Networking Safety - Having Your Cake and Eating It Too

Safety is a serious business and does not allow shortcuts. More recently, users of automation equipment also have realized that safety is good for the bottom line.

Unfortunately, properly designed safety implementations using light curtains, e-stops and door interlock switches based on traditional techniques using redundant wiring tend to be complex. At the same time, they limit the flexibility needed to implement desirable features like zoning and automatic diagnostics. Because a safety solution has to satisfy additional requirements — compared to non-safe control solutions — most engineers accepted the high level of complexity, low degree of flexibility and associated high cost of implementation. After all, we are talking about control- safe and fault-redundant designs.

But is this really necessary?

Before considering ways to improve safety systems, it is a good idea to take a look at the traditional, hardwired approach. Figure 1 shows a situation where three emergency stops are connected to a conventional safety relay. In the released state (i.e., the e-stop button pulled out), the redundant, typically force-guided e-stop contacts are closed, allowing current to flow. As soon as one of the e-stops is pushed, the current flow is interrupted and the safety relay will cause the safe contacts to drop out.

Under fault conditions, it may happen that one of the two e-stop contacts is stuck in the closed position and only one contact is opening. The redundant nature guarantees that restart under these conditions is not allowed. By adding an additional auxiliary contact, it even is possible to determine which e-stop was responsible for the machine shutdown.

Frequently, this contact is called a diagnostics contact even though the level of diagnostic information is so limited it hardly deserves the name. In hardwired safety systems, the safety and diagnostics are totally independent; the independent AUX contacts are independently wired to inputs on a (non-safe) PLC. And the fact that those AUX contacts can fail independently and therefore may not represent the state of the safe contacts is one of the biggest problems of traditional hardwired safety solutions.

WELDED CONTACTS

Imagine a contact on one of the e-stops is welded shut. Next, consider what happens when this e-stop is used to turn the machine off. The welded contact will remain closed. The second safe contact will open, and since this is a sufficient condition to cause a shutdown, the safety relay contacts will open up and the machine will be safe.

Evaluating the state of the AUX contact — closed at this point in time — the PLC can correctly indicate which e-stop caused the shutdown. This typically is indicated on an HMI, a stack light or by using illumination on the e-stop itself.

The problems start as soon as the operator attempts to restart the machine. Because the welded contact never dropped out, the safety relay inhibits restarting. Unfortunately the AUX contact — now open — provides no guidance. An experienced maintenance person may conclude that something is wrong with the e-stop that was used last, causing the shutdown. Recreating the shutdown scenario and armed with an ohm meter, this skilled person probably will find it relatively easy to confirm the error, limiting the downtime to perhaps an hour or two.

INTERMITTENT CONTACTS

While a welded contact is relatively simple to find — once it is welded it is closed for good and can be detected with diligence and an ohm meter — intermittent contacts are entirely different and a much more serious problem. Figure 2 shows a door interlock switch where one lead is not properly connected, causing nuisance shutdowns. Intermittent contacts frequently are due to machine vibration and as a consequence are never detected once the system has shutdown.

With the contact closed, the machine will restart and run just fine until vibration causes the next unscheduled shutdown. And since traditional hardwired safety systems provide no help, operators either can hope for the intermittent problem to permanently fail or start checking every lead until the offending wire has been found. This can take hours. Frequently, with the intent to properly address the issue between shifts, operators are tempted to jumper out large sections of the safety system, creating situations with potentially catastrophic consequences.

THE SOLUTION IS BETTER DIAGNOSTICS

With those problems in mind, it is obvious why better diagnostics is desirable. The good news is that putting safety on an approved network can address many of the diagnostics issues. Clearly, not every commonly used industrial networking solution can be used. Networks evaluated and approved by the governing bodies and agencies use a number of different methods to do the seemingly impossible: Transmit safe data over non-redundant wiring.

Depending on the implementation, methods are used that range from long checksums, to individually numbered communication packets, to dynamic safety codes. Safety at Work (SaW), the safety technology that uses the two-conductor AS-Interface as its underlying communication network, will be used to outline the benefits of making the switch from hardwired safety to a networked approach. While the details may differ in the various safety network solutions, the end result probably is very similar.

DYNAMIC SAFETY CODES

In order to see the benefits of networking safety, a few new concepts need to be discussed. Three important aspects to remember include:

  • AS-Interface is a two-conductor data and power networking solution.

  • Each data exchange transmits 4 bits of input and output data.

  • A 32-bit dynamic safety code is used to transmit safety information.

Enabling the safe transmission of data is a simple, effective process. During the manufacturing process, each and every safety component is assigned a unique, never-to-be-repeated, 32-bit code number. Transmitting 4 bits at a time, the 32-bit code is split up into eight individual data transactions.

As long as a safe device is in its released state, this 32-bit dynamic safety code is transmitted over the network. But as soon as the door is opened or the e-stop depressed, instead of the next 4-bit safety sequence package, a 0000 bit package is sent. For illustration purposes, Figure 2 shows the setup of a network with only one e-stop and one door interlock switch — far short of the possible 32 devices that can be connected to a network.

