Home >
Knowledge Base >
Community >
Downloads >AKD STO Performance Level d Clarification
In the AKD Installation manual, section 6.16.8.3 (Functional test) states: "You must test the STO function after initial start of the drive, after each interference into the wiring of the drive, or after exchange of one or several components of the drive." Can you provide some clarification on what "initial start" means? I assume this means only when the drive is commissioned?
I'm just starting to learn more about safety and based on the limited information I've read so far, it would seem difficult to reach a performance level d using a single channel STO like this. Since I don't have a copy of ISO 13849-1, I'm assuming this is how PLd could be achieved without using redundant STO's with fault detection, which is found on the 24A version of the AKD.
Comments & Answers
Joerg Muslewski said ...
Yes, you are right in. After commissioning you need to test the STO function.
If you are responsible for the safety, you need to test, validate and confirm that the complete safety equipment (HW and SW) works like it should in any case.
Normally, this cannot be done before the commissioning is done.
Matt Ellis said ...
I am under the impression that a requirement for Category 3 (similar to PLd) is:
"The system shall be designed so that a single fault in any of its parts does not lead to the loss of safety function."
If a single channel STO fails, I would think this would lead to the loss of a safety function.
I am also under the impression that for Category 3, "the fault must be detected at or before the next demand on the safety function". Without any type of monitoring signal coming back from the drive, how would a fault be detected?
kenny.hampton@… said ...
You are correct but there exist a second way to get to cat 3. The other way call fault exclusion. That means there is no fault possible if you use the drive in the specified environment.
This approach is used for the AKD / AKD-N / S300 / S700.
An Engineer from Kollmorgen
An Engineer from Kollmorgen sent this to me in an email:
"... there exist a second way to get to cat 3. The other way call fault exclusion. That means there is no fault possible if you use the drive in the specified environment.
This approach is used for the AKD / AKD-N / S300 / S700"
I would have thought that this should be spelled out in their documentation though if that is the case.
So they are saying the STO
So they are saying the STO function is so reliable that we can state a fault exclusion (MTTFd is infinite) on it. That's certainly what the documentation implies although as you say I would have expected them to spell it out explicitly.
My safety circuit is dual channel, the other part being a conventional mains contactor with auxiliary contact feedback.
My memory is not what it was!
My memory is not what it was! I find I looked into this a while ago and received the following comment on the Kollmorgen drive from a safety expert not connected with Kollmorgen:
"“The servo drive has its own internal checking and is SIL 2 / PL d capable when you wire it up as per the instructions, and there is no mention of feeding the drive fault status back into a safety logic solver such as the PNOZ s3 safety relay. If, however, you were to be using a contactor (or pair of contactors) in between the safety relay and drive then I would suggest that you do take contactor feedback back into the relay.”
Matt's original question has
Matt's original question has not been answered. Cat 3 is shown in the EN 13849 standard as having feedback to prove operation. The diagrams in the Kollmorgen manual show no feedback and no explanation as to how, therefore, PLd / cat 3 is achieved.
Perhaps the explanation is that the drive contains additional monitoring circuitry to check the STO operation?