By Thomas Steffens, TÜV Rheinland Industrie Service GmbH
Many industries have driven significant developments in drive applications over the past decade. As a result, a new generation of applications and integration efforts, generally referred to as safety-related applications, has emerged.
This article outlines the general requirements regarding drives, particularly the EN 61800-5-2 standard, and discusses the implications for the new European Machinery Directive 2006/42/EC.
Drives With Integrated Safety Functions
According to the harmonized safety standards of the European Machinery Directive, the complete safety loop has to be considered in machinery’s safety function application. The safety loop implies that all parts in the application are responsible for the safety function. Typically, a safety loop consists of a sensor, logic and actuator. In one example, a light curtain could function as the sensor, a safe PLC as the logic, and a drive with integrated safety as the final element.
In general, a common safety function of drives is to stop a hazardous movement and/or to prevent an unexpected restart. The sensor, logic and actuator/final element work together in the safety function to prevent a hazardous movement.
A traditional design depends on external electromechanical components to interrupt the electrical power to the drive/motor. However, drives with certified, integrated safety functions increasingly use the drive's own control electronics to bring about the stop within the safety loop. This "electronic shutdown" of the drives/motors naturally provides various advantages in areas such as response times, reduced mechanical wear and tear, and component size. In most cases, this results in improved effectiveness and cost reduction.
The Applicable Standard
EN 61800-5-2 (adjustable speed electrical power drive systems) is the most applicable harmonized product standard for drives. Within this standard, the most basic safety function is the Safe Torque Off (STO).
Typically, to achieve STO, the final drive pulse-width-modulation (PWM) signals must be safely disconnected from the final switching transistors to prevent the motor from producing any further torque. This often is referred to as "safe state." The torque is removed, but, in some cases, the motor still could be turning due to its free inertia. Therefore, additional measures—brakes, for example—are necessary to prevent further motion.
All other safety functions described in the EN 61800-5-2 standard, such as Safe Stop 1 (SS1) and Safely Limited Speed (SLS), usually include the STO function as part of the safe state. The standard also requires that if any dangerous fault occurs in the safety-related circuits, the output must go into the safe state. The safe state must be clearly defined, and ultimately it is STO. This is sometimes referred to as the fault reaction of a safety function.
These safety functions could be a part of the drive firmware, but in general the integrated safety is independent of the drive firmware. Most manufacturers realize integrated safety with a safety module. This safety module is responsible for the monitoring functions for safe motion, safe torque, etc. The STO function is realized by discrete hardware, and is an integral part of the standard drives. The safety module uses this STO safety circuit to switch off the drive.
The EN 61800-5-2 standard also defines requirements for safety-related monitoring functions, including speed limits and position. Today, most manufacturers that supply drives are encouraged to comply with the EN 61800-5-2 standard and to offer STO as the primary basic safety function. This safety function usually is realized by low-complexity discrete hardware, without the involvement of software. If necessary, the drive's main controller provides only additional diagnostics for this hardware. Let's review the safety functions more closely.
Safe Torque Off (STO)
STO has one primary attribute as a safety function. When STO is activated, the drive does not provide any further torque to the machine/motor. If external forces to the load are expected, additional measures must be taken to prevent any further hazardous movement.
Safe Operating Stop (SOS)
Another integrated safety-related function is the Safe Operating Stop (SOS), which is required to monitor a specified position range during standstill. In the event of a fault within the SOS, the STO and brake functions are activated to maintain the safe state. The STO part here is referred to as the "fault reaction" of the SOS function. Hence, the STO is a prerequisite.
STO should be designed for the highest Safety Integrity Level (SIL), SIL 3, according to EN 62061/EN 61800-5-2, and for Performance Level e (PL e), according to EN ISO 13849-1. The STO function is required to achieve the final safe state in case of safety-related faults. Also, the other safe-stop functions and safety-related monitoring functions are based on the STO function, and therefore depend on the safety integrity of the STO function. The STO function could be described as the bottleneck of the safety loop. For most applications where safety-related monitoring functions are used, SIL 2 / PL d can be sufficient.
Other important safety functions are SS1 and SS2, and the standard defines three different ways to achieve them. The most common, and simplest, variant is based on a fixed, predefined time delay after which STO (for SS1) or SOS (for SS2) is activated. The time-dependent course for this is depicted in the figures below.
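To make the interplay of STO, SOS and the time-delay variant of SS1/SS2 concrete, here is an added simulation of a drive safety module as a small state machine. It is example code written for this article's discussion, not any manufacturer's safety-module firmware; the class and method names, the 500 ms delay, the 0.5-degree SOS window and the scenario values are assumptions chosen for illustration. It shows the three behaviours described above: STO removes torque and applies the brake as the latched safe state; SOS freezes a reference position and monitors a window around it, with STO as its fault reaction; and a stop request ends in STO (SS1) or SOS (SS2) once the fixed delay has elapsed, while any dangerous fault detected by the diagnostics goes straight to STO regardless of the current mode.

```python
"""Simulation of drive-integrated safety functions (added example).

Not a manufacturer's safety-module code: STO as the latched final safe state,
SOS position-window monitoring with STO + brake as its fault reaction, and the
fixed-time-delay variant of SS1/SS2. All names, delays and tolerances are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    RUN = "run"              # drive enabled, torque permitted
    SS1_DELAY = "ss1_delay"  # stop requested; STO follows after fixed delay
    SS2_DELAY = "ss2_delay"  # stop requested; SOS follows after fixed delay
    SOS = "sos"              # standstill, position window monitored
    STO = "sto"              # safe state: no torque, latched


@dataclass
class SafetyModule:
    stop_delay_ms: int = 500          # assumed fixed delay for SS1/SS2
    sos_window: float = 0.5           # assumed +/- position tolerance (degrees)
    mode: Mode = Mode.RUN
    torque_enabled: bool = True
    brake_applied: bool = False
    sos_reference: Optional[float] = None
    elapsed_ms: int = 0
    log: list = field(default_factory=list)

    def activate_sto(self, reason: str) -> None:
        """Fault reaction and final safe state: PWM removed from the output
        stage, brake applied as the additional measure against free inertia.
        STO latches; a restart needs an explicit acknowledgement (not modelled),
        so an unexpected restart cannot happen from within this module."""
        self.torque_enabled = False
        self.brake_applied = True
        self.mode = Mode.STO
        self.log.append(f"STO ({reason})")

    def request_stop(self, category: str) -> None:
        """Stop request from the safety logic (e.g. a safe PLC reacting to a
        light curtain). Only honoured while running; STO is never left here."""
        if self.mode is not Mode.RUN:
            return
        self.mode = Mode.SS1_DELAY if category == "SS1" else Mode.SS2_DELAY
        self.elapsed_ms = 0
        self.log.append(f"{category} requested")

    def enter_sos(self, position: float) -> None:
        """Freeze the reference position and start window monitoring."""
        self.sos_reference = position
        self.mode = Mode.SOS
        self.log.append(f"SOS at {position:.2f}")

    def tick(self, dt_ms: int, position: float, fault: bool = False) -> Mode:
        """One cycle of the safety module. `position` comes from the (assumed)
        safe position feedback; `fault` is a dangerous fault flagged by the
        diagnostics of the safety-related circuits."""
        if self.mode is Mode.STO:
            return self.mode                       # latched, nothing to do
        if fault:
            self.activate_sto("dangerous fault")   # any dangerous fault -> safe state
            return self.mode
        if self.mode in (Mode.SS1_DELAY, Mode.SS2_DELAY):
            self.elapsed_ms += dt_ms
            if self.elapsed_ms >= self.stop_delay_ms:
                if self.mode is Mode.SS1_DELAY:
                    self.activate_sto("SS1 delay elapsed")
                else:
                    self.enter_sos(position)
        elif self.mode is Mode.SOS:
            if abs(position - self.sos_reference) > self.sos_window:
                self.activate_sto("SOS window violated")
        return self.mode


def run_ss2_then_drift() -> list:
    """Constructed scenario: SS2 request, 500 ms delay, SOS, then an external
    force pushes the load 0.8 degrees, outside the monitored window."""
    sm = SafetyModule()
    sm.request_stop("SS2")
    for _ in range(5):                 # 5 x 100 ms = delay elapsed -> SOS
        sm.tick(100, position=10.0)
    sm.tick(100, position=10.2)        # inside +/-0.5 window, still SOS
    sm.tick(100, position=10.8)        # outside window -> fault reaction
    return sm.log


if __name__ == "__main__":
    for line in run_ss2_then_drift():
        print(line)
```

Running the module prints the log of the constructed SS2 scenario: the stop request, entry into SOS once the delay has elapsed, and the fault reaction into STO when the position leaves the window. The design choice worth noting is that `activate_sto` is the only path into the safe state and that the STO mode is checked first in `tick`, so every other function can only add further reasons to end up there, never a way out; that mirrors the article's point that the safety integrity of the whole loop rests on STO.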