Powerflex 525s, Safety Circuits and monitoring

testsubject

Guys,

I am curious if this is okay.

We currently use the Relay output of the PF525 (set 76 to 29 [SAFE-OFF]).

We then daisy chain all these relays from 24vdc and to one of the inputs of the safety PLC.
This is the VFD Monitor.

I am thinking of changing this to doing it with software since it is a monitor to restart the safety, not a risk specific function.

How does everyone handle the "monitor" portion of the safety circuit?
 
janner,

thanks for your response. Is there any documentation out there to support this?

A more detailed example:
We are using a Safety PLC to generate the STO to the group of PowerFlex 525 VFDs. In the VFD we are using the Relay output (t076 set to 29) to confirm that the STO is active. All these relays are daisy-chained as an input to the Safety PLC. If this input is high, it is okay to reset the STO. I am thinking that this information can be transmitted directly to the Safety PLC from the control PLC (via ethernet) since I am already monitoring the VFD and this information is available there.

Am I off in this assumption?


I am looking to get rid of all the wiring if it is not needed.
 
Parameter b006 - Drive Status

I'm not sure what information exactly you are monitoring from the PowerFlex 525 drive in the "control PLC", but the following technote describes the correct parameter/bit to monitor for the drive's internal "Safety Active/Inactive" status...

538997 - PowerFlex 525 drive Safe Off Torque Monitoring
Access Level: Everyone

Parameter b006 - Drive Status bit "5" will provide you the drive's internal STO status, which you can pass on over Ethernet (EtherNet/IP, I would recommend, for deterministic availability).

I am just providing the technote as you appear to be requesting official confirmation on the matter. As janner_10 has mentioned, the monitoring of a Safety Function does not have to be provided by means of Safety Related Parts of the Control System (SRP/CS). One thing you do have to be careful with is making sure that the monitoring signal you do provide does not create an Automatic Reset of the Safety Function, if an Automatic Reset has been Risk Assessed as hazardous. But that advice goes for all monitored Safety Functions, and not just in this particular scenario.

If you are already reading this parameter in then I would say proceed as intended...

[Image: PF525 - b006 Drive Status]


Regards,
George
 
What safety standard or degree of safety performance are you designing to ?

It sounds like you are using the fault relays as a "External Device Monitoring" circuit.

How does your safety relay/controller/PLC handle a Reset ? Is there a manually-pressed emergency stop reset button ?

It's my guess that because the fault relays are controlled by a general purpose programmable device (the PowerFlex, implementing the setting of Parameter t076) then you could implement the same function with another general-purpose programmable device.

Is this a GuardLogix controller ?

Also please confirm that these are PowerFlex 525 drives, which I believe have only hardwired Safe-Torque-Off, not STO over the Ethernet CIP Safety network like the PowerFlex 527 drives.
 
George,

Thanks for the info on b006.

Ken,

It is the Powerflex 525 drives we are using. The Safety Module the Wieland SP-COP2.

We are using CAT 3 and there is a hard reset to the SP-COP2. This is not configured to Auto Reset.

I am not looking to replace the STO; that will remain hardwired. I am looking to replace the hardwired active monitor in the drive that is currently wired to relay 1 (daisy chained to all drives in the system) with a software monitor in the PLC and then transmit that to SP-COP2.

The data type I am using (AB:powerFlex525V_E_986E6156:I:O) has the following parameter: DriveStatus_param_SafetyActive. I thought I could use this instead of it being hardwired and send this bit (actually I would chain all the drives' bits and send the result) to the SP-COP2 over Ethernet to satisfy the Safety Active input in the SP-COP2.


I guess, ultimately, I am looking for confirmation that what I want to do is possible and the documentation to back it up.

Thanks so much for all your help.
 
As further support for your plan, I have had issues with using the Relay Outputs of VFDs in Safety Monitor circuits. The energy used in Safety Relays is typically very low and over time, can be too low to burn off any film of contaminants on the relay contact surfaces. So a year or two down the road, you start getting false negatives, meaning the contacts are closed, but the low energy signal doesn't get through any more.
 
jraef,

That is a very good point. I had not thought about that but it is something else to take into consideration.
 
Jeff Kiper, where are you ? We need a functional safety expert !

The usual function of an External Device Monitoring circuit is for a safety-rated relay or contactor that has force-guided contacts. The EDM feedback contact is physically linked to the output contacts. And typically there are two series safety relays/contactors, so there are two independent EDM feedback contacts to the safety controller.

Your hardwired status relays aren't physically linked to anything; they are standalone relays that are software controlled by the general-purpose firmware inside the PowerFlex 525.

