Estop

Another good brief on EStops from the geckodrive group. with the authors
permission.
bill

Message: 4
   Date: Mon, 26 May 2003 13:46:46 -0600
   From: Jim Buslepp <jbuslepp@xxxxxxx
Subject: Re:disable input and emergency stops

Appologies for the long post. The discussion of emergency stops struck a
nerve. My first real job was as an avionics designer. In the aircraft
industry, safety is a huge issue, bordering on a religion. Later I worked
on some systems on which the safety systems were poorly implemented. Trying
to retrofit those systems into something acceptable was a long, painful and
ultimately (in my view) unsuccessful odyssey. It would have been so much
easier, more effective and less expensive to do it right the first time!

Most of the discussion of using the gecko's disable switch or the +5V
supply in an emergency stop implementation seems to have assumed that
stopping the motors is sufficient. I don't think it is. The primary purpose
of having an emergency stop is to protect people in the event they do
something stupid or there's a major malfunction. In most cases, the threat
is mechanical. Trapping, cutting or crushing part of someone's body.
However, this is not always the case. Electrical hazards also exist,
especially for repair and maintenance personnel. It would not be surprising
for these people to assume that the emergency stop will cut power in such a
situation. In some cases a person being shocked will be unable to let go of
the conductors he or she is in contact with, leading to very serious
injuries. It would be very dangerous for a second person to try to pull an
injured coworker off the machine in such a circumstance. Therefore, a
properly designed emergency stop should cut off power as close to the
source as possible.

My priorities in designing safety systems, including emergency stops are
first to protect people, second to protect hardware, and a distant third to
make it easy to restart the equipment once the problem has been resolved.
The reliability of the system in protecting people must be as close to
perfect as humanly possible. This leads me to keep these systems simple.

I don't think the issue of equipment being damaged if power is suddenly
removed is valid. Properly designed systems and subsystems must be designed
to survive power failures without damage. I assume we've all experienced
power failures from time to time. Therefore it should be obvious that the
system as a whole should be able to withstand a sudden loss of power. It is
also a fact of life that power supplies and wiring break from time to time.
This doesn't happen often, but when it does collateral damage to other
subsystems should not be tolerated.

My motor drive experience is in the semiconductor process tool industry, so
the requirements may be different than those in the machine tool industry.
We referred to the emergency stop as emergency power off (EPO) because we
felt it more descriptive of the function.

I find the following guidelines useful. Since I'm an electronics engineer,
they are written from that perspective. Mechanical designers may need to
adapt them to make them meaningful in their work.

- The EPO switch should be used only when there is an immanent threat of
injury to people or damage to equipment. To allow other uses "dilutes" the
meaning of the big red mushroom and leads to poor design compromises.

- The EPO hardware should be as simple and reliable as possible.

- The number of cables and components that are powered when the EPO is
asserted is to be kept to a minimum.

- The EPO hardware should fail safe. Having a machine down because of a
fault in the EPO circuit costs money. Having it up with a faulty EPO could
cost lives. For example, mushroom switches are available with normally open
and normally closed contacts. With normally open contacts, a broken wire or
unmated connector can defeat the EPO. This fault would probably be hidden.
A wire broken during maintenance could disable the EPO for years.
Therefore, normally closed contacts are preferred.

- To the extent possible, all wiring and components that are powered when
the EPO is asserted are segregated in an internal enclosure within the
machine. This enclosure is clearly labeled to ensure that maintenance
personnel know that the circuitry inside is live when the EPO is asserted.
Operators do not have access to the inside of this enclosure. This
enclosure cannot be opened without tools.

- All cables and components outside this enclosure that are live when the
EPO is asserted are clearly labeled. Operator access to these components
must be precluded. Tools are required for the removal of panels that
provide access to all components that are live when the EPO is asserted.

- When the EPO is asserted, all moving parts must stop as quickly as
possible. Once stopped, it should be possible for a person to move them far
enough to free a trapped person.

- All power supply voltages must be drained to near zero quickly. Bringing
them down to less than 1V within 1 second seems a reasonable minimum
standard. Most systems should better that considerably.

With these criteria in mind, I feel that dropping primary power to the
system is essential. I would not except the controllers as this requires me
to keep too many components live. Keep in mind that this is not a routine
event. The EPO should only be activated when there is immanent danger or
hurting a person or damaging the machine. In this circumstance crashing the
operating system or having to home the machine is acceptable.  If a stop is
needed for more routine situations it should be implemented separately.

Asserting disable bits may be a nice extra to stop the motors faster if it
takes significant time for the power supplies to drop, but  this should not
be part of the primary EPO. If a lot of inertia is involved, motor windings
can be shorted briefly to act as a brake. This is especially effective with
stepper motors. The short should be removed after short time (probably less
than a second) to allow parts to be moved to free a trapped person. Either
of these features must be implemented in such a way that they do not
degrade the reliability or speed of the basic EPO function.

These are the opinions of one engineer. They are written in bits, not
stone. Take them or leave them as you see fit.

Jim Buslepp






[Non-text portions of this message have been removed]