Blurring the Lines Between Automation and Safety


By Hank Hogan July 1, 2006

AT A GLANCE

Common cause failures

Safety integrity levels

Software-based safety

Lower wiring and other costs

Sidebars: Safety level, component choices affect costs

Thanks to changes in standards and laws, safety systems and automation controls can now be combined into one system. Despite some initial hesitation about doing this, users are embracing such integration and experiencing bottom-line advantages that go far beyond safety.

‘The main incentive for integrating is making it more cost effective,’ says Asish Ghosh, vice president of manufacturing advisory services at the ARC Advisory Group of Dedham, MA. Savings arise from lower engineering and lifecycle costs. Use of a combined system, for example, can cut wiring needs substantially and thereby deliver savings in wiring expenses and cabinet space.

Kevin Colloton, marketing manager for GuardLogix at Rockwell Automation, notes other benefits, such as a common set of system components for control and safety. And that commonality extends beyond hardware as well. ‘Manufacturers can also reduce their software and support costs; the same software can be used throughout the plant, and operators only have to learn one architecture,’ he explains.

So, what do integrated safety and control systems look like and how are they being applied today?

Failure avoidance

In an ARC report, Ghosh noted that integrated systems need to be carefully designed and configured so as to reduce the risk of a common cause failure, one in which a problem on the control side compromises the safety function. Ghosh recommends first adopting an appropriate safety implementation standard, either IEC 61511 or ANSI/ISA-84.00.01. That selection then has to be followed by hazard and risk analyses based on the standard. Part of the process should involve deciding the right level of protection for a given manufacturing operation. After the analysis is complete, a certified list of suppliers can be drawn up and, finally, a system chosen that meets the requirements.

System manufacturers resolve safety issues and the possibility of a common cause failure in a variety of ways. ABB, for example, complies with the IEC 61508 and IEC 61511 standards using TÜV-certified hardware. For example, downloads to a controller running a safety application are prevented, so that the application's safety integrity level (SIL) isn't compromised. What's more, the company's products run control and safety applications in a logically separate fashion and, in effect, create two machines. 'When this is done, no outside applications, SIL or non-SIL, may write to the SIL application in question without using human interaction, which requires confirmation,' says Roy Tanner, systems marketing manager at ABB Inc.

Manufacturers also build in safeguards to prevent corruption and other problems arising from a power failure that occurs during configuration. The systems will default to a safe mode of operation.

Always remember, too, that the safety standards being met aren’t static documents, says Marc Immordino, product training manager for the WAGO Corp. They evolve, sometimes making things easier and sometimes not.

For instance, changes to ISO 11161 and ANSI B11.20 that are in development now should allow manufacturing systems in a zone to continue working while a neighboring zone is stopped due to a problem. The definition of a ‘zone’ is ambiguous, but there will be a clear need for zones to communicate with each other.

On the risk assessment side, says Immordino, rationalization of ISO 13849-1 with IEC 61508 and IEC 62061 will mean that safety functions will have to be evaluated, and the mean time to failure of electromechanical and mechanical devices will have to be determined—even though that could be highly dependent on the application itself. Any integrated system implementation should account for standards-based issues, which will vary by industry and other factors.

End-user corruption

These and other measures all but guarantee that inadvertent corruption is prevented. However, such efforts do leave the door open for corruption and common cause failure arising from the end-user. These problems could happen during initial configuration or in the process of later changes. For that reason, it’s important to follow guidelines outlined by the system manufacturer and third parties like TÜV during configuration.

Access protection policies need to be in place. Many of the integrated system manufacturers use passwords and other means to control access. ‘For production scenarios, we can implement one of several security measures that restrict access to the controller and make sure that only authorized personnel access the controller,’ says Rockwell Automation’s Colloton.

It’s essential these safeguards not be undone. Policies and procedures must be in place so that, for example, passwords don’t become common knowledge, end up at some unchanging default, or are written down on notes stuck to the system itself.

