How to Integrate Safety

System integration: Incorporating safety into a machine or a process at the design stage is more cost-effective than doing so later. Here’s a look at how several integrators and manufacturers approach upfront safety integration and the resulting benefits. This is a Control Engineering August feature article.

By Jeanine Katzel for Control Engineering August 21, 2010

Failures in industrial safety systems can cause death and destruction; integrating safety during the design process can save time, money, and lives, and avoid daily headlines. An environmentally devastating oil spill off the Louisiana Gulf Coast continues to dominate the news, a disaster resulting from a deadly explosion on an offshore drilling rig that took 11 lives. Not a month before, an underground explosion caused by methane gas killed 29 in a West Virginia mine. Dramatically different in many ways, these tragic events share a common thread: somewhere, somehow, an industrial safety system failed.

Manufacturing takes safety seriously—and thankfully these tragedies are the exception and not the rule—but the fact remains that if safety procedures and systems falter for even an instant, catastrophe can occur. Systems must be fail-safe; and the need to integrate safety into manufacturing equipment and operations early in the design process has never been more apparent than in these days of technological sophistication and fragile economies. While integrating safety into manufacturing design is simpler, more efficient, and more cost-effective than adding it later, more importantly it helps avoid loss of property and life.

Safety approached as an afterthought becomes very difficult to retrofit into an existing machine, process, or system. To illustrate the wisdom of incorporating it upfront, Control Engineering asked leading manufacturers, vendors, and integrators to explain how they have integrated safety into manufacturing systems and the benefits of doing so. The following examples describe the application of a variety of safety functions. Use the links provided for expanded discussions of each, see links below to additional articles at Home.

Automated material handling system cuts injuries, labor

By automating a material handling system, Wisconsin-based CNC Solutions helped a customer streamline its operation, reduce the labor involved, and produce a more consistent product more quickly than the previous manual system. The integrator, who focuses on using technology to provide plant automation solutions for machine and process controls, believes automation is the key to staying competitive, providing safety, and achieving a fast return on investment. Any injury affects downtime, increases workers’ compensation and insurance rates, and impacts the bottom line.

In this case, the size and weight of sheet metal blanks led to material handling issues. The customer’s manual operation was labor intensive, requiring two people to handle the product. Sharp sheet metal edges created safety hazards and caused multiple compensation claims. CNC Solutions sought to reduce the amount of material handling required and have just one person operate the system in a safe manner. CNC Solutions accomplished this by reducing the number of times the product was physically touched during the process from eight to zero, says the integrator involved.

Under the new system, a robot moves the product from its previous operation directly into the work cell in a stacked form. The multi-station robotic system processes parts as needed and stacks them for use in the next operation. The automated system delivers uninterrupted production, virtually eliminating human-related downtime and repetitive motion injuries. One operator enters a part number in the human-machine interface (HMI) and moves the stacked parts in and out of the cell on wheeled carts, significantly reducing injury incidence. Perimeter guarding with access gates and door interlocks increases safety even further.

PLCs get safety up and running fast

System integrators at D&D Automation, Stratford, Ontario, Canada, say all safety circuits should be in place before any device is operable. During the design phase of a project, it may be impossible to cover everything from a safety integration standpoint, but having as many bases covered as possible is still best.

For a body shop start-up project for a car assembly plant, the first step D&D Automation took on all framing lines was to establish communication and network connections using a Pilz safety PLC (programmable logic controller).

“Any safety bus or device issues needed to be resolved before moving on,” says the integrator involved. “Once we had all our safety communications and networks up, we could start flagging the safety I/O. In most cases, a safety PLC is a luxury as you can tailor your safety logic and make modifications according to your needs without having to rewire relays. This is not to say that hardwired safety circuits are commissioned any differently. The commissioning steps still apply. However, the ability to modify safety logic in a safety PLC is also its disadvantage. To prevent improper edits or tampering, be sure to password-protect your work!”

In this case, heavy traffic in and out of the cell and the timeframe required for tooling adjustments made it imperative to get as much safety running as soon as possible. E-stops, gates, and light curtains needed to be functional to protect workers within or around the cell. Programmable safety PLCs gave the integrator the ability to almost completely tailor safety functionality to its needs. The controls department at the facility was able to create its own modular function blocks. The integrator then worked with the controls department to develop and implement a combination light curtain/safety gate block. When gates are open and the plane of the light curtains is broken, the system generates a safety stop in the adjacent work cell.

The group also customized a safety synchronization feedback from the shop robots via their respective safety bus nodes. Dual-channel outputs from the robot node are activated after the robot completes its own safety routine and are used within the safety program for motor interlocks to indicate the robot is within its safe working envelope. Programmable safety PLCs also help reduce troubleshooting time. The ability to monitor safety programs enables missing input conditions to be found quickly without needing a multimeter or having to sort through drawing sets.

Make safety integration a job for experts

Safety automation projects present challenges that go beyond the typical project. Legal requirements must be met, and the application must be validated (sometimes by a regulatory agency) to ensure associated risks are at acceptable levels given various application scenarios. For example, will safe conditions be maintained if misuse occurs or equipment fails?

Integrating safety technology into a project requires extensive knowledge, application expertise, and years of experience, insists Juergen Bukowski, Sick safety program manager. Safety programming relies extensively on the abilities of the PLC programmer, who must get the equipment up and running, adapt it for the environment, and make changes “on the fly.” Consider, says Bukowski, a typical safety application in which material must exit the machine but no person or material may be allowed in. “This can be accomplished by ‘muting’ a light curtain with additional sensors. Muting automatically temporarily suspends operation of the safety device. When the sensors detect a pallet, the safety light curtain is muted,” he says.

A safety PLC can do the job, notes Bukowski; a safe, pre-certified muting function block ensures safe suspension of the light curtain (see diagram). Assume the muting sensor is a reflector switch for which the output is HIGH when it sees a reflector and LOW when an object is in the light path.

“The muting function block needs to be HIGH on the sensor input to mute the light curtain,” Bukowski adds. “An inexperienced integrator might see this as no problem and say, ‘Let’s negate the signal by using a NOT function block.’ ”

Though such a solution may work fine and appear safe, continues Bukowski, what if the common power supply for the two sensors breaks down? “Both sensors will switch off,” he says. “It will appear to the safety PLC that both sensors see the object and result in the suspension of the light curtain. An unsafe situation may easily occur by adapting a safe concept (function block) to a real-world scenario,” he warns. “In this case, use of active HIGH sensors in combination with additional control signals or time monitoring functions would be necessary.”

Manufacturers carefully select qualified integrators for their automation projects. They must do the same with the safety portions of those projects. Keep them separate, suggests Bukowski. “Leave safety to the experts,” he says. “Experienced safety integrators will reduce the likelihood of safety risks during all phases of a project. Making use of simple, easy-to- use tools for design, simulation, and testing also helps validate safety functions throughout the life cycle of the machine or project.”

Safety PLCs over safety Ethernet harness the power of one wire

Incorporating safety functions during the initial design process is the far better option, agree Siemens and solutions partner Advanced Engineering, Franklin, TN. Even starting small is beneficial, because most safety capabilities can accommodate a growing system.

In a recent project, Advanced Engineering saw how specifying a safety PLC as early as possible in the planning process saves time and money when designing the wiring and planning functionality. Using safety Ethernet to do start/stop, speed references, and safety over the same wire turned out to be “a big savings,” says Jim Neufeldt, president of the firm. “Soon everything will have safety Ethernet. Plug up to a device, and you’ll get control, diagnostics, and safety. You can set up zones and reset the device. With smart devices, such as a drive, other functions are available as well.”

The company works extensively in the automotive industry and has installed many safety systems with more than 200 I/O safety points. “Typically, that requires a great deal of wiring,” says Neufeldt. “However, distributing the I/O points using Profinet and a Siemens Simatic S7-300F processor significantly reduces the wiring and enhances operator safety.”

In one case, an automaker setting up zones for robots and stamping presses sought to safeguard the zones. The effort would require a great number of safety relays, and the manufacturer was concerned about cost. The integrator suggested instead a design with safety PLCs and safe I/O. It included guarding zones between presses and determining which functions to shut down for each zone so that the operators could enter a zone safely. Using relays would have cost approximately $100,000. The safety PLC design was installed for about $60,000. The automaker has since modified the system, making changes that would have been nearly impossible with relays.

