I'll try to be brief, but that's not easy with such important subjects...
I am a CMSE...
While, in general, I do link a lot of technotes here, I do so to back up, complement or perhaps better explain what I am commenting on or providing advice on. I've mentioned before how seriously I take the topic of Safety. So much so that I've trained and continue to train up to a relatively high Standard. Like many subjects here on the Forum, I do not ever, in good faith, advise someone to carry out a Safety Function design, implementation or modification without first being sure of what I'm talking about. Anything else would be reckless and dangerous of me.
That being said...
I've mentioned before here that the PowerFlex 525 drives, using STO alone, may achieve up to Cat. 3/PLd (SIL2/PLd) for a Category 0 or 1 Stop. The STO Safety channels are redundant and internally self-diagnostic. The drive will detect wiring faults or time discrepancy of S1/S2 switching (up to 1s allowed in later firmware). Their "Safe State" condition is made available internally as a control reliable status bit (bit 4 within b006). This status bit, derived from the self-monitored STO feature, has the equivalency of auxiliary contacts on redundant Safety Actuators, which may be used for a Monitored Reset circuit.
Using a programmable Safety relay or controller, this status bit is permissible as a monitored Safe State active signal. The implicit network connection of the drive to a standard controller, and the use of datalinks, ensures the data is updated deterministically. The safety controller should likewise receive this status deterministically. If a connection is broken the status of the STO may be indeterminate. However, this failure would not lead to the loss of the Safety Function at the next demand (Cat. 3). When the STO is next tripped, if the Safe State status is indeterminately not detected as present, the STO will not reset. If the Safe State status is indeterminately present, then the STO should also not reset. Why? Because ISO 13849-1 stipulates that instruction reset functions must occur on falling edge signals when implementing a programmable Safety Function Monitored Reset. So in order to provide a reset, we must see the monitored status bit change after the Safety Function has tripped.
Cat. 3 also states that, where reasonably practicable, single faults shall be detected, and if detected, shall always execute the Safety Function. The following is not necessary for Cat. 3/PLd (SIL2/PLd), but does not hurt the Diagnostic Coverage...
To detect a single fault, such as the loss of a network connection, we may already have watchdog features available or we may create a watchdog to monitor a connection. If the connection from the drive to the standard controller is broken, the standard controller can flag this detected fault to the Safety controller and the Safety Function may be executed. If the connection between the Safety controller and the standard controller is broken, the Safety controller can flag this detected fault and the Safety Function may be executed.
Of course, upon detection of the connection loss of the drive, the standard controller may also assert a normal control interlocked Stop to the drive. Standard good practice.
That is far from including all aspects of such a design (I'm trying to be brief) but the above goes above and beyond for Cat. 3/PLd (SIL2/PLd).
If we require a PowerFlex with STO to achieve Cat. 3/PLe (SIL3/PLe), then additionally we must use an external Safety Actuator (Contactor).
I'll turn on the technical jargon for a minute...
Cat. 3 Single fault tolerant
Using Sistema
PowerFlex 525
MTTFd = 140412 years
DC = 0% (Assuming no Diagnostics)
Safety Contactor
Avg. 1 operation/hr
MTTFd = 22831 years
DC = 99% (monitoring of mechanically linked contact)
In order to eliminate any potential errors due to common cause failure (CCF) we have applied sufficient engineering methods to achieve a score of over 65 points (min. CCF must be >= 65).
This scoring allows us to achieve PLe and also a calculated overall PFHd of 5.8e-8. This equates to a Probability of Dangerous Failure per Hour of < 0.00000058%...
Quite
PLeasing to the eye.
Lest I'm further doubted, I will also provide this complementary information, provided by my esteemed colleague Dave Rasmussen, who is a Functional Safety Engineer (TÜV Rheinland) and Rockwell's North America Safety Manager...
Functional Specification for use of PowerFlex 525 STO with GuardLogix and POINT I/O...
Dave Rasmussen said:
...Hazardous motion is prevented by the drive Safe Torque Off (STO). The PowerFlex 525 STO inputs are connected to a pair of pulse tested outputs on the 1734OB8S output module. The I/O module is connected via CIP Safety over an EtherNet/IP network to the GuardLogix safety controller. The safety code uses a block called Configurable Redundant Output (CROUT) to control outputs connected to the drive STO inputs. There is no hardwired feedback for the PowerFlex 525 STO, so the CROUT shall use the output as feedback. The status of the STO is obtained via EtherNet/IP and shall be included in the zone safety Reset signal logic to verify operation.
Where a Cat 0 Stop is required by the Risk Assessment the STO inputs will be removed upon actuation of the safeguard.
Where a Cat 1 Stop is required by the Risk Assessment the drive will be issued a fast stop command upon actuation of the safeguard, followed by a time delayed removal of STO inputs. The time delay will be based on normal running conditions, and shall allow the drive time to stop the load.
When all safeguard conditions are satisfied, no faults are detected on the Safety Zone, and the reset push button is pressed, the controller then issues an output signal to the Safety output module to switch ON a pair of outputs to energize the STO...
So again, I/We would say proceed as intended...
Regards,
George
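The monitored reset and connection-watchdog rules described in the post above (reset only after the drive's Safe State status bit is seen to change following a trip, on the falling edge of the reset button, and a lost status connection executing the Safety Function), modelled scan by scan as an added example. This is constructed illustration code, not the author's logic, Rockwell's CROUT instruction or any drive firmware; the scan structure, the `None` convention for a lost connection and the power-up initial state are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoZone:
    """One safety zone: a drive whose STO inputs are driven by safety outputs.

    Constructed model of the reset rules in the post, not Rockwell's CROUT
    instruction. sto_safe is the drive's "Safe State active" status bit as
    received over the network; None means the connection watchdog has
    expired, so the status is indeterminate.
    """
    sto_energized: bool = False     # True = outputs energised, drive may run
    tripped: bool = True            # a demand on the safety function is pending
    safe_seen: bool = False         # status bit changed to Safe State after trip
    last_sto_safe: Optional[bool] = False   # assumption: not in Safe State at power-up
    last_reset_pb: bool = False
    fault: Optional[str] = None

    def _trip(self) -> None:
        self.sto_energized = False
        self.tripped = True
        self.safe_seen = False

    def scan(self, safeguard_ok: bool, sto_safe: Optional[bool], reset_pb: bool) -> bool:
        """One controller scan; returns the commanded STO output state."""
        # Any demand on the safety function removes the STO outputs.
        if not safeguard_ok:
            self._trip()
        # A detected single fault (lost status connection) also executes
        # the safety function rather than leaving the status stale.
        if sto_safe is None:
            self.fault = "STO status connection lost"
            self._trip()
        else:
            self.fault = None
            # Arm the reset only on the change to Safe State after the trip;
            # a stale bit that never changes does not count.
            if self.tripped and sto_safe and not self.last_sto_safe:
                self.safe_seen = True
        # Monitored reset: release (falling edge) of the reset button, all
        # safeguards satisfied, no fault, and Safe State confirmed since trip.
        falling_edge = self.last_reset_pb and not reset_pb
        if (falling_edge and safeguard_ok and self.fault is None
                and self.tripped and self.safe_seen):
            self.tripped = False
            self.sto_energized = True
        self.last_reset_pb = reset_pb
        self.last_sto_safe = sto_safe
        return self.sto_energized
```

Feeding the model a sequence of scans shows that a reset attempt with an unchanged status bit, or with the status connection lost, leaves the STO outputs de-energised.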