
Safety At175 - en P

The document outlines the Safe Monitoring solution using drives, focusing on performance considerations and safety functions. It details the dependencies on firmware and Logix Designer, achievable safety ratings, and the features of Kinetix 5700 and PowerFlex drives. Additionally, it distinguishes between drive-based and controller-based safety functions, emphasizing their integration and execution methods.


Safe Monitoring Solution using Drives,
Performance Considerations
Commercial Engineering
May 2020
Table of Contents
1 Background
1.1 Firmware & Logix Designer Dependencies
1.2 Achievable Safety Ratings of the Safe Monitoring Solution
1.3 Safety Features of Kinetix 5700 and PowerFlex Drives
1.4 Defining Drive Based and Controller Based Safety Functions
2 Drive Based Safety Functions
2.1 Safety Actions Parameters
2.2 Initiate Safety Function Execution
2.2.1 Initiating STO
2.2.2 Initiating SS1
2.3 Safe Torque Off (STO) Examples
2.3.1 Safe Torque Off – Connected Drive
2.3.2 Safe Torque Off – Running Controller
2.4 Safe Stop 1 (SS1) Examples
2.4.1 Timed SS1 used with Connected Drive
2.4.2 Timed SS1 used with Running Controller
2.4.3 Monitored SS1 used with Connected Drive
2.4.4 Monitored SS1 used with Running Controller
3 Controller Based Safety Functions
3.1.1 Monitored SS1 used with Controller Based Execution
4 Drive Safety Instructions Performance Criteria
4.1 SFX – Safety Feedback Interface
4.1.1 Safety Task Update Period
4.1.2 Safety Input RPI
4.1.3 Velocity Average Filter Time
4.1.4 Feedback Resolution
4.2 SFX Performance Factors
5 Guidance on System Reaction Time
6 SS1 Program Example

Rockwell Automation • Safe Monitoring Solution with Drives | 02


1 Background
This document will describe and explore the performance impact of using drive based or controller based
safety functions. Both drive and controller based safety functions involve tight interaction between the drive,
safety, and standard programs. This is the Safe Monitoring solution. There are many benefits to using an
integrated Safe Monitoring solution, including:

• The ability to perform intricate and customized safety logic


• Manage multiple safety zones
• Inherent flexibility, modularity and scalability
• Manage a large number of safety I/O devices
• Tightly integrate safety diagnostic data
• Manage safety actions across both servo and standard drives

The components of a Logix architected Safe Monitoring solution consist of:


• GuardLogix® or Compact GuardLogix safety controller
• Kinetix® 5700 ERS3/SerB, Kinetix 5700 ERS4, PowerFlex® (20-750-S4) Advanced Safety Module
• This document will only cover the PowerFlex 755 Integrated Motion on EtherNet/IP™ (CIP™) solution
• Kinetix VP motors with SIL2 rated encoders (optional)
• Studio 5000 Logix Designer® Version 31 or greater

All examples and timing diagrams in this document show the Kinetix 5700 ERS4 drive.

1.1 Firmware & Logix Designer Dependencies


When using different Kinetix or PowerFlex drives, the Safe Monitoring solution has hardware (firmware) and
Logix Designer software prerequisites. Logix Designer must be version 31 or higher.

| Controller | Kinetix 5700 ERS3 with Version 7.x firmware | Kinetix 5700 ERS3/SerB with Version 9.x firmware (or >) | Kinetix 5700 ERS4 with Version 9.x firmware (or >) |
|---|---|---|---|
| GuardLogix 5580 and Compact GuardLogix 5380 | Network or Hardwired STO ONLY | Network STO, SS1-t or Hardwired STO | Controller Based: SFX, STO, SS1, SS2, SOS, SLS, SLP, SDI, SBC. Drive Based: STO, SS1-t*, SS1-m**, Safety Feedback, Safety Dual-Channel Feedback |
| GuardLogix 5570 and Compact GuardLogix 5370 | Network or Hardwired STO ONLY | Network STO, SS1-t or Hardwired STO | Network STO, SS1-t |

*SS1-t is Safe Stop 1 (Stop Category 1) – Timed


**SS1-m is Safe Stop 1 (Stop Category 1) – Monitored

Table 1.1 Logix and Kinetix Dependencies for Safe Monitoring Solutions



| | PowerFlex 755 (CIP) with 20-750-S3 safety card | PowerFlex 755 (CIP) with 20-750-S4 safety card* |
|---|---|---|
| GuardLogix 5580 and Compact GuardLogix 5380 | Network or Hardwired STO ONLY | Controller Based: SFX, STO, SS1, SS2, SOS, SLS, SLP, SDI, SBC. Drive Based: STO, SS1-t, SS1-m, Safety Feedback, Safety Dual-Channel Feedback, SBC |
| PowerFlex Firmware Rev | Version 14 | Version 14 |
| PowerFlex AOP Rev | Version 19 | Version 19 |

*The PowerFlex 755 table will show the Integrated Motion on EtherNet/IP (CIP) solution only

Table 1.2 Logix and PowerFlex Dependencies for Safe Monitoring Solutions

1.2 Achievable Safety Ratings of the Safe Monitoring Solution


The combination of these devices can provide safety solutions with a rating up to SIL3, PLe. Figures 1.1 and
1.2 show examples of using Kinetix and PowerFlex drives and different feedback configurations to achieve
various safety levels.

Fig. 1.1 Kinetix 5700 Safe Monitoring Solution Achievable Rating

Figure 1.2 PowerFlex 755/755T Safe Monitoring Solution Achievable Rating



Figure 1.3 shows the different available configurations to achieve different safety levels using a
Kinetix 5700 ERS4.

Feedback Types Assigned to Feedback Ports for SIL 2 and PL d Applications

Feedback Types Assigned to Feedback Ports for SIL 3/PL e Applications

Figure 1.3 Kinetix Drive Achievable Safety Ratings



1.3 Safety Features of Kinetix 5700 and PowerFlex Drives
There are features that are available for both drive families. Below is a feature comparison between the
PowerFlex 755 and Kinetix 5700 drives.

Cat0 is a Category 0 stop which is defined as an uncontrolled stop by immediately removing power to the
machine actuator. This would be the drive Disable & Coast stopping action.

Cat1 is a Category 1 stop which is defined as a controlled stop with power to the machine actuator available
to achieve the stop then removal of power when the stop is achieved. This would be the drive Current Decel
& Disable stopping action.

In the table below, STO is Safe Torque Off, SS1 is Safe Stop 1, and SBC is Safe Brake Control.

Drives compared: Kinetix 5700 ERS3, Kinetix 5700 ERS3/SerB, Kinetix 5700 ERS4, PowerFlex 755 20-750-S3, PowerFlex 755 20-750-S4

Feature
Hardwired STO X X X X
Networked STO X X X X X
SFX X X
SS1 Drive Based (Timed) X X X
SS1 Drive Based (Monitored) X X
Safety Connection Loss Stopping Action (STO or SS1) X X X
Safety Connection Idle Stopping Action (STO or SS1) X X X
Motion Connection Loss Stopping Action (Cat 0 or Cat 1 Stop) (Kinetix feature only) X X
Motion Connection Idle Stopping Action (Cat0 or Cat1) (Kinetix feature only) X X
Dedicated STO Input (Hardwired Mode) Cat 0 X X X X *
STO Output (Network Mode) Cat 0 X X X X X
STO Output (Drive Controlled) Cat 1 X X X
STO Output (Controller Based) Cat 1 X X X
Configurable Safety Inputs X (4 inputs)
Configurable Safety Outputs X (2 outputs)
SBC (Drive Based) X
SBC (Controller Based) X X
Speed Monitoring X X

*There are no dedicated STO inputs. The drive has four safety inputs that can be programmed to behave like STO inputs.

Table 1.3 Safety Features Available for PowerFlex and Kinetix Drives



1.4 Defining Drive Based and Controller Based Safety Functions
The drive based safety function is when the drive monitors and executes the safety function. The controller
based safety function is when the controller monitors and executes the safety function. The difference
between drive and controller based safety functions is how and where the safety function is monitored
and executed. Both drive and controller based safety functions initiate from the controller using different
methods. It is important to note that any safety function, by itself, does not control the motor. Either the
drive or the motion control program is used to manage control of the motor based on the safety function
executing. Table 1.4 highlights some differences between the two methods:

| Attribute | Drive Based Safety Function | Controller Based Safety Function |
|---|---|---|
| Safety Function Initialized | Control of the Request bit in the Output Assembly | Control input request parameter of Drive Safety Instruction |
| Configuration | Drive Module Add-On Profile (AOP) | Drive Safety Instructions |
| Configuration Changes | Fixed, changed with Drive AOP and program download | Changeable when controller is running and instruction is not actively monitoring |
| System Reaction Time | Faster | Not as fast as drive based |

Table 1.4 Differences between Drive and Controller Based Safety Function



The figures below show the operational sequence for Drive vs. Controller Based Safety Function for the
STO/SS1 safety function.

Figure 1.4 Example showing STO/SS1 Safety Function Operation using Drive Based Safety Function

Figure 1.5 Example showing STO/SS1 Safety Function Operation using Controller Based Safety Function



2 Drive Based Safety Functions
There are two drive based safety functions, Safe Torque Off (STO) and Safe Stop 1 (SS1). They are configured
in the Kinetix 5700 ERS3 Series B, ERS4 servo drives and the PowerFlex 755 S4 option card. The drive based
safety function configuration for STO and SS1 is done in the Drive Module Add-On Profile (AOP).

When executing drive based safety functions, the main consideration is which hardware is in control of
stopping and disabling of the motor. Will this safety function be managed by the drive or by the user motion
control program? This leads to the selection of the safety function’s Action Source, which is selectable as
Connected Drive or Running Controller.

Depending on the machine’s mechanical design, having the user motion control program manage a decel
limited, controlled stop to minimize stress on the mechanics can be the primary consideration. If reaction
time is the primary concern, and stopping the motor as fast as possible is required, having the drive stop the
motor is the better option.

2.1 Safety Actions Parameters


The Safety Actions parameters, located in the Axis Properties on the Actions tab, determine if the drive
or the user motion control program will initiate the stopping sequence in response to an STO or SS1
Request condition.

Figure 2.1 Safety Actions Location in Axis Properties

The selection options for both Safe Torque Off Action Source and Safe Stopping Action Source are:
• Connected Drive – the drive initiates the stopping sequence according to the Action selection
• Running Controller – requires the user motion control program to execute the stopping action

If the drive will be initiating the stopping sequence, the stopping method is based off the Action parameter
selection. The Safe Torque Off Action and/or Safe Stopping Action are ignored when Running Controller is
selected since the motion control program will be performing the stopping sequence.

The Safe Torque Off Action parameters are dependent on the axis configuration setting. Available options are:
• Disable & Coast
• Current Decel & Disable
• Ramped Decel & Disable (Velocity Mode, Frequency Mode only)

The Safe Stopping Action parameter options are dependent on the axis configuration setting. Available
options are:
• Current Decel (Disable implied)
• Ramped Decel (Velocity Mode, Frequency Mode only)



2.2 Initiate Safety Function Execution
When using networked safety, the GuardLogix controller is responsible for initiating the safety function
request. This is done by controlling bits in the Safety Output Assembly of the drive module. The safety
program logic is used to execute the drive based safety functions.

2.2.1 Initiating STO


The STO safety function is controlled by the drive module tag Module:SO.STOOutput. During normal
operation the Module:SO.STOOutput tag would be ON. To initiate the STO, the Module:SO.STOOutput tag would
need to transition to OFF. Below is an example of controlling the Module:SO.STOOutput bit.

2.2.2 Initiating SS1


The SS1 safety function is controlled by the drive module tag Module:SO.SS1Request. To initiate the SS1, the
Module:SO.SS1Request tag needs to transition to ON. Below is an example of controlling the SS1Request bit.

2.3 Safe Torque Off (STO) Examples


The STO safety function has some added functionality over Hardwired STO and previous network STO
solutions. This STO configuration allows a Category 1 Stop to be used and now includes an STO Delay.

The STO Delay starts timing when the Axis.SafeTorqueOffActiveStatus bit is set (ON). This delay is used to
allow time for the motor to decelerate to zero speed, engage a holding brake, and disable the motor before
removing torque producing ability when the STO Delay time expires.



Fig. 2.3 STO Execution with Different Action Sources

Both the STO and SS1 examples can use the Zero Speed value as an indicator that the motor has reached
zero speed. Zero Speed is an Axis parameter that can be modified and lets you manually set the zero-speed
condition that is used by the Logix Designer application to indicate the motor is at zero speed. This value is
a percentage of the motor rated speed and is used together with a disabling operation to determine when the
holding brake output is applied in a Category 0 and Category 1 Stop. Once the motor speed is less than the
Zero Speed value, a timer begins timing (Zero Speed Time) which, upon expiring, is meant to indicate a true
zero-speed condition of the motor.

2.3.1 Safe Torque Off – Connected Drive


When the Safe Torque Off Action Source is Connected Drive, the drive will perform the Safe Torque Off
Action before removing torque producing ability and completing the STO request.

Figure 2.4 Axis Properties/Actions>Safe Torque Off Action Source – Connected Drive



Figure 2.5 Axis Properties/Parameter List – Stopping Torque/Time & Zero Speed Values

• In the Safety Program, Module:SO.STOOutput is cleared (OFF) to initiate the STO Request
• The drive sets Module:SI.STOActive (ON) and STO Delay begins timing
• Current Decel & Disable: The drive will use the Stopping Torque to bring the motor to Zero Speed
(Current Decel & Disable is shown - Disable and Coast is also available. When using Disable & Coast,
be sure the STO Delay is large enough so the motor can reach zero speed).
• At Zero Speed, the drive disabling begins, the Mechanical Brake Output is cleared (OFF) and
MechanicalBrakeEngageDelay begins timing
• PowerStructureEnabled is cleared (OFF) once the MechanicalBrakeEngageDelay time expires
• STO Delay timer expires and torque producing ability is removed
• STO Request is complete

Figure 2.6 Timing chart showing the STO Action Source Connected Drive (Current Decel & Disable)



2.3.2 Safe Torque Off – Running Controller
When the Safe Torque Off Action Source is Running Controller, the user’s motion control program should
execute the stopping action and perform any additional control including disabling of the motor. Once the
Safe Torque Off delay expires, torque producing ability is removed and the STO Request is complete.
Safe Torque Off Action is ignored in this configuration.

Figure 2.7 Safety Actions>Safe Torque Off Action Source – Running Controller

• In the Safety Program, Module:SO.STOOutput is cleared (OFF) to initiate the STO Request
• The drive sets Module:SI.STOActive (ON) and STO Delay begins timing
• The user motion control program uses the pass-through axis tag Axis.SafeTorqueOffActiveStatus as a
condition to initiate the stopping of the motor to Zero Speed.
• At Zero Speed, a disable is executed by the motion control program, Axis.MechanicalBrakeOutputStatus
is cleared (OFF) and MechanicalBrakeEngageDelay begins timing
• Axis.PowerStructureEnabledStatus is cleared (OFF) once the MechanicalBrakeEngageDelay expires
• STO Delay timer expires and torque producing ability is removed
• STO Request is complete



Figure 2.8 Timing chart showing the STO Action Source Running Controller

2.4 Safe Stop 1 (SS1) Examples


The SS1 (Safe Stop 1) is designed to perform a Category 1 stop. There are two different modes of the SS1,
Timed and Monitored. The modes are selected in the Drive AOP Properties.

Figure 2.9 SS1 Mode Selection from Drive Properties – SS1/Motion Safety Category

Similar to the STO safety function, the Action Source of the SS1 is selected as Connected Drive or Running
Controller. Either of these selections will take different monitoring and execution paths, but have the same
result. The SS1 examples can use the Zero Speed or Standstill Speed value as an indicator that the motor
has reached zero speed. Zero Speed is described in Section 2.3. Standstill speed is a parameter that can
be modified either by the SS1 instruction or in the Drive Module AOP and lets you manually set a zero-speed
condition that is in user units. Once the motor speed is below the Standstill Speed value, the “standstill”
condition is met. Standstill speed is used with the Monitored SS1 function only. When the Standstill Speed
condition is met, the STO request is initiated. It is typical for the Standstill Speed and Zero Speed to be
similar values. A way to think about Zero/Standstill speed and their use: Zero Speed is used in the Standard
environment as a permissive to disable the motor. Standstill Speed is used by the Safety environment to
initiate an STO request.



The figures below show the execution for both of the SS1 functions when using different Safe Stopping
Action Sources.

Figure 2.10 SS1-Timed Sequence Execution with different Safe Stopping Action Sources

Figure 2.11 SS1-Monitored Sequence Execution with different Safe Stopping Action Sources

IMPORTANT The Safe Stopping Action configuration in the Axis Properties shows the Action of Current
Decel. This is not changeable. SS1 is a Current Decel & Disable (Cat 1 Stop), SS2 is a Current Decel & Hold
(Cat 2 Stop). The reason Current Decel is the selection is because it is common to both SS1 and SS2.
At this time, the Current Decel selection implies a Disable to fulfill the SS1 condition.



2.4.1 Timed SS1 used with Connected Drive
Timed SS1 is available in the Kinetix 5700 ERS3/SerB/ERS4 and the PowerFlex 755 S4. The timed SS1 is a
basic function and used as a drive based safety function. The Timed SS1 uses the Stop Delay time and will not
monitor the deceleration of the motor. Once the Stop Delay expires, the STO Request is made from the drive.
The motor is decelerated by the drive using the Stopping Torque and Stopping Time to reach Zero Speed.
At Zero Speed, the motor is disabled by the drive.

Figure 2.12 Timed SS1 Properties

• The SS1 Request function (drive based safety function) is initiated by setting the SS1Request bit ON
(Drive Safety Output tag – Module:SO.SS1Request=1)
• SS1 Stop Delay begins timing
• Stopping Torque/Stopping Time is used to decelerate the motor to reach Zero Speed
• At Zero Speed, the drive disabling begins, the Mechanical Brake Output is cleared (OFF) and
BrakeEngageDelay begins timing
• PowerStructureEnabled bit is cleared (OFF) once the BrakeEngageDelay time expires
• SS1 Stop Delay expires and STO Request is made by the drive and the STO Action defined by the Axis
Properties is initiated
• STO Delay timer begins
• STO Delay timer expires and torque producing ability is removed
• STO Request is complete



Figure 2.13 Timed SS1 using Connected Drive Action Source

2.4.2 Timed SS1 used with Running Controller


Timed SS1 is available in the Kinetix 5700 ERS3/SerB/ERS4 and with the PowerFlex 755 S4. The Timed SS1
is used as a drive based safety function. The Timed SS1 uses the Stop Delay Time and will not monitor the
deceleration of the motor. Once the Stop Delay expires, the STO Request is made from the drive. The motor
is decelerated by the user motion control program to reach Zero Speed. At Zero Speed, the motor is disabled
by the user motion control program.

• The SS1 Request (drive based safety function) is initiated by setting the SS1Request bit ON (Drive Safety
Output tag – Module:SO.SS1Request=1)
• SS1 Stop Delay begins timing
• User Motion Control Program is used (based on pass-through axis tag SS1ActiveStatus) to decelerate the
motor to Zero Speed
• At Zero Speed, the motor is disabled from the user motion control program, Mechanical Brake Output is
cleared (OFF) and MechanicalBrakeEngageDelay begins timing
• PowerStructureEnabled is cleared (OFF) once the MechanicalBrakeEngageDelay expires
• SS1 Stop Delay expires and STO Request comes from the drive and STO Action defined by the Axis
Properties is initiated
• STO Delay timer begins
• STO Delay timer expires and torque producing ability is removed
• STO Request is complete



Figure 2.14 Timed SS1 using Running Controller Action Source

2.4.3 Monitored SS1 used with Connected Drive


Monitored SS1 is available in the Kinetix 5700 ERS4 and the PowerFlex 755 S4. When Monitored SS1 is used
with Connected Drive as the Action Source, the drive receives the SS1 Request from the safety program.
The drive will use the Stop Delay Time and the Safety defined Primary Feedback Device to monitor the
deceleration of the motor.

The motor is decelerated by the drive using the Stopping Torque and Stopping Time to reach Zero Speed.
At Zero Speed, the motor is disabled by the drive. Once the Stop Delay expires, or the Standstill Speed
is reached, the STO Request comes from the drive and the STO Action, as defined in the Axis Properties,
is performed.

Figure 2.15 Monitored SS1 Drive AOP Profile Settings

IMPORTANT Monitored SS1 is available with a Ramped Decel Safe Stopping Action when the axis is configured
for Velocity Loop, or Frequency Control. Position Loop uses Current Decel as the Safe Stopping Action.



The SS1 parameters are explained in detail in the Kinetix 5700 Safe Monitor Functions
manual, Chapter 2.

• SS1 Request (drive based safety function) initiated by setting the SS1Request bit ON (Drive Safety Output
tag – Module:SO.SS1Request=1)
• When the Stop Monitor Delay has expired, the drive begins monitoring the Primary Feedback device’s
Deceleration ramp using the parameters configured
• SS1 Stop Delay begins timing
• Current Decel – if the motor is not at Standstill Speed, Stopping Torque/Stopping Time is used to decelerate
the motor to zero speed
• While the Deceleration ramp is within tolerances and reaches Zero Speed, the drive disabling begins,
Mechanical Brake Output is cleared (OFF) and MechanicalBrakeEngageDelay begins timing
• PowerStructureEnabled is cleared (OFF) once the MechanicalBrakeEngageDelay time expires
• At Standstill Speed, the STO Request is initiated by the drive and STO Action defined by the Axis Properties
begins – even if the SS1 Stop Delay has not expired
• STO Delay timer begins
• STO Delay timer expires and the ability to produce torque is removed
• STO Request is complete

IMPORTANT While the drive is monitoring the Primary Feedback device’s Deceleration ramp and a fault is
encountered, or the ramp is outside of the configured values, the fault action is a Disable & Coast function,
and the STO Delay will NOT be used. This can be problematic as a Disable & Coast (Cat 0 Stop) function can
cause problems for loads with holding brakes. Take care to avoid faults during the Deceleration monitoring.

Figure 2.16 SS1-Monitored using Connected Drive Action Source



2.4.4 Monitored SS1 used with Running Controller
Monitored SS1 is available in the Kinetix 5700 ERS4 and the PowerFlex 755 S4. When Monitored SS1 is used
with Running Controller as the Action Source, the drive receives the SS1 Request from the safety program
and will use the Stop Delay Time and the Safety defined Primary Feedback Device to monitor the deceleration
of the motor.

The motor is decelerated by the user motion control program to reach Zero Speed. At Zero Speed, the motor
is disabled by the user motion control program. Once the SS1 Stop Delay expires, or the Standstill Speed is
reached, the STO Request is made from the drive and the STO Action, as defined in the Axis Properties, is
performed.

IMPORTANT Monitored SS1 is available with a Ramped Decel Safe Stopping Action when the axis is configured
for Velocity Loop, or Frequency Control. Position Loop uses Current Decel (with implied Disable) as a Safe
Stopping Action.

The SS1 parameters are explained in detail in the Kinetix 5700 Safe Monitor Functions
manual, Chapter 2.

• SS1 Request (drive based safety function) initiated by setting the SS1Request bit ON (Drive Safety Output
tag – Module:SO.SS1Request=1)
• When the Stop Monitor Delay has expired, the drive begins monitoring the Primary Feedback device’s
Deceleration ramp using the parameters configured in the Drive AOP
• SS1 Stop Delay begins timing
• The user motion control program is used to decelerate the motor to reach Standstill Speed
• While the Deceleration ramp is within tolerances and reaches Zero Speed, the motor is disabled using
the motion control program, Mechanical Brake Output is cleared (OFF) and MechanicalBrakeEngageDelay
begins timing
• PowerStructureEnabled is cleared (OFF) once the MechanicalBrakeEngageDelay time expires
• At Standstill Speed, the STO Request is initiated by the drive and STO Action defined by the Axis Properties
begins – even if the SS1 Stop Delay has not expired
• STO Delay timer begins
• STO Delay timer expires and the ability to produce torque is removed
• STO Request is complete

IMPORTANT While the drive is monitoring the Primary Feedback device’s Deceleration ramp and a fault is
encountered, or the ramp is outside of the configured values, the fault action is a Disable & Coast function and
the STO Delay will NOT be used. This can be problematic as a Disable & Coast (Cat 0 Stop) function can cause
problems for loads with holding brakes. Take care to avoid faults during the Deceleration monitoring.



Figure 2.17 SS1-Monitored using Running Controller Action Source
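
The event ordering in the STO and SS1 bullet lists of Sections 2.3 and 2.4, as an added Python model that is not part of the white paper or of Rockwell Automation's tooling: it computes when torque is removed for STO, Timed SS1 and Monitored SS1, and flags configurations where that happens before the brake engage delay has finished. It assumes a linear deceleration ramp, no network or task reaction time, and Zero Speed and Standstill Speed expressed in the same speed units; StopConfig, timeline, SAMPLE and all numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StopConfig:
    # All values are constructed for illustration, not taken from the white paper.
    initial_speed: float       # speed when the request is made (user units/s)
    decel_rate: float          # assumed constant deceleration (user units/s^2)
    rated_speed: float         # motor rated speed (user units/s)
    zero_speed_pct: float      # Zero Speed, percent of rated speed
    zero_speed_time: float     # Zero Speed Time (s)
    brake_engage_delay: float  # MechanicalBrakeEngageDelay (s)
    sto_delay: float           # STO Delay (s)
    ss1_stop_delay: float      # SS1 Stop Delay (s)
    standstill_speed: float    # Standstill Speed (user units/s), Monitored SS1 only


def time_to_speed(cfg: StopConfig, target: float) -> float:
    """Seconds for the assumed linear ramp to fall from initial_speed to target."""
    return max(0.0, (cfg.initial_speed - target) / cfg.decel_rate)


def timeline(cfg: StopConfig, mode: str, ramp_fault_at: Optional[float] = None) -> dict:
    """Event times in seconds after the request, for mode 'STO', 'SS1-t' or 'SS1-m'.

    ramp_fault_at models a deceleration-monitoring fault in Monitored SS1: the
    fault action is Disable & Coast and the STO Delay is not used.
    """
    # Standard side: Zero Speed reached, then the brake output is cleared, then
    # PowerStructureEnabled is cleared once the brake engage delay has run.
    zero_speed = cfg.rated_speed * cfg.zero_speed_pct / 100.0
    t_zero = time_to_speed(cfg, zero_speed) + cfg.zero_speed_time
    t_disabled = t_zero + cfg.brake_engage_delay

    # Safety side: when the STO request is raised.
    if mode == "STO":
        t_sto_request = 0.0                 # STOOutput cleared by the safety program
    elif mode == "SS1-t":
        t_sto_request = cfg.ss1_stop_delay  # only the SS1 Stop Delay timer matters
    elif mode == "SS1-m":
        t_standstill = time_to_speed(cfg, cfg.standstill_speed)
        t_sto_request = min(cfg.ss1_stop_delay, t_standstill)
    else:
        raise ValueError(f"unknown mode: {mode}")

    t_torque_off = t_sto_request + cfg.sto_delay
    faulted = (mode == "SS1-m" and ramp_fault_at is not None
               and ramp_fault_at < t_sto_request)
    if faulted:
        t_torque_off = ramp_fault_at        # Cat 0 stop: no STO Delay

    t_disabled, t_torque_off = round(t_disabled, 3), round(t_torque_off, 3)
    return {
        "sto_request": None if faulted else round(t_sto_request, 3),
        "planned_disable": t_disabled,
        "torque_removed": t_torque_off,
        # True when torque stays available until the brake is engaged and the
        # power structure is disabled, i.e. the stop finishes as a Category 1 stop.
        "controlled_stop": t_disabled <= t_torque_off,
    }


# Constructed sample axis: running at 50 rev/s, stopping at 100 rev/s^2.
SAMPLE = StopConfig(initial_speed=50.0, decel_rate=100.0, rated_speed=100.0,
                    zero_speed_pct=1.0, zero_speed_time=0.01,
                    brake_engage_delay=0.10, sto_delay=0.20,
                    ss1_stop_delay=1.0, standstill_speed=1.0)

if __name__ == "__main__":
    for mode in ("STO", "SS1-t", "SS1-m"):
        print(mode, timeline(SAMPLE, mode))
    print("SS1-m with ramp fault", timeline(SAMPLE, "SS1-m", ramp_fault_at=0.3))
```

With the sample values, a 0.20 s STO Delay is too short for a direct STO request from 50 rev/s, while the same axis completes a controlled stop under either SS1 mode unless a deceleration-monitoring fault occurs.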

3 Controller Based Safety Functions


The GuardLogix drive safety instructions are all controller based safety functions. The instructions are
executed from the Safety program. These instructions are explained in detail in the GuardLogix Safety
Application Instruction Set manual, Chapter 3. For the purposes of this document, we are looking at how
using controller or drive based safety functions will affect performance and safety reaction time.

3.1.1 Monitored SS1 used with Controller Based Execution


Monitored SS1 is available in the Kinetix 5700 ERS4 and PowerFlex 755 S4. The controller based, Monitored
SS1 will use the SS1 and SFX instructions. The monitoring parameters of the Deceleration ramp are used from
the SS1 instruction and not from the Drive Module AOP Properties. The Deceleration ramp is monitored in
the GuardLogix Safety Program using the SS1 Instruction. The SFX will receive the motor speed and position
information from the drive and convert it to user units. The instruction is flexible in that it allows changes to
the deceleration parameters before the SS1 instruction is executed. The SS1 StandStillSpeed tag is evaluated
along with the FeedbackVelocity tag from the SFX instruction to initiate an STO Request.

Figure 3.1 SS1 instruction used for Controller Based Execution

Figure 3.2 Monitored SS1 sequence of Operation – Controller Based Safety Function

4 Drive Safety Instructions Performance Criteria
The controller based solution uses four components that are tied to the SFX instruction and Logic
scan timing. Since the SFX is used with all drive safety instructions, setting it optimally will improve
the performance of the instructions.

4.1 SFX – Safety Feedback Interface


The SFX instruction is used to provide a method of converting encoder counts into position units within
the Logix Safety task. The SFX will be used by the drive safety instructions to provide motor feedback
information inside the Safety Program.

Figure 4.1 SFX instruction example

Since the SFX is used in all drive safety instructions to provide feedback, the components that are used in
receiving ‘fresh’ data to the SFX instruction are important. Those components are:
• Safety Task Update period
• Safety Input RPI
• Velocity Average Time
• Safety Encoder Resolution

4.1.1 Safety Task Update Period
The safety task is a periodic task, so its logic is scanned at the periodic rate, which is 20ms by default.
The periodic rate can be set higher or lower depending on the number of programs and amount of logic in the
safety task and the controller being used. The lower the periodic rate, the more frequently this logic is scanned.

The watchdog should be set such that enough time is provided for the Safety Programs to scan completely
before the safety task is triggered again. The Safety Task Update Period is also the Safety Output RPI set in
the Drive Module Properties. The Safety Task interrupt timing is the same as using a standard task.

Generally, safety logic does not need to be prioritized in its scan over standard logic – which may contain
motion control logic. That is, safety logic typically does not require the same priority as the motion control
programs. Safety monitoring within the Safety Task will generally not require the frequent scan interval that
a motion program may require.

Setting the safety task periodic rate to a small value, for example 10ms, will make the safety logic scan
quickly, but that comes at a cost of leaving less time for the standard tasks to completely scan. Additional
guidance on setting the rate of a periodic task, and assigning a priority, can be found in the Logix 5000
Controllers Tasks, Programs, and Routines manual.

Figure 4.2 Safety Task Update Period

The Kinetix 5700 Primary Feedback makes new Position and Velocity Safety data available every 3ms.
The minimum period of the Safety Task and the Safety Input RPI should not be set below 3ms. Any value
less than 3ms will not produce a benefit because new safety data would not be available from the drive.

4.1.2 Safety Input RPI


Safety Input RPI is the interval at which new drive data is made available. The smaller this value, the more
frequently new data is made available. This value should not be set below the minimum drive feedback
rate of 3ms.

Figure 4.3 Safety Input RPI-Kinetix 5700 Drive AOP

10ms is often sufficient in providing the data required for safety logic control.

4.1.3 Velocity Average Filter Time
The velocity average time filter entry is found in the Drive AOP as part of the Primary Feedback settings.

Figure 4.4 Kinetix 5700 Drive AOP: Velocity Average Filter time parameter

The Velocity Average Time attribute is a moving-average window of time for which the velocity samples are
averaged. Large speed changes are avoided when velocity averaging is used. Smaller filter time values will
result in larger velocity deviations but the reaction time is faster. Larger filter time values will result
in smaller velocity deviation (smoother), but also adds more delay to the resulting velocity evaluation.
The reaction time is longer with larger filter time values.

Setting a larger value could be important if you are using the SLS function. A larger filter value would be used
to avoid large instantaneous velocity changes that would put the SFX velocity feedback outside the SLS
limits, since the larger filter smooths those changes out. A larger Average Velocity Filter time also
increases the reaction time.

A smaller filter time is important when, for example, the safety program is evaluating a
standstill speed (using the velocity feedback in the SFX) to initiate an STO function. If the filter is a
larger value (for example, 100ms), it will take longer for the SFX to update the actual motor velocity
(because of the filter delay), so it will take the safety program longer to determine that the standstill
speed has been met, which means the STO function initiation will be delayed. In this example,
a smaller reaction time (and indirectly, a smaller filter time) is important.

A typical value for the Average Velocity Filter is 30ms. Figure 4.5 shows how the Velocity Average Time value
affects the Velocity Resolution for a given feedback resolution. For more information on the Velocity Average
Filter time, see the Kinetix 5700 Safe Monitor Functions manual, Chapter 3.

Figure 4.5 Velocity Average Filter time and Velocity Resolution

The FeedbackVelocity tag in the Safety Input Assembly is a filtered value using the Velocity Average Time.
It is not an instantaneous feedback velocity like the motion’s Axis ActualVelocity value.

4.1.4 Feedback Resolution
The Primary Feedback’s Effective Resolution will impact the Velocity Feedback (Module:SI.FeedbackVelocity).
The Primary Feedback Resolution is based on the hardware characteristics of the feedback device. Generally,
the position will not be impacted, but the velocity resolution will be impacted. Higher Feedback Resolution
(12-bit resolution vs. 9-bit resolution) will allow the Average Velocity Filter time to be set smaller and achieve
the same results as having a lower feedback resolution and a larger Average Velocity Filter Time. Since the
filter time is smaller with higher resolution feedback devices, the reaction time will be shorter.
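
The filter-time and resolution trade-off from sections 4.1.3 and 4.1.4, as an added Python illustration (not Rockwell code and not the drive's actual algorithm): a simplified moving-average model run over a constructed linear deceleration ramp. The function names, the ramp values and the mapping of 9-bit/12-bit to 512/4096 counts per revolution are assumptions; the 3ms sample period and the 30ms and 100ms filter times come from the text.

```python
# Added illustration: simplified model of a moving-average velocity filter.
# Not the drive's algorithm; names and the ramp profile are assumptions.
from collections import deque

SAMPLE_MS = 3  # new safety feedback data every 3 ms (value from the text)


def velocity_resolution(counts_per_rev, filter_ms):
    """Smallest velocity step in rev/s: one encoder count over the window."""
    return 1000.0 / (counts_per_rev * filter_ms)


def standstill_delay_ms(counts_per_rev, filter_ms, start_rps=10.0,
                        ramp_ms=300, standstill_rps=0.5):
    """Time between the true speed and the filtered speed reaching the
    standstill threshold, for a constructed linear ramp to zero."""
    window = max(1, filter_ms // SAMPLE_MS)       # samples being averaged
    samples = deque(maxlen=window)
    position = 0.0                                # revolutions travelled
    last_count = 0
    true_hit = filt_hit = None
    for t in range(0, ramp_ms + 10 * filter_ms, SAMPLE_MS):
        speed = max(0.0, start_rps * (1 - t / ramp_ms))
        position += speed * SAMPLE_MS / 1000.0
        count = int(position * counts_per_rev)    # encoder quantization
        samples.append((count - last_count) / counts_per_rev
                       / (SAMPLE_MS / 1000.0))
        last_count = count
        filtered = sum(samples) / len(samples)
        if true_hit is None and speed <= standstill_rps:
            true_hit = t
        if (filt_hit is None and len(samples) == window
                and filtered <= standstill_rps):
            filt_hit = t
    return filt_hit - true_hit


if __name__ == "__main__":
    for filter_ms in (30, 100):
        print(f"{filter_ms} ms filter: standstill seen "
              f"{standstill_delay_ms(4096, filter_ms)} ms late, "
              f"step {velocity_resolution(4096, filter_ms):.4f} rev/s")
    # A 9-bit device needs an 8x longer window for the same velocity step.
    print(velocity_resolution(512, 240), velocity_resolution(4096, 30))
```

In this model the standstill decision, and therefore the STO request that depends on it, arrives later with the 100ms window than with the 30ms window, while the higher-resolution device reaches the same velocity step with a window one eighth as long.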

4.2 SFX Performance Factors


The SFX instruction is used to convert encoder pulses to user units. The SFX instruction is used by the drive
safety instructions. Below are some examples of how changing the configuration variables mentioned above
will change the performance of the Velocity Feedback and the Velocity Error.

Figure 4.6 Example showing how Velocity Average Filter Time impacts Velocity Feedback
(Blue Pen – Actual Velocity from motor, Red Pen – Safety Feedback Velocity)

Figure 4.7 Example showing how the Encoder Resolution impacts velocity feedback
(Pink Pen – Safety Velocity Feedback)

Figure 4.8 Effect of Changing the Safety Task Update time and its effect on Speed Feedback
(Yellow Pen – ActualVelocity feedback from motor, Red Pen – Safety Feedback Velocity)

5 Guidance on System Reaction Time
Now that we understand what is involved in evaluating drive and controller based safety functions, let’s
examine what criteria, or questions, are involved with each method and how the reaction time would change.

There are many factors that can be changed when accumulating the total reaction time. Some times are
fixed, such as the hardware times used for the I/O modules and Safety Devices (for example, a light curtain)
and we can estimate the Safety Time by using the Safety Task Period as a guideline. The motor (actuator)
stopping time depends on the deceleration profile used. This will vary depending on the load, its inertia and
the method used to stop and disable the motor.

Any time there is logic interaction between the standard program, the safety program, and the drive,
the reaction time is impacted. This is the case with using both drive and controller based safety functions.

An overview of what was covered:

Figure 5.1 Drive Based Execution vs. Controller Based safety functions for the SS1 function

The flexibility of custom programming needs to be balanced with the reaction times required to meet your
application needs.

Is the reaction time of the greatest importance when looking at the whole safety system?

Is the reaction time inconsequential to the time required to enter a safe zone tripped from a light curtain?

Does the application have to limit deceleration to a user defined ramp instead of using Stopping Torque,
which can be aggressive – but faster?

Are the monitored deceleration parameters changing with different parts – meaning they have to be modified
online while the program is executing?

Drive based safety functions with Connected Drive as the Action Source will require the smallest reaction
time. Controller based safety functions with Running Controller as the Action Source will generally require
the most reaction time.

As flexibility expands in the solution, the reaction times will generally become larger. Minimal program
interaction with the Motion Control Program and the Safety Program will result in the fastest reaction time.

Figure 5.2 Example showing Fastest Reaction Time vs Most Flexible Solution

In between the two use cases in Figure 5.2, there are several combinations that would generate fast reaction
times and flexibility that may suit your application.

For example, using a Monitored SS1 as a drive based safety function with the Safe Stopping Action of Running
Controller will allow a gradual deceleration ramp, which can help the application mechanics, while still
maintaining the drive based initiation of the STO function within the drive.

More interaction between the Safety Program, Standard Program and drive will increase the reaction
time. The reaction time will vary based on the Logix program, the controller used, and the drive AOP
configuration. The Safety Estimator tool can be used to help determine the total reaction time. This tool
can be found in the Safety Accelerator Toolkit.

Some additional things that can impact the reaction time, beyond the items already covered, are:

• Zero Speed/Standstill Speed Tolerance – The motor must have the smallest value that would allow the
fastest reaction time while still indicating a zero speed condition.

• If the motor does not use a holding brake, set the times associated with the holding brake to zero.
Additionally:

– The STO Delay does not need to include the brake times. The STO Delay needs to be set sufficiently so it
includes the time for the motor to reach zero speed and be disabled. Generally, extra time is not required
beyond that.

– The expiration of the STO Delay will remove the torque producing ability of the motor. Once this occurs,
the STO function will be complete. Set the STO Delay optimally to minimize the reaction time.

• If the motor is using a holding brake, set the engage time optimally based on the motor used. Refer to the
Vertical Load and Holding Brake Management application technique, Chapter 1 for the times used with
your motor.

• Machine axis count – As more axes are added to the application, the drive based safety function’s reaction
time will remain relatively fixed, while the controller based safety function would have to scan and execute
additional logic for the additional axes and control more motors. This means the reaction time could be longer.
Combining the execution types for different motors depending on the safety risk assessment will optimize
the reaction time.

• From a hardware standpoint, once a Kinetix 5700 drive identifies an STO request, the time for the drive to
remove torque, without STO Delay, is 10ms or less.

6 SS1 Program Example


The drive based SS1 safety function simply uses the SS1Request bit. The logic is a single rung that enables
the bit when an SS1 is required.

The following example shows an SS1 used as a controller based safety function with Running Controller
as the Action Source for both SS1 and STO operation. This example logic is attached to this document.

The SFX and SS1 logic is in the Safety Program, the Motion Instructions are in the Standard Program.

When the SS1 is Active (using the Axis pass through tag from the Safety Program), the sequence to initiate
the Stop and Disable is executed:

In this example, the MAS will drive the motor to zero speed. Once the MAS is complete (PC bit is ON), the
normal disable (MSF) will occur. Once the disable is complete, the STO is executed from the Safety Program.

Expanding human possibility, GuardLogix, Kinetix, PowerFlex, Rockwell Automation and Studio 5000 Logix Designer are trademarks of Rockwell Automation, Inc.
CIP and Ethernet/IP are trademarks of ODVA, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.

Publication SAFETY-AT175A-EN-P – June 2020


Copyright © 2020 Rockwell Automation, Inc. All Rights Reserved. Printed in USA.
