ATV32 Safety Functions Manual EN S1A45606 07

Altivar 32
S1A45606 01/2017
Altivar 32
Variable Speed Drives
Safety Functions Manual

01/2017
S1A45606.07
www.schneider-electric.com
The information provided in this documentation contains general descriptions and/or technical character-
istics of the performance of the products contained herein. This documentation is not intended as a
substitute for and is not to be used for determining suitability or reliability of these products for specific user
applications. It is the duty of any such user or integrator to perform the appropriate and complete risk
analysis, evaluation and testing of the products with respect to the relevant specific application or use
thereof. Neither Schneider Electric nor any of its affiliates or subsidiaries shall be responsible or liable for
misuse of the information contained herein. If you have any suggestions for improvements or amendments
or have found errors in this publication, please notify us.
No part of this document may be reproduced in any form or by any means, electronic or mechanical,
including photocopying, without express written permission of Schneider Electric.
All pertinent state, regional, and local safety regulations must be observed when installing and using this
product. For reasons of safety and to help ensure compliance with documented system data, only the
manufacturer should perform repairs to components.
When devices are used for applications with technical safety requirements, the relevant instructions must
be followed.
Failure to use Schneider Electric software or approved software with our hardware products may result in
injury, harm, or improper operating results.
Failure to observe this information can result in injury or equipment damage.
© 2017 Schneider Electric. All Rights Reserved.
2 S1A45606 01/2017
Table of Contents
Safety Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
About the Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 1 Generalities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 2 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Safety Function STO (Safe Torque Off) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Safety Function SS1 (Safe Stop 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Safety Function SLS (Safely-Limited Speed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Safety Function SMS (Safe Maximum Speed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Safety Function GDL (Guard Door Locking) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Chapter 3 Calculation of Safety Related Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 33
SLS Type 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
SLS Type 2, Type 3, Type 4, Type 5, and Type 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
SS1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
SMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
GDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter 4 Behavior of Safety Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Detected Fault Inhibition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Priority Between Safety Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Factory Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuration Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Priority Between Safety Functions and No Safety-Related Functions. . . . . . . . . . . . . . . . . . 48
Chapter 5 Safety Functions Visualization by HMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Status of Safety Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Dedicated HMI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Error Code Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Chapter 6 Technical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Electrical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Getting and Operating the Safety Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Safety Function Capability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Debounce Time and Response Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 7 Certified Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Multi-drive with the Safety Module Type Preventa XPS AF - Case 1 . . . . . . . . . . . . . . . . . . 71
Multi-drive with the Safety Module Type Preventa XPS AF - Case 2 . . . . . . . . . . . . . . . . . . 72
Multi-drive Without the Safety Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Single Drive with the Safety Module Type Preventa XPS AV - Case 1 . . . . . . . . . . . . . . . . . 74
Single Drive with the Safety Module Type Preventa XPS AV - Case 2 . . . . . . . . . . . . . . . . . 75
Single Drive with the Safety Module Type Preventa XPS AF - Case 1 . . . . . . . . . . . . . . . . . 76
Single Drive with the Safety Module Type Preventa XPS AF - Case 2 . . . . . . . . . . . . . . . . . 77
Single Drive According to IEC 61508 and IEC 60204-1 - Case 1 . . . . . . . . . . . . . . . . . . . . . 78
Single Drive According to IEC 61508 and IEC 60204-1 - Case 2 . . . . . . . . . . . . . . . . . . . . . 79
Single Drive According to IEC 61508 and IEC 62061 with Safety Function GDL . . . . . . . . . 80
S1A45606 01/2017 3
Chapter 8 Commissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Safety Functions Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Configure Safety Functions Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Visualization and Status of Safety Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Copying Safety Related Configuration from Device to PC and from PC to Device . . . . . . . . 89
Machine Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Conversion of the Safety Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Chapter 9 Services and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Power and MCU Replacement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Changing Machine Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4 S1A45606 01/2017
Safety Information
Important Information
NOTICE
Read these instructions carefully, and look at the equipment to become familiar with the device before
trying to install, operate, or maintain it. The following special messages may appear throughout this
documentation or on the equipment to warn of potential hazards or to call attention to information that
clarifies or simplifies a procedure.
PLEASE NOTE
Electrical equipment should be installed, operated, serviced, and maintained only by qualified personnel.
No responsibility is assumed by Schneider Electric for any consequences arising out of the use of this
material.
A qualified person is one who has skills and knowledge related to the construction and operation of
electrical equipment and its installation, and has received safety training to recognize and avoid the
hazards involved.
S1A45606 01/2017 5
6 S1A45606 01/2017
About the Book
At a Glance
Document Scope
The purpose of this document is to provide information about safety functions incorporated in Altivar 32.
These functions allow you to develop applications oriented in the protection of man and machine.
FDT/DTM (field device tool / device type manager) is a new technology chosen by several companies in
automation.
To install the Altivar 32 DTM, you can download and install our FDT: SoMove lite on www.schneider-
electric.com. It is including the Altivar 32 DTM.
The content of this manual is also accessible through the ATV32 DTM online help.
Validity Note
The original user manual is written in English language.
This documentation is valid for the Altivar 32 drive.
The technical characteristics of the devices described in this document also appear online. To access this
information online:
Step Action
1 Go to the Schneider Electric home page www.schneider-electric.com.
2 In the Search box type the reference of a product or the name of a product range.
 Do not include blank spaces in the model number/product range.
 To get information on grouping similar modules, use asterisks (*).
3 If you entered a reference, go to the Product Datasheets search results and click on the reference that
interests you.
If you entered the name of a product range, go to the Product Ranges search results and click on the
product range that interests you.
4 If more than one reference appears in the Products search results, click on the reference that interests
you.
5 Depending on the size of your screen, you may need to scroll down to see the data sheet.
6 To save or print a data sheet as a .pdf file, click Download XXX product datasheet.
The characteristics that are presented in this manual should be the same as those characteristics that
appear online. In line with our policy of constant improvement, we may revise content over time to improve
clarity and accuracy. If you see a difference between the manual and online information, use the online
information as your reference.
S1A45606 01/2017 7
Related Documents
Title of Documentation Reference Number

ATV32 Quick Start Guide S1A41715
ATV32 Quick Start Annex S1B39941
ATV32 Installation Manual S1A28686
ATV32 Programming Manual S1A28692
ATV32 Atex Manual S1A45605
ATV32 Safety Integrated Functions Manual S1A45606
ATV32 Modbus Manual S1A28698
ATV32 CANopen Manual S1A28699
ATV32 PROFIBUS DP Manual S1A28700
ATV32 Modbus TCP - EtherNet/IP Manual S1A28701
ATV32 DeviceNet Manual S1A28702
ATV32 EtherCAT Manual S1A28703
ATV32 PROFINET Manual HRB25668
ATV32 Communication Parameters Manual S1A44568
BMP Synchronous Motor Manual 0198441113981
ATV32 Certificates, See www.schneider-electric.com NA
You can download these technical publications and other technical information from our website at
http://www.schneider-electric.com/en/download
Product Related Information

The information provided in this manual supplements the product manuals.
Carefully read the product manuals before using the product.
Read and understand these instructions before performing any procedure with this drive.
DANGER
HAZARD OF ELECTRIC SHOCK, EXPLOSION, OR ARC FLASH
 Only appropriately trained persons who are familiar with and understand the contents of this manual
and all other pertinent product documentation and who have received safety training to recognize and
avoid hazards involved are authorized to work on and with this drive system. Installation, adjustment,
repair, and maintenance must be performed by qualified personnel.
 The system integrator is responsible for compliance with all local and national electrical code
requirements as well as all other applicable regulations with respect to grounding of all equipment.
 Many components of the product, including the printed circuit boards, operate with mains voltage. Do
not touch. Use only electrically insulated tools.
 Do not touch unshielded components or terminals with voltage present.
 Motors can generate voltage when the shaft is rotated. Before performing any type of work on the drive
system, block the motor shaft to prevent rotation.
 AC voltage can couple voltage to unused conductors in the motor cable. Insulate both ends of unused
conductors of the motor cable.
 Do not short across the DC bus terminals or the DC bus capacitors or the braking resistor terminals.
 Before performing work on the drive system:
 Disconnect all power, including external control power that may be present.
 Place a "Do Not Turn On" label on all power switches.
 Lock all power switches in the open position.
 Wait 15minutes to allow the DC bus capacitors to discharge. The DC bus LED is not an indicator
of the absence of DC bus voltage that can exceed 800 Vdc.
 Measure the voltage on the DC bus between the DC bus terminals using a properly rated voltmeter
to verify that the voltage is < 42Vdc.
 If the DC bus capacitors do not discharge properly, contact your local Schneider Electric
representative.
 Install and close all covers before applying voltage.
Failure to follow these instructions will result in death or serious injury.
8 S1A45606 01/2017
DANGER
UNINTENDED EQUIPMENT OPERATION
 Read and understand this manual before installing or operating the drive.
 Any changes made to the parameter settings must be performed by qualified personnel.
WARNING
DAMAGED DRIVE EQUIPMENT
Do not operate or install any drive or drive accessory that appears damaged.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
WARNING
LOSS OF CONTROL
 The designer of any control scheme must consider the potential failure modes of control paths and,
for critical control functions, provide a means to achieve a safe state during and after a path failure.
Examples of critical control functions are emergency stop, overtravel stop, power outage, and restart.
 Separate or redundant control paths must be provided for critical control functions.System control
paths may include communication links. Consideration must be given to the implications of
unanticipated transmission delays or failures of the link.
 System control paths may include communication links. Consideration must be given to the
implications of unanticipated transmission delays or failures of the link.
 Observe all accident prevention regulations and local safety guidelines.(1)
 Each implementation of the product must be individually and thoroughly tested for proper operation
before being placed into service.
1. For USA: Additional information, refer to NEMA ICS 1.1 (latest edition), “Safety guidelines for the
application, installation, and maintenance of solid-State control” and to NEMA ICS 7.1 (latest edition),
“Safety standards for construction and guide for selection, installation, and operation of adjustable
speed drive systems.”
CAUTION
INCOMPATIBLE LINE VOLTAGE
Before turning on and configuring the drive, ensure that the line voltage is compatible with the supply
voltage range shown on the drive nameplate. The drive may be damaged if the line voltage is not
compatible.
Failure to follow these instructions can result in injury or equipment damage.
NOTICE
RISK OF DERATED PERFORMANCE DUE TO CAPACITOR AGING
The product capacitor performances after a long time storage above 2 years can be degraded. In that
case, before using the product, apply the following procedure:
 Use a variable AC supply connected between L1 and L2 (even for
ATV[gs70][gs70][gs70][gs70][gs70]N4 references).
 Increase AC supply voltage to have:
 80% of rated voltage during 30 min
 100% of rated voltage for another 30 min
Failure to follow these instructions can result in equipment damage.
S1A45606 01/2017 9
Qualification of personnel
Only appropriately trained persons who are familiar with and understand the contents of this manual and
all other pertinent product documentation are authorized to work on and with this product. In addition, these
persons must have received safety training to recognize and avoid hazards involved. These persons must
have sufficient technical training, knowledge and experience and be able to foresee and detect potential
hazards that may be caused by using the product, by changing the settings and by the mechanical,
electrical and electronic equipment of the entire system in which the product is used.
All persons working on and with the product must be fully familiar with all applicable standards, directives,
and accident prevention regulations when performing such work.
Intended use
The functions described in this manual are only intended for use with the basic product; you must read and
understand the appropriate product manual.The product may only be used in compliance with all
applicable safety regulations and directives, the specified requirements and the technical data.Prior to
using the product, you must perform a risk assessment in view of the planned application. Based on the
results, the appropriate safety measures must be implemented.Since the product is used as a component
in an entire system, you must ensure the safety of persons by means of the design of this entire system
(for example, machine design).
Operate the product only with the specified cables and accessories. Use only genuine accessories and
spare parts.Any use other than the use explicitly permitted is prohibited and can result in hazards.Electrical
equipment should be installed, operated, serviced, and maintained only by qualified personnel.The product
must NEVER be operated in explosive atmospheres (hazardous locations, Ex areas).
10 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 1
Generalities
Generalities
What Is in This Chapter?

This chapter contains the following topics:
Topic Page
Introduction 12
Certifications 13
Basics 14
S1A45606 01/2017 11
Introduction
Overview
The safety functions incorporated in Altivar 32 are intended to maintain the safe condition of the installation
or prevent hazardous conditions arising at the installation. In some cases, further safety-related systems
external to the drive (for example a mechanical brake) may be necessary to maintain the safe condition
when electrical power is removed.
The safety functions are configured with SoMove software.
Integrated safety functions provide the following benefits:
 Additional standards-compliant safety functions
 No need for external safety-related devices
 Reduced wiring effort and space requirements
 Reduced costs
The Altivar 32 drives are compliant with the requirements of the standards in terms of implementation of
safety functions.
Safety Functions as Defined by IEC 61800-5-2

Definitions
Acronym Description
STO Safe Torque Off
No power that could cause torque or force is supplied to the motor.
SLS Safely-Limited Speed
The SLS function prevents the motor from exceeding the specified speed limit. If the motor speed exceeds
the specified speed limit value, safety function STO is triggered.
SS1 Safe Stop 1
 initiates and monitors the motor deceleration rate within set limits to stop the motor
 initiates the Safe Operating Stop function when the motor speed is below the specified limit
Safety Function Not Defined in IEC 61800-5-2

Definitions
Acronym Description
SMS Safe Maximum Speed
The SMS function prevents the speed of the motor from exceeding the specified speed limit. If the motor
speed exceeds the specified speed limit value, safety function STO is triggered. The SMS can only be
activated or deactivated with the commissioning software. When activated, the stator frequency is
constantly monitored irrespective of the mode of operation.
GDL Guard Door Locking
The GDL function allows you to release the guard door lock when the motor power is turned off.
Notation
The graphic display terminal (to be ordered separately - reference VW3A1101) menus are shown in square
brackets.
The integrated 7-segment display terminal menus are shown in round brackets.
Parameter names are displayed on the graphic display terminal in square brackets.
Parameter codes are displayed on the integrated 7-segment display terminal in round brackets.
12 S1A45606 01/2017
Certifications
EC Declaration of Conformity
The EC Declaration of Conformity for the EMC Directive can be obtained on www.schneider-electric.com.
ATEX Certification
The ATEX certificate can be obtained on www.schneider-electric.com.
Functional Safety Certification

The integrated safety functions are compatible and certified according to IEC 61800-5-2 Ed.1 Adjustable
speed electrical power drive systems - Part 5-2: Safety requirements - Functional.
IEC 61800-5-2, as a product standard, sets out safety-related considerations of Power Drive System
Safety Related PDS (SR)s in terms of the framework of the IEC 61508 Ed.2 series of standards.
Compliance with the IEC 61800-5-2 standard, for the safety functions described below, will facilitate
incorporation of a PDS (SR) (Power Drive System suitable for use in safety-related applications) into a
safety-related control system using the principles of IEC 61508, or IEC 13849-1, as well as IEC 62061 for
process systems and machinery.
The defined safety functions are:
 SIL2 and SIL3 capability in compliance with IEC 61800-5-2 and the IEC 61508 Ed.2 series.
 Performance Level d and e in compliance with IEC 13849-1.
 Compliant with Category 3 and 4 of European standard IEC 13849-1 (EN 954-1).
Also refer to safety function Capability.

