Understanding safety functions: Safe speed and safe standstill

Last updated on November 7th, 2022 at 04:24 pm


In this post, I’ll discuss two safety-related parameters: safe speed and safe standstill. Speed control is a very common machine function. Conveyors, mixers, pumps, and many other applications rely on variable-speed drives. Some speed parameters are also safety-related because variations in speed can increase the risk to workers. See this post for more information on safety-related parameters.

TL;DR

“Safe reduced speed” safety functions protect workers from hazardous machine movements by increasing the chance that harm can be avoided and, in some cases, by reducing the kinetic energy of the moving part through the lower velocity. This is commonly used in robotics and in systems where slow-speed jog functions are used.

A “safe standstill” safety function is used when the machine uses the SS2 function in a motor drive to bring a machine to a stop and hold the position under power. It can also provide a trigger signal to unlock guards when a guard-locking function is used.


As a reminder, ISO 13849-1 [1] sets requirements for safety-related parameters. I won’t repeat them here so we can dig deeper into where the speed-related parameter requirements come from and how they are used in real-world designs.

When is “safe reduced speed” used?

To understand when safe reduced speeds are used, we must go to ISO 12100 since that standard sets the minimum requirements for all machines. You may recall that ISO 12100 is the only type A standard and is the origin of the more detailed requirements in the type B and C standards.

ISO 12100 requirements

ISO 12100 [2] sets out the fundamental requirements for safe machine designs. Clause 6 speaks to the many ways that risk can be reduced. Clause 6.2.11 is quite long, so I have excerpted just the relevant bits for the discussion. In clause 6.2.11, you will find,

6.2.11 Applying inherently safe design measures to control systems

6.2.11.1 General

The design measures of the control system shall be chosen so that their safety-related performance provides a sufficient amount of risk reduction (see ISO 13849-1 or IEC 62061).

Typical examples of hazardous machine behaviour are…

— uncontrolled speed change,

Control systems shall be designed to limit…the safe design parameters (for example, range, speed, acceleration, deceleration, load capacity).

For example:

— the travelling speed of mobile pedestrian-controlled machinery other than remote-controlled shall be compatible with walking speed;

— the range, speed, acceleration and deceleration of movements of the person-carrier and carrying vehicle for lifting persons shall be limited to non-hazardous values, taking into account the total reaction time of the operator and the machine;

ISO 12100

The preceding excerpts set out the situations where the design of the control system should limit variations in speed, acceleration and deceleration, among other parameters, to “non-hazardous,” i.e., safe values. Clause 6.2.11.9 continues by adding requirements for the design of the control system. Again this clause is quite long, so I am just showing the relevant part:

6.2.11.9 Control mode for setting, teaching, process changeover, fault-finding, cleaning or maintenance

Where, for setting, teaching, process changeover, fault-finding, cleaning or maintenance of machinery, a guard has to be displaced or removed and/or a protective device has to be disabled, and where it is necessary for the purpose of these operations for the machinery or part of the machinery to be put into operation, the safety of the operator shall be achieved using a specific control mode which simultaneously

c) permits operation of the hazardous elements only in reduced risk conditions (for example, reduced speed, reduced power/force, step-by-step, for example, with a limited movement control device)

ISO 12100

Key concepts

The key concepts for safe speed control are shown below. Safe speed control

  • is an inherently safe design measure
  • includes setting “non-hazardous” speed parameters and preventing unexpected speed changes
  • can include the selection of a speed value that is compatible with human capabilities, e.g., walking speed or speed compatible with the average ability of people to avoid harm
  • is used when manual intervention is needed inside the machine’s danger zone, including setting, teaching, etc.
  • is permitted only in reduced risk conditions, i.e., full-speed operation under manual control is not normally allowable.

Examples

Safe speed control is commonly used in robotics, where the maximum tool centre point speed is limited to 250 mm/s by ISO 10218-1 [3]. Other common applications are CNC machining centres, where safe reduced speeds may be used for manual jogging of axes while setting up a job. These are examples of setting speed parameters compatible with the human ability to avoid harm. The 250 mm/s value was selected in the early 1990s as a “reasonable” value. Since then, research has shown that a better value for most people would be in the 130-150 mm/s range [4]; however, the former value has been used for so long that it is now entrenched in many standards. That doesn’t mean you can’t use a lower value in your design.

Many modern motor drives, including servo drives and variable frequency drives, provide control modes like Safe Torque Off (STO), Safe Stop 1 (SS1) and Safe Stop 2 (SS2) and Safe Operating Stop (SOS) [5]. If you are specifically interested in STO and SS1, you might be interested in my article on safe drive control modes.

Design implementation of Safe Reduced Speed

Depending on the ISO 13849-1 PLr, or the IEC 62061 SILr needed for the application, the drive alone may not have high enough reliability. In this case, a second channel may be required to ensure that the speed (or standstill) monitoring is reliable. This can be achieved by adding another means of detecting motion, like a second encoder or a separate speed/standstill monitoring device. An example circuit diagram showing this type of monitoring can be found in Fig. 1 [6, Fig. 8.37], showing a safety PLC and drive used to provide an “inching” or “jog” function.

Figure 1 — Safely limited speed for inching mode – PLd, Cat. 3 [6] (circuit diagram for a safe inching mode using a motor drive, taken from Fig. 8.37 in BGIA Report 2/2008e)

In Fig. 1, the encoders are labelled G1 and G2. Both encoders are connected to the safety PLC to provide the two-channel feedback required for a Category 3 architecture. G1 is also connected to the motor drive for the position and velocity feedback needed by the application. Note that this drive also has an upstream contactor, Q1, providing one of the two channels required for Category 3. The second channel is provided by the Pulse Blocking input on the drive. For more on how this circuit functions and how the functional safety analysis is completed, see [6, Ex. 8.2.21] and the 2019 version of the report [7]. If you are interested in seeing this system in SISTEMA, you can download the project files from IFA [8]. One last note on a mechanical aspect of the functional safety of the system in Fig. 1: the encoders must be connected to the motor shaft using a rigid coupling, like a square key or a splined shaft. A set screw or any other connection that could fail due to vibration or other failure modes cannot be used. Even thread-locking adhesives used to secure set-screw couplings are not considered adequate.
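As an added example (this is not code from the article, from the IFA report or from any PLC vendor), the following Python models the two-channel monitoring logic a safety PLC would carry out with the encoders G1 and G2 of Fig. 1 for a safely-limited-speed jog mode: each channel is checked against the speed limit, and the channels are cross-compared so a frozen or slipping encoder is caught even though its own channel reports a "safe" speed of zero. The encoder resolution, task cycle, discrepancy tolerance and discrepancy time are assumed illustration values; the 250 mm/s limit is the ISO 10218-1 figure quoted earlier. The speed profiles fed in by `run_profile` are constructed, not captured drive data.

```python
"""Two-channel safely-limited-speed (SLS) monitor for a jog/inching mode.

Added example; not code from the article, the IFA report or any PLC vendor.
Models the monitoring a safety PLC performs with encoders G1 and G2 of Fig. 1.
Encoder resolution, task cycle, discrepancy tolerance and time are assumed.
"""
from typing import Optional, Tuple

SLS_LIMIT_MM_S = 250.0      # ISO 10218-1 reduced-speed value cited in the text
DISCREPANCY_MM_S = 20.0     # assumed: allowed mismatch between the two channels
DISCREPANCY_TIME_S = 0.05   # assumed: mismatch must persist this long before a fault
MM_PER_COUNT = 0.01         # assumed: linear axis, 0.01 mm per encoder count


class SlsMonitor:
    def __init__(self, period_s: float = 0.001) -> None:   # assumed 1 ms safety task cycle
        self.period_s = period_s
        self.discrepancy_cycles_limit = round(DISCREPANCY_TIME_S / period_s)
        self.reset()

    def reset(self) -> None:
        self.tripped = False
        self.reason = ""
        self._discrepancy_cycles = 0
        self._last: Optional[Tuple[int, int]] = None

    def _speed(self, delta_counts: int) -> float:
        return abs(delta_counts) * MM_PER_COUNT / self.period_s

    def _trip(self, why: str) -> bool:
        self.tripped, self.reason = True, why
        return False

    def step(self, g1: int, g2: int) -> bool:
        """Process one cycle of raw counts from G1 and G2.

        Returns True while motion is permitted. Once tripped the monitor stays
        tripped until reset(): the safe state (STO via pulse blocking and the
        contactor Q1 in Fig. 1) must only be left by a deliberate reset.
        """
        if self.tripped:
            return False
        if self._last is None:
            self._last = (g1, g2)
            return True
        v1 = self._speed(g1 - self._last[0])
        v2 = self._speed(g2 - self._last[1])
        self._last = (g1, g2)
        # Either channel alone may demand the safe state: one fault must not defeat the function.
        if max(v1, v2) > SLS_LIMIT_MM_S:
            return self._trip(f"speed {max(v1, v2):.0f} mm/s exceeds the SLS limit")
        # Cross-comparison of the channels exposes a frozen, slipping or miswired encoder.
        if abs(v1 - v2) > DISCREPANCY_MM_S:
            self._discrepancy_cycles += 1
            if self._discrepancy_cycles >= self.discrepancy_cycles_limit:
                return self._trip(f"channel discrepancy {abs(v1 - v2):.0f} mm/s")
        else:
            self._discrepancy_cycles = 0
        return True


def run_profile(speeds_mm_s, g2_frozen_from: Optional[int] = None, period_s: float = 0.001):
    """Feed a constructed speed profile (mm/s per cycle) through the monitor.

    g2_frozen_from: cycle index from which encoder G2 stops counting (stuck encoder).
    Returns (cycles_enabled, trip_reason); trip_reason is "" if the monitor never tripped.
    """
    mon = SlsMonitor(period_s)
    pos_mm, g2_frozen, enabled = 0.0, None, 0
    for i, v in enumerate(speeds_mm_s):
        pos_mm += v * period_s
        g1 = round(pos_mm / MM_PER_COUNT)
        if g2_frozen_from is not None and i >= g2_frozen_from and g2_frozen is None:
            g2_frozen = g1
        g2 = g1 if g2_frozen is None else g2_frozen
        if not mon.step(g1, g2):
            break
        enabled += 1
    return enabled, mon.reason


if __name__ == "__main__":
    print(run_profile([200.0] * 100))                     # steady jog under the limit
    print(run_profile([2.0 * i for i in range(200)]))     # ramp through the limit
    print(run_profile([200.0] * 200, g2_frozen_from=50))  # G2 freezes at cycle 50
```

Two design points are worth noting. The monitor latches in the tripped state and requires an explicit reset, which is how a safety function should behave. And the stuck-encoder case is not caught by the speed limit at all (a frozen channel reads zero speed, which looks "safe"); it is only the cross-comparison between G1 and G2, with a bounded discrepancy time, that detects it, which is the reason the Category 3 architecture in Fig. 1 needs both encoders.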

Safe Stop 2 (SS2)

Safe Stop 2 is related to Stop Category 2, defined in IEC 60204-1 [9].

stop category 2 — a controlled stop with power left available to the machine actuators.

IEC 60204-1

Stop Category 2 is commonly used where a motor drive is used to maintain the position of a load while some other machine function or operator intervention occurs. Suppose you have a vertical machine axis where Stop Category 2 is the most appropriate stopping function under normal conditions. You will need to consider failure modes where the power might be lost to the motor, and therefore the suspended load would fall due to gravity. A spring-set brake could be used to ensure that the axis did not fall. Alternatively, if the axis uses a gearbox and ball screw, there may be enough inherent resistance to back-driving that there is no concern about the axis falling. There are many ways to achieve automatic load-holding besides brakes, but remember, whatever you choose must be effective in power loss conditions. I recommend using an FMEA to examine what happens when power is lost to a drive system so that the effects of power loss on a system using Stop Category 2 can be evaluated.

Defining Safe Stop 2

safe stop 2

SS2

function which either

a) initiates and controls the motor deceleration rate within set limits to stop the motor and initiates the safe operating stop function when the motor speed is below a specified limit, or

b) initiates and monitors the motor deceleration rate within set limits to stop the motor and initiates the safe operating stop function when the motor speed is below a specified limit, or

c) initiates the motor deceleration and initiates the safe operating stop function after an application specific time delay

Note 1 to entry: This safety function corresponds to a controlled stop in accordance with stop category 2 of IEC 60204–1.

ISO 16090-1, 3.1.14

Safe Stop 2 relies upon a Safe Operating Stop to hold the motor position. As shown in Fig. 2 below, Safe Stop 2 differs from Safe Stop 1 because the system enters a Safe Operating Stop (SOS) condition [10], not STO, when the motion stops. SOS is a safety function. Full torque remains available from the motor to hold the tooling in position. Safe standstill is monitored by the drive or other means.

Figure 2 — Safe Stop 2 [10] (graph showing speed reduction to zero, followed by entry into stop category 2)

Since SS2 relies on SOS, we need to understand what SOS is and how it works.

Safe Operating Stop (SOS)

During a safe operating stop (SOS), the motor is brought to a specific position and held there by the drive. Full torque is available to keep the tooling in position. The stop condition is monitored safely by the drive.

SOS definition

The definition for SOS is

safe operating stop

SOS

operational stop with additional control system measures for monitoring standstill, preventing hazardous machine movements due to control system faults

Note 1 to entry: The SOS function prevents the motor from deviating from the stop position by more than a specified value. The power drive system supplies the motor with energy so that it can withstand external forces; see also IEC 61800-5-2.

ISO 16090-1, 3.1.12

The function is shown in Figure 3, below [10].

Figure 3 — Safe Operating Stop [10] (graph showing a drive maintaining position following a stop)

In Fig. 3, the y-axis, s, represents the position of the tooling, NOT the velocity, while the x-axis represents time, t. The start of the position holding function is shown by the orange arrow and dashed line. The period following the green dashed line is the SOS period.

Monitoring

Once the drive brings the machine to stop, the definition requires that “standstill monitoring” is provided to ensure that a fault is generated if the machine begins to move before the SOS condition is released.
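To make the SS2 and SOS definitions concrete, here is an added example (not code from the article, from Siemens or from any drive vendor) of the sequence monitor in Python. It follows variant b) of the ISO 16090-1 definition quoted above: after the SS2 demand the monitor checks that the measured speed stays under a monitored deceleration ramp, switches to SOS once the speed is below the standstill threshold, and in SOS checks that the position stays inside a window; the time limit of variant c) is used as a backstop. All numeric limits are assumed illustration values, and the drive behaviour in `simulate` is a constructed model.

```python
"""SS2 -> SOS sequence monitor.

Added example; not code from the article, Siemens or any drive vendor. Follows
variant b) of the ISO 16090-1 definition of SS2, with the variant c) time limit
as a backstop. All numeric limits are assumed illustration values.
"""
from enum import Enum


class State(Enum):
    RUN = "run"      # normal motion, no SS2 demand
    DECEL = "decel"  # SS2 demanded: deceleration ramp is monitored
    SOS = "sos"      # safe operating stop: position window is monitored
    STO = "sto"      # fault detected: safe torque off is demanded


class Ss2Monitor:
    def __init__(self, ramp_mm_s2=2000.0, ramp_tolerance_mm_s=30.0,
                 standstill_speed_mm_s=2.0, sos_window_mm=0.5,
                 time_limit_s=1.0, period_s=0.001):
        self.ramp_per_cycle = ramp_mm_s2 * period_s   # mm/s of allowed speed shed per cycle
        self.tol = ramp_tolerance_mm_s
        self.v_standstill = standstill_speed_mm_s
        self.window = sos_window_mm
        self.cycle_limit = round(time_limit_s / period_s)
        self.state, self.fault = State.RUN, ""
        self._v0, self._cycles, self._hold_pos = 0.0, 0, 0.0

    def demand_ss2(self, current_speed):
        """Start the SS2 sequence from the speed measured at the moment of the demand."""
        if self.state is State.RUN:
            self.state, self._v0, self._cycles = State.DECEL, abs(current_speed), 0

    def release(self):
        """Control system releases SOS (e.g. the guard is closed and locked again)."""
        if self.state is State.SOS:
            self.state = State.RUN

    def step(self, speed, position):
        """One safety-task cycle with measured speed (mm/s) and position (mm)."""
        if self.state is State.DECEL:
            self._cycles += 1
            allowed = max(self._v0 - self.ramp_per_cycle * self._cycles, 0.0) + self.tol
            if abs(speed) > allowed:
                return self._fault("deceleration slower than the monitored ramp")
            if abs(speed) <= self.v_standstill:
                self.state, self._hold_pos = State.SOS, position
            elif self._cycles >= self.cycle_limit:
                return self._fault("standstill not reached within the SS2 time limit")
        elif self.state is State.SOS:
            # SOS: the drive holds position under power; drift beyond the window
            # (a falling vertical axis, a control fault) must end in STO.
            if abs(position - self._hold_pos) > self.window:
                return self._fault("position left the SOS window")
        return self.state

    def _fault(self, why):
        self.state, self.fault = State.STO, why
        return self.state


def simulate(v_start, decel_mm_s2, push_mm=0.0, push_at_s=None,
             period_s=0.001, duration_s=2.0):
    """Constructed drive model: decelerates at decel_mm_s2 from v_start, then holds.

    push_mm is an external displacement applied at push_at_s (e.g. a load dragging
    the axis while in SOS). Returns (final_state, time_sos_entered, fault_text).
    """
    mon = Ss2Monitor(period_s=period_s)
    v, pos, t_sos = v_start, 0.0, None
    mon.demand_ss2(v)
    for i in range(int(duration_s / period_s)):
        t = i * period_s
        if v > 0.0:
            v = max(v - decel_mm_s2 * period_s, 0.0)
            pos += v * period_s
        if push_at_s is not None and abs(t - push_at_s) < period_s / 2:
            pos += push_mm
        state = mon.step(v, pos)
        if state is State.SOS and t_sos is None:
            t_sos = t
        if state is State.STO:
            break
    return mon.state, t_sos, mon.fault


if __name__ == "__main__":
    print(simulate(300.0, 2500.0))                              # clean SS2 -> SOS
    print(simulate(300.0, 1000.0))                              # too slow: STO
    print(simulate(300.0, 2500.0, push_mm=1.0, push_at_s=0.5))  # pushed out of SOS window: STO
```

The behaviour to notice is the one the text describes for a vertical axis: the monitor never trusts the drive's own claim to be holding position. Standstill is a monitored condition, so an external force that moves the axis out of the SOS window while "stopped" is a fault and ends in STO, which is exactly why the load-holding means (brake, non-back-drivable gearing) has to be chosen for the power-loss case as well.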

SOS is not normally used for the emergency stop function. IEC 60204-1 provides an exception where the use of Stop Category 2 is concerned; however, great care is needed when developing the technical justification. Under certain conditions, it may be used when guard interlocks are opened, i.e., the guard door on a CNC lathe is opened so the operator can place a new workpiece.

Safe standstill

A safe standstill is a condition where motion has stopped and is being monitored by a safety-rated device whose output signals control the release of guard locking devices. A safe standstill is not the same as zero-speed because zero-speed can be achieved without using safety-rated control components and design. In contrast, a safe standstill requires both suitable components and design.

When is “safe standstill” used?

A safe standstill is part of a Category 2 Stop [9] or SS2. Another safety function that uses a safe standstill is the guard locking function [14]. In that case, achieving a safe energized or de-energized standstill condition is used to trigger the unlocking of the guard.

What is a “safe standstill”?

Two standards provide definitions for “safe standstill.” The first, ISO 20430 [11], the standard for horizontal plastic injection moulding machines, provides a simple definition with little specific guidance on how the standstill is created and maintained.

safe standstill

standstill (3.1.17) during which unexpected start-up is prevented

Note 1 to entry: See Figure 6 for the relation of standstill, safe standstill, stopping (3.1.19), safe stopping (3.1.20) and overall system stopping performance (3.1.21).

ISO 20430, 3.1.18

Figure 6, referenced in the definition, is similar to, but slightly different from, Fig. 3 in this article. It provides additional details that may be relevant to applications beyond plastic injection moulding machines.

So a safe standstill requires the prevention of unexpected start-up, and therefore additional requirements are likely to be found in ISO 14118 [12]. Reviewing [12], there are no requirements specific to safe standstill, so all relevant parts of that standard apply.

More specific requirements can be found in ISO 16092-2 [13].

safe energized standstill

safety function preventing an unexpected movement of the slide of more than a defined amount from the stopped position, with energy supplied to the servomotor(s) to resist to external forces, and without actuation of the mechanical brake(s)

ISO 16092-2, 3.9

This definition applies to SOS and, therefore, to SS2 since the power to the actuators is maintained. There is also a definition for a safe de-energized standstill, but since it’s not relevant to this discussion, I’ll leave you to look that up on your own.

In the definition, reference is made to the servomotor. Since position maintenance with any other drive is generally not practicable, the technical committee has chosen to be very specific about the drive type. Referring back to Fig. 1 above, T1 is a servo drive system.

There are various ways to achieve a safe standstill. Here are three approaches [12]:

  1. Rotation sensors
    Sensors can monitor the motion of the drive components; suitable sensors include proximity sensors, resolvers, and encoders. A safe standstill monitoring device evaluates the sensor signals to determine when a standstill has occurred. When a machine has an unstable rest position, a proximity sensor should be used to confirm the machine is in a safe position before the guard locking devices are released.
  2. Back EMF monitoring
    Back electromotive force, or back-EMF, is the voltage generated in an electric motor by the rotation of the armature in the motor’s magnetic field. This voltage opposes the applied voltage and is approximately proportional to the motor’s rotational speed. Because it is produced by rotation rather than by the supply, back-EMF persists after the supply voltage has been removed for as long as the rotor is still turning, which allows monitoring devices to measure motor speed indirectly and to detect standstill.
  3. Failsafe timer
    Failsafe timers are time delay relays designed for use in safety functions. Failsafe timers can be used when the stopping performance of the machinery is consistent and known.
    The time delay starts following the removal of power from the drive motor. The relay releases the guard locking devices at the end of the time delay.
    Regular time delay relays cannot be used for this purpose; only fail-safe relays designed for safety functions can be used, along with suitable safety systems design techniques like ISO 13849 or IEC 62061.
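The back-EMF approach in item 2 above is the easiest of the three to show in code. The following Python is an added example (it is not from the article, from ISO 14118 or from any vendor's standstill monitor): the back-EMF samples are constructed to model a motor coasting down after its supply is removed, so the amplitude decays with speed and carries some measurement noise, and the monitor permits the guard-lock release only after the signal has stayed below a threshold for a dwell time. The threshold, dwell time, sample rate and back-EMF constant are all assumed values.

```python
"""Back-EMF standstill detection gating a guard-lock release.

Added example; not from the article, ISO 14118 or any vendor's standstill monitor.
The back-EMF samples are constructed (exponential coast-down plus noise).
Threshold, dwell time, sample rate and back-EMF constant are assumed values.
"""
import math
import random

SAMPLE_HZ = 100
STANDSTILL_V = 0.5        # assumed: below this amplitude the motor counts as stopped
DWELL_S = 0.5             # assumed: must stay below threshold this long before unlock
K_EMF_V_PER_RPM = 0.01    # assumed back-EMF constant of the motor


def coast_down(rpm0, tau_s, duration_s, noise_v=0.02, seed=1):
    """Constructed back-EMF samples for an exponential coast-down with Gaussian noise."""
    rng = random.Random(seed)
    return [K_EMF_V_PER_RPM * rpm0 * math.exp(-(i / SAMPLE_HZ) / tau_s) + rng.gauss(0.0, noise_v)
            for i in range(int(duration_s * SAMPLE_HZ))]


class StandstillMonitor:
    """Unlock is permitted only after back-EMF has stayed under the threshold for DWELL_S.

    Any single sample at or above the threshold restarts the dwell, so a brief dip
    (noise, a momentary stall) cannot release the guard, and the default state is locked.
    """
    def __init__(self):
        self.needed = int(DWELL_S * SAMPLE_HZ)
        self.below = 0
        self.unlock = False

    def step(self, emf_v):
        self.below = self.below + 1 if abs(emf_v) < STANDSTILL_V else 0
        self.unlock = self.below >= self.needed
        return self.unlock


def time_to_unlock(samples):
    """Seconds from the first sample until unlocking is permitted, or None if it never is."""
    mon = StandstillMonitor()
    for i, v in enumerate(samples):
        if mon.step(v):
            return i / SAMPLE_HZ
    return None


if __name__ == "__main__":
    print(time_to_unlock(coast_down(1500, 1.0, 6.0)))   # coasts to standstill, then unlocks
    print(time_to_unlock(coast_down(1500, 1.0, 3.0)))   # still turning at the end: None
    print(time_to_unlock([0.1] * 30 + [2.0] + [0.1] * 60))  # a single blip restarts the dwell
```

The dwell time is the part that matters for safety: a single noisy sample below the threshold is not evidence of standstill, and the monitor treats any sample above the threshold as motion and starts over. The same "locked by default, unlocked only on positive evidence" shape applies to the rotation-sensor approach; the failsafe timer in item 3 replaces the evidence with a fixed delay, which is only acceptable when the stopping time is known and consistent.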

Control devices

Most control component manufacturers offer safe standstill monitoring devices that you can design into your projects. These devices are also easy to use when you need to retrofit standstill monitoring into a control system that does not have it.

If you are using safe motion platforms like those offered by B&R or Siemens, you will find that the safety system configuration software has a safe-standstill function block available.

I’ve included a TechBrief from Schmersal here, but you should check with your preferred component vendor(s) to see what they can offer.

There are a few additional “safe” drive functions; see my article on safe drive control.

Courses

If you are unsure how to proceed with functional safety or ISO 13849, check out our FS101 course. This course will teach you how to proceed:

  • with a review of machinery risk assessment
  • developing the Safety Requirement Specifications
  • analyzing your design
  • developing the validation documentation, and
  • developing the validation test procedure

This course is suitable for control systems designers and engineers. If you have a CMSE designation or equivalent, and you’re still not feeling confident about how to use ISO 13849, this course will work for you too. The course includes a review of machinery risk assessment according to ISO 12100. Our RA101 course will give you the needed expertise if you have never had risk assessment training.


References

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO). 2015.

[2] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. International Organization for Standardization (ISO). 2010.

[3] Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots, ISO 10218-1. International Organization for Standardization (ISO). 2011.

[4] Y. Chinniah, B. Aucourt, and R. Bourbonnière, “Study of Machine Safety for Reduced-Speed or Reduced-Force Work R-956,” Montreal: Institut de recherche Robert-Sauvé en santé et en sécurité du travail (IRRST), 2017.

[5] Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional, IEC 61800-5-2. International Electrotechnical Commission (IEC). 2016.

[6] M. Hauke, et al, “Functional safety of machine controls — Application of EN ISO 13849 — IFA Report 2/2008e”, German Social Accident Insurance (DGUV), Sankt Augustin, 2009.

[7] M. Hauke, et al, “Functional safety of machine controls — Application of EN ISO 13849 — IFA Report 2/2017e”, German Social Accident Insurance (DGUV), Sankt Augustin, 2019.

[8] “Functional safety of machine controls – Application of EN ISO 13849 (BGIA Report 2/2008e)”, dguv.de. [Online]. Available: https://www.dguv.de/ifa/publikationen/reports-download/bgia-reports-2007-bis-2008/bgia-report-2-2008/index-2.jsp. [Accessed: 06-Sep-2022].

[9] Safety of machinery – Electrical equipment of machines – Part 1: General requirements, IEC 60204-1. International Electrotechnical Commission (IEC). 2018.

[10] “Safe Stop 2 (SS2) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop2.aspx. [Accessed: 19-Jun-2017].

[15] Machine tools safety — Machining centres, Milling machines, Transfer machines — Part 1: Safety requirements, ISO 16090-1. International Organization for Standardization (ISO). 2017.

[11] Plastics and rubber machines — Injection moulding machines — Safety requirements, ISO 20430. International Organization for Standardization (ISO). 2020.

[12] Safety of machinery — Prevention of unexpected start-up, ISO 14118. International Organization for Standardization (ISO). 2017.

[13] Machine tools safety — Presses — Part 2: Safety requirement for mechanical presses, ISO 16092-2. International Organization for Standardization (ISO). 2019.

[14] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO 14119. International Organization for Standardization (ISO). 2013.

© 2022, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
