Electric Drives and Controls | Hydraulics | Linear Motion and Assembly Technologies | Pneumatics | Service
Safety on Board
Functional Safety in Automation Technology
Integrated, certified and consistent
Safety on Board –
integrated, certified and consistent

Whether the task involves machine tools, packaging and printing machines, assembly, handling or robot applications, the protection of personnel, machines and tools is absolutely paramount. In order to meet these expectations, modern safety concepts have to comply with demanding requirements such as “safe motion”, “safe processing of peripheral signals” and “safe communication”. Safety on Board from Rexroth meets all these requirements and is a synonym for well thought-out and intelligent safety solutions from the Automation House.

SafeMotion, the drive-based safety solution from Rexroth, means much more than just the “safe stop” of machinery. Rather, SafeMotion is the first step in the realization of safe machine concepts. SafeMotion allows the operator to have access to the process without danger, increases availability by reducing downtimes and therefore increases productivity.

SafeLogic, the controller-based safety solution from Rexroth, replaces inflexible wired safety relays with flexible, programmable safety software. With the consistent IndraWorks engineering framework, the system of processing signals from peripherals can be quickly and easily adjusted to a wide variety of machine concepts. SafeLogic can help to reduce start-up and validation times drastically, while a high-performance diagnostics tool delivers guaranteed maximum plant availability.
Our Automation House is a unique modular toolkit which gives you everything you need to create leading-edge automation solutions, from drive and control systems to the high-performance software framework for standardized engineering and user-friendly operation. This innovation gives you all the privileges associated with modern automation technology – integration, intelligence and investment for the future.
Integrated
Maximum protection for personnel, reduced downtime, increased availability and simplified start-up and validation – these are just some of the advantages of integrated safety technology from Rexroth. By integrating safety functions in standard components, we upgrade them to full-fledged safety components. These can be used as stand alone components or as part of our system solutions.

Certified
Safety on Board provides the machine manufacturer with a guarantee of maximum safety and reliability on the basis of components and system solutions which are tested and certified in accordance with the latest safety standards. This minimizes the cost and effort involved in the validation of plant and machinery and gives the manufacturer assurance – both in functional and legal terms.

Consistent
From the drive to the controller – SafeMotion and SafeLogic merge perfectly to form a comprehensive safety concept. To enable safety data to be exchanged between the controller and the drive, SERCOS has been extended to include the CIP Safety based SERCOS safety protocol. The control communication system transfers both standard data and safety data, eliminating any other interfaces and offering major potential for savings. The standardized IndraWorks engineering framework for configuration, programming and diagnosis increases plant availability and drastically cuts start-up times.
Safety on Board – From the drive to the control system, Rexroth offers safety solutions that can be optimally scaled. |
Safety peripherals can be integrated with the help of SERCOS safety or PROFIsafe – either directly or via safe I/O modules. This makes SafeLogic the first safety controller to support two safety protocols simultaneously.

It goes without saying that SafeMotion is also available as a stand alone component. The drive-integrated safety technology is capable of being integrated in every kind of system architecture via discrete, two-channel control systems or safe bus systems.
SafeMotion –
Safe stop and more
Safe drive technology from Rexroth means more than just safe stopping. Above all it is safe motion functions that give you the means of protecting your personnel effectively, increasing productivity and realizing new safety concepts.
Whenever operators have to work inside the machine, either for commissioning purposes or for process-related reasons, it is a requirement of the Machinery Directive that the machine manufacturer has made provision for special safety precautions, because any uncontrolled movements can be a danger for persons in the event of a malfunction. Rexroth has these malfunctions fully under control, as a pioneer of drive-integrated safety technology with many years of experience in the field. “Safety on Board” was introduced to the market by Rexroth as early as 1999 and has been continually expanded with the addition of further functions ever since.

Expanded range of functions
In addition to the traditional safe stop and motion functions, IndraDrive also supports more than 18 safety functions, such as safety door locking, various safely limited positions and a safe braking and holding system to prevent vertical axes from falling.

Convincing advantages:
• Increased machine productivity as a result of shorter special mode times
• No unnecessary idle times because the line circuit breaker does not have to be opened
• No need for re-synchronization of coupled axes
• Axis movements minimized thanks to ultra-short response times
• High reliability thanks to certified and integrated safety functions
• Savings on limit switches, measurement and analysis units and control cabinet size
• Reductions in time and money spent on certification
• Online self-monitoring instead of a forced offline checking procedure, i.e. no periodic machine shutdown needed for fault detection

[Figure: Axis movement in mm in a fault scenario – conventional safety technology up to 800 mm, IndraDrive safety technology from Rexroth 2 mm; safety increased 400-fold]
Before a user in the protected area reacts to an error with an acknowledgement linked to contacts, a linear axis with a ball screw has already traveled 100 to 200 mm, and linear motors have already traveled 400 to 800 mm. IndraDrive safety technology finds the error within 2 ms and the axis moves only 2 mm.
SafeMotion –
Certified safety functions
[Figure: beside each function a sketch of the monitored quantity – velocity V or position S – over time t]

Safe Torque Off (STO): Stop category 0 in accordance with IEC 60204-1: safe drive torque cut off
Safe Maximum Speed (SMS): The maximum speed is safely monitored irrespective of the mode of operation.
Safe Stop 1 (SS1): Stop category 1 in accordance with IEC 60204-1: safely monitored stop, control- or drive-controlled, with safe drive torque cut off
Safe Braking and Holding System (SBS): The safe braking and holding system controls and monitors two independent brakes.
Safe Stop 2, Safe Operating Stop (SS2, SOS): Stop category 2 in accordance with IEC 60204-1: safely monitored stop with safely monitored standstill at controlled torque
Safe Door Locking (SDL): When all the drives in one protection zone are in safe status, the safety door lock is released.
Safely Limited Speed (SLS): If the enable signal is given, a safely limited speed is monitored in special operating mode.
Safely Limited Increment (SLI): If the enable signal is given, a safely limited increment is monitored in special operating mode.
Safely Monitored Direction (SDI): A safe direction (clockwise, counterclockwise) is also monitored in addition to safe motion.
Safely Monitored Deceleration (SMD): Safely monitored deceleration ramp when stopping
Safely Limited Position (SLP): A safely limited position range is also monitored in addition to safe motion.
Safely Limited Position Switch (SPS): Monitoring of safe software limit switches
Safe Inputs/Outputs (SIO): Dual-channel safety peripherals can be connected to the drive and made available to the controller via the safety bus.
Safe Communication (SCO): Selection/deselection of safety functions and transfer of process data (e.g. actual position values) via the safety bus

All safety functions are certified as compliant with the standards ISO 13849-1:2006 1), IEC 61800-5-2:2007 1), IEC 61508:1998-2000 1), IEC 62061 1), ISO 13849-1:1999, EN 954-1:1996, ISO 13849-2:2003, IEC 60204-1:1997, EN 50178-1:1997, IEC 61800-3:2004, UL 508C R7.03, C22.2 No. 0.8-M86 (R2003), CAN/CSA C22.2 No. 14-95 and NFPA 79:2007 ER1 through TÜV Rheinland, TÜV Rheinland North America Inc. and SIBE Switzerland.
1) Currently in preparation
SafeMotion –
Fast, autonomous, reliable
Fast
The drive-integrated safety technology in IndraDrive monitors movements where they are generated. The results are very rapid response times of just 2 ms upon triggering of the internal monitors. This is particularly important for high-dynamic drives because otherwise there is a risk of impermissibly large residual distances. The drives remain in position control during any intervention work on the machine, which eliminates the need to disconnect from the mains power supply and re-synchronize coupled axes. Reducing these special mode times leads to significant improvements in plant productivity.

Stand alone
IndraDrive with integrated safety technology can be used as a stand alone component because two redundant and diverse monitoring channels are directly integrated in the drive. The safety peripherals, such as mode selectors or enable switches, for example, can be connected directly to the drive so that the safety functions can be switched active. In contrast to conventional safety technology there is no need for additional external measurement and monitoring devices. This results in space-saving, low-cost solutions.

Reliable
The safety functions in IndraDrive are tested by independent certification bodies and are compliant with the latest safety standards. You can rely on the certified safety of IndraDrive and therefore reduce the need to organize certification yourself. Since the complete monitoring system is integrated in the drive you can be sure of maximum safety without possibility of tampering.

[Figure: Conventional safety solution involving external relays – drive enable, an additional encoder and an external monitoring unit (standstill, speed, etc.) form channel 1 and channel 2 outside the drive – compared with IndraDrive drive-integrated safety technology, where both channels are inside the drive]
Simple start-up
The safety parameters – such as a monitored, limited speed, for example – are parameterized in a simple menu-guided start-up procedure. With removable memory cards, reproducing the safety parameters in series production machines is simplicity itself, as is re-importing whenever a switch of drive controller is made.

Simple service handling
For servicing, the safety parameters are simply imported to a new device. All that has to be checked is the identification of the drive (manufacturer, machine type, axis). There is no need for the validation procedures to be repeated again on-site.

There are different ways in which the dual-channel selection of the required safety functions in the drive can be realized:
• Option L1 – Safe Torque Off (STO): selection of the safety functions via both channels using 24 V contacts (24 V / 0 V or 24 V / 24 V)
• Option S1 – Safe Stop and Safe Motion 1): selection of the safety functions via both channels using 24 V contacts (24 V / 24 V)
• Option S1 – Safe Stop and Safe Motion 1): selection of the safety functions via one channel using a 24 V contact and one channel via the standard control communication system
• Option S1 – Safe Stop and Safe Motion 1): selection of the safety functions via both channels using the safety bus (safe control, safe communication system)
1) IndraDrive drives with Option S1 support all the safety functions shown on page 5.

[Figure: wiring sketches for the four options – control, communication system, Auto/Manual mode selector, channel 1 and channel 2 into the drive]
SafeMotion –
The safe braking and holding system
Rexroth is the first company in the world to integrate a safe braking and holding system in its drives for preventing vertical axes from crashing. This redundant concept provides maximum safety even after the power has been shut off.

Personnel frequently have to carry out work in the machining areas of plant and machinery – be it for commissioning, rectifying faults or as part of process optimization. Particular caution is required here if any axes are under the load of gravitational force in the area of access. Vertical or inclined axes can be a danger in particular when disconnected from the power supply because of the risk of falling unintentionally. Possible causes include holding brakes that are soiled, oily or damaged as a result of mechanical wear, or faults in the brake controls. The Rexroth safe braking and holding system provides protection against such dangers through three independent channels – sensing the motor torque and two redundant brakes.

Safety for man and machine
• Certified in accordance with EN 954-1, Category 3 for maximum safety
• Prevents axes under the load of gravitational force from falling
• Lightning response in the event of a malfunction thanks to drive-integrated monitoring
• Two independent brakes – separately controlled and monitored
• Redundant holding of the vertical axis even after the power supply has been switched off, e.g. in the event of an emergency switch-off or emergency stop
• Escalation strategy with graduated impact of the three braking forces minimizes the stress on the mechanical system
• Open for various different electrically released brakes – can also be installed on the load-side
Open for different brake systems
Different machines use different brake systems, which is why the safe braking and holding system is open and can also integrate products from other suppliers with ease. It is even possible to use hydraulically or pneumatically actuated rod or guide rail brakes. Both brakes have to be released electrically and comply with the specification for the control signals. For motors with housings the holding brake integrated in the motor is normally used as the first brake. The second brake takes the form of a brake fitted either directly to the motor flange or to the transmission exit end or on the load-side. This offers the advantage of ensuring that any failures in mechanical transmission elements are also reliably controlled as well. For direct drive motors, underlying principles mean that only load-side brakes can be used. The second channel brake control is provided by an external control unit monitored by the drive. There are no safety-specific requirements for the individual brakes.

Detecting dormant faults
To detect dormant faults (e.g. oily holding brakes) the brakes have to be tested at regular intervals. First the current load torque caused by the gravitational force has to be determined. The brakes are then applied in sequence and subjected to a load from the drive in both directions, the load in each case being 1.3 times the maximum weight load of the application. At the same time the positional information is monitored by two channels on the basis of a parameterizable tolerance range. An “overrunning” axis, caused for example by an oily brake, would be reliably detected and intercepted by this solution. Once both holding systems have successfully passed the brake test, the internal brake status is set to “Ok” for a parameterizable time. Within this time it will be permissible to enter and remain in the area beneath the vertical axis without the need for a new brake test.

[Figure: safe disconnection of the power supply, dual-channel selection of the safety functions, dual-channel control of the brakes and safe acknowledgement in the drive; universal integration of diverse types of brake, e.g. motor brake, attachment brake or brake fitted on the load-side]
The safe braking and holding system is based on two independent brakes which are separately controlled and monitored by the redundant and diverse channels in the drive.
SafeLogic –
Safe logic processing, simply programmed

SafeLogic from Rexroth – programmable, functional safety up to SIL 3, certified in accordance with IEC 61508. As an integral component of standard control systems it allows the user to program both standard and safety applications together on a control system with the same IndraWorks engineering tool. The applications are completely decoupled from each other so that any changes to the standard application have no influence on the safety application.

Functional principle
SafeLogic is available for controller- and PC-based control systems. This involves upgrading standard control systems with an optional function module. This function module provides all the resources required for safe logic processing. The information exchanged between the participants in a data connection, i.e. between the producer and the consumer, is exchanged in the form of safe data telegrams. If the consumer determines that the received data is incorrect or if there is an error in transmission, it switches to a predefined, safe error status. The transmission path therefore becomes a “Black Channel” and has no impact on safety – irrespective of the medium or transmission path selected.

Communication
For the communication interface it is possible to use either the SERCOS and/or PROFIBUS interface on the standard controller. Both networks are run simultaneously and serve both the standard and the safety components in a mix. To this end, not only is SERCOS safety supported but the PROFIsafe V2 protocol for connecting intelligent third-party safety components as well.

[Figure: SERCOS safety and PROFIsafe telegrams cross the standard network as a “Black Channel”]
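The black-channel principle from the functional-principle section, as an added example that is not part of the brochure and not the SERCOS safety or CIP Safety telegram format: the layout (connection id, 16-bit sequence counter, payload, CRC-32), the watchdog and the substitute value are constructed assumptions. What it shows is that the consumer checks every telegram itself and otherwise falls back to the predefined safe state, so the path in between may be any medium.

```python
"""Safe telegram producer/consumer over an untrusted "Black Channel" (constructed example)."""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

HEADER = struct.Struct(">HH")   # connection id, sequence counter (constructed layout)
CRC = struct.Struct(">I")       # CRC-32 over header and payload
FAIL_SAFE_OUTPUTS = b"\x00"     # constructed substitute value: all safety outputs off


def build_telegram(conn_id: int, seq: int, payload: bytes) -> bytes:
    """Producer side: frame the process data as a safe telegram."""
    body = HEADER.pack(conn_id, seq & 0xFFFF) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


@dataclass
class SafeConsumer:
    conn_id: int
    watchdog_ms: int                     # maximum age of the last valid telegram
    expected_seq: int = 0
    last_ok_ms: Optional[int] = None
    last_payload: bytes = FAIL_SAFE_OUTPUTS
    fail_safe: bool = False
    fault: Optional[str] = None

    def _trip(self, reason: str) -> bytes:
        """Enter the predefined safe error state; it latches until acknowledged."""
        self.fail_safe = True
        self.fault = reason
        self.last_payload = FAIL_SAFE_OUTPUTS
        return FAIL_SAFE_OUTPUTS

    def receive(self, frame: Optional[bytes], now_ms: int) -> bytes:
        """Called once per cycle with the frame that arrived (None if nothing did).
        Returns the process data to act on: the trusted payload or safe substitutes."""
        if self.fail_safe:
            return FAIL_SAFE_OUTPUTS
        stale = self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms
        if frame is None:
            # Hold the last valid data until the watchdog expires, then fail safe.
            return self._trip("watchdog expired") if stale else self.last_payload
        if stale:
            return self._trip("telegram too late")
        if len(frame) < HEADER.size + CRC.size:
            return self._trip("truncated telegram")
        body, crc = frame[:-CRC.size], frame[-CRC.size:]
        if CRC.unpack(crc)[0] != zlib.crc32(body) & 0xFFFFFFFF:
            return self._trip("CRC error")            # corruption in transit
        conn_id, seq = HEADER.unpack(body[:HEADER.size])
        if conn_id != self.conn_id:
            return self._trip("misrouted telegram")  # insertion or masquerade
        if seq != self.expected_seq:
            return self._trip("sequence error")      # loss, repetition or reordering
        payload = body[HEADER.size:]
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_ok_ms = now_ms
        self.last_payload = payload
        return payload

    def acknowledge(self) -> None:
        """Acknowledgement after the cause has been cleared; the connection restarts at seq 0."""
        self.fail_safe, self.fault, self.expected_seq, self.last_ok_ms = False, None, 0, None


if __name__ == "__main__":
    consumer = SafeConsumer(conn_id=7, watchdog_ms=30)
    print(consumer.receive(build_telegram(7, 0, b"\x01"), 0))       # trusted payload
    damaged = bytearray(build_telegram(7, 1, b"\x01"))
    damaged[HEADER.size] ^= 0x40                                      # bit flip in transit
    print(consumer.receive(bytes(damaged), 10), consumer.fault)       # safe substitute, "CRC error"
```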
Programming
The safety application is created with the IndraWorks SafetyManager. Programming is in accordance with the principles of the PLCopen-Safety specification. The principle is that the programming is configured along similar lines to the wiring of discrete safety relays. Certified function modules take the place of the relays, and graphic connections (programming) between the function modules replace the discrete wiring.

[Figure: Old: discrete wiring of safety relays – New: graphic wiring of function blocks; IndraWorks covers project planning (programming, parameterization) and operation (visualization)]

At an organizational level a distinction is made between two user groups:
• The basic level user only connects up the function blocks along the same lines as the discrete wiring. The resultant program reduces to a minimum the cost and effort involved in the validation process.
• For the extended level user the more extensive functionality allows user-defined function blocks to be created. However, the effort involved in the validation of these function blocks is considerably higher. On the other hand, once they have been verified they are suitable for use in the basic level, with the aforementioned advantages. This therefore provides a simple means of implementing organizational measures associated with functional safety management.
SafeLogic –
Safe peripherals without limits
Safe peripherals are integrated via the standard bus systems SERCOS III and PROFIBUS DP, with PROFINET IO to be available in the future as well. When used together with the controller-based IndraControl L, safe I/O modules can be integrated directly via the local bus – with any order of standard and SafetyIO modules possible.

Safe interlinked machinery
The safe exchange of data between the individual safety controllers for machine linkages is also via SERCOS safety and the C2C transport mechanism of SERCOS III.

Safe drive technology
The IndraDrive drive-integrated safety technology can be integrated in networks via SERCOS III for interpolation drives. It is also possible to integrate drives in positioning block mode via PROFIBUS DP, with integration via PROFINET IO also available in future.

Safe inputs and outputs
To meet requirements for safety integrity, Rexroth Inline SIL 2 and SIL 3 SafetyIO modules are available for safety peripheral signal inputs and outputs. The I/O modules can be run on SERCOS, PROFIBUS DP and the local bus regardless.

[Figure: Topology – PC-based and controller-based safety controllers (safety function module) linked via SERCOS safety C2C; SIL 2 and SIL 3 SafetyIO on the Inline local bus; IndraDrive with SERCOS safety; IndraDrive with PROFIsafe]
SIL 2
For SIL 2 requirements (PL d) the Rexroth Inline DI8, DI16 and DO8 standard I/O modules can be used. A SafetyIO converter containing all the safety-related measures is positioned upstream of the “safe” I/O modules. Here, one SIL 2 input is generated from input channels assigned in pairs to two standard input modules. The required test pulses can be directly picked off the module. Both mono and complementary NC and NO combinations can be connected. All stuck-at faults and crossover faults are detected. A SIL 2 output is designed in such a way that one physical output can be used to switch two redundant contactors. The contactor is monitored directly in the SafetyIO converter via the self-monitoring external device monitoring inputs.

[Figure: IndraControl L with local and distributed SafetyIO via SERCOS safety or PROFIsafe]

The advantage
This offers average savings of 40% compared to SIL 3 modules, depending on the expansion option. The range of types is also reduced since they are used as standard modules as well.

SIL 3
The requirements of SIL 3 (PL e) apply only in exceptional cases. Rexroth Inline supplies special SIL 3 SafetyIO modules for these applications.
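The dual-channel input evaluation sketched in the SIL 2 section (paired standard inputs, test pulses, mono or complementary NC/NO pairs, stuck-at and crossover detection), as an added example that is not part of the brochure and not the logic of the Rexroth SafetyIO converter: the channel models, the fault texts and the discrepancy timing are constructed assumptions.

```python
"""Two-channel evaluation of one SIL 2 input with test pulses (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A channel pair is modelled as a function of the two test-pulse outputs (T1, T2):
# read(t1, t2) -> (level of channel 1, level of channel 2), each 0 or 1.
ChannelPair = Callable[[int, int], Tuple[int, int]]


@dataclass
class DualChannelInput:
    antivalent: bool        # complementary NC/NO pair (True) or equivalent pair (False)
    discrepancy_ms: int     # how long the two channels may disagree
    mismatch_since_ms: Optional[int] = None
    fault: Optional[str] = None

    def evaluate(self, read: ChannelPair, now_ms: int) -> bool:
        """Return the safe input value: True only if both channels demand it and
        no fault has been found. A detected fault latches and forces False."""
        if self.fault is not None:
            return False
        # 1. Test pulses. Each channel is fed from its own pulse output, so with both
        #    pulses off every channel must read 0 (else it is stuck at 1), and with only
        #    one pulse on, the other channel must read 0 (else the lines are shorted).
        z1, z2 = read(0, 0)
        if z1 or z2:
            self.fault = f"stuck-at-1 on channel {1 if z1 else 2}"
            return False
        _, a2 = read(1, 0)
        b1, _ = read(0, 1)
        if a2 or b1:
            self.fault = "crossover between channels"
            return False
        # 2. Actual read with both pulses on; an antivalent pair is normalised so that
        #    "demand" is 1 on both channels.
        n1, n2 = read(1, 1)
        if self.antivalent:
            n2 = 1 - n2
        if n1 == n2:
            self.mismatch_since_ms = None
            return n1 == 1
        # 3. Discrepancy time: tolerate switching skew, fault if the disagreement lasts
        #    too long (this is also what catches a channel stuck at 0 or an open wire).
        if self.mismatch_since_ms is None:
            self.mismatch_since_ms = now_ms
        elif now_ms - self.mismatch_since_ms > self.discrepancy_ms:
            self.fault = "discrepancy time exceeded"
        return False


# Constructed channel models
def healthy_pair(closed1: bool, closed2: bool) -> ChannelPair:
    """Each channel follows its own test pulse when its contact is closed."""
    return lambda t1, t2: (t1 if closed1 else 0, t2 if closed2 else 0)


def shorted_pair(closed1: bool, closed2: bool) -> ChannelPair:
    """Wiring fault: both input lines tied together, so each sees either pulse."""
    def read(t1: int, t2: int) -> Tuple[int, int]:
        level = (t1 if closed1 else 0) | (t2 if closed2 else 0)
        return level, level
    return read


def stuck_high_ch2(closed1: bool) -> ChannelPair:
    """Channel 2 shorted to 24 V: it reads 1 whatever the test pulse does."""
    return lambda t1, t2: (t1 if closed1 else 0, 1)


if __name__ == "__main__":
    sil2_input = DualChannelInput(antivalent=False, discrepancy_ms=50)
    print(sil2_input.evaluate(healthy_pair(True, True), 0))     # True: both channels demand
    print(sil2_input.evaluate(shorted_pair(True, True), 10), sil2_input.fault)  # False, crossover
```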
SafeLogic – Technical data
Safety function module
Platform: IndraControl L, 20 x 120 x 70 mm (W x H x D); IndraControl P, PCI format
Protocols: SERCOS safety yes; PROFIsafe V2 yes
Number of safety participants: 64
Telegram memory: max. 2 kByte
Fail-safe I/O: > 500
Processing time per 1k of instructions: 0.5 ms
Cycle times: protocol cycle time min. 1 ms; safety cycle time typ. 10 – 30 ms
Ambient conditions: 5 – 55 °C
Voltage supply: internal

SIL 2 SafetyIO converter
SafetyIO converter per station: 1
Interfaces: PROFIBUS DP yes; SERCOS III in preparation; local bus (Rexroth Inline) in preparation
Digital inputs: SIL 2 channels (PL d/Cat. 3) max. 32; test signals 2
Digital outputs: SIL 2 channels (PL d/Cat. 3) max. 16; output current 0.5 A
Device monitoring: 16
Filter groups: 4
Discrepancy time groups: 4
Group switch-off: yes
Ambient conditions: 5 – 55 °C
Voltage supply: 24 V (max. 8 A)
Actuator supply: 6 A
Current load UT1, UT2: 0.7 A each
UL: 260 mA

SIL 3 SafetyIO module
Input channels: SIL 2 channels (PL d/Cat. 3) / SIL 3 channels (PL e/Cat. 4) 8/4; cycle signals 2
Output channels: SIL 3 channels (PL e/Cat. 4) 8; output current 2 A
Ambient conditions: 5 – 55 °C
SERCOS safety –
for safe communication worldwide
Safe data transmission up to SIL 3 in accordance with IEC 61508 – SERCOS safety combines the advantages of the SERCOS III Ethernet-based communication system and the internationally established safety protocol CIP Safety. This permits real time, safety and standard IP data to be exchanged via the same medium and beyond the CIP Safety-based networks and components.

SERCOS safety means:
• The use of the CIP Safety 1) mechanisms for protocol security
• Adaptation of SERCOS on CIP Safety
• SERCOS-specific safety profile

SERCOS safety offers the following:
• Simple realization of safety applications up to SIL 3 in accordance with IEC 61508, even for ultra-short cycle times
• Drastic reduction in topology costs compared to current solutions
• Drive-integrated safety functions incorporated in the machine control system to optimum effect, increasing plant productivity in the process
• Realization of homogeneous safety solutions in which the control system, drive, data transmission and I/O peripherals all merge to optimum effect
• Implementation of central and distributed architectures to meet the highest requirements in terms of performance and determinism

SERCOS III
Direct cross-communication permits data exchange between two safety slaves without the safety master having to route the data. SERCOS III can therefore be used to create structures which work without any central safety control system whatsoever and which allow ultra-short response times.

[Figure: SERCOS safety – integrated safety: layer diagram with SERCOS safety profiles, the adaptation to CIP Safety and SERCOS III alongside CIP Safety profiles, CIP Safety and SERCOS]

1) CIP Safety is a registered trademark of the ODVA (Open DeviceNet Vendor Association)
Safety on Board –
In machine tools

Safety-related control functions acc. EN 954-1:1996
C standard | Machine type | Enable device | Reduced speed | Interlocking of guards | Emergency stop
EN 12417: Mar 2007 | Machining centers | Category 3 | Category 1 and verification, Category 3 | Category 3 | Category 3
EN 12415: May 2003 | Turning lathes | Category 3 | Category 3 | Category 3 | Category 1 (contact-based), Category 3 (electronic)
EN 14070: Jan 2006 | Transfer and single-purpose or special-purpose machines | Category 3 | Category 1 and verification, Category 3 | Category 3 | Category 3

When it comes to setting up tools and probes, carrying out control measurements or clearing faults, the SafeLogic and SafeMotion control and drive-integrated safety functions ensure that applications can be configured safely and easily, in accordance with EN 12415, EN 12417 and EN 14070, for example. As long as the guard doors are closed the machine produces at full speed. In special mode the doors are allowed to be opened and, depending on the protection area, various safety functions are active which, for example, monitor the safe operating stop or permit operation at limited speed. In automatic mode it is possible to have the process monitored with higher safely monitored speeds.

[Figure: Example topology: Machine tool – IndraMotion MTX control, IndraDrive/IndraDyn axes X, Y, Z, B, S and TC via SERCOS safety, Inline SIL 2 IO via SERCOS safety or PROFIsafe, Auto/Manual mode selector]
Safety on Board –
In printing and converting machines
Safety-related control functions acc. EN 954-1:1996 (EN 1010: Safety requirements for the design and construction of printing and paper converting machines)
C standard | Machine type | Without regular access as part of operations | With regular access as part of operations
EN 1010-1: Mar 2005 | Common requirements | Category 3 | Category 4
EN 1010-2: Jan 2006 | Printing and varnishing machinery including pre-press machinery | Refer to EN 1010-1 | Refer to EN 1010-1
EN 1010-3: Dec 2002 | Cutting machines | Refer to EN 1010-1 | Refer to EN 1010-1
EN 1010-4: Sept 2004 | Bookbinding, paper converting and finishing machines | Refer to EN 1010-1 | Refer to EN 1010-1
EN 1010-5: Oct 2005 | Machines for the production of corrugated board and machines for the conversion of flat and corrugated board | Refer to EN 1010-1 | Refer to EN 1010-1

Whether for changing plates or offset blankets, washing the rollers or changing the reels, SafeLogic and SafeMotion have everything needed for safe printing and paper conversion in accordance with the requirements, for example, of EN 1010. The safety functions, such as the monitoring of protection areas, limited speeds or safe direction of rotation, are certified functions which are available in the controller and the drive. These safety functions are easy to integrate in the application with the help of function blocks, enabling safety and standard applications to be merged with each other to optimum effect.

[Figure: Example topology: Printing press – IndraMotion MLC controllers per section and unit linked via SERCOS safety, IndraDrive/IndraDyn drives via SERCOS safety, Inline SIL 2 IO via SERCOS safety or PROFIsafe]
Safety on Board –
In packaging machines
C standard | Machine type | Servo-drive systems: Safe Operating Stop | Safety-related control functions
EN 415-2: Oct 2000 | Pre-formed rigid container packaging machines | Category 2
EN 415-3: Oct 2000 | Form, fill and seal machines | Category 1 or 2
EN 415-4: Aug 1997 | Palletizers and depalletizers | Category 1 or 2
EN 415-5: Oct 2006 | Wrapping machines | Refer to IEC 61508
EN 415-6: Oct 2003 | Pallet wrapping machines | Category 3 | Category 3
EN 415-7: Oct 2006 | Group and secondary packaging machines | SIL 2 | SIL 1
EN 415-8: Jan 2005 | Strapping machines | Category 3 | Category 1 to 3

Be it during forming, filling, closing, multi-packing or palletizing – if a product or wrapper becomes jammed, for example, then the operator will need to access the inside of the machine safely in order to rectify the fault quickly. SafeLogic and SafeMotion enable a safe torque cut-out or a safe operating stop that does not entail switching off the power electromechanically and therefore does not result in a time-consuming machine restart. Overall equipment effectiveness (OEE) can thus be significantly increased. The requirements imposed by standards such as EN 415 for packaging machines can be met with SafeLogic and SafeMotion.

[Figure: Example topology: Food processing and packaging machine – IndraMotion MLC control, IndraDrive/IndraDyn drives via SERCOS safety, Inline SIL 2 IO via SERCOS safety or PROFIsafe, Auto/Manual mode selector]
Safety on Board –
In handling and assembly applications
C standard | Machine type | Drives | Safety-related control functions
EN ISO 10218: Feb 2007 | Robots for industrial environments – Safety requirements | Category 3
EN 201 (A2): Oct 2005 | Injection-molding machines | Category 3 in accordance with Annex G.3, Category 4

Today, modern manufacturing cells with multiple access points have to be capable of meeting the following requirements:
• Safe release of the working area of interlinked robots
• Material infeed and fault clearance must be possible
• The robots must be capable of being set up for new production jobs by the operator

SafeLogic and SafeMotion implement the requirements of standards such as ISO 10218 safely and easily. During the teaching in of new positions and operations, SafeMotion provides protection against uncontrolled axis movements. The robots can move under full load in the process. Peripherals are integrated via SERCOS safety or PROFIsafe SIL 2 and SIL 3 SafetyIO modules.

[Figure: Example topology: Handling application – IndraLogic controllers, IndraDrive/IndraDyn drives, Inline SIL 3 IO and SIL 2 IO via SERCOS safety or PROFIsafe, Auto/Manual mode selector]
Functional safety –
Not just a question of standards
With the CE Mark of Conformity the manufacturer declares that his plant and machinery meet basic safety requirements. Standards help to provide the basis for verifying that this is actually the case. Does this mean that safety technology is simply a question of standards? Certainly they cover basic requirements, but they do not absolve the manufacturer from his responsibilities in respect of risk assessment and the implementation of measures.

[Figure: Risk assessment flowchart – Start; Specification of the limits of the machine; Identification of hazards; Risk estimation; Risk assessment; Safe? Yes: End; No: Measures for risk reduction, after which the assessment is repeated]

Analysis of potential hazards / Risk assessment
EN ISO 12100 and EN 1050 (ISO 14121) specify the basic process involved in identifying dangers, estimating risks and developing and assessing the effectiveness of measures.

The European Machinery Directive
Manufacturers of plant and machinery are required to carry out an analysis of potential dangers and a risk assessment before construction is permitted. This is stipulated in the European Machinery Directive 98/37/EC, or the revised version 2006/42/EC. The Machinery Directive has been incorporated in the national legislation of all the countries of Europe, which means that it is legally binding. The European Commission draws attention to the fact that the requirements of 2006/42/EC, ensuing as a consequence of the new Machinery Directive, can and should be complied with as of now in the development and manufacture of machinery. However, up until Dec. 29, 2009 it is still permissible for Declarations of Conformity to refer to 98/37/EC only.

CEN/CENELEC
The harmonized standards organized by CEN/CENELEC provide the manufacturers with help with verification, because it can be assumed that in applying them the manufacturer will be conforming with the requirements of the Machinery Directive at the same time. However, in legal terms they are not binding.

C standards
C standards stipulate specified requirements for certain types of machine such as, for example, machining centers, printing presses and paper converting machinery and presses. Machine types covered by C standards have had a risk analysis carried out and the standards also specify concrete measures for the reduction of risks for those machine types. For those machines or parts of machines which are not included in the C standards, the manufacturer is responsible for undertaking the analysis of potential dangers and the risk assessment himself.
21
Standards in a state of change
Up to now the safety-related components of machine control systems have had to be designed in compliance with EN 954-1. As from November 2009 the only applicable standard will be its successor, EN ISO 13849-1. This means that EN 954-1 may only be used for a transitional period for machines brought into circulation before the deadline of October 2009.

[Figure: timeline – European Machinery Directive 98/37/EC, replaced by 2006/42/EC (January 2010); EN 954-1 as applicable standard with a transitional period of 3 years; EN ISO 13849-1 and EN 62061 as applicable standards; dates marked: January 2006, November 2006, November 2007, November 2009]

Accounting for failure probabilities
EN 954-1 takes a deterministic approach which is largely defined by hardware-oriented structures and categories. With the growing importance of programmable electronics, in particular, in safety technology, it became necessary to adjust the simple error model to account for advances in technology and take account of modern concepts as well. The new safety standards therefore take account of a probabilistic approach. Instead of considering the failure of a safety function in absolute terms, it is assessed in terms of probability. Depending on the potential risk, the safety measure has to demonstrate a certain level of reliability, i.e. there must only be a certain probability of it failing. The entire product life-cycle is taken into account because many systematic “faults” occur early on in the planning stage. From the specifications and implementation to modifications and taking out of operation, requirements are made of all the phases in the life-cycle. Implementation is checked by means of verification and validation, which has to be planned in concrete form in advance as part of a “Functional Safety Management Process” designed to ensure that quality is guaranteed.

IEC 61508
The IEC 61508 standard is the “mother” of all safety standards which take a holistic probabilistic approach. It classifies the probabilities of failure in Safety Integrity Levels (SIL) 1–4, with the requirements of SIL 4 being the highest. As a general rule this standard is used by manufacturers of safety devices as a test standard. For machine builders, however, the requirements and measures are specified on a user-oriented basis in the standards IEC 62061 / ISO 13849-1.

IEC 62061:2005
Since Jan. 1, 2006 the IEC 62061 standard can be taken into account as a harmonized standard for electrically and electronically programmable safety technology in machines. It is based on IEC 61508 and applies the level restricted to SIL 1–3 for classification. In order to simplify the calculation of reliability for the safety function, it specifies 4 sub-system architectures. In terms of the programming of the safety application, the requirements of IEC 62061 are more limited than those of IEC 61508 in relation to the graphic programming languages like ladder diagram (LD) or function block diagram (FBD).

ISO 13849-1:2006
ISO 13849-1 is based on the well-known hardware-oriented structures and categories in EN 954-1 but also combines them with failure probabilities. Unlike the IEC 62061 standard, ISO 13849-1 can also be applied to non-electrical/non-electronic systems. The requirements are grouped in 5 performance levels (PL). ISO 13849-1 is also restricted to simple graphic programming languages.

IEC 61800-5-2:2007
The IEC 61800-5-2 standard is a product standard for electrical drives with integrated safety functions. The requirements are based on IEC 61508 and are also expressed in Safety Integrity Level (SIL) 1–3.
The required reliability of a safety function is determined with reference to severity (S), frequency (F) and potential for prevention (P). The required performance level (PL) is determined in accordance with ISO 13849-1 on the basis of these classifications.

In contrast, IEC 62061 allocates points (1–5) for the evaluation of the influencing factors and also takes the likelihood of occurrence (W) into consideration. The sum F + W + P therefore determines the required SIL depending on the severity (S).

For the evaluation of the achieved level of safety integrity, IEC 62061 stipulates a simplified mathematical procedure for predefined system structures. ISO 13849-1, on the other hand, specifies the estimation of reliability (PL) as being dependent on the hardware-oriented structure (category), the determined mean time to dangerous failure (MTTFd) and the diagnostic coverage (DC) of a safety function.

Relationship between PL and SIL and the probability of failure in accordance with ISO 13849-1:2006

Performance Level (PL)   Probability of dangerous failure   Safety integrity level (SIL)
ISO 13849-1:2006         per hour (1/h)                     IEC 61508 / IEC 62061:2005
a                        ≥ 10^-5 to < 10^-4                 –
b                        ≥ 3 × 10^-6 to < 10^-5             1
c                        ≥ 10^-6 to < 3 × 10^-6             1
d                        ≥ 10^-7 to < 10^-6                 2
e                        ≥ 10^-8 to < 10^-7                 3
–                        < 10^-8                            4
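The ISO 13849-1 estimation route described above (PL from category, MTTFd and DC), as an added example in Python that is not from the brochure or from Rexroth: MTTFd and DC are banded the way ISO 13849-1:2006 does, and the achievable PL is read from the standard's simplified category/DC/MTTFd lookup as recalled here, so the cell values should be checked against the standard itself before use. Function and parameter names are this example's own, and the design data in main() are constructed.

```python
"""Achievable PL from category, MTTFd and DC (ISO 13849-1 simplified procedure).

Added example, not from the brochure.  MTTFd (years) and DC (%) are banded as
in ISO 13849-1:2006 and the PL is read from the standard's simplified lookup
table as recalled here; verify the cells against the standard before use.
Function and parameter names are this example's own.
"""
from typing import Optional

MTTFD_BANDS = ("low", "medium", "high")


def mttfd_band(years: float) -> Optional[str]:
    """Band the MTTFd of each channel: low 3 y to <10 y, medium 10 y to <30 y,
    high 30 y to 100 y.  Below 3 y is not acceptable (None); above 100 y is
    capped at 100 y, as the standard does."""
    if years < 3:
        return None
    years = min(years, 100.0)
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc_percent: float) -> str:
    """Band diagnostic coverage: none <60 %, low 60 % to <90 %,
    medium 90 % to <99 %, high >=99 %."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


# (category, DC band) -> PL reached with MTTFd low / medium / high.
# None marks a combination the simplified procedure does not cover.
PL_LOOKUP = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}


def achievable_pl(category: str, mttfd_years: float, dc_percent: float) -> Optional[str]:
    """Return the PL the structure reaches, or None when the combination is not
    covered (e.g. category 3 with DC below 60 %, or MTTFd below 3 years)."""
    band = mttfd_band(mttfd_years)
    if band is None:
        return None
    row = PL_LOOKUP.get((category, dc_band(dc_percent)))
    if row is None:
        return None
    return row[MTTFD_BANDS.index(band)]


def main() -> None:
    # Constructed design data for a few candidate structures of one safety function.
    for cat, mttfd, dc in (("B", 8, 0), ("1", 40, 0), ("3", 45, 92), ("4", 60, 99)):
        print(f"Cat {cat}, MTTFd {mttfd} y ({mttfd_band(mttfd)}), DC {dc} % ({dc_band(dc)})"
              f" -> PL {achievable_pl(cat, mttfd, dc)}")


if __name__ == "__main__":
    main()
```

A None result is the useful output here: it says the chosen category cannot reach any PL with that MTTFd and DC, so either the channel quality or the diagnostics must be improved rather than the required PL argued down.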
[Figure: risk graphs – ISO 13849-1:2006: severity S1/S2, frequency F1/F2 and possibility of avoidance P1/P2 lead to the required PL, from PL a (S1, F1, P1) up to PL e (S2, F2, P2); IEC 62061:2005: Class = F + W + P, and the class ranges 8–10, 11–13 and 14–15 together with severity S1–S4 lead to SIL 1, SIL 2 or SIL 3]

S  Severity of injury
F  Frequency and/or exposure to a hazard
P  Possibility of avoiding the hazard or limiting the harm
W  Probability of hazardous event
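The two routes to a required safety level described above, as an added example in Python that is not the brochure's or Rexroth's code: the ISO 13849-1 risk graph (S, F, P) gives the required PL, the IEC 62061 class F + W + P together with the severity S gives the required SIL, and the PL/SIL/PFH table on this page relates an achieved probability of dangerous failure per hour back to both scales. The SIL cells follow the figure on this page; the cells where IEC 62061 asks only for other measures (OM) or for nothing are taken from IEC 62061:2005 Table A.6 as known to the editor, the hazard scores and the PFH value in main() are constructed, and function and parameter names are this example's own.

```python
"""Required PL (ISO 13849-1 risk graph), required SIL (IEC 62061 class matrix)
and the PL/SIL/PFH relationship.

Added example, not the brochure's own code.  Risk graph and PFH bands follow
the figures and table on this page; the OM/no-requirement cells of the SIL
matrix are from IEC 62061:2005 Table A.6 as recalled here.  Names are this
example's own.
"""
from typing import Optional, Tuple

# ISO 13849-1:2006 risk graph: (S, F, P) -> required PL.  S1/S2 = slight/serious
# injury, F1/F2 = seldom/frequent exposure, P1/P2 = avoidance possible/scarcely possible.
RISK_GRAPH_PL = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def required_pl(s: int, f: int, p: int) -> str:
    """Required performance level for severity S, frequency F and avoidance P (each 1 or 2)."""
    try:
        return RISK_GRAPH_PL[(s, f, p)]
    except KeyError:
        raise ValueError("S, F and P must each be 1 or 2") from None


# IEC 62061:2005: severity Se (1..4) and class Cl = F + W + P -> required SIL.
# Each row lists (lowest class, highest class, result); "OM" = other measures
# recommended, no SIL required; a class below the row's first range has no requirement.
SIL_MATRIX = {
    4: ((3, 4, "SIL 2"), (5, 7, "SIL 2"), (8, 10, "SIL 2"), (11, 13, "SIL 3"), (14, 15, "SIL 3")),
    3: ((3, 4, "OM"), (5, 7, "OM"), (8, 10, "SIL 1"), (11, 13, "SIL 2"), (14, 15, "SIL 3")),
    2: ((5, 7, "OM"), (8, 10, "OM"), (11, 13, "SIL 1"), (14, 15, "SIL 2")),
    1: ((8, 10, "OM"), (11, 13, "OM"), (14, 15, "SIL 1")),
}


def required_sil(se: int, f: int, w: int, p: int) -> Optional[str]:
    """Return 'SIL 1'..'SIL 3', 'OM', or None (no requirement) for severity Se
    and the points F, W, P (1..5 each, as the text describes)."""
    if se not in SIL_MATRIX:
        raise ValueError("severity Se must be 1..4")
    for points in (f, w, p):
        if not 1 <= points <= 5:
            raise ValueError("F, W and P are scored 1..5")
    cl = f + w + p
    for lo, hi, result in SIL_MATRIX[se]:
        if lo <= cl <= hi:
            return result
    return None


# PL <-> PFH <-> SIL bands from the table above (lower bound inclusive, upper
# bound exclusive).  PFH >= 1e-4 reaches no PL; PFH < 1e-8 corresponds to SIL 4.
PFH_BANDS = (
    (1e-5, 1e-4, "a", None),
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
    (0.0, 1e-8, None, 4),
)


def level_from_pfh(pfh: float) -> Tuple[Optional[str], Optional[int]]:
    """Map an achieved probability of dangerous failure per hour to (PL, SIL)."""
    for lo, hi, pl, sil in PFH_BANDS:
        if lo <= pfh < hi:
            return pl, sil
    return None, None


PL_ORDER = "abcde"


def pl_satisfied(required: str, pfh: float) -> bool:
    """True when the achieved PFH is at least as good as the required PL demands."""
    if pfh < 0:
        raise ValueError("PFH cannot be negative")
    if pfh < 1e-8:                      # better than PL e
        return True
    achieved, _ = level_from_pfh(pfh)
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


def main() -> None:
    # Constructed hazard: serious injury (S2), seldom exposure (F1), hardly avoidable (P2).
    pl = required_pl(2, 1, 2)
    # The same hazard scored for IEC 62061: Se 3, F 5, W 4, P 3 -> class 12.
    sil = required_sil(3, 5, 4, 3)
    pfh = 5e-7                          # constructed achieved value for the safety function
    print(f"ISO 13849-1 requires PL {pl}; IEC 62061 requires {sil}")
    print(f"PFH {pfh:.1e}/h gives (PL, SIL) {level_from_pfh(pfh)}; PL {pl} met: {pl_satisfied(pl, pfh)}")


if __name__ == "__main__":
    main()
```

Running main() shows the two routes agreeing for this hazard (PL d and SIL 2 share the 10^-7 to 10^-6 band), but they need not agree in general, which is why the required level should be fixed by the standard the machine is actually assessed against rather than converted from the other.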
Standards for functional safety – European and worldwide

Globalization and harmonization
Other countries, other regulations: Country-specific regulations generally make it necessary to develop different, country-specific machine concepts. However, the precondition … the world.

[Figure: international standards map – ISO 12100 / ISO 14121; IEC 61508, IEC 60204-1, IEC 62061, IEC 61800-5-2; ISO 13849-1; Europe: European Machinery Directive, EN 62061, EN 60204, EN ISO 13849 …; North America: OSHA, NFPA 79:2007, ANSI/PMMI B155.1, ANSI B65.1 …]
Safety standards in the USA
The 1970 Occupational Health and Safety Act requires that safety has to be guaranteed for all work on plant and machinery. In particular, if the owner/operator of the machine knowingly allows his personnel to be exposed to preventable hazards, he can expect to pay penalties running to millions of dollars in the event of an accident. The Occupational Safety and Health Administration (OSHA) issues higher authority standards, but also often refers to “standards” of the American National Standards Institute (ANSI), which can be applied in a similar way to the European presumptive effect. User organizations and associations such as the NFPA, NEMA, PMMI, RIA, etc., also produce additional machine-specific standards which are often incorporated in an ANSI standard.

International harmonization of standards
The introduction of the IEC 61508 standard and other standards derived from it, such as IEC 62061 and ISO 13849-1, is a further step towards the international harmonization of the relevant safety standards. These standards have already had an influence on many American standards, and/or compliance with the standards is made a condition for the use of safety-related components. The ANSI/PMMI B155.1 (2006) standard, for example, harmonized the process for risk analysis in accordance with ISO 12100 / ISO 14121 and refers to IEC 61508, IEC 62061 and ISO 13849-1, among others. The 2007 edition of NFPA 79 takes account of drive systems which have been tested as acceptable in accordance with IEC 61508 and/or IEC 61800-5-2.

NRTL Listing
OSHA designates testing organizations as “Nationally Recognized Testing Laboratories (NRTL)”. Even where these institutions make use of IEC 61508, for example, as the basis for testing, and the results of the test correspond to those carried out by a testing organization certified in the EU, many North American companies still insist on a test by an NRTL. Bosch Rexroth therefore works with TÜV Rheinland North America Inc., as it is a testing organization which has NRTL certification from OSHA.
Bosch Rexroth AG
Electric Drives and Controls
P.O. Box 13 57
97803 Lohr, Germany
Bgm.-Dr.-Nebel-Str. 2
97816 Lohr, Germany
Phone +49 9352 40-0
Fax +49 9352 40-4885
www.boschrexroth.com

Presented by:

The data specified above only serve to describe the product. As our products are constantly being further developed, no statements concerning a certain condition or suitability for a certain application can be derived from our information. The information given does not release the user from the obligation of own judgment and verification. It must be remembered that our products are subject to a natural process of wear and aging.

70 067 AE/2008-03 – A1 – HW R911323724 © Bosch Rexroth AG 2008. Subject to revisions! Printed in Germany