Drive and Motor Safety
CMAFH Drive For Technology 2010
Gary Thrall, Senior Product Support Engineer, Bosch Rexroth Corporation
Safety on Board: Integrated, certified and consistent
Drive and Motor Safety: Overview
- New European Standards
- IndraDrive safety functions according to the new standards (IndraDrive C/M)
- Coming soon: IndraDrive Cs with L4 option (STO and SBC)
Passport into the European Community market (EEA)
The Machine Builder must satisfy the European Machinery Directive (EC). By fulfilling the harmonized standards, the manufacturer can assume that the safety aspects of the Machinery Directive are met:
- EN ISO 13849-1 (replacing EN 954-1)
- EN 62061
- EN 61800-5-2
Change of Safety Standards: Today
- Machine Builder / European Machinery Directive: 98/37/EG valid until December 2009; 2006/42/EG the valid standard from January 2010
- EN 954-1: valid standard with a transition period of 3 years starting November 2006, extended by 2 more years
- EN ISO 13849-1 (since November 2006) and EN 62061 (since January 2006): valid standards
- Components: EN 61800-5-2 (since November 2007) and IEC 61508: valid standards
Performance Level of EN ISO 13849-1:2006
The Performance Level is defined by:
- Category (architecture), identical to EN 954-1 and the C-standards
- MTTFd (mean time to dangerous failure in one channel):
  Low:    3 years <= MTTFd < 10 years
  Medium: 10 years <= MTTFd < 30 years
  High:   30 years <= MTTFd < 100 years
- DC (Diagnostic Coverage, the share of detected failures):
  None:   DC < 60 %
  Low:    60 % <= DC < 90 %
  Medium: 90 % <= DC < 99 %
  High:   99 % <= DC
- CCF (common cause failures affecting both channels)
- Measures against systematic failures
Performance Level of EN ISO 13849-1:2006
A Performance Level d can be achieved by either of these combinations:
- Cat. 3 with DCavg = medium and MTTFd = medium, or
- Cat. 2 with DCavg = medium and MTTFd = high
EN 62061 and EN 13849-1: SIL versus PL
SIL (IEC 61508 / IEC 62061-1) | PFHd, probability of dangerous failure per hour (1/h) | PL (ISO 13849)
-                             | >= 10^-5 to < 10^-4                                   | a
1                             | >= 3 x 10^-6 to < 10^-5                               | b
1                             | >= 10^-6 to < 3 x 10^-6                               | c
2                             | >= 10^-7 to < 10^-6                                   | d
3                             | >= 10^-8 to < 10^-7                                   | e
4                             | < 10^-8                                               | -
IEC 61508 / EN 62061: electrical, electronic and programmable systems; calculation formula for subsystem architectures.
ISO 13849: all technologies; simplified estimation (worst case) based on the HW structure (Category as in EN 954), Diagnostic Coverage (DC), reliability (MTTFd) and common cause failures (CCF).
PFHd = probability of a dangerous failure per hour.
Performance Level in total
The Performance Level of the combination of SRP/CS 1 ... SRP/CS 9 (each Category 3, each with its own PL 1 ... PL 9) follows from the sum of the PFH values:
PFH_total = PFH_Sensor + PFH_IO + PFH_SafetyPLC + n x PFH_Drive
Example with Category 3 components and n = 6 drives:
PFH_total = 2.29 x 10^-7 + 4.29 x 10^-8 + 2.47 x 10^-8 + 6 x 4.29 x 10^-8 = 5.54 x 10^-7 < 10^-6 -> PL d
Result: EN ISO 13849-1:2006 Category 3, PL d
SafeMotion: More than just Switching Off!
The evolution of safety technology: from a safety reaction (switching off) to a safety condition (SafeMotion).
Electric Drives and Controls 2008-11-07; BRC/SPM; J. Ost
Conventional versus Integrated
Conventional safety solution: controller enable, an external monitoring unit (standstill, speed, ...) with its own additional feedback, and two-channel switching-off between drive and motor.
Drive-integrated safety technology: channel 1 and channel 2 are implemented inside the drive, which evaluates the motor encoder feedback itself.
Safety On Board with IndraDrive
Note: only Safe Torque Off in BASIC.
Three principles are realized to detect latent failures:
- Dual-channel data operation with diversity
- Cross data comparison of safety related functions
- Dynamization of static modes
Due to this method one single failure may not deactivate the safety function -> Category 3 (the recommended safety level in most guidelines).
A risk analysis by the machine builder and end user is required in accordance with Annex I of the European Community Directive for machines 98/37/EG.
Encoders with only a TTL interface or only a serial interface are not allowed for integrated safety technology functions. All encoders with 1 Vpp signals (e.g. EnDat, HIPERFACE, ...) and all resolvers supported by the encoder interface can be used for integrated safety technology. It is always the feedback at the X4 connector that is evaluated.
Selection of safety functions
SafeMotion, functional safety in automation technology, covers control and communication: Safe Control and Safe Communication (PROFIsafe, SERCOS III Safety).
Drive option S2 with 24 V / 24 V selection: two channels (channel 1, channel 2) with auto set-up and a two-channel interrupt of the motor.
Drive option S2 with safe communication: the safety function is selected over the safe bus, again with two channels, auto set-up and a two-channel interrupt.
Safety on Board: Functional Safety
Safe Torque Off (option L2): STO selected at X41 using 24 V / 24 V or 24 V / 0 V; channel 1 and channel 2 act on the power section (X31/X32). One L2 PFH value, independent of the control (opener/closer or opener/opener contacts).
Safe Motion (option S2): SLS selected at X41 using 24 V / 24 V, or via SERCOS / 24 V; channel 1 and channel 2 share common parts and the transducer. One S2 PFH value, independent of the control and of the safety technology feature used; a separate PFH value applies to the feedback.
Preliminary information: Safe Torque Off PFH = 2 x 10^-9 1/h; Safe Motion PFH (drive and feedback) = 5 x 10^-8 1/h.
Functional Safety According to ISO 13849-1
Verification with SISTEMA, using a library for certified and standard components.
Certified components (safety switches, safety I/O and safety PLC to IEC 61508; safety drives such as IndraDrive to IEC 61800-5-2) and standard components (input, I/O, PLC, drive) are combined as SRP/CS 1 ... 9, each with its own PL, and evaluated together to ISO 13849.
Certification according to new Standards
Safe Motion to EN 954-1: IndraDrive, since 2004 more than 100,000 installed drives, Category 3.
Development project for the new standards (IEC 61508): hardware modification of the control units
CSH.-L1-. -> CSH.-L2-.
CSH.-S1-. -> CSH.-S2-.
CSB.-L1-. -> CSB.-L2-.
CDB.-L1-. -> CDB.-L2-.
CDB.-S1-. -> CDB.-S2-.
Deliverable since July 2009; new firmware version MPX07VRS.
SafeMotion Preliminary Data: Safe Torque Off (L2)
- EN ISO 13849-1:2006: Category 3, PL = e
- IEC 61508, EN 62061:2005, EN 61800-5-2:2007: SIL 3
- PFHd = 2 x 10^-9 1/h
- MTTFd = 100 years (limitation by standard)
- Mission time = 20 years
The PFH values are based on a 100 % duty cycle (24 h / 365 days).
SafeMotion Preliminary Data: Safe Motion (S2)
- EN ISO 13849-1:2006: Category 3, PL = d
- IEC 61508, EN 62061:2005, EN 61800-5-2:2007: SIL 2
- PFHd Drive = 3 x 10^-8 1/h
- PFHd Feedback = 2 x 10^-8 1/h (Stegmann / Heidenhain motor feedback)
- MTTFd = 100 years (limitation by standard)
- Mission time = 20 years
To calculate the MTTFd value for a drive and feedback combination: add the PFH values and then convert the sum into an MTTFd value. Do not add the MTTFd values, since each is already limited to 100 years.
The PFH values are based on a 100 % duty cycle (24 h / 365 days).
SafeMotion Preliminary Data
Read against the SIL / PFHd / PL comparison table (EN 62061 and EN 13849-1), the preliminary data for IndraDrive Safety on Board are:
- Safe Torque Off: PFHd = 2 x 10^-9 1/h = 2 % of the maximum SIL 3 value
- Safe Motion: PFHd (drive and feedback) = 5 x 10^-8 1/h = 5 % of the maximum SIL 2 value
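As an added example (not part of the presentation), the PFH arithmetic from the "Performance Level in total" slide and the MTTFd conversion rule from the S2 preliminary data slide, in Python. It assumes MTTFd is the plain reciprocal of the summed PFHd at the 100 % duty cycle (8760 h/year) the slides state, and that a PFHd below 10^-8 still satisfies PL e.

```python
# Added example: combine component PFHd values, map the total to an
# ISO 13849-1 Performance Level, and convert PFHd to a capped MTTFd.
# Assumptions: MTTFd = 1 / (PFHd * 8760 h) and a 100 % duty cycle.

HOURS_PER_YEAR = 24 * 365          # 100 % duty cycle (24 h / 365 days)
MTTFD_CAP_YEARS = 100.0            # EN ISO 13849-1 limits MTTFd to 100 years

# PL bands from the EN 62061 / EN ISO 13849-1 comparison slide: (lower, upper, PL)
PL_BANDS = [
    (1e-5, 1e-4, "a"),
    (3e-6, 1e-5, "b"),
    (1e-6, 3e-6, "c"),
    (1e-7, 1e-6, "d"),
    (1e-8, 1e-7, "e"),
]

# Upper PFHd limit per SIL (IEC 61508 / EN 62061); a value must stay below it
SIL_MAX_PFH = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}


def pfh_total(sensor, io, safety_plc, drive, n_drives):
    """PFH_total = PFH_Sensor + PFH_IO + PFH_SafetyPLC + n x PFH_Drive."""
    return sensor + io + safety_plc + n_drives * drive


def pl_from_pfh(pfh):
    """PL reachable by PFHd alone; Category, DC and CCF must still be met."""
    if pfh >= 1e-4:
        return None                # worse than PL a: no PL reachable
    for lower, upper, pl in PL_BANDS:
        if lower <= pfh < upper:
            return pl
    return "e"                     # below 10^-8 (assumption: PL e has no lower bound)


def fraction_of_sil_limit(pfh, sil):
    """Share of the maximum PFHd allowed for a SIL (slide: 2 % and 5 %)."""
    return pfh / SIL_MAX_PFH[sil]


def mttfd_years(pfh, cap=MTTFD_CAP_YEARS):
    """Convert PFHd (1/h) into MTTFd in years, capped as the standard requires."""
    return min(1.0 / (pfh * HOURS_PER_YEAR), cap)


def combined_mttfd_years(*pfh_values):
    """Drive + feedback: add the PFHd values first, then convert (never add MTTFd)."""
    return mttfd_years(sum(pfh_values))


if __name__ == "__main__":
    total = pfh_total(2.29e-7, 4.29e-8, 2.47e-8, 4.29e-8, 6)
    print(f"PFH_total = {total:.3g} 1/h -> PL {pl_from_pfh(total)}")
    print(f"STO 2e-9 = {fraction_of_sil_limit(2e-9, 3):.0%} of the SIL 3 limit")
    print(f"S2 drive+feedback MTTFd = {combined_mttfd_years(3e-8, 2e-8):.0f} years")
```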
IEC 61800-5-2: New Terminology (not all available)
EN 61800-5-2:2007, functional safety for speed variable drives:
STO  Safe Torque Off
SS1  Safe Stop 1
SS2  Safe Stop 2
SOS  Safe Operating Stop
SMD  Safely-monitored Deceleration 1)
SLA  Safely-limited Acceleration
SAR  Safe Acceleration Range
SLS  Safely-limited Speed
SSR  Safe Speed Range
SSM  Safe Speed Monitor
SMS  Safe Maximum Speed 1)
SLI  Safely-limited Increment
SDI  Safe Direction
SLP  Safely-limited Position
SMP  Safely-monitored Position 1)
SBC  Safe Brake Control
SBS  Safe Braking and Holding System 1)
SLT  Safely-limited Torque
STR  Safe Torque Range
SMT  Safe Motor Temperature
SCA  Safe Cam
1) Not defined in IEC 61800-5-2
Terms of EN 61800-5-2: New Terminology (available)
EN 61800-5-2:2007, functional safety for speed variable drives (C-standard). New terms and definitions compared with the Rexroth safety function names of the EN 954-1 era:
Rexroth safety function (EN 954-1)              | Option | IEC 61800-5-2 term                  | Abbr.
Safety related starting lockout                 | L2     | Safe Torque Off                     | STO
Safety related standstill                       | S2     | Safe Stop 1                         | SS1
Safety related operational stop                 | S2     | Safe Stop 2                         | SS2
Safety related operational stop                 | S2     | Safe Operating Stop                 | SOS
Safety related drive interlock                  | S2     | Safe Stop 1 (Emergency Stop)        | SS1-ES
Safety related monitored stopping process       | S2     | Safely-Monitored Deceleration *1    | SMD
Safety related reduced speed                    | S2     | Safely-Limited Speed                | SLS
Safety related limited increment                | S2     | Safely-Limited Increment            | SLI
Safety related direction of motion              | S2     | Safe Direction                      | SDI
Safety related absolute position                | S2     | Safely-Monitored Position           | SMP
Safety related absolute end position            | S2     | Safely-Limited Position             | SLP
Safety related control of a door locking device | S2     | Safe Door Locking *1                | SDL
Communication via PROFIsafe                     | S2     | Safe Communication *1               | SCO
Safety related in-/outputs via PROFIsafe        | S2     | Safe I/O *1                         | SIO
Safety related braking and holding system       | S2     | Safe Braking and Holding System *1  | SBS
*1 Not defined in EN 61800-5-2
Drive-Integrated Safety Features
- Safe Torque Off (STO)
- Safe Stop 1 (SS1)
- Safe Stop 1 - Emergency Stop (SS1-ES)
- Safe Stop 2 (SS2, SOS)
- Safely Monitored Deceleration (SMD)
- Safely Limited Speed (SLS)
- Safe Maximum Speed (SMS)
- Safely Limited Increment (SLI)
- Safe Direction (SDI)
- Safely Monitored Position (SMP)
- Safely Limited Position (SLP)
- Safe Door Locking (SDL)
- Safe I/O interface for Safety-PLC (SIO)
- New: Safe Braking and Holding System (SBS)
Drive Based Safety Functions: Safe Torque Off (STO)
Safe Torque Off (stop category 0*): from t0 the drive is torque-less; power is cut safely (pulse inhibit).
* according to EN 60204-1
Drive Based Safety Functions: Safe Stop 1 (SS1) / Safe Stop 2 (SS2)
SS1, controlled stopping according to stop category 1*: monitored stopping from t0, control- or drive-controlled with safe deceleration; torque-less standstill of the drive at t1, power is cut safely (STO).
SS2, controlled stopping according to stop category 2*: monitored stopping from t0, control- or drive-controlled; controlled standstill after stopping at t1, no power off (SOS).
* according to EN 60204-1
Drive Based Safety Functions: Safely Limited Speed (SLS) / Safely Limited Increment (SLI)
Within the safe mode a safely limited speed and / or a safely limited increment can be enabled (enabling device). If the speed / increment monitoring window is violated, the drive is safely stopped automatically in accordance with stop category 1.
Drive Based Safety Functions: Safe Direction (SDI)
In addition a safe direction (right, left) can be defined. If the direction changes, the drive is safely stopped automatically in accordance with stop category 1.
Drive Based Safety Functions: Safe Maximum Speed (SMS 1))
The monitoring of a safely limited maximum speed is always active, regardless of the operation mode of the drive (automatic / manual mode). If the parameterized maximum speed is exceeded, the drive is safely stopped automatically in accordance with stop category 1.
1) Not defined in IEC 61800-5-2
Drive Based Safety Functions: Safely Monitored Position (SMP 1))
In the safe operation mode a working area (absolute position between position 1 and position 2) can be defined. If the parameterized working area is left, the drive is safely stopped automatically in accordance with stop category 1.
1) Not defined in IEC 61800-5-2
Drive Based Safety Functions: Safely Limited Position (SLP)
Active in normal and safe operation mode:
- The drive is not able to cross the parameterized position limits (negative and positive limit switch)
- The drive is stopped automatically, at maximum deceleration, when the available deceleration torque would not be sufficient to stop the load before the parameterized position area is left; at v_max this happens further away from the limit than at lower speeds
Offers cost savings by replacing hardware position limit switches.
Drive Based Safety Functions: Safely Monitored Deceleration (SMD)
Safety in the stopping process: NC-controlled stopping process with safely monitored deceleration.
Braking of coupled drives: it may occur that individual axes must still accelerate in order to stop the total movement.
Safe stop in a defined time t1 due to the predictive behavior of the drive: the drive checks each cycle whether it is still possible to stop within the time t1. If this is not possible, for example because of a wrong set point from the control, the drive takes over the braking.
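The predictive check behind SLP and SMD, as an added illustration in Python rather than the drive's own firmware logic. It assumes a constant maximum deceleration a_max (standing in for the available deceleration torque), straight-line kinematics, and constructed sample values in mm, mm/s, mm/s^2 and s; the real drive also accounts for its cycle time and load.

```python
# Added example: predictive stop check for SLP (position limits) and SMD
# (stop within t1). Assumption: constant max deceleration a_max, no load model.

def stopping_distance(v, a_max):
    """Distance travelled until standstill when braking from speed v with a_max."""
    return v * v / (2.0 * a_max)


def stopping_time(v, a_max):
    """Time needed to reach standstill from speed v with deceleration a_max."""
    return abs(v) / a_max


def slp_must_stop(position, v, a_max, neg_limit, pos_limit):
    """SLP: the drive must brake now if the braking distance from the current
    speed no longer fits before the limit in the direction of travel."""
    if v == 0:
        return False                      # nothing is moving, nothing to brake
    remaining = (pos_limit - position) if v > 0 else (position - neg_limit)
    return stopping_distance(v, a_max) >= remaining


def smd_drive_takes_over(v, a_max, t1, elapsed):
    """SMD: in each cycle the drive checks whether standstill can still be reached
    within the remaining part of t1; if not (e.g. a wrong set point from the
    control), it takes over the braking itself."""
    return stopping_time(v, a_max) > (t1 - elapsed)


def simulate_smd(setpoints, a_max, t1, cycle):
    """Walk per-cycle speed set points from the control and return the cycle
    index at which the drive takes over braking (None if the control brakes
    the axis in time). Set points are constructed sample data."""
    for i, v in enumerate(setpoints):
        if smd_drive_takes_over(v, a_max, t1, i * cycle):
            return i
    return None


if __name__ == "__main__":
    # constructed: axis at 940 mm moving +500 mm/s, a_max 2000 mm/s^2, limits 0..1000 mm
    print(slp_must_stop(940.0, 500.0, 2000.0, 0.0, 1000.0))   # needs 62.5 mm, has 60
    print(slp_must_stop(900.0, 500.0, 2000.0, 0.0, 1000.0))   # 100 mm available
    # control ramps 500 -> 400 mm/s too slowly for t1 = 0.3 s at a 0.05 s cycle
    print(simulate_smd([500, 480, 460, 440, 420, 400], 2000.0, 0.3, 0.05))
```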
Safety on Board: Safe Braking and Holding System
Safe braking and holding system, a new milestone. Safe Braking and Holding System (SBS):
- Fall protection for axes with gravity loads
- Operator protection in special operating mode
- World's only on-board solution which complies with EN ISO 13849-1 Cat. 3 PL d and EN 62061 SIL 2
- Two independent brakes, separately controlled and monitored by redundant, diverse channels in the drive
- Escalation strategy to protect the mechanical subsystems
- Active also after the energy has been cut by an emergency stop
Safety on Board: Safe Braking and Holding System
During automatic operation the machines and equipment are running at full speed without operators. During special operation mode persons may be present in the machine, following special safety precautions, for:
- Configuration
- Measuring
- Troubleshooting
Vertical or inclined axes can present a danger even when they are switched off and come down inadvertently.
Safety on Board: Safe Braking and Holding System
- Fall protection of gravity-loaded axes
- Personal protection of operators during special operation mode
- Safe braking and holding system effective even after energy cut-off through emergency stop
Safety on Board: Safe Braking and Holding System
The safe braking and holding system is based on two independent brakes which are separately controlled and monitored by the redundant, diversified channels in the drive (IndraDrive, HAT). Its building blocks: safe energy cutting, two-channel selection of the safety feature (e.g. safely-monitored deceleration), two-channel control of the brakes, safe feedback, and universal integration of different brake types.
SafeMotion: functional safety in automation technology
IndraDrive with safety functions, a convincing technology:
- Safety technology made by experts with more than 10 years of field experience
- Scalable safety functions minimize the potential for tampering and therefore reduce the hazard of injury caused by bypassing the safety measures
- Increased productivity by reducing downtime
- Online testing (failure detection) during runtime
- Cost savings by reduction of external components and wiring
- Minimal movement in case of emergency, by detecting failures within 2 ms
- High reliability due to an encapsulated, certified solution
- Stand-alone operation, whether hard-wired, with or without a safety PLC
Coming Soon: Safe Torque Off for IndraDrive Cs
Safe Torque Off (L4), a new type code to distinguish different features:
- IndraDrive Cs with the L4 option is currently expected to go from EW to PT (available for sale) by end of May 2010; certification by TÜV Rheinland is expected to be done by then.
- The L4 option will include STO (Safe Torque Off) and SBC (Safe Brake Control). SBC is 2-channel control of the standard holding brake, so that if there is a short in either wire or a failure in one channel, the brake will still be applied.
- The L4 STO circuit is completely redesigned compared with L1/L2: it has a safe mode within a test period, the test pulse is < 1 ms, and with on-line dynamization no acknowledgement contact is needed to meet Cat. 4, PL e, SIL 3. The lifetime issue of the relay contact in L1/L2 is gone.
- The L4 connector is no longer a D-sub; it is a 6-pin cage clamp connector with a separate clamp for the incoming and outgoing wire at each pin, so up to 25 axes can be daisy-chained. Just daisy-chain 4 terminals with discrete wires from one drive to the next. This eliminates the cable management issues of the ribbon cable in the previous design, and is easier and less expensive.
Coming Soon: Safe Torque Off for IndraDrive Cs, wiring examples
SS1 function for a single axis in combination with an external safety switching device (Category 4, PL e, SIL 3, time-delayed): reset input, +24 V, dynamized 24 V outputs with a < 1 ms test pulse, emergency stop; IndraDrive Cs STO option (Category 4, PL e, SIL 3). Signals: feedback, 24 V STO selection Ch1, 24 V STO selection Ch2, E-Stop, 0 V ground for Ch1 and Ch2, or NC stop; selection via 2 NC contacts.
Single-channel STO selection via a single-pole switching device: single-pole switching device of Category 3, PL d, SIL 2 with positive-opening contact according to EN 60947-5-1, dynamized 24 V outputs with a < 1 ms test pulse, IndraDrive Cs STO option (Category 4, PL e, SIL 3); selection via 1 NC contact.
SS1 function for multiple axes with an external safety switching device and external wiring: STO option of the 1st drive and the 2nd drive; 24 V STO selection Ch1 / Ch2 and 0 V ground for Ch1 and Ch2 passed from drive to drive.
SBC function: SBC selection Ch 1 and Ch 2 (24 V / 0 V), selection Ch1 / Ch2 at the STO option, non-safe control of the brake from the standard firmware OR brake 24 V / brake 0 V.
Safety on Board and Safe Motion: Additional Resources
- www.boschrexroth.com/safety
- http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp (or just Google "IFA SISTEMA") for the BGIA software to calculate PFHd and Performance Level to ISO 13849
- www.boschrexroth.com/mediadirectory for downloadable manuals, including the Safety on Board Application Manual
- Bosch Rexroth Safety on Board hands-on workshop, next scheduled for April 21st and 22nd in Hoffman Estates (more to follow)
Functional Safety with Safety on Board
Unexpected movements are a risk for human and machine. Safety on Board: always on the safe side.