During the Free Safety Talks that we did with Schmersal Canada and Franklin Empire, we had a “hot question” come up regarding Category 2 architecture and the testing interval requirement. In the short video below, Doug answers that question.
If you have more questions or felt something wasn’t clear in the video, leave us a comment and we will get back to you!
[3] German Social Accident Insurance (DGUV) – Institute for Occupational Safety and Health (BGIA), “Functional safety of machine controls — Application of ISO 13849 – 1 — Report 2/2008e”, Institute for Occupational Safety and Health (BGIA), Sankt Augustin, DE, 2008.
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
You can’t argue with Free Stuff! Last week we partnered with Schmersal Canada and Franklin Empire to put on three days of Free Safety Talks. We had full houses in all three locations, Windsor, London and Cambridge, with nearly 60 people participating.
We had two great presenters who helped people understand Pre-Start Health and Safety Reviews (PSRs) [1], CSAZ432-2016 [2], Interlocking Devices [3] and Fault Masking [4].
Mr Vashi at Franklin Empire Cambridge
Franklin Empire provided us with some great facilities and breakfast to keep our minds working. Thanks, Franklin Empire and Ben Reid who organized all of the registrations!
Mr Nix discussing injury rates in machine modes of operation
Reason #2 – Understanding Interlocking Devices
Mr Kartik Vashi, CFSE
Mr Kartik Vashi, CFSE, discussed the ISO Interlocking Device standard, ISO 14119. This standard provides readers with guidance in the selection and application of interlocking devices, including the four types of interlocking devices and the various coding options for each type. Did you know that ISO 14119 is also directly referenced in CSAZ432-16 [2]? That means this standard is applicable to machinery built and used in Canada as of 2016. If you don’t know what I’m talking about, you can contact Mr Vashi to get more information.
ISO 14119 Fig 2 showing some aspects of different types of interlocking devices [3]
Reason #3 – Understanding Fault Masking
Mr Vashi also talked about fault masking, an important and often misunderstood situation that can occur when interlocking devices or other electromechanical devices, like emergency stop buttons, are daisy-chained into a single safety relay or safety input on a safety PLC. Mr Vashi drew from ISO/TR 24119 to help explain this phenomenon. If you don’t understand the impact that daisy-chaining interlocking devices can have on the reliability of your interlocking systems, Mr Vashi can help you get a handle on this topic.
A part of ISO 24119 Fig 2 showing one common method of daisy-chaining interlocking devices [4]
Reason # 4 – Pre-Start Health and Safety Reviews
Mr Doug Nix, C.E.T.
Mr Nix opened his presentation with a discussion of some commonly asked questions about Pre-Start Health and Safety Reviews (PSRs). There are many ways that people become confused about the WHY, WHAT, WHEN, WHERE, WHO and HOW of PSRs, and Mr Nix covered them all. This unique-to-Ontario process requires an employer to have machines, equipment, racking and processes reviewed by a Professional Engineer or another Qualified Person when certain circumstances exist (see O. Reg. 851, Section 7 Table). If you are confused by the PSR requirements, contact Mr Nix for help with your questions.
Reason #5 – Understanding the changes to CSAZ432
CSAZ432 [2] was updated in 2016 with many changes. This much-needed update came after 12 years experience with the 2004 edition and many changes in machinery safety technology. Mr Nix briefly explored the many changes that were brought to Canadian machine builders in the new edition, including the many new references to ISO and IEC standards. These new references will help European machine builders get their products accepted in Canadian markets. Both Mr Vashi and Mr Nix sit on the CSA Technical Committee responsible for CSAZ432.
Reason #6 – Hot Questions
We like to over-deliver, so here’s the bonus reason!
We had some great questions posed by our attendees, two of which we are answering in video posts this week. If you have ever considered using a programmable safety system for lockout, our first video explains why this is not yet a possibility. Mr Nix gets into some of the reliability considerations behind the O.Reg. 851 Sections 75 and 76 and CSAZ460 requirements.
