This morning I read news of the tests that the May Government plans to use when assessing the Brexit deal they are trying to negotiate with the EU.
If you scroll down through the tests you will discover that the UK really doesn’t want anything to change, including CE Marking, a fundamental part of the EU Single Market. Donald Tusk has made it very clear that the UK will not have access to the single market after Brexit, so the items relating to regulatory harmonisation are traps that will almost certainly cause rejection of the deal.
Further down, you will also see that May does not want to lose the freedom of movement of people or money. If you know anything about the EU, you probably know that the three pillars of the EU are the freedom of movement of:
People
Goods
Capital
The tests show that the UK hopes to keep all of these, which begs the question, why leave at all? The UK already has all the items in the tests as a member of the EU. These are granted as part of membership. The costs associated with maintaining this charade are astronomical while staying in the union provides significant benefits and relatively few costs.
Isn’t it time for Prime Minister May and her government to give up this game and admit that Brexit is a bad deal for the UK, and that continued membership is the best way forward?
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
This entry is part 1 of 3 in the series Safety Labels
Machinery Safety Labels
The third level of the Hierarchy of Controls is Information for Use. Safety Labels are a key part of the Information for Use provided by machine builders to users and are often the only information that many users get to see. This makes the design and placement of the safety labels critical to their effectiveness. There is as much risk in the under-use of safety labels as there is in the over-use of safety labels. Often, machine builders and users simply select generic labels that are easily available from catalogues, missing the opportunity to design labels that are specific to the machine and the hazards present. Continue reading “Machinery Safety Labels: 3 Top Tools for Effective Warnings”
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
Ed. Note: This article was revised 25-Jul-17 to include information on safe standstill.
Safe Drive Control including STO
Variable Frequency Drive for conveyor speed control [1]Motor drives are everywhere. From DC variable speed drives and indexing drives, through AC Variable Frequency drives, servo drives and stepper motor drives, the capabilities and the flexibility of these electronic systems has given machine designers unprecedented capabilities when compared to basic relay or contactor-based motor starters. We now have the capability to control mechanisms using motors in ways that would have been hard to imagine at the beginning of the industrial revolution. Along with these control capabilities come safety-related functions like Safe Torque Off (STO).
Since we are controlling machinery, safety is always a concern. In the 1990’s when I started designing machinery with motor drives, dealing with safety concerns usually meant adding a suitably rated contactor upstream of the drive so that you could interrupt power to the drive in case something went wrong. With early servo drives, interrupting the supply power often meant losing position data or worse. Placing contactors between the drive and the motor solved this problem, but interrupting the supply power would sometimes cause the drive stage of the servo controller to blow up if the switch-off happened with the motor running and under high load. Motor drive manufacturers responded by providing contactors and other components built into their drives, creating a feature called Safe Torque Off (STO).
STO describes a state where “The drive is reliably torque-free” [2]. The functions discussed in this article are described in detail in IEC 61800 – 5-2 [3]. The functions are also listed in [10, Table 5.2]. Note that only Safe Torque Off and Safe Stop 1 can be used for emergency stop functions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safety-related stop functions initiated by a safeguarding device. This distinction, between emergency stop functions and safeguarding functions, is an important one.
If you have been a reader of this blog for a while, you may recall that I have discussed stop categories before. This article expands on those concepts with the focus on motor drives and their stopping functions specifically. I’ve also talked about Emergency Stop extensively. You might be interested in reading more about the e-stop function, starting with the post “Emergency Stop – What’s so confusing about that?”
Safe Torque Off (STO)
According to Siemens, “The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to act upon a motor and prevents unintentional starting.” Risk assessment of the machinery can identify the need for an STO function. The devices used for this application are described in IEC 60204 – 1 in clause 5.4 [4]. The design features for prevention of unexpected starting are covered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are interested in these standards, ISO 14118 is in the process of being revised. A new version should be available within 12 – 18 months.
The STO function operates as shown in Fig.1. The blue line represents the drive speed/velocity, V, on the y-axis, with time, t, on the x-axis. The orange arrow and the dotted line show the initiation of the stopping function.
