Functional safety
A generic approach to a safe servo solution
Servo drives with integrated safety functions have become an integral part of modern machine tools. However, implementing safety in the drive usually involves a great deal of effort. Generic platform solutions make this task easier.
Today, machine tools and systems around the world have to meet increasingly stringent occupational health and safety requirements. Important markets - above all China - have already adopted safety standards based on the European model. If safety is already integrated into the drive, corresponding machines can be produced much more cost-effectively. Electronically implemented safety functions offer shorter response times, the elimination of mechanical components ensures less wear and tear and less maintenance is required; in addition, the space requirement and wiring effort are reduced.
While the 'Safe Torque Off' safety function - STO for short - is now almost standard in servo drives, other frequently required functions such as 'Safe Operating Stop' (SOS), 'Safe Stop 1' or 'Safe Stop 2' are less common. The reason: in order to integrate safety functions, manufacturers must meet the stringent requirements of the international standard EN/IEC 61800-5-2. Fault monitoring and the safe implementation of emergency stop functions are very complex in modern machine tools with servo drives, especially in industrial robots, whose numerous interlinked axes make them highly complex. Smaller manufacturers in particular usually do not have the capacity for safety-related development - which is why even drives with a built-in STO function usually delegate fault detection and diagnostic tests to external devices (safety controller, safety PLC). However, there is an easier way - with the help of a generic platform solution such as 'NTSafeDrive' from Newtec. Drives with an integrated STO function can be expanded with additional safety functions without major development effort - including redundantly implemented monitoring logic, fault detection and diagnostic measures. All common safety functions described in IEC 61800-5-2 are supported (see the box 'Safety functions according to IEC 61800-5-2' below): Safe Torque Off (STO), Safe Stop 1 and 2 (SS1/SS2), Safe Operating Stop (SOS), Safely Limited Position (SLP), Safely Limited Speed (SLS), Safe Speed Monitor (SSM), Safe Direction (SDI), Safely Limited Increment (SLI) and Safe Brake Control (SBC).
The challenges of integration
In principle, a safety function is triggered if defined limit values are exceeded. Sensors are used to monitor certain physical variables (operating data) that are directly dependent on the desired safety function. NTSafeDrive calculates application-dependent target values - such as speed, position or angle of rotation - from the transmitted physical operating data, compares the calculated values with the specified limit values of the active safety function(s) and triggers the safe torque-off function of the servo drive if they are exceeded.
NTSafeDrive is connected to the drive controller via a black channel protocol, which can use SPI (Serial Peripheral Interface) or EMIF (External Memory Interface) as a communication interface.
In order to ensure the maximum possible safety integrity (effectiveness of the integrated safety functions) - for servo drives this is Safety Integrity Level (SIL) 3 in accordance with IEC 61508/EN 62061 or Performance Level PL e in accordance with EN ISO 13849 - various aspects must be taken into account: safe acquisition of the required operating data, safe limit value specification for the safety functions (parameterization) and safe monitoring logic and triggering. In addition, errors in the safety-related development itself must be ruled out. The appropriate procedure is described in the IEC 61508 standard.
IEC 61508 divides possible failures into safe and dangerous ones. The achievable safety integrity level of a safety function is determined, among other things, by the probability of a dangerous failure and by the proportion of harmless failures in the total number of possible failures (safe failure fraction, SFF). The SFF required for a specific SIL depends on the type and architecture of the system. For example, redundant (multi-channel) systems in which each channel can trigger the safety function on its own can achieve a higher safety integrity with less effort than single-channel systems. Fault diagnosis measures also help to further reduce the probability of a dangerous failure, because a dangerous failure that is detected and triggers the safety function can be counted among the harmless failures.
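The following is an added illustration, not code from the article or from Newtec, of how the safe failure fraction is derived from a channel's failure rates and how diagnostics shift dangerous failures into the harmless pool; the SIL-versus-SFF table for type-B subsystems (IEC 61508-2 Table 3, route 1H) is reproduced here from memory, and all failure rates are constructed values.

```python
# SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)  (IEC 61508-2)
# lambda_S: safe failures, lambda_DD: dangerous detected, lambda_DU: dangerous
# undetected; all in failures per hour.  Values below are constructed.

def split_dangerous(lambda_d, dc):
    """Split a dangerous failure rate into the part the diagnostic measures
    detect (lambda_DD) and the part they miss (lambda_DU); dc is the
    diagnostic coverage of the tests, between 0.0 and 1.0."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must lie between 0 and 1")
    lambda_dd = lambda_d * dc
    return lambda_dd, lambda_d - lambda_dd

def safe_failure_fraction(lambda_s, lambda_d, dc):
    """SFF of one channel.  A detected dangerous failure that drives the
    channel into its safe state counts on the harmless side."""
    lambda_dd, lambda_du = split_dangerous(lambda_d, dc)
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must be positive")
    return (lambda_s + lambda_dd) / total

# IEC 61508-2 Table 3 (type B subsystems, route 1H), reproduced from memory:
# rows are SFF bands (lower bound), columns are HFT 0, 1, 2; 0 = no claim.
_TYPE_B = [
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (0, 1, 2)),
]

def max_sil_type_b(sff, hft):
    """Highest SIL claimable for a type-B subsystem with this SFF and
    hardware fault tolerance (HFT: 0 = single channel, 1 = 1oo2)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for lower_bound, sils in _TYPE_B:
        if sff >= lower_bound:
            return sils[hft]
    raise ValueError("SFF must lie between 0 and 1")

if __name__ == "__main__":
    lam_s, lam_d = 6.0e-7, 4.0e-7      # constructed channel failure rates
    for dc in (0.0, 0.9):
        sff = safe_failure_fraction(lam_s, lam_d, dc)
        print(f"DC={dc:.0%}: SFF={sff:.2%}, single channel -> SIL "
              f"{max_sil_type_b(sff, 0)}, 1oo2 -> SIL {max_sil_type_b(sff, 1)}")
```

With the constructed rates, 90 % diagnostic coverage lifts the SFF from 60 % to 96 %, which is enough for SIL 3 only in the two-channel (HFT 1) arrangement.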
It should be noted, however, that the entire safety chain - in this case the combination of NTSafeDrive and servo drive - must always be considered in terms of safety performance. Therefore, the safety parameters of the STO function integrated in the drive are also relevant for the maximum achievable safety level of the entire system.
Safe data acquisition
The dual-chip architecture of NTSafeDrive, realized with two FPGAs or processors and up to six safe inputs and outputs with sensor connection via Sin/Cos, TTL (RS422), HTL (push-pull), SSI, BISS, EnDat 2.2, Hiperface DSL, A-Safety format.
The first prerequisite for real safety is correct data acquisition. Any errors that occur - for example due to a faulty sensor - must be detected correctly and the system transferred to a safe state. In principle, the sensory acquisition of safety-relevant data - for example the position of moving axes - should therefore be redundant, as the fault tolerance of zero required for single-channel sensor systems is difficult to achieve. For higher safety integrity (SIL 3), diversity may also be required, i.e. the parallel use of different sensor technologies - for example optical and magnetic scanning. As different sensor concepts are possible depending on the requirements and framework conditions, NTSafeDrive was designed to be interface-independent so that the sensor technology can be optimally tailored to the respective application.
The use of safety-certified safety sensors (with built-in redundancy) is often the fastest route to success. However, a two-channel structure with two non-safe sensors can also ensure safe measurement and transmission of the required parameters. In this case, however, additional diagnostic measures are necessary to validate the sensor data. For this reason, some of the diagnostic functions required by IEC 61508-2 have already been implemented in NTSafeDrive: All safety-relevant inputs and outputs have an additional test/feedback path to ensure that the interfaces are functioning correctly. The solution also checks the values of speed or position sensors for plausibility by comparing the values of both channels. If the deviations are too great, incorrect signal transmission is assumed and the stop function is triggered.
The actual core of NTSafeDrive, however, is the universal safety IP core implemented in the two FPGAs. This is a pre-qualified design function block for safe drive monitoring - i.e. for calculating the characteristic values from the sensor data, comparing them against the specified limit values, triggering the stop function and parameterizing the safety functions. Manufacturers can easily adapt the IP core to their individual applications and thus develop and certify safe drive monitoring up to SIL 3 for their drives with little effort.
Redundancy via 2-channel architecture
Monitoring is also completely redundant. This is ensured by the 2-channel architecture based on two FPGA circuits. All safety-relevant calculations are executed in parallel on both channels and monitored for correct function using diagnostic measures; if an error is detected on either of the two channels, the entire system switches off (1oo2). This minimizes the probability of a complete failure of the safety function(s), as it can be assumed that at least one switch-off path of NTSafeDrive is still functional - except in the case of common cause failures. For this reason, IEC 61508 'only' requires an SFF of 90 % for 2-channel safety functions compared to 99 % for a single-channel solution.
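The monitoring chain described in 'The challenges of integration', the two-channel plausibility check under 'Safe data acquisition' and the 1oo2 shutdown above, as one added example that is not part of the article and not Newtec's IP core: each channel derives a speed from its own encoder and checks it against the Safely Limited Speed (SLS) limit, the two channels are cross-checked for plausibility, and a trip on either path removes the enable signal. Class and function names, the encoder resolutions and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Channel:
    pulses_per_rev: int          # resolution of this channel's encoder (constructed)
    sls_limit_rpm: float         # limit value of the active SLS function
    last_count: Optional[int] = None

    def update(self, count, dt_s):
        """Return (speed_rpm, tripped) for a new encoder count sample.
        A missing sample or an invalid timing is treated as a dangerous fault."""
        if dt_s <= 0 or count is None:
            return None, True
        if self.last_count is None:       # first sample only initialises
            self.last_count = count
            return 0.0, False
        delta = count - self.last_count
        self.last_count = count
        rpm = delta / self.pulses_per_rev / dt_s * 60.0
        return rpm, abs(rpm) > self.sls_limit_rpm

def monitor_1oo2(ch_a, ch_b, count_a, count_b, dt_s, cross_tol_rpm):
    """One monitoring cycle.  Returns True while torque may stay enabled and
    False as soon as either channel or the cross-check demands STO."""
    rpm_a, trip_a = ch_a.update(count_a, dt_s)
    rpm_b, trip_b = ch_b.update(count_b, dt_s)
    if trip_a or trip_b:
        return False                      # 1oo2: one channel suffices to switch off
    if abs(rpm_a - rpm_b) > cross_tol_rpm:
        return False                      # implausible: assume faulty signal path
    return True

def run(samples, dt_s=0.001, limit_rpm=600.0, cross_tol_rpm=30.0):
    """Feed constructed (count_a, count_b) samples taken every dt_s seconds;
    return the cycle index at which STO was demanded, or None if none was."""
    a = Channel(pulses_per_rev=1024, sls_limit_rpm=limit_rpm)
    b = Channel(pulses_per_rev=2048, sls_limit_rpm=limit_rpm)   # diverse resolution
    for i, (count_a, count_b) in enumerate(samples):
        if not monitor_1oo2(a, b, count_a, count_b, dt_s, cross_tol_rpm):
            return i
    return None
```

A steady 5 and 10 counts per millisecond on the two encoders correspond to about 293 rpm on both channels and pass; a jump to 12/24 counts exceeds the 600 rpm limit on both channels, and 5 versus 14 counts is rejected by the cross-check even though each channel alone is below the limit.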
Due to its interface-independent design, NTSafeDrive supports a large number of safe communication protocols. If the safety functions are activated and parameterized via Fail Safe over EtherCAT (FSoE), for example, the existing interfaces of the servo drive can also be used, with the safety data safeguarded end to end. This allows manufacturers to use the generic platform without having to adapt their servo drives at great expense: in most cases, it is sufficient to add the required interfaces to the hardware and to implement software in the servo drive's processor that forwards the process data unaltered. As this software simply passes the data transparently through to NTSafeDrive, no software development in accordance with IEC 61508-3 is required - this saves time and development costs.
However, the concept presented also allows operation without a safe communication protocol. As a particularly cost-effective alternative, parameterization of the safety functions using a keypad and 7-segment display is also conceivable, for example.
Authors:
Jasper Leinberger is responsible for customer-specific adaptations at Newtec;
Gerhard Weiß is head of platform development for NTSafeDrive at Newtec.
Safety functions according to IEC 61800-5-2
The sector standard IEC 61800-5-2 (in Germany DIN EN 61800-5-2) regulates the requirements for the functional safety of "electrical power drive systems with adjustable speed". By implementing the normative specifications, manufacturers enable the installation of their safe drives in machines and systems in accordance with the specifications of the higher-level standards IEC 61508 (basic standard for functional safety of electrical and electronic systems), DIN EN 62061 (functional safety of machine control systems) and DIN EN ISO 13849 (machine safety).
The most important class of safety functions are emergency stops. IEC 61800-5-2 defines three stop functions that correspond to the three stop categories 0, 1 and 2 from DIN EN 60204-1:
- Safe Torque Off (STO): the power supply is interrupted immediately and the drive is brought to an uncontrolled standstill (stop category 0).
- Safe Stop 1 (SS1): the drive is brought to a controlled standstill and the energy supply is then interrupted, i.e. STO is activated (stop category 1).
- Safe Stop 2 (SS2): the drive is brought to a controlled standstill and the standstill is monitored; the energy supply is therefore maintained (stop category 2).
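The three stop functions differ in what is monitored after the stop request and in which state they end, as this added example shows; it is not code from the article or from Newtec. SS1 and SS2 both watch the controlled deceleration against a required ramp, SS1 then ends in STO, while SS2 ends in a monitored standstill (SOS) with power kept on; the state names, limits and samples are constructed.

```python
# States of the constructed stop monitor: RUN (no stop active), SS1_RAMP and
# SS2_RAMP (controlled deceleration being monitored), SOS (monitored standstill,
# power on) and STO (power off, the safe state every violation falls back to).
STO, SS1_RAMP, SS2_RAMP, SOS, RUN = "STO", "SS1_RAMP", "SS2_RAMP", "SOS", "RUN"

class StopMonitor:
    def __init__(self, decel_rpm_per_s, standstill_rpm, pos_window, ramp_tol_rpm):
        self.decel = decel_rpm_per_s      # minimum deceleration the drive must achieve
        self.standstill = standstill_rpm  # speed below which the axis counts as stopped
        self.window = pos_window          # drift allowed in SOS (encoder counts)
        self.tol = ramp_tol_rpm           # tolerance band above the required ramp
        self.state = RUN
        self.t0 = self.v0 = self.pos_ref = None

    def request(self, function, t, rpm):
        """Start SS1 or SS2 at time t (seconds) with the current speed rpm."""
        if self.state in (RUN, SOS):
            self.state = SS1_RAMP if function == "SS1" else SS2_RAMP
            self.t0, self.v0 = t, abs(rpm)

    def step(self, t, rpm, pos):
        """One monitoring cycle; returns True while torque may stay enabled."""
        if self.state == STO:
            return False
        if self.state in (SS1_RAMP, SS2_RAMP):
            allowed = max(self.v0 - self.decel * (t - self.t0), 0.0) + self.tol
            if abs(rpm) > allowed:            # ramp violated: fall back to STO
                self.state = STO
                return False
            if abs(rpm) <= self.standstill:
                if self.state == SS1_RAMP:    # SS1: switch power off at standstill
                    self.state = STO
                    return False
                self.state, self.pos_ref = SOS, pos   # SS2: keep power, monitor
            return True
        if self.state == SOS:                 # standstill window must hold
            if abs(pos - self.pos_ref) > self.window or abs(rpm) > self.standstill:
                self.state = STO
                return False
            return True
        return True                           # RUN: other functions monitor here
```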
In addition to these emergency stop functions, IEC 61800-5-2 also describes so-called "safe motion functions", which are intended to reduce risks during operation. These include, for example, the safe operation stop (SOS), in which the drive continues to be controlled, i.e. the safety controller continues to be supplied with position values. This function is necessary if frequent manual intervention in the process is required - for example in set-up mode.
Another function is Safely Limited Speed (SLS). Here, elements such as axes or spindles are monitored for a predefined speed or rotational speed. This is necessary, for example, during set-up or automatic machining. In addition to the speed, positions or the direction of movement can be monitored or brakes controlled.