Safety II: Making Safety Work
| By: Kristin Lewotsky, Contributing Editor
A decade ago, safety systems and motion systems were kept separate. These days, the separation of safety and motion is softening. Increasingly, safety capabilities are getting embedded directly into motion control components and into the system itself. The next step up the ladder from safe motion is safe motion control, which is a beast of a different nature, says Roberta Nelson Shea, chief operations officer and general manager of Pilz Automation Safety (Canton, Michigan). Safe motion control isn’t just about removing torque or controlling speed in specified situations, it’s about confirming that what the motion system thinks it is doing is actually what is happening.
How do you accomplish that? Redundancy, for a start. We’ve already identified it as one of the key principles of safety, but even in the world of electromechanical relays, redundancy is not so easy to design in. “It still astounds me that people don’t realize they need dual circuitry to ensure that they don't miss that e-stop,” says Tim Parmer, safety solutions expert at Siemens Energy and Automation (Norcross, Georgia). “They will misuse a dual switch by having only half of it going to the safety circuit, I find it all the time. You have to think about the single point of failure. With the one e-stop button or door-guard switch, they’re only monitoring half of it, and they think they're getting high-level safety because it goes into a relay instead of a PLC.” A key function of any failsafe technology, whether relay or PLC based, is ensuring that no single failure can prevent the operation required for safety. Dual circuitry helps make sure that the signal gets through; designing a system to eliminate common-mode failure is even better.
Redundancy in the electronic design is not always obvious at first blush, though. “In the networking technology that we have today, we have extra layers of testing in the communications protocol,” says Parmer. “You don’t physically see two wires, it's just that if the network fails, there is extra test logic in the communication protocol and more than one monitoring circuit that fails to a safe state -- typically on both ends of the wire, the CPU and the I/O.”
The ideal system would be able to detect shaft slippage or breakage, or coupling breakage on the encoder in the servo. Just doubling up may not be sufficient, though. If you have an axis that you wish to monitor for speed and position, for example, you add a feedback loop. If you want to be really certain that the axis is doing what it says it is doing, you add a second to monitor the first, right? But how do you ensure that one is accurate?
“Probably the first mistake that I see is a designer thinks, ‘I need to check this,’ so they put in something to check it but they don’t realize that the component they put in to check it could fail,” says Nelson Shea. “Now, you’re in a situation where your checker has to be checked, but then the checker’s checker’s checker has to be checked, so it’s never as simple as you think. What if the two encoders slip compared to each other? What if they both slipped together compared to what's happening and neither of them are right but they still agree? It’s not just whether you’re monitoring it, it's how you’re monitoring it.”
The second big mistake is assuming that the system actually works as designed. It’s critical to not only check the operation of the components but to validate and functionally check the end result of the design. It might seem obvious but it doesn’t always happen.
When we take the discussion to this level, safety and feedback would seem to overlap, but they’re far from the same thing, Nelson Shea is quick to point out. “Closed loop feedback is how you ensure your product performs as you would like. That doesn't mean that it performs safely, though. You can have errors that accumulate, you can have errors as a result of other equipment impinging movement or preventing movement. That object impinging movement may be a body being crushed, for example, and what the feedback loop would say is, ‘I’m not getting to my point, let’s try a whole lot harder.’”
It takes a safety system with sensors to instigate a stop when personnel enter hazardous areas, or when embedded parameters preclude motion in certain regions or a fault is detected.
Ironically, today’s sophisticated safety-rated drives can actually introduce new risks in the absence of proper training. With electromechanical relay systems, a common shortcut was to begin handling the terminals of a motor after merely hitting the e-stop rather than invoking the e-stop and lock out/tag out both. “One thing I emphasize is that customers have to enhance their training of when you can physically put your hands on the power terminals,” says Parmer. “When you had the contactors removing power, they could hit the e-stop and put their hands on the terminals. Now, an e-stop with a safety-rated drive may stop motion but leave DC voltage so both an e-stop and a lockout are required to remove the power.” This is, he’s quick to point out, proper procedure with electromechanical relays, as well, but personnel often take shortcuts. “They should have done the e-stop/lock out like that before, but they could get away without it. Now they shouldn't try to do that.”
