Distributed Safety for Increased Production, Decreased Downtime and Wiring
One of the hottest topics in automation today is the debate over whether to centralize or decentralize key control functions—and the handling of safety systems in these automation architectures is often a pivotal discussion point. This article examines how an automotive manufacturer approached the issue in a distributed manner.

By John D'Silva, Siemens Energy & Automation Inc.

Automobile model changes necessitate the continuous modification of an automotive production line. To better cope with these modifications using systems that addressed required safety standards, the engineers at a major North American automotive manufacturer first looked to establish an industrial communication platform that would be flexible, simple for their electricians to program and troubleshoot, and would integrate readily on a fieldbus network with third-party components such as robots and valve blocks. With these requirements in mind and having previously used a combination of hardwired, traditional safety relays for safety compliance, the engineers chose Simatic Failsafe PLC technology with Profisafe because it offered fast, easy adaptation, and a control reliable safety solution with minimum downtime. The graphic below depicts the Profisafe design setup used by the manufacturer.

Overview of Profisafe design

In the new network established at the facility, standard and safety functions now run on one PLC. This architecture provides a flexible and innovative safety technology for the price of standard hardwired relay technology. Another benefit of this architectural change to the safety technology is that where special knowledge was required for programming, standard and safety functions can now be programmed by the same editor using fail-safe programming in ladder logic with added error detection capabilities to achieve SIL3/CAT4.

Safe bet
The new safety design was applied uniformly across the manufacturer's robot cells, eliminating a large percentage of the contactors, relays, and complex interconnecting wiring previously required.

Several plant sections were commissioned separately with all necessary safety functions using distributed control with PLC cabinets, which reduced installation times due to the shorter cable distances between the islands rather than the distances previously encountered by wiring all the I/O devices back to the main panel. Detailed diagnostics from the touch panels helped streamline troubleshooting operations.

All safety functions were implemented using the S7315F Safety PLC with fail-safe and standard distributed I/O.

A key consideration for the manufacturer in this implementation was the ability to 'lock away' the safety functions, while retaining free access to the standard code. Configuration and programming of the safety technology is fully embedded in the Step 7 programming environment with the Distributed Safety software, which also includes pre-fabricated components from the F-library (applications blocks for E-stop circuits, muting control, etc.). Using this programming environment, a program is easy to change and therefore more flexible than permanently wired systems.

Because Profisafe technology permits the implementation of partner products, failsafe linking to neighboring plants was achieved simply, safely, and flexibly with conventional Profibus technology and associated bus couplers. In addition to enhancing safety, the higher availability and improved diagnostics enabled by Profibus generated improved production throughput resulting in greater return on investment.

Paintshop retrofit
For this retrofit project to comply with the changes in North American safety standards, the project manager identified a number of essential criteria to be met, including:

• Integration of the new safety solution with existing controls platform;
• Replacement of existing field devices and wiring;
• Ability to execute the retrofit with no, or limited scheduled down time;
• Effective use of the new systems, such as the quick recovery from fault conditions; and, of course,
• Cost effectiveness.

AS-Interface network safety products met these criteria and satisfied the requirements of the North American safety authorities. The required degree of safety is achieved in the AS-Interface network by transferring signals between the safety slaves and the safety monitor. Each cycle, the safety monitor expects a specific telegram from each slave, which continually changes according to a defined algorithm. If the expected telegram is not received due to a fault or an alarm, the safety monitor switches off after a maximum 40 ms (worst case) via its two-channel enable circuit.

The manufacturer's 'anti-chip' booth, which applies protective coating to a vehicle's rocker panels, and the 'black out' booth (which paints under-body components), were upgraded with the new Control Reliable AS-Interface network with minimal changes to the existing PLC control system. The safety related outputs were changed to memory bits and used in the start sequence of the related process, whereas the actual output was controlled in a fail-safe way by the safety monitor. Programmable safety technology in these systems allows a flexible and finely graduated safety concept to be employed in the paintshop, enabling individual zones in a cell to be shut down. This modular structure allows a limited area to be shut down without affecting the overall production by zone control using multiple safety monitors.

Direct-connection technology in the safety devices and safety input modules eliminates the need for distributed I/O stations, which reduces hardwiring to nearly zero. Here, too, no special knowledge is necessary for programming standard and safety functions, as this is done using pick-and-place functionality in ASIMON software.

Numerous individual measures, such as the mounting of lifting stations or linking conveyors, were installed on the weekends. This installation process greatly reduced the commissioning cost and site time required for a retrofit, and allowed for full functional testing prior to commissioning, which in this case was done in a test lab. Certain conversions had to be made during ongoing production, like new panel installations and cable drawing.

Once the paint shop line was up and running, faults and bottlenecks in the production process and on safety devices were detected and eliminated quickly because of better diagnostics. This had a direct effect on machine availability and productivity in addition to saving at least 10%-15% on engineering and commissioning costs. For an illustration of the auto manufacturer's overall electrical/controls cost savings using Siemens Totally Integrated Automation including safety, see the graphic below.

Cost savings using Totally Integrated Automation including safety

(Courtesy Automotive Business Unit, Siemens Energy & Automotive)

This chart depicts the cost savings for the automotive manufacturer using Siemens Totally Integrated Automation including safety as a complete single-sourced solution versus integrating solutions from multiple vendors to achieve the same system functionality.

For more information on Simplified Safety, click here.