Finally, there must be enough visual differentiation between the control and safety environments that operators can distinguish between them at a glance. Avoiding visual commonality helps prevent users from working on the wrong system by mistake. Achieving the needed differentiation could be difficult, however, given that combined systems can have a very similar look and feel on each side. Indeed, such similarity is sometimes a selling point of integration.

On the other hand, certain setups may be inherently more secure than others simply because of their nature. Karl Rapp, branch manager for machine tools at Bosch Rexroth Electric Drives and Controls, notes that drive-based parameters aren’t modified as often as ones in programmable logic controllers. That, he says, makes ‘drive-based safety systems very reliable and self-contained, with little intentional or accidental interference.’

Increased efficiency

A look at several examples shows how integrated control and safety systems are being used. Buenos Aires-based Atanor SA is a global leader in chemicals, petrochemicals, polymers and agrochemicals. The company is also a major Argentine producer of hydrogen peroxide, which is increasingly in demand at paper mills as a bleaching agent. Atanor recently brought online a new plant at its Rio Tercero site. The plant, AOA 2, will eventually produce over 14,000 metric tons of hydrogen peroxide a year, Argentina’s total domestic demand.

When building the facility, Atanor went with an integrated safety and control implementation from ABB that had been certified by an independent agency, TÜV, to be safety instrumented system (SIS) compliant with IEC 61508 and IEC 61511. It also had components that meet the required SIL, including controllers, field input devices, I/O modules and field actuators.

The setup includes five operations workstations, each with six local screens and one remote screen. There are also engineering, information management, and maintenance views. The new system cut personnel needs without compromising safety, according to Odel Priotti, general manager of AOA 2, AOA 1, and the acetic acid plant at Rio Tercero. For instance, he says, 'a single operator can start up the plant completely in less than 10 minutes. The integrated control and safety system provides quick and safe shut down too. We can shut down the plant in less than five minutes if we need to.' It used to take two operators 45 minutes to shut down the plant.

Another key advantage of the integrated system is a common engineering environment, which means one set of engineering tools for both the control and safety functions. That unified setup cut down engineering, training, operations, maintenance, and spare parts needs, reducing the associated life-cycle costs. 'The system has brought maintenance advantages as well—from the control room through PC engineering,' Priotti adds. 'We can configure instruments, modify alarm visualization ranges, and so on.'

Decentralized, integrated

Discrete manufacturers are also seeing the benefits of integrated safety. In the automotive industry, Mewag Maschinenfabrik AG of Wasen, Switzerland, supplies bending equipment that shapes workpieces as needed. Mechanized bending heads make possible bends of different radii and complex geometries. Tubes with diameters of up to 150 mm are handled, even if they have machined ends with flanges, ring assemblies and nuts.

To cut retooling times for end-users, Mewag designed the tool heads for easy access and arranged the machine horizontally. Besides being fast, tool head changes needed to be done safely, which is one reason why Mewag designed in an intelligent safety system. For this they went with a decentralized approach, employing Bosch Rexroth drives that support a wide variety of safety functions without external hardware. There’s no need, for instance, to go with the traditional safety practice of using power relays in main power or engine supply lines.

Mewag’s technical manager, Samuel Gerber, noted that this decentralized yet integrated control and safety approach paid multiple dividends. ‘The absence of external monitoring devices and measuring systems means that we need less wiring and also save on control cabinet space,’ he says.

Other aspects provide additional benefits. It’s possible in special operation modes to have the tool travel at a safely reduced speed. When switched from normal to special operation, those drives in the security zone come to a safe stop, allowing machine operators to enter the area without risk.

It’s the stopping (which is done quickly in an integrated environment) that offers an advantage when combined with easy access to the tool head. ‘This in turn means that throughput time is considerably reduced,’ says Gerber.

There can also be a safety bonus. Safe motion in the drives can detect an error within two milliseconds, limiting movement to 2 mm. By comparison, setups in which an operator in a protected zone responds to an error with contactor-based verification can result in much longer stopping distances, possibly hundreds of millimeters.