The safety demand operating mode is considered to be high demand or continuous mode of operation
according to the IEC 61800-5-2 standard.
The functional safety certificate is accessible on www.schneider-electric.com.
S1A45606 01/2017 13
Basics
Functional Safety
Automation and safety engineering are two areas that were completely separate in the past but have
recently become more and more integrated.
The engineering and installation of complex automation solutions are greatly simplified by integrated safety
functions.
Usually, the safety engineering requirements depend on the application.
The level of requirements results from the risk and the hazard potential arising from the specific application.
IEC 61508 Standard

The standard IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related
systems covers the safety-related function.
Instead of a single component, an entire function chain (for example, from a sensor through the logical
processing units to the actuator) is considered as a unit.
This function chain must meet the requirements of the specific safety integrity level as a whole.
Systems and components that can be used in various applications for safety tasks with comparable risk
levels can be developed on this basis.
SIL - Safety Integrity Level

The standard IEC 61508 defines 4 safety integrity levels (SIL) for safety functions.
SIL1 is the lowest level and SIL4 is the highest level.
A hazard and risk analysis serves as a basis for determining the required safety integrity level.
This is used to decide whether the relevant function chain is to be considered as a safety function and
which hazard potential it must cover.
PFH - Probability of a Dangerous Hardware Failure Per Hour

To maintain the safety function, the IEC 61508 standard requires various levels of measures for avoiding
and controlling detected faults, depending on the required SIL.
All components of a safety function must be subjected to a probability assessment to evaluate the
effectiveness of the measures implemented for controlling detected faults.
This assessment determined the PFH (Average frequency of dangerous failure) for a safety system.
This is the probability per hour that a safety system fails in a hazardous manner and the safety function
cannot be correctly executed.
Depending on the SIL, the PFH must not exceed certain values for the entire safety system.
The individual PFH values of a function chain are added. The result must not exceed the maximum value
specified in the standard.
Performance level Average frequency of dangerous failure (PFH) at high demand or continuous demand
4
14 S1A45606 01/2017
PL - Performance Level
The standard ISO 13849-1 defines 5 Performance levels (PL) for safety functions.
a is the lowest level and e is the highest level.
Five levels (a, b, c, d, and e) correspond to different values of Average frequency of dangerous failure.
Performance level Probability of a dangerous Hardware Failure per Hour

e
HFT - Hardware Fault Tolerance and SFF - Safe Failure Fraction

Depending on the SIL for the safety system, the IEC 61508 standard requires a specific hardware fault
tolerance HFT in connection with a specific proportion of safe failures SFF (Safe Failure Fraction).
The hardware fault tolerance is the ability of a system to execute the required safety function in spite of the
presence of one or more hardware faults.
The SFF of a system is defined as the ratio of the rate of safe failures and dnagerous detected failures to
the total failure rate of the system.
SFF = (Σλs + ΣλDd)/(Σλs + ΣλDd + ΣλDu)
According to IEC 61508, the maximum achievable SIL of a system is partly determined by the hardware
fault tolerance HFT and the safe failure fraction SFF of the system.
IEC 61508 distinguishes two types of subsystem (type A subsystem, type B subsystem).
These types are specified on the basis of criteria which the standard defines for the safety-relevant
components.
SFF HFT type A subsystem HFT type B subsystem

0 1 2 0 1 2
SIL1 SIL2 SIL3 ---- SIL1 SIL2
SIL2 SIL3 SIL4 SIL1 SIL2 SIL3
S1A45606 01/2017 15
PFD - Probability of Failure on Demand
The standard IEC 61508 defines SIL using requirements grouped into two broad categories: hardware
safety integrity and systematic safety integrity. A device or system must meet the requirements for both
categories to achieve a given SIL.
The SIL requirements for hardware safety integrity are based on a probabilistic analysis of the device. To
achieve a given SIL, the device must meet targets for the maximum probability of dangerous failure and a
minimum Safe Failure Fraction. The concept of 'dangerous failure' must be rigorously defined for the
system in question, normally in the form of requirement constraints whose integrity is verified throughout
system development. The actual targets required vary depending on the likelihood of a demand, the
complexity of the device(s), and types of redundancy used.
The PFD (Probability of Failure on Demand) and RRF (Risk Reduction Factor) of low demand operation
for different SILs are defined in IEC 61508 are as follows:
SIL PFD PFD (power RRF

1 0.1 - 0.01 -1
10 - 10 -2 10 - 100
2 0.01 - 0.001 -2
10 - 10-3 100 - 1000
3 0.001 - 0.0001 -3
10 - 10-4 1000 - 10,000
4 0.0001 - 0.00001 -4
10 - 10 -5 10,000 - 100,000
In high demand or continuous operation, these changes to the following:
SIL PFH PFH (power RRF

1 0.00001 - 0.000001 10-5 - 10-6 100,000 - 1,000,000
2 0.000001 - 0.0000001 10-6 - 10-7 1,000,000 - 10,000,000
3 0.0000001 - 0.00000001 10-7 - 10-8 1000 - 10,000
4 0.00000001 - 0.000000001 10-8 - 10-9 100,000,000 - 1,000,0000,000
The hazards of a control system must be identified then analyzed in a risk analysis. These risks are
gradually mitigated until their overall contribution to the hazard is deemed to be acceptable. The tolerable
level of these risks is specified as a safety requirement in the form of a target probability of a dangerous
failure over a given period, stated as a discrete SIL level.
Fault Avoidance Measures

Systematic errors in the specifications, in the hardware and the software, usage faults and maintenance
faults in the safety system must be avoided to the maximum degree possible. To meet these requirements,
IEC 61508 specifies a number of measures for fault avoidance that must be implemented depending on
the required SIL. These measures for fault avoidance must cover the entire life cycle of the safety system,
i.e. from design to decommissioning of the system.
16 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 2
Description
Description

Topic Page
Safety Function STO (Safe Torque Off) 18
Safety Function SS1 (Safe Stop 1) 20
Safety Function SLS (Safely-Limited Speed) 22
Safety Function SMS (Safe Maximum Speed) 29
Safety Function GDL (Guard Door Locking) 31
S1A45606 01/2017 17
Safety Function STO (Safe Torque Off)
Overview
The safety function STO (Safe Torque Off) does not remove power from the DC bus. The safety function
STO only removes power to the motor. The DC bus voltage and the mains voltage to the drive are still
present.
DANGER
HAZARD OF ELECTRIC SHOCK
 Do not use the safety function STO for any other purposes than its intended function.
 Use an appropriate switch, that is not part of the circuit of the safety function STO, to disconnect the
drive from the mains power.
When the safety function STO is triggered, the power stage is immediately disabled. In the case of vertical
applications or external forces acting on the motor shaft, you may have to take additional measures to bring
the motor to a standstill and to keep it at a standstill when the safety function STO is used, for example, by
using a service brake.
WARNING
INSUFFICIENT DECELERATION OR UNINTENDED EQUIPMENT OPERATION
 Verify that using the safety function STO does not result in unsafe conditions.
 If standstill is required in your application, ensure that the motor comes to a secure standstill when the
safety function STO is used.
This function brings the machine safely into a no-torque state and / or prevents it from starting accidentally.
The safe torque-off (safety function STO) function can be used to effectively implement the prevention of
unexpected start-up functionality, thus making stops safe by preventing the power only to the motor, while
still maintaining power to the main drive control circuits.
The principles and requirements of the prevention of unexpected start-up are described in the standard EN
1037:1995+A1.
The logic input STO is assigned to this safety function and cannot be modified.
If a paired terminal line in 2 channels is required to trigger safety function STO, the function can also be
enabled by the safety-related logic inputs.
The safety function STO is configured with the commissioning software.
The safety function STO status can be displayed using the HMI of the drive or using the commissioning
software.
18 S1A45606 01/2017
Safety Function STO Standard Reference
The safety function STO is defined in section 4.2.2.2 of standard IEC 61800-5-2 (edition 1.0 2007.07):
Power, that can cause rotation (or motion in the case of a linear motor), is not applied to the motor.The
PDS(SR) (power drive system suitable for use in safety-related applications) will not provide energy to the
motor which can generate torque (or force in the case of a linear motor).
 NOTE 1: This safety function corresponds to an uncontrolled stop in accordance with stop category 0
of IEC 60204-1.
 NOTE 2: This safety function may be used where power removal is required to prevent an unexpected
start-up.
 NOTE 3: In circumstances where external influences (for example, falling of suspended loads) are
present, additional measures (for example, mechanical brakes) may be necessary to prevent any
hazard.
 NOTE 4: Electronic equipment and contactors do not provide adequate protection against electric
shock, and additional insulation measures may be necessary.
Safety Function (SF) Level Capability for Safety Function STO
Configuration SIL PL
Safety Integrity Level according to Performance Level according to
IEC 61508 ISO 13849-1
STO with or without safety module SIL 2 PL d
STO & LI3 with or without safety module SIL 3 PL e
LI3 and LI4 SIL 2 PL d
Emergency Operations
Standard IEC 60204-1 introduces 2 emergency operations:
 Emergency switching-off:
This function requires external switching components, and cannot be accomplished with drive based
functions such as safe torque-off (STO).
 Emergency stop:
An emergency stop must operate in such a way that, when it is activated, the hazardous movement of
the machinery is stopped and the machine is unable to start under any circumstances, even after the
emergency stop is released.
An emergency stop shall function either as a stop category 0 or as a stop category 1.
Stop category 0 means that the power to the motor is turned off immediately. Stop category 0 is
equivalent to the safe torque-off (STO) function, as defined by standard EN 61800-5-2.
In addition to the requirements for stop (see 9.2.5.3 of IEC 60204-1), the emergency stop function has
the following requirements:
 it shall override all other functions and operations in all modes.
 This reset shall be possible only by a manual action at that location where the command has been
initiated. The reset of the command shall not restart the machinery but only permit restarting.
 For the machine environment (IEC 60204-1 and machinery directive), when safety function STO is
used to manage an emergency stop category 0, the motor must not restart automatically when safety
function STO has been triggered and deactivated (with or without a power cycle). This is the reason
why an additional safety module is required if the machine restarts automatically after the safety
function STO has been deactivated.
S1A45606 01/2017 19
Safety Function SS1 (Safe Stop 1)
Overview
The safety function SS1 (Safe Stop 1) monitors the deceleration according to a dedicated deceleration
ramp and safely shuts off the torque once standstill has been achieved.
When the safety function SS1 is triggered, it overrides all other functions (except STO function that has
priority) and operations in all modes.
The unit of the SS1 deceleration ramp is in Hz/s. The setting of the ramp is done with two parameters:
[SS1 ramp unit] SSrU (Hz/s) to give the unit of the ramp in 1 Hz/s, 10 Hz/s, and 100 Hz/s
[SS1RampValue] SSrt (0.1) to set the value of the ramp
Ramp calculation:
Ramp = SSrU*SSrt
Example: If SSrU = 10 Hz/s and SSrt = 5.0 the deceleration ramp is 50 Hz/s.
The safety function SS1 is configured with the commissioning software, for more information see
Commissioning (see page 81).
The safety function SS1 status can be displayed using the HMI of the drive or using the commissioning
software.
Behavior on Activation of the SS1 Function

When SS1 function is triggered, it monitors the deceleration of the motor according to the specified
monitoring ramp until standstill is reached and verifies if the motor speed is not above a monitored limit
value depending on the specified monitoring ramp and the parameter [SS1 trip threshold] SStt.
If the monitored limit value is exceeded:
 An error is triggered and the error code [Safety function fault] SAFF is displayed.
 Safety function STO is triggered.
After the [Standstill level] SSSL has been reached, the safety function STO is triggered.
SS1 function continues to be active if the request has been removed before the standstill has been
reached.
NOTE: The error detection depends on [Stator Frequency] StFr.
: SS1 trip threshold, : SS1 deceleration ramp (dV/dT), : STO function triggered, : Error and
STO function triggered
20 S1A45606 01/2017
Behavior on Deactivation of the SS1 Function
After an SS1 stop, send a new run command (even if the run command is set on level command).
SS1 Standard Reference

