IROS2019国际学术会议论文集 0785

Concept and Validation of a Large scale Human machine Safety System Based on Real time UWB Indoor Localization Wei Wang Zhuoqi Zeng Wan Ding Huajun Yu and Hannes Rose Abstract In production line the conventional industrial robots and automatic machines require machinery safety pro tection to guarantee the safety of human operators A scalable and easy to confi gure safety system concept called Real time Safety Virtual Positioning RSVP is proposed which could act as potentially key enabler for agile production systems by eliminating fi xed safety installation and thus increasing productivity and fl exibility The RSVP provides easy access to robots of automatic assembly lines in plants e g automotive OEM and supports virtualization and transparent to fully automatic and semi automatic assembly line by knowing the position of persons and relevant objects e g tools fi nished and or semi fi nished goods and materials The focus of the paper will discuss the functional safety certifi cation realization concept approved by T V Technical Inspection Association and validation details of indoor localization based safety system developments The detailed strategy of the functional safety requirements danger diagnosis and reaction approach com munication among safety controller robot and machine and safe failure reaction are listed and analyzed The physical hardware framework and software architecture of the safety system are built and developed with the 1oo2 architecture according to the Performance Levels PL d of ISO 13849 and the Safety Integrity Levels SIL 2 of IEC 61508 The implicated algorithms and data process of the UWB based Ultra Wide Band indoor localization system are introduced The safety system concept is validated and verifi ed in an ABS Anti lock Braking System production line with human robot co existence environment I INTRODUCTION The modern manufacturing scene is venturing into new corners of high density labor intensive production and down new avenues for collaboration Following these the potential danger and safety problems between the operator and high speed robots danger machines becomes inevitable issues As the standard and traditional solution the protection cells with safeguards e g safety fence emergency button inter locker light curtain etc are used to isolate the robots danger machines from operator 1 Currently in conjunction with new safety standards and advanced safety peripheral devices robots and humans are now able to go where few dared before 2 Robots embedded with the safety rated monitored stop and soft axis limiting from robot controller enable the safeguarding 3 The safety software packages with space and speed limiting installed This work was supported by National Key R in Section III the proposed approach including safety operation defi nition system architecture and technical solutions are presented Section III investigates the system construction in a real ABS production line In Section IV the main contributions are summarized II FUNCTIONALSAFETYSYSTEMCONCEPT CONSTRUCTION For the RSVP safety system development two challenges are the key factors of this proposed safety system How to ensure that the operator takes localization tag and wear it in the constraint area How to deal with the unpredicted events that the oper ator intends to plug out the localization tag To answer above questions during the system concept phase with the constraint of the functional safety certifi ed system and stable running in production lines all the re quirements of functional safety PL d SIL2 and the working effi ciency of production line are balanced by constructing the reasonable operation regulations to avoid the unnecessary down time As illustrated in Fig 2 the RSVP system consists of fi ve modules Tags are mounted on human and robots max 90 that sends location packet to the Receiver Packet includes Packet Control Packet Index Pan ID Target address Source address Packet Type Passphrase Data Battery voltage FCS CRC and other related information No interaction or communication between Tag and Tag The Tag to receiver communication needs to be safe communication Black Channel Receivers are installed at a fi xed position max 20 receive UWB signals from tags and other receivers process the signals and then transfer them to location engines via Ethernet LAN It needs to be safe com munication Blank Channel Safe Controller Based on absolute position provided by location engine the decision module will calculate the relative distance between human and machines and make decisions to give output signal to the robots by Functional Safety over EtherCAT FSoE e g reduce speed or stop robot Location Engine runs on safety controller and calcu lates the absolute tag positions of both human beings and robots based on signals from receivers The loca tion engine is realized purely by software in the safe controller RSVP UI user interface that runs on safety controller and can be confi gured by operator safety operation is designed to give the confi guration information into safety system according to the specifi c production line and shows the real time scene with system status Fig 2 The RSVP system overview A Functional Safety Requirements The core features of Safe Controller are listed below Safe Operation Calculates the distance of tags on human and robot The robot should slow down once the operator enters into the warning zone yellow The robot should stop once the operator enters into the danger zone red Monitors the system for any possible failures which leads RSVP to Safe Failure All the robots and machines stop and the entrances gate is controlled Once any registered tag entered the controlled zone has lost then RSVP gets into Safe Failure When the operator enters in the forbidden zone corre sponded machines should be stopped Emergency Operation Once the emergency button is pressed all robots and machine inside danger zone should be stopped and entrance gate should be controlled