Developments in drive-based safety can save significant time and cost

Paul Boughton

Many developments in the field of machinery safety over the past ten years have been aimed at mitigating the overhead relating to additional hardware, wiring, commissioning and operational issues, but now the tide has turned and safety functionality can actually add value. Thanks to recent advances in solid-state electronics, industrial fieldbus networks, software and, of course, machinery safety standards, it is possible to enhance machine productivity and availability by the judicious use of safety-related control systems.

One of the main requirements for machinery safety stems from the fact that moving components present a hazard. If these movements are controlled by servo drives, as they often are when motion – and machinery efficiency – need to be optimised, the technology now exists to implement drive-based safety.

This philosophy, for which products fully approved by TÜV are available, is a further evolution of Lenze's concept of drive-based automation, in which intelligence is built into decentralised drives, enabling them to perform many of the functions traditionally handled by motion controllers and/or PLCs (programmable logic controllers) or other control systems. With drive-based safety, the drive is additionally able to perform safety functions that would otherwise require multiple safety relays, monitoring units and a dedicated speed/position sensor (Fig. 1).

Incorporating safety within the drive delivers a number of benefits for the machine designer, safety-relevant control system designer, and the end user as well – in particular, significant time and cost savings can be achieved.

Machine builder and SI benefits

Starting with the machine builder or system integrator (SI), there is no longer a need to specify a number of different safety relays and monitors for use with emergency stop switches, safety light curtains and similar safety components, as all of these can be connected directly to the drive. Furthermore, if a Profibus DP industrial fieldbus network is employed and the Profisafe option is selected, wiring can be simplified as well. With the elimination of multiple safety relays and monitors, the requirement for cabinet space is reduced and, ultimately, so is the need for factory floor space.

If the designer also has to make provision for slow-speed running, hold-to-run or single-cycle operation, these are all far easier to implement using drive-based safety than by traditional methods, as the engineering is carried out largely in software instead of hard-wiring safety relays and monitors.

Machine builders and system integrators working on complex machinery are increasingly conforming to IEC/EN 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems), rather than the simpler BS EN 954-1 (Safety of machinery, Safety related parts of control systems, General principles for design) – which in fact does not permit the use of programmable safety systems. IEC/EN 61508 is soon to be complemented by a daughter standard for machinery (IEC 62061 – Safety of machinery, Functional safety of safety-related electrical, electronic and programmable electronic control systems), and both of these standards require the designer of the safety-related electrical control system (SRECS) to calculate the Safety Integrity Level (SIL).

These calculations take account of factors such as the Mean Time To Failure (MTTF) and, inevitably, the overall reliability of a system is adversely affected by high numbers of components. In extreme cases, a complex safety system will require individual components of a higher SIL rating (which are therefore more expensive) than comparable components performing the same role within a less complex system, simply in order to achieve the required overall SIL rating. However, by using drive-based safety and replacing numerous discrete safety relays and monitors with a single programmable module within the drive, the SIL calculations are simplified and there is a reduced possibility that higher integrity safety components will be called for – thereby potentially saving cost for the machine builder.

Other savings during the design phase accrue from a faster, easier design cycle, and simplified design verification and documentation.


Savings during commissioning

When it comes to commissioning the machine, time and cost savings are achieved through the ability to pre-test programmed safety functions rather than relying entirely on in-situ function tests. The fact that the safety functions are integral within the drive also avoids problems traditionally associated with integrating the drive and safety circuit – typically via relays and contactors. Diagnostic data for the safety circuit further reduces the time required for commissioning, especially if the Profisafe option is utilised.

A built-in facility for slow-speed, hold-to-run and single-cycle operation can also be invaluable during commissioning, as set-ups and verification of correct operation can be carried out more easily with less risk of damage to the machinery or process – and without compromising the safety of the operatives and commissioning engineers.


End user benefits

Many of the major advantages of drive-based safety, however, are enjoyed by the end user. With manufacturers today needing to optimise production, any saving in machine cycle time, however small, has a measurable value. When the safety functions are integrated within the drive, the safety system response time is faster than for a comparable circuit using conventional safety technology. Stopping times are therefore shorter and, for example, safety light curtains can be positioned closer to the hazard; if an operator needs access via the light curtain for every machine cycle, the resultant time saving can amount to a considerable increase in throughput.

Furthermore, a facility for slow-speed operation can enable an operator to enter an area that would normally be classified as hazardous in order to rectify a problem without halting production. In complex manufacturing systems – such as automotive production lines – it is hugely beneficial to keep the line running, even if one section is temporarily operating at reduced speed. Whether the line is running at reduced speed or stopped altogether, drive-based safety also enables a faster start-up to be achieved once the cause of the interruption has been removed. A particular advantage of drive-based safety is that the power is not disconnected from the drive during a stop; this is important because it avoids having to wait for the drive's capacitors to recover and for the drive to be ready for use again. Again, for plants where downtime is very expensive, seconds or even milliseconds saved on each interruption can add up to a substantial saving long-term.

With the inherent intelligence of drive-based safety, diagnostic data relating to the safety functions is readily available. The cause of any safety-related interruption to the process can therefore be immediately identified – such as a light curtain being breached or an emergency stop switch being activated – thereby enabling the process to be restarted more quickly. If the drive’s Profibus DP communication capabilities are used, an operator or supervisor virtually anywhere on the plant can view the diagnostic information and investigate the cause without delay.

Another benefit for the end user is the extended life of the drive. Disconnecting and reconnecting power causes premature aging of some internal components, but drive-based safety avoids this problem because the power is not routinely disconnected.

A further area where drive-based safety can benefit production is during troubleshooting with non-safety related parts of the plant. With an easily implemented slow-speed or hold-to-run operating mode, for example, an engineer can get closer to the process to view what is happening without being exposed to an unacceptable risk. This helps to reduce the time taken to diagnose problems, enabling them to be solved more quickly and production resumed sooner.

Currently Lenze is offering drive-based safety on the L-force 9400 series of servo drives that are rated from 0.37 kW to 11 kW, and the intention is to launch models rated up to 400 kW by the end of 2006. All L-force 9400 series drives can have the safety modules installed, and there is scope to introduce more safety modules with additional or alternative functionality in the future (Fig. 2). Because the servo drives will operate with suitable motors from any manufacturer, the concept of drive-based safety is equally applicable to machine upgrades and new-builds.

Lenze is a founder member of the Ethernet Powerlink (EPL) standardisation group, which is working towards a safety protocol for Ethernet-based communications; it is therefore likely that EPLsafety-compatible safety modules for the 9400 series servo drives will be launched in the future. Other versions of the safety modules for use with alternative safety fieldbuses are also under development by Lenze.

Already DaimlerChrysler in Germany, a Technology Product Partner with Lenze, has installed a number of L-force 9400 drives with safety modules, and the benefits have been clearly demonstrated. By implementing drive-based safety within a bodyshell manufacturing plant to achieve a 'safe torque off', the station cycle time has been reduced by an astonishing 46 seconds.


How drive-based safety works

Clearly drive-based safety offers major advantages for machine builders, system integrators and end users, but interested readers will want to know how this is achieved.

With the Lenze L-force 9400 servo drive, one of the beauties of the system is the simple plug-in module that delivers the safety functionality. There are currently two types of module available: the SM 100, which provides a ‘safe torque off’ function, and the SM 300, which is far more capable. For applications that simply require ‘safe torque off’ (previously referred to as ‘safe standstill’) activated via a single emergency stop switch or other passive sensor – or multiple sensors connected in series – the SM 100 is a highly cost-effective module that delivers many of the advantages of drive-based safety. It is suitable for use with safety related control systems conforming to the requirements of BS EN 954-1 Category 4 or IEC/EN 61508 SIL 3. In addition to the safety input, this module has a single-channel output (for signalling to a PLC, for example) and two diagnostic LEDs.

The ‘safe torque off’ function of the SM 100 and SM 300 modules simply enables the torque to be removed from the motor so that it runs down to zero speed. In fact control of the motor is retained by the intelligence within the drive at all times, and the safety module acts as a monitor to check that both the drive and motor are behaving as expected. Should any deviation from the norm be detected, both gate drivers for the power stage of the drive are switched off by the fail-safe logic within the safety module.

Greater functionality is provided by the SM 300 safety module, which is approved for use in safety related control systems meeting the requirements of BS EN 954-1 Category 3 or IEC/EN 61508 SIL 3. In addition to a ‘safe torque off’, the module also provides a Type 1 safe stop (in which the motor is ramped down to a controlled stop and the torque is then removed) and a Type 2 safe stop (in which the motor is ramped down to a controlled stop and the torque is then used to actively maintain zero speed – which also enables immediate resumption of an interrupted operation).

Other functions provided by the SM 300 are a ‘safely limited speed’ (reduced speed) operation, a ‘safe tip’ (hold-to-run) mode, a ‘safe direction’ mode (the motor is permitted to turn in one direction only) and a ‘safely limited increment’ mode (Fig. 3). In this last mode the motor moves in response to an input signal, but only for a limited increment before a safe stop (Type 1 or 2) is applied; after the predefined incremental move has been completed, another input signal is required before the next predefined incremental move is performed.

A total of four dual-channel safety sensors can be connected to the SM 300 module, which could be emergency stop switches, limit switches, safety light barriers or curtains, key switches (for selecting the operating mode, for example), enable buttons, acknowledge buttons, pressure-sensitive edges or mats, and so on. Furthermore, the safety module can accept a safety input from another module when used in a cascaded arrangement or, indeed, any other safety related control system. If the Profisafe safety fieldbus is used, a safe input signal can be received via this as well.

Safe outputs are also provided, either for signalling to another SM 300 safety module or another safety controller, or for forwarding sensor status information to a diagnostic display. If two or more drives with the SM 300 are connected together, it is possible to synchronise drive axes and monitor the synchronism to ensure that it remains within predetermined acceptable limits.


Dual redundancy

Within the SM 300 there are two microcontrollers in a redundant configuration. Each of these monitors the other to provide the level of safety required, but note that the two microcontrollers perform subtly different roles; while one monitors the signals within the drive to calculate the theoretical motor speed, the other uses the resolver feedback from the motor to measure the actual speed. The ‘calculated’ and ‘actual’ speed values are then compared by the microcontrollers; should any discrepancy be detected, the fail-safe logic within the safety module immediately disconnects the supply to the power stage PCB within the drive to ensure a ‘safe torque off’ state. Neither of the microcontrollers requires an input from an auxiliary speed/position sensor, which saves further cost and complexity compared with conventional fail-safe speed and standstill monitors.
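The two-channel cross-check described above, as an added model that is not Lenze's code: channel A derives the theoretical speed from the drive's own output signals, channel B derives the actual speed from resolver position feedback, and any discrepancy beyond tolerance latches a ‘safe torque off’ until acknowledged. The pole-pair count, tolerance, sample period and trace values are assumptions.

```python
STO = "safe_torque_off"
RUN = "running"

def speed_from_drive_signals(elec_freq_hz, pole_pairs):
    # channel A: theoretical rpm from the drive's output frequency (assumed synchronous PM motor)
    return 60.0 * elec_freq_hz / pole_pairs

def speed_from_resolver(angle_prev_deg, angle_now_deg, dt_s):
    # channel B: actual rpm from two resolver angle samples, with wrap at 360 degrees handled
    delta = (angle_now_deg - angle_prev_deg + 180.0) % 360.0 - 180.0
    return delta / 360.0 / dt_s * 60.0

def cross_check(calc_rpm, actual_rpm, tol_rpm):
    # performed by both microcontrollers; either one may trip the gate drivers
    return STO if abs(calc_rpm - actual_rpm) > tol_rpm else RUN

class SafetyMonitor:
    def __init__(self, pole_pairs=4, tol_rpm=30.0, dt_s=0.001):
        self.pole_pairs, self.tol_rpm, self.dt_s = pole_pairs, tol_rpm, dt_s
        self.state, self.last_angle, self.trip_reason = RUN, None, None

    def step(self, elec_freq_hz, resolver_angle_deg):
        if self.state == STO:            # STO latches until explicitly acknowledged
            return STO
        if self.last_angle is None:      # two resolver samples are needed for a speed
            self.last_angle = resolver_angle_deg
            return RUN
        calc = speed_from_drive_signals(elec_freq_hz, self.pole_pairs)
        actual = speed_from_resolver(self.last_angle, resolver_angle_deg, self.dt_s)
        self.last_angle = resolver_angle_deg
        self.state = cross_check(calc, actual, self.tol_rpm)
        if self.state == STO:
            self.trip_reason = f"calculated {calc:.0f} rpm, measured {actual:.0f} rpm"
        return self.state

    def acknowledge(self):
        self.state, self.trip_reason = RUN, None

def run_constructed_trace():
    # constructed trace: the drive outputs the frequency for 1000 rpm (6 deg per 1 ms sample)
    # throughout, but from the sixth sample the resolver shows the motor turning twice as fast
    mon = SafetyMonitor()
    freq_hz = 1000.0 * mon.pole_pairs / 60.0
    angles = [0.0, 6.0, 12.0, 18.0, 24.0, 36.0, 48.0]
    return [mon.step(freq_hz, a) for a in angles]
```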

Programming the safety functions is a matter of setting the relevant parameters using the Lenze L-force Engineer Windows-based programming software, and security measures are built in to ensure that the safety parameters are correctly transferred from the PC to the drive. When the parameters have been entered on the PC, they are assembled into a frame with checksums; the values are then transferred to both the drive memory module and the safety module. As a further check, the values are sent back to the L-force Engineer software, and the user must check and verify that they are correct. If they are, the user completes the parameterisation process, whereupon the parameters are password-protected so that they can only be modified by a user with the necessary access privileges. This delivers the required level of safety and security, but without sacrificing ease of use.
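The parameter-transfer check described above, as an added illustration rather than the L-force Engineer implementation: the entered values are serialised into a checksummed frame, written to two constructed targets standing in for the drive memory module and the safety module, read back from each, compared field by field with what was entered, and only then locked under a password. The frame layout, CRC-32 choice, the hypothetical `sls_limit_rpm` style parameter names and the simplified password handling are assumptions.

```python
import hashlib, hmac, json, zlib

def build_frame(params):
    # canonical encoding plus CRC-32 so a corrupted transfer is detectable
    body = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return body + zlib.crc32(body).to_bytes(4, "big")

def parse_frame(frame):
    # reject any frame whose checksum does not match its body
    body, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if zlib.crc32(body) != crc:
        raise ValueError("checksum mismatch: frame corrupted in transfer")
    return json.loads(body)

class Target:
    # constructed stand-in for the drive memory module or the safety module
    def __init__(self): self.stored = None
    def write(self, frame): self.stored = parse_frame(frame)  # validate, then store
    def read_back(self): return build_frame(self.stored)

class SafetyParameterSet:
    def __init__(self): self.params, self.locked, self._pw_hash = {}, False, None

    def transfer(self, params, drive_mem, safety_mod):
        if self.locked:
            raise PermissionError("parameter set is locked; unlock first")
        frame = build_frame(params)
        for t in (drive_mem, safety_mod):
            t.write(frame)
        # read back from both targets; any difference aborts before confirmation
        for t in (drive_mem, safety_mod):
            if parse_frame(t.read_back()) != params:
                raise ValueError("read-back differs from entered values")
        self.params = params
        return params  # displayed for the user's manual check before confirm()

    def confirm(self, password):
        # user has verified the read-back: lock the set (unsalted hash is for illustration only)
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.locked = True

    def unlock(self, password):
        digest = hashlib.sha256(password.encode()).digest()
        if self._pw_hash is None or not hmac.compare_digest(digest, self._pw_hash):
            return False
        self.locked = False
        return True

def demo():
    # constructed values for a safely limited speed function with a Type 1 stop
    params = {"sls_limit_rpm": 250, "stop_type": 1, "tolerance_rpm": 30}
    pset, drive, sm = SafetyParameterSet(), Target(), Target()
    shown = pset.transfer(params, drive, sm)
    pset.confirm("commissioning-pw")
    return shown, pset.locked
```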

User-friendliness is becoming a major factor for machine builders today, and there are other patterns emerging in the field of drive technology. Dr Erhard Tellbuscher, chief executive officer at Lenze, comments: “We are seeing a new trend towards safety being integrated within drive products for two reasons: the technical and economical benefits. DaimlerChrysler, for example, will use our drive-based safety products on their production lines. Compared with other car manufacturers, DaimlerChrysler is ahead from a production equipment point of view, so we expect that a lot of other companies will follow.

“The previous 9300 servo drive was our first product to incorporate safety technology – a safety stop – so we have not had to go very far to get to extended safety functionality. But the technology, the way we do it, is very different in the 9400.

“One of the projects being worked on now by our research and development department is the integration of safety functionality within decentralised products such as inverters and motor starters.”

So the inference is that as well as drive-based safety being a reality now, it is only the beginning of other forms of motion-based safety from Lenze.
