Title:
METHOD OF HANDLING SAFETY OF INDUSTRIAL DEVICE, ELECTRONIC CONTROL SYSTEM AND INDUSTRIAL DEVICE SYSTEM
Document Type and Number:
WIPO Patent Application WO/2024/104563
Kind Code:
A1
Abstract:
A method of handling safety of an industrial device (12), the method comprising providing an electronic control system (14) comprising a safety-related part (32) configured to provide a safety function (50) by monitoring observables (40) and commanding a safety response (62) if an actual value of the observables violates a supervision criterion, and a control part (34) configured to control actions (60a-60m) of the industrial device, where the safety-related part has access to reference values (48) of the observables associated with a signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) of the industrial device; controlling the industrial device to perform the signature action; recognizing, by the safety-related part, the signature action by recognizing that actual values of the observables correspond to the reference values; and changing the supervision criterion of the safety function upon recognizing the signature action.

Inventors:
MELLANDER ROGER (SE)
MATTHIAS BJOERN (DE)
Application Number:
PCT/EP2022/081889
Publication Date:
May 23, 2024
Filing Date:
November 15, 2022
Assignee:
ABB SCHWEIZ AG (CH)
International Classes:
B25J9/16
Foreign References:
US20170057088A1 2017-03-02
Attorney, Agent or Firm:
KRANSELL & WENNBORG KB (SE)
Claims:
CLAIMS

1. A method of handling safety of an industrial device (12), the method comprising:

- providing (S10) an electronic control system (14) comprising a safety-related part (32) configured to provide a safety function (50) by monitoring at least one observable (40) of the industrial device (12) and commanding a safety response (62) of the industrial device (12) if an actual value of the at least one observable (40) violates a supervision criterion, and a control part (34) configured to control actions (60a-60m) of the industrial device (12), where the safety-related part (32) has access to one or more reference values (48) of one or more of the at least one observable (40) associated with a signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) of the industrial device (12);

- controlling (S12), by the control part (34), the industrial device (12) to perform the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m);

- recognizing (S14), by the safety-related part (32), the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) by recognizing that one or more actual values of the at least one observable (40) correspond to the one or more reference values (48); and

- changing (S16), by the safety-related part (32), the supervision criterion of the safety function (50) upon recognizing the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m).

2. The method according to claim 1, wherein each signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) comprises a movement and/or a position of the industrial device (12).

3. The method according to any of the preceding claims, wherein the industrial device (12) comprises an industrial robot (16).

4. The method according to claim 2 and 3, wherein the movement and/or the position is a movement and/or a position of a tool center point, TCP, (26) of the industrial robot (16).

5. The method according to any of the preceding claims, wherein the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) comprises a deactivation action (60c, 60g, 60i, 60k), and wherein the changing (S16) of the supervision criterion comprises increasing a supervision parameter value (57) to be compared with the actual value of the at least one observable (40) or muting the safety function (50).

6. The method according to any of the preceding claims, wherein the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) comprises an activation action (60e, 60h, 60j, 60m), and wherein the changing (S16) of the supervision criterion comprises decreasing a supervision parameter value (57) to be compared with the actual value of the at least one observable (40) or unmuting the safety function (50).

7. An electronic control system (14) for handling safety of an industrial device (12), the electronic control system (14) comprising:

- a safety-related part (32) configured to provide a safety function (50) by monitoring at least one observable (40) of the industrial device (12) and commanding a safety response (62) of the industrial device (12) if an actual value of the at least one observable (40) violates a supervision criterion, and

- a control part (34) configured to control actions (60a-60m) of the industrial device (12);

wherein the safety-related part (32) has access to one or more reference values (48) of one or more of the at least one observable (40) associated with a signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) of the industrial device (12); wherein the control part (34) is configured to control (S12) the industrial device (12) to perform the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m); and wherein the safety-related part (32) is configured to recognize (S14) the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) by recognizing that one or more actual values of the at least one observable (40) correspond to the one or more reference values (48), and to change (S16) the supervision criterion of the safety function (50) upon recognizing the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m).

8. The electronic control system (14) according to claim 7, wherein each signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) comprises a movement and/or a position of the industrial device (12).

9. The electronic control system (14) according to claim 7 or 8, wherein the industrial device (12) comprises an industrial robot (16).

10. The electronic control system (14) according to claim 8 and 9, wherein the movement and/or the position is a movement and/or a position of a tool center point, TCP, (26) of the industrial robot (16).

11. The electronic control system (14) according to any of claims 6 to 8, wherein the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) comprises a deactivation action (60c, 60g, 60i, 60k), and wherein the changing (S16) of the supervision criterion comprises increasing a supervision parameter value (57) to be compared with the actual value of the at least one observable (40) or muting the safety function.

12. The electronic control system (14) according to any of claims 7 to 11, wherein the signature action (60c, 60e, 60g, 60h, 60i, 60j, 60k, 60m) comprises an activation action (60e, 60h, 60j, 60m), and wherein the changing (S16) of the supervision criterion comprises decreasing a supervision parameter value (57) to be compared with the actual value of the at least one observable (40) or unmuting the safety function.

13. An industrial device system (10) comprising an electronic control system (14) according to any of claims 7 to 12, and the industrial device (12).

14. The industrial device system (10) according to claim 13, wherein the industrial device (12) comprises, or is constituted by, an industrial robot (16).

Description:
METHOD OF HANDLING SAFETY OF INDUSTRIAL DEVICE, ELECTRONIC CONTROL SYSTEM AND INDUSTRIAL DEVICE SYSTEM

Technical Field

The present disclosure generally relates to safety of industrial devices. In particular, a method of handling safety of an industrial device, an electronic control system for handling safety of an industrial device, and an industrial device system comprising an electronic control system and an industrial device, are provided.

Background

Industrial robots are used in a wide range of industrial applications. The control of an industrial robot alone is often rather complex. If the industrial robot is also controlled together with one or more external axes, the complexity of the control may increase drastically. Examples of such external axes comprise conveyors, positioners, tracks, reorientable tables, and servo guns or other types of tools carried by the industrial robot. An industrial device comprising the industrial robot and the external axes may in total comprise several tens of axes.

In many applications, there is a need for a safety rated monitoring of observables of an industrial device, such as positions, speeds and torques of axes of an industrial robot and of any external axes. Such safety rated monitoring is often complex, in particular when a number of axes is high.

WO 2018091064 A1 discloses an industrial robot system comprising a plurality of robots. Each robot includes a robot controller for controlling the motions of the robot. Each of the robot controllers is allowed to receive sensor data from at least one safety sensor, and comprises a safety logic unit configured to generate safety commands based on sensor data from the at least one safety sensor.

Summary

In order to provide a safety rated monitoring of observables of an industrial device, an electronic control system may include both a safety rated software and a non-safety rated software, functionally separated from the safety rated software. The safety rated software and the non-safety rated software may be implemented in a safety-related part and a control part, respectively. The non-safety rated software may be used to control the industrial device to perform various tasks and may be created and/or modified by a human user in the field. The safety rated software may be used to monitor operations of the industrial device in accordance with a safety function and to command a protective stop if the industrial device does not comply with the safety function.

During operation of the industrial device, it may be desired to deactivate one or more axes thereof. One reason for the deactivation may be that the axis is not needed for a particular task. Another reason for the deactivation may be that a tool of the industrial device should be changed. In a corresponding manner, it may be desired to also activate one or more axes of the industrial device. Regardless of reason for the deactivation or activation of the axis, the safety rated software may need to be informed of this to change a supervision criterion of a safety function to thereby prevent issuance of an unintentional protective stop. This means that the deactivation or activation of an axis may have to be programmed in two places, i.e., both in the non-safety rated software and in the safety rated software. The non-safety rated software is however typically not allowed direct access to the safety rated software, for example since the non-safety rated software may have insufficient reliability, e.g., regarding diagnostics and random failures. To send a command directly from the non-safety rated software to the safety rated software to change the supervision criterion of the safety function implemented in the safety rated software therefore carries the risk of unsafe behavior. Communicating from the control part to the safety-related part using safety input/output, I/O, modules may not be acceptable from a functional safety perspective. In present solutions, there is therefore no signal passage from the control part to the safety-related part. On the other hand, communication from the safety-related part to the control part is straightforward, e.g., using safety I/O modules.

Under the assumption that one would want to harbor the entirety of an application-related algorithmic structure on the control part, the safety-related part would have no information regarding the nature of the structure, its status or its degree of progress. In existing solutions today, however, such information may be required to solve a problem at hand, thus leading to complex implementations in which application-related information is also encoded in the safety-related part. For example, a stand-alone safety PLC (programmable logic controller) providing a safety protocol may be used to this end. The complexity and costs associated with the communication between the non-safety rated software and the safety rated software are thus high.

One object of the invention is to provide an improved method of handling safety of an industrial device.

A further object of the invention is to provide an improved electronic control system for handling safety of an industrial device.

A still further object of the invention is to provide an improved industrial device system comprising an electronic control system and an industrial device.

These objects are achieved by the method according to appended claim 1, the electronic control system according to appended claim 7 and the industrial device system according to appended claim 13.

The invention is based on the realization that by having a safety-related part and a non-safety rated control part agreeing that a particular signature movement of an industrial robot should trigger a particular change of a supervision criterion of a safety function in the safety-related part, the safety-related part can be caused to make this change when the control part commands the industrial robot to perform the signature movement to thereby greatly facilitate handling of safety.

According to a first aspect, there is provided a method of handling safety of an industrial device, the method comprising providing an electronic control system comprising a safety-related part configured to provide a safety function by monitoring at least one observable of the industrial device and commanding a safety response of the industrial device if an actual value of the at least one observable violates a supervision criterion, and a control part configured to control actions of the industrial device, where the safety-related part has access to one or more reference values of one or more of the at least one observable associated with a signature action of the industrial device; controlling, by the control part, the industrial device to perform the signature action; recognizing, by the safety-related part, the signature action by recognizing that one or more actual values of the at least one observable correspond to the one or more reference values; and changing, by the safety-related part, the supervision criterion of the safety function upon recognizing the signature action.

Since the safety-related part acts to change the supervision criterion based on one or more actual values from the industrial device, no dedicated command signal to change the supervision criterion may have to be sent from the control part to the safety-related part. Instead, the supervision criterion may be changed purely based on operational observables of the industrial device. This enables a safe change of the supervision criterion, for example to safely activate and/or deactivate an axis of the industrial device, using a robust and cost-efficient solution of low complexity. The method enables the supervision criterion to be easily changed without requiring safety I/O modules or safety PLCs, or without requiring use of safety I/O modules or safety PLCs, between the safety-related part and the control part. The performance of the signature action by the industrial device represents an intended request to change the response of the safety function. The signature action may be a predefined behavior of the industrial device that will trigger a change of the supervision criterion.

Since the control part is configured to control the industrial device to perform a signature action, and since the safety-related part has access to the one or more reference values associated with this signature action, the functionality to change the supervision criterion in response to a particular signature action may be said to be agreed on by both the safety-related part and the control part. The signature action thus represents a signature that can be recognized by the safety-related part and may therefore be said to constitute a handshake action. The method enables collection of application-related information in the control part only. By using the signature action as a means to pass information from the control part to the safety-related part, the safety-related part can participate in application-specific steps. The method therefore leads to a less complex implementation of an application. For example, the method may not need a safety PLC. As a consequence, costs can be reduced. Once the safety-related part has changed the supervision criterion, the safety-related part may send a confirmation signal to the control part.

The recognition that the one or more actual values of the at least one observable correspond to the one or more reference values may comprise a comparison between an actual pattern of the one or more actual values with a reference pattern of the one or more reference values. If the actual pattern matches the reference pattern, e.g., within a defined tolerance, the safety-related part can recognize that the signature action has been performed.

In an industrial device, it is possible to design a unique signature action that can be commanded by the control part and that will be practically impossible to perform by mistake or by failure, such as a specific movement or pose of an industrial robot. This agreement on the signature action between the safety-related part and the control computer part thereby ensures that an unintentional change of the response of the safety function will not be caused by a mistake or a failure. The performance of the signature action thus indicates to the safety-related part an intent of the control part to change the supervision criterion. The signature action may thus be referred to as a supervision criterion changing action.

The industrial device may be configured to perform actions, such as tasks, in a physical workspace. Depending on what type of task is to be performed, it may be desired to deactivate one or more axes of the industrial device, e.g., for a certain time period. For example, the industrial device may comprise a track and an industrial robot positioned on the track. In this case, the track may not have to move to perform certain tasks, and the track may then be deactivated. In a further example, a tool of an industrial robot may be deactivated before being detached.

When an axis is deactivated, a power supply to, and a signal communication with, the axis may be stopped. The deactivation and activation of axes of the industrial device allow for flexibility in production.

The industrial device may comprise one or more axes. Each axis may define a degree of freedom. The industrial device may comprise one or more sensors and an actual value may be read from each sensor. The signature action may for example be recognized based on a collection of actual values read from a plurality of sensors.

The industrial device may comprise at least one actuator for driving each axis. One or more sensors may be associated with one or more axes. One or more actual values of the at least one observable may however be obtained from a sensor that is not necessarily associated with a particular axis, such as a camera or other type of sensor monitoring the industrial device to provide an actual value of an observable.

The at least one observable may for example comprise position, speed, acceleration, torque, signal connection, power supply and/or temperature. Each observable may be associated with an axis of the industrial device. Each observable may be a parameter.

The safety-related part may monitor operations of the industrial device using the safety function. The one or more observables monitored by the safety function may or may not be the same one or more observables that are used to recognize the signature action.

The safety-related part may for example compare the actual value of an observable with a supervision parameter value to provide the safety function. The supervision parameter value may indicate a limit or an interval of acceptable actual values of the industrial device without triggering the safety response. The safety-related part may for example monitor whether the actual value of the at least one observable exceeds the supervision parameter value in order to determine whether the actual value violates the supervision criterion. The change of the supervision criterion may comprise changing one or more such supervision parameter values.

The one or more reference values and/or the one or more supervision parameter values may be stored in the electronic control system, such as in a safety-related memory thereof. Alternatively, or in addition, one or more reference values and/or one or more supervision parameter values may be accessed from an external source.

As a further example, the change of the supervision criterion may comprise changing a type of the safety response, i.e. an output of the safety function. As a further example, the change of the supervision criterion may comprise enabling or disabling a specific input to the safety function.

The safety-related part and the control part may or may not be provided on the same hardware. The safety-related part and the control part may comprise a safety rated software and a non-safety rated software, respectively. A safety rating may here for example refer to International Electrotechnical Commission, IEC, standard 61508-3, edition 2.0, 2010-04. The safety function may be implemented in accordance with the International Organization for Standardization (ISO) standard 13849-1.

The signature action may involve one, several or all axes of the industrial device. The change of the supervision criterion may comprise changing a supervision criterion for one, several or all axes of the industrial device.

The safety response may comprise bringing the industrial device to a safe state, which in turn may comprise stopping the industrial device, activating brakes, limiting power to one or more actuators, and/or removing power to one or more actuators. In particular, the safety response may comprise a protective stop, such as a category-0 stop, a category-1 stop or a category-2 stop, for example as defined in IEC 60204-1:2016. A category-0 stop may be an uncontrolled stop of the industrial device by immediate removal of power to any actuator thereof. The industrial device may then be braked by one or more power-off brakes. A category-1 stop may be a controlled stop of the industrial device with power available to the actuators to achieve the stop and a subsequent removal of power when the stop is achieved. A category-2 stop may be a controlled stop with power left available to the actuators.

Each signature action may comprise a movement and/or a position of the industrial device.

The industrial device may comprise an industrial robot. The industrial robot may comprise a manipulator having a plurality of axes, such as at least three axes. According to one example, the industrial robot comprises a manipulator having six or seven axes.

The industrial device may comprise at least one axis in addition to the axes of the industrial robot. Examples of such additional or external axes comprise a conveyor, a track, a reorientable table and a tool. In case the industrial robot comprises a detachable tool having an axis, this axis may be considered to be an external axis with respect to the industrial robot. Examples of such tools comprise a gripper and a servo gun.

The movement and/or the position may be a movement and/or a position of a tool center point, TCP, of the industrial robot. In case the TCP is moved and/or positioned in a particular manner to perform the signature action, several axes of the industrial robot may typically have to move and a plurality of actual values may therefore have to correspond to respective reference values. For this reason, the handshaking between the safety-related part and the control part is far more reliable than sending a single signal from the control part to the safety-related part, which may be erroneous. The reliability will increase drastically if the signature action is a sequence comprising a plurality of movements and/or a plurality of positions of the TCP.

According to one variant, each position of the TCP is a pose representing both the position and the orientation of the TCP.

As one alternative, in case the industrial device comprises a belt conveyor, a movement and/or a position of the signature action may be a movement and/or a position of a belt of the belt conveyor.

The signature action may comprise a deactivation action. In this case, the changing of the supervision criterion may comprise increasing a supervision parameter value to be compared with the actual value of the at least one observable or muting the safety function. In these ways, it can be ensured that the safety response is not unintentionally triggered, for example by a tool change of an industrial robot. The supervision parameter value may be increased by at least 20 %, such as by at least 50 %, to allow higher actual values of the industrial device without triggering the safety response. With muting is meant a temporary suspension of the safety function, for example according to the ISO standard 13849-1.

When attaching, detaching, activating or deactivating an axis of the industrial device, one or more actual values from this axis may fluctuate. By increasing the supervision parameter value or muting the safety function, it can be avoided that such attachment, detachment, activation or deactivation unintentionally triggers the safety response.

Alternatively, or in addition, the signature action may comprise an activation action. In this case, the changing of the supervision criterion may comprise decreasing a supervision parameter value to be compared with the actual value of the at least one observable or unmuting the safety function. The supervision parameter value may be reduced by at least 20 %, such as by at least 50 %, to only permit lower actual values of the industrial device without triggering the safety response.

As an alternative to the activation action, the supervision criterion may be restored, e.g., the supervision parameter value may be decreased or the safety function may be unmuted, after expiry of a predefined time limit from the initial change of the supervision criterion. The time limit may for example be at least one second and/or less than 60 seconds.
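The recognition within a tolerance, the deactivation and activation actions and the time-limit restore described above can be put together as follows. This is an added Python example, not code from the application. It assumes torque as the supervised observable and TCP position as the observable used for recognition; the waypoints, the 2 mm tolerance, the limit of 10, the factor 1.5 and the 30 s restore time are constructed values, and the 10 s completion window is an assumption that the disclosure does not state.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    waypoints: tuple      # reference values: ordered TCP positions (x, y, z) in mm
    tolerance_mm: float   # how close an actual value must be to "correspond"
    window_s: float       # assumed: whole sequence must complete within this time
    limit_factor: float   # new supervision parameter value = base limit * factor


# Constructed reference patterns; the two signatures share no waypoint.
DEACTIVATE = Signature("deactivate",
                       ((500, 0, 300), (500, 200, 300), (500, 200, 100)),
                       2.0, 10.0, 1.5)
ACTIVATE = Signature("activate",
                     ((100, -300, 400), (100, -300, 150)),
                     2.0, 10.0, 1.0)


class SafetyPart:
    """Safety-related part: it receives observables only, never a command."""

    def __init__(self, base_limit, signatures, restore_after_s):
        self.base_limit = base_limit
        self.limit = base_limit          # supervision parameter value
        self.signatures = signatures
        self.restore_after_s = restore_after_s
        self.changed_at = None           # time the limit was last increased
        # Per signature: (index of next expected waypoint, time of first hit).
        self.progress = {s.name: (0, None) for s in signatures}

    def _recognise(self, t, tcp):
        """Advance every reference pattern; return a completed signature or None."""
        done = None
        for sig in self.signatures:
            idx, started = self.progress[sig.name]
            if idx and t - started > sig.window_s:
                idx, started = 0, None   # too slow: discard the partial match
            if math.dist(tcp, sig.waypoints[idx]) <= sig.tolerance_mm:
                started = t if idx == 0 else started
                idx += 1
            if idx == len(sig.waypoints):
                done, idx, started = sig, 0, None
            self.progress[sig.name] = (idx, started)
        return done

    def step(self, t, tcp, torque):
        """Process one sample and return the safety function's verdict."""
        sig = self._recognise(t, tcp)
        if sig is not None:
            # Change the supervision criterion upon recognising the signature.
            self.limit = self.base_limit * sig.limit_factor
            self.changed_at = t if sig.limit_factor > 1.0 else None
        elif (self.changed_at is not None
              and t - self.changed_at >= self.restore_after_s):
            # No activation action seen: restore after the predefined time limit.
            self.limit, self.changed_at = self.base_limit, None
        return "protective_stop" if abs(torque) > self.limit else "ok"


def run(samples, restore_after_s=30.0):
    """Feed (time_s, tcp_xyz_mm, torque) samples; return (verdict, limit) pairs."""
    safety = SafetyPart(10.0, [DEACTIVATE, ACTIVATE], restore_after_s)
    return [(safety.step(t, tcp, tq), safety.limit) for t, tcp, tq in samples]


if __name__ == "__main__":
    # Constructed trace: deactivation signature, torque spike during the tool
    # change, activation signature, then the same spike under the normal limit.
    trace = [
        (0.0, (400, 0, 400), 4.0),
        (1.0, (500.5, 0, 300.2), 4.0),
        (2.0, (500, 199, 300), 4.0),
        (3.0, (500, 200, 101), 4.0),
        (4.0, (500, 200, 100), 12.0),
        (5.0, (100, -300, 400), 4.0),
        (6.0, (100, -300, 150), 4.0),
        (7.0, (300, 0, 300), 12.0),
    ]
    for sample, result in zip(trace, run(trace)):
        print(sample, "->", result)
```

A torque of 12 is tolerated only between the two recognised signatures. An incomplete or too slow signature leaves the limit at its base value, so the same torque triggers the protective stop.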

In case the industrial device comprises an industrial robot, the method may comprise providing one or more safety changing regions. The supervision criterion may be changed by the safety-related part in response to one or more positionings and/or movements of the TCP in relation to such safety changing region. According to one example, when the TCP enters into and leaves from one such safety changing region, a supervision parameter value may be increased and reduced, respectively. Each such positioning and/or movement of the TCP may constitute a signature action according to the present disclosure.

According to an alternative example, the method may comprise reducing the supervision parameter value or muting the safety function when the TCP has entered and left the safety changing region in a first manner, and increasing the supervision parameter value or unmuting the safety function when the TCP has entered and left the safety changing region in a second manner, different from the first manner. Also in this alternative example, each such movement of the TCP may constitute a signature action according to the present disclosure.

In any case, movements of the TCP to perform a signature action may be commanded by the control part and may be detected by the safety-related part. The deactivation action and the activation action may alternatively be referred to as a first type of action and a second type of action, respectively. The deactivation action may be different from the activation action.

According to a second aspect, there is provided an electronic control system for handling safety of an industrial device, the electronic control system comprising a safety-related part configured to provide a safety function by monitoring at least one observable of the industrial device and commanding a safety response of the industrial device if an actual value of the at least one observable violates a supervision criterion, and a control part configured to control actions of the industrial device; wherein the safety-related part has access to one or more reference values of one or more of the at least one observable associated with a signature action of the industrial device; wherein the control part is configured to control the industrial device to perform the signature action; and wherein the safety-related part is configured to recognize the signature action by recognizing that one or more actual values of the at least one observable correspond to the one or more reference values, and to change the supervision criterion of the safety function upon recognizing the signature action.

The safety-related part and/or the control part may comprise program code which, when executed by at least one data processing device, causes the at least one data processing device to perform, or command performance of, any step as described in connection with the first aspect. The electronic control system and the industrial device of the second aspect may be of any type described in connection with the first aspect, and vice versa.

Each signature action may comprise a movement and/or a position of the industrial device. The industrial device may comprise an industrial robot.

The movement and/or the position may be a movement and/or a position of a tool center point, TCP, of the industrial robot.

The signature action may comprise a deactivation action. In this case, the changing of the supervision criterion may comprise increasing a supervision parameter value to be compared with the actual value of the at least one observable or muting the safety function.

Alternatively, or in addition, the signature action may comprise an activation action. In this case, the changing of the supervision criterion may comprise decreasing a supervision parameter value to be compared with the actual value of the at least one observable or unmuting the safety function.

According to a third aspect, there is provided an industrial device system comprising an electronic control system according to the second aspect and the industrial device. The industrial device may be of any type described in connection with the first aspect.

The industrial device may comprise, or be constituted by, an industrial robot.

Brief Description of the Drawings

Further details, advantages and aspects of the present disclosure will become apparent from the following description taken in conjunction with the drawings, wherein:

Fig. 1: schematically represents a side view of an industrial device system according to one example comprising an industrial device and an electronic control system;

Fig. 2: schematically represents a block diagram of the industrial device system;

Fig. 3: schematically represents a side view of the industrial device system when the industrial device performs an action according to one example;

Fig. 4: schematically represents a side view of the industrial device system when the industrial device performs an action according to a further example and a protective stop of the industrial device is commanded;

Fig. 5: schematically represents a side view of the industrial device system when the industrial device performs a deactivation action according to one example;

Fig. 6: schematically represents a side view of the industrial device system when the industrial device has performed a tool change according to one example when a supervision criterion has been changed;

Fig. 7: schematically represents a side view of the industrial device system when the industrial device performs an activation action according to one example;

Fig. 8: schematically represents a side view of the industrial device system according to a further example;

Fig. 9: schematically represents a side view of the industrial device system when the industrial device performs an action according to a further example and a protective stop of the industrial device is commanded;

Fig. 10: schematically represents a side view of the industrial device system when the industrial device performs a deactivation action according to a further example;

Fig. 11: schematically represents a side view of the industrial device system when the industrial device has performed a tool change according to a further example;

Fig. 12: schematically represents a partial view of the industrial device system when the industrial device moves along a first path of a deactivation action according to a further example;

Fig. 13: schematically represents a partial view of the industrial device system during movement along a second path of the deactivation action in Fig. 12;

Fig. 14: schematically represents a partial view of the industrial device system when the industrial device moves along a first path of an activation action according to a further example;

Fig. 15: schematically represents a partial view of the industrial device system during movement along a second path of the activation action in Fig. 14;

Fig. 16: schematically represents a side view of the industrial device system according to a further example;

Fig. 17: schematically represents a side view of the industrial device system when the industrial device performs a deactivation action according to a further example;

Fig. 18: schematically represents a side view of the industrial device system after a tool change according to a further example;

Fig. 19: schematically represents a side view of the industrial device system when the industrial device performs an activation action according to a further example; and

Fig. 20: is a block diagram outlining general steps of a method according to one example.

Detailed Description

In the following, a method of handling safety of an industrial device, an electronic control system for handling safety of an industrial device, and an industrial device system comprising an electronic control system and an industrial device, will be described. The same or similar reference numerals will be used to denote the same or similar structural features.

Fig. 1 schematically represents a side view of an industrial device system 10 according to one example. The industrial device system 10 comprises an industrial device 12 and an electronic control system 14. The electronic control system 14 is here exemplified as a robot controller.

The industrial device 12 of this example comprises an industrial robot 16. The industrial robot 16 of this example comprises a base 18 and a manipulator 20 movable relative to the base 18. The manipulator 20 of this specific example comprises a first link 22a rotatable relative to the base 18 at a first axis 24a, a second link 22b rotatable relative to the first link 22a at a second axis 24b, a third link 22c rotatable relative to the second link 22b at a third axis 24c, a fourth link 22d rotatable relative to the third link 22c at a fourth axis 24d, a fifth link 22e rotatable relative to the fourth link 22d at a fifth axis 24e, and a sixth link 22f rotatable relative to the fifth link 22e at a sixth axis 24f. Fig. 1 further shows a tool center point, TCP, 26 of the industrial robot 16.

The industrial robot 16 further comprises a first tool 24g1, here exemplified as a gripper having one degree of freedom. When attached to the industrial robot 16, the first tool 24g1 forms an external axis with respect to the industrial robot 16 and a seventh axis of the industrial device 12.

The first tool 24g1 is in this example detachably mounted to a tool flange 28 fixed to the sixth link 22f. The manipulator 20 in Fig. 1 is a serial manipulator and the first tool 24g1 is provided at a distal end of a kinematic chain thereof. The industrial robot 16 in Fig. 1 is however only one of many examples. The manipulator 20 may for example alternatively or additionally comprise one or more translational axes.

The industrial device 12 of this example further comprises a second tool 24g2 for attachment to the industrial robot 16 instead of the first tool 24g1. In Fig. 1, the second tool 24g2 is attached to a tool stand 30 and is therefore not in use. One or both of the first and second tools 24g1 and 24g2 may also be referred to with reference numeral "24g".

The industrial device 12 of this specific and non-limiting example further comprises a conveyor 24h. The conveyor 24h of this example comprises an endless conveyor belt. The conveyor 24h forms a further example of an external axis with respect to the industrial robot 16, here an eighth axis of the industrial device 12. One, several or all of the axes 24a-24h may also be referred to with reference numeral "24". In Fig. 1, each axis 24 has one degree of freedom.

The electronic control system 14 of this specific example comprises a safety-related part 32 and a control part 34. The safety-related part 32 monitors the industrial device 12 in accordance with a safety function. In this example, the safety-related part 32 monitors each of the axes 24a-24h.

The control part 34 is configured to control the industrial device 12 to perform various tasks. The conveyor 24h may for example be driven towards or away from the industrial robot 16, and the industrial robot 16 may pick items 36 from the conveyor 24h or place items 36 on the conveyor 24h using the first tool 24g1.

When an axis 24 is attached and detached, the axis 24 may be mechanically connected and disconnected, respectively. When an axis 24 is activated, the axis 24 may be addressable from the electronic control system 14, i.e., power and control signals are available between the electronic control system 14 and the axis 24. In this case, the electronic control system 14 can cause the axis 24 to perform a function. If the axis 24 is deactivated, the axis 24 may not be addressable from the electronic control system 14.

Fig. 2 schematically represents a block diagram of the industrial device system 10. Fig. 2 shows that the industrial device 12 of this specific and non-limiting example comprises a plurality of sensors in signal communication with each of the safety-related part 32 and the control part 34, here a first sensor 38a arranged to detect an actual value of a first observable 40a associated with the first axis 24a, a second sensor 38b arranged to detect an actual value of a second observable 40b associated with the second axis 24b, a third sensor 38c arranged to detect an actual value of a third observable 40c associated with the third axis 24c, a fourth sensor 38d arranged to detect an actual value of a fourth observable 40d associated with the fourth axis 24d, a fifth sensor 38e arranged to detect an actual value of a fifth observable 40e associated with the fifth axis 24e, a sixth sensor 38f arranged to detect an actual value of a sixth observable 40f associated with the sixth axis 24f, a seventh sensor 38g arranged to detect an actual value of a seventh observable 40g associated with the seventh axis 24g, and an eighth sensor 38h arranged to detect an actual value of an eighth observable 40h associated with the eighth axis 24h. One, several or all sensors 38a-38h may also be referred to with reference numeral "38". One, several or all of the observables 40a-40h may also be referred to with reference numeral "40". Examples of observables 40 comprise position, speed, acceleration, torque, signal connection, power supply and/or temperature. Although not illustrated, the industrial device 12 may also comprise an actuator, such as an electric motor, associated with each axis 24. In the specific example in Fig. 2, both the safety-related part 32 and the control part 34 are in signal communication with each sensor 38.

The safety-related part 32 of this example comprises a safety-related data processing device 42 and a safety-related memory 44. The safety-related memory 44 of this example has a safety-related computer program 46 and reference values 48 stored thereon. The safety-related computer program 46 comprises program code which, when executed by the safety-related data processing device 42, causes the safety-related data processing device 42 to perform, or command performance of, various steps as described herein.

The safety-related part 32 of this example also comprises the safety function 50. The safety function 50 is configured to monitor the observables 40 of the industrial device 12 in accordance with one or more supervision criterions. The safety function 50 of this example comprises at least one logic sequence including an input function 51, a logic function 53 and an output function 55. Each logic function 53 may form a safety related part of a control system (SRP/CS) in accordance with the ISO standard 13849-1. Each input function 51 may receive one of the observables 40. If an actual value of an observable 40 exceeds a supervision parameter value 57, as determined by the logic function 53, the output function 55 commands a safety response of the industrial device 12. Each supervision parameter value 57 thus forms a supervision criterion. Each supervision parameter value 57 may define an allowed interval for an actual value of the associated observable 40. As one non-limiting example, the observable 40 may be a speed of an axis 24 and the supervision parameter value 57 may define a maximum speed of that axis 24. The safety function 50 thus monitors whether any actual value of an observable 40 violates the supervision criterion. In this example, the safety function 50 compares the actual values of a plurality of observables 40 with corresponding supervision parameter values 57. The safety function 50 is thus used to monitor operation of the industrial device 12 and to issue a safety response if the operation does not conform with the safety criterion. The safety-related computer program 46 can change one or more supervision parameter values 57 of the safety function 50.

The safety-related memory 44 of this example further has a plurality of signatures 52 stored thereon. Each signature 52 represents a signature action of the industrial device 12 and is associated with a set of reference values 48. In this example, each such associated set of reference values 48 represents expected values of the observables 40 when the signature action is performed by the industrial device 12. The reference values 48 may for example comprise numbers, closed intervals or open intervals.

The control part 34 of this example comprises a control data processing device 54 and a control memory 56. The control memory 56 of this example has a control computer program 58 stored thereon. The control computer program 58 comprises program code which, when executed by the control data processing device 54, causes the control data processing device 54 to perform, or command performance of, various steps as described herein. The control computer program 58 comprises program code which, when executed by the control data processing device 54, causes the control data processing device 54 to command the industrial device 12 to perform various actions, such as tasks. The control computer program 58 may be programmed by a human user, for example using a programming device, such as a teach pendant unit. The control part 34 can command the industrial device 12 to perform various tasks in a physical environment.

The control memory 56 of this example further has a plurality of signatures 52 stored thereon. The signatures 52 in the control memory 56 correspond to the signatures 52 in the safety-related memory 44. The control part 34 is configured to, for each signature 52, command the industrial device 12 to perform a signature action associated with the signature 52.

If the control part 34 for example intends to detach the first tool 24g1 to be able to pick up the second tool 24g2, this intention may not be known by the safety-related part 32. If a supervision criterion of the safety function 50 is not changed, the safety function 50 will then detect the detachment of the first tool 24g1 as a loss of function, i.e., a violation of the supervision criterion, and issue a safety response. In this example, such safety response is not in line with the intention by the control part 34.

In the electronic control system 14, there is a clear functional separation between the safety-related part 32 and the control part 34. The separation may also be physical, like in this example. In this example, the safety-related part 32 and the control part 34 comprise safety rated software and non-safety rated software, respectively.

Fig. 3 schematically represents a side view of the industrial device system 10. The control part 34 has commanded the industrial device 12 to perform an action 60a according to one example. The action 60a is a movement of the TCP 26 along a path. During performance of the action 60a, the safety-related part 32 continuously or repeatedly monitors whether the actual values of the observables 40, as measured by the sensors 38, comply with the safety function 50. The safety-related part 32 also continuously or repeatedly monitors whether the actual values of the observables 40 during performance of the action 60a correspond to the reference values 48 of any of the signatures 52.

Fig. 4 schematically represents a side view of the industrial device system 10 when the industrial device 12 performs an action 60b according to a further example. The action 60b is a deactivation and detachment of the first tool 24g1, as commanded by the control part 34. Since the safety-related part 32 is not aware that the first tool 24g1 should be deactivated and detached, and since some observables 40 start to fluctuate more after this deactivation and detachment, a protective stop 62 of the industrial device 12 is commanded by the safety-related part 32, i.e., by the safety function 50, since one or more observables 40 violate the associated supervision criterion by exceeding the associated supervision parameter value 57. The protective stop 62 is one example of a safety response according to the present disclosure. The protective stop 62 in Fig. 4 is unintentional since it is triggered even though the industrial device 12 performs an intentional action 60b.

Fig. 5 schematically represents a side view of the industrial device system 10 when the industrial device 12 performs an action 60c according to a further example. The action 60c constitutes a signature action according to one example and a deactivation action according to one example. The action 60c is commanded by the control part 34, here based on one of the signatures 52. The action 60c of this specific and non-limiting example comprises moving the TCP 26 in a helix comprising three full turns. The safety-related part 32 now detects that the actual values of the observables 40 during performance of the action 60c correspond to the reference values 48 of one of the signatures 52. For example, observables 40 in the form of positions of each axis 24 may be used to detect this correspondence. As a consequence, the safety-related part 32 performs a change of supervision criterions of the safety function 50, where the change is associated with the signature 52. In this example, the safety-related part 32 increases a plurality of supervision parameter values 57 of the safety function 50 in response to recognizing that the action 60c is performed by the industrial device 12. This is illustrated in that the line of the box of the safety function 50 changes from a solid line in Fig. 4 to a dashed line in Fig. 5. After these changes of the supervision criterions of the safety function 50, values of the observables 40 are allowed to fluctuate to a greater extent in this example. To this end, the safety-related computer program 46 may comprise program code which, when executed by the safety-related data processing device 42, causes the safety-related data processing device 42 to change one or more supervision parameter values 57 of the safety function 50 in response to recognizing the action 60c. When one or more supervision parameter values 57 are changed, a parameterization of the safety function 50 is changed and thereby also a response of the safety function 50. 
The parameterization of the safety function 50 can be changed, e.g., by the safety-related computer program 46, without changing a performance level of the safety function 50 and without having to redo verification and validation of the safety function 50. Examples of supervision parameter values 57 may comprise predefined limits of position, speed, acceleration or torque of an actual value of an observable 40.

Since the safety-related part 32 acts to change the supervision criterions of the safety function 50 based on the actual values from the industrial device 12, no dedicated command signal to change the supervision criterions may have to be sent from the control part 34 to the safety-related part 32. The method therefore provides a robust, low complexity and cost-efficient way to handle safety in the industrial device 12.

Fig. 6 schematically represents a side view of the industrial device system 10 when the industrial device 12 has performed an action 60d according to a further example. The action 60d is a tool change and is commanded by the control part 34. The action 60d comprises deactivation of the first tool 24g1, detachment of the first tool 24g1 from the industrial robot 16 and placement of the first tool 24g1 on the tool stand 30, attachment of the second tool 24g2 picked up by the industrial robot 16 from the tool stand 30, and activation of the second tool 24g2. Similarly to Fig. 4, the observables 40 start to fluctuate more after the deactivation and detachment of the first tool 24g1. However, since the supervision parameter values 57 have been increased, the safety function 50 will not command a protective stop 62. The safety function 50 may for example allow higher peaks in currents to the axes 24, which may increase during the tool change, when the supervision parameter values 57 have been increased.

Fig. 7 schematically represents a side view of the industrial device system 10 when the industrial device 12 performs an action 60e according to a further example. The action 60e constitutes a signature action according to one example and an activation action according to one example. The action 60e is commanded by the control part 34, here based on one of the signatures 52. The action 60e of this specific and non-limiting example comprises moving the TCP 26 in a helix comprising three full turns, here in a direction opposite to the helix in Fig. 5. The safety-related part 32 now detects that the actual values of the observables 40 during performance of the action 60e correspond to the reference values 48 of one of the signatures 52. As a consequence, the safety-related part 32 performs a change of supervision criterions of the safety function 50, where the change is associated with the signature 52. In this example, the safety-related part 32 decreases a plurality of supervision parameter values 57 of the safety function 50 in response to recognizing that the action 60e is performed by the industrial device 12. This is illustrated in that the line of the box of the safety function 50 changes from a dashed line in Fig. 6 to a solid line in Fig. 7. After this change of the supervision criterions of the safety function 50, values of the observables 40 are allowed to fluctuate only to a lesser extent in this example.

The deactivation action 60c and the activation action 60e represent agreements between the safety-related part 32 and the control part 34 without involving respective domain information of the safety-related part 32 and the control part 34. This enables a great flexibility of the safety handling of the industrial device 12 and an extremely low risk of errors.

The signature actions 60c and 60e may be designed in the field, e.g., after installation of the industrial device system 10. The signature actions 60c and 60e should be selected such that the control part 34 cannot be programmed by mistake to command the industrial device 12 to perform them.

Fig. 8 schematically represents a side view of the industrial device system 10 according to a further example. Mainly differences with respect to Figs. 3 to 7 will be described. As shown in Fig. 8, a virtual safety changing region 64a is defined in relation to the industrial device 12, both in the safety-related part 32 and in the control part 34. The safety changing region 64a is here exemplified as a sphere having a predetermined radius. The safety changing region 64a may alternatively be a cuboid or a volume of any shape. In this example, there is an agreement between the safety-related part 32 and the control part 34 that the safety-related part 32 should increase a plurality of supervision parameter values 57 of the safety function 50 when the TCP 26 enters the safety changing region 64a and that the safety-related part 32 should decrease the plurality of supervision parameter values 57 of the safety function 50 when the TCP 26 leaves the safety changing region 64a.

Fig. 9 schematically represents a side view of the industrial device system 10 when the industrial device 12 performs an action 60f according to a further example. The action 60f is a deactivation and detachment of the first tool 24g1 on the conveyor 24h, as commanded by the control part 34. Since the deactivation and detachment of the first tool 24g1 takes place outside the safety changing region 64a, the supervision criterions of the safety function 50 are not changed. The fluctuations of some actual values of the observables 40 associated with the deactivation and detachment of the first tool 24g1 will therefore cause the safety function 50 to command a protective stop 62 of the industrial device 12. Thus, if activation, deactivation, attachment or detachment of the tool 24g is performed when the TCP 26 is positioned outside the safety changing region 64a, the protective stop 62 may be issued in this example.

Fig. 10 schematically represents a side view of the industrial device system 10 when the industrial device 12 performs an action 60g according to a further example. The action 60g constitutes a signature action and a deactivation action. The action 60g is commanded by the control part 34, here based on one of the signatures 52. The action 60g comprises moving the TCP 26 into the safety changing region 64a. The safety-related part 32 now detects that the actual values of the observables 40 during performance of the action 60g correspond to the reference values 48 of one of the signatures 52. As a consequence, the safety-related part 32 increases a plurality of supervision parameter values 57 of the safety function 50 in response to recognizing that the TCP 26 has entered the safety changing region 64a. When the TCP 26 is positioned inside the safety changing region 64a, values of the observables 40 are allowed to fluctuate to a greater extent and the tool change can be performed.

Fig. 11 schematically represents a side view of the industrial device system 10 when the industrial device 12 has performed an action 60h according to a further example. The action 60h is a tool change, a signature action and an activation action. As shown in Fig. 11, the industrial robot 16 has detached the first tool 24g1 and attached the second tool 24g2 to the tool flange 28 while the TCP 26 is inside the safety changing region 64a and supervision parameter values 57 of the safety function 50 are consequentially increased. When the TCP 26 leaves the safety changing region 64a at the end of the action 60h, the plurality of supervision parameter values 57 of the safety function 50 are decreased. The activation and deactivation of the tool 24g are thus only allowed when the TCP 26 is positioned inside the safety changing region 64a. In this example, the supervision criterions of the safety function 50 are changed by the safety-related part 32 in response to a position of the TCP 26 in relation to the safety changing region 64a.

Fig. 12 schematically represents a partial view of the industrial device system 10 when the industrial device 12 performs an action 60i according to a further example and the TCP 26 moves along a first path in relation to a virtual safety changing region 64b. Mainly differences with respect to Figs. 8 to 11 will be described. In Fig. 12, the TCP 26 has been commanded by the control part 34 to move along the first path to enter the safety changing region 64b from above.

Fig. 13 schematically represents a partial view of the industrial device system 10 when the industrial device 12 continues to perform the action 60i by moving the TCP 26 along a second path. In Fig. 13, the TCP 26 has been commanded by the control part 34 to leave the safety changing region 64b to the right along the second path.

The action 60i constitutes a signature action and a deactivation action. To detach and deactivate the first tool 24g1, the TCP 26 has to enter the safety changing region 64b from above and leave the safety changing region 64b to the right. In this example, the tool change may take place outside the safety changing region 64b.

The supervision parameter values 57 will only be increased by the safety function 50 when the safety-related part 32 recognizes that the TCP 26 enters and leaves the safety changing region 64b along the first and second paths in Figs. 12 and 13, respectively. These paths represent a clear and unambiguous indication that the intent of the control part 34 is to change the supervision criterions to perform a tool change. If the TCP 26 approaches the safety changing region 64b from a direction other than shown in Fig. 12, or if the TCP 26 leaves the safety changing region 64b in a direction other than shown in Fig. 13, the supervision criterions will not be changed.

Fig. 14 schematically represents a partial view of the industrial device system 10 when the industrial device 12 performs an action 60j according to a further example by moving the TCP 26 along a first path. In Fig. 14, the TCP 26 has been commanded by the control part 34 to enter the safety changing region 64b from the left along the first path.

Fig. 15 schematically represents a partial view of the industrial device system 10 when the industrial device 12 continues to perform the action 60j by moving the TCP 26 along a second path. In Fig. 15, the TCP 26 has been commanded by the control part 34 to leave the safety changing region 64b downwards along the second path.

The action 60j constitutes a signature action and an activation action. The supervision parameter values 57 will only be decreased by the safety function 50 when the safety-related part 32 recognizes this particular path of the TCP 26 entering and leaving the safety changing region 64b. This path represents a clear and unambiguous indication that the intent of the control part 34 is to restore the supervision criterions after completion of the tool change. Many alternative movements of the TCP 26 in relation to the safety changing region 64b to cause the safety-related part 32 to change one or more supervision criterions of the safety function 50 are conceivable.
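The direction-sensitive recognition of Figs. 12 to 15 can be illustrated by the following added example, which is not part of the application. The box-shaped region, the single torque observable, the limit values, the sampled paths and all names are assumptions chosen for illustration; the safety-related part is modelled as acting only on measured observables, with no command input from the control part.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Tuple[float, float]  # measured TCP position (x, z), constructed frame

# Assumed geometry and limits (constructed for this example).
REGION_X = (1.0, 1.2)   # safety changing region modelled as a box
REGION_Z = (0.5, 0.7)
NORMAL_LIMIT = 10.0     # supervision parameter value in normal operation
RELAXED_LIMIT = 25.0    # increased value that tolerates a tool change

# Reference values of each signature: (entry face, exit face) -> new limit.
SIGNATURES = {
    ("top", "right"): RELAXED_LIMIT,    # deactivation action, Figs. 12 and 13
    ("left", "bottom"): NORMAL_LIMIT,   # activation action, Figs. 14 and 15
}


def inside(p: Point) -> bool:
    return (REGION_X[0] <= p[0] <= REGION_X[1]
            and REGION_Z[0] <= p[1] <= REGION_Z[1])


def face_of(outside_point: Point) -> Optional[str]:
    """Face of the box that a point just outside it lies beyond.

    Returns None for corner approaches, which are treated as ambiguous
    and therefore never match a signature.
    """
    x, z = outside_point
    x_in = REGION_X[0] <= x <= REGION_X[1]
    z_in = REGION_Z[0] <= z <= REGION_Z[1]
    if x_in and z > REGION_Z[1]:
        return "top"
    if x_in and z < REGION_Z[0]:
        return "bottom"
    if z_in and x < REGION_X[0]:
        return "left"
    if z_in and x > REGION_X[1]:
        return "right"
    return None


@dataclass
class SafetyMonitor:
    limit: float = NORMAL_LIMIT
    stopped: bool = False
    prev: Optional[Point] = None
    entry_face: Optional[str] = None

    def step(self, tcp: Point, torque: float) -> str:
        """Process one sample of the observables; return 'OK' or 'STOP'."""
        if self.stopped:
            return "STOP"                      # protective stop is latched
        if abs(torque) > self.limit:           # supervision criterion violated
            self.stopped = True
            return "STOP"
        if self.prev is not None:
            was_in, now_in = inside(self.prev), inside(tcp)
            if not was_in and now_in:          # entering: remember the face
                self.entry_face = face_of(self.prev)
            elif was_in and not now_in:        # leaving: compare to references
                new_limit = SIGNATURES.get((self.entry_face, face_of(tcp)))
                if new_limit is not None:
                    self.limit = new_limit     # change supervision criterion
                self.entry_face = None
        self.prev = tcp
        return "OK"


def replay(monitor: SafetyMonitor, samples: List[Tuple[Point, float]]) -> List[str]:
    return [monitor.step(tcp, torque) for tcp, torque in samples]


# Constructed sample trajectories: (TCP position, measured torque).
DEACTIVATION_PATH = [((1.1, 0.9), 5.0), ((1.1, 0.6), 5.0), ((1.4, 0.6), 5.0)]
ACTIVATION_PATH = [((1.5, 1.0), 5.0), ((0.8, 1.0), 5.0), ((0.8, 0.6), 5.0),
                   ((1.1, 0.6), 5.0), ((1.1, 0.3), 5.0)]
WRONG_PATH = [((0.8, 0.6), 5.0), ((1.1, 0.6), 5.0), ((1.4, 0.6), 5.0)]

if __name__ == "__main__":
    m = SafetyMonitor()
    print(replay(m, DEACTIVATION_PATH), m.limit)
    print(m.step((1.5, 0.6), 18.0))            # tool-change torque peak
    print(replay(m, ACTIVATION_PATH), m.limit)
```

A path that enters from the left and leaves to the right (`WRONG_PATH`) matches neither signature, so the limit stays at its normal value and a subsequent tool-change torque peak triggers the protective stop.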

Fig. 16 schematically represents a side view of the industrial device system 10 according to a further example. Mainly differences with respect to Figs. 3 to 7 will be described. In Fig. 16, supervision parameter values 57 of the safety function 50 are set to predefined and relatively low values.

Fig. 17 schematically represents a side view of the industrial device system 10 when the industrial device 12 performs an action 60k according to a further example. The action 60k constitutes a signature action and a deactivation action. In Fig. 17, the control part 34 has commanded the industrial robot 16 to adopt a first pose 66a, here based on one of the signatures 52. A pose of the industrial robot 16 comprises both a specific position and a specific orientation of the TCP 26. As shown in Fig. 17, the first pose 66a is an unusual pose that will never be used by the industrial robot 16 other than as a signature for changing the supervision criterions. When the safety-related part 32 recognizes, based on the values of the observables 40, that the industrial robot 16 is in the first pose 66a, the safety-related part 32 increases the supervision parameter values 57 of the safety function 50 to predefined and relatively high values. In this way, the supervision criterions are changed from those of Fig. 16.

Fig. 18 schematically represents a side view of the industrial device system 10 after an action 60l according to a further example. The action 60l is a tool change. The first tool 24g1 has been deactivated and detached, and the second tool 24g2 has been attached and activated while the supervision parameter values 57 of the safety function 50 have relatively high values to not cause triggering of the protective stop 62.

Fig. 19 schematically represents a side view of the industrial device system 10 when the industrial device 12 performs an action 60m according to a further example. The action 60m constitutes a signature action and an activation action. In Fig. 19, the control part 34 has commanded the industrial robot 16 to adopt a second pose 66b, different from the first pose 66a. As shown in Fig. 19, also the second pose 66b is an unusual pose that will never be used by the industrial robot 16 other than as a signature for changing the supervision criterions. When the safety-related part 32 recognizes, based on the values of the observables 40, that the industrial robot 16 is in the second pose 66b, the safety-related part 32 decreases the supervision parameter values 57 of the safety function 50 back to the respective values in Fig. 16.

Fig. 20 is a block diagram outlining general steps of a method according to one example. The method comprises a block S10 of providing an electronic control system 14 comprising a safety-related part 32 configured to provide a safety function 50 by monitoring at least one observable 40 of the industrial device 12 and commanding a safety response 62 of the industrial device 12 if an actual value of the at least one observable 40 violates a supervision criterion, and a control part 34 configured to control actions 60a-60m of the industrial device 12, where the safety-related part 32 has access to one or more reference values 48 of one or more of the at least one observable 40 associated with a signature action 60c, 60e, 60g, 60h, 60i, 60j, 60k and 60m of the industrial device 12. The method further comprises a block S12 of controlling, by the control part 34, the industrial device 12 to perform the signature action 60c, 60e, 60g, 60h, 60i, 60j, 60k, and 60m. The method further comprises a block S14 of recognizing, by the safety-related part 32, the signature action 60c, 60e, 60g, 60h, 60i, 60j, 60k, and 60m by recognizing that one or more actual values of the at least one observable 40 correspond to the one or more reference values 48. The method further comprises a step S16 of changing, by the safety-related part 32, the supervision criterion of the safety function 50 upon recognizing the signature action 60c, 60e, 60g, 60h, 60i, 60j, 60k, and 60m.

While the present disclosure has been described with reference to exemplary embodiments, it will be appreciated that the present invention is not limited to what has been described above. For example, it will be appreciated that the dimensions of the parts may be varied as needed. Accordingly, it is intended that the present invention may be limited only by the scope of the claims appended hereto.




 