Ultimately, says Neufeldt, using a safety PLC is more productive than relays. They are more flexible, offer diagnostics, require few wires, and can accommodate distributed I/O without downtime.

Safety controller integration at GM

Greater emphasis on integrating safety also can increase throughput and save millions of dollars. More than 15 years ago, General Motors embarked on a journey to make its safety record among the world’s best. The program it launched cut the incident rate in its North American facilities dramatically, taking its lost workday case rate from 4.5 per 100 to 0.14 between 1993 and 2008. The automaker did it by “making safety—and our commitment to safety—visible to everyone at every level,” says Mike Douglas, the company’s senior manager and consultant, Global Health & Safety, Design, Standards, and Technologies.

GM executives and union representatives partnered to integrate safety from the shop floor to the top floor. Among the efforts were establishing safety task forces and creating a risk assessment program to help identify potential hazards, determine safety automation needs, and ensure machines and equipment met applicable code requirements. In one project, safety controls from Rockwell Automation were installed for tasks routine and integral to production, a move that saved GM several million dollars annually across five plants and helped reduce downtime. In fact, the safety features boosted plant throughput by four additional vehicles every five hours, which in turn increased GM’s bottom line.

That risk assessment process also led to integrating safe and standard control to streamline hardware, wiring, and productivity costs. GM focused on programmable controllers to reduce the cable and labor costs associated with the hardwiring required with safety relays. Then, it worked with Rockwell Automation to develop and implement what became the Allen-Bradley GuardLogix controller. The controllers, with a SIL (safety integrity level) 3 functionality rating, integrate safe and standard control. They are part of the Rockwell Automation Integrated Architecture system, which helps improve information-sharing, provide multi-disciplined control, reduce training costs, and accelerate programming and commissioning. The automation system’s operational intelligence and diagnostics also improve equipment productivity and lifespan, while reducing downtime.

Using the controllers instead of traditional safety relays helped GM reduce installation and debugging time for new body shop equipment. Previously, wiring for a typical five-robot cell required 640 wires/cables. The new system reduced wiring to one five-wire cable. “Plug and play” functionality and debug features also reduced installation and maintenance time and costs.

The GM safety journey continues as the automaker and its partner, Rockwell Automation, implement additional safety automation solutions that help trim costs, increase production, and, most importantly, keep people safe. When someone asks who’s responsible for safety at GM, Douglas says: “It’s simple—everybody is.”

Integrating functional safety, motion control

Integrators with motion control expertise are often asked to retrofit servo controlled motion to an existing machine or process. Servo control may offer a number of benefits, but whenever new motion is added, says Gary Thrall, senior product support engineer, Bosch Rexroth Corp., the functional safety of the machine must be considered.

Functional safety is best applied as part of the overall machine design process rather than as an add-on at the end, he says. A high-production automotive airbag assembly manufacturer improved cycle time by connecting a light curtain at the access to the load/unload station to the forward overtravel limit input of the servo drive. The servo moves the bag folding arms. If the operator reaches through the light curtain while the machine is still moving toward the unload station, the axis would stop. Moving away after releasing the completed airbag, motion would be allowed even though the operator’s hands were through the curtain.

By using a standard (non-safety) input without redundancy or diagnostics, says Thrall, a single failure could possibly cause a loss of stopping function and allow rapid motion toward the operator’s hands—the hazard the company was trying to avoid. The standard servo drive overtravel limit input is a circuit designed with normal good practice, but it is not a safety-rated redundant control-reliable circuit, he says. Among scores of machines, none has failed to a hazardous condition, but those involved chose to lower the risk.

Thrall suggests the plant consider the drive feature Safe Direction, as defined in IEC EN 61800-5-2. Safe Direction provides safety certified monitoring of the axis motion that reduces the axis to no torque if the axis moves more than a configurable distance in the "wrong" direction. Once configured, monitoring can be turned off and on with redundant complementary safety inputs to the drive—in this case, from the light curtain outputs.

In many retrofits, Thrall continues, the original system may not be up-to-date on basic guarding and interlocking. Often a simple single-channel non-redundant emergency stop to remove power is all that was provided. Adding proper guarding and door interlocking that drops power to servo drives may result in new errors and sequence restart issues. Dropping input power contactors also stresses bus capacitors, wastes energy from discharging and recharging, and decreases production cycle time.

