drive and motor safety

1Electric Drives and Controls 2009-02-26; BRC/SPD G. Kobs© Alle Rechte bei Bosch Rexroth AG, auch für den Fall von Schutzrechtsanmeldungen. Jede Verfügungsbefugnis, wie Kopier- und Weitergaberecht, bei uns.

CMAFH Drive For Technology 2010Drive and Motor Safety

Safety on Board –Integrated, certified and consistentSafety on Board –Integrated, certified and consistent

CMAFHDrive For Technology 2010

Drive and Motor Safety

Gary Thrall Senior Product Support Engineer

Bosch Rexroth Corporation


CMAFH Drive For Technology 2010Drive and Motor Safety

New European Standards

IndraDrive safety functions according new standardsIndraDrive C/ M

Coming soon – IndraDrive Cs L4 optionSTO and SBC

Safety on Board –Integrated, certified and consistentSafety on Board –Integrated, certified and consistent


EC

Machine Builder

EN 13849-1 (EN 954-1)EN 62061

EN 61800-5-2

CMAFH Drive For Technology 2010Passport into European Community market (EEA)

European Machinery Directive

Fulfilling harmonized standards the manufacturer can assume that the safety

aspects of the machine directive are met


CMAFH Drive For Technology 2010 Change of Safety Standards

EN ISO 13849-1

December 2009

EN 954-1

EN 61800-5-2

November 2006

November 2007

January 2006

IEC 61508

EN 62061

Valid Standard

Valid Standard Period 3 years

Valid Standard

Valid Standard

Valid Standard

Transition

Mac

hine

Bui

lder

Com

pone

nts

98/37/EG

January 2010

2006/42/EGEuropean Machinery Directive

Today

Extended 2 more years

Transition


CMAFH Drive For Technology 2010Performance Level of EN ISO 13849-1:2006

The Performance Level is defined byCategory (architecture), identical to EN 954-1 and C-StandardsMTTFd (Meantime to dangerous failure in one channel)

DC (Diagnostic Coverage): Share of detected failures

CCF (Common Cause Failures affecting both channels)Measures against systematic failures

Denotation of MTTFd Range of MTTFd

Low

Medium

High

3 years <= MTTFd < 10 years



Denotation of DC Range of DC

None

Low

Medium

DC < 60%

60% <= DC < 90%

90% <= DC < 99%

High 99% <= DC


CMAFH Drive For Technology 2010 Performance Level of EN ISO 13849-1:2006

A Performance Level d could be achieved by:

Cat. 3 Cat. 2DCavg = medium or DCavg . = medium MTTFd = medium MTTFd = high


CMAFH Drive For Technology 2010 EN 62061 and EN 13849-1

-< 10-84

e>= 10-8 to 10-73

d>= 10-7 to 10-62

c>= 10-6 to 3 x 10-61

b>= 3 x 10-6 to 10-51

a>= 10-5 to 10-4-

Performance LevelPL

ISO 13849

Probability of dangerous failure per hour (1/h)

PFHd

Safety Integrity LevelSIL

IEC 61508IE

C 6

2061

ISO

138

49

PFHd – Probability of a dangerous Failure per Hour

All Technologies

Simplified Estimation (worst case)regarding to:

HW Structure (Category like EN 954)Diagnostic Coverage (DC)

Reliability MTTFdFailure of Common Cause (CC)

electrical, electronic and programmable

calculation formula for subsystem architectures


CMAFH Drive For Technology 2010 Performance Level in total

Performance Level of the combination of SRP/CS

PFHtotal = PFHSensor + PFHIO + PFHSafetyPLC + n x PFHDrive

PFHtotal = 2,29 10-7 + 4,29 10-8 + 2,47 10-8 + 6 x 4,29 10-8

PFHtotal = 5,54 10-7 < 10-6 -> PL d

EN ISO 13849-1:2006 Category 3 PL d

SRP/CS1PL1

SRP/CS2PL2

SRP/CS3PL3

SRP/CS4PL4SRP/CS5

PL5SRP/CS6PL6SRP/CS7

PL7SRP/CS8PL8SRP/CS9

PL9

Cat 3 Cat 3 Cat 3

Cat 3

9Electric Drives and Controls 2008-11-07; BRC/SPM; J. Ost© Alle Rechte bei Bosch Rexroth AG, auch für den Fall von Schutzrechtsanmeldungen. Jede Verfügungsbefugnis, wie Kopier- und Weitergaberecht, bei uns.

CMAFH Drive For Technology 2010 SafeMotion - More than just Switching Off!

