Safety by Design: Soft Safety, Safe PLC and Integrated Drive Technology

Safety by Design: Soft Safety(Safe PLC and Integrated Drive Safety)

CMA/Flodyne/HydradyneSafety by Design Technical Symposium 2010

April 13th-14th, 2010Gary Thrall, BRUS/ETC

2Electric Drives and Controls 2008-03-06; BRC/PRM3; J. Ost© Alle Rechte bei Bosch Rexroth AG, auch für den Fall von Schutzrechtsanmeldungen. Jede Verfügungsbefugnis, wie Kopier- und Weitergaberecht, bei uns.

Safety by Design - Drive for Technology Symposium 2010Standards

ChallengeNew Machine Directive 2006/42/EGChange of standards

- EN 954-1 is going to be replaced- Probabilistic approach- Functional Safety Management- Safety requirements for application

programmingSafety concept of all machines to be usedafter Nov 2011 needs to be revised

From the user standpoint

PFHSILPL

Validation & Verification

Software Testing

Safety Plan



How to avoid any hazard ?The European Machine Directive (MRL) requires

that the operation, set-up, maintenance of a machine does not lead to any hazardavoidance or minimization of the hazardadditional measures if the hazard can‘t be eliminatedinformation about the remaining risk

The machine builder has to prove that everything was done that has to be done


Safety by Design - Drive for Technology Symposium 2010

Harmonized European StandardsPresumption of conformity

- Fulfilling harmonized standards the machine builder can assume that the safety aspects of the machine directive are met

State of the Art- The manufacturer should be sure that the used measures /

technology are state of the art

Type AStandards

Type BStandards

Type CStandards

Basic Standards(Principles and Definitions for all Machines)

Type B1Superior Safety Aspects

Type B2Requirements for Safety Devices

Type CSpecific Requirementsfor specific machines

ISO 12100ISO 14121

EN 574Two-Hand

EN 418Emergency Stop

EN 61496-1Safety light curtains

EN 954ISO 13849 IEC 60204IEC 62061

PrintingEN 1010

Machine toolsEN 12417EN 12415EN 12478

PressesEN 692EN 693

PackagingEN 415



Change of Standards

EN ISO 13849-1

November 2011

EN 954-1

EN 61800-5-2

November 2006

November 2007

January 2006

IEC 61508

EN 62061

Valid Standard

Valid Standard Period 3 years

Valid Standard

Valid Standard

Valid Standard

invalid

Transition

Mac

hine

Bui

lder

Com

pone

nts

98/37/EG

January 2012

2006/42/EGEuropean Machine Directive



Change of Standards

Source: TÜV Rheinland

Technology

StandardsSafety on Machines


Technology


Technology



Change of Standards – Shortcomings of EN 954

Is not intended for complex and programmable electronic SystemsFailure Models are not adapted to complex electronic (µC, ASIC’s)Does not consider all aspects of the functional safety

- Failure avoidant safety measures- Avoidance and control of systematic failures- Documentation- Validation

Does not take the probability of dangerous failure into consideration- categorizes the structural design of safety relevant parts

(hardware) and their reliability and therefore the resistance against failures and the behavior in case of a failure only


Machine Builder


Process IndustryFactory Automation

EN ISO 13849-1EN ISO 13849-1

EN 954-1EN 954-1

EN 62061EN 62061

IEC 61508IEC 61508

DIN VDE 0801DIN VDE 0801

Safety of Machines(all technologies)

Electric, electronic and programmable electronic control systems (E/E/PES)

EN IEC 61511EN IEC 61511

Vendor

Invalid afterOct. 30th, 2011

C-StandardsEN 12417EN 12415EN 1010EN 415…..

C-StandardsEN 12417EN 12415EN 1010EN 415…..

Two competing standardsDoes this help building

machines safer?



Change of Standards

EN ISO 13849-1:2006

EN 954-1 IEC 61508

Deterministic Probabilistic

Proven Methods New Concepts

safety functionsrisk graphcategories (structure)

quantification: reliability and testing qualityfailures of common cause

+



What’s necessary to make a machine safe?

