Machine & Operator Safety
Preventing hazards: external motion monitoring combines safety functions with machine efficiency
By By Marcel Wöhner and Jörg Forcht
By By Marcel Wöhner and Jörg Forcht
November 16, 2018 – Motion monitoring enables efficient machine operation – but standards also demand maximum safety. With an external monitoring unit, safety functions can be implemented as standard on frequency converters and servo amplifiers of various performance classes and from various manufacturers; in most cases this can be achieved very economically.
The objective of safety technology was and always will be to prevent potentially hazardous movements. Nothing, then, is more obvious than to have a close connection between safety technology and motion generation. For technical and economic reasons, the drive electronics – servo amplifiers and frequency converters – have remained as non-safety-related components in very many applications. In such applications, the required safety is guaranteed through additional safe components, which bring the drive to a de-energized, safe condition in the event of a fault, or safely monitor the movement of the connected motor.
Motion monitoring has two main tasks: it must detect any violation of the limit values and then trigger an appropriate safe reaction. It must also detect any potential errors in the encoder system and likewise trigger an appropriate error reaction.
Even with external, safe motion monitoring systems, it is possible to implement many of the safety functions that are defined in IEC 61800-5-2 by reusing the existing actuator and sensor technology, even on older drive systems. This is significant, particularly where a retrofit is involved, because it means the cost of exchanging the drive, motor and sensor technology can be saved. Existing drive functions can also continue to be used. What’s more, it is no longer necessary to undergo the sometimes-complex process of converting the existing drive program to a new system, along with the additional training required to program the safety section.
The task of the external devices is to detect motion. The safety characteristic data of the employed sensors, e.g. rotary encoders or proximity switches, is significant in determining the safety level that can be achieved. Different solutions to suit the various requirements are available to monitor movements with external monitoring devices. At the highest level, it is important to distinguish between so-called standard encoders and “safe” encoders.
Pre-assembled adapter cables simplify connection of the external monitoring devices. These are inserted between the drive and feedback encoder and record the motion monitoring signals. Appropriate adapters are available for all common drive manufacturers and drive models.
Another advantage of using external motion monitoring modules is the fact that the safety system is independent from the employed drive system. So all the safety functions, special motion generation functions and motion control functions can be implemented within the usual system.
Compatibility with encoders
An important requirement for solutions with external safety is the ability to evaluate all standard sensor systems (rotary encoders in various designs, incremental encoders (TTL, HTL), Sin/Cos encoders) up to Performance Level (PL) d of ISO 13849-1 and two proximity switches up to PL e. This is made possible via feasibility checks within the external safety component that monitors the sensor signals. As a result, it is possible to achieve diagnostic coverage of up to 90 per cent on the encoder system. Through appropriate warning messages, a potential encoder failure can be detected early. It is also possible to use internal encoder diagnostics and to react to a potential fault signal from the rotary encoder with a protection violation.
If a higher PL is required, this can be achieved by using an appropriately certified, safe rotary encoder. The important factor here is the correct interaction between encoder and safety relay. The documentation belonging to the respective encoder describes the requirements of the monitoring device, which must be met in order to use the device and to claim the certified safety-related characteristic data.
If a certified, safe sensor cannot be used, it is still possible to achieve a higher PL with little effort. An additional proximity switch is fitted so that it scans the hazardous movement on a toothed wheel or shaft coupling, for example. The monitoring device can now continuously compare the established speed values from both encoder systems (standard rotary encoder and proximity switch). If the values are no longer feasible, the monitored axis is brought to a stop. As a result, motion monitoring up to PL e is possible with two standard components. Monitoring for broken shear pins or gear monitoring can also be implemented in the same way.
Safe motion monitoring solutions with external monitoring devices can be used in conjunction with standard, certified Sin/Cos encoders designed for up to PL e. As a result, safe motion monitoring can be implemented up to the maximum PL with only one encoder. If there are only a few safety functions to be linked to motion monitoring, individual relays provide an appropriate solution.
Reacting to errors
The more complex the task, the more beneficial existing add-on functions of the external monitoring devices are likely to be. In the event of an error, e.g. if a speed-monitoring function reacts, a drive should always be shut down as quickly as possible. Long transmission times to centralized safety systems and their program cycle times can often present a problem. With local stop outputs, which can drive the safety functions SS1 (Safe Stop 1) and STO (Safe Torque Off) directly, motion-monitoring modules can trigger a stop of the corresponding axis just a few milliseconds after the monitoring function has reacted. Thanks to integrated delay stages, it is even possible to implement the SS1 function, after an emergency stop signal has first been transmitted to the drive and after the drive’s STO function is activated when the set delay time has elapsed. This way, an axis can still be brought to a controlled standstill in the event of an error, before the controller inhibit makes braking impossible.
If you need to shut down not just one but multiple drives simultaneously, a cascading function can allow you to do it simply, within a few milliseconds; this is independent of fieldbus times or task cycles on the controller.
In their independence of the rest of the system, external motion monitoring systems allocate for future developments, both on the drive and the encoder side.
Marcel Wöhner is a product manager and Jörg Forcht is a product developer at Pilz GmbH & Co. KG.
This article originally appeared in the November/December 2018 issue of Manufacturing AUTOMATION.