“Safe Motion” is a concept that allows humans and machines to work in close proximity to each other. However, not all robot manufacturers interpret and define safe motion the same way. ASSEMBLY recently asked a group of experts to share their thoughts on the subject.

“Safe Motion” is a concept that has been around for several years. It traces its roots to the European machine tool industry, where vendors have developed a wide variety of motors, drive systems, controllers and motion actuation devices that improve safety. They allow human operators to work in close proximity to machines while performing routine tasks, such as maintaining equipment or loading parts. However, not all robot manufacturers interpret and define safe motion the same way.

ASSEMBLY recently asked a group of experts to share their thoughts on the subject. Participants included Chris Anderson, thermal technology leader at Motoman Inc. (West Carrollton, OH); Claude Dinsmoor, general manager of controller product development at FANUC Robotics America Inc. (Rochester Hills, MI); Gil Dominguez, safety consultant leader at Pilz Automation Safety (Canton, MI); Michael Gerstenberger, senior engineer at KUKA Robotics Corp. (Clinton Township, MI); Jerry Hendrickson, engineering program manager at Adept Technology Inc. (Livermore, CA); Brian McMorris, robotics industry manager at SICK Inc. (Minneapolis); and Robin Schmidt, chief engineer at ABB Robotics Inc. (Auburn Hills, MI).

ASSEMBLY: What is the concept of “safe motion?” How does it apply to robotics?

Anderson: Safe motion provides an assurance that the motion will be completed as programmed. Control-reliable is an industry-wide term that refers to circuits that will behave in a safe manner. Robot safety standards have definitions of control-reliable circuits as they pertain to robotics. Safe motion is achieved by having a redundant microprocessor performing the same control routine for the robot, and cross-checking frequently to verify that the robot is reacting as directed. Similarly, redundant sensors can be used and cross-checked to detect presence in a control-reliable fashion.

Dinsmoor: Safe motion systems use safety-rated software that has been designed and tested in accordance with accepted standards, such as ISO 13849, that define the operation and reliability of the software with respect to failures that may cause a dangerous condition. Such systems are typically designed with dual microprocessors, software, and significant real-time checking between processor-software pairs. These fault-detecting designs use well-established principles driven by the aerospace and transportation industry, and provide reliability in the detection of and response to failures within the overall system that could lead to unsafe movement of a robot.

Dominguez: Safe motion is the capability of providing motion control functions at an integrity level high enough to reliably provide risk reduction in safety-dependent applications. An integrity level is the measure of the predicted failure rate of a control function. Risk, the possibility of harm in relationship to the potential degree of severity, must be reduced to a tolerable level in a safety application. A given integrity level ensures that the possibility of harm occurring is sufficiently reduced to be tolerable for a safety-related function. These integrity levels and design requirements are now defined in a new standard, IEC 61800.

Safe motion extends the safeguarding of hazardous motion beyond the traditional dropping of power to the motors when personnel are exposed to a hazard. Protective measures implemented in traditional control systems, such as reduced speed and hold-to-run functions, can be further enhanced through this higher integrity. Setting safety-rated axis limits and defining safety zones in three-dimensional spaces allows manufacturers to reduce the restricted space of a robot to provide maximum clearance while minimizing the workcell.

The new ISO 10218 standard allows for collaborative operation between robots and humans. In this application, the robot may be allowed to stay in automatic, with power available to the motors and possibly continue its motion. The robot may safely limit its speed and, if necessary, stop in a safe standstill mode (safe operational stop) while the operator works on a part in the robot’s gripper. A safe operational stop is characterized by the halting of motion, while keeping torque output on the motors. Coupled with sophisticated presence-sensing technology, all the variations of this application have not been thought of yet.

Gerstenberger: The term “safe” implies that some form of failsafe technology is being applied. Typically, this will mean some form of redundant circuitry or processing, such that no single fault will result in an unsafe condition. So, “safe motion” means that the motion, such as speed or position, of a mechanism is being monitored to conform to what has been requested. In the field of robotics, this is being implemented in applications where humans need to interact directly with robots.

