New Thinking in Machinery Safeguarding Strategy
by Jeff Fryman, Director, Standards Development
Robotic Industries Association
Posted 02/18/2002
I recently had the opportunity to speak at the 2nd International Conference on Safety of Industrial Automated Systems. This was an excellent chance to learn of new developments and trends in the international marketplace. Held in Bonn, Germany, this was the second in a series. The next conference is scheduled for 2003 in Paris. The following is the paper I presented to the conference.
Recent developments in standardization have brought into focus the safeguarding strategies necessary for the safety of workers employed in using automated machinery. Interestingly, these developments are occurring on multiple fronts. As additional 'normalization' is achieved worldwide, these new strategies will extend further than ever, and affect more people and the installation of automated machinery.
Risk Assessment, as suggested by ISO 12100, is playing a larger than ever role in determining the safety of machinery. In the United States, we have adopted a new revision to the Robot Safety Standard, ANSI/RIA R15.06-1999. This updated standard now has an entire section on risk assessment and methodology, as well as specific guidelines for safeguarding robotic systems.
Looking at a typical risk assessment model, the requirement to explore the limits of the machine and answer the question 'Is the machine safe?' can present some unique challenges in robotics. Robots provide for 'flexible' automation, and thus are highly configurable machines that have unique capabilities. All must be appropriately safeguarded. Most of our 'answers' are found in existing literature, but mandating them in the standard is new.
One of the most unique aspects of a robot is its multiple axes and large motion envelope or work space. This large space gives the robot its flexibility, but also creates a significant hazard to personnel, particularly if the robot is handling a large work piece. This entire hazard area must be protected. That can be expensive, both in protective devices, and plant floor real estate. Thus, the standard requires that a 'Restricted Space' be created by the installation of limiting devices. These limiting devices must function 'outside' the robot task or operating program. This restricted space is intended to be a smaller space and be more easily safeguarded.
The specific requirements are that the primary axis (the one with the greatest displacement motion) has provision for an adjustable mechanical stop, and the next two axes of greatest displacement motion have provisions for mounting adjustable mechanical or non-mechanical limiting devices. This is a requirement placed on the manufacturer, to ensure that the user has the capability to comply with the standard. The user must create the restricted space by installing limiting devices: hard stops on the primary axis, and stops or devices which signal a stop on the second and third axes. It is desirable that these devices be adjustable, meaning that the space limitation may be changed as necessary.
Unique to robotics is singularity, a condition caused by the collinear alignment of two or more robot axes resulting in unpredictable robot motion and velocities. Though potentially undesirable at any time, singularity becomes a specific hazard during the task of teaching (programming) the robot.
Singularity refers to a position in space where the robot arm has an unlimited number of 'correct' options to move from its current position to its next position in space. Though most manufacturers include algorithms to provide a single 'correct' response to singularity, the resultant motion of the robot arm through multiple axes may well exceed the safe 'slow speed' limit even while the tool center point remains stationary.
This condition is particularly hazardous to the teacher, who is tasked to be inside the safeguarded space of the robot, with robot motion enabled. His primary safeguard is his 'single point of control', i.e. the robot teach pendant. Advancing the robot through the point of singularity results in potentially unexpected motion of the robot arm, which is not otherwise 'controlled' by the pendant.
The requirement to the manufacturer is to cause the robot to stop prior to correcting for the singularity, to notify the operator that a singularity condition exists, and to require a specific response from the operator before continuing. This is a requirement only in the teach mode, and is meant to warn the teacher of the condition, and to allow him to teach a new point, or move out of harm's way before continuing the robot motion.
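The stop, notify and acknowledge sequence described above can be sketched as follows. This is an added example, not code from the standard or from any robot controller; the roll-pitch-roll wrist model (axes 4 and 6 collinear at q5 = 0), the joint-rate limit and the `TeachModeGate` class are assumptions made for illustration.

```python
import math

SLOW_JOINT_LIMIT = 0.5  # rad/s; constructed teach-mode joint-rate limit (assumption)

def wrist_joint_rates(q4, q5, omega):
    """Joint rates (dq4, dq5, dq6) of a roll-pitch-roll wrist that give the tool
    angular velocity omega = (wx, wy, wz). Axes 4 and 6 are collinear at q5 = 0."""
    wx, wy, wz = omega
    s5 = math.sin(q5)
    if abs(s5) < 1e-9:
        return None  # exactly singular: no unique set of joint rates
    dq5 = -wx * math.sin(q4) + wy * math.cos(q4)
    dq6 = (wx * math.cos(q4) + wy * math.sin(q4)) / s5
    dq4 = wz - dq6 * math.cos(q5)
    return dq4, dq5, dq6

class TeachModeGate:
    """Stop, notify, then wait for the operator before moving through a singularity."""
    def __init__(self, teach_mode=True):
        self.teach_mode = teach_mode
        self.held = False          # stopped and waiting for the operator
        self.acknowledged = False  # operator has responded for this singularity
        self.messages = []         # notifications shown on the pendant

    def request_move(self, q4, q5, omega):
        """Decide one jog step: returns 'MOVE' or 'STOP'."""
        if self.held:
            return "STOP"
        rates = wrist_joint_rates(q4, q5, omega)
        too_fast = rates is None or max(abs(r) for r in rates) > SLOW_JOINT_LIMIT
        if not too_fast:
            self.acknowledged = False  # clear of the singularity: re-arm the gate
            return "MOVE"
        if self.teach_mode and not self.acknowledged:
            self.held = True
            self.messages.append("Singularity ahead: acknowledge to continue")
            return "STOP"
        return "MOVE"

    def acknowledge(self):
        """The operator's specific response; motion may continue afterwards."""
        if self.held:
            self.held, self.acknowledged = False, True
```

With q5 at 1 degree, a tool rotation of only 0.1 rad/s about a stationary wrist center already demands more than 5 rad/s from joints 4 and 6, which is the motion the teacher cannot anticipate from the pendant alone.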
Enabling devices certainly are not new, but what is new is the better understanding of how people react to stressful or unexpected events. We have had the 'dead-man' switch concept for many years. The problem with that two-position design is that it can truly be a dead man switch.
Studies have shown that people react differently to situations. The safety intent of an enabling device is to protect a person by allowing them to 'enable' a hazardous action such as robot motion. The safety comes from 'disabling' the hazard when it presents an impending harm to the person being protected. The classic two-position (on-off) switch design protects only when released, i.e. if the person holding the switch lets go. Studies and anecdotal information indicate that many people hold tighter (death grip) rather than releasing their hold on something, particularly if that something is supposed to protect them. The three-position (off-on-off) switch thus protects the holder in either reaction.
A key element in implementing the three-position enabling device is that it be an ergonomically proper installation. This requires that the center-on position be easy to determine and comfortable to maintain. To date, the best installations have involved a slide switch pulling against differently tensioned spring positions. The middle position is pulling against light spring pressure, where the spring will return the switch to the off position when released. The middle position is also then resting on a much stronger spring that will compress to the off position when squeezed by the holder. Surveys of users have reported a general satisfaction and no problems with this type of installation.
Safety Controls Circuitry
Perhaps the best safeguarding we can provide an individual is to design a system where they are not exposed to any hazards. Sound challenging? Yes, but achievable. Success lies in removing any incentive for the individual to 'short-cut' the safety we design into automated machinery systems.
One such design is the provision for two types of machine stops, the safety-stop and the emergency-stop. Each stop has a distinct function. This is why the ANSI/RIA R15.06-1999 has mandated the two types of stopping circuits.
Every machine is designed with an emergency or e-stop circuit. The potential trap to individual safety is when we include all the stop requirements in the e-stop circuit. An e-stop is designed to be an all-encompassing, all-inclusive, hard stopping of all hazards associated with an operation. When this is the only stop provided, and an operator perceives it as an obstacle to doing his job, then he will actively try to defeat the safety. If he successfully defeats the safety provided by our design, he is placing himself in an unacceptable position of risk against a hazard we have identified as harmful.
The emergency-stop should be treated as just that, an emergency stop. That is, an active stop, initiated by an operator, in response to a perceived problem. When you have a dedicated e-stop circuit, the components may be the 'well tried' components we are accustomed to seeing in e-stop circuits.
A safety-stop circuit, whether initiated by safeguarding devices, or by an operator requesting access to a safeguarded space, should handle all other stops. Now, through control logic, we can control the stop and what is affected by the stop. In a long assembly line, this may only involve a small group of machinery rather than the whole line. Also, resetting of the circuit does not have to include the manual resetting of the e-stop circuit. In the case of robots, enabling the teach pendant may allow for the re-application of drive power under single point of control. These actions can enhance the ability of persons to do their jobs, as they perceive them, without compromising safety.
A safety-stop may be a passive stop, initiated by a safeguarding device. The safety control circuitry for such a stop must be more reliable than an e-stop circuit. This is necessary since the person exposed to an identified hazard may not know they are exposed to the hazard; nor that the sensing device may have failed and a stop may not have been commanded.
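The split between the two stop circuits, together with the three-position enabling device described earlier, can be modelled in a few lines. This is an added illustration, not logic taken from ANSI/RIA R15.06-1999 or from any controller; the `Line` class, the zone names and the 'AUTO'/'TEACH'/'OFF' labels are assumptions.

```python
from enum import Enum

class Enable(Enum):
    """Three-position enabling device: off-on-off."""
    RELEASED = 0   # operator let go: off
    CENTER = 1     # held against the light spring: on
    SQUEEZED = 2   # gripped hard against the strong spring: off

class Line:
    """Constructed model of a line of zones sharing one e-stop circuit."""
    def __init__(self, zones):
        self.estop_latched = False
        self.safety_stop = {z: False for z in zones}
        self.enable = {z: Enable.RELEASED for z in zones}

    def press_estop(self):
        self.estop_latched = True        # operator-initiated; stops every zone

    def reset_estop(self):
        self.estop_latched = False       # deliberate manual reset

    def trip_safeguard(self, zone):
        self.safety_stop[zone] = True    # safeguarding device or access request

    def reset_safety_stop(self, zone):
        self.safety_stop[zone] = False   # separate from the e-stop reset

    def set_enable(self, zone, position):
        self.enable[zone] = position

    def drive_power(self, zone):
        """Return 'AUTO', 'TEACH' (pendant is the single point of control) or 'OFF'."""
        if self.estop_latched:
            return "OFF"                 # e-stop overrides everything
        if not self.safety_stop[zone]:
            return "AUTO"                # no stop active: normal operation
        # Safety-stop is active for this zone only; drive power returns only
        # while the enabling device is held in its center position.
        return "TEACH" if self.enable[zone] is Enable.CENTER else "OFF"
```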
Worldwide normalization continues, and understanding these concepts from the U.S. robot safety standard becomes more relevant as they are offered for ISO consideration. It is incumbent on all of us to strive for the safest possible workplace through the proper design of our automated industrial machinery.
To learn more about these topics and other aspects of robot safeguarding, join us for the Regional Robot Safety Workshop in Louisville, KY, April 23-25, 2002.