Abstract: The slide safety stop function in a servo stamping machine is the most critical safety feature of the entire machine. Failure of this function can directly lead to serious accidents such as personal injury or equipment damage. This paper investigates the failure problem of the slide safety stop function and reduces the probability of safety control system failure when executing the slide stop function by adding redundancy and diagnostic coverage to the existing electrical control system. Reliability parameter calculations and actual usage results demonstrate that this method can effectively improve the reliability of the slide safety stop function in servo stamping machines.
1 Introduction
As a new trend in the development of stamping equipment, many domestic and foreign companies have begun to develop servo mechanical presses. Compared with conventional crank-connecting rod presses, servo presses reduce maintenance time and cost, reduce energy consumption, allow complex forming processes, and can deliver maximum nominal force at any slide position. During the operation of a servo press, the most common hazard is crushing by the up-and-down movement of the slide driven by the servo motor. Especially for stamping processes that frequently require manual loading and unloading, ensuring that the slide is stationary whenever personnel enter the danger zone is crucial.
Traditional slide stopping methods use a stop signal to cut off the servo enable directly. This single-channel actuator-disconnection method has low reliability: a single failure can cause the safety function to fail. This article presents methods to improve its reliability.
2 Slide safety stop failure issue
Taking the emergency stop function as an example: when a dangerous situation occurs, the operator presses the emergency stop button on the press, and the servo system should immediately respond and stop the slide (i.e., the servo motor). In practical applications, a single-channel emergency stop button is often wired directly to the servo enable input. When the normally closed contact of the emergency stop button opens, the servo enable signal is removed, the servo motor's power is cut off, and the servo motor engages its brake via the drive's internal single-channel circuit. The circuit is shown in Figure 1.
Figure 1 Emergency Stop Control Servo Stop Circuit Diagram
This structure has several significant problems:
(1) After long service, the metal contacts of the emergency stop button may weld together, so that its normally closed contact fails to open when the button is pressed.
(2) Poor wiring may create a short circuit between the servo enable terminal and the external 24 V supply, so that when the emergency stop is pressed the emergency stop signal is removed but the servo enable remains present.
(3) A single fault in the servo drive's internal single-channel circuit may leave the servo motor's power supply connected even though the enable signal has been removed.
All of these failures result in the servo motor failing to stop after the emergency stop button is pressed, and ultimately in the slide injuring personnel. All of them are dangerous failures that the control system cannot diagnose. Besides the emergency stop function, single-channel safety doors and light-curtain-triggered slide stopping functions suffer from similar dangerous failure modes. Such a control system therefore lacks the high reliability needed to ensure personnel safety.
3 Safety control loop design
Because of the inherent hazards of presses, the international standard EN 692 specifically addresses the safety of mechanical presses. A risk assessment of a servo press showed that for manually loaded and unloaded presses, if a control system is used to implement the slide stop function, the reliability of the control loop must meet ISO 13849-1 PLe, meaning a probability of a dangerous failure per hour of 10⁻⁸/h ≤ PFHd ≤ 10⁻⁷/h. To achieve this performance level, several factors must be considered: the system category, the mean time to dangerous failure, the average diagnostic coverage, common cause failures, and systematic failures. Before designing the loop, the stopping method of the servo drive must first be determined.
3.1 Determine the servo drive stop type
According to the safety standards IEC 61800-5-2 (adjustable speed electrical power drive systems) and IEC 60204, the stop functions of servo drives fall into three types:
(1) Safe Torque Off (STO): this stop function directly removes the power supply between the servo drive and the motor. After STO is triggered, the motor is uncontrolled and coasts to a stop under its own inertia.
(2) Safe Stop 1 (SS1): this stop function first brakes the motor through the drive until a defined delay time has elapsed or the motor has stopped, then removes the motor's power supply, i.e., triggers STO. Compared with STO, SS1 applies controlled braking to the motor before it reaches standstill.
(3) Safe Stop 2 (SS2): this stop function monitors the motor's standstill. Unlike STO and SS1, SS2 does not remove the motor's power supply, so motor torque is maintained at all times.
For servo presses, if the safety function cuts off the drive's power supply directly, the slide will continue to travel some distance under its own inertia. This could still lead to crushing injury from the slide, so the STO stop function alone cannot be used. On the other hand, because servo presses typically carry large external loads, an external brake is usually added to hold the slide in position even during a power loss. In this case SS1 is the ideal safety stop function. For slide stops during normal operation (loading/unloading, debris removal, etc.), to avoid the impact of repeatedly switching the power on and off on the equipment and the production process, SS2 is the more suitable safety stop function.
3.2 Determine the system structure
As can be seen from Figure 1, because the input, logic, and output sections all use a single-channel design, the system has no fault tolerance: a single fault causes the system to fail. Reliability can be improved, however, by changing the system structure. To meet the reliability requirements of PLe, the safety system designed in this paper adopts a Category 4 architecture, which has the following characteristics:
(1) A single fault in any safety-related component does not lead to loss of the safety function.
(2) The safety system detects a single fault at or before the next demand on the safety function. Where this is not feasible, an accumulation of undetected faults does not lead to loss of the safety function.
The structure of the safety function system is shown in Figure 2.
Figure 2 Safety Function System Structure Diagram
In the actual design, the input, logic, and output components are all redundant, and the logic component is primarily responsible for detecting faults in the entire safety loop. The design adds a safety relay while retaining the original servo drive, converting the original single-channel loop into a dual-channel redundant loop. The cost of this safety retrofit is relatively low.
For the emergency stop servo safety circuit, redundant normally closed contacts will be used for the emergency stop button. The safety relay internally employs a redundant relay structure and adds a detection circuit to detect faults in all input, logic, and output components. Furthermore, an electronic fuse is used internally to detect short-circuit faults between channels. In the circuit diagram shown in Figure 3, S11-S12 is the first channel, S21-S22 is the second channel, S12-S34 is the reset/start channel, and Y1-Y2 is the feedback loop channel. When the equipment starts or resets, coil K3 is energized. If the dual-channel safety signals are normal at this time, relays K1 and K2 are energized, coil K3 is de-energized, and the safety output point outputs a signal.
Figure 3 Safety relay circuit structure
The emergency stop safety function input circuit is shown in Figure 4. The emergency stop button S1 adopts a dual-channel structure and is connected to the input circuit of the safety relay A1. A fault in either channel (such as contact welding) will cause the output contact of relay A1 to open.
Figure 4 Emergency Stop Safety Function Input Circuit
In the output circuit design, redundant contactors are added to the existing servo power circuit, and a safety relay with a delayed drop-out function is used. SS1 is implemented by removing the servo enable through the relay's instantaneous contacts and then opening the redundant power contactors through its delayed contacts. The actual SS1 design using a safety relay as the logic controller is shown in Figure 5:
Figure 5 Emergency Stop Safety Function Output Circuit
In Figure 5, once the slide has reached standstill after the set delay, the delayed contacts 37-38 and 47-48 of safety relay A1 open, cutting off the servo power supply through the two redundant contactors K1 and K2. This ensures that the servo power circuit can still be disconnected if either contactor fails. In addition, the normally closed contacts of K1 and K2 are connected in series in the reset circuit of the safety relay, so the safety relay can check both contactors for faults before each operation. Note that the delay time must be determined from the risk assessment results for the slide stop.
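The loop described in Figures 3 to 5 behaves like a small state machine: dual-channel input with discrepancy detection, a feedback check on the contactors before every reset, and an SS1 sequence that drops the enable at once and opens the power contactors after a delay. The following Python model is an added example, not the paper's code and not a model of the Pilz PNOZ s5 product; the terminal names follow the paper's figures, the fault behaviour is the generic one the paper describes, and the delay is counted in simulation ticks rather than real time.

```python
"""Behavioural model of the dual-channel emergency stop loop (added example).

Terminal names (channels S11-S12 / S21-S22, reset S12-S34, feedback Y1-Y2,
delayed contacts 37-38 / 47-48) follow the paper's figures; the logic is the
generic behaviour the paper describes, not a vendor datasheet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Contactor:
    """Power contactor whose NC auxiliary contact is mechanically linked to the main contact."""
    name: str
    main_welded: bool = False   # dangerous fault: main contact stuck closed
    coil_on: bool = False

    @property
    def main_closed(self) -> bool:
        return self.coil_on or self.main_welded

    @property
    def nc_feedback_closed(self) -> bool:
        # Mechanical linkage (Figure 8): the NC contact is open whenever the
        # main contact is closed, welded or not, so the feedback is trustworthy.
        return not self.main_closed


@dataclass
class SafetyRelay:
    """Logic unit A1: dual-channel input, feedback check on reset, SS1 output timing."""
    k1: Contactor
    k2: Contactor
    delay_ticks: int = 3           # SS1 delay before the delayed contacts open
    enable_out: bool = False       # instantaneous contact -> servo enable
    delayed_out: bool = False      # delayed contacts 37-38 / 47-48 -> K1, K2 coils
    fault: Optional[str] = None
    locked: bool = False           # latched after a channel discrepancy
    _countdown: int = -1

    def reset(self, ch1_closed: bool, ch2_closed: bool) -> bool:
        """Operator presses reset (S12-S34). Returns True if the output was enabled."""
        # Feedback loop Y1-Y2: the NC contacts of K1 and K2 are in series, so a
        # welded main contact opens the loop and the relay refuses to start.
        if not (self.k1.nc_feedback_closed and self.k2.nc_feedback_closed):
            self.fault = "feedback loop Y1-Y2 open: contactor main contact welded"
            return False
        if self.locked or not (ch1_closed and ch2_closed):
            return False
        self.fault = None
        self.enable_out = self.delayed_out = True
        self.k1.coil_on = self.k2.coil_on = True
        self._countdown = -1
        return True

    def tick(self, ch1_closed: bool, ch2_closed: bool) -> None:
        """One control cycle with the current state of both E-stop channels."""
        if ch1_closed != ch2_closed:
            # Only one channel changed state: a welded contact or a broken wire.
            # The output still drops, and the fault is latched until repair.
            self.fault = "channel discrepancy between S11-S12 and S21-S22"
            self.locked = True
        if self.enable_out and not (ch1_closed and ch2_closed):
            # SS1 step 1: remove the enable at once so the drive brakes.
            self.enable_out = False
            self._countdown = self.delay_ticks
        elif self._countdown > 0:
            self._countdown -= 1
            if self._countdown == 0:
                # SS1 step 2: after the delay, open the delayed contacts so
                # K1 and K2 drop out and the servo power circuit is cut (STO).
                self.delayed_out = False
                self.k1.coil_on = self.k2.coil_on = False

    def motor_power_present(self) -> bool:
        # K1 and K2 are in series in the power circuit: one welded contactor
        # cannot keep the motor powered on its own.
        return self.k1.main_closed and self.k2.main_closed


def run_estop_scenario(weld_k1_after_start: bool = False,
                       weld_estop_ch1: bool = False) -> dict:
    """Start the loop, press the E-stop, then try to restart; report what happened."""
    relay = SafetyRelay(Contactor("K1"), Contactor("K2"))
    if not relay.reset(ch1_closed=True, ch2_closed=True):
        raise RuntimeError("healthy loop should start")
    relay.k1.main_welded = weld_k1_after_start      # fault injected while running
    # E-stop pressed: channel 2 opens; channel 1 opens too unless it is welded.
    ch1, ch2 = weld_estop_ch1, False
    trace: List[Tuple[bool, bool]] = []
    for _ in range(relay.delay_ticks + 1):
        relay.tick(ch1, ch2)
        trace.append((relay.enable_out, relay.delayed_out))
    power_after_stop = relay.motor_power_present()
    # E-stop released and reset pressed: both channels read closed again.
    restart_allowed = relay.reset(ch1_closed=True, ch2_closed=True)
    return {"trace": trace, "power_after_stop": power_after_stop,
            "restart_allowed": restart_allowed, "fault": relay.fault}


if __name__ == "__main__":
    for case in ({}, {"weld_k1_after_start": True}, {"weld_estop_ch1": True}):
        print(case, run_estop_scenario(**case))
```

Running the three scenarios shows the properties the paper claims for this structure: in the healthy case the enable drops on the first tick and the power contactors open three ticks later; a contactor that welds while running cannot keep the motor powered (K1 and K2 are in series) and is caught by the Y1-Y2 feedback check before the next start; a welded emergency stop contact is exposed as a channel discrepancy and the loop refuses to reset.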
3.3 Measures to improve diagnostic coverage
In a dual-channel input circuit, although the synchronicity of the two channels can be used to detect a welded contact in one channel, using two channels also introduces the possibility of a short circuit between the contacts of the two channels. If the two channel signals share a common terminal, such a short circuit between contacts cannot be detected, as shown in Figure 6.
Figure 6. Circuit diagram of short circuit fault between contacts not detected
As shown in Figure 6, the safety controller cannot detect a short circuit at any point between S12 and S22. Although this single fault does not by itself affect the safety function, if an emergency stop contact subsequently welds, the faults accumulate and the safety function fails. The average diagnostic coverage of this input circuit can therefore only reach 90%.
To address this, the input circuit of this design uses two independent channels on the safety relay, as shown in Figure 7. Channel S11-S12 detects a 24 V signal, while channel S21-S22 detects a 0 V signal. A short circuit between the contacts then trips the electronic fuse between S11 and A1, shutting down the controller. This method improves the diagnostic coverage of the input to 99%.
Figure 7 Circuit diagram for detecting short circuit faults between contacts
The diagnostic coverage of the output circuit mainly depends on whether feedback monitoring is implemented for the actuators. As shown in Figure 4, the status of contactors K1 and K2 controlling the servo power circuit is connected to the safety controller via normally closed contacts. Before starting the output, the safety controller first checks whether the two normally closed contacts are closed. If they are open, it indicates that the main contacts of K1 and K2 are stuck together, and the safety controller will stop the output and issue an alarm. Using this direct feedback monitoring method, DC can reach 99%. However, if only the status of either K1 or K2 is monitored, DC will be significantly reduced. The calculation formula is as follows:
(1)
It can be seen that if the feedback of K2 is not monitored, then... If K1 and K2 use the same components, then... This will cause the final DCavg to decrease to 49.5%.
It is important to note that, since the safety controller diagnoses a fault in the contactor's main contacts by monitoring the state of the contactor's external normally closed contact, that normally closed contact must accurately reflect the state of the normally open main contacts. With a typical contactor, if the normally open contacts weld together while the coil is de-energized, the normally closed contact still remains in its initial (i.e., closed) state. In this case the external fault cannot be diagnosed even with feedback monitoring, i.e., DC = 0. Solving this problem requires well-tried safety principles or components. This design uses a contactor with mechanically linked (positively guided) contacts, whose internal structure is shown in Figure 8.
Figure 8. Contactor or relay with mechanical linkage structure
As shown in Figure 8, all contacts inside the contactor or relay are directly connected by linkages. This ensures that if any main contact fails (such as through welding), the auxiliary contact will inevitably disconnect. This guarantees the accuracy of feedback monitoring.
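The 49.5% figure above follows from the averaging formula ISO 13849-1 Annex E uses for DCavg: each component's DC is weighted by its failure rate (1/MTTFd), so an unmonitored contactor with the same MTTFd as the monitored one halves the average. The Python below is an added example, not the paper's code; the MTTFd values are constructed, and only the structure (two contactors K1 and K2, monitored or not, mechanically linked or not) comes from the paper. The `contactor_dc` helper also encodes the DC = 0 case for a contactor without a mechanical linkage discussed under Figure 8.

```python
"""Average diagnostic coverage (DCavg) of the output circuit, per ISO 13849-1 Annex E.

Added example, not the paper's code. Formula (ISO 13849-1 Annex E):
    DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)
The MTTFd values are constructed for illustration.
"""
import math
from typing import Iterable, Tuple


def dc_avg(components: Iterable[Tuple[float, float]]) -> float:
    """components: (DC, MTTFd in years) for every element in the channel."""
    components = list(components)
    numerator = sum(dc / mttfd for dc, mttfd in components)
    denominator = sum(1.0 / mttfd for _, mttfd in components)
    return numerator / denominator


def dc_level(dc: float) -> str:
    """DC class per ISO 13849-1: none < 60% <= low < 90% <= medium < 99% <= high."""
    if dc >= 0.99:
        return "high"
    if dc >= 0.90:
        return "medium"
    if dc >= 0.60:
        return "low"
    return "none"


def contactor_dc(feedback_monitored: bool, mechanically_linked: bool) -> float:
    """DC the safety controller can claim for one power contactor's main contact."""
    if not feedback_monitored:
        return 0.0
    # Without a mechanical linkage the NC auxiliary contact stays closed when
    # the main contact welds (Figure 8 discussion), so monitoring sees nothing.
    return 0.99 if mechanically_linked else 0.0


MTTFD_CONTACTOR_YEARS = 100.0   # constructed value, identical for K1 and K2


def output_circuit_dcavg(monitor_k1: bool = True, monitor_k2: bool = True,
                         mechanically_linked: bool = True) -> float:
    """DCavg of the K1/K2 output stage for a given monitoring arrangement."""
    return dc_avg([
        (contactor_dc(monitor_k1, mechanically_linked), MTTFD_CONTACTOR_YEARS),
        (contactor_dc(monitor_k2, mechanically_linked), MTTFD_CONTACTOR_YEARS),
    ])


if __name__ == "__main__":
    for k1, k2, linked in ((True, True, True), (True, False, True), (True, True, False)):
        dc = output_circuit_dcavg(k1, k2, linked)
        print(f"monitor K1={k1} K2={k2} linked={linked}: DCavg={dc:.1%} ({dc_level(dc)})")
    # With unequal MTTFd the weighting matters: the less reliable component dominates.
    print(f"unequal MTTFd: DCavg={dc_avg([(0.99, 50.0), (0.0, 100.0)]):.1%}")
```

Monitoring both linked contactors gives DCavg = 99% (high); monitoring only K1 gives 49.5%, which is below the 60% threshold and therefore counts as no diagnostic coverage at all in the standard's classification; using non-linked contactors gives 0% regardless of monitoring.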
4 System Reliability Verification
After the safety system has been assembled, the final step is to calculate whether the reliability of the safety loop meets the predetermined requirement. The reliability verification for this design follows ISO 13849-1. This standard applies not only to electronic and electrical systems but also to mechanical, hydraulic, and pneumatic systems; because servo presses rely on several such systems working together, it is the most suitable standard. Once the system structure and parameters have been determined, the reliability of the safety loop can be estimated with the standard's lookup tables.
In this safety stop circuit design, since an external contactor is used to cut off the servo drive, the actual safety circuit consists of three parts: the emergency stop, the safety relay, and the contactor.
(2)
Because of the complex internal structure of safety controllers, users cannot calculate their reliability values themselves; these values are therefore usually provided by the component manufacturer. This article uses the Pilz PNOZ s5 safety relay as the logic controller.
To calculate the parameters of the other two components, formulas 3 and 4 are needed. Both the emergency stop button and the contactor operate by contact switching, so their parameters are calculated from these formulas.
(3)
(4)
This refers to the number of times a component would activate when 10% of its components experience a dangerous failure; this figure must be provided by the component supplier. The values represent the number of component activations per year, the number of operating days per year for the equipment, the number of operating hours per day for the equipment, and the interval between two activations of the safety element.
Assuming that during actual operation of the press, personnel typically press the emergency stop button twice a day, and the press operates for 300 days a year in two shifts (16 hours a day), the calculated number of operations per year is 400. If the emergency stop button's rated value from formula 4 is 200,000 cycles, the calculated mean time to dangerous failure is approximately 5,000 years. The system is built according to the structure described in Chapter 3: the input circuit reaches Category 4 with a diagnostic coverage of 99%. Provided the common cause failure requirements are met, the result can be read from the appendix table of ISO 13849-1.
For the output, if the contactor's rated value is likewise 200,000 cycles and the other parameters remain unchanged, the PFHd of the output circuit (the contactors) is calculated to be 9.06 x 10⁻¹⁰/h. The entire emergency stop safety circuit thus achieves the highest performance level, PLe, meeting the established requirement.
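The parameter calculations in this chapter (operations per year, MTTFd from the B10d-type rating in formula 4, the series combination of the three subsystems, and the PL band) are short enough to carry through in code. The Python below is an added example, not the paper's code: the 400 operations/year, the 200,000-cycle rating and the contactor PFHd of 9.06 x 10⁻¹⁰/h are the paper's figures, the PFHd values for the button and the safety relay are labelled placeholders (in practice they come from the manufacturer, as the paper says), and the light curtain case is a constructed contrast showing how strongly the demand rate drives MTTFd.

```python
"""Reliability parameters of the emergency stop loop per ISO 13849-1 (added example).

Formulas, all from ISO 13849-1:
    n_op  = d_op * h_op * 3600 / t_cycle        operations per year
    MTTFd = B10d / (0.1 * n_op)                 years
    PFHd of subsystems in series = sum of their PFHd; PL from the PFHd band.
The paper gives n_op = 400/year, a 200,000-cycle rating and a contactor PFHd
of 9.06e-10/h; the other PFHd values below are placeholders, not manufacturer data.
"""
import math


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Operations per year from working days, hours per day and seconds between demands."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, n_op_per_year: float) -> float:
    """Mean time to dangerous failure (years) of a wearing component such as a contactor."""
    return b10d / (0.1 * n_op_per_year)


def cap_mttfd(mttfd_years: float, category: int) -> float:
    """ISO 13849-1:2015 limits the MTTFd used per channel to 100 years, or 2500 years for Category 4."""
    return min(mttfd_years, 2500.0 if category == 4 else 100.0)


def performance_level(pfhd: float) -> str:
    """PL from PFHd (1/h) using the bands of ISO 13849-1."""
    bands = (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
             ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4))
    for pl, lower, upper in bands:
        if lower <= pfhd < upper:
            return pl
    raise ValueError(f"PFHd {pfhd:g}/h is outside the PL table")


def estop_loop_pfhd() -> float:
    """Sum the three series subsystems of the paper's loop: button, safety relay, contactors."""
    pfhd = {
        "estop_button": 3.0e-9,    # PLACEHOLDER, constructed for the example
        "safety_relay": 8.0e-9,    # PLACEHOLDER, manufacturer value in practice (paper: Pilz PNOZ s5)
        "contactors": 9.06e-10,    # value stated in the paper
    }
    return sum(pfhd.values())


if __name__ == "__main__":
    # Paper's figures: 400 demands/year and a 200,000-cycle rating -> 5,000 years.
    raw = mttfd_from_b10d(200_000, 400)
    print(f"E-stop button MTTFd: {raw:.0f} years, usable {cap_mttfd(raw, 4):.0f} years (Cat. 4)")
    # Constructed contrast: a light curtain interrupted every 30 s during loading.
    demands = n_op(300, 16, 30)
    print(f"light curtain: {demands:.0f} demands/year -> MTTFd "
          f"{mttfd_from_b10d(2_000_000, demands):.1f} years")
    total = estop_loop_pfhd()
    print(f"loop PFHd {total:.3g}/h -> PL {performance_level(total)}")
```

The contrast case is the practical point: a component with a rating ten times higher than the emergency stop button still ends up with an MTTFd of under 35 years if it is demanded every 30 seconds, so the operating profile assumed in formula 3 must reflect how the press is really used, not a nominal figure.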
5 Conclusion
This article starts with the emergency stop function commonly used in servo presses and introduces the common safety stop function failure problems in ordinary servo drives. By adding a safety controller, changing the system structure, and increasing diagnostic coverage, the reliability of the safety stop loop is improved. Other basic safety functions on servo presses, such as safety interlocks and safety light curtains, can also be integrated into the control loop in this way, significantly improving the safety performance of the servo control section. Furthermore, this method can be used to improve the reliability of most other servo-controlled devices, not just servo presses. With the increasing emphasis on safety, it is believed that the application of adding safety systems to servo drives or directly integrating safety functions within servo drives will become increasingly widespread.