Wireless Safety

Author: CEmarking TEAM | Last edited: 18.06.2020

Wireless communication is increasingly finding its way into production. In many cases a wireless interface is added to the existing interfaces. Especially where mobile machines have to be operated, people are tempted to use tablets for operation. This may work for pure visualization or data acquisition, but not when it comes to performing tasks in hazardous areas or directly operating a machine or robot. In these cases, safety functions such as emergency stop or enabling switch are essential.

These safety features cannot be provided by off-the-shelf tablets, which is why it has generally been necessary to use classic HMI panels with cables for operation in hazardous areas. In addition to the power supply, these ensure data communication and, last but not least, the transmission of the safety functions, either discretely or via safety protocols.

If mobile operator interfaces are to be used in a safety-relevant environment, it must be ensured, among other things, that no dangerous movements are triggered from outside the visual range. A cable of the correct length is a design-based, physical limit on the effective range. Replacing this limit is one of the major challenges when switching to radio. A chain, cord or additional proximity sensor could be used to define an effective range, but this would defeat the purpose of a wireless control device. In addition to limiting the effective range, availability and reaction times are challenges to be solved. Directly wired emergency stop buttons, for example, have a reaction time in the two-digit millisecond range and below and are highly available.

Automatic emergency stop activation

If the operator leaves the effective range and the tolerance zone, an emergency stop shall be triggered automatically after a defined time. Experience shows that, depending on the speed of the moving axes, a maximum delay of 100 ms must be guaranteed. At the reduced speed of 250 mm/s permitted by EN10218-2, this corresponds to an accepted 25 mm of travel. If WLAN is used to communicate the emergency stop signal by means of the black channel principle, these 100 ms are certainly attainable - but not guaranteed. The evaluating safety controller only ever receives the status 'Emergency stop not active'. If this information reaches the safety controller too late or - in the worst case - not at all, an emergency stop is triggered. Ideally, this should only ever happen when an emergency stop has actually been pressed. In that case, maximum machine availability would also be guaranteed.

However, since wireless communication is difficult to limit completely and guaranteed latencies of less than 100 ms cannot be expected, packet loss or delays in the communication of safety data may occur. This causes the machine to go into emergency stop without the emergency stop having been pressed. From the safety engineer's point of view this condition is permissible and must therefore be accepted. From the operator's point of view, however, it is not satisfactory, as it puts goals such as increasing effectiveness a long way off. For the machine or plant operator, this means that compromises must be made. One could restrict WLAN communication or exclude other WLAN participants in production to avoid undesired emergency stop situations - but this is becoming increasingly unrealistic.

Another important point is the tolerance or reaction time. Here too, a compromise would have to be found to ensure that an undesirable emergency stop rarely or never occurs. Although an acceptable level of availability can be found by increasing the tolerance time, this still requires that the bandwidth used remains stable. However, a later integration or retrofit using a wireless system via WLAN would have a massive impact on this. The previously 'designed' tolerance time must now be compared with the machine safety assessment. This means that at 500 ms (a value empirically determined in the field, for example, where standard WLAN use leads to almost no emergency stop packet loss), the 25 mm already mentioned would become 125 mm. The same values apply not only in the case of an emergency stop, but also with regard to the potential overtravel of axes when the enabling switch is released, and ultimately also for non-safe communication.
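The watchdog behaviour and the overtravel figures from the two paragraphs above, as an added example (not code from the article or from any safety controller): a controller that only ever receives 'Emergency stop not active' frames and stops when one is late or missing. The `Frame` layout, the sequence number and the sample arrival times are assumptions constructed for illustration.

```python
from dataclasses import dataclass

REDUCED_SPEED_MM_S = 250.0  # reduced speed quoted in the article


@dataclass
class Frame:                  # assumed frame layout, not a real safety protocol
    arrival_ms: float         # time the frame reaches the safety controller
    seq: int                  # assumed sequence number carried in the frame
    estop_not_active: bool    # the only status the controller ever receives


def overtravel_mm(speed_mm_s, tolerance_ms):
    """Worst-case axis travel while the controller is still waiting."""
    return speed_mm_s * tolerance_ms / 1000.0


def evaluate(frames, tolerance_ms, end_ms):
    """Return (trip_time_ms, reason); trip_time_ms is None if no stop occurred."""
    deadline = tolerance_ms   # first frame is due within one tolerance time
    last_seq = -1
    for f in sorted(frames, key=lambda fr: fr.arrival_ms):
        if f.arrival_ms > deadline:
            return deadline, "timeout"        # late or lost frame: stop
        if f.seq <= last_seq:
            continue                          # stale frame must not refresh
        last_seq = f.seq
        if not f.estop_not_active:
            return f.arrival_ms, "estop_pressed"
        deadline = f.arrival_ms + tolerance_ms
    if end_ms > deadline:
        return deadline, "timeout"
    return None, "running"


# Constructed arrival times: 20 ms cycle, then a 250 ms WLAN stall,
# then the operator presses the emergency stop (frame 6).
SAMPLE = [Frame(20, 1, True), Frame(40, 2, True), Frame(60, 3, True),
          Frame(310, 4, True), Frame(330, 5, True), Frame(350, 6, False)]

if __name__ == "__main__":
    for tol in (100, 500):
        trip, reason = evaluate(SAMPLE, tol, end_ms=400)
        print(f"tolerance {tol} ms: {reason} at {trip} ms, "
              f"overtravel up to {overtravel_mm(REDUCED_SPEED_MM_S, tol)} mm")
```

With the 100 ms tolerance the stall stops the machine at 160 ms although nothing was pressed; with 500 ms the stall is ridden out and the real press stops it at 350 ms, at the cost of up to 125 mm of travel.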

Effective range of safe operation

WLAN and Bluetooth components have a long range of 30 meters and more. This is a required feature for many applications, but it also means that under certain circumstances the safe connection, and thus the control of safety-relevant movements, may still be possible at a distance from which visibility into the danger zone is no longer guaranteed. In practice, this would mean that an operator who goes to the break room, for example, could endanger another operator standing directly at the machine. Organisational measures can exclude this; however, according to the Machinery Directive, design measures must be implemented before control-related and organisational measures.

Functional buttons via radio control

A keystroke should usually lead to an immediate reaction. When activating a movement, it may be acceptable for the movement to start after 50 ms on one occasion and after 200 ms on another (studies show that humans still perceive a reaction time of up to 100 ms as immediate). When stopping an axis or a machine, on the other hand, an unpredictable response time results in varying stopping times, which can lead to accuracy problems or, in the worst case, to the destruction of workpieces. Moreover, an unforeseeable overtravel cannot be controlled even by an experienced operator - this makes movement and travel keys with unpredictable reactions ergonomically useless.

An alternative is to move the communication of the safe signals to other technologies. Here, for example, Bluetooth with its frequency hopping method and separation of bandwidths is a good choice. In this way, safety signals with minimal bandwidth can be transmitted independently of the WLAN signals of the operating device and independently of other WLAN subscribers. In other words, stable response times of guaranteed under 100 ms can be achieved, independent of the WLAN load. This method of separate radio links ensures a robust, secure radio connection and thus high availability with fast and guaranteed response times.