Going forward, integration of safety and motion is likely to continue. Past a certain point, though, it should be approached with caution. “It can’t ever be totally integrated,” Nelson Shea cautions. “You don't want to have your safety-related aspect of your equipment so completely integrated that no one even realizes what the safety related part of it is, because you could make a change and [accidentally] affect safety.”
Distributing intelligence -- and safety
While safety can be performed with either centralized or distributed control, distributed architectures offer certain inherent advantages. In addition to the reduced communications bandwidth demands of a distributed architecture, smart drives offer processing power and memory for redundant circuits and software checks in electronic safety systems. In fact, one of the big benefits of the intelligence that is permeating motion control today is the sheer amount of diagnostic information that’s available.
In the past, if a machine was shut down by a fault in the safety system, it was up to the operator to search out the problem. Today, every safety channel and device can have an address in the motion system. If someone bumps a light curtain, for example, the operator sees a message on the human machine interface (HMI) telling them not only that the fault originated in a light curtain but which light curtain. If the fault is system related, such as a wire that has vibrated loose and triggered a shutdown, it tells them that, too.
With such specificity, downtime goes from hours to minutes. “In the past, you had to search every light curtain, every door, every e-stop,” says Parmer. “With integrated safety, you don't have to get out there with ohm meters and radios and try to find the loose wire that's got you shut down. Now we have the technologies and safety standards in place to allow totally integrated safety and automation with system-level protection built into the common engineering tool. It’s the key to simplifying safety designs and providing the critical operational information where and when it’s needed to increase machine uptime and improve plant operating efficiency.”
One of the big complaints about safety systems is the occurrence of nuisance stops stemming from intermittent faults like loose wires. They may not involve danger to life, limb and machine, but they still cost in terms of downtime and lost production, not to mention frustration. It comes down to having the right safety system but it also comes down to having a safety culture. A system with safety designed in from the start would have wires locked down so that they couldn’t vibrate loose and create intermittent faults, for example. “The companies that tend to be a bit more hit or miss about the implementation of safety and understanding of safety tend to have more nuisance stops,” says Nelson Shea.
“If you have a company that’s used to safety, they’re using the right technology for the job,” agrees Hollister.
Safety isn’t something that can be done selectively, or as an afterthought, he emphasizes. That approach is simply asking for trouble. “The biggest problem we see is people implementing safety just part of the way through or only for electrical, as opposed to all sources of hazardous energy [pneumatic, hydraulic, mechanical, etc.],” says Hollister. “A lot of times, safety ends up being an afterthought. They’ll build a machine and then say, ‘Oh, we need to make it safe.’ It becomes almost a hindrance if you do it at that point in the game. You end up putting up guards that get in the way of the operations, or trying to cram controllers into a cabinet that’s already populated. If you account for safety from the start, you can usually design a system that’s as flexible and efficient as your standard process.”
Designing safety in from the beginning is also a benefit for vendors building components they hope to get safety rated. The approvals process doesn’t have to be expensive and time-consuming if the engineers begin by consulting the standards body to see what is necessary and working with them throughout the design process, Nelson Shea says. “If a company has a product and they’ve designed in safe stop, then they go to get it approved, the approval process takes forever. That’s because somebody designed something without fully understanding all of the ‘what if’s’ that go into really thinking through a design from a safety standpoint.”
If, instead, that same company sat down with the standards body at the beginning and described the product down to the functional operation level, and continued those discussions throughout development, things would be quite different. “The approval process would be really quite easy,” she says, “because the design went through an approval process while being designed.”
Advance planning can also inform which approvals are really necessary. “The challenge from a marketing perspective is planning your product line and trying to understand where most of the applications will fall [in terms of safety category],” says Chris Knudsen, product marketing manager of Yaskawa Electric America Inc. link to BG in new window (Waukegan, Illinois). “The category determines the level of safety design required in the product.”
As safety in motion control progresses, vendors need to constantly seek a better understanding of how to make safety technology and implementation as useful as possible to the end customer, which means establishing a dialog. So far, the feedback is all positive, Parmer says. “Any time I mention it, I get excitement in the room because now you can do one truly integrated system in which the safety PLC is monitoring all of your safe-stop devices and directly communicating to the safe drives. All of my customers want to know about it,” he adds. “It’s lightning in a bottle.”