Integrated Safety and Motion
Safety functions combined with motion control systems allow simpler operations and cost savings. Previously separate systems were needed. Full shutdowns can be avoided in some situations.
Ever increasing speeds of machines and manufacturing processes underscore the need for enhanced onboard safety functions.
Not every presumed “emergency” requires full shutdown of a machine system. Yet, traditional safety systems offered only complete removal of power regardless of the risk level involved, resulting in unavoidable loss of productivity.
A newer approach is based on comprehensive risk and reliability assessment of the machine system which is then associated with the degree of machine shutdown needed to prevent harm or injury. This allows safe access to machines with the main power left on, to ease setups and troubleshooting and more quickly return to production. Added safety functions prevent unwanted or accidental motion of motors and actuators.
Safety standards have defined functional safety and made it a necessary part of motion control, whereas previously these were separate systems. Europe has led the way with standards like EN 954-1 and IEC 61508, but the 2007 revision of NFPA 79 opened up functional safety to U.S. manufacturers and users. (See more on safety standards online.) Experts say the real driver for integration, however, has been the ability to verify functional safety by tests according to the standards by a nationally recognized testing laboratory.
Safety, integration, benefits
Amid examining technology and productivity issues it’s important to remember the main concern of safe motion: prevention of worker injury or fatality.
Bosch Rexroth Corp. (BRC) considers immediate connectivity and quicker machine stopping time the prime benefit of integrating safety and motion. “When a safety function is activated, you don’t want additional delays
Bosch Rexroth's drivebased SafeMotion and controller-based Safe Logic systems allow operators safe access to food processing or packaging machines to rectify a fault quickly without the need for shutdown.
with fieldbus couplers and/or a slow monitoring PLC to first determine then execute a safety action,” says David Arens, food and packaging applications engineer for Bosch Rexroth. Importantly, bringing a machine to a safe stop condition quickly reduces the chance of injury.
Integration extends benefits to the machine’s bottom line with safety system monitoring and diagnosis. “Efficient diagnosis saves costs by allowing machines to be returned to production faster,” explains Arens.
Related savings come from reduced maintenance due to using one fieldbus. “This benefits OEMs and end users because fewer system connections mean fewer points of failure to be checked,” states Arens. Bosch Rexroth implements integrated safety in its drives and motion systems via one of four fieldbus formats: SERCOS III, Profibus, Profinet, and EtherCAT.
Siemens Energy & Automation attributes several benefits to integrated safety and motion, including fewer components than typically required for traditional safety circuits, reduced engineering time to develop those circuits, less cabinet space for housing components, and less assembly wiring time.
“Furthermore, integrated safety allows greater diagnostic capabilities not inherent in hardwired systems,” says John Krasnokutsky, motion control marketing manager at Siemens E&A. The drive controller can send information of what safety function has been activated, and why, to an HMI screen for evaluation by the operator. Such readily available data reduce troubleshooting time.
Yaskawa Electric used EN 954-1, the present "gold standard" for machinery safety risk assessment, as the basis to certify its V1000 and A1000 drives. A more probabilistic risk assessment method in ISO 13849-1 is scheduled to replace EN 954-1 in November 2009
Siemens builds seven safety functions into its Sinamics S drive family, which offers servo, flux vector, and open-loop motor control. The safety functions are safe torque off (STO), safe stop 1 (SS1), safe stop 2 (SS2), safe operating stop (SOS), safely limited speed (SLS), safe speed monitor (SSM), and safe brake control (SBC)—as defined in standard IEC 61800-5-2 (see more online). Safety functions are turned on via Starter, the configuration software of Sinamics S, and selection of the appropriate action.
“Three basic safety stop commands (STO, SS1, and SBC) can be safety-wired directly to the drive without additional hardware,” Krasnokutsky notes. “However, users can initiate all safety functions over a Profibus or Profinet system through the Profisafe profile.” An alternate implementation path is to use a safe terminal module that connects to the Sinamics S backplane, called Drive-CliQ.
Safety functions include advanced features. For example, SOS holds the motor at full torque (zero speed) and monitors movement from a position setpoint; SLS monitors up to four configurable speed limit values in both rotary directions.
Yaskawa Electric America (YEA) sees users benefiting from integrated safety in overall cost savings, and in minimizing worker hazards. The need for fewer sensors and contactors, and less wiring, also helps cut costs. Results are measurable in higher reliability, longer equipment life, and less labor for installation and troubleshooting, according to YEA.
“Integrated safety allows fast dynamics thanks to simplified protection steps and less time and money spent for maintenance as it is performed within a safe environment meeting stringent TÜV certification,” says Dr. Jun Kang, YEA’s chief engineer for drive technology.
Yaskawa integrates STO safety function in its V1000, A1000, and F7 variable frequency drives and Sigma-5 SGDV series servo amplifiers. With STO, a safety circuit trigger cuts power to the motor (which coasts to a stop), but power to the drive isn’t interrupted. A1000 drive can add more controlled motor ramp down (SS1 and SS2) with a minor software change. V1000, A1000, and F7 drives are certified to EN 954-1 by the internationally recognized testing agency TÜV.
