A new approach to robotic safety: SafetyBUS p at BMW

The author

Richard Piggin, Chairman of the SafetyBUS

p Club International e.V., Northampton, UK.

Keywords

Keywords: Robots, Safety, Fieldbus, Automation, Automotive

Abstract

Availability, reliability, flexibility and comprehensive diagnostics are the most significant demands placed upon safety systems today. Increasing payloads, work ranges and cycle times of robotic processes necessitate a different approach to safety, particularly other than that offered by conventional safety relays and fencing. The development of fieldbus for safety-related applications and new International and European Standards have fundamentally changed the manner in which safety is now being engineered in the plant. BMW are the first to directly integrate robotic safety functions using a safety-related fieldbus.

Electronic access

The research register for this journal is available at

http://www.emeraldinsight.com/researchregisters

 

The current issue and full text archive of this journal is available at

http://www.emeraldinsight.com/0143-991X.htm

 

 

Introduction

The changing characteristics of robot processes, with increasing payloads, work ranges and cycle times necessitate a more flexible approach to safety, which cannot be addressed with traditional methods.

Conventional safety relay technology has also restricted functionality of safety systems, particularly in terms of flexibility and diagnostics. Kuka Roboter GmbH have developed a safety system for industrial

robots incorporating the safety-related fieldbus, SafetyBUS p, in cooperation with Pilz GmbH. The Electronic Safety Circuit (ESC) coupled with SafetyBUS p and Pilz Programmable Safety System (PSS) safety controllers are now being used by BMW at their Body in White (BIW) line in Dingolfing, Germany.

 

Fieldbus networks are now widely used for transmitting control data, but not safety-related data. Conventional fieldbus technology is generally prohibited for safety-related use, unless the bus system is

designed to meet the requirements of a safety system. Machine safety systems will benefit from the simplification that fieldbus can provide, along with other generic benefits such as ease of maintenance, faster installation and reduced downtime. More advantages can be realized when fieldbus is utilized in a sophisticated manner, as in the BMW application, where the changes in technology enable, flexible approaches to safety engineering.

 

Specifically designed safety-related fieldbus are required, and must meet new international standards, such as IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related

systems) or the sector specific/horizontal implementations. Standards based upon IEC 61508 are currently in preparation for the process and machinery sectors (IEC 61511 and IEC 62061, respectively), and the safety functionality of electrical power drive systems (IEC 61800-5-2). These new standards enable safety technology developments to be utilized, where some standards have previously restricted their use. Safety standards in the past have not reflected the state of the art in programmable control and data communications.

 

BMW SafetyBUS p

BMW have utilized SafetyBUS p (Plate 1) within a modular automation concept for the seven series chassis or BIWproduction line. A goal of the modular automation concept is the increased transparency, leading to the reduction of obstructions, affording greater visibility and ease of maintenance. This requires a flexible  approach to safety engineering, with the traditional fences being replaced by protective windows, with loading stations and doors being supplanted by high speed safety gates, light curtains or scanners. Important considerations in the development of the ESC/SafetyBUS p by Kuka were the changing demands of automotive manufacturers, such as increasing payloads (greater than 125 kg), work ranges and cycle times of robotic processes (up to 20 cycles per min). The ESC/SafetyBUS p gateway was developed to address these needs, in order that alternative approaches could be utilized, such as the facility to monitor limits (in addition to interfacing robot safety signals, the gateway provides 14 inputs and 2 outputs).

