The evolution of functional safety

Over the last few decades, the functional safety of machines and systems has been ensured solely through the use of safety relays. In large-scale systems, this meant long parallel runs of dedicated wires from safety input devices to safety relays and, in turn, to the safety output devices. These functional safety systems were cumbersome to troubleshoot and inflexible in case of expansions or retrofits.
With the growth and availability of safe controllers and networks, two established approaches for implementing safety technology are made possible.
The first involves the use of remote safety controllers that feature their own separately installed safe network. Compared to traditional safety relays, this approach dramatically increases the flexibility of the safety application at the expense of increased costs.
In the second approach, the safe controller is integrated into the standard controller and uses the “existing” network to communicate with the safe devices. In practice, this approach has proven to be the better option in terms of technical and economic efficiency. Since the existing networks and infrastructure can be used, the installation and connection work needed to integrate functional safety into the machine or system is significantly reduced. This approach is therefore ideally suited for distributed applications with a medium to high number of safe I/Os. A special safety controller or safe bus system is no longer necessary.
Recently market studies show that less than 50 safe I/Os are built into most of the applications for machine and plant engineering. Based on these findings, the use of a safe controller makes economic sense only in situations where a large number of safe I/O are used in an extensive area. Many users are therefore looking for a solution that combines the flexibility of a safe controller plus the associated safe I/Os distributed in the network and the intuitive operation of the safety relay.

Automation safety without the need for a safety controller
Today, however, a different approach to distributed safety in an automated industrial network is available. New technology makes it possible to eliminate the strong dependencies between the fail-safe PLC and the safety protocol by achieving two conditions:
1.     The safe logic must not be an integrated part of central PLC, but rather decentralized and separated from the standard PLC as in the case of a configurable safety relay.
2.     The safe logic must communicate via special protocol over an already installed standard network to read safety input signals from distributed sensors and write safety outputs to actuators.
To reach these conditions, a special logic module can act as a standard network device. This logic module is distributed in the network and handles all safety logic processing on-site. Processing this safety data is done via internally redundant processors, much like a configurable safety relay can process its own safety program. Unlike a configurable safety relay, however, the distributed logic module can communicate to its associated safe input and safe output signals via a special protocol on the standard network.
This safety protocol does not contain any network or PLC-specific dependencies, but operates on the “black channel” principle, like that of a PROFIsafe system. The entire network, including the standard PLC and all infrastructure components located in the data path of the safety signals, is part of the black channel. Safety failure detection is only implemented at the end points of communication, which can detect failures within the black channel with a residual failure probability for the highest safety levels (i.e. PL e, Cat 4, SIL 3, as seen in the figure above).
Using this communication principle, the safe I/O can be distributed throughout the network, while still communicating back to the same logic module. This creates even more system flexibility. Input and output devices can be wired where they are needed, eliminating the need for long bundled sensor and actuator wire runs throughout the system.
Functional safety should no longer be viewed as a separate issue. Users can gain major competitive advantages by thoroughly integrating it into the automation solution of a machine or plant. Extensive diagnostic options reduce installation costs and downtime and hence increase availability and productivity.

Kian Sanjari, P.Eng., is product marketing manager for I/O & Networking for Phoenix Contact. Reach him at ksanjari@phoenixcontact.ca.

This article originally appeared in the March/April 2013 issue of Manufacturing AUTOMATION.