Ross Fenion, the business development manager for drives and motion control at Pilz, offers an insight into the application of the safe motion standard EN 61800-5-2.
Safety functions in the field of motion are often reduced to a single bullet point announcing that safe torque off (STO) is integrated into this drive. However, with the increase of electronically driven motion control, end users and OEMs alike need to consider the safety functions and assess whether they are suitable for the application and the electronics they are using.
Stop functions are found in both EN 60204 and ISO 13849 and define the same three stop functions with different titles:
- Stop category 0 (safe torque off)
- Stop category 1 (safe stop 1)
- Stop category 2 (safe stop 2)
Modern drive technology enables these functions to be integrated into the drive and also introduces the possibility of a large number of more flexible stop and safety limiting options. Servo amplifiers with integrated safety functions in accordance with EN 61800-5-2 are now available, providing much simpler options, even for complex safety requirements.
EN 61800-5-2 (Adjustable speed electrical power drive systems. Safety requirements. Functional) provides a systematic method to identify the safety function enabled by a motion control system, and assists in the appropriate design and verification to ensure that it meets the required safety performance. The standard divides safety functions into Stop functions, Safe motion functions and Safe braking functions. Below are the descriptions of stop and safety functions that can be used on a modern drive and an example of its use.
Safe stop functions
Safe Torque Off (STO)
The power to the motor is safely removed so that no further movement is possible. It is not necessary to monitor standstill. If an external force effect is anticipated, additional measures should be provided to safely prevent any potential movement (mechanical brakes, for example). This safety function corresponds to a Category 0 stop (uncontrolled stop) in accordance with IEC 60204-1 (Safety of machinery. Electrical equipment of machines. General requirements). If the function is triggered during operation, the motor will run down in an uncontrolled manner, which is not desirable in practice. That is why this function is generally used as a safe reset lock or in conjunction with the safety function SS1. Modern servo amplifiers include an integrated safe shutdown path, so safe devices are now available that prevent unexpected start-up and shut down safely in the case of danger.
Typical application: this is still the most common type of stop and is typically used on conveyors and other none position-specific applications.
Safe Stop 1 (SS1)
With safe stop 1 (SS1), defined motor braking is part of the safety function. When the motor is at standstill, the STO function is triggered. This safety function corresponds to a Category 1 stop (controlled stop) in accordance with IEC 60204-1. In many applications, drives cannot simply be shut down because they would then run down slowly, which could cause a hazard. Also, an uncontrolled run down of this type often takes considerably longer than controlled axis braking. The safe stop 1 function (SS1) monitors controlled braking of the axis directly within the servo amplifier. Once the set braking ramp has run its course, the drive is shut down safely. The reaction times are reduced compared with external monitoring approaches; as a result, in many cases the safety distances to the danger points can also be reduced. This provides a number of benefits such as improved ergonomics for the plant operator, space savings due to the reduced distance between the guards and the danger points, and, last but not least, cost savings.
Typical application: SS1 is often used in press applications or as a minimum on any application with a large load inertia.
Safe Stop 2 (SS2)
With safe stop 2 (SS2), defined motor braking is again part of the safety function. When the motor is at standstill, a safe operating stop (SOS) is triggered. Unlike safe stop 1 (SS1), the motor at standstill is in closed-loop operation. This means that the standstill position is held precisely, due to the active control loop. This safety function corresponds to a category 2 stop (controlled stop) in accordance with IEC 60204-1. So what are the benefits of the safe stop 2 (SS2) function? If the axes no longer need to be shut down at standstill, they will actively hold their current position, so the synchronisation between axes and process is no longer lost.
As a result, the axes can be restarted immediately at any time, which clearly increases plant availability. Here, too, the drive-integrated function leads to shorter reaction times, thereby minimising the risks. The monitoring functions' response times have a direct influence on the potential channels available until a safety shutdown occurs. As the reaction times are used in the calculation of the safety distances, the benefits listed for the safe stop 1 function will also apply here.
Typical application: this function can be used in a vertical axis or any application where maintaining position synchronisation is critical.
Safe motion functions
Modern drive systems not only examine how axes are switched on and off, but also look at the potential risks that may arise during operation of the axes. The functions employed to avoid and/or reduce these risks are summarised here under the heading of Safe motion functions.
Safe Operating Stop (SOS)
The safe operating stop (SOS) has already been described with the safe stop 2 (SS2) safety function. It monitors the standstill position while the motor is in a controlled loop status. Once the safety function has been lifted, the production or machining process can be continued with no loss of precision. This function is generally used in combination with a safe stop 2 (SS2) function, as standstill monitoring usually involves a braking process.
As described above, the limit value can be specified as both a speed threshold and a position window. Application of the safe operating stop (SOS) function is generally intended for the standstill phases of a process. A typical situation would be access to a danger point during process intervention; an operator stops production using a command such as Stop at end of cycle, for example. Once the plant has stopped, the safe operating stop (SOS) function is activated, after which the guard locking device on the access gate is unlocked. The plant can now be accessed without risk.
Typical application: this function is can be used as part of a production process.
Safely Limited Speed (SLS)
Safely limited speed (SLS) is probably the best known safety function. In practice, this safety function is often applied as safely reduced speed. As a result, a defined transition from the operating speed in automatic mode to the reduced speed in setup mode must be guaranteed. If the monitoring function detects that the limit value has been violated, the drive must be shut down safely.
