Application Example with iCube Safety, ASM-7, and SLIO Safety Modules
| Version Number | Description |
|---|---|
| 1.0 | Application Example with iCube Safety, ASM-7, and SLIO Safety Modules |
1. Supported Components
| Component Name | Version |
|---|---|
| iC9200 series | ≥ 2024.3 |
| iCube Engineer | ≥ 2024.3 |
2. Solution details
2.1 Introduction
This document describes how to implement (2) safety sub-functions for a conceptual machine tool system in which iCube is integrated with ASM-7 and SLIO safety I/O modules. These safety sub-functions are designed to achieve the required risk reduction for the system described in this document and hazards which were identified in a prior risk assessment.
- Safe Speed Limit: Based on SLS and is used to monitor reduced speed operation of the system and reduce risk of injury due to hazardous motion (e.g. impact, crushing, etc.).
- Emergency Stop: Uses SS1-t to perform a Stop Category 1, which will de-energize the motion system following a time delay in which the motor is decelerated by the iCube standard PLC.
There are multiple axes in this system which can generate hazardous motion; for simplicity, this application note focuses on how to implement these safety functions on (1) Sigma-7 axis equipped with an ASM-7 module. Those concepts can be applied to additional axes as needed.
2.2 Related Documents & Resources
Manuals
- Sigma-7 400V Advanced Safety Module ASM-7 Product Manual (SIEPYEUOS7S0)
- Application Manual Advanced Safety Module for Sigma-7-Series SERVOPACKs (SIEP YEUOS7S 02A)
- Sigma-7 SERVOPACK with 400V input power and EtherCAT (CoE) Communications References FT_EX Specification for Advanced Safety Module Product Manual (SIEPS80000230)
- SLIO Safe Digital Input and Safe Digital Output Module Operating manual (HB300E_SM-S_02x-1SD10_23-20)
- SLIO EtherCAT Interface Module Manual (HB300E_IM_053-1EC01_21-10)
eLearning Videos
2.3 Safety Precautions
This application note has been prepared for use by persons who are experienced with the integration, commissioning, and testing of safety related control systems which involve servo drives, multi-axis controllers, sensors, and other similar equipment.
Documentation for products used in this application note, including operating manuals and safety manuals, must be read and understood. This document is not intended as a substitute for Yaskawa manuals and does not supersede any precautions or prohibitions made within Yaskawa product documentation.
All precautions and prohibitions in Yaskawa product documentation must be read and understood by the user.
It is the user’s responsibility to confirm that the Yaskawa products and the safety functions described in this application note are suitable for their application.
It is the user’s responsibility to confirm conformity with any standards, code, or regulations that apply if the Yaskawa product is used in combination with any other products.
2.4 Scope
This application note covers topics related to the implementation and commissioning of the safety related parts of the control system (SRP/CS), including:
- ASM-7 parameter configuration with the Advanced Safety Module Parameter Editor
- Creating iCube project
- Configuring FSoE addresses and other safety related device parameters
- Mapping Safety PLC variables to relevant process data items
- Details of requesting, monitoring, and returning from the ASM-7’s safety functions.
Other phases of the safety lifecycle, such as the risk assessment and design of the SRP/CS, shown in Figure 1, are assumed to have been completed previously and are not addressed here.
Please refer to Yaskawa documentation listed in the Related Documents & Resources section for further information regarding use of the Yaskawa products included in this application note.
Figure 1 - Risk Reduction Process (Simplified)
2.5 Description of Example Machine
The system shown below is a multi-axis machine tool system which uses the following Yaskawa products:
- iCube FSoE Controller
- Sigma-7 Servopacks with ASM-7
- SLIO safe and non-safe I/Os
Figure 2 - Example Machine System
There are (4) axes of motion in this system: (3) linear which provide motion in XYZ and (1) for rotary. The (3) linear axes are the sources of hazardous motion and are equipped with ASM-7 cards to provide the system’s safe motion functions.
Protective barriers enclose the system on (3) sides. Operators are allowed to approach from (1) side which is protected by a light curtain. When workers are inside of the area protected by the light curtain, the system will operate at a safety limited speed in order to allow operation to continue while reducing risk of injury to nearby workers who are involved with maintenance, setting/teaching, cleaning, or troubleshooting. Once the light curtain is broken, the system will operate at the reduced speed until the main reset, located outside of the protected area by the machine, is pressed. For the purposes of this document, it is assumed that the customer has taken appropriate measures to prevent reset while a worker is inside of the light curtain.
Emergency stop buttons are located at the main operator panel and also on the system within the protective barriers. When pressed, the E-Stop will trigger a stop category 1 controlled stop on the servo axes, in which the servos are decelerated and then de-energized. The controlled stop is used in this system to allow the axes with limited travel to decelerate without running into the mechanical limits, as opposed to coasting (stop category 0).
All safety functions that are used by this system will use monitoring functions in the ASM-7, SS1-t and SLS. These safety functions do not control the deceleration or speed; this control will be performed by the iCube standard PLC.
2.6 Safety System Diagram
Figure 3 - Safety System Line Diagram
2.7 Safety Application Implementation Process
The process of implementing the safety application described by this document is shown below, in particular the ASM-7 and iCube Safety PLC configuration.
Additional setup, such as configuring & tuning the servo, programming of the standard PLC, etc. may be required to allow proper verification and validation testing of the safety system and is not covered in this document. While this area of work is shown in Figure 4 as occurring before the ASM-7 configuration, some aspects of this work (e.g. creating the iCube project, programming the standard PLC, etc.) may be done at different times in this process.
Figure 4 - Safety Application Implementation Process
2.8 ASM Parameter Editor
This section describes the parameters which need to be set for the ASM-7 in the Advanced Safety Module Parameter Editor to implement the functionality described in this application note. Listed below are the locations in Yaskawa documentation which have detailed instructions about how to use the Advanced Safety Module Parameter Editor.
- Ch. 9 of Sigma-7 400V Advanced Safety Module ASM-7 Product Manual (SIEPYEUOS7S01)
- Ch. 3 of Application Manual Advanced Safety Module for Sigma-7-Series SERVOPACKs (SIEP YEUOS7S 02A)
The “General Device Parameters”, shown in Table 1, is where properties of the ASM-7 card such as the FSoE address and serial number are found. This is also where a description of the project can be written.
| Location | Parameter | Value |
|---|---|---|
| General Device Parameters | Project Description | modify as needed |
| | Will the Advanced Safety Module be connected to an FSoE Master? | Yes |
| | FSoE Address | 0x0001 |
| | Advanced Safety Module Serial Number | D021XO978610020 |
Table 1 - General Device Parameters
Basic definitions of the encoder and motor used with the ASM-7 are defined in the “Motor and Encoder Parameters” screen, for example motor type (rotary or linear), motor encoder usage (incremental or absolute), whether the axis is linear or rotary, label for the position units, etc. It is important that the servopack parameters defined via SigmaWin and/or iCube Engineer match the settings here, otherwise an A.EC1 alarm may occur.
Combined with the User Unit Parameters, the settings shown in Table 2 will define the axis as linear with millimeters as the position unit.
| Location | Parameter | Value |
|---|---|---|
| Motor and Encoder Parameters | Basic Application | Linear Application |
| | Motor/Encoder Type | SGM7J-***7* |
| | Motor Type | Rotary Motor |
| | Motor Maximum Speed (rpm) | 6000 |
| | Motor Encoder Usage | Absolute Single-turn |
| | Motor Direction | Forward |
| | Encoder Deviation (mm) | 10 |
| | Encoder Deviation Windows (ms) | 100 |
| | Position Units | mm |
| | External Encoder | None or not used for safety |
| | User Units Input Mode | Enter the user units directly |
Table 2 - Motor and Encoder Parameters
The parameters shown in Table 3 for the “User Units” screen will configure the ASM-7’s units to mm, mm/s, and m/s2 with a 10mm/rev ballscrew.
Note: The Numerator values are 20-bit values as opposed to the 24-bit resolution supported by the Sigma-7 motors. The ASM-7 uses 20-bit resolution for all safe position, velocity, and acceleration values, including limits.
| Location | Parameter | Value |
|---|---|---|
| User Units | Numerator Position | 1048576 |
| | Denominator Position | 10 |
| | Numerator Velocity | 1048576 |
| | Denominator Velocity | 10 |
| | Numerator Acceleration | 1048576 |
| | Denominator Acceleration | 1000 |
| | Position Units | mm/s |
| | Speed/Velocity Units | mm/s |
| | Acceleration Units | m/s2 |
Table 3 - User Units
The I/O Configuration settings in Table 4 are intended to provide some spare digital output and input channels for the application, if needed. All of these spare digital output/inputs are 2-channel. The digital outputs are set with 2ms test pulses. The digital input settings include a 10ms Filter Time to filter out test pulses or spurious transitions, and also a 20ms Discrepancy Time to allow for debounce, delay between the 2 channels, etc.
| Location | Parameter | Value |
|---|---|---|
| I/O Configuration | Port A Function | Digital Output |
| | Port A Test Pulse Length (ms) | 2 |
| | Port B Function | Digital Output |
| | Port B Test Pulse Length (ms) | 2 |
| | Port C Function | Digital Input |
| | Port C Filter Time (ms) | 10 |
| | Port C Discrepancy Time | 20 |
Table 4 - I/O Configuration
The Safe Stop 1 (Time Controlled) safety function (SS1-t) is configured for Slot 1 and provides a 500ms time delay between when the SS1-t function is requested and when the motor is de-energized with an STO. The function is activated by Virtual Input 0, and reports that it is in a Safe State (i.e. STO) with Virtual Output 0. Note that the SS1-t safety function only monitors time and does not decelerate the motor; control of the motor’s deceleration is to be done by the iCube standard PLC (e.g. MC_Stop, MC_GroupStop, etc.).
| Location | Parameter | Value |
|---|---|---|
| Slot 1 Parameters | Safety Function | SS1-t |
| | Activation Input | Virtual Input 0 |
| | Output Signal Type | Virtual Output 0 |
| | Output Signal Behavior | HIGH during safe state |
| | Monitoring time t2 (ms) | 500 |
Table 5 - Slot 1 Parameters
Slot #2 is configured with the Safe Limited Speed (SLS) safety function and the parameters in Table 6 are intended to provide an “instantaneous” safe speed limit, for simplicity. This is done by setting the waiting times t1 and t2 to 0s, so that Speed Limit s2 becomes active when the SLS function is requested. Virtual Input 1 is used to request the safety function and Virtual Output 1 reports when the safety function is operating.
The SLS function also allows an error reaction to be configured which would be used, for example, in a case where the active SLS limits are exceeded. In this application the SS1-t function is used for the SLS error reaction to allow a stop category 1 to be performed if an error occurs.
| Location | Parameter | Value |
|---|---|---|
| Slot 2 Parameters | Safety Function | SLS |
| | Activation Input | Virtual Input 1 |
| | Output Signal Type | Virtual Output 1 |
| | Output Signal Behavior | HIGH during operation |
| | Waiting time t1 (ms) | 0 |
| | Speed limit s1 (mm/s) | 10000 |
| | Waiting time t2 (ms) | 0 |
| | Speed limit s2 (mm/s) | 100 |
Table 6 - Slot 2 Parameters
Slot #3 is configured with the SS1-t function which will be used as the Slot 2 error reaction. Virtual Output 2 reports when the motor is in a safe state (STO) and a 500ms time delay is used to allow time for the motor to be decelerated (e.g. by the iCube standard PLC).
| Location | Parameter | Value |
|---|---|---|
| Slot 3 Parameters | Safety Function | SS1-t |
| | Activation Input | Limit Violation Slot 1 |
| | Output Signal Type | Virtual Output 2 |
| | Output Signal Behavior | HIGH during safe state |
| | Monitoring time t2 (ms) | 500 |
Table 7 - Slot 3 Parameters
2.8 iCube Engineer Parameters
The tables in this section provide all parameters which need to be changed in a new iCube Engineer project to implement the application described in this document. Please refer to the iCube Engineer help as well as the SLIO Safe Digital Input and Safe Digital Output Module Operating manual (HB300E_SM-S_02x-1SD10_23-20).
After creating a new iCube Engineer project for the iCube controller (iC9226M-FSoE), the range of allowed IP addresses as well as the actual IP address of the iCube controller are set through the parameters shown in Table 8. Please note that the table below shows default values; be sure to use the iCube’s actual IP address and that the Start/End IP addresses use the correct subnet (if other than 192.168.1.1).
| Location | Parameter | Value |
|---|---|---|
| Project > Settings > IPSubnet | Start IP Address | 192.168.1.1 |
| | End IP Address | 192.168.1.254 |
| ic9226M-FSOE > Settings > Ethernet | IP address | 192.168.1.1 |
Table 8 - iCube IP Address Settings
Set the FSoE Safety Address for the ASM-7 to the same value used in the Advanced Safety Module Parameter editor. This is the only parameter for the ASM-7 which needs to be set in iCube Engineer.
| Location | Parameter | Value |
|---|---|---|
| Servo > ASM-7 > Safety Parameters | FSoE Safety Address | 1 |
Table 9 - ASM-7 FSoE Safety Address
Units for the ASM-7 axis are configured in iCube and will match the User Units which were set up in the Advanced Safety Module Parameter Editor (millimeters). Table 10 shows the parameter values to use.
| Location | Parameter | Value |
|---|---|---|
| Motion Axes -> AXIS1 -> Configuration | Motor Type | Rotary |
| | Load Type | Linear |
| | Motor Input Revs | 1 |
| | Load Output Revs | 1 |
| | Feed Constant | 10 |
Table 10 - Axis Configuration
Add I/O modules to the SliceBus as shown in Table 11. This will configure (1) each of standard digital input and standard digital output, and also (1) each of safe digital input and safe digital output.
| Location | Parameter | Value |
|---|---|---|
| SliceBus > Module List | Module #1 | DI 8xDC24V (021-1BF00) |
| | Module #2 | DO 8xDC24V 0.5A (022-1BF00) |
| | Module #3 | DI 4xDC24V Safety (021-1SD10) |
| | Module #4 | DO 4xDC24V 0.5A Safety (022-1SD10) |
Table 11 - SliceBus Modules
The SliceBus safe digital input module, di-2, will be used with the Emergency Stop button located on the main control panel as well as with the light curtain. Table 12 shows the parameter values to use for this safe digital input module:
- FSoE Device Address needs to match the actual address set via dip switches on the safe digital input module
- Each of these devices will use dual channel inputs and a Discrepancy Timeout of 30ms will be used; this timeout is based on the switching characteristics of the (2) contacts on the Emergency Stop buttons.
- Test pulses are deactivated for the digital input channels 0 & 1 which are connected to the light curtain, because the light curtain’s outputs already provide test pulses.
- For input channels 2 & 3, which handle the Emergency Stop Button, the test pulses are enabled because the Emergency Stop button only has dry contact outputs and does not provide test pulses.
- Input filters are set to 6ms to allow for potentially long test pulses (e.g. >2 ms)
- Behavior After Channel Errors is set to “Passivate the affected channel” to prevent the entire module from being passivated if an error occurs on one channel and allow continued operation as allowed by the safety application.
| Location | Parameter | Value |
|---|---|---|
| SliceBus > di-2 > Safety Parameters | FSoE Device Address | 2 |
| | Ch0,1: Input Evaluation | 2 channel |
| | Ch0,1: Test Pulse Activation | deactivated |
| | Ch2,3: Input Evaluation | 2 channel |
| | Ch2,3: Test Pulse Activation | activated |
| | Behavior after Channel Errors | Passivate the affected channel |
| | Ch0,1: Input Signal Smoothing | 6 |
| | Ch0,1: Discrepancy Timeout (ms) | 30 |
| | Ch2,3: Input Signal Smoothing | 6 |
| | Ch2,3: Discrepancy Timeout (ms) | 30 |
Table 12 - SliceBus Safe Digital Input Module Parameters
The SliceBus safe digital output module is used for spare digital outputs in this application and is configured using the settings in Table 13.
- FSoE Device Address needs to match the actual address set via dip switches on the safe digital output module
- All digital input channels are set for single channel mode (instead of dual channel), for simplicity
- Test Pulse length is set to 3ms for all channels for simplicity; this will allow SLIO digital outputs to be looped back to safe digital input channels as needed (3ms is minimum test pulse time allowed for this).
| Location | Parameter | Value |
|---|---|---|
| SliceBus > do-2 > Safety Parameters | FSoE Device Address | 3 |
| | Ch0,1: Activation Mode | 1 channel |
| | Ch2,3: Activation Mode | 1 channel |
| | Ch0: Test Pulse Length [us]: | 3ms |
| | Ch1: Test Pulse Length [us]: | 3ms |
| | Ch2: Test Pulse Length [us]: | 3ms |
| | Ch3: Test Pulse Length [us]: | 3ms |
Table 13 - SliceBus Safe Digital Output Module Parameters
The safe digital input module installed on the SLIO bus coupler will be used for spare input channels. Some initial settings are provided in Table 14, though they can be modified as needed:
- FSoE Device Address needs to match the actual address set via dip switches on the safe digital input module
- All input channels are configured for single channel evaluation
- Input signal smoothing is set to 6 ms to enable loopbacks from safe digital outputs
- Discrepancy timeout is not used in single channel mode
| Location | Parameter | Value |
|---|---|---|
| SLIO Bus Coupler > | FSoE Device Address | 4 |
| | Ch0,1: Input Evaluation | 1 channel |
| | Ch0,1: Test Pulse Activation | deactivated |
| | Ch2,3: Input Evaluation | 1 channel |
| | Ch2,3: Test Pulse Activation | activated |
| | Behavior after Channel Errors | Passivate the affected channel |
| | Ch0,1: Input Signal Smoothing | 6 |
| | Ch0,1: Discrepancy Timeout (ms) | 30 |
| | Ch2,3: Input Signal Smoothing | 6 |
| | Ch2,3: Discrepancy Timeout (ms) | 30 |
Table 14 - Bus Coupler Safe Digital Input Module Parameters
The safe digital output module on the bus coupler is available for use as spare output channels. Some initial settings are provided in Table 15, though they can be modified as needed:
- FSoE Device Address needs to match the actual address set via dip switches on the safe digital output module
- All output channels are set for
- Ch 0 & 1 are configured as a single channel output, looped back to a dual channel safe digital input on the SliceBus, and used to simulate a light curtain’s dual channel outputs
- Ch 2 & 3 are configured as a single channel output
- Test pulse length on all channels is set to 3ms to allow loopback wiring from safe digital outputs to safe digital inputs.
| Location | Parameter | Value |
|---|---|---|
| SLIO Bus Coupler > do-2 > Safety Parameters | FSoE Device Address | 5 |
| | Ch0,1: Activation Mode | 1 channel |
| | Ch2,3: Activation Mode | 1 channel |
| | Ch0: Test Pulse Length [us]: | 3ms |
| | Ch1: Test Pulse Length [us]: | 3ms |
| | Ch2: Test Pulse Length [us]: | 3ms |
| | Ch3: Test Pulse Length [us]: | 3ms |
Table 15 - Bus Coupler Safe Digital Output Module Parameters
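The FSoE addresses, filter times and limits in Tables 1 to 15 are entered in two separate tools and on DIP switches, and they have to agree with each other. The following is an added example (not Yaskawa code and not part of either tool) that cross-checks the values copied from those tables; the dictionary layout and the function names are assumptions made for illustration.

```python
# Added example: cross-check of values copied from Tables 1-15 of this note.
# The dictionary layout and all function names are hypothetical.
TABLE_VALUES = {
    "asm_editor_fsoe_addr": 0x0001,               # Table 1 (ASM Parameter Editor)
    "fsoe_addr": {                                # iCube Engineer, Tables 9, 12-15
        "ASM-7": 1, "SliceBus di-2": 2, "SliceBus do-2": 3,
        "Coupler di-2": 4, "Coupler do-2": 5,
    },
    "mm_per_rev": 10,                             # Table 3 / feed constant, Table 10
    "motor_max_rpm": 6000,                        # Table 2
    "sls_s1_mm_s": 10000, "sls_s2_mm_s": 100,     # Table 6
    "do_test_pulse_ms": 3,                        # Tables 13, 15
    "di_smoothing_ms": 6,                         # Tables 12, 14
    "ss1t_t2_ms": {"slot 1": 500, "slot 3": 500}, # Tables 5, 7
    "max_stop_time_ms": 500,                      # Tables 17, 18
}


def mm_s_to_rpm(speed_mm_s, mm_per_rev):
    """Convert a linear speed at the load to motor rpm (1:1 gearing, Table 10)."""
    return speed_mm_s / mm_per_rev * 60


def check_config(cfg):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    addrs = cfg["fsoe_addr"]
    if addrs["ASM-7"] != cfg["asm_editor_fsoe_addr"]:
        findings.append("ASM-7 FSoE address differs between Parameter Editor "
                        "and iCube Engineer")
    seen = {}
    for device, addr in addrs.items():
        if addr in seen:
            findings.append(f"FSoE address {addr} used by both {seen[addr]} "
                            f"and {device}")
        seen.setdefault(addr, device)
    # A looped-back output's test pulse must be shorter than the input filter,
    # otherwise the pulse is evaluated as a real signal change.
    if cfg["do_test_pulse_ms"] >= cfg["di_smoothing_ms"]:
        findings.append("DO test pulse is not shorter than DI input smoothing")
    for slot, t2 in cfg["ss1t_t2_ms"].items():
        if t2 > cfg["max_stop_time_ms"]:
            findings.append(f"SS1-t t2 of {slot} exceeds the allowed stopping time")
    # s2 is the limit that becomes active at once (t1 = t2 = 0); a value at or
    # above the motor's maximum speed would never restrict the axis.
    s2_rpm = mm_s_to_rpm(cfg["sls_s2_mm_s"], cfg["mm_per_rev"])
    if s2_rpm >= cfg["motor_max_rpm"]:
        findings.append("SLS limit s2 is at or above motor maximum speed")
    return findings


if __name__ == "__main__":
    for line in check_config(TABLE_VALUES) or ["no findings"]:
        print(line)
```

With the table values the list of findings is empty. Speed limit s1 converts to 60000 rpm, ten times the 6000 rpm motor maximum, so only s2 (600 rpm) restricts the axis.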
2.9 Safety PLC Variable Mapping
Table 16 shows how the Process Data Items from each device are mapped to Safety PLC variables and how they are used by the application. Suggested names of Safety PLC variables are shown for convenience and can be modified by the user as needed.
Create the Safety PLC variables for the Process Data items shown below. Variables can be created in the Data Lists for each safety device:
- iCube controller (ic9226M-FSoE)
- Safety devices (e.g. ASM-7, safe DI, safe DO, etc.)
| Device | Process Data Item | Safety PLC Variable | Description |
|---|---|---|---|
| SLIO Coupler | slio-3 / di-2 / DI0 | SPARE_DI_0 | Spare safe digital input |
| SLIO Coupler | slio-3 / do-2 / DO0 | PRESENCE_DETECTED_SIM_CH1 | Loopback to SliceBus DI0, for simulating presence detected |
| SLIO Coupler | slio-3 / do-2 / DO1 | PRESENCE_DETECTED_SIM_CH2 | Loopback to SliceBus DI1, for simulating presence detected |
| SliceBus | di-2 / DI0 | PRESENCE_DETECTED_LC | Operator presence detected (2-channel) |
| SliceBus | di-2 / DI1 | reserved | reserved |
| SliceBus | di-2 / DI2 | ESTOP | Emergency Stop (2-channel) |
| SliceBus | di-2 / DI3 | reserved | reserved |
| SliceBus | do-2 / DO0 | SPARE_DO_0 | Spare safe digital output |
| SliceBus | di-1 / DI0 | RESET_BUTTON | Reset button signal |
| ASM-7 | servo-1 / module-1 / Virtual Input 0 | SERVO_SS1t_REQ | Request for SS1t safety function |
| ASM-7 | servo-1 / module-1 / Virtual Input 1 | SERVO_SLS_REQ | Request for SLS safety function |
| ASM-7 | servo-1 / module-1 / Virtual Output 0 | SERVO_SS1t_SAFE_STATE | SS1t function in safe state |
| ASM-7 | servo-1 / module-1 / Virtual Output 1 | SERVO_SLS_OPERATING | SLS function is operating |
| ASM-7 | servo-1 / module-1 / Virtual Output 2 | SERVO_SLS_ERRORSAFESTATE | SLS error reaction stop function is in safe state |
| ASM-7 | servo-1 / module-1 / SF_1 | SERVO_SLOT_1_FAULT | Fault has occurred with function assigned to slot 1 |
| ASM-7 | servo-1 / module-1 / SF_2 | SERVO_SLS_FAULT | Fault has occurred with SLS function |
| ASM-7 | servo-1 / module-1 / SF_3 | SERVO_SLOT_3_FAULT | Fault has occurred with function assigned to slot 3 |
| ASM-7 | servo-1 / module-1 / FSoE Error | SERVO_FSOE_ERROR | FSoE error indication |
| ASM-7 | servo-1 / module-1 / FSoE Error Ack | SERVO_FSOE_ERROR_ACK | Acknowledgement of FSoE error (from iCube) |
Table 16 - Safety PLC Variable Map
2.10 Controlled Stop Related Code
2.11 Safe Speed Limit Code
2.12 Reset Code
3. Appendix
3.1 Safety Function Requirements
The requirements of the Emergency Stop and Safe Speed limit safety sub-functions are found below in Table 17 & Table 18.
| Item | Description |
|---|---|
| Safety Sub-function Name | Emergency Stop |
| Description | The Emergency Stop sub-function will stop and prevent hazardous motion by performing a controlled stop (Stop Category 1) with the SS1-t safety function |
| Trigger Event | Pressing the Emergency Stop button will trigger the Emergency Stop sub-function |
| Safe State | Servos are de-energized and at rest |
| Reaction Initiated | Stop hazardous motion with a controlled stop (category 1) |
| Response Time | The maximum allowed stopping time is 500ms |
| Operating Mode(s) | The Emergency Stop sub-function will be available in all of the system’s operating modes |
| System Interfaces | SS1-t Request: ASM-7 Virtual Input 0 |
| Fault Reaction | The Emergency Stop sub-function does not include an error reaction |
| Priority | HWBB state caused by another safety function will cause this function to also enter HWBB state |
| Restart Requirements | Prior to the system being ready for a restart, all detected faults must be cleared and the Emergency Stop button(s) must be released |
Table 17 - Emergency Stop Sub-function Definition
| Item | Description |
|---|---|
| Safety Sub-function Name | Safe Speed Limit |
| Description | The Safe Speed Limiting sub-function will monitor the motor speed to ensure that speed limits are not exceeded. This sub-function will be used to limit the motor's operating speed to a level which allows operators to avoid hazardous mechanisms and also to limit the severity of impact |
| Trigger Event | The Safe Speed Limiting sub-function is activated when the system's ESPE (e.g. light curtain, safety laser scanner, pressure mat, etc.) detects operator presence |
| Safe State | Servo motor is operating within allowed speed limits |
| Reaction Initiated | Stop hazardous motion with a controlled stop (SS1-t) |
| Response Time | The maximum allowed stopping time is 500ms |
| Operating Mode(s) | The Safe Limited Speed sub-function will be available in the system's Automatic and Manual operating modes. |
| System Interfaces | SLS Request: ASM-7 Virtual Input 1 |
| Fault Reaction | When a fault (e.g. speed limit exceeded) is detected while this sub-function is operating, the SS1-t function will be executed and the ASM-7 will indicate when the motor is in a safe state with Virtual Output 2 |
| Priority | HWBB state caused by another safety function will cause this function to also enter HWBB state |
| Restart Requirements | To return to normal operation during either deceleration monitoring or constant speed monitoring, disable the SLS Request by disabling Virtual Input 1. |
Table 18 - Safe Speed Limit Sub-function Definition
3.2 Safety Function Timing Diagrams
Timing diagrams for the SLS and SS1-t based safety sub-functions described in this document are shown in Figure 5 and Figure 6 and include details about:
- Requesting the safety function
- Monitoring the safety function’s status
- Reactions to errors which occur
- Returning from the safety function
Figure 5 - Timing Diagram for SS1-t
Figure 6 - SLS with SS1-t Timing Diagram
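The request, monitoring, error reaction and return behaviour specified in Tables 5 to 7, 17 and 18 can be exercised offline with a small time-stepped model. This is an added example, not Yaskawa code and not the Safety PLC program of this application note; the class and function names are hypothetical, the reset logic is an assumption, and `True` stands for "pressed / detected / requested" regardless of the real signal polarity.

```python
# Added example: time-stepped model of the behaviour in Tables 5-7, 17 and 18.
# FSoE transport and the ASM-7's internal diagnostics are not modelled.
SS1T_T2_MS = 500     # Tables 5 and 7: monitoring time t2
SLS_S2_MM_S = 100    # Table 6: speed limit s2, active at once since t1 = t2 = 0


class Ss1t:
    """SS1-t slot: only times the delay, then reports the safe state (STO)."""

    def __init__(self):
        self.elapsed_ms = None          # None while the function is not requested

    def step(self, request, dt_ms):
        if not request:
            self.elapsed_ms = None
            return False
        self.elapsed_ms = 0 if self.elapsed_ms is None else self.elapsed_ms + dt_ms
        return self.elapsed_ms >= SS1T_T2_MS


class SafetyModel:
    def __init__(self):
        self.slot1, self.slot3 = Ss1t(), Ss1t()   # E-stop stop, SLS error reaction
        self.stop_latch = self.sls_latch = self.violation = False
        self.prev_reset = False

    def step(self, estop, presence, reset, speed_mm_s, dt_ms=1):
        # Safety PLC part: requests latch and are released only by a rising
        # edge of RESET_BUTTON once the triggering input is back to normal
        # (assumed reset logic, not taken from the page).
        self.stop_latch = self.stop_latch or estop
        self.sls_latch = self.sls_latch or presence
        if reset and not self.prev_reset:
            self.stop_latch, self.sls_latch = estop, presence
            self.violation = False      # re-trips below if still over the limit
        self.prev_reset = reset
        # ASM-7 part: slot 2 monitors speed, slot 3 is its error reaction.
        if self.sls_latch and abs(speed_mm_s) > SLS_S2_MM_S:
            self.violation = True
        return {
            "SERVO_SS1t_REQ": self.stop_latch,
            "SERVO_SLS_REQ": self.sls_latch,
            "SERVO_SS1t_SAFE_STATE": self.slot1.step(self.stop_latch, dt_ms),
            "SERVO_SLS_OPERATING": self.sls_latch,
            "SERVO_SLS_ERRORSAFESTATE": self.slot3.step(self.violation, dt_ms),
        }


def time_to_high(signal, limit_ms=2000, **inputs):
    """Milliseconds until `signal` first goes high with constant inputs, else None."""
    model = SafetyModel()
    args = {"estop": False, "presence": False, "reset": False, "speed_mm_s": 0.0}
    args.update(inputs)
    for t_ms in range(limit_ms + 1):
        if model.step(**args)[signal]:
            return t_ms
    return None


if __name__ == "__main__":
    print("E-stop to STO:", time_to_high("SERVO_SS1t_SAFE_STATE", estop=True), "ms")
    print("SLS violation to STO:",
          time_to_high("SERVO_SLS_ERRORSAFESTATE", presence=True, speed_mm_s=150), "ms")
```

The model shows that the safe state is reported only after t2 has elapsed, so any deceleration commanded by the standard PLC has to finish within that window.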