Another new application allows an operator to guide the robot by hand with the robot in automatic mode. Here, safe motion is used to ensure that the robot speed never exceeds a preconfigured limit, such as 250 millimeters per second or lower, and that the robot never moves outside a preconfigured space.

Hendrickson: For industrial robots, safety is governed by RIA standards for safe use. An application such as medical surgery requires a “shared workspace” with a surgeon, technician or anyone who enters the robot’s work envelope while the robot power is enabled. Standards with regard to people and animals within the robot’s work envelope have not been established yet. One of the traits of safe motion is the ability of a robot to reach its target without collision or harm. Another trait might be the accuracy of the motion trajectory or the accurate position at the end target point. An additional trait would be the ability of the robot to respond to being led by a person’s touch, in a safe manner.

Additional traits will become apparent, such as the ability of a robot to extract itself from an unsafe situation. For example, a person inadvertently moves toward a robot holding a sharp end effector. The robot might move out of the way or retract the sharp end effector, if the path were clear to do so, thereby protecting the person from unsafe motion.

With industrial robots, safe motion occurs with controlled kinematic motion and separation of people from the robot’s work envelope. This is done by active and passive systems, like interlock barrier enclosures and light curtains. In an industrial setting, the only time people need to be in the robot’s work envelope is when servicing or teaching the robot. In this case, there are two modes: Automatic mode, which has full speed-power available to the robot, and manual mode, which has reduced speed-power robot operation. Industrial robots are currently unequipped to sense and react to the environment sufficiently for safe motion with humans.

Robots are not inherently safe. Robots are unaware of their surroundings and environment. Robots need to be treated as a component in a “safe system.” Safe systems need to take into account internal variables, such as controls and redundant safety systems to ensure, for example, a correct robot trajectory. Safe systems also need to take into account external variables, such as interference events. It is best to detect and avoid an event such as a collision before it happens. Stop on detection of collision must be used in conjunction with low energy operation to prevent or minimize harm and is a less desirable solution. It goes without saying: If you have detected a collision, it’s too late.

McMorris: The idea of limited robot motion, or “safe motion,” requires sensors that detect the position of the robot in 3D space and its velocities in all vectors. [In addition], that detection must be redundant to eliminate the possibility of failure to hazard. Until very recently, the safety practices solved the problem of limiting robot motion by eliminating dynamic obstacles (humans) from the work area. This has been done through fencing, enclosed rooms with limited access, and safety or disabling devices that cause the robot to come to a complete stop before the human can enter the workspace occupied by the robot and its tooling or payload.

But, new standards allow robots and humans to interact in the same workspace. For this to happen, robots are being equipped with safety encoders on every axis of motion for redundant monitoring of motion and safety operating systems (the software that controls motion in respect to other objects and does so in a fail-safe fashion). Advanced sensors, such as safety laser scanners and safety vision systems, are required to continually monitor and feed back to the robot controller the workspace in two or three dimensions.

Schmidt: The robotics industry has continually improved the performance and safety of robots as we implement new technologies. In the past, the typical approach to ensure the safety of people working with or near robots was to make sure there was no possibility of motion occurring by disabling the machine. New technology has given us the ability to create redundant systems to ensure safety without completely disabling the machine. This new generation of machine control using safe motion allows safer, close interaction with people and machines.

There are a couple of ways to implement a safe motion system. An example would be similar to the technology used with some safety PLCs. They use two microprocessors of different types and different operating systems that cross-check each other. This cross-checking will detect any difference in the logic or monitoring function and cause the system to stop safely. This system is used in parallel with the existing motion control system to, in effect, have three systems making sure the motion that is happening is correct. Additional sensors can be used to validate the position of the robot and make sure all the systems are synchronized.