Functional Safety over NetworksFollow article
How do you feel about this article? Help us to provide better content for you.
Thank you! Your feedback has been received.
There was a problem submitting your feedback, please try again later.
What do you think of this article?
Industrial networks have been utilised for a long time now. Even decades before the terms “Industry 4.0” or the “Industrial Internet of Things” were mentioned designers have been using field buses. However, the implementation of safety over networks has only been around for just over a decade and some designers have still not made the jump to using them because they prefer to hardwire their safety concept or, in some cases, are nervous about the safety integrity of a network. Here I appraise different safety concepts and try to highlight the advantages of safe network communication.
It is still very common to open up a cabinet on new machines and see a powerful standard PLC working away with a single safety relay next to it controlling two contactors that cut all power to a machine. There is nothing wrong with this approach and the benefit of such a system is that the safety concept is robust and simple. It is usually not rocket science to backwards engineer a simple circuit and work out that, for example, it stops any dangerous movement if an Emergency Stop button is pressed, or a gate is opened.
BS EN ISO 13849-1 and BS EN ISO 13849-2 are the designated standards in the UK that can be used to assist with the design of safety-related parts of control systems (SRP/CS’s). At the time of writing this, the use of these standards as part of their complete design and assessment allows the presumption of conformity with the UK Supply of Machinery (Safety) Regulations in order that a UKCA mark can be applied. Additionally, apart from some regional information for the BS (British Standards) version, these standards are identical to the European versions (EN ISO 13849-1 and EN ISO 13849-2). They describe methods of calculating the performance level (PLa to PLe) of safety functions on a machine and cover Verification and Validation. The PL is an estimation of the probability of dangerous failure per hour, or PFHd. A PLe system has a lower probability than a PLd system, figure 1.
Figure 1: Probability of Dangerous Failure per hour
It can also be seen that BS EN IEC 62061 is another standard that can help calculate this value but talks about SIL claim limits instead of PL’s.
If you are unfamiliar with any of these terms or with functional safety in general as a topic then I have attached a very useful document created by SICK called the “Six Steps to a Safe Machine”. This document is a comprehensive guide and covers this subject from the viewpoint of Europe. SICK (UK) Ltd can also offer services such as functional safety training and or consultancy etc.
Calculating the PL of a safety function for a simple circuit with a safety relay is actually quite straight forward, especially if you are also using safety components that provide PL’s. For example, figure 2 below shows the calculation of the PL of the safety function for a simple door interlock going into a safety relay with a dry contact expansion module.
Figure 2: The simplified method according to BS EN ISO 13849 for the calculation of PL
Since the PL of each subsystem is PLe and they are all category 4 and there are 3 or less subsystems, using the simplified method of BS EN ISO 183849 it can be assumed that the PL of the complete safety function is also PLe.
The advent of configurable safety relays (such as the SICK Flexi Soft or Flexi Classic systems) was a huge step forward from electromechanical safety relays. These devices allowed complex functions to be implemented by either setting rotary/dip switches or using a dedicated software tool to programme ladder or function block logic. There are many options on the market and they range from compact simple systems with limited I/O to complex expandable modular systems that can grow with the application. However, there are basically two options with regards to a safety concept:
- A standard PLC with a dedicated safety controller
- A safety PLC which can do both
Each has its’ own advantages and disadvantages but I will not go into them here…
Safety controllers usually only offer discrete I/O (Boolean, ON/OFF), although some devices on the market also offer additional interfaces such as analogue inputs or encoder inputs such as the SICK Flexi Soft, figure 3.
Figure 3: Safety Controller additional interfaces
Safe logic controllers have enabled productivity gains and reduced downtime against simple relay systems in myriad applications for years. Far too many to list here but below I shall give one example.
To improve the process on mechanical presses, PSDI “Presence Sensing Device Initiation” can be applied. PSDI uses safety light curtains to safely initiate machine cycles on a mechanical press automatically.
When a component has been placed in a press and the operators' hands are removed, this is detected by the light curtain and a press cycle starts automatically. This means that the operator’s time is freed up to get the next piece ready to replace the one being worked on and then the cycle repeats. The system is completely safe because if the operator reaches through when there is hazardous movement (downwards movement for example) then the machine is brought to a stop. This system involves using cams and sensors for safe position and combining this information in function blocks in a safety controller with the safety light curtain outputs to create a safe logic algorithm. PSDI replaces a conventional two-hand control system and reduces six actions to just 4 which saves a lot of time, view the video below to see this in action. There are also ergonomic advantages gained with the smooth workflow.