Risk

residual risk which is accepted by public

Inherent Process RiskChange of

Process Design

Additional Measures

SafetyInstrumented

System

Risk = Severity x Probability

EN ISO 13849-1:2006

EN 62061

IEC 61508EN 61800-5-2

The higher the contribution to risk reductionthe more resistant the safety function must be, that means the small probability of dangerous failure is allowed!

The higher the contribution to risk reductionthe more resistant the safety function must be, that means the small probability of dangerous failure is allowed!



-< 10-84

e>= 10-8 to 10-73

d>= 10-7 to 10-62

c>= 10-6 to 3 x 10-61

b>= 3 x 10-6 to 10-51

a>= 10-5 to 10-4-

Performance LevelPL

ISO 13849

Probability of dangerous failure per hour (1/h)

PFHd

Safety Integrity LevelSIL

IEC 61508IE

C 6

2061

ISO

138

49

Safety Software RequirementsMeasures for control and avoidance of systematic failures

Safety-related Parts of Control Systemof all Technologies

Simplified Estimation (worst case)regarding to:

HW Structure (Category like EN 954)Diagnostic Coverage (DC)

Reliability MTTFdFailure of Common Cause (CC)

electrical, electronic and programmable electronic control

Systems

calculation formula for subsystem architectures



Simplified V-model of software safety life-cycle (Annex J)General requirement: readable, understandable, testable, maintainable

SafetyFunctions

Specification

Safety relatedSoftware

specification

Systemdesign

ModuleDesign

Coding

Validation

IntegrationTesting

ModuleTesting

ValidatedSoftware

VerificationOutput

Validation

Verification SoftwareSpecification:- erroneous interpretation- avoiding gaps- precisely defining conditions- all the possible cases are handled- consistency tests- the different parameterizing cases- the reaction following a failure

Verification Coding:Programming Guide Lines


SafetyFunctions

Specification

Safety relatedSoftware

specification

Systemdesign

ModuleDesign

Coding

Validation

IntegrationTesting

ModuleTesting

ValidatedSoftware

Validation


Software Safety Requirements (Extract)PL c to e

- Software design– State diagram or program flow chart– Modular and structured programming– Function blocks of limited size of coding– Code execution inside FB should have one entry and one exit

point– Architecture: input –> processing -> output– Assignment of a safety output at only one program location– Techniques for detection of external failure and for defensive

programming– Safety related and non-safety related application Software shall

be coded in different function blocks with well-defined data links– No logical combination of non-safety and safety related data that

lead to downgrading of the integrity level (e.g. no OR allowed)



Harmonization of International Standards

EuropeNorth America

ISO 12100 / ISO 14121

IEC 61508

IEC 60204

IEC 62061

IEC 61800-5-2

ISO 13849-1OSHA

ANSI/PMMI B155.1ANSI B65.1

NFPA 79:2007etc.

Machine Directive

EN ISO 13849-1EN 62061EN 60204



Harmonization of International StandardsNFPA 79: 2007 (examples from Annex A)

- A9.2 Information on the safety-related aspects of control functions is under consideration within IEC 62061 and ISO 13849 (revision)

- A9.4.1 IEC 62061, ISO 13849-1, ISO 13849-2 and ANSI B11-TR4 give guidance on design according to the determined risk reduction in the risk assessment.

- A9.4.3.2 IEC 62061, ISO 13849-1, ISO 13849-2 provide requirements for the design of control systems incorporating the use of software- and firmware-based controllers to performing safety-related functions. IEC 61508 provides requirements for the design of software- and firmware-based safety controllers. IEC 61800-5-2 and IEC 61508 give guidance to the drive manufacturer on the design of drives intended to provide safety functions.



