
TM540

Integrated safe motion control


Prerequisites and requirements

Training modules
• TM210 – Working with Automation Studio
• TM410 – Working with integrated motion control or TM415 – Introduction to mapp Axis
• TM510 – Working with SafeDESIGNER

Software
• Safety Release R 1.10
• SafeDESIGNER toolset

Hardware
• SG4 CPU with POWERLINK V2 interface / interface card
• SafeLOGIC (X20SL8100, X20SLX410)
• ACOPOSmulti SafeMOTION inverter module or ACOPOS P3 with SafeMOTION



Table of contents

1 Introduction
1.1 Learning objectives
2 Operating principle of "safe motion control"
2.1 Comparison to motion control without integrated safety technology
2.2 Advantages of integrated safety technology
2.3 Safe power transmission system
2.4 The idle current principle
2.5 Implementing safety functions
2.6 Error states with SafeMOTION
3 Project development
3.1 Configuration in Automation Studio
3.2 Using SafeDESIGNER
4 Safe drive configuration
4.1 Parameters for the safety response time
4.2 Setting the units system for SafeMOTION
4.3 Safe monitoring of the motor/encoder shaft connection
4.4 Error handling
5 Integrated safety functions
5.1 Overview of safety functions
5.2 Using safety functions
5.3 Safety functions and their application
6 Summary
7 Example solutions for safety applications


1 Introduction

The TM540 – Safe Motion Control training module is designed to familiarize you with SafeMOTION
safety functions and demonstrate how they can be used in SafeDESIGNER and Automation Studio.
This training course will explore the relationship between safety-oriented and non-safety-oriented
(standard) applications. It will introduce the safety functions available with SafeMOTION and explain
how to use them.

Figure 1: Integrated safety technology
(Labels in the figure: B&R Automation Studio, SafeDESIGNER, PLC/PC, Modbus, TCP/IP, POWERLINK,
SafeLOGIC, X20 SafeIO, X67 SafeIO, ACOPOSmulti SafeMOTION, ACOPOS, ACOPOSmicro, ACOPOSinverter,
SafeROBOTICS, STO)

The safety functions integrated in the drive open up entirely new possibilities for guaranteeing the safety
of personnel while maintaining maximum machine availability.

The TM540 – Safe Motion Control training module was designed to accompany training seminars
and does not represent a full documentation of integrated safe motion control technology.
Complete documentation can be found in the SafeMOTION user's manual and in Automation
Help.
Safety technology \ Libraries \
The user's manual can be downloaded free of charge from www.br-automation.com under
Downloads / Safety technology / <Any device type with SafeMOTION>.


1.1 Learning objectives

The goal of this training module is to become familiar with the SafeMOTION safety functions and to learn
how they are used.
• Participants will learn the principles on which safe integrated motion control operates.
• Participants will learn about the available safety functions and how they are used (STO, SS1,
etc.).
• Participants will learn how to add and configure a safe drive in Automation Studio.
• Participants will learn about the relationship between standard and safety applications.
• Participants will learn about the function blocks in the PLCopen Safety library and the
procedure for developing safety functions.
• Participants will learn the procedure for commissioning and maintenance.

In order to correctly implement a safety application, it is important that applicable regulations
and standards are observed in all phases of the safety application's lifecycle. This training
module only covers the use of the integrated SafeMOTION safety functions in SafeDESIGNER.
This training manual can therefore never replace sound training in safety-related topics.


2 Operating principle of "safe motion control"

From the point of view of the standard application, an ACOPOS servo product family device
with SafeMOTION behaves like an ACOPOS servo product family device without integrated
safety technology. The drive can therefore be integrated in a POWERLINK network and
operated using PLCopen function blocks as usual.
ACOPOS servo product family devices with SafeMOTION differ through additional software
and hardware that evaluates the encoder signal with regard to safety, has control of pulse
disabling and controls the motor holding brake output. This functionality will be referred
to as SafeMOTION.

The purpose of this section is to explain the fundamental characteristics of motion control with integrated
safety technology as well as to present its main advantages.

2.1 Comparison to motion control without integrated safety technology

The fundamental purpose of safe motion control is to interrupt the signals from the processor and power
supply when an error occurs in order to cut the power to the motor. This interruption is done via safe
pulse disabling, which in the case of standard safety technology is controlled via two inputs on the power
inverter. These inputs are generally referred to as "Enable1" and "Enable2".
In B&R integrated safety technology, these inputs are fed internally via SafeMOTION rather than via an
external connection on the housing. The encoder signal is also evaluated in order to monitor the speed
and position limits as needed. In addition, the safe motor holding brake output on the inverter module
is switched and monitored.
The integrated safety technology does not actively intervene in control and therefore only handles
verifying and monitoring functions.

Stopping an axis
The advantage of integrated safety technology is the possibility to respond to safety-related events.
The drive does not necessarily have to be powered off, but can be brought to a standstill in a controlled
manner and monitored.
This action is not carried out by the safety application; it is handled by the standard application. The
possibility for the safety application to communicate with the standard application will be described later
(interface).
The commands to stop or switch off the axis are already known and are called here, as usual, from a
program on the PLC.
The safety application can now set up a time or ramp window and, for example, handle standstill monitoring.
As a last resort (e.g. if the standard application accelerates further in an unauthorized way), the safety
application can only switch on pulse disabling on the inverter and activate the holding brake. This ensures
that no additional energy is introduced into the system.
Safety violations should not be the normal situation; they should only serve as a safety function.
Interaction with the standard application is therefore always required.


2.2 Advantages of integrated safety technology

Seamless integration of safety technology in the standard application is a reality with B&R's safety
technology products. This allows fixed wiring to be replaced by safe data transfer via the existing machine
bus system. Flexibly configured or programmed safety behavior can be adapted optimally to various
safety situations. Complete diagnostic information about safety components accessible via the machine
bus system provides detailed data about the state of the machine.
Wiring of the "Enable" inputs (controller enable) is not needed because it is enabled via the safety
application.
Monitoring the position and speed can be done without additional hardware because the encoder system
is safety certified.
The safety application monitors the process, so the existing standard application can continue to be used
and adapted. There is no need to create a new program with the safety function.
The response times achieved minimize residual movement in the event of an error, resulting in a
significant increase in safety!

2.3 Safe power transmission system

The main components of a safe power transmission include:


• SafeMOTION-compatible device (ACOPOS P3 or ACOPOSmulti inverter module)
• Encoder cable
• Motor cable
• Motor with position encoder

The certified ACOPOSmotor SafeMOTION variant also constitutes a compact device.

The latest version of the "B&R motors / Encoder list" can be downloaded from www.br-automation.com

The encoder interface/SafeMOTION module is built into the inverter module and cannot be replaced.
The ACOPOS P3 SafeMOTION variant was designed with customer requirements for scalability in mind.
The safety functions have been grouped and can be activated using a Technology Guard License.
Using a SafeLOGIC controller, you can initially operate these servo drives with controller enable
("Enable") as usual, like a familiar ACOPOS device with all configuration settings and test possibilities.


Figure 2: Example: Safe power transmission system using an ACOPOSmulti SafeMOTION
(Labels in the figure: Electronics, SafeMOTION Electronics, POWERLINK communication, EPL safety,
Control, Encoder position, Current / Speed / Position / Brake, Monitoring, Diagnostic functions,
Motor control, Safe pulse disabling, Brake control, Power stage, Safe current measurement*,
Enc. signal connection, Brake connection, Motor connection, B&R safety motor, Motor shaft, Motor,
Brake, Encoder shaft, Encoder)

* Only valid for ACOPOSmulti SafeMOTION SinCos & ACOPOS P3 SafeMOTION

A functional safety encoder, safe encoder mounting and/or corresponding cables may be required
depending on the safety function being used.

Exercise: Commissioning a safe axis

The goal of this exercise is to prepare an ACOPOSmulti SafeMOTION inverter module for operation.
• Create a project in Automation Studio and add the hardware (SafeLOGIC controller, ACOPOSmulti,
etc.). Assign the node numbers based on the hardware used.
When specifying the device parameters, you will need to specify that the ACOPOSmulti
SafeMOTION inverter module's DC bus will be supplied with 24 V. (Right click on the ACOPOS
configuration)
• Parameter "Velocity Error Monitoring" in the ACOPOS configuration (Real Axis \ Movement Error
limits\) must be set to "mcSTOP_AUTOMATIC1".
• Open SafeDESIGNER and add function block SF_SafeMC_BR_V3.
• Connect the S_AxisID input to the axis reference variable and the Activate input to a constant
with the value TRUE.
• Set the following parameters in the parameter list for the safe axis in SafeDESIGNER (to allow
movement with minimal work):


| Name | Value | Reason |
| SMS - Enable (Safe Maximum Speed) | Disabled | Is initially disabled because the maximum speed is set to 0 by default, and would thus generate an error when starting. |
| Encoder monitoring - Position error monitoring - Enable | Disabled | Is initially disabled because the tolerance is set to 0 by default, and would thus generate an error when starting. |
| Encoder monitoring - Speed error monitoring - Enable | Disabled | Same reason as for position error monitoring. |
| Automatic reset on start - Enable | Enabled | To prevent having to have an edge on the "Reset" input of the function block after booting. |

• Transfer the project to the controller and the SafeDESIGNER project to the
SafeLOGIC controller.
• After transfer is complete, the axis should be restarted.
• After booting, SafeMOTION activates pulse disabling and the motor brake. The axis can now
be operated normally in the testing environment.
• Observe the LED on the device and the Logger in Automation Studio.

Function block descriptions can be opened directly from SafeDESIGNER by right-clicking on a
function block and selecting "Help on function block/FU" from its shortcut menu.

2.4 The idle current principle

Integrated safety technology with SafeMOTION uses the idle current principle. When there is a logical
0 at a controller input or the current is interrupted, the corresponding safety function or error response
is executed.
The idle current principle ensures that the system tends toward the safest possible result in case of
failure.
This method is an example of the general principle referred to in engineering as "fail-safe".
This is why cutting off the drive's energy and torque is the only safe function that can be executed at any
time. The consequences that are described below are a result of the fail-safe principle.

This approach represents the current state of technology and is handled identically by all competitors
on the market.

Situations involving external forces (e.g. hanging loads) can result in dangerous movements!
If this poses a safety risk, then the user must implement the necessary equipment to eliminate
the risk (e.g. mechanical brakes)! This equipment must correspond to the required safety level!


2.5 Implementing safety functions

As described in the previous sections, SafeMOTION does not actively intervene in open and closed
control loops on the inverter module. Only pulse disabling and the motor holding brake output are
operated directly.

Safe pulse disabling


Safe pulse disabling prevents control pulses from the processor from reaching the inverter's power stage.
These missing control signals cause the impedance in the power transistors to spike, which in turn cuts
the power to the motor. Safe pulse disabling is set up the same way with the SafeMOTION option as
in standard ACOPOS devices.
The difference is that no external wiring is required. Instead, pulse disabling is activated internally in the
module by SafeMOTION. Control takes place using two channels.
If the drive was moving before an error, it will coast to a standstill. The residual movement and remaining
time must be considered for the worst-case scenario when making all of the calculations for the machine's
safety circuit.

If pulse disabling is active, the operating system will detect a voltage drop and report errors
"6058: Enable1: Voltage dip" and "6059: Enable2: Voltage dip". These errors must be
acknowledged in the standard application.

Safe motor holding brake output


The safe motor holding brake output can enable the motor brake output independently of the active
controller on the inverter module. A transistor interrupts the flow of current, the magnetic field in the coil
is weakened and the motor brake engages.
The voltage on the motor brake output is evaluated by SafeMOTION, with the transistors tested
cyclically.

2.6 Error states with SafeMOTION

There are essentially two error states, whereby pulse disabling and the safe motor holding brake output
are not enabled.
The distinction between which error state exists can also be seen on the LED on the hardware device
being used or in the Logger.
• FAIL SAFE state
• FUNCTIONAL FAIL SAFE state

2.6.1 FAIL SAFE state

If a hardware or firmware error occurs, then the safe inverter module switches to a non-acknowledgeable
error state – the FAIL SAFE state. A logbook entry in Automation Studio provides more detailed
information regarding a pending error, which can also be evaluated in the standard application. If a
hardware defect is detected, then the inverter module must be replaced.
Errors can also be caused by incorrectly configured parameters, however. If this is the case, then the
safe configuration must be checked and transferred to the SafeLOGIC controller in corrected form. Then
the device must be switched on again in order to return to OPERATIONAL status.


Safe pulse disabling is always active in the FAIL SAFE state (i.e. the motor is no longer supplied
with power or generating torque). In this state, the motor holding brake output is always set to
0 V, which engages a connected motor holding brake.
The motor holding brake will suffer mechanical wear if the motor is in motion just before the
safe state is triggered.

2.6.2 FUNCTIONAL FAIL SAFE state

If a monitored limit is exceeded or an encoder error occurs during operation, then the device changes
to an acknowledgeable error state – the FUNCTIONAL FAIL SAFE state – as long as safe evaluation
of the encoder signal is required for the safety functions being used. Information about any errors that
occur can be found in the logbook entry in Automation Studio.

If the module switches to the FUNCTIONAL FAIL SAFE state:
• The S_NotErrFUNC output on the function block is reset.
• The drive loses all torque/power and coasts to a stop!
• The motor holding brake output is set to 0 V, which engages a connected motor holding brake.
• In the event of an error, a synchronous axis will no longer be synchronous.

If cutting off torque and coasting to a stop on the machine is a problem, an STO1 with delayed STO can
also be set in the SafeMOTION parameters. This provides the possibility for the standard application to
initiate a short circuit stop with the motor. This results in increased braking of the motor – and therefore
the axis – using values that go beyond the defined limits.
The temperature of the motor windings will increase, and this should be taken into account. If there is a
risk of motor overheating, the ACOPOS drive automatically switches off and the motor coasts to a stop.
As an alternative, some type of external brake could be installed on the mechanical system.
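
The behavior described in sections 2.4 to 2.6, as a simplified C model added here for illustration (it is not B&R code and not part of the training module): outputs start from the de-energized result and are only energized while the axis is healthy and the low-active request input is high. All names are hypothetical; acknowledging FUNCTIONAL FAIL SAFE with a rising edge on a reset input, and removing the brake voltage together with the pulses on a request, are assumptions of the model.

```c
/* Added illustration, not B&R code: simplified model of sections 2.4 to 2.6.
 * All type, field and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { OPERATIONAL, FUNCTIONAL_FAIL_SAFE, FAIL_SAFE } axis_state_t;

typedef struct {
    bool request_n;    /* low-active: false (logical 0 or interrupted current) requests the safety function */
    bool reset;        /* acknowledge input, evaluated on its rising edge (assumption) */
    bool limit_or_enc; /* monitored limit exceeded or encoder error */
    bool hw_fw_error;  /* hardware, firmware or parameter error */
} axis_in_t;

typedef struct {
    bool pulses_enabled; /* false: safe pulse disabling active, no torque */
    bool brake_24v;      /* false: brake output at 0 V, holding brake engages */
    bool not_err_func;   /* models S_NotErrFUNC */
} axis_out_t;

typedef struct {
    axis_state_t state;
    bool last_reset;     /* previous reset level, used for edge detection */
} axis_t;

/* Switching the device on again is the only way out of FAIL SAFE
 * (assumes the defect or configuration error has been corrected). */
void axis_power_on(axis_t *ax)
{
    ax->state = OPERATIONAL;
    ax->last_reset = false;
}

/* One evaluation cycle: update the error state, then derive the outputs. */
axis_out_t axis_step(axis_t *ax, axis_in_t in)
{
    bool reset_edge = in.reset && !ax->last_reset;
    ax->last_reset = in.reset;

    if (in.hw_fw_error) {
        ax->state = FAIL_SAFE;               /* latched, not acknowledgeable */
    } else if (ax->state == OPERATIONAL && in.limit_or_enc) {
        ax->state = FUNCTIONAL_FAIL_SAFE;
    } else if (ax->state == FUNCTIONAL_FAIL_SAFE && reset_edge && !in.limit_or_enc) {
        ax->state = OPERATIONAL;             /* acknowledged once the cause is gone */
    }

    /* Idle current principle: the default is the de-energized result;
     * outputs are energized only when nothing is wrong and nothing is requested. */
    axis_out_t out = { false, false, false };
    if (ax->state == OPERATIONAL) {
        out.not_err_func = true;
        /* Assumption: a request removes pulses and brake voltage together. */
        out.pulses_enabled = in.request_n;
        out.brake_24v = in.request_n;
    }
    return out;
}

static const char *state_name(axis_state_t s)
{
    switch (s) {
    case OPERATIONAL:          return "OPERATIONAL";
    case FUNCTIONAL_FAIL_SAFE: return "FUNCTIONAL FAIL SAFE";
    default:                   return "FAIL SAFE";
    }
}

int main(void)
{
    /* Constructed input sequence, one entry per cycle:
     * { request_n, reset, limit_or_enc, hw_fw_error } */
    static const axis_in_t seq[] = {
        { true,  false, false, false },  /* healthy, nothing requested */
        { false, false, false, false },  /* request signal drops to 0 */
        { true,  false, true,  false },  /* monitored limit exceeded */
        { true,  false, false, false },  /* cause gone, not yet acknowledged */
        { true,  true,  false, false },  /* rising edge on reset */
        { true,  false, false, true  },  /* hardware error */
        { true,  true,  false, false },  /* reset has no effect in FAIL SAFE */
    };
    axis_t ax;
    axis_power_on(&ax);
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        axis_out_t o = axis_step(&ax, seq[i]);
        printf("cycle %zu: %-20s pulses=%d brake=%d S_NotErrFUNC=%d\n",
               i, state_name(ax.state), o.pulses_enabled, o.brake_24v, o.not_err_func);
    }
    return 0;
}
```
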


3 Project development

There are two main aspects of project development:
• Configuring and managing the hardware, and programming the standard application in
Automation Studio
In Automation Studio, the ACOPOS servo product family can be added and the standard
application developed normally. Status values for SafeMOTION are available, e.g. via I/O mapping.
• Developing the safety application and defining safety-related parameters in
SafeDESIGNER
In SafeDESIGNER, a function block can be used to control SafeMOTION behavior. This allows
pulse disabling to be activated (STO - Safe Torque Off) and a speed limit to be monitored, for
example.

The following are the steps needed to put an ACOPOS servo product family device with SafeMOTION
into operation:
1) Opening or creating a project in Automation Studio
2) Adding a SafeLOGIC controller
3) Inserting an ACOPOS servo product family device with SafeMOTION
4) Developing the standard application in Automation Studio
5) Opening SafeDESIGNER and defining the safety-related parameters
6) Adding a SafeMOTION function block and connecting the axis reference variable

Commissioning
During commissioning and training, initial transfer can be made easier.
It is helpful to avoid work related to safety-relevant acknowledgment using Setup mode on the
SafeLOGIC controller.
This is available with Safety Release 1.10, AR >=B4.26 and SafeDESIGNER Version 4.3.

Hardware \ X20 system \ X20 modules \ CPUs \ X20(c)SL81xx \ Software functions \ Setup
mode

Acknowledgment can also take place without a hardware contact in SafeDESIGNER via remote control.

Safety technology \ SafeDESIGNER \ User documentation \ Commissioning the SafePLC \
Dialogs for controlling the safety control system \ Remote Control


3.1 Configuration in Automation Studio

Automation Studio provides everything needed to completely manage inverter modules.


From the perspective of Automation Studio, a device with SafeMOTION acts like a standard ACOPOS
servo product family device without SafeMOTION. The difference is that there are one or two safe nodes
behind the POWERLINK node. The necessary axis movement sequences can be programmed using
the PLCopen Motion library or via mapp Motion (MpAxis, etc.). In addition, information is also available
about active safety functions on the axis.
Management involves the following:
• Adding the hardware with SafeMOTION in the Physical View
• Configuring the axis in the Configuration View (already known)
• Assigning safe axes to the SafeLOGIC controller
• Configuring the safety axis in SafeDESIGNER
• Accessing status and control information

Motion control \ mapp Motion \


Motion control \ mapp Motion \ Library \ Technology \ MpAxis
Motion control \ mapp Motion \ Libraries \ Core \ McAxis

3.1.1 Adding the SafeMOTION axes

Adding the ACOPOS servo product family device with SafeMOTION is done as usual and does not differ
from a device without integrated safety technology.

After adding the device with SafeMOTION being used, it appears as usual in the hardware tree (Physical
View in Automation Studio).

Figure 3: Hardware tree with ACOPOSmulti SafeMOTION inverter module added as an example

SafeMOTION always requires a SafeLOGIC or SafeLOGIC-X controller, because otherwise
the controller enable cannot be activated!


3.1.2 Configuring basic settings and assigning safe axes to the SafeLOGIC controller

After a device has been added in the hardware tree, it is still possible to change the default settings.
Then open up the Physical View in Automation Studio and open the shortcut menu by right-clicking on
the SafeMOTION device. Select Open I/O configuration from the menu to open the configuration for the
SafeMOTION device.

Figure 4: Opening the I/O configuration

The following window appears for configuring the safe axis:

Figure 5: I/O configuration for SafeMOTION on an ACOPOSmulti inverter module


3.2 Using SafeDESIGNER

SafeDESIGNER is used to develop the safety application that will run on the SafeLOGIC controller as
well as to configure the individual modules. This is done by automatically applying all safety-related
components assigned to corresponding SafeLOGIC controllers in the Automation Studio configuration.

The SafeDESIGNER project shows all devices with SafeMOTION along with the rest of the safety-related
components in the Safety View. Selecting a device with SafeMOTION opens its associated parameter
list, which will be described in more detail in the next section.

Figure 6: Safety View and parameter list in SafeDESIGNER

Special function blocks that are compliant with PLCopen Safety have been implemented to ensure
efficiency. These function blocks have simplified the development of safety applications. Because they
are certified, they reduce time and costs throughout all phases of a safety application's lifecycle. From
the specification and implementation to testing and checking functions, the procedure used is more like
virtual wiring than programming.
Each function block has an S_AxisID input that is used as an axis reference. This axis reference is a
variable and can be generated by moving the device with SafeMOTION from the hardware tree to the
workspace using drag-and-drop. Connecting an axis reference to the S_AxisID input of the function
block assigns it to the respective device with SafeMOTION.
The following image shows what the axis reference looks like when used with the
SF_SafeMC_Position_BR_V1_1 function block.

Figure 7: Function block with a connected "gAxis01" axis reference variable


Available libraries
The following sections describe these function blocks. The individual inputs and outputs will not be
explained in detail since a detailed description can be opened directly in SafeDESIGNER by right-clicking
on a function block.

The function blocks are grouped in different libraries. These libraries aren't included in the
project by default but can be added in SafeDESIGNER by selecting Project / Add library.

Figure 8: Overview of the relevant libraries depending on the hardware available with SafeMOTION that is being used

The following description refers to use of PLCopen_Motion_SF_2 for the ACOPOSmulti with
SafeMOTION, but there are corresponding function blocks with the same safety function in other libraries.

Right-click on the SafeMOTION block in SafeDESIGNER for more information about safety functions.
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \
Safety technology \ Libraries \
• openSAFETY_Motion_SF
• openSAFETY_BuR_Motion_SF
• PLCopen_Motion_SF_X
• RoboticCtrl_SF_X

3.2.1 SF_SafeMC_BR_V3 function block

This function block makes it easy to use the safety functions implemented on the ACOPOSmulti
SafeMOTION inverter module.
The left side contains not only the input for the axis reference, but also the inputs for enabling and
resetting the function block as well as the inputs for requesting the integrated safety functions. As
described in section 2.4, "The idle current principle", these inputs are "Low active". A safety function is
not requested as long as the input signal has the logical value SAFETRUE. If the signal takes on the logical
value SAFEFALSE, then the respective safety function is requested. If a function is not used at all,
then the corresponding input on the function block will be left open. This disables the function on the
SafeMOTION module. The right side of the function block contains outputs that indicate the status of the
individual safety functions and any errors that occur.

The SF_SafeMC_BR_V3 function block can only be used with Safety Release 1.9 and later.
If Safety Release 1.4 is currently in use, then the SF_SafeMC_BR_V2 function block must be
used.
If Safety Release 1.3 is currently in use, then the SF_SafeMC_BR function block must be used.

The DiagCode output on the function block returns the current status of the state machine
for SafeMOTION. Descriptions of the various states and their meanings are included in the
description of the function block.

3.2.2 SF_SafeMC_Position_BR_V2 function block

The primary purpose of the SF_SafeMC_Position_BR_V2 function block is to establish a connection
between the safe position of an axis and its associated status. An assignment is then made to a defined
safe axis.
The SF_SafeMC_Position_BR_V2 function block can be used to process the current safe position of an
axis in the safety application.
To ensure valid evaluation of the position signal, the corresponding status bit S_PositionValid must also
always be checked! The position itself is only considered homed and valid if this output parameter is
set to SAFETRUE.

The SF_SafeMC_Position_BR_V2 function block can only be used with Safety Release 1.9 or
higher.
If Safety Release 1.4 is currently in use, then the SF_SafeMC_Position_BR function block must
be used.

3.2.2.1 Application example

The following application example illustrates one possible use of the Safe Position Monitor function on
the SafeLOGIC controller.

Figure 9: SF_SafeMC_Position_BR_V2: The "Safe Position Monitor" function


3.2.3 Function block SF_SafeMC_Speed_BR

The primary purpose of the SF_SafeMC_Speed_BR function block is to establish a connection between
the safe speed of an axis and the associated encoder error status. An assignment is then made to a
defined safe axis.
The SF_SafeMC_Speed_BR function block can be used to process the current safe speed of an axis in
the safety application. To ensure valid evaluation of the speed signal, the corresponding encoder error
status bit S_NotErrENC must also always be checked. The speed signal itself is only considered valid
if this output parameter is set to SAFETRUE.
The S_AxisID input must be connected to the axis reference variable in the normal way. The
S_ScaledSpeed output parameter indicates the current value of the scaled safe speed for a real axis. This
value is only valid if the S_NotErrENC output has the SAFETRUE state. This indicates the general error
status of the encoder signal.

3.2.3.1 Application example

The following application example illustrates one possible comparison of the scaled safe speed with a
permanently defined value in the safety application.

Figure 10: SF_SafeMC_Speed_BR: Evaluation of the scaled safe speed

3.2.4 SF_SafeMC_SBT_BR function block

This function block makes it easy to use the safe brake test implemented in SafeMOTION. As usual, the
left side of the function block contains an input for the axis reference and an input for enabling the brake
test. This input is "Low Active". The S_SafetyActiveSBT output on the right side of the function block
is SAFETRUE for as long as the safe brake test is being performed. After successfully performing the
brake test, the S_SafetyStatusSBT output is set to SAFETRUE. After a timer has expired, the output
is reset and the brake test must be repeated.

SF_SafeMC_SBT_BR_V1_00
Inputs: S_RequestSBT (SAFEBOOL), S_AxisID (SAFEINT)
Outputs: S_SafetyActiveSBT (SAFEBOOL), S_SafetyStatusSBT (SAFEBOOL)

Figure 11: SF_SafeMC_SBT_BR function block

This function block is available exclusively with ACOPOSmulti SafeMOTION SinCos.


4 Safe drive configuration

Before the drive can be operated, the SafeMOTION parameters must be adjusted.

Descriptions of individual parameters can be found in the user's manual and Automation Help.
• SafeMOTION user's manual: "SafeDESIGNER parameters" section
• Automation Help: Hardware / Motion control / ACOPOSmulti SafeMOTION / Safety technology /
Register description / SafeDESIGNER parameters

4.1 Parameters for the safety response time

The first parameter block deals with the safety response time for SafeMOTION and corresponds to the
parameters for other safety components.
These parameters are normally configured for all safe nodes of the SafeLOGIC controller in
SafeDESIGNER. If the values need to be changed for one or more safe nodes, then the "Manual
Configuration" parameter must be set to "Yes".
Detailed descriptions of individual parameters are provided in the user's manual for the device used, in
the "Parameters for the safety response time in SafeDESIGNER" section, or in Automation Help.

Hardware \ Motion control \ SafeMOTION \ Safety technology / SafeMOTION register description /
Parameters in SafeDESIGNER

4.2 Setting the units system for SafeMOTION

The next block in the parameter list deals with configuring the units system for the safety-related
evaluation of the encoder signal.
These parameters can be set independently of the units system used for the standard application.
One especially important parameter is the "Maximum speed to normalize the speed range" parameter.
As its name indicates, this parameter represents the maximum speed to which the speed should be
normalized. The following formula is used:

If the default value of 32767 units is used, then the scaling factor is 1 and the scaled speed is the same
as the physical speed.

If the velocity would exceed the value 32767 (maximum value of a signed 16-bit integer variable)
at the maximum expected speed with the defined unit system, the "Maximum speed to normalize the
speed range" parameter needs to be adjusted accordingly.
This scales the displayed velocity.

Scaling "Maximum speed to normalize the speed range" with the help of an example
A unit system of 10000 units per revolution is defined for the axis in the standard application as well as
in SafeDESIGNER. Safety function SLS1 is requested during operation, whereby the physical velocity
must be limited to 8000 units per second.
With this unit system, the application is expected to exceed the maximum displayable velocity
of 32767 units/s (3.2767 Rev/s). If the drive is accelerated to a velocity >32767 units/s, then the
SafeMOTION module will change to the FUNCTIONAL FAIL SAFE state and the error 115961 "SMC:
Encoder - SafeSpeed exceeded INT16 range" is entered in the logger.
In order to allow higher velocities, the parameter "Maximum speed to normalize the speed range" must
be increased. In this case, the value would be set to 65534. This results in the following table:

If the controller is turned on and a movement is started with a physical velocity of 10000 units/s, the result
is a scaled displayed velocity of 5000 units/s. Due to scaling, this is half of the physical velocity.
Scaling does not influence the physical velocity limit. If the axis is accelerated to a velocity greater than
8000 units/s when SLS1 has been requested, then SafeMOTION changes to the FUNCTIONAL FAIL
SAFE state. This value is shown scaled, which in this case would be 4000 units/s.
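
The scaling and limit behaviour from the example above, as an added C model (not B&R code and not part of the original training module). The relation scaled = physical * 32767 / "Maximum speed to normalize the speed range" is an assumption inferred from the values in the text, and all type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Full scale of the 16-bit safe speed (maximum of a signed INT16). */
#define SAFE_SPEED_FULL_SCALE 32767

/* Result of evaluating one speed sample (hypothetical names, model only). */
typedef enum {
    AXIS_OK = 0,
    AXIS_FFS_SLS_LIMIT,   /* physical SLS limit exceeded: FUNCTIONAL FAIL SAFE */
    AXIS_FFS_INT16_RANGE, /* scaled speed left the INT16 range (error 115961)  */
    AXIS_BAD_CONFIG       /* invalid normalization value or output pointer     */
} axis_result_t;

/*
 * Scale a physical speed [units/s] to the 16-bit safe speed.
 * Assumed relation, inferred from the worked example in the text:
 *     scaled = physical * 32767 / max_norm
 * Returns false if max_norm is invalid or the result does not fit in INT16.
 */
bool scale_speed(int32_t physical, int32_t max_norm, int16_t *scaled)
{
    if (max_norm <= 0 || scaled == NULL)
        return false;
    /* 64-bit intermediate: physical * 32767 overflows 32 bits quickly. */
    int64_t s = (int64_t)physical * SAFE_SPEED_FULL_SCALE / max_norm;
    if (s > INT16_MAX || s < INT16_MIN)
        return false;
    *scaled = (int16_t)s;
    return true;
}

/*
 * Smallest normalization value that keeps the expected top speed inside the
 * INT16 range; never below the default of 32767 (scaling factor 1).
 */
int32_t min_norm_for(int32_t expected_max_speed)
{
    int64_t mag = expected_max_speed;
    if (mag < 0)
        mag = -mag;
    if (mag > INT32_MAX)
        mag = INT32_MAX; /* only reachable for INT32_MIN */
    return mag > SAFE_SPEED_FULL_SCALE ? (int32_t)mag : SAFE_SPEED_FULL_SCALE;
}

/*
 * Evaluate one sample the way the text describes the module's reaction:
 * the range check applies to the scaled value, the SLS check to the
 * physical value (scaling does not move the physical limit).
 * Assumption: the limit is compared against the speed magnitude.
 */
axis_result_t evaluate_sample(int32_t physical, int32_t max_norm,
                              bool sls_requested, int32_t sls_limit,
                              int16_t *scaled)
{
    if (max_norm <= 0 || scaled == NULL)
        return AXIS_BAD_CONFIG;
    if (!scale_speed(physical, max_norm, scaled))
        return AXIS_FFS_INT16_RANGE;
    int64_t mag = physical < 0 ? -(int64_t)physical : (int64_t)physical;
    if (sls_requested && mag > sls_limit)
        return AXIS_FFS_SLS_LIMIT;
    return AXIS_OK;
}

int main(void)
{
    /* Constructed samples: values taken from the worked example in the text. */
    const int32_t speeds[] = { 8000, 10000, 40000 };
    const int32_t norms[]  = { 32767, 65534 };
    for (size_t n = 0; n < 2; n++) {
        for (size_t i = 0; i < 3; i++) {
            int16_t s = 0;
            axis_result_t r = evaluate_sample(speeds[i], norms[n], true, 8000, &s);
            printf("norm=%d physical=%d -> result=%d scaled=%d\n",
                   (int)norms[n], (int)speeds[i], (int)r, (int)s);
        }
    }
    return 0;
}
```

A fixed comparison value used in the safety application has to be converted with the same normalization value, since the safety application only sees the scaled speed.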

Exercise: Scaling "Maximum speed to normalize the speed range"


The objective of this exercise is to understand speed scaling and the SafeMOTION help tools.
Since only 16 bits are available for the safe speed, a maximum speed of 32,767 units/s can be shown.
Scaling makes it possible to show higher speeds.
• Configuration under General settings - Maximum speed to normalize speed range to 65,000
• Use of function block SF_SafeMC_Speed_BR_V1_01
• Build and transfer
• Check with SafeDESIGNER and show variable status, as well as Motion help tool

Hardware \ Motion control \ SafeMOTION \ Safety technology / Programming the safety function /
SafeMOTION help tool

4.3 Safe monitoring of the motor/encoder shaft connection

Mechanical error prevention is not needed in some applications and can be replaced by the
safety-oriented "Encoder monitoring" function in SafeMOTION.
Mechanical encoder connection errors (breakage, slippage, mismatch) are detected using the position
setpoint and the speed setpoint of the position controller in SafeMOTION. Position lag errors and speed
errors are created in SafeMOTION and checked against limit values.
The parameters in the "Encoder monitoring" block can be used to enable this monitoring and set the
respective limit values.
Additional information about restrictions that depend on the hardware used can be found in Automation
Help.

Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated Safety Technology
SafeMOTION \ The safe power transmission system

4.4 Error handling

During development and commissioning, various errors can occur on the drive or in SafeMOTION. The
following section describes the most common causes of errors and how to deal with them.

4.4.1 Status indicators on the drive

The easiest way to check the status of the drive is to refer to the status indicators on the drive itself.
On ACOPOSmulti SafeMOTION, for example, these can be seen on the black cover of the respective module.
The following image shows the status indicators found on an ACOPOSmulti SafeMOTION 2-axis module.
On a 1-axis module, there are no status indicators for the second inverter axis and the corresponding
SafeMOTION device.

[Figure: Status indicators on an ACOPOSmulti SafeMOTION 2-axis module. Labeled indicators: status of
SafeMOTION module axis 1 and axis 2, safety status of SafeMOTION module 1 and module 2, encoder
SLOT1 and SLOT2, status of backup battery, power supply, POWERLINK, inverter axis 1 and inverter axis 2.]

The following section describes the status indicators that apply to SafeMOTION.

4.4.1.1 SafeMOTION module - LED status indicators

There are 3 additional LEDs for each safe axis behind the front cover of an ACOPOSmulti SafeMOTION
inverter module:

Figure 12: 1-axis modules
Figure 13: 2-axis modules

| LED | Color / state | Description |
|---|---|---|
| R/E (Green / Red) | Off / Off | Module not supplied with current, no communication |
| | Single flash | Unlink mode |
| | Double flash | Updating firmware |
| | Blinking | PREOPERATIONAL mode |
| | On | Mode RUN |
| | On / Single flash, inverse | Safety-related firmware invalid |
| | Triple flash, inverse | Updating safety-related firmware |
| | On | Communication error |
| | Off / On | Errors |
| Status LED, pulse disabling output, high-side | Red | Warning/Error on the channel. During the boot phase, the channel LEDs are always lit constantly red. |
| | Orange | 24 V on the output |
| | Off | 0 V on the output |
| Status LED, pulse disabling output, low-side | Red | Warning/Error on the channel. During the boot phase, the channel LEDs are always lit constantly red. |
| | Orange | 24 V on the output |
| | Off | 0 V on the output |
| Status LED, motor holding brake output | Red | Warning/Error on the channel. During the boot phase, the channel LEDs are always lit constantly red. |
| | Orange | 24 V on the output |
| | Off | 0 V on the output |
| SE (Red) | Off | Mode RUN |
| | [blink pattern, shown graphically in the original] | Boot phase or defective processor |
| | [blink pattern, shown graphically in the original] | Safe state PREOPERATIONAL |
| | [blink pattern, shown graphically in the original] | Safe communication channel not OK |
| | [blink pattern, shown graphically in the original] | Boot phase, invalid firmware |
| | On | Non-acknowledgeable error state, FAIL SAFE state |

The two "SE" indicators are two separate LEDs that show the states of safety processor 1 and safety
processor 2. This is only distinguishable when the front cover is open, however.

Table 1: SafeMOTION module - LED status indicators

Constantly lit "SE" LEDs indicate a non-acknowledgeable FAIL SAFE state. The cause of this
could be a defective module or faulty configuration.
Check the entries in the logbook! If you are able to rule out a faulty configuration, then the
module is defective and must be replaced immediately.
It is your responsibility to ensure that all necessary repair measures or corrections to the con-
figuration are initiated after an error occurs since subsequent errors can result in dangerous
situations!

4.4.2 Logger

During development, the module may start with the FAIL SAFE state or switch to the FUNCTIONAL
FAIL SAFE state unexpectedly. The most common reason for this is an incorrect parameter setting in
SafeDESIGNER. The logbook can be used to identify the cause of the error.

The Logger window in Automation Studio can be used to view the logbook. It is then possible to set the
filter to show only safety-related entries. Each entry in the Logger window has an error number, a short
description and additional information.

Figure 14: Logbook entry showing incorrect parameter setting for the SLS speed limit

The short description only provides basic information. The complete error text can be found in Automation
Help. It can be found by entering the error number in the search field for the help system. For some
errors, the additional information can provide helpful clues about the cause of the error.

With error 115744, for example, the 113 in the additional information means that the module
is in the FAIL SAFE state because the speed limit for SLS is set outside the valid range. This
error can be corrected by modifying the parameter setting for SafeMOTION in SafeDESIGNER.
Once the project is transferred to the SafeLOGIC controller and SafeMOTION is restarted, the
error will no longer appear.

5 Integrated safety functions

5.1 Overview of safety functions

If a safety function is not used in the application, then the respective input must remain open.

The following safety functions are supported by the SafeMOTION module:

| Safety function | Starting in Safety Release (EnDat 2.2) | Starting in Safety Release (SinCos) | EN ISO 13849-1 (EnDat 2.2) | EN ISO 13849-1 (SinCos) | EN 61508 / EN 62061 (EnDat 2.2) | EN 61508 / EN 62061 (SinCos) | Safe encoder evaluation necessary |
|---|---|---|---|---|---|---|---|
| Safe Torque Off (STO) | R 1.3 | R 1.4 | PL e / CAT 4 | PL e / CAT 4 | SIL 3 | SIL 3 | No |
| Safe Torque Off One Channel (STO1) | R 1.3 | R 1.4 | PL d / CAT 3 | PL d / CAT 3 | SIL 2 | SIL 2 | No |
| Safe Operation Stop (SOS) | R 1.3 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safe Stop 1 (SS1) | R 1.3 | R 1.4 | Time-based monitoring: PL e / CAT 4; ramp-based monitoring: PL d / CAT 3 | Time-based monitoring: PL e / CAT 4; ramp-based monitoring: Max. PL e / CAT 4, depends on the encoder used | Time-based monitoring: SIL 3; ramp-based monitoring: SIL 2 | Time-based monitoring: SIL 3; ramp-based monitoring: Max. SIL 3, depends on the encoder used | Time-based monitoring: No; ramp-based monitoring: Yes |
| Safe Stop 2 (SS2) | R 1.3 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safely Limited Speed (SLS) | R 1.3 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safe Maximum Speed (SMS) | R 1.3 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safe Direction (SDI) | R 1.3 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safely Limited Increment (SLI) | R 1.3 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safely Limited Acceleration (SLA) | R 1.9 | R 1.9 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safe Brake Control (SBC) | R 1.3 | R 1.4 | PL d / CAT 3 | PL d / CAT 3 | SIL 2 | SIL 2 | No |
| Safely Limited Position (SLP) | R 1.4 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safe Maximum Position (SMP) | R 1.4 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safe Homing | R 1.4 | R 1.4 | PL d / CAT 3 | Max. PL e / CAT 4, depends on the encoder used | SIL 2 | Max. SIL 3, depends on the encoder used | Yes |
| Safe Brake Test (SBT) | - | R 1.7 | - | Max. PL d / CAT 3, depends on the encoder used | - | Max. SIL 2, depends on the encoder used | Yes |
| Remanent Safe Position (RSP) | R 1.9 | - | PL d / CAT 3 | - | SIL 2 | - | Yes |

Table 2: ACOPOSmulti SafeMOTION: Safety functions and associated safety levels

| Safety function | Starting in Safety Release | EN ISO 13849-1 | EN 61508 / EN 62061 | Safe encoder evaluation necessary |
|---|---|---|---|---|
| Safe Torque Off (STO) | R 1.10 | PL e / CAT 4 | SIL 3 | No |
| Safe Torque Off One Channel (STO1) | R 1.10 | PL d / CAT 3 | SIL 2 | No |
| Safe Operation Stop (SOS) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Stop 1 (SS1) | R 1.10 | Time-based monitoring: PL e / CAT 4; ramp-based monitoring: PL d / CAT 3 | Time-based monitoring: SIL 3; ramp-based monitoring: SIL 2 | Time-based monitoring: No; ramp-based monitoring: Yes |
| Safe Stop 2 (SS2) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safely Limited Speed (SLS) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Maximum Speed (SMS) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Direction (SDI) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safely Limited Increment (SLI) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safely Limited Acceleration (SLA) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Brake Control (SBC) 1) | R 1.10 | PL d / CAT 3 | SIL 2 | No |
| Safely Limited Position (SLP) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Maximum Position (SMP) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Homing | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Remanent Safe Position (RSP) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |

Table 3: ACOPOSmotor SafeMOTION: Safety functions and associated safety levels

1) Safety function SBC does not apply to the motor holding brake integrated in the ACOPOSmotor
SafeMOTION; it is not safety-related.

| Safety function | Starting in Safety Release (EnDat 2.2) | EN ISO 13849-1 | EN 61508 / EN 62061 | Safe encoder evaluation necessary |
|---|---|---|---|---|
| Safe Torque Off (STO) | R 1.10 | PL e / CAT 4 | SIL 3 | No |
| Safe Torque Off One Channel (STO1) | R 1.10 | PL d / CAT 3 | SIL 2 | No |
| Safe Operation Stop (SOS) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Stop 1 (SS1) | R 1.10 | Time-based monitoring: PL e / CAT 4; ramp-based monitoring: PL d / CAT 3 | Time-based monitoring: SIL 3; ramp-based monitoring: SIL 2 | Time-based monitoring: No; ramp-based monitoring: Yes |
| Safe Stop 2 (SS2) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safely Limited Speed (SLS) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Maximum Speed (SMS) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Direction (SDI) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safely Limited Increment (SLI) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safely Limited Acceleration (SLA) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Brake Control (SBC) | R 1.10 | PL d / CAT 3 | SIL 2 | No |
| Safely Limited Position (SLP) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Maximum Position (SMP) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Homing | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |
| Safe Brake Test (SBT) | Project step 2 | | | Yes |
| Safely Limited Torque (SLT) | Project step 2 | | | Yes |
| Remanent Safe Position (RSP) | R 1.10 | PL d / CAT 3 | SIL 2 | Yes |

Table 4: ACOPOS P3 SafeMOTION: Safety functions and associated safety levels

Guidelines for using the integrated safety functions

ACOPOSmulti SafeMOTION and ACOPOSmotor SafeMOTION


At least the Activate and S_AxisID inputs must be connected. Otherwise, the SafeMOTION
module will not be operated by the SafeLOGIC controller. As a result, pulse disabling and the
motor holding brake output will be permanently set to 0 V, which means that the controller
cannot be switched on.

ACOPOS P3 SafeMOTION
At a minimum, inputs Activate, S_AxisID and S_Control_Activate must be connected on
function block SF_oS_MOTION_Basic_BR or SF_oS_MOTION_BR for each axis being used.

All of the safety functions that are being used must be tested.
A function is considered to be "in use" if the corresponding input is connected or the safety
function has been configured!

The following libraries and function blocks are available in SafeDESIGNER for creating a safe
application.

| Drive system | Library |
|---|---|
| ACOPOSmulti SafeMOTION EnDat 2.2, ACOPOSmulti SafeMOTION SinCos, ACOPOSmotor SafeMOTION EnDat 2.2 | "PLCopen_Motion_SF_2" |
| ACOPOS P3 SafeMOTION EnDat 2.2 | "openSAFETY_BuR_Motion_SF" |

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \

5.2 Using safety functions

The first thing is to realize that the integrated safety functions provided by SafeMOTION are purely
monitoring functions.
This means that using an SLS function (Safely Limited Speed) in SafeDESIGNER does not mean that
movements will automatically be executed at reduced speed, but rather that the speed will be monitored
with respect to a configured speed limit. The individual motion functions such as positive movement in
a particular direction must be programmed in Automation Studio. This can be done using the MpAxis
library. The request for a safety function must be reacted to accordingly in the standard application in
Automation Studio – corresponding movements must be made and limits must be observed.
Safety functions can be enabled either permanently (SMS - Safe Maximum Speed, SMP - Safe Maximum
Position) through configuration or be requested by a function block during runtime.

The behavior of safety functions is determined by the parameter settings for the SafeMOTION
configuration in SafeDESIGNER.
Individual parameters are described in the user's manual for the respective device and in
Automation Help for the respective functions.

5.3 Safety functions and their application

The following section describes the integrated safety functions and how they are used.

The following applies to all monitoring safety functions:


If a current speed or position limit is violated, then SafeMOTION switches to the acknowledge-
able FUNCTIONAL FAIL SAFE error state. This has the following consequences:
• Synchronized axes are no longer synchronous.
• Pulse disabling is activated, which cuts off torque and force and causes the drive to
coast to a standstill.
• The motor holding brake is switched to 0 V. This causes the connected motor holding
brake to engage.
• The S_NotErrFUNC output on the function block is reset.

If cutting off torque and coasting to a stop on the machine is a problem, an STO1 with delayed STO can
also be set in the SafeMOTION parameters. This provides the possibility for the standard application to
initiate a short circuit stop with the motor. This results in increased braking of the motor – and therefore
the axis – using values that go beyond the defined limits.

The temperature of the motor windings will increase, and this should be taken into account. If there is a
risk of motor overheating, the ACOPOS drive automatically switches off and the motor coasts to a stop.
As an alternative, some type of external brake could be installed on the mechanical system.

5.3.1 Safe Torque Off (STO)

STO is the fundamental safety function for SafeMOTION and safety because it represents the
"idle current principle".
A request from the STO safety function activates safe pulse disabling and switches off the torque
and power to the drive. Activation of safe pulse disabling is performed actively by SafeMOTION.

[Timing diagram: control bit STO, status bit STO, speed and torque on motor, each plotted over time t]
Figure 15: Safe Torque Off (STO)

An STO request causes synchronized axes to no longer be synchronous.

If the drive is in motion at the time STO is requested, it will coast to a stop. The resulting residual
movement and time depend on the properties of the machine and must always be considered
when dimensioning the safety equipment.
The maximum possible (worst case) movement must be assumed.

Using this safety function


When STO is triggered, the drive is immediately prevented from supplying torque-generating power. This
function can be used for motors that are able to reach standstill in a sufficiently short amount of time on
their own (e.g. due to friction) or where coasting to a standstill is irrelevant from a safety point of view.

Exercise: Emergency switch-off functionality


The objective of this exercise is to complete practical testing for the simplest safety function.
The emergency switch-off button, which is wired on an SI module, is evaluated with the appropriate
function block from the PLCopen_SF library and STO should be triggered on the SafeMC block.
• Implement necessary programming in SafeDESIGNER, compile and transfer
• Connect emergency switch-off button with power in a standard application
• Move axis at set speed
• Press the emergency switch-off button
• Stop the axis and activate pulse disabling
• Check progress using the LED on the hardware
• Acknowledge the safety functions
• Acknowledge the error in the standard application
• Restart the movement.

As an option, STO can also be used with a time delay or SS1 can be used.

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \

5.3.2 Safe Torque Off, single-channel (STO1)

The STO1 safety function works in the same way as STO. The only difference is that either only the high-
side or only the low-side IGBTs are switched off depending on the configuration. The two configuration
options (Highside/Lowside) are equivalent with regard to safety technology.
It is possible to set delay times for switching off the IGBT and the safe motor holding brake output.

Using this safety function


In principle, the STO1 function (Safe Torque Off, single-channel) is used the same way as STO, with
the exception that in the standard application a short circuit braking procedure can be implemented as
the drive coasts to a standstill.

From a technical standpoint, it makes no difference whether the high-side or low-side transistors
are disabled.
By default, failure of ENABLE1 or ENABLE2 will cause a short circuit stop to occur in
SafeMOTION. The firmware on ACOPOS servo product family devices determines which side
of the motor windings is short circuited.

5.3.3 Safe Homing

SafeMOTION evaluates the encoder independently of the motion control loop. As a result, a reference
for the safe absolute position must be configured.

The Safe Homing function provides a way to establish a reference between the safe encoder
position and the machine position.

Depending on the homing mode, it may be necessary for the drive to perform a homing procedure. A
homing procedure requires the control functions between the electronic controller and the drive motor to
be active. Other safety functions might have to be selected in order to prevent a hazardous state during
the homing procedure.
The following homing modes are supported:
• Direct
Direct mode is used if the current position of the axis is known and only has to be applied to
SafeMOTION.
• Reference Switch
This mode correlates with the homing modes "Switch gate", "Abs switch" and "Limit switch" for
the ACOPOS servo product family. Depending on the configuration, the axis will pass over the
reference switch / limit switch multiple times. This needs to be connected to the function block's
S_ReferenceSwitch input via a safe input module.
• Home Offset / Home Offset with Correction
If an absolute encoder is being used, then the machine reference can be established via an offset
to the encoder position. A homing procedure is therefore not necessary. The offset is configured
in SafeDESIGNER using the "Home Position or Home Offset" parameter.

The homing mode "Home Offset / Home Offset with Correction" is only available with EnDat 2.2.

The parameters for safe homing can be set in SafeDESIGNER in the "Homing" parameter block and are
described in the user's manual for the respective device.
Procedure for safe homing with SafeMOTION:
• Homing is triggered by a rising edge on input S_RequestHoming.
• At the same time, SafeMOTION resets the S_SafePositionValid status bit.
• Once homing is successfully completed, output S_SafePositionValid is set.
• Input S_RequestHoming must be reset.

The homing procedure must be complete within the "Homing Monitoring Time (µs)" or else SafeMOTION
will switch to the FUNCTIONAL FAIL SAFE state. The homing procedure will be aborted if input
S_RequestHoming is reset before the procedure is completed.
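
The handshake described above, modelled as a small cyclic state machine in C. This is an added illustration, not SafeMOTION firmware or B&R code; the `completed` input, the type and function names, and the cycle-based timing are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    HOMING_IDLE = 0, /* no homing request pending                      */
    HOMING_ACTIVE,   /* rising edge seen, procedure running            */
    HOMING_DONE,     /* completed, waiting for the request to be reset */
    HOMING_FFS       /* monitoring time exceeded: FUNCTIONAL FAIL SAFE */
} homing_state_t;

typedef struct {
    homing_state_t state;
    bool     prev_request;        /* previous input level, for edge detection */
    bool     safe_position_valid; /* models the S_SafePositionValid status    */
    uint32_t elapsed_us;          /* time since the rising edge               */
    uint32_t monitoring_time_us;  /* models "Homing Monitoring Time (us)"     */
} homing_model_t;

void homing_init(homing_model_t *h, uint32_t monitoring_time_us)
{
    h->state = HOMING_IDLE;
    h->prev_request = false;
    h->safe_position_valid = false;
    h->elapsed_us = 0;
    h->monitoring_time_us = monitoring_time_us;
}

/*
 * Advance the model by one cycle of length dt_us.
 * request:   level of S_RequestHoming
 * completed: hypothetical signal meaning "the configured homing mode finished"
 */
homing_state_t homing_step(homing_model_t *h, bool request, bool completed,
                           uint32_t dt_us)
{
    bool rising = request && !h->prev_request;
    h->prev_request = request;

    switch (h->state) {
    case HOMING_FFS:
        /* Acknowledgeable error state; acknowledgement is not modelled. */
        break;
    case HOMING_IDLE:
    case HOMING_DONE:
        if (rising) {
            /* Rising edge starts homing and resets the valid bit at once. */
            h->safe_position_valid = false;
            h->elapsed_us = 0;
            h->state = HOMING_ACTIVE;
        } else if (!request) {
            h->state = HOMING_IDLE; /* request reset, valid bit is kept */
        }
        break;
    case HOMING_ACTIVE:
        if (!request) {
            /* Request reset too early: aborted, position stays invalid. */
            h->state = HOMING_IDLE;
            break;
        }
        /* Saturating add so a long run cannot wrap the timer. */
        h->elapsed_us = (dt_us > UINT32_MAX - h->elapsed_us)
                            ? UINT32_MAX : h->elapsed_us + dt_us;
        if (h->elapsed_us > h->monitoring_time_us) {
            h->state = HOMING_FFS; /* not finished within the monitoring time */
        } else if (completed) {
            h->safe_position_valid = true;
            h->state = HOMING_DONE;
        }
        break;
    }
    return h->state;
}

int main(void)
{
    /* Constructed input sequence: request held, completion in the 4th cycle. */
    homing_model_t h;
    const bool request[]   = { false, true, true, true, false };
    const bool completed[] = { false, false, false, true, false };
    homing_init(&h, 1000);
    for (int i = 0; i < 5; i++) {
        homing_state_t s = homing_step(&h, request[i], completed[i], 100);
        printf("cycle %d: state=%d valid=%d\n", i, (int)s,
               (int)h.safe_position_valid);
    }
    return 0;
}
```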

Exercise: Safe homing


The objective of this exercise is to become familiar with homing in relation to SafeMOTION.
In this exercise, the main task should be to perform simple, direct homing.
• Set "Home Position" to a value or 0 and "Mode" = Direct in SafeDESIGNER
• Add and connect SF_SafeMC_Position_BR_V2_00
• Add variable to SafeMC block on input "S_RequestHoming"
• Build and transfer the SafeDESIGNER project
• Switch on in the standard application or testing environment and perform homing
• In the safety application, enable input "S_RequestHoming"
• Determine if homing was successful by reading output "S_SafePositionValid" on function block
SF_SafeMC_Position_BR_V2_00.

Under "General settings - Standstill monitoring" it may be necessary to set "Speed tolerance"
to the minimum value in order to prevent an error during homing that would keep homing from
being completed.

Homing using a switch can be done as an optional exercise.


The movement and search for the switch must be triggered in the standard application after the
corresponding homing procedure has been started in the safety application.

More information about safe homing can also be found under:

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \

5.3.4 Remanent Safe Position (RSP)

With this safety function, after the safe position has been homed once to the machine position, the homed
safe position does not have to be homed again after a power off/on cycle. It is only possible to store
valid position data after a controlled standstill of the drive. The standstill must therefore be ensured. It
must also be ensured that no power is supplied to the drive while the data is being saved so that it is
not possible for the drive to move. These requirements are met when using the STO and SOS safety
functions.

When switched off, the axis is not permitted to move if the remanent safe position is used for
homing!

Warning messages in the user's manual or in Automation Help must be followed:

Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \
Remanent Safe Position (RSP)

This safety function is not intended to provide a functional safe position following an uncontrolled machine
failure. The following procedure is defined in order to achieve a controlled stop and enable the use of
the remanent safe position:

1) Stop the axis in a controlled manner (valid safe position required).

2) Achieve the RSPValid status.
This indicates whether the position has been stored and whether homing with RSP will be possible
after powering off. The following conditions must be met in order to achieve the RSPValid status:
° STO and SOS are selected.
° STO and SOS are active and in their safe state.
° The axis has been homed and the safe position is valid (S_SafePositionValid = TRUE).
° The store procedure is completed after the other conditions have been fulfilled.

3) Activate the technical measures required to prevent a dangerous movement. Execute a power off.
A dangerous movement is one that corresponds to half the safe encoder counting range minus
two times "Standstill monitoring - Position tolerance" (sSM_T).

4) Confirm the restored position by homing with RSP after powering on.
° To confirm the restored position after powering on, execute a homing command (i.e. rising
edge of the S_RequestHoming input) with the S_SwitchHomingMode input enabled.

If the switching frequency of the RSPValid status is too fast to complete the store procedure, a
warning is entered in the Safety Logger. The SOS and STO safety functions are active in this
state and are not deselected until the most recent store procedure is completed.

If the module is powered on after a controlled stop and homing is performed without the
S_SwitchHomingMode input enabled, or if an encoder error is detected, then homing with RSP
will cause the module to switch to the acknowledgeable FUNCTIONAL FAIL SAFE error state.
The drive loses all torque/power!

If an error or change in the configuration is detected when powering on after a controlled stop,
then the position is not applied and homing with RSP will cause the module to switch to the
acknowledgeable FUNCTIONAL FAIL SAFE error state.
The drive loses all torque/power!

If the FUNCTIONAL FAIL SAFE error state occurs when homing with RSP, the axis must be
homed again with the S_SwitchHomingMode input disabled in order to obtain a new, valid
safe position.

Optional exercise: Use of RSP


Safety function RSP makes it possible for a functional safe position to be guaranteed after a controlled
stop of the axis. The following procedure is defined in order to achieve a controlled stop and enable the
use of the remanent safe position:
1) Set the relevant parameter in SafeDESIGNER in the properties for the SafeMOTION axis
Standstill monitoring - Position tolerance (units) e.g.: 5
Standstill monitoring - Speed tolerance (units/s) e.g.: 100
Homing - Enable RSP: Enabled
2) Request variable definition for STO and SOS, initialize another variable for
S_SwitchHomingMode with SAFEFALSE
3) Commissioning the axis and safe homing (e.g. direct homing) to achieve status of
S_SafePositionValid = TRUE
4) Turn on DEBUG mode and select safety functions STO and SOS (SAFEFALSE)
5) Status S_RSPValid must be SAFETRUE → Position has been saved correctly
6) Switch off axis and switch on again (do not move axis)
7) After switching on, restore the position by setting S_SwitchHomingMode = SAFETRUE and
S_RequestHoming = SAFETRUE
8) Once status S_SafePositionValid is achieved again, the position has been restored, safety
functions STO and SOS can be deselected (SAFETRUE) and movement of the axis is once
again possible.

Function blocks used: SF_SafeMC_BR_V3_00, SF_SafeMC_Position_BR_V2_00


Further information on the topic of safe homing can be found in Automation Help.

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \


5.3.5 Interface with the standard application

From the standard application, I/O mapping can be used to access the status of SafeMOTION.

5.3.5.1 I/O mapping

The states of individual safety functions can be accessed via the I/O mapping window for the respective
SafeMOTION module. This information is provided in the form of status bits.
To connect PVs to the status bits, the "I/O mapping" window must be opened. As can be seen in the
following image, the PV can then be selected in the "PV or channel name" column.

Figure 16: PV mapping

Exercise: Interface with the standard application


The objective of this exercise is to be able to create a communications bridge from the standard application
to the safety application.
This topic has already been partly covered in Automation Studio Training: Integrated safety technology
(Safety) [SEM510.2] and should serve as a review and supplement.
• In SafeDESIGNER, convert output S_EStopOut on function block SF_EmergencyStop_V1_00
to type BOOL. Only standard data types are transferred, and no safe information.
• In the Safety View, a ToCPU_BOOL channel is then selected and a variable is created in the
program via drag-and-drop.
• This information can be accessed in the I/O mapping for the SafeLOGIC controller.
• In Automation Studio, additional information can be accessed in the I/O mapping for the
ACOPOS servo product family device with SafeMOTION being used (e.g. status of STO triggering,
etc.).

5.3.6 Safe Brake Control (SBC)

The SBC safety function is a safe (time-delayed) output that can be used to safely control a motor
holding brake.

Figure 17: Safe Brake Control (timing diagram: control bit SBC, status bit SBC and safe brake output
over time t, with delay time tSBC_ED)

SafeMOTION does not provide safe monitoring of the braking procedure.


The purpose of the delay time tSBC_ED is to compensate for the different runtimes of the standard and
safety applications.

Using this safety function


SBC can be used together with STO and SS1. SBC offers the possibility of safely actuating a motor
holding brake on the motor after the torque-generating energy has been cut off.


5.3.7 Safe Brake Test (SBT)

Certain applications require testing a brake in fixed intervals by applying a defined torque to the engaged
brake.
The SBT safety function allows an engaged brake to be tested by applying a configurable stator current
for a specified period of time. This makes it possible to account for external forces (e.g. caused by a
hanging load).
The actual braking test (i.e. applying the torque) must be performed by the standard application. This
can be done using the special mode for the safe braking test provided by the PLCopen function block
MC_BR_BrakeTest_AcpAx (McAcpAx library).
This safe braking test can be performed either manually using a command or automatically on a rising
edge on the SafeMOTION SBT Active bit (bit 24) of the SafeMOTION status word.
After the request is triggered by a falling edge on the input S_RequestSBT, SafeMOTION monitors the
process and sets the output S_SafetyStatusSBT to SAFETRUE after a valid braking test.
During monitoring, the output S_SafetyActiveSBT is set to SAFETRUE.
The output S_SafetyStatusSBT is reset after a timer has elapsed, indicating that the braking test must
be performed again.

Optional exercise: Brake test


The objective of this exercise is to gain a better understanding of standard applications and safety
applications.
This exercise can only be done with the appropriate hardware (ACOPOSmulti SafeMOTION SinCos,
ACOPOS P3 SafeMOTION and a suitable motor with a safe brake).
• Function block MC_BR_BrakeTest_AcpAx from library McAcpAx (core technology) is required.
• Activate the test via the safety application
• Activate the test via the standard application

Further information about this can be found in Automation Help.

Motion control \ mapp Motion \ Libraries \ Core \ McAcpAx


Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \

5.3.8 Safe machine options

The safety function makes it possible to modify module parameters from the standard application. To
do this, the first step is to instance the parameters in the application and then transfer them to the
SafeLOGIC controller using the safeDownloadData() function block in the AsSafety library.


Since the entire safe machine option data block is always transferred, the "enable bits" can be used
to enable each parameter. Each bit corresponds to a parameter. For parameters whose "enable bit" is
set, the default value (as configured in SafeDESIGNER) is overwritten by the value in the structure. For
parameters whose "enable bit" is not set, the default value (as configured in SafeDESIGNER) is retained.
The SafeMOTION module is then restarted, and the parameters are transferred to the SafeMOTION
module.

Safety-related parameters will be changed from the standard application! For this to be possible,
measures must be implemented, which are described in the manual and in the documentation for the
safeDownloadData() function block!
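The enable-bit overlay described above can be modelled and checked before a transfer is acknowledged. The following is an added example, not code from B&R or the AsSafety library; the parameter order, the bit positions, the review bounds and all values are assumptions constructed for illustration.

```python
# Added illustration: enable-bit overlay for a safe machine option data block.
# Parameter order, bit positions and bounds are assumptions for this sketch;
# they are not the AsSafety data layout.

PARAMS = (
    "SLS1 - Speed limit",
    "SLS2 - Speed limit",
    "SLS3 - Speed limit",
    "SLS4 - Speed limit",
    "Standstill monitoring - Speed tolerance",
    "Standstill monitoring - Position tolerance",
)


def effective_parameters(defaults, block, enable_bits):
    """Return the values the module would run with after the transfer.

    defaults    -- values configured in SafeDESIGNER, keyed by parameter name
    block       -- complete data block written by the standard application
    enable_bits -- integer; bit i enables the override of PARAMS[i]
    """
    if enable_bits >> len(PARAMS):
        raise ValueError("enable bit set for a parameter that does not exist")
    missing = [name for name in PARAMS if name not in block]
    if missing:
        raise ValueError(f"data block incomplete: {missing}")
    result = {}
    for bit, name in enumerate(PARAMS):
        enabled = (enable_bits >> bit) & 1
        result[name] = block[name] if enabled else defaults[name]
    return result


def review_transfer(defaults, block, enable_bits, bounds):
    """List what a transfer changes and flag anything outside reviewed bounds.

    bounds maps a parameter name to the (low, high) range accepted in the
    risk assessment. An enabled parameter without an entry may not deviate
    from its default. Returns (changes, findings).
    """
    effective = effective_parameters(defaults, block, enable_bits)
    changes, findings = {}, []
    for bit, name in enumerate(PARAMS):
        enabled = (enable_bits >> bit) & 1
        if enabled:
            if effective[name] != defaults[name]:
                changes[name] = (defaults[name], effective[name])
            low, high = bounds.get(name, (defaults[name], defaults[name]))
            if not low <= effective[name] <= high:
                findings.append(f"{name}: {effective[name]} outside {low}..{high}")
        elif block[name] != defaults[name]:
            # Present in the block but without effect because its bit is 0.
            findings.append(f"{name}: value {block[name]} ignored, enable bit not set")
    return changes, findings


# Constructed sample data.
DEFAULTS = {
    "SLS1 - Speed limit": 10000,
    "SLS2 - Speed limit": 20000,
    "SLS3 - Speed limit": 30000,
    "SLS4 - Speed limit": 40000,
    "Standstill monitoring - Speed tolerance": 100,
    "Standstill monitoring - Position tolerance": 5,
}
BLOCK = dict(DEFAULTS)
BLOCK.update({
    "SLS1 - Speed limit": 5000,    # tightened, enabled
    "SLS2 - Speed limit": 90000,   # loosened beyond the reviewed range, enabled
    "SLS3 - Speed limit": 1234,    # written but not enabled
})
ENABLE = 0b000011                   # override SLS1 and SLS2 only
BOUNDS = {
    "SLS1 - Speed limit": (1000, 10000),
    "SLS2 - Speed limit": (1000, 20000),
}

if __name__ == "__main__":
    changes, findings = review_transfer(DEFAULTS, BLOCK, ENABLE, BOUNDS)
    for name, (old, new) in changes.items():
        print(f"CHANGE  {name}: {old} -> {new}")
    for finding in findings:
        print(f"FINDING {finding}")
```

Running such a check in the standard application before the transfer step makes it visible which safety parameters a data block actually overrides and which written values have no effect.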

Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \ Safe machine options
Programming \ Libraries \ Safety \ AsSafety \ Functions and function blocks \ safeDownloadData

Optional exercise: Safe machine options

1) Use this solution as an example application to test the safe machine options.
   ° The solution can be installed via Tools - Upgrade (it may be necessary to adjust the node
     number for the SafeLOGIC controller in the variable declaration and the password as
     constants in the program).
   ° Activate the safe machine options in SafeDESIGNER on the SafeMOTION device.
2) Connect to the VNC server on the PLC.
   ° Password: "c"
3) Check if the SafeMODULE ID (Control) is correct.
4) Set some parameters and enable them, e.g. speed limit for SLS1 to 5000 units/s.
   The parameter structure in the Watch window can also be checked.
5) Transfer and acknowledge the parameters.
6) The SafeLOGIC controller restarts, which puts the parameters on the device.
7) Check whether the parameters in SafeMOTION have changed.
   ° Request SLS1 and test the current speed limit.


5.3.9 Safe Operating Stop (SOS)

An enabled SOS safety function monitors the drive to ensure that it stops safely. SafeMOTION does
not control pulse disabling.
The drive can remain active and must be kept at standstill by the standard application.

To prevent the axis from drifting, both the speed and position are monitored with standstill tolerance
limits ("Speed tolerance", "Position tolerance"). The values for these limit parameters can be set in
SafeDESIGNER.

Figure 18: Safe Operating Stop (timing diagram: control bit SOS, status bit SOS, torque on motor,
speed with tolerance vSM_T and position with tolerance sEM_T over time t)

The position window is generated when the safety function is requested. The next time a request is
made, the standstill tolerance position window is regenerated based on the current position.

Using this safety function


During the SOS function, the drive remains active and operators are protected against unintentional axis
movements, e.g. during setup. Safe standstill monitoring (with speed and position tolerances) begins as
soon as the request is made.

The drive must be at standstill when the request is made or else an error will be triggered.


5.3.10 Safe Stop 1 (SS1)


When requesting the SS1 safety function, the deceleration process of the axis is monitored until
standstill after the ramp delay time passes. After decelerating, safe pulse disabling is activated and
switches off the torque/power to the drive.

Figure 19: Safe Stop 1, SS1 (timing diagram: control bit SS1, status bit SDC, status bit SS1, torque on
motor and speed with optional ramp monitoring over time t, with times tRM_ED and tSS1_RM)

Synchronous axes will no longer be synchronous when SS1 is in a safe state.

The deceleration itself is controlled by the non-safety-related standard application.


The purpose of the ramp delay time parameter "Ramp monitoring - Enable delay time" (tRM_ED) is to
compensate for the different runtimes of standard and safety applications.
Depending on the requirements for the safety function and its parameter settings, it is possible to monitor
either only the deceleration time tSS1_RM or the deceleration ramp as well.
If the monitoring limits are violated during deceleration, then an acknowledgeable error state is entered.

One advantage of monitoring the deceleration ramp is that it reduces the assumed remaining distance
to standstill when an error occurs.

If a violation occurs during ramp monitoring, safe pulse disabling is activated immediately and the drive
switches to an acknowledgeable FUNCTIONAL FAIL SAFE error state.

Using this safety function


The SS1 function enables a controlled (monitored) stop function for the axes. This allows active
deceleration, thereby preventing dangers that could otherwise occur due to axes coasting to a stop.


The SS1 safety function does not include monitoring of the axis standstill. It simply activates
pulse disabling once the axis has come to a stop.

Exercise: Safe standstill and pulse disabling (SS1)


The objective of this exercise is to use SS1 in a practical application.
A light curtain and a mode switch are installed on the exercise hardware for this purpose.
The mode switch should set manual and automatic mode (center position is neutral, no mode).
In automatic mode, the axis should be moved at a constant speed and the axis should be stopped when
the light curtain is triggered, and SS1 must immediately be activated. After 3 s, torque must be removed
from the axis.
• Put the light curtain into operation using function block SF_ESPE_V1_00 and the necessary
configuration in SafeDESIGNER
• Configure mode switch with positions manual and automatic using SF_ModeSelector_V1_00
• Connect SS1 on function block SF_SafeMC_BR_V3_00 with the light curtain output when in
automatic mode.
• Start the movement from the standard application using the green button when the mode switch
is set to automatic.
• Trigger the light curtain by moving your hand through it
• Analyze the behavior in SafeDESIGNER
• Acknowledge using the green button

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \


5.3.11 Safe Stop 2 (SS2)


With SS2, the deceleration process is monitored until standstill after the ramp delay time passes.
The drive must then be kept at standstill by the standard application. As with SOS, this standstill
is monitored by SafeMOTION according to the configured standstill tolerance window "Standstill
monitoring - Speed tolerance" (vSM_T) and "Standstill monitoring - Position tolerance" (sSM_T).

As with SS1, it is possible to monitor either only the deceleration time T(Ramp Monitoring Time) or the
deceleration ramp as well depending on the requirements of the safety function. One advantage of
monitoring the deceleration ramp is that it reduces the assumed remaining distance to standstill when
an error occurs.

Figure 20: Safe Stop 2, SS2 (timing diagram: control bit SS2, status bit SDC, status bit SS2, torque on
motor, speed with optional ramp monitoring and tolerance vSM_T, and position with tolerance sSM_T over
time t, with times tRM_ED and tSS2_RM)

The purpose of the ramp delay time parameter "Ramp monitoring - Enable delay time" (tRM_ED) is to
compensate for the different runtimes of standard and safety applications.

Using this safety function


Only the SS2 function enables a controlled (monitored) stop function for the axes. This protects operators
against unintentional axis movements, e.g. during setup.

After being stopped by the standard application, the drive must be actively held at standstill.


Exercise: Safe standstill after movement (SS2)


The objective of this exercise is to implement manual mode.
The light curtain should not trigger SS1 (previous exercise), and the green button should jog the axis as
long as it is pressed. (In automatic mode, the light curtain should still work)
• Set the mode switch to manual.
• Move the axis via the standard application by pressing the green button on the hardware structure.
• Test light curtain functionality by passing your hand through it and making sure it is not triggered.
• Release the green button; the axis must stop but the controller remains switched on.
• SS2 must be active as soon as the green button is released.
• Start the testing environment and move the axis to trigger a safety violation.
• Analyze SafeDESIGNER, Logger and the LEDs on the hardware to determine if a safety violation
has occurred.

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \

5.3.12 Safely Limited Position (SLP)


The purpose of the SLP safety function is to monitor a specified position window. The "Safe Lower
Position Limit for SLP" and "Safe Upper Position Limit for SLP" parameters can be used to configure
the limits of the monitoring range.
The S_SafetyActiveSLP status bit will be set to SAFETRUE if no errors occur while monitoring is
active.

Figure 21: Safely Limited Position (SLP) (timing diagram: control bit SLP, status bit SLP and position
between the limits sSLP_LL and sSLP_UL over time t, with delay time tSLP_ED)

The axis must be homed successfully before using the Safely Limited Position function. If a
homing procedure is not completed successfully or the S_SafePositionValid status changes,
then the request for the SLP safety function causes the module to switch to the acknowledgeable
FUNCTIONAL FAIL SAFE error state.


To minimize the residual distance when the position window is exceeded, a position-dependent speed
limit is monitored in addition to the position.
When the position limit is approached, the monitored speed limit is calculated in such a way that the drive
will come to a full stop before the positioning limit is reached using the configured "Ramp monitoring -
Speed deceleration limit" (aRM_L) parameter.

Permitted speed in the direction of the upper position limit:

Permitted speed in the direction of the lower position limit:

The position-dependent speed limit is illustrated in the following figure.

Figure 22: Position-dependent speed window (speed over position; labels: sSLP_LL, sSLP_UL, vLIM,
LIMSLP,NEG, LIMSLP,POS, vSM_T, sSM_T)

If the position-dependent speed limit is violated, then the module changes to the acknowledgeable
FUNCTIONAL FAIL SAFE error state.

5.3.13 Safe Maximum Position (SMP)

The difference between SMP and SLP is that SMP cannot be actively requested. It is either enabled or
disabled by the configuration.
When enabled, the current position is constantly monitored against a defined position window.
The "SMP - Lower position limit" (sSMP_LL) and "SMP - Upper position limit" (sSMP_UL) parameters can be
used to configure the limits of the monitoring range.


The SMP safety function only works with homed axes since it requires a safe absolute position.
If SMP is configured, a 15-minute timeout period begins when pulse disabling is activated. The homing
procedure must take place during this time.
When homing is completed and if there were no errors during monitoring, the S_SafetyActiveSMP
status bit is set to SAFETRUE.

As with the SLP safety function, the "Safe Maximum Position" safety function also monitors a
position-dependent speed limit in addition to the position in order to minimize the residual distance
if the position window is exceeded.
For more information, see the description of the "Safely Limited Position" (SLP) safety function.

5.3.14 Safely Limited Speed (SLS)


The purpose of the SLS safety function is to monitor a specified speed limit: Parameters "SLS1 -
Speed limit", "SLS2 - Speed limit", "SLS3 - Speed limit", "SLS4 - Speed limit" (vSLSX_L). It is also
possible to monitor deceleration until the limit is reached if needed by the application.

Four different speed limits can be monitored in SafeMOTION. All limits can also be monitored in
parallel. If a request is made to monitor multiple speed limits at the same time, then the lowest limit
value will always be monitored. To make this possible, the function block includes four different inputs
S_RequestSLSX [X = 1..4].

Figure 23: Safely Limited Speed, SLS (timing diagram: control bit SLSX, status bit SDC, status bit SLSX
and speed with optional ramp monitoring and limit vSLSX_L over time t, with times tRM_ED and tSLSX_RM)

The purpose of the ramp delay time T(Delay time to start ramp monitoring) is to compensate for the different runtimes
of standard and safety applications.
As with SS1 and SS2, the deceleration ramp monitoring can be adapted according to requirements
so that either only the deceleration time or both the deceleration time and the deceleration ramp are
monitored.
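The rule that the lowest requested limit is the one being monitored can be traced with a small simulation. This is an added example, not B&R code: it assumes the time-only variant in which a limit is enforced once tRM_ED plus tSLSX_RM has elapsed since its request, and all limits, times and samples are constructed.

```python
# Added illustration (not B&R code): which SLS limit is enforced when several
# are requested. Simplified time-only model with constructed values.

FAIL_SAFE = "FUNCTIONAL FAIL SAFE"


class SlsMonitor:
    def __init__(self, limits, ramp_times, enable_delay):
        self.limits = limits              # {X: vSLSX_L in units/s}, X = 1..4
        self.ramp_times = ramp_times      # {X: tSLSX_RM in s}
        self.enable_delay = enable_delay  # tRM_ED in s
        self.requested_at = {x: None for x in limits}
        self.state = "OPERATIONAL"

    def set_requests(self, t, requested):
        """Record request edges; `requested` is the set of selected SLS numbers."""
        for x in self.limits:
            if x in requested:
                if self.requested_at[x] is None:
                    self.requested_at[x] = t
            else:
                self.requested_at[x] = None

    def active_limit(self, t):
        """Lowest limit among the requests whose deceleration time has elapsed."""
        enforced = [
            self.limits[x]
            for x, t0 in self.requested_at.items()
            if t0 is not None and t - t0 >= self.enable_delay + self.ramp_times[x]
        ]
        return min(enforced) if enforced else None

    def step(self, t, speed, requested):
        """Process one sample and return (enforced limit, module state)."""
        self.set_requests(t, requested)
        limit = self.active_limit(t)
        # The limit applies to both directions of movement.
        if limit is not None and abs(speed) > limit:
            self.state = FAIL_SAFE  # latched; acknowledgement is not modelled
        return limit, self.state


def run_trace(monitor, trace):
    """trace: (time in s, speed in units/s, set of requested SLS numbers)."""
    return [(t,) + monitor.step(t, speed, req) for t, speed, req in trace]


# Constructed configuration and samples.
LIMITS = {1: 5000, 2: 2000, 3: 1000, 4: 500}
RAMP_TIMES = {1: 0.5, 2: 0.5, 3: 0.5, 4: 0.5}
ENABLE_DELAY = 0.01
TRACE = [
    (0.0, 8000, set()),
    (0.1, 8000, {1}),       # SLS1 requested, axis still decelerating
    (0.4, 4500, {1, 2}),    # SLS2 requested in addition
    (0.7, 4500, {1, 2}),    # only SLS1 enforced so far
    (1.0, 1800, {1, 2}),    # both enforced, the lower limit counts
    (1.3, 2500, {1, 2}),    # below SLS1 but above SLS2: violation
    (1.6, 0, {1, 2}),
]


def demo():
    return run_trace(SlsMonitor(LIMITS, RAMP_TIMES, ENABLE_DELAY), TRACE)


if __name__ == "__main__":
    for t, limit, state in demo():
        print(f"t={t:.1f}s  enforced limit={limit}  state={state}")
```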

Using this safety function


Maintenance tasks and setup mode often require work to be performed on a machine while it is running.
This increases the potential for hazardous situations. SLS monitors whether the drive speed is below a
limit value. This ensures greater safety when working on the machine while it is running.


Exercise: Manual mode limits speed


The objective of this exercise is to activate at least one Safely Limited Speed in manual mode without
the light curtain causing a safety cutoff.
The corresponding parameters must be set for a maximum speed of 2.5 rev/s.
• Parameter settings for SLS1, triggering SLS1 in manual mode
• Building and transferring
• Switch to manual mode
• Start the movement by pressing the green button at a speed <2.5 rev/s (no violation)
• Start the movement by pressing the green button at a speed >2.5 rev/s (safety violation)
• Analysis of the response in the Logger, error messages and status LED on the device

5.3.15 Safe Maximum Speed (SMS)

The difference between SMS and SLS is that "Safe Maximum Speed" cannot be actively requested. It is
either enabled or disabled by the configuration. When enabled, the current speed is constantly monitored
against a defined limit.
If the limit is exceeded, safe pulse disabling is activated immediately and the acknowledgeable
FUNCTIONAL FAIL SAFE state is entered.

5.3.16 Safe Direction (SDI)

The SDI safety function monitors the defined direction of movement.


Either the positive or the negative direction can be monitored. The S_RequestSDIpos and
S_RequestSDIneg inputs are available on the function block for this.
When monitoring the direction of movement, the standstill tolerance ("Standstill monitoring - Position
tolerance" (sSM_T) parameter) is not permitted to be exceeded in the forbidden direction of movement.
When moving in the permitted direction of movement, the position window moves along with it.
If the limit is violated, safe pulse disabling is activated and the system enters a FUNCTIONAL FAIL
SAFE state.
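The difference between the fixed position window of SOS and the SDI window that moves along with the permitted direction is shown in the following added example, which is not B&R code. It assumes a symmetric SOS window around the position at the time of the request and takes the permitted direction as a parameter instead of mapping it to the function block inputs; all sample values are constructed.

```python
# Added illustration (not B&R code): fixed SOS standstill window compared with
# the SDI window that follows movement in the permitted direction.


def first_sos_violation(samples, s_tol, v_tol):
    """Return the index of the first SOS violation, or None.

    samples -- (position, speed) per cycle; sample 0 is taken at the request
    s_tol   -- position tolerance (sSM_T), applied on both sides (assumption)
    v_tol   -- speed tolerance (vSM_T)
    """
    center = samples[0][0]  # window is generated when SOS is requested
    for i, (pos, speed) in enumerate(samples):
        if abs(pos - center) > s_tol or abs(speed) > v_tol:
            return i
    return None


def first_sdi_violation(positions, s_tol, permitted):
    """Return the index of the first SDI violation, or None.

    positions -- position per cycle; sample 0 is taken at the request
    s_tol     -- position tolerance (sSM_T) in the forbidden direction
    permitted -- +1 if positive movement is permitted, -1 if negative
    """
    if permitted not in (1, -1):
        raise ValueError("permitted must be +1 or -1")
    ref = positions[0]
    for i, pos in enumerate(positions):
        if (pos - ref) * permitted > 0:
            ref = pos  # progress in the permitted direction moves the window
        elif (ref - pos) * permitted > s_tol:
            return i   # moved back further than the tolerance allows
    return None


# Constructed samples in units and units/s.
HOLD = [(1000, 0), (1002, 40), (998, -60), (1004, 30), (1006, 20)]
JOG = [1000, 1020, 1050, 1047, 1046, 1044]

if __name__ == "__main__":
    print("SOS, axis held:", first_sos_violation(HOLD, s_tol=5, v_tol=100))
    print("SOS, axis jogged:", first_sos_violation([(p, 0) for p in JOG], 5, 100))
    print("SDI, positive permitted:", first_sdi_violation(JOG, 5, +1))
    print("SDI, negative permitted:", first_sdi_violation(JOG, 5, -1))
```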


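Figure 24: Safe Direction, negative (timing diagram: control bit SDIneg, status bit SDIneg and position
with tolerance sSM_T over time t, with delay time tSDI_ED)

Figure 25: Safe Direction, positive (timing diagram: control bit SDIpos, status bit SDIpos and position
with tolerance sSM_T over time t, with delay time tSDI_ED)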

The safe direction function can be enabled in parallel with other safety functions. For example, Safely
Limited Speed can be limited to a certain direction.
The purpose of the delay time T(Delay time to start SDI [μs]) is to compensate for the different runtimes of
standard and safety applications.

Using this safety function


This safety function prevents axes from moving in an unexpected direction (e.g. in setup mode), which
could endanger the person setting up the machine.


5.3.17 Safely Limited Increment (SLI)

With the SLI safety function, a movement is monitored with respect to a defined number of increments.

Figure 26: Safely Limited Increment, SLI (timing diagram: control bit SLI, status bit SLI, speed with
tolerance vSM_T and position with increment limit sSLI_L over time t, with delay time tSLI_DD)

The safe axis must be at standstill when this function is enabled. A position window is then generated
that is safety-monitored. This position window depends on the configured safe interval.
The standard application must guarantee that this position window is not exceeded. If the interval is
violated, safe pulse disabling is activated immediately and an acknowledgeable error state is triggered.
After the safety function is disabled, monitoring continues for the time T(SLI OFF Delay). This prevents
continuous movement caused by constant jogging.

Optional exercise: SLI in manual mode


The objective of this exercise is to link SLI with the safety functions already implemented. The axis
should not be permitted to move beyond a certain distance in manual mode.
The manual mode has already been implemented with the selector switch.
Now, the movement range should be limited as an extension to the functionality.
• Configure SLI so that it moves a maximum of 2 motor revolutions in manual mode.
• After leaving manual mode, the movement range should remain limited for 2 seconds.
• Test the setting for compliance with the specifications and test with a safety violation
• Analyze Logger, error message and status LEDs on the hardware


5.3.18 Safely Limited Acceleration (SLA)

The SLA safety function is used to monitor the acceleration or deceleration with respect to defined
maximum limits.

[Timing diagram: control bit SLA with delay time tSLA_ED, status bit SLA, speed with tolerance vSM_T,
and acceleration over time t with the limits aSLA_ACC_P_L and aSLA_DEC_N_L on the positive side and
aSLA_ACC_N_L and aSLA_DEC_P_L on the negative side]

Optional exercise: Safely Limited Acceleration (SLA)


The objective of this exercise is to become familiar with the Safely Limited Acceleration safety function.
In the neutral position of the mode switch, a movement should be carried out in the testing environment.
The correct parameters for SLA should be determined in advance in order to prevent an error from
occurring.
• Open the testing environment and record the current speed with the controller switched on and
tuned
• Calculate the acceleration using the derivative
• Determine the maximum values in the positive and the negative direction and configure them in
SafeDESIGNER for SLA
• Extend the function block for the mode switch; activate SLA in the neutral position in
SafeDESIGNER
• Build and transfer
• From manual or automatic mode, switch to the neutral position. Open the testing environment
and move the axis.
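The steps "calculate the acceleration using the derivative" and "determine the maximum values" can be carried out on an exported speed trace as follows. This is an added example, not part of the training material's solutions: the trace is constructed, the 25 % headroom is an assumption, and the mapping of the four results to the limit names is read from the labels in the SLA diagram. The results are magnitudes; the sign convention expected by SafeDESIGNER has to be taken from Automation Help.

```python
# Added illustration: deriving SLA limit candidates from a recorded speed trace.
import math


def sla_peaks(trace):
    """Return the largest acceleration magnitude seen in each SLA quadrant.

    trace -- (time in s, speed in units/s) samples in ascending time order
    Keys: ACC_P / DEC_P = speeding up / slowing down while moving positive,
          ACC_N / DEC_N = the same while moving negative.
    """
    peaks = {"ACC_P": 0.0, "DEC_P": 0.0, "ACC_N": 0.0, "DEC_N": 0.0}
    for (t0, v0), (t1, v1) in zip(trace, trace[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("time stamps must be strictly increasing")
        accel = (v1 - v0) / dt      # difference quotient in units/s^2
        v_mid = (v0 + v1) / 2       # decides the direction of movement
        if accel == 0 or v_mid == 0:
            continue
        speeding_up = (accel > 0) == (v_mid > 0)
        key = ("ACC" if speeding_up else "DEC") + ("_P" if v_mid > 0 else "_N")
        peaks[key] = max(peaks[key], abs(accel))
    return peaks


def suggest_limits(peaks, margin=1.25):
    """Add headroom to the measured peaks and round up to whole units/s^2."""
    return {f"aSLA_{key}_L": math.ceil(value * margin) for key, value in peaks.items()}


# Constructed trace: move in positive direction, stop, move in negative
# direction, stop. Sample time 0.25 s.
TRACE = [
    (0.00, 0), (0.25, 500), (0.50, 1500), (0.75, 2000), (1.00, 2000),
    (1.25, 1200), (1.50, 0), (1.75, -800), (2.00, -1200), (2.25, -300),
    (2.50, 0),
]

if __name__ == "__main__":
    measured = sla_peaks(TRACE)
    for name, value in suggest_limits(measured).items():
        print(f"{name}: {value} units/s^2")
```

A trace with a shorter sample time than the constructed one gives sharper peaks, so the recording should use the same resolution that is used for tuning the controller.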


6 Summary

You should now be familiar with B&R's approach to safe motion control.
You have learned about the available safety components and can adapt them optimally to your own
applications.


7 Example solutions for safety applications

The solutions for the examples are not considered to be a safety application, and should instead serve
as a practical reference for the safety tools in Automation Studio and SafeDESIGNER.

Exercise: Commissioning a safe axis

The goal of this exercise is to prepare an ACOPOSmulti SafeMOTION inverter module for operation.
• Create a project in Automation Studio and add the hardware (SafeLOGIC controller, ACOPOSmulti,
etc.). Assign the node numbers based on the hardware used.
When specifying the device parameters, you will need to specify that the ACOPOSmulti
SafeMOTION inverter module's DC bus will be supplied with 24 V. (Right-click on the ACOPOS
configuration)
• Parameter "Velocity Error Monitoring" in the ACOPOS configuration (Real Axis \ Movement Error
limits \) must be set to "mcSTOP_AUTOMATIC1".
• Open SafeDESIGNER and add function block SF_SafeMC_BR_V3.
• Connect the S_AxisID input to the axis reference variable and the Activate input to a constant
with the value TRUE.
• Set the following parameters in the parameter list for the safe axis in SafeDESIGNER (to allow
movement with minimal work):

Name | Value | Reason
SMS - Enable (Safe Maximum Speed) | Disabled | Is initially disabled because the maximum speed is set to 0 by default, and would thus generate an error when starting.
Encoder monitoring - Position error monitoring - Enable | Disabled | Is initially disabled because the tolerance is set to 0 by default, and would thus generate an error when starting.
Encoder monitoring - Speed error monitoring - Enable | Disabled | Is initially disabled because the tolerance is set to 0 by default, and would thus generate an error when starting.
Automatic reset on start - Enable | Enabled | To avoid needing an edge on the "Reset" input of the function block after booting.

• Transfer the project to the controller and the SafeDESIGNER project to the
SafeLOGIC controller.
• After transfer is complete, the axis should be restarted.
• After booting, SafeMOTION activates pulse disabling and the motor brake. The axis can now
be operated normally in the testing environment.
• Observe the LED on the device and the Logger in Automation Studio.

Function block descriptions can be opened directly from SafeDESIGNER by right-clicking on a
function block and selecting "Help on function block/FU" from its shortcut menu.


7.1.1 Application example

The following application example illustrates one possible use of the Safe Position Monitor function on
the SafeLOGIC controller.

Figure 27: SF_SafeMC_Position_BR_V2: The "Safe Position Monitor" function

Exercise: Emergency switch-off functionality


The objective of this exercise is to complete practical testing for the simplest safety function.
The emergency switch-off button, which is wired on an SI module, is evaluated with the appropriate
function block from the PLCopen_SF library and STO should be triggered on the SafeMC block.
• Implement necessary programming in SafeDESIGNER, compile and transfer
• Connect emergency switch-off button with power in a standard application
• Move axis at set speed
• Press the emergency switch-off button
• Stop the axis and activate pulse disabling
• Check progress using the LED on the hardware
• Acknowledge the safety functions
• Acknowledge the error in the standard application
• Restart the movement.

As an option, STO can also be used with a time delay or SS1 can be used.

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \


Solution: Emergency switch-off functionality

The emergency switch-off is safety-compliant, uses 2-wire technology, and is to be used
as an equivalent input.
This input together with function block SF_EmergencyStop_V1_00, which also includes functionality
for confirmation, provides activation for STO on the SafeMC block.
The green button on the hardware structure should be used for confirmation in addition to start
and stop.

Figure 28: Connections and settings in SafeDESIGNER


Figure 29: The output of the EmergencyStop function block can now be connected to the STO input

In the standard application, the reset button is used with the MpAxis function block via I/O
mapping, and the available simple status of the emergency switch-off button is connected to
input "Power" of MpAxisBasics using an NC contact.

Exercise: Safe homing


The objective of this exercise is to become familiar with homing in relation to SafeMOTION.
In this exercise, the main task should be to perform simple, direct homing.
• Set "Home Position" to a value or 0 and "Mode" = Direct in SafeDESIGNER
• Add and connect SF_SafeMC_Position_BR_V2_00
• Add variable to SafeMC block on input "S_RequestHoming"
• Build and transfer the SafeDESIGNER project
• Switch on in the standard application or testing environment and perform homing
• In the safety application, enable input "S_RequestHoming"
• Determine if homing was successful by reading output "S_SafePositionValid" on function block
SF_SafeMC_Position_BR_V2_00.


Under "General settings - Standstill monitoring" it may be necessary to set "Speed tolerance"
to the minimum value in order to prevent an error during homing that would keep homing from
being completed.

Homing using a switch can be done as an optional exercise.


The movement and search for the switch must be triggered in the standard application after the
corresponding homing procedure has been started in the safety application.

More information about safe homing can also be found under:


Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \

Solution: Safe homing

Figure 30: Implementing direct homing in SafeDESIGNER. "S_RequestHoming" is forced in Debug mode.


Optional exercise: Use of RSP


Safety function RSP makes it possible for a functional safe position to be guaranteed after a controlled
stop of the axis. The following procedure is defined in order to achieve a controlled stop and enable the
use of the remanent safe position:
1) Set the relevant parameter in SafeDESIGNER in the properties for the SafeMOTION axis
Standstill monitoring - Position tolerance (units) e.g.: 5
Standstill monitoring - Speed tolerance (units/s) e.g.: 100
Homing - Enable RSP: Enabled
2) Define request variables for STO and SOS; initialize another variable for S_SwitchHomingMode
with SAFEFALSE
3) Commission the axis and perform safe homing (e.g. direct homing) to achieve status of
S_SafePositionValid = TRUE
4) Turn on DEBUG mode and select safety functions STO and SOS (SAFEFALSE)
5) Status S_RSPValid must be SAFETRUE → position has been saved correctly
6) Switch off axis and switch on again (do not move axis)
7) After switching on, restore the position by setting S_SwitchHomingMode = SAFETRUE and
S_RequestHoming = SAFETRUE
8) Once status S_SafePositionValid is achieved again, the position has been restored, safety
functions STO and SOS can be deselected (SAFETRUE) and movement of the axis is once
again possible.

Function blocks used: SF_SafeMC_BR_V3_00, SF_SafeMC_Position_BR_V2_00


Further information on the topic of safe homing can be found in Automation Help.

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \


Solution: RSP

Figure 31: Possible connection example with logic blocks added (multiple usage)

For RSP to function properly after a restart, STO and SOS must be activated during start-up.

Figure 32: Variable declaration in SafeDESIGNER


Exercise: Interface with the standard application


The objective of this exercise is to be able to create a communications bridge from the standard application
to the safety application.
This topic has already been partly covered in Automation Studio Training: Integrated safety technology
(Safety) [SEM510.2] and should serve as a review and supplement.
• In SafeDESIGNER, convert output S_EStopOut on function block SF_EmergencyStop_V1_00
to type BOOL. Only standard data types are transferred, and no safe information.
• In the Safety View, a ToCPU_BOOL channel is then selected and a variable is created in the
program via drag-and-drop.
• This information can be accessed in the I/O mapping for the SafeLOGIC controller.
• In Automation Studio, additional information can be accessed in the I/O mapping for the
ACOPOS servo product family device with SafeMOTION being used (e.g. status of STO triggering, etc.).


Solution: Interface with the standard application

The assignment is easily carried out via drag-and-drop or by using a global variable in SafeDESIGNER.
The signal is negated so that a signal is only transferred to the standard application when the
emergency switch-off is pressed.

Figure 33: Assigning an internal I/O channel to the CPU of a SafeLOGIC controller in SafeDESIGNER

Figure 34: Additional data types to transfer from the safety application via the SafeLOGIC controller


Figure 35: I/O mapping for SafeMOTION to obtain information about a safety violation

Optional exercise: Brake test


The objective of this exercise is to gain a better understanding of standard applications and safety
applications.
This exercise can only be done with the appropriate hardware (ACOPOSmulti SafeMOTION SinCos,
ACOPOS P3 SafeMOTION and a suitable motor with a safe brake).
• Function block MC_BR_BrakeTest_AcpAx from library McAcpAx (core technology) is required.
• Activate the test via the safety application
• Activate the test via the standard application

Further information about this can be found in Automation Help.

Motion control \ mapp Motion \ Libraries \ Core \ McAcpAx


Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \


Optional exercise: Safe machine options

1) Use this solution as an example application to test the safe machine options.
   ° The solution can be installed via Tools - Upgrade (it may be necessary to adjust the node
     number for the SafeLOGIC controller in the variable declaration and the password as
     constants in the program).
   ° Activate the safe machine options in SafeDESIGNER on the SafeMOTION device.
2) Connect to the VNC server on the PLC.
   ° Password: "c"
3) Check if the SafeMODULE ID (Control) is correct.
4) Set some parameters and enable them, e.g. speed limit for SLS1 to 5000 units/s.
   The parameter structure in the Watch window can also be checked.
5) Transfer and acknowledge the parameters.
6) The SafeLOGIC controller restarts, which puts the parameters on the device.
7) Check whether the parameters in SafeMOTION have changed.
   ° Request SLS1 and test the current speed limit.

Exercise: Safe standstill and pulse disabling (SS1)


The objective of this exercise is to use SS1 in a practical application.
A light curtain and a mode switch are installed on the exercise hardware for this purpose.
The mode switch should set manual and automatic mode (center position is neutral, no mode).
In automatic mode, the axis should be moved at a constant speed and the axis should be stopped when
the light curtain is triggered, and SS1 must immediately be activated. After 3 s, torque must be removed
from the axis.
• Put the light curtain into operation using function block SF_ESPE_V1_00 and the necessary
configuration in SafeDESIGNER
• Configure mode switch with positions manual and automatic using SF_ModeSelector_V1_00
• Connect SS1 on function block SF_SafeMC_BR_V3_00 with the light curtain output when in
automatic mode.
• Start the movement from the standard application using the green button when the mode switch
is set to automatic.
• Trigger the light curtain by moving your hand through it
• Analyze the behavior in SafeDESIGNER
• Acknowledge using the green button

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \


Solution: Safe standstill and pulse disabling (SS1)

StartStopReset button (green) should be set to a discrepancy time of approx. 50 ms.


On the module connected with the mode switch, it is sufficient to set the pulses to external.

Figure 36: Connect the function block for the mode switch
Light curtains:
Settings for the SI module (input 1&2 on the SI4100):
• Variable for the equivalence input
• Set to no pulse
• Set Filter Off to 1 ms
• Set discrepancy time to approx. 50 ms

Figure 37: Connect the function block for the light curtain

Set SS1 Ramp Monitoring Time to 3,000,000 µs and do not turn on ramp monitoring.


Figure 38: Connection to the SS1 safety function, SS1 should only be active in automatic mode, the light curtain is
ignored in manual mode.

In the standard application:


Switching on and homing can take place via Watch. Example code for implementing the request
is shown below:
IF ((gdiModeAuto) AND EDGENEG(gdiStartStop) AND (MpAxisBasic_0.PowerOn)) THEN
    MpAxisBasic_0.MoveVelocity := TRUE;
ELSIF ((MpAxisBasic_0.InVelocity) AND (EDGENEG(gdiStartStop) OR (gdicmdLightCurt
    MpAxisBasic_0.MoveVelocity := FALSE;
END_IF

Exercise: Safe standstill after movement (SS2)


The objective of this exercise is to implement manual mode.
The light curtain should not trigger SS1 (previous exercise), and the green button should jog the axis as
long as it is pressed. (In automatic mode, the light curtain should still work)
• Set the mode switch to manual.
• Move the axis via the standard application by pressing the green button on the hardware structure.
• Test light curtain functionality by passing your hand through it and making sure it is not triggered.
• Release the green button; the axis must stop but the controller remains switched on.
• SS2 must be active as soon as the green button is released.
• Start the testing environment and move the axis to trigger a safety violation.
• Analyze SafeDESIGNER, Logger and the LEDs on the hardware to determine if a safety violation
has occurred.

Right-click on SafeMOTION block in SafeDESIGNER for more information about safety functions
Hardware \ Motion control \ SafeMOTION \ Safety technology \ Integrated safety functions \


Solution: Safe standstill after movement (SS2)

SS2 is not permitted to be triggered on the SafeMOTION block in SafeDESIGNER when automatic
mode is active or when the green button has been pressed. (Due to the idle current principle,
a safe, logical 0 triggers the safety function. Thus manual mode and pressing the green
button are covered and SS2 is not triggered either in automatic mode or when the green button
is pressed.)

Figure 39: Connect SS2 according to the exercise definition

Do not forget to adjust the position tolerance for standstill monitoring.


A jump to the current speed can cause a safety violation when switching on. A value of 150
units/s for Standstill monitoring - Speed tolerance should not cause any problems.

In the standard application, the following code is sufficient for the manual process:
IF ((gdiModeManual) AND (gdiStartStop) AND (MpAxisBasic_0.PowerOn)) THEN
    MpAxisBasic_0.JogPositive := TRUE;
ELSE
    MpAxisBasic_0.JogPositive := FALSE;
END_IF


Exercise: Manual mode limits speed


The objective of this exercise is to activate at least one Safely Limited Speed in manual mode without
the light curtain causing a safety cutoff.
The corresponding parameters must be set for a maximum speed of 2.5 rev/s.
• Parameter settings for SLS1, triggering SLS1 in manual mode
• Building and transferring
• Switch to manual mode
• Start the movement by pressing the green button at a speed <2.5 rev/s (no violation)
• Start the movement by pressing the green button at a speed >2.5 rev/s (safety violation)
• Analysis of the response in the Logger, error messages and StatusLED on the device

Solution: Manual mode limits speed

Since a scaling of 1000 units per revolution is set, parameter SLS1 must be set to 2500.
On the SafeMC block, it is only necessary to invert sbModeManual with a NOT_S and connect
it to S_RequestSLS1. (Idle current principle)
In the standard application, a maximum speed of 2500 units/s must be set in the parameter
structure for MpAxisBasic when jogging so a safety violation is not generated.

Optional exercise: SLI in manual mode


The objective of this exercise is to link with already implemented safety functions. The axis should not
be permitted to move beyond a certain distance in manual mode.
The manual mode has already been implemented with the selector switch.
Now, the movement range should be limited as an extension to the functionality.
• Configure SLI so that it moves a maximum of 2 motor revolutions in manual mode.
• After leaving manual mode, the movement range should remain limited for 2 seconds.
• Test the setting for compliance with the specifications and test with a safety violation
• Analyze Logger, error message and status LEDs on the hardware

Exercise: Scaling "Maximum speed to normalize the speed range"


The objective of this exercise is to understand speed scaling and the SafeMOTION help tools.
Since only 16 bits are available for the safe speed, a maximum speed of 32,767 units/s can be shown.
With scaling, higher speeds should be shown.
• Configuration under General settings - Maximum speed to normalize speed range to 65,000
• Use of function block SF_SafeMC_Speed_BR_V1_01
• Build and transfer
• Check with SafeDESIGNER and show variable status, as well as Motion help tool


Hardware \ Motion control \ SafeMOTION \ Safety technology / Programming the safety function / SafeMOTION help tool

Optional exercise: Safe Limited Acceleration (SLA)


The objective of this exercise is to become familiar with safety function Safe Limited Acceleration.
In the neutral position of the mode switch, a movement should be carried out in the testing environment.
The correct parameters for SLA should be determined in advance in order to prevent an error from
occurring.
• Open the testing environment and record the current speed with the controller switched on and
tuned
• Calculate the acceleration using the derivative
• Determine the maximum values in the positive and the negative direction and configure in
SafeDESIGNER for SLA
• Extend the function block for the mode switch, activate SLA if neutral position in SafeDESIGNER
• Build and transfer
• From manual or automatic mode, switch to the neutral position. Open the testing environment
and move the axis.


Solution: Safely Limited Acceleration (SLA)

In the analysis in Trace in the testing environment, the problem is already evident (sampling
rate of 800 µs, derivative of SafeMC Actual Speed ACP10PAR_SAFEMC_SPEED_ACT) using
the current value. If the currently measured speed contains noise, then deviations will also be
seen in the acceleration.

Figure 40: Acceleration calculated using the current speed with switched on controller and axis at standstill (limit
values for the acceleration -16,250 to 20,000 units/s²)

Recommended setting in SafeDESIGNER here: >30,000 units/s² in order to prevent an error
from occurring
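
The derivative step from the SLA exercise, as an added Python example that is not part of the training module: it differentiates a constructed standstill speed trace at the 800 µs sampling rate and counts how many samples a candidate SLA window would flag through noise alone. The trace values, function names and candidate limits are assumptions made for illustration.

```python
# Added example (not from the training module): estimate SLA limits from a speed trace.
# The samples are constructed; on real hardware they would come from a Trace of
# ACP10PAR_SAFEMC_SPEED_ACT recorded at standstill with the controller switched on.

SAMPLE_TIME_US = 800  # trace sampling time named in the text, in microseconds

# Constructed standstill trace in units/s: the axis holds position, values are noise only.
STANDSTILL_SPEED = [0, 4, -3, 6, -7, 9, -4, 5, -8, 8, 1, -2, 0]


def acceleration(speed, sample_time_us=SAMPLE_TIME_US):
    """Backward-difference derivative of a speed trace, in units/s^2."""
    return [(cur - prev) * 1_000_000 / sample_time_us
            for prev, cur in zip(speed, speed[1:])]


def acceleration_range(speed, sample_time_us=SAMPLE_TIME_US):
    """Largest negative and largest positive acceleration seen in the trace."""
    acc = acceleration(speed, sample_time_us)
    return min(acc), max(acc)


def noise_violations(speed, limit_neg, limit_pos, sample_time_us=SAMPLE_TIME_US):
    """Count samples whose derived acceleration lies outside [limit_neg, limit_pos]."""
    return sum(1 for a in acceleration(speed, sample_time_us)
               if a < limit_neg or a > limit_pos)


if __name__ == "__main__":
    lo, hi = acceleration_range(STANDSTILL_SPEED)
    print(f"speed noise: {min(STANDSTILL_SPEED)} .. {max(STANDSTILL_SPEED)} units/s")
    print(f"derived acceleration: {lo:.0f} .. {hi:.0f} units/s^2")
    for limit in (15_000, 30_000):  # candidate symmetric SLA windows (assumed values)
        n = noise_violations(STANDSTILL_SPEED, -limit, limit)
        print(f"limit +/-{limit} units/s^2: {n} samples outside the window")
```

With this constructed trace, speed noise of at most 9 units/s already yields -16,250 to 20,000 units/s², and halving the sample time doubles both values.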


Figure 41: Extension to function block for mode switch neutral position

Figure 42: Connection for safety request in the neutral position of the mode switch


Offered by the Automation Academy

The Automation Academy provides targeted training courses for our customers as well as our own
employees.
At the Automation Academy, you'll develop the skills you need in no time!
Our seminars make it possible for you to improve your knowledge in the field of automation engineering.
Once completed, you will be in a position to implement efficient automation solutions using B&R
technology. This will make it possible for you to secure a decisive competitive edge by allowing you and your
company to react faster to constantly changing market demands.

Seminars

Quality and relevance are essential components of our seminars. The
pace of a specific seminar is based strictly on the experience that course
participants bring with them and tailored to the requirements they face. A
combination of group work and self-study provides the high level of
flexibility needed to maximize the learning experience.
Each seminar is taught by one of our highly skilled and experienced
trainers.

Training modules

Our training modules provide the basis for learning both at seminars
as well as for self-study. These compact modules rely on a consistent
didactic concept. Their bottom-up structure allows complex, interrelated
topics to be learned efficiently and effectively. They serve as
the best possible companion to our extensive help system. The training
modules are available as downloads and can be ordered as printed
versions.

Topic categories:
➯ Control technology
➯ Motion control
➯ Safety technology
➯ HMI
➯ Process control
➯ Diagnostics and service
➯ POWERLINK and openSAFETY

ETA system

The ETA system provides realistic constructions for training, education
and laboratory use. Two different basic mechanical constructions can be
selected. The ETA light system offers a high degree of mobility, saves
space and is well-suited for lab work. The ETA standard system has a
sturdy mechanical structure and includes pre-wired sensors and actuators.

Find out more!

Would you like additional training? Are you interested in finding out what the B&R
Automation Academy has to offer? You've come to the right place.
Detailed information can be found under the following link:
www.br-automation.com/academy



V1.4.1.1 ©2018/04/03 by B&R, All rights reserved.
All registered trademarks are the property of their respective owners.
We reserve the right to make technical changes.
