EN 61800-5-2: more than just Safe Torque Off

19 January 2016

Ross Fenion offers an insight into the application of the safe motion standard EN 61800-5-2. 

Safety functions in the field of motion are often reduced to a single bullet point announcing that safe torque off (STO) is integrated into a drive.  However, with the increase of electronically driven motion control to consider the safety functions, and assess whether they are suitable for the application and the electronics being using.

Stop functions are found are in both EN 60204 and ISO 13849 and define the same three stop functions with different titles:  Stop Category 0 (Safe torque off), stop category 1 (safe stop 1), and stop category 2 (safe stop 2), today technology enables these functions to be integrated into the drive and enables a large number of more flexible stop and safety limiting options. Servo amplifiers with integrated safety functions, in accordance with EN 61800-5-2 are now available, providing simpler solutions, even for complex safety requirements. 

EN 61800-5-2 provides a systematic method to identify the safety function enabled by a motion control system and assists in the design and verification to ensure that it meets the required safety performance. The standard divides safety functions into stop functions, Safe motion functions, and Safe braking functions. 

Safe stop functions
Safe Torque Off (STO): The power to the motor is safely removed, so that no further movement is possible. It is not necessary to monitor standstill. If an external force effect is to be anticipated, additional measures should be provided to safely prevent any potential movement. This safety function corresponds to a category 0 stop (uncontrolled stop) in accordance with IEC 60204-1. If the function is triggered during operation, the motor will run down in an uncontrolled manner, which is why this function is generally used as a safe reset lock or in conjunction with the safety function SS1. Modern servo amplifiers include an integrated safe shutdown path, so safe devices are now available that prevent unexpected start-up and shut down safely in the case of danger. 

Safe Stop 1 (SS1):  Defined motor braking is part of the safety function. When the motor is at standstill, the STO function is triggered. This safety function corresponds to a category 1 stop (controlled stop) in accordance with IEC 60204-1. In many applications, drives cannot simply be shut down because they would then run down slowly, which could cause a hazard. Also, an uncontrolled run down of this type often takes considerably longer than controlled axis braking. 

The safe stop 1 function (SS1) monitors controlled braking of the axis directly within the servo amplifier. Once the set braking ramp has run its course, the drive is shut down safely. The reaction times are reduced compared with external monitoring solutions; as a result, in many cases the safety distances to the danger points can also be reduced. This provides a number of benefits, such as improved ergonomics for the plant operator, space savings due to the reduced distance between the guards and the danger points and, last but not least, cost savings.

Safe Stop 2 (SS2): Defined motor braking is part of the safety function. When the motor is at standstill, a safe operating stop (SOS) is triggered.  The motor at standstill is in closed loop operations. The standstill position is held precisely. This safety function corresponds to a category 2 stop (controlled stop) in accordance with IEC 60204-1. If the axes no longer need to be shut down at standstill, they will actively hold their current position, so the synchronisation between axes and process is no longer lost. 

As a result, the axes can be restarted immediately. The drive-integrated function leads to shorter reaction times, thereby minimising the risks. The monitoring functions’ response times have a direct influence on the potential channels available until a safety shutdown occurs. As the reaction times are used in the calculation of the safety distances, the benefits listed for the safe stop 1 function also apply here.

Safe motion functions
Modern drive solutions not only examine how axes are switched on and off, but also look at the potential risks that may arise during operation of the axes.  

Safe Operating Stop (SOS): This monitors the standstill position while the motor is in a controlled loop status. Once the safety function has been lifted, the production or machining process can be continued with no loss of precision. This function is generally used in combination with a safe stop 2 (SS2) function, as standstill monitoring usually involves a braking process. 

The limit value can be specified as both a speed threshold and a position window. Application of the SOS function is generally intended for the standstill phases of a process. 

Safely Limited Speed (SLS): In practice, this safety function is often applied as safely reduced speed. Defined transition from the operating speed in automatic mode to the reduced speed in setup mode must be guaranteed. If the monitoring function detects that the limit value has been violated, the drive must be shut down safely. 

