Requirements for the external safety controller

If the CSO safety option is used, a safety controller or a safety relay must be used. The following requirements apply analogously:

    • The safety controller and all other safety-related subsystems must be approved for at least the safety class required in the overall system for the respective application-related safety function.

The following table shows an example of the required safety class of the safety controller:

Application

Requirement for safety controller

Performance level d according to EN ISO 13849-1, SIL 2 according to EN 62061

Performance level d according to EN ISO 13849‑1
SIL 2 according to EN 61508

  • The wiring of the safety controller must be suitable for the endeavored safety class (see manufacturer's documentation). The STO input of the device can be switched with 2 poles (sourcing/sinking) or with 1 pole (sourcing).
  • The values specified for the safety controller must be strictly adhered to when designing the circuit.
  • Only guards with back-step protection may be used at the STO input of the device. The guards must be connected to the CS..A safety option via a safety relay or a safety controller.
  • To stop the drive in an emergency in accordance with EN 60204-1, emergency stop control devices must be connected to the STO input of the device (CSO safety option) as follows:
    • via a safety relay
    • via a safety controller
  • To ensure protection against an unexpected restart in accordance with EN ISO 14118, the safe control system must be designed and connected in such a way that resetting the command device alone does not lead to a restart. This means that a restart may only be carried out after a manual reset of the safety circuit.
  • If no fault exclusion is used for the STO wiring in accordance with DIN EN ISO 13849‑2 or DIN EN 61800‑5‑2, the external safety device must detect the following faults with regard to the STO wiring within 20 s depending on the connection type:
    • Two-pole sourcing/sinking:
    • Short circuit of 24 V at F_STO_P1 (Stuck-at 1)
    • Short circuit of 0 V at F_STO_M (Stuck-at 0)
    • Dual-channel serial sourcing output:
    • Fault exclusion is mandatory
    • Single-pole sourcing:
    • Short circuit of 24 V at F_STO_P (Stuck-at 1)
  • Test pulses can take place in the switched on or switched off condition with connection type "Two-pole sourcing/sinking".
    • The test pulses in the sourcing and sinking channel must not exceed 1 ms.
    • The next switch-off test pulse in the sourcing or sinking channel must only occur after a 2 ms time period.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.
  • Test pulses can take place in the switched on or switched off condition with connection type "Single-pole sourcing output".
    • The test pulse on the sourcing channel must not exceed 1 ms.
    • The next switch-off test pulse may only occur after a time period of 2 ms at the earliest.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.