Harmonization of International StandardsNFPA 79:2007

- 9.2.5.4.1.4* Where a Category 0 or Category 1 stop is used for the emergency stop function, it shall have a circuitry design (including sensors, logic, and actuators) according to the relevant risk as required by Section 4.1 and 9.4.1. Final removal of power to the machine actuators shall be ensured and shall be by means of electromechanical components. Where relays are used to accomplish a Category 0 emergency stop function, they shall be non retentive relays.Exception: Drives, or solid state output devices, designed for safety-related functions shall be allowed to be the final switching element, when designed according to relevant safety standards

(Annex A refers to the European Standards)A.9.2.5.4.1.4 IEC 61508 and IEC 61800-2 - Designed for Safety

Without this design confirmation the system will still require the electromechanical means of final disconnect.



Harmonization of International StandardsANSI/PMMI B155.1

- This version of the standard has been harmonized with international (ISO) and European (EN) standards by the introduction of hazard identification and risk assessment as the principal method for analyzing hazards to personnel and achieving a level of acceptable risk. This version of the standard is a major revision that integrates the requirements of ISO 12100 parts 1 and 2, and ISO 14121, as well as U.S. standards. Suppliers meeting the requirements of ANSI/PMMI B155.1:2006 may simultaneously meet the requirements of these three ISO standards.

1)

1) Risk Scoring like ISO 13849may be used.



Harmonization of International StandardsANSI/PMMI B155.1

- 7.2.8 Programmable electronic systems (PES) used in safety functions

– 7.2.8.1 GeneralPES may include a programmable logic controller (PLC), servo motion controller, computer numerical control (CNC), personal computer, human-machinery interface (HMI) or programmable limit switch (PLS). American National Standard ANSI/PMMI B155.1-2006 Page 29. A PES can be applied to safety functions when the design and use of the system meets the requirement(s) of the risk assessment. The design measures of the PES shall be chosen so the safety related performance provides adequate risk reduction per ISO 13849-1, and meets the appropriate safety integrity level (SIL) per IEC 62061. The PES shall be installed and validated to ensure that the specified performance for each safety function has been achieved. See also SIL in IEC 61508-5, IEC TR 61508-0..



Harmonization of International StandardsANSI/RIA/ISO 10218-1-2007 (Robots for Industrial Environment –Safety Requirements) Part 1 – Robots

- In 2007, according to Roberta Nelson Shea, U.S. robot users may soon gain greater access to these and other emerging technologies. That will come with the approval by ANSI - the American National Standards Institute - of ISO 10218 Part 1, an international robot safety standard that was published last June by the International Organization for Standardization (ISO)...

- Approved by ANSI 8/17/2007 as ANSI, RIA, and ISO standard



Benefits of Harmonization of International StandardsEnd User

- Same standards for machines sourced worldwide coming into their plant

- Multi-nationals can use same standards for plants at locations worldwide

Machine builder- Same standards for users worldwide – reducing need for

design variantsEquipment and Component suppliers

- Same standards for users worldwide – reducing need for certification to different (and in the past sometimes conflicting) standards

All- Same methodologies defined by IEC-61508 to be used in

all industries and applications



Listed Testing Laboratories by the Occupational Safety and Health Administration (OSHA)

Standards approvable by NRTL

NRTLs listed by OSHA


Safety by Design - Drive for Technology Symposium 2010Integrated Safety on Levels of IndraMotion

ChallengeNew Machine Directive 2006/42/EGChange of standards

- EN 954-1 is going to be replaced- Probabilistic approach- Functional Safety Management- Safety requirements for application

programmingSafety concept of all machines to be usedafter Nov 2009 needs to be revised

From the user standpointChance

Make it right from the beginning. Upgrade it to state of the artModern safety technology offer advantages for machine builders and end usersInternational harmonized standards make global business easier since ANSI refers on newer IEC standardsUsing certified components makes life easier

PFHSILPL

Validation & Verification

Software Testing

Safety Plan



Safety on Board offers a simple and safe implementation of functional safety in accordance with safety standards and keeps the availability of the machine at the highest level

