KST SafeOperation 35 en

KST System Technology
KUKA.SafeOperation 3.5
For KUKA System Software 8.6
Assembly and Operating Instructions
Issued: 11.04.2019
KST SafeOperation 3.5 V3
KUKA Deutschland GmbH
© Copyright 2019
Zugspitzstraße 140
D-86165 Augsburg
Germany
This documentation or excerpts therefrom may not be reproduced or disclosed to third parties
without the express permission of KUKA Deutschland GmbH.
Other functions not described in this documentation may be operable in the controller. The user
has no claims to these functions, however, in the case of a replacement or service work.
We have checked the content of this documentation for conformity with the hardware and soft-
ware described. Nevertheless, discrepancies cannot be precluded, for which reason we are not
able to guarantee total conformity. The information in this documentation is checked on a regu-
lar basis, however, and necessary corrections will be incorporated in the subsequent edition.
Subject to technical alterations without an effect on the function.
KIM-PS5-DOC
Translation of the original documentation
Publication: Pub KST SafeOperation 3.5 (PDF) en

PB11503
Book structure: KST SafeOperation 3.5 V3.2

BS10607
Version: KST SafeOperation 3.5 V3
2/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

Contents
1 Introduction.............................................................................................. 9
1.1 Target group.......................................................................................................... 9
1.2 Industrial robot documentation.............................................................................. 9
1.3 Representation of warnings and notes................................................................. 9
1.4 Trademarks............................................................................................................ 10
1.5 Terms used............................................................................................................ 10
1.6 Licenses................................................................................................................. 13
2 Product description................................................................................. 15
2.1 Overview of SafeOperation................................................................................... 15
2.2 Monitoring spaces................................................................................................. 17
2.2.1 Stop reactions without “Braking before restricted areas”..................................... 19
2.2.2 Stop reactions with “Braking before restricted areas”.......................................... 19
2.2.3 Coordinate systems............................................................................................... 20
2.2.4 Cell area................................................................................................................ 21
2.2.5 Cartesian workspaces........................................................................................... 22
2.2.6 Cartesian protected spaces.................................................................................. 23
2.2.7 Axis-specific workspaces....................................................................................... 25
2.2.8 Axis-specific protected spaces.............................................................................. 26
2.2.9 Braking before restricted areas............................................................................. 28
2.2.10 Space-specific velocity.......................................................................................... 29
2.2.11 Reference stop...................................................................................................... 30
2.3 Safe tools............................................................................................................... 31
2.4 Velocity monitoring functions................................................................................. 32
2.5 Safe operational stop for axis groups.................................................................. 33
2.6 Reference switch module...................................................................................... 33
2.7 Overview of connecting cables............................................................................. 34
3 Technical data.......................................................................................... 37
3.1 Service life............................................................................................................. 37
3.2 Reference switch................................................................................................... 37
3.3 Connector pin assignment of reference cable X42-XS Ref................................. 38
3.4 Circuit digram of reference switch XS Ref........................................................... 39
3.5 Hole pattern for actuating plate............................................................................ 40
4 Safety......................................................................................................... 41
4.1 General.................................................................................................................. 41
4.1.1 Liability................................................................................................................... 41
4.1.2 Intended use of the industrial robot...................................................................... 41
4.1.3 EC declaration of conformity and declaration of incorporation............................ 42
4.1.4 Terms used............................................................................................................ 42
4.2 Personnel............................................................................................................... 45
4.3 Workspace, safety zone and danger zone........................................................... 46
4.3.1 Determining stopping distances............................................................................ 46
4.4 Triggers for stop reactions.................................................................................... 46
4.5 Safety functions..................................................................................................... 47
4.5.1 Overview of the safety functions.......................................................................... 47
KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 3/289

4.5.2 Safety controller..................................................................................................... 48

4.5.3 Selecting the operating mode............................................................................... 48
4.5.4 “Operator safety” signal......................................................................................... 49
4.5.5 EMERGENCY STOP device................................................................................. 50
4.5.6 Logging off from the higher-level safety controller............................................... 50
4.5.7 External EMERGENCY STOP device.................................................................. 51
4.5.8 Enabling device..................................................................................................... 51
4.5.9 External enabling device....................................................................................... 52
4.5.10 External safe operational stop.............................................................................. 53
4.5.11 External safety stop 1 and external safety stop 2............................................... 53
4.5.12 Velocity monitoring in T1....................................................................................... 53
4.6 Additional protective equipment............................................................................ 54
4.6.1 Jog mode............................................................................................................... 54
4.6.2 Software limit switches.......................................................................................... 54
4.6.3 Mechanical end stops........................................................................................... 54
4.6.4 Mechanical axis limitation (optional)..................................................................... 54
4.6.5 Options for moving the manipulator without drive energy................................... 55
4.6.6 Labeling on the industrial robot............................................................................ 55
4.6.7 External safeguards............................................................................................... 55
4.7 Overview of operating modes and safety functions............................................. 56
4.8 Safety measures.................................................................................................... 56
4.8.1 General safety measures...................................................................................... 56
4.8.2 IT security.............................................................................................................. 58
4.8.3 Transportation........................................................................................................ 58
4.8.4 Start-up and recommissioning.............................................................................. 59
4.8.4.1 Checking machine data and safety configuration................................................ 60
4.8.4.2 Start-up mode........................................................................................................ 62
4.8.5 Manual mode......................................................................................................... 63
4.8.6 Simulation.............................................................................................................. 64
4.8.7 Automatic mode..................................................................................................... 65
4.8.8 Maintenance and repair........................................................................................ 65
4.8.9 Decommissioning, storage and disposal.............................................................. 66
4.8.10 Safety measures for “single point of control”....................................................... 66
4.9 Applied norms and regulations............................................................................. 68
5 Installation................................................................................................ 71
5.1 System requirements............................................................................................. 71
5.2 Installation via WorkVisual.................................................................................... 71
5.2.1 Installing or updating KUKA.SafeOperation 3.5................................................... 71
5.2.2 Uninstalling KUKA.SafeOperation 3.5................................................................... 72
5.3 Installation via smartHMI....................................................................................... 73
5.3.1 Installing or updating KUKA.SafeOperation 3.5................................................... 73
5.3.2 Uninstalling KUKA.SafeOperation 3.5................................................................... 74
6 Operation.................................................................................................. 77
6.1 User groups........................................................................................................... 77
6.2 Displaying user rights............................................................................................ 77
6.3 Opening the safety configuration.......................................................................... 78
6.4 Overview of buttons.............................................................................................. 78

6.5 Displaying information about the safety configuration......................................... 79

6.6 Displaying hardware options................................................................................. 80
6.7 Displaying the revision log.................................................................................... 80
6.8 Displaying machine data....................................................................................... 80
6.9 Importing the safety configuration (XML import).................................................. 81
6.10 Exporting the safety configuration (XML export).................................................. 83
6.11 Safe robot retraction in case of space violation.................................................. 83
7 Start-up and configuration..................................................................... 85

7.1 System safety instructions.................................................................................... 85
7.2 Jogging the robot without a higher-level safety controller................................... 85
7.3 Overview: Start-up and configuration................................................................... 86
7.4 Information about the safety configuration........................................................... 88
7.4.1 Safe definition of Cartesian protected spaces..................................................... 89
7.4.2 Safe definition of Cartesian protected spaces for BBRA..................................... 91
7.4.3 Unexpected protected space violation at space corners..................................... 92
7.5 Configuring safety monitoring functions................................................................ 93
7.5.1 Activating safe monitoring..................................................................................... 93
7.5.2 Configuring global parameters.............................................................................. 93
7.5.2.1 Switching safe Cartesian monitoring on/off.......................................................... 96
7.5.3 Configuring a cell area.......................................................................................... 97
7.5.4 Configuring a Cartesian space............................................................................. 99
7.5.5 Configuring an axis space.................................................................................... 103
7.5.6 Configuring axis monitoring functions................................................................... 108
7.5.6.1 Parameter: Braking time....................................................................................... 111
7.5.6.2 Parameter: Maximum velocity T1......................................................................... 113
7.5.7 Configuring safe operational stop for axis groups............................................... 114
7.5.8 Configuring a safe tool.......................................................................................... 116
7.5.9 Activating “Braking before restricted areas”......................................................... 119
7.5.10 Configuring the reference position and reference group..................................... 121
7.5.11 Saving the safety configuration............................................................................. 124
7.6 Editing the local safety configuration in WorkVisual............................................ 124
7.7 Overview of the mastering test............................................................................. 125
7.7.1 Mastering test via reference switch...................................................................... 126
7.7.1.1 Programs for the mastering test........................................................................... 128
7.7.1.2 Variables for the mastering test............................................................................ 128
7.7.1.3 Selecting a reference position.............................................................................. 129
7.7.1.4 Installing the reference switch and actuating plate.............................................. 130
7.7.1.5 Connecting the reference switch.......................................................................... 131
7.7.1.6 Configuring the reference groups to be checked in file....................................... 132
7.7.1.7 Teaching positions for the mastering test............................................................. 133
7.7.1.8 Checking the reference position (actuation with tool).......................................... 135
7.7.1.9 Performing a mastering test manually.................................................................. 136
7.7.2 Mastering test with external mastering confirmation............................................ 137
7.7.2.1 Signal diagram for external mastering confirmation............................................. 138
7.7.2.2 Safety acceptance: checking the external mastering confirmation...................... 139
7.8 Brake test.............................................................................................................. 139
7.8.1 Overview of the brake test.................................................................................... 139
7.8.2 Sequence when testing a brake........................................................................... 141

7.8.3 Programs for the brake test.................................................................................. 141

7.8.4 Overview of the brake test setup......................................................................... 142
7.8.4.1 Activating the brake test, defining the cycle time and axes................................ 143
7.8.4.2 “Brake test configuration” window......................................................................... 144
7.8.4.3 Configuring input and output signals for the brake test...................................... 145
7.8.4.4 Signal diagram of the brake test – examples...................................................... 147
7.8.4.5 Teaching positions for the brake test................................................................... 149
7.8.4.6 Testing the sequence in the case of defective brakes........................................ 150
7.8.5 Performing a brake test........................................................................................ 151
7.8.5.1 Performing a brake test for requested axes (cyclically via program).................. 151
7.8.5.2 Performing a brake test for active axes (manually)............................................. 153
7.8.5.3 Performing a brake test for further axes (e.g. couplable axes)........................... 154
7.8.6 Automatic brake check.......................................................................................... 155
7.8.7 System functions for the brake test...................................................................... 156
7.8.7.1 GET_AXESMASK()............................................................................................... 156
7.8.7.2 GET_BRAKETEST_TIME()................................................................................... 157
7.9 Override reduction................................................................................................. 158
7.9.1 System variables for override reduction............................................................... 158
7.9.2 Override reduction with spline.............................................................................. 159
7.9.3 Override reduction for velocity monitoring............................................................ 159
7.9.4 Override reduction for space monitoring.............................................................. 160
7.9.5 Examples: override reduction with spline/without BBRA..................................... 162
7.9.6 Examples: override reduction with BBRA............................................................. 164
7.10 Safety acceptance overview................................................................................. 166
7.11 Checking that the safety functions are functioning correctly............................... 167
7.11.1 Testing Cartesian velocity limits............................................................................ 167
7.11.2 Testing axis-specific velocity limits........................................................................ 168
7.11.3 Checking the safe operational stop for an axis group......................................... 169
7.11.4 Testing Cartesian monitoring spaces.................................................................... 170
7.11.5 Testing axis-specific monitoring spaces................................................................ 171
7.11.6 Checking the values for the maximum braking ramp.......................................... 171
7.12 Checking the values for the safe axis monitoring functions................................ 174
7.13 Activating the safety configuration........................................................................ 175
7.14 Deactivating safe monitoring................................................................................. 176
8 Interfaces to the higher-level controller............................................... 177

8.1 Safety functions via Ethernet safety interface...................................................... 177
8.1.1 SafeOperation via Ethernet safety interface......................................................... 181
8.1.2 Diagnostic signals via Ethernet interface............................................................. 185
8.2 SafeOperation via interface X13........................................................................... 189
8.2.1 Mastering test via interface X42........................................................................... 191
9 Diagnosis.................................................................................................. 193
9.1 Displaying the diagnostic data with the diagnostic monitor................................. 193
9.2 Displaying the diagnostic data for the safety interface........................................ 193
9.3 System variables for diagnosis............................................................................. 193
9.4 Outputs for space monitoring................................................................................ 195
10 Messages.................................................................................................. 197
10.1 Information about the messages.......................................................................... 197

10.2 System messages from module: CrossMeld (KSS)............................................. 197

10.2.1 KSS15016.............................................................................................................. 197
10.2.2 KSS15017.............................................................................................................. 197
10.2.3 KSS15018.............................................................................................................. 198
10.2.4 KSS15019.............................................................................................................. 201
10.2.5 KSS15033.............................................................................................................. 205
10.2.6 KSS15034.............................................................................................................. 205
10.2.7 KSS15035.............................................................................................................. 206
10.2.8 KSS15036.............................................................................................................. 207
10.2.9 KSS15037.............................................................................................................. 207
10.2.10 KSS15039.............................................................................................................. 208
10.2.11 KSS15040.............................................................................................................. 209
10.2.12 KSS15041.............................................................................................................. 211
10.2.13 KSS15042.............................................................................................................. 212
10.2.14 KSS15043.............................................................................................................. 214
10.2.15 KSS15044.............................................................................................................. 216
10.2.16 KSS15045.............................................................................................................. 217
10.2.17 KSS15046.............................................................................................................. 220
10.2.18 KSS15047.............................................................................................................. 221
10.2.19 KSS15048.............................................................................................................. 221
10.2.20 KSS15049.............................................................................................................. 222
10.2.21 KSS15050.............................................................................................................. 223
10.2.22 KSS15051.............................................................................................................. 224
10.2.23 KSS15052.............................................................................................................. 224
10.2.24 KSS15053.............................................................................................................. 227
10.2.25 KSS15054.............................................................................................................. 228
10.2.26 KSS15065.............................................................................................................. 229
10.2.27 KSS15066.............................................................................................................. 229
10.2.28 KSS15079.............................................................................................................. 233
10.2.29 KSS15081.............................................................................................................. 234
10.2.30 KSS15083.............................................................................................................. 235
10.2.31 KSS15107.............................................................................................................. 235
10.2.32 KSS15108.............................................................................................................. 238
10.2.33 KSS15109.............................................................................................................. 238
10.2.34 KSS15110.............................................................................................................. 240
10.2.35 KSS15111.............................................................................................................. 241
10.2.36 KSS15112.............................................................................................................. 242
10.2.37 KSS15113.............................................................................................................. 242
10.2.38 KSS15114.............................................................................................................. 244
10.2.39 KSS15127.............................................................................................................. 245
10.2.40 KSS15134.............................................................................................................. 246
10.2.41 KSS15135.............................................................................................................. 247
11 Appendix................................................................................................... 249
11.1 Checklists............................................................................................................... 249
11.1.1 Precondition for safety acceptance based on the checklists............................... 249
11.1.2 Checklist: robot and system.................................................................................. 249
11.1.3 Checklist: Safety functions.................................................................................... 250
11.1.4 Checklist: Cartesian velocity monitoring functions............................................... 254

11.1.5 Checklist: Axis-specific velocity monitoring.......................................................... 255

11.1.6 Checklist: Safe operational stop for axis groups................................................. 259
11.1.7 Checklist: Cell area............................................................................................... 261
11.1.8 Checklist: Cartesian monitoring spaces................................................................ 262
11.1.9 Checklist: Axis-specific monitoring spaces........................................................... 264
11.1.10 Checklist: Braking before restricted areas............................................................ 269
11.1.11 Checklist: Safe tools.............................................................................................. 270
11.2 Applied norms and regulations............................................................................. 275
12 KUKA Service........................................................................................... 277

12.1 Requesting support............................................................................................... 277
12.2 KUKA Customer Support...................................................................................... 277
Index 285

Introduction
1 Introduction
1.1 Target group
This documentation is aimed at users with the following knowledge and

skills:
• Advanced knowledge of the robot controller system

• Advanced KRL programming skills
For optimal use of our products, we recommend that our customers

take part in a course of training at KUKA College. Information about the
training program can be found at www.kuka.com or can be obtained di-
rectly from our subsidiaries.
1.2 Industrial robot documentation
The industrial robot documentation consists of the following parts:
• Documentation for the robot arm

• Documentation for the robot controller
• Documentation for the smartPAD-2
• Operating and programming instructions for the System Software
• Instructions for options and accessories
• Spare parts in KUKA.Xpert
Each of these sets of instructions is a separate document.
1.3 Representation of warnings and notes
Safety
These warnings are provided for safety purposes and must be observed.
DANGER
These warnings mean that it is certain or highly probable that death or
severe injuries will occur, if no precautions are taken.
WARNING
These warnings mean that death or severe injuries may occur, if no
precautions are taken.
CAUTION
These warnings mean that minor injuries may occur, if no precautions
are taken.
NOTICE
These warnings mean that damage to property may occur, if no precau-
tions are taken.
These warnings contain references to safety-relevant information or gen-

eral safety measures.
These warnings do not refer to individual hazards or individual precau-
tionary measures.

This warning draws attention to procedures which serve to prevent or rem-

Introduction
edy emergencies or malfunctions:

SAFETY INSTRUCTION
The following procedure must be followed exactly!
Procedures marked with this warning must be followed exactly.
Notices
These notices serve to make your work easier or contain references to

further information.
Tip to make your work easier or reference to further information.
1.4 Trademarks
CIP Safety® is a trademark of ODVA.
EtherCAT® is a registered trademark and patented technolo-

gy, licensed by Beckhoff Automation GmbH, Germany.
PROFINET is a trademark of the PROFIBUS users’ organization.
1.5 Terms used
Term Description
Axis range Range of an axis in degrees or millimeters within
which the axis moves. The axis range is defined
by a lower and an upper axis limit.
Axis limit An axis has 2 axis limits that define the axis
range. There is an upper and a lower axis limit.
Stopping distance Stopping distance = reaction distance + braking
distance
The stopping distance is part of the danger zone.
Workspace Monitoring space that the defined axes or the safe
tool are not allowed to leave. The axes or the safe
tool must always move within the limits of the
workspace.
(>>> 2.2.5 "Cartesian workspaces" Page 22)
(>>> 2.2.7 "Axis-specific workspaces" Page 25)
BBRA Braking before restricted areas
The “Braking before restricted areas” function is an
alternative response that can optionally be
selected for existing range monitoring functions:
• Cartesian monitoring spaces

• Axis-specific monitoring spaces
(>>> 2.2.9 "Braking before restricted areas"
Page 28)

Introduction
Term Description
CIP Safety CIP Safety is an Ethernet/IP-based safety interface
for connecting a safety PLC to the robot controller.
(PLC = master, robot controller = slave)
(>>> 8.1.1 "SafeOperation via Ethernet safety inter-
face" Page 181)
CK Customer-built Kinematics
DRS Drive Ramp Stop
Synchronous stop at drive level (also: servo sys-
tem stop).
Fictitious STOP 1 - End position of a drive ramp stop calculated from
the current robot state.
DRS end position
EtherCAT EtherCAT is an Ethernet-based field bus (Ethernet
interface).
(>>> 8.1.2 "Diagnostic signals via Ethernet inter-
face" Page 185)
EtherNet/IP EtherNet/IP is an Ethernet-based field bus (Ether-
net interface).
face" Page 185)
FSoE Fail Safe over EtherCAT
An EtherCAT-based safety interface for connecting
a safety PLC to the robot controller.
face" Page 181)
Danger zone The danger zone consists of the workspace and
the stopping distances.
Mastering test The mastering test is used to check whether the
current positions of the robot and the external axes
correspond to a reference position.
(>>> 7.7 "Overview of the mastering test"
Page 125)
KL KUKA linear unit
Alarm space An alarm space signals a workspace violation by
setting an output. The alarm spaces are perma-
nently assigned to the configurable outputs of the
safety interface used.
Monitoring time The monitoring time begins with an internal mas-
tering test request and lasts 2 hours. The user is
prompted to perform a mastering test within this
period of time. Once the time has elapsed, the ro-
bot is stopped and an acknowledgement message
is displayed.
Polygon, convex A convex polygon is a polygon consisting of at
least 3 different corners. Triangles and squares are
examples of convex polygons.
(>>> 2.2.4 "Cell area" Page 21)

Introduction KUKA.SafeOperation 3.5
Term Description
PROFINET PROFINET is an Ethernet-based field bus (Ether-
net interface).
face" Page 185)
PROFIsafe PROFIsafe is a PROFINET-based safety interface
for connecting a safety PLC to the robot controller.
(PLC = master, robot controller = slave)
face" Page 181)
Reference group A reference group contains the axes of a kinematic
system that are required for moving to a reference
position and are to be subjected to safe monitor-
ing.
Reference position The reference position is a Cartesian position to
which the robot moves during the mastering test.
(>>> 7.7.1.3 "Selecting a reference position"
Page 129)
Reference stop Safety stop that is triggered if the mastering test
has not been performed. The reference stop can
be activated for monitoring spaces.
(>>> 2.2.11 "Reference stop" Page 30)
Reference switch A reference switch can be used for the mastering
test. The reference position is confirmed using the
reference switch.
(>>> 2.6 "Reference switch module" Page 33)
SBC Safe Brake Control
SBC is a safety function for controlling brakes.
Protected space Monitoring space into which the defined axes or
the safe tool are not allowed to intrude. The axes
or the safe tool must always move outside the lim-
its of the protected space.
(>>> 2.2.6 "Cartesian protected spaces" Page 23)
(>>> 2.2.8 "Axis-specific protected spaces"
Page 26)
SHS1 Safety STOP 1
SIB Safety Interface Board
Safety STOP 0 A stop that is triggered and executed by the safety
controller. The safety controller immediately
switches off the drives and the power supply to the
brakes.
Note: This stop is called safety STOP 0 in this
document.

Introduction
Term Description
Safety STOP 1 A stop that is triggered and monitored by the safe-
ty controller. The braking operation is carried out
by the non-safety-oriented section of the robot con-
troller and monitored by the safety controller. As
soon as the manipulator has stopped, the safety
controller deactivates the drives and the power
supply of the brakes.
document.
Safety STOP 2 A stop that is triggered and monitored by the safe-
ty controller. The braking operation is carried out
by the non-safety-oriented section of the robot con-
troller and monitored by the safety controller. The
drives remain activated and the brakes released.
document.
Safe operational In the event of a safe operational stop, the system
stop monitors standstill of the axes for which the safe
operational stop is configured. When the axes are
at a monitored standstill, they may move within the
configured axis angle or distance tolerances.
(>>> 2.5 "Safe operational stop for axis groups"
Page 33)
Safe tools A safe tool can be modeled using up to 12 config-
urable spheres. These spheres are monitored
against the limits of the Cartesian monitoring
spaces. Each safe tool has a safe TCP against
which the configured velocity limits are monitored.
(>>> 2.3 "Safe tools" Page 31)
Monitoring space A monitoring space can be defined in Cartesian
terms or axis-specifically and as a workspace or
protected space.
(>>> 2.2 "Monitoring spaces" Page 17)
X22 Optional interface for controlling a second brake
X25 Optional interface for special cabinets
Cell area Cartesian workspace that forms a convex polygon
with 3 … 10 vertices (corners) and is limited in ±Z
direction. The cell area is the maximum permitted
working range of the robot.
(>>> 2.2.4 "Cell area" Page 21)
1.6 Licenses
The KUKA license conditions and the license conditions of the open-
source software used can be found in the following folders:
• Under .\LICENSE on the data storage medium with the installation
files of the KUKA software
• Under D:\KUKA_OPT\Option package name\LICENSE after installation
on the robot controller
• In the license folder under the name of the option package in the Op-
tions catalog after installation in WorkVisual

Introduction KUKA.SafeOperation 3.5
Further information about open-source licenses can be requested from

the following address: [email protected]

Product description
2 Product description
2.1 Overview of SafeOperation
Functions
SafeOperation is a safety option with the following functions:

• Safe monitoring of a maximum of 16 user-defined, axis-specific or Car-
tesian monitoring spaces
• Safe monitoring of a user-defined cell area
• Braking before restricted areas (BBRA)
• Safe monitoring of axis-specific velocities
• Safe monitoring of space-specific velocities
• Safe monitoring of Cartesian velocities
• Modeling of up to 16 safe tools with safe TCP
• Safe stop via safety controller
• Safe operational stop for up to 6 axis groups
• Connection to a higher-level controller, e.g. to a safety PLC
• Safe inputs for activation of the monitoring functions
• Safe outputs for status messages of the monitoring functions
• Configurable motion to verify mastering:
‒ Mastering test via KUKA reference switch
‒ Mastering test via external system with external mastering confir-
mation
WorkVisual
The safety configuration can either be created and edited in WorkVisual

or, after installation on the robot controller, via the smartHMI.
The following hardware options can only be activated in WorkVisual (not
via the smartHMI):
• SBC: Safe disconnection of brake voltage for second brake via output
at X22
• SHS1: Safety stop STOP 1 via safe input at X25
(>>> 7.6 "Editing the local safety configuration in WorkVisual" Page 124)
Information about the safety configuration in WorkVisual is contained in
the WorkVisual documentation.
Areas of application
• Human-robot cooperation
• Direct loading of workpieces without an intermediate support
• Replacement of conventional axis range monitoring systems
SafeOperation cannot and must not be used in conjunction with a CK.

Product description KUKA.SafeOperation 3.5
In the case of couplable external axes, safe position sensing is not pos-
sible, as the safety controller does not evaluate any mastering informa-
tion for these axes and the machine data change during the runtime of
the controller.
On account of this restriction, only the following safety functions are
available for couplable external axes:
• Monitoring of the maximum axis velocity in T1
• Braking ramp monitoring
• Standstill monitoring
Functional principle
The industrial robot moves within the limits that have been configured and
activated. The actual positions are continuously calculated and monitored
against the safety parameters that have been set.
If the “Braking before restricted areas” function is active, the fictitious
STOP 1 - DRS end position based on the actual position is monitored in
addition to the actual position.
The safety controller monitors the industrial robot by means of the safety
parameters that have been set. If a monitoring limit is violated, the robot
and external axes stop.
Fig. 2-1: Example of a cell with SafeOperation
1 Reference switch 5 System control panel

2 Robot 6 Robot controller
3 Loading station 7 Bending machine
4 Safety mat
Components
These software components are included in the safety option:

• KUKA.SafeOperation 3.5
These hardware components are optionally available:
• Reference switch module

Product description
Brake test
The brake test serves as a diagnostic measure for the robot axis and ex-
ternal axis brakes. The brakes are activated for the stop reactions safety
stop 0 and safety stop 1.
If a safety option is installed and the safe monitoring is active, the brake
test is automatically active.
Interfaces
Various interfaces are available for connection to a higher-level controller.

The safe I/Os of these interfaces can be used, for example, to signal a vi-
olation of safety monitoring functions.
• Ethernet safety interfaces:
‒ EtherCAT/FSoE
‒ EtherNet/IP/CIP Safety
‒ PROFINET/PROFIsafe
• Discrete safety interface for safety options:
‒ X13 via Extended SIB
2.2 Monitoring spaces
Description
A maximum of 16 monitoring spaces can be configured. A cell area must

also be configured.
A monitoring space can be defined as a Cartesian cuboid or by means of
individual axis ranges. Each monitoring space can be set as a workspace
or protected space.
(>>> 2.2.5 "Cartesian workspaces" Page 22)
(>>> 2.2.6 "Cartesian protected spaces" Page 23)
(>>> 2.2.7 "Axis-specific workspaces" Page 25)
(>>> 2.2.8 "Axis-specific protected spaces" Page 26)
For every monitoring space, a space-specific Cartesian velocity can be de-
fined inside or outside the monitoring space.
(>>> 2.2.10 "Space-specific velocity" Page 29)
For each monitoring space, a reference stop can be set that stops the ro-
bot if no mastering test has been carried out.
(>>> 2.2.11 "Reference stop" Page 30)
Monitoring can be activated and deactivated for each individual monitoring
space, or activated by means of safe inputs.
Safe outputs are permanently assigned to the monitoring spaces. The
safe outputs are set if a monitoring space is violated.
It is possible to configure the system in such a way that a safety stop is
triggered when the monitoring space is violated (“Stop at boundaries”
function). The type of safety stop and the time when the stop is triggered
depend on whether the “Braking before restricted areas” function has
been activated:
• Without “Braking before restricted areas”: Safety stop 0 is triggered at
the space limit.
• With “Braking before restricted areas”: Safety stop 1 is triggered be-
fore the space limit.
(>>> 2.2.9 "Braking before restricted areas" Page 28)

Cell area
The cell area is a Cartesian workspace in the form of a convex polygon

with 3 to 10 vertices (corners) and is limited in the ±Z direction.
(>>> 2.2.4 "Cell area" Page 21)
The cell area is permanently monitored and always active. The corners
can be configured, activated and deactivated individually.
If the cell area is violated, a safety stop is triggered.
The type of safety stop and the time when the stop is triggered depend
on whether the “Braking before restricted areas” function has been activa-
ted:
• Without “Braking before restricted areas”: Safety stop 0 is triggered at
the space limit.
• With “Braking before restricted areas”: Safety stop 1 is triggered be-
fore the space limit.
Stopping distance
If the robot is stopped by a monitoring function, it requires a certain stop-

ping distance before coming to a standstill.
The stopping distance depends primarily on the following factors:
• Robot type
• Velocity of the robot
• Position of the robot axes
• Payload
• Category and type of stop (STOP 0 or STOP 1)
The stopping distance when a monitoring function is triggered varies ac-

cording to the specific robot type. This aspect must be taken into ac-
count by the system integrator during parameterization of the monitoring
functions as part of the safety assessment.
Further information about the stopping distances and stopping times can
be found in the assembly or operating instructions of the relevant robot.
Stop reactions
The stop reactions depend on whether the “Braking before restricted

areas” function has been activated.
(>>> 2.2.1 "Stop reactions without “Braking before restricted areas”"
Page 19)
(>>> 2.2.2 "Stop reactions with “Braking before restricted areas”"
Page 19)

Product description
2.2.1 Stop reactions without “Braking before restricted areas”
Reaction Description Example

Safety stop 0 The stop is triggered in T2, AUT or Robot exceeds the limit of an acti-
AUT EXT mode if the robot vated workspace in Automatic
exceeds a monitoring space limit. mode.
Safety stop 1 The stop is triggered in T1 mode if Robot exceeds the limit of an acti-
the robot exceeds a monitoring vated workspace in T1 mode.
space limit.
The stop is triggered if a monitoring A protected space in which the ro-
function is just being activated and bot is currently situated is activated
the robot has already exceeded the by a safety mat.
monitoring space limit.
The stop is triggered in T2, AUT or After a restart of the robot
AUT EXT mode if a reference stop controller, the safety controller re-
is enabled for an activated monitor- quests a mastering test. This stops
ing space and a mastering test is the robot.
requested internally.
2.2.2 Stop reactions with “Braking before restricted areas”
Reaction Description Example

Safety stop 0 A stop is triggered if a safety stop 1 The robot cannot execute the con-
is not performed as expected, i.e. trolled safety stop 1 (drive ramp
the monitoring of safety stop 1 is stop) due to overload, power failure
violated. or hardware defect.
Safety stop 1 / The stop is triggered in T2, AUT or Robot approaches a space limit in
path-oriented AUT EXT mode if there is an immi- T2 mode. The robot is stopped as
drive ramp stop nent space violation by the robot soon as the fictitious STOP 1 - DRS
(STOP 1 - DRS) (fictitious STOP 1 - DRS end posi- end position exceeds the monitoring
tion exceeds monitoring space limit) space limit.
or if the robot exceeds a monitoring
space limit.
Safety stop 1 - The stop is triggered in T1 mode if The robot exceeds the limit of an
path-maintaining the robot threatens to violate the activated workspace in T1 mode or
EMERGENCY space (fictitious STOP 1 - DRS tar- the fictitious STOP 1 - DRS target
STOP (STOP 1) get position exceeds monitoring position exceeds the limit of an acti-
space limit) or if the robot exceeds vated workspace.
a monitoring space limit.
The stop is triggered if a monitoring A protected space in which the ro-
function is just being activated and bot is currently situated or in which
the robot has already exceeded the it remains at a standstill due to a
monitoring space limit or the ficti- triggered STOP 1 - DRS upon acti-
tious STOP 1 - DRS target position vation, is activated by a safety mat.
is in the activated monitoring space.
The stop is triggered in T2, AUT or After a restart of the robot
AUT EXT mode if a reference stop controller, the safety controller re-
for an activated monitoring space is quests a mastering test. This brings
active and a mastering test is re- the robot to a standstill.
quested internally.

2.2.3 Coordinate systems
Overview
The following Cartesian coordinate systems are defined in the robot con-
troller:
• WORLD
• ROBROOT
• BASE
• TOOL
Fig. 2-2: Overview of coordinate systems
Description
WORLD
The WORLD coordinate system is a permanently defined Cartesian coor-
dinate system. It is the root coordinate system for the ROBROOT and
BASE coordinate systems.
By default, the WORLD coordinate system is located at the robot base.
ROBROOT
The ROBROOT coordinate system is a Cartesian coordinate system,
which is always located at the robot base. It defines the position of the ro-
bot relative to the WORLD coordinate system.
By default, the ROBROOT coordinate system is identical to the WORLD
coordinate system. $ROBROOT allows the definition of an offset of the ro-
bot relative to the WORLD coordinate system.
BASE
The BASE coordinate system is a Cartesian coordinate system that de-
fines the position of the workpiece. It is relative to the WORLD coordinate
system.

By default, the BASE coordinate system is identical to the WORLD coordi-
Product description
nate system. It is offset to the workpiece by the user.
TOOL
The TOOL coordinate system is a Cartesian coordinate system which is
located at the tool center point.
As standard, the origin of the TOOL coordinate system is located at the
flange center point. (In this case it is called the FLANGE coordinate sys-
tem.) The TOOL coordinate system is offset to the tool center point by the
user.
Angles of rotation of the robot coordinate systems
Angle Rotation about axis
Angle A Rotation about the Z axis
Angle B Rotation about the Y axis
Angle C Rotation about the X axis
2.2.4 Cell area
Description
The cell area is a Cartesian monitoring space that is limited in the ±Z di-
rection. The safe tool on the mounting flange of the robot is modeled us-
ing up to 12 configurable spheres; when the robot moves, these spheres
move with it. These spheres are monitored against the cell area and must
only move within this cell area.
If a sphere violates the limits of the cell area, the robot stops with a safety
stop 0 as long as the “Braking before restricted areas” function is not acti-
vated. Otherwise, a safety stop 1 is triggered before the space limit.
WARNING
Cartesian monitoring spaces are only monitored against the spheres
used to model the safe tool. Robot components situated outside the tool
spheres are not monitored and a space violation by these components
is not detected. Cartesian monitoring spaces and tool spheres must
therefore be designed and configured in such a manner that the unmo-
nitored robot components do not pose any threat.
The cell area is configured in the WORLD coordinate system as a convex

polygon with 3 ... 10 corners.
A convex polygon is a polygon consisting of at least 3 different corners.
The line segments between any 2 corners must not be outside the poly-
gon. Triangles and squares are examples of convex polygons.
Fig. 2-3

1 Example of a convex polygon with 6 corners

2 Example of a non-convex polygon with 6 corners
Example
The diagram shows an example of a configured cell area.
Fig. 2-4: Example of cell area
1 Cell area
2 Safely monitored tool spheres
3 Robot
2.2.5 Cartesian workspaces
Description
The safe tool on the mounting flange of the robot is modeled using up to
12 configurable spheres; when the robot moves, these spheres move with
it. These spheres are simultaneously monitored against the activated Car-
tesian workspaces and must move within the workspaces.
If the “Braking before restricted areas” function is active, the spheres are
additionally monitored at the fictitious STOP 1 - DRS end position. At this
fictitious end position, they must move within the workspaces.
If a sphere violates the limit of a workspace at the actual position, e.g.
when the monitoring space is activated via an input, the following reac-
tions are triggered:
• A safe output is reset (state: “logic 0”).
The safe outputs are set if a monitoring space is not violated (state:
“logic 1”).
If interface X13 is used, safe outputs are only available for monitoring
spaces 1 … 6.
• The robot is stopped (precondition: parameter Stop at boundaries is
activated for the space).

Product description
• Monitoring of the space-specific velocity is activated (precondition:
Space violated is set for the space at parameter Vmax valid if).
If a sphere violates the limit of a workspace at the fictitious STOP 1 -
DRS end position, the following reactions are triggered:
WARNING
Only KUKA linear units are supported as ROBROOT kinematic systems.
Example
The diagram shows an example of a configured Cartesian workspace.
Fig. 2-5: Example of a Cartesian workspace
1 Working space
3 Robot
2.2.6 Cartesian protected spaces
Description
The safe tool on the mounting flange of the robot is modeled using up to
12 configurable spheres; when the robot moves, these spheres move with

it. These spheres are simultaneously monitored against the activated Car-
Product description
tesian protected spaces and must move outside the protected spaces.
If the “Braking before restricted areas” function is active, the spheres are
additionally monitored at the fictitious STOP 1 - DRS end position. At this
fictitious end position, they must move outside the protected spaces.
The length, width and height of a protected space must not fall below the
predefined minimum value. This value depends on the global maximum
Cartesian velocity and the radius of the smallest sphere of the safe tool.
(>>> "Minimum protected space dimensions" Page 89)
If a sphere violates the limit of a protected space at the actual position,
e.g. when the monitoring space is activated via an input, the following re-
actions are triggered:
“logic 1”).
spaces 1 … 6.
If a sphere violates the limit of a protected space at the fictitious
STOP 1 - DRS end position, the following reactions are triggered:
WARNING
Only KUKA linear units are supported as ROBROOT kinematic systems.
Example
The diagram shows an example of a Cartesian protected space.

Product description
Fig. 2-6: Example of a Cartesian protected space
1 Protected space
3 Robot
2.2.7 Axis-specific workspaces
Description
The axis limits can be set and monitored individually for each axis via the
software. The resulting axis range is the permissible range of an axis with-
in which the robot may move. The individual axis ranges together make
up the overall workspace, which may consist of up to 8 axis ranges.
A maximum of 8 axes or, in the case of kinematic systems with master/
slave axes, a maximum of 8 drives can be configured for each monitor-
ing space.
If the “Braking before restricted areas” function is active, an additional

check is carried out to ascertain whether the axis position at the fictitious
STOP 1 - DRS end position is inside the permissible range.
If the robot violates an axis limit with the actual position, e.g. when the
monitoring space is activated via an input, the following reactions are trig-
gered:
“logic 1”).
spaces 1 … 6.


If the robot violates an axis limit with the fictitious STOP 1 - DRS end po-
sition, the following reactions are triggered:
Example
The diagram shows an example of an axis-specific workspace. The work-

space of axis 1 is configured from ‑110° to +130° and corresponds to the
permissible motion range of the robot.
Fig. 2-7: Example of an axis-specific workspace
1 Workspace 3 Stopping distance

2 Robot 4 Protected space
2.2.8 Axis-specific protected spaces
Description
The axis limits can be set and monitored individually for each axis via the
software. The resulting axis range is the protected range of an axis within
which the robot may not move. The individual axis ranges together make
up the protected space, which may consist of up to 8 axis ranges.
ing space.
If the “Braking before restricted areas” function is active, an additional

check is performed to establish whether the axis position at the fictitious
STOP 1 - DRS end position is outside the protected area.
If the robot violates an axis limit with the actual position, e.g. when the
monitoring space is activated via an input, the following reactions are trig-
gered:

Product description
“logic 1”).
spaces 1 … 6.
If the robot violates an axis limit with the fictitious STOP 1 - DRS end po-
sition, the following reactions are triggered:
WARNING
In the case of axes that can rotate more than 360°, e.g. axis 1, the con-
figured axis ranges refer to the position of the axis (including sign) and
not to the sector of a circle. Serious injury and severe damage to the
robot can be caused. If, for example, a protected space of +90° to
+270° is configured, the robot can move through the protected space in
the other direction from -90° to -185°. In this case, it is advisable to
configure a workspace from -90° to +90°.
Fig. 2-8: Example of an axis-specific protected space through which

the robot can move
1 Workspace 3 Protected space

2 Robot 4 Protected space through
which the robot can move
Example
The diagram shows an example of an axis-specific protected space. The

safeguarded space and the stopping distances correspond to the config-
ured protected space. The motion range of axis 1 is limited to ‑185° to
+185° by means of software limit switches. The protected space is config-

ured from ‑110° to ‑10°. This results in 2 permissible motion ranges for
Product description
the robot, separated by the configured protected space.
Fig. 2-9: Example of an axis-specific protected space
1 Permissible range 1 4 Protected space

2 Robot 5 Permissible range 2
3 Stopping distance
2.2.9 Braking before restricted areas
Description
The “Braking before restricted areas” function changes the way the robot
behaves at the limits of the monitoring spaces and of the cell area.
With the “Braking before restricted areas” function, the fictitious STOP 1 -
DRS end position based on the actual position is monitored in addition to
the actual position. If this end point violates a monitoring space, this indi-
cates an impending violation of this monitoring space by the robot.
In this case, a STOP 1 - DRS is triggered, bringing the robot to a stand-
still at the precalculated end point. Due to the small safety margin in the
precalculation, the robot can generally be stopped before the monitoring
space.
A STOP 1 - DRS is a safely monitored drive ramp stop. This usually de-
viates from the programmed path.
If the safety controller detects a violation of the monitored braking ramp,
a safety stop 0 is triggered. As the stopping distance of the robot devi-
ates significantly from the stopping distance of the drive ramp stop in
this instance, this case should be taken into consideration in the risk as-
sessment of the cell.
Possible reasons for an escalation of this nature are, for example:
• Power failure
• Controller fault
• Operation outside of the specification limits
• Hardware fault at the time the drive ramp stop is executed

Product description
Example
The figures show the behavior of the robot at the limits of a Cartesian and
axis-specific monitoring space when “Braking before restricted areas” is
activated.
Fig. 2-10: Braking before Cartesian space limit
1 Anticipated stop position of current position

2 Anticipated stop position of current position with safety margin
3 Actual stop with end point before monitoring space
Fig. 2-11: Braking before axis-specific space limit
1 Anticipated stop position of current position

2 Anticipated stop position of current position with safety margin
3 Actual stop with end point before monitoring space
2.2.10 Space-specific velocity
Description
For Cartesian and axis-specific monitoring spaces, a Cartesian velocity

can be defined which is monitored if the space is violated or not violated.
A safe TCP is defined for every safe tool. This safe TCP is monitored
against a configured velocity limit. If the safe TCP exceeds the velocity
limit, the robot is stopped safely.
Example
The diagram shows an example of a Cartesian workspace. If the safe

TCP on the safe tool exceeds the velocity limit inside the workspace, the
robot is stopped with a safety stop 0.

