COBOTs - Safety Rated Monitored Stop

This blog continues my series of robot safety posts. In my last blog, I jumped ahead to the more exciting SSM (speed and separation monitoring) safety function. This month I need to get back to basics and discuss stopping functions. Stopping is something all robots, cobots and mobots must be able to do. Being stopped is the ultimate safe state for both SSM and PFL (power and force limiting, which I will cover next month) and therefore has the highest SIL or PL of any implemented safety function. Of course, stopping alone is not sufficient: the robot and its load must stay stopped until it is safe to move again. There is a similar requirement to stay stopped after power is applied.

The basic types of stops are covered in IEC 60204-1 which defines categories 0, 1, and 2 stops.

Figure 1 - Stopping functions from IEC 60204-1

These stopping functions are expanded on in IEC 61800-5-2 (functional safety of variable speed drives) where we have the following:

STO – safe torque off – This is equivalent to stop category 0 from IEC 60204-1 with the power removed and everything coasting to a stop. This means the stop can be slow.

SS1 – safe stop 1 – This uses the capabilities of the drive to stop faster than simply removing the power; once stopped, it reverts to STO.

SS2 – safe stop 2 – Similar to SS1 but uses SOS as the final destination rather than STO.

SOS – safe operating stop – This is an interesting stop because it uses the functionality of the drive to actively resist movement.

STO could be implemented by opening a contactor or, for lots of modern drives, with PWM disable/pulse blocking. Pulse blocking can be implemented using isolated gate drivers such as the ADuM4135 by asserting the control signals so that the output goes to the off state. In a previous blog I looked at one such circuit from Annex B of IEC 61800-5-2, but that used the older opto technology rather than digital isolators.

The topic of this blog is safety-rated monitored stop from the robot safety standard ISO 10218 so let's look at its description from the standard.

Figure 2 - Description of SSM from ISO 10218-2

Safety rated monitored stop does not require the drive power to be removed but does require that the stop is monitored, i.e. that the system checks for movement. In effect, it is a category 2 stop from IEC 60204-1 and an SOS from IEC 61800-5-2.

ISO TS 15066 gives additional guidance to ISO 10218:2011 on the use of robots in collaborative applications. This guidance is being rolled into ISO 10218:202X.

Figure 3 - Truth table for SSM from ISO TS 15066

In summary, the robot can enter the collaborative workspace if there is no human present. While there is no person present the robot can keep operating, but as soon as someone enters the area the robot must stop. In a future blog, I will cover the standards related to safety-rated human presence detection including the IEC 61496 and IEC 62998 series.
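The stop-and-monitor behaviour summarized above can be sketched as one function called every safety cycle. This is an added example, not code from the original blog or from any standard. All names, the tolerance values, the deceleration deadline, the latched STO fault reaction and the rule that a stop is demanded only when robot and person are both in the collaborative workspace are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* All names and limits below are hypothetical, chosen for illustration. */
#define STOP_DELTA_MAX   2    /* counts/cycle treated as "stopped" (assumed) */
#define HOLD_WINDOW      20   /* allowed drift from latched position (assumed) */
#define DECEL_CYCLES_MAX 50   /* cycles allowed to reach standstill (assumed) */

typedef enum { CMD_RUN, CMD_HOLD, CMD_STO } srms_cmd_t;

typedef struct {
    bool     holding;   /* standstill reached, reference position latched */
    bool     fault;     /* latched; cleared only by srms_manual_reset() */
    int32_t  ref_pos;   /* encoder counts latched at standstill */
    uint32_t decel;     /* cycles spent decelerating */
} srms_t;

void srms_manual_reset(srms_t *s) { s->holding = false; s->fault = false; s->decel = 0; }

/* One safety cycle: returns the command for the drive. */
srms_cmd_t srms_step(srms_t *s, bool human_in_cws, bool robot_in_cws,
                     int32_t pos, int32_t delta)
{
    if (s->fault)
        return CMD_STO;                      /* assumed fault reaction: category 0 */

    if (!(human_in_cws && robot_in_cws)) {   /* only this combination demands a stop */
        s->holding = false;
        s->decel = 0;
        return CMD_RUN;                      /* automatic resume */
    }
    if (!s->holding) {                       /* controlled deceleration phase */
        if (labs((long)delta) <= STOP_DELTA_MAX) {
            s->holding = true;
            s->ref_pos = pos;                /* latch standstill reference */
        } else if (++s->decel > DECEL_CYCLES_MAX) {
            s->fault = true;                 /* never reached standstill */
            return CMD_STO;
        }
        return CMD_HOLD;                     /* drive power stays on */
    }
    if (labs((long)pos - (long)s->ref_pos) > HOLD_WINDOW) {
        s->fault = true;                     /* moved while it should be stopped */
        return CMD_STO;
    }
    return CMD_HOLD;
}
```

The inputs would come from the presence-detection device and the safety encoder; `CMD_HOLD` corresponds to the powered, monitored standstill and `CMD_STO` to removing torque.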

Safety rated monitored stop collaborative applications utilize a protective stop, which is distinct from an emergency stop. Below is a summary of the various stops.

Normal stop – As the name implies, every machine should have a stop control, with stop taking precedence over any start. The use of this control is frequent and the stop will be a category 0 or 1 stop according to IEC 60204-1.

Protective stop – Typically initiated by laser scanners, 3D TOF cameras or light curtains. Activation is infrequent and for the purpose of risk reduction. Its reset (i.e. allowing movement again) can be automatic. Categories 0, 1 or 2 allowed.

Emergency stop – This is the stop initiated by the big red and yellow button. Its initiation is manual, its reset is manual, and its purpose is for emergency use only. Category 0 or 1 stop only allowed. There is a whole standard, ISO 13850, dedicated to the design of emergency stops.

ISO 10218-1:2011 5.3.8.1 makes having emergency and protective stop inputs mandatory.

There are similar issues outside of industrial applications, with ISO 13842 having the following.

Figure 4 - Performance levels for stopping functions of personal care robots

An interesting question is whether stopping could actually cause a hazard. For instance, a mobot (AGV, AMR, AIV, industrial truck…) might stop where it blocks a fire exit or, if working outside, where it blocks a ramp for wheelchair users, or it might stop on a cross walk/pedestrian crossing, impeding pedestrians and eventually traffic. All these need to be considered in any real-life hazard analysis and risk assessment.

What about movement while the robot has no power applied at all? This could be due to gravity or someone physically moving the robot arm. Both raise issues related to a robot knowing its pose on powerup and I will consider this further in a future blog.

I haven’t covered the time to achieve a safe stop; this was covered in my last blog in this series.

For all previous blogs in this Safety Matters series, see here.

For an excellent IFA document on IEC 61800-5-2 including lots of information on STO and SOS see here. Information on pulse blocking/PWM disable is on pages 23 and 24, even if the examples show old-style opto-couplers as opposed to some of the nice digital isolators from ADI.

Note – one thing about robots is the sheer number of relevant standards. The last time I was at the international robot safety conference they actually had a game of standards bingo. Every time you heard a standard, you checked it off on the bingo card provided in your welcome handbook.