The Convergence of Safety and Non-Safety Increases Scalability and Flexibility
Integrating safety systems into a machine’s standard control platform simplifies operation, increases diagnostic capabilities and creates safer work environments
Whether combining AT and IT or IT and OT, the convergence of previously disparate technologies continues to be an important topic because of the benefits to engineers, OEMs and end users. However, the integration of safety with non-safety technology is another convergence that deserves serious consideration. As with IT and OT, the combination of safety and non-safety into one system enables increased flexibility and scalability, better data acquisition across systems and more opportunities for customization. Most importantly, it creates a safer work environment for operators and plant personnel by accommodating more safety technology in more places.
TwinSAFE programmable safety devices in an I/O form factor that are also integrated into the main machine control architecture make this convergence possible. These I/O terminals feature integrated safety logic and communicate with the PC-based machine controller, whether they connect through a shared backplane or Ethernet cable. EtherCAT industrial Ethernet technology creates other opportunities for technology convergence in safety systems, such as built-in diagnostics and support for multiple fieldbuses. This approach is certainly a departure from previous architectures, in which safety and non-safety systems purposely remained separate in silos. The converging technologies enable machines to maintain safety integrity level (SIL) standards while offering further customization benefits.
To understand how this convergence works and why it is advantageous, it is important to first carefully consider the different levels of safety technology. These range from basic safety with simple relays to stand-alone safety controllers and up to distributed I/O terminals with programmable safety logic.
1. Basic safety devices
The traditional basic safety approach keeps safety systems entirely separate from the machine control platform. These safety devices include relays and switches that simply cut power to machines or modules if triggered. Although they are relatively low cost and require no programming effort, they must be hardwired directly to each module and every other safety device to ensure the entire machine or line stops operation when one device is tripped. Installation and wiring of safety relays is time- and labor-intensive, especially on larger machines.
Safety relays and other basic devices are usually not configurable. Because they possess no network connectivity, they cannot communicate back to the PLC or provide performance data or diagnostics beyond what their LED lights show. This was the only industrial safety solution for many years and met the minimum requirements for protecting operators and equipment. However, in the age of the Smart Factory and Industrie 4.0, basic safety has not kept pace with industry advances. It is inefficient to implement because it requires greater commissioning efforts and ultimately provides low-tech safeguards for workers.
2. Stand-alone safety controllers
Stand-alone safety controllers are expandable and offer some programmable logic, but as a result, these systems require additional engineering efforts. This method supports the ability to network safety devices and provides greater diagnostics for troubleshooting, but it does not truly enable the convergence of safety and non-safety systems.
Like basic safety technology, safety controllers remain physically separate from the machine controller. Although both contain logic, the safety controller and PLC only support asynchronous communication, which means crucial data from the safety system are not available for analysis. In addition, the safety device uses different software than the machine control logic, and the required training and maintenance for multiple software packages slows commissioning and troubleshooting.
3. Integrated safety with programmable I/Os
Greater technology convergence is happening through integrated safety systems with programmable safe I/O terminals. The safety terminals are differentiated on the outside by their solid yellow exteriors, and on the inside, they possess redundant circuits and microcontrollers to maximize reliability and meet IEC 61508 and DIN EN ISO 13849-1 safety standards. These devices are installed directly into a standard I/O segment alongside non-safe terminals and can communicate over modern industrial Ethernet systems like EtherCAT. Integrated safety can extend beyond I/O terminals to implement safety logic in components in the field, such as servo drives and servomotors with built-in Safe Torque Off (STO) and Safe Stop 1 (SS1) functionality. In any case, this method uses the same engineering environment as the machine control and provides maximum flexibility for distributed safety networks.
Programmable I/O modules can also support single-channel safety. With the necessary firmware for safe communication protocols, these modules allow engineers to set acceptable condition parameters for many different applications, such as temperature monitoring, level sensing, speed testing and pressure monitoring. This capability provides advantages for engineers in process industries, among other fields. These safety terminals possess a single yellow stripe on their exteriors to differentiate the single-channel analog technology from standard digital safety terminals in an I/O segment. Most importantly, the specialized single-channel terminals enable the use of standard I/O for safety tasks.
Integrated safety is essential in today’s manufacturing environments with greater use of robotics, complex motion control equipment and autonomous vehicles. Modern plants require both simple safety devices, such as e-stop buttons, and more sophisticated light curtains, safety switching mats and two-handed controllers, among others. PC-based automation software with standard safety function blocks allows engineers to create the necessary programs to protect workers and equipment in these work environments. During operation, the PC-based machine controller and safety controllers are able to monitor each other.
Increased performance data and diagnostics capabilities are available as a result of this convergence, and unlike with stand-alone safety controllers, the information can be easily displayed on the HMI because the safety system is connected to the PLC. More programming is necessary than with basic safety, but integrated systems simplify commissioning. They eliminate the complications caused by multiple programming environments, additional networks and the necessity to hardwire each device to all others. For EtherCAT-based devices, communication takes place using the TÜV-certified Safety over EtherCAT (FSoE) protocol.
Secure communication of safety data
FSoE – sometimes called FailSafe over EtherCAT – transmits safety data over a plant's existing network via a "black channel." Within this channel, a Cyclic Redundancy Check (CRC) is appended to every two bytes of safety data so that corrupted safety data is detected and rejected regardless of the underlying transport. The functional principles of EtherCAT enable the transmission of safety and non-safety data without limitations on transfer speed and cycle time. Designed for high-speed communications, EtherCAT checks the safety devices in real time and immediately halts operation when tripped. In addition, built-in diagnostics help engineers troubleshoot physical issues, such as faults with cables, connectors or I/O terminals.
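The following is an added illustration, not code from the article or from Beckhoff, of the black-channel principle just described: the transport is treated as untrusted for integrity purposes, and each two-byte block of safety data carries its own CRC, so a receiver that cannot verify a block falls back to its safe state. It is deliberately not the real FSoE (ETG.5100) frame layout or polynomial; CRC-16/CCITT-FALSE is assumed only because it is a standard, well-known checksum, and folding a connection id and sequence number into each CRC is likewise an assumption, included to show how stale or misrouted frames are rejected alongside corrupted ones. One caveat a practitioner should keep in mind: a CRC detects accidental corruption, not deliberate modification by a party able to recompute it, which is why network segmentation and access control for the safety network remain necessary even with a certified safety protocol.

```python
import struct
from typing import Optional

# Constructed illustration of a black-channel safety frame. NOT the FSoE
# (ETG.5100) format; CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) and the
# conn_id/seq context folded into each CRC are assumptions for this example.

POLY = 0x1021


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(safe_data: bytes, conn_id: int, seq: int) -> bytes:
    """Sender side: 4-byte header (conn_id, seq), then 2-byte data blocks,
    each immediately followed by a CRC over block + conn_id + seq."""
    if len(safe_data) % 2:
        raise ValueError("safe data must be an even number of bytes")
    ctx = struct.pack("<HH", conn_id & 0xFFFF, seq & 0xFFFF)
    out = bytearray(ctx)
    for i in range(0, len(safe_data), 2):
        block = safe_data[i:i + 2]
        out += block + struct.pack("<H", crc16(block + ctx))
    return bytes(out)


def parse_frame(frame: bytes, expected_conn_id: int, expected_seq: int) -> Optional[bytes]:
    """Receiver side: return the safe data only if the header matches what
    this connection expects and every block's CRC verifies. Any failure
    returns None, which the caller must treat as a fault (safe state)."""
    if len(frame) < 4 or (len(frame) - 4) % 4:
        return None  # truncated or malformed: never partially trust it
    conn_id, seq = struct.unpack("<HH", frame[:4])
    if conn_id != expected_conn_id or seq != expected_seq:
        return None  # misrouted or stale/replayed frame
    ctx = frame[:4]
    data = bytearray()
    for i in range(4, len(frame), 4):
        block = frame[i:i + 2]
        (crc,) = struct.unpack("<H", frame[i + 2:i + 4])
        if crc16(block + ctx) != crc:
            return None  # corrupted block: reject the whole frame
        data += block
    return bytes(data)


def receiver_decision(frame: bytes, conn_id: int, seq: int) -> str:
    """Action a safety receiver takes: 'RUN' if the frame verified,
    otherwise 'SAFE_STATE' (outputs de-energized)."""
    return "RUN" if parse_frame(frame, conn_id, seq) is not None else "SAFE_STATE"


def flip_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate one corrupted bit on the wire (constructed fault injection)."""
    b = bytearray(frame)
    b[byte_index] ^= 1 << bit
    return bytes(b)


if __name__ == "__main__":
    # Constructed sample: two 16-bit words of safe inputs (e-stop released, guard closed).
    safe_inputs = struct.pack("<HH", 0x0001, 0x0001)
    good = build_frame(safe_inputs, conn_id=7, seq=3)
    print("intact   :", receiver_decision(good, 7, 3))
    print("bit flip :", receiver_decision(flip_bit(good, 4, 0), 7, 3))  # corrupted data byte
    print("replayed :", receiver_decision(good, 7, 4))                   # old sequence number
```

The receiver never acts on a partially verified frame: a single failed block discards everything, and the caller's only safe reaction to `None` is to drop to the safe state, which mirrors the "immediately halts operation when tripped" behaviour described above.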
Supported by the EtherCAT Technology Group, FSoE is fieldbus-neutral and works over 100 Mbit/s EtherCAT, but it can also integrate with many other industrial Ethernet networks or fieldbuses. If plants use DeviceNet, PROFIBUS, CANopen, EtherNet/IP and PROFINET networks, implementing integrated safety systems with FSoE simply requires the addition of appropriate EtherCAT I/Os and gateway devices.
FSoE is not only certified by TÜV; it also meets all requirements for IEC 61508 and DIN EN ISO 13849-1. These safety designations remain unchanged whether communication occurs via legacy fieldbus, industrial Ethernet or over wireless networks. In addition, FSoE and integrated safety I/O unlock possibilities for increased customization.
Converging technologies enable customization
A key benefit of integrated safety is the ability to customize and test how safety systems function through software. If a customer has a modular machine, the OEM or integrator can disable a certain module in software, rather than the traditional route of redesigning and reprogramming the machine’s safety system. The previous method involved changing I/O, re-engineering components or creating crude workarounds, such as “jogging” wires to bypass unnecessary parts of the safety system. With PC-based automation software, these adjustments can be made quickly by adding or removing modules or groups.
Despite these advantages, some companies have been slow to adopt integrated safety technology due to concerns about combining safety and non-safety on one platform. However, TwinSAFE integrated safety is reliable and preferable to basic safety devices and stand-alone safety controllers. If the safety PLC and machine controller are in the same environment, each knows what the other is doing at all times and they can communicate more effectively. With greater flexibility and faster installation, it is possible to design machines and plants to have more safety technology than ever before. As a result, implementing integrated safety with programmable I/O modules is by far the safest choice.
Are you ready to implement programmable safety to enhance your machine designs? Contact your local Beckhoff sales engineer today.
Sree Swarna Gutta is the I/O Product Manager for Beckhoff Automation LLC.
A version of this article previously appeared in Control Engineering.