Safety control in discrete manufacturing has the primary goal of protecting humans against hazards when they work at or enter manufacturing sites. Basically, sensors or switches inform a safety control device about the presence of humans in specific zones, or about their attempt to enter such zones. Based on the current status of the automated manufacturing process, the manufacturing line or individual devices are put into a state that reduces or limits potential hazards to a specified, acceptable range. Very often this is achieved by stopping the machines, but sometimes it is also sufficient to reduce the speed of motion or to limit the space of movement of particular mechanisms, e.g. industrial robots or machine tools.
In most cases a machine stop is implemented, using drives with a safe stop function (STO). In the case of industrial robots, the robot controller also performs the safety control of the robot, where supervision of the robot tool position and speed is commonly implemented. It is also known to use drives offering safe speed or position control.
In case of (potentially) severe hazards, an emergency stop is issued, e.g. via an emergency stop button or corresponding sensor devices. It brings the machine into a safe stop state, and a dedicated confirmation is needed to restart the machine.
To achieve its primary goal of protecting humans against hazards, the safety control relies on the sensors and switches being available and functioning properly.
But sensors and switches might fail, for example when an internal diagnostic function detects a power supply failure. The communication between the sensors or switches and the control logic can also be faulty. When implementing safety control, the control logic therefore needs a safety concept for dealing with situations in which the sensors or switches are not available, for example after an internal stop, which is also called passivation.
Another reason may be that the communication between the sensors or switches and the control logic is in a faulty state. Passivation, in other words the unavailability of sensors or switches, or disturbed communication between the sensors or switches and the control logic, is summarized under the term “failure situation”, to keep it distinct from the “hazard situation” explained earlier.
The control logic also comprises a pre-defined reaction for such a failure situation.
In the known state of the art, the reaction to a failure situation is the same as the reaction to a hazard situation. So if faulty communication with a safety sensor, or a failure in the sensor device itself, is detected, the corresponding emergency function mode is activated even though no hazard situation has been detected. This is a machine stop according to stop category 0 or 1, combined with manual resetting and restart of the machine. The productivity of the machine is reduced.
But often a failure situation, for example the unavailability of a sensor, is only temporary and is resolved more or less automatically within a certain time. In the state of the art the machine is stopped anyway, causing unnecessary production losses.
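To make the state-of-the-art behaviour described above concrete, the following added example (not code from the original text) models a control logic that treats a failure situation (passivated sensor or lost communication) exactly like a hazard situation: either one latches a safe stop that only a dedicated manual reset can clear. The `SensorInput`, `SafetyLogic` and `simulate` names, the cycle-based timeline and the counting of cycles spent stopped after the sensor is already healthy again are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Mode(Enum):
    RUN = "run"
    SAFE_STOP = "safe_stop"  # stop category 0/1, latched until manual reset


@dataclass(frozen=True)
class SensorInput:
    valid: bool   # False = passivated / communication fault ("failure situation")
    hazard: bool  # True = human detected in the zone ("hazard situation")


@dataclass
class SafetyLogic:
    """State-of-the-art reaction: hazard and failure are handled identically."""
    mode: Mode = Mode.RUN
    reason: Optional[str] = None   # why the stop was entered: "hazard" or "failure"
    avoidable_cycles: int = 0      # cycles stopped although sensor is valid and no hazard

    def step(self, sensor: SensorInput, reset: bool = False) -> Mode:
        if self.mode is Mode.SAFE_STOP:
            # Latched: restart needs a manual reset, and only with a valid,
            # hazard-free sensor. A reset while passivated is ignored.
            if reset and sensor.valid and not sensor.hazard:
                self.mode, self.reason = Mode.RUN, None
            elif sensor.valid and not sensor.hazard:
                self.avoidable_cycles += 1  # failure already gone, still stopped
            return self.mode
        if not sensor.valid:
            self.mode, self.reason = Mode.SAFE_STOP, "failure"
        elif sensor.hazard:
            self.mode, self.reason = Mode.SAFE_STOP, "hazard"
        return self.mode


def simulate(timeline: List[SensorInput], resets: Set[int] = frozenset()) -> Tuple[List[str], int]:
    """Run the logic over a constructed cycle timeline; resets = cycles with a manual reset."""
    logic = SafetyLogic()
    modes = [logic.step(s, reset=(i in resets)).value for i, s in enumerate(timeline)]
    return modes, logic.avoidable_cycles


# Constructed timeline: sensor passivated for cycles 1-2 (transient
# communication fault), healthy and hazard-free again from cycle 3 onward.
OK = SensorInput(valid=True, hazard=False)
PASSIVATED = SensorInput(valid=False, hazard=False)
TRANSIENT_FAULT = [OK, PASSIVATED, PASSIVATED, OK, OK, OK, OK, OK]

if __name__ == "__main__":
    print(simulate(TRANSIENT_FAULT, resets={7}))  # stays stopped until the reset in cycle 7
```

Although the sensor is healthy again from cycle 3, the machine stays in the latched safe stop until the operator resets it in cycle 7, which is the production loss the text refers to.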