3B) is set if the request was received via S_STW2.29. This allows a distinction to be made between cases where ESR was triggered by a limit value being violated. The external CPU then specifies the setpoint.

Variant 2
Basic Functions:
● STOP F (defect in a monitoring channel + programmed subsequent response with STOP B → STOP A)
● ESR integrated in the drive (p0890, …), is not enabled when using the external ESR.
● ESR is requested via r9734.14.
● The motion control evaluates r9734.14 (SIC).
● Bit r9734.14 is used as trigger for the external CPU, to initiate the external ESR. The external CPU then specifies the setpoint.
Extended/Advanced Functions:
● STOP F (defect in a monitoring channel + programmed subsequent response with STOP B → STOP A)
● You can request an ESR in the time from STOP F to STOP B.
● ESR integrated in the drive (p0890, …), is not enabled when using the external ESR.
● ESR is requested via r9734.14.
● The motion control evaluates r9734.14 (SIC).
● Bit r9734.14 is used as trigger for the external CPU, to initiate the external ESR. The external CPU then specifies the setpoint.

Variant 3
Basic Functions:
● Communication breakdown: NOT POSSIBLE
Extended/Advanced Functions:
● Communication breakdown: NOT POSSIBLE


7.7 Commissioning Safety Integrated functions

7.7.1 General information


1. In the Startdrive secondary navigation select "<Drive axis> > Drive functions > Safety
Integrated > Function selection".
2. To commission Safety Integrated Basic Functions, you can select the following settings in
the "Function selection" screen form. You can also simultaneously select the control version
of the safety functions:
– Basic Functions via onboard terminals
– Basic Functions via PROFIsafe
– Basic Functions via PROFIsafe and onboard terminals
3. To commission Safety Integrated Extended Functions, you can select the following settings
in the "Function selection" screen form. You can also simultaneously select the control
version of the safety functions – as well as a possible combination with the Basic Functions:
– Extended Functions via PROFIsafe
– Extended Functions via PROFIsafe and Basic Functions via onboard terminals
– Extended Functions without selection
– Extended Functions without selection and Basic Functions via onboard terminals

Note
Commissioning TM54F and CU310-2
TM54F, CU310-2 and PROFIBUS are not yet available in Startdrive.

Note
Configuration in Startdrive
● You can find examples for configuring the Safety Integrated Functions in the chapters
"Basic Functions (Page 293)" and "Extended Functions (Page 297)".
● You can find detailed information on configuring in Startdrive in the online help.

Safety slot
A safety slot must first be created in order to be able to control the Safety Integrated Functions
via PROFINET. The procedure for this is described in the following sections:
● "PROFIsafe via PROFINET (Page 322)"

Parameter view
You can parameterize the Safety Integrated Functions in Startdrive via the parameter view, but
making settings via the dialogs is more convenient and less prone to error.

Note
Password for the factory setting
The password "0" is set by default.

7.7.2 Notes

Note
Incompatible version in the Motor Module
If there is no compatible version in the Motor Module, the Control Unit will respond as follows
on transition to Safety commissioning mode (p0010 = 95):
● The Control Unit indicates the fault F01655 (SI CU: Aligning the monitoring functions). The
fault initiates fault response OFF2.
● The Control Unit triggers safe pulse suppression via its own Safety switch-off signal path.
● If parameterized (p1215, p9602), the motor holding brake is closed.
● The fault can only be acknowledged after the Safety functions have been blocked (p9601).

Note
Duplicate the parameters for the 2nd channel
When parameterizing the Safety Integrated Functions using Startdrive screen forms (online
and offline), you only set the values of one channel. Information on how you can copy the
parameters for the 2nd channel is provided in Chapter "Accepting the settings in the drive
(Page 291)".

Note
Behavior when copying
For the encoder parameters (p9515 to p9529), which are used for safe motion monitoring, the
following procedure applies when copying:
● The following applies to safety-related functions that have not been enabled (p9501 = 0):
The parameters are automatically set during startup in the same way as the corresponding
encoder parameters (e.g. p0410, p0474, ...).
● The following applies to safety-related functions that have been enabled (p9501 > 0):
The parameters are checked against their corresponding encoder parameters (e.g. p0410,
p0474, ...).
Further information can be found in the parameter descriptions in the SINAMICS S120/S150
List Manual.

Note
Copying a drive with enabled Safety Integrated Functions
If a drive with enabled Safety Integrated Functions is copied offline, fault F01656 can occur
when the project is downloaded. This behavior occurs whenever component numbers change
during copying (e.g. different DO number or hardware).
Take care to observe these limitations or perform Safety commissioning again.

Note
Activating changed safety parameters
When exiting the commissioning mode (p0010 = 0), most of the changed parameters
immediately become active.
However, for some parameters, a POWER ON is required. In this case, a drive message
(A01693 or A30693) will inform you.

7.7.3 Prerequisites for commissioning the Safety Integrated functions


● Commissioning of the drives must be complete.
● It is not permissible that the drive, on which the safety functions are to be commissioned
online, is in the "Operation" state.
● To commission the "Safe Brake Control" (SBC) function, the following also applies:
A motor with motor holding brake must be connected to the appropriate connection of the
Motor Module or to Safe Brake Relay/Safe Brake Adapter (SBR/SBA).

7.7.4 Default settings for commissioning Safety Integrated functions without encoder
Additional default settings are required before commissioning Safety Integrated Functions
without an encoder. The parameterization of the ramp-function generator is necessary, so that
in encoderless operation stepped signals do not occur.
1. The ramp-function generator is automatically created if a vector drive is configured.
Continue with point 3.
2. If a servo drive has been configured, activate the ramp-function generator as follows:
Activate the "Extended setpoint channel" function module.
3. Open the ramp-function generator and click the button showing the ramp.
4. Here, enter the data to define the ramp-function generator ramp.
5. Subsequently carry out a "motor data identification" to determine the motor data and to
improve the torque accuracy: Start with static measurements and then take rotating
measurements. You will find details in the relevant chapters on "Motor data identification" in
the "Function manual SINAMICS S120 drive functions."


Activating Safety Integrated


1. Open the Safety Integrated selection window and select the required safety control type.
2. In the drop-down list below that, select "[1] Safety without encoder and brake ramp (SBR)"
or "[3] Safety without encoder with acc_monitoring (SAM)/delay time."
3. Set the actual value acquisition cycle (p9511) to the value of the current controller cycle
(p0115[0]) (e.g. 125 µs).
4. Then click in the "Configuration" dialog on "Mechanical system configuration": Set the actual
value tolerance (p9542) to a higher value (e.g. 1 mm or 12 °).
When configuring the gearbox ratio, take into account the pole pair number of the motor.
Note
Interrelationship between the electrical ↔ mechanical speed
The encoderless safe actual value sensing calculates the electric speed of the drive. The
pole pair number (r0313) specifies the factor with which the electrical speed must be
multiplied in order to obtain the mechanical speed at the motor shaft.

5. Open SS1, and set the shutdown velocity > 0 (p9560). This is only absolutely necessary if
"Safety without encoder with braking ramp (SBR)" was selected.
6. Open SLS/SDI, and switch over all of the stop responses to "[0] STOP A" or "[1] STOP B"
(p9563[0...3], p9566) and then close the window.
7. You can now carry out the user-specific safety settings.
8. Using p9585, define the value for the "SI Motion fault tolerance actual value acquisition -
sensorless" (see Section "Safe actual value sensing without encoder (Page 167)").
9. Click the "Copy parameters" button.
10. Click the "Activate settings" button.
11. Switch the drive off and back on again to accept the changes.
Note
Response to message C01711/C30711
If during acceleration or deceleration, the drive outputs the message C01711/C30711
(message value 1041 to 1043), this indicates problems, for example, with values too high for
acceleration/deceleration. You have the following options to remedy this:
● Reduce the ramp gradient.
● Use the extended ramp-function generator (with rounding) to set a more gentle ramp up.
● Reduce the precontrol.
● Change the values of parameters p9586, p9587, p9588, p9589 and p9783 (see the
specifications in the SINAMICS S120/S150 List Manual).

7.7.5 Setting the sampling times

Terminology
The software functions installed in the system are executed cyclically at different sampling
times (p0115, p0799, p4099).
Safety functions are executed in the monitoring cycle (p9500) and the TM54F is executed with
the sampling time displayed in r10015. This sampling time corresponds to the lowest value of
the communication sampling time entered in p10000[0..5]. For Basic Functions, the cycle is
displayed in r9780.
Communication via PROFIBUS is performed cyclically via the communication cycle.
During the PROFIsafe scan cycle, the PROFIsafe telegrams issued by the master are
evaluated.

7.7.5.1 Rules
● The monitoring cycle (p9500) can be set between 500 μs and 25 ms.
Note
Setting an identical monitoring cycle
The monitoring cycle must be the same on all drives and the TM54F.
However, the calculation time required for the Extended/Advanced Functions in the Control
Unit depends on the monitoring cycle, that is, shorter cycles extend the calculation time. The
availability of a specific monitoring cycle therefore depends on calculation time resources of
the Control Unit.
CPU time resources on the Control Unit are influenced primarily by the number of drives, the
number of drives with enabled Extended/Advanced Functions, the connected DRIVE‑CLiQ
components, the selected DRIVE-CLiQ topology, the use of a CBE20 and by the selected
technological functions. You can determine the number of axes that can be controlled
(closed loop) using the "SIZER" tool.
Note
Influence of deactivated drives on the required CPU time
Please note that the deactivated drives also affect the required CPU time. In the case of
utilization limits being reached, it is sufficient to deactivate one drive. This drive must then
be deleted.

● PROFIsafe (via PROFIBUS/PROFINET)


– The monitoring cycle (p9500) must be an integer multiple of the actual value update
cycle. p9511 is generally used for the cycle time for actual value acquisition. If p9511 =
0, the isochronous PROFIBUS communication cycle is used in isochronous operation;
in non-isochronous operation, the actual value update cycle is then 1 ms.
– Actual value acquisition cycle ≥ 4 · current controller cycle
Recommendation: Actual value acquisition cycle ≥ 8 · current controller cycle.
Note
Actual value sensing cycle for safety functions without encoder
This is not applicable when using safety functions without encoder: In this case, the
actual value sensing cycle must be configured to be the same as the current controller
cycle.

Note
Actual value acquisition cycle clock for SINAMICS S120M
SINAMICS S120M only allows a fixed actual value acquisition cycle clock of 2 ms: For
SINAMICS S120M, only 2 ms or 0 will be accepted for p9511 (in the latter case, 2 ms is
accepted internally – regardless of the PROFIBUS DP‑/PN cycle clock).

– Depending on the set sampling time of the current controller (p0115[0]), the maximum
number of controllable drives will vary (see SINAMICS S120 Function Manual drive
functions, Chapter "System control, sampling times, and DRIVE-CLiQ wiring").
● TM54F
The sampling time of the TM54F must be set the same as the monitoring cycle of the Safety
Integrated function used (p10000[0..5] = p9500 or r9780).
Note
Relationship between the monitoring cycle and the PROFIsafe scan cycle
The safety functions are carried out in the monitoring cycle (r9780 for Basic Functions or
p9500 for Extended/Advanced Functions). PROFIsafe telegrams are evaluated in the
PROFIsafe scan cycle, which corresponds to twice the monitoring cycle.

7.7.5.2 Overview of important parameters

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9500 SI Motion monitoring clock cycle (Control Unit) (Extended and Advanced
Functions)
● p9511 SI Motion actual value acquisition clock (Control Unit)
● r9780 SI monitoring cycle (Control Unit)
● p10000[0..5] SI TM54F communication clock
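
The rules from "Setting the sampling times" written as a configuration check. This is an added example, not part of the Siemens manual or of any Siemens tool: the DriveTiming container, its field names and the sample values are assumptions, and the cycle values are expected to have been read from the drive beforehand.

```python
"""Check Safety Integrated sampling times against the rules in section 7.7.5.1."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Finding = Tuple[str, str, str]  # (severity, object, message)


@dataclass
class DriveTiming:
    """Cycle settings of one drive in microseconds (hypothetical container)."""
    name: str
    monitoring_cycle_us: int        # p9500, or r9780 for Basic Functions
    p9511_us: int                   # actual value acquisition clock, 0 = derived
    p0115_0_us: int                 # current controller cycle p0115[0]
    encoderless: bool = False       # safety functions without encoder
    s120m: bool = False             # SINAMICS S120M
    isochronous_bus_cycle_us: Optional[int] = None  # set only in isochronous operation


def acquisition_cycle_us(d: DriveTiming) -> int:
    """Effective actual value acquisition cycle, resolving p9511 = 0."""
    if d.s120m:
        return 2000                 # fixed 2 ms, also used internally for p9511 = 0
    if d.p9511_us != 0:
        return d.p9511_us
    if d.isochronous_bus_cycle_us is not None:
        return d.isochronous_bus_cycle_us
    return 1000                     # non-isochronous operation: 1 ms


def profisafe_scan_cycle_us(d: DriveTiming) -> int:
    """PROFIsafe telegrams are evaluated at twice the monitoring cycle."""
    return 2 * d.monitoring_cycle_us


def check_drive(d: DriveTiming) -> List[Finding]:
    """Apply the per-drive rules and return every violation found."""
    out: List[Finding] = []
    if not 500 <= d.monitoring_cycle_us <= 25_000:
        out.append(("ERROR", d.name, "monitoring cycle outside 500 us to 25 ms"))
    if d.s120m and d.p9511_us not in (0, 2000):
        out.append(("ERROR", d.name, "S120M accepts only 2 ms or 0 for p9511"))
    acq = acquisition_cycle_us(d)
    if d.monitoring_cycle_us % acq != 0:
        out.append(("ERROR", d.name,
                    "monitoring cycle is not an integer multiple of the acquisition cycle"))
    if d.encoderless:
        # Without encoder the 4x/8x rule does not apply; the cycles must match.
        if acq != d.p0115_0_us:
            out.append(("ERROR", d.name,
                        "without encoder: acquisition cycle must equal current controller cycle"))
    elif acq < 4 * d.p0115_0_us:
        out.append(("ERROR", d.name, "acquisition cycle < 4 x current controller cycle"))
    elif acq < 8 * d.p0115_0_us:
        out.append(("WARN", d.name, "acquisition cycle < 8 x current controller cycle"))
    return out


def check_system(drives: Sequence[DriveTiming],
                 tm54f_p10000_us: Sequence[int] = ()) -> List[Finding]:
    """Per-drive rules plus the rules that span all drives and the TM54F."""
    out: List[Finding] = []
    for d in drives:
        out.extend(check_drive(d))
    cycles = {d.monitoring_cycle_us for d in drives}
    if len(cycles) > 1:
        out.append(("ERROR", "system",
                    f"monitoring cycle differs between drives: {sorted(cycles)}"))
    for i, value in enumerate(tm54f_p10000_us):
        if value not in cycles:
            out.append(("ERROR", "TM54F",
                        f"p10000[{i}] = {value} us matches no drive monitoring cycle"))
    return out


# Constructed sample configuration (not taken from a real drive).
SAMPLE = [
    DriveTiming("axis_1", 12_000, 1_000, 125),
    DriveTiming("axis_2", 12_000, 500, 125),                      # 4 x only, not 8 x
    DriveTiming("axis_3", 12_000, 1_000, 125, encoderless=True),  # must be 125 us
    DriveTiming("axis_4", 8_000, 1_000, 125, s120m=True),         # p9511 and cycle wrong
]

if __name__ == "__main__":
    for sev, obj, msg in check_system(SAMPLE, tm54f_p10000_us=[12_000, 4_000]):
        print(f"{sev:5} {obj:7} {msg}")
```
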

7.8 Commissioning: Basic procedure

7.8.1 Making basic settings

7.8.1.1 Starting the safety commissioning

Requirement
For safety reasons, in Startdrive you can only set the safety-relevant parameters of the 1st
channel offline. To set the safety-relevant parameters of the 2nd channel, the drive must be
online. The settings are protected by a password.

Icon Description
Startdrive is not online.

Startdrive is online. The processing mode is not activated yet.

Startdrive is online. The processing mode is active. In addition to the safety marking,
a "pin" is displayed in the secondary navigation.

Activating safety settings


1. Click the "Go online" icon.
2. Click the icon in the toolbar of the parameterization editor.
The dialog for the password input opens.
3. Enter the password.
You only have to enter a new password at the first start to replace the default password.
4. Click "OK" to accept the settings.
The safety commissioning is activated.

7.8.1.2 Making basic safety settings

☐ "Drive axis > Parameter > Safety Integrated > Function selection"

Selecting the safety functionality

Note
You can select the safety functionality offline. The selection can be made online with active
Safety commissioning (processing mode).

1. Select the required functionality in the first drop-down list:


– No Safety Integrated Function
– Basic Functions
– Extended / Advanced Functions
If you select Basic Functions or Extended / Advanced Functions, a screen form with
additional setting options is displayed.
Note
The Extended Functions and the Advanced Functions are called in the same way. Startdrive
shows the functions for which you have purchased a license.
If you have a license for Advanced Functions, the Extended Functions are also
automatically included. If you have a license for Extended Functions only, only these
functions will be displayed.

Making the basic settings for the Safety Integrated Basic Functions
1. Select the setting "Basic Functions" in the first drop-down list:

Figure 7-2 Basic Functions

2. Select one of the following settings in the "Control type" drop-down list:
– via PROFIsafe
The "Basic functions via onboard terminals" option is automatically active.
– via onboard terminals
In the lower part of the screen form the corresponding functions are active.
3. Click the button for the required function.
The corresponding screen form is displayed.
4. Parameterize the function (see Chapter "Basic Functions (Page 293)").

Making the basic settings for the Safety Integrated Extended/Advanced Functions
1. Select the setting "Extended/Advanced Functions" in the first drop-down list.

Figure 7-3 Extended Functions

2. In the second drop-down list, select whether a safety-capable encoder is used:


– with encoder
– without encoder
3. Select one of the following settings in the "Control type" drop-down list:
– via PROFIsafe
The "Basic functions via onboard terminals" option is automatically active.
– without selection
Only for SBC, SBT, SDI and SLS. SBT only for Extended / Advanced Functions with an
encoder.
4. Activate or deactivate the "Basic functions via onboard terminals" option.
The associated Safety Integrated Functions are then active in the lower part of the screen
form:
– Stop functions
– Braking functions
– Motion monitoring
– Position monitoring (= Advanced Functions)
5. Click the button for the required Safety Integrated Function.
Parameterize the function (see Chapter "Extended and Advanced Functions (Page 297)").

7.8.1.3 Accepting the settings in the drive


After you have parameterized all safety functions, the drive must accept the settings.

Note
To accept the settings in the drive, it must be online.

1. To accept the settings and deactivate the safety functions, click the icon in the toolbar.
The following steps are executed:
– The parameter settings are copied from CPU 1 to CPU 2.
– Copy RAM to ROM is offered.
– Safety mode is deactivated, the icon now has a yellow border.
2. Go offline with the drive.
You can now continue with the further settings of the parameterization. The dialogs are no
longer deactivated.

7.8.1.4 Changing the safety password

❒ "Drive axis > Parameter > Safety Integrated > Enter password"
The safety password protects safety parameters against maloperation. Always assign a strong
password, to enable protection. To reset the password to the factory setting, you require the
valid password.

Note
The safety password does not have the quality of a password in the security sense (protection
against unauthorized access, e.g. by an attacker); it has the quality of write protection (e.g.
protection against maloperation).

Requirement
● The drive axis is ONLINE.
The safety password can only be read or changed in online mode.

Procedure
To change the safety password, proceed as follows:
1. Enter the current password at the top.

Figure 7-4 Entering the password

2. Enter the new password at the bottom.


3. Enter the new password again at the bottom.
4. Click "Change password" to accept the new password.

7.8.2 Basic Functions

7.8.2.1 Commissioning with Startdrive

Configuring Safety Functions


Proceed as follows to configure the Safety Integrated Functions STO, SS1 and SBC:
1. Call the "STO/SS1/SBC" safety functions.

Figure 7-5 Safety Integrated Basic Functions STO, SS1 and SBC

2. Click the button ("Select STO") to configure the STO function.


The "Control" screen form opens. The display of the screen form depends on the basic
settings of the Safety Integrated Basic Functions.
3. In this screen form, configure the controls via the fail-safe inputs and outputs and/or
PROFIsafe.

Figure 7-6 Example: Control of STO

4. Call "STO/SS1/SBC" again.

5. To configure the "SS1" function, set the delay time until the start of "STO" in the "Safe stop
1 delay time" field.
6. Then connect the signal source r9773.1 for the "STO active in the drive" function.
7. Click the button (brake control) to configure the "SBC" function.

Figure 7-7 Example: Brake control without motor holding brake

8. Click "Save project" in the toolbar to save the changes in the project.
9. Accept these settings in the drive: Chapter "Accepting the settings in the drive (Page 291)"

Result
You have configured the Safety Integrated Basic Functions.

7.8.2.2 Commissioning via direct parameter access


To commission the Basic Functions "STO", "SBC" and "SS1" via terminals, proceed as follows:

Table 7-2 Commissioning the "STO", "SBC" and "SS1" Basic Functions

No. Parameter Description/comments


1 p0010 = 95 Setting Safety Integrated commissioning mode.
● The following alarms and faults are output:
– A01698 (SI CU: Commissioning mode active)
During first commissioning only:
– F01650 (SI CU: Acceptance test required) with fault value = 130 (no Safety Integrated
parameters exist for the Motor Module).
– F30650 (SI MM: Acceptance test required) with fault value = 130 (no Safety Integrated
parameters exist for the Motor Module).
Acceptance test and test certificate, see step 17.
● The pulses are safely suppressed.
● An existing and parameterized motor holding brake has already been applied.
● In this mode, fault F01650 or F30650 with fault value = 2003 is output after a Safety
Integrated parameter is changed for the first time.
This behavior applies for the entire duration of Safety Integrated commissioning, that means, the
"STO" function cannot be selected/deselected while Safety Integrated commissioning mode is
active because this would constantly force safe pulse suppression.
2 p9761 = "Value" Entering Safety Integrated password.
When Safety Integrated is commissioned for the first time, the following applies:
● Safety Integrated password = 0
● Default setting for p9761 = 0
This means that the Safety Integrated password does not need to be set during first
commissioning.
3 p9601.0 = 1 Enabling "Safe Torque Off" function (STO).
4 p9602 = 1 Enabling "Safe Brake Control" function (SBC).
● SBC cannot be used alone, but only in conjunction with one of the STO and SS1 functions.
5 p9652 > 0 Enabling "Safe Stop 1" function (SS1).
● The "Safe Stop 1" function is not activated until at least one Safety Integrated monitoring
function has been enabled (i.e. p9601 ≠ 0).

6 p9620 = "fast DI on CU" Set terminals for "Safe Torque Off (STO)".
Terminal "EP" Wire terminal "EP" (enable pulses) on the Motor Module.
● Control Unit monitoring channel:
By appropriately interconnecting BI: p9620 for the individual drives, the following is possible:
– Selecting/deselecting the STO
– Grouping the terminals for STO
● Motor Module monitoring channel:
By wiring the "EP" terminal accordingly on the individual Motor Modules, the following is
possible:
– Selecting/deselecting the STO
– Grouping the terminals for STO
Note:
The STO terminals must be grouped identically in both monitoring channels.
7 p9650 = "Value" Set F-DI changeover tolerance time.
F-DI changeover tolerance time on Control Unit
● The parameter is not changed until Safety Integrated commissioning mode has been exited
(i.e. when p0010 ≠ 95 is set).
● Due to the different runtimes in the two monitoring channels, an F-DI changeover (e.g.
selection/deselection of STO) does not take immediate effect. After an F-DI changeover,
dynamic data is not subject to a data cross-check during this tolerance time.
8 p9651 = "Value" Debounce time for the failsafe digital inputs to control STO/SBC/SS1
9 p9658 = "Value" Set transition period from STOP F to STOP A.
● STOP F is the stop response that is initiated when the data cross-check is violated as a result
of fault F01611 or F30611 (SI: Defect in a monitoring channel). STOP F initiates "No stop
response" as default setting.
● After the parameterized time has expired, STOP A (immediate Safety Integrated pulse
inhibit) is triggered by the fault F01600 or F30600 (SI: STOP A triggered).
The default setting for p9658 is 0 (i.e. STOP F immediately results in STOP A).
10 p9659 = "Value" Time for carrying out forced checking procedure and testing the Safety Integrated shutdown
paths.
● After this time has expired, the user is requested to test the switch-off paths as a result of
alarm A01699 (SI CU: Necessary to test the switch-off signal paths) (i.e. select/deselect
STO).
● The commissioning engineer can change the time required for carrying out the forced
checking procedure and testing the Safety Integrated shutdown paths.
11 Setting a new Safety Integrated password.
p9762 = "Value" Enter a new password.
p9763 = "Value" Confirm the new password.
● The new password is not valid until it has been entered in p9762 and confirmed in p9763.
● As of now, you must enter the new password in p9761 to change Safety Integrated
parameters.
● Changing the Safety Integrated password does not mean that you have to change the
checksums.

12 Parameterizing Safe Brake Adapter.
p9621 = "value" ● Set with p9621 the signal source for the Safe Brake Adapter.
p9622[0...1] = "value" ● Set with p9622 the wait times for switching on and switching off the Safe Brake Adapter relay.
13 Saving and copying the Safety Integrated Functions parameters.
p9700 = 57 hex
p9701 = DC hex
After setting the specific parameters of the Safety Integrated Functions, they must be copied
from the Control Unit into the Motor/Power Module and then activated:
● p9700 SI Motion copy function
● p9701 SI Motion confirm data change
14 p0010 = 0 Exiting Safety Integrated commissioning mode.
● The checksums are checked if at least one Safety Integrated monitoring function is enabled
(p9601 ≠ 0):
If the target checksum on the Control Unit has not been correctly adapted, then fault F01650
(SI CU: Acceptance test required) is output with fault code 2000 and it is not possible to exit
the Safety Integrated commissioning mode.
If the target checksum on Motor Modules has not been correctly adapted, then fault F01650
(SI CU: Acceptance test required) is output with fault code 2001 and it is not possible to exit
the Safety Integrated commissioning mode.
● If a Safety Integrated monitoring function has not been enabled (p9601 = 0), the Safety
Integrated commissioning mode is exited without the checksums being checked.
When the Safety Integrated commissioning mode is exited, the following is carried out:
● A POWER ON must be performed after the initial commissioning. This is indicated with the
A01693 message.
15 p0971 = 1
p0977 = 1
All drive parameters (entire drive group or only single axis) must be manually saved from RAM
to ROM. This data is not saved automatically!
16 POWER ON Carry out POWER ON.
After commissioning, a reset must be carried out with POWER ON.
17 - Carry out acceptance test and create test certificate.
Once Safety Integrated commissioning is complete, the commissioning engineer must carry out
an acceptance test for the enabled Safety Integrated monitoring functions.
The results of the acceptance test must be documented in an acceptance certificate.

7.8.3 Extended and Advanced Functions

The following is a description of how you commission the Safety Integrated Extended Functions
in Startdrive, using SS1 as an example. The screen forms shown here are examples from the
offline commissioning. To complete commissioning, you must subsequently establish an online
connection between Startdrive and the drive.

7.8.3.1 SS1 (Extended Functions)


Make the settings for the motor deceleration in the "SS1" screen form. The "SS1" function
brakes the motor, monitors the magnitude of the motor deceleration within specified limits, and
after a delay time or violation of a speed threshold, triggers the "STO" function.

Figure 7-8 Safe Stop 1 (example)

Configuring the motor deceleration with internal braking response (OFF 3)


1. Select the "[0] SS1 with OFF 3" setting from the "Braking response" drop-down list.
The screen form is structured accordingly.
2. Select the monitoring type in the "Monitoring" drop-down list:
– with SAM
– with SBR
3. Click "Monitoring" and parameterize the alternative brake monitoring functions "SAM" and
"SBR" in the dialog.
4. Enter the required delay time in the "Delay time SS1 -> STO active" (p9556) input field.
5. Enter the required delay time in the "Safe stop 1 delay time" (p9652) input field.
6. Interconnect the signal source "STO active in the drive" (r9773.1).
7. If you want to receive an alarm acknowledgment via STO, activate the option with the same
name.
8. Click "Save project" in the toolbar to save the changes in the project.

Configuring the motor deceleration with external stop

WARNING
Any axis motion is possible
During the delay time (p9652), for "Safe Stop 1 (time-controlled) with external stop", any axis
movements are possible.

1. Select the "[1] SS1E external stop" setting from the "Braking response" drop-down list.
The screen form is structured accordingly.
2. Enter the required delay time in the "Delay time SS1 -> STO active" (p9556) input field.
3. Enter the required delay time in the "Safe stop 1 delay time" (p9652) input field.
4. Interconnect the signal sink "STO active in the drive" (r9773.1).
5. If you want to receive an alarm acknowledgment via STO, activate the option with the same
name.
6. Click "Save project" in the toolbar to save the changes in the project.

Completing parameter assignment


● Parameterize all the functions you have selected in a similar way.
● Accept these settings in the drive: Chapter "Accepting the settings in the drive (Page 291)"

7.8.4 General settings

7.8.4.1 Parameterizing the actual value acquisition / mechanical system


The actual value acquisition / mechanical system can only be parameterized for the Extended
Functions.
For parameterization of the actual value acquisition, only the parameters required for your
configuration are offered:

Each entry below gives the setting, its parameter, and whether it is required for the
configuration (encoder system, motor type, axis type) in columns ① ② ③ ④ ⑤ ⑥ ⑦
(x = required, – = not required).

Axis type p9502 x x x x x x x
Select the "Linear axis" or "Rotary axis / spindle" axis type.

Topology p9526 x x x x x – –
Select whether you are using a "1-encoder system" or a "2-encoder system."

Modulo range - only for rotary axis / spindle p9505 x x x – – – –
Set the modulo value in degrees for rotary axes for the "Safe Position" function here. This
modulo value is taken into account for safe homing and for the transfer of the safe position
via PROFIsafe when absolute position is enabled.

p9500 x x x x x x x
The safety functions are executed in the sampling time displayed in the "Monitoring cycle".

p9511 x x x x x x x
The actual value acquisition cycle defines the cycle time in which the actual values for Safety
Integrated are acquired.
● A slower cycle time reduces the maximum permissible velocity, but also reduces the load on
the Control Unit for safe actual value acquisition.
● The maximum permissible velocity which, if overshot, can trigger faults in the safe actual
value acquisition, is displayed in r9730.
Setting criteria if the motion monitoring functions are executed without an encoder:
● The actual value acquisition cycle must be set the same as the current controller cycle
(p0115).

– x x x x x x x
The "Accept encoder data" button is available online and allows you to update the safety
parameters.
Depending on whether the configuration is a 1-encoder or 2-encoder system, the appropriate
encoder parameters are copied from the basic system to the corresponding safety parameters.

Direction of rotation reversal p9539[0] x x x – – – –
Here, you can set whether a direction of rotation reversal is involved for the particular gearbox.

Pulse number p9518 x x x x x – –
This field shows the number of pulses of the encoder used.

Fine resolution p9519 x x x x x – –
This field shows the number of bits of the encoder control word used.

Load revolutions / encoder revolutions p9521, p9522 x x x – – x x
In this section you can parameterize a gear ratio for the encoders used. The gear ratio is the
ratio of encoder revolutions to revolutions of the drive shaft (load revolutions).
● "Number of load revolutions" allows you to enter the number of load revolutions.
● "Number of encoder revolutions" allows you to enter the number of encoder revolutions.

Gear ratio p9321, p9322 x – – – – – –
Sets the denominator and numerator for the gearbox between the encoder (or motor for
encoderless monitoring functions) and load.

p9318 x – x – x – –
Here, you parameterize the number of encoder pulses for the encoder that is used for safe
motion monitoring on the Motor Module.

p9319 x – x – x – –
Here, you parameterize the fine resolution for the encoder that is used for safe motion
monitoring on the Motor Module.

p9501.3 x – x – x – –
The mean value of the actual values of both channels is calculated cyclically after actual value
synchronization has been activated, for example, for systems or machines with slip. The
maximum slip defined in p9549 is monitored once per cross-check cycle (r9724).
If "Actual value synchronization" is not enabled, the value parameterized in p9542 is used as
tolerance value for the cross-checking.

Actual value tolerance p9542 x – x – x x x
Here, you set the tolerance for the crosswise comparison of the actual position between the
two monitoring channels.

Velocity tolerance p9549 x – x – x – –
Here, you set the maximum tolerance for the crosswise comparison of the actual velocity (only
if actual value synchronization has been activated).

Leadscrew pitch p9520 – – – – – x –
Here, you set the transmission ratio between the encoder and load in mm (linear axis with
rotary encoder) (only available for linear axis).

Pole pair number p0313 – – – – – x x
The safe actual value acquisition without encoder calculates the electric speed of the drive.
The pole pair number specifies the factor with which the electrical speed must be multiplied in
order to obtain the mechanical speed at the motor shaft.

Legend for table header:

① 2-encoder, rotary, rotary
② 1-encoder, rotary, linear
③ 2-encoder, rotary, linear
④ 1-encoder, linear, linear
⑤ 2-encoder, linear, linear
⑥ Without encoder, linear
⑦ Without encoder, rotary

7.8.4.2 Configuring the control of the safety functions

❒ "Drive axis > Parameter > Safety Integrated > Control"

Control
In the "Control" screen form, you can parameterize the settings of the SINAMICS S120 for the
failsafe inputs and outputs or the control via PROFIsafe.
In this screen form, Startdrive shows only those parameters that you have to take into account
for the selected control mode.

Figure 7-9 Example: Control via PROFIsafe and F-DI

F-DI configuration
The signal states at the two terminals of an F-DI are monitored to determine whether they
attain the same logical signal state within the discrepancy time.
The time delay that is unavoidable due to mechanical switching, for example, can be adapted
via parameters. The time within which the selection or deselection must be performed in both
monitoring channels in order to qualify as "simultaneous", is specified with p9650.

For internal faults or limit value violations, the drive-internal safety functions issue safety faults.
1. Interconnect signal source p9620 for STO, SS1 or SBC to the Control Unit.
Only the fixed zero and digital inputs DI 0 ... 7, 16, 17, 20 and 21 are permissible as signal
sources.
2. Enter a discrepancy time in the "Discrepancy time" (p9650) field.
3. Enter a time for the input filter (debounce time) in the "F-DI input filter" (p9651) field.
The debounce time is rounded off to whole ms and then accepted. This debounce time
applies for the F-DIs and the readback input for the forced checking procedure. The
debounce time specifies the maximum time an interference pulse can be present at F-DIs
before being interpreted as a switching operation.
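
How the input filter (p9651) and the discrepancy time (p9650) interact on a two-channel F-DI can be seen in a small timing model. This is an added example and a simplified model, not the drive firmware's algorithm and not part of the Siemens manual: the function names, the edge-list representation and all sample traces are assumptions.

```python
"""Simplified model of F-DI input filtering (p9651) and discrepancy monitoring (p9650)."""
from typing import Dict, List, Optional, Tuple

Edge = Tuple[int, int]  # (time in ms, new level 0/1)


def debounce(edges: List[Edge], debounce_ms: int, initial: int = 1) -> List[Edge]:
    """Drop pulses that last no longer than debounce_ms; return the accepted edges.

    Model assumption: an accepted edge becomes visible debounce_ms after the raw
    edge, because the filter has to wait that long before it can decide.
    """
    # Keep only real level changes so that consecutive edges alternate.
    changes: List[Edge] = []
    level = initial
    for t, new in sorted(edges):
        if new != level:
            changes.append((t, new))
            level = new
    accepted: List[Edge] = []
    i = 0
    while i < len(changes):
        t, new = changes[i]
        if i + 1 < len(changes) and changes[i + 1][0] - t <= debounce_ms:
            i += 2          # interference pulse: ignore both of its edges
            continue
        accepted.append((t + debounce_ms, new))
        i += 1
    return accepted


def first_discrepancy(ch1: List[Edge], ch2: List[Edge], discrepancy_ms: int,
                      trace_end_ms: int, initial: int = 1) -> Optional[int]:
    """Time at which both terminals have differed for longer than discrepancy_ms,
    or None if they always reach the same state in time."""
    events = sorted([(t, 0, lvl) for t, lvl in ch1] +
                    [(t, 1, lvl) for t, lvl in ch2] +
                    [(trace_end_ms, 2, 0)])     # channel 2 = end-of-trace marker
    state = [initial, initial]
    differ_since: Optional[int] = None
    for t, ch, lvl in events:
        if differ_since is not None and t - differ_since > discrepancy_ms:
            return differ_since + discrepancy_ms
        if ch == 2:
            break
        state[ch] = lvl
        if state[0] == state[1]:
            differ_since = None
        elif differ_since is None:
            differ_since = t
    return None


def evaluate_fdi(raw1: List[Edge], raw2: List[Edge], debounce_ms: int,
                 discrepancy_ms: int, trace_end_ms: int) -> Dict[str, object]:
    """Filter both terminals, then run the discrepancy check on the result."""
    f1 = debounce(raw1, debounce_ms)
    f2 = debounce(raw2, debounce_ms)
    return {"ch1": f1, "ch2": f2,
            "discrepancy_at": first_discrepancy(f1, f2, discrepancy_ms, trace_end_ms)}


# Constructed traces: (terminal 1 edges, terminal 2 edges), times in ms.
CLEAN = ([(100, 0), (900, 1)], [(104, 0), (903, 1)])  # contacts 3-4 ms apart
GLITCH = ([(50, 0), (51, 1)], [])                     # 1 ms interference pulse
STUCK = ([(100, 0)], [])                              # terminal 2 never follows

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN), ("glitch", GLITCH), ("stuck", STUCK)):
        print(name, evaluate_fdi(*trace, debounce_ms=2, discrepancy_ms=500,
                                 trace_end_ms=2000))
```

With the filter set to 0 ms, the glitch trace is passed on as two real switching edges; with 2 ms it disappears, while the stuck terminal is reported once the discrepancy time has run out.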

PROFIsafe configuration
The PROFIsafe address is required for control of the safety functions via PROFIsafe.
1. Click the icon "Telegram configuration".
The properties of the PROFINET interface are displayed in the Inspector window. The
"Cyclic data traffic" setting range is active. Here you define the telegrams for the drive
objects.
2. Click the <Add telegram> entry in the telegram configuration of "Drive axis_x".
3. Select the "Add safety telegram" option in the drop-down list of the entry:
Startdrive then inserts the "Safe actual value" and "Safe setpoint" lines. The relevant
PROFIsafe telegrams are preassigned.
4. Open the new "Safe setpoint" screen form (for Drive axis_x) in the Inspector window.
5. Correct the PROFIsafe address of the drive in the "F-address" field.
6. In the function view, switch back to the "control" screen form.
The value of the F-address is displayed in the "PROFIsafe address" (p9610) field. A
preassigned PROFIsafe telegram is displayed in the "PROFIsafe telegram no." drop-down
list.
7. Click "Accept values" to transfer the telegram from the default settings into the Safety
programming.
8. Select the desired stop response for a failure of the PROFIsafe communication in the
"PROFIsafe failure response" (p9612) drop-down list.

Note
Unique PROFIsafe addresses
You must ensure the unique assignment of the PROFIsafe address throughout the network and
the CPU.
● The fail-safe I/O of PROFIsafe address type 1 is uniquely addressed by its fail-safe
destination address.
● The fail-safe destination address of the fail-safe I/O (drive units in this case) must be unique
for the entire fail-safe I/O throughout the network and the CPU (system-wide). The fail-safe
I/O of PROFIsafe address type 2, e.g. modules of the ET 200SP type, must also be taken
into account.
● Note also the corresponding documentation in the TIA Portal online help in Section
"SIMATIC Safety - Configuration and programming". (SDR001)

Without selection - configuration


As an alternative to controlling via terminals and/or PROFIsafe, there is also the option to
parameterize the "SDI" or the "SLS" functions without selection. In this case, the SDI function
is permanently active after POWER ON (with encoder) or becomes active after switching on
(without encoder) (see SDI (Extended Functions) (Page 65)). With the "SLS" function without
selection, there is no delay time and the function is permanently active after POWER ON (with
encoder), or it becomes active when switched on (without encoder) (see SLS (Extended
Functions) (Page 56)).
1. Select whether SLS or SDI should be selected permanently in the respective drop-down list.

7.8.4.3 Forced checking procedure (test stop)

❒ "Drive axis > Parameter > Safety Integrated > Test stop"

"Test stop" screen form


Parameterize the settings for the forced checking procedure (test stop) in the "Test stop"
screen form.
To meet the requirements of the DIN EN ISO 13849‑1 and IEC 61508 standards in terms of
timely fault detection, the converter must test its safety-related circuits regularly - at least once
a year - for correct functioning. The converter monitors the regular test of its safety-related
circuits that monitor the speed of the motor and that safely interrupt the torque-generating
energy supply to the motor through the safe pulse suppression.

Test stop for Basic Functions

Figure 7-10 Example: Basic Functions

To parameterize the forced checking procedure (test stop) for the Basic Functions, proceed as
follows:
1. Enter the interval for performing dynamization and testing the safety shutdown paths in the
"Timer" (p9659) field.
Within the parameterized time, the "STO" function must be selected and deselected at least
once. The monitoring time is reset at every STO deselection.
2. Connect the "Test stop required" (r9773.31) signal sink to a digital output or to a bit in the
status word of the fieldbus.
Note
Resetting the timer of the Basic Functions
If the associated forced checking procedure (test stop) is performed while the
Extended/Advanced Functions are used at the same time, the Basic Functions timer is also reset.
While STO is selected via the Extended/Advanced Functions, the terminals for the selection
of the Basic Functions are not checked for discrepancy. This means that the forced
checking procedure (test stop) of the Basic Functions must always be performed without the
selection of STO or SS1 via the Extended/Advanced Functions. It is otherwise not possible
to verify the correct control by the terminals.

Extended/Advanced Functions test stop

Note
If the "Basic functions via onboard terminals" option is active for the Extended/Advanced
Functions, you must make the test stop settings for the Basic Functions as well as for the
Extended/Advanced Functions.

Figure 7-11 Example: Extended and Advanced Functions

To parameterize the forced checking procedure (test stop) for the Extended Functions,
proceed as follows:
1. If the test stop is to be executed during ramp-up, establish a connection for "Execute test
stop automatically during ramp-up". The line in the button must be continuous.
- Or -
If the test stop is not to be executed automatically during ramp-up, select the signal (p9705)
that is to trigger the forced checking procedure. Make sure that the connection for "Execute
test stop automatically during ramp-up" is interrupted.
2. Enter the interval for performing the forced checking procedure and testing the safety
shutdown paths in the "Timer" (p9559) field.
Within the parameterized time, the "STO" function must be selected and deselected at least
once. The monitoring time is reset at every STO deselection.
3. Connect the "Test stop required" (r9723.0) signal sink to a digital output or to a bit in the
status word of the fieldbus.

Status display
The following elements show the current status of the forced checking procedure:
● Time remaining:
Shows the time remaining until the forced checking procedure and the test of the safety
shutdown paths are performed (r9660 for the Basic Functions, r9765 for the Extended
Functions).
● Test stop required:
Shows that a forced checking procedure (test stop) must be performed on the drive.
Evaluate alarm A01699 in your higher-level controller, for example, by connecting r9773.31
or r9723.0 to a digital output or a bit in the fieldbus status word (r9773.31 for the Basic
Functions, r9723.0 for the Extended/Advanced Functions).
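
The timer rule described above (reset at every STO deselection, "Test stop required" once the interval has elapsed) can be checked offline against recorded STO events. The following is an added example, not part of the manual: the log format is constructed, and taking the timer value (p9659 or p9559) in hours is an assumption to be checked against the List Manual.

```python
from datetime import datetime, timedelta

# Constructed log of STO selection changes for one drive, e.g. exported from a
# controller historian. The line format is an assumption for this example.
SAMPLE_LOG = """\
2020-06-01T06:00:00 STO selected
2020-06-01T06:00:05 STO deselected
2020-06-01T13:30:00 STO selected
2020-06-01T13:30:04 STO deselected
2020-06-02T02:00:00 STO selected
2020-06-02T02:00:03 STO deselected
"""


def parse_events(log_text):
    """Turn 'timestamp STO selected|deselected' lines into (datetime, state)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _, state = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), state))
    return events


def overdue_windows(log_text, timer_hours, observed_until):
    """Return (start, end) periods in which "Test stop required" would be set.

    The monitoring time restarts at every STO deselection that follows a
    selection. The first deselection in the log is taken as the starting
    point because the timer state before the log begins is unknown.
    """
    limit = timedelta(hours=timer_hours)
    windows = []
    last_reset = None
    selected = False
    for stamp, state in parse_events(log_text):
        if state == "selected":
            selected = True
        elif state == "deselected" and selected:
            selected = False
            # Timer expired before this test stop: the alarm (A01699) was
            # pending from expiry until this deselection.
            if last_reset is not None and stamp - last_reset > limit:
                windows.append((last_reset + limit, stamp))
            last_reset = stamp
    # Timer expired after the last test stop and is still pending.
    if last_reset is not None and observed_until - last_reset > limit:
        windows.append((last_reset + limit, observed_until))
    return windows


if __name__ == "__main__":
    end = datetime(2020, 6, 2, 12, 0, 0)
    for start, stop in overdue_windows(SAMPLE_LOG, 8, end):
        print(f"Test stop required from {start} to {stop}")
```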

7.8.4.4 Function status of the Safety Integrated settings

❒ "Drive axis > Parameter > Safety Integrated > Function status"

"Function status" screen form


The "Function Status" screen form displays a list of all Safety Integrated Functions on the left.

Figure 7-12 Example: Safety Integrated Function status

Display
All Safety Integrated Functions activated in Startdrive are identified by a green LED.
In addition, the most important information of the selected Safety Integrated Functions is
displayed.
The status information is displayed on the right-hand side of the screen form for:
● Test stop required
Indicates that a forced checking procedure (test stop) is required.
– "Timer test stop" (p9659): Time interval for performing the forced checking procedure
and testing the safety shutdown paths. Within the parameterized time, the STO must be
selected and deselected at least once. The monitoring time is reset at every STO
deselection.
– "Remaining time" (r9660 for the Basic Functions, r9765 for the Extended Functions)
shows the time remaining until the forced checking procedure and the test of the safety
shutdown paths are performed.
● Internal event
Is set when the first safety message occurs.
● Communication failure
The communication (PROFIsafe) has failed.

7.9 Commissioning CU310-2

7.9.1 Basic sequence of commissioning


The following preconditions must be met to configure Safety Integrated on the CU310-2:
● Concluded initial commissioning of all drives
● Connect the sensors to the F-DIs and an actuator to the F-DO (if used)

Configuration sequence
1. Configuring Safety functions of the CU310-2
2. Configuring inputs (if used)
3. Configuring outputs (if used)
4. Copy parameters to the 2nd drive object
5. Change the safety password
6. Activate the configuration by selecting "Activate settings"
7. Save the entire project to Startdrive
8. Save the project in the drive by selecting "Copy RAM to ROM"
9. Execute POWER ON
10. Acceptance test

Note
Commissioning CU310-2
● The CU310-2 is still not available in Startdrive.
● You can find information on commissioning with STARTER in older editions of this manual.

7.9.2 Forced checking procedure (test stop) of the CU310-2

Testing failsafe inputs and outputs


Failsafe inputs and outputs must be tested for fail-safety at defined time intervals (forced
checking procedure or test stop). For this purpose, the CU310‑2 contains a function block that
executes this forced checking procedure (test stop) for the failsafe output when selected via a
BICO source. Each time a forced checking procedure (test stop) is performed without
error, a timer is started to monitor the time until the next required test. After this time interval
(p10003) has elapsed and every time the Control Unit is switched on, the user is informed by
the message A01774 that a forced checking procedure (test stop) must be performed.
● 3 modes can be selected for testing the output (see following chapter).

Note
Testing the sensors for the CU310-2
Unlike TM54F, the sensors connected to the F-DI of the CU310-2 cannot be tested as part of
the forced checking procedure (test stop). The user must cyclically test sensors connected to
the F-DIs. Then it is sufficient to actuate the particular sensor and to check the corresponding
function selection.

Performing a forced checking procedure (test stop)


When parameterizing, proceed as follows:
1. Derive the suitable mode from the circuit used in your application (see figures in the
following chapters).
2. Use parameter p10047 to set the mode that is to be used.
3. Use parameter p10046 to define whether the digital output F‑DO 0 is to be tested.
4. Use parameter p10001 to set the time within which the digital output signals to the
corresponding digital inputs or DIAG inputs must be recognized.
5. With parameter p10003, set the interval within which the forced checking procedure (test
stop) is to be performed. After this interval has elapsed, the user is informed by the message
A01774 that the forced checking procedure (test stop) must be performed for the F‑DI/F‑DO.
6. Set the signal source which triggers the start using parameter p10007. This can be, for
example, a control signal or switch via a BICO switchable signal.
While being executed, message A01772 (test stop failsafe output active) is displayed. The
messages A01772 and A01774 only disappear again after the execution. If an error has been
detected by the forced checking procedure (test stop), fault F01773 is output. Using the test
sequence specified for each mode, you can see which error has occurred from the fault value
of the test step.

WARNING
Danger to life due to unwanted movement given improper use of the feedback DI of the F-DO
With the test sequence, unwanted movements of the drive can be caused if the DI of the F‑DO
is not only used for feedback with test stop/forced checking procedure but also for other
purposes.
● Only use the DI of the F-DO for the feedback signal with forced checking procedure (test
stop) - and not for other purposes.

Forced checking procedure (test stop): Duration


You can calculate the duration using this formula:

TTest stop = 8 · p9500 + 6 · p10001

● 8 · p9500: Test of the F-DO
● 6 · p10001: Evaluation of the active F-DIs

7.9.2.1 Test mode 1: Evaluation of internal diagnostic signal (passive load)

Figure 7-13 F-DO circuit "Test mode 1: Evaluation of internal diagnostic signal (passive load)"

DO+   DO-   Expected response, DIAG signal
OFF   OFF   LOW
ON    ON    LOW
OFF   ON    LOW
ON    OFF   HIGH
OFF   OFF   LOW

Test sequence for test mode 1

7.9.2.2 Test mode 2: Read back F-DO in DI (relay circuit)

Figure 7-14 F-DO circuit "Test mode 2: Read back F-DO in DI (relay circuit)"

DO+   DO-   Expected response, DI signal
OFF   OFF   HIGH
ON    ON    LOW
OFF   ON    LOW
ON    OFF   LOW
OFF   OFF   HIGH

Test sequence for test mode 2

7.9.2.3 Test mode 3: Read back F-DO into the DI (actuator with feedback signal)

Figure 7-15 F-DO circuit "Test mode 3: Read back F-DO into the DI (actuator with feedback signal)"

DO+   DO-   Expected response, DI signal
OFF   OFF   HIGH
ON    ON    LOW
OFF   ON    HIGH
ON    OFF   HIGH
OFF   OFF   HIGH

Test sequence for test mode 3

7.9.2.4 Test stop mode parameters

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● p9500 SI Motion monitoring clock cycle (Control Unit) (Extended and Advanced
Functions)
● p10001 SI Motion wait time for test stop at DO
● p10003 SI Motion forced checking procedure timer
● p10007 BI: SI Motion forced checking procedure F-DO signal source
● p10017 SI Motion digital inputs debounce time (CPU 1)
● p10046 SI Motion F-DO feedback signal input activation
● p10047 SI Motion F-DO test stop mode (processor 1)

7.10 Commissioning TM54F

7.10.1 Basic sequence of commissioning


The following conditions must be met before you can configure the TM54F:
● Initial commissioning of all drives has been completed.
● F-DIs and F-DOs of the TM54F that are to be used must be wired.

Configuration sequence
1. Insert the TM54F
2. Configure the TM54F and generate the drive groups
3. Configure Safety functions of the drive groups
4. Configure inputs, configure outputs
5. Copy parameters to the 2nd drive object (TM54F_SL)
6. Change the safety password
7. Activate the configuration by selecting "Activate settings"
8. Save the entire project to Startdrive
9. Save the project in the drive by selecting "Copy RAM to ROM"
10. Execute POWER ON
11. Acceptance test

Note
Commissioning TM54F
● TM54F is not yet available in Startdrive.
● You can find information on commissioning with STARTER in older editions of this manual.

7.10.2 Forced checking procedure (test stop) of the TM54F

Test failsafe inputs and outputs


Failsafe inputs and outputs must be tested for fail-safety at defined time intervals (forced
checking procedure (test stop)). The TM54F contains a function block that runs this forced
checking procedure (test stop) in the following cases:
● When selected via a BICO source
● Automatically, each time the power supply voltage is switched on (POWER ON)

To monitor the time until the next required test, a timer (p10003) is started after every error-free
forced checking procedure (test stop). The message A35014 "TM54F test stop necessary" is
set on expiration of the monitored time and each time the Control Unit is switched on.
The failsafe digital inputs can be selected for the forced checking procedure (test stop). 3 modes
can be selected for testing the output (see following chapter).
When the appropriate safety devices are implemented (e.g. protective doors), it can be
assumed that running machinery will not pose any risk to personnel. The user is therefore only
informed that the forced checking procedure (test stop) is due in the form of an alarm, which
requests the user to perform the forced checking procedure (test stop) at the next possible
opportunity.
Examples of when the forced checking procedure (test stop) must be performed:
● When the drives are at a standstill after the system has been switched on
● Before opening the protective door
● At defined intervals (e.g. every 8 hours)
● In the automatic mode, time and event-dependent
● Automatically, each time the power supply voltage is switched on (POWER ON)

Performing a forced checking procedure (test stop)


When parameterizing, proceed as follows:
1. Derive the suitable mode from the circuit used in your application (see figures in the
following chapters).
2. Use parameter p10047 to set the mode that is to be used.
3. Use parameter p10046 to define which digital outputs (F‑DO 0 to F‑DO 3) are to be tested.
Note the following:
Digital outputs that are not tested are shut down during the forced checking procedure (test
stop).
4. Use parameter p10041 to define which failsafe digital inputs are to be checked during the
test.
Inputs which do not have L1+ and L2+ power supplies may not be selected for the test.
It is only possible to test the sensors connected to the F-DIs, if these are supplied from L1+
or L2+. If F-DOs of preprocessing devices are connected, forced checking procedure (test
stop) cannot be used for this input.
5. Use parameter p10001 to set the time within which the digital output signals to the
corresponding digital inputs DI 20 ... DI 23 or DIAG inputs must be recognized. Select this
time depending on the maximum response time of the external F‑DO circuit.
6. With parameter p10003, set the interval within which the forced checking procedure (test
stop) is to be performed. After this interval has elapsed, the user is informed by message
A35014 that the forced checking procedure (test stop) must be performed for the TM54F.
7. Set the signal source which triggers the start using parameter p10007. This can be, for
example, a control signal or switch via a BICO switchable signal.
Alternatively, the forced checking procedure (test stop) can be performed automatically
every time the power supply is switched on (POWER ON) (p9507.6 = 1).

During execution, message A35012 (TM54F: Test stop active) is displayed. The values of the F-DIs are
frozen for the duration of the forced checking procedure (test stop). The messages A35014 and
A35012 only disappear again after the execution. If an error is found during the test, fault
F35013 is output. Using the test sequence specified for each mode, you can see which error
has occurred from the fault value of the test step.

CAUTION
F-DO that are fed back must only be used for the forced checking procedure (test stop)
With the sequence, unwanted responses of the drive can be caused if the F-DO is not only
used for feedback with the forced checking procedure (test stop) - but also for other purposes.
● Note that the F-DO for feedback signals for the forced checking procedure (test stop) must
not be used for other purposes.

F-DOs that are not registered for evaluation by means of p10046 are set to "0" for the duration
of the test ("failsafe values").

Forced checking procedure (test stop): Duration


The maximum time period for the test is: TTest stop = TFDIs + TFDOs
● Test of the FDIs: TFDIs = 3 · r10015 + 3 · X ms
(X = 20 ms or r10015 or p10017 - the longest time of the 3 values determines the waiting
time X)
● Test of the FDOs: TFDOs = 8 · r10015 + 6 · Y ms
(Y = p10001 or r10015 or p10017 - the longest time of the 3 values determines the wait
time Y)
The safety functions of the TM54F are executed in the sampling time displayed in r10015. This
sampling time corresponds to the lowest value of the communication sampling time entered in
p10000[0..5].

7.10.2.1 Performing test stop

Performing test stop


Proceed as follows to parameterize the test stop:
1. Determine the appropriate test stop mode for the circuits used in your application (see
diagrams in the following sections).
2. Set the test stop mode which is to be used via parameter p10047.
3. Use parameter p10046 to define whether the digital output F‑DO 0 is to be tested.
4. Set the debounce time for the digital inputs using parameter p10017.
5. Use parameter p10001 to set the time within which the digital output signals to the
corresponding digital inputs or DIAG inputs must be recognized.

6. Use parameter p10003 to set the interval within which a test stop should be carried out. After
this time interval has expired, you will be notified via message A01774 that a test stop must
be performed for the F-DI/DO.
7. Set the signal source which triggers the start of the test stop using parameter p10007. This
can be, for example, a control signal or switch via a BICO switchable signal.
While the test stop is being carried out, the message A01772 (test stop failsafe inputs / outputs
active) appears. The messages A01772 and A01774 only disappear again after the test stop
has been performed. If an error is found during the test stop, fault F01773 is output. Using the
test sequence specified for each test stop mode, you can see which error has occurred from the
fault value of the test step.

Duration of test stop


You can calculate the duration of the test stop by using this formula:

TTest stop = 3 · p10000 + 2 · (3 ms + p10017) + 8 · p10000 + 6 · (p10001 + p10017)

● 3 · p10000: Test of the F-DIs
● 2 · (3 ms + p10017): Evaluation of the inactive F-DIs
● 8 · p10000: Test of the F-DO
● 6 · (p10001 + p10017): Evaluation of the active F-DIs

7.10.2.2 Test mode 1: Evaluation of internal diagnostic signal (passive load)

Figure 7-16 F-DO circuit "Test mode 1: Evaluation of internal diagnostic signal (passive load)"

L1+   L2+   Comment
OFF   ON    F-DIs 0 ... 4 Check for 0 V
OFF   OFF   F-DIs 5 ... 9 Check for 0 V

DO+   DO-   Expected response, DIAG signal
OFF   OFF   LOW
ON    ON    LOW
OFF   ON    LOW
ON    OFF   HIGH
OFF   OFF   LOW

Test sequence for test mode 1

7.10.2.3 Test mode 2: Read back F-DO in DI (relay circuit)

Figure 7-17 F-DO circuit "Test mode 2: Read back F-DO in DI (relay circuit)"

L1+   L2+   Comment
OFF   ON    F-DIs 0 ... 4 Check for 0 V
ON    ON    F-DIs 5 ... 9 Check for 0 V

DO+   DO-   Expected response, DI signal
OFF   OFF   HIGH
ON    ON    LOW
OFF   ON    LOW
ON    OFF   LOW
OFF   OFF   HIGH

Test sequence for test mode 2

7.10.2.4 Test mode 3: Read back F-DO into the DI (actuator with feedback signal)

Figure 7-18 F-DO circuit "Test mode 3: Read back F-DO into the DI (actuator with feedback signal)"

L1+   L2+   Comment
OFF   ON    F-DIs 0 ... 4 Check for 0 V
ON    ON    F-DIs 5 ... 9 Check for 0 V

DO+   DO-   Expected response, DI signal
OFF   OFF   HIGH
ON    ON    LOW
OFF   ON    HIGH
ON    OFF   HIGH
OFF   OFF   HIGH

Test sequence for test mode 3

7.10.2.5 Test stop mode: Function diagrams and parameters

Function diagrams (see SINAMICS S120/S150 List Manual)

● 2892 SI TM54F - configuration, F-DI/F-DO Test

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● r10015 SI TM54F sampling time


● p10001 SI TM54F wait time for test stop at DO 0 ... DO 3
● p10003 SI TM54F forced checking procedure timer
● p10007 BI: SI TM54F forced checking procedure F-DI/F-DO signal source
● p10017 SI TM54F digital inputs debounce time
● p10046 SI TM54F F-DO feedback signal input activation
● p10047[0...3] SI TM54F F-DO test stop mode

7.11 PROFIsafe communication

Requirements for PROFIsafe communication


The following minimum software and hardware requirements apply for the configuration and
operation of safety-oriented communication (F communication):

Software:
● SIMATIC Manager STEP 7 V5.5 SP1 or higher
● S7 F Configuration Pack V5.5 SP5 1) or higher
● S7 Distributed Safety Programming V5.4 SP5 1) or higher
● Startdrive V15 SP1
● Drive ES Basic V5.4 SP4 1) or higher 2)
● Correct installation of the software
Hardware:
● A control with safety functions (in our example, SIMATIC F-CPU 317F-2)
● SINAMICS S120 (in our example, a CU320-2)
● Correct installation of the devices
1) When using a SIMATIC F-CPU
2) As an alternative to Drive ES Basic, you can commission the communication using the GSD file.

Note
Required software or hardware components
If a single software or hardware component is either older than those specified in this document
or is missing, PROFIsafe can no longer be configured via PROFIBUS or PROFINET.

7.11.1 PROFIsafe via PROFIBUS

Note
Startdrive
Please note that you cannot yet use this function with Startdrive.
You can find information on how to commission this function with STARTER in older editions
of this manual.

7.11.2 PROFIsafe via PROFINET

An example of how you can control the Safety Integrated Functions of the SINAMICS S120 with
SIMATIC S7-1500F via a PROFIsafe telegram can be found here
(https://support.industry.siemens.com/cs/ww/en/view/109749224).

7.11.3 PROFIsafe configuration with Startdrive

Activating PROFIsafe via the expert list


To activate the Safety Integrated Functions via PROFIsafe, you must set p9601.3 = 1 in
the parameter view. Set bit 0 to either "1" or "0", depending on whether or not you want to
enable control via terminals in parallel with PROFIsafe. The value of p9601.2 selects whether
the Safety Integrated Basic Functions (= 0) or the Extended/Advanced Functions (= 1) are
used.

Note
In addition to configuring the PROFIsafe control, generally additional parameter changes are
required; these depend on which safety functions are used. You will find notes on this in
Chapter "Description of Safety Integrated functions (Page 75)".

Saving and copying the Safety Integrated function parameters


● After setting the specific parameters of the Safety Integrated Functions (e.g. the PROFIsafe
address), these settings must be copied from the Control Unit into the Motor/Power
Module: Accepting the settings in the drive (Page 291)
● Alternatively, you can perform this procedure using the parameter view:
– p9700 SI Motion copy function
– p9701 SI Motion confirm data change

Acceptance test
An acceptance test needs to be carried out once configuration and commissioning are
complete (see Section "Acceptance test (Page 331)").

Note
Changing the collective signature of the safety program
If F parameters of the SINAMICS drive are changed in HW Config, the global signature of the
safety program in the SIMATIC F‑CPU changes. This means that using the global signature it
is possible to identify whether safety-relevant settings have changed in the F-CPU
(F parameters of the SINAMICS slave). However, this global signature does not include the
safety-relevant drive parameters so that their change cannot be checked in this way.

7.11.3.1 Selecting a PROFIsafe telegram


Proceed as follows to define the PROFIsafe telegram:
1. In parameter p60022 select the required telegram.
2. In parameter p9611, select the same telegram number.
Note
Compatibility mode
If you set p9611 = 998 for p60022 = 0 (for instance, if you have upgraded the safety project
to firmware V4.5), then the PROFIsafe telegram 30 is also set as for p60022 = 30 and
p9611 = 30.

PROFIsafe configuration
The PROFIsafe address is required for control of the safety functions via PROFIsafe.

Note
You can only change communication parameters in Startdrive in the setting dialog.

1. Click the icon "Telegram configuration"


The properties of the PROFINET interface are displayed in the Inspector window. The
"Cyclic data traffic" setting range is active. Here you define the telegrams for the drive
objects.
2. Click the <Add telegram> entry in the telegram configuration of "Drive axis_x".
3. Select the "Add safety telegram" option in the drop-down list of the entry:
Startdrive then inserts the "Safe actual value" and "Safe setpoint" lines. The relevant
PROFIsafe telegrams are preassigned.
4. Open the new "Safe setpoint" screen form (for Drive axis_x) in the Inspector window.
5. Correct the PROFIsafe address of the drive in the "F-address" field.
6. In the function view, switch back to the "control" screen form.
The value of the F-address is displayed in the "PROFIsafe address" (p9610) field. A
preassigned PROFIsafe telegram is displayed in the "PROFIsafe telegram no." drop-down
list.
7. Click "Accept values" to transfer the telegram from the default settings into the Safety
programming.
8. Select the desired stop response for a failure of the PROFIsafe communication in the
"PROFIsafe failure response" (p9612) drop-down list.

Note
Unique PROFIsafe addresses
You must ensure the unique assignment of the PROFIsafe address throughout the network and
the CPU.
● The failsafe I/O of PROFIsafe address type 1 is addressed clearly by its failsafe destination
address.
● The failsafe destination address of the failsafe I/O (drive units in this case) must be unique
for the entire failsafe I/O throughout the network and the CPU (system-wide). The failsafe
I/O of PROFIsafe address type 2, e.g. modules of the ET 200SP type, must also be taken
into account.
● Note also the corresponding documentation in the TIA Portal online help in Section
"SIMATIC Safety - Configuration and programming". (SDR001)

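The telegram selection rule (p60022 and p9611 must match, with the compatibility case p60022 = 0 / p9611 = 998) and the "Unique PROFIsafe addresses" note can be checked together on values collected from a project. The following is an added example, not part of the manual: the record layout, device names and values are constructed, and only the parameter numbers and their meaning are taken from the text above.

```python
"""Offline audit of PROFIsafe settings collected from a drive project."""
from collections import defaultdict

# Constructed sample data. The parameter numbers come from the manual; the
# record layout, device names and values are assumptions for this example.
SAMPLE_INVENTORY = [
    {"name": "Drive axis_1", "kind": "drive",
     "p9601": 0b1100, "p9610": 198, "p60022": 30, "p9611": 30},
    {"name": "Drive axis_2", "kind": "drive",    # compatibility mode
     "p9601": 0b1101, "p9610": 199, "p60022": 0, "p9611": 998},
    {"name": "Drive axis_3", "kind": "drive",    # telegram mismatch
     "p9601": 0b1000, "p9610": 200, "p60022": 30, "p9611": 31},
    {"name": "Drive axis_4", "kind": "drive",    # terminals only, no PROFIsafe
     "p9601": 0b0001, "p9610": 0, "p60022": 0, "p9611": 0},
    {"name": "ET 200SP F-DI", "kind": "f_io",    # other fail-safe I/O
     "f_dest_address": 199},
]


def decode_p9601(value):
    """Decode the three p9601 bits the manual describes."""
    return {
        "terminals": bool(value & 0b0001),          # bit 0
        "extended_advanced": bool(value & 0b0100),  # bit 2: 0 = Basic Functions
        "profisafe": bool(value & 0b1000),          # bit 3
    }


def effective_telegram(p60022, p9611):
    """Return the PROFIsafe telegram in effect, or None if the pair disagrees."""
    if p60022 == 0 and p9611 == 998:
        return 30                      # compatibility mode acts like 30 / 30
    # Treating 0 / 0 as "no telegram selected" is an assumption of this example.
    if p60022 == p9611 and p60022 != 0:
        return p60022
    return None


def audit(inventory):
    """Return (duplicate addresses, drives with inconsistent telegram)."""
    by_address = defaultdict(list)
    telegram_errors = []
    for item in inventory:
        if item["kind"] == "drive":
            if not decode_p9601(item["p9601"])["profisafe"]:
                continue               # drive is not controlled via PROFIsafe
            by_address[item["p9610"]].append(item["name"])
            if effective_telegram(item["p60022"], item["p9611"]) is None:
                telegram_errors.append(item["name"])
        else:
            # Other fail-safe I/O share the same system-wide address space.
            by_address[item["f_dest_address"]].append(item["name"])
    duplicates = {a: n for a, n in by_address.items() if len(n) > 1}
    return duplicates, telegram_errors


if __name__ == "__main__":
    dups, bad = audit(SAMPLE_INVENTORY)
    for addr, names in sorted(dups.items()):
        print(f"F-address {addr} assigned more than once: {', '.join(names)}")
    for name in bad:
        print(f"{name}: p60022 and p9611 do not select the same telegram")
```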

7.12 Modular machine concept Safety Integrated


The modular machine concept for Safety Integrated Basic, Extended and Advanced Functions
provides support for commissioning modular machines. A complete machine, including all its
available options, is created in a topology. Only those components that are actually
implemented in the finished machine are later activated. Likewise, certain components can
also be deactivated to begin with and reactivated if they are required at a later stage.
With the modular machine concept, a distinction is made between the following applications:
● After the components with safety functions have been activated for the first time after series
commissioning, replacement of the hardware must be confirmed (see Section "Information
pertaining to component replacements (Page 391)").
● Once all the drives (including Safety Integrated Extended/Advanced Functions) have been
commissioned, they are to be deactivated (p0105) without changing the hardware.
They can only be activated again with a subsequent warm start or by means of POWER ON.

NOTICE
Deactivate with p0895 not permitted
Deactivation of drive objects or power unit components using parameter p0895 is not
permitted when the safety functions are enabled.

● The drive objects of the TM54F can be deactivated using parameter p0105. The TM54F
itself can only be deactivated when all the drives entered in p10010 "SI drive object
assignment" were deactivated separately by means of p0105 beforehand.
● When spare parts are required, the drive is deactivated (p0105) during the delivery
period for the required hardware component. It is activated again on the following
restart or POWER ON, together with a hardware replacement confirmation (see Chapter
"Information pertaining to component replacements (Page 391)").
● Component exchange on a Control Unit (e.g. to localize faults). For Safety Integrated, this
is the same as a hardware replacement. After a restart or POWER ON, it must be concluded
with a hardware replacement confirmation (see Chapter "Information pertaining to
component replacements (Page 391)").
● If a drive with enabled safety functions is copied offline, fault F01656 may be output when
the project is downloaded. This behavior occurs whenever component numbers change
during copying (e.g. different drive object number or hardware). In this case, please observe
the procedure when fault F01656 occurs (see SINAMICS S120/S150 List Manual).

7.13 Information pertaining to series commissioning


A commissioned project that has been uploaded to Startdrive can be transferred to another
drive unit keeping the existing safety parameterization.
1. Load the Startdrive project into the drive unit.
2. Make sure that nobody is in the danger zone, and only then switch on the machine.
3. Note the following warnings for "Extended/Advanced Functions via PROFIsafe":
– F01650 (fault value 2005) indicates the replacement of a Control Unit.
– A01695 indicates the replacement of a Sensor Module. As a consequence, a defect is
also signaled in a monitoring channel (C30711 with fault value 1031 and stop response
STOP F).
4. If you are using Startdrive, you must perform the following steps:
– Click on Acknowledge hardware replacement in the start screen of the safety functions.
– Faults F01650/F30650 are output (acceptance test required; see Chapter "Test scope
for specific measures (Page 339)").
– Continue with step 6.
5. If you are working with SINAMICS with a BOP or SIMOTION with HMI, then you must
perform the following steps:
– Activate "Safety Integrated commissioning" (p0010 = 95)
– Start the copy function for Node Identifier (p9700 = 1D hex)
– Confirm the hardware CRC on the drive object (p9701 = EC hex)
– Exit the "Safety Integrated commissioning" mode (p0010 = 0)
– Continue with step 6.
6. Perform steps 4 or 5 when replacing a Sensor Module at the drive object servo or vector, and
when replacing a Motor Module at drive object TM54F_MA (if installed).
7. Back up all parameters on the memory card (p0977 = 1).
8. Carry out a POWER ON (power off/on) for all components.

WARNING
Unwanted motion if components are replaced without a function test
After a component replacement, accidents resulting in serious injuries or death can be caused
by unwanted motion if no function test has been performed.
● You can find more detailed information in Chapters "Test scope for specific measures
(Page 339)" and "acceptance testing (Page 331)".

Safety message for series commissioning under Safety Integrated Extended/Advanced Functions
If third-party motors with absolute encoders are being used, a situation may arise where a
Safety message prevents commissioning.
One reason for this may be that a different serial number of the absolute encoder is saved on
the memory card than that in the Control Unit which is to be commissioned. To acknowledge
the Safety message, you must first manually correct the serial number for the absolute encoder,
e.g. with Startdrive. The description can be found in Chapter "Information pertaining to
component replacements (Page 391)". You can then carry on with the commissioning.

7.14 Application examples


You can find application examples for SINAMICS S120 drives on the web page "SINAMICS
Application Examples (https://www.automation.siemens.com/mc-app/sinamics-application-examples/Home/Index?language=en)".
You will find efficient system approaches for optimized interaction of SIMATIC control
technology and SINAMICS drive technology here, as well as much more.
The application examples provide you with:
● Reusable modules for scaling setpoints and actual values
● Explanation of the necessary configuring steps together with screenshots
● Security through already tested programs and modules for accessing parameters
● Significantly lower commissioning times
● Detailed documentation with parts lists of the hardware and software components being
used
Further, you can also find technological application examples, such as winders, traversing
arms and basic synchronous operation. Application examples also explain how to use free
function blocks (FBLOCKS), logic processing integrated in the drive with Drive Control Chart
(DCC) and Safety Integrated.

Finding and calling application examples


1. Call the following Internet site in your browser: SINAMICS Application Examples
(https://www.automation.siemens.com/mc-app/sinamics-application-examples/Home/Index?language=en).
2. Set the desired filter settings.
The result list is updated with each filter setting.
If necessary, reset individual or all filters.
  

① Selectable options (e.g. S120): The number of available entries is displayed in the square
brackets.
② Reset individual filters
③ Reset all filters
Figure 7-19 Example: Filter settings

3. To view a tooltip on an entry, click the appropriate entry in the result list.
The required tooltip is then displayed in the Siemens Industry Online Support (SIOS).
Generally, you can download a detailed application description as PDF via the tooltip.

8 Acceptance test
Note
Responsibilities
The machine manufacturer is responsible for carrying out and documenting the acceptance
test. In Chapter "Acceptance test with Startdrive (Page 343)" you will find a suggestion for how
to carry out and document the acceptance test for the individual safety functions.

You can find further information on the acceptance test here:


● General information about the acceptance test (Page 332)
● Contents and depth of the acceptance test (Page 335)
● Acceptance test with Startdrive (Page 343)
● Safety logbook (Page 349)

8.1 General information about the acceptance test


The EC Machinery Directive and DIN EN ISO 13849‑1 stipulate:
● You must check safety-related functions and machine parts after commissioning.
→ Acceptance test.
For SINAMICS Safety Integrated Functions (SI Functions) this specifically means: The
acceptance test is used to check the functionality of the Safety Integrated monitoring and
stop functions used in the drive. The test objective is to verify proper implementation of the
defined safety functions and test mechanisms (measures for forced checking procedure
(test stop)) and to examine the response of specific monitoring functions to explicitly entered
values outside tolerance limits. The test must cover all drive-specific Safety Integrated
motion monitoring functions and global Safety Integrated functionality of Terminal Module
TM54F (if used).
Note
Purpose of the acceptance test
The measured values (e.g. distance, time) and the system behavior identified (e.g. initiation
of a specific stop) can be used for checking the plausibility of the configured safety functions.
The objective of an acceptance test is to identify potential configuration errors and/or to
document the correct function of the configuration. The measured values are typical values
(not worst case values). They represent the behavior of the machine at the time of
measurement. These measurements cannot be used to derive real values (e.g. maximum
values for over-travel distances).

● You must create an "acceptance report" showing the test results.
→ Documentation.

8.1.1 Requirements
The acceptance test requirements (configuration check) for electrical drive safety functions
derive from DIN EN 61800-5-2, Section 7.1 Point f). The acceptance test "configuration
check" is cited in this standard.
● Description of the application including a picture
● Description of the safety-relevant components (including software versions) that are used
in the application
● List of the PDS(SR) [Power Drive System(Safety Related)] safety functions used
● Results of all tests of these safety functions, using the specified testing procedure
● List of all safety-relevant parameters and their values in the PDS(SR)
● Checksum, test date and confirmation by testing personnel
A complete acceptance test is required when first commissioning Safety Integrated
functionality on a machine. The acceptance tests must be carried out for each individual drive.
Safety-related function expansions, transfer of the commissioning settings to other series
machines, hardware changes, software upgrades or similar activities permit the acceptance
test to be performed with a reduced scope if necessary. A summary of conditions which
determine the necessary test scope or proposals in this context is provided below.

8.1.2 Requirements for the acceptance test


● The machine is properly wired.
● All safety equipment (such as protective door monitoring devices, light barriers, emergency
limit switches) is connected and ready for operation.
● Access rights to SI parameters must be protected by a password. This procedure must be
documented in the acceptance report - the password itself must not appear there.
● Commissioning of the open-loop and closed-loop control must be completed, because
otherwise the over-travel distance, for example, may change as a result of a changed
dynamic response of the drive control. This includes, for example:
– Configuration of the setpoint channel
– Position control in the higher-level controller
– Drive control

8.1.3 Parts of the acceptance test


The acceptance test comprises 2 parts:
● Checking whether the safety functions in the converter are correctly set:
– Does the speed control handle the configured application cases in the machine?
– Do the set interface, times and monitoring functions match the configuration of the
machine?
● Checking whether the safety-relevant functions in the plant or machine function correctly.
This part of the acceptance test goes beyond the converter acceptance test:
– Is all safety equipment, such as protective door monitoring devices, light barriers or
emergency-off switches, connected and ready for operation?
– Does the higher-level control correctly respond to the safety-relevant feedback signals
of the converter?
– Do the converter settings match the configured safety-relevant function in the machine?

8.1.4 Documentation
The documentation consists of the following parts:
● Description of the safety-relevant components and functions of the machine or plant.
● Report of the acceptance test results.
● Report of the settings of the safety functions.
● The documentation must be signed by the person who carried out the acceptance test.

8.1.5 More information

Note
More information
● See the information in Chapters "Description of Safety Integrated functions (Page 75)" and
"Commissioning (Page 269)".
● In Chapter "Acceptance test with Startdrive (Page 343)" you will find a suggestion for how
to carry out and document the acceptance test for the individual safety functions.
● An acceptance report template in electronic format is available at your local Siemens sales
office.

Note
PFH values
The PFH values of the individual SINAMICS S120 safety components can be found at:
PFH (https://support.industry.siemens.com/cs/ww/en/view/76254308)

8.1.6 Acceptance test mode

Note on the acceptance test mode


The acceptance test mode can be activated for a definable period (p9558) by setting the
appropriate parameters (p9570). It tolerates specific limit violations during the acceptance test.
For instance, the setpoint speed limits are no longer active in the acceptance test mode. To
ensure that this state is not accidentally kept, the acceptance test mode is automatically exited
after the time set in p9558.
It is only worth activating acceptance test mode during the acceptance test of the SS2, SOS,
SDI, SLS and SLP functions. It has no effect on other functions.
Normally, SOS can be selected directly or via SS2. To be able to trigger violation of the SOS
standstill limits with acceptance test mode active (even in the "SS2 active" state), the setpoint
is enabled again by the acceptance test mode after deceleration and transition to SOS to allow
the motor to travel. When an SOS violation is acknowledged in the active acceptance test
mode, the current position is adopted as the new stop position so that an SOS violation is not
immediately identified again.

WARNING
Axis movement during the acceptance test
If a speed setpoint ≠ 0 is present, the active stop function SS2 is set, and the motor is at a
standstill (active SOS), the axis starts to move as soon as the acceptance test is activated. If
persons are in the danger zone, accidents causing death or severe injury can occur.
● Take suitable measures to ensure that nobody is in the danger zone during the acceptance
test.

8.2 Contents and depth of the acceptance test

8.2.1 Content of the complete acceptance test

A) Documentation
Documentation of the machine and of safety functions
● Machine description (with overview)
● Specification of the controller (if this exists)
● Function table:
– Active monitoring functions depending on the operating mode and the protective door
– Other sensors with protective functions
– The table is part of, or the result of, the configuring work.
● SI functions for each drive
● Information about safety equipment

B) Function test diagnostic/safety functions


Detailed function test and evaluation of SI functions used. For some functions, trace recordings
of individual parameters can be used.
The Acceptance test wizard (Page 343) in Startdrive supports you with these actions.
● Encoder parameterization test
– Required when using the Extended/Advanced Functions with encoder
– Only required at an encoder replacement
● Test of the SI function "Safe Torque Off" (STO)
– Required when used in Basic and/or Extended Functions
● Test of the SI function "Safe Stop 1" (SS1)
– Required when used in Basic and/or Extended Functions
– If the Extended Functions are used, individual parameters can be traced.
● Test of the SI function "Safe Brake Control" (SBC)
– Required when using Basic and/or Extended Functions
● Test of the SI function "Safe Stop 2" (SS2)
– For this purpose, individual parameters can be traced/recorded.
● Test of the SI function "Safe Operating Stop" (SOS)
– For this purpose, individual parameters can be traced/recorded.
● Test of the SI function "Safely-Limited Speed" (SLS)
– For this purpose, individual parameters can be traced/recorded.
● Test of the SI function "Safe Direction" (SDI)
– For this purpose, individual parameters can be traced/recorded.
● Test of the SI function "Safe Speed Monitor" (SSM)
– For this purpose, individual parameters can be traced/recorded.
● Test of the SI function "Safely-Limited Position" (SLP)
– For this purpose, individual parameters can be traced/recorded.
● Testing the SI function "Safe Cam" (SCA)
– For this purpose, individual parameters can be traced/recorded.
● Testing the SI function "Safely-Limited Acceleration" (SLA)
– For this purpose, individual parameters can be traced/recorded.
● Testing the "Safe Brake Test" (SBT) diagnostics function
– If the Extended Functions are used, individual parameters can be traced.

C) Function test of the forced checking procedure (test stop)


Test of the forced checking procedure (test stop) of the safety functions on each drive (for the
Basic and/or Extended/Advanced Functions) and the TM54F (if used).
● Test of the forced checking procedure (test stop) of the safety function on the drive
– If you are using Basic Functions, you need to activate and then deactivate STO once
again.
– If you are using Extended/Advanced Functions, you need to perform the forced checking
procedure (test stop).
● Forced checking procedure (test stop) of the TM54F (if available)
– Perform forced checking procedure (test stop) of the TM54F
● Forced checking procedure (test stop) of the CU310-2 (if available)
– Perform forced checking procedure (test stop) of the CU310-2

D) Conclusion of the report


Report of the commissioning status tested and countersignatures
● Inspection of SI parameters
● Logging of checksums (for each drive)
● Issuing of the safety password and documenting this process (do not specify the safety
password in the report!)
● RAM to ROM backup, upload of project data to Startdrive, and backup of the project
● Countersignature

8.2.2 Content of the partial acceptance test

A) Documentation
Documentation of the machine and of safety functions
1. Extending/changing the hardware data
2. Extending/changing the software data (specify version)
3. Extending/changing the function table:
– Active monitoring functions depending on the operating mode and the protective door
– Other sensors with protective functions
– The table is part of, or the result of, the configuring work
4. Extending/changing the SI functions per drive
5. Extending/changing the specifications of the safety equipment

B) Function test diagnostic/safety functions


Detailed function test and evaluation of SI functions used. For some functions, trace recordings
of individual parameters can be used.
The Acceptance test wizard (Page 343) in Startdrive supports you with these actions.
1. Test of the SI function "Safe Torque Off" (STO)
– Required when used in Basic and/or Extended Functions
– You do not need to prepare a trace recording for this test.
2. Test of the SI function "Safe Stop 1" (SS1)
– Required when used in Basic and/or Extended Functions
– If the Extended Functions are used, individual parameters can be traced.
3. Test of the SI function "Safe Brake Control" (SBC)
– Required when using Basic and/or Extended Functions
– You do not need to prepare a trace recording for this test.
4. Test of the SI function "Safe Stop 2" (SS2)
– For this purpose, individual parameters can be traced/recorded.
5. Test of the SI function "Safe Operating Stop" (SOS)
– For this purpose, individual parameters can be traced/recorded.
6. Test of the SI function "Safely-Limited Speed" (SLS)
– For this purpose, individual parameters can be traced/recorded.
7. Test of the SI function "Safe Direction" (SDI)
– For this purpose, individual parameters can be traced/recorded.
8. Test of the SI function "Safe Speed Monitor" (SSM)
– For this purpose, individual parameters can be traced/recorded.
9. Test of the SI function "Safely-Limited Position" (SLP)
– For this purpose, individual parameters can be traced/recorded.
10. Testing the SI function "Safe Cam" (SCA)
– For this purpose, individual parameters can be traced/recorded.
11. Testing the SI function "Safely-Limited Acceleration" (SLA)
– For this purpose, individual parameters can be traced/recorded.
12. Testing the "Safe Brake Test" (SBT) diagnostics function
– If the Extended Functions are used, individual parameters can be traced.

C) Function test of the forced checking procedure (test stop)


Test of the forced checking procedure (test stop) of the safety functions on each drive (for the
Basic and/or Extended/Advanced Functions) and the TM54F (if used).
1. Test of the forced checking procedure (test stop) of the safety function on the drive
– If you are using Basic Functions, you need to activate and then deactivate STO once
again.
– If you are using Extended/Advanced Functions, you need to perform the forced checking
procedure (test stop).
2. Forced checking procedure (test stop) of the TM54F (if available)
– Perform forced checking procedure (test stop) of the TM54F
3. Forced checking procedure (test stop) of the CU310-2 (if available)
– Perform forced checking procedure (test stop) of the CU310-2

D) Function test of actual value acquisition


1. General testing of actual value acquisition
– After exchanging the component, initial activation and brief operation in both directions.

WARNING
Axis movement during the acceptance test
The operation causes the machine to move.
● Take suitable measures to ensure that nobody is in the danger zone during the
acceptance test.

2. Test of failsafe actual value acquisition


– Only necessary when using Extended/Advanced Functions
– If the motion monitoring functions are activated (e.g. SLS or SSM with hysteresis), briefly
operate the drive in both directions.
3. Encoder parameterization test
– Required when using the Extended/Advanced Functions with encoder
– Only required at an encoder replacement
– You do not need to prepare a trace recording for this test.

E) Conclusion of the report


Report of the commissioning status tested and countersignatures
1. Extension of checksums (for each drive)
2. Countersignature

8.2.3 Test scope for specific measures

Scope of partial acceptance tests for specific measures


The measures and points specified in the table refer to the information given in Section
"Content of the partial acceptance test (Page 337)".

Table 8-1 Scope of partial acceptance tests for specific measures

| Measure | A) Documentation | B) Functional testing of safety functions | C) Functional testing of the forced checking procedure (test stop) | D) Functional testing of actual value acquisition | E) Conclusion of the report |
|---|---|---|---|---|---|
| Replacement of the encoder system | No | No | No | Yes | Yes |
| Replacement of an SMC/SME | Yes, Points 1 and 2 | No | No | Yes | Yes |
| Replacement of a motor with DRIVE-CLiQ | Yes, Points 1 and 2 | No | No | Yes | Yes |
| Replacement of the following hardware: Control Unit, Motor Module, Power Module, or Safe Brake Relay | Yes, Points 1 and 2 | Yes, Points 1 or 2 and 3 | Yes, only Point 1 | Yes, only Point 1 | Yes |
| Replacement of the TM54F | Yes, Points 1 and 2 | Yes, but only testing of the selection of the safety functions | Yes | Yes, only Point 1 | Yes |
| Firmware modification 1) (CU / power unit / Sensor Modules) | Yes, only Point 2 | Yes, if new safety functions are to be used | Yes | Yes, only Point 1 | Yes |
| Change to a single parameter of a safety function (e.g. SLS limit) | Yes, Points 4 and 5. | Yes, test the appropriate function | No | Yes | Yes |
| Transfer of project data to other machines (series commissioning) | Yes | Yes, but only testing of the selection of the safety functions | Yes | Yes | Yes |
| Other firmware version 1) on Simotion D | Yes, only Point 2 | Yes, if new safety functions are to be used | Yes | Yes, only Point 1 | Yes |

1) Upgrading or downgrading

8.2.4 Relevant checksums for the acceptance

Checksums of the safety functions


The following checksums are available for every drive with activated safety functions.

| Safety function/parameters | Checksum | Reason for changing the checksum |
|---|---|---|
| Basic Functions | | |
| p9799 | Reference checksum (channel 1) | Changing the safety parameters of basic functions |
| p9899 | Reference checksum (channel 2) | Changing the safety parameters of basic functions |
| Extended/Advanced Functions | | |
| p9799 | Reference checksum (channel 1) | Changing a safety parameter of the Extended/Advanced Functions |
| p9899 | Reference checksum (channel 2) | Changing a safety parameter of the Extended/Advanced Functions |
| p9729[0] | Reference checksum SI parameters for motion monitoring (channel 1) | Changing a safety parameter of the Extended/Advanced Functions, which does not refer to encoder data. |
| p9729[1] | Reference checksum SI parameters for actual values (channel 1) | Changing encoder parameters (e.g. encoder pulse number, fine resolution, …) or mechanical settings (e.g. gear unit, spindle pitch, …) |
| p9729[2] | Reference checksum SI parameters for hardware (channel 1) | As soon as a Sensor Module evaluated by Safety Integrated is replaced |
| p9399[0] | Reference checksum SI parameters for motion monitoring (channel 2) | Changing a safety parameter of the Extended/Advanced Functions |
| p9399[1] | Reference checksum SI parameters with hardware reference (channel 2) | Replacing safety-relevant hardware |
| TM54F | | |
| p10005[0] | Reference checksum, hardware-independent TM54F parameters (available for master and slave modules) | Changing a TM54F safety parameter |
| p10005[1] | Reference checksum, hardware-dependent TM54F parameters | Replacing a Motor Module which is controlled via the TM54F |

All safety changes (functional or related to the hardware) are documented in the safety logbook
of the Control Unit. As soon as a safety parameter is changed, then the checksum in the Control
Unit also changes. As a consequence, it is sufficient to document the functional checksum of
the safety logbook (r9781[0]) and the associated time stamp (r9782[0]).

Note
For the functional checksum, it must be guaranteed that the components to be replaced are
replaced by identical components (the same MLFB).
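
The checksums above can also serve as a change-detection baseline after acceptance. The following is an added example, not part of the Siemens manual and not Siemens code: it compares the values recorded in an acceptance report with a later readout and reports, for each changed parameter, the reason given in the checksum table. The drive object names, the dictionary layout and all values are assumptions constructed for illustration; how the values are read from the drive is outside the example.

```python
from dataclasses import dataclass

# Reference checksums and the reason each one changes, transcribed from the
# checksum table in this section. "functional"/"hardware" follows the table:
# p9729[2], p9399[1] and p10005[1] are the entries tied to hardware.
CHECKSUMS = {
    "p9799":     ("functional", "safety parameter of the Basic or Extended/Advanced Functions changed"),
    "p9899":     ("functional", "safety parameter of the Basic or Extended/Advanced Functions changed"),
    "p9729[0]":  ("functional", "Extended/Advanced safety parameter changed (not encoder data)"),
    "p9729[1]":  ("functional", "encoder parameters or mechanical settings changed"),
    "p9729[2]":  ("hardware",   "Sensor Module evaluated by Safety Integrated replaced"),
    "p9399[0]":  ("functional", "Extended/Advanced safety parameter changed"),
    "p9399[1]":  ("hardware",   "safety-relevant hardware replaced"),
    "p10005[0]": ("functional", "TM54F safety parameter changed"),
    "p10005[1]": ("hardware",   "Motor Module controlled via the TM54F replaced"),
}
# Safety logbook of the Control Unit: functional checksum and its time stamp.
LOGBOOK = ("r9781[0]", "r9782[0]")


@dataclass(frozen=True)
class Finding:
    obj: str     # drive object name (the names used below are hypothetical)
    param: str
    kind: str    # "changed", "missing" or "undocumented"
    scope: str   # "functional" or "hardware"
    reason: str


def compare(report, readout):
    """Diff the per-object reference checksums of two snapshots."""
    findings = []
    for obj in sorted(set(report) | set(readout)):
        old, new = report.get(obj, {}), readout.get(obj, {})
        for param, (scope, reason) in CHECKSUMS.items():
            if param in old and param not in new:
                findings.append(Finding(obj, param, "missing", scope,
                                        "documented value could not be read back"))
            elif param in new and param not in old:
                findings.append(Finding(obj, param, "undocumented", scope,
                                        "no reference value in the acceptance report"))
            elif param in old and old[param] != new[param]:
                findings.append(Finding(obj, param, "changed", scope, reason))
    return findings


def logbook_changed(report_cu, readout_cu):
    """True if the logbook checksum or its time stamp differs from the report."""
    return any(report_cu.get(p) != readout_cu.get(p) for p in LOGBOOK)


def assess(report, readout, cu="CU"):
    """Return (verdict, findings); verdict is 'match', 'review' or 'inconsistent'."""
    findings = compare(report, readout)
    log_changed = logbook_changed(report.get(cu, {}), readout.get(cu, {}))
    functional = [f for f in findings
                  if f.kind == "changed" and f.scope == "functional"]
    if not findings and not log_changed:
        return "match", findings
    # The text above states that the Control Unit checksum changes as soon as a
    # safety parameter changes, so a functional change without a logbook change
    # means report and readout do not fit together and needs a closer look.
    if functional and not log_changed:
        return "inconsistent", findings
    return "review", findings


# Constructed sample values, not taken from a real drive.
REPORT = {
    "CU": {"r9781[0]": 0x5A3C19E0, "r9782[0]": 412},
    "SERVO_02": {"p9799": 0x1F2E3D4C, "p9899": 0x0A1B2C3D,
                 "p9729[0]": 0x11110001, "p9729[1]": 0x22220001,
                 "p9729[2]": 0x33330001, "p9399[0]": 0x44440001,
                 "p9399[1]": 0x55550001},
}
READOUT = {
    "CU": {"r9781[0]": 0x7B01D2F4, "r9782[0]": 977},
    "SERVO_02": {**REPORT["SERVO_02"],
                 "p9729[0]": 0x1111BEEF, "p9399[0]": 0x4444BEEF},
}

if __name__ == "__main__":
    verdict, findings = assess(REPORT, READOUT)
    print(verdict)
    for f in findings:
        print(f"{f.obj} {f.param}: {f.kind} ({f.scope}) - {f.reason}")
```

A "review" verdict only says that the documented state no longer holds; which tests have to be repeated is decided with Table 8-1.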

The following diagram shows the functional reference checksums of the SINAMICS
components for the safety logbook of the Control Unit.

[Diagram labels: DRIVE-CLiQ; TM54F; Control Unit; Motor Module (two). Checksums: TM54F (master, slave); Control Unit (safety logbook); Basic Functions; Extended Functions.]

Figure 8-1 Parameters for the functional reference checksums of SINAMICS components

8.3 Acceptance test with Startdrive

8.3.1 Notes

Note
Conditions for the acceptance test
As far as possible, the acceptance tests are to be carried out at the maximum possible machine
speed and acceleration rates to determine the maximum braking distances and braking times
that can be expected.

Note
Acceptance test for Basic and Extended Functions
In the function selection, the Safety Integrated acceptance test offers you the testable functions
for selection, depending on the device type and its settings (Basic or Extended Functions,
control via PROFIsafe or terminals).

Note
Trace recordings
The trace recordings for the Extended Functions allow the analysis of the machine behavior
during the test execution. Here you use the signal characteristics to check whether the machine
behavior meets your expectations. The recorded signals allow, for example, the delay times
and over-travel distances to be evaluated.

Note
Non-critical alarms
When evaluating the alarm buffer you can tolerate the following alarms:
● A01697 SI Motion: Motion monitoring test required
● A35014 TM54F: Test stop required
These alarms occur after every system startup and can be evaluated as non-critical.
● A01699 SI CU: Shutdown path test required
This alarm occurs after the time in p9659 has expired.
You do not need to include these alarms in the acceptance report.

Note
No acceptance test with alarm A01796
If the alarm A01796 is active, the pulses are safely canceled, and an acceptance test is not
possible.

8.3.2 Preparing the acceptance test

Establishing an overview of all drives


1. Click "Acceptance test" in the project tree.
2. Select the "Overview" screen form in the secondary navigation.
3. Click "Determine" to determine all drives with Safety Integrated Functions in your Startdrive
project.
4. The overview window lists all available drives with Safety Integrated Functions as well as
their respective test status.
Color coding of the test status:
– Gray: Safety Integrated Functions have been parameterized, but the acceptance test
has not yet been performed
– Red: Acceptance test failed
– Blue: Acceptance test in the initial state
– Green: Acceptance test successful
5. Click "Output" to generate an overview as a table in "xlsx" format. You can open this table
in Microsoft Excel and other spreadsheet programs (e.g. LibreOffice).
You can use the overview to track and/or document your work progress, especially for
projects with several drives.

Preparing the acceptance test


1. The drives to be tested have been fully parameterized and commissioned. Subsequent
changes require performing a new acceptance test.
2. Click "Acceptance test" in the project tree.
Those Safety Integrated Functions available in the drive unit are offered for selection.
The selection takes into account whether Basic Functions, Extended Functions or
Advanced Functions were selected, as well as the activation type (PROFIsafe or onboard
terminals).
3. In the secondary navigation, select all Safety Integrated Functions to be tested for the
desired drive unit.
The active functions are preselected automatically. This preselection can be changed and
functions selected or deselected.
4. Click "Accept" to specify the function selection for the Safety Integrated acceptance test.
Entries for the functions to be tested are displayed in the secondary navigation. Use
these entries to navigate to the individual tests.
5. Establish an online connection to the drive unit to be tested.

Resetting test results


1. Click the "Reset test results" button to delete all the results of the tests previously performed
for this drive.
This restores the initial state from which you can perform the acceptance tests again.

8.3.3 Performing the acceptance test (example)

Description
After accepting the function selection in the "Preparing the acceptance test (Page 344)" step,
the functions to be tested are displayed in the secondary navigation.
You can now perform the tests from top to bottom or in any required sequence.
The status of the individual tests is represented as follows:
● Blue: The test is in the initial state and has not yet been performed.
● Green: The test was performed successfully.
● Red: The test was aborted with error. The test can be repeated by reselecting the function.

Structure of the acceptance test wizards


The listed wizards have the same structure for every acceptance test.
The upper area contains the workflow that represents the individual test steps and their status.
The states have the following meaning:
● Blue: Active test step.
● Green: Test step completed.
The instructions for the test steps are displayed in the area below the workflow. The test steps
must be performed by the user. After performing the instructions, click "Next" to advance to the
next step. At the end, the test is completed by clicking "Finish". The status of this test is then
updated in the secondary navigation.
The operator controls for the test steps are located in the lower area. This includes, for example,
the control panel for traversing the axis to be tested.

Starting and performing the acceptance test


1. Click one of the functions to be tested (SS1 in this case).
The wizard is started in the working area.
2. Enter a test designation. This designation also appears later in the acceptance report.
3. You can change the trace settings for this test or use the preassignment. The
preassignment is adequate for most applications.
A change permits adaptation to the mechanical conditions of the machine, e.g. when the
axis mechanical system exhibits a very high moment of inertia so that longer ramp-up times
for accelerating and braking are required.
4. Observe the safety information and notes on the start screen form of the acceptance test.
5. Once you have performed all preparations, click "Start test".
The wizard for the selected test opens.
6. In the first step, the drive must be moved so that an emergency stop can be initiated.
In the "Move drive via" drop-down list, select whether the drive should be moved via the
control panel or via the user program of a higher-level control.
– Control panel:
If the drive is moved via the control panel, it is displayed in this screen form.
Activate the master control, enter a setpoint and start the motor in the desired direction
of rotation.
Click "Next" to advance to the next step.
– User program:
If the drive is moved from the user program, start the movement there.
Click "Next" to advance to the next step once the motor starts to turn.
7. Initiate emergency stop (SS1) on the selected drive. Click "Next" when the LED indicates
that SS1 is active.
The motor brakes on the OFF3 braking ramp. The transition to STO is made based on the
parameter assignment (e.g. after expiration of the delay time or when the shut-down speed
is undershot). If a brake parameterized via SBC is present, it is closed after transition to STO.
8. Return the master control when the drive is stationary. Click "Next".
9. The preceding workflow is recorded and displayed as a trace.
Check the timing and content of the test workflow based on the signal recording. In
this test, STO may be initiated only when the motor has almost become stationary.
Click "Next" provided the test workflow meets your expectations.
10. Alternatively: Cancel the test by clicking "Cancel" if the workflow does not meet your
expectations.
In this case, check the correctness of all input conditions and repeat the test, if necessary.
Sample scenario: STO is initiated, even though the motor speed is still high. In this case, a
possible cause could be incorrect parameterization, e.g. a delay time from SS1 to STO that is
too short or an excessively high shut-down speed.
11. Deselect SS1 and click "Next".
The test was performed successfully.
12. Click "Finish" to exit the wizard.

Result
The test status in the secondary navigation is updated.
Run the test wizards for all further functions in the same way.

8.3.4 Completing the acceptance test with report

Description
The acceptance report can be created at any time, for example, even when individual tests
have not yet been performed or completed with faults. This allows the intermediate states also
to be documented.


The actual final acceptance report, however, makes sense only when all tests have been
performed successfully.

Requirement
● All tests have been successfully completed. The individual tests are all identified positively
with a green tick.

Creating an acceptance report


1. The overview under "Create report" lists all drives and their current test status.
2. In the "Completion" screen form, select the drives for which you would like to create the
report.
You can select any number of drives, regardless of their test status.
The drive instances to which the results were transferred are also displayed in the list as
drop-down sub-entries. These drive instances are always included in the acceptance report
with the selection of the respective main drive.
3. Click on the "Create" button.
The "Save as" dialog opens.
4. When you select a drive, its drive name is preset as a suggestion for the file name for the
acceptance test as standard.
When you select multiple drives, a dialog for selecting the directory for storing the report
opens. For each drive selected, a report is saved with the name of the drive.

Optional: Creating a function table


You can use the function table to create a user-defined overview that is documented in the
acceptance report in addition to the results of acceptance test.
The overview is structured as follows:

| Column | Explanation |
|---|---|
| Operating mode | Select one of the specified operating modes from the drop-down list to map the desired scenario. |
| Description | Enter an explanatory comment for the selected operating mode. |
| Protective device | Select the protective mechanism to be used in the applicable scenario from the drop-down list. |
| Version | Enter an explanatory comment on the protective device being used. |
| Axis | Select the respective drive axis from the drop-down list. |
| Monitoring | Select the Safety Integrated Function being used from the drop-down list. |

Result
The acceptance report is created as a table in "xlsx" format and can thus be opened in Microsoft
Excel and other spreadsheet programs (e.g. LibreOffice).


The report comprises several individual tables. These include:


● Cover page: Introduction with the machine description
● Drive_x - overview: Documentation of the parameters and traces for this drive
● Drive_x - function test: Documentation of all test data for this drive
Test status color coding:
– Red: Failed
– Yellow: Not tested
– Green: Test successful
● Completion: Summary and signatures

Note
Correct display of the acceptance report
How the acceptance report is displayed is dependent on the Windows settings and
spreadsheet program used to call up the file.
● Microsoft Excel
The acceptance report is displayed correctly in Microsoft Excel when the following is
configured in the Windows display settings:
Control Panel > Appearance and Personalization > Display > Make text and other items
larger or smaller > Option "Smaller – 100%"
● LibreOffice
The acceptance report is displayed independently of the Windows settings and is thus
always correct.

8.3.5 Transferring acceptance test results


To simplify further acceptance tests, you can transfer the results of successful tests to drives
with the same functionality. The Safety Integrated acceptance test wizard lists the suitable
drives.
1. Open the "Result transfer" screen form for a drive for which you have successfully
completed the acceptance test.
2. Click on the "Determine" button to determine suitable drives.
After initial determination, the button changes to "Refresh".
3. Select the drives to which you want to transfer the results.
The selected drives become instances of the tested drive.
4. Click the "Accept" button.
The transfer status is displayed in the screen form.


8.4 Safety logbook


The "Safety Logbook" function is used to detect changes to safety parameters that affect the
associated CRC sums. CRCs are only generated when p9601 (SI enable, functions integrated
in the drive CU/Motor Module) is > 0.
Data changes are detected when the CRCs of the SI parameters change. Each SI parameter
change that is to become active requires the reference CRC to be changed so that the drive can
be operated without SI fault messages. In addition to functional safety changes, safety changes
as a result of hardware being replaced can be detected when the CRC has changed.
The following changes are recorded by the safety logbook:
● Functional changes are recorded in the checksum r9781[0]:
– Functional CRCs of the motion monitoring functions (p9729[0..1]), axis specific
(Extended and Advanced Functions)
– Functional cyclic redundancy checks of the basic safety functions integrated in the drive
(p9799, SI setpoint checksum SI parameters CU), for each axis.
– Functional CRCs of the TM54F (p10005[0]), global (Basic, Extended and Advanced
Functions)
– Enabling functions integrated in the drive (p9601), axis specific (Basic, Extended and
Advanced Functions)
● Hardware-dependent changes are recorded in the checksum r9781[1]:
– Hardware-dependent CRC of the motion monitoring functions (p9729[2]), axis specific
(Extended and Advanced Functions)
– Functional CRCs of the TM54F (p10005[1]), global (Basic, Extended and Advanced
Functions)

System features 9
9.1 Latest information
Important note for maintaining the operational safety of your system:

NOTICE
Danger to operational safety due to unwanted motion
Systems with safety-related characteristics are subject to special operational safety
requirements on the part of the operating company. If information on a lack of product safety
becomes known in the course of observing a product, this information is declared in various
ways. For this reason, we publish a special newsletter containing information on product
developments and features that are (or could be) relevant when operating safety-related
systems.
● You should subscribe to and carefully read the corresponding newsletter in order to obtain
the latest information and to allow you to modify your equipment accordingly.

To subscribe to the newsletter, please proceed as follows:


1. Go to the following Siemens internet site in your browser:
Siemens Drives (https://www.industry.siemens.com/newsletter/public/AllNewsletters.aspx)
2. Select the desired language for the Web page.
Note
Newsletter
You have to register and log in if you want to subscribe to any newsletters. You will be led
automatically through the registration process.

3. Click on "Login / registration".


4. Log in with your access data. If you do not yet have a login and password, select "Yes, I
would like to register now".
You can subscribe to the individual newsletters in the following window.
5. Under the "All newsletters" heading on this page, you can see which newsletter is currently
available.


6. Open the topic "Products and solutions".


You will now be shown which newsletter is available for this particular subject area or topic.
You can subscribe to the appropriate newsletter by clicking on the "Subscribe" entry. If you
require more detailed information on the newsletters, then please use the supplementary
function on the website.

7. At the very least, register for the newsletters for the following product areas:
– Safety Integrated Newsletter


9.2 Certification
The safety functions of the SINAMICS S drive system meet the following requirements:
● Category 3 to DIN EN ISO 13849‑1
● Performance level (PL) d according to DIN EN ISO 13849-1
● Safety integrity level 2 (SIL 2) according to IEC 61508 and EN 61800-5-2
In addition, most of the safety functions of the SINAMICS S have been certified by independent
institutes. An up-to-date list of certified components is available on request from your local
Siemens office.


9.3 Probability of failure of the safety functions (PFH value)


The probability of failure of safety functions must be specified in the form of a PFH value
(Probability of Failure per Hour) according to IEC 61508, IEC 62061 and DIN EN ISO 13849-1.
The PFH value of a safety function depends on the safety concept of the drive unit and its
hardware configuration, as well as on the PFH values of other components used for this safety
function.
Corresponding PFH values are provided for the SINAMICS S120 drive system, depending on
the hardware configuration (number of drives, control type, number of encoders used). The
various integrated safety functions are not differentiated.
● The PFH values of the individual SINAMICS S120 safety components can be found at:
PFH values (https://support.industry.siemens.com/cs/ww/en/view/76254308)
● The PFH values of all safety components from Siemens are available in the "Safety
Evaluation Tool"; see:
Safety Evaluation Tool (http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/safety-evaluation-tool/Pages/default.aspx)


9.4 Response times


The Safety Integrated Basic Functions are executed in the monitoring cycle (p9780).
PROFIsafe telegrams are evaluated in the PROFIsafe scan cycle, which corresponds to twice
the monitoring clock cycle (PROFIsafe scan cycle = 2 · r9780).

Note
Actual value of the monitoring cycle (r9780)
You can only see the actual value of the monitoring cycle (r9780) if you are connected online
with the drive. However, you can use the following values to roughly calculate the response
times:
● If p0115[0] = 31.25 µs or 62.5 µs or 125 µs, then r9780 = 4 ms.
● If p0115[0] = 250 µs, then r9780 = 8 ms.
● If p0115[0] = 400 µs or 500 µs, then r9780 = 16 ms.

Note for understanding the tables


The drive system is the component that provides the safety functions. The designation "fault-
free drive system" means that the component that provides the safety functions does not have
a defect itself:
● Worst case for a fault-free drive system
For faults outside the drive system (e.g. faulty setpoint input from a control system, limit
value violations as a result of the behavior of the motor, closed-loop control, load, etc.), the
"Worst case for a fault-free drive system" response time is guaranteed.
● Worst case when a fault exists
For a single fault within the drive system (e.g. a defect in a switch-off signal path of the power
unit, in an encoder actual value measurement, in a microprocessor (Control Unit or Motor
Module) etc.), the "Worst case when a fault exists" response time is guaranteed.


9.4.1 STO and SBC via terminals of the Power Modules Blocksize
The following table lists the response times from the control via terminals STO_A, STO_B of the
Power Modules Blocksize until the response actually occurs.

Table 9-1 Response times for control via terminals on the Control Unit and the Motor Module.

Function Worst case for


Drive system has no fault A fault is present
STO
Terminals STO_A, STO_B of the Power 20 ms –
Modules PM240-2 or PM240P-2 (HW
STO)
SBC
Terminals STO_A, STO_B of the Power 24 ms –
Modules PM240-2 or PM240P-2
Output time of the HW STO (r1838) –
feedback signals via a digital output 20 ms + 2 · p0799[0]


9.4.2 Control of Basic Functions via terminals on the Control Unit and Motor Module (CU310‑2 and CU320‑2)
The following table lists the response times from the control via terminals until the response
actually occurs.

Table 9-2 Response times for control via terminals on the Control Unit and the Motor Module.

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 2 · r9780 + t_E¹⁾ | 3 · r9780 + t_E¹⁾ |
| SS1/SS1E (time-controlled): Selection until STO is initiated | 2 · r9780 + p9652 + t_E¹⁾ | 3 · r9780 + p9652 + t_E¹⁾ |
| SS1/SS1E (time-controlled): Selection until SBC is initiated | 4 · r9780 + p9652 + t_E¹⁾ | 8 · r9780 + p9652 + t_E¹⁾ |
| SS1 (time-controlled): Selection until braking is initiated | 3 · r9780 + 2 ms + t_E¹⁾ | 4 · r9780 + 2 ms + t_E¹⁾ |
| SBC | 4 · r9780 + t_E¹⁾ | 8 · r9780 + t_E¹⁾ |

1) The following applies for t_E (debounce time of the digital input being used):
– p9651 = 0: t_E = 2 · p0799 (default = 4 ms)
– p9651 ≠ 0: t_E = p9651 + p0799 + 1 ms
The minimum time for t_E is t_E_min = 2 ms.


9.4.3 Control of Basic Functions via PROFIsafe (CU310‑2 and CU320‑2)


The following table lists the response times from receiving the PROFIsafe telegram at the
Control Unit up to initiating the particular response.

Note
Internal SINAMICS response times
The specified response times are internal SINAMICS response times. Program run times in the
F‑host and the transmission time via PROFIBUS or PROFINET are not taken into account.
When calculating the response times between the F-CPU and the converter, you must take into
account that faults in the communication can result in a safety function only being selected after
the PROFIsafe monitoring time (F_WD_Time) has expired. The PROFIsafe monitoring time
(F_WD_Time) must also be included in the calculation when an error occurs.

Table 9-3 Response times when controlling via PROFIsafe

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 5 · r9780 + t_K²⁾ | 5 · r9780 + t_K²⁾ |
| SS1/SS1E (time controlled): Selection until STO is initiated | 5 · r9780 + p9652 + t_K²⁾ | 5 · r978 + p9652 + t_K²⁾ |
| SS1/SS1E (time controlled): Selection until SBC is initiated | 6 · r9780 + p9652 + t_K²⁾ | 10 · r9780 + p9652 + t_K²⁾ |
| SS1 (time controlled): Selection until braking is initiated | 5 · r9780 + 2 ms + t_K²⁾ | 5 · r9780 + 2 ms + t_K²⁾ |
| SBC | 6 · r9780 + t_K²⁾ | 10 · r9780 + t_K²⁾ |

2) t_K is the time for internal communication within the SINAMICS module. t_K can be determined as follows:
– Isochronous communication: t_K = To (for To, see parameter r2064[4])
– Non-isochronous communication:
  t_K = 4 ms. Applies to modules on which p2048 (for communication via IF1) or p8848 (for communication via IF2) do not exist.
  t_K = value from p2048 or p8848. Applies to modules on which p2048 (for communication via IF1) or p8848 (for communication via IF2) exist.
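The formulas of Tables 9-2 and 9-3, together with the r9780 estimate from the note in section 9.4, as an added calculation example (not part of the Siemens manual). The function names are hypothetical, all inputs are assumed to be already converted to milliseconds, the "r978" cell of Table 9-3 is read as r9780, and F_WD_Time is added in front of the internal time as one reading of the note above.

```python
"""Worst-case response times for S120 Basic Functions, after Tables 9-2 and 9-3.

Added example, not Siemens code. All times are in milliseconds; the caller
converts parameter values to ms before passing them in (assumption).
"""

# Rough monitoring cycle r9780 (ms) keyed by p0115[0] (µs), from the note in 9.4.
R9780_BY_P0115_US = {31.25: 4.0, 62.5: 4.0, 125.0: 4.0,
                     250.0: 8.0, 400.0: 16.0, 500.0: 16.0}
T_E_MIN_MS = 2.0  # minimum t_E stated below Table 9-2

# function: (r9780 cycles without fault, cycles with a fault, adds p9652, constant ms)
TERMINALS = {  # Table 9-2, offset term is t_E
    "STO": (2, 3, False, 0.0),
    "SS1_to_STO": (2, 3, True, 0.0),
    "SS1_to_SBC": (4, 8, True, 0.0),
    "SS1_to_braking": (3, 4, False, 2.0),
    "SBC": (4, 8, False, 0.0),
}
PROFISAFE = {  # Table 9-3, offset term is t_K
    "STO": (5, 5, False, 0.0),
    "SS1_to_STO": (5, 5, True, 0.0),  # fault cell printed as "r978"; read as r9780
    "SS1_to_SBC": (6, 10, True, 0.0),
    "SS1_to_braking": (5, 5, False, 2.0),
    "SBC": (6, 10, False, 0.0),
}


def estimate_r9780(p0115_us):
    """Offline estimate of r9780 in ms; the actual value is only visible online."""
    try:
        return R9780_BY_P0115_US[float(p0115_us)]
    except KeyError:
        raise ValueError(f"no r9780 estimate listed for p0115[0] = {p0115_us} µs") from None


def debounce_time(p9651_ms, p0799_ms):
    """t_E for Table 9-2, clamped to the stated minimum of 2 ms."""
    if p9651_ms == 0:
        t_e = 2 * p0799_ms
    else:
        t_e = p9651_ms + p0799_ms + 1.0
    return max(t_e, T_E_MIN_MS)


def comm_time(isochronous, to_ms=None, p2048_or_p8848_ms=None):
    """t_K for Table 9-3."""
    if isochronous:
        if to_ms is None:
            raise ValueError("isochronous communication needs To (r2064[4])")
        return to_ms
    # Non-isochronous: 4 ms where p2048/p8848 do not exist, otherwise their value.
    return 4.0 if p2048_or_p8848_ms is None else p2048_or_p8848_ms


def response_time(table, function, r9780_ms, offset_ms, p9652_ms=0.0, fault=False):
    """Internal worst-case response time; offset_ms is t_E or t_K."""
    cycles_ok, cycles_fault, adds_p9652, constant_ms = table[function]
    cycles = cycles_fault if fault else cycles_ok
    delay = p9652_ms if adds_p9652 else 0.0
    return cycles * r9780_ms + delay + constant_ms + offset_ms


def with_comm_fault(internal_ms, f_wd_time_ms):
    """PROFIsafe communication fault: selection may only happen after F_WD_Time.

    F-host program run time and bus transmission time are still not included.
    """
    return f_wd_time_ms + internal_ms


if __name__ == "__main__":
    # Constructed configuration, for illustration only.
    r9780 = estimate_r9780(125)
    t_e = debounce_time(p9651_ms=1.0, p0799_ms=4.0)
    t_k = comm_time(isochronous=False)
    for label, table, offset in (("terminals", TERMINALS, t_e),
                                 ("PROFIsafe", PROFISAFE, t_k)):
        for name in table:
            ok = response_time(table, name, r9780, offset, p9652_ms=100.0)
            bad = response_time(table, name, r9780, offset, p9652_ms=100.0, fault=True)
            print(f"{label:10s} {name:15s} no fault {ok:6.1f} ms   fault {bad:6.1f} ms")
```
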


9.4.4 Control of Basic Functions via TM54F


The following table lists the response times from the control via TM54F until the response
actually occurs.

Table 9-4 Response times for control via TM54F

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 3 · r9780 + p10017 + 2 ms | 3 · r9780 + p10017 + 2 ms |
| SS1/SS1E (time-controlled): Selection until STO is initiated | 3 · r9780 + p9652 + p10017 + 2 ms | 3 · r9780 + p9652 + p10017 + 2 ms |
| SS1/SS1E (time-controlled): Selection until SBC is initiated | 4 · r9780 + p9652 + p10017 + 2 ms | 8 · r9780 + p9652 + p10017 + 2 ms |
| SS1 (time-controlled): Selection until braking is initiated | 3 · r9780 + p10017 + 4 ms | 3 · r9780 + p10017 + 4 ms |
| SBC | 4 · r9780 + p10017 + 2 ms | 8 · r9780 + p10017 + 2 ms |


9.4.5 Control of Extended Functions with encoder via PROFIsafe (CU310‑2 and CU320‑2)
The following table lists the response times¹⁾²⁾ from receiving the PROFIsafe telegram at the
Control Unit up to initiating the particular response.

Table 9-5 Response times when controlling via PROFIsafe

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 5 · p9500⁸⁾ + r9780 + t_K⁶⁾ | 5 · p9500⁸⁾ + 2 · r9780 + t_K⁶⁾ |
| SS1 (time controlled), SS1E, SS2E: Time from selecting up to starting the safe timer. SS1 (acceleration controlled), SS2: Time from selecting up to initiating braking. SOS: Time from selecting up to starting standstill monitoring | 5 · p9500⁸⁾ + 2 ms + t_K⁶⁾ | 5 · p9500⁸⁾ + 2 ms + t_K⁶⁾ |
| SBC | 5 · p9500⁸⁾ + 2 · r9780 + t_K⁶⁾ | 5 · p9500⁸⁾ + 6 · r9780 + t_K⁶⁾ |
| SBR or SAM (limit value violation until STO active) | 2 · p9500 + r9780 | 2.5 · p9500 + r9780 + t_ACT⁵⁾ |
| SOS standstill tolerance window violated | 1.5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_ACT⁵⁾ |
| SLS speed limit violated³⁾ | 2 · p9500 + 2 ms | 3.5 · p9500 + 2 ms + t_ACT⁵⁾ |
| SSM⁴⁾ | 4 · p9500 | 4.5 · p9500 + t_ACT⁵⁾ |
| SDI (limit value violation until braking is initiated) | 1.5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_ACT⁵⁾ |
| SLA: Selection or deselection | 5 · p9500⁸⁾ + t_K | 5 · p9500⁸⁾ + t_K |
| SLA: Limit value violation | 3 · p9500 + 2 ms | 4 · p9500 + 2 ms + t_act |

1) The specified response times are valid for Extended Functions with and without selection.
2) The specified response times involve internal SINAMICS response times. Program run times in the F‑host and the
transmission time via PROFIBUS or PROFINET are not taken into account. When calculating the response times between
the F-CPU and the converter, you must take into account that faults in the communication can result in a safety function only
being selected after the PROFIsafe monitoring time (F_WD_Time) has expired. The PROFIsafe monitoring time
(F_WD_Time) must also be included in the calculation when an error occurs.
3) SLS: Specification of the response time required to initiate a braking response in the drive - or for the output of the "SOS
selected" message to the motion control system.
4) SSM: The data corresponds to the times between the limit value being undershot up to sending the information via
PROFIsafe.
5) t_ACT:
– For p9511 ≠ 0: t_ACT = p9511
– For p9511 = 0: If an isochronous PROFIBUS master is available: t_ACT = PROFIBUS cycle. Otherwise: t_ACT = 1 ms
6) t_K is the time for internal communication within the SINAMICS module; t_K can be determined as follows:


– For isochronous communication: t_K = To (for To, see parameter r2064[4])
– For non-isochronous communication:
  t_K = 4 ms (for modules on which p2048 or p8848⁷⁾ does not exist)
  t_K = value from p2048 or p8848⁷⁾ (for modules on which p2048 or p8848⁷⁾ exists)
7) p2048 applies to communication via IF1, p8848 to communication via IF2.
8) This component will be reduced from 5 · p9500 to 3 · p9500 if an isochronous PROFIsafe telegram is used with optimally
timed execution on the F‑CPU.


9.4.6 Control of Extended Functions with encoder via TM54F (CU310‑2 and CU320‑2)
The table below shows the response times¹⁾ from the occurrence of a signal at the terminals
until the response is initiated.

Table 9-6 Response times for control via TM54F

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 3,5 · p9500 + r9780 + p10017⁴⁾ + 1 ms | 4 · p9500 + 2 · r9780 + p10017⁴⁾ + 1 ms |
| SS1 (time and acceleration controlled), SS1E (time controlled), SS2 selection until braking is initiated | 3,5 · p9500 + p10017⁴⁾ + 3 ms | 4 · p9500 + p10017⁴⁾ + 3 ms |
| SBC | 3,5 · p9500 + 2 · r9780 + p10017⁴⁾ + 1 ms | 4 · p9500 + 6 · r9780 + p10017⁴⁾ + 1 ms |
| SBR or SAM (limit value violation until STO active) | 2 · p9500 + r9780 | 2,5 · p9500 + r9780 + t_IST⁵⁾ |
| SOS standstill tolerance window violated | 1,5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_IST⁵⁾ |
| SLS speed limit violated²⁾ | 2 · p9500 + 2 ms | 3,5 · p9500 + 2 ms + t_IST⁵⁾ |
| SSM³⁾ | 3 · p9500 | 3,5 · p9500 + t_IST⁵⁾ |
| SDI (limit value violation until braking is initiated) | 1,5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_IST⁵⁾ |

1) The specified response times are valid for Extended Functions with and without selection!
2) SLS: Specification of the response time required to initiate a braking response in the drive - or for the output of the "SOS
selected" message to the motion control system.
3) SSM: The data corresponds to the times between the limit value being fallen below up to output of the information at the F-DO.
4) For CU310-2, use the parameter p10017 of the drive object "TM54F_xx" to calculate the response time, not that of the
control unit.
5) For t_ACT, the following applies:
– For p9511 ≠ 0: t_ACT = p9511
– For p9511 = 0: If an isochronous PROFIBUS master is available: t_ACT = PROFIBUS cycle. Otherwise: t_ACT = 1 ms


9.4.7 Control of Extended Functions with encoder via terminals (only CU310-2)
The table below shows the response times¹⁾ from the occurrence of a signal at the terminals
until the response is initiated.

Table 9-7 Response times when controlling the Extended Functions with encoder via safe onboard terminals (only
CU310-2)

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 3,5 · p9500 + r9780 + t_E⁵⁾ | 4 · p9500 + 2 · r9780 + t_E⁵⁾ |
| SS1 (time and acceleration controlled), SS1E (time controlled), SS2 selection until braking is initiated | 3,5 · p9500 + 2 ms + t_E⁵⁾ | 4 · p9500 + 2 ms + t_E⁵⁾ |
| SBC | 3,5 · p9500 + 2 · r9780 + t_E⁵⁾ | 4 · p9500 + 9 · r9780 + t_E⁵⁾ |
| SBR or SAM (limit value violation until STO active) | 2 · p9500 + r9780 | 2,5 · p9500 + r9780 + t_IST⁴⁾ |
| SOS standstill tolerance window violated | 1,5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_IST⁴⁾ |
| SLS speed limit violated²⁾ | 2 · p9500 + 2 ms | 3,5 · p9500 + 2 ms + t_IST⁴⁾ |
| SSM³⁾ | 3 · p9500 | 3,5 · p9500 + t_IST⁴⁾ |
| SDI (limit value violation until braking is initiated) | 1,5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_IST⁴⁾ |

1) The specified response times are valid for Extended Functions with and without selection!
2) SLS: Specification of the response time required to initiate a braking response in the drive - or for the output of the "SOS
selected" message to the motion control system.
3) SSM: The data corresponds to the times between the limit value being fallen below up to output of the information via the
TM54F terminals.
4) t_ACT:
– For p9511 ≠ 0: t_ACT = p9511
– For p9511 = 0: If an isochronous PROFIBUS master is available: t_ACT = PROFIBUS cycle. Otherwise: t_ACT = 1 ms
5) For t_E, the following applies:
– p10017 = 0: t_E = 2 · p0799
– p10017 ≠ 0: t_E = p10017 + p0799 + 1 ms


9.4.8 Control of Extended Functions without encoder via PROFIsafe (CU310‑2 and CU320‑2)
The following table lists the response times¹⁾²⁾ from receiving the PROFIsafe telegram at the
Control Unit up to initiating the particular response.

Table 9-8 Response times when controlling via PROFIsafe

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 5 · p9500 + r9780 + t_K⁴⁾ | 5 · p9500 + 2 · r9780 + t_K⁴⁾ |
| SS1 (speed controlled/time and acceleration controlled), SS1E (time controlled) | 5 · p9500 + 2 ms + t_K⁴⁾ | 5 · p9500 + 2 ms + t_K⁴⁾ |
| SBC | 5 · p9500 + 2 · r9780 + t_K⁴⁾ | 5 · p9500 + 6 · r9780 + t_K⁴⁾ |
| SBR or SAM (limit value violation until STO active) | 3 · p9500 + r9780 + p9587 + 4 ms | 3,5 · p9500 + r9780 + p9587 + 32 ms |
| SLS speed limit violated³⁾: Standard³⁾ | 3 · p9500 + p9587 + 6 ms | 4,5 · p9500 + r9780 + p9587 + 32 ms |
| SLS speed limit violated³⁾: Start phase³⁾ | 3 · p9500 + p9587 + p9586³⁾ + 6 ms | 4,5 · p9500 + r9780 + p9587 + p9586³⁾ + 32 ms |
| SSM⁶⁾ | 6 · p9500 + p9587 + 4 ms | 6,5 · p9500 + p9587 + 32 ms |
| SDI (limit value violation until braking is initiated): Standard³⁾ | 2,5 · p9500 + p9587 + 6 ms | 4 · p9500 + r9780 + p9587 + 32 ms |
| SDI (limit value violation until braking is initiated): Start phase³⁾ | 2,5 · p9500 + p9587 + p9586³⁾ + 6 ms | 4 · p9500 + r9780 + p9587 + p9586³⁾ + 32 ms |
| SP⁷⁾ | 6 · p9500 + p9587 + 4 ms | 6,5 · p9500 + p9587 + 32 ms |

1) The specified response times are valid for Extended Functions with and without selection!
2) The specified response times involve internal SINAMICS response times. Program run times in the F‑host and the
transmission time via PROFIBUS or PROFINET are not taken into account. When calculating the response times between
the F-CPU and the converter, you must take into account that faults in the communication can result in a safety function only
being selected after the PROFIsafe monitoring time (F_WD_Time) has expired. The PROFIsafe monitoring time
(F_WD_Time) must also be included in the calculation when an error occurs.
3) Start phase: This describes the behavior after switching on (ON command with previously deleted pulses).
Standard: This behavior applies when the pulses have already been enabled.
There is a different behavior because, with the aid of p9586, the encoderless actual value acquisition after pulse enable can
only be activated after a delay.
4) t_K is the time for internal communication within the SINAMICS module; t_K can be determined as follows:


– For isochronous communication: t_K = To (for To, see parameter r2064[4])
– For non-isochronous communication:
  t_K = 4 ms (for modules on which p2048 or p8848⁵⁾ does not exist)
  t_K = value from p2048 or p8848⁵⁾ (for modules on which p2048 or p8848⁵⁾ exists)
5) p2048 applies to communication via IF1, p8848 to communication via IF2.
6) SSM: The data corresponds to the times between the limit value being undershot up to sending the information via
PROFIsafe.
7) SP: The data corresponds to the times between acquisition of the safe position and transfer of the safe position via
PROFIsafe.


9.4.9 Control of Extended Functions without encoder via terminals (only CU310‑2)
The table below shows the response times¹⁾ from the occurrence of a signal at the terminals
until the response is initiated.

CAUTION
Extension of the response times for SLS without encoder or SDI without encoder under certain
circumstances
If the safety functions SLS without encoder or SDI without encoder are already selected when
the gating pulses for the Power Module are enabled, then during the starting phase, it is
absolutely imperative that you take into account that the response times – when limit values
are violated and for system errors – are extended by the time value set in parameter p9586²⁾
with respect to the standard values (see table above).
After the time interval set in p9586, the standard response times apply (see table above).

Table 9-9 Response times for control of the Extended Functions without encoder via terminals (only CU310‑2)

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 3,5 · p9500 + r9780 + t_E³⁾ | 4 · p9500 + 2 · r9780 + t_E³⁾ |
| SS1 (speed controlled/time and acceleration controlled), SS1E (time controlled) | 3,5 · p9500 + 2 ms + t_E³⁾ | 4 · p9500 + 2 ms + t_E³⁾ |
| SBC | 3,5 · p9500 + 2 · r9780 + t_E³⁾ | 4 · p9500 + 9 · r9780 + t_E³⁾ |
| SBR or SAM (limit value violation until STO active) | 3 · p9500 + r9780 + p9587 + 4 ms | 3,5 · p9500 + r9780 + p9587 + 32 ms |
| SLS speed limit violated³⁾: Standard²⁾ | 3 · p9500 + p9587 + 6 ms | 4,5 · p9500 + r9780 + p9578 + 32 ms |
| SLS speed limit violated³⁾: Start phase²⁾ | 3 · p9500 + p9586²⁾ + p9578 + 6 ms | 4,5 · p9500 + r9780 + p9586²⁾ + p9578 + 32 ms |
| SSM | 4 · p9500 + p9587 + 4 ms | 4,5 · p9500 + p9587 + 32 ms |
| SDI (limit value violation until braking is initiated): Standard²⁾ | 2,5 · p9500 + p9587 + 6 ms | 4 · p9500 + r9780 + p9587 + 32 ms |
| SDI (limit value violation until braking is initiated): Start phase²⁾ | 2,5 · p9500 + p9587 + p9586²⁾ + 6 ms | 4 · p9500 + r9780 + p9587 + p9586²⁾ + 32 ms |

1) The specified response times are valid for Extended Functions with and without selection!
2) Start phase: This describes the behavior after switching on (ON command with previously deleted pulses).
Standard: This behavior applies when the pulses have already been enabled.
There is a different behavior because, with the aid of p9586, the encoderless actual value acquisition after pulse enable can
only be activated after a delay.
3) For t_E, the following applies:
– p10017 = 0: t_E = 2 · p0799
– p10017 ≠ 0: t_E = p10017 + p0799 + 1 ms


9.4.10 Control of Extended Functions without encoder via TM54F (CU310‑2 and
CU320‑2)
The table below shows the response times1) from the occurrence of a signal at the terminals
until the response is initiated.

CAUTION
Extension of the response times for SLS without encoder or SDI without encoder under certain
circumstances
If the safety functions SLS without encoder or SDI without encoder are already selected when
the gating pulses for the Power Module are enabled, then during the starting phase, it is
absolutely imperative that you take into account that the response times – when limit values
are violated and for system errors – are extended by the time value set in parameter p95862)
with respect to the standard values (see table above).
After the time interval set in parameter p9586, the standard response times apply (see table
above).

Table 9-10 Response times for control via TM54F

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| STO | 3.5 · p9500 + r9780 + p10017³⁾ + 1 ms | 4 · p9500 + 2 · r9780 + p10017³⁾ + 1 ms |
| SS1 (speed controlled/time and acceleration controlled), SS1E (time controlled) | 3.5 · p9500 + p10017³⁾ + 3 ms | 4 · p9500 + p10017³⁾ + 3 ms |
| SBC | 3.5 · p9500 + 2 · r9780 + p10017³⁾ + 1 ms | 4 · p9500 + 6 · r9780 + p10017³⁾ + 1 ms |
| SBR or SAM (limit value violation until STO active) | 3 · p9500 + r9780 + p9587 + 4 ms | 3.5 · p9500 + r9780 + p9587 + 32 ms |
| SLS speed limit violated³⁾, Standard²⁾ | 3 · p9500 + p9587 + 6 ms | 4.5 · p9500 + r9780 + p9587 + 32 ms |
| SLS speed limit violated³⁾, Start phase²⁾ | 3 · p9500 + p9587 + p9586²⁾ + 6 ms | 4.5 · p9500 + r9780 + p9587 + p9586²⁾ + 32 ms |
| SSM | 4 · p9500 + p9587 + 4 ms | 4.5 · p9500 + p9587 + 32 ms |
| SDI (limit value violation until braking is initiated), Standard²⁾ | 2.5 · p9500 + p9587 + 6 ms | 4 · p9500 + r9780 + p9587 + 32 ms |
| SDI (limit value violation until braking is initiated), Start phase²⁾ | 2.5 · p9500 + p9587 + p9586²⁾ + 6 ms | 4 · p9500 + r9780 + p9587 + p9586²⁾ + 32 ms |

¹⁾ The specified response times are valid for Extended Functions with and without selection!
²⁾ Start phase: This describes the behavior after switching on (ON command with previously deleted pulses).
Standard: This behavior applies when the pulses have already been enabled.
There is a different behavior because, with the aid of p9586, the encoderless actual value acquisition after pulse enable can
only be activated after a delay.
³⁾ For CU310-2, use the parameter p10017 of the drive object "TM54F_xx" to calculate the response time, not that of the
control unit.
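The formulas of Table 9-10 evaluated for one parameter set, including the start-phase extension by p9586 for SLS and SDI. This is an added example, not part of the manual: the parameter values are constructed, all parameters are assumed to be already converted to milliseconds, and `over_budget` with its limits is a hypothetical helper for comparing the results with a required response time.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DriveParams:
    """Parameter values; assumption: all already converted to milliseconds."""
    p9500: float
    r9780: float
    p10017: float  # on CU310-2: value from drive object "TM54F_xx" (footnote 3)
    p9587: float
    p9586: float   # only added during the start phase (footnote 2)


# Table 9-10 as coefficient rows (k_p9500, k_r9780, k_p10017, k_p9587, constant_ms)
# for "no fault" and "fault present"; the last field says whether the table has a
# separate "Start phase" row for this function.
TABLE_9_10 = {
    "STO":     ((3.5, 1, 1, 0, 1), (4.0, 2, 1, 0, 1), False),
    "SS1":     ((3.5, 0, 1, 0, 3), (4.0, 0, 1, 0, 3), False),
    "SBC":     ((3.5, 2, 1, 0, 1), (4.0, 6, 1, 0, 1), False),
    "SBR/SAM": ((3.0, 1, 0, 1, 4), (3.5, 1, 0, 1, 32), False),
    "SLS":     ((3.0, 0, 0, 1, 6), (4.5, 1, 0, 1, 32), True),
    "SSM":     ((4.0, 0, 0, 1, 4), (4.5, 0, 0, 1, 32), False),
    "SDI":     ((2.5, 0, 0, 1, 6), (4.0, 1, 0, 1, 32), True),
}


def _evaluate(row, p):
    """Evaluate one table cell for the given parameter set."""
    k9500, k9780, k10017, k9587, const_ms = row
    return (k9500 * p.p9500 + k9780 * p.r9780
            + k10017 * p.p10017 + k9587 * p.p9587 + const_ms)


def response_time(function, p, fault=False, start_phase=False):
    """Worst-case response time in ms for one function and one operating case."""
    no_fault_row, fault_row, has_start_row = TABLE_9_10[function]
    t = _evaluate(fault_row if fault else no_fault_row, p)
    # SLS and SDI without encoder are extended by p9586 while the
    # encoderless actual value acquisition is still delayed after pulse enable.
    if start_phase and has_start_row:
        t += p.p9586
    return t


def worst_case(function, p):
    """Largest value over both columns and both phases."""
    return max(response_time(function, p, fault, start)
               for fault in (False, True) for start in (False, True))


def over_budget(p, budgets_ms):
    """Hypothetical check: functions whose worst case exceeds the required time."""
    return {fn: worst_case(fn, p)
            for fn, limit in budgets_ms.items() if worst_case(fn, p) > limit}


# Constructed sample values, not taken from the manual.
SAMPLE = DriveParams(p9500=12.0, r9780=4.0, p10017=1.0, p9587=25.0, p9586=100.0)

if __name__ == "__main__":
    for name in TABLE_9_10:
        print(f"{name:8s} standard/no fault: {response_time(name, SAMPLE):6.1f} ms"
              f"   worst case: {worst_case(name, SAMPLE):6.1f} ms")
```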


9.4.11 Control of Advanced Functions with encoder via PROFIsafe (CU310‑2 and CU320‑2)
The following table lists the response times¹⁾ from receiving the PROFIsafe telegram at the
Control Unit up to initiating the particular response.

Table 9-11 Response times when controlling via PROFIsafe

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| SLP (limit value violation until a response is initiated) | 1.5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_ACT²⁾ |
| SP⁴⁾ with isochronous PROFIsafe telegram | 3 · p9500 | 3 · p9500 + t_ACT²⁾ |
| SCA: Time between violation of a cam start or end position and output of the feedback message in S_ZSW_CAM1 | 3.5 · p9500 | 4 · p9500 + t_ACT²⁾ |

¹⁾ The specified response times involve internal SINAMICS response times. Program run times in the F‑host and the
transmission time via PROFIBUS or PROFINET are not taken into account. When calculating the response times between
the F-CPU and the converter, you must take into account that faults in the communication can result in a safety function only
being selected after the PROFIsafe monitoring time (F_WD_Time) has expired. The PROFIsafe monitoring time
(F_WD_Time) must also be included in the calculation when an error occurs.
²⁾ t_ACT:
● For isochronous communication: t_K = To (for To, see parameter r2064[4])
● For non-isochronous communication:
– t_K = 4 ms (for modules on which p2048 or p8848⁷⁾ does not exist)
– t_K = value from p2048 or p8848⁷⁾ (for modules on which p2048 or p8848⁷⁾ exists)
⁴⁾ SP: The data corresponds to the times between acquisition of the safe position and transfer of the safe position via
PROFIsafe.


9.4.12 Control of Advanced Functions with encoder via TM54F (CU310‑2 and CU320‑2)
The table below shows the response times after the appearance of a signal at the terminals.

Table 9-12 Response times for control via TM54F

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| SLP (limit value violation until a response is initiated) | 1.5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_ACT¹⁾ |

¹⁾ For t_ACT, the following applies:
● For p9511 ≠ 0: t_ACT = p9511
● For p9511 = 0:
– If an isochronous PROFIBUS master is available: t_ACT = PROFIBUS cycle
– Otherwise: t_ACT = 1 ms


9.4.13 Control of Advanced Functions with encoder via terminals (only CU310-2)
The table below shows the response times after the appearance of a signal at the terminals.

Table 9-13 Response times when controlling the Advanced Functions with encoder via safe onboard terminals (only CU310-2)

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| SLP (limit value violation until a response is initiated) | 1.5 · p9500 + 2 ms | 3 · p9500 + 2 ms + t_ACT¹⁾ |

¹⁾ t_ACT:
● For p9511 ≠ 0: t_ACT = p9511
● For p9511 = 0:
– If an isochronous PROFIBUS master is available: t_ACT = PROFIBUS cycle
– Otherwise: t_ACT = 1 ms


9.4.14 Advanced Functions without encoder via PROFIsafe (CU310‑2 and CU320‑2)
The following table lists the response times¹⁾ from receiving the PROFIsafe telegram at the
Control Unit up to initiating the particular response.

Table 9-14 Response times when controlling via PROFIsafe

| Function | Worst case: drive system has no fault | Worst case: a fault is present |
|---|---|---|
| SP²⁾ | 6 · p9500 + p9587 + 4 ms | 6.5 · p9500 + p9587 + 32 ms |

¹⁾ The specified response times involve internal SINAMICS response times. Program run times in the F‑host and the
transmission time via PROFIBUS or PROFINET are not taken into account. When calculating the response times between
the F-CPU and the converter, you must take into account that faults in the communication can result in a safety function only
being selected after the PROFIsafe monitoring time (F_WD_Time) has expired. The PROFIsafe monitoring time
(F_WD_Time) must also be included in the calculation when an error occurs.
²⁾ SP: The data corresponds to the times between acquisition of the safe position and transfer of the safe position via
PROFIsafe.

Standards and regulations 10
10.1 General information

10.1.1 Aims
Manufacturers and operating companies of equipment, machines, and products are
responsible for ensuring the required level of safety. This means that plants, machines, and
other equipment must be designed to be as safe as possible in accordance with the current
state of the art. For this purpose, companies describe in the various standards the current state
of the art covering all aspects relevant to safety. If it can be justifiably assumed that all of the
relevant standards are complied with, this ensures that state-of-the-art technology has been
utilized and, in turn, a plant builder or a manufacturer of a machine or a piece of equipment has
fulfilled his appropriate responsibility.
Safety systems are designed to minimize potential hazards for both people and the
environment by means of suitable technical equipment, without restricting industrial production
and the use of machines more than is necessary. The protection of man and environment must
be assigned equal importance in all countries based on internationally harmonized rules and
regulations. This is also intended to avoid competitive advantages or disadvantages due to
different safety requirements in different countries.
There are different concepts and requirements in the various regions and countries of the world
when it comes to ensuring the appropriate degree of safety. The legislation and the
requirements of how and when proof is to be given and whether there is an adequate level of
safety are just as different as the assignment of responsibilities.
The most important thing for manufacturers of machines and companies that set up plants and
systems is that the legislation and regulations in the country where the machine or plant is being
operated apply. For example, the control system for a machine that is to be used in the US must
fulfill local US requirements even if the machine manufacturer (OEM) is based in the European
Economic Area (EEA).


10.1.2 Functional safety


Safety, from the perspective of the object to be protected, cannot be split up. The causes of
hazards and, in turn, the technical measures to avoid them can vary significantly. This is why
a differentiation is made between different types of safety (e.g. by specifying the cause of
possible hazards). "Functional safety" is involved if safety depends on the correct function.
To ensure the functional safety of a machine or plant, the safety-related parts of the protection
and control devices must function correctly. In addition, the systems must behave in such a way
that either the plant remains in a safe state or it is brought into a safe state if a fault occurs. In
this case, it is necessary to use specially qualified technology that fulfills the requirements
described in the associated Standards. The requirements to implement functional safety are
based on the following basic goals:
● Avoiding systematic faults
● Controlling random faults or failures
Benchmarks for establishing whether or not a sufficient level of functional safety has been
achieved include the probability of hazardous failures, the fault tolerance, and the quality that
is to be ensured by avoiding systematic faults. This is expressed in the standards using specific
classifications: "Safety Integrity Level" (SIL) in IEC/EN 61508 and IEC/EN 62061, and
"Category" and "Performance Level" (PL) in EN ISO 13849‑1.


10.2 Safety of machinery in Europe


The EU Directives that apply to the implementation of products are based on Article 95 of the
EU contract, which regulates the free exchange of goods. These are based on a new global
concept ("new approach", "global approach"):
● EU Directives only specify general safety goals and define basic safety requirements.
● Technical details can be defined by means of standards by Standards Associations that
have the appropriate mandate from the commission of the European Parliament and
Council (CEN, CENELEC). These standards are harmonized in line with a specific directive
and listed in the official journal of the commission of the European Parliament and Council.
Legislation does not specify that certain standards have to be observed. When the
harmonized Standards are observed, it can be assumed that the safety requirements and
specifications of the Directives involved have been fulfilled.
● EU Directives specify that the Member States must mutually recognize domestic
regulations.
The EU Directives are equal. This means that if several Directives apply for a specific piece of
equipment or device, the requirements of all of the relevant Directives apply (e.g. for a machine
with electrical equipment, the Machinery Directive and the Low-Voltage Directive apply).

10.2.1 Machinery Directive


The basic safety and health requirements specified in Annex I of the Directive must be fulfilled
for the safety of machines.
The protective goals must be implemented responsibly to ensure compliance with the Directive.
Manufacturers of a machine must verify that their machine complies with the basic
requirements. This verification is facilitated by means of harmonized standards.
IEC 61800‑5‑2 "Adjustable-speed electrical power drive systems - Part 5-2: Safety
requirements - Functional safety" is relevant for the Machinery Directive.
Within the context of IEC 61508, IEC 61800‑5‑2 considers adjustable speed electric power
drive systems (PDS), which are suitable for use in safety-related applications (PDS(SR)).
IEC 61800‑5‑2 places demands on PDS(SR) as subsystems of a safety-related system. This
therefore permits the implementation of the electrical/electronic/programmable electronic
elements of a PDS(SR) taking into account the safety-relevant performance of the safety
function(s) of a PDS.
Manufacturers and suppliers of PDS(SR) can prove to users (e.g. integrators of control
systems, developers of machines and plants etc.) the safety-relevant performance of their
equipment by implementing the specifications stipulated in standard IEC 61800‑5‑2.


10.2.2 Harmonized European Standards


The two Standards Organizations CEN (Comité Européen de Normalisation) and CENELEC
(Comité Européen de Normalisation Électrotechnique), mandated by the EU Commission,
drew up harmonized European standards in order to precisely specify the requirements of the
EC directives for a specific product. These standards (EN standards) are published in the
official journal of the commission of the European Parliament and Council and must be included
without revision in domestic standards. They are designed to fulfill basic health and safety
requirements as well as the protective goals specified in Annex I of the Machinery Directive.
When the harmonized standards are observed, it is "automatically assumed" that the Directive
is fulfilled. As such, manufacturers can assume that they have observed the safety aspects of
the Directive under the assumption that these are also covered in this standard. However, not
every European Standard is harmonized in this sense. Key here is the listing in the official
journal of the commission of the European Parliament and Council.
The European Safety of Machines standard is hierarchically structured. It is divided into:
● A standards (basic standards)
● B standards (group standards)
● C standards (product standards)
Type A standards/basic standards
A standards include basic terminology and definitions relating to all types of machine. This
includes EN ISO 12100 (previously EN 292-1) "Safety of Machines, Basic Terminology,
General Design Principles".
A standards are aimed primarily at the bodies responsible for setting the B and C standards.
The measures specified here for minimizing risk, however, may also be useful for
manufacturers if no applicable C standards have been defined.
Type B standards/group standards
B standards cover all safety-related standards for various different machine types. B standards
are aimed primarily at the bodies responsible for setting C standards. They can also be useful
for manufacturers during the machine design and construction phases, however, if no
applicable C standards have been defined.
A further sub-division has been made for B standards:
● Type B1 standards for higher-level safety aspects (e.g. ergonomic principles, safety
clearances from sources of danger, minimum clearances to prevent parts of the body from
being crushed).
● Type B2 standards for protective safety devices are defined for different machine types (e.g.
EMERGENCY STOP devices, two-hand operating circuits, interlocking elements,
contactless protective devices, safety-related parts of controls).
Type C standards/product standards
C standards are product-specific standards (e.g. for machine tools, woodworking machines,
elevators, packaging machines, printing machines etc.). Product standards cover machine-
specific requirements. The requirements can, under certain circumstances, deviate from the
basic and group standards. Type C/product standards have the highest priority for machine
manufacturers who can assume that it fulfills the basic requirements of Annex I of the
Machinery Directive (automatic presumption of compliance). If no product standard has been
defined for a particular machine, type B standards can be applied when the machine is
constructed.
A complete list of the standards specified and the mandated draft standards are available on
the Internet at the following address:
Standards (http://www.newapproach.org/)
Recommendation: Due to the rapid pace of technical development and the associated changes
in machine concepts, the standards (and C standards in particular) should be checked to
ensure that they are up to date. Please note that the application of a particular standard may not
be mandatory provided that all the safety requirements of the applicable EU directives are
fulfilled.

10.2.3 Standards for implementing safety-related controllers


If the functional safety of a machine depends on various control functions, the controller must
be implemented in such a way that the probability of safety functions failing in a dangerous
fashion is sufficiently minimized. The EN ISO 13849‑1 and IEC 61508 standards define
principles for implementing safety-related machine controllers which, when properly applied,
ensure that all the safety requirements of the EC Machinery Directive are fulfilled.

[Figure: block diagram of three standards (the standard numbers inside the boxes did not survive extraction).
Upper left box: "Safety of Machinery - Functional safety, safety-related electrical, electronic and programmable electronic control systems"; any architectures, all SIL (from PL b); sector standard for the area of machines, below the base standard.
Upper right box: "Safety of Machinery - Safety-related parts of control systems"; defined architectures, restricted maximum PL for electronics; for deviations from the defined architectures, reference to the base standard.
Base box: "Functional safety, safety-related electrical, electronic, programmable electronic control systems"; universal use for electrical, electronic and programmable electronic systems that execute safety functions or guarantee functional safety.]

Figure 10-1 Standards for implementing safety-related controllers

The application areas of EN ISO 13849-1, EN 62061, and EN 61508 are very similar. To help
users make an appropriate decision, the IEC and ISO associations have specified the
application areas of both standards in a joint table in the introduction to the standards.
EN ISO 13849‑1 or EN 62061 should be applied depending on the technology (mechanics,
hydraulics, pneumatics, electrics, electronics, programmable electronics), risk classification
and architecture.


Further, Standard IEC 61800‑5‑2 is applicable for variable-speed electric drives with integrated
safety functions. IEC 61800‑5‑2 defines requirements and gives recommendations for
designing and developing, integrating and validating safety-related applications regarding their
functional safety. IEC 61800‑5‑2 is applicable for adjustable speed electric power drive
systems, which are handled in other parts of IEC 61800 standards.

| | Systems for executing safety-related control functions | EN ISO 13849-1 | EN 62061 |
|---|---|---|---|
| A | Non-electrical (e.g. hydraulic, pneumatic) | X | Not covered |
| B | Electromechanical (e.g. relay and/or basic electronics) | Restricted to the designated architectures (see comment 1) and max. up to PL = e | All architectures and max. up to SIL 3 |
| C | Complex electronics (e.g. programmable electronics) | Restricted to the designated architectures (see comment 1) and max. up to PL = d | All architectures and max. up to SIL 3 |
| D | A standards combined with B standards | Restricted to the designated architectures (see comment 1) and max. up to PL = e | X (see comment 3) |
| E | C standards combined with B standards | Restricted to the designated architectures (see comment 1) and max. up to PL = d | All architectures and max. up to SIL 3 |
| F | C standards combined with A standards, or C standards combined with A standards and B standards | X (see comment 2) | X (see comment 3) |

"X" indicates that the point is covered by this standard.
Comment 1: Designated architectures are described in Annex B of EN ISO 13849-1 and provide a simplified basis for the quantification.
Comment 2: For complex electronics: Using designated architectures in compliance with EN ISO 13849-1 up to PL = d or every architecture
in compliance with EN 62061.
Comment 3: For non-electrical systems: Use components that comply with EN ISO 13849-1 as sub-systems.


10.2.4 DIN EN ISO 13849-1


A qualitative analysis according to DIN EN 13849-1 is not sufficient for modern control systems
due to their technology. Among other things, DIN EN ISO 13849‑1 does not take into account
time behavior (e.g. test interval and/or cyclic test, lifetime). This results in the probabilistic
approach in DIN EN ISO 13849-1 (probability of failure per unit time).
DIN EN ISO 13849‑1 considers complete safety functions and all the devices required to
execute these. With DIN EN ISO 13849‑1, safety functions are considered from both a
qualitative as well as a quantitative perspective. Performance levels (PL), which are based on
specific categories, are used. The following safety-related characteristic quantities are required
for devices/equipment:
● Category (structural requirement)
● PL: Performance level
● MTTFd: Mean time to dangerous failure
● DC: Diagnostic coverage
● CCF: Common cause failure
The standard describes how the performance level (PL) is calculated for safety-related
components of the controller on the basis of designated architectures. For deviations from this,
DIN EN ISO 13849-1 refers to IEC 61508.
When combining several safety-related parts to form a complete system, the standard explains
how to determine the resulting PL.

Note
DIN EN ISO 13849‑1 and machinery directive
Since May 2007, DIN EN ISO 13849-1 has been harmonized as part of the Machinery Directive.

10.2.5 EN 62061
EN 62061 (this is identical to IEC 62061) is a sector-specific standard below IEC/EN 61508. It
describes the implementation of safety-related electrical control systems of machines and
takes into account the complete lifecycle - from the conceptual phase to de-commissioning.
The standard is based on the quantitative and qualitative analyses of safety functions,
whereby it systematically applies a top-down approach to implementing complex control
systems (known as "functional decomposition"). The safety functions derived from the risk
analysis are sub-divided into sub-safety functions, which are then assigned to real devices, sub-
systems, and sub-system elements. Both the hardware and software are covered. EN 62061
also describes the requirements placed on implementing application programs.
A safety-related control system comprises different sub-systems. From a safety perspective,
the sub-systems are described in terms of the SIL claim limit and PFHD characteristic
quantities.


Programmable electronic devices (e.g. PLCs or variable-speed drives) must fulfill IEC 61508.
They can then be integrated in the controller as sub-systems. The following safety-related
characteristic quantities must be specified by the manufacturers of these devices.
Safety-related characteristic quantities for subsystems:
● SIL CL: SIL claim limit
● PFHD: Probability of dangerous failures per hour
● T1: Lifetime
Simple sub-systems (e.g. sensors and actuators) in electromechanical components can, in
turn, comprise sub-system elements (devices) interconnected in different ways with the
characteristic quantities required for determining the relevant PFHD value of the sub-system.
Safety-related characteristic quantities for subsystem elements (devices):
● λ: Failure rate
● B10 value: For elements that are subject to wear
● T1: Lifetime
For electromechanical devices, a manufacturer specifies a failure rate λ with reference to the
number of operating cycles. The failure rate per unit time and the lifetime must be determined
using the switching frequency for the particular application.
Parameters for the sub-system, which comprises sub-system elements, that must be defined
during the design phase:
● T2: Diagnostic test interval
● β: Susceptibility to common cause failure
● DC: Diagnostic coverage
The PFHD value of the safety-related controller is determined by adding the individual PFHD
values for subsystems.
The user has the following options when setting up a safety-related controller:
● Use devices and sub-systems that already comply with EN ISO 13849-1, IEC/EN 61508, or
IEC/EN 62061. The standard provides information specifying how qualified devices can be
integrated when safety functions are implemented.
● Develop own subsystems:
– Programmable, electronic systems and complex systems: Application of IEC 61508 or
IEC 61800-5-2.
– Simple devices and subsystems: Application of EN 62061.


EN 62061 does not include information about non-electric systems. The standard provides
detailed information on implementing safety-related electrical, electronic, and programmable
electronic control systems. DIN EN ISO 13849-1 must be applied for non-electric systems.

Note
Function examples
Details of simple sub-systems that have been implemented and integrated are now available
as "functional examples".

Note
EN 62061 and machinery directive
IEC 62061 has been ratified as EN 62061 in Europe and harmonized as part of the Machinery
Directive.

10.2.6 Series of standards IEC 61508 (VDE 0803)


This series of standards describes the current state of the art.
IEC 61508 is not harmonized in line with any EU directives, which means that an automatic
presumption of conformity for fulfilling the protective requirements of a directive is not implied.
The manufacturer of a safety-related product, however, can also use IEC 61508 to fulfill basic
requirements of European directives in accordance with the latest conceptual design, for
example, in the following cases:
● If no harmonized standard exists for the application in question. In this particular case, the
manufacturer may use IEC 61508, although no presumption of conformity exists here.
● A harmonized European standard (e.g. EN 62061, EN ISO 13849, EN 60204-1) references
IEC 61508. This ensures that the appropriate requirements of the directives are fulfilled
("standard that is also applicable"). When manufacturers apply IEC 61508 properly and
responsibly in accordance with this reference, they can use the presumption of conformity
of the referencing standard.
IEC 61508 covers all the aspects that must be taken into account when E/E/PES systems
(electrical, electronic, and programmable electronic system) are used in order to execute safety
functions and/or to ensure the appropriate level of functional safety. Other hazards (e.g. electric
shock) are not part of the standard, similar to DIN ISO 13849.
IEC 61508 has recently been declared the "International Basic Safety Publication", which
makes it a framework for other sector-specific standards (e.g. EN 62061). As a result, this
standard is now accepted worldwide, particularly in North America and in the automotive
industry. Today, many regulatory bodies already stipulate it (e.g. as a basis for NRTL listing).
Another recent development with respect to IEC 61508 is its system approach, which extends
the technical requirements to include the entire safety installation from the sensor to the
actuator, the quantification of the probability of hazardous failure due to random hardware
failures, and the creation of documentation covering all phases of the safety-related lifecycle of
the E/E/PES.


10.2.7 Risk analysis/assessment


Risks are intrinsic in machines due to their design and functionality. For this reason, the
Machinery Directive requires that a risk assessment be performed for each machine and, if
necessary, the level of risk reduced until the residual risk is less than the tolerable risk. To
assess these risks, the following standards must be applied:
● EN ISO 12100 "Safety of Machinery - General Design Principles - Risk Assessment and
Minimizing Risks"
● EN ISO 13849-1 "Safety-related parts of control systems"
EN ISO 12100 focuses on the risks to be analyzed and the design principles for minimizing risk.
The risk assessment is a procedure that allows hazards resulting from machines to be
systematically investigated. Where necessary, the risk assessment is followed by a risk
reduction procedure. When the procedure is repeated, this is known as an iterative process.
This can help eliminate hazards (as far as this is possible) and can act as a basis for
implementing suitable protective measures.
The risk assessment involves the following:
● Risk analysis
– Determines the limits of the machine (EN ISO 12100)
– Identification of hazards (EN ISO 12100)
– Estimating the level of risk (EN 1050 Paragraph 7)
● Risk evaluation
As part of the iterative process to achieve the required level of safety, a risk assessment is
carried out after the risk estimation. A decision must be made here as to whether the residual
risk needs to be reduced. If the risk is to be further reduced, suitable protective measures must
be selected and applied. The risk assessment must then be repeated.


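[Figure: flowchart. START, then "Determining the machine limits", "Identifying the potential hazard" and "Risk estimation" (together: risk analysis), then "Risk evaluation" (risk analysis and risk evaluation together: risk assessment), then the decision "Is the machine safe?". Yes: END. No: "Risk reduction". Note in the figure: Minimizing risks and selecting suitable protective measures are not part of the risk assessment.]

Figure 10-2 Iterative process for achieving safety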

Risks must be reduced by designing and implementing the machine accordingly (e.g. by means
of controllers or protective measures suitable for the safety-related functions).
If the protective measures involve the use of interlocking or control functions, these must be
designed according to EN ISO 13849-1. For electrical and electronic control systems,
EN 62061 can be applied instead of EN ISO 13849-1. Electronic controllers and bus systems
must also comply with IEC 61508.


10.2.8 Risk reduction


Risk reduction measures for a machine can be implemented by means of safety-related control
functions in addition to structural measures. To implement these control functions, special
requirements must be taken into account, graded according to the magnitude of the risk. These
are described in EN ISO 13849-1 or, in the case of electrical controllers (particularly
programmable electronics), in EN 61508 or EN 62061. The requirements regarding safety-
related controller components are graded according to the magnitude of the risk and the level
to which the risk needs to be reduced.
EN ISO 13849-1 defines a risk flow chart that instead of categories results in hierarchically
graduated Performance Levels (PL).
IEC/EN 62061 uses "Safety Integrity Level" (SIL) for classification purposes. This is a
quantified measure of the safety-related performance of a controller. The required SIL is also
determined in accordance with the risk assessment principle according to ISO 12100 (EN
1050). Annex A of the standard describes a method for determining the required Safety
Integrity Level (SIL).
Regardless of which standard is applied, steps must be taken to ensure that all the machine
controller components required for executing the safety-related functions fulfill these
requirements.

10.2.9 Residual risk


In today's technologically advanced world, the concept of safety is relative. The ability to ensure
safety to the extent that risk is ruled out in all circumstances – "zero-risk guarantee" – is
practically impossible. The residual risk is the risk that remains once all the relevant protective
measures have been implemented in accordance with the latest state of the art.
Residual risks must be clearly referred to in the machine/plant documentation (user information
according to EN ISO 12100).

10.2.10 EC declaration of conformity


The EC Declaration of Conformity for the product can be obtained from your local Siemens
office or on the Internet at:
EC declaration of conformity (https://support.industry.siemens.com/cs/ww/en/view/67385845)


10.3 Machine safety in the USA


A key difference between the USA and Europe in the legal requirements regarding safety at
work is that, in the USA, no legislation exists regarding machinery safety that is applicable in all
of the states and that defines the responsibility of the manufacturer/supplier. A general
requirement exists stating that employers must ensure a safe workplace.
You can find further information in the following sections:
● Minimum requirements of the OSHA (Page 385)
● NRTL listing (Page 386)
● NFPA 79 (Page 387)
● ANSI B11 (Page 387)

10.3.1 Minimum requirements of the OSHA


The Occupational Safety and Health Act (OSHA) from 1970 regulates the requirement that
employers must offer a safe place of work. The core requirements of OSHA are specified in
Section 5 "Duties".
The requirements of the OSH Act are managed by the "Occupational Safety and Health
Administration" (also known as OSHA). OSHA employs regional inspectors who check whether
or not workplaces comply with the applicable regulations.
The OSHA regulations are described in OSHA 29 CFR 1910.xxx ("OSHA Regulations (29
CFR) PART 1910 Occupational Safety and Health"). (CFR: Code of Federal Regulations.)
OSHA (http://www.osha.gov)
The application of standards is regulated in 29 CFR 1910.5 "Applicability of standards". The
concept is similar to that used in Europe. Product-specific standards have priority over general
standards insofar as they cover the relevant aspects. Once the standards are fulfilled,
employers can assume that they have fulfilled the core requirements of the OSH Act with
respect to the aspects covered by the standards.
In conjunction with certain applications, OSHA requires that all electrical equipment and
devices that are used to protect workers be authorized by an OSHA-certified, "Nationally
Recognized Testing Laboratory" (NRTL) for the specific application.
In addition to the OSHA regulations, the current standards defined by organizations such as
NFPA and ANSI must be carefully observed, and the extensive product liability legislation that
exists in the US must be taken into account. Due to the product liability legislation, it is in
the interests of manufacturing and operating companies to comply carefully with the applicable
regulations; they are "forced" to fulfill the requirement to use state-of-the-art technology.
Third-party insurance companies generally demand that their customers fulfill the applicable
standards of the standards organizations. Self-insured companies are not initially subject to
this requirement but, in the event of an accident, they must provide verification that they have
applied generally-recognized safety principles.

10.3.2 NRTL listing


To protect employees, all electrical equipment used in the USA must be certified for the planned
application by a "Nationally Recognized Testing Laboratory" (NRTL) certified by the OSHA.
NRTLs are authorized to certify equipment and material by means of listing, labeling, or similar.
Domestic standards (e.g. NFPA 79) and international standards (e.g. IEC/EN 61508 for E/E/PES
systems) are the basis for testing.

10.3.3 NFPA 79
Standard NFPA 79 (Electrical Standard for Industrial Machinery) applies to electrical
equipment on industrial machines with rated voltages of less than 600 V. A group of machines
that operate together in a coordinated fashion is also considered to be one machine.
For programmable electronics and communication buses, NFPA 79 states as a basic
requirement that these must be listed if they are to be used to implement and execute
safety-related functions. If this requirement is fulfilled, then electronic controls and
communication buses can also be used for Emergency Stop functions, Stop Categories 0 and 1
(refer to NFPA 79 9.2.5.4.1.4). Like EN 60204-1, NFPA 79 no longer specifies that the
electrical energy must be disconnected by electromechanical means for emergency stop
functions.
The core requirements regarding programmable electronics and communication buses in
accordance with NFPA 79 9.4.3:
1. Control systems that contain software-based controllers must:
   – In the event of a single fault
     (a) Initiate that the system switches to a safe shutdown mode
     (b) Prevent the system from restarting until the fault has been rectified
     (c) Prevent an unexpected restart
   – Offer the same level of protection as hard-wired controllers
   – Be implemented in accordance with a recognized standard that defines the requirements
     for such systems.
2. IEC 61508, IEC 62061, ISO 13849-1, ISO 13849-2 and IEC 61800-5-2 are specified as
   suitable standards in a note.
Underwriters Laboratories Inc. (UL) has defined a special category for "Programmable Safety
Controllers" for implementing this requirement (code NRGF). This category covers control
devices that contain software and are designed for use in safety-related functions.
A precise description of the category and a list of devices that fulfill this requirement can be
found on the Internet at the following address:
NRGF (http://www.ul.com) → Online Certifications Directory → UL Category code/Guide
information → search for category "NRGF"
TUV Rheinland of North America, Inc. is also an NRTL for these applications.

10.3.4 ANSI B11


ANSI B11 standards are joint standards developed by associations such as the Association for
Manufacturing Technology (AMT) and the Robotic Industries Association (RIA).
The hazards of a machine are evaluated by means of a risk analysis/assessment. The risk
analysis is an important requirement in accordance with NFPA 79, ANSI/RIA 15.06, ANSI
B11.TR-3 and SEMI S10 (semiconductors). The documented results of a risk analysis can be
used to select a suitable safety system based on the safety class of the application in question.

10.4 Machine safety in Japan


The situation in Japan is different from that in Europe and the US. Legislation such as that
prescribed in Europe does not exist. Similarly, product liability does not play such an important
role as it does in the US.
Instead of legal requirements to apply standards, an administrative recommendation to
apply JIS (Japanese Industrial Standard) is in place. Japan bases its approach on the
European concept and uses basic standards as national standards:

Table 10-1 Japanese standards

| ISO/IEC number | JIS number | Comment |
|---|---|---|
| ISO 12100 (EN 1050) | JIS B 9700, JIS B 9702 | Earlier designation TR B 0008 and TR B 0009 |
| ISO 13849-1 | JIS B 9705-1 | - |
| ISO 13849-2 | JIS B 9705-1 | - |
| IEC 60204-1 | JIS B 9960-1 | Without annex F or route map of the European foreword |
| IEC 61508-0 to -7 | JIS C 0508 | - |
| IEC 62061 | - | JIS number not yet assigned |

10.5 Equipment regulations


In addition to the requirements of the guidelines and standards, company-specific
requirements must be taken into account. Large corporations in particular (e.g. automobile
manufacturers) make stringent demands regarding automation components, which are often
listed in their own equipment specifications.
Safety-related issues (e.g. operating modes, operator actions with access to hazardous areas,
EMERGENCY STOP concepts, etc.) should be clarified with customers early on so that they
can be integrated in the risk assessment/risk reduction process.

10.6 Other safety-related issues

10.6.1 Information sheets issued by the Employer's Liability Insurance Association


Safety-related measures to be implemented cannot always be derived from directives,
standards, or regulations. In this case, supplementary information and explanations are
required.
Some regulatory bodies issue publications on an extremely wide range of subjects.

Note
These publications are in German. In some instances, they are also available in English and
French.

Information sheets covering the following areas are available, for example:
● Process monitoring in production environments
● Axes subject to gravitational force
● Roller pressing machines
● Lathes and turning centers - purchasing/selling
These information sheets issued by specialist committees can be obtained by all interested
parties (e.g. to provide support in factories, or when regulations or safety-related measures for
plants and machines are defined). These information sheets provide support for the fields of
machinery construction, production systems, and steel construction.
You can download the information sheets from the Internet address (http://www.bghm.de/)
(website is in German, although some of the sheets are available in English):
1. First select the area "Arbeitsschützer", followed by the menu item "Praxishilfen" and finally
"DGUV-Informationen".

10.6.2 Additional references


● Safety Integrated, The Safety Program for Industries of the World (5th Edition and
Supplement), Article No. 6ZB5 000-0AA01-0BA1
● Safety Integrated - Terms and Standards - Machine Safety Terminology (Edition 04/2007),
Article No. E86060-T1813-A101-A1

11 Maintenance
11.1 Information pertaining to component replacements

Note
Note additional safety instructions
Observe the instructions with regard to changing or replacing software components in Chapter
"Safety instructions (Page 23)"!

WARNING
Unwanted motion if components are replaced without a function test
After a component replacement, connections or functions can be defective so that death or
serious injury can result if a person enters the danger zone of the motors.
● After component replacement, always run a simplified function test.
You can find more detailed information in Chapters "Test scope for specific measures
(Page 339)" and "Acceptance test (Page 331)".

The faulty component was replaced according to safety regulations. The information relevant
from the perspective of Safety Integrated is provided in the following. For information about
component replacements, see "Example of component replacements" in the SINAMICS S120
Function Manual Drive Functions.
● Based on the NodeID and the saved CRC of the particular hardware component, the drive
identifies that a component has been replaced. You can take the responses of the drive and
the actions that have to be carried out from the table in the following section:

11.1.1 Details on the replacement of individual components

| Functions | Replaced component | Control type | Drive response (fault) | User action: Fault acknowledgment required 1) | User action: Acknowledgment is required that the component has been replaced 2) | User action: Save 3) | Diagnostic parameters |
|---|---|---|---|---|---|---|---|
| Basic Functions | Control Unit | All | F01641.0 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Basic Functions | Motor Module | All | F01641.1 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Basic Functions | Power Module | All | F01641.2 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Extended/Advanced Functions | Control Unit | All | F01641.0 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Extended/Advanced Functions | Motor Module | PROFIsafe, OnBoard F-DI, without selection | F01641.1 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Extended/Advanced Functions | Motor Module | TM54F | F01640.1 = 1 | Yes | Yes | Yes | r9776.2 = 1, r9776.3 = 1 |
| Extended/Advanced Functions | Power Module | All | F01641.2 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Extended/Advanced Functions | Sensor Module (CPU 1) | All | F01641.3 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Extended/Advanced Functions | Sensor Module (CPU 2) | All | F01640.4 = 1 | Yes | Yes | Yes | r9776.2 = 1, r9776.3 = 1 |
| Extended/Advanced Functions | Encoder 4) | All | F01641.5 = 1, F01641.6 = 1 | Yes | No | Yes | r9776.2 = 1 |
| Extended/Advanced Functions | TM54F | All | F01641 (only on TM54F_MA) | Yes | No | Yes | r9776.2 = 1 |

1) The fault must be acknowledged each time a component is replaced using a standard
   acknowledgment (e.g. using a 0/1 signal at p2103). However, even without acknowledgment
   the drive can still be operated.
2) The replacement of the components listed in the table must be acknowledged so that the new
   internal device communication can be established. When replacing other components,
   acknowledgment is not required, as the new communication is established automatically.
   To acknowledge a component replacement, perform the following sequence on all of the drive
   objects involved:
   - Check whether the following preconditions are fulfilled:
     - p0010 = 0
     - It is not permissible for a firmware update to be active on the drive object.
   - Set p9702 = 29 (= 1D hex)
   - When the acknowledgement process is finished, p9702 jumps back to the value 0.
3) The modified data must be saved after a component has been replaced:
   - It is not permissible for a firmware update to be active on the drive object.
   - Copy from RAM to ROM by setting p0977 = 1.
   If the data is not saved, the fault is output again after the next POWER ON.
4) Only for encoders with serial number (e.g. EnDat)

11.1.2 Replacing motors for safety without encoder


When using safety functions without encoder, the motor pole pair number plays a decisive role.
If a motor is replaced, then the behavior depends on the pole pair number: If a motor with a
higher pole pair number is used (other than that configured), the mechanical speed is less than
that calculated by Safety Integrated. If a motor with a lower pole pair number is used (e.g. when
a motor is replaced), the mechanical speed is higher than that calculated by Safety Integrated.
● After a replacement such as this, perform a test by comparing the safe actual speed (r9714)
with the normal speed (r0063 or the output frequency), and if required, correct the
configured pole pair number.

11.1.3 Parameters and function diagrams

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● r9670 SI module identification Control Unit
● r9671[0...n] SI module identification Motor Module
● p9672 SI module identification Power Module
● p9673 SI module identification sensor channel 1
● p9674 SI module identification sensor channel 2
● p9675 SI module identification sensor channel 1
● p9676 SI module identification sensor channel 2
● p9702 Acknowledge SI component replacement
● r9776 SI diagnostics
● r9793[0...9] SI diagnostics component replacement
● r10070 SI TM54F module identification

11.2 Note regarding firmware update

WARNING
Firmware update without POWER ON and acceptance test
If the message A01007 "POWER ON required for DRIVE-CLiQ component" appears after a
firmware update, death or serious injury can be caused if a person enters the danger zone of
the motors.
● Then perform a partial acceptance test.
● Do not enter the danger zone of the motor until the acceptance test has been successfully
completed.

WARNING
Unwanted motion if components are replaced without a function test
After a component replacement, connections or functions can be defective so that death or
serious injury can result if a person enters the danger zone of the motors.
● Perform a POWER ON before resuming operation.
● After component replacement, always run a simplified function test.
You can find more detailed information in Chapters "Test scope for specific measures
(Page 339)" and "Acceptance test with Startdrive (Page 343)".

11.3 Safety faults

11.3.1 Stop responses

Possible stop responses


Faults with Safety Integrated Extended/Advanced Functions and violation of limits can initiate
the following stop responses:

Overview of stop responses

Table 11-1 Overview of stop responses

Stop response: STOP A 1) (corresponds to STO 2))
Triggered ...:
● For all acknowledgeable safety faults with pulse suppression
● Subsequent response of STOP B
● Configurable subsequent stop p9563 for SLS
● Configurable subsequent stop p9566 for SDI
● Configurable subsequent stop p9562 for SLP
● Configurable subsequent stop p9579 for SLA
Action: Immediate pulse suppression
Effect: Drive coasts down

Stop response: STOP B 1) (corresponds to SS1 3))
Triggered ...:
Examples:
● Standstill tolerance violated in p9530 (SOS)
● Configurable subsequent stop p9563 for SLS
● Configurable subsequent stop p9566 for SDI
● Configurable subsequent stop p9562 for SLP
● Subsequent response of STOP F
● Configurable subsequent stop p9579 for SLA
Action: Immediate input of speed setpoint = 0 and start of timer tB. Once tB has expired or
nact < nshutdown, STOP A is triggered.
Effect: STOP B with subsequent STOP A. The drive decelerates along the OFF3 ramp and then
switches to STOP A.
Note: For "SS1 with external stop" (SS1E), braking is not performed along the OFF3 ramp (see
Chapter "Safe Stop 1 with external stop (Page 107)")

Stop response: STOP C 1) (corresponds to SS2 4))
Triggered ...:
● Configurable subsequent stop p9563 for SLS
● Configurable subsequent stop p9566 for SDI
● Configurable subsequent stop p9562 for SLP
● Configurable subsequent stop p9579 for SLA
Action: Immediate input of speed setpoint = 0 and start of timer tC. Once tC has elapsed,
SOS is selected.
Effect: The drive decelerates along the OFF3 ramp; SOS is then selected.

Stop response: STOP D 1)
Triggered ...:
● Configurable subsequent stop p9563 for SLS
● Configurable subsequent stop p9566 for SDI
● Configurable subsequent stop p9562 for SLP
● Configurable subsequent stop p9579 for SLA
Action: Timer tD starts. No drive-integrated response. SOS is activated on expiration of tD.
Effect: The drive must be decelerated by the higher-level controller (within the drive group)!
Once tD has elapsed, SOS is selected. An automatic response is only triggered if the
standstill tolerance window is violated in SOS.

Stop response: STOP E 1)
Triggered ...:
● Configurable subsequent stop p9563 for SLS
● Configurable subsequent stop p9566 for SDI
● Configurable subsequent stop p9562 for SLP
● Configurable subsequent stop p9579 for SLA
Action: SOS triggered after the expiry of p9554
Effect: Controlling the drive-integrated ESR functionality

Stop response: STOP F 1)
Triggered ...: If an error occurs in the data cross-check. Follow-up response STOP B or STOP A
Action: Timer tF1 (Basic Functions) or tF2 (Extended/Advanced Functions). No drive response
Effect: If a safety function (SOS, SLS) has been selected or if SSM with hysteresis has been
enabled, transition to STOP A after tF1 (Basic Functions) has elapsed or STOP B after tF2
(Extended/Advanced Functions) has elapsed.

1) See also the following note "delayed pulse suppression when the bus fails".
2) The behavior of the drive after STOP A is triggered corresponds (apart from the safety
   messages) to the behavior after STO is triggered. Note that the parameterization of STO
   applies equally for STOP A.
3) The behavior of the drive after STOP B is triggered corresponds (apart from the safety
   messages) to the behavior after SS1 is triggered. Monitoring with the aid of SAM or SBR, for
   example, works in exactly the same way. Note that the parameterization of SS1 applies
   equally for STOP B.
4) The behavior of the drive after STOP C is triggered corresponds (apart from the safety
   messages) to the behavior after SS2 is triggered. Monitoring with the aid of SAM or SBR (for
   safety with encoder), for example, works in exactly the same way. Note that the
   parameterization of SS2 applies equally for STOP C.

Note
Delayed pulse suppression when the bus fails
For SLP, SLS, SDI and SLA the stop responses are also available with delayed pulse
suppression when the bus fails (to prevent the drive from immediately responding with pulse
suppression when a communication error occurs):
● If p9580 ≠ 0 and SLS is active, in the event of a communication failure, the parameterized
ESR reaction only occurs if a STOP with delayed pulse suppression when the bus fails has
been parameterized as the SLS response (p9563[0...3] ≥ 10).
● If p9580 ≠ 0 and SDI is active, in the event of a communication failure, the parameterized
ESR reaction only occurs if a STOP with delayed pulse suppression when the bus fails has
been parameterized as the SDI response (p9566 ≥ 10).
● If p9580 ≠ 0 and SLP is active, in the event of communication failure the parameterized ESR
reaction is only realized if, as an SLP response, a STOP with delayed pulse suppression
when the bus fails has been parameterized (p9562[0...1] ≥ 10).
● If p9580 ≠ 0 and SLA is active, in the event of a communication failure, the parameterized
ESR reaction only occurs if a STOP with delayed pulse suppression when the bus fails has
been parameterized as the SLA response (p9579 ≥ 10).
The delay time (p9580) must not exceed 800 ms.
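
A configuration check for the conditions in the note above, as an added example that is not part of the Siemens manual: it takes parameter values that have already been read from a drive and reports each condition that would keep the ESR reaction from occurring on a communication failure. The dictionary layout, the choice to check every index of an indexed parameter and the sample values are assumptions made for illustration.

```python
from typing import Dict, List, Sequence, Union

Value = Union[int, Sequence[int]]

# Stop-response parameter of each function, as named in the note.
RESPONSE_PARAM = {"SLS": "p9563", "SDI": "p9566", "SLP": "p9562", "SLA": "p9579"}
DELAYED_STOP_MIN = 10   # values >= 10: STOP with delayed pulse suppression when the bus fails
MAX_DELAY_MS = 800      # upper limit for the delay time p9580


def audit_bus_failure_config(params: Dict[str, Value], active: Sequence[str]) -> List[str]:
    """Return one finding per condition of the note that the parameter set violates."""
    delay = params["p9580"]
    if delay == 0:
        return []  # the conditions in the note only apply when p9580 != 0
    findings = []
    if delay > MAX_DELAY_MS:
        findings.append(f"p9580 = {delay} ms exceeds {MAX_DELAY_MS} ms")
    for function in active:
        name = RESPONSE_PARAM[function]
        raw = params[name]
        # p9563 and p9562 are indexed, p9566 and p9579 are single values.
        values = list(raw) if isinstance(raw, (list, tuple)) else [raw]
        for index, value in enumerate(values):
            if value < DELAYED_STOP_MIN:
                label = f"{name}[{index}]" if len(values) > 1 else name
                findings.append(
                    f"{function}: {label} = {value} is below {DELAYED_STOP_MIN}, "
                    "no ESR reaction on communication failure"
                )
    return findings


# Constructed parameter sets (illustrative values, not read from a real drive).
WEAK = {"p9580": 1000, "p9563": [11, 11, 1, 11], "p9566": 1,
        "p9562": [11, 11], "p9579": 11}
CORRECTED = {"p9580": 500, "p9563": [11, 11, 11, 11], "p9566": 11,
             "p9562": [11, 11], "p9579": 11}

if __name__ == "__main__":
    for line in audit_bus_failure_config(WEAK, ["SLS", "SDI", "SLP", "SLA"]):
        print(line)
```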

Note
Delay time between STOP F and STOP B
A delay time between STOP F and STOP B should only be set if an additional response is
initiated during this time when the "Internal Event" (r9722.7) message signal is evaluated.
Further, when using the delay time, a monitoring function should always be selected (e.g. SLS
with a high limit speed) or the hysteresis of SSM should be configured.
When hysteresis is activated for SSM, then this should be considered to be an activated
monitoring function.

Switch-on delays at the stop response transitions

tB: p9556
tC: p9552
tD: p9553
tF1: p9658
tF2: p9555
nshutdown: p9560

Description of faults and alarms

Note
References
The faults and alarms for SINAMICS Safety Integrated are described in the following
documentation:
References: SINAMICS S120/S150 List Manual

11.3.2 Stop response priorities

Table 11-2 Stop response priorities

| Priority classes | Stop response |
|---|---|
| Highest priority | STOP A |
| ... | STOP B |
| ... | STOP C |
| ... | STOP D |
| ... | STOP E |
| Lowest priority | STOP F |

Priorities of stop responses and Extended Functions

Table 11-3 Priorities of stop responses and Extended Functions

| Extended Function (highest priority at top) | STOP A (highest priority) | STOP B | STOP C | STOP D | STOP E | STOP F (lowest priority) |
|---|---|---|---|---|---|---|
| STO (highest priority) | STOP A / STO | STO | STO | STO | STO | STO |
| SS1 | STOP A | STOP B / SS1 | SS1 | SS1 | SS1 | SS1 |
| SS2 | STOP A | STOP B | STOP C/SS2 | SS2 | SS2 | SS2/STOP B 2) |
| SS2E | STOP A | STOP B | STOP C/SS2 | SS2 | SS2 | SS2/STOP B 2) |
| SOS | STOP A 1) | STOP B 1) | SOS | SOS | STOP E/SOS | STOP B 2) |
| SLS, SLA (lowest priority) | STOP A 3) | STOP B 3) | STOP C 4) | STOP D 4) | STOP E 4) | STOP B 2) |

1) The SOS monitoring function remains active, although the fault response in the event of a
   fault can no longer be triggered because it is already present.
2) STOP B is the subsequent stop of STOP F, which is activated after a parameterizable time.
   STOP F alone does not have any effect; the active safety function is still present.
3) The SLS or SLA monitoring function remains active, although the fault response in the event
   of a fault can no longer be triggered because it is already present.
4) SLS or SLA remains active during the braking phase, after which the system switches to SOS.

The table above specifies which stop response / safety function is set if a STOP is triggered
when a safety function is active. The STOPs are arranged here from left to right in descending
order of priority (STOP A-F).
No overall priority is assigned in the individual safety functions. SOS remains active, for
example, even if STO is requested. The safety functions that cause the drive to decelerate
(SS1, SS2) are specified from top to bottom in descending order of priority.
If a field contains two entries, the stop responses and safety functions have the same priority.
Explanation:
● STOP A corresponds to selecting STO
● STOP B corresponds to selecting SS1
● STOP C corresponds to selecting SS2
● STOP D corresponds to selecting SOS
● STOP E corresponds to selecting SOS (for additional activation of the standard "Extended
stop and retract (ESR)" function)
● When the SS2 function is active, STOP F results in subsequent STOP B. SS2 remains
active.

Examples for illustrating the information in the table


● Safety function SS1 has just been selected. STOP A remains selected.
● By selecting a STOP with a higher priority, STOPs that are present with a lower priority will
be replaced. This means that when SS1 is selected (≙ STOP B), any STOPs C-F that are
present will be replaced.
● The SLS safety function is selected. This selection does not modify the function of
STOP A-D. A STOP F now triggers a STOP B because a safety function has been activated.
● Stop response, STOP C is selected. If the STO or SS1 safety functions are active, this does
not have any effect. If SS2 is active, this brake ramp is retained. If SOS is active, SOS
remains effective, which is also the end status of STOP C. When SLS is selected, the drive
is decelerated with STOP C.

11.3.3 Acknowledging safety faults

Note
Acknowledgment through Power Off/On
Safety faults can also be acknowledged (as with all other faults) by switching the drive unit off
and then on again (POWER ON).
If this action has not removed the fault cause, the fault is displayed again immediately after
ramp-up.

Acknowledgment via TM54F/CU310-2


Parameter p10006 "SI acknowledgement internal event input terminal" allows faults to be
acknowledged in the following objects:
● Safety drives
● The TM54F F-DI
● CU310‑2
The "safe fault acknowledgment" mechanism functions as follows:
The F-DI on the TM54F or on the CU310‑2 that was parameterized with the function p10006
"Safety Integrated acknowledgment internal event input terminal", is activated. In this way,
faults that have occurred on the drives or on the TM54F are acknowledged using a safe input
signal. The falling edge at this input resets the status "Internal Event" in the drives and, if used,
in the TM54F or the CU310‑2.
To prevent safety faults from being acknowledged unintentionally or incorrectly, the signal at
the F-DI terminal, which was parameterized for acknowledgment purposes, must be at level "0"
in the quiescent state. To trigger the acknowledgment (negative edge at F-DI), first set the
signal to "1" and then back to "0". If the required idle state is not reached, an alarm is output.
After "safe fault acknowledgment", when using a TM54F, an acknowledgment must be made
at the Control Unit. This acknowledgement has the following effect:
● TM54F faults are deleted from the fault buffer.
● The red Ready LED on the TM54F is reset.

Acknowledgment via PROFIsafe


The higher-level controller sets the signal "Internal Event ACK" via the PROFIsafe telegram
(STW bit 7) separately for each drive object. A falling edge in this signal resets the status
"Internal Event" in the relevant drive, which therefore acknowledges the fault.
Faults in the drive objects (DOs) cannot be acknowledged by the higher-level controller in the
line-up but must instead be acknowledged separately for each individual drive object.

Extended acknowledgment
If STO or SS1 is selected/deselected (and p9507.0 = 1 is set), then the safety messages are
canceled automatically.

If, in addition to the "Basic Functions via terminals", the "Extended/Advanced Functions" are
also enabled, then acknowledgment is also possible by selecting/deselecting STO via
PROFIsafe or terminals at the TM54F or at the CU310‑2.

11.4 Message buffer


In addition to the fault buffer for F... faults and the alarm buffer for A... alarms (see the relevant
section in SINAMICS S120 Commissioning Manual), a special message buffer for C... safety
messages is available for Safety Integrated Extended/Advanced Functions.
The fault messages for the Safety Integrated Basic Functions are stored in the standard fault
buffer (see chapter "Buffer for faults and alarms" in the SINAMICS S120 Commissioning
Manual).

Note
Messages of the Basic and the Extended/Advanced Functions
Set parameter p3117 = 1 if you need to save both the Basic Functions messages and the
Extended/Advanced Functions messages in the standard fault buffer.

The message buffer for safety messages is similar to the fault buffer for fault messages. The
message buffer comprises the message code, message value, and message time (received,
resolved), the component number for identifying the affected SINAMICS component and
diagnostics attributes.

[Figure: layout of the message buffer. Columns: message code, message time received in ms,
message value, message value for float values, message time received in days, message time
resolved in ms, message time resolved in days, SI component number, SI diagnostics attribute.
Rows: the messages of the "Current message case", followed by the "Acknowledged message case"
groups down to the oldest.]

Figure 11-1 Structure of the message buffer

When a safety message is present, bit r2139.5 is set to 1 ("safety message active"). The entry
in the message buffer is delayed. For this reason, the message buffer should not be read until
a change in the buffer (r9744) has been detected after "Safety message present" is output.
The messages must be acknowledged via a failsafe input F-DI of the TM54F/CU310‑2 or via
PROFIsafe.
Properties of the safety message buffer:
● The entries appear in the buffer according to the time at which they occurred.
● If a new message case occurs, the message buffer is reorganized accordingly. The history
is recorded in the "Acknowledged message case" 1 to 7.
● If the cause of at least one message in "Current message case" is rectified and
acknowledged, the message buffer is reorganized accordingly. Messages that have not
been rectified remain in "Current message case".
● If "Current message case" contains 8 messages and a new message for the current
message case is output, the message in the current message case parameters is
overwritten with the new message in index 7.
● r9744 is incremented each time the message buffer changes.
● A message value (r9749, r9753) can be output for a message. The message value is used
to diagnose the message more accurately (refer to the message description for more
details).
Deleting the message buffer:
The message buffer can be deleted as follows: p9752 = 0. Parameter p9752 (SI message
cases, counter) is also reset to 0 at POWER ON. This also clears the fault memory.

Overview of important parameters (see SINAMICS S120/S150 List Manual)

● r2139.0...15 CO/BO: Status word, faults/alarms 1
● r9744 SI message buffer changes, counter
● r9745[0...63] SI component
● r9747[0...63] SI message code
● r9748[0...63] SI message time received in milliseconds
● r9749[0...63] SI message value
● r9750[0...63] SI diagnostic attributes
● p9752 SI message cases, counter
● r9753[0...63] SI message value for float values
● r9754[0...63] SI message time received in days
● r9755[0...63] SI message time removed in milliseconds
● r9756[0...63] SI message time removed in days
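
The read sequence described in this section, as an added Python example that is not part of the Siemens manual: it waits for r2139.5 and a change of r9744, then takes a consistent snapshot of the buffer. The `read` callable, the `FakeDrive` stand-in, the index layout (8 message cases of 8 entries each, current message case first), the use of code 0 for an empty entry, the use of a zero resolved time for an unresolved message and all sample values are assumptions.

```python
import time
from dataclasses import dataclass
from datetime import timedelta
from typing import Callable, List, Optional, Tuple

CASES, SLOTS = 8, 8  # assumed layout: index = case * 8 + slot, case 0 = current message case
ARRAYS = ("r9745", "r9747", "r9748", "r9749", "r9750", "r9754", "r9755", "r9756")
Reader = Callable[..., int]  # hypothetical accessor: read("r9744") or read("r9747", index)


@dataclass(frozen=True)
class SafetyMessage:
    case: int                      # 0 = current, 1...7 = acknowledged message cases
    slot: int
    code: int                      # r9747
    value: int                     # r9749
    component: int                 # r9745
    attributes: int                # r9750
    received: timedelta            # r9754 (days) + r9748 (ms)
    resolved: Optional[timedelta]  # r9756 (days) + r9755 (ms), None while unresolved


def wait_for_change(read: Reader, last_counter: int, polls: int = 100,
                    delay: float = 0.01, sleep=time.sleep) -> Optional[int]:
    """Return the new r9744 value once r2139.5 is set and r9744 has moved, else None."""
    for _ in range(polls):
        if (read("r2139") >> 5) & 1:          # bit 5: safety message active
            counter = read("r9744")
            if counter != last_counter:       # the delayed buffer entry has arrived
                return counter
        sleep(delay)
    return None


def _entry(read: Reader, idx: int) -> Optional[SafetyMessage]:
    code = read("r9747", idx)
    if code == 0:                             # assumption: code 0 marks an empty entry
        return None
    received = timedelta(days=read("r9754", idx), milliseconds=read("r9748", idx))
    days, ms = read("r9756", idx), read("r9755", idx)
    resolved = timedelta(days=days, milliseconds=ms) if (days or ms) else None
    return SafetyMessage(idx // SLOTS, idx % SLOTS, code, read("r9749", idx),
                         read("r9745", idx), read("r9750", idx), received, resolved)


def snapshot(read: Reader, retries: int = 3) -> Tuple[int, List[SafetyMessage]]:
    """Read all 64 entries; repeat if r9744 moved meanwhile (buffer was reorganized)."""
    for _ in range(retries):
        before = read("r9744")
        entries = [_entry(read, i) for i in range(CASES * SLOTS)]
        if read("r9744") == before:
            return before, [m for m in entries if m is not None]
    raise RuntimeError("message buffer kept changing while it was being read")


class FakeDrive:
    """Constructed stand-in for a drive parameter channel (not a Siemens API)."""

    def __init__(self) -> None:
        self.scalars = {"r2139": 0, "r9744": 0}
        self.arrays = {name: [0] * (CASES * SLOTS) for name in ARRAYS}

    def read(self, param: str, index: Optional[int] = None) -> int:
        return self.scalars[param] if index is None else self.arrays[param][index]

    def store(self, idx: int, **fields: int) -> None:
        for name, value in fields.items():
            self.arrays[name][idx] = value
        self.scalars["r9744"] += 1            # every buffer change increments r9744


def demo():
    drive = FakeDrive()
    # Constructed history: one resolved message in acknowledged message case 1.
    drive.store(8, r9747=2222, r9754=3, r9748=1000, r9756=3, r9755=5000)
    last = drive.read("r9744")
    drive.scalars["r2139"] |= 1 << 5          # flag is set before the entry exists
    early = snapshot(drive.read)[1]           # reading now misses the new message

    def entry_arrives(_delay: float) -> None:  # stands in for the drive's delayed write
        drive.store(0, r9747=1111, r9749=7, r9745=2, r9754=4, r9748=250)

    counter = wait_for_change(drive.read, last, sleep=entry_arrives)
    return early, counter, snapshot(drive.read)[1]


if __name__ == "__main__":
    for msg in demo()[2]:
        print(msg)
```

Reading the buffer as soon as r2139.5 is set returns only the old entry in this demo; the new message becomes visible only after r9744 has changed.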

Appendix A
A.1 Modules available in Startdrive
A list of the hardware and functions of the SINAMICS S120 that are supported by Startdrive
V15 is provided in the Service and Support Portal at the following link
(https://support.industry.siemens.com/cs/ww/en/view/109761180).
The following new functions are available with Startdrive V16: Link
(https://support.industry.siemens.com/cs/ww/en/view/109771625)


A.2 List of abbreviations

Note
The following list of abbreviations includes all abbreviations and their meanings used in the
entire SINAMICS family of drives.

Abbreviation Derivation of abbreviation Meaning


A… Alarm Warning
AC Alternating Current Alternating current
ADC Analog Digital Converter Analog digital converter
AI Analog Input Analog input
AIM Active Interface Module Active Interface Module
ALM Active Line Module Active Line Module
AO Analog Output Analog output
AOP Advanced Operator Panel Advanced Operator Panel
APC Advanced Positioning Control Advanced Positioning Control
AR Automatic Restart Automatic restart
ASC Armature Short-Circuit Armature short-circuit
ASCII American Standard Code for Information Interchange American coding standard for the exchange of information
AS-i AS-Interface (Actuator Sensor Interface) AS-Interface (open bus system in automation technology)
ASM Asynchronmotor Induction motor
AVS Active Vibration Suppression Active load vibration damping
AWG American Wire Gauge American Wire Gauge (Standard for cross-sections of cables)

Abbreviation Derivation of abbreviation Meaning


BB Betriebsbedingung Operation condition
BERO - Contactless proximity switch
BI Binector Input Binector input
BIA Berufsgenossenschaftliches Institut für Arbeitssicherheit BG Institute for Occupational Safety and Health
BICO Binector Connector Technology Binector connector technology
BLM Basic Line Module Basic Line Module
BO Binector Output Binector output
BOP Basic Operator Panel Basic operator panel


Abbreviation Derivation of abbreviation Meaning


C Capacitance Capacitance
C… - Safety message
CAN Controller Area Network Serial bus system
CBC Communication Board CAN Communication Board CAN
CBE Communication Board Ethernet PROFINET communication module (Ethernet)
CD Compact Disc Compact disc
CDS Command Data Set Command data set
CF Card CompactFlash Card CompactFlash card
CI Connector Input Connector input
CLC Clearance Control Clearance control
CNC Computerized Numerical Control Computer-supported numerical control
CO Connector Output Connector output
CO/BO Connector Output/Binector Output Connector/binector output
COB-ID CAN Object-Identification CAN Object Identification
CoL Certificate of License Certificate of License
COM Common contact of a change-over relay Center contact of a change-over contact
COMM Commissioning Commissioning
CP Communication Processor Communications processor
CPU Central Processing Unit Central processing unit
CRC Cyclic Redundancy Check Cyclic redundancy check
CSM Control Supply Module Control Supply Module
CU Control Unit Control Unit
CUA Control Unit Adapter Control Unit Adapter
CUD Control Unit DC Control Unit DC

Abbreviation Derivation of abbreviation Meaning


DAC Digital Analog Converter Digital analog converter
DC Direct Current Direct current
DCB Drive Control Block Drive Control Block
DCBRK DC Brake DC braking
DCC Drive Control Chart Drive Control Chart
DCN Direct Current Negative Direct current negative
DCP Direct Current Positive Direct current positive
DDC Dynamic Drive Control Dynamic Drive Control
DDS Drive Data Set Drive Data Set
DHCP Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol (Communication protocol)
DI Digital Input Digital input
DI/DO Digital Input/Digital Output Digital input/output, bidirectional

DIN Deutsches Institut für Normung Deutsches Institut für Normung (German Institute for Standardization)
DMC DRIVE-CLiQ Hub Module Cabinet DRIVE-CLiQ Hub Module Cabinet
DME DRIVE-CLiQ Hub Module External DRIVE-CLiQ Hub Module External
DMM Double Motor Module Double Motor Module
DO Digital Output Digital output
DO Drive Object Drive object
DP Decentralized Peripherals Distributed I/O
DPRAM Dual Ported Random Access Memory Dual-Port Random Access Memory
DQ DRIVE-CLiQ DRIVE-CLiQ
DRAM Dynamic Random Access Memory Dynamic Random Access Memory
DRIVE-CLiQ Drive Component Link with IQ Drive Component Link with IQ
DSC Dynamic Servo Control Dynamic Servo Control
DSM Doppelsubmodul Double submodule
DTC Digital Time Clock Timer

Abbreviation Derivation of abbreviation Meaning


EASC External Armature Short-Circuit External armature short-circuit
EDS Encoder Data Set Encoder data set
EEPROM Electrically Erasable Programmable Read-Only Memory Electrically Erasable Programmable Read-Only Memory
EGB Elektrostatisch gefährdete Baugruppen Electrostatic sensitive devices
EIP EtherNet/IP EtherNet Industrial Protocol (real-time Ethernet)
ELCB Earth Leakage Circuit Breaker Residual current operated circuit breaker
ELP Earth Leakage Protection Ground-fault monitoring
EMC Electromagnetic Compatibility Electromagnetic compatibility
EMF Electromotive Force Electromotive force
EMK Elektromotorische Kraft Electromotive force
EMV Elektromagnetische Verträglichkeit Electromagnetic compatibility
EN Europäische Norm European standard
EnDat Encoder-Data-Interface Encoder interface
EP Enable Pulses Pulse enable
EPOS Einfachpositionierer Basic positioner
ES Engineering System Engineering system
ESB Ersatzschaltbild Equivalent circuit diagram
ESD Electrostatic Sensitive Devices Electrostatic sensitive devices
ESM Essential Service Mode Essential service mode
ESR Extended Stop and Retract Extended stop and retract


Abbreviation Derivation of abbreviation Meaning


F… Fault Fault
FAQ Frequently Asked Questions Frequently Asked Questions
FBLOCKS Free Blocks Free function blocks
FCC Function Control Chart Function control chart
FCC Flux Current Control Flux current control
FD Function Diagram Function diagram
F-DI Failsafe Digital Input Fail-safe digital input
F-DO Failsafe Digital Output Fail-safe digital output
FEPROM Flash-EPROM Non-volatile write and read memory
FG Function Generator Function generator
FI - Fault current
FOC Fiber-Optic Cable Fiber-optic cable
FP Funktionsplan Function diagram
FPGA Field Programmable Gate Array Field Programmable Gate Array
F-PLC Fail-safe PLC Fail-safe PLC
FW Firmware Firmware

Abbreviation Derivation of abbreviation Meaning


GB Gigabyte Gigabyte
GC Global Control Global control telegram (broadcast telegram)
GND Ground Reference potential for all signal and operating voltages, usually defined as 0 V (also referred to as M)
GSD Gerätestammdaten Device master data: Describe the features of a PROFIBUS slave
GSV Gate Supply Voltage Gate supply voltage
GUID Globally Unique Identifier Globally Unique Identifier

Abbreviation Derivation of abbreviation Meaning


HF High frequency High frequency
HFD Hochfrequenzdrossel Radio frequency reactor
HLA Hydraulic Linear Actuator Hydraulic linear actuator
HLG Hochlaufgeber Ramp-function generator
HM Hydraulic Module Hydraulic Module
HMI Human Machine Interface Human Machine Interface
HTL High-Threshold Logic Logic with high interference threshold
HTTP Hypertext Transfer Protocol Hypertext Transfer Protocol (communication protocol)

HTTPS Hypertext Transfer Protocol Secure Hypertext Transfer Protocol Secure (communication protocol)
HW Hardware Hardware

Abbreviation Derivation of abbreviation Meaning


i. V. In Vorbereitung Under development: This property is currently not available
I/O Input/Output Input/output
I2C Inter-Integrated Circuit Internal serial data bus
IASC Internal Armature Short-Circuit Internal armature short-circuit
IBN Inbetriebnahme Commissioning
ID Identifier Identification
IE Industrial Ethernet Industrial Ethernet
IEC International Electrotechnical Commission International Electrotechnical Commission
IF Interface Interface
IGBT Insulated Gate Bipolar Transistor Insulated gate bipolar transistor
IGCT Integrated Gate-Controlled Thyristor Semiconductor power switch with integrated control electrode
IL Impulslöschung Pulse suppression
IP Internet Protocol Internet Protocol
IPO Interpolator Interpolator
ISO Internationale Organisation für Normung International Standards Organization
IT Isolé Terre Non-grounded three-phase line supply
IVP Internal Voltage Protection Internal voltage protection

Abbreviation Derivation of abbreviation Meaning


JOG Jogging Jogging

Abbreviation Derivation of abbreviation Meaning


KDV Kreuzweiser Datenvergleich Data cross-check
KHP Know-how protection Know-how protection
KIP Kinetische Pufferung Kinetic buffering
Kp - Proportional gain
KTY84-130 - Temperature sensor

Abbreviation Derivation of abbreviation Meaning


L - Symbol for inductance
LED Light Emitting Diode Light emitting diode
LIN Linearmotor Linear motor
LR Lageregler Position controller
LSB Least Significant Bit Least significant bit
LSC Line-Side Converter Line-side converter
LSS Line-Side Switch Line-side switch
LU Length Unit Length unit
LWL Lichtwellenleiter Fiber-optic cable

Abbreviation Derivation of abbreviation Meaning


M - Symbol for torque
M Masse Reference potential for all signal and operating voltages, usually defined as 0 V (also referred to as GND)
MB Megabyte Megabyte
MCC Motion Control Chart Motion Control Chart
MDI Manual Data Input Manual data input
MDS Motor Data Set Motor data set
MLFB Maschinenlesbare Fabrikatebezeichnung Machine-readable product code
MM Motor Module Motor Module
MMC Man-Machine Communication Man-machine communication
MMC Micro Memory Card Micro memory card
MRCD Modular Residual Current protection Device Modular Residual Current protection Device
MSB Most Significant Bit Most significant bit
MSC Motor-Side Converter Motor-side converter
MSCY_C1 Master Slave Cycle Class 1 Cyclic communication between master (class 1) and slave
MSR Motorstromrichter Motor-side converter
MT Messtaster Probe

Abbreviation Derivation of abbreviation Meaning


N. C. Not Connected Not connected
N… No Report No report or internal message
NAMUR Interessengemeinschaft Automatisierungstechnik der Prozessindustrie User association of automation technology in the process industry

NC Normally Closed (contact) NC contact
NC Numerical Control Numerical control
NEMA National Electrical Manufacturers Association Standardization association in USA (United States of America)
NM Nullmarke Zero mark
NO Normally Open (contact) NO contact
NSR Netzstromrichter Line-side converter
NTP Network Time Protocol Standard for synchronization of the time of day
NVRAM Non-Volatile Random Access Memory Non-volatile read/write memory

Abbreviation Derivation of abbreviation Meaning


OA Open Architecture Software component which provides additional functions for the SINAMICS drive system
OAIF Open Architecture Interface Version of the SINAMICS firmware as of which the OA application can be used
OASP Open Architecture Support Package Expands the commissioning tool by the corresponding OA application
OC Operating Condition Operation condition
OCC One Cable Connection One-cable technology
OEM Original Equipment Manufacturer Original equipment manufacturer
OLP Optical Link Plug Bus connector for fiber-optic cable
OMI Option Module Interface Option Module Interface

Abbreviation Derivation of abbreviation Meaning


p… - Adjustable parameters
P1 Processor 1 CPU 1
P2 Processor 2 CPU 2
PB PROFIBUS PROFIBUS
PcCtrl PC Control Master control
PD PROFIdrive PROFIdrive
PDC Precision Drive Control Precision Drive Control
PDS Power unit Data Set Power unit data set
PDS Power Drive System Drive system
PE Protective Earth Protective ground
PELV Protective Extra Low Voltage Safety extra-low voltage
PFH Probability of dangerous failure per hour Probability of dangerous failure per hour
PG Programmiergerät Programming device
PI Proportional Integral Proportional integral
PID Proportional Integral Differential Proportional integral differential

PLC Programmable Logical Controller Programmable logic controller
PLL Phase-Locked Loop Phase-locked loop
PM Power Module Power Module
PMI Power Module Interface Power Module Interface
PMSM Permanent-magnet synchronous motor Permanent-magnet synchronous motor
PN PROFINET PROFINET
PNO PROFIBUS Nutzerorganisation PROFIBUS user organization
PPI Point to Point Interface Point-to-point interface
PRBS Pseudo Random Binary Signal White noise
PROFIBUS Process Field Bus Serial data bus
PS Power Supply Power supply
PSA Power Stack Adapter Power Stack Adapter
PT1000 - Temperature sensor
PTC Positive Temperature Coefficient Positive temperature coefficient
PTP Point To Point Point-to-point
PWM Pulse Width Modulation Pulse width modulation
PZD Prozessdaten Process data

Abbreviation Derivation of abbreviation Meaning


No entries

Abbreviation Derivation of abbreviation Meaning


r… - Display parameters (read-only)
RAM Random Access Memory Memory for reading and writing
RCCB Residual Current Circuit Breaker Residual current operated circuit breaker
RCD Residual Current Device Residual current device
RCM Residual Current Monitor Residual current monitor
REL Reluctance motor textile Reluctance motor textile
RESM Reluctance synchronous motor Synchronous reluctance motor
RFG Ramp-Function Generator Ramp-function generator
RJ45 Registered Jack 45 Term for an 8-pin socket system for data transmission with shielded or non-shielded multi-wire copper cables
RKA Rückkühlanlage Cooling unit
RLM Renewable Line Module Renewable Line Module
RO Read Only Read only
ROM Read-Only Memory Read-only memory
RPDO Receive Process Data Object Receive Process Data Object

RS232 Recommended Standard 232 Interface standard for cable-connected serial data transmission between a sender and receiver (also known as EIA232)
RS485 Recommended Standard 485 Interface standard for a cable-connected differential, parallel, and/or serial bus system (data transmission between a number of senders and receivers, also known as EIA485)
RTC Real Time Clock Real-time clock
RZA Raumzeigerapproximation Space-vector approximation

Abbreviation Derivation of abbreviation Meaning


S1 - Continuous operation
S3 - Intermittent duty
SAM Safe Acceleration Monitor Safe acceleration monitoring
SBC Safe Brake Control Safe brake control
SBH Sicherer Betriebshalt Safe operating stop
SBR Safe Brake Ramp Safe brake ramp monitoring
SBT Safe Brake Test Safe brake test
SCA Safe Cam Safe cam
SCC Safety Control Channel Safety Control Channel
SCSE Single Channel Safety Encoder Single-channel safety encoder
SD Card SecureDigital Card Secure digital memory card
SDC Standard Drive Control Standard Drive Control
SDI Safe Direction Safe motion direction
SE Sicherer Software-Endschalter Safe software limit switch
SESM Separately-excited synchronous motor Separately excited synchronous motor
SG Sicher reduzierte Geschwindigkeit Safely limited speed
SGA Sicherheitsgerichteter Ausgang Safety-related output
SGE Sicherheitsgerichteter Eingang Safety-related input
SH Sicherer Halt Safe stop
SI Safety Integrated Safety Integrated
SIC Safety Info Channel Safety Info Channel
SIL Safety Integrity Level Safety Integrity Level
SITOP - Siemens power supply system
SLA Safely-Limited Acceleration Safely limited acceleration
SLM Smart Line Module Smart Line Module
SLP Safely-Limited Position Safely Limited Position
SLS Safely-Limited Speed Safely limited speed
SLVC Sensorless Vector Control Sensorless vector control
SM Sensor Module Sensor Module
SMC Sensor Module Cabinet Sensor Module Cabinet

SME Sensor Module External Sensor Module External
SMI SINAMICS Sensor Module Integrated SINAMICS Sensor Module Integrated
SMM Single Motor Module Single Motor Module
SN Sicherer Software-Nocken Safe software cam
SOS Safe Operating Stop Safe operating stop
SP Service Pack Service pack
SP Safe Position Safe position
SPC Setpoint Channel Setpoint channel
SPI Serial Peripheral Interface Serial peripheral interface
SPS Speicherprogrammierbare Steuerung Programmable logic controller
SS1 Safe Stop 1 Safe Stop 1 (time-monitored, ramp-monitored)
SS1E Safe Stop 1 External Safe Stop 1 with external stop
SS2 Safe Stop 2 Safe Stop 2
SS2E Safe Stop 2 External Safe Stop 2 with external stop
SSI Synchronous Serial Interface Synchronous serial interface
SSL Secure Sockets Layer Encryption protocol for secure data transfer (new TLS)
SSM Safe Speed Monitor Safe feedback from speed monitor
SSP SINAMICS Support Package SINAMICS support package
STO Safe Torque Off Safe torque off
STW Steuerwort Control word

Abbreviation Derivation of abbreviation Meaning


TB Terminal Board Terminal Board
TEC Technology Extension Software component which is installed as an additional technology package and which expands the functionality of SINAMICS (previously OA application)
TIA Totally Integrated Automation Totally Integrated Automation
TLS Transport Layer Security Encryption protocol for secure data transfer (previously SSL)
TM Terminal Module Terminal Module
TN Terre Neutre Grounded three-phase line supply
Tn - Integral time
TPDO Transmit Process Data Object Transmit Process Data Object
TSN Time-Sensitive Networking Time-Sensitive Networking
TT Terre Terre Grounded three-phase line supply
TTL Transistor-Transistor-Logic Transistor-transistor logic
Tv - Rate time


Abbreviation Derivation of abbreviation Meaning


UL Underwriters Laboratories Inc. Underwriters Laboratories Inc.
UPS Uninterruptible Power Supply Uninterruptible power supply
USV Unterbrechungsfreie Stromversorgung Uninterruptible power supply
UTC Universal Time Coordinated Universal time coordinated

Abbreviation Derivation of abbreviation Meaning


VC Vector Control Vector control
Vdc - DC link voltage
VdcN - Partial DC link voltage negative
VdcP - Partial DC link voltage positive
VDE Verband der Elektrotechnik, Elektronik und Informationstechnik Association of Electrical Engineering, Electronics and Information Technology
VDI Verein Deutscher Ingenieure Verein Deutscher Ingenieure [Association of German Engineers]
VPM Voltage Protection Module Voltage Protection Module
Vpp Volt peak to peak Volt peak to peak
VSM Voltage Sensing Module Voltage Sensing Module

Abbreviation Derivation of abbreviation Meaning


WEA Wiedereinschaltautomatik Automatic restart
WZM Werkzeugmaschine Machine tool

Abbreviation Derivation of abbreviation Meaning


XML Extensible Markup Language Extensible markup language (standard language for Web publishing and document management)

Abbreviation Derivation of abbreviation Meaning


No entries


Abbreviation Derivation of abbreviation Meaning


ZK Zwischenkreis DC link
ZM Zero Mark Zero mark
ZSW Zustandswort Status word


A.3 Documentation overview


[Figure: overview of the SINAMICS documentation, divided into general documentation/catalogs and manufacturer/service documentation (Getting Started, Operating Instructions, List Manuals, Function Manuals, Equipment Manuals, Configuration Manuals)]


A.4 Change history


Significant changes with respect to the Manual, Edition 11/2017

New functions in Firmware V5.2 See Chapter


Acceptance test wizard in Startdrive Acceptance test with Startdrive (Page 343)
Safe Stop 2 Extended Stop and Retract Safe Stop 2 Extended Stop and Retract (SS2ESR) (Page 115)
Commissioning with Startdrive ● Taken into account at many locations in the manual.
● Modules available in Startdrive (Page 405)

Revised/supplementary descriptions See Chapter


Acceptance test suggestions removed Former Chapter A.4

Note
An overview of the availability of hardware components and software functions is provided in
the appendix of the following literature:
● SINAMICS S120 Function Manual Drive Functions


A.5 Stop versions


Safe stops are used to stop a drive and bring it to a standstill. The type of stop response that
occurs in the event of faults/errors can either be permanently specified by the system or
configured by the machine manufacturer.
In this way, the shutdown of the machine can be optimally adapted to the respective situation.
In the following list, STOP B can be compared to an SS1 and STOP C to an SS2.

[Figure: stop category according to EN 60204-1 for STOP A, STOP B, STOP C, STOP D, STOP E and STOP F, with the end states Safe Operating Stop (SOS, drive under closed-loop control) and Safe Torque Off (STO, pulse suppression)]

Figure A-1 Overview of the stop versions

STOP A
With STOP A (corresponds to a Stop Category 0 according to EN 60204-1, without electrical
isolation), the drive is switched directly to zero torque via the STO function. A drive that is still
running coasts to a standstill. A drive at standstill cannot be started again accidentally.
Application:
● E.g. for safety faults


STOP B
The drive is braked at the current limit under speed control and brought to a safe standstill
(SOS) (corresponds to a Stop Category 1 according to EN 60204-1, without electrical isolation).
Application:
● E.g. when SOS responds

STOP C
The drive is braked at the current limit under speed control and brought to a safe operating stop
(corresponds to a Stop Category 2 according to EN 60204-1).
A STOP C followed by a STOP A is normally selected in the case of an emergency stop
because this is the quickest way of stopping a drive.
Application:
● Operator protection

STOP D
The drives are braked together in a path-related (interpolatory) way on the contour and brought
to a safe operating stop (SOS).
Application:
● Protection for tool and workpiece (machine protection)

STOP E
The drives are braked together in a path-related way, including a jerk motion during which the
tool and workpiece are separated from one another, and brought to a safe operating stop.
Application:
● Machine protection

STOP F
The STOP F is permanently assigned to the result and data cross-check and cannot be
changed by the user.
If a discrepancy is found in the monitoring channels of Safety Integrated, a STOP F is triggered.
Depending on the parameter assignment, a STOP A or STOP B response is triggered.
Applications:
● Detection of errors during the crosswise data and result comparison
● Detection of communication errors between SINUMERIK and the drive
● Detection of encoder errors

Index

" B
"Siemens Industry Online Support" app, 13 Basic Functions
PROFIsafe and terminals, 219
SBC, 46, 84
2 SS1, 45, 50, 81
STO, 44, 76
2-channel brake control, 86
STO for HLA, 80
2-encoder system, 160
Stop responses, 92
TM54F, 43, 76
Bit pattern test, 214
A
Acceptance test, (See acceptance test)
Conclusion, 347 C
Creating an acceptance report, 347
Calculating the speed, 188
Executing, 345
Changing
Preconditions, 333
Password, 273
Preparing, 344
Commissioning
Record, 332
CU310-2, 308
Requirements, 332
Safety Integrated, 283
Reset, 344
TM54F, 314
Acknowledgment
Communication failure, 246
Extended, 400
ESR, 246
Actual value acquisition, 160, 299
Component replacement, 325
Actual value acquisition cycle clock
Effects, 391
S120M, 166
POWER ON and acceptance test, 391, 394
SINAMICS S120, 287
Required measures, 391
Actual value synchronization
Configuration
Encoder, 166
Control, 302
Advanced Functions
Copy, 325
License, 96, 181
Offline, 325
Preconditions, 96, 181
CPU time, 286
Alarm buffer, 402
Deactivated drive, 286
Alarm value, 402
CU310-2
Alarms
Commissioning, 308
Alarm buffer, 402
Alarm history, 402
Armature short-circuit
Restricted, 79
D
Assigning Safety Integrated functions to F-DI/F-DO Data matrix code, 13
(onboard or TM54F), 239, 249 Data set switchover, 24
Assigning Safety Integrated functions to PROFIsafe DDS
telegrams, 218 Switchover, 24
Deactivated drive
CPU time, 286
Delay time
SBR, 52
SS1, 104


Double Motor Module Forced checking procedure


F01625, 220 Parameterizing, 304
F30802, 220 Forced checking procedure (test stop), 174, 199,
PROFIsafe, 220 277
Drive object Automatically when powering up, 94, 175, 179,
Activation/deactivation, 325 200, 204
DRIVE-CLiQ rules, 275 Basic Functions, 93
CU310-2, 308
Extended/Advanced Functions, 174, 199
E HLA, 80
Initiated by the application, 94, 175, 179, 200,
EDS
204
Switchover, 24
Interval, 315
Emergency Stop button, 45
TM54F, 314
EN 61800-5-2, 44
Function status
Enabling PROFIsafe, 219
Startdrive, 307
Encoder
Function test, 174, 199
Actual value synchronization, 166
Functional safety, 374
HTL/TTL, 164
Systems, 160
Types, 160
Types for HLA, 165
G
With sin/cos-1 Vpp signals, 164 Group drives, 276
ESR Group drives connected in parallel, 276
Communication failure, 246
Extended acknowledgment, 400
Extended Functions, 97 H
License, 96, 181
HLA, 33, 34
Parking, 98
HTL/TTL encoders, 164
Preconditions, 96, 181
Hydraulic Drive, 33, 34
Without encoder, 97
Extended/Advanced Functions
Deactivating/activating a drive object, 325
With encoder, 97
I
Increased position tolerance, 172
Internal armature short-circuit, 79
F
F01611
Fault value 1000, 212, 218
L
F01625, 220 License
F30802, 220 Advanced Functions, 96, 181
Fault acknowledgment on TM54F Basic Functions, 219
Safe, 396 Extended Functions, 96, 181, 219
Fault response, 395 Trial license, 96, 181
F-DI, 207 Limit value violation, 395
F-DI/F-DO (onboard or TM54F)
Safety Integrated Functions, 239, 249
F-DO, 207 M
Filter
Mechanical system, 299
On/off test, 214
Message buffer, 402
Firmware update
Modular machine concept, 325
POWER ON and acceptance test, 394


Response times, 355


Advanced Functions with encoder via PROFIsafe
O (CU310‑2 and CU320‑2), 368
Advanced Functions with encoder via terminals
On/off test, 214
(only CU310-2), 370
Overview of Safety Integrated Functions, 40
Advanced Functions with encoder via TM54F
(CU310‑2 and CU320‑2), 369
Advanced Functions without encoder via
P PROFIsafe (CU310‑2 and CU320‑2), 371
Parameter view, 283 Basic Functions via PROFIsafe (CU310‑2 and
Parking, 98 CU320‑2), 358
Password Basic Functions via terminals on the Control Unit
Changing, 273 and the Motor Module, 357
PFH value, 354 Basic Functions via TM54F, 359
Position tolerance, 172 Extended Functions with encoder via PROFIsafe
Not increased, 172 (CU310‑2 and CU320‑2), 360
Preconditions Extended Functions with encoder via terminals
Advanced Functions, 96, 181 (only CU310-2), 363
Extended Functions, 96, 181 Extended Functions with encoder via TM54F
Probability of failure, 354 (CU310‑2 and CU320‑2), 362
Process data Extended Functions without encoder via
S_CYCLE_COUNT, 234 PROFIsafe (CU310‑2 and CU320‑2), 364
S_SLS_LIMIT_A, 234 Extended Functions without encoder via terminals
S_SLS_LIMIT_A_ACTIVE, 234 (only CU310‑2), 366
S_XIST16, 234 Extended Functions without encoder via TM54F
S_XIST32, 235 (CU310‑2 and CU320‑2), 367
Process data, control words STO via terminals of the Power Modules
S_STW1 (Basic Functions), 224 Blocksize, 356
S_STW1 (Extended/Advanced Functions), 228 Response to bus failure
S_STW1B, 267 SDI, 134
S_STW2 (Basic Functions), 226
S_STW2 (Extended/Advanced Functions), 230
S_STW3B, 267 S
Process data, status words
S_CYCLE_COUNT, 234
S_ZSW_CAM1 (Advanced Functions), 235
S_SLS_LIMIT_A, 234
S_ZSW1 (Basic Functions), 225
S_SLS_LIMIT_A_ACTIVE, 234
S_ZSW1 (Extended/Advanced Functions), 229
S_STW1
S_ZSW1B, 264
Basic Functions, 224
S_ZSW2 (Basic Functions), 227
Extended/Advanced Functions, 228
S_ZSW2 (Extended/Advanced Functions), 231
S_STW1B, 267
S_ZSW2B, 265
S_STW2
S_ZSW3B, 266
Basic Functions, 226
PROFIsafe, 207
Extended/Advanced Functions, 230
Activate, 322
S_STW3B, 267
Double Motor Module, 220
S_V_LIMIT_B, 266
SLS limit value, 120
S_XIST16, 234
PROFIsafe telegram
S_XIST32, 235
Safety Integrated Functions, 218
S_ZSW_CAM1
Advanced Functions, 235
S_ZSW1
R Basic Functions, 225
Residual risk, 26 Extended/Advanced Functions, 229


S_ZSW1B, 264
S_ZSW2
Basic Functions, 227
Extended/Advanced Functions, 231
S_ZSW2B, 265
S_ZSW3B, 266
S120M
Actual value acquisition cycle clock, 166
Safe Acceleration Monitor, 155
SAM, 97
Safe actual value acquisition, 160
Safe Brake Adapter
Chassis format, 87
Safe Brake Control
Chassis format, 87
Extended Functions, 108
SBC, 84, 108
Safe Brake Ramp
SBR, 97, 103, 111, 157
Safe cam, (SCA)
Safe Cam, 196
Safe Direction, 65, 135
With encoder, 135
Without selection, 139
Safe gearbox switchover, 170
Safe motion direction, 135
Safe motion monitoring, 166
Safe Operating Stop, 53
SOS, 109
Safe position
Transfer, 188
Safe referencing, 71, 192
Safe Speed Monitor
General, 127
Restart, 133
SSM, 127
With encoder, 129
Without encoder, 131
Safe Stop 1
Basic Functions, 81
Extended Functions, 103
Speed controlled, 106
SS1, 81, 97, 103, 111
Time and acceleration controlled, 103
Time-controlled, 81
With encoder, 103
With external stop (Extended Functions), 107
With OFF3 (Basic Functions), 81
With OFF3 (Extended Functions), 103, 105
Without encoder, 106
Safe Stop 2, 54, 111
Extended Stop and Retract, 115
SS2, 111
With external stop, 113
Safe Torque Off, 44
Basic Functions, 76
Extended Functions, 50, 103
For HLA (Basic Functions), 80
STO, 50, 76, 103
Safely Limited Acceleration, 67
Safely Limited Speed, 56
Safely-Limited Acceleration, 140
Safely-Limited Position, 70
Safely-Limited Speed, 118
With encoder, 120
Without selection, 124
Safety Control Channel, 257
Safety Evaluation Tool, 354
Safety Info Channel, 257
Safety Integrated
Commissioning, 283
Functional safety, 374
Machinery Directive, 375
Safety Integrated password, 272
Safety logbook, 349
Safety slot, 282
SAM
For SS1, 52
For SS2, 55
SAM (Safe Acceleration Monitor), 155
SBA, 87
SBC
Basic Functions, 46, 84
Safe Brake Control, 46, 84
Safe Brake Control (Extended Functions), 108
Select, 46
SBR
Delay time, 52
For SLS, 61
For SS1, 52
For SS2, 55
SBT
Brake wear, 38
SCA, 196
Description, 196
Enable, 197
Overview, 73
Referencing, 197
S_ZSW_CAM1, 235
Tolerance, 197
SCC
See Safety Control Channel, 257
SDI
Crane trolley, 38, 65


General, 65
Pressure cylinder, 38, 65
Protection against jamming, 38, 65
Response to bus failure, 134
Rolling shutter gate, 38, 65
Safe Direction, 65
Time response, 65
With encoder, 135
Without encoder, 137
Without selection, 139
Series commissioning with third-party motor, 327
SIC
See Safety Info Channel, 257
Siemens Industry Online Support
App, 13
SINAMICS S120M
Actual value acquisition cycle clock, 287
Single-encoder system, 160
SLA, 140
Description, 140
Enable, 141
Safely Limited Acceleration, 67
Setup mode:, 67
SLP, 70
General, 70
Safely-Limited Position, 70
SLS
Deselect, 59
Horizontal conveyors, 37, 57
Level, 60
Limit value via PROFIsafe, 120, 121
Monitoring threshold, 61
Safely Limited Speed, 56
Select, 59
Speed limit values, 121
Spindle drive, 37, 57
Switching over the monitoring threshold, 60
Time response, 57, 59
With encoder, 120
Without encoder, 123
Without selection, 124
SOS, 53
Protective door, 53
Safe Operating Stop, 109
SP, 188
Calculation of the safe velocity, 38
Different reaction to sensors, 38
Multi-dimensional protection areas, 38
Safe cam sequencer, 38
Safe response depending on the position of the axes, 38
Safety concepts across axes, 38
Zone concepts, 38
SS1
Basic Functions, 45, 50, 81
Brake ramp monitoring, 106
Braking behavior, 52
Delay, 61
Delay time, 52, 104
Delay time SBR, 52
Enable, 52
Example, 37
Monitoring mode, 51
Principle of operation, 45, 51
Protective door, 44, 50
Safe Stop 1, 45, 50, 81, 103
Safe Stop 1 (Basic Functions), 81
Safe Stop 1 (Extended Functions), 103
SBR, 106
Shutdown speed, 52
Speed controlled, 106
Time and acceleration controlled, 106
Time response, 45, 51, 52
Tolerance, 52
With encoder, 103
With external stop (Basic Functions), 83
With external stop (Extended Functions), 107
With OFF3 (Basic Functions), 81
With OFF3 (Extended Functions), 103
Without encoder, 106
SS1E, 83
SS1 with external stop (Basic Functions), 83
SS2, 54
Braking behavior, 56
Diagnostics, 56
Enable, 56
Principle of operation, 55
Protective door, 55
Safe Stop 2, 54, 55, 111
Select, 56
Speed, 55
Time response, 55, 56
With external stop, 113
SS2ESR, 115, 281
SSM
Centrifuge, 37, 63
Restart, 133
Safe Speed Monitor, 127
Time response, 64
With encoder, 129
Without encoder, 131
Standstill monitoring, 52


Startdrive
Accepting the settings in the drive, 291
Activating Safety Integrated, 288
Actual value acquisition, 299
Advanced Functions basic settings, 290
Basic Functions, 293
Basic settings for Basic Functions, 289
Basic settings for Extended Functions, 290
Changing the password, 292
Configure control, 302
F-DI configuration, 302
Forced checking procedure, 304
Function status, 307
Inputs/outputs, 302
Mechanical system, 299
PROFIsafe configuration, 220, 303, 323
Selecting the safety functionality, 288
SS1, 298
STO, SS1 and SBC, 293
Test stop, 304
STO
Basic Functions, 44, 76
Emergency Stop button, 37
For HLA (Basic Functions), 80
Internal armature short-circuit, 79
Safe Torque Off, 44
Safe Torque Off (Basic Functions), 50, 76, 103
Select, 44
STO terminals PM240-2 and PM240P-2
DIP switch, 217
Requirements, 215
SIL 2/PL d, 216
SIL 3/PL e, 216
STO_A/STO_B, 217
STOP A, 92, 395
STOP B, 395
STOP C, 395
STOP D, 395
STOP E, 395
STOP F, 92, 395
Stop response, 395
Priorities compared to Extended Functions, 398
Priority classes, 398
STOP A, 92
STOP F, 92
Stop responses
Basic Functions, 92
Switching operation
Basic Functions, 212
Timing, 212, 218
Switching over
SLS level, 60
Switching over the gear ratio
Safe, 170

T
Telegram
30, 221
31, 222
700, 257
701, 257
901, 222
902, 222
903, 223
Test of switch-off signal paths, 93
Test stop
Automatically when powering up, 175, 200
Extended/Advanced Functions, 174, 199
General, 277
Initiated by the application, 175, 200
Parameterizing, 304
Third-party motor with absolute encoder, 327
Time and acceleration controlled, 106
Timer for forced dormant error detection interval, 316
TM54F, 207
Basic Functions, 43, 76
Commissioning, 314
Transferring safe position, 188
Trial license, 96, 181

W
Websites of third-party companies, 14

Additional information
Siemens:
www.siemens.com
Industry Online Support (service and support):
www.siemens.com/online-support
IndustryMall:
www.siemens.com/industrymall

Siemens AG
Digital Industries
Motion Control
P.O. Box 3180
D-91050 Erlangen
Germany
