DOC-0017-04-EN: AC20 Series - Hardware Installation Manual
DOC-0017-04-EN-A 22.03.2023
2. General Requirements of Category 3:
- A single failure will not lead to loss of the STO safety function.
- Failure of more than one component can lead to the loss of the STO safety function.
- Most but not all single component failures will be detected. Diagnostic Coverage (DC) must be at least 60% (i.e., the minimum required for 'low' diagnostic coverage).
- Detected component failures will result in the STO function being applied without intervention from the user.
- The risk associated with the loss of the STO safety function caused by multiple failures must be understood and accepted by the user.
- The user must undertake a risk analysis and specify suitable components that, when connected together, meet the risk assessment requirements.
- Mean Time To Failure (dangerous) (MTTFd) of each STO channel must be ≥ 30 years.
- Common Cause Failure (CCF) score must be ≥ 65 according to Annex F of the standard.
3. Performance Level (PL) d:
- Average probability of dangerous failure per hour (PFH) must be < 10⁻⁶ 1/h (PL d band: 10⁻⁷ ≤ PFH < 10⁻⁶).
EN61800-5-2:2017 (Adjustable speed electrical power drive systems) & EN61508:2010 (Functional safety of electrical/electronic/programmable electronic safety-related systems)
STO aligns to the following aspects of these standards:
Safety Integrity Level (SIL) 2:
- Probability of dangerous random hardware failures per hour (PFH) must be < 10⁻⁶ 1/h (SIL 2, high demand / continuous mode: 10⁻⁷ ≤ PFH < 10⁻⁶).
- Subsystems type A according to EN61508-2:2010 para 7.4.4.1.2.
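The requirements above (DC, MTTFd, CCF, PFH) are checked per safety function, not per drive, and the PFH of the function is the sum over every part in the chain (see the footnote to the specification table). The following is an added worked example, not code from the manual or the drive vendor: it applies the limits quoted above to a complete chain of input device, logic and drive STO. The drive's PFH (4.6 x 10⁻¹⁰ 1/h) is the value from this page; the input-device and relay figures, and the drive's MTTFd and DC, are constructed placeholders. The DCavg formula is the one in EN ISO 13849-1 Annex E, which goes slightly beyond the per-component DC statement on this page.

```python
"""Worked check of the functional-safety numbers quoted on this page.

Added example, not from the manual or the drive vendor. It applies the limits
quoted above for a Category 3 / PL d / SIL 2 STO function (DC >= 60 %, MTTFd
>= 30 years per channel, CCF score >= 65, PFH < 1e-6 /h) to a complete safety
chain, summing PFH over all parts as the footnote on the specification page
says. The drive's PFH (4.6e-10 /h) is the page's value; the input device and
relay figures, and the drive's MTTFd and DC, are constructed placeholders.
The DCavg formula is the one in EN ISO 13849-1 Annex E.
"""
from dataclasses import dataclass

PFH_MAX = 1e-6          # PL d and SIL 2 (high demand): 1e-7 <= PFH < 1e-6 per hour
DC_LOW_MIN = 0.60       # "low" diagnostic coverage band starts at 60 %
MTTFD_MIN_YEARS = 30    # per-channel MTTFd required on this page
CCF_MIN_SCORE = 65      # EN ISO 13849-1 Annex F score


@dataclass(frozen=True)
class Subsystem:
    name: str
    pfh: float           # dangerous failures per hour
    mttfd_years: float   # mean time to dangerous failure of one channel
    dc: float            # diagnostic coverage, 0.0 .. 1.0


def total_pfh(chain):
    """PFH of the whole safety function: the sum over all parts (sensor, logic, STO)."""
    return sum(s.pfh for s in chain)


def dc_avg(chain):
    """EN ISO 13849-1 Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(s.dc / s.mttfd_years for s in chain) / sum(1.0 / s.mttfd_years for s in chain)


def check_category3_pl_d(chain, ccf_score):
    """Pass/fail flags for the requirements quoted on this page.

    A failed flag means the chain as specified cannot claim Category 3 / PL d;
    it does not replace the user's own risk analysis.
    """
    pfh = total_pfh(chain)
    avg = dc_avg(chain)
    weakest = min(chain, key=lambda s: s.mttfd_years)
    mttfd_ok = weakest.mttfd_years >= MTTFD_MIN_YEARS
    return {
        "pfh_total": pfh,
        "pfh_ok": pfh < PFH_MAX,
        "dc_avg": avg,
        "dc_ok": avg >= DC_LOW_MIN,
        "mttfd_ok": mttfd_ok,
        "weakest_part": weakest.name,
        "ccf_ok": ccf_score >= CCF_MIN_SCORE,
        "category3_pl_d": pfh < PFH_MAX and avg >= DC_LOW_MIN and mttfd_ok
        and ccf_score >= CCF_MIN_SCORE,
    }


# PFH is the page's value; MTTFd and DC of the drive are constructed placeholders.
DRIVE_STO = Subsystem("AC20 STO (PFH from this page)", 4.6e-10, 100.0, 0.90)

# Constructed chain A: dual-channel e-stop, safety relay, drive STO.
CHAIN_A = [
    Subsystem("e-stop, 2 NC contacts (constructed)", 2.5e-8, 100.0, 0.99),
    Subsystem("safety relay (constructed)", 1.0e-8, 100.0, 0.99),
    DRIVE_STO,
]

# Constructed chain B: same logic and drive, but a single-channel, unmonitored input switch.
# Its PFH sum is identical, yet it fails the MTTFd and DC requirements of Category 3.
CHAIN_B = [
    Subsystem("single-channel switch, unmonitored (constructed)", 2.5e-8, 20.0, 0.0),
    CHAIN_A[1],
    DRIVE_STO,
]

if __name__ == "__main__":
    for label, chain in (("A", CHAIN_A), ("B", CHAIN_B)):
        print(label, check_category3_pl_d(chain, ccf_score=70))
```

Chain B is the case the list above warns about: the summed PFH is well under 10⁻⁶, but the unmonitored single-channel input drags DCavg below 60% and the weakest channel below 30 years, so the function cannot be claimed as Category 3 / PL d however good the drive's own STO figures are.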
8.3 Specification
Safety
As assessed to EN ISO13849-1:2015 and EN61800-5-2:2017, the inverter has the following related safety values:

PL (STO):               d
SIL (STO):              2
PFH (STO):              4.6 x 10⁻¹⁰ 1/h †
Mission Time:           Maximum 20 years
Fault Detection Time:   Maximum 5 sec
                        (Time delay from unequal input logic levels to activation of STO.)
                        During input inequality, the motor torque is disabled by the single channel within 15 msec.
STO Response Time:      Maximum 15 msec
                        (Time from the STO user input initiating removal of energy to the motor.)
STO Input Pulse Time:   Maximum 1.5 msec
                        (Active-low OSSD test pulses from the external safety control unit must not exceed this length.)
STO Failure:            If an STO 'Trip 31' code cannot be acknowledged, defects could be present in the product or in the external STO wiring. Any reported STO fault requires system analysis to establish the cause. Damaged units must be exchanged.

† In the assessment of the danger point, the total failure rate is determined by the sum of the failure rates of all parts.
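The three timing figures in the table interact: OSSD test pulses of at most 1.5 ms must be ignored, any single channel going low must remove torque within 15 ms, and channels that stay unequal for more than 5 s must end in a fault that cannot simply be acknowledged away while the wiring is still wrong. The following is an added illustrative model of that behaviour, not the drive's firmware and not code from the manual; the sampling interval, the exact reset rule and the input trace are assumptions made for the example.

```python
"""Illustrative model of the dual-channel STO input timing quoted on this page.

Added example; this is not the drive's firmware and not code from the manual.
It encodes three figures from the specification table: active-low OSSD test
pulses of at most 1.5 ms are tolerated, a single low channel removes torque
(the drive guarantees this within 15 ms), and channels that stay unequal for
more than 5 s raise a latched fault (Trip 31 on this drive), which cannot be
acknowledged while the channels are still unequal. The tick size, the reset
rule and the trace below are assumptions for illustration.
"""

PULSE_FILTER_MS = 1.5       # page: STO input pulse time, maximum 1.5 msec
DISCREPANCY_MAX_MS = 5000   # page: fault detection time, maximum 5 sec
RESPONSE_MAX_MS = 15        # page: STO response time, maximum 15 msec
TICK_MS = 0.5               # assumed sampling interval of the model


class StoInputMonitor:
    def __init__(self):
        self.low_since = [None, None]    # time each raw channel last went low
        self.channel_ok = [True, True]   # debounced state: True = high = run permitted
        self.unequal_since = None
        self.torque_enabled = False
        self.fault_latched = False
        self.events = []                 # (t_ms, description), for inspection

    def step(self, t_ms, ch1, ch2):
        # Debounce: a low shorter than PULSE_FILTER_MS is an OSSD test pulse, not an STO request.
        for i, raw_high in enumerate((ch1, ch2)):
            if raw_high:
                self.low_since[i] = None
                self.channel_ok[i] = True
            else:
                if self.low_since[i] is None:
                    self.low_since[i] = t_ms
                if t_ms - self.low_since[i] > PULSE_FILTER_MS and self.channel_ok[i]:
                    self.channel_ok[i] = False
                    self.events.append((t_ms, f"channel {i + 1} low"))
        # Discrepancy monitoring: unequal debounced channels for > 5 s is a wiring/hardware fault.
        if self.channel_ok[0] != self.channel_ok[1]:
            if self.unequal_since is None:
                self.unequal_since = t_ms
            elif t_ms - self.unequal_since > DISCREPANCY_MAX_MS and not self.fault_latched:
                self.fault_latched = True
                self.events.append((t_ms, "Trip 31: input discrepancy"))
        else:
            self.unequal_since = None
        # Torque is permitted only when both channels are high and no fault is latched.
        want_torque = all(self.channel_ok) and not self.fault_latched
        if self.torque_enabled != want_torque:
            self.events.append((t_ms, "torque enabled" if want_torque else "torque removed"))
        self.torque_enabled = want_torque

    def acknowledge(self):
        """Assumed reset rule: the trip clears only once both channels are high again."""
        if all(self.channel_ok):
            self.fault_latched = False
        return not self.fault_latched


def run_trace(segments, end_ms):
    """segments: list of (start_ms, ch1, ch2); each state holds until the next segment."""
    mon = StoInputMonitor()
    t, idx, ch1, ch2 = 0.0, 0, True, True
    while t <= end_ms:
        while idx < len(segments) and segments[idx][0] <= t:
            _, ch1, ch2 = segments[idx]
            idx += 1
        mon.step(t, ch1, ch2)
        t += TICK_MS
    return mon


# Constructed trace: both channels high, a 1 ms OSSD test pulse on channel 1 at t=100 ms,
# then channel 2 opens alone at t=1000 ms (e.g. a broken wire) and stays open.
TRACE = [(0, True, True), (100, False, True), (101, True, True), (1000, True, False)]

if __name__ == "__main__":
    mon = run_trace(TRACE, end_ms=7000)
    for t, what in mon.events:
        print(f"{t:8.1f} ms  {what}")
    print("acknowledge while wiring still open:", mon.acknowledge())
```

Run on the constructed trace, the test pulse at 100 ms produces no event at all, the single open channel removes torque about 2 ms after it opens (inside the 15 ms budget), and the discrepancy becomes a Trip 31 a little over 5 s later; the acknowledge fails until the wiring is repaired, which is the situation the "STO Failure" row describes.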