Machine & Operator Safety
Automation safety over a non-safe industrial network
By Gabriel Khon Phoenix Contact
By Gabriel Khon Phoenix Contact
Feb. 25, 2016 – Machine and plant engineers must observe functional safety standards, such as ANSI B11.19, EN ISO 13849 and IEC 61508, when they are constructing their equipment. Safety in today’s market has come a long way from the simple, single-function safety relays of the past. Now engineers are left to question what is best for the efficient implementation of the prevailing safety requirements in their process: programmable, network-enabled safety controllers or spatially limited, configurable safety relays?
Configurable safety relays
Configurable safety relays are similar to hard-wired safety relays, but contain the logical processing power required to configure multiple safety sensors using a single device. The logic configuration is typically done using a screwdriver on a selector dial, a simple on-board configuration screen or basic software configuration. Technological developments also allow these devices to report status back to a master PLC via an RJ45 or fieldbus module connection. Easy configuration and communication with logical controllers have greatly contributed to the growth of configurable safety relays in hazardous applications. Customers can now have a customizable safety solution that requires less wiring time and can be integrated without special training or advanced classes in programming languages. This can reduce logistics costs, because one part number can be stocked to handle all safety applications for all machines or processes. Even the safety program can be saved and transferred to replacement devices for easy repair. But even with all these advantages, configurable safety relays still fall short of safety PLCs in distributed safety applications because they cannot communicate over a safe network. In a distributed safety application, safety inputs and outputs are needed throughout the machine.
To accommodate systems like this, there are two options:
1. The installer can run safe I/O wiring across long distances through the machine back to the configurable safety relay, or
2. Each remote safety application can use separate configurable safety relays. This will lead to increased wiring and setup times, as well as inefficient use of configurable safety relay I/Os.
Because of these shortfalls, the only efficient way to connect a distributed safety system is to use a safe PLC and its associated safety protocol.
Programmable safe PLCs
While configurable safety relays replace simple relay solutions at moderate safety I/O counts, the programmable fail-safe PLC replaces the configurable safety relay at higher safe I/O counts. A programmable fail-safe PLC also has significantly more processing power and safety functionality. These specialized PLCs offer better integration, programming resources and a larger amount of usable safety signals for functions like safe motion and robot control. The fail-safe PLC uses a standardized safety network to communicate to safe I/Os on the network. This allows direct control and monitoring of hazards.
Programmable fail-safe PLCs offer increased computing power and functionality, but they also require certain preconditions that can present challenges in designing and certifying a system. The first and most important precondition is that the PLC being used has a “fail-safe” version. Though safety technology has grown significantly over the past decade, some PLCs do not have a fail-safe version or add-on processor widely available yet.
Machine builders also need to consider that specific customer control requirements may vary region to region, and different PLCs may be specified altogether.
Designing systems for multiple PLCs can be time-consuming and expensive, especially considering change control within each system. If a change is made to the overall design, then each individual safety design must also reflect that change. This could lead to multiple versions of multiple controls systems being in the field at the same time.
If you are considering different solutions for different regions, then it is also worthwhile to consider the safety network and communication protocol each solution requires. A system that uses both PROFIBUS and EtherNet/IP will require communication bus couplers, cabling and safety I/O for each of those protocols. This increases the need for logistical control and stocking for these parts.
Bridging safely: the distributed configurable safety relay
Today, however, a different approach to distributed safety in an automated industrial network is available. New technology makes it possible to eliminate the strong dependencies between the fail-safe PLC and the safety protocol by achieving two conditions:
• The safe logic must not be an integrated part of central PLC, but rather decentralized and separated from the standard PLC as in the case of a configurable safety relay.
• The safe logic must communicate via special protocol over an already installed standard network to read safety input signals from distributed sensors and write safety outputs to actuators.
To reach these conditions, a special logic module can act as a standard network device. This logic module is distributed in the network and handles all safety logic processing on-site. Processing this safety data is done via internally redundant processors, much like a configurable safety relay can process its own safety program. Unlike a configurable safety relay, the distributed logic module can communicate to its associated safe input and safe output signals via a special protocol on the standard network.
This safety protocol does not contain any network or PLC-specific dependencies, but operates on the “black channel” principle, like that of a PROFIsafe system. The entire network, including the standard PLC and all infrastructure components located in the data path of the safety signals, is part of the black channel. Safety failure detection is only implemented at the end points of communication, which can detect failures within the black channel with a residual failure probability for the highest safety levels (PL e, Cat 4, SIL 3).
Gabriel Khon is the product manager – I/O & Network at Phoenix Contact in Milton, Ont. Born in 1980 in Buenos Aires, Argentina, he earned a degree in electrical engineering from Michigan State University and a master’s degree in marketing from Universidad de San Andrés. He has worked with Phoenix Contact for 10 years.
This column also appears in the May 2016 issue of Manufacturing AUTOMATION.