Encoders for Safety Related Applications

HEIDENHAIN offers encoders that can be used in safety-related applications. These encoders operate as single-encoder systems with purely serial data transmission via EnDat 2.2. Reliable transmission of the position is based on two independently generated absolute position values and on error bits. These are then provided to the safe control. In addition to rotary encoders with different mounting options, absolute sealed linear encoders are also available. Absolute angle encoders round out HEIDENHAIN’s product program for functional safety.

Safety is becoming increasingly important in machine and plant construction. Proof of this can be seen in new legislation and in the heightened safety regulations of national and international standards. These high requirements mainly serve to protect human beings, but material assets and the environment are also receiving more consideration.

The goal of functional safety is to minimize or even eliminate risks that can occur during normal or impaired operation of machines or facilities. This is achieved primarily with redundant systems. For example, axes that are moved in safety-related applications require redundant position information in order to perform the corresponding safety functions. Various system configurations can be realized in order to capture independent position values. One possibility is the use of two encoders per axis. In many cases, however, a more economical solution requiring only one position encoder is preferred. Until now, analog encoders with sine and cosine signals were used for this. HEIDENHAIN offers a purely serial, single encoder solution for safety-related position measuring systems in safety-oriented applications in accordance with EN 61 508 and EN 13 849. This means that safety applications can now take advantage of all the benefits of serial data transfer, such as optimization of costs, diagnostic possibilities, automatic commissioning and rapid formation of the position value.

Safety-related position measuring systems

HEIDENHAIN measuring systems for safety-related applications are tested for compliance with EN ISO 13 849-1 (successor to EN 954-1) as well as EN 61 508 and EN 61 800-5-2. These standards describe the assessment of safety-related systems, for example based on the failure probabilities of integrated components and subsystems. This modular approach helps the manufacturers of safety-related systems to implement their complete systems, because they can begin with subsystems that have already been qualified. Safety-related position measuring systems with purely serial data transmission via EnDat 2.2 accommodate this technique. In a safe drive, the safety related position measuring system is such a subsystem. A safety-related position measuring system consists of:

  • Encoder with EnDat 2.2 transmission component
  • Data transfer line with EnDat 2.2 communication and HEIDENHAIN cable
  • EnDat 2.2 receiver component with monitoring function (EnDat master) In practice, the complete “safe servo drive” system consists of:
  • Safety-related position measuring system
  • Safety-related control (including EnDat master with monitoring functions)
  • Power stage with motor power cable and drive
  • Physical connection between encoder and drive (e.g. rotor/stator connection)

In addition to the safety-related position measuring systems with EnDat 2.2 interface, HEIDENHAIN also offers safety-related encoder solutions for applications with DRIVE-CLiQ1) interface. For details, please refer to the respective product documentation. Upon request HEIDENHAIN can provide additional data about the individual products (failure rate, fault model as per 61 800-5-2, D16) for the use of standard encoders (e.g. with 1 VPP output signals) in safety-related applications. 1) DRIVE-CLiQ is a registered trademark of the SIEMENS Corporation.

Field of application

Safety-related position measuring systems from HEIDENHAIN are designed so that they can be used as single-encoder systems in applications with control category SIL-2 (according to EN 61 508), performance level “d”, category 3 (according to EN ISO 13 849).

Additional measures in the control make it possible to use certain encoders for applications up to SIL-3, PL “e”, category 4. The suitability of these encoders is indicated appropriately in the documentation (catalogs / product information sheets). The functions of the safety-related position measuring system can be used for the following safety tasks in the complete system (also see EN 61 800-5-2):

Function

The safety strategy of the position measuring system is based on two mutually independent position values and additional error bits produced in the encoder and transmitted over the EnDat 2.2 protocol to the EnDat master. The EnDat master assumes various monitoring functions with which errors in the encoder and during transmission can be revealed. The two position values are then compared. The EnDat master then makes the data available to the safe control. The control periodically tests the safety-related position measuring system to monitor its correct operation.

The architecture of the EnDat 2.2 protocol makes it possible to process all safety relevant information and control mechanisms during unconstrained controller operation. This is possible because the safety-relevant information is saved in the additional information. According to EN 61 508, the architecture of the position measuring system is regarded as a single-channel tested system.