SS1 and SS2 capability is in the works for Sigma-5 SGDV amplifiers via an option card; also an EtherCAT option card is scheduled for summer 2009 launch, explains Scott Carlberg, servo product marketing manager at YEA.
Safety assessment is crucial
Safety features in electric drives, such as safe torque off or safe disable, “revolve around how a system or machine shuts down correctly in response to a worker being exposed to a potential hazard,” explains Carlberg.
BRC’s Arens says, “A proper safety assessment is needed even after the safety system is installed to assure it protects all people in and around the machine.” Another step for successful implementation is knowledge of application-specific safety standards. For example, different types of guards, doors, interlocks, and safety precautions apply to different machinery.
Redundancy is an important aspect of a safety system as it eliminates the possibility of a single failure compromising the safety function. At Bosch Rexroth, Arens says this translates to using at least two operating channels in safety systems—whether two hardwired channels, one hardwired plus one fieldbus channel, or two independent channels within the fieldbus. Similarly, the encoder module splits its signals to two monitoring channels. If either monitor detects improper motion, the machine goes to a safe condition.
For simplicity, Yaskawa V1000 microdrive uses one safety input, but splits the input internal to the drive to satisfy redundancy requirements of standard EN 954-1, category 3. Current interruption in either circuit triggers a safe disable, shutting off the output transistors’ gate circuit, which cuts power to the motor. A1000 drive employs two safety inputs where current interruption in either input similarly causes safe disable.
Redundancy in Siemens’ Sinamics S drives is handled by a two processor system with independent switch-off paths and internal monitoring. “This provides the dual channel required by safety systems. Hence, if one channel fails or sends inconsistent data, the other knows about it and the system faults in a safe state,” says Krasnokutsky.
Combining safety with motion in one system has been enabled, in part, by development of communication buses more reliable than hardwired non-intelligent systems. Requirements included proof that communication and motion control could work independently on the same fieldbus, a way to verify communication integrity, and fast data flow—under 10 ms in cyclic or repeated messages, says BRC’s Arens. Also needed were drives, safety devices, I/O modules, etc., able to read and respond to safety signals fast enough and test reliably to a safety standard.
EtherCAT handles communication of motion-specific safety functions among machine system elements via the Functional Safety-over-EtherCAT protocol. The industrial Ethernet-based fieldbus features SIL 3 capability.
One notable fieldbus—EtherCAT—for some time has provided high-performance communication for automation, motion control, and safety applications, notes Joey Stubbs, PE, PMP, North American representative of EtherCAT Technology Group (ETG).
“Functional Safety-over-EtherCAT (FSoE) protocol was developed for use with EtherCAT fieldbus to ensure that users can take full advantage of integrated safety in their machine control designs without the need for dedicated safety-specific wiring or communication cables,” Stubbs says.
For added safety functionality, ETG has recently enhanced the FSoE protocol with a standard device profile for EtherCAT-enabled drives called Safety Drive Profile. Stubbs attributes the ability of Safety Drive Profile to integrate motion and safety to three “ingredients”:
Well-defined EtherCAT drive profiles of DS402 (CAN) or SERCOS Drive Profile;
Well-defined FSoE protocol, which allows standard implementation of safety devices and logic controllers on EtherCAT, independent of a vendor; and
Definition of safety-relevant drive functions as part of IEC 61800-5-2.
“By combining these three open ingredients, there is now opportunity to have true vendor-independence when implementing safety in motion applications,” he says. Benefits of FSoE Safety Drive Profile reportedly include easier integration of third-party drives and other devices in safety systems that include motion.
“This is a must for integrators who want flexibility to select the most suitable components from multiple vendors,” Stubbs says. “In addition, today’s safety-enabled drives go beyond old methods of 'drop mains power’ and 'disable motors’—to safe speed limits, safe-stop functionality, safe torque, etc. EtherCAT technology originated from Beckhoff Automation of Germany. It became an open bus in 2003 with the creation of EtherCAT Technology Group. Today, ETG has 910 members from 44 countries comprised of drive and device vendors, machine builders, and end users.
“In general, the U.S. is behind the curve in integration of safety,” states Arens. The strategy has been to add safeguarding after the machine is installed rather than at the design stage. Led by Europe, the designed-in approach is less costly and extends safety beyond a machine’s point of operation.
“It gives machine operators options in applying integrated safety where bypassing the system may have been the only prior option,” adds Arens. “U.S. acceptance has been led by exporting companies, mainly in machine tool and printing machine markets. General automation and packaging have been slower adopters.”
Standards like IEC 61508 and particularly the 2007 revision of NFPA 79 promote U.S. acceptance of safety functions integrated into drives, according to Siemens. NFPA 79 now allows software/firmware based controllers to be used in safety-related functions where the drive serves as the final switching element. It eliminates the requirement for a final external disconnect (contactor).
“As customers become more comfortable with the new standards and integrated safety capabilities, implementation of safety-relevant drive systems will greatly increase,” Krasnokutsky adds.
