Emergency stop implementation ideas
Harprit
Posts: 539
I am a bit new to this so please keep that in mind.
I am running a small Rockwell milling machine from a Propeller
Works fine with encoder motors. X and Y axis only. Both on same Prop.
Point to point implementation only at this time.
Everything is in SPIN.
I need to implement an emergency stop switch that will kill everything. NOW!
Here are my ideas since we do not have interrupts.
Read Estop in a cog that turns off all the cogs on Estop
This works but the system has to be rebooted.
Read Estop in each and every method used, first thing, and shut things off on Estop.
This does not seem like the best solution and slows things up more than necessary.
Have a switch external to the system that kills all the power. Bad, bad, bad technique.
The best idea I have had is to turn on the brake on the amplifiers on Estop, but it has
all the above problems.
Has someone worked up a solution to this problem?
Any ideas?
Harprit
Comments
What do you mean by "emergency"?
If the thing has gone mad due to electrical/software error and is busy chewing itself, or your fingers, up then perhaps all power off is a good idea when you hit the emergency button.
If the software has gone mad then perhaps the idea of a master COG that kills all the COGS is not a bad idea. So what if it has to be rebooted? If continuing from where you were stopped is important then that is not an emergency, only a pause.
On the Boeing 777 there is a big switch above the pilot's head that disconnects all the Primary Flight Computers if the pilot thinks they have lost their sanity. After that the pilot can do his best to fly using analogue electronics. No thought of "reboot" in that situation.
How do I know this? I was the guy who tested the operation of that switch in the test lab. It failed !!!
One I had not thought about. Even so let me thank the respondents and
share what I have experience with (from designing CNC machines)
It's not everything is fine or everything went south. There is some continuity.
We implement Optional stop (M01) and absolute stop (M00).
We implement ability to modify the feed rate in real time with a potentiometer.
Usually up to 200% and down to 10% of the feed rate.
All solenoids etc. that control things have to release power when switched off.
The system implements both an electrical shut down of critical systems and a
much slower but more orderly shut down of the CPU and OP Sys.
A part that may take two hours to machine cannot start from scratch if there is
a malfunction (like a broken or dull tool); it must allow the replacement of the tool,
resetting it and then proceeding from any number of places in the program. Don't
forget that the tool changer positioning etc. has to be accommodated when the dull tool
is removed and replaced, thus compromising tool changer positioning and tool locations.
It's best if the system keeps track of all the movements automatically and the
operator does not have to make critical adjustments.
On large complicated parts the path of the tool to the cuts is critical. Many things
get in the way so some of this has to be remembered also if things go wrong.
All this does not have to be implemented here but it is nice not to have to have
a computer attached to the Prop at all times. The solution I was seeking would allow
this one spec. to be implemented.
Thanks all
Harprit.
But as for an emergency stop, you can certainly decelerate under a fixed time delay. At the end of the time delay, you cut power with an industry accepted safety relay or safety controller. The time delay is part of the relay or controller itself.
What's so wrong with recording both the physical positions and the position in the data file of where you were at the stop event? Then take whatever reasonable action to disengage and stop. Then write your program so it is able to restart from where it left off?
I have designed hundreds of machines and I have never done this, nor have I ever seen it implemented. Even over DeviceNet Safety I have always implemented hard-wired measures to engage brakes and take power from any and all motion controls. In software the most that is commonly done is to provide safe start-up conditions when the E-stop is removed, but a dry contact is almost always required to reinitialize the machine for user safety.
The main concern is that on power up or disengaging the E-stop, the machine should do nothing until the user has verified and initialized the machine for safe action. Typically powering down the processor controlling the machine is bad form as it holds the position and state of the machine. The point of an E-Stop is to instantly and without fail stop all movement of the machine; this includes taking power from any drives, hydraulic or pneumatic solenoids, and engaging any lockouts the machine may need to provide or prevent access to parts of the machine.
This is not a trivial task as someone's life or health is at risk.
I personally always have a brake on the Y-axis of any machine to prevent it from falling due to gravity unless it's driven with a worm gear. This brake should be disengaged with power and engaged without power as a fail-safe. Also a manual brake release within arm's reach of the Y-axis tool and a manual tool drop/lift non-powered control would be ideal.
There are good write-ups on safe implementation of e-stop conditions on the Rockwell site. I recommend starting with this document: http://samplecode.rockwellautomation.com/idc/groups/literature/documents/in/sgi-in001_-en-p.pdf
In my opinion you should keep the safety system as simple as possible (simple things are usually less likely to fail than overly complicated systems) I'm sure that you could get some great ideas from looking at older automation to see how their safety measures were done before microcontrollers were commonplace.
Rick_H
The main concern is that on power up or disengaging the E-stop, the machine should do nothing until User has verified and initialized the machine for safe action.
I took a few classes in school for robotics and automation, and the #1 thing that was talked about was what is in red above.
The #1 RULE in robotics is that NO human can be hurt in any way, or property in any way, from the robot's movements.
I use this idea also when working on, or thinking about writing, a microcontroller programming code routine.
To me this is a MUST ^^^^^
I have seen and worked on machines that did not kill power to all systems but killed power to the pump motors and the X and Y servos.
X would be your Ram
Y would be your distance to the Ram
X and Y would have to go to their HOME position and you would have to start the program over again.
Harprit
A part that may take two hours to machine cannot start from scratch if there is
a malfunction (like a broken or dull tool) it must allow the replacement of the tool. <<<< NO, not if the "system" went into an "error"; it will NOT have a HOME reference any more
"meaning that if your encoder does not have the right value any more" this would be a System Error
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The one above happened to another machine that I worked on, because it also had a system error, and the problem here was that the battery for the memory chip had failed and the ref values were not there any more.
When this machine worked right, as long as it did not go into a system error it would let you have the same settings even if you pushed the E STOP.
I worked on a machine where this happened: the tool broke and the machine went into a system error because it could not find the home position any more, because the trup ("trup" is round) had moved 1/8 or about 15 degrees from where it was supposed to be. It was a good thing that it went into a system error because it would have destroyed the ram.
Also, when you hit the E STOP it would have to find the HOME position before it would pick up where it was, but you had to go into the program to find where you were last.
Also, when you wanted to change the tool you had to put it in hand, and even then when you went back to AUTO it would first go to the home position.
resetting it and then proceeding from any number of places in the program. This could be done if there is no system error.
Don't forget that the tool changer positioning etc. has to be accommodated when the dull tool is removed and replaced, thus compromising tool changer positioning and tool locations. This is true; however, if there were any adjustment settings made to the new tool itself then your HOME position may not still be there.
Its best if the system keeps track of all the movements automatically and the operator does not have to make critical adjustments.
To do this may or may not be a good idea
RobotWorkshop
If it is truly an emergency and it is caused by a hidden software bug or perhaps something zapped the microcontroller, you certainly don't want to count on that to stop any machine........
I have to agree with you on this one I would not either
The #1 thing to think about is safety
I know that time is money B U T
Please keep this in mind while you are doing this project or any other project: you want everyone to go home to their loved ones, and your loved ones with all of you, not part of you, or that you died.
Harprit is talking about having 2 stops. An "absolute stop (M00)" which would be the E-stop and will hopefully disconnect all power to motors and any other hazardous equipment.
The "Optional stop (M01)" would be a secondary stop that would allow the equipment to be safely adjusted or modified and then continue where it left off. This could be as simple as moving to a home position and shutting off power to motors and any other hazardous equipment.
An EMERGENCY STOP, is just that. STOP it's an EMERGENCY...
The HIGHEST form of EMERGENCY is Danger to Life, then Limb, then Machine.
Have two stops if need be - an EMERGENCY STOP and a Controlled Stop.
An ESTOP should return all equipment to a safe position (or stop it dead) as soon as practicable. A controlled stop can do things like return to position X or Y.
ESTOPS should be implemented in hardware, Controlled Stops can be software.
After an ESTOP the thing {whatever it was you were working on} _might_ be a write-off, but it's better to ruin a tool/device than lose a vital part of your anatomy.
PLEASE PLEASE do NOT implement an ESTOP just in software - I've seen _way_ too many machines go wild because an input got stuck on, or the machine was busy doing something else. When I punch an EStop I need it to STOP NOW!!!
This is written somewhat from the point of view of a machine operator using the RS-274 language by EIA. This language is used by most machine manufactures, not independent software implementations from CAD sources. Google it if you want to read more.
Essentially an emergency stop is a switch that allows you to stop before the end of the current instruction. If you can wait, you can use the "single step" switch to stop at the end of the current instruction (step).
Restarting is not trivial because of look ahead requirements and tool diameter compensation requirements. You have to look ahead 5 to 7 instructions before you can execute the current instructions because future instructions can affect what you do next. Added to this is the fact that canned cycles complicate things. By and large you cannot start in the middle of any canned cycle.
It is much easier to read and comprehend RS-274D instructions as compared to the endless code generated by CAD interpreters. By far easier.
Stopping a carbide cutter (i.e. the spindle motor) in the middle of a cut pretty much guarantees that you will break the tool tip. Replacement will be necessary in most cases. Then re-compensate/offset/reset etc.
I could not understand why opening a guard/door makes it not important to restart in the middle of a program.
No matter what you do the various motors will not stop immediately. Everything takes time so some sort of compromise is necessary whenever you want to stop quickly. If the encoders are left powered, all position related information will be preserved. Yes I understand that the encoders themselves might fail.
M01 is an optional stop controlled by a switch. It can be in any instruction block you choose.
M00 is an absolute stop. It stops machine motion but usually the spindle will stay on. It too can be in any block. Both have nothing to do with E stop.
A reasonable approach combines software and hardware responses to an emergency stop. But this might be more than is desirable on a small Propeller controlled machine. Keep in mind that every hardware shut off implemented is software controlled except the power that pushing in the E stop disconnects.
Operator safety is of course always a prime concern. There are no arguments about this.
Losing the home position in the event of an E stop is very undesirable because the machine then has to be re-homed and that is not trivial with a complicated part in place on the table. You cannot just go home. All sorts of things can be in the way.
There does not have to be an emergency to use E stop. It can be just to stop the machine before the end of the current instruction block. This too has to be accommodated in an intelligent way.
E stop cannot return the machine to anything. There is too much to go wrong. It has to be done by an intelligent being who is well trained to operate the machine.
This is the end as far as my posting on this subject.
Thanks to all who took the time to respond
Regards
Harprit.
not lets JOG the motor or pause a program ..
I agree true E-Stop is best done with a relay but in some devices killing ALL power at the input can be hazardous.
EG the E-Stop on a Nuke power plant is not one to kill power but to engage the motors to drop in the kill rods.
If all you want to do is pause then SW is fine but you will still need a hard E-Stop somewhere in the device
In our robo lab here in college we have the big red/twist to reset shroom button for estop on the main drive contactor but a normal red PB for "casual stop /pause" its done in SW ..
Peter
Sorry, this is completely wrong.
An E-Stop halts the machine immediately and UNDER ALL CONDITIONS.
An E-stop is in fact a chain of E-stops. These are switches that are connected in series (and only in series). Every switch is an opener and ONLY an opener. This ensures that the chain works even if the cable breaks (you'll have to repair it before continuing).
In that E-stop chain, you will find one or more manual E-stops, limit switches, over-temperature-switches, door switches, etc.
Whenever the E-stop chain is interrupted, the COMPLETE machine gets powerless and may never be able to be switched on again without resetting that switch.
There are just a very few exceptions like a door switch that might reduce the feed rate to a low value like 0.5 m/min or reduce the spindle-rpm to a maximum of 200.
Can you imagine what a servo-motor with several kW does when the servo amp goes mad?
What you described is a program halt.
Nick
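Added example, not code from any poster in this thread: a host-side Python model of the E-stop semantics Nick and Rick_H describe above (normally-closed contacts in series so that a broken cable also stops the machine, a stop that stays latched until an operator reset, and a machine that does nothing after reset until it is started) beside a separate controlled stop that keeps drives and position. Contact names, positions and block numbers are constructed; the block models the outcome of the hardware chain, not the relay itself.

```python
from enum import Enum

class State(Enum):
    ESTOPPED = "estopped"   # drives powerless, latched until operator reset
    PAUSED = "paused"       # controlled stop: drives hold, position kept
    RUN = "run"

class EStopChain:
    """Normally-closed contacts in series: True = closed, False = opened,
    None = broken wire. Only all-closed completes the circuit."""

    def __init__(self, names):
        self.contacts = {n: True for n in names}   # names are constructed

    def set(self, name, value):
        self.contacts[name] = value

    def healthy(self):
        return all(v is True for v in self.contacts.values())

class Machine:
    def __init__(self, chain):
        self.chain = chain
        self.state = State.ESTOPPED   # power-up: do nothing until reset
        self.drives_powered = False
        self.position = (0.0, 0.0)    # last commanded X, Y (constructed)
        self.block = 0                # index into the part program

    def tick(self):
        """Check the chain every control cycle (a safety relay does this in
        hardware; this models the outcome). Position and block are kept."""
        if not self.chain.healthy():
            self.state = State.ESTOPPED
            self.drives_powered = False
        return self.state

    def pause(self):
        if self.state is State.RUN:   # M00/M01-style controlled stop
            self.state = State.PAUSED
        return self.state

    def resume(self):
        # A latched E-stop never resumes by itself, even once the chain heals.
        if self.state is State.PAUSED and self.chain.healthy():
            self.state = State.RUN
        return self.state

    def reset(self):
        """Operator reset: needs a healthy chain; re-powers drives, no motion."""
        if self.state is State.ESTOPPED and self.chain.healthy():
            self.drives_powered = True
            self.state = State.PAUSED
        return self.state

    def move_to(self, x, y):
        if self.state is not State.RUN or self.tick() is not State.RUN:
            return False
        self.position, self.block = (x, y), self.block + 1
        return True
```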
That poor ABB went into a seizure and man did it fly.
For example on an axis, you do have cascading limits:
1. software limit (software knows where the machine is and stops before)
2. soft-limit switch. tells control that it is out of bounds
3. limit switch, in E-stop chain
4. mechanical limit
These limits are spaced by maybe 5 mm, depends on the speed of the machine.
Nick
G54 is extremely trivial. Re-referencing too, if it can be done manually (move axes so the tool doesn't collide with part).
Nick
This might mean - keeping hydraulics running (but hitting the check valves to ensure no further movement) in a hydraulic lift, or moving the sharp, hot electrode up out of the way, or even letting the brakes apply by 'turning off' the brake lift solenoid.
I have worked with Cutting machines and often they have a "Cycle stop button" - which might be a red mushroom - but they are NEVER labeled as EMERGENCY STOP.
AN EMERGENCY STOP NEEDS TO STOP THE MACHINE NOW (or as close to now as practicable - imagine a 3 mile long conveyor fully loaded with coal - it takes a 'time' to run down to a stop) If the belt were to stop instantly bits of coal would come off and fly everywhere.
If YOU ARE SILLY ENOUGH TO HAVE A BUTTON LABELED EMERGENCY STOP AND IT DOESN'T (it does a cycle stop for example) THEN TWO THINGS..
1) you had better have a good lawyer - as _WHEN_ you get sued, you will lose.
2) I'm VERY glad I don't work for you
Cycle stop might be red (and in fact is), but not a locking mushroom button. These are reserved for E-stop.
Nick
But it certainly wouldn't hurt to have the emergency offer feed back to attempt to save data, position, and so on. This is a secondary task and secondary priority.
And, don't assume that the feedback would always be provided. Failures have a way of being total. There are always those emergencies that require starting completely over from scratch.
An E-stop can keep the CPU and all glass scales/encoders running and thus not lose any position at all. But this also means, that the control may not move anything by itself.
Every single signal connection between control and machine has to be opto-isolated. Be it digital or analogue. Isolation amplifiers (+/- 10 V) aren't cheap. The ISO124 costs around 15 + driver + DC/DC-converters + ... makes around 30 per channel.
Nick
That pretty much sums it up...
Note that on most powered woodworking machines I've used (table-mounted circular saw/router/planer, large bandsaws) they have two buttons, a recessed button for start, and a big red mushroom button for stop.
This is the professional stuff, that you need a forklift to get into place, though. The hobbyist models... not so much...
I would NOT expect it to work that way...
I would expect it to cut power to brakes that are holding the rods up, and that they would then drop at a controlled rate using some sort of mechanical brake, so that the entire operation is independent of availability of Electricity.
This way, a control-room failure will result in automatic and 'controlled' shutdown...
OM01 stops, or whatever they're called...
Take a look at modern inkjet plotters. If you lift the cover while it's plotting, the printhead will stop INSTANTLY, and a bl**dy beeping will come from it, but as soon as you close it again, the plot continues.
On these it's possible to cleanly stop and restart because not only is the 'tool' (the printhead) not affected by previous/next operation (unlike CNC machines), but they also have the time to cleanly stop the carriage because no one is THAT fast to open the cover.
(I'm well familiar with the cover sensor as I often have to block it when messing about with HP plotters... sometimes you can't see the problem unless it operates 'normally' without the cover to hide everything... Yeah, shame on me. )
So, on a CNC machine, there may be from a few milliseconds to a couple of seconds from when someone starts opening the doors to when the operator is in any danger. This means a 'door sensor' can be used to do a 'clean' shutdown, if the program running can accommodate the tool stop. Of course, you still need the E-STOP functionality, but that can be activated when the doors are opened beyond a certain point. (It's difficult to stuff your hand very far into a machine with a slot only 1" wide.)
Not that I have any practical experience with CNC-machines. That was just my thinking out loud...
Dave KI4PSR
You can usually use the OM00 function(telling them there's an important meeting on another floor that they should have been in, right now), but sometimes...