The evolution of safety technology

Safety reaction

Switching off SafeMotion

Safety condition


CMAFH Drive For Technology 2010Conventional versus Integrated

M

E

G

externalmonitoring

unit(standstill, speed, ...)

controllerenable additional

feedback

Conventional safety solution

Drive

Channel 1

Channel 2

M

E

E two-

chan

nel s

witc

hing

-off

Drive-integratedsafety technology

Drive


3 principles are realized to detect latent failures

Dual channel data operation with diversityCross data comparison of safety related functionsDynamization of static modes

Due to this method one single failure may not deactivate the safety function --> Category 3 (recommended Safety level in most guidelines)A risk analysis by the machine builder and end user is required in accordance to Annex I of the European Community Directive for machines 98/37/EG

CMAFH Drive For Technology 2010Safety On Board with IndraDrive

Note: - only Safe Torque Off

in BASIC

Encoders with only TTL interface or only serial interface are not allowed for integrated safety technology functions.

All encoders with 1 Vpp signals (e. g. EnDat, HIPERFACE,...) and all resolvers supported by the encoder interface can be used for integrated safety technology. It is always the feedback at X4 connector that is evaluated.


SafeMotion – Functional Safety in Automation Technology

CMAFH Drive For Technology 2010Selection of safety functions

Channel 1

Communication

M

E

Channel 2E

Control

Option S224V / 24V

Auto Set-up

Two.

-cha

nnel

inte

rruptChannel 1

Communication

M

E

Channel 2E

Control

Option S224V / 24V

Auto Set-upAuto Set-up

Two.

-cha

nnel

inte

rrupt

Drive

Channel 1

Safe Communication(Profisafe, SERCOS III Safety)

M

Channel 2

E

SafeControl

Option S2Safe communication

Auto Set-upAuto Set-up

Two-

chan

neli

nter

rupt

Drive


CMAFH Drive For Technology 2010 Safety on Board - Functional Safety

channel 2

channel 1

X41

X41

channel 2

channel 1

transducer

X41

SERCOScommon

parts

STO using 24V / 24V or 24V / 0V

SLS using SERCOS / 24VOne L2 PFH value independent from control (opener / closer, opener / opener)

One S2 PFH value independent from the control and the safety technology feature.Separate PFH value for the feedback

power section

channel 2

channel 1

transducer

X41

X31/X32common

parts

SLS using 24 V/ 24V

Safe Torque Off Safe Motion

Preliminary information

Safe Torque Off:PFH = 2 * 10 -9 1/h

Safe Motion:PFH drive and feedback = 5 * 10 -8 1/h


CMAFH Drive For Technology 2010 Functional Safety According to ISO 13849-1

safety switches safety I/O safety PLC safety drives

Certified components

Standard components

SRP/CS1PL1

SRP/CS2PL2

SRP/CS3PL3

SRP/CS4PL4

SRP/CS5PL5

SRP/CS6PL6

SRP/CS7PL7

SRP/CS8PL8

SRP/CS9PL9

S

S

input PPCDP SIIDP

safety switches I/O PLC

IndraDrive

K1

IEC 61508 IEC 61508IEC 61508

IEC 61800-5-2

ISO 13849

ISO 13849Drive



Standard components

SRP/CS1PL1

SRP/CS2PL2

SRP/CS3PL3

SRP/CS4PL4

SRP/CS5PL5

SRP/CS6PL6

SRP/CS7PL7

SRP/CS8PL8

SRP/CS9PL9

S

S

input PPCDP SIIDP


IndraDrive

K1

IEC 61508 IEC 61508IEC 61508

IEC 61800-5-2

ISO 13849

ISO 13849Drive



Standard components

SRP/CS1PL1

SRP/CS2PL2

SRP/CS3PL3

SRP/CS4PL4

SRP/CS5PL5

SRP/CS6PL6

SRP/CS7PL7

SRP/CS8PL8

SRP/CS9PL9

S

S

input PPCDP SIIDP


IndraDrive

K1

IEC 61508 IEC 61508IEC 61508

IEC 61800-5-2

ISO 13849

ISO 13849Drive



Standard components

SRP/CS1PL1

SRP/CS2PL2

SRP/CS3PL3

SRP/CS4PL4

SRP/CS5PL5

SRP/CS6PL6

SRP/CS7PL7

SRP/CS8PL8

SRP/CS9PL9

S

S

input PPCDP SIIDP


IndraDrive

K1

IEC 61508 IEC 61508IEC 61508

IEC 61800-5-2

ISO 13849

ISO 13849Drive

Verification with SISTEMALibrary for certified and standard components


CMAFH Drive For Technology 2010 Certification according to new Standards

Safe Motion EN

954

-1IE

C 6

1508

IndraDriveSince 2004 more than 100,000

installed drivesCategory 3

Development project “New Standards”

Hardware Modification of Control UnitsCSH….-L1-…. -> CSH….-L2-…. CSH….-S1-…. -> CSH….-S2-….CSB….-L1-…. -> CSB….-L2-…. CDB….-L1-…. -> CDB….-L2-…. CDB….-S1-…. -> CDB….-S2-….

