This blog gives an introduction to the use of variable speed drives in machinery safety functions. It is intended to help those who are familiar with a.c. inverter drives but less so with safety-related control systems. It should help the reader to understand the principles and then go on to access the large amount of detailed material which is available about safety-related systems.
The term “Functional Safety” is applied where electrical, electronic or programmable equipment is used to carry out functions which affect human safety. This is a huge topic, which includes diverse applications such as railway signalling and the monitoring and control of large process plant where many people could be at risk in the event of an accident. However most commonly in drive applications it would refer to some kind of machinery, where the control system can be used to prevent a situation where a person would be at risk of injury from the operation of the machinery. A simple example is a safety barrier, which needs to be opened frequently in order to obtain access to part of the machinery, but when it is open the machinery must not be able to operate. A system of sensors and actuators can be designed to detect the state of the barrier and control the machine.
With the availability of intelligent programmable equipment such as PLCs and digital VSDs, safety systems can be more flexible and intelligent than this example, allowing flexible operation whilst still maintaining safety. For example, it might be possible to allow continued operation at reduced speed when a barrier is open, possibly conditional upon a special safety key being operated by a qualified person, or perhaps when that person’s face is recognised, or some other precaution.
The crucial factor with safety functions is that the reliability of the function has to be considerably better than can be achieved by straightforward electrical, electronic or programmable equipment. However good the quality of a conventional electrical or electronic circuit, some component faults can occur which cause it to fail to carry out the required safety function without the fault becoming apparent. Hardware for safety functions therefore has to be designed with self-testing or “fail-safe” features built in. During product development the effects of hardware failures have to be analysed in a Failure Modes and Effects Analysis (FMEA), and potentially dangerous failure modes must be reduced by design to a very low level. The measure used is the PFHd, the average probability of a dangerous failure per hour. For integrity level SIL 3 the PFHd must lie in the band 10^-8 to 10^-7 per hour, so a typical design target at the good end of that band, 10^-8 per hour, means one dangerous failure in 10^8 hours, i.e. roughly one in 11,000 years. Such low failure rates always require special structures in electronic control systems. Note here that we are referring to random failures which occur during the intended working life of the equipment, and not to life expectancy. Parts with known wear-out mechanisms within the intended life of the system can be managed by planned maintenance.
In most applications involving drives the safety of a fixed machine is being addressed, and the most common option is to use two independent channels for the safety function, with cross-checking arranged so that in the event of a discrepancy the drive stops, i.e. the driving torque stops. In most machines this results in a safe state. For a machine like a hoist which could move under gravity without a drive, measures have to be taken to ensure it cannot cause a hazard when the drive torque disappears.
Figure 1 illustrates a basic two-channel safety system, also referred to as a “one out of two” or 1oo2 system, meaning that if either of the two channels requests a stop then the machine stops. This is the most common arrangement for a machinery safety control system. A single fault in either sensor or its signal-conditioning processor does not lead to a loss of the safety function. Note that Figure 1 is a functional diagram only: the “AND gate” at the output is not a simple logic chip, because a single chip would be a single point of failure. It could be a two-channel STO input on the drive, or some other arrangement in which the common-cause failure of a single device is eliminated.
The diagnostic function shown in grey is usually necessary to ensure continuing safety, because without it, although a fault in one channel does not cause the safety function to fail, it would be possible for the machine to continue operating indefinitely with one channel in the unsafe state. A second failure would then lead to a dangerous condition.
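The following is an added example, not code from the original article or from any drive manufacturer: a small C model of the 1oo2 logic of Figure 1 with the cross-checking diagnostic, run through the two-fault sequence the paragraph above describes. The scan time, the discrepancy limit, and the fault-injection scenario are assumptions made for the illustration; in a real drive the two channels run on independent hardware and the final “AND” is the two-channel STO input.

```c
/* Added example, not from the original article: a model of the 1oo2
 * two-channel logic of Figure 1 together with the cross-checking diagnostic.
 * The scan time, discrepancy limit and the fault-injection scenario are
 * assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CYCLE_MS             10u   /* assumed controller scan time */
#define DISCREPANCY_LIMIT_MS 500u  /* assumed: channels may disagree this long before a fault is declared */

typedef struct {
    bool     torque_enabled;  /* true: drive may produce torque */
    bool     fault_latched;   /* diagnostic tripped; cleared only by a manual reset after repair */
    uint32_t discrepancy_ms;  /* how long the two channels have disagreed */
} SafetyState;

/* One scan of the 1oo2 logic. ch_a and ch_b are the two channels' independent
 * evaluations of the same demand (true = "run permitted"). Either channel
 * requesting a stop removes torque, so torque needs BOTH to permit it. */
void safety_scan(SafetyState *s, bool ch_a, bool ch_b, bool diagnostics_enabled)
{
    if (s->fault_latched) {
        s->torque_enabled = false;
        return;
    }
    s->torque_enabled = ch_a && ch_b;

    if (!diagnostics_enabled)
        return;

    /* Cross-check: a lasting disagreement means one channel has failed. */
    if (ch_a != ch_b) {
        s->discrepancy_ms += CYCLE_MS;
        if (s->discrepancy_ms >= DISCREPANCY_LIMIT_MS) {
            s->fault_latched  = true;
            s->torque_enabled = false;
        }
    } else {
        s->discrepancy_ms = 0;
    }
}

/* Constructed scenario: channel A has already failed "stuck at run" (a latent
 * fault that comparison cannot see while the barrier is closed). The barrier
 * is opened and closed once, then channel B suffers the same fault, and the
 * barrier is opened again. Returns true if torque was ever enabled while the
 * barrier was open (the dangerous condition); *fault_latched_out reports
 * whether the diagnostic caught the first fault. */
bool run_two_fault_scenario(bool diagnostics_enabled, bool *fault_latched_out)
{
    /* barrier_closed per step; each step lasts 100 scans (1 s); B fails at step 3 */
    static const bool barrier_sequence[] = { true, false, true, true, false };
    const size_t steps = sizeof barrier_sequence / sizeof barrier_sequence[0];
    SafetyState s = { false, false, 0 };
    bool a_stuck_run = true, b_stuck_run = false, dangerous = false;

    for (size_t step = 0; step < steps; step++) {
        bool barrier_closed = barrier_sequence[step];
        if (step == 3)
            b_stuck_run = true;   /* second, independent failure */
        for (int scan = 0; scan < 100; scan++) {
            bool ch_a = a_stuck_run ? true : barrier_closed;
            bool ch_b = b_stuck_run ? true : barrier_closed;
            safety_scan(&s, ch_a, ch_b, diagnostics_enabled);
            if (!barrier_closed && s.torque_enabled)
                dangerous = true;
        }
    }
    *fault_latched_out = s.fault_latched;
    return dangerous;
}

int main(void)
{
    bool latched;
    bool d1 = run_two_fault_scenario(true, &latched);
    printf("with diagnostics:    dangerous=%d fault_latched=%d\n", d1, latched);
    bool d0 = run_two_fault_scenario(false, &latched);
    printf("without diagnostics: dangerous=%d fault_latched=%d\n", d0, latched);
    return 0;
}
```

With the diagnostic enabled, the first opening of the barrier exposes the disagreement between the stuck channel and the healthy one, the fault latches, and the drive stays disabled through the second failure. With the diagnostic removed, the first opening is still caught by the healthy channel, but the machine restarts with one channel already failed and the second failure then leaves the barrier unguarded.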
The use of embedded processors running firmware and software introduces a new dimension to functional safety. The software does not have random failures, but its complexity means that it is difficult to ensure that it operates as intended under all conditions and sequences of events. This cannot be proven by a test of the complete system as a “black box” – the software has to be written in a well defined language with measures taken to avoid coding errors, and carefully structured in modules which can be specified and tested at every step. It also has to be proven that the modules cannot be affected adversely by other activities in the processor system, and this is difficult if other non-safety code runs on the same processor.
The necessary discipline of creating a clear unambiguous specification, with a test plan, and thoroughly documenting the process, applies both to writing the code and to designing the complete system.
One important control over software quality is to distinguish a “limited variability language” (LVL) from a “full variability language” (FVL). The LVL is restricted to configuring pre-approved modules with well-defined functions in a restricted way so that the result can be tested by a simple sequential test programme. The LVL would have been created using a FVL such as C++ etc., which had undergone a full rigorous design process, and was then locked off beyond access by the LVL programmer.
The ease with which software can be changed also means that a secure system of version control must be in place, including the prevention of unauthorised alterations.
Many safety functions which comprise simple sequences and combinations of inputs to control outputs can be implemented in a PLC with special features to prevent hazards from hardware faults and software errors, i.e. a “safety PLC”. However there are applications where the drive is especially well placed to implement such functions cost-effectively:
The need for rigorous management and implementation of safety system design means that the relevant international standards are complex and dense. In this note we will just look at a few key features of the standards most relevant to machinery safety.
International standards are prefixed ISO or IEC. The European versions adopted by CEN/CENELEC are prefixed EN and carry the same number (for example EN 62061 is the European adoption of IEC 62061). We will refer to the EN versions here. The EN versions have the status of harmonised standards under the EC Machinery Directive, so designing to them gives a presumption of conformity with the Directive’s essential requirements.
EN ISO 12100 describes how the machinery risk assessment should be carried out, resulting in the allocation of safety functions to the control system if necessary. This is an essential precursor to the correct design of the safety-related control, and is the responsibility of the machine designer.
EN 61800-5-2 is the standard for functional safety of power drive systems. It defines a number of functions which are particularly suited to drives, referred to as “designated safety sub-functions”, such as Safe Torque Off (STO), Safely-Limited Speed (SLS) etc. The safety integrity of a complete safety function is measured by its SIL, which for machinery takes values from 1 (lowest) to 3 (EN 61508 also defines SIL 4, but it is not used for machinery control). Since the drive is only a sub-system of the complete safety-related control system, the figure quoted for the drive is referred to as its “SIL capability”.
EN 62061 is a standard for electrical/electronic/programmable control systems of machines, which uses the same SIL metric as EN 61800-5-2.
EN ISO 13849-1 is a standard for safety-related parts of control systems of machines, including non-electrical systems. It uses a different metric, the Performance Level (PL a, lowest, to PL e) together with an architectural Category (B, then 1 to 4). A supplementary standard EN ISO 13849-2 covers “Validation”, which includes guidance on which faults need to be considered and which can be discounted (“fault exclusions”).
The foundation of much standardisation of safety-related electrical/electronic/programmable systems is the EN 61508-# series, parts 1 to 7. These are not in themselves harmonised standards since they cover all systems and not just control systems for machines.
The required SIL or PL for a given safety function is linked to the degree of risk which the function has to mitigate – i.e. the probability and severity of a possible injury. The process of deciding this begins with the risk assessment of the machine, which is described in EN ISO 12100. Rules for deriving the required SIL or PL are given in EN 62061 and EN ISO 13849-1.
The most basic safety function which a drive can offer is STO. An inverter drive controlling an induction motor is particularly suited to this function, because the inverter power stage has to be continually active with a complex and well-controlled PWM switching pattern for most of the power semiconductors in order to produce any torque in the motor. Figure 2 illustrates the basic power structure of the inverter.
The motor needs a rotating magnetic field in order to produce torque, which can only be generated by the six power transistors following a complex and well-defined switching pattern which generates a three-phase voltage set at the output terminals. In the absence of this control pattern, since the power supply to the inverter is DC, there are no faults in the inverter power circuit which can tend to cause torque. The worst case fault would be where two transistors in the opposite poles of two inverter legs conduct unintentionally, as shown by the red arrows in Figure 2. In that case a high uncontrolled current would flow in one motor phase until either the overcurrent protection scheme operated or the inverter was destroyed (the input fuse or breaker clears). None of this gives a rotating magnetic field, so there is no torque generated.
In the case of a permanent magnet or reluctance motor this worst-case fault would cause a temporary alignment torque until the protection device operated. In the limit, the motor could rotate by one pole pitch for a PM motor or half a pole pitch for a reluctance motor.
The interface between the inverter power stage and the drive STO control input has to be designed to maintain the very low probability of an unsafe failure, which would mean that the complex PWM control pattern was inadvertently passed through to the inverter transistors. Typically the arrangement uses some kind of “fail safe” technique, whereby just as in the inverter itself, component failures of all kinds result in a loss of the “Enable” command. There may be two independent channels so that the STO function can be readily interfaced to a two-channel safety controller.
Most of the other drive designated safety functions require some analysis of data such as motor current and/or speed etc. This is typically implemented in a microcontroller, with a second controller continually cross-checking the input and output data and the processor actions, as illustrated in Figure 3. Invariably the result of a discrepancy being detected is that the drive is disabled through the STO function.
The probability of a hardware fault in the dangerous direction is reduced to a tolerable level by having two channels with cross-checking. Input devices such as switches are duplicated to allow the detection of simple “stuck at” errors, and they may be supplied with diversified electrical pulses so that more subtle sneak faults between channels (such as a short between the two wires) can be detected. Basic incremental shaft encoders have a useful inherent feature which allows most faults to be detected: the two pulse tracks have a 90° phase shift, so only one track can change between successive samples, and most errors result in an impossible pulse sequence which can be detected. Digital outputs are checked by regular test pulses which test whether an output intentionally held in the high (true) logic state is still capable of going low; outputs of this kind are referred to as OSSD (Output Signal Switching Device) outputs.
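As an added example, not code from the original article or from any drive vendor, the following C models two of the diagnostics just described: the impossible-transition check on a quadrature encoder, and the OSSD test pulse on a digital output. The encoder sample sequences and the output read-back hooks are constructed for the illustration; a real implementation samples the hardware pins, and any detected error would route to STO.

```c
/* Added example, not from the original article: two of the hardware
 * diagnostics described above, modelled in plain C. The encoder sample
 * sequences and the output read-back hooks are constructed for the
 * illustration; real implementations sample the hardware pins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Quadrature encoder check. Track B is 90 degrees from track A, so the 2-bit
 * state (A<<1 | B) can only move to a neighbouring Gray code:
 * forward 00 -> 10 -> 11 -> 01 -> 00, backward the reverse. A sample in
 * which BOTH tracks changed is an impossible sequence: a missed pulse,
 * a glitch, or a broken connection. */
#define QUAD_INVALID 2
static const int8_t QUAD_TABLE[4][4] = {
    /* prev 00: next 00, 01, 10, 11 */ {  0, -1, +1, QUAD_INVALID },
    /* prev 01 */                      { +1,  0, QUAD_INVALID, -1 },
    /* prev 10 */                      { -1, QUAD_INVALID,  0, +1 },
    /* prev 11 */                      { QUAD_INVALID, +1, -1,  0 },
};

typedef struct {
    uint8_t  state;   /* last sampled 2-bit state */
    int32_t  count;   /* accumulated position */
    uint32_t errors;  /* impossible transitions seen; any non-zero value should trigger STO */
} Quadrature;

/* Feed one sample of the two tracks; returns false on an impossible transition. */
bool quad_step(Quadrature *q, bool a, bool b)
{
    uint8_t next = (uint8_t)((a ? 2 : 0) | (b ? 1 : 0));
    int8_t  d    = QUAD_TABLE[q->state][next];
    q->state = next;            /* resynchronise on the observed state either way */
    if (d == QUAD_INVALID) {
        q->errors++;
        return false;
    }
    q->count += d;
    return true;
}

/* Feed a constructed sequence of 2-bit states; returns the error count. */
uint32_t quad_feed(Quadrature *q, const uint8_t *states, size_t n)
{
    for (size_t i = 0; i < n; i++)
        quad_step(q, (states[i] & 2) != 0, (states[i] & 1) != 0);
    return q->errors;
}

/* OSSD-style test pulse. An output that is intentionally held true is driven
 * low for one sample and read back; if the read-back does not follow, the
 * output stage or wiring is stuck high and could not de-energise the load
 * when a stop is demanded. read_back is a hypothetical hardware hook. */
typedef bool (*ReadbackFn)(bool driven);

bool ossd_test_pulse(ReadbackFn read_back)
{
    bool follows_low  = (read_back(false) == false);
    bool follows_high = (read_back(true)  == true);   /* also restores the output */
    return follows_low && follows_high;
}

/* Constructed output stages for the demonstration. */
bool healthy_output(bool driven)    { return driven; }
bool stuck_high_output(bool driven) { (void)driven; return true; }

int main(void)
{
    /* forward stepping through the 4-state cycle, then the same with state 11 skipped */
    static const uint8_t good[] = { 0, 2, 3, 1, 0, 2, 3, 1 };
    static const uint8_t bad[]  = { 0, 2, 3, 1, 0, 2, 1, 0 };
    Quadrature q = { 0, 0, 0 };
    unsigned good_errors = (unsigned)quad_feed(&q, good, sizeof good);
    printf("good: errors=%u count=%d\n", good_errors, (int)q.count);
    Quadrature r = { 0, 0, 0 };
    unsigned bad_errors = (unsigned)quad_feed(&r, bad, sizeof bad);
    printf("bad:  errors=%u count=%d\n", bad_errors, (int)r.count);
    printf("healthy output passes test pulse:    %d\n", ossd_test_pulse(healthy_output));
    printf("stuck-high output passes test pulse: %d\n", ossd_test_pulse(stuck_high_output));
    return 0;
}
```

One caveat the table makes visible: a track stuck at one level does not produce an impossible transition. With B stuck low and A still toggling, the states run 00, 10, 00, 10, which the table accepts as +1, -1, +1. That fault appears as a position that dithers while the drive is commanding motion, so it has to be caught by a plausibility check against the commanded or current-derived speed, which is why the article says “most” faults rather than all.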
The probability of a systematic fault, i.e. an inherent fault in the design, is reduced to a tolerable level by a most rigorous process of defining the precise requirements for the safety functions and tracking their implementation, testing and documentation.
The rigorous process of specifying and tracking safety functions has to be followed for every individual application, and the machinery designer is ultimately responsible for this. If a drive with functional safety features is being used as part of the design then it becomes a safety component, and its own safety requirements specification and certification become a part of the complete system documentation.
Within the European Union this requirement is embedded in law in the form of the Machinery Directive 2006/42/EC, which includes a definition of, and requirements for, safety components where they are placed on the market separately. In practice this usually means that the drive with safety functions comes with an EC type-examination certificate issued by an independent, government-appointed Notified Body, to allow it to be used in the safety-related control system of a machine. If it has the STO function built in as standard, so that it might or might not be used as a safety component, the drive then has to carry two separate EC manufacturer’s declarations, one under the Machinery Directive and one under the Low Voltage Directive.