Machine safety technology in B&R motion control

2026-04-06 04:49:30 · · #1

Foreword

Safety technologies in motion control are a crucial aspect of machine safety control. The IEC 62061/EN 13849 standards cover numerous safety technologies related to motion control; however, practical application depends on concrete implementation and on safeguarding production and personnel. In fact, the concept of motion control safety encompasses many facets.

1. Shift in safety technology thinking

In recent years, safety technology has become the most closely watched topic in the field of industrial automation. However, although a few professionals understand it well, most people's understanding of it is still partial and one-sided. Several important ideas must be corrected; otherwise, this one-sided view makes it impossible to judge safety technology as a whole.

1.1 Safety technology is a matter of lifecycle management rather than a "product concept".

"Our products meet SIL3 level certification" is a typical product concept. SIL3 certification for a particular product only means that the product meets the safety requirements for electrical component design; it does not mean the system's safety level is SIL3. This is because a safety system must be viewed holistically, throughout its entire lifecycle. Viewing it in isolation is inappropriate. Safety regulations and standards must be followed through the entire process: system risk assessment, solution determination, design, testing, simulation, operation, upgrades, and maintenance. A safety system is more of a technical extension of a management philosophy than simply a technical or product issue.

In summary, a safety system is closer to a "management system for production operations" than to a component of a technology or product. Any view that treats safety as merely a technology or a product is "partial" or "one-sided".

1.2 Safety brings benefits, not unreturned investments.

Another problem with safety systems is that enterprises neglect investment in safety. Safety systems are often seen as an investment with little effect, or as an unnecessary expense. In fact, safety systems can bring benefits to enterprises in the following ways:

1.2.1 Increased Production Efficiency Due to Safety

For safety systems, the adoption of new safety designs, such as B&R's Smart Safe Reaction technology, can ensure personal safety without downtime while simultaneously ensuring production continuity. The risk to enterprises regarding personal safety lies in the potential costs of compensation and legal liabilities arising from personal accidents, and these costs have become even greater today as safety is given greater importance. Therefore, safety systems bring not only the potential benefits of personal safety but also the ability to maintain production continuity and avoid losses of work-in-process.

1.2.2 Safety protection is an important investment in equipment.

For critical equipment such as injection molds, extruder screws, high-precision cam mechanisms in textile and packaging machinery, wind turbine generators, and gas turbines, safety systems can also protect the equipment from damage and from the potentially huge property losses caused by its destruction.

1.2.3 Breakthroughs in safety technologies: technological barriers and market entry requirements

Looking to the future, if domestically produced equipment is to enter the global market, safety technology will become a potential market entry barrier. Safety technology will become an important technological barrier in the future machinery field. This is why regions with advanced machinery manufacturing, such as Europe, the United States, and Japan, emphasize the importance of safety technology. It is not only for safety considerations but also for market considerations. Therefore, it is necessary to plan ahead and carry out the research and application of safety technology.

2. Scope of SafeMotion

Motion control safety follows the principles defined in IEC 61508, namely, the safety of any single component does not guarantee the safety of the whole system. A system can only be regarded as functionally safe if all components of the entire system are safe. Motion control safety therefore covers multiple components such as safe encoders, motors, drive technology, safe programming, and safe communication. Of course, it also includes the safety logic (processor safety), which is not included in this discussion.

2.1 SafeMOTION Safety Drive Technology

Drive safety is the core of safe motion control. It is based on safe product design, function development, specifications and standards. Safety functions include important functional design requirements such as STO, SS1, SLS and SMP to ensure the safety of the motion process. This section will take B&R's SafeMOTION as a reference to introduce some of its key functions and practical applications in detail.

2.1.1 STO - Safe Torque Off (as shown in Figure 1)

STO is the most basic safety function, implemented by hard-wiring the trigger signal directly to an input on the drive. This is a basic function found in most drives and frequency converters. The STO function is used to prevent the drive from restarting unexpectedly. According to the EN60204-1.5.4 specification, STO disables the drive pulses and cuts off the power supply to the motor (EN60204-1 Class 0 Emergency Stop). This state can be monitored internally in the drive.

For example, when the emergency stop button is pressed, the torque output of the motor must be cut off. Of course, STO only cuts off the torque output of the axis; the motor then coasts to a stop under its own inertia.

For robotic applications, it is essential to ensure the brakes are engaged when the robotic arm is suspended; safety features must be considered and designed holistically.


Figure 1 - STO Safe Torque Off function

2.1.2 SLS - Safely Limited Speed (as shown in Figure 2)

For a machine in operation, a non-zero kinetic energy state poses a potential danger. However, reducing the speed can significantly reduce the risk of injury to the human body while also ensuring that the equipment's operation is not interrupted. This matters because, for many machines, a restart can mean a huge waste. First, there is the damage and loss of work-in-process; in addition, the preparation required for startup, such as in spinning and warp knitting processes, involves significant work in rethreading and handling broken yarns.

SLS provides a pre-set speed limit for the system, allowing it to operate at low speeds when entering a safe zone or for safe maintenance, thus ensuring personal safety.

Its trigger can be an external switch or light curtain, which is common for machines. For example, warp knitting machines or robot operating spaces often use light curtains to ensure that the machine speed is reduced to a low state when a person enters the working area, such as reducing the linear speed from 10 m/s to 1 m/s. SLS must reduce the speed in the time interval t0 to t1. In safety systems, this depends on the response capability of the safety communication bus. For networks based on real-time Ethernet, instructions can be transmitted in microseconds and the set value of the safety speed can be achieved in milliseconds.


Figure 2 - SLS Safely Limited Speed

The SLS function monitors that the drive stays within a programmable maximum speed. Four different limit values can be activated. In SOS mode, the speed setpoint is not automatically affected. After SLS is activated, the higher-level control must ensure that the drive drops below the speed limit within a reference time.

2.1.3 SS1 - Safe Stop 1 (as shown in Figure 3)

When the drive's safety function is activated and the motion does not stop quickly enough due to load inertia, the rectifier can actively brake, eliminating the need for wear-dependent mechanical braking.


Figure 3 - SS1 Safe Stop 1

SS1 is triggered when the safety encoder is detected to be faulty, or when the system is designed with SS1 functionality and SS1 is activated by a higher-level controller. The speed ramp curve for SS1 can be pre-configured. The system monitors the decrease in speed, and when the speed drops to the set speed, STO is applied, causing the machine to stop. When applying this function, it is necessary to check whether the braking distance calculated for the configured ramp is safe.

Another safe stopping method is SS2, which, unlike SS1, provides complete stopping torque via the drive.
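The SS1 sequence described above (monitor the speed against a pre-configured ramp, apply STO at the set speed, and check the braking distance) is sketched below as an added example; it is not B&R code. The structure, the tolerance band, the reaction of tripping STO on a ramp violation, and all numeric values are assumptions made for illustration.

```c
#include <stdio.h>

/* Illustrative SS1 ramp monitor. All names and numbers are assumptions
 * made for this example; they are not B&R SafeMOTION parameters. */
typedef enum { SS1_RAMPING, SS1_STO_STANDSTILL, SS1_STO_VIOLATION } ss1_state_t;

typedef struct {
    double v0;           /* speed when SS1 is requested [m/s]    */
    double decel;        /* configured ramp deceleration [m/s^2] */
    double tolerance;    /* allowed excess over the ramp [m/s]   */
    double v_standstill; /* speed at which STO is applied [m/s]  */
} ss1_cfg_t;

/* Highest speed still accepted at time t after the SS1 request. */
double ss1_envelope(const ss1_cfg_t *c, double t)
{
    double v = c->v0 - c->decel * t;
    return (v > 0.0 ? v : 0.0) + c->tolerance;
}

/* Distance covered during the reaction time at v0 plus the ramp from
 * v0 down to v_standstill. Coasting after STO is not included. */
double ss1_braking_distance(const ss1_cfg_t *c, double t_reaction)
{
    return c->v0 * t_reaction
         + (c->v0 * c->v0 - c->v_standstill * c->v_standstill) / (2.0 * c->decel);
}

/* Evaluate speed samples taken every dt seconds. Returns the final state
 * and stores the sample index at which STO was applied (-1 if never).
 * Assumption: a sample above the envelope trips STO immediately. */
ss1_state_t ss1_run(const ss1_cfg_t *c, const double *v, int n, double dt, int *sto_idx)
{
    *sto_idx = -1;
    for (int i = 0; i < n; i++) {
        double speed = v[i] < 0.0 ? -v[i] : v[i];
        if (speed <= c->v_standstill) { *sto_idx = i; return SS1_STO_STANDSTILL; }
        if (speed > ss1_envelope(c, i * dt)) { *sto_idx = i; return SS1_STO_VIOLATION; }
    }
    return SS1_RAMPING;
}

/* Constructed sample data: 2 m/s axis, 4 m/s^2 ramp, 100 ms sampling. */
const ss1_cfg_t CFG = { 2.0, 4.0, 0.2, 0.05 };
const double GOOD[] = { 2.0, 1.65, 1.25, 0.80, 0.45, 0.03 }; /* follows the ramp   */
const double SLOW[] = { 2.0, 1.70, 1.50, 1.30, 1.10, 0.90 }; /* inertia too large  */

int main(void)
{
    int idx;
    ss1_state_t s = ss1_run(&CFG, GOOD, 6, 0.1, &idx);
    printf("good ramp: state=%d, STO at sample %d\n", s, idx);
    s = ss1_run(&CFG, SLOW, 6, 0.1, &idx);
    printf("slow ramp: state=%d, STO at sample %d\n", s, idx);
    printf("braking distance: %.4f m\n", ss1_braking_distance(&CFG, 0.02));
    return 0;
}
```

The computed braking distance is the figure to compare against the distance between the protective device and the hazard when judging whether the configured ramp is acceptable.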

2.1.4 SOS - Safe Operating Stop (as shown in Figure 4)

SOS is a crucial function for synchronous stopping of machines in multi-axis applications. When SOS is activated, the drive must maintain a braking torque to keep the drive shaft in its current position. Unlike SS1 and SS2, the drive does not brake automatically. Instead, the controller provides a ramp descent, allowing each relevant axis to stay in sync within an adjustable delay.

Synchronous stopping is crucial for textile machinery such as tricot warp knitting machines, spinning long carriages, multi-motor driven rovings, and printing presses, because it allows the machines to remain safe while ensuring that work-in-process such as yarn, paper, and film is not torn, which would result in waste and in complex mechanical and electrical restart work.


Figure 4 - SOS Safe Operating Stop

2.1.5 SLI - Safely Limited Increment (as shown in Figure 5)

Safely Limited Increment is activated by the encoder's calculated value or by the safety logic design. It is used in conjunction with other functions such as STO, SOS, and SLS. This function will be activated when the encoder is not detected or when the encoder fails.


Figure 5 - SLI Safely Limited Increment function

The safety motion control module monitors the encoder position, as well as encoder hysteresis and failure, and sets a window range for the position. Within this range, the SLI function will not be triggered. For feeding or transmission applications, monitoring the increment can ensure that the feeding is within a safe range and avoid damage caused by overfeeding.

2.1.6 Other safety motion control functions

Due to space limitations, the remaining functions are not described in detail and are listed only for reference. Taking B&R's SafeMOTION as an example, it also includes some other safety functions, as shown in Figures 6 and 7.


Figure 6 - SMP schematic diagram

SMP (Safe Maximum Position): the controller monitors the safe position window and the position monitoring speed limit independently to ensure that the drive operates as designed and can safely find the origin.


Figure 7 - SLP Safely Limited Position

SLP (Safely Limited Position): this is crucial for ensuring tool safety in metalworking and CNC systems.

SBC (Safe Brake Control): used to control braking during zero-current operation, such as motor braking. The brake control circuit is a fail-safe, two-channel design.

SDI (Safe Direction): ensures that prohibited reverse rotation due to misoperation cannot occur, thus ensuring the safety of machines and personnel.

Due to space limitations, these functions are not elaborated further.

2.2 Encoder and motor shaft connection monitoring (as shown in Figure 8)


Figure 8 - Encoder connection to motor shaft

Safe motion control must consider the potential risks of the shaft connection between the motor and the encoder, including monitoring for shaft connection hysteresis, encoder-detected damage and slippage, to ensure that motion control errors are addressed and responded to in a timely manner.

The encoder speed does not match the load speed. Static misalignment includes errors such as motor acceleration runaway and encoder position mismatch with load position.

By monitoring the electrical status of the encoder, relevant safety mechanisms can be triggered. Functions such as SS1, STO, and SBC all require monitoring the encoder's speed, position, hysteresis error, etc.

2.3 Robot Safety - SafeROBOTICS

Robot safety differs from motion control in synchronous positioning control, and its safety design also differs from other safety functions. The earliest technology to provide robot safety based on bus technology was B&R's SafeROBOTICS technology, which provides personal safety guarantees for the robot's operating space.

This technology is also known as SLS & TCP, which is a safe speed limit for the center point of the robot's end effector (the tool center point, TCP). It is not simply another form of the SLS function, because the robot's TCP speed is not defined by a single axis. Moreover, the safety reaction also involves the robot's own calculations. Therefore, it is a more complex safety design, even though on the surface it simply reduces speed to achieve safety.

Robot safety is a factor that must be considered in the future era of widespread robot use.

3. Safety Design and Process

The design of a safety system must follow a strict process and include verification and validation at each stage. Otherwise, the expected safety system effect will not be achieved. Each stage must be carried out in accordance with international IEC/ISO/EN standards, and the entire process must be monitored by certified safety engineers and certified by qualified certification bodies such as TUV or SGS.

3.1 Establishment of a safety management system

Based on the IEC 61508 and EN 62061 standards, the following tasks are defined:

● Identify all safety-related activities related to the machine and its surroundings;

● Develop policies and management strategies that meet functional safety consistency requirements;

● Clarify the responsibilities of relevant personnel

● Documentation, Processes, Records, and Resource Management

● Verify and confirm the plan

A corresponding management system must be established for machine safety, not just the technology and products themselves. Therefore, from this perspective, it is not an exaggeration to say that the safety system is a management system issue. Furthermore, IEC61508, EN62061 and other standards all adopt failure analysis and other methods and systems based on production and operation management, and their processes and management operations control follow the same management concepts and ideas.

3.2 Risk Assessment

The relevant standard is EN ISO 12100-1:

● Assess the potential hazards caused by the machine;

● Evaluate each identified risk individually (probability, frequency, and the likelihood and severity of harm that can be avoided).

This stage is crucial, as all potential possibilities must be considered. The completeness and accuracy of the risk assessment are the fundamental guarantee for the successful design of a safety system.

3.3 Reduce safety risks

Risk reduction measures include existing safety design methods, as well as safer designs and better design processes. For mechanical systems, corresponding safety protection measures must also be considered. From the perspective of residual risk management, relevant safety information also includes safety warning labels, warning lights, alarm measures, and operating procedures and documents on the machine itself.

3.4 Propose safety requirements and set objectives

Safety targets must be set for the system, taking into account the requirements of relevant international, industry, and domestic standards. For example, the elevator industry, metal processing industry, shipbuilding and transportation industries each have their own safety requirements for equipment and systems, which can be used as safety targets, and the targets set can be higher than those requirements.

SIL and PL correspond to IEC61508 and EN13849 respectively. Their safety levels have corresponding calculation standards and methods, which can be found in relevant materials.

3.5 Design and Implementation of Safety Function System

Referencing safety-related standards such as EN ISO13849 or EN62061, define motion control-related designs, such as SIL and PL, and calculate and design relevant parameters such as failure, error response time, safe distance, and frequency of hazards.

Design the functional blocks, architecture, and processes related to safe motion control, and program and test the functions.

3.6 Verifying the safety system

The systematic safety integrity of the system is determined using the SIL claim limit (SIL CL) defined for each subsystem. The safety integrity of the system's random hardware is measured using the probability of dangerous failure per hour (PFHd) defined for each subsystem. The common cause failure (CCF) checklist is used to check that no necessary item is missing from the safety system that has been created. The SIL achieved is then determined according to the definition of SIL.
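The check described above, and the earlier point that SIL3-certified products do not by themselves make a SIL3 system, can be worked through as follows. This is an added example, not part of the original article: it assumes the PFHd bands used for high-demand safety functions (SIL 3 below 10^-7 per hour, SIL 2 below 10^-6, SIL 1 below 10^-5), and the subsystem names and figures are constructed. The CCF checklist and the failure probability of the safety bus are not modelled.

```c
#include <stdio.h>

/* Illustrative SIL check for one safety function. Subsystem names and
 * figures are constructed for this example, not vendor data. */
typedef struct {
    const char *name;
    int    sil_cl;  /* SIL claim limit of the subsystem              */
    double pfhd;    /* probability of dangerous failure per hour     */
} subsystem_t;

typedef struct {
    int    sil;           /* SIL achieved by the whole function (0 = none) */
    double pfhd_total;    /* sum of the subsystem PFHd values              */
    int    limited_by_cl; /* 1 if a claim limit is the binding constraint  */
} sil_result_t;

/* PFHd bands for high-demand functions; machinery stops at SIL 3. */
int sil_from_pfhd(double pfhd)
{
    if (pfhd < 1e-7) return 3;
    if (pfhd < 1e-6) return 2;
    if (pfhd < 1e-5) return 1;
    return 0;
}

/* The function achieves the lower of: the weakest subsystem claim
 * limit, and the SIL band of the summed PFHd. */
sil_result_t verify_sil(const subsystem_t *s, int n)
{
    sil_result_t r = { 0, 0.0, 0 };
    int min_cl = 3;
    for (int i = 0; i < n; i++) {
        r.pfhd_total += s[i].pfhd;
        if (s[i].sil_cl < min_cl) min_cl = s[i].sil_cl;
    }
    int by_pfhd = sil_from_pfhd(r.pfhd_total);
    r.limited_by_cl = min_cl < by_pfhd;
    r.sil = r.limited_by_cl ? min_cl : by_pfhd;
    return r;
}

/* Chain A: every part is rated SIL CL 3, but the PFHd values add up
 * to 1.2e-7 per hour, which falls in the SIL 2 band. */
const subsystem_t CHAIN_A[] = {
    { "light curtain",     3, 3e-8 },
    { "safety controller", 3, 1e-8 },
    { "safe drive",        3, 8e-8 },
};
/* Chain B: the summed PFHd would allow SIL 3, but one SIL CL 2 input caps it. */
const subsystem_t CHAIN_B[] = {
    { "door switch",       2, 1e-8 },
    { "safety controller", 3, 1e-8 },
    { "safe drive",        3, 4e-8 },
};

int main(void)
{
    sil_result_t a = verify_sil(CHAIN_A, 3), b = verify_sil(CHAIN_B, 3);
    printf("A: SIL %d, PFHd %.2e, limited by claim limit: %d\n", a.sil, a.pfhd_total, a.limited_by_cl);
    printf("B: SIL %d, PFHd %.2e, limited by claim limit: %d\n", b.sil, b.pfhd_total, b.limited_by_cl);
    return 0;
}
```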

3.7 Document Management

For safety systems, the entire process of establishing a safety management system, setting objectives, assessing risks, designing systems, testing and verifying must be governed by a strict document management system and certified. Any missing technical documentation indicates that the safety system does not meet the relevant standard requirements and is also considered to fail to meet the functional safety requirements.

3.8 Certification of conformity to standards

The certification process is the most important. A third-party certification body must audit all documents, processes, specifications, and tests of the entire system, including the management system, risk assessment, and design, in accordance with standards before signing off on the certification. A system that has not been certified cannot be called a safe system.

Safe motion control is a very rigorous design process that must strictly refer to international standards such as IEC61508 and EN13849 and be completed in collaboration with safety technology providers, certification bodies, and customers. This article is for reference only.

About the author:

Song Huazhen (1972-), male, is currently the Marketing Manager and Engineer at B&R Industrial Automation (Shanghai) Co., Ltd. His main technical expertise is motion control and real-time communication technology.

B&R Industrial Automation is a global leader in automation, specializing in innovative cutting-edge automation technologies. Headquartered in Austria, it currently has branches in 68 countries and 166 offices worldwide. "Perfect Automation" and "Your Global Automation Partner" are B&R Industrial Automation's mission and pursuit.

In August 1996, B&R Industrial Automation (Shanghai) Co., Ltd. officially settled in Shanghai, China. Its localized sales and highly skilled technical team provide Chinese customers with faster service responses. For over a decade, B&R (China) has focused on providing domestic users with high-quality, comprehensive automation products and excellent technical solutions. Currently, B&R's products and solutions are widely used in mechanical automation fields such as packaging, printing, plastics, textiles, food and beverage, machine tools, semiconductors, and pharmaceuticals; as well as in process automation fields such as power, metallurgy, municipal engineering, transportation, petroleum, chemical, and cement industries. B&R products have obtained international certifications such as ISO 9001, UL, TÜV, and GOST-R, and their quality and performance have been widely praised by users, earning them a strong reputation. Today, B&R (China) has established offices in Beijing, Guangzhou, Jinan, Xi'an, Chengdu, and Shenyang. Its Shanghai office and other offices have established comprehensive technical training centers, as well as joint laboratories with universities throughout the country.
