In the case of larger machines or systems - for example in the packaging industry - the operator is usually protected from dangerous movements by a safety fence or enclosure. Access to the danger zone is possible via a door. From the point of view of machine safety, in addition to the safety functions 'protection against unexpected start-up' and 'stopping via emergency stop device', a further safety function must often be guaranteed: the 'safely limited speed (SLS) when the safety gate is open'. The SLS function makes it easier for the operator to set up a production system or carry out troubleshooting.

An exemplary structure of the safety function: In addition to the encoder for detecting the speed, the evaluation logic, such as the 'PSC1' safety controller from Schmersal, and the drive itself, the monitoring of the safety gate must usually also be included in the consideration, as the SLS function is generally activated with this.

© Schmersal

A current white paper from Schmersal and Wachendorff presents an exemplary safety solution for such a system, which includes a redundant encoder and a small safety controller, and provides assistance in evaluating the safety-related suitability of this solution. In order to determine and verify the required safety level, the EN ISO 13849 series of standards is used in this example. The risk assessment has resulted in a performance level (PLr) of d for the machine in question. This can be implemented in various ways. Category 3 is usually suitable for technical implementation. It requires single-fault safety, which is typically achieved through a consistent two-channel design.

The use of a rotary encoder is ideal for measuring the speed. In addition to the encoder, the evaluation logic - such as the 'PSC1' safety controller from Schmersal - and the drive itself, the monitoring of the safety gate must usually be taken into account, as the SLS function is generally activated with this safety gate.

In this structure, consideration of the rotary encoder for speed detection is particularly relevant.

The easiest way to achieve the required dual-channel capability would be to use two separate encoders, which would have to be mounted at different locations in order to be mechanically dual-channel. In practice, however, this is often time-consuming and difficult. It is more practical to only have to use one mounting position. The rotary encoder from Wachendorff combines these two properties: it consists of two completely independent encoders with different technologies in one housing. In addition to the simplified installation, the internal redundancy also allows the requirements of category 3 to be met.

The redundant encoder

A redundant encoder basically consists of two completely self-sufficient standard encoders, which means that the entire electronic part of the encoder can be regarded as a two-channel system. Only the mechanical structure, consisting of the shaft and bearing assembly, is designed as a single-channel system. The standard for electric drives EN 61800-5-2 stipulates that the fault must be considered by disconnecting the mechanical connection between the encoder and the drive. In many cases, fault exclusion is required, as the control system cannot necessarily detect such a fault. This fault exclusion can be achieved by dimensioning the mounting elements accordingly and using a 100 % reliable mechanical connection.

Wachendorff encoders are based on the principle of diversity. This means that reliability is specifically increased by using different measuring principles and therefore using as few identical components as possible. The basic idea here is that the different sensor platforms also react with different levels of sensitivity or insensitivity to faults of any kind and therefore do not fail at the same time, so that the downstream electronics can reliably detect this possible failure.

The redundant standard encoder provides diverse (magnetic and optical) signals that are generated completely independently of each other, but can still be correlated with each other. Even the supply voltage is available separately for each sensor unit.

Subsystem 'Speed detection'

The PSC1 safety controller and the programming of the application in SafePLC2. Category 3 requires, among other things, fault detection (DC). In the example described, this takes place via the 'PSC1' safety controller. Function blocks for the most important monitoring functions are already integrated in the 'SafePLC2' programming tool of the 'PSC1' and the probability of errors is minimized due to the simple programming.

© Schmersal

The single-fault safety required by category 3 is ensured by the continuous two-channel speed/direction detection in the encoder. The fault detection (DC) also required is not integrated in the encoder and must therefore take place in the evaluation logic.

The 'PSC1' safety control series from Schmersal is a good example of this. If required by the application, it can be used to safely monitor up to twelve axes. The encoders can be easily connected via D-Sub interfaces. By cross-comparing the two encoder signals or, in the case of sin-cos encoders, by evaluating the relation sin²+cos²=1, any errors that occur are detected and an error response is initiated. In addition, the 'SafePLC2' programming tool of the 'PSC1' already contains function blocks for the most important monitoring functions in accordance with DIN EN 61800-5-2, for example SLS, SOS (Safe Operating Stop) or SCA (Safe Cam, safe position monitoring). These can be easily integrated into the safety logic program.