According to Kevin Connelly, business development manager, power and controls at Underwriters Laboratories (UL), component manufacturers now have an important opportunity to secure functional safety certification that gives them—and their customers—a higher level of assurance than they have had before.
“Now there is the possibility—and the standards—to integrate safety functions into motor drives,” he says. “In conventional machine/safety relations, you always needed safety relays, sensors, programmable logic controllers and so on; today, much of that external or additional safety equipment can be integrated into the drives themselves.”
In fact, adjustable speed power drive systems are playing an increasing role in the design, implementation, and achievement of safety. This has come about for a number of reasons, including increasing automation, the demand for increased productivity, and the desire to reduce the physical labor of operators. “Before standards were established, there was a reluctance to accept electronic and programmable electronic components in safety related functions,” says Thomas Maier, principal engineer, functional safety, at UL. This was due to uncertainty regarding the safety performance of this technology.
With the advent of IEC 61800-5-2, times have changed for functional safety and motor drives. “This is a functional safety standard for components,” explains Maier. “It is derived from IEC 61508—the standard that drives the functional safety of machinery in the United States and Europe—and it is a standard that should ease the integration of functionally safe frequency converters, drives, and other power drive systems into safety installations, according to IEC 61508, IEC 62061, or EN ISO 13849-1.”
Stop, and Go Forward
To see how the new technology and new standards are affecting functional safety, Maier says to consider the simple emergency stop for a drive. For a conventional drive, installing an emergency stop requires an emergency stop button, an electronic safety relay that monitors the button, and a contactor actuated by the safety relay to remove the power from the drive and make it stop. With integrated functional safety, however, integrating the safety logic into the drive eliminates both the contactor, which typically is large and expensive, and the safety relay.
“That’s a big economic advantage for our customers, and for our customers’ customers,” says Maier. “Machine builders save space, components, and money, and have a less complex system that is easier to monitor and maintain.”
According to Maier, components with integrated functional safety make it easier to design safety systems, because they can be treated as safety modules that plug easily into the overall safety installation. Examples of industrial applications where they could be used:
• Machine tools, robots, production test equipment, and test benches
• Papermaking machines and textile production machines
• Process lines in plastics, chemicals, or metal production; rolling mills
• Cement crushing machines, cement kilns, mixers, centrifuges, extrusion machines
• Drilling machines
• Conveyors, materials handling machines, hoisting equipment
• Pumps, fans, etc.
“There are numerous examples where control systems employ adjustable speed power drive systems as part of safety measures to reduce risk,” says Maier. “A good example is the safety function called ‘safety limited speed.’” When a safety door is opened or a light curtain is crossed, this function slows the machine down to a speed that is no longer dangerous to the operator.
“In such cases, production is not stopped,” notes Maier. “Or, the operator can come close to the machine and do commissioning work or repair work; having the machine in motion allows testing to be done on the spot.”
IEC 61800-5-2 provides a methodology to identify the contribution made by an adjustable speed power drive system to identified safety functions and enables the appropriate design and verification that it meets the required performance. “First, you need to have the safety requirements,” says Maier. “That means safety-related functions: identifying which functions are safety-critical, and knowing how safe they need to be.”
A measure of the degree of safety needed has to be set, either at a safety integrity level (if the installation is according to IEC 61508 or IEC 62061) or at a performance level (if the installation is according to EN ISO 13849-1). The first step of development, then, would be to write a safety requirement specification. “This means specifying the functions and safety levels in more detail in relation to the interfaces that you plan as well as explaining how to activate the safety functions, what the fail safe reactions will be, and what reaction times will be needed,” explains Maier.
You may have to customize these functions. If, say, you have a safety limited speed, there is no interest in fixing it to one particular value; the limit must be customizable. So the challenge of customizing safety-relevant parameters in the drive must be addressed. “Everything you define in that document will be implemented, and everything you have implemented will be verified against the safety requirements specification,” notes Maier.
From that point on, it is very important that the developer of the system uses good development processes, especially when it comes to software. They’ll need a structured approach to software; a V model-based design is highly recommended. (The V model approach is common good practice in the development of software and complex systems. On the left side of the “V” is the development path; on the right side is the verification path. For every step of development, corresponding verification or validation must take place.)
“With this approach, we get hold of critical problems, and discover faults, as early on as possible,” says Maier.
Simpler, Safer, and Less Expensive
According to Connelly, one of the real benefits for machine and system builders is that IEC 61800-5-2 is a component-based standard. “This means that you can give that component—that drive—a certificate,” he says. “This tells the machine builder, or more importantly, the test houses that have to certify or inspect a machine or system, that they don’t have to look any further into the component.”
The certification tells them what is inside. They know what it delivers. And they can consider it a module. “This will ease the machine design task, as well as the testing and certification task,” concludes Connelly.