SafeLogic increases the flexibility of the safety application

SafeMotion raises the productivity of the machine

Control

Network

DriveAvoidance of unintended movement

Safe

Pro

cess

Flow

Con

trol

Safe

Dat

a

Tran

smis

sion

Safe

Mov

emen

t

Safe Processing

Safe Communication



Drive based Safety Functions

Safely monitored DecelerationSafe Torque OffSafe Operational StopSafe Stop 1Safe Stop 2Safely limited SpeedSafe Maximum SpeedSafely limited IncrementSafe DirectionSafely limited PositionSafe Position SwitchesSafe Homing ProcedureSafe Door LockingSafe I/O interface for Safety-PLCSafe Braking and Holding System


25Electric Drives and Controls 2008-03-08; BRC/PRM3; J. Ost


Safe Braking and Holding System – A New Milestone!

Fall protection on axes with gravity loadsWorld’s only onboard solution which complies with EN 954-1 Category 3Two independent brakes separately controlled and monitored by redundant, diverse channels in the driveEscalation strategy to protect the mechanical subsystemsApplications

PressesReel StandsLoading gantriesVertical guard doors…


3 principles are realized to detect latent failures

Dual channel data operation with diversityCross data comparison of safety related functionsDynamization of static modes


Safety On Board with IndraDrive

Dynamization


27Electric Drives and Controls 2007-11-05; BRC/PRM1; G. Kobs

IndraDrive Certificates – For global Business!


SIBE Certificate accepted by TÜV Rheinland- EN 954-1, ISO13849-1:1999

NRTL listing by TÜV Rheinland North America- NFPA 79, UL 508C, CAN/CSA C22.2,

ISO 13849-1:1999IEC 61508 certification by TÜV Rheinland and TÜV Rheinland of North America in work

- IEC 61508, IEC 61800-5-2, ISO 13849-1: 2006- with MPx06Vxx in 4Q/2008- S2, L2 control units

IndraDrive Mi and IndraDrive Cs with safety technology

- Expected availability: 2010



IndraDrive with Safety Functions – A Convincing Technology!

Safety Technology made by the experts having more than 8 years field experienceScalable Safety Functions minimize the potential of tampering and therefore reduce the hazard for injury caused by bypassing the safety measuresIncreased productivity by reducing downtimeOnline Testing (Failure Detection) during runtimeCost savings by reduction of external components and wiringMinimal Movement in case by detecting failures within 2msHigh reliability due to a encapsulated, certified solutionIndependent, whether wired, or with or without a safety PLC



Safety Functions“ASP“ used for E-Stop and “Stop/Locking“. (Machine stop synchronized by the virtual master axis) Safe Operational Stop when guards are openSafely limited speed in combination with safe direction for jogging forward and backward

Example Printing


Safe operational stop at printing cylinder for sleeve change

Safely limited speed for cylinder washing or jogging with open guards


“ASP“ used for E-Stop and “Stop/Locking“. (Machine stop synchronized by the virtual master axis)

Example Printing



Example printingSafe Mode:

- Safe Drive Interlock (ASP)- Safe Operational Stop (SBH)- Safely limited Speed (SBB)- Safely limited Speed with Safe Direction

Normal Operation:- Safe Maximum Speed

Tool plate could come offif centrifugal force becomes higher than magnetic force


connection to periphery

Safety by Design - Drive for Technology Symposium 2010Modern Safety Technology on Machines

Complexity

Flexibility

E30

E1

E1

also parameterizable, modular Safety Modules

E1

E1

E30

Safety-Field bus

Safety-Installation bus

A B C D



Directly Hooked up to the Drive (A)No-Safety PLCDoor interlock can be controlled by the driveConnection to periphery

Both channels discrete wired- Requires open-contactor and

antivalent signals (may require relays with ESPE, E-Stop, Enabling)

One channel via the command variable- Requires open-contactor (may require

relays with ESPE)Diagnosis

By reading drive parameterIn case of direct wiring of both channels extra wiring to the controller necessary for detailed information

