
Safety Manual for DEN-S-NET Safe Motion - PRELIMINARY

This version of the Safety Manual is PRELIMINARY. The information is subject to change.

Scope

This document defines the DEN-S-NET Safety Specifications and the Integration Requirements that must be fulfilled in the user interface board to guarantee Functional Safety.

Safety Concept

The DEN-S-NET is a product of the Novanta Summit Safety Series, a family of servo drives with Functional Safety capabilities. The product consists of a Summit Servo Drive with a hardware-implemented STO function and a monitoring board (Summit Safety Core) that runs safety-certified firmware on a safety MCU.

The Summit Safety Core receives safety function commands via FSoE network communication (ETG 6100), a safety communications protocol based on the black-channel concept, or via safe digital inputs. To monitor the safety variables, the Novanta Summit Safety Series MCUs read the safety inputs and communications. When a command is received or a fault is detected, the system activates the STO function, which is implemented in hardware. Control of the motion remains on the Novanta Summit Servo Drive, whose software is considered non-safe.

The Safe Torque Off (STO) is a safety function that prevents motor torque in an emergency event while DEN-S-NET remains connected to the power supply. When STO is activated, the power stage is disabled by hardware and the drive power transistors are disconnected, regardless of what the control or firmware does. The motor shaft slows down until it stops under inertia and frictional forces. The STO function can be triggered via FSoE or via the Safe Input signals.

Although not common, in the event of a failure of the power stage during an STO situation, the maximum expected motor movement with torque can be up to 180 electrical degrees. The system must be designed to avoid any hazard in this situation. The STO safety function is applicable only when the drive is controlling three-phase permanent magnet synchronous rotating motors. STO does not apply to DC brushed motors.

The Safe Stop 1 time controlled (SS1-t) function initiates the motor deceleration by commanding it to the Motion Controller. After a configurable time delay (safely configured via FSoE), the SS1-t function triggers the STO function. The SS1-t function can be triggered via FSoE or via the Safe Input signals.

The Safe Input (SI) function reads a redundant safe input signal (composed of 2 physical channels) and provides its value via FSoE. If only one of the Safe Input channels is low-level, the SI is read as low-level. If the values of the Safe Input channels differ for a short period of time, a wiring fault is assumed and an Abnormal Fault is detected. If this fault is maintained for a long period of time, it becomes latching and requires a power cycle to clear it.

Since DEN-S-NET is a pluggable module intended to be integrated on an electronic interface board, it requires some external electronic components to fulfill the safety requirements (see Interface and Integration Requirements).

Safety Specifications

Glossary

The following glossary is required to understand the Safety Specifications.

  prevents: "prevents" is written when there is a single limit only.
  initiates: "initiates" is written when the safety function starts a motion action.
  keeps: "keeps" is written when there is an upper and lower limit.

Safety Functions

The following parameters show the worst case of all possible combinations of safety-related control functions.

Safe Torque Off (STO)
  Description: The function prevents* rotating torque from being provided to the motor.
  Safety relevant parameters according to IEC 61508:2010 (certification pending):
    Safety integrity level: SIL3
    PFH = 3.44e-10 1/h
    SFF: > 99 % (High)
  Safety relevant parameters according to EN ISO 13849-1:2015 (certification pending):
    Performance Level: PLe
    Category: 3
    MTTFd = 75 years
    DCavg: 99 % (High)
  Safety Function Reaction Time: tSF ≤ 25 ms
    • Safety Function activated via FSoE communication: the Safety Function Reaction Time is measured from the moment an FSoE command is received until the safety function is activated.
    • Safety Function activated by the state of the Safe Input: the Safety Function Reaction Time is measured from the moment an input changes its state (crosses VIL) until the safety function is activated.
    • Safe Input (SI): the Safety Function Reaction Time is measured from the moment an input changes its state (crosses VIH or VIL) until the FSoE message with the updated value is sent to the Master.

Safe Stop 1 time controlled (SS1-t)
  Description: As per EN 61800-5-2:2017, initiates* the motor deceleration and performs the STO function after an application-specific time delay.

Safe Input (SI)
  Description: Reads a redundant safe input signal (composed of 2 physical channels) and provides its value via FSoE. If only one of the signals is low-level, the SI is read as low-level.

Safety Specifications

Command Source
  FSoE: All Safety Functions
  Safe Inputs: STO or SS1-t (configurable)

Fail-Safe over EtherCAT (FSoE) specifications
  • ETG.5100 V1.2.0 - Protocol Specification
  • ETG.5120 V1.0.0 - Protocol Enhancements
    • Section 6 - Safety related parameter download (SRA)
  • ETG.6100 V1.3.0 - Safety Drive Profile

FSoE cycle time: ≤ 50 ms

Standards compliance
  Targeted standards (certification pending):
  • EN 61800-5-2:2017
  • EN IEC 62061:2021
  • EN 61508:2010
  • EN ISO 13849-1:2015
  • EN 61784-3:2021

Fault Reaction Time: tSF ≤ 25 ms
  System maximum Reaction Time from a Detected Fault until the safe state is reached.

High-demand mode
  The EUC (Equipment Under Control) is considered a high-demand or continuous-demand mode system.

Mission Time
  The mission time of the EUC is 20 years.

Diagnostic Time Interval
  In order to guarantee the correct operation of the safety functions, the user must execute the External Diagnostic Test regularly (see External Diagnostic Test).
  The diagnostic test interval is defined as a minimum of 1 activation per 3 months.

Included Diagnostics
  Multiple diagnostic mechanisms are included. Some of them are:
  • Internal power supply voltage monitors
  • Logic and Temporal Watchdog
  • MCU-to-MCU Comparison
  • MCU Internal Diagnostics (RAM, ROM, CPU, etc.)
  • FSoE communication diagnostics
  • Dual-Channel STO Comparison
  • Abnormal Safe Input: dual-channel values mismatch. Becomes latching after a long period of time.

STO firmware notification
  An STO stop is notified to the motion controller and creates a fault that can be read externally from any communication interface. However, STO operation is totally independent of and decoupled from the control and firmware.

External Diagnostic Test

The operation of all the diagnostic circuits must be verified at least once per 3 months. The following procedure details a method that forces the execution of all the internal diagnostic mechanisms. If the procedure results are not the expected ones, safety could be violated and the system must not be used. Note that it is the responsibility of the customer to prevent any hazards related to motor movement during this proof test.

The procedure requires the drive to be connected to a three-phase permanent magnet synchronous rotating motor.

Procedure:

  1. Power off the drive. Wait at least 10 seconds to ensure the internal capacitors discharge.
  2. Power on the drive but do not initiate the FSoE communication. Provide a high-level value to the Safe Inputs.
  3. Remain in this state for more than tABN_LATCH_MAX seconds.
  4. Initiate the FSoE communication and transition to state DATA.
  5. Deactivate the STO Safety Function via FSoE:
     • STO = Disabled
  6. Transition to a normal operation state where the power stage can be enabled, and perform some motor movement. Check that no Safety-related error appears.
  7. Provide a low-level value to the Safe Inputs. Check that the Safe Input value is low and that no failure has been raised.

Interface and Integration Requirements

The following table details the Interface and Integration Requirements that guarantee Functional Safety.

Safe Inputs

Safe Inputs Interface electrical characteristics
  Input pins: \SAFE_INPUT_A and \SAFE_INPUT_B
  Number of independent channels: 2
  Type of Inputs: Active-low. Digital inputs with ESD protection.
  Safe Inputs Mandatory External Requirements:
    • Input series resistor of 220 Ω ±1%, ≥ 200 mW
    • Pull-down resistor (after series resistor) of 7.5 kΩ ±1%, ≥ 100 mW
    • Overvoltage protection on \SAFE_INPUT_x signals, limiting to Vmax_fault in case of an external fault.
    See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
    All following calculations assume the use of the Safe Inputs Mandatory External Requirements.
  Maximum input LOW level (VIL): 0.8 V (below this value the \SAFE_INPUT_x is ACTIVE).
    SAFE_INPUT voltage is measured before the Mandatory External Circuit. See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
  Input current at VIL voltage (IIL): > 50 µA
  Minimum Input HIGH level (VIH): 3.1 V (above this value the \SAFE_INPUT_x is INACTIVE).
    SAFE_INPUT voltage is measured before the Mandatory External Circuit. See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
  Input current at VIH voltage (IIH): < 420 µA
  Maximum absolute ratings:
    • Vmax_nom (maximum nominal voltage) = 6 V
    • Vmax_fault (maximum voltage in the event of an external failure) = 25 V
    SAFE_INPUT voltage is measured before the Mandatory External Circuit. See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
  Max. Input current:
    • ≤ 2.5 mA @ Vmax_nom (without internal failures)
    • ≤ 12 mA @ Vmax_nom in case of internal failure
    • ≤ 10 mA @ Vmax_fault (without internal failure)
  ESD capability: IEC 61000-4-2 (ESD) ± 15 kV (air), ± 8 kV (contact)
  Related Diagnostics:
    • Abnormal Safe Input: Detects signal discrepancy between \SAFE_INPUT_1A and \SAFE_INPUT_1B
    • Latching Abnormal Safe Input: After a long period of maintained Abnormal Safe Input, the fault becomes latching. Requires a power-supply reset.

Safe Inputs Interface timing characteristics
  Max. filtered OSSD pulses: tOSSDpulse ≤ 1 ms
    Low-level pulses of duration below tOSSDpulse are filtered. See Pulse Filtering Circuit for OSSD.
  Min. OSSD discrepancy time between pulses: tOSSDdisc ≥ 2 ms
    Low-level pulses must differ by at least tOSSDdisc to ensure proper filtering. See Pulse Filtering Circuit for OSSD.
  Min. time between pulses (OSSD): tOSSDperiod ≥ 10 ms
    OSSD pulses must be separated by at least tOSSDperiod to ensure proper filtering. See Pulse Filtering Circuit for OSSD.
  Abnormal Safe Input diagnostic time: tABN ≤ 5 ms
    Minimum Safe Inputs signals discrepancy time that causes an Abnormal Fault and activates the Safety Functions.
  Abnormal STO latching time: tABN_LATCH ≤ 25 ms
    Minimum Safe Inputs signals discrepancy time that guarantees a latching Abnormal STO Fault.
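As an added worked check (not Novanta's code and not part of this manual), the following C program reproduces the Safe Input current figures listed under the electrical characteristics from the Mandatory External Requirements. It assumes that the module's own pin current is negligible compared with the 7.5 kΩ pull-down, so the current drawn at the connector is simply V / (Rs + Rpd); the names si_ext_circuit_t, si_current and si_check_figures are the example's own. Resistor tolerance is applied in the direction that worsens each figure, which shows why the manual mandates ±1% parts: the IIL and IIH figures hold with ±1% resistors, but the IIH figure no longer holds with ±5% parts, and a constructed 22 kΩ pull-down fails the IIL figure.

```c
/* Added worked check; NOT Novanta's code.  It reproduces the Safe Input
 * current figures of this manual from the mandatory external circuit:
 * connector voltage V -> series resistor Rs (220 ohm) -> pull-down Rpd
 * (7.5 kohm) in parallel with the module pin.  Assumption: the pin's own
 * current is negligible against Rpd, so the connector current is
 * I = V / (Rs + Rpd).  Tolerance is applied in the direction that worsens
 * each figure. */
#include <stdio.h>

typedef struct { double rs, rpd, tol; } si_ext_circuit_t;  /* ohm, ohm, fraction */

/* Values mandated by the manual: 220 ohm +/-1 % and 7.5 kohm +/-1 % */
static const si_ext_circuit_t SI_MANDATORY = { 220.0, 7500.0, 0.01 };

/* Connector current [A] at voltage v with both resistors scaled by
 * (1 + sign*tol): sign = +1 gives the lowest current, -1 the highest,
 * 0 the nominal value. */
double si_current(const si_ext_circuit_t *c, double v, int sign)
{
    return v / ((c->rs + c->rpd) * (1.0 + sign * c->tol));
}

/* One bit per figure of the manual that the circuit fails to meet */
enum { SI_FAIL_IIL = 1, SI_FAIL_IIH = 2, SI_FAIL_INOM = 4, SI_FAIL_IFAULT = 8 };

int si_check_figures(const si_ext_circuit_t *c)
{
    int fail = 0;
    if (si_current(c, 0.8, +1) <= 50e-6)  fail |= SI_FAIL_IIL;    /* IIL > 50 uA at VIL (0.8 V)    */
    if (si_current(c, 3.1, -1) >= 420e-6) fail |= SI_FAIL_IIH;    /* IIH < 420 uA at VIH (3.1 V)   */
    if (si_current(c, 6.0, -1) > 2.5e-3)  fail |= SI_FAIL_INOM;   /* <= 2.5 mA at Vmax_nom (6 V)   */
    if (si_current(c, 25.0, -1) > 10e-3)  fail |= SI_FAIL_IFAULT; /* <= 10 mA at Vmax_fault (25 V) */
    return fail;
}

int main(void)
{
    const double points[] = { 0.8, 3.1, 6.0, 25.0 };
    for (int i = 0; i < 4; i++)
        printf("V = %5.1f V -> I = %7.1f uA nominal (%.1f .. %.1f uA over tolerance)\n",
               points[i], si_current(&SI_MANDATORY, points[i], 0) * 1e6,
               si_current(&SI_MANDATORY, points[i], +1) * 1e6,
               si_current(&SI_MANDATORY, points[i], -1) * 1e6);

    /* constructed variants: the same circuit with 5 % parts, and a 22 kohm pull-down */
    si_ext_circuit_t loose = { 220.0, 7500.0, 0.05 }, weak = { 220.0, 22000.0, 0.01 };
    printf("1%% parts fail=0x%x, 5%% parts fail=0x%x, 22k pull-down fail=0x%x\n",
           si_check_figures(&SI_MANDATORY), si_check_figures(&loose), si_check_figures(&weak));
    return 0;
}
```

With the mandated values the nominal currents are about 104 µA at VIL and 402 µA at VIH, so the margin to the 420 µA figure is under 5%; that margin is exactly what ±1% parts preserve and ±5% parts consume. The check says nothing about the resistor power ratings, which must be applied as the manual states them.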

Pulse Filtering Circuit for OSSD

The following diagram depicts the \SAFE_INPUT signals when using pulse filtering for OSSD.

Safe Input Operation States

The truth table of the Safe Inputs is shown next, indicating the different states of the system. For each channel, the logic status and the corresponding voltage are given.

Mode               | State                       | \SAFE_INPUT_A | \SAFE_INPUT_B | Safety Function
-------------------|-----------------------------|---------------|---------------|----------------
Normal operation   | Safety Function Enabled     | 0 (< VIL)     | 0 (< VIL)     | Enabled
Normal operation   | Safety Function Disabled    | 1 (> VIH)     | 1 (> VIH)     | Disabled
Abnormal operation | Abnormal Safe Input         | 0 (< VIL)     | 1 (> VIH)     | Enabled
Abnormal operation | Abnormal Safe Input         | 1 (> VIH)     | 0 (< VIL)     | Enabled
Abnormal operation | Abnormal Safe Input Latched | x (-)         | x (-)         | Enabled

State descriptions:

  • Safety Function Enabled: Safety function is enabled via Safe Inputs. The kind of Safety function activated is configurable via FSoE communication.
  • Safety Function Disabled: Safety function triggered by Safe Inputs is deactivated. If no other Safety function is commanded via FSoE or as a result of a diagnostic, the system is able to provide torque to the motor.
  • Abnormal Safe Input: If any issue is detected on the dual-channel Safe Input function (the channels' logic levels differ), an Abnormal Fault is detected, activating the Safety function and reporting it.
  • Abnormal Safe Input Latched: If the Abnormal Fault persists for t ≥ tABN_LATCH_MAX, the fault becomes latching, maintaining the Safety Function activated until a power supply reset cycle is performed.
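The following C model is an added educational example, not Novanta's safety firmware and not taken from this manual. It implements the Safe Input truth table above together with the timing characteristics (tOSSDpulse, tABN, tABN_LATCH) and the SS1-t delay described earlier, sampling both channels every 100 µs. All names (safe_input_t, si_init, si_tick, si_hold, si_status and the FUNC_* / SI_* constants) are the example's own; the thresholds use the manual's upper bounds, so the real device may react earlier; the non-latched Abnormal fault is assumed to clear once the channels agree again; FSoE-commanded functions and the hardware STO path itself are out of scope.

```c
/* Added educational model; NOT Novanta's safety firmware.  It reproduces the
 * Safe Input behaviour this manual describes: OSSD low-pulse filtering
 * (tOSSDpulse), Abnormal Safe Input on channel discrepancy (tABN), latching
 * (tABN_LATCH), and the function the inputs trigger (STO, or SS1-t followed
 * by STO after its FSoE-configured delay).  Time runs in 100 us ticks and the
 * thresholds use the manual's upper bounds.  FSoE-commanded functions and the
 * hardware STO path are not modelled. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TICK_US      100u
#define PULSE_TICKS  (1000u / TICK_US)    /* tOSSDpulse = 1 ms   */
#define ABN_TICKS    (5000u / TICK_US)    /* tABN       = 5 ms   */
#define LATCH_TICKS  (25000u / TICK_US)   /* tABN_LATCH = 25 ms  */

typedef enum { FUNC_STO, FUNC_SS1T } safe_func_t;   /* selected via FSoE */

/* Bits returned by si_status() */
enum { SI_LOW = 1, SI_ABNORMAL = 2, SI_LATCHED = 4, SI_DECEL = 8, SI_STO = 16 };

typedef struct {
    safe_func_t func;             /* function triggered by the Safe Inputs      */
    uint32_t    ss1t_delay_ticks; /* SS1-t delay before STO                     */
    uint32_t    low_run[2];       /* consecutive low samples per channel        */
    bool        chan_low[2];      /* channel level after OSSD pulse filtering   */
    uint32_t    disc_ticks;       /* consecutive ticks with differing channels  */
    uint32_t    ss1t_ticks;       /* ticks since the SS1-t deceleration began   */
    bool        abnormal, latched, si_low, decel_cmd, sto_active;
} safe_input_t;

/* Power-on state.  A power cycle is the only way to clear a latched fault. */
void si_init(safe_input_t *s, safe_func_t func, uint32_t ss1t_delay_ms)
{
    *s = (safe_input_t){0};
    s->func = func;
    s->ss1t_delay_ticks = ss1t_delay_ms * 1000u / TICK_US;
}

/* Evaluate one 100 us sample.  a_low / b_low are true when \SAFE_INPUT_A /
 * \SAFE_INPUT_B are below VIL (the inputs are active-low). */
void si_tick(safe_input_t *s, bool a_low, bool b_low)
{
    const bool raw[2] = { a_low, b_low };
    for (int i = 0; i < 2; i++) {
        s->low_run[i] = raw[i] ? s->low_run[i] + 1 : 0;
        /* a low level is accepted only once it outlasts tOSSDpulse */
        s->chan_low[i] = s->low_run[i] > PULSE_TICKS;
    }

    /* Abnormal Safe Input: the two channels disagree for too long */
    if (s->chan_low[0] != s->chan_low[1]) {
        s->disc_ticks++;
        if (s->disc_ticks >= ABN_TICKS)   s->abnormal = true;
        if (s->disc_ticks >= LATCH_TICKS) s->latched  = true;
    } else {
        s->disc_ticks = 0;
        s->abnormal = s->latched;  /* assumption: a non-latched fault clears on agreement */
    }

    /* SI is read as low if any channel is low; a latched fault keeps the
     * safety function active regardless of the inputs */
    s->si_low = s->chan_low[0] || s->chan_low[1];
    bool request = s->si_low || s->latched;

    if (!request) {
        s->sto_active = s->decel_cmd = false;
        s->ss1t_ticks = 0;
    } else if (s->func == FUNC_STO) {
        s->sto_active = true;
    } else {                       /* SS1-t: decelerate, then STO after the delay */
        s->decel_cmd = true;
        if (s->ss1t_ticks < s->ss1t_delay_ticks) s->ss1t_ticks++;
        else s->sto_active = true;
    }
}

/* Hold both channels at fixed levels for `us` microseconds. */
void si_hold(safe_input_t *s, bool a_low, bool b_low, uint32_t us)
{
    for (uint32_t t = 0; t < us / TICK_US; t++) si_tick(s, a_low, b_low);
}

/* Snapshot of the model as a bitmask (see the SI_* enum). */
int si_status(const safe_input_t *s)
{
    return (s->si_low ? SI_LOW : 0) | (s->abnormal ? SI_ABNORMAL : 0) |
           (s->latched ? SI_LATCHED : 0) | (s->decel_cmd ? SI_DECEL : 0) |
           (s->sto_active ? SI_STO : 0);
}

int main(void)
{
    safe_input_t s;
    si_init(&s, FUNC_STO, 0);
    si_hold(&s, true, false, 30000);   /* constructed: channel B open for 30 ms */
    printf("during discrepancy: status=0x%02x\n", si_status(&s));
    si_hold(&s, false, false, 10000);  /* both channels released */
    printf("after release:      status=0x%02x (latched, power cycle needed)\n", si_status(&s));
    return 0;
}
```

The model makes the three integration consequences of the table visible: a channel skew shorter than tABN is tolerated, a test pulse longer than tOSSDpulse is not filtered and activates the function, and a discrepancy longer than tABN_LATCH survives the release of both inputs until si_init (the power cycle) is called.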

Supplies

Logic Supply Voltage Range: 3.3 V ± 3% (nominal range from 3.20 V to 3.40 V; maximum voltage in case of external failure 25 V).
  The safety function is maintained with an overvoltage failure within the specified range, but the other system functions could become non-operational.

Logic Supply Connection:
  In the event of a failure in the power stage, any logic interface could become connected to the Power Supply, including the Safe Inputs and the Logic Supply. The safety function would be maintained, but any logic interface pin could become connected to a dangerous voltage. If not properly decoupled, this could put at risk the safety integrity of other drives or elements in the system.
  For this reason, it is not recommended that the safety-related inputs (Safe Inputs and Logic Supply) share a connection with other pins (even from the same drive) without protection elements in between.
  See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.

Power Supply Voltage Range: 48 V SELV (range from 8 V to 60 V; maximum failure voltage 60 V)
  Note: The system is single fault tolerant. No additional faults (internal or external) can be handled after an external failure.

3.3V Safe Supply Output
  Output pins: 3.3V_SAFE_EXT
  Type of Supply: 3.3V +5% / -7.5% supply provided by DEN-S-NET. Over-current, over-voltage, under-voltage and reverse-current protected. Can be used to supply feedback transceivers.
  Overvoltage Protection: ≤ 3.8 V (maximum voltage that will be provided by DEN-S-NET in the event of an internal failure)
  Undervoltage protection: ≥ 2.8 V (minimum voltage, other than 0, that will be provided by DEN-S-NET in the event of an internal failure)
  Maximum output current: 150 mA
  Maximum reverse voltage: Vmax_fault = 5.5 V (maximum voltage that can be provided externally in the event of an external failure)
  Maximum output capacitance: 20 µF

Network Interface
  Network interface: The system must be able to interface 2 ports of MDI differential pairs to be used in 100BASE-TX (requires external magnetics).

Feedback Interface

Even if the feedback sensors are not used for Safety purposes, the voltage levels must be respected in order to guarantee Safety Integrity.

Absolute Encoder Port 1
  Feedback pins: ABSENC1_DATA and ABSENC1_CLK
  Type of signals: Digital signals, CMOS voltage levels
    • ABSENC1_DATA: Input
    • ABSENC1_CLK: Output
  Mandatory External Requirements:
    • Overvoltage protection on Feedback signals, limiting to Vmax_fault in case of an external fault.
    See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
  Maximum input LOW level (VIL): 0.8 V
  Minimum Input HIGH level (VIH): 2.0 V
  Maximum absolute ratings:
    • Vmax_nom (maximum nominal voltage) = 3.5 V
    • Vmax_fault (maximum voltage in the event of an external failure) = 5.5 V
  Maximum Data Rate: 10 Mbps

Absolute Encoder Port 2
  Feedback pins: ABSENC2_DATA and ABSENC2_CLK
  Type of signals: Digital signals, CMOS voltage levels
    • ABSENC2_DATA: Input
    • ABSENC2_CLK: Output
  Mandatory External Requirements:
    • Overvoltage protection on Feedback signals, limiting to Vmax_fault in case of an external fault.
    See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
  Maximum input LOW level (VIL): 0.8 V
  Minimum Input HIGH level (VIH): 2.0 V
  Maximum absolute ratings:
    • Vmax_nom (maximum nominal voltage) = 3.5 V
    • Vmax_fault (maximum voltage in the event of an external failure) = 5.5 V
  Maximum Data Rate: 10 Mbps

Quadrature Incremental Encoder
  Feedback pins: DIG_ENC_1A, DIG_ENC_1B and DIG_ENC_1Z
  Type of Sensor: Quadrature incremental encoder (QEI) with index, or ABZ
  Type of signals: Digital signals, CMOS voltage levels
  Mandatory External Requirements:
    • Overvoltage protection on Feedback signals, limiting to Vmax_fault in case of an external fault.
    See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
  Maximum input LOW level (VIL): 0.8 V
  Minimum Input HIGH level (VIH): 2.0 V
  Maximum absolute ratings:
    • Vmax_nom (maximum nominal voltage) = 3.5 V
    • Vmax_fault (maximum voltage in the event of an external failure) = 5.5 V
  Maximum Frequency: 10 MHz

Digital Halls
  Feedback pins: HALL_1, HALL_2 and HALL_3
  Type of Sensor: 3 x Digital Hall sensors per pole pair.
    • 120° displacement between sensors.
  Type of signals: Digital signals, CMOS voltage levels
  Mandatory External Requirements:
    • Overvoltage protection on Feedback signals, limiting to Vmax_fault in case of an external fault.
    See External Requirements for Safe Inputs, Feedback Interface and Logic Supply.
  Maximum input LOW level (VIL): 0.8 V
  Minimum Input HIGH level (VIH): 2.0 V
  Maximum absolute ratings:
    • Vmax_nom (maximum nominal voltage) = 3.5 V
    • Vmax_fault (maximum voltage in the event of an external failure) = 5.5 V
  Maximum Frequency: 5 kHz

External Requirements for Safe inputs, Feedback Interface and Logic Supply

The following conceptual diagram summarizes the external requirements for the Safe Inputs and Logic Supply.

Application and Environmental Conditions

Functional Safety can only be guaranteed in the following environmental conditions:

Motor Type: Functional Safety is only considered when the drive is controlling three-phase permanent magnet synchronous rotating motors. STO does not apply to DC brushed motors.

Safe Stop: The STO function removes the torque supplied to the motor, but the motor continues to move with its own inertia and, depending on the coupled mechanics, may even accelerate. It is the responsibility of the customer to prevent any hazards related to this unexpected motor movement.

Uncontrolled Motor Movement: In the event of a failure in the power stage, the motor shaft may provide torque up to a rotation of 180 electrical degrees. It is the responsibility of the customer to prevent any hazards related to this unexpected motor movement.

Repair: The product is not repairable. After a component fault is detected, the system must be taken out of operation.

Limited Access: The product must be placed in a limited-access environment, so that the end user cannot manipulate it unintentionally.

Environmental Conditions
  Pollution degree: Pollution degree 2 with an IP54 enclosure installation.
  Over-voltage category: II
  Altitude: < 2000 m above sea level.
  Ambient Temperature (Operating): -20 °C to 60 °C
  Case Temperature (Operating): -20 °C to 70 °C
  Storage Temperature (Non-Operating): -40 °C to 100 °C
  Humidity (Operating and Non-Operating): ≤ 93% (non-condensing) at the maximum temperature
  Vibration: 10 Hz to 150 Hz, 1 g. Test according to IEC 60068-2-6:2007-12: Test Fc
  Shock: ±5 g half-sine, 30 ms. Test according to IEC 60068-2-27:2008-02: Shock

Heatsink Assembly

The product must be assembled and thermally coupled to a plate, case or heatsink for heat dissipation purposes. See the Installation section for further details.

EMC

Functional Safety has been tested according to IEC 61800-3:2018 procedures with the extended ranges of IEC 61800-5-2:2017 Annex E.

The interface board must meet the same EMC standards (IEC 61800-3:2018 with extended ranges of IEC 61800-5-2:2017).

To fulfill the EMC requirements, the following elements are required:

  • Input EMI filter.

  • Motor phases ferrite cable core.

  • Properly grounded aluminum enclosure. See grounding recommendations for further information.

  • Wiring Separation: The electrical energy cables (power supply and motor phases) must be sufficiently separated from information cables to avoid interferences.

Environmental

The interface board must meet the following environmental standards:

  • EN 60068-2-1:2007 - Test A: Cold

  • EN 60068-2-2:2007 - Test B: Dry heat

  • EN 60068-2-78:2013 - Test Cab: Damp heat, steady-state

  • EN 60068-2-6:2008 - Test Fc

  • EN 60068-2-27:2009 - Shock

Future Use Connections

Future Use Connections - Feedback Supply Monitoring

5V Feedback Supply Monitoring
  Input Pin: 5V_FBK_SENSE
  Type of input: Future use. Monitoring of the 5V Feedback Supply. It is recommended to connect it to a 5V ± 10% supply.
  Mandatory External Requirements:
    • Input series resistor of 2.4 kΩ ±1%, ≥ 50 mW
  Maximum absolute ratings:
    • Vmax_nom (maximum nominal voltage) = 6.5 V
    • Vmax_fault (maximum voltage in the event of an external failure) = 25 V

3.3V Feedback Supply Monitoring
  Input Pin: 3.3V_FBK_SENSE
  Type of input: Future use. Monitoring of the 3.3V Feedback Supply. It is recommended to connect it to a 3.3V ± 10% supply. If 3.3V_SAFE_EXT is used, it is recommended to connect 3.3V_SAFE_EXT to 3.3V_FBK_SENSE.
  Mandatory External Requirements:
    • Guarantee maximum absolute ratings
  Maximum absolute ratings:
    • Vmax_nom (maximum nominal voltage) = 3.5 V
    • Vmax_fault (maximum voltage in the event of an external failure) = 25 V

Do Not Connect Pins
  Pin number: 16, 18, 37 and 41 of the P2 Interface connector
  Mandatory Requirements: In order to guarantee the Safety Integrity, pins 16, 18, 37 and 41 of the P2 Interface connector must be left unconnected on the Interface board.
