Non-critical events such as EMI/EMC disturbances, under-voltages and communication errors should not stop operations, but can cause temporary interruptions. ABB’s AC500-S Safety PLC can differentiate between these events and real hazards, which should result in a safe stop when triggered by a safety device.
Traditionally, sensors or switches inform a safety control device about the presence of humans. The machine is then stopped, its speed reduced, or the space of movement for robots or automatic guided vehicles (AGVs) is restricted. If communications with a safety sensor fail, or the device itself fails, a machine safe stop is usually initiated by the safety PLC. This occurs even if the sensor fault is only temporary and there is no real risk to humans or nearby equipment, which leads to costly, unnecessary machine stoppages.
For example, an AGV can run normally with a safely-limited speed setting within a safe zone. However, if an obstacle or human is detected in this zone, it stops immediately. Such stops could also result from temporary failures of the AGV’s safety sensors caused by electromagnetic interference, power supply fluctuations, network traffic overloads or wireless drop-outs.
Without the new safety concept – known as failover – there is no differentiation between temporary failures and more permanent ones, resulting in unnecessary machine downtime and large, but avoidable, financial losses.
“According to several surveys, one minute of production line downtime costs an average of $20,000,” explains Yauheni Veryha, product manager for ABB’s safety PLCs. “If we assume that the average downtime and recovery, due to a safety device malfunction, takes 15 minutes, then implementing the failover concept can save $300,000 per year. If we take into account the required design time to implement the concept in the production facility, the customer could still be saving $200,000 in the first year and $300,000 every year afterwards.”
The failover concept provides an alternative to a direct safe stop. The idea is that the transient failure of a safety device does not always need a safe stop, but can be bridged temporarily and safely by re-configuring the safety program’s logic and reaction to safety events, without compromising on safety.
For instance, if an AGV’s safety laser scanner experiences a communication error, it will not necessarily trigger a safe stop. If redundant devices, such as remote safety cameras controlled by a central safety control station, are covering the same area, a safety stop will be triggered only if the camera detects a real hazard.
Safety network protocols such as PROFIsafe support the recognition of communication errors and device faults. This provides the ability to distinguish between temporary communication errors and device faults.
A safety PLC supporting the failover concept “will help companies with complex machine safety applications to minimise costs while providing maximum reliability, efficiency and flexibility,” Veryha argues. The PLC, he adds, “protects people, machines and processes, the environment and investments”.