Fig. 2-12: Space-specific velocity example
1 Working space
3 Robot
2.2.11 Reference stop
A reference stop can be activated for monitoring spaces. (= function Stop

if mastering test not yet done)
If the reference stop is activated and the following conditions are met, the
robot can only be moved in T1 mode:
• Monitoring space is activated.
• Mastering test requested internally.
If the reference stop is activated and the following preconditions are met,
the robot stops with a safety stop 1:
• Monitoring space is activated.
• Mastering test requested internally.
• Operating mode T2, AUT or AUT EXT
To be able to move the robot again in the stop-triggering operating
modes, the following possibilities are available:
• Perform mastering test in T1 mode.
• Deactivate monitoring spaces.
• Deactivate reference stop.

Product description
2.3 Safe tools
Description
Up to 16 safe tools can be defined. A safe TCP is defined for each safe
tool and monitored against the configured velocity limits.
A safe tool can be modeled using up to 12 configurable spheres. These
spheres are monitored against the limits of the Cartesian monitoring
spaces. The number of configurable spheres is limited to 96. For example,
it is possible to have up to 8 safe tools with a maximum number of
12 spheres per tool.
The sphere radius must not fall below the predefined minimum value. This
radius is dependent on the global maximum Cartesian velocity.
(>>> "Minimum sphere radius" Page 88)
The safe tools are activated using safe inputs. Only 1 safe tool may be
active at any time.
If interface X13 is used, tool 1 is always active. The tool cannot be acti-
vated via a safe input. An automated, safely monitored tool change is
thus not possible.
The safe TCP for the velocity monitoring can be freely configured in the
safety configuration. It is independent of the current TCP that is set in
the KUKA System Software with the variable $TOOL.
WARNING
Example
The diagram shows an example of a safe tool. 2 spheres and a safe TCP
are defined on the safe tool of the robot by means of the FLANGE coor-
dinate system.

Fig. 2-13: Safe tool
2.4 Velocity monitoring functions
Axis-specific and Cartesian velocities can be monitored.
Axis velocity
The velocity of every axis is monitored against a limit value:
• Limit value for reduced axis velocity (optional)

• Limit value for maximum axis velocity for T1 mode
Monitoring of the maximum axis velocity in T1 mode is part of the
standard safety configuration and always active.
• Limit value for maximum axis velocity (valid globally for every axis)
Cartesian velocity
The Cartesian velocity at the safe TCP of the active safe tool is moni-
tored. The velocity monitoring is always relative to $WORLD:
• Limit value for the reduced velocity at the safe TCP (optional)
• Limit value for the reduced velocity at the safe TCP for T1 mode
• Limit value for the global maximum velocity at the safe TCP and at
the sphere center points of the safe tool (not space-dependent)
• Space-specific velocity
(>>> 2.2.10 "Space-specific velocity" Page 29)

Product description
Stop reactions
Stop reaction Description Example

Safety stop 0 The stop is triggered if a monitoring In automatic operation, the robot ex-
function is already activated and the ceeds the activated limit value for
robot then exceeds the monitoring reduced axis velocity.
limit.
Safety stop 1 The stop is triggered if a monitoring The safe reduced velocity, for which
function is just being activated and the limit value has already been ex-
the robot has already exceeded the ceeded by the robot, is activated by
monitoring limit. a safety mat.
2.5 Safe operational stop for axis groups
Description
The global safe operational stop is one of the standard safety functions. If
it is activated via the safety interface, the standstill of all axes of the kine-
matic system is monitored. The axes may still move within the configured
axis angle or distance tolerances. These can be configured individually for
each axis.
With SafeOperation, the safe operational stop can additionally be config-
ured for up to 6 axis groups. An axis group comprises the axes that are
to be monitored when the safe operational stop is activated for this axis
group. Before monitoring is activated, the corresponding axes must be
stopped under program control.
slave axes, a maximum of 8 drives can be configured for each axis
group.
If the safe operational stop is activated for an axis group, the standstill of
the axes for which it has been configured is monitored using failsafe tech-
nology. The axes may still move within the configured axis angle or dis-
tance tolerances.
If the safe operational stop is violated, i.e. if the position tolerance for an
axis is exceeded or the velocity of an axis exceeds the maximum permit-
ted level, a safety stop 0 is triggered in response. The safety stop 0 af-
fects all axes, not just those for which the operational stop is configured.
This means that an unintended motion of an axis which is relevant for the
safe operational stop causes the machine to stop.
2.6 Reference switch module
Components
The reference switch module consists of the following components:

• Inductive reference switch XS Ref
• Straight or angled actuating plate
• Reference cable X42 - XS Ref
• Reference connector X42

Fig. 2-14: Reference switch module
1 Inductive reference switch 2 Straight actuating plate
Cable lengths
In combination with a straight or angled actuating plate, reference switch

modules are available with various cable lengths.
Length Actuating plate
7 m Straight or angled
15 m
25 m
40 m
2.7 Overview of connecting cables
The diagram shows an example of the connecting cables of the industrial

robot with connected reference switch. The reference switch is connected
to the robot controller via the reference cable. The maximum hose length
is 40 m.
In the case of a KR C4, only 1 reference switch can be connected di-
rectly to the robot controller. If multiple reference groups are required,
the reference switches can be connected to the safety PLC and activa-
ted via the bus interface that is in use. The safety PLC must evaluate
the reference switches and set the Mastering test input accordingly.
If the reference switch is activated via the bus interface, 1-channel refer-
encing must be prevented. The safety PLC may only set the Mastering
test signal to LOW if both input channels have a low level.

Product description
Fig. 2-15: Overview of connecting cables
Item Description
1 Robot controller
2 Robot
3 Reference switch XS Ref
4 Reference cable X42 - XS Ref (maximum cable length 40 m)
5 Data cable X21
NOTICE
Cables must not be connected and disconnected during operation. Only
the reference cable X42 - XS Ref supplied by KUKA may be used. Ref-
erence cable X42 - XS Ref is suitable for use in a cable carrier. The
minimum bending radii must be observed when routing cables.
Type of routing Bending radius

Fixed installation Min. 5xØ of cable
Installation in cable carrier Min. 10xØ of cable


Technical data
3 Technical data
3.1 Service life
The maximum permissible service life of safety-relevant hardware compo-

nents is 20 years. Once this time has been reached, the safety-relevant
hardware components must be exchanged.
3.2 Reference switch
Basic data
Designation Values
Ambient temperature -25 °C – +70 °C
Switching function Break contact
DC operating voltage or HIGH level in the case 24 V
of pulsed operating voltage of the reference
switch
Permissible range for the DC operating voltage 20 … 33 V
or HIGH level UB(HIGH) for pulsed voltage
LOW level UB(LOW) for pulsed voltage 0 … 5 V
Required pulse duty factor T(HIGH):T(LOW) for min. 4:1
pulsed voltage
Supported pulse duration T(LOW) for pulsed 0.1 … 20 ms
voltage
Protection rating IP67
Operating current (power consumption) without 5 mA
load
Permissible load current max. 250 mA
Permissible switching frequency max. 500 Hz
Permissible switching distance at the proximity 0 … 4 mm
switch surfaces
Short circuit and overload protection, pulsed Yes
Outputs • PNP
• LOW-active
• Dual-channel
LED function indicator Yes
Hysteresis when installed 0.2 … 1 mm
EMC conformity IEC 60947-5-2

Technical data KUKA.SafeOperation 3.5
Pulse duty factor
Fig. 3-1: Pulse duty factor for pulsed voltage
Hole pattern
Fig. 3-2: Hole pattern, reference switch
1 2 holes for fastening elements, Ø 6.6 mm

2 2 holes for roll pins, Ø 4 mm
3.3 Connector pin assignment of reference cable X42-XS Ref
Fig. 3-3: Connector pin allocation for reference cable X42 - XS Ref

Technical data
Fig. 3-4: Wiring diagram for reference cable X42 - XS Ref
3.4 Circuit digram of reference switch XS Ref
Fig. 3-5: Circuit digram of reference switch XS Ref
1 Switching element, channel A 2 Switching element, channel B

Technical data KUKA.SafeOperation 3.5
3.5 Hole pattern for actuating plate
Fig. 3-6: Hole pattern for actuating plate
1 2 M6 threaded holes for fastening elements

2 2 holes for fastening elements, Ø 9 mm

Safety
4 Safety
4.1 General
4.1.1 Liability
The device described in this document is either an industrial robot or a

component thereof.
Components of the industrial robot:
• Manipulator
• Robot controller
• Teach pendant
• Connecting cables
• External axes (optional)
e.g. linear unit, turn-tilt table, positioner
• Software
• Options, accessories
The industrial robot is built using state-of-the-art technology and in accord-
ance with the recognized safety rules. Nevertheless, misuse of the indus-
trial robot may constitute a risk to life and limb or cause damage to the
industrial robot and to other material property.
The industrial robot may only be used in perfect technical condition in ac-
cordance with its designated use and only by safety-conscious persons
who are fully aware of the risks involved in its operation. Use of the indus-
trial robot is subject to compliance with this document and with the decla-
ration of incorporation supplied together with the industrial robot. Any func-
tional disorders affecting safety must be rectified immediately.
Safety information
Information about safety may not be construed against KUKA Deutschland

GmbH. Even if all safety instructions are followed, this is not a guarantee
that the industrial robot will not cause personal injuries or material dam-
age.
No modifications may be carried out to the industrial robot without the au-
thorization of KUKA Deutschland GmbH. Unauthorized modifications will
result in the loss of warranty and liability claims.
Additional components (tools, software, etc.), not supplied by KUKA
Deutschland GmbH, may be integrated into the industrial robot. The user
is liable for any damage these components may cause to the industrial ro-
bot or to other material property.
In addition to the Safety chapter, this document contains further safety in-
structions. These must also be observed.
4.1.2 Intended use of the industrial robot
The industrial robot is intended exclusively for the use designated in the
“Purpose” chapter of the operating instructions or assembly instructions.
Any use or application deviating from the intended use is deemed to be
misuse and is not allowed. It will result in the loss of warranty and liability
claims.

Operation of the industrial robot in accordance with its intended use also
Safety
requires compliance with the operating and assembly instructions for the
individual components, with particular reference to the maintenance speci-
fications.
Misuse

misuse and is not allowed. This includes e.g.:
• Use as a climbing aid
• Operation outside the specified operating parameters
• Operation without the required safety equipment
4.1.3 EC declaration of conformity and declaration of incorporation
The industrial robot constitutes partly completed machinery as defined by

the EC Machinery Directive. The industrial robot may only be put into op-
eration if the following preconditions are met:
• The industrial robot is integrated into a complete system.
or: The industrial robot, together with other machinery, constitutes a
complete system.
or: All safety functions and safeguards required for operation in the
complete machine as defined by the EC Machinery Directive have
been added to the industrial robot.
• The complete system complies with the EC Machinery Directive. This
has been confirmed by means of a conformity assessment procedure.
EC declaration of conformity
The system integrator must issue an EC declaration of conformity for the

complete system in accordance with the Machinery Directive. The EC dec-
laration of conformity forms the basis for the CE mark for the system. The
industrial robot must always be operated in accordance with the applicable
national laws, regulations and standards.
The robot controller has a CE mark in accordance with the EMC Directive
and the Low Voltage Directive.
Declaration of incorporation
The partly completed machinery is supplied with a declaration of incorpo-

ration in accordance with Annex II B of the Machinery Directive
2006/42/EC. The assembly instructions and a list of essential require-
ments complied with in accordance with Annex I are integral parts of this
declaration of incorporation.
The declaration of incorporation declares that the start-up of the partly
completed machinery is not allowed until the partly completed machinery
has been incorporated into machinery, or has been assembled with other
parts to form machinery, and this machinery complies with the terms of
the EC Machinery Directive, and the EC declaration of conformity is
present in accordance with Annex II A.
4.1.4 Terms used
STOP 0, STOP 1 and STOP 2 are the stop definitions according to

EN 60204-1:2006.

Safety
Term Description
Axis range Range of each axis, in degrees or millimeters, within which it may
move. The axis range must be defined for each axis.
Stopping distance Stopping distance = reaction distance + braking distance
The stopping distance is part of the danger zone.
Workspace Area within which the robot may move. The workspace is derived
from the individual axis ranges.
User The user of the industrial robot can be the management, employer or
delegated person responsible for use of the industrial robot.
Danger zone The danger zone consists of the workspace and the stopping distan-
ces of the manipulator and external axes (optional).
Service life The service life of a safety-relevant component begins at the time of
delivery of the component to the customer.
The service life is not affected by whether the component is used or
not, as safety-relevant components are also subject to aging during
storage.
KUKA smartPAD see “smartPAD”
KUKA smartPAD-2
Manipulator The robot arm and the associated electrical installations
Safety zone The safety zone is situated outside the danger zone.
Safe operational stop The safe operational stop is a standstill monitoring function. It does
not stop the robot motion, but monitors whether the robot axes are
stationary. If these are moved during the safe operational stop, a
safety stop STOP 0 is triggered.
The safe operational stop can also be triggered externally.
When a safe operational stop is triggered, the robot controller sets an
output to the field bus. The output is set even if not all the axes were
stationary at the time of triggering, thereby causing a safety stop
STOP 0 to be triggered.
Safety STOP 0 A stop that is triggered and executed by the safety controller. The
safety controller immediately switches off the drives and the power
supply to the brakes.
Note: This stop is called safety STOP 0 in this document.
Safety STOP 1 A stop that is triggered and monitored by the safety controller. The
braking operation is carried out by the non-safety-oriented section of
the robot controller and monitored by the safety controller. As soon as
the manipulator has stopped, the safety controller deactivates the
drives and the power supply of the brakes.
When a safety STOP 1 is triggered, the robot controller sets an out-
put to the field bus.
The safety STOP 1 can also be triggered externally.

Safety KUKA.SafeOperation 3.5
Term Description
Safety STOP 2 A stop that is triggered and monitored by the safety controller. The
braking operation is carried out by the non-safety-oriented section of
the robot controller and monitored by the safety controller. The drives
remain activated and the brakes released. As soon as the
manipulator is at a standstill, a safe operational stop is triggered.
When a safety STOP 2 is triggered, the robot controller sets an out-
put to the field bus.
The safety STOP 2 can also be triggered externally.
Safety options Generic term for options which make it possible to configure addition-
al safe monitoring functions in addition to the standard safety func-
tions.
Example: SafeOperation
smartPAD Programming device for the robot controller
The smartPAD has all the operator control and display functions re-
quired for operating and programming the industrial robot. Two mod-
els exist:
• smartPAD
• smartPAD-2
In turn, for every model there are variants (e.g. with the varying
lengths of connecting cables).
The designation “KUKA smartPAD” or “smartPAD” refers to both mod-
els unless an explicit distinction is made.
Stop category 0 The drives are deactivated immediately and the brakes are applied.
The manipulator and any external axes (optional) perform path-orien-
ted braking.
Note: This stop category is called STOP 0 in this document.
Stop category 1 The manipulator and any external axes (optional) perform path-main-
taining braking.
• Operating mode T1: The drives are deactivated as soon as the

robot has stopped, but no later than after 680 ms.
• Operating modes T2, AUT (KR C4), AUT EXT (KR C4), EXT
(VKR C4):
The drives are switched off after 1.5 s.
Stop category 1 - The manipulator and any external axes (optional) perform path-orien-
Drive Ramp Stop ted braking.
• Operating mode T1: The drives are deactivated as soon as the

robot has stopped, but no later than after 680 ms.
• Operating modes T2, AUT (KR C4), AUT EXT (KR C4), EXT
(VKR C4):
The drives are switched off after 1.5 s.
Note: This stop category is called STOP 1 - DRS in this document.
Stop category 2 The drives are not deactivated and the brakes are not applied. The
manipulator and any external axes (optional) are braked with a path-
maintaining braking ramp.

Safety
Term Description
System integrator The system integrator is responsible for safely integrating the industri-
(plant integrator) al robot into a complete system and commissioning it.
T1 Test mode, Manual Reduced Velocity (<= 250 mm/s)
T2 Test mode, Manual High Velocity (> 250 mm/s permissible)
External axis Motion axis which is not part of the manipulator but which is control-
led using the robot controller, e.g. KUKA linear unit, turn-tilt table,
Posiflex.
4.2 Personnel
The following persons or groups of persons are defined for the industrial
robot:
• User
• Personnel
All persons working with the industrial robot must have read and under-
stood the industrial robot documentation, including the safety chapter.
User
The user must observe the labor laws and regulations. This includes e.g.:
• The user must comply with his monitoring obligations.

• The user must carry out briefing at defined intervals.
Personnel
Personnel must be instructed, before any work is commenced, in the type

of work involved and what exactly it entails as well as any hazards which
may exist. Instruction must be carried out regularly. Instruction is also re-
quired after particular incidents or technical modifications.
Personnel includes:
• System integrator
• Operators, subdivided into:
‒ Start-up, maintenance and service personnel
‒ Operating personnel
‒ Cleaning personnel
Installation, exchange, adjustment, operation, maintenance and repair

must be performed only as specified in the operating or assembly in-
structions for the relevant component of the industrial robot and only by
personnel specially trained for this purpose.
System integrator
The industrial robot is safely integrated into a complete system by the sys-
tem integrator.
The system integrator is responsible for the following tasks:
• Installing the industrial robot

• Connecting the industrial robot
• Performing risk assessment
• Implementing the required safety functions and safeguards

• Issuing the EC declaration of conformity

• Attaching the CE mark
• Creating the operating instructions for the system
Operators
The operator must meet the following preconditions:

• The operator must be trained for the work to be carried out.
• Work on the system must only be carried out by qualified personnel.
These are people who, due to their specialist training, knowledge and
experience, and their familiarization with the relevant standards, are
able to assess the work to be carried out and detect any potential
hazards.
Work on the electrical and mechanical equipment of the industrial robot

may only be carried out by specially trained personnel.
4.3 Workspace, safety zone and danger zone
Workspaces are to be restricted to the necessary minimum size. A work-

space must be safeguarded using appropriate safeguards.
The safeguards (e.g. safety gate) must be situated inside the safety zone.
In the case of a stop, the manipulator and external axes (optional) are
braked and come to a stop within the danger zone.
The danger zone consists of the workspace and the stopping distances of
the manipulator and external axes (optional). It must be safeguarded by
means of physical safeguards to prevent danger to persons or the risk of
material damage.
4.3.1 Determining stopping distances
The system integrator’s risk assessment may indicate that the stopping
distances must be determined for an application. In order to determine the
stopping distances, the system integrator must identify the safety-relevant
points on the programmed path.
When determining the stopping distances, the robot must be moved with
the tool and loads which are also used in the application. The robot must
be at operating temperature. This is the case after approx. 1 h in normal
operation.
During execution of the application, the robot must be stopped at the point
from which the stopping distance is to be calculated. This process must
be repeated several times with a safety stop 0 and a safety stop 1. The
least favorable stopping distance is decisive.
A safety stop 0 can be triggered by a safe operational stop via the safety
interface, for example. If a safety option is installed, it can be triggered,
for instance, by a space violation (e.g. the robot exceeds the limit of an
activated workspace in Automatic mode).
A safety stop 1 can be triggered by pressing the EMERGENCY STOP de-
vice on the smartPAD, for example.
4.4 Triggers for stop reactions
Stop reactions of the industrial robot are triggered in response to operator

actions or as a reaction to monitoring functions and error messages. The

following table shows the different stop reactions according to the operat-
Safety
ing mode that has been set.
Trigger T1, T2 AUT, AUT EXT
Start key released STOP 2 -
STOP key pressed STOP 2
Drives OFF STOP 1
$MOVE_ENABLE input STOP 2
drops out
Power switched off via STOP 0
main switch or power fail-
ure
Internal error in non-safe- STOP 0 or STOP 1
ty-oriented part of the ro-
(dependent on the cause of the error)
bot controller
Operating mode changed Safety stop 2
during operation
Safety gate opened (op- - Safety stop 1
erator safety)
Enabling switch released Safety stop 2 -
Enabling switch pressed Safety stop 1 -
fully down or error
E-STOP pressed Safety stop 1
Error in safety controller Safety stop 0
or periphery of the safety
controller
4.5 Safety functions
4.5.1 Overview of the safety functions
The following safety functions are present in the industrial robot:

• Selecting the operating mode
• Operator safety (= connection for the monitoring of physical safe-
guards)
• EMERGENCY STOP device
• Enabling device
• External safe operational stop
• External safety stop 1
• External safety stop 2
• Velocity monitoring in T1
The safety functions of the industrial robot meet the following require-
ments:
• Category 3 and Performance Level d in accordance with EN ISO
13849-1
The requirements are only met on the following condition, however:
• The EMERGENCY STOP device is pressed at least once every 12
months.
The following components are involved in the safety functions:

• Safety controller in the control PC

• KUKA smartPAD
• Cabinet Control Unit (CCU)
• Resolver Digital Converter (RDC)
• KUKA Power Pack (KPP)
• KUKA Servo Pack (KSP)
• Safety Interface Board (SIB) (if used)
There are also interfaces to components outside the industrial robot and
to other robot controllers.
DANGER
In the absence of operational safety functions and safeguards, the in-
dustrial robot can cause personal injury or material damage. If safety
functions or safeguards are dismantled or deactivated, the industrial ro-
bot may not be operated.
During system planning, the safety functions of the overall system must
also be planned and designed. The industrial robot must be integrated
into this safety system of the overall system.
4.5.2 Safety controller
The safety controller is a unit inside the control PC. It links safety-relevant
signals and safety-relevant monitoring functions.
Safety controller tasks:
• Switching off the drives; applying the brakes
• Monitoring the braking ramp
• Standstill monitoring (after the stop)
• Velocity monitoring in T1
• Evaluation of safety-relevant signals
• Setting of safety-oriented outputs
4.5.3 Selecting the operating mode
Operating modes
The industrial robot can be operated in the following modes:

• Manual Reduced Velocity (T1)
• Manual High Velocity (T2)
• Automatic (AUT)
• Automatic External (AUT EXT)
Do not change the operating mode while a program is running. If the

operating mode is changed during program execution, the industrial ro-
bot is stopped with a safety stop 2.

Safety
Operating
Use Velocities
mode
• Program verification:
Programmed velocity, maxi-
For test operation,
mum 250 mm/s
T1 programming and
teaching • Jog mode:
Jog velocity, maximum
250 mm/s
• Program verification:
T2 For test operation Programmed velocity
• Jog mode: Not possible
For industrial robots • Program operation:

AUT without higher-level Programmed velocity
controllers • Jog mode: Not possible
For industrial robots • Program operation:

AUT EXT with higher-level con- Programmed velocity
trollers, e.g. PLC • Jog mode: Not possible
Mode selector switch
The user can change the operating mode via the connection manager.
The connection manager is a view that is called by means of the mode
selector switch on the smartPAD.
The mode selector switch may be one of the following variants:
• With key
It is only possible to change operating mode if the key is inserted.
• Without key
WARNING
If the smartPAD is fitted with a mode selector switch without a key:
An additional device must be present to ensure that the relevant func-
tions cannot be executed by all users, but only by a restricted group of
people.
The device itself must not trigger motions of the industrial robot or other
hazards. If this device is missing, death or severe injuries may result.
The system integrator is responsible for ensuring that such a device is im-
plemented.
4.5.4 “Operator safety” signal
The “operator safety” signal is used for monitoring physical safeguards,

e.g. safety gates. Automatic operation is not possible without this signal.
In the event of a loss of signal during automatic operation (e.g. safety
gate is opened), the manipulator stops with a safety stop 1.
Operator safety is not active in modes T1 (Manual Reduced Velocity) and
T2 (Manual High Velocity).

WARNING
Following a loss of signal, automatic operation may only be resumed
when the safeguard has been closed and when the closing has been
acknowledged. This acknowledgement is to prevent automatic operation
from being resumed inadvertently while there are still persons in the
danger zone, e.g. due to the safety gate closing accidentally.
The acknowledgement must be designed in such a way that an actual
check of the danger zone can be carried out first. Other acknowledge-
ment functions (e.g. an acknowlegement which is automatically triggered
by closure of the safeguard) are not permitted.
The system integrator is responsible for ensuring that these criteria are
met. Failure to met them may result in death, severe injuries or consid-
erable damage to property.
4.5.5 EMERGENCY STOP device
The EMERGENCY STOP device for the industrial robot is the EMERGEN-
CY STOP device on the smartPAD. The device must be pressed in the
event of a hazardous situation or emergency.
Reactions of the industrial robot if the EMERGENCY STOP device is
pressed:
• The manipulator and any external axes (optional) are stopped with a
safety stop 1.
Before operation can be resumed, the EMERGENCY STOP device must
be turned to release it.
WARNING
Tools and other equipment connected to the robot must be integrated in-
to the EMERGENCY STOP circuit on the system side if they could con-
stitute a potential hazard.
Failure to observe this precaution may result in death, severe injuries or
considerable damage to property.
There must always be at least one external EMERGENCY STOP device

installed. This ensures that an EMERGENCY STOP device is available
even when the smartPAD is disconnected.
(>>> 4.5.7 "External EMERGENCY STOP device" Page 51)
4.5.6 Logging off from the higher-level safety controller
If the robot controller is connected to a higher-level safety controller, this

connection will inevitably be terminated in the following cases:
• Switching off the voltage via the main switch of the robot
Or power failure
• Shutdown of the robot controller via the smartHMI
• Activation of a WorkVisual project in WorkVisual or directly on the ro-
bot controller
• Changes to Start-up > Network configuration
• Changes to Configuration > Safety configuration
• I/O drivers > Reconfigure
• Restoration of an archive
Effect of the interruption:

Safety
• If a discrete safety interface is used, this triggers an EMERGENCY
STOP for the overall system.
• If the Ethernet interface is used, the KUKA safety controller generates
a signal that prevents the higher-level controller from triggering an
EMERGENCY STOP for the overall system.
If the Ethernet safety interface is used: In his risk assessment, the sys-
tem integrator must take into consideration whether the fact that switch-
ing off the robot controller does not trigger an EMERGENCY STOP of
the overall system could constitute a hazard and, if so, how this hazard
can be countered.
Failure to take this into consideration may result in death, injuries or
damage to property.
WARNING
If a robot controller is switched off, the E-STOP device on the smartPAD
is no longer functional. The user is responsible for ensuring that the
smartPAD is either covered or removed from the system. This serves to
prevent operational and non-operational EMERGENCY STOP devices
from becoming interchanged.
Failure to observe this precaution may result in death, injuries or dam-
age to property.
4.5.7 External EMERGENCY STOP device
Every operator station that can initiate a robot motion or other potentially
hazardous situation must be equipped with an EMERGENCY STOP de-
vice. The system integrator is responsible for ensuring this.
There must always be at least one external EMERGENCY STOP device
installed. This ensures that an EMERGENCY STOP device is available
even when the smartPAD is disconnected.
External EMERGENCY STOP devices are connected via the customer in-
terface. External EMERGENCY STOP devices are not included in the
scope of supply of the industrial robot.
4.5.8 Enabling device
The enabling devices of the industrial robot are the enabling switches on
the smartPAD.
• smartPAD: 3 enabling switches
• smartPAD-2: 4 enabling switches
The enabling switches have 3 positions:
• Not pressed
• Center position
• Fully pressed (panic position)
In the test modes, the manipulator can only be moved if at least one of
the enabling switches is held in the center position.
It is possible to hold several enabling switches in the center position si-
multaneously. This makes it possible to adjust grip from one enabling
switch to another one.
In the test modes, the manipulator can be stopped in the following ways:
• Press at least one enabling switch down fully.
Pressing an enabling switch down fully triggers a safety stop 1.

• Or release all enabling switches.

Releasing all (!) enabling switches held in the center position triggers
a safety stop 2.
Releasing one of multiple enabling switches held in the center position

does not trigger a reaction.
If multiple switches are held in the center position, it is not possible to
distinguish whether one of them was intentionally released or if it was
unintentionally released as the result of an accident.
If an enabling switch malfunctions (e.g. jams in the center position), the

industrial robot can be stopped using one of the following methods:
• Press another enabling switch down fully.

• Actuate the EMERGENCY STOP device.
• Release the Start key.
WARNING
The enabling switches must not be held down by adhesive tape or other
means or tampered with in any other way.
Death, injuries or damage to property may result.
Function test
The function of the enabling switches must be tested in the following ca-
ses:
• Following initial start-up or recommissioning of the industrial robot
• After a software update
• After disconnecting and reconnecting a smartPAD (the same smart-
PAD or another one)
• The test must be carried out at least once every 12 months.
To test, perform the following steps separately for each enabling switch:
1. Move the manipulator in a test mode.
2. While the manipulator is moving, press the enabling switch down fully
and hold it down for 3 seconds.
The test is passed in the following case:
• The manipulator stops.
• And: No error message for the enabling device is displayed (Enabling
switch error or similar).
If the test has not been passed for one or more enabling switches, the
smartPAD must be exchanged and the test must be performed again.
4.5.9 External enabling device
External enabling devices are required if it is necessary for more than one
person to be in the danger zone of the industrial robot.
The function of the external enabling switches must be tested at least
once every 12 months.
Which interface can be used for connecting external enabling devices is
described in the “Planning” chapter of the robot controller operating in-
structions and assembly instructions.
External enabling devices are not included in the scope of supply of the
industrial robot.

Safety
4.5.10 External safe operational stop
The safe operational stop can be triggered via an input on the customer
interface. The state is maintained as long as the external signal is FALSE.
If the external signal is TRUE, the manipulator can be moved again. No
acknowledgement is required.
4.5.11 External safety stop 1 and external safety stop 2
Safety stop 1 and safety stop 2 can be triggered via an input on the cus-
tomer interface. The state is maintained as long as the external signal is
FALSE. If the external signal is TRUE, the manipulator can be moved
again. No acknowledgement is required.
If interface X11 is selected as the customer interface, only the signal
Safety stop 2 is available.
4.5.12 Velocity monitoring in T1
In T1 mode, the velocity is safely monitored on both an axis-specific and

Cartesian basis.
• Applicable up to and including System Software 8.5.7:

For customer kinematic systems (CKs), only the axis-specific
velocity is safely monitored in T1 mode. The Cartesian position on
the flange is only available for KUKA kinematic systems using safe
technology.
• Applicable for System Software 8.5.8 or higher:
For all kinematic systems, the axis-specific velocity is safely moni-
tored in T1 mode. The Cartesian velocity is safely monitored in T1 if
the associated setting is activated in the safety configuration.
Axis-specific monitoring
If an axis exceeds its velocity limit, a safety stop 0 is triggered.

• Default limit value for rotational axes: 30 °/s
• Default limit value for linear axes: 250 mm/s
From System Software 8.3 onwards, the axis-specific monitoring can be

configured using the Maximum velocity T1 parameter. Further informa-
tion about this can be found in the Operating and Programming In-
structions for System Integrators documentation for the System Soft-
ware.
Cartesian monitoring
The Cartesian monitoring refers to the velocity at the flange. If a limit val-
ue is exceeded, a safety stop 0 is triggered.
• Default limit value: 250 mm/s
If an additional safety option (e.g. SafeOperation) is used, the limit value
can be configured. It can be reduced, but not increased.

4.6 Additional protective equipment
4.6.1 Jog mode
In the operating modes T1 (Manual Reduced Velocity) and T2 (Manual

High Velocity), the robot controller can only execute programs in jog
mode. This means that it is necessary to hold down an enabling switch
and the Start key in order to execute a program.
• Releasing the enabling switch triggers a safety stop 2.
• Pressing the enabling switch down fully (panic position) triggers a
safety stop 1.
• Releasing the Start key triggers a STOP 2.
4.6.2 Software limit switches
The axis ranges of all manipulator and positioner axes are limited by
means of adjustable software limit switches. These software limit switches
only serve as machine protection and must be adjusted in such a way
that the manipulator/positioner cannot hit the mechanical end stops.
The software limit switches are set during commissioning of an industrial
robot.
Further information is contained in the operating and programming in-
structions.
4.6.3 Mechanical end stops
Depending on the robot variant, the axis ranges of the main and wrist ax-
es of the manipulator are partially limited by mechanical end stops.
Additional mechanical end stops can be installed on the external axes.
WARNING
If the manipulator or an external axis hits an obstruction or a mechani-
cal end stop or mechanical axis limitation, the manipulator can no
longer be operated safely. The manipulator must be taken out of opera-
tion and KUKA Deutschland GmbH must be consulted before it is put
back into operation.
4.6.4 Mechanical axis limitation (optional)
Some manipulators can be fitted with mechanical axis limitation systems

in axes A1 to A3. The axis limitation systems restrict the working range to
the required minimum. This increases personal safety and protection of
the system.
In the case of manipulators that are not designed to be fitted with me-
chanical axis limitation, the workspace must be laid out in such a way that
there is no danger to persons or material property, even in the absence of
mechanical axis limitation.
If this is not possible, the workspace must be limited by means of photo-
electric barriers, photoelectric curtains or obstacles on the system side.
There must be no shearing or crushing hazards at the loading and trans-
fer areas.
This option is not available for all robot models. Information on specific
robot models can be obtained from KUKA Deutschland GmbH.

Safety
4.6.5 Options for moving the manipulator without drive energy
The system user is responsible for ensuring that the training of person-
nel with regard to the response to emergencies or exceptional situations
also includes how the manipulator can be moved without drive energy.
Description
The following options are available for moving the manipulator without
drive energy after an accident or malfunction:
• Release device (optional)
The release device can be used for the main axis drive motors and,
depending on the robot variant, also for the wrist axis drive motors.
• Brake release device (option)
The brake release device is designed for robot variants whose motors
are not freely accessible.
• Moving the wrist axes directly by hand
There is no release device available for the wrist axes of variants in
the low payload category. This is not necessary because the wrist ax-
es can be moved directly by hand.
Information about the options available for the various robot models and
about how to use them can be found in the assembly and operating in-
structions for the robot or requested from KUKA Deutschland GmbH.
NOTICE
Moving the manipulator without drive energy can damage the motor
brakes of the axes concerned. The motor must be replaced if the brake
has been damaged. The manipulator may therefore be moved without
drive energy only in emergencies, e.g. for rescuing persons.
4.6.6 Labeling on the industrial robot
All plates, labels, symbols and marks constitute safety-relevant parts of

the industrial robot. They must not be modified or removed.
Labeling on the industrial robot consists of:
• Identification plates
• Warning signs
• Safety symbols
• Designation labels
• Cable markings
• Rating plates
Further information is contained in the technical data of the operating in-

structions or assembly instructions of the components of the industrial
robot.
4.6.7 External safeguards
The access of persons to the danger zone of the industrial robot must be
prevented by means of safeguards. It is the responsibility of the system
integrator to ensure this.

Physical safeguards must meet the following requirements:

Safety
• They meet the requirements of EN ISO 14120.

• They prevent access of persons to the danger zone and cannot be
easily circumvented.
• They are sufficiently fastened and can withstand all forces that are
likely to occur in the course of operation, whether from inside or out-
side the enclosure.
• They do not, themselves, represent a hazard or potential hazard.
• Prescribed clearances, e.g. to danger zones, are adhered to.
Safety gates (maintenance gates) must meet the following requirements:
• They are reduced to an absolute minimum.

• The interlocks (e.g. safety gate switches) are linked to the operator
safety input of the robot controller via safety gate switching devices or
safety PLC.
• Switching devices, switches and the type of switching conform to the
requirements of Performance Level d and category 3 according to
EN ISO 13849-1.
• Depending on the risk situation: the safety gate is additionally safe-
guarded by means of a locking mechanism that only allows the gate
to be opened if the manipulator is safely at a standstill.
• The button for acknowledging the safety gate is located outside the
space limited by the safeguards.
Further information is contained in the corresponding standards and reg-

ulations. These also include EN ISO 14120.
Other safety equipment
Other safety equipment must be integrated into the system in accordance

with the corresponding standards and regulations.
4.7 Overview of operating modes and safety functions
The following table indicates the operating modes in which the safety
functions are active.
Safety functions T1 T2 AUT AUT EXT
Operator safety - - Active Active
EMERGENCY STOP device Active Active Active Active
Enabling device Active Active - -
Reduced velocity during
Active - - -
program verification
Jog mode Active Active - -
Software limit switches Active Active Active Active
4.8 Safety measures
4.8.1 General safety measures
cordance with its intended use and only by safety-conscious persons. Op-
erator errors can result in personal injury and damage to property.

It is important to be prepared for possible movements of the industrial ro-
Safety
bot even after the robot controller has been switched off and locked out.
Incorrect installation (e.g. overload) or mechanical defects (e.g. brake de-
fect) can cause the manipulator or external axes to sag. If work is to be
carried out on a switched-off industrial robot, the manipulator and external
axes must first be moved into a position in which they are unable to move
on their own, whether the payload is mounted or not. If this is not possi-
ble, the manipulator and external axes must be secured by appropriate
means.
DANGER
In the absence of operational safety functions and safeguards, the in-
dustrial robot can cause personal injury or material damage. If safety
functions or safeguards are dismantled or deactivated, the industrial ro-
bot may not be operated.
DANGER
Standing underneath the robot arm can cause death or injuries. For this
reason, standing underneath the robot arm is prohibited!
CAUTION
The motors reach temperatures during operation which can cause burns
to the skin. Contact must be avoided. Appropriate safety precautions
must be taken, e.g. protective gloves must be worn.
smartPAD
The user must ensure that the industrial robot is only operated with the
smartPAD by authorized persons.
If more than one smartPAD is used in the overall system, it must be en-
sured that it is clearly recognizable which smartPAD is connected to which
industrial robot. They must not be interchanged.
WARNING
The operator must ensure that decoupled smartPADs are immediately
removed from the system and stored out of sight and reach of person-
nel working on the industrial robot. This serves to prevent operational
and non-operational EMERGENCY STOP devices from becoming inter-
changed.
Failure to observe this precaution may result in death, severe injuries or
considerable damage to property.
In certain cases, and at least every 12 months, the enabling switches on

the smartPAD must be subjected to a function test.
(>>> "Function test" Page 52)
Modifications
After modifications to the industrial robot, checks must be carried out to

ensure the required safety level. The valid national or regional work safety
regulations must be observed for this check. The correct functioning of all
safety functions must also be tested.
New or modified programs must always be tested first in Manual Reduced
Velocity mode (T1).
After modifications to the industrial robot, existing programs must always
be tested first in Manual Reduced Velocity mode (T1). This applies to all
components of the industrial robot and includes e.g. modifications of the
external axes or to the software and configuration settings.

Faults
The following tasks must be carried out in the case of faults in the indus-
trial robot:
• Switch off the robot controller and secure it (e.g. with a padlock) to
prevent unauthorized persons from switching it on again.
• Indicate the fault by means of a label with a corresponding warning
(tagout).
• Keep a record of the faults.
• Eliminate the fault and carry out a function test.
4.8.2 IT security
cordance with its intended use and only by safety-conscious persons.
In particular, security-conscious use includes that it be operated in an IT
environment which meets the current security-relevant standards and for
which there is an overall concept for IT security.
IT security entails not only technical aspects but, at a minimum, also
those of organization, personnel and infrastructure.
KUKA urgently recommends that operators implement an information se-
curity management system for their products which designs, coordinates
and monitors the tasks related to information security.
Sources for information about IT security for companies include:

• Independent consulting firms
• National cyber security authorities
National authorities often make their recommendations available on the In-
ternet. In addition to their official language, some national authorities pro-
vide their information in English.
4.8.3 Transportation
Manipulator
The prescribed transport position of the manipulator must be observed.

Transportation must be carried out in accordance with the operating in-
structions or assembly instructions of the robot.
Avoid vibrations and impacts during transportation in order to prevent
damage to the manipulator.
Robot controller
The prescribed transport position of the robot controller must be observed.

Transportation must be carried out in accordance with the operating in-
structions or assembly instructions of the robot controller.
Avoid vibrations and impacts during transportation in order to prevent
damage to the robot controller.
External axis (optional)
The prescribed transport position of the external axis (e.g. KUKA linear
unit, turn-tilt table, positioner) must be observed. Transportation must be
carried out in accordance with the operating instructions or assembly in-
structions of the external axis.

Safety
4.8.4 Start-up and recommissioning
Before starting up systems and devices for the first time, a check must be
carried out to ensure that the systems and devices are complete and op-
erational, that they can be operated safely and that any damage is detec-
ted.
The valid national or regional work safety regulations must be observed
for this check. The correct functioning of all safety functions must also be
tested.
The passwords for the user groups must be changed in the KUKA Sys-
tem Software before start-up. The passwords must only be communica-
ted to authorized personnel.
WARNING
The robot controller is preconfigured for the specific industrial robot. If
cables are interchanged, the manipulator and the external axes (option-
al) may receive incorrect data and can thus cause personal injury or
material damage. If a system consists of more than one manipulator, al-
ways connect the connecting cables to the manipulators and their corre-
sponding robot controllers.
If additional components (e.g. cables), which are not part of the scope
of supply of KUKA Deutschland GmbH, are integrated into the industrial
robot, the user is responsible for ensuring that these components do not
adversely affect or disable safety functions.
NOTICE
If the internal cabinet temperature of the robot controller differs greatly
from the ambient temperature, condensation can form, which may cause
damage to the electrical components. Do not put the robot controller in-
to operation until the internal temperature of the cabinet has adjusted to
the ambient temperature.
Function test
The following tests must be carried out before start-up and recommission-
ing:
General test:
It must be ensured that:
• The industrial robot is correctly installed and fastened in accordance

with the specifications in the documentation.
• There is no damage to the robot that could be attributed to external
forces. Examples: Dents or abrasion that could be caused by an im-
pact or collision.
WARNING
In the case of such damage, the affected components must be ex-
changed. In particular, the motor and counterbalancing system must
be checked carefully.
External forces can cause non-visible damage. For example, it can
lead to a gradual loss of drive power from the motor, resulting in un-
intended movements of the manipulator. Death, injuries or consider-
able damage to property may otherwise result.
• There are no foreign bodies or loose parts on the industrial robot.

