Safety in Motion

Full machine shutdown can be avoided when safety functions are judiciously combined with the motion control system.

Not every presumed “emergency” requires full shutdown of a machine system. Yet, traditional safety systems offer only complete removal of power regardless of the risk level involved, resulting in unavoidable loss of productivity.

A newer approach is based on comprehensive risk and reliability assessment of the machine system, which is then associated with the degree of machine shutdown needed to prevent harm or injury. This allows safe access to machines with the main power left on, to ease setups and troubleshooting and more quickly return to production. Added safety functions prevent unwanted or accidental motion of motors and actuators.

Safety standards have defined functional safety and made it a necessary part of motion control, whereas previously these were separate systems. Europe has led the way with standards like EN 954-1 and IEC 61508, and the 2007 revision of NFPA 79 opened up functional safety to US manufacturers and users.

Experts say the real driver for integration, however, has been the ability to have the functional safety verified by testing to those standards at a nationally recognized testing laboratory.

Integration benefits

Bosch Rexroth considers immediate connectivity and quicker machine stopping time the prime benefits of integrating safety and motion. “When a safety function is activated, you don’t want additional delays with fieldbus couplers and/or a slow monitoring PLC to first determine then execute a safety action,” says David Arens, food and packaging applications engineer for Bosch Rexroth. Importantly, bringing a machine to a safe stop condition quickly reduces the chance of injury.

Integration extends benefits to the machine’s bottom line with safety system monitoring and diagnosis. “Efficient diagnosis saves costs by allowing machines to be returned to production faster,” explains Arens.

Related savings come from reduced maintenance due to using one fieldbus. “This benefits OEMs and end users because fewer system connections mean fewer points of failure to be checked,” states Arens. Bosch Rexroth implements integrated safety in its drives and motion systems via one of four fieldbus formats: SERCOS III, Profibus, Profinet, and EtherCAT.

Arens also points out that, “A proper safety assessment is needed even after the safety system is installed to assure it protects all people in and around the machine.” Another step for successful implementation is knowledge of application-specific safety standards. For example, different types of guards, doors, interlocks, and safety precautions apply to different machinery.

Siemens Energy & Automation attributes several benefits to integrated safety and motion, including fewer components than typically required for traditional safety circuits, reduced engineering time to develop those circuits, less cabinet space for housing components, and less assembly wiring time.

“Furthermore, integrated safety allows greater diagnostic capabilities not inherent in hardwired systems,” says John Krasnokutsky, Siemens’ motion control marketing manager. The drive controller can send information of what safety function has been activated, and why, to an HMI screen for evaluation by the operator. Such readily available data reduce troubleshooting time.

Siemens builds seven safety functions into its Sinamics S drive family, which offers servo, flux vector, and open-loop motor control. The safety functions as defined in standard IEC 61800-5-2 are:

• STO – safe torque off

• SS1 – safe stop 1

• SS2 – safe stop 2

• SOS – safe operating stop

• SLS – safely limited speed

• SSM – safe speed monitor

• SBC – safe brake control

Safety functions are enabled in Starter, the Sinamics S configuration software, by selecting the appropriate action. “Three basic safety stop commands (STO, SS1, and SBC) can be safety-wired directly to the drive without additional hardware,” Krasnokutsky notes. “However, users can initiate all safety functions over a Profibus or Profinet system through the Profisafe profile.” An alternate implementation path is to use a safe terminal module that connects to the Sinamics S backplane, called DRIVE-CLiQ.

Siemens safety functions include advanced features. For example, SOS holds the motor at full torque (zero speed) and monitors movement from a position setpoint; and SLS monitors up to four configurable speed limit values in both rotary directions.

Yaskawa Electric sees users benefiting from integrated safety in overall cost savings, and in minimizing worker hazards. The need for fewer sensors and contactors, and less wiring, also helps cut costs. Results are measurable in higher reliability, longer equipment life, and less labor for installation and troubleshooting.

“Integrated safety allows fast dynamics thanks to simplified protection steps and less time and money spent for maintenance as it is performed within a safe environment meeting stringent TÜV certification,” says Jun Kang, chief engineer for drive technology, Yaskawa Electric America.

Yaskawa integrates STO safety function in V1000, A1000, and F7 variable frequency drives, and in Sigma-5 SGDV series servo amplifiers.

With STO, a safety circuit trigger cuts power to the motor (which coasts to a stop), but power to the drive isn’t interrupted. The A1000 drive can add a more controlled motor ramp-down (SS1 and SS2) with a minor software change. V1000, A1000, and F7 drives are certified to EN 954-1 by the internationally recognized testing agency TÜV.
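To make the behaviour of the IEC 61800-5-2 functions listed in the Siemens section and the STO/SS1/SS2 distinction described here concrete, the following is an added example, not Siemens’ or Yaskawa’s drive firmware. It models a drive as a 1 ms discrete-time object and a safety monitor that implements STO, SS1, SS2 with SOS, SLS and SSM against it. The motor model, cycle time, limits, tolerances and the external push on the axis are constructed assumptions.

```python
"""Toy model of IEC 61800-5-2 safety functions (added example, not any
vendor's firmware). The drive is a 1 ms discrete-time model; the monitor
evaluates the active safety function each cycle and decides when the
output stage must be disabled. All parameters are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Cmd(Enum):
    NONE = "none"
    STO = "STO"  # safe torque off: gate drive off, motor coasts
    SS1 = "SS1"  # safe stop 1: controlled ramp to standstill, then STO
    SS2 = "SS2"  # safe stop 2: controlled ramp, then hold position (SOS)
    SLS = "SLS"  # safely limited speed: trip if |speed| exceeds the limit


@dataclass
class Drive:
    speed: float = 0.0          # rev/s, signed
    position: float = 0.0       # rev
    torque_enabled: bool = True
    dt: float = 0.001           # 1 ms cycle (assumption)
    ramp: float = 50.0          # rev/s^2 deceleration under control (assumption)
    coast: float = 5.0          # rev/s^2 friction deceleration when coasting

    def step(self, target_speed: float) -> None:
        """Advance one cycle: follow target_speed within the ramp limit while
        torque is enabled, otherwise coast with friction only."""
        if self.torque_enabled:
            lim = self.ramp * self.dt
            self.speed += max(-lim, min(lim, target_speed - self.speed))
        else:
            decay = self.coast * self.dt
            if abs(self.speed) <= decay:
                self.speed = 0.0
            else:
                self.speed -= decay if self.speed > 0 else -decay
        self.position += self.speed * self.dt


@dataclass
class SafetyMonitor:
    drive: Drive
    cmd: Cmd = Cmd.NONE
    sls_limit: float = 2.0          # rev/s
    ssm_threshold: float = 1.0      # rev/s, SSM reports speed below this
    sos_tolerance: float = 0.01     # rev, allowed drift from the held position
    standstill: float = 0.05        # rev/s, regarded as standstill
    sos_setpoint: Optional[float] = None
    fault: Optional[str] = None

    def _sto(self, reason: str) -> None:
        """Safe torque off is the only way the monitor removes power."""
        self.drive.torque_enabled = False
        self.fault = self.fault or reason

    def evaluate(self, commanded_speed: float) -> float:
        """One safety cycle. Returns the speed the application may command."""
        d = self.drive
        if self.cmd is Cmd.STO:
            self._sto("STO")
            return 0.0
        if self.cmd is Cmd.SS1:
            if abs(d.speed) <= self.standstill:
                self._sto("SS1 complete")      # ramp finished: remove torque
            return 0.0                         # controlled deceleration
        if self.cmd is Cmd.SS2:
            if self.sos_setpoint is None and abs(d.speed) <= self.standstill:
                self.sos_setpoint = d.position  # standstill reached: arm SOS
            if (self.sos_setpoint is not None
                    and abs(d.position - self.sos_setpoint) > self.sos_tolerance):
                self._sto("SOS violated")      # held axis was moved: trip
            return 0.0                         # hold at zero speed, torque on
        if self.cmd is Cmd.SLS and abs(d.speed) > self.sls_limit:
            self._sto("SLS violated")
            return 0.0
        return commanded_speed

    def ssm_below_threshold(self) -> bool:
        """SSM: safe signal telling the controller the axis is slow enough."""
        return abs(self.drive.speed) < self.ssm_threshold


def run(cmd: Cmd, cycles: int, initial_speed: float = 3.0,
        disturb_at: Optional[int] = None) -> Tuple[Drive, SafetyMonitor, Optional[int]]:
    """Simulate `cycles` ms with `cmd` active from the first cycle. A constructed
    external push on the axis can be applied at cycle `disturb_at` to show SOS
    reacting. Returns the drive, the monitor and the cycle standstill was reached."""
    drive = Drive(speed=initial_speed)
    mon = SafetyMonitor(drive, cmd=cmd)
    stop_cycle = None
    for i in range(cycles):
        if disturb_at is not None and i == disturb_at:
            drive.position += 0.1
        drive.step(mon.evaluate(commanded_speed=initial_speed))
        if stop_cycle is None and abs(drive.speed) <= mon.standstill:
            stop_cycle = i + 1
    return drive, mon, stop_cycle


if __name__ == "__main__":
    for cmd in (Cmd.STO, Cmd.SS1, Cmd.SS2):
        d, m, t = run(cmd, 700)
        print(f"{cmd.value}: standstill after {t} ms, torque={d.torque_enabled}, fault={m.fault}")
    print("SS2 then push:", run(Cmd.SS2, 300, disturb_at=200)[1].fault)
```

Running it shows why a controlled stop matters for stopping time: under STO the axis only coasts down on friction, while SS1 brings it to standstill in a tenth of the time before removing torque. SS2 leaves torque on and, through SOS, trips to STO the moment the held axis is pushed off its setpoint.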

SS1 and SS2 capability is in the works for Yaskawa’s Sigma-5 SGDV amplifiers via an option card; also an EtherCAT option card is scheduled for summer 2009 launch, explains Scott Carlberg, servo product marketing manager.

Safety features in electric drives, such as safe torque off or safe disable, “revolve around how a system or machine shuts down correctly in response to a worker being exposed to a potential hazard,” explains Carlberg.

Redundancy rules

Redundancy is an important aspect of a safety system as it eliminates the possibility of a single failure compromising the safety function. At Bosch Rexroth, David Arens says this translates to using at least two operating channels in safety systems – whether two hardwired channels, one hardwired plus one fieldbus channel, or two independent channels within the fieldbus. Similarly, the encoder module splits its signals to two monitoring channels. If either monitor detects improper motion, the machine goes to a safe condition.

For simplicity, the Yaskawa V1000 microdrive uses one safety input, but splits it internally within the drive to satisfy the redundancy requirements of EN 954-1, category 3. Current interruption in either circuit triggers a safe disable, shutting off the output transistors’ gate circuit, which cuts power to the motor. The A1000 drive employs two safety inputs, where current interruption in either input similarly causes safe disable.

Redundancy in Siemens’ Sinamics S drives is handled by a two-processor system with independent switchoff paths and internal monitoring. “This provides the dual channel required by safety systems. Hence, if one channel fails or sends inconsistent data, the other knows about it and the system faults in a safe state,” says John Krasnokutsky.
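The three redundancy patterns above share one logic: two channels evaluate the same hazard, either channel alone may demand the safe state, and the channels check each other so that a failed or inconsistent channel is itself detected. The following is an added example of that pattern, not Bosch Rexroth’s, Siemens’ or Yaskawa’s implementation. The speed limit, discrepancy tolerance, stale-data timeout and the sample traces are constructed assumptions.

```python
"""Two-channel (1oo2) monitoring with cross-checking (added example, not any
vendor's implementation). The encoder feed is split into two channels; a
stop demand from either channel alone drives the safe state, and the
channels compare results so that a failed or inconsistent channel is
detected. Limits, timings and sample traces are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Channel:
    name: str
    speed_limit: float             # rev/s (constructed limit)
    last_speed: Optional[float] = None
    stale_cycles: int = 0          # cycles since the last valid sample

    def update(self, speed: Optional[float]) -> None:
        """Feed one sample; None models a lost or invalid sample."""
        if speed is None:
            self.stale_cycles += 1
        else:
            self.last_speed = speed
            self.stale_cycles = 0

    def stop_demand(self) -> Optional[str]:
        """Each channel decides independently from its own data."""
        if self.last_speed is not None and abs(self.last_speed) > self.speed_limit:
            return f"{self.name}: overspeed {self.last_speed:.2f}"
        return None


@dataclass
class DualChannelMonitor:
    ch_a: Channel
    ch_b: Channel
    discrepancy: float = 0.2       # max disagreement tolerated between channels
    max_stale: int = 3             # cycles a channel may go without data
    safe_state: bool = False       # latched; cleared only by reset()
    reason: Optional[str] = None

    def _trip(self, reason: str) -> bool:
        self.safe_state, self.reason = True, reason
        return False

    def cycle(self, sample_a: Optional[float], sample_b: Optional[float]) -> bool:
        """One monitoring cycle. Returns True while motion may continue."""
        self.ch_a.update(sample_a)
        self.ch_b.update(sample_b)
        if self.safe_state:
            return False                       # latched until a deliberate reset
        # 1oo2 voting: a demand from either channel is enough to stop
        for ch in (self.ch_a, self.ch_b):
            demand = ch.stop_demand()
            if demand:
                return self._trip(demand)
        # liveness: a silent channel is treated as a failed channel
        for ch in (self.ch_a, self.ch_b):
            if ch.stale_cycles > self.max_stale:
                return self._trip(f"{ch.name}: no data for {ch.stale_cycles} cycles")
        # cross-comparison: inconsistent readings mean one channel is wrong
        a, b = self.ch_a.last_speed, self.ch_b.last_speed
        if a is not None and b is not None and abs(a - b) > self.discrepancy:
            return self._trip(f"discrepancy: {a:.2f} vs {b:.2f}")
        return True

    def reset(self) -> bool:
        """Deliberate restart, allowed only when both channels are live, agree
        and see no overspeed. Returns True if the latch was cleared."""
        chans = (self.ch_a, self.ch_b)
        a, b = self.ch_a.last_speed, self.ch_b.last_speed
        healthy = (a is not None and b is not None
                   and abs(a - b) <= self.discrepancy
                   and all(ch.stop_demand() is None for ch in chans)
                   and all(ch.stale_cycles == 0 for ch in chans))
        if healthy:
            self.safe_state, self.reason = False, None
        return healthy


def run_trace(trace: List[Tuple[Optional[float], Optional[float]]],
              limit: float = 2.0) -> Tuple[Optional[int], Optional[str]]:
    """Run a constructed (speed_a, speed_b) trace. Returns the cycle index at
    which the monitor tripped and why, or (None, None) if it never did."""
    mon = DualChannelMonitor(Channel("A", limit), Channel("B", limit))
    for i, (a, b) in enumerate(trace):
        if not mon.cycle(a, b):
            return i, mon.reason
    return None, None


if __name__ == "__main__":
    print(run_trace([(1.0, 1.0), (1.2, 1.2), (1.4, 1.4)]))     # healthy
    print(run_trace([(1.0, 1.0), (2.5, 1.0)]))                # A sees overspeed
    print(run_trace([(1.0, 1.0), (1.0, 1.5)]))                # channels disagree
    print(run_trace([(1.0, 1.0)] + [(1.0, None)] * 4))         # B goes silent
```

The three trips in the demo correspond to the three failure classes the text mentions: a genuine hazard seen by one channel, inconsistent data between channels, and a channel that stops delivering data at all. The latch and the guarded `reset` matter as much as the detection: an automatic restart after a trip would hand the hazard back to the operator.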

Fieldbus favors

Combining safety with motion in one system has been enabled, in part, by development of communication buses more reliable than hardwired non-intelligent systems.

Requirements included proof that safety communication and motion control could work independently on the same fieldbus, a way to verify communication integrity, and fast data flow – under 10 ms in cyclic or repeated messages, says Bosch Rexroth’s Arens. Also needed were drives, safety devices, I/O modules, etc., able to read and respond to safety signals fast enough and test reliably to a safety standard.
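The integrity requirement is what a safety protocol layered over a standard fieldbus (the FSoE profile discussed later on this page is one) has to satisfy: the bus itself is treated as an untrusted “black channel” that may corrupt, lose, repeat, reorder, misroute or delay a message, and the safety layer must detect each of those before acting on the data. The following is an added example of the generic measures such layers use (connection identifier, sequence number, CRC over header and payload, receiver watchdog); the frame layout, CRC choice and timing values are constructed and are not the FSoE frame format or any vendor’s stack.

```python
"""Safety-layer integrity checks over an untrusted 'black channel' fieldbus
(added example; frame layout, CRC and timings are constructed and are not
the FSoE specification or any vendor's stack). Each check below targets one
error the bus may introduce: corruption, loss/repetition/reordering,
insertion of a frame meant for another connection, and delay."""
import struct
import zlib
from typing import Optional

HDR = struct.Struct(">HHB")      # connection id, sequence number, payload length
CRC = struct.Struct(">I")
CONN_ID = 0x2A5C                 # constructed connection identifier


def build_frame(conn_id: int, seq: int, payload: bytes) -> bytes:
    """Producer side: header + payload, protected by a CRC over both."""
    header = HDR.pack(conn_id, seq & 0xFFFF, len(payload))
    return header + payload + CRC.pack(zlib.crc32(header + payload) & 0xFFFFFFFF)


class SafeConsumer:
    def __init__(self, conn_id: int, watchdog_ms: int = 10, start_ms: int = 0):
        self.conn_id = conn_id
        self.watchdog_ms = watchdog_ms   # max gap between valid frames (assumption)
        self.expected_seq = 0
        self.last_ok_ms = start_ms
        self.safe_state = False
        self.reason: Optional[str] = None

    def _fail(self, reason: str) -> None:
        """Any detected error drives the safe state, which latches."""
        self.safe_state = True
        self.reason = self.reason or reason

    def tick(self, now_ms: int) -> bool:
        """Called every cycle even when nothing arrived: the watchdog is what
        catches lost or delayed frames. Returns True while healthy."""
        if not self.safe_state and now_ms - self.last_ok_ms > self.watchdog_ms:
            self._fail(f"watchdog: {now_ms - self.last_ok_ms} ms without a valid frame")
        return not self.safe_state

    def receive(self, frame: bytes, now_ms: int) -> Optional[bytes]:
        """Validate one frame; returns its payload if accepted, else None."""
        if not self.tick(now_ms):
            return None
        if len(frame) < HDR.size + CRC.size:
            self._fail("truncated frame")
            return None
        header = frame[:HDR.size]
        conn_id, seq, plen = HDR.unpack(header)
        payload = frame[HDR.size:HDR.size + plen]
        crc_bytes = frame[HDR.size + plen:HDR.size + plen + CRC.size]
        if len(payload) != plen or len(crc_bytes) != CRC.size:
            self._fail("length mismatch")
            return None
        if (zlib.crc32(header + payload) & 0xFFFFFFFF) != CRC.unpack(crc_bytes)[0]:
            self._fail("crc mismatch (corruption)")
            return None
        if conn_id != self.conn_id:
            self._fail(f"connection id {conn_id:#06x} (insertion/misrouting)")
            return None
        if seq != self.expected_seq:
            self._fail(f"sequence {seq}, expected {self.expected_seq} "
                       "(loss, repetition or reordering)")
            return None
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_ok_ms = now_ms
        return payload


if __name__ == "__main__":
    rx = SafeConsumer(CONN_ID)
    for t, seq in ((0, 0), (5, 1), (10, 2)):
        print(t, rx.receive(build_frame(CONN_ID, seq, b"\x01"), t))
    print(15, rx.receive(build_frame(CONN_ID, 2, b"\x01"), 15), rx.reason)  # repeat
```

Two points a practitioner should keep in mind. First, the watchdog runs on the consumer’s own clock, so a producer that silently stops (or a bus that stalls) is caught without any frame arriving, which is the case the 10 ms cyclic requirement above is really about. Second, a CRC and a sequence counter are designed against random and systematic transmission faults, not against an adversary: anyone who can inject traffic on the bus can recompute them. Safety protocols assume a non-malicious error model, so keeping untrusted parties off the fieldbus (network segmentation, controlled physical and remote access) is a separate security task that the safety layer does not perform.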

One notable fieldbus – EtherCAT – has for some time provided high-performance communication for automation, motion control, and safety applications, notes Joey Stubbs of the EtherCAT Technology Group (ETG).

EtherCAT technology originated from Beckhoff Automation of Germany. It became an open bus in 2003 with the creation of the EtherCAT Technology Group. Today, ETG has 910 members from 44 countries, comprising drive and device vendors, machine builders, and end users.

“Functional Safety-over-EtherCAT (FSoE) protocol was developed for use with EtherCAT fieldbus to ensure that users can take full advantage of integrated safety in their machine control designs without the need for dedicated safety-specific wiring or communication cables,” Stubbs says.

For added safety functionality, ETG has recently enhanced the FSoE protocol with a standard device profile for EtherCAT-enabled drives called the Safety Drive Profile. Stubbs attributes the ability of the Safety Drive Profile to integrate motion and safety to three “ingredients”:

• Well-defined EtherCAT drive profiles: CANopen DS402 or the SERCOS drive profile

• Well-defined FSoE protocol, which allows standard implementation of safety devices and logic controllers on EtherCAT, independent of a vendor

• Definition of safety-relevant drive functions as part of IEC 61800-5-2

“By combining these three open ingredients, there is now opportunity to have true vendor-independence when implementing safety in motion applications,” he says. Benefits of FSoE Safety Drive Profile reportedly include easier integration of third-party drives and other devices in safety systems that include motion.

“This is a must for integrators who want flexibility to select the most suitable components from multiple vendors,” Stubbs says. “In addition, today’s safety-enabled drives go beyond old methods of ‘drop mains power’ and ‘disable motors’ – to new methods such as safe speed limits, safe-stop functionality, and safe torque.”

But amid examining technology and productivity issues, it’s important to remember the main concern of safe motion: prevention of worker injury or fatality.

For while technology has only recently advanced integrated safety and motion to reality, the basic principles of human safety and machine efficiency have long been known. In 1890 Werner von Siemens stated, “Prevention of accidents must not be understood as a regulation required by law, but as a precept of human responsibility and economic reason.”

Frank Bartos is Consulting Editor, Control Engineering.