Figure 1 – Safe Torque Off function [1]At the beginning of the stopping process (orange arrow and dotted line), the drive gate pulses are immediately shut off, removing torque from the motor (i.e., zero torque). The speed of the driven equipment will drop at a rate determined by the system friction and inertia until standstill is achieved. The zero torque condition is maintained until the safety function permits restarting (area outlined with yellow/black zebra stripe). Note that drive standstill may occur if the friction and inertia of the system permit, but it is possible that the driven equipment may coast for some time. You may be able to move the driven equipment by hand or gravity with the drive in the STO mode.
STO is an uncontrolled stopping mode [4, 3.56]:
uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any other state of other (for example, non-electrical) stopping devices, for example, mechanical or hydraulic brakes that are outside the scope of this standard.
The definition above is important. Uncontrolled stops are the most common form of stopping used in machines of all types and is required as a basic function for all machines. There are various ways of achieving STO, including the use of a disconnecting device, emergency stop systems, and gate interlocking systems that remove power from machine actuators.
The embodiment of the uncontrolled stop concept is Stop Category 0 [4, 9.2.2]:
stop category 0 — stopping by immediate removal of power to the machine actuators (i.e., and uncontrolled stop, see 3.56)
Stop category 0 is only appropriate where the machinery has little inertia, or where mechanical friction is high enough that the stopping time is short. It may also be used in cases where the machinery has very high inertia, but only for normal stopping when coasting time is not a factor, not for safety stopping functions where the time to a no-motion state is critical.
There are a few other stopping modes that are often confused with STO:
Safe Stop 1
Safe Stop 2
Safe Operating Stop
Safe Standstill
Let’s explore the differences.
Safe Stop 1 (SS1)
If a defined stopping time is needed, a controlled stopping function will be required followed by entry into STO. This stopping function is called “Safe Stop 1” (SS1).
SS1 is directly related to Stop Category 1 [4, 9.2.2]. As described in [4], Stop Category 1 functions as follows:
stop category 1 — a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
A “controlled stop” is defined in [4, 3.11]:
controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
Once the controlled stop is completed, i.e., machine motion has stopped, the drive may then be placed into STO (or category 0 stop). The stopping process is shown in Fig. 2 [7].
Figure 2 – Safe Stop 1
The stopping process starts where the orange arrow and dotted line are shown. As compared to Fig. 1 where the deceleration curve is gentle and exponential, the active stopping period in Fig. 2 is a linear curve from operating speed to zero speed. At the blue dotted line, the drive enters and stays in STO. The yellow/black zebra striped area of the curve outlines the complete stopping function. This stopping method is typical of many types of machinery, particularly those with servo-driven mechanisms.
Safe Stop 2 (SS2)
In some cases, the risk assessment may show that removing power completely from a mechanism will increase the risk. An example might be a vertical axis where the motor drive is used to maintain the position of the tooling. Removing power from the drive with the tool raised would result in the tooling crashing to the bottom of the axis in an uncontrolled way. Not the desired way to achieve any type of stop!
There are various to prevent this kind of occurrence, but I’m going to limit the discussion here to the Safe Stop 2 function.
Let’s start with the definition [4, 3.11]:
controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
Wait! The definition of a controlled stop is exactly the same as a stop category 1, so what is the difference? For that we need to look to [4, 9.2.2]:
stop category 2 — a controlled stop with power left available to the machine actuators.
Emergency Stop functions cannot use Stop Category 2 [4, 9.2.5.4.2]. If you have tooling where Stop Category 2 is the most appropriate stopping function under normal conditions, you will have to add an another means to prevent the axis from falling during the emergency stop. The additional means could be a spring-set brake that is held released by the emergency stop system and is applied when the e-stop system removes power from the tooling. There are many ways to achieve automatic load-holding besides brakes, but remember, whatever you choose it must be effective in power loss conditions.
As shown in Fig. 3, the operation of Safe Stop 2 differs from Safe Stop 1 in that, instead of entering into STO when motion stops, the system enters Safe Operating Stop (SOS) [8], notSTO. SOS is a Stop Category 2 function. Full torque remains available from the motor to hold the tooling in position. Safe standstill is monitored by the drive or other means.
Figure 3 — Safe Stop 2
Depending on the ISO 13849 – 1 PLr, or the IEC 62061 SILr needed for the application, the drive may not have high enough reliability on its own. In this case, a second channel may be required to ensure that safe standstill monitoring is adequately reliable. This can be achieved by adding another means of standstill detection, like a second encoder, or a standstill monitoring device. An example circuit diagram showing this type of monitoring can be found in Fig. 4 [10, Fig. 8.37], showing a safety PLC and drive used to provide an “inching” or “jog” function.