The status relays rely only on the firmware and general functionality of the PowerFlex 525. The network feedback relies on the PowerFlex, its network module, the network infrastructure, and the general purpose PLC controller. Both are single channels, but the network feedback relies on a more complex controller and user programs, not on a single parameter.

I think that you can use the network as a Category 3 EDM if the Reset button is still physically in series with the output from the PLC to the safety controller's EDM channel. A single failure of the drive, or network, or PLC user program, or PowerFlex parameter/firmware will not cause an uncommanded reset unless the Reset button itself fails as well.
 
Ken,

Thanks for the response.

This sounds like what I am trying to accomplish. Is there any documentation that you can recommend I look at to support it? My boss is really onboard to make the change but wants "proof."
 
The reason a feedback loop is used on a safety contactor is to increase your diagnostic coverage. That is, it's no good having dual safety contactors for redundancy if you can't detect when one of them fails and welds in. If that event goes undetected, you're back to no redundancy. So the feedback loop shows that all your safety contactors have dropped out and are therefore healthy and operable.

You can argue that this is unnecessary on a PF525 with STO, because the safety module on the drive is self-monitoring. That is, if one channel of your STO becomes faulty, the drive will detect it and refuse to reset regardless of the status of the inputs. Hey presto; fault detected, redundancy requirements met. However, that's not to say that there's no reason to use it at all; just that one can make an argument that it's not required.

Anecdotally, I've used the STO of PowerFlex 525s many times, and only once used the hardwired feedback loop as you describe. I've never linked the safety feedback in via comms. 99% of the systems I put in get validated by independent CMSE/CFSE experts and they never have any issues. That said, it depends on what PL you are trying to achieve, and that must be driven by risk assessment. Though you can argue it's not required, the use of the monitoring loop as part of your safety systems will increase your diagnostic coverage. You may already have enough DC to meet your required PL, in which case you could get away without it. Or you might be right on the limit and using the safety feedback could be enough to get you over the line. There's no specific rule one way or the other - safety validation nowadays takes a much more holistic view of how robust, reliable and fault tolerant your safety systems are. We're now factoring in things like whether you're using a cheap s***ty knock-off brand contactor, or a tried-and-tested purpose-built safety contactor with a longer MTTFd (mean time to dangerous failure). From a design perspective it's good and bad; bad because it's much less black and white, i.e. you can no longer just say "if I check these four boxes I comply regardless". But good because it gives you a lot more flexibility to say "well, normally we'd do this, but that's impractical here. But if I do this over here to increase my diagnostic coverage and provide another means of fault detection over there, I can still reach the PL required by the risk assessment".

Disclaimer: all this is based on upside-down land, which is being aligned with IEC standards. From what I understand you 'mericans don't always consider yourselves part of the "I" in IEC? :p
 
ASF,

Thanks for your input.

I was not trying to remove the feedback loop; just move it into the PLC.

I would still be monitoring the STO Active from the PF525. I would just be doing it in the PLC and sending the response to the Safety PLC.

And just to be clear: STO_active (t076=29) in the PF525 goes high if both STO channel inputs are off (Active). If I do not see STO_Active, there is something wrong with the STO. I do not think this would change the diagnostic coverage.

FYI, I am one of those yanks that are familiar with IEC; I wish we would just switch over already....

Thanks!

The same thing (I think) is occurring with the hardwire chain.
 
I'll try be brief, but that's not easy with such important subjects...

I am a CMSE...

While, in general, I do link a lot of technotes here, I do so to back up, complement or perhaps better explain what I am commenting on or providing advice on. I've mentioned before how seriously I take the topic of Safety. So much so that I've trained and continue to train up to a relatively high Standard. Like many subjects here on the Forum, I do not ever, in good faith, advise someone to carry out a Safety Function design, implementation or modification without first being sure of what I'm talking about. Anything else would be reckless and dangerous of me.

That being said...

I've mentioned before here that the PowerFlex 525 drives, using STO alone, may achieve up to Cat. 3/PLd (SIL2/PLd) for a Category 0 or 1 Stop. The STO Safety channels are redundant and internally self diagnostic. The drive will detect wiring faults or time discrepancy of S1/S2 switching (up to 1s allowed in later firmware). Their "Safe State" condition is made available internally as a control reliable status bit (bit 4 within b006). This status bit, derived from the self monitored STO feature, has the equivalency of auxiliary contacts on redundant Safety Actuators, which may be used for a Monitored Reset circuit.