A



Directly Hooked up to the Drive (A)

Discrete inputs allow multiple safety functionsASPOperation Mode (normally series connection of all safety devices which put the drive in SBHEnablingSB1 / SB2 switch

When to use?Small machine with limited safety functionsJust wiring and parameterization of the drive

A



Safety Modules (B)

E30

E1

E1


B

No-Safety PLCConnection to periphery

via Safety Modules- One channel direct wired- One channel via the command

variable(Parameterizeable) Safety Modules can offer the possibility to build groups (simple “AND” “OR”) at reduced wiring efforts

DiagnosisBy reading drive parameterSafety Modules offer diagnosis capabilities which might be linked to the standard control via field bus



Safety Modules (B)

E30

E1

E1


B

Discrete inputs allow multiple safety functions

ASPOperation Mode (normally series connection of all safety devices which put the drive in SBHEnablingSB1 / SB2 switch

When to use?Small machine with less complex safety functionsJust wiring and parameterization of the drive



Safety Modules (B) - Example

PNOZ

Euchner SK

K11

K12

K11

K21

K12

K22

Diagnosis &Dynamization

Master

Drive

EA20

n

EA30

E2n

Diagnosis &Dynamization-

Slave

Drive

EA20

n

EA30

E2n

PLC

qTür

_Arb

eits

raum

_ent

reie

gln

qDyn

am (E

A30

)

qAx_

SafO

pMod

eSw

itch

(E2)

K30

Load door

EA10

n

EA10

n

PNOZ

Euchner TZ

K21

K22

Work space door

qNor

mal

_ope

ratio

n



Safety Modules with limited logic processing functionality (C)

E1

E1

E30


C

Safety Controller with limited capabilities(Parameterizable) Safety Controller can offer some logic processing capabilitiesLimited number of I/Os

Connection to peripheryvia Safety Controller

- One channel direct wired- One channel via the command

variableInstallation bus reduces wiring efforts

DiagnosisBy reading drive parameterSafety Modules offer diagnosis capabilities which might be linked to the standard control via field bus



Safety Modules with limited logic processing functionality (C)

E1

E1

E30


C

Discrete inputs allow multiple safetyfunctions

ASPOperation Mode (normally series connection of all safety devices which put the drive in SBH)EnablingSB1 / SB2 switch

When to use?Machines with mid-range complexityWiring and parameterization of the drive and safety processing unit



Safety Modules with some logic processing functionality (C)

Euchner TP3 PLC

+24V


Master

IndraDrive

qDoo

r_Lo

ck

iAx_

Saf

Ctrl

Out

putS

tate

(A10

)

qDyn

amiz

atio

n(E

A30

)

EA

20n

EA

10

qAx_

Saf

OpM

odeS

witc

h (E

2)

EA

30

E2n

+24V


Slave

IndraDrive

EA

20n

EA

10

EA

30

E2n


Slave

IndraDrive

EA

20n

EA

10

EA

30

E2n

PNOZMulti-A1

i0 i1 i2 o4

i5 i6 i4i3 o0

Example for a drive group

+24V

L1



9 pin ribbon cable Special connector kit for

going over from standard wiringto 9 pin ribbon cable

Hardwiring from safety relays to 9 pin ribbon cableEase of use by

crimp connectorsEase of diagnostics by

24Volt signalsStandard wiring

Simple wiring recommendations for drive groups



Safety Modules with some logic processing functionality (C)



AS-iSafety

Monitor

AS-iSafety

Monitor

iEStopiProtection_Area_not_IOiEnable

qDynamization

EA30

E1n

E2n

E3n

IndraDrive

EA30

E1n

E2n

E3n

IndraDrive

EA30

E1n

E2n

E3n

IndraDrive

EA30

E1n

E2n

E3n

IndraDrive

PLC

EStop

ProtectionArea I/O

Enable AS-iSafety

Monitor

Con

sent

Sicherer AS-i Slave

Door 1 Door 2 Door nEStop

Sicherer AS-i Slave

Sicherer AS-i Slave

Sicherer AS-i Slave



Programmable Safety Control (D)

