Is Safety I/O's Fault Detection and Diagnostics Worth the Price?

Should We Push for Safety I/O?: Does Its Fault Detection and Diagnostics Justify the Cost Hit?

The safety system we include on our machines has been a combination of a programmable safety controller with some regular distributed I/O to achieve a baseline SIL 3. Are we missing the boat by not trying to push the idea of safety I/O for better fault detection and diagnostics despite the cost hit?

- from November '09 Control Design

ANSWERS

Get on the Boat

You are missing the boat by not offering safe I/O with your system, as the benefits of using safe I/O on a safety network like DeviceNet or EtherNet/IP Safety do outweigh the costs from an end-user perspective. As mentioned in the question, the main benefits are better fault detection and diagnostics. Also, the solution likely cannot truly be considered SIL 3 with the use of non-safe I/O. This is because safe I/O has redundancy features typically not found in non-safe I/O.

Michael Frayne, product manager,
Molex (www.molex.com)

Dig a Little Deeper

Ensuring the integrity of any machine sometimes can be very confusing. Many times, the cost to implement a safety system with safety products seems to be high, until you dig below the surface. Safety products are tested, documented and certified by the manufacturers and governing bodies (TÜV, UL cUL). When properly applied they will meet the highest integrity level they are rated for, and eliminate a lot of the guesswork for additional engineering, documentation, rationalization, proof of concept and time. Can a safety system be designed with non-safety controls? Yes, but do you have the all the knowledge, expertise and time factored in? If your system fails, everything you do—from the wiring to the documentation—will and can be scrutinized. Many safety products, depending on their rating, offer redundancy, fault detection and dual channel with testing. As for the safety diagnostics and fault detection costing more, that is questionable. The ability to find faults in a minimal amount of time can be crucial for companies. The longer the downtime, the more money and productivity they might lose. Remember, the lowest SILCL for a subsystem limits the maximum achievable safety integrity level (SIL) for the overall system. In other words, a safety system is never better than the weakest link. You should also consider the probability of dangerous failure per hour (PFHd) for the overall control system. Both EN ISO 13849-1 and IEC 62061 can help you define your requirement for the design and rationalization of your complete control system.

Christine Frank, safety products marketing manager,
Sick (www.sickusa.com)

Total Cost of Ownership

I've seen OEMs struggle with the new IEC 62061 and ISO 13849 safety standards. Calculations on which SIL or PL level can be achieved depends heavily on the components being used in the entire safety chain—that is, from sensor to input module to safety PLC to output module to actuator—as well as the connectivity and implementation of all these devices. SIL3 being the highest safety category for machinery, you have to use components with integrated diagnostic functions that reduce the amount of otherwise undetected faults. This is called diagnostic coverage and is used among other parameters to determine the SIL of a safety system. Whereas in the past using standard redundant inputs and outputs with feedback monitoring might have been sufficient to achieve a Category 4 rating, you now have to use safety-rated devices to get to SIL 3. These safety rated components—e.g., safety I/O modules—have numerous built-in redundancy and diagnostic features that have been designed into the hardware and firmware of those modules and have been certified by agencies specialized in safety, like TÜV.

You are missing the boat by not using safety I/O to design a safety circuit that meets SIL 3. Aside from being compliant with the new safety standards, safety I/O offers a lot of additional benefits, as well. Diagnosing wiring issues during initial machine commissioning, as well as during regular operation, can greatly improve startup and downtime of machinery. A tight integration of the safety PLC and the machine controller can annunciate any detected fault directly to the operator via the machine HMI without the need of running additional wires to additional machine I/O or troubleshooting separate safety loops that aren't connected to the machine control at all.

To compare the cost of standard vs. safety-rated hardware alone is simply not a valid measure for deciding which way to go, as it only represents a small percentage of the overall system. The cost of both implementing and commissioning a safety system can quickly outrun the hardware purchase cost. Look at the total cost of ownership of using safety I/O along with a safety PLC that is tightly integrated with your machine controller, yet that is flexible and can be added to any control system architecture, and you will find that these systems will be a lot more economical.

Robert Muehlfellner, director, automation technology,
B&R Industrial Automation (www.discover-automation.com)

Maybe It's Your Distributed I/O

Assuming that the distributed I/O is part of an overall control system required to meet a targeted SIL rating, I would be more concerned that the regular distributed I/O is compromising the SIL 3 rating of the controller and, therefore, the complete control system.

