From Static to Dynamic Safety with Pilz
- Published: Thursday, 13 September 2012 18:03
In the past, the subject of machinery safety has been equated to that of the E-STOP function. The combination of what’s possible in normative terms with new technical solutions for safety tasks and combined application knowledge, increasingly enables productivity and machine availability requirements to also be met. Flexible, dynamic safety can only be achieved with an integrated operation of sensor, control and actuator technology.
Anywhere that man and machine work together, there is always the possibility that the machine will initiate a hazardous movement. Safety has primarily been characterised by binary events such as the operation of an emergency stop device, opening of a safety gate or interruption of a light curtain, for example. Even today, the safety concept for many plants and machines is designed in such a way that, if a protected area is accessed, power is removed to all the drives, if not the entire plant. With increasing automation and interlinked plant, machines and processes, the functional requirements of safety technology in particular are on the rise.
With productivity continually increasing, it must be possible to work within defined detection zones in a plant, without disrupting the whole production process. After all: a hard shutdown is generally associated with further disadvantages, whether these involve loss of productivity, extended downtimes due to more complex recommissioning procedures or a restriction in the machine’s operating and maintenance concept.
Safety should not be viewed in isolation
The manufacturing industry is characterised by a growing level of automation and interlinked plants and processes. As such, safety cannot be viewed in isolation and rarely relates solely to individual zones or components within a plant. safety has become a key component in the plant’s overall function and overall cost analysis. Standstill and inspection periods play an increasingly important role in the assessment of the overall machine lifecycle.
With all these requirements there is a growing desire for dynamic safety, in other words, the ability to adapt safety functions to changing protection requirements with greater flexibility. This changes the view of safety itself; it is regarded less as a product and more as a cross-device function.
Standards and directives provide the framework
Applicable laws and standards provide the framework for safety-related solutions. Within the European Union, the Machinery Directive is the benchmark on which the functional safety of plant and machinery must be based. The following standards are of vital importance within the Machinery Directive: EN 62061 (Safety of machinery – Functional safety of electrical, electronic and programmable control systems) and EN ISO 13849-1 (Safety of machinery – Safety-related parts of control systems). In comparison with its predecessor standard EN 954-1, the latter provides more practical guidance for the implementation of safety and is therefore an important prerequisite for dynamic safety.
One example is the operating mode "Operation with safety gate open", which was not defined in EN 954-1. Previously, the required operating mode selector switch was implemented as a separate key switch – often without any safety function. The C standards now provide the relevant specifications for a safe operating mode selection function with reference to the Machinery Directive 2006/42/EC, EN ISO 12100-2 ("Safety of machinery – General principles for design – Risk assessment and risk reduction") and EN 60204-1 ("Safety of machinery – Electrical equipment of machines - Part 1: General requirements"). The definitions contained there enable additional forms to be specified, such as "Safely reduced speed with safety gate open". In "Set-up" mode, speed can now be safely monitored to avoid unnecessary standstill and recommissioning times.
Benchmark for safety-related requirements
Precise knowledge of what is permitted from a legal perspective and what is technically feasible is a prerequisite for designing safety technology that will offer the greatest possible potential for productive machine operation. The new standards EN 13849-1 and IEC 62061 specify that safety-related solutions must be considered with their individual characteristic values and must be assessed mathematically over the whole process chain, from the sensor technology to the control system and beyond to the actuator technology. This may sometimes require multi-layered states or results from complex calculations, to which the safety technology must react appropriately. As a result, it is becoming less likely for today’s automation tasks to be resolved using classic procedures.
Sensors with vision
Many safety sensors operate strictly in accordance with a binary model: a safety gate is opened; the sensor detects this and generates a shutdown signal for the safe machine control system. For dynamic safety concepts, sensors must be able to assess events in a clearly graduated manner. For example, they should be able to distinguish whether a person is within the potential action radius of a hazardous movement (warning zone) or has already accessed a zone with an increased safety requirement (detection zone). It must be possible to adjust these zones dynamically and to track the movements of a machine or robot, for example.
New, camera-based processes, such as those used by the safe camera system SafetyEYE for zone monitoring or the camera-based, mobile protection system PSENvip for press brakes, can monitor protected fields and detection zones safely in 3D. These sensor systems interact with the evaluation function via safe communication channels and guarantee optimum plant productivity.
Through an overall assessment of all the safety functions surrounding the "press brake" machine, safe position data can also be used, for example, to adjust the sensor’s protected areas specifically to the current protection requirement of the operator or tool, or to adjust these in accordance with positional information. This function enables "dynamic muting" through the network, thereby ensuring higher machine productivity.