A case in the UK illustrates the dangers of bypassing interlocking systems. A worker was killed by a conveyor system in a pre-cast concrete plant when he was working in an area normally protected by a key-exchange system. Here’s the link to the article on OHSOnline.com. Allowing workers into the danger zone of a machine without other effective risk reduction measures may be a death sentence.
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
Ed. Note: This article was revised 25-Jul-17 to include information on safe standstill.
Safe Drive Control including STO
Variable Frequency Drive for conveyor speed control [1]Motor drives are everywhere. From DC variable speed drives and indexing drives, through AC Variable Frequency drives, servo drives and stepper motor drives, the capabilities and the flexibility of these electronic systems has given machine designers unprecedented capabilities when compared to basic relay or contactor-based motor starters. We now have the capability to control mechanisms using motors in ways that would have been hard to imagine at the beginning of the industrial revolution. Along with these control capabilities come safety-related functions like Safe Torque Off (STO).
Since we are controlling machinery, safety is always a concern. In the 1990’s when I started designing machinery with motor drives, dealing with safety concerns usually meant adding a suitably rated contactor upstream of the drive so that you could interrupt power to the drive in case something went wrong. With early servo drives, interrupting the supply power often meant losing position data or worse. Placing contactors between the drive and the motor solved this problem, but interrupting the supply power would sometimes cause the drive stage of the servo controller to blow up if the switch-off happened with the motor running and under high load. Motor drive manufacturers responded by providing contactors and other components built into their drives, creating a feature called Safe Torque Off (STO).
STO describes a state where “The drive is reliably torque-free” [2]. The functions discussed in this article are described in detail in IEC 61800 – 5-2 [3]. The functions are also listed in [10, Table 5.2]. Note that only Safe Torque Off and Safe Stop 1 can be used for emergency stop functions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safety-related stop functions initiated by a safeguarding device. This distinction, between emergency stop functions and safeguarding functions, is an important one.
If you have been a reader of this blog for a while, you may recall that I have discussed stop categories before. This article expands on those concepts with the focus on motor drives and their stopping functions specifically. I’ve also talked about Emergency Stop extensively. You might be interested in reading more about the e-stop function, starting with the post “Emergency Stop – What’s so confusing about that?”
Safe Torque Off (STO)
According to Siemens, “The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to act upon a motor and prevents unintentional starting.” Risk assessment of the machinery can identify the need for an STO function. The devices used for this application are described in IEC 60204 – 1 in clause 5.4 [4]. The design features for prevention of unexpected starting are covered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are interested in these standards, ISO 14118 is in the process of being revised. A new version should be available within 12 – 18 months.
The STO function operates as shown in Fig.1. The blue line represents the drive speed/velocity, V, on the y-axis, with time, t, on the x-axis. The orange arrow and the dotted line show the initiation of the stopping function.
Figure 1 – Safe Torque Off function [1]At the beginning of the stopping process (orange arrow and dotted line), the drive gate pulses are immediately shut off, removing torque from the motor (i.e., zero torque). The speed of the driven equipment will drop at a rate determined by the system friction and inertia until standstill is achieved. The zero torque condition is maintained until the safety function permits restarting (area outlined with yellow/black zebra stripe). Note that drive standstill may occur if the friction and inertia of the system permit, but it is possible that the driven equipment may coast for some time. You may be able to move the driven equipment by hand or gravity with the drive in the STO mode.
STO is an uncontrolled stopping mode [4, 3.56]:
uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any other state of other (for example, non-electrical) stopping devices, for example, mechanical or hydraulic brakes that are outside the scope of this standard.
The definition above is important. Uncontrolled stops are the most common form of stopping used in machines of all types and is required as a basic function for all machines. There are various ways of achieving STO, including the use of a disconnecting device, emergency stop systems, and gate interlocking systems that remove power from machine actuators.