Safety-Field bus

D

Programmable Safety ControllerFlexible (IEC61131-1) programming

- FBs- OEM libraries

“unlimited” number of I/OsConnection to periphery

Safety-I/O- Built-in diagnosis

Safety Field bus- Standard, Safety-I/O and Drive on one

field bus- reduces wiring efforts

DiagnosisImplicit diagnosis of the Safety-I/Os within the standard diagnosis



Programmable Safety Control (D)

Safety-Field bus

D

Safety-Field bus allows unlimited safety functions

Boolean Control and Status BitsFeedback and Command valuesDrive as I/O unit

When to use?Machines with higher complexityCommon powerful diagnosisCommon engineeringProgramming of safety functions(instead of wiring)



Why a Safety-PLC is not enough!However

- Many machines can be done without a Safety-PLC- Bosch Rexroth can offer real safe motion which is the key to

increase the productivity and safety, since the operator can do his job, he does not get hindered and motivated to tamper the safety measures.

- There are alternative concepts possible even with a competitors PLC

Our competitors may offer a Safety-PLC- But they can’t offer safe drives which provide more than a

safe stop or standstill- There is no alternative available

Bosch Rexroth is on it’s way to offer an integrated Safety-Control for all system solutions and all platforms



Why Safe Logic Processing?

Machine Operators

Cleaners

Service

Complex machines withMultiple access areasMultiple safety zonesMultiple operation panels

Fine-scaled safety functionsEscalated reaction rather than always shutting down

Safety Levels regarding the authorization Levels of

Machine operatorMaintenance peopleCleanersService

VersatilityModular machine designTailored to customer preferences

MaintenancePersonnel


SafetyControl


Failure detectionMinimizing the residual risk

WiringCost cutting of hardware and soft costs

InterfacesReduction of interfaces and minimizing the data exchange and programming effort

AvailabilityIntegration of the drive based safety functions in the overall engineering (diagnosis)

ValidationEffort reduction by using certified functions

StandardControl

Discrete SignalsLimit safety Functions

Additional Data Exchange

SafeMotionSafeMotionSafeMotionSafeMotion

Traditional Solutions offer Potential for Improvements

Auto Set-upAuto Set-up

DifferentEngineering Tools

++-

SafetyIO

StandardIO



One certified automation system

Standard + Safety

SafeMotionSafeMotionSafeMotionSafeMotion

One certified communication system

Standard + Safety

One certified engineering system

Standard + Safety

Certified FBs to represent the drive based safety functions in the PLC

Certified FBs for analysis of the safety periphery

Data exchange between motion and safety on system level

Integrated Solutions – Standard and Safety merge together

Auto Set-upAuto Set-up

++-

StandardIO

SafetyIO

SafetyControl

StandardControl

SafeLogicSafeLogic

SI

SI

MC


Inline

IndraControl V

IndraWorksEngineering

IndraControl L

IndraDyn IndraDyn

Inline


Flexible connection of all components via one single network

StandardControlIODrives

SafetyControlIODrives

One-cable Safety-NetworkSERCOS safety

Consistent Engineering with IndraWorks

Safety Control

Safety Drive

Safety I/O

SafeLogicSafeLogicSafeLogicSafeLogic

Integration of 3rd party componentsPROFIsafe

IndraDrive



Logic Motion

IEC61131-3

Safety

Logic Motion

IEC 61131-3

Safety

SafeLogic – Just added when needed!

