Integrated or separate safety systems
Machine designers must consider many factors when deciding on safety system architecture for factory automation
By Larry Reynolds
Factory equipment continues to become increasingly intelligent in large part due to the improved processing power and communication abilities found within underlying controllers, sensors, and components. This is true for basic machine operation and functionality, as well as for the safety systems. Therefore, just as designers must evaluate features when selecting an automation platform, they also need to consider safety system options.
Equipment automation can be deemed a critical application, yet it is clear that properly designing the safety aspects is even more crucial. This has typically meant applying safety components to the fundamental automated system throughout the life cycle of the system. The purpose of a safety system is to bring a machine to a safe state as quickly as possible if a safety sensor is triggered by personnel or equipment conditions, or if an emergency stop pushbutton is pressed.
The most basic safety systems are based on hardwired safety relays. More flexibility and other advanced capabilities are available with digital safety controllers and safety-rated smart relays, which can be used in conjunction with nonsafety automation controls. Taking this a step further, there are complete control platforms available for merging factory automation and safety functions into a single integrated digital system. This article discusses evaluations that designers and engineers should perform as they consider the right safety system fit for their machine automation application.
Risk assessment comes first
Regardless of the final safety system approach, the first step is for qualified personnel to perform a risk assessment to identify potential hazards. Team members with backgrounds in design/engineering, equipment function, operations, and maintenance apply their experience to identify risks, the frequency and duration of worker exposure, and how risks can be removed or mitigated. Equipment manufacturers generally follow methods outlined in various standards, such as ANSI B11.0, ANSI B11.19, ANSI/RIA R15.06, or ISO 12100, to name a few.
In very general terms, if an unsafe condition can be sensed, then the equipment should be deenergized and stopped, or in some instances, the equipment should just hold its position or return to a safe position. Unsafe conditions can include a variety of situations, such as an out-of-place guard, a pressure mat sensing a worker entering a hazardous area, a pushed emergency stop button, or even a failure within the safety system itself. Field devices may be simple like an emergency stop pull-cable, or more complex like a configurable light curtain.
Safety systems must be designed, installed, wired, and configured to act based on condition monitoring to make the equipment as safe as possible. A risk assessment is fundamental to understand the hazards, and how the equipment can be brought to a safe state when an unsafe condition is detected.
Driving to a safe state
Understanding the concept of a safe state is important to any safety discussion. Most often, a safe state is achieved by removing sources of energy, such as electricity, compressed air, or hydraulics. Some high-inertia equipment can be commanded to actively brake to a faster stop using regenerative variable frequency drives or other mechanical means. There may be mechanisms requiring activation to lock the equipment in position.
In some situations, there may be a requirement to maintain power to hold equipment in the safest state. Some energized equipment may hold product or tooling in an elevated position because deenergizing it would cause the material or equipment to drop in a way more unsafe than just a holding position. From the standpoint of IEC 60204-1 or NFPA 79, there are three stop categories that designers may consider in their effort to drive equipment to a safe state:
- Category 0: An uncontrolled stop by immediately removing power to the machine actuators.
- Category 1: A controlled stop keeping machine actuator power available to achieve the stop, and then removing power once the stop is achieved.
- Category 2: A controlled stop with power left available to the machine actuators.
A risk assessment will not only define the risk, but also identify how best to remove it. This in turn points to what devices can be applied for best safety.
Paths to proper safety
Having defined the risks and how the equipment can be driven to a safe state, the design process turns to specific means and methods for implementing a safety system. Here the team will find three main paths:
- basic safety relays
- individual safety controllers or safety-rated smart relays, sometimes used in conjunction with nonsafety automation controls
- fully integrated equipment/safety control systems where machine control and safety monitoring are performed on the same platform, such as a safety programmable logic controller (PLC)
Many safety solutions could be implemented in any of these three ways with acceptable performance. Therefore, designers will need to consider some other criteria outside of basic safety, such as:
- hardware costs
- installation costs
- design effort required
- programming/configuration effort required
- maintainability for troubleshooting
- operator friendliness
- long-term support
- ease of future updates or modifications
More advanced safety components, especially for the fully integrated approach, can cost much more from a hardware and configuration standpoint than basic safety devices do. Sometimes this cost is somewhat offset by the fact that basic safety components often carry a higher installation cost. Also, if long-term maintenance and operations are considered, there are many benefits to safety controllers and fully integrated systems.
The following sections explore the advantages and downsides of each approach.
Basic safety relays
Hardwired safety control wiring was the original method of providing machine safety, because much of machine automation uses electrical signals that can be interrupted to stop operation. Even pneumatics, hydraulics, and other types of nonelectrical stored energy can incorporate solenoids or other electromechanical means for deactivation.
Designers can improve wired safety for handling more complex situations by designing it with safety-sensing devices and relays that are energized when conditions are safe and deenergized when they are not, which provides a fail-safe function: a broken wire or lost power drops the circuit into the safe state. These devices incorporate features like redundant signal sensing to satisfy control reliability and circuitry to analyze the inputs.
Some safety relays are similar to standard relays with added safety features, such as monitored auxiliary contacts, while others may have additional characteristics making them specifically adapted to functions like emergency stop button circuits or light curtains for a basic machine (figure 1). Sometimes a more advanced safety relay may be used in conjunction with a standard safety relay, such as to increase the number of controlled outputs. When specific hardwired safety components are used, often in a redundant fashion, a high-reliability safety circuit is the result.
Modern safety relays are specifically standardized components, with features like electrically isolated and mechanically force-guided operational contacts and monitoring contacts, to best ensure that the relay functions as intended and provides notification if there is a malfunction (figure 2).
Basic safety relay designs also provide good familiarity for design and operations personnel, and the components themselves are economical. Safety relays are often used in conjunction with more advanced and expensive components to multiply safety outputs and interlock multiple electrical devices. Another feature to consider is that safety relay circuits are a separate system from any automated controls. The controls may monitor the safety circuit or even trip it, but they otherwise operate independently in parallel, an advantageous approach in many cases.
There are some considerations with the tried-and-true basic safety relay approach, however. These devices are less suitable for more complex safety designs. Furthermore, their hardwired nature means they are more difficult to modify in the future if there are technical product advancements or a need to improve the safety architecture. Another important consideration is the significant amount of field wiring that may be required to achieve the performance level required by the risk assessment. Recognition of these issues and the availability of high-value and high-performance electronics led to the creation of individual safety controllers.
Figure 1. A basic machine like this tape wrapper can be designed to provide the necessary safety using safety relays and light curtain relays.
Figure 2. Safety relays, like these examples from AutomationDirect, range from fundamental and reliable hardwired electromechanical force-guided relays to more advanced versions with additional features optimized for functions like emergency stop buttons or light curtains.
Individual safety controllers
With the introduction of robust digital industrial automation electronics, the progression from basic safety relays to individual safety controllers was natural. Many safety controller components look much like smart relays, and their outputs may operate similarly (figure 3).
However, safety controllers offer many expanded features. They can be all-in-one devices with inputs and outputs (I/O), or they may be modular with connectable components for the controller, inputs, outputs, and communications. This expandability enables safety controllers to easily connect with many more field devices.
A flexible configuration environment is another key attraction. Inputs and outputs are managed through software configuration. This means that zones can be assigned and even overlapped as necessary and changed in the future via an easy configuration change, instead of requiring a field wiring change, as with basic safety relays. All field devices are simply home-run to the safety controller, and more complex hardwired interconnection schemes are avoided.
Finally, because safety controllers usually have digital communications options, it is possible for the associated nonsafety automation control system to easily monitor the status of all safety system signals, while keeping the two systems independent.
The downsides revolve around cost-per-point for the components and the engineering cost to learn the programming software. For very small I/O counts, a safety controller will likely be more expensive than a few basic safety relays due to the step cost of the controller.
However, for larger I/O counts, a safety controller solution will become comparable to or less expensive than hardwired safety controls, when all hardware and installation is considered. And once the designers have learned the software, they can apply their design efforts to software configuration if any changes are needed, as opposed to inflexible hardwired circuit designs inherent to systems employing basic safety relays.
Figure 3. Safety controllers, such as these MOSAIC examples, are far more advanced than basic relays, with additional protective features, configurability, expandable I/O options, and even communication capabilities.
Full integration of equipment control with safety control
Machines and other factory equipment are often automated using programmable logic controllers, a very mature technology that can and often does work in conjunction, although in parallel, with basic safety relays or safety controllers. There are also specialized safety-rated PLCs that combine the equipment control abilities of standard PLCs with the safety functionality of safety controllers.
Safety PLCs are generally used for more complex systems with many I/O. They are very flexible and offer as many safety functions as safety controllers. Because equipment control and safety functionality are both handled within a single controller, there are no communication issues, and all configuration is handled within a consistent programming environment. More advanced diagnostics are available to help engineers and end users. However, keep in mind that equipment programming and safety programming are two separate activities.
The complexity of fully integrated safety PLCs comes at a price: the hardware platform itself is more expensive, and the programming demands a greater skill level. Their more specialized nature may also make them more challenging for end users to support as compared with standard PLCs and simpler safety systems.
Typical applications for this type of solution are found when a large proportion of the I/O points are safety related. When only a relatively small number of I/O points are safety related, this approach will be much more expensive than separate control and safety systems.
Making a safe choice
Each safety design situation and equipment application requires consideration of the equipment, risk, and safety provisions. Designers may find the following guidelines applicable.
For the most basic systems with few safety I/O and simple needs, basic safety relays are economical, easy to design, and readily maintained. If the I/O count is more than a few points or any more advanced features are needed, especially communications to a PLC, then safety controllers are an excellent fit and may result in an installed cost comparable to that of an equivalent relay system.
Fully integrated safety-rated PLCs allow equipment manufacturers and original equipment manufacturers (OEMs) to consolidate their control hardware bill of material and provide a tightly integrated automation and safety package. Once an OEM is geared up to use these more complex controllers, it may realize ongoing savings and performance benefits from this approach, although initial costs will be quite high.
However, if end users will be supporting this fully integrated control/safety equipment, they need to consider personnel training costs. If costs are prohibitive, end users may be better off specifying a consistent application of safety relays or controllers.
A final thought regards equipment protection in conjunction with personnel safety. These are related but not to be confused. Of course, personnel safety is absolutely the highest concern, and safety design must always be accomplished in accordance with industry standards.
However, designers can also apply many of the same safety concepts and components to provide automation that attempts to protect equipment and processes from improper operation, especially in the case of a failure or error. By preventing machinery from experiencing collisions or otherwise destroying itself, the safety risk is also reduced for personnel. Consider a grinding wheel where a speed control relay can be employed to limit the maximum speed, so the wheel will not fail, which could injure workers.
Another example is a robot system or similar moving equipment installed within a caged area known as a cell (figure 4). Safety systems can be configured such that if the gate is forcibly opened, the robot will undergo a rapid shutdown to protect personnel, even at the expense of product loss or equipment damage. However, other stop conditions might allow a more controlled robot stop while keeping the gates locked, and only unlock the gates when all energy is removed. This sort of good engineering practice keeps systems in operating order and helps prevent downtime while maintaining work safety.
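As an added example (not from the article or any vendor's product), the following Python simulation models the guarded-cell logic just described together with the stop categories and fail-safe dual-channel inputs discussed earlier: a forced gate or a channel discrepancy produces a Category 0 stop, while an E-stop or requested stop produces a Category 1 stop that only unlocks the gate once power is gone. The `scan` structure, the per-scan deceleration value, and the state fields are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Stop(Enum):
    NONE = "running"
    CAT0 = "category 0: power removed immediately"
    CAT1 = "category 1: controlled stop, then power removed"


@dataclass
class CellState:
    powered: bool = True
    speed: float = 100.0        # percent of commanded robot speed
    gate_locked: bool = True
    stop: Stop = Stop.NONE
    fault: str = ""


# Hypothetical braking rate for the controlled (Category 1) stop, per controller scan.
DECEL_PER_SCAN = 40.0


def dual_channel(name, ch_a, ch_b):
    """Fail-safe dual-channel input: True on both channels means energized and safe.
    Channels that disagree indicate a wiring or device fault, which is itself unsafe."""
    if ch_a != ch_b:
        return False, f"{name} channel discrepancy"
    return ch_a, ""


def scan(state, gate, estop, controlled_stop_request=False):
    """One controller scan. gate and estop are (ch_a, ch_b) tuples of channel readings."""
    gate_ok, gate_fault = dual_channel("gate", *gate)
    estop_ok, estop_fault = dual_channel("e-stop", *estop)
    fault = gate_fault or estop_fault
    if fault:
        state.fault = fault
    # Gate forced open, or a fault inside the safety system: Category 0, drop power at once.
    if not gate_ok or fault:
        state.powered, state.speed, state.stop = False, 0.0, Stop.CAT0
    # E-stop or a requested stop: Category 1, brake under power, then remove power.
    # The stop stays latched even if the E-stop is released mid-ramp.
    elif not estop_ok or controlled_stop_request or state.stop is Stop.CAT1:
        state.stop = Stop.CAT1
        state.speed = max(0.0, state.speed - DECEL_PER_SCAN)
        if state.speed == 0.0:
            state.powered = False
    # The gate may only unlock once all energy has been removed from the cell.
    state.gate_locked = state.powered
    return state
```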
For safety designs, there are three main approaches that are progressively more complex, capable, and costly. When designers complete a risk assessment and look at the cost versus performance options, they can determine the appropriate solution.
Figure 4. Advanced safety relays or safety controllers are more suitable for more complicated moving equipment installed within a guarded cell.