Meeting the need for safety
A combination of redundancy, self-testing and approved software is enabling multi-channel PLC systems to meet safety requirements, says Stewart Robinson of Pilz Automation Technology
The use of fieldbus systems to replace conventional wiring in industrial control systems is growing. Decentralised control is now well established, affordable and reliable. Low implementation costs mean that fieldbus systems can give cost savings even in systems with relatively small I/O counts. However, the implementation cost is not the only consideration when deciding to decentralise; there are other benefits such as the flexibility and diagnostic capabilities that these systems provide.
There has also been a trend towards increasing complexity in the safety-related parts of plant and machinery control, partly due to an increased awareness of the need for safety and partly because newer regulations and standards have emphasised the 'integrity' required in safety-related controls - for example IEC 61508 and EN 954-1.
The need for 'integrity' in the safety-related part of a control system has meant that these circuits have usually been 'hard-wired', because conventional controllers do not have a clearly defined failure mode and therefore do not meet the level of integrity required for safety. The same is also true, of course, for conventional fieldbus systems.
The situation has now changed. For quite some time high-integrity, multiple-processor voting systems have been used in the process and petrochemical industries, for example. These systems are very expensive and require specialist skills to implement, which makes them unsuitable for small applications and for machinery safety. However, since the mid-1990s there have also been available multi-channel PLC systems that meet the requirements for safety by using a combination of redundancy, self-testing and approved software.
Some decentralised systems now have the level of integrity required to ensure safety, bringing the proven advantages of fieldbus to safety-related controls. There are a number of fieldbus systems in this category, some available, some still being developed, and there are a number of different approaches. In at least one case a 'bus' system has been developed as a small, dedicated system using a specially developed communication protocol based on a Time Triggered Protocol (TTP). This was developed and approved using the requirements detailed in the EN standard for AOPDs (Active Opto-Electronic Protective Devices), EN 61496-1. It appears to be simple to configure but has limited scope, and the dedicated controller only supports a very limited number of functions.
Enhanced fieldbus
Other systems include an existing fieldbus that has been developed to provide the required level of integrity so that non-safety-related and safety-related control can share the same network. These enhanced fieldbuses will typically build into the standard protocol, or profile, extra measures for error detection and reaction for the safety-related I/O modules, and will require a controller that is also approved for safety-related applications. None of these systems are currently available, but some are in the later stages of development.
Another approach has been to develop a fieldbus that is dedicated to safety-related control, but is a fully functional and open bus system. SafetyBUS p from Pilz Automation Technology is such a system and has been available, with certification, since 1999. Although a 'new' fieldbus, SafetyBUS p uses CAN (Controller Area Network) as its basis.
BOX: There has been a trend towards increasing the complexity in the safety-related parts of plant and machinery control, due to an increased awareness of the need for safety
The use of an existing fieldbus for safety (whether as an enhancement of an existing system or as the basis for a new bus) has meant that developers have needed to work on the assumption that existing systems do not have the level of integrity required for safety, and that communication errors cannot be excluded. Safety is therefore achieved by adding more error checking within the existing message frames, and by ensuring that all of the processing is carried out in 'safe' hardware, using verifiable means in firmware. The lack of a 'generic' standard for fieldbus has meant that developers have needed to look at other standards for help. Among these other standards are the recently completed IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic safety-related systems) and EN 954-1 (Safety of machinery: Safety-related parts of control systems - Part 1: General principle of design). Further guidance can also be found in prEN 50159 (Railway applications - Part 2: safety-related communication in open transmission systems).
Safe operation
Whatever the guidance, the most important requirement for safe operation is that any failure or error that could give rise to a reduction of safety is detected and managed with an appropriate reaction, before a hazardous situation can occur. Some work that has been carried out by the German organisation BIA (Berufsgenossenschaftliches Institut für Arbeitssicherheit) provides further guidance. The BIA is responsible for research and testing for the statutory accident insurance and prevention institutions in Germany. To address the lack of appropriate standards for safety-related machine communications, the BIA formed a safety fieldbus working group. The working group has adopted an approach in which the communication medium is viewed as being inherently unsafe, recommending safety procedures that can, nevertheless, ensure failsafe operation. To satisfy this last requirement, procedures are added to the communications protocol that are verified while the system is running (Table 1). To meet the BIA requirements, at least one measure must be implemented against each possible transmission error. Communication failures can then be detected and the safety system shut down in a safe and controlled manner.
The use of the BIA guidelines would theoretically mean that virtually any fieldbus system could be used for a safety-related application. However, CAN stands out as the most popular choice. CAN has been chosen because of its inherent robustness, its low cost and because it is already proven in some safety-critical areas (anti-lock braking systems, for example); it has also proved to be stable in noisy, hostile environments (such as within engine bays). CAN was developed for in-vehicle applications years ago and is a two-layer network covering the physical and data link layers of the ISO/OSI model. The measures for safety are implemented in the application layer. In the case of SafetyBUS p, these measures include the incorporation of a safety protocol within the CAN data field, and the use of the CAN arbitration field to provide appropriate prioritising of messages.
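The BIA approach described above (the bus treated as inherently unsafe, with runtime-verified procedures against each class of transmission error) and the idea of a safety protocol carried inside the CAN data field can be made concrete with a small model. The following Python is an added example, not Pilz code and not the published SafetyBUS p frame format: the 8-byte layout (sequence number, source and destination node, payload, CRC-16), the node numbers, the 50 ms timeout and the fault names are assumptions made for the illustration, and Table 1 is not reproduced here. The error classes it checks for (repetition, deletion, resequencing, corruption, delay and masquerade) follow the classification used in EN 50159, cited above. The receiver takes the fail-safe reaction the article calls for: on any detected fault it latches into the safe state, and a cyclic watchdog turns a silent bus into a fault as well.

```python
# Added example, not Pilz/SafetyBUS p code: a safety layer inside the
# 8-byte CAN data field plus a receiver that detects each transmission
# error class and drives the fail-safe reaction.
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed layout (an assumption, not the published SafetyBUS p format):
#   seq(1) | src(1) | dst(1) | payload(3) | crc16(2)  = 8 bytes
FRAME_FMT = ">BBB3sH"
CAN_DATA_LEN = 8
SEQ_MOD = 256


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); independent of CAN's own link CRC."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(seq: int, src: int, dst: int, payload: bytes) -> bytes:
    """Producer side: wrap 3 payload bytes with sequence number, addresses and CRC."""
    if len(payload) != 3:
        raise ValueError("payload must be exactly 3 bytes in this layout")
    head = struct.pack(">BBB3s", seq % SEQ_MOD, src, dst, payload)
    return head + struct.pack(">H", crc16_ccitt(head))


@dataclass
class Verdict:
    accepted: bool
    fault: Optional[str]
    payload: Optional[bytes]


class SafeReceiver:
    """Consumer end of one safety connection (from node `src` to node `me`)."""

    def __init__(self, src: int, me: int, timeout_s: float):
        self.src, self.me, self.timeout_s = src, me, timeout_s
        self.last_seq: Optional[int] = None
        self.last_time: Optional[float] = None
        self.safe_state = False  # latched: outputs held in the safe state until reset

    def _fail(self, fault: str) -> Verdict:
        self.safe_state = True
        return Verdict(False, fault, None)

    def receive(self, data: bytes, now: float) -> Verdict:
        if self.safe_state:
            return Verdict(False, "latched", None)
        if len(data) != CAN_DATA_LEN:
            return self._fail("corruption:length")
        seq, src, dst, payload, crc = struct.unpack(FRAME_FMT, data)
        if crc != crc16_ccitt(data[:6]):
            return self._fail("corruption:crc")
        if src != self.src or dst != self.me:
            return self._fail("masquerade:address")
        if self.last_time is not None and now - self.last_time > self.timeout_s:
            return self._fail("delay:timeout")
        if self.last_seq is not None:
            if seq == self.last_seq:
                return self._fail("repetition")
            gap = (seq - self.last_seq) % SEQ_MOD
            if gap != 1:
                # small forward jump = frames lost; anything else = out of order / inserted
                return self._fail("deletion" if gap < SEQ_MOD // 2 else "resequencing")
        self.last_seq, self.last_time = seq, now
        return Verdict(True, None, payload)

    def poll(self, now: float) -> Verdict:
        """Cyclic watchdog: silence beyond the timeout (e.g. a severed bus) is itself a fault."""
        if self.safe_state:
            return Verdict(False, "latched", None)
        if self.last_time is not None and now - self.last_time > self.timeout_s:
            return self._fail("delay:watchdog")
        return Verdict(True, None, None)


def run_scenario() -> Dict[str, Optional[str]]:
    """Constructed traffic from I/O node 0x21 to logic device 0x01: one fault per case."""
    def rx():
        return SafeReceiver(src=0x21, me=0x01, timeout_s=0.050)

    def frame(seq, src=0x21):
        return build_frame(seq, src, 0x01, b"\x01\x00\x00")

    cases = {
        "normal":       [(frame(0), 0.000), (frame(1), 0.010)],
        "repetition":   [(frame(0), 0.000), (frame(0), 0.010)],
        "deletion":     [(frame(0), 0.000), (frame(3), 0.010)],
        "resequencing": [(frame(5), 0.000), (frame(6), 0.010), (frame(4), 0.020)],
        "corruption":   [(frame(0), 0.000), (frame(1)[:3] + b"\xff" + frame(1)[4:], 0.010)],
        "delay":        [(frame(0), 0.000), (frame(1), 0.200)],
        "masquerade":   [(frame(0), 0.000), (frame(1, src=0x22), 0.010)],
    }
    results = {}
    for name, traffic in cases.items():
        r = rx()
        results[name] = [r.receive(d, t) for d, t in traffic][-1].fault
    r = rx()                         # bus goes silent after the first frame
    r.receive(frame(0), 0.000)
    results["bus_failure"] = r.poll(0.100).fault
    r = rx()                         # once latched, even a good frame is refused
    r.receive(frame(0), 0.000)
    r.receive(frame(0), 0.010)
    results["after_fault"] = r.receive(frame(1), 0.020).fault
    return results
```

Calling `run_scenario()` returns the fault detected in each constructed case (`None` for the normal exchange). The point of the design is the one the BIA working group makes: no single mechanism covers every error class, so the sequence number, addresses, CRC and timing check are each tied to a specific class, and the reaction to any of them is the same controlled transition to the safe state rather than an attempt to carry on.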
SafetyBUS p also makes use of hardware redundancy. A SafetyBUS p controller is a member of the Pilz range of programmable safety systems (PSS). These are triple-processor, diverse redundant systems where all three processors are used to manage the bus. Even 'simple' remote I/Os use dual redundancy, ensuring safe operation even in the event of complete bus failure.
BOX: PSS controllers are triple-processor, diverse redundant systems where all three processors are used to manage the bus
BOX: The Pilz PSS range of programmable safety systems includes small and compact systems as well as modular, expandable units
SafetyBUS p subscribers include Management Devices (MD), Logic Devices (LD) and Input/Output Devices (I/OD). SafetyBUS p is an open system. The SafetyBUS p Club International has members representing all areas of the controls industry, including users and safety equipment manufacturers (e.g. Daimler/Chrysler, VW, Festo, Sick, Lumiflex, Guardscan and Fortress Interlocks). Within the various activities of the club there is a group dealing with the integration of light curtains, and a group dealing with the integration of drives. Ready-made, approved chip sets are available to members to help with the integration of all types of equipment. For example, at the recent SPS/IPC/DRIVES exhibition in Nuremberg, there was a robot on display that incorporated a SafetyBUS p node for the control of all safety-related functions.
SafetyBUS p is one of a number of systems that are based on the principle that safety-related control should be separated from conventional control. This helps in a number of ways, not least of which is the validation that is required for the safety functions. IEC 61508-2 7.4.2.3 states: "Wherever practicable, the safety-related functions should be separated from the non-safety-related functions."
With SafetyBUS p, the entire bus configuration is carried out using the same software used for generating the application program. Decentralised I/O information is seen by its associated Logic Device as an extension of the I/O process image, the addressing of which includes the node address. This not only makes the configuration quick and straightforward but also means that there is complete compatibility with software modules that were developed for centralised systems, these modules having been independently approved for use in safety-related applications.
Network bridges
It is quite common to make use of a number of different fieldbuses in one application, with some 'bridges' between the various networks to enable the sharing of common data and diagnostic information. A typical example is a recently installed paper converting and packaging line for tissue products. Here the MMIs are Industrial PCs running Wonderware software, communicating with Rockwell ControlLogix PLCs on Ethernet. The PLCs are also communicating on ControlNet, which includes the remote I/O. There is also a DeviceNet network which links one of the ControlLogix PLCs to the various drives, and a SafetyBUS p network comprising 4 PSS 3100 systems. Each of these has some rack-mounted I/O, and a number of remote I/Os, all on the same network. The PSS 3100 systems also incorporate ControlNet to allow for the exchange of diagnostic data.
Safety-related fieldbus systems now make it possible to decentralise the safety control in many applications. The implementation of such systems can reduce wiring cost, reduce hardware cost, increase functionality and provide greater diagnostic capability. There is a choice between networks that incorporate safety-related and conventional control on one fieldbus, and the use of a separate network for safety. Mixed systems give potentially greater cost savings, but a dedicated system such as SafetyBUS p provides a clear distinction between safety-related and conventional control, without adding significantly to cost. This helps with the validation of the safety functions and also follows the guidance given in IEC 61508.