The SS1 function is defined in section 4.2.2.2 of standard IEC 61800-5-2:
The PDS(SR) (Power drive system suitable for use in safety-related applications) either:
 Initiates and controls the motor deceleration rate within set limits to stop the motor and initiates the STO
function (see 4.2.2.2) when the motor speed is below a specified limit; or
 Initiates and monitors the motor deceleration rate within set limits to stop the motor and initiates the STO
function when the motor speed is below a specified limit; or
 Initiates the motor deceleration and initiates the STO function after an application-specific time delay.
NOTE: This safety function corresponds to a controlled stop in accordance with stop category 1 of IEC
60204-1.
Safety Function (SF) Level Capability for Safety Function SS1
Function Configuration SIL PL

Safety Integrity Level Performance Level
According to IEC 61508 According to ISO 13849-1
SS1 type C STO with Preventa module SIL2 PL d
STO and LI3 with Preventa module SIL 3 PL e
SS1 type B LI3 and LI4 SIL 2 PL d
Emergency Stop Category 1

An emergency stop must operate in such a way that, when it is activated, the hazardous movement of the
machinery is stopped and the machine is unable to start under any circumstances, even after the
emergency stop is released.
An emergency stop shall function either as a stop category 0 or as a stop category 1.
Stop category 1 is a controlled shut-down, whereby the energy supply to the motor is maintained to perform
the shut-down, and the energy supply is only interrupted when the shut-down has been completed.
Stop category 1 is equivalent to the [Safe Stop 1] SS1 function, as defined by standard EN 61800-5-2.
In addition to the requirements for stop (see 9.2.5.3 of IEC 60204-1), the emergency stop function has the
following requirements:
 it shall override all other functions and operations in all modes.
 This reset shall be possible only by a manual action at that location where the command has been
initiated. The reset of the command shall not restart the machinery but only permit restarting.
For the machine environment (IEC 60204-1 and machinery directive), when safety function SS1 is used to
manage an emergency stop category 1, the motor must not restart automatically when safety function SS1
has been triggered and deactivated (with or without a power cycle). This is the reason why an additional
safety module is required if the machine restarts automatically after the safety function SS1 has been
deactivated.
S1A45606 01/2017 21
Safety Function SLS (Safely-Limited Speed)
Overview
This function is used to limit the speed of a motor.
There are 6 types of SLS function:
 SLS type 1: Limits the motor speed to the actual motor speed.
 SLS type 2: Limits the motor speed to a value set using a parameter.
 SLS type 3: Same as type 2 with specific behavior if the motor speed is above threshold value set using
a parameter.
 SLS type 4: Limits the motor speed to a value set using a parameter. The direction of rotation can be
changed while the safety function is active.
 SLS type 5: Same as type 4 with the specific behavior if the motor speed is above threshold value set
using a parameter.
 SLS type 6: Same as type 4 with specific behavior if the motor speed is above threshold value set using
a parameter.
NOTE: SLS types 2 and 3 use (SLwt) [SLS Wait time] parameter to allow the motor to run under the
[standstill level ] SSSL for a given time after the safety function SLS has been activated.
The safety function SLS is configured with the commissioning software, for more information see
commissioning (see page 81).
The status of the safety function SLS can be displayed using the HMI of the drive or using the
commissioning software.
Behavior on Activation of the Safety Function SLS Type 1
: Error and STO function triggered, : Reference upper limit, : STO function triggered
When the safety function is activated:

 If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the safety function
STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
 If the [Stator Frequency] StFr is under the [SLS tolerance threshold] SLtt, the stator frequency
is limited to the actual stator frequency. The reference frequency will only vary between this value and
the standstill level SSSL.
While the function is activated:
 If the[Stator Frequency] StFr decreases and reaches the [Standstill level] SSSL frequency, the
safety function STO is triggered.
 If the [Stator Frequency] StFr increases and reaches [SLS tolerance threshold] SLtt, the safety
function STO is triggered and an error is triggered with the error code [Safety function fault] SAFF.
22 S1A45606 01/2017
: SS1 trip threshold, : Error and STO function triggered, : Reference upper limit, : STO
function triggered, : SS1 deceleration ramp (dV/dT), : Time taken for the [Stator Frequency ]
StFr to become greater than SSSL
: [Stator Frequency] StFr is above [Set Point] SLSP
: [Stator Frequency] StFr is between [Standstill level] SSSL and [Set Point] SLSP
: [Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] (SLwt) ≠ 0
When the function is activated:

 If the [Stator Frequency ] StFr is above the [Set point] SLSP, the drive decelerates according to
SS1 deceleration ramp until the [Set point] SLSP is reached.(see case A)
 If the [Stator Frequency] StFr is below the SLSP the current reference is not changed but limited to
the [Set point] SLSP.(see case B)
 If the [Stator Frequency] StFr is still below the [Standstill level] SSSL frequency after [SLS wait
time] (SLwt ) has elapsed, the safety function STO will be triggered.(see case C)
 The reference frequency can only vary between the [Set point] SLSP and the standstill level SSSL.
 If the [Stator Frequency ] StFr decreases and reaches the [Standstill level] SSSL frequency,
 If the [Stator Frequency ] StFr increases and reaches the [SLS tolerance threshold] SLtt, the
safety function STO is triggered and an error is triggered with the error code [Safety function fault]
SAFF.
S1A45606 01/2017 23
SLS type 3 has the same behavior as SLS type 2 except that If the [Stator Frequency] StFr is above
the [SLS tolerance threshold] SLtt, the safety function SS1 is triggered instead of decelerating to the
[Set point] SLSP (see case A)
function triggered, : SS1 deceleration ramp (dV/dT), : Time taken for the [Stator Frequency] StFr
to become greater than SSSL
: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt
: [Stator Frequency] StFr is between [Set Point] SLSP and [SLS tolerance threshold] SLtt
:[Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] (SLwt) ≠ 0
SS1 is triggered. (see case A).
 If the [Stator Frequency] StFr is between the [SLS tolerance threshold] SLtt and the [Set point]
SLSP, the drive decelerates according to SS1 deceleration ramp until the [Set point] SLSP has
been reached.(see case B).
 If the [Stator Frequency] StFr is below the [Set point] SLSP the current reference is not changed
but limited to the [Set point] SLSP.(see case C)
 If the [Stator Frequency] StFr is still below the [Standstill level] SSSL frequency after [SLS wait
time] SLwt has elapsed, the safety function STO will be triggered.(see case D)

 The reference frequency can only vary between the [Set point] SLSP and the [Standstill level]
SSSL.
 If the [Stator Frequency ] StFr decreases and reaches the [Standstill level] SSSL frequency, the
 If the [Stator Frequency ] StFr increases and reaches the [SLS tolerance threshold] SLtt, the
safety function STO is triggered and an error is triggered with the error code [Safety function fault]
SAFF.
24 S1A45606 01/2017
Error and STO function triggered, SS1 trip threshold, SS1 deceleration ramp (dv/dt),
reference upper limit
: [Stator Frequency] StFr is below [Set Point] SLSP

NOTE: If the SLTT ≤ SLSP for SLS type 4, SAFF fault is triggered.
STO is triggered with the error code [Safety function fault] SAFF.(see case A)
been reached.(see case B)
 If the [Stator Frequency] StFr is below the [Set point] SLSP, the current reference is not changed
but limited to the [Set point] SLSP.(see case C).

 The reference frequency can vary between the [Set point] SLSP in both forward and reverse
directions.
S1A45606 01/2017 25
: Error and STO function triggered, : SS1 trip threshold, : SS1 deceleration ramp (dv/dt), :
Reference upper limit

 If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the drive decelerates
according to SS1 deceleration ramp until the [Set point] SLSP has been reached. (see case A)

directions.
26 S1A45606 01/2017
: Error and STO function triggered, : SS1 trip threshold, : SS1 deceleration ramp (dV/dT) :
Reference upper limit, : STO function triggered.

 If the [Stator Frequency] StFr is above the [SLS tolerance threshold] SLtt, the drive decelerates
according to SS1 deceleration ramp until 0 Hz has been reached (see case A).

directions.
S1A45606 01/2017 27
Behavior on Deactivation of the Safety Function SLS for All SLS Types
If... Then ...

The drive is still running when the function is deactivated The reference frequency of the active channel is
applied.
Safety function STO has been triggered and the drive is not A new run command must be applied.
in fault state.
The safety function SLS type 2, 3, 4 is deactivated while the The safety function SLS remains activated until the
drive decelerates to the [Set point] SLSP according to SS1 [Set point] SLSP has been reached.
deceleration ramp. STO is triggered when [Standstill level] SSSL is
The safety function SLS type 3 is deactivated while the safety reached and a new run command must be applied.
function SS1 has been triggered
a stop command is applied The safety function SLS remains active and the drive
decelerates until standstill is reached.
For SLS type 1, 2, or 3 STO function is triggered when
the [Stator Frequency] StFr decreases and reaches
the [Standstill level] SSSL frequency.
an error is detected The safety function SLS remains active and the drive
stops according to the configured error response.
For SLS type 1, 2, or 3 STO function will be triggered
after the [Standstill level] SSSL frequency has been
reached.The drive can be reset after the cause is
cleared.
SLS Standards References

The safety function SLS is defined in section 4.2.3.4 of standard IEC 61800-5-2 The SLS function helps to
prevent the motor from exceeding the specified speed limit.
Safety Function (SF) Level for Safety Function SLS
Configuration SIL PL
Safety Integrity Level According to Performance level According to ISO
IEC 61508 13849-1
28 S1A45606 01/2017
Safety Function SMS (Safe Maximum Speed)
Overview
This function prevents the speed of the motor from exceeding the specified safe maximum speed limit.
The safety function SMS is configured using commissioning software, for details, refer commissioning
(see page 81).
[SMS Activation] SMSA parameter is used to activate or deactivate the SMS function.
Two speed limits can be set using the following parameters
 [SMS Low Limit] SMLL: To select the lower speed limit.
 [SMS High Limit] SMLH: To select the higher speed limit
[SMS Low Limit] SMLL or [SMS High Limit] SMLH is considered as safe maximum speed limit based
on the [SMS Assignment] SMLS selection.
When [SMS Assignment] SMLS is selected as L34 or L56 (logical input 3 and 4 or logical input 5 and 6),
 If the logical inputs are in low state (0), [SMS Low Limit] SMLL is considered as the safe maximum
speed limit.
 If the logical inputs are in high state (1), [SMS High Limit] SMLH is considered as the safe maximum
speed limit.
When [SMS Assignment] SMLS is selected as NO, [SMS Low Limit] SMLL is considered as the safe
maximum speed limit.
NOTE:
 The SMS function does not adjust the speed reference.
 The speed reference should be adjusted through an active speed reference channel according to [SMS
Low Limit] SMLL or [SMS High Limit] SMLH.
The status of safety function SMS is displayed on graphical display terminal of the drive and Monitoring
tab of the commissioning software.
S1A45606 01/2017 29
Behavior on Activation of the Safety Function SMS
Error and STO function triggered

While the function is activated
 If logical inputs (LIx and LIy) are in low state (0) and [Stator Frequency] StFR increases and reaches
[SMS Low Limit] SMLL, STO is triggered and an error is triggered with an error code [Safety function
fault] SAFF.
 If logical inputs (LIx and LIy) are in high state (1) and [Stator Frequency] StFR increases and reaches
[SMS High Limit] SMLH, STO is triggered and an error is triggered with an error code [Safety function
fault] SAFF.
 If logical inputs (LIx and LIy) are not assigned and [Stator Frequency] StFR increases and reaches
[SMS Low Limit] SMLL, STO is triggered and an error is triggered with an error code [Safety function
fault] SAFF.
SMS Standard References

The safety function SMS is not defined in IEC 61800-5-2. The SMS function prevents the speed of the
motor from exceeding the specified speed limit. If the motor speed exceeds the specified speed limit value,
safety function STO is triggered. The SMS can only be activated or deactivated with the commissioning
software. When activated, the stator frequency is constantly monitored irrespective of the mode of
operation.
Safety Function (SF) Level for Safety Function SMS
Configuration SIL Safety Integrity Level According to IEC PL Performance level According to ISO
61508 13849-1
No SIL 2 PL d
30 S1A45606 01/2017
Safety Function GDL (Guard Door Locking)
Overview
This function allows you to release the guard door lock after specified delay when the motor power is turned
off. The front door of the machine can be opened only after the motor is stopped, this function helps to
ensure the safety of the machine operator.
For details on certified wiring diagram, refer Single Drive According to IEC 61508 and IEC 62061 for GDL
Function (see page 80).
[GDL Assignment] GDLA parameter is used to activate or deactivate the GDL function.
GDL function uses LO1 parameter.
Two delays can be configured using following parameters.
 [Guard Door Locking Long Delay] GLLD: Long delay after any stop command (such as STO, ramp
stop, DC injection, and so on) other than SS1 stop to make sure that the machine is stopped.
 [Guard Door Locking Short Delay] GLSD: Short delay after SS1 ramp to make sure that the machine
is stopped.
NOTE: [Guard Door Locking Long Delay] GLLD and [Guard Door Locking Short Delay] GLSD are
defined based on the characteristics of the machine.
The safety function GDL is configured using the commissioning software, for details, refer Commissioning
(see page 81).
The status of the safety function GDL is displayed on graphical display terminal of the drive and Monitoring
tab of the commissioning software.
Behavior on Activation of the Safety Function GDL
SS1 stop, Freewheel stop, Ramp stop, STO function triggered

While the function is activated,
 If the safety function SS1 is triggered, logical output (LO) changes to high state (1) after [GDL Short
Delay] GLSD and guard door lock is released.
 If the freewheel stop or safety function STO is triggered, logical output (LO) changes to high state (1)
after [GDL Long Delay] GLLD and guard door lock is released.
 If the ramp stop is triggered, logical output (LO) changes to high state (1) after [GDL Long Delay]
GLLD and guard door lock is released.
GDL Standard References