Modern electronic sensor systems are much more powerful and provide considerably more information than a purely binary switch signal. The quantity and quality of information is a precondition for being able to design safety functions dynamically. On SafetyEYE for example, zone information is already available in the form of safe, 3-dimensional zones – but this is reduced to standardised, binary interface signals within the application. In future it should be possible for this zone information to be evaluated directly from the safe drive technology. So the drive network is able to react to this multi-dimensional zone information with the corresponding motion path, anticipating it as it were.
Control system for standard and safety
Programmable safety systems are currently in use, whose function can be configured via software. These are much more flexibility in comparison with safety relays, with their fixed function range. To ensure that programs remain clear and understandable, on most systems the instruction set is limited, as is the number of available editors. So far this has not posed a problem, provided plant and machinery only undertake simple safety tasks.
However, safety technology increasingly requires more complex relationships with the individual elements in the overall process chain. Programmable safety systems must be able to safely record, process and output more complex measured variables, such as speed settings. Not only does this affect the sensor/actuator interface that is used, it also places new demands on the processing logic functions.
Safe control technology has fundamentally changed the world of automation. Today, it is an important prerequisite for ensuring that machinery is not only safe but also provides availability and high productivity. Programmable logic controllers and programmable safety systems may have been developed successively, but today’s market trend is to combine both areas – standard and safety – within one control solution. The automation system PSS 4000 from Pilz enables you to build automation solutions that cover standard and safety-related tasks in equal measure and are easy for the user to operate. The Program Editor for STL (Structured Text Language) is one of the very latest system developments. With PAS STL as an additional member of the family of IEC 61131-3 Editors, Pilz enables safety-related and standard functions to be programmed consistently and in full, on the same standardised basis. With the STL Editor, for the first time it is possible to resolve safety tasks up to SIL3.
Actuator technology: Staying safe, under power
In order to prevent hazardous movements, it is clear that the safety technology should be dovetailed with the actuator technology. Until now a safe motion controller has been a combination of safe motion monitoring, safe isolation of the motor from the energy supply and non-safety-related motion generation. For technical and economic reasons, the drive electronics – servo amplifier and frequency converter - have remained non-safety-related components within automation. So until today, additional safe components have taken care of safety, bringing the drive to a de-energised, safe condition in the event of a fault, or safely monitoring the movement of the connected motor. Now it is possible to integrate these additional safe components into the drive. For example, the motion control system PMCprimo DriveP can be expanded using the safety card PMCprotego S. The result is a complete solution for the drive, control system and safety.
For example, a safe, dynamic application could look as follows: When a safety gate is opened, the motor is braked safely with a defined ramp and then remains at standstill under active control. If the relevant authorisation is present and a safe operating mode is activated for set-up mode, the motor will move in jog mode at a safely reduced speed. When this operating mode is ended and the safety gate is closed, the safety function is re-established for each machine operator. In other words: if static detection zone monitoring has been violated, production can continue at a reduced number of cycles and with safely monitored movements.
Co-ordinated, dynamic safety concepts enable flexible system reactions: from safe reduced speed to safe co-ordination of multi-axis systems, through to safety-related control of drives in relation to load and torque. A high-performance, safe interconnection between these elements guarantees that, when a zone has been exceeded, the drive axes react to the warning signals by safely reducing the speed, through safe position control or with safe torque limitation.
Holistic approach brings benefits
When knowledge of standards, products and applications is combined, system solutions for safe automation are the result, where functions are co-ordinated in such a way that the individual subfunctions interact. The automation system PSS 4000 is one example illustrating how the boundaries between the safety and control function is becoming increasingly permeable. It is very rare for users to demand a clear separation, but they do value an absence of feedback and a clear distinction between the areas of responsibility.
Increasingly, safety is an integral part of the overall plant and machine function and must therefore be considered from the start. For safe control technology means nothing more than making the control function intrinsically safe.
What impact does this have on developments in safety technology? Clearly it will be necessary to think more in terms of systems. If subfunctions are to be interlinked to optimum effect, subfunctions cannot simply be added retrospectively. Ultimately, the challenge lies in integrating the functions into the overall system.
Safety technology requirements are undergoing a structural change: processes are becoming ever more dynamic and the demand for controlled access to the process is rising along with productivity requirements, gradually changing safety technology in the process. The previous strategy of a safe shutdown when a safety function was called upon or in the event of an error will be less acceptable in future. Ultimately, the safe integration of sensor, control and actuator technology opens up new freedoms when it comes to planning dynamic process cycles and work areas in which man and machine interact, guaranteeing the safety of the machine operator at all times – in any operating mode – during the whole machine cycle.
Author: Armin Glaser, Head of Product Management, Pilz GmbH & Co. KG,