Figure 4 — Safely limited speed for inching mode – PLd, Cat. 3 [10]In Fig. 4, the encoders are labelled G1 and G2. Both encoders are connected to the safety PLC to provide two-channel feedback required for Category 3 architecture. G1 is also connected to the motor drive for position and velocity feedback as needed for the application. Note that this particular drive also has a contactor upstream, Q1, to provide one channel of the two required for Category 3. The second channel would be provided by the pulse blocking input on the drive. For more on how this circuit functions and how the functional safety analysis is completed, see [10].
Safe Operating Stop (SOS)
During a safe operating stop (SOS), the motor is brought to a specific position and held there by the drive. Full torque is available to keep the tooling in position. The stop is monitored safely by the drive. The function is shown in Figure 4 [9].
Figure 5 — Safe Operating Stop
In Fig. 5, the y-axis, s, represents the position of the tooling, NOT the velocity, while the x-axis represents time, t. The start of the position holding function is shown by the orange arrow and dashed line. The period following the green dashed line is the SOS period.
SOS cannot be used for the emergency stop function. Under certain conditions it may be used when guard interlocks are opened, i.e., the guard door on a CNC lathe is opened so that the operator can place a new workpiece.
There a quite a few additional “safe” drive functions. For more on these functions and how to implement them, see [2] and application data from your favourite drive manufacturer. Reference is also provided in [9, Table 5.2].
Safe Standstill
Safe standstill is a condition where motion has stopped and is being monitored by a safety-rated device whose output signals are used to control the release of guard locking devices. Safe standstill is not the same as zero-speed because zero-speed can be achieved without the use of safety-rated control components and design, while safe standstill requires both suitable components and design.
There are various ways to achieve safe standstill. Here are three approaches [12]:
Rotation sensors
Sensors including proximity sensors, resolvers, and encoders can be used to monitor the motion of the drive components. A safe standstill monitoring device is used to when standstill has occurred. When a machine has an unstable rest position, a proximity sensor should be used to ensure the machine is in a safe condition before the guard locking devices are released.
Back EMF monitoring
Back electromotive force or Back EMF is the voltage created in an electric motor due to the rotation of the armature in the magnetic field in the motor. This voltage opposes the applied voltage and is approximately proportional to the rotational speed of the motor. Back EMF remains after the supply voltage has been removed, allowing monitoring devices to indirectly measure motor speed and standstill.
Failsafe timer
Failsafe timers are time delay relays designed for use in safety functions. Failsafe timers can be used when the stopping performance of the machinery is consistent and known.
Following removal of power from the drive motor, the time delay starts. At the end of the time delay, the relay releases the guard locking devices.
Regular time delay relays cannot be used for this purpose, only fail-safe relays designed to be used in safety functions can be used, along with suitable safety systems design techniques like ISO 13849 or IEC 62061.
Conclusions
As you can see, there are significant differences between STO, SS1, SS2, SOS and Safe Standstill. While these functions may be used together to achieve a particular safety function, some are functions of the implementation of the motor drive, e.g., STO. Some are a function of the design of the motor drive itself, e.g., STO, SS1, SS2, and SOS, or the design of controls external to the motor drive, e.g., safe standstill. The similarities between these various functions can make it easy to confuse them. Care needs to be taken to ensure that the correct technical approach is used when realising the safety function required by the risk assessment.
[10] M. Hauke, M. Schaefer, R. Apfeld, T. Boemer, M. Huelke, T. Borowski, K. Büllesbach, M. Dorra, H. Foermer-Schaefer, W. Grigulewitsch, K. Heimann, B. Köhler, M. Krauß, W. Kühlem, O. Lohmaier, K. Meffert, J. Pilger, G. Reuß, U. Schuster, T. Seifen and H. Zilligen, “Functional safety of machine controls – Application of ENISO 13849 – Report 2/2008e”, BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, Sankt Augustin, 2017.
Special thanks go out to two of my regular readers for suggesting this post: Matt Ernst and controlsgirl, who comments frequently. Thanks for the ideas and the questions that sparked this post!
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