Safety Function Module converts standard controller into a safety controller

Optional extendible (can be upgraded later)No interference (constant cycle times, standard program and safety program have no influence on each other)

Seamless engineering and diagnostics in the standard control contextNo need for synchronization interfaces between the safety controller and the standard controller

HardwareApplications program



Working Principle

Safety Integrity gets ensured by the communication end-points (producer – consumer) independently of the transmission network (Black Channel)

Use of the interfaces of the standard control- SERCOS III

- PROFIBUS

- PROFInet

CPUStandardControl

SIII

DPS

1

2

S

I/O

1

1 2

I/O

1 2

SS

SS

SS

2

1 2

Black ChannelBlack Channel

on SERCOS III


Safety Function Module for PC-and embedded controls

Safe networking between SERCOS networks using SERCOS safety C2CSafety sensor/actuator peripherals attached to

Inline local bus,

SERCOSPROFIBUS/PROFInet

Safety-I/O scaleable for SIL2 and SIL3 applications


Seamless Safety Topology – Homogenous and Open!

SERCOS safety

PROFIsafeIndraDrivePROFIsafe

IndraDriveSERCOS safety

Local busInline

Safety-I/O

Safety-Function module

EmbeddedControl

PCControl

SERCOS safety C2C

SIL2 SIL3

SIL2 SIL3

SIL2 SIL3



SERCOS safety – CIP Safety on SERCOS

Agreement between ODVA and SI, that SERCOS safety uses the CIP SafetyTM

technology to safeguard the data transmission

SERCOS safety V2.0 is

CIP Safety on SERCOSAdaptation of SERCOS to CIP SafetySERCOS specific safety profiles in accordance with the basic CIP Safety Profiles

BRC implements SERCOS safety on SERCOS III

SERCOS III SERCOS II

SERCOSadaptation to CIP Safety

CIP Safety

SEROCS safetyProfiles

CIP SafetyProfiles

Supported by:


SafetyManager contains everything to

Plan

Parameterize and

Program

the safety projectFull seamless integration with the standard tool

Same look and feelComprehensive diagnostics

Systematic safety integrity features built into the tool

User managementPLCopen Safety compliance


IndraWorks - Easy, Safe and Compliant Engineering!

SafetyManager

EditorKonfiguratorLibs

IndraWorks


“Graphical Programming“Analogous to the discrete wiring of conventional safety switching devices

Certified Function Blocks comparable to safety switching devices

The user can confine the verification according to the verification & validation plan at system integrationFunction Blocks are available as certified components


Principles



IndraWorks SafetyManager

Standard PLC

Safety-Function-Module

Safety-Program

Safety-IO

Safety-Viewer

Safety-Editor



SafeLogic – Functional Safety Flexible Programmed!

Lower Total Cost of Ownership from planning to operationOne communication medium for standard and safety technology, for I/O, Logic and DrivesSIL2, SIL3 scalabilityOptionally extendable, even later onMakes additional safety components (restart inhibits, two hand control, door locking, …) obsoleteCertified

Absence of interference between Safety and Standard Streamlines validationProvides constant cycle times

Easy Programming according to standardsOne common and consistent toolGraphical „wiring“ of certified FBsIntegration of the drive based safety technology into the safety application program at the bestIntegrated measures to avoid systematic failures

Integrated SolutionFor all systems and all platforms



SafeMotionSafe Braking and Holding SystemMarket leader, every fourth axis with safety functions ordered19 certified safety functionsFailure detection within 2 ms

SafeLogicOptional and independent from the standard controlFully integrated, everything on one cable, standard and safetyNo interference between Standard and Safety (cycle time, validation)Multi-Master: SERCOS safety and PROFIsafe

I/OScaleable in accordance to different requirement Levels (SIL)locally or distributed on PROFIBUS or SERCOSSIL2 roughly 40% cheaper than SIL3

EngineeringCommon tool for standard and safety applicationCertified Safety FBsIntegration of the drive based safety functions at the best



SafeMotion Drive BasedSafety Technology

SafeLogic SIL3 I/O

SafeLogic Safety-Function-Module

SafeLogic Safety-IO-Converter

SafeLogicIW SafetyManager


Safety by Design - Drive for Technology Symposium 2010Integrated Safety

RiskUnwanted motion or hazardous work- arounds of safety interlocks to recover from machine jams?

Mitigation Bosch Rexroth Motion on BoardSafe Stop andSafe Motion.