The embodiment of the uncontrolled stop concept is Stop Category 0 [4, 9.2.2]:
stop category 0 — stopping by immediate removal of power to the machine actuators (i.e., and uncontrolled stop, see 3.56)
Stop category 0 is only appropriate where the machinery has little inertia, or where mechanical friction is high enough that the stopping time is short. It may also be used in cases where the machinery has very high inertia, but only for normal stopping when coasting time is not a factor, not for safety stopping functions where the time to a no-motion state is critical.
There are a few other stopping modes that are often confused with STO:
Safe Stop 1
Safe Stop 2
Safe Operating Stop
Safe Standstill
Let’s explore the differences.
Safe Stop 1 (SS1)
If a defined stopping time is needed, a controlled stopping function will be required followed by entry into STO. This stopping function is called “Safe Stop 1” (SS1).
SS1 is directly related to Stop Category 1 [4, 9.2.2]. As described in [4], Stop Category 1 functions as follows:
stop category 1 — a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
A “controlled stop” is defined in [4, 3.11]:
controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
Once the controlled stop is completed, i.e., machine motion has stopped, the drive may then be placed into STO (or category 0 stop). The stopping process is shown in Fig. 2 [7].
Figure 2 – Safe Stop 1
The stopping process starts where the orange arrow and dotted line are shown. As compared to Fig. 1 where the deceleration curve is gentle and exponential, the active stopping period in Fig. 2 is a linear curve from operating speed to zero speed. At the blue dotted line, the drive enters and stays in STO. The yellow/black zebra striped area of the curve outlines the complete stopping function. This stopping method is typical of many types of machinery, particularly those with servo-driven mechanisms.
Safe Stop 2 (SS2)
In some cases, the risk assessment may show that removing power completely from a mechanism will increase the risk. An example might be a vertical axis where the motor drive is used to maintain the position of the tooling. Removing power from the drive with the tool raised would result in the tooling crashing to the bottom of the axis in an uncontrolled way. Not the desired way to achieve any type of stop!
There are various to prevent this kind of occurrence, but I’m going to limit the discussion here to the Safe Stop 2 function.
Let’s start with the definition [4, 3.11]:
controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
Wait! The definition of a controlled stop is exactly the same as a stop category 1, so what is the difference? For that we need to look to [4, 9.2.2]:
stop category 2 — a controlled stop with power left available to the machine actuators.
Emergency Stop functions cannot use Stop Category 2 [4, 9.2.5.4.2]. If you have tooling where Stop Category 2 is the most appropriate stopping function under normal conditions, you will have to add an another means to prevent the axis from falling during the emergency stop. The additional means could be a spring-set brake that is held released by the emergency stop system and is applied when the e-stop system removes power from the tooling. There are many ways to achieve automatic load-holding besides brakes, but remember, whatever you choose it must be effective in power loss conditions.
As shown in Fig. 3, the operation of Safe Stop 2 differs from Safe Stop 1 in that, instead of entering into STO when motion stops, the system enters Safe Operating Stop (SOS) [8], notSTO. SOS is a Stop Category 2 function. Full torque remains available from the motor to hold the tooling in position. Safe standstill is monitored by the drive or other means.
Figure 3 — Safe Stop 2
Depending on the ISO 13849 – 1 PLr, or the IEC 62061 SILr needed for the application, the drive may not have high enough reliability on its own. In this case, a second channel may be required to ensure that safe standstill monitoring is adequately reliable. This can be achieved by adding another means of standstill detection, like a second encoder, or a standstill monitoring device. An example circuit diagram showing this type of monitoring can be found in Fig. 4 [10, Fig. 8.37], showing a safety PLC and drive used to provide an “inching” or “jog” function.
Figure 4 — Safely limited speed for inching mode – PLd, Cat. 3 [10]In Fig. 4, the encoders are labelled G1 and G2. Both encoders are connected to the safety PLC to provide two-channel feedback required for Category 3 architecture. G1 is also connected to the motor drive for position and velocity feedback as needed for the application. Note that this particular drive also has a contactor upstream, Q1, to provide one channel of the two required for Category 3. The second channel would be provided by the pulse blocking input on the drive. For more on how this circuit functions and how the functional safety analysis is completed, see [10].