 

The system architecture on a typical line comprises 50 assembly stations, with an Industrial Personal Computer (IPC) for process monitoring, diagnostics, archiving, loading of programs, and data exchange between the different control layers. Industrial Ethernet links the IPC to the Siemens S7 Programmable Logic Controller (PLC), which interfaces to the PSS Safety Controller via 2MB Interbus fiber for diagnostic and status information. Other Interbus devices comprise, operator consoles, valve terminals,

drives and portable welders. BMW have chosen to implement a clear separation between standard control and safety, with the design of the plant in accordance with risk assessment to EN 954-1 Category 3 or 4 as appropriate. SafetyBUS p is suitable for use in safety systems up to Category 4, connecting 40 safety-related devices per network to the Pilz Safety Controller. The safety devices on the SafetyBUS p network include emergency stops, light curtains, scanners, safety gates using safety I/O and the Kuka robot ESC/ SafetyBUS p gateway. These are interfaced at each workstation, robot or conveyor station. This approach provides flexibility and scope for future expansion, regardless of the specific interfacing requirements of individual stations and location of emergency stops.

 

Safety fieldbus

Conventional fieldbus networks are not suitable for safety-related controls, since additional error detection and avoidance mechanisms are required. While conventional networks have appropriate error detection and correction methods, without modification they lack the ability to detect independently and rapidly the network, cable, or safety device failures. An independent safety layer (Figure 1) is necessary to detect connection or device failures and implement the required emergency shutdown action to avoid danger. The additional safety protocol layers must detect and provide protection against the errors such as repetition, loss, insertion, incorrect sequencing, message corruption, delay and the coupling of safety and standard data. At least one measure must be implemented as a defense against each error. These include a running number sequence, watchdog timer, reception acknowledgement, data integrity assurance, redundancy and different data integrity assurance systems for safety and standard messaging.

 

Plate 1 Safety-related networking with SafetyBUS p BMW

 

 

Robotic safety functionality

The interfacing choices for the various safety functions (Figure 2) include the traditional safety relay approach, a centralized safety controller, which can be directly hardwired or distributed via safety-related fieldbus. When SafetyBUS p is used to interface the robot, either several remote safety I/O or a single SafetyBUS p gateway can be used.

 

The Robotic Integration Specification developed by SafetyBUS p established a standard profile for the robot interface input/ output image (Figure 3). This incorporates basic functions such as:

  • robot status

  • local and remote emergency stop

  • drive status

  • operating mode

  • robot reset

  • status of guarding equipment

In addition to these functions, it is also possible to assign special functions within the same robotic profile. The significant number of digital I/O in the profile enables the monitoring and connection of various peripheral devices, such as welding transformers and valves. The standardized diagnostics are stored locally to the robot in non-volatile memory, these include device specific robot or communication errors that are available via the safety network for analysis.

 

Robotic safety implementation approaches

 

(1) Safety Relays are centralized in a control cabinet close to the robot requiring parallel wiring to a cabinet and within the same cabinet. The safety logic is achieved with 24V signals, further parallel wiring is required for limited diagnostic functions.

 

(2) Modular Safety PLC, the safety controller would be mounted in the cabinet, with parallel hardwiring. This solution offers ease of programming using certified software blocks for the relay logic. Online diagnostics are available and communicated to (PLCs) and Human Machine Interface (HMI) over conventional fieldbus. A distinct  advantage is the continuous monitoring and self-testing. Being electronically based, this method offers wear free semiconductor outputs.

 

(3) Safety PLC with remote I/O using SafetyBUS p. This has similar benefits to the centralized safety PLC approach, with the same controller and conventional fieldbus connectivity, however installation and commissioning are facilitated by the use of fieldbus wiring. SafetyBUS p provides three core cabling to the control cabinet and direct interfacing to limit switches and the Kuka Electronic Safety Circuit (ESC) via two SafetyBUS p remote I/O units. Additional diagnostics are also available.

 

Figure 2 Safety-related robotic functions

 

(4) Safety PLC with direct SafetyBUS p interface to robot ESC. The same advantages apply to the use of a programmable safety controller with SafetyBUS p, (ease of programming, rapid and simplified cabling, wear free contacts, continuous monitoring and self-testing) with significant benefits from the direct interfacing of the robotic safety circuits (Figure 4). These include:

  • Increased productivity and lower lifecycle ownership cost due to the improved ease of maintenance, facilitated by reduced system complexity and comprehensive diagnostics.