New Firmware Version MPX07VRS

Deliverable since July 2009


CMAFH Drive For Technology 2010 SafeMotion – Preliminary Data

Safe Torque Off (L2):

EN ISO 13849-1:2006 Category 3 PL = e

IEC 61508EN 62061:2005EN 61800-5-2:2007 SIL3

PFHd = 2 * 10 -9 1/h

MTTFd = 100 years (limitation by standard)

Mission Time = 20 years

The PFH values are based on a 100% duty cycle (24h/ 365 days)



Safe Motion (S2):

EN ISO 13849-1:2006 Category 3 PL = d

IEC 61508EN 62061:2005EN 61800-5-2:2007 SIL2

PFHd Drive = 3 * 10 -8 1/hPFHd Feedback = 2 * 10 -8 1/h (Stegmann/ Heidenhain motor feedback)

MTTFd = 100 years (limitation by standard)

Mission Time = 20 years

To calculate the MTTFd value for a drive and feedback combination: Add the PFH values and convert then into a MTTFd value. Do not add the MTTFd values since they are limited to 100 years.

The PFH values are based on a 100% duty cycle (24h/ 365 days)



Preliminary Data for IndraDrive, Safety on Board

Safe Torque Off: PFHd = 2 * 10 -9 1/h = 2 % of max. SIL3 value

Safe Motion: PFHd Drive and feedback = 5 * 10 -8 1/h = 5 % of max. SIL2 value

-< 10-84

e>= 10-8 to 10-73

d>= 10-7 to 10-62

c>= 10-6 to 3 x 10-61

b>= 3 x 10-6 to 10-51

a>= 10-5 to 10-4-

Performance LevelPL

ISO 13849

Probability of dangerous failure per hour (1/h)

PFHd

Safety Integrity LevelSIL

IEC 61508

IEC

620

61

ISO

138

49


CMAFH Drive For Technology 2010 IEC 61800-5-2 – New Terminology (not all available)

SCASafe Cam

SMTSafe Motor Temperature

STRSafe Torque Range

SLTSafely-limited Torque

SBS 1)Safe Braking and Holding System

SBCSafe Brake Control

SMP 1)Safely-monitored Position

SLPSafely-limited Position

SDISafe Direction

SLISafely-limited Increment

SMS 1)Safe Maximum Speed

SSMSafe Speed Monitor

SSRSafe Speed Range

SLSSafely-limited Speed

SARSafe Acceleration Range

SLASafely-limited Acceleration

SMD 1)Safely-monitored Deceleration

SOSSafe Operating Stop

SS2Safe Stop 2

SS1Safe Stop 1

STOSafe Torque Off

1) N

ot d

efin

ed in

IEC

618

00-5

-2

EN 61800-5-2: 2007 Functional safety for speed variable drives


CMAFH Drive For Technology 2010 Terms of EN 61800-5-2 – New Terminology (available)

EN 61800-5-2: 2007 Functional safety for speed variable drives (C-standard)New terms and definitions

EN 954-1 Rexroth Safety functionsSafety option IEC 61800-5-2 Terms Abk.

Safety related starting lookout L2 Safe Torque off STOSafety related standstill S2 Safe Stop 1 SS1Safety related operational stop S2 Safe Stop 2 SS2Safety related operational stop S2 Safe Operating Stop SOSSafety related drive interlock S2 Safe Stop 1 (Emergency Stop) SS1 ESSafety related monitored stopping process S2 Safely-Monitored Deceleration *1 SMDSafety related reduced speed S2 Safely-Limited Speed SLSSafety related limited increment S2 Safely-Limited Increment SLISafety related direction of motion S2 Safe Direction SDISafety related absolute position S2 Safely-Monitored Position SMPSafety related absolute end position S2 Safely-Limited Position SLPSafety related control of a door locking device S2 Safe Door Locking *1 SDLCommunication via PROFIsafe S2 Safe Communication *1 SCOSafety related in-/outputs via PROFIsafe S2 Safe I/O *1 SIOSafety related braking and holding system S2 Safe Braking and Holding System 1 SBS

