840 d funções e safety integrated

Description of Functions 10/2004 Edition
sinumerik
& simodrive
SINUMERIK 840D
SIMODRIVE 611 digital
SINUMERIK Safety Integrated

Valid for
Control
SINUMERIK 840D powerline
SINUMERIK 840D powerline (export version)
Drive
SIMODRIVE 611 digital
Software version
6.4
6.5
7.1
7.2
10.04 Edition
SINUMERIK 840D/
SIMODRIVE 611digital
Description of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of FunctionsDescription of Functions
M
Brief Description 1
General Information
about Integrated
Safety Systems 2
Safety-Related Functions 3
Data Description 4
Commissioning 5
Alarms 6
Engineering Examples 7
Application Examples 8
Appendix A
Index I

SINUMERIK documentation
Printing history
Brief details of this edition and previous editions are listed below.
The status of each edition is shown by the code in the “Remarks” columns.
Status code in the “Remarks” column:
A New documentation.. . . . .
B Unrevised reprint with new Order No.. . . . .
C Revised edition with new status.. . . . .
If factual changes have been made on the page since the last edition,
this is indicated by a new edition coding in the header on that page.
Edition Order No. Remarks
04.96 6FC5 297-0AB80-0BP0 A
08.97 6FC5 297-0AB80-0BP1 C
04.99 6FC5 297-5AB80-0BP0 C
05.00 6FC5 297-5AB80-0BP0 C
07.02 6FC5 297-6AB80-0BP1 C
11.03 6FC5 297-6AB80-0BP2 C
10.04 6FC5 297-7AB80-0BP0 C
Trademarks
SIMATICr, SIMATIC HMIr, SIMATIC NETr, SIROTECr, SINUMERIKr and SIMODRIVEr are registered
trademarks of Siemens AG. Other names in this publication might be trademarks whose use by a third party
for his own purposes may violate the rights of the registered holder.
More information is available on the internet at:
http://www.ad.siemens.com/sinumerik
This publication was produced with Interleaf V 7
 Siemens AG, 2004. All rights reserved
Other functions not described in this documentation might be
executable in the control. This does not, however, represent an
obligation to supply such functions with a new control or when
servicing.
We have checked that the contents of this publication agree with the
hardware and software described here. Nevertheless, differences
might exist and therefore we cannot guarantee that they are
completely identical. The information given in this publication is
reviewed at regular intervals and any corrections that might be
necessary are made in the subsequent printings. Suggestions for
improvement are welcome at all times.
Subject to change without prior notice
Siemens–AktiengesellschaftOrder No. 6FC5 297-7AB80-0BP0
Printed in the Federal Republic of Germany
3ls

v
 Siemens AG 2004 All Rights Reserved
SINUMERIK 840D/SIMODRIVE 611 digital SINUMERIK Safety Integrated (FBSI) – 10.2004 Edition
Foreword
Structure of the documentation
The SINUMERIK documentation is organized in 3 parts:
S General Documentation
S User Documentation
S Manufacturer/Service Documentation
You can obtain more detailed information about SINUMERIK 840D/810D as well as
documentation for all SINUMERIK controls from your local SIEMENS office.
Target group
This documentation is intended for manufacturers/end users of machine tools and
production machines who use SINUMERIK 840D and SIMODRIVE 611digital and
the integrated safety functions (SINUMERIK Safety Integrated).
Hotline
If you have any questions, please contact our hotline:
A&D Technical Support Tel.: +49 (0) 180 / 5050 – 222
Fax: +49 (0) 180 / 5050 – 223
email: http://www.siemens.com/automation/support–request
Please send any queries regarding the documentation (suggestions, corrections) to
the following fax number or email address:
Fax: +49 (0) 9131 / 98 – 2176
email: motioncontrol.docu@erlf.siemens.de
Fax form: Refer to the reply form at the end of the document.
SINUMERIK Internet address
http://www.siemens.com/motioncontrol

Foreword 10.04
vi
SINUMERIK 840D powerline
From 09.2001,
S SINUMERIK 840D powerline and
S SINUMERIK 840DE powerline
have been available with improved performance. A list of the available powerline
modules is provided in the following hardware description:
Reference: /PHD/, SINUMERIK 840D Configuration Manual
Objective
This Description of Functions provides all of the information regarding the safety
functions integrated in the SINUMERIK 840D and SIMODRIVE 611 digital that are
relevant for start–up (commissioning) and configuration.
Standard scope
The main areas covered by this Description of Functions are as follows:
S General Information about Integrated Safety Systems
S Description of safety functions
S Lists and description of all of the signals and data
S Start–up (commissioning)
S Description of alarms
S One configuration example
Separate documents are available for user–oriented activities. These include, for
example, generating part programs and handling controls.
Separate information is also available for operations that the machine tool
manufacturer must carry–out. These include, for example, configuring/engineering,
installation and programming the PLC.
Notes on how to use this manual
The following reference guides are provided in this Description of Funcitons:
S Overall table of contents
S Attachment with abbreviations and references
S Index
If you require information about a certain term, please look in the Attachment for
the specific Chapter Index for the particular term. Both the chapter number and the
page number are listed where you will find this particular information.

Foreword10.04
vii
Documentation, Edition 03/01
Note
The documentation Edition 03/01 describes the scope of functions for the following products
and software release:
SINUMERIK 840D with software release 6.1
SIMODRIVE 611digital with software release 5.1.10
When compared to Edition 05/00, in Edition 03/01, the main functions for
SINUMERIK 840D/611digital have been added:
Consecu-
tive No.
New functions in SINUMERIK 840D/611digital
1 SPL start without axial safety enable (Chapter 3)
2 New system variables (Chapter 3)
3 Actual value crosswise data comparison error (Chapter 3)
4 Supplements to machine data (Chapter 4)
5 Supplements to alarms (Chapter 6)
Note
The documentation Edition 07/02 describes the scope of functions for the following products
and software release:
SINUMERIK 840D with software release 6.3.21
SIMODRIVE 611digital with software release 5.1.14
Consecu-
tive No.
1 NCU onboard I/Os (Chapter 3)
2 Internal NC pulse cancellation (Chapter 3)
3 SPL block, brake test, safe brake test (Chapter 8)
4 Disable SPL block (software relay) (Chapter 3)
5 Improved diagnostics (Chapter 5)
6 PROFIsafe (Chapter 3)

Foreword 10.04
viii
Note
The documentation Edition 11/03 describes the functionality for the following products and
software release:
SINUMERIK 840D with software release 6.4
Consecu-
tive No.
1 ProgEvent (Chapter 3.10.10)
2 STOP E (Chapter 3)
3 Acceptance test support (Chapter 5.4)
4 Drive bus failure (Chapter 3.13)
Note
The documentation Edition 10/04 describes the functionality for the following products and
software release:
SINUMERIK 840D with software release 6.4, 6.5, 7.1, 7.2
Consecu-
tive No.
1 Setpoint changeover (from SW 7.2) (Chapter 3.11.8)
2 Deleting the external SPL outputs for SPL system faults (from SW 6.5)
Chapter 3.10
3 PROFIsafe net (useful) data expansion filtering (Chapter 3.12)
Supplement to ordering data
In this documentation you will find the symbol shown on the left with a reference to an
ordering data option. The function described will only be able to be used if the control
contains the designated option.

Foreword10.04
ix
Danger and warning concept
The following danger and warning symbols are used in this document.
Explanation of the symbols used:
!
Danger
This symbol indicates that death, severe personal injury or substantial property damage will
result if proper precautions are not taken.
!
Warning
This symbol indicates that death, severe personal injury or substantial property damage can
result if proper precautions are not taken.
!
Caution
This warning notice (with warning triangle) indicates that slight physical injury or some
material damage can result if proper precautions are not taken.
Caution
This warning notice (without a warning triangle) indicates that material damage can result if
proper precautions are not taken.
Notice
This warning notice indicates that an unwelcome event or unwanted situation can occur if
the relevant notice is ignored.
Other information
!
Important
This warning notice (without a warning triangle) indicates that material damage can result if
proper precautions are not taken.

Foreword 10.04
x
Note
This symbol always appears in this document where further, explanatory information is
provided.
Technical information
Trademarks
IBM is a registered trademark of the International Business Corporation. MS–DOS
and WINDOWSTM are registered trademarks of the Microsoft Corporation.
Type–examination certificate symbol
A type–examination certificate from the German Institute for Occupational Safety
(BIA) has been issued for SINUMERIK 840D/DE with Safety Integrated.
Type–examination certificate symbol
for SINUMERIK 840D/DE
with SIMODRIVE 611digital and

Foreword10.04
xi
Type–examination certificate for SINUMERIK 840D/611 digital
The appendices to the type–examination certificate are not included in this document.
If you require any data from these Appendices, please contact the department speci-
fied on the corrections/suggestions sheet (last page).

