Thursday, March 29, 2012

System Examination: Motion Monitoring

Motion monitoring has two main tasks: it must detect any violation of the limit values and then trigger an appropriate reaction function. It must also detect any potential errors on the encoder system and likewise trigger an appropriate error reaction function. Both functions are heavily linked to the availability of the drive system. Noisy signals or poorly tuned control loops can cause sensitive monitoring mechanisms to trigger reaction functions and therefore reduce plant availability. Proper screening of the motor and encoder cables is absolutely essential. The algorithms for the monitoring functions can be applied via hysteresis or filter settings. The reaction times for these components are in the millisecond range. Motion monitoring is available as both an external and a drive-integrated solution. An integrated solution has clear advantages over an external device in terms of wiring effort and convenience. Disadvantages are higher retrofitting costs for existing plants and dependence on the converter that is used. This means that the technical properties of the drive, as well as the interfaces and the performance of the safety functions, have to fit the application. With an external monitoring unit, safety functions can be implemented as standard on frequency converters and servo amplifiers of a different performance class or manufacturer.
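The trade-off between nuisance trips and reaction time described above can be seen in a small simulation. This is an added example, not code from the original post or from any drive vendor; the function name, the 500 rpm limit, the hysteresis and filter values and all three traces are constructed assumptions, and the reading of "hysteresis" as a lower release threshold is one common interpretation.

```python
# Added illustration: limit-value monitor with hysteresis and filter time.
# All values (rpm, ms) and traces below are constructed, not from a real drive.

def first_trip_ms(speeds, limit, hysteresis=0.0, filter_ms=0, sample_ms=1):
    """Return the time in ms at which the reaction function fires, or None.

    A violation starts when speed > limit and ends only when speed drops
    below limit - hysteresis. The reaction fires once the violation has
    persisted for filter_ms.
    """
    start = None  # sample index at which the current violation began
    for i, v in enumerate(speeds):
        if v > limit:
            if start is None:
                start = i
        elif v < limit - hysteresis:
            start = None  # clearly back inside the permitted range
        # in the band between the two thresholds the previous state is kept
        if start is not None and (i - start) * sample_ms >= filter_ms:
            return i * sample_ms
    return None

LIMIT = 500  # constructed speed limit in rpm

# Constructed traces, one sample per ms:
NOISE_SPIKE = [480] * 20 + [510, 510] + [480] * 28           # 2 ms glitch
RUNAWAY = [480] * 50 + [480 + 10 * k for k in range(1, 31)]  # real overspeed
CHATTER = [480] * 10 + [505, 495] * 20                       # rides the limit

def demo():
    return {
        "spike_unfiltered": first_trip_ms(NOISE_SPIKE, LIMIT),
        "spike_filtered": first_trip_ms(NOISE_SPIKE, LIMIT, 10, 5),
        "runaway_unfiltered": first_trip_ms(RUNAWAY, LIMIT),
        "runaway_filtered": first_trip_ms(RUNAWAY, LIMIT, 10, 5),
        "chatter_filter_only": first_trip_ms(CHATTER, LIMIT, 0, 5),
        "chatter_with_hysteresis": first_trip_ms(CHATTER, LIMIT, 10, 5),
    }

if __name__ == "__main__":
    for name, t in demo().items():
        print(f"{name}: {t}")
```

The filter suppresses the 2 ms glitch but delays the reaction to the real overspeed by exactly the filter time, which has to be counted in the overall reaction time. A filter without hysteresis never trips on the trace that oscillates around the limit, because every dip resets the timer.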

Tuesday, March 27, 2012

System Examination: Safe Braking

Mechanical brakes must be used if the output shafts on motors or gearboxes are affected by forces that would trigger movement when the motor was shut down. Example applications are vertical axes or motors with high inertia. The operation of vertical axes is a special case as far as safety technology is concerned. The failsafe principle – the removal of power to the drives in the event of an error – is generally applied in safety technology, but in this case it would not lead to a safe condition because falling loads present a hazard. Mechanical brakes are incorporated to rectify this; their functionality must be constantly verified using special proof tests. As with the encoder systems, various versions are available to fit the specific safety requirements. Dual-channel capability can be implemented either through two independent brakes or through a brake with two separate brake circuits. The advantage of two separate brakes is that faults can be covered within the mechanical transmission elements between the drive and the process. The brake configuration depends largely on the machine design and the overall safety concept.

Sunday, March 25, 2012

System Examination: Safe Logic

Safety relays or programmable safety systems can perform the following tasks in systems with safe drive functions, depending on the application:
  • Evaluation of input devices on protection equipment
  • Activation of safety functions 
  • Drive shutdown
  • Evaluating the status of safely monitored drive axes in a multi-axis system
  • Establishing the plant’s overall safety
  • Specifying new limit values during operation 
  • Interface between the drive controller and the safety functions
The safe logic can be implemented either as separate, external components or as drive-integrated components. Safe logic is the interface between the sensors on the protection equipment and the safe monitoring unit. Drive-integrated solutions enable simple functions in single-axis systems to be implemented economically. Sensors are connected directly on the drive and are evaluated. The limited number of safe interfaces makes cross-communication between the drives and complex logic links impossible. The scan time of the programmable safety system must be included in the assessment of the overall reaction time. Depending on the size of the user program, this will range between 50 and 200 ms and therefore dominates over the delay in the shutdown path. It’s also necessary to consider a delay time on safe, digital inputs, which arises due to the input filters.

Tuesday, March 20, 2012

System Examination: Motors

The relevant properties for the motor in terms of its use in safety-related systems are:
  • Type of movement (rotating, linear)
  • Acceleration capability (inert asynchronous motor or air-borne linear drive)
  • Integrated motor encoder
  • Integrated holding brake incorporated into the safety concept
The motor’s acceleration capability influences the system’s maximum permitted overall reaction time. Highly dynamic linear motors have extremely low electrical time constants on the winding and a high overload capability, so that a multiple of the rated power is present in just a few milliseconds. Resolvers are widely used as motor encoders in servo drive technology. They are used in rotating motors and are both robust and economical. The measuring system provides an absolute position within a motor rotation, but has limited resolution due to its operating principle. Only rarely can resolver signals be evaluated by safe monitoring components. For this reason, motor encoder systems with sine/cosine analogue tracks are preferable in safety-related applications with motion monitoring. Motor encoder systems with an all-digital interface can only be monitored using special manufacturer-specific safety components. Third-party products cannot be connected.

Sunday, March 18, 2012

System Examination: Drive Electronics

These days, modern frequency converters or servo amplifiers have an integrated safe shutdown path, through which the STO safety function can be performed. This shutdown path is generally accessible externally via a terminal pair and must be connected to 24 V DC. If the safety function is not in use, 24 V DC will be available permanently at the terminals. If the shutdown path is used as an STO or safe reset lock, the terminals must be connected to a safe output on a programmable safety system or safety relay. In this case it is important to ensure that the test pulse on the safe output does not initiate the safety function. A countermeasure is to use an input filter with an appropriate time delay. Depending on the version, a feedback path is available for fault detection, to achieve greater safety integrity.

The benefits of a drive-integrated shutdown lie mainly in the:
  • Reduced wiring requirement
  • Rapid restart, as the intermediate circuit remains charged
  • Short reaction time (measured from the falling edge at the input to the shutdown of the optocoupler, the reaction time is in the millisecond range)

Thursday, March 15, 2012

Safe motion: System examination

Safe drive technology merges two issues which individually already involve a high level of complexity. The challenge is to provide the user with transparent, comprehensible logic in the lifecycle of a safe motion application. The difficulty in configuring and selecting safe drive components is in translating the various influencing factors to the product requirements. Or to put it another way: in selecting products for an optimum, safe drive solution, which parameters are to be derived from which specifications?

The machine design and the functionality demanded by the end customer are essentially the factors that determine which drive technology will be used and how the machine will be operated in control technology terms. The resulting parameters are:
  • How many drive axes are there?
  • Does the system use servo amplifiers or frequency converters?
  • Are the drives decentralized – i.e. outside the control cabinet?
  • Which safe drive functions are required and how are the parameters to be set?
  • Does the movement to be monitored involve an elliptical curve, synchronous drive axes or, in the simplest case, a single movement?
Specifications from the B and C standards and risk analyses will provide the safety integrity requirement (SIL and PL). These, of course, will also influence the required safety functions. The reaction times of the safe drive components are part of the overall machine design and must be fine-tuned as part of an iterative process. Factors such as stopping performance, safety distances, inertia of the moved mass or the reaction capability of the machine control system play a key role.

General requirements may be whether or not the machine is to be retrofitted with safe drive functions, for example. In some circumstances, existing components must continue to be used, a situation which will often favor an external safety solution. These criteria and parameters must be converted into a concept. The result is a safe drive solution, made up of standard market components.

Tuesday, March 13, 2012

Safe brake functions

Functions related to holding brakes and service brakes have been summarized under the heading of safe brake functions.

Safe brake control (SBC)
Safe brake control (SBC) supplies a safe output signal to drive an external mechanical brake. The brakes used must be “safety brakes”, in which a quiescent current operates against a spring. If the current flow is interrupted, the brake will engage. Control modules frequently include a power reduction feature when the brake is released to reduce energy consumption or brake heating. A safe brake test may be required to detect errors during operation, depending on the risk analysis.

Holding brakes and service brakes are often used on axes with suspended loads. Along with the brake, the brake drive is another key component in terms of the safety function. The safe brake control (SBC) function is generally used to control the holding brake activated once an axis is at standstill.

Safe brake test (SBT)
Using the safe brake test (SBT) function can significantly increase safety. In many cases, simply controlling a holding brake safely is not enough to make a vertical axis safe. If the wearing, mechanical part of the brake is not maintained regularly, it cannot be guaranteed that the holding brake will apply the designated braking action in the event of danger. The safe brake test (SBT) function provides an automatic test which replaces previous measures that could only be implemented through organizational and manual operations; if the result is negative, it can bring the plant to a standstill and signal an error. This reduces maintenance work considerably.