Documentation on the integration of the position measuring system

The intended use of position measuring systems places demands on the control, the machine designer, the installation technician, service, etc. The necessary information is provided in the documentation for the position measuring systems. In order to be able to implement a position measuring system in a safety-related application, a suitable control is required. The control assumes the fundamental task of communicating with the encoder and safely evaluating the encoder data. The requirements for integrating the EnDat master with monitoring functions in the safe control are described in the HEIDENHAIN document 533095. It contains, for example, specifications on the evaluation and processing of position values and error bits, and on electrical connection and cyclic tests of position measuring systems. Document 1000344 describes additional measures that make it possible to use suitable encoders for applications up to SIL-3, PL “e”, category 4.

Machine and plant manufacturers need not attend to these details. These functions must be provided by the control. Product information sheets, catalogs and mounting instructions provide information to aid the selection of a suitable encoder. The product information sheets and catalogs contain general data on function and application of the encoders as well as specifications and permissible ambient conditions. The mounting instructions provide detailed information on installing the encoders.

The architecture of the safety system and the diagnostic possibilities of the control may call for further requirements. For example, the operating instructions of the control must explicitly state whether fault exclusion is required for the loosening of the mechanical connection between the encoder and the drive. The machine designer is obliged to inform the installation technician and service technicians, for example, of the resulting requirements (see also information under “Safety-related characteristic values”).

Safety-related characteristic values

Additional parameters, as described below, become relevant for the use of position measuring systems in safety-oriented applications. These parameters are to be complied with when designing the safety system of a machine.

The Probability of Dangerous Failure per Hour (PFH value) indicates the probability of a hazardous encoder failure per hour. The failure rate of the encoder is included in the calculation of the PFH value for the complete system.

The error reaction time in the application depends mainly on the cycle times of the safety module in the control and the connected actuators (brake, contactors, etc.). In addition, application-specific settings (e.g. EnDat clock frequency) can influence this value. For this reason, the error reaction time indicated in the control documentation should be referred to.

The safe position describes the maximum possible position offset of the encoder until safe fault detection is ensured. The characteristic value refers to the position value 1 in fault-free operation and is given in the encoder’s unit of measure. It significantly influences the minimum distance required to provide protection from pinching (e.g. of fingers). The safe position is divided into the values for the encoder and for the mechanical coupling.

The value for the encoder describes the maximum position offset including the influence of the position value comparison in the control (algorithm according to document 536402). Besides quantization errors, it also includes any position deviations occurring in the encoder. Depending on the control and the application, the characteristic value safety-relevant measuring step (SM) may also be relevant for the parameterization of the safety function. The control documentation includes a corresponding note in such cases.

The characteristic value mechanical coupling provides information in case of the “loosening of the mechanical connection” fault. Table D16 of the standard for electrical drives, EN 61 800-5-2, defines the loss or loosening of the mechanical connection between the encoder and drive as a fault that requires consideration. Since it cannot be guaranteed that the control will detect such errors, in many cases the possibility of a fault must be eliminated. If fault exclusion is required in the control’s operating instructions, the information for the safe mechanical connection is to be taken into account. Otherwise it can be ignored.

For a friction-type connection with fault exclusion there is no additional mechanical offset that would need to be considered for the safe position.

If the fault exclusion is fulfilled only by a mechanical stop with backlash, this maximum possible offset is to be calculated into the safe position. This is done by adding the values for the encoder and for the mechanical coupling.

Important note! Fault exclusion can be connected with constraints on the permissible specifications. This is to be considered for the selection of a suitable encoder or type of mounting. In addition, fault exclusions for the loss or loosening of the mechanical coupling usually require additional measures when mounting the encoders or in the event of servicing (e.g. anti-rotation lock for screws) that are not necessary in standard applications. The design engineer of a machine must strictly adhere to these additional measures

 

Please note the following documents: Adhere to the information in the following documents to ensure the correct and intended operation of an encoder:

  • Product Information / Catalog and Mounting Instructions of safety-related position measuring systems

For implementation in a control:

  • Specification for Safe Control 533095
  • Supplementary Specification for SIL 3, PL “e”, Cat. 4 1000344
  • EnDat Interface Description 297403
  • Electrical Connection Directive 231929
  • Requirements for Position Value Comparison 536402