IROS2019国际学术会议论文集0785

Concept and Validation of a Large-scale Human-machine Safety System Based on Real-time UWB Indoor Localization* Wei Wang*, Zhuoqi Zeng, Wan Ding, Huajun Yu, and Hannes Rose AbstractIn production line, the conventional industrial robots and automatic machines require machinery safety pro- tection to guarantee the safety of human operators. A scalable and easy-to-confi gure safety system concept called “Real-time Safety Virtual Positioning” (RSVP) is proposed, which could act as potentially key enabler for agile production systems by eliminating fi xed safety installation and thus increasing productivity and fl exibility. The RSVP provides easy access to robots of automatic assembly lines in plants, e.g., automotive OEM, and supports virtualization and transparent to fully automatic and semi-automatic assembly line by knowing the position of persons and relevant objects (e.g., tools, fi nished and/or semi-fi nished goods, and materials). The focus of the paper will discuss the functional safety certifi cation realization (concept approved by TV (Technical Inspection Association) and validation details of indoor localization-based safety system developments. The detailed strategy of the functional safety requirements, danger diagnosis and reaction approach, com- munication among safety controller, robot and machine, and safe failure reaction are listed and analyzed. The physical hardware framework and software architecture of the safety system are built and developed with the 1oo2-architecture according to the Performance Levels (PL d) of ISO 13849 and the Safety Integrity Levels (SIL 2) of IEC 61508. The implicated algorithms and data process of the UWB-based (Ultra-Wide Band) indoor localization system are introduced. The safety system concept is validated and verifi ed in an ABS (Anti-lock Braking System) production line with human-robot co-existence environment. I. INTRODUCTION The modern manufacturing scene is venturing into new corners of high-density, labor-intensive production and down new avenues for collaboration. Following these, the potential danger and safety problems between the operator and high- speed robots/danger machines becomes inevitable issues. As the standard and traditional solution, the protection cells with safeguards (e.g. safety fence, emergency button, inter- locker, light curtain, etc.) are used to isolate the robots/danger machines from operator 1. Currently, in conjunction with new safety standards and advanced safety peripheral devices, robots and humans are now able to go where few dared before 2. Robots embedded with the safety-rated monitored stop and soft axis limiting from robot controller enable the safeguarding 3. The safety software packages with space and speed limiting installed *This work was supported by National Key R in Section III, the proposed approach including safety operation defi nition, system architecture, and technical solutions are presented. Section III investigates the system construction in a real ABS production line. In Section IV, the main contributions are summarized. II. FUNCTIONALSAFETYSYSTEMCONCEPT CONSTRUCTION For the RSVP safety system development, two challenges are the key factors of this proposed safety system: How to ensure that the operator takes localization tag and wear it in the constraint area? How to deal with the unpredicted events that the oper- ator intends to plug out the localization tag? To answer above questions, during the system concept phase with the constraint of the functional safety certifi ed system and stable running in production lines, all the re- quirements of functional safety (PL d, SIL2) and the working effi ciency of production line are balanced by constructing the reasonable operation regulations to avoid the unnecessary down time. As illustrated in Fig. 2, the RSVP system consists of fi ve modules: Tags: are mounted on human and robots (max. 90) that sends location packet to the Receiver. Packet includes Packet Control, Packet Index, Pan ID, Target address, Source address, Packet Type, Passphrase, Data (Battery voltage), FCS (CRC) and other related information. No interaction or communication between Tag and Tag. The Tag to receiver communication needs to be safe communication (Black Channel). Receivers: are installed at a fi xed position (max. 20), receive UWB signals from tags and other receivers, process the signals and then transfer them to location engines via Ethernet (LAN). It needs to be safe com- munication (Blank Channel). Safe Controller: Based on absolute position provided by location engine, the decision module will calculate the relative distance between human and machines, and make decisions to give output signal to the robots by Functional Safety over EtherCAT (FSoE)., e.g., reduce speed or stop robot. Location Engine: runs on safety controller and calcu- lates the absolute tag positions of both human beings and robots based on signals from receivers. The loca- tion engine is realized purely by software in the safe controller. RSVP UI (user interface): that runs on safety controller and can be confi gured by operator (safety operation) is designed to give the confi guration information into safety system according to the specifi c production line and shows the real-time scene with system status. Fig. 2: The RSVP system overview A. Functional Safety Requirements The core features of Safe Controller are listed below: Safe Operation: Calculates the distance of tags on human and robot. The robot should slow down once the operator enters into the warning zone (yellow). The robot should stop once the operator enters into the danger zone (red). Monitors the system for any possible failures, which leads RSVP to Safe Failure. All the robots and machines stop and the entrances gate is controlled. Once any registered tag (entered the controlled zone) has lost then RSVP gets into Safe Failure. When the operator enters in the