Operators must be protected from any hazard that would lead to an uncontrolled axis start-up in the event of an error. When the safely limited speed (SLS) function is used for these jog functions, the system provides the shortest possible reaction time in the event of an error.
Typical application: in manufacturing processes where some element of the material needs the speed to be limited - for example, in food production.
Safe Speed Range (SSR)
The safe speed range (SSR) can be used to monitor a safe minimum speed, as well as an upper limit. SSR can generally be used for permanent process monitoring. Risks cannot always be eliminated just by limiting the capacity for speeds to suddenly increase. Speeds that reduce suddenly as the result of an error can also present a risk. If axes are operating at a defined distance, a speed that drops abruptly on just one of the two axes may create a risk of crushing. These are the cases for which the SSR function have been defined and developed. This function would be used to shut down the relevant axes, thereby eliminating any hazard to the machine operator.
Typical application: this function can be invaluable in mixing applications where an incorrect speed could mean the loss of expensive product.
Safely Limited Torque (SLT) and Safe Torque Range (STR)
Torque-measuring systems are not widely used on standard drives, but servo drive technology provides the option for indirect measurement via the motor current. The motor current is proportional to the motor's torque, so the hazard resulting from a hazardous movement is limited. Non-hazardous values as regards the effect of forces can be found in the limit value list 2003, in the BIA Report. Such a procedure may only be carried out via drive-integrated safety technology.
Typical application: this function is essential for the growing application of collaborative robotics.
Safely Limited Position (SLP)
Safe position monitoring ensures that the motor does not exceed a preset position limit value. If a limit value is violated, the motor is braked using a safe stop. The stopping performance achievable from a technical point of view must be taken into account. Below the limit value there are no restrictions in terms of acceleration or speed of the motor. Absolute position detection is required for this safety function. Absolute encoders may be used or relative measuring systems may be combined with a safe reference run.
Typical application: stacker or gantry cranes.
Safely Limited Increment (SLI)
The motor is allowed to travel a permitted distance following a start command. A safe stop function must be triggered once the limit value is reached. If the permitted distance is exceeded, this must be detected and the drive must be safely brought to a standstill. Encoder systems with relative measurement are sufficient for this safety function.
Typical application: roller feed.
Safe Direction (SDI)
This prevents the motor from moving in an invalid direction. This safety function is frequently used in combination with safely limited speed (SLS) in setup mode. Here, too, the drive-integrated system enables the fastest possible shutdown.
Typical application: to eliminate risks to operators entering a work area.
Safe Cam (SCA)
A safe output signal indicates whether the motor is positioned inside a specified range. These ranges are absolute position windows within a motor rotation. The basic function involves safe monitoring of absolute positions, which is why appropriate sensor systems must be used.
Typical application: to limit motion so as to prevent damage to machine elements due to out-of-limits movements.
Safe Speed Monitoring (SSM)
The safe speed monitoring safety function (SSM) is very closely related to safely limited speed (SLS). However, if a limit value is violated there is no functional reaction from the components that are monitored, merely a safe message that can be evaluated and processed by a higher-level safety control system. On one side the control system can perform more complex reaction functions, while, on the other, the safety function can be used for process monitoring.
Typical application: a centrifuge application.
Safely Limited Acceleration (SLA) and Safe Acceleration Range (SAR)
Safety functions relating to acceleration monitoring are not widely used in the current state-of-the-art technology. In servo drive technology, Ferraris sensors are used to detect acceleration only in special applications of machine tools or printing machinery. Standard drives cannot process these signals in their control loops; monitoring of these acceleration signals is very complex in practice.
Typical application: large or unstable loads.
Safe Brake Functions
Functions related to holding brakes and service brakes have been summarised under the heading of safe brake functions.
Safe Brake Control (SBC)
Safe brake control (SBC) supplies a safe output signal to drive an external mechanical brake. The brakes used must be 'safety brakes' in which a quiescent current operates against a spring. If the current flow is interrupted, the brake will engage. Control modules frequently include a power reduction feature when the brake is released to reduce energy consumption or brake heating.
A safe brake test may be required to detect errors during operation, depending on the risk analysis. Holding brakes and service brakes are often used on axes with suspended loads. Along with the brake, the brake drive is another key component in terms of the safety function. The safe brake control (SBC) function is generally used to control the holding brake activated once an axis is at standstill.
Typical application: stage and theatre production, especially wire work.
Safe Brake Test (SBT)
Using the safe brake test (SBT) function can significantly increase safety. In many cases, simply controlling a holding brake safely is not enough to make a vertical axis safe. If the wearing, mechanical part of the brake is not maintained regularly, it cannot be guaranteed that the holding brake will apply the designated braking action in the event of danger. The safe brake test (SBT) function provides an automatic test which replaces previous measures that could only be implemented through organisational and manual operations; if the result is negative, it can bring the plant to a standstill and signal an error. This reduces maintenance work considerably.
Typical application: roller coasters or elevators.
More than Safe Torque Off
As more motion is electronically regulated, safe motion will play an increasing role in machinery safety where the advantages of safe working could be realised; not only benefiting workers through a safer working environment but also the overall company by increasing production and reducing down time.
It is important to note that while safety functions on drives can be of great benefit, they do not represent a complete safety system. The entire system must be considered when assessing overall safety.
To learn more about the safe motion standard EN 61800-5-2 and drives and motion control go to www.pilz.co.uk.