SAFEGUARDING A MACHINE

Abstract

A safety system for safeguarding a machine is provided, said safety system having at least one safe sensor for producing safe data, wherein the safe sensor also produces non-safe data and/or a non-safe sensor for producing non-safe data is provided, wherein the safety system furthermore has a non-safe evaluation unit for processing the non-safe data and a safe evaluation unit that is configured to test the non-safe evaluation unit in that an evaluation result of the processing of the non-safe data is checked with reference to the safe data, The safe data have a lower accuracy and/or are more rarely available in comparison with the evaluation results.

Claims

1. A safety system for safeguarding a machine, said safety system having at least one of at least one safe sensor for producing safe data, with the safe sensor also producing non-safe data, and a non-safe sensor for producing non-safe data, wherein the safety system furthermore has a non-safe evaluation unit for processing the non-safe data and a safe evaluation unit that is configured to test the non-safe evaluation unit in that an evaluation result of the processing of the non-safe data is checked with reference to the safe data, and wherein the safe data have a lower accuracy and/or are more rarely available in comparison with the evaluation result.

2. The safety system in accordance with claim 1, wherein the safe evaluation unit is configured for the production of a safeguarding signal to the machine if the evaluation result is not plausible.

3. The safety system in accordance with claim 1, wherein the non-safe evaluation unit is configured for the production of control signals to the machine.

4. The safety system in accordance with claim 3, wherein the non-safe evaluation unit is configured for the production of control signals to safeguard the machine.

5. The safety system in accordance with claim 1, that has a safety controller having the safe evaluation unit.

6. The safety system in accordance with claim 1, that has a processing unit having the non-safe evaluation unit.

7. The safety system in accordance with claim 1, wherein the safe data have at least one binary object determination signal

8. The safety system in accordance with claim 1, wherein the safe data have information on whether a protected field has been infringed and on which it is.

9. The safety system in accordance with claim 1, wherein the safe sensor is configured as a safety laser scanner.

10. The safety system in accordance with claim 1, wherein the non-safe evaluation unit is configured to determine the distance of an object from the machine

11. The safety system in accordance with claim 1, wherein the safe sensor is configured to monitor a grid of a plurality of protected fields, with the safe data on the identity of an infringed protected field comprising safe position information.

12. The safety system in accordance with claim 11, wherein the safe evaluation unit is configured to check the evaluation result of the non-safe evaluation unit at a point in time at which the identity of an infringed protected field changes.

13. The safety system in accordance with claim 1, wherein the non-safe evaluation unit is configured to navigate a vehicle.

14. The safety system in accordance with claim 13, wherein the safe data have some position information at at least one reference position.

15. The safety system in accordance with claim 14, wherein the safe data have some position information at at least one reference position in that the safe sensor monitors reference protected fields.

16. A method of safeguarding a machine in which safe data are produced from at least one safe sensor and non-safe data are produced from at least on of the safe sensor and a non-safe sensor, wherein the non-safe data are processed in a non-safe manner and the non-safe processing is tested in that an evaluation result of the processing of the non-safe data is checked with reference to the safe data, and wherein the safe data have a lower accuracy and/or are more rarely available in comparison with the evaluation results.

Description

[0033] The invention will be explained in more detail in the following also with respect to further features and advantages by way of example with reference to embodiments and to the enclosed drawing. The Figures of the drawing show in:

[0034] FIG. 1 a schematic block representation of an embodiment of a safety system;

[0035] FIG. 2 an exemplary representation of a monitoring of a robot with distance monitoring and a grid of protected fields of two safety laser scanners;

[0036] FIG. 3 a schematic block representation of an embodiment of a safety system for the example of FIG. 2;

[0037] FIG. 4 a schematic block representation of an embodiment of a safety system for a similar monitoring situation as in FIG. 2, but now with a safety laser scanner and a safety 3D camera;

[0038] FIG. 5 a schematic block representation of an embodiment of a safety system for the navigation of a vehicle;

[0039] FIG. 6 an exemplary representation of a navigation of a vehicle with a position check through protected fields;

[0040] FIG. 7 a representation of a conventional safety concept; and

[0041] FIG. 8 a schematic block representation of a conventional safety system for the safety concept of FIG. 6.

[0042] FIG. 1 shows a schematic block representation of a safety system 10 for safeguarding a machine 12 such as a robot, a vehicle, or another usually complex machine. At least one safe sensor, there are two safe sensors 14a-b in the example, monitors a zone associated with the machine 12 such as its environment or an access path. A non-safe sensor 16 can optionally additionally be provided. The terms safe and non-safe are still to be understood such that corresponding components, transmission paths, and evaluations satisfy or do not satisfy the standardized criteria for safety named in the introduction. The sensors are preferably optoelectronic sensors, for instance laser scanners or camera, but can also be at least in part based on a different sensor principle.

