Non-emergency machinery stops can be avoided with the arrival of a "failover" safety concept for use with ABB's safety programmable logic controller (PLC). The concept distinguishes between a genuine safety reaction to a hazard, when the machine must stop, and stops that are tripped by non-critical events. The AC500-S Safety PLC can tell the two apart, so that only a real hazard reported by a safety device results in a safe stop.
Improvements in productivity and availability are calculated based on the anticipated frequency of these temporary errors together with the average duration of downtime due to such events.
Traditionally, sensors or switches inform a safety control device about the presence of humans. The machine is then stopped, its speed reduced or the space of movement for robots or automatic guided vehicles (AGVs) is restricted. If communication to a safety sensor fails, or the device itself fails, a machine safe stop is usually initiated by the safety PLC. This will occur even though the sensor’s fault is only temporary and there is no real risk to human operators or nearby equipment. This can lead to unnecessary machine stops.
For example, an AGV can run normally with a safely limited speed setting within a safe zone. However, if an obstacle or human is detected in this zone, it stops immediately. Such stops could also be caused by temporary failures of the AGV’s safety sensors through electromagnetic interference, short power supply drops, network traffic overload or wireless drop-outs.
The failover concept provides an alternative to a direct safe stop. It is based on the principle that the transient failure of a safety device does not always require a safe stop: the failure can be temporarily and safely bridged by re-configuring how the safety program executes its logic and reacts to safety events, without compromising the safety integrity level.
For instance, if the factory floor area that is protected by the AGV’s safety laser scanner using the AC500-S Safety PLC experiences a communication error, it will not necessarily trigger a safe stop. If redundant devices, such as a remote safety camera controlled by the central safety control station, are covering the same area, a safety stop will only be triggered if a real hazard is detected by this camera.
Safety network protocols like PROFIsafe support the recognition of communication errors and device faults. This makes it possible to distinguish between temporary communication errors and device faults, as implemented in the AC500-S Safety PLC.
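The AGV scenario above, written out as an added fail-safe decision function; this is illustrative code, not ABB's AC500-S logic or the PROFIsafe stack. It assumes a per-zone list of devices, a simplified device status (hazard, transient communication fault, device fault, or healthy) and a constructed bridging limit `MAX_BRIDGE_S`.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    OK = "ok"                      # healthy, nothing detected
    HAZARD = "hazard"              # healthy, person or obstacle detected
    COMM_FAULT = "comm_fault"      # transient communication error (bridgeable)
    DEVICE_FAULT = "device_fault"  # device reports an internal failure


@dataclass
class SafetyDevice:
    name: str
    zone: str
    status: Status


# Assumed upper bound (seconds) for bridging a transient fault; a real
# system would derive this from its safety analysis, not pick it ad hoc.
MAX_BRIDGE_S = 2.0


def decide(devices, zone, fault_age_s=0.0):
    """Return 'SAFE_STOP' or 'RUN' for one protected zone.

    Fail-safe rules: no coverage stops; any hazard or device fault stops;
    a transient communication fault is bridged only while a healthy
    redundant device covers the same zone and the fault is younger than
    MAX_BRIDGE_S. Everything else defaults to SAFE_STOP.
    """
    covering = [d for d in devices if d.zone == zone]
    if not covering:
        return "SAFE_STOP"
    if any(d.status in (Status.HAZARD, Status.DEVICE_FAULT) for d in covering):
        return "SAFE_STOP"
    if not any(d.status == Status.COMM_FAULT for d in covering):
        return "RUN"
    healthy = [d for d in covering if d.status == Status.OK]
    if healthy and fault_age_s <= MAX_BRIDGE_S:
        return "RUN"  # bridged by redundant coverage, within the time limit
    return "SAFE_STOP"


def agv_example(scanner_status, camera_status, fault_age_s=0.0):
    """Constructed AGV zone: on-board laser scanner plus a remote safety camera."""
    devices = [SafetyDevice("agv_scanner", "zone_a", scanner_status),
               SafetyDevice("remote_camera", "zone_a", camera_status)]
    return decide(devices, "zone_a", fault_age_s)
```

Running the scanner through a communication fault with the camera healthy keeps the AGV moving only until the bridging limit expires; a hazard seen by either device, or a second fault, forces the safe stop.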