Created Date: April 4th, 2020

Applicability: CB-series & e-Series

 

1) Emergency Stop (Estop) and Safeguard Stop Safety Functions on your UR

Universal Robots’ cobots have a variety of safety functions, of which this article describes connection to the Estop Safety Function and the Safeguard Stop Safety Function.  The Estop Safety Function has a functional safety rating of PLd Category 3 for both the CB3 and the e-Series.  See the User Manual for the details including the PFHd values.  The Safeguard Stop Safety Function is PLd for all UR cobots, however CB3 is Category 2 while the e-Series is Category 3. Inputs are to be the same state, with low being the “stop” or safe state.

1.1) Emergency Stop (Estop) Purpose

The emergency stop is only to be used for emergencies.  By definition, the Estop device is manually actuated (manual action by a human).  The UR Estop Safety Function can be triggered by an external emergency stop pushbutton or as an output from the safety controller of external equipment. Figure 1 shows an example external emergency stop pushbutton.

If a non-safety, controlled or operational stop is needed, then use a separate pushbutton to trigger the stop.  This is typically connected to XXXX (non-safety input). 

The Estop is ONLY to be used for emergency purposes.  Emergency stopping causes stress and wear on solenoids and brakes.  These components are designed expecting a finite (limited) number of emergency stops before component replacement and/or service is required.

Do NOT the UR emergency stop function, trigged by either the emergency stop pushbutton or the emergency stop input, to stop the robot for non-safety purposes (e.g. production stop, shift changes, breaks, coffee, lunch).

Excessive use of the Estop causes the stresses that damage, wear and decrease the life of parts.

Excessive use of the Estop can invalidate the warranty; this is considered to be misuse.

1.2) What is the difference between Emergency Stop and Safe Stop?

The Safeguard stop input is used for the connection of an external safeguarding device (protective device).  A safeguard (protective device) detects intrusion or presence in a detection zone. Typical protective devices used in robot applications include:

• interlocking device for a guard (not typical for collaborative applications); and
• sensitive protective equipment (SPE) detects presence in the device’s detection zone. Typical SPE for collaborative applications are safety laser scanners, light curtains, pressure-sensitive protective devices (e.g. safety mats, skin-like such as “Airskin”).

 

1.3) Comparison between Emergency Stop and Safeguard Stop

	Emergency Stop	Safeguard Stop
Triggered by	Estop pushbutton on UR teach pendant. Any external connection to an Estop input in the UR Control Box	External connection of a safeguard (protective device) to the safeguard stop input in the UR Control Box
What is the intended result?	Stop the robot	Stop the robot
Purpose of stop	Emergencies	Protection of workers
Stop category (IEC 60204-1)	1	2
After stopping, what happens?	Power removed from the joints and the mechanical brake solenoid engages	Power is retained Position is held as a monitored standstill
Safety function PL & Category see User Manual for PFHd values and other safety function details	PLd Category 3	PLd CB3: Category 2 e-Series: Category 3
Other:
UR program execution	Stops	Pauses
UR re-initialization required	Brake release (see Restart)	No
Robot power	Off (control box power is on)	On
Reset	Manual reset required at the Estop device	Configurable: automatic or manual, depends on risk assessment
Restart required	Yes	No: depends on risk assessment
Frequency of use	Infrequent (emergency purposes only)	Frequent (every cycle to infrequent)

 

2) Connections

The use of inputs (e.g. EStop, Safeguard Stop and configurable) is determined according to your application project and its application risk assessment. Below are some of the standards that are could be applicable for robot application.  Other standards could be required.  Comply with what is relevant for your robot application.

• ISO 10218-2 Safety requirements for industrial robots - Part 2: Robot systems and integration
• ISO/TS 15066 Collaborative robots <applications>
• ISO 13849-1 Safety-related parts of control systems - Part 1: General principles for design
• ISO 13850 Emergency stop function - Principles for design
• ISO 13855 Positioning of safeguards with respect the approach speeds of parts of the human body
• ISO 13857 Safety distances to prevent hazard zones being reached by upper and lower limbs
• ISO/TR 24119 Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts
• IEC 60204-1 Electrical equipment of machines - Part 1: General requirements
• IEC 62046 Application of protective equipment to detect the presence of persons

2.1) Connecting to UR Control Box inputs (dedicated and configurable) for Estop and Safeguard Stop

Each stop input (Estop or Safeguard) will be connected to different terminals inside the UR control box. All safety I/O are pairs (redundant) and redundancy must be maintained – do NOT jumper safety I/O .

NOTE: See ISO 13849 for information about how series connection affects functional safety performance.  ISO/TR 24119 contains information about fault masking of serial connection of interlocking devices.

This section describes where to find and how to connect to the

• dedicated safety inputs (terminal to the left of the controller in yellow with red text) and
• configurable I/O (four terminals in the center of the controller in yellow with black text).

2.1.1) Dedicated dual inputs are located on the left of the controller

EI0 and EI1 are dedicated to trigger the Emergency Stop Safety Function of the robot.
SI0 and SI1 are dedicated to trigger the Safeguard Stop Safety Function of the robot.