forbidden zone, corre- sponded machines should be stopped. Emergency Operation: Once the emergency button is pressed, all robots and machine (inside danger zone) should be stopped and entrance gate should be controlled for out. RSVP gets into Safe Failure. If the RSVP system needs to be restarted once Safe Failure happens, the entire system should be restarted manually from initialization after releasing the emer- gency button. B. Safe Failure Process From the requirements of functional safety, system scope is looking for exit criteria to recover Safe Failure. There- 202 fore, the robot/machine should be kept in shut down state (not recoverable through software) with remaining in Safe Failure for the following cases: Operator and robot tags loss or stability loss: Power of registered wearable tags is cut off. 3 consecutive position data lost. Safety controller internal fault. Emergency button is pressed. The RSVP system shall be able to recover from fault state for the following errors: Emergency button releases: change the status to “INI- TIALIZE” (the RSVP system starts from initialization). The recovery condition would be the RSVP system restart due to the removal of internal faults. C. Danger Diagnosis Approach In RSVP system, we defi ne two safety distances accord- ing to the distance between wearable devices and tags on robots (Figure 3). Large Safety distance (LSD): the distance allows the robots to slow down to reduced speed into 250 mm/s. The parameters of two distances calculation in the RSVP system, such as the stopping time and max. moving speed, could be confi gured easily according to the system responding time. LSD = (Kh+ Kr1+ Kb1) T + A + L + Tz(1) Short Safety Distance (SSD): the distance, within which the robots must stop to avoid hurting a human. The SSD can be calculated as: SSD = (Kh+ Kr2+ Kb2) T + A + L + Tz(2) where, for example: Kh= 1600 mm/s is maximum human moving speed, Kr1= 2000 mm/s is maximum moving speed of robot arm, Kr2= 250 mm/s is safe moving speed of robot arm, Kb1= 2000 mm/s is maximum moving speed of robot base (only for mobile application), Kb2= 250 mm/s is safe moving speed of robot base, A = 850 mm is the length of human arm, and L is Maximum horizontal distance from a tag to the far end of corresponding part, Tzis tolerance zone, T = 200 ms is the selected system stopping time, respectively. If tags are installed on top of robot base, the Kb1and Kb2 can be set as zero. Detection zones are defi ned as circles, whose center is located at tags on robots and whose radius is LSD and SSD, respectively. Tolerance zone Tz= 7.1 + Es, where Es is systematic infl uence. This tolerance zone shall be added into the above LSD and SSD. According to experimental results, is confi gured as 153 mm here. D. Entrance Gate Control for Access In order to enter the controlled area, confi gured valid operators via RSVP UI must stand on the pressure sensitive mat, and wear the wearable devices. The tags, which is not confi gured or whose localization data stability is less than 4 seconds on the mat, are not validated to enter the controlled area. Fig. 3: The robot safety zone diagram If both conditions are met, the RSVP controller will open the entrance gate for entry or exit. The tag status is dynam- ically updated with REGISTERED/ UNREGISTERED. Moreover, an operator shall be able to exit through the gate when the system is in safe failure. III. THERSVP SYSTEMVALIDATIONDETAILS A. System Architecture As the requirement of the PLd, SIL2 safety level, on the one hand, high availability architecture is required in a control system; on the other hand, such architecture needs to be combined with high safety measures 12. In this context, the standard IEC 61508 presents a set of system architectures to fulfi ll dependability requirements based mainly on redun- dancy and diagnosis. By considering high safety, the 1oo2- architecture is selected and designed in the RSVP system. Fig. 4: The RSVP system physiscal hardware framework 1) Physical Architecture (see Figure 4): Within the 1oo2 architecture, the RSVP system is designed for the dual- channel solution (two individual UWB localization system as input) and safety-certifi ed system component (entrance sensor mat, center computation unit, and FSoE communi- cation). As the key centering component, the MEN F75P1 is selected. It is an x86 Intel Atom E680T based fail-safe vital embedded computer (safety-certifi ed QNX), certifi able 1 203 up to SIL4 with on-board dual redundancy for functional safety and a third CPU for I/O communication. The menTCS platform from MEN safety controller has a functional safe certifi ed component called PACY. The PACY allows the safe application running on safe CPU known as CP. These two safety CPUs (CP1 Based on the experimental results, the time difference of arrival (TDOA) positioning process that provided better accuracy were chosen, which means, in RSVP system, totally 200 tags can be used at the same time based on TDOA. To be noticed, because the TDOA requirements of time synchronization and the only one master receiver will periodically send 2 3https:/www.beckhoff.de/default.asp?highlights/fsoe/default.htm Fig. 5: The RSVP system embedded fl owchart Fig. 6: The RSVP system user interface (UI) synchronization packet to each slave receivers and tags 14 17. It is allowed that the failure of synchronization of Slave Receivers can be up to 3 times because of the high clock accuracy of Slave Receiver. But in the case of more than 3 times, the system will enter into safe state, i.e. safe controller will send the STOP signal to the robot controller. 