Do safe drive controls also require safe position encoders?


1 Problem

In order for machines to be operated safely, safety functions are often required for the limitation of rotary and linear speeds, axis positions, etc. Frequency converters with integrated safety functions are used for this purpose, or safety PLCs, tachometric relays and similar components. The associated sensor technology for the detection of axis positions or rotary angles on spindles generally takes the form of position encoders with sine/cosine interfaces. These products are also increasingly available in safe versions intended for use in a specified Performance Level (PL) or SIL (1). What advantages do safe sine/cosine position encoders offer over conventional products? What aspects need to be considered when "unsafe" encoders are used? These questions will be discussed with reference to an example safety function:

SF1, "limitation of a rotary spindle speed in setup mode"

This function is to be implemented in Performance Level PL d in accordance with EN ISO 13849-1 [1].

2 Implementation of the SF1 safety function

The SF1 safety function is to be implemented by the use of one or two rotary encoders together with a frequency converter with the integrated safety function of SLS (safely limited speed). Figure 1 shows the corresponding safety-related block diagram (selection of the operating mode is a safety function in its own right and is not therefore shown). The diagram consists of a subsystem G (rotary encoder) and an encapsulated subsystem T1 (frequency converter).

Figure 1: SF1 – safety-related block diagram

Encapsulated subsystems are components for which the manufacturer states the PL/SIL and the PFH (2), where applicable in conjunction with requirements concerning the products' use. The frequency converter T1 possesses interfaces for two sine/cosine encoders, and is able to perform fault detection measures.

The design of subsystem G is not clear, since it could be implemented by a range of architectures.

Footnotes:
(1) SIL: Safety Integrity Level
(2) PFH: Average probability of a dangerous failure per hour

Position encoders (12.2013) Page 1 of 9

www.dguv.de/ifa

Before these architectures are considered however, the possible faults of rotary encoders must be determined. Component faults and their impacts upon the safety function ultimately constitute the basis for determining whether a single conventional rotary encoder is sufficient for attainment of PL d, whether two conventional rotary encoders are required, or whether safe rotary encoders must be employed.

2.1 Possible faults in rotary encoders

Figure 2 shows a cutaway view of a typical rotary encoder.

Figure 2: Rotary encoder (source: Fritz Kübler GmbH)

The encoder shaft, bearings, disc, electronics, housing and connector are visible. The functional structure of the encoder is shown in Figure 3.

Figure 3: Structural arrangement of a sine/cosine rotary encoder (source: Fritz Kübler GmbH)

As this diagram shows, some of the functional elements of the rotary encoder are of single-channel design, others two-channel (3) – assuming that sine and cosine are treated as two separate channels (this will be discussed in more detail below). It is immediately apparent that mechanical faults on the shaft, bearings or disc could simultaneously affect the sine and cosine channels. Should for example the encoder shaft become detached from the motor shaft, changes in the motor position no longer lead to a (correct) change in the sine/cosine signals. Unless additional measures are taken, this fault cannot be detected in the frequency converter connected to the encoder (4), since the signals output by the encoder are still within the permissible range. Other component faults lead to falsification of sine and/or cosine output signals (see [2], Table D.16) which can be detected in the frequency converter by monitoring for sin²(φ) + cos²(φ) = 1.

2.2 SF1 with the use of conventional rotary encoders

The Performance Level required for the desired safety function, "SF1, limitation of the rotary spindle speed", is PL d. The encoder subsystem must therefore also satisfy at least PL d. PL d is possible in the designated architectures of Category 2 and Category 3 in accordance with [1].

Table 1: Requirements for Category 2 and 3 subsystems for use in PL d

| Requirements for PL d      | Category 2                                               | Category 3                                                                                                                                 |
|----------------------------|----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Basic principles           | Mandatory ([3], Tab. A.1, D.1)                           | Mandatory ([3], Tab. A.1, D.1)                                                                                                             |
| Well-tried principles      | Mandatory ([3], Tab. A.2, D.2)                           | Mandatory ([3], Tab. A.2, D.2)                                                                                                             |
| MTTFd of each channel      | High                                                     | Medium to high                                                                                                                             |
| Component faults           | Testing at suitable intervals                            | • A single fault must not result in loss of the safety function • A single fault is detected wherever possible by reasonable means          |
| DC                         | Low to medium                                            | Low to medium                                                                                                                              |
| CCF                        | Measures must be taken, see Annex F in EN ISO 13849-1    | Measures must be taken, see Annex F in EN ISO 13849-1                                                                                      |
| Systematic failure         | Measures must be taken, see Annex G in EN ISO 13849-1    | Measures must be taken, see Annex G in EN ISO 13849-1                                                                                      |
| PFH                        | ≥ 10⁻⁷ to < 10⁻⁶ per hour                                | ≥ 10⁻⁷ to < 10⁻⁶ per hour                                                                                                                  |

MTTFd: Mean time to a dangerous failure; DC: Level of diagnostic coverage; CCF: Common-cause failure; PFH: Average probability of a dangerous failure per hour

Footnotes:
(3) Sine and cosine signals are generated in the same optoelectronic ASIC. Owing to their signal form and phase difference, they can however be treated as separate channels; all dangerous component failures are detected by testing for sin²(φ) + cos²(φ) = 1.
(4) One possible additional measure is for example a plausibility check in the frequency converter, provided no external forces apply, as for example on vertical axes. If the motor drive signal is known and a corresponding motor movement is anticipated, comparison with the motor position signalled by the position encoder can identify a discrepancy and therefore a fault. Application of this method is difficult in practice and it will not be considered further here, since it requires detailed knowledge of the frequency converter, control circuit, motor behaviour, etc.

Since, when conventional encoders are used, no safety-related product data are generally available from the manufacturer, users are responsible for demonstrating that the requirements to be met by the encoder subsystem summarized in Table 1 for the example discussed here are actually met [4]. The first problems emerge at this point: the documentation required for evaluation, such as component lists, failure data of the components used, FMEA, etc., is not likely to be available in full to users. The support of the encoder manufacturer is therefore generally required. An essential aspect is the behaviour of the encoder subsystem when component faults occur, and when they are detected. This will be discussed in more detail below.

2.2.1 Category 3, two conventional encoders

Figure 4 shows the schematic circuit diagram and the safety-related block diagram. The encoder system is formed by two conventional rotary encoders. The sine/cosine output signals from encoder 1 are processed in channel 1 of the frequency converter, those from encoder 2 in channel 2. For detection of encoder faults, monitoring is performed for sin²(φ) + cos²(φ) = 1; should this criterion not be met, a fault response is triggered. The speed is determined from the encoder signals in a two-channel arrangement in channel 1 and channel 2. Cross-checking detects faults in the frequency converter and to some extent also in the encoder.

Figure 4: Two conventional rotary encoders and signal processing in the safe frequency converter T1 (schematic: encoder G1 feeds channel 1 and encoder G2 feeds channel 2 of T1; each channel monitors for sin²(φ) + cos²(φ) ≠ 1, which constitutes the DC of the respective encoder; DCM = data cross monitoring between the two channels, with a fault reaction)

Category 3 requires single-fault tolerance, i.e. the incidence of a single fault must not lead to loss of the safety function. The architecture considered here is two-channel throughout; satisfaction of the requirement for single-fault tolerance should not therefore be a problem. Attention should however be paid to the mechanical coupling of the encoder to the movement in the machine that is to be monitored. A single fault must not simultaneously have dangerous effects upon encoder 1 and encoder 2. Alternatively, the two encoders can share the same mounting provided fault exclusion can be assumed for the movement/encoder coupling for at least one of the two encoders.
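The two fault-detection mechanisms discussed above, the sin²(φ) + cos²(φ) = 1 vector check of section 2.1 and the data cross monitoring between the two channels of section 2.2.1, can be reproduced on sample signals. The following Python script is an added example, not code from the IFA document or from any frequency converter or encoder manufacturer; the tolerances, the SLS limit, the sample rate and the encoder signals are all constructed values. It shows that an interrupted cosine line is caught at once by the vector check, whereas an encoder shaft detached from the motor keeps delivering in-range signals that pass the check, so a single encoder reports a standstill while the motor runs; only the comparison with a second encoder exposes that discrepancy.

```python
import math

# All limits and sample data below are constructed for illustration only.
VECTOR_TOL = 0.1       # permitted deviation of sin^2 + cos^2 from 1 (assumed)
SLS_LIMIT_RPM = 50.0   # assumed safely limited speed for setup mode (SF1)
CROSS_TOL_RPM = 5.0    # permitted speed discrepancy between channel 1 and 2 (assumed)


def vector_check_ok(s, c, tol=VECTOR_TOL):
    """Monitoring for sin^2(phi) + cos^2(phi) = 1 on one sample pair."""
    return abs(s * s + c * c - 1.0) <= tol


def first_vector_fault(samples):
    """Index of the first sample failing the vector check, or None if all pass."""
    for i, (s, c) in enumerate(samples):
        if not vector_check_ok(s, c):
            return i
    return None


def speed_rpm(samples, dt):
    """Speed from consecutive angles atan2(sin, cos); differences unwrapped to (-pi, pi]."""
    total = 0.0
    prev = math.atan2(*samples[0])
    for s, c in samples[1:]:
        a = math.atan2(s, c)
        total += (a - prev + math.pi) % (2.0 * math.pi) - math.pi
        prev = a
    revolutions = total / (2.0 * math.pi)
    return revolutions / (dt * (len(samples) - 1)) * 60.0


def ideal_samples(rpm, n, dt, phase=0.0):
    """Constructed sine/cosine output of a healthy encoder on a shaft turning at `rpm`."""
    w = rpm * 2.0 * math.pi / 60.0
    return [(math.sin(w * i * dt + phase), math.cos(w * i * dt + phase)) for i in range(n)]


def detached_shaft(rpm, n, dt, stuck_at=0.7):
    """Encoder shaft detached from the motor: the signals freeze at one valid,
    in-range position although the motor keeps turning at `rpm` (rpm, dt unused)."""
    return [(math.sin(stuck_at), math.cos(stuck_at))] * n


def broken_cos_wire(rpm, n, dt):
    """Cosine line interrupted: the cos channel reads 0 while sin still moves."""
    return [(s, 0.0) for s, _ in ideal_samples(rpm, n, dt)]


def sls_single_encoder(samples, dt, limit=SLS_LIMIT_RPM):
    """Single-encoder subsystem: vector check only, then comparison with the SLS limit."""
    fault = first_vector_fault(samples) is not None
    n = abs(speed_rpm(samples, dt))
    return {"fault_detected": fault, "speed_rpm": n, "within_limit": n <= limit}


def sls_two_encoders(samples1, samples2, dt, limit=SLS_LIMIT_RPM, tol=CROSS_TOL_RPM):
    """Category 3 subsystem of 2.2.1: vector check per encoder plus data cross
    monitoring (DCM) of the two speeds; the higher speed is used for the limit."""
    fault = (first_vector_fault(samples1) is not None
             or first_vector_fault(samples2) is not None)
    n1, n2 = abs(speed_rpm(samples1, dt)), abs(speed_rpm(samples2, dt))
    if abs(n1 - n2) > tol:
        fault = True  # DCM: the two channels disagree
    n = max(n1, n2)
    return {"fault_detected": fault, "speed_rpm": n, "within_limit": n <= limit}


if __name__ == "__main__":
    dt, n, motor_rpm = 0.001, 101, 300.0          # constructed: 1 kHz sampling, 0.1 s window
    healthy = ideal_samples(motor_rpm, n, dt)
    stuck = detached_shaft(motor_rpm, n, dt)
    print("healthy, one encoder :", sls_single_encoder(healthy, dt))
    print("detached, one encoder:", sls_single_encoder(stuck, dt))   # passes, reports 0 rpm
    print("broken cos, fault at :", first_vector_fault(broken_cos_wire(motor_rpm, n, dt)))
    print("detached + healthy   :", sls_two_encoders(stuck, healthy, dt))  # DCM catches it
```

The script makes the point of section 2.1 concrete: the detached shaft is a single mechanical fault that leaves sin²(φ) + cos²(φ) = 1 intact, so the single-encoder run reports "within_limit" although the motor exceeds the assumed SLS limit, whereas the two-encoder run flags the discrepancy between the channels. It does not model the second mechanical hazard named in the text, a mounting failure that lets both encoders turn together; that has to be excluded by design, not by monitoring.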

2.2.2 Category 3, a single conventional encoder

It can be seen clearly that in this architecture (see Figure 5), breakage of the connection between the encoder shaft and the drive shaft immediately results in undetected dangerous failure of the safety function, unless additional measures take effect in the frequency converter (e.g. comparison with anticipated behaviour).

Figure 5: Subsystem G1 in Category 3 with a single conventional rotary encoder and signal processing in the safe frequency converter T1 (schematic: encoder G1 feeds both channel 1 and channel 2 of T1; monitoring for sin²(φ) + cos²(φ) ≠ 1 constitutes the DC of encoder G1; DCM = data cross monitoring between the channels, with a fault reaction)

Fault exclusion for the mechanical connection between the movement and the encoder is therefore absolutely essential. The encoder manufacturer must provide evidence of adequate strength for this purpose. Failure of the mounting causing the encoder enclosure to turn with the shaft may also have an effect upon the safety function, and must be considered (see [2], Table D.16).

Note: where the encoder is integrated into the control circuit of the motor, it could be assumed in the past that encoder faults caused by faulty motor commutation also resulted in fault detection via the process. However, modern control algorithms may at times operate in encoderless mode even when an encoder is connected; it can therefore no longer be assumed that faults will be detected quickly through disruptions in functioning of the machine.

Faults in the encoder and wiring faults are detected by monitoring for sin²(φ) + cos²(φ) = 1. Component faults can occur in which both sine and cosine channels fail dangerously (such as interruption in the power supply or wiring faults). This architecture is nevertheless able to satisfy the single-fault tolerance requirement for Category 3, since fault detection in the frequency converter by way of sin²(φ) + cos²(φ) = 1 is of high quality (DC ≥ 99%) and so fast (within the process safety time) that a dangerous state does not arise (see [5], Section 6.2.6). This structure does not satisfy the designated architectures of ISO 13849-1; the simplified method in the standard for calculation of the PFH, and therefore SISTEMA software, cannot be used in the first instance.

2.2.3 Category 2, one conventional encoder

If the encoder subsystem is implemented with only a single encoder and fault detection is not possible within the process safety time, a Category 2 solution may be possible. Figure 6 shows the schematic circuit diagram and the safety-related block diagram.

Figure 6: Subsystem G1 in Category 2 with a single conventional rotary encoder and signal processing in the safe frequency converter T1 (schematic: encoder G1 feeds channel 1 and channel 2 of T1; monitoring for sin²(φ) + cos²(φ) ≠ 1 constitutes the DC of encoder G1; DCM = data cross monitoring, with a fault reaction)

Single-fault tolerance is not a requirement for Category 2; exclusion of mechanical faults is not therefore absolutely necessary. Strict requirements are however placed upon the MTTFd and the DCavg for PL d. In the preceding example for Category 3 with a single encoder, a fault exclusion was assumed for breakage of the coupling between movement and encoder. This was the only means by which single-fault tolerance could be attained, since no measures whatsoever are available for fault detection. This mechanical fault can also not be detected in Category 2. The principle of Category 2 is however that the safety function is tested at reasonable intervals. This condition cannot be met, owing to the lack of a facility for testing. In the absence of fault exclusion for coupling of the movement and encoder, implementation of the "single encoder" subsystem is therefore also not possible in Category 2.

2.3 SF1 with the use of a safe rotary encoder

All necessary safety-related data for safe encoders are stated by the manufacturer; they therefore constitute an encapsulated subsystem (see Figure 7).

Figure 7: SF1 – safety-related block diagram

Only the following is then necessary for the SF1 safety function considered here:
• Select an encoder that is suitable at least for use in PL d
• Calculate PFH: PFH_SF1 = PFH_encoder + PFH_T1
• Check whether the fault detection stipulated on the data sheet for the encoder is performed by the frequency converter T1

2.4 What is different for PL e?

If the SF1 safety function assumed in the example is to satisfy the requirements for Performance Level PL e, the requirements for the encoder subsystem differ from those for PL d as follows:

• MTTFd: medium/high → high
• DCavg: low/medium → high
• If the function is implemented in Category 4, attention must be paid to the possible accumulation of undetected faults.
• The information in ISO/TR 23849 [6] on the application of fault exclusions must be considered.

A sufficiently high MTTFd can – as always – be achieved only by the use of a suitable encoder. Should checking for sin²(φ) + cos²(φ) = 1 fail unnoticed, the next fault may lead to dangerous failure of the safety function. This is not permissible in Category 4. Further measures are therefore required, such as redundant performance of monitoring, testing of the efficacy of monitoring, use of two encoders, etc.

As described in 2.2, fault exclusion for the coupling between the movement and the encoder is required for single-encoder systems. ISO/TR 23849 [6] places constraints upon the application of fault exclusions in PL e and SIL 3, stating that it is not generally the rule. If the encoder is suitably mechanically overengineered, this is however also permissible in PL e/SIL 3 (see [2], Table D.16).

3 Guidance for selection

The conclusions from the discussion in the above paragraph are shown in Figure 8 diagrammatically. The flow chart is intended to assist in the reaching of decisions on the use of safe or conventional encoders. It draws attention to performance of the measures that may be required.

Figure 8: Use of safe or conventional encoders in PL c, d and e? (flow chart; the decision steps recoverable from the diagram are:)
  Start
  → Is fault exclusion possible for coupling of the movement and encoder?
      No: Use two encoders; a single fault must not simultaneously have dangerous effects upon both encoders.
  → Is the PL/SIL known for the encoder?
      No: For the encoder: are basic and well-tried principles applied? Perform FMEA; determine MTTFd; define DC measures; confirm CCF; consider systematic failures.
      Yes: Use encoder as specified by the manufacturer.
  → Ensure fault detection in the controller.
  → Is only a single encoder used?
      Yes: In Cat. 3/Cat. 4, faults must be detected within the process safety time.
  → All encoders considered?
      No: return to the start for the next encoder.
      Yes: End

4 Summary

Conventional rotary encoders can in principle be used in safety functions. It must however be demonstrated in each case that the required Performance Level is satisfied. This requires detailed knowledge of the product, which generally entails support by the manufacturer. The fault exclusion for the coupling between the movement and the encoder that is required for single-encoder systems is particularly critical. In comparison, the use of safe encoders is much simpler, since all the necessary safety-related information is available.

5 Literature

[1] EN ISO 13849-1: Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (07.07). Beuth, Berlin 2007
[2] EN IEC 61800-5-2 (VDE 0160-150-2): Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional (04.08). Beuth, Berlin 2008
[3] EN ISO 13849-2: Safety of machinery – Safety-related parts of control systems – Part 2: Validation (02.13). Beuth, Berlin 2013
[4] Bömer, T.; Schaefer, M.: Differences between using standard components or safety components to implement safety functions of machinery. Published by: Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung (IFA), Sankt Augustin 2011. www.dguv.de/webcode/m204554
[5] Hauke, M.; Schaefer, M.; Apfeld, R.; Bömer, T.; Huelke, M.: Functional safety of machine controls. BGIA-Report 2/2008e. Published by: Deutsche Gesetzliche Unfallversicherung (DGUV), Berlin 2009. www.dguv.de/webcode/e91335
[6] ISO/TR 23849: Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery (05.10). Beuth, Berlin 2010

Author: Ralf Apfeld
Division 5: Accident prevention/product safety
Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA), Sankt Augustin
