Building a bridge to safety: automation safety over a non-safe industrial network
Safety in today’s market has come a long way from the simple, single-function safety relays of the past. Now engineers are left to question which is best for the efficient implementation of the prevailing safety requirements in their process: programmable, network-enabled safety controllers or spatially limited, configurable safety relays?
In machine automation, one of the primary objectives is the efficient and flexible integration of safety functions, and machine and plant engineers must observe functional safety standards, such as ANSI B11.19, EN ISO 13849 and IEC 61508, when they are constructing their equipment. Every automation system is different, but similar safety solutions are effective when comparing equally scaled applications. For small-scale applications, simple-to-configure safety relays are usually better suited, whereas large-scale applications usually employ highly integrated and networked failsafe PLCs. A new approach encompassing both flexible and easy network communications would bridge these two solutions and support machine builders during the realisation of an efficient, networked safety solution without the need for a full failsafe PLC.
Configurable safety relays
Configurable safety relays are similar to hard-wired safety relays but contain the logical processing power required to configure multiple safety sensors using a single device. The logic configuration is typically done using a screwdriver on a selector dial, a simple on-board configuration screen or basic software configuration. Technological developments also allow these devices to report status back to a master PLC via an RJ45 or fieldbus module connection.
Easy configuration and communication with logical controllers have greatly contributed to the growth of configurable safety relays in hazardous applications. Customers can now have a customisable safety solution that requires less wiring time and can be integrated without special training or advanced classes in programming languages. This can reduce logistics costs, because one part number can be stocked to handle all safety applications for all machines or processes. Even the safety program can be saved and transferred to replacement devices for easy repair.
Even with all these advantages, configurable safety relays still fall short of safety PLCs in distributed safety applications because they cannot communicate over a safe network. In a distributed safety application, safety inputs and outputs are needed throughout the machine.
To accommodate systems like this, there are two options:
- The installer can run safe I/O wiring across long distances through the machine back to the configurable safety relay.
- Each remote safety application can use separate configurable safety relays. This will lead to increased wiring and set-up times, as well as inefficient use of configurable safety relay I/Os.
Because of these shortfalls, the only efficient way to connect a distributed safety system is to use a safe PLC and its associated safety protocol.
Programmable safe PLCs
While configurable safety relays replace simple relay solutions at moderate safety I/O counts, the programmable failsafe PLC replaces the configurable safety relay at higher safe I/O counts. A programmable failsafe PLC also has significantly more processing power and safety functionality. These specialised PLCs offer better integration, programming resources and a larger amount of usable safety signals for functions like safe motion and robot control. The failsafe PLC uses a standardised safety network to communicate to safe I/Os on the network. This allows direct control and monitoring of hazards.
Programmable failsafe PLCs offer increased computing power and functionality, but they also require certain preconditions that can present challenges in designing and certifying a system.
The first and most important precondition is that the PLC being used has a failsafe version. Though safety technology has grown significantly over the past decade, some PLCs do not have a failsafe version or add-on processor widely available yet.
Machine builders also need to consider that specific customer control requirements may vary from region to region, and different PLCs may be specified altogether. Designing systems for multiple PLCs can be time-consuming and expensive, especially considering change control within each system. If a change is made to the overall design, then each individual safety design must also reflect that change. This could lead to multiple versions of multiple controls systems being in the field at the same time.
If considering different solutions for different regions, then it is also worthwhile to consider the safety network and communication protocol each solution requires. A system that uses both Profibus and EtherNet/IP will require communication bus couplers, cabling and safety I/O for each of those protocols. This increases the need for logistical control and stocking for these parts.
Another concern is customers who use their own ‘home-grown’ machine controls. Though they may be using a standard network, they are not using standard control software. Safe software tools and runtime technologies are available, but these components are based on safe hardware, which the machine builder must then develop.
The programmable failsafe PLC offers a significant advantage in safety functionality. The deep integration of safety logic and communication into the central PLC, however, means strong dependences on single-source providers, increased needs for engineering and logistic control, and inflexibility of components - all potential disadvantages.
Bridging safely - the distributed configurable safety relay
Today, however, a different approach to distributed safety in an automated industrial network is available. New technology makes it possible to eliminate the strong dependencies between the failsafe PLC and the safety protocol by achieving two conditions:
- The safe logic must not be an integrated part of central PLC, but rather decentralised and separated from the standard PLC as in the case of a configurable safety relay.
- The safe logic must communicate via special protocol over an already installed standard network to read safety input signals from distributed sensors and write safety outputs to actuators.
To reach these conditions, a special logic module can act as a standard network device. This logic module is distributed in the network and handles all safety logic processing on-site. Processing this safety data is done via internally redundant processors, much like a configurable safety relay can process its own safety program. Unlike a configurable safety relay, however, the distributed logic module can communicate to its associated safe input and safe output signals via a special protocol on the standard network.
This safety protocol does not contain any network or PLC-specific dependencies, but operates on the ‘black channel’ principle, like that of a PROFIsafe system. The entire network, including the standard PLC and all infrastructure components located in the data path of the safety signals, is part of the black channel. Safety failure detection is only implemented at the end points of communication, which can detect failures within the black channel with a residual failure probability for the highest safety levels (PL e, Cat 4, SIL 3) (see Figure 1).
Using this communication principle, the safe I/O can be distributed throughout the network, while still communicating back to the same logic module. This creates even more system flexibility. Input and output devices can be wired where they are needed, eliminating the need for long bundled sensor and actuator wire runs throughout the system. Having the standard PLC on the black channel also brings about several advantages:
- The standard PLC has direct readable access to all safe input signals coming from the input devices.
- The standard PLC has direct readable access to all safe output signals, which are mirrored as standard inputs by the safe output devices.
- The standard PLC can directly access all diagnostics information from all distributed safety modules.
- Standard I/O can be used inline with safe I/O modules.
From the user’s point of view, the safety logic module and its associated safe I/O modules are realised into one configurable safety relay function responsible for all safety functions. A detailed network view isn’t necessary for the configuration of the safety function because of the black channel communication philosophy.
The SafetyBridge system from Phoenix Contact, for example, combines the advantages of safe network communication with the simplicity of configurable safety relays. Due to the strict separation of the safety functionality from the standard PLC and network, there is no need for changes on safety relevant configuration and parameters if the standard PLC and network configurations are changed or adapted. This means that an approved safety application remains unchanged and is re-usable in various machines with various PLC types.
Bridging the safety data across the existing control network using a ‘black channel’ is a new approach to safe network communication in automation networks. The system can work independently of the relevant network and the standard control system used. Both simply act as a transport medium for safe data packets, which are exchanged between the safe input and safe output modules.
The safe inputs and outputs are distributed in the network and do not require a higher-level safety controller or a separate safety bus system. Therefore, instead of having to choose safe networks with safety controllers available accordingly, it is very easy for users to integrate into the systems or technologies they have come to rely on.
Meeting safety requirements can often be achieved with the simple architecture of single loop...
Many machine safety-related misconceptions continue to be widespread in manufacturing.
As industries begin to rely more heavily on automation, the general consensus is that new...