for out RSVP gets into Safe Failure If the RSVP system needs to be restarted once Safe Failure happens the entire system should be restarted manually from initialization after releasing the emer gency button B Safe Failure Process From the requirements of functional safety system scope is looking for exit criteria to recover Safe Failure There 202 fore the robot machine should be kept in shut down state not recoverable through software with remaining in Safe Failure for the following cases Operator and robot tags loss or stability loss Power of registered wearable tags is cut off 3 consecutive position data lost Safety controller internal fault Emergency button is pressed The RSVP system shall be able to recover from fault state for the following errors Emergency button releases change the status to INI TIALIZE the RSVP system starts from initialization The recovery condition would be the RSVP system restart due to the removal of internal faults C Danger Diagnosis Approach In RSVP system we defi ne two safety distances accord ing to the distance between wearable devices and tags on robots Figure 3 Large Safety distance LSD the distance allows the robots to slow down to reduced speed into 250 mm s The parameters of two distances calculation in the RSVP system such as the stopping time and max moving speed could be confi gured easily according to the system responding time LSD Kh Kr1 Kb1 T A L Tz 1 Short Safety Distance SSD the distance within which the robots must stop to avoid hurting a human The SSD can be calculated as SSD Kh Kr2 Kb2 T A L Tz 2 where for example Kh 1600 mm s is maximum human moving speed Kr1 2000 mm s is maximum moving speed of robot arm Kr2 250 mm s is safe moving speed of robot arm Kb1 2000 mm s is maximum moving speed of robot base only for mobile application Kb2 250 mm s is safe moving speed of robot base A 850 mm is the length of human arm and L is Maximum horizontal distance from a tag to the far end of corresponding part Tzis tolerance zone T 200 ms is the selected system stopping time respectively If tags are installed on top of robot base the Kb1and Kb2 can be set as zero Detection zones are defi ned as circles whose center is located at tags on robots and whose radius is LSD and SSD respectively Tolerance zone Tz 7 1 Es where Es is systematic infl uence This tolerance zone shall be added into the above LSD and SSD According to experimental results is confi gured as 153 mm here D Entrance Gate Control for Access In order to enter the controlled area confi gured valid operators via RSVP UI must stand on the pressure sensitive mat and wear the wearable devices The tags which is not confi gured or whose localization data stability is less than 4 seconds on the mat are not validated to enter the controlled area Fig 3 The robot safety zone diagram If both conditions are met the RSVP controller will open the entrance gate for entry or exit The tag status is dynam ically updated with REGISTERED UNREGISTERED Moreover an operator shall be able to exit through the gate when the system is in safe failure III THERSVP SYSTEMVALIDATIONDETAILS A System Architecture As the requirement of the PLd SIL2 safety level on the one hand high availability architecture is required in a control system on the other hand such architecture needs to be combined with high safety measures 12 In this context the standard IEC 61508 presents a set of system architectures to fulfi ll dependability requirements based mainly on redun dancy and diagnosis By considering high safety the 1oo2 architecture is selected and designed in the RSVP system Fig 4 The RSVP system physiscal hardware framework 1 Physical Architecture see Figure 4 Within the 1oo2 architecture the RSVP system is designed for the dual channel solution two individual UWB localization system as input and safety certifi ed system component entrance sensor mat center computation unit and FSoE communi cation As the key centering component the MEN F75P1 is selected It is an x86 Intel Atom E680T based fail safe vital embedded computer safety certifi ed QNX certifi able 1 203 up to SIL4 with on board dual redundancy for functional safety and a third CPU for I O communication The menTCS platform from MEN safety controller has a functional safe certifi ed component called PACY The PACY allows the safe application running on safe CPU known as CP These two safety CPUs CP1 Based on the experimental results the time difference of arrival TDOA positioning process that provided better accuracy were chosen which means in RSVP system totally 200 tags can be used at the same time based on TDOA To be noticed because the TDOA requirements of time synchronization and the only one master receiver will periodically send 2 3https www beckhoff de default asp highlights fsoe default htm Fig 5 The RSVP system embedded fl owchart Fig 6 The RSVP system user interface UI synchronization packet to each slave receivers and tags 14 17 It is allowed that the failure of synchronization of Slave Receivers can be up to 3 times because of the high clock accuracy of Slave Receiver But in the case of more than 3 times the system will enter into safe state i e safe controller will send the STOP signal to the robot controller 2 NLOS LOS Diagnosis During the real time experi ments different approaches are investigated for Line of Sight LOS and Non Line of Sight NLOS detection In addition in the RSVP system the NLOS detection that can 204 be realized based on the features extracted from channel impulse response CIR are tested Different characteristics can be observed with LOS NLOS CIRs In our previous research 18 21 the NLOS identifi cation were achieved based on the CIR features In TDOA only if the range difference calculated based on two LOS CIRs received by two BSs is used further for position estimation Thus enough number of BSs need to be installed 3 Localization Data Post fi ltering Furthermore the Kalman Filter KF is selected to reduce the noise which is realized by two steps