A quick internet search will uncover lots of information from various suppliers explaining how the application of a safety controller can improve efficiency. I have many case studies myself about muting, sequence monitoring, speed and separation monitoring, etc.
Safety over a Network
PLC’s have long been able to communicate with each other and just two things are required:
- BUS - The physical connection or layer intended to carry the information (describes the wiring concept and connection plugs, for example, RJ45 connectors and Ethernet cable)
- PROTOCOL - The language used so that devices can understand each other
There are many advantages to be gained from using a telecommunications network such as reduced cost, installation time and improved diagnostics. Some examples of industrial network standards are RS-232, Modbus, Ethernet/IP and Profinet.
In 2007, IEC 61784-3:2007 was published. Entitled:
“Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions”
This standard covers adding a “safe data layer” on top of an existing field bus protocol and there are open versions available on the market such as PROFISAFE, CIP Safety and proprietary version like the SICK EFI Pro solution which is based on CIP Safety so that these devices can be used but also has another layer specifically for SICK devices. This enables the creation of powerful systems to solve complex applications whilst keeping cost down, figure 4.
Figure 4: EFI Pro system with 3rd party CIP Safety devices
One question that I always get asked is, “Do I need some special safety Ethernet cable?”
The answer to this is “No” because it is the protocol that is failsafe and it is an additional layer on top of the existing system, figure 5.
Figure 5: EFI Pro Concept
- The first layer is standard Ethernet technology described in IEEE 802.3 (e.g. 100BASE-T1 – 100 Mbit/s Ethernet over a single twisted pair)
- The second layer describes Common industrial protocol which is additional to the first layer (e.g. a suite of messages and services covering things like control, synchronisation, diagnostics, etc. for automation applications)
- The third layer is CIP Safety which adds additional service with high integrity for safety applications up to PLe/SIL3 (BS EN ISO 13849/BS EN IEC 62061). This, again, is additional, enabling both standard and safe devices to operate on the same network. Any devices with CIP or CIP safety capability can be used on this network regardless of vendor.
- The fourth layer (in this case) is EFI Pro which is used for EFI pro SICK devices and offers additional extensions (Device scan, pre-engineered integration, time synchronisation etc.)
Since EFI Pro is based on the previous three layers, it can be implemented using existing CIP wiring components and no special wires are needed. There are now also devices available that can convert Ethernet signals from wire to a wireless medium and then back again. Therefore, as long as the data does not change, the protocol is adhered to and safe communication can be continued. However, it should be pointed out that wireless mediums can be tricky in industrial situations and any safety concept should be fully tested first! It is often the case that response time has to be sacrificed in wireless communication to allow a more robust solution that could have a major impact on safety.
The main advantage of using a safe network over a hardwired system is that much more data can be communicated over one cable. To safely connect two safety controllers together without using a safe fieldbus would require lots of individual wires for each signal, whereas a process image can contain many Bytes of information with both inputs and outputs. This dramatically reduces the amount of cables that are required in a system. There are also additional advantages such as:
- Can be used with pre-existing wiring
- In some cases a complete project can be configured in one software tool, using one file
- Associated software tools can usually produce a comprehensive report containing information on the devices in the network (e.g. process image descriptions, fields programmed in a scanner, the logic programmed in different controllers and wiring diagrams). This kind of information can be placed directly into any technical file and is something which you would have to painfully gather together if using isolated systems with different software tools
At SICK we have many examples of how a safe network can solve complex applications such as:
- Gaining access of up to 8 protective fields simultaneously on a safety laser scanner protecting a robot for sequence monitoring
- Adjusting protective fields on an AGV/AMR based on speed & direction calculated from rotary encoders
- Connecting global E-Stop information between machines and implementing safety zones etc.
To find out more you can take a look at my LinkedIn page or go to our website (www.sick.com).
With the evolution of AMR’s, AGV’s and robots, it is important that the safety concepts of the future keep up with the flexibility of the applications and safety networks will play a huge part in this. Here at SICK, we are here to help you along the way to achieve your “Industry 4.0” or “Industrial Internet of things” (IIoT) applications. We have 75 years of experience in Industrial Automation with an extensive product portfolio and a worldwide team of TUV qualified functional safety engineers and PLC experts on hand to back it up.
If you have any questions then please feel free to add any comments below or contact me directly,
Dr. Martin Kidman, Ph.D.
Market Product Manager – Safety Solutions
SICK (UK) Ltd