• All required safety equipment is correctly installed and operational.

• The power supply ratings of the industrial robot correspond to the

local supply voltage and mains type.
• The ground conductor and the equipotential bonding cable are suffi-
ciently rated and correctly connected.
• The connecting cables are correctly connected and the connectors are
locked.
Test of the safety functions:
A function test must be carried out for the following safety functions to en-
sure that they are functioning correctly:
• Local EMERGENCY STOP device

• External EMERGENCY STOP device (input and output)
• Enabling device (in the test modes)
• Operator safety
• All other safety-relevant inputs and outputs used
• Other external safety functions
4.8.4.1 Checking machine data and safety configuration
WARNING
The industrial robot must not be moved if incorrect machine data or an
incorrect controller configuration are loaded. Death, severe injuries or
considerable damage to property may otherwise result. The correct data
must be loaded.
• Following the start-up procedure, the practical tests for the machine
data must be carried out. The tool must be calibrated (either via an
actual calibration or through numerical entry of the data).
• Following modifications to the machine data, the safety configuration
must be checked.
• After activation of a WorkVisual project on the robot controller, the
safety configuration must be checked.
• If machine data are adopted when checking the safety configuration
(regardless of the reason for the safety configuration check), the prac-
tical tests for the machine data must be carried out.
• System Software 8.3 or higher: If the checksum or the activation code
of the safety configuration has changed, the safe axis monitoring func-
tions must be checked.
Up to and including System Software 8.5, the value in the safety con-
figuration is “Checksum”; for 8.6 and above, it is “Activation code”.
Information about checking the safety configuration and the safe axis
monitoring functions is contained in the Operating and Programming In-
structions for System Integrators.
If the practical tests are not successfully completed in the initial start-up,
KUKA Deutschland GmbH must be contacted.
If the practical tests are not successfully completed during a different pro-
cedure, the machine data and the safety-relevant controller configuration
must be checked and corrected.
General practical test
If practical tests are required for the machine data, this test must always
be carried out.

For 6-axis robots:
Safety
The following methods are available for performing the practical test:
• TCP calibration with the XYZ 4-point method
The practical test is passed if the TCP has been successfully calibra-
ted.
Or:
1. Align the TCP with a freely selected point. The point serves as a ref-
erence point.
• The point must be located so that reorientation is possible.
• The point must not be located on the Z axis of the FLANGE coor-
dinate system.
2. Move the TCP manually at least 45° once in each of the A, B and C
directions.
The movements do not have to be accumulative, i.e. after motion in
one direction it is possible to return to the original position before mov-
ing in the next direction.
The practical test is passed if the TCP does not deviate from the ref-
erence point by more than 2 cm in total.
For palletizing robots:
Palletizing robots, in this case, are either robots that can be used only as
palletizers from the start or robots operated in palletizing mode. The latter
must also be in palletizing mode during the practical test.
First part:
1. Mark the starting position of the TCP.
Also read and note the starting position from the Actual position –
Cartesian display on the smartHMI.
2. Jog the TCP in the X direction. The distance must be at least 20% of
the robot’s maximum reach. Determine the exact length via the Actual
position display.
3. Measure the distance covered and compare it with the distance value
displayed on the smartHMI. The deviation must be < 5%.
4. Repeat steps 1 and 2 for the Y direction and Z direction.
The first part of the practical test is passed if the deviation is < 5% in ev-
ery direction.
Second part:
• Rotate the tool manually about A by 45°: once in the plus direction,
once in the minus direction. At the same time, observe the TCP.
The second part of the practical test is passed if the position of the TCP
in space is not altered during the rotations.
Practical test for axes that are not mathematically coupled
If practical tests are required for the machine data, this test must be car-
ried out when axes are present that are not mathematically coupled.
1. Mark the starting position of the axis that is not mathematically cou-
pled.
Also read and note the start position from the Actual position display
on the smartHMI.
2. Move the axis manually by a freely selected path length. Determine
the path length from the Actual position display.
• Move linear axes a specific distance.
• Move rotational axes through a specific angle.

3. Measure the length of the path covered and compare it with the value
displayed on the smartHMI.
The practical test is passed if the values differ by no more than 5%.
4. Repeat the test for each axis that is not mathematically coupled.
Practical test for robot on KUKA linear unit
ried out if the robot and KL are mathematically coupled.
• Move the KL manually in Cartesian mode.
The practical test is passed if the TCP does not move at the same
time.
Practical test for couplable axes
ried out when axes are present that can be physically coupled and uncou-
pled, e.g. a servo gun.
1. Physically uncouple the couplable axis.
2. Move all the remaining axes individually.
The practical test is passed if it has been possible to move all the re-
maining axes.
4.8.4.2 Start-up mode
Description
The industrial robot can be set to Start-up mode via the smartHMI user in-
terface. In this mode, the manipulator can be moved in T1 without the ex-
ternal safeguards being put into operation.
The safety interface used affects “Start-up” mode:
Discrete safety interface
• System Software 8.2 or earlier:
Start-up mode is always possible if all input signals at the discrete
safety interface have the state “logic zero”. If this is not the case, the
robot controller prevents or terminates Start-up mode.
If an additional discrete safety interface for safety options is used, the
inputs there must also have the state “logic zero”.
• System Software 8.3 or higher:
Start-up mode is always possible. This also means that it is independ-
ent of the state of the inputs at the discrete safety interface.
If an additional discrete safety interface is used for safety options: The
states of these inputs are also irrelevant.
Ethernet safety interface
The robot controller prevents or terminates Start-up mode if a connection
to a higher-level safety system exists or is established.
Effect
When the Start-up mode is activated, all outputs are automatically set to
the state “logic zero”.
If the robot controller has a peripheral contactor (US2), and if the safety
configuration specifies for this to switch in accordance with the motion en-
able, then the same also applies in Start-up mode. This means that if mo-

tion enable is present, the US2 voltage is switched on – even in Start-up
Safety
mode.
NOTICE
The maximum number of switching cycles of the peripheral contactors is
175 per day.
Hazards
Possible hazards and risks involved in using Start-up mode:
• A person walks into the manipulator’s danger zone.

• In a hazardous situation, a disabled external EMERGENCY STOP de-
vice is actuated and the manipulator is not shut down.
Additional measures for avoiding risks in Start-up mode:
• Cover disabled EMERGENCY STOP devices or attach a warning sign

indicating that the EMERGENCY STOP device is out of operation.
• If there is no safety fence, other measures must be taken to prevent
persons from entering the manipulator’s danger zone, e.g. use of
warning tape.
Use
Intended use of Start-up mode:

• Start-up in T1 mode when the external safeguards have not yet been
installed or put into operation. The danger zone must be delimited at
least by means of warning tape.
• Fault localization (periphery fault).
• Use of Start-up mode must be minimized as much as possible.
WARNING
Use of Start-up mode disables all external safeguards. The service per-
sonnel are responsible for ensuring that there is no-one in or near the
danger zone of the manipulator as long as the safeguards are disabled.
Failure to observe this precaution may result in death, injuries or dam-
age to property.
Misuse

misuse and is not allowed. KUKA Deutschland GmbH is not liable for any
damage resulting from such misuse. The risk lies entirely with the user.
4.8.5 Manual mode
General
Manual mode is the mode for setup work. Setup work is all the tasks that
have to be carried out on the industrial robot to enable automatic opera-
tion. Setup work includes:
• Jog mode
• Teaching
• Programming
• Program verification
The following must be taken into consideration in manual mode:

• New or modified programs must always be tested first in Manual Re-

duced Velocity mode (T1).
• The manipulator, tooling or external axes (optional) must never touch
or project beyond the safety fence.
• Workpieces, tooling and other objects must not become jammed as a
result of the industrial robot motion, nor must they lead to
short-circuits or be liable to fall off.
• All setup work must be carried out, where possible, from outside the
safeguarded area.
Setup work in T1
If it is necessary to carry out setup work from inside the safeguarded

area, the following must be taken into consideration in the operating mode
Manual Reduced Velocity (T1):
• If it can be avoided, there must be no other persons inside the safe-
guarded area.
• If it is necessary for there to be several persons inside the safeguar-
ded area, the following must be observed:
‒ Each person must have an enabling device.
‒ All persons must have an unimpeded view of the industrial robot.
‒ Eye-contact between all persons must be possible at all times.
• The operator must be so positioned that he can see into the danger
area and get out of harm’s way.
• Unexpected motions of the manipulator cannot be ruled out, e.g. in
the event of a fault. For this reason, an appropriate clearance must be
maintained between persons and the manipulator (including tool).
Guide value: 50 cm.
The minimum clearance may vary depending on local circumstances,
the motion program and other factors. The minimum clearance that is
to apply for the specific application must be decided by the user on
the basis of a risk assessment.
Setup work in T2
If it is necessary to carry out setup work from inside the safeguarded

area, the following must be taken into consideration in the operating mode
Manual High Velocity (T2):
• This mode may only be used if the application requires a test at a ve-
locity higher than that possible in T1 mode.
• Teaching and programming are not permissible in this operating mode.
• Before commencing the test, the operator must ensure that the ena-
bling devices are operational.
• The operator must be positioned outside the danger zone.
• There must be no other persons inside the safeguarded area. It is the
responsibility of the operator to ensure this.
4.8.6 Simulation
Simulation programs do not correspond exactly to reality. Robot programs

created in simulation programs must be tested in the system in Manual
Reduced Velocity mode (T1). It may be necessary to modify the pro-
gram.

Safety
4.8.7 Automatic mode
Automatic mode is only permissible in compliance with the following safety

measures:
• All safety equipment and safeguards are present and operational.

• There are no persons in the system.
• The defined working procedures are adhered to.
If the manipulator or an external axis (optional) comes to a standstill for
no apparent reason, the danger zone must not be entered until an EMER-
GENCY STOP has been triggered.
4.8.8 Maintenance and repair
After maintenance and repair work, checks must be carried out to ensure
the required safety level. The valid national or regional work safety regula-
tions must be observed for this check. The correct functioning of all safety
functions must also be tested.
The purpose of maintenance and repair work is to ensure that the system
is kept operational or, in the event of a fault, to return the system to an
operational state. Repair work includes troubleshooting in addition to the
actual repair itself.
The following safety measures must be carried out when working on the
industrial robot:
• Carry out work outside the danger zone. If work inside the danger
zone is necessary, the user must define additional safety measures to
ensure the safe protection of personnel.
• Switch off the industrial robot and secure it (e.g. with a padlock) to
prevent it from being switched on again. If it is necessary to carry out
work with the robot controller switched on, the user must define addi-
tional safety measures to ensure the safe protection of personnel.
• If it is necessary to carry out work with the robot controller switched
on, this may only be done in operating mode T1.
• Label the system with a sign indicating that work is in progress. This
sign must remain in place, even during temporary interruptions to the
work.
• The EMERGENCY STOP devices must remain active. If safety func-
tions or safeguards are deactivated during maintenance or repair work,
they must be reactivated immediately after the work is completed.
DANGER
Before work is commenced on live parts of the robot system, the main
switch must be turned off and secured against being switched on again.
The system must then be checked to ensure that it is deenergized.
It is not sufficient, before commencing work on live parts, to execute an
EMERGENCY STOP or a safety stop, or to switch off the drives, as this
does not disconnect the robot system from the mains power supply.
Parts remain energized. Death or severe injuries may result.
Faulty components must be replaced using new components with the

same article numbers or equivalent components approved by KUKA
Deutschland GmbH for this purpose.
Cleaning and preventive maintenance work is to be carried out in accord-
ance with the operating instructions.

Robot controller
Even when the robot controller is switched off, parts connected to periph-
eral devices may still carry voltage. The external power sources must
therefore be switched off if work is to be carried out on the robot control-
ler.
The ESD regulations must be adhered to when working on components in
the robot controller.
Voltages in excess of 50 V (up to 780 V) can be present in various com-
ponents for several minutes after the robot controller has been switched
off! To prevent life-threatening injuries, no work may be carried out on the
industrial robot in this time.
Water and dust must be prevented from entering the robot controller.
Counterbalancing system
Some robot variants are equipped with a hydropneumatic, spring or gas

cylinder counterbalancing system.
The hydropneumatic and gas cylinder counterbalancing systems are pres-
sure equipment and, as such, are subject to obligatory equipment monitor-
ing and the provisions of the Pressure Equipment Directive.
The user must comply with the applicable national laws, regulations and
standards pertaining to pressure equipment.
Inspection intervals in Germany in accordance with Industrial Safety
Order, Sections 14 and 15. Inspection by the user before commissioning
at the installation site.
The following safety measures must be carried out when working on the
counterbalancing system:
• The manipulator assemblies supported by the counterbalancing sys-
tems must be secured.
• Work on the counterbalancing systems must only be carried out by
qualified personnel.
Hazardous substances
The following safety measures must be carried out when handling hazard-
ous substances:
• Avoid prolonged and repeated intensive contact with the skin.
• Avoid breathing in oil spray or vapors.
• Clean skin and apply skin cream.
To ensure safe use of our products, we recommend regularly requesting

up-to-date safety data sheets for hazardous substances.
4.8.9 Decommissioning, storage and disposal
The industrial robot must be decommissioned, stored and disposed of in

accordance with the applicable national laws, regulations and standards.
4.8.10 Safety measures for “single point of control”
Overview
If certain components in the industrial robot are operated, safety measures

must be taken to ensure complete implementation of the principle of “sin-
gle point of control” (SPOC).

The relevant components are:
Safety
• Submit interpreter
• PLC
• OPC server
• Remote control tools
• Tools for configuration of bus systems with online functionality
• KUKA.RobotSensorInterface
The implementation of additional safety measures may be required. This

must be clarified for each specific application; this is the responsibility of
the system integrator, programmer or user of the system.
Since only the system integrator knows the safe states of actuators in the
periphery of the robot controller, it is his task to set these actuators to a
safe state, e.g. in the event of an EMERGENCY STOP.
T1, T2
In modes T1 and T2, the components referred to above may only access
the industrial robot if the following signals have the following states:
Signal State required for SPOC
$USER_SAF TRUE
$SPOC_MOTION_ENABLE TRUE
Submit interpreter, PLC
If motions, (e.g. drives or grippers) are controlled with the submit interpret-
er or the PLC via the I/O system, and if they are not safeguarded by oth-
er means, then this control will take effect even in T1 and T2 modes or
while an EMERGENCY STOP is active.
If variables that affect the robot motion (e.g. override) are modified with
the submit interpreter or the PLC, this takes effect even in T1 and T2
modes or while an EMERGENCY STOP is active.
Safety measures:
• In T1 and T2, the system variable $OV_PRO must not be written to

by the submit interpreter or the PLC.
• Do not modify safety-relevant signals and variables (e.g. operating
mode, EMERGENCY STOP, safety gate contact) via the submit inter-
preter or PLC.
If modifications are nonetheless required, all safety-relevant signals
and variables must be linked in such a way that they cannot be set to
a dangerous state by the submit interpreter or PLC. This is the re-
sponsibility of the system integrator.
OPC server, remote control tools
These components can be used with write access to modify programs,

outputs or other parameters of the robot controller, without this being no-
ticed by any persons located inside the system.
Safety measure:
If these components are used, outputs that could cause a hazard must be
determined in a risk assessment. These outputs must be designed in such
a way that they cannot be set without being enabled. This can be done
using an external enabling device, for example.

Tools for configuration of bus systems
If these components have an online functionality, they can be used with

write access to modify programs, outputs or other parameters of the robot
controller, without this being noticed by any persons located inside the
system.
• WorkVisual from KUKA
• Tools from other manufacturers
Safety measure:
In the test modes, programs, outputs or other parameters of the robot
controller must not be modified using these components.
4.9 Applied norms and regulations
Name/Edition Definition
2006/42/EC:2006 Machinery Directive:

Directive 2006/42/EC of the European Parliament and of the Coun-
cil of 17 May 2006 on machinery, and amending Directive 95/16/EC
(recast)
2014/30/EU:2014 EMC Directive:

Directive 2014/30/EC of the European Parliament and of the Coun-
cil dated 26 February 2014 on the approximation of the laws of the
Member States concerning electromagnetic compatibility
2014/68/EU:2014 Pressure Equipment Directive:

Directive 2014/68/EU of the European Parliament and of the Coun-
cil dated 15 May 2014 on the approximation of the laws of the
Member States concerning pressure equipment
(Only applicable for robots with hydropneumatic counterbalancing
system.)
EN ISO 13850:2015 Safety of machinery:

Emergency stop - Principles for design
EN ISO 13849-1:2015 Safety of machinery:

Safety-related parts of control systems - Part 1: General principles
of design
EN ISO 13849-2:2012 Safety of machinery:

Safety-related parts of control systems - Part 2: Validation
EN ISO 12100:2010 Safety of machinery:

General principles of design, risk assessment and risk reduction
EN ISO 10218-1:2011 Industrial robots – Safety requirements:

Part 1: Robots
Note: Content equivalent to ANSI/RIA R.15.06-2012, Part 1
EN 614-1:2006+A1:2009 Safety of machinery:

Ergonomic design principles - Part 1: Terms and general principles

Safety
EN 61000-6-2:2005 Electromagnetic compatibility (EMC):
Part 6-2: Generic standards; Immunity for industrial environments
EN 61000-6-4:2007 + Electromagnetic compatibility (EMC):

A1:2011
Part 6-4: Generic standards; Emission standard for industrial envi-
ronments
EN 60204-1:2006/ Safety of machinery:

A1:2009
Electrical equipment of machines - Part 1: General requirements


Installation
5 Installation
The option package can either be installed on the robot controller via the
smartHMI or via WorkVisual.
5.1 System requirements
Hardware
Robot controller:
• KR C4
OR
• KR C4 compact
Without Ethernet safety interface, only X11 is available as safety inter-
face for the KR C4 compact:
‒ No switchable spaces and tools with X11 (only static safety moni-
toring possible)
‒ Safety interface X42 essential for connecting the reference switch
Software
Robot controller:
• KUKA System Software 8.6

• If the Ethernet safety interface EtherNet IP/CIP Safety is used:
‒ KUKA.EtherNet/IP M/S 4.1
• If the Ethernet safety interface PROFINET/PROFIsafe is used:
‒ KUKA.PROFINET M/S 5.0
Laptop/PC:
• WorkVisual 6.0
Compatibility
KUKA.SafeOperation 3.5 must not be installed on a robot controller to-

gether with other safety options:
• KUKA.SafeRangeMonitoring 3.5
• KUKA.SafeSingleBrake 3.5
5.2 Installation via WorkVisual
5.2.1 Installing or updating KUKA.SafeOperation 3.5
Description
The option package is installed in WorkVisual and added to the project.

During project deployment, the option package is automatically installed
on the robot controller.
In the case of an update, the existing configuration is automatically
adopted. If this is not desired, the existing version must first be uninstal-
led.

Installation KUKA.SafeOperation 3.5
It is advisable to archive all relevant data before updating a software

package.
Precondition
• User group “Expert” or higher

• T1 or T2 mode
• No program is selected.
• Network connection between PC and robot controller
• The option package is available as a KOP file.
Procedure
1. Install the KUKA.SafeOperation 3.5 option package in WorkVisual.

2. Load the active project from the robot controller.
3. Insert the KUKA.SafeOperation 3.5 option package into the project.
4. Configure the option package in WorkVisual as required.
(>>> 7.6 "Editing the local safety configuration in WorkVisual"
Page 124)
5. Deploy the project from WorkVisual to the robot controller and activate
it.
6. The request for confirmation Do you want to activate the project […]?
is displayed on the smartHMI. The active project is overwritten during
activation. If no relevant project will be overwritten: Answer the query
with Yes.
7. An overview with the changes and a request for confirmation are dis-
played on the smartHMI. Answer this with Yes.
The option package is installed and the message Reconfiguration in
progress ... is displayed. When the message disappears, reconfigura-
tion is completed.
Information about procedures in WorkVisual is contained in the WorkVi-

sual documentation.
LOG file
A LOG file is created under C:\KRC\ROBOTER\LOG.
5.2.2 Uninstalling KUKA.SafeOperation 3.5
Description
The option package can be uninstalled via WorkVisual.

It is advisable to archive all relevant data before uninstalling a software
package.
Preparation
• Deactivate safe monitoring.

If the safe monitoring is not deactivated on the robot controller, the config-
ured safety monitoring functions will remain active after the software has
been uninstalled.
Safe monitoring can only be deactivated by the user group “Safety main-
tenance” or higher.
(>>> 7.14 "Deactivating safe monitoring" Page 176)

Installation
Precondition
• User group “Expert” or higher

• T1 or T2 mode
• Safe monitoring has been deactivated.
• Network connection between PC and robot controller
Procedure
1. Load the project from the robot controller.

2. Remove the KUKA.SafeOperation 3.5 option package from the project.
A window with modifications is displayed.
3. Deploy the project from WorkVisual to the robot controller and activate
it.
with Yes.
The option package is uninstalled and the message Reconfiguration in
tion is completed.
Information about procedures in WorkVisual is contained in the WorkVi-

sual documentation.
LOG file
5.3 Installation via smartHMI
5.3.1 Installing or updating KUKA.SafeOperation 3.5
It is advisable to archive all relevant data before updating a software

package.
In the case of an update, the existing configuration is automatically

adopted. If this is not desired, the existing version must first be uninstal-
led.
Precondition
• User rights: Function group General configuration

But at least the user group “Expert”
• T1 or T2 mode
• USB stick with the option package (KOP file)
NOTICE
We recommend using a KUKA USB stick. Data may be lost if a stick
from a different manufacturer is used.

Procedure
1. Connect the USB stick to the robot controller or smartPAD.

2. In the main menu, select Start-up > Additional software.
3. Press New software: The entry KUKA.SafeOperation 3.5 must be dis-
played in the Name column and drive E:\ or K:\ in the Path column.
If not, press Refresh.
4. If the specified entries are now displayed, continue with step 5.
Otherwise, the path from which the software is to be installed must be
configured first:
a. Press the Configure button.
b. Select a line in the Installation paths for options area.
Note: If the line already contains a path, this path will be overwrit-
ten.
c. Press Path selection. The available drives are displayed.
d. If the stick is connected to the robot controller: Select E:\.
If the stick is connected to the smartPAD: K:\ instead of E:\
e. Press Save. The Installation paths for options area is displayed
again. It now contains the new path.
f. Mark the line with the new path and press Save again.
5. Activate the check mark at KUKA.SafeOperation 3.5 and press Install.
Confirm the installation query with OK.
with Yes.
tion is completed.
8. Remove the stick.
LOG file
5.3.2 Uninstalling KUKA.SafeOperation 3.5
It is advisable to archive all relevant data before uninstalling a software

package.
Preparation
• Deactivate safe monitoring.

If the safe monitoring is not deactivated on the robot controller, the config-
ured safety monitoring functions will remain active after the software has
been uninstalled.
Safe monitoring can only be deactivated by the user group “Safety main-
tenance” or higher.
(>>> 7.14 "Deactivating safe monitoring" Page 176)
Precondition
• User rights: Function group General configuration

Installation
• T1 or T2 mode
• Safe monitoring has been deactivated.
Procedure
1. In the main menu, select Start-up > Additional software.

2. Activate the check mark at KUKA.SafeOperation 3.5 and press Unin-
stall. Answer the request for confirmation with Yes.
with Yes.
tion is completed.
LOG file


Operation
6 Operation
6.1 User groups
Description
The configuration of the safety functions of the System Software and the
installed safety option is assigned to defined user groups. Access cannot
be influenced via function groups.
The user rights of the safety recovery technician are restricted by the in-
stallation of a safety option.
• Safety recovery technician
The safety recovery technician can activate an existing safety configu-
ration of the robot using the corresponding activation code. He cannot
edit or modify the safety configuration.
• Safety maintenance technician
Like the administrator, the safety maintenance technician can perform
all functions including those of the safety systems. He can edit and
modify the safety configuration.
The safety maintenance technician must be specially trained in the
safety configuration.
• Administrator
Like the safety maintenance technician, the administrator can perform
all functions including those of the safety systems. He can edit and
modify the safety configuration.
The administrator must be specially trained in the safety configuration
if he wishes to edit and modify the safety configuration.
Additionally, in the rights management, the administrator can modify
which rights a user group has.
The safety configuration may only be edited and modified by specially

trained personnel.
We recommend training courses at KUKA College for training personnel.

Information about the training program can be found at www.kuka.com
or can be obtained directly from our subsidiaries.
Passwords
The user groups are protected by means of a password. The default

password for all groups is “kuka”.
Before start-up, the password for each user group must be changed.
The passwords must only be communicated to authorized personnel. In
particular, the change of password must ensure that only authorized and
trained persons can modify the safety configuration.
6.2 Displaying user rights
Description
If tasks belonging to the standard functions of the system software are as-
signed to a function group, this is specified. In the case of tasks that are
not assigned to any function group, the permanently assigned, minimum
required user group is specified.

In the rights management, the user can view what user group is currently
Operation
assigned to what function group, i.e. the minimum user group required to
execute a function from a function group.
Procedure
1. In the main menu, select Start-up > Rights management.

The Rights management window opens.
2. Select the Function groups tab.
6.3 Opening the safety configuration
Description
On opening, the safety configuration checks whether there are any rele-
vant deviations between the data in the robot controller and those in the
safety controller.
• If there are no deviations, the safety configuration opens directly.
• If there are deviations, the troubleshooting wizard is opened. A de-
scription of the problem and a list of possible causes is displayed. The
user can select the applicable cause. The wizard then suggests a sol-
ution.
Further information about checking the safety configuration is contained

in the Operating and Programming Instructions for System Integrators.
Procedure
1. In the main menu, select Configuration > Safety configuration.

2. Only for the “Administrator” user group: Confirm the safety message
with OK.
6.4 Overview of buttons
The following buttons are available:

Button Description
Reset all to defaults Resets all parameters of the safety configuration to the de-
fault values.
Reset changes Resets all changes since the last time the configuration was
saved.
Revision log The log of changes to the safety configuration is displayed.
View The safety-relevant machine data are displayed.
Properties The properties of a monitoring space or safe tool can be de-
fined.
Export Parts of the safety configuration can be exported into an XML
file (XML export).
Import Parts of the safety configuration can be imported as an XML
file (XML export).
Communication parameters The safety ID of the PROFINET device can be changed.
Note: Further information is contained in the Operating and
Programming Instructions for System Integrators.
Global parameters The global parameters of the safety configuration can be de-
fined.

Operation
Button Description
Hardware options The hardware settings can be defined.
Note: Further information is contained in the Operating and
Programming Instructions for System Integrators.
Check machine data It is possible to check whether the machine data of the safety
configuration are up to date.
Safe operational stop The safe operational stop can be defined.
Save Saves and activates the safety configuration for the robot.
Touch-up Saves the current robot position as a corner of a cell area.
OR
Saves the current axis angle as the lower limit or upper limit
of the axis-specific monitoring space.
Touch-up reference position Saves the current robot flange position or the position of the
for group axes of a reference group as a reference position.
Cell configuration The cell area can be defined.
Back Back to the tab
6.5 Displaying information about the safety configuration
Procedure
• In the main menu, select Configuration > Safety configuration.
Description
The Common tab contains the following information:

Parameter Description
Robot Serial number of the robot
Safety controller • Installed safety option version
• Safety controller version (internal)
Parameter data set • Activation code of the safety configuration
• Time stamp of the safety configuration (date and time last
saved)
• Safety configuration version
Machine data Time stamp of the safety-relevant machine data (date and
time last saved)
Brake test State of the brake test
• Deactivated: No axis is tested.

• Activated: One or more axes are tested.

Operation KUKA.SafeOperation 3.5
Current configuration • Name of the safety interface
• State of Cartesian monitoring (= velocity monitoring in T1)
‒ Activated, Deactivated
• State of safe monitoring
‒ Activated, Deactivated
• Number of velocity-monitored axes
• Number of monitoring spaces
• Number of protected spaces
• Number of safe tools
6.6 Displaying hardware options
Description
The configuration of the hardware options can be displayed on the

smartHMI.
Procedure

The Safety configuration window opens.
2. Press Hardware options.
The configuration of the advanced hardware functions can only be modi-

fied via WorkVisual (not via the smartHMI).
6.7 Displaying the revision log
Description
Every modification to the safety configuration and every saving operation

are automatically logged. The log can be displayed on the smartHMI.
Procedure

2. On the Common tab, press Revision log.
6.8 Displaying machine data
Description
The safety-relevant machine data can be displayed on the smartHMI.
Procedure

2. On the Common tab, press View.

Operation
6.9 Importing the safety configuration (XML import)
Description
Parts of the safety configuration can be imported as an XML file. The im-
portable parameters depend on the installed safety option:
SafeOperation SafeRangeMonitoring SafeSingleBrake
Cell configuration
Cartesian monitoring
spaces
Axis-specific monitor-
ing spaces
Tools
Global parameters
In order to generate an XML file for importing, the user has the following
options:
• Export the current safety configuration of the robot controller to an
XML file and edit it. In this way it is possible to ensure that the format
of the XML file is correct for a subsequent import.
(>>> 6.10 "Exporting the safety configuration (XML export)" Page 83)
• Generate the XML file on the basis of the XML schema C:\KRC
\SmartHMI\Schemes\SafetyConfigImport.xsd, e.g. using a script pro-
grammed by the user.
The following points must be observed when editing the XML files:
• The XML schema defines the structure of the XML file for the import.
For individual parameters, the XML schema allows higher values than
the installed version of the safety option.
• The XML file to be imported should only contain parameters and val-
ues which are supported by the current safety option. If this is not the
case, it can prevent the XML import from occurring.
It is also possible to import safety configurations in WorkVisual. Informa-

tion about this can be found in the WorkVisual documentation.
Precondition
• Safety option is installed.

• User group “Safety maintenance” or higher
• T1 or T2 mode
Procedure

2. Press Import. The available drives are displayed.
3. Navigate to the directory where the XML file to be imported is located.
4. Select the XML file and press Next.
The parameters configured in the XML file are compared with the cur-
rent parameters of the safety configuration.
5. If notification, warning or error messages occur, these are displayed in
the Safety configuration window.

To continue with the XML import, press Next.

Operation
The Next button is deactivated in the event of error messages. Ana-

lyze errors and cancel the XML import.
• Rectify the error in the XML file and repeat the XML import.
• OR: Select the correct XML file and repeat the XML import.
6. A tree view provides an overview of the parameters to be imported.
(>>> "Parameter display" Page 82)
By default, only those nodes which contain changes to the current
safety configuration are expanded in the tree view. The parameters
which are changed by the XML import are displayed in blue text.
7. Check the parameters.
If not all of the required safety functions are configured correctly, or if
the wrong XML file was selected, cancel the XML import.
• Rectify the error in the XML file and repeat the XML import.
• OR: Select the correct XML file and repeat the XML import.
8. Press Import. The safety configuration is imported.
9. Save safety configuration.
(>>> 7.5.11 "Saving the safety configuration" Page 124)
10. If plausibility errors are detected while saving, the user is informed of
this by a dialog. Close the dialog with OK.
11. Rectify errors directly in the safety configuration and save the safety
configuration.
OR
Rectify the error in the XML file, repeat the XML import and save the
Following a change to the safety configuration, safety acceptance must

be carried out and documented by means of checklists.
Parameter display
The display with the overview of the parameters to be imported has the
following columns:
Column Description
Parameter name Name of the parameter in the Safety configu-
ration window
Result Value of the parameter following import of the
safety configuration
Current Value of the parameter in the current safety
configuration
Imported Value of the parameter in the XML file to be
imported
The column is hidden when the display opens.
The following buttons are available for changing the display:
Button Description
Display import col- Displays or hides the Imported column.
umn
Check box active: Column is displayed.
Check box not active: Column is hidden.
Collapse all All nodes in the tree view are collapsed.
Expand all All nodes in the tree view are expanded.

Operation
Button Description
Expand changes Only those nodes which contain changes to the
current safety configuration are expanded in
the tree view.
6.10 Exporting the safety configuration (XML export)
Description
Parts of the safety configuration can be exported into an XML file:

• Cell configuration
• Monitoring spaces
• Tools
• Global parameters
The XML file always contains all the parameters which are contained in
the exported parts of the safety configuration.
Exporting is always possible, irrespective of whether a safety option is in-
stalled or not. However, an export only makes sense if a safety option is
installed.
The current safety configuration of the robot controller is exported. If the
safety configuration contains unsaved changes, these are also exported.
If invalid values are entered in the safety configuration, the export is abor-
ted with an error message (plausibility error).
It is also possible to export safety configurations in WorkVisual. Informa-
tion about this can be found in the WorkVisual documentation.
Procedure

2. Press Export. The available drives are displayed.
3. Select the desired file path and press Export.
The safety configuration is saved in an XML file. The file name is gen-
erated automatically.
6.11 Safe robot retraction in case of space violation
Description
If the robot has violated a monitoring space, it is stopped by the safety

controller (precondition: function Stop at boundaries is active). The robot
must be moved out of the violated space in T1 mode.
After a “Stop at boundaries”, the robot can only be moved in T1 mode.
No other operating mode can be set until the robot has left the violated
space.
If the space is violated in T2 or Automatic mode, only a status message

is displayed. The status message indicates which space has been viola-
ted.
If the space is violated in T1 mode, the acknowledgement message Ackn.:
Stop because workspace exceeded is additionally displayed.

Operation KUKA.SafeOperation 3.5
Precondition
• Operating mode T1
Procedure
1. When the acknowledgement message is displayed, confirm it with OK.

2. Press and hold down the enabling switch.
3. Move the robot out of the violated space:
• Using the jog keys (manual mode)
• Using the Start and Start backwards keys (program mode)
The status message is cleared when the robot has left the violated space.

Start-up and configuration

7 Start-up and configuration
7.1 System safety instructions
During system planning, the safety functions must be planned. Required

safety functions that are not implemented with the SafeOperation safety
option must be implemented using different safety measures.
The stopping distance when a monitoring function is triggered varies ac-

cording to the specific robot type. This aspect must be taken into ac-
count by the system integrator during parameterization of the monitoring
functions as part of the safety assessment.
Further information about the stopping distances and stopping times can
be found in the assembly or operating instructions of the relevant robot.
WARNING
Serious system errors, severe damage to the robot and injury or death
can result from not carrying out the risk analysis. Risk analysis must be
carried out before start-up and after any safety-relevant modification.
• Define axes that must be tested in the brake test.
• Determine brake test cycle time.
• Determine axis-specific and Cartesian limit values for the reduced
velocity.
• Define axis-specific and Cartesian monitoring spaces.
• Define axes that must be configured for a safe operational stop.
WARNING
Incorrect configuration of the safe monitoring functions may result in
death or severe injuries and major damage to property. Consequently,
safety options may not be operated until after safety acceptance has
been carried out in accordance with the checklists.
The checklists must be completed fully and confirmed in writing.
(>>> 11.1 "Checklists" Page 249)
WARNING
If safe monitoring is deactivated, the configured safety monitoring func-
tions are inactive.
WARNING
Serious injury and severe damage to the robot can be caused by
changing the machine data. Modifying the machine data may deactivate
monitoring functions. Machine data may only be modified by authorized
personnel.
7.2 Jogging the robot without a higher-level safety controller
Description
To jog the robot without a higher-level safety controller, Start-up mode

must first be activated. The robot can then be jogged in T1 mode.
Start-up mode has the following effect on the safety configuration:
• Tool 1 is always active in Start-up mode.

Start-up and configuration KUKA.SafeOperation 3.5
• In Start-up mode, all safety monitoring functions that can be activated

via safe inputs are deactivated.
(>>> 8.1.1 "SafeOperation via Ethernet safety interface" Page 181)
• The following safety monitoring functions remain active in Start-up
mode:
‒ Monitoring of the cell area
‒ Monitoring of global maximum Cartesian velocity
‒ Monitoring of global maximum axis velocity
‒ Workspace monitoring functions that are configured as always ac-
tive
‒ Monitoring of the workspace-specific velocity in workspaces that
are configured as always active
‒ Velocity monitoring in T1
DANGER
External safeguards are disabled in Start-up mode. Observe the safety
instructions relating to Start-up mode.
(>>> 4.8.4.2 "Start-up mode" Page 62)
Precondition
• User rights: Function group Start-up mode

• If an Ethernet safety interface is used: No connection to a higher-level
safety controller
• T1 mode
Procedure
• In the main menu, select Start-up > Service > Start-up mode.
Menu Description
Start-up mode is active. Touching
the menu item deactivates the
mode.
Start-up mode is not active. Touch-
ing the menu item activates the
mode.
7.3 Overview: Start-up and configuration
Step Description
1 Set up brake test.
(>>> 7.8 "Brake test" Page 139)
2 If required: activate the following hardware options in Work-
Visual:
• SBC at safe output X22

• SHS1 at safe output X25
(>>> 7.6 "Editing the local safety configuration in WorkVisu-
al" Page 124)


Step Description
3 If a reference switch is being used for the mastering test:
1. Select reference position.

(>>> 7.7.1.3 "Selecting a reference position" Page 129)
2. Install reference switch and actuating plate.
(>>> 7.7.1.4 "Installing the reference switch and actuat-
ing plate" Page 130)
3. Connect reference switch.
(>>> 7.7.1.5 "Connecting the reference switch"
Page 131)
4 If a safety PLC is being used:
• Configure the communication via the interface to the

higher-level controller.
(>>> 8 "Interfaces to the higher-level controller" Page 177)
5 Master the robot.
Note: Further information about mastering is contained in
the operating and programming instructions for the System
Software.
6 Activate safe monitoring.
(>>> 7.5.1 "Activating safe monitoring" Page 93)
7 Configure global parameters:
• Mastering type
• Mastering test input
• Cartesian velocity monitoring functions
(>>> 7.5.2 "Configuring global parameters" Page 93)
8 Configure monitoring spaces.
(>>> 7.5.3 "Configuring a cell area" Page 97)
(>>> 7.5.4 "Configuring a Cartesian space" Page 99)
(>>> 7.5.5 "Configuring an axis space" Page 103)
9 Configure axis monitoring.
(>>> 7.5.6 "Configuring axis monitoring functions"
Page 108)
(>>> 7.5.7 "Configuring safe operational stop for axis
groups" Page 114)
10 Configure safe tools.
(>>> 7.5.8 "Configuring a safe tool" Page 116)
• Program a mastering test.

(>>> 7.7.1.7 "Teaching positions for the mastering test"
Page 133)

Step Description
• Configure the reference position and reference groups.

(>>> 7.5.10 "Configuring the reference position and refer-
ence group" Page 121)
(>>> 7.7.1.6 "Configuring the reference groups to be
checked in file" Page 132)
13 If a reference switch is being used for the mastering test
and the reference switch is actuated by a ferromagnetic
part of the tool, or following a tool change:
• Check the accuracy of the reference position.

(>>> 7.7.1.8 "Checking the reference position (actuation
with tool)" Page 135)
14 Save safety configuration.
(>>> 7.5.11 "Saving the safety configuration" Page 124)
15 Perform mastering test.
(>>> 7.7.1.9 "Performing a mastering test manually"
Page 136)
16 Carry out safety acceptance.
(>>> 7.10 "Safety acceptance overview" Page 166)
(>>> 7.11 "Checking that the safety functions are function-
ing correctly" Page 167)
(>>> 7.12 "Checking the values for the safe axis monitoring
functions" Page 174)
17 Archive safety configuration.
Note: Further information about archiving is contained in
the operating and programming instructions for the System
Software.
18 If a new safety configuration is activated:
• Compare the activation code displayed when the safety

configuration is archived with the activation code docu-
mented in the checklist for safety functions.
(>>> 7.13 "Activating the safety configuration" Page 175)
7.4 Information about the safety configuration
WARNING
Minimum sphere radius
The sphere radius must not fall below the predefined minimum value. This
radius is dependent on the global maximum Cartesian velocity.

The minimum sphere radius is calculated as follows:

• rmin [mm] >= 0.5 * (maximum Cartesian velocity [mm/s] * 0.012 s)
The smallest possible radius is 10 mm. A radius smaller than 10 mm can-
not be configured, even if the calculation gives a smaller value.
If values that are too small are configured, a message is displayed when
saving and the configuration is prevented from being saved.
Minimum protected space dimensions
The length, width and height of a protected space must not fall below the
predefined minimum value. This value depends on the global maximum
Cartesian velocity and the radius of the smallest sphere of the safe tool.
The minimum space dimensions (= minimum length, width and height) are
calculated as follows:
• amin [mm] ≥ 0.018 s * maximum Cartesian velocity [mm/s] − 2 *
rsphere [mm]
A precondition for a correct result is that the sphere radius has been con-
figured correctly. (>>> "Minimum sphere radius" Page 88)
The smallest permissible length, width and height is 10 mm. Values small-
er than 10 mm cannot be configured, even if the calculation gives a small-
er value.
If values that are too small are configured, a message is displayed when
saving and the configuration is prevented from being saved.
7.4.1 Safe definition of Cartesian protected spaces
Here, different constellations are covered which can cause a protected

space violation to not be detected:
• Narrow protected spaces
• Motion across corners
Narrow protected spaces
With narrow protected spaces, there is a risk that the robot may be able
to move through the protected space without the space violation being de-
tected. The risk is partially reduced by the specified minimum value for
the sphere radius and space dimensions.
To further reduce the risk, the following rules must be observed in the
configuration of protected spaces:
• An area to be protected must always lie completely within a protected
space, i.e. be enclosed by the protected space.
• Shielding an area to be protected using a narrow protected space
(e.g. by replicating a light curtain) is not permitted.
• The stopping distances of the robot must also be taken into account
when defining a protected space. The protected space must overlap
with the area to be protected on all sides so that the robot can under
no circumstances enter the area to be protected.