The safety function GDL is not defined in IEC 61800-5-2. The GDL function allows you to release the guard
door lock when the motor power is turned off.
Safety Function (SF) Level for Safety Function GDL
Configuration SIL Safety Integrity Level According to IEC PL Performance level According to ISO
61508 13849-1
STO with safety module SIL 1 PL c
S1A45606 01/2017 31
32 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 3
Calculation of Safety Related Parameters
Calculation of Safety Related Parameters

Topic Page
SLS Type 1 34
SLS Type 2, Type 3, Type 4, Type 5, and Type 6 36
SS1 40
SMS 42
GDL 43
S1A45606 01/2017 33
SLS Type 1
Collect Application Data

Before starting to configure the SLS function, you must collect the following data:
Code Description Unit Comment

FrS [Rated motor freq.] Hz See motor nameplate
nSp [Rated motorspeed] rpm See motor nameplate
ppn Motor pole pair number – See motor nameplate
Max Frequency Maximum motor frequency for normal Hz This value is equal to [High speed]
operation HSP or lower
Calculate the rated motor slip frequency Fslip (Hz).:
To Configure the Function

Overview of diagram
: Error and STO function triggered, : Reference upper limit, : STO function triggered
Standstill Level
The recommended standstill level is: SSSL = Fslip
If the application requires a different standstill level, it can be set accordingly with the SSSL parameter.
Motor Frequency Limit Threshold
The recommended value of the parameter is SLtt = 1.2 x Max Frequency + Fslip
34 S1A45606 01/2017
Testing and Adjusting the Configuration
When configuration is complete, test the SLS function to verify it behaves as expected.
If an error is triggered with the error code [Safety function fault] SAFF apply the following troubleshooting
rules
Context Drive Status Adjustment

SLS activated and motor  SAFF error code Motor frequency has reached the motor frequency limit
running at the fixed  SFFE.7 = 1 threshold.
setpoint frequency The cause of the detected error can be due to frequency
instability. Investigate and correct the cause. The value of
SLtt can be modifed to increase the tolerance threshold to
the instability of the drive system.
Example
Code Description Unit

FrS [Rated motor freq.] 50 Hz
nSp [Rated motorspeed] 1350 rpm
ppn Motor pole pair number 2
Max Frequency Maximum motor frequency on normal operation. This 50 Hz
value is generally equal to [High speed] HSP or
lower
With these numerical values, the configuration of SLS type 1 is:
SSSL = Fslip = 5 Hz
SLtt = 1.2 x Max Frequency + Fslip = 1.2 x 50 + 5 = 65 Hz
S1A45606 01/2017 35
SLS Type 2, Type 3, Type 4, Type 5, and Type 6

Before starting to configure the SLS function, you must collect the following data:

FrS [Rated motor freq.] Hz See motor nameplate
nSp [Rated motor speed] rpm See motor nameplate
ppn Motor pole pair number – See motor nameplate
Max Frequency Maximum motor frequency Hz This value is equal to [High speed] HSP or lower.
on normal operation
SS1 deceleration ramp Deceleration ramp to apply Hz –
when SS1 ramp is triggered
Calculate the rated motor slip frequency Fslip (Hz).

Nsp x ppn
Fslip = FrS -
60

Overview of diagram
function triggered, : SS1 deceleration ramp (dV/dT), : Time taken for the [Stator Frequency ]
StFr to become greater than SSSL
: [Stator Frequency] StFr is above [Set Point] SLSP
: [Stator Frequency] StFr is below [Standstill level] SSSL and [SLS wait time] (SLwt) ≠ 0
Standstill Level
36 S1A45606 01/2017
Ramp Value and Ramp Unit
Set SSrt (ramp value) and SSrU (ramp unit) parameters according to the deceleration ramp to apply when
the safety function SS1 is triggered.
Ramp calculation: Ramp = SSrU*SSrt
Example 1: If SSrU = 1 Hz/s and SSrt = 500.0 the deceleration ramp is 500.0 Hz/s and the accuracy is
0.1 Hz
Example 2: If SSrU = 10 Hz/s and SSrt = 50.0 the deceleration ramp is 500 Hz/s and the accuracy is 1 Hz
Use the table to set the correct accuracy according to the deceleration ramp to apply when the safety
function SS1 is triggered:
Min Max Accuracy SSrt SSrU

0.1 Hz/s 599 Hz/s 0.1 Hz/s 1 Hz/s SS1 deceleration ramp
599 Hz/s 5990 Hz/s 1 Hz/s 10 Hz/s SS1 deceleration ramp/10
SLS Setpoint
Set the SLS setpoint parameter (SLSP) to: SLSP= Fsetpoint (SLS)
Motor Frequency and ramp Limit Threshold
The recommended motor frequency limit threshold is SLtt = 1.2 x SLSP + Fslip and the recommended SS1
ramp limit threshold is: SStt = 0.2 x Max Frequency
SLS Wait time

Set the [SLS wait time] (SLwt) greater than 0 ms to to allow the motor to run under the [standstill level]
SSSL for a given time after the safety function SLS has been activated.
NOTE: When SLS Type 4 is configured, [SLS wait time] (SLwt) must be set to 0 otherwise an error is
triggered and the error code [Safety function fault] SAFF is displayed
S1A45606 01/2017 37
When configuration is complete, test the SLS function to verify that it behaves as expected.
If an error is triggered with the error code [Safety function fault] SAFF, apply the following
troubleshooting rules

SLS activated  SAFF error code Motor frequency has reached the motor frequency limit threshold.
and  SFFE.3 = 1 The cause of the detected error can be due to frequency instability. Investigate
deceleration and correct the cause. The value of SLtt can be modified to increase the tolerance
ramp in threshold to the instability of the drive system.
progress
SLS activated  SAFF error code Motor frequency stabilization at SLSP takes too long and has reached the safety
and end of  SFFE.3 = 1 function error detection condition.
ramp at SLSP or
frequency  SFFE.7 = 1
: Safety function error detection, Tosc: T oscillation, F: Frequency

The oscillations must be lower than SLtt before the time T(oscillation) elapses.
If the condition is not followed, an error is triggered and the error code [Safety
function fault] SAFF is displayed
The relationship between SStt and T(oscillation) is:
Motor frequency has reached the motor frequency limit threshold.

The cause of the detected error can be due to frequency instability. Investigate
and correct the cause. The value of SStt can be modified to increase the tolerance
threshold to the oscillations of the drive system.
SLS activated  SAFF error code Motor frequency has reached the motor frequency limit threshold.
and motor  SFFE.7 = 1 The cause of the detected error can be due to frequency instability. Investigate
running at and correct the cause. The value of SLtt can be modified to increase the tolerance
SLSP threshold to the instability of the drive system.
frequency
Example

FrS Rated motor frequency 50 Hz
nSp Rated motor speed 1350 rpm
Max Frequency Maximum motor frequency on normal operation. This value is equal to [High 50 Hz
speed] HSP or lower
Fsetpoint(SLS) Motor frequency setpoint 15 Hz
SS1 deceleration ramp Deceleration ramp to apply when SS1 is triggered 20 Hz/s
With these numerical values, the configuration of SLS type 2, 3, and 4 is:
1350 x 2
Fslip = 50 - = 5 Hz
60
SSSL = Fslip = 5 Hz
SSrU = 1 Hz/s and SSrt = 20.0 for SS1 deceleration ramp = 20 Hz/s (accuracy is 0.1 Hz)
SLSP = Fsetpoint(SLS) = 15 Hz
38 S1A45606 01/2017
SLtt = 1.2 x SLSP + Fslip = 1.2 x 15 + 5 = 23 Hz
SStt = 0.2 x Max Frequency = 0.2 * 50 = 10 Hz
In this example, the frequency oscillations are allowed to be higher than SLtt for 350 ms.
S1A45606 01/2017 39
SS1

Before configuring the SS1 function, you must collect the following data:

FrS Rated motor frequency Hz From motor
nSp Rated motor speed rpm From motor
ppn Motor pole pair number – From motor
Max Frequency Maximum motor frequency on Hz This value is equal to [High speed] HSP or lower
normal operation
Calculate the rated motor slip frequency Fslip (Hz).

Overview of diagram
: SS1 trip threshold, : SS1 deceleration ramp (dV/dT), : STO function triggered, : Error and
STO function triggered
Standstill Level
Ramp Value and Ramp Unit
Set SSrt (ramp value) and SSrU (ramp unit) parameters according to the deceleration ramp to apply when
the safety function SS1 is triggered.
Ramp Calculation: Ramp = SSrU*SSrt
Example 1: If SSrU = 1 Hz/s and SSrt = 500.0 the deceleration ramp is 500.0 Hz/s and the accuracy is
0.1 Hz
Example 2: If SSrU = 10 Hz/s and SSrt = 50.0 the deceleration ramp is 500 Hz/s and the accuracy is 1 Hz
40 S1A45606 01/2017
Use the table to set the correct accuracy according to the deceleration ramp to apply when the safety
function SS1 is triggered:
Min Max Accuracy SSrU SSrt

0.1 Hz/s 599 Hz/s 0.1 Hz/s 1 Hz/s SS1 deceleration ramp
Ramp Limit Threshold

The SS1 ramp trip threshold is calculated by: SStt = 0.2 x Max Frequency
This value is equal to [High speed] HSP or lower

When configuration is complete, test the safety function SS1 to verify that it behaves as expected.
If an error is triggered with the error code [Safety function fault] SAFF, apply the following
troubleshooting rules

SS1 activated and the  SAFF error code Motor frequency has reached the motor frequency limit
[Standstill level] SSSL  SFFE.3 = 1 threshold.
has not yet been reached The cause of the detected error can be due to frequency
instability. Investigate and correct the cause. The value of
SStt can be modified to increase the tolerance threshold to
the instability of the drive system.
Example

FrS Rated motor frequency 50 Hz
nSp Rated motor speed 1350 rpm
Max Frequency Maximum motor frequency on normal operation 50 Hz
SS1 deceleration ramp Deceleration ramp to apply when SS1 is triggered 20 Hz/s
With these numerical values, the configuration of SS1 is:
SSSL = Fslip = 5 Hz
SSrU = 1 Hz/s and SSrt = 20.0 for SS1 deceleration ramp = 20 Hz/s (accuracy is 0.1 Hz)
SStt = 0.2 x Max Frequency = 0.2 x 50 = 10 Hz
S1A45606 01/2017 41
SMS

Before starting to configure the SMS function, you must collect the following data:

PPn Motor pole pair number – See motor nameplate
Max output frequency in Hz = ((Max velocity in rpm)/60)* PPn
Error and STO function triggered

SMLL > Max output frequency
SMLH > Max output frequency
42 S1A45606 01/2017
GDL

Before starting to configure the GDL function, you must collect the following data:

GLSD [GDL Short Delay] s Maximum delay after SS1 ramp to stop the
machine.
GLLD [GDL Long Delay] s Maximum delay after STO function activation or
normal deceleration ramp command to stop the
machine.
SS1 stop, Freewheel stop, Ramp stop, STO function triggered

When GDL configuration is complete
 Activate safety function SS1 and verify that logical output changes to high state (1) when the machine
is stopped.
 Activate safety function STO and verify that the logical output changes to high state (1) when the
machine is stopped.
S1A45606 01/2017 43
44 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 4
Behavior of Safety Functions
Behavior of Safety Functions

Topic Page
Limitations 46
Detected Fault Inhibition 46
Priority Between Safety Functions 46
Factory Settings 46
Configuration Download 47
Priority Between Safety Functions and No Safety-Related Functions 48
S1A45606 01/2017 45
Limitations
Type of Motor
The safety functions SLS, SS1, and SMS on ATV32 are only applicable for asynchronous motors with
open-loop control profile.
The safety function STO and GDL can be used with synchronous and asynchronous motors.
Prerequisites for Using Safety Functions

Following conditions have to be fulfilled for correct operation:
 The motor size is adequate for the application and is not at the limit of its capacity.
 The drive size has been correctly chosen for the line supply, sequence, motor, and application and is
not at the limit of their capacities as stated in the catalog.
 If required, the appropriate options are used.
Example: dynamic braking resistor or motor choke.
 The drive is correctly set up with the correct speed loop and torque characteristics for the application;
the reference frequency profile applied to the drive control loop is followed.
Requirements on Logical Inputs

 Sink mode is not used with the safety function. If you use the safety function, you need to wire the logic
inputs in source mode.
 PTC on LI6 is incompatible with the safety function set on this input. If you are using the safety function
on LI6, do not set the PTC switch to PTC
 If you are using the pulse input, you cannot set the safety function on LI5 at the same time.
Detected Fault Inhibition
When a safety function has been configured, the error [Safety Function Fault] SAFF cannot be inhibited
by the function [Fault Inhibit assign.] InH
Priority Between Safety Functions
1. The safety function STO has the highest priority. If the safety function STO is triggered, a Safe Torque
Off is performed regardless of which other functions are active.
2. The safety function SS1 has medium priority in relation to the other safety functions.
3. The safety function SLS and GDL has the lowest priority.
Factory Settings
If the safety functions are configured and you restore the factory settings, only the parameters which are
not safety-related will be reset to the factory setting. The settings of safety-related parameters can only be
reset using the commissioning software, for more information see Commissioning (see page 81).
46 S1A45606 01/2017
Configuration Download
You can transfer a configuration in all situations. If a safety function has been configured, the functions
using these same logic inputs will not be configured.
For example: If the downloaded configuration has functions (Preset speed,...) on LI3-4-5-6 and if the drive
has a safety function configured on these logic inputs, safety function will not be erased. It is the functions
that have the same logic input as safety functions that are not transferred. Multiconfiguration/multimotor
and macro configuration obey the same rules.
S1A45606 01/2017 47
Priority Between Safety Functions and No Safety-Related Functions
Priority Table
o: Compatible functions
x: Incompatible functions
: The function indicated by the arrow has priority over the other.
Drive Function SLS SS1 STO SMS

[HIGH SPEED HOISTING]
HSH-
[+/- SPEED] UPd-
[Skip Frequency] JPF o o
[Low speed time out] tLS o o o
[MULTIMOTORS] MMC- Configuration must be consistent with the 3 o Configuration

motors must be
consistent with
the 3 motors
[PRESET SPEEDS] PSS- o
[PID REGULATOR] PId- o o
[RAMP] rPt- profile o
[Freewheel stop ass. ]nSt o
[Fast stop assign.] FSt : SLS ramp o

: SLS steady
[TRAVERSE CONTROL] tr0-
[EXTERNAL FAULT] EtF- : NST : NST : NST : NST

x: DCI x: DCI : DCI x: DCI
: fast, ramp, fallback, : fast, ramp, : fast, ramp, : fast, ramp,
maintain fallback, fallback, fallback,
maintain maintain maintain
[AUTOMATIC RESTART]
Atr-
[FAULT RESET] rSt-
[JOG] JOG-
[STOP CONFIGURATION] Stt-

[Ramp stop] rMP : SLS ramp
: SLS steady
[Fast stop] FSt : SLS ramp
: SLS steady
[DC injection] dCI x x x
[+/-SPEED AROUND REF.]

SrE-
[POSITIONING BY SENSORS] : SLS ramp : Position is
LPO-
& position is not respected not respected
[RP input] PFrC o: if the safety function is not o: if the safety o: if the safety o: if the safety
assigned to LI5 function is not function is not function is not
assigned to LI5 assigned to LI5 assigned to LI5
[Underload Detection] ULF
[Overload Detection] OLC
[Rope slack config.] rSd x x x x

[UnderV. prevention] StP x x
48 S1A45606 01/2017
[AUTO DC INJECTION] AdC- x x x
[DC injection assign.] dCI x x x
[Load sharing] LbA o: If the [Stator Frequency]

StFr is above the
frequency limit threshold,
the error SAFF is triggered.
[Motor control type] Ctt
[Standard] Std x x o x
[SVC V] UUC o o o o
[V/F Quad.] UFq x x o x
[Energy Sav.] nLd x x o x
[Sync. mot.] SYn x x o x
[V/F 5pts] UF5 x x o x
[OUTPUT PHASE LOSS] OPL x: Motor output phase loss is x: Motor output o x: Motor output
detected by the safety phase loss is phase loss is
function detected by the detected by the
safety function safety function
[Output cut] OAC x x x x
[Dec ramp adapt.] brA o :If the [Stator Frequency] o :If the [Stator o
StFr is above the Frequency]
Frequency limit threshold, StFr is
the error SAFF is triggered. above the
Frequency limit
threshold, the
error SAFF is
triggered.
[REF. OPERATIONS] OAI- o
[2 wire] 2C o: Run command on o: Run o: Run o: Run

transition command on command on command on
Run command on level is transition transition transition
not compatible Run Run Run
command on command on command on
level is not level is not level is not
compatible compatible compatible
[PTC MANAGEMENT] PtC- o: inactive if the safety o: inactive if the o: inactive if the o: inactive if the
function is not assigned to safety function safety function safety function
LI6 is not assigned is not assigned is not assigned
to LI6 to LI6 to LI6
[FORCED LOCAL] LCF- o
[LI CONFIGURATION] o: inactive if the safety o: inactive if the o:inactive if the o:inactive if the
function is assigned to logic safety function safety function safety function
input is assigned to is assigned to is assigned to
logic input logic input logic input
[MULTIMOTORS/CONFIG]. o: except safety-related o: except o: except o: except
MMC- parameters safety-related safety-related safety-related
parameters parameters parameters
[FAULT INHIBITION] InH x x x x
[Profile] CHCF Logic input used by safety Logic input used Logic input Logic input
function cannot be switched by safety used by safety used by safety
function cannot function cannot function cannot
be switched be switched be switched
S1A45606 01/2017 49
[Macro configuration] CFG : Macro configuration : Macro : Macro : Macro
could be overlapped if configuration configuration configuration
safety function use a logical could be could be could be
input requested by the overlapped if overlapped if overlapped if
macro configuration safety function safety function safety function
use a logical use a logical use a logical
input requested input requested input requested
by the macro by the macro by the macro
configuration configuration configuration
[Motor short circuit] SCF1 o
[Ground short circuit] SCF3 o
[Overspeed] SOF o
[Sync. mot.] SYn x x o x

[Configuration Transfer] o: except safety-related o: except o: except o: except
parameters safety-related safety-related safety-related
parameters parameters parameters
[Energy Sav.] nLd x x o x
For more information about these functions, see ATV32 Programming manual.
50 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 5
Safety Functions Visualization by HMI
Safety Functions Visualization by HMI

Topic Page
Status of Safety Functions 52
Dedicated HMI 52
Error Code Description 53
S1A45606 01/2017 51
Status of Safety Functions
Description
The status of the safety functions can be displayed using the HMI of the drive or using the commissioning
software. HMI of the drive can be the local HMI on the product or the graphic display terminal or the remote
display terminal. There is one register for each safety function. See introduction (see page 12) for more
information about the safety functions.
To access these registers with an HMI: [2 MONITORING] MOn- --> [MONIT. SAFETY] SAF-
 [STO status] StOS: Status of the safety function STO (Safe Torque Off)
 [SLS status] SLSS: Status of the safety function SLS (Safely-Limited Speed)
 [SS1 status] SS1S: Status of the safety function SS1 (Safe Stop 1)
 [SMS status] SMSS: Status of the safety function SMS (Safe Maximum Speed)
 [GDL status] GDLS: Status of the safety function GDL (Guard Door Locking)
The status registers are not approved for any type of safety-related use.
For more information about these registers, see ATV32ATV320 Visualization and Status of Safety
Functions (see page 88) on www.schneider-electric.com.
Dedicated HMI
Description
When a safety function has been triggered, some information is displayed.
Example with the local HMI of the product when the safety function SS1 has been triggered:
: Display alternately the name of the safety function SS1 and the current display parameter as long as
the motor decelerates according to the specified monitoring ramp until standstill is reached, After the
[Standstill level] SSSL has been reached, the safety function STO is triggered and displayed
52 S1A45606 01/2017
Error Code Description
Description
When an error is detected by the safety function, the drive displays [Safety function fault] (SAFF). This
detected error can only be reset after powering the drive OFF/ON.
for more information, you can access to the registers to find out the possible reasons for triggering.
These registers can be displayed using the graphic display terminal or the commissioning software:
[DRIVE MENU] --> [MONITORING] --> [DIAGNOSTICS] --> [MORE FAULT INFO]
SFFE [Safety Function Error Register]
Bit Description
Bit0=1 Logic inputs debounce time-out (verify value of debounce time LIDT according to the
application)
Bit1 Reserved
Bit2=1 Motor speed sign has changed during SS1 ramp
Bit3=1 Motor speed has reached the frequency limit threshold during SS1 ramp.
Bit4 Reserved
Bit5 Reserved
Bit6=1 Motor speed sign has changed during SLS limitation
Bit7=1 Motor speed has reached the frequency limit threshold during SLS.
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13=1 Not possible to measure the motor speed (verify the motor wiring connection)
Bit14=1 Motor ground short-circuit detected (verify the motor wiring connection)
Bit15=1 Motor phase to phase short-circuit detected (verify the motor wiring connection)
This register is reset after powering OFF/ON.

This register can also be accessed from [DRIVE MENU] --> [MONITORING] --> [MONIT. SAFETY]
S1A45606 01/2017 53
SAF1 [Safety Fault Register 1]
This is an application control error register.
Bit Description
Bit0=1 PWRM consistency detected error
Bit1=1 Safety functions parameters detected error
Bit2=1 Application auto test has detected an error
Bit3=1 Diagnostic verification of safety function has detected an error
Bit4=1 Logical input diagnostic has detected an error
Bit5=1 SMS or GDL safety function detected error, for details refer { SF04} Safety Fault Subregister
04 (see page 57).
Bit6=1 Application watchdog management active
Bit7=1 Motor control detected error
Bit8=1 Internal serial link core detected error
Bit9=1 Logical input activation detected error
Bit10=1 Safe Torque Off function has triggered an error
Bit11=1 Application interface has detected an error of the safety functions
Bit12=1 Safe Stop 1 function has detected an error of the safety functions
Bit13=1 Safely Limited Speed function has triggered an error
Bit14=1 Motor data is corrupted
Bit15=1 Internal serial link data flow detected error
SAF2 [Safety Fault Register 2]

This is a motor control error register.
Bit Description
Bit0=1 Consistency stator frequency verification has detected an error
Bit1=1 Stator frequency estimation detected error
Bit2=1 Motor control watchdog management is active
Bit3=1 Motor control hardware watchdog is active
Bit4=1 Motor control auto test has detected an error
Bit5=1 Chain testing detected error
Bit6=1 Internal serial link core detected error
Bit7=1 Direct short-circuit detected error
Bit8=1 PWM driver detected error
Bit9=1 GDL safety function internal error
Bit10 Reserved
Bit11=1 Application interface has detected an error of the safety functions
Bit12 Reserved
Bit13 Reserved
Bit14=1 Motor data is corrupted
Bit15=1 Internal serial link data flow detected error
54 S1A45606 01/2017
SF00 [Safety Fault Subregister 00]
This is an application auto test error register.
Bit Description
Bit0 Reserved
Bit1=1 Ram stack overflow
Bit2=1 Ram address integrity detected error
Bit3=1 Ram data access detected error
Bit4=1 Flash checksum detected error
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9=1 Fast task overflow
Bit10=1 Slow task overflow
Bit11=1 Application task overflow
Bit12 Reserved
Bit13 Reserved
Bit14=1 PWRM line is not activated during initialization phase
Bit15=1 Application hardware watchdog is not running after initialization

This is a logical input diagnostics error register
Bit Description
Bit0=1 Management - state machine detected error
Bit1=1 Data required for test management are corrupted
Bit2=1 Channel selection detected error
Bit3=1 Testing - state machine detected error
Bit4=1 Test request is corrupted
Bit5=1 Pointer to test method is corrupted
Bit6=1 Incorrect test action provided
Bit7=1 Detected error in results collecting
Bit8=1 LI3 detected error.Cannot activate safety function
Bit9=1 LI4 detected error. Cannot activate safety function
Bit10=1 LI5 detected error. Cannot activate safety function
Bit11=1 LI6 is detected error. Cannot activate safety function
Bit12=1 Test sequence updated while a diagnostic is in progress
Bit13=1 Detected error in test pattern management
Bit14 Reserved
Bit15 Reserved
S1A45606 01/2017 55
This is an application watchdog management detected error register.
Bit Description
Bit0=1 Fast task detected error
Bit1=1 Slow task detected error
Bit2=1 Application task detected error
Bit3=1 Background task detected error
Bit4=1 Safety function fast task/input detected error
Bit5=1 Safety function slow task/input detected error
Bit6=1 Safety function application task/inputs detected error
Bit7=1 Safety function application task/treatment detected error
Bit8=1 Safety function background task detected error
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
Bit Description
Bit0=1 Debounce time out
Bit1=1 Input not consistent
Bit2=1 Consistency verification - state machine detected error
Bit3=1 Consistency verification - debounce timeout corrupted
Bit4=1 Response time data detected error
Bit5=1 Response time corrupted
Bit6=1 Undefined consumer queried
Bit7=1 Configuration detected error
Bit8=1 Inputs are not in nominal mode
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
56 S1A45606 01/2017
This is a [Safe Torque Off] STO detected error register
Bit Description
Bit0=1 No signal configured
Bit1=1 State machine detected error
Bit2=1 Internal data detected error
Bit3 Reserved
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8=1 SMS overspeed detected error
Bit9=1 SMS internal detected error
Bit10 Reserved
Bit11 Reserved
Bit12=1 GDL internal detected error 1
Bit13=1 GDL internal detected error 2
Bit14 Reserved
Bit15 Reserved

This is a [Safe Stop 1] SS1 detected error register
Bit Description
Bit1=1 Motor speed sign has changed during stop
Bit2=1 Motor speed has reached the frequency limit threshold.
Bit3=1 Theoretical motor speed corrupted
Bit4=1 Unauthorized configuration
Bit5=1 Theoretical motor speed computation detected error
Bit6 Reserved
Bit7=1 Speed sign verification: consistency detected error
Bit8=1 Internal SS1 request corrupted
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
S1A45606 01/2017 57
This is a [Safely Limited Speed] SLS detected error register
Bit Description
Bit1=1 Motor speed sign changed during limitation
Bit2=1 Motor speed has reached the frequency limit threshold
Bit3=1 Data corruption
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved

This is an application watchdog management detected error register.
Bit Description
Bit0 Reserved
Bit1 Reserved
Bit2 Reserved
Bit3 Reserved
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
58 S1A45606 01/2017
This is an application watchdog management detected error register
Bit Description
Bit0=1 PWM task detected error
Bit1=1 Fixed task detected error
Bit2=1 ATMC watchdog detected error
Bit3=1 DYNFCT watchdog detected error
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
SF09 Safety Fault Subregister 09

This is a motor control auto test detected error register.
Bit Description
Bit0 Reserved
Bit1=1 Ram stack overflow
Bit2=1 Ram address integrity detected error
Bit3=1 Ram data access detected error
Bit4=1 Flash checksum error
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9=1 1 ms task overflow
Bit10=1 PWM task overflow
Bit11=1 Fixed task overflow
Bit12 Reserved
Bit13 Reserved
Bit14=1 Unwanted interruption
Bit15=1 Hardware WD is not running after initialization
S1A45606 01/2017 59
This is a motor control direct short-circuit detected error register
Bit Description
Bit0=1 Ground short circuit - configuration detected error
Bit1=1 Phase to phase short circuit - configuration detected error
Bit2=1 Ground short circuit
Bit3=1 Phase to phase short circuit
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8 Reserved
Bit9 Reserved
Bit10 Reserved
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved

This is a motor control dynamic verification of activity detected error register
Bit Description
Bit0=1 Application requested a diagnostic of direct short-circuit
Bit1=1 Application requested consistency verification of stator frequency estimation (voltage and
current)
Bit2=1 Application requested diagnostic of SpdStat provided by motor control
Bit3 Reserved
Bit4 Reserved
Bit5 Reserved
Bit6 Reserved
Bit7 Reserved
Bit8=1 Motor control diagnostic of direct short circuit is enabled
Bit9=1 Motor control consistency verification of stator frequency estimation is enabled
Bit10=1 Motor control diagnostic of SpdStat provided by motor control is enabled
Bit11 Reserved
Bit12 Reserved
Bit13 Reserved
Bit14 Reserved
Bit15 Reserved
60 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 6
Technical Data
Technical Data

Topic Page
Electrical Data 62
Getting and Operating the Safety Function 63
Safety Function Capability 64
Debounce Time and Response Time 67
S1A45606 01/2017 61
Electrical Data
Logic Type
The drive logic inputs and logic outputs can be wired for logic type 1 or logic type 2.
Logic Type Active State

1 The output draws current (Sink)
Current flows to the input
2 The output supply flows from the input current
Current (Source)
Safety functions must only be used in source mode.

Signal inputs are protected against reverse polarity, outputs are protected against short-circuits. The inputs
and outputs are galvanically isolated.
Cabling Label
62 S1A45606 01/2017
Getting and Operating the Safety Function
Logic Input
General-purpose logic inputs can be used to trigger a safety function. Logic inputs have to be combined in
pairs to obtain a redundant request. There are only 4 general-purpose logic inputs that can be linked to
safety functions (LI3, LI4, LI5, LI6).The pairs of logic inputs are fixed and are:
 LI3 and LI4
 LI5 and LI6
 Another combination is only possible for the STO function: LI3 and STO
Pairs of logic inputs can only be assigned once when they are linked to a safety function. When you set a
safety function on an logic input you cannot set another function (safety or other) on this logic input. If you
set a non-safety function on an logic input you cannot set a safety function on this logic input.
The SISTEMA Software

The SISTEMA software allows machine developers and testers of safety-related machine controls to
evaluate the safety standard or level of their machine in the context of IEC 13849-1. The tool allows you to
model the structure of safety-related control components based on the designated architectures, allowing
automated calculation of the reliability standards with various levels of detail, including that of the
Performance Level (PL).
The Altivar 32 Libraries are available from www.schneider-electric.com.
Preventa Safety Relays

Used for the creation of complex safety functions in machines, allowing management of the I/O, and also
for protecting both the operator and the machine.
The Preventa range of products feature microprocessor-based technology using the redundancy principle,
and are essential to ensure safe operation of dangerous machinery.
S1A45606 01/2017 63
Safety Function Capability
PDS (SR) safety functions are part of an overall system

If the qualitative and quantitative safety objectives determined by the final application require some
adjustments to ensure safe use of the safety functions, the integrator of the BDM (Basic Drive Module) is
responsible for these additional changes (for example, managing the mechanical brake on the motor).
Also, the output data generated by the use of safety functions (fault relay activation, error codes or
information on the display, etc.) is not considered to be safety-related data.
Machine Application Function Configuration
STO SS1 type C (5) SLS/STO/SS

1 / SMS type
B (6)
STO STO and LI3 STO with Preventa STO and LI3 with LI3 LI5
XPS ATE or Preventa LI4 LI6
XPS AV or XPS AV or
equivalent equivalent
IEC 61800-5-2 / SIL2 SIL3 SIL2 SIL3 SIL2
IEC 61508 /
Standard
IEC 62061 (1) SIL2 SIL3 CL SIL2 CL SIL3 CL SIL2 CL

IEC 62061 (2) Category 3 Category 4 Category 3 Category 4 Category 3
ISO 13849-1 (3) PL d PL e PL d PL e PL d
IEC 60204-1 (4) Category stop 0 Category stop 0 Category stop 1 Category stop 1
(1) Because the IEC 62061 standard concerns integration, this standard distinguishes the overall safety
function (which is classified SIL2 or SIL3 for ATV32 according to the diagrams Process system SF - Case 1
and Process system SF - Case 2 from components which constitute the safety function (which is classified
SIL2 CL or SIL3 CL for ATV32).
(2) According to table 6 of IEC 62061 (2005).
(3) According to table 4 of EN 13849-1 (2008).
(4) If protection against supply interruption or voltage reduction and subsequent restoration is needed
according to IEC 60204-1, a safety module type Preventa XPS AF or equivalent must be used.
(5) SS1 type C: the power drive initiates the motor deceleration and initiates the STO function after an
application specific time delay.
(6) SS1 type B: the power drive initiates and monitors the motor deceleration rate within set limits to stop
the motor and initiates the STO function when the motor speed is below a specified limit.
Process Application Function Configuration
STO SS1 type C (2) SLS / STO / SS1 / SMS

type B (3)
STO STO and LI3 STO with Preventa STO and LI3 LI3 LI4 LI5 LI6
XPS ATE or XPS AV with Preventa
or equivalent XPS AV or
equivalent
IEC 61800-5-2 SIL2 SIL3 SIL2 SIL3 SIL2
Standard
IEC 61508
IEC 62061 (1) SIL2 CL SIL3 CL SIL2 CL SIL3 CL SIL2 CL
function (which is classified SIL2 or SIL3 for ATV32 according to diagrams CASE 1 and CASE 2 from
components which constitute the safety function (which is classified SIL2 CL or SIL3 CL for ATV32).
(2) SS1 type C: the power drive initiates the motor deceleration and initiates the STO function after an
application specific time delay.
(3) SS1 type B: the power drive initiates and monitors the motor deceleration rate within set limits to stop
the motor and initiates the STO function when the motor speed is below a specified limit.
64 S1A45606 01/2017
Input Signal Safety Functions
Input signals safety functions Units Value for LI3 to LI6 Value for STO
Logic 0 (Ulow) V <5 <2
Logic 1 (Uhigh) V > 11 > 17
Impedance (24V) kΩ 3.5 1.5
Debounce time ms <1 <1
Response time of safety function ms < 10 < 10
Summary of the Reliability Study
Function Standard Input STO input STO input & LI3 LI3 & LI4 or LI5 & LI6
STO IEC 61508 Ed.2 SFF 96.7% 96% 94.8%
PFD10y 7.26.10-4 4.00.10-4 2.44.10-3
PFD1y 7.18.10-5 3.92.10-5 2.33.10-4
PFHequ_1y 8.20 FIT (1) 4.47 FIT (1) 26.6 FIT (1)
Type B B B
HFT 1 1 0
DC 93.1% 91.5% 90%
SIL capability 2 3 2
IEC 62061 (1) SIL CL capability 2 3 2
IEC 62061 (3) Category 3 4 3
ISO 13849-1 (4) PL d e d
3
MTTFd in years 13900 L1 3850L2 29300 4290
SS1 type B IEC 61508 Ed.2 SFF 93.3%
SLS PFD10y 2.72.10-3
SMS
PFHequ_10y 31.1 FIT (1)
Type B
HFT 0
DC 78.7%
SIL capability 2
IEC 62061 (2) SIL CL capability 2
IEC 62061 (3) Category 3
ISO 13849-1 (4) PL d
3
MTTFd in years 3670
Function Standard Input STO input STO input & LI3 LO1
GDL IEC 61508 Ed.2 SFF 85%
PFDequ1y 8,2.10-4
PFDequ10y 8,2.10-3
PFH 187 FIT(1)
Type B
HFT 0
DC 71%
SIL capability 1
IEC 62061 (2) SIL CL capability 1
IEC 62061 (3) Category 2
ISO 13849-1 (4) PL c
3
MTTFd in years 609
S1A45606 01/2017 65
(1) FIT: Failure In Time = 10-9 failure per hour.
function (which is classified SIL2 or SIL3 for ATV32 according to diagrams Process system SF - Case 1
and Process system SF - Case 2, from components which constitute the safety function (which is classified
SIL2 CL or SIL3 CL for ATV32).
(3) According to table 6 of IEC 62061 (2005).
(4) According to table 4 of EN 13849-1 (2008).
Preventive annual activation of the safety function is recommended.
However, the safety levels can be obtained (with lower margins) without annual activation.
For the machine environment, a safety module is required for the STO function.
To avoid the use of a safety module, the Restart function parameters must be part of the safety function.
Please refer to the description of advantages of the safety module.
NOTE: The table above is not sufficient to evaluate the PL of a PDS. The PL evaluation has to be done at
the system level. The fitter or the integrator of the BDM (Basic Drive Module) has to do the system PL
evaluation by including sensors data with numbers from the table above.
66 S1A45606 01/2017
Debounce Time and Response Time
Description
On the ATV32 there are 2 parameters to configure logic inputs for safety function (LI3, LI4, LI5, LI6).
The consistency of each pair of logical input is verified continuously.
[LI debounce time] LIdt: A logical state difference between LI3/LI4 or LI5/LI6 is allowed during
debounce time, otherwise a detected error is activated.
[LI response time] LIrt: The logic input response time manages the safety function activation shift.
: Logic input Response Time

: Logic input Debounce Time
S1A45606 01/2017 67
68 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 7
Certified Architectures

Topic Page
Introduction 70
Multi-drive with the Safety Module Type Preventa XPS AF - Case 1 71
Multi-drive with the Safety Module Type Preventa XPS AF - Case 2 72
Multi-drive Without the Safety Module 73
Single Drive with the Safety Module Type Preventa XPS AV - Case 1 74
Single Drive with the Safety Module Type Preventa XPS AV - Case 2 75
Single Drive with the Safety Module Type Preventa XPS AF - Case 1 76
Single Drive with the Safety Module Type Preventa XPS AF - Case 2 77
Single Drive According to IEC 61508 and IEC 60204-1 - Case 1 78
Single Drive According to IEC 61508 and IEC 60204-1 - Case 2 79
Single Drive According to IEC 61508 and IEC 62061 with Safety Function GDL 80
S1A45606 01/2017 69
Introduction
NOTE: For certification relating to functional aspects, only the PDS(SR) (Power Drive System suitable for
use in safety-related applications) will be considered, not the complete system into which it is integrated to
help to ensure the functional safety of a machine or a system/process.
These are the certified architectures:
 Multi-drive with the Safety module type Preventa XPS AF - Case 1
 Multi-drive with the Safety module type Preventa XPS AF - Case 2
 Multi-drive without the Safety module
 Single drive with the Safety module type Preventa XPS AV - Case 1
 Single drive with the Safety module type Preventa XPS AV - Case 2
 Single drive with the Safety module type Preventa XPS AF - Case 1
 Single drive with the Safety module type Preventa XPS AF - Case 2
 Single drive according to IEC 61508 and IEC 60204-1 - Case 1
 Single drive according to IEC 61508 and IEC 60204-1 - Case 2
The safety functions of a PDS(SR) (Power Drive System suitable for use in safety-related applications) are
part of an overall system.
If the qualitative and quantitative safety-related objectives determined by the final application require some
adjustments to ensure safe use of the safety functions, the integrator of the BDM (Basic Drive Module) is
responsible for these additional changes (for example, managing the mechanical brake on the motor).
Also, the output data generated by the use of safety functions (fault relay activation, error codes or
information on the display, etc.) is not considered to be a safety-related data.
70 S1A45606 01/2017
Multi-drive with the Safety Module Type Preventa XPS AF - Case 1
Multi-drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
The following configurations apply to the diagram:
 STO category 4, PL e/SIL3 Machine with Safety module type Preventa XPS AF or equivalent and LI3
set to STO
 SLS category 3, PL d/SIL2 or SS1 type B category 3 on LI5/LI6
Or
 STO category 4, PL e/SIL3 Machine with Safety module type Preventa XPS AF or equivalent and LI3
set to STO
 LI4 and LI5/LI6 not set to a safety function
(1) Braking resistor, if used, (2) Standardized coaxial cable, type RG174/U according to MIL-C17 or KX3B
according to NF C 93-550, external diameter 2.54 mm /0.09 in., maximum length 15 m / 49.21 ft. The cable
shielding must be earthed, (3) Line choke, if used, (4) Multi-drives is possible with another drive (Example:
ATV71 with PWR connection or Lexium servo drives)
NOTE: For more information about the control terminal characteristics, please refer to the installation
manual.
S1A45606 01/2017 71
Multi-drive with the Safety Module Type Preventa XPS AF - Case 2
Multi-drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
The following configurations apply to the diagram below:
 STO category 3, PL d/SIL2 Machine with Safety module type Preventa XPS AF or equivalent
 SLS category 3, PL d/SIL2 or SS1 type B category 3 on LI3/LI4 or LI5/LI6
(1) Braking resistor, if used, (2) Standardized coaxial cable, type RG174/U according to MIL-C17 or KX3B
according to NF C 93-550, external diameter 2.54 mm /0.09 in., maximum length 15 m / 49.21 ft. The cable
shielding must be earthed, (3) Line choke, if used, (4) Multi-drives is possible with another drive (Example:
ATV71 with PWR connection or Lexium servo drives).
manual.
72 S1A45606 01/2017
Multi-drive Without the Safety Module
Multi-drive Without the Safety Module Type Preventa XPS AF According to IEC 61508
 STO SIL2 on STO
 SLS SIL2 or SS1 type B SIL2 on LI3/LI4 or LI5/LI6
Or
 STO SIL2 on STO
 SLS or SS1 type B on LI3/LI4
 LI5/LI6 not set to a safety function
Or
 STO SIL2 on STO
 LI3/LI4 and LI5/LI6 not set to a safety function
Or
 STO SIL3 on STO and LI3
 SLS SIL2 or SS1 type B SIL2 on LI5/LI6
 LI4 not set to a safety function
Or
(1) Braking resistor, if used, (2) Line chokes, if used.

manual.
S1A45606 01/2017 73
Single Drive with the Safety Module Type Preventa XPS AV - Case 1
Single Drive with the Safety Module Type Preventa XPS AV According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
 SS1 type C category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AV or equivalent
Or
 SS1 type C category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AV or equivalent
Or
 SS1 type C category 3, PL d/SIL2 on STO and LI3 with Safety module type Preventa XPS AV or
equivalent
(1) Channel 1 logic, (2) Channel 2 logic, (3) Output 1, (4) Output 2, (5) Emergency stop, (6) Start, (7) Time
delay stop, (8) Braking resistor, if used, (9) Line chokes, if used
manual.
74 S1A45606 01/2017
Single Drive with the Safety Module Type Preventa XPS AV - Case 2
Single Drive with the Safety Module Type Preventa XPS AV According to EN 954-1, IEC 13849-1 and IEC 60204-1 (Machine)
 SS1 type C category 4, PL e/SIL3 on STO and LI3 with Safety module type Preventa XPS AV or
equivalent
 SLS category 3, PL d/SIL2 or SS1 type B category 3 PL d/SIL2 on LI5/LI6
(1) Channel 1 logic, (2) Channel 2 logic, (3) Output 1, (4) Output 2, (5) Emergency stop, (6) Time delay
stop, (7) Braking resistor, if used, (8) Line chokes, if used.
manual.
S1A45606 01/2017 75
Single Drive with the Safety Module Type Preventa XPS AF - Case 1
Single Drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1, IEC 62061 and 60204-1
(Machine)
 STO category 3, PL d/SIL2 on STO with Safety module type Preventa XPS AF or equivalent
 SLS category 3, PL d/SIL2 or SS1 type B category 3 on LI3/LI4 or LI5/LI6
Or
Or

manual.
76 S1A45606 01/2017
Single Drive with the Safety Module Type Preventa XPS AF - Case 2
Single Drive with the Safety Module Type Preventa XPS AF According to EN 954-1, IEC 13849-1, IEC 62061 and 60204-1
(Machine)
 STO category 4, PL e/SIL3 on STO with Safety module type Preventa XPS AF or equivalent and LI3
set to STO
(1) Start, (2) Braking resistor, if used, (3) Line chokes if used.
manual.
S1A45606 01/2017 77
Single Drive According to IEC 61508 and IEC 60204-1 - Case 1
Single Drive According to IEC 61508 and IEC 60204-1 Without Protection Against Supply Interruption or Voltage Reduction and
Subsequent Rotation
 STO SIL2 on STO
 STO or SLS SIL2 or SS1 type B SIL2 on LI3/LI4 or LI5/LI6
Or
 STO SIL2 on STO
 STO or SLS or SS1 type B on LI3/LI4
Or
 STO SIL2 on STO
Or
Or
(1) Braking resistor, if used, (2) Line chokes if used.

manual.
78 S1A45606 01/2017
Single Drive According to IEC 61508 and IEC 60204-1 - Case 2
Single Drive According to IEC 61508 and IEC 60204-1 Without Protection Against Supply Interruption or Voltage Reduction and
Subsequent Rotation
 STO SIL2 on LI3 and LI4
Or
 STO SIL2 on LI3 and LI4
Wiring Diagram

manual.
S1A45606 01/2017 79
Single Drive According to IEC 61508 and IEC 62061 with Safety Function GDL
Certified Wring Diagram

GDL category 2, PL c/SIL1is applicable to the following wiring diagram.
(1) Standardized coaxial cable, type RG174/U according to MIL-C17 or KX3B according to NF C 93-550, external
diameter 2.54 mm /0.09 in. maximum length 15 m / 49.21 ft. The cable shielding must be grounded
(2) Guard door lock
80 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 8
Commissioning
Commissioning

Topic Page
Safety Functions Tab 82
Configure Safety Functions Panel 83
Visualization and Status of Safety Functions 88
Copying Safety Related Configuration from Device to PC and from PC to Device 89
Machine Signature 92
Conversion of the Safety Configuration 93
S1A45606 01/2017 81
Safety Functions Tab
Introduction
To access the safety function configuration, click the Safety Functions tab. This screen is read-only,
allowing you to see all current safety function configurations.
The Safety Functions tab provides access to:
 an outline of the safety function features available on the ATV32 (accessible online/offline)
 the status of all I/O in connected mode
 general information about the machine (online/offline).
It also provides access to the following dialog boxes:

 Configuration
 Configure (only available in connected mode)
 Reset Configuration
 Copy from DEVICE to PC
 Copy from PC to DEVICE
 Convert...
 Password Configuration
 Modify Password
 Reset Password
Pre-Condition
Before configuring the safety-related parameters, make sure that the device firmware and the DTM version
are the same.
Steps to Configure the Safety Functions
If... Then ...

you are not in online mode In the menu bar, click Communication → Connect to Device or click the Connect to
Device icon
you are online mode Click the Configure button in the Safety Functions tab.
Once connected:
Step Action Comment

1 Click the Configure button in the A Define Configuration Password dialog box appears:
Safety Functions tab.  Type the new configuration password in Enter New Password box
 Retype the new configuration password in Confirm New Password
box.
 Click Ok
NOTE:
Your password:
 Should have only numeric value, choose the value between
1...9999.
 Should not exceed more than 4 digits.
 Should not have the value 0.
Result: Opens the Configuration of Safety Functions window.
If... Then ...

you have already defined type your safety function configuration password in Enter Configuration Password box,
the password click Ok.
Result: Opens the Configuration of Safety Functions window.
82 S1A45606 01/2017
Configure Safety Functions Panel
Overview
The Configuration of Safety Functions panel includes the Information, STO, SLS, SS1, SMS, GDL, and
Input/Output tabs.
Information Tab
The information tab allows you to define and display product system information
Information filled in automatically by SoMove:

 Date (format depends on the PC local and linguistic options)
 Device Type
 Drive Reference
Information filled in manually:

 Device Serial No (number)
 Machine Name
 Company Name
 End-User Name
 Comments
Safe Torque Off (STO) Tab

For more information about STO function, see STO description (see page 18).
For this function, only the associated set of inputs should be selected in the box. The parameter to be
managed is: STOA.
Code Name/Description Factory

Setting
StO [Safe Torque Off]
StOA [STO function activation] [No]
nO [No: Not assigned]
L34 [LI3 and LI4]: logical input 3/4 low state
L3PW [LI3 and STO]: logical input 3/STO low state
This parameter is used to configure the channel used to trigger the STO function. If you set STOA=No,
STO function is always active but just on STO input
S1A45606 01/2017 83
Safely Limited Speed (SLS) Tab
For more information about SLS function, see SLS description (see page 22).
Code Name/Description Adj. Range Factory

Setting
SLS [Safely-Limited Speed]
SLSA [SLS function activation] [No]
nO
[No]: Not assigned
L34
[LI3 and LI4]: logical input 3/4 low state
L56
[LI5 and LI6]: logical input 5/6 low state
This parameter is used to configure the channel used to trigger the SLS function.
SLt [Safely Limited speed Type Element] [Type1]
This parameter is used to select the SLS type.

tYp1 [Type1] : SLS type 1
tYp4 [Type4]: SLS type 4
Refer to function description to have information about behavior of different type.
SLSP [SLS set point] parameter 0...599 Hz 0 Hz
This parameter is only visible if SLT = Type2 or SLT = Type3 or SLT = Type 4
SLSP is used to set the maximum speed
SLtt [SLS tolerance threshold] parameter 0...599 Hz 0 Hz
The behavior of this parameter depends on the value of SLT, see above
SLwt [SLS Wait Time] parameter 0...5000 ms 0 Hz
This parameter is used to set the maximum time for StFr to be greater than SSSL.
When SLwt is reached, STO function is triggered.
Unit of this parameter is 1 ms.
For example
If the value is set to 2000 units, then the SLS wait time in second is:
2000*1 ms = 2 s
This parameter can be modified only if SLT = Type 2 or SLT = Type 3
For SLS type 1 and SLS type 4, SLwt is always set to 0
SSrt [SS1 ramp value] parameter 1 to 5990 1
The unit depends on the SSRU parameter. Use this parameter to set the value of the SS1 deceleration
ramp.
SS1 ramp = SSRT*SSRU example: If SSRT = 250 and SSRU = 1 Hz/s then the deceleration ramp = 25
Hz/s.
This parameter is similar to the SS1 safety function, for more information see SS1 (see page 40).
SSrU [SS1 ramp unit] parameter [1 Hz/s]
1H
[1 Hz/s]
10H
[10 Hz/s]
100H
[100 Hz/s]
This parameter is used to set the SSrt unit.
This parameter is similar to the SS1 safety function configured, for more information see SS1
(see page 40).
SStt [SS1 trip threshold] 0...599 Hz 0 Hz
This parameter sets the tolerance zone around the deceleration ramp in which the frequency may vary.
This parameter is similar to the SS1 safety function configured in another tab.
SSSL [SLS/SS1 standstill level] parameter 0...599 Hz 0 Hz
This parameter adjusts the frequency at which the drive should go into STO state at the end of the SS1
ramp.
This parameter is similar to the SS1 safety function configured in another tab.
84 S1A45606 01/2017
Safe Stop 1 (SS1) Tab
For more information about SS1 function, see SS1 description (see page 20).

Setting
SS1 [Safe Stop 1]
SS1A [Safe Stop 1 Activation] [No]
nO [No]: Not assigned
These parameters are used to configure the channel used to trigger the SS1 function.
SSrt [SS1 ramp value] 1 to 800 1
The unit depends on the SSRU parameter. Use this parameter to set the value of the SS1 deceleration
ramp.
SS1 ramp = SSRT*SSRU example: If SSRT = 250 and SSRU = 1 Hz/s then the deceleration ramp =
25 Hz/s.
This parameter is similar to the SLS safety function configured in another tab.
SSrU [SS1 ramp unit] [1 Hz/s]
1H [1 Hz/s]
10H [10 Hz/s]
100H [100 Hz/s]
This parameter is used to set the SSRT unit.
SStt [SS1 trip threshold] parameter 0...599 Hz 0 Hz
This parameter sets the tolerance zone around the deceleration ramp in which the frequency may vary.
This parameter is similar to the SLS safety function configured,
SSSL [SLS/SS1 standstill level] parameter 0...599 Hz 0 Hz
This parameter adjusts the frequency at which the drive should go into STO state at the end of the SS1
ramp.
Safe Maximum Speed (SMS) Tab

For more information about SMS function, see SMS description (see page 29).

Setting
SMS [Safe Maximum Speed]
SMSA [SMS Activation] [No]
NO [No]: SMS function is not active.
Yes [Yes]: SMS function is active
This parameter is used to configure the channel used to trigger the SMS function.
SMLS [SMS Assignment] [NO]
This parameter is used to select the safe maximum speed limit.
NO [No]: [SMS Low Limit] SMLL is selected as the safe maximum speed limit.
L34 [LI3 and LI4]
 If logical inputs 3/4 are in low state (0), [SMS Low Limit] SMLL is selected as the safe maximum
speed limit.
 If logical inputs 3/4 are in high state (1), [SMS High Limit] SMLH is selected as the safe maximum
speed limit.
L56 [LI5 and LI6]
 If logical inputs 5/6 are in low state (0), [SMS Low Limit] SMLL is selected as the safe maximum
speed limit.
 If logical inputs 5/6 are high state (1), [SMS High Limit] SMLH is selected as the safe maximum
speed limit.
SMLL [SMS Low Limit] 0...599 Hz 0 Hz
This parameter is used to set the lower speed limit.
SMLH [SMS High Limit] 0...599 Hz 0 Hz
This parameter is used set the higher speed limit.
S1A45606 01/2017 85
Guard Door Locking (GDL) Tab
For more information about GDL function, see GDL description (see page 31).

Setting
GDL [Guard Door Locking]
GDLA [GDL Assignment] [No]
nO [No]: Guard door locking is not assigned
Yes [Yes]: Guard door locking is assigned
NOTE: GDLA can be set to [yes] only if LO1 parameter is set to [NO].
This parameter is used to configure the channel used to trigger the GDL function.
GLLD [GDL Long Delay] 1...3600 s 1s
This parameter is used to set the long delay for triggering the safety function GDL.
Maximum delay after STO function activation or normal deceleration ramp command to stop the
machine.
NOTE: GDL long delay should be greater than GDL short delay.
GLSD [GDL Short Delay] 1...3600 s 1s
This parameter is used to set the short delay for triggering the safety function GDL.
Maximum delay after SS1 ramp to stop the machine.
Input/Output Configuration
The figure shows the Input/Output tab:

Setting
IO [Input/Output]
LIdt [LI debounce time] 0...2000 ms 50
In most cases, the 2 logical inputs in a pair used for a safety function (LI3-LI4 or LI5-LI6 or STO-LI3)
will not be 100% synchronized. They will not change state at the same time. There is a small delta
between the 2 logical input transitions.
LIdt is the parameter used to set this delta. If the 2 logical inputs change state with a delta lasting
less than LIdt it is considered to be simultaneous transition of the logical inputs. If the delta lasts
longer than LIdt, the drive considers the logical Inputs are no longer synchronized and detected
error is triggered.
LIrt [LI response time] 0...50 ms 0
This parameter is used to filter short impulses on the logical input (only for LI3-LI4 or LI5-LI6, STO not
concerned). Some applications send short impulses on the line to test it. This parameter is used to filter
these short impulses. Commands are only taken into account if the duration is longer than LIrt.
If the duration is shorter the drive considers that there is no command: the command is filtered.
86 S1A45606 01/2017
Password Configuration - Modify Password
This function allows you to modify the configuration password in the drive.
To modify the configuration password
Step Action
1 In Safety Functions tab, click the Modify Password button
Result: opens the Modify Configuration Password dialog box.
2 In the Modify Configuration Password dialog box:
 Type the existing configuration password in Enter Current Password box
 Type the new configuration password in Enter New Password box
 Retype the new configuration password in Confirm New Password box
 Click Ok
NOTE: The password typed in Enter New Password box and Confirm New Password box should be
same.
NOTE:
Your password:
 Should contain only numeric value, choose the value between 1...9999.
 Should not exceed more than 4 digits.
 Should not have the value 0.
Result: modifies the configuration password.
Password Configuration - Reset Password

If you cannot remember the configuration password defined in the drive, you need to know the universal
password to reset the drive. To obtain this password, contact your Schneider Electric contact.
After this operation, the device reverts to no defined configuration password and the session is
automatically closed.
However, the function configuration remains unchanged.
Reset Configuration
This function is used to reset the configuration of the safety function to the factory settings.
To access the function, click the Reset Configuration button in the Safety Functions tab.
First enter the password, then confirm your choice.
After this action, all safety-related parameters are set to factory settings.
S1A45606 01/2017 87
Visualization and Status of Safety Functions
Code Name/Description
SAF- [MONIT. SAFETY] menu - Visible on SoMove and keypad
StFr [Stator Frequency]
Displays the estimated stator frequency in Hz
StOS [STO status]
Status of the Safe Torque Off safety function
IdLE [IdLE]: STO not in progress
StO [Safe torque off]: STO in progress
FLt [Fault]: STO in detected error
SLSS [SLS status]
Status of the Safely limited speed safety function
nO [Not config]: SLS not configured
IdLE [IdLE]: SLS not in progress
SSI [Safe stop 1]: SLS ramp in progress
StO [Safe torque off]: SLS safe torque off request in progress
FLt [Fault]: SLS in detected error
WAIt [wAIT]: SLS waiting for activation
Strt [Started]: SLS in transient state
SMSS [SMS status]
Status of the Safe Maximum Speed safety function
nO [Not Set]: SMS is not configured
SMS [Active]: SMS is in active state
FTI [Internal Err.]: SMS in internal detected error
FTO [Max Speed]: SMS in overspeed detected error
GDLS [GDL status]
Status of the guard door locking safety function
nO [Not Set]: GDL is not configured
OFF [Inactive]: GDL is in inactive state
STD [Short delay]: GDL in Short delay state.
LGD [Long delay]: GDL in long delay state.
ON [Active]: GDL is in active state.
FLT [Internal Err.]: GDL in internal detected error.
SS1S [SS1 status]
Status of the Safe Stop 1 safety function
nO [Not config]: SS1 not configured
IdLE [IdLE]: SS1 not in progress
SSI [Safe stop 1]: SS1 ramp in progress
StO [Safe torque off]: SS1 Safe Torque Off request in progress
FLt [Fault]: SS1 in detected error
SAF- [MONIT. SAFETY] menu - Visible ONLY on SoMove
SFtY [Safety drive status]
Safety function status of the drive
IStd [Standard drive]: Standard product without safety function configured
SAFE [Safety drive]: product with at least 1 safety function configured
88 S1A45606 01/2017
Copying Safety Related Configuration from Device to PC and from PC to Device
Overview
This feature is used to copy/paste the tested safety-related configuration in several drives.
This feature allows you to:
 identify unique safety-related configuration on the drive
 copy the safety-related configuration file from drive to PC.
 copy the safety-related configuration file from PC to drives
Architecture
The figure shows the architecture for copying the safety-related configuration from device to PC and PC to
device:
S1A45606 01/2017 89
Identify Unique Safety Related Configuration
The identification of the safety-related configuration is done by using CRC, calculated using all safety-
related parameters
You can get the CRC value from My Device tab. Note down the CRC value after the drive is fully tested.
Copy from Device to PC

To copy a configuration file from device to PC:
Step Action
1 In the Safety Functions tab, click the Copy from DEVICE to PC button
Result: opens the Copy from Device to PC dialog box.

2 Type the configuration password in Enter configuration Password box, click Ok.
Result: Displays the CRC1 value
3 Note the CRC1 value, click Save.
Result: opens the Save File... window.
4 In the Save File.. Window:
 Select/create the folder
 Type the name of the file in File name box.
 Click Save,
Result: Safety-related Parameters Successfully saved message appears on the screen, which confirms
that the file has been saved successfully in the desired path.
NOTE:
You cannot copy the configuration from device to PC if:
 the motor is powered.
 a function block is in Run state.
 the function Forced Local is active.
 a safety function is triggered.
90 S1A45606 01/2017
Copy from PC to Device
WARNING
UNEXPECTED EQUIPMENT OPERATION
 Connect the PC using point-to-point connection.
 Copy from PC to Device operation should be performed only by qualified IEC61800-5-2 personnel
 Test the safety function configuration after copying the configuration from PC to device.
To copy a file from PC to device:
Step Action
1 In the Safety Functions tab, click the Copy from PC to DEVICE
button
Result: Warning box appears, read the following instruction before proceeding with copy from PC to
device operation.
2
Click Ok
Result: Opens the Open File... window.
3 In the Open File... Window
 Select .sfty file.
 Click Open
Result: Displays the CRC1 value

4 Verify whether the CRC1 value is same as the CRC1 value noted while copying the configuration from
device to PC if both CRC1 values are same then click Continue.
Result: Opens the Copy from PC to Device dialog box.
5 Type the password (49157) in the Enter copy password box, click Ok.
Result: Configuration is successfully copied from PC to device. A commisoning test must be done on the
safety function.
NOTE:
You cannot copy the configuration from PC to device if:
 the motor is powered.
 a function block is in Run state.
 the function Forced Local is active.
 the configuration of the safety function is already present in the device
S1A45606 01/2017 91
Machine Signature
Overview
The purpose of the test is to verify proper configuration of the defined safety functions and test mechanisms
and to examine the response of dedicated monitoring functions to explicit input of values outside the
tolerance limits.
The test must cover all drive-specific Safety configured monitoring functions and global Safety integrated
functionality in ATV32.
Condition Prior to Acceptance Test

 The machine is wired up correctly.
 All safety-related devices such as protective door monitoring devices, light barriers, and emergency
stop switches are connected and ready for operation.
 All motor parameters and command parameters must be correctly set on the drive.
Acceptance Test Process

The acceptance test is configured with SoMove software.
Step Action Comment

1 Select the Device → Safety Function → Machine
Signature menu and follow the five steps below
2 General Information The information displayed here corresponds to the
To add this step to the final report select Add to the Identification section in the Safety Functions tab.
machine signature
Click Next.
3 Function Summary This step is composed of sub-steps.
To add a function to the final report select Add to the Each sub-step relates to one of the following safety
machine signature functions:
Click Next  STO
 SLS
 SS1
In a function, sub-step the function diagram and

parameters values are displayed.
A text box allows you to enter additional text in this step.
4 I/O Summary The information displayed here corresponds to the
To add a function to the final report select Add to the Logic Input summary folder of the Safety Functions tab:
machine signature  The logic input that is assigned to a safety function
Click Next are displayed in red and show the related safety
function
 The logic input that is not assigned to a safety
function do not show any assignment and are
displayed in green
5 Test In this step, you tick the box when you have tested the
To add a function to the final report select Add to the safety functions to confirm that you have verified the
machine signature correct behavior of the functions for all devices.
Click Next
6 Key The checksum of the safety-related configuration is
Click Finish to create the report displayed as it is calculated for transmission to the
connected device when you click Apply.
This allows you to compare the checksum value with the
one displayed in the identification menu on the graphic
display terminal
Acceptance Report
SoMove creates the acceptance report.
This function provides a final report when one or several safety functions have been configured and
verified.This report is deemed to be a machine signature and certifies that all the safety functions are
operational.The acceptance report has been added as an optional document to be printed to a printer or
to a PDF file.
If the drive configuration is modified (not only applicable on the safety related parameters), you must repeat
the acceptance test.
92 S1A45606 01/2017
Conversion of the Safety Configuration
Introduction
This function allows you to import an old version of the safety configuration to the latest version of the DTM.
The safety-related parameters are automatically added to or removed from the imported configuration
based on the safety-related parameters available in the latest version of the DTM.
NOTE: This function is available for the DTM version 2.5 or later.
For example
When the safety configuration from version 2.3 is imported to version 2.5 of the DTM, the safety-related
parameters (for the safety function SMS, GDL, and so on) available in Version 2.5 are added to the
imported safety configuration.
Pre-condition
Before performing this operation, reset the safety configuration and safety password present in the
connected device.
Import and Convert the Old Version of the Safety Configuration

The table provides the procedure to import and convert an old version of the safety configuration to the
latest version of the DTM.
Step Action
1 In Safety tab, click the Convert button
Result: Opens the Open File dialog box.
2 In the Open File dialog box
 Select the safety configuration file (.sfty) you wish to import.
 Click Open
Result: Open the Enter Configuration Password dialog box.

3 In the Enter Configuration Password dialog box
 Enter the password of the selected safety configuration file.
 Click Ok
Result: Displays the Safety configuration is converted Successfully message in the Information tab.
4 Click OK
Result: Opens the Convert Result dialog box.
5
Click OK
S1A45606 01/2017 93
94 S1A45606 01/2017
Altivar 32
S1A45606 01/2017
Chapter 9
Services and Maintenance
Services and Maintenance

Topic Page
Maintenance 96
Power and MCU Replacement 96
Changing Machine Equipment 96
S1A45606 01/2017 95
Maintenance
Overview
By way of preventive maintenance, the Safety functions must be activated at least once a year. The drive
power supply must be turned off and then on again before carrying out this preventive maintenance. The
drive logic output signals cannot be considered to be safety-related signals. Install interference
suppressors on all inductive circuits near the drive or coupled to the same circuit (relays, contactors,
solenoid, valves, etc.).
NOTE: For more product information, see the installation manual and programming manual on
www.schneider-electric.com.
Power and MCU Replacement
Overview
You can replace the MCU (Motor Control Unit) part (APP + HMI card) and the power part.
Depending on the drive configuration (safety function active or not), the drive response will differ.
If you replace the power and you keep your MCU, you won't lose the configuration of the safety functions
but you need to repeat the Acceptance Test to avoid incorrect wiring or incorrect behavior of the safety
function.
If you replace the MCU you will lose your safety-related configuration. You need to reinstall your
Configuration on the new MCU and then repeat the Acceptance Test.
NOTE: For more product information, see the installation manual and programming manual
Changing Machine Equipment
Overview
If you need to change any part of the drive system (Motor, Emergency stop, etc.) you must repeat the
Acceptance Test.
NOTE: For more product information, see the installation manual and programming manual
96 S1A45606 01/2017
ATV32_Safety_manual_EN_S1A45606_07
01/2017

ATV32 Safety Functions Manual EN S1A45606 07

Uploaded by

Copyright:

Available Formats

ATV32 Safety Functions Manual EN S1A45606 07

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ATV32 Safety Functions Manual EN S1A45606 07

Uploaded by

Copyright:

Available Formats

Altivar 32

Safety Functions Manual

Title of Documentation Reference Number

Product Related Information

Failure to follow these instructions can result in equipment damage.

What Is in This Chapter?

Safety Functions as Defined by IEC 61800-5-2

Safety Function Not Defined in IEC 61800-5-2

Functional Safety Certification

Also refer to safety function Capability.

IEC 61508 Standard

SIL - Safety Integrity Level

PFH - Probability of a Dangerous Hardware Failure Per Hour

Performance level Probability of a dangerous Hardware Failure per Hour

HFT - Hardware Fault Tolerance and SFF - Safe Failure Fraction

SFF HFT type A subsystem HFT type B subsystem

SIL2 SIL3 SIL4 SIL1 SIL2 SIL3

SIL3 SIL4 SIL4 SIL2 SIL3 SIL4

SIL3 SIL4 SIL4 SIL3 SIL4 SIL4

SIL PFD PFD (power RRF

In high demand or continuous operation, these changes to the following:

SIL PFH PFH (power RRF

Fault Avoidance Measures

What Is in This Chapter?

Safety Function (SF) Level Capability for Safety Function STO

Behavior on Activation of the SS1 Function

SS1 Standard Reference

Safety Function (SF) Level Capability for Safety Function SS1

Function Configuration SIL PL

Emergency Stop Category 1

Behavior on Activation of the Safety Function SLS Type 1

When the safety function is activated:

: [Stator Frequency] StFr is above [Set Point] SLSP

When the function is activated:

: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt

While the function is activated:

: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt

: [Stator Frequency] StFr is below [Set Point] SLSP

While the function is activated:

: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt

: [Stator Frequency] StFr is below [Set Point] SLSP

While the function is activated:

: [Stator Frequency] StFr is above [SLS tolerance threshold] SLtt

: [Stator Frequency] StFr is below [Set Point] SLSP

While the function is activated:

If... Then ...

SLS Standards References

Safety Function (SF) Level for Safety Function SLS

Error and STO function triggered

SMS Standard References

Safety Function (SF) Level for Safety Function SMS

Behavior on Activation of the Safety Function GDL

SS1 stop, Freewheel stop, Ramp stop, STO function triggered

GDL Standard References

Safety Function (SF) Level for Safety Function GDL

Calculation of Safety Related Parameters

What Is in This Chapter?

Collect Application Data