The present invention relates to a safety circuit that monitors a number of sensors for intrusion of objects or people into the workspace of a robot and controls the drive power to the motion control system via an emergency-stop circuit.
Safety switches or safety sensors serve for shutting off drive power to machinery when people or objects enter a designated work place zone. Typically, a safety switch is connected to the door or opening that provides access to the work place zone. The safety switch is typically tripped when the door is opened, shutting off drive power to the machinery. Devices of this type are used to prevent people or objects from entering the work place zone while the machine is in operation, decreasing the potential for injury and/or damage to the machinery. Other non-tactile-type intrusion sensors are infrared or ultrasonic, whose sensing zone could be a light curtain or fence, or it could be a quadrant or cone. Typically, drive power to machinery is removed when intrusion is detected, which requires a skilled operator to restart the machinery. Frequently occurring nuisance trips can defeat the advantages of having an automatic machine doing unattended or mundane tasks such as automated refueling for automobiles, because the store attendant is forced to frequently come outside to restart drive power. (It is generally accepted that a consumer is not qualified to restart drive power.)
In an industrial controls environment, presence sensing device initiation (PSDI) is a mode of operation where an intrusion sensor acts as a safeguarding device, but it is also used in a control configuration such that intrusions are monitored so that the "control starts a robot cycle when the sensing field is clear without the need of pressing any additional cycle enable or run buttons" (ANSI/RIA R15.06/1999). This is used to safeguard an operator who is feeding parts to a robot for processing. It is a mode of operation used to start motion for an imminent robot cycle. So far, it lacks sufficient details for implementation, specifically regarding inhibiting motion during the operator's intrusion.
There are a number of patents in this field including U.S. Pat. Nos. 4,263,647; 5,451,879; 4,616,216; 5,263,570; 4,912,384; 5,319,306; 5,278,454; 5,426,355; 4,481,449; 5,880,954; 4,818,866; 4,898,263; 5,280,622; 6,173,814; 4,437,089; 5,218,196; 5,408,089, all of which are incorporated herein by reference. Also incorporated herein by reference is U.S. Pat. No. 6,392,318 entitled "Programmable Emergency-Stop Circuit."
All references cited herein are incorporated by reference in their entirety, to the extent not inconsistent with the explicit teachings set forth herein.
The safety circuit of the subject invention provides a means for monitoring a number of sensors for intrusion of objects or people into the workspace of a robot, monitors the motion control system, and controls the drive power to the motion control system via an emergency-stop circuit. The safety circuit navigates between permitting the machine to move, inhibiting it for Level 2 Intrusions (precautionary type), and killing drive power for Level 1 Intrusions (serious type). Such navigation establishes a methodology for automated recovery from precautionary situations.
Now, there is a need for a machine to remove drive power when an intrusion incident becomes serious but to automatically recover from cleared precautionary intrusion incidents without requiring a skilled operator's deliberate action. There is a need to provide a framework for implementing this functionality.
At a minimum, such a machine consists of an emergency-stop circuit, at least one intrusion sensor, a safety circuit, and a motion control system that is responsible for effecting the motion to carry out the machine's function. When necessary to avoid the most hazardous situation, the safety circuit kills drive power by utilizing a control signal to the emergency-stop circuit, which in turn stops the flow of bulk power to the motion control system. The emergency-stop circuit also possesses a second, independent interface to start and stop this flow of bulk power.
Accordingly, it is the first object of the invention for the safety circuit to take over parts of the motion control system from time to time with the purpose of stopping and disabling motion for each axis but permitting bulk power to remain flowing (HALT state), where the safety circuit subsequently releases control back to the motion control system sometime thereafter (ACTIVE state) so that productivity may resume.
To make further use of this, it is the second object of the invention to provide the safety circuit with at least one intrusion sensor, such that from the sum of all intrusion sensors, the safety circuit can determine the severity of a single or multiple intrusion incidents, where it decides whether the intrusion is severe or precautionary. Here, the safety circuit continues scrutiny for a precautionary intrusion incident in case it becomes severe.
To make further use of this, it is the third object of the invention for the safety circuit when in an ACTIVE state to take over when an intrusion incident occurs so that all axes are stopped (HALT state), to remain in the HALT state if any incident is precautionary but no incident is severe, to kill drive power when an incident is severe (KILLED state), and to release control back to the motion control system if all incidents clear thereby enabling automatic recovery (ACTIVE state). It is the further object of the invention for the safety circuit after entering the KILLED state to remain in the KILLED state until drive power is restarted (ACTIVE state) and while in the KILLED state to force drive power off when an intrusion is sensed and to not force drive power off after all intrusions have cleared. It is the further object of the invention for the safety circuit to enter a KILLED state when drive power is lost as sensed by the safety circuit (e.g. emergency-stop button utilized) or prior to the 1st energizing cycle after logic is first powered.
It is the fourth object of the present invention for the safety circuit to emit a visual and/or audible signal when in the HALT state to alert an intruder that productivity is halted.
It is the fifth object of the present invention to model the motion control system as a sensor in order to detect continuously that proper motion control is being conducted. Here, the complex motion control system is considered "potentially unsafe", but the safety circuit's subsequent monitoring renders the overall system "safe". When properly operating, the "sensor" reports status to demonstrate that the motion control system can definitely control, move, stop, disable, enable each axis of the machine and also definitely handle the case when an axis has a "motion control fault" (e.g. disabling feedback that stops motion when an axis exceeds an error limit or a limit switch trips due to accidental, controlled movement past a positional limit).
It is the sixth object of the invention for the safety circuit to declare a "safety circuit fault" when uncertain of the proper operation of the motion control system or any other sensor such that a hazardous situation may exist. The safety circuit kills drive power and enters the ERROR state. While in the ERROR state, it continues to force drive power off, and it remains in the ERROR state until the fault is logged and corrected, if necessary, at which time it returns to the KILLED state.
When the motion control system does have full control of the axes (ACTIVE state), a first scenario for risk assessment is in effect, which considers that a person is safely outside the workspace of the machine but further considers that he may enter the workspace at any time. During this time, normal machine movements and processing are carried out. Here, the assessment considers it hazardous when the safety circuit senses an uncertainty in the location, velocity, or force of an axis (e.g. bad sensor), does not get data or gets corrupt or incoherent data from the motion control system, or senses that the motion control system does not see or cannot handle a motion control fault (e.g. fails to stop an out-of-control axis). These are hazardous situations, established based on application criteria, and each is a safety circuit fault, because it is not certain that the safety circuit can take over to disable motion and safely stop all axes in the event that the person does eventually enter the workspace.
When the motion control system itself recognizes, based on application established thresholds, a loss in its ability to reliably control motion, it declares a severe motion control fault and requests the safety circuit to remove or kill drive power. Accordingly, it is the seventh object of the present invention to enable the motion control system to explicitly tell the safety circuit either to kill drive power (KILL motion control state) or that the motion control system is ready (READY motion control state).
When the safety circuit does take over during a precautionary intrusion (HALT state), a second scenario for risk assessment considers that the person has just entered the workspace of the machine but is not in immediate danger. In this case, assessment considers it additionally hazardous when any sensory data from the motion control system shows continued motion or a potential for additional motion, such as positional data showing continued movement. Exceeding an application established threshold for any of these is a safety circuit fault.
Additionally, certain handshaking between the motion control system and the safety circuit improves overall safety. Accordingly, it is the eighth object of the present invention for the motion control system to acknowledge explicitly a take over by the safety circuit (HALT ACK motion control state) and to acknowledge regaining control (READY motion control state). A failure of the motion control system to do either constitutes a safety circuit fault, unless a KILL request is made.
It is the ninth object of the invention for the safety circuit to periodically test a sensor to ensure proper operation of the sensor. The safety circuit conducts a test of the motion control system by simulating a precautionary intrusion. The motion control system passes the test after: (i) it is determined all axes are stopped after the safety circuit takes over and (ii) subsequently when the motion control system properly regains control.
It is the tenth object of the invention to provide further handshaking between the motion control system and the safety circuit in order to ensure their synchronization and provide the motion control system a state to reinitialize. Accordingly, the motion control system explicitly communicates READY or NOT READY to the safety circuit, and the safety circuit accommodates by navigating between ACTIVE and DISABLED states, respectively, where all other changes of state criteria have priority. Additionally, a requirement for a READY motion control state is satisfied with a NOT READY motion control state, where the safety circuit navigates to the DISABLED state instead of the ACTIVE state. When in the DISABLED state, since the motion control system is not ready to servo, the safety circuit declares a safety circuit fault whenever sensory data from the motion control system shows motion or a potential for motion, such as an enabled servo amplifier. It is further the object that the safety circuit when in the KILLED state additionally forces drive power off until the motion control system reports a NOT READY motion control state so that it is certain the motion control system has seen the loss of drive power condition before drive power can be restarted.
It is the eleventh object of the invention for the resulting system to be used as an automatic refueling system for automobiles.
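The state navigation set out in the third, sixth, seventh and tenth objects can be written as a single transition function. The following C sketch is an added illustration, not code from the patent: the type and function names (sc_state, sc_inputs, sc_step) are hypothetical, a severe intrusion is assumed to go directly to KILLED from any running state, and the HALT ACK handshake and the NOT READY interlock on restart are left out.

```c
#include <stdbool.h>

/* Safety circuit states named in the text (ERROR_ST stands for ERROR). */
typedef enum { ACTIVE, HALT, KILLED, ERROR_ST, DISABLED } sc_state;
/* Motion control states used here; HALT ACK is omitted in this sketch. */
typedef enum { MCS_READY, MCS_NOT_READY, MCS_KILL } mcs_state;

typedef struct {
    bool severe;         /* Level 1 (serious) intrusion sensed */
    bool precautionary;  /* Level 2 (precautionary) intrusion sensed */
    bool power_on;       /* drive power sensed as present */
    bool fault;          /* safety circuit fault declared */
    bool fault_cleared;  /* fault logged and corrected */
    mcs_state mcs;       /* state reported by the motion control system */
} sc_inputs;

/* One evaluation step. *force_off is the control signal telling the
 * emergency-stop circuit to hold drive power off. */
sc_state sc_step(sc_state s, const sc_inputs *in, bool *force_off)
{
    bool intrusion = in->severe || in->precautionary;
    /* READY selects ACTIVE, NOT READY selects DISABLED (tenth object). */
    sc_state run = (in->mcs == MCS_NOT_READY) ? DISABLED : ACTIVE;
    sc_state next;

    if (s == ERROR_ST) {
        /* Leave ERROR only once the fault is logged and corrected. */
        next = (in->fault_cleared && !in->fault) ? KILLED : ERROR_ST;
    } else if (in->fault) {
        next = ERROR_ST;            /* fault outranks everything else */
    } else if (in->severe || in->mcs == MCS_KILL || !in->power_on) {
        next = KILLED;              /* severe, KILL request, or power lost */
    } else if (in->precautionary) {
        /* Running states halt; KILLED never recovers during an intrusion. */
        next = (s == KILLED) ? KILLED : HALT;
    } else {
        next = run;                 /* all clear: automatic recovery */
    }

    /* ERROR always forces power off; KILLED forces it off only while an
     * intrusion or a KILL request persists, so a restart is possible. */
    *force_off = next == ERROR_ST ||
                 (next == KILLED && (intrusion || in->mcs == MCS_KILL));
    return next;
}
```

The caller starts in KILLED, which matches the requirement that the circuit be in the KILLED state before the first energizing cycle after logic power-up.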