2) NLOS/LOS Diagnosis: During the real-time experi- ments, different approaches are investigated for Line-of- Sight (LOS) and Non-Line-of-Sight (NLOS) detection. In addition, in the RSVP system, the NLOS detection that can 204 be realized based on the features extracted from channel impulse response (CIR) are tested. Different characteristics can be observed with LOS/NLOS CIRs. In our previous research 1821, the NLOS identifi cation were achieved based on the CIR features. In TDOA, only if the range difference calculated based on two LOS CIRs received by two BSs is used further for position estimation. Thus, enough number of BSs need to be installed. 3) Localization Data Post-fi ltering:Furthermore, the Kalman Filter (KF) is selected to reduce the noise, which is realized by two steps: the prediction step and the update step. Two kinds of KF are used: constant velocity (CV) and constant acceleration (CA) model. In the CV model, constant velocity is assumed for current state vector estimation. While in the CA model, the assumption is that the acceleration is constant. Since the movement of the objects in reality is the combination velocity and acceleration. Thus, we found out that one single model can not describe the real dynamic of the system. In order to improve the post-fi ltering performance in the RSVP system, the Interacting Multiple Model (IMM) is applied to fuse CV and CA model. Based on the position estimation results, the advantage of IMM can be summarized as follows: enhancing following ability, weakening fl uctuate and excessive sensibility, and smoothing targets dynamic trajectory. C. Control and Communication with Robot and Machine The MEN menTCS platform is selected to co-work with KRC4 robot in the RSVP system. The menTCS including F75P and K1, K2 cards has been certifi ed up to SIL4. As it communicates with KUKA KRC4 via EK1100 and EL6695- 01 EtherCAT bridge as displayed in Figure 4 via FSoE. The functional safe certifi ed PACY of the menTCS plat- form allows the safe application running on safe CPU to control MEN I/O cards such as K1, K2, and other FSoE slaves; it can also communicate with other third party FSoE master such as KUKA KRC4 via EK1100 and EL6695-01. PACY is designed as a framework, integrates the FSoE com- munication modules already inside. Users can use provided PACY APIs to access the I/O data via FSoE communication 22. To communicate with an FSoE slave, PACY needs to be confi gured accordingly in advance. In this case, as long as one more KRC4 robot is added into the EtherCAT ring via FSoE communication, the application need to tell PACY allocation specifi c input and output data space for KUKA KRC4 that is enabled by 8-byte FSoE input data 23. IV. EXPERIMENTALTESTS The entire RSVP system is validated and verifi ed in the ABS production line of the Bosch Plant. As illustrated in Figure 7, the entire line is isolated as a 12m 11m size area with safety fences and one entrance gate. As illustrated in Figure 8, the production line is fully automatic with one packaging operator always stay in line, one line manager frequently entering/leaving, and one technician gets inside once line needs maintenance. The production line consists of fi ve KUKA Agilus robots located in different workcells. The RSVP system is composed of the following components: localization sensor system, physical fences, sensor mate, dual-directional entrance gate, wearable charging station, UI screen, wearable devices, and RSVP safety controller. Fig. 7: The RSVP system construction in production line Fig. 8: The RSVP system components in scene In order to test the performance of the RSVP system, the fi eld test for the static accuracy analysis and dynamic accuracy analysis and latency measurement were carried out respectively. The tag frequency is set as 20Hz, the number of receivers and static tags are 8 and 9, respectively. 1) Static accuracy analysis: As illustrated in Figure 7, the 9 tags are deposited at various specifi c positions (on the cabinets, the enclosures and the robot arms), and tag positions by RSVP system are measured for a period of 1 hour. As shown in Figure 9, the static tag test results could be concluded as, Static test analysis Raw data (UWB localization system) contains outliers; Outliers can be removed by RSVP fi ltering algorithm; Filtered data distributes around the actual position. Static performance Similar performance at different positions Slight drift in the areas around fences, enclosures Accuracy 20 cm after fi ltering (in complex working condition in the production line) 2) Dynamic accuracy analysis and latency measurement: As displayed in Figure 10, based on the methods and algorithms discussed in section III part B, the experimental of dynamic test with human operator wearing the tag with 205 Fig. 9: Histogram of the positions (raw and fi ltered data) the setup of 8 receivers are carried out in ABS production line. The raw and fi ltered data are compared and displayed directly on the 2D sketch. Dynamic test analysis (See Figure 10(a) Raw data contains outliers Accuracy 20 cm after fi ltering Good performance in normal working area Lower performance on the border of covered area Filtering latency measurement (See Figure 10(b) System consists communication, position computing and fi ltering latency Filtering latency depends on tag frequency, fi ltering method and parameters optimization Ensuring the accuracy, average fi ltering latency of sev- eral trials is less than 0.3 s Tag speed: 4 m/s Several sequences of the system testing in production line are shown in Figure 11. For more detailed information, please refers to the supplementary video. V. CONCLUSION The RSVP system concept provides a new potential op- tional candidate for the industrial customers who have the needs of safety system for the consideration and customiza- tion of large-scale installation in a plant, fenceless, cost effi ciency, easy maintenance, and fl exibility. The proposed RSVP system was designed and developed under the machin- ery functional safety requirements of PL d, SIL 2. The entire UWB-based safety system concept and infrastructure was constructed, tested and validated in our ABS manufacturing plant, which brings a good improvement of the performanc