  • Increased flexibility, modification of safety logic is achieved without the need to change hardware, and the use of fieldbus for safety communications reduces the changes necessary, should system modifications be required.

  • No additional safety I/O modules required (limit switches are supported by the ESC gateway).

  • Ease of robot safety programming via robot software block.

  • Comprehensive diagnostics with continuous monitoring and self-test of components and safety communication.

  • Reduced installation and commissioning due to easier safety logic programming/realization, simplified wiring and testing.

SafetyBUS p

SafetyBUS p is a CAN-based technology, enabling up to 64 network devices on a single network with a maximum length of 3.5km (without the use of fiber, bridges or routers that can extend the network further). SafetyBUS p allows the configuration of devices and complete networks remotely, with embedded intelligence in devices providing rich machine/plant diagnostics. Intelligent devices can alert operators to deteriorating performance using device parameters and preventative diagnostic data. Utilizing pre-configured diagnostic messaging ensures the provision of comprehensive diagnostics without the requirement to design specific messaging (although the facility enables these messages to be customized rapidly), which is sometimes deemed non-critical at equipment commissioning. Direct fieldbus interfaces allow the full suite of device functions to be monitored, such as safety drives and robotic interfaces, which is not easily achieved via I/O interfacing (Plate 2). Comprehensive diagnostics enable users to plan equipment maintenance before failures occur. Traditional hardwired safety circuits cannot provide the specific diagnostics or flexibility available from programmable systems.

 

Safety fieldbus benefits

Safety-related fieldbus offers significant advantages over traditional hardwired safety systems, which should now be familiar to fieldbus exponents. The removal of parallel hardwiring in controls using conventional fieldbus affords design flexibility, modularity, ease of testing and maintenance, with associated cost reductions. The same benefits can be realised in machine safety circuits with safety-related fieldbus.

 

Figure 3 SafetyBUS p robot profile input/outputs

 

Machine safety circuits become less complex, with far fewer cables and connections, which in turn reduce the associated design, commissioning and installation costs. The use of safety-related fieldbus will improve reliability and greatly assist maintenance, simplifying reconfiguration over the lifetime of the system. Where intelligence is distributed down at the device level, comprehensive diagnostics are available, enabling rapid fault rectification, making maintenance faster and easier.

 

Additional functionality and flexibility can be realized with the use of programmable safety controllers. SafetyBUS p adds these advantages, while providing continuous monitoring of safety circuits. Timely detection and display of diagnostics can be achieved with the combination of the PSS safety controller and HMI. Status and safety diagnostics from the PSS safety controller can be easily integrated into PLC/PC-based systems, using a conventional (non-safe) fieldbus. With such facilities built in, the need for diagnostics to be "designed in" is avoided, saving significant additional engineering expense. Further savings are likely as the range of safety devices increases from distributed I/O and emergency stops, to include more intelligent devices such as light curtains, safety-drives and robot interfaces (already available for SafetyBUS p). Safety fieldbus architectures with bridges, routers, gateways and various media options will meet the needs of most applications and provide flexibility to support future upgrades.

 

Figure 4 Robotic safety implementation

 

Plate 2 Kuka ESC/SafetyBUS p interface (showing the SafetyBUS p cable and connector top center)

 

Conclusion

Integrated robotic safety utilizing SafetyBUS p and the Kuka ESC provides an alternative approach to robotic engineering, meeting the increasing demands of robotic processes. The requirements of reliability, flexibility and comprehensive diagnostics, can no longer be met with conventional relay based systems. The development of the robotic profile for SafetyBUS p fulfils these essential needs, whilst supporting definable functionality for specialized and future requirements. 

 

This article was written and provided by Richard Piggin, Chairman of the SafetyBUS Association.  The purpose of the association is to promote the use and the distribution of the SafetyBUS p safety-oriented bus system. The association also has the target of integrating of the SafetyBUS p safety-oriented bus system into existing and future automation technology.  FOr more information about SAfetyBUS, please visit: www.safetybus.com.