Figure 7: Safety monitors receiving and sending safety impulses to the drive. More safety devices and wiring are needed compared to integrated drive-based functional safety (see figure 8).

Functional safety can be easily achieved with safety devices that are, themselves, already certified to the most relevant functional safety standards. ABB drives include many certified safety functions, either as standard or as options. A good example is the TÜV-certified safety functions module (the FSO-12 or FSO-21 variant), which is compatible with ABB’s ACS880 drive series.

SAFE TORQUE OFF (STO) AS THE FOUNDATION 

ABB has put great emphasis on building safety functionality into its drives. We offer cost-efficient safety solutions with our drives and PLCs, as well as a full range of safety relays and contactors, emergency stop switches and other safety devices. Depending on the needed machinery safety, our solutions can range from one drive to an entire system of drives.

As mentioned in part 1, safe torque off (STO) is the foundation of drive-based functional safety. Several of ABB’s drives therefore have STO built in as a standard feature, while some drive series offer it as an option.

The all-compatible ACS880 drives with STO (as standard) are the best-equipped, most-modern example of integrated drive-based functional safety. They provide the highest machinery safety capability, complying with SIL 3 and PL e safety level.

STO can be supplemented with additional safety functions like safely-limited speed (SLS), to ensure a specific speed level in the drive, and machine, is not exceeded. Safety functions that are integrated inside the drive eliminate the use of costly external safety add-ons like contactors, safety relays, etc. Using integrated drive-based functional safety results in cleaner installation and lower costs, with fewer components needed to reach the required SIL or PL.

THREE EXAMPLES

In this section, three different ways of implementing ABB drive-based functional safety solutions are shown, using the example of an industrial conveyor belt.

In our imaginary example we assume people are frequently interacting with a conveyor belt by placing on and picking off material from it. Based on a risk analysis made for the conveyor, it should remain safely powerless when stopped (e.g., for cleaning). This means that the motor must be in a non-torque state when stopped, because unexpected startup has been identified as a risk.

When a red emergency stop button is pressed, at any time, the conveyor must stop in a safe manner. And when people are near the conveyor inside the protective cage, the conveyor speed must be safely reduced for safe material handling.

Risk reduction in our examples can be achieved by implementing three machine safety functions:

  • Prevention of unexpected startup (POUS)
  • Emergency stop
  • Safely-limited speed (SLS)

This is done by using two drive-safety functions: safe torque off (STO) and safely-limited speed (SLS). STO is used for both emergency stopping with an emergency stop device and prevention of unexpected startup, to keep the motor from starting with e.g., a lockable on/off switch connected to the STO. The machine safety system can be built using ABB safety devices for maximum control, as presented in the following examples.

Example 1:

Traditional Safety Solution Using a Drive, Safety Monitoring Device, Safety Encoder, and Contactors

The traditional way of building a safety system includes connecting safety limit switches, relays/external safety monitoring devices and contactors together with the drive (see figure 7).

Once the protective cage door to the conveyor has been opened the safety limit switch detects the open door. This sends signals to the drive to decrease speed. At the same time the signal is sent to an external safety monitoring device (safety logic), which together with an encoder speed measurement, creates a safety function SLS, for safe speed monitoring.

People can now interact safely with the slowly moving conveyor and perform their task. After leaving the conveyor and closing the protective cage door, the safety monitor has to be reset with a button, before the conveyor is allowed to increase back to normal speed.

If, for some reason during the safe speed phase when SLS is active, there is a malfunction that causes the conveyor belt to suddenly increase speed, the safety monitor will detect the overspeed and activate the motor contactor that interrupts the drive’s output to the motor, thus stopping the conveyor.
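The monitoring sequence of Example 1 (door opens, SLS is enforced, reset is required after the door closes, overspeed opens the contactor) can be modelled as a small state machine. This is an added illustration, not code from the article or from any ABB device; the 100 rpm limit, the ramp-down grace period counted in scans, the latched trip and the edge-triggered reset are assumptions of the model.

```python
from enum import Enum

class State(Enum):
    NORMAL = "normal"            # door closed, full speed allowed
    SLS = "sls"                  # door open, speed limit enforced
    AWAIT_RESET = "await_reset"  # door closed again, limit kept until reset
    TRIPPED = "tripped"          # overspeed seen, motor contactor opened

class SafetyMonitor:  # simplified model, not ABB firmware or device logic
    def __init__(self, sls_limit_rpm, ramp_scans):
        self.sls_limit_rpm = sls_limit_rpm  # assumed limit from the risk assessment
        self.ramp_scans = ramp_scans        # assumed grace period for deceleration
        self.state = State.NORMAL
        self.scans_in_limit = 0
        self.prev_reset = False

    def step(self, door_open, reset, encoder_rpm):
        """One scan. Returns (slow_down_request, contactor_closed)."""
        reset_edge = reset and not self.prev_reset  # held button must not reset
        self.prev_reset = reset
        if self.state is State.TRIPPED:
            pass  # latched; recovery from a trip is not described in the article
        elif door_open:
            if self.state is State.NORMAL:
                self.scans_in_limit = 0
            self.state = State.SLS
        elif self.state is State.SLS:
            self.state = State.AWAIT_RESET
        elif self.state is State.AWAIT_RESET and reset_edge:
            self.state = State.NORMAL
        if self.state in (State.SLS, State.AWAIT_RESET):
            self.scans_in_limit += 1
            if (self.scans_in_limit > self.ramp_scans
                    and abs(encoder_rpm) > self.sls_limit_rpm):
                self.state = State.TRIPPED  # open contactor, cut drive output
        return self.state is not State.NORMAL, self.state is not State.TRIPPED

def run(monitor, scans):
    """Feed (door_open, reset, rpm) tuples; return the state name after each scan."""
    trace = []
    for door_open, reset, rpm in scans:
        monitor.step(door_open, reset, rpm)
        trace.append(monitor.state.value)
    return trace

# Constructed scenario: running, door opens, ramp-down, safe speed, door closed, reset.
SCENARIO = [(False, False, 1500), (True, False, 1500), (True, False, 600),
            (True, False, 90), (False, False, 90), (False, True, 90)]
print(run(SafetyMonitor(100, 2), SCENARIO))
```

Without the grace period the monitor would trip the moment the door opens at full speed, and without edge detection a jammed reset button would silently remove the manual reset step.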

Figure 8: Safety logic integrated into the drive for effective safety monitoring. Fewer safety devices and less wiring are needed compared to the traditional safety solution (see figure 7).

Example 2:

Integrated Drive-based Functional Safety

With integrated drive-based functional safety, the safety functions are implemented into the machine via the drive. As a result, the use of externally wired discrete safety devices such as safety monitors, wiring, and an encoder (see figure 8) can be eliminated.

Integrated drive-based functional safety not only simplifies the overall safety design process, but with fewer parts and less wiring, the complexity of configuration and installation is also significantly reduced for a lower total cost. Compared to the traditional safety solution, integrated drive-based functional safety includes the same functionality but it is simply built into the drive. The most basic functionality level is the STO circuit inside the drive which can safely disable the drive’s power stage, thus eliminating any need for a motor contactor.

ABB’s offering of drives with STO as a standard feature includes e.g. ACS880, ACS580, ACH580, ACQ580, ACS380, DCS880, ACSM1, and MicroFlex e190. The ACS800 drives have STO built-in as an optional feature.

When additional integrated safety functions are needed, ABB’s optional TÜV-certified safety functions module (FSO-12 or FSO-21) is perfectly suited for the ACS880 drives. Alternatively a simpler safety solution is ABB’s optional TÜV-certified safety functions fieldbus module (FSPS-21) that is easy to plug into ACS380, ACS580, and ACS880 drives.

The safety functions module (FSO-12 or FSO-21) and safety functions fieldbus module (FSPS-21) can be used in systems up to SIL 3/PL e. The safety functions module (FSO-12 or FSO-21) offers several safety functions including: Safe stop 1 (SS1, as SS1-r and SS1-t implementations), Safe stop emergency (SSE), Safe brake control (SBC), Safely-limited speed (SLS), Safe maximum speed (SMS) and prevention of unexpected startup (POUS). Compared to the FSO-12, the FSO-21 additionally offers Safe direction (SDI) and Safe speed monitor (SSM). Both safety functions modules are capable of monitoring safe speed in encoderless mode (in open loop). This is made possible when monitoring is based on a pre-set motor profile, speed profile and speed estimation of the safety functions module. The FSO-21 also supports closed loop safe speed monitoring together with the pulse encoder interface module (FSE-31).

The safety functions fieldbus module (FSPS-21) offers Safe torque off (STO), Safe stop 1 (SS1-t) and prevention of unexpected startup (POUS). Using the safety functions module eliminates the hassle of figuring out how to hook up and wire the logic with relays and contactors, as the drive’s safety functions are predesigned in the module, waiting to be commissioned. In addition, it is easy to commission and configure the drive system using Drive composer pro, the common PC tool for the ACS880 drive series.

Benefits of integrated drive-based functional safety:

  • No wearing parts that need to be changed or maintained
  • Less wiring saves costs and time
  • Safety functionality seamlessly integrated into the drive operation.
  • Using STO as the motor switch off path, instead of a contactor, is fast and saves money, space, and wear/maintenance
  • With STO there is no need to power off the drive or use an output contactor for prevention of unexpected startup, enabling faster restarts and eliminating any need to reset a position reference, etc.
  • Cost and space savings with the capability for safe speed monitoring without encoder for applications without active loads (motor slows down when the drive is shut down)
  • The safety functions module is easy to install and commission (only for ACS880 drives)
  • The safety functions module (FSO-12 or FSO-21) has several safety functions in one compact module
  • With the safety functions modules, safety monitoring of movements is integrated to the drive. No additional logic or design is needed.

Figure 9: Safety system with traditional and integrated drive-based safety functions, controlled by a safety PLC.

Example 3:

System Safety Monitoring Solutions Using Drives and a Safety PLC for Multiple Drive Control

When a safety system includes several drives, a safety PLC can be used for controlling drives and machines from a common source (see figure 9). System safety monitoring can, of course, be designed using a traditional safety solution combined with a safety PLC (such as ABB’s AC500-S safety PLC). In this way different safety functions can be performed with the application being controlled by one common safety PLC.

A better strategy might be to build the safety monitoring solution using integrated drive-based functional safety together with a safety PLC. In this alternative the safety PLC (AC500-S) is connected to the drive with a fieldbus adapter module that provides PROFIsafe connectivity. This can be applied using the safety functions module (FSO-12 or FSO-21) together with a fieldbus adapter module (FENA-21 or FPNO-21) or the safety functions fieldbus module (FSPS-21), which doesn’t require a separate fieldbus module to work.

In integrated drive-based functional safety the PLC controls the overall safety system via the safety functions modules inside ACS880 drives, thus providing different safety functions and key diagnostics information. The drives perform local safety monitoring by controlling motor speed, torque, and stopping.

Grouping of the drives according to the safety zones in the application is also possible. For example, an overspeed of any drive on a conveyor line may require all drives to stop, which is possible by activating the STO in all drives. Similarly, an emergency stop command typically can stop all drives, whereas a prevention of unexpected start-up grouping may be divided into smaller groups.

Benefits of drive-based functional safety with safety PLC:

  • Reduced wiring between the PLC (such as AC500-S) and drive(s) when a fieldbus adapter module (FENA-21 or FPNO-21) is used
  • Safety functions module (FSO-12 or FSO-21) in ACS880 drives supports the safety PLC with diagnostics and safety information (i.e., safe motor speed information)
  • Safety function fieldbus module (FSPS-21) reduces the need for components to ensure PROFIsafe over PROFINET connectivity
  • Single supplier for safety devices simplifies the ordering process and brings cost efficiency
  • Common support for reducing machine downtime
  • Possibility to group drives according to the need of the specific functions

FUNCTIONAL SAFETY DESIGN TOOL: FSDT-01 

ABB’s functional safety design tool FSDT-01 helps the designer create safety function documentation to support the safety design of their machine. The tool is easy-to-use and guides the user to select the right devices, such as drives, PLC’s and other safety devices, from premade libraries. With these it is then verified that the required SIL/PL for the safety function is achieved. The necessary safety functionality and SIL/PL is defined based on the risk assessment performed by the machine designer.

The industrial environment is full of moving machine parts which can cause hazardous situations and lead to severe and often permanent injuries. The role of functional safety is to protect people, property and ecosystems from often preventable accidents. It is therefore the ultimate responsibility of device suppliers, machine builders and system integrators to ensure that the products they deliver are safe.

Safety for machines is achieved by complying with relevant safety directives and standards. In the EU, the essential health and safety requirements (EHSR) which machine builders must comply with are defined in the EU Machinery Directive 2006/42/EC and the harmonized standards under this directive.

Other market areas have their own local safety legislation (for example, the United States, Brazil, and South Korea). In market areas other than the EU, it is necessary to check the local safety legislation and use global IEC and ISO standards, which provide the necessary safety requirements and guidance.

For machine builders outside the EU, the IEC/ISO versions of the EU’s harmonized standards provide the necessary requirements and guidance. Different market areas also have their own local safety legislation.

Drives have been used for decades in many industrial applications. Where safety in automation systems once required many external add-on devices, the ever-increasing levels of automation employed in industry combined with the electro technical capability of many modern drives and safety PLCs mean drive systems now contribute greatly to the overall safety of a system.

Today, new and improved safety solutions and standards enable safety to become an integrated part of drive functionality. Drive-based functional safety means providing drive-based motion control that protects people, property, and ecosystems.


FOR MORE INFORMATION

Joonas T. Saarela is technical product manager for functional safety and can be reached at joonas.t.saarela@fi.abb.com. Ilpo Kangas is product compliance manager and can be reached at ilpo.kangas@fi.abb.com. Mikko Ristolainen is functional safety manager and can be reached at mikko.ristolainen@fi.abb.com. ABB drives offer many features that can help the safety designers achieve the required level of safety in a cost-effective way. For more information, visit www.abb.com/safety


MODERN PUMPING TODAY, July 2019