I want to capture Functional Safety concepts. This is an important topic given the number of vehicles and their increasing automation. It was a major topic at the recent ArmTechCon.

Airbags, seat-belts, ABS, and tire-pressure-monitoring-systems are some of the safety features in a car.

Safety Function or Safety Instrumented Function (SIF): A function to take a system to a safe outcome when certain prerequisites on system inputs are not met. For example, turn on a warning indicator when seat-belt is not used or when the tire-pressure is below safe level, or deploy airbags when a collision is detected.

Safety Related Control Function (SRCF): This is the control mechanism by which the safety function is achieved. For example, collision above a certain impact threshold leads to airbag deployment by an airbag control module. Quote: “The airbag control module is installed inside the center console and contains a safety sensor, G sensor, ignition judgment circuit, and a backup power supply.”

Safety Integrity Level (SIL): The reliability of a safety-related-control-function is captured with a Safety Integrity Level or SIL. SIL level go from 1 to 4 (highest). SILs are derived from a risk estimation process and are used in estimating risk of a system built using pre-built components.

A safety standard is ISO26262. The V shaped functional safety process diagram describes the design steps flowing from OEM to supplier and verification steps flowing back from supplier to OEM (here). This process is used to achieve a Safety Integrity Level (SIL) where the SIL1, SIL2, SIL3, SIL4 reduce risk by a progressive factor of 10, i.e. by 10x, 100x, 1000x and 10000x. A hazard and operability study ( HAZOP ) is undertaken to understand the risks of the mechanism behaving incorrectly.

A good reference, from SIMATIC is here. Software aspects of safety function are discussed in in this whitepaper.

Safety systems for robotics are discussed here – this has a table of typical safety issues when a person enters a robot safeguarded area. Industrial robots security was briefly discussed in this blog here.

Another concept is SOTIF or Safety of the Intended Function, which comes up in functional safety discussions of AI-controlled vehicles. More links on it here.

An Nvidia safe driving report is here.

Robot safety systems must be concerned with graceful degradation in the face of component failures, bad inputs and extreme operating conditions. With the increasing complexity and prevelance of robots, one can expect these requirements to grow.

This document “Robot System Safety” describes the following safety features of Kuka robots-
— Restricted envelope
— EMERGENCY STOP
— Enabling switches
— Guard interlock

An interlock system described here for general control systems, is a mechanism for guaranteeing that an undesired combination of states does not occur – for e.g. robot moving when the cell door is open, or an elevator moving when the door is open. The combination of the controlled stop with the guard interlock is described as follows:

“The robot controller features a two–channel safety input, to which the guard interlock can be connected. In the automatic modes, the opening of the guard connected to this input causes a controlled stop, with power to the drives being maintained in order to ensure this controlled stop. The power is only disconnected once the robot has come to a standstill. Motion in Automatic mode is prevented until the guard connected to this input is closed. This input has no effect in Test mode. The guard must be designed in such a way that it is only possible to acknowledge the stop from outside the safeguarded space.”

This Stanford Linear Accelerator (SLAC) paper describes the advantages of PLCs for interlock design as:

. flexible system configuration due to modular hardware and software
. regularly scheduled background tests of PLC system and sensitive I/O
. comprehensive system self-tests
. intelligent fault diagnostics simplify trouble-shooting
. easy reconfiguration of the interlock logic
. no mechanical wear and tear
. improved security due to logic encapsulation in firmware

The SLAC use case is to lock the doors unless (a) the power has been shutoff or (b) the power is on but there is an explicit bypass for hot maintenance. They implement it on a Siemens PLC using statement lists (vs ladder logic or control system flowchart programming).
GE has a number of industrial interlocks for various safety functions – http://www.clrwtr.com/PDF/GE-Security/Sentrol-Catalog.pdf

A very useful article on interlocking devices – http://machinerysafety101.com/2012/06/01/interlocking-devices-the-good-the-bad-and-the-ugly/