Operators must be protected from any hazard that would lead to an uncontrolled axis start-up in the event of an error. When the safely limited speed (SLS) function is used for these jog functions, the solution provides the shortest possible reaction time in the event of an error. 

Safe Speed Range (SSR):  This can be used to monitor a safe minimum speed, as well as an upper limit Safe speed range (SSR) can generally be used for permanent process monitoring. Risks cannot always be eliminated by limiting the capacity for speeds to suddenly increase. Speeds that reduce suddenly due to an error can also present a risk. If axes are operating at a defined distance, a speed that drops abruptly on just one of the two axes may create a risk of crushing. SSR would be used to shut down the relevant axes, eliminating any hazard to the machine operator.

Safely Limited Torque (SLT) and Safe Torque Range (STR):  Torque measuring systems are not widely used on standard drives, but servo drive technology provides the option for indirect measurement via the motor current. The motor current is proportional to the motor’s force or torque, so the hazard resulting from a hazardous movement is limited. 

Safely Limited Position (SLP): Safe position monitoring ensures that the motor does not exceed a preset position limit value. If a limit value is violated, the motor is braked using a safe stop. The stopping performance achievable from a technical point of view must be taken into account. Below the limit value there are no restrictions in terms of acceleration or speed of the motor. Absolute position detection is required for this safety function. 

Safely Limited Increment (SLI):  The motor is allowed to travel a permitted distance following a start command. A safe stop function must be triggered once the limit value is reached. If the permitted distance is exceeded, this must be detected and the drive must be safely brought to a standstill. Encoder systems with relative measurement are sufficient for this safety function.

Safe Direction (SDI):  This prevents the motor from moving in an invalid direction. This safety function is frequently used in combination with SLS in setup mode. Here too, the drive-integrated solution enables the fastest possible shutdown.

Safe Cam (SCA): A safe output signal indicates whether the motor is positioned inside a specified range. These ranges are absolute position windows within a motor rotation. The basic function involves safe monitoring of absolute positions, which is why appropriate sensor systems must be used.

Safe Speed Monitoring (SSM): This is closely related to SLS. However, if a limit value is violated there is no functional reaction from the components that are monitored, merely a safe message that can be evaluated and processed by a higher level safety control system. On one side the control system can perform more complex reaction functions, while on the other; the safety function can be used for process monitoring.

Safely Limited Acceleration (SLA) and Safe Acceleration Range (SAR): Safety functions relating to acceleration monitoring are not widely. In servo drive technology, Ferraris sensors are used to detect acceleration only in special applications of machine tools or printing machinery. Standard drives cannot process these signals in their control loops; monitoring of these acceleration signals is very complex in practice

Safe brake functions
Functions related to holding brakes and service brakes have been summarised under the heading of safe brake functions.

Safe Brake Control (SBC): This supplies a safe output signal to drive an external mechanical brake. The brakes used must be ‘safety brakes,’ in which a quiescent current operates against a spring. If the current flow is interrupted, the brake will engage. Control modules frequently include a power reduction feature when the brake is released to reduce energy consumption or brake heating. 

A safe brake test will detect errors during operation, depending on the risk analysis. Holding brakes and service brakes are often used on axes with suspended loads. Along with the brake, the brake drive is another key component in terms of the safety function. The SBC function is generally used to control the holding brake activated once an axis is at standstill.

Safe Brake Test (SBT):  In many cases, simply controlling a holding brake safely is not enough to make a vertical axis safe. If the wearing, mechanical part of the brake is not maintained regularly, it cannot be guaranteed that the holding brake will apply the designated braking action in the event of danger. The SBT function provides an automatic test which replaces previous measures that could only be implemented through organisational and manual operations. 

More than Safe Torque Off
As more motion is electronically regulated, safe motion will play an increasing role in machinery safety where the advantages of safe working could be realised; not only benefiting workers through a safer working environment but also the overall company by increasing production and reducing down time. 

It is important to note that while safety functions on drives can be of great benefit; they do not represent a complete safety solution. The entire system must be considered when assessing the overall safety. 

Ross Fenion is business development manager for drives and motion control at Pilz.

Contact Details and Archive...

Related Articles...

Additional Information...

Print this page | E-mail this page