Safety-certified and diverse-redundant encoders for motion control

For motion control systems, a key to improving operational safety is ensuring the sensors the system relies on to maintain control are trustworthy.

By Klaus Matzker September 11, 2020


Learning Objectives

  • Safety should be a major facet of any heavy machinery design.
  • Safety-certified encoders can help streamline the development of safety-critical systems.
  • Magnetic and optical encoders also can help improve safety.

Safety should always be an important design objective. This is especially true for machinery such as lifts and elevators, industrial robots or construction machinery where equipment malfunction or loss of control could result in serious injuries or damage. In some jurisdictions, formal safety analyses to reduce the risk of serious accidents are legally required.

For motion control systems, a key to improving operational safety is ensuring the sensors the system relies on to maintain control are trustworthy. Sensors such as encoders, inclinometers, and others must provide dependable feedback on the motion/position of the mechanical components being controlled. In the event of a sensor malfunction, these devices must provide the control system with a clear message that the feedback loop has failed and that actions should be taken to limit or halt operations.

A widely used method of ensuring motion control systems are reliable and fail-safe is to incorporate a degree of redundancy into the feedback loops. If the control system receives similar signals from two different sensors set up to measure the same mechanical property, it is reasonable to assume that both are functioning properly. Discrepancies between the readings would indicate a fault.

Safety-certified encoders

Encoders are available from several sensor manufacturers that feature built-in redundancy in the form of two separate rotation measurement modules installed in one housing, sharing one shaft. A special verification chip monitors outputs from these two modules to check for consistent measurements. If a discrepancy is detected, this chip will block the transmission of questionable data to the controller, indicating a fault. With this fail-safe feature, these encoders can be certified to Performance Level PL d, Cat. 3 (according to the safety standard ISO 13849) or SIL 3 (according to IEC 61508). Certification is carried out by special licensed agencies.

Safety-certified encoders can be used to streamline the development of safety-critical systems since they are guaranteed to provide the control system with either verified position data or a clear indication it has developed a fault. However, there are drawbacks. This approach can be inflexible when handling failure situations: since these sensors simply switch off, they provide no guidance on how to transition the machinery to a safe state.

Certified devices also can be more expensive than ordinary encoders because of the cost of certification by an independent lab. Moreover, they are only available in a limited number of mechanical configurations, so the machine builder may be obliged to use adaptors to make them fit into a design.

Introducing diverse-redundant encoders

Diverse-redundant sensors provide a less expensive, more flexible alternative to certified encoders for safety-related motion control systems. Like their certified counterparts, these devices have two measurement modules built into a shared housing (redundancy). However, in this case, signals from both measurement systems are transmitted to the controller (such as a programmable logic controller or industrial computer) via a CANopen network. The supervising controller is responsible for comparing the output of the two semi-independent measurement systems to verify both are functioning correctly.

To reduce the danger of common cause faults, these devices are built with magnetic and optical measurement technologies. These measurement systems are mounted in tandem on a shared shaft and installed in a common housing. Resolution is 16 bits per revolution.

The list of available options includes robust housings designed for protection levels up to IP67, different connector types, and many flange and shaft variants (hollow or solid shaft). This range of choice makes it possible to select a configuration that can be integrated into new or existing machines. Communications are handled through the CANopen interface.

Safety-ready encoders are suitable for harsh environments and a wide range of operating temperatures. Magnetic encoder technology is robust and the optical components have been specially protected against condensation by the addition of an extra membrane. The optical and magnetic sensor elements are absolute encoders that measure the position value in single and in multi-turn mode – absolutely battery- and maintenance-free.

These devices can be less expensive and more versatile than specialty safety-certified encoders, while often being effective in terms of improving functional safety. To assist in safety certification of a motion control system, mean time to dangerous failure (MTTFd) data is provided by the manufacturer.

Applications for safety encoders range from heavy construction equipment and mobile machines to crane technology and elevators to complex stage technology for complex productions.

Selecting safety encoders

For one-off or low volume products developed under tight time constraints, the convenience of working with SIL or PL-certified encoders (reduced development times, less safety knowledge required) might outweigh the extra cost and limited availability of these devices.

For many projects, diverse-redundant encoders can provide an effective and cost-efficient solution. The two independent measurement channels provide a sound basis for building machines that can be certified to Performance Level PL d, Cat. 3, according to ISO 13849. Diverse-redundant encoders also offer flexibility in handling malfunction conditions. In some cases, the control system might be able to use other system knowledge to make a reasonable assessment as to which redundant measurement module is malfunctioning and if the surviving module can provide useful position data. In this case, the designer might be able to implement a restricted operating mode to extend the availability of the machine until the defective device can be replaced.
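The controller-side comparison of the two channels and the restricted operating mode described above, sketched as an added example (not code from the article or from any encoder vendor). The tolerance, debounce count, mode names and the `predicted` position input standing in for "other system knowledge" are assumptions.

```python
from enum import Enum

COUNTS_PER_REV = 1 << 16  # 16 bits per revolution, as stated in the article
TOLERANCE = 64            # assumed: max plausible disagreement, in counts
DEBOUNCE = 3              # assumed: consecutive mismatches before a fault is confirmed

class Mode(Enum):
    NORMAL = 1
    RESTRICTED = 2  # one channel judged faulty; reduced operation on the survivor
    SAFE_STOP = 3   # no trustworthy position; latched

def circ_diff(a, b):
    """Signed shortest distance a - b on the 16-bit circle (handles 65535 -> 0)."""
    half = COUNTS_PER_REV // 2
    return (a - b + half) % COUNTS_PER_REV - half

def close(a, b):
    return abs(circ_diff(a, b)) <= TOLERANCE

class CrossCheck:
    def __init__(self):
        self.mode, self.bad, self.survivor = Mode.NORMAL, 0, None

    def update(self, optical, magnetic, predicted=None):
        """Return (mode, position); position is None when nothing can be trusted."""
        chans = {"optical": optical, "magnetic": magnetic}
        if self.mode is Mode.NORMAL:
            if close(optical, magnetic):
                self.bad = 0
                return self.mode, optical
            self.bad += 1
            if self.bad < DEBOUNCE:
                return self.mode, None  # withhold data until the mismatch clears
            # Confirmed fault: only independent knowledge can single out a survivor.
            ok = [n for n, p in chans.items()
                  if predicted is not None and close(p, predicted)]
            self.survivor = ok[0] if len(ok) == 1 else None
            self.mode = Mode.RESTRICTED if self.survivor else Mode.SAFE_STOP
        elif self.mode is Mode.RESTRICTED:
            # No redundancy left: the survivor must keep matching the prediction.
            if predicted is None or not close(chans[self.survivor], predicted):
                self.mode, self.survivor = Mode.SAFE_STOP, None
        pos = chans[self.survivor] if self.mode is Mode.RESTRICTED else None
        return self.mode, pos
```

Without a `predicted` value the monitor can only detect that the channels disagree, not which one failed, so a confirmed mismatch goes straight to `SAFE_STOP`.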

Klaus Matzker, product manager, Posital Fraba. Edited by Chris Vavra, associate editor, Control Engineering, CFE Media and Technology.


Keywords: machine safety, machine encoders, motion control


How could motion sensors help your machine safety and motion control challenges?

Author Bio: Klaus Matzker, product manager, POSITAL-FRABA.