One of the main advantages of utilizing a network is wiring simplicity. With AS-Interface, this means that the e-stop and door switch are directly connected to the positive and negative leads of the network, receiving power from and exchanging data with the network.

Two more components need to be mentioned. The gateway enables communication on AS-Interface and exchanges data upwards with the PLC. Any of the commonly used upper level networks, from DeviceNet to PROFIBUS, PROFINET to EtherNet/IP, is supported. In a simplistic sense, the gateway is a translator between the upper-level network going to the PLC and AS-Interface. The other component is the safety monitor. This is where the safe contacts reside and it can be thought of as a “networked, fully configurable safety relay.”

When the e-stop is in its released state, it constantly sends the dynamic safety code, 4-bits at a time. The safety monitor reads this data, compares it to the expected data and, as it finds a match, concludes that the e-stop is in the released state. If, on the other hand, the door is opened, the data from the door interlock switch contains only 0000 packets, indicating to the safety monitor that the door has been opened. From the user point of view and for the purpose of diagnostics, the details of the safety code sequence are not important. What is important for the user is that the PLC receives the same information as the safety monitor and it is simple to add an additional rung of PLC logic (see Figure 4) that evaluates as true as soon as the guard door is opened or the e-stop is pushed. This logic replaced the need for the auxiliary contacts used on standard hardwired solutions.

But what about the two failure cases (welded contact and intermittent contact) we talked about earlier? To address those cases, we need to discuss another quality of the 4-bit data packets. Since each safety device still contains two redundant safe contacts internally, the inventors of SaW designed the system in such a way that the state of each contact is reflected in 2 of the 4 bits. The following table summarizes the possible states of a safety device and how those states influence the data transmitted over the network. And because this data is also transmitted to the PLC, a user application can evaluate it and identify previously undetectable states.

Thus far we talked only about why and how a networked safety solution simplifies and enhances safety diagnostics at the PLC level. As mentioned earlier, it is the safety monitor that makes safety happen. Quickly looking at the steps involved in setting up the safety monitor shows another reason why networking safety in general — and AS-Interface Safety at Work in particular — simplifies and enhances installations.

Once all components are connected to the two-conductor network cable, power is applied, bringing everything to life. The next step is assigning addresses to the safe devices. Pushing a couple of buttons on the gateway is all it takes in terms of configuration.

Lastly, a drag-and-drop software tool is used to define the logic that ties the states of safe devices to OSSDs. It is here where reset and simultaneity conditions are configured, timing behavior is specified and logic relations between various safe and non-safe inputs are set. This logic is then downloaded to the safety monitor and activated. Besides the fact that numerous types of safety relays are replaced by just one type of safety monitor, any future changes to the safe logic are performed though software. Once the network is up and running, wires are never touched again, clearly an advantage for any application.

APPROVALS

Before applying a new safety technology, check if the necessary local and international approvals have been obtained by device manufacturers. The good news is that networked safety can be used in applications up to CAT 4 (according to EN 954), SIL3 (according to IEC61508) and in some cases even PL e (according to ISO 13849). In North America, OSHA, by means of NFPA 79, has approved using networked safety since its 2002 maintenance cycle.

With automation equipment being built on either side of the Atlantic and then shipped across the ocean, it makes a lot of sense to utilize safety hardware that follows global standards and regulations. Safety networks, while not entirely new, still are new enough to embrace the idea of global market penetration and approvals.

Today's networked safety solutions are powerful and flexible. Still, engineers are working on additional solutions and devices, so it is a good idea to ask the supplier of any available solution for forward and backward compatibility. Another important issue is configuration software and tools. Will the tool that's available today still work in 5 years? And if not, what is the cost of keeping up with software developments?

State of safety device Data transmitted on AS-Interface Note
Normal operation, both safe contacts are closed Dynamic code sequence Usually this state is not directly evaluated by the PLC
Normal operation, both safe contacts are opened indicating that the safety device has been used to indicate a safety function (e.g., machine shutdown) Static 0000 bit pattern This input bit pattern is evaluated by PLC ladder logic using four “examine OFF” statements in series (see Figure 4)
One of the safe contacts in the safe device is welded 00xx or xx00, where xx indicates bit toggling while the 00 part is constant for as long as the safe device is activated The PLC can evaluate this situation and automatically inform maintenance the very instant the error occurred. PLC programmers even have the ability to annunciate the required replacement part to further reduce downtime.
Intermittent contacts Multiple occurrences of 00xx or xx00 followed by toggling 4-bit packets indicates an intermittent contact The PLC can evaluate this situation and automatically inform maintenance the very instant the error occurred. PLC programmers can program the system to suggest the proper maintenance steps depending on the safety device exhibiting the fault.


Helge Hornis is responsible for Intelligent Systems at Pepperl+Fuchs Inc. He has worked with a large number of users on RFID and sensor bus solutions, has managed integration projects at key customers and was directly involved in the development of a unique 3D position measuring system. He also holds a seat on the board of AS-Interface USA, the North American arm of AS-International.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish