Unidrive M400 User Guide
Issue Number: 2
4.11 SAFE TORQUE OFF (STO)
The SAFE TORQUE OFF function provides a means for preventing the
drive from generating torque in the motor with a very high level of
integrity. It is suitable for incorporation into a safety system for a
machine. It is also suitable for use as a conventional drive enable input.
The safety function is active when either one or both STO inputs are in
the logic-low state as specified in the control terminal specification. The
function is defined according to EN 61800-5-2 and IEC 61800-5-2 as
follows. (In these standards a drive offering safety-related functions is
referred to as a PDS(SR)):
'Power, that can cause rotation (or motion in the case of a linear motor),
is not applied to the motor. The PDS(SR) will not provide energy to the
motor which can generate torque (or force in the case of a linear motor)'.
This safety function corresponds to an uncontrolled stop in accordance
with stop category 0 of IEC 60204-1. The SAFE TORQUE OFF function
makes use of the special property of an inverter drive with an induction
motor, which is that torque cannot be generated without the continuous
correct active behavior of the inverter circuit. All credible faults in the
inverter power circuit cause a loss of torque generation.
The SAFE TORQUE OFF function is fail-safe, so when the SAFE
TORQUE OFF input is disconnected the drive will not operate the motor,
even if a combination of components within the drive has failed. Most
component failures are revealed by the drive failing to operate. SAFE
TORQUE OFF is also independent of the drive firmware. This meets the
requirements of the following standards, for the prevention of operation
of the motor.
Data verification by TÜV Rheinland is pending.
SAFE TORQUE OFF can be used to eliminate electro-mechanical
contactors, including special safety contactors, which would otherwise
be required for safety applications.
The function can be used in safety-related machines or systems which
have been designed according to IEC 62061 or IEC 61508, or other
standards which are compatible with IEC 61508, since the analysis and
the integrity metrics used in EN 61800-5-2 are the same.
Note on response time of SAFE TORQUE OFF, and use with safety
controllers with self-testing outputs.
SAFE TORQUE OFF has been designed to have a response time of
greater than 1 ms, so that it is compatible with safety controllers whose
outputs are subject to a dynamic test with a pulse width not exceeding
1 ms.
Two-channel SAFE TORQUE OFF
Two fully independent input channels are provided for the SAFE
TORQUE OFF function. Each input separately meets the requirements of
the standards as defined above, regardless of the state of the other
input. If either or both inputs are set at a logic low state, there are no
single faults in the drive which can permit the motor to be driven.
It is not necessary to use both channels in order for the drive to meet the
requirements of the standards. The purpose of the two channels is to
allow connection to machine safety systems where two channels are
required, and to facilitate protection against wiring faults. For example, if
each channel is connected to a safety-related digital output of a
safety-related controller, computer or PLC, then on detection of a fault in one
output the drive can still be disabled safely through the other output.
Consequently, there are no single wiring faults which can cause a loss of
the safety function, i.e. inadvertent enabling of the drive.
Terminals 31 and 34: SAFE TORQUE OFF function (drive enable)
  Type: Positive logic only digital input
  Voltage range: 0 to +24 V
  Absolute maximum applied voltage: 30 V
  Logic Threshold: 10 V ±5 V
  Low state maximum voltage for disable to SIL3 and PL e: 5 V
  Impedance: >4 mA @ 15 V, <15 mA @ 30 V from IEC 61130-2, type 1
  Low state maximum current for disable to SIL3 and PL e: 0.5 mA
  Response time: Nominal: 12 ms; Maximum: 20 ms
The SAFE TORQUE OFF function may be used in a safety-related application in
preventing the drive from generating torque in the motor to a high level of
integrity. The system designer is responsible for ensuring that the complete
system is safe and designed correctly according to the relevant safety
standards. If the SAFE TORQUE OFF function is not required, these terminals
are used for enabling the drive.
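The response-time note and the STO terminal figures above can be checked against a recorded input trace during commissioning. The following is an added example, not code from the user guide or the drive: the trace format, the 0.25 ms sampling period, the 15 V upper threshold edge (read from "10 V ±5 V") and all function names are assumptions. The cross-channel mismatch check goes beyond the text and assumes both channels are meant to be driven together.

```python
# Added example, not from the user guide: audit sampled STO input voltages
# against the terminal 31/34 figures quoted on this page.
LOW_MAX_V = 5.0          # page: low state maximum voltage for disable to SIL3 and PL e
HIGH_MIN_V = 15.0        # assumption: top of the 10 V +/-5 V logic threshold band
ABS_MAX_V = 30.0         # page: absolute maximum applied voltage
TEST_PULSE_MAX_MS = 1.0  # page: controller test pulse width not exceeding 1 ms

def classify(volts):
    """Map one voltage sample to a level label."""
    if volts > ABS_MAX_V:
        return "over_voltage"
    if volts <= LOW_MAX_V:
        return "low"
    return "high" if volts >= HIGH_MIN_V else "indeterminate"

def audit_channel(samples, period_ms):
    """Return (start_ms, kind, duration_ms) for each run that is not a clean high.
    Durations are estimates: run length in samples times the sampling period."""
    findings, run_state, run_start = [], None, 0
    for i, volts in enumerate(list(samples) + [None]):  # None flushes the last run
        state = None if volts is None else classify(volts)
        if state == run_state:
            continue
        if run_state not in (None, "high"):
            duration = (i - run_start) * period_ms
            kind = run_state
            if run_state == "low":  # short lows are controller self-test pulses
                kind = "test_pulse" if duration <= TEST_PULSE_MAX_MS else "sto_low"
            findings.append((run_start * period_ms, kind, duration))
        run_state, run_start = state, i
    return findings

def unmatched_demands(ch1, ch2, period_ms):
    """sto_low runs on one channel with no overlapping sto_low on the other.
    Either channel alone is a valid disable; a mismatch is worth a wiring check."""
    def spans(samples):
        return [(s, s + d) for s, k, d in audit_channel(samples, period_ms) if k == "sto_low"]
    a, b = spans(ch1), spans(ch2)
    def alone(xs, ys, name):
        return [(name, s) for s, e in xs if not any(s < y1 and y0 < e for y0, y1 in ys)]
    return alone(a, b, "ch1") + alone(b, a, "ch2")

# Constructed traces sampled every 0.25 ms (hypothetical logger output, volts).
PERIOD_MS = 0.25
CH1 = [24.0] * 8 + [0.2] * 3 + [24.0] * 8 + [9.0] * 2 + [24.0] * 4 + [0.2] * 40 + [24.0] * 4
CH2 = [24.0] * 12 + [0.2] * 3 + [24.0] * 54

if __name__ == "__main__":
    for name, trace in (("ch1", CH1), ("ch2", CH2)):
        for finding in audit_channel(trace, PERIOD_MS):
            print(name, finding)
    print("unmatched:", unmatched_demands(CH1, CH2, PERIOD_MS))
```

An "indeterminate" finding means the input sat between the 5 V disable level and the assumed 15 V high level, which the specification above does not count as a low state for SIL3 and PL e.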
Terminals 41 and 42: Relay contacts
  Default function: Drive OK indicator
  Contact voltage rating: 240 Vac, Installation over-voltage category II
  Contact maximum current rating:
    2 A AC 240 V
    4 A DC 30 V resistive load
    0.5 A DC 30 V inductive load (L/R = 40 ms)
  Contact minimum recommended rating: 12 V 100 mA
  Contact type: Normally open
  Default contact condition: Closed when power applied and drive OK
  Update period: 4 ms
WARNING: To prevent the risk of a fire hazard in the event of a fault, a
fuse or other over-current protection must be installed in the
relay circuit.