Enhance manufacturing safety with tips on cobot integration, functional safety components, and simplified machine safety for secure, efficient operations.
We get technical
Safety in Manufacturing | Volume 1
Safety in manufacturing
How to safely incorporate cobots in industrial workplaces
Component designs to satisfy functional safety standards
Making light work of machine safety
Editor’s note

The manufacturing floor has the potential to be one of the most dangerous places on Earth. Without proper mitigation through safeguards and strict adherence to safety regulations, workers in this environment face serious bodily harm or worse. This magazine will go over technologies and solutions that can help to reduce those dangers to your workforce. Whether you are implementing a collaborative robot or just guarding entry to a metal forming press, the products and technologies featured in this collection are just a small selection of the solutions available to customers here at DigiKey. For more information, please check out our website at www.digikey.com/automation.
Safety in manufacturing
How to safely incorporate cobots in industrial workplaces
Basic understanding of safety circuits
Component designs to satisfy functional safety standards
Basics of safety interlocks
Danger – keep out
Making light work of machine safety
Reducing robot risk: how to design a safe industrial environment
Using laser scanners to safeguard your workforce
Safety in manufacturing
Written by: Eric J. Halvorson
Partnership Marketing Manager II — Strategic Programs | Automation & Control at DigiKey

As manufacturing continues to become increasingly automated, manufacturers continue to look for ways to protect their most important asset: their workforce. Robots, autonomous ground vehicles, material handling equipment, and more complex systems can create more dangerous workspaces than ever before without the proper safeguards installed on the production floor. There are many forms of safety devices available today; the ones below are just a couple to get you thinking about the options available to you.

E-Stops (emergency stops) are one of the most recognizable and most commonly thought of safety devices on the production floor. Think of them as the immediate interface to stop a machine. The E-Stop is typically in a normally closed position within a circuit; pressing it opens the circuit and cuts power to the device. To re-engage the circuit, the E-Stop must be pulled out or, in a twist-to-open configuration, twisted, returning the circuit to operational. According to OSHA, ANSI, NFPA 79, ISO 13850, and IEC 60204-1, E-Stops are required to be installed where they are easily accessible to the operator, and resetting the E-Stop should not allow operations to resume. A second redundant action is required, such as an all-clear function through a circuit on the PLC (programmable logic controller).
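The reset behaviour described for E-Stops, as an added Python example that is not part of the original article: a normally closed loop feeds a latch, and releasing the button alone never restarts the machine. The class name, the event names and the wire-break input are assumptions made for the illustration.

```python
class EStopLatch:
    """Latching stop circuit: a normally closed (NC) loop plus a separate restart step."""

    def __init__(self):
        self.button_released = True  # NC contact is closed while the button is out
        self.wire_intact = True      # a broken wire opens the loop, same as a press
        self.latched = False         # set when the loop opens, cleared only by all_clear
        self.running = False

    def loop_closed(self):
        return self.button_released and self.wire_intact

    def apply(self, event):
        """Apply one event and return whether the machine is running afterwards."""
        if event == "press":
            self.button_released = False
        elif event == "release":
            self.button_released = True       # re-closes the loop, nothing more
        elif event == "wire_break":
            self.wire_intact = False
        elif event == "all_clear":
            if self.loop_closed():            # refused while the loop is still open
                self.latched = False
        elif event == "start":
            if self.loop_closed() and not self.latched:
                self.running = True
        else:
            raise ValueError(f"unknown event: {event}")

        # Any open loop trips the latch and removes power, whatever the event was.
        if not self.loop_closed():
            self.latched = True
            self.running = False
        return self.running


def run(events):
    """Replay a list of events on a fresh circuit; return the running state after each."""
    latch = EStopLatch()
    return [latch.apply(e) for e in events]


if __name__ == "__main__":
    # Constructed sequences, not taken from any real installation.
    for seq in (
        ["start", "press", "release", "start", "all_clear", "start"],
        ["start", "press", "all_clear", "release", "start"],
        ["start", "wire_break", "all_clear", "start"],
    ):
        print(seq, "->", run(seq))
```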
Door interlocks are another physical safety device commonly integrated on the production floor. Safety interlocks are used on physical barriers such as gates and doors. The safety interlock, much like the E-Stop, operates in a normally closed circuit. When the gate or door is opened, the circuit is interrupted, and all work is halted. Interlocks are required to meet ISO 14119 and ISO 13849.

Another form of safety is an operator presence trigger. These come in many shapes and sizes. One example is a safety mat. A safety mat is activated by the presence of someone standing on the mat. This can be utilized in a few different ways. It may trigger a machine to stop, go in reverse or deactivate when presence is detected. This helps to ensure that human workers are out of the way, allowing the machine to operate.

Laser safety scanners have become very popular with the rise of cobots. The scanner uses a 360-degree beam that indicates how close a worker or an object is in relation to the robot. Usually with set zones the robot will decrease speed depending upon the closeness of the individual or object. In the orange or yellow zone, the robot is slowed to collaborative speed until the object or person has exited. If the red zone is triggered, the robot will then slow or even stop completely until safe.

Light curtains are especially effective in areas where crushing or pinching hazards exist, such as hydraulic presses. The light curtain uses photoelectric beams that project from a transmitter to a receiver. If the beam is broken, all work stops immediately until the obstruction is cleared. Light curtains are particularly effective when solid gates or barricades are impractical. They come in a variety of sizes and levels of sensitivity to fit the needs of the manufacturer in meeting OSHA standards.

Safety PLCs are a way to program in safeguards in the way that they monitor the health of a line. Through redundancies, the safety PLC is designed to run diagnostics to determine if a part of the line or a component is faulty. If an event occurs, such as a broken wire or a motor running outside of spec, the safety PLC will immediately shut down the entire affected system to help prevent injury or damage. The safety PLC must adhere to a specific SIL (safety integrity level) and must meet IEC 62061, ISO 13849-1, and IEC 61058.

These are just some of the many safety devices available to manufacturers and installers today. There are many more. When automating a process, it is absolutely necessary to seek advice from a safety expert and consultant to ensure you have covered all of the possible hazards within your facility to protect your workforce and investment. These experts and consultants can help you to navigate OSHA, ANSI, and all other safety regulatory agencies.

About the author
Eric J. Halvorson is partnership marketing manager II – strategic programs | automation & control at DigiKey.
How to safely incorporate cobots in industrial workplaces
Written by: Richard A. Quinnell
Contributed By DigiKey's North American Editors

Compact industrial robots are now available that can be cost-effectively integrated into even small production lines. Part of their appeal is that such robots can collaborate with a human operator to offload repetitive tasks that would otherwise tire the operator and lead to mistakes. The problem is that working in close proximity to a moving machine poses safety risks for humans.

The key to keeping collaborative robots (cobots) safe is to carefully consider the risks involved and configure the robot and its control system to mitigate potential hazards. Fortunately, technical specifications are now available to help guide developers along the path to safety.

This article looks at the advantages of adding cobots to a working environment and points out the safety concerns before describing the recent regulatory guidelines and presenting risk assessment and mitigation strategies. It then introduces cobots with built-in safety mechanisms that allow them to be safely added to any production or workflow environment.

Why add collaborative robots?

Industrial robots in major manufacturing facilities have long proven their worth in terms of increasing production throughput while reducing costs. Now compact, generalized industrial robots are bringing such benefits to mid and small scale production. Unlike their larger scale counterparts, however, compact robots are designed to operate in cooperation with their human operators rather than in isolation (Figure 1). The two share a workspace, helping to minimize the robot's use of valuable production floor space and improve its cost-effectiveness.

Figure 1: Small industrial robots are designed to operate in cooperation with humans rather than in isolation. (Image source: KraussMaffei/KUKA Robotics)

Like all powered machinery, these cobots have the potential to cause injury if not utilized properly. Integration of a cobot into a production line, then, requires that careful consideration be given to the issue of operator safety. Factors to keep in mind include the robot's range and speed of motion, the materials it is handling, and the operator's method and frequency of interaction. Once those are understood, appropriate safety-enhancing features can be incorporated into the system design.

Regulatory requirements from organizations such as OSHA (Occupational Safety and Health Administration) in the US, CCOHS in Canada, and the European Commission mandate some elements of cobot operational safety. OSHA 29 Code of Federal Regulations (CFR) 1910, for instance, calls for systems to lock out hazardous energy sources during servicing operations (Section 147) and to prevent electrical shocks from occurring during operation (Section 333). Such regulations, however, were developed to apply to all forms of industrial machinery and have not necessarily kept pace with technology. There is relatively little regulation specific to industrial robots in general or cobots in particular.

Industry has filled the gap, however, by developing several technical standards specific to industrial robots. These include the IEC 61508 standard on functional safety, the ISO 12100 standard on design for machine safety, and the ISO 10218-1 and -2 standards on safety for industrial robots. Most recently, industry has released the ISO/TS 15066 technical standard on collaborative robot safety. Only some sections of these standards are defined as requirements for robotic system design. The rest are recommendations that provide developers and operators with detailed guidelines for ensuring safe interaction of robots and humans.

Cobot risk assessment

The road to cobot safety begins with a careful risk assessment of the intended robotic operation and usage model—not just of the robot itself, but the entire application and operating environment. A robotic system handling sharp-edged sheets of metal, for instance, creates different risks than those of a system handling cardboard boxes. Similarly, risk assessment for a robot equipped with a gripper will differ from that of a robot with a drill or soldering iron.

Thus, developers must fully understand the system's scope of operations, the robot's movement characteristics, the workspace and workflow, and other similar factors in order to identify the potential risk sources in robot operation. These sources include any possible robot-human interaction—whether intended, inadvertent, or resulting from equipment failure—that might result in an injury of some kind.

Once the risks are identified, each must be evaluated. This evaluation categorizes each such interaction as a negligible, low, medium, high, or very high risk using three key criteria:
- Severity of potential injury
- Frequency and/or duration of exposure to the hazard
- Probability of avoiding the hazard

A representative risk evaluation tree is shown in Figure 2. The severity of injury ranges from minor, such as cuts or bruises that completely heal in a few days, to serious, resulting in permanent damage or death. Exposure ranges from low (occasional) to high (frequent or continual), and avoidance probability ranges from likely to not possible. Evaluators can quantify these criteria in their own way to reflect their specific circumstances.

Figure 2: Risk level assessment requires examining the severity and likelihood of possible injuries. (Image source: Richard A. Quinnell)

One of the insights that ISO/TS 15066 has brought to the industry, however, is a quantitative definition of physical contact between robot and human that is non-injurious. This definition is especially important in cobot applications, where physical contact is highly likely or even intended. The standard defines two types of contact: transient and quasi-static (Figure 3). Situations in which the human can readily move away from contact with the robot, such as a robot part bumping against the operator’s arm, are considered transient. When the human is trapped between the robot and a fixed object, such as a robotic gripper pressing the operator's hand against the tabletop, the contact is considered quasi-static.

The limits for force of contact in a cobot application are based on the human threshold of pain. Collaborative robots must be configured so that any contact, intended or otherwise, will be below the pain threshold. Force limit values vary depending on what body part is involved. Head contact has a much lower pain threshold than arm contact, for instance. Further, quasi-static contacts have lower thresholds than transient contacts.

Figure 3 diagram labels: Situation (intended, accidental, result of failure); Contact type (transient, quasi-stationary).

Figure 3: Robot-human contact—accidental or anticipated—falls into two categories: transient and quasi-stationary. (Image source: Richard A. Quinnell)

Once risks have been identified and evaluated, the critical question to ask for each is, "Is this an acceptable level of risk?" In most cases, a negligible or very low risk is tolerable and everything else will require one or more forms of mitigation. Choosing an appropriate form of risk mitigation followed by re-evaluation of the risk are thus the next steps along the road to robot safety, to be repeated until all risks have been reduced to acceptable levels.

Risk mitigation avenues

Some of the most preferred methods for risk mitigation include redesigning the process or layout of the robotic workspace to eliminate the hazard or to minimize exposure by limiting human interaction with the robot. Traditional industrial robot applications have limited human-robot interaction by using cages to keep humans out of the robot's workspace with interlocks to shut down the robot when a human enters the workspace. For cobot applications, where robots need to share a collaborative workspace with humans, other methods are needed.

The industry has identified four key approaches for collaborative robot-human interaction:
- Safety-rated monitored stop
- Hand-guiding
- Speed and separation monitoring
- Power and force limiting

Developers will need to determine which approach or combination of approaches best fits their application.

The safety-rated monitored stop works well in applications where the operator interacts with the robot only under specific conditions, such as loading or unloading the robot’s end-effector or performing inspections on work in progress. In this type of interaction, the robot operates autonomously within a protected workspace that is monitored to detect any human presence. The human operator initiates a safety-rated stop before entering that workspace, and while the operator is within the workspace, the robot remains powered but stationary. When the operator exits the workspace, the robot automatically resumes its autonomous operation. Should someone enter the monitored workspace without initiating the safety-rated stop, the system will initiate a protective stop that will shut down system power.

In the hand guiding scenario, the operator initiates a safety-rated stop before entering the robot’s workspace, then goes on to use a hand guiding mechanism to reposition the robotic arm before triggering the robot's next operation. The hand guiding mechanism may involve simply grasping the robot arm and manipulating it, or it can involve the use of a handheld control device to command the robot's motion. An application such as robotic lift assistance can utilize a hand-guided collaboration.

Speed and separation monitoring is useful in situations where the operator and robot frequently share the same workspace and the operator is able to move freely within that space. In this scenario the system monitors the human's distance from the robot, working to maintain a minimum protective separation distance at all times (Figure 4). When the two are at a safe separation distance—so that there is no possibility of contact—the robot is free to move at full speed. Should the separation lessen, the robot continues working but slows, serving to reduce the effort required to bring the robot to a complete stop. When the separation becomes too small, the robot comes to a safety-rated stop to ensure that there is no possibility for it to cause an injury.

Defining the distances for each stage in this approach requires understanding the robotic system's movement capabilities. The system should be designed so that once the monitors detect a human moving toward the protected space, the robotic mechanisms come to a complete stop before the human can reach that space. In order to calculate suitable separation distances, developers need to know:
- How fast the robot and human move
- The system's reaction time to detect the potential intrusion
- How long it takes for the robot to stop moving after it receives a command

The workspace layout can help simplify the definition and monitoring of safety zones for the speed and separation monitoring approach. In one example, the layout creates inherent safety zones (Figure 5). A workbench separates the human from the robot's operating space, in which the robot can freely move at full speed. The robot can automatically reduce speed when it enters the collaborative areas at the sides of the workbench, which are laid out to limit opportunities for quasi-static contact. The reduced speed minimizes risk in this area by reducing potential transient contact force and maximizing the opportunity for avoiding any hazards.

Figure 5: Workspace design can create inherent safety zones. (Image source: Richard A. Quinnell)

Mechanical stops can prevent the robotic mechanism from ever entering the human's operating area, eliminating risk. Such an arrangement would require only minimal monitoring of the robot's operating space for human intrusion to ensure a high degree of system safety.

The power and force limiting approach is especially useful in applications where human-robot contact is highly likely. To use the approach, the robot must be capable of sensing when unusual forces have been applied to the mechanism so that it can detect and react to contact. The robot should also be designed to minimize potential contact force, such as by avoiding sharp edges and pinch points, incorporating surface padding, and limiting movement speed.

The application should be designed so that contact is infrequent and avoidable, with care taken to evaluate what types of contact (transient or quasi-static) might occur and what body parts might be involved. The application design should also aim to minimize the opportunities for quasi-static contact and prevent contact with head, neck, or throat altogether.

Robotic system safety features

Developers selecting a robot for a collaborative application should keep in mind how they might implement one or more of these mitigation methods. The robot's physical design as well as the systems that control it are all factors to evaluate in determining how readily safety measures can be implemented. Typically, however, robot vendors have worked to make their systems safety ready.

For example, the Agilus robot kit family from KUKA includes a smartPAD touch operator panel for hand-guided control and the KR C4 system controller with integrated safety features. The optional KUKA.SafeOperation software completes the package. The kits’ arms come with various reach lengths, including 540 millimeters (mm) (KR 3 R540), 900 mm (KR 6 R900-2), and 1100 mm (KR 10 R1100-2) (Figure 6).
Figure 6: Compact industrial robots such as the KUKA Agilus KR 3 are designed with safety as a major consideration and can safely share workspace and collaborate with human operators if industry standards are followed during setup. (Image source: KUKA Robotics)

Figure 4: Speed and separation monitoring identifies zones around the robot that define its safe operation. Zone labels in the figure: Stop, Slow, Normal. (Image source: Richard A. Quinnell)
All three robots are designed with rounded surfaces under energy absorbing padding to minimize the pressure of contact. Joints are covered to eliminate any pinching hazards. The robots also offer adjustable mechanical stops for key movement axes so that developers can physically restrict the robot’s operating space. The included smartPAD helps address applications where hand-guided operation is required (Figure 7).

Figure 7: The KUKA robot kits include a smartPAD touch operator panel to enable hand-guided control where appropriate. (Image source: KUKA Robotics)

The KR C4 controller comes with integrated safety software that includes routines for implementing safety-rated and emergency stops as well as an ability to monitor industry standard external sensors, establishing a safety fence. In addition, the software can internally monitor the robot’s position and movement around any of its motion axes.

KUKA.SafeOperation software enhances this internal monitoring by allowing developers to define a fixed operating cell: a convex polygon with three to ten corners outside of which the robot should never move (Figure 7). In addition, developers can define up to 16 monitoring spaces within that cell using either Cartesian or axis-specific coordinates.

Figure 8: Developers can refine position related safety monitoring using KUKA.SafeOperation software with which they can define an operating area and model end-effector tools. (Image source: KUKA Robotics)

To further refine position-related safety monitoring, the SafeOperation software allows users to model the end-effector tool on the robot's mounting flange as a collection of up to six user-defined spheres. These spheres move with the robot arm. If the arm or the tool spheres move into or out of the monitoring spaces during operation, the software will respond. Possible responses include signaling an alarm, slowing the robot’s motion, or implementing a safety stop. Developers can thus readily control how the robot behaves anywhere within its range of motion.

Such features simplify the implementation of risk mitigation schemes, but do not in themselves ensure safe human-robot interaction. Developers seeking to integrate a robotic system into their production workflow, especially in a cooperative application, must do the work of risk assessment and mitigation, much of which will be specific to their application. This effort includes following all manufacturer guidelines and restrictions, properly training users, and implementing monitoring systems and barriers as needed.

Conclusion

Robots and cobots are an increasingly welcome part of manufacturing and other workflows but do present potential hazards that industrial automation developers must take into account. While newly developed standards for robot safety do help, the availability of robotic systems that have been built from the ground up with safety as a prime consideration makes the integration of robots into a workflow much easier, and safer.
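The separation-distance calculation outlined in the speed and separation monitoring discussion, as an added Python example that is not from the original article or from any robot vendor. It assumes a simplified model (constant human approach speed, constant robot deceleration, one lumped uncertainty margin); all parameter names and sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SsmParams:
    human_speed: float    # m/s, human approach speed toward the robot
    robot_speed: float    # m/s, robot full speed toward the human (must be > 0)
    reaction_time: float  # s, time to detect the intrusion and issue the stop
    stop_time: float      # s, time for the robot to stop from full speed
    margin: float         # m, allowance for sensor and position uncertainty


def protective_distance(p: SsmParams, robot_speed: float) -> float:
    """Smallest separation (m) at which a stop from robot_speed still avoids contact."""
    if p.robot_speed <= 0 or not 0.0 <= robot_speed <= p.robot_speed:
        raise ValueError("robot_speed must lie between 0 and a positive full speed")
    # Constant deceleration: stopping time scales linearly with the current speed.
    t_stop = p.stop_time * robot_speed / p.robot_speed
    # The human keeps walking while the system reacts and while the robot brakes.
    human_travel = p.human_speed * (p.reaction_time + t_stop)
    # The robot keeps its speed during the reaction time, then brakes linearly.
    robot_reacting = robot_speed * p.reaction_time
    robot_braking = 0.5 * robot_speed * t_stop
    return human_travel + robot_reacting + robot_braking + p.margin


def select_mode(p: SsmParams, separation: float, slow_speed: float) -> str:
    """Map a measured separation to the Normal / Slow / Stop zones of the article."""
    if separation >= protective_distance(p, p.robot_speed):
        return "normal"
    if separation >= protective_distance(p, slow_speed):
        return "slow"
    return "stop"


def max_safe_speed(p: SsmParams, separation: float, tol: float = 1e-6) -> float:
    """Highest robot speed whose protective distance fits inside the separation."""
    if separation < protective_distance(p, 0.0):
        return 0.0
    if separation >= protective_distance(p, p.robot_speed):
        return p.robot_speed
    lo, hi = 0.0, p.robot_speed  # protective_distance rises monotonically with speed
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if protective_distance(p, mid) <= separation:
            lo = mid
        else:
            hi = mid
    return lo


# Constructed sample cell, not data from any real robot or standard.
EXAMPLE = SsmParams(human_speed=1.6, robot_speed=1.0,
                    reaction_time=0.1, stop_time=0.4, margin=0.2)

if __name__ == "__main__":
    for d in (2.0, 0.9, 0.4):
        print(f"{d:.2f} m -> {select_mode(EXAMPLE, d, slow_speed=0.25)}, "
              f"max speed {max_safe_speed(EXAMPLE, d):.3f} m/s")
```

In this model the human can still close some distance during the reaction time even when the robot is already stationary, which is why the stop zone has a non-zero radius.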
Basic understanding of safety circuits
By Lisa Eitel
Contributed By DigiKey's North American Editors

This article reviews the basics of safety circuits for automated machinery. The discussion will touch on standards that dictate required features; common setups; mechanisms for addressing faults and preventing tampering; and the functions of components often found in safety-circuit installations.

History and function of safety circuits

In the early industrial period, machinery was extremely dangerous. It was common for both factory and agricultural workers to lose fingers, limbs, and even their lives through entrapment in moving machinery. This led to the development of systems of guarding and other safety devices.

Interlocks — which make the state of two or more machine functions interdependent — are core to the function of today’s safety systems. These prevent machines from injuring operators or damaging their own components. For example, an interlock may prevent a machine from starting if its guard is open and stop the machine if a guard is opened during operation.

Many simple interlock systems are purely mechanical. For example, in some machine designs, the guard pivots about an axis with an interlock cam attached. When the guard is open, the cam engages with a matching cam on the machine’s drive shaft to prevent operation of the axis. That means it’s only possible for the machine to operate when the guard is closed.

Most modern machines use electronic safety circuits or even microprocessor control to implement interlock safety systems. Electronics give far greater flexibility in the arrangement of guards and the complexity of safety procedures than mechanical solutions. Typical electronic safety circuits only allow the machine to operate if the circuit is closed — a structure called normally closed (NC) operation. They also wire safety components in series to maximize effectiveness and minimize complexity and cost.

Figure 1: Shown here is a Banner Engineering SC10 Series safety controller designed to deliver the functionality of three safety relay modules. (Image source: Banner Engineering)

Consider a typical safety installation with a number of position switches that are NC when the corresponding section of guard is closed. These position switches are wired into the installation in series so that if any section of the guard is not closed properly, the whole circuit will be open, and the machine will not run. In fact, controls in a safety circuit also require series wiring to ensure safe conditions in the event of any loosening of connections or sudden breaks in (such as severing of) the safety-component wiring.

One caveat related to the series wiring of safety circuits: when a circuit contains more than four safety switches or includes frequently used switches or gates, there’s a decrease in the design’s performance level (PLr — which is detailed in the next article section) as well as an increased risk of fault masking. The latter is when the emergence and resolution of one open switch or fault obscures the presence of another open switch or fault. Fault masking is most likely to occur where an installation includes volt-free contacts such as relays having no other power connections beyond that for the switch connection. Where such risk is unacceptable, more sophisticated wiring systems and methodologies may be necessary.

Trapped-key interlocks are often used to ensure that all guards are locked shut before operating a machine. In these systems, locks on each safety guard have keys which can only be removed when the guard is barred shut. The keys can then be taken to the control or power unit and used to activate the machinery. Similarly, the keys are held captive while the machine is activated and can only be removed from the power unit after the machine has been shut down. The keys can then be used to open the guards again.

Risk assessments and the requirements of governing standards

ISO 14119 covers the safety of machinery with interlocking devices associated with guards and outlines design and selection principles to ensure machinery safety. It refers to other standards for general principles of risk assessment and risk reduction in the design of machinery.

The basic function of an interlocking guard is to prevent the execution of hazardous operations it covers until that guard closes. So, if something or someone forces the guard open during operation, the guarded operation should stop. In some cases, a guard-locking device may be fitted to prevent opening of the guard during machine operation.

It should be noted that although machines can operate when the guards are closed, the closure of a guard shouldn’t trigger the beginning of a hazardous operation. Instead, such operations should require a separate start command. One exception is something called a control guard — a special type of interlocking guard with a start function capable of starting a hazardous operation when the guard is closed, without a separate start command.

Also covered in ISO 14119 is the concept of a safety-system defeat. This is an action that bypasses a machine’s interlocks. For example, an operator may accidentally or deliberately rest a heavy object on a position switch while the guard is open, which in turn may grant access to workspaces that become dangerous when the machine is in operation. Properly designed safety systems make it impossible to defeat interlocks in any reasonably foreseeable manner — either manually or with readily available objects nearby. This includes the removal of switches or actuators using tools that are used to operate the machine or are readily available such as screw drivers, hex tools, adhesive tape or wire. This also means that spare keys should not be accessible for trapped key systems.

ISO 14119 puts interlocking devices into four categories:
- Type 1 interlocking devices have mechanically actuated position switches with uncoded actuators such as a rotary cam, linear cam, or hinge. These are relatively easy to defeat by resting an object on the switch or holding it in position in some other way.
- Type 2 interlocking devices have mechanically actuated position switches with coded actuators such as a shaped actuator (tongue) or trapped-key. These are considerably more difficult to defeat.
- Type 3 interlocking devices have non-contact position switches with uncoded actuators such as proximity switches. The difficulty involved in defeating Type 3 interlocks depends on the actuation principle involved. Capacitive, ultrasonic and optic actuators can be defeated by a wide range of objects. Inductive actuators may be defeated by any ferric metal object. Magnetic actuators require a magnet to defeat them.
- Type 4 interlocking devices have non-contact position switches with coded actuators, such as RFID tags, coded magnets or coded optical tags. These are extremely difficult to defeat if properly constructed so that the coded actuator cannot be removed.

When designing a safety circuit, interlocking devices should be selected to minimize the possibility of a defeat. Consideration should also be given to:
- The overall system stopping performance, which is the amount of time required for the machine to become safe after a stop command is issued.
- The access time, which is the time it takes a person to reach the hazard after the stop command has been initiated.

The overall system stopping performance must be significantly

the SRP/CS can be classified according to its:
- Resistance to faults
- Behavior if a fault does occur

All design work on a machine incorporating safety should start with a risk assessment according to ISO 12100 to identify hazards and estimate risks. The risk-reduction process then involves first applying inherently safe design, then safeguards, and finally information for use. Any protective measures that depend on the control system must then be evaluated using a special iterative process. This involves determining the required performance level (PLr) for each safety function and its mean time to dangerous failure (MTTFD) to determine the reliability of the SRP/CS. Each part may be assigned a performance level from a through to e — with PL a having the highest probability of a dangerous fault and PL e having the lowest probability. The specific way that the failures may occur involves the considerations set out above for ISO 14119.

Variations on safety circuits — and some example arrangements

Figure 2: Particularly unique are safety circuits associated with robotics — especially for robotics that employ teach pendants (as shown here) as well as collaborative robots.

For large enclosures such as gated robotic cells, safety arrangements are a little different. This is because guards are often closed with the operator inside the active workspace. So, in many instances, trapped-key systems are used to ensure that operators are outside the workspace upon the closing of gates; and only then can the robot begin its full-speed operation.

Of course, traditional robots can typically be operated in a low-speed teach mode with the operator in the cell, but when operating at full speed (unlike collaborative robots) they must not come into close proximity to humans. Even in teach mode, unless the robot is fitted with a force feedback system, there is still the danger of the operator being crushed. The handheld control unit is therefore normally fitted with a dead man’s switch which will shut down the robot if the operator becomes incapacitated.
Another automation situation requiring specialized safety is personnel-tended conveyor systems. Here, it may be necessary for personnel to work alongside conveyors operating rather quickly. This has a significant risk of entrapment resulting in serious injury, and so should be avoided wherever possible. But where such workspaces are essential to an operation’s productivity — as in Amazon Fulfillment Centers, for example — distributed stop switches in the form of pull-cords and stop strips must be installed. These give personnel a reliable means to stop the conveyor along its entire length. Such stops should be arranged so that an operator can easily grab or press them without having to hunt for them during an emergency.
The safety devices should also be positioned so that an injured or unconscious person falling or being pulled into the conveyor automatically triggers a stop. Multiple stop devices and redundant circuits may be required, and where conveyors are accessible from both sides, such safety devices must be present on both sides as well. Common safety-circuit components Mechanical switches include position switches, used to detect gate and guarding positions, and manually activated stop switches such as e-stop palm buttons and pull-cords. Non-contact switches, such as light and inductive sensors, may be also used in a similar
more rapid than the access time. There should also be
consideration of whether guards require emergency release, to allow manual opening from outside, or escape release to allow manual release from inside. ISO 13849 is referenced by ISO 14119, it is in two parts, covering the principles of designing and validating the safety-related part of a control system (SRP/ CS). According to this standard,
we get technical
20
21
Basic understanding of safety circuits
Laser scanners function much like light curtains. However, instead of having a separate transmitter and receiver to maintain a barrier, laser scanners can monitor gateways as well as portal areas from a single piece of hardware. In other words, light curtains provide perimeter guarding whereas laser scanners provide protection for larger portals into areas such as conveyor and robotic cells. As with all safety components, use of laser scanners requires calculation of the minimum safety distance. This value depends on the overall system stopping performance and the access time. However, the overall system stopping performance is likely to be considerably longer for laser scanners than that for light curtains due to the additional processing involved. The electronic safety circuits and safety components of today afford plant and OEM design engineers flexible options for protecting personnel and equipment. Software and other supplier resources help simplify the specification of safety systems for traditional interlock arrangements, workspaces protected by trapped-key designs, and even flexible areas that require plant personnel or machine operators to work in close proximity to conveyors, robotics, and other moving equipment associated with industrial automation.
Figure 3: SX Series safety laser scanners from Banner Engineering can safeguard access points and areas in industrial applications. The
way. These types of interlock components tend to be used with physical guards and gates. They are covered well by the standards discussed above. Other types of safety components that may be used within safety circuits include light curtains, laser scanners, and safety mats. Safety mats use pressure sensors embedded in a rubber platform to provide a simple way of detecting when a person steps into a guarded area. These have, in recent years, been largely replaced by optical systems such as light curtains and laser scanners.
Light curtains can remove the need for physical guarding by creating a virtual guard to stop a machine axis if any of the curtain’s beams are broken. The light curtain consists of two parts — a transmitter and a receiver. The transmitter projects an array of parallel light beams. The receiver detects these beams and if any of them is broken, it triggers a machine stop. Benefits of light curtains include clear visibility of the working area as well as unrestricted access and rapid movement in and out of the protected area.
device continuously scans 275° to protect personnel and machinery with warnings and safety zones customizable with free configuration software. Muting functions are also configurable in this software that, along with muting sensors networked to the SX Series scanner, eliminate the need for an additional module or controller. (Image source: Banner Engineering)
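The relationship described above between overall system stopping performance, access time and minimum safety distance, worked through as an added example (not from the article or any manufacturer). It uses the general form S = K·T + C from ISO 13855, a standard the article does not cite, and every figure in it, including the approach speed K, the intrusion allowance C and the 50 ms margin, is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions); use measured or datasheet figures.
APPROACH_MM_S = 1600   # K: assumed walking approach speed
SUPPLEMENT_MM = 850    # C: assumed intrusion allowed before detection
MIN_MARGIN_MS = 50     # assumed margin for "significantly more rapid"


@dataclass(frozen=True)
class StopChain:
    """Response times of everything between detection and standstill."""
    name: str
    sensor_ms: int    # safety device detects and switches its outputs
    logic_ms: int     # safety relay or controller reacts
    machine_ms: int   # hazardous motion actually comes to rest

    @property
    def stopping_ms(self) -> int:
        # Overall system stopping performance T
        return self.sensor_ms + self.logic_ms + self.machine_ms


def required_distance_mm(chain, margin_ms=MIN_MARGIN_MS,
                         k=APPROACH_MM_S, c=SUPPLEMENT_MM):
    """Minimum distance S = K * (T + margin) + C, in millimetres."""
    return k * (chain.stopping_ms + margin_ms) / 1000 + c


def access_time_ms(installed_mm, k=APPROACH_MM_S, c=SUPPLEMENT_MM):
    """Time to reach the hazard once the stop command has been issued."""
    return max(installed_mm - c, 0) * 1000 / k


def evaluate(chain, installed_mm, margin_ms=MIN_MARGIN_MS):
    """Compare stopping performance with access time for one installation."""
    margin = access_time_ms(installed_mm) - chain.stopping_ms
    return {
        "device": chain.name,
        "stopping_ms": chain.stopping_ms,
        "margin_ms": margin,
        "required_mm": required_distance_mm(chain, margin_ms),
        "ok": margin >= margin_ms,
    }


# Same machine and safety relay; only the sensing device differs.
LIGHT_CURTAIN = StopChain("light curtain", 15, 20, 250)
LASER_SCANNER = StopChain("laser scanner", 90, 20, 250)

if __name__ == "__main__":
    for chain in (LIGHT_CURTAIN, LASER_SCANNER):
        r = evaluate(chain, installed_mm=1400)
        verdict = "OK" if r["ok"] else "TOO CLOSE"
        print(f'{r["device"]}: stops in {r["stopping_ms"]} ms, '
              f'margin {r["margin_ms"]:+.2f} ms, '
              f'needs {r["required_mm"]:.0f} mm -> {verdict}')
```

With these constructed figures, the scanner's longer response time raises the required distance from 1386 mm to 1506 mm, so a 1400 mm installation passes for the light curtain and fails for the scanner.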
Component designs to satisfy functional safety standards

Written by: Lisa Eitel
Contributed By DigiKey's North American Editors

Safety is a top priority in industrial applications to protect employees and equipment from injury and damage. Welding, cutting, and pressing operations as well as high-speed axes and those handling dangerous workpieces or substances pose the greatest threat. In the U.S., plant operators must satisfy Occupational Safety and Health Administration (OSHA) regulations with safe equipment, operational procedures, and training protocols. Complementing these systems should be plant-specific analyses to identify pragmatic ways to enhance worker well-being and equipment longevity.

In addition, automated machinery must satisfy functional safety requirements via automatic machine actions or corrections to potentially or certainly unsafe conditions or failures. Functional safety systems include electronics in the form of sensors, I/O, controls, switches, electromechanical components, fluid-power components, and software that detect dangerous conditions and change the machine state to prevent dangerous situations from arising.

Figure 1: Light towers today use LEDs for efficiency and visibility. Some enhance safety with built-in buzzers to emit a siren to 100 dB during safety breaches. (Image source: Menics)

First originating in the European Union, today functional-safety design and regulations apply to suppliers, machine builders, and end users around the world. The harmonized European Norm (EN) and International Electrotechnical Commission (IEC) EN/IEC 62061 standard — listed in EU Machinery Directive 2006/42/EC — and the International Organization for Standardization (ISO) EN/ISO 13849-1 standard are the most applied. ISO 13849-1 and IEC 62061 can be cross-referenced, and OEMs and end users are free to use either. The only caveat is that functional safety relates to machines and controls and not devices or components … though the latter may offer functionalities supporting the satisfaction of a given safety rating.

EN/IEC 62061 details requirements and recommendations as safety integrity levels for the design, integration, and validation of permanently installed (nonportable) machine or plant-installation SRECS — consisting of safety-related electrical, electronic, and programmable controls. EN/IEC 62061 safety integrity levels (SILs) grade a system’s functional safety from 1 (most rudimentary) to 4 (most integrated and sophisticated) with SIL3 the highest possible for machines. Risks dictating the required SIL include the regularity of risk exposure, severity of the potential injury, incidence probability, and likelihood that a machine operator’s evasive maneuvers can help avoid harm.
SIL   Probability of failure on demand   Risk reduction factor
1     0.1 to 0.01                        10 to 100
2     0.01 to 0.001                      100 to 1000
3     0.001 to 0.0001                    1000 to 10,000
4     0.0001 to 0.00001                  10,000 to 100,000

Table 1: Required SIL levels depend on the severity of injury should a given unsafe condition occur as well as the likelihood of that condition occurring. (Table source: IEC)

In contrast, EN/ISO 13849-1:2005 details requirements and recommendations based on SRP/CSs — safety-related parts of control systems. SRP/CS performance levels allow for quantification of machine safety capabilities no matter the subcomponents. The standard employs well-known performance level (PL) ratings of functional safety — ranging from “a” (most rudimentary) to “e” (most integrated and sophisticated). Risks dictating the required PL include those applicable to SILs as well as the frequencies and durations of repeated exposures to the machine hazard. In addition, a complete PL rating includes a Category number (to indicate the overall system architecture) and the mean time to dangerous failure or MTTFd.

Figure 2: The appropriate functional safety level for a given installation depends on qualitative variables, quantitative values, and the results of software-based analysis. (Image source: Design World)

IEC 61508 and IEC 62061 satisfaction involves testing safety controls (and validating machine modes, status criteria, and corrections) to confirm the machine’s functional safety rating. EN ISO 13849-1 and 2 also demand documented testing (static and dynamic) for confirmation of seamless safety control integration.

Operator-triggered safety components

Many safety-related components are designed to accept input from plant personnel and not through some intermediate section or axis of a machine or guard. These include tactile safety mats, light curtains, consoles as well as human-machine interfaces (HMIs), touchable machinery locks, and (for emergencies only) bright red mushroom-head stop buttons. Personnel-facing safety components also include enclosures (protecting housed components according to NEMA ratings) as well as machine shields and wire ducts — simple yet reliable machine safety elements to protect personnel who must work near (and sometimes in) machines and their power and control panels.

Cable-pull switches encircling hazardous machine sections let operators trigger emergency stops (e-stops) with a quick tug. Especially common around open-faced machines (impossible to guard) as well as unguarded conveyors, these safety elements differ from disconnect switches that de-energize circuits and secure dangerous work cells to keep personnel out.

Other offerings include safety edges (strips) that install around machine-tool openings (especially those that execute cutting or pressing tasks) and floor safety mats that trigger (via specialized safety relays) safety responses upon detection of an operator stepping or standing on their surfaces.

Somewhat more sophisticated are the aforementioned light curtains. These include an emitter of photoelectric beams that, if broken in the plane of detection on their way to a receiver, quickly halt dangerous processes. They’re costlier than other options but justified where machine operators frequently interact with a machine section.

Figure 3: Laser scanners are a type of noncontact safety-feedback component best known for their helping AGVs navigate facilities. However, their applications abound — and they can sometimes offer an alternative to light curtains. (Image source: IDEC)

Yet another sophisticated safety component is the two-hand safety console. These typically require simultaneous activation of separate switches to start or maintain machine operation.

Before they’re trusted to protect plant personnel and equipment, all operator-triggered safety components (and the safety logic or controls into which they integrate) must be verified. For example, IEC 61508 and IEC 62061 testing standards require that an e-stop using redundant relays should work if an operator trips the first channel between the logic and field devices … and should also work on the second channel between them. Such redundant e-stop functions are separately validated during machine commissioning.

Automatic safety switches, sensors, and guards

Separate from personnel-triggered safety-related components are those for automatic machine functions.
Built-in lockouts with latches and switches

Switches and interlocks are essential elements on the outer perimeters of machine work cells. Safety limit switches have contacts that serve to automatically verify machine element positions or motions. In contrast, safety switches with higher functions — those called interlock safety switches — use tongue or hinge interlock mechanisms as tamper-resistant machine guards having positively driven (double-verifying NO and NC) switching contacts. Trapped-key interlock switches with mechanical keys and locks keep doors into machine workspaces closed until access is safe. Increasingly common though are noncontact RFID and magnetic safety switches that monitor the position (open or closed) of work-zone doors and disallow operator access during hazardous processes.

Built-in safety with electrical breakers and isolators

Safety components triggered by machine status also include those to ensure electrical safety. Circuit breakers (much like fuses) protect against the detrimental and dangerous effects of overload currents on mains, power branch, and signal circuits. Some installations include isolators for galvanic separation between field devices and controls to ensure intrinsically safe operation. Complementing all designs for electrical safety are surge-protective components to prevent voltage spikes from damaging electrical and electronic automation components involved in mains and drive power and/or feedback and control-signal distribution.

Built-in mechanical safety with brakes

Brakes that qualify as safety brakes are also called failsafe brakes. These default to a stopped state (typically to lock or hold a motion axis) even if electrical or fluid power fails or is removed. All rely on spring-loaded or other mechanical action for this failsafe operation.

Case in point: Spring-set friction brakes that are pneumatically released often serve as failsafe brakes in servomotor-driven automation applications. All must carry a rating that certifies compliance with ISO 13849-1 — typically from the international product-testing organization Intertek Group. Thanks to their mechanical locking, these consume no electrical power while holding … which provides maximum reliability for safety-grade performance and avoids overheating associated with other electrically based modes of stopping. Life is rated in millions of cycles before common cause (predictable) failure to some percent of all components in the series. Where IIoT functionality is useful, failsafe brakes can also include onboard diagnostics and sensor feedback to track operational status. Brakes having the highest functional safety ratings incorporate multiple springs that mechanically lock machine axes via friction surfaces that interact with stationary elements inside the brake housing. Safety standards also require inclusion of sensors to confirm brake status.

Safety relays and other safety controls

Supporting the functions of safety switches, sensors, and guards are safety relays and other controls. All share a common ability to (when needed) take the machine to a safe state through the removal of electrical or fluid power — or slow or lock a still-powered machine into a safe condition.

Relays for hardwired safety

One option for failsafe control is safety relay modules. These employ electronics with short-circuit and overvoltage protection as well as complementary relays. Hardwired electromechanical relays have been used for decades; they simply wire into automated controls and (in conjunction with emergency stop or light curtains) electrically disconnect machine subsections as needed. Drawbacks include the need for extensive wiring onsite and a lack of reconfigurability. More advanced safety relays sport I/O and a modular design to facilitate flexible integration with sensors, machine controls, and automation networks.

Figure 4: Simple equipment needing just a handful of safety I/O can economically employ electromechanical safety relays such as this one. (Image source: Omron Automation)

Safety controllers for programmable safety

Another option for safety that qualifies as failsafe is the integration of dedicated safety controllers. Such controllers are more suitable than relays for complex automation systems because they can serve larger I/O arrays as well as PLC functions. The one caveat is that these standalone safety controllers necessitate additional