
Variable Frequency Drive Basic Safety Guidelines

Preface
This paper provides basic guidelines on functional safety considerations when selecting and integrating a variable frequency drive (VFD) system into the control system of a machine. Functional safety is that aspect of safety that relies upon the correct functioning of a control system. In machinery applications, it is typically associated with preventing injury arising out of contact with moving mechanical parts. Functional safety is distinct from other aspects of safety, such as the use of fixed guards to physically prevent access to moving mechanical parts, or measures to prevent exposure to the live parts of electrical circuits.
In identifying factors to consider when selecting a variable frequency drive system and integrating it into the control system of a machine, this guide refers to various functional safety standards that are relevant to variable frequency drive systems and the safety-related control systems into which they can be integrated. It also explains some of the common terminology that these standards use.

Guidelines on installing variable frequency drive systems from the perspective of mechanical/electrical safety and avoidance of EMC problems are provided by the Gozuk Installation Guidelines for variable frequency drive systems, whilst standards that address more general safety considerations of VFDs are referred to in the Gozuk CE Marking Guide.

Although this guideline represents the views of the Gozuk VFDs Technical Working Group, it has no legal force. To ensure that machinery complies with legal requirements, readers are therefore advised to consult relevant national legislation and associated harmonized standards.

This guide is applicable to safety-related control systems of machinery that incorporate an electrical variable frequency drive system.

It considers the use of variable frequency drive systems with varying functional safety capabilities. It distinguishes between variable frequency drive systems that have no inherent functional safety capability, and those that are capable of the partial or complete implementation of specific safety functions of machinery. It highlights issues that persons with responsibility for one or more of the following tasks should consider:
  • Selection of a variable frequency drive system for use in the safety-related control system of a machine, or
  • Specification, design, development, integration, commissioning and validation of a safety-related control system of a machine that incorporates a variable frequency drive system.
The design of a variable frequency drive system itself is outside the scope of this paper.

1. Introduction

1.1 General
The use of VFDs in machinery continues to increase in accordance with the demand for improved automation and energy efficiency. The extent of applications is diverse, ranging from small self-contained machine tools through to large-scale manufacturing plant. One consequence of this has been the development of VFDs with enhanced functionality, which are capable of performing complex automation tasks that would have previously been assigned to supplementary systems incorporating Programmable Logic Controllers (PLC) for example. A more recent variant of this trend is the development of VFD with in-built safety-related systems that provide some functional safety capability.

The adjustable speed electrical variable frequency drive system has been adopted by the IEC 61800 series of International Standards for VFD, with European versions of these published as the EN 61800 series. More recently, IEC 61800-5-2 introduced the concept of a variable frequency drive system (SR), which is essentially a type of variable frequency drive system with some functional safety capability that can support the implementation of particular safety functions.

As illustrated in Fig.1, a variable frequency drive system includes a Basic Drive Module (BDM) plus the necessary motor(s) and feedback sensor(s). The Basic Drive Module covers those elements of a variable frequency drive system that are generally referred to as a VFD. In the case of a variable frequency drive system (SR), relevant parts of it are capable of implementing particular safety functions.
Figure 1 - Variable frequency drive system

Most modern motion control systems utilise AC motors and VFDs, reflecting the lower maintenance requirements of AC motors compared to their DC counterparts, and also the improved affordability of AC drives. Synchronous AC motors, such as brushless servomotors, are typically used in motion control applications requiring highly accurate position control, whereas asynchronous (e.g. induction) motors can be adequate for less precise speed control applications. The basic architecture of an AC drive in Figure 1 is, however, applicable to both classifications of AC motor.

A control system will typically consist of input devices, some logic solving functionality and output devices. Input devices can be sensors or switches that provide information on the status of particular variables, whilst the logic solver processes this information and initiates any appropriate response of the output device.
Figure 2 - Basic elements of a control system

This basic description is equally applicable to control systems that implement safety functions, or to those that implement process functions that are not safety-related.

It was previously regarded as essential for safety functions to be performed by simple low complexity control systems, operating independently of the more complex control systems that perform process functions. However, just as microprocessor-based systems are now widely used to perform complex control tasks, the demand for increasingly complex safety functions often requires implementations using electronic technology. The use of complex technology in safety-related systems requires a standardized approach, which has led to the development of functional safety standards such as IEC 61508 and its derivatives.

2. Variable Frequency Drive and Machinery Safety

2.1 General
As the use of a VFD in a machine can impact upon its safety performance, it is necessary to firstly consider the overall requirements for machinery safety.

Machinery that is supplied within the European Economic Area (EEA) must comply with the Machinery Directive and other applicable European Directives. This can be achieved by complying with relevant harmonised European standards listed in the Official Journal of the European Union (OJEU), because these grant a presumption of conformity with particular requirements of a European Directive.

In accordance with the breadth of their scope, harmonized European standards for the Machinery Directive are categorized as type-A, type-B and type-C standards.

The three type-A standards EN 12100-1, EN 12100-2 and EN 14121-1 are the principal machinery safety standards. Although they are directly applicable to all machines, they also set out a strategy for developers of more specific type-B and type-C machinery safety standards. At the time of producing these guidelines, work was underway to consolidate these three standards into a single standard (EN 12100).

The various type-B standards relate to particular safety aspects of machinery (type-B1), or to particular protective devices (type-B2). For example, the type-B1 standards EN 62061 and EN ISO 13849-1 provide a methodology for achieving an adequate level of functional safety in a machine's safety-related control system, whilst relevant parts of EN 60204 address safety requirements for electrical equipment of machines. As an example of a type-B2 standard, EN 1088 applies to protective devices that provide an interlocking function, such as interlock switches for movable guards.

Type-C standards provide safety requirements for particular types of machinery. They take account of type-A and type-B standards, referring extensively to their requirements and adapting these to the specific machinery.

After machinery has been taken into service, the user bears responsibility for its ongoing safety. This will include a requirement to comply with the Provision and Use of Work Equipment Regulations 1998 (PUWER), which are the UK implementation of the Use of Work Equipment Directive. Amongst the requirements of this legislation is the ongoing need for safety-related control systems to achieve a sufficient level of functional safety.

2.2 Risk Assessment
It is a requirement that machinery is the subject of a risk assessment during its initial design, and also when any modification or change of use is considered. Any proposal to modify the control system of a machine, by installing a new VFD for example, should therefore be risk assessed.

The harmonised European standard EN 14121-1 provides a methodology for the risk assessment of machinery. With reference to Figure 3, the objective of risk assessment is to determine whether the actual risk exceeds a tolerable level. If this is found to be the case, it will be necessary to implement protective measures to reduce the actual risk, and to then reassess this risk. This iterative process should continue until the risk has been reduced to a level that is at or below the tolerable level.
Figure 3 - The concept of risk reduction

A risk assessment of a machine must consider all aspects of its use, including normal operation, maintenance, and foreseeable misuse. The risk associated with a particular hazard can be considered as a combination of the severity of the harm that can occur, and the likelihood of that harm occurring.

If a particular hazard presents an unacceptable risk, then where practicable, the hazard should be eliminated by implementing appropriate design changes. For example, it may be possible to re-dimension or reposition machinery parts so that they no longer present a trapping hazard.

If a hazard cannot be eliminated using this inherently safe design approach, then the associated risk can be reduced by applying safeguards (e.g. fixed guards, interlocking guards, protective devices) and complementary protective measures. Where it is not practicable to use fixed guarding to prevent access to a moving part of a machine - for example, because a particular type of intervention must be performed frequently - then other safeguards such as interlocking guards and/or protective devices are typically used.

When a machine supplier has implemented inherently safe design measures and safeguards and complementary measures so far as is practicable, further risk reduction can be achieved by providing the user with relevant information and instructions.

Risk reduction provided by interlocking guards and/or protective devices relies on the correct functioning of a control system, of which the interlocking/protective device will be a part. Similarly, for the complementary protective measure of an emergency stop function, the emergency stop actuator will form part of a control system that must function correctly for the emergency stop function to be performed.

Control systems that incorporate these interlocking/protective devices or emergency stop devices constitute 'safety-related control systems', because they must function correctly in order for safety to be achieved. An element of the machine's safety is thus provided by functional safety measures, with the relevant control systems considered to implement particular 'safety functions' that contribute towards reducing risk to a tolerable level.

It is essential that a machine's risk assessment is reviewed whenever consideration is given to any modification or upgrade, including changes that affect the control system. Any proposal to incorporate a VFD into the control system of a machine, or to replace an existing VFD with an alternative type, should therefore prompt a review of the risk assessment. This should identify any new or changed risks that such a modification could introduce.

Installing a VFD into a machine can affect the general performance of its control systems, and could introduce new risks such as the potential to exceed the original design speed or for bi-directional motion. Caution must also be exercised to ensure that the VFD does not compromise existing safety functions, which could unintentionally become reliant upon functions of the VFD that do not have sufficient functional safety capability.

2.3 Risk reduction and functional safety
As an example of functional safety, if an access point on a machine is safeguarded using an interlocking guard, then the interlocking device and other control devices that it interacts with in order to restrict moving parts of the machine will form part of a safety-related control system. The associated safety function could require moving parts to stop, or to operate at a reduced speed, whenever the guard is open.

A safety-related control system of a machine must be designed and configured so that it can:
a) perform all safety functions that are necessary to maintain or achieve the safety of the machine, and
b) perform each of these safety functions with a measure of integrity that is appropriate for the potential consequences of its failure.
A functional description of all of the safety functions, together with a measure of their required integrity, forms the basis of what is generally referred to as a 'Safety Requirements Specification'. The formulation of this is a fundamental requirement of the machinery functional safety standards described in Chapter 3.2 of these guidelines.

2.4 Functional safety considerations for a variable frequency drive system

2.4.1 Non safety-related VFDs
For most VFDs, the complex electronics and software that provides their functionality will not have been designed, developed, integrated and validated in accordance with an appropriate functional safety standard, such as EN 61800-5-2. Such VFDs are therefore unsuitable, by themselves, for fully implementing safety functions of machinery.

For example, if a VFD output is configured to control an electromechanical brake that constrains a mechanical load, but the parts of the VFD that control this output have insufficient integrity for the specific application, then it will be necessary to provide supplementary interlocking measures for brake control.

Although non safety-related VFDs can be capable of performing an extensive range of motion control functions, such as holding a motor at rest or limiting its position, speed or torque, the lack of verified integrity for such motion control functions means that the VFDs cannot be regarded as safety-related.

When integrating such a VFD into a machine, it is therefore necessary to implement any safety functions independently of it, or across a combination of the VFD and a supplementary safety-related control system. This will ensure that any failure within the complex electronics and software of the VFD cannot, by itself, lead to an unsafe situation, i.e. the safety functions do not depend solely upon the VFD for their correct operation. Figure 4 illustrates the approach to implementing safety functions using a non safety-related VFD and supplementary safety-related control systems.
Figure 4 - Implementing safety functions using a non safety-related VFD and supplementary safety-related control systems

A safety function that is implemented independently of a VFD will generally monitor some variable, and then initiate an appropriate reaction if this exceeds a set limit. For example, the position, speed or acceleration of a moving part of the machine, or the status of an emergency-stop actuator, could be monitored by a suitable controller, which initiates a response when the monitored variable violates a set limit, or if the emergency-stop actuator is pressed.

The safety-related reaction to a violation of the limit must be specific to the application, but will typically require the safety-related control system to disable moving parts by de-energising terminal devices such as electromechanical contactors, clutches, or brakes. For example, an electromechanical contactor(s) could be de-energised in order to prevent moving parts from starting-up unexpectedly from rest.

Although safety functions implemented in this way do not depend solely on the VFD for their correct operation, it is often necessary for the safety-related control system to interact with the VFD. For example, a motor can be stopped very rapidly by commanding the VFD to decelerate it to a standstill before it switches off motor power. A safety function that prevents motion can then be initiated, by de-energising an electromechanical contactor(s) which controls motor and/or VFD power.

A safety-related control system used in conjunction with a non safety-related VFD should be designed, developed, integrated and validated in accordance with relevant harmonised European standards, the most pertinent of which are described in Chapter 3. Although the more recent EN 62061 and EN ISO 13849-1 are the preferred standards for addressing the integrity requirements of safety-related control systems, EN 954-1 can still be suitable for low complexity safety-related control systems consisting of simple sensors and electromechanical relays and contactors.

Compliance with EN 954-1 will cease to grant a presumption of conformity with the Machinery Directive after 2011, and its applicability to more complex safety-related control systems is hampered by its various limitations. Its application to new designs is therefore not recommended.

Regardless of which standard is used, the resulting safety-related control system must provide the level of risk reduction assigned to it, which it does by performing the necessary safety-function(s) with an appropriate degree of integrity.

2.4.2 Safety-related variable frequency drives
A variable frequency drive system (SR) incorporates a 'safety-related VFD' that has been designed to be capable of implementing (either completely or partially) one or more safety functions. In some of these VFDs the functional safety capability is provided by safety modules that supplement the standard version of the VFD, whereas in other VFDs it is an inherent design feature.

The emergence of safety-related VFDs prompted the development of IEC 61800-5-2 (EN 61800-5-2 in Europe), which is a product-specific implementation of the IEC 61508 basic safety publication. It specifically addresses the functional safety requirements for variable frequency drive systems (SR), and is described in more detail in Chapter 4.

The hardware and software that implements safety functions in a safety-related VFD will have been produced in accordance with a suitable functional safety standard. As EN 61800-5-2 has only been available since 2007, some earlier products might claim compliance with other functional safety standards, such as EN 61508 or EN 954-1.

EN 61800-5-2 recognizes that the particular functionality and integrity of safety functions can vary between safety-related VFDs. For example, some products might provide only one safety function, such as the removal of output power in response to a disabling input, whereas others can provide several complex motion control safety functions.

It also recognises that the safety functions provided by a particular safety-related VFD can have dissimilar integrity values, although an implementation in common hardware and/or software often results in a uniform value being declared.

Prospective users of variable frequency drive systems (SR) need to be aware of this variation in the quantity, functionality and integrity of safety functions provided by different products. Appropriate decisions can then be taken when selecting a variable frequency drive system (SR) for a particular application, so as to ensure that it can adequately perform all of the required safety functions.

As the use of a safety-related VFD can lead to simplification or elimination of some supplementary safety-related control systems, it can reduce the requirement for devices such as safety monitors, limit switches, position cams, contactors and relays. In some cases, it can also result in faster response times than when supplementary safety-related control systems are used.

The use of a safety-related VFD in a machine will not necessarily result in a safe machine. Having selected a safety-related VFD that can perform the required safety functions with a suitable integrity, the overall safety-related control system into which it is incorporated should then be designed, developed, integrated and validated using the methodology within EN 62061 or EN ISO 13849-1, which are described in Chapter 3.2.

Where the configuration of a safety function involves the setting of parameters within a variable frequency drive system (SR), then measures to ensure the accuracy of these parameters and to restrict their reconfiguration to competent personnel are necessary.

3. Functional Safety Standards for Machinery

3.1 EN 60204-1:2006
Safety of machinery – Electrical equipment of machines – Part 1: General requirements

IEC 60204-1, which CENELEC have adopted within Europe as EN 60204-1, is the generic harmonised European standard for electrical equipment of machines. Its broad scope covers both electrical safety and functional safety, and in respect of the latter it specifies requirements for electrical control devices, circuits, and functions. In particular, it refers to harmonised European Standards EN 62061 and EN ISO 13849-1 for the integrity requirements of safety functions and safety-related control systems.

EN 60204-1 introduces the concept of a 'stop category', which classifies stop functions according to whether or not power is removed from the machine actuators, and the timing of this power removal. This concept is relevant to a machine's emergency stop function, and to any safety functions that involve bringing hazardous movements to a stop (for example, when an interlocking guard is opened).

It should be noted that a stop category classification is distinct from an integrity classification assigned to a safety function. In particular, EN 954-1/EN ISO 13849-1 'categories' of integrity and EN 60204-1 'stop categories' should not be confused.

Table 1 - Stop categories according to EN 60204-1 (Clause 9.2.2)
  • Stop category 0: Stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop)
  • Stop category 1: A controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved
  • Stop category 2: A controlled stop with power left available to the machine actuators

The concept of stop categories can be particularly relevant if a machine incorporates a VFD, because VFDs can perform the controlled deceleration of a motor that is required by stop categories 1 and 2.
EN 60204-1 also stipulates the use of stop category 0 or 1 for the emergency stop function of a machine, so that power is ultimately removed from the machine actuators.
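The following is an added example, not part of the original guidelines, that models the behaviour described in section 2.4.1 (a supplementary safety-related controller monitoring a variable and de-energising a contactor) under each of the three stop categories in Table 1. Everything in it is constructed for illustration: the drive model, the speeds, the deceleration and coast-down rates and the names `DriveModel`, `SafetyMonitor` and `run_scenario` are assumptions, not any product's behaviour. It also encodes the EN 60204-1 stipulation that an emergency stop uses stop category 0 or 1.

```python
"""Discrete-time model of a monitoring-type safety function acting on a
non safety-related VFD, used to compare the three EN 60204-1 stop categories.
All names, rates and speeds are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DriveModel:
    """Constructed stand-in for a standard (non safety-related) VFD and motor."""
    speed_rpm: float
    decel_rpm_per_step: float  # controlled deceleration once a stop is commanded
    coast_rpm_per_step: float  # uncontrolled coast-down once motor power is removed
    power_on: bool = True
    stop_commanded: bool = False

    def step(self) -> None:
        """Advance one control cycle."""
        if not self.power_on:
            self.speed_rpm = max(0.0, self.speed_rpm - self.coast_rpm_per_step)
        elif self.stop_commanded:
            self.speed_rpm = max(0.0, self.speed_rpm - self.decel_rpm_per_step)


def emergency_stop_allowed(stop_category: int) -> bool:
    """EN 60204-1 stipulates stop category 0 or 1 for the emergency stop function."""
    return stop_category in (0, 1)


@dataclass
class SafetyMonitor:
    """Supplementary safety-related controller: monitors speed and de-energises
    the contactor that controls motor power (the 'terminal device')."""
    limit_rpm: float
    stop_category: int
    contactor_closed: bool = True
    tripped: bool = False
    log: list = field(default_factory=list)

    def _open_contactor(self, drive: DriveModel, t: int) -> None:
        self.contactor_closed = False
        drive.power_on = False
        self.log.append((t, "contactor de-energised: motor power removed"))

    def evaluate(self, drive: DriveModel, t: int) -> None:
        """Called once per control cycle with the monitored variable."""
        if not self.tripped and drive.speed_rpm > self.limit_rpm:
            self.tripped = True
            self.log.append((t, f"speed {drive.speed_rpm:.0f} rpm exceeds limit {self.limit_rpm:.0f} rpm"))
            if self.stop_category == 0:
                self._open_contactor(drive, t)  # category 0: immediate removal of power
            else:
                drive.stop_commanded = True  # categories 1 and 2: controlled stop via the VFD
                self.log.append((t, "controlled stop commanded to the VFD"))
        elif (self.tripped and self.stop_category == 1
              and self.contactor_closed and drive.speed_rpm <= 0.0):
            self._open_contactor(drive, t)  # category 1: remove power once the stop is achieved


def run_scenario(stop_category: int, emergency_stop: bool = False, steps: int = 20) -> dict:
    """Run a constructed overspeed event: 1700 rpm against a 1500 rpm limit."""
    if emergency_stop and not emergency_stop_allowed(stop_category):
        raise ValueError("emergency stop must use stop category 0 or 1 (EN 60204-1)")
    drive = DriveModel(speed_rpm=1700.0, decel_rpm_per_step=500.0, coast_rpm_per_step=125.0)
    monitor = SafetyMonitor(limit_rpm=1500.0, stop_category=stop_category)
    standstill_step: Optional[int] = None
    for t in range(steps):
        monitor.evaluate(drive, t)
        if standstill_step is None and drive.speed_rpm <= 0.0:
            standstill_step = t
        drive.step()
    contactor_open_step = next((t for t, msg in monitor.log if msg.startswith("contactor")), None)
    return {
        "stop_category": stop_category,
        "tripped": monitor.tripped,
        "contactor_open_step": contactor_open_step,
        "standstill_step": standstill_step,
        "power_on_at_end": drive.power_on,
        "log": monitor.log,
    }


if __name__ == "__main__":
    for category in (0, 1, 2):
        result = run_scenario(category)
        print(f"stop category {category}: contactor opened at step {result['contactor_open_step']}, "
              f"standstill at step {result['standstill_step']}, power on at end: {result['power_on_at_end']}")
```

Running it shows the trade-off the text describes: category 0 removes power at once but the load coasts for many cycles, category 1 reaches standstill quickly under VFD control and only then opens the contactor, and category 2 stops the motor but leaves power available, which is why EN 60204-1 does not permit it for the emergency stop function.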

3.2 EN 62061 and EN ISO 13849-1
Regardless of which of these harmonized European standards is applied to the design of a safety-related control system of a machine, their overall methodology is essentially the same.

When it has been determined that a safety-related control system contributes towards the required risk reduction on a machine, application of the selected standard involves specifying the required safety functions and assigning an integrity to each of these based on the amount of risk reduction required. Safety-related control systems that perform the safety functions can then be designed according to the requirements of the selected standard.

Where a safety related VFD is to be used for the implementation of any safety functions:
  • Select the variable frequency drive system (SR) with appropriate capabilities in terms of particular safety functions and their integrity.
  • Interface the variable frequency drive system (SR) with other subsystems and consider the validity of signals and commands from these.
  • Design, develop, integrate and validate the overall safety-related control system, including the hardware, software, parameterisation, etc.

3.2.1 EN 62061:2005
Safety of machinery – Functional safety of safety-related electrical, electronic, and programmable electronic control systems

IEC 62061 is the machinery sector implementation of IEC 61508, and in Europe it has been adopted by CENELEC as EN 62061. It is applicable to safety-related control systems consisting of electrical, electronic, or programmable electronic (E/E/PE) technology of any complexity, but not to other technologies such as mechanical, hydraulics, or pneumatics. In particular, the emergence of machinery safety devices incorporating complex E/E/PE technology prompted its development as a means of integrating such devices into safety-related control systems.

EN 62061 specifies a safety function's integrity in terms of the quantitative SIL (Safety Integrity Level) measures of integrity introduced by IEC 61508. However, it disregards SIL 4, the highest level of integrity, because the risk reduction associated with this is beyond typical machinery applications. It also restricts the expression of ranges of probability of dangerous failure for each SIL to 'per hour' (PFHD) values, because only the continuous and high demand modes of operation are considered relevant to machinery applications. Table 2 shows the ranges of probability of dangerous failure per hour corresponding to each relevant SIL.

Table 2 - EN 62061 Safety Integrity Levels: target failure values (probability of a dangerous failure per hour, PFHD)
  • SIL 3: ≥ 10^-8 to < 10^-7
  • SIL 2: ≥ 10^-7 to < 10^-6
  • SIL 1: ≥ 10^-6 to < 10^-5

EN 62061 provides a risk matrix method for assigning a SIL to a safety function on the basis of required risk reduction. Once this has been determined, a safety-related control system can be developed in accordance with the standard's requirements for that SIL. The term Safety-Related Control Function (SRCF) is used to denote a safety function that is implemented by a Safety-Related 'Electrical' Control System (SRECS).

SILs are a comprehensive measure of integrity, taking account of factors such as component reliability, system structure, fault detection and the control and avoidance of systematic failures. The range from SIL 1 (lowest) up to SIL 3 (highest) can therefore be regarded as a hierarchy. With increasing SIL of a SRCF, the requirements for the associated SRECS, in terms of these factors that influence its integrity, are increasingly rigorous.

EN 62061 considers a SRECS to consist of one or more series subsystems, each of which can generally be classified as an input device, a logic solving device, or an output device. The SIL that the overall SRECS can achieve will be constrained by either the lowest SILCL (SIL Claim Limit) amongst the series subsystems, or by the overall probability of dangerous random hardware failure calculated as a sum of individual subsystem PFHD values.

Although the scope of EN 62061 does not extend to the actual design of complex and/or programmable electronic subsystems, it does cover their integration into a SRECS. For these subsystems, standards such as IEC 61508, EN ISO 13849-1, or a product-specific functional safety standard (e.g. EN 61800-5-2 for VFDs) can be applicable.

The EN 62061 methodology is particularly amenable to safety-related VFDs that are compliant with EN 61800-5-2, as both standards are direct implementations of IEC 61508 and therefore have compatible methodologies. Furthermore, the terms that EN 61800-5-2 uses to specify the integrity of a safety function (i.e. SIL Capability and PFH) of a safety-related VFD directly relate to the SILCL and PFHD values that EN 62061 requires for SRECS subsystems.

EN 62061 can also be applied if a safety-related VFD is compliant with other standards, such as IEC 61508 or EN 954-1. For IEC 61508 products, the integrity of safety functions will be expressed in compatible terms, whilst EN 62061 provides guidance on using supplementary information on Safe Failure Fraction (SFF) and Diagnostic Coverage (DC) to facilitate the integration of subsystems with integrity expressed as an EN 954-1 category.

3.2.2 EN ISO 13849-1:2008
Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design

ISO 13849-1:2008 has been adopted in Europe by CEN as EN ISO 13849-1. It was developed as a direct revision of EN 954-1, with an unchanged scope covering electrical, mechanical, hydraulic, and pneumatic technologies. It is an improvement upon EN 954-1, resolving many of the deficiencies that hampered its predecessor's application to higher complexity systems, and consequently it is a considerably more complex standard.

EN ISO 13849-1 specifies a safety function's integrity as a quantitative PL (Performance Level). As shown in Table 3, a total of 5 PLs are used, each corresponding to a range of probability of dangerous failure per hour. By comparing the failure rates associated with PLs (Table 3) and SILs (Table 2), it is apparent that PLs generally provide a level of risk reduction from below SIL 1 up to SIL 3.

Table 3 - EN ISO 13849-1 Performance Levels: target failure values (average probability of a dangerous failure per hour, 1/h)
  • PL e: ≥ 10^-8 to < 10^-7
  • PL d: ≥ 10^-7 to < 10^-6
  • PL c: ≥ 10^-6 to < 3x10^-6
  • PL b: ≥ 3x10^-6 to < 10^-5
  • PL a: ≥ 10^-5 to < 10^-4
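The following is an added example, not code from the original guidelines or from any standard, that encodes the target failure value bands of Table 2 and Table 3 and applies the EN 62061 rule from section 3.2.1 that the SIL achievable by a SRECS is constrained both by the lowest SILCL amongst its series subsystems and by the sum of their PFHD values. It also shows how each PL band relates to the SIL bands, which is the comparison made in section 3.2.2. The subsystem names and failure values are constructed, the function names are assumptions, and the treatment of rates below 10^-8 (credited with the top level, as neither table defines a higher one) is an assumption noted in the code.

```python
"""Target failure value bands from Table 2 (EN 62061 SILs) and Table 3
(EN ISO 13849-1 PLs), plus the EN 62061 rule that the SIL of a SRECS is
constrained by the lowest subsystem SILCL and by the summed subsystem PFHD.
Subsystem names and failure values below are constructed, not from any product."""
from typing import Optional

# (lower bound inclusive, upper bound exclusive) in dangerous failures per hour
SIL_BANDS = {3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}  # Table 2
PL_BANDS = {"e": (1e-8, 1e-7), "d": (1e-7, 1e-6), "c": (1e-6, 3e-6),
            "b": (3e-6, 1e-5), "a": (1e-5, 1e-4)}  # Table 3


def _level_from_rate(rate: float, bands: dict):
    """Map a failure rate to the level whose band contains it.
    Assumption: a rate below the lowest band is credited with the top level only,
    since neither table defines a higher level (EN 62061 disregards SIL 4)."""
    levels = list(bands)
    if rate < bands[levels[0]][0]:
        return levels[0]
    for level, (lo, hi) in bands.items():
        if lo <= rate < hi:
            return level
    return None  # worse than the lowest level: no SIL / no PL can be claimed


def sil_from_pfhd(pfhd: float) -> Optional[int]:
    return _level_from_rate(pfhd, SIL_BANDS)


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    return _level_from_rate(pfhd, PL_BANDS)


def sils_overlapping_pl(pl: str) -> list:
    """Which SIL bands overlap a PL band (PL a lies entirely below SIL 1)."""
    lo, hi = PL_BANDS[pl]
    return sorted(s for s, (slo, shi) in SIL_BANDS.items() if lo < shi and slo < hi)


def srecs_sil(subsystems: list) -> dict:
    """subsystems: (name, SILCL, PFHD) for each series subsystem of the SRECS."""
    total_pfhd = sum(pfhd for _, _, pfhd in subsystems)
    silcl_limit = min(silcl for _, silcl, _ in subsystems)
    pfhd_sil = sil_from_pfhd(total_pfhd)
    if pfhd_sil is None:
        achieved, limited_by = None, "PFHD"
    else:
        achieved = min(silcl_limit, pfhd_sil)
        limited_by = ("both" if silcl_limit == pfhd_sil
                      else "SILCL" if silcl_limit < pfhd_sil else "PFHD")
    return {"sil": achieved, "total_pfhd": total_pfhd, "pfhd_sil": pfhd_sil,
            "silcl_limit": silcl_limit, "limited_by": limited_by}


# Constructed example SRECS: interlock input, logic solver, and a safety-related VFD
# whose single safety function is removal of output power (SIL capability 2).
EXAMPLE_SRECS = [
    ("interlocking switch + input monitoring", 3, 2.5e-8),
    ("safety logic solver", 3, 1.2e-8),
    ("safety-related VFD, removal of output power", 2, 4.0e-8),
]

# Constructed variant: every subsystem claims SILCL 3, but the summed PFHD is too high.
EXAMPLE_SRECS_PFHD_LIMITED = [
    ("interlocking switch + input monitoring", 3, 6.0e-8),
    ("safety logic solver", 3, 3.0e-8),
    ("safety-related VFD, removal of output power", 3, 4.0e-8),
]

if __name__ == "__main__":
    for label, srecs in (("SILCL-limited", EXAMPLE_SRECS), ("PFHD-limited", EXAMPLE_SRECS_PFHD_LIMITED)):
        r = srecs_sil(srecs)
        print(f"{label}: total PFHD {r['total_pfhd']:.2e} (SIL {r['pfhd_sil']} band), "
              f"lowest SILCL {r['silcl_limit']} -> achievable SIL {r['sil']} (limited by {r['limited_by']})")
    for pl in "edcba":
        print(f"PL {pl}: overlaps SIL {sils_overlapping_pl(pl) or 'none (below SIL 1)'}")
```

The first constructed SRECS sums to about 7.7x10^-8 failures per hour, which sits in the SIL 3 band, yet the VFD subsystem's SIL capability of 2 caps the whole system at SIL 2; the second has SILCL 3 throughout but its summed PFHD of 1.3x10^-7 falls into the SIL 2 band. Both constraints from section 3.2.1 therefore have to be checked, and a safety-related VFD's declared SIL Capability and PFH are exactly the two figures a selection per section 3.2 needs.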

EN ISO 13849-1 provides a risk graph for assigning a PL to a safety function on the basis of required risk reduction. After determining this PL, the standard can then be used to develop a safety-related control system that performs the particular safety function at the required PL. The term SRP/CS is used to denote a safety-related (part of a) control system that performs the safety function.

In considering factors that influence the integrity of a SRP/CS, EN ISO 13849-1 supplements the deterministic category classifications of EN 954-1 with quantifiable requirements for system structure, component reliability (MTTFd), fault detection capability (DCavg) and measures against Common Cause Failures (CCF) for multi-channel structures. It also specifies qualitative measures for the control and avoidance of systematic failures.

With this comprehensive consideration of integrity, the PL of a safety function can be regarded as a 5-step hierarchical scale of its risk reduction capability, ranging from PLa (lowest) up to PLe (highest). With increasing PL, the standard's requirements for the SRP/CS, in terms of these considerations, are increasingly arduous.

To aid their integration into safety-related control systems using the EN ISO 13849-1 methodology, some safety-related VFDs are supplied with the integrity of their safety functions expressed in accordance with EN ISO 13849-1 as well as EN 61800-5-2.

Although EN ISO 13849-1 is not a direct implementation of IEC 61508, it does take account of broadly similar factors in its consideration of integrity. It therefore surpasses EN 954-1 in its suitability for complex electronic systems.

A further harmonised European standard, EN ISO 13849-2:2003, deals with validating the category of a SRP/CS. At the time of producing these guidelines, this was being revised to align it with the current EN ISO 13849-1:2008, so that it can be used to fully validate the PL of a SRP/CS.

4. Functional Safety Standard for Variable Frequency Drive Systems

4.1 EN 61800-5-2:2007
Adjustable speed electrical variable frequency drive systems - Part 5-2: Safety requirements - Functional

Published in 2007, IEC 61800-5-2 was the first product-specific implementation of IEC 61508. It specifies functional safety requirements for the design and development, integration, and validation of variable frequency drive systems (SR), and considers them as prospective subsystems of higher level safety-related control systems. It is applicable to adjustable speed electric VFD systems that are covered by the scope of other parts of the IEC 61800 series of standards.

EN 61800-5-2, which is the CENELEC adoption of this standard in Europe, is a harmonised European standard with respect to the Machinery Directive. This means that a variable frequency drive system(SR) designed in accordance with its provisions can, if appropriately used in a safety-related control system of a machine, be presumed to support certain aspects of the machine's conformity with the Machinery Directive.

EN 61800-5-2 specifies the integrity of safety functions provided by a safety-related VFD in terms of IEC 61508 SILs, and like EN 62061, it also omits SIL 4 and restricts the expression of their performance to a probability of dangerous failure per hour. Again, this is because only a level of risk reduction up to SIL 3 and the continuous and high demand modes of operation are considered relevant to a variable frequency drive system(SR).

4.2 Safety Functions according to EN 61800-5-2
Safety-related VFDs can provide an extensive and diverse range of safety functions. As machines account for a large proportion of their applications, many of these safety functions deal with hazards associated with motor-driven moving parts of machinery. They can either monitor or control some aspect of the VFD's performance, typically preventing motion of moving parts or limiting their position, speed or torque.

With monitoring-type safety functions, an input signal (e.g. an interlocking switch) or some variable (e.g. speed, position, etc.) is monitored by the VFD, and an appropriate reaction (e.g. remove power from the motor) is triggered if this violates a limit. For control-type safety functions, there is no corresponding reaction to a limit being violated. However, both classifications of safety function will require a 'fault reaction function' that attempts to initiate a safe state if the VFD's diagnostics detect a fault within the hardware/software that performs the safety function.

Although basic monitoring safety functions can be implemented using a standard VFD in conjunction with supplementary safety-related control systems, complex motion control safety functions can be difficult to implement using a standard VFD.

4.2.1 Stopping functions
EN 61800-5-2 refers to 4 safety functions associated with stopping and preventing motion of a motor controlled by a safety-related VFD:
  • Safe Torque Off (STO)
  • Safe Stop 1 (SS1)
  • Safe Stop 2 (SS2)
  • Safe Operating Stop (SOS)
The STO safety function corresponds to an uncontrolled stop in accordance with EN 60204-1 stop category 0, but with a defined integrity level. It requires the removal from the motor of power that can generate torque, and its implementation in a safety-related VFD is typically accomplished by a robust disablement of power semiconductor firing pulses. An implementation of the STO safety function externally to a (non-safety-related) VFD would typically use an electromechanical contactor to remove power from the VFD and/or motor.

For an AC drive and motor combination, torque is produced if particular pairs of power semiconductors are in a conductive state, and this can only deliver sustained motion if different pairs of power semiconductors attain a conductive state in sequence. So if a single failure causes a power semiconductor to conduct unintentionally whilst the STO safety function is active, this will not produce torque, and multiple static failures will not result in sustained rotation.

The STO safety function does NOT constitute electrical isolation of a machine, which requires the use of a suitable supply disconnecting (isolating) device.

The STO safety function can be used to prevent an unexpected start-up of moving parts of a machine, or to achieve an uncontrolled stop. For some applications, this could result in an unacceptably long stopping time depending on the effects of friction and the inertia of a motor and its mechanical load. Furthermore, as there is no torque produced in a motor whilst the STO safety function is initiated, measures (e.g. a supplementary brake) may need to be taken to prevent the movement of mechanical loads that are under the influence of an external force such as gravity.

If a motor must be brought to a standstill more rapidly, this can be accomplished by either supplementary mechanical braking or by using the SS1 safety function. The SS1 safety function corresponds to a controlled stop in accordance with stop category 1 of EN 60204-1, but with a defined integrity level. It can be considered as a 2-stage safety function, consisting of controlled deceleration of the motor to a standstill followed by initiation of the STO safety function. EN 61800-5-2 affords some flexibility on whether the deceleration phase is safely monitored or controlled, and on whether the STO safety function is initiated when standstill is detected or after an application-specific time delay.

The SS2 safety function corresponds to a controlled stop in accordance with stop category 2 of IEC 60204-1, but with a defined integrity level. As with the SS1 safety function, it involves a controlled deceleration of the motor to a standstill, but this is followed by initiation of the SOS safety function rather than the STO safety function. With the SOS safety function, the VFD holds a motor in an energised but stopped state, with a holding torque that resists external forces and is therefore able to prevent the motor moving from the stopped position.
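As an added illustration (not from the paper or any drive vendor), the following Python model walks through the SS1/SS2 sequence described above: a permitted-speed ramp is monitored from the moment of the stop request, a violated limit or an internal diagnostic fault triggers STO as the reaction, and reaching standstill (or, optionally, an application-specific time delay) ends in STO for SS1 or SOS for SS2, where SOS must then keep the motor still. The ramp, tolerance and standstill threshold are constructed example values.

```python
from enum import Enum

class State(Enum):
    RUN = "running"
    DECEL = "monitored deceleration"
    STO = "safe torque off"        # no torque-generating power reaches the motor
    SOS = "safe operating stop"    # energised standstill held by motor torque

class StopFunction:
    """Model of SS1/SS2: monitored ramp, then STO (SS1) or SOS (SS2). Illustration only,
    not from the paper or a real drive; ramp, tolerance and standstill are constructed values."""
    def __init__(self, kind, ramp_rpm_per_s, standstill_rpm=5.0, tolerance_rpm=50.0, delay_s=None):
        assert kind in ("SS1", "SS2")
        self.kind, self.ramp = kind, ramp_rpm_per_s
        self.standstill, self.tolerance = standstill_rpm, tolerance_rpm
        self.delay_s = delay_s     # optional fixed delay before STO instead of standstill detection
        self.state, self.t, self.limit, self.reason = State.RUN, 0.0, None, None

    def request_stop(self, speed_rpm):
        # The permitted speed ramps down from the speed at the moment of the stop request.
        self.state, self.t, self.limit = State.DECEL, 0.0, abs(speed_rpm)

    def step(self, speed_rpm, dt, fault=False):
        """Feed one speed sample (plus the diagnostics' fault flag); return the new state."""
        if fault:                  # fault reaction function: diagnostics found an internal fault
            return self._enter(State.STO, "fault reaction: internal diagnostic fault")
        if self.state is not State.DECEL:      # STO is terminal; SOS must keep the motor still
            if self.state is State.SOS and abs(speed_rpm) > self.standstill:
                return self._enter(State.STO, "SOS violated: movement at standstill")
            return self.state
        self.t += dt
        self.limit = max(0.0, self.limit - self.ramp * dt)
        if abs(speed_rpm) > self.limit + self.tolerance:
            return self._enter(State.STO, "limit violated: deceleration too slow")
        if self.delay_s is not None and self.t >= self.delay_s:
            return self._enter(State.STO, "time delay elapsed")
        if abs(speed_rpm) <= self.standstill:
            return self._enter(State.SOS if self.kind == "SS2" else State.STO, "standstill reached")
        return self.state

    def _enter(self, state, reason):
        self.state, self.reason = state, reason
        return state

def simulate(kind, ramp_rpm_per_s, actual_decel_rpm_per_s, start_rpm=1500.0, dt=0.1, delay_s=None):
    # Stop a motor that really decelerates at actual_decel; returns (final state, reason).
    fn = StopFunction(kind, ramp_rpm_per_s, delay_s=delay_s)
    fn.request_stop(start_rpm)
    while fn.state is State.DECEL and fn.t < 60.0:   # time cap guards against a stalled model
        fn.step(max(0.0, start_rpm - actual_decel_rpm_per_s * (fn.t + dt)), dt)
    return fn.state, fn.reason
```

`simulate("SS1", 500, 400)` is the case a practitioner should look at first: the motor decelerates more slowly than the monitored ramp allows, so the function cannot wait for standstill and the reaction is STO with the reason "limit violated".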

4.2.2 Other safety functions
Although not an exhaustive list, EN 61800-5-2 refers to various other safety functions that can be implemented by a safety-related VFD. Some of the more complex safety functions incorporate or combine simpler safety functions.
  • Safely-Limited Acceleration (SLA)
  • Safe Acceleration Range (SAR)
  • Safely-Limited Speed (SLS)
  • Safe Speed Range (SSR)
  • Safely-Limited Torque (SLT)
  • Safe Torque Range (STR)
  • Safely-Limited Position (SLP)
  • Safely-Limited Increment (SLI)
  • Safe Direction (SDI)
  • Safe Motor Temperature (SMT)
  • Safe Brake Control (SBC)
  • Safe Cam (SCA)
  • Safe Speed Monitor (SSM)

4.2.3 Specification of safety functions
EN 61800-5-2 requires the manufacturer of a safety-related VFD to provide details of all basic safety functions that it can perform. For each safety function, this information must include:
  • A functional specification, including details of the reaction when a monitored variable violates its limit, the fault reaction function, the response times, any order of priority in relation to other safety functions, and
  • An integrity expressed in terms of a 'SIL Capability' and a 'PFH'.

4.2.4 Applying a safety-related VFD
The user/integrator of a safety-related VFD that complies with EN 61800-5-2 will need to:
  • Conduct a risk assessment for the particular application
  • Identify all safety functions required and allocate a SIL to each of these (i.e. formulate a Safety Requirements Specification)
  • Select a variable frequency drive system(SR) with appropriate capabilities in terms of its safety functions and their integrity (specified in terms of a SIL Capability and PFH).
  • Interface the variable frequency drive system(SR) with other subsystems and consider the validity of signals and commands from these
  • Design, develop, integrate and validate the overall safety-related control system, including the hardware, software, parameterisation, etc.
Where the solution requires a variable frequency drive system(SR) to interface with other subsystems in the safety-related control system, any input and/or output signalling will need to be of sufficient integrity.

An appropriate fault reaction will need to be selected for each safety function, and an appropriate response to violation of a limit will also need to be selected for those safety functions that perform a monitoring task. The timings associated with these reactions/responses will need to be suitable for the application.

It will also need to be established whether the priority of any simultaneously active safety functions that could present a conflict is suitable for the application.
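To illustrate the selection and interfacing steps above (an added example, not from the paper), the Python below checks whether one safety function's chain of subsystems meets the SIL allocated to it. It applies the combination rule of EN 62061 (the overall PFH is the sum of the subsystem PFH values, and the achieved SIL is capped by the lowest SIL Capability, or SIL claim limit, in the chain) together with the IEC 61508 PFH bands for high-demand/continuous mode, with SIL 4 left out as EN 61800-5-2 does; the subsystem names and figures are constructed.

```python
# Added example (not from the paper): does a chain of subsystems meet the SIL allocated
# to one safety function? PFH bands are IEC 61508's for high-demand/continuous mode, with
# SIL 4 left out as EN 61800-5-2 and EN 62061 do; the combination rule follows EN 62061
# (overall PFH is the sum of subsystem PFH, and the SIL is capped by the lowest SIL
# Capability / claim limit in the chain). All subsystem figures below are constructed.
PFH_BANDS = {3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}   # SIL: [lower, upper) per hour

def sil_from_pfh(pfh):
    """Highest SIL (capped at 3) whose PFH band contains pfh; 0 if no band does."""
    if pfh < PFH_BANDS[3][0]:
        return 3
    for sil, (lo, hi) in PFH_BANDS.items():
        if lo <= pfh < hi:
            return sil
    return 0

def assess(target_sil, subsystems):
    """subsystems: (name, SIL Capability, PFH per hour) for each element in one safety
    function's signal path. Returns (achieved SIL, total PFH, findings explaining a shortfall)."""
    total_pfh = sum(pfh for _, _, pfh in subsystems)
    sil_by_pfh = sil_from_pfh(total_pfh)
    lowest_capability = min(cap for _, cap, _ in subsystems)
    findings = []
    if sil_by_pfh < target_sil:
        findings.append(f"summed PFH {total_pfh:.2e}/h supports only SIL {sil_by_pfh}")
    for name, cap, _ in subsystems:
        if cap < target_sil:
            findings.append(f"{name}: SIL Capability {cap} is below the target SIL {target_sil}")
    return min(sil_by_pfh, lowest_capability), total_pfh, findings

# Constructed chain for an STO request: guard interlock -> safety logic -> VFD(SR).
SAFETY_CHAIN = [("two-channel interlock switch", 3, 2.0e-8),
                ("safety logic unit", 3, 1.5e-8),
                ("VFD(SR) STO function", 3, 5.0e-9)]
# Same function, but the STO request is routed through a standard controller whose
# integrity is (generously, for this constructed case) taken as SIL Capability 1.
WEAK_CHAIN = [SAFETY_CHAIN[0], ("standard controller", 1, 5.0e-7), SAFETY_CHAIN[2]]

if __name__ == "__main__":
    for chain in (SAFETY_CHAIN, WEAK_CHAIN):
        sil, pfh, notes = assess(2, chain)
        print(f"achieved SIL {sil} at {pfh:.2e}/h", *notes, sep="\n  ")
```

The second chain shows why the signalling path matters: the VFD(SR) itself is SIL 3 capable, yet the function as a whole only achieves SIL 1 because of the controller it is interfaced with.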

Excellent article summarizing VFD Functional safety aspects.
by: Rushabh