Software-based safety

In another example from the automotive industry, the Kuka Toledo Productions Operation LLC (KTPO) turned to an integrated automation and control system from Siemens Energy and Automation. KTPO is a subsidiary of Kuka, a company that makes car-body robotic production systems, and is a supplier of automobile bodies to DaimlerChrysler. In becoming a tier 1 supplier, KTPO needed to engineer a better safety solution than hardwired systems being installed in each production cell.

Hardwired automotive machine safety systems traditionally use hard fencing, remote emergency stop pushbuttons, safety gate switches, safety mats, light curtains, and a great many redundant relays and redundant wiring. It is an expensive and inflexible scheme.

Working with Siemens, Kuka came up with an integrated approach that combined safety and standard machine control on one fieldbus. That eliminated almost all relays, saving control panel space and other hardware. It also cut engineering design, troubleshooting and overall wiring costs. The integrated control and safety system was combined with changes in the power wiring that implemented a modular three-phase bus bar. The new power wiring approach cut the overall cell footprint by 20%.

By moving from a hardware-based safety system to one that resides in software, Kuka was able to have common safety code that could be changed and ported from one system to another. That capability cut commissioning time. ‘We built the system in no time and commissioning was surprisingly easy,’ said Kuka engineer Rod Brown. ‘This approach saved tens of thousands of dollars on the first installation alone.’

These savings arose in part from the need for less wiring and fewer other components. Kuka engineers reported an 85% reduction in relays, local I/O, terminal blocks, and cable connections with the new approach. One of the reasons this was possible was the use of point-level diagnostics for all critical standard and safety I/O. Those same diagnostics were employed for bus-level faults. Through the use of a diagnostic repeater, the information on the fieldbus was reported on the HMI. To assist troubleshooting, the system can locate breaks in the communication cable to within a foot.

In this setup, the Siemens processor handles normal machine functions, as well as monitoring and controlling all safety devices. There’s a common programming environment, with similar ladder logic for process control and safety functions.

Simpler implementation

At 3M’s tape manufacturing plant in London, Ontario, Canada, more than 40 types of tape are produced. An adhesive is applied to a backing, cured, and then cut to the right width on one of eight tape converting machines. While the machines met 3M’s high quality standards, the control systems inspired less than perfect confidence, largely because of their age.

‘We were concerned that the old controls, some being 30-40 years old, could bring a machine down for weeks or months if a part failed,’ says Tracy Harvey, a senior electrical engineer with 3M Canada. Another problem was that the old controls made it difficult to comply with new safety codes.

Faced with the need to upgrade the controls, 3M decided to use an integrated controls and safety solution from Rockwell Automation. Having the two systems in one means that data tags could be shared and the implementation simplified. Long experience with Rockwell Automation products also played a role in the decision.

The plan calls for upgrading one of the converting machines and then following with the others. Harvey reports that the first installation has gone smoothly—without any production impact—and he expects that the new control system (along with upgrades to drives that run the machines) will lead to increased throughput. Better torque control, in particular, should allow the engineers to reduce waste and so boost output, he says. Such improvements are being investigated and upgrades for the rest of the machines are being planned.

These and other examples show that integrated safety and control systems are being successfully implemented. They are also delivering benefits beyond safety in a wide variety of industries.


Safety level, component choices affect costs

Marc Immordino, product training manager for the Wago Corp., notes that determining the integrity of a safety system ultimately involves answering a whole string of component-related questions. The first of these is the decision as to which category of safety protection to run at. That choice is driven partly by regulation, partly by what's called for in standards and somewhat by geography. In Europe, for example, safety protection is the law, while in the U.S. safety is more likely covered in guidelines with possible legal and financial ramifications.

No matter the location, however, assuring safety always has an impact on cost, Immordino says. With each safety integrity level (SIL) having a dangerous failure rate one-tenth that of the preceding one, the cost of implementation soars as the level goes up. The safety level drives considerations of the type of safety sensor, the location of stop switches, and such components as light curtains or safety mats. For that reason, Immordino says, even after all of these component questions are answered, there’s still more to be done.

‘It is always a good idea to go back and re-evaluate the system, to ensure the level of protection designed is appropriate and not too much or too little,’ he says.