If the distributed I/O requires SIL, but the I/O has not been properly certified to IEC 61508 or another standard under this safety umbrella standard, depending on the industry, the designer must document the calculations that determined the SIL value of the distributed I/O chosen, as well as the SIL value of the overall control system. If the calculations were never done, or if properly certified distributed I/O was not used, then there can be no documented proof that the control system meets the targeted SIL. When using properly certified devices, the device manufacturer provides SIL reliability data. This saves the designer the time of calculating the reliability data.

Mike Garrick, product marketing lead specialist,
Phoenix Contact Interface (www.phoenixcontact.com)

Open to Interpretation

Let's explain the technology at the heart of your question. In the past, seamless communication was nearly impossible, because no single network was able to integrate safety and standard control systems, while also enabling the seamless transport of data across multiple plant floor physical networks. That changed with emergence of standards such as the common industrial protocol (CIP). CIP is an application protocol for industrial networking that is independent of the physical network. The CIP provides a set of common services for control, configuration, collection and sharing across all of the CIP networks.

Given these integrated networking capabilities, the answer to your question depends on how it is interpreted.

Interpretation 1: You have a safety PLC with your safety devices wired to it, and each safety component has a third contact wired into a standard I/O point for machine diagnostics and annunciation. You also might have several components wired in series and connected to a single pair of safety PLC inputs, which means you probably do not have enough safety I/O to go around. If this scenario is accurate, then you are missing the boat. Rather than receiving information about which door is open or which light curtain is interrupted via additional standard PLC inputs, it would be much more cost-effective to receive this information across a communications network between the safety and standard PLCs. Using an integrated communication network, like CIP, would reduce labor time and costs associated with purchasing additional I/O and wiring the networks. Also, if you are wiring safety devices in series and running them into a single pair of safety PLC inputs, you are losing the ability to diagnose which of those devices are tripped. Use additional safety I/O, one pair of each device, and you will be able to tell exactly which device is causing your machine issues and get the machine back into production sooner. If you are using standard I/O with your safety PLC as part of the safety system, then you are not achieving SIL 3.

Interpretation 2: You are using an integrated controller that handles safety and standard control functions for your machine. This control architecture delivers value by its ability to perform safety and standard control with a single controller in a single application environment and often with a single network that supports the safety and standard data and communication. The value that the safety portion of the control system delivers is to help ensure the controller will respond to a demand with a lower probability of dangerous failure than a standard implementation. The higher the SIL or performance-level capability of the controller, the lower the probability the system will fail to danger. While a safety system including safety I/O does have higher diagnostics coverage and fault detection than standard I/O to achieve a SIL or performance level, these capabilities are used internally to detect faults and shut down the device, rather than provide additional status information to the operator. Using safety I/O where it's not required will add unnecessary cost and not deliver the incremental capabilities you mentioned. If this interpretation of your question is accurate, your system already should provide good diagnostics to identify device faults on the standard side, depending on the system you specified. In this case, take full advantage of your integrated safety controller to implement safety where it's needed and standard control where it's not, and then optimize your design.

Tim Roback, marketing manager, safety systems,
Jeff Gellendin, product manager, safety PLCs,
Rockwell Automation (www.rockwellautomation.com)

It's All About the AS-Interface

Since you are designing to SIL 3, you already have identified the added benefit of getting some diagnostics information. The unfortunate fact is that you are paying for this by having to run many individual wires, resulting in a high level of complexity during the design-and-build phase, not to mention the increase in possible failures at all those connection points.

Safety networks can do much more than provide better diagnostics as can easily be seen in the case of AS-Interface Safety at Work. This technology has been designed to reduce the overall cost of ownership by addressing all aspects of the installation.

For instance, with AS-Interface Safety at Work, users do not need a safe-rated PLC, and yet they still get SIL 3. Additionally, if an installation is designed to be controlled by PLC A and later needs to be switched to PLC B, the only piece of hardware that is swapped out is a gateway. The safety function remains untouched and works exactly the same way as before; no changes to the safety configuration are needed.

Diagnostics is another strong aspect of this technology. By connecting the safe devices to the AS-Interface network, the PLC will receive data concerning the state of the individual contacts; working with aux-contacts is finally a thing of the past. Armed with this information, a programmer can finally create intelligent HMI screens that not only show which safety door has been opened, but also point out if a magnetic switch is welded or an e-stop has a sticky contact.

The cost of switching to AS-Interface Safety at Work technology is surprisingly low.

Helge Hornis, Ph.D, manager, intelligent systems,
Pepperl+Fuchs (www.pepperl-fuchs.com)