Control Engineering Online Update for April 8, 2005

By Control Engineering Staff April 8, 2005
Highlights: Security Webcast

This Webcast will focus on the issues that are driving interest in industrial cyber and physical security solutions. We’ll provide an overview of security gaps at industrial sites and how they can be mitigated. Sponsored by Control Engineering & Honeywell. REGISTER TODAY AT

Programmable Safety Systems: 9 Issues to Consider

Many industrial manufacturing facilities are currently reviewing programmable safety systems (PSS) to meet Category 4 (CAT 4 per EN 954-1) requirements, under which the safety function must tolerate any single fault and remain fail-safe under a single-fault condition. This article considers the main points a potential user should evaluate before proceeding with a PSS solution.

Programmable safety systems fall into two general groups: safety programmable logic controllers (PLCs) and safety device networks. Safety PLCs are similar in look and operation to standard PLCs but have significantly more on-board hardware redundancy and/or algorithms to perform the required safety checks and guarantee a fail-safe state under a single component failure. These safety PLCs often allow safety and process to be integrated into one controller and can handle complex safety interlocks.

If the PSS incorporates process control, the process hardware must be separated from the safety modules by a barrier. Any safety devices on the process side of the barrier would be limited to a maximum of a CAT 3 rating because the process signals could interact with the safety devices and jeopardize the CAT 4 rating. If safety and process are not integrated into the single controller, the safety controllers can communicate with an existing process controller to share information.

Safety device networks are generally used for connecting many safety devices, such as emergency stop push buttons, over a network cable. Somewhere on the network is a piece of hardware that manages the network safety requirements and monitors the state of the devices. If a failure is detected in a device or on the network, or an interlock is activated, the hardware unit opens all of the connected loads to ensure a safe state. Limited logic functions are often available. These networks connect safety devices cost-effectively by reducing wiring and generally focus only on the safety function, not process control. There are also safety networks used to connect safety PLCs and related hardware when large safety systems are required; however, these are distinct from the safety device networks discussed here.

9 Considerations
1. Risk analysis : This involves all stakeholders, typically operators, maintenance staff, engineering staff, and health and safety groups. The group identifies all hazards and then the means to eliminate or mitigate them. This process is the first and most important step in safety design, because its results dictate the level of redundancy required for the process, which in turn limits the suitable hardware solutions. For processes that require higher safety integrity or redundancy, a PSS is often the best choice.
2. Safety system category level : To meet CAT 4, devices connected to the inputs of the safety system must be certified for use in CAT 4 systems. This is typically a device with positively guided, parallel redundant contacts. The outputs of the safety system must be connected to interrupting devices that are also CAT 4 rated and monitored by the safety system. This often means parallel redundant contactors (or relays) with positively guided auxiliary contacts for monitoring purposes. In a retrofit situation, this often means that existing input devices need to be replaced and that some additional hardware is required between the safety system and the loads to ensure that the overall safety solution is control reliable. If these are not upgraded, the safety level of the overall system is reduced to the lowest CAT level of any sub-section or safety device within it; a CAT 4 controller does not raise the rating of CAT 2 field devices wired to it.
3. Safety hardware certification : The most stringent option is for the manufacturer to have an independent testing body review and test the hardware against international standards and issue a written certification. Lesser options are certification to less demanding or purely local standards, or simply a manufacturer's declaration that the hardware was designed in accordance with certain specific standards, with no third-party verification.
4. Safety hardware response time : Because a PSS executes its safety logic in software, its response time is typically longer than that of a hardwired safety relay (SR) unit, and it grows with the size of the program. The response time is the time from safety input activation through to verified opening of the loads. Response times of tens or hundreds of milliseconds are typical. Response times should be evaluated whenever operator access is involved and programs are large, to ensure that the required stop times and distances are met. In some cases, the separation distances of light curtains and other presence-sensing devices may need to be increased to adequately protect operators.
5. Compatibility : Many PSSs use a phase-shifted pulse signal on the input and output channels to detect device failures or short/open circuits between input channels. Some devices, such as light curtains, often employ a similar feature to monitor correct operation. In certain cases, these types of self-checking devices cannot be connected to the safety hardware unless one of the checking mechanisms is disabled. The flexibility of the PSS often can accommodate the required configuration without limiting the system functionality or the CAT rating.
6. Retrofit versus new designs : Retrofits often involve added challenges over new designs because the safety system must be compatible with the existing hardware and production downtime must be kept to a minimum. Safety device networks can often reduce wiring time and required downtime by connecting devices to a common cable instead of individual wires to each device. It is also imperative that any required communications for process or safety signals be developed and fully tested off-line before committing to equipment changes. The safety hardware should be reviewed to ensure that suitable I/O cards or modules exist to handle the voltage levels of the existing system.
Questions to ask: What impact on the existing process will result when the safety function is removed from the existing controller and ported to the new safety solution? Will some new safety signals need to be redirected back to the remaining process side and, if so, will they be hardwired or network based? How much reprogramming of the existing process controller will be required? What is the cost of any new or replacement devices?
7. Safety system application focus : Some safety systems leverage similar software environments for application development of their process and safety hardware, while other systems require a separate programming package with new functionality that must be learned. This will impact the cost of the project and the learning curve of the developers as well as training of operators, engineering, and maintenance staff. Some platforms allow safety for cell safeguarding, robots, and presses to be handled in one unified controller, while others require multiple platforms to address a machine with this range of equipment.
8. Installation : Implementing a PSS solution typically involves a safeguarding hardware supplier, a safety design firm, and installation trades, among others. An overall project manager should be appointed to ensure that the owner’s interests are met and the overall safety strategy is correctly implemented. Testing of the PSS prior to installation is critical to minimize interruption to production and to confirm safety and process functionality. Time should be budgeted in the schedule for off-site testing and verification, and for testing all networks, safety devices/wiring, and hardware power-up as soon as power is available on site. If the software has been tested and simulated off-site and the wiring/hardware tested on-site, the number of problems encountered during commissioning will be minimized. Completing everything possible before the commissioning window, such as mounting hardware, running wire/conduit, labeling items, and testing, also minimizes production loss, especially for retrofits. A commissioning plan, including the tests to be performed for every safety device and function, is also required. These tests must be performed, passed, and documented so that all stakeholders are confident that the planned safety functionality has been met and due diligence was exercised. Until this step is completed, the safety upgrade is not deemed finished and the equipment should not be used by operators.
9. Maintenance of the installed PSS : The installed system may require a pre-start health and safety review (PSHSR). If the hardware provides an internal cyclic redundancy check (CRC) code that identifies the exact program running, this code must be recorded in the PSHSR; otherwise a detailed program printout should be maintained. If the designers of the safety system are a distinctly separate party from the PSHSR reviewer, the owner of the equipment should ensure that both parties are clear on the safety approach so that the PSHSR party will certify the final design. A new PSHSR is required for any software change (which produces a new CRC code), because the software is a critical component of the safety solution. An internal change-control process should therefore be defined and enforced so that changes are made only by knowledgeable staff, programming passwords and access are controlled, PSHSRs are performed, documentation is kept current, and safety procedures/notifications are issued and updated as required. Procedures for maintenance, engineering, and operators must be issued and must cover how to interface with the new PSS. Training on the hardware, the software, the application, and the overall safety system will be required for all three groups to ensure successful implementation and ongoing support.
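Item 4 says that a slower PSS may force light-curtain distances out, but gives no figures. The following is an added example, not part of the original article, that works the point through using the separation-distance formula of ISO 13855 (formerly EN 999) for a vertical light curtain approached perpendicularly: S = K × T + C, where T is the total stopping time from intrusion to machine at rest, K is the approach speed (2000 mm/s, re-evaluated at 1600 mm/s once S exceeds 500 mm) and C is a penetration allowance that depends on the curtain resolution d. The machine stopping time, curtain response, safety relay response and PSS response used below are assumed values chosen for illustration.

```python
# Added example (not from the article): minimum separation distance for a
# vertical light curtain per ISO 13855 / EN 999, perpendicular approach.
#   S = K * T + C
# T = total stop time (curtain + safety logic + machine), K = approach speed,
# C = penetration allowance derived from the curtain resolution d.


def penetration_allowance_mm(resolution_mm: float) -> float:
    """C = 8 * (d - 14) mm for hand/finger detection (d <= 40 mm), never below zero."""
    if resolution_mm > 40:
        # d > 40 mm is the body-detection case with its own C and K; not modelled here.
        raise ValueError("resolution > 40 mm: body-detection case not handled")
    return max(8.0 * (resolution_mm - 14.0), 0.0)


def min_separation_mm(total_stop_time_ms: float, resolution_mm: float) -> float:
    """ISO 13855 two-step evaluation for perpendicular approach to the detection zone."""
    c = penetration_allowance_mm(resolution_mm)
    s = 2000.0 * total_stop_time_ms / 1000.0 + c   # first pass at K = 2000 mm/s
    if s <= 500.0:
        return max(s, 100.0)                        # absolute minimum is 100 mm
    s = 1600.0 * total_stop_time_ms / 1000.0 + c   # recompute at K = 1600 mm/s
    return max(s, 500.0)                            # but never less than 500 mm


def total_stop_time_ms(machine_stop_ms: float, logic_response_ms: float,
                       sensor_response_ms: float) -> float:
    """T: curtain response + safety logic (SR or PSS) response + machine stopping time."""
    return machine_stop_ms + logic_response_ms + sensor_response_ms


def compare_logic_options(machine_stop_ms: float, sensor_response_ms: float,
                          resolution_mm: float, options: dict) -> dict:
    """Required distance for each safety-logic option, e.g. {'SR': 20, 'PSS': 80} (ms)."""
    return {
        name: min_separation_mm(
            total_stop_time_ms(machine_stop_ms, logic_ms, sensor_response_ms),
            resolution_mm,
        )
        for name, logic_ms in options.items()
    }


if __name__ == "__main__":
    # Assumed figures: machine stops in 250 ms, curtain responds in 15 ms,
    # a hardwired safety relay in 20 ms, a PSS program scan in 80 ms.
    for name, s in compare_logic_options(250, 15, 14, {"SR": 20, "PSS": 80}).items():
        print(f"{name}: {s:.0f} mm")
```

With a 14 mm resolution curtain the relay-based design lands on the 500 mm floor, while the 60 ms of extra PSS response pushes the required distance to 552 mm; with a coarser 30 mm curtain (C = 128 mm) the two figures become 584 mm and 680 mm. The response time that matters is the measured input-to-verified-output time of the final program, not a datasheet minimum, so the calculation should be repeated after any change that lengthens the scan.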

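Item 9 asks that the program CRC be recorded in the PSHSR and that any change trigger a new review. The following added example, not from the article, shows the check that turns that record into something enforceable: fingerprint the program image that is actually loaded and compare it with what the reviewer signed off. The program image, the PSHSR record and the modified image are constructed for illustration; a CRC-32 is used because that is what many safety controllers display, and a SHA-256 is stored alongside it because a CRC only reliably detects accidental change.

```python
# Added example (not from the article): verify the loaded safety program against
# the fingerprint recorded in the PSHSR. Image and record are constructed.
import hashlib
import zlib

# Constructed stand-in for an exported safety program image.
APPROVED_IMAGE = (
    b"SAFETY_PROGRAM v1.3\n"
    b"ESTOP_1 AND GUARD_CLOSED -> CONTACTOR_K1\n"
)


def program_fingerprint(image: bytes) -> dict:
    """CRC-32 (as the controller displays it) plus SHA-256 for tamper evidence."""
    return {
        "crc32": f"{zlib.crc32(image) & 0xFFFFFFFF:08X}",
        "sha256": hashlib.sha256(image).hexdigest(),
    }


# What the PSHSR reviewer recorded when the design was certified (constructed).
PSHSR_RECORD = {
    "program": "line-7-cell-safety",
    "reviewed": "2005-03-30",
    **program_fingerprint(APPROVED_IMAGE),
}


def verify_loaded_program(loaded_image: bytes, record: dict) -> tuple:
    """Return (ok, findings). Any finding means a new PSHSR is required before use."""
    current = program_fingerprint(loaded_image)
    findings = []
    if current["crc32"] != record["crc32"]:
        findings.append(
            f"CRC mismatch: PSHSR {record['crc32']}, loaded {current['crc32']}"
        )
    if current["sha256"] != record["sha256"]:
        findings.append("SHA-256 mismatch: loaded program differs from certified image")
    return (not findings, findings)


# Constructed change: the guard interlock has been edited out of the rung.
MODIFIED_IMAGE = APPROVED_IMAGE.replace(b"AND GUARD_CLOSED ", b"")


if __name__ == "__main__":
    for label, image in (("certified", APPROVED_IMAGE), ("modified", MODIFIED_IMAGE)):
        ok, findings = verify_loaded_program(image, PSHSR_RECORD)
        print(label, "OK" if ok else "NEW PSHSR REQUIRED", findings)
```

The record belongs outside the controller, in the PSHSR file and under the same change control as the program, so that an unreviewed edit cannot also update the baseline it is checked against. The CRC comparison matches what staff can read from the controller display during a routine check; the hash comparison catches a change that happens to preserve the CRC.
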
Project results

PSSs have secured a role in more complex production lines and in smaller equipment cells because they have proven to be more cost effective than multiple SRs. Smaller and more cost effective platforms are arriving on the market and these will slowly replace SRs on all but the smallest of cell safety applications. Larger and more integrated safety solutions are also becoming available. This will reduce the cost of hardware and development and allow others to use the equipment effectively on larger production lines and multiple machine types. Also, many safety networks are being developed to add to the existing ones, and this will allow for easier installation into the existing process controller installed base, resulting in more opportunity to use a PSS system effectively. PSS products will grow in depth and breadth over the next few years, much like PLC offerings have over the last decade.

Steven Voll, P. Eng., is managing principal at Stantec Consulting Ltd.;