1. Technical Field
The present invention relates to improved safety of production equipment by integration of a machine's safety-related parts and safety-related control into one homogeneous safety-related control system (SRCS), where the machine, operator, and SRCS are continuously monitored and whereby any fault within the SRCS is discovered within the system's response time. More particularly, the present invention relates to a system of interrelated electrical, sensing, and mechanical modules designed and deployed to sense the intrusion of an object into a controlled space and upon such sensing to initiate a proper machine control signal, based on the event taking place at the machine. The machine signal is monitored to ensure that it achieved its intended safety function. Still more particularly, the present invention relates to an improved machine safety control that interfaces with 1) an electrosensitive sensing device, 2) safety mechanism initiation devices, 3) safety mechanism monitoring means, and 4) safety mechanism event control means.
2. Description of the Prior Art
Prior art views the machine safety system as an assemblage of component parts that together create a safety system. Standard devices used in such safety systems may include a two-hand control, an electro-sensitive protective device, a safety control, a protective light curtain, a motion monitor, a position monitor, a machine primary control element monitor, a machine control interface, a stop position monitor, or a brake monitor. Various combinations of these standard devices may be used in a given safety system. Each of these devices has a response time which is safety-critical in that it must fulfill its function in the stoppage of the press or other machine as a hand or other body part is rushing into a hazardous area. If even one device in the chain fails to respond within its proper time frame, the press will not stop in time to prevent injury. Most high-integrity devices of this nature have their response times monitored; however, because each is an independent stand-alone component, the response time can only be measured from the elapsed time that the component received its input to some specified time after its output was to occur. For fault-tolerance reasons, it is desirable to allow sufficient time, after the normal response time of the device, for monitoring the device's state. This additional time allows the mechanical parts of the output device or devices to come to a complete rest.
Furthermore, since most of these devices are monitored only for a complete failure to change state within an allotted time period, the actual response time of the device itself cannot be determined. For example, if a safety device with a normal response time of 5 mS is allocated 100 mS as its upper limit for determining a complete failure, then it is difficult to determine the exact response time of that device. The actual response time could be 5 mS, 25 mS, 50 mS, or 99 mS; there is no way to be sure. In an isolated incident, such ambiguity may not be all that safety-critical because of the margin of safety designed into the parameters of a particular employment of the device; however, such ambiguity would likely present various problems if allowed in a multiple safety device system.
A major problem occurs when individual components are linked in a chain of events and each component is monitored only for complete failure to change state. If there is no system for checking the actual overall response time of each event in the chain of events with respect to the start of the event (e.g. sensing function), the machine may accumulate response time error, and the component will validate its own output state at some elapsed time after its input signal. An individual component cannot detect whether its input signal was late and so it may erroneously validate its output signal at some extended period of time after it should have normally responded. Thus, the response time errors are allowed to accumulate. There is no opportunity to cure or detect that accumulation and so the overall stop time may become hazardously long.
Accumulative response time failures can occur in all of the following mechanisms:
1. Delay in code generation for polling light beam channels of a light curtain system.
2. Delay in light beam channel being polled.
3. Delay in sequencing to next light beam channel.
4. Delay in completing full scan of all light beam channels.
5. Delay in processing receiver signal.
6. Delay in transmitting output signal to relay coil of Output Signal Switching Device (OSSD).
7. Delay in OSSD energizing/de-energizing.
8. Delay in OSSD contacts opening/closing.
9. Elapsed time between OSSD input versus verification of OSSD output.
10. Delay in FSD's coil energizing/de-energizing.
11. Delay in FSD's contacts opening/closing.
12. Elapsed time between FSD's input versus verification of output.
13. Delay in Machine Primary Control Element's (MPCE's) energizing/de-energizing.
14. Delay in MPCE's movable contacts opening/closing.
15. Elapsed time between MPCE's input versus verification of output.
16. Delay in Stop Performance Monitoring (SPM) output signal.
17. Delay in SPM processing.
18. Elapsed time between SPM input versus output calculation.
The electrosensitive protection device's change of state is the event which starts the chain of events and should be the event from which all interim switch elements are clocked.
Typically, an electrosensitive protection device's signal processing circuit functions at a fixed "off"/"on" threshold level. The optical receiving elements, upon receiving a certain amount of radiation from their corresponding emitting elements, produce an illuminated "on" signal. When an object, such as a hand, blocks a certain percentage of the light, the amplitude of the illuminated signal drops. Hopefully it drops to the "off" threshold level, and the signal processing circuitry then produces a machine stop signal.
The problem with this fixed "off" threshold level is that the amount of radiation that must be removed from the receiving element is a function of the amplitude of the illuminated signal. For instance, a system with a fixed "off" threshold of 50 mV and an illuminated signal amplitude of 150 mV would require a blockage of radiation equivalent to 100 mV to reach its fixed "off" threshold. Conversely, the same system with an illuminated signal amplitude of 12 V would require blockage of radiation equivalent to 11.05 V to reach its fixed "off" threshold. For light curtain systems this radiation is generally produced by infrared light beams. In the first scenario, very little of the light beam had to be blocked to reach the "off" state. However, in the second scenario, the entire light beam needs to be obscured before reaching the "off" state. Assuming the beam diameters are the same size, it would require a much larger object to obscure all of the light beam in the second scenario than in the first scenario.
This problem is further exacerbated by the physics of light propagation, in which the beam spreads in a conical pattern over space. This results in two spin-off problems. First, the beam diameter becomes larger as the distance between the emitter and receiver increases. Thus, if the signal amplitude remains constant, the object size required to obscure the entire beam diameter increases; the detection capability therefore becomes application dependent, i.e. the detection capability (minimum detectable object size) increases when distance increases. Second, the wider beam can be reflected off nearby surfaces and rerouted to the receiver, so that the intruding object fails to be detected.
The problem is further exacerbated by the fact that photodetector elements are simple devices: they simply react to the presence or absence of light, so other ambient light sources can create a rise in signal amplitude. Ambient light is produced by various sources found in the common industrial workplace, i.e. sun, fluorescent lamps, halogen strobes, remote control devices, photoelectric devices and the like. This rise in signal amplitude will now require that enough of the normal system light plus the ambient light (which may be coming from a different direction) be obscured by the object in order to reach the fixed "off" threshold. This problem is even further exacerbated by systems that amplify their received light signal for transmission to the signal processing circuit. Such systems may amplify ambient light when the source is obscured, thus appearing as an unobstructed signal.
This problem is still further exacerbated if the photodetector circuitry is allowed to go into saturation, an event whereby the photodetector is being struck with so much light that it passes its entire supply current or voltage. The problem here is that no one knows how far into saturation the detector has gone; thus no one knows how much radiation is required to get it out of saturation, nor how much reduction of radiation is required to drop the signal to its fixed "off" threshold. For example, saturation can be compared to a water valve, with water flow (velocity and volume, i.e. PSI) standing in for electricity (current and voltage). The water valve may be half open at five turns, at which point it passes all the water supplied to it. This is the valve's saturation level. One may continue turning the valve until it is fully opened, at 10 turns, but no greater volume of water would flow. Someone else, who wanted to reduce the flow of water, would have no knowledge of how far they had to turn the valve back before the flow again varied with the valve position.
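The following is an added illustration, not the patent's circuitry: it shows why a fixed "off" threshold makes the required blockage depend on the illuminated amplitude, and one way a channel can instead learn its own unblocked amplitude at commissioning, refuse to learn while saturated, and treat any signal well above what it learned as a fault rather than as a clear beam. The supply voltages, fractions and sample values are constructed for the example.

```python
"""Added example: fixed "off" threshold versus a threshold learned from the
channel's own unblocked amplitude, with a saturation guard.  All voltages,
fractions and samples below are constructed assumptions."""
from statistics import median

FIXED_OFF_THRESHOLD_V = 0.050  # the 50 mV fixed threshold from the discussion


def blockage_needed_fixed(amplitude_v, threshold_v=FIXED_OFF_THRESHOLD_V):
    """Fraction of the illuminated signal an object must remove to reach a
    fixed "off" threshold.  Approaches 100 % as the amplitude rises."""
    if amplitude_v <= threshold_v:
        raise ValueError("channel never reads 'on' at this amplitude")
    return (amplitude_v - threshold_v) / amplitude_v


class LearnedChannel:
    """One receiver channel.  At commissioning it learns its unblocked
    amplitude and places "off" at a fixed fraction of that reference, so the
    blockage required is the same at 150 mV and at 12 V."""

    def __init__(self, supply_v, off_fraction=0.5, rise_tolerance=0.25,
                 saturation_fraction=0.9):
        # Above this level the detector is treated as saturated (assumed 90 % of supply).
        self.saturation_v = supply_v * saturation_fraction
        self.off_fraction = off_fraction          # "off" at 50 % of the learned reference
        self.rise_tolerance = rise_tolerance      # allowed rise above the reference
        self.reference_v = None

    def learn(self, unblocked_samples_v):
        """Learn the reference from unblocked scans.  A saturated channel is
        refused: its true amplitude is unknown, so no threshold can be set."""
        ref = median(unblocked_samples_v)
        if ref >= self.saturation_v:
            raise RuntimeError("channel saturated; reduce emitter drive before learning")
        self.reference_v = ref
        return self.off_threshold_v()

    def off_threshold_v(self):
        return self.reference_v * self.off_fraction

    def classify(self, sample_v):
        """Return 'clear', 'blocked' or 'fault'.  A sample far above the learned
        reference is not the channel's own light (ambient source or saturation)
        and is reported as a fault, never as an unobstructed beam."""
        if self.reference_v is None:
            return "fault"                        # never commissioned
        if sample_v >= self.saturation_v:
            return "fault"                        # detector in saturation
        if sample_v > self.reference_v * (1 + self.rise_tolerance):
            return "fault"                        # spurious radiation
        if sample_v <= self.off_threshold_v():
            return "blocked"
        return "clear"


def ossd_off(state):
    """The OSSD is driven 'off' (machine stop) for anything but a clear beam."""
    return state != "clear"
```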
Closed shorts between emitting devices and/or detecting devices in multichannel light curtain systems could result in detection capability loss. For instance, if a short was across adjacent LED emitters they could both turn on simultaneously, and as their light beams conically expand over space, each beam could be striking the intended detector. Similarly, if a short was across adjacent detectors, both detectors could produce an illuminated signal based on one LED emitter being on due to the conical expansion of the beam being large enough to cover both detectors. Either situation could endanger the operator, because an intrusion into the light array may go undetected.
The signal processing circuitry of a light curtain system may reliably detect an intrusion into its sensing zone; however, there is no assurance that its output circuitry has the ability to change state and thus achieve the desired result. The system must test itself to ensure that any intrusion results in an output state. For real-time continuous systems, this test must ensure that the response time of the output state is maintained.
Prior art demonstrates the use of redundant output devices which are monitored for a switching state using a method remote of the safety control system. The primary problem with this method is that the state of the output device is monitored without regard to the time it took to change its state in relationship to the event (i.e. blockage of light curtain) that commanded the change of state, thus the device may respond but may respond too late to prevent injury.
As a secondary problem, prior art devices rely on one of two output devices changing states. With the failure of one device, the other device performs the machine stop function, and the remote monitoring control prevents re-energization of the non-failing device thus resulting in a lockout condition. For a higher safety integrity system, "common cause failures" such as an electrical surge, burst, dip, etc., or an electromagnetic disturbance, EMI, RFI, ESD, etc., must be overcome.
Current stop performance monitors are used primarily on mechanical presses as a means to identify that the brake mechanism is wearing down and the machine no longer stops within its original requirements. Typically this is accomplished by initiating a stop command shortly before the press's ram has reached top of stroke, at which point, a signal is sent from the press's cam to initiate the brake and disengage the clutch. A second signal from the cam is then read to determine the cam's angular displacement. In the event this signal exceeds its parameters, and the ram has gone beyond top of stroke, an alarm is actuated. The problem with this verification method is that it does not monitor the response time of the switching elements in the chain of the real stop command, thus accumulated response time errors are not detected.
For cyclical machines that have a potentially hazardous half-cycle and a virtually nonhazardous half-cycle (i.e. presses), it would be desirable to have the operator be able to reach into the machine during the nonhazardous time to extract parts. To achieve this objective, a light curtain must be bypassed (muted) during the nonhazardous half-cycle so that it does not send a stop command to the machine's moving parts. This is a potentially very dangerous practice if, in the event of a malfunction, the mute function is not turned off during the hazardous portion of the machine cycle and/or the hazard/non-hazard portions of the machine cycle are reversed.
Prior art demonstrates how to achieve the muted state by using position sensors that interface with the machine's control system. Upon receiving a signal from the sensors, the control system energizes a bypass relay located in the current path of the light curtain's output devices, so that during the nonhazardous half-cycle a light curtain detecting an intrusion does not stop the machine: its stop signal never reaches the MPCEs, because the interposing bypass relay is rerouting the current flow to the MPCEs. The position sensors for presses are located at the top of the ram stroke and at the bottom of the ram stroke. The sensor at the bottom of the stroke initiates the muted condition and the one at the top of the stroke disengages the muted condition.
From the standpoint of high safety integrity this is a flawed system, one which uses single-channel techniques whereby any single failure of numerous devices could result in danger. For example, the interposing bypass relay used to keep the MPCE energized could fail in the "on" state, thereby removing the safety light curtain function during the hazardous half-cycle. The top sensor could also fail, thus not turning "off" the muted condition. The position sensors could be physically inverted, creating a bypass of the safety devices during the hazardous half-cycle. The machine control input signal from the position sensor could fail in a muted condition, and the machine's output signal could fail in a muted condition resulting in a similar danger to the operator.
Typically, the start actuator of a machine is a simple "on"/"off" switch, which when manually placed in the "on" position remains there until manually switched to the "off" position. From the standpoint of safety, this type of switch configuration is flawed. For example, in the event of an interruption of the source power, the machine would automatically stop, and when the source power is restored, the machine will be put in motion. This situation is very dangerous for an operator or maintenance person who may be troubleshooting the cause of the shutdown in the hazard area. This type of switch configuration is further flawed by the fact that the switch is not interactive with the safety control system: the safety system cannot affect it upon system failure. This configuration is still further flawed in the event the machine system has a bypass, i.e. mute, which may bypass the safety system based on de-energizing one or more relays.
Typically, two-hand control devices are stand-alone safety devices that when actuated initiate machine motion. Typically these devices have a circuit to ensure neither actuator is fastened down (which would allow single-hand control) and that both are actuated within a specified time of each other. These devices must be kept depressed during the hazardous cycle (i.e. the downward stroke of the machine). Failure to keep both actuators depressed will result in machine stoppage. This system is flawed in the respect that many failures can occur which would jeopardize safety integrity, such as the commingling of safety lines, in which one-hand control produces both signals due to cross interference.
Presence-sensing Device Initiation (PSDI) is a method of initiation of the machine cycle upon interruption and restoration of the light curtain's sensing zone. During the nonhazardous portion of the machine cycle, the operator reaches into the machine's hazard area to remove the product thereby creating an interruption and restoration of the sensing zone of the light curtain. PSDI functions in either a single break mode (as described above) or a double break mode in which the operator enters and leaves the detection zone twice (removing the finished product and inserting new material).
This mode of operation can be extremely dangerous because the sensing function of the light curtain, not the operator, governs machine initiation. In the event of a malfunction of the light curtain, interfacing control system, machine position sensors, machine feedback signals, or any of the above response times, the machine could initiate a cycle suddenly and abruptly.
The prior art has addressed this mode of operation primarily by way of avoidance. In the isolated cases in which it has been implemented, the onus of safety has been put on the machine installer via programming the machine control's PLC (Programmable Logic Controller). This is flawed in the respect that the PLC is not a safety control. The PLC does not have a physical structure of redundancy and comparison, and thus failures go undetected. This mode of operation is further flawed in that it assumes the programmer is familiar with the safety techniques and measures needed to ensure high-level safety integrity of the software and with how to implement software tests.
There are six basic modes of operation in which light curtain systems interface with the machine, based on how the operator is to interact with the machine. Establishing a functional interrelationship of the safety-related parts with the other functional parts of the machine has traditionally been done by interfacing the safety-related parts with the machine control. In this solution, the safety systems default their safety-related integrity to the machine control (i.e. PLC). From the standpoint of high-level safety integrity this method is flawed. The PLC is not structured with two channels where each channel performs its safety-related function independently of the other, compares its result with the other, and treats any disparity as grounds for a lockout. In addition, the machine control has no knowledge of the start of the event (i.e. the last unblocked light curtain scan). Therefore it has no way to verify accumulated response time errors. Also, because the machine control is programmed in the field, the program must reside in Random Access Memory (RAM). RAM is susceptible to alteration and is recommended for limited use. Where RAM is used in a high safety integrity computer system, the system must have two channels, and each channel must perform RAM checks to ensure bit corruption has not occurred. In addition, the ability to program software in a structured, high safety integrity manner is not what one could reasonably assume would be found in the workplace.
Traditional safety devices were constructed by interfacing discrete safety-related parts to a machine controller. The user settings were a function programmed in by the user. As discussed above, this method fails to ensure high safety integrity.
Therefore, what is needed is a system that measures each device's response time in relation to the start of the event (the beginning of a new scan cycle of the detection device following a scan that detected no hand or other interruption in the hazard or sensing field). By measuring the elapsed time of each component in the chain of events from the start of the scan cycle, each component's response time can be validated and the accumulation of slow response times monitored.
What is also needed is an intelligent light curtain system that can "learn" its environmental surroundings and setup parameters (i.e. its own signal strength) and can adjust itself as necessary. In addition, what is needed is for the intelligent system to recognize its own light source and distinguish it from other spurious bursts of radiation. What is further needed is for the system to not allow its detection device to go into saturation. Still further, what is needed is that the safety integrity of the learning process be maintained throughout the system.
In order to overcome the response time monitoring problem of accumulation error, what is needed is a homogeneous system that incorporates the light curtain function and the safety-related control function, whereby the output response time of each device in the stop chain of command is clocked from the last unblocked scan of the light curtain. Further, the monitoring must be performed within milliseconds of when the device was to change state in order to provide a secondary method of machine stoppage in the event of failure to respond. To overcome problems associated with common failures of similar devices, an additional, dissimilar switching device in an unrelated current path is required.
For high integrity safety-related control systems, it is not enough to simply ensure that the system produced an output. What is needed in this safety system is to ensure that the proper output is realized. The safety-related control system must monitor for the safe state of the machine. If that state is not realized within a specified time of response, the safety-related control system must be able to produce a secondary output to protect the operator. Each element in the stop chain of command must be monitored for its timely change of state in relationship to the last unblocked scan of the light curtain system.
Prior stop performance monitors are flawed in the fact that they do not take into account all of the events in the stop chain of command. SPMs disregard all interposing devices which may respond sluggishly such as the light curtain, the OSSD, the FSDs, the MPCEs, etc. SPMs do not monitor the true stopping time of the machine as it relates to safety of the operator reaching through the light curtain's sensing field into a hazardous machine area. These SPMs are also limited to monitoring only one type of machine (i.e. clutch/brake type). What is needed is a means to determine machine motion and to equate the amount of elapsed time from blockage of the light curtain to the cessation of motion.
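The following is an added example, not the patent's own implementation, contrasting the prior-art monitoring described earlier (each element of the stop chain validated only against its own fault limit, measured from its own input) with the scheme called for here, where every element is clocked from the last unblocked light curtain scan. The chain elements, nominal response times, fault limits and margins are constructed assumptions.

```python
"""Added example: accumulated response-time error in the stop chain of command
and how clocking every element from the last unblocked scan exposes it.
Element names follow the chain above; all timing values are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    nominal_ms: int      # expected response time of this element
    fault_limit_ms: int  # stand-alone limit before the element reports complete failure
    margin_ms: int       # lateness tolerated when clocked from the scan


# Stop chain of command, in order (response times and limits are assumptions).
STOP_CHAIN = (
    Element("OSSD", 5, 100, 5),
    Element("FSD", 10, 100, 5),
    Element("MPCE", 20, 100, 10),
    Element("motion stop", 60, 300, 20),
)


def stand_alone_monitoring(actual_ms):
    """Prior art: each element is checked only against its own fault limit,
    measured from when it received its input.  Returns (failed elements,
    total elapsed ms).  Lateness below each limit is invisible and adds up."""
    failed = [e.name for e in STOP_CHAIN if actual_ms[e.name] > e.fault_limit_ms]
    total = sum(actual_ms[e.name] for e in STOP_CHAIN)
    return failed, total


def clocked_from_last_unblocked_scan(actual_ms):
    """SRCS scheme: the clock starts at the last unblocked scan and each element
    must have changed state by its cumulative deadline.  Returns (first late
    element or None, elapsed ms at that point, deadline ms at that point)."""
    elapsed = expected = 0
    for e in STOP_CHAIN:
        elapsed += actual_ms[e.name]
        expected += e.nominal_ms
        deadline = expected + e.margin_ms
        if elapsed > deadline:
            return e.name, elapsed, deadline
    return None, elapsed, expected


def srcs_action(actual_ms):
    """A late element triggers the secondary stop path and a lockout instead of
    letting the error accumulate silently."""
    late, _, _ = clocked_from_last_unblocked_scan(actual_ms)
    return "run" if late is None else "secondary stop + lockout"


if __name__ == "__main__":
    # Every element inside its own fault limit, yet the stop takes 515 ms
    # instead of the nominal 95 ms.  Constructed timings.
    sluggish = {"OSSD": 80, "FSD": 90, "MPCE": 95, "motion stop": 250}
    print(stand_alone_monitoring(sluggish))           # ([], 515): no fault seen
    print(clocked_from_last_unblocked_scan(sluggish))  # ('OSSD', 80, 10): caught
```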
What is needed is a homogeneous safety control system with two-channel structure and dynamic signal processing. The system must know when the muted condition is to occur and recognize fault conditions in the process. The system must also detect any misapplication or physical alteration of the position sensors. The system must inform the operator of a muted condition, must not bypass necessary safety mechanisms, and must maintain stop control in the event of a malfunction. The system must also verify that the mute signals are functioning properly prior to allowing the mute condition to occur. All of this must be done without compromising operator safety.
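The following is an added example, not the patent's own design, of a two-channel mute supervisor for the bottom/top ram position sensors discussed above. It assumes that at commissioning both sensors are inactive and the ram's first movement is the downstroke, so the first pulse must come from the bottom sensor; that mute is permitted only after each sensor has proven it can change state; and that a muted half-cycle has an upper time limit. The rules and the 2000 ms limit are assumptions for illustration.

```python
"""Added example: two-channel mute supervision of ram position sensors.
Each channel checks its own sensor pair; the light curtain is bypassed only
while both channels agree on MUTED.  All rules and timings are assumptions."""
from dataclasses import dataclass

MAX_MUTE_MS = 2000  # longest plausible nonhazardous half-cycle (assumed)


@dataclass
class MuteChannel:
    """One channel.  States: UNVERIFIED -> ARMED <-> MUTED, or LOCKOUT."""
    state: str = "UNVERIFIED"
    last_bottom: bool = False
    last_top: bool = False
    bottom_proven: bool = False   # sensor seen to go off->on->off
    top_proven: bool = False
    mute_started_ms: int = 0
    expect: str = "bottom"        # next sensor expected to pulse (assumption)

    def _lockout(self):
        self.state = "LOCKOUT"
        return self.state

    def step(self, t_ms, bottom, top):
        if self.state == "LOCKOUT":
            return self.state
        if bottom and top:                       # ram cannot be at both ends
            return self._lockout()
        rise_bottom = bottom and not self.last_bottom
        rise_top = top and not self.last_top
        self.bottom_proven |= self.last_bottom and not bottom
        self.top_proven |= self.last_top and not top
        self.last_bottom, self.last_top = bottom, top

        if rise_bottom or rise_top:
            got = "bottom" if rise_bottom else "top"
            if got != self.expect:               # out of order: inverted or stuck sensor
                return self._lockout()
            self.expect = "top" if got == "bottom" else "bottom"
            if got == "bottom" and self.state == "ARMED":
                self.state, self.mute_started_ms = "MUTED", t_ms
            elif got == "top" and self.state == "MUTED":
                self.state = "ARMED"             # hazardous downstroke: curtain active
        if self.state == "UNVERIFIED" and self.bottom_proven and self.top_proven:
            self.state = "ARMED"                 # both sensors proven; mute now allowed
        if self.state == "MUTED" and t_ms - self.mute_started_ms > MAX_MUTE_MS:
            return self._lockout()               # top sensor never came: fail safe
        return self.state


class MuteSupervisor:
    """Two independent channels; any disparity between them is a fault."""

    def __init__(self):
        self.a, self.b = MuteChannel(), MuteChannel()
        self.locked = False

    def step(self, t_ms, bottom_a, top_a, bottom_b, top_b):
        sa = self.a.step(t_ms, bottom_a, top_a)
        sb = self.b.step(t_ms, bottom_b, top_b)
        if sa != sb or "LOCKOUT" in (sa, sb):
            self.locked = True
        return "LOCKOUT" if self.locked else sa

    def curtain_bypassed(self):
        return (not self.locked and self.a.state == "MUTED"
                and self.b.state == "MUTED")


def run(events):
    """Apply (t_ms, bottom, top) to both channels, or
    (t_ms, bottom_a, top_a, bottom_b, top_b) for diverging inputs."""
    sup = MuteSupervisor()
    for ev in events:
        sup.step(*ev) if len(ev) == 5 else sup.step(ev[0], ev[1], ev[2], ev[1], ev[2])
    return sup
```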
What is needed is a safety start actuator that requires a deliberate act by the operator to enable the machine to be put in motion. Upon power interruption the actuator must create a lock-out that persists after power restoration. The actuator must be an integral part of the SRCS and must be monitored to ensure that a failed "on" state cannot exist. In addition, the actuator, or another actuator, must perform a restart enable function. What is further needed is an indicator to inform the operator of the reason for the machine stoppage.
What is also required for high safety integrity are means to initiate machine motion in a safe manner and ensure that machine motion cannot occur until the hazard zone is vacated of personnel. Although the prior art is satisfactory for some applications, it does not satisfy the requirements for high safety integrity needs. What is needed is a two-channel technique with comparison and dynamic monitoring. The two-channel technique must include two signals from each actuator (i.e. 4 signals which are processed by two independent signal processors and compared). Each signal processor must independently control a machine motion initiation device. All switch contacts must be monitored dynamically for their off/on/off states, and signal processors must compare the results. Systematic failure must result in a lockout state which is only recoverable by qualified personnel.
Since the two-hand control must be kept depressed for the entire downstroke of the press, a safety means must be incorporated to ensure that the two-hand control "knows" the position of the press's ram. A single-channel means could fail in the "closed position" and could falsely indicate a ram at the bottom state. Even two such devices could produce a dangerous condition by one device failing in such a state and then the other at some future time. What is needed is for the ram-position devices to be two-channel with a comparison check and verified on a dynamic basis. There is a need to know when the ram is at the top of its stroke to validate the initialization of the next stroke, and such validation must correspond with predetermined time parameters. In addition, what is needed is that the position sensors be validated for their ability to change state prior to relying on them to determine the location of the ram, without jeopardizing operator safety.
The SRCS must verify that its motion initiation devices are operating properly. Failure of the two-hand control's actuators, restart enable actuators, start enable actuators, output devices, control, etc., and/or failure of the position sensors, and/or the interfacing control (i.e. machine control) must be detected by a homogeneous safety system and must result in a lockout condition. When any one of these failures is detected, all safety device outputs must go to the "off" state to stop the machine motion. It is insufficient for high integrity safety systems to merely have the two-hand control's output remain "off", especially when it is a single-channel output.
What is needed is to incorporate all the system components (i.e. light curtain components, machine feedbacks, position sensors, machine initiation devices, mute operations) into a single homogeneous SRCS. The SRCS must have a two-channel structure with comparison and high-level safety integrity software, and must monitor interfacing elements for their respective states and response times as pertaining to the light curtain scan.
What is needed is a single homogeneous SRCS with field-selectable modes of operation that require no field software programming to perform their desired functional manner of man/machine interface. What is further needed is an SRCS of two-channel structure with comparison and dynamic monitoring capabilities, programmed-implementing structure software, and a self-test of that software.
Finally, what is needed is a homogeneous SRCS that requires no user program, but has user-selectable means that are automatically verified and tested by the SRCS after originally having been validated by the installer subsequent to proper selection at commissioning.