ABB industrial drives

User’s manual
FSO-11 safety functions module
List of related manuals and guides
Drive hardware manuals | Code (English)
ACS880-01 hardware manual | 3AUA0000078093
ACS880-04 hardware manual | 3AUA0000128301
ACS880-07 (45 to 560 kW) hardware manual | 3AUA0000105718
ACS880-07 (560 to 2800 kW) hardware manual | 3AUA0000143261
ACS880-104 inverter modules hardware manual | 3AUA0000104271
ACS880-107 inverter units hardware manual | 3AUA0000102519

Drive firmware manuals
ACS880 primary control program firmware manual | 3AUA0000085967

Drive option manuals
ACS-AP-x assistant control panels user’s manual | 3AUA0000085685
FSO-11 safety function module user's manual | 3AUA0000097054
Manuals and quick guides for I/O extension modules, fieldbus adapters, etc.

Drive PC tool manuals
Drive composer start-up and maintenance PC tool user's manual | 3AUA0000094606

General drive safety guides
Functional safety; Technical guide No. 10 | 3AUA0000048753
Safety and functional safety; A general guide | 1SFC001008B0201

You can find manuals and other product documents in PDF format on the Internet. See section Document library on
the Internet on the inside of the back cover. For manuals not available in the Document library, contact your local ABB
representative.

© 2013 ABB Oy. All Rights Reserved. 3AUA0000097054 Rev D


EN
EFFECTIVE: 2013-06-27

Table of contents
List of related manuals and guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1. Safety
Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Use of warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2. Introduction to the manual


Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Exclusion of liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Compatible products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Supported safety functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Target audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Purpose of the manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Recommended reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Related standards and directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Safety related . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3. Safety information and considerations


Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Meeting the requirements of the Machinery Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Safety considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Response times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
FSO-11 diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Safety function acknowledgement modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Encoderless mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Speed estimation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Proof testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Safety separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4. Overview
Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

System description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
FSO-11 and safety system components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Type designation label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Operational characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5. Implemented safety functions


Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Safety functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Ramp monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Function indication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Cascade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Safe torque off (STO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
STO base function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Safe brake control (SBC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
SBC after STO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
SBC before STO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Safe stop 1 (SS1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
SS1 with time monitoring .............................................. 46
SS1 with ramp monitoring .............................................. 47
SS1 with speed limit activated SBC ....................................... 49
Safe stop emergency (SSE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
SSE with time monitoring .............................................. 52
SSE with ramp monitoring ............................................. 53
SSE with speed limit activated SBC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Safely-limited speed (SLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
SLS with speed below monitored speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
SLS with speed above monitored speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Safe maximum speed (SMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

6. Planning for installation


Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Requirements for designers and installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Mechanical installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Installation site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Electrical installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
General requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Power supply connection/cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Ensuring the EMC compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Selecting control cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Routing the cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Standard function and wiring examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

7. Installation
Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Mechanical installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Electrical installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Terminals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Connection procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

8. Installation checklists
Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
General checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Common cause failure (CCF) checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

9. Configuration
Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Configuring the FSO-11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
FSO-11 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configuring general settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
How to configure general settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
How to configure I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Configuring STO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
How to configure STO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Configuring SBC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
How to configure SBC after STO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
How to configure SBC before STO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Configuring SS1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
How to configure SS1 with time monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
How to configure SS1 with ramp monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
How to configure SS1 with speed limit activated SBC . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring SSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
How to configure SSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
How to configure SSE with time monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
How to configure SSE with ramp monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
How to configure SSE with speed limit activated SBC . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Configuring SAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
How to configure SARn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Configuring SLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
How to configure SLSn with time monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
How to configure SLSn with ramp monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
How to configure SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

10. Start-up
Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Safety considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

11. Verification and validation


Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Verifying the achieved SIL/PL level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Validation procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Validation checklist for start-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Authorized person . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Acceptance test reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Proof test intervals during operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Residual risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

12. Fault tracing


Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Event types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
User-selectable events for the function requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
User-selectable events for the limit hits and special events . . . . . . . . . . . . . . . . . . . . . . 155
Auxiliary code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

13. Maintenance
Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
FSO-11 module failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Replacing the FSO-11 module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Drive replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Reinstalling the FSO-11 module to another drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Drive firmware update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Updating the firmware of the drive where the FSO-11 is installed . . . . . . . . . . . . . . . . 160
Factory reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Proof tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Decommissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

14. Technical data


Contents of this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Electrical data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Control connection data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Terminal and lead-through data for the control cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Degrees of protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Size and weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Cooling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Speed estimation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Safety functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Safety data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Basic safety data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Safety data for some typical configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Life time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172


Response times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

15. Dimension drawings


FSO-11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Further information
Product and service inquiries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Product training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Providing feedback on ABB Drives manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Document library on the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

1
Safety
Contents of this chapter
This chapter explains the usage of warnings in this manual.

Use of warnings
Warnings caution you about conditions which can result in serious injury or death
and/or damage to the equipment, and advise on how to avoid the danger. The
following warning symbols are used in this manual:

Electricity warning warns of hazards from electricity which can cause physical injury and/or damage to the equipment.

General warning warns about conditions, other than those caused by electricity, which can result in physical injury and/or damage to the equipment.

2
Introduction to the manual
Contents of this chapter
This chapter states exclusion of liability and describes the applicability, compatible
products, supported safety functions, target audience and purpose of the manual.
The chapter also lists contents of this manual, recommended reading as well as
related standards and directives, and explains used definitions, terms and
abbreviations. The safety certificate is included at the end of the chapter.

Exclusion of liability
This manual is an informative aid only. It contains information needed to use the
FSO-11 safety functions module when implementing safety systems. The information
and examples given are for general use only. They do not describe all the necessary
details for implementing a safety system. The manufacturer of the machinery always
remains ultimately responsible for the product safety and compliance with applicable
laws. ABB does not accept any liability for direct or indirect injury or damage caused
by the information contained in this document. ABB hereby disclaims all liabilities that
may result from this document.
The FSO-11 module must not be opened; otherwise the safety classification will
become invalid and the warranty will cease to be in effect.

Applicability
This manual applies to the FSO-11 safety functions module, firmware version 1.32
and later, until the next revision of the manual is published.

Compatible products
Drives
• ACS880 series

Tools
• Drive composer pro PC tool.

Supported safety functions


This manual provides instructions for creating the following safety functions
(according to EN 61800-5-2:2007) for the ACS880 drives:
• Safe torque off (STO) – standard feature in ACS880 drives, see page 40
• Safe brake control (SBC), see page 42
• Safe stop 1 (SS1), without encoder only, see page 46
• Safe stop emergency (SSE), see page 50
• Safely limited speed (SLS), without encoder only, see page 56
• Safe maximum speed (SMS), see page 58.
Note: The FSO-11 does not support encoder or safe fieldbus in safety applications.

Target audience
The manual is intended for qualified persons who design the safety application, plan
the installation as well as install and commission the safety application. Read the
manual before starting work on the safety application. The reader is expected to know
the fundamentals of safety technology, electricity, wiring, electrical components and
electrical schematic symbols.

Purpose of the manual


The manual explains how to install the FSO-11 safety functions module and configure
and commission the supported safety functions. It describes how to meet and
maintain safety life cycle requirements of the FSO-11 to ensure required safety
performance and specified safety integrity.
Drive-specific technical, configuration and installation details are found in the drive
Hardware manual (see List of related manuals and guides on page 2).

Contents
Chapter Safety (page 11) explains the usage of warnings in this manual.
Chapter Introduction to the manual (this chapter, page 13) states exclusion of liability
and describes the applicability, compatible products, supported safety functions,
target audience and purpose of the manual.
It also lists contents of this manual, recommended reading as well as related
standards and directives, and explains used definitions, terms and abbreviations. The
safety certificate is included at the end of the chapter.
Chapter Safety information and considerations (page 21) contains general safety
considerations and information to be taken into account when applying the FSO-11
safety functions.
Chapter Overview (page 27) briefly describes the FSO-11 with safety system
components as well as the FSO-11 layout, connections, type designation label and
operational characteristics.
Chapter Implemented safety functions (page 33) describes how the safety functions
are implemented with the drive and how they operate.
Chapter Planning for installation (page 59) gives instructions and references to
instructions in other manuals for planning the safety system installation, as well as the
requirements for installation in the applicable safety standards.
Chapter Installation (page 65) gives examples of how to connect the FSO-11 module
to the ACS880.
Chapter Installation checklists (page 71) contains a checklist for checking the
mechanical and electrical installation of the FSO-11 module and refers to common
cause failure checklists in standards.
Chapter Configuration (page 73) describes the password usage, outlines the
configuration process, lists the FSO-11 parameters and gives examples of how to
configure the FSO-11 to implement each safety function as described in chapter
Implemented safety functions.
Chapter Start-up (page 135) describes the general precautions to be taken before
starting up the safety system for the first time.
Chapter Verification and validation (page 137) describes verification and validation of
the implemented safety functionality.
Chapter Fault tracing (page 147) describes the status LEDs and provides generic
diagnostics and troubleshooting tips for FSO-11 related faults generated by the drive.
Chapter Maintenance (page 157) explains replacement of the FSO-11 module in
case of a module failure, reinstalling the FSO-11 module to another drive, updating
the firmware of the drive where the FSO-11 is installed, factory reset, FSO-11 update
and decommissioning as well as proof tests.

Chapter Technical data (page 163) contains the technical specifications of the
FSO-11, for example electrical data, sizes and safety data.
Chapter Dimension drawings (page 173) shows dimension drawings of the FSO-11
module.

Recommended reading
This manual is based on the following standards. It is recommended that you are familiar
with these standards before implementing safety-related systems.
• EN 61800-5-2:2007, Adjustable speed electrical power drive systems – Part 5-2:
Safety requirements – Functional. (Includes safety function definitions.)
• EN ISO 13849-1:2008, Safety of machinery – Safety-related parts of control
systems – Part 1: General principles for design
• EN 62061:2005, Safety of machinery – Functional safety of safety-related
electrical, electronic and programmable electronic control systems
• EN 60204-1:2006, Safety of machinery – Electrical equipment of machines – Part
1: General requirements.
Before starting the implementation of safety-related systems, it is highly
recommended to read and understand the following manuals, which will also be
referred to in the later chapters of this manual.
• Functional safety; Technical guide No. 10 (3AUA0000048753 [English])
• Safety and functional safety; A general guide (1SFC001008B0201 [English])
• Firmware manual of the drive.

Related standards and directives


Referenced standards are listed in the table below.
Standard Name
EN 60204-1:2006 Safety of machinery – Electrical equipment of machines – Part 1:
General requirements
IEC 61508 Parts 1-7, Functional safety of electrical/electronic/programmable electronic
Ed. 2.0:2010 safety-related systems
EN 61800-5-2:2007 Adjustable speed electrical power drive systems – Part 5-2: Safety
requirements – Functional
EN 62061:2005 Safety of machinery – Functional safety of safety-related electrical,
electronic and programmable electronic control systems
EN ISO 12100:2010 Safety of machinery – General principles for design – Risk
assessment and risk reduction
EN ISO 13849-1:2008 Safety of machinery – Safety-related parts of control systems –
Part 1: General principles for design. EN ISO 13849-1 has replaced
EN 954-1:1996 in November 2009.
2006/42/EC European Machinery Directive
Other Sector-specific C-type standards

Definitions
Safety-related definitions according to EN ISO 13849-1:2008, EN 62061:2005 and
EN 61800-5-2:2007 are presented in the table below.
Term Definition
Acknowledgement Acknowledges an event when the FSO-11 is in use. See section
Acknowledgement on page 34. See also term Reset on page 17.
Common cause failure (CCF) Failure, which is the result of one or more events, causing
coincident failures of two or more separate channels in a multiple
channel (redundant architecture) subsystem, leading to failure of a
Safety related electronic control function (SRCF)
Functional safety Part of the safety of the machine and the machine control system
which depends on the correct functioning of the SRECS, other
technology safety-related systems and external risk reduction
facilities
Hazard Potential source of harm (physical injury, or damage to health or
equipment)
Power drive systems (Safety related), PDS(SR) Adjustable speed electrical power drive
system suitable for use in safety-related applications
Proof test Test that can detect faults and degradation in a Safety related
electronic control system (SRECS) and its subsystems so that, if
necessary, the SRECS and its subsystems can be restored to an
"as new" condition or as close as practical to this condition.
Protective measure Measure intended to achieve risk reduction
Reasonably foreseeable misuse Use of a machine in a way not intended by the designer,
but which may result from readily predictable human behavior
Reset Factory reset. Clears the configuration and sets the parameters to
their factory default values.
Residual risk Risk remaining after protective measures have been taken
Response time of FSO-11 The internal response time of the FSO-11, that is the time in
which the STO control output of the FSO-11 reacts after receiving a
request. Usually this is not the same as the time from the request to
the safe state of the machine application. See also term Safety
function response time on page 17.
Risk Combination of the probability of occurrence of harm and the
severity of that harm
Safe state STO activated (STO relay opened)
Safety function response time Response time of the combination of the drive and FSO-11.
See also term Response time of FSO-11 on page 17.
Safety related control function (SRCF) Control function implemented by a SRECS with a
specified integrity level that is intended to maintain the safe condition of the machine
or prevent an immediate increase of the risk(s)
Safety related electrical control system (SRECS) Electrical control system of a machine
whose failure can result in an immediate increase of the risk(s)
Stop category There are three categories of stop functions:
• stop category 0: an uncontrolled stop where power to the
machine actuators is removed immediately
• stop category 1: a controlled stop where the machine actuators
have power for stopping, after which the power is removed
• stop category 2: a controlled stop where the machine actuators
continue to have power.
Category 0 and 1 definitions also apply to Emergency stop
categories.
Validation Confirmation by, for example, analysis that the safety system meets
the functional safety requirements of the specific application
Verification Confirmation by, for example, testing that the safety system meets
the requirements set by the specification
Scaling speed A user-defined reference value. See parameter 170 Speed scaling
on page 88.
Zero speed Speed below the value given with parameter 163 Zero speed
without encoder on page 88.

Terms
The following terms are used in this manual as defined in the table below.
Term Definition
External active load Load in systems where the motor speed does not decrease when the
motor control is stopped.
Life time The period of time for which a device is designed to remain within its
specifications
Safety function Function, with a specified safety performance, which is intended to maintain
the safe condition of the installation or prevent hazardous conditions arising
at the installation.
Example: Safe torque off (STO)
Safety module Part of a safety system, physical entity.
Example: FSO-11 safety functions module.
Safety system Whole safety system including for example human interface, FSO-11 safety
functions module, drive and sensors.

Abbreviations
Safety related
This manual uses abbreviations for safety levels as defined in the table below.
Abbreviation Reference Description
B10d EN ISO 13849-1 Number of cycles until 10% of the components fail
dangerously (for pneumatic and electromechanical
components).
CCF EN ISO 13849-1 Common cause failure
DC EN ISO 13849-1 Diagnostic coverage (%)
FIT IEC 61508 Failure in time: 1E-9 hours. Expected failure rate of
semiconductors and other electronic devices.
HFT IEC 61508 Hardware fault tolerance
MTTFd EN ISO 13849-1 Mean time to dangerous failure: (The total number of
life units) / (the number of dangerous, undetected
failures) during a particular measurement interval
under stated conditions
PFD IEC 61508 Probability of dangerous failure on demand
PFHd IEC 61508 Average frequency of dangerous failure [1/h]
(Probability of dangerous failures per hour)
PL EN ISO 13849-1 Performance level (a-e)
SC IEC 61508 Systematic Capability
SFF IEC 61508 Safe failure fraction (%)
SIL IEC 61508 Safety integrity level (1-3)
STO EN 61800-5-2 Safe torque off
T1 IEC 61508 Proof test interval

Other
This manual uses the following abbreviations, which are not safety related, as defined
in the table below.
Abbreviation Description
AWG American wire gauge
BCU-xx Drive control unit type (xx = version number)
CRC Cyclic redundancy check
ELV Extra-low voltage
I/O Input/output
PCB Printed circuit board
PELV Protected extra-low voltage (IEC 60364-4-41)
ZCU-xx Drive control unit type (xx = version number)

Certificate
The TÜV Nord certificate for the FSO-11 and ACS880 drive is attached below. Check the
validity of the certificate for the specific drive variant in the ABB Library.

3. Safety information and considerations
Contents of this chapter
This chapter contains general safety considerations and information to be taken into
account when applying the FSO-11 safety functions.

WARNING! The FSO-11 safety functions module is delivered with the safety
functions bypassed by jumper wires in connectors X:113 and X:114 to allow
initial drive commissioning without the need to configure safety functions first. The
safety system must always be properly commissioned and verified/validated before it
can be considered safe.

Meeting the requirements of the Machinery Directive


In order to fulfill the requirements of the Machinery Directive, the requirements in the
applicable standards must be met and the FSO-11 must be used according to all
instructions provided in this manual.
Implementing safety functions requires following a process, which is introduced for
example in Functional safety; Technical guide No. 10 (3AUA0000048753 [English]).
The process includes a risk assessment, and residual risks, as well as any
foreseeable misuse, must be documented in the user instructions of the machinery.

Responsibilities
It is the responsibility of the machine builder / OEM / system integrator to ensure that
the essential health and safety requirements specified in the Machinery Directive are
met.
If you detect any failure in safety functions, contact your local ABB representative.

Safety considerations
Note: After you initially start up the FSO-11 and also after you later modify any
application parameters or the configuration, you must check the safety of the entire
system by doing a verification according to the system safety verification plan and by
doing a validation of the correct operation of the safety application. See Verification
and validation on page 137.

Response times
Safety function response time and FSO-11 response times are specified in section
Response times on page 172.

FSO-11 diagnostics
The FSO-11 performs extensive auto diagnostics tests during the runtime operation
on FSO-11 internal parts as well as the communication and STO connection between
the FSO-11 and the drive, and it will go into the Fault state if it detects a fault. If the
safety functions are still in control, the SSE is activated, otherwise the STO is
activated.
• The communication between the FSO-11 and the drive is diagnosed continuously.
• The STO connection between the FSO-11 and the drive STO connector is
diagnosed during the power up and periodically during the runtime.

I/O
The FSO-11 supports input and output redundancy.
The FSO-11 provides an option for applying diagnostic pulsing for its inputs and
outputs. When applied, the pulsing enables the FSO-11 diagnostics to detect cable
failures as follows:
• Inputs: Open-circuiting and short-circuiting failures are detected, with the
exception of failures that short-circuit the sensor. These failures are detected
upon input activation when redundant connection is used.

[Figure: test pulses (TP1, TP2) and digital inputs (DI1, DI2), with cable failures
marked "Failure can be detected" and "Failure cannot be detected (except upon input
activation when redundancy is used)".]

• Outputs: Failures that short-circuit the signal to the voltage supply or the ground
potential are detected. Failures that open-circuit the actuator are not detected.

Safety function acknowledgement modes


Safety functions have two acknowledgement modes for entering the Operational
state (during the first start-up or after a safety function request is removed):
• Monitored: In the monitored (manual) restart (recommended), the user must first
acknowledge the FSO-11 state to allow the drive to restart.
• Automatic: In the automatic restart, the FSO-11 grants the drive permission to
restart after a safety function request is removed or the start-up is complete. If the
drive is in the automatic start mode, it starts automatically, which may cause
danger.
The acknowledgement mode can be selected separately for the start-up, STO (SSE
and SS1 always end in STO) and SLS.

Note: STO, SSE and SS1 cannot be acknowledged before the motor is stopped.

Note: The FSO-11 is not designed to protect a machine against intentional misuse.

WARNING! If the FSO-11 is used in the automatic mode, make sure that the
system is designed so that this does not cause unacceptable risk.

Encoderless mode
Note: The FSO-11 uses drive output frequency measurement to estimate the motor
speed instead of measuring the motor speed with an encoder. This has to be taken
into consideration when designing safety functions, that is, whether this type of speed
estimation is suitable for the application.
Note: Observe restrictions for use. At least a normal Identification run, preferably a
full Identification run, must be performed.
In the encoderless mode,
• the motor must decelerate when the power is switched off – for example, in a
crane application, the hanging load would potentially cause an accelerating
motion, thus the encoderless mode, and thereby the FSO-11, cannot be used for
these types of applications.
• the drive cannot be used in generator mode (torque limit) operation where an
external force is rotating the motor faster than the drive controls the motor.
• the system must be designed so that it has no physical capability of
accelerating/decelerating from an acceptable speed to a dangerous speed within
the response time of the FSO-11 (see section Safety data on page 167).
• depending on the load, the frequency estimation of an encoderless drive may not
be equal to the actual induction motor speed.

WARNING! Do not use encoderless mode in applications where the external load of
the application may rotate the motor-driven shaft regardless of the drive
frequency. In this case, an encoder and an encoder-supporting version of the FSO
must be used to measure and monitor the shaft speed.

Speed estimation
The FSO-11 monitors the frequency with which the drive is rotating the magnetic field
in the motor because the FSO-11 has no way of detecting the actual speed with
which the motor shaft is rotating.
Note: “Speed” is used in this manual instead of “frequency”.
Note: It must be taken into account in the system design that the FSO-11 estimation
and the actual motor speed differ by the slip, which is dependent on the load of the
motor among other things.

Characteristics
The allowed speed range depends on the motor used.
Max. speed range = (-18000…+18000 rpm) / (number of motor pole pairs)

Proof testing
Periodic proof testing of, for example, electromechanical parts of the safety system
may be required in order to maintain the claimed SIL / PL level of the system. In this
case proof testing must be taken into consideration in the safety calculations and it
must be properly documented in the user documentation. Proof testing has to be
verified in the acceptance testing during the commissioning phase.
The FSO-11 module itself does not require periodic proof testing.
External contactors, relays and mechanical actuators must be sized correctly for
safety use as the automatic diagnostics only monitor the electrical connections; the
mechanical final elements like brakes are not diagnosed.
Failure of a mechanical actuator, for example a brake, could lead to an undetected
fault and a possible loss of the load control.

Safety separation
The FSO-11 and the drive Safe torque off (STO) channel/function are safety relevant,
and the rest of the drive is considered as not safety relevant, for example the drive
regular I/O cannot be used for requesting safety functions on the FSO-11.

WARNING! The Safe torque off function does not disconnect the voltage of the
main and auxiliary circuits from the drive. Therefore maintenance work on
electrical parts of the drive or the motor can only be carried out after isolating the
drive system from the main supply, from the rotating permanent magnet motors and
from the rotating motors equipped with sinus filters; asserting the STO is not
sufficient.

Note: The Safe torque off function can be used for stopping the drive in the
operational mode. If a running drive is stopped by using the STO function, the drive
will stop by coasting.

4. Overview
Contents of this chapter
This chapter briefly describes the FSO-11 with safety system components as well as
the FSO-11 layout, connections, type designation label and operational
characteristics.

System description
FSO-11 and safety system components
Example figure of an FSO-11 safety functions module, ACS880 drive, safety PLC,
switches and buttons.

[Figure: safety PLC (system master), FSO-11, gate opening switch, key switch,
emergency stop and stop button. Labelled functions: safe stopping, safety function
requests, prevention of unexpected start-up, channel separation.]

The FSO-11 safety functions module is an option for ACS880 drives. Safe torque off
(STO) is a standard feature on ACS880 drives.
The FSO-11 does not operate the drive; it only monitors the actions of the drive and
commands safety functions to be executed. The request for safety functions can
come from an external safety system, for example a push button or a safety PLC, or
from an FSO-11 internal fault. If the drive does not fulfill the commands of the
FSO-11, the FSO-11 will shut down the drive using the Safe torque off (STO) function.
Safety functions supported by the FSO-11 are presented in chapter Implemented
safety functions on page 33.

Layout
[Figure: FSO-11 layout with numbered parts 1 to 9, described in the table below.]

No Description
1 24 V DC input connection
2 Safe torque off (STO) connection
3 Data connection
4, 4b Mounting for drives with ZCU-11 control unit shown. Two mounting points on each
side. The screw fixed at 4b also grounds the enclosure of the FSO-11. Mounting points
for drives with other control units may vary.
5 FSO-11 grounding screw, grounds the electronics
6 FSO-11 status LEDs, see section Status LEDs on page 147.
7 Input / output status LEDs, one for each I/O connector (see 8). The LEDs are in two rows
above the corresponding two rows of I/O connectors. The LED is lit if the state of the
corresponding I/O is ON (24 V in the input or output). The data shown by LEDs is only
indicative and cannot be considered safe.
8 Input / output connections
• 4 redundant or 8 single digital inputs, or combinations of redundant and single inputs.
Possible redundant pairs: X113:1 & X114:1, X113:2 & X114:2, X113:3 & X114:3 and
X113:4 & X114:4.
• 3 redundant or 6 single digital outputs, or combinations of redundant and single
outputs. Possible redundant pairs: X113:7 & X114:7, X113:8 & X114:8 and X113:9 &
X114:9.
• two 24 V DC reference outputs with configurable diagnostic pulses.
9 Factory reset button (under the label)

Connections
The FSO-11 has several safety I/Os for external safety devices, for example buttons,
gates and indicators. The FSO-11 cannot interface to an encoder.
When using the Safe brake control (SBC) function, the mechanical brake is controlled
by the FSO-11. For more information on the SBC, see section Safe brake control
(SBC) on page 42.
One FSO-11 is needed for each drive/inverter to be monitored.
Connection details are described in section Terminals on page 67.

Type designation label


The type designation label is attached on the top of the FSO-11 module. An example
label and explanation of the label contents are shown below.

[Example label: ABB OY FSO-11 SN: 41101B0001 CODE: 3AXD50000000005, combined code
3AXD5000000000541101B0001, RoHS mark. Callouts 1 to 5 are explained in the table below.]

No Description
1 Type
2 Serial number of format MYYWWRXXXX, where
M: Manufacturer
YY: 11, 12, … for 2011, 2012, …
WW: 01, 02, 03, … for week 1, week 2, week 3, …
R: A, B, C, … for product revision number
XXXX: Integer starting every week from 0001
3 ABB MRP code of the FSO-11 module
4 Combined ABB MRP code and serial number
5 RoHS mark
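
The serial number layout and the combined code on the label can be checked mechanically, for example when recording modules in an asset inventory. The parser below is an added example, not ABB code; the function names, the accepted characters for M, the week range 01 to 53 and the mapping YY to 2000 + YY are assumptions, and the sample values are those of the example label above.

```python
import re
from dataclasses import dataclass

# Serial number layout from the label table: M YY WW R XXXX (10 characters).
# Assumption: M is one digit or capital letter (the example label shows "4").
SERIAL_RE = re.compile(
    r"(?P<m>[0-9A-Z])(?P<yy>\d{2})(?P<ww>\d{2})(?P<r>[A-Z])(?P<seq>\d{4})"
)

# Values printed on the example label in this manual.
LABEL_SERIAL = "41101B0001"
LABEL_CODE = "3AXD50000000005"
LABEL_COMBINED = "3AXD5000000000541101B0001"


@dataclass(frozen=True)
class Serial:
    manufacturer: str  # M
    year: int          # YY: 11 -> 2011, 12 -> 2012, ...
    week: int          # WW: 01, 02, 03, ...
    revision: str      # R: A, B, C, ...
    sequence: int      # XXXX: restarts from 0001 every week


def parse_serial(text):
    """Parse an MYYWWRXXXX serial number; raise ValueError if malformed."""
    match = SERIAL_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not in MYYWWRXXXX format: {text!r}")
    week = int(match["ww"])
    sequence = int(match["seq"])
    if not 1 <= week <= 53:          # assumed valid week range
        raise ValueError(f"week {week:02d} out of range in {text!r}")
    if sequence < 1:                 # numbering starts from 0001
        raise ValueError(f"sequence 0000 is not used: {text!r}")
    return Serial(
        manufacturer=match["m"],
        year=2000 + int(match["yy"]),
        week=week,
        revision=match["r"],
        sequence=sequence,
    )


def check_label(mrp_code, serial, combined):
    """Return a list of inconsistencies between label fields 2, 3 and 4."""
    problems = []
    try:
        parse_serial(serial)
    except ValueError as exc:
        problems.append(str(exc))
    # Field 4 is the MRP code (field 3) followed by the serial number (field 2).
    if combined != mrp_code + serial:
        problems.append("combined code is not MRP code followed by serial number")
    return problems


if __name__ == "__main__":
    print(parse_serial(LABEL_SERIAL))
    print(check_label(LABEL_CODE, LABEL_SERIAL, LABEL_COMBINED) or "label fields agree")
```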

Operational characteristics
The FSO-11 monitors that the drive operates within the configured operating limits,
and if the limits are exceeded, activates the STO function within the response time.
Activation of the STO function removes the torque and, if configured, applies the
brake.

WARNING! The Safe torque off function does not disconnect the voltage of the
main and auxiliary circuits from the drive. See the warning on page 25.

Prevention of unexpected start-up is also handled by the FSO-11.


The supported functions are preprogrammed in the firmware; they cannot be
programmed in any way.
Authorized personnel configure the FSO-11 with the Drive composer pro PC tool. The
FSO-11 checks the authorization with a password before it is possible to edit the
FSO-11 parameters. Parameters are sent from the tool to the drive, and after the tool
has displayed the CRC values of the parameters, the user must validate the feedback
values.
The FSO-11 goes into the Fault state if it detects an internal fault during its
diagnostics tests.
The FSO-11 has to be rebooted after the drive has recovered from a power failure.
The FSO-11 should normally be rebooted by cycling the power. It is also possible
to reboot the FSO-11 by using the drive parameter 96.09, but the FSO-11 accepts this
'soft boot' only if it is in the Fault state.
Note: Always remember to configure SSE and SAR0 functions to have correct limit
hit or fault reaction behaviour.

5. Implemented safety functions
Contents of this chapter
This chapter describes how the safety functions are implemented with the drive and
how they operate.

Safety functions
The FSO-11 supports the following safety functions:

Safety function Stop category Information Page
Safe torque off (STO) Stop category 0 Drive feature 40
Safe brake control (SBC) Safe brake output 42
Safe stop 1 (SS1) Stop category 1 Also with ramp monitoring 46
Safe stop emergency (SSE) Configurable as STO or SS1 with E-Stop ramp 50
Safely-limited speed (SLS) Safely limited speed 56
Safe maximum speed (SMS) Function permanently on/off 58

General
Acknowledgement
Acknowledgement can be configured to be manual or automatic, separately for the
start-up, STO (SSE and SS1 always end in STO) and SLS. In manual
acknowledgement there must be an acknowledgement button connected to the
FSO-11. In automatic acknowledgement the FSO-11 automatically acknowledges the
start-up, STO or SLS when this has completed successfully.
Acknowledgement cannot be performed if
• safety function request is active
• STO, SSE, SS1: safety function is not completed
• SLS: speed is not below monitored limit.
All active safety functions that can be acknowledged are acknowledged with the
same acknowledgement.
The acknowledgement button is connected like a normal safety input. 24 V in the
input is the standby (negative) state and 0 V is the positive (acknowledge) state.

[Figure: acknowledgement signal timing for cases A, B and C. Button release is allowed
between 0.3 s and 3.0 s.]

ID Description
A Normal acknowledgement: The acknowledgement is recognized when the button is
released after pressing it; the system must detect both falling and rising edge changes
for successful acknowledgement triggering. The pressing time of the button must be
between 0.3 s…3.0 s.
B Short low signals (less than 300 ms) are ignored.
C Too long interruptions (signal low longer than 3 s) on the signal are ignored and a
warning message is generated to the drive. If there is something to acknowledge, it is
ignored and the user must press the acknowledgement button again. If there is nothing
to acknowledge, nothing happens and no errors are generated.
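
The timing rules in rows A to C, combined with the acknowledgement preconditions listed above, can be modelled for use in a verification plan or a test bench. This is an added example and not FSO-11 firmware; all names are assumptions, the sample signal is constructed, and the function statuses are treated as constant over the recording for simplicity.

```python
from dataclasses import dataclass
from enum import Enum

ACK_MIN_MS = 300    # row B: low signals shorter than 300 ms are ignored
ACK_MAX_MS = 3000   # row C: low signals longer than 3 s are ignored, with a warning


class Pulse(Enum):
    ACKNOWLEDGE = "A"
    TOO_SHORT = "B"
    TOO_LONG = "C"


def classify_pulses(samples):
    """Classify each complete low pulse on the acknowledgement input.

    samples: time-ordered (time_ms, is_24v) pairs. 24 V is the standby state
    and 0 V means the button is pressed. Returns (fall_ms, rise_ms, Pulse).
    A low level without an observed falling edge, or without a release,
    produces nothing because both edges must be detected.
    """
    pulses = []
    previous = None
    fall_ms = None
    for time_ms, level in samples:
        is_24v = bool(level)
        if previous is True and not is_24v:
            fall_ms = time_ms                      # falling edge: button pressed
        elif previous is False and is_24v and fall_ms is not None:
            width = time_ms - fall_ms              # rising edge: button released
            if width < ACK_MIN_MS:
                kind = Pulse.TOO_SHORT
            elif width > ACK_MAX_MS:
                kind = Pulse.TOO_LONG
            else:
                kind = Pulse.ACKNOWLEDGE
            pulses.append((fall_ms, time_ms, kind))
            fall_ms = None
        previous = is_24v
    return pulses


@dataclass
class SafetyFunction:
    name: str                         # "STO", "SSE", "SS1" or "SLS"
    request_active: bool
    completed: bool = False           # relevant for STO, SSE and SS1
    speed_below_limit: bool = False   # relevant for SLS


def can_acknowledge(function):
    """Apply the three blocking conditions from the list above."""
    if function.request_active:
        return False
    if function.name == "SLS":
        return function.speed_below_limit
    return function.completed


def handle_button(samples, functions):
    """Return (acknowledged function names, warnings) for one recording."""
    acknowledged, warnings = [], []
    for fall_ms, rise_ms, kind in classify_pulses(samples):
        if kind is Pulse.TOO_LONG:
            warnings.append(f"acknowledgement input low for {rise_ms - fall_ms} ms")
        elif kind is Pulse.ACKNOWLEDGE:
            # One acknowledgement covers every function that can be acknowledged.
            for function in functions:
                if can_acknowledge(function) and function.name not in acknowledged:
                    acknowledged.append(function.name)
    return acknowledged, warnings


# Constructed sample: a 150 ms glitch, a 500 ms press and a 4 s press.
SAMPLE = [(0, True), (100, False), (250, True), (1000, False), (1500, True),
          (5000, False), (9000, True)]
```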

Ramp monitoring
The ramp monitoring is configured with four parameters as described below.

[Figure: ramp monitoring, motor speed versus time, with items A to D described in the
table below.]

ID Description
A Ramp minimum time from the scaling speed to the zero speed. Specified for each SARn
ramp, n = 0…1 separately. For example for SAR0: parameter 104 SAR0 min ramp
time to zero.
B Target time for the ramp down from the scaling speed to the zero speed. Specified for
each SARn ramp, n = 0…1 separately. For example for SAR0: parameter 103 SAR0
ramp time to zero.
C Ramp maximum time from the scaling speed to the zero speed. Specified for each SARn
ramp, n = 0…1 separately. For example for SAR0: parameter 105 SAR0 max ramp time
to zero.
D Initial allowed range for the SARn ramp. This is the time when the monitoring of the ramp
maximum time is started after the request. Common for all ramps SARn, n = 0…1.
Parameter 127 SAR initial allowed range.
Note: Maximum allowed time for a ramp is ten minutes from 1500 rpm to the zero speed.

Function indication
The logic state of the output indication can be configured to be active low or active
high.

STO, SS1, SSE


States of the configured and connected functions are indicated with FSO-11 digital
outputs when the function is started:
• Stopping functions are always started immediately (first they monitor the time,
then possibly the ramp).
• STO is indicated right away when the request is active (requested from input or by
diagnostics).
• Ramp monitoring (SAR0 and SAR1, see section Configuring SAR on page 127) is
not indicated.
Digital output indication is removed when the function is completed.
• SSE and SS1 are completed when the STO is acknowledged.
Stopping indication is activated when the stopping function has completed, but is not
yet acknowledged. There are separate indications for each stopping function STO,
SSE and SS1 (parameters 21 STO completed output, 31 SSE completed output and
40 SS1 completed output) and one common for all of them (parameter 6 Stop
completed output).

SLS
• SLS indication starts when the speed is in the monitored range, and indication is
removed when the function is completed or the monitored speed limit is exceeded
(this also causes the SLS to trip, that is, SSE is activated).

States
The FSO-11 can be in one of the following states:
• Power down: STO active, power off (below 19 V)
• Start-up: STO active, power on (above 19 V), start-up checks performed
• Configuration: STO active, setting of parameters
• Operational: STO inactive, FSO-11 running
• Safe: STO active, FSO-11 running
• Fault: STO active, FSO-11 or communication fault detected.

[Figure: FSO-11 state diagram. States: Power down (STO active), Start-up (STO active),
Operational (STO inactive), Configuration (STO active), Safe (STO active), Fault (STO
active). Transition labels: Power switch-off, Drive composer pro, Acknowledgement.
Legend: normal/obligatory transitions, possible transitions.]

At power-up, the FSO-11 goes into the Start-up state; it performs start-up checks and,
according to the configuration, enters the Operational state either automatically or
after a manual acknowledgement.
The Drive composer pro PC tool can request the Configuration state, when the
FSO-11 is in the Start-up, Operational, Safe or Fault state and the drive is in the
Torque off mode (not modulating). The FSO-11 exits the Configuration state into the
Start-up state either by a request from the Drive composer pro PC tool, or by
removing the power from the FSO-11 (through the Power down state).
In the Operational and Safe states, the FSO-11 can execute the safety functions.
Note: When the FSO-11 is in the Configuration state, the status/fault LED is lit red.
This requires the FSO-11 power down cycle to take the new parameters into use
before entering the Operational state.
If there is an internal fault, the FSO-11 enters the Fault state. The FSO-11 exits the
Fault state either by a request from the Drive composer pro PC tool into the
Configuration state, or by removing the power from the FSO-11 into the Power down
state or with drive parameter 96.09. In the latter case, the FSO-11 starts again
normally from the Start-up state after restoring power.
When the FSO-11 is in the Power down, Start-up, Configuration, Safe or Fault state,
the STO is always active. When the FSO-11 is in the Operational state, the STO is
inactive.
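
The states and transitions described above can be written down as a small model from which validation test sequences are derived, with the rule that STO is inactive only in the Operational state as the invariant. This is an added example, not ABB code; the event names are assumptions, and the Operational to Safe and Safe to Operational transitions are assumptions as well, since the text does not spell them out.

```python
from enum import Enum


class State(Enum):
    POWER_DOWN = "Power down"
    START_UP = "Start-up"
    CONFIGURATION = "Configuration"
    OPERATIONAL = "Operational"
    SAFE = "Safe"
    FAULT = "Fault"


class IllegalTransition(Exception):
    """Raised when an event is not accepted in the current state."""


def sto_active(state):
    """STO is inactive only in the Operational state."""
    return state is not State.OPERATIONAL


# Transitions stated in the text above.
FIXED_TRANSITIONS = {
    (State.POWER_DOWN, "power_on"): State.START_UP,
    (State.START_UP, "acknowledge"): State.OPERATIONAL,  # automatic or manual
    (State.CONFIGURATION, "tool_exit_configuration"): State.START_UP,
    (State.FAULT, "soft_boot_96_09"): State.START_UP,    # accepted only in Fault
    # Assumptions, not spelled out in the text:
    (State.OPERATIONAL, "safety_function_stop"): State.SAFE,
    (State.SAFE, "acknowledge"): State.OPERATIONAL,
}

# States from which the PC tool can request the Configuration state.
CONFIGURATION_ENTRY = {State.START_UP, State.OPERATIONAL, State.SAFE, State.FAULT}


def step(state, event, drive_modulating=False):
    """Return the next state, or raise IllegalTransition."""
    if event == "power_off":
        return State.POWER_DOWN
    if state is State.POWER_DOWN and event != "power_on":
        raise IllegalTransition(f"{event} while powered down")
    if event == "internal_fault":
        return State.FAULT
    if event == "tool_request_configuration":
        # Only allowed while the drive is in the Torque off mode (not modulating).
        if state in CONFIGURATION_ENTRY and not drive_modulating:
            return State.CONFIGURATION
        raise IllegalTransition(f"configuration request refused in {state.value}")
    try:
        return FIXED_TRANSITIONS[(state, event)]
    except KeyError:
        raise IllegalTransition(f"{event} not accepted in {state.value}") from None


def run(events, state=State.POWER_DOWN):
    """Apply events in order and return the list of visited states."""
    trace = [state]
    for event in events:
        state = step(state, event)
        trace.append(state)
    return trace
```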

Cascade
It is possible to cascade up to six FSO-11’s into a daisy-chain type network
(resembles somewhat an I/O master-follower system): If an FSO-11 triggers a
cascaded function, it passes the triggering information to the next FSO-11, which
triggers the next one, and so on, until the last FSO-11 again triggers the first one.

[Figure: cascaded FSO-11 modules (one master, two followers) with In/Out connections
for safety function 1 and safety function 2. Labels: Emergency stop, Acknowledgement,
Automatic acknowledgement.]

Cascade I/O connections must be set to use diagnostic pulsing.


One of the cascaded FSO-11’s must be configured as a master and the others as
followers.
All of the cascaded FSO-11’s must be set to use automatic acknowledgement. The
master may have an acknowledgement button, and the acknowledgement always
starts from the master.
Up to two safety functions can be cascaded. However, if the whole cascaded system
must trip after reaching a limit of either function, you must have either the SSE or
STO function in the system.
If an FSO-11 activates STO for any reason, the cascaded SSE output is also
triggered.

Safe torque off (STO)


STO base function
The STO brings the machine safely into a no-torque state and/or prevents it from
starting accidentally.
For more information on the STO base function in ACS880 drives, see the drive
Firmware manual.
The operation of the STO function is described in the time diagram and table below.

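[Figure: STO time diagram. Motor speed versus time with STO time to zero speed;
signals: STO request, STO state (active/inactive), STO state indication, STO completed
indication. Items A, B and 1 to 4 are described in the table below.]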

ID Description
A Time to zero speed: Time from the STO activation to the moment when the
acknowledgment becomes allowed. Configured to the estimated time in which the motor
coasts to a stop from the maximum speed.
B STO request removal allowed (shaded area). The STO request must be active for at
least 10 ms. The STO request must be removed before the acknowledgement is
accepted.
1 STO activated after the STO request has been received (for example from the I/O)
2 Acknowledgement is not allowed before the motor is presumably stopped.
3 After the time to zero speed (A) has elapsed, the STO is completed and the
acknowledgement is possible as soon as the STO request has been removed.
4 After the acknowledgement (manual or automatic), the STO is deactivated.

Note: Logic states of the STO state indication and STO completed indication signals
(outputs) are configurable.
Note: STO activation also activates the SSE state indication signal (output), if the
SSE is cascaded. See Safe stop emergency (SSE) on page 50 and Cascade on
page 39.
For configuration, see section How to configure STO on page 107 in chapter
Configuration.

Safe brake control (SBC)


The SBC provides a safe output for controlling external (mechanical) brakes.
If the SBC is used, it is always combined with the STO, except in drive proof testing.
The SBC can be configured to be activated before, at the same time as, or after the
STO. The SBC and STO combination can also be configured to be activated below a
certain speed level while ramping down to the zero speed (see SS1 with speed limit
activated SBC on page 49 and SSE with speed limit activated SBC on page 55). In
that case, the SBC is activated at the configured speed level.

SBC after STO


The operation of the SBC after the STO is described in the time diagram and table
below.

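[Figure: SBC after STO time diagram. Motor speed versus time with SBC delay and STO
time to zero speed; signals: STO request, STO state (active/inactive), STO state
indication, SBC control (active/inactive), STO completed indication. Items A to C and
1 to 5 are described in the table below.]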

ID Description
A SBC delay: Time from the STO activation to the moment when the mechanical brake is
active (on). Configurable.
B Time to zero speed: Time from the STO activation to the moment when the
acknowledgment becomes allowed. Configured to the estimated time in which the motor
coasts to a stop from the maximum speed.
C STO request removal allowed (shaded area). The STO request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
1 STO activated after the STO request has been received (for example from the I/O)
2 SBC is activated
3 Acknowledgement is not allowed before the motor is presumably stopped.
4 After the time to zero speed (B) has elapsed, the STO is completed and the
acknowledgement is possible as soon as the STO request has been removed.
5 After the acknowledgement (manual or automatic), the STO and SBC are deactivated,
and the control is given back to the drive, which controls the brake from now on.

Note: Logic states of the STO state indication and STO completed indication signals
(outputs) are configurable.
Note: STO activation also activates the SSE state indication signal (output), if the
SSE is cascaded. See Safe stop emergency (SSE) on page 50 and Cascade on
page 39.
It is possible to set the SBC delay so that the SBC is activated while the motor is still
rotating, as in the example above.
For configuration, see section How to configure SBC after STO on page 109 in
chapter Configuration.

SBC before STO


The purpose of the 'negative' SBC delay is to have the mechanical brake closed just
before (or at the same moment as) the STO is opened.
The operation of the SBC before the STO is described in the time diagram and table
below.

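[Time diagram: motor speed against time, marking the STO time to zero speed and the SBC delay (SBC delay < 0). Signal traces: STO request, STO state, STO state indication, SBC control, STO completed indication. The letters and numbers in the table below refer to this diagram.]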

ID Description
A SBC delay: Time from the STO activation to the moment when the mechanical brake is
active (on). Value negative.
B Time to zero speed: Time from the STO activation to the moment when the
acknowledgment becomes allowed. Configured to the estimated time in which the motor
coasts to a stop from the maximum speed.
C STO request removal allowed (shaded area). The STO request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
1 SBC activated after the STO request has been received (for example from the I/O)
2 Braking has ended and the motor is at a standstill.
3 STO activated after the SBC delay (A) has elapsed.
4 After the time to zero speed (B) has elapsed, the acknowledgement is possible as soon
as the STO request has been removed.
5 After the acknowledgement (manual or automatic), the STO and SBC are deactivated,
and the control is given back to the drive, which controls the brake from now on.

Note: Logic states of the STO state indication and STO completed indication signals
(outputs) are configurable.
Note: STO activation also activates the SSE state indication signal (output), if the
SSE is cascaded. See Safe stop emergency (SSE) on page 50 and Cascade on
page 39.
For configuration, see section How to configure SBC before STO on page 111 in
chapter Configuration.

Safe stop 1 (SS1)


The SS1 stops the motor safely, initiating the STO function below a specified speed
or after a specified time limit.

SS1 with time monitoring

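[Time diagram: motor speed against time, marking the SS1 delay for STO, the STO time to zero speed and the zero speed limit. Signal traces: SS1 request, STO state, STO state indication, SS1 state, SS1 state indication, SS1 completed indication. The letters and numbers in the table below refer to this diagram.]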

ID Description
A SS1 delay for STO: Time after which the STO is activated regardless of the speed.
B Time to zero speed: Time from the STO activation to the moment when acknowledgment
becomes allowed. Configured to the estimated time in which the motor coasts to a stop
from the maximum speed. Relevant only if 3b occurs.
C Zero speed: Speed limit for activating the STO
D SS1 request removal allowed (shaded area). The SS1 request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
E Safety function response time
1 SS1 request received (for example from the I/O)
2 After the safety function response time, ramping down is started (ramp is defined by the
drive).
3 Speed goes below the defined zero speed limit, and the STO is activated.
Note: You can also define an extra STO delay. See parameter 171 Zero speed delay for
STO.
3b If the drive has not ramped down fast enough when the delay for STO (A) has elapsed,
the STO is activated now and the time to zero speed (B) is started.
4 After the acknowledgement (manual or automatic), the STO and SS1 are deactivated.
4b If the drive had not ramped down fast enough at 3b, acknowledgement would become
allowed now.

Note: Logic states of the STO state indication, SS1 state indication and SS1
completed indication signals (output) are configurable.
Note: SS1 monitoring is started immediately after the SS1 request is received.
For configuration, see section How to configure SS1 with time monitoring on page
113 in chapter Configuration.

SS1 with ramp monitoring

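[Time diagram: motor speed against time, marking the STO time to zero speed and the zero speed limit. Signal traces: SS1 request, STO state, STO state indication, SS1 state, SS1 state indication, SS1 completed indication. The letters and numbers in the table below refer to this diagram.]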

ID Description
A Time to zero speed: Time from the STO activation to the moment when the
acknowledgment becomes allowed. Configured to the estimated time in which the motor
coasts to a stop from the maximum speed. Relevant only if 2b occurs.
B Zero speed: Speed limit for activating the STO.
C SS1 request removal allowed (shaded area). The SS1 request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
D Safety function response time
1 SS1 request received (for example from the I/O)
2 After the safety function response time, ramping down with SAR1 ramp and SAR1 ramp
monitoring is started.
2b If the drive has not followed the ramp, the STO is activated now and the time to zero
speed (A) is started.
3 Speed goes below the defined zero limit, the SAR monitoring is stopped and the STO is
activated.
Note: You can also define an extra STO delay. See parameter 171 Zero speed delay for
STO.
4 After acknowledgement (manual or automatic), the STO and SS1 are deactivated, and
the control is given back to the drive, which is allowed to modulate again.
4b If the drive had not followed the ramp at 2b, acknowledgement would become allowed
now.

Note: Logic states of the STO state indication, SS1 state indication and SS1
completed indication signals (output) are configurable.
For configuration, see section How to configure SS1 with ramp monitoring on
page 115 in chapter Configuration.
Note: If parameter 106 SAR1 ramp time to zero has value 0, the drive defines ramp
times.

SS1 with speed limit activated SBC


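[Time diagram: motor speed against time, marking the SBC speed and the zero speed limit. Signal traces: SS1 request, STO state, STO state indication, SBC control, SS1 state, SS1 state indication, SS1 completed indication. The letters and numbers in the table below refer to this diagram.]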

ID Description
A SBC speed: Speed below which the brake is activated while ramping
B Zero speed: Speed limit for activating the STO
C SS1 request removal allowed (shaded area). The SS1 request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
D Safety function response time
1 SS1 is requested (for example from the I/O).
2 After the safety function response time, ramping down with SAR0/SAR1 monitoring is
started.
3 Speed is below the SBC speed; the SAR monitoring is stopped and the brake is
activated.
4 STO is activated after brake activation.
5 After acknowledgement (manual or automatic), the STO and the brake are deactivated,
and the control is given back to the drive, which is allowed to modulate again.

Note: Logic states of the STO state indication, SS1 state indication and SS1
completed indication signals (output) are configurable.
For configuration, see section How to configure SS1 with speed limit activated SBC
on page 117 in chapter Configuration.

Safe stop emergency (SSE)


The SSE can be configured to execute either the STO, or the SS1 with emergency
ramp.
The behavior of the SSE with STO is identical to the pure STO, except that different
timing parameters are used.
The behavior of the SSE with SS1 with emergency ramp is identical to the SS1 with
ramp monitoring.
For configuration, see section How to configure SSE on page 119 in chapter
Configuration.
Always set the SSE related parameters. An internal monitoring of the FSO module
may trigger the SSE function even if you have not defined any external request
signal.
The operation of the SSE function with STO is described in the time diagram and
table below.

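[Time diagram: motor speed against time, marking the SSE time to zero speed with STO. Signal traces: SSE request, STO state, STO state indication, SSE state, SSE state indication, SSE completed indication. The letters and numbers in the table below refer to this diagram.]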

ID Description
A SSE time to zero speed with STO: Time from the STO activation to the moment when the
acknowledgment becomes allowed. Configured to the estimated time in which the motor
coasts to a stop from the maximum speed.
B SSE request removal allowed (shaded area). The SSE request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
1 STO activated after the SSE request has been received (for example from the I/O).
2 Acknowledgment not yet allowed before the motor is presumably stopped.
3 After the time to zero speed (A) has elapsed, the acknowledgement is possible as soon
as the STO request has been removed.
4 After the acknowledgement, the STO and SSE are deactivated, and the control is given
back to the drive.

Note: Logic states of the STO state indication signal, SSE state indication and SSE
completed indication signals (output) are configurable.

SSE with time monitoring

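[Time diagram: motor speed against time, marking the SSE delay for STO, the STO time to zero speed and the zero speed limit. Signal traces: SSE request, STO state, STO state indication, SSE state, SSE state indication, SSE completed indication. The letters and numbers in the table below refer to this diagram.]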

ID Description
A SSE delay for STO: Time after which the STO is activated regardless of the speed.
B STO time to zero speed: Time from the STO activation to the moment when
acknowledgment becomes allowed. Configured to the estimated time in which the motor
coasts to a stop from the maximum speed. Relevant only if 3b occurs.
C Zero speed: Speed limit for activating the STO
D SSE request removal allowed (shaded area). The SSE request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
E Safety function response time
1 SSE request received (for example from the I/O)
2 Ramping down is started. (SAR0 ramp)
3 Speed goes below the defined zero speed limit and the STO is activated.
Note: You can also define an extra STO delay. See parameter 171 Zero speed delay for
STO.
3b If the drive has not ramped down fast enough when the delay for STO (A) has elapsed,
the STO is activated now and the time to zero speed (B) is started.
4 After acknowledgement (manual or automatic), the STO and SSE are deactivated.
4b If the drive had not ramped down fast enough at 3b, acknowledgement would become
allowed now.

Note: Logic states of the STO state indication signal, SSE state indication and SSE
completed indication signals (output) are configurable.
Note: SSE monitoring is started immediately after the SSE request is received.
For configuration, see section How to configure SSE with time monitoring on
page 121 in chapter Configuration.
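The two outcomes of time monitoring (rows 3 and 3b in the tables for SS1 with time monitoring and SSE with time monitoring), as an added example that is not ABB code: a Python sketch that classifies a speed trace recorded during a stop test. The function names, the millisecond units and the sample traces are assumptions made for the example; the extra delay of parameter 171 and the minimum down time of the request are not modelled.

```python
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class TimeMonitoring:
    """Timing parameters, named after the IDs in the tables above."""
    delay_for_sto_ms: int        # A: STO is activated after this time regardless of speed
    time_to_zero_speed_ms: int   # B: coast-down estimate, relevant only if 3b occurs
    zero_speed_rpm: float        # C: speed limit for activating the STO


@dataclass(frozen=True)
class StopResult:
    path: str                  # "3": zero speed reached in time; "3b": delay A elapsed first
    sto_at_ms: int             # STO activation, measured from the stop request
    ack_allowed_from_ms: int   # earliest moment an acknowledgement can be accepted


def evaluate_stop(trace: Sequence[Tuple[int, float]], cfg: TimeMonitoring) -> StopResult:
    """Classify a recorded stop. trace holds (ms since the request, speed in rpm)."""
    if not trace:
        raise ValueError("empty speed trace")
    last_t = -1
    for t_ms, speed_rpm in trace:
        if t_ms <= last_t:
            raise ValueError("timestamps must be strictly increasing")
        last_t = t_ms
        if t_ms > cfg.delay_for_sto_ms:
            break                               # delay A elapsed before zero speed
        if abs(speed_rpm) < cfg.zero_speed_rpm:
            # Row 3: speed below the zero speed limit, STO is activated here.
            return StopResult("3", t_ms, t_ms)
    if last_t < cfg.delay_for_sto_ms:
        raise ValueError("trace ends before the delay for STO has elapsed")
    # Row 3b: STO is forced at A and the time to zero speed (B) starts;
    # row 4b: acknowledgement becomes allowed only at A + B.
    a = cfg.delay_for_sto_ms
    return StopResult("3b", a, a + cfg.time_to_zero_speed_ms)


def acknowledgement_accepted(result: StopResult, now_ms: int, request_active: bool) -> bool:
    """The request must be removed before the acknowledgement is accepted."""
    return now_ms >= result.ack_allowed_from_ms and not request_active


# Constructed sample data: one stop that follows the ramp, one that is too slow.
CFG = TimeMonitoring(delay_for_sto_ms=2000, time_to_zero_speed_ms=4000, zero_speed_rpm=30.0)
FAST_RAMP = [(0, 1500), (100, 1500), (600, 900), (1100, 300), (1500, 20), (1600, 0)]
SLOW_RAMP = [(0, 1500), (100, 1500), (1000, 1200), (2000, 900), (3000, 600)]

if __name__ == "__main__":
    for name, trace in (("fast ramp", FAST_RAMP), ("slow ramp", SLOW_RAMP)):
        print(name, evaluate_stop(trace, CFG))
```

A stop that ends on path 3b during commissioning means the drive ramp is slower than the configured delay for STO allows, so the motor coasts instead of ramping to a stop.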

SSE with ramp monitoring

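[Time diagram: motor speed against time, marking the STO time to zero speed and the zero speed limit. Signal traces: SSE request, STO state, STO state indication, SSE state, SSE state indication, SSE completed indication. The letters and numbers in the table below refer to this diagram.]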

ID Description
A Time to zero speed: Time from the STO activation to the moment when the
acknowledgment becomes allowed. Configured to the estimated time in which the motor
coasts to a stop from the maximum speed. Relevant only if 2b occurs.
B Zero speed: Speed limit for activating the STO.
C SSE request removal allowed (shaded area). The SSE request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
1 SSE request received (for example from the I/O)
2 After the safety function response time, ramping down with SAR0 monitoring is started.
2b If the drive has not followed the ramp, the STO is activated now and the time to zero
speed (A) is started.
3 Speed goes below the defined zero limit, the SAR monitoring is stopped and the STO is
activated.
Note: You can also define an extra STO delay. See parameter 171 Zero speed delay for
STO.
4 After the acknowledgement (manual or automatic), the STO and SSE are deactivated,
and the control is given back to the drive, which is allowed to modulate again.
4b If the drive had not followed the ramp at 2b, acknowledgement would become allowed
now.

Note: Logic states of the STO state indication signal, SSE state indication and SSE
completed indication signals (output) are configurable.
For configuration, see section How to configure SSE with ramp monitoring on
page 123 in chapter Configuration.

SSE with speed limit activated SBC

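[Time diagram: motor speed against time, marking the SBC speed and the zero speed limit. Signal traces: SSE request, STO state, STO state indication, SBC control, SSE state, SSE state indication, SSE completed indication. The letters and numbers in the table below refer to this diagram.]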

ID Description
A SBC speed: Speed below which the brake is activated while ramping
B Zero speed: Speed limit for activating the STO
C SSE request removal allowed (shaded area). The SSE request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
1 SSE is requested (for example from the I/O).
2 Ramping down with SAR0 monitoring is started.
3 Speed is below the SBC speed; the SAR monitoring is stopped and the brake is
activated.
4 STO is activated after the brake activation.
5 After the acknowledgement (manual or automatic), the STO and the brake are
deactivated, and the control is given back to the drive.

Note: Logic states of the STO state indication signal, SSE state indication and SSE
completed indication signals (output) are configurable.
For configuration, see section How to configure SSE with speed limit activated SBC
on page 125 in chapter Configuration.

Safely-limited speed (SLS)


The SLS prevents the motor from exceeding the specified speed limit.
If the speed should reach the maximum limit, the SSE would be activated.

SLS with speed below monitored speed


This applies to both time and ramp monitoring.

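[Time diagram: motor speed against time, marking the zero speed limit. Signal traces: SLS request, SLS state, SLS state indication. The letters and numbers in the table below refer to this diagram.]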

ID Description
A SLS upper trip limit
B SLS request removal allowed (shaded area). The SLS request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
1 SLS is requested, the speed is below the SLS upper trip limit and so the monitoring is
started.
2 SLS request is removed, but the monitoring is still on if manual acknowledgement is
configured. If automatic acknowledgement is configured, the monitoring is also ended.
3 SLS is acknowledged (manually) and the monitoring is ended.

Note: Logic state of the SLS state indication signal (output) is configurable.
For configuration, see section Configuring SLS on page 128 in chapter Configuration.

SLS with speed above monitored speed


This applies to time monitoring.

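[Time diagram: motor speed against time, marking the SLS time delay and the zero speed limit. Signal traces: SLS request, SLS state, SLS state indication. The letters and numbers in the table below refer to this diagram.]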

ID Description
A SLS upper trip limit
B SLS request removal allowed (shaded area). The SLS request can be removed after a
minimum down time. It must be removed before the acknowledgement is accepted.
C SLS time delay: Delay for forcing to start SLS monitoring when time monitoring is in use.
D Safety function response time
1 SLS is requested but the speed is above the SLS upper trip limit.
2 The drive starts to ramp down. If ramp monitoring were in use, the SAR1 ramp would be
used from here until the speed would go below the SLS upper trip limit. If time monitoring
were in use, the ramp defined by the drive parameters would be used from here until the
speed would go below the SLS upper trip limit.
3 Speed is below the SLS upper trip limit and the monitoring of the SLS is started.
4 The FSO-11 would start the SLS monitoring at the latest here, that is, after the SLS time
delay has elapsed.
5 SLS request is removed, but the monitoring is still on.
6 SLS is acknowledged (manually or automatically) and the monitoring is ended. When the
SLS is removed, the drive continues with the previously set speed.

Note: Logic state of the SLS state indication signal (output) is configurable.
Note: If the SLS monitoring must be activated immediately, regardless of the current
speed, time monitoring with zero time must be used instead of ramp monitoring.
For configuration, see section Configuring SLS on page 128 in chapter Configuration.

Safe maximum speed (SMS)


SMS is used to protect the machine from too high speeds/frequencies. It can only be
configured to be on or off. The upper and lower limits can be configured separately.
If the speed should reach the maximum limit, the SSE would be activated.

[Diagram: motor speed against time. The letters in the table below refer to this diagram.]

ID Description
A SMS maximum speed
B SMS minimum speed

For configuration, see section Configuring SMS on page 134 in chapter Configuration.

6. Planning for installation
Contents of this chapter
This chapter gives instructions and references to instructions in other manuals for
planning the safety system installation, as well as the requirements for installation in
the applicable safety standards.

Requirements for designers and installers


• Designers and installers must be trained to understand the requirements and
principles of designing and installing safety-related systems.
• Designers and maintainers must be trained to understand the causes and
consequences of Common Cause Failures (CCF). See the checklist for the
appropriate standard in section Common cause failure (CCF) checklists on page
72.

Mechanical installation
Installation site
The subsystem elements must always be likely to operate within the range of
temperature, humidity, corrosion, dust, vibration, etc. over which they have been tested,
without the use of external environmental control.
The FSO-11 module must only be used in an environment where no conductive dust
or contaminants are present. One way to ensure proper protection against
contamination is to use the FSO-11 in at least an IP 54 enclosure. For further
information on environmental limits of the FSO-11, see chapter Planning the
mechanical installation in the drive Hardware manual.

WARNING! Operating the drive system with a safety module in environmental
conditions that are outside of the specified ranges for the safety module may
result in losing the safety function.

Electrical installation
General requirements
Electrical installation of the safety system must be performed according to the
practices outlined in chapter Planning the electrical installation in the drive Hardware
manual.
Reading chapter Installation checklists on page 71 provides additional advice for the
planning.
All wiring must be well protected, routed and clamped where practicable.
When installing the cabling, make sure that there is no pulling or pinching on the
cables.

Connections
Inputs and outputs
To design the safety system architecture and select components to be used, it is
essential to read and understand the different architecture options (for example single
channel / redundancy).
Single inputs can be connected to any connection X113:1…4 or X114:1…4, and they
can use either one of the test pulses X113:10 and X114:10.
Redundant inputs must be connected so that one input is connected to X113:n and
uses test pulse X113:10, and the other is connected to X114:n and uses test pulse
X114:10 (n = 1…4; the same for both inputs).

TP2 X114:10 Test pulse 1
TP1 X113:10 Test pulse 2
DI1 X113:n, n = 1…4 Digital input 1
DI2 X114:n, n = 1…4 Digital input 2

Note: Calculation software can be used to assist in selecting the appropriate
architecture that will meet the safety integrity requirements for a particular application.
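The connection rule for single and redundant inputs stated above can be checked against a wiring plan before installation. The following Python sketch is an added example, not part of the ABB manual or tooling; the plan format, the function names and the device names in the sample plan are assumptions made for the example.

```python
import re

TERMINAL = re.compile(r"^X(113|114):(\d{1,2})$")
DI_PINS = range(1, 5)   # digital inputs are terminals 1…4 on X113 and X114
TP_PIN = 10             # the test pulse output is terminal 10 on each connector


def parse_terminal(text):
    """Split 'X113:4' into ('X113', 4); reject anything else."""
    match = TERMINAL.match(text.strip())
    if match is None:
        raise ValueError(f"not an X113/X114 terminal: {text!r}")
    return "X" + match.group(1), int(match.group(2))


def check_device(channels):
    """Return the rule violations for one input device.

    channels: list of (input_terminal, test_pulse_terminal), one entry per channel.
    """
    findings, parsed = [], []
    for di_text, tp_text in channels:
        try:
            di, tp = parse_terminal(di_text), parse_terminal(tp_text)
        except ValueError as err:
            findings.append(str(err))
            continue
        if di[1] not in DI_PINS:
            findings.append(f"{di_text} is not a digital input (use pins 1…4)")
        if tp[1] != TP_PIN:
            findings.append(f"{tp_text} is not a test pulse output (use pin 10)")
        parsed.append((di, tp))
    if findings:
        return findings
    if len(parsed) == 1:
        return []   # single input: any digital input, either test pulse
    if len(parsed) != 2:
        return [f"expected 1 or 2 channels, got {len(parsed)}"]
    (di_a, _), (di_b, _) = parsed
    if {di_a[0], di_b[0]} != {"X113", "X114"}:
        findings.append("redundant channels need one input on X113 and one on X114")
    if di_a[1] != di_b[1]:
        findings.append(f"redundant channels need the same pin n (got {di_a[1]} and {di_b[1]})")
    for di, tp in parsed:
        if tp[0] != di[0]:
            findings.append(f"{di[0]}:{di[1]} must use the test pulse of its own connector, {di[0]}:10")
    return findings


def check_plan(plan):
    """Map each device name that breaks the rule to its list of findings."""
    report = {}
    for name, channels in plan.items():
        findings = check_device(channels)
        if findings:
            report[name] = findings
    return report


# Constructed wiring plan (device names are illustrative).
PLAN = {
    "E-stop button": [("X113:1", "X113:10"), ("X114:1", "X114:10")],  # correct, redundant
    "Limit switch":  [("X114:3", "X113:10")],                          # correct, single
    "Door switch":   [("X113:2", "X113:10"), ("X114:3", "X114:10")],  # different n
    "Gate switch":   [("X113:4", "X114:10"), ("X114:4", "X114:10")],  # shared test pulse
    "Reset button":  [("X113:5", "X113:10")],                          # pin 5 is GND
}

if __name__ == "__main__":
    for device, problems in check_plan(PLAN).items():
        print(device, "->", "; ".join(problems))
```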

Power supply connection/cables


The system must be protected against over-voltage and over-current.
The length of the cabling between the FSO-11 and its power supply must be
three meters or shorter, or a sufficiently low interference level must be otherwise
guaranteed.
Note: The 24 V DC power supply should be equipped with a supply disconnecting
device to enable the easy start-up of the FSO-11.

Ensuring the EMC compatibility


The system must only be used in the EMC environment it is designed for, or
necessary mitigations must be applied.

Selecting control cables


For the control cables to on-field devices, it is recommended that shielded cabling is
used. Double-shielded cable is the best alternative for low-voltage digital signals but
single-shielded twisted multipair cable is also usable.
See Control connection data on page 163 and chapter Planning the electrical
installation in the drive Hardware manual.

Routing the cables


See chapter Planning the electrical installation in the drive Hardware manual. Follow
especially the rules below:
• When using redundant signaling, take care to avoid common cause failures in the
cables. This can be done by routing the two channels through two well-apart
routes, or by protecting the cabling appropriately, for example by using double-
shielded cables.
• Never mix 24V-level signals with non-ELV-signals or power feeds in the same
cable.
• Safety Related Electronic Control System (SRECS) signal cables for the
individual channels must be routed separately from the other channels at all
positions or sufficiently shielded.
• SRECS signal and electrical energy power cables must be separated at all
positions or sufficiently shielded.
• Cross-connection between the channels of the subsystem must be prevented.
• Signal paths must be physically separated (for example separation in wiring).

Standard function and wiring examples


Passive switch
Examples:
• Limit switch
• Emergency stop button

[Wiring diagram: terminal blocks X113 and X114 (DI 1…4, GND 5…6, DO 7…9, TP 10), with channel separation and diagnostic pulses marked. Figure note: Physical separation of the different channels or appropriate cable protection (e.g. double-shielding).]

Relay / contactor output with feedback


Safety relays must have positive driven contacts. Contactors must have mechanically
linked contacts.
Examples:
• Brake control
• Door/gate unlock

[Wiring diagram: terminal blocks X113 and X114 (DI 1…4, GND 5…6, DO 7…9, TP 10), with diagnostic pulses marked.]

Active sensors / input signals from solid state devices


Examples:
• PLC 24 V DC PNP
• Light curtain OSSD

[Wiring diagram: terminal blocks X113 and X114 (DI 1…4, GND 5…6, DO 7…9, TP 10) connected to the 24 V DC PNP outputs CH 1 and CH 2 of an active device, with + and COM / GND, and channel separation marked. Figure notes: Physical separation of the different channels or appropriate cable protection (e.g. double-shielding). Diagnostic pulses from an active sensor must not be overlapping.]

Outputs to solid state devices


Example:
• PLC 24 V DC NPN

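[Wiring diagram: terminal blocks X113 and X114 (DI 1…4, GND 5…6, DO 7…9, TP 10) connected to the 24 V DC NPN inputs CH 1 and CH 2 of a solid state device, with + and COM / GND, and channel separation and diagnostic pulses marked. Figure note: Physical separation of the different channels or appropriate cable protection (e.g. double-shielding).]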

Cascade
Example:

[Wiring diagram: cascade of three modules, Module 1 (cascade master), Module 2 and Module 3, each with terminal blocks X114 and X113 (DI 1…4, GND 5…6, DO 7…9, TP 10) and a common GND. An E-stop button and an ACK button are shown. Channel separation and diagnostic pulses are marked. Figure note: Physical separation of the different channels or appropriate cable protection (e.g. double-shielding).]

7. Installation
Contents of this chapter
This chapter gives examples of how to connect the FSO-11 module to the ACS880.

WARNING! The supply voltage for FSO-11 is 24 V DC. If the FSO-11 is
supplied with a higher voltage, for example 230 V or 115 V, it is damaged and
needs to be replaced.

WARNING! For connecting the FSO-11 module to the drive, only use wire kits
delivered by ABB.

Mechanical installation
If you have ordered the FSO-11 module option with the drive, it is delivered with the
FSO-11 already installed and the FSO-11 data cable connected, so you can go
directly to section Electrical installation on page 67.
If you have ordered the FSO-11 module option separately, it is delivered in its own
package. Install the FSO-11 mechanically on the drive as described in chapter
Electrical installation in the drive Hardware manual.
Depending on the type of the drive, the location of the module may be for example
one of the following:

Electrical installation
Terminals
The connections are shown in the figure below.

X110:
DATA Data connection to drive control unit

X111:
1 STO STO 24 V
2 STO STO ground
3 STO STO1LO drive internal signal
4 STO STO2LO drive internal signal

X112:
1 POWER 24 V
2 POWER 0 V

X113:
1 DI Channel 1 digital input 1
2 DI Channel 1 digital input 2
3 DI Channel 1 digital input 3
4 DI Channel 1 digital input 4
5 GND Signal ground
6 GND Signal ground
7 DO Channel 1 digital output 1
8 DO Channel 1 digital output 2
9 DO Channel 1 digital output 3
10 TP Channel 1 test pulse out

X114:
1 DI Channel 2 digital input 1
2 DI Channel 2 digital input 2
3 DI Channel 2 digital input 3
4 DI Channel 2 digital input 4
5 GND Signal ground
6 GND Signal ground
7 DO Channel 2 digital output 1
8 DO Channel 2 digital output 2
9 DO Channel 2 digital output 3
10 TP Channel 2 test pulse out

A Electronics grounding screw
B Enclosure grounding screw, at one of the mounting points, depending on the drive type

Connection procedure
Depending on the type of the drive, the location of the module may be for example
one of the following shown in the figures below.
1. Ensure that the FSO-11 electronics grounding screw is properly tightened.
2. Ensure that the FSO-11 enclosure grounding screw is properly tightened.


3. Ensure that the FSO-11 data cable (terminal X110) is connected to the drive.


4. Connect the supplied four-wire cable to the FSO-11 terminal X111 and plug the
other end of the cable to the drive STO connection. Use the tightening torque of
0.24 Nm (2.1 lbf·in) for the FSO-11 terminals.
5. Connect the digital inputs, digital outputs, test pulses and ground at the FSO-11
terminals X113 and X114 according to the application. Use the tightening torque
of 0.24 Nm (2.1 lbf·in).


6. Connect the power supply wires to the FSO-11 terminal X112. Use the tightening
torque of 0.24 Nm (2.1 lbf·in) for the FSO-11 terminals.


8. Installation checklists
Contents of this chapter
This chapter contains a checklist for checking the mechanical and electrical
installation of the FSO-11 module and refers to common cause failure checklists in
standards.

Checklists
Check the mechanical and electrical installation of the FSO-11 before start-up. Go
through the checklists below together with another person. Read chapter Safety on
page 11 before you work on the safety system.

General checklist

Check

MECHANICAL INSTALLATION (See Planning for installation and Installation: Mechanical installation)
• The ambient operating conditions are within the allowed range.
• The module is fastened properly.

ELECTRICAL INSTALLATION (See Planning for installation and Installation: Electrical installation)
• The drive and the module are properly grounded to the same potential.
• If a PELV power supply is used, its ground has to be at the same potential as the drive
ground.
• Appropriate supply (input power) fuses are installed.
• Signal wiring between the drive and the module is routed separately from the power
supply wiring and high power cables (drive supply and motor cabling).
• Signal wiring is appropriately clamped, marked and protected.

Common cause failure (CCF) checklists


Check measures against common cause failures (CCF). There is one checklist in
EN ISO 13849-1 and another in EN 62061. The checklists are useful for both the
planning of the installation and the actual installation.

9. Configuration
Contents of this chapter
This chapter describes the password usage, outlines the configuration process, lists
the FSO-11 parameters and gives examples of how to configure the FSO-11 to
implement each safety function as described in chapter Implemented safety functions
on page 33.

Password
Note: You need a password to be able to copy the configuration to the FSO-11.
The configuration is protected with a password. You need a password to be able to
upload the parameters from the drive to the FSO-11 and download the modified
parameters from your PC to the FSO-11.
The password is set to “12345678” at the factory. The password must contain 4…8
digits. When you change it, do not forget the new password; otherwise you have to do
a factory reset on the FSO-11, which clears the configuration, resets the
parameters to the factory defaults and resets the password to the default “12345678”.
Factory defaults are not a valid configuration, so you then have to reconfigure the FSO-11
or download the configuration to the FSO-11.

Configuring the FSO-11


The FSO-11 parameters are set with the Drive composer pro PC tool. The names of
the FSO-11 parameters and parameter settings are shown in the manual as they
appear on the screen when using the tool. See the Drive composer PC tool user's
manual (3AUA0000094606 [English]) for instructions on using the tool.
Note: Only trained persons are allowed to configure safety functions.

Note: Configuration is only possible when the motor is stopped and the drive is not
modulating.
Note: After you initially start up the FSO-11 and also after you later modify any
application parameters or the configuration, you must check the safety of the entire
system by doing a verification according to the system safety verification plan and by
doing a validation of the correct operation of the safety application. See Verification
and validation on page 137.
When configuring the FSO-11, follow the steps shown in the diagram below:

[Flow diagram: Configuration (1 Plan configuration; 2 Configure; 3 Print, sign and file the configuration report), followed by: Do commissioning tests; Print, sign and file the commissioning report.]

1. Plan the configuration (parameter values) according to the safety system,
   installation, wiring, etc.
2. Set the parameter values in the Drive composer pro PC tool.
   a. Start the drive and stop the motor.
   b. Connect your PC to the drive, start the tool and select Safety settings.
   c. Open the parameters for setting in one of these two ways:
      • First start: Upload the parameters from the FSO-11 to the tool (button
        Upload from FSO). Password is required.
      • Existing configuration: Open the configuration file (button Open safety
        file).
   d. Set the safety function parameters.
      • General parameters: Start from the general parameters. Check at least
        that the motor parameters are correct.
      • I/O: Check that the I/O parameters are set according to the installation
        (wiring) plan. Remove diagnostic pulsing from any unused I/O. Check
        possible safety relays and cascade connections.
        Note: If there are only passive devices (for example switches) connected,
        do not make any changes to the diagnostic pulsing. However, if there is an
        active device (for example a PLC or light curtain), check if it can use the
        same diagnostic pulsing as the FSO-11; if not, tune the FSO-11 diagnostic
        pulsing.
      • Safety functions: You must at least configure the STO, regardless of what
        you use the FSO-11 for or which safety functions you are using. The STO
        is essential for the FSO-11 to be able to make the system safe; all other
        functions are just for monitoring the drive.
   e. After configuring all functions, do these two steps:
      • Save the configuration to your PC (button Save safety file).
      • Download the configuration to the FSO-11 (button Download to FSO and
        validate). Password is required.
   f. After downloading, the FSO-11 and the tool validate the configuration, and the
      tool asks you to confirm the validation.
   g. The tool then automatically reboots the drive to take the changes into use.
   h. If necessary, change the password to protect the settings (button Change
      password). Password is required.
      Note: The motor must be stopped if you change the password.
3. After validation, print the report from the configuration, including all the values of
   the parameters and CRC. Sign and file the report according to your safety
   management plan.
Note: If you want to clear the configuration and start configuration again from the
factory setup, do a factory reset. See section Factory reset on page 161.

FSO-11 parameters
The following table lists the FSO-11 parameters. The parameter row shows the
parameter number, name, description and default value. The subsequent rows show
the parameter value range, or the names, descriptions and numerical values of the
selectable named alternatives.
For additional information on parameters and their settings, see the drive Firmware
manual.
Note: When the encoderless mode is used, the unit of the speed parameters is rpm.

Note: When the FSO-11 is connected to the drive, you must set drive parameter
31.22 STO indication run/stop to value 3, 4 or 5. This setting prevents the drive from
generating a fault every time the FSO-11 opens the STO. The FSO-11 will generate the
necessary faults to the drive event system.
Note: If Time is selected for the method of SLS activation monitoring, the ramp used
is defined by the drive ramp parameters.
No Name/Value Description Default / sel. value
200 Safety Safety related parameters
1 FSO type Type of the safety functions module 12
6 Stop completed Digital output indicating completion of any stop. Active None
output if STO, SSE or SS1 is completed.
None No input connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
7 STO input A Digital input connected to the STO primary input DI X113:1 &
X114:1
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
8 STO input B Digital input connected to the STO secondary input. None
Secondary input is mostly used for the cascade
connection.
See parameters 188 Cascade A and 189 Cascade B.
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
9 Restart delay after Time after which the restart is allowed after the STO 2000 ms
STO
0…3,600,000 ms Time
11 STO SBC usage Brake usage is always coupled with the STO. This None
parameter defines how.
None No brake 0
Delayed brake Time controlled brake 1
12 STO SBC delay Brake usage delay relative to the STO. Negative value means
that the brake is activated before STO activation. Note: Mechanical brake
delays must be included here. Default: 3,600,000 ms
-1000…3,600,000 ms Time
15 SSE/SS1 SBC Absolute speed below which the brake is activated 0.0 rpm
speed while ramping. If the value is 0.0 rpm, this feature is
not in use.
0.0…1000.0 rpm Speed
16 SBC output Digital output connected to the SBC output (brake None
relays)
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
17 SBC feedback type Where the SBC gets the feedback from Safety relay
feedback
Safety relay Feedback is connected to a safety relay (inverted 0
feedback state compared with the outputs)
Mechanical brake Feedback is connected to a mechanical brake (same 1
feedback state as the outputs, but delayed)
18 SBC feedback Action taken when there is a problem on the SBC STO
action feedback
STO STO activated 0
19 STO Selects the method for the STO acknowledgement. Manual
acknowledgement See section Safe torque off (STO) on page 40 for
more information on the STO acknowledgement.
Manual FSO module reads the STO acknowledgement signal 0
through the interface defined by parameter 162
Acknowledgement button input.
Automatic FSO module generates the STO acknowledgement 1
signal automatically after the STO request is off and
the system is in safe state.
20 STO output Digital output indicating activity of the STO None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
21 STO completed Digital output indicating completion of the STO. Active None
output when the time defined by parameter 9 Restart delay
after STO has elapsed after the STO request.
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
24 SSE time to zero speed with STO Time in which the acknowledgement is allowed
after the SSE, when the SSE activates the STO (parameter 27 SSE function =
Immediate STO). Default: 3,600,000 ms
0…3,600,000 ms Time
25 SSE input A Digital input connected to the SSE primary input None
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
26 SSE input B Digital input connected to the SSE secondary input. None
Secondary input is mostly used for the cascade
connection.
See parameters 188 Cascade A and 189 Cascade B.
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
27 SSE function Function activated by the SSE Immediate
STO
Immediate STO SSE activates the STO immediately 0
Emergency ramp SSE activates the SS1 with emergency ramp 1
28 SSE monitoring Method used for the SSE monitoring Ramp
method
Ramp Ramp monitoring 0
Time Time monitoring 1
29 SSE delay for STO Time delay after which the STO is executed if time 2000 ms
monitoring used.
See parameter 28 SSE monitoring method.
0…1,800,000 ms Time
30 SSE output Digital output indicating activity of the SSE None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
31 SSE completed Digital output indicating completion of the SSE. Active None
output when the speed is below the speed defined by
parameter 163 Zero speed without encoder and the
STO is active.
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
35 SS1 input A Digital input connected to the SS1 primary input None
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
36 SS1 input B Digital input connected to the SS1 secondary input. None
Secondary input is mostly used for the cascade
connection.
See parameters 188 Cascade A and 189 Cascade B.
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
37 SS1 monitoring Method used for the SS1 monitoring Ramp
method
Ramp Ramp monitoring 0
Time Time monitoring 1
38 SS1 delay for STO Time delay after which the STO is executed if time 1000 ms
monitoring used.
See parameter 37 SS1 monitoring method.
0…1,800,000 ms Time
39 SS1 output Digital output indicating activity of the SS1 None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
40 SS1 completed Digital output indicating completion of the SS1. Active None
output when the speed is below the speed defined by
parameter 163 Zero speed without encoder and the
STO is active.
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
60 SLS1 input A Digital input connected to the SLS with limits 1 None
(primary input)
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
61 SLS1 input B Digital input connected to the SLS with limits 1 None
(secondary input). Secondary input is mostly used for
cascade connection (only SLS1 can be cascaded).
See parameters 188 Cascade A and 189 Cascade B.
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
62 SLS2 input Digital input connected to the SLS with limits 2 None
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
63 SLS3 input Digital input connected to the SLS with limits 3 None
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
64 SLS4 input Digital input connected to the SLS with limits 4 None
None No input connected 0
DI X113:1 & X114:1 Redundant input X113:1 & X114:1 1
DI X113:2 & X114:2 Redundant input X113:2 & X114:2 2
DI X113:3 & X114:3 Redundant input X113:3 & X114:3 3
DI X113:4 & X114:4 Redundant input X113:4 & X114:4 4
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
65 SLS1 trip limit SLS1 negative speed limit tripping the drive -250.0 rpm
negative
-30000.0 …0.0 rpm Speed
66 SLS1 trip limit SLS1 positive speed limit tripping the drive 250.0 rpm
positive
0.0…30000.0 rpm Speed
67 SLS1 limit negative SLS1 negative speed limit for the drive -200.0 rpm
-30000.0 …0.0 rpm Speed
68 SLS1 limit positive SLS1 positive speed limit for the drive 200.0 rpm
0.0…30000.0 rpm Speed
69 SLS2 trip limit SLS2 negative speed limit tripping the drive -450.0 rpm
negative
-30000.0 …0.0 rpm Speed
70 SLS2 trip limit SLS2 positive speed limit tripping the drive 450.0 rpm
positive
0.0…30000.0 rpm Speed
71 SLS2 limit negative SLS2 negative speed limit for the drive -400.0 rpm
-30000.0 …0.0 rpm Speed
72 SLS2 limit positive SLS2 positive speed limit for the drive 400.0 rpm
0.0…30000.0 rpm Speed
73 SLS3 trip limit SLS3 negative speed limit tripping the drive -650.0 rpm
negative
-30000.0 …0.0 rpm Speed
74 SLS3 trip limit SLS3 positive speed limit tripping the drive 650.0 rpm
positive
0.0…30000.0 rpm Speed
75 SLS3 limit negative SLS3 negative speed limit for the drive -600.0 rpm
-30000.0 …0.0 rpm Speed
76 SLS3 limit positive SLS3 positive speed limit for the drive 600.0 rpm
0.0…30000.0 rpm Speed
77 SLS4 trip limit SLS4 negative speed limit tripping the drive -1050.0 rpm
negative
-30000.0 …0.0 rpm Speed
78 SLS4 trip limit SLS4 positive speed limit tripping the drive 1050.0 rpm
positive
0.0…30000.0 rpm Speed
79 SLS4 limit negative SLS4 negative speed limit for the drive -1000.0 rpm
-30000.0 …0.0 rpm Speed
80 SLS4 limit positive SLS4 positive speed limit for the drive 1000.0 rpm
0.0…30000.0 rpm Speed
81 SLS activation Method of SLS activation monitoring Ramp
monitoring method
Ramp Ramp monitoring 0
Time Time monitoring 1
82 SLS time delay Delay for starting speed monitoring when time 4000 ms
monitoring is used.
See parameter 81 SLS activation monitoring method.
0…4,000,000 ms Time
83 SLS1 output A Digital output connected to the SLS1 primary output None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
84 SLS1 output B Digital output connected to the SLS1 secondary None
output. Secondary output is mostly used for cascade
connection.
See parameters 188 Cascade A and 189 Cascade B.
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
85 SLS2 output Digital output connected to the SLS2 None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
86 SLS3 output Digital output connected to the SLS3 None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
87 SLS4 output Digital output connected to the SLS4 None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
DO X113:7 Single output X113:7 4
DO X113:8 Single output X113:8 5
DO X113:9 Single output X113:9 6
DO X114:7 Single output X114:7 7
DO X114:8 Single output X114:8 8
DO X114:9 Single output X114:9 9
88 SLS SLS acknowledgement method Automatic
acknowledgement
Manual Manual acknowledgement after the removal of 0
requests
Automatic Automatic acknowledgement after the removal of 1
requests
92 SMS function SMS activation Inactive
Inactive Deactivates the SMS 0
Active Activates the SMS 1
93 SMS limit negative Negative speed limit for the SMS -2000.0 rpm
-30000.0 …0.0 rpm Speed
94 SMS limit positive Positive speed limit for the SMS 2000.0 rpm
0.0 …30000.0 rpm Speed
103 SAR0 ramp time to Defines the target time for the reference emergency 1000 ms
zero stop ramp SAR0 for the SSE.
Target time = Time in which drive decelerates the
motor from speed 170 Speed scaling to speed
163 Zero speed without encoder.
1…1,800,000 ms Time
104 SAR0 min ramp Defines the minimum ramp time for the SAR0 ramp 500 ms
time to zero monitoring.
0…1,799,999 ms Time.
Note: With value 0 ms, this is not monitored.
105 SAR0 max ramp Defines the maximum ramp time for the SAR0 ramp 1500 ms
time to zero monitoring.
1…3,600,000 ms Time
106 SAR1 ramp time to Defines the target time for the reference safe stopping 2000 ms
zero ramp SAR1 for SS1 or SLS.
Target time = Time in which drive decelerates the
motor from speed 170 Speed scaling to speed
163 Zero speed without encoder.
0…1,800,000 ms Time.
Note: With value 0 ms, the drive uses the
emergency stop ramp defined by the drive
parameters. However, the FSO module monitors
the actual ramp using the remaining SAR1 parameters.
107 SAR1 min ramp time Defines the minimum ramp time for the SAR1 ramp 1000 ms
to zero monitoring.
0…1,799,999 ms Time
Note: With value 0 ms, the ramp is not monitored.
108 SAR1 max ramp Defines the maximum ramp time for the SAR1 ramp 3000 ms
time to zero monitoring.
1…3,600,000 ms Time
127 SAR initial allowed Initial allowed range for the SAR (min/max modifies 100 ms
range the range when the ramp goes on)
0…60,000 ms Time
161 Power-up Power-up acknowledgement method Automatic
acknowledgement
Manual Manual acknowledgement after the removal of 0
requests
Automatic Automatic acknowledgement after the removal of 1
requests
162 Acknowledgement Digital input connected to the button for None
button input acknowledging operations
None No input connected 0
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
163 Zero speed without General zero speed limit for safety functions when no 90.0 rpm
encoder safety encoder is in use
6.0…600.0 rpm Speed
165 Motor nominal Defines the nominal motor speed 1500.0 rpm
speed
1.0 …30000.0 rpm Speed
166 Motor nominal Defines the nominal motor frequency 50.00 Hz
frequency
0.00…500.00 Hz Frequency
167 STO indication ext Defines the event type for an external function Event
request request (STO, SSE or SS1) ending in the STO.
Note: Faults which trigger the STO are always faults.
None No event generated 0
Fault Fault generated 1
Warning Warning generated 2
Event Pure event generated 3
168 STO indication Defines the event type for the limit hits of SLS1, …, Fault
safety limit SLS4 and SMS functions, and ramp and time
monitoring of the safety ramps SAR0 and SAR1.
Note: Faults which trigger the STO are always faults.
None No event generated 0
Fault Fault generated 1
Warning Warning generated 2
Event Pure event generated 3
170 Speed scaling Defines a speed value that the FSO uses as a 1500 rpm
reference point in calculations. Example: See
parameter 103 SAR0 ramp time to zero.
0…1800 rpm Speed
171 Zero speed delay for Defines the delay time for the drive STO activation at 0 ms
STO the zero speed when the drive decelerates along the
FSO module stop ramps SAR0 or SAR1.
The delay counter starts when the speed reaches
163 Zero speed without encoder.
• For the SAR0 ramp, the delay counter stops and
the FSO module activates the drive STO when the
zero speed delay has passed.
• For the SAR1 ramp, the delay counter does not use
this parameter value as such but the FSO module
calculates a suitably compensated delay for the
counter using this value and 106 SAR1 ramp time
to zero (or if that is zero then 108 SAR1 max ramp
time to zero).
Note: The FSO module activates the drive STO
immediately if the drive stops modulating before the
delay has passed (i.e., the motor actual speed reaches
0 rpm).
Note for the SS1: Even if the SS1 function is time
monitored, this parameter is in effect if the related
SAR parameters have valid values. See above.
0…30000 ms Time
172 Transient mute time Defines the mute time for the drive transient 0 ms
operations. When speed monitoring detects a safety
function limit hit, the FSO module does not act immediately
but waits for the Transient mute time first. If the
speed is still out of the limit after the Transient mute
time, the FSO module starts the safety actions.
Example: Use of the Transient mute time may be
useful in applications where the motor runs a high
inertia (mass) load and rapid changes in speed
are not possible.
0…1000 ms Time
181 M/F mode for cascade Master/follower mode of this FSO-11 module for both
cascade channels separately. Default: A = follower, B = follower
A = follower, B = follower This module is a follower on cascade connection A
and a follower on cascade connection B. 0
A = master, B = follower This module is the master on cascade connection A
and a follower on cascade connection B. 1
A = follower, B = master This module is a follower on cascade connection A
and the master on cascade connection B. 2
A = master, B = master This module is the master on cascade connection A
and the master on cascade connection B. 3
182 DO X113:7 logic Logic state of digital output X113:7 Active low
state
Active low Active state of the output is low voltage. 0
Active high Active state of the output is high voltage. 1
183 DO X113:8 logic Logic state of digital output X113:8 Active low
state
Active low Active state of the output is low voltage. 0
Active high Active state of the output is high voltage. 1
184 DO X113:9 logic Logic state of digital output X113:9 Active low
state
Active low Active state of the output is low voltage. 0
Active high Active state of the output is high voltage. 1
185 DO X114:7 logic Logic state of digital output X114:7 Active low
state
Active low Active state of the output is low voltage. 0
Active high Active state of the output is high voltage. 1
186 DO X114:8 logic Logic state of digital output X114:8 Active low
state
Active low Active state of the output is low voltage. 0
Active high Active state of the output is high voltage. 1
187 DO X114:9 logic Logic state of digital output X114:9 Active low
state
Active low Active state of the output is low voltage. 0
Active high Active state of the output is high voltage. 1
188 Cascade A For each FSO module in cascade A, the digital input None
connected to the safety function is also internally
connected to the corresponding digital output of the
module (digital input -> digital output). This resembles
a master/follower connection.
See section Cascade on page 39.
None Not cascaded 0
X113:1 & X114:1 -> Redundant cascade X113:1 & X114:1 -> X113:7 & 1
X113:7 & X114:7 X114:7
X113:2 & X114:2 -> Redundant cascade X113:2 & X114:2 -> X113:8 & 2
X113:8 & X114:8 X114:8
X113:3 & X114:3 -> Redundant cascade X113:3 & X114:3 -> X113:9 & 3
X113:9 & X114:9 X114:9
X113:1 -> X113:7 Single cascade X113:1 -> X113:7 4
X113:2 -> X113:8 Single cascade X113:2 -> X113:8 5
X113:3 -> X113:9 Single cascade X113:3 -> X113:9 6
X114:1 -> X114:7 Single cascade X114:1 -> X114:7 7
X114:2 -> X114:8 Single cascade X114:2 -> X114:8 8
X114:3 -> X114:9 Single cascade X114:3 -> X114:9 9
189 Cascade B For each FSO module in cascade B, the digital input None
connected to the safety function is also internally
connected to the corresponding digital output of the
module (digital input -> digital output).
See section Cascade on page 39.
None Not cascaded 0
X113:1 & X114:1 -> Redundant cascade X113:1 & X114:1 -> X113:7 & 1
X113:7 & X114:7 X114:7
X113:2 & X114:2 -> Redundant cascade X113:2 & X114:2 -> X113:8 & 2
X113:8 & X114:8 X114:8
X113:3 & X114:3 -> Redundant cascade X113:3 & X114:3 -> X113:9 & 3
X113:9 & X114:9 X114:9
X113:1 -> X113:7 Single cascade X113:1 -> X113:7 4
X113:2 -> X113:8 Single cascade X113:2 -> X113:8 5
X113:3 -> X113:9 Single cascade X113:3 -> X113:9 6
X114:1 -> X114:7 Single cascade X114:1 -> X114:7 7
X114:2 -> X114:8 Single cascade X114:2 -> X114:8 8
X114:3 -> X114:9 Single cascade X114:3 -> X114:9 9
190 DI diagnostic pulse Length of the diagnostic pulse for digital inputs 0.5 ms
length
0.5 ms 0
1 ms 1
2 ms 2
191 DI diagnostic pulse Cycle time of the diagnostic pulse falling edge for 10,000 ms
period digital inputs (time between diagnostic pulse falling
edges)
50…59,000 ms Time
192 DI X113:1 diag pulse Diagnostic pulse of digital input X113:1 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
193 DI X113:2 diag pulse Diagnostic pulse of digital input X113:2 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
194 DI X113:3 diag pulse Diagnostic pulse of digital input X113:3 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
195 DI X113:4 diag pulse Diagnostic pulse of digital input X113:4 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
196 DI X114:1 diag pulse Diagnostic pulse of digital input X114:1 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
197 DI X114:2 diag pulse Diagnostic pulse of digital input X114:2 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
198 DI X114:3 diag pulse Diagnostic pulse of digital input X114:3 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
199 DI X114:4 diag pulse Diagnostic pulse of digital input X114:4 on or off Off
on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
200 DO diagnostic pulse Length of the diagnostic pulse for digital outputs 1 ms
length
0.5 ms 0
1 ms 1
2 ms 2
201 DO diagnostic pulse Cycle time of the diagnostic pulse falling edge for 10,000 ms
period digital outputs (time between diagnostic pulse falling
edges)
30…59,000 ms Time
202 DO X113:7 diag Diagnostic pulse of digital output X113:7 on or off Off
pulse on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
203 DO X113:8 diag Diagnostic pulse of digital output X113:8 on or off Off
pulse on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
204 DO X113:9 diag Diagnostic pulse of digital output X113:9 on or off Off
pulse on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
205 DO X114:7 diag Diagnostic pulse of digital output X114:7 on or off Off
pulse on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
206 DO X114:8 diag Diagnostic pulse of digital output X114:8 on or off Off
pulse on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
207 DO X114:9 diag Diagnostic pulse of digital output X114:9 on or off Off
pulse on/off
Off Diagnostic pulse off 0
On Diagnostic pulse on 1
208 Safety relay 1 output Output for the safety relay 1 None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
209 Safety relay 1 Feedback input of the safety relay 1 None
feedback
None No input connected 0
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
210 Safety relay 2 output Output for the safety relay 2 None
None No output connected 0
DO X113:7 & X114:7 Redundant output X113:7 & X114:7 1
DO X113:8 & X114:8 Redundant output X113:8 & X114:8 2
DO X113:9 & X114:9 Redundant output X113:9 & X114:9 3
211 Safety relay 2 Feedback input of the safety relay 2 None
feedback
None No input connected 0
DI X113:1 Single input X113:1 5
DI X113:2 Single input X113:2 6
DI X113:3 Single input X113:3 7
DI X113:4 Single input X113:4 8
DI X114:1 Single input X114:1 9
DI X114:2 Single input X114:2 10
DI X114:3 Single input X114:3 11
DI X114:4 Single input X114:4 12
239 FSO speed ch1 Shows the motor speed estimate 1 of the FSO
module. The module reads the value from the drive via
communication channel 1.
0.00 … rpm Speed
240 FSO speed ch2 Shows the motor speed estimate 2 of the FSO
module. The module reads source data from the drive via
communication channel 2 and calculates the speed
estimate 2 using the data.
0.00 … rpm Speed
241 FSO DI status States of the FSO inputs
Bit Name Values
0 Input X113:1 0 = Off, 1 = On
1 Input X113:2 0 = Off, 1 = On
2 Input X113:3 0 = Off, 1 = On
3 Input X113:4 0 = Off, 1 = On
4 Input X114:1 0 = Off, 1 = On
5 Input X114:2 0 = Off, 1 = On
6 Input X114:3 0 = Off, 1 = On
7 Input X114:4 0 = Off, 1 = On

242 FSO DO status States of the FSO outputs


Bit Name Values
0 Output X113:7 0 = Off, 1 = On
1 Output X113:8 0 = Off, 1 = On
2 Output X113:9 0 = Off, 1 = On
4 Output X114:7 0 = Off, 1 = On
5 Output X114:8 0 = Off, 1 = On
6 Output X114:9 0 = Off, 1 = On
243 FSO control word 1 States of the FSO commands
Bit Name Values
0 STO request 0 = Off, 1 = On
1 SSE request 0 = Off, 1 = On
2 SS1 request 0 = Off, 1 = On
3 SS2 request 0 = Off, 1 = On
4 SAR0 request 0 = Off, 1 = On
5 SAR1 request 0 = Off, 1 = On
6 SAR2 request 0 = Off, 1 = On
7 SAR3 request 0 = Off, 1 = On
8 SAR4 request 0 = Off, 1 = On
9 SAR5 request 0 = Off, 1 = On
10 SLS1 request 0 = Off, 1 = On
11 SLS2 request 0 = Off, 1 = On
12 SLS3 request 0 = Off, 1 = On
13 SLS4 request 0 = Off, 1 = On
14 SOS request 0 = Off, 1 = On
15 SDI positive request 0 = Off, 1 = On

244 FSO control word 2 States of the FSO commands


Bit Name Values
0 SDI negative request 0 = Off, 1 = On
1 CRC request 0 = Off, 1 = On
2 FSO brake 0 = Off, 1 = On
245 FSO status word 1 FSO status word 1
Bit Name Values
0…2 FSO mode bits 1…3 0 = Undefined, 1 = Boot mode, 2 = Running mode, 3 = Fail safe mode, 4 = Configuration mode
3 FSO state bit 0 = Safe state, 1 = Operational
5 FSO STO active 0 = Off, 1 = On
6 Brake state 0 = Off, 1 = On
8 SSE monitoring 0 = Off, 1 = On
9 SS1 monitoring 0 = Off, 1 = On
10 SS2 monitoring 0 = Off, 1 = On
11 SAR0 monitoring 0 = Off, 1 = On
12 SAR1 monitoring 0 = Off, 1 = On
13 SAR2 monitoring 0 = Off, 1 = On
14 SAR3 monitoring 0 = Off, 1 = On
15 SAR4 monitoring 0 = Off, 1 = On

246 FSO status word 2 FSO status word 2


Bit Name Values
0 SAR5 monitoring 0 = Off, 1 = On
1 SLS1 monitoring 0 = Off, 1 = On
2 SLS2 monitoring 0 = Off, 1 = On
3 SLS3 monitoring 0 = Off, 1 = On
4 SLS4 monitoring 0 = Off, 1 = On
5 SOS monitoring 0 = Off, 1 = On
6 SDI positive monitoring 0 = Off, 1 = On
7 SDI negative monitoring 0 = Off, 1 = On
8 SSM1 0 = Off, 1 = On
9 SSM2 0 = Off, 1 = On
10 SSM3 0 = Off, 1 = On
11 SSM4 0 = Off, 1 = On
12 SMS monitoring 0 = Off, 1 = On
247 Drive status word 1 Drive status word 1
Bit Name Description Values
0…3 Drive status bits 1…4 0 = Disabled, 1 = Readyon, 2 = Readyrun, 3 = Starting, 4 = Readyref, 5 = Stopping, 6 = Faulted
4 Brake proof test Drive requests a brake proof test. 0 = Off, 1 = On
5 Encoder present 0 = Off, 1 = On
6 Modulation 0 = Off, 1 = On
7 STO circuit 1 0 = Off, 1 = On
8 STO circuit 2 0 = Off, 1 = On
9 SS1 active State on the drive side 0 = Off, 1 = On
10 SS2 active 0 = Off, 1 = On
11 SAR0 active 0 = Off, 1 = On
12 SAR1 active 0 = Off, 1 = On
13 SAR2 active 0 = Off, 1 = On
14 SAR3 active 0 = Off, 1 = On
15 SAR4 active 0 = Off, 1 = On
248 Drive status word 2 Drive status word 2
Bit Name Description Values
0 SAR5 active 0 = Off, 1 = On
1 SLS1 active State on the drive side 0 = Off, 1 = On
2 SLS2 active 0 = Off, 1 = On
3 SLS3 active 0 = Off, 1 = On
4 SLS4 active 0 = Off, 1 = On
5 SOS active 0 = Off, 1 = On
6 SDI positive active 0 = Off, 1 = On
7 SDI negative active 0 = Off, 1 = On
8 Drive brake 0 = Off, 1 = On
9 STO 1 diag Drive has noticed an STO diagnostic pulse on circuit 1. 0, 1
10 STO 2 diag Drive has noticed an STO diagnostic pulse on circuit 2. 0, 1

252 FSO configuration version FSO user configuration version
0…4294967295
254 CRC of the configuration FSO configuration checksum 0
0…65535 Checksum
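
Added example (not part of the ABB manual): a Python decoder for the bit-coded parameters 241 to 248 listed above, which also reports bits that are set but not defined in the table. It assumes 16-bit words and that the lowest-numbered bit of the FSO mode and drive status fields is the least significant one; the sample values are constructed.

```python
"""Decode FSO-11 status and control words (parameters 241-248)."""

# Bit names transcribed from the parameter table above.
# List index = bit number; None = bit not defined in the table.
FLAGS = {
    241: ["Input X113:1", "Input X113:2", "Input X113:3", "Input X113:4",
          "Input X114:1", "Input X114:2", "Input X114:3", "Input X114:4"],
    242: ["Output X113:7", "Output X113:8", "Output X113:9", None,
          "Output X114:7", "Output X114:8", "Output X114:9"],
    243: ["STO request", "SSE request", "SS1 request", "SS2 request",
          "SAR0 request", "SAR1 request", "SAR2 request", "SAR3 request",
          "SAR4 request", "SAR5 request", "SLS1 request", "SLS2 request",
          "SLS3 request", "SLS4 request", "SOS request",
          "SDI positive request"],
    244: ["SDI negative request", "CRC request", "FSO brake"],
    245: [None, None, None, None, None, "FSO STO active", "Brake state", None,
          "SSE monitoring", "SS1 monitoring", "SS2 monitoring",
          "SAR0 monitoring", "SAR1 monitoring", "SAR2 monitoring",
          "SAR3 monitoring", "SAR4 monitoring"],
    246: ["SAR5 monitoring", "SLS1 monitoring", "SLS2 monitoring",
          "SLS3 monitoring", "SLS4 monitoring", "SOS monitoring",
          "SDI positive monitoring", "SDI negative monitoring",
          "SSM1", "SSM2", "SSM3", "SSM4", "SMS monitoring"],
    247: [None, None, None, None, "Brake proof test", "Encoder present",
          "Modulation", "STO circuit 1", "STO circuit 2", "SS1 active",
          "SS2 active", "SAR0 active", "SAR1 active", "SAR2 active",
          "SAR3 active", "SAR4 active"],
    248: ["SAR5 active", "SLS1 active", "SLS2 active", "SLS3 active",
          "SLS4 active", "SOS active", "SDI positive active",
          "SDI negative active", "Drive brake", "STO 1 diag", "STO 2 diag"],
}

# Multi-bit fields: (field name, lowest bit, width, value names).
# Assumption: the lowest-numbered bit is the least significant bit of the
# field value; the table does not state the bit order.
FIELDS = {
    245: [("FSO mode", 0, 3, {0: "Undefined", 1: "Boot mode",
                              2: "Running mode", 3: "Fail safe mode",
                              4: "Configuration mode"}),
          ("FSO state", 3, 1, {0: "Safe state", 1: "Operational"})],
    247: [("Drive status", 0, 4, {0: "Disabled", 1: "Readyon", 2: "Readyrun",
                                  3: "Starting", 4: "Readyref",
                                  5: "Stopping", 6: "Faulted"})],
}


def decode(param, value):
    """Return the fields, set flags and set-but-undefined bits of a word."""
    if param not in FLAGS:
        raise KeyError(f"parameter {param} is not a bit-coded word")
    if not 0 <= value <= 0xFFFF:  # assumption: all eight words are 16 bits wide
        raise ValueError(f"{value!r} does not fit in 16 bits")
    fields, covered = {}, set()
    for name, low, width, values in FIELDS.get(param, []):
        raw = (value >> low) & ((1 << width) - 1)
        fields[name] = values.get(raw, f"unknown ({raw})")
        covered.update(range(low, low + width))
    names = FLAGS[param]
    flags, undefined = [], []
    for bit in range(16):
        if bit in covered or not (value >> bit) & 1:
            continue
        name = names[bit] if bit < len(names) else None
        if name:
            flags.append(name)
        else:
            undefined.append(bit)  # set, but the table defines no such bit
    return {"fields": fields, "flags": flags, "undefined_bits": undefined}


if __name__ == "__main__":
    # Constructed sample values, not captured from a real drive.
    for param, value in [(245, 0x0022), (243, 0x0003), (242, 0x0008)]:
        print(param, hex(value), decode(param, value))
```

A set bit that the table does not define, or a mode value outside 0…4, is returned rather than dropped so that a monitoring script can log it.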

Configuring general settings

How to configure general settings
To configure the general settings, set the FSO-11 parameters listed in the table below
to appropriate values using the Drive composer pro PC tool.
Example: The figure below and the Example value column in the table show an
example I/O set-up:
• Acknowledgement button is connected to input X114:4. After power-up the
acknowledgement can only be performed manually.
• Motor nominal frequency 50.00 Hz
• Motor nominal speed 1360.0 rpm
• Zero speed 90.0 rpm
• External requests ending in the STO are reported to the drive as events. Other
safety function limit hits are reported as faults.

[Figure: example general settings. Acknowledgement button input; Power-up acknowledgement; Motor nominal frequency = 50.00 Hz; Motor nominal speed = 1360.0 rpm; Zero speed without encoder = 90.0 rpm; STO indication ext request = Event; STO indication safety limit = Fault; Drive event system.]

No Name/Value Description Example value
200 Safety Safety parameters
161 Power-up acknowledgement Power-up acknowledgement method Manual
Manual Manual acknowledgement after the removal of requests 0
162 Acknowledgement button input Digital input connected to the button for acknowledging operations DI X114:4
DI X114:4 Single input X114:4 12
163 Zero speed General zero speed limit for safety functions when no 90.0 rpm
without encoder safety encoder in use
165 Motor nominal Defines the nominal motor speed 1360.0 rpm
speed
166 Motor nominal Defines the nominal motor frequency 50.00 Hz
frequency
167 STO indication Defines the event type for an external function request Event
ext request (STO, SSE or SS1) ending in the STO.
Event Pure event generated 3
168 STO indication Defines the event type for the limit hits of SLS1, …, SLS4 Fault
safety limit and SMS functions, and ramp and time monitoring of the
safety ramps SAR0 and SAR1.
Fault Fault generated 1

Configuring I/O
How to configure I/O
To configure the I/O, set the FSO-11 parameters listed in the table below to
appropriate values using the Drive composer pro PC tool. The location of the input
and output terminals on the FSO-11 module is shown in section Layout on page 29.

Example: The figure below and the Example value column in the table show an
example I/O set-up:
• All inputs use diagnostic pulses with 1 ms width and 30 s period.
• one redundant cascaded connection from input 1 to output 7
• one safety relay (always redundant) connected to output 8 with feedback
connected to input 3
• All outputs, except X114:9, have active low logic state and diagnostic pulsing on.
Pulse width 1 ms and period 59 s.
• Output X114:9 has active high logic state and no diagnostics pulses can be used.

[Figure: example I/O set-up showing inputs X113:1…4 and X114:1…4, outputs X113:7…9 and X114:7…9, the cascade, safety relay and diagnostic pulse settings listed in the tables below, and the diagnostic (test) pulse terminals TP at X113:10 and X114:10.]

Note: The safety relay inputs and outputs must be configured so that in the safe state
the circuit is disconnected (0 V).

Inputs
Set the length and period of the diagnostic pulse for the digital inputs. Select for each
input whether the diagnostic pulse is on or off.
No Name/Value Description Example
value
200 Safety Safety parameters
190 DI diagnostic Length of the diagnostic pulse for digital inputs 1 ms
pulse length
1 ms 1
191 DI diagnostic Cycle time of the diagnostic pulse falling edge for digital 30,000 ms
pulse period inputs (time between diagnostic pulse falling edges)
192 DI X113:1 diag Diagnostic pulse of digital input X113:1 on or off On
pulse on/off
On Diagnostic pulse on 1
193 DI X113:2 diag Diagnostic pulse of digital input X113:2 on or off On
pulse on/off
On Diagnostic pulse on 1
194 DI X113:3 diag Diagnostic pulse of digital input X113:3 on or off On
pulse on/off
On Diagnostic pulse on 1
195 DI X113:4 diag Diagnostic pulse of digital input X113:4 on or off On
pulse on/off
On Diagnostic pulse on 1
196 DI X114:1 diag Diagnostic pulse of digital input X114:1 on or off On
pulse on/off
On Diagnostic pulse on 1
197 DI X114:2 diag Diagnostic pulse of digital input X114:2 on or off On
pulse on/off
On Diagnostic pulse on 1
198 DI X114:3 diag Diagnostic pulse of digital input X114:3 on or off On
pulse on/off
On Diagnostic pulse on 1
199 DI X114:4 diag Diagnostic pulse of digital input X114:4 on or off On
pulse on/off
On Diagnostic pulse on 1

Outputs
Set the logic state for each digital output. Set the length and period of the diagnostic
pulse for the digital outputs. Select for each output whether the diagnostic pulse is on
or off.
No Name/Value Description Example
value
200 Safety Safety parameters
182 DO X113:7 logic Logic state of digital output X113:7 Active low
state
Active low Active state of the output is low voltage. 0
183 DO X113:8 logic Logic state of digital output X113:8 Active low
state
Active low Active state of the output is low voltage. 0
184 DO X113:9 logic Logic state of digital output X113:9 Active low
state
Active low Active state of the output is low voltage. 0
185 DO X114:7 logic Logic state of digital output X114:7 Active low
state
Active low Active state of the output is low voltage. 0
186 DO X114:8 logic Logic state of digital output X114:8 Active low
state
Active low Active state of the output is low voltage. 0
187 DO X114:9 logic Logic state of digital output X114:9 Active high
state
Active high Active state of the output is high voltage. 1
200 DO diagnostic Length of the diagnostic pulse for digital outputs 1 ms
pulse length
1 ms 1
201 DO diagnostic Cycle time of the diagnostic pulse falling edge for digital 59,000 ms
pulse period outputs (time between diagnostic pulse falling edges)
202 DO X113:7 diag Diagnostic pulse of digital output X113:7 on or off On
pulse on/off
On Diagnostic pulse on 1
203 DO X113:8 diag Diagnostic pulse of digital output X113:8 on or off On
pulse on/off
On Diagnostic pulse on 1
204 DO X113:9 diag Diagnostic pulse of digital output X113:9 on or off On
pulse on/off
On Diagnostic pulse on 1
205 DO X114:7 diag Diagnostic pulse of digital output X114:7 on or off On
pulse on/off
On Diagnostic pulse on 1
206 DO X114:8 diag Diagnostic pulse of digital output X114:8 on or off On
pulse on/off
On Diagnostic pulse on 1
207 DO X114:9 diag Diagnostic pulse of digital output X114:9 on or off Off
pulse on/off
Off Diagnostic pulse off 0

Cascade connection
If the FSO-11 module belongs to a cascaded safety function, connect the digital input
also to the corresponding digital output. See section Cascade on page 39.
No Name/Value Description Example
value
200 Safety Safety parameters
169 M/F mode for Master/follower mode of this FSO-11 module for both A = follower,
cascade cascade channels separately B = follower
A = follower, B = This module is a follower on cascade connection A and a 0
follower follower on cascade connection B.
188 Cascade A For each FSO module in cascade A, the digital input X113:1 &
connected to the safety function is also internally X114:1 ->
connected to the corresponding digital output of the X113:7 &
module (digital input -> digital output). This resembles a X114:7
master/follower connection.
See section Cascade on page 39.
X113:1 & X114:1 Redundant cascade X113:1 & X114:1 -> X113:7 & X114:7 1
-> X113:7 &
X114:7
189 Cascade B For each FSO module in cascade B, the digital input None
connected to the safety function is also internally
connected to the corresponding digital output of the
module (digital input -> digital output).
See section Cascade on page 39.
None Not cascaded 0

Safety relays
If you want to control a safety relay or contactor with the FSO module, define the use
of the related I/O with these parameters. See also section Relay / contactor output
with feedback on page 62.
No Name/Value Description Example
value
200 Safety Safety parameters
208 Safety relay 1 Output for the safety relay 1 DO X113:8
output & X114:8
DO X113:8 & Redundant output X113:8 & X114:8 2
X114:8
209 Safety relay 1 Feedback input of the safety relay 1 DI X113:4
feedback
DI X113:4 Single input X113:4 8
210 Safety relay 2 Output for the safety relay 2 None
output
None No output connected 0
211 Safety relay 2 Feedback input of the safety relay 2 None
feedback
None No input connected 0
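
Added example (not part of the ABB manual): a Python check that compares a parameter readback with the example I/O set-up in this section and reports every deviation with the selection names from the tables. The readback format (a mapping of parameter number to raw value) and the function names are assumptions, and the sample readback is constructed.

```python
"""Compare an FSO-11 I/O parameter readback with the example set-up above."""

DI = ["X113:1", "X113:2", "X113:3", "X113:4",
      "X114:1", "X114:2", "X114:3", "X114:4"]
DO = ["X113:7", "X113:8", "X113:9", "X114:7", "X114:8", "X114:9"]

# Selection codes transcribed from the parameter tables on this page.
ON_OFF = {0: "Off", 1: "On"}
LOGIC = {0: "Active low", 1: "Active high"}
RELAY_OUT = {0: "None", 1: "DO X113:7 & X114:7",
             2: "DO X113:8 & X114:8", 3: "DO X113:9 & X114:9"}
RELAY_FB = {0: "None", **{5 + i: f"DI {t}" for i, t in enumerate(DI)}}

# Parameter number -> (name, code table or unit).
PARAMS = {
    169: ("M/F mode for cascade", {0: "A = follower, B = follower"}),
    188: ("Cascade A", {1: "X113:1 & X114:1 -> X113:7 & X114:7"}),
    189: ("Cascade B", {0: "None"}),
    190: ("DI diagnostic pulse length", "ms"),
    191: ("DI diagnostic pulse period", "ms"),
    200: ("DO diagnostic pulse length", "ms"),
    201: ("DO diagnostic pulse period", "ms"),
    208: ("Safety relay 1 output", RELAY_OUT),
    209: ("Safety relay 1 feedback", RELAY_FB),
    210: ("Safety relay 2 output", RELAY_OUT),
    211: ("Safety relay 2 feedback", RELAY_FB),
}
for i, t in enumerate(DI):
    PARAMS[192 + i] = (f"DI {t} diag pulse on/off", ON_OFF)
for i, t in enumerate(DO):
    PARAMS[182 + i] = (f"DO {t} logic state", LOGIC)
    PARAMS[202 + i] = (f"DO {t} diag pulse on/off", ON_OFF)

# Baseline = the "Example value" column of the I/O tables above.
BASELINE = {169: 0, 188: 1, 189: 0, 190: 1, 191: 30000, 200: 1, 201: 59000,
            208: 2, 209: 8, 210: 0, 211: 0}
BASELINE.update({192 + i: 1 for i in range(8)})   # all DI diag pulses on
BASELINE.update({182 + i: 0 for i in range(5)})   # outputs active low ...
BASELINE[187] = 1                                 # ... except X114:9
BASELINE.update({202 + i: 1 for i in range(5)})   # DO diag pulses on ...
BASELINE[207] = 0                                 # ... except X114:9


def show(param, value):
    """Render a raw value with the selection name or unit from the tables."""
    kind = PARAMS[param][1]
    if isinstance(kind, dict):
        return kind.get(value, f"code {value} (not in the tables)")
    return f"{value} {kind}"


def audit(readback, baseline=BASELINE):
    """Return (parameter, name, expected, actual) for every deviation."""
    findings = []
    for param in sorted(baseline):
        name, expected = PARAMS[param][0], show(param, baseline[param])
        if param not in readback:
            findings.append((param, name, expected, "missing from readback"))
        elif readback[param] != baseline[param]:
            findings.append((param, name, expected,
                             show(param, readback[param])))
    for param in sorted(set(readback) - set(baseline)):
        findings.append((param, "not in baseline", "-", str(readback[param])))
    return findings


def sample_readback():
    """Constructed readback: feedback removed, one pulse off, one value lost."""
    rb = dict(BASELINE)
    rb[209] = 0      # safety relay 1 feedback no longer connected
    rb[205] = 0      # diagnostic pulse on DO X114:7 switched off
    del rb[191]      # DI pulse period absent from the export
    return rb


if __name__ == "__main__":
    for finding in audit(sample_readback()):
        print(finding)
```

Replace `BASELINE` with the values recorded at commissioning to use the same check on a real installation.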

Configuring STO
How to configure STO
To configure the STO, set the FSO-11 parameters listed in the table below to
appropriate values using the Drive composer pro PC tool. For more information on
the STO function, see page 40.
Example: The figure below and the Example value column in the table show an
example of a simple STO function set-up:
• redundant emergency button connected to input
• automatic acknowledgement
• restart delay after STO 1000 ms
• no output connected
• no brake.

[Figure: STO example, speed versus time. STO input A = DI X113:1 & X114:1; STO input B = None; STO acknowledgement; STO active; Restart delay after STO; SSE/SS1 SBC speed; STO SBC usage = None; STO output = None; STO completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
7 STO input A Digital input connected to the STO primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
8 STO input B Digital input connected to the STO secondary input. None
Secondary input is mostly used for the cascade
connection.
See parameters 188 Cascade A and 189 Cascade B.
None No input connected 0
9 Restart delay Time after which the restart is allowed after the STO 1000 ms
after STO
11 STO SBC usage Brake usage is always coupled with the STO. This None
parameter defines how.
None No brake 0
15 SSE/SS1 SBC Absolute speed below which the brake is activated while 0.0 rpm
speed ramping. If the value is 0.0 rpm, this feature is not in use.
19 STO acknowledgement Selects the method for the STO acknowledgement. Automatic
Automatic FSO module generates the STO acknowledgement 1
signal automatically after the STO request is off and the
system is in safe state.
20 STO output Digital output indicating activity of the STO None
None No output connected 0
21 STO completed Digital output indicating completion of the STO. Active None
output when the time defined by parameter 9 Restart delay after
STO has elapsed after the STO request.
None No output connected 0

Configuring SBC
How to configure SBC after STO
To configure the SBC after the STO, set the FSO-11 parameters listed in the table
below to appropriate values using the Drive composer pro PC tool. For more
information on the SBC after the STO, see page 42.
Example: The figure below and the Example value column in the table show an
example of a set-up of the SBC after the STO:
• STO with brake
• redundant emergency button connected to input
• automatic acknowledgement
• restart delay after STO 1000 ms
• delayed brake with 900 ms delay
• brake connected to redundant output
• STO is activated if brake feedback fails.
Note: Maximum response time of the FSO-11 and drive combination is 100 ms.

[Figure: SBC after STO example, speed versus time. STO input A = DI X113:1 & X114:1; STO input B = None; STO acknowledgement; STO activated; STO SBC delay; SBC activated; Restart delay after STO; STO SBC usage = Delayed brake; SBC output = DO X113:7 & X114:7; SBC feedback action (check also feedback input); STO output = None; STO completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
7 STO input A Digital input connected to the STO primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
8 STO input B Digital input connected to the STO secondary input. None
Secondary input is mostly used for the cascade
connection.
See parameter 188 Cascade A.
None No input connected 0
9 Restart delay Time after which the restart is allowed after the STO 1000 ms
after STO
11 STO SBC usage Brake usage is always coupled with the STO. This Delayed
parameter defines how. brake
Delayed brake Time controlled brake 1
12 STO SBC delay Brake usage delay relative to the STO. Negative value 900 ms
means that the brake is activated before STO activation.
Note: Mechanical brake delays must be included in here.
16 SBC output Digital output connected to the SBC output (brake relays) DO X113:7
& X114:7
DO X113:7 & Redundant output X113:7 & X114:7 1
X114:7
18 SBC feedback Action taken when there is a problem on the SBC STO
action feedback
STO STO activated 0
19 STO acknowledgement Selects the method for the STO acknowledgement. Automatic
Automatic FSO module generates the STO acknowledgement 1
signal automatically after the STO request is off and the
system is in safe state.
20 STO output Digital output indicating activity of the STO None
None No output connected 0
21 STO completed Digital output indicating completion of the STO. Active None
output when the time defined by parameter 9 Restart delay after
STO has elapsed after the STO request.
None No output connected 0

How to configure SBC before STO

To configure the SBC before the STO, set the FSO-11 parameters listed in the table
below to appropriate values using the Drive composer pro PC tool. For more
information on the SBC before the STO, see page 44.
Example: The figure below and the Example value column in the table show an
example of a set-up of the SBC before the STO:
• STO with negative brake
• redundant emergency button connected to input
• automatic acknowledgement
• restart delay after STO 600 ms
• delayed brake with negative delay -500 ms
• brake connected to redundant output
• STO activated if brake feedback fails.
Note: Maximum response time of the FSO-11 and drive combination is 100 ms.

[Figure: SBC before STO example, speed versus time. STO input A = DI X113:1 & X114:1; STO input B = None; STO acknowledgement; SBC activated; STO SBC delay = -500 ms; STO activated; Restart delay after STO; STO SBC usage = Delayed brake; SBC output = DO X113:7 & X114:7; SBC feedback action (check also feedback input); STO output = None; STO completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
7 STO input A Digital input connected to the STO primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
8 STO input B Digital input connected to the STO secondary input. None
Secondary input is mostly used for the cascade
connection.
None No input connected 0
9 Restart delay Time after which the restart is allowed after the STO 600 ms
after STO
11 STO SBC usage Brake usage is always coupled with the STO. This Delayed
parameter defines how. brake
Delayed brake Time controlled brake 1
12 STO SBC delay Brake usage delay relative to the STO. Negative value -500 ms
means that the brake is activated before STO activation.
Note: Mechanical brake delays must be included in here.
16 SBC output Digital output connected to the SBC output (brake relays) DO X113:7
& X114:7
DO X113:7 & Redundant output X113:7 & X114:7 1
X114:7
18 SBC feedback Action taken when there is a problem on the SBC STO
action feedback
STO STO activated 0
19 STO acknowledgement Selects the method for the STO acknowledgement. Automatic
Automatic FSO module generates the STO acknowledgement 1
signal automatically after the STO request is off and the
system is in safe state.
20 STO output Digital output indicating activity of the STO None
None No output connected 0
21 STO completed Digital output indicating completion of the STO. Active None
output when the time defined by parameter 9 Restart delay after
STO has elapsed after the STO request.
None No output connected 0

Configuring SS1
How to configure SS1 with time monitoring
To configure the SS1 with time monitoring, set the FSO-11 parameters listed in the
table below to appropriate values using the Drive composer pro PC tool. For more
information on the SS1 with time monitoring, see page 46.
Example: The figure below and the Example value column in the table show an
example of an SS1 with time monitoring set-up:
• SS1 with time monitored ramp
• redundant emergency button connected to input
• delay for activating STO 2000 ms
• single output connected
• speed activated brake not in use
• monitored ramp (SAR1).

[Figure: SS1 with time monitoring example, speed versus time. SS1 input A = DI X113:1 & X114:1; SS1 input B = None; SS1 monitoring method = Time; SS1 delay for STO; SSE/SS1 SBC speed; Zero speed; SS1 output = DO X114:9; SS1 completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
15 SSE/SS1 SBC Absolute speed below which the brake is activated while 0.0 rpm
speed ramping. If the value is 0.0 rpm, this feature is not in use.
35 SS1 input A Digital input connected to the SS1 primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
36 SS1 input B Digital input connected to the SS1 secondary input. None
Secondary input is mostly used for the cascade
connection.
None No input connected 0
37 SS1 monitoring Method used for the SS1 monitoring Time
method
Time Time monitoring 1
38 SS1 delay for Time delay after which the STO is executed if time 2000 ms
STO monitoring used.
39 SS1 output Digital output indicating activity of the SS1 DO X114:9
DO X114:9 Single output X114:9 9
40 SS1 completed Digital output indicating completion of the SS1. Active None
output when the speed is below the speed defined by parameter
163 Zero speed without encoder and the STO is active.
None No output connected 0

How to configure SS1 with ramp monitoring

To configure the SS1 with ramp monitoring, set the FSO-11 parameters listed in the
table below to appropriate values using the Drive composer pro PC tool. For more
information on the SS1 with ramp monitoring, see page 47.
Example: The figure below and the Example value column in the table show an
example of an SS1 with ramp monitoring set-up:
• monitored ramp (SAR1; see section How to configure SARn on page 127)
• redundant emergency button connected to input
• single output connected
• speed activated brake not in use.

[Figure: SS1 with ramp monitoring example, speed versus time. SS1 input A = DI X113:1 & X114:1; SS1 input B = None; SS1 monitoring method = Ramp (remember to configure SAR1); SSE/SS1 SBC speed; Zero speed; SS1 output = DO X114:9; SS1 completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
15 SSE/SS1 SBC Absolute speed below which the brake is activated while 0.0 rpm
speed ramping. If the value is 0.0 rpm, this feature is not in use.
35 SS1 input A Digital input connected to the SS1 primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
36 SS1 input B Digital input connected to the SS1 secondary input. None
Secondary input is mostly used for the cascade
connection.
None No input connected 0
37 SS1 monitoring Method used for the SS1 monitoring Ramp
method
Ramp Ramp monitoring 0
39 SS1 output Digital output indicating activity of the SS1 DO X114:9
DO X114:9 Single output X114:9 9
40 SS1 completed Digital output indicating completion of the SS1. Active None
output when the speed is below the speed defined by parameter
163 Zero speed without encoder and the STO is active.
None No output connected 0

How to configure SS1 with speed limit activated SBC

To configure the SS1 with speed limit activated SBC, set the FSO-11 parameters
listed in the table below to appropriate values using the Drive composer pro PC tool.
For more information on the SS1 with speed limit activated SBC, see page 49.
Example: The figure below and the Example value column in the table show an
example of an SS1 with speed limit activated SBC set-up:
• monitored ramp (SAR1; see section How to configure SARn on page 127)
• redundant emergency button connected to input
• single output connected
• speed activated brake in use, speed below which the brake is activated
180.0 rpm.

[Figure: SS1 with speed limit activated SBC example, speed versus time. SS1 input A = DI X113:1 & X114:1; SS1 input B = None; SS1 monitoring method = Ramp (remember to configure SAR1); SSE/SS1 SBC speed; Zero speed; SS1 output = DO X114:9; SS1 completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
15 SSE/SS1 SBC Absolute speed below which the brake is activated while 180.0 rpm
speed ramping. If the value is 0.0 rpm, this feature is not in use.
35 SS1 input A Digital input connected to the SS1 primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
36 SS1 input B Digital input connected to the SS1 secondary input. None
Secondary input is mostly used for the cascade
connection.
None No input connected 0
37 SS1 monitoring Method used for the SS1 monitoring Ramp
method
Ramp Ramp monitoring 0
39 SS1 output Digital output indicating activity of the SS1 DO X114:9
DO X114:9 Single output X114:9 9
40 SS1 completed Digital output indicating completion of the SS1. Active None
output when the speed is below the speed defined by parameter
163 Zero speed without encoder and the STO is active.
None No output connected 0

Configuring SSE
How to configure SSE
Note: Always remember to configure SSE and SAR0 functions to have correct limit
hit or fault reaction behaviour.
To configure the SSE, set the FSO-11 parameters listed in the table below to
appropriate values using the Drive composer pro PC tool. For more information on
the SSE function, see page 50.
Example: The figure below and the Example value column in the table show an
example of a simple SSE set-up:
• redundant emergency button connected to input
• no outputs connected
• STO related features configured in STO function.
Parameter SSE time to zero speed with STO must be configured to be the estimated
time in which the motor coasts to a stop from the maximum speed.

[Figure: SSE example, speed versus time. SSE function = Immediate STO; SSE input A = DI X113:1 & X114:1; SSE input B = None; SSE time to zero speed with STO; SSE output = None; SSE completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
24 SSE time to zero Time in which the acknowledgement is allowed after the 5000 ms
speed with STO SSE, when the SSE activates the STO (parameter 27
SSE function = Immediate STO)
25 SSE input A Digital input connected to the SSE primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
26 SSE input B Digital input connected to the SSE secondary input. None
Secondary input is mostly used for the cascade
connection.
None No input connected 0
27 SSE function Function activated by the SSE Immediate
STO
Immediate STO SSE activates the STO immediately 0
30 SSE output Digital output indicating activity of the SSE None
None No output connected 0
31 SSE completed Digital output indicating completion of the SSE. Active None
output when the speed is below the speed defined by parameter
163 Zero speed without encoder and the STO is active.
None No output connected 0

How to configure SSE with time monitoring

To configure the SSE with time monitoring, set the FSO-11 parameters listed in the
table below to appropriate values using the Drive composer pro PC tool. For more
information on the SSE with time monitoring, see page 52.
Example: The figure below and the Example value column in the table show an
example of an SSE with time monitoring set-up:
• time monitored ramp
• redundant emergency button connected to input
• delay for activating STO 2000 ms
• single output connected
• speed activated brake not in use.

[Figure: SSE with time monitoring example, speed versus time. SSE function = Emergency ramp; SSE input A = DI X113:1 & X114:1; SSE input B = None; SSE monitoring method = Time; SSE delay for STO; SSE/SS1 SBC speed; Zero speed; SSE output = DO X113:9; SSE completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
15 SSE/SS1 SBC Absolute speed below which the brake is activated while 0.0 rpm
speed ramping. If the value is 0.0 rpm, this feature is not in use.
25 SSE input A Digital input connected to the SSE primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
26 SSE input B Digital input connected to the SSE secondary input. None
Secondary input is mostly used for the cascade
connection.
None No input connected 0
27 SSE function Function activated by the SSE Emergency
ramp
Emergency ramp SSE activates the SS1 with emergency ramp 1
28 SSE monitoring Method used for the SSE monitoring Time
method
Time Time monitoring 1
29 SSE delay for Time delay after which the STO is executed if time 2000 ms
STO monitoring used.
30 SSE output Digital output indicating activity of the SSE DO X113:9
DO X113:9 Single output X113:9 6
31 SSE completed Digital output indicating completion of the SSE. Active None
output when the speed is below the speed defined by parameter
163 Zero speed without encoder and the STO is active.
None No output connected 0

How to configure SSE with ramp monitoring

To configure the SSE with ramp monitoring, set the FSO-11 parameters listed in the
table below to appropriate values using the Drive composer pro PC tool. For more
information on the SSE with ramp monitoring, see page 53.
Example: The figure below and the Example value column in the table show an
example of an SSE with ramp monitoring set-up:
• monitored ramp (SAR0; see section How to configure SARn on page 127)
• redundant emergency button connected to input
• single output connected
• speed activated brake not in use.

[Figure: SSE with ramp monitoring example, speed versus time. SSE function = Emergency ramp; SSE monitoring method = Ramp (remember to configure SAR0); SSE input A = DI X113:1 & X114:1; SSE input B = None; SSE/SS1 SBC speed; Zero speed; SSE output = DO X113:9; SSE completed output.]

No Name/Value Description Example value
200 Safety Safety parameters
15 SSE/SS1 SBC Absolute speed below which the brake is activated while 0.0 rpm
speed ramping. If the value is 0.0 rpm, this feature is not in use.
25 SSE input A Digital input connected to the SSE primary input DI X113:1 &
X114:1
DI X113:1 & Redundant input X113:1 & X114:1 1
X114:1
26 SSE input B Digital input connected to the SSE secondary input. None
Secondary input is mostly used for the cascade
connection.
None No input connected 0
27 SSE function Function activated by the SSE Emergency
ramp
Emergency ramp SSE activates the SS1 with emergency ramp 1
28 SSE monitoring Method used for the SSE monitoring Ramp
method
Ramp Ramp monitoring 0
30 SSE output Digital output indicating activity of the SSE DO X113:9
DO X113:9 Single output X113:9 6
31 SSE completed Digital output indicating completion of the SSE. Active None
output when the speed is below the speed defined by parameter
163 Zero speed without encoder and the STO is active.
None No output connected 0
How to configure SSE with speed limit activated SBC


To configure the SSE with speed limit activated SBC, set the FSO-11 parameters
listed in the table below to appropriate values using the Drive composer pro PC tool.
For more information on the SSE with speed limit activated SBC, see page 55.
Example: The figure below and the Example value column in the table show an
example of an SSE with speed limit activated SBC set-up:
• monitored ramp (SAR0; see section How to configure SARn on page 127)
• redundant emergency button connected to input
• single output connected
• speed activated brake in use, speed below which the brake is activated is
240.0 rpm.

[Figure: speed versus time for the SSE with speed limit activated SBC. SSE function = Emergency ramp; SSE monitoring method = Ramp (remember to configure SAR0); SSE input A = DI X113:1 & X114:1; SSE input B = None; SSE output = DO X113:9; SSE completed output. Speed axis marks: SSE/SS1 SBC speed, Zero speed.]

| No | Name/Value | Description | Example value |
| 200 | Safety | Safety parameters |  |
| 15 | SSE/SS1 SBC speed | Absolute speed below which the brake is activated while ramping. If the value is 0.0 rpm, this feature is not in use. | 240.0 rpm |
| 25 | SSE input A | Digital input connected to the SSE primary input | DI X113:1 & X114:1 |
|  | DI X113:1 & X114:1 | Redundant input X113:1 & X114:1 | 1 |
| 26 | SSE input B | Digital input connected to the SSE secondary input. Secondary input is mostly used for the cascade connection. | None |
|  | None | No input connected | 0 |
| 27 | SSE function | Function activated by the SSE | Emergency ramp |
|  | Emergency ramp | SSE activates the SS1 with emergency ramp | 1 |
| 28 | SSE monitoring method | Method used for the SSE monitoring | Ramp |
|  | Ramp | Ramp monitoring | 0 |
| 30 | SSE output | Digital output indicating activity of the SSE | DO X113:9 |
|  | DO X113:9 | Single output X113:9 | 6 |
| 31 | SSE completed output | Digital output indicating completion of the SSE. Active when the speed is below the speed defined by parameter 163 Zero speed without encoder and the STO is active. | None |
|  | None | No output connected | 0 |

Configuring SAR
How to configure SARn
To configure the SARn (n = 0…1), set the FSO-11 parameters listed in the table
below to appropriate values using the Drive composer pro PC tool.
Example: The figure below and the Example value column in the table show an
example of a SAR0 set-up:
• SAR0
• ramp time from scaling speed to zero speed 800 ms
• minimum allowed ramp 500 ms
• maximum allowed ramp 1000 ms.

[Figure: SAR0 ramp, speed versus time, from Scaling speed to Zero speed, showing SAR0 min ramp time to zero, SAR0 ramp time to zero and SAR0 max ramp time to zero.]

| No | Name/Value | Description | Example value |
| 200 | Safety | Safety parameters |  |
| 103 | SAR0 ramp time to zero | Defines the target time for the reference emergency stop ramp SAR0 for the SSE. | 800 ms |
| 104 | SAR0 min ramp time to zero | Defines the minimum ramp time for the SAR0 ramp monitoring. | 500 ms |
| 105 | SAR0 max ramp time to zero | Defines the maximum ramp time for the SAR0 ramp monitoring. | 1000 ms |
| 106 | SAR1 ramp time to zero | Defines the target time for the reference safe stopping ramp SAR1 for SS1 or SLS. | - |
| 107 | SAR1 min ramp time to zero | Defines the minimum ramp time for the SAR1 ramp monitoring. | - |
| 108 | SAR1 max ramp time to zero | Defines the maximum ramp time for the SAR1 ramp monitoring. | - |

Configuring SLS
How to configure SLSn with time monitoring
To configure the SLSn (n = 1…4) with time monitoring, set the FSO-11 parameters
listed in the table below to appropriate values using the Drive composer pro PC tool.
For more information on the SLS function, see page 56.
Example: The figure below and the Example value column in the table show an
example of an SLS1 with time monitoring set-up:
• SLS1 (time monitored)
• redundant activation button connected to input
• single output connected
• SLS activation delay 2000 ms
• positive limits: target 1200.0 rpm, trip limit 1320.0 rpm
• negative limits: target -900.0 rpm, trip limit -1020.0 rpm
• automatic acknowledgement.

[Figure: speed versus time for SLS1 with time monitoring. SLS activation monitoring method = Time; SLS acknowledgement; SLS1 input A = DI X113:2 & X114:2; SLS1 input B = None; SLS1 output A = DO X114:7; SLS1 output B = None. Speed axis marks: SLS1 trip limit positive, SLS1 limit positive, Zero speed, SLS1 limit negative, SLS1 trip limit negative. Time axis mark: SLS time delay.]

| No | Name/Value | Description | Example value |
| 200 | Safety | Safety parameters |  |
| 60 | SLS1 input A | Digital input connected to the SLS with limits 1 (primary input) | DI X113:2 & X114:2 |
|  | DI X113:2 & X114:2 | Redundant input X113:2 & X114:2 | 2 |
| 61 | SLS1 input B | Digital input connected to the SLS with limits 1 (secondary input). Secondary input is mostly used for cascade connection (only SLS1 can be cascaded). | None |
|  | None | No input connected | 0 |
| 65 | SLS1 trip limit negative | SLS1 negative speed limit tripping the drive | -1020.0 rpm |
| 66 | SLS1 trip limit positive | SLS1 positive speed limit tripping the drive | 1320.0 rpm |
| 67 | SLS1 limit negative | SLS1 negative speed limit for the drive | -900.0 rpm |
| 68 | SLS1 limit positive | SLS1 positive speed limit for the drive | 1200.0 rpm |
| 81 | SLS activation monitoring method | Method of SLS activation monitoring | Time |
|  | Time | Time monitoring | 1 |
| 82 | SLS time delay | Delay for starting speed monitoring when time monitoring is used. | 2000 ms |
| 83 | SLS1 output A | Digital output connected to the SLS1 primary output | DO X114:7 |
|  | DO X114:7 | Single output X114:7 | 7 |
| 84 | SLS1 output B | Digital output connected to the SLS1 secondary output. Secondary output is mostly used for cascade connection. | None |
|  | None | No output connected | 0 |
| 88 | SLS acknowledgement | SLS acknowledgement method | Automatic |
|  | Automatic | Automatic acknowledgement after the removal of requests | 1 |

For SLSn (n = 2…4), instead of SLS1 parameters, configure the corresponding SLSn
parameters listed in the table below as appropriate. The Example value column
shows the parameter default values.
| No | Name/Value | Description | Example value |
| 200 | Safety | Safety parameters |  |
| 62 | SLS2 input | Digital input connected to the SLS with limits 2 | None |
|  | None | No input connected | 0 |
| 63 | SLS3 input | Digital input connected to the SLS with limits 3 | None |
|  | None | No input connected | 0 |
| 64 | SLS4 input | Digital input connected to the SLS with limits 4 | None |
|  | None | No input connected | 0 |
| 69 | SLS2 trip limit negative | SLS2 negative speed limit tripping the drive | -450.0 rpm |
| 70 | SLS2 trip limit positive | SLS2 positive speed limit tripping the drive | 450.0 rpm |
| 71 | SLS2 limit negative | SLS2 negative speed limit for the drive | -400.0 rpm |
| 72 | SLS2 limit positive | SLS2 positive speed limit for the drive | -400.0 rpm |
| 73 | SLS3 trip limit negative | SLS3 negative speed limit tripping the drive | -650.0 rpm |
| 74 | SLS3 trip limit positive | SLS3 positive speed limit tripping the drive | 650.0 rpm |
| 75 | SLS3 limit negative | SLS3 negative speed limit for the drive | -600.0 rpm |
| 76 | SLS3 limit positive | SLS3 positive speed limit for the drive | 600.0 rpm |
| 77 | SLS4 trip limit negative | SLS4 negative speed limit tripping the drive | -1050.0 rpm |
| 78 | SLS4 trip limit positive | SLS4 positive speed limit tripping the drive | 1050.0 rpm |
| 79 | SLS4 limit negative | SLS4 negative speed limit for the drive | -1000.0 rpm |
| 80 | SLS4 limit positive | SLS4 positive speed limit for the drive | 1000.0 rpm |
| 85 | SLS2 output | Digital output connected to the SLS2 | None |
|  | None | No output connected | 0 |
| 86 | SLS3 output | Digital output connected to the SLS3 | None |
|  | None | No output connected | 0 |
| 87 | SLS4 output | Digital output connected to the SLS4 | None |
|  | None | No output connected | 0 |

How to configure SLSn with ramp monitoring


To configure the SLSn (n = 1…4) with ramp monitoring, set the FSO-11 parameters
listed in the table below to appropriate values using the Drive composer pro PC tool.
For more information on the SLS function, see page 56.
Example: The figure below and the Example value column in the table show an
example of an SLS2 with ramp monitoring set-up:
• SLS2 (ramp monitored)
• redundant activation button connected to input
• single output connected
• positive limits: target 1200.0 rpm, trip limit 1320.0 rpm
• negative limits: target -900.0 rpm, trip limit -1020.0 rpm
• automatic acknowledgement.

[Figure: speed versus time for SLS2 with ramp monitoring. SLS activation monitoring method = Ramp (remember to configure SAR1); SLS acknowledgement; SLS2 input = DI X113:3 & X114:3; SLS2 output = DO X114:7. Speed axis marks: SLS2 limits and trip limits (positive and negative), Zero speed.]

| No | Name/Value | Description | Example value |
| 200 | Safety | Safety parameters |  |
| 62 | SLS2 input | Digital input connected to the SLS with limits 2 | DI X113:3 & X114:3 |
|  | DI X113:3 & X114:3 | Redundant input X113:3 & X114:3 | 3 |
| 69 | SLS2 trip limit negative | SLS2 negative speed limit tripping the drive | -1020.0 rpm |
| 70 | SLS2 trip limit positive | SLS2 positive speed limit tripping the drive | 1320.0 rpm |
| 71 | SLS2 limit negative | SLS2 negative speed limit for the drive | -900.0 rpm |
| 72 | SLS2 limit positive | SLS2 positive speed limit for the drive | 1200.0 rpm |
| 81 | SLS activation monitoring method | Method of SLS activation monitoring | Ramp |
|  | Ramp | Ramp monitoring | 0 |
| 85 | SLS2 output | Digital output connected to the SLS2 | DO X114:7 |
|  | DO X114:7 | Single output X114:7 | 7 |
| 88 | SLS acknowledgement | SLS acknowledgement method | Automatic |
|  | Automatic | Automatic acknowledgement after the removal of requests | 1 |

For SLSn (n = 1, 3…4), instead of SLS2 parameters, configure the corresponding
SLSn parameters listed in the table below as appropriate. The Example value column
shows the parameter default values.
| No | Name/Value | Description | Example value |
| 200 | Safety | Safety parameters |  |
| 60 | SLS1 input A | Digital input connected to the SLS with limits 1 (primary input) | None |
|  | None | No input connected | 0 |
| 61 | SLS1 input B | Digital input connected to the SLS with limits 1 (secondary input). Secondary input is mostly used for cascade connection (only SLS1 can be cascaded). | None |
|  | None | No input connected | 0 |
| 63 | SLS3 input | Digital input connected to the SLS with limits 3 | None |
|  | None | No input connected | 0 |
| 64 | SLS4 input | Digital input connected to the SLS with limits 4 | None |
|  | None | No input connected | 0 |
| 65 | SLS1 trip limit negative | SLS1 negative speed limit tripping the drive | -250.0 rpm |
| 66 | SLS1 trip limit positive | SLS1 positive speed limit tripping the drive | 250.0 rpm |
| 67 | SLS1 limit negative | SLS1 negative speed limit for the drive | -200.0 rpm |
| 68 | SLS1 limit positive | SLS1 positive speed limit for the drive | 200.0 rpm |
| 73 | SLS3 trip limit negative | SLS3 negative speed limit tripping the drive | -650.0 rpm |
| 74 | SLS3 trip limit positive | SLS3 positive speed limit tripping the drive | 650.0 rpm |
| 75 | SLS3 limit negative | SLS3 negative speed limit for the drive | -600.0 rpm |
| 76 | SLS3 limit positive | SLS3 positive speed limit for the drive | 600.0 rpm |
| 77 | SLS4 trip limit negative | SLS4 negative speed limit tripping the drive | -1050.0 rpm |
| 78 | SLS4 trip limit positive | SLS4 positive speed limit tripping the drive | 1050.0 rpm |
| 79 | SLS4 limit negative | SLS4 negative speed limit for the drive | -1000.0 rpm |
| 80 | SLS4 limit positive | SLS4 positive speed limit for the drive | 1000.0 rpm |
| 83 | SLS1 output A | Digital output connected to the SLS1 primary output | None |
|  | None | No output connected | 0 |
| 84 | SLS1 output B | Digital output connected to the SLS1 secondary output. Secondary output is mostly used for cascade connection. | None |
|  | None | No output connected | 0 |
| 86 | SLS3 output | Digital output connected to the SLS3 | None |
|  | None | No output connected | 0 |
| 87 | SLS4 output | Digital output connected to the SLS4 | None |
|  | None | No output connected | 0 |

Configuring SMS
How to configure SMS
To configure the SMS, set the FSO-11 parameters listed in the table below to
appropriate values using the Drive composer pro PC tool. For more information on
the SMS function, see page 58.
Example: The figure below and the Example value column in the table show an
example of an SMS set-up:
• SMS activated
• positive limit 1800.0 rpm
• negative limit -1200.0 rpm.

[Figure: speed versus time for the SMS function, showing SMS limit positive and SMS limit negative.]

| No | Name/Value | Description | Example value |
| 200 | Safety | Safety parameters |  |
| 92 | SMS function | SMS activation | Active |
|  | Active | Activates the SMS | 1 |
| 93 | SMS limit negative | Negative speed limit for the SMS | -1200.0 rpm |
| 94 | SMS limit positive | Positive speed limit for the SMS | 1800.0 rpm |
10. Start-up
Contents of this chapter
This chapter describes the general precautions to be taken before starting up the
safety system for the first time.

Safety considerations
The start-up may only be carried out by a qualified electrician. The safety instructions
must be followed during the start-up. See the drive and the safety component specific
safety instructions in the individual product manuals.

WARNING! Until all the safety functionality is validated, the system must not
be considered safe.

Checks
Before starting the system for the first time, make sure that
• the installation has been checked, according to the individual product checklists
(drive, safety component) and the checklist provided in this document
• all necessary configuration steps have been completed
• all tools are cleared from the installation area to prevent short circuits and
projectiles
• starting the system does not cause any danger.
For the start-up and validation of the STO, see chapter Planning the electrical
installation, section Implementing the Safe torque off function in the drive Hardware
manual.
11. Verification and validation
Contents of this chapter
This chapter describes verification and validation of the implemented safety
functionality.
Verification and validation produce documented proof of the compliance of the
implementation with specified safety requirements.
Further information can be found in Technical guide No. 10 - Functional safety
(3AUA0000048753 [English]).

Verifying the achieved SIL/PL level


Verification of the functional safety system demonstrates and ensures that the
implemented safety system meets the requirements specified for the system in the
safety requirements specification phase.
The most convenient way to verify that the implemented system reaches the required
SIL/PL level is to use specific safety calculator software.

Validation procedure

WARNING! Until all the safety functionality is validated, the system must not
be considered safe.

The acceptance test must be performed for each safety function.

The acceptance test using the start-up checklist described below (see Validation
checklist for start-up) must be performed:
• at initial start-up of the safety function
• after any changes related to the safety function (wiring, components, settings,
etc.)
• after any maintenance work related to the safety function.
The acceptance test should include at least the following steps:
• having an acceptance test plan
• testing all commissioned functions for proper operation
• testing all used inputs for proper operation
• testing all used outputs for proper operation
• documenting all acceptance tests performed
• having the person who performed the tests sign and archive the acceptance test
report for further reference.

Validation checklist for start-up


Validation of the STO function
Note: The STO is the basic safety function and it has to be validated first.
The acceptance tests for the STO function of the drive are described in chapter
Planning the electrical installation in the drive Hardware manual.

Validation of the other safety functions


Once the system is fully configured and wired for the safety functions, and the
start-up safety check has been done, you must carry out the following functional test
procedure for each configured safety function:
1. Have the system at the Operational state when the safety function is requested.
2. Initiate an implemented safety function by requesting it with the designated trigger
device.
3. Verify that the desired functionality takes place.
4. Ensure that the acknowledgement has been configured as suitable for the
application (for example manual/automatic acknowledgement).
5. Document the test results in the acceptance test report.
6. Sign and file the acceptance test report.

Validation of the SBC function


Follow the steps below to validate the SBC function with time controlled brake:
1. Ensure that parameter STO SBC usage is set to Delayed brake and parameter
STO SBC delay is set correctly (see section How to configure SBC after STO on
page 109 and How to configure SBC before STO on page 111).
2. Set parameter SBC feedback action in case of a problem on the SBC feedback
(STO or nothing).
3. Ensure that the drive can be run and stopped freely.
4. Start the drive to the maximum motor speed allowed for the application.
5. Activate the STO function (for example disconnect the signal from the field device
to the FSO-11 input).
6. Check that the SBC is activated after the motor has stopped when a positive STO
SBC delay is used. In case of a negative STO SBC delay, ensure that the SBC is
activated first and the STO after the delay has elapsed.
7. Check that the SBC feedback input is activated after the activation of the SBC
output.
8. Set an acknowledgement (for example with the control panel), restart the drive
and check that the brake will open and the motor runs normally.

Validation of the SSE and SS1 functions with time monitoring


Follow the steps below to validate the SSE and SS1 functions with time monitoring
(each function separately):
1. Check the SSE (SS1) input connections from the field equipment to the FSO-11
against the circuit diagrams.
2. Ensure that parameter SSE monitoring method is set to Time (parameter SS1
monitoring method is set to Time). See section How to configure SSE with time
monitoring on page 121 (How to configure SS1 with time monitoring on page 113).
3. Check that parameter SSE delay for STO (SS1 delay for STO) is set properly.
4. Start the drive and check that the motor can run at the maximum speed.
5. Activate the SSE or SS1 circuit (for example disconnect the signal from the field
device to the FSO-11 input).
6. Check that the speed ramps down properly and the time monitoring is set
correctly.
7. If the SBC is in use, check that the SBC is activated below the speed defined by
parameter SSE/SS1 SBC speed (SSE/SS1 SBC speed).
8. Check that the STO is activated.
9. Set an acknowledgement (for example with the control panel), restart the drive
and check that the motor runs normally.
10. If the motor can rotate in the reverse direction, repeat the test procedure for the
reverse direction.

Validation of the SSE and SS1 functions with ramp monitoring


Follow the steps below to validate the SSE and SS1 functions with ramp monitoring
(each function separately):
1. Check the SSE (SS1) input connections from the field equipment to the FSO-11
against the circuit diagrams.
2. Ensure that parameter SSE monitoring method is set to Ramp (parameter SS1
monitoring method is set to Ramp). See section How to configure SSE with ramp
monitoring on page 123 (How to configure SS1 with ramp monitoring on page
115).
3. Check that the SAR0 (SAR1) ramp times are set properly. See section How to
configure SARn on page 127.
4. Start the drive and check that the motor can run at the maximum speed.
5. Activate the SSE (SS1) circuit (for example disconnect the signal from the field
device to the FSO-11 input).
6. Check that the speed ramps down properly and the SAR0 (SAR1) monitoring is
set correctly.
7. If the SBC is in use, check that the SBC is activated below the speed defined by
parameter SSE/SS1 SBC speed (SSE/SS1 SBC speed).
8. Check that the STO is activated.
9. Set an acknowledgement (for example with the control panel), restart the drive
and check that the motor runs normally.
10. If the motor can rotate in the reverse direction, repeat the test procedure for the
reverse direction.

Validation of the SLS function with time monitoring


Follow the steps below to validate the SLS function with time monitoring:
1. Check the SLS1 input connections from the field equipment to the FSO-11 against
the circuit diagrams.
2. If the cascade connection is used, check the cascade connections and this
checklist in all cascaded drives.
3. Ensure that parameter SLS1 limit positive is set properly and parameter SLS1
limit negative is set to zero (see section How to configure SLSn with time
monitoring on page 128).
4. Set parameters SLS1 trip limit positive and SLS1 trip limit negative to the correct
values (less than the speed defined by parameter SMS limit positive and more
positive than the speed defined by parameter SMS limit negative).
5. Set parameter SLS time delay to the correct value.
6. Select the correct SLS acknowledgement method (parameter SLS
acknowledgement).
7. Start the drive and check that the motor can run at a higher speed than the speed
defined by parameter SLS1 limit positive.
8. Activate the SLS1 monitoring (for example disconnect the signal from the field
device to the FSO-11 input).
9. Check that the speed ramps to below the speed defined by parameter SLS1 limit
positive before SLS time delay has elapsed.
10. If needed according to the risk assessment, test the application so that the SLS1
ramp monitoring trips the drive and other cascaded drives (that is, ramp down by
SSE). Only the SLS1 can be cascaded.
11. If the SBC is in use, check that the SBC is activated below the speed defined by
parameter SSE/SS1 SBC speed.
12. Check that the STO is activated.
13. Set an acknowledgement (for example with the control panel) if the automatic
acknowledgement is not in use, restart the drive and check that the motor runs
normally.
14. If the motor can rotate in the reverse direction, repeat the test procedure for the
reverse direction.
15. Repeat the test with the other used SLS functions (only the SLS1 can be
cascaded).

Validation of the SLS function with ramp monitoring


Follow the steps below to validate the SLS function with ramp monitoring:
1. Check the SLS1 input connections from the field equipment to the FSO-11 against
the circuit diagrams.
2. If the cascade connection is used, check the cascade connections and this
checklist in all cascaded drives.
3. Ensure that parameter SLS1 limit positive is set properly and parameter SLS1
limit negative is set to zero (see section How to configure SLSn with ramp
monitoring on page 131).
4. Set parameters SLS1 trip limit positive and SLS1 trip limit negative to the correct
values (less than the speed defined by parameter SMS limit positive and more
positive than the speed defined by parameter SMS limit negative).
5. Check that the SAR0 ramp times are set properly (see section How to configure
SARn on page 127).
6. Select the correct SLS acknowledgement method (parameter SLS
acknowledgement).
7. Start the drive and check that the motor can run at a higher speed than the speed
defined by parameter SLS1 limit positive.
8. Activate the SLS1 monitoring (for example disconnect the signal from the field
device to the FSO-11 input).
9. Check that the speed ramps to below the speed defined by parameter SLS1 limit
positive and that the ramp conforms to the allowed rate between SAR0 min ramp time
to zero and SAR0 max ramp time to zero (see section How to configure SARn on page 127).
10. If needed according to the risk assessment, test the application so that the SLS1
time monitoring trips the drive and other cascaded drives (that is, ramp down by
SSE). Only the SLS1 can be cascaded.
11. If the SBC is in use, check that the SBC is activated below the speed defined by
parameter SSE/SS1 SBC speed.
12. Check that the STO is activated.
13. Set an acknowledgement (for example with the control panel) if the automatic
acknowledgement is not in use, restart the drive and check that the motor runs
normally.
14. If the motor can rotate in the reverse direction, repeat the test procedure for the
reverse direction.
15. Repeat the test with the other used SLS functions (only the SLS1 can be
cascaded).
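
One way to cross-check an exported parameter set against the relationships this manual states (SLS trip limits inside the SMS limits, SAR configured whenever ramp monitoring is selected) before running the SLS and SSE validation steps. This is an added example, not ABB code. The dictionary layout, the `check` function and three rules are assumptions drawn from the example values: an SLSn is in use when an input is assigned, the target ramp time lies between the minimum and maximum ramp times, and each SLS limit lies inside its trip limit.

```python
# Added example, not ABB code: offline cross-check of an FSO-11 parameter set.
# Keys are the group 200 parameter indices from the tables in this manual.
SSE_INPUT_A, SSE_MONITORING = 25, 28
SLS_MONITORING = 81
SMS_FUNCTION, SMS_NEG, SMS_POS = 92, 93, 94
SAR = {0: (103, 104, 105), 1: (106, 107, 108)}  # (ramp, min, max) time to zero, ms
# n: (inputs, trip limit negative, trip limit positive, limit negative, limit positive)
SLS = {
    1: ((60, 61), 65, 66, 67, 68),
    2: ((62,), 69, 70, 71, 72),
    3: ((63,), 73, 74, 75, 76),
    4: ((64,), 77, 78, 79, 80),
}


def assigned(params, index):
    """True when an input parameter has a digital input selected."""
    return params.get(index, "None") != "None"


def check(params):
    """Return [(parameter index, finding)] for a {index: value} dictionary."""
    findings = []
    sms_on = params.get(SMS_FUNCTION) == "Active"
    if sms_on:
        for i in (SMS_NEG, SMS_POS):
            if params.get(i) is None:
                findings.append((i, "SMS is active but this limit is not set"))
    sms_neg = params.get(SMS_NEG) if sms_on else None
    sms_pos = params.get(SMS_POS) if sms_on else None

    # Assumption: an SLSn is in use when one of its inputs is assigned.
    used = [n for n, row in SLS.items() if any(assigned(params, i) for i in row[0])]
    for n in used:
        _, trip_neg_i, trip_pos_i, lim_neg_i, lim_pos_i = SLS[n]
        unset = [i for i in SLS[n][1:] if params.get(i) is None]
        if unset:
            findings += [(i, f"SLS{n} is in use but this limit is not set") for i in unset]
            continue
        trip_neg, trip_pos = params[trip_neg_i], params[trip_pos_i]
        # Stated in the validation checklists: trip limits lie inside the SMS limits.
        if sms_neg is not None and not trip_neg > sms_neg:
            findings.append((trip_neg_i, f"SLS{n} trip limit is not above SMS limit negative"))
        if sms_pos is not None and not trip_pos < sms_pos:
            findings.append((trip_pos_i, f"SLS{n} trip limit is not below SMS limit positive"))
        # Assumption from the example values: the limit lies inside the trip limit.
        if params[lim_neg_i] < trip_neg:
            findings.append((lim_neg_i, f"SLS{n} limit is beyond its negative trip limit"))
        if params[lim_pos_i] > trip_pos:
            findings.append((lim_pos_i, f"SLS{n} limit is beyond its positive trip limit"))

    # "Remember to configure SAR0/SAR1": ramp monitoring needs the matching SAR.
    needed = set()
    if assigned(params, SSE_INPUT_A) and params.get(SSE_MONITORING) == "Ramp":
        needed.add(0)
    if used and params.get(SLS_MONITORING) == "Ramp":
        needed.add(1)
    for n, (ramp_i, min_i, max_i) in SAR.items():
        ramp, lo, hi = (params.get(i) for i in (ramp_i, min_i, max_i))
        if None in (ramp, lo, hi):
            if n in needed:
                findings.append((ramp_i, f"ramp monitoring selected but SAR{n} is not fully set"))
            continue
        # Assumption from the example values (500 <= 800 <= 1000 ms).
        if not lo <= ramp <= hi:
            findings.append((ramp_i, f"SAR{n} ramp time is outside its min/max window"))
    return findings


# Example values taken from the SSE, SAR0, SLS1 and SMS tables in this manual.
PAGE_EXAMPLE = {
    25: "DI X113:1 & X114:1", 28: "Ramp",
    103: 800, 104: 500, 105: 1000,
    60: "DI X113:2 & X114:2", 61: "None",
    65: -1020.0, 66: 1320.0, 67: -900.0, 68: 1200.0,
    81: "Time",
    92: "Active", 93: -1200.0, 94: 1800.0,
}
# Constructed variant: SMS limit lowered below the SLS1 trip limit, SAR0 minimum
# raised above its target, SLS switched to ramp monitoring with SAR1 left unset.
DRIFTED = {**PAGE_EXAMPLE, 81: "Ramp", 94: 1300.0, 104: 900}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("drifted", DRIFTED)):
        print(name)
        for index, finding in check(cfg) or [("-", "no findings")]:
            print(f"  {index}: {finding}")
```

Run it against the values read back from the module after any configuration change, and keep the output with the acceptance test report.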

Validation of the SMS function


Follow the steps below to validate the SMS function:
1. Ensure that the SMS is activated (see section How to configure SMS on page
134).
2. Set parameter SMS limit positive to half of the value to be used in the application
and parameter SMS limit negative to zero.
3. Ensure that the drive can be run and stopped freely.
4. Start up the drive and accelerate in the forward direction to a speed reference
higher than the SMS limit positive.
5. The FSO-11 detects overspeed. As a result the STO is activated, and the drive
displays a warning.
6. Set an acknowledgement (for example with the control panel), restart the drive
and check that the motor runs normally.
7. If the motor can rotate in the reverse direction, set parameter SMS limit positive to
zero and parameter SMS limit negative to half of the value to be used in the
application and repeat the test procedure for the reverse direction.
8. Set parameters SMS limit positive and SMS limit negative to their proper values.
9. Repeat the test procedure as near as possible to the maximum design speed of the
machinery. This design speed must be the same as or higher than the maximum speed
of the drive.
10. Restart the drive and check that the motor can run at the maximum and minimum
speeds.

WARNING! If the SMS test is to be performed with the machinery coupled to
the motor, make sure that the machinery is able to withstand the fast speed
changes and the set maximum speed.

Authorized person
The acceptance test of a safety function must be carried out by an authorized person.
The authorized person is authorized by the machine manufacturer and has expertise
and knowledge of the safety function. The test report must be documented and
signed by the authorized person.

Acceptance test reports


Signed acceptance test reports must be stored in the logbook of the machine. The
report must include documentation of the start-up activities and test results,
references to the failure reports and resolution of failures. Any new acceptance test
performed due to changes or maintenance must also be logged in the logbook.

Note: It is always the responsibility of the machine builder to ensure that the
functionality of all the required safety functions has been appropriately verified and
validated.

WARNING! Until all the safety functionality is verified and working properly, the
system must not be considered safe.

Proof test intervals during operation


Proof tests are intended to ensure that the safety integrity of a safety system is
maintained continuously and does not deteriorate over time. Proof tests are often
required for mechanical brakes, for example. Proof tests are used mainly for parts of
the system that cannot be automatically diagnosed.
The proof test interval is the interval between two proof tests. When the proof test
interval has elapsed, the safety system has to be tested and restored to an "as new"
condition. The proof test must also be part of the regular maintenance plan.
For some of the components (electronics), the proof test interval is the same as the
expected life time of the system.
Specific safety calculator software can assist in determining the requirements for
the proof tests.

Residual risks
The safety functions are used to reduce the recognized hazardous conditions. In
spite of this, it is not always possible to eliminate all potential hazards. Therefore the
warnings for the residual risks must be given to the operators.
12. Fault tracing
Contents of this chapter
This chapter describes the status LEDs and provides generic diagnostics and
troubleshooting tips for FSO-11 related faults generated by the drive.

Status LEDs
The status LEDs are situated on the front of the FSO-11 module. The table below
describes the status LED indications.
| LED | LED off | LED lit and steady | LED blinking |
| POWER | No power | Green: Power to the FSO-11 is on. | - |
| RUN | FSO-11 is in the Fault state, and Safe state (STO activated). | Green: FSO-11 is in the Operational or Safe state. | Green: FSO-11 is in the Configuration or Start-up state. |
| STATUS/FAULT | The drive is in normal operation, without active safety functions and no faults. | Green: A safety function is active. | Green: Request for a safety function has ended but it has not been acknowledged. |
|  |  | Red: A fault or FSO-11 is in the Configuration state (RUN LED is blinking) | - |
| STO | The STO circuit is closed and the drive is in operation. | Green: The STO circuit is open. | - |

Faults
| Code (hex) | Fault | Cause | What to do |
| 7A8B | FSO general fault | A general fault trip. | See the warning log for more information on the actual cause. 1) |
| 7A90 | FSO stop completed | FSO module has completed STO, SS1 or SSE function. | - 2) |
| 7A91 | FSO safe speed limit | Motor actual speed exceeded a safe speed limit of the FSO module. | Check the drive. 3) |
| 7A92 | FSO out of eme ramp | Motor speed was not inside the ramp window during the SSE function. | Make sure that the drive can decelerate the load using the ramp time (103 SAR0 ramp time to zero). 3) |
| 7A93 | FSO ramp coasted | Drive coasted the motor to stop instead of using the ramp. | Check that the FSO module speed limit for stopping the ramp deceleration is not excessive (163 Zero speed without encoder). 3) |

1) This fault always follows certain malfunctions which the FSO module indicates by warnings. The FSO
module generates a warning indication first to allow the drive to control the system to a safe state after which
the drive trips (to this fault).
2) This is a user-selectable event for a function request. See parameter 167 STO indication ext request and
the subsection User-selectable events for the function requests on page 154.
3) This is a user-selectable event for a limit hit or a special event. See parameter 168 STO indication safety
limit and the subsection User-selectable events for the limit hits and special events on page 155.

Warnings
| Code (hex) | Warning | Cause | What to do |
| A7D0 | FSO general warnings | Warning from the FSO module, for example: transition to the Configuration state; acknowledgement button operated in a wrong way | See Aux code for more details (for the moment, for ABB internal use only). |
| A7D1 | FSO internal fault | Internal fault in the FSO module | Replace the FSO module. Contact your local ABB representative. See the Aux code for more details (for the moment, for ABB internal use only). 1) |
| A7D2 | FSO IO fault | Problems in the I/O cabling | Check the FSO-11 I/O cabling. See the Aux code for more details (for the moment, for ABB internal use only). 1) |
| A7D3 | FSO STO fault | Problems in the STO cabling or inside the drive | Check the FSO-11 STO cabling. 1) |
| A7D5 | FSO communication fault | Fault in FSO communication | Check all connections. See the Aux code for more details (for the moment, for ABB internal use only). 1) |
| A7D7 | FSO configuration fault | Fault in FSO configuration | Check the FSO module parameter settings. 1) |
| A7D9 | FSO encoderless fault | Speed estimate is too high | Check the behavior of the driven load compared with the drive control parameter settings. Check suitability of the drive train and the motor. Adapt control parameters if gear play or torsional rigidity causes problems. 1) |
| A7DA | FSO temperature fault | FSO module temperature is excessive. | Check ambient conditions. Boot the FSO module (power switch off/on). Replace the FSO-11 module. Contact your local ABB representative. 1) |
| AA90 | FSO stop completed | FSO module has completed STO, SS1 or SSE function. | - 2) |
| AA91 | FSO safe speed limit | Motor actual speed exceeded the Safe speed limit of the FSO module. | Check the drive. 3) |
| AA92 | FSO out of eme ramp | Motor speed was not inside the ramp window during the SSE function. | Make sure that the drive can decelerate the load using the ramp time (103 SAR0 ramp time to zero). 3) |
| AA93 | FSO ramp coasted | Drive coasted the motor to stop instead of using the ramp. | Check that the FSO module zero speed limit for the deceleration ramp is not excessive (163 Zero speed without encoder). 3) |
| AAA1 | FSO STO request | FSO module received an external STO request. | - 2) |
| AAA2 | FSO SSE request | FSO module received an external SSE request. | - 2) |
| AAA3 | FSO SS1 request | FSO module received an external SS1 request. | - 2) |
| AAA4 | FSO SLS1 hit | FSO module detected a SLS1 speed limit violation. | Check the drive. 3) |
| AAA5 | FSO SLS2 hit | FSO module detected a SLS2 speed limit violation. | Check the drive. 3) |
| AAA6 | FSO SLS3 hit | FSO module detected a SLS3 speed limit violation. | Check the drive. 3) |
| AAA7 | FSO SLS4 hit | FSO module detected a SLS4 speed limit violation. | Check the drive. 3) |
| AAA8 | FSO SMS hit | FSO module detected a SMS speed limit violation. | Check the drive. 3) |
| AAA9 | FSO SAR0 hit | FSO module detected a SAR0 limit violation. | Make sure that the drive can decelerate the load using the ramp time (103 SAR0 ramp time to zero). 3) |
| AAAA | FSO SAR1 hit | FSO module detected a SAR1 limit violation | Make sure that the drive can decelerate the load using the ramp time (106 SAR1 ramp time to zero). 3) |
| AAB2 | FSO ramp time hit | FSO module detected a violation of a time monitored ramp | Make sure that the drive can decelerate the load within the time defined for ramp time monitoring. Check the drive ramp time settings. Check that the drive can in fact accomplish the deceleration along the ramp defined. Make sure that the limit for ramp time monitoring of the FSO module exceeds the actual drive ramp time. The parameter varies depending on the safety function. For the SS1 function it is 38 SS1 delay for STO. 3) |
| AAB3 | FSO zero spd hit | Drive speed rushed during zero speed delay | Check the drive. 3) |
AAB4 FSO speed sync FSO module detected a Restart the drive and FSO module. 3)
fail difference between the
two monitored motor
speed values (239 FSO
speed ch1 and 240 FSO
speed ch2).

1) This warning actually indicates a fault. However, the FSO module generates a warning indication first to
allow the drive to control the system to a safe state. When the system is in safe state, the drive trips. Fault
indication is 7A8B FSO general fault.
2) This is a user-selectable event for a function request. See parameter 167 STO indication ext request and
the subsection User-selectable events for the function requests on page 154.
3) This is a user-selectable event for a limit hit or a special event. See parameter 168 STO indication safety
limit and the subsection User-selectable events for the function requests on page 154.

Events
| Code (hex) | Event | Cause | What to do | Note |
|---|---|---|---|---|
| B790 | FSO general event | The FSO module generated an event other than fault or warning. | See Aux code for more details (for the moment, for ABB internal use only). | |
| BA90 | FSO stop completed | FSO module has completed STO, SS1 or SSE function. | - | 1) |
| BA91 | FSO safe speed limit | Motor actual speed exceeded the Safe speed limit of the FSO module. | Check the drive. | 2) |
| BA92 | FSO out of eme ramp | Motor speed was not inside the ramp window during the SSE function. | Make sure that the drive can decelerate the load using the ramp time (103 SAR0 ramp time to zero). | 2) |
| BA93 | FSO ramp coasted | Drive coasted the motor to stop instead of using the ramp. | Check that the FSO module zero speed limit for the deceleration ramp is not excessive (163 Zero speed without encoder). | 2) |
| BAA1 | FSO STO request | FSO module received an external STO request. | - | 1) |
| BAA2 | FSO SSE request | FSO module received an external SSE request. | - | 1) |
| BAA3 | FSO SS1 request | FSO module received an external SS1 request. | - | 1) |
| BAA4 | FSO SLS1 hit | FSO module detected a SLS1 speed limit violation. | Check the drive. | 2) |
| BAA5 | FSO SLS2 hit | FSO module detected a SLS2 speed limit violation. | Check the drive. | 2) |
| BAA6 | FSO SLS3 hit | FSO module detected a SLS3 speed limit violation. | Check the drive. | 2) |
| BAA7 | FSO SLS4 hit | FSO module detected a SLS4 speed limit violation. | Check the drive. | 2) |
| BAA8 | FSO SMS hit | FSO module detected a SMS speed limit violation. | Check the drive. | 2) |
| BAA9 | FSO SAR0 hit | FSO module detected a SAR0 limit violation. | Make sure that the drive can decelerate the load using the ramp time (103 SAR0 ramp time to zero). | 2) |
| BAAA | FSO SAR1 hit | FSO module detected a SAR1 limit violation | Make sure that the drive can decelerate the load using the ramp time (106 SAR1 ramp time to zero). | 2) |
| BAB2 | FSO ramp time hit | FSO module detected a violation of a time monitored ramp | Make sure that the drive can decelerate the load within the time defined for ramp time monitoring. • Check the drive ramp time settings. • Check that the drive can in fact accomplish the deceleration along the ramp defined. Make sure that the limit for ramp time monitoring of the FSO module exceeds the actual drive ramp time. The parameter varies depending on the safety function. For the SS1 function it is 38 SS1 delay for STO. | 2) |
| BAB3 | FSO zero spd hit | Drive speed rushed during zero speed delay | Check the drive. | 2) |
| BAB4 | FSO speed sync fail | FSO module detected a difference between the two monitored motor speed values (239 FSO speed ch1 and 240 FSO speed ch2). | Restart the drive and FSO module. | 2) |

1) This is a user-selectable event for a function request. See parameter 167 STO indication ext request and
the subsection User-selectable events for the function requests on page 154.
2) This is a user-selectable event for a limit hit or a special event. See parameter 168 STO indication safety
limit and the subsection User-selectable events for the function requests on page 154.

Event types
The FSO module generates three types of events to the drive:
• Pure events, which are just informative data
• Warnings, which are shown to the user
• Faults, which stop the drive and are shown to the user.
The user can select the event type (warning, fault or event) for certain function
requests and limit hits:
• Parameter 167 STO indication ext request defines the event type for the STO,
SS1 and SSE function requests. The same parameter also defines the event type
that the FSO module generates when the function is completed.
• Parameter 168 STO indication safety limit defines the event type for the limit hits
of:
  • SLS1, …, SLS4 and SMS functions
  • ramp monitoring and time monitoring of the safety ramps SAR0 and SAR1.

User-selectable events for the function requests

The table below lists the user-selectable events related to the function requests.

Events depending on the event type selection (parameter 167):

| Function | Incident | Fault | Warning | Event |
|---|---|---|---|---|
| STO function | STO request | AAA1 FSO STO request (warning) 1) | AAA1 FSO STO request | BAA1 FSO STO request |
| STO function | STO completed | 7A90 FSO stop completed | AA90 FSO stop completed | BA90 FSO stop completed |
| SS1 function | SS1 request | AAA3 FSO SS1 request (warning) 1) | AAA3 FSO SS1 request | BAA3 FSO SS1 request |
| SS1 function | SS1 completed | 7A90 FSO stop completed | AA90 FSO stop completed | BA90 FSO stop completed |
| SSE function | SSE request | AAA2 FSO SSE request (warning) 1) | AAA2 FSO SSE request | BAA2 FSO SSE request |
| SSE function | SSE completed | 7A90 FSO stop completed | AA90 FSO stop completed | BA90 FSO stop completed |

1) If you select Fault for parameter 167 STO indication ext request, the FSO module
generates a warning at the function request, and a fault trip only after the function is
completed. The fault trip is delayed because the drive must be able to control the
system to the safe state first.
Note: If you select None for parameter 167 STO indication ext request, the FSO
module generates no event when it receives a function request or detects that the
function is completed.

User-selectable events for the limit hits and special events

The table below lists user-selectable events related to the limit hits.

Events depending on the event type selection (parameter 168):

| Limit | Incident | Fault | Warning | Event |
|---|---|---|---|---|
| SLS1 | SLS1 limit hit | AAA4 FSO SLS1 hit (warning) 1) | AAA4 FSO SLS1 hit | BAA4 FSO SLS1 hit |
| SLS1 | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| SLS2 | SLS2 limit hit | AAA5 FSO SLS2 hit (warning) 1) | AAA5 FSO SLS2 hit | BAA5 FSO SLS2 hit |
| SLS2 | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| SLS3 | SLS3 limit hit | AAA6 FSO SLS3 hit (warning) 1) | AAA6 FSO SLS3 hit | BAA6 FSO SLS3 hit |
| SLS3 | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| SLS4 | SLS4 limit hit | AAA7 FSO SLS4 hit (warning) 1) | AAA7 FSO SLS4 hit | BAA7 FSO SLS4 hit |
| SLS4 | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| SMS | SMS limit hit | AAA8 FSO SMS hit (warning) 1) | AAA8 FSO SMS hit | BAA8 FSO SMS hit |
| SMS | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| SAR0 | SAR0 limit hit | AAA9 FSO SAR0 hit (warning) 1) | AAA9 FSO SAR0 hit | BAA9 FSO SAR0 hit |
| SAR0 | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| SAR1 | SAR1 limit hit | AAAA FSO SAR1 hit (warning) 1) | AAAA FSO SAR1 hit | BAAA FSO SAR1 hit |
| SAR1 | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| Ramp time hit | Ramp time hit | AAB2 FSO ramp time hit (warning) 1) | AAB2 FSO ramp time hit | BAB2 FSO ramp time hit |
| Ramp time hit | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| Zero speed hit | Zero speed hit | AAB3 FSO zero spd hit (warning) 1) | AAB3 FSO zero spd hit | BAB3 FSO zero spd hit |
| Zero speed hit | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |
| Speed values not in synchrony | Speeds not in sync. | AAB4 FSO speed sync fail (warning) 1) | AAB4 FSO speed sync fail | BAB4 FSO speed sync fail |
| Speed values not in synchrony | System at safe state | 7A91 FSO safe speed limit | AA91 FSO safe speed limit | BA91 FSO safe speed limit |

1) If you select Fault for parameter 168 STO indication safety limit, the FSO module
generates a warning at the limit hit, and a fault only after the system is at a safe state.
Note: If you select None for parameter 168 STO indication safety limit, the FSO
module generates no event when it detects a limit hit.

Auxiliary code
Faults, warnings and events have 32-bit auxiliary codes, which help in pinpointing the
problem. Consult ABB for more information on the auxiliary codes.
13. Maintenance
Contents of this chapter
This chapter explains replacement of the FSO-11 module in case of a module failure,
reinstalling the FSO-11 module to another drive, updating the firmware of the drive
where the FSO-11 is installed, factory reset, FSO-11 update and decommissioning as
well as proof tests.

WARNING! Read and follow the instructions in chapter Safety instructions in
the drive Hardware manual. Ignoring the instructions can cause physical injury
or death, or damage to the equipment.

FSO-11 module failure


If the FSO-11 module fails to operate, you have to replace it with a new one; the
module is not repairable.
Note: Fail safe state: When FSO-11 is in fail safe state, it can be recovered by cycling
power supply or by restarting with drive parameter 96.06 Parameter restore.

WARNING! Read and follow the instructions in chapter Safety instructions in
the drive Hardware manual. Ignoring the instructions can cause physical injury
or death, or damage to the equipment.

Replacing the FSO-11 module

1. Stop the driven machinery and prevent an unexpected start-up.
2. Upload the FSO-11 parameters from the FSO-11 to the Drive composer pro PC
tool and save the safety file.
3. Disconnect the supply with the supply disconnecting device.
4. Disconnect the auxiliary voltage supply to the FSO-11.
5. Remove the wiring and the FSO-11 module.
6. Mark clearly on the FSO-11 module that it is decommissioned.
7. Install the new FSO-11 module and wiring according to chapter Installation on
page 65.
8. Download the FSO-11 parameters from the Drive composer pro PC tool to the
FSO-11 according to chapter Configuration on page 73.
9. Perform the start-up procedure according to chapter Start-up on page 135.
10. Perform the validation procedure for each safety function according to chapter
Verification and validation on page 137.
Note: The STO is the basic safety function and it has to be validated first. The
acceptance tests for the STO function of the drive are described in chapter
Planning the electrical installation in the drive Hardware manual.
11. Update the HW and SW versions of the new FSO-11 to the logbook of the driven
machine.

Drive replacement
If you have to replace the drive where the FSO-11 is installed, for example because of
a serious drive failure, follow the procedure below.

Reinstalling the FSO-11 module to another drive

1. Stop the driven machinery and prevent an unexpected start-up.
2. Upload the FSO-11 parameters from the FSO-11 to the Drive composer pro PC
tool and save the safety file.
3. Disconnect the supply with the supply disconnecting device.
4. Disconnect the auxiliary voltage supply to the FSO-11.
5. Remove the wiring and the FSO-11 module.
6. Install the new drive. See the drive Hardware manual.
7. Install the FSO-11 module and wiring to the new drive according to chapter
Installation on page 65.
8. Download the FSO-11 parameters from the Drive composer pro PC tool to the
FSO-11 according to chapter Configuration on page 73.
9. Perform the start-up procedure according to chapter Start-up on page 135.
10. Perform the validation procedure for each safety function according to chapter
Verification and validation on page 137.
Note: The STO is the basic safety function and it has to be validated first. The
acceptance tests for the STO function of the drive are described in chapter
Planning the electrical installation in the drive Hardware manual.
11. Update the HW and SW versions of the new drive to the logbook of the driven
machine.

Drive firmware update


If you have to update the firmware of the drive where the FSO-11 is installed, follow
the procedure below.

Updating the firmware of the drive where the FSO-11 is installed

1. Stop the driven machinery and prevent an unexpected start-up.
2. Upload the FSO-11 parameters from the FSO-11 to the Drive composer pro PC
tool and save the safety file.
3. Update the firmware of the drive.
4. Download the FSO-11 parameters from the Drive composer pro PC tool to the
FSO-11 according to chapter Configuration on page 73.
5. Perform the start-up procedure according to chapter Start-up on page 135.
6. Perform the validation procedure for each safety function according to chapter
Verification and validation on page 137.
Note: The STO is the basic safety function and it has to be validated first. The
acceptance tests for the STO function of the drive are described in chapter
Planning the electrical installation in the drive Hardware manual.
7. Update the HW and SW versions of the new drive to the logbook of the driven
machine.

Factory reset
Do a factory reset if
• you forget the password
• you want to do the configuration again from scratch.
Note: The factory reset clears the configuration and takes the factory default
values back in use. These default values are not the same as the pre-set values
in a delivered FSO-11 and these default values are invalid for restart. The
FSO-11 needs a full reconfiguration before it can be restarted.
1. Lift the Factory reset label to the right of the I/O terminals and push the button
underneath with for example a pen until the LEDs start to blink (about 5 seconds).
This returns the factory settings (parameters, including the password) to the
FSO-11.

2. Reconfigure the safety functions with the Drive composer pro PC tool. Make sure
that parameter 9 Restart delay after STO is set to a proper value.
3. Specify a new password with the tool.

Update
After any changes in the safety application or the safety system configuration, you
must perform the acceptance tests to verify that the safety functionality is maintained.
See chapter Verification and validation on page 137.

Proof tests
If periodic proof testing is necessary based on the safety calculations, you must
include proof tests in the maintenance plan and perform them periodically. See also
section Proof test intervals during operation on page 145.

Decommissioning
When decommissioning the FSO-11, make sure that the safety of the machine is
maintained until the decommissioning is complete. Mark clearly on the FSO-11
module that it is decommissioned.
14. Technical data
Contents of this chapter
This chapter contains the technical specifications of the FSO-11.

Electrical data
Supply voltage: +24 ± 3 V DC
Current consumption: Maximum 1000 mA
Inputs: 4 redundant or 8 single, or combinations of redundant and single, 24 V DC NPN
Outputs: 3 redundant or 6 single, or combinations of redundant and single, 24 V DC PNP

Control connection data


Logic levels: “0” < 5 V, “1” > 15 V
Digital input impedance: 4 kohm
Digital output drive capability: 150 mA each, 700 mA total
Max. allowed cable length between the drive and the activation switch: 250 m (820 ft)

Terminal and lead-through data for the control cables


Conductor size, one conductor:

| Conductor type | Min/Max mm² | Min/Max AWG |
|---|---|---|
| Solid or stranded | 0.14/1.5 | 26/16 |
| Stranded, ferrule without plastic sleeve | 0.25/1.5 | 23/16 |
| Stranded, ferrule with plastic sleeve | 0.25/0.5 | 23/21 |

Tightening torque: 0.24 N·m (2.1 lbf·in)

Conductor size, two conductors with the same cross section:

| Conductor type | Min/Max mm² | Min/Max AWG |
|---|---|---|
| Solid | 0.08/0.5 | 28/21 |
| Stranded | 0.08/0.75 | 28/19 |
| Stranded, ferrules without plastic sleeve | 0.25/0.34 | 23/22 |
| Stranded, TWIN ferrules with plastic sleeve | 0.5/0.5 | 21/21 |

Tightening torque: 0.24 N·m (2.1 lbf·in)

Degrees of protection
Degree of protection IP20

Size and weight


| | mm | in | kg | lb |
|---|---|---|---|---|
| Length | 100 | 3.94 | - | - |
| Width | 60 | 2.36 | - | - |
| Depth (with wiring) | 50 | 1.97 | - | - |
| Weight | - | - | 0.230 | 0.507 |

Cooling
Cooling method Dry clean air (natural convection)

Speed estimation
Speed range: Allowed range depends on the used motor. Maximum range:
(-18000…+18000 rpm)/(number of motor pole pairs).
Accuracy: Static situation: With nominal speed and torque ± 30 rpm.
Dynamic situation: Depends on the torque. For example, without torque, the tripping
limit is higher than the SLS trip limit parameter defines.
Operational frequency: Drive output up to 200 Hz

Ambient conditions
| | Operation (installed for stationary use) | Storage (in the protective package) | Transportation (in the protective package) |
|---|---|---|---|
| Altitude | 0…1000 m (0…3300 ft) above sea level, no derating required. 1000…2000 m (3300…6600 ft) above sea level, air outside the module derated to -15…+49 °C (+5…+120 °F). 2000…4000 m (6600…13200 ft) above sea level, air outside the module derated to -15…+40 °C (+5…+104 °F). | - | - |
| Air temperature | -15…+70 °C (+5…+158 °F); +70 °C (+158 °F) inside the module | -40…+70 °C (-40…+158 °F) | -40…+70 °C (-40…+158 °F) |
| Relative humidity | 5…95%, no condensation allowed | 5…95%, no condensation allowed | 5…95%, no condensation allowed |

Safety functionality
Stopping functions
STO Safe torque off
SBC Safe brake control
SS1 Safe speed 1
SSE Safe stop emergency
Speed-related functions
SLS Safely-limited speed
SMS Safe maximum speed
SAR Safe acceleration range - SAR is only used for deceleration with SS1, SSE and SLS
Safety data
General
To determine the SIL/PL capability of the whole safety function where FSO-11 is
included, the failure rates (PFD/PFHd) of all components implementing the safety
function (see the figure on page 167) must be added.

[Figure: components of the safety function. Switch or input device; FSO-11 (Digital input,
Speed measurement 1), Logic, STO output, Digital output); Drive (Drive STO); additional
actuator, eg relay, or cascaded FSO-11.]

The safety data of the FSO-11 and the drive is composed of the safety data of the
subsystems used in the FSO-11 and the safety data of the drive STO.
1) The Speed measurement subsystem of the FSO-11 is only included in those safety
functions that measure the speed of a motor. For example the Prevention of unexpected
start-up or the SSE with stop category 0 (drive coasts to a stop) do not use the speed
measurement subsystem.

• FSO-11 module with its subsystems. The FSO-11 acts as the logic part in the
safety function. Safety data for different subsystems is shown in section Basic
safety data on page 169. Safety data for some typical configurations of these
subsystems is pre-calculated and shown in section Safety data for some typical
configurations on page 171.
• Drive STO. All safety functions implemented with the FSO-11 utilize the drive
STO as the actuator. For the safety data, see the drive Hardware manual.
• SLS function. SLS always uses the Speed measurement subsystem.
• SMS function. The SMS function uses only the FSO subsystems Speed
measurement, Logic 2 and STO output. The SMS function is not controlled by inputs,
and it does not control any outputs.
• Functions which monitor the ramp speed (e.g. Emergency stop function).
These functions do not contain the Speed measurement subsystem, as the speed
monitoring implements diagnostics, not the actual safety function.
• Feedback. Feedback circuit is not part of safety calculations. Thus the external
feedback contacts that are connected to the digital inputs of the FSO module are
not included in the calculations either.
• Sensors, input devices and possible additional actuators. For the safety data,
see the manufacturer’s documentation.
After calculating the total PFD/PFHd for the safety function, it must be verified that the
PFD/PFHd of the safety function fulfills the requirement for the targeted SIL/PL.
Basic safety data

The FSO-11 data related to safety standards IEC 61508, EN 61800-5-2,
EN ISO 13849-1 and EN 62061 is listed below for the different subsystems within
the FSO module. The given safety data applies with proof test interval T1 = 20 years
(high demand and continuous mode of operation) and T1 = 2 years (low demand
mode of operation). Make sure that the proof test is performed within this time.

| EN 61508 | EN ISO 13849-1 | EN 62061 |
|---|---|---|
| SIL up to 3 | PL up to e | SILCL 3 |
| SC 3 | | |

| | 1-ch. DI, pulses | 2-ch. DI, pulses | 1-ch. DI, no pulses | 2-ch. DI, no pulses | Logic 1, 1-ch. DI or DO, no pulses 1) | Logic 2, other cases 1) |
|---|---|---|---|---|---|---|
| SIL/SILCL | 3 | 3 | 2 | 3 | 1 | 3 |
| PL | d | e | c | e | c | e |
| PFHd (1/h) (T1 = 20 a) | 5.08E-10 | 1.19E-12 | 5.94E-09 | 1.14E-11 | 1.30E-08 | 6.63E-11 |
| PFDG (1/h) (T1 = 2 a) | 4.71E-06 | 1.60E-08 | 5.20E-05 | 1.05E-07 | 1.05E-04 | 1.12E-05 |
| MTTFd (a) | 19228 | 19228 | 19228 | 19228 | 3762 | 3762 |
| HFT | 0 | 1 | 0 | 1 | 0 | 1 |
| Cat. | 2 | 3 | 1 | 3 | 1 | 3 |
| SFF (%) | 99.64 | 99.96 | 95.80 | 99.60 | 73.72 | 93.34 |
| DC (%) | 91.44 | 99.00 | 0.00 | 90.38 | 57.00 | 89.11 |

1) Either logic subsystem (Logic 1 or Logic 2) is included in each safety function implemented
with the FSO-11. If the safety function contains any 1-channel digital input or output of the
FSO-11 with non-pulsed signals, the subsystem "Logic 1” must be used. Otherwise the
subsystem "Logic 2" is used.

| | 1-ch. DO, pulses | 2-ch. DO, pulses | 1-ch. DO, no pulses 1) | 2-ch. DO, no pulses | STO output | Speed meas. |
|---|---|---|---|---|---|---|
| SIL/SILCL | 3 | 3 | 1 | 3 | 3 | 3 |
| PL | d | e | c | e | e | e |
| PFHd (1/h) (T1 = 20 a) | 8.82E-10 | 9.24E-12 | 4.58E-08 | 9.18E-11 | 1.06E-11 | 6.60E-09 |
| PFDG (1/h) (T1 = 2 a) | 9.90E-06 | 1.25E-07 | 4.01E-04 | 8.43E-07 | 1.43E-07 | 9.78E-05 |
| MTTFd (a) | 2472 | 2472 | 2472 | 2472 | 2154 | 251 |
| HFT | 0 | 1 | 0 | 1 | 1 | 1 |
| Cat. | 2 | 3 | 1 | 3 | 3 | 4 |
| SFF (%) | 99.69 | 99.84 | 83.74 | 98.38 | 99.81 | 99.00 |
| DC (%) | 98.09 | 99.00 | 0.88 | 90.10 | 99.00 | 99.00 |

1) Hint: If you use a 1-channel digital output without the test pulses but you connect a status indication of the
output back to a FSO module input, for example, by using an external auxiliary contact, you can use the safety
data for 1-ch. DO, pulses in the calculations instead of the data for 1-ch. DO, no pulses. (You do not need to
include the safety data of the feedback, in other words the data for the input to which the status indication is
connected.)

Safety data for some typical configurations

The table below shows FSO-11 safety data for some safety functions with typical
combinations of the FSO module subsystems. See section Basic safety data on page
169 for more information on the subsystems.
Prevention of unexpected start-up / Emergency stop, with a safe output (e.g. releasing a mechanical
brake):

| Subsystems used in the safety function | PFHd (h⁻¹) | PFDG | SFF (%) | HFT | SIL/SILCL | MTTFd (a) | DC (%) | Cat. | PL |
|---|---|---|---|---|---|---|---|---|---|
| 1-channel pulsed DI, Logic 2, STO-output, 1-channel pulsed output | 1.47E-09 | 2.60E-05 | 99.30 | 0 | 3 | 842.77 | 96.14 | 2 | d |
| 1-channel non-pulsed DI, Logic 1, STO-output, 1-channel non-pulsed output | 6.48E-08 | 5.58E-04 | 92.56 | 0 | 2 | 842.77 | 51.80 | 1 | c |
| 2-channel pulsed DI, Logic 2, STO-output, 2-channel pulsed output | 8.73E-11 | 1.15E-05 | 99.42 | 1 | 3 | 842.77 | 96.78 | 3 | e |
| 2-channel non-pulsed DI, Logic 2, STO-output, 2-channel non-pulsed output | 1.80E-10 | 1.23E-05 | 98.80 | 1 | 3 | 842.77 | 93.37 | 3 | e |

SLS, with a safe status output:

| Subsystems used in the safety function | PFHd (h⁻¹) | PFDG | SFF (%) | HFT | SIL/SILCL | MTTFd (a) | DC (%) | Cat. | PL |
|---|---|---|---|---|---|---|---|---|---|
| Speed measurement, 1-channel pulsed DI, Logic 2, STO-output, 1-channel pulsed output | 8.07E-09 | 1.24E-04 | 99.02 | 0 | 3 | 193.40 | 98.34 | 2 | d |
| Speed measurement, 1-channel non-pulsed DI, Logic 1, STO-output, 1-channel non-pulsed output | 5.84E-08 | 6.56E-04 | 98.46 | 0 | 2 | 193.40 | 89.82 | 1 | c |
| Speed measurement, 2-channel pulsed DI, Logic 2, STO-output, 2-channel pulsed output | 6.69E-09 | 1.09E-04 | 99.03 | 1 | 3 | 193.40 | 98.49 | 3 | e |
| Speed measurement, 2-channel non-pulsed DI, Logic 2, STO-output, 2-channel non-pulsed output | 6.78E-09 | 1.10E-04 | 98.99 | 1 | 3 | 193.40 | 97.71 | 3 | e |
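
The addition of subsystem failure rates described in section General, as an added example (not ABB code and not part of the manual): it sums the PFHd values from section Basic safety data, picks Logic 1 or Logic 2 by the footnote rule, and reproduces the PFHd of several rows in the table above. The dictionary keys, the function names, the external component values (constructed placeholders, to be replaced with figures from the drive Hardware manual and the device manufacturers) and the IEC 61508 high-demand PFH bounds are assumptions of the example.

```python
# Added example (not ABB code): PFHd budget for a safety function built on the FSO-11.
# Subsystem PFHd values (1/h, T1 = 20 a) are copied from the "Basic safety data" tables.
# Dictionary keys and function names are this example's own.
PFHD = {
    "di_1ch_pulsed": 5.08e-10,
    "di_2ch_pulsed": 1.19e-12,
    "di_1ch_nonpulsed": 5.94e-09,
    "di_2ch_nonpulsed": 1.14e-11,
    "do_1ch_pulsed": 8.82e-10,
    "do_2ch_pulsed": 9.24e-12,
    "do_1ch_nonpulsed": 4.58e-08,
    "do_2ch_nonpulsed": 9.18e-11,
    "logic_1": 1.30e-08,
    "logic_2": 6.63e-11,
    "sto_output": 1.06e-11,
    "speed_meas": 6.60e-09,
}

# Any 1-channel non-pulsed DI or DO forces the "Logic 1" subsystem (table footnote 1).
LOGIC_1_TRIGGERS = {"di_1ch_nonpulsed", "do_1ch_nonpulsed"}

# Upper PFH bound per SIL for high demand / continuous mode. These are the
# IEC 61508 bands; they are not listed on this page. Meeting the band is only
# the failure-rate part of a SIL claim.
SIL_PFH_UPPER = {1: 1e-5, 2: 1e-6, 3: 1e-7}


def select_logic(io_subsystems):
    """Return the logic subsystem that the footnote rule requires."""
    return "logic_1" if LOGIC_1_TRIGGERS & set(io_subsystems) else "logic_2"


def fso_subsystems(inputs, outputs, measures_speed=False):
    """List the FSO-11 subsystems that take part in one safety function."""
    io = list(inputs) + list(outputs)
    for name in io:
        if name not in PFHD or not name.startswith(("di_", "do_")):
            raise ValueError(f"not an FSO-11 digital I/O subsystem: {name!r}")
    used = io + [select_logic(io), "sto_output"]
    if measures_speed:  # functions that measure motor speed, e.g. SLS and SMS
        used.append("speed_meas")
    return used


def fso_pfhd(inputs, outputs, measures_speed=False):
    """PFHd contribution of the FSO-11 itself (sum over its subsystems)."""
    return sum(PFHD[s] for s in fso_subsystems(inputs, outputs, measures_speed))


def function_pfhd(fso_part, external):
    """Add the PFHd of everything outside the FSO-11 (drive STO, sensors, actuators)."""
    for name, value in external.items():
        if value <= 0:
            raise ValueError(f"missing or invalid PFHd for {name!r}")
    return fso_part + sum(external.values())


def within_sil_band(total_pfhd, target_sil):
    """True if the summed PFHd is below the upper bound of the targeted SIL."""
    return total_pfhd < SIL_PFH_UPPER[target_sil]


def sci(value):
    """Format like the manual's tables, e.g. 1.47E-09."""
    return f"{value:.2E}"


if __name__ == "__main__":
    # Emergency stop: 1-channel pulsed input, 1-channel pulsed safe output.
    fso = fso_pfhd(["di_1ch_pulsed"], ["do_1ch_pulsed"])
    print("FSO-11 part:", sci(fso))  # compare with the pre-calculated table row

    # CONSTRUCTED placeholder values, not taken from any manual.
    external = {"drive_sto": 3.0e-09, "estop_button": 1.0e-08}
    total = function_pfhd(fso, external)
    print("Whole function:", sci(total), "SIL 3 band met:", within_sil_band(total, 3))

    # SMS has no inputs or outputs: Speed measurement + Logic 2 + STO output only.
    print("SMS subsystems:", fso_subsystems([], [], measures_speed=True))
```
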

Life time
FSO-11 life time: 20 years

Response times
Safety function response time: Maximum response time of the FSO-11 and drive
combination is 100 ms.
Note: Parameterable delays can change the response time.
FSO-11 response time
• from an FSO-11 input to the drive STO activation: Maximum 50 ms
• from an FSO-11 input to an FSO-11 digital output activation: Maximum 35 ms
Cascade response time
• from the cascade input to the cascade output activation: Maximum 35 ms
• from the cascade input to the function activation: Maximum 35 ms
If the STO is cascaded, the worst case maximum time when the last FSO-11 has
activated the STO is n · 35 ms where n is the number of cascaded FSO-11 modules.

15. Dimension drawings
The dimension drawings of the FSO-11 module with two different bottom plates for
different drive control unit types are shown below. The dimensions are given in
millimeters and [inches].
Further information
Product and service inquiries
Address any inquiries about the product to your local ABB representative, quoting
the type designation and serial number of the unit in question. A listing of ABB sales,
support and service contacts can be found by navigating to
www.abb.com/searchchannels.

Product training
For information on ABB product training, navigate to www.abb.com/drives and select
Training courses.

Providing feedback on ABB Drives manuals


Your comments on our manuals are welcome. Go to www.abb.com/drives and select
Document Library – Manuals feedback form (LV AC drives).

Document library on the Internet


You can find manuals and other product documents in PDF format on the Internet.
Go to www.abb.com/drives and select Document Library. You can browse the library
or enter selection criteria, for example a document code, in the search field.
Contact us

3AUA0000097054 Rev D (EN) EFFECTIVE: 2013-06-27


www.abb.com/drives
www.abb.com/windpower
www.abb.com/drivespartners