While technology has only recently advanced integrated safety and motion to reality, its basic principles of human safety and machine efficiency have long been known. In 1890 Werner von Siemens stated, “Prevention of accidents must not be understood as a regulation required by law, but as a precept of human responsibility and economic reason.”
Frank J. Bartos, P.E., is Control Engineering consulting editor. Reach him at firstname.lastname@example.org .
Related resources on machine safety follow.
Review today’s machinery safety standards
Review today’s machinery safety standards
A number of interrelated—and sometimes overlapping—safety standards have been developed as a result of the European Commission’s enactment of the wide-ranging Machinery Directive. Different safety standards apply to manufacturers of machines and electronic control system and drives.
For machines builders, EN 954-1 (European), ISO 13849-1 (International Standards Organization), and IEC 62061 (International Electrotechnical Commission) standards currently apply with one important change. EN 954-1 (“Safety of machinery, Safety related parts of control systems”) is in a transitional period that expires as of Nov. 2009, when ISO 13849-1 (with the same title) becomes the applicable standard. EN 954-1 has served as a sort of “gold standard” but its simpler deterministic approach to assessment of risk and safety system reliability needed updating to newer probabilistic methods and technology advancements.
For electronic control system and drives manufacturers, applicable standards include IEC 61508 (“Functional safety of electrical/ electronic/ programmable electronic safety-related systems”) and IEC 61800-5-2 (“Adjustable speed electrical power drive systems”). These newer standards cover the concepts of functional safety discussed in the main article, “Integrated Safety and Motion.” They define methods to assess probability of dangerous failure in machine and control systems through calculation tools such as safety integrity level (SIL) and performance level (PL).
ISO 13849-1 builds on EN 954-1, specifying system reliability in one of five PLs, based on a “hardware-oriented structure,” calculated mean time to dangerous failure, and diagnostic coverage of the safety function. This standard applies beyond electric/electronic systems to include hydraulic and pneumatic equipment.
IEC 61508 was the first safety standard to address failure in a probabilistic way. It defines safety system requirements using SIL 1 through 4 and is often cited as a test standard for safety devices. This standard is also the basis for three others: ISO 13849-1, IEC 62061, and IEC 61800-5-2.
IEC 62061 (“Safety of machinery–Functional safety of safety-related electrical, electronic, and programmable electronic control systems”) applies safety classifications only up to SIL 3. Required SIL is obtained using three factors—exposure frequency; hazard occurrence probability; and prevention possibility—the sum of which determines a harm probability class. The class number expressed in four ranges and a further parameter, seriousness of possible harm (levels 1-4), form a matrix from which SIL can be determined.
IEC 61800-5-2 (“Adjustable speed electrical power drive systems”) applies specifically to electric drives. It also expresses safety requirements as SIL 1-3 and defines the various integrated safety functions (STO, SS1, etc.) discussed in the main article.
U.S. standards transition
Involvement of the U.S. in machinery safety standards originated through parts of American National Standard Institute (ANSI) and Occupational Safety and Health Administration (OSHA) standards that dealt with “removal of power from a motion device.”
A more recent and significant development is the change in the 2007 revision of NFPA 79: “Electical Standard for Industrial Machinery,” issued by the National Fire Protection Association. NFPA 79 (section 184.108.40.206.1.4) allows a safety-relevant drive to be the final safety disconnect (or switching element) for machine safety operation. This eliminates the need for a separate, external contactor or safety switch that was previously required.
NFPA 79 2007 covers control systems for safety related functions and recognizes safety testing of drive systems in accordance with IEC 61508 and IEC 61800-5-2.
Portions of this article are based on information in Bosch Rexroth Corp. publication “Safety Onboard Functional Safety in Automation” (2008).
Expect further safe motion advances in 3D
Most safety systems for industrial machinery rely on safety devices, such as sensors, switches, gates, and light curtains, which are basically two-dimensional devices. A recent addition of the safety camera to safeguarding robotic and machining cells promises to move safe motion into another dimension.
In 2007, Pilz GmbH—and its U.S. subsidiary, Pilz Automation Safety LP—introduced what they say is the world’s first 3D safe camera system for control and monitoring. Called SafetyEye, the sight-based system reportedly provides simpler safeguarding of potentially dangerous workplaces than a system of multiple two-dimensional sensors.
Depending on the application, SafetyEye allows a machine’s monitored danger zone to be divided into warning and detection zones, explained Andreas Hahn, product manager for Pilz, in a presentation at the SPS/IPC/Drives show (Nuremberg, Germany) in November 2008.
“This way, a violation of the monitored zone does not directly or automatically cause a machine to stop completely,” Hahn said. “If the system detects a person within the warning zone, machine speed can initially be reduced via safely limited speed (SLS), while a visual or audible warning is issued simultaneously. Should the person step back out of the warning zone, the machine immediately returns to normal operating speed.”
However, if SafetyEye senses a violation of the detection zone the machine is brought to a safe condition via safe stop 2 (SS2). SLS and SS2 are among safety functions defined in standard IEC 61800-5-2 (see more online). “This means that in many cases, safety fences [or other machinery safeguards] are no longer necessary,” Hahn concludes.