*1 Not defined in EN 61800-5-2


CMAFH Drive For Technology 2010Drive-Integrated Safety Features

Safe Torque Off (STO)Safe Stop 1 (SS1)Safe Stop 1 - Emergency Stop (SS1-ES)Safe Stop 2 (SS2, SOS)Safely Monitored Deceleration (SMD)Safely Limited Speed (SLS)Safe Maximum Speed (SMS)Safely Limited Increment (SLI)Safe Direction (SDI)Safely Monitored Position (SMP)Safely Limited Position (SLP)Safe Door Locking (SDL)Safe I/O interface for Safety-PLC (SIO)Safe Braking and Holding System (SBS)new


Safe Torque off (Stop Category 0*)

Drive is torque-lessPower is cut safely (pulse inhibit)

v

tt0

Safe Torque Off (STO)

CMAFH Drive For Technology 2010 Drive Based Safety Functions

* according to EN 60204-1



Safe Stop 1 (SS1) / Safe Stop 2 (SS2)

Controlled Stopping according to stop category 1* (SS1)

monitored stopping, control or drive controlled with safe decelerationTorque-less standstill of the drivesPower is cut safely (STO)

Controlled Stopping according to stop category 2* (SS2)

monitored stopping, control or drive controlledcontrolled standstill after stopping, no power off (SOS)

* according to EN 60204-1

v, s tt0 t1

v

tt0 t1



Safely Limited Speed (SLS) / Safely Limited Increment (SLI)

Within the Safe Mode a safely limited speed and / or a safely limited increment can be enabled (enabling device)

In case the speed/increment monitoring window will be triggered the drive will be safely stopped automatically in accordance with the stop category 1.

v, s

v

t

v, s

t

t0 t1 30



Safe Direction (SDI)

In addition a safe direction (right, left) can be defined.

In case the direction changes the drive will be safely stopped automatically in accordance with the stop category 1.

v

t0



Safe Maximum Speed (SMS1)

The monitoring of a safely limited maximum speed is active always, regardless the operation mode of the drive (Automatic/Manual Mode)

In case the parameterized maximum speed will be exceeded the drive will be safely stopped automatically in accordance with the stop category 1.

vMax

t

120

1) Not defined in IEC 61800-5-2


In the safe operation mode a working area (absolute position) can be defined

In case the parameterized working area will be left, the drive will be safely stopped automatically in accordance with the stop category 1.

Position 1 Position 2

Working Area

CMAFH Drive For Technology 2010Drive Based Safety Functions

Safely Monitored Position (SMP1)

1) Not defined in IEC 61800-5-2



s

v v max

Max. deceleration

Positive Limit Switch

Negative Limit Switch

Max. deceleration

Safely Limited Position (SLP)active in normal and safe operation mode

- The drive is not able to cross the limited switches- The drive is stopped automatically when the available

deceleration torque would not be sufficient to stop the load before the parameterized position area will be left

Offers cost saving by replacing hardware position limit switch


Safely Monitored Deceleration – safety in the stopping process


n

t1

SMDNC-controlled stopping process with safely

monitored deceleration (SMD)

Braking of coupled drives: It may occur that individual axes must still accelerate, in order to stop the total movement

Safe stop in a defined time due to predictive behavior of the drive

The drive checks each cycle whether it is possible to stop within the time t1. If this is not possible such as by wrong set point of the control, the drive takes over the braking.


Safe braking and holding system – a new milestone

CMAFH Drive For Technology 2010Safety on Board - Safe Braking and Holding System

Safe Braking and Holding System (SBS)

Fall protection for axes with gravity loads

Operator protection in special operating mode

World’s only on board solution which complies with EN ISO 13849-1, Cat. 3 PL d and EN 62061 SIL 2

Two independent brakes separately controlled and monitored by redundant, diverse channels in the drive

Escalation strategy to protect the mechanical subsystems

Active as well after energy cutting by emergency stop



During special operation modepersons may be present in the machine when following special safety precautions- Configuration- Measuring- Troubleshooting

During automatic operation the machines and equipment are running at full speed without operators

Vertical or inclined axes can even present a danger when they are switched off and inadvertently coming down



• Safe

• Braking and

• Holding system

Effective even after energy cut-off through emergency stop

Fall protection of gravity-loaded axes

Personal protection of operators during special operation mode


The safe braking and holding system is based on two independent brakes which are separately controlled and monitored by the redundant diversified channels in the drive.

two-channel control of the brakes

two-channel selection of the safety feature e.g. safely-monitored deceleration

Safe energy cutting Universal integration of different brake types, e.g.

