Wednesday, February 29, 2012

Standard EN 61800-5-2: Part 2

Manufacturers and suppliers of safe drives can demonstrate the safety integrity of their products by implementing the normative provisions of this part of EN 61800. This enables a safe drive to be installed into a safety-related control system by applying the principles of EN/IEC 61508, its sector standards (e.g. IEC 61511, IEC 61513, IEC 62061) or EN ISO 13849.

This part of EN 61800 does NOT define any requirements for:
  • The hazard and risk analysis for a specific application
  • The specification of safety functions for this application
  • The assignment of SILs to these safety functions
  • The drive system, with the exception of the interfaces
  • Secondary hazards (e.g. through failures within a production process)
  • Electrical, thermal and energy safety considerations covered in EN 61800-5-1
  • The manufacturing process of the PDS/Safety-related (SR)
  • The validity of signals and commands for the PDS/Safety-related (SR)

Sunday, February 26, 2012

Standard EN 61800-5-2

Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional. Part 5-2 of the EN 61800 series is a product standard for electrical drive systems with integrated safety functions. It defines the functional safety requirements for developing safe drives in accordance with EN/IEC 61508. It applies to adjustable speed electrical power drive systems in general, including the servo and frequency converters that are dealt with in the other parts of the EN 61800 series.

Part 2 of the series, EN 61800-2 (General requirements - Rating specifications for low voltage adjustable frequency a.c. power drive systems), defines a number of terms that are used throughout the series; the most important ones are explained in greater detail below:

Power drive system (PDS)
System comprising power equipment (power converter module, AC motor, feed module, ...) and control equipment. The hardware configuration consists of a complete drive module (CDM) plus a motor or motors with sensors, which are mechanically connected to the motor shaft (the driven equipment is not included).

PDS/Safety-related (SR)
AC power drive system for safety-related applications.

Complete drive module (CDM)
Drive system without motor and without a sensor connected mechanically to the motor shaft; it comprises, but is not limited to, the BDM and expansions such as the feed module and auxiliary equipment.

Basic drive module (BDM)
Drive module consisting of a power converter module, control equipment for speed, torque, current, frequency or voltage and a control system for the power semiconductor components, etc.

Wednesday, February 22, 2012

Safe limit value specification

Safe motion monitoring requires not just safe motion detection but also the opportunity to specify limit values safely. The way in which this is achieved depends on the level of dynamics and the flexibility within the machine.

Relay-type systems often use fixed limit values. For example, a fixed limit value can be defined by setting jumpers or via other setting options on the device. On safe control systems, multiple limit values can be defined via configuration or programming user interfaces and selected during operation, for example via a safe I/O interconnection, by evaluating sensor signals, or via a safe fieldbus. Dynamic limit values can only be used in conjunction with a powerful safe control system or a safe bus system with real-time capabilities. When combined with optical monitoring of the protected field in robot applications, for example, the safe speed can be reduced according to the distance between the operator and the danger zone: the closer the operator comes to the danger zone, the slower the motors move.
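The two mechanisms described above, selecting a configured limit set over a dual-channel safe input and reducing it dynamically with the operator's distance, can be put together into one monitoring cycle. The following is an added example written for this page, not code from the original post or from any drive or controller vendor. The limit sets, the 2-bit antivalent selector wiring, the stop and full-speed distances and the speed tolerance are all assumed values chosen for illustration.

```python
"""Selecting and applying a safe speed limit (added illustration, not from the page)."""

# Constructed limit sets in rpm, e.g. configured on a safe controller. Index 0 is
# always the most restrictive value so that every fault path falls back to it.
LIMIT_SETS = (0.0, 150.0, 600.0, 1500.0)

# Assumed geometry for the distance-dependent limit (metres).
STOP_DISTANCE_M = 0.5        # at or below this distance the axis must stand still
FULL_SPEED_DISTANCE_M = 3.0  # at or above this distance the static limit applies

SPEED_TOLERANCE_RPM = 5.0    # assumed measurement tolerance before a STOP is demanded


def select_static_limit(ch_a: int, ch_b: int) -> float:
    """Pick a configured limit set from a two-channel safe input.

    Channel A carries the 2-bit selector, channel B its bitwise complement
    (antivalent wiring, an assumption of this example). Any disagreement
    between the channels, or an out-of-range value, is treated as a fault
    and yields the most restrictive limit.
    """
    if not (0 <= ch_a <= 3 and 0 <= ch_b <= 3):
        return LIMIT_SETS[0]
    if ch_a ^ ch_b != 0b11:  # channels must be exact complements
        return LIMIT_SETS[0]
    return LIMIT_SETS[ch_a]


def dynamic_limit(distance_m, static_limit_rpm):
    """Reduce the permitted speed linearly as the operator approaches.

    distance_m is the operator distance reported by the protective field
    sensor; None means the sensor gave no valid value, which is treated as
    "operator may be at the danger zone" and yields a limit of 0.
    """
    if distance_m is None or distance_m <= STOP_DISTANCE_M:
        return 0.0
    if distance_m >= FULL_SPEED_DISTANCE_M:
        return static_limit_rpm
    fraction = (distance_m - STOP_DISTANCE_M) / (FULL_SPEED_DISTANCE_M - STOP_DISTANCE_M)
    return static_limit_rpm * fraction


def evaluate_cycle(ch_a, ch_b, distance_m, measured_speed_rpm):
    """One monitoring cycle: derive the effective limit and compare the measured speed.

    Returns (effective_limit_rpm, verdict) where verdict is "OK" or "STOP".
    """
    limit = dynamic_limit(distance_m, select_static_limit(ch_a, ch_b))
    verdict = "OK" if abs(measured_speed_rpm) <= limit + SPEED_TOLERANCE_RPM else "STOP"
    return limit, verdict


if __name__ == "__main__":
    # Operator half-way into the reduced-speed band with limit set 2 (600 rpm) selected.
    print(evaluate_cycle(0b10, 0b01, 1.75, 280.0))   # effective limit 300 rpm -> OK
    print(evaluate_cycle(0b10, 0b01, 1.75, 320.0))   # over the limit -> STOP
    print(evaluate_cycle(0b10, 0b10, 5.0, 100.0))    # channel mismatch -> limit 0 -> STOP
```

Note that every fault path (channel discrepancy, out-of-range selector, invalid distance) degrades to the most restrictive limit rather than to the last good value; that is the direction a safe limit selection must fail in.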

Sunday, February 19, 2012

Safe Motion Monitoring

Motion is described by the kinematic variables acceleration, speed and distance (position). As far as potential hazards are concerned, torques and forces also play a key role. These variables are covered by the safety functions listed in EN/IEC 61800-5-2 (for example safely-limited speed, safe operating stop, safely-limited position, safe direction and safely-limited torque). The implementation of safety-related monitoring depends heavily on the sensor technology used within the system. The sensors used in drive technology are generally not safety-related and must themselves be monitored for faults. A critical situation would arise, for example, if the rotary encoder failed to supply a signal because of a defect while power is applied to the motor and the axis is accelerating.

Axes in motion in safety-related applications need redundant position information in order to carry out the relevant safety functions. There are various ways to obtain independent position values. One possibility is to detect a defect by means of a second encoder. In this case, a safe component has to monitor both encoders and guarantee that the plant is switched to a safe condition if an error occurs. A further advantage of this solution can be that the two encoder systems detect the movement at different points on the machine and so can also reveal defective mechanical transmission elements.

Rotary encoders generally have several signal tracks, enabling them to detect the direction of rotation or defined positions within a revolution, for example. These signals can also be used for plausibility tests, so that a second encoder system is not required. However, this is not a genuine dual-channel structure, as all tracks record the movement from the same shaft and the same code disc. Dual encoder systems are also now available on the market. Such systems are suitable for functions such as safe absolute position. With a strictly diverse, dual-channel design it is even possible to achieve SIL 3 in accordance with EN/IEC 61508; for example, a magnetic sensing system may be used alongside the optical one. In terms of cost, however, an increase by a factor of two to three is to be expected compared with a non-safety-related encoder system.

Multi-turn encoders offer a more economical solution: their separate multi-turn and single-turn tracks can be cross-checked against each other, so that errors are detected. In this case, safety-related pre-processing takes place within the encoder system itself. Another option is to use the motor signals: from the measured voltages and/or currents, the mechanical movement of the motor can be calculated. A comparison with the encoder signals will uncover any dangerous failures.
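The plausibility checks discussed in the last three paragraphs (checking a single encoder's own signal tracks, cross-comparing two independent position sources, checking the multi-turn counter against the single-turn track, and catching an encoder that goes silent while the drive is applying torque) are shown together below. This is an added example written for this page, not code from the original post or from any encoder manufacturer. The vector-length test on sin/cos tracks is a standard technique; the tolerances, the current threshold, the cycle counts and the assumption that the axis moves less than half a revolution per sample are illustrative values, not figures from the page.

```python
"""Plausibility checks for safety-related motion detection (added illustration, not from the page)."""

# Assumed tolerances; real values come from the encoder data sheet and the
# safety assessment of the axis.
SINCOS_TOLERANCE = 0.1           # permitted deviation of sin^2 + cos^2 from 1.0
CHANNEL_TOLERANCE_DEG = 2.0      # permitted difference between two position sources
STUCK_CYCLES = 3                 # cycles with torque but no motion before a fault
TORQUE_CURRENT_THRESHOLD_A = 1.0 # torque-producing current that counts as "power applied"
MIN_MOTION_DEG = 0.5             # smallest position change that counts as motion


def sincos_track_ok(sin_v, cos_v, tol=SINCOS_TOLERANCE):
    """Vector-length test on the two analogue tracks of a sin/cos encoder.

    A broken wire, short circuit or dead track pulls sin^2 + cos^2 away from 1,
    so a single encoder can be checked without a second device.
    """
    return abs(sin_v * sin_v + cos_v * cos_v - 1.0) <= tol


def angle_difference_deg(a, b):
    """Smallest absolute difference between two angles in degrees, wrapping at 360."""
    return abs((a - b + 180.0) % 360.0 - 180.0)


def cross_check_ok(pos_a_deg, pos_b_deg, tol=CHANNEL_TOLERANCE_DEG):
    """Compare two independent position sources: a second encoder, or a
    position estimated from the motor voltages and currents."""
    return angle_difference_deg(pos_a_deg, pos_b_deg) <= tol


def multiturn_consistent(prev, cur, single_turn_resolution):
    """Check that the multi-turn counter moved exactly when the single-turn track wrapped.

    prev and cur are (multi_turn_count, single_turn_value) samples. Assumes the
    axis moves less than half a revolution between two samples.
    """
    prev_mt, prev_st = prev
    cur_mt, cur_st = cur
    delta_st = cur_st - prev_st
    if delta_st > single_turn_resolution / 2:      # e.g. 10 -> 4090: wrapped backwards
        expected_mt = prev_mt - 1
    elif delta_st < -single_turn_resolution / 2:   # e.g. 4090 -> 10: wrapped forwards
        expected_mt = prev_mt + 1
    else:
        expected_mt = prev_mt
    return cur_mt == expected_mt


class StuckEncoderMonitor:
    """Detects an encoder that stops reporting motion while the drive applies torque.

    This is the critical case described above: power on the motor, the axis
    accelerating, but the position feedback frozen.
    """

    def __init__(self, current_threshold_a=TORQUE_CURRENT_THRESHOLD_A,
                 min_motion_deg=MIN_MOTION_DEG, max_cycles=STUCK_CYCLES):
        self.current_threshold_a = current_threshold_a
        self.min_motion_deg = min_motion_deg
        self.max_cycles = max_cycles
        self.last_pos_deg = None
        self.counter = 0

    def update(self, drive_enabled, torque_current_a, pos_deg):
        """Feed one sample; returns True once a stuck encoder must be assumed."""
        torque_applied = drive_enabled and abs(torque_current_a) >= self.current_threshold_a
        if (self.last_pos_deg is not None and torque_applied
                and angle_difference_deg(pos_deg, self.last_pos_deg) < self.min_motion_deg):
            self.counter += 1
        else:
            self.counter = 0
        self.last_pos_deg = pos_deg
        return self.counter >= self.max_cycles


if __name__ == "__main__":
    print(sincos_track_ok(0.6, 0.8), sincos_track_ok(0.0, 0.0))     # True, False (dead tracks)
    print(cross_check_ok(359.5, 0.2), cross_check_ok(10.0, 15.0))   # True, False
    print(multiturn_consistent((7, 4090), (8, 10), 4096))           # True
    m = StuckEncoderMonitor()
    print([m.update(True, 2.0, 100.0) for _ in range(4)])           # fault on the 4th sample
```

The stuck-encoder monitor deliberately counts cycles rather than reacting to a single sample, since a real encoder delivers no change at genuine standstill; the combination "torque applied and no motion for several cycles" is what separates a defect from a held position.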

Thursday, February 16, 2012

Basic Principles of Safe Motion

The objective of safety technology has always been to prevent potentially hazardous movements. Nothing, then, is more obvious than to combine safety technology with motion generation. For technical and economic reasons, the drive electronics (servo amplifiers and frequency converters) have remained non-safety-related components within automation. Safety is therefore guaranteed through additional safe components, which bring the drive to a de-energized, safe condition in the event of a fault, or which safely monitor the movement of the connected motor. The current market trend is to integrate these safe components into the drive.

In accordance with the current state of the art, a safe motion controller is a combination of safe isolation of the motor from the energy supply, safe motion monitoring and non-safety-related motion generation.

Safe isolation of the motor from the energy supply
Before explaining the different shutdown paths on a converter it is necessary to understand its fundamental mode of operation.
The following details refer to three-phase drive systems, as currently used in an industrial environment. To apply them to other actuator systems (e.g. DC drives, servo valves, …) is only possible under certain conditions and needs to be examined separately.

Internally a converter is divided into a control element and a power element, which are galvanically isolated from each other via optocouplers. In the power element, the power fed in from the mains is conditioned: from the mains voltage, with its constant amplitude and frequency, a terminal voltage with variable amplitude and frequency is generated. First, the rectifier converts the sinusoidal mains voltage into a pulsating DC voltage. This is smoothed by a downstream capacitor, the intermediate circuit (DC link), which also absorbs the braking energy. The inverter then generates an output voltage with a sinusoidal fundamental wave by cyclically switching the positive and negative intermediate circuit voltage to the output. The converter's control element uses the reference variables to generate the pulse patterns that drive the power semiconductors of the inverter module. There are several shutdown paths that can be used to isolate the motor from the energy supply:

If the energy supply is isolated on the mains or motor side, the mains or motor contactor must have positive-guided contacts. If the N/C contact is fed back into the converter's start signal, a fault on the contactor contact (for example a welded contact) will be detected at the next start. The highest category can be achieved if two contactors are connected in series and both N/C contacts are fed back. The disadvantage of mains isolation is that the intermediate circuit capacitor in the power element is discharged each time power is isolated and must be recharged on restart. This has a negative impact on restart time and machine availability, and also reduces the service life of the intermediate circuit capacitors, because the charge/discharge cycles accelerate their aging.

If the motor is isolated instead, the intermediate circuit stays charged, but breaking into the motor cable to wire in the contactor is laborious, so this is only rarely done in practice. Motor contactors are also not permitted on all converters: the overvoltages that can occur when the contacts open may damage the inverter. If the safety function is demanded frequently, there will also be increased wear on the positive-guided contacts of the mains or motor contactor. Isolation of the reference variable (setpoint specification) or of the control variable (output stage enable) can be combined with the above shutdown paths. As setpoint specification and output stage enable are frequently both processor-based functions, these two must not be combined with each other as the two channels, so that common cause failures are excluded.

The drive-integrated solution is based on the principle that the pulse patterns generated by the processor are safely isolated from the power semiconductors. On the drive systems examined here, motor movement results from supplying the three winding strands with currents that are offset in phase, such that the three resulting magnetic fields superimpose to form a rotating field. Its interaction with the moving parts of the motor produces the force that drives the motor. Without the pulse patterns no rotating field is created and so the motor does not move. The optocouplers that provide galvanic isolation between the control and power elements within a converter are ideally suited as a shutdown path. If, for example, the supply (anode) voltage of the optocouplers is interrupted and this is combined with the isolation of the control variable (control enable) mentioned above, motor movement is prevented via two channels.
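The shutdown paths above rest on two pieces of evaluation logic: the feedback of positive-guided N/C contacts into the start signal (so that a contactor that failed to release is caught before the next start), and the two-channel drive-integrated shutdown, where either channel alone must block the pulse patterns and a lasting disagreement between the channels is itself a fault. The following is an added example written for this page, not code from the original post or from any drive vendor. The cycle counts for contactor drop-out and channel discrepancy are assumed values; the feedback polarity (True = N/C feedback contact closed = contactor released) is an assumption of this example.

```python
"""Two-channel shutdown evaluation with contactor feedback monitoring (added illustration, not from the page)."""

MAX_DROPOUT_CYCLES = 3      # assumed time allowed for both contactors to release after a stop
MAX_DISCREPANCY_CYCLES = 2  # assumed time the two shutdown channels may disagree


class ContactorInterlock:
    """Start interlock for two series-connected mains (or motor) contactors whose
    positive-guided N/C contacts are fed back to the controller.

    fb1 / fb2 are True when the respective N/C feedback contact is closed, which
    with positive guidance means the main contacts of that contactor are open.
    """

    def __init__(self, max_dropout_cycles=MAX_DROPOUT_CYCLES):
        self.max_dropout_cycles = max_dropout_cycles
        self.energized = False
        self.locked_out = False
        self.dropout_timer = 0

    def request_start(self, fb1, fb2):
        """Start is granted only if both feedback contacts confirm released contactors.
        A contactor that did not release (e.g. a welded contact) locks the interlock
        until a manual reset."""
        if self.locked_out:
            return False
        if not (fb1 and fb2):
            self.locked_out = True
            return False
        self.energized = True
        self.dropout_timer = 0
        return True

    def request_stop(self):
        self.energized = False
        self.dropout_timer = 0

    def monitor(self, fb1, fb2):
        """Call once per cycle with the feedback state. After a stop, both contactors
        must release within the allowed time, otherwise the interlock locks out.
        Returns "OK", "DROPPING" or "FAULT"."""
        if self.locked_out:
            return "FAULT"
        if self.energized:
            return "OK"
        if fb1 and fb2:
            self.dropout_timer = 0
            return "OK"
        self.dropout_timer += 1
        if self.dropout_timer > self.max_dropout_cycles:
            self.locked_out = True
            return "FAULT"
        return "DROPPING"

    def reset(self):
        """Manual reset after the fault has been rectified."""
        self.locked_out = False
        self.dropout_timer = 0


class TwoChannelSto:
    """Drive-integrated shutdown: channel 1 removes the optocoupler supply voltage,
    channel 2 removes the control enable. Either channel alone blocks the pulse
    patterns; the two are expected to act together, so a lasting disagreement
    indicates a defect in one channel and is latched as a fault."""

    def __init__(self, max_discrepancy_cycles=MAX_DISCREPANCY_CYCLES):
        self.max_discrepancy_cycles = max_discrepancy_cycles
        self.discrepancy_timer = 0
        self.fault = False

    def step(self, opto_supply_off, control_enable_off):
        """One cycle; returns (pulses_blocked, fault)."""
        if opto_supply_off != control_enable_off:
            self.discrepancy_timer += 1
            if self.discrepancy_timer > self.max_discrepancy_cycles:
                self.fault = True
        else:
            self.discrepancy_timer = 0
        pulses_blocked = opto_supply_off or control_enable_off or self.fault
        return pulses_blocked, self.fault


if __name__ == "__main__":
    il = ContactorInterlock()
    print(il.request_start(True, True))                  # True: both contactors released
    il.request_stop()
    print([il.monitor(False, True) for _ in range(4)])   # contactor 1 never releases -> FAULT
    sto = TwoChannelSto()
    print([sto.step(True, False) for _ in range(3)])     # channel 2 stuck -> fault on 3rd cycle
```

Note that in both classes the motor-side output (start refused, pulses blocked) is the safe direction and is taken immediately, while the fault verdict is latched and only cleared by an explicit reset; a safety function that recovers silently from a welded contact or a stuck channel would defeat the purpose of the feedback.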