Preparing for Networked Safety

Gone are the days when they used to think about a hardwired system as being the only method, says David Arens, safety expert at Bosch Rexroth and member of the the American Society of Safety Engineers. “A safe system is simply defined as one that if it fails, it fails in a way that is going to protect the people and the machinery and the plant,” explains Brian Oulton, marketing mana...

By C.G. Masi, Control Engineering July 1, 2007
Sidebars:
Networked system turns out safety as well as productivity
Optical fiber keeps travelers safe under the Alps

Gone are the days when they used to think about a hardwired system as being the only method, says David Arens, safety expert at Bosch Rexroth and member of the the American Society of Safety Engineers.

“A safe system is simply defined as one that if it fails, it fails in a way that is going to protect the people and the machinery and the plant,” explains Brian Oulton, marketing manager for networks at Rockwell Automation.

“The networked safety approach,” says Helmut Kirnstoetter, responsible for product development and sales at B&R Industrial Automation, “is to have input, output, and drives running on the same infrastructure, the same network, and handling the same logic on a machine. The nice thing about it is, we can tie all of the motion components together over the local network. If you press an e-stop, you send a signal to the drive through the software, the drive can move all the machine axes to a safe position, then tell you ‘I’m in a safe spot,’ and allow the user to, for example, open the cabinet door.”

One of the motivations for running safety signals over the machine-control network is to reduce the number of cable runs.

Kelly Schachenman, manager of marketing for safety systems for Rockwell Automation adds: “All safety systems have three elements: 1) safety inputs or the safety sensors that detect a person’s intrusion into a potentially hazardous area; 2) safety actuators that control the flow of energy to potentially hazardous elements of the equipment in the hazardous area; and 3) safety logic, comprised of safety relays or safety PLCs, that determines how the safety system should intervene to make certain that the pre-determined safe conditions are satisfied.”

Networked safety is here, and here to stay. As Control Engineering pointed out in the March issue (“Safe-Motion Choices,” p. 52), the arguments for switching from point-to-point wiring to safety-related messages passing over the machine-control network are compelling. To achieve machine safety at any level, however, requires setting the system up correctly.

That leads immediately to the question of how engineers schooled in deploying hardwired safety systems can make the transition to networked safety. Is networked safety simply a product that you can buy? Can you just unpack a box marked “safe network,” and deploy it like a new television set?

The answer, not surprisingly, is “No.”

“Just using a bunch of components without an understanding of how to put them together does not make a safe system,” Oulton points out. “So it’s very important for an engineer to have proper training.”

Minimizing safety risks

“Unfortunately,” says Arens, “pretty much everyone will tell you it’s impossible to eliminate all risks You can limit risk, but it’s not going to be completely eliminated.”

“The law says you have to create a safe and secure working environment for your employees,” points out Robert Dorr, consulting application engineer with Siemens Energy and Automation. “Unfortunately it doesn’t say how. Now you have to go consult reference standards.”

Observers agree that the most relevant standard for machine safety is IEC 61508, which covers functional safety of electrical, electronic and programmable-electronic safety-related systems, such as automated machinery.

The standard issues from the International Electrotechnical Commission, a body made up of national committees, such as the U.S. American National Standards Institute (ANSI). IEC 61508 provides two important resources: It defines requirements for acceptable safety levels for the various types of equipment covered, and it defines a safety integrity level (SIL) system that provides a means of quantifying safety as applied to equipment and machines covered.

Calculation of SIL levels involves assessment of the probability that those functional safety items will do their jobs. Just because a feature is there, however, doesn’t mean it will be available when needed. An interlock, for example, which makes it impossible to perform proper setup or maintenance will have a high probability for being defeated by technicians charged with performing those operations. This increases the probability that the interlock will not be able to do its safety job when called upon, which has an impact on the system’s SIL.

“The first thing,” says Arens, “is you have to identify all the machines within the workplace that you’re going to do a risk assessment on.”

Mitigating risk is an iterative process.

The significant hazards for equipment and any associated control system in its intended environment have to be identified by the machine specifier or developer through a hazard analysis. “The person you have to look at first is the operator,” Siemens’ Dorr advises. “What could he be exposed to? Then you have to look at who else would be exposed. Obviously the maintenance guys could be—even somebody just walking by. So, the risk assessment looks at all possible risks. Then you devise measures to reduce those risks to an acceptable level.”

“You would then write a safety requirement specification,” says Schachenman, “to define how you would mitigate the hazards native to the machinery and the hazards of an operator working in the machinery performing various tasks. Next, design your system to mitigate those hazards as defined in the safety requirements specification. Finally, test the machinery to validate that the safety control system successfully mitigated the risks as defined in the Safety Requirements Specification.”

“This is a looping process, and it should take place whenever there’s a change,” Arens says. “Even beyond that, there is a periodic review to see that those safeguards are still operating according to the risk assessment that was performed.” The resulting documentation becomes the safety handbook on that machine.

Training

“It requires thorough knowledge of the regulations,” says Oulton, “as well as a thorough understanding of how to do a correct risk assessment, and proper application of the products that you’re using to make sure that the overall system… will fail in a safe and predictable manner.”

“There are actually three levels of training,” says Arens. “There’s the overall safety training, which you can get by going to an OSHA Training Camp. Then there’s a group called The Safety Equipment Distributors Association (SEDA) that offers a qualified safety sales professional training course.” That would be appropriate for system integrators building safety-rated machines for sale. The table lists additional training sources Arens recommends.

The third level is equipment specific. “The machine manufacturer will know the machine best,” Arens points out.

