SPRY347 June 2022

 

  1.   At a glance
  2.   Authors
  3.   Introduction
  4.   Functional safety requirements for industrial robots
    1.     ISO 13849 in factory automation
    2.     ISO 10218 in industrial robots
  5.   Designing functional safety architectures for industrial robots
    1.     Dual external safety controllers
    2.     Single integrated safety controller
    3.     Dual integrated safety controllers
  6.   Processor-level integration for industrial robots
  7.   Making certification easier
    1.     Documentation support
    2.     Software support
  8.   Summary
  9.   References

Designing functional safety architectures for industrial robots

ISO 10218-1 specifies the safety requirements for industrial robots. According to the standard, an industrial robot shall be designed so that it complies with performance level d (PL d) with a Category 3 structure as described in ISO 13849-1:2006, or so that it complies with SIL 2 with a hardware fault tolerance of 1 (HFT=1) as described in IEC 62061:2005. Specifically, the industrial robot architecture must meet HFT=1 so that a single fault in any of the safety-related parts of the control system does not lead to the loss of the safety function. When a single fault occurs, the safety function shall still be performed, and a safe state shall be maintained until the detected fault is corrected.

Considering the robot controller use case in more detail, there are several ways a dual-channel safety architecture (HFT=1) can be realized:

  • Dual external safety controllers: The central compute and communication processors are paired with two separate MCUs or MPUs that implement safety channel 1 and safety channel 2, as shown in Figure 1.
  • Single integrated safety controller with one external safety controller: Safety channel 1 is integrated into either the central compute processor or the communication processor, and a separate external processor implements safety channel 2.
  • Dual integrated safety controllers: Safety channel 1 is integrated into the central compute processor and safety channel 2 into the communication processor, so no additional external processor is needed for the safety channels.
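Whichever of the three placements is chosen, the two channels run the same kind of logic: each channel evaluates the safety function from its own inputs, the channels cross-monitor each other, either channel alone can force the safe state (1oo2 voting), and a detected fault latches the safe state until it is corrected and acknowledged. The following C program is an added illustration of that HFT=1 behaviour; it is not code from this paper or from TI, and the speed limit, channel tolerance, input sequence and function names are assumptions made for the example.

```c
/* Added example: 1oo2 dual-channel safety voter with cross-monitoring.
 * Illustrative only; thresholds and inputs below are assumed, not from a standard. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SPEED_LIMIT_RPM    250u  /* assumed safely-reduced speed limit being monitored */
#define CHANNEL_TOLERANCE   10u  /* assumed permitted sensor disagreement between channels */

/* What one channel sees: its own speed sensor and its own e-stop contact. */
typedef struct {
    uint16_t speed_rpm;
    bool     estop_pressed;
} channel_in_t;

typedef enum { RUN = 0, SAFE_STOP = 1 } safety_out_t;

typedef struct {
    safety_out_t out;            /* demanded output for this cycle */
    bool         fault_latched;  /* a detected fault holds the safe state */
    const char  *reason;         /* human-readable cause, for logging */
} safety_state_t;

safety_state_t initial_state(void) {
    safety_state_t s = { SAFE_STOP, false, "power-on: safe state until first valid cycle" };
    return s;
}

/* Each channel decides on its own whether the safety function demands a stop. */
static bool channel_demands_stop(const channel_in_t *in) {
    return in->estop_pressed || in->speed_rpm > SPEED_LIMIT_RPM;
}

/* Cross-monitoring: the channels compare raw inputs. A disagreement means one
 * of them is faulty; the logic cannot tell which, so both are distrusted. */
static bool channels_disagree(const channel_in_t *a, const channel_in_t *b) {
    unsigned diff = a->speed_rpm > b->speed_rpm ? (unsigned)(a->speed_rpm - b->speed_rpm)
                                                : (unsigned)(b->speed_rpm - a->speed_rpm);
    return diff > CHANNEL_TOLERANCE || a->estop_pressed != b->estop_pressed;
}

/* One cycle of 1oo2 voting. A latched fault keeps the safe state regardless of
 * inputs; a new disagreement latches it; otherwise either channel alone may stop. */
safety_state_t evaluate_cycle(safety_state_t prev, const channel_in_t *ch1, const channel_in_t *ch2) {
    safety_state_t s = prev;
    if (s.fault_latched) {
        s.out = SAFE_STOP;
        s.reason = "fault latched: safe state held until fault corrected and reset";
    } else if (channels_disagree(ch1, ch2)) {
        s.fault_latched = true;
        s.out = SAFE_STOP;
        s.reason = "cross-monitoring: channel disagreement, fault latched";
    } else if (channel_demands_stop(ch1) || channel_demands_stop(ch2)) {
        s.out = SAFE_STOP;
        s.reason = "safety function demanded stop";
    } else {
        s.out = RUN;
        s.reason = "both channels agree: run";
    }
    return s;
}

/* Manual reset after repair. Accepted only once the channels agree again, so a
 * reset pressed while a channel is still faulty leaves the safe state latched. */
safety_state_t acknowledge_fault(safety_state_t prev, const channel_in_t *ch1, const channel_in_t *ch2) {
    if (prev.fault_latched && !channels_disagree(ch1, ch2)) {
        prev.fault_latched = false;
        prev.reason = "fault corrected: reset accepted";
    }
    return prev;
}

int main(void) {
    /* Constructed sequence: normal run; channel 1's e-stop contact fails (reads
     * pressed while channel 2 does not); premature reset; repair; reset; run. */
    const channel_in_t ok1 = { 100, false }, ok2 = { 104, false };
    const channel_in_t bad1 = { 100, true }, bad2 = { 104, false };
    safety_state_t s = initial_state();

    s = evaluate_cycle(s, &ok1, &ok2);      printf("%d %s\n", s.out, s.reason);
    s = evaluate_cycle(s, &bad1, &bad2);    printf("%d %s\n", s.out, s.reason);
    s = acknowledge_fault(s, &bad1, &bad2); printf("%d %s\n", s.out, s.reason);
    s = evaluate_cycle(s, &ok1, &ok2);      printf("%d %s\n", s.out, s.reason);
    s = acknowledge_fault(s, &ok1, &ok2);   printf("%d %s\n", s.out, s.reason);
    s = evaluate_cycle(s, &ok1, &ok2);      printf("%d %s\n", s.out, s.reason);
    return 0;
}
```

The single stuck e-stop contact on channel 1 is exactly the single fault HFT=1 is meant to tolerate: channel 2 still sees a valid input, the disagreement is detected, and the output goes to and stays in the safe state even though the raw inputs look healthy again on the next cycle. Two things a real design adds that this sketch omits: a discrepancy time window, because the two contacts of a physical e-stop never change state at exactly the same instant, and periodic test pulses or diagnostics that detect a dormant fault before it is needed.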