Safety Networks Begin to Emerge

By Jim Montague April 1, 2002

The idea of a safety fieldbus may seem like an oxymoron. How the heck can you logically have one twisted-pair control loop operate in a safety-related environment that is traditionally, and often legally, required to have redundancy via hardwiring?

Sure, practical objections aside, it would be terrific to secure, rather than drool over, some of the potential 40% savings in material and labor that implementing fieldbus can reportedly generate compared to 4-20 mA hardwire. It would be even better to gain added savings from fieldbus’ vastly better diagnostics, which enable proactive maintenance; pinpoint trouble spots; and help shorten and decrease on-site maintenance visits.

‘There’s definite momentum for safety networks among big customers with big installations because they have hundreds and thousands of devices, and so the potential savings multiply quickly,’ says Claude Dinsmore, product development gm, Fanuc Robotics North America (Rochester Hills, Mich.).

David Skeleton, of Phoenix Contact (Harrisburg, Pa.), adds that, ‘There have been big increases recently in the use of sensors and intelligent devices. This is driving up wiring costs, and thereby fueling the need for fieldbus-based safety.’

That’s the good news. The bad news is that all those practical obstacles to using fieldbus as a safety network must still be solved long before the benefits begin to roll in. Also, for now and in the near future, safety networks are only likely to be applied in machinery safety and discrete manufacturing situations, mainly because process control applications are more complex and often can’t be shut down immediately.

Besides fulfilling safety requirements with organized, repeated and confirmed messaging, Pilz Automation Safety LP (Canton, Mich.) reports that a safety network using its SafetyBus p can form internal groups that subsequently allow an application to be partitioned into subsections, which enables safety-related data from a whole plant to be controlled through one safety bus. Then, if a fault occurs, only the affected group would need to switch to a safe condition.

Most importantly, whether hardwired or fieldbus-based, a safety network must be evaluated according to Safety Integrity Level (SIL) requirements to determine one of the four levels at which it can safely function. SILs 1, 2, 3 and 4 each correspond to a range of target failure probabilities for a safety function. SIL is a property of a safety function, rather than of a system or any part of one.

How Profisafe works:

1. The emergency button (connected to a fail-safe input module in the field device) is pushed.
2. During the next communication cycle, the safety controller (a PLC able to handle the safety application and also the standard automation task) sends output data to the field device (including fail-safe data according to the Profisafe profile).
3. The field device responds with input data (including fail-safe data according to Profisafe).
4. The controller’s safety application evaluates the data unit’s relevant part, and initiates the necessary program steps.
5. With the next telegram, information is sent to the appropriate station as part of the output data.
6. The motor stops.

Regulations shifting

Many standards, rules and laws historically restricted use of low-power networks like fieldbus in safety-related settings, mainly because electricity has the potential to spark explosions. Because of these rules, and because even developing a safety fieldbus specification must be done with close regulatory oversight and collaboration, few if any safety network-based products have been released, though there are some safety-based modules.

Many traditional objections to safety networks have been addressed, and this, combined with better-organized software to meet bus integrity validation, has made it possible for some regulatory organizations to consider easing restrictions on possible fieldbus safety networks. Most of this reexamination has occurred in Europe, which observers agree is presently ahead of the U.S. in safety fieldbus development.

This lag is partially due to the National Fire Protection Administration (NFPA, Quincy, Mass.), which has long prohibited the use of fieldbus or other powered networks as part of its NFPA 79 regulations governing electrical equipment in industrial machinery. Recently, several manufacturers, reportedly Siemens, Rockwell and Emerson, asked NFPA to reexamine its rules governing safety fieldbuses. The organization is presently voting whether to permit greater use of these networks and/or safety PLCs, and results are expected later in 2002.

Likewise, the International Electrotechnical Commission (IEC, Geneva, Switzerland) recently released its seven-part IEC 61508 standard for safety-related electrotechnical systems, such as electromechanical systems, solid-state electronic systems and computer-based systems. IEC 61508 was ratified by CENELEC’s technical board in July 2001, and the standard will be published as EN 61508 by August 2002. Any conflicting national standards, or standards of CENELEC (European Committee for Electrotechnical Standardization) or CEN (European Committee for Standardization), both in Brussels, Belgium, must be withdrawn by August 2004. New standards for process and machinery control, IEC 61511 and 62061 respectively, are also presently being developed by IEC, according to ARC Advisory Group (Dedham, Mass.).

In addition, the Robotic Industries Association (RIA, Ann Arbor, Mich.) updated its R15.06 standard in 1999, in part, to allow greater use of safety devices and network components. This update went into effect in June 2001, and it allows a network safety circuit to be used for control safety signals of ‘control reliable’ performance criteria, says Tom Field, Fanuc Robotics’ electrical group product development manager. This essentially requires, for example, third-party validation of a safety PLC for a software-controlled e-stop circuit using a triple redundant processor.

Rockwell Automation’s planned NetLinx Safety will combine NetLinx Standard with safety extensions to the Control and Information protocol (CIP) to separate safety messages from standard messages. NetLinx Safety’s resulting cross checking and redundancy create a communication mechanism able to serve SIL 3 applications.

Profisafe extends Profibus

Perhaps the most well-known safety fieldbus is Siemens’ Profisafe standard, which was defined in early 2001. The company has already released several Profisafe-compatible devices, notably its S7 400 PLC and ET 200 I/O products.

Profisafe adds a safety-focused layer to the Profibus protocol; runs over standard Profibus hardware; and consequently provides added error detection capabilities to achieve SIL 3 and get messages through without any undetected errors.

Ron Mitchell, system engineer at the Profibus Interface Center (Johnson City, Tenn.) says Profisafe was only approved by TÜV, the designated regulatory organization, after an extensive examination of the algorithms and polynomials that Profisafe uses for its CRC calculations. In fact, TÜV continually reviewed Profisafe during its entire two- to three-year development process. Despite these efforts, convincing reluctant users of Profisafe’s usefulness and safety capabilities isn’t always easy.

‘It’s similar to the evolution from hard to soft PLCs, and parallels the move from 4-20mA hardwire to regular fieldbus. Changing mindsets takes time. We just have to keep chipping away, and keep explaining all of Profisafe’s possibilities,’ says Mr. Mitchell. ‘It’s hard to demonstrate the advantages of safety networks because their safety functions occur mathematically in their firmware. Still, we’re now getting more and more inquiries about safety across the bus, where we weren’t getting any a year and a half ago.’

Siemens is also in the process of developing a lower level safety fieldbus protocol, entitled AS-i Safety at Work.

Pilz builds from scratch

While almost all safety fieldbus networks are simply extensions of existing fieldbuses, Pilz Automation Safety LP (Canton, Mich.) built its two-year-old safety fieldbus virtually from scratch. Dino Mariuz, Pilz’s senior applications engineer, says Pilz started with a CANopen fieldbus system, and then added capabilities for checking signals; timing functions for sending and receiving signals; and other software to create its SafetyBus p. These capabilities make this isolated fieldbus safe by eliminating echoes, phantom and/or duplicated signals, and missed data.

‘Other developers have tried to incorporate safety into existing systems, but these can add too much traffic to a network,’ says Mr. Mariuz. ‘Many of our customers already have control networks, and we can add SafetyBus p to communicate through to their PLCs, etc.’

Mr. Mariuz adds that SafetyBus p is presently being used to assist existing fieldbus controls on a particle accelerator at Michigan State University (East Lansing, Mich.). SafetyBus p helps monitor a widespread gate system that must be secured before the accelerator is energized for experiments.

Pilz also reports that SafetyBus p is able to achieve EN 954-1 Category 4 approval because the two-chip chipset in all its devices is based on a programmable safety system (PSS), rather than on the probabilistic approach used by IEC 61508’s integrity levels. PSS is a system of three separate PLCs that must calculate the same result before an output is set.

Mr. Mariuz says that users can easily expand SafetyBus p-based cells and zones by adding more modules, up to 64 nodes, and reconfiguring its software. Pilz has also developed software-based Safe Blocks for SafetyBus p’s Monitor Block System (MBS). Mr. Mariuz adds that very low-power modules, operating at less than 6 V, may eventually allow SafetyBus p to operate in hazardous, intrinsically safe applications.

AS-i Safety at Work can form groups of safety signals by adding safety monitors to standard network components. Equipped with a two-channel enable circuit and four safety slaves, each monitor is assigned to a plant section that can be shut down with the appropriate enable circuit. In the configuration shown here, the safety module and Emergency Stop 1 act on Safety Monitor 1, and the plant section assigned to it is shut down. Emergency Stop 2 works on both safety monitors, and shuts down both applicable plant sections.

Future fieldbuses

Rockwell Automation (Mayfield Heights, O.) not only expects its SIL 3 safety network to be available within two years, it is also developing a safety network specification, NetLinx Safety, that will use multiple wires and allow seamless communication between its two-year-old DeviceNet Safety and Ethernet/IP Safety protocols. Both are overseen by the Open DeviceNet Vendors Association (ODVA, Boca Raton, Fla.).

DeviceNet Safety adds an additional protocol layer to DeviceNet, which allows a network to detect and capture more remote error possibilities, as is required to achieve a high enough SIL rating to be a safety fieldbus. This is done by transmitting certain data twice, and by embedding additional cyclic redundancy checks (CRCs) in the system.

‘At a minimum, each data packet is carried twice, and not simply in two frames,’ says Suresh Nair, program manager of Rockwell’s safety communications and safety controls businesses. ‘Consequently, the fundamental difference is that DeviceNet Safety has two CPUs for communications. This means each of the two packets goes to a different CPU, and they’re cross checked, which is how we can guarantee achieving certain levels of integrity.’ In short, this is how a safety fieldbus can reproduce hardwire’s redundancy; achieve its required results using a different methodology; and deliver fieldbus’ promised savings on materials and labor, as well as its improved diagnostics.
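The Python sketch below is an added illustration, not code from Profisafe, DeviceNet Safety or any vendor, of the safety-layer mechanisms the Profisafe and DeviceNet Safety sections describe: a consecutive number and CRC added to the fail-safe payload, the data unit carried twice so two receiving CPUs can cross-check, and a fail-safe reaction on any detected fault (corrupted, echoed, duplicated or missed telegrams). The CRC polynomial, frame layout and payload encoding are constructed for this example and are not those of any real profile.

```python
import struct

POLY = 0x1021  # CRC-16 polynomial chosen for this example, not a real profile's

def crc16(data: bytes) -> int:
    """Bitwise CRC-16 over the safety body (no lookup table, for readability)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def safety_telegram(seq: int, payload: bytes) -> bytes:
    """Sender: consecutive number + payload + CRC, carried twice (one copy per CPU)."""
    body = bytes([seq & 0xFF]) + payload
    unit = body + struct.pack(">H", crc16(body))
    return unit + unit

def check_copy(unit: bytes, expected_seq: int):
    """One CPU's check of its copy: CRC must verify, consecutive number must be next."""
    body, crc = unit[:-2], struct.unpack(">H", unit[-2:])[0]
    if crc16(body) != crc:
        return ("crc_error", None)           # corrupted or phantom telegram
    seq, payload = body[0], body[1:]
    if seq == (expected_seq - 1) & 0xFF:
        return ("duplicate", None)           # echo or repeated telegram
    if seq != expected_seq:
        return ("missed_data", None)         # consecutive number jumped
    return ("ok", payload)

class SafetyReceiver:
    """Two independent checks are cross-checked; any fault de-energizes the output."""
    def __init__(self):
        self.expected_seq = 0
        self.output_energized = False

    def receive(self, frame: bytes) -> str:
        half = len(frame) // 2
        cpu_a = check_copy(frame[:half], self.expected_seq)
        cpu_b = check_copy(frame[half:], self.expected_seq)
        verdict = cpu_a[0] if cpu_a == cpu_b else "cross_check_mismatch"
        if verdict != "ok":
            self.output_energized = False    # fail-safe reaction
            return verdict
        self.expected_seq = (self.expected_seq + 1) & 0xFF
        # payload bit 0 (constructed encoding): 1 = run enabled, 0 = e-stop pressed
        self.output_energized = bool(cpu_a[1][0] & 1)
        return "ok"
```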

Presently undergoing second-stage review by the TÜV and BIA organizations, NetLinx Safety will not just allow multiple links, but will also enable a multi-cell approach to safety fieldbus networks. DeviceNet Safety with NetLinx is expected to be available in 1Q04, and Ethernet/IP Safety with NetLinx will be available six months later.