Safety I: Keeping it Safe
By: Kristin Lewotsky, Contributing Editor
There was a time when motion was motion and safety was safety. Back then, safety in motion control meant cutting power to a motor when personnel were accessing the machinery or when someone hit the emergency stop (e-stop). Today, safety means protecting machine and process, as well as personnel, using sensors and systems that can detect faults and irregularities as defined by a range of parameters. The response can range from a full-stop, power-off state known as safe torque off to incremental jogs under operator control.
The definition of safety changes depending on who you talk to. To some, safety means the machine automatically detecting when a human operator may be entering an area of risk and stopping motion to prevent injury. To others it includes circuitry to provide an e-stop/lock out capability for everything from immediately halting the machine if a person is in danger of injury to safely stopping it for maintenance or repair operations.
At its core, says Eric Hollister, product sales engineer at Pilz Automation Safety (Canton, Michigan), safety comes down to three simple concepts: redundancy, diversity and the ability to self-check. “Those three principles are carried through from your input, which monitors your process and your environment; to your control architecture, which takes those inputs and logically defines what the area has to do; to the actuators, to guarantee that the motion or process that's put into action does exactly what you want it to.”
Redundancy guards against single point of failure, for example by using dual circuitry, dual feedback loops and so on. Diversity minimizes the risk of common-mode failure by using more than one technology in critical tasks, such as incorporating both optical and magnetic encoders to monitor position. Of course, common-mode failures can stem from implementation as well as technology. Having dual encoders provides no benefit if they’re both mounted improperly. In such a case, motion could still be occurring but the operator would have no idea.
Self-checking provides yet another way to detect errors. “You build self-checking into your software with watchdog timers, or by comparing the two signals against each other,” says Hollister. “Let's say something fell, disconnecting both encoder cables. They would stop at the exact same time, generating either a standstill or a non-communication error. That's where you need self-checking and monitoring of those switches to monitor what's actually in your environment.”
For the first decades of automation control, the safety system was kept separate from the motion system. While motion systems often used programmable logic controllers (PLCs), such sophisticated electronics were not considered robust enough to guarantee complete removal of torque from the motor on command (for example, by e-stop) or in the event the system detected a fault. Instead, standards required safety systems to use hardwired electromechanical relays with redundant circuits. “We lived with that technology because when the PLCs first came out they were unreliable for protecting operators,” says Tim Parmer, safety solutions expert at Siemens Energy and Automation (Norcross, Georgia). “We went back to the reliable electromechanical solutions and that provided a safety layer that people were comfortable with. When the PLC went into an infinite loop or failed, or the drives failed, the safety layer could still remove the power and protect the operator.”
Although electromechanical safety systems based on relays may offer reliability and robustness, the technology has its challenges. “It's cumbersome to work with and it's very engineering-intensive to design,” says Parmer. “Because of the effort required, people had pressure to take a lot of shortcuts or reduce the number of safety protection devices installed. That's the philosophy that came out of the requirement to use electromechanical relay designs -- we have to put in safety, so we put as little in as possible because it’s hard to design and it shuts the machine down and people can’t easily find the fault.”
Clearly, there was room for improvement, and PLC developers stepped up to the challenge. As PLCs evolved and added RAM and processing power, they began to take over functions such as data monitoring and diagnostics. Today’s PLCs can incorporate redundant electronics and self-checking capabilities, making them robust enough to replace the electromechanical safety relays while maintaining the protection required. Today, safety PLCs and safety-rated drives work together, continually monitoring themselves for failure modes to yield a level of safety commensurate with relay-based systems while simplifying design and implementation.
Ironically, although electromechanical safety relays were initially considered more reliable than PLCs for safety, the technology can be high-maintenance because of its higher failure rates. “The drawback of having to pull power with a contactor is that if you have an operation where, say, the operator is breaking a light curtain and you're wanting to pull power from the amplifier, there's always a reasonably long delay time to recharge the DC bus in the servo drive,” says Chris Knudsen, product marketing manager at Yaskawa Electric America Inc. (Waukegan, Illinois).
That delay is on the order of a half second to a second, he says, but the problem is bigger than that. The servo amplifier incorporates a soft-start resistor that can only be recharged perhaps twice a minute. If an operator frequently breaks the light curtain, suddenly the delay becomes much longer; recharge it too many times and you get premature failure.
And it doesn’t just stop there. “The most frequent maintenance problem on the machine when using electromechanical relay systems was the contactors that opened the electrical current to safely remove power,” Parmer notes. “The best contactors have an operational life of around a million operations and then you have to replace them. Now we're doing safety interlocks with programmable electronic contacts that have near infinite lifetimes.”
Through safe torque-off functions, light curtains can now electronically isolate the output of the motor. The approach ensures that the motor won’t have power and allows operators to more frequently go into shutdown situations without having to wait for the DC bus to charge up.
Of course, the safety of personnel is paramount, but almost as important is the safety of the machine itself. Damage to capital equipment costs money, not only in repairs and replacement but in downtime. “Obviously, the most important requirement is that it doesn't munch fingers, but damaging equipment is bad, too,” says Brian Schmidt, senior applications engineer at Bosch Rexroth Corp. (Hoffman Estates, Illinois). “Anything that can be done to reduce the chances of that is a positive thing. The requirement to have power completely removed is something that slows set-up time and error recovery, though, because the operator has to shut down power and lock it out and then he can't utilize the power of the servos to do what he needs to do on the machine.”
Today’s new drives not only include Safe Torque Off and Safe Stop 1 (SS1) functions, they also feature extended safety functions like Safe Operating Stop and Safe Stop 2, says Kevin Wu, safety technical expert for motion control at Siemens. “Safe Operating Stop consists of monitoring the standstill position of a drive with a defined tolerance window that the drive must not violate,” he says. “If the drive violates the condition, then the drive is brought to a Safe Torque Off state. Personnel can enter the protected machine areas without having to shut down the machine as long as Safe Operating Stop is active. Safe Stop 2’s stop response is a controlled stop and then it transitions to a Safe Operating Stop state. Safe Operating Stop can also be activated individually,” he adds.
The extended functionality provides important benefits. On a jammed packaging machine, for example, the operator could put a machine in Safe Operating Stop, open a door, and clear the jam without having to completely power down -- and power back up -- the servos. “It’s not de-energized but the enable pulse sent to the motor is disabled or inhibited,” says Wu. “There’s no way for your drive to spin back up with the DC link energized.” Because the routine does not remove three-phase power to the drive system, the machine can start up again very quickly, reducing downtime. “The only time you really need to de-energize the whole thing is if you're actually doing some kind of service work on the drive system,” he notes. “That's when you have to do a lockout/tagout, and actually remove that DC energy link and perform your service work.”
This approach pays bigger dividends than just speeding the restart process. Depending on the system and components, putting the motor in a Safe Torque Off state can prevent maintenance staff from accessing diagnostic data to determine the fault, or even whether components in the network have failed. Safety is a worthy goal, but few things are more annoying than a machine that shuts down because of an unspecified and non-obvious safety fault that the operators then need to spend time hunting down. If the drive remains energized under a safety mode, staff can run diagnostic routines to get data. When the drive is de-energized, power has to be restored before they can even begin to look for the problem, which increases downtime.
Besides Safe Operating Stop, systems are also increasingly able to operate in Safe Limited Speed mode, which allows the operators to index the machine in set increments at predefined speed(s). Consider a web-based process in which an in-feed axis pulls material into the machine. Such elements are typically large rollers incorporating gearheads, so if the in-feed section gets jammed, clearing it manually could be a laborious, time-consuming task, even if the drive remains energized. Safe motion capabilities allow operators to use the power of the system to help clear the problem, say by backing the feed up to remove the jam.
Safe motion doesn’t mean free motion but a carefully controlled movement. Hardware and software can constrain the motor to only go in reverse, for example. The motion can be indexed, only shifting a minimal amount for each increment, and of course it’s monitored the entire time. “The whole time, the encoder on the servo is being monitored in the drive and simultaneously in the safety card itself,” says Schmidt. “If motion is detected outside of the limitations we've imposed, then the drive will instantly be shut down, the motor will be switched to a torque-free state.”
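The three ideas this article walks through, redundant and diverse encoders that are cross-checked and watchdog-monitored (Hollister's disconnected-cable case), the Safe Operating Stop tolerance window, and the Safe Limited Speed ceiling with an immediate drop to Safe Torque Off on violation, fit in one scan-by-scan monitor. The following is an added illustration written for this page, not code from Pilz, Siemens, Bosch Rexroth or Yaskawa; the thresholds, scan period and encoder samples are all constructed, hypothetical values.

```python
"""Constructed safety-monitor model: dual-encoder self-checks, then a Safe Operating
Stop (SOS) window or Safe Limited Speed (SLS) ceiling; any violation ends in STO."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CROSS_CHECK_TOL = 2.0   # max disagreement between the two encoders (degrees), assumed
SOS_WINDOW = 1.0        # SOS standstill tolerance window (degrees), assumed
SLS_MAX_SPEED = 30.0    # SLS speed ceiling (degrees per second), assumed
WATCHDOG_CYCLES = 3     # scans without fresh data before a channel is declared dead, assumed

@dataclass
class Sample:
    cycle: int               # scan counter of the safety card
    enc_a: Optional[float]   # optical encoder position; None = no fresh data this scan
    enc_b: Optional[float]   # magnetic encoder position (diverse technology); None = stale

def monitor(samples: List[Sample], mode: str, period_s: float = 0.01) -> List[Tuple[int, str]]:
    """Return the safety reactions raised; the first STO ends the run, as the drive would."""
    reactions: List[Tuple[int, str]] = []
    last_fresh = {"a": 0, "b": 0}
    last_pos = hold_pos = None
    for s in samples:
        # Self-check 1, watchdog: two channels that stop updating together are a wiring
        # fault (both cables pulled), not a standstill, so stale data is treated as a fault.
        for ch, val in (("a", s.enc_a), ("b", s.enc_b)):
            if val is not None:
                last_fresh[ch] = s.cycle
            elif s.cycle - last_fresh[ch] >= WATCHDOG_CYCLES:
                reactions.append((s.cycle, f"STO: encoder {ch} watchdog expired"))
                return reactions
        if s.enc_a is None or s.enc_b is None:
            continue  # a single missed scan is tolerated; the watchdog bounds how many
        # Self-check 2, cross-comparison of the redundant channels: a badly mounted or
        # decoupled encoder shows up as disagreement even though both keep "reporting".
        if abs(s.enc_a - s.enc_b) > CROSS_CHECK_TOL:
            reactions.append((s.cycle, "STO: encoder cross-check mismatch"))
            return reactions
        pos = (s.enc_a + s.enc_b) / 2
        if mode == "SOS":
            hold_pos = pos if hold_pos is None else hold_pos   # latch the standstill position
            if abs(pos - hold_pos) > SOS_WINDOW:
                reactions.append((s.cycle, "STO: left SOS tolerance window"))
                return reactions
        elif mode == "SLS" and last_pos is not None:
            if abs(pos - last_pos) / period_s > SLS_MAX_SPEED:
                reactions.append((s.cycle, "STO: exceeded SLS speed limit"))
                return reactions
        last_pos = pos
    return reactions   # empty list means the axis stayed inside every limit
```

Feeding the monitor a jog of 0.2 degrees per 10 ms scan (20 degrees per second) in SLS mode returns no reaction, while 0.4 degrees per scan trips STO on the second scan; two encoders that both go silent trip the watchdog rather than being read as a standstill.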
Part II of this article will cover pitfalls and new trends in implementing safety.