PROFIsafe: Networked Functional Safety

Implementing functional safety over a network reduces the number of components, wire, and cabinets; speeds installation and commissioning; and increases uptime. With PROFIsafe, PI’s functional safety application profile, messages are exchanged transparently between Profibus (a serial fieldbus) and Profinet (an industrial Ethernet).

By Carl Henning July 24, 2012

If you are not implementing functional safety over a network you might as well be creating relay ladder logic on D-size vellum with a universal arm drafting machine—and realizing the design with actual relays and lots of wire.

Actually, for decades after the introduction of the PLC and fieldbuses, relays and hardwiring were still required for safety. Then in 2002 machine wiring standards were revised in the U.S. to permit implementing safety in logic controllers and transmitting safety messages over a network. Finally the benefits of PLCs and fieldbuses could be realized for safety. And now 10 years into the networked functional safety era, it’s time for you to realize these benefits in your own facilities.

To get you started: What do we mean by networked functional safety, how does it work, and why would you use it?

Safety via communication protocol

The overarching safety standard IEC 61508 defines safety as “the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.” This makes functional safety “part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.” With the safety messages transmitted over a fieldbus or Industrial Ethernet we have networked functional safety.

Functional safety is more than moving and reacting to safety messages. Functional safety begins with risk assessment. Having been assessed, risk can be mitigated in many ways from signage to guarding to safety circuitry. In implementing safety circuitry, networked functional safety is bookended by safety IO and a safety controller. Networked functional safety is more than the network—the network needs safety-rated IO on one side and a safety-rated controller on the other.

Networked functional safety can apply in the factory where discrete logic predominates or in the process plant where process instruments containing multiple variables and diagnostic data predominate. Motion control also is subject to networked functional safety. Once the only safety options available for motion were removing power and applying external brakes, but now additional safety options are available—options like “go to safe position.”

Secure messaging

Networked safety relies on a concept called “the black channel,” which tunnels through the fieldbus or Industrial Ethernet protocol to provide secure messaging. By doing so, other aspects of the network are not safety-relevant. So you don’t need safety-rated cable, connectors, gateways, or Ethernet switches. You can compare the black channel to a VPN connection in the Ethernet world. Virtual Private Networks (VPNs) create an encrypted tunnel through Ethernet infrastructure. This prevents other devices or activity on the network from interfering with the VPN traffic. 

PI (Profibus and Profinet International) pioneered the creation of the black channel through academic and practical activities over 12 years ago. To meet the safety-certifying agencies' requirements, PI came up with the following remedies for the listed potential failures (an X marks the remedy that detects each failure type):

PI PROFIsafe: Failure types and remedies

Failure type                                   | Consecutive number | Time out with receipt | Codename for sender and receiver | Data consistency check
-----------------------------------------------|--------------------|-----------------------|----------------------------------|-----------------------
Repetition                                     | X                  |                       |                                  |
Deletion                                       | X                  | X                     |                                  |
Insertion                                      | X                  | X                     | X                                |
Re-sequencing                                  | X                  |                       |                                  |
Data corruption                                |                    |                       |                                  | X
Delay                                          |                    | X                     |                                  |
Masquerade (standard message mimics failsafe)  |                    | X                     | X                                | X
FIFO failure within router                     |                    | X                     |                                  |

Courtesy: PI North America

The remedies are embedded in the data packets. If one of the remedies shows a failure (which must be detected in the receiving logic controller), the system treats it as a safety event and returns all values to a prescribed safe state.
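To make the receiving-side logic concrete, here is an added Python simulation (not PROFIsafe's own code or telegram format) of the four remedies from the table: a consecutive number, a watchdog standing in for the time-out, a codename for the sender/receiver pair, and a CRC as the data consistency check. The class and field names, the 8-bit counter, the use of a plain CRC-32, measuring the time-out as inter-arrival time at the receiver, and the substitute value SAFE_STATE are all simplifying assumptions for illustration.

```python
import zlib
from dataclasses import dataclass

SAFE_STATE = b"\x00"  # constructed substitute value forced on any detected failure

@dataclass
class Telegram:
    codename: int   # identifies the sender/receiver pair (assumed: one small integer)
    seq: int        # consecutive number
    data: bytes     # safe process value
    crc: int        # data consistency check over codename, seq and data
    t_ms: int       # arrival time in ms (constructed clock)

def crc_of(codename, seq, data):
    # The check covers the codename and consecutive number as well as the data,
    # so a telegram for another pair, or with an altered number, also fails it.
    return zlib.crc32(bytes([codename & 0xFF, seq & 0xFF]) + data)

def build(codename, seq, data, t_ms):
    return Telegram(codename, seq, data, crc_of(codename, seq, data), t_ms)

class SafetyReceiver:
    """Receiving side: applies the four remedies and latches the safe state."""
    def __init__(self, codename, watchdog_ms):
        self.codename, self.watchdog_ms = codename, watchdog_ms
        self.expected_seq, self.last_ok_ms = 0, 0
        self.failsafe, self.value = False, SAFE_STATE

    def receive(self, tg):
        if self.failsafe:
            return "failsafe latched"        # stays safe until the fault is cleared
        if tg.crc != crc_of(tg.codename, tg.seq, tg.data):
            reason = "data corruption"
        elif tg.codename != self.codename:
            reason = "masquerade/insertion"  # wrong sender/receiver pair
        elif tg.seq != self.expected_seq:
            reason = "repetition/deletion/re-sequencing"
        elif tg.t_ms - self.last_ok_ms > self.watchdog_ms:
            reason = "delay"                 # time out with receipt
        else:
            self.expected_seq = (tg.seq + 1) & 0xFF  # simplified 8-bit counter
            self.last_ok_ms, self.value = tg.t_ms, tg.data
            return "ok"
        self.failsafe, self.value = True, SAFE_STATE  # safety reaction
        return reason
```

Feeding the receiver a replayed, altered, late, or foreign-pair telegram shows which remedy catches it and that the output drops to SAFE_STATE and stays there.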

Because the black channel isolates the safety information in the fieldbus’ or industrial Ethernet’s data stream, connecting cables, connectors, and devices are not safety-relevant. Their failure would be detected by one of the remedies in place and a safety reaction would be generated.

In the case of PROFIsafe, PI’s functional safety application profile, the messages are exchanged transparently between Profibus (a serial fieldbus) and Profinet (an industrial Ethernet). Any type of media can be used: copper, fiber, or wireless. Devices in the discrete, process, or motion control application spaces can communicate to the same safety controller, allowing comprehensive safety scenarios.

Less cost, more uptime

There are technical and business benefits in using networked functional safety. The technical benefits of using a fieldbus transfer include a reduced number of components, less wire, fewer cabinets, faster installation, and faster commissioning. Some business benefits derive from these, but the big addition is uptime. Just as a fieldbus and Industrial Ethernet can convey diagnostic information, so can networked functional safety. In addition, manual maintenance effort in verifying switches and other safety functions is minimized, since the system continually verifies this functionality.

A manufacturer of automotive body lines converted from hardwiring of safety circuitry to PROFIsafe and reduced the number of safety components by 85%. The amount of wire needed was also greatly reduced. The line needed less floor space since there were fewer enclosures. And the factory start-up time was reduced from several weeks to an afternoon.

Networked functional safety is a proven technology, widely used. Using it is a competitive advantage. As an ARC white paper puts it: “Safety has evolved from being a cost burden to a strategy for improving productivity and reducing downtime.”

– Carl Henning is deputy director, PI North America (Profibus and Profinet in North America, formerly PTO); Edited by Mark T. Hoske, content manager CFE Media, Control Engineering and Plant Engineering, mhoske@cfemedia.com.