As shown, these dedicated inputs are not used (shown jumpered). See topics 3.1 Factory Default and 1.3 and its table comparing the emergency stop and the safeguard stop.

 

2.1.2) Configurable I/O are CI0 to CI7 and CO0 to CO7

The configurable I/O can be used as common digital inputs/outputs or configured as safety I/O for emergency stop, resetting the protective stop  or activation of reduced mode (changing safety function parameters from “normal” to “reduced” limits).

To change the configuration to safety I/O, perform the following configuration steps:

1. Go to the INSTALLATION -> SECURITY -> I/Os tab on the teach pendant
2. When you change the configurable I/O to be safety I/O, they start to work in pairs (for the I/O architecture to be Category 3).  For example: CI0 and CI1 work together, like EI0 and EI1 and SI0 and SI1 because now they are safety I/O.

    

   

2.1.3) Activating configurable inputs for safety-related use

Select the tab Installation -> Safety -> I/O tab:

• Configure the Inputs and outputs for your application.
• Choose the purpose of the input:
  • emergency stop,
  • reduced mode (reduced safety function parameter values),
  • reset a stop,
  • mode selection (auto or manual),
  • 3-position enabling device.

The safeguard stop is used for connection of safeguards (protective devices).  If a safeguard stop reset is needed, it is connected to a configurable input (CI0 to CI7).

Another emergency stop input can be configured to use inputs CI0 to CI7, in addition to using the dedicated input (emergency  stop in red). Typical reasons for having 2 Estop inputs is to use one for an external emergency stop device and use the other for the emergency stop input from external safety controllers.

 

3) Examples

The UR User Manual describes examples of connections available with UR robots.

3.1) Factory default

The default setup of the dedicated safety I/O is for these inputs to be jumpered or bypassed, as shown in the figure below:

The default settings enable the integration, programming and commissioning of the robot before the application is verified and validated.  It is possible that the application risk assessment will not require an external Estop (using EI0 and EI1) or safeguarding.  Some collaborative applications do not require safeguarding so the dedicated safeguard stop inputs might be unused. 

3.2) Connecting an external emergency stop device

In most of the applications, it’s desirable to also have an external Emergency Stop pushbutton (or other Estop device).

The illustration shows how to connect an emergency stop pushbutton to the dedicated Estop input:

If another Estop input is needed, use a configurable input (see 2.1.2 and 2.1.3).

If more than one external Estop is needed, the decision depends on the risk assessment and the PLr of the Estop Safety Function. Series connection affects the functional safety performance, according to ISO 13849-1. 

If the resulting PL of the Estop Safety Function is acceptable, the illustration on the top shows a series connection.

If needed for the PLr or due to the application’s needs of the UR Robot configurable I/O, an external safety controller can be used for multiple Estop inputs.  The safety controller Estop Outputs will connect to the UR Robot dedicated Emergency Stop Inputs.

3.3) Sharing the emergency stop with other machines

It is often desired to set up a common emergency stop circuit when the robot is used together with other machines. Sometimes this is called a “global” or “cell” Estop.  By doing this, the operator does not need to think about which emergency stop buttons to use – in an emergency situation. The Robot Emergency Stop input cannot be used for sharing purposes, since both machines will wait for the each other to go out of the emergency stopped condition.

To share the emergency stop function with other machinery, the following configurable I/O functions must be configured through the GUI.

Configurable input pair: External emergency stop. Configurable output pair: System emergency stop.

The illustration below shows how two UR robots share their emergency stop functions. In this example, the configured I/O are “CI0-CI1” and “CO0-CO1”.

If more than two UR robots or other machines need to be connected, a safety controller is needed for the multiple emergency stop signals.

3.4) Safeguard stop with automatic reset

An example of a safeguard stop input is an interlocking device monitoring a guard’s position (open or closed).  The robot would receive a safeguard stop command from the interlocking device when a guard is opened, see illustration below.

This configuration is only intended for applications where there is NO whole-body access.  The guard opening allows access by a portion of the body (hands and arms) but not the whole body.

If whole body access is possible, then a reset would be required – see 3.5.

3.) Safeguard stop with manual reset

If an application requires safeguarding and whole-body access is possible without continuous detection, then a manual reset or other means to prevent restart is required.

To have a safeguard stop with a manual reset, the configurable I/O is used.  A reset control device is installed outside the hazard zone or safeguarded space, according the risk assessment.  This reset enables restarting robot motion. 

Examples where a manual reset would be required:

1. Use of an interlocked guard where whole-body access is possible.
2. Use of a light curtain to initiate a stop. After after passing through the light curtain’s detection zone, the operator would not be detected – just like whole body access with an interlocked guard.
3. Use of a safety mat or a safety laser scanner with incomplete coverage such that an operator can gain access to hazard zones and be undetected by the protective device.

The reset control device must be a two-channel type. In this example, the I/O configured for reset is “CI0-CI1”, see below.

4) Conclusion

Universal Robots collaborative robots has embedded safe with continuous and redundant monitoring of all functions and security. Always follow user and service manual.

The user has responsibility to follow all guidelines, if UR identifies that there is a misuse, the warranty can be voided. Always follow the manufacturer's manuals.

If there are any questions, please contact Universal Robots’ team or your local support.