Fig. 7-1: Definition of protected space
1 Area to be protected
2 Protected space shields the area to be protected (not allowed)
3 Protected space encloses the entire area to be protected
Motion across corners
If a sphere is moved across the corner of a protected space at a high ve-

locity, there is a risk of the space violation not being detected.
To ensure that a signal is always reliably triggered on violation of an
alarm space, this space must be made large enough to ensure that its full
width, length or height is passed through.
Fig. 7-2: Protected space as an alarm space
1 Target area
2 Sphere moves across corner of protected space (signal not trig-
gered)
3 Protected space is passed through completely (signal reliably trig-
gered)


7.4.2 Safe definition of Cartesian protected spaces for BBRA
Description
When the “Braking before restricted areas” function is used, it must addi-
tionally be taken into account that it is only the start and end points of the
fictitious braking path that are checked and not the entire fictitious braking
path. In the event of an unfavorable combination of protected space con-
figuration and path, this can cause the protected space to be violated by
the actual position without prior detection of an impending violation via the
fictitious STOP 1 - DRS end position.
Example
Fig. 7-3: Unfavorable combination of protected space configuration

and path
1 Protected space
2 Tool sphere path at actual position (orange)
3 Tool sphere path at fictitious STOP 1 - DRS end position (blue)
4 Drive ramp stop at space limit; braking path passes through pro-
tected space (green line)
The impending space violation cannot be detected because the fictitious
STOP 1 - DRS end position is situated outside the protected space. The
robot is stopped at the space limit due to the monitoring of the actual po-
sition and executes a drive ramp stop in accordance with the precalcula-
ted path. The braking path passes through the protected space and the
robot comes to a standstill again outside the protected space.

7.4.3 Unexpected protected space violation at space corners
At the corners of a Cartesian protected space, unexpected space viola-

tions can occur even though the tool sphere is clearly outside the space
boundary.
The following figure depicts the closest path along which a tool sphere
can theoretically move about a Cartesian protected space. It can be
moved along this closest path and reoriented without violating the protec-
ted space.
Fig. 7-4: Path of a tool sphere along the space surface
1 Protected space 3 Tool spheres reoriented

2 Tool spheres
The monitoring responds earlier than expected at the corners because of
the virtually expanded space boundaries. Depending on the radius of the
tool sphere, the protected space is expanded virtually on all sides (X, Y,
Z) by precisely this radius.
As long as the tool sphere infringes the expanded space boundaries in
only one direction, the protected space is not violated. If, however, the ex-
panded protected space is infringed in 2 planes simultaneously, this is
evaluated as a space violation.


Fig. 7-5: Protected space violation at space corners
1 Protected space
2 Protected space expanded by the radius of the tool sphere
3 Space violation in the X direction
4 Space violation in the Y direction
In the figure, a simplified depiction is used. Only the space expansion in
the directions X and Y is shown.
7.5 Configuring safety monitoring functions
7.5.1 Activating safe monitoring
Configuration of the safety monitoring functions is only possible if safe

monitoring has been activated.
Precondition
• User group Safety Maintenance Technician or higher

• T1 or T2 mode
Procedure
1. Open the safety configuration.

2. Press Global parameters.
3. Set the check mark at Safe monitoring.
4. Save the safety configuration or continue configuration.
7.5.2 Configuring global parameters
Precondition

• T1 or T2 mode

• Safety configuration is open.

• Safe monitoring is active.
Procedure
• Press Global parameters and set parameters.

1. If the mastering test is to be performed via an external system, se-
lect the mastering type External confirmation.
2. A safety notification is displayed. Confirm with OK.
The external mastering confirmation is activated and the Refer-
ence position tab is deactivated.
Once the external mastering confirmation has been activated, responsi-

bility for confirmation of the mastering lies outside the robot controller.
The safety maintenance technician must ensure that the mastering test
on the external system is correctly executed and confirmed.
Parameters
Fig. 7-6: Global parameters


Safe monitoring Check box active: Safe monitoring is activated.
Check box not active: Safe monitoring is not
activated.
Default: Safe monitoring not activated.
Mastering type Reference switch = mastering test is carried
out via KUKA reference switch.
External confirmation = mastering test is per-
formed via external system and with external
mastering confirmation.
Default: Reference switch
Mastering test input Mastering type Reference switch:
at cabinet = reference switch is connected via
interface X42.
via bus interface = reference switch is con-
nected via Ethernet safety interface.
Default: at cabinet
Mastering type External confirmation:
at cabinet = mastering is confirmed via inter-
face X42.
via bus interface = mastering is confirmed via
Ethernet safety interface.
Default: at cabinet
Maximum Cartesian Limit value for global maximum Cartesian ve-
velocity locity (not space-dependent)
• 0.5 … 30,000 mm/s

Default: 10,000 mm/s
Reduced Cartesian Limit value for safely reduced Cartesian veloci-
velocity ty
• 0.5 … 30,000 mm/s

Reduced Cartesian Limit value for safely reduced Cartesian veloci-
velocity T1 ty in T1 mode
• 0.5 … 250 mm/s

Default: 250 mm/s
Cartesian monitoring This parameter is always present, irrespective
of whether a safety option is used or not.
Default: active
(>>> 7.5.2.1 "Switching safe Cartesian monitor-
ing on/off" Page 96)

7.5.2.1 Switching safe Cartesian monitoring on/off

The Cartesian monitoring: check box refers to all Cartesian safety

functions, including safe Cartesian monitoring in T1 mode. The check
box is always present, irrespective of whether a safety option is used or
not.
There is always a basic, non-safe limitation of the speed in T1 mode to
<= 250 mm/s as well as a safe monitoring of the axis-specific speed.
They are not influenced by the setting Cartesian monitoring:.
Description
Safe Cartesian monitoring refers to both KUKA kinematic systems as well

as customer kinematic systems (CKs).
As a rule, the settings for safe Cartesian monitoring must not be changed
on the controller. The reason is that WorkVisual projects almost always
have only one possible setting: either active or inactive. They can only be
transferred to the robot controller if the setting is correct.
The setting for safe Cartesian monitoring can, however, be changed on
the robot controller in the following cases:
• If simulated axes are used, active monitoring can be deactivated.
This is the only case in which the user can decide whether to operate
the kinematic system with or without monitoring.
• If the robot controller indicates via a message that monitoring is not
possible.
If simulated axes are used and monitoring is active in WorkVisual, it
can only first be determined during the test on the robot controller
whether the kinematic system can be moved. (It is not possible to de-
termine this before in WorkVisual.) If the kinematic system cannot be
moved, a message is generated which indicates that Cartesian moni-
toring is not possible.
WARNING
To operate a kinematic system for which safe Cartesian monitoring is
not possible, this monitoring can be deactivated. Before deactivation, a
risk assessment must be carried out. Failure to carry this out may result
in death to persons or severe injuries.
Precondition

• T1 or T2 mode
Procedure

2. On the Common tab, press Global parameters.
3. Remove the check mark at Cartesian monitoring: and press Save.
4. Answer the request for confirmation with Yes. The controller is recon-
figured.
5. Once the reconfiguration has been completed, the following message
is displayed: The changes were saved successfully.
Confirm the message with OK.


7.5.3 Configuring a cell area
Precondition

• T1 or T2 mode
Procedure
1. Select the Monitoring spaces tab and press Cell configuration.

The Cell configuration window opens.
2. Enter the upper and lower bounds of the cell area.
3. Select a corner from the list.
The parameters of the corner are displayed.
4. Activate the corner of the cell area if necessary. Set the check mark
for the corner to do so.
Corners 1 to 4 are activated as standard.
5. Move the robot to one corner of the cell area.

6. Press Touch-up. The X and Y coordinates of the corner are saved.
The taught point refers to $WORLD and the tool $TOOL that is be-
ing used.
7. Repeat steps 3 to 6 to define further corners.

There must be at least 3 corners activated.

Parameters
Fig. 7-7: Cell area configuration
Reference system Reference coordinate system
• $WORLD
Z min Lower limit of the cell area
• -100,000 mm … +100,000 mm
Default: -30,000 mm
Z max Upper limit of the cell area
• -100,000 mm … +100,000 mm
Default: 30,000 mm


Activated Check box active: Corner of cell area is activa-
ted.
(corner)
Check box not active: Corner of cell area is not
activated.
Default corner 1 to 4: Activated
Default corner 5 to 10: Not activated
X, Y X, Y coordinate of corner 1 to 10 relative to the
WORLD coordinate system
(corner)
• -100,000 mm … +100,000 mm
Default corner 1 or 4: +100,000 mm
Default corner 2 or 3: -100,000 mm
Default corner 5 to 10: 0 mm
7.5.4 Configuring a Cartesian space
Precondition

• T1 or T2 mode
Procedure
1. Select the Monitoring spaces tab and select the monitoring space
from the list.
The parameters of the monitoring space are displayed.
2. Enter the name of the monitoring space (max. 24 characters).
3. Select the space type Cartesian space and set the parameters of the
monitoring space.
4. Press Properties.
The Cartesian properties of {0} window is opened.
5. Select the reference coordinate system and enter Cartesian positions.
Parameters
Fig. 7-8: Cartesian space

Type Type of monitoring space
Workspace = The safe tool must move within
the configured limits of the monitoring space.
(Space violation if the safe tool leaves the
monitoring space.)
Protected space = The safe tool must move
outside the configured limits of the monitoring
space. (Space violation if the safe tool enters
the monitoring space.)
Default: Workspace
Activation Activation of monitoring space
always off = monitoring space is not active.
always active = monitoring space is always
active.
by input = monitoring space is activated by a
safe input.
If interface X13 is used, safe inputs are only
available for monitoring spaces 12 … 16.
(>>> 8.2 "SafeOperation via interface X13"
Page 189)
Default: always off
Space type Type of monitoring space
Cartesian space = Cartesian monitoring space
Axis space = axis-specific monitoring space
Default: Cartesian space
Stop at boundaries A stop is triggered if the space is violated.
Check box active: Robot stops if the monitoring
space limits are exceeded.
Check box not active: Robot does not stop if
the monitoring space limits are exceeded.
Default: Robot stops at boundaries.
V max Limit value of the space-specific velocity
• 0.5 … 30,000 mm/s

Vmax valid if Validity of the space-specific velocity
not used = space-specific velocity is not moni-
tored.
Space not violated = space-specific velocity is
monitored if the monitoring space is not viola-
ted.
Space violated = space-specific velocity is
monitored if the monitoring space is violated.
Default: not used


Stop if mastering test Activation of reference stop
not yet done
Check box active: Reference stop is activated
for the monitoring space.
Check box not active: Reference stop is not
activated for the monitoring space.
Default: Reference stop activated.
Properties
Fig. 7-9: Cartesian properties

Reference system Reference coordinate system
• $WORLD
• $ROBROOT
Default: $WORLD
Space dimensions Length, width and height of the monitoring space (display on-
ly)
The length, width and height of a protected space must not
fall below the predefined minimum value. This value depends
on the global maximum Cartesian velocity and the radius of
the smallest sphere of the safe tool.
(>>> "Minimum protected space dimensions" Page 89)
Origin X, Y, Z Offset of the origin of the Cartesian monitoring space in X, Y
and Z relative to the selected reference coordinate system.
• -100,000 mm … +100,000 mm
Default: 0 mm
Origin A, B, C Orientation in A, B and C at the origin of the Cartesian moni-
toring space relative to the selected reference coordinate sys-
tem.
Origin A, C:
• -180° … +180°
Origin B:
• -90° … +90°
Default: 0°
Distance to origin Minimum X, Y and Z coordinates of the Cartesian monitoring
space relative to the origin
XMin, YMin, ZMin
• -100,000 mm … +100,000 mm
Default: 0 mm
Distance to origin Maximum X, Y and Z coordinates of the Cartesian monitoring
space relative to the origin
XMax, YMax, ZMax
• -100,000 mm … +100,000 mm
Default: 0 mm
Example
The example shows a Cartesian monitoring space whose origin is offset in

the X, Y and Z directions (yellow arrow) relative to the $ROBROOT sys-
tem. The orientation A, B, C at the origin of the Cartesian monitoring
space is identical to the orientation at the origin of $ROBROOT.


Fig. 7-10: Example of a Cartesian monitoring space
7.5.5 Configuring an axis space
Precondition

• T1 or T2 mode
Procedure
1. Select the Monitoring spaces tab and select the monitoring space
from the list.
The parameters of the monitoring space are displayed.
2. Enter the name of the monitoring space (max. 24 characters).
3. Select the space type Axis space and set the parameters of the mon-
itoring space.
The Axis-specific properties of {0} window opens.
5. Select axis from the list.
The axis-specific properties are displayed.
6. Activate the monitoring of axis limits by setting the check mark at
Monitoring.
7. Move the axis to the upper axis limit in axis-specific mode.
8. Press Touch-up to save the current axis position.
9. Move the axis to the lower axis limit in axis-specific mode.
10. Press Touch-up to save the current axis position.
11. Repeat steps 5 to 10 to define the axis limits for additional axis rang-
es.


ing space.
Parameters
Fig. 7-11: Axis space
Type Type of monitoring space
working space = The axes must move within
the configured limits of the monitoring space.
(Space violation if the axes leave the monitor-
ing space.)
protected space = The axes must move out-
side the configured limits of the monitoring
space. (Space violation if the axes enter the
monitoring space.)
Default: Workspace
Activation Activation of monitoring space
always off = monitoring space is not active.
always active = monitoring space is always
active.
by input = monitoring space is activated by a
safe input.
If interface X13 is used, safe inputs are only
available for monitoring spaces 12 … 16.
(>>> 8.2 "SafeOperation via interface X13"
Page 189)
Default: always off
Space type Type of monitoring space
Cartesian space = Cartesian monitoring space
Axis space = axis-specific monitoring space
Default: Cartesian space
Stop at boundaries A stop is triggered if the space is violated.
Check box active: Robot stops if the monitoring
space limits are exceeded.
Check box not active: Robot does not stop if
the monitoring space limits are exceeded.
Default: Robot stops at boundaries.


V max Limit value of the space-specific velocity
• 0.5 … 30,000 mm/s

Vmax valid if Validity of the space-specific velocity
not used = space-specific velocity is not moni-
tored.
Space not violated = space-specific velocity is
monitored if the monitoring space is not viola-
ted.
Space violated = space-specific velocity is
monitored if the monitoring space is violated.
Default: not used
Stop if mastering test Activation of reference stop
not yet done
Check box active: Reference stop is activated
for the monitoring space.
Check box not active: Reference stop is not
activated for the monitoring space.
Default: Reference stop activated.

Properties
Fig. 7-12: Axis-specific properties


Monitoring Activation of monitoring
Check box active: Monitoring is activated.
Check box not active: Monitoring is not activated.
Default: Monitoring is not activated.
Lower limit Lower limit of the axis-specific monitoring space
(lower axis limit) • Rotational axes: -360° … +360°
Default: -360°
• Linear axes: -30,000 mm … +30,000 mm
Default: -30,000 mm
The lower limit of an axis-specific workspace must be at least
0.5° or 1.5 mm less than the upper limit.
The axis-specific protected space is dependent on the maxi-
mum axis velocity. The minimum size for the axis-specific pro-
tected space is equal to the distance that the relevant axis
can travel at maximum axis velocity in an interval of 18 ms. If
this minimum value is violated, a message is displayed.
Current position Axis-specific actual position (display only)
• Red: axis position not allowed, as monitoring space is vio-

lated
• Green: axis position allowed
Upper limit Upper limit of the axis-specific monitoring space
(upper axis limit) • Rotational axes: -360° … +360°
Default: 360°
• Linear axes: -30,000 mm … +30,000 mm
Default: 30,000 mm
The upper limit of an axis-specific workspace must be at least
0.5° or 1.5 mm greater than the lower limit.
The axis-specific protected space is dependent on the maxi-
mum axis velocity. The minimum size for the axis-specific pro-
tected space is equal to the distance that the relevant axis
can travel at maximum axis velocity in an interval of 18 ms. If
this minimum value is violated, a message is displayed.
Icons
Icon Description
Icon for rotational and infinitely rotating axes
Icon for linear axes
Icon for simulated axes

Icon for decouplable axes

7.5.6 Configuring axis monitoring functions
Description
Monitoring of the braking time and the maximum axis velocity in T1 is part
of the standard safety configuration and always active. The parameters
can also be modified if safe monitoring is deactivated.
Precondition

• T1 or T2 mode
• To modify option-specific monitoring functions: Safe monitoring is ac-
tive.
Procedure
1. Select the Axis monitoring tab.

2. Edit the parameters of the standard safety configuration as required.
3. If necessary, activate monitoring of the safely reduced axis velocity for
one axis. To do so, select the desired axis and set the check mark at
Monitoring.
4. Change the limit value for the safely reduced axis velocity if necessa-
ry.
5. Modify the maximum velocity for rotational axes and linear axes (valid
globally for every axis).


Parameters
Fig. 7-13: Axis monitoring
Monitoring Activation of monitoring
Check box active: axis is monitored.
Check box not active: axis is not monitored.
Default: axis is not monitored.
Braking time Duration of the axis-specific braking ramp monitoring for safe-
ty stop 1 and safety stop 2
• 500 … 15,000 ms
Default: 1,500 ms
(>>> 7.5.6.1 "Parameter: Braking time" Page 111)

Maximum velocity T1 Maximum axis velocity in T1
• Rotational axes: 1.0 … 100.00°/s

Default: 30°/s
• Linear axes: 1.0 … 1,500 mm/s
Default: 250 mm/s
This parameter enables a servo gun, for example, to be cali-
brated in T1 with a higher velocity than 250 mm/s.
Note: The Cartesian velocities at the flange and at the TCP
are monitored independently of this parameter and cannot ex-
ceed 250 mm/s.
(>>> 7.5.6.2 "Parameter: Maximum velocity T1" Page 113)
Reduced velocity Limit value for safely reduced axis velocity
• Rotational axes: 0.5 … 5,000 °/s

Default: 5,000°/s
• Linear axes: 1.5 … 10,000 mm/s
Maximum velocity rotational Limit value for global maximum velocity for rotational axes
axis
• 0.5 … 5,000 °/s
Default: 1,000°/s
The axis-specific protected space is dependent on the global
maximum axis velocity. A defined minimum size for the axis-
specific protected space is derived from the global maximum
axis velocity; the size must not fall below this value. If this
minimum value is violated, a message is displayed.
Maximum velocity translation- Limit value for global maximum velocity for translational axes
al axis
• 0.5 … 30,000 mm/s
Default: 5,000 mm/s
The axis-specific protected space is dependent on the global
maximum axis velocity. A defined minimum size for the axis-
specific protected space is derived from the global maximum
axis velocity; the size must not fall below this value. If this
minimum value is violated, a message is displayed.
Icons
Icon Description


7.5.6.1 Parameter: Braking time

Description
If a safety stop 1 or 2 occurs, the safety controller monitors the braking

process. Among other things, it monitors whether the axis-specific velocity
remains below its monitoring ramp. If the velocity is too high, i.e. if the
ramp is violated, then the safety controller triggers a safety stop 0.
The ramp monitored in T1 mode cannot be changed and applies for the
braking process from the configured maximum T1 velocity of the respec-
tive axis down to standstill.
The monitoring ramp valid in the other operating modes can be adapted
using the Braking time parameter.
The parameter Braking time modifies the monitoring ramp. It does not
modify the actual time required by the kinematic system for braking.
The safety controller also monitors the braking ramp for axes which are
configured as couplable or grouped together in coupling groups. To be
able to alter the configured braking time for this monitoring function, the
coupling must be temporarily canceled.
The coupling of the axes can be canceled and set again in WorkVisual.
Information about this can be found in the WorkVisual documentation.
WARNING
Only increase the default time if it is necessary to do so. This might be
required, for example, in the case of very heavy machines and/or very
heavy loads, as these cannot stop within the default time.
The safety maintenance technician must check whether and to what ex-
tent the Braking time value needs to be modified in each specific appli-
cation. He must also check whether the modification makes additional
safety measures necessary, e.g. installation of a gate lock.
The monitoring ramp (for all modes apart from T1) is determined as fol-
lows:
• The ramp starts at 106% of the rated speed of the axis. This value re-
mains constant for the first 300 ms.
• Similarly, a constant value of 10.6% of the rated speed of the axis ap-
plies for the last 300 ms of the configured braking time.
• Over the intervening time, the permissible velocity is reduced linearly
from 106% to 10.6% of the rated speed of the axis.
• Allowance for the brake closing time for safety stop 1:
200 ms before the configured braking time elapses, the brake is com-
manded to close (SBC) and the drives enable signal (AF) is canceled.
• In the event of a safety stop 2, the standstill monitoring is activated af-
ter completion of the braking process, but no later than after the con-
figured braking time.

Fig. 7-14: Monitoring ramp for safety stop 1
1 Velocity profile during braking (example)

2 Monitoring ramp for braking time TBT
3 Brake closing time TBCT is taken into account within the moni-
toring ramp
n Percentage of the rated speed of the axis

t (s) Time (in seconds)
T0 The moment when safety stop 1 or 2 is initiated
TBT Braking time
Default value of Braking time parameter: 1.5 s
TBCT Brake closing time: 0.2 s
Signals:
FF Motion enable
AF Drives enable
SBC Safe Brake Control
STO Safe Torque Off
Limitations
Braking time can be configured separately for each axis. At the moment
of braking, however, the value used for all axes is always the highest val-
ue entered.
Recommendation: for greater transparency, enter the same value for all
axes.


Value increased
If the value Braking time is increased, this has the following conse-
quences:
The monitoring ramp becomes longer and flatter, i.e. monitoring is now
less strict. It is now less likely that the braking process will violate the
ramp.
Fig. 7-15: Example: value is increased
1 Velocity profile during braking (example)

2 Monitoring (lower Braking time value)
3 Monitoring (higher Braking time value)
Value reduced
If the value “Braking time” is reduced, this has the following effect:
The monitoring ramp becomes shorter and steeper, i.e. monitoring is now
stricter. There is now a higher probability that a braking process will vio-
late the ramp.
7.5.6.2 Parameter: Maximum velocity T1
Description
The safety controller monitors whether the maximum velocity in T1 re-

mains below the configured values even for axes which are configured as
couplable or grouped together in coupling groups. To be able to alter the
configured values for these axes, the coupling must be temporarily can-
celed.
WARNING
Only alter the default value of Maximum velocity T1 if it is necessary
to do so. This can be the case, for example, when positioning welding
guns if these are to be moved at process velocity in T1 mode.
The safety maintenance technician must check whether and to what ex-
tent the value needs to be modified in each specific application. He
must also check whether the modification makes additional safety meas-
ures necessary, e.g. installation of a gate lock.

WARNING
Following modifications to the Maximum velocity T1 parameter, the
new value must be checked. The new value must also be checked if it
is smaller than the previous value.
(>>> 7.11.2 "Testing axis-specific velocity limits" Page 168)
7.5.7 Configuring safe operational stop for axis groups
Description
The safety controller monitors whether the position tolerance is observed

in the event of a safe operational stop even for axes which are configured
as couplable or grouped together in coupling groups.
Preparation
• To be able to alter the configured values for these axes, the coupling
must be temporarily canceled.
Precondition

• T1 or T2 mode
Procedure
1. Select the Axis monitoring tab and press Safe operational stop.
The Safe operational stop window opens.
2. Select axis from the list.
3. Enter the position tolerance for this axis.
The position tolerance configured here also applies to the global
safe operational stop, with which all axes are monitored.
The global safe operational stop is one of the standard safety func-
tions. The position tolerances can also be modified if safe
monitoring is deactivated.
4. Activate one or more axis groups in which the axis is to be monitored

by activating the corresponding check box (set the check mark).
5. Repeat steps 2 to 4 to define further monitoring functions.

slave axes, a maximum of 8 drives can be configured for each axis
group.


Parameters
Fig. 7-16: Safe operational stop
Monitoring in axis groups 1-6 Safe operational stop for axis group 1 … 6
Check box active: Axis is monitored in axis group.
Check box not active: Axis is not monitored in axis group.
Default: No monitoring
Position tolerance Tolerance for standstill monitoring in the case of safe opera-
tional stop. The axis may still move within this tolerance when
a safe operational stop is active.
• Rotational axes: 0.001° … 1°

Default: 0.01°
• Linear axes: 0.003 - 3 mm
Default: 0.1 mm

Icons
Icon Description

7.5.8 Configuring a safe tool
Precondition

• T1 or T2 mode
Procedure
1. Select the Tools tab and select a tool from the list.
The parameters of the safe tool are displayed.
2. Activate safe tool. To do so, set the check mark at Activation.
3. Enter a name for the tool (max. 24 characters).
4. Define the safe TCP of the tool.
The Properties of {0} window opens.
6. Press the “plus” key of the external axis to configure a tool sphere.
The parameters of the sphere are displayed.
7. Monitoring of the first sphere of the first tool to be configured is activa-
ted as standard. Activate monitoring for all other spheres and tools by
setting the check mark at Monitoring.
8. Enter the coordinates of the center of the sphere and the radius of the
sphere.
9. Repeat steps 6 to 8 to define additional spheres for the safe tool.


Parameters
Fig. 7-17: Tool and TCP
Activation Activation of the safe tool
Check box active: Safe tool is activated.
Check box not active: Safe tool is not activa-
ted.
Default tool 1: Activated
Default tool 2 … 16: Not activated
Note: If interface X13 is used, tool 1 is always
active. The tool cannot be activated via a safe
input. An automated, safely monitored tool
change is thus not possible.
TCP X, Y, Z X, Y and Z coordinates of the safe TCP for ve-
locity monitoring
• -10,000 mm … +10,000 mm
Default: 0 mm

Properties
Fig. 7-18: Tool properties
The following buttons are available:

Button Description
Plus key
Adds a tool sphere and displays its parameters.
Delete key
Deletes the selected tool sphere.
Monitoring Check box active: Sphere is monitored.
Check box not active: Sphere is not monitored.
X, Y, Z X, Y and Z coordinates of the sphere center
point relative to the FLANGE coordinate system
• -10,000 mm … +10,000 mm
Default: 0 mm


Radius Radius of the sphere at the safe tool
• 0 … 10,000 mm
Default: 250 mm
The sphere radius must not fall below the pre-
defined minimum value. This radius is depend-
ent on the global maximum Cartesian velocity.
(>>> "Minimum sphere radius" Page 88)
7.5.9 Activating “Braking before restricted areas”
Precondition

• T1 or T2 mode
• The braking ramps of the axes have been verified by KUKA or by the
user / safety maintenance technician.
• If the braking ramps have been verified by the user / safety mainte-
nance technician: The function has been enabled in the machine data
of the kinematic system in WorkVisual.
WARNING
Whether a KUKA kinematic system supports BBRA is stored in the ma-
chine data. If this is the case, the set braking ramps of this kinematic
system have been checked by KUKA and verified as suitable for BBRA.
• For kinematic systems with a variable mounting position, the verifica-
tion applies exclusively to the “Floor” mounting position. The braking
ramps must be verified separately for the use of BBRA in other
mounting positions.
• For kinematic systems with a fixed mounting position, the verification
applies exclusively to the defined mounting position.
The verification refers to motions of the kinematic system without the in-
fluence of a ROBROOT kinematic system, e.g. a linear axis. If the robot
is expanded with a ROBROOT kinematic system, the values are only
valid if no simultaneous motions (robot kinematic system plus ROB-
ROOT kinematic system) are executed. Simultaneous motions may
cause the BBRA braking ramp monitoring to be violated.
Before KUKA kinematic systems are used with BBRA in normal opera-
tion, they should be verified by KUKA.
KUKA cannot verify the braking ramps of third-party kinematic systems,
e.g. linear axes. In order to enable these for BBRA nevertheless, the
user/safety maintenance technician can mark such a kinematic system
as verified in the machine data.
For verification purposes, it is necessary to check whether the axis is
able to execute the ramp indicated in the safety configuration in all an-
ticipated situations. This can also include superposed motions of KUKA
kinematic systems and third-party kinematic systems, for example.
(>>> 7.11.6 "Checking the values for the maximum braking ramp"
Page 171)

Further information about editing the machine data of a kinematic sys-

tem is contained in the WorkVisual documentation.
Procedure
1. Select the Braking before restricted areas tab.

2. Set the check mark next to the Activate braking before restricted
areas check box.
Parameters
Fig. 7-19: Braking before restricted areas
Drive ramp stop group Synchronously braking axes belong to a drive ramp stop
group (display only)
Braking ramp of drive unit Maximum possible braking ramp for an axis (display only)
Activating “Braking before re- Activating the “Braking before restricted areas” function
stricted areas”
Check box active: Function is activated.
Check box not active: Function is not activated.
Default: Function is not activated.


Icons
Icon Description

7.5.10 Configuring the reference position and reference group
Precondition

• T1 or T2 mode
• Mastering type Reference switch is configured.
Procedure
1. Select the tool and base for Cartesian jogging.

2. Select the Reference position tab.
3. If external axes are configured, enter for each external axis the num-
ber of the reference group to which it is to be assigned.
4. Move all axes of reference group 1 to the corresponding reference po-
sition.
5. On the tab, select one of the axes of reference group 1.
6. Press Touch-up reference position for group to accept the refer-
ence position for the axes in reference group 1.
The coordinates of the Cartesian reference position are displayed in
the configuration window.
7. If present, move external axes in reference group 2 to the correspond-
ing reference position and save with Touch-up reference position for
group.
8. If present, move external axes in reference group 3 to the correspond-
ing reference position and save with Touch-up reference position for
group.

Parameters
Fig. 7-20: Reference position


Reference group Each axis that is to be subjected to safe monitoring must be
assigned to a reference group. There are 3 reference groups:
• Reference group 1
Robot axes and external axes on which a robot is instal-
led are always assigned to reference group 1.
Such external axes include KLs, for example, that serve
as a carrier kinematic system for the robot.
• Reference group 2, 3
Only external axes can be assigned to reference groups 2
and 3. There must be no robot installed on them.
Default: 1
Reference position Axis-specific coordinates of the reference position
To monitor the mastering, the axis angles of the robot axes
are defined for a specific Cartesian reference position. During
the mastering test, the robot moves to the Cartesian refer-
ence position and the actual position of the axes is compared
with the setpoint position.
• Rotational axes: -360° … +360°

Default: 45°
• Linear axes: -30,000 mm … +30,000 mm
Default: 1,000 mm
Current position Axis-specific actual position (display only)
• Red: reference position not allowed, as too near master-

ing position
• Green: reference position allowed
Mastering position The axis angles at the mastering position are defined in the
machine data (display only).
Cartesian reference position X, Y and Z coordinates of the Cartesian reference position
X, Y, Z relative to the WORLD coordinate system (display for refer-
ence group 1)
The coordinates of the Cartesian reference position refer to
the center point of the mounting flange.
• -30,000 mm … +30,000 mm
Default: 0 mm
Icons
Icon Description


7.5.11 Saving the safety configuration
WARNING
Serious injury and severe damage to the robot can be caused by an er-
ror during saving or a failed reinitialization. If an error message is dis-
played after saving, the safety configuration must be checked and
saved again.
Precondition

• Safety configuration is completed.
Procedure
1. Click on Save and answer the request for confirmation with Yes.
The safety configuration is saved on the hard drive and the activation
code of the safety configuration is saved to the RDC.
The robot controller is automatically reinitialized.
2. The activation code of the safety configuration is displayed on the
Common tab.
Note the activation code in the checklist for safety functions.
(>>> 11.1.3 "Checklist: Safety functions" Page 250)
7.6 Editing the local safety configuration in WorkVisual
Description
Instead of using the smartHMI, the safety configuration can be created

and edited entirely in WorkVisual. The tabs in WorkVisual are the same
as those on the smartHMI.
The following hardware options can only be activated in WorkVisual (not
via the smartHMI):
• SBC: Safe disconnection of brake voltage for second brake via output
at X22
• SHS1: Safety stop STOP 1 via safe input at X25
Fig. 7-21: Extended hardware options in WorkVisual
Precondition
• The safety option is installed in WorkVisual.


• The project that is to be edited has been loaded and opened.
• The safety option has been added to the project.
Procedure
1. Set the robot controller as the active controller.

2. Select the menu sequence Editors > Safety configuration (local) or
double-click on the Safety controller node in the Hardware view. The
Local safety configuration window is opened.
3. Select the Global parameters area on the Common tab and activate
the check box for Safe monitoring.
4. Edit the local safety configuration as required.
5. If the hardware options SBC or SHS1 are required, select the Hard-
ware options area on the Common tab. Then expand the Extended
hardware options area and activate the check boxes of the required
options.
6. Save and close the local safety configuration.
7.7 Overview of the mastering test
Description
A mastering test checks at a suitable reference position whether the

saved reference position of the motor of an axis corresponds to the actual
mechanical position of the axis.
The procedure used to perform the mastering test can be set in the safety
configuration:
• Mastering test via KUKA reference switch
A reference switch is used for the mastering test. The robot moves to
a taught reference position. The reference position is confirmed using
the reference switch.
• Mastering test via external system and with external mastering confir-
mation
An independent, user-specific referencing system such as a tracker,
navigation system or absolute encoder is used for external mastering
confirmation. The robot moves to a reference position saved in the
higher-level controller. The mastering test must be confirmed via a
safe input signal of the robot controller.
The safety integrity of the safety functions that are based on safe axis
positions is limited until the mastering test has been performed and con-
firmed. The safety functions may behave differently from how they were
configured, creating additional hazards in the system.
It is advisable to perform the mastering test as quickly as possible once
this is requested by the robot controller. In addition, the system integra-
tor must determine, by means of a risk assessment, whether additional
system-specific safety measures must be taken if the mastering test has
not been carried out, e.g. a reference stop.
Request
The following events cause a mastering test to be requested:
• Robot controller is rebooted (internal request)

• Robot is remastered (internal request)
• I/O driver is reconfigured (internal request)

• Only relevant for mastering test via reference switch: Input $MASTER-
INGTEST_REQ_EXT is set externally, e.g. by a PLC (external request)
Monitoring time
The robot controller generates the following message for an internal mas-
tering test request: Mastering test required (internal). The robot can be
moved for another 2 hours (monitoring time) without a mastering test and
mastering confirmation.
Once the monitoring time has elapsed, the robot stops with a safety stop
1 and the robot controller displays the following acknowledgement mes-
sage: Ackn.: Mastering test time interval expired. Once the message has
been acknowledged, the robot can be moved for another 2 hours.
7.7.1 Mastering test via reference switch
Description
In the mastering test, a specific reference position is addressed, and the

reference switch is used to check whether the actual position of the robot
and specific external axes correspond to the reference position taught in
the safety configuration.
Infinitely rotating axes are taken into consideration in the mastering test
with modulo 360°, i.e. the reference position is always relative to the cir-
cle.
If the deviation between the current position and the reference position is
too great, the mastering test has failed. The robot stops with a safety stop
1 and can only be moved in T1 mode.
Axes checked
During a mastering test, the following axes are checked:

• Robot and external axes which are relevant for determining the Carte-
sian position
• External axes which are monitored in axis-specific monitoring spaces
NOTICE
Incorrect mastering of external axes which have not been checked by
the mastering test can lead to personal injury or material damage. Cor-
rect mastering of the external axes which have not been checked must
be ensured by means other than the mastering test.
Reference group
Each axis that is to be subjected to safe monitoring must be assigned to

a reference group. There are 3 reference groups:
• Reference group 1
Robot axes and external axes on which a robot is installed are always
assigned to reference group 1.
Such external axes include KLs, for example, that serve as a carrier
kinematic system for the robot.
• Reference group 2, 3
Only external axes can be assigned to reference groups 2 and 3.
There must be no robot installed on them.
All axes of a reference group are mastered together.


During the mastering test, all axes of a reference group must be in the
reference position in order to actuate the reference switch. If not all the
axes of a reference group are involved in actuating the reference
switch, the position of the axes cannot be checked.
Execution
The mastering test is carried out using the program “masref_main.src”. It

can be started in the following ways:
• Automatic
Integrate “masref_main.src” into the application program in such a way
that it is cyclically called as a subprogram. If a mastering test is re-
quested, the robot detects this and starts the mastering test.
• Manual
For this, start the program “masref_main.src” manually.
Overview
Step Description
1 Select reference position.
(>>> 7.7.1.3 "Selecting a reference position" Page 129)
2 Install reference switch and actuating plate.
(>>> 7.7.1.4 "Installing the reference switch and actuating
plate" Page 130)
3 Connect reference switch.
(>>> 7.7.1.5 "Connecting the reference switch" Page 131)
4 Configure the input signal $MASTERINGT-
EST_REQ_EXT for the external mastering test request.
This signal is declared in the file $machine.dat in the di-
rectory KRC:\ROBOTER\KRC\STEU\MADA and must be
assigned to a suitable input. As standard, the signal is
routed to $IN[1026].
5 In the file “masref_user.dat” and in the safety configura-
tion, configure the reference groups to be checked.
(>>> 7.7.1.6 "Configuring the reference groups to be
checked in file" Page 132)
6 Teach positions for the mastering test in the program
“masref_user.src”.
The reference position must be taught in the program
“masref_user.src” and in the safety configuration.
(>>> 7.7.1.7 "Teaching positions for the mastering test"
Page 133)

Step Description
7 Only if the reference switch is actuated by a ferromagnet-
ic part of the tool or following a tool change:
Check the accuracy of the reference position.
(>>> 7.7.1.8 "Checking the reference position (actuation
with tool)" Page 135)
8 If the mastering test is to be executed automatically:
Integrate “masref_main.src” into the application program
in such a way that it is cyclically called as a subprogram.
9 If the mastering test is to be executed manually:
Start the program “masref_main.src” manually.
(>>> 7.7.1.9 "Performing a mastering test manually"
Page 136)
7.7.1.1 Programs for the mastering test
The following programs are used for the mastering test:

Program Directory Description
masref_main.src R1\System The program checks whether a mastering test is
required and must be executed as soon as possi-
ble after an internal request. If the program is not
executed within 2 hours, the robot stops and the
robot controller generates a message.
If a mastering test is required, the robot performs
it immediately.
The program calls the program “masref_user.src”
that is used to address the reference position.
masref_user.src R1\Program The program contains 3 subprograms for moving
to reference positions 1 to 3 and 3 subprograms
for the motion away from reference positions 1 to
3 after the mastering test has been performed.
If the motion away from the reference position is
not taught, the robot and external axes remain
stationary after the mastering test. The robot con-
troller generates an error message.
7.7.1.2 Variables for the mastering test
Variable Description
$MASTERINGTEST_ACTIVE State of the mastering test
TRUE = mastering test is active.
FALSE = no mastering test is active.
$MASTERINGTEST_GROUP Number of the reference group that is currently in the ref-
erence position
• 0: No reference group in reference position

• 1 - 3: Reference group with this number in reference
position


$MASTERINGTEST_REQ_INT Internal mastering test request from the safety controller
TRUE = mastering test is requested.
FALSE = mastering test is not requested.
$MASTERINGTEST_REQ_EXT Input for the external request for mastering test, e.g. from
the safety PLC
TRUE = mastering test is requested.
FALSE = mastering test is not requested.
Note: This signal is declared in the file $machine.dat in
the directory KRC:\ROBOTER\KRC\STEU\MADA and must
be assigned to a suitable input. As standard, the signal is
routed to $IN[1026].
$MASTERINGTEST_SWITCH_ Check of the function of the reference switch
OK
TRUE = reference switch is OK.
FALSE = reference switch is defective.
7.7.1.3 Selecting a reference position
Description
The reference position can be approached with the actuating plate or with
a ferromagnetic part of the tool as follows:
Fig. 7-22: Example position of reference switch actuating plate
1 Tool
2 Actuating plate
3 Reference switch
4 Mechanical mounting fixture for the reference switch
5 Actuated reference switch

Selection criteria
The reference run must be selected in accordance with the following crite-
ria:
• The position of the reference switch and actuating plate does not inter-
fere with the work sequence of the robot.
• The reference position is not a position in which the axes are in a sin-
gularity.
• In the reference position, both proximity switch surfaces of the refer-
ence switch are actuated by the switching surface (actuating plate or
tool).
• All axes of a reference group are in the reference position in order to
actuate the reference switch.
• In the reference position, the robot axes are at least ±5° (rotational ax-
es) or ±15 mm (linear axes) away from the mastering position.
• The position of the reference switch is within the motion range of the
robot.
7.7.1.4 Installing the reference switch and actuating plate
Precondition
• The robot controller is switched off and secured to prevent unauthor-

ized persons from switching it on again.
• The reference run has been selected in accordance with the required
criteria.
(>>> "Selection criteria" Page 130)
Procedure
1. Prepare a mechanical mounting fixture for mounting the reference

switch.
2. Attach the reference switch to the mounting fixture.
3. If the actuating plate is being used, fasten the actuating plate to the
robot flange or tool.
NOTICE
To ensure that the reference position remains stable, the reference
switch and actuating plate must be securely installed.


Example
Fig. 7-23: Example of an actuating plate on the tool
1 Robot
2 Actuating plate on tool
3 Tool
4 Reference switch on mounting fixture
7.7.1.5 Connecting the reference switch
WARNING
The robot controller is preconfigured for the specific industrial robot. If
cables are interchanged, the manipulator and the external axes (option-
al) may receive incorrect data and can thus cause personal injury or
material damage. If a system consists of more than one manipulator, al-
ways connect the connecting cables to the manipulators and their corre-
sponding robot controllers.
In the case of a KR C4, only 1 reference switch can be connected di-

rectly to the robot controller. If multiple reference groups are required,
the reference switches can be connected to the safety PLC and activa-
ted via the bus interface that is in use. The safety PLC must evaluate
the reference switches and set the Mastering test input accordingly.
Precondition

• Reference switch is installed.

• Reference cable X42 - XS Ref (maximum cable length 40 m)
Procedure
1. Route the reference cable X42 - XS Ref correctly (in a fixed installa-
tion or cable carrier).
NOTICE
When routing the cable, avoid mechanical damage and observe the
minimum bending radii.
The following bending radii serve as guide values:

2. Connect the reference cable: Connect X42 to the robot controller and
XS Ref to the reference switch.
7.7.1.6 Configuring the reference groups to be checked in file
Description
The reference groups to be checked must be configured in the file “mas-

ref_user.dat”. For this, the reference groups to be checked are entered in
an array. The order in which the reference groups are entered determines
the order in which they are subsequently called in the mastering test.
Configuration file
Directory C:\KRC\R1\Program
File masref_user.dat
Fold reference groups
Array MASREFg_GroupSequence[3]
Precondition
• User group Expert
Procedure
1. Open the file in the navigator.

