The safety system we include on our machines has been a combination of a programmable safety controller with some regular distributed I/O to achieve a baseline SIL 3. Are we missing the boat by not trying to push the idea of safety I/O for better fault detection and diagnostics despite the cost hit?
- from November '09 Control Design
Get on the Boat
You are missing the boat by not offering safe I/O with your system, as the benefits of using safe I/O on a safety network like DeviceNet or EtherNet/IP Safety do outweigh the costs from an end-user perspective. As mentioned in the question, the main benefits are better fault detection and diagnostics. Also, the solution likely cannot truly be considered SIL 3 with the use of non-safe I/O. This is because safe I/O has redundancy features typically not found in non-safe I/O.
Michael Frayne, product manager,
Dig a Little Deeper
Ensuring the integrity of any machine sometimes can be very confusing. Many times, the cost to implement a safety system with safety products seems to be high, until you dig below the surface. Safety products are tested, documented and certified by the manufacturers and governing bodies (TÜV, UL, cUL). When properly applied they will meet the highest integrity level they are rated for, and eliminate a lot of the guesswork for additional engineering, documentation, rationalization, proof of concept and time. Can a safety system be designed with non-safety controls? Yes, but do you have all the knowledge, expertise and time factored in? If your system fails, everything you do—from the wiring to the documentation—will and can be scrutinized. Many safety products, depending on their rating, offer redundancy, fault detection and dual channel with testing. As for the safety diagnostics and fault detection costing more, that is questionable. The ability to find faults in a minimal amount of time can be crucial for companies. The longer the downtime, the more money and productivity they might lose. Remember, the lowest SILCL for a subsystem limits the maximum achievable safety integrity level (SIL) for the overall system. In other words, a safety system is never better than the weakest link. You should also consider the probability of dangerous failure per hour (PFHd) for the overall control system. Both EN ISO 13849-1 and IEC 62061 can help you define your requirement for the design and rationalization of your complete control system.
Christine Frank, safety products marketing manager,
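The two rules at the end of the answer above, that the overall PFHd is the sum of the subsystems' values and that the lowest SILCL in the chain caps the overall SIL, worked through as an added Python example that is not part of the column or any vendor's documentation. Every device value is constructed for illustration, and treating a device without a certified SILCL as carrying no SIL claim at all is an assumption made here, in line with the answers' point that an uncertified link leaves no documented proof.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PFHd bands for high-demand / continuous mode (IEC 62061 / IEC 61508-1):
# lower bound inclusive, upper bound exclusive. SIL 3 is the top level
# for machinery, so anything better than 1e-8 is still reported as SIL 3.
SIL_BANDS = ((3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))

@dataclass
class Subsystem:
    name: str
    pfhd: float           # dangerous failures per hour (certified data or own calculation)
    silcl: Optional[int]  # SIL claim limit from certification; None = standard, uncertified device

def sil_from_pfhd(pfhd: float) -> int:
    """Return the SIL band an overall PFHd lands in (0 = worse than SIL 1)."""
    if pfhd < 1e-8:
        return 3
    for sil, low, high in SIL_BANDS:
        if low <= pfhd < high:
            return sil
    return 0

def achievable_sil(chain: List[Subsystem]) -> Tuple[float, int, str]:
    """Sum PFHd over the sensor-to-actuator chain, then apply the weakest-link
    rule: the overall SIL is the lower of the PFHd band and the lowest SILCL.
    Returns (total_pfhd, sil, name of whatever set the limit)."""
    total = sum(s.pfhd for s in chain)
    sil, limiter = sil_from_pfhd(total), "PFHd sum"
    for s in chain:
        claim = 0 if s.silcl is None else s.silcl  # assumption: no certificate, no claim
        if claim < sil:
            sil, limiter = claim, s.name
    return total, sil, limiter

# Constructed chains; the numbers are illustrative, not any product's data.
SAFETY_IO_CHAIN = [
    Subsystem("safety sensor", 2.0e-9, 3),
    Subsystem("safety input module", 1.5e-9, 3),
    Subsystem("safety PLC", 1.0e-9, 3),
    Subsystem("safety output module", 1.5e-9, 3),
    Subsystem("monitored contactors", 5.0e-9, 3),
]
MIXED_CHAIN = [
    Subsystem("safety sensor", 2.0e-9, 3),
    Subsystem("standard distributed input", 1.0e-7, None),  # designer's own estimate
    Subsystem("safety PLC", 1.0e-9, 3),
    Subsystem("standard distributed output", 1.0e-7, None),
    Subsystem("monitored contactors", 5.0e-9, 3),
]

if __name__ == "__main__":
    for label, chain in (("safety I/O", SAFETY_IO_CHAIN), ("regular I/O", MIXED_CHAIN)):
        total, sil, limiter = achievable_sil(chain)
        print(f"{label}: PFHd={total:.2e} -> SIL {sil} (limited by {limiter})")
```

Swapping one certified module's SILCL down to 2 while leaving its PFHd unchanged shows the other half of the rule: the sum still lands in the SIL 3 band, but the chain can only be claimed as SIL 2.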
Total Cost of Ownership
I've seen OEMs struggle with the new IEC 62061 and ISO 13849 safety standards. Calculations on which SIL or PL level can be achieved depend heavily on the components being used in the entire safety chain—that is, from sensor to input module to safety PLC to output module to actuator—as well as the connectivity and implementation of all these devices. SIL 3 being the highest safety category for machinery, you have to use components with integrated diagnostic functions that reduce the amount of otherwise undetected faults. This is called diagnostic coverage and is used among other parameters to determine the SIL of a safety system. Whereas in the past using standard redundant inputs and outputs with feedback monitoring might have been sufficient to achieve a Category 4 rating, you now have to use safety-rated devices to get to SIL 3. These safety-rated components—e.g., safety I/O modules—have numerous built-in redundancy and diagnostic features that have been designed into the hardware and firmware of those modules and have been certified by agencies specialized in safety, like TÜV.
You are missing the boat by not using safety I/O to design a safety circuit that meets SIL 3. Aside from being compliant with the new safety standards, safety I/O offers a lot of additional benefits, as well. Diagnosing wiring issues during initial machine commissioning, as well as during regular operation, can greatly improve startup and downtime of machinery. A tight integration of the safety PLC and the machine controller can annunciate any detected fault directly to the operator via the machine HMI without the need of running additional wires to additional machine I/O or troubleshooting separate safety loops that aren't connected to the machine control at all.
To compare the cost of standard vs. safety-rated hardware alone is simply not a valid measure for deciding which way to go, as it only represents a small percentage of the overall system. The cost of both implementing and commissioning a safety system can quickly outrun the hardware purchase cost. Look at the total cost of ownership of using safety I/O along with a safety PLC that is tightly integrated with your machine controller, yet that is flexible and can be added to any control system architecture, and you will find that these systems will be a lot more economical.
Robert Muehlfellner, director, automation technology,
B&R Industrial Automation (www.discover-automation.com)
Maybe It's Your Distributed I/O
Assuming that the distributed I/O is part of an overall control system required to meet a targeted SIL rating, I would be more concerned that the regular distributed I/O is compromising the SIL 3 rating of the controller and, therefore, the complete control system.
If the distributed I/O requires SIL, but the I/O has not been properly certified to IEC 61508 or another standard under this safety umbrella standard, depending on the industry, the designer must document the calculations that determined the SIL value of the distributed I/O chosen, as well as the SIL value of the overall control system. If the calculations were never done, or if properly certified distributed I/O was not used, then there can be no documented proof that the control system meets the targeted SIL. When using properly certified devices, the device manufacturer provides SIL reliability data. This saves the designer the time of calculating the reliability data.