Safe Operating Stop (SOS)
During a safe operating stop (SOS), the motor is brought to a specific position and held there by the drive. Full torque is available to keep the tooling in position. The stop is monitored safely by the drive. The function is shown in Figure 4 [9].
Figure 5 — Safe Operating Stop
In Fig. 5, the y-axis, s, represents the position of the tooling, NOT the velocity, while the x-axis represents time, t. The start of the position holding function is shown by the orange arrow and dashed line. The period following the green dashed line is the SOS period.
SOS cannot be used for the emergency stop function. Under certain conditions it may be used when guard interlocks are opened, i.e., the guard door on a CNC lathe is opened so that the operator can place a new workpiece.
There a quite a few additional “safe” drive functions. For more on these functions and how to implement them, see [2] and application data from your favourite drive manufacturer. Reference is also provided in [9, Table 5.2].
Safe Standstill
Safe standstill is a condition where motion has stopped and is being monitored by a safety-rated device whose output signals are used to control the release of guard locking devices. Safe standstill is not the same as zero-speed because zero-speed can be achieved without the use of safety-rated control components and design, while safe standstill requires both suitable components and design.
There are various ways to achieve safe standstill. Here are three approaches [12]:
Rotation sensors
Sensors including proximity sensors, resolvers, and encoders can be used to monitor the motion of the drive components. A safe standstill monitoring device is used to when standstill has occurred. When a machine has an unstable rest position, a proximity sensor should be used to ensure the machine is in a safe condition before the guard locking devices are released.
Back EMF monitoring
Back electromotive force or Back EMF is the voltage created in an electric motor due to the rotation of the armature in the magnetic field in the motor. This voltage opposes the applied voltage and is approximately proportional to the rotational speed of the motor. Back EMF remains after the supply voltage has been removed, allowing monitoring devices to indirectly measure motor speed and standstill.
Failsafe timer
Failsafe timers are time delay relays designed for use in safety functions. Failsafe timers can be used when the stopping performance of the machinery is consistent and known.
Following removal of power from the drive motor, the time delay starts. At the end of the time delay, the relay releases the guard locking devices.
Regular time delay relays cannot be used for this purpose, only fail-safe relays designed to be used in safety functions can be used, along with suitable safety systems design techniques like ISO 13849 or IEC 62061.
Conclusions
As you can see, there are significant differences between STO, SS1, SS2, SOS and Safe Standstill. While these functions may be used together to achieve a particular safety function, some are functions of the implementation of the motor drive, e.g., STO. Some are a function of the design of the motor drive itself, e.g., STO, SS1, SS2, and SOS, or the design of controls external to the motor drive, e.g., safe standstill. The similarities between these various functions can make it easy to confuse them. Care needs to be taken to ensure that the correct technical approach is used when realising the safety function required by the risk assessment.
[10] M. Hauke, M. Schaefer, R. Apfeld, T. Boemer, M. Huelke, T. Borowski, K. Büllesbach, M. Dorra, H. Foermer-Schaefer, W. Grigulewitsch, K. Heimann, B. Köhler, M. Krauß, W. Kühlem, O. Lohmaier, K. Meffert, J. Pilger, G. Reuß, U. Schuster, T. Seifen and H. Zilligen, “Functional safety of machine controls – Application of ENISO 13849 – Report 2/2008e”, BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, Sankt Augustin, 2017.
Special thanks go out to two of my regular readers for suggesting this post: Matt Ernst and controlsgirl, who comments frequently. Thanks for the ideas and the questions that sparked this post!
Original content here is published under these license terms:
X
License Type:
Non-commercial, Attribution, Share Alike
License Summary:
You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.
Copyright secured by Digiprove © 2018