2. Enter the numbers of the reference groups to be checked in the array.
(0 means that no reference group will be checked here.)
3. Save and close the file.
Example
Reference groups 1 and 2 are called and checked in sequence during the
mastering test. Reference group 3 is not required:
reference groups
...
DECL GLOBAL CONST INT MASREFg_GroupSequence[3] ; contains
reference groups to test
MASREFg_GroupSequence[1]=1

The order in which the reference groups are called is irrelevant for the

mastering test. It is equally permissible to call and check reference group
2 first and then reference group 1.
reference groups
...
DECL GLOBAL CONST INT MASREFg_GroupSequence[3] ; contains
reference groups to test
7.7.1.7 Teaching positions for the mastering test
Description
The following points must be taught for each reference group:

• Movement to the reference switch
• Reference position
The reference position must additionally be taught in the safety con-
figuration.
• Movement away from the reference switch
Precondition
• User rights of the following function groups:

‒ Critical KRL program changes
‒ Program selection and deselection
‒ Block selection
‒ General configuration
‒ Jogging with the jog keys
Or alternatively:
Jogging using the 6D mouse
‒ Teach local points
But at least the user group “Safety maintenance”
• The reference switch is installed and connected.
• T1 or T2 mode
Procedure
1. Open the program “masref_user.src”.

2. Insert a HALT statement in the subprograms MASREFSTARTGX() and
MASREFBACKGX() of the current reference group.
3. Close the program “masref_user.src”.
4. Set the variable MASREF_GroupNumber to the value of the current
reference group, e.g. 1.
• Via the variable correction function, Module: /R1/masref_main
• Or directly in the file R1/System/masref_main.dat in the fold refer-
ence groups
5. Select the program “masref_main.src”.
6. Perform block selection to the subprogram RunTest_Group(MAS-
REF_GroupNumber).

7. Press the Start key. The subprogram MASREFSTARTGX() of the pro-

gram “masref_user.src” is called.
8. In the subprogram MASREFSTARTGX(), program a motion to a point
approx. 10 cm before the reference switch and teach the required
points.
9. Program a LIN motion to the reference switch so that it is actuated.
This position is the reference position.
The distance from the reference switch must not exceed 2 mm in
the reference position. If the distance is greater, the reference switch
will not be actuated.
10. Teach the reference position.

11. Do not move the robot.
12. Teach the reference position in the safety configuration.
(>>> 7.5.10 "Configuring the reference position and reference group"
Page 121)
13. Return to the subprogram MASREFSTARTGX() and perform a block
selection to the END line.
14. Press the Start key. The subprogram MASREFBACKGX() of the pro-
gram “masref_user.src” is called.
15. In the subprogram MASREFBACKGX(), program the motion away
from the reference position and teach the required points.
16. Deselect the program “masref_main.src” and save the changes.
17. For further reference groups (2, 3), repeat the sequence from step 1.
18. For automatic operation, delete all HALT statements from the program
“masref_user.src” once again.
19. Cyclically call the program “masref_main.src” at a suitable point and
enable execution of the mastering test after an internal request.
Program
1
2 GLOBAL DEF MASREFSTARTG1()
3 Teach path and reference position for group 1
4
5 END
6
9
10 END
11
14
15 END
16
17 GLOBAL DEF MASREFBACKG1()
18 Teach path back for group 1
19
20 END
21
24
25 END


26
29
30 END
Line Description
5 Program the motion to the reference position of reference
group 1 and teach the reference position.
20 Teach the motion away from the reference position of refer-
ence group 1.
ence group 2.
ence group 3.
7.7.1.8 Checking the reference position (actuation with tool)
WARNING
The robot can move beyond the configured limits if the reference switch
is actuated by a ferromagnetic part of the tool and the accuracy at the
reference position is exceeded. Severe physical injuries or damage to
property may result. The accuracy of the reference position must be
checked.
WARNING
If the tool is exchanged, the reference position and the accuracy of the
reference position must be checked. If required, the reference position
must be adapted to the new tool. Failure to observe this precaution may
result in severe physical injuries or considerable damage to property.
Precondition

‒ Critical KRL program changes
‒ Program selection and deselection
‒ Block selection
‒ General configuration
‒ Jogging with the jog keys
Or alternatively:
Jogging using the 6D mouse
• The reference position has been taught in the program “mas-
ref_user.src”.
• The reference position has been taught in the safety configuration.
• T1 or T2 mode

Procedure
1. Open the program “masref_user.src”.

2. In the subprogram MASREFSTARTGX() of the current reference
group, insert a HALT statement immediately before the END line.
3. Close the program “masref_user.src”.
4. Set the variable MASREF_GroupNumber to the value of the current
reference group, e.g. 1.
• Via the variable correction function, Module: /R1/masref_main
• Or directly in the file R1/System/masref_main.dat in the fold refer-
ence groups
5. Select the program “masref_main.src”.
6. Perform block selection to the subprogram RunTest_Group(MAS-
REF_GroupNumber).
7. Press the Start key. The subprogram MASREFSTARTGX() of the pro-
gram “masref_user.src” is called and the robot moves to the reference
position.
8. Jog each axis individually in the positive and negative directions using
the jog keys and observe when the reference switch is no longer actu-
ated.
9. Analyze the axis-specific tolerances determined in this way for the
mastering test relative to the application and select a different refer-
ence position if necessary.
10. For further reference groups (2, 3), repeat the sequence from step 1.
11. For automatic operation, delete all HALT statements from the program
“masref_user.src” once again.
7.7.1.9 Performing a mastering test manually
Precondition
• User rights: Function group Program selection and deselection

If the reference switch is connected to the robot controller via inter-
face X42, the mastering test can be executed in Start-up mode.
• The reference groups to be checked have been configured in the file

“masref_user.dat”.
• The reference groups to be checked have been configured in the safe-
ty configuration.
• The reference position has been taught in the program “mas-
ref_user.src”.
• The reference position has been taught in the safety configuration.
• T1 or T2 mode
WARNING
The robot moves in T2 mode at the programmed velocity and can
cause personal injury or material damage. Make sure that the robot can-
not collide and that no persons are in the motion range of the robot.
Procedure
• Select the program “masref_main.src” and execute it through to the

end of the program.


7.7.2 Mastering test with external mastering confirmation
Description
If the mastering test is configured with external mastering confirmation, the

mastering cannot be verified using one of the reference positions saved in
the safety configuration. There is no KRL program to perform the master-
ing test.
The system integrator himself must check the mastering in the higher-level
controller as part of a safety function and must confirm the successful
mastering test via a safe input signal of the robot controller.
In the event that the higher-level controller recognizes a mastering error
or the mastering test fails, appropriate measures must be taken on the
robot controller, e.g. cancel the motion enable.
Signals
Safe input EJB (external mastering confirmation) is provided for external

mastering confirmation via the higher-level controller. The EJB signal is
available via the following interfaces:
• Ethernet safety interface
• Interface X42 combined with safety interface X13
In order to confirm mastering, a positive pulse must be created at input
EJB. The pulse must be at least 350 ms long and must not exceed 5 s. If
the EJB signal switches from “logic 0” to “logic 1” and switches back to
“logic 0” within the time frame, the mastering test is successfully con-
firmed.
The higher-level controller can determine whether mastering confirmation
is required via the safe output signals RR (robot referenced) and SO
(safety option active).
If safe output RR is “logic 0”, the mastering test must be confirmed. How-
ever, output RR is also “logic 0” in the following cases:
• The robot controller is switched off or is not yet fully booted (ready for
operation).
• The safety option is not active because safe monitoring is deactivated.
It is advisable to poll the safe output SO (safety option active). When us-
ing an Ethernet safety interface, it is also possible to poll the safe output
signal PSA (safety interface active). When safe output SO or PSA is “logic
1”, the state of safe output RR is also valid.

Fig. 7-24: Connection of higher-level controller (example)
1 Higher-level controller 3 Pulse generator

2 “Mastering OK” signal 4 Robot controller
Overview
The following steps are required in order to carry out external mastering
confirmation:
Step Description
1 Define the reference position and save it in the higher-level
controller.
2 When the mastering test is requested, address the refer-
ence position via the robot controller (via a user-created
KRL program).
3 Compare the setpoint position of the robot and external ax-
es with the reference position saved in the higher-level con-
troller to check whether the positions match.
4 If the position comparison is successful, confirm the master-
ing test via the higher-level controller. Send the confirmation
pulse at safe input EJB to the robot controller.
5 If the position comparison fails, the robot must no longer be
moved. Take appropriate measures on the robot controller
via the higher-level controller, e.g. cancel the motion ena-
ble.
7.7.2.1 Signal diagram for external mastering confirmation
Description
The signal diagram applies in the following case:

• The safe output signal RR is evaluated by the higher-level controller.
• The mastering test is requested by the robot controller. The RR signal
switches from “logic 1” to “logic 0”.
• The higher-level controller confirms the successful mastering test with
the pulse signal EJB.


• The RR signal switches from “logic 0” to “logic 1”. The message Mas-
tering test successfully carried out is displayed.
Fig. 7-25: Signal diagram: external mastering confirmation
1 Mastering test requested.

2 External mastering confirmation starts.
3 Successful mastering test is confirmed.
Errors
The following situations can lead to incorrect mastering confirmation:

• The pulse at safe input EJB is created by the higher-level controller
even though no mastering confirmation is required. Safe output RR is
already “logic 1”.
• The duration of the pulse is longer than 5 seconds.
• Safe input EJB is already “logic 1” when the robot controller is started.
In these situations, safe output RR switches to “logic 0” and the message
Mastering test failed is displayed. A renewed pulse at safe input EJB will
result in successful mastering confirmation.
7.7.2.2 Safety acceptance: checking the external mastering confirmation
All steps of the function sequence implemented on the external system for
the mastering test must be checked by the safety maintenance technician
during safety acceptance as part of a positive test.
In addition to the positive test, the potential errors to be assumed for the
external system must be analyzed at the system level, and corresponding
error control tests must be carried out. In the event of an error, no correct
mastering may be confirmed, i.e. the EJB signal must not be set.
7.8 Brake test
7.8.1 Overview of the brake test
Description
Each robot axis has at least one holding brake integrated into the motor.
The brake test checks to see if the braking torque is sufficiently high, i.e.
whether it exceeds a certain minimum value. The minimum value for the
individual motor types is stored in the machine data and cannot be config-
ured. (The brake test does not calculate the absolute value of the braking
torque.)

It is advisable to carry out the brake test when the robot is at operating
temperature. This is the case after approx. 1 h in normal operation.
Activation + configuration
• The “brake test” functionality is automatically active if a safety option

is installed and safe monitoring is activated.
• If the brake test is not automatically active, the user has the option of
manually activating it (in WorkVisual or on the robot controller).
• The axes to be checked in the brake test can be configured (in Work-
Visual or on the robot controller).
• The cycle time can be configured (in WorkVisual or on the robot con-
troller).
If the brake test is not automatically active, the operator must carry out
a hazard assessment to determine whether it is necessary to activate
the brake test for the specific application.
If the brake test is active, the operator must perform a hazard assess-
ment to determine the following:
• Which axes need to be tested
• What cycle time needs to be defined
It is irrelevant whether the brake test is automatically active or it is acti-
vated manually. The hazard assessment is required in both cases.
Request
Events which request the execution of a brake test

If the brake test is active, the following events request the execution of a
brake test:
• Input $BRAKETEST_REQ_EX is set externally, e.g. by a PLC (exter-
nal request)
• Robot controller boots with a cold start (internal request)
• Brake test cycle time has elapsed (internal request)
The default cycle time is 46 h. It elapses when the drives have been
in servo-control for a total of 46 h.
• Status message from the automatic brake check:
Brake defective, {Axis} permanently under servo control
Response following a request
1. If a request is present, the robot controller generates the following
message: Brake test required.
The robot can be moved for another 2 hours. (This is referred to as
the monitoring time)
2. The brake test must be performed within the monitoring time. Once
the brake test has been performed successfully, the cycle time re-
starts.
3. If the brake test is not performed, the robot stops once the monitoring
time expires. The robot controller generates the following acknowl-
edgement message: Cyclical check for brake test request not made.
The message cannot be acknowledged externally (by the PLC), but
must be acknowledged on the smartPAD.
Once the message has been acknowledged, the robot can be moved
for another 2 hours.


At the time of the brake test, a simulation can be switched on, for ex-
ample via $SIMULATED_AXIS, $SIMULATED_COOP_ROBOTS or
$SERVO_SIM. The simulated axes are not included in the brake test.
Simulated axes must be removed from the simulation and tested before
the end of the cycle time. Otherwise, the robot stops and the robot con-
troller generates the following acknowledgement message: Cyclical
check for brake test request not made. Once the message has been ac-
knowledged, the robot can be moved for another 2 hours.
Active and requested axes
“Active axes” are those axes selected in the Active Configuration column
in the Brake test configuration window.
“Requested axes” are the active axes for which there is currently a brake
test request.
7.8.2 Sequence when testing a brake
The brake test checks the brakes to be tested one after the other.
1. From the start position of the brake test, the axis to be tested moves
in the direction in which the software limit switch is situated further
away, and then moves back. The gravitation and friction of the axis to
be tested are determined during this motion.
Rotational axes move a maximum of 5° in the direction of the software
limit switch; linear axes a maximum of 10 cm.
2. When the axis has returned to its start position, the brake closes and
the motor torque exerted against the closed brake is increased.
The results of the brake test are shown in the message window.
3. If a brake has been identified as being defective, the robot moves to
the parking position following confirmation.
If a brake has reached the wear limit, the robot controller indicates
this by means of a message. A worn brake will soon be identified as
defective. Until then, the robot can be moved without restrictions.
If an axis is equipped with additional brakes, the main brake is tested first.
7.8.3 Programs for the brake test
The programs are located in the directory C:\KRC\ROBOTER\KRC\R1\TP

\BrakeTest.

Program Description
BrakeTestReq.src Performing the brake test cyclically (via program):
• All requested axes can be tested in one cycle using the program.
For this purpose, the program is called without parameters.
• A selection of the requested axes can also be tested using the
program. The desired axes are transferred as parameters when
calling the program. This enables the brake test to be divided into
multiple shorter cycles.
Note: This allows, for example, small breaks in the application to
be utilized for testing individual axes.
(>>> 7.8.5.1 "Performing a brake test for requested axes (cyclically
via program)" Page 151)
BrakeTestReq.src can also be selected manually. All active axes are
tested.
(>>> 7.8.5.2 "Performing a brake test for active axes (manually)"
Page 153)
BrakeTestAxes.src With the program, axes for which there is no brake test request can
be tested. In particular, it also enables the testing of axes which can-
not be activated for the brake test and thus cannot be tested via
BrakeTestReq.src. Couplable axes fall into this category, for example.
(>>> 7.8.5.3 "Performing a brake test for further axes (e.g. couplable
axes)" Page 154)
BrakeTestPark.src The parking position of the robot must be taught in this program.
If, during the brake test, a brake has been identified as being defec-
tive, the robot is moved to the parking position following confirmation.
BrakeTestStart.src The start position of the brake test can be taught in this program. The
robot starts the brake test from this position.
If the start position is not taught, the robot performs the brake test at
the actual position.
BrakeTestBack.src The end position of the brake test can be taught in this program. The
robot moves to this position after the brake test.
If the end position is not taught, the robot remains at the actual posi-
tion after the brake test.
7.8.4 Overview of the brake test setup
Step Description
In WorkVisual or on the robot controller:
1 Activate the brake test; define the cycle time and axes
• On the robot controller:

(>>> 7.8.4.1 "Activating the brake test, defining the
cycle time and axes" Page 143)
• In WorkVisual: Information about activating the brake
test in WorkVisual is contained in the WorkVisual
documentation.
On the robot controller:
2 Configure input and output signals for the brake test.
(>>> 7.8.4.3 "Configuring input and output signals for the
brake test" Page 145)


Step Description
3 Teach positions for the brake test.
(>>> 7.8.4.5 "Teaching positions for the brake test"
Page 149)
4 Test the sequence.
(>>> 7.8.4.6 "Testing the sequence in the case of defec-
tive brakes" Page 150)
7.8.4.1 Activating the brake test, defining the cycle time and axes
Precondition

• T1 or T2 mode
Procedure
1. In the main menu, select Configuration > Brake test configuration.

The Brake test configuration window opens.
(>>> 7.8.4.2 "“Brake test configuration” window" Page 144)
2. If necessary, activate or deactivate the check box for Forcedin the
Current configuration column.
3. Also make the desired settings for the cycle time and axes in the Cur-
rent configuration column.
4. Press the Activate button.
The message Reconfiguration in progress ... is displayed. The mes-
sage disappears automatically when reconfiguration has been comple-
ted. The new settings for the brake test are now saved and valid.

7.8.4.2 “Brake test configuration” window

Fig. 7-26: “Brake test configuration” window
Element Description
Configurations are • LED lights up green: The settings in the Active Configuration
identical and Current configuration columns are identical.
• LED lights up red: The settings are not identical.
Checksum Checksum of the brake test configuration in the corresponding column
• Checksums in both columns are identical:

The settings in the columns are identical. Corresponds to the
green LED for Configurations are identical.
• Checksums not identical:
The settings are not identical. Corresponds to the red LED.
Current configura- The settings can be modified in this column. The most recent modifi-
tion cations are shown.


Element Description
Active Configuration This column displays the valid settings. A check mark next to an axis
means that the axis is selected for the brake test.
This column is used for display purposes only. Modifications are not
possible here.
Forced • Check box not active: Automatic response of the brake test
‒ A safety option is installed and safe monitoring is active. The
brake test is thus automatically active.
‒ Or:
No safety option is installed or safe monitoring is not active.
The brake test is thus automatically inactive.
• Check box active: Forced response
The brake test has been explicitly activated by the user (Here or
in WorkVisual). It is active, irrespective of safety options or safe
monitoring.
Note: The Forced check box WITHOUT a check mark does not indi-
cate whether the brake test is active or not!
The state of the brake test is indicated in the Safety configuration
window on the Common tab:
• Activated: The brake test is active for at least one axis.

• Deactivated: The brake test is not active for any axis.
Cycle time [h] The cycle time specifies the interval at which the brake test is to be
executed.
• 1 … 1000
Default: 46. Unit: hours
[Axis no.]:[Robot type] The robot axes and external axes for which the brake test is to be
executed can be selected here. By default, all axes are selected.
The following external axes cannot be selected:
1. External axes that are simulated

2. External axes that are configured as couplable
3. External axes with motors that are grouped together into a cou-
pling group
Activate Saves the settings of the Current configuration column. The system
then automatically performs a reconfiguration. Once reconfiguration is
completed, new settings are valid and are displayed in the Active
Configuration column.
Activate is only available if the 2 columns have different settings.
Reset to active con- Resets the Current configuration column to the settings from the
figuration Active Configuration column.
Only available if the 2 columns have different settings.
7.8.4.3 Configuring input and output signals for the brake test
Description
All signals for the brake test are declared in the file $machine.dat in the
directory KRC:\STEU\MADA.

WARNING
These signals are not redundant in design and can supply incorrect in-
formation. Do not use these signals for safety-relevant applications.
Precondition
• User rights: Function group Critical KRL program changes
Procedure
1. Open the file $machine.dat in the directory KRC:\STEU\MADA in the

Navigator.
2. Assign inputs and outputs.
3. Save and close the file.
$machine.dat
Extract from the file $machine.dat (with default settings, without com-
ments):
...
SIGNAL $BRAKETEST_REQ_EX $IN[1026]
SIGNAL $BRAKETEST_MONTIME FALSE
...
SIGNAL $BRAKETEST_REQ_INT FALSE
SIGNAL $BRAKETEST_WORK FALSE
SIGNAL $BRAKES_OK FALSE
SIGNAL $BRAKETEST_WARN FALSE
...
Signals
There is 1 input signal. By default, it is routed to $IN[1026].

The output signals are preset to FALSE. There is no need to assign out-
put numbers to them.
Signal Description
$BRAKETEST_REQ_EX Input
• TRUE = brake test is being requested externally (e.g. by

PLC). The robot controller confirms the signal with
$BRAKETEST_REQ_INT = TRUE and generates message
27004.
• FALSE = brake test is not being requested externally.
$BRAKETEST_MONTIME Output
• TRUE = robot was stopped due to elapsed monitoring time.

Acknowledgement message 27002 is generated.
• FALSE = acknowledgement message 27002 is not active.
(Not generated, or has been acknowledged.)
$BRAKETEST_REQ_INT Output
• TRUE = message 27004 is active.

The signal is not set to FALSE again until a brake test is
carried out with a positive result, i.e. with message 27012.
• FALSE = brake test is not requested (either internally or ex-
ternally).


Signal Description
$BRAKETEST_WORK Output
• TRUE = brake test is currently being performed.

• FALSE = brake test is not being performed.
If no defective brakes have been detected, message 27012
is generated.
Edge TRUE → FALSE:
• Test was successfully completed. No brake is defective.

Message 27012 is generated.
• Or at least 1 defective brake was detected and the robot
has moved to the parking position.
• Or the program was canceled during execution of the brake
test.
$BRAKES_OK Output
• Edge FALSE → TRUE: Output was set to FALSE by the

previous brake test. The brake test was carried out again
and no defective brake was detected.
• Edge TRUE → FALSE: A brake has just been detected as
defective. Message 27007 is generated.
This signal does not take any couplable axes into account.
$BRAKETEST_WARN Output
• Edge FALSE → TRUE: At least 1 brake has been detected

as having reached the wear limit. Message 27001 is gener-
ated at the same time.
• Edge TRUE → FALSE: Output was set to TRUE by the
previous brake test. The brake test was carried out again
and no worn brake was detected.
This signal does not take any couplable axes into account.
Messages
No. Message
27000 Test of brakes {Axis bit mask} not executed because axes
are simulated
27001 Brake {Brake no.}{Axis no.} has reached the wear limit
27002 Cyclical check for brake test request not made
27003 Brake test for axes {Axis bit mask} required
27004 Brake test required
27007 Insufficient holding torque of brake {Brake no.}{Axis no.}
27009 Brake {Brake no.}{Axis no.} OK
27010 Unable to verify performance of brake {Brake}{Axis}
27012 Brake test successful
7.8.4.4 Signal diagram of the brake test – examples
Example 1
The signal diagram for the brake test applies in the following case:

• No brake has reached the wear limit.

• No brake is defective.
Fig. 7-27: Signal diagram: brakes OK
Item Description
1 The brake test is requested.
2 Automatic call of the program BrakeTestReq.src
Start of the brake test
3 The brake test is completed.
Example 2
The signal diagram for the brake test applies in the following case:
• Brake A2 is worn.
• Brake A4 is defective.
Fig. 7-28: Signal diagram: brakes not OK
Item Description
1 The brake test is requested.
$BRAKETEST_REQ_INT is not set to FALSE again until a
brake test is carried out with a positive result.
2 Automatic call of the program BrakeTestReq.src
Start of the brake test
3 Brake A2 is tested: brake is worn.
4 Brake A4 is tested: brake is defective.


Item Description
5 The robot has been moved to the parking position or the pro-
gram has been canceled.
7.8.4.5 Teaching positions for the brake test
Description
Start position and end position

The start position and end position can be taught.
• If the start position is not taught, the robot performs the brake test at
the actual position.
• If the end position is not taught, the robot remains at the actual posi-
tion after the brake test.
Parking position
The parking position must be taught.
If, during the brake test, a brake has been identified as being defective,
the robot is moved to the parking position following confirmation.
WARNING
If a brake is identified as being defective and the drives are deactivated,
the robot may sag. For this reason, no stop may be triggered during the
motion to the parking position. The monitoring functions that can trigger
a stop in this range (e.g. monitoring spaces) must be deactivated be-
forehand. No safety functions may be executed that would trigger a stop
(e.g. E-STOP, opening the safety gate, change of operating mode, etc.).
If a brake has been identified as being defective, the parking position
must be approached no faster than at 10% of maximum velocity.
WARNING
The parking position must be selected in a position where no persons
are endangered if the robot sags because of the defective brake. The
transport position, for example, can be selected as the parking position.
Further information about the transport position is contained in the robot
operating or assembly instructions.
WARNING
Make sure that the robot cannot collide and that no persons are in the
motion range of the robot.
Precondition

‒ Jogging with the jog keys or alternatively Jogging using the 6D
mouse
‒ Teach local points
• All output signals are assigned to outputs.
• T1 mode
Procedure
Start position:
1. Open the program BrakeTestStart.src in the directory R1\TP\BrakeTest.

2. Teach the motions to the start position of the brake test.

• The motions must be taught in such a way that the robot cannot
cause a collision on the way to the start position.
• In the start position, each robot axis to be tested must have a suf-
ficient motion range.
During the brake test, rotational axes move a maximum of 5° in
the direction in which the software limit switch is situated further
away; linear axes a maximum of 10 cm.
3. Save and close the program.
End position:
1. Open the program BrakeTestBack.src in the directory R1\TP\BrakeT-
est.
2. Teach the motions from the start position to the end position of the
brake test.
The start and end position may be identical.
Parking position:
1. Open the program BrakeTestPark.src in the directory R1\TP\BrakeTest.
2. Teach the motions from the end position to the parking position of the
robot.
Alternatively, the parking position can also be taught later when testing
the sequence.
(>>> 7.8.4.6 "Testing the sequence in the case of defective brakes"
Page 150)
7.8.4.6 Testing the sequence in the case of defective brakes
WARNING
WARNING
The parking position must be selected in a position where no persons
are endangered if the robot sags because of the defective brake. The
transport position, for example, can be selected as the parking position.
Further information about the transport position is contained in the robot
operating or assembly instructions.
WARNING
Description
The robot controller simulates a defective brake.


Precondition

• In the start position, an adequate motion range is available for each
axis to be tested. (Or, if no start position has been taught, in the ac-
tual position.)
During the brake test, rotational axes move a maximum of 5° in the
direction in which the software limit switch is situated further away; lin-
ear axes a maximum of 10 cm.
Procedure
1. Select the program BrakeTestReq.src in the directory R1\TP\BrakeT-

est.
The following message is displayed: Start key required
2. Press the Start key.
The following message is displayed: Should the brake test be car-
ried out manually or should the movement to the parking position
be checked?
3. Select the answer Park pos..
4. The BCO run is performed. The message Programmed path reached
(BCO) is displayed.
The following message is displayed: CAUTION! Braking effect of the
holding brakes no longer sufficient to hold the robot safely. Triggering
safety functions or switching off the drives can cause the robot to sag.
Following confirmation, the parking position/wait position is addressed..
Confirm the message with Park pos..
• The robot moves to the parking position if the parking position has
already been taught.
• If the parking position has not yet been taught, the following mes-
sage is displayed:
Parking position is invalid. Move the robot to the correct posi-
tion and press the “Touch Up” softkey.
In this case, move the robot manually to the desired parking posi-
tion and teach the position.
7.8.5 Performing a brake test
7.8.5.1 Performing a brake test for requested axes (cyclically via program)
Description
With BrakeTestReq.src, the axes for which there is a brake test request
can be tested. The axes can either be tested in a single cycle or the test
can be divided into several shorter cycles.
This allows, for example, small breaks in the application to be utilized
for testing individual axes.
Precondition
To integrate the program:


Procedure
Test in a single cycle:

Integrate BrakeTestReq.src into a suitable program (e.g. into CELL.src or
into the application program) in such a way that it is called cyclically as a
subprogram. If a brake test is requested, BrakeTestReq.src detects the re-
quest and starts the brake test.
• Call BrakeTestReq.src without parameters:
BrakeTestReq()
Further information:
The axes are tested in a single cycle, from the lowest axis number to the
highest.
Alternative procedure
Test divided into several shorter cycles:

Integrate BrakeTestReq.src into a suitable program in such a way that it is
called cyclically as a subprogram. If a brake test is requested, BrakeTest-
Req.src detects the request and starts the brake test.
• When calling BrakeTestReq.src, transfer the axes to be tested as pa-
rameters.
Further information:
• One or more of the requested axes can be tested per cycle. The indi-
vidual cycles do not have to follow one another directly.
• The order of the cycles is irrelevant. A cycle to test A6, for example,
can be called first. If multiple axes are tested in one cycle, however,
the lowest axis will always be tested first.
• In total, all requested axes must be tested. This must occur within the
monitoring time.
Parameter
The axes to be tested can be transferred as an integer or as a bit mask.

Bit 0 corresponds to A1; bit 1 to A2; …; bit 6 to A7/E1; …; bit 11 to
A12/E6.
Example for A1 and A3, as an integer:
BrakeTestReq(5)
Example for A1 and A3, as a bit mask:
BrakeTestReq('b101')
No parameter or parameter “-1” means: all active axes.
Example
In this example, the lowest numbered axis from amongst the axes with a
currently requested brake test is tested. Such an example can be integra-
ted into the application cycle at a suitable point in order to test one axis
per cycle.
int axes_bit_mask, test_bit_mask, counter

...
1 axes_bit_mask = get_axesmask(#braketest_required)
2 test_bit_mask = 1
3 if axes_bit_mask > 0 then


4 for counter=1 to 12
5 if (axes_bit_mask B_AND test_bit_mask) > 0 THEN
6 counter = 13
7 else
8 test_bit_mask = test_bit_mask*2
9 endif
10 endfor
11 braketestreq(test_bit_mask)
12 endif
...
Line Description
1 Query for which axes the brake test is currently requested.
2 By way of preparation, set the lowest possible axis (in this
case, A1) as the axis to be tested.
3 to 12 If there is a request for at least one axis, the IF block is
executed. It contains a counting loop.
4 to 10 The counting loop is designed in such a way that, upon ex-
iting it, test_bit_mask always corresponds to the lowest
axis of all those to be tested.
6 Exit the counting loop.
11 Call the brake test for the axis to be tested
test_bit_mask.
7.8.5.2 Performing a brake test for active axes (manually)
WARNING
WARNING
Description
This procedure can be used to test the active axes. The axes are tested
in a single cycle, from the lowest axis number to the highest.
This procedure can be used to process an existing brake test request.
Precondition


• In the start position, an adequate motion range is available for each

axis to be tested. (Or, if no start position has been taught, in the ac-
tual position.)
During the brake test, rotational axes move a maximum of 5° in the
direction in which the software limit switch is situated further away; lin-
ear axes a maximum of 10 cm.
Procedure
1. Select the program BrakeTestReq.src in the directory R1\TP\BrakeT-

est.
The following message is displayed: Start key required
The following message is displayed: Should the brake test be car-
ried out manually or should the movement to the parking position
be checked?
3. Select the answer BT man..
4. The BCO run is performed. The message Programmed path reached
(BCO) is displayed.
The following message is displayed: Brake test for axes {Axis bit
mask} required. The message lists the active axes.
The program now tests the brakes/axes successively, starting with the
lowest axis number.
6. Possible results:
• If a brake is OK, this is indicated by the following message: Brake
{Brake no.}{Axis no.} OK.
The message Brake test for axes {Axis bit mask} required then re-
appears. It now only lists the axes that have not yet been tested.
The program automatically tests the next axis.
If all brakes are OK, this is indicated after the brake test by the
following message: Brake test successful. (It is possible that one
or more brakes may have reached the wear limit. This is also indi-
cated by a message.)
Now deselect the program BrakeTestReq.src.
• If a brake is defective, this is indicated by the following message:
Insufficient holding torque of brake {Brake no.}{Axis no.}. The test
continues until all brakes have been tested.
Once all brakes have been tested, the following message is dis-
played: CAUTION! Braking effect of the holding brakes no longer
sufficient to hold the robot safely. Triggering safety functions or
switching off the drives can cause the robot to sag. Following con-
firmation, the parking position/wait position is addressed..
Now press Park pos. to move the robot to the parking position.
7.8.5.3 Performing a brake test for further axes (e.g. couplable axes)
Description
With BrakeTestAxes.src, axes for which there is no brake test request can
be tested. In particular, it also enables the testing of axes which cannot
be activated for the brake test and thus cannot be tested via BrakeTest-
Req(). Couplable axes fall into this category, for example.


Precondition
To integrate the program:

Procedure
Integrate BrakeTestAxes.src into a suitable program in such a way that it

is called as a subprogram.
• When calling BrakeTestAxes.src, transfer the axes to be tested as pa-
rameters.
Parameters
The axes to be tested can be transferred as an integer or as a bit mask.

Bit 0 corresponds to A1; bit 1 to A2; …; bit 6 to A7/E1; …; bit 11 to
A12/E6.
Example for A7/E1, as an integer:
BrakeTestReq(64)
Example for A7/E1, as a bit mask:
BrakeTestReq('b1000000')
No parameter or parameter “-1” means: all active axes.
Additional info
In principle, it is also possible to use BrakeTestAxes(axes) to test one or

more axes for which there is a request. When calling the test, the axes
must be transferred as parameters in this case too.
An existing brake test request can be processed using BrakeTestAxes.src.
If BrakeTestAxes.src is called for an active axis, this triggers a request
for all active axes! As usual, the request must be processed within the
monitoring time. It is therefore not possible to test individual active axes
using BrakeTestAxes.src.
7.8.6 Automatic brake check
Description
The default cycle time of the brake test is 46 hours. In order to detect de-
fective brakes as early as possible, however, even before the end of the
cycle time, the robot controller performs an additional, automatic brake
check.
If the brake check indicates that a brake might be defective, a brake test
must be performed for verification.
Decoupled axes and force-controlled axes are excluded from the brake
check.
Sequence
1. If a brake has been applied, the robot controller automatically checks

whether the axis is still moving. Motions within a narrow, internally de-
fined tolerance range are allowed.

The tolerance range corresponds to half of the standstill window.

The standstill window is: $IN_POS_MA[axis] * $IN_STILL_MA.
Further information about these system variables can be found in
the documentation Configuration of Kinematic Systems.
2. If the tolerance range is exceeded, this indicates that the brake is de-
fective. In this case, the robot controller switches the axis back to ser-
vo control to prevent it from sagging. The axis is now in the “BrakeDe-
fect” state.
Furthermore, the status message Brake defective, {Axis} permanently
under servo control is displayed.
3. The further procedure depends on whether or not the brake test is ac-
tive for the corresponding axis:
• Brake test is active:
The robot controller sets $BRAKETEST_REQ_INT to TRUE and
generates the following message: Brake test required. A brake test
must be performed within the next 2 hours, otherwise the robot will
stop!
• Brake test is not active:
The robot stops and the acknowledgement message Stop due to
defective brake is displayed.
The message can be acknowledged and the robot movement can
be resumed. The axis remains permanently under servo control,
i.e. its brakes are no longer applied. (Except if the safety controller
resets the “Motion enable” input.)
In order to enable the brakes to close again, a brake test must be
performed manually!
4. Once a brake test has been performed and has indicated that the axis
is working correctly, the status message Brake defective, {Axis} perma-
nently under servo control disappears again.
BrakeDefect
If an axis is in the “BrakeDefect” state, the robot controller ignores brake

closing requests for this axis and for the axes on the same brake channel.
If an axis is in the “BrakeDefect” state, its brakes nevertheless close in
the following case: the safety controller resets the “Motion enable” input,
e.g. in the case of an EMERGENCY STOP or short-circuit braking.
7.8.7 System functions for the brake test
7.8.7.1 GET_AXESMASK()
Description
Various queries concerning the axes involved in the brake test can be car-
ried out.
Syntax
result = GET_AXESMASK(axes)


Explanation of the syntax
Element Description
result Variable for the return value, type: INT
Bit mask, i.e. specification of which axes are involved
axes Type: ENUM AXESMASK_INFO
• #BRAKETEST_CONFIGURED
Axes configured for the brake test
Corresponds to the axes in the Active Configuration
column in the Brake test configuration window.
• #BRAKETEST_ACTIVATED
‒ If the brake test is active, the return value is as
for #BRAKETEST_CONFIGURED.
‒ If the brake test is not active, the return value is
“0”.
• #BRAKETEST_REQUIRED
Axes for which the brake test is currently requested
• #BRAKETEST_UNTESTED
Axes for which the state of the brake is BT_UNTES-
TED. Axes not configured for the brake test are also
included.
• #BRAKETEST_BRAKES_OK
Axes found to be OK in the most recent brake test
Example
Query for which axis the brake test is currently requested:
int axes_bit_mask
...
axes_bit_mask = get_axesmask(#braketest_required)
7.8.7.2 GET_BRAKETEST_TIME()
Description
Various time values related to the brake test can be polled.
Syntax
result = GET_BRAKETEST_TIME(time_type)

Explanation of the syntax
Element Description
result Variable for the return value, type: REAL
Time (unit: h)
time_type Times that can be polled
Type: ENUM BRAKETEST_TIME_INFO
• #BT_CONFIG_CYCLE_TIME
Cycle time for the brake test
Corresponds to the Cycle time [h] box in the Brake
test configuration window.
Cycle time [h]
• #BT_REMAINING_CYCLE_TIME
Remaining cycle time
• #BT_REMAINING_MON_TIME
Remaining monitoring time
7.9 Override reduction
Override reduction is not a safety function.
Override reduction is a velocity and space monitoring function that can be

activated using system variables.
• Override reduction prevents velocity limits that are monitored by the
safety controller from being exceeded.
• Override reduction in space monitoring functions ensures that the ve-
locity is reduced before a space limit is reached to such an extent that
the stopping distance is as short as possible in the event of a stop at
boundaries.
7.9.1 System variables for override reduction
The system variables for override reduction can be modified in the $cus-
tom.dat file, in a KRL program or via the variable correction function. If a
variable is modified, an advance run stop is triggered.
$SR_VEL_RED Override reduction for velocity monitoring
TRUE = override reduction is activated.
FALSE = override reduction is not activated.
Default: TRUE
$SR_OV_RED Reduction factor for override reduction as a percentage
The currently monitored velocity limit is reduced to this
percentage value.
• 10 - 95%
Default: 75%


$SR_WORKSPACE_RED Override reduction for space monitoring
TRUE = override reduction is activated.
FALSE = override reduction is not activated.
Default: TRUE
7.9.2 Override reduction with spline
If motion is carried out without spline, override reduction takes effect be-
fore workspace limits and at Cartesian velocity limits. If motion is carried
out with spline, override reduction also affects axis-specific velocity limits.
Override reduction has an effect … Without With spline
spline
before workspace Cartesian
limits
Axis-specific
(in T2, AUT and
AUT EXT)
on space-specific Cartesian space
velocity
Axis-specific space
on velocity limits Cartesian velocity
• Maximum velocity (not space-depend-

ent)
• Reduced velocity
• Reduced velocity for T1
Axis velocity
• Maximum velocity (valid globally for

every axis)
• Reduced velocity
• Maximum velocity for T1
Spline is a motion type that is suitable for particularly complex, curved
paths. Such paths can also be generated using approximated LIN and
CIRC motions, but splines have advantages, however.
The advantages of spline include:
• The path always remains the same, irrespective of the override set-
ting, velocity or acceleration.
• Circles and tight radii are executed with great precision.
It is advisable to use spline for optimal override reduction, e.g. in the case
of frequent motion along the workspace limits.
Further information about motion programming with spline is contained
in the “Operating and Programming Instructions for System Integrators”.
7.9.3 Override reduction for velocity monitoring
Description
The override reduction for velocity monitoring is activated with

$SR_VEL_RED = TRUE.

If override reduction is active, the velocity is automatically reduced so that

the lowest currently monitored velocity limit is not exceeded.

The variable $SR_OV_RED specifies the reduction factor for the override
reduction as a percentage. The velocity is reduced to the following value:
• Lowest currently monitored velocity limit * reduction factor
Example
The override reduction is configured with a reduction factor of 95%:

• $SR_VEL_RED = TRUE
• $SR_OV_RED = 95
The lowest Cartesian velocity limit active on the safety controller is a
space-specific velocity of 1,000 mm/s. The override reduction function re-
duces the Cartesian velocity at the safe TCP of the active tool to 950 mm/
s. The override reduction function is only triggered if it is foreseeable that
the limit of 950 mm/s will be exceeded without velocity reduction.
Fig. 7-29: Override reduction with $SR_VEL_RED
v3 Maximum Cartesian velocity; v3 = 1,200 mm/s

v2 Space-specific velocity; v2 = 1,000 mm/s
v1 Velocity v2 * reduction factor; v1 = 1,000 mm/s * 95% = 950 mm/s
t1 Override reduction is triggered: It is foreseeable that the limit v1
will be exceeded without the reduction in velocity.
t2 Override reduction is no longer triggered.
7.9.4 Override reduction for space monitoring
Description
The override reduction for space monitoring is activated with $SR_WORK-

SPACE_RED = TRUE.
Characteristics:
• Only affects monitoring spaces for which the “Stop at boundaries”

function has been configured
• Active in T2, AUT and AUT EXT modes
• Generally inactive in T1 mode, i.e. it is also inactive if $SR_WORK-
SPACE_RED = TRUE
• Dependent on the “Braking before restricted areas” function
Without BBRA
Override reduction with “Braking before restricted areas” deactiva-

ted:

When the robot approaches the space limit with override reduction activa-

ted, the velocity is continuously reduced. When the robot moves over the
space limit and is stopped, the velocity has already been greatly reduced.
The stopping distance is short and the robot quickly comes to a standstill.
When the robot approaches the space limit with override reduction deacti-
vated, the velocity is not reduced. The robot is still moving at full velocity
when it is stopped at the space limit. The robot does not come to a stand-
still as quickly as with override reduction active, as the stopping distance
is greater due to the higher velocity.
With BBRA
Override reduction with “Braking before restricted areas” activated:

When the robot approaches the space limit with override reduction activa-
ted, the velocity is continuously reduced to prevent the safety function
from being triggered. If necessary, the override is reduced to 0% if, for ex-
ample, the path being executed leads into a protected space.
If the robot is positioned before a temporarily activated space with 0%
override in T2 or AUT mode, it will resume its motion without any
further intervention as soon as the space is deactivated.
If the override cannot be reduced quickly enough to prevent safe space

monitoring from being triggered, then a path-maintaining EMERGENCY
STOP is executed.
When the robot approaches the space limit with override reduction deacti-
vated, the velocity is not reduced and the robot is stopped by the safety
controller with a STOP 1 - DRS. In this case, the robot does not normally
come to a stop on the path. Instead, it deviates from this path because
the STOP 1 - DRS is not path-maintaining.

Fig. 7-30: Overview: step-by-step prevention of space violation with BBRA
7.9.5 Examples: override reduction with spline/without BBRA
The following examples apply to safety configurations that do not use

the “Braking before restricted areas” function.
Changing workspace
A change of workspace is carried out from one Cartesian workspace to

another Cartesian workspace with a lower space-specific velocity vmax.
The following preconditions are met:
System variables:
• $SR_VEL_RED = TRUE
• $SR_OV_RED = 80
Safety configuration:

• The “Braking before restricted areas” function is deactivated.
• At least one tool sphere on the active tool is monitored.
• The workspace with the lower space-specific velocity vmax is switched
to active (permanently for preference).


• The space-specific velocity vmax is valid if the workspace is not viola-
ted.
With spline (red line), override reduction reduces the Cartesian velocity at
the safe TCP of the active tool in good time in the old workspace and
moves into the new workspace with the lower space-specific velocity.
Without spline (blue line), the Cartesian velocity is reduced in the old
workspace, but the override reduction function is not usually triggered ear-
ly enough. The lower space-specific velocity of the new workspace has
not yet been reached at the space limit and the robot stops with a safety
stop 0.
Fig. 7-31: Changing to a workspace with a lower vmax
1 Cartesian workspace with vmax = 1,000 mm/s,

reduced to 800 mm/s
2 Cartesian workspace with vmax = 500 mm/s,
reduced to 400 mm/s
Due to override reduction with $SR_OV_RED = 80, a maximum of 80

percent of the configured space-specific velocity vmax is reached in the
workspaces.
Moving into a protected space
A Cartesian protected space is configured into which the robot may not
move. If the robot approaches the protected space, override reduction is
triggered and reduces the velocity. If the robot attempts to enter the pro-
tected space, a safety stop 0 is triggered at the space limit.
System variables:
• $SR_WORKSPACE_RED = TRUE

• The “Braking before restricted areas” function is deactivated.
• The “Stop at boundaries” function is active.
• The protected space is switched to active.
With spline (red line), override reduction reduces the Cartesian velocity at
the safe TCP of the active tool to a value that roughly corresponds to a
program override of 1% while it is still in the permissible range. The robot
enters the Cartesian protected space with this velocity and is stopped with
a safety stop 0.

Without spline (blue line), the Cartesian velocity is reduced while in the
permissible range, but the override reduction function is not usually trig-
gered early enough. The robot enters the Cartesian protected space at a
higher velocity than with spline. Here, once again, the robot stops with a
safety stop 0, but the braking reaction is more abrupt and the stopping
distance greater.
Fig. 7-32: Moving into a protected space
1 Permissible range 2 Cartesian protected space
7.9.6 Examples: override reduction with BBRA
The following examples apply to safety configurations that use the

“Braking before restricted areas” function.
Stopping before a protected space
move. In the example, the path leads into the protected space.
System variables:

• The “Braking before restricted areas” function is activated.
The override reduction function reduces the Cartesian velocity at the safe
TCP of the active tool down to a standstill within the permissible range.
This prevents the robot from reaching the Cartesian protected space. If it
is a temporary protected space and it is deactivated, the robot resumes its
motion without further intervention.


Fig. 7-33: Stop before space limit using override reduction
1 The robot is braked to a standstill on the path.

2 Protected space
3 Fictitious STOP 1 - DRS end positions monitored by the safety
controller do not violate the space because the velocity is suffi-
ciently reduced.
In the event that the override reduction does not reduce the velocity quick-
ly enough, the safety controller stops the robot with a STOP 1 - DRS as
soon as it detects that the end position of such a stop would violate the
space.
Fig. 7-34: Stop before space limit without override reduction
1 Robot is stopped by the safety controller using a STOP 1 - DRS if

there is an impending space violation.
2 Protected space
Moving past the protected space boundary
move. In the example, the path runs very closely past the protected
space.
System variables:

• The “Braking before restricted areas” function is activated.

When the robot approaches a protected space boundary, its Cartesian ve-
locity at the safe TCP of the active tool is reduced to such an extent that
the fictitious STOP 1 - DRS end position remains outside the protected
space. This makes use of the fact that the braking distance of a STOP 1 -
DRS is shortened on account of the reduced velocity.
In some cases, it may not be possible to reduce the velocity quickly
enough to prevent the stop point from penetrating the protected space. In
this case, a path-maintaining EMERGENCY STOP is triggered to prevent
a safety function from being violated and the safety controller from execut-
ing a non-path-maintaining STOP 1 - DRS as a result.
(>>> Fig. 7-30)
7.10 Safety acceptance overview
Description
The safety option must not be put into operation until the safety accept-
ance procedure has been completed successfully. For successful safety
acceptance, the points in the checklists must be completed fully and con-
firmed in writing.
The completed checklists, confirmed in writing, must be kept as docu-
mentary evidence.
Safety acceptance must be carried out in the following cases:

• Following initial start-up or recommissioning of the industrial robot
• After a change to the industrial robot
• After a change to the safety configuration
• After a software update, e.g. of the System Software
Safety acceptance after a software update is only necessary if the ac-
tivation code of the safety configuration changes as a result of the up-
date.
The safety configuration must be archived and the change log checked
after every modification. It is also advisable to print out the data set
containing the safety parameters using WorkVisual.
Checklists
The following checklists can be found in the Appendix:

• Checklist for robot and system
(>>> 11.1.2 "Checklist: robot and system" Page 249)
• Checklist for safety functions
• Checklist for Cartesian velocity monitoring functions
(>>> 11.1.4 "Checklist: Cartesian velocity monitoring functions"
Page 254)
• Checklist for axis-specific velocity monitoring functions
(>>> 11.1.5 "Checklist: Axis-specific velocity monitoring" Page 255)
• Checklist for safe operational stop for axis groups
(>>> 11.1.6 "Checklist: Safe operational stop for axis groups"
Page 259)
• Checklist for cell area
(>>> 11.1.7 "Checklist: Cell area" Page 261)


• Checklist for Cartesian monitoring spaces
(>>> 11.1.8 "Checklist: Cartesian monitoring spaces" Page 262)
• Checklist for axis-specific monitoring spaces
(>>> 11.1.9 "Checklist: Axis-specific monitoring spaces" Page 264)
• Checklist for “Braking before restricted areas” function
(>>> 11.1.10 "Checklist: Braking before restricted areas" Page 269)
• Checklist for safe tools
(>>> 11.1.11 "Checklist: Safe tools" Page 270)
7.11 Checking that the safety functions are functioning correctly
The configured velocity limits, the limits of the monitoring spaces and the
space-specific velocities must be checked with override reduction deacti-
vated. For this, the following variables must be set to FALSE in $CUS-
TOM.DAT:
• $SR_VEL_RED
• $SR_WORKSPACE_RED
To check the configured limits, the space and velocity limits are deliberate-
ly exceeded by means of test programs. If the safety configuration stops
the robot, the limits are correctly configured.
If the robot is stopped by the safety controller, a message with message
number 15xxx is displayed. If no message is displayed, or if a message
from a different number range is displayed, the safety controller must be
checked.
7.11.1 Testing Cartesian velocity limits
(>>> 11.1.4 "Checklist: Cartesian velocity monitoring functions" Page 254)
Description
The following Cartesian velocities must be tested:

• Reduced Cartesian velocity for T1
• Reduced Cartesian velocity
• Global maximum Cartesian velocity
Precondition
• Override reduction is deactivated.
SAFETY INSTRUCTION
Procedure
1. Create a test program in which the velocity limits are intentionally ex-
ceeded, e.g. configured with 1,000 mm/s, moved at 1,100 mm/s.
When testing the Cartesian velocity on a KL, the linear unit must al-
so be moved.
2. To test the reduced Cartesian velocity for T1, execute the test
program in operating mode T1.
3. To test the reduced Cartesian velocity and the maximum Cartesian ve-
locity, execute the test program in operating mode T2.

WARNING
Death, serious injuries or major damage to property may occur. If a pro-
gram is executed in test mode T2, the operator must be in a position
outside the danger zone.
7.11.2 Testing axis-specific velocity limits
(>>> 11.1.5 "Checklist: Axis-specific velocity monitoring" Page 255)
Description
The following axis-specific velocity limits must be tested:

• Maximum axis velocity for T1
• Reduced axis velocity
• Maximum axis velocity (valid globally for every axis)
It is only necessary to check the global maximum axis velocity if an axis

must not exceed a defined velocity. If the global maximum axis velocity
is only to limit the minimum axis-specific protected space, no verification
is required.
Precondition
Procedure
Testing limits for rotational axes:

SAFETY INSTRUCTION
1. Look up the maximum axis velocity Vmax in the data sheet of the
robot used.
ceeded, e.g. axis A1 configured with 190°/s, moved at 200°/s.
3. Calculate axis velocity $VEL_AXIS[x].
(>>> "Example calculation of $VEL_AXIS" Page 169)
4. Enter the axis velocity $VEL_AXIS[x] in the test program.
5. To test the maximum axis velocity for T1, execute the test program in
operating mode T1.
6. To test the reduced axis velocity and the maximum axis velocity, exe-
cute the test program in operating mode T2.
WARNING
Testing limits for linear axes:

SAFETY INSTRUCTION
ceeded, e.g. linear axis configured with 1,000 mm/s, moved at
1,100 mm/s.


2. To test the maximum axis velocity for T1, execute the test program in
operating mode T1.
3. To test the reduced axis velocity and the global maximum axis veloci-
ty, execute the test program in operating mode T2.
WARNING
Example calculation of $VEL_AXIS
Calculate the axis velocity $VEL_AXIS[x] as follows:

$VEL_AXIS[x] = (VTest / Vmax) * 100 = (200°/s / 360°/s) * 100 = 56
Element Description
x Number of the axis
Vtest Desired test velocity, in this example 200°/s
Unit: °/s
Vmax Maximum axis velocity according to the data sheet of the
robot
Unit: °/s
Enter the calculated axis velocity $VEL_AXIS[x] in the test program:
...
PTP {A1 -30}
HALT
$VEL_AXIS[1] = 56
PTP {A1 30}
...
7.11.3 Checking the safe operational stop for an axis group
(>>> 11.1.6 "Checklist: Safe operational stop for axis groups" Page 259)
Forces acting on the robot in the production process may result in a vi-
olation of the safe operational stop, e.g. when loading a workpiece into
a gripper. To remedy this, the position tolerance for the affected axis
must be increased.
Precondition
SAFETY INSTRUCTION
Procedure
1. Activate safe operational stop for the axis group.

2. Jog the first axis in the axis group in the positive or negative direction
using the jog keys and with a jog override of 1%.
A robot stop must be triggered (safety stop 0).
3. Deactivate safe operational stop for the axis group and reactivate it.
4. Repeat steps 2 to 3 to check further axes of the axis group.

7.11.4 Testing Cartesian monitoring spaces
(>>> 11.1.8 "Checklist: Cartesian monitoring spaces" Page 262)

Description
The configuration of the boundaries and the space-specific velocity must

be checked. If “Stop at boundaries” is not configured, an alarm space is
used for this.
The space surfaces can have any orientation. The robot must be moved
to each of the 6 space surfaces of a Cartesian monitoring space at 3 dif-
ferent points to check whether the limits have been programmed correctly.
An exception is made here for space surfaces that cannot be addressed
due to circumstances in the system.
The cell area is a Cartesian monitoring space and is tested in the same
way. Depending on the configuration, the cell area consists of 5, 6 or
more space surfaces. Each addressable space surface must be ad-
dressed at 2 different points to check whether the limits have been pro-
grammed correctly.
Fig. 7-35: Moving to space surfaces
Precondition
Procedure
Testing space limits:

SAFETY INSTRUCTION
1. Create a test program in which all positions addressed for checking

the space surfaces are taught.
2. Execute test program in T1 mode.
When testing a Cartesian monitoring space on a KL, the linear unit

must also be moved. It must be ensured that the monitoring space
moves with the linear unit and comes to a standstill.
Testing the space-specific velocity:

SAFETY INSTRUCTION
1. Create a test program in which the space-specific velocity is deliber-

ately exceeded, either inside or outside the monitoring space, e.g. 180
mm/s configured, moved at 200 mm/s.


WARNING
7.11.5 Testing axis-specific monitoring spaces
(>>> 11.1.9 "Checklist: Axis-specific monitoring spaces" Page 264)
Description
The configuration of the boundaries and the space-specific velocity must

be checked. If “Stop at boundaries” is not configured, an alarm space is
used for this.
Precondition
Procedure
Testing space limits:

SAFETY INSTRUCTION
• Jog each axis (that is to be monitored) once to the upper and lower
boundaries of the monitoring space in T1 mode using the jog keys or
Space Mouse.
Testing the space-specific velocity:
SAFETY INSTRUCTION
1. Create a test program in which the space-specific velocity is deliber-

ately exceeded, either inside or outside the monitoring space, e.g. 180
mm/s configured, moved at 200 mm/s.
WARNING
7.11.6 Checking the values for the maximum braking ramp
(>>> 11.1.10 "Checklist: Braking before restricted areas" Page 269)
Description
The “Braking before restricted areas” function is significantly dependent on

the profile of the braking ramp of STOP 1 - DRS. The braking ramp of a
drive ramp stop is linear and is defined by the maximum gradient that can
be maintained when the brakes are applied at full velocity.

Fig. 7-36: Braking ramp of a drive ramp stop
1 Monitoring of the braking ramp

2 Profile of the braking ramp
3 Gradient of the braking ramp
v1 Velocity when drive ramp stop is triggered
t1 End point of the braking ramp
If the value that is stored as the maximum braking ramp is too low, i.e.
the assumed braking ramp is too flat and the robot could, in theory, brake
more quickly, the robot will still execute the drive ramp stop as configured.
Fig. 7-37: Braking ramp flatter than required

2 Braking ramp as per configuration
3 Braking ramp that is theoretically possible
If, on the other hand, the value that is stored as the maximum braking
ramp is too high, i.e. the assumed braking ramp is too steep, the robot
will not be able to maintain this braking ramp in reality and the stop will
escalate to a safety stop 0.


Fig. 7-38: Braking ramp steeper than possible in reality

2 Braking ramp as per configuration
3 Braking ramp that is actually possible
4 Detection of the incorrect braking ramp, escalation to safety stop 0
Therefore, it is necessary to check that the braking ramp can be main-
tained in reality and that the braking ramp stored is not too steep. This
check must be carried out separately for each individual robot axis.
Precondition
• “Braking before restricted areas” is activated.

• At least 1 monitoring space is activated for the axis to be tested.
• Override reduction for space monitoring is deactivated:
‒ $SR_WORKSPACE_RED = FALSE
Procedure
The braking ramp must be checked separately for each axis at a valid
monitoring space. For this purpose, the monitoring space is deliberately
exceeded using a test program. The safety controller then stops the robot.
The following monitoring spaces can be used for checking purposes:
• An axis-specific monitoring space in which a limit is defined and active
for each axis to be checked
• A Cartesian monitoring space that is violated deliberately by the re-
spective single-axis motion
• The cell area that is violated deliberately by the respective single-axis
motion
The following steps must be carried out for each axis individually.
SAFETY INSTRUCTION
1. Create a test program in which the monitoring space of the axis is ex-
ceeded.
2. Execute the test program in T2 mode.
The safety controller stops the robot.
3. Check the active messages.
If a drive ramp stop is triggered by the safety controller due to an im-
pending space violation, the following message is displayed depending
on the type of space:

• Ackn: Safety stop before violation of monitoring space no.

{Number of monitoring space}
• Ackn.: Safety stop before leaving cell area.
4. If it was not possible to maintain the braking ramp, the following mes-
sage is displayed:
• Ackn.: The braking ramp of the robot has been violated.
This message suggests that the stored braking ramp is too steep. This
may be because the machine data stored in the safety controller are
not up to date.
Remedy:
a. Import the up-to-date machine data into the safety configuration

and activate them.
b. Check the braking ramp again.
c. If it remains impossible to maintain the braking ramp, contact KU-
KA.
WARNING
7.12 Checking the values for the safe axis monitoring functions
Description
When the safety configuration is saved, random errors can occur in the
system, resulting in the safety configuration ultimately containing values
that differ from those programmed by the user. This is an exceptional oc-
currence, but cannot be ruled out entirely.
To rule out the possibility of such an error occurring for the parameters
Braking time and Position tolerance, the values of these parameters
must be verified in the diagnostic monitor. No other type of verification is
possible for these parameters.
WARNING
The values must always be checked if the activation code has changed
on the Common tab in the Safety configuration window, i.e. not only if
the values themselves have been changed, but if any changes have
been made that affect the safety configuration.
If this check is not carried out, the safety configuration may contain in-
correct data. Death to persons, severe injuries or considerable damage
to property may result.
Precondition
• The values most recently saved for the parameters Braking time and
Position tolerance are known.
The most recently saved values can generally be found in a checklist,
sign-off sheet, or similar.
Procedure
SAFETY INSTRUCTION


1. In the main menu, select Diagnosis > Diagnostic monitor.
The Diagnostic monitor window opens.
2. Select the Safety controller (HnfHlp) area in the Module box.
Data are now displayed for this area.
3. Compare the values displayed for Braking time and Position toler-
ance with the most recently saved values.
4. Result:
• If the values match: OK.
Close the Diagnostic monitor window. No further action is neces-
sary.
• If the values do not match:
Enter and save the values again. If necessary, transfer the WorkVi-
sual project to the robot controller again.
Then carry out the check again. KUKA must be contacted if the
values still do not match.
7.13 Activating the safety configuration
Description
If the safety configuration on the robot controller has been updated (for
example, via a newly deployed WorkVisual project or the restoration of an
archive), the safety controller signals that the activation code of the safety
configuration is incorrect.
The safety maintenance technician must check the new safety configura-
tion and is responsible for ensuring that the correct safety configuration is
activated. The displayed activation code must match the expected activa-
tion code from the checklist for safety functions.
The administrator is also authorized to activate the safety configuration
following a prior check. They may only do so, however, if they have
been specially trained for the safety configuration.
The safety recovery technician requires the 8-digit activation code of the
safety configuration in order to activate it. The correct activation code
must be communicated by the safety maintenance technician or adminis-
trator.
Precondition
• User group “Safety recovery” or higher
Procedure

The safety configuration checks whether there are any relevant devia-
tions between the robot controller and the safety controller. The Trou-
bleshooting wizard window opens.
2. A description of the problem and a list of possible causes is displayed.
Select the cause from the list, e.g. restoration of an archive.
3. Press Activate to activate the updated safety configuration on the ro-
bot controller.
4. Only for the “Administrator” user group: Confirm the safety message
with OK.

5. Only for user group “Safety recovery”: Enter the activation code and
press Activate again.
7.14 Deactivating safe monitoring
WARNING
If safe monitoring is deactivated, the configured safety monitoring func-
tions are inactive.
Description
The following monitoring functions are part of the standard safety configu-
ration and always active. This means that these monitoring functions re-
main active when safe monitoring is deactivated:
• Monitoring of the braking time
• Monitoring of the maximum axis velocity in T1
• Monitoring of the axis positions during a global safe operational stop
(all axes)
Precondition

• T1 or T2 mode
Procedure
1. Open the safety configuration.

2. Press Global parameters.
3. Remove the check mark from Safe monitoring.
4. Click on Save and answer the request for confirmation with Yes.
The robot controller is automatically reinitialized.

Interfaces to the higher-level controller

8 Interfaces to the higher-level controller
The robot controller can communicate with the higher-level controller via
the safe I/Os of the following safety interfaces:
• Ethernet safety interfaces:
‒ EtherCAT/FSoE
‒ EtherNet/IP/CIP Safety
‒ PROFINET/PROFIsafe
Input and output bytes 2 … 7 are permanently assigned to the safety
monitoring functions of SafeOperation.
Input and output bytes 0 … 1 are assigned to the standard safety
functions.
• Discrete safety interface for safety options:
‒ X13 via Extended SIB
The safe I/Os of the discrete safety interface only offer a reduced
range of signals.
If the interface X13 (Extended SIB) is used, the relay outputs of the
Standard SIB and Extended SIB must be checked cyclically. The check-
ing instructions are contained in the robot controller operating instruc-
tions.
Further information about Extended SIB and interface X13 can be found
in the operating or assembly instructions for the robot controller and in
the Optional Interfaces assembly and operating instructions for the ro-
bot controller.
8.1 Safety functions via Ethernet safety interface
Description
The exchange of safety-relevant signals between the controller and the

system is carried out via the Ethernet safety interface (e.g. PROFIsafe or
CIP Safety). The assignment of the input and output states within the
Ethernet safety interface protocol are listed below. In addition, non-safety-
oriented information from the safety controller is sent to the non-safe sec-
tion of the higher-level controller for the purpose of diagnosis and control.
Reserved bits
Reserved safe inputs can be pre-assigned by a PLC with the values 0 or

1. In both cases, the manipulator will move. If a safety function is as-
signed to a reserved input (e.g. in the case of a software update) and if
this input is preset with the value 0, then the manipulator either does not
move or comes unexpectedly to a standstill.
KUKA recommends pre-assignment of the reserved inputs with 1. If a
reserved input has a new safety function assigned to it, and the input is
not used by the customer’s PLC, the safety function is not activated.
This prevents the safety controller from unexpectedly stopping the ma-
nipulator.

Interfaces to the higher-level controller KUKA.SafeOperation 3.5
Input byte 0
Bit Signal Description

0 RES Reserved 1
The value 1 must be assigned to the input.
1 NHE Input for external Emergency Stop
0 = external E-STOP is active
1 = external E-STOP is not active
2 BS Operator safety
0 = operator safety is not active, e.g. safety gate
open
1 = operator safety is active
3 QBS Acknowledgement of operator safety
Precondition for acknowledgment of operator safety
is the signal "Operator safety active" set in the BS
bit.
Note: If the “BS” signal is acknowledged by the
system, this must be specified under Hardware op-
tions in the safety configuration. Information is con-
tained in the Operating and Programming Instruc-
tions for System Integrators.
0 = operator safety has not been acknowledged
Edge 0 ->1 = operator safety has been acknowl-
edged
4 SHS1 Safety STOP 1 (all axes)
• FF (motion enable) is set to 0.

• Voltage US2 is switched off.
• AF (drives enable) is set to 0 after 1.5 s.
Cancelation of this function does not require ac-
knowledgement.
This function is not permissible for the EMERGEN-
CY STOP function.
0 = safety stop is active
1 = safety stop is not active
5 SHS2 Safety STOP 2 (all axes)
• FF (motion enable) is set to 0.

• Voltage US2 is switched off.
knowledgement.
CY STOP function.
0 = safety stop is active
1 = safety stop is not active
6 RES -
7 RES -


Input byte 1

0 US2 Supply voltage US2 (signal for switching the second
supply voltage, US2, without battery backup)
If this output is not used, it should be set to 0.
0 = switch off US2
1 = switch on US2
Note: Whether and how input US2 is used must be
specified under Hardware options in the safety
configuration. Information is contained in the Oper-
ating and Programming Instructions for System Inte-
grators.
1 SBH Safe operational stop (all axes)
Prerequisite: All axes are stationary
knowledgement.
CY STOP function.
0 = safe operational stop is active.
1 = safe operational stop is not active.
2 RES Reserved 11
3 RES Reserved 12
4 RES Reserved 13
5 RES Reserved 14
6 RES Reserved 15
7 SPA System Powerdown Acknowledge
The system confirms that it has received the power-
down signal. A second after the “SP” (System Pow-
erdown) signal has been set by the controller, the
requested action is executed, without the need for
confirmation from the PLC, and the controller shuts
down.
0 = confirmation is not active
1 = confirmation is active

Output byte 0

0 NHL Local E-STOP (local E-STOP triggered)
0 = local E-STOP is active
1 = local E-STOP is not active
1 AF Drives enable (the internal safety controller in the
KR C4 has enabled the drives so that they can be
switched on)
0 = drives enable is not active (the robot controller
must switch the drives off)
1 = drives enable is active (the robot controller
must switch the drives to servo-control)
2 FF Motion enable (the internal safety controller in the
KR C4 has enabled robot motions)
0 = motion enable is not active (the robot controller
must stop the current motion)
1 = motion enable is active (the robot controller
may trigger a motion)
3 ZS The signal ZS (enabling) is set to 1 (active) if the
following conditions are met:
• One of the enabling switches on the smartPAD

is in the center position (enabling signal has
been issued).
• T1 or T2 mode
• External enabling signal has been issued (signal
ZSE1/ZSE2).
• Robot can be moved (no external
EMERGENCY STOP, safety stop, etc.).
4 PE The signal “Peri enabled” is set to 1 (active) if the
following conditions are met:
• Drives are switched on.

• Safety controller motion enable signal present.
• The message “Operator safety open” must not
be active.
5 AUT The manipulator is in AUT or AUT EXT mode.

0 = AUT or AUT EXT mode is not active
1 = AUT or AUT EXT mode is active
6 T1 The manipulator is in Manual Reduced Velocity
mode.
0 = T1 mode is not active
1 = T1 mode is active
7 T2 The manipulator is in Manual High Velocity mode.
0 = T2 mode is not active
1 = T2 mode is active


Output byte 1

0 NHE External E-STOP has been triggered.
0 = external E-STOP is active
1 = external E-STOP is not active
1 BSQ Operator safety acknowledged
0 = operator safety is not assured
1 = operator safety is assured (input BS = 1 and, if
configured, input QBS acknowledged)
2 SHS1 Safety stop 1 (all axes)
0 = safety stop 1 is not active
1 = safety stop 1 is active (safe state reached)
3 SHS2 Safety stop 2 (all axes)
0 = safety stop 2 is not active
1 = safety stop 2 is active (safe state reached)
4 RES Reserved 13
5 RES Reserved 14
6 PSA Safety interface active
Precondition: An Ethernet interface must be instal-
led on the controller, e.g. PROFINET or Ethernet/IP
0 = safety interface is not active
1 = safety interface is active
7 SP System Powerdown (controller will be shut down)
One second after the SP signal has been set, the
PSA output is reset by the robot controller, without
confirmation from the PLC, and the controller is
shut down.
0 = controller on safety interface is active.
1 = controller will be shut down
8.1.1 SafeOperation via Ethernet safety interface
Description
The components of the industrial robot move within the limits that have
been configured and activated. The actual positions are continuously cal-
culated and monitored against the safety parameters that have been set.
The safety controller monitors the industrial robot by means of the safety
parameters that have been set. If a component of the industrial robot vio-
lates a monitoring limit or a safety parameter, the manipulator and
external axes (optional) are stopped. The Ethernet safety interface can be
used, for example, to signal a violation of safety monitoring functions.
In the case of the KR C4 compact or KR C4 compact slimline robot con-
troller, safety options such as SafeOperation are only available via the
Ethernet safety interface from KSS/VSS 8.3 onwards.

Reserved bits
Reserved safe inputs can be pre-assigned by a PLC with the values 0 or

1. In both cases, the manipulator will move. If a safety function is as-
signed to a reserved input (e.g. in the case of a software update) and if
this input is preset with the value 0, then the manipulator either does not
move or comes unexpectedly to a standstill.
KUKA recommends pre-assignment of the reserved inputs with 1. If a
reserved input has a new safety function assigned to it, and the input is
not used by the customer’s PLC, the safety function is not activated.
This prevents the safety controller from unexpectedly stopping the ma-
nipulator.
Input byte 2

0 JR Mastering test (input for reference switch)
0 = reference switch is active (actuated).
1 = reference switch is not active (not actu-
ated).
EJB External mastering confirmation (input for high
pulse from higher-level controller)
0 = external mastering confirmation is not ac-
tive (there is no pulse).
1 = external mastering confirmation is active
(there is a pulse).
The pulse must be at least 350 ms long and
must not exceed 5 s. If the EJB signal
switches from “logic 0” to “logic 1” and
switches back to “logic 0” within the time
frame, the mastering test is successfully con-
firmed.
1 VRED Reduced axis-specific and Cartesian velocity
(activation of reduced velocity monitoring)
0 = reduced velocity monitoring is active.
1 = reduced velocity monitoring is not active.
2 … 7 SBH1 ... 6 Safe operational stop for axis group 1 ... 6
Assignment: Bit 2 = axis group 1 … bit 7 =
axis group 6
Signal for safe operational stop. The function
does not trigger a stop, it only activates the
safe standstill monitoring. Cancelation of this
function does not require acknowledgement.
Input byte 3

0 … 7 RES Reserved 25 … 32
The value 1 must be assigned to the inputs.


Input byte 4

0 … 7 UER1 … 8 Monitoring spaces 1 … 8
Assignment: Bit 0 = monitoring space 1 … bit
7 = monitoring space 8
0 = monitoring space is active.
1 = monitoring space is not active.
Input byte 5

0 … 7 UER9 … 16 Monitoring spaces 9 … 16
Input byte 6

0 … 7 WZ1 … 8 Tool selection 1 … 8
Assignment: Bit 0 = tool 1 … bit 7 = tool 8
0 = tool is not active.
1 = tool is active.
Exactly one tool must be selected at all times.
Input byte 7

0 … 7 WZ9 … 16 Tool selection 9 … 16
Assignment: Bit 0 = tool 9 … bit 7 = tool 16
0 = tool is not active.
1 = tool is active.
Exactly one tool must be selected at all times.
Output byte 2

0 SO Activation status of the safety option
0 = safety option is not active.
1 = safety option is active
1 RR Robot referenced
Mastering test display
0 = mastering is not referenced.
1 = mastering test performed successfully.


2 JF Mastering error
The space monitoring is deactivated if at least
one axis is not mastered.
0 = mastering error. Space monitoring has
been deactivated.
1 = no error.
3 VRED Reduced axis-specific and Cartesian velocity
(activation status of reduced velocity monitor-
ing)
4 … 7 SBH1 ... 4 Activation status of safe operational stop for
axis group 1 ... 4
axis group 4
Output byte 3

0 … 1 SBH5 ... 6 Activation status of safe operational stop for
axis group 5 ... 6
axis group 6
2 SOS Safe Operation Stop
0 = a safety function has triggered a stop.
The output remains in the “0” state for at least
200 ms.
1 = none of the safety functions has triggered
a stop.
3 … 7 RES Reserved 28 … 32
Output byte 4

0 … 7 MR1 … 8 Alarm space 1 … 8
Assignment: Bit 0 = alarm space 1 (associ-
ated monitoring space 1) … bit 7 = alarm
space 8 (associated monitoring space 8)
0 = monitoring space is violated.
1 = monitoring space is not violated.
Note: An inactive monitoring space is consid-
ered to be violated by default, i.e. in this case
the associated safe output MRx has the state
“0”.


Output byte 5

0 … 7 MR9 … 16 Alarm space 9 … 16
Assignment: Bit 0 = alarm space 9 (associ-
ated monitoring space 9) … bit 7 = alarm
space 16 (associated monitoring space 16)
0 = monitoring space is violated.
1 = monitoring space is not violated.
Note: An inactive monitoring space is consid-
ered to be violated by default, i.e. in this case
the associated safe output MRx has the state
“0”.
Output byte 6

0 … 7 RES Reserved 49 ... 56
Output byte 7

0 … 7 RES Reserved 57 ... 64
8.1.2 Diagnostic signals via Ethernet interface
Description
Some signal states are extended to ensure that they can be detected reli-
ably. In the case of extended signal states, the minimum duration of the
extension is specified in square brackets. Values are specified in millisec-
onds, e.g. [200].
The diagnostic signals available via the Ethernet interface are not safe
signals and may only be used for diagnostic purposes.
Output byte 0

0 DG Validity for non-safety-oriented signals and da-
ta on this interface
0 = data are not valid
1 = data are valid
1 IFS Internal error in safety controller
0 = no error
1 = error [200]
2 FF Motion enable
0 = motion enable not active [200]
1 = motion enable active


3 AF Drives enable
0 = drives enable not active [200]
1 = drives enable active
4 IBN Start-up mode
Start-up mode enables jogging of the manipu-
lator without a higher-level controller.
0 = Start-up mode is not active.
1 = Start-up mode is active.
5 US2 Peripheral voltage
0 = US2 switched off
1 = US2 switched on
6 … 7 RES Reserved
Output byte 1

0 SO Activation status of the safety option
0 = safety option is not active
1 JF Mastering error (optional)
0 = no error
1 = mastering error, space monitoring deacti-
vated.
2 VRED Reduced velocity (optional)
3 VKUE At least one Cartesian velocity limit exceeded
(optional)
0 = no error
1 = velocity exceeded [200]
4 VAUE At least one axis velocity limit exceeded (op-
tional)
0 = no error
1 = velocity exceeded [200]
5 ZBUE Cell area exceeded (optional)
0 = no error
1 = cell area exceeded [200]


Output byte 2

0 SHS1 Safety stop (all axes) STOP 0 or STOP 1
0 = safety stop is not active.
1 = safety stop is active.
1 ESV External stop request violated
Safe operational stop SBH1, SBH2 or safety
stop SHS1, SHS2 violated
Braking ramp was not maintained or a moni-
tored axis has moved.
0 = no error
1 = violated
2 SHS2 Safety stop 2
0 = safety stop is not active.
1 = safety stop is active.
3 SBH1 Safe operational stop (axis group 1) (optional)
4 SBH2 Safe operational stop (axis group 2) (optional)
5 WFK Tool error (no tool) (optional)
0 = no error
1 = no tool selected.
6 WFME Tool error (more than one tool) (optional)
0 = no error
1 = more than one tool selected.
7 RES Reserved
Output byte 3

0 JR Mastering test (optional)
0 = mastering test is not active
1 = mastering test is active
1 RSF Reference switch error (optional)
0 = reference switch OK
1 = reference switch defective [200]
2 JRA Mastering test request (optional)
0 = mastering test not requested
1 = mastering test requested


3 JRF Mastering test failed (optional)
0 = mastering test OK
1 = mastering test failed
4 RS Reference stop (optional)
Reference run is only possible in T1 mode.
0 = no error
1 = reference stop due to impermissible oper-
ating mode
5 RIA Referencing interval (optional)
0 = no reminder
1 = reminder interval expired [200]
Output byte 4

0 … 7 WZNR Tool number (8-bit word) (optional)
0 = error (see WFK and WFME)
1 = tool 1
2 = tool 2, etc.
Output byte 5

0 … 7 UER1 … 8 Monitoring spaces 1 … 8 (optional)
Output byte 6

0 … 7 UER9 … 16 Monitoring spaces 9 … 16 (optional)


Output byte 7

0 … 7 UERV1 … 8 Stop in the event of a violation of monitoring
spaces 1 … 8 (optional)
0 = monitoring space is not violated, or moni-
toring space is violated but “Stop at bounda-
ries” has not been configured.
1 = monitoring space is violated and robot
stops with a safety stop [200]. Precondition:
“Stop at boundaries” has been configured.
Output byte 8

0 … 7 UERV9 … 16 Stop in the event of a violation of monitoring
spaces 9 … 16 (optional)
0 = monitoring space is not violated, or moni-
toring space is violated but “Stop at bounda-
ries” has not been configured.
1 = monitoring space is violated and robot
stops with a safety stop [200]. Precondition:
“Stop at boundaries” has been configured.
8.2 SafeOperation via interface X13
If interface X13 is used, tool 1 is always active. The tool cannot be acti-
vated via a safe input. An automated, safely monitored tool change is
thus not possible.
Further information about connection to interface X13 and the required

safety measures can be found in the Optional Interfaces assembly and
operating instructions for the robot controller.
Inputs
Some of the inputs can be configured in WorkVisual. As standard, the

configurable inputs are used to activate the monitoring space UER13 …
UER16. Alternatively, these inputs can be configured to activate the safe
operational stop SBH3 … SBH6.
It is not permissible to assign an input twice, i.e. to use it simultaneous-
ly for activating a monitoring space and a safe operational stop.

X13 Pin Signal Description

1, 2 (A) VRED Reduced axis-specific and Cartesian ve-
locity (activation of reduced velocity moni-
19, 20 (B)
toring)
1 = reduced velocity monitoring is not ac-
tive.
3, 4 (A) UER12 Monitoring space 12
21, 22 (B) 0 = monitoring space is active.
5, 6 (A) UER13 Monitoring space 13 (default)
SBH3 Safe operational stop (axis group 3)
13, 14 (A) SBH1 Safe operational stop (axis group 1)
31, 32 (B) 0 = safe operational stop is active.
15, 16 (A) SBH2 Safe operational stop (axis group 2)
33, 34 (B) 0 = safe operational stop is active.


The signal for the safe operational stop does not trigger a stop, it only
activates the safe standstill monitoring. Cancelation of this function does
not require acknowledgement.
Outputs
An inactive monitoring space is considered to be violated by default, i.e.

in this case the associated safe output MRx has the state “0”.
X13 Pin Signal Description

37, 38 (A) MR1 Alarm space 1 (associated monitoring
space 1)
55, 56 (B)
0 = space is violated.
1 = space is not violated.
space 2)
57, 58 (B)
space 3)
59, 60 (B)
space 4)
61, 62 (B)
space 5)
63, 64 (B)
space 6)
65, 66 (B)
49, 50 (A) SO Activation status of the safety option
67, 68 (B) 0 = safety option is not active.
51, 52 (A) RR Robot referenced
69, 70 (B) Mastering test display
0 = mastering is not referenced.
1 = mastering test performed successfully.
8.2.1 Mastering test via interface X42
Interface X42 provides a dual-channel input for the mastering test.

Further information regarding interface X42 can be found in the assem-

bly and operating instructions Optional Interfaces for the robot control-
ler.
Signal Description
JR Mastering test (input for reference switch)
0 = reference switch is active (actuated).
1 = reference switch is not active (not actuated).
EJB External mastering confirmation (input for high pulse from
higher-level controller)
0 = external mastering confirmation is not active (there is
no pulse).
1 = external mastering confirmation is active (there is a
pulse).
The pulse must be at least 350 ms long and must not
exceed 5 s. If the EJB signal switches from “logic 0” to
“logic 1” and switches back to “logic 0” within the time
frame, the mastering test is successfully confirmed.

Diagnosis
9 Diagnosis
9.1 Displaying the diagnostic data with the diagnostic monitor
Description
The current status of the safe inputs/outputs can be displayed in the diag-
nostic monitor.
Precondition
• User rights: Function group Diagnostic functions
Procedure

2. Select the Bus process data image[Name of bus/interface] module in
the Module box.
9.2 Displaying the diagnostic data for the safety interface
Description
For advanced diagnosis of the safe inputs/outputs, the diagnostic data for
the safety interface can be displayed.
Precondition
• The KUKA.DiagnosisSafety option package is installed.
Procedure
1. In the main menu, select Diagnosis > Safety interfaces.

2. Select the desired tab, e.g. PROFIsafe.
The diagnostic data are displayed.
Further information about advanced diagnosis can be found in the KU-

KA.DiagnosisSafety documentation.
9.3 System variables for diagnosis
$SR_ACTIVETOOL Number of the active safe tool
• 0: no safe tool or multiple safe tools are selected.

• 1 … 16: safe tool 1 … 16 is active.
$SR_AXISSPEED_OK Reduced axis acceleration exceeded
TRUE = axis velocity has not been exceeded.
FALSE = axis velocity has been exceeded.
The variable is set to FALSE when the excessive value is
detected and then set immediately back to TRUE.

Diagnosis KUKA.SafeOperation 3.5
$SR_CARTSPEED_OK Cartesian velocity exceeded
TRUE = Cartesian velocity has not been exceeded.
FALSE = Cartesian velocity has been exceeded.
The variable is set to FALSE when the excessive value is
detected and then set immediately back to TRUE.
$SR_DRIVES_ENABLE Enabling of the drives by the safety controller
TRUE = drives are enabled.
FALSE = drives are not enabled.
$SR_MOVE_ENABLE Enabling by the safety controller
TRUE = motion enable
FALSE = no motion enable
$SR_RANGE_ACTIVE[1] Activation status of monitoring spaces 1...16
… TRUE = monitoring space is active.
$SR_RANGE_ACTIVE[16] FALSE = monitoring space is not active.
$SR_RANGE_OK[1] Violation of monitoring spaces 1...16
… TRUE = monitoring space is not violated.
$SR_RANGE_OK[16] FALSE = monitoring space has been violated and the ro-
bot has been stopped.
Note: The variable depends on whether a stop has been
configured for the monitoring space in the event of a vio-
lation. If no stop is configured, the variable is always
TRUE.
$SR_SAFEMON_ACTIVE State of safe monitoring
TRUE = monitoring is activated.
FALSE = monitoring is not activated.
$SR_SAFEOPSTOP_ACTIVE[In- State of the safe operational stop
dex]
TRUE = safe operational stop is activated.
FALSE = operational stop is not activated
Index:
• 1: state of the global safe operational stop (all axes)

The global operational stop is a standard safety func-
tion of the Ethernet safety interface. (Input byte 1,
bit 1, safe operational stop)
• 2 … 7: state of the safe operational stop in relation to
axis group 1 … 6 (safe operational stop 1 …safe op-
erational stop 6)
$SR_SAFEOPSTOP_OK Violation of an externally activated operational stop
TRUE = no violation
FALSE = safe operational stop has been violated.
$SR_SAFEREDSPEED_ACTIVE State of the monitoring of the reduced velocity
TRUE = monitoring is activated.
FALSE = monitoring is not activated.

Diagnosis
9.4 Outputs for space monitoring
In the following error situations, outputs that signal a space violation like-
wise switch to the “violated” state (precondition: monitoring space is ac-
tive.):
• In the case of a Cartesian monitoring space, the Cartesian position is
invalid. The Cartesian position is invalid if one of the robot axes has
an invalid position. This applies in the following cases:
‒ An axis is unmastered.
‒ An encoder error has occurred.
‒ A communication error has occurred.
• In the case of an axis-specific monitoring space, the position of one of
the monitored axes is invalid. This applies in the following cases:
‒ An axis is unmastered.
‒ An encoder error has occurred.
‒ A communication error has occurred.
• In the case of a Cartesian monitoring space, no tool is selected or
several tools are selected simultaneously.
Signal states in error situations:
Output / variable Logic state
MRx (safe outputs) 0
UERVx 1
$SR_RANGE_OK[x] 0 (FALSE)

Diagnosis KUKA.SafeOperation 3.5

Messages
10 Messages
10.1 Information about the messages
The “Messages” chapter contains selected messages. It does not cover all
the messages displayed in the message window.
10.2 System messages from module: CrossMeld (KSS)
10.2.1 KSS15016
Message code KSS15016

Message text Ackn.: Stop due to standstill monitoring violation
Message type Acknowledgement message
Effect Ramp stop
Input of active commands (robot motions, program start) is blocked.
Possible cause(s) Cause: Safe operational stop violated (>>> Page 197)
Solution: Acknowledge message (>>> Page 197)
Cause: Safe operational stop violated
Description
At least one of the axes monitored for standstill has moved outside the
configured position tolerance.
Solution: Acknowledge message
Description
The program can be resumed once the message has been acknowledged.
Procedure
• An acknowledgeable message can be acknowledged with OK.

• All acknowledgeable messages can be acknowledged at once with All
OK.
10.2.2 KSS15017

Message text Ackn.: The braking ramp of the robot has been violated.

Messages KUKA.SafeOperation 3.5
Effect Short-circuit braking
Possible cause(s) Cause: Braking ramp for STOP 1 or safe operational stop not main-
tained (>>> Page 198)
Cause: Braking ramp for STOP 1 or safe operational stop not maintained
Description
The robot controller has not triggered strong enough braking in the case
of a STOP 1 or a safe operational stop.
Description
Procedure

OK.
10.2.3 KSS15018

Message text Ackn.: Maximum Cartesian velocity in T1 mode exceeded
Effect Ramp stop
Possible cause(s) Cause: $SR_VEL_RED is FALSE (>>> Page 199)

Solution: Change value of the variable (>>> Page 199)
Cause: $SR_OV_RED set too high (>>> Page 199)

Solution: Change value of the variable (>>> Page 200)
Cause: Invalid drive configuration in WorkVisual (>>> Page 200)

Solution: Adapt the drive configuration in WorkVisual
(>>> Page 201)

Cause: $SR_VEL_RED is FALSE
Messages
Description
The variable $SR_VEL_RED is used to activate the override reduction for

monitored velocities. If override reduction is active, the velocity is automat-
ically reduced so that the lowest currently monitored velocity limit is not
exceeded.
This override reduction is deactivated if the variable is FALSE.
The procedure for checking the current value of the variable is as
follows:
Checking instructions
1. In the main menu, select Display > Variable > Single.

The Variable display – Single window opens.
2. Enter the name of the variable in the Name box and confirm with the
Enter key.
The current value of the variable is displayed in the Current value
box.
Further information on override reduction is contained in the assembly

and operating instructions of the safety option.
Solution: Change value of the variable
Description
Change the value of the variable using the variable correction function.
Precondition
User rights:
• KSS: Function group General configuration

• VSS: User group “User” or higher
Procedure

2. Enter the variable name in the Name box and confirm with the Enter
key. The current value of the variable is displayed.
3. Enter the new value in the New value box.
4. Press the Set value button. The new value is displayed in the Cur-
rent value box.
Cause: $SR_OV_RED set too high
Description
The override reduction for monitored velocities is activated

($SR_VEL_RED = TRUE), but the value of the variable $SR_OV_RED is
set too high. The lower the value of $SR_OV_RED, the more a monitored
velocity limit is reduced by the override reduction.
The procedure for checking the current value of the variable is as
follows:


2. Enter the name of the variable in the Name box and confirm with the
Enter key.
The current value of the variable is displayed in the Current value
box.
Further information on override reduction is contained in the assembly

Solution: Change value of the variable
Description
Change the value of the variable using the variable correction function.
Precondition
User rights:
• KSS: Function group General configuration

• VSS: User group “User” or higher
Procedure

2. Enter the variable name in the Name box and confirm with the Enter
key. The current value of the variable is displayed.
3. Enter the new value in the New value box.
4. Press the Set value button. The new value is displayed in the Cur-
rent value box.
Cause: Invalid drive configuration in WorkVisual
Description
The drive configuration in WorkVisual has been configured incorrectly. The

wrong initial project has been loaded and supplied, for example.
Fig. 10-1: Example for interchanged main and wrist axes

The procedure for checking whether the drive configuration is cor-
Messages
rect is as follows:
1. Check whether the motor connectors are correctly connected at the in-
terface panel.
2. Check whether the plug-in connectors on the KPP, KSP, etc., are cor-
rectly connected.
3. Check whether the drive bus configuration in WorkVisual matches the
hardware actually installed.
Solution: Adapt the drive configuration in WorkVisual
Description
Configure the drive configuration correctly in WorkVisual.
Procedure
1. Open and activate the current WorkVisual project.

2. Right-click on the Controller components node on the Hardware tab
in the Project structure window.
3. Select Drive configuration from the context menu. The “Drive config-
uration” window opens.
4. Compare the configured configuration with the components actually in-
stalled.
5. Delete the incorrect connections between the modules (KPP, KSP).
6. Recreate the connections manually or select the correct solution via
the WorkVisual project analysis in the bottom right-hand corner.
7. Then save the project and transfer it to the controller.
10.2.4 KSS15019

Message text Ackn.: Maximum axis-specific velocity in T1 mode exceeded
Effect Ramp stop
Possible cause(s) Cause: Jog override too high (>>> Page 202)
Solution: Reduce the jog override (>>> Page 202)
Cause: Program override too high (>>> Page 202)

Solution: Reduce the program override (>>> Page 202)
Cause: Maximum axis velocity in T1 incorrectly configured

(>>> Page 203)
Solution: Change the safety configuration (>>> Page 203)

Cause: Kernel system commands excessively high velocity during

force test (>>> Page 204)
Solution: Adapt Maximum velocity T1 in the safety configuration
(>>> Page 204)
Cause: Jog override too high
Description
Jog override was set to an overly high value while jogging in T1 mode.
For this reason, at least one axis was moving more quickly than is permit-
ted for T1 mode.
Solution: Reduce the jog override
Description
Reduce the jog override for jogging mode.
Procedure
1. Touch the status indicator Overrides. The Overrides window opens.
Fig. 10-2: Overrides status indicator
2. Set the desired jog override. It can be set using either the plus/minus
keys or by means of the slider.
• Plus/minus keys: The value can be set to 100%, 75%, 50%, 30%,
10%, 5%, 3%, 1%.
• Slider: The override can be adjusted in 1 % steps.
3. Touch the status indicator Overrides again. (Or touch the area outside
the window.)
The window closes and the selected override value is applied.
Alternatively, the override can be set using the plus/minus key on the low-
er right-hand side of the smartPAD.
Cause: Program override too high
Description
Program override was set to an overly high value during program control
in T1 mode. For this reason, at least one axis was moving more quickly
than is permitted for T1 mode.
Solution: Reduce the program override
Description
Reduce the program override for program control.

Messages
Procedure
1. Touch the status indicator Overrides. The Overrides window opens.
Fig. 10-3: Overrides status indicator
2. Set the desired program override. It can be set using either the plus/
minus keys or by means of the slider.
• Plus/minus keys: The override can be adjusted in predefined
steps.
• Slider: The override can be adjusted in 1% steps.
3. Touch the status indicator Overrides again. (Or touch the area outside
the window.)
The window closes and the selected override value is applied.
Alternatively, the override can be set using the plus/minus key on the low-
er right-hand side of the smartPAD.
Cause: Maximum axis velocity in T1 incorrectly configured
Description
At least one axis moved more quickly than the highest permissible velocity
in T1 mode.
In the safety configuration, an incorrect value for the maximum axis veloc-
ity in T1 has been entered for at least one axis, for example, a value that
is different to the one specified by the system integrator.
The procedure for checking what values are configured is as follows:

3. For each axis, check what value is configured for the parameter Maxi-
mum velocity T1.
Solution: Change the safety configuration
Precondition

• T1 or T2 mode
Procedure
1. In the main menu, select Configuration > Safety configuration. The

safety configuration is opened.
2. Select the appropriate tab and modify the configuration as required.


Further information on safety acceptance is contained in the assembly

Cause: Kernel system commands excessively high velocity during force test
Description
The velocity of all axes is limited as standard to 250 mm/s in T1.

For the force test in KUKA.ServoGun, the kernel system takes over the
velocity of the weld gun after a certain point in time. Under certain circum-
stances (depending on the required force and transmission ratio), this may
exceed 250 mm/s. For this reason, a higher value must also be config-
ured for the parameter Maximum velocity T1 for the external axis.

3. For each axis, check what value is configured for the parameter Maxi-
mum velocity T1.
Solution: Adapt Maximum velocity T1 in the safety configuration
Description
Adapt the parameter Maximum velocity T1 in the safety configuration. To

do so, cancel the axis coupling and restore it again after adapting the pa-
rameter.
Precondition
• The affected project is open.
Procedure
1. Select Editors > Drive configuration in the menu bar.

The Drive configuration window opens.
2. Right-click on the connecting line between the gun motor and the
RDC and select Disable axis coupling.
3. Select Editors > Safety configuration (local) in the menu bar.
4. Switch to the Axis monitoring tab.
5. Adapt the value for Maximum velocity T1.
6. Return to the Safety configuration (local) window.
7. Right-click on the connecting line between the gun motor and the
RDC again and select Enable axis coupling.



Messages
10.2.5 KSS15033

Message text More then one tool activated in the safety controller
Message type Status message
Effect Ramp stop

Follow-up message KSS15034 (>>> Page 205)
Possible cause(s) Cause: More then one tool activated in the safety controller
(>>> Page 205)
Solution: Only activate the required safety-oriented tool
(>>> Page 205)
Cause: More then one tool activated in the safety controller
Description
More than one tool is activated in the safety controller. Only 1 safety-ori-
ented tool may be active at any time
Solution: Only activate the required safety-oriented tool
Description
Only activate the required tool via the associated safety-oriented input on
the Ethernet safety interface.
Procedure
1. Reset the inputs for invalid tools.

2. Specify the input for the required tool.
10.2.6 KSS15034

Message text Ackn.: More than one tool activated in the safety controller
Effect Ramp stop

Original message KSS15033 (>>> Page 205)
Possible cause(s) Cause: Error cause of the original message has been eliminated.
(>>> Page 206)

Cause: Error cause of the original message has been eliminated.

Messages
Description
This follow-up message is displayed if the error cause of the original mes-
sage has been eliminated.
Description
Procedure

OK.
10.2.7 KSS15035

Message text No tool activated in safety controller
Effect Ramp stop

Possible cause(s) Cause: No tool activated in safety controller (>>> Page 206)
Solution: Activate safety-oriented tool (>>> Page 206)
Cause: No tool activated in safety controller
Description
No tool is activated in the safety controller.

Only 1 safety-oriented tool may be active at any time. If SafeRangeMoni-
toring is used, tool 1 must be active. Tool 1 can be activated via input
WZ1 of the Ethernet safety interface.
Solution: Activate safety-oriented tool
Description
Activate the required tool via the associated safety-oriented input on the
Ethernet safety interface.
Procedure
• Specify the input for the required tool.

Messages
10.2.8 KSS15036

Message text Ackn.: No tool activated in safety controller
Effect Ramp stop

(>>> Page 207)
Description
Description
Procedure

OK.
10.2.9 KSS15037

Message text Cell area exceeded
Effect No braking reaction
No interlock of motions or commands
Possible cause(s) Cause: Cell area exceeded (>>> Page 208)

Solution: Move the robot out of the violated space: (>>> Page 208)

Cause: Cell area exceeded

Messages
Description
The active safe tool has left the cell area. There is a space violation.
Solution: Move the robot out of the violated space:
Description
The robot must be moved out of the violated space in T1 mode. No other
operating mode can be set until the robot has left the violated space.
Precondition
Procedure

10.2.10 KSS15039

Message text Ackn.: Maximum global Cartesian velocity exceeded
Effect Ramp stop
Possible cause(s) Cause: Global maximum Cartesian velocity incorrectly configured

(>>> Page 208)
Cause: Global maximum Cartesian velocity exceeded by program-

ming (>>> Page 209)
Solution: Correct programming (>>> Page 209)
Cause: Global maximum Cartesian velocity incorrectly configured
Description
The maximum permissible Cartesian velocity has been exceeded.

In the safety configuration, an incorrect value for the global maximum Car-
tesian velocity has been entered, for example, a value that is different to
the one specified by the system integrator.

The procedure for checking which value is configured for the parameter
Messages
Cartesian maximum velocity is as follows:

The safety configuration opens with the Common tab.
2. Press Global parameters. The global parameters are displayed.
3. Search for the parameter and check the value.
Precondition

• T1 or T2 mode
Procedure



Cause: Global maximum Cartesian velocity exceeded by programming
Description
The programmed path or programming method causes the Cartesian ve-

locity to exceed the maximum global Cartesian velocity defined in the
• Check programming.
Solution: Correct programming
Procedure
• Correct programming
Further information is contained in the documentation for the rele-
vant software.
10.2.11 KSS15040

Message text Ackn.: Maximum global axis velocity exceeded

Effect Ramp stop
Possible cause(s) Cause: Global maximum axis velocity incorrectly configured

(>>> Page 210)
Cause: Global maximum axis velocity exceeded by programming

(>>> Page 211)
Cause: Global maximum axis velocity incorrectly configured
Description
At least one axis has exceeded the maximum permissible value for global
axis velocity.
In the safety configuration, an incorrect value for the maximum velocity for
rotational axes or linear axes has been entered, for example, a value that
is different to the one specified by the system integrator.

3. Check the values of the following parameters:
• Maximum velocity rotational axis
• Maximum velocity translational axis
Precondition

• T1 or T2 mode
Procedure




Cause: Global maximum axis velocity exceeded by programming
Messages
Description
The programmed path or programming method causes at least one axis

to exceed the maximum permissible global axis velocity defined in the
Procedure
vant software.
10.2.12 KSS15041

Message text Ackn.: Maximum safe reduced Cartesian velocity exceeded
Effect Ramp stop
Possible cause(s) Cause: Safe reduced Cartesian velocity incorrectly configured

(>>> Page 211)
Cause: Safe reduced Cartesian velocity exceeded by programming

(>>> Page 212)
Cause: Safe reduced Cartesian velocity incorrectly configured
Description
The maximum permissible safe reduced Cartesian velocity has been ex-
ceeded.
In the safety configuration, an incorrect value for the safe reduced Carte-
sian velocity has been entered, e.g. a value that is different to the one
specified by the system integrator.
The procedure for checking which value is configured for the parameter
Reduced Cartesian velocity is as follows:


Messages
2. Press Global parameters. The global parameters are displayed.

3. Search for the parameter and check the value.
Precondition

• T1 or T2 mode
Procedure



Cause: Safe reduced Cartesian velocity exceeded by programming
Description
The programmed path or programming method causes the Cartesian ve-

locity to exceed the activated safe reduced Cartesian velocity defined in
the safety configuration.
Procedure
vant software.
10.2.13 KSS15042

Message text Ackn.: Safe reduced axis velocity exceeded

Messages
Effect Ramp stop
Possible cause(s) Cause: Safe reduced axis velocity incorrectly configured

(>>> Page 213)
Cause: Maximum value for safe reduced axis velocity exceeded by

programming (>>> Page 214)
Cause: Safe reduced axis velocity incorrectly configured
Description
At least one axis has exceeded the maximum permissible value for the
safe reduced axis velocity.
In the safety configuration, an incorrect value for the reduced axis velocity
has been entered for at least one axis, for example, a value that is differ-
ent to the one specified by the system integrator.

3. For each axis, check what value is configured for the parameter Re-
duced velocity.
Precondition

• T1 or T2 mode
Procedure




Cause: Maximum value for safe reduced axis velocity exceeded by programming
Messages
Description
The programmed path or programming method causes the maximum val-

ue for the safe reduced axis velocity defined in the safety configuration to
be exceeded by at least one axis.
If an override reduction is activated by $SR_VEL_RED=TRUE, but the ro-
bot moves without spline, the axis velocities are not reduced. The override
reduction then only has an effect on axis velocities if spline motions are
programmed.
Example
Axis 5 is moved into a singularity position. Axes 4 and 6 are therefore

considerably accelerated and the safe reduced axis velocity is exceeded.
Fig. 10-4: Wrist axis singularity (α5 position)
Procedure
vant software.
10.2.14 KSS15043

Message text External safe operational stop violated (axis group {Number of axis
group})


Messages
Possible cause(s) Cause: Value configured for position tolerance too low
(>>> Page 215)
Cause: Axis group incorrectly configured (>>> Page 215)

Cause: Value configured for position tolerance too low
Description
The value configured in the safety configuration for the position tolerance
of at least one axis in the axis group is too low. The values specified by
the system builder must be configured.

3. For each axis in the axis group, check whether the value entered for
Position tolerance matches the specified value.
Precondition

• T1 or T2 mode
Procedure



Cause: Axis group incorrectly configured
Description
The axis group is incorrectly configured in the safety configuration, i.e. the
group contains axes which are not to be monitored here. The axes speci-
fied by the system builder must be monitored.
The procedure for checking whether an axis is monitored in the cor-
rect axis group is as follows:


3. Select the axis that is to be checked from the list.
The check mark must be activated in the check box with the number
of the axis group in which the axis is to be monitored.
Precondition

• T1 or T2 mode
Procedure



10.2.15 KSS15044

Message text Ackn.: External safe operational stop violated (axis group {Number
of axis group})

(>>> Page 217)

Messages
Description
Description
Procedure

OK.
10.2.16 KSS15045

Message text Error at mastering reference switch
Possible cause(s) Cause: Reference cable X42 - XS Ref not correctly connected
(>>> Page 217)
Solution: Connect cable correctly (>>> Page 218)
Cause: Reference position taught incorrectly (>>> Page 218)

Solution: Reteach reference position and check accuracy
(>>> Page 218)
Cause: Reference switch installed incorrectly or moved

(>>> Page 218)
Solution: Reinstall or realign reference switch (>>> Page 219)
Cause: Reference cable X42 - XS Ref defective (>>> Page 219)

Solution: Exchange reference cable X42 - XS Ref (>>> Page 220)
Cause: Reference cable X42 - XS Ref not correctly connected
Description
The reference switch is connected to interface X42 on the robot controller

via the reference cable.
The procedure for checking whether the reference cable is correctly
connected is as follows:

Precondition

• The power cable is de-energized.
• Observe the ESD guidelines.
1. Check whether the connectors of the cable are connected firmly

enough.
2. Check whether pins are bent when connected.
Solution: Connect cable correctly
Precondition

Procedure
• Connect cable correctly.
Cause: Reference position taught incorrectly
Description
The reference position to which the robot moves in the mastering test has
been taught incorrectly. This results in single-channel referencing.
1. Move to reference position.

2. Check whether both proximity switch surfaces of the reference switch
are actuated by the switching surface (actuating plate or tool).
Solution: Reteach reference position and check accuracy
Description
The reference position must be taught in the subprogram that is executed

during the mastering test and in the safety configuration.
If the reference switch is actuated by the ferromagnetic part of a tool, the
accuracy of the newly taught reference position must be checked.
The reference position must be taught and checked in accordance with
the procedure described in the operating and assembly instructions.
Description
The taught reference position has been addressed correctly. Single-chan-

nel mastering occurs because the reference switch has been installed in
an incorrect position or has been moved.

Messages

Solution: Reinstall or realign reference switch
Description
The reference switch must installed or aligned in such a way that both
proximity switch surfaces of the reference switch are actuated simultane-
ously when the robot is in the reference position.
Fig. 10-5: Installation position of reference switch on external axis
Cause: Reference cable X42 - XS Ref defective
Description
The reference switch is connected to interface X42 on the robot controller

via the reference cable.
The procedure for checking whether the reference cable is defective
is as follows:
Precondition

1. Check whether the connectors are correctly connected. Particular at-

tention must be paid to:
• Pins pushed in

• Corrosion
• Scorched contacts
• Connector insert pushed back
• Socket pushed back
• Connector on correct slot
2. Check whether the cable is mechanically damaged. Causes of squash-
ed cables or wires can include the following:
• Cable straps too tight
• Clips too tight
• Trapped when closing a cover
• Bend radius too tight
3. Check whether the cable still conducts electricity. Particular attention
must be paid to:
• Cross-connection of individual wires
• Short-circuit of individual wires with the ground conductor
• Correct wiring in accordance with circuit diagram
Solution: Exchange reference cable X42 - XS Ref
Description
The reference cable must be exchanged.

NOTICE

Precondition

Procedure
1. Disconnect and remove the defective reference cable.

2. Route the new reference cable correctly (in a fixed installation or cable
carrier).
3. Connect the reference cable. Connect connector X42 to interface X42
on the robot controller and connector XS Ref to the reference switch.
10.2.17 KSS15046

Message text Error was at the mastering reference switch

Messages
Message type Notification message
Possible cause(s) Cause: Notification message following elimination of state of error

(>>> Page 221)
Solution: System information: no operator action required
(>>> Page 221)
Cause: Notification message following elimination of state of error
Description
This notification message is displayed once the state of error has been
eliminated and the associated status message has been revoked.
Description
This message provides system information to the operator and requires no

action.
10.2.18 KSS15047

Message text Mastering test required (internal)
10.2.19 KSS15048

Message text Ackn.: Mastering test time interval expired
Effect Ramp stop

Possible cause(s) Cause: Monitoring time elapsed (>>> Page 222)

Solution: Perform mastering test and acknowledge message
(>>> Page 222)
Cause: Monitoring time elapsed
Description
Following an internal mastering test request, the robot can be moved for
another 2 hours. This time has elapsed.
It is possible to acknowledge the message without performing a mastering
test beforehand. The robot can then be moved for another 2 hours without
referenced axes (not recommended).
The safety integrity of the safety functions based upon safe axis posi-
tions is limited until the mastering test has been performed and con-
firmed. The safety functions may behave differently from how they were
configured, creating additional hazards in the system.
Description
Following a successful mastering test, the message can be acknowledged.
Procedure
1. Perform mastering test.

2. Acknowledge the message with OK.
10.2.20 KSS15049

Message text Mastering test failed
Possible cause(s) Cause: Mastering test failed (>>> Page 223)

(>>> Page 223)
Cause: Mastering test failed (>>> Page 223)

Solution: Eliminate cause of error and carry out mastering test
(>>> Page 223)

Cause: Mastering test failed
Messages
Description
The mastering test has failed. The cause of the error is indicated in an
additional message.
Description
Following a successful mastering test, the message can be acknowledged.
Procedure
1. Perform mastering test.

Cause: Mastering test failed
Description
The mastering test has failed. The cause of the error is indicated in an
additional message.
Solution: Eliminate cause of error and carry out mastering test
Description
The error cause specified in the additional message must be eliminated

and the mastering test must then be performed again.
10.2.21 KSS15050

Message text Reference stop
Effect Ramp stop
Possible cause(s) Cause: Mastering test not yet performed successfully

(>>> Page 223)
Solution: Perform mastering test in T1 mode (>>> Page 224)
Cause: Mastering test not yet performed successfully
Description
The mastering test has not yet been performed successfully. The refer-
ence stop is triggered by an activated monitoring space for which the op-
tion Stop if mastering test not yet done is configured.

Solution: Perform mastering test in T1 mode

Messages
Description
The mastering test must be performed in T1 mode.
10.2.22 KSS15051

Message text Ackn.: Mastering test position not reached
Effect Ramp stop
Possible cause(s) Cause: Mastering test interrupted (>>> Page 224)

Solution: Acknowledge message and resume program
(>>> Page 224)
Cause: Mastering test interrupted
Description
The mastering test was interrupted before the reference position was
reached:
• Operating mode T1 or T2: The operator released the Start key.
• AUT EXT mode: The Start signal from the higher-level controller was
cancelled.
Solution: Acknowledge message and resume program
Description
Procedure

2. Operating mode T1 or T2: Press and hold down the Start key to re-
sume the program.
AUT EXT mode: Send the Start signal from the higher-level controller
to resume the program.
10.2.23 KSS15052

Message text Ackn.: Mastering reference switch not actuated

Messages
Effect Ramp stop
Possible cause(s) Cause: Reference switch fouled (>>> Page 225)

Solution: Clean the reference switch (>>> Page 225)
Cause: Reference switch moved (>>> Page 225)

Solution: Realign the reference switch (>>> Page 226)
Cause: Actuating plate bent (>>> Page 226)

Solution: Realign the actuating plate (>>> Page 226)
Cause: Referencing with incorrectly mastered robot (>>> Page 226)

Solution: Restore the mastering or remaster (>>> Page 226)
Cause: Reference switch defective (>>> Page 226)

Solution: Exchange the reference switch (>>> Page 227)
Cause: Reference switch fouled
Description
The reference switch was not actuated at the reference position because
the proximity switch surfaces of the reference switch are fouled.
Solution: Clean the reference switch
Procedure
• Clean the proximity switch surfaces of the reference switch.
NOTICE
Do not use aggressive cleaning agents.
Cause: Reference switch moved
Description
The taught reference position has been addressed correctly, but the refer-
ence switch not actuated. The reference switch or the device on which the
reference switch is installed has been moved.


Solution: Realign the reference switch

Messages
Description
The reference switch must aligned in such a way that both proximity
switch surfaces of the reference switch are actuated simultaneously when
the robot is in the reference position.
Cause: Actuating plate bent
Description
ence switch not actuated. The actuating plate fastened to the robot flange
or robot tool was bent.

are actuated by the actuating plate.
Solution: Realign the actuating plate
Description
The actuating plate must be aligned so that both proximity switch surfaces
of the reference switch are actuated simultaneously when the robot is in
the reference position.
Cause: Referencing with incorrectly mastered robot
Description
The reference switch was not actuated in the reference position. The ref-
erence position was not reached because the current mastering deviates
from the one used to teach the reference run.
Solution: Restore the mastering or remaster
Description
Restore the mastering with which the reference run was taught or remas-
ter the robot.
Cause: Reference switch defective
Description
ence switch is defective.

Solution: Exchange the reference switch
Messages
Description
The reference switch must be exchanged.
Precondition

Procedure
1. Unplug the reference cable.

2. Unscrew the reference switch.
3. Screw on the new reference switch.
4. Plug the reference cable into the new reference switch.
5. Perform a mastering test in order to check whether all reference
groups are referenced by the new switch.
10.2.24 KSS15053

Message text Ackn.: Mastering reference group no. {Number of the reference
group} not referenced
Effect Ramp stop
Possible cause(s) Cause: Reference group not taught (>>> Page 227)
Solution: Teach reference group (>>> Page 228)
Cause: Reference group not taught
Description
The reference group has not been taught.

The following points must be taught for the reference group:
• Motion to the reference switch
figuration.
• Motion away from the reference switch

The points are taught in the following file:

File
Directory C:\KRC\Roboter\KRC\R1\Program
File masref_user.src
The file contains 2 subprograms each for reference
groups 1 … 3.
MASREFSTARTG1() … MASREFSTARTG3()
The motion to the reference switch and the reference
position are taught here.
MASREFBACKG1() … MASREFBACKG3()
The motion away from the reference switch is taught
here.
1. Select the file in the Navigator and press Open. The file is displayed
in the editor.
2. Check whether the points required for addressing a reference group
have been taught.
Solution: Teach reference group
Description
The points required for addressing the reference group must be taught.
This activity must be carried out in accordance with the procedure de-
scribed in the assembly and operating instructions.
10.2.25 KSS15054

Message text Workspace monitoring functions deactivated (mastering error)
Possible cause(s) Cause: Axes unmastered (>>> Page 228)

Solution: Master unmastered axes (>>> Page 229)
Cause: Axes unmastered
Description
At least one axis is unmastered.

Solution: Master unmastered axes
Messages
Procedure
• Remaster all unmastered axes.
10.2.26 KSS15065

Message text Level at mastering reference switch was unexpectedly Low

(>>> Page 229)
(>>> Page 229)
Description
Description

action.
10.2.27 KSS15066

Message text Level at mastering reference switch is unexpectedly "low"
Possible cause(s) Cause: Reference switch fouled (>>> Page 230)

Solution: Clean the reference switch (>>> Page 230)

Cause: Mastering test input incorrectly configured (>>> Page 230)

Cause: Reference group not taught (>>> Page 231)

Solution: Teach reference group (>>> Page 232)

(>>> Page 232)
Solution: Reinstall or realign reference switch (>>> Page 232)
Cause: Reference switch defective (>>> Page 233)

Solution: Exchange the reference switch (>>> Page 233)
Cause: Reference switch fouled
Description
The reference switch was actuated for at least 5 minutes outside the mas-
tering test because the proximity switch surfaces of the reference switch
are fouled, e.g. with metal dust or weld spatter.
Solution: Clean the reference switch
Procedure
• Clean the proximity switch surfaces of the reference switch.
NOTICE
Do not use aggressive cleaning agents.
Cause: Mastering test input incorrectly configured
Description
The reference switch for the mastering test can be connected either to the
robot controller via interface X42, or to a higher level safety PLC that is
linked to the robot controller using an Ethernet safety interface.
The mastering test input must be configured accordingly in the safety con-
figuration.
The procedure for checking how the mastering test input is config-
ured is as follows:
1. Open the safety configuration: For this, select Configuration > Safety
configuration in the main menu.
2. On the Common tab, press Global parameters.
3. Check the parameter Mastering test input:
• at cabinet = reference switch is connected to the robot controller.
• via bus interface = reference switch is connected via Ethernet in-
terface.

Messages
Precondition

• T1 or T2 mode
Procedure



Cause: Reference group not taught
Description
The reference group has not been taught.

The following points must be taught for the reference group:
• Motion to the reference switch
figuration.
• Motion away from the reference switch

The points are taught in the following file:
File
Directory C:\KRC\Roboter\KRC\R1\Program
File masref_user.src
The file contains 2 subprograms each for reference
groups 1 … 3.
MASREFSTARTG1() … MASREFSTARTG3()
The motion to the reference switch and the reference
position are taught here.
MASREFBACKG1() … MASREFBACKG3()
The motion away from the reference switch is taught
here.
1. Select the file in the Navigator and press Open. The file is displayed
in the editor.
2. Check whether the points required for addressing a reference group
have been taught.

Solution: Teach reference group

Messages
Description
The points required for addressing the reference group must be taught.
This activity must be carried out in accordance with the procedure de-
scribed in the assembly and operating instructions.
Description
The reference switch was actuated outside of the mastering test for at
least 5 minutes. The reference switch is installed in the wrong position or
has been moved.

Solution: Reinstall or realign reference switch
Description
The reference switch must installed or aligned in such a way that both
proximity switch surfaces of the reference switch are actuated simultane-
ously when the robot is in the reference position.
Fig. 10-6: Installation position of reference switch on external axis

Cause: Reference switch defective
Messages
Description
The reference switch was actuated outside of the mastering test for at
least 5 minutes. The reference switch is defective.
Solution: Exchange the reference switch
Description
The reference switch must be exchanged.
Precondition

Procedure
1. Unplug the reference cable.

2. Unscrew the reference switch.
3. Screw on the new reference switch.
4. Plug the reference cable into the new reference switch.
5. Perform a mastering test in order to check whether all reference
groups are referenced by the new switch.
10.2.28 KSS15079

Message text Monitoring space no. {Number of monitoring space} violated
Possible cause(s) Cause: Monitoring space violated in T1 or T2 (>>> Page 233)

Cause: Monitoring space violated in T1 or T2
Description
The monitoring space has been violated in T1 or T2 mode. The active

safe tool, or at least one of the robot axes, is no longer situated in the
permissible range of the monitoring space.
The monitoring space is considered to have been violated if the monitor-
ing was only activated after the robot had moved over the space limit.

The permissible range depends on the type of monitoring space:

Messages
Space type Workspace Protected space

Cartesian space The active safe tool must move The active safe tool must move out-
within the limits of the monitoring side the limits of the monitoring
space. space.
The space is violated if the safe tool The space is violated if the safe tool
leaves the monitoring space. enters the monitoring space.
Axis space The axes must move within the lim- The axes must move outside the
its of the monitoring space. limits of the monitoring space.
The space is violated if the axes The space is violated if the axes
leave the monitoring space. enter the monitoring space.
Description
Precondition
Procedure

10.2.29 KSS15081

Message text Monitoring space no. {Number of monitoring space} exceeded
Possible cause(s) Cause: Monitoring space exceeded in T1 or T2 (>>> Page 234)

Cause: Monitoring space exceeded in T1 or T2
Description
The monitoring space has been exceeded in T1 or T2 mode. The active

safe tool, or at least one of the robot axes, is no longer situated in the
permissible range of the monitoring space.

If the space is exceeded in T1 mode, the acknowledgment message
Messages
Ackn.: Stop because workspace exceeded is also displayed.
The monitoring space is considered to have been exceeded if the monitor-
ing was already activated when the robot moved over the space limit.
The permissible range depends on the type of monitoring space:
Space type Workspace Protected space
Cartesian space The active safe tool must move The active safe tool must move out-
within the limits of the monitoring side the limits of the monitoring
space. space.
The space is exceeded if the safe The space is exceeded if the safe
tool leaves the monitoring space. tool enters the monitoring space.
Axis space The axes must move within the lim- The axes must move outside the
its of the monitoring space. limits of the monitoring space.
The space is exceeded if the axes The space is exceeded if the axes
leave the monitoring space. enter the monitoring space.
Description
Precondition
Procedure

10.2.30 KSS15083

Message text Ackn.: Cartesian velocity in monitoring space no. {Number of moni-
toring space} exceeded
Effect Ramp stop
10.2.31 KSS15107

Message text Error at the mastering confirmation input

Possible cause(s) Cause: Reference cable incorrectly connected (>>> Page 236)
Cause: Reference cable defective (>>> Page 237)

Solution: Exchange the reference cable (>>> Page 237)
Cause: Reference cable incorrectly connected
Description
The referencing system is connected to interface X42 on the robot control-

ler via the reference cable.
Precondition

• The higher-level controller and the connected referencing system are
switched off and secured against being switched on again.

enough.
Precondition

Procedure

Cause: Reference cable defective
Messages
Description
The referencing system is connected to interface X42 on the robot control-

ler via the reference cable.
The procedure for checking whether the reference cable is defective
is as follows:
Precondition

1. Check whether the connectors are correctly connected. Particular at-

tention must be paid to:
• Pins pushed in
• Corrosion
• Scorched contacts
• Connector insert pushed back
• Socket pushed back
• Connector on correct slot
2. Check whether the cable is mechanically damaged. Causes of squash-
ed cables or wires can include the following:
• Cable straps too tight
• Clips too tight
• Trapped when closing a cover
• Bend radius too tight
3. Check whether the cable still conducts electricity. Particular attention
must be paid to:
• Cross-connection of individual wires
• Short-circuit of individual wires with the ground conductor
• Correct wiring in accordance with circuit diagram
Solution: Exchange the reference cable
Precondition

Procedure
1. Disconnect and remove the defective reference cable.

2. Connect the new reference cable correctly.

NOTICE

3. Connect the reference cable to interface X42 on the robot controller

and to the interface to the referencing system.
10.2.32 KSS15108

Message text Error was at the mastering confirmation input

(>>> Page 238)
(>>> Page 238)
Description
Description

action.
10.2.33 KSS15109

Message text Level at mastering confirmation input is unexpectedly high

Messages
Possible cause(s) Cause: Input EJB is set to the wrong state (>>> Page 239)
Solution: Eliminate the error in the program of the higher-level con-
troller (>>> Page 239)
Cause: Reference cable is incorrectly wired to X42 (>>> Page 240)

Solution: Wire the reference cable correctly to X42 (>>> Page 240)
Cause: Input EJB is set to the wrong state
Description
If a mastering test is requested, for example after rebooting the robot con-
troller, and input EJB goes into the state “logic 1”, no external mastering
confirmation is possible.
Input EJB is set to the wrong state. The error lies in the higher-level con-
troller program that is used to address input EJB. Input EJB must be in
the state “logic 0” in order to confirm mastering via a positive pulse signal.
The procedure for checking the level at input EJB is as follows:

2. In the Module box, select the device, i.e. the interface via which the
pulse signal for external mastering confirmation is provided. To do so,
select the entry Device (Device name). The diagnostic data for the de-
vice are displayed.
The device name displayed in the entry depends on the configura-
tion in WorkVisual. The default name of the device can be changed
in WorkVisual.
3. Search for the entry E: Mastering confirmation (EJB) in the diagnos-

tic data:
• confirmed: Input EJB is in the state “logic 1”
• not confirmed: Input EJB is in the state “logic 0”
Solution: Eliminate the error in the program of the higher-level controller
Description
The error must be eliminated in the higher-level controller program that is

used to address input EJB.
Information on the external mastering confirmation and the signals rele-
vant to the connection of the higher-level controller can be found in the
assembly and operating instructions of the safety option.
Procedure
• Eliminate the error in the program.

Cause: Reference cable is incorrectly wired to X42

Messages
Description
If a mastering test is requested, for example after rebooting the robot con-
troller, and input EJB goes into the state “logic 1”, no external mastering
confirmation is possible.
Interface X42, via which the pulse signal is provided, is incorrectly wired.
Input EJB must be in the state “logic 0” in order to confirm mastering via
a positive pulse signal.

vice are displayed.
in WorkVisual.

tic data:
Solution: Wire the reference cable correctly to X42
Procedure
• Wire the reference cable to X42 in accordance with the circuit dia-
gram.
Further information regarding interface X42 can be found in the assem-

bly and operating instructions Optional Interfaces for the robot control-
ler.
10.2.34 KSS15110

Message text Level at mastering confirmation input was unexpectedly High

(>>> Page 241)
(>>> Page 241)

Messages
Description
Description

action.
10.2.35 KSS15111

Message text Pulse time monitoring of mastering confirmation violated
Possible cause(s) Cause: Pulse signal at input EJB too long (>>> Page 241)
Cause: Pulse signal at input EJB too long
Description
The higher-level controller confirmed a successful mastering test with a

positive pulse signal at input EJB. Because the pulse signal lasted longer
than 5 s at input EJB, the external mastering confirmation failed.
The pulse duration is incorrectly programmed in the higher-level controller
program that is used to address input EJB. The pulse must be at least
350 ms long and must not exceed 5 s. If the EJB signal switches from
“logic 0” to “logic 1” and switches back to “logic 0” within the time frame,
the mastering test is successfully confirmed.
Description


Procedure
10.2.36 KSS15112

Message text Pulse time monitoring of mastering confirmation violated

(>>> Page 242)
(>>> Page 242)
Description
Description

action.
10.2.37 KSS15113

Message text Mastering without reference request confirmed
Possible cause(s) Cause: Loose connection on reference cable to interface X42

(>>> Page 243)

Messages
Cause: Pulse signal at input EJB toggles continuously
(>>> Page 243)
Cause: Loose connection on reference cable to interface X42
Description

positive pulse signal at input EJB, even though no mastering test was re-
quested.
The reference cable is not correctly connected to interface X42, via which
the pulse signal is provided. There may be a loose connection.
Precondition


enough.
Precondition

Procedure
Cause: Pulse signal at input EJB toggles continuously
Description

positive pulse signal at input EJB, even though no mastering test was re-
quested.
The error lies in the higher-level controller program that is used to
address input EJB. The pulse signal may be toggling continuously.


vice are displayed.
in WorkVisual.

tic data:
Description

Procedure
10.2.38 KSS15114

Message text Mastering confirmed without reference request

(>>> Page 244)
(>>> Page 245)
Description

Messages
Description

action.
10.2.39 KSS15127

Message text Ackn.: Stop because workspace exceeded
Effect Ramp stop
Possible cause(s) Cause: Monitoring space violated or exceeded in T1

(>>> Page 245)
Solution: Acknowledge the message and move the robot out of the
violated space (>>> Page 245)
Cause: Impending violation or exceeding of monitoring space in T1

mode (>>> Page 246)
Solution: Acknowledge message and move robot away from work-
space limit (>>> Page 246)
Cause: Monitoring space violated or exceeded in T1
Description
The active safe tool or an axis position has violated or exceeded a moni-
toring space in T1 mode. A status message additionally indicates the af-
fected space.
Solution: Acknowledge the message and move the robot out of the violated
space
Description
The robot must be moved out of the violated space in T1 mode. This is
only possible once the message has been acknowledged.
Precondition
Procedure

3. Move the robot in the desired direction:

Cause: Impending violation or exceeding of monitoring space in T1 mode

Messages
Description
The active safe tool or an axis position threatened to violate or exceed a

monitoring space in T1 mode. It was possible to stop the robot before it
reached the space limit because the “Braking before restricted areas”
function is active.
Solution: Acknowledge message and move robot away from workspace limit
Description
The robot must be moved away from the workspace limit in T1 mode.
This is only possible once the message has been acknowledged.
Precondition
Procedure

10.2.40 KSS15134

Message text Ackn: Safety stop before violation of monitoring space no. {Number
of monitoring space}
Effect Maximum braking; the drives are switched off at standstill.
Possible cause(s) Cause: Impending violation or exceeding of monitoring space in T2,

AUT or AUT EXT mode (>>> Page 246)
Solution: Acknowledge message and move robot away from work-
space limit (>>> Page 247)
Cause: Impending violation or exceeding of monitoring space in T2, AUT or AUT

EXT mode
Description
The active safe tool or an axis position threatened to violate or exceed a

monitoring space in T2, AUT or AUT EXT mode. The robot was stopped
for this reason.

Solution: Acknowledge message and move robot away from workspace limit
Messages
Description
The robot must be moved away from the workspace limit in T1 mode.
This is only possible once the message has been acknowledged.
Precondition
Procedure

10.2.41 KSS15135

Message text Ackn.: Safety stop before leaving cell area.
Effect Maximum braking; the drives are switched off at standstill.
Possible cause(s) Cause: Impending violation of cell area limits (>>> Page 247)
Solution: Acknowledge message and move robot away from area
limit (>>> Page 247)
Cause: Impending violation of cell area limits
Description
The active safe tool threatened to exceed the cell area limits. The robot
was stopped for this reason.
Solution: Acknowledge message and move robot away from area limit
Description
The robot must be moved away from the area limit in T1 mode. This is
only possible once the message has been acknowledged.
Precondition
Procedure



Appendix
11 Appendix
11.1 Checklists
The checklists here serve merely as examples of checklists for safety

acceptance. It is permissible to carry out and document safety accept-
ance using user-specific checklists.
11.1.1 Precondition for safety acceptance based on the checklists
• Mechanical and electrical installation of the industrial robot have been

completed.
• Safety configuration is completed.
• The safety maintenance technician is trained. (Training course at KU-
KA College)
The system integrator is responsible for the design of the cell.

