Position-measurement systems optimized for safety can simplify the task of meeting IEC standards.
Safety is a rapidly growing topic. New legislation along with tightened national and international safety standards focus not only on protecting humans, but material assets and the environment. This emphasis on safety has made position-measuring systems more important. These systems help report machine status and impaired condition and thus play vital roles in maintaining safe conditions.
The first international safety standard for machine operation was established by the European Committee for Standardization (CEN) in 1992. EN 954-1 established a procedure for the selection and design of safety systems for machinery through a five-step process: performing a hazard analysis and risk assessment, establishing approved methods to reduce risk, detailing the specific safety requirements of the control system, specifying the overall design and human-interface needs, and providing methods to validate the system for safe operation. It also identified several safety-related functions and parameters such as stop, emergency stop, manual reset, start and restart, response time, local control, the fluctuation, loss and restoration of power sources, muting of alerts, and manual overrides of safety-related functions.
Improvements in processors and programmable systems led to a revision of the EN 954-1 standard. Its deterministic approach was inadequate for new machinery. The successor, EN ISO 13849, incorporates reliability of components and programmable codes similar to IEC 61508 and its derived-product standards, such as IEC 62061 for electrical drives.
Moving axes are a potential danger that inspires designers to integrate mandatory safety functions directly in the drive. One trend that has emerged is the purely digital transmission of position values from encoder to the control. As a result, it takes more-complex electronic systems in both the drive control and encoders to acquire position data. Position encoders need entirely new techniques to meet stringent updated safety standards for machine and manufacturing systems.
One safety-related position-sensing technique uses redundant position values. Two independent position sensors verify and confirm the accuracy of the reading and act as backup should one fail. Genuine dual-channel redundancy means installing two encoders per axis. But the cost involved is an incentive for finding a way to safely use a single encoder. Until now, single encoders were analog devices generating sine and cosine signals. But there are advantages to redundant position values acquired via digital transmission from a single encoder. While the cost of a digital-transmission encoder is higher, it is offset by simpler interface electronics in the controller. In addition, the encoders can diagnose themselves, perform self-configuration, and rapidly form the position value.
Examples of single encoders with dual-channel redundancy and digital data acquisition are the Heidenhain ExN 400 and ExN 1300 Series. Designed for safety-related applications and tested to IEC 61508 and EN ISO 13849, the Heidenhain encoders sport a pure serial interface using the EnDat 2.2 specification. Because their subsystems are already qualified, the encoders let developers of safety-related systems use a modular approach to their designs.
The position-measuring subsystem consists of the encoder itself with the EnDat 2.2 transmitter, the transmission line for EnDat 2.2 communication, and the EnDat 2.2 receiver component or EnDat Master. Entire "safe drives" include the safety-related position-measuring system, a safety-related control with EnDat Master monitoring functions, the power stage with motor power cable and drive, and the mechanical coupling between the encoder and drive.
Developers must integrate position-measuring subsystems into the complete system. The encoder mechanically couples to the drive via the shaft coupling. The EnDat master sits in the safe control to ensure electrical integration with its monitoring functions.
The encoder safety system transmits two mutually independent position values along with additional error-checking bits produced in the encoder to the EnDat Master using the EnDat 2.2 protocol. The EnDat Master checks the data stream for errors in the encoder and during transmission. It compares the two position values for any discrepancies. If there are no errors, the EnDat Master sends both position values and any mutually independent error bits to the safe control over two processor interfaces. In return, the safe control periodically tests the safety-related position measuring system via the EnDat Master.
The EnDat 2.2 protocol conducts all safety-related tests and information transfers during the period of "unconstrained" operation when the controller is basically idling. Thus safety issues are handled in what appears to be a background mode. Safety-related information such as self-diagnostic results and operational status is tacked on to the position value as additional information. The control can request the additional information every sampling cycle along with the actual position. So the architecture of the entire position-measuring system is regarded as a single-channel tested system according to IEC 61508.
Besides measuring position, the Heidenhain safety-related systems can also handle other safety-related functions such as stop, controlled stop, limited jog increment, reduced linear or rotational speed, limited absolute position, and limits on torque and power. A point to note is that the standard specifies certain facets of how safety-related position-measuring systems integrate with the safety system of a drive or a machine. For example, the safe control must support two independent interfaces in a dual-channel structure. For the Heidenhain system, that means two EnDat Masters feeding two different microprocessors.
Errors force the control to switch to a safe condition that depends on the application. So the drive or control manufacturer usually develops the error handling strategy.
The safe control evaluates position values and error bits on the fly. Examples of items monitored include servo lag, standstill monitoring, and the comparison of the two position values. And several times daily the control undergoes automated forced dynamic sampling tests. Forced testing means the error bits are intentionally triggered and the reactions noted. Any forced bit that fails to trigger the proper response from the drive gets noted and should send the control back to a safe condition.
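The monitoring logic described above (comparing the two independent position values, evaluating the error bits, servo lag and standstill, and forcing each error bit to confirm the drive reacts) can be modelled as a small state machine. The following is a constructed example added here for illustration; it is not Heidenhain's EnDat Master or safe-control code and does not implement the EnDat 2.2 frame format. The thresholds, the error-bit names, and the `Drive` stand-in for the reaction path are all assumptions.

```python
"""Constructed model of the safe-control monitoring described in the article:
compare two independent position values, evaluate error bits, servo lag and
standstill, and run a forced dynamic test of the error bits. Not Heidenhain
code; thresholds, bit names and the Drive stand-in are assumptions."""
from dataclasses import dataclass, field

RUN, SAFE_STOP = "RUN", "SAFE_STOP"  # SAFE_STOP stands for the application-defined safe condition

# Error bits as seen by the control (constructed names, not EnDat 2.2 identifiers)
ERROR_BITS = ("POS1_ERROR", "POS2_ERROR", "TRANSMISSION_ERROR")


@dataclass(frozen=True)
class Sample:
    """One sampling cycle: the two independent position values (encoder counts)
    plus any error bits delivered with them."""
    pos1: int
    pos2: int
    error_bits: frozenset = frozenset()


class Drive:
    """Stand-in for the drive's reaction path. The safe control requests a stop
    and must see it confirmed; reacts=False models a broken reaction path."""
    def __init__(self, reacts=True):
        self.reacts = reacts
        self.stopped = False

    def request_safe_stop(self):
        if self.reacts:
            self.stopped = True
        return self.stopped


@dataclass
class SafeControl:
    drive: Drive
    max_discrepancy: int = 4     # tolerated difference between the two channels (counts), assumed
    max_servo_lag: int = 50      # tolerated commanded-vs-actual difference (counts), assumed
    standstill_window: int = 2   # tolerated movement per cycle while standstill is demanded, assumed
    state: str = RUN
    faults: list = field(default_factory=list)

    def evaluate(self, sample, commanded=None, standstill=False, previous=None):
        """Evaluate one cycle and return the fault reasons found. Any fault switches
        the control to the safe condition and requests a stop from the drive."""
        reasons = []
        if sample.error_bits:
            reasons.append("error bits: " + ",".join(sorted(sample.error_bits)))
        if abs(sample.pos1 - sample.pos2) > self.max_discrepancy:
            reasons.append("channel discrepancy")
        if commanded is not None and abs(commanded - sample.pos1) > self.max_servo_lag:
            reasons.append("servo lag")
        if standstill and previous is not None and abs(sample.pos1 - previous.pos1) > self.standstill_window:
            reasons.append("movement during standstill")
        if reasons:
            self.state = SAFE_STOP
            self.faults.extend(reasons)
            self.drive.request_safe_stop()
        return reasons

    def forced_dynamic_test(self, good_sample):
        """Assert each error bit on an otherwise good sample and check that the
        drive confirms the stop. Returns the bits whose forced assertion produced
        no reaction (empty list = test passed); the control returns to RUN only on pass."""
        failed = []
        for bit in ERROR_BITS:
            self.state, self.drive.stopped = RUN, False
            self.evaluate(Sample(good_sample.pos1, good_sample.pos2, frozenset({bit})))
            if not self.drive.stopped:
                failed.append(bit)
        self.drive.stopped = False
        self.state = SAFE_STOP if failed else RUN
        return failed


if __name__ == "__main__":
    ctrl = SafeControl(Drive())
    print(ctrl.evaluate(Sample(1000, 1002), commanded=1010))   # channels agree: no faults
    print(ctrl.evaluate(Sample(1000, 1020)))                  # channel discrepancy -> SAFE_STOP
    print(SafeControl(Drive()).forced_dynamic_test(Sample(1000, 1002)))              # passes
    print(SafeControl(Drive(reacts=False)).forced_dynamic_test(Sample(1000, 1002)))  # every bit fails
```

The forced test is the part worth noting: it exercises the reaction path rather than the detection path, so a drive that silently ignores a stop request is caught even though the control's own comparison logic is sound.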
A safe control must also go back into a safe mode if it detects mechanical defects that could be unsafe. For example, it should detect a shaft or coupling break, a static misalignment from one shaft to the other, and any dynamic slip between shafts.
Original article by Thilos Schlicksbier, Dr. Johannes Heidenhain GmbH, Traunreut, Germany