The present invention relates to a method and apparatus for the automated determination of an action region for an emergency stop actuation device in an industrial plant.
The following discussion of related art is provided to assist the reader in understanding the advantages of the invention, and is not to be construed as an admission that this related art is prior art to this invention.
An “emergency stop” is an important and prescribed safety requirement in technical installations. A distinction is generally made between the emergency stop, which stops a plant component and therefore prevents a dangerous movement, and the emergency switching-off, which switches off the plant component, that is, disconnects it from the voltage supply, and therefore prevents risks caused by electrical voltages in the plant. The following description refers only to the emergency stop, which involves stopping a movement as quickly as possible.
The requirements for the emergency stop are standardized in various international standards. DIN EN ISO 13850, “Safety of machinery—Emergency stop function—Principles for design”, specifies, among other things, the form, color, operability and fitting of actuation devices or command devices for the emergency stop, for example a pushbutton, a handle or a switch.
A further relevant standard is DIN EN 60204-1, “Safety of machinery—Electrical equipment of machines”, which is directed towards avoiding dangerous situations and their risks and towards taking safety measures into account during design. It also considers maintenance and repair measures, as well as improved machine reliability and ease of operation.
The abovementioned standards require that emergency stop actuation devices can be reached easily and quickly. They further require that a sufficient number of actuation devices be provided, that the danger points be visible from the location at which a device is actuated, and that the assignment of an actuation device to the plant section it affects be unambiguous.
While the present invention may be applicable to the emergency stopping of any process, device or machine in the plant, for brevity this specification refers to all such plant components generically as ‘machines’. Similarly, while an emergency stop actuation device may take the form of a button, a handle, a software control, a transmitter or any other form of control, for brevity this specification uses the term ‘button’ interchangeably with the term actuation device for all such devices.
An important requirement is therefore that actuating the emergency stop button unambiguously resolves the safety situation. Which device and/or machine is stopped by a given button should be intuitively clear. If no clear boundary of the machine can be perceived (for example by suitable marking), the person triggering the emergency stop expects that all safety-relevant situations in his or her direct field of view will be handled. Conversely, actuating the button should have no further, potentially negative effects on machines in the plant that are not in that person's field of view; a stop that halts an unseen machine can itself create a hazard the operator cannot assess.
The operating region of an actuation device (also referred to herein as its action region or effective region) denotes the set of locations in the plant which are allocated to that actuation device and for which the conditions described above apply. Stated differently, an operating region is the region from which the actuation device may be safely actuated.
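The conditions above can be checked mechanically once a layout is known. The following is an added illustration, not code from the patent and not the invention's method: it models a plant floor as a grid and tests each cell against the three conditions stated above (the button is reachable, every machine in the person's field of view is stopped by that button, and the button stops nothing outside that field of view). The reach and visibility distances, the distance-only field-of-view model, the machine and button positions, and the wiring of buttons to machines are all constructed assumptions; the standards cited on this page prescribe no such numbers.

```python
"""Toy model of the emergency-stop operating region defined on this page.

Added example (not from the patent): the page defines the operating region
of a button qualitatively; this makes the three conditions concrete on a
2-D grid so they can be checked mechanically. Thresholds and layout are
constructed assumptions, not values from any standard.
"""
import math
from dataclasses import dataclass

REACH_M = 10.0  # assumed: a button farther away is not "easily and quickly reached"
VIEW_M = 15.0   # assumed: machines farther away are outside the person's field of view


@dataclass(frozen=True)
class Machine:
    name: str
    x: float
    y: float


@dataclass(frozen=True)
class Button:
    name: str
    x: float
    y: float
    stops: frozenset  # names of the machines this button brings to a stop


def visible_machines(x, y, machines, view_m=VIEW_M):
    """Names of the machines within the (simplified, distance-only) field of view."""
    return {m.name for m in machines if math.hypot(m.x - x, m.y - y) <= view_m}


def check_location(x, y, button, machines):
    """Return None if (x, y) lies in the button's operating region, otherwise
    the name of the first condition that fails, in the order the page states them."""
    if math.hypot(button.x - x, button.y - y) > REACH_M:
        return "unreachable"
    seen = visible_machines(x, y, machines)
    if seen - button.stops:
        return "visible machine not stopped"   # a hazard in view survives the stop
    if button.stops - seen:
        return "stops machine out of view"     # side effect the operator cannot see
    return None


def operating_region(button, machines, width, height):
    """All integer grid cells of a width x height floor that lie in the button's region."""
    return {(x, y) for x in range(width) for y in range(height)
            if check_location(x, y, button, machines) is None}


def uncovered_locations(buttons, machines, width, height):
    """Cells from which some machine is visible but no button is safely usable.
    The 'sufficient number' requirement fails there: the layout needs another
    button or different wiring before it can be released."""
    covered = set()
    for b in buttons:
        covered |= operating_region(b, machines, width, height)
    return {(x, y) for x in range(width) for y in range(height)
            if visible_machines(x, y, machines) and (x, y) not in covered}


# Constructed sample layout: three machines, three buttons, a 31 x 11 m floor.
MACHINES = (Machine("M1", 0, 0), Machine("M2", 30, 0), Machine("M3", 30, 10))
BUTTONS = (
    Button("B1", 2, 0, frozenset({"M1"})),
    Button("B2", 28, 0, frozenset({"M2"})),         # M3 is in view at the button but not wired to it
    Button("B3", 15, 0, frozenset({"M1", "M2"})),   # stops both; usable only where both are seen
)
WIDTH, HEIGHT = 31, 11

if __name__ == "__main__":
    for b in BUTTONS:
        print(b.name, len(operating_region(b, MACHINES, WIDTH, HEIGHT)), "cells")
    print("uncovered:", sorted(uncovered_locations(BUTTONS, MACHINES, WIDTH, HEIGHT)))
```

Note that B2 is unusable at its own mounting point: M3 is in view there but is not stopped, which is exactly the ambiguity the standards forbid. B3 stops two machines and therefore has a region only where both are visible at once; elsewhere it would halt a machine the operator cannot see. Cells reported by uncovered_locations are the ones a safety plan must resolve, by adding a button or rewiring, before the layout is released.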
Presently, a safety plan implementing the requirements predefined by the relevant standard is produced for a plant only after the layout of the installation and machines has been definitively stipulated, that is, only once the local positions of the plant components and the operative relationships between them are known. Such a plan has hitherto generally been produced manually. The plan produced in this manner is then fixed and documented.
In modern flexible plants, which will be encountered more and more often in future (cyberphysical systems, the Industry 4.0 initiative), the layout of the plant is intended to be dynamically changeable, adapted to the utilization of the plant, the product currently being produced or other factors. In such an environment, it is often impossible or impractical to prepare the complete required safety plan in advance.
The problem is intensified further by the use of decentralized structures, for example when each individual machine is treated as a cyberphysical system, that is, a combination of IT and software components with mechanical and electronic parts which communicate via a data infrastructure, for example the Internet. Cyberphysical systems are formed by networking embedded systems via wired or wireless communication links and are characterized by a high degree of complexity. When each such machine has only limited knowledge of the context in which it operates, creating a safety plan in advance becomes very challenging.
Certain production facilities or factories comprise a set of interacting, partially autonomous machines. In a modern production facility, these machines are intended to be dynamically arranged; in particular, the local region in which a machine is used may occasionally change. It is therefore very advantageous to minimize the engineering effort of converting to such a new arrangement and, in particular, to avoid the need for manual planning.
It would therefore be desirable and advantageous to provide an improved method and apparatus to obviate prior art shortcomings and to enable automatic calculation of an effective region for an actuation device (equivalently referred to as emergency stop button or emergency stop device). It would also be desirable and advantageous to provide an improved plant capable of automatically determining at least one effective region of an emergency stop device, and in certain embodiments thereof, to form a safety plan for the plant or portions thereof, from a plurality of automatically determined effective regions. Optionally, a safety plan or the effective region(s) may be manually edited.