Integrating Safety and Control

Until recently, machine and robot builder OEMs needed two automation systems. One of them controlled the machine or robot, while the second dealt specifically with machine safety. Typically, the machine safety system required a separate safety PLC and a dedicated hard-wired I/O network.

Separate hard-wired safety systems were required for a number of reasons. First, many suppliers simply charged too much for their safety controllers and I/O, restricting use to safety functions. Second, safety-rated versions of many digital communication networks were still in the regulatory approval stages. Third, many OEM customers were not quite ready for change in the sensitive area of safety.

All that changed in the past few years, and integrated safety is fast becoming a viable solution in many OEM applications. Today, you can put control and safety functions into the same automation system, and run machine and safety I/O signals over the same wired or wireless safety-rated network. The price difference between standard and safety-rated controllers has narrowed, meaning that it's often cost-effective to use one automation system for both control and safety, especially in systems with a high percentage of safety I/O compared with standard I/O. Of equal importance, OEM customer acceptance grows more widespread.

Integrated Safety I/O is Faster/Easier

Brent Lekx-Toniolo is the director of the Automation Division at Toniolo Research & Development, an automation and robotics systems integrator in Oxford Mills, Ontario. He has experience with old, separate, safety systems and with new, integrated alternatives, and he prefers the new.

Toniolo built a control and safety system for a spot weld assembly cell with 11 robots. The safety system included emergency stops, access control to safeguarded spaces, robot-to-human interference detection (a combination of robot zone switches and light curtains), and general detection of operators entering work stations via light curtains.

"This was a very large safety implementation that included fail-safe over EtherCat (FSoE), 380 TwinSafe inputs, and 144 TwinSafe outputs across the welding system on 15 EtherCat I/O stations," Lekx-Tonilo explains. "On top of the significant safety requirements of the cell, the systems also needed to control more than 600 standard I/O points, 12 pneumatic manifolds and two servo drives, while interfacing with 11 robot controllers.

Distributed Safety Next? Integrated safety is here as integrated automation systems that control the machine or robot and perform safety functions. Most of the popular I/O and sensor networks are safety-rated, allowing suppliers to provide a complete integrated control and safety solution. The next step for some applications could well be distributed safety, with safety functions separated from the main controller via distributed safety components, but still tightly integrated to the main controller via a high-speed safety-rated network. A distributed safety component can perform safety functions independently of the main controller, continuing operation even if all communications with the main controller are lost. Examples are small and compact safety PLCs, machine-mount safety-rated controllers, and motion and motor controllers with built-in safety functions. Beckhoff Automation implements distributed safety via its EL6900 safety PLC terminal, a distributed safety component supplied in the same 12 mm housing/installation format as its I/O terminals. Siemens Industry says that its Simatic ET 200pro Fail Safe controller is the industry's first machine-mount, safety-certified programmable controller rated for IP67 installation. Machine mounting eliminates the traditional electrical enclosure, and makes sense for larger machines or for machines built in separate modules. Many suppliers include safety functionality in their motion and motor controllers. Rockwell Automation's PowerFlex 70 motor drives have a safe torque-off embedded safety option certified at PLe/SIL 3 Cat. 3. This option removes rotational power to the motor without removing power from the drive for faster startup after a demand on the safety system. Safety in a distributed configuration can provide a number of benefits. The system can react more quickly to an unsafe condition because the controller is located close to the hazard and doesn't depend on communication back to a central controller. Further, safety functions remain intact even if the central controller fails. In addition, wiring costs can often be lower by wiring safety-related I/O directly to the local distributed safety component. Some machines are built in modules, with each module performing a specific function. The builder mixes and matches modules to create the machine, with interconnections among modules typically via a digital network. For modular machines, distributed safety as well as distributed control is a natural fit, with one integrated control and safety system per module.

Lekx-Toniolo found, to his surprise, that Beckhoff Automation's TwinSafe system could perform both the control and safety functions, and it was faster than the old, dedicated safety system. "The typical deactivation time of a standard safety relay is 20 ms and most safety relay systems require cascading of safety relays to build safety logic," he notes. "Many older safety networks have system response times that exceed 120 ms, and frequently exceed 200 ms. Currently, the PLC task, the entire EtherCat network and all safety in the welding cell is updated every 20 ms, which is much faster than a traditional PLC and relay-based system."