the prediction step and the update step Two kinds of KF are used constant velocity CV and constant acceleration CA model In the CV model constant velocity is assumed for current state vector estimation While in the CA model the assumption is that the acceleration is constant Since the movement of the objects in reality is the combination velocity and acceleration Thus we found out that one single model can not describe the real dynamic of the system In order to improve the post fi ltering performance in the RSVP system the Interacting Multiple Model IMM is applied to fuse CV and CA model Based on the position estimation results the advantage of IMM can be summarized as follows enhancing following ability weakening fl uctuate and excessive sensibility and smoothing targets dynamic trajectory C Control and Communication with Robot and Machine The MEN menTCS platform is selected to co work with KRC4 robot in the RSVP system The menTCS including F75P and K1 K2 cards has been certifi ed up to SIL4 As it communicates with KUKA KRC4 via EK1100 and EL6695 01 EtherCAT bridge as displayed in Figure 4 via FSoE The functional safe certifi ed PACY of the menTCS plat form allows the safe application running on safe CPU to control MEN I O cards such as K1 K2 and other FSoE slaves it can also communicate with other third party FSoE master such as KUKA KRC4 via EK1100 and EL6695 01 PACY is designed as a framework integrates the FSoE com munication modules already inside Users can use provided PACY APIs to access the I O data via FSoE communication 22 To communicate with an FSoE slave PACY needs to be confi gured accordingly in advance In this case as long as one more KRC4 robot is added into the EtherCAT ring via FSoE communication the application need to tell PACY allocation specifi c input and output data space for KUKA KRC4 that is enabled by 8 byte FSoE input data 23 IV EXPERIMENTALTESTS The entire RSVP system is validated and verifi ed in the ABS production line of the Bosch Plant As illustrated in Figure 7 the entire line is isolated as a 12m 11m size area with safety fences and one entrance gate As illustrated in Figure 8 the production line is fully automatic with one packaging operator always stay in line one line manager frequently entering leaving and one technician gets inside once line needs maintenance The production line consists of fi ve KUKA Agilus robots located in different workcells The RSVP system is composed of the following components localization sensor system physical fences sensor mate dual directional entrance gate wearable charging station UI screen wearable devices and RSVP safety controller Fig 7 The RSVP system construction in production line Fig 8 The RSVP system components in scene In order to test the performance of the RSVP system the fi eld test for the static accuracy analysis and dynamic accuracy analysis and latency measurement were carried out respectively The tag frequency is set as 20Hz the number of receivers and static tags are 8 and 9 respectively 1 Static accuracy analysis As illustrated in Figure 7 the 9 tags are deposited at various specifi c positions on the cabinets the enclosures and the robot arms and tag positions by RSVP system are measured for a period of 1 hour As shown in Figure 9 the static tag test results could be concluded as Static test analysis Raw data UWB localization system contains outliers Outliers can be removed by RSVP fi ltering algorithm Filtered data distributes around the actual position Static performance Similar performance at different positions Slight drift in the areas around fences enclosures Accuracy 20 cm after fi ltering in complex working condition in the production line 2 Dynamic accuracy analysis and latency measurement As displayed in Figure 10 based on the methods and algorithms discussed in section III part B the experimental of dynamic test with human operator wearing the tag with 205 Fig 9 Histogram of the positions raw and fi ltered data the setup of 8 receivers are carried out in ABS production line The raw and fi ltered data are compared and displayed directly on the 2D sketch Dynamic test analysis See Figure 10 a Raw data contains outliers Accuracy 20 cm after fi ltering Good performance in normal working area Lower performance on the border of covered area Filtering latency measurement See Figure 10 b System consists communication position computing and fi ltering latency Filtering latency depends on tag frequency fi ltering method and parameters optimization Ensuring the accuracy average fi ltering latency of sev eral trials is less than 0 3 s Tag speed 4 m s Several sequences of the system testing in production line are shown in Figure 11 For more detailed information please refers to the supplementary video V CONCLUSION The RSVP system concept provides a new potential op tional candidate for the industrial customers who have the needs of safety system for the consideration and customiza tion of large scale installation in a plant fenceless cost effi ciency easy maintenance and fl exibility The proposed RSVP system was designed and developed under the machin ery functional safety requirements of PL d SIL 2 The entire UWB based safety system concept and infrastructure was constructed tested and validated in our ABS manufacturing plant which brings a good improvement of the performance and cost effi ciency after evaluation The paper also shared detailed development progress strategy and consideration of functional safety system wireless indoor localization and functional safety requirements And currently the RSVP system is preparing in the formal phase of safety system a Raw and fi ltered data during dynamic test b Filtering latency measurement Fig 10 Dynamic test in ABS production line a operator wearing a tag b scene visualization c operator entering d robot slows down Fig 11 The RSVP system runs in the ABS production line certifi cation based on the approved concept by T V which is committed to achieving certifi ed