Machine safety is required, so how are builders and industry making it happen? Is it safe for you to stick your hand in there (Figure 1)? Getting started with integrated control and safety is a project-by-project decision.
Integrated control and safety is a suitable solution to just about any machine application from small, lean automation to a large multi-station assembly line, but are there areas where it really shines? And what is available to help simplify this integrated control and safety solution? Industrial automation suppliers have online information and a range of products to answer these questions. Let’s take a look at safety and more specifically at how integrated control and safety is being implemented.
"Safety is safety, regardless of how it is designed and wrapped into the machine or automated system," notes Alan Metelsky, chief controls engineer, new product development at The Gleason Works in Rockford, Illinois. "It is important to note that implementing integrated control and safety does not provide you with a more or less safe machine. The performance level (PL) or category does not change. You can achieve the same exact performance level while using a stand-alone safety relay or a stand-alone programmable safety controller or by implementing a safety PLC such as B&R Integrated Safety hardware into your application."
Just as with any application, each safety function on a machine has a required performance level based upon the risk assessment, continues Metelsky. "The same design practices remain in place for any safety control system—component selection, system architecture and conditions of use factor into achieving the level of reliability that a given safety function requires," he says.
Safety design is involved from the beginning of the project. "We ensure that safety is addressed from the proposal stage all the way through to startup, acceptance and training," comments Mike King, functional safety engineer, TÜV Rheinland, and director—automation, electrical, instrumentation, IT at The JDI Group in Maumee, Ohio. "Safety has to be part of the core design process from beginning to end. We always inquire as to where the client is within the machinery safety lifecycle, as defined by ISO 12100 or ANSI B11.0. If a risk assessment has already been done, we will review it with the end users. If not, we offer our services to help complete that, and Rockwell Automation's Safety Solutions are helpful, in that regard, from start to finish."
Sodecia GTAC, a Canadian full-service supplier of automotive chassis, powertrain and body assemblies, starts by assessing the overall I/O count estimation, functionality requirements such as e-stops, safety gates, human presence sensing and budget, explains Brent Lekx-Toniolo, controls concept developer at Sodecia in London, Ontario. "From there we can develop our concept and design direction," he continues. "We perform a risk assessment starting at the design phase of the machine. The assessment drives what safety integrity level (SIL), category (Cat) or performance level (PL) we'll be aiming for. In the case of Beckhoff TwinSafe, we generally have the ability to hit the desired level required, be it small, simple systems on to larger, more complicated systems."
The integrated option
Whether it's a simple machine or larger system, machine builders are finding integrated control and safety works with a wide range of machines (Figure 2). "Typically we use a safety processor for single and multi-station machines," notes Dean Colwell, controls engineering manager—assembly and welding automation at Fori Automation in Shelby Township, Michigan. "This approach allows for better machine diagnostics and fewer compromises and system capability. It's becoming increasingly rare for us to use safety relays in our designs."
There are few differences in design between small, medium and large systems for Fori, continues Colwell. "Typically single station machines will get an integrated safety PLC such as a Siemens Fail-Safe CPU or similar, the same as individual stations in an assembly line. In the case of an assembly line, there will typically be a cell controller—a supervising Fail-Safe CPU—to tie all the control and safety together. This includes safety coordination, such as safety hand-off where a rail-guided cart progresses through a series of automated stations. Our general approach is to integrate safety at the station level and scale up based on the scope of the project."
Colwell prefers integrated safety as it allows for a simpler distributed design approach. "This means that the safety devices and the input to the safety PLC reside in the same location making troubleshooting easier. Integrated systems allow for better defined and finer resolution in diagnostics messages."
Integrated control and safety has come a long way, and it has been a long road. "When safety technology was in its infancy, nearly all machine safety was handled by hardwired sensor and relay systems," comments Zachary Stank, product marketing specialist for safety at Phoenix Contact USA. "It wasn't until the mid-2000s, when safety standards were updated to include integrated safety control devices, that we started to see safety devices being designed and integrated into PLC systems. More recently, the influence of Industrial Internet of Things (IIoT) has really pushed the market toward integrated safety and control. The need for real-time diagnostics and data has moved integrated safety from widely accepted to a must-have on most control systems."
Size matters when integrated
A truly integrated safety system incorporates standard control, safety control and motion control into one controller, says Chris Brogli, safety business development manager at Rockwell Automation. "This type of integrated safety programmable automation controller (PAC) provides advanced control features, maximum flexibility and enhanced diagnostics, which help improve both safety and productivity," he says.
Other systems include semi-integrated or discrete control where a separate safety relay or safety controller is connected to the standard programmable logic controller (PLC) for basic diagnostic information on the state of the safety system. These types of systems provide diagnostic feedback but do not provide advanced functionality or enhanced flexibility, which is generally required for larger, more complex systems.
To determine which type of safety system is best for an application, Brogli suggests control designers follow the Machinery Safety Life Cycle (Figure 3), as defined by ISO 12100 or ANSI B11.0. The first two steps are critical for identifying the risks, mitigation techniques and functional requirements based on system complexity, size and operational characteristics.
Machines, safety and functional requirements vary widely. "Safety relays are appropriate for minimal zone control applications with local hardwired I/O," notes Brogli. "Programmable safety controllers are appropriate for more complex logic or when there is an existing standard machine controller and designers want to add safety. As complexity increases, a configurable safety relay or an integrated safety PAC will likely be more effective and beneficial. Many options exist."
Integrated control and safety for all?
Safety has to be designed in and not an afterthought, and safety solutions are never one-size-fits-all. "Sometimes a safety controller is overkill and not required," notes King at The JDI Group. "For small systems with one or two safety devices or stops, we will usually end up using a single safety relay, such as the A-B GSR or similar. For a mid-level system with several zones and devices, e-stops and light curtains, we may use a software-configurable safety relay, such as the A-B 440C-CR30 or similar. When the control system gets to be the size of a fully automated, multi-station system, we will typically use a safety PAC integrated approach (Figure 4)."
Typically, our customers understand the benefits of an integrated approach, notes Fori Automation's Colwell. "Where design requirements are specified, we find an integrated approach is now the norm," he says. "When not specified, we favor an integrated approach. We find that, although more expensive up front, the commissioning is simplified, resulting in a lower system cost."
The influence of IIoT has expanded the innovation and integration in safety technology, says Stank at Phoenix Contact. "Many manufacturers now offer configurable relay solutions, which are like scaled-down safety PLCs," he says. "Many of these configurable safety relay systems also have the ability to be easily networked, so they can provide safety status over an industrial protocol."
One product innovation that has emerged over the past few years is the networkable safety system. "These safety systems are very similar to configurable safety relays, with one major difference; they are integrated into the standard PLC I/O systems and run on the existing automation protocol," notes Stank.
"This allows for the simplicity in designing configurable safety logic, while being distributed within an automation network. Distributed safety logic allows for remote wiring of safety sensors, minimizing the wires that are run through large systems and allowing safety to be easily added to existing PLC installations."
Integrated control and safety at the edge
In the past, everything was hardwired to I/O blocks, contactors and drives that were mounted in remote cabinets. "These cabinets were placed in areas that had clusters of I/O devices and motors," says Rockwell’s Brogli. "This hardwired approach has changed over the years. Now, it is more common to use remote I/O blocks and motors and drives that are connected via Ethernet using quick-connect cables. This significantly reduces the need to fabricate panels, run conduits and mount hardware."
For example, Rockwell Automation offers an integrated safety PAC that can be mounted outside of a control panel and connected to on-machine I/O blocks, motors and drives to create a modular approach to machine design at the edge.
"Nowadays, fail-safe drives and motor starters can be direct-connected to the network," notes John D'Silva, safety technology manager at Siemens Industry. This often eliminates the need for safety outputs to be connected in the traditional way—hardwired to contactors, which require the use of force-guided, positive-opening contacts and monitoring of the contacts.
Networks can help companies to improve safety when they upgrade their facilities to speed up production. "An automotive manufacturer wanted to add safety to its widely used PLCs and improve diagnostics," notes D'Silva. "Using Siemens failsafe motor starters and connecting them to other systems via PROFINET, the manufacturer saved space and reduced diagnostic time. The failsafe motor starters are self-monitoring in compliance with SILCL 3/PL e and therefore do not need to be monitored in the feedback circuit of the upstream evaluation unit/control. This failsafe motor starter integrates failsafe control by accommodating one contactor for each switching direction, one overload relay and one contactor for redundancy."
When specifying a safety system in a new machine, the control designer has the freedom to specify the safety-related parts of the control system (SRP/CS) utilizing the latest technologies available, notes Nate Gose, safety solutions manager at Sick.
"For example, many safety component manufacturers offer safety laser scanners (PLd/Cat. 3), light curtains (PLe/Cat. 4) and interlock switches to execute risk reduction strategies," he says. "Furthermore, software-programmable safety controllers (PLe/Cat. 4) have become a very cost-effective way to handle the logic of the safety system, while remaining very scalable and flexible."
When specifying the output portion of the safety function in a new machine, the options for machine primary control elements (MPCEs) can be selected to not only handle the safety-related functions, but the non-safety-related functions, as well. A safety-rated variable frequency drive (VFD), typically PLe, Cat. 3, is a good example, notes Gose. It can provide safety-related functions such as safe torque off (STO), which can be utilized as part of the SRP/CS to meet the PLr. The VFD can also control the motion functions such as speed, position, direction and braking of a motor. Additionally, there are many other safety-rated MPCEs available that provide redundancy and monitoring of hydraulic and pneumatic systems to meet any PLr.
These safety-rated drives often cost more. If machine owners do not want to invest the money required to replace standard drives with safety drives, often safety contactors may be a lower-cost option, explains Gose. The control designer may still be able to utilize the electronic braking functionality of the existing standard drive, and, once the motion has stopped, redundant and monitored safety contactors could be considered the MPCE of the safety function.
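The output stage Gose describes, together with the feedback-circuit monitoring of force-guided contacts that D'Silva mentions, can be modelled as a small state machine. The following is an added illustration, not code from the article or from Sick, Siemens or any other vendor: a stop request lets the standard (non-safety) drive brake the motor electronically, and once standstill is detected two redundant safety contactors, named K1 and K2 here, open as the MPCE. Each contactor's NC mirror contact is compared with the commanded state, and a mismatch (a welded contactor in the example's fault injection) latches a fault and inhibits restart. The standstill threshold, brake timeout and ramp-down profile are constructed values.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUN = "run"            # motor energized, standard drive in control
    BRAKING = "braking"    # stop requested, drive ramping the motor down
    ISOLATED = "isolated"  # both safety contactors open, feedback verified
    FAULT = "fault"        # feedback disagrees with the command, restart inhibited


@dataclass
class Contactor:
    """Constructed model of a safety contactor with a force-guided NC mirror contact:
    the mirror contact can only close while the main contacts are open, so a welded
    main contact leaves it open and the fault is detectable."""
    name: str
    commanded_on: bool = True
    main_closed: bool = True
    welded: bool = False   # fault injection for this example only

    def command(self, on: bool) -> None:
        self.commanded_on = on
        if not self.welded:
            self.main_closed = on

    @property
    def mirror_closed(self) -> bool:
        return not self.main_closed

    def feedback_ok(self) -> bool:
        # the mirror contact must be closed exactly when the contactor is commanded off
        return self.mirror_closed == (not self.commanded_on)


@dataclass
class SafeStopFunction:
    standstill_rpm: float = 5.0    # constructed standstill threshold
    brake_timeout_s: float = 3.0   # constructed limit for the drive's ramp-down
    state: State = State.RUN
    elapsed_s: float = 0.0
    contactors: list = field(default_factory=lambda: [Contactor("K1"), Contactor("K2")])
    diagnostics: list = field(default_factory=list)

    def request_stop(self) -> None:
        if self.state is State.RUN:
            self.state = State.BRAKING
            self.elapsed_s = 0.0
            self.diagnostics.append("stop requested: drive braking electronically")

    def scan(self, dt_s: float, motor_rpm: float) -> State:
        """One cycle of the safety logic, given the measured motor speed."""
        if self.state is State.BRAKING:
            self.elapsed_s += dt_s
            if abs(motor_rpm) <= self.standstill_rpm:
                self._isolate("standstill reached")
            elif self.elapsed_s >= self.brake_timeout_s:
                # the standard drive is not part of the SRP/CS: if its braking
                # fails to reach standstill in time, isolate anyway
                self._isolate("brake timeout, drive did not reach standstill")
        elif self.state is State.ISOLATED:
            self._verify_feedback()   # keep checking while isolated
        return self.state

    def _isolate(self, reason: str) -> None:
        self.diagnostics.append(f"{reason}: opening K1 and K2")
        for k in self.contactors:
            k.command(False)
        self.state = State.ISOLATED
        self._verify_feedback()

    def _verify_feedback(self) -> None:
        for k in self.contactors:
            if not k.feedback_ok():
                self.state = State.FAULT
                self.diagnostics.append(f"{k.name} feedback mismatch: restart inhibited")

    def reset_and_restart(self) -> bool:
        """Re-energize only if every mirror contact confirms its contactor is open."""
        if self.state is not State.ISOLATED or not all(k.mirror_closed for k in self.contactors):
            return False
        for k in self.contactors:
            k.command(True)
        self.state = State.RUN
        self.diagnostics.append("restart: contactors energized")
        return True


def simulate(welded_contactor: str = "") -> SafeStopFunction:
    """Run a constructed stop sequence: 1500 rpm, ramping down 500 rpm per 0.5 s scan."""
    sf = SafeStopFunction()
    for k in sf.contactors:
        k.welded = (k.name == welded_contactor)
    sf.request_stop()
    rpm = 1500.0
    for _ in range(10):
        if sf.scan(0.5, rpm) is not State.BRAKING:
            break
        rpm = max(0.0, rpm - 500.0)
    return sf
```

Calling `simulate()` ends in the `ISOLATED` state after four scans and `reset_and_restart()` then succeeds; `simulate("K2")` ends in `FAULT` with a diagnostic naming K2, and restart is refused. The diagnostics list is the point of the model: because the stop logic knows why it isolated and which contactor disagreed, it can report that over the network instead of leaving a technician to trace a hardwired feedback loop.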
Bringing safety into the PLC
"Integrated safety is a means of bringing the safety application into the PLC application via software, eliminating the need for discrete I/O handshaking," notes Metelsky at Gleason. "The safety application software runs seamlessly with the PLC application software as one. All of the parameters, values and recipes are shared in a single application, increasing the flexibility of safety functions."
Implementing integrated safety can be justified in two different ways—enhancement and simplification. "The safety functions required by the risk assessment can be enhanced by leveraging advanced features like safe motion and process or condition-dependent variables," says Metelsky.
"While the functionality is advanced, the architecture and troubleshooting can be simplified. B&R's Integrated Safety, for example, can be used to reduce the number of stand-alone, independent devices on the machine, reduce the number of fieldbuses on the machine and eliminate the use of discrete wiring for PLC-to-safety handshaking. Integrating the safety application into the PLC control application enables the use of global software variables and multiple hardware configuration options within a single software project, something that would not be possible when using stand-alone safety devices."
Improving function and productivity
"Again, it is very important to note that integrated safety does not make the machine any more or less safe," notes Gleason's Metelsky. "The most exciting gains are made when the integration of safety and control allows for less obtrusive safety functions that do not interfere with the process or the operator. Nearly every plant has a machine where productivity or operability is severely restricted by the safety systems, and this is a recipe for the circumvention of safety systems that often leads to injury."
Discrete safety control is hampered by the very nature of being separate, continues Metelsky. "The safety logic often does not know what product is in the machine, what current speeds are, where machine axes are positioned or even who is operating the machine and what their level of access should be," he says. "The list goes on and on, and it is easy to see how integrating the safety control and regular machine control yields many new opportunities."
Getting better control of both safety and the machine is one of the opportunities. "Integrated safety systems have enhanced flexibility through advanced control that allows designers to use strategies such as safe speed and zone control to minimize machine downtime," comments Rockwell's Brogli.
"Zone control allows one area of a machine or production line to be serviced at a slower speed or stopped, while the rest of the operation continues as usual. Safe speed allows sanitation and maintenance technicians to perform regular cleaning, adjustments and minor servicing tasks on a machine while it is running at a safe speed. Both of these methods improve machine productivity, while also optimizing worker safety."
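The two strategies Brogli describes, zone control and safe speed, come down to per-zone logic that an integrated controller can run because it sees both the guard status and the drive speed. The block below is an added illustration, not code from the article or from Rockwell Automation: each zone carries its guard state and the speed reported by its drive; an accessed zone is limited to a safely-limited speed while the other zones keep their full requested speed, and if the measured speed of an accessed zone exceeds the limit, that zone alone is taken to safe torque off (STO) and held there until the guard is closed and a reset is issued. The zone names, the 150 rpm safe-speed ceiling and the speed values in `demo()` are constructed.

```python
from dataclasses import dataclass, field

SAFE_SPEED_RPM = 150.0   # constructed safely-limited-speed ceiling for an accessed zone


@dataclass
class Zone:
    name: str
    guard_open: bool = False    # interlock or light curtain reports access to this zone
    measured_rpm: float = 0.0   # speed fed back from the zone's drive
    sto_active: bool = False    # latched safe torque off after a speed violation


@dataclass
class ZoneController:
    zones: dict                 # zone name -> Zone
    diagnostics: list = field(default_factory=list)

    def speed_limit(self, zone: Zone, requested_rpm: float) -> float:
        """Speed the drive may be commanded for this zone: the full requested speed
        with the guard closed, the safe speed while the zone is accessed, and zero
        once STO has latched."""
        if zone.sto_active:
            return 0.0
        if zone.guard_open:
            return min(requested_rpm, SAFE_SPEED_RPM)
        return requested_rpm

    def scan(self, requested: dict) -> dict:
        """One cycle: monitor each accessed zone and return per-zone speed commands.
        Zones whose guards are closed keep running regardless of the others."""
        commands = {}
        for name, zone in self.zones.items():
            if zone.guard_open and not zone.sto_active and zone.measured_rpm > SAFE_SPEED_RPM:
                zone.sto_active = True
                self.diagnostics.append(
                    f"{name}: {zone.measured_rpm:.0f} rpm with guard open, STO latched")
            commands[name] = self.speed_limit(zone, requested.get(name, 0.0))
        return commands

    def reset(self, name: str) -> bool:
        """Clear a latched STO; refused while the zone is still being accessed."""
        zone = self.zones[name]
        if zone.guard_open:
            return False
        zone.sto_active = False
        self.diagnostics.append(f"{name}: STO reset")
        return True


def demo() -> list:
    """Constructed three-zone line: zone B is opened for cleaning while A and C run."""
    zc = ZoneController({n: Zone(n) for n in ("A", "B", "C")})
    requested = {"A": 1500.0, "B": 1500.0, "C": 1500.0}
    steps = []
    zc.zones["B"].guard_open = True
    steps.append(zc.scan(requested))        # B limited to the safe speed, A and C at 1500
    zc.zones["B"].measured_rpm = 400.0      # B's drive overshoots the limit
    steps.append(zc.scan(requested))        # B goes to STO, A and C unaffected
    zc.zones["B"].guard_open = False
    zc.zones["B"].measured_rpm = 0.0
    zc.reset("B")
    steps.append(zc.scan(requested))        # B back to full speed
    return steps
```

`demo()` returns the three command sets in order: B at 150 rpm with A and C untouched, then B at 0 after the overspeed, then all three at 1500 after the guard is closed and the reset accepted. A reset attempted while the guard is still open is refused, which is what keeps the STO from being cleared by whoever is inside the zone.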
"Safety technologies have evolved from solutions such as hard guarding, which prevents physical access, to solutions such as door switches, which detect access, to today's devices that control access, such as light curtains, area scanners and safety cameras," notes Brogli from Rockwell Automation. "These technologies used to be hardwired, but today they are connected over networks using advanced safety protocols like CIP Safety over Ethernet and DeviceNet or safety over wireless networks. This is continuing to change the way engineers design and implement safety solutions."
Many of the newer products available today have direct network connectivity, which eliminates the need for interfacing using hardwired I/O. "New drives and servos can be controlled by Ethernet without the need for hardwired signals to the safe torque off (STO) boards," says Brogli. "This is the same for some safety logic devices. For example, on-machine safety controllers can be mounted directly on the machine without the need for a control panel."
PROFIsafe has been one of the enabling technologies for many safety devices, especially drives with integrated safety on networks. "Nowadays, drives can provide safe states without de-energizing the motor," comments Siemens' D'Silva. "For example, the new safety feature, safe operating stop (SOS), holds the motor under closed-loop control in a certain position. This new possibility requires a paradigm shift for the user. In earlier times, pushing an emergency-stop button caused the power lines to be physically disconnected from the motor, and therefore there was no electrical danger for a person exchanging the motor."
Using a pneumatic manifold system with the ability to integrate safety functionality, such as the ASCO Zoned Safety Manifold, allows the user the flexibility to achieve functional safety per ISO 13849. "We would love to see other vendors come on board with integrated safety," notes Lekx-Toniolo at Sodecia GTAC.
"Pneumatic valve banks that can receive safety commands and feed back safety-related data are just one example. Many robotic OEMs now have integrated safety within their own systems, which offers functionality we simply did not have even just 4-5 years ago (Figure 5). However, some of the smaller component vendors have been slow to adopt integrated safety. This would seem to be the next logical step in creating more advanced, integrated safety systems."
Currently the big hole in product availability is combination or configurable on-machine safety I/O, says Fori's Colwell. "I've been given many reasons for it, but the solutions are generally not elegant," he continues. "I'd like to see I/O blocks that can be directly connected to remote e-stops, light curtains, safety mats and the like. This needs to be done universally, not for product- or vendor-specific devices—universal integrated control and safety at the edge. As a machine builder, we need to work with many different OEMs and related safety devices, but we struggle to find a universal approach to integrate them without using custom terminal boxes at the final point of connection."
The JDI Group has made use of the standard industry tools and the tools that some safety-device vendors have made available, and those continue to be useful, notes JDI’s King. "And the device integration has come a long way in recent years," he continues. "We would like to see a continuation of the trend to make it easier to monitor and integrate safety into the overall control design process. This in turn makes it easier for our customers to maintain and modify the integrated control and safety system as needs require."