[0043] The safety system has a non-safe controller 18 and a safety controller 20 for the evaluation of the different sensor data. They are preferably each per se separate hardware modules, as shown. Alternatively, they could at least partly be functional blocks in the sensors 14, 16 or a common controller 18, 20. The division into safe and non-safe paths would remain here.

[0044] The non-safe controller 18 preferably has a high processing power and flexibility and is able to communicate and process large amounts of data. It is, for example, a non-safe standard controller or a CPU or also a GPU in an industrial computer. An edge computing infrastructure or a cloud solution are furthermore conceivable. Since the processing has to be non-safe, approaches from machine learning are also possible such as deep learning and all the variants of neural networks.

[0045] The non-safe controller 18 receives and processes non-safe sensor data from the non-safe sensor 16, if present, alternatively or additionally also non-safe data from a safe sensor 14a-b. The non-safe sensor data are typically complex and extensive, for instance images, point clouds, or scan data. The non-safe controller 18 forms a functional branch in which complex evaluations of larger sensor data amounts run. Standard hardware modules can be used for this purpose because no or at most low safety demands have to be satisfied.

[0046] The safety controller 20 is in contrast safely configured by two-channel ports, processing paths, and corresponding evaluations. Instead it only offers comparatively simple evaluation possibilities, interfaces with small bandwidth, typically only for binary signals, and limited storage and processing capacities.

[0047] The safety controller 20 receives safe data of the safe sensors 14a-b. The safe sensors 14a-b have therefore already substantially reduced or compressed the original sensor data by internal safe evaluation. As a rule, only a binary safe signal is output (OSSD, output signal switching device), in some cases a plurality thereof, to deliver the information as which of a plurality of protected fields monitored in parallel has been infringed. The safety controller 20 optionally also receives non-safe data of the non-safe sensor 16, with the additional redundancy being able to increase the safety level.

[0048] The safety controller 20 forms a test branch or a plausibilization branch for the non-safe controller 18. For this purpose, an evaluation result is transferred from the non-safe controller 18 to the safety controller. The evaluation result can, but by no means must, be the desired output value of the non-safe evaluation, but is rather possibly only a portion thereof or even a specific test value that is produced in the actual evaluation for the safety controller 20. The safety controller 20 now checks with reference to the safe data whether the evaluation result corresponds to its expectation and thus uncovers possible errors of the non-safe controller 18.

[0049] Examples for the evaluation result transferred for test purposes and for the safe data with reference to which the evaluation result is tested will be given further below. The expectation is derived in FIG. 1 from the safe signals of the safe sensors 14a-b. It must be mentioned that different safe system data, for instance safe position information of the machine 12 or process information such as specific dimensions and the like, can equally be used. The respective source of such safe data, in particular the machine 12, is understood as a safe sensor with respect to this roll in such cases.

[0050] The non-safe controller 18 produces control signals for the machine 12 from its evaluation. This expressly includes its safeguarding, that is the moving into a safe state because the (initially) non-safe evaluation has recognized a hazard situation. The machine 12 as a rule still has its own controller with which the non-safe controller 18 communicates. The safety controller 20 in turn safeguards the machine 12 with a safe safeguarding signal if the test of the non-safe controller 18 discovered an error. It is also conceivable here in advance to tolerate errors up to a certain degree, for example not to trigger any safety response if the error no longer occurs in the following test cycle. It is conceivable that, without any representation by corresponding arrows, the machine 12 returns information to the non-safe controller 18 and/or to the safety controller 20.

[0051] The safety controller 20 thus monitors the non-safe controller 18 with reference to the evaluation result. The machine 12 is primarily controlled by the non-safe controller 18. The safety controller 20 as a rule only as a passive monitoring mechanism checks whether the control signals of the non-safe controller 18 are consistent with the safe data and the expectation derived therefrom. In the case of a deviation or on an occurrence of an implausible evaluation result of the non-safe controller 18, the safety controller 20 can intervene and take over the control of the machine 12. The safeguarding of the machine 12 can mean its stopping or an emergency stop. Other safety relevant maneuvers are path-bound slowing, stopping, and restarting as well as safety relevant evasion maneuvers, which are particularly suitable in the case of robots or AGVs.

[0052] The procedure of creating safety by tests is described in principle in the safety standard ISO/EN 13849-1. A single-channel architecture with category 2 testing is achieved with every input, i.e. with a safe sensor 14a-b or with a non-safe sensor 16. Very high safety categories such as category 4 or performance level PL-d can thus also be reached by a plurality of sensors 14a-b, 16. The aim of the invention is, however, not necessarily to satisfy very high safety demands, even if this is possible, but rather flexibility including the most varied safety levels. The specifically reached safety level does not solely depend on the basic architecture of the safety system 10, but also on the safely levels of the sensor 14a-b used and on the evaluations and the plausibilization steps.

