EVS-S-NET Safety Manual - PRELIMINARY

prevents

"prevents" is written when there is a single limit only.

initiates

"initiates" is written when the safety function starts a motion action

keeps

"keeps" is written when there is an upper and lower limit.

Safe Torque Off (STO)

The function prevents* rotating torque from being provided to the motor.

Safety integrity level: SIL3

PFH = 4.94 e-10 1/h

SFF: > 99 % (High) 

Performance Level: PLe

Category: 3

MTTFd = 74 years

DCavg: 99% High

t_SF ≤ 25 ms

• Safety Function is activated via FSoE communication: The Safety Function Reaction time is measured as the time since an FSoE command is received and the safety function is activated

• Safety Function is activated with the state of the Safe Input: The Safety Function Reaction time is measured as the time since an input changes its state (crosses VIL) and the safety function is activated.

• Safe Input (SI): The Safety Function Reaction time is measured as the time since an input changes its state (crosses VIH or VIL) and the FSoE message with the updated value is sent to the Master.

Safe Stop 1 time controlled (SS1-t)

As per EN 61800-5-2:2017: initiates* the motor deceleration and performs the STO function after application specific time delay. 

Safe Input (SI)

Reads a redundant safe input signal (composed of 2 physical channels) and provides its value via FSoE. If only one of the signals is low-level, the SI is read as low-level.

FSoE: All Safety Functions

Safe Inputs: STO or SS1-t (configurable)

• ETG.5100 V1.2.0 - Protocol Specification

• ETG.5120 V1.0.0 - Protocol Enhancements

  • Section 6 -Safety related parameter download (SRA)

• ETG.6100 V1.3.0 - Safety Drive Profile

≤ 50 ms

Targeted standards (certification pending):

• EN 61800-5-2:2017

• EN IEC 62061:2021

• EN 61508:2010

• EN ISO 13849-1:2015

• EN 61784-3:2021

t_SF ≤ 25 ms

System maximum Reaction Time from a Detected Fault until safe state is reached.

The EUC (Equipment Under Control) is considered as a high-demand or continuous demand mode system.

The mission time of the EUC is of 20 years.

In order to guarantee the correct operation of the safety functions, the user must execute the External Diagnostic Test regularly (see External Diagnostic Test).

The diagnostic test interval is defined as a minimum of 1 activation per 3 months.  

Multiple diagnostic mechanisms are included. Some of them are:

• Internal power supply voltage monitors. 

• Logic and Temporal Watchdog

• MCU-to-MCU Comparison

• MCU Internal Diagnostics (RAM, ROM, CPU, etc.)

• FSoE communication diagnostics

• Dual-Channel STO Comparison

• Abnormal Safe Input: dual-channel values mismatch. Becomes latching after a long period of time

STO firmware notification

A STO stop is notified to the motion controller and creates a fault that can be read externally from any communication interface, however, STO operation is totally independent and decoupled from control or firmware. 

1

Power off the drive. Wait for a least 10 seconds to ensure internal capacitors discharge.

2

Power on the drive but do not initiate the FSoE communication.

Provide a high-level value to the Safe Inputs.

3

Remain in this state more than t_{ABN_LATCH_MAX} seconds.

4

Initiate the FSoE communication and transition to state DATA.

5

Deactivate the STO Safety Function via FSoE:

• STO = Disabled

6

Transition to a normal operation state where the power stage can be enabled, and perform some motor movement. Check that no Safety-related error appears.

7

Provide a low-level value to the Safe Inputs. Check that the Safe Input value is low and that no failure has been raised.

Input pins

\SAFE_INPUT_A and \SAFE_INPUT_B

2

Active-low.

Digital inputs with ESD protection.

• Input series resistor of 220 Ω ±1%, ≥ 200 mW

• Pull-down resistor (after series resistor) of 7.5 kΩ ±1%, ≥ 100 mW

• Overvoltage protection on \SAFE_INPUT_x signals, limiting to V_{max_fault} in case of an external fault. 

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

All following calculations are considering the use of the Safe Input Mandatory External Requirements

0.8 V (below this value the \SAFE_INPUT_x is ACTIVE).

SAFE_INPUT voltage is measured before the Mandatory External Circuit.

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

> 50 µA

3.1 V (above this value the \SAFE_INPUT_x is INACTIVE).

SAFE_INPUT voltage is measured before the Mandatory External Circuit.

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

< 420 µA

• V_{max_nom} (maximum nominal voltage) = 6 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 25 V

SAFE_INPUT voltage is measured before the Mandatory External Circuit.

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

• ≤ 2.5 mA @ Vmax_nom (without internal failures)

• ≤ 12 mA @ Vmax_nom in case of internal failure

• ≤ 10 mA @ Vmax_fault (without internal failure)

IEC 61000-4-2 (ESD) ± 15 kV (air), ± 8 kV (contact)

• Abnormal Safe Input: Detects signals discrepancy between \SAFE_INPUT_A and \SAFE_INPUT_B

• Latching Abnormal Safe Input: After a long period of maintained Abnormal Safe Input, the fault becomes latching. Requires power-supply reset.

Max. filtered OSSD pulses

t_OSSDpulse ≤ 1 ms

Low-level pulses of duration below t_OSSDpulse are filtered.

See diagram OSSD Pulse Filtering.

t_OSSDdisc ≥ 2 ms

Low-level pulses must differ ≥ t_OSSDdisc to ensure proper filtering.

See diagram OSSD Pulse Filtering.

t_OSSDperiod ≥ 10 ms

OSSD pulses must be separated, at least t_OSSDperiod to ensure proper filtering.

See diagram OSSD Pulse Filtering.

t_ABN ≤ 5 ms

Minimum Safe Inputs signals discrepancy time that causes an Abnormal Fault and activates the Safety Functions.

t_{ABN_LATCH} ≤ 2500 ms

Minimum Safe Inputs signals discrepancy time that guarantees a latching Abnormal Safe Input Fault.

Normal operation

Safety Function Enabled

0

< VIL

0

< VIL

Enabled

Safety function is enabled via Safe Inputs. The kind of Safety function activated is configurable via FSoE communication.

Safety Function Disabled

1

> VIH

1

> VIH

Disabled

Safety function triggered by Safe Inputs is deactivated. If no other Safety function is commanded via FSoE or as a cause of a diagnostic, the system is able to provide torque to the motor.

Abnormal operation

Abnormal Safe Input

0

< VIL

1

> VIH

Enabled

If any issue is detected on the dual-channel Safe Input function (the channels logic level is different), an Abnormal Fault is detected, activating the Safety function and reporting it.

1

> VIH

0

< VIL

Enabled

Abnormal Safe Input Latched

x

-

x

-

Enabled

If the Abnormal Fault persists for t ≥ t_{ABN_LATCH_MAX}, the fault becomes latching, maintaining the Safety Function activated until a power supply reset cycle is performed.

• 5 V ± 2% (nominal range from 4.9 V to 5.1 V; maximum voltage in case of external failure 25 V).

Safety function is maintained with an overvoltage failure within the specified range, but the other system functions could become non-operational.

48 V SELV (range from 8 V to 60 V; maximum failure voltage 60 V)

Note: The system is single fault tolerant. No additional faults (internal or external) can be handled after an external failure.

Output pins

3.3V_SAFE_EXT

3.3V +5% / -7.5% supply provided by EVS-S-NET.

Over-current, over-voltage, under-voltage and reverse-current protected.

Can be used to supply Feedbacks transceivers.

≤ 3.8 V 

Maximum voltage that will be provided by EVS-S-NET in the event of an internal failure

≥ 2.8 V

Minimum voltage (other than 0) that will be provided by EVS-S-NET in the event of an internal failure

150 mA

V_{max_fault} = 5.5 V

Maximum voltage that can be provided externally in the event of an external failure

20 µF

The system must be able to interface 2 ports of MDI Differential pairs to be used in 100BASE-TX (requires external magnetics).

Feedback pins

ABSENC1_DATA and ABSENC1_CLK

Digital signals CMOS Voltage levels

• ABSENC1_DATA: Input

• ABSENC1_CLK: Output

• Overvoltage protection on Feedback signals, limiting to V_{max_fault} in case of an external fault. 

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

0.8 V

2.0 V

• V_{max_nom} (maximum nominal voltage)= 3.5 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 5.5 V

10 Mbps

Feedback pins

ABSENC2_DATA and ABSENC2_CLK

Digital signals CMOS Voltage levels

• ABSENC2_DATA: Input

• ABSENC2_CLK: Output

• Overvoltage protection on Feedback signals, limiting to V_{max_fault} in case of an external fault. 

