Motion-based machines are running more axes at higher speeds and faster accelerations. This creates a demand for machines that move safely and that also satisfy regulations and competitive pressures. Once a primary safety mechanism, interlock switches are now obsolete because operators often need access with open guards for setup or clearing jams. When guards are open, motion must be controlled at safe limits to prevent injury to personnel and damage to equipment.

Consider a stacking sequence that is misordered or that has misaligned products. Those products that aren't restacked and reordered create a dangerous situation when a palletizing robot moves several hundred pounds back and forth. To fix this, an operator enters the protective guarding while the machine runs at limited torque and speed. The operator jogs one or two axes at slow speed and holds others at a safe standstill. Setup, inspecting workpieces, and clearing machine jams are addressed this way too.

Drive-integrated safety

When machines operate at high speed, safety devices must react quickly to faults, bringing equipment to a safe speed or complete stop. In the case of an axis accelerating at 1 m/sec² (achieving full speed in a fraction of a second), emergency safety devices must react in milliseconds.

One solution uses discrete, external circuits and controls to limit motion. However, this adds an extra safety layer, increasing design complexity and often resulting in a “non-standard” solution. Furthermore, these “add-ons” aren't necessarily optimized for best performance.

Another solution to safety involves PLCs that replace conventional hard-wired relays. But these safety PLCs have relatively slow scan rates and follow a lengthy path from sensor to PLC and back, delaying reaction times.

The best solution is placing the safety responsibility in the drive for autonomous monitoring. Autonomous monitoring allows for fast reaction times — without delays between the drive and controller. Fast reaction times correspond directly to reduced axis movement, while slow reaction times correspond to incorrect positioning moves.

A case in point is contact-based verification: By the time an operator in a protected zone responds to an error, a linear axis with roller ball spindles can move four to eight inches, and linear motors up to 31 in. However, by integrating safety control in the drive, errors are detected within milliseconds, limiting axis moves to one or two millimeters. This is up to 400 times faster than a controller-based solution.

Safety functions that integrate directly into intelligent drives also eliminate PLCs and CNCs and maintain the drive's footprint. Drive-based safety technology operates independently of supervisory control systems and therefore does not require contactors on the main power or motor power lines or additional external speed-monitoring devices. Drives with safety onboard also eliminate additional hardware and I/O, cutting wiring and installation costs.

Distributed intelligence is key

In a motion control system, processing power is classified as centralized or distributed — the difference being its location. With centralized intelligence, finite PLC processing power is divided among all axes. The processing power available for each axis diminishes as axes are added. With distributed intelligence, processing power is added each time an axis is added. The processing power available for each axis remains constant (because it resides in the axis itself).

Thanks to advances in micro-electronic design, intelligence can move outward to sensors, motors, drives, and other components. In simple cases, this intelligence is rudimentary. For example, sensors can consolidate data about temperature trends and send an alarm if thresholds are exceeded. In more complicated cases, an intelligent drive handles complex camming, monitoring, and other processor-intensive functions. Drive processing power provides all control and housekeeping functions of the driven axis and synchronizes other drives. The central PLC becomes a supervisor that initiates recipes and job parameters and communicates upward in the factory network.

While many solutions provide a “safe stop,” it is equally important to stop in a controlled manner. Rather than simply removing power, drive-integrated safety functions actually control motion, providing quick and orderly stops. Depending on the application, drives can decelerate axes at the best possible or fastest speed. Drives can also be de-energized to remove all torque, or can be held in position under energy for jogging at safely reduced speeds.

Dual-channel monitoring

From the signal-level perspective, drive safety looks like this: Two independent channels transmit and process all safety-related information. Both the primary and secondary channels are located in the basic drive unit; however, the secondary channel is an optional safety module. Each constantly compares its data with the other's to ensure correct safety parameters are in place. Deviations result in errors, whereby the drive enters safety mode and axes are brought to a standstill. This safety channel cross-checking easily identifies problems such as:

  • Safety function activated on only one system

  • Wrong safety function activated

  • Different monitoring parameters

  • Faulty safety function

  • Accidental hardware and software errors
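
The cross-check described above, sketched in C as an added example (not code from the article or from any drive vendor). The type names, fault codes, and the speed-limit comparison standing in for a faulty safety function are assumptions, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical safety functions and fault codes; names are illustrative,
   not taken from any drive's firmware. */
typedef enum { FN_NONE, FN_SAFE_STANDSTILL, FN_SAFE_REDUCED_SPEED } safety_fn;
typedef enum { XC_OK, XC_ONE_CHANNEL_ONLY, XC_WRONG_FUNCTION,
               XC_PARAM_MISMATCH, XC_LIMIT_VIOLATED } xcheck_result;

typedef struct {
    safety_fn active_fn;     /* safety function this channel is running  */
    int32_t   limit_mm_min;  /* monitoring parameter: safe speed limit   */
    int32_t   speed_mm_min;  /* axis speed as measured by this channel   */
} channel_state;

static int32_t magnitude(int32_t v) { return v < 0 ? -v : v; }

/* Compare both channels with each other and with the requested function.
   Any result other than XC_OK must bring the axis to a standstill. */
xcheck_result cross_check(safety_fn requested,
                          const channel_state *a, const channel_state *b)
{
    /* Safety function activated on only one system */
    if ((a->active_fn == FN_NONE) != (b->active_fn == FN_NONE))
        return XC_ONE_CHANNEL_ONLY;
    /* Wrong safety function activated */
    if (a->active_fn != requested || b->active_fn != requested)
        return XC_WRONG_FUNCTION;
    /* Different monitoring parameters */
    if (a->limit_mm_min != b->limit_mm_min)
        return XC_PARAM_MISMATCH;
    /* Assumed stand-in for a faulty function: limit exceeded while active */
    if (requested != FN_NONE &&
        (magnitude(a->speed_mm_min) > a->limit_mm_min ||
         magnitude(b->speed_mm_min) > b->limit_mm_min))
        return XC_LIMIT_VIOLATED;
    return XC_OK;
}

int main(void)
{
    /* Constructed sample: 2 m/min safe speed; channel B holds a stale limit */
    channel_state a = { FN_SAFE_REDUCED_SPEED, 2000, 1500 };
    channel_state b = { FN_SAFE_REDUCED_SPEED, 5000, 1500 };
    printf("cross-check result code: %d\n",
           (int)cross_check(FN_SAFE_REDUCED_SPEED, &a, &b));
    return 0;
}
```

The ordering of the checks matters: a channel that never activated is reported before parameter differences, so the fault code points at the earliest stage that diverged.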

Machines are set to safe operation via the dual channels (on the drive) by changing the mode switch from normal to special. After all selected drives switch to safe status, the master holds the protective door interlock open so an operator can enter safely. Drive-based safety is advantageous because it eliminates the need to implement power protection in the network and motor feed areas. Operators can also switch to the special operating mode from any location while drives remain in position-monitoring mode.

Once at a safe standstill, operators can jog axes at safely reduced speeds for setup, maintenance, troubleshooting, or repair. If axes carrying heavy weights are located in the access area, dropping is an additional danger. After a request for access, the drive tests the corresponding holding brake function before enabling the protective door to be held open. While someone is underneath the axes, both the safe operation stop and tested brake operate in parallel so that redundant stopping systems prevent uncontrolled falling of the axes. Access request signals connect redundantly to the drive, which internally monitors limits using redundant software and hardware modules.

Productive and flexible

Productivity demands call for minimal setup and machine downtime. As such, drive-integrated safety lets a machine return to normal production in little time. Because power isn't removed from the drive, it returns to work without waiting for capacitors to recharge or for the operator to recover from an emergency stop. Also, without a loss of position, machines don't have to “home” before restarting production.

All machines have different safety requirements. To accommodate various machines, drive-integrated systems offer flexible, password-protected safety parameters. For example, printing equipment may limit safe speed to 5 m/min, while general automation equipment may limit safe speed to 2 m/min. General guidelines exist, but machine builders usually conduct their own hazard analysis to determine specific safety values. Machine safety can also be pre-certified so OEMs don't have to worry about the certification process.

For more information, contact Bosch Rexroth at (800) 739-7684, visit www.boschrexroth-us.com, or email the editor at ctelling@penton.com.

Designed to meet European safety standards

Before machine builders or OEMs put a machine into circulation in Europe, manufacturers must analyze risks that may occur during use, in accordance with the European Machine Guideline. For uncontrolled machine movements, risk analysis must include duration and frequency within the hazardous area, escapes for the operator, and severity of injuries. The resulting analysis can be used to define the safety category for safety-related components in accordance with EN 954-1.

EN 954-1 is a European standard for safe operation at open guarding. The standard contains several classifications of machine components' ability to withstand faults. In Europe, demand is growing for equipment that meets EN 954-1 safety guidelines. For international OEMs, EN 954-1 compatible equipment is a competitive advantage.

This standard defines several categories, or levels, of safety. Category B is the basic requirement on which all other categories are built. Basic requirements involve selecting components so the safety system withstands fundamental conditions, such as operating stresses, vibration, or process materials (fluids and other agents). This category does not require safety systems to operate after a fault. On the other hand, Category 3 safety, or single-fault safety, means that a single fault, detected by cyclic tests, doesn't lead to a loss of the safety function.