Foreword 10.04
xii
Space for your notes

xiii
Table of Contents
1 Brief Description 1-19. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 General Information about Integrated Safety Systems 2-23. . . . . . . . . . . . . . . . . . . . .
2.1 Drives and CNC controls with integrated safety 2-23. . . . . . . . . . . . . . . . . . . . . .
2.1.1 Testing, certification 2-24. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2 Concepts and comments regarding safety 2-25. . . . . . . . . . . . . . . . . . . . . . . . . .
2.3 Standards and Directives 2-27. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.1 Machinery Directive (98/37/EC) 2-27. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.2 Objectives and types of Standards 2-28. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.3 Risk analysis and assessment 2-31. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.4 Terminology definitions from EN 292–1 2-33. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.5 Categories according to EN 954–1 2-33. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.6 Position paper of the working group (WG) 226.03 in the
German Electrotechnical Commission (DKE) 2-35. . . . . . . . . . . . . . . . . . . . . . . .
2.7 Technical bulletin – ”vertical axes” 2-36. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.8 The Safety Standard IEC/EN 61508 2-37. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.9 Safety requirements for machinery in the US 2-38. . . . . . . . . . . . . . . . . . . . . . . .
2.9.1 OSHA 2-38. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.9.2 NFPA 79 2-39. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.9.3 ANSI B11 2-39. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.10 Safety requirements in Japan 2-41. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.11 Basics of SINUMERIK Safety Integrated 2-42. . . . . . . . . . . . . . . . . . . . . . . . . . .
2.11.1 Certification/EC type test 2-42. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.11.2 Basic features of SINUMERIK Safety Integrated 2-42. . . . . . . . . . . . . . . . . . . . .
2.11.3 Forced checking procedure 2-43. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.11.4 Monitoring clock cycle and crosswise data comparison clock cycle 2-45. . . . .
2.11.5 User agreement 2-46. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.11.6 Enabling the safety–related functions 2-47. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.12 Increasing the availability using integrated safety technology 2-49. . . . . . . . . .
2.13 Overview of the safety–related functions 2-50. . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.14 System prerequisites 2-51. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.14.1 Order numbers 2-53. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.15 Customer Support 2-57. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.16 Powering the control up and down 2-58. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.17 Fault analysis 2-60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.18 Others 2-67. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.18.1 Applications 2-67. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.18.2 Information for OEM users 2-69. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.18.3 Overtemperature 2-70. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of Contents 10.04
xiv
3 Safety–related functions 3-73. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1 Basic mechanisms of SI functions 3-73. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.1 Safe standstill – disconnecting the energy feed 3-73. . . . . . . . . . . . . . . . . . . . . .
3.1.2 Shutdown paths 3-74. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.3 Testing the shutdown paths 3-78. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.4 Overview of the machine data for the shutdown paths 3-84. . . . . . . . . . . . . . . .
3.1.5 Stop responses 3-85. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1.6 Overview of the machine data for a stop response 3-96. . . . . . . . . . . . . . . . . . .
3.2 External STOPs 3-98. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.1 Test stop for external STOPs 3-102. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2.2 Overview of the machine data for the ”external STOPs” function 3-107. . . . . . .
3.3 Safe standstill (SH) 3-108. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.3.1 Overview of the machine data for the SH function 3-109. . . . . . . . . . . . . . . . . . . .
3.4 Safe operating stop (SBH) 3-111. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.1 Selecting/de–selecting the safe operating stop 3-112. . . . . . . . . . . . . . . . . . . . . .
3.4.2 Effects when the limit is exceeded for SBH 3-115. . . . . . . . . . . . . . . . . . . . . . . . .
3.4.3 Overview of the machine data for the SBH function 3-117. . . . . . . . . . . . . . . . . .
3.5 Safely–reduced speed 3-118. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.5.1 Selecting/de–selecting safely reduced speed 3-120. . . . . . . . . . . . . . . . . . . . . . . .
3.5.2 Limiting the speed setpoint 3-123. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.5.3 Effects when the limit value is exceeded for SG 3-125. . . . . . . . . . . . . . . . . . . . .
3.5.4 SG specific stop responses 3-127. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.5.5 Override for safely–reduced speed 3-127. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.5.6 Example: Override for safely–reduced speed 3-131. . . . . . . . . . . . . . . . . . . . . . . .
3.5.7 Application example for SG 3-133. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.5.8 Overview of the machine data for the SG function 3-133. . . . . . . . . . . . . . . . . . .
3.6 Safe software limit switches (SE) 3-135. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.6.1 Effects when an SE responds 3-136. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.6.2 Overview of the machine data for the SE function 3-138. . . . . . . . . . . . . . . . . . . .
3.7 Safe software cams (SN) 3-139. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.7.1 Effects when SN responds 3-144. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.7.2 Application example for ”safe software cams” 3-145. . . . . . . . . . . . . . . . . . . . . . .
3.7.3 Overview of machine data for the SN function 3-149. . . . . . . . . . . . . . . . . . . . . . .
3.8 Safe braking ramp (SBR) 3-151. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.8.1 Overview of machine data for SBR 3-153. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.9 Safety–relevant input/output signals (SGE/SGA) 3-155. . . . . . . . . . . . . . . . . . . . .
3.9.1 Signal processing for the NCK monitoring channel 3-163. . . . . . . . . . . . . . . . . . .
3.9.2 Signal processing in the drive monitoring channel 3-166. . . . . . . . . . . . . . . . . . . .
3.9.3 Overview of machine data for SGE/SGA 3-168. . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10 Safe programmable logic (SPL) 3-169. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.1 NCK–SPL program 3-174. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.2 Starting the NCK–SPL using the PROG_EVENT mechanism
(from SW 6.4.15) 3-176. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.3 Starting the NCK–SPL from the PLC user program 3-179. . . . . . . . . . . . . . . . . .
3.10.4 Linking the NCK–SPL to the I/O and monitoring channel 3-181. . . . . . . . . . . . . .
3.10.5 Diagnostics/commissioning 3-183. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.6 Safety software relay (from SW 6.3.30) 3-185. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.7 System variables for SINUMERIK 840D 3-192. . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.8 Behavior after power on/mode change/reset 3-195. . . . . . . . . . . . . . . . . . . . . . . .
3.10.9 SPL data on the PLC side 3-195. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of Contents10.04
xv
3.10.10 Direct communications between the NCK and PLC–SPL
(from SW 6.3.30) 3-198. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.11 PLC data block (DB 18) 3-201. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.10.12 Forced checking procedure of SPL signals 3-207. . . . . . . . . . . . . . . . . . . . . . . . . .
3.11 Encoder mounting arrangements 3-211. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.11.1 Encoder types 3-211. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.11.2 Adjustment, calibration, axis states and historical data 3-214. . . . . . . . . . . . . . . .
3.11.3 Overview of the data for mounting encoders 3-219. . . . . . . . . . . . . . . . . . . . . . . .
3.11.4 The use of selector gearboxes in conjunction with safety–related
functions 3-220. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.11.5 Example for safely entering the gearbox ratio 3-221. . . . . . . . . . . . . . . . . . . . . . .
3.11.6 Actual value synchronization (slip for 2–encoder systems) 3-230. . . . . . . . . . . .
3.11.7 Application: Spindle with 2 encoders and drive with slip 3-232. . . . . . . . . . . . . . .
3.11.8 Setpoint changeover (from SW 7.2) 3-235. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12 SI I/Os using fail–safe modules connected to PROFIBUS–DP
(from SW 6.3.30) 3-239. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.1 Description of functions 3-239. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.2 System prerequisites 3-240. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.3 System structure 3-242. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.4 Configuring and parameterizing the ET 200S F I/O 3-243. . . . . . . . . . . . . . . . . . .
3.12.5 Parameterizing the F master (NCK) 3-249. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.6 Parameterizing the PROFIsafe communication (NCK) 3-249. . . . . . . . . . . . . . . .
3.12.7 Parameterizing the SPL–SGE/SGA interface (up to SW 7.1) 3-252. . . . . . . . . .
3.12.8 Parameterizing the SPL–SGE interface (NCK) (from SW 7.2) 3-253. . . . . . . . .
3.12.9 Parameterizing the SPL–SGA interface (NCK) (from SW 7.2) 3-257. . . . . . . . .
3.12.10 Module type (NCK) 3-260. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.11 Axial checksum (NCK) 3-260. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.12 Parameterizing the F master (PLC) 3-261. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.13 Response times 3-261. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.12.14 Functional limitations 3-264. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.13 Behavior of Safety Integrated when the drive bus fails 3-266. . . . . . . . . . . . . . . .
3.13.1 Behavior of the axial NCK monitoring channel 3-267. . . . . . . . . . . . . . . . . . . . . . .
3.13.2 Behavior without NCK–SPL 3-267. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.13.3 Behavior with NCK–SPL 3-267. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.13.4 Behavior of the drive monitoring channel 3-269. . . . . . . . . . . . . . . . . . . . . . . . . . .
3.13.5 SGE/SGA processing in the PLC 3-269. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.13.6 Limitations 3-270. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.13.7 Examples 3-270. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4 Data Description 4-273. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.1 Machine data for SINUMERIK 840D 4-273. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.1.1 Overview of the machine data 4-273. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.1.2 Description of machine data 4-277. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2 Machine data for SIMODRIVE 611 digital 4-321. . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2.1 Overview of the machine data 4-321. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2.2 Description of machine data 4-324. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3 Interface signals 4-342. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.1 Interface signals for SINUMERIK 840D 4-343. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.2 Description of the interface signals 4-343. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.4 System variables 4-353. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.4.1 System variables for SINUMERIK 840D 4-353. . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.4.2 Description of the system variables 4-356. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