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

0.8 V

2.0 V

• V_{max_nom} (maximum nominal voltage)= 3.5 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 5.5 V

Maximum Data Rate

10 Mbps

Feedback pins

DIG_ENC_1A, DIG_ENC_1B and DIG_ENC_1Z

Quadrature incremental encoder (QEI) with index or ABZ

Digital signals CMOS Voltage levels

• Overvoltage protection on Feedback signals, limiting to V_{max_fault} in case of an external fault. 

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

0.8 V

2.0 V

• V_{max_nom} (maximum nominal voltage)= 3.5 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 5.5 V

10 MHz

Feedback pins

HALL_1, HALL_2 and HALL_3

Type of Sensor

3 x Digital Hall sensors per pole pair.

• 120° displacement between sensors.

Digital signals CMOS Voltage levels

• Overvoltage protection on Feedback signals, limiting to V_{max_fault} in case of an external fault. 

See External Requirements for Safe inputs, Feedback Interface and Logic Supply

0.8 V

2.0 V

• V_{max_nom} (maximum nominal voltage)= 3.5 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 5.5 V

5 kHz

Functional Safety is only considered when the drive is controlling three-phase permanent magnet synchronous rotating motors. STO does not apply to DC brush motors. 

The product is not repairable. After a component fault is detected, the system must be taken out from operation.

The product must be placed in a limited access environment, so the final user cannot manipulate it without intention. 

Pollution degree

Pollution degree 2 with an IP54 enclosure installation.

II

< 2000 m above sea level.

-20 ºC to 60 ºC

-20 ºC to 70 ºC

-40 ºC to 100 ºC

≤ 93% (non-condensing) at the Maximum Temperature

10 Hz to 150 Hz, 1 g.

Test according to EN 60068-2-6:2008: Test Fc

±5g Half-sine 30 ms

Test according to EN 60068-2-27:2009: Shock

Functional Safety has been tested according to EN IEC 61800-3:2018 procedures with the extended ranges of EN 61800-5-2:2017 Annex E.

The interface board must meet the same EMC standards (IEC 61800-3:2018 with extended ranges of IEC 61800-5-2:2017).

To fulfill the EMC requirements the use of the following elements is required:

• Input EMI filter.

• Motor phases ferrite cable core.

• Properly grounded aluminum enclosure. See grounding recommendations for further information.

• Wiring Separation: The electrical energy cables (power supply and motor phases) must be sufficiently separated from information cables to avoid interferences.

The interface board must meet the following environmental standards:

• EN 60068-2-1:2007 - Test A: Cold

• EN 60068-2-2:2007 - Test B: Dry heat

• EN 60068-2-78:2013 - Test Cab: Damp heat, steady-state

• EN 60068-2-6:2008: Test Fc

• EN 60068-2-27:2009: Shock

Input Pin

5V_FBK_SENSE

Future Use. Monitoring of the 5V Feedback Supply.

It is recommended to connect to a 5V ± 10% supply.

• Input series resistor of 2.4 kΩ ±1%, ≥ 50 mW

• V_{max_nom} (maximum nominal voltage) = 6.5 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 25 V

Input Pin

3.3V_FBK_SENSE

Future Use. Monitoring of the 3.3V Feedback Supply.

It is recommended to connect to a 3.3V ± 10% supply.

If 3.3V_SAFE_EXT is used, it is recommended to connect 3.3V_SAFE_EXT to 3.3V_FBK_SENSE.

• Guarantee maximum absolute ratings

• V_{max_nom} (maximum nominal voltage) = 3.5 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 25 V

Output Pins

SOUT_A and SOUT_B

Future Use. General purpose Safe Output

V_{max_fault} = 25 V

Maximum voltage that can be provided externally in the event of an external failure

25 kΩ

Minimum impedance accepted at the output

Input Pins

SOUT_A_DIAG_INPUT and SOUT_B_DIAG_INPUT

Future Use. Input signals for SOUT external diagnostic. Active (failure detected) at low-level.

If not used, it is recommended to connect to pull up to 3.3V.

• Input series resistor of value R_diag: 2.4 kΩ ≤ R ≤ 33 kΩ

• The SOUT Diagnostic inputs are mandatory to allow system operation (if not used, must be pulled up).

• V_{max_nom} (maximum nominal voltage) = 3.5 V

• V_{max_fault} (maximum voltage in the event of an external failure) = 6.5 V

Pin number

51, 53, 55 and 58 of P3 Feedback Connector