IndraDrive

Safe feedback

HAT



IndraDrive with safety functions – a convincing technology

CMAFH Drive For Technology 2010SafeMotion – functional safety in automation technology

Safety Technology made by the experts having more than 10 years field experience

Scalable Safety Functions minimize the potential of tampering and therefore reduce the hazard for injury caused by passing the safety measures

Increased productivity by reducing downtime

Online Testing (Failure Detection) during runtime

Cost savings by reduction of external components and wiring

Minimal Movement in case of emergency by detecting failures within 2 ms

High reliability due to an encapsulated, certified solution

Stand-alone – whether wired, or with or without a safety PLC


CMAFH Drive For Technology 2010Coming Soon – Safe Torque Off for IndraDrive Cs

Safe Torque Off (L4): (A new type code to distinguish different features)IndraDrive Cs with L4 option is currently expected to go from EW to PT (available for sale) by end of May 2010

Certification by TÜV Rheinland is expected to be done by then• L4 option will include STO (Safe Torque Off) and SBC (Safe Brake

Control)• SBC is 2-channel control of the standard holding brake so that if there is a

short in either wire or a failure in one channel, the brake will still be applied. • L4 STO circuit is completely redesigned from L1/L2

• has safe mode within a test period. The test pulse is < 1ms. • with on-line dynamization, no need for an acknowledgement contact to meet

Cat. 4, PL e, SIL 3 -- the lifetime issue of the relay contact in the L1/L2 is gone. • L4 connector for is no longer a D-sub

• 6-pin cage clamp connector with separate clamp for incoming and outgoing wire at each pin

• daisy-chain up to 25 axes. Just daisy chain 4 terminals with discrete wires from one drive to the next. This eliminates the cable management issues of the ribbon cable in previous design. Easier and less expensive.


Einpoliges Schaltgerät der Kategorie 3, PL d, SIL 2 mit Zwangsöffnergemäß EN 60947-5-1

IndraDrive CsSTO-Option

Kategorie 4, PL eSIL3

24 V24 V

24 V STO-Anwahl Ch1

24 V STO-Anwahl Ch2

Dynamisierte Ausgänge mit < 1 ms Testimpuls

Einkanalige STO-Anwahl über ein einpoliges Schaltgerät

Anwahl über 1 Öffnerkontakt

0 V Ground für Ch1 und Ch2

CMAFH Drive For Technology 2010Coming Soon – Safe Torque Off for IndraDrive Cs

R eset

R ückm eldung

No tHa lt

Zei t verzögert

IndraDrive CsSTO-Option

Kategorie 4, PL eSIL3

24 V24 V

24 V STO-Anw ahl Ch1

24 V S TO-A nwa hl Ch2

+ 2 4V

E.Stopp

E xternes S iche rh eit s-schaltgerätK ate gorie 4, P L e , SIL 3

Dynam is ierte A usgän ge m it < 1 ms Testim puls

SS1-Funktion einer Achse in Verbindung mit einem Sicherheitsschaltgerät

A nwahl üb er 2 Öffn erkonta kte

oderNC-Stopp

0 V Groun d fü r Ch1 u nd C h2

Single channel STO application over a single pole switch device

SS1 functionality [single axis wired] with an external safety device:

STO-Option

Anwahl Ch1

STO-Option1. Antrieb 2. Antrieb

SS1-Funktion mehrerer Achsen mit Sicherheitsschaltgerät und externer Verdrahtung

Anwahl Ch2

Anwahl Ch1

Anwahl Ch2

24 V24 V

24 V24V

24 V24 V

0 V0 V

SS1 function multiaxis with an external safety device and external wiring

SBC-Funktion

24 V

0 V

ODER

Bremse 24 V

Bremse 0 V

SBC-Anwahl Ch 2

SBC-Anwahl Ch 1

Nicht sichere Ansteuerung der Bremse aus der Standard-FW

SBC Function


CMAFH Drive For Technology 2010Safety on Board and Safe Motion - Additional Resources

www.BoschRexroth.com/safety

http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp or just Google “IFA SISTEMA” for BGIA software to calculate PFHd and Performance Level to IEC 13849

www.BoschRexroth.com/MediaDirectory for downloadable manuals including Safety on Board Application Manual

Bosch Rexroth Safety on Board hands-on workshop – next scheduled for April 21st and 22nd in Hoffman Estates (more to follow)


CMAFH Drive For Technology 2010Functional Safety with Safety on Board

Safety on Board

Always on the safe side

Unexpected movements

Risk for human and machine.

drive and motor safety

Technology

integrated safety

board safety

auch fr den

jede verfgungsbefugnis

motor safetycmafh drive

recommended safety level

board integrated

channel switching