Control Buses and Safety Networks Speed Up, but Remain Divided

Aug. 13, 2012
When Will the Data Share the Same Highway?
Here's another look back at content we've produced during these 15 years. First published here in May 2001, this article can serve to remind us how far we've come in our thinking about whether control and safety actually could, should or would share a network wire. Machine Builder Nation was just getting used to the idea of a programmable safety controller replacing hardware relay. A single network was still heresy for some folks.
About the Author
Joe Feeley is editor in chief for Control Design and Industrial Networking.

Exceptional machine safety performance results from paying close attention to potential outcomes. So this is something of a heads up about a new networking trend that may impact the way you think about machine safety system design.

Safety in automation is hardly a new concept. But safety issues formerly received less attention because they did not impact the overall ability of OEMs to sell their machines.

In the 1970s, industrial equipment users began moving from relays to solid-state devices. Relays always were susceptible to operator manipulation, but programmable solid-state equivalents were not. Early adopters included General Motors, which wanted an alternative to the hundreds of electromechanical relays in the control systems of stamping presses and assembly processes.

In the '90s, solid-state safety controls grew in popularity, particularly in Europe. That began to change things significantly with international approaches to machine safety, most notably by the western Europeans through the 1997 Machine Directive legislation on safety. The law requires specific safety measures on equipment that bears the CE mark. "The driving force as far as we were concerned in the U.K., and in Europe generally, was the need for free trade," says Brian Clark, a U.K.-based standards consultant for machinery control and electrical safety. "The directives set out safety requirements in general terms and, in many cases, they were absolute requirements," Clark says. "But the directors were quite clever, particularly in the machine directive, because it says the machine shall be safe. There's no such thing as a safe machine — there's always a hazard. But it says, in order to meet this requirement, you've got to use the latest advances available to improve safety as time goes on."

Clark's point: Just because a machine was safe in 1990, it might not be safe in 2000. Machine builders have to use the latest technology if it provides additional protection.

As some North American component vendors doing business with Europe found themselves having to comply with these regulations, so too did OEMs shipping machines to Europe. Machinery entering the U.S. from Europe demonstrated noticeable safety improvements that end users began to expect from their American OEMs. The movement had begun.
A European Bias

A recent Frost & Sullivan report details how the European market for machine guarding systems is approaching $400 million a year, double that of the North American market.

Some of this is due to the way components are defined, since some components are safety classified in Europe, but not in the U.S. In Europe, an e-stop has a very specific definition. It has to have a latching function, among other features. In the U.S., it can be either a latching function or just a regular pushbutton with a separate dropout relay.

There may be other reasons, too. "I would say Europe in general, and for sure Germany, France and the U.K., have a long-standing tradition and well-evolved safety culture," says Thomas Pilz, president, Pilz Automation Safety. "In Germany, there is a large set of standards and regulations for building safe machines. People are used to the idea that when you build the machine, you build the safety system, too."

Building the safety system first makes dollars-and-cents sense. "In fact, it's a very economic way to do it. It's a lot more expensive to retrofit a machine," says Derek Jones, manager, safety business development, EJA. "That thinking has been embedded in Europe."

Show Them the Money
The thinking about the relationship between the control system and safety has changed. "A few years ago, the machine control system was not considered to be safety-related," Clark says. "All it did was start and stop the machine. Quite often, the operator was in control of the hazard. If he ran a tool at too high a rate, he effectively generated his own hazard. And so all the safety measures were add-on." The prevailing assumption was that the safer the system, the less productive it must be. Companies felt that safety was a necessary expense that could not be recovered.

An oft-mentioned example involves safety gates that seal off dangerous operations from employees. Gates can take up to 10 seconds to open, 10 seconds to close. If this activity normally happens 100 times a shift, as operators move parts in and out, the productivity losses can be significant. The risk of a poorly trained employee overriding the gates also is a distinct possibility.

If these mechanical gates are replaced with electronic light curtains that stop the equipment when a beam is interrupted, downtime is reduced.

When the safety system and control system are conceived of as having complementary functions, productivity enhancements improve further. For example, a robotic welding cell with a perimeter guard shuts the entire operation down if an operator breaks the light curtain. If the control system knows what area the broken beam applies to, by use of safety controllers and intelligent devices, only the appropriate cell area will be safely shut down and the rest of the cell will operate unhindered.

The argument against the extra cost associated with advanced safety controls wilts against the evidence that machine uptime, reduced accident rates, and lower injury-related compensation costs improve overall economics. Companies are beginning to understand the relationship between investment costs to get an operation up and running and the benefits of a properly integrated control and safety system once manufacturing begins.

Lots of good things can happen. Over the lifecycle of the machine, users benefit from improved diagnostics, better communication of data, safer operation, and improved uptime. This includes controlling the operation under routine maintenance and repair conditions without entirely disabling an operation.

Real Safety Network Capabilities
There has been widespread adoption of machine safety components such as safety monitors, safety relays, safety interlock switches, and related devices by U.S. machine builders over the past few years. However, machine safety networks are not yet a reality in a true sense. Code is the reason. "Both U.S. (NFPA 79-1997) and European (IEC 60204-1) electrical codes require an electromechanical solution for level 0 or level 1 applications, where an emergency machine off or minimally controlled shutdown is required," says Larry Sunday, product marketing manager, machine safeguarding products, Schneider Electric/Square D. "Individual components such as safety relays and e-stop inputs (typically pushbuttons or cable pull switches), while hardwired together, do not constitute a network per se." Even when components are attached to a network, this capability today is used strictly as a monitoring or status reporting mechanism, he says. The actual interruption of the electrical circuit on the machine still needs to be carried out by a traditional, hardwired electromechanical device per NFPA 79-1997.

Figure 1: Standard and Fail-Safe Networking (Source: SafetyBus)

That said, U.S. and European standards committees are currently exploring proposals for closer harmonization between standards, which might facilitate acceptance of machine safety networks (Figure 1). The potential for savings in reduced wiring and component costs is the primary issue behind this effort, in addition to the desire for an easier way to monitor machine activities and failures. "Even if the current wording is approved, however, it will be late 2002 at the earliest before codes could take effect," Sunday says.

Many believe it will happen in their environment. "We're going to be into a safety network, I think that's going to happen," says Mike Miller, a design and engineering manager at Walt Disney World, where ride safety is as much a priority as we'll ever find. "I see it a number of years off. The technology will be there, but I think there's still going to be a lot of resistance." His sentiments may resonate well with OEMs with critical applications.

"I think we're in the start of an evolutionary process," says Derek Jones, EJA, a controls supplier and safety consultant. "It's relatively simple with complex technology to use monitoring methods that will detect a fault. The problem is that you detect a fault and switch your machine off." He points out it's not a good result to have a process that frequently, however safely, switches itself off.

"One of the major factors that sometimes gets forgotten is for a long time now we've stipulated hardwired, electromechanical, electromagnetic technology. Now, in terms of external disturbance, which is one of the factors that affects equipment, you need quite a high change in energy level to affect something like a relay or a switch. You need a far lower changing energy level for complex equipment, so it's not quite so simple."

Other distinctions may become harder to separate. "The trend now is that functionality between a control system and a safety system is really starting to blur," Miller says. "It's blurring to the point that the design through the risk assessment and hazard analysis allows the controls engineer a little bit more leverage. In many instances, the controller that is doing your control system functionality, i.e., starting and stopping, the safety system controller that is verifying the operation, and also the diagnostic system could very well be the same processor. But because of (standards-imposed) safety-related devices, force-guided relays, and loopback, the systems have taken on new complexity."

Clear Differences Remain
Standard PLCs are unsuitable for safety functionality because a single failure can cause them not to work as intended. European certification agency Technischer Überwachungsverein (TÜV) makes it clear PLCs are not designed for, and should not be used for, implementing an emergency stop system, nor to control a safety-critical process.

Figure 2: Safety System Confidence (Source: SafetyBus)

However, a few manufacturers now make special safety PLCs, designed and third-party approved for safety functions (Figure 2). These use two- or three-channel redundant and diverse architecture, different compilers and software libraries, different logic families on each channel, and so on. A diverse architecture helps to reduce common-mode failures due to systematic issues or component design flaws.

"Because of those features, our Safe PLC functions correctly even in the presence of a fault," says Thomas Pilz, president of Pilz Automation Safety, a strong supporter of the SafetyBus, one of the emerging CAN-based safety networks in Europe that is beginning to establish a presence in the U.S. "Our method for achieving diversity uses a different brand of standard, mature and proven microprocessor on each channel. All three processors must be in agreement or the system will effect a controlled shutdown."

Safety PLCs must include extensive internal cross-checking and self-monitoring, so that a fault can be normally detected before an accumulation of faults leads to a hazard.
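To make the cross-checking idea concrete, here is an added illustration (constructed for this article, not any vendor's or certification body's design) of a three-channel controller: each channel evaluates the same safety function in a different way, the results are compared every scan, and any disagreement or any demanded stop drives a controlled shutdown that stays latched until a manual reset. The input names, the unanimity rule and the manual-reset behaviour are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Inputs:
    estop_released: bool   # e-stop pushbutton not pressed (assumed input)
    curtain_clear: bool    # no light-curtain beam broken (assumed input)
    gate_closed: bool      # perimeter guard closed (assumed input)

# Three channels computing "motion permitted" with deliberately different code paths,
# standing in for the diverse compilers / libraries / processors the article describes.
def channel_a(i: Inputs) -> bool:
    return i.estop_released and i.curtain_clear and i.gate_closed

def channel_b(i: Inputs) -> bool:
    blocking = (not i.estop_released, not i.curtain_clear, not i.gate_closed)
    return not any(blocking)

def channel_c(i: Inputs) -> bool:
    return all((i.estop_released, i.curtain_clear, i.gate_closed))

class SafetyController:
    """Unanimity voter: all channels must agree, and agree on 'run', or we shut down."""

    def __init__(self) -> None:
        self.safe_state = False           # True once a controlled shutdown was commanded
        self.fault: Optional[str] = None  # diagnostic reason for the last shutdown

    def cycle(self, i: Inputs, injected: Optional[Tuple[int, bool]] = None) -> bool:
        """One scan. Returns True only if motion is permitted this scan.
        `injected=(channel_index, value)` simulates one channel returning a wrong result."""
        if self.safe_state:
            return False                  # latched: no automatic restart
        votes = [channel_a(i), channel_b(i), channel_c(i)]
        if injected is not None:
            votes[injected[0]] = injected[1]
        if len(set(votes)) != 1:          # cross-check: a single faulty channel is caught here
            self.safe_state = True
            self.fault = f"channel disagreement {votes}"
            return False
        if not votes[0]:                  # all channels demand a stop
            self.safe_state = True
            self.fault = "stop demanded by inputs"
            return False
        return True

    def reset(self, i: Inputs) -> bool:
        """Manual reset, accepted only while every channel sees a safe condition."""
        if channel_a(i) and channel_b(i) and channel_c(i):
            self.safe_state, self.fault = False, None
            return True
        return False
```

Note that `reset` refuses while any guard is still open, so clearing the fault never by itself restarts the machine.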

The use of safety PLCs is effectively restricted by some national regulations that still specify the use of hardware-based or even hardwired circuits for certain purposes. One example of a restriction is in U.S. standard ANSI/NFPA 79 for e-stops.

Pioneering OEMs
Finding a North American OEM that has moved confidently to safety networks isn't easy. TitanScan Technologies uses the SafetyBus for the sterilization systems it sells primarily to the medical device industry (Figure 3). The company moved away from hardwired safety controls to this serial communications protocol about two years ago.

Figure 3: OEM Evidence (Source: TitanScan)

"The SafetyBus meets all European safety applications from category 2 up to and including category 4 in accordance with EN 954-1," says Essie Ghaffary, senior controls engineer at TitanScan. "That was the main evidence we needed to be confident in this approach." Titan had previously used hardwired relays, with their inherently costlier and more time-consuming installation disadvantages.

The full TitanScan safety system consists of biological shielding (concrete or steel, iron, and lead) plus the supporting devices that monitor and control access, radiation levels, and ozone concentrations. It controls the operation of the equipment with conventional Allen-Bradley PLCs, remote I/O, and a variety of communications protocols including DeviceNet and DH+.

The company has seen no significant resistance to the use of a serial communications protocol for handling the safety system. "Our customers see the regulatory approvals and that is good enough for them," Ghaffary says.

One Wire Fits All?
Just as OEMs and system integrators have seen the benefits of replacing home-run wiring with buses and drops in their control network or safety network where possible, the next logical cost to question is why have two networks in the first place. If the issues regarding the hardwiring of e-stops and critical components are resolved, safety networks will gain substantial favor, probably very rapidly.

Safety and control integration provides the opportunity to consider using one network to handle both control and safety devices.

"Very few networks today completely use the number of nodes they can carry," Clark says. "So if you have a network that can handle 60 nodes and you have 15 safety-related, and another network with 20 non-safety related nodes, it's two underutilized networks."

If we start integrating control and safety today, systems will have a standalone safety PLC and a separate non-safety PLC. You'll still have to mount two separate boxes, two power supplies, two of everything. "Ultimately it will be a single rack with masters or controllers, safety-related in one slot and non-safety related in another slot," suggests Clark. "They will have a back link of communication to allow exchange of information, but will be integrated in a single system."

Miller believes the new processors are so powerful that, as technology progresses, we'll see that concentration. "Instead of multiple devices, it's going to be incorporated so that what we'll have is a rack and literally cards, and some cards will be safety-related, some cards will be control-related," he says.

Moving in the direction of a one-wire solution, the Open DeviceNet Vendor Assn. (ODVA) announced an initiative late last year to develop and promote DeviceNet Safety, an advanced safety network designed to meet the requirements of demanding machinery-shutdown applications.

"Traditionally, safety systems have relied on dated technologies like hardwired e-stops to provide protection for machine operators," says Dave VanGompel, a member of the ODVA Technical Review Board (TRB). "Although reliable, these systems have not kept pace with industry-wide developments over the years. As a result, they are expensive and difficult to implement and maintain."

Consisting of a safety protocol running on top of the traditional DeviceNet network, DeviceNet Safety would allow both standard and safety devices to operate on the same network. In addition, DeviceNet Safety will provide communication between safety nodes, including smart input/output and programmable logic controllers.

ODVA says the safety protocol will be media-independent. Although first implemented on DeviceNet, vendors and end users will be able to apply it to any network without regard to physical media.

The ODVA TRB submitted a DeviceNet Safety proposal to European certification agencies such as TÜV and Berufsgenossenschaftliches Institut für Arbeitssicherheit. Once feedback is received, ODVA will initiate a development effort to add the safety protocol to the existing DeviceNet specification.

Not everyone is willing to accept the inevitability of one-wire solutions. "The issue boils down to what you consider an acceptable response time," says Square D's Sunday. "The more traffic on a network, the greater the opportunity for variable response times. The expectation in North America is that hardwired safety products such as relays or e-stops must open an electrical circuit in less than 33 ms. While a slower response time might be all right for a conveyor, for example, it would be totally unacceptable for a potentially more dangerous or exacting environment, such as those involved in a machine tool or any spinning axis machine that must be enclosed."

He sees a modest middle-ground approach to one-wire, but still with segregated messaging. "Using a sensor bus to connect the machine control network to the machine safety system could be possible with some conductors dedicated to safety systems and some to machine control functions," Sunday says. "The seven-wire Seriplex sensor bus cable, for example, can provide five conductors for control messaging, leaving two conductors dedicated to a safety system."

Others simply think two wires is the best strategy. "Separate but equal networks talking to each other is best," says Pilz, realizing that Siemens and Rockwell Automation will push hard for a single-wire approach. "Both networks have clear responsibilities, but keeping them separate will mean simplified troubleshooting and reduced bus loads." His approach would eliminate unforeseen faults in standard nodes influencing the operation of fail-safe components.

Ghaffary sees no merging of the control system and safety system onto the same network backbone in the near future, although he has no major objections to the concept. "The programming for the SafetyBus is DOS-based and at present doesn't support the instruction sets for registers, files, etc., needed for standard PLCs," Ghaffary says. He says if the programming issues are resolved, he'd consider it. "I wonder why Allen-Bradley hasn't gone after this yet?"