Safety at Work tutorial on networked safety strategies

Safety at Work, a multi-vendor, open technology, simplifies machine safety installations by collecting and controlling functional safety devices like e-stops, light curtains, guard switches, etc., connected to a simple and flexible two-conductor power and data network. See diagrams, video links.

By Helge Hornis, PhD July 23, 2012


The basic idea behind Safety at Work is quite simple. Safe field devices transmit their safe data intelligently via a dynamic code sequence (some experts like to call this data the safety code or safety signature). Instead of conventional safety relays, a software-configurable safety controller (frequently called SafetyMonitor) evaluates this dynamic code sequence and makes logic decisions based on the user's configuration. Redundant safe contacts, ultimately responsible for deactivating motor contactors, are either a part of the SafetyMonitor or implemented as a safe output module located in the field. When the Safety at Work technology was developed, the participating companies decided against inventing yet another proprietary communication network. Instead they used AS-Interface, a solution with a track record of being easy to use, highly flexible, and low cost. In addition to those advantages, another significant benefit of combining Safety at Work with AS-Interface is that all the hardware, tools, and solutions that have been developed for AS-Interface were immediately available for safety installations. Vendors supporting Safety at Work can provide more information. These include: Bihl+Wiedemann, Euchner, Festo, idec, ifm, Leuze electronic, Pepperl+Fuchs, Rockwell Automation, Schmersal, Schneider Electric, and Siemens.

Dynamic safety

Conventional hardwired safety solutions are based on redundant wiring. This approach has many disadvantages compared to exchanging safety relevant information over networks. Wiring complexity and its associated cost and downtime are just two frequently mentioned problems.

Safety at Work can be used in applications demanding the highest level of safety (CAT4, SIL3, and PLe), but so can many others. It is the dynamic code sequence approach taken by Safety at Work that allows this level of safety to be reached at a price level significantly below that of any other networked safety technology and with an installation simplicity that is second to none. The dynamic code sequence is a unique 32-bit number transmitted in four-bit chunks. During the configuration of the safety system, the safety controller learns these 32-bit numbers, one from each safe device connected to the network, and stores them as 8×4-bit matrices. The safety controller requires the correct reception of these 32-bit code sequences and will shut down its safe outputs if this data is corrupt (perhaps indicating an internal failure of the safe device) or if the data is not being received at all (most likely if the cable is damaged). This procedure assures that a Safety at Work system will transition to the safe state as needed. But there is more to these four-bit chunks of data. Figure 1 shows a redundant e-stop connected to a safe input module. Two bits of each four-bit chunk are routed over one safe e-stop contact while the other two bits are routed over the second safe e-stop contact. This simple procedure results in the following:

  • It allows the safety controller to test for cross-shorts between the two safe contacts.
  • It gives the user the ability to determine if and when one of the redundant contacts is welded, disconnected, or sticky. And because this information is available over the network, it is not necessary to run any additional wires.
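The following is an added example, not code from the article or from any Safety at Work vendor. It models a safety controller's evaluation of one device's dynamic code sequence as described above: the 32-bit code is learned as eight 4-bit chunks, and, by assumption of this model, the upper two bits of each chunk travel over contact A and the lower two over contact B. The state names, the rule that a learned code may contain no all-zero chunk, and the classification of partial matches are assumptions of the model, not the protocol's specification.

```python
from enum import Enum
from typing import List, Optional

CHUNKS = 8                # 32-bit code sequence transmitted as eight 4-bit chunks
SHUTDOWN_CHUNK = 0b0000   # all-zero pattern signals a shutdown request


class State(Enum):
    RELEASED = "released"                    # correct code: both contacts closed
    STOP = "stop"                            # 0000 received: e-stop pressed
    SINGLE_CONTACT = "single-contact fault"  # one contact open, welded, or sticky
    CODE_FAULT = "code fault"                # wrong code: cross-short or device failure
    NO_DATA = "no data"                      # nothing received: cable damaged


def learn_code(code: int) -> List[int]:
    """Teach-in: split a device's 32-bit code into its 8x4-bit matrix, MSB chunk first.
    Model assumption: an all-zero chunk is rejected because it could not be told apart
    from the shutdown pattern."""
    if not 0 <= code < 2**32:
        raise ValueError("code must be a 32-bit number")
    matrix = [(code >> (4 * (CHUNKS - 1 - i))) & 0xF for i in range(CHUNKS)]
    if SHUTDOWN_CHUNK in matrix:
        raise ValueError("code contains an all-zero chunk")
    return matrix


def evaluate_chunk(expected: int, received: Optional[int]) -> State:
    """Classify one received chunk against the learned one (constructed split:
    bits 3..2 over contact A, bits 1..0 over contact B)."""
    if received is None:
        return State.NO_DATA
    if received == SHUTDOWN_CHUNK:
        return State.STOP
    if received == expected:
        return State.RELEASED
    a_ok = (received & 0b1100) == (expected & 0b1100)
    b_ok = (received & 0b0011) == (expected & 0b0011)
    a_zero = (received & 0b1100) == 0
    b_zero = (received & 0b0011) == 0
    if (a_ok and b_zero) or (b_ok and a_zero):
        return State.SINGLE_CONTACT       # one contact dropped its two bits
    return State.CODE_FAULT               # neither half is consistent with the code


def evaluate_cycle(matrix: List[int], received: List[Optional[int]]) -> State:
    """Evaluate one full cycle; the safe output may stay on only if every chunk is RELEASED.
    Chunks that never arrived are treated as NO_DATA."""
    padded = list(received) + [None] * (CHUNKS - len(received))
    for expected, chunk in zip(matrix, padded):
        state = evaluate_chunk(expected, chunk)
        if state is not State.RELEASED:
            return state                  # first deviation forces the safe state
    return State.RELEASED
```

Any return value other than `State.RELEASED` is the cue to drop the safe output; the distinct states are what the article describes as diagnostics available over the network without extra wiring.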

The second advantage alone, compared to the hardwired approach, significantly reduces the required number of wire connections. Whereas hardwired solutions typically utilize an auxiliary contact to determine if an e-stop has been pressed or not, in Safety at Work this information is provided essentially for free. Further, the user not only knows which e-stop was responsible for deactivating the machine, but can also be informed about single contact problems.


Setting up a Safety at Work system comprises the following steps:

1. Building the network—This includes running the network cable; connecting an AS-Interface power supply responsible for powering all field devices, the safety controller, and the gateway; and assigning addresses to the field devices.

2. Setting up the safety logic—This is done using the graphical SIMON+ software. Once the safety logic has been created it is downloaded to the safety controller and tested.

3. PLC logic—Because the safety devices are part of a network, the non-safe PLC has the ability to see the data generated by the safe field devices. This allows the programmer to develop HMI screens guiding the machine operators. For instance, by looking at the data from each of the e-stops, the HMI can be set up to signal which e-stop was pressed, causing the shutdown.

Building the network

AS-Interface, a sensor/device level network, can include non-safe, safe, and even analog modules. See the online box for an assembly video link.

Set up the safety logic

Safety logic can be set up using Simon+ configuration software. For this, graphical function blocks are taken from the Device library and dropped onto processing windows (see Figure 2). Each processing window corresponds to a set of logic rules ultimately controlling a safe output.

Figure 3 shows the logic rules controlling safe output group 1 (OSSD1). Even though the logic flow is left to right, it may be easier to explain what is going on by evaluating the logic right to left.

The right-most function block is an Output device representing a safe output of the system with the user-assigned name OSSD1 (Motor). One level to the left are the Global & and a Start device. For this application, an Automatic start has been selected. As soon as the Global & is logically TRUE, the safe output OSSD1 (Motor) will turn on; a reset button is not needed in this case.

To the left of the Global & are a number of Input devices, that is, two e-stops and a safety guard switch. The Global & operation will be TRUE as soon as both its inputs are TRUE. The safety guard switch will be TRUE when the door is closed and latched. The two e-stops, on the other hand, are first combined using an AND Logic device. The AND Logic device is then connected to a Button device.

These four devices will perform as follows:

  • As soon as both e-stops are in their respective released states, the AND Logic device turns TRUE.
  • The Button device acts as a gate. For it to turn TRUE, its input—that is, the AND Logic device—must be TRUE plus the assigned input button bit must also be true temporarily. The button device accomplishes the necessary reset function for the e-stops.
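Below is an added simulation of the OSSD1 (Motor) processing window described above; it is not code from the article or from the SIMON+ software. Device names follow the text; that the Button device holds its TRUE state until the AND Logic input drops again is an assumption of this model.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Inputs:
    estop1_released: bool   # e-stop 1 sending its dynamic code correctly
    estop2_released: bool   # e-stop 2 sending its dynamic code correctly
    guard_closed: bool      # safety guard switch: door closed and latched
    reset_pressed: bool     # momentary standard input assigned to the Button device


class ProcessingWindow:
    """Logic rules for safe output OSSD1 (Motor), evaluated once per cycle."""

    def __init__(self) -> None:
        self.button = False   # output of the Button device (assumed to latch)

    def cycle(self, i: Inputs) -> bool:
        and_logic = i.estop1_released and i.estop2_released   # AND Logic device
        if not and_logic:
            self.button = False        # any e-stop press drops the gate; reset needed again
        elif i.reset_pressed:
            self.button = True         # momentary reset while both e-stops are released
        global_and = self.button and i.guard_closed            # Global &
        # Automatic start: OSSD1 turns on as soon as Global & is TRUE, no further reset
        return global_and


def run_scenario(window: ProcessingWindow, steps: List[Inputs]) -> List[bool]:
    """Return the OSSD1 state after each cycle of a constructed input sequence."""
    return [window.cycle(step) for step in steps]
```

The scenario in the test shows the asymmetry the text describes: releasing an e-stop alone does not restart the motor until the reset button is pressed, whereas closing the guard door again restarts it automatically.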

As Figure 2 shows, a safety configuration may be made up of many individual processing windows, each of which defines a set of rules for one output. Using the word "output" is intentionally vague as this output can be a safe output that is onboard the safety controller or a safe output physically located in a remote safe output module. Remote safe outputs are very useful because they enable modularity at all levels of machine control. System designers are quite used to putting conventional outputs on machine sections and then controlling them over the network selected for the application. Breaking down the machine for shipment is then as easy as disconnecting the section from the network and reconnecting it at the location of reassembly. Such a simple solution was previously not available when a motor needed to be controlled safely. When using conventional hardwired safety technology, the safety relay controlling the motor had to be in the main controls cabinet. Typically this meant that motor power first had to be run to the controls cabinet and then back out to the motor. This is not only costly in terms of the high-voltage cables necessary, but it also complicates breakdown and reassembly of the entire machine. Unfortunately, many safety networking solutions still suffer from this shortcoming as they do not offer safe outputs that are convenient to use and can be located anywhere along the network.

With Safety at Work, using a safe remote output module is easy. Figure 4 shows the details window that pops up after double-clicking the OSSD1 (Motor) function block. After checking the Actuator box and providing the network address of the safe output module, it is ready to control safe outputs in the field. Several safe outputs can be assigned the same safe address. When that is done, all such remote modules will deactivate at the same time. This is an easy and very effective way to simultaneously stop the harmful motion at many locations of the machine. Because AS-Interface is the communication backbone for Safety at Work, motors can be controlled many hundreds of meters apart.

Another type of output is a Coupling slave. Coupling slaves are used when multiple safety controllers on a network share safe data. In this case, two safety controllers independently control parts of a machine. When a light curtain on section A is interrupted, the safety controller for this section processes this signal using its safe logic. Since muting is used, interrupting the light curtain may not necessarily result in the deactivation of the machine. Further assume that a robot in machine section B must never rotate to section A when an operator is in section A. In this case it is imperative that machine section B "knows" something about the state of the light curtain so that it can shut down the robot if necessary. This is where safe coupling comes in. The two safety controllers are connected using a so-called coupling network, and the output of the safe logic, instead of controlling a physical output, places data on this coupling network. From the point of view of the second safety controller, the one receiving the light curtain data, this piece of information looks just like the data from a safe field module: dynamic data when the released state is signaled and the '0000' bit pattern when the shutdown request is transmitted.

With the ability to exchange safe data between multiple networks, it is now possible to set up safety systems with 961 safe input devices, a number so large that it must be viewed as a hypothetical limitation only.

When Safety at Work is used in an AS-Interface network connected to a PLC through a gateway, it is part of a PLC-controlled I/O solution. A new type of Safety at Work safety controller also allows the control of stand-alone safety systems without connection to a PLC. This approach gives users interested in a modern stand-alone safety solution the ability to control fairly complex systems without making any changes to existing PLC logic. A diagnostics output is a standard non-safe output on the controller. "On the controller" refers to standard outputs that are either local to the safety controller or on an expansion network (also a standard AS-Interface network), so standard outputs can be any of hundreds of available AS-Interface modules with outputs.

Controlling these standard outputs allows the safety controller to activate an LED on an illuminated e-stop when the e-stop is pushed. Similarly, the safety controller can also control the locking solenoid on a protective door switch. The possibilities are limitless. To make this functionality even more powerful, it is not even necessary to control a safe output at all. Giving the safety controller the ability to use standard inputs and controlling standard outputs turns it into a safety PLC. Figure 5 shows a medium-size safety system with e-stops, light curtains, muting sensors, and protective latching door switches. A standard pushbutton unlatches the door, and the integrated LEDs are used to guide the operator and annunciate operational states—all without the need for a PLC.

Whereas safety PLCs for all their processing power cost thousands of dollars, this safety controller is easily a factor of 20 less expensive. Not as powerful and complex as a safety PLC, it is powerful enough to control a surprising fraction of typical safety systems.

– Helge Hornis, PhD, is manager intelligent systems group, Pepperl+Fuchs. Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, and Plant Engineering,


P+F videos

– Safety at Work hardware is connected, logic configured, and the final system tested and debugged.

– A simple AS-Interface network of non-safe, safe, and analog modules is assembled.