Safe motion control
Ross Fenion of Pilz offers an insight into the application of the safe motion standard EN 61800-5-2.
Safety functions in the field of motion are often reduced to a single bullet point announcing that safe torque off (STO) is integrated into this drive. However with the increase of electronically driven motion control end users and OEMs alike need to consider the safety functions, and assess whether they are suitable for the application.
Stop functions are found are in both EN 60204 and ISO 13849. Servo amplifiers with integrated safety functions in accordance with EN 61800-5-2 are now available, providing much simpler solutions, even for complex safety requirements. The standard divides safety functions into stop functions, safe motion functions, and safe braking functions.
Safe stop functions
Safe torque off (STO): The power to the motor is safely removed, so that no further movement is possible. It is not necessary to monitor standstill. If an external force effect is to be anticipated, additional measures should be provided to safely prevent any potential movement (eg mechanical brakes). This safety function corresponds to a category 0 stop (uncontrolled stop) in accordance with IEC 60204-1. If the function is triggered during operation, the motor will run down in an uncontrolled manner, which is not desirable in practice. That is why this function is generally used as a safe reset lock or in conjunction with the safety function SS1.
Safe stop 1 (SS1): Here defined motor braking is part of the safety function. The SS1 function monitors controlled braking of the axis directly within the drive. Once the set braking ramp has run its course, the drive is shut down safely. The reaction times are reduced compared with external monitoring solutions; as a result, in many cases the safety distances to the danger points can also be reduced.
Safe stop 2 (SS2): Defined motor braking is again part of the safety function. When the motor is at standstill, a safe operating stop (SOS) is triggered. Unlike SS1, the motor at standstill is in closed loop operation. This means that the standstill position is held precisely, due to the active control loop. This safety function corresponds to a category 2 stop (controlled stop) in accordance with IEC 60204-1. Benefits include that the axes no longer need to be shut down at standstill; they will actively hold their current position, so the synchronisation between axes and process is no longer lost. As a result, the axes can be restarted immediately at any time, which clearly increases plant availability.
Safe motion functions
Safe operating stop (SOS): This monitors the standstill position while the motor is in a controlled loop status. Once the safety function has been lifted, the production or machining process can be continued with no loss of precision. This function is generally used in combination with an SS2 function, as standstill monitoring usually involves a braking process. As described above, the limit value can be specified as both a speed threshold and a position window. Application of the safe operating stop (SOS) function is generally intended for the standstill phases of a process.
Safely limited speed (SLS): This is probably the best known safety function. In practice, this safety function is often applied as safely reduced speed. As a result, a defined transition from the operating speed in automatic mode to the reduced speed in setup mode must be guaranteed. If the monitoring function detects that the limit value has been violated, the drive must be shut down safely. Operators must be protected from any hazard that would lead to an uncontrolled axis start-up in the event of an error. When the safely limited speed (SLS) function is used for these jog functions, the solution provides the shortest possible reaction time in the event of an error.
Safe speed range (SSR): This can be used to monitor a safe minimum speed, as well as an upper limit, and can generally be used for permanent process monitoring. Risks cannot always be eliminated just by limiting the capacity for speeds to suddenly increase. Speeds that reduce suddenly as the result of an error can also present a risk. If axes are operating at a defined distance, a speed that drops abruptly on just one of the two axes may create a risk of crushing. These are the cases for which the safe speed range (SSR) function have been defined and developed. This function would be used to shut down the relevant axes, thereby eliminating any hazard to the machine operator.
Safely limited torque (SLT) and safe torque range (STR): Torque measuring systems are not widely used on standard drives, but servo drive technology provides the option for indirect measurement via the motor current. The motor current is proportional to the motor's force or torque, so the hazard resulting from a hazardous movement is limited. This function is essential for the growing application of collaborative robotics.
Safely limited position (SLP): Safe position monitoring ensures that the motor does not exceed a preset position limit value. If a limit value is violated, the motor is braked using a safe stop. Absolute position detection is required for this safety function.
Safely limited increment (SLI): The motor is allowed to travel a permitted distance following a start command. A safe stop function must be triggered once the limit value is reached. If the permitted distance is exceeded, this must be detected and the drive must be safely brought to a standstill. Encoder systems with relative measurement are sufficient for this safety function.
Safe direction (SDI): This prevents the motor from moving in an invalid direction. This safety function is frequently used in combination with safely limited speed (SLS) in setup mode. Here too, the drive-integrated solution enables the fastest possible shutdown.
Safe cam (SCA): A safe output signal indicates whether the motor is positioned inside a specified range. These ranges are absolute position windows within a motor rotation. The basic function involves safe monitoring of absolute positions, which is why appropriate sensor systems must be used.
Safe speed monitoring (SSM): This is very closely related to SLS. However, if a limit value is violated there is no functional reaction from the components that are monitored, merely a safe message which can be evaluated and processed by a higher level safety control system. On one side the control system can perform more complex reaction functions, while on the other the safety function can be used for process monitoring.
Safely limited acceleration (SLA) and safe acceleration range (SAR): Safety functions relating to acceleration monitoring are not widely used in the current state-of-the-art technology. In servo drive technology, Ferraris sensors are used to detect acceleration only in special applications of machine tools or printing machinery. Standard drives cannot process these signals in their control loops; monitoring of these acceleration signals is very complex in practice.
Safe brake functions
Safe brake control (SBC): This supplies a safe output signal to drive an external mechanical brake. The brakes used must be safety brakes, in which a quiescent current operates against a spring. If the current flow is interrupted, the brake will engage. A safe brake test may be required to detect errors during operation, depending on the risk analysis.
Safe brake test (SBT): In many cases, simply controlling a holding brake safely is not enough to make a vertical axis safe. If the wearing, mechanical part of the brake is not maintained regularly, it cannot be guaranteed that the holding brake will apply the designated braking action in the event of danger. The SBT function provides an automatic test which replaces previous measures that could only be implemented through organisational and manual operations; if the result is negative, it can bring the plant to a standstill and signal an error. This reduces maintenance work considerably.
Other News from Pilz Automation Technology
Latest news about Servo Drives