Using a programmable Safety relay or controller, this status bit is permissible as a monitored Safe State active signal. The implicit network connection of the drive to a standard controller, and the use of datalinks, ensures the data is updated deterministically. The safety controller should likewise receive this status deterministically. If a connection is broken the status of the STO may be indeterminate. However, this failure would not lead to the loss of the Safety Function at the next demand (Cat. 3). When the STO is next tripped, if the Safe State status is indeterminately not detected as present, the STO will not reset. If the Safe State status is indeterminately present, then the STO should also not reset. Why? Because ISO 13849-1 stipulates that instruction reset functions must occur on falling edge signals when implementing a programmable Safety Function Monitored Reset. So in order to provide a reset, we must see the monitored status bit change after the Safety Function has tripped.

Cat. 3 also states that, where reasonably practicable, single faults shall be detected, and if detected, shall always execute the Safety Function. The following is not necessary for Cat. 3/PLd (SIL2/PLd), but does not hurt the Diagnostic Coverage...

To detect a single fault, such as the loss of a network connection, we may already have watchdog features available or we may create a watchdog to monitor a connection. If the connection from the drive to the standard controller is broken, the standard controller can flag this detected fault to the Safety controller and the Safety Function may be executed. If the connection between the Safety controller and the standard controller is broken, the Safety controller can flag this detected fault and the Safety Function may be executed.

Of course, upon detection of the connection loss of the drive, the standard controller may also assert a normal control interlocked Stop to the drive. Standard good practice.

That is far from including all aspects of such a design (I'm trying to be brief) but the above goes above and beyond for Cat. 3/PLd (SIL2/PLd).

If we require a PowerFlex with STO to achieve Cat. 3/PLe (SIL3/PLe), then additionally we must use an external Safety Actuator (Contactor).

I'll turn on the technical jargon for a minute...

Cat. 3 Single fault tolerant

Using Sistema

PowerFlex 525
MTTFd = 140412 years
DC = 0% (Assuming no Diagnostics)

Safety Contactor
Avg. 1 operation/hr
MTTFd = 22831 years
DC = 99% (monitoring of mechanically linked contact)

In order to eliminate any potential errors due to common cause failure (CCF) we have applied sufficient engineering methods to achieve a score of over 65 points (min. CCF must be >= 65).

This scoring allows us to achieve PLe and also a calculated overall PFHd of 5.8e-8. This equates to a Probability of Dangerous Failure per Hour of < 0.00000058%...

Quite PLeasing to the eye.

Lest I'm further doubted, I will also provide this complementary information, provided by my esteemed colleague Dave Rasmussen - Functional Safety Engineer (TÜV Rheinland), who is Rockwell's North America Safety Manager...

Functional Specification for use of PowerFlex 525 STO with GuardLogix and POINT I/O...

Dave Rasmussen said:
...Hazardous motion is prevented by the drive Safe Torque Off (STO). The PowerFlex 525 STO inputs are connected to a pair of pulse tested outputs on the 1734OB8S output module. The I/O module is connected via CIP Safety over an EtherNet/IP network to the GuardLogix safety controller. The safety code uses a block called Configurable Redundant Output (CROUT) to control outputs connected to the drive STO inputs. There is no hardwired feedback for the PowerFlex 525 STO, so the CROUT shall use the output as feedback. The status of the STO is obtained via EtherNet/IP and shall be included in the zone safety Reset signal logic to verify operation.

Where a Cat 0 Stop is required by the Risk Assessment the STO inputs will be removed upon actuation of the safeguard.

Where a Cat 1 Stop is required by the Risk Assessment the drive will be issued a fast stop command upon actuation of the safeguard, followed by a time delayed removal of STO inputs. The time delay will be based on normal running conditions, and shall allow the drive time to stop the load.

When all safeguard conditions are satisfied, no faults are detected on the Safety Zone, and the reset push button is pressed, the controller then issues an output signal to the Safety output module to switch ON a pair of outputs to energize the STO...

So again, I/We would say proceed as intended...

Regards,
George
 
George,

Thank you for your detailed explanation. It was very informative.

Where did Dave get the information stated in the quote? I am looking through 520-um001.pdf and cannot find this paragraph.
 
Hi, sorry to jump on an old thread but my question is directly related to this. We have a machine with a number of PowerFlex 525 drives. The monitoring circuit for the safety relay is daisy chained through Relay Output 2 (NC) of the drives. The parameter for the relay output (81) is set to MotorRunning. We are having issues where the NC relay is stuck open. Maybe similar to jraef's issues that he has experienced:

As further support for your plan, I have had issues with using the Relay Outputs of VFDs in Safety Monitor circuits. The energy used in Safety Relays is typically very low and over time, can be too low to burn off any film of contaminants on the relay contact surfaces. So a year or two down the road, you start getting false negatives, meaning the contacts are closed, but the low energy signal doesn't get through any more.

This equipment has only been in the plant for a year and we have replaced two of these drives for this reason already.

Can this monitoring be eliminated? Is it safe to assume that if the safety relay is not reset, the STO is not energized and the drive could not be running?
 