[0053] In summary, a high performance non-safe controller 18 without any special safety architecture as a functional branch for processing complex sensor data is combined with a simple safety controller 20 as the test branch. The technical safety testing of the non-safe controller 18 is transposed into a separate safety controller 20. Results of the complex sensor data processing in the non-safe controller 18 are checked against an expectation. The safe data can be used as an expectation for validating the evaluation of the non-safe controller 18 due to the technical safety processing into simple safe data such as safe switching signals that has already taken place in the safe sensor. The fact is additionally preferably used that a large number of safe sensors 14a-b deliver both safe switching signals and complex sensor data. Alternatively, an additional non-safe sensor 16 is used as the source of the complex sensor data. In accordance with the invention, previously inaccessible safety functions can be flexibly implemented on an available non-safe controller 18 and safety controller 20 and the high quality sensor information can be utilized better. This concept can be used everywhere that safe or non-safe sensors 14a-b, 16 provide both sensor data and additionally safe data or switching signals as the basis of the plausibility check.

[0054] FIG. 2 shows by way of example the monitoring of a robot 12 with the aid of two safety laser scanners 14a-b for implementing a distance monitoring (in particular speed and separation monitoring). FIG. 3 shows the corresponding safety system 10 in a block representation. The safety laser scanners 14a-b monitor a grid of protected fields 22.sub.11..22.sub.nm. The regular rectangular grid shown of mutually identical protected fields 22.sub.11..22.sub.nm is particularly clear but irregular protected fields of different sizes and arranged with gap are also possible.

[0055] An object 24, here a person, is now detected, on the one hand, by the safety laser scanners 14a-b in specific protected fields 22.sub.15..22.sub.25 and corresponding binary switching signals (OSSD) are transferred to the safety controller 20. In addition, the scan data are evaluated as non-safe sensor data in the non-safe controller 18. In this process, distances from the respective scanner center are calculated by means of object localization such as indicated by arrows 26a-b. The distance of the person or of the object 24 from the robot 12 in accordance with the arrow 28 can then also be derived from this.

[0056] The non-safe controller 18 decides which control commands are to be given to the robot 12 and whether a safeguarding is necessary on the basis of the distance of the object 24, that can be recognized as a person or only as an arbitrary object, and possibly on the basis of further values such as the direction and speed of the movement. This evaluation and control is not yet safe up to this point. The non-safe controller 18 therefore transfers evaluation results such as the position, distance, or direction of movement to the safety controller 20.

[0057] The safety controller 20, on the other hand, has an expectation at least of the position of the object 24 on the basis of the infringed protected fields 22.sub.15, 22.sub.25. An interval can be indicated by this in which the position determined by the non-safe controller 18 or the distance of the object 24 has to be disposed to be plausible. If the evaluation result obtained by the non-safe controller 18 is disposed in this interval, the calculated distance value is deemed plausible. Otherwise, the safety controller 20 itself triggers a safety relevant response of the robot 12 as soon as the distance monitoring of the non-safe controller 18 can no longer be considered reliable.

[0058] It is particularly advantageous to use a status change of protected fields 22.sub.11..22.sub.nm as the trigger for a plausibilization. Status change means that an object 24 is detected in a protected field 22.sub.11..22.sub.nm previously not infringed or conversely a protected field 22.sub.11..22.sub.nm is no longer infringed. The position of the safety relevant object 24 is actually also particularly exactly known to the safety controller 20 on such a status change since the object 24 then has to be located at the protected field boundary. This point in time is therefore particularly favorable for a plausibilization.

[0059] FIG. 4 shows a modified further embodiment of the safety system 10 in which a safe 3D camera 14b has replaced the one safety laser scanner 14b. The safety laser scanner 14a, for example, has a high safety level SIL 2 or PL-d and the 3D camera 14b has a medium safety level PL-c. The 3D camera could alternatively also be non-safe. The non-safe controller 18 in turn has the object of determining the distance between the machine 12 and the object 24 from the non-safe data of the 3D camera, in particular from a depth map, and possibly additionally from the scan data of the safety laser scanner 14a and, optionally from the process data of the machine 12. The distance is compared with a less exact, but very safely known expected value in the safety controller 20 and is thus upgraded in a technical safety aspect. Further evaluation results such as the direction of movement or the speed can be determined in the non-safe controller 18 and can be plausibilized in the safety controller 20.

[0060] As in the example of FIG. 2, a grid of protected fields can again be monitored to derive the expected value and the comparison for the plausibilization can in particular be initiated actually at the time of a signaled protected field change. The high quality safety function of a three-dimensional speed and separation monitoring at a high safety level can be implemented using such a safety system 10.

[0061] FIG. 5 shows a schematic block representation of a further embodiment of the safety system 10 for the safe navigation of a vehicle, specifically of an at least partly autonomous vehicle (AGVautomated guided vehicle). An embodiment is shown having only one safety laser scanner 14, with alternatively a plurality of safety laser scanners and also other scanners such as cameras and the like being able to be used.

[0062] The navigation task requires the use of very complex processes such as SLAM (simultaneous localization and mapping), which a safety controller 20 could not provide at all with its limited resources. Since the non-safe controller 18 in principle makes use of arbitrary hardware, such algorithms can be implemented there.

[0063] The safety controller 20 in turn has the object of validating the evaluation results, in particular of confirming positions on the basis of protected field states of the safety laser scanner 14. The non-safe controller 18 for this purpose, possibly without being shown in FIG. 5, sends triggers or switchover signals for changing protected field configurations back to the safety laser scanner 14.

[0064] Test positions can be configured in the working zone of the vehicle 12 at which test positions unambiguous environmental features are checked as to presence and at least rough position by special reference protected fields. FIG. 6 shows as an application example the navigation of a vehicle 12a-c in three different positions in a warehouse with environmental objects 30 such as racks, walls, and the like. A safety laser scanner, not drawn, at the front of the vehicle 12a-b monitors six simultaneous protected fields S2-S6 that are programmed such that a very specific combination that is as unambiguous as possible of infringed and not infringed protected fields S1-S6 or a corresponding OSSD combination of the safety laser scanner is present at a reference position, for instance at a transfer point, here the vehicle 12a.

[0065] Safe data are, for example, transferred from the safety laser scanner to the safety controller 20, said safe data forming a six-digit bit pattern corresponding to the exemplary six protected fields S1-S6 here and in which an associated bit is set to zero when the protected field is free and to one when it has been infringed. Only the vehicle 12a at the reference position will accordingly deliver the reference bit pattern S=101010, while with vehicle 12b where S=001010, the protected field S1 remains free unlike at the reference position, and with vehicle 12c where S=000000, all the protected fields are even free. At least one bit thus does not coincide with the expectation for the reference position at every position except for vehicle 12a. The safely determined reference position in the safety controller 20 can thus verify the position of the non-safe controller 18 determined via SLAM, for example, in the position of the vehicle 12a.

[0066] This position confirmation can be completely mapped in the safe test branch of the safety controller 20. The safety laser scanner monitors the configured reference protected fields S1-S6 and delivers safe switching signals to the safety controller 20. The evaluation result delivered by the non-safe controller 18 is compared with the position known on the basis of the configuration of the reference protected fields and is confirmed with respect to the trigger times that are derived from the status of the reference protected fields and whose position is exactly known.

[0067] This is therefore a further example of how complex non-safe evaluations can be verified by transmission of fewer extremely compressed safe data. The safe data are only a bit pattern of a short length from object determination signals or protected field infringements. The length here corresponds to the number of simultaneously monitored protected fields and thus typically amounts to at most ten, at most twenty, at most fifty, or at most one hundred. Particularly with a higher number of protected fields to be configured, the system can provide an automatism to fix protected fields or to at least suggest them. For example, the vehicle 12a could be moved into the reference position and the respective overhang of the protected fields S1, S3, S5 with respect to the protected fields S2, S4, S6 at the border to the environmental objects 30 is automatically fixed.

[0068] Validations of the position preferably take place at positions that are particularly critical from a technical safety aspect, for instance where a transfer takes place such as in FIG. 6 or where specific safety functions are shut down (muting) or protected fields are switched over. The trigger can also be produced by the non-safe controller 18 from the determined position data, but a watchdog monitoring is then required. The status change of one or more reference protected fields can also be used as the trigger for a validation in the example of FIG. 5. The advantage again comprises the fact that the position of the vehicle 12 is also particularly exactly determined without SLAM at the time of the status change.

[0069] Alternatively or additionally to a safety system 10 with only a safety laser scanner 14 as in FIGS. 5 and 6, a localization and navigation could also take place with other sensors, for instance on a radio basis by means of UWB (ultra-wideband). Such a sensor could naturally itself be formed as safe with a high effort, but preferably complements the safety system 10 as an optional non-safe sensor 16 as in FIG. 1. In the navigation with such a non-safe sensor 16, the position information is then not only produced in a non-safe manner and evaluated in the non-safe controller 18, but is also still transmitted back to the vehicle 12 via a non-safe radio interface. The safety controller 20 of the vehicle 12 can then check with the aid of the reference protected fields described here whether the non-safely determined position is correct at the critical point at which the protected fields, for example, have to be switched over to move into a track.