Drive-based functional safety

ABB Australia Pty Ltd
Thursday, 03 April, 2014


Today, new drive technology is making the previously complicated job of implementing a machine safety system much easier. Recent technical advances make safer operation less complex, while at the same time offering exciting new potential for productivity and uptime gains.

In any industrial process it is critically important that when something goes wrong the machinery is quickly and safely brought to a safe state, which usually means stopped. Once stopped it must not start unexpectedly. Depending on the application and its work cycles, machines may also need to operate at reduced speed during specific times. Any malfunction in machine control can result in hazardous situations leading to serious injury, or even death, with disastrous effects for the company, its people and its image.

Ultimately, machine builders and system integrators have the responsibility for ensuring that any product or machine they supply is safe. It must be designed by following safety principles and must comply with relevant directives, standards and national laws. The machine’s end user has responsibility extending through the entire life cycle of an industrial system. It is thus vitally important that safety planning is included from the very start of any machine design process. This way safety becomes a natural, functional part of the machinery and not an afterthought.

Drive-based functional safety (which we can define as “active machine safety functionality designed to work with drives”) simplifies the task because drive safety functions are certified and integrated into the drive system.

Safety is important in industrial applications involving motors, drives and PLCs, and machine safety is achieved by identifying and reducing risks to an acceptable level. Risk reduction is done by an inherently safe design and by applying risk-reducing protection measures.

When done correctly, these measures can be flexible, reliable and easy to use. They also bring solid economic benefits such as increased productivity and uptime, without generating additional risks.

Towards integrated drive-based functional safety

The job of implementing a machine safety system is easier today thanks to three main factors:

  1. Modern electronics enable safety functions to be directly integrated into a drive’s safety logic, so functional safety is a standard feature of the drive.
  2. Legislation has kept pace with these advancements with new standards that define the requirements and provide guidelines for implementing machinery safety.
  3. Engineering companies have developed a wide range of safety devices and solutions that are easy to integrate in industrial applications for improved safety, uptime and functionality.

These three factors have enabled safety solutions that can be more effective in preventing accidents, less costly to implement, easier to adapt and more reliable than previous hardwired electromechanical systems.

The result is that electromechanical safety systems can now be replaced with electronic safety functions that are built directly into the drive’s safety logic, working seamlessly side by side with the drive’s normal control functions.

Drive-based functional safety solutions in industrial systems

Drives, simply put, control movements such as motor speed and torque in industrial applications like conveyors and cranes. As the level of complexity and modularity of industrial automation increases, drive-based functional safety is fast becoming an important part of overall safety design for industrial processes.

When sensing a hazardous situation, a drive-based functional safety system can react in several ways. It might, for example, initiate an emergency stop based on user input. Or if it detects an out-of-control situation such as system overspeed, it can stop a process in a controlled and orderly way.

In larger systems with several drives, control of the overall safety system can be done using a safety PLC, which activates drive-based safety functions when required in the whole system.

Typical drive-based functional safety functions

Safe torque off (STO)

STO is the required basic foundation for drive-based functional safety, since it brings a drive safely to a no-torque state. STO is typically used for prevention of an unexpected start-up of machinery (EN 1037) or for an emergency stop, fulfilling stop category 0 (EN 60204-1).

Figure 1: Upon activation, STO immediately switches off the drive output to the motor. Motor speed then coasts to a stop.

Safe stop 1 (SS1)

SS1 stops the motor safely using a controlled ramp stop and then activates the STO function. SS1 is typically used in applications like rolling mills where motion must be stopped in a controlled manner before switching to a no-torque state. In addition to a safe process stop, SS1 can also be used to implement an emergency stop, fulfilling stop category 1 (EN 60204-1).

Figure 2: When activated, SS1 will ramp motor speed down to a standstill and then activate the STO function.

Safe stop emergency (SSE)

SSE is a safety function specifically designed for emergency stops. SSE can be configured to execute either STO or SS1 depending on which emergency stop is suitable for the system. For examples of this functionality see Figures 1 and 2.

Safely-limited speed (SLS)

SLS prevents motors from exceeding a defined speed limit. The SLS safety function can be used in applications such as decanters, mixers, conveyors or paper machines where excess speed can be hazardous - for example, during maintenance or cleaning operations.

Figure 3: Upon activation, SLS will monitor that motor speed does not exceed a defined level. If it is exceeded, SLS will activate STO or SSE to stop the drive.

Safe maximum speed (SMS)

SMS is a variant of the SLS safety function. It provides continuous protection against a motor exceeding a defined maximum speed limit.

Figure 4: When SMS is used, it is always active and ensures that the set speed limit (i.e. the maximum allowed speed) is not exceeded.

Safe brake control (SBC)

SBC provides a safe output signal to control a mechanical holding brake. Drills, cranes, winches, hoists, vertical conveyors and elevators that need external brake solutions require this type of safety function. Typical use for SBC is when a drive is switched off with the STO function and there is an active load affecting the motor (such as a hanging load on a crane or winder).

Machinery Directive, relevant harmonised standards and national laws

Under the directives and national and regional laws, end users, machine builders and system integrators are generally responsible for the safety of machines and systems. In this article we will mainly refer to EU legislation, which is, however, based on IEC/ISO standards that are globally applicable.

To fulfil the requirements of EU Machinery Directive 2006/42/EC, it is sensible for the machine builder to follow a roadmap of set safety design steps. This helps both to meet legal requirements for the CE compliance marking and also to generate the necessary technical documentation.

Functional safety regulations in the EU consist of two parts: the Machinery Directive and the harmonised safety standards. The harmonised standards provide the technical means and procedures to fulfil the Machinery Directive requirements.

European standardisation organisations CEN, CENELEC and ETSI have harmonised certain international IEC/ISO standards as means to fulfil the legal requirements of the Machinery Directive. Product standard EN/IEC 61800-5-2 specifically focuses on drive-based functional safety and defines the standardised safety functions such as safe torque off (STO), safe stop 1 (SS1) and safely-limited speed (SLS).

Harmonised standards: relevant for safety design including drives

The harmonised safety standards are a collection of ISO, IEC and European standards listed under the EU Machinery Directive. A harmonised standard, identified by the prefix EN, is an agreed norm in the EU member states and basis for national laws. Outside the EU the same standards, in IEC/ISO versions, provide a global requirement framework that machine design should comply with.

Roadmap for achieving conformity

The Machinery Directive requires machine manufacturers (or their representatives) to perform and document a risk assessment. The machine design must then take these results into account, with any risks reduced to an acceptable level. This is done either via risk-reducing machine design changes or by applying appropriate safeguarding techniques such as drive-based functional safety.

After the risks have been reduced to an acceptable level, measures to control any residual risks have to be documented in user documentation (warnings, instructions, etc.).

A common way to design a safe machine and ensure conformity is to follow suitable harmonised standards when implementing the safety system. By fulfilling the requirements of harmonised standards, the machine is presumed to conform to the essential health and safety requirements (EHSR) of the Machinery Directive.

Certified safety devices greatly simplify the design and validation process of a safety system. This is a big advantage since certified devices already have the necessary safety capability to achieve a given safety level and the necessary supporting safety data for safety integrity level (SIL)/performance level (PL) verification calculations.

Usually a third-party certification is not necessary for machines. Manufacturers can ‘self-declare’ conformity to the Directive based on proper design and documentation, a conformity assessment and achievement of CE marking.

Harmonised standards provide unified guidelines for hazard and risk assessment, and also outline the approach for reducing risks to acceptable level (EN ISO 12100). Designing machine safety functionality is most effectively achieved by following the harmonised standards for the specific machine types, if they exist, or the harmonised generic machinery application standards EN/IEC 62061 or EN ISO 13849-1.

Drive-based functional safety

Functional safety can be easily achieved with safety devices that are, themselves, already certified to the most relevant functional safety standards. Safety functions that are integrated inside the drive eliminate the use of costly external safety add-ons like contactors, safety relays, etc. Using integrated drive-based functional safety results in cleaner installation and lower costs, with fewer components needed to reach the required SIL or PL.

Example: Traditional safety solution

The traditional way of building a safety system includes connecting safety limit switches, relays and external safety monitoring devices and contactors, together with the drive.

Once the protective cage door to the conveyor has been opened, the safety limit switch detects the open door. This sends a signal to the drive to decrease speed. At the same time the signal is sent to an external safety monitoring device (safety logic), which together with an encoder speed measurement implements the SLS safety function for safe speed monitoring.

People can now interact safely with the slowly moving conveyor and perform their task. After leaving the conveyor and closing the protective cage door, the safety monitor has to be reset with a button, before the conveyor is allowed to increase back to normal speed.

If, for some reason, during the safe speed phase when SLS is active, there is a malfunction that causes the conveyor belt to suddenly increase speed, the safety monitor will detect the overspeed and activate the motor contactor that interrupts the drive’s output to the motor, thus stopping the conveyor.

The main benefit of a traditional electromechanical safety solution is that the safety solution can be built together with drives that do not have safety functionality integrated into them.
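As an added example (not from the article and not ABB code), the following Python model shows how the STO, SS1, SLS and SMS functions described above interact in a single monitoring loop, replayed over the cage-door conveyor scenario. The class and function names, the speed limits, the ramp rate and the speed values are assumed illustrative values, and a limit violation is modelled as tripping STO directly.

```python
from dataclasses import dataclass, field


@dataclass
class DriveSafetyMonitor:
    # Assumed illustrative limits; a real drive takes these from its safety parameters
    sls_limit: float = 100.0    # rpm allowed while SLS is active (e.g. door open)
    sms_limit: float = 1500.0   # rpm, safe maximum speed, always monitored
    ss1_ramp: float = 250.0     # rpm removed per cycle during an SS1 ramp stop
    sls_active: bool = False
    ss1_active: bool = False
    torque_off: bool = False    # STO state: drive output to the motor is off
    events: list[str] = field(default_factory=list)

    def _sto(self, reason: str) -> None:
        # STO: disable the power stage; the motor coasts and stays off until reset
        self.torque_off, self.ss1_active = True, False
        self.events.append(f"STO ({reason})")

    def request_ss1(self) -> None:
        # SS1: controlled ramp to standstill, then STO
        if not self.torque_off:
            self.ss1_active = True
            self.events.append("SS1 requested")

    def cycle(self, demanded: float, measured: float) -> float:
        """One monitoring cycle; returns the speed reference the drive may apply."""
        if self.torque_off:
            return 0.0
        if measured > self.sms_limit:            # SMS: always active
            self._sto(f"SMS violated: {measured:.0f} rpm")
            return 0.0
        if self.sls_active and measured > self.sls_limit:   # SLS while requested
            self._sto(f"SLS violated: {measured:.0f} rpm")
            return 0.0
        if self.ss1_active:                      # SS1 ramp, STO at standstill
            ref = max(0.0, measured - self.ss1_ramp)
            if ref == 0.0:
                self._sto("SS1 ramp complete")
            return ref
        return demanded


def cage_door_scenario() -> list[str]:
    """The conveyor example: door opens, reduced speed, then a fault overspeeds."""
    m = DriveSafetyMonitor()
    m.cycle(demanded=800.0, measured=800.0)   # normal running, no event
    m.sls_active = True                        # limit switch reports door open
    m.events.append("SLS activated")
    m.cycle(demanded=80.0, measured=80.0)      # drive slowed down, within limit
    m.cycle(demanded=80.0, measured=130.0)     # constructed fault: belt speeds up
    return m.events
```

Once STO has tripped, `cycle` keeps returning 0 until an explicit reset, which mirrors the reset button required before the conveyor may return to normal speed.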

Example: Integrated drive-based functional safety

With integrated drive-based functional safety, the safety functions are implemented into the machine via the drive. As a result, the use of externally wired discrete safety devices such as safety monitors, wiring and encoder can be eliminated.

Integrated drive-based functional safety not only simplifies the overall safety design process, but with fewer parts and less wiring, the complexity of configuration and installation is also significantly reduced for a lower total cost.

Compared to the traditional safety solution, integrated drive-based functional safety includes the same functionality but it is simply built into the drive. The most basic functionality level is the STO circuit inside the drive, which can safely disable the drive’s power stage, thus eliminating any need for a motor contactor.

Using drive-integrated safety functions eliminates the hassle of figuring out how to hook up and wire the logic with relays, reset signals and contactors as the drive safety functions are predesigned in the module, waiting to be commissioned.

Where multiple drive systems are in use, a safety PLC can be used to coordinate the safety functions of the individual drives, further eliminating the need for additional hardware, and the associated additional design and implementation costs.

Summary

The industrial environment is full of moving machine parts which can cause hazardous situations and lead to severe and often permanent injuries. The role of functional safety is to protect people, property and ecosystems from often preventable accidents. It is therefore the ultimate responsibility of device suppliers, machine builders and system integrators to ensure that the products they deliver are safe.

Safety for machines is achieved by complying with relevant safety directives and standards. In the EU, the EHSR which machine builders must comply with are defined in the Machinery Directive 2006/42/EC and the harmonised standards under this directive. For machine builders outside of EU, the IEC/ISO versions of the EU’s harmonised standards provide the necessary requirements and guidance.

Drives have been used for decades in many industrial applications. Where safety in automation systems once required many external add-on devices, the ever-increasing levels of automation employed in industry combined with the electrotechnical capability of many modern drives and safety PLCs mean drive systems now contribute greatly to the overall safety of a system.

Today, new and improved safety solutions and standards enable safety to become an integrated part of drive functionality. Drive-based functional safety means providing drive-based motion control that protects people, property and ecosystems.