Vendors of machine components, such as PLCs, motor drives, and machine networking products provide training in how to use their products safely. Arens’ company, Bosch Rexroth, for example, provides one-day, two-day and four-day training courses in applying its safety systems to machinery. “One thing you do want to look for,” Arens cautions, “is a certified training provider. The International Association for Continuing Education and Training certifies training providers.”

Siemens’ safety core team members “can provide custom training on site to an OEM using our products,” Dorr says. “We also have a training department that offers off site training and a training CD for users of our equipment.”

“Honestly, network safety is a pretty transparent part of the system,” says Schachenman. “It behaves exactly like the standard network. It’s just a vehicle to pass safety data in a way that has high integrity. The more difficult part is identifying what the hazards are and how you’re going to mitigate them, then writing good application code.”

“In the end,” Schachenman summarizes, “as with any hardwired or programmable safety system, you always have to do field testing to validate that indeed [you have made] the machinery safe.”

Vendor Location Website URL Description
Industrial Safety Integration Ontario, Canada www.industrialsafetyintegration.com Onsite and offsite safety training
Rockford Systems Rockford, IL www.rockfordsystems.com Monthly machine safeguarding seminar
Euchner USA East Syracuse, NY www.euchner-usa.com Risk assessment software

Networked system turns out safety as well as productivity

In the intensely competitive automotive manufacturing industry, the ability to reduce costs and increase productivity while maintaining a safe work environment is vital to a company’s survival. One example is International Automation. The company retrofits stamping machines for tier one suppliers to the automotive industry. A typical tandem line is 100 to 150 feet long and consists of five to seven stamping presses for metal forming. The company sought a new stamper control system to ensure high quality, reduce startup costs, and boost productivity, while complying with increasingly stringent safety regulations.

In addition to helping customers meet increasingly stringent quality and productivity demands, International Automation wanted to provide them with a flexible machine that could be easily integrated into existing plants. Producing a system that would have minimal effect on production was crucial. Equally critical was meeting all industry safety standards while ensuring that safety components improved costs and productivity.

The company first considered upgrading the stampers’ existing relay system. However, not only would the upgrade itself be costly, it would force a complete shut down of the customer’s production line for several days to install. After considering a number of options, the company chose Allen-Bradley’s GuardLogix controller from Rockwell Automation. The safety controller combines flexibility and high performance with integrated safety control features to meet SIL 3 requirements.

The system is programmed using the same development tool used by all Allen-Bradley Logix PACs, providing a familiar and easy-to-use environment for programmers. The software also helps manage safety memory so users don’t have to manually manage the separation of standard and safety memory, or worry about partitioning logic to isolate safety-related data.

In addition, the new control system allows the end customer to access production information using industrial PCs, so a plant manager or CEO can access production reports or make changes from an office.

All safety devices are connected via one cable using DeviceNet Safety I/O system to control and monitor safety circuits and detect I/O and field wiring failures. The company selected ControlNet as the core network architecture.

The fully implemented solution at International Automation delivered immediate results said to be well beyond expectations. Most drastic was the savings in startup costs, exceeding $1 million with its first customer. That amount is comparable with the customer’s average savings expectations after one year, but today International Automation can offer these savings in the start-up phase.

In addition, International Automation saw a major reduction in programming time. With programming typically taking from two to three weeks on a standard system, International Automation was able to write the program for the new safety control system in eight hours.

The system uses certified blocks to emulate the input functionality of a safety relay rather than using a relay system.

For more information, visit:

Optical fiber keeps travelers safe under the Alps

The Gotthard Tunnel in the Swiss Alps is considered to be one of the narrowest bottlenecks on the transit road between Northern and Southern Europe and one of the longest tunnels in the world (17 km). To ensure higher security for traffic flow, system integrator Weiss-Electronic employed optical fiber modems to transmit data from the 272 traffic lights and 68 speed or emergency display screens. The emergency system has three bus systems: one from the north portal through the middle, one from the south portal through the middle of the tunnel, and the longest from the north to south portal.

“The technical difficulty of such a project is the length of the tunnel”, says Joerg Gelz, project manager at Weiss-Electronic. “It is 17 km long and has just one tube for both directions. To conform to the security requirement, we have to adjust the traffic so that there are no more than 150 lorries per direction per hour, and not more than 1,000 car units per direction per hour (one lorry equals three car units, one bus equals two car units, and one car equals one car unit). In case of fire, the tunnel has to be closed in less than 10 seconds. This means that each light and each display panel has to display the right emergency message at the right place.”

The road-control installation allocates vehicles to lanes of the tunnel’s gateway, which can be closed when passage through the tunnel is impossible. Systematic metering of vehicles allows only a safe number of vehicles into the tunnel simultaneously. Also, by means of a so-called “drop control,” trucks can be singled out to avoid bunching in the 17 km long tunnel tube. This capability is especially important to prevent the spreading of flames in case of fire. The necessary signal switching occurs automatically if there is a problem, such as fire, CO concentration too high, or if stopped vehicles are detected.

The entire data management network is based on redundancy rings. Stations are organised in 3 km redundancy rings. Thus, the system can still be controlled in the event of a defective cable or device failure. All data from the lights or speed display panels is transmitted to the control system through Westermo’s LD-64 RS-485 fiber-optic modems. Each of the 68 stations has two LD-64 units—one for the normal bus and one for an emergency bus for alarm signal transmission in case of an optical link failure.

There are also 10 server units, each composed of two redundant servers. One is active and one is passive. In case of trouble, the active becomes passive and the passive changes to active. The head server is also redundant.

For more information, visit: