IEC 61800-5-2, functional safety of variable-speed drives

According to Kevin Connelly, business development manager for power and controls at UL, component manufacturers now have an important opportunity to secure functional safety certification that gives them - and their customers - a higher level of assurance than they have had before.

He says: "Now there is the possibility - and the standards - to integrate safety functions into motor drives. In conventional machine/safety relations, you always needed safety relays, sensors, programmable logic controllers and so on; today, much of that external or additional safety equipment can be integrated into the drives themselves."

In fact, adjustable speed power drive systems (also known as variable-speed drives or VSDs) are playing an increasing role in the design, implementation and achievement of safety. This has come about for a number of reasons, including increasing automation, the demand for increased productivity, and the desire to reduce the physical labour of operators. Thomas Maier, the principal engineer for functional safety at UL, comments: "Before standards were established, there was a reluctance to accept electronic and programmable electronic components in safety related functions." This was due to uncertainty regarding the safety performance of this technology.

Functional safety of electrical drives

With the advent of IEC 61800-5-2 (BS EN 61800-5-2 is identical), times have changed, in terms of functional safety and motor drives. Maier states: "This is a functional safety standard for components. It is derived from IEC 61508 - the standard that drives the functional safety of machinery in the United States and Europe - and it is a standard that should ease the integration of functionally safe frequency converters, drives, and other power drive systems into safety installations, according to IEC 61508, IEC 62061, or EN ISO 13849-1."

To see how the new technology and new standards are affecting functional safety, Maier says to consider the simple emergency stop for a drive: for a conventional drive, to install an emergency stop requires an emergency stop button, an electrical/electronic safety relay that monitors the button, and a contactor actuated by the safety relay to remove the power from the drive and make it stop. However, with integrated functional safety, you can get rid of the contactor, which typically is large and expensive, as well as the safety relay, by integrating safety logic into the drive.

Maier states: "That is a big economic advantage for our customers, and for our customers' customers. Machine builders save space, components, and money, and have a less complex system that is easier to monitor and maintain."

Simplified design of safety systems

According to Maier, having the component with integrated functional safety makes it easier to design safety systems, as they can be considered safety modules that are easily plugged into the overall safety installation.

Examples of industrial applications where they could be used are:

• Machine tools, robots, production test equipment and test benches
• Papermaking machines and textile production machines
• Process lines in plastics, chemicals or metal production
• Rolling mills
• Cement crushing machines, cement kilns, mixers, centrifuges, extrusion machines
• Drilling machines
• Conveyors, materials handling machines, hoisting equipment
• Pumps, fans, etc

Maier continues: "There are numerous examples where control systems employ adjustable-speed power drive systems as part of safety measures to reduce risk. A good example is the safety function called 'safety limited speed.'" This function is used when a safety door is opened or light curtain crossed to slow down a machine to a speed that is no longer dangerous to the operator.

"In such cases, production is not stopped. Or, the operator can come close to the machine and do commissioning work or repair work; having the machine in motion allows testing to be done on the spot."

Design and verification

IEC 61800-5-2 provides a methodology to identify the contribution made by an adjustable-speed power drive system to identified safety functions and enables the appropriate design and verification that it meets the required performance. Maier says: "First, you need to have the safety requirements. That means safety-related functions: identifying which functions are safety-critical, and knowing how safe they need to be."

A measure of the degree of safety needed has to be set, either at a safety integrity level (if the installation is according to IEC 61508 or IEC 62061) or at a performance level (if the installation is according to EN ISO 13849-1). The first step of development, then, would be to write a safety requirement specification, as Maier explains: "This means specifying the functions and safety levels in more detail in relation to the interfaces that you plan as well as explaining how to activate the safety functions, what the fail safe reactions will be, and what reaction times will be needed."

You may have to customise these functions. If, say, you have a safety limited speed, there is no interest in fixing that to a certain value; it must be customisable. So the challenge of customising safety-relevant parameters in the drive must be addressed. Maier says: "Everything you define in that document will be implemented, and everything you have implemented will be verified against the safety requirements specification."

From that point on, it is very important that the developer of the system uses good development processes, especially when it comes to software. They will need a structured approach to software; a V model-based design is highly recommended. (The V model approach is common good practice in the development of software and complex systems. On the left side of the 'V' is the development path; on the right side is the verification path. For every step of development, corresponding verification or validation must take place.)

Maier states: "With this approach, we get hold of critical problems, and discover faults, as early on as possible."

Certification of components

According to Connelly, one of the real benefits for machine and system builders is that IEC 61800-5-2 is a component-based standard. He says: "This means that you can give that component - that drive - a certificate. This tells the machine builder or, more importantly, the test houses that have to certify or inspect a machine or system, that they do not have to look any further into the component."

The certification tells them what is inside. They know what it delivers. And they can consider it a module. Connelly concludes: "This will ease the machine design task, as well as the testing and certification task."

For more information on functional safety in motor drives, contact Kevin Connelly at +1 631 546 2691 or email [email protected]. Additional information is available at www.ul.com/functionalsafety.