External safety controller requirements

Without the CS..A safety option, a safety controller or a safety relay must be used. The following requirements apply analogously:

  • The safety controller and all other safety-related subsystems must be approved for at least the safety class required in the overall system for the respective application-related safety sub-function.

The following table shows an example of the required safety class of the safety controller:

| Application | Requirement for safety controller |
|---|---|
| Performance level d according to EN ISO 13849-1, SIL 2 according to EN 62061 | Performance level d according to EN ISO 13849-1, SIL 2 according to EN 61508 |
| Performance level e according to EN ISO 13849-1, SIL 3 according to EN 62061 | Performance level e according to EN ISO 13849-1, SIL 3 according to EN 61508 |

  • The wiring of the safety controller must be suitable for the intended safety class (see manufacturer's documentation). The STO input of the device can be switched with 2 poles (sourcing output, sourcing/sinking, or serial sourcing), or with 1 pole (sourcing output).
  • The values specified for the safety controller must be strictly adhered to when designing the circuit.
  • Only guards with back-step protection may be used at the STO input of the device. The guards must be connected to the CS..A safety option via a safety relay or a safety controller.
  • To stop the drive in an emergency in accordance with EN 60204-1, emergency stop control devices must be connected to the STO input of the device as follows:
    • via the CS..A safety option
    • via a safety relay
    • via a safety controller
  • To ensure protection against an unexpected restart in accordance with EN ISO 14118, the safe control system must be designed and connected in such a way that resetting the command device alone does not lead to a restart. This means that a restart may only be carried out after a manual reset of the safety circuit.
  • If no fault exclusion is used for the STO wiring in accordance with EN ISO 13849-2 or EN 61800-5-2, the external safety device must detect the following faults in the STO wiring within 20 s depending on the connection type:
    • Two-pole sourcing output:
      • Short circuit of 24 V at F_STO_P1 or F_STO_P2 (Stuck-at 1)
      • Crossfault between F_STO_P1 and F_STO_P2
    • Two-pole sourcing/sinking:
      • Short circuit of 24 V at F_STO_P1 (Stuck-at 1)
      • Short circuit of 0 V at F_STO_M (Stuck-at 0)
    • Dual-channel serial sourcing output:
      • Fault exclusion is mandatory
    • Single-pole sourcing:
      • Short circuit of 24 V at F_STO_P (Stuck-at 1)
  • Test pulses can take place in the switched on or switched off condition with connection type "Two-pole sourcing output".
    • The test pulses on both sourcing channels must be switched with a time delay. However, additional switch-off test pulses may occur simultaneously.
    • The test pulses in both sourcing channels must not exceed 1 ms.
    • The next switch-off test pulse in one sourcing channel must only occur after a 2 ms time period.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.
    • The signal levels may have a maximum temporal discrepancy of 130 ms. In case of a larger temporal discrepancy, the device changes to the STO fault state (F20.11).
  • Test pulses can take place in the switched on or switched off condition with connection type "Two-pole sourcing/sinking".
    • The test pulses in the sourcing and sinking channel must not exceed 1 ms.
    • The next switch-off test pulse in the sourcing or sinking channel must only occur after a 2 ms time period.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.
  • Test pulses can take place in the switched on or switched off condition with connection type "Single-pole sourcing output".
    • The test pulse on the sourcing channel must not exceed 1 ms.
    • The next switch-off test pulse may only occur after a time period of 2 ms at the earliest.
    • A maximum of 3 switch-on test pulses may be generated in sequence at an interval of 2 ms. Wait for at least 500 ms after any packet before you generate another switch-on test pulse or another switch-on test pulse packet.
    • The signal levels must be read back by the safety controller and compared to the expected value.
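
The per-channel timing limits that all three connection types above share (pulse width, 2 ms spacing, switch-on packets of at most 3 pulses, 500 ms pause) can be checked against a planned or captured pulse schedule before commissioning. The following is an added example, not part of the original documentation or any manufacturer tooling; the function name `check_test_pulses`, the tuple layout, and the convention of measuring gaps from the end of one pulse to the start of the next are assumptions.

```python
from collections import defaultdict

# Limits quoted from the requirements above, in microseconds.
MAX_WIDTH_US = 1_000       # a test pulse must not exceed 1 ms
MIN_GAP_US = 2_000         # next pulse on a channel only after 2 ms
MAX_PACKET = 3             # at most 3 switch-on pulses in sequence
PACKET_PAUSE_US = 500_000  # wait at least 500 ms after a packet


def check_test_pulses(pulses):
    """Check (channel, kind, start_us, width_us) tuples, kind 'on' or 'off'.

    Returns a list of (rule, channel, start_us) violations, empty if none.
    Assumption: gaps are measured from the end of one pulse to the start
    of the next; switch-on pulses closer than 500 ms form one packet.
    """
    violations = []
    streams = defaultdict(list)
    for channel, kind, start, width in pulses:
        if width > MAX_WIDTH_US:
            violations.append(("width", channel, start))
        streams[(channel, kind)].append((start, width))

    for (channel, kind), items in streams.items():
        items.sort()
        packet_len = 1
        for (prev_start, prev_width), (start, _) in zip(items, items[1:]):
            gap = start - (prev_start + prev_width)
            if gap < MIN_GAP_US:
                violations.append(("gap", channel, start))
            if kind == "on":
                packet_len = 1 if gap >= PACKET_PAUSE_US else packet_len + 1
                if packet_len == MAX_PACKET + 1:
                    violations.append(("packet", channel, start))
    return violations


# Constructed traces (not measurements from a real device).
GOOD = [("F_STO_P1", "on", t, 1_000) for t in (0, 3_000, 6_000, 507_000)]
GOOD += [("F_STO_P2", "off", 100_000, 500), ("F_STO_P2", "off", 103_000, 500)]
BAD = [("F_STO_P1", "on", t, 1_000) for t in (0, 3_000, 6_000, 9_000)]
BAD += [("F_STO_P2", "off", 0, 1_500), ("F_STO_P2", "off", 2_500, 500)]

if __name__ == "__main__":
    print(check_test_pulses(GOOD))
    print(check_test_pulses(BAD))
```

The check covers only the per-channel timing rules; the read-back comparison and the 130 ms discrepancy limit between channels are not modelled.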