xvi
5 Commissioning 5-367. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1 Commissioning SINUMERIK 840D 5-368. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.1 Commissioning conditions 5-368. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.2 First commissioning 5-370. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.3 Series commissioning 5-373. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.4 Upgrading software 5-374. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.5 Changing data 5-374. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 Acceptance report 5-376. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.3 Conventional acceptance test 5-380. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4 NCK acceptance test support 5-382. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4.1 Scope of the test list 5-383. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4.2 Internal mechanisms to support the test procedure 5-384. . . . . . . . . . . . . . . . . . .
5.4.3 Trace techniques 5-387. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4.4 Basic operating information and instructions 5-390. . . . . . . . . . . . . . . . . . . . . . . .
5.5 Diagnostics 5-391. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.5.1 Troubleshooting procedure 5-391. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.5.2 Diagnostics support by configuring your own extended alarm text 5-396. . . . . .
5.5.3 Servo trace bit graphics for Safety Integrated 5-399. . . . . . . . . . . . . . . . . . . . . . .
5.5.4 Bit graphics for SI signals in the servo trace 5-403. . . . . . . . . . . . . . . . . . . . . . . . .
6 Alarms 6-409. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.1 Alarms for Sinumerik 840digital 6-409. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2 Alarms for SIMODRIVE 611 digital 6-463. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.3 PLC alarms 6-478. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4 Reducing the number of alarms 6-479. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4.1 Suppressing alarms 6-479. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4.2 Assigning priorities to alarms 6-480. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7 Engineering Examples 7-483. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.1 General information on engineering 7-483. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.2 Circuit examples 7-485. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.2.1 Control and drive components 7-486. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.2.2 Engineering 7-487. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3 Safety Integrated with SPL 7-490. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.1 Starting configuration in the OB100 7-492. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.2 Starting the NCK–SPL and PLC–SPL 7-494. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.3 Declaring variables 7-498. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.4 Connecting–up the drives 7-508. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.5 Emergency Stop 7-512. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.6 Test stop 7-519. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.7 Protective door interlocking 7-531. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.8 De–selecting SBH using the key–operated switch 7-533. . . . . . . . . . . . . . . . . . . .
7.3.9 SG changeover 7-534. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.10 NCK–SPL 7-536. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.11 PLC blocks 7-539. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3.12 Appendix 7-547. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4 Safety Integrated without SPL 7-551. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.1 Connecting–up the drives 7-551. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of Contents10.04
xvii
7.4.2 Emergency Stop and connecting–up the I/R module 7-552. . . . . . . . . . . . . . . . .
7.4.3 Test stop 7-554. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.4 Protective door interlocking 7-555. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.5 De–selecting SBH using the key–operated switch/SG changeover using the
door safety contactor 7-556. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.5 External STOPs 7-558. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6 Application example with PROFIsafe connection 7-562. . . . . . . . . . . . . . . . . . . . .
7.6.1 Software prerequisites 7-562. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.2 Functional scope of the application 7-562. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.3 Connecting–up the sensors and actuators 7-563. . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.4 Parts list for the configured ET 200S line–up 7-563. . . . . . . . . . . . . . . . . . . . . . . .
7.6.5 Signal assignment and significance 7-564. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.6 Individual functions of the application 7-571. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.7 Configuring and connecting–up the ET 200S I/O 7-572. . . . . . . . . . . . . . . . . . . . .
7.6.8 Parameterization Sinumerik 840D NCK 7-580. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.9 Programming the NCK–SPL 7-582. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.10 Programming the PLC–SPL 7-585. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6.11 Modified limitations with PROFIsafe 7-590. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8 Application Examples 8-591. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.1 Conventional brake control (single–channel from the PLC) 8-591. . . . . . . . . . . .
8.2 Two–channel brake control with SI (SPL) 8-593. . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3 Safe brake test (SBT) 8-598. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3.1 Applications 8-598. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3.2 Parameterization 8-598. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3.3 Sequence 8-602. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3.4 Limitations 8-606. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3.5 Activating 8-607. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3.6 Examples 8-607. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.4 Safe cams at the modulo limit 8-609. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.5 SPL functionality without real drives 8-616. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.6 Direction detection when retracting from SE 8-618. . . . . . . . . . . . . . . . . . . . . . . . .
8.7 Replacing a motor or encoder 8-621. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.8 Example for combining SI with ESR 8-627. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A Abbreviations A-633. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
B Terminology B-637. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C References C-639. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Index I-643. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

xviii
Space for your notes

1-19
Brief Description
SINUMERIK Safety Integrated provides safety functions that have been certified
in an EC type examination.These functions can be used to implement practical and
highly effective protection for operating personnel and machinery. With the excep-
tion of the brake test (control Category 2, refer to Chapter 8.3 ”Function test of the
mechanical braking system”), all of the safety functions fulfill the requirements of
control Category 3 acc. to EN 954–1 and are a fixed component of the basic
system. No additional sensors or evaluation units are needed. This means less
installation and costs at the machine and a more transparent electrical cabinet.
Included in the scope of functions are, for example:
S Functions for safely monitoring speed, zero speed (standstill) and position
S Functions for the safe logical combination of signals
Directly connecting two–channel I/O signals
It is now possible to connect sensors and actuators, for example EMERGENCY
STOP buttons, light curtains, valves and brakes, directly to the two–channel I/O.
Logic operations and responses are performed internally using safety–related
technology.
Highly effective safety concept
Fully–digital systems now make it possible to implement safety systems in which
electronics and software play the major role. Full integration into the control and
drive technology means that the safety functions are now an inseparable part of
the basic system. They provide a previously unknown, intelligent and direct link
right through the system to the electric drives and measuring systems. Reliable
operation, fast response and wide acceptance mean that this certified safety con-
cept is extremely effective.
Redundant configuration of the safety function
A two–channel, diverse system structure is formed on the basis of an existing mul-
ti–processor structure. The safety functions have been configured redundantly in
the NC, drive and internal PLC.
The process quantities and safety–relevant system data are subject to crosswise
data comparison. Safety–relevant software and hardware functions are checked at
defined intervals by an automatic forced checking procedure.
1

Brief Description 10.04
1-20
The special feature of this safety concept: Using SINUMERIK Safety Integrated,
with only one measuring system – the standard motor measuring system – control
Category 3 according to EN 954–1 (SIL2 acc. to IEC 61508) can be implemented.
A second sensor is not necessary but can be added as an additional, direct mea-
suring system (e.g. linear scale).
Sensing Evaluating Responding
I/O
I/O
Bus
Bus
Crosswise
data
comparison
PLC
computer
Type 3
Feedback signals
Feedback signals
Crosswise
data
comparison
Signal
encoder Drive
computer
Type 2
Shutdown paths
Incremental
or absolute
Drive
power
module
NC
computer
Type 1
Mastering extreme conditions professionally
Safety–relevant faults/errors in the system always cause potentially hazardous
movement to be brought to a standstill or the energy feed to the motor to be dis-
connected.
When a fault occurs, the energy feed to the motor is contactlessly disconnected.
This can be initiated on an axis–for–axis basis with a very short response time.
The drive DC link does not have to be discharged.
The drives are brought to a standstill in the optimum way, adapted to the operating
conditions of the machine. For example, each axis can be brought to a standstill
separately in the setting–up mode when the protective door is open. This ensures
a high degree of protection for the personnel when setting–up the machine and
additional protection of the machine, tool and workpiece in the automatic mode.

Brief Description10.04
1-21
Activation of external braking mechanisms supplements the integrated functions
and results in the shortest possible braking distance when using the safe stopping
process. External braking mechanisms could include:
S An external mechanical brake
A holding or operating brake
S An external electrical brake
Armature short–circuit or eddy–current brake
Scope of functions
The safety–related functions are available in all of the operating modes and can
communicate with the process via safety–related input/output signals.
S Safe stopping process
When a monitoring function or a sensor responds (e.g. a light barrier), the
drives are safely controlled down to standstill.
S Safe operating stop (SBH)
Monitors the drives during standstill within an adjustable tolerance window.
The drives remain fully functional in the position controlled mode.
S Safe standstill (SH)
Drive pulses are cancelled so that the energy feed is safely and electronically
disconnected.
S Safely–reduced speed (SG)
Configured speed limits are monitored, e.g. when setting–up without using an
agreement button.
S Safe software limit switches (SE)
Variable traversing range limits can be configured on an axis–for–axis basis
S Safe software cams (SN)
Ranges can be detected on an axis–for–axis basis
S Safety–relevant input/output signals (SGE/SGA)
Interface to the process
S Safe programmable logic (SPL)
All of the safety–relevant signals are directly connected and logically combined.
S SG specific setpoint limiting
S Safe brake management (SBM)
Two–channel brake control and cyclic brake test
S Safety–relevant communication via standard bus
Distributed I/Os for process and safety signals are connected via PROFIBUS
using the PROFIsafe protocol.
S Safety–relevant software relay (SI relay)
This is designed for requirements of an EMERGENCY STOP function (and
similar requirements) with safe programmable logic.

Brief Description 10.04
1-22
Note
The function ”safe software limit switch” (SE) is also called ”safe limit position” and
the function ”safe software cams” (SN) is also called ”safe cams”.
Innovative safety technology setting new standards
SINUMERIK Safety Integrated has already been implemented successfully in
many thousands of different types of machines – also outside Europe.
National product liability laws and standard concepts of companies operating
worldwide mean that the requirements of the EC Machinery Directive can also be
fulfilled for the world market.
It has been proven that new practical machine operating concepts can be imple-
mented with this innovative safety technology.
The result is a new standard for machines which makes them safer and more flex-
ible and which also increases the availability of the entire plant.
Effective cooperation and competent partners
The new safety concept is the result of close cooperation between the ”Iron and
Metal II” Technical Committee of the German Employer’s Liability Assurance Asso-
ciation in Mainz, the German Institute for Occupational Safety in St. Augustin and
Siemens AG in Erlangen, Germany.
The advantages at a glance
Highly effective and practical personnel and machine protection with SINUMERIK
Safety Integrated. This innovative safety technology enables the following:
S Higher degree of safety
S Higher degree of cost effectiveness
S Higher degree of flexibility
S Higher degree of system availability

2-23
General Information about Integrated
Safety Systems
2.1 Drives and CNC controls with integrated safety
Extract from /6/
”...To protect personnel against hazardous motion, safety measures must be imple-
mented on machines. They are intended to prevent hazardous machine motion
while protective devices are open. These functions include monitoring positions,
e.g. end positions, monitoring velocities and standstill, or stopping in hazardous
situations.
Up until now, mainly external equipment and devices have been used to implement
safety measures. These include contactors, switches, cams, and monitoring de-
vices. If a hazardous situation is detected, these devices generally interrupt the
power circuit thus stopping the motion (Fig. 2-1).
By integrating safety functions, drive systems and CNC controls perform safety
functions in addition to their functional tasks. Very short response times can be
achieved because of the short data paths from acquisition of the safety–relevant
information – e.g. speed or position – up to evaluation. The systems with integra-
ted safety technology generally respond very quickly when the permissible limit
values are violated, e.g. position and velocity limit values. They can be of decisive
importance for the required monitoring result. The integrated safety technology can
directly access the power semiconductors in the drive controller without using elec-
tromechanical switching devices in the power circuit. This helps reduce the sus-
ceptibility to faults – and the integration also reduces the amount of cabling...”
2

General Information about Integrated Safety Systems
2.1 Drives and CNC controls with integrated safety
10.04
2-24
2.1.1 Testing, certification
Extract from /6/
”...There is no general testing requirement for drive systems with integrated safety.
This applies to applications involving machine tools, robots, automated manufac-
turing systems, food–production machinery and equipment etc.
For certain machines that are listed under Appendix IV of the Machinery Directive
(e.g. presses, woodworking machines) there may be requirement to test the
machine. This could mean that the associated drive systems also have to be tested.
Independent of this, tests can be conducted on a voluntary basis. Generally, users
and the machine manufacturers request that these components are tested by an
independent body, even if there is no test requirement. The reason for this is,
above all, the complexity of drive systems with integrated safety. Users themselves
are generally unable to judge whether the systems meet the protective goals of the
Machinery Directive and the appropriate Standards.
Testing such complex systems must always be conducted in parallel with the de-
velopment process. This means that testing should already start in the conceptual
phase. This can avoid mistakes in the development phase and reduce the costs
associated with testing.
The certificates that are acceptable for tests by the test and certification system of
the German Professional Association are EC–type examination certificates in com-
pliance with EC Directives according to ZH1/419 /5/ in conjunction with the appropri-
ate test symbol...”
M
CNC
M
External
safety system
safety system
External
Drive
control
unit
Drive
control
unit
Integrated
safety
system
Fig. 2-1 External safety system, integrated switching technology (extract from /6/)

2.2 Concepts and comments regarding safety
10.04
2-25
There are different concepts and requirements in the various regions and countries
of the world when it comes to ensuring the appropriate degree of safety. The legis-
lation and requirements of how and when proof is to be given and whether there is
an adequate level of safety are just as different as the assignment of responsibili-
ties. For instance, in Europe, the manufacturer of a piece of equipment as well as
the company operating the equipment must comply with certain requirements.
These requirements are regulated by the appropriate European Directives, legisla-
tion and Standards. On the other hand, in the US, there are regional and even lo-
cal requirements that differ. However, throughout the whole of the US, there is a
basic law that an employer must guarantee safety at the workplace. If injury or
damage occurs, as a result of the product liability, the manufacturer can be made
liable for the injury or damage associated with his particular product.
What is important for manufacturers of machines and companies that erect plants
and systems is that the local legislation and regulations always apply where the
machine or plant is being operated. For instance, the control system of a machine,
that is to be used in the US, must fulfill the local US requirements even if the ma-
chinery construction company (OEM) is based in Europe. Even if technical con-
cepts with which safety is to be achieved, are subject to technical principles, it is
still extremely important to observe whether legal issues are applicable with certain
specifications or residual risks.
Electrical and functional safety
A differentiation is made between various types of safety. For instance, by specify-
ing the particular cause of possible hazards. ”Electrical safety” is involved if protec-
tion should be provided against hazards resulting from electricity – or ”functional
safety” if safety depends on the correct function.
This is the reason that there are special Standards for the functional safety. In the
area of machine safety, EN 954 is applicable for special safety–relevant parts of
controls and therefore concentrates on the functional safety. In the basic IEC
61508 safety standard, IEC handles the functional safety of electrical, electronic
and programmable electronic systems independent of a specific application.
In order to achieve the functional safety of a machine or plant, it is necessary that
the safety–relevant parts of the protection and control devices function correctly.
And not only this, when faults develop, they behave so that either the plant remains
in a safe state, or is brought into a safe state.
In this case, it is necessary to use qualified technology that specifically fulfills the
requirements described in the associated standards. The requirements to achieve
functional safety are based on the following basic goals:
S Avoiding systematic faults
S Controlling systematic faults

10.04
2-26
S Controlling random faults or failures
The benchmark for the achieved functional safety is
– the probability of hazardous failures
– the fault tolerance, and
– the quality
These are intended to ensure that there are no systematic faults in the system.
This is expressed in the standard using different terms:
IEC 61508: ”Safety Integrity Level” (SIL)
EN 954: ”Categories”
DIN V 19250 and DIN V VDE 0801: ”Requirement classes”.

2.3 Standards and Directives
10.04
2-27
2.3.1 Machinery Directive (98/37/EC)
The national Standards and Directives of all of the EC Member States that are in-
volved with how machines are technically implemented, have been harmonized. In
Germany, the contents of the Machinery Directive have been implemented as the
9th Decree regarding safety of equipment. For the Machinery Directive, this was
realized with the objective to achieve standard protective goals thus removing
trade barriers with a technical background. Corresponding to its definition ”a ma-
chine is an assembly of linked parts or components – at least one of which moves”
is extremely extensive. The range of applications was subsequently expanded to
include ”safety–related components” and ”exchangeable equipment” in the form of
revision Directives. The Machinery Directive involves the implementation of ma-
chines.
”Machinery” also covers an assembly of machines which, in order to achieve the
same end, are arranged and controlled so that they function as an integral whole.
This means that the Machinery Directive is applicable from a basic machine up to a
plant. The manufacturer must carefully observe the following principles when it
comes to integrating safety:
1. ”The design and construction of the machine must ensure that operation,
equipping and service, when correctly used, can be carried–out without
endangering persons.”
”The measures must...exclude...risks of accidents...”
2. ”When selecting the appropriate solutions, the manufacturer must apply the fol-
lowing basic principle – and more precisely, in the specified sequence:
S Eliminate or minimize hazards (integrating the safety concept into the devel-
opment and construction of the machine);
S Apply and use the necessary protective measures against hazards that can-
not be avoided;
S Inform the user about the residual hazards due to the fact that the safety
measures applied are not completely effective.”
The protective goals must be implemented with a high degree of responsibility in
order to fulfill the requirements for conformity with the Directive.
The manufacturer of a machine must provide proof that his machine is in com-
pliance with the basic requirements. This proof is made more simple by applying
harmonized Standards.
A certification process is demanded for machines that, according to Attachment IV
of the Machinery Directive, represent a higher potential hazard.

10.04
2-28
Manufacturer User
Machine protection
Article 100/100a
EC contract
(internal market)
Article 118/118a
EC contract (social
security)
Outline proposal
Safety and health protection of
employees (89/391/EEC)
Other applicable
Directives
Other separate
individual
Directives
Machinery
Directive
(98/37/EC)
Individual
Directive, use
of equipment
(89/655/EEC)
Harmonized
European Standards
National legal
requirements
Fig. 2-2 Requirements of the EC Directives
2.3.2 Objectives and types of Standards
Manufacturers and operating companies of equipment, machines and products are
responsible for the safety. This results in the requirement that plants, machines
and other equipment should be made as safe as possible according to state–of–
the–art technology. In this case, companies describe in the various Standards,
state–of–the–art technology that is relevant for safety.
In Europe, a differentiation is made between Standards, that are harmonized under
an European Directive and Standards that although ratified, are not harmonized
under a specific Directive – and other rules and regulations that are called ”domes-
tic standards” in the Directives.
Ratified Standards describe recognized state–of–the–art technology. This means
that a manufacturer can, by applying it, prove that he has fulfilled the recognized
state–of–the–art technology.
All of the Standards, that are ratified as European Standards, must be taken–over
unchanged in the domestic Standards of the Member States. This is independent
of whether they are harmonized under a particular Directive – or not. Existing do-
mestic Standards associated with the same subject must then be withdrawn.

10.04
2-29
Note
IEC 61508 ”Functional safety of electrical/electronic/programmable electronic
safety–related systems” is an important standard that is not harmonized under a
European Directive. The reason for this is that there is no appropriate harmonized
Standard. It is ratified as EN 61508. The German Standards DIN V VDE 0801 and
DIN V 19250 and 19251 were therefore withdrawn by August 2004.
The European Standards for Safety of machines is hierarchically structured as follows:
S A Standards (Basic Standards)
A Standards include basic terminology and definitions that are applicable for all
machines. This includes EN 292 ”Safety of machines, basic terminology, gen-
eral design principles.”
A Standards primarily address those setting the B and C Standards. However,
the techniques documented there regarding minimizing risks can also be helpful
to manufacturers if there are no applicable C Standards.
S B Standards (Group Standards)
These are all Standards with safety–related statements that can involve several
machine types.
B Standards also primarily address those setting C Standards. However, they
can also be helpful for manufacturers when designing and constructing a ma-
chine if there are no applicable C Standards. For B standards, another seg-
mentation is made – and more precisely as follows:
Type B1 Standards for higher–level safety aspects, e.g. basic ergonomic prin-
ciples, safety clearances from hazards, minimum clearances to avoid crushing
parts of the body.
Type B2 Standards for protective safety devices/guards – e.g. Emergency Stop
devices, two–hand operating circuits, interlocking elements, contactless protec-
tive devices, safety–related parts of controls.
S C Standards (Product Standards)
These involve Standards for specific machines. For instance, machine tools,
woodworking machines, packaging machines, printing machines to name just a
few.
Product Standards include requirements for specific machines. The require-
ments can, under certain circumstances, deviate from the Basic and Group
Standards. For machinery construction companies (e.g. OEMs), Type C Stan-
dards/Product Standards have absolutely the highest priority. The machinery
construction company can then assume that it fulfills the basic requirements of
Attachment I of the Machinery Directive (automatic presumption of compliance).

10.04
2-30
Safety Standards
A selection of Safety Standards is listed in table below:
Table 2-1 Important Safety Standards
Standard Description
DIN EN 292–1 Safety of Machinery, Parts 1 and 2
(new Standard, ISO 12100)
DIN EN 292–2/A1 Basic terminology, general principles for design
EN 775 (ISO 10218) Industrial robots, safety
EN 954–1 Safety–related parts of control systems
(new Standard, ISO 13849–1)
ISO 62061 Machine controls
DIN EN 1050 Risk assessment
(new Standard, ISO 14121)
EN 60204–1 Electrical equipment of machines
DIN EN 418 Emergency Stop protective safety devices/guards, functional as-
pects – principles for design
DIN V VDE 0801 Basic principles for computers in systems with safety–related
tasks
IEC 61508 Functional safety of electrical and electronic systems
Draft IEC 61800–5 Adjustable speed electric power drive systems
Note
As far as the EMC and Low–Voltage Directives are concerned, there is a list of the
relevant Standards in the Declaration of Conformance to be drawn–up.

10.04
2-31
2.3.3 Risk analysis and assessment
General information
As a result of their design and functionality, machines and plants represent poten-
tial risks. This is the reason that the Machinery Directive demands that a risk as-
sessment is carried–out for every machine and, where necessary, risks are then
minimized until the residual risk is less than the tolerable risk. For the techniques to
evaluate these risks, the following Standards should be applied
S EN 292 ”Safety of Machinery – basic terminology, general principles for design”
and
S EN 1050 ”Safety of Machinery, general principles for assessing risk”.
EN 292 describes the risks to be considered and the principles for design to mini-
mize risks, EN 1050 the iterative process with risk assessment and risk minimiza-
tion to achieve the appropriate degree of safety.
Risk assessment
Risk assessment is a sequence of steps that allow hazards, as a result of ma-
chines, to be systematically investigated. Where necessary, a risk reduction proce-
dure follows risk assessment. When this procedure is repeated, an iterative pro-
cess is obtained (refer to Fig. 2-3), which can then be used to eliminate hazards as
far as possible and so that the appropriate protective measures can be taken.
The risk assessment involves the following
S Risk analysis
a) Determines the limits of the particular machine (EN 292, EN 1050 Para. 5)
b) Identifies the hazards (EN 292, EN 1050 Para. 6)
c) Techniques to estimate risk (EN 1050 Para. 7)
S Risk evaluation (EN 1050 Para. 8)
As part of the iterative process to achieve the appropriate degree of safety, after
the risk has been estimated, the risk is evaluated. In so doing, a decision must be
made as to whether risk minimization is required. If the risk is to be further re-
duced, suitable protective measures must be selected and also applied. The risk
assessment should then be repeated.

10.04
2-32
Fig. 2-3 Iterative process to achieve safety in compliance with EN 1050
Fault analysis for SINUMERIK Safety Integrated
With SINUMERIK Safety Integrated and its fault analysis
(refer to Chapter 2.17 ”Fault analysis”), the machinery construction company
(OEM) obtains a statement about the measures required in the control system and
the drive to control faults for either internal or external disturbances.
The machinery construction company (OEM) can then directly incorporate this in-
formation and data in his hazard analysis that is based on the EC Machinery Direc-
tive, Attachment 1.

2.4 Terminology definitions from EN 292–1
10.04
2-33
2.4 Terminology definitions from EN 292–1
Reliability and safety
The terms ”reliability” and ”safety” are defined as follows in EN 292–1:
Table 2-2 Reliability and safety
Term Definition
Reliability The ability of a product, a part or an apparatus to perform a required
function under specific conditions and for a specified period of time
without malfunction.
Safety The ability of a product to perform its function(s) and to be trans-
ported, erected, installed, maintained, disassembled and removed in
compliance with the conditions of its intended use as defined by the
manufacturer in the Operating Manual (and to which reference is
made in some cases for certain periods in the Operating Instructions)
without causing injury or ill–health.
2.5 Categories according to EN 954–1
The requirements placed on safety–related parts of controls are defined using five
categories as part of EN 954–1.
These categories represent a classification of the safety–related parts of a control
with reference to their resistance against faults and their behavior when a fault
condition occurs that is achieved as a result of the reliability and/or the structural
arrangement of the parts and components. A higher resistance with respect to
faults signifies a higher possible risk reduction. This is the reason that the catego-
ries are basically suitable to reduce the risk in a machine to an acceptable level
using control–related resources.

2.5 Categories according to EN 954–1
10.04
2-34
Table 2-3 Categories of safety–relevant parts of control systems
Cate-
gory
Summary of requirements System response1) Main principle
for provision
of safety
B The safety–relevant components of machine controls
and/or their protective equipment and components
must be designed, constructed, selected, assembled
and combined in compliance with all applicable stan-
dards such as to be capable of withstanding all poten-
tially hazardous influences.
If a fault/error occurs, it can lead to
loss of the safety functions.
by selecting
components
1 The requirements of B must be fulfilled. Use of compo-
nents and principles that have proven to be effective in
terms of safety.
As described for category B, but
with a greater safety–relevant reli-
ability of safety functions.
2 The requirements of B must be fulfilled. Use of prin-
ciples that have proven to be effective in terms of
safety.
The safety function(s) must be tested at appropriate
intervals by the machine control.
Note:
The suitability of the measure depends on the applica-
tion and type of the machine.
The occurrence of a fault/error can
lead to a loss in safety functions in
between tests.
The loss of safety function(s) is de-
tected in the course of testing.
Structure
based
safety.
The controls must be designed such that:
a single fault/error in the control system does not
cause a loss of the safety function, and
if it can be implemented in an appropriate way, individ-
ual faults/errors can be detected.
If a single fault/error occurs, the
safety function always remains oper-
ational.
Some, but not all, faults/errors are
detected.
An accumulation of undetected
faults/errors can lead to a loss of the
safety function(s).
safety.
A control must be designed such that:
a single fault/error in the control system does not
cause a loss of the safety function(s), and
the single fault/error is detected before or when the
safety function is required to take effect. If such a re-
sponse cannot be implemented, then the accumulation
of faults/errors may not result in a loss of the safety
function(s).
If faults/errors occur, the safety func-
tion always remains operational.
Faults/errors are detected promptly
enough to prevent any loss of safety
functions.
Structure
based
1): The risk assessment states whether the total or partial loss of the safety function(s) as a result of
faults/errors is acceptable.

2.6 Position paperoftheworkinggroup(WG)226.03inthe German Electrotechnical Commission (DKE)
10.04
2-35
Table 2-4 Overview of safety–relevant controls in C Standards (excerpt)
EN 12417
Machining centers
EN 12415
Lathes
EN 775
Industrial robots*
Agreement button Category 3 Category 3 Category 3
Speed reduction including
protection against unex-
Category 3 Category 3 Category 3
protection against unex-
pected starting (n=0) Category B and agreement
circuit
Interlocking of
protective safety devices/
Category 3 Category 3 Category 3
protective safety devices/
guards
Limiting of endstops – – Category 3
Emergency Stop acc. to EN 60204 Category 3 Category 3
2.6 Position paper of the working group (WG) 226.03 in the
German Electrotechnical Commission (DKE)
In the ”Safety–relevant functions of electric drive systems in machines” position
paper, the subject of ”functional safety” was agreed with German industry and
given a general definition.
Safety Integrated corresponds to the functions described in this position paper.
Table 2-5 Terms used
Terms from position paper
drawn up by WG 226.03 in the
DKE (German)
English Term used in this documenta-
tion (abbreviation)
Refer to
Chapter
Sicherer Halt Safe standstill SH 3.3
Sicherer Betriebshalt Safe operational stop SBH 3.4
Sicher reduzierte Geschwindigkeit Safely reduced speed SG 3.5
Sicheres Stillsetzen Safe stopping process Safe stopping process 3.2
Sicher begrenzte Absolutlage Safely limited absolute position SE 3.6
Safe Cam SN
SE
3.7
Sichere Ein–/Ausgangssignale Safe input/output signals SGEs/SGAs 3.9

2.7 Technical bulletin – ”vertical axes”
10.04
2-36
2.7 Technical bulletin – ”vertical axes”
This Technical Bulletin aims to summarize the know–how and experience available
with regard to improved safety at work for activities at or close to vertical axes.
This is realized by applying practical control measures to prevent axes falling due
to the force of gravity. The Technical Bulletin is based on the experience of
manufacturers of industrial robots, including linear robots and handling systems, by
drive and control systems manufacturers and by the users of those systems, par-
ticularly in automobile production and the German Trade Association.
The Technical Bulletin shows typical hazardous situations with regard to vertical
axes and gives suitable solutions for risk reduction by applying appropriate control
measures. Other measures against preventing axes falling, which are not consid-
ered in this bulletin, remain unaffected. Consideration is given to vertical axes
driven by electric motors as well as inclined axes with a motor–integrated brake or
an external brake which could fall due to gravity in case of a brake failure.
www.smbg.de/Sites/downloads/005–MFS–E Vertikalachsen.pdf

2.8 The Safety Standard IEC/EN 61508
10.04
2-37
2.8 The Safety Standard IEC/EN 61508
The series of Standards EN 61508 (functional safety, safety–related electrical,
electronic, programmable electronic systems) that was used with the IEC 61508
through the European CENELEC Standards Organization, was ratified by
CENELEC in 2001. This has been transferred into the German Standards as
DIN EN 61508 (VDE 0803). These Standards describe state–of–the–art technol-
ogy; however, they only have to be observed on a voluntary basis and they are not
binding. DIN V VDE 0801 will be withdrawn in 2004.
EN 61508 is not harmonized under a particular European Directive. This means
that it cannot be used as a basis for automatic presumption that the protective
goals of a Directive are fulfilled. However, the manufacturer of a safety–related
product can use EN 61508 to fulfill basic requirements from the European Direc-
tives according to the new concept. For instance in the following cases:
S There is no harmonized Standard for the application involved. In this particular
case, the manufacturer may use EN 61508. However, it has no presumption of
conformity.
S In a harmonized European Standard (e.g. EN 954, EN 60204–1) reference is
made to IEC/EN 61508. This therefore ensures that the requirement of the di-
rective involved is also maintained (”Standard that is also applicable”). If the
manufacturer correctly applies EN 61508 in the sense of this reference and
conscious of his responsibility, then he uses the presumption of conformity of
the referencing standard.
Certification according to IEC 61508 is a prerequisite for an NRTL listing.

2.9 Safety requirements for machinery in the US
10.04
2-38
2.9.1 OSHA
An essential difference in the legal requirements regarding safety at work between
the US and Europe is the fact that in the US, there is no legislation regarding ma-
chinery safety that is applicable in all of the states and that defines the responsibil-
ity of the manufacturers/supplier. On the other hand, there is a general requirement
that the employer must offer a safe workplace. This is regulated in the Occupa-
tional Safety and Health Act (OSHA) from 1970.
The requirements of the OSH Act are administered by the Occupational Safety and
Health Administration (also known as OSHA). OSHA employs regional inspectors
that check whether the workplaces are in compliance with the valid regulations.
The regulations of OSHA, relevant for safety at work, are described in OSHA 29
CFR 1910.xxx (”OSHA Regulations (29 CFR) PART 1910 Occupational Safety and
Health”). (CFR: Code of Federal Regulations).
The application and use of the Standards is regulated in 29 CFR 1910.5 ”Applica-
bility of standards”. The concept is similar to that used in Europe. Standards for
specific products have priority over general Standards if the aspects involved are
handled there. When the Standard is fulfilled, the employer can assume that he
has fulfilled the core requirements of the OSM act regarding the aspects handled
by the Standards.
Additional Standards
In addition to the OSHA regulations, it is important that the current standards from
organizations such as NFPA and ANSI are carefully observed as well as the exten-
sive product liability legislation that exists in the US. As a result of the product li-
ability legislation, it is in their own interests that manufacturing and operating com-
panies carefully maintain the applicable regulations and are more or less ”forced”
to fulfill the requirement to use state–of–the–art technology.
Third–party insurance companies generally demand that their customers fulfill the
applicable standards of the Standards Organizations. Initially, self–insured compa-
nies do not have this requirement, but, in the case of an accident, they must prove
that they have applied the generally recognized safety principles.
NFPA 70 (known as the National Electric Code (NEC)) and NFPA 79 (Electrical
Standard for Industrial Machinery) are two especially important Standards for
safety. Both describe the basic requirements placed on the characteristics, fea-
tures and implementation of electrical equipment. The National Electric Code
(NFPA 70) is predominantly applicable for buildings but also for electrical connec-
tions of machines and partial–machines. NFPA 79 is valid for machinery. This
means that there is a grey area in the demarcation between both standards for
large machines that comprise sub or partial machines. For example, large con-
veyor systems can be considered as a part of the building – so that NFPA 70
and/or NFPA 79 should be applied.

