Jeff Fryman, Director of Standards Development, Robotic Industries Assn.
Last month, I summarized some of the critical elements in a risk assessment strategy for safeguarding machinery, based on a wealth of experience in complex motion control within RIA, the Robotic Industries Assn.
A robot has multiple-axis functionality and a large motion envelope or workspace. This large space gives the robot its flexibility, but also creates a significant hazard to personnel. Limiting devices are necessary to deal with this.
I also touched on singularity in robotic motion caused by the collinear alignment of two or more robot axes, which can result in unpredictable motion and velocities.
This month, we focus on enabling devices and control circuits.
Enabling devices certainly are not new, but what is new is the better understanding of how people react to stressful or unexpected events. We have had the dead-man switch concept for many years. The problem with that two-position design is that it can truly be a dead man switch.
Studies have shown that people react differently to situations. The safety intent of an enabling device is to protect a person by allowing them to enable a hazardous action such as robot motion. Disabling the hazard when it presents an impending harm to the person being protected provides the safety. The classic two-position (on-off) switch design protects only when released; i.e., if the person holding the switch lets go. Studies and anecdotal information indicate that many people instinctively hold tighter (death grip) in a dangerous situation rather than releasing a hold on something, particularly if that something is supposed to protect you. The three-position (off-on-off) switch thus protects the holder in either reaction.
A key element in implementing the three-position enabling device is that it be an ergonomically sound design. To date, the best installations have involved a slide switch pulling against differently tensioned spring positions. The middle position is pulling against light spring pressure, where the spring will return the switch to the off position when released. The middle position is also resting on a much stronger spring that will compress to the off position when squeezed. Surveys of users have reported a general satisfaction and no problems with this type of installation.
The best safeguarding design we can provide is a system where operators are not exposed to any hazards. Sound challenging? Yes, but it is achievable. Success lies in removing any incentive for the individual to shortcut the safety system.
One such design provides for two types of machine stops, the safety stop and the emergency stop. Each device has a distinct function. This is why ANSI/RIA R15.06-1999 mandates the two types of stopping circuits.
Every machine is designed with an emergency or e-stop circuit. The potential trap to individual safety comes when the design includes all the stop requirements in the e-stop circuit. An e-stop is designed to be an all-encompassing, all-inclusive, hard stopping of all hazards associated with an operation. When this is the only stop provided, and an operator sees it as an obstacle to doing his job, then he will actively try to defeat the safety, placing him in an unacceptable position of risk against an identified hazard.
The emergency stop should be treated as just thatan emergency stop. It must be an active stop, initiated by an operator in response to a perceived problem.
A safety stop circuit, whether initiated by safeguarding devices or by an operator requesting access to a safeguarded space, should handle all other stops.
Through control logic, we can control the stop and what is affected by the stop. In a long assembly line, this may only involve a small grouping of machinery, rather than the entire line. Also, resetting of the circuit does not have to include the manual resetting of the e-stop circuit. These actions can enhance the ability of operators to do their jobs, as they perceive them, without compromising safety.
A safety-stop may be a passive stop, initiated by a safeguarding device. The safety control circuitry for such a stop must be more reliable than an e-stop circuit. This is necessary since the person exposed to an identified hazard may recognize neither the hazard exposure nor that the sensing device has failed and a stop has not been commanded.
Worldwide normalization of these practices continues, and understanding these concepts is incumbent on all of us as we strive for the safest possible workplace through the proper design of our automated industrial machinery.
| About the Author |