The safety maintenance technician uses the values and configurations
supplied by the system integrator to configure the robot and tests
whether the safety functions work as specified. The safety maintenance
technician does not perform a safety assessment of the system.
11.1.2 Checklist: robot and system
The inspection items of this checklist must be completed and confirmed

in writing by the system integrator.
Checklist
• Serial number of the robot: ____________________

• Serial number of the robot controller: ____________________
• Name of system integrator: ____________________
No. Inspection item OK

1 The industrial robot is in flawless mechanical condition and correctly instal-
led and fastened in accordance with the assembly or operating instructions
of the robot.
2 The permissible rated payload of the robot has not been exceeded.
3 There are no foreign bodies or defective or loose parts on the industrial
robot.
4 All safety equipment required for the system and robot is correctly installed
and operational.
5 The power supply ratings of the industrial robot correspond to the local
supply voltage and mains type, and the machine data correspond to these.
6 The connecting cables are correctly connected and the connectors are
locked.
7 The ground conductor and the equipotential bonding cable are sufficiently
rated and correctly connected.
8 The system meets all the relevant laws, regulations and norms valid for
the installation site.

Appendix KUKA.SafeOperation 3.5
Remarks / deviations
Place, date
Signature
By signing, the signatory confirms the correct and complete performance
of the safety acceptance test.
11.1.3 Checklist: Safety functions

in writing by the safety maintenance technician.
Checklist

• Activation code of the safety configuration: ____________________
• Time stamp of the safety configuration: ____________________
• Mastering test type (reference switch / external confirmation):
____________________
• Name of safety maintenance technician: ____________________
No. Inspection item OK Not relevant

1 Safe monitoring is activated.
2 Robot is mastered.
3 Is the “Braking before restricted areas” function activated?
4 The machine data have been checked and are appropriate
for the robot used.
(>>> 4.8.4.1 "Checking machine data and safety configura-
tion" Page 60)
The machine data loaded must match the machine data on
the identification plate of the robot.
5 The machine data of the external axes have been correctly
entered and checked.
Checking instructions:
• Move each external axis a defined distance by means of

a PTP_REL motion, e.g. 90°. Carry out a visual inspec-
tion and check whether this distance is covered.
• In the case of a KL, move the external axis a defined
distance by means of a PTP_REL motion, e.g. 500 mm.
Carry out a visual inspection and additionally monitor the
display of the Cartesian actual position to check whether
this distance is covered.
6 The local and external safety functions have been checked
and are functioning correctly.
(>>> 4.8.4 "Start-up and recommissioning" Page 59)

Appendix
7 The reference switch is firmly and stably mounted on the
mounting fixture.
plate" Page 130)
8 The actuating plate is firmly and stably mounted on the
robot flange or tool.
plate" Page 130)
9 The reference position has been taught in both the master-
ing test program and in the safety configuration.
10 The accuracy of the reference position has been checked.
(>>> 7.7.1.8 "Checking the reference position (actuation with
tool)" Page 135)
11 Was the mastering test successful?
12 Was the brake test successful?
Axis A1
Axis A2
Axis A3
Axis A4
Axis A5
Axis A6
External axes
13 Operator safety acknowledgement has been checked and is
functioning correctly.
(>>> 4.5.4 "“Operator safety” signal" Page 49)
14 Peripheral contactor (US2) has been checked and switches
at the right time.
Note: Further information about checking the peripheral con-
tactor is contained in the assembly instructions of the robot
controller.
15 Hardware option SHS1 at safe input X25 has been checked
and is functioning correctly.
Checking instructions:
1. Activate SHS1 via X25. To do so, set SHS1 to the state

“logic 0”.
2. An active SHS1 has the following effect:
• Motion enable is cancelled. Check that the motion
enable (FF) has the state “logic 0”.
• Voltage US2 is switched off. Check that the voltage
is switched off.
• Drives enable is cancelled and the drives are switch-
ed off. Check that the drives enable (AF) has the
state “logic 0”.
3. Test one axis to check whether it can be moved.
Safety function SHS1 is working correctly if the axis can-
not be moved.


16 Have the Cartesian and axis-specific velocities been config-
ured correctly and checked?
The corresponding checklists must be completed and con-
firmed in writing for the Cartesian and axis-specific velocity
monitoring functions.
(>>> 11.1.4 "Checklist: Cartesian velocity monitoring func-
tions" Page 254)
(>>> 11.1.5 "Checklist: Axis-specific velocity monitoring"
Page 255)
17 Has the correct configuration of the safe operational stop
been checked by moving all axes?
Each axis in an axis group must be tested individually.
The corresponding checklist must be completed and con-
firmed in writing for every axis group.
(>>> 11.1.6 "Checklist: Safe operational stop for axis groups"
Page 259)
18 The values for the parameters Braking time and Position
tolerance have been checked in the diagnostic monitor and
correctly saved.
(>>> 7.12 "Checking the values for the safe axis monitoring
functions" Page 174)
19 Has the correct configuration of the cell area been checked
by moving to all reachable limits?
firmed in writing for the cell area.

Appendix
20 Has the correct configuration of the monitoring spaces used
been checked by moving to all reachable limits?
Each space surface of a Cartesian monitoring space must
be addressed at 3 different points.
The axis of an axis-specific monitoring space must be
moved to the upper and lower limits of the space.
firmed in writing for each monitoring space used.
(>>> 11.1.8 "Checklist: Cartesian monitoring spaces"
Page 262)
(>>> 11.1.9 "Checklist: Axis-specific monitoring spaces"
Page 264)
Monitoring space 1
Monitoring space 2
Monitoring space 3
Monitoring space 4
Monitoring space 5
Monitoring space 6
Monitoring space 7
Monitoring space 8
Monitoring space 9
Monitoring space 10
Monitoring space 11
Monitoring space 12
Monitoring space 13
Monitoring space 14
Monitoring space 15
Monitoring space 16
21 Have the values stored for the maximum braking ramp for
the “Braking before restricted areas” function been checked?
(>>> 11.1.10 "Checklist: Braking before restricted areas"
Page 269)


22 Have the safe tools used been configured correctly and
checked?
At least one monitoring space and one velocity must be
checked with each safe tool.
firmed in writing for each safe tool used.
(>>> 11.1.11 "Checklist: Safe tools" Page 270)
Tool 1
Tool 2
Tool 3
Tool 4
Tool 5
Tool 6
Tool 7
Tool 8
Tool 9
Tool 10
Tool 11
Tool 12
Tool 13
Tool 14
Tool 15
Tool 16
23 The safety configuration has been archived.
24 If an existing safety configuration has been changed:
A change log has been created and checked.
: Must be checked by system integrator
Place, date
Signature
11.1.4 Checklist: Cartesian velocity monitoring functions

Description
The Cartesian velocity monitoring functions cannot be tested against a

discrete value. It is possible to carry out a test using an exaggerated val-
ue in order to check whether velocity monitoring is triggered.

Appendix
Precondition
• Override reduction for velocity monitoring functions is deactivated:

‒ $SR_VEL_RED = FALSE
Checklist

• Safe tool used in test: ____________________
Specified value:
• Value specified by cell planner, design engineer

Configured value:
• Value entered in the safety configuration

1 The global maximum Cartesian velocity has been correctly
configured and checked.
Specified value: __________ mm/s
Configured value: __________ mm/s
2 The safe reduced Cartesian velocity has been correctly
3 The safe reduced Cartesian velocity for T1 has been cor-
rectly configured and checked.
Place, date
Signature
11.1.5 Checklist: Axis-specific velocity monitoring

The trace function (oscilloscope) can be used to determine the axis ve-
locities.

Precondition
• Override reduction for velocity monitoring functions is deactivated:

Checklist

Specified value:

Configured value:

Test value:
• Value with which the test was carried out

1. Checking the global maximum axis velocity
It is only necessary to check the global maximum axis velocity if an axis
must not exceed a defined velocity. If the global maximum axis velocity
is only to limit the minimum axis-specific protected space, no verification
is required.
No. Axis name Inspection item OK Not relevant

The global maximum axis velocity has been correctly entered and
checked using at least one axis.
1 Specified value: ________ °/s or mm/s
Configured value: ________ °/s or mm/s
Test value: __________ °/s or mm/s
2. Checking the reduced axis velocity
The reduced axis velocity has been correctly configured and
checked for each axis.
2.1 Specified value: ________ °/s or mm/s

Appendix
Test value: _________ °/s or mm/s
Test value: ________ °/s or mm/s
3. Checking the maximum axis velocity for T1


The maximum axis velocity for T1 has been correctly configured
and checked for each axis.
Test value: _________ °/s or mm/s

Appendix
Place, date
Signature
11.1.6 Checklist: Safe operational stop for axis groups

A separate checklist must be completed for each axis group.
Precondition
Checklist

• Axis group number: ____________________
Specified value:

Configured value:


1 1st axis of the axis group has been
correctly configured and checked.
Position tolerance (specified value):
__________ ° or mm
Position tolerance (configured value):
__________ ° or mm
2 2nd axis of the axis group has been correct-
ly configured and checked.
__________ ° or mm
__________ ° or mm
3 3rd axis of the axis group has been correct-
__________ ° or mm
__________ ° or mm
4 4th axis of the axis group has been correct-
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm

Appendix
Place, date
Signature
11.1.7 Checklist: Cell area

The accessible surfaces resulting from the configuration must be violated

one after the other, each at 2 different points, to demonstrate the correct
configuration of the cell area.
Precondition
• The monitoring spaces that can be activated by means of safe inputs

have been deactivated.
Checklist
• Serial number of the robot: ________________

• Time stamp of the safety configuration: ________________
• Safe tool used in test: ________________

1 The limit in the Z direction has been configured correctly
and checked.
Z min: ____________mm
Z max: ____________mm
2 Corner 1 has been correctly configured and checked.
X coordinate: __________ mm
Y coordinate: __________ mm


6 Corner 5 has been correctly configured.
Place, date
Signature
11.1.8 Checklist: Cartesian monitoring spaces

A separate checklist must be completed for each monitoring space.
Description
The accessible surfaces resulting from the configuration must be violated

one after the other, each at 3 different points, to demonstrate the correct
configuration of the monitoring space.

Appendix
Precondition
• The monitoring space to be checked is activated.

• Override reduction is deactivated:
Checklist

• Monitoring space checked (name, number): __________
• Type of space (protected space|workspace): ____________________
• Stop at boundaries (TRUE|FALSE): __________
• Reference stop (TRUE|FALSE): __________
• Space-specific velocity __________mm/s
• Space-specific velocity valid in: __________
• Safe tool used in test: _________________
• Always active (TRUE|FALSE): __________
• Reference coordinate system: _____________

1 The coordinates of the monitoring space have been cor-
rectly configured and checked.
Origin X: __________ mm
Origin Y: __________ mm
Origin Z: __________ mm
Origin A: __________ °
Origin B: __________ °
Origin C: __________ °
Distance to origin XMin: __________ mm
Distance to origin YMin: __________ mm
Distance to origin ZMin: __________ mm
Distance to origin XMax: __________ mm
Distance to origin YMax: __________ mm
Distance to origin ZMax: __________ mm
The following preconditions must be met to demonstrate the correct func-
tioning of the reference stop:
• Reference stop is active.
• Mastering test requested.
• Checked monitoring space is activated.


2 The correct functioning of the reference stop has been
checked.

tioning of the space-specific velocity:
• Space-specific velocity is active.

• The configured limit value of the space-specific velocity is less than
the limit value of the maximum Cartesian velocity.
• Robot exceeds the configured space-specific velocity.
• Override reduction for the velocity is deactivated: $SR_VEL_RED =
FALSE
Specified value:

Configured value:

3 The space-specific velocity has been correctly configured
and checked.
Place, date
Signature
11.1.9 Checklist: Axis-specific monitoring spaces

A separate checklist must be completed for each monitoring space.
Description
The configured limit values must successively be violated to demonstrate

the correct functioning of the monitoring space.
Precondition
• The monitoring space to be checked is activated.

• Override reduction is deactivated:

Appendix
Checklist

• Monitoring space checked (name, number): _________________
• Type of space (protected space|workspace): ____________________
• Stop at boundaries (TRUE|FALSE):_________________
• Reference stop (TRUE|FALSE): _________________
• Space-specific velocity _________________ mm/s
• Space-specific velocity valid in: _________________
• Safe tool used in test: _________________
• Always active (TRUE|FALSE): _________________
Specified value:

Configured value:

Determined value:
• Value determined during the test

1 1st axis of the monitoring space has been
Lower limit (specified value):
__________ ° or mm
Lower limit (configured value):
__________ ° or mm
Lower limit (determined value):
__________ ° or mm
Upper limit (specified value):
__________ ° or mm
Upper limit (configured value):
__________ ° or mm
Upper limit (determined value):
__________ ° or mm


2 2nd axis of the monitoring space has been
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
3 3rd axis of the monitoring space has been
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
4 4th axis of the monitoring space has been
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm

Appendix
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm


__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
__________ ° or mm
tioning of the reference stop:
• Reference stop is active.
• Mastering test requested.

9 The correct functioning of the reference stop has been
checked.

tioning of the space-specific velocity:
• Space-specific velocity is active.

• The configured limit value of the space-specific velocity is less than
the limit value of the maximum Cartesian velocity.
• Robot exceeds the configured space-specific velocity.
• Override reduction for the velocity is deactivated: $SR_VEL_RED =
FALSE

10 The space-specific velocity has been correctly configured
and checked.
Place, date
Signature

Appendix
11.1.10 Checklist: Braking before restricted areas

Precondition
• “Braking before restricted areas” is activated.

• At least 1 monitoring space is activated for the axis to be tested:
‒ Axis-specific monitoring space
‒ Or Cartesian monitoring space
‒ Or cell area (always activated)
Checklist

• Safe tool used in test: ____________________
• Monitoring space used in test: ____________________
• Values for axis group and braking ramp:
Axis Ramp stop group Braking ramp of drive
The braking ramp must be checked separately for each axis at a valid
monitoring space.


1 The correct configuration of the monitoring space used for
testing has been checked.
(>>> 11.1.9 "Checklist: Axis-specific monitoring spaces"
Page 264)
(>>> 11.1.8 "Checklist: Cartesian monitoring spaces"
Page 262)
2 When the axis approaches the monitoring space limit, the
robot stops with a safety stop 1 and, depending on the
type of space, one of the following messages is displayed:
• Ackn: Safety stop before violation of monitoring space

no. {Number of monitoring space}
• Ackn.: Safety stop before leaving cell area.
3 The message Ackn.: The braking ramp of the robot has
been violated. is not displayed.
Place, date
Signature
11.1.11 Checklist: Safe tools

A separate checklist must be completed for each safe tool.
Description
A monitoring space must be violated by each configured sphere to dem-

onstrate the correct functioning of the safe tool.
Checklist
• Serial number of the robot: _________________

• Time stamp of the safety configuration: _________________
• Safe tool checked (name, number): _______________
• Monitoring space used in sphere test (name, number):
________________
Specified value:

Configured value:
Appendix

1 Safe TCP of the tool
The X, Y and Z coordinates of the safe TCP are correctly
TCP X (specified value): __________ mm
TCP X (configured value): __________ mm
TCP Y (specified value): __________ mm
TCP Y (configured value): __________ mm
TCP Z (specified value): __________ mm
TCP Z (configured value): __________ mm
2 1st sphere on tool
The X, Y and Z coordinates of the sphere center point and
the sphere radius are correctly configured and checked.
X (specified value): __________ mm
X (configured value): __________ mm
Y (specified value): __________ mm
Y (configured value): __________ mm
Z (specified value): __________ mm
Z (configured value): __________ mm
Radius (specified value): __________ mm
Radius (configured value): __________ mm
3 2nd sphere on tool


4 3rd sphere on tool
5 4th sphere on tool

Appendix



Appendix
Place, date
Signature
11.2 Applied norms and regulations
The safety functions of KUKA.SafeOperation meet the requirements of

Category 3 and Performance Level d in accordance with EN ISO
13849-1:2015.


KUKA Service
12 KUKA Service
12.1 Requesting support
Introduction
This documentation provides information on operation and operator con-

trol, and provides assistance with troubleshooting. For further assistance,
please contact your local KUKA subsidiary.
Information
The following information is required for processing a support re-

quest:
• Description of the problem, including information about the duration
and frequency of the fault
• As comprehensive information as possible about the hardware and
software components of the overall system
The following list gives an indication of the information which is rele-
vant in many cases:
‒ Model and serial number of the kinematic system, e.g. the manip-
ulator
‒ Model and serial number of the controller
‒ Model and serial number of the energy supply system
‒ Designation and version of the system software
‒ Designations and versions of other software components or modifi-
cations
‒ Diagnostic package KRCDiag
Additionally for KUKA Sunrise: existing projects including applica-
tions
For versions of KUKA System Software older than V8: archive of
the software (KRCDiag is not yet available here.)
‒ Application used
‒ External axes used
12.2 KUKA Customer Support
Availability
KUKA Customer Support is available in many countries. Please do not

hesitate to contact us if you have any questions.
Argentina
Ruben Costantini S.A. (Agentur)
Luis Angel Huergo 13 20
Parque Industrial
2400 San Francisco (CBA)
Argentina
Tel. +54 3564 421033
Fax +54 3564 428877
[email protected]

KUKA Service KUKA.SafeOperation 3.5
Australia
KUKA Robotics Australia Pty Ltd
45 Fennell Street
Port Melbourne VIC 3207
Australia
Tel. +61 3 9939 9656
[email protected]
www.kuka-robotics.com.au
Belgium
KUKA Automatisering + Robots N.V.
Centrum Zuid 1031
3530 Houthalen
Belgium
Tel. +32 11 516160
Fax +32 11 526794
[email protected]
www.kuka.be
Brazil
KUKA Roboter do Brasil Ltda.
Travessa Claudio Armando, nº 171
Bloco 5 - Galpões 51/52
Bairro Assunção
CEP 09861-7630 São Bernardo do Campo - SP
Brazil
Tel. +55 11 4942-8299
Fax +55 11 2201-7883
[email protected]
www.kuka-roboter.com.br
Chile
Robotec S.A. (Agency)
Santiago de Chile
Chile
Tel. +56 2 331-5951
Fax +56 2 331-5952
[email protected]
www.robotec.cl
China
KUKA Robotics China Co., Ltd.
No. 889 Kungang Road
Xiaokunshan Town
Songjiang District
201614 Shanghai
P. R. China
Tel. +86 21 5707 2688
Fax +86 21 5707 2603
[email protected]
www.kuka-robotics.com

KUKA Service
Germany
Zugspitzstr. 140
86165 Augsburg
Germany
Tel. +49 821 797-1926
Fax +49 821 797-41 1926
[email protected]
www.kuka.com
France
KUKA Automatisme + Robotique SAS
Techvallée
6, Avenue du Parc
91140 Villebon S/Yvette
France
Tel. +33 1 6931660-0
Fax +33 1 6931660-1
[email protected]
www.kuka.fr
India
KUKA India Pvt. Ltd.
Office Number-7, German Centre,
Level 12, Building No. - 9B
DLF Cyber City Phase III
122 002 Gurgaon
Haryana
India
Tel. +91 124 4635774
Fax +91 124 4635773
[email protected]
www.kuka.in
Italy
KUKA Roboter Italia S.p.A.
Via Pavia 9/a - int.6
10098 Rivoli (TO)
Italy
Tel. +39 011 959-5013
Fax +39 011 959-5141
[email protected]
www.kuka.it

Japan
KUKA Japan K.K.
YBP Technical Center
134 Godo-cho, Hodogaya-ku
Yokohama, Kanagawa
240 0005
Japan
Tel. +81 45 744 7531
Fax +81 45 744 7541
[email protected]
Canada
KUKA Robotics Canada Ltd.
2865 Argentia Road, Unit 4-5
Mississauga
Ontario L5N 8G6
Canada
Tel. +1 905 858‑5852
Fax +1 905 858-8581
[email protected]
www.kukarobotics.ca
Korea
KUKA Robotics Korea Co. Ltd.
RIT Center 306, Gyeonggi Technopark
1271-11 Sa 3-dong, Sangnok-gu
Ansan City, Gyeonggi Do
426-901
Korea
Tel. +82 31 501-1451
Fax +82 31 501-1461
[email protected]
Malaysia
KUKA Robot Automation (M) Sdn Bhd
South East Asia Regional Office
No. 7, Jalan TPP 6/6
Taman Perindustrian Puchong
47100 Puchong
Selangor
Malaysia
Tel. +60 (03) 8063-1792
Fax +60 (03) 8060-7386
[email protected]

KUKA Service
Mexico
KUKA de México S. de R.L. de C.V.
Progreso #8
Col. Centro Industrial Puente de Vigas
Tlalnepantla de Baz
54020 Estado de México
Mexico
Tel. +52 55 5203-8407
Fax +52 55 5203-8148
[email protected]
www.kuka-robotics.com/mexico
Norway
KUKA Sveiseanlegg + Roboter
Sentrumsvegen 5
2867 Hov
Norway
Tel. +47 61 18 91 30
Fax +47 61 18 62 00
[email protected]
Austria
KUKA CEE GmbH
Gruberstraße 2-4
4020 Linz
Austria
Tel. +43 732 784 752 0
Fax +43 732 793 880
[email protected]
www.kuka.at
Poland
KUKA CEE GmbH Poland
Spółka z ograniczoną odpowiedzialnością
Oddział w Polsce
Ul. Porcelanowa 10
40-246 Katowice
Poland
Tel. +48 327 30 32 13 or -14
Fax +48 327 30 32 26
[email protected]
Portugal
KUKA Robots IBÉRICA, S.A.
Rua do Alto da Guerra n° 50
Armazém 04
2910 011 Setúbal
Portugal
Tel. +351 265 729 780
Fax +351 265 729 782
[email protected]
www.kuka.com

Russia
KUKA Russia OOO
1-y Nagatinskiy pr-d, 2
117105 Moskau
Russia
Tel. +7 495 665-6241
[email protected]
Sweden
KUKA Svetsanläggningar + Robotar AB
A. Odhners gata 15
421 30 Västra Frölunda
Sweden
Tel. +46 31 7266-200
Fax +46 31 7266-201
[email protected]
Switzerland
KUKA Roboter CEE GmbH
Linz, Zweigniederlassung Schweiz
Heinrich Wehrli-Strasse 27
5033 Buchs
Switzerland
Tel. +41 62 837 43 20
[email protected]
Slovakia
KUKA CEE GmbH
organizačná zložka
Bojnická 3
831 04 Bratislava
Slovakia
Tel. +420 226 212 273
[email protected]
Spain
KUKA Iberia, S.A.U.
Pol. Industrial
Torrent de la Pastera
Carrer del Bages s/n
08800 Vilanova i la Geltrú (Barcelona)
Spain
Tel. +34 93 8142-353
[email protected]

KUKA Service
South Africa
Jendamark Automation LTD (Agentur)
76a York Road
North End
6000 Port Elizabeth
South Africa
Tel. +27 41 391 4700
Fax +27 41 373 3869
www.jendamark.co.za
Taiwan
KUKA Automation Taiwan Co. Ltd.
1F, No. 298 Yangguang ST.,
Nei Hu Dist., Taipei City, Taiwan 114
Taiwan
Tel. +886 2 8978 1188
Fax +886 2 8797 5118
[email protected]
Thailand
KUKA (Thailand) Co. Ltd.
No 22/11-12 H-Cape Biz Sector Onnut
Sukhaphiban 2 road, Prawet
Bangkok 10250
Thailand
Tel. +66 (0) 90-940-8950
[email protected]
Czech Republic
KUKA Roboter CEE GmbH
organizační složka
Pražská 239
25066 Zdiby
Czech Republic
Tel. +420 226 212 273
[email protected]
Hungary
KUKA HUNGÁRIA Kft.
Fö út 140
2335 Taksony
Hungary
Tel. +36 24 501609
Fax +36 24 477031
[email protected]

USA
KUKA Robotics Corporation
51870 Shelby Parkway
Shelby Township
48315-1787
Michigan
USA
Tel. +1 866 873-5852
Fax +1 866 329-5852
[email protected]
www.kuka.com
United Kingdom
KUKA Robotics UK Ltd
Great Western Street
Wednesbury West Midlands
WS10 7LL
United Kingdom
Tel. +44 121 505 9970
Fax +44 121 505 6589
[email protected]
www.kuka-robotics.co.uk

Index Axis velocity, maximum..........................32, 110

Axis velocity, maximum global..................... 168
$BRAKES_OK.............................................. 147
Axis velocity, maximum in T1....... 32, 110, 168
$BRAKETEST_MONTIME............................146
Axis velocity, reduced............. 32, 33, 110, 168
$BRAKETEST_REQ_EX.............................. 146
Axis, active................................................... 141
$BRAKETEST_REQ_INT............................. 146
Axis, requested.............................................141
$BRAKETEST_WARN..................................147
$BRAKETEST_WORK................................. 147
$MASTERINGTEST_ACTIVE...................... 128
$MASTERINGTEST_GROUP...................... 128 B
$MASTERINGTEST_REQ_EXT...................129 BASE coordinate system............................... 20
$MASTERINGTEST_REQ_INT....................129 BBRA.............................................................. 10
$MASTERINGTEST_SWITCH_OK.............. 129 Brake check, automatic....................... 140, 155
$SR_ACTIVETOOL...................................... 193 Brake defect................................................... 57
$SR_AXISSPEED_OK................................. 193 Brake release device......................................55
$SR_CARTSPEED_OK................................194 Brake test............................................... 17, 139
$SR_DRIVES_ENABLE............................... 194 Brake test, cycle time.................................. 140
$SR_MOVE_ENABLE.................................. 194 Brake test, manual....................................... 153
$SR_OV_RED......................................158, 160 Brake test, programs....................................141
$SR_RANGE_ACTIVE................................. 194 Brake test, signals............................... 145, 147
$SR_RANGE_OK......................................... 194 Brake test, state............................................. 79
$SR_SAFEMON_ACTIVE............................ 194 Brake test, teaching positions......................149
$SR_SAFEOPSTOP_ACTIVE......................194 Brake, defective...........................149, 150, 153
$SR_SAFEOPSTOP_OK............................. 194 BrakeTestAxes.src........................................ 142
$SR_SAFEREDSPEED_ACTIVE.................194 BrakeTestBack.src................................142, 150
$SR_VEL_RED............................158, 159, 167 BrakeTestPark.src................................ 142, 150
$SR_WORKSPACE_RED........... 159, 160, 167 BrakeTestReq.src..........................................142
2006/42/EC:2006............................................ 68 BrakeTestStart.src................................ 142, 149
2014/30/EU:2014............................................ 68 Braking before restricted areas..................... 28
2014/68/EU:2014............................................ 68 Braking before restricted areas, activating.. 119
95/16/EC......................................................... 68 Braking before restricted areas, activation..120
Braking distance.......................................10, 43
Braking ramp, checking................................171
A Braking ramp, drive unit...............................120
Accessories.....................................................41 Braking time..................................................109
Activating, safety configuration.................... 175 Buttons, overview........................................... 78
Activation code, safety configuration............. 79
Activation, monitoring space................100, 104
Activation, reference stop.................... 101, 105 C
Actuating plate, hole pattern..........................40 Cable lengths, reference switch module....... 34
Actuating plate, installing............................. 130 Cartesian monitoring spaces, testing.......... 170
Administrator (user group)............................. 77 Cartesian protected spaces........................... 23
Alarm space....................................................11 Cartesian space, configuration...................... 99
Ambient temperature, reference switch.........37 Cartesian velocity limits, testing.................. 167
ANSI/RIA R.15.06-2012................................. 68 Cartesian velocity, maximum................. 95, 167
Appendix....................................................... 249 Cartesian velocity, reduced....................95, 167
Applied norms and regulations..............68, 275 Cartesian velocity, reduced for T1...............167
Areas of application........................................15 Cartesian workspaces.................................... 22
Automatic mode..............................................65 CE mark..........................................................42
Axis-specific monitoring spaces, testing......171 Cell area......................................13, 18, 21, 22
Axis-specific protected spaces.......................26 Cell area, configuration.................................. 97
Axis-specific velocity limits, testing..............168 Checking the reference position.................. 135
Axis-specific workspaces................................25 Checklists......................................................249
Axis angle, lower limit.................................. 107 CIP Safety................................. 11, 17, 71, 177
Axis angle, upper limit................................. 107 Circuit diagram, reference switch.................. 39
Axis limit............................................ 10, 25, 26 CK.............................................................11, 15
Axis limitation, mechanical............................. 54 CK, monitoring................................................53
Axis monitoring functions, checking............ 174 Cleaning work.................................................65
Axis monitoring functions, configuring......... 108 Compatibility................................................... 71
Axis range................................... 10, 25, 26, 43 Components....................................................16
Axis space, configuring................................ 103 Configuration...................................................85

Configuration, overview.................................. 86 F
Connecting cables.......................................... 41 Faults.............................................................. 58
Connecting cables, overview......................... 34 Fictitious STOP 1 - DRS end position.......... 11
Connector pin assignment, reference cable FLANGE coordinate system...........................21
X42-XS Ref.....................................................38 FSoE................................................ 11, 17, 177
Coordinate systems........................................20 Function test................................................... 59
Coordinate systems, angles...........................21 Functional principle.........................................16
Coordinate systems, orientation.....................21 Functions........................................................ 15
Counterbalancing system............................... 66
G
D General safety measures............................... 56
Danger zone.............................................11, 43 GET_AXESMASK()...................................... 156
Declaration of conformity............................... 42 GET_BRAKETEST_TIME().......................... 157
Declaration of incorporation.....................41, 42 Global parameters, configuring...................... 93
Decommissioning............................................66
Diagnosis...................................................... 193
Diagnosis, system variables.........................193
Diagnostic data, displaying.......................... 193 H
Diagnostic monitor (menu item)...................193 Hardware........................................................ 16
Diagnostic signals Hardware options, displaying......................... 80
Ethernet interface.................................... 185 Hardware, options.................................. 15, 124
Discrete safety interface........................ 17, 177 Hazardous substances................................... 66
Disposal.......................................................... 66 Hole pattern, actuating plate..........................40
Documentation, industrial robot....................... 9 Hole pattern, reference switch.......................38
Drive ramp stop group................................. 120 Hysteresis, reference switch.......................... 37
DRS.................................................................11
I
E Industrial robot................................................41
EC declaration of conformity......................... 42 Inputs/outputs, interface X13....................... 189
Electromagnetic compatibility (EMC)............. 69 Installation.......................................................71
Electromagnetic compatibility (EMC):............ 69 via smartHMI............................................. 73
EMC conformity, reference switch................. 37 via WorkVisual...........................................71
EMC Directive.......................................... 42, 68 Intended use...................................................41
EMERGENCY STOP device............. 50, 51, 56 Interface, X13............................................... 189
EMERGENCY STOP, external................ 51, 60 Interface, X42............................................... 191
EMERGENCY STOP, local............................ 60 Interface, X13.........................................17, 177
EN 60204-1:2006/A1:2009............................. 69 Interfaces...................................................... 177
EN 61000-6-2:2005........................................ 69 Introduction....................................................... 9
EN 61000-6-4:2007 + A1:2011...................... 69 IT security....................................................... 58
EN 614-1:2006+A1:2009................................68
EN ISO 10218-1:2011.................................... 68
EN ISO 12100:2010....................................... 68 J
EN ISO 13849-1...........................................275 Jog mode................................................. 54, 56
EN ISO 13849-1:2015....................................68
EN ISO 13849-2:2012....................................68
EN ISO 13850:2015....................................... 68 K
Enabling device........................................51, 56 KL....................................................................11
Enabling device, external............................... 52 Knowledge, required.........................................9
Enabling switches...........................................51 KUKA Customer Support............................. 277
EtherCAT..........................................11, 17, 177 KUKA Service...............................................277
Ethernet interface..................................... 11, 12 KUKA smartPAD.............................................43
Diagnostic signals................................... 185 KUKA smartPAD-2......................................... 43
Ethernet safety interfaces......................17, 177
EtherNet/IP................................ 11, 17, 71, 177
Extended SIB......................................... 17, 177
External axes..................................................41
L
Labeling.......................................................... 55
External axis................................................... 45
Liability............................................................ 41

Licenses..........................................................13 Performance Level......................................... 47

Limit value for safely reduced Cartesian Peripheral contactor....................................... 63
velocity in T1 mode........................................95 Permissible load current, reference switch... 37
Linear unit.......................................................41 Permissible switching distance, reference
Low Voltage Directive.....................................42 switch..............................................................37
Permissible switching frequency, reference
switch..............................................................37
M Personnel........................................................45
Machine data............................................60, 79 Plant integrator............................................... 45
Machine data, displaying................................80 Polygon, convex.................................11, 18, 21
Machinery Directive..................................42, 68 Position tolerance......................................... 115
Maintenance................................................... 65 Positioner........................................................ 41
Manipulator...............................................41, 43 Pressure Equipment Directive................. 66, 68
Manual mode..................................................63 Preventive maintenance work........................ 65
Mastering confirmation, external.................. 137 Product description.........................................15
Mastering position, reference position.........123 PROFINET................................ 12, 17, 71, 177
Mastering test................................................. 11 PROFIsafe.................................12, 17, 71, 177
Mastering test input........................................95 Protected space.......................... 12, 17, 24, 26
Mastering test via reference switch.............126 Protection rating............................................. 37
Mastering test, overview.............................. 125 Protective equipment......................................54
Mastering test, performing manually........... 136 Pulse duration, reference switch................... 37
Mastering test, programs............................. 128 Pulse duty factor, reference switch......... 37, 38
Mastering test, teaching positions............... 133
Mastering test, variables.............................. 128
Mastering type................................................ 95 R
Mechanical end stops.................................... 54 Radius, tool sphere........................................ 88
Messages......................................................197 Reaction distance.....................................10, 43
Monitoring space............................................ 13 Recommissioning............................................59
Monitoring space, axis-specific.................... 103 Reference cable X42-XS Ref, connector pin
Monitoring space, Cartesian.......................... 99 assignment..................................................... 38
Monitoring spaces.......................................... 17 Reference group............................12, 123, 126
Monitoring time.............................. 11, 126, 140 Reference group, configuring.......................121
Monitoring, physical safeguards.....................49 Reference groups, configuration.................. 132
Monitoring, velocity.........................................53 Reference position................................. 12, 126
Reference position, axis angle.................... 123
Reference position, Cartesian......................123
O Reference position, configuring................... 121
Open source................................................... 13 Reference position, selecting....................... 129
Operating current, reference switch.............. 37 Reference stop.........................................12, 30
Operating voltage, reference switch.............. 37 Reference switch............................................ 12
Operation........................................................ 77 Reference switch module...............................33
Operator safety..................................47, 49, 56 Reference switch, connecting...................... 131
Operators........................................................ 46 Reference switch, installing..........................130
Options............................................................41 Reference switch, technical data...................37
Outputs, reference switch.............................. 37 Reference system.................................. 98, 102
Overload......................................................... 57 Release device............................................... 55
Override reduction........................................ 158 Repair............................................................. 65
Override reduction, spline............................ 159 Revision log, displaying..................................80
Override reduction, system variables.......... 158 Robot controller.............................................. 41
Overview, buttons........................................... 78 ROBROOT coordinate system.......................20
Overview, configuration.................................. 86
Overview, connecting cables..........................34
Overview, mastering test..............................125 S
Overview, SafeOperation................................15 Safe monitoring.............................................. 95
Overview, safety acceptance....................... 166 Safe monitoring, activating.............................93
Overview, start-up...........................................86 Safe monitoring, deactivating.......................176
Safe operational stop..................13, 33, 43, 53
Safe operational stop, axis group 1 to 6.....115
P Safe operational stop, checking.................. 169
Panic position................................................. 51 Safe operational stop, configuring............... 114

Safe robot retraction.......................................83 STOP 0.................................................... 42, 44

Safe TCP........................................................ 31 STOP 1.................................................... 42, 44
Safe tool, configuration.................................116 STOP 2.................................................... 42, 44
Safe tools................................................. 13, 31 Stop at boundaries.............................. 100, 104
Safeguards, external...................................... 55 Stop category 0.............................................. 44
SafeOperation via Ethernet safety Stop category 1.............................................. 44
interface........................................................ 181 Stop category 2.............................................. 44
SafeOperation, overview................................ 15 Stop category 1, Drive Ramp Stop............... 44
Safety..............................................................41 Stop reactions....................................18, 33, 46
Safety acceptance, overview....................... 166 STOP 1 - DRS............................................... 44
Safety acceptance, precondition.................. 249 STOP 1, DRS end position............................11
Safety configuration, activating.................... 175 Stopping distance........................10, 18, 43, 46
Safety configuration, displaying information.. 79 Storage........................................................... 66
Safety configuration, editing in WorkVisual. 124 Support request............................................ 277
Safety configuration, export........................... 83 Switching function, reference switch............. 37
Safety configuration, import........................... 81 System integrator..................................... 42, 45
Safety configuration, opening........................ 78 System requirements......................................71
Safety configuration, saving......................... 124 System variables......................... 128, 158, 193
Safety controller..............................................48
Safety functions........................................47, 56
Safety functions, Ethernet safety interface..177 T
Safety functions, overview............................. 47 T1 (operating mode).......................................45
Safety functions, test....................................167 T2 (operating mode).......................................45
Safety instructions......................................9, 85 Target group..................................................... 9
Safety maintenance (user group).................. 77 Teach pendant................................................ 41
Safety of machinery........................ 68, 69, 275 Technical data.................................................37
Safety options.................................................44 Technical data, reference switch................... 37
Safety recovery (user group)......................... 77 Terms used..................................................... 10
Safety STOP 0.........................................12, 43 Terms used, safety......................................... 42
Safety STOP 1.........................................13, 43 Time stamp, machine data............................ 79
Safety STOP 2.........................................13, 44 Time stamp, safety configuration...................79
Safety STOP 0............................................... 43 TOOL coordinate system............................... 20
Safety STOP 1............................................... 43 Tool sphere, radius.........................................88
Safety STOP 2............................................... 44 Trademarks..................................................... 10
Safety stop, external...................................... 53 Training.......................................................9, 77
Safety zone.............................................. 43, 46 Transportation................................................. 58
Safety, general................................................41 Turn-tilt table...................................................41
SBC.................................................................12 Type of monitoring space.................... 100, 104
Selecting the operating mode................. 47, 48
Serial number, robot.......................................79
Service life................................................37, 43
SHS1...............................................................12
U
Uninstalling via smartHMI.............................. 74
SIB.................................................................. 12
Uninstalling via WorkVisual............................72
Signals, brake test............................... 145, 147
Updating via smartHMI...................................73
Simulation....................................................... 64
Updating via WorkVisual................................ 71
Single (menu item).............................. 199, 200
US2................................................................. 63
Single point of control.................................... 66
Use, contrary to intended use....................... 41
smartPAD................................................. 44, 57
Use, improper................................................. 41
Software................................................... 16, 41
User.......................................................... 43, 45
Software limit switches............................ 54, 56
User groups.................................................... 77
Space-specific velocity.................. 29, 100, 105
User rights, displaying....................................77
Space dimensions........................................ 102
Space type........................................... 100, 104
Sphere, radius................................................ 88
Spline, override reduction............................ 159 V
SPOC..............................................................66 Velocity monitoring......................................... 53
Standstill monitoring............................... 33, 115 Velocity monitoring functions..........................32
Start-up.....................................................59, 85 Velocity, space-specific...................................29
Start-up mode.......................................... 62, 85 Version, safety configuration.......................... 79
Start-up, overview...........................................86 Version, safety option.....................................79

W
Warnings........................................................... 9
Workspace......................10, 17, 22, 25, 43, 46
WorkVisual...................................................... 15
WORLD coordinate system............................20
X
X22..................................................................13
X25..................................................................13
XML export..................................................... 83
XML import..................................................... 81

KST SafeOperation 35 en

Uploaded by

Copyright:

Available Formats

KST SafeOperation 35 en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

KST SafeOperation 35 en

Uploaded by

Copyright:

Available Formats

KST System Technology

Publication: Pub KST SafeOperation 3.5 (PDF) en

Book structure: KST SafeOperation 3.5 V3.2

Version: KST SafeOperation 3.5 V3

2/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 3/289

4.5.2 Safety controller..................................................................................................... 48

4/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

6.5 Displaying information about the safety configuration......................................... 79

7 Start-up and configuration..................................................................... 85

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 5/289

7.8.3 Programs for the brake test.................................................................................. 141

8 Interfaces to the higher-level controller............................................... 177

6/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

10.2 System messages from module: CrossMeld (KSS)............................................. 197

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 7/289

11.1.5 Checklist: Axis-specific velocity monitoring.......................................................... 255

12 KUKA Service........................................................................................... 277

8/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

1.1 Target group

This documentation is aimed at users with the following knowledge and

• Advanced knowledge of the robot controller system

For optimal use of our products, we recommend that our customers

1.2 Industrial robot documentation

The industrial robot documentation consists of the following parts:

• Documentation for the robot arm

1.3 Representation of warnings and notes

These warnings contain references to safety-relevant information or gen-

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 9/289

This warning draws attention to procedures which serve to prevent or rem-

edy emergencies or malfunctions:

Procedures marked with this warning must be followed exactly.

These notices serve to make your work easier or contain references to

CIP Safety® is a trademark of ODVA.

EtherCAT® is a registered trademark and patented technolo-

1.5 Terms used

• Cartesian monitoring spaces

10/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 11/289

12/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 13/289

Further information about open-source licenses can be requested from

14/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

2.1 Overview of SafeOperation

SafeOperation is a safety option with the following functions:

The safety configuration can either be created and edited in WorkVisual

SafeOperation cannot and must not be used in conjunction with a CK.

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 15/289

Fig. 2-1: Example of a cell with SafeOperation

1 Reference switch 5 System control panel

These software components are included in the safety option:

16/289 | www.kuka.com KST SafeOperation 3.5 V3 | Issued: 11.04.2019

Various interfaces are available for connection to a higher-level controller.

2.2 Monitoring spaces

A maximum of 16 monitoring spaces can be configured. A cell area must

KST SafeOperation 3.5 V3 | Issued: 11.04.2019 www.kuka.com | 17/289

The cell area is a Cartesian workspace in the form of a convex polygon

If the robot is stopped by a monitoring function, it requires a certain stop-

The stopping distance when a monitoring function is triggered varies ac-