Vertical Load Best Practices
When applying servo drive products that have built-in Safe Torque Off inputs, there are some best practices to
keep in mind. All of this information is focused very narrowly on the protection of the machine from damage. It is
assumed for this document that a risk assessment has been performed for the safety of personnel.
This document also assumes that appropriate tuning has been applied. Tuning for vertical loads (or loads with
uneven static torque loading) differs from tuning for basic loads. Best practices for tuning vertical loads are covered in a
separate document.
Normal Operation
Sequence of Actions
The principal rule for applying Safe Torque Off at the drive is that it should never be done until after the axis has
stopped, the brake has been engaged, and the axis has been disabled.
The full sequence is shown here:
1. Safe access request (such as depressing an Emergency Stop or Safe Stop)
2. Begin timer until Safe Torque Off is applied
3. Detection by the drive using hardwired enable or by the controller using an MSF instruction
4. Deceleration to zero speed
5. Brake engaged
6. Drive disabled
7. Torque removed using Safe Torque Off inputs on drive
8. Access allowed
This procedure is very easy to follow with properly written code in fully guarded and locked safety
solutions. It is much more difficult with other safety strategies.
Guarded and Locked with Access Request
Before the doors are unlocked and access is granted to the cell, the operator must request that torque be removed
from the drives. That can be done at various stages of the machine. The sequence must stop the axis, apply the
brake, disable the axis, and only then remove torque. Removing torque sooner can lead to damage of the holding
brake in the motor. The simplest way to implement this type of control is through the use of a timer.
• In a GuardLogix safety system, use a timer instruction in the Safety Task between the entry request
  (Emergency Stop or Safe Stop button) and the actual removal of torque from the drives. During that time,
  the standard control can decelerate the axis, apply the brake, and disable the axis.
• With relays, use a configurable time delay relay such as the MSR138DP relay or the GuardMaster EMD
  relay to allow time for the axis to stop. Monitor the request status in the PLC (to command a controlled
  stop and disable) or use a hardwired enable input at the drive to perform that automatically.
• It is possible to use a GuardLogix controller and manage the delay using a hardwired delayed relay instead
  of the timer instruction. The explanation for why this would be done, and how it would be accomplished, is
  covered in the last section of this document.
Guarded but Unlocked with Sensing Only
If the doors are monitored but not locked while the axis is moving, this can lead to a very difficult reaction time and
safe distance calculation. Simply removing the torque as soon as the guard door is opened could lead to torque
being removed before the motor parking brake is engaged and the drive is disabled. This is not recommended.
A delay built in as described in the Guarded and Locked with Access Request case would need to be included in
the safe distance calculation. As an example, using a five second delay relay with this intention would lead to a
minimum distance over 10 meters between the axis and the door.
Unguarded
With safety solutions that are not fully guarded, the additional reaction time to stop the axis must be factored into
the safety reaction time and the safe distance calculations. The implementation of that type of solution is not the
focus of this document.
Brake Engage/Release Delays
It is important to set the axis attributes for MechanicalBrakeEngageDelay and MechanicalBrakeReleaseDelay to
appropriate values for the motor being used. The time set for each drive should be greater than or equal to the
times listed in the Rotary Motor Technical Data document (GMC-TD001). Those values can be set using the Actions
Parameter List in the AXIS_CIP_DRIVE user interface. They can also be adjusted using SSV instructions during
runtime.
Stop Actions
Also set using the Actions Parameter List are the stop actions the drive will use in different circumstances. Set the
following parameters for optimal performance:
• ProgrammedStopMode = Fast Disable
• Shutdown Action = Disable
• Stopping Action = Current Decel & Disable
• Stopping Torque = this should be configured for the highest stopping torque that the mechanics can
  sustain.
• Stopping Time Limit = this should be set to a value less than the request-to-access delay time.
If the hardwired enable input on the drive is wired, that will also need to be set on the Action Parameters Page
with the following setting:
• Enable Input Deactivated = StopDrive
Abnormal Operation
Potential Causes
There are some cases in which the Normal Operation sequence cannot be initiated. All of these conditions result
in the Safe Torque Off inputs of the drive going to the presumed safe state of "off" before the drive has come to a
stop and engaged the brake as defined by the Normal Operation sequence above. Some examples include:
• Catastrophic power loss including brake control power
  o Except in systems with dedicated cutover to backup generators, this cannot usually be ruled out
    by a risk assessment.
  o It is worth noting that a catastrophic power loss (such as the entire control cabinet) will cause the
    brake to engage as soon as there is insufficient power to keep the brake open. It is also worth noting
    that the drive will expend the stored energy in the DC bus to try to stop the axis; however, the success
    of that is dependent on the kinetic energy of the system when the power loss occurs.
• Power loss of any part of the safety circuit but not brake control power
  o This should be mitigated through the application of good wiring practices, properly selected
    circuit protection, and properly selected power supplies.
• Major fault on the safety controller (if used)
  o Every effort should be taken to prevent this from happening due to a misapplication of code.
    Protections against common controller faults (like divide by zero) should be implemented.
• Run-to-Program transition of the safety controller (if used)
  o Clearly defined procedures should be in place to prevent this from happening as part of normal
    operation.
• Safety Fault detected in the drive
  o These faults are exceptionally rare except in cases of wiring errors and electrical noise.
  o This cannot be ruled out completely and must be factored into safe distance calculations.
  o The drive will immediately go to Safe Torque Off in this case.
If any of these cannot be ruled out as part of the risk assessment and implementation, continue with the rest of
the document.
Calculating Fault Condition Falling Distance
The potential free-fall distance from rest is calculated by the equation:
$$\text{Distance} = 0.5 \times 9.81\ \frac{\text{m}}{\text{s}^2} \times (\text{Brake Action Time})^2$$
Where the Brake Action Time is the total time required for the drive to set the brake, including the internal
recognition of a Safe Torque Off demand and the mechanical transition time of the brake.
As an example, the Kinetix 6500 (with firmware revision 2.017 and beyond) has an internal reaction time
of up to 250 ms. The MPL-B540 motor has a brake engage delay time of up to 50 ms. This leads to a total
Brake Action Time of 300 ms, which corresponds to a fall of approximately 450 mm.
As another example, the Kinetix 5500 (with firmware revision 2.002 and beyond) has an internal reaction
time of up to 2 ms. The VPL-B063 motor has a brake engage delay time of up to 25 ms. This leads to a total
Brake Action Time of 27 ms, which corresponds to a fall of approximately 3.6 mm.
If the calculated distance for the specific application in question is greater than allowable, further techniques need
to be applied. Those are detailed through the rest of this document.
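The timing rules from the Brake Engage/Release Delays and Stop Actions sections and the fall-distance equation above can be checked together per axis. The following is an added example, not code from the original document or from the vendor; the field names, the 5 s delay, the 1 s Stopping Time Limit and the 10 mm allowable drop are assumptions, as is the rule that the delay must cover deceleration plus brake engagement.

```python
from __future__ import annotations
from dataclasses import dataclass

G = 9.81  # m/s^2, as in the page's free-fall equation


@dataclass
class AxisTiming:
    """Times in seconds. Field names are illustrative, not Logix attribute names."""
    sto_delay: float               # request-to-STO delay (safety timer or delay relay)
    stopping_time_limit: float     # configured Stopping Time Limit
    brake_engage_delay: float      # configured MechanicalBrakeEngageDelay
    datasheet_engage_delay: float  # brake engage time from the motor technical data
    drive_sto_reaction: float      # drive's internal Safe Torque Off reaction time
    allowable_fall_m: float        # allowable drop in metres (constructed input)


def fault_fall_distance(t: AxisTiming) -> float:
    """Free-fall distance from rest over the Brake Action Time, in metres."""
    brake_action_time = t.drive_sto_reaction + t.datasheet_engage_delay
    return 0.5 * G * brake_action_time ** 2


def check_axis(t: AxisTiming) -> list[str]:
    """Return the timing rules from the page that this axis violates."""
    findings = []
    if t.brake_engage_delay < t.datasheet_engage_delay:
        findings.append("brake engage delay below datasheet value")
    if t.stopping_time_limit >= t.sto_delay:
        findings.append("Stopping Time Limit not less than request-to-access delay")
    elif t.stopping_time_limit + t.brake_engage_delay > t.sto_delay:
        # Assumption: the delay must cover deceleration plus brake engagement.
        findings.append("torque can be removed before the brake has engaged")
    if fault_fall_distance(t) > t.allowable_fall_m:
        findings.append("fault-condition fall distance exceeds allowable drop")
    return findings


# Reaction and engage times are the page's two examples; the 5 s delay, 1 s
# Stopping Time Limit and 10 mm allowable drop are constructed sample values.
K6500_MPL_B540 = AxisTiming(5.0, 1.0, 0.050, 0.050, 0.250, 0.010)
K5500_VPL_B063 = AxisTiming(5.0, 1.0, 0.025, 0.025, 0.002, 0.010)

if __name__ == "__main__":
    for name, axis in [("K6500", K6500_MPL_B540), ("K5500", K5500_VPL_B063)]:
        print(name, f"{fault_fall_distance(axis) * 1000:.1f} mm", check_axis(axis))
```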
Techniques to Avoid Falling Loads
Mechanical Advantage
Use mechanical advantage of gear ratios wherever possible. By using gear ratios which prevent back-driving the
load through the gearbox, the load cannot fall once the servo stops motion. This is possible only when
speeds and efficiency requirements allow it. By the nature of this design, it will be limited by the speed
requirements of the load. It will also have lower energy efficiency in many cases.
Additional Safety Brake
The risk assessment shall determine whether an additional safety stopping brake or safety holding brake needs to
be implemented. The brakes within the motors are designed for holding only. If the brakes are applied while the
motor has too much stored mechanical energy, the brakes can shear and cause irreparable damage to the motor.
Though not specifically designed for applications where the load is moving, anecdotal evidence supports that the
motor holding brake can be used as a stopping brake a limited number of times without catastrophic failure. This
is not the intended design of the holding brake.
The additional safety brakes can be designed either to stop the load (such as the style used for elevator emergency
brakes) or simply provide another channel of holding. Typically stopping brakes will attach directly to the load and
its travel mechanism, while holding brakes are most economically applied through the gearbox. The risk
assessment must be the final determinant of the addition, location, and style of the brakes.
Interposing Relay
Use an Uninterruptible Power Supply (UPS) for the drive safety circuit, along with a delay relay. If using a
hardwired safety solution only, the only addition to the system would be the UPS for the safety circuitry power. If
using a GuardLogix safety solution, an interposing delay relay would be added between the distributed safety
outputs and the drive.
For this example with the MSR138.1DP relay, mind the following notes:
• V+ & V- are supplied from a power supply behind a UPS.
• The output labeled "K6500 Enable Input" can be omitted if the controller performs the stopping action
  during normal operation. All of the abnormal operation cases would cause the drive to attempt to stop
  during the delay time regardless of whether this input is wired.
• For a relay-only solution (without GuardLogix), the input wiring would change to match the input device.
  The output wiring would still apply.
The UPS would need a regular maintenance schedule, since there is a known lifespan limitation with commercially
available UPS devices. Another alternative to the UPS is to use a capacitor bank; however, that adds significant
engineering effort and a device that is not easily replaced. The recommendation is to use the UPS instead of a
custom engineered solution.