Networked safety in three steps

Networked safety is increasingly common: programmable controllers replace relays, doing for functional safety what the PLC did for machine control. Most machine owners no longer view safety as a burden but as an opportunity to enhance machine uptime and increase profitability. Here’s an example of how networked safety might work for you. (See four diagrams and three steps explaining how to network machine safety.)

By Helge Hornis December 29, 2010

Safety is an opportunity to enhance machine uptime and increase profitability for machine owners. Networked safety is increasingly common: programmable controllers replace relays, doing for functional safety what the PLC did for machine control. Here’s an example of how it might work for you. (See four diagrams and three steps to networked safety below.)

The world of functional safety continues to change. The EN954 safety standard is on its way out, to be replaced by a modern EN ISO 13849 approach. Most machine owners no longer view safety as a burden but as an opportunity to enhance machine uptime and increase profitability. Networked safety is increasingly common; programmable controllers can replace relays and do for functional safety what the PLC did for machine control.

Figure 1. The example cell uses light curtains to control product access in and out of the hazardous area.  Each light curtain is muted by a pair of photoelectric sensors. A solenoid interlocking door switch keeps operators from opening a guard door unless access has been granted by the PLC. An e-stop and two push button modules complete this simple setup. The network addresses are listed next to the hardware components. 

For machine builders and system integrators, the most interesting change involves networked safety, possible in three easy steps in conjunction with a programmable safety controller. Because integrators are faced with working in a multitude of PLC environments, a PLC-neutral safety approach is most beneficial. It provides a safety solution that can be integrated with Allen-Bradley, Siemens, Mitsubishi, Schneider, and Omron PLCs, among others, and can be transferred easily from one PLC to the next. One safety network technology, available since 1994, is called AS-Interface, an open solution supported by about 300 device manufacturers. In the following example system, a manufacturing cell has two light curtains to control cell access. These are muted by incoming and outgoing product. A personnel access door to the cell is controlled by a solenoid locking safety key switch. No system would be ready without an e-stop and a few reset buttons. Eight networked devices will be used.

Step 1: Setting up the network

Since the network is the transport mechanism for all information—safety and conventional—stable network communication must be accomplished first. With AS-Interface:  

  1. Route the network cable along the cell and attach the modules/devices to the network 
    • AS-Interface allows any network topology. Time required: For the eight devices, one hour should be sufficient (see figure 1).
  2. Assign a unique address to each module/device
    • A simple handheld addressing tool is used to assign each device its own address. Time required: Approximately five minutes.
  3. Transfer the configuration into the safety controllers
    • For the safety controller to scan the network devices effectively, it needs to know their addresses. This is done using the buttons on the safety controller, without a PC or software to install. Time required: 15 seconds.

Step 2: Safety functions

Desired safety functions are constructed using a drag-and-drop interface that creates an intuitive current chart diagram, linking input variables (such as the states of the safety devices) with logical operations and connecting them with safe outputs (OSSDs). Physical outputs can be dry contacts, used to control safety contactors, or electronic-safe outputs that are directly connected to electronic-safe inputs on modern drives. Figure 2 shows the current chart system diagram. The group of functions highlighted in green represents the e-stop and the solenoid door interlock switch. Both are directly linked to the global “AND-Function.” The global “AND-Function” assures that the OSSDs will activate the machine (that is, transition into the released state) only when all its inputs contribute a logical 1. In a conventional hardwired system, it corresponds to electrically connecting all input devices in series.

Double-clicking on a function block opens its dialog box. Figure 3 is the configuration dialog box for the e-stop. The name “E-Stop all” and the network address 1-9 of the physical e-stop are specified here. Since the e-stop, by regulation, needs to be tied into a reset button, Local acknowledgement has been activated. The reset condition can be any suitable data bit transmitted via the network, and in our example it is the green button (that is, input data bit 3) on the push button module with address 1-5A. Output bits, controlled by the PLC, can also be used, allowing a reset condition to be activated via the human-machine interface (HMI).

The configuration for the door interlock switch is similar but may not, depending on the design of the system, require a reset. In contrast to hardwired solutions, one OSSD can operate as an auto start with respect to one input and require a reset condition with respect to another. Each device can have its own reset data bit, or all devices can share the same reset condition.

In conventional hardwired installations, light curtains that require muting functions are commonly connected to external muting modules. The muting sensors are also connected to these modules. All configuration steps are performed locally at the muting module, which only provides the two safe output contacts that are then wired either directly into a safety relay or end up being part of a collection of devices connected in series.

With a networked approach, once the light curtains and muting sensors are communicating on the network, the behavior of the muting setup is entirely specified in software. The red and blue highlighted sections in figure 2 (also see figure 4) are the In-Flow and Out-Flow light curtains with their respective muting sensors. To set up muting, the state of the light curtain is simply OR connected with the muting function. The muting function offers various operational states including two- and four-sensor muting, directional muting, override, and enable inputs. The muting function can deactivate as soon as the light curtain has been cleared, which makes it virtually impossible to pass anything back through the light curtain even when the object on the conveyor still activates the muting sensors.
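The logic described in Step 2 can be followed scan by scan in a small model. This is an added example, not the vendor's configuration software or code from the article; every class, field, and key name is hypothetical, and the muting block is simplified to two sensors with muting allowed to start only while the curtain is clear (an assumption of this model).

```python
# Added illustration of the Figure 2 logic; all names are hypothetical, not the vendor's.
from dataclasses import dataclass

@dataclass
class EStop:
    """E-stop with local acknowledgement: a trip latches until the reset bit is seen."""
    released: bool = False
    def update(self, contacts_closed, reset_bit):
        if not contacts_closed:
            self.released = False      # a pressed e-stop always trips
        elif reset_bit:
            self.released = True       # reset counts only while contacts are closed
        return self.released

@dataclass
class Muting:
    """Two-sensor muting that switches off once the light curtain is clear again."""
    state: str = "idle"                # idle -> armed -> passing -> done
    def update(self, curtain_clear, sensor_a, sensor_b):
        if not (sensor_a and sensor_b):
            self.state = "idle"
        elif self.state == "idle" and curtain_clear:
            self.state = "armed"       # assumption: muting starts only on a clear curtain
        elif self.state == "armed" and not curtain_clear:
            self.state = "passing"     # product is interrupting the beams
        elif self.state == "passing" and curtain_clear:
            self.state = "done"        # curtain cleared: muting ends, sensors still active
        return self.state in ("armed", "passing")

class Cell:
    def __init__(self):
        self.estop, self.mute_in, self.mute_out = EStop(), Muting(), Muting()

    def scan(self, io):
        """One controller cycle; returns True when the OSSDs are released."""
        estop_ok = self.estop.update(io["estop_closed"], io["reset_bit3"])
        muted_in = self.mute_in.update(io["lc_in_clear"], *io["mute_in"])
        muted_out = self.mute_out.update(io["lc_out_clear"], *io["mute_out"])
        inflow = io["lc_in_clear"] or muted_in       # curtain OR muting function
        outflow = io["lc_out_clear"] or muted_out
        return estop_ok and io["door_locked"] and inflow and outflow  # global AND

# Constructed I/O image: everything safe, e-stop not yet acknowledged.
SAFE = {"estop_closed": True, "reset_bit3": False, "door_locked": True,
        "lc_in_clear": True, "lc_out_clear": True,
        "mute_in": (False, False), "mute_out": (False, False)}

def run(cell, *changes):
    """Apply each dict of changes on top of SAFE; return the OSSD state per scan."""
    return [cell.scan({**SAFE, **c}) for c in changes]
```

Running a product through the in-flow curtain and then breaking the beams again while the muting sensors are still covered shows the OSSDs dropping, which is the pass-back protection the paragraph describes.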

Step 3: Available diagnostics

Once the configuration has been transferred into the safety controller, graphical diagnostics are available. The borders around the function block and lines connecting the function blocks are used as follows. When an input contributes a TRUE (in the released state) the function block is solid green. The connecting line to the next function is also solid green. Several other colors (red, yellow) and flashing states are used to provide detailed feedback.

In addition to the graphical user interface, numerical values representing the colors of the function blocks are also transmitted to the PLC. This allows the PLC to constantly monitor the system, bring up status and error messages on the HMI, and perform time/date stamped data logging.

Switching out the PLC

Because all safety operations are performed by the safety controller affecting safe outputs that are also part of the AS-Interface network, the PLC does not get involved in the “safety relevant decision.” It is strictly used to control nonsafe operations and evaluate safety diagnostics information. Consequently, this technology is PLC independent and allows a machine builder to reuse all the safety setup when switching from one PLC to another.

Figure 2: Using a simple drag-and-drop interface, function blocks from the Device library are combined to perform logical operations. Once this configuration is running on the safety controller, the color of the function block borders and connecting lines is used to indicate the state of a device. Verifying the operation and finding problems is easy and fast.

Figure 3: Double-clicking a function block opens the associated dialog box. In this example, the e-stop function is tied in with the physical e-stop (which has been assigned the network address 1-9). Several timing parameters (such as synchronization time, stabilizing time, and tolerance time) allow the user to specify the time discrepancy and expected contact bounce of the redundant contacts. Local acknowledgement defines a reset condition for this e-stop (done using input bit 3 from the push button module at address 1-5A).

Figure 4: The state of the light curtain is OR connected with the state of the muting function. Within the muting function the light curtain is also evaluated. This enables the muting function to be turned OFF by the light curtain, which increases the safety of the setup. The other inputs to the muting functions are the muting sensors and nonsafe data bits controlling muting override and muting enable functions.

Helge Hornis is manager, intelligent systems, Pepperl+Fuchs, and
