Wireless Safety
Safe operation via radio - (how) does it work?
Many machine builders want to use tablets in addition to the existing machine operation. Demanded features such as WLAN, camera, multi-touch and much more are available here - but if safety functions are required, these devices reach their limits.
Wireless communication is increasingly finding its way into production. In many cases, a wireless interface is being added to the existing interfaces. Especially where mobile machine operation is required, it is easy to be tempted to use tablets for operation. This may work for pure visualization or data acquisition, but not when it comes to carrying out tasks in hazardous areas or operating a machine or robot directly. In these cases, safety functions such as emergency stop or enabling switches are essential.
Classic tablets cannot offer these safety features, which is why classic HMI operating devices with cables have generally had to be used for operation in hazardous areas. In addition to the power supply, these also ensure data communication and, last but not least, the transmission of safety functions, either discretely (hard-wired signals) or via safety protocols.
If mobile operating devices are to be used in a safety-relevant environment, it is important to ensure that no dangerous movements are triggered outside the field of vision. If the length is selected correctly - usually 5 m, 10 m or 15 m - a cable represents a constructive restriction of the effective range. This is one of the greater challenges when switching to radio. A chain or cord could be used to define an operating range, but this would defeat the purpose of a wireless operating device. In addition to limiting the effective range, issues such as availability and response times are challenges that need to be solved. Directly wired emergency stop buttons, for example, have a response time in the double-digit millisecond range and below and are highly available.
If the operator leaves the effective range and the tolerance zone, an emergency stop is triggered automatically after a defined time.
Practice shows that, depending on the speed of the moving axes (robots, gantries, automated guided vehicles), a maximum overtravel of 100 ms must be guaranteed. At the reduced speed of 250 mm/s permitted by EN10218-2, this is an accepted 2.5 cm. If WLAN is to be used for communicating the emergency stop signal using the black channel principle, this 100 ms can certainly be achieved - but is not guaranteed. Only the status 'emergency stop not active/pressed' has to reach the evaluating safety controller. If this information reaches the safety controller too late or - in the worst case - not at all, an emergency stop is triggered. Ideally, this only ever happens if an emergency stop has also been pressed. In this case, maximum machine availability would also be guaranteed.
However, as WLAN communication is difficult to restrict completely and no guaranteed latency times of less than 100 ms can be expected, packet losses or delays in the communication of safety data can occur. This leads to the machine going into emergency stop without the emergency stop having been pressed. This is a condition that is permissible from the TÜV's point of view and must therefore be accepted. From the operator's point of view, however, this condition is not satisfactory, as it means that goals such as increasing efficiency are a long way off.
For the machine or system operator, this means having to make compromises. WLAN communication could be restricted or other WLAN users in production could be excluded in order to avoid unwanted emergency stop situations - but this is becoming increasingly unrealistic. As the image data is transmitted to the mobile operating device via Wi-Fi, it must be ensured in the design of the application architecture, for example, that the application never utilizes the communication channel to such an extent that other essential use cases, such as documentation in the cloud or remote services, could trigger another unwanted emergency stop. Although this is feasible, it is not easy to implement, and at the very least involves a considerable amount of effort and restrictions that should not be underestimated. Functions that are now indispensable, such as the aforementioned camera, would have to be prevented or restricted - an absolute no-go for many.
Another important point is the tolerance or response time. Here, too, a compromise would have to be found so that an unwanted emergency stop occurs rarely or not at all. Although an acceptable value for availability can be found by increasing the tolerance time, this still requires that the bandwidth used remains stable. A later integration or retrofit, in which a wireless system via WLAN is used, would have a massive impact on this. The previously 'designed' tolerance time would now have to be compared with the machine safety assessment. This means that the 2.5 cm already mentioned would become 12.5 cm at 500 ms (a value empirically determined in the field, for example, at which standard WLAN use leads to almost no more emergency stop packet losses). The same values apply not only for emergency stops, but also with regard to the potential overtravel of axes when the enabling switch is released and ultimately also for non-secure communication.
Functional buttons via radio
Pressing a button should usually lead to an immediate reaction. When activating a movement, it may be acceptable for a movement to be initiated once after 50 ms and another time after 200 ms reaction time (according to studies, humans still perceive this as immediate up to 100 ms). However, when stopping the axis or stopping a machine, an unguaranteed reaction time can result in overtravel times, which can lead to accuracy problems or, in the worst case, to the destruction of workpieces. An unpredictable overrun cannot be controlled even by an experienced operator, making movement and traverse buttons with undefined reactions ergonomically unusable.
One alternative is to use other technologies to communicate the safe signals. Bluetooth, for example, with its frequency hopping method and separation of bandwidths, is a good option here. In this way, safety signals with minimal bandwidth can be transmitted independently of the operating device's WLAN signals and independently of other WLAN subscribers. In other words, stable response times of less than 100 ms are guaranteed, regardless of the WLAN load. This method of separate radio links ensures a robust, secure radio connection (availability) with fast and guaranteed response times.
Effective range of safe operation
As already mentioned, another function of the cable is the limiting function. It is intended to ensure that no movement that triggers a hazard can be initiated from too great a distance without a view of the danger zone - even though the limited cable length sometimes makes it awkward to walk just a few steps. An example: The cable is mounted at position '6 o'clock' and ensures clockwise travel to '2 o'clock' and counter-clockwise travel to '10 o'clock'. If you want to go from the '2 o'clock' position to '4 o'clock', you cannot take the short route, but have to go past '6 o'clock' because the cable has been dimensioned accordingly.
WLAN and Bluetooth components have a long range of 30 meters and more. While this is a required feature for many applications, it also means that a secure connection and thus the control of safety-relevant movements may still be possible at a distance from which visibility of the danger zone is no longer guaranteed. In practice, this would mean that an operator going into the break room, for example, could endanger another operator standing directly at the machine. Although organizational measures can be taken to prevent this, the Machinery Directive stipulates that design measures must be implemented before control and organizational measures.
Implementation using the example of KeTop T15x safe wireless
Against the background of the considerations discussed in this article, Keba developed the concept of the KeTop T150/T155 safe wireless generation of mobile operating devices. In order to meet the response times required in the safety environment, this solution transmits all visualization data via a WLAN connection between a so-called 'connection box' and the hand-held operating device, while all safety data is transmitted via Bluetooth. The existing WLAN infrastructures can still be used; there is no need to consider network utilization or take any other special precautions with regard to industrial WLAN.
WiFi options ensure that the HMI device can be used with inactive emergency stop and enabling switch in tablet mode.
If this is not desired, a local, dedicated wireless mode is only created after pairing - i.e. initiating the point-to-point connection with the base station. The local WiFi of the base station is not visible to other devices and can therefore only be connected to a KeTop T15x. Before and after pairing/unpairing, it is possible to set the WiFi to inactive. This wireless solution was created to comply with security guidelines. The separation of WiFi for visualization data and Bluetooth for safety data makes external intrusion even more difficult. Another connection was created for pairing itself (RFID) to ensure the highest security standards here too. In summary, these separate radio connections mean that even a temporary failure of the application would not trigger an emergency stop or set the enabling switch to inactive.
On the subject of effective range limitation: WLAN or Bluetooth also provide the basis for determining distances. Field strength measurements are not reliable or accurate enough for this, as changes in temperature or humidity, for example, can change the measured value by more than the tolerance range. For various reasons, Keba has implemented a technology for distance measurement and thus for limiting the effective range, which is independent of the components to be installed in the area of the machines. A maximum distance is defined and this results in a theoretical circle around the base station, similar to a wired device around the plug-in point.
As the operator can now be guided by being warned as soon as he reaches the effective range limits, it is possible to speak of an actual cable replacement from the point of view of safe machine operation. If a first defined threshold is exceeded, continuous operation should still be possible. An emergency stop or immediate withdrawal of the enabling signal, on the other hand, may seem permissible but is not acceptable - after all, the motto is usability and safety, not vice versa. With the Keba solution, a warning area can now also be parameterized, which serves as a 'buffer' between the effective area and the violation area. The concept also provides for a pulsating emergency stop and vibration of the control unit. This is intended to prompt the operator to move closer to the machine again within a configurable period of time. If, despite visual and haptic warnings, the operator does not react and moves out of the warning area, the enabling signal is withdrawn and an emergency stop is triggered.
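The zone logic described above (effective area, warning buffer, violation area, and a configurable period in which the operator must return) is essentially a small state machine. The following is an added example, not Keba's implementation: it assumes that a measured distance to the base station is delivered by some distance-measurement subsystem (not field strength), that the radii and the grace period are parameters, and that staying in the warning buffer beyond the grace period is treated the same as leaving it; class and method names are hypothetical.

```python
"""Effective-range limitation with a warning buffer (added example).

Assumed inputs: a time stamp in ms and a measured distance to the base
station in metres. Thresholds are hypothetical parameters, not product values.
"""
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    EFFECTIVE = "effective"   # inside the configured radius: normal operation
    WARNING = "warning"       # buffer ring: warn the operator, keep operating
    VIOLATION = "violation"   # beyond the buffer: enabling withdrawn, e-stop


@dataclass(frozen=True)
class Decision:
    zone: Zone
    warn: bool   # pulsate the emergency stop button / vibrate the device
    stop: bool   # enabling withdrawn and emergency stop active (latched)


class RangeMonitor:
    def __init__(self, effective_radius_m: float, warning_buffer_m: float, grace_ms: float):
        self.effective_radius_m = effective_radius_m
        self.outer_radius_m = effective_radius_m + warning_buffer_m
        self.grace_ms = grace_ms
        self._warn_since_ms = None   # time the operator entered the warning ring
        self._stopped = False        # latched: cleared only by an explicit reset

    def update(self, t_ms: float, distance_m: float) -> Decision:
        """Classify one distance sample and advance the grace timer."""
        if distance_m <= self.effective_radius_m:
            zone = Zone.EFFECTIVE
            self._warn_since_ms = None           # operator came back: timer cleared
        elif distance_m <= self.outer_radius_m:
            zone = Zone.WARNING
            if self._warn_since_ms is None:
                self._warn_since_ms = t_ms
            # Assumption: lingering in the buffer past the grace period is
            # treated like leaving it.
            if t_ms - self._warn_since_ms > self.grace_ms:
                self._stopped = True
        else:
            zone = Zone.VIOLATION
            self._stopped = True                 # leaving the buffer stops immediately
        warn = zone is Zone.WARNING and not self._stopped
        return Decision(zone=zone, warn=warn, stop=self._stopped)

    def reset(self, distance_m: float) -> bool:
        """Manual acknowledgement after a stop; only accepted back inside the
        effective range, so the stop cannot be cleared from too far away."""
        if distance_m <= self.effective_radius_m:
            self._stopped = False
            self._warn_since_ms = None
            return True
        return False


if __name__ == "__main__":
    m = RangeMonitor(effective_radius_m=10.0, warning_buffer_m=3.0, grace_ms=5000)
    for t, d in [(0, 5.0), (1000, 11.0), (4000, 9.0), (5000, 12.0), (9000, 12.5), (10500, 12.5)]:
        print(t, d, m.update(t, d))
```

The grace timer restarts only when the operator re-enters the effective radius, so drifting back and forth inside the buffer does not extend the period indefinitely, and the stop is latched until an explicit reset from inside the effective range.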
Last but not least, there must always be a functional emergency stop at the point of (safe) operation in accordance with the standard. This is why the Keba solution - also for reasons of simpler installation at the base station - always provides a functional emergency stop. The KeTop T15x safe wireless concept has been tested by TÜV Rheinland and complies with SIL3 and Cat4/PLe safety standards.
Author: Dr. Christian Hüttner is Product Manager at Keba.