Dave Stuber of Custom Controls Solutions, St. Charles, IL, suggests use of Safe Stop 2 functionality, as defined in standard IEC EN 61800-5-2, which protects the operator should a drive start up unexpectedly. It allows a drive to maintain torque and hold position while stopped. All axes in a complicated system can maintain position and synchronization while doors are opened for setup adjustments. The safety function monitors for motion and shuts down to no torque if there is motion beyond a determined safe limit. Power cycling stress, contactor wear, time delay, errors, and additional logic for mid-cycle restart are avoided.

Integrated safety means security as well

Safety instrumented systems (SIS) require advanced integrator skills. An integrator must demonstrate the competency and qualifications to do SIS work and be able to deliver a system proven to meet client requirements for the safety integrity level (SIL) of each safety instrumented function (SIF), says Neil Crompton, managing director of UK-based Trinity Systems Ltd. Most safety systems need to have their communications functions integrated into the DCS communications infrastructure safely and securely, he says. To do this, the integrator must be able to configure and deploy the communications capabilities of the SIS and DCS.

Integrators must harden the communications integration by providing highly secure and robust systems. Cyber security is increasingly critical. Without it, an integrator could deliver a system that could potentially experience a loss of view or, worse, a loss of real-time data between the SIS and the DCS they are integrating. Meeting this challenge requires integrators to leverage the cyber security features of SIS and DCS, develop new tools, and develop new skill sets.

Systems must have communications and security solutions flexible enough to collaborate with third-party DCS and easy enough to deploy to deliver the needed safety functions. SIS functions must be partitioned appropriately from the DCS functions so that a loss of communications or integrity will not prevent the safety system from performing its designed function, which is to keep the processes that require protection in a safe state.

Some SIS systems self-police communications access. In one case, Invensys Operations Management collaborated with Byres Security, a cyber security firm, to add an OPC firewall to its Tricon Communications Modules (TCM). The firewall enabled a layer of defense-in-depth that lets integrators enjoy the flexibility and integration benefit of OPC Classic without worrying about security systems once associated with DCOM-based systems.

Often the integrator must develop tools to augment vendor-supplied functionality. In one case, Trinity Systems developed a remote viewer that takes advantage of the communications security features of the Triconex TCM and Triconex Firewall. The viewer provides a simple and reasonably priced window into the SIS from a business or a primary control network, while the Triconex Tofino Firewall and the Triconex Communication Module’s on-board User Access Security Model ensure that it is a read-only window that can never impact safety functionality.

“Processors and manufacturers are continuously threatened by new and increasingly dangerous cyber attacks, which require greater vigilance and security,” said Joe Scalia, portfolio architect, Invensys Operations Management. “An OPC firewall mitigates those risks by managing the traffic to and from the communications module, providing further assurance that a cyber incursion will not compromise integrated communications between the safety and critical control systems and supervisory HMI or distributed control systems.”

Jeanine Katzel is a contributing editor to Control Engineering. Reach her at

Find automation system integrators specializing in safety and security systems, machine build/retrofits, machine design/control, manufacturing engineering, and others at Global System Integrators.

For more on the vendors and integrators mentioned in this article, visit their websites: (Advanced Engineering)

Wisconsin Robot Automation | CNC Solutions (D&D Automation)

General Motors: Pushing the Limits of Transportation & Technology

Select a Region | Rockwell Automation

Tofino Industrial Security Solution | Looking for an easy way to secure SCADA or industrial control systems? Tofino Security is the solution for you. (Byres Security)

Home – Trinity Integrated Systems Ltd

ONLINE extras – read more about each application above and see additional photos.

Applying programmable safety PLCs: D&D Automation

Integrating safety requires attention to cyber security issues as well: Trinity Systems Ltd.

Leave it to the experts: Integrating safety in automation requires specialized knowledge – Sick Inc.

Providing safety through systems integration: CNC Solutions

Safe journey: GM program strives to make safety everyone’s job – Rockwell Automation

Safety from a System Integrator Perspective: Bosch Rexroth Corp.

Using a common wire: Safety PLCs with safety Ethernet – Advanced Engineering

Also read…

Machine Safety blog

System Integration Channel on Control Engineering

System Integration newsletter