
Fail-safe blocks for storage and retrieval machines
Storage and retrieval machines / V4.0
Siemens Industry Online Support
https://support.industry.siemens.com/cs/ww/de/view/101167223
Legal information
Using the application examples
The application examples illustrate the solution of automation tasks with the interaction of several
components in the form of text, graphics and/or software blocks. The application examples are a
free-of-charge service provided by Siemens AG and/or a subsidiary company of Siemens AG
("Siemens"). They are non-binding and do not claim to be complete and functional with regard to
configuration or equipment. The application examples do not represent customer-specific
solutions but are merely designed to provide help for typical tasks. You yourself are responsible
for the proper and safe operation of products in compliance with the applicable regulations. You
must check the function of the respective application example and adapt it specifically to your
system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right of use of the
application examples by professionally trained personnel. Any change to the application examples
is made purely at your own risk. Transfer to third parties or duplication of the application examples
or extracts thereof is only permitted in combination with your own products. The application
examples do not necessarily undergo the usual tests and quality checks of a paid product, may
contain functional and performance defects and may be subject to errors. You are responsible for
ensuring that the application examples are used in such a way that any malfunctions do not lead
to property damage or personal injury.
Disclaimer of liability
Siemens excludes any liability, irrespective of the legal grounds, in particular for the usability,
availability, completeness and freedom from defects of the application examples, as well as
associated notes, configuration data and performance data and any damage caused by these.
This shall not apply in cases of mandatory liability, for example under the German Product
Liability Act, or in cases of intent, gross negligence or culpable loss of life, injury or health
impairment, non-compliance with a guarantee, fraudulent non-disclosure of a defect or culpable
breach of material contractual obligations. The claims for compensation for the breach of essential
contractual obligations are, however, limited to the foreseeable damage typical for the type of
contract, except in the event of intent or gross negligence or injury to life, body or health. The
above provisions do not entail a change in the burden of proof to your detriment. You exempt
Siemens from any third-party claims that may exist or arise in this connection, unless Siemens is
compulsorily liable by law.
By using the application examples, you acknowledge that Siemens cannot be made liable for any
claims beyond the liability clause described.
© Siemens AG 2022 All rights reserved
Additional notes
Siemens reserves the right to make changes to these application examples at any time without
prior notice. In cases of discrepancies between the suggestions in the application examples and
other Siemens publications, such as catalogs, then the content of the other documentation shall
have precedence.
In addition to this, the Siemens terms and conditions of use apply
(https://support.industry.siemens.com).
Security information
Siemens provides products and solutions with industrial security functions that support the secure
operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary
to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept.
Siemens products and solutions constitute only one element of such a concept.
Customers are solely responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be connected to
an enterprise network or the internet if and to the extent such a connection is necessary and only
when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
Additionally, Siemens recommendations relating to appropriate security measures should be
taken into account. For more information about Industrial Security, please visit:
https://www.siemens.com/industrialsecurity.
At Siemens, our products and solutions undergo continuous development to make them even
more secure. Siemens expressly recommends that updates are carried out as soon as they
become available and that only the current product version is always used. Use of product
versions that are no longer supported, and failure to apply latest updates may increase
customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed
at: https://www.siemens.com/industrialsecurity.

Fail-safe blocks for storage and retrieval machines
Entry ID: 101167223, V4.0, 2022
Table of contents
Legal information
1 Storage and retrieval machines and safety functions
1.1 General design for safe position sensing
1.2 Supported encoder combinations and configuration variants
1.2.1 Safety-relevant motor encoder with safety-related mounting and positive locking mechanical system
1.2.2 Safety-related motor encoder with safety-related mounting, positive locking mechanical system and reference switch mounted in a safety-related fashion
1.2.3 Two-encoder system with connection via SINAMICS S120
1.2.4 Two encoder system with connection by the distributed I/O
1.2.5 Three-encoder system
1.2.6 Summary of the encoder variants
1.2.7 Safety-related characteristic values of the encoder variants
2 System and software requirements
2.1 General information
2.2 Safety requirements
2.3 Software
2.4 Safety aspects when creating blocks
2.4.1 Delimitation EN 528:2021 with respect to the ASRM block library
2.4.2 The ASRM block package was developed according to the following standards:
2.4.3 Safety functions that are not taken into consideration
3 Fail-safe function blocks for storage and retrieval machines
3.1 Overview
3.1.1 Safety note
3.1.2 Fail-safe blocks
3.1.3 Block connections
3.1.4 Block numbers and signatures
3.1.5 Integration in the cyclic interrupt – F-OB
3.1.6 Using instance data blocks/multi-instances
3.1.7 Response times
3.1.8 Runtimes
3.2 LFASRS_SafePosition
3.2.1 Introduction
3.2.2 Connections
3.2.3 Interrelationship between the assignment of the block inputs and the drive configuration
3.2.4 Principle of operation
3.3 LFASRS_SLPMonitor
3.3.1 Introduction
3.3.2 Connections
3.3.3 Principle of operation
3.4 LFASRS_Endzone
3.4.1 Introduction
3.4.2 Connections
3.4.3 Principle of operation
3.5 LFASRS_SBRMonitor
3.5.1 Introduction
3.5.2 Connections
3.5.3 Principle of operation
3.6 LFASRS_BrakeTest
3.6.1 Introduction
3.6.2 Connections
3.6.3 Principle of operation
3.6.4 Application example for safely controlling external brakes
3.7 LFASRS_LoadMonitor
3.7.1 Introduction
3.7.2 Connections
3.7.3 Scaling the input quantities
3.7.4 Principle of operation
3.8 LFASRS_PositionSingleEnc
3.8.1 Introduction
3.8.2 Connections
3.8.3 Interrelationship between the assignment of the block inputs and the drive configuration
3.8.4 Principle of operation
3.8.5 Safety-related velocity
3.9 LFASRS_MinMax
3.9.1 Introduction
3.9.2 Connections
3.9.3 Principle of operation
4 Interaction of the blocks
4.1 Overview
4.2 Signal flow between the components
4.2.1 Automation task
4.3 Response in the case of an error
4.4 Block interconnections
4.4.1 1-encoder variant
4.4.2 2 and 3-encoder variant
4.4.3 Additionally required blocks
4.4.4 Additional information
5 Abbreviations
6 Support
7 Appendix
Runtime and memory utilization of the blocks, based on the CPU 1516F-3 PN/DP
8 References
9 History
1 Storage and retrieval machines and safety functions
This chapter provides a schematic overview of the application conditions of fail-
safe function blocks for storage and retrieval machines and the supported
hardware design versions.

1.1 General design for safe position sensing


The following components are essentially required when using fail-safe function
blocks for storage and retrieval machines, subsequently referred to as "ASRM
blocks", depending on the expansion level and the functions used.
• Fail-safe SIMATIC S7-1500 controller – STEP7 Safety Advanced
• SINAMICS S120 converter with CU320-2 (from firmware release 4.6),
  subsequently called SINAMICS S120, with encoder for example connected to
  o SMC20/SMC30
  o or via DRIVE-CLiQ.
• PROFIBUS/PROFINET transfer between SINAMICS and the F-CPU
• F-DQ module to control the brakes
• External mechanical brake and/or motor holding brake
• Signal source for load measurement for overload/slack rope detection, e.g. via
  F-AI with qualified encoder or two encoders, which are checked against each
  other for plausibility (e.g. load cell and motor torque)

A hardware configuration example is shown below:


Fig. 1-1: Hardware configuration
[Figure labels: S7-1500F, ET200SP; PROFINET with PROFIsafe; DRIVE-CLiQ; SINAMICS S120;
SIN/COS encoder, machine table; SSI encoder; initiator for encoder adjustment or
reference cam]

The block package covers several variants of encoder combinations, see also
Table 1-1. This results in the following scenarios for the additional components
required. They can deviate depending on the specific application; however, they
must be comparable from a safety-related perspective:

1.2 Supported encoder combinations and configuration variants
An overview of the encoder combinations supported by the ASRM blocks is
provided in the following.

1.2.1 Safety-relevant motor encoder with safety-related mounting and positive locking mechanical system

Data acquisition:
• Safety-related SIN/COS motor encoder with safety-related mounting via
PROFIsafe telegram 902 from a SINAMICS S120.
• The absolute position is transferred to the F-CPU e.g. via a standard telegram
from SINAMICS S120.
SI determines the absolute position actual value of the motor encoder, which is
transferred to the F-CPU using a safety-related telegram. The motor encoder must
be a safety-related encoder (safety-related motor encoder with safety-related
mounting).

The signal flow of the safety function therefore looks like this:

Fig. 1-2: Variant 1: Safety-related motor encoder with positive locking mechanical system
[Figure labels: SINAMICS S120, F-CPU; motor encoder (sin/cos), SMC20, F 32-bit value;
triggering of the safety functions (Basic and Extended)]

Safety note
The safety-related motor encoder must be safely homed using the Safety
Integrated functions of the SINAMICS S120. The safe absolute position actual
value, the validity of the encoder and the status of the safe home position must
be directly used from the PROFIsafe telegram 902. The mechanical system of
the application must be designed so that it is positive locking. The signals must
be interconnected according to the interconnection example in Chapter 4.4.1.

1.2.2 Safety-related motor encoder with safety-related mounting, positive locking mechanical system and reference switch mounted in a safety-related fashion

Data acquisition:
• Safety-related SIN/COS motor encoder with safety-related mounting via
PROFIsafe telegram 902 from a SINAMICS S120.
• Reference switch mounted in a safety-related fashion
SI determines the position actual value of the motor encoder, which is transferred to
the F-CPU using a safety-related telegram. The motor encoder must be a
safety-related encoder (safety-related motor encoder with safety-related mounting).

The signal flow of the safety function therefore looks like this:

Fig. 1-3: Variant 1: Safety-related motor encoder with positive locking mechanical system
[Figure labels: SINAMICS S120, F-CPU; motor encoder (sin/cos), SMC20, F 32-bit value;
triggering of the safety functions (Basic and Extended); safely mounted reference
switch]

Safety note
The reference switch must be read-in at a fail-safe input and must be mounted in
a safety-related fashion. The motor encoder must be mounted in a safety-related
fashion and the mechanical system of the application must be designed so that it
is positive locking.

1.2.3 Two-encoder system with connection via SINAMICS S120


Data acquisition:
• The SIN/COS motor encoder is connected to the SINAMICS S120 e.g. via an SMC20
  or a DRIVE-CLiQ interface (SMI), and the direct measuring system (SSI) e.g. via
  an SMC30. The closed-loop position control is realized via the direct measuring
  system.
To achieve two-channel data transfer to the F-CPU, the position actual value of the
direct encoder is transferred via the standard telegram. SI determines the position
actual value of the motor encoder, which is transferred to the F-CPU using a
safety-related telegram. The motor encoder must conform with the requirements of
SINAMICS Safety Integrated. Safety-related mounting is not required, as in this
case possible faults are monitored and detected through the cross comparison with
the second encoder.

Fig. 1-4: Variant 2: Two-encoder system, connected via SINAMICS S120
[Figure labels: SINAMICS S120, F-CPU; direct encoder, SMC30, standard 32-bit value;
motor encoder (sin/cos), SMC20, F 32-bit value; triggering of the safety functions
(Basic and Extended)]


1.2.4 Two encoder system with connection by the distributed I/O

Data acquisition:
a) SIN/COS motor encoder (safety-related mounting is not required)
corresponding to the requirements of SINAMICS Safety Integrated (e.g. via
SMC20 or DQI/SMI) via PROFIsafe telegram from SINAMICS S120, direct
measuring system via standard telegram from SSI module (e.g. TM PosInput
2) to the F-CPU.
Fig. 1-5: Variant 3 a): Two-encoder system, connected via distributed I/O
[Figure labels: SINAMICS S120, F-CPU; I/O (e.g. ET200MP/ET200SP), direct encoder,
standard; motor encoder (sin/cos), SMC20, F 32-bit value; triggering of the safety
functions (Basic and Extended)]

b) SIN/COS motor encoder (safety-related mounting is not required)
corresponding to the requirements of SINAMICS Safety Integrated (e.g. via
SMC20 or DQI/SMI) via PROFIsafe telegram from SINAMICS S120, direct
encoder via standard telegram from a PROFIBUS/PROFINET-capable encoder

Fig. 1-6: Variant 3 b): Two-encoder system, connected via direct encoder
[Figure labels: SINAMICS S120, F-CPU; direct encoder, standard; motor encoder
(sin/cos), SMC20, F 32-bit value; triggering of the safety functions (Basic and
Extended)]

1.2.5 Three-encoder system

Data acquisition:
a) SIN/COS motor encoder (safety-related mounting is not required)
corresponding to the requirements of SINAMICS Safety Integrated (e.g. via
SMC20 or DQI/SMI) via PROFIsafe telegram from SINAMICS S120.
Two direct measuring systems via standard telegram (Fig. 1-7):
• Position 1 via SINAMICS S120
• Position 2 from the distributed I/O with secure communication via F-
module
Alternatively:
• Position 1 via SINAMICS S120 with secure communication via
PROFIsafe telegram of the converter
• Position 2 from distributed I/O


Fig. 1-7: Variant 4 a): Three-encoder system, position encoder via SINAMICS S120 and
distributed PLC I/O, secure communication via F-module
[Figure labels: SINAMICS S120, F-CPU; direct encoder, SMC30, standard; I/O (e.g.
ET200MP/ET200SP with fail-safe module), direct encoder, standard; QBAD of the
fail-safe module; motor encoder (sin/cos), SMC20, F 32-bit value; triggering of the
safety functions (Basic and Extended)]

b) SIN/COS motor encoders correspond to the requirements of SINAMICS Safety
Integrated via PROFIsafe telegram from SINAMICS S120.
Two direct measuring systems via standard telegram:
• Positions 1 and 2 via distributed I/O. One channel with secure
communication via F-module.

Fig. 1-8: Variant 4 b): Three-encoder system, position encoder via distributed PLC I/O,
secure communication via F-module.
[Figure labels: SINAMICS S120, F-CPU; direct encoder, standard; I/O (e.g.
ET200MP/ET200SP with fail-safe module), direct encoder; QBAD of the fail-safe module;
motor encoder (sin/cos), SMC20, F 32-bit value; triggering of the safety functions
(Basic and Extended)]

Three-encoder systems are used if a higher level of slip is to be expected or a
higher degree of availability is specified. Instead, the position is checked for
plausibility by performing a cross comparison between the two direct measurement
systems.

Safety note
To achieve the specified diagnostic coverage, the two direct measuring systems
must be installed in opposite directions.

Safety note
To detect a "frozen" bus driver, i.e. communication is no longer active between
the measuring system and CPU, a fail-safe module is inserted in at least one
channel in the station, via which the direct measuring system is read. If
communication now becomes inadmissibly slow or fails completely, then the F-
module involved signals a communication error. This is then evaluated in the
safety program and must be used to initiate a stop response.
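
The two safety notes above, modelled as an added example (a simplified Python sketch, not code from the ASRM block library): a cross comparison of opposed direct measuring systems catches an overwritten process image, while a frozen process image stays plausible and is only caught through the F-module's communication error. The class and function names, the constant-sum model of opposed mounting (`SPAN`), the tolerance, the latched stop and all sample values are assumptions constructed for illustration.

```python
"""Added illustration: simplified model, not the logic of the ASRM blocks."""
from dataclasses import dataclass, replace
from enum import Enum

SPAN = 10_000      # assumed: pos1 + pos2 is constant for opposed mounting
TOLERANCE = 5      # assumed permissible deviation in position units


class Verdict(Enum):
    OK = "ok"
    STOP_COMM_ERROR = "F-module signals a communication error (QBAD)"
    STOP_DISCREPANCY = "direct measuring systems no longer oppose one another"


@dataclass(frozen=True)
class Sample:
    pos1: int            # direct measuring system 1: value rises with travel
    pos2: int            # direct measuring system 2: opposed, value falls
    qbad: bool = False   # communication error of the F-module in the station


class OpposedCrossCompare:
    """Cross comparison of two direct measuring systems mounted in opposite
    directions, plus evaluation of the F-module communication error."""

    def __init__(self, span, tolerance, evaluate_qbad=True):
        self.span = span
        self.tolerance = tolerance
        self.evaluate_qbad = evaluate_qbad
        self.latched = Verdict.OK   # assumption: a stop request stays latched

    def evaluate(self, s):
        if self.latched is Verdict.OK:
            if self.evaluate_qbad and s.qbad:
                self.latched = Verdict.STOP_COMM_ERROR
            elif abs(s.pos1 + s.pos2 - self.span) > self.tolerance:
                self.latched = Verdict.STOP_DISCREPANCY
        return self.latched


def same_direction_check_passes(s, tolerance):
    """Contrast case: if both systems counted in the same direction and were
    compared by difference, two identical values would look plausible."""
    return abs(s.pos1 - s.pos2) <= tolerance


def first_stop(trace, span=SPAN, tolerance=TOLERANCE, evaluate_qbad=True):
    """Return (cycle, verdict) of the first stop request, or (None, OK)."""
    check = OpposedCrossCompare(span, tolerance, evaluate_qbad)
    for cycle, sample in enumerate(trace):
        verdict = check.evaluate(sample)
        if verdict is not Verdict.OK:
            return cycle, verdict
    return None, Verdict.OK


# Constructed traces, one sample per safety program cycle.
HEALTHY = [Sample(p, SPAN - p) for p in range(1000, 1500, 100)]

# Process image overwritten from cycle 3: both channels carry the same value.
OVERWRITTEN = HEALTHY[:3] + [replace(s, pos2=s.pos1) for s in HEALTHY[3:]]

# Communication freezes after cycle 1: the stale pair still sums to SPAN.
# The F-module reports the communication error from cycle 3 onwards.
STALE = HEALTHY[1]
FROZEN = HEALTHY[:2] + [STALE, replace(STALE, qbad=True), replace(STALE, qbad=True)]


if __name__ == "__main__":
    print("healthy:            ", first_stop(HEALTHY))
    print("overwritten:        ", first_stop(OVERWRITTEN))
    print("  same-direction diff check would pass:",
          same_direction_check_passes(OVERWRITTEN[3], TOLERANCE))
    print("frozen, QBAD used:  ", first_stop(FROZEN))
    print("frozen, QBAD unused:", first_stop(FROZEN, evaluate_qbad=False))
```

With the communication error left unevaluated, the frozen trace never produces a stop request, which is the gap the fail-safe module in the station closes.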


1.2.6 Summary of the encoder variants

The following table summarizes the encoder combinations that are in principle
possible and their ability to be actually implemented. pos1, pos2 and possi
refer to the interconnection at the "LFASRS_SafePosition" block
described in more detail in Chapter 3.2. For the legend, see below.
A motor encoder (MSSI or MNSI) is always required to acquire the safe position
and velocity; the motor encoder data is acquired via the SI part of the drive.
The following encoder combinations should be provided depending on the specific
application scenario:

Table 1-1: Overview of possible encoder combinations

Variant | pos1 | pos2 | possi | Reference switch
Variant 1.1: Safety-related motor encoder with positive locking mechanical system | --- | --- | MSSI(A) | ---
Variant 1.2: safety-related motor encoder with reference switch mounted in a safety-related fashion | --- | --- | MSSI(R) | RSS
Variant 2: Two-encoder system: Connection via SINAMICS S120. | LD-SMx-NS | --- | MSSI(R)/MNSI(R) | ---
Variants 3 a) and b): Two-encoder system: Connection via the distributed I/O. | LD-DP-NS | --- | MSSI(R)/MNSI(R) | ---
Variant 4 a): Three-encoder system. Position encoder via SINAMICS S120 and distributed PLC I/O. Secure communication via F-module. | LD-SMx-NS [1] | LD-DP-KS [1] | MSSI(R)/MNSI(R) | ---
Variant 4 b): Three-encoder system. Position encoder via distributed PLC I/O. Secure communication via F-module. | LD-DP-NS [1][2] | LD-DP-KS [1][2] | MSSI(R)/MNSI(R) | ---

[1] Overwriting the process image must be detected, which is why the position actual
values must oppose one another.
[2] The evaluation unit design must have diversity, e.g. pos1 via ET200SP with TM
PosInput 2, pos2 directly via PROFINET/PROFIBUS.

Legend:
MSSI(A): Motor encoder, safety-related mounting, via SI F-telegram 32 bit absolute
safety position actual value
MSSI(R): Motor encoder, safety-related mounting, via SI F-telegram 32 bit relative
safe position actual value
MNSI(R): Motor encoder, no safety-related mounting, via SI F-telegram 32 bit
relative safe position actual value
LD-SMx-NS: Position actual value Epos from the direct measuring system via
SMC/SMI via standard telegram 32 bit, not safety-related
LD-DP-NS: Position actual value from the direct measuring system via distributed
I/O, no safety-related communication (e.g. PROFINET encoder, TM PosInput 2).

LD-DP-KS: Position actual value from the direct measuring system via distributed
I/O, safety-related communication using F-module at the backplane bus.
RSS: Fail-safe reference switch, safety-related mounting

Safety note
When the safely transferred relative position actual value (MSSI(R)) of the
SINAMICS S120 is used in the control system, then the following FAQ should be
taken into consideration:
https://support.industry.siemens.com/cs/ww/de/view/109746390

The reference to the absolute position at the control system level is established
using block LFASRS_SafePosition described in Chapter 3.2.
In variant 1, the use of the safely transferred relative position actual value
(MSSI(R)) is not permissible. In this case, the safely transferred absolute position
actual value (MSSI(A)) of the SINAMICS S120 must be used in the control
system.

To be able to use the safety function integrated in the drive, for the subsequently
described software architecture, it is assumed that all motor encoders are SIN/COS
encoders and these are read in from the safety program using a fail-safe telegram.
A second encoder is used for the plausibility check based on the configuration
variants described above.
1.2.7 Safety-related characteristic values of the encoder variants

The various encoder variants are listed in Chapter 1.2. Which variant is used
depends on the particular application. When using the subsequently described
drive software solution in a safety-related application, it is absolutely necessary that
one of the described variants is used.
As a result of the various encoder variants and the resulting wide range of
hardware variants that can be used, the safety integrity level (SIL) of the safety
functions is defined by the user. In order to comply with EN 528:2021, as a
minimum this must correspond to SIL2/PLr d over the complete safety function
(Acquire -> Evaluate -> Respond).
To provide verification, this section describes the parameters that the software
solution has a direct influence on when calculating the safety integrity level based
on EN 62061:2015. Only block "Acquire" is described. Block "Evaluate"
corresponds to a SIMATIC F-CPU with STEP7 Safety Advanced, certified up to
SIL3/PL e, block "React", a SINAMICS S120, certified up to SIL2/PL d. The precise
characteristic values of blocks Evaluate and React are specified in the appropriate
data sheets.
While variants 2, 3a), 3b), 4a) and 4b) comply with the requirements according to
subsystem D, variant 1 complies with the requirements according to subsystem C,
as subsequently shown:


Subsystem C according to EN 62061:2015 (Chapter 6.7.8.2.4):


Fig. 1-9

Subsystem D according to EN 62061:2015 (Chapter 6.7.8.2.5):


Fig. 1-10

Table 1-2: Parameters according to EN 62061:2015

Columns: Subsystem (SFF/HFT) | SIL CL limit | λDs1 | λDs2 | DC1 | DC2 | β | T1 | T2

Variant 1.1: Safety-related motor encoder with positive locking mechanical system
  Subsystem (SFF/HFT): C (≥0.99 [1] / 0)
  Remaining columns: Internal safety function of the SINAMICS S120, certified according to SIL2/PLd

Variant 1.2: Safety-related motor encoder with positive locking mechanical system and safe reference mark
  Subsystem (SFF/HFT): C (≥0.99 [1] / 0)
  Remaining columns: Internal safety function of the SINAMICS S120, certified according to SIL2/PLd

Variant 2: Two-encoder system: Connection via SINAMICS S120.
Variant 3: Two-encoder system: Connection via the distributed I/O.
Variant 4 a): Three-encoder system. Position encoder via SINAMICS S120 and distributed PLC I/O. Secure communication via F-module.
Variant 4 b): Three-encoder system. Position encoder via distributed PLC I/O. Secure communication via F-module.
(one set of values for these four variants)
  Subsystem (SFF/HFT): D (≥0.99 [1] / 1 [2])
  SIL CL limit: 3 [3]
  λDs1: Dependent on the hardware
  λDs2: Dependent on the hardware
  DC1: 99% as a result of the diagnostics implemented in the ASRM block library
  DC2: see DC1
  β: 0.02 according to Table 1-3: Assessing common cause errors according to EN 62061:2015 Annex F.1
  T1: Dependent on the hardware
  T2: Corresponding to the call interval of the safety program
Comments relating to Table 1-2: Parameters according to EN 62061:2015:
1. Because the diagnostics implemented in the ASRM block library detect all potentially hazardous faults, it follows
that $\lambda_{DU} \to 0$. From this, the calculation of SFF
($\mathrm{SFF} = \dfrac{\sum \lambda_S + \sum \lambda_{DD}}{\sum \lambda_S + \sum \lambda_{DD} + \sum \lambda_{DU}}$)
immediately results in SFF ≥ 0.99.

2. The failure of a subsystem element does not result in the loss of the SRCF, as this error would be detected as a result of the comparison
value as well as the plausibility check (due to the redundant architecture). It follows immediately from this that HFT = 1.
3. According to EN 62061:2015 Table 5, for HFT = 1 and SFF ≥ 0.99 a SIL CL of 3 is obtained.
The assessment of common cause failures according to EN 62061:2015 Annex F.1 is shown in the following table. In some instances, measures
against common cause failure are as a result of the solution implemented in the ASRM block library, and in some instances users must take the
appropriate measures. The measures that the user must always apply are appropriately marked in the subsequent table. If additional measures

F-Bausteine für Regalbediengeräte


Entry ID: 101167223, V4.0, 2022 13
1 Storage and retrieval machines and safety functions
1.2 Supported encoder combinations and configuration variants

should be applied, which are shown in gray in the table, then this can improve the CCF factor and/or β value; conversely, measures that are not
applied reduce the CCF factor and/or β value.
Table 1-3: Assessing common cause errors according to EN 62061:2015 Annex F.1

| Feature | Reference | Points | Reason |
|---|---|---|---|
| Separation/isolation | | | |
| Are SRECS signal cables for the individual channels routed separately from other channels at all positions or are they sufficiently protected? | 1a | 5 | |
| Where information coding/decoding is used, is it sufficient for detecting signal transfer errors? | 1b | 10 | Given as a result of the solution implemented in the ASRM block library |
| Are SRECS signal cables and power cables separate at all positions or adequately protected? | 2 | 5 | |
| If subsystem elements can contribute to a CCF, are they provided as physically separate devices in their local enclosures? | 3 | 5 | Request that the user installs the sensor system |
| Diversity/redundancy | | | |
| Does the subsystem utilize various electrical technologies for example, one electronic or programmable electronic and the other an electromechanical relay? | 4 | 8 | |
| Are elements used in the subsystem that utilize various physical principles (e.g. detection elements at a protective door, that use mechanical and magnetic sensing techniques)? | 5 | 10 | |
| Are elements with different time responses with reference to functional operation and/or failure types used in the subsystem? | 6 | 10 | Given as a result of the solution implemented in the ASRM block library |
| Do the subsystem elements have a diagnostic test interval of ≤ 1 min? | 7 | 10 | Given as a result of the solution implemented in the ASRM block library. Note: The call interval of the safety program must be less than 1 min! |
| Complexities/Draft/Application | | | |
| Are the cross connections between channels of a subsystem obstructed, with the exception of the cross connections that are used for diagnostics? | 8 | 2 | Given as a result of the solution implemented in the ASRM block library |
| Assessment/analysis | | | |
| Have the results of the failure modes and effects analysis been examined to establish sources of common cause failures, and have certain of these types of sources been eliminated beforehand as a result of the system design? | 9 | 9 | Given as a result of the solution implemented in the ASRM block library |
| Are field failures analyzed and the associated data fed back into the design department? | 10 | 9 | |
| Competence/training | | | |
| Do subsystem designers understand the causes and consequences of common cause failures? | 11 | 4 | Request to the user |
| Monitoring the environmental conditions | | | |
| Are the subsystem elements likely to always work within the temperature, humidity, corrosion, dust, vibration, etc. range in which they have been tested, even without externally monitoring the environmental conditions? | 12 | 9 | Request that the user selects the sensor system |
| Is the subsystem immune to the negative effects of electromagnetic interference up to and including the limits defined in Annex E? | 13 | 9 | Request that the user selects the sensor system |
| Result | | 68 | According to EN 62061:2015 Table F.2: β = 0.02 |

Table 1-4: EN 62061:2015 Annex F.2

| Total number of points | Common cause failure factor (β) |
|---|---|
| < 35 | 10 % (0.1) |
| 35 to 65 | 5 % (0.05) |
| 65 to 85 | 2 % (0.02) |
| 85 to 100 | 1 % (0.01) |

2 System and software requirements


2.1 General information
The fail-safe function blocks for storage and retrieval machines described in the
following chapters can be used in conjunction with the fail-safe Siemens
S7-1500(T)F automation system; the following are recommended, for example:
• CPU 1516F-3 PN/DP
• CPU 1517F-3 PN/DP
• CPU 1518F-4 PN/DP
As an introduction, the safety aspects when generating fail-safe function blocks are
discussed, before their properties are then explained in detail.

The fail-safe function blocks for storage and retrieval machines were developed for
individual subfunctions in order to ensure that the blocks can be used in a modular
fashion.

2.2 Safety requirements


The following safety requirements can be satisfied when using the S7-1500F
automation system:

Safety Integrity Level SIL1 to SIL3 acc. to IEC 61508 2nd Edition

2.3 Software
The following Siemens SIMATIC software must be installed on the PC/PG in order
to use the fail-safe function blocks for storage and retrieval machines:
• SIMATIC STEP 7 Professional V17 or higher
• SIMATIC STEP 7 Safety Advanced V17 or higher
as well as for the drive parameterization
• SINAMICS Startdrive V17 or higher
• alternatively, SINAMICS MICROMASTER STARTER V4.4 or higher

The current version as well as all predecessor versions of the SINAMICS
MICROMASTER STARTER can be downloaded at the following link:
https://support.industry.siemens.com/cs/ww/de/view/26233208


2.4 Safety aspects when creating blocks


The blocks for the safety-related control of storage and retrieval machines were
created based on certified fail-safe function blocks in F-FBD and F-LAD. The
compiler of the development tool generates coded fail-safe blocks. These can then
be included in the libraries and called in any F-FB and F-FC.

Regarding the internal implementation and the underlying software development
process, the fail-safe function blocks for storage and retrieval machines comply
with the requirements according to PLd/SIL2. However, it must also be proven that
the behavior and principle of operation of the function blocks from the ASRM block
package used in the user software are compliant with the requirements laid down
in the relevant standards. Generally, verification can be provided by performing a
function test.
Also due to restrictions regarding the hardware components that can be used,
specifically converters, the SIL level that can be achieved is restricted to PLd/SIL2
when using fail-safe function blocks for storage and retrieval machines.

The safety-related parameters required for verifying hardware components are
listed in Chapter 1.2.7.

2.4.1 Delimitation EN 528:2021 with respect to the ASRM block library


2.4.2 The ASRM block package was developed according to the following
standards:

• EN 528:2021
• EN ISO 13849-1:2015
• EN ISO 13849-2:2012
• EN 62061:2015

The following requirements from EN 528 are applied in the library:


Requirements according to EN 528 (RN15) Table B.1:
10) Function to stop travel motion at the end of the travel section (e.g. end of
the aisle, when the power fails, when collisions occur, if more than one machine
is traveling along the same rail)
16) Preventing the load carrying equipment leaving the centered position
Requirements according to EN 528 (RN15) Chapter 4 (supplementing Table B.1):
Control device:
4.3.8 Stop function (referred to the actuators)
Hoisting gear:
4.4.1.1 Hoisting gear brake – general (referred to the brake test)
4.4.2 a) – b) Limiting hoisting and lowering motion
4.4.3 Overload protection and slack condition protection

In addition, general requirements apply, e.g. for auxiliary functions.


2.4.3 Safety functions that are not taken into consideration

The block package is also evaluated according to product standard EN 528
(RN15). The safety functions required are described there in Table B.1. As a
supplement, additional requirements are listed in Chapter 4 of the Standard.
Chapter 2.4.2 establishes a reference to the requirements that can be derived from
EN 528 (RN15) for the block package being described here.
Other requirements from EN 528 (RN15), e.g. interlocking devices or operating
mode selection, must be implemented independently by the user using the
appropriate logic circuits. The SINAMICS S120 converter also provides additional
safety functions for this purpose (e.g. STO/SS1/SOS and others).
Design aspects of the standard (for example, dimensioning the brakes), i.e. specific
requirements placed on components or on the design of the machine, are not part
of this specification. The user must apply the appropriate measures to completely
comply with the standard.

3 Fail-safe function blocks for storage and retrieval machines
3.1 Overview
3.1.1 Safety note

As shown in Chapter 2.4, the fail-safe function blocks for storage and retrieval
machines comply with the requirements as laid down in EN 528:2021.

The safety integrity of the particular safety function is only obtained through the
correct interconnection. This is the reason that the correct interconnection of each
fail-safe function block of this library and the overall functionality of the safety
functions must be validated with the application-specific hardware and software
using both positive and negative tests.

The tests should initially be performed in an area of the system that has sufficient
clearance to fixed end stops and limits. Further, it must be carefully ensured that
when performing any test the system can be safely stopped in the case of an
emergency.

The tests should be documented, for example using trace recordings, so that limit
value violations, shutdown conditions and stopping distances can be clearly
identified and a statement can be made about the correct function of each
individual safety function.

Safety note
Measures must be applied to protect against unauthorized changes and
manipulation. At least for online write access (fail-safe and standard), a CPU
password should be parameterized in the device settings. In the Safety
Administration, the safety program is password-secured against offline access
operations.

Safety note
Using non-fail-safe values from the standard part of the CPU in the fail-safe
program requires that these values are seamlessly consistent. Accordingly, it must
be ensured that the correlation does not influence non-fail-safe programming or its
modification. After each program change, the integrity of these values must be
carefully checked as to whether cross-access write operations occur.
It is recommended that the complete system, including fail-safe and non-fail-safe
parts, is protected against unauthorized external access according to the
relevant IT security guidelines.


3.1.2 Fail-safe blocks

Library "LFASRS_V40.zal17" contains the following blocks:

| Block | Description |
|---|---|
| LFASRS_SafePosition | Function block to generate a safe position and velocity actual value |
| LFASRS_PositionSingleEnc | Function block to generate a safe position and velocity actual value using a safety encoder and safety reference mark |
| LFASRS_SBRMonitor | Function block for safe position monitoring |
| LFASRS_Endzone | Function block to monitor the velocity at the end of the travel range |
| LFASRS_BrakeTest | Function block to perform a safety-related brake test in conjunction with the SBT drive function |
| LFASRS_LoadMonitor | Function block for overload and slack rope detection with the possibility of testing the measuring equipment |
| LFASRS_SBRMonitor | Function block to monitor the braking ramp |
| LFASRS_MinMax | Function for minimum/maximum value selection |

The following fail-safe blocks of the STEP 7 Safety Advanced library are also
required:

| Block | Description |
|---|---|
| F_TP (V1.4) | Generates a pulse with a specific duration |
| F_W_BO (V2.0) | Converts a value in the WORD format into 16 pieces of data with data type BOOL |
| F_BO_W (V2.0) | Converts 16 pieces of data of data type BOOL into a value of data type WORD |

These blocks are contained under Instructions -> Basic instructions.

Note The library blocks listed under SIMATIC STEP 7 Safety Advanced must be set to
the respective version releases before the ASRM library is integrated. In the
Safety Administration, the elements of the system library used must also be set
to Version 2.1. Otherwise, error messages can occur when compiling the safety
program.

Note To control the Safety Integrated functions of the SINAMICS drive family, the
LDrvSafe fail-safe library can also be used, which simplifies interconnecting the
relevant signals:
https://support.industry.siemens.com/cs/ww/de/view/109485794


3.1.3 Block connections

For fail-safe blocks, a few special characteristics must be taken into account
regarding block connections:
Note Although connections EN and ENO of the library blocks appear in the FBD/LAD
editor, they are neither evaluated nor supplied by the program code of the F-
block and may neither be interconnected nor parameterized.

3.1.4 Block numbers and signatures

Table 3-1: Block signatures

| Block number | Block name | SIMATIC STEP 7 Safety Advanced block signature |
|---|---|---|
| FB200 | LFASRS_SafePosition | 0x20ADA130 |
| FB205 | LFASRS_PositionSingleEnc | 0xA67CE88E |
| FB201 | LFASRS_SLPMonitor | 0xB055377B |
| FB202 | LFASRS_Endzone | 0xBF9A1D74 |
| FB203 | LFASRS_BrakeTest | 0x4060EA2D |
| FB204 | LFASRS_LoadMonitor | 0x5BA31365 |
| FB207 | LFASRS_SBRMonitor | 0xAB33F096 |
| FC206 | LFASRS_MinMax | 0xA225BBC3 |

Unique FB/FC numbers are specified in the following chapter for the blocks to be
implemented. When required, these can be adapted to a specific machine; i.e. the
blocks can be freely renumbered; however, it is not permissible that they are
renamed.
Note In the following chapter, unique FB/FC numbers are assigned for the blocks
provided in this library. When required, these can be adapted to a specific
machine; i.e. the blocks can be freely renumbered. It is not permissible that the
blocks are renamed, as otherwise the safety program signature can change.

3.1.5 Integration in the cyclic interrupt – F-OB

Safety note
The specific configuration of the cycle time of the safety program depends on the
requirements obtained from the risk assessment for the machine for which the
blocks are used. The user is responsible for correctly performing the risk
assessment and appropriately configuring the times.


3.1.6 Using instance data blocks/multi-instances

Note ASRM blocks can be called as multi-instance blocks without any restrictions.

3.1.7 Response times

The response times required should be taken from the applicable risk assessment.
This involves a package of blocks that can be universally used; as a consequence,
a specific value for the response times of the individual safety functions cannot be
specified.

Safety note
Depending on the required response time, parameters sampleTime (and
therefore the call interval of the safety program) as well as possiSampleTime
should be parameterized in the ASRM blocks so that they are always shorter
than the maximum permitted response time. It should be carefully taken into
consideration that the hardware components used also influence the response
time. The achieved response time from sensor to actuator can be calculated
using table s7safety_rttplus.

3.1.8 Runtimes

The runtime values of the fail-safe ASRM blocks on the supported F-CPUs
required to calculate the response time can be taken from the table in Attachment
I).

Safety note
The user is obliged to ensure that the ASRM blocks are only interconnected and
parameterized in compliance with the standards applicable for the application.
This especially applies to the test rates for the brake test and the overload/slack
rope detection (slack condition protection) as well as all load and velocity limits.

Safety note
All of the position limits must be selected so that when these are exceeded the
particular axis can come to a standstill before the end of the travel range. The
value to be parameterized is also dependent on the maximum velocity to be
expected for the specific application as well as the maximum possible and
permissible deceleration.

3.2 LFASRS_SafePosition
3.2.1 Introduction

The fail-safe LFASRS_SafePosition function block generates a safe position actual
value from the discrepancy comparison between two encoders. The velocity is
calculated from the motor encoder value, and is verified based on the position
discrepancy comparison using an absolute encoder. Within a configurable time, the
positions between the motor encoder and the second encoder used for the
plausibility check must not deviate from each other by more than the slip tolerance
so that the velocity value can be regarded as safe. The safe position and velocity
form the basis for the other blocks described in this document.
A redundant position acquisition is always required if the position cannot be
uniquely acquired using the motor encoder from Safety Integrated (SI) in the drive.
This is the case if the encoder cannot be mounted in a safety-related fashion or the
mechanical system manifests slip or elongation (e.g. travel gear with wheel-rail
system or hoisting gear with a cable winch). The position-referred safety functions
in SI of the SINAMICS S120 can then no longer be used. A direct measuring
system must be used for position monitoring. This is realized in the F-CPU via this
block. The motor measuring system can then only serve to check the plausibility of
the direct position actual value.
For applications where a higher degree of slip can be expected, or a higher degree
of availability is demanded, then the block provides the option of deriving the safe
position based on a discrepancy comparison from two direct measuring systems.

Note When using this block, block F_BO_W (FC 176) must be in the block folder. It is
not permissible that these are renumbered!

Fig. 3-1: LFASRS_SafePosition


3.2.2 Connections

All variables of type Bool listed in the following table are preassigned FALSE, all
integer variables are preassigned 0 and all Word variables are preassigned
W#16#0.

Inputs
Table 3-2

| Name | Data type | Description |
|---|---|---|
| sampleTime | DInt | Block sampling time [ms]. Call interval of the safety program |
| posConfig | Bool | Configuration word for encoder interconnection. 1: two direct measuring systems + motor encoder; 0: one direct measuring system + motor encoder |
| pos1 | DInt | 1st direct measuring system - measured value [mm] |
| pos1Valid | Bool | 1st direct measuring system - encoder signal status. 1: Encoder signal valid; 0: Encoder fault |
| pos2 | DInt | 2nd direct measuring system - measured value [mm] |
| pos2Valid | Bool | 2nd direct measuring system - encoder signal status. 1: Encoder signal valid; 0: Encoder fault |
| possi | DInt | Motor encoder Safety Integrated - measured value [µm] |
| possiValid | Bool | Motor encoder Safety Integrated - encoder signal status. 1: Encoder signal valid; 0: Encoder fault |
| possiSampleTime | DInt | SINAMICS Safety Integrated - sampling time [ms]. Sampling time of SI configured in the drive |
| possiCount | DInt | SINAMICS Safety Integrated - cycle counter [ms]. Cyclic counter value of telegram 902 |
| posMin | DInt | min. permissible position [mm] |
| posMax | DInt | max. permissible position [mm] |
| discrepancyAfterFailure | DInt | max. permissible encoder deviation pos1 to possi/pos2 after the encoder fault [mm]. After an encoder fault, for a 2-encoder system pos1 and possi, and for a 3-encoder system, pos1 and pos2 must not deviate more than the value parameterized here. |
| discrepancyPos1Pos2 | DInt | max. permissible encoder deviation pos1 to pos2 in operation [mm]. For a 3-encoder system, the deviation between pos1 and pos2 must not exceed the value parameterized here. |
| discrepancyPos1PossiMin | DInt | minimum permissible encoder deviation pos1 to possi in operation [mm]. The deviation between pos1 and possi that is permissible at each velocity. |
| discrepancyPos1PossiMax | DInt | maximum permissible encoder deviation pos1 to possi in operation [mm]. At the maximum velocity (vMax), the deviation between pos1 and possi must not exceed this value. |
| discrepancyStartupPos1 | DInt | max. permissible encoder deviation pos1 to the last valid value after the encoder fault [mm]. For a 2 encoder system, after an encoder error from possi, the actual value of pos1 may not deviate from the previously saved value of pos1 for the error-free system by more than the value parameterized here. |
| vStandstill | DInt | Velocity limit for standstill detection [mm/min] |
| vMax | DInt | max. permissible velocity to check the plausibility [mm/min] |
| vDiscWindow | DInt | Tolerance window velocity monitoring [mm] |
| vSyncIntervall | DInt | Tracking interval velocity monitoring [ms] |
| referencePos | DInt | Reference position [mm]. With a positive signal edge at reference, pos1, pos2 and possi are aligned to this position. |
| reference | Bool | Referencing. 0 -> 1: Determining the offset of encoders regarding referencePos |
| sync | Bool | Alignment. 0 -> 1: to check the plausibility of encoders used (possi and/or pos2, depending on posConfig) an alignment is carried out with encoder 1 (pos1). |
| ack | Bool | Acknowledgment. If an error has occurred in normal operation, then this must be reset using ack before the system is restarted. The acknowledgment is realized using a positive signal edge at ack; in normal operation this has no effect. |

Outputs
Table 3-3

| Name | Data type | Description |
|---|---|---|
| safePos | DInt | safe position actual value [mm]. Safe position (for all additional blocks of this block package) |
| posValid | Bool | Position actual value status. 1: safePos was safely generated |
| referenced | Bool | Referencing status. 1: Both encoders are referenced, and the discrepancy between the two encoders is within the tolerance window |
| safeV | DInt | safe velocity actual value [mm/min]. Safe velocity (for all additional blocks of this block package) |
| vValid | Bool | Velocity actual value status. 1: safeV was safely generated |
| standstill | Bool | Zero speed detection. 1: Actual velocity less than vStandstill |
| movesPositive | Bool | Movement in the positive direction |
| movesNegative | Bool | Movement in the negative direction |
| syncReq | Bool | Sync request. 1: Pos1 & Pos2 within discrepancyAfterFailure, an alignment can be performed; 0: Alignment not required |
| ackReq | Bool | Acknowledgment request. 1: Errors that have gone can be acknowledged; 0: No acknowledgment requested |
| error | Bool | Error. 1: At least one fault detected; 0: No error active |
| diag | Word | Diagnostic word. Information about the function status and errors of the block are issued at this output. |


Structure of DIAG
Table 3-4

| Bit | Description | Reset condition |
|---|---|---|
| 0 | Value range violation of the input variables | 1 <= possi_sampleTime <= 1023; vSyncIntervall > 0; 0 < sampleTime <= 2 * possi_sampleTime; vDiscWindow >= 0; discrepancyAfterFailure >= 0; discrepancyPos1PossiMax >= discrepancyPos1PossiMin; discrepancyPos1Pos2 >= 0; discrepancyStartupPos1 >= 0 |
| 1 | Relationship of the input variables with respect to one another cannot be represented as integer multiple | vSyncIntervall / sampleTime are an integer multiple of one another |
| 2 | incorrect reference of the input variables with respect to one another | vMax >= vStandstill; posMax >= posMin |
| 3 | Actual position > posMax | Actual position <= posMax and pos. signal edge at ack |
| 4 | Actual position < posMin | Actual position >= posMin and pos. signal edge at ack |
| 5 | Actual velocity > vMax | Actual velocity <= vMax and pos. signal edge at ack |
| 6 | max. permissible velocity discrepancy exceeded | Velocity discrepancy <= vDiscWindow and positive signal edge at ack |
| 7 | Initial referencing is missing | Reference point approach and positive signal edge at reference |
| 8 | pos1 – possi > discrepancyPos1PossiMax (2-encoder system) | pos. signal edge at sync |
| 9 | pos1Valid/possiValid/pos2Valid == 0 | dependent on diag bits 10 - 12 |
| 10 | After an encoder fault: "Actual position actual value pos1" – "Last valid position actual value pos1" > discrepancyStartupPos1 (2-encoder system) | "Position actual value pos1" – "Last valid position actual value pos1" <= discrepancyStartupPos1 and pos. signal edge at ack or pos. signal edge at sync |
| 11 | After an encoder fault: pos1 – possi > discrepancyPos1PossiMax (2/3-encoder system) | pos1 – possi <= discrepancyAfterFailure and pos. signal edge at ack or pos. signal edge at sync |
| 12 | After an encoder fault: pos1 – pos2 > discrepancyPos1Pos2 (3-encoder system) | pos1 – pos2 <= discrepancyAfterFailure and pos. signal edge at ack or pos. signal edge at sync |
| 13 | Internal calculation error | pos. signal edge at ack if the error has gone |
| 14 | Reserved | --- |
| 15 | Reserved | --- |
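
The parameter rules behind diag bits 0 to 2 of Table 3-4 can be checked offline before a parameter set is downloaded, and a diag word read from the block can be decoded against the same table. The following Python code is an added example and not part of the ASRM library; it assumes that bit 0 is the least significant bit of diag and that "integer multiple of one another" accepts either direction, and the sample parameter values are constructed.

```python
"""Pre-check of LFASRS_SafePosition inputs and decoding of its diag word.

Added illustration, not part of the ASRM library. Rules and reset conditions
are taken from Table 3-4; bit 0 is ASSUMED to be the least significant bit.
"""

DINT_MIN, DINT_MAX = -2**31, 2**31 - 1

# bit: (abbreviated description, what clears the bit according to Table 3-4)
DIAG_BITS = {
    0: ("value range violation of the input variables", "correct parameters"),
    1: ("vSyncIntervall/sampleTime not an integer multiple", "correct parameters"),
    2: ("vMax < vStandstill or posMax < posMin", "correct parameters"),
    3: ("actual position > posMax", "ack"),
    4: ("actual position < posMin", "ack"),
    5: ("actual velocity > vMax", "ack"),
    6: ("max. permissible velocity discrepancy exceeded", "ack"),
    7: ("initial referencing is missing", "reference"),
    8: ("pos1 - possi > discrepancyPos1PossiMax (2-encoder)", "sync"),
    9: ("pos1Valid/possiValid/pos2Valid == 0", "see bits 10 to 12"),
    10: ("after encoder fault: pos1 moved > discrepancyStartupPos1", "ack or sync"),
    11: ("after encoder fault: pos1 - possi > discrepancyPos1PossiMax", "ack or sync"),
    12: ("after encoder fault: pos1 - pos2 > discrepancyPos1Pos2", "ack or sync"),
    13: ("internal calculation error", "ack"),
}

# Constructed sample parameter set (not taken from a real machine).
SAMPLE_PARAMS = {
    "sampleTime": 20, "possiSampleTime": 12, "vSyncIntervall": 100,
    "vDiscWindow": 50, "discrepancyAfterFailure": 20,
    "discrepancyPos1PossiMin": 5, "discrepancyPos1PossiMax": 30,
    "discrepancyPos1Pos2": 10, "discrepancyStartupPos1": 15,
    "vStandstill": 60, "vMax": 240000, "posMin": 0, "posMax": 50000,
}


def expected_parameter_bits(p):
    """Return a word with diag bits 0 to 2 set for every violated rule."""
    for name in SAMPLE_PARAMS:           # same set of inputs is required
        value = p[name]                  # KeyError on a missing input is intended
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{name} must be an integer (DInt)")
        if not DINT_MIN <= value <= DINT_MAX:
            raise ValueError(f"{name} does not fit into a DInt")

    word = 0
    # Bit 0: value ranges of the individual inputs.
    range_ok = (
        1 <= p["possiSampleTime"] <= 1023
        and p["vSyncIntervall"] > 0
        and 0 < p["sampleTime"] <= 2 * p["possiSampleTime"]
        and p["vDiscWindow"] >= 0
        and p["discrepancyAfterFailure"] >= 0
        and p["discrepancyPos1PossiMax"] >= p["discrepancyPos1PossiMin"]
        and p["discrepancyPos1Pos2"] >= 0
        and p["discrepancyStartupPos1"] >= 0
    )
    if not range_ok:
        word |= 1 << 0

    # Bit 1: integer-multiple rule, only evaluable for positive times.
    st, si = p["sampleTime"], p["vSyncIntervall"]
    if st > 0 and si > 0 and max(st, si) % min(st, si) != 0:
        word |= 1 << 1

    # Bit 2: relationship of limits to one another.
    if p["vMax"] < p["vStandstill"] or p["posMax"] < p["posMin"]:
        word |= 1 << 2
    return word


def decode_diag(word):
    """Return [(bit, description, reset), ...] for each bit set in diag."""
    if isinstance(word, bool) or not isinstance(word, int) or not 0 <= word <= 0xFFFF:
        raise ValueError("diag is a Word (0 to 0xFFFF)")
    result = []
    for bit in range(16):
        if word & (1 << bit):
            text, reset = DIAG_BITS.get(bit, ("reserved", "---"))
            result.append((bit, text, reset))
    return result


if __name__ == "__main__":
    bad = dict(SAMPLE_PARAMS, sampleTime=30, vMax=10)
    for params in (SAMPLE_PARAMS, bad):
        word = expected_parameter_bits(params)
        print(f"expected diag bits 0..2: {word:#06x}")
        for bit, text, reset in decode_diag(word):
            print(f"  bit {bit}: {text} (cleared by: {reset})")
```
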


3.2.3 Interrelationship between the assignment of the block inputs and the
drive configuration

The safe absolute position actual value from the drive is transferred as a 32 bit
value in unit µm via PROFIsafe telegram 902. For this purpose, in the converter
"Extended functions via PROFIsafe" must be set and the safety functions enabled.

Fig. 3-2: Safety Integrated setting in the converter


The drive type must then be set to linear axis; the monitoring cycle is subsequently
important for the parameterization at the block.
Fig. 3-3: Safety Integrated configuration

The encoder parameterization opens via point "Actual value acquisition/mechanical
system". Here, the leadscrew pitch and the gearbox stage must be set so that they
correspond to the mechanical design. Depending on the specific encoder variant,
the particular safe position must be enabled in the safety function.


1-encoder variant
Here, the safe position as well as the safe absolute position must be enabled for
transfer. The safe position value must be valid and the axis must have been safely
referenced. Function SLP can be activated and used in the drive. Alternatively, this
monitoring can be realized using block LFASRS_SLPMonitor of this library.

Fig. 3-4: safe position 1-encoder variant


2 & 3 encoder variant


For these variants, it is only permissible that the transfer of "Safe position" is
enabled. "Safe absolute position" should remain inhibited. A safe, relative position
actual value is sufficient, as block LFASRS_SafePosition establishes the absolute
position actual value reference, as explained in the function description.


Fig. 3-5: safe position transfer 2 & 3-encoder variants

Encoder configuration at block 1-encoder variant


The safe absolute position actual value from the drive is transferred as a 32 bit
value in unit [µm] via the PROFIsafe telegram. The encoder value must be scaled
once by dividing by 1000 and interconnected at pos1, and additionally
interconnected directly to possi without scaling. Parameters sampleTime,
possiSampleTime, possiCount, vStandstill, vMax and vSyncIntervall are relevant
when calculating the safe velocity, and must be interconnected as described.

Note When using block LFASRS_SafePosition, the safety note from 1.2.1 must be
carefully taken into consideration. Outputs safePos, posValid and referenced
must not be used; only the safe velocity safeV may be used.

Note
The following parameters must be parameterized corresponding to the
specifications (Chapter 1.2.1) even if they are not relevant for a pure safe
velocity calculation:
- posMin
- posMax
- discrepancyAfterFailure
- discrepancyPos1PossiMin
- discrepancyPos1PossiMax
- discrepancyStartupPos1

Encoder configuration at block 2 & 3-encoder variant


The safe position actual value from the drive is transferred as a 32 bit value in unit
[µm] via the PROFIsafe telegram. The encoder value of the first direct encoder is
interconnected in [mm] to pos1, or if a second direct encoder is being used, its
encoder value is interconnected with pos2 in [mm] and posConfig is parameterized
with 1.
The plausibility of the velocity calculated from possi is always checked using the
encoder interconnected at pos1. For posConfig = 0, the plausibility of position pos1
is checked using the encoder interconnected at possi; for posConfig = 1, the
plausibility of pos1 is checked with respect to pos2.


Note pos1 and pos2 expect opposing values!

Note The encoder values at pos1 and pos2 must always be positive.

Safety note
The signals interconnected at pos1 and pos2 must originate from two independent
sources. If a signal source is jumpered at both inputs, then non-plausible values
of this channel cannot be detected, for example. The safety integrity of the block
is then no longer guaranteed.
Safety note
Encoder value possi moves in the range between -737280 mm and +737280 mm.
An overflow can occur if possi assumes values higher than +737280 mm or
values less than -737280 mm. As a result of the high value change as well as the
resulting discrepancy, the enable signals are reset and the system initiates the
shutdown response specified by the user. This is why possi must be monitored
for excessively low/excessively high values.

3.2.4 Principle of operation

Parameterization

Safety note
For an error-free exchange of the actual position value for pos1/pos2 between the
DB of the technology object and the safety program, the conversion from the real
data type to DInt in OB1 (or another OB that has a lower priority than the F-OB)
must be implemented directly or in a lower-level block. Only in this way can the
integrity of the safety program be guaranteed. The converted position actual value
should be saved in a transfer DB, which is only used for transferring data between
the standard and safety program.

Position actual value from the technology object:


Code example for copying over

1. The position-defining encoder is interconnected at pos1 in [mm].


2. At input pos1Valid, the user has the option of interconnecting possibly
available additional validity queries relating to the position actual value (e.g.
error bit from the module). If no information of this type is available, then the
input must be permanently set to TRUE.
3. The block sampling time, e.g. the configured call interval of the F-OB, which
calls the safety program, is parameterized at input sampleTime.


4. The sampling rate of Safety Integrated in the drive is parameterized at
possiSampleTime, and possiCount should be interconnected with the counter
value from telegram 902.
5. sampleTime is relevant for internal block calculations.
6. The safety-related relative position actual value of the motor encoder from
telegram 902 in [µm] is interconnected at input possi.
7. For applications with high slip and/or to achieve a higher degree of availability,
users have the option of interconnecting a second direct encoder in [mm] at
pos2.
8. Via posConfig, the user has the option of switching between the modes for one
and two direct encoders. If the input is set, the block is in the mode for two
direct encoders; otherwise it is in the mode for one position-defining encoder.
9. The significance of inputs pos2Valid and/or possiValid is equivalent to the
corresponding inputs for pos1.
10. If the block is incorrectly parameterized, safety-related substitute values are
issued at the outputs. The outputs safePos and safeV assume the highest DInt
value (2147483647), the outputs posValid, referenced and vValid are reset to 0
and output error is set to 1. Depending on the cause of the incorrect
parameterization, the bits are set as follows to 1 in output word diag:
a. Value range violation of the input quantities => bit 0
b. Relationship of the input variables with respect to one another cannot
be represented as integer multiple => bit 1
c. Incorrect reference of the input variables with respect to one another
=> bit 2
This error state can only be resolved through correct parameterization;
acknowledgment is not possible.

Safety note
The block must be parameterized with fixed values; parameterization must not be
performed via variables during the CPU runtime.

When parameterizing, it must be ensured that the following relationships can
be represented as integer multiple:

vSyncIntervall / sampleTime

Further, the following relationships between the input variables must exist:
vMax >= vStandstill
posMax >= posMin

Sampling rates
To calculate the velocity, the SI cycle in the drive (possiSampleTime) is used as
time base, and not the block cycle of the LFASRS_SafePosition block on the
CPU (sampleTime, generally the call interval of the safety program). To avoid
inadmissibly high subsampling, it must be ensured that sampleTime >=
2x possiSampleTime. Likewise, sampleTime must be an integer multiple of
possiSampleTime.


Example: possiSampleTime in the drive = 12ms (default value)
In this case, sampleTime can be parameterized to the following values:
24 ms = 2x possiSampleTime
48 ms = 4x possiSampleTime
72 ms = 6x possiSampleTime
96 ms = 8x possiSampleTime

The permissible value ranges of the individual inputs should be taken from the
table describing the inputs.
The block detects if not all of the specified preconditions are satisfied, and signals
this by setting the appropriate diag bits.

Note
The block only checks the parameterization for the 1st call. This increases the
performance for further operation of the block.
As a consequence, changing the parameterization is not possible while the
system is operational. The safety program must be regenerated and loaded each
time that the operating parameters of the block are changed.
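
Because the block evaluates its parameterization only on the first call and a fix means regenerating and reloading the safety program, the stated relationships can be checked offline before download. The following is an added example, not Siemens code: the Python names are hypothetical, the assignment of each check to diag bit 1 or bit 2 is this example's reading of point 10, and the value ranges from the input table (diag bit 0) are not modeled.

```python
from dataclasses import dataclass

DINT_MAX = 2147483647                # substitute value for safePos/safeV (point 10)
DIAG_NOT_INTEGER_MULTIPLE = 1 << 1   # point 10b: ratio is not an integer multiple
DIAG_BAD_RELATION = 1 << 2           # point 10c: inputs contradict one another


@dataclass(frozen=True)
class SafePositionParams:
    """Hypothetical container for the inputs named in the text."""
    sample_time: int         # sampleTime [ms], call interval of the F-OB
    possi_sample_time: int   # possiSampleTime [ms], SI cycle in the drive
    v_sync_interval: int     # vSyncIntervall [ms]
    v_max: int               # vMax
    v_standstill: int        # vStandstill
    pos_max: int             # posMax
    pos_min: int             # posMin


def check_params(p):
    """Return (diag, findings); diag == 0 means every stated relationship holds."""
    if min(p.sample_time, p.possi_sample_time, p.v_sync_interval) <= 0:
        # Real value ranges come from the block's input table, not modeled here.
        raise ValueError("time parameters must be positive")
    checks = [
        (p.sample_time % p.possi_sample_time != 0, DIAG_NOT_INTEGER_MULTIPLE,
         "sampleTime is not an integer multiple of possiSampleTime"),
        (p.v_sync_interval % p.sample_time != 0, DIAG_NOT_INTEGER_MULTIPLE,
         "vSyncIntervall / sampleTime is not an integer"),
        # Bit for this rule is an assumption; the text only states the rule.
        (p.sample_time < 2 * p.possi_sample_time, DIAG_BAD_RELATION,
         "sampleTime is less than 2x possiSampleTime"),
        (p.v_max < p.v_standstill, DIAG_BAD_RELATION,
         "vMax is less than vStandstill"),
        (p.pos_max < p.pos_min, DIAG_BAD_RELATION,
         "posMax is less than posMin"),
    ]
    diag, findings = 0, []
    for failed, bit, text in checks:
        if failed:
            diag |= bit
            findings.append(text)
    return diag, findings


def substitute_outputs(diag):
    """Outputs the text specifies for an incorrectly parameterized block."""
    if diag == 0:
        return None
    return {"safePos": DINT_MAX, "safeV": DINT_MAX, "posValid": False,
            "referenced": False, "vValid": False, "error": True, "diag": diag}


if __name__ == "__main__":
    # Constructed sample values; possiSampleTime = 12 ms as in the text's example.
    for sample_time in (12, 24, 30, 48, 72, 96):
        params = SafePositionParams(sample_time, 12, sample_time * 10,
                                    v_max=1000, v_standstill=10,
                                    pos_max=5000, pos_min=0)
        diag, findings = check_params(params)
        print(f"sampleTime={sample_time} ms diag={diag:#06x} {findings}")
```

A non-zero result corresponds to the state in which downstream logic would see the substitute values and error = 1, which cannot be acknowledged.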

Starting behavior

Note When considering differences between position actual values pos1 and possi or
pos1 and pos2, reference is always made to the position actual values (with
offset) with reference to the reference point.
An alignment of possi to pos1 or pos2 to pos1 is always made to the position
actual value (with offset) (with reference to the reference point) of pos1.

11. After a CPU restart, outputs vValid, posValid and referenced initially have a
signal of 0.
12. To be able to travel to the reference point, posValid must be set to 1 by
aligning both encoders using a positive signal edge at sync. The position actual
value is now valid and can be used for making statements regarding the
relative position; however, a safe absolute evaluation of the position is still not
permissible as long as referenced signals a 0.

WARNING
As long as referenced supplies a 0 signal, the position is only suitable for a
relative reference; an absolute evaluation is only permissible for referenced = 1.
Depending on the specific application, for referenced = 0, the system must only
travel with a safely reduced velocity.

13. If the axis is located at the reference point defined using input referencePos,
then the block is referenced using a positive signal edge at reference;
referenced changes to 1. The position actual value output at safePos is now
also suitable for absolute value evaluation.

Safety-related position actual value – 2-encoder system (posConfig == 0)


14. To generate the safe position, the position actual values must be valid, which is
signaled to the block using a 1 signal at inputs pos1Valid and possiValid.


Note
An encoder fault should always result in the withdrawal of input signal pos1Valid
or possiValid/pos2Valid. As a consequence, the safety-related actual value is
immediately declared to be invalid and the position tolerance monitoring hidden.
As a consequence, an encoder fault does not mean that the safety-related
reference is immediately lost and the safe position can be reproduced after the
encoder returns.

15. The safe position actual value is output via output safePos. A 1 signal at output
posValid indicates that the safe position actual value is valid. A 1 signal at
output referenced indicates that the safe position actual value may be used as
safe absolute position actual value. For a 0 signal at output referenced, the
safe position actual value may only be used as safe, relative position actual
value.
16. If an invalid position actual value is signaled at inputs pos1Valid and/or
possiValid using a 0 signal, or a step in the position actual value of pos1 is
detected (position change > 2x maximum velocity vMax), then outputs
posValid, referenced and vValid are reset to 0, output error is set to 1, and in
output word diag bit 9 is set to 1 and depending on the cause, bit 10 or 11 is
set to 1. In addition, the last valid position actual value from pos1 is internally
saved.
17. If position actual values are signaled as again being valid at inputs pos1Valid
and possiValid using a 1 signal, the block checks whether the safety-related
reference is still valid. For this purpose, safe referencing must have been
already performed.
18. One of the following conditions must be satisfied in order to declare that a
safety-related reference is still valid:
a. If the difference between position actual values from pos1 and possi
(with the associated position offset (see Point 15)) lies within the
parameterized tolerance window discrepancyAfterFailure and the
value of possi is greater than 0, then the reference is declared to be
still valid.
b. If the difference between the position actual value of pos1 and the last
valid saved position actual value from pos1 lies within the
parameterized tolerance window discrepancyStartupPos1, then the
reference is declared to be still valid. For deviations, bit 10 in output
word diag is set to 1.
19. If, using the techniques described in Points 18a and/or 18b, the safety-related
reference can still be declared valid, then output ackReq is set to 1 and the
error state can be acknowledged using a positive signal edge at input ack.
Outputs posValid, referenced and vValid are again set to 1, outputs error and
ackReq are reset to 0, and bits 9, 10 and 11 are reset to 0 in output word diag.
Position actual value possi is aligned with respect to position actual value pos1
as described under Point 13.
20. If, using the technique described in Points 18a and/or 18b, the safety-related
reference cannot be declared as still valid, then a new safety-related reference
must be performed using a reference point approach. For this purpose, using a
positive signal edge at input sync, as described under Point 52, the encoder
can be aligned (output error is reset to 0 and in output word diag, bits 9,
10 and 11 are reset to 0), and after the reference point approach as described
under Point 13, the safety-related referencing is carried out.

21. If the difference between the position actual values of pos1 and possi (with the
associated position offset) for position actual values that are signaled valid
exceeds the tolerance window that is calculated between
discrepancyPos1PossiMin and discrepancyPos1PossiMax based on the
current velocity, then outputs posValid, referenced and vValid are reset to 0,
output error is set to 1, and in output word diag bit 8 is set to 1.
22. In this error state, a statement cannot be made regarding the validity of the
safety-related reference, and a new safe reference must be established using
a reference point approach. For this purpose, using a positive signal edge at
input sync, as described under Point 12, the encoder can be aligned (output
error is reset to 0) and after the reference point approach as described under
Point 13 the safety-related referencing is performed. If, when a fault occurs, the
system is already at the reference point, then the safe reference can be directly
performed using a positive signal edge at input reference. Bit 8 is reset to 0 in
output word diag.
23. If safePos exceeds the value of posMax, then output error is set to 1 and bit 3
is set to 1 in output word diag. Output posValid is reset to 0.
24. If safePos again falls below the value of posMax, then output ackReq is set to
1, and the error state can be acknowledged using a positive signal edge at
input ack. Output error and ackReq are reset to 0, bit 3 is set to 0 in output
word diag. Output posValid is again set to 1.

25. If safePos falls below the value of posMin, then output error is set to 1 and bit 4
is set to 1 in output word diag. Output posValid is reset to 0.
26. If safePos again exceeds the value of posMin, then output ackReq is set to 1,
and the error state can be acknowledged using a positive signal edge at input
ack. Output error and ackReq are reset to 0, bit 4 is set to 0 in output word
diag. Output posValid is again set to 1.

Safety-related position actual value – 3-encoder system (posConfig == 1)

27. To generate the safe position, the position actual values must be valid, which is
signaled to the block using a 1 signal at inputs pos1Valid, possiValid and
pos2Valid.

Note
An encoder fault should always result in the withdrawal of input signal pos1Valid,
possiValid or pos2Valid. As a consequence, the safe position actual value is
immediately declared as invalid. As a consequence, an encoder fault does not
mean that the safety-related reference is immediately lost but can be reproduced
after the encoder returns.

28. The safe position actual value is output via output safePos. A 1 signal at output
posValid signals that the safe position actual value is valid. A 1 signal at output
referenced indicates that the safe position actual value may be used as safe
absolute position actual value. For a 0 signal at output referenced, the safe
position actual value may only be used as safe, relative position actual value.


WARNING
As long as output referenced delivers a 0 signal, the position output at safePos
can only be used for a relative reference. An absolute evaluation is only
permissible if output referenced supplies a 1 signal.

29. If the position actual values are valid, then output syncReq is set to 1, and
using a positive signal edge at sync, the encoders can be aligned, i.e. any
existing or initial discrepancy between the position actual values of encoders
pos1 and possi as well as pos1 and pos2 (only if no safety-related reference is
available) is set to 0 with respect to the position actual value of pos1. The
outputs posValid and vValid are set to 1.
30. If the system has still not been referenced, or it was not possible to restore the
internal block safety-related reference, then bit 7 is set to 1 in output word diag.
31. If the position actual value is valid and the system is at the reference point, a
safe reference can be performed in the block with a positive signal edge at
reference, where for pos1, possi and pos2, a separate position offset relative to
the value specified at input referencePos is determined, which is then stored
internally. Outputs posValid, referenced and vValid are set to 1 if referencing
was successful. Bit 7 is reset to 0 in output word diag.
32. The block itself does not provide any retraction logic. Using a suitable logic
interconnection outside the block, it must be ensured that for a 0 signal at input
referenced the axis can only travel with a safely reduced velocity.
33. A velocity-dependent permissible discrepancy between
discrepancyPos1PossiMin and discrepancyPos1PossiMax is generated. The
discrepancy parameterized at discrepancyPos1PossiMin is valid for every
velocity. Depending on the actual velocity, the maximum valid discrepancy
between the encoders is formed between discrepancyPos1PossiMin and
discrepancyPos1PossiMax, referred to vMax.
34. If an invalid position actual value is signaled at inputs pos1Valid, possiValid
and/or pos2Valid using a 0 signal, if a step in the position actual value of pos1 is
detected (position change > 2x maximum velocity vMax), if the difference of
pos1 and possi (with the associated position offset (see Point 31)) exceeds the
tolerance window discrepancyPos1PossiMax, or if the difference of pos1 and
pos2 (with the associated position offset (see Point 32)) exceeds the tolerance
window discrepancyPos1Pos2, then outputs posValid, referenced and vValid
are reset to 0, output error is set to 1 and in output word diag bits 9/10/11 are
set to 1.
35. If position actual values are signaled as again being valid at inputs pos1Valid,
possiValid and pos2Valid using a 1 signal, then the block checks whether the
safety-related reference is still valid. For this purpose, safe referencing must
have been already performed.
36. A check is made as to whether the difference between position actual value of
pos1 and pos2 (with the associated position offset (see Point 31)) lies within
the parameterized tolerance window discrepancyAfterFailure. If this is not the
case, bit 12 is set to 1 in output word diag.
37. If, using the technique described in Point 35, the safety reference can still be
declared valid, then output ackReq is set to 1 and the error state can be
acknowledged using a positive signal edge at input ack. Outputs posValid,
referenced and vValid are again set to 1, outputs error and ackReq are reset to
0, and bits 9 and 12 are reset to 0 in output word diag. Position actual value
possi is aligned with respect to position actual value pos1 as described under
Point 29. The position actual value from pos2 is not aligned with respect to
position actual value pos1 as the safety-related reference still exists.


38. If, using the technique described in Point 36, the safety-related reference
cannot be declared as still valid, then a new safety reference must be
performed using a reference point approach. For this purpose, using a
positive signal edge at input sync, as described under Point 29, the encoder
can be aligned (output error is reset to 0 and in output word diag, bits 9 and 12
are reset to 0). As the safety-related reference is no longer available, in
addition to position actual value possi, position actual value pos2 is also
aligned with respect to position actual value pos1. The safety-related reference
can be performed after the reference point approach, as described under Point
31.

39. If safePos exceeds the value of posMax, then output error is set to 1 and bit 3
is set to 1 in output word diag. Output posValid is reset to 0.
40. If safePos again falls below the value of posMax, then output ackReq is set to
1, and the error state can be acknowledged using a positive signal edge at
input ack. Output error and ackReq are reset to 0, bit 3 is set to 0 in output
word diag. Output posValid is again set to 1.

41. If safePos falls below the value of posMin, then output error is set to 1 and bit 4
is set to 1 in output word diag. Output posValid is reset to 0.
42. If safePos again exceeds the value of posMin, then output ackReq is set to 1,
and the error state can be acknowledged using a positive signal edge at input
ack. Output error and ackReq are reset to 0, bit 4 is set to 0 in output word
diag. Output posValid is again set to 1.

WARNING
As long as referenced has a 0 signal, the position is only suitable for a relative
reference; an absolute evaluation is only permissible for referenced = 1.
Depending on the specific application, for referenced = 0, the system must only
travel with a safely reduced velocity.

WARNING
The position actual value is not safely generated as long as posValid has a 0
signal. For a falling signal edge, a stop response should be initiated on an
application-for-application basis.


Safe velocity actual value

43. The safe velocity calculated by the block from the absolute actual position
value of the motor encoder interconnected at possi is output at output safeV.

Note To increase the resolution, the velocity is output in unit [mm/min] instead of
[mm/s].

44. If safeV falls below the value parameterized at vStandstill, then at output
standstill this standstill is signaled using a 1 signal.
45. If safeV is higher than or equal to vStandstill, then a 1 signal is output at
movesPositive, if safePos assumes increasingly higher values over time or a 1
signal is output at movesNegative if the values of safePos assume increasingly
lower values over time.
46. If safeV exceeds the value parameterized at vMax, error and diag bit 5 are set
to 1. vValid is reset to 0.
47. If safeV again falls below the value parameterized at vMax, then ackReq is set
to 1, and the error state can be acknowledged using a positive signal edge at
input ack. Error and ackReq are reset to 0 and bit 5 is reset to 0 in output word
diag. Output vValid is again set to 1.
48. To what extent (specified in [mm]) the values of pos1 and possi may deviate
from one another within the vSyncIntervall (data in [ms]) without resulting in a
velocity error is parameterized at input vDiscWindow.
49. After the time parameterized at vSyncIntervall, the discrepancy of the relative
position from pos1 to possi, which has accumulated in the block, is reset in
order to facilitate a specific slip tolerance.
50. If the offset between pos1 and possi exceeds the value parameterized at input
vDiscWindow, then output error is set to 1, and bit 6 is set to 1 in output word
diag. Output vValid is reset to 0.
51. If the offset between pos1 and possi falls below the value parameterized at
input vDiscWindow, then output ackReq is set to 1, and the error state can be
acknowledged with a positive signal edge at input ack. Outputs error and
ackReq are reset to 0, and bit 6 in output word diag is reset to 0. Output vValid
is again set to 1.

WARNING
As long as vValid supplies a 0 signal, the velocity actual value has not been
safely generated.


Referencing
52. If the system has still not been referenced, or it was not possible to restore the
internal block safety-related reference, then bit 7 is set to 1 in output word diag.
53. With a positive signal edge at reference, in the block a safety adjustment is
performed, where for the two raw position values, a separate position offset
relative to the value specified at input referencePos is determined and saved.
Output referenced is set if referencing was successful.
54. For successful referencing, both encoder actual values must be valid
(pos1Valid & possiValid (for posConfig = 0) or pos1Valid & pos2Valid &
possiValid = 1 (for posConfig = 1)).
55. referenced is then set with a rising edge at input reference and the offsets are
internally saved.
56. referenced is withdrawn as soon as one of the tolerances defined in the
particular encoder variant is violated.

Note After an encoder fault, the block is able to reproduce the safe position safePos
without having to perform a reference point approach. If pos1Valid and
possiValid or pos2Valid (depending on whether posConfig= 0/1) have a rising
edge after the encoder returns, then after acknowledgment, the reference is
declared as being valid again in the block, as described for the particular
encoder variant.
Safety note
The signal for reference must be generated in a safety-related fashion, e.g. by
using reference mark switches. When referencing, the user must make a visual
inspection to ensure that the mechanical position corresponds to the reference
position, and referencing is performed using user acknowledgment at input
reference.

Note An encoder fault should always result in the withdrawal of input signal pos1Valid
or possiValid/pos2Valid. As a consequence, the safety-related actual value is
immediately declared to be invalid and the position tolerance monitoring hidden.
As a consequence, an encoder fault does not mean that the safety-related
reference is immediately lost and the safe position can be reproduced after the
encoder returns.

Synchronizing encoders
57. Output syncReq is set to 1 if synchronization is required. If the position actual
values are valid, using a positive signal edge at sync, the encoders can be
aligned, i.e. a discrepancy that has been established or an initial discrepancy
between the position actual values of encoder pos1 and possi as well as pos1
and pos2 (only for 3-encoder systems) is set to 0 with respect to the position
actual value of pos1. The outputs posValid and vValid are set to 1.


WARNING
Cyclic synchronization means that the two channel architecture is overridden for
the position actual value processing and is therefore not permissible. When
synchronization is permissible depends on the specific application, and the user
is responsible for applying the correct logic interconnection.

Acknowledging errors
58. Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge. As soon as the block can be acknowledged, this is
indicated by a 1 signal at output ackReq. ackReq is reset to 0 after a positive
signal edge at ack.

Safety note
Faults may only be acknowledged by qualified technical personnel who can
assess the reason for the failure and the subsequent safety integrity.
A separate acknowledgment possibility must be provided to acknowledge this
error.
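
The acknowledgment pattern described in Point 58 and used for the posMax limit in Points 23 and 24, as an added example that is not Siemens code. It is a simplified model with hypothetical Python names; it assumes that an edge at ack arriving while the fault is still active is ignored, so an ack input that is held or jumpered at 1 never clears the error.

```python
DIAG_POS_MAX = 1 << 3   # diag bit 3: safePos exceeded posMax (Point 23)


class PosMaxLatch:
    """Simplified model of the posMax monitoring and its acknowledgment."""

    def __init__(self, pos_max):
        self.pos_max = pos_max
        self.error = False
        self.ack_req = False
        self.pos_valid = True
        self.diag = 0
        self._ack_prev = False   # ack level seen in the previous cycle

    def cycle(self, safe_pos, ack):
        """Run one block cycle; return (error, ackReq, posValid, diag)."""
        rising_edge = ack and not self._ack_prev
        self._ack_prev = ack

        if safe_pos > self.pos_max:
            # Fault active: latch the error, no acknowledgment offered.
            self.error = True
            self.ack_req = False
            self.pos_valid = False
            self.diag |= DIAG_POS_MAX
        elif self.error:
            # Cause has gone but the error stays latched until acknowledged.
            self.ack_req = True
            if rising_edge:
                self.error = False
                self.ack_req = False
                self.pos_valid = True
                self.diag &= ~DIAG_POS_MAX
        return (self.error, self.ack_req, self.pos_valid, self.diag)


def run_trace(pos_max, samples):
    """samples: iterable of (safePos, ack) pairs, one per block cycle."""
    latch = PosMaxLatch(pos_max)
    return [latch.cycle(safe_pos, ack) for safe_pos, ack in samples]


# Constructed trace: limit violated, ack pressed too early and held,
# then released and pressed again once ackReq is set.
SAMPLE_TRACE = [
    (900, False),    # normal operation
    (1001, False),   # posMax exceeded, error latched
    (1001, True),    # ack edge while fault is active: ignored
    (950, True),     # back in range, ack still held: no new edge
    (950, False),    # ack released, ackReq still pending
    (950, True),     # rising edge with ackReq = 1: acknowledged
]

if __name__ == "__main__":
    for (safe_pos, ack), state in zip(SAMPLE_TRACE, run_trace(1000, SAMPLE_TRACE)):
        print(f"safePos={safe_pos:5d} ack={int(ack)} -> "
              f"error={int(state[0])} ackReq={int(state[1])} "
              f"posValid={int(state[2])} diag={state[3]:#06x}")
```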

Additional diagnostic options


To optimize the system response, the currently active position and velocity
discrepancy from the instance DB of the block can be read out for diagnostic
purposes.
The position discrepancy is held in static variable "statPos1Pos2Delta" or
"statPos1PossiDelta", and the velocity discrepancy in static variable
"statVDiscrepancy".


3.3 LFASRS_SLPMonitor
3.3.1 Introduction

Fail-safe function block LFASRS_SLPMonitor is used to safely monitor the end
positions of a travel range. If the defined travel range is exited, then the block
signals this and, depending on the user interconnection, a stop response can be
initiated.
The block offers retraction logic so that the axis can return to the permitted travel
range. Using this, the axis can be moved away from the end position at a safety-
related velocity that can be parameterized at the block. To inhibit traversing further
towards the end stop, the block provides two signals to control function SDI in the
drive.

Fig. 3-6: LFASRS_SLPMonitor


Note When using this block, block F_BO_W (FC 176) must be in the block folder. It is
not permissible that this is renumbered!


3.3.2 Connections

All variables of type Bool listed in the following table are preassigned FALSE, all integer
variables are preassigned 0, and all word variables are preassigned W#16#0, unless
explicitly listed otherwise in the following table.

Inputs
Table 3-5
Name Data type Description
safePos DInt Safety-related actual position [mm]
is supplied from the LFASRS_SafePosition
block.
posValid Bool Actual position valid
is supplied from the LFASRS_SafePosition
block.
1: Position plausible
0: Position not plausible, e.g. discrepancy
between the two encoders is outside the
specified tolerance.
If a 0 signal is present here, then bit diag. No.
5 is set.
referenced Bool Safe position is referenced
is supplied from LFASRS_SafePosition block
(absolute position reference established)
safeV DInt Safe actual velocity [mm/min]
is supplied from the LFASRS_SafePosition
block.
vValid Bool Actual velocity valid
is supplied from the LFASRS_SafePosition
block.
1: Velocity plausible
0: Velocity not plausible, e.g. increase in the
deviation over time between the two encoders
is outside the specified tolerance
If a 0 signal is present here, and the block is in
the retract mode then bit diag. No. 6 is set.
xNegative DInt minimum permissible position [mm]
If the value at input safePos falls below this
limit value, then output xNegativeOk is reset
xPositive DInt maximum permissible position [mm]
If the value at input safePos exceeds this limit
value, then output xPositiveOk is reset
vMaxRelease DInt Retraction velocity [mm/min]
If the block is in the retract mode, then this
value is issued at output slsThreshold.
vMaxRelease must be parameterized in the
range 1-2147483647. Otherwise, diag bit No.
4 is set
release Bool Retraction
If the permitted position range was exited,
then using this input, the axis can be moved
back into the permissible position range with
the velocity parameterized at vMaxRelease.
Motion is stopped as soon as a 0 signal is
present at this input while retracting.

enableMonitoringNegative Bool Activating monitoring in the negative limit
range
0 = Monitoring for falling below position and
velocity limits at xNegative is deactivated
1 = Monitoring for falling below position and
velocity limits at xNegative is activated.
Default assignment = 1
enableMonitoringPositive Bool Activating monitoring in the positive limit
range
0 = Monitoring for exceeding position and
velocity limits at xPositive is deactivated
1 = Monitoring for exceeding position and
velocity limits at xPositive is activated.
Default assignment = 1
Ack Bool Acknowledgment
If an error has occurred in normal
operation, then this must be reset using
ack before the system is restarted.
The acknowledgment is only realized for a
positive signal edge at ack; in normal
operation this has no effect.

Outputs
Table 3-6
Name Data type Description
slsThreshold DInt SLS limit [mm/min]
The maximum traversing velocity
that is presently permissible is
output at this output. In normal
operation, this is 2147483647;
vMaxRelease is output here if the
user performs a retraction operation.
If vMaxRelease should be
parameterized <= 0, then substitute
value 1 is output here.
slsOk Bool Status SLS limit
1: safeV is less than/equal to
slsThreshold
0: safeV has exceeded the
slsThreshold value.
A stop response should be initiated
if this output should switch to 0.
xNegativeOk Bool Minimum position status
1: safePos is greater than/equal to
xNegative
0: safePos has fallen below the
value of xNegative.
A stop response should be initiated
if this output should switch to 0.
xPositiveOk Bool Maximum position status
1: safePos is less than/equal to
xPositive
0: safePos has exceeded the value
of xPositive.
A stop response should be initiated
if this output should switch to 0.
moveNegativeOk Bool Negative movement permitted
If a 0 signal is present at this output,
then it is not permissible that the
machine continues to move in the
negative direction. The output is
then set to 0 as soon as safePos
assumes values lower than
xNegative.
If safePos again lies above
xNegative, then the output is again
set after acknowledgment.
movePositiveOk Bool Positive movement permitted
If a 0 signal is present at this output,
then it is not permissible that the
machine continues to move in the
positive direction. The output is then
set to 0 as soon as safePos
assumes values higher than
xPositive.
If safePos again lies below
xPositive, then the output is again
set after acknowledgment.
ackReq Bool Acknowledgment request
If an error has occurred, which is
however no longer active and can
therefore be acknowledged, then
this block indicates this using a 1
signal at ackReq.
error Bool Error
This output is set if the block is
incorrectly parameterized or if, in
operation, the block detects a
potentially dangerous combination of
input signals. The output remains
set until no more errors are active
and an acknowledgment has been
made.
diag Word Diagnostic word
Information about the function status
and errors of the block is issued at
this output (see also the table below).

Structure of diag
Table 3-7
Bit No. | Description | Reset condition
0 | Lower end position was fallen below | While retracting safePos >= xNegative and positive signal edge at ack
1 | Upper end position was exceeded | While retracting safePos <= xPositive and positive signal edge at ack
2 | Actual velocity higher than the retraction velocity | safeV <= slsThreshold and pos. signal edge at ack
3 | Reserved | ---
4 | Parameterization error retraction velocity | 0 < vMaxRelease <= 2147483647 parameterized
5 | Actual position invalid | Actual position again valid
6 | Actual velocity invalid | Actual velocity is again valid
7 | Actual position valid however not referenced | Actual position valid and referenced
8 | Reserved | ---
9 | Reserved | ---
10 | Reserved | ---
11 | Reserved | ---
12 | Reserved | ---
13 | Reserved | ---
14 | Reserved | ---
15 | Reserved | ---

3.3.3 Principle of operation

Parameterization
1. The user must interconnect the safety-related position actual value of the
system to be monitored at the safePos input and its validity AND'ed with the
valid reference (referenced) at input posValid. Block "LFASRS_SafePosition"
(Chapter 3.2) provides the three signals as output.
2. Inputs safeV and vValid, which refer to the safe actual velocity, respond in the
same way.
3. The permitted range for the travel distance is parameterized by specifying the
upper and lower limit at inputs xPositive and xNegative.
4. vMaxRelease must lie in the range 1 – 2147483647. If values less than 1 or
values higher than 2147483647 are parameterized, then the block detects this
and diag bit 4 is set. error changes to 1.

The block detects if not all of the specified preconditions are satisfied, and signals
this by setting the appropriate diag bits.

Note
The block checks the parameterization only during the first call. This increases the
performance for further operation of the block.
With the exception of xNegative and xPositive, this means that
reparameterization is not possible when the system is operational. The safety
program must be regenerated and loaded each time that the operating
parameters of the block are changed.

Position monitoring
5. As long as the position actual value is valid and is in the parameterized range,
the block does not signal an error, i.e. outputs error and diag supply a 0 signal.
6. If the position actual value is in the permissible range, but is however marked
as being invalid due to posValid = 0, then an error code is also output to diag.
error remains in the current state until acknowledgment, assuming that no
additional faults are received as a result of an additional active monitoring
function. All other outputs keep their current status up until acknowledgment or
until release is deselected. In this case diag bit No. 5 is set.
7. As soon as posValid changes back to 1, then diag bit No. 5 again indicates a 0
signal.
8. As soon as safePos lies outside the parameterized travel range, depending on
the direction in which this was exited, then xPositiveOk or xNegativeOk is set
to 0. A stop response in the drive must then be initiated in the user
interconnection.
9. In addition, diag bit No. 0 is set when the lower end position is fallen below or
diag bit No. 1 is set when the upper end position is exceeded. error is set to 1.
10. Monitoring in the positive direction can be deactivated with
enableMonitoringPositive = false; if the input = false, then the position specified
at xPositive can be exceeded without the block indicating a response at the
enable outputs. Monitoring in the negative direction can be bypassed with
enableMonitoringNegative = 0; if the input = false, then the position specified at
xNegative can be undershot without the block indicating a response at the
enable outputs.
11. The monitoring functions are reactivated by setting the inputs (= true). At the
time of activation, if a limit value is violated, the retract function (Point 12) must be
used to move from this state back into the defined range. In this state, the
bypass cannot be reactivated.

Note The input signals at enableMonitoringNegative and enableMonitoringPositive are
preassigned = true. If a signal is programmed to control the inputs, then this
must be generated in a safety-related fashion, e.g. by using a key switch or
similar device.

Safety note
Block LFASRS_SafePosition signals a 0 signal at posValid via output error = 1.
When posValid drops out, then a stop response in the drive must be initiated via
a user interconnection. All other blocks indicate this status using an error code;
however, to avoid a flood of messages, error is not again set here to a 1 signal.
The end positions are no longer monitored. Active errors of the end position
monitoring can be immediately acknowledged; xNegativeOk, xPositiveOk and
slsOk are set again.
If a 1 signal is again available at posValid, then the associated diag bit 5 is reset
and the end position monitoring is continued.

Retraction
12. To return from the end position into the permitted travel range, the retraction
function of the block can be activated with a positive signal edge at release.
The velocity parameterized at vMaxRelease is then output at slsThreshold, and
depending on the direction of the end range violation, movePositiveOk or
moveNegativeOk is set to 0 to prevent additional motion that goes beyond the
end position. By establishing an interconnection with the associated SDI
signals of the drive (see Chapter 4.4), with movePositiveOk = 0, motion can be
inhibited in the positive direction and with moveNegativeOk = 0, motion can be
inhibited in the negative direction.

Note When using the SDI function of the drive, signals movePositiveOk and
moveNegativeOk can be used. The outputs of block LFASRS_SLPMonitor
indicate that motion in the positive or negative direction is enabled. For SDI+ and
SDI-, SDI inhibits the respective direction. This is the reason that
movePositiveOk must be interconnected with SDI- and moveNegativeOk with
SDI+.

Note The signal for release must be generated in a safety-related fashion, e.g. by
using a key switch or similar.

13. To facilitate retraction, xPositiveOk or xNegativeOk are reset to 1 when release
is selected; the stop response of the drive should then be deselected using a
suitable user circuit.
14. If, while retracting, safeV exceeds the value of vMaxRelease, then slsOk
changes to 0 and diag bit 2 is set.
15. A velocity error can be immediately acknowledged if the actual velocity safeV
lies below slsThreshold.
16. As soon as safePos returns to the parameterized permitted range, after
successful acknowledgment, the axis can again be moved with the full velocity,
i.e. the maximum velocity is reset at slsThreshold (maximum possible DINT
value = 2147483647).
17. If, when retracting, the system travels to the opposite end position, then the
block behaves as for the corresponding end range violation in normal
operation. This means that xPositiveOk or xNegativeOk again changes to 0,
and additional motion is only possible in the direction away from the end
position/end stop.
18. While safePos is outside the parameterized traversing range, if vValid = 0, then
the retraction velocity can no longer be safely monitored. As a consequence,
selection via release = 1 has no effect, an active retraction is stopped.

19. To exit this state, initially vValid must be set back to a 1 signal by
acknowledging via block LFASRS_SafePosition.
20. Retraction can then be continued. Alternatively, a jump can be made back to
the initial state by deselecting release and then acknowledging. If safePos still
lies outside the parameterized travel range, then the system responds
corresponding to Point 8.

Safety note
Block LFASRS_SafePosition signals a 0 signal at vValid via output error = 1.
When vValid drops out, then a stop response in the drive must be initiated using
an appropriate user interconnection. All other blocks indicate this status using an
error code; however, to avoid a flood of messages, error is not again set here to
a 1 signal. The retraction velocity is no longer monitored. Active errors for the
retraction monitoring can be immediately acknowledged, slsOk is set again.
Retraction via release can be normally exited, movePositiveOk and
moveNegativeOk are set again. If the axis is not in the valid position range at this
point in time, then xPositiveOk or xNegativeOk is withdrawn and error is set.
If a 1 signal is again available at vValid, then the associated diag bit 6 is reset,
and a possibly active retraction travel is again monitored.

Safety note
The parameterization of input vMaxRelease must be adapted to the safely
reduced speed permitted according to the application-specific risk assessment.

WARNING The interconnection of output movePositiveOk must match the selection of drive
function SDI for the positive direction. For movePositiveOk = 0, motion in the
positive direction must no longer be possible.
The same applies to the interconnection of output moveNegativeOk and
inhibiting the negative direction of movement.
It is absolutely necessary that the block outputs are linked with the correct
signals to control the drive.
Otherwise, inadmissible motion towards the end stops is possible, which cannot
be detected in the block.

Acknowledging errors
21. Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge. As soon as the block can be acknowledged, this is
indicated by a 1 signal at output ackReq. ackReq is reset to 0 after a positive
signal edge at ack.
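
The latching behaviour described in Points 8 to 17 and Point 21 can be traced cycle by cycle to derive expected values for acceptance tests. The following Python model is an added example, not the LFASRS_SLPMonitor block or Siemens code: the class and field names are hypothetical, and it assumes posValid = vValid = 1, both enableMonitoring inputs = true, safeV given as a magnitude, and that deselecting release ends retraction.

```python
# Added example: cycle model of end-position latch, retraction and acknowledgment.
# Derived from Points 8-17, Point 21 and Table 3-7; not the Siemens block itself.
from dataclasses import dataclass

DINT_MAX = 2147483647
BIT_LOWER, BIT_UPPER, BIT_SLS = 1 << 0, 1 << 1, 1 << 2   # diag bits 0, 1, 2


@dataclass
class SlpMonitorModel:
    x_negative: int
    x_positive: int
    v_max_release: int
    diag: int = 0
    retract_mask: int = 0       # end positions being retracted from (0 = no retraction)
    prev_ack: bool = False
    prev_release: bool = False

    def cycle(self, safe_pos, safe_v, release=False, ack=False):
        """Evaluate one call of the model and return the output signals as a dict."""
        ack_edge = ack and not self.prev_ack
        release_edge = release and not self.prev_release
        self.prev_ack, self.prev_release = ack, release

        below = safe_pos < self.x_negative
        above = safe_pos > self.x_positive
        # Points 8 and 9: leaving the travel range latches diag bit 0 or 1.
        if below:
            self.diag |= BIT_LOWER
        if above:
            self.diag |= BIT_UPPER

        # Point 12: a positive edge at release selects retraction.
        if release_edge:
            self.retract_mask = self.diag & (BIT_LOWER | BIT_UPPER)
        if not release:
            self.retract_mask = 0   # Assumption: release = 0 ends retraction.

        sls_threshold = self.v_max_release if self.retract_mask else DINT_MAX
        # Point 14: overspeed while retracting latches diag bit 2.
        if self.retract_mask and safe_v > self.v_max_release:
            self.diag |= BIT_SLS

        # Point 21: acknowledgment is possible once no latched error is still active.
        active = below or above or safe_v > sls_threshold
        ack_req = self.diag != 0 and not active
        if ack_edge and ack_req:
            self.diag, self.retract_mask = 0, 0
            sls_threshold, ack_req = DINT_MAX, False    # Point 16: full velocity again

        return {
            # Point 13: the violated end is reported as ok again while retracting.
            "xNegativeOk": not below or bool(self.retract_mask & BIT_LOWER),
            "xPositiveOk": not above or bool(self.retract_mask & BIT_UPPER),
            # Direction enables stay at 0 until the error has been acknowledged.
            "moveNegativeOk": not self.diag & BIT_LOWER,
            "movePositiveOk": not self.diag & BIT_UPPER,
            "slsOk": not self.diag & BIT_SLS,
            "slsThreshold": sls_threshold,
            "ackReq": ack_req,
            "error": self.diag != 0,
            "diag": self.diag,
        }


def retraction_trace():
    """Constructed scenario: lower limit violated, retraction with overspeed, then ack."""
    m = SlpMonitorModel(x_negative=0, x_positive=10000, v_max_release=500)
    return [
        m.cycle(5000, 3000),                         # normal operation
        m.cycle(-20, 0),                             # lower end position undershot
        m.cycle(-20, 0, release=True),               # retraction selected
        m.cycle(-10, 800, release=True),             # too fast while retracting
        m.cycle(50, 100, release=True),              # back in range, not yet acknowledged
        m.cycle(50, 100, release=True, ack=True),    # positive edge at ack
    ]
```

In the trace, moveNegativeOk stays 0 from the violation until the acknowledgment, which is the signal the drive-side direction inhibit has to follow.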

3.4 LFASRS_Endzone
3.4.1 Introduction

The fail-safe LFASRS_Endzone function block is used to safely monitor the end
positions of a travel range or to monitor for collisions between two systems. If the
monitored system approaches the parameterizable positive and/or negative end
position, then its maximum permitted velocity, dependent on the current position
along a parameterizable curve, is monitored down to standstill to ensure that it
does not exceed the set limit. The curve is parameterized using a fail-safe array
with up to 10,000 interpolation points (maximum permissible velocity referred to a
position). Input SCALE allows the end zone to be scaled as an integer number up to
100 meters.

If the axis travels beyond the end position, or the maximum permitted velocity is
exceeded, then the block signals this and, depending on the user interconnection,
a stop response is initiated.

The block offers retraction logic so that after an end position has been passed, the
axis can return to the permitted travel range. Using this, the axis can be moved
away from the end position at a safe low velocity that can be parameterized at the
block. To inhibit traversing further towards the end stop, the block provides two
signals to control function SDI in the drive.

Fig. 3-7 LFASRS_Endzone

Note When using this block, block F_BO_W (FC 176) must be in the block folder. It is
not permissible that this is renumbered!

3.4.2 Connections

All variables of type Bool listed in the following table are preassigned FALSE, all
integer variables are preassigned 0 and all word variables are preassigned
W#16#0.

Inputs
Table 3-8
Name Data type Description
scaleFactor DInt Scaling factor for the end zone
The factor allows the end zone to be extended to a
range of up to 100 meters
scaleFactor must be parameterized in the range 0 <
scaleFactor <= 10
safePos DInt Safety-related actual position [mm]
is supplied from the LFASRS_SafePosition block.
posValid Bool Actual position valid
is supplied from the LFASRS_SafePosition block.
1: Position plausible
0: Position not plausible, e.g. discrepancy between
the two encoders is outside the specified tolerance.
referenced Bool Safe position is referenced
is supplied from LFASRS_SafePosition block
(absolute position reference established)
safeV DInt Safe actual velocity [mm/min]
is supplied from the LFASRS_SafePosition block.
If the actual velocity is higher than the upper limit
calculated by the block in operation, or in the
retraction mode is higher than the upper limit
parameterized at vMaxRelease then output slsOk is
reset and the machine is stopped.
vValid Bool Actual velocity valid
is supplied from the LFASRS_SafePosition block.
1: Velocity plausible
0: Velocity not plausible, e.g. increase in the
deviation over time between the two encoders is
outside the specified tolerance
xNegative DInt minimum permissible position [mm]
If the value at input safePos falls below this limit
value, then output xNegativeOk is reset.
xPositive DInt maximum permissible position [mm]
If the value at input safePos exceeds this limit
value, then output xPositiveOk is reset.
vMaxRelease DInt Retraction velocity [mm/min]
If the block is in the retract mode, then this value is
issued at output slsThreshold.
vMaxRelease must be parameterized in the range 1
<= vMaxRelease <= endzone[9999].
release Bool Retraction
If the permitted position range was exited, after a
positive signal edge at this input, the axis can be
moved back into the permissible position range with
the velocity parameterized at vMaxRelease. Motion
is stopped as soon as a 0 signal is present at this
input while retracting.
enableMonitoringNegative Bool Activating monitoring in the negative limit range
0 = Monitoring for falling below position and velocity
limits at xNegative is deactivated
1 = Monitoring for falling below position and velocity
limits at xNegative is activated.
Default assignment = 1
enableMonitoringPositive Bool Activating monitoring in the positive limit range
0 = Monitoring for exceeding position and velocity
limits at xPositive is deactivated
1 = Monitoring for exceeding position and velocity
limits at xPositive is activated.
Default assignment = 1
ack Bool Acknowledgment
If an error has occurred in normal operation, then
this must be reset using ack before the system is
restarted.
The acknowledgment is only realized for a positive
signal edge at ack; in normal operation this has no
effect.

InOut
Table 3-9
Name Data type Description
endzone Array of DInt F-array with interpolation points to define the end zone

Outputs
Table 3-10
Name Data type Description
slsThreshold DInt SLS limit [mm/min]
The maximum traversing velocity that is presently
permissible is output at this output. It is
cyclically calculated in the block by the parameterized
ramp function.
slsOk Bool Status SLS limit
1: safeV is less than/equal to slsThreshold
0: safeV has exceeded the slsThreshold value.
A stop response should be initiated if this output
should switch to 0.
xNegativeOk Bool Minimum position status
1: safePos is greater than/equal to xNegative
0: safePos has fallen below the value of xNegative.
A stop response should be initiated if this output
should switch to 0.
xPositiveOk Bool Maximum position status
1: safePos is less than/equal to xPositive
0: safePos has exceeded the value of xPositive.
A stop response should be initiated if this output
should switch to 0.
moveNegativeOk Bool Negative movement permitted
If a 0 signal is present at this output, then it is not
permissible that the machine continues to move in the
negative direction. The output is then set to 0 as soon
as safePos assumes values lower than xNegative.
If safePos again lies above xNegative, then the output
is again set after acknowledgment.
movePositiveOk Bool Positive movement permitted
If a 0 signal is present at this output, then it is not
permissible that the machine continues to move in the
positive direction. The output is then set to 0 as soon
as safePos assumes values higher than xPositive.
If safePos again lies below xPositive, then the output
is again set after acknowledgment.
ackReq Bool Acknowledgment request
If an error has occurred, which is however no longer
active and can therefore be acknowledged, then this
block indicates this using a 1 signal at ackReq.
error Bool Error
This output is set if the block is incorrectly
parameterized or if, in operation, the block detects a
potentially dangerous combination of input signals.
The output remains set until no more errors are active
and an acknowledgment has been made.
diag Word Diagnostic word
Information about the function status and errors of the
block is issued at this output.

Structure DIAG
Table 3-11
Bit No. | Description | Reset condition
0 | Lower end position was fallen below | While retracting SAFE_POS <= X_NEGATIVE and positive signal edge at ACK
1 | Upper end position was exceeded | While retracting SAFE_POS <= X_POSITIVE and positive signal edge at ACK
2 | Retraction velocity exceeded | SAFE_V <= SLS_THRESHOLD and pos. signal edge at ACK
3 | Parameterization error envelope curve, for remaining distance 0 the velocity is not 0 | Envelope curve according to Chapter 3.4.3
4 | Parameterization error retraction velocity | 0 < VMAX_RELEASE <= ENDZONE[9999].
5 | Actual position invalid | Actual position again valid
6 | Actual velocity invalid | Actual velocity is again valid
7 | Reserved | ---
8 | Reserved | ---
9 | Actual velocity is too high regarding current position and direction | SAFE_V <= SLS_THRESHOLD and pos. signal edge at ACK
10 | Reserved | ---
11 | Internal calculation error | pos. signal edge at ACK when the error has gone
12 | Reserved | ---
13 | Reserved | ---
14 | Reserved | ---
15 | Reserved | ---

3.4.3 Principle of operation

Parameterization
1. The user must interconnect the safety-related actual position value of the
system to be monitored at input safePos, its validity at input
posValid and the state of the referencing at input referenced.
Block "LFASRS_SafePosition" (Chapter 3.2) provides the three signals as output.
2. Inputs safeV and vValid, which refer to the safe actual velocity, respond in the
same way.
3. The lower end stop is parameterized using input xNegative and the positive
end stop using xPositive.
4. The velocity envelope curve of the end zone to be monitored is parameterized
using a maximum of 10,000 interpolation points (velocity with respect to distance)
in F-array "endzone[]", referred to the remaining distance to an end
position/end stop. Correspondingly, the velocity envelope curves in the positive
and negative end zones are symmetrical with respect to one another.
5. With scaleFactor == 1, every endzone[x] interpolation point represents one mm of
travel range. By increasing scaleFactor to a maximum factor of 10, for 10,000
possible interpolation points, the end zone that can be mapped increases
from 10 m up to 100 m.
6. Interpolation point endzone[0] must be parameterized with endzone[0] := 0
mm/min. If not all 10,000 interpolation points are to be monitored over the
complete end zone range, then the remaining interpolation points must be
parameterized with the maximum velocity.

[Figure: velocity envelope curve. Vertical axis: 0 to value from endzone[9999]. Horizontal axis: travel range from xNegative to xPositive; remaining distance 'x' from 0 mm to 9,999 mm.]

The block detects if not all of the specified preconditions are satisfied, and signals
this by setting the appropriate diag bits.

Safety note
The user must validate the parameterized envelope curve himself, and the
correct functionality must be verified by making the appropriate traces and tests
(see Chapter 3.1.1).

Note The requirements relating to monotonic increase and gradient of the envelope
curve depend on the specific application and the associated risk assessment.

Note
The block checks the parameterization only during the first call. This increases the
performance for further operation of the block.
With the exception of xNegative and xPositive, this means that
reparameterization is not possible when the system is operational. The safety
program must be regenerated and loaded each time that the operating
parameters of the block are changed.
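
Because the block evaluates the parameterization only once and signals mistakes through diag bits 3 and 4, the rules from Points 4 to 6 and the scaleFactor and vMaxRelease ranges from Table 3-8 are worth checking offline before the safety program is generated. The following Python code is an added example, not Siemens code: the function names and the sample curve are constructed, and it assumes that the F-array always holds all 10,000 points and that the interpolation point for a remaining distance is found by integer division by scaleFactor.

```python
# Added example: offline check of an LFASRS_Endzone parameter set.
# Not Siemens code; function names and the sample curve are constructed.

DINT_MAX = 2147483647
POINTS = 10_000                 # endzone[0] .. endzone[9999]
DIAG_CURVE = 1 << 3             # Table 3-11 bit 3: velocity at remaining distance 0 is not 0
DIAG_VMAX_RELEASE = 1 << 4      # Table 3-11 bit 4: vMaxRelease outside 1 .. endzone[9999]


def check_parameters(endzone, scale_factor, v_max_release):
    """Return (diag, findings): diag mirrors bits 3 and 4, findings are readable texts."""
    diag, findings = 0, []
    if len(endzone) != POINTS:
        # Assumption: all 10,000 points exist, unused ones hold the maximum velocity.
        return diag, [f"endzone has {len(endzone)} points, expected {POINTS}"]
    # Assumption: negative velocities in the curve are a parameterization mistake.
    if any(not 0 <= v <= DINT_MAX for v in endzone):
        findings.append("endzone contains a value outside 0 .. 2147483647")
    if not 0 < scale_factor <= 10:
        findings.append(f"scaleFactor {scale_factor} outside 0 < scaleFactor <= 10")
    if endzone[0] != 0:
        diag |= DIAG_CURVE
        findings.append(f"endzone[0] = {endzone[0]}, must be 0 mm/min")
    if not 1 <= v_max_release <= endzone[POINTS - 1]:
        diag |= DIAG_VMAX_RELEASE
        findings.append(f"vMaxRelease {v_max_release} outside 1 .. endzone[9999]")
    # A monotonic rise is not a block rule (it depends on the risk assessment),
    # so a falling curve is only reported as a note for the reviewer.
    drops = [i for i in range(1, POINTS) if endzone[i] < endzone[i - 1]]
    if drops:
        findings.append(f"note: curve decreases at index {drops[0]}")
    return diag, findings


def envelope_limit(endzone, scale_factor, remaining_mm):
    """Permitted velocity [mm/min] for a remaining distance [mm] to one end position."""
    if remaining_mm <= 0:
        return endzone[0]                       # at or beyond the end position
    # Assumption: rounding down selects the interpolation point closer to the end stop.
    return endzone[min(remaining_mm // scale_factor, POINTS - 1)]


def limits_at(endzone, scale_factor, safe_pos, x_negative, x_positive):
    """(limit towards xNegative, limit towards xPositive) at position safe_pos.

    The same curve is applied to both ends, matching the symmetry stated in Point 4.
    """
    return (envelope_limit(endzone, scale_factor, safe_pos - x_negative),
            envelope_limit(endzone, scale_factor, x_positive - safe_pos))


def linear_curve(v_max, ramp_points):
    """Constructed sample curve: linear rise over ramp_points, then v_max to the end."""
    return [min(v_max, v_max * i // ramp_points) for i in range(POINTS)]


if __name__ == "__main__":
    curve = linear_curve(v_max=120000, ramp_points=2000)
    print(check_parameters(curve, scale_factor=1, v_max_release=6000))
    print(limits_at(curve, 1, safe_pos=500, x_negative=0, x_positive=50000))
    print(limits_at(curve, 10, safe_pos=500, x_negative=0, x_positive=50000))
```

Printing limits_at for a few positions next to the recorded traces makes it easier to see whether a scaleFactor change has stretched the curve as intended.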

Position and velocity monitoring


7. As long as the position actual value is valid and safeV is below the
parameterized velocity limit curve, the block does not signal an error, i.e.
outputs error and diag supply a 0 signal.
8. The associated maximum permissible velocity for this position is output at
slsThreshold dependent on safePos.
9. If the value at input safeV lies above this limit, and the system moves to the
end position, then output slsOk is set to 0, error changes to 1 and in addition,
diag bit No. 9 is set.
Depending on the user interconnection, a stop response is initiated in the drive.
10. As soon as safeV is again less than slsThreshold, the error can be
acknowledged and a 1 signal is output at ackReq.
11. The error can be reset using a positive signal edge at ack. error and the
corresponding diag bits then change back to 0 and slsOk again has a 1 signal.
12. If the value at input safeV lies above the permitted velocity, but the system is
moving away from the end position and is still not in the range of the opposite
end zone, then the system may travel at a velocity of up to endzone[9999]; the
currently possible velocity is output at slsThreshold. An error is not
signaled in this case; error and the associated diag bits remain at 0.
13. If a 0 signal is present at posValid, then diag bit 5 is set, error remains in the
current state until acknowledgment, assuming that no other monitoring function
signals a fault. All other outputs keep their current status up until
acknowledgment or until release is deselected.
14. Monitoring in the positive direction can be deactivated with
enableMonitoringPositive = false; if the input = false, then the position specified
at xPositive can be exceeded and the velocity parameterized in the end zone
can be exceeded without the block indicating a response at the enable outputs.
Monitoring in the negative direction can be bypassed with
enableMonitoringNegative = 0; if the input = false, then the position specified at
xNegative can be undershot and the velocity parameterized in the end zone
can be exceeded without the block indicating a response at the enable outputs.
15. The monitoring functions are reactivated by setting the inputs (= true). At the
time of activation, if a limit value is violated, the retract function (Point 16) must
be used to move from this state back into the defined range. In this state, the
bypass cannot be reactivated.

Note The input signals at enableMonitoringNegative and enableMonitoringPositive are
preassigned = true. If a signal is programmed to control the inputs, then this
must be generated in a safety-related fashion, e.g. by using a key switch or
similar device.

Safety note
Block LFASRS_SafePosition signals a 0 signal at posValid via output error = 1.
When posValid drops out, then a stop response in the drive must be initiated via
a user interconnection. All other blocks indicate this status using an error code;
however, to avoid a flood of messages, error is not again set here to a 1 signal.
The maximum velocity and the envelope curve are no longer monitored. Active
errors for the maximum velocity and envelope curve monitoring can be
immediately acknowledged, slsOk is set again. Retraction via release can be
normally exited, movePositiveOk and moveNegativeOk are set again. If the axis
is not in the valid position range at this point in time, then xNegativeOk or
xPositiveOk is withdrawn and error is set.
If a 1 signal is again available at posValid, then diag bit 5 is reset and the end
position and envelope curve monitoring are continued.

16. If a 1 signal is again available at posValid, then diag bit 5 is reset.


17. If a 0 signal is present at vValid, then diag bit 6 is set, error remains in the
current state until acknowledgment, assuming that no additional active
monitoring functions signal other faults. All other outputs keep their current
status up until acknowledgment or until release is deselected.

Safety note
Block LFASRS_SafePosition signals a 0 signal at vValid via output error = 1.
When vValid drops out, then a stop response in the drive must be initiated using
an appropriate user interconnection. All other blocks indicate this status using an
error code; however, to avoid a flood of messages, error is not again set here to
a 1 signal. The maximum velocity and the envelope curve are no longer
monitored. Active errors for the maximum velocity and envelope curve
monitoring can be immediately acknowledged, slsOk is set again. Retraction via
release can be normally exited, movePositiveOk and moveNegativeOk are set
again. If the axis is not in the valid position range at this point in time, then
xNegativeOk or xPositiveOk is withdrawn and error is set.
If a 1 signal is again available at vValid, then diag bit 6 is reset and the maximum
velocity and envelope curve monitoring are continued.

18. diag bit 6 is reset if a 1 signal is again available at vValid.


19. If safePos assumes values greater than xPositive or less than xNegative, then
the block behaves comparable to block "LFASRS_SLPMonitor" (Chapter 3.3).
Depending on the direction in which the travel range was exited, xPositiveOk
or xNegativeOk is set to 0. A stop response in the drive must then be initiated
in the user interconnection.

Retraction
20. The retraction function of the block can be activated by selecting release. If the
system is located within the permissible travel range, movePositiveOk and
moveNegativeOk are reset to 1, the velocity parameterized at vMaxRelease is
output at slsThreshold and this is internally monitored. The velocity envelope
curve is still monitored. If this supplies a value for the permitted velocity lower
than that parameterized at vMaxRelease, then the permitted velocity is limited
to the lower value. If the permitted travel range is exited, then the block
responds as described under Point 19.
21. To return from the end position into the permitted travel range, the retraction
function of the block can be activated by selecting release. The velocity
parameterized at vMaxRelease is then output at slsThreshold, and depending
on the direction of the end range violation, movePositiveOk or
moveNegativeOk is set to 0 to prevent additional motion in the end zone. By
establishing an interconnection with the associated SDI signals of the drive
(see Chapter 4.4), with movePositiveOk = 0, motion can be inhibited in the
positive direction and with moveNegativeOk = 0, motion can be inhibited in the
negative direction.

Note When using the SDI function of the drive, signals movePositiveOk and
moveNegativeOk can be used. The outputs of block LFASRS_SLPMonitor
indicate that motion in the positive or negative direction is enabled. For SDI+ and
SDI-, SDI inhibits the respective direction. This is the reason that
movePositiveOk must be interconnected with SDI- and moveNegativeOk with
SDI+.

Note The signal for release must be generated in a safety-related fashion, e.g. by
using a key switch or similar.

22. vMaxRelease must lie in the range 1 – endzone[9999]. If values less than 1 or
values higher than endzone[9999] are parameterized, then the block detects
this and signals it using diag bit 4. error changes to 1.
23. To facilitate retraction, xPositiveOk or xNegativeOk are reset to 1 when release
is selected; the stop response of the drive should then be deselected using a
suitable user circuit.
24. If, while retracting, safeV exceeds the value of vMaxRelease or the permissible
velocity of the opposing end zone, assuming that this lies below vMaxRelease,
then slsOk changes to 0 and diag bit 2 is set.
25. A velocity error can always be acknowledged if the actual velocity safeV lies
below slsThreshold.
26. As soon as safePos is back in the parameterized permitted range, after
acknowledgment, the axis can again be moved with the full velocity, i.e. the
permitted velocity of the envelope curve monitoring is output at slsThreshold
and monitored.
error and diag change back to 0.
27. While safePos is outside the parameterized traversing range, if vValid = 0, then
the retraction velocity can no longer be safely monitored. As a consequence,
selection via release = 1 has no effect.
28. To continue retraction, a 1 signal must be again set at block
LFASRS_SafePosition by acknowledging vValid.
29. Retraction can then be continued. Alternatively, a jump can be made back to
the initial state by deselecting release and then acknowledging. If safePos still
lies outside the parameterized travel range, then the system responds
corresponding to Point 17.

Safety note
The parameterization of input vMaxRelease must be adapted to the safely
reduced speed permitted according to the application-specific risk assessment.

WARNING The interconnection of output movePositiveOk must match the selection of drive
function SDI for the positive direction. For movePositiveOk = 0, motion in the
positive direction must no longer be possible.
The same applies to the interconnection of output moveNegativeOk and
inhibiting the negative direction of movement.
It is absolutely necessary that the block outputs are linked with the correct
signals to control the drive.
Otherwise, inadmissible motion towards the end stops is possible that cannot be
detected by the block.

Acknowledging errors
Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge. As soon as the block can be acknowledged, this is indicated
by a 1 signal at output ackReq. ackReq is reset to 0 after a positive signal edge at
ack.

3.5 LFASRS_SBRMonitor
3.5.1 Introduction

Fail-safe function block LFASRS_SBRMonitor monitors that a braking ramp is
complied with. If the drive velocity is not reduced along the parameterized down
ramp, for example after SS1 has been initiated, then the block issues a signal to
initiate STO or to close the brake. The monitoring start time can be delayed by the
value parameterized at input monitorDelayTime.
Fig. 3-8: LFASRS_SBRMonitor

Note When using this block, block F_BO_W (FC 176) must be in the block folder. It is
not permissible that this is renumbered!

3.5.2 Connections

All variables of type Bool listed in the following tables are preassigned FALSE, all
integer variables are preassigned 0 and all word variables are preassigned
W#16#0.

Exceptions:
Name Initial value
ramp_ok TRUE
limit_ok TRUE

Inputs
Table 3-12
Name Data type Description
sampleTime DInt Sampling time [ms]
The block sampling time, i.e. the call interval of the
safety program (cyclic interrupt OB interval for the F-OB),
is parameterized here in ms.
rampTime DInt Ramp down time [ms]
Here, the value in ms for the ramp-down time from
maximum velocity down to standstill is parameterized
the same as in the drive. The gradient of the down ramp
is calculated from this value in conjunction with vMax. It
must be ensured that rampTime is an integer multiple of
sampleTime.
monitorDelayTime DInt Delay when starting monitoring
The delay time after which the brake ramp monitoring
starts for a positive signal edge at execute is specified
here in ms.
vMax DInt Max. permissible velocity [mm/min]
Here, the corresponding value for the maximum
operating velocity is parameterized the same as in the
drive. The gradient of the down ramp is calculated from
this value in conjunction with rampTime. It must be
ensured that vMax / (rampTime / sampleTime) is an
integer.
vStopMonitoring DInt Shutdown threshold for monitoring [mm/min]
As soon as the actual velocity has fallen below this
threshold, the block can be acknowledged after the
braking ramp monitoring has been initiated.
maxToleranceV DInt Velocity tolerance [mm/min]
Max. permissible value by which safeV may exceed
the configured braking ramp.
maxTolerancePos DInt Position tolerance [mm]
Max. value by which safePos may exceed the position
limit according to the configured braking ramp.
safePos DInt Safety-related actual position [mm]
Supplied by the LFASRS_SafePosition block; the signal
source is the direct measuring system, which is read in
via the standard program.
The velocity is derived in the block itself based on how
this value changes over time. If, after an SS1 has been
initiated, the block detects that the drive is not braked
along the configured ramp, then the block issues a 0
signal at SBROk so that an STO can be subsequently
initiated.
safeV DInt Safe actual velocity [mm/min]
Supplied by the LFASRS_SafePosition block; the signal
source is the motor encoder, which is read in via the SI
part of the drive.
If, after an SS1 has been initiated, the block detects that
the drive is not braked along the configured ramp, then
the block issues a 0 signal at SBROk so that an STO can
be subsequently initiated.
execute Bool Starting monitoring
The block becomes active with a rising signal edge at
this input, i.e. the braking ramp monitoring is started
ack Bool Acknowledgment
If an error has occurred in normal operation, then this
must be reset using ack before the system is restarted.

Outputs
Table 3-13
Name Data type Description
SBROk Bool Braking ramp monitoring status
1: Brake ramp is maintained or no monitoring function
active.
0: Drive does not brake, at least not along the
configured down ramp
If this output changes to 0, either STO should be
initiated or a mechanical brake applied.
ramping Bool Braking ramp status
1: Braking active
busy Bool Ramp monitoring status
1: Monitoring for position and velocity limit active
positionThreshold DInt Position limit value [mm]
effective limit for the ramp monitoring regarding position
change
velocityThreshold DInt Velocity limit value [mm/min]
effective limit for the ramp monitoring regarding velocity
ackReq Bool Acknowledgment request
If an error has occurred, which is however no longer
active and can therefore be acknowledged, then this
block indicates this using a 1 signal at ackReq.
error Bool Error
This output is set if the block is incorrectly
parameterized, or if, in operation, the block detects that
the SS1 braking ramp is violated. The output remains
set until no more errors are active and an
acknowledgment has been made.
diag Word Diagnostic word
Information about the function status and errors of the
block are issued at this output (see also the table below)

Structure of diag
Table 3-14

| Bit No. | Description | Reset condition |
|---|---|---|
| 0 | SS1 braking ramp not maintained | safeV falls below vStopMonitoring and positive signal edge at ack |
| 1 | Parameterization error rampTime: rampTime is not an integer multiple of sampleTime | The ratio rampTime to sampleTime is an integer multiple |
| 2 | Reserved | --- |
| 3 | Parameterization error vMax: vMax / (rampTime / sampleTime) cannot be represented as integer multiple | vMax and the number of cycles specified by rampTime and sampleTime for the braking ramp are an integer multiple of one another |
| 4 | sampleTime <= 0 | sampleTime parameterized > 0 |
| 5 | maxToleranceV > vMax | maxToleranceV parameterized <= vMax |
| 6 | rampTime < 0 | rampTime parameterized >= 0 |
| 7 | Reserved | --- |
| 8 | Reserved | --- |
| 9 | Reserved | --- |
| 10 | Reserved | --- |
| 11 | Internal calculation error | Positive signal edge at ack if the error has gone |
| 12 | Reserved | --- |
| 13 | Reserved | --- |
| 14 | Reserved | --- |

3.5.3 Principle of operation

Parameterization
1. The actual velocity, calculated by block LFASRS_SafePosition, is interconnected
at input safeV.
2. In the block, the brake ramp gradient is defined using rampTime and vMax. To
do this, sampleTime and rampTime are used to determine the number of
cycles that are required in order to brake from vMax down to standstill. In each
cycle, the maximum permissible velocity calculated in the block is appropriately
reduced.

When parameterizing, it must be ensured that the following ratios are integers:

rampTime / sampleTime

vMax / (rampTime / sampleTime)

Further, the following relationship between the input variables must hold:

maxToleranceV <= vMax

The permissible value ranges of the individual inputs should be taken from the
table describing the inputs.

The block detects if not all of the specified preconditions are satisfied, and signals
this by setting the appropriate diag bits.

Safety note
vMax and rampTime must be parameterized so that, when it is detected that the
permitted travel range has been exited and the resulting stop reaction is
triggered, when an STO is initiated, the axis can always be braked to a standstill
before the physical end of the travel range.

Note
The block checks the parameterization only at the first call. This improves the
performance during further operation of the block.
As a consequence, re-parameterization is not possible while the system is
operational. The safety program must be regenerated and loaded each time that
the operating parameters of the block are changed.

Ramp monitoring
3. With a rising edge at execute, after delay time monitorDelayTime elapses, the
braking ramp monitoring is activated.
4. If safeV exceeds the internally calculated maximum permissible value, then
output SBROk changes to 0, error to 1 and diag bit 0 is set.
5. SBROk is also set to 0 if safePos changes per cycle by more than the
maximum position change per cycle calculated in the block. This means that
the ramp is monitored through two channels.
6. In this case, error also changes to 1 and diag bit 0 is set.
7. Monitoring is exited as soon as execute is set to 0 and the internally calculated
velocity ramp has reached a value of 0.
8. A tolerance value for the velocity and position monitoring can be parameterized
via inputs maxToleranceV and maxTolerancePos. SBROk is then set to 0 if
safeV exceeds the internally calculated ramp + maxToleranceV or if the
position increase compared to the position at the time of selection is higher
than the internally calculated maximum value + maxTolerancePos.

WARNING
For a 0 signal at SBROk, STO must be immediately initiated and/or the
mechanical brake(s) closed.

Acknowledging errors
9. Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge.
As soon as the block can be acknowledged, this is indicated by a 1 signal at
output ackReq. ackReq is reset to 0 after a positive signal edge at ack.
10. After SBROk changed to a 0 signal, i.e. the braking ramp was not maintained,
the block can only be acknowledged if the actual velocity at safeV falls below
the value at vStopMonitoring. ackReq then changes to a 1 signal.
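
Added example (not Siemens code, and not the block's internal implementation): an offline Python model of the parameter checks in Table 3-14 and of the velocity channel of the ramp monitoring, useful for checking a parameter set before the safety program is generated and loaded. Assumptions: the ramp starts counting down when monitoring becomes active after monitorDelayTime, the magnitude of safeV is compared, rampTime = 0 skips the vMax ratio check, and the sample velocity traces are constructed.

```python
from dataclasses import dataclass

# diag bit numbers taken from Table 3-14
BIT_RAMP_VIOLATED = 0
BIT_RAMPTIME_MULTIPLE = 1
BIT_VMAX_MULTIPLE = 3
BIT_SAMPLETIME = 4
BIT_TOLERANCE_V = 5
BIT_RAMPTIME = 6


@dataclass(frozen=True)
class SbrParams:
    sampleTime: int            # [ms] call interval of the F-OB
    rampTime: int              # [ms] vMax down to standstill
    vMax: int                  # [mm/min]
    maxToleranceV: int         # [mm/min]
    vStopMonitoring: int       # [mm/min]
    monitorDelayTime: int = 0  # [ms]


def check_parameters(p: SbrParams) -> int:
    """Predict the parameterization diag bits of Table 3-14 for a parameter set."""
    diag = 0
    if p.sampleTime <= 0:
        diag |= 1 << BIT_SAMPLETIME
    if p.rampTime < 0:
        diag |= 1 << BIT_RAMPTIME
    if p.maxToleranceV > p.vMax:
        diag |= 1 << BIT_TOLERANCE_V
    if p.sampleTime > 0 and p.rampTime >= 0:
        cycles, rest = divmod(p.rampTime, p.sampleTime)
        if rest:
            diag |= 1 << BIT_RAMPTIME_MULTIPLE
        elif cycles and p.vMax % cycles:   # assumption: no ratio check for 0 cycles
            diag |= 1 << BIT_VMAX_MULTIPLE
    return diag


def velocity_limits(p: SbrParams) -> list:
    """Permitted velocity for each cycle: vMax lowered by a fixed step per cycle."""
    cycles = p.rampTime // p.sampleTime
    if cycles == 0:
        return [0]
    step = p.vMax // cycles
    return [p.vMax - n * step for n in range(cycles + 1)]


def monitor(p: SbrParams, safe_v_samples):
    """Velocity channel over one safeV sample per F-cycle after the rising edge
    at execute. Returns (SBROk, diag, index of the violating cycle)."""
    if check_parameters(p):
        raise ValueError("parameter set would raise diag bits, fix it first")
    delay = p.monitorDelayTime // p.sampleTime
    limits = velocity_limits(p)
    for n, safe_v in enumerate(safe_v_samples):
        if n < delay:
            continue  # monitoring not yet active
        limit = limits[min(n - delay, len(limits) - 1)]
        if abs(safe_v) > limit + p.maxToleranceV:
            return False, 1 << BIT_RAMP_VIOLATED, n
    return True, 0, None


def ack_request(p: SbrParams, sbr_ok: bool, safe_v: int) -> bool:
    """After a violation, ackReq is only raised once safeV is below vStopMonitoring."""
    return (not sbr_ok) and abs(safe_v) < p.vStopMonitoring


# Constructed sample data: 10 ms F-cycle, 1 s ramp from 60000 mm/min.
PARAMS = SbrParams(sampleTime=10, rampTime=1000, vMax=60000,
                   maxToleranceV=600, vStopMonitoring=100)
GOOD_DRIVE = [60000 - 600 * n for n in range(101)]   # follows the ramp
STUCK_DRIVE = [60000] * 101                          # does not brake at all

if __name__ == "__main__":
    print(f"diag = {check_parameters(PARAMS):#06x}")
    print("good drive :", monitor(PARAMS, GOOD_DRIVE))
    print("stuck drive:", monitor(PARAMS, STUCK_DRIVE))
```

The position channel (safePos change per cycle plus maxTolerancePos) is not modelled here.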

3.6 LFASRS_BrakeTest
3.6.1 Introduction

Fail-safe function block LFASRS_BrakeTest is used to control the SBT drive
function to test a motor holding brake or an external brake.
The torque specification and the test profiles are saved in the SI part of the drive in
the Safe Brake Test (SBT). When requested, the block automatically coordinates
the parameterized test sequences.
The correct functioning of two independent brakes is tested one after the other by
building up torque against the closed brake.
If the brake test is not successful, the block supports a retraction logic with SDI and
SLS. This means that travel motion is only possible with reduced velocity, or for an
application example involving hoisting gear, only downward motion is possible.
Fig. 3-9: LFASRS_BrakeTest

Note When using this block, blocks F_BO_W (FC 176), F_W_BO (FC 177) and F_TP
(FB 184) must be in the block folder. These blocks must not be
renumbered!

3.6.2 Connections

All variables of type Bool listed in the following tables are preassigned FALSE, all
integer variables are preassigned 0, all TIME variables are preassigned T#0ms and
all word variables are preassigned W#16#0.

Inputs
Table 3-15
Name Data type Description
testIntervalTime Time Test interval
After this time elapses, the block requests that a brake test
is performed. This is signaled at output testRequired with a
1 signal.
sampleTime DInt Sampling time [ms]
The block sampling time, i.e. the call interval of the safety
program (cyclic interrupt OB interval of the F-OB) is
parameterized here in ms.
sequenceBrake1 Word Configuration parameters
The test pattern to be performed and the brake type for
brake 1 are defined according to the following schematic
via this input:
Bit 0: Test with test sequence 1 positive
Bit 1: Test with test sequence 1 negative
Bit 2: Test with test sequence 2 positive
Bit 3: Test with test sequence 2 negative
Bit 4: 0: External brake; 1: Motor holding brake
openBrake1Time DInt Opening time for brake 1 [ms]
The brake must completely open within this time, otherwise
a read back error is detected and the test is exited as not
having been successfully completed.
For this specific case, diag bit 0 is also set.
closeBrake1Time DInt Closing time for brake 1 [ms]
The brake must completely close within this time, otherwise
a read back error is detected and the test is exited as not
having been successfully completed.
For this specific case, diag bit 0 is also set.
sequenceBrake2 Word Configuration parameters
The test pattern to be performed and the brake type for
brake 2 are defined according to the following schematic
via this input:
Bit 0: Test with test sequence 1 positive
Bit 1: Test with test sequence 1 negative
Bit 2: Test with test sequence 2 positive
Bit 3: Test with test sequence 2 negative
Bit 4: 0: External brake; 1: Motor holding brake
openBrake2Time DInt Opening time for brake 2 [ms]
The brake must completely open within this time, otherwise
a read back error is detected and the test is exited as not
having been successfully completed.
For this specific case, diag bit 1 is also set.
closeBrake2Time DInt Closing time for brake 2 [ms]
The brake must completely close within this time, otherwise
a read back error is detected and the test is exited as not
having been successfully completed.
For this specific case, diag bit 1 is also set.
safeV DInt Safe actual velocity [mm/min]
Supplied by the LFASRS_SafePosition block.
For a brake test that was not successfully performed, if the
actual velocity is higher than the upper limit parameterized
at vMaxRelease, then output slsOk is reset and the
machine is stopped.
For this specific case, diag bit 2 is also set.
vMaxRelease DInt Retraction velocity [mm/min]
If the test was not successfully completed, then this value
is output at slsThreshold until a brake test has been
successfully completed.
vMaxRelease must be parameterized in the range 1 to
2147483647. Otherwise, diag bit 4 is set.
vValid Bool Actual velocity valid
Supplied by the LFASRS_SafePosition block.
1: Velocity plausible
0: Velocity not plausible, e.g. increase in the deviation over
time between the two encoders is outside the specified
tolerance
If a 0 signal is present here, then diag bit 6 is set.
feedbackDriveBrake Bool Brake control normal operation
0: Close brake
1: Open brake
feedbackBrake1 Bool Feedback signal, brake 1
0: Open
1: Closed
feedbackBrake2 Bool Feedback signal, brake 2
0: Open
1: Closed
ZSW3B WORD S120 Safety Info Channel – status word 3 (r10234)
Bit 00: sbtSelected
Drive feedback signal - select SBT
1: SBT selected
0: Function not selected
Bit 02: sbtActiveBr
Drive feedback signal - active brake
The number of the currently tested brake is signaled back from
the drive here:
0: Brake 1
1: Brake 2
Bit 03: sbtActive
Drive feedback signal - SBT status
1: Test running; drive establishes torque against a closed brake
0: Test not active; drive passive
Bit 04: sbtResult
Drive feedback signal – test result
0: Brake fault
1: Brake successfully tested
Bit 05: sbtFinished
Drive feedback signal - test sequence status
0: Test running
1: Test completed
Bit 06: sbtCloseBr
Brake control SBT for external brake
The drive issues the command to open/close the external brakes
via this input.
0: open external brake
1: close external brake
Bit 07: sbtFdbackDir
Drive feedback signal - torque buildup direction
Here, the drive signals back the direction of the torque that has
been currently established:
0: positive
1: negative
execute Bool Start brake test
The brake test is started using a positive signal edge at this
input. After the test has been successfully completed, the
time for the test interval is restarted and output testOk is
again set.
ack Bool Acknowledgment
If an error has occurred in normal operation, then this must
be reset using ack before the system is restarted.
The acknowledgment is only realized for a positive signal
edge at ack; in normal operation this has no effect.

Outputs
Table 3-16
Name Data type Description
slsThreshold DInt SLS limit [mm/min]
The maximum traversing velocity that is presently
permissible is output at this output. In normal operation,
this is 2147483647; vMaxRelease is output here if the
brake test was not successful. If vMaxRelease should be
parameterized <= 0, then substitute value 1 is output here.
slsOk Bool Status SLS limit
1: safeV is less than/equal to slsThreshold
0: safeV has exceeded the slsThreshold value.
A stop response should be initiated if this output should
switch to 0.
testRequired Bool Request to perform the brake test
1: Brake test requested
0: No brake test requested
busy Bool Test status
1: Test running
0: Test not selected
openBrake1 Bool Control signal for external brake 1
1: Open brake
0: Close brake
openBrake2 Bool Control signal for external brake 2
1: Open brake
0: Close brake
STW3B Word S120 Safety Control Channel – control word 3 (r10235)
Bit 00: sbtSelect
Drive communication: Brake test selected
Same conditions as for output busy
Bit 01: sbtStart
Drive communication: Start
1: Starts the test sequence
Bit 02: sbtBrSelect
Drive communication: Brake selection
0: Brake 1
1: Brake 2
Bit 03: sbtTorqueDir
Drive communication: Torque preselection
0: positive
1: negative
Bit 04: sbtSequence
Drive communication: Select test sequence
0: Sequence 1
1: Sequence 2
Bit 05: sbtFdbackBr
Drive communication: External brake status
0: Open
1: Closed
testOk Bool Test result status
0: Test error
1: Test successfully completed
brake1Ok Bool Status, brake 1
0: erroneous
1: OK
brake2Ok Bool Status, brake 2
0: erroneous
1: OK
releaseBothDirections Bool Motion direction status
FALSE in the event of a failed test;
ackReq Bool Acknowledgment request
If an error has occurred, which is however no longer active
and can therefore be acknowledged, then this block
indicates this using a 1 signal at ackReq.
error Bool Error
This output is set if the block is incorrectly parameterized or
if, in operation, the block detects a potentially dangerous
combination of input signals. The output remains set until
no more errors are active and an acknowledgment has
been made.
diag Word Diagnostic word
Information about the function status and errors of the
block are issued at this output (see also the table below)

Structure of diag
Table 3-17

| Bit No. | Description | Reset condition |
|---|---|---|
| 0 | Runtime error: open/closeBrake1Time not complied with | Positive signal edge at ack, restart test, reset if test successfully completed |
| 1 | Runtime error: open/closeBrake2Time not complied with | Positive signal edge at ack, restart test, reset if test successfully completed |
| 2 | SLS monitoring initiated: safeV exceeds vMaxRelease or vValid == 0 while the axis moves for a test that was not successfully completed | safeV <= vMaxRelease and vValid == 1 and positive signal edge at ack |
| 3 | Reserved | --- |
| 4 | Parameterization error value range | sampleTime >= 1 and openBrake1Time >= 1 and closeBrake1Time >= 1 and openBrake2Time >= 1 and closeBrake2Time >= 1 and positionTolerance >= 0 and vMaxRelease >= 1 |
| 5 | Parameterization error integer multiple ratio | openBrake1Time / sampleTime can be represented as integer multiple and closeBrake1Time / sampleTime can be represented as integer number and openBrake2Time / sampleTime can be represented as integer multiple and closeBrake2Time / sampleTime can be represented as integer number |
| 6 | Implausible feedback signal from SBT | Positive signal edge at ack, restart test, reset if test successfully completed |
| 7 | Drive enable missing for an active brake test | Positive signal edge at ack, restart test, reset if test successfully completed |
| 8 | Reserved | --- |
| 9 | Time monitoring: No feedback signal sbtSelected within the monitoring time after selecting SBT | Positive signal edge at ack, restart test, reset if test successfully completed |
| 10 | Time monitoring: external brake request initiated by SBT | Positive signal edge at ack, restart test, reset if test successfully completed |
| 11 | Internal calculation error | Positive signal edge at ack if the error has gone |
| 12 | Reserved | --- |
| 13 | Reserved | --- |
| 14 | Reserved | --- |
| 15 | Warning: not a safe velocity, SBT not possible | vValid = 1 |

3.6.3 Principle of operation

Parameterization
When parameterizing, it must be ensured that the following ratios are integers:

openBrake1Time / sampleTime

closeBrake1Time / sampleTime

openBrake2Time / sampleTime

closeBrake2Time / sampleTime
The permissible value ranges of the individual inputs should be taken from the
table describing the inputs.
The block detects if not all of the specified preconditions are satisfied, and signals
this by setting the appropriate diag bits.

Note
The block checks the parameterization only at the first call. This improves the
performance during further operation of the block.
As a consequence, re-parameterization is not possible while the system is
operational. The safety program must be regenerated and loaded each time that
the operating parameters of the block are changed.

Interface to the SINAMICS S120

The interface between LFASRS_BrakeTest and the SINAMICS S120 is
described below. Communication runs in the standard telegram via the
status word S_ZSW3B (Safety Info Channel status word 3) and the control word
S_STW3B (Safety Control Channel control word 3). For this purpose, the SBT selection
should be interconnected to "SBT via SCC (p10235)". The signals are directly
interconnected with the block via the control/status word; the assignment can be
taken from the subsequent tables and the interface description of this block.

Communication direction LFASRS_BrakeTest -> SINAMICS S120

Table 3-18

| Bit | Meaning | Remarks | Parameter |
|---|---|---|---|
| 0 | Select brake test | 1: Brake test selected; 0: Brake test deselected | r10235.0 |
| 1 | Start brake test | 1: Start brake test requested; 0: Start brake test not requested | r10235.1 |
| 2 | Brake selection | 1: Test brake 2 selected; 0: Test brake 1 selected | r10235.2 |
| 3 | Select direction of rotation | 1: Negative direction selected; 0: Positive direction selected | r10235.3 |
| 4 | Select test sequence | 1: Test sequence 2 selected; 0: Test sequence 1 selected | r10235.4 |
| 5 | Status of external brake | 1: External brake closed; 0: External brake open | r10235.5 |
| 6…15 | Reserved | -- | -- |

Communication direction SINAMICS S120 -> LFASRS_BrakeTest

Table 3-19

| Bit | Meaning | Remarks | Parameter |
|---|---|---|---|
| 0 | Brake test | 1: Brake test selected; 0: Brake test deselected | r10234.0 |
| 1 | Setpoint specification, drive/external | 1: Setpoint specification for the drive; 0: Setpoint specification, external (controller) | r10234.1 |
| 2 | Active brake | 1: Test brake 2 active; 0: Test brake 1 active | r10234.2 |
| 3 | Brake test active | 1: Test active; 0: Test inactive | r10234.3 |
| 4 | Brake test result | 1: Test successful; 0: Test error | r10234.4 |
| 5 | Brake test completed | 1: Test run; 0: Test incomplete | r10234.5 |
| 6 | External brake request | 1: Close brake; 0: Open brake | r10234.6 |
| 7 | Current load sign | 1: Negative sign; 0: Positive sign | r10234.7 |
| 8…13 | Reserved | -- | -- |
| 14 | Acceptance test SLP (SE) selected | 1: Acceptance test SLP (SE) selected; 0: Acceptance test SLP (SE) deselected | r10234.14 |
| 15 | Acceptance test mode selected | 1: Acceptance test mode selected; 0: Acceptance test mode deselected | r10234.15 |

Note When testing an internal brake, bit 12 of the drive status word (ZSW1) can
be used as the brake status feedback for feedbackBrake1/feedbackBrake2.

Setting the safe brake test in the converter


Fig. 3-10: Setting the safe brake test

The sequence in which the brakes should be tested must match what is configured
in the SINAMICS S120 and at the LFASRS_BrakeTest. Otherwise, the block and
the SINAMICS S120 signal an error when performing the test.
The test sequence parameters are set in the SINAMICS S120; which test
sequences are to be performed, and how, is specified at LFASRS_BrakeTest.

Test sequence and error handling


1. After the time that can be parameterized at testIntervalTime has elapsed, the
block requests that a brake test is performed via output testRequired.
This is started using a rising signal edge at execute; busy is set to 1.
2. The test sequence for the specific brake is parameterized using input
sequenceBrake1 or sequenceBrake2.
Specification of sequenceBrake1/2 bit coded:
Bit 0: Test with test sequence 1 positive
Bit 1: Test with test sequence 1 negative
Bit 2: Test with test sequence 2 positive
Bit 3: Test with test sequence 2 negative
Bit 4: 0: External brake; 1: Motor holding brake
Brake 1 is always tested first and then brake 2.
3. If an error occurs during the test, then the test is immediately interrupted. Error
then changes to 1, busy is reset to 0.
4. At brake1Ok or brake2Ok, a 0 signal indicates that the test for this brake was
not successful, output testOk is set to 0.
5. These signals are only set to 1 after a test has been successfully performed.
6. If the test was not successfully performed, the velocity parameterized at input
vMaxRelease is output at slsThreshold and testOk outputs a 0 signal.
7. Further, if a test was unsuccessful, releaseBothDirections is set to 0. By
appropriately controlling the drive-side safety function SDI, ongoing travel can
be permitted in the safe direction only, i.e. for a hoisting gear, slowly
downward. As soon as the test was successfully performed,
releaseBothDirections again outputs a 1 signal.
8. If safeV exceeds the value of slsThreshold, then slsOk changes to 0 and diag
bit 2 is set.
9. If the test was successfully performed for both brakes, then the maximum
value is again output at slsThreshold (maximum DINT value = 2147483647) for
the permissible velocity.
10. Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge.
11. As soon as the block can be acknowledged, this is indicated by a 1 signal at
output ackReq. ackReq is reset to 0 after a positive signal edge at ack.
12. If a brake test fails, a new test can only be started after acknowledgment using
a positive signal edge at ack. execute must be selected to start.
13. If a 0 signal is present at vValid, then diag bit 15 is set.
14. In addition, error changes to 1 and slsOk to 0, if the block is in the retraction
mode.
15. To exit this state, initially vValid must be set back to a 1 signal by
acknowledging via block LFASRS_SafePosition.

16. If the test is started via execute = 1, then initially, the block signals this at
output busy. The SCC/SIC (Safety Control Channel/Safety Information
Channel) is interconnected as word, directly at the particular input and/or
output of the block. The internal signal processing in the block uses the
corresponding bits from the SIC for the brake test (for an easier understanding,
these are subsequently assigned symbols) and appropriately processes these.
The corresponding control signals for the brake test are then output together
using word SCC. To provide a better understanding, the internal signals from
the SCC or SIC words are designated with sbt....
17. In the block, depending on the parameterized test sequence, outputs
sbtBrSelect, sbtTorqueDir and sbtSequence are switched.
18. If the test was started, then the associated feedback signal from the drive must
be available at input sbtSelected.
19. The drive provides feedback about the brake that has just been tested at input
sbtActiveBr. This feedback is used to check the plausibility. If a contradiction
occurs regarding the control signals, the block sets error and diag bit 6.

WARNING
For releaseBothDirections = 0, potentially hazardous motion must no longer be
executed. For hoisting gear, this would be for example upward motion, for travel
gear, motion in the positive or negative direction. For hoisting gear, drive function
SDI is predominantly used to inhibit a direction of motion, while for travel gear, the
drive function SOS is used when inhibiting any specific direction.
It is absolutely necessary that the block output, depending on the specific
application, is linked with the correct signal to control the drive.
Otherwise, inadmissible motion is possible that cannot be detected by the block.

Safety note
The parameterization of the retraction velocity at input vMaxRelease must be
adapted to the safely reduced velocity permitted according to the application-
specific risk assessment.

Safety note
Parameter testIntervalTime defines the intervals at which a brake test is required.
The value that should be configured here depends on the specific application
and is also dependent on the risk assessment and the hardware architecture of
the safety function that has been implemented. Further, the time specifies the
maximum time between tests; the test can always be initiated, even if the
interval time has not yet elapsed. Depending on the application and risk
assessment, the test can be automatically performed during operation if the axis
to be tested is stationary (at a standstill).

Note A brake test is requested at each stop-start transition of the CPU.

Testing an external brake


If a 0 signal is present at sequenceBrake1/2.BIT4, then the following sequence is
executed to test an external brake:
20. If a 1 signal is available at sbtCloseBr, then depending on the state of
sbtActiveBr, the block either deactivates openBrake1 or openBrake2; i.e. it
closes the brake that has just been tested. Within the time parameterized at
closeBrake1Time/closeBrake2Time, a 1 signal must be available at feedback
channel feedbackBrake1/feedbackBrake2.
21. If this is not the case, then the test is canceled as described. error and diag bit
0/1 (depending on the brake presently being tested) change to 1.
22. After closeBrake1Time/closeBrake2Time has elapsed, and there is a 1 signal
at feedbackBrake1/feedbackBrake2, the closed brake is signaled to the drive
via sbtFdbackBr = 1 which then subsequently performs its test profile.
23. If the drive exits the test, the command to open the brake is issued at the block
input via sbtCloseBr using a 0 signal.
24. A 1 signal is again available at output openBrake1/openBrake2.
25. After the time parameterized at input openBrake1Time/openBrake2Time there
must be a 0 signal at feedback signal channel
feedbackBrake1/feedbackBrake2.
26. If this is not the case, then the test is canceled as described above. error and
diag bit 0/1 (depending on the brake presently being tested) change to 1.

27. After openBrake1Time/openBrake2Time has elapsed and there is a 0 signal at
feedbackBrake1/feedbackBrake2, then the open brake is signaled to the drive
via sbtFdbackBr = 0.
28. If the brakes were successfully tested, then the drive signals this using
sbtFinished = 1.
29. A 1 signal is present at input sbtResult if the test was successfully performed.
30. If required, this test pattern is repeated for the second brake or, depending on
sequenceBrake2.BIT4, the following test pattern is applied for the second
brake:

Testing a motor holding brake


If a 1 signal is present at sequenceBrake1/2.BIT4, then the following sequence is
executed to test a motor holding brake at the drive:
31. In this operating mode, the drive directly controls the brake. This means that
the drive autonomously executes its test profile; the block does not take into
consideration sbtCloseBr.
32. If the brake was successfully tested, then the drive signals this using
sbtFinished = 1.
33. A 1 signal is present at input sbtResult if the test was successfully performed.

Test completed
34. If the configured sequences for brake 1 have been performed without any
error, and the test for brake 2 has still not been completed, then Brake1Ok has
a 1 signal, Brake2Ok and testOk still have a 0 signal.
35. If the test was successfully performed for all configured test sequences, then
this is signaled at output testOk using a 1 signal and brake2Ok then also
indicates a 1 signal.
36. The time interval for when the next test is due (testIntervalTime) is restarted
and the block sets output BUSY back to 0.

Acknowledging errors
37. Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge.
As soon as the block can be acknowledged, this is indicated by a 1 signal at
output ackReq. ackReq is reset to 0 after a positive signal edge at ack.
38. If a brake test was unsuccessful, then acknowledgment is first required with a
positive signal edge at ack before a new test can be started via execute.

3.6.4 Application example for safely controlling external brakes

In the following function example, the external brakes should be controlled at F-DO
channel A30.0 ("brake1") and A30.1 ("brake2") by the LFASRS_BrakeTest block
for the brake test and also when initiating safety function STO.
The signal for STO (here designated as "STO_selection") is low-active; i.e. a 1
means that STO is not active, 0 means that at least one safety function is
requesting STO.
The feedback signals of the brakes are wired to the two standard inputs I2.0
("FeedbackBrake1") and I2.1 ("FeedbackBrake2"); a 1 signal indicates that the
brake is closed and a 0 signal indicates that the brake is open.
In this example, 100 ms is used as the monitoring time for opening/closing the brakes.
This time also depends on the response time specified in the risk assessment for
your safety functions.

Safety note
The parameterization of inputs openBrake(1/2)Time and closeBrake(1/2)Time as
well as feedbackTime used in this example, must be adapted to the required
response time of the safety function for the specific application.
The monitoring time must not exceed the required response time.

For the sake of clarity, only the interconnections relevant to the application
described above have been implemented in the following code example.
In order to generate a runnable program, block LFASRS_BrakeTest must
be parameterized as described in Chapter 3.6.3.
The example is subdivided into three networks.
In the first network, block LFASRS_BrakeTest is called. This does not directly
control the brakes, but only issues the control commands via temporary variables
#tempCtrlBrake1 and #tempCtrlBrake2 to networks 2 and 3.

Fig. 3-11

In the 2nd and 3rd networks, these signals are fed together with signal "STO" to a
FDBACK function block. Block FDBACK is included in the STEP7 Safety Advanced
library under number FB216 and monitors the feedback circuit. You can find
additional information about this block in the online help in the TIA Portal.
The brakes are only opened at output A30.0 ("brake1") and A30.1 ("brake2") if the
brake feedback circuit has no error and the logic operation at the ON input of the
FDBACK has a 1 signal.

Fig. 3-12
3.7 LFASRS_LoadMonitor
3.7.1 Introduction

The purpose of the fail-safe LFASRS_LoadMonitor function block is to guarantee
safety-related overload and slack rope detection (slack condition protection).
1. Qualified (safety-related) measuring source as well as safety-related evaluation
(e.g. F-AI module)
2. Two diverse (non-safety relevant) measurement sources (e.g. motor torque via
SINAMICS and weighing cell via AI module); the plausibility of the encoder
values is checked using this block.

Safety note
The encoders and evaluation units used should be assessed according to how
they are used.

Retraction logic (to bring the machine back into the safe state) is provided when
identifying a slack condition or overload during operation. When identifying a slack
rope condition, retraction is monitored so that retraction is only permissible in the
upward direction with reduced velocity. For an overload condition, only retraction in
the downward direction is possible.

The block offers the option of making a distinction between static and dynamic
loads, as occurs when quickly lifting loads.
To check the correct functionality of the measuring equipment, after an interval that
can be parameterized elapses, the block requests that a calibration run is
performed.

Fig. 3-13: LFASRS_LoadMonitor

Note When using this block, block F_BO_W (FC 176) and block F_TP (FB 184) must
be in the block folder. It is not permissible that these are renumbered!

3.7.2 Connections

All variables of type Bool listed in the following table are preassigned FALSE, all
integer variables are preassigned 0, all TIME variables are preassigned T#0ms and
all word variables are preassigned W#16#0.

Inputs
Table 3-20
Name | Data type | Description
load1 | DInt | Load channel 1 [user-defined unit]; 1-2147483647
load2 | DInt | Load channel 2 [user-defined unit]; 1-2147483647
maxTolLoad | DInt | Tolerance window load monitoring [user-defined unit]; 1-2147483647
maxLoadMode | Bool | Monitoring mode. 0: Monitoring for static load; 1: Monitoring for dynamic load
maxLoadDyn | DInt | max. dynamic load [user-defined unit]; 1-2147483647
maxLoadStat | DInt | max. static load [user-defined unit]; 1-2147483647
minLoad | DInt | min. load [user-defined unit]; 1-2147483647
testIntervalTime | Time | Test interval. After this time elapses, the block requests that the measuring equipment is tested. This is signaled at output testRequired with a 1 signal.
sampleTime | DInt | Sampling time [ms]. The block sampling time, i.e. the call interval of the safety program (cyclic interrupt OB interval for the F-OB) is parameterized here in ms.
testDuration | DInt | Test duration [ms]
settleDuration | DInt | Settling time [ms]
vMaxRelease | DInt | Retraction velocity [mm/min]. For an overload/underload condition, this value is output at slsThreshold
safeV | DInt | Safe actual velocity [mm/min]; is supplied from the LFASRS_SafePosition block.
vValid | Bool | Actual velocity valid; is supplied from the LFASRS_SafePosition block. 1: Velocity plausible; 0: Velocity not plausible, e.g. increase in the deviation over time between the two encoders is outside the specified tolerance
standstill | Bool | Axis does not execute any motion; is supplied from the LFASRS_SafePosition block.
verificationValue | DInt | Calibration value 1 [user-defined unit]; 1-2147483647; relevant for testing the measuring equipment

verificationMaxTol | DInt | Calibration tolerance 1 [user-defined unit]; 1-2147483647
verificationMode | Bool | Test mode. 0: Test with a constant load value; 1: Test with a defined load step
verificationStart | Bool | Starting the measuring equipment test. Calibration is started using a positive signal edge at this input. After the test has been successfully completed, the time for the test interval is restarted.
release | Bool | Retraction. If an overload/underload condition was detected by the block, after a positive edge at this input, it is possible to move in the direction still enabled by the block via movePositiveOk/moveNegativeOk at the velocity configured at vMaxRelease. Motion is stopped as soon as a 0 signal is present at this input while retracting.
ack | Bool | Acknowledgment. If an error has occurred in normal operation, then this must be reset using ack before the system is restarted. The acknowledgment is only realized for a positive signal edge at ack; in normal operation this has no effect.

Outputs
Table 3-21
Name | Data type | Description
slsThreshold | DInt | SLS limit [mm/min]. The maximum travel velocity that is presently permissible is output at this output. In normal operation, this is 2147483647; when an overload/underload condition is detected, then vMaxRelease is output here. If vMaxRelease should be parameterized <= 0, then substitute value 1 is output here.
slsOk | Bool | Status SLS limit. 1: safeV is less than/equal to slsThreshold; 0: safeV has exceeded the slsThreshold value. A stop response should be initiated if this output should switch to 0.
testRequired | Bool | Request to test the measuring equipment. 1: testIntervalTime elapsed; 0: no test required
busy | Bool | Test status. 1: Test running; 0: Test not selected
testOk | Bool | Test result status. 0: Test error; 1: Test successfully completed
dynLoadOk | Bool | Dynamic overload status. 0: Overload detected; 1: Load OK
statLoadOk | Bool | Static overload status. 0: Overload detected; 1: Load OK
minLoadOk | Bool | Underload status. 0: Slack rope detected; 1: Load OK
moveNegativeOk | Bool | Negative movement permitted. If a 0 signal is present at this output, then it is not permissible that the machine continues to move in the negative direction. The output is then set to 0 as soon as the block detects a slack rope condition.
movePositiveOk | Bool | Positive movement permitted. If a 0 signal is present at this output, then it is not permissible that the machine continues to move in the positive direction. The output is then set to 0 as soon as the block detects an overload.
ackReq | Bool | Acknowledgment request. If an error has occurred, which is however no longer active and can therefore be acknowledged, then this block indicates this using a 1 signal at ackReq.
error | Bool | Error. This output is set if the block is incorrectly parameterized or if, in operation, the block detects a potentially dangerous combination of input signals. The output remains set until no more errors are active and an acknowledgment has been made.
diag | Word | Diagnostic word. Information about the function status and errors of the block are issued at this output.

Structure of diag
Table 3-22
Bit No. | Description | Reset condition
0 | Discrepancy error load monitoring | load1 and load2 within maxTolLoad and positive signal edge at ack
1 | Overload detected | load1 and load2 less than maxLoadStat or maxLoadDyn (depending on maxLoadMode) – maxTolLoad and positive signal edge at ack
2 | Slack rope detected | load1 and load2 greater than minLoad + maxTolLoad and positive signal edge at ack
3 | Parameterization error | minLoad < maxLoadStat <= maxLoadDyn
4 | The calibration settling operation takes an inadmissibly long time | Restart test
5 | Inadmissibly large load fluctuations during calibration | Restart test
6 | Parameterization error test times | testDuration > settleDuration > 0 and both times an integer multiple of sampleTime
7 | Retraction velocity exceeded | safeV <= slsThreshold and pos. signal edge at ack
8 | Parameterization error value range | 0 < vMaxRelease <= 2147483647 and 0 <= maxLoadDyn / maxLoadStat / minLoad / verificationValue / maxTolLoad / verificationMaxTol <= 2147483647 parameterized
9 | Actual velocity invalid | Actual velocity is again valid and pos. signal edge at ack
10 | Invalid value range input variables | load1, load2 in the range 0 to 2147483647 and positive signal edge at ack
11 | Internal calculation error | pos. signal edge at ack if the error has gone
12 | Reserved | ---
13 | Reserved | ---
14 | Reserved | ---
15 | Reserved | ---

3.7.3 Scaling the input quantities

The block expects that load limits or the actual values of the load are specified as
numerical value without units. The user must scale the input values corresponding
to the reference variable of the module that is being used. For F-AI modules, the
reference quantity is 27648, for example. Block "SCALE" is available in the STEP7
Safety Advanced F-library specifically for this purpose. If hardware with other
reference variables is used, then the user must program this scaling himself.

Safety note
The user must always correctly calculate the load limit values corresponding to
the requirements laid down in EN 528:2008. The user must correspondingly
interconnect the limit values that have been calculated at the block.

3.7.4 Principle of operation

Parameterization
When parameterizing, it must be ensured that the following relationships can
be represented as integer multiple:
testDuration / sampleTime
settleDuration / sampleTime

Further, the following relationships between the input variables must exist:
minLoad < maxLoadStat <= maxLoadDyn
testDuration > sampleTime > 0
verificationMaxTol > 0

The permissible value ranges of the individual inputs should be taken from the
table describing the inputs.

The block detects if not all of the specified preconditions are satisfied, and signals
this by setting the appropriate diag bits.

Note
The block only checks the parameterization for the 1st call. This increases the
performance for further operation of the block.
As a consequence, re-parameterization is not possible while the system is
operational. The safety program must be regenerated and loaded each time that
the operating parameters of the block are changed.

Load monitoring
1. If two independent sources are used to measure the force, then after scaling
these must be interconnected to inputs load1 and/or load2. If one
measurement source is sufficient, then this is interconnected to both inputs.
2. If the difference between the two inputs is greater than the value
parameterized at maxTolLoad, then error = 1 and diag bit 0 is set.
3. In addition, the velocity parameterized at vMaxRelease is output at
slsThreshold.
4. If both values are again within the window that can be parameterized using
maxTolLoad, with a positive signal edge at ack, output error and diag bit 0 are
again reset to 0.
5. Input maxLoadMode can be used to make a distinction between monitoring for
static overload (maxLoadMode = 0) or dynamic overload (maxLoadMode = 1).
6. For maxLoadMode = 0, as soon as the value at load1 or load2 exceeds the
value parameterized at maxLoadStat, then this error is signaled at statLoadOk
using a 0 signal.
7. Further, error is set to 1 and diag bit 1 is set.
8. For maxLoadMode = 1, as soon as the value at load1 or load2 exceeds the
value parameterized at maxLoadDyn, then this error is signaled at dynLoadOk
using a 0 signal.
9. Further, error is set to 1 and diag bit 1 is set.
10. As long as one of these errors is active, the velocity parameterized at
vMaxRelease is output at slsThreshold.
11. The response when the load falls below minLoad is equivalent.

Retraction
12. The retraction function of the block can be activated using a 1 signal at input
release. Further travel in the positive direction is no longer permissible; the
block signals this using a 0 signal at movePositiveOk. With the appropriate
interconnection with the drive, the user must ensure that in this case the only
retraction direction that is possible is downward.
13. To facilitate retraction, dynLoadOk and/or statLoadOk are reset to 1 with a
rising edge at release; using a suitable user interconnection, the stop response
of the drive should then be deselected.
14. If, while retracting, safeV exceeds the value of vMaxRelease, then slsOk
changes to 0.
15. If in both cases load1 and load2 are again less than the active limit -
maxTolLoad, then error and diag bit 1 can be reset to 0 using a positive signal
edge at ack.
16. The maximum velocity is then again output at slsThreshold. (maximum DInt
value = 2147483647)
17. vMaxRelease must lie in the range 1 – 2147483647; if values lower than 1 are
parameterized, then the block detects this and signals it using diag bit 8. error
changes to 1. 1 is then output as substitute value for the retraction velocity.
18. If vValid = 0 while retracting, then the retraction velocity can no longer be
monitored in a safety-related fashion. As a consequence, selection via release
= 1 has no effect and an active retraction is stopped. diag bit 9 as well as error
change to 1, and a 0 signal is available at slsOk.
19. To exit this state, initially vValid must be set back to a 1 signal by
acknowledging via block LFASRS_SafePosition.
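
The first-call parameter check and the load-monitoring rules described above (latching of errors, the maxTolLoad hysteresis on reset, acknowledgment only on a positive edge at ack) can be replayed offline against a planned parameter set. The following Python model is an added example, not Siemens code and not part of the application example; the names check_parameters, LoadMonitorModel, run_trace and the dict layout are hypothetical, and retraction via release, velocity monitoring and the sensor test are not modelled. Assumptions: ackReq is set once every latched error meets its reset condition from Table 3-22, and movePositiveOk/moveNegativeOk return to 1 when the corresponding diag bit is reset.

```python
"""Offline model of the LFASRS_LoadMonitor load-monitoring path.

Added illustration, not Siemens code: all function, class and key names are
hypothetical; the rules are taken from Table 3-22 and section 3.7.4.
"""
DINT_MAX = 2147483647


def diag_word(bits):
    """Pack a set of diag bit numbers into the 16-bit diag word."""
    return sum(1 << b for b in bits)


def check_parameters(p):
    """Return the diag bits expected for parameter set p (first-call check)."""
    bits = set()
    if not (p["minLoad"] < p["maxLoadStat"] <= p["maxLoadDyn"]):
        bits.add(3)                                # load limits inconsistent
    st = p["sampleTime"]
    if not (st > 0 and p["testDuration"] > p["settleDuration"] > 0
            and p["testDuration"] % st == 0 and p["settleDuration"] % st == 0):
        bits.add(6)                                # test times inconsistent
    ranged = ("maxLoadDyn", "maxLoadStat", "minLoad",
              "verificationValue", "maxTolLoad", "verificationMaxTol")
    if not (0 < p["vMaxRelease"] <= DINT_MAX) or any(
            not (0 <= p[k] <= DINT_MAX) for k in ranged):
        bits.add(8)                                # value range violated
    return bits


class LoadMonitorModel:
    """Cycle-by-cycle model of discrepancy, overload and slack rope detection."""

    def __init__(self, p):
        bad = check_parameters(p)
        if bad:  # the block reports this via error/diag; the model just refuses
            raise ValueError("parameterization error, diag = 0x%04X" % diag_word(bad))
        self.p, self.latched, self.prev_ack = p, set(), False

    def cycle(self, load1, load2, ack=False):
        """Evaluate one block call and return the modelled outputs as a dict."""
        p, tol = self.p, self.p["maxTolLoad"]
        limit = p["maxLoadDyn"] if p["maxLoadMode"] else p["maxLoadStat"]
        hi, lo = max(load1, load2), min(load1, load2)
        # Errors are latched as soon as they are detected ...
        if hi - lo > tol:
            self.latched.add(0)                    # discrepancy load1/load2
        if hi > limit:
            self.latched.add(1)                    # overload
        if lo < p["minLoad"]:
            self.latched.add(2)                    # slack rope
        # ... and can be reset only once the Table 3-22 reset condition holds.
        resettable = set()
        if hi - lo <= tol:
            resettable.add(0)
        if hi < limit - tol:
            resettable.add(1)
        if lo > p["minLoad"] + tol:
            resettable.add(2)
        if ack and not self.prev_ack:              # positive signal edge at ack
            self.latched -= resettable
        self.prev_ack = ack
        fault = bool(self.latched)
        return {
            "error": fault,
            "diag": diag_word(self.latched),
            "ackReq": fault and self.latched <= resettable,
            "slsThreshold": p["vMaxRelease"] if fault else DINT_MAX,
            "movePositiveOk": 1 not in self.latched,
            "moveNegativeOk": 2 not in self.latched,
        }


# Constructed parameter set and load trace (not measured data).
PARAMS = {"minLoad": 100, "maxLoadStat": 1000, "maxLoadDyn": 1200,
          "maxTolLoad": 50, "maxLoadMode": 0, "vMaxRelease": 500,
          "sampleTime": 24, "testDuration": 480, "settleDuration": 240,
          "verificationValue": 500, "verificationMaxTol": 20}
TRACE = [(500, 510, False), (1010, 1005, False), (980, 975, True),
         (900, 905, False), (900, 905, True)]


def run_trace(params, trace):
    """Feed (load1, load2, ack) tuples through a fresh model, one per call."""
    model = LoadMonitorModel(params)
    return [model.cycle(l1, l2, ack) for l1, l2, ack in trace]


if __name__ == "__main__":
    for step, out in zip(TRACE, run_trace(PARAMS, TRACE)):
        print(step, out)
```

In the constructed trace, the acknowledgment in the third call is ignored because 980 is still above maxLoadStat - maxTolLoad = 950; the error clears only with the new positive edge in the fifth call.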

Safety note
The signal for release must be generated in a safety-related fashion, e.g. by
using a key switch or similar.

Safety note
The parameterization of input vMaxRelease must be adapted to the safely
reduced speed permitted according to the application-specific risk assessment.

WARNING
The interconnection of output movePositiveOk must match the selection of drive
function SDI for the positive direction. For movePositiveOk = 0, motion in the
positive direction must no longer be possible.
The same applies to the interconnection of output moveNegativeOk and
inhibiting the negative direction of movement.
It is absolutely necessary that the block outputs are linked with the correct
signals to control the drive.
Otherwise, inadmissible motion towards the end stops is possible, which cannot
be detected by the block.

Using a defined load step (load jump), the sensor test can verify that the
sensor detects a load: as a result of the load step, the sensor value changes by
the expected offset. During the sensor verification, maximum limit maxLoad is not
monitored during the settling phase or during the test itself, in order
to facilitate a step even if the sensor is under load. The requirement is that input
standstill = 1, which means that the axis is stationary.

Testing the measuring equipment


20. After the time that can be parameterized at testIntervalTime has elapsed, the
force sensor must be tested; the block indicates this with a 1 signal at
testRequired.
21. The test is started with a positive signal edge at verificationStart, output busy
changes to 1.
22. Depending on input verificationMode, a constant load or a defined load step is
expected as test variable.

Safety note
Parameter "testIntervalTime" defines in which cyclic intervals a measurement
equipment test is required. The value that should be configured here depends on
the specific application and is also dependent on the risk assessment and the
hardware architecture of the safety function that has been implemented.

Case a): Test with a constant load


23. If a 0 signal is available at input verificationMode, then within settleDuration,
the measured load at load1 and load2 must assume the calibration value that
can be parameterized at verificationValue taking into account the tolerance
parameterized at verificationMaxTol.
24. If this is not the case, then error changes to a 1 signal and diag bit 4 is set.
25. For the time parameterized at testDuration, the measured load value at load1
and load2 must not deviate from the verificationValue by more than
verificationMaxTol.
26. If this is not the case, then error changes to a 1 signal and diag bit 5 is set.
27. After testDuration has elapsed and there is a valid load value, busy is reset to
0 and output verificationOk is set to a 1 signal.
28. If testDuration is parameterized <= settleDuration, then diag bit 5 and error are
set to 1.
29. If sensor verification cannot be successfully completed, then this is displayed
at error and diag as described in Point 26. The test that was not successful can
then be acknowledged with a positive signal edge at ack. Output verificationOk
remains =0 until a successful test was performed.

Case b): Test with a defined load step


30. If a 1 signal is available at input verificationMode, then the load value must go
through a defined load range. When doing this, the signal at load1 and load2
must assume the expected range from verificationValue within settleDuration.
31. If this is not the case, then error changes to a 1 signal and diag bit 4 is set.
32. During testDuration, the measured range must not deviate by more than
verificationMaxTol from the expected range parameterized at verificationValue.
33. If this is not the case, then error changes to a 1 signal and diag bit 5 is set to
1.
34. After settleDuration elapses, if the measured signal level at load1 and load2 is
not higher than the output value before the test movement started by the
verificationValue (taking into consideration verificationMaxTol), then error is set
to 1 and diag bit 4 is set.

35. After testDuration has elapsed and there is a valid value for the load jump,
busy is reset to 0 and output testOk is set to a 1 signal.
36. If testDuration is parameterized <= settleDuration, then diag bit 6 and error are
set to 1.
37. If sensor verification cannot be successfully completed, then this is indicated at
error and diag as described in Point 31. The test that was not successful can
be acknowledged with a positive signal edge at ack; however, output
verificationOk remains = 0.
38. A successful test is signaled using a 1 signal at output testOk. busy is reset to
0. testOk remains set to 1 until the next time that testRequired changes to 1 or
a new test is started.
Note A measurement equipment test is requested at each stop-start transition of the
CPU.
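
The two test variants above can be checked against a recorded load trace before commissioning. The following Python function is an added example, not Siemens code; the name evaluate_sensor_test and the sample layout are hypothetical, and the traces are constructed. Assumptions: testDuration is counted from the start of the test (consistent with the requirement testDuration > settleDuration), the first check takes place at the call where settleDuration has elapsed (diag bit 4), and every later call up to testDuration is checked for fluctuations (diag bit 5).

```python
"""Offline evaluation of a recorded measuring-equipment test.

Added illustration, not Siemens code; names and sample layout are hypothetical.
"""


def evaluate_sensor_test(samples, p):
    """Evaluate one test run of the measuring equipment.

    samples[n] is (load1, load2) at block call n after the positive edge at
    verificationStart, i.e. at time n * sampleTime. Returns (state, diag_bits)
    with state "ok", "failed" or "busy" (trace ends before testDuration).
    """
    if not samples:
        return "busy", set()
    settle_n = p["settleDuration"] // p["sampleTime"]
    test_n = p["testDuration"] // p["sampleTime"]
    tol = p["verificationMaxTol"]
    if p["verificationMode"]:
        # Case b): expected value = level before the load step + step size.
        targets = [start + p["verificationValue"] for start in samples[0]]
    else:
        # Case a): both channels must show the constant calibration value.
        targets = [p["verificationValue"]] * 2
    for n, loads in enumerate(samples[:test_n + 1]):
        if n < settle_n:
            continue                       # settling phase, nothing checked yet
        in_tol = all(abs(v - t) <= tol for v, t in zip(loads, targets))
        if not in_tol:
            # bit 4: not settled in time, bit 5: fluctuation during the test
            return "failed", ({4} if n == settle_n else {5})
        if n == test_n:
            return "ok", set()
    return "busy", set()


# Constructed parameters: settling ends at call 2, the test ends at call 5.
TEST_PARAMS = {"sampleTime": 24, "settleDuration": 48, "testDuration": 120,
               "verificationValue": 500, "verificationMaxTol": 20,
               "verificationMode": 0}

# Constructed traces of (load1, load2) per block call.
GOOD_CONST = [(0, 0), (300, 310), (495, 505), (498, 502), (510, 490), (500, 500)]
SLOW_CONST = [(0, 0), (300, 310), (400, 410), (498, 502), (500, 500), (500, 500)]
NOISY_CONST = [(0, 0), (300, 310), (495, 505), (498, 502), (530, 490), (500, 500)]
GOOD_STEP = [(200, 205), (450, 460), (695, 700), (702, 707), (700, 705), (699, 706)]
STUCK_STEP = [(200, 205), (450, 205), (700, 205), (700, 205), (700, 205), (700, 205)]

if __name__ == "__main__":
    step_params = dict(TEST_PARAMS, verificationMode=1)
    for name, trace, params in (("constant ok", GOOD_CONST, TEST_PARAMS),
                                ("constant slow", SLOW_CONST, TEST_PARAMS),
                                ("constant noisy", NOISY_CONST, TEST_PARAMS),
                                ("step ok", GOOD_STEP, step_params),
                                ("step, channel 2 stuck", STUCK_STEP, step_params)):
        print(name, evaluate_sensor_test(trace, params))
```

The STUCK_STEP trace shows why the load step is evaluated per channel: load2 never leaves its starting level, so the run fails with diag bit 4 although load1 follows the step.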

Acknowledging errors:
39. Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge.
40. As soon as the block can be acknowledged, this is indicated by a 1 signal at
output ackReq.
41. ackReq is reset to 0 after a positive signal edge at ack.
3.8 LFASRS_PositionSingleEnc
3.8.1 Introduction

The block generates a safety-related actual position value for a load handling device
based on recurring plausibility checks of a safety-related, relative actual position value
of the motor encoder from Safety Integrated (SI) against a safely attached reference
mark. A position is calculated from the motor encoder value, and is verified based on
the position actual value comparison with respect to a reference mark. At the time that
the reference mark is detected, the position of the safety-related, relative motor encoder
must not deviate from the reference position of the reference mark by more than the
parameterizable tolerance.

Note When using this block, block F_BO_W (FC 176) must be in the block folder. It is
not permissible that these are renumbered!

Note To use the block, an encoder mounted in a safety-related fashion must be used
as well as a reference sensor that is also mounted in a safety-related fashion.

Fig. 3-14 LFASRS_PositionSingleEnc

3.8.2 Connections

Inputs
Table 3-23
Name | Data type | Description
sampleTime | DInt | Block sampling time [ms]. Call interval of the safety program
possi | DInt | Motor encoder Safety Integrated - measured value [µm]
possiValid | Bool | Motor encoder Safety Integrated - encoder signal status. 1: Encoder signal valid; 0: Encoder fault
possiSampleTime | DInt | SINAMICS Safety Integrated - sampling time [ms]; cyclic counter value of telegram 902
possiCount | DInt | SINAMICS Safety Integrated - cycle counter [ms]; cyclic counter value of telegram 902
posMin | DInt | min. permissible position [mm]
posMax | DInt | max. permissible position [mm]
vStandstill | DInt | Velocity limit for standstill detection [mm/min]
vMax | DInt | max. permissible velocity to check the plausibility [mm/min]
referenceSensor | Bool | Reference sensor
referencePos | DInt | Reference position [mm]; with a positive signal edge at reference, possi is aligned to this position.
reference | Bool | Referencing. 0 -> 1: Determines the offset of the possi encoder with reference to the value specified at posReference
referenceTolerance | DInt | Maximum permissible tolerance that must not be exceeded when detecting the reference sensor at referenceSensor.
ack | Bool | Acknowledgment. If an error has occurred in normal operation, then this must be reset using ack before the system is restarted. The acknowledgment is realized using a positive signal edge at ack; in normal operation this has no effect.

Outputs
Table 3-24
Name | Data type | Description
safePos | DInt | safe position actual value [mm]; safe position (for all additional blocks of this block package)
posValid | Bool | Position actual value status. 1: safePos was safely generated
referenced | Bool | Referencing status. 1: The encoder is calibrated with respect to the reference mark
safeV | DInt | safe velocity actual value [mm/min]; safe velocity (for all additional blocks of this block package)
vValid | Bool | Velocity actual value status. 1: safeV was safely generated
standstill | Bool | Zero speed detection. 1: Actual velocity less than vStandstill

movesPositive | Bool | Movement in the positive direction
movesNegative | Bool | Movement in the negative direction
ackReq | Bool | Acknowledgment request. 1: Errors that have gone can be acknowledged; 0: No acknowledgment requested
error | Bool | Error. 1: At least one fault detected; 0: No error active
diag | Word | Diagnostic word. Information about the function status and errors of the block are issued at this output.

Structure of diag
Table 3-25
Bit No. | Description | Reset condition
0 | Value range violation of the input variables | 1 <= possiSampleTime <= 1023; 0 < sampleTime <= 2 * possiSampleTime; discrepancyStartup >= 0
1 | Reserved | ---
2 | Incorrect reference of the input variables with respect to one another | vMax >= vStandstill; posMax >= posMin
3 | Actual position > posMax | Actual position <= posMax and pos. signal edge at ack
4 | Actual position < posMin | Actual position >= posMin and pos. signal edge at ack
5 | Actual velocity > vMax | Actual velocity <= vMax and pos. signal edge at ack
6 | The position tolerance at the reference mark violated | Reference point approach and positive signal edge at reference
7 | Initial referencing is missing | Reference point approach and positive signal edge at reference
8 | Reserved | ---
9 | possiValid == 0 | possiValid == 1 and pos. signal edge at ack or successful reference point approach
10 | Reserved | ---
11 | Reserved | ---
12 | Reserved | ---
13 | Internal calculation error | pos. signal edge at ack if the error has gone
14 | Reserved | ---
15 | Reserved | ---

3.8.3 Interrelationship between the assignment of the block inputs and the drive configuration

The safe absolute position actual value from the drive is transferred as a 32 bit
value in unit µm via PROFIsafe telegram 902. For this purpose, in the converter
"Extended functions via PROFIsafe" must be set and the safety functions enabled.

Fig. 3-15: Safety Integrated setting in the converter

The drive type must then be set to linear axis, the monitoring cycle is subsequently
important for the parameterization at the block.
Fig. 3-16: Safety Integrated configuration

The encoder parameterization opens via point "Actual value acquisition/mechanical
system". Here, the leadscrew pitch and the gearbox stage must be set so that they
correspond to the mechanical design. Depending on the specific encoder variant,
the particular safe position must be enabled in the safety function.

It is only permissible that the transfer of "Safe position" is enabled. "Safe absolute
position" should remain inhibited. A safety-related, relative position actual value is
sufficient, as block LFASRS_PositionSingleEnc establishes the absolute position
actual value reference, as explained in the function description.

Fig. 3-17: safe position transfer 2 & 3-encoder variants

3.8.4 Principle of operation

Parameterization

1. The block sampling time, e.g. the configured call interval of the F-OB, which
calls the safety program, is parameterized at input sampleTime.
2. The sampling rate of Safety Integrated in the drive is parameterized at
possiSampleTime, and possiCount should be interconnected with the counter
value from telegram 902.
3. sampleTime is relevant for internal block calculations.
4. The safety-related relative position actual value of the motor encoder from
telegram 902 in [µm] is interconnected at input possi.
5. If the block is incorrectly parameterized, safety-related substitute values are
issued at the outputs. The outputs safePos and safeV assume the highest DInt
value (2147483647), the outputs posValid, referenced and vValid are reset to 0
and output error is set to 1. Depending on the cause of the incorrect
parameterization, the bits are set as follows to 1 in output word diag:
a. Value range violation of the input quantities => bit 0
b. Relationship of the input variables with respect to one another cannot
be represented as integer multiple => bit 1
c. Incorrect reference of the input variables with respect to one another
=> bit 2

This error state can only be resolved through correct parameterization;
acknowledgment is not possible.

Safety note
The block must be parameterized with fixed values; parameterization must not be
performed via variables during the CPU runtime.

When parameterizing, it must be ensured that the following relationships can
be represented as integer multiple:

vSyncIntervall / sampleTime

Further, the following relationships between the input variables must exist:
vMax >= vStandstill
posMax >= posMin

Sampling rates
To calculate the velocity, the SI cycle in the drive (possiSampleTime) is used as
time base, and not the block cycle of the LFASRS_SafePosition block on the
CPU (sampleTime, generally the call interval of the safety program). To avoid
inadmissibly high subsampling, it must be ensured that sampleTime >=
2x possiSampleTime. Likewise, sampleTime must be an integer multiple of
possiSampleTime.
Example: possiSampleTime in the drive = 12 ms (default value)
In this case, sampleTime can be parameterized to the following values:
24 ms = 2x possiSampleTime
48 ms = 4x possiSampleTime
72 ms = 6x possiSampleTime
96 ms = 8x possiSampleTime

The permissible value ranges of the individual inputs should be taken from the
table describing the inputs.
The block detects if not all of the specified preconditions are satisfied, and signals
this by setting the appropriate diag bits.

Note
The block only checks the parameterization at the 1st call. This increases the
performance for further operation of the block.
As a consequence, changing the parameterization is not possible while the
system is operational. The safety program must be regenerated and loaded each
time that the operating parameters of the block are changed.
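
The parameter rules above can be checked offline before the safety program is generated. The following Python pre-check is an added example, not Siemens code: the value ranges passed in are placeholders for the block's input table, times are assumed to be in ms, and assigning the sampleTime >= 2x possiSampleTime rule to diag bit 2 is an assumption, since the page does not say which bit it sets.

```python
DINT_MAX = 2147483647      # substitute value the page gives for safePos and safeV

BIT_RANGE = 1 << 0         # diag bit 0: value range violation
BIT_MULTIPLE = 1 << 1      # diag bit 1: ratio is not an integer multiple
BIT_RELATION = 1 << 2      # diag bit 2: inputs contradict one another


def check_parameters(p, ranges):
    """Return the diag word a parameter set would be expected to raise (0 = ok).

    p      -- dict of integer parameter values (times assumed to be in ms)
    ranges -- dict name -> (low, high), to be filled from the block's input
              table by the caller; nothing here is taken from Siemens data
    """
    diag = 0
    for name, (low, high) in ranges.items():
        if not low <= p[name] <= high:
            diag |= BIT_RANGE
    st, pst = p["sampleTime"], p["possiSampleTime"]
    if st <= 0 or pst <= 0:
        diag |= BIT_RANGE              # assumption: non-positive times are out of range
    else:
        # sampleTime must be a multiple of possiSampleTime, and
        # vSyncIntervall / sampleTime must be an integer as well.
        if st % pst != 0 or p["vSyncIntervall"] % st != 0:
            diag |= BIT_MULTIPLE
        if st < 2 * pst:
            diag |= BIT_RELATION       # assumption: bit for the >= 2x rule
    if p["vMax"] < p["vStandstill"] or p["posMax"] < p["posMin"]:
        diag |= BIT_RELATION
    return diag


def substitute_outputs(diag):
    """Outputs the page describes for an incorrectly parameterized block."""
    if diag == 0:
        return None
    return {"safePos": DINT_MAX, "safeV": DINT_MAX, "posValid": 0,
            "referenced": 0, "vValid": 0, "error": 1, "diag": diag}


# Constructed sample values; RANGES is a placeholder, not the block's input table.
RANGES = {"sampleTime": (1, 1000), "possiSampleTime": (1, 100)}
GOOD = {"sampleTime": 24, "possiSampleTime": 12, "vSyncIntervall": 96,
        "vStandstill": 10, "vMax": 4000, "posMin": 0, "posMax": 30_000_000}

if __name__ == "__main__":
    for change in ({}, {"sampleTime": 30}, {"sampleTime": 12}, {"vMax": 5}):
        diag = check_parameters({**GOOD, **change}, RANGES)
        print(change or "unchanged", "-> diag", format(diag, "03b"))
```

Because the block evaluates its parameters only once, running such a check in the engineering workflow catches a wrong set before it is downloaded rather than at the first call on the plant.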

Safe position actual value

6. To generate the safe position, the position actual value must be valid, which is
signaled to the block using a 1 signal at input possiValid.
7. The safe position actual value is output via output safePos. A 1 signal at output
posValid signals that the safe position actual value is valid. A 1 signal at output
referenced indicates that the safe position actual value may be used as safe
absolute position actual value. For a 0 signal at output referenced, the safe
position actual value may only be used as safe, relative position actual value.

Safety note
As long as output referenced delivers a 0 signal, the position output at safePos
can only be used for a relative reference. An absolute evaluation is only
permissible if output referenced supplies a 1 signal.

8. If the system has still not been homed, then bit 7 is set to 1 in output word diag.
9. If the position actual value is valid and the system is at the reference point, a
safe internal reference can be performed with a positive edge at reference, where
possi determines a separate position offset relative to the value specified at
input referencePos; this is then stored internally. Outputs posValid, referenced
and vValid are set to 1 if referencing was successful. Bit 7 is reset to 0 in
output word diag.

Safety note
The signal for reference must be generated in a safety-related fashion, e.g. by
using reference mark switches. When referencing, the user must make a visual
inspection to ensure that the mechanical position corresponds to the reference
position, and referencing is performed using user acknowledgment at input
reference.

10. The block itself does not provide any retraction logic. Using a suitable logic
interconnection outside the block, it must be ensured that for a 0 signal at
output referenced the axis can only travel with safely reduced velocity.
11. If an invalid position actual value is signaled at input possiValid using a 0
signal, then outputs posValid, referenced and vValid are reset to 0, output error
is set to 1 and in output word diag bit 9 is set to 1.
12. In this error state, a statement cannot be made regarding the validity of the
safety-related reference, and a new safe reference must be established using
a reference point approach. If, when a fault occurs, the system is already at the
reference point, then the safe reference can be directly performed using a
positive signal edge at input reference. Bit 9 is reset in output word diag.
13. In operation, the reference mark in the axis traversing range is detected using
a positive signal edge at referenceSensor. With every positive signal edge at
the sensor, a check is made whether the current position at possi at the instant
that the signal edge is detected lies within the tolerance of referenceTolerance.
If the position value lies outside the tolerance, then referenced = 0, error = 1 and
diag bit 9 is set.
14. The safe position is no longer valid and a reference point approach must be
performed as described under Point 9.
15. If safePos exceeds the value of posMax, then output error is set to 1 and bit 3
is set to 1 in output word diag. Output posValid is reset to 0.
16. If safePos again falls below the value of posMax, then output ackReq is set to
1, and the error state can be acknowledged using a positive signal edge at
input ack. Output error and ackReq are reset to 0, bit 3 is set to 0 in output
word diag. Output posValid is again set to 1.
17. If safePos falls below the value of posMin, then output error is set to 1 and bit 4
is set to 1 in output word diag. Output posValid is reset to 0.
18. If safePos again exceeds the value of posMin, then output ackReq is set to 1,
and the error state can be acknowledged using a positive signal edge at input
ack. Output error and ackReq are reset to 0, bit 4 is set to 0 in output word
diag. Output posValid is again set to 1.

3.8.5 Safety-related velocity

19. The safety-related velocity is output at safeV, which is calculated using the
safety-related relative position actual value of the motor encoder at input possi
via the cycle counter safely transferred at input possiCount.
20.
21. If safeV falls below the value parameterized at input vStandstill, then at output
standstill this standstill is signaled using a 1 signal.
22. If safeV is higher than vStandstill, then a 1 signal is output at movesPositive, if
safePos assumes increasingly higher values or at movesNegative a 1 signal is
output if the values of safePos assume lower values over time.
23. If safeV exceeds the value parameterized at input vMax, then output error is
set to 1 and in output word diag, bit 5 is set to 1. Output vValid is reset to 0.
24. If safeV again falls below the value parameterized at input vMax, then output
ackReq is set to 1, and the error state can be acknowledged using a positive
signal edge at input ack. Outputs error and ackReq are reset to 0, and bit 5 in
output word diag is reset to 0. Output vValid is again set to 1.
25. Assuming that an error is no longer active, diag and error are reset to 0 via a
positive signal edge. As soon as the block can be acknowledged, this is
indicated by a 1 signal at output ackReq. ackReq is reset to 0 after a positive
signal edge at ack.
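
The limit and acknowledgment behavior in steps 15 to 18 and 23 to 25, together with the velocity time base from step 19, as an added Python model (not Siemens code and not the block's implementation). Assumptions: safePos equals possi (referenced, offset 0), possiCount is a 16-bit counter, velocities are in µm/ms, and an edge at ack only counts once ackReq has been signaled.

```python
class LimitLatch:
    """Latching limit error that needs a 0 -> 1 edge at ack to clear."""

    def __init__(self, diag_bit):
        self.mask = 1 << diag_bit
        self.error = False
        self.ack_req = False
        self._ack_prev = False

    def update(self, violated, ack):
        rising = ack and not self._ack_prev   # a held 1 signal is not an edge
        self._ack_prev = ack
        if violated:
            self.error, self.ack_req = True, False
        elif self.error:
            # Assumption: the edge only counts once ackReq has been signaled.
            if self.ack_req and rising:
                self.error = self.ack_req = False
            else:
                self.ack_req = True
        return self.mask if self.error else 0


def safe_velocity(possi_prev, possi_now, count_prev, count_now,
                  possi_sample_time_ms, counter_bits=16):
    """Speed from two telegram 902 samples, timed by the drive's SI cycle.

    counter_bits is an assumed width for possiCount; result is in µm/ms (= mm/s).
    Returns None when the drive has delivered no new sample.
    """
    cycles = (count_now - count_prev) % (1 << counter_bits)  # survives wrap-around
    if cycles == 0:
        return None
    return abs(possi_now - possi_prev) / (cycles * possi_sample_time_ms)


def monitor(samples, pos_min, pos_max, v_max, possi_sample_time_ms):
    """samples: (possi in µm, possiCount, ack) per block call; returns outputs per call."""
    hi, lo, vel = LimitLatch(3), LimitLatch(4), LimitLatch(5)  # diag bits 3, 4, 5
    out, prev, v = [], None, 0.0
    for pos, count, ack in samples:
        if prev is not None:
            new_v = safe_velocity(prev[0], pos, prev[1], count, possi_sample_time_ms)
            v = v if new_v is None else new_v
        prev = (pos, count)
        diag = (hi.update(pos > pos_max, ack) | lo.update(pos < pos_min, ack)
                | vel.update(v > v_max, ack))
        out.append({"diag": diag, "error": diag != 0,
                    "ackReq": hi.ack_req or lo.ack_req or vel.ack_req,
                    "posValid": not (hi.error or lo.error),
                    "vValid": not vel.error})
    return out


# Constructed trace: sampleTime 24 ms, possiSampleTime 12 ms, so possiCount advances by 2.
TRACE = [(9000, 0, False), (9600, 2, False), (10200, 4, False), (10200, 6, True),
         (9800, 8, True), (9800, 10, False), (9800, 12, True)]
RESULT = monitor(TRACE, pos_min=0, pos_max=10000, v_max=100, possi_sample_time_ms=12)
```

In the trace, ack is raised while posMax is still exceeded and then held at 1; the error stays latched until ack returns to 0 and a new positive edge arrives after ackReq is set.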
3.9 LFASRS_MinMax
3.9.1 Introduction

Fail-safe function LFASRS_MinMax implements a minimum/maximum evaluation
from up to 8 DINT values. For example, the function can be used to select the
presently most restrictive SLS limit that is active.
Fig. 3-18
3.9.2 Connections

Inputs
Table 3-26
Name Data type Description
in1 DInt Operand 1 for evaluation
in2 DInt Operand 2 for evaluation
in3 DInt Operand 3 for evaluation
in4 DInt Operand 4 for evaluation
in5 DInt Operand 5 for evaluation
in6 DInt Operand 6 for evaluation
in7 DInt Operand 7 for evaluation
in8 DInt Operand 8 for evaluation
mode Bool Select min/max evaluation
0: Minimum evaluation
1: Maximum evaluation

Outputs
Table 3-27
Name Data type Description
q DInt Depending on the mode, minimum or maximum value of
the 8 inputs

3.9.3 Principle of operation

Parameterization
1. The block is implemented as function. This means that when calling, all inputs
must be interconnected. If a minimum/maximum value evaluation is to be
performed from effectively fewer than 8 signals, then the signal sources must
be interconnected several times so that all block inputs are assigned.

Determining minimum/maximum value


2. If a 1 signal is present at input mode, then the block performs a maximum
value evaluation from the 8 inputs "in1" to "in8". The highest of these up to 8
DINT values is made available at output q.
3. If a 0 signal is present at input mode, then the block performs a minimum value
evaluation, this means the lowest of these 8 DINT values is output at q.
4 Interaction of the blocks


4.1 Overview
This chapter describes the essential points that must be taken into consideration
when using the fail-safe function blocks for storage and retrieval machines. The
interconnection options between the blocks are also shown as example.

The block package is modular and can be individually adapted to specific
applications.
Each block executes an autonomous subfunction. Depending on the specific
machine in which they are used, not all blocks from the library are always required.

If additional functions are required to specifically control your application, then you
must create these yourself by adding additional fail-safe functions. The signals of
these functions are then interconnected with the ASRM blocks.

Note
To control the Safety Integrated functions of the SINAMICS drive family, the
LDrvSafe fail-safe library can also be used, which simplifies interconnecting the
relevant signals:
https://support.industry.siemens.com/cs/ww/de/view/109485794

Safety note
The safety-related times and the interconnection of the inputs and outputs must
be parameterized according to the directives applicable for the specific system
and must be checked at the system to ensure that they precisely match the
specific requirements.

4.2 Signal flow between the components


The following overview shows the signal flow between the interfaces of the blocks,
which can directly interact with one another. The other inputs that are not
connected should be parameterized as described above, but are not connected in
the following overview for reasons of clarity, as they do not exchange information
between the blocks, but are parameterized individually for each block.

4.2.1 Automation task

In the following overview, using an appropriate block interconnection, a hoisting
gear is monitored to ensure that it only moves through a defined range. Either
block LFASRS_SLPMonitor or block LFASRS_Endzone can be used for this
purpose. When LFASRS_Endzone is used, it is also possible to monitor the end
zones for reduced velocity. The safe position and velocity required for the above
named blocks, are supplied by block LFASRS_SafePosition. For load carrying
equipment or when the position actual value is ensured using reference cams,
block LFASRS_PositionSingleEnc can be used.

The hoisting gear is also monitored for overload and/or slack rope (slack condition
protection) via LFASRS_LoadMonitor.
Block LFASRS_BrakeTest is responsible for testing the correct functioning of the
hoisting gear brakes.
If LFASRS_LoadMonitor, LFASRS_BrakeTest or
LFASRS_SLPMonitor/LFASRS_Endzone identifies that a limit value has been
violated, then the SLS threshold is set to the value parameterized at the block.
Block LFASRS_SBRMonitor is used to monitor whether after SS1 has been
selected, the drive brakes along the configured down ramp. If this is not the case,
then a signal to initiate STO is generated.
By ANDing all relevant enable signals of the block, the signal to initiate a stop
response (e.g. SS1) for the drive can be generated.
For the retraction function of blocks LFASRS_Endzone, LFASRS_LoadMonitor and
LFASRS_SLPMonitor, by ANDing the corresponding
movePositiveOk/moveNegativeOk signals only the direction is permitted that
moves the system away from the end zone.
For block LFASRS_BrakeTest, the output releaseBothDirections can prevent the
hoisting gear from moving upward in the case of a failed brake test.

4.3 Response in the case of an error


If an error occurs at the block as a result of the block parameterization or due to an
invalid input assignment as a result of the process, then this is signaled by every
library block - with the exception of LFASRS_MinMax - using error = 1.
In addition, the library blocks, with the exception of LFASRS_MinMax, have a diag
output that permits more precise diagnostics based on the error code output there.

4.4 Block interconnections


4.4.1 1-encoder variant

Fig. 4-1: Block interconnection 1-encoder variant
[Figure not reproduced: block interconnection diagram. Recoverable signal labels: telegram 902, POS_SI, SAFE_POS, POS_VALID, REFERENCED, SAFE_V, V_VALID, retraction, acknowledgment, SS1, SS1 active, SDI_POS, SDI_NEG, STO.]

4.4.2 2 and 3-encoder variant

Fig. 4-2: Block interconnection 2 and 3-encoder variants
[Figure not reproduced: block interconnection diagram. Recoverable signal labels: POS1, POS1 valid, POS_SI, POS_SI valid, SAFE_POS, POS_VALID, REFERENCED, SAFE_V, V_VALID, retraction, acknowledgment, SS1, SS1 active, SDI_POS, STO.]

4.4.3 Additionally required blocks

The following blocks of the STEP7 Safety Advanced library are called in the
fail-safe function blocks and therefore must be available in the block folder:

see Chapter 3.1.2

4.4.4 Additional information

Information about configuring and parameterizing the hardware as well as how to
handle STEP7 and the graphic editor (F-FBD or F-LAD) of SIMATIC Safety is
described in the listed manuals:
• SIMATIC Safety - Configuring and Programming
https://support.industry.siemens.com/cs/ww/de/view/54110126
• SINAMICS S120 Safety Integrated Function Manual
https://support.industry.siemens.com/cs/ww/de/view/99668646

5 Abbreviations
Table 5-1
Abbreviation   Meaning
CPU            Central Processing Unit
CU             Control Unit
DB             Data block
DINT           Double Integer; 32-bit data type
DQ             Digital Output
F-AI           Fail-safe analog module
F-CPU          Fail-safe central processing unit
FMEA           Failure mode and effects analysis
HTL            Type of incremental encoders
HW             Hardware
I-DB           Instance data block
INT            Integer, 16-bit data type
PL             Performance level
SBT            Safe Brake Test
SDI            Safe Direction
SI             Safety Integrated
SIL            Safety Integrity Level
SIN/COS        Sine-cosine; type of incremental encoders
SLS            Safety function Safely-Limited Speed
SLU            Safe Length Unit
SOS            Safe Operating Stop
SRS            Safety Requirements Specification
SS1            Safe Stop 1
SS2            Safe Stop 2
SSI            Synchronous serial interface; types of absolute encoders
Startdrive     Configuration tool for drives
STO            Safe Torque Off

6 Support
Application Center

Contact the Application Center in D-91056 Erlangen if questions relating to using
the products described in the manual are not answered

mailto:tech.team.motioncontrol@siemens.com

or your Siemens contact person in the representative and branch offices
responsible for you.

http://www.automation.siemens.com/partner/

Training Center

Siemens offers a number of training courses to familiarize you with the SIMATIC
S7 automation system. Contact your regional Training Center, or the central
Training Center in D-90327 Nuremberg.

Telephone: +49 (0)911 895-3200

http://www.sitrain.com/

SIMATIC documentation on the internet/ Siemens intranet

You can find the documentation free of charge on the Internet at:

https://support.industry.siemens.com/

Use the Knowledge Manager listed there to quickly find the required
documentation.

7 Appendix
Runtime and memory utilization of the blocks, based on the CPU 1516F-3 PN/DP

Table 7-1 Runtime and memory utilization of the blocks, based on the CPU 1516F-3 PN/DP
Block                               Runtime    Load memory   Main memory code
LFASRS_SafePosition                 345 µs     204.6 kB      4.3 kB
LFASRS_SLPMonitor                   20 µs      61.5 kB       1.4 kB
LFASRS_Endzone                      250 µs     134.1 kB      2.8 kB
LFASRS_BrakeTest                    300 µs     195.6 kB      4.9 kB
LFASRS_SBRMonitor                   260 µs     123.4 kB      2.0 kB
LFASRS_LoadMonitor                  320 µs     148.0 kB      3.4 kB
LFASRS_PositionSingleEnc            137 µs     124.8 kB      2.3 kB
LFASRS_MinMax                       10 µs      33.4 kB       0.4 kB
Total without LFASRS_SLPMonitor     1.485 µs   555.0 kB      17.8 kB
Total without LFASRS_Endzone        1.255 µs   509.8 kB      16.4 kB

8 References
Table 8-1
     Subject
\1\  Siemens Industry Online Support
     https://support.industry.siemens.com
\2\  Download page of the article
     https://support.industry.siemens.com/cs/ww/de/view/101167223
\3\  SINAMICS S120: Safe Position - SP
     https://support.industry.siemens.com/cs/ww/de/view/109746390
\4\  SIMATIC - Failsafe LDrvSafe library for controlling Safety Integrated Functions for
     the SINAMICS drive family
     https://support.industry.siemens.com/cs/ww/de/view/109485794

9 History
Table 9-1
Version   Date      Change
V1.0      07/2014   First Edition
V2.0      02/2016   Migration to TIA Portal
V2.1      04/2017   Revision, design variants and block F_SAFE_POS
V3.0      06/2018   Revision, block F_SAFE_POS and F_ENDZONE,
                    optimizations for TIA-Portal V15
V4.0      10/2022   Revision of all blocks, renaming of blocks and their formal
                    parameters, block LFASRS_PositionSingleEnc added to the
                    library
