01 May 2004

Safety networking

New technology enables greater flexibility.

By Richard Piggin

The changing characteristics of manufacturing processes, along with increasing demands on them, call for a more flexible approach to safety than traditional methods can provide. Conventional safety relay technology has also restricted the functionality of safety systems, particularly in terms of flexibility and diagnostics.

Fieldbus networks are now widely used for transmitting control data, but not safety-related data. Conventional fieldbus technology is generally not suitable for safety-related use unless the bus system itself meets the requirements of a safety system. Machine safety systems will benefit from the simplification that fieldbus provides, and from its other generic benefits, such as ease of maintenance, faster installation, and reduced downtime. Further advantages arise when an organization uses fieldbus in a more sophisticated manner, where developments in safety-related technology enable flexible approaches to safety engineering.

A specifically designed safety fieldbus is required for safety-related applications, and it must meet the new international standards, such as IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) or its sector-specific or horizontal implementations. Standards based upon IEC 61508 are currently in preparation for the process and machinery sectors (IEC 61511 and IEC 62061, respectively) and for the safety functionality of electrical power drive systems (IEC 61800-5-2). These new standards permit the use of developments in safety technology that some earlier standards restricted. Safety standards in the past have not reflected the state of the art in programmable control and data communications and have instead encouraged the use of electromechanical components. These new standards and revisions of others will reflect the significant developments in safety-related automation.

The removal of parallel hardwiring in controls using conventional fieldbus affords design flexibility and modularity and eases testing and maintenance; the same benefits apply to safety circuits with safety-related fieldbus. Safety circuits become less complex, with far fewer cables and connections. This improves reliability, greatly assists maintenance, and simplifies reconfiguration over the lifetime of the system. Safety fieldbus architectures with bridges, routers, gateways, and various media options will meet the needs of most applications and provide the flexibility to support future upgrades.

Safety fieldbus

Conventional fieldbus networks are not suitable for safety-related controls, because additional error detection and avoidance mechanisms are required. Although conventional networks have error detection and correction methods appropriate for control data, without modification they cannot independently and rapidly detect network, cable, or safety device failures. An independent safety layer is therefore necessary to detect connection or device failures and to trigger the required emergency shutdown action to avoid danger.

The additional safety protocol layer must detect and protect against transmission errors such as repetition, loss, insertion, incorrect sequencing, message corruption, delay, and the coupling of safety and standard data (safety-related and standard data sharing the same channel). The system must contain at least one measure against each of these errors. The measures include a running (sequence) number, a watchdog timer, reception acknowledgement, data integrity assurance such as a CRC, redundancy (sending the data more than once so that the copies can be cross-checked), and different data integrity assurance mechanisms for safety and standard messaging.
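As an added illustration (example code written for this page, not the SafetyBus p protocol or any vendor's implementation), the following Python models such a safety layer over a bus that is treated as untrusted: a running number catches repetition, loss and incorrect sequencing; a time stamp and a watchdog catch delay and silence; a connection identifier rejects inserted frames and coupled standard data; a reception acknowledgement lets the producer detect a stalled link; and a CRC-16, deliberately different from the bus's own check, catches corruption. The frame layout, time-outs, connection numbers and fault names are assumptions, and the delay check assumes producer and consumer clocks are synchronized.

```python
"""Added illustration of a safety protocol layer on top of an untrusted bus.

Example code written for this page; it is not the SafetyBus p protocol or
any vendor's implementation. Frame layout, time-outs and fault names are
assumptions chosen so that each measure the text lists can be exercised.
"""
import struct

# Assumed frame: | conn_id:1 | seq:2 | timestamp_ms:4 | payload | crc16:2 |  (big-endian)
HEADER = struct.Struct(">BHI")
CRC_LEN = 2
WATCHDOG_MS = 50   # no valid frame (or no acknowledgement) within this: trip
MAX_AGE_MS = 20    # a frame older than this on arrival is treated as delayed


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE over the safety frame. Deliberately a different check
    from the one the underlying bus applies, so a standard frame that passed the
    bus check cannot also pass as a safety frame."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


class SafetyProducer:
    """Builds safety frames and trips if acknowledgements stall."""

    def __init__(self, conn_id: int, start_ms: int = 0):
        self.conn_id, self.seq = conn_id, 0
        self.last_ack_ms, self.tripped = start_ms, False

    def build(self, payload: bytes, now_ms: int) -> bytes:
        self.seq = (self.seq + 1) & 0xFFFF or 1          # running number; 0 is never sent
        body = HEADER.pack(self.conn_id, self.seq, now_ms & 0xFFFFFFFF) + payload
        return body + struct.pack(">H", crc16_ccitt(body))

    def on_ack(self, acked_seq: int, now_ms: int) -> bool:
        """Consumer echoes the last accepted seq (reception acknowledgement)."""
        if acked_seq == self.seq:
            self.last_ack_ms = now_ms
        if now_ms - self.last_ack_ms > WATCHDOG_MS:
            self.tripped = True
        return not self.tripped


class SafetyConsumer:
    """Validates frames; the first detected error latches the safe state."""

    def __init__(self, conn_id: int, start_ms: int = 0):
        self.conn_id, self.expected_seq, self.last_seq = conn_id, 1, 0
        self.last_ok_ms, self.tripped, self.fault = start_ms, False, None

    def _trip(self, reason: str):
        self.tripped, self.fault = True, reason
        return reason, None

    def receive(self, frame: bytes, now_ms: int):
        """Returns (status, payload); status is "OK" or the detected error class."""
        if self.tripped:
            return "TRIPPED", None
        if now_ms - self.last_ok_ms > WATCHDOG_MS:        # watchdog: frames lost or late
            return self._trip("watchdog")
        if len(frame) < HEADER.size + CRC_LEN:
            return self._trip("corruption")
        body, crc = frame[:-CRC_LEN], struct.unpack(">H", frame[-CRC_LEN:])[0]
        if crc16_ccitt(body) != crc:                       # data integrity: corruption
            return self._trip("corruption")
        conn_id, seq, sent_ms = HEADER.unpack_from(body)
        if conn_id != self.conn_id:                        # insertion / coupled standard data
            return self._trip("insertion")
        diff = (seq - self.expected_seq) & 0xFFFF          # running number with 16-bit wrap
        if diff:                                           # old number: repetition; gap: loss
            return self._trip("repetition" if diff > 0x7FFF else "loss")
        if now_ms - sent_ms > MAX_AGE_MS:                  # time stamp: delay (clocks assumed synced)
            return self._trip("delay")
        self.expected_seq = (seq + 1) & 0xFFFF or 1
        self.last_seq, self.last_ok_ms = seq, now_ms
        return "OK", body[HEADER.size:]


def demo() -> dict:
    """Constructed scenarios: one healthy exchange, then one fault of each class."""
    def pair():
        return SafetyProducer(7), SafetyConsumer(7)
    out = {}
    p, c = pair()
    out["healthy"] = c.receive(p.build(b"\x01", 10), 12)[0]
    p, c = pair()                                          # replayed frame
    first = p.build(b"\x01", 10)
    c.receive(first, 12)
    c.receive(p.build(b"\x01", 20), 22)
    out["replay"] = c.receive(first, 30)[0]
    p, c = pair()                                          # first frame lost on the bus
    p.build(b"\x01", 10)
    out["loss"] = c.receive(p.build(b"\x01", 20), 22)[0]
    p, c = pair()                                          # one payload bit flipped
    damaged = bytearray(p.build(b"\x01", 10))
    damaged[HEADER.size] ^= 0x80
    out["corruption"] = c.receive(bytes(damaged), 12)[0]
    _, c = pair()                                          # frame from another connection
    out["insertion"] = c.receive(SafetyProducer(9).build(b"\x01", 10), 12)[0]
    p, c = pair()                                          # stale frame
    out["delay"] = c.receive(p.build(b"\x01", 10), 40)[0]
    p, c = pair()                                          # nothing valid arrives in time
    out["watchdog"] = c.receive(p.build(b"\x01", 60), 70)[0]
    return out
```

The consumer latches its trip on the first error, as a safety layer must; recovery needs an explicit reset, not another good frame. These measures target random and systematic faults (noise, lost frames, misrouting), which is what IEC 61508 addresses. A CRC and a sequence number give no protection against a deliberate attacker with access to the bus, who can recompute both, so a network exposed to such an attacker needs cryptographic integrity protection in addition to the safety layer.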

Adding safety layers to fieldbus

New age

One of the principal benefits of safety fieldbus is the simplified connectivity of devices and equipment. The first fieldbus devices provided I/O interfacing, and integration for a wider range of equipment was developed afterward; the same applies to safety fieldbus. Established safety network technologies now provide additional benefits through connectivity to a growing variety of safety-related products. These include traditional devices such as light curtains, scanners, and emergency stops, and more sophisticated ones such as robots, safety drives, safe pneumatics, and various wireless devices. The new safety-related devices do not just offer an alternative method of achieving safety; they enable new approaches to safety engineering.

SafetyBus p is a safety-related industrial network in widespread use, and it provides an example of current developments in safety networking. It is based on controller area network (CAN) technology, one of the most widely used networking technologies today, with automotive, machine, and industrial applications. (Bosch originally developed CAN for use in electrically noisy automotive environments.) SafetyBus p allows up to 64 devices on a single network with a maximum length of 3.5 kilometers; fiber, bridges, or routers can extend the network further. SafetyBus p is suitable for use in safety systems up to EN 954-1 Category 4 and SIL 3 according to IEC 61508.

Safety measures against possible transmission errors in messages

Auto robots

BMW has used SafetyBus p safety-related fieldbus within a modular automation concept for its 7 Series body-in-white (chassis) production line. One goal of BMW's modular automation concept is increased transparency: fewer obstructions, giving greater visibility and easier maintenance. This requires a flexible approach to safety engineering, with traditional fences replaced by protective windows, and loading stations and doors supplanted by high-speed safety gates, light curtains, or scanners.

Important considerations were the changing demands of automotive manufacturers, including increasing payloads (greater than 125 kilograms), work ranges, and cycle rates of robotic processes (up to 20 cycles per minute). The integration of a safety-related interface for the BMW robots with a SafetyBus p gateway addressed these needs. Direct safety-network interfacing and the use of a programmable safety controller provide ease of safety-related programming (rather than hardwired logic or relays), rapid and simplified cabling, wear-free contacts, continuous monitoring, and self-testing. These in turn increase productivity and lower life-cycle ownership cost through easier maintenance, which reduced system complexity and comprehensive diagnostics make possible. Benefits afforded by this technology include:

  • Increased flexibility: safety logic can be modified without changing hardware, and using fieldbus for safety communications reduces the changes needed when the system is modified.
  • No additional safety I/O modules required (limit switches are connected through the safety gateway), and easy robot safety programming via a robot software block.
  • Comprehensive diagnostics, with continuous monitoring and self-test of components and of the safety communication.
  • Reduced installation and commissioning effort, due to easier safety logic programming and simplified wiring and testing.

Safety-related robotic functions

Safety drives

Following the introduction of IEC 61508, a draft "daughter" standard is now available: IEC 61800-5-2, which covers adjustable-speed electrical power drive systems and is heavily based on IEC 61508. The draft standard enables the development of safety-related drives for safety fieldbus. Following IEC 61800-5-2, the SafetyBus p implementation allows the master programmable logic controller (PLC) to retain direct control of the drive while the safety system continuously monitors the drive's output. As long as the drive behaves as the safety system expects, the standard PLC continues to control it. Should there be any deviation, the safety system (comprising the safety drive monitor and the safety controller) immediately takes control and shuts the drive down. So, when a safety gate is opened, the safety system instructs the PLC to run the drive in a "safe" mode (for example at reduced speed) and instructs the monitor to check that the drive actually does so.

This overall concept allows two alternative embodiments: a separate external monitoring unit connected to the drive, or a special drive with the safety monitoring functions integrated in the same housing.

For either embodiment, the safety functions to incorporate include standstill monitoring, reduced-speed monitoring, position monitoring, monitoring the synchronization of two or more positions or speeds, and communication with the safety controller via the safety fieldbus network.

One manufacturer has already developed a monitoring unit that works with either fixed-speed or variable-speed motor drives (it is also suitable for hydraulic drives). The safety monitor uses absolute or incremental encoder signals to monitor positions or speeds via a special encoder interface. The received data is compared with the expected values, and the results are either processed within the monitor or forwarded over the SafetyBus p network for processing by a safety controller.
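The monitoring scheme of the preceding paragraphs, as an added Python example (written for this page, not the monitoring unit or drive described in the text): the standard PLC is assumed to keep driving the axis; the monitor only reads encoder samples and the safe condition the safety controller demands, and it latches a stop demand on the first deviation. It covers the listed functions of standstill monitoring, reduced-speed monitoring, position monitoring and synchronization of two axes. The limit values, mode names, encoder trace and single-channel structure are assumptions; a real Category 4 / SIL 3 monitor runs this logic on two channels with cross-checking and a diagnosed encoder interface, which the example omits.

```python
"""Added illustration of a safety drive monitor of the kind the text describes.

Example code for this page, not the product mentioned in the text. Limit
values, mode names and the encoder trace are assumed; positions are raw
encoder counts and times are milliseconds.
"""
from dataclasses import dataclass


@dataclass
class SafetyLimits:
    standstill_tol: float = 2.0       # counts of creep tolerated while standstill is demanded
    reduced_speed_max: float = 250.0  # counts/s allowed while a guard is open (assumed)
    pos_min: float = 0.0              # safe position window
    pos_max: float = 10000.0
    sync_tol: float = 50.0            # max position difference between synchronised axes


class DriveMonitor:
    """Watches one drive's encoder. The standard PLC keeps control until a
    deviation from the demanded safe condition is seen; then the monitor
    latches a stop demand for the safety controller to act on."""

    def __init__(self, name: str, limits: SafetyLimits, pos0: float, t0_ms: int):
        self.name, self.limits = name, limits
        self.pos, self.t_ms, self.speed = pos0, t0_ms, 0.0
        self.mode, self.ref_pos = "NORMAL", pos0    # NORMAL | REDUCED | STANDSTILL
        self.tripped, self.fault = False, None

    @property
    def stop_demand(self) -> bool:
        return self.tripped

    def demand(self, mode: str) -> None:
        """Safety controller changes the demanded condition (e.g. a gate opened)."""
        self.mode = mode
        if mode == "STANDSTILL":
            self.ref_pos = self.pos                 # position must be held from here on

    def _trip(self, reason: str) -> str:
        self.tripped, self.fault = True, reason
        return reason

    def update(self, pos: float, t_ms: int) -> str:
        """Feed one encoder sample; returns "OK" or the violated safety function."""
        if self.tripped:
            return "TRIPPED"
        dt = (t_ms - self.t_ms) / 1000.0
        if dt <= 0:
            return self._trip("encoder")            # time not advancing: sensor/channel fault
        self.speed = (pos - self.pos) / dt
        self.pos, self.t_ms = pos, t_ms
        lim = self.limits
        if not lim.pos_min <= pos <= lim.pos_max:    # position monitoring
            return self._trip("position")
        if self.mode == "STANDSTILL" and abs(pos - self.ref_pos) > lim.standstill_tol:
            return self._trip("standstill")         # standstill monitoring
        if self.mode == "REDUCED" and abs(self.speed) > lim.reduced_speed_max:
            return self._trip("speed")              # reduced-speed monitoring
        return "OK"


def check_sync(a: DriveMonitor, b: DriveMonitor) -> str:
    """Synchronisation monitoring of two axes: both stop if their positions diverge."""
    if abs(a.pos - b.pos) > a.limits.sync_tol:
        a._trip("sync")
        b._trip("sync")
        return "sync"
    return "OK"


def demo() -> dict:
    """Constructed encoder traces: normal running, a guard opens, the PLC fails to slow down."""
    lim, out = SafetyLimits(), {}
    m = DriveMonitor("conveyor", lim, pos0=0.0, t0_ms=0)
    for k in range(1, 4):                           # PLC runs at 1000 counts/s, nothing demanded
        out["normal"] = m.update(100.0 * k, 100 * k)
    m.demand("REDUCED")                             # gate opened: safe reduced speed demanded
    out["reduced_ok"] = m.update(320.0, 400)        # 200 counts/s, within the limit
    out["reduced_violation"] = m.update(370.0, 500)  # 500 counts/s: the PLC did not comply
    out["stop_demand"] = m.stop_demand
    s = DriveMonitor("lift", lim, pos0=5000.0, t0_ms=0)
    s.demand("STANDSTILL")
    out["standstill_ok"] = s.update(5001.0, 100)    # 1 count of creep is tolerated
    out["standstill_creep"] = s.update(5010.0, 200)  # 10 counts: the drive is moving
    a = DriveMonitor("axisA", lim, 100.0, 0)
    b = DriveMonitor("axisB", lim, 100.0, 0)
    a.update(200.0, 100)
    b.update(280.0, 100)                            # axes drift 80 counts apart
    out["sync"] = check_sync(a, b)
    w = DriveMonitor("table", lim, 9900.0, 0)
    out["position"] = w.update(10050.0, 100)        # left the safe position window
    return out
```

Each monitor evaluates only what the demanded condition requires, so the PLC retains full control in NORMAL mode and the safety system never issues drive commands itself; it only withdraws permission to run. This matches the division of roles in the text, where the safety controller demands a mode and the monitor verifies the drive actually honours it.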

Safety-related fieldbus offers significant advantages over traditional hardwired safety systems, advantages that should by now be familiar to fieldbus proponents. The removal of parallel hardwiring in controls using conventional fieldbus affords design flexibility, modularity, and ease of testing and maintenance, with associated cost reductions. The same benefits apply to machine safety circuits with safety-related fieldbus.

With safety fieldbus, machine safety circuits become less complex, with far fewer cables and connections, which in turn reduces the associated design, commissioning, and installation costs.

The use of safety-related fieldbus improves reliability and greatly assists maintenance, simplifying reconfiguration over the lifetime of the system. Where intelligence is distributed down to the device level, comprehensive diagnostics are available, enabling rapid fault rectification. This makes maintenance faster and easier.

Some safety networks allow devices and complete networks to be configured remotely, with embedded intelligence in the devices providing rich machine and plant diagnostics. Intelligent devices can alert operators to deteriorating performance using device parameters and preventive diagnostic data. Preconfigured diagnostic messages provide comprehensive diagnostics without the need to design application-specific messages (although the facility to customize them quickly exists), a task that is sometimes deemed noncritical at equipment commissioning and therefore left out. Direct fieldbus interfaces can monitor the full suite of functions of devices such as safety drives and robot interfaces, which simple I/O interfacing cannot. Comprehensive diagnostics enable users to plan equipment maintenance before failures occur. Traditional hardwired safety circuits cannot provide the specific diagnostics or flexibility available from programmable systems.

Additional functionality and flexibility come with the use of programmable safety controllers. Safety fieldbus provides these advantages while continuously monitoring the safety circuits. Combining a programmable safety controller with a human-machine interface allows timely detection and display of diagnostics. Status and safety diagnostics from the safety controller can easily be integrated into PLC/PC-based systems over a conventional (nonsafe) fieldbus; the conventional network carries diagnostic data out of the safety system, not safety-related control into it. With such facilities built in, there is no need to design in diagnostics, which saves significant engineering expense. Safety fieldbus architectures with bridges, routers, gateways, and various media options will meet the needs of most applications and provide the flexibility to support future upgrades.

Developments in safety-related fieldbus are transforming the way safety is engineered in the plant. The requirements for reliability, flexibility, and comprehensive diagnostics can no longer be met by conventional relay-based safety systems. Safety-related networks fulfill the essential needs that traditional systems catered for, while supporting new functionality for specialized and future safety system demands.

Safety-related drive monitor

Behind the byline

Dr. Richard Piggin is the chairman of the SafetyBUS p Club International e.V. He earned his engineering doctorate in fieldbus technology at the University of Warwick, where he was a senior research fellow. Contact him at r.piggin@safetybus.co.uk. SafetyBUS p Club International e.V. is the independent organization of SafetyBUS p users, integrators, and developers, which promotes the use and technical development of SafetyBUS p technology in safety-related automation. The organization started in 1999 and comprises more than 50 members; there are some 80,000 SafetyBUS p installed nodes to date.