10.04
2-39
2.9.2 NFPA 79
This Standard applies for the electrical equipment of industrial machines and ma-
chinery with rated voltages of less than 600V. (A group of machines that operate
with one another in a coordinated fashion is also considered to be a machine.)
The new edition of NFPA 79 – 2002 includes some basic requirements for pro-
grammable electronics and buses if these are being used to implement and exe-
cute safety–relevant functions. If these requirements are fulfilled, then electronic
controls and buses can also be used for Emergency Stop functions, Stop Catego-
ries 0 and 1 (refer to NFPA 79 – 2002 9.2.5.4.1.4). Contrary to EN 60204–1,
NFPA 79 specifies that for Emergency Stop functions, the electrical energy must
be disconnected using electro–mechanical elements.
The core requirements placed on programmable electronics and buses include:
System requirements (refer to NFPA 79 – 2002 9.4.3)
S Control systems that must include software–based controllers,
(1) If an individual fault occurs,
– the system is shut down and brought into a safe state
– restart is prevented until the fault has been removed
– unexpected starting is prevented
(2) Provide protection comparable to hard–wired controls
(3) Implemented corresponding to a recognized Standard that defines requirements
for such systems.
In a note, IEC 61508 is specified as a suitable Standard.
Requirements placed on programmable equipment (refer to NFPA 79 – 2002 11.3.4)
S Software and firmware–based controllers, that are used in safety–relevant func-
tions, must be listed for such an application (i.e. certified by an NRTL).
A note states that IEC 61508 provides the requirements to design such a
controller.
2.9.3 ANSI B11
There are a series of additional Standards regarding safety in industrial environ-
ments under ANSI B11. These offer additional instructions to achieve the required
level of safety.
A series of ANSI Standards is listed in Table 2-6:

10.04
2-40
Table 2-6 ANSI Standards (excerpt)
Number Contents
ANSI B11.6 (2001) Safety Requirements for Manual turning Machines
ANSI B11.8 (2001) Safety Requirements for Manual milling and boring Machines
ANSI B11.9 (1997) Grinding machines – Safety Requirements for Construction Care
and Use
ANSI B11.10 (2003) Metal Sawing Machines – Safety Requirements for Construction
Care and Use
ANSI B11.11 (2001) Safety Requirements for Gear & Spline Cutting Machines
ANSI B11.19 (2003) Performance Criteria for Safeguarding
ANSI B11.20 (1996) Manufacturing systems/Cells – Safety Requirements for
Construction Care and Use
ANSI B11.22 (2002) Machine tools Using Lasers – Safety Requirements for
Construction Care and Use
ANSI B11.23 (2002) Safety Requirements for Machine Centers
ANSI B11.24 (2002) Safety Requirements for Transfer Machines
ANSI B11.TR–1 (1993) Ergonomic Guidelines for the design, installation and use of ma-
chine tools
ANSI B11.TR–3 (2000) Risk assessment and risk reduction – A guide to estimate, evalu-
ate and reduce risks associated with machine tools
ANSI B11.TR–4 Application of programmable electronic systems for the safety
related functions of machine covered by the B11 safety standard
series (in development)
ANSI Z244.1 (2003) Control of hazardous energy – Lockout/tagout and alternative
methods
ANSI Z535.1 (2002) Safety Color Code
ANSI Z535.3 (2002) Criteria for Safety Symbols
ANSI Z535.4 (2002) Product Safety Signs and Labels
ANSI Z535.5 (2002) Accident Prevention Tags and Labels

2.10 Safety requirements in Japan
10.04
2-41
2.10 Safety requirements in Japan
The situation in Japan is different than that in Europe and the US. Comparable leg-
islation regarding functional safety such as in Europe does not exist. Further, prod-
uct liability does not play a role such as in the US.
There are no legal requirements to apply Standards but an administrative recom-
mendation to apply JISs (Japanese Industrial Standards):
Japan bases its approach on the European concept and uses basic Standards as
its National Standards (refer to Table 2-7).
Table 2-7 Japanese Standards
ISO/IEC number JIS number Comment
ISO12100–1 JIS B 9700–1 Earlier designation TR B 0008
ISO12100–2 JIS B 9700–2 Earlier designation TR B 0009
ISO14121 (EN1050) JIS B 9702
ISO13849–1 (Ed. 1) JIS B 9705–1
ISO13849–2 (Ed. 2) JIS B 9705–1
IEC60204–1 JIS B 9960–1
IEC61508–1 to 7 JIS C 0508
IEC 62061 A JIS number has still not been assigned

2.11 Basics of SINUMERIK Safety Integrated
10.04
2-42
2.11.1 Certification/EC type test
Category 3 acc. to EN 954–1
SINUMERIK Safety Integrated is certified according to the EC Machinery Direc-
tive by an approved test laboratory.
The safety machine functions correspond to Category 3 according to EN 954–1
(the safe brake test is an exception – this corresponds to the requirements, Cate-
gory 2).
This means that SINUMERIK Safety Integrated can be used for all machine tool
and production machines. With SI, machinery construction OEMs can themselves
verify their machines independent of whether there are harmonized standards
available. The prerequisite to do this is that an acceptance test has been success-
fully completed (refer to Chapter ”NCK acceptance test support” and Chapter
”Acceptance report”).
In his documentation or declaration of conformance, the machinery construction
OEM should refer to the EC type examination (certificate) for SINUMERIK Safety
Integrated.
2.11.2 Basic features of SINUMERIK Safety Integrated
Features of the two–channel, diverse structure
A two–channel, diverse structure is characterized by the following features:
S Two–channel structure with at least 2 independent computers (i.e. computers
with different hardware and software).
S Crosswise result and data comparison with forced checking procedure in order
to be able to itself detect faults in functions that are infrequently used (dormant
faults).
S The computers can access data, reaction–free and decoupled at the shared
(common) interfaces (e.g. actual value input).
Sensing
The 611 digital control module senses the actual values through the 1st actual
value input for a 1–encoder system and through the 1st and 2nd actual value input
for a 2–encoder system; it provides this data to the control and the drive through 2
separate actual value channels.

10.04
2-43
Evaluating
The safety–related functions are executed independently of one another by the
NCK–CPU and the drive CPU. Both CPUs cyclically and mutually compare their
safety–related data and results (crosswise data comparison). A test can be
carried–out from both CPUs to check the shutdown paths (forced checking proce-
dure).
Responding
When safety–related functions respond, the NCK and/or the drive can act on the
power module through the shutdown paths and safely stop the axis/spindle.
2.11.3 Forced checking procedure
Forced checking procedure, general (extract from /6/)
”...A forced checking procedure must be carried–out for all static (steady–stage)
signals and data. Within the required time (8 h), the state must change from a log-
ical 1 to a logical 0 – or vice versa. If the state remains static in a fault situation,
then this is detected at the latest as a result of this forced checking procedure and
the subsequent comparison.
A forced checking procedure must be used, e.g. for components that are required
to stop a process (e.g. contactors and power semiconductors) – the so–called
shutdown path and for the shutdown condition. Generally, it is not possible to test a
shutdown condition, e.g. violation of a limit value criterion, using other methods
such as e.g. crosswise data comparison, when the machine is in an acceptable
(good) condition. This also applies to errors along the entire shutdown path includ-
ing associated hardware, software and power switching elements. By integrating a
test stop every eight hours with a comparison and expected status, faults can also
be detected when the machine is in an acceptable (good) condition....”
(Comment: Acceptable (good) condition means that there are no machine faults
that are apparent to the operator).
Forced checking procedure with Safety Integrated
The forced checking procedure is used to detect faults/errors in the software and
hardware of the two monitoring channels. In order to do this, the safety–relevant
parts in both channels must be processed at least once during a defined period in
all safety–relevant branches. Any faults/errors in the monitoring channel would
cause deviations and will be detected by the cross–wise data comparison.

10.04
2-44
The forced checking procedure of the shutdown path (test stop) must be triggered
by the user or integrated in the process as an automatic procedure, e.g.:
S When the axes are stationary after the system has been powered–up
S When the protective door is opened
S In defined cycles (e.g. every 8 hours)
S In the automatic mode – dependent on the time and event.
The forced checking procedure also includes testing the safety–relevant sensors
and actuators. In this case, the entire circuit including the ”safe programmable
logic” (SPL) is tested to ensure that it is correctly functioning.
Note
A defined, fixed 8–hour cycle is not mandatory while in the automatic mode (when
the protective door is closed). In this case, the forced–checking procedure can be
linked to when the 8 hours expires with the next time that the protective door is
opened.
Error in the monitoring channel
An error in the monitoring channel results in deviations and is detected by the
crosswise data comparison.
Crosswise data comparison
Dormant errors in the safety–relevant data of the two monitoring channels are de-
tected by the crosswise data comparison.
In the case of ”variable” data, tolerance values defined using machine data are
used by which amount the results of the two channels may deviate from one
another without initiating a response (e.g. tolerance for crosswise data comparison
of actual positions).
Note
Errors that are detected as a result of the forced checking procedure or crosswise
data comparison lead to a STOP F response (refer to Chapter 3.1.5 ”Stop
responses”) and initiate a further stop response when safety integrated is active.

10.04
2-45
2.11.4 Monitoring clock cycle and crosswise data comparison clock cycle
Setting the monitoring clock cycle time
The safety–relevant functions are monitored cyclically in the monitoring clock cycle
that can be set jointly for all axes/spindles using the following machine data:
Setting the monitoring clock cycle
for 840D
MD 10090: $MN_SAFETY_SYSCLOCK_TIME_RATIO
The specified clock cycle is checked and rounded–off to the next possible value
when the control runs–up and every time the machine data changes.
The resulting monitoring clock cycle is displayed using MD 10091:
$MN_INFO_SAFETY_CYCLE_TIME
(refer to Chapter 4.1 ”Machine data for SINUMERIK 840D”).
for 611digital
MD 1300: $MD_SAFETY_CYCLE_TIME
(refer to Chapter 4.2 ”Machine data for SIMODRIVE 611 digital”)
!
Warning
The monitoring clock cycle determines the response time of the safety–relevant
functions. It must therefore be selected to be ≤ 25 ms. The higher the monitoring
cycle setting, the greater the amount by which the monitored limit value is violated
in the event of an error and the more that the drive(s) overshoots.
Displaying the comparison clock cycle
MD 10092: $MN_INFO_CROSSCHECK_CYCLE_TIME specifies the maximum
crosswise comparison clock cycle in seconds. If the monitoring clock cycle is modi-
fied, then the crosswise comparison clock cycle is also changed.
In order to be able to support the different function configurations (expansions) of
the various control modules, the amount of data that is compared crosswise be-
tween the NCK and 611digital monitoring channel differs depending on the specific
axis. To display the actual crosswise data comparison cycle time, the axial MD
36992: $MA_SAFE_CROSSCHECK_CYCLE is used.

10.04
2-46
2.11.5 User agreement
Description
With a user agreement, an appropriately authorized person confirms that the cur-
rently displayed SI actual position of an axis corresponds to the actual position at
the machine.
This can be checked by traversing the axis to a known position (e.g. a visual mark)
or the axis is adjusted/calibrated and the SI actual position is therefore compared
in the ”user agreement” screen.
An axis/spindle with integrated safety functions can have the following status:
User agreement = yes, or
User agreement = no
The following data for each axis/spindle with activated Safety Integrated is dis-
played in the user agreement screen:
S Machine–axis name
– SI position
– User agreement
When does a user agreement have to be given?
A user agreement is only required when ”safe software limit switches” (SE) and/or
”safe software cams” (SN) are being monitored for an axis/spindle, i.e.
– when the axis/spindle is commissioned for the first time.
– when the user intends or needs to again manually and safely reference the
axis/spindle.
– if, after POWER ON, the standstill position did not correspond with the ac-
tual position and the control cancelled the user agreement.
– after parking an axis/spindle
(only if the change in position is greater than that defined using MD 36944:
Tolerance actual value comparison (referencing)).

10.04
2-47
Note
An axis/spindle must have the status User agreement = yes before the SN and SE
functions can be used.
For additional information regarding the user agreement function, please refer to
Chapter 3.11.2, ”Adjustment, calibration, axis states and history”.
Applicable for 840D from SW 3.6
For axes/spindles without the safety ”SE” and ”SN” functions, the saved standstill
(zero–speed) position is not evaluated if a user agreement has not been set.
!
Warning
If the drive is not reliable referenced and a user agreement has not been given,
then the following applies:
– The ”safe software cams” are active but not yet safe in the sense of control
Class 3.
– The ”safe software limit switches” are still not active.
Interlocking the user agreement
Before a user agreement can be issued, the interlock must be cancelled:
S Key–operated switch
in setting 3 –> the user agreement can be issued
After the user agreement has been issued, the interlocking must be again set (e.g.
the key withdrawn).
2.11.6 Enabling the safety–related functions
Global enable
SINUMERIK Safety Integrated (SI) with safety–relevant functions is enabled us-
ing a basic and axis option.
The SH function is operative if at least one safety–relevant function is activated.
The enable signal determines the number of axes/spindles for which SI can be ac-
tivated.

10.04
2-48
Ordering data supplement
SINUMERIK Safety Integrated with one axis/spindle can only run with the appropriate
supplement.
Enabling safety–relevant functions
Which safety functions are to be effective can be individually selected for each axis
using the following machine data:
for 840D
MD 36901: $MA_SAFE_FUNCTION_ENABLE
(refer to Chapter 4.1 ”Machine data for SINUMERIK 840D”)
for 611digital
MD 1301: $MD_SAFE_FUNCTION_ENABLE
(refer to Chapter 4.2 ”Machine data for SIMODRIVE 611 digital”)
Among others, the following functions can be individually enabled:
S SBH/SG
S SE
S SN1+ , SN1 –, SN2 +, SN2 –, SN3 +, SN3 –, SN4 +, SN4–
S SG override
S Slip
S External stop signals
S Cam synchronization
S STOP E (since SW 6.4.15)
Note
To ensure that SBH can always be selected in the event of an error, the function
SBH/SG must be activated and appropriately parameterized when the function SE
and/or SN are(is) enabled.
The axis–specific enable data in the NCK must match those in the drive,
otherwise, the crosswise data comparison signals an error.
An axis is treated as an axis in terms of the global option if at least one
safety–relevant function is activated via the axis–specific enable data.
The maximum number of axes that may operate using the safety functions is
dependent on the number that has been enabled using the basic and axis option.

2.12 Increasing the availability using integrated safety technology
10.04
2-49
2.12 Increasing the availability using integrated safety technology
It is possible to implement completely new operator concepts at machines with dif-
ferent requirements by combining the safety functions listed in Chapter 3.1 ”Basic
mechanisms of the SI functions”. The operator can intervene – e.g. in the tool
magazine or at the setting–up location while in productive operation.
However, the most important consideration is always to provide the best possible
protection for the user while at the same time being able to use the machine for the
intended purpose.
Machine protection (machine, workpiece, tool, ...) can also profit to a large extent
as a result of these advantages.
Integrated safety technology now takes the emphasis away from purely hardware
and electro–mechanical–based solutions to those based on software and electron-
ics – thus gradually and successively replacing technology that is subject to wear.
Further, integrated safety technology provides intelligent system control right down
to the sensors and actuators – previously unknown for these types of applications.
This results in new diagnostic capabilities that offer preventive fault detection. Even
for faults that suddenly occur during production, the risk of injury to the operator
and damage to the machine can be significantly reduced as a result of fast fault
detection and coordinated, safe shutdown.
Integrated safety technology
Integrated safety technology allows
S Optimized processes
S Sub–processes that can operate in parallel
S Simpler machine infrastructures
S Practical machine handling concepts
Impact
Impact on the availability
S Reduced fault potential
S Longer production times
S Shorter downtimes
When applied consequentially, integrated safety technology offers considerable
potential for increasing the overall availability.

2.13 Overview of the safety–related functions
10.04
2-50
2.13 Overview of the safety–related functions
The safety–related functions are available in all modes and can communicate with
the process via safety–related input/output signals.
These can be implemented individually for each axis:
S Safe stopping process
When a monitoring function or a sensor responds (e.g. a light barrier), the
drives are safely controlled down to standstill.
S Safe operating stop (SBH)
Monitors the drives during standstill (to ensure that they remain stationary). The
drives remain fully functional in the position controlled mode.
S Safe standstill (SH)
The drive pulses are cancelled. The energy feed is safely and electronically dis-
connected.
S Safely–reduced speed (SG)
Configured speed limits are monitored, e.g. when setting–up without using an
agreement button.
S Safe software limit switches (SE)
Variable traversing range limits
S Safe software cams (SN)
To detect ranges
S Safe input/output signals (SGE/SGA)
Interface to the process
S Safe programmable logic (SPL)
All of the safe signals and internal logic are directly connected.
S Safe brake management (SBM)
Brakes are controlled through two channels and a cyclic brake test is carried–
out.
S Safety–relevant communication using distributed I/Os connected through a
standard bus for process and safety signals with PROFIBUS and the PROFI-
safe protocol.
S Safe software relays (SI relay)
Designed to implement an emergency stop with safe programmable logic and
similar requirements.
S Safe braking ramp (SBR)
Monitors the speed characteristic. The actual speed must be reduced after a
stop request has been issued.

840 d funções e safety integrated

840 d funções e safety integrated

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie 840 d funções e safety integrated

Ähnlich wie 840 d funções e safety integrated (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

840 d funções e safety integrated