Many system designers are seeing safety networks for the first time, says Kevin Monnin, Consulting Applications Engineer, Motion Control Systems, Research & Development, Siemens Energy & Automation, Inc. “For a long time, NFPA 79 (electrical standard for industrial machinery) prohibited using devices other than relays, such as PLCs, for safety control, especially over a network. The original specification required the use of hard wiring,” says Carl Henning, Deputy Director, PTO, PROFIBUS and PROFINET, North America. The 2002 version of NFPA 79 added the allowance to use a software- or firmware-based controller for safety if the controller is approved for that purpose. The 2007 version removed the restriction that required the use of electromechanical contacts for the “final removal of power” when using safety-rated drives, says Monnin.
In traditional hardwired safety installations the state of the safe device is transmitted over two sets of wires so that the safety relay can compare two pieces of information. If there is a discrepancy, the safety interlock, or electromechanical switch, will change to the safe state by opening its normally closed (NC) electrical contacts upon switch activation.
In a safety network, the safety controller takes the place of the safety relay. The network relies on functions specified within the protocol that work with redundant hardware to ensure the integrity of transmitted data. “The primary benefit a safety network has over a relay-based approach is the interconnection of the distributed devices on the factory floor,” says Tim Parmer, Safety Business Development Manager, Integrated Safety, Siemens Energy & Automation, Inc. Its architecture is similar to that of a standard control network in that it uses a programmable logic controller (PLC) and a cable to transmit messages so that devices on the network can communicate with each other. However, unlike standard networks that are designed to tolerate a certain number of errors, a safety network monitors safety and non-safety devices, and if it detects corrupt data, it will react by executing pre-determined safe operations. This may include the safe and orderly shutdown of an entire production line, or a single safety zone to minimize the effect on production. The operation itself depends on the capabilities of the network, as well as the parameters set for the specific operation.
Safety networks have many benefits over traditional hardwired relays. They are easier to install, operate, and maintain and are more flexible than safety relays. “It is a very simple connection technology,” says Parmer. With safety networks, the wiring is similar to automation wiring in that all switches can be wired back to pairs of terminals. “When the wiring is complete, you have a consistent, repeatable wiring of switches,” says Parmer. The termination resistors are built into the connectors. When you require additional safety or non-safety devices on a network, you can simply run a line off of any point on the network and install the new device.

As requirements are becoming more complex, safety networks get the job done better, smarter, and faster because they reduce wiring, downtime, and cost, as well as add diagnostic and predictive maintenance capabilities.
Networks provide detailed diagnostic information in the event of an error or shutdown. Safety networks will indicate where, when, and why a problem occurred, whereas a basic relay only signals an on/off condition, so the operator must search for the machine that caused it. According to Dave Sullivan, Safety Products Manager, Rockwell Automation, “We have a tremendous level of error checking in our protocol to detect communication errors. When errors in the safety system do occur, this information can be displayed on an HMI, so an operator can view what has tripped or failed and where.” It is one of the benefits of the safety PLC and safety network, which reduces equipment downtime, he says. What’s more, every I/O module can send detailed data for each I/O point back to the CPU automatically. “These I/O modules are very intelligent and are the first line of defense in controlling the safety system. They are checking the wiring, the communication, and the switch transitions to make sure they travel together as they should,” says Sullivan.

Safety comes in many sizes. The ET200S F controller with snapped-on modular I/O makes a small standalone safety PLC.
Safety networks also keep production lines active when one machine in a cell of multiple machines must be taken offline for maintenance or setup purposes. For example, the other machines and the gantry loader can be safely directed not to work with a particular machine during the time that it is being serviced. “This was not impossible to do in the days of safety relays,” says Monnin, “but it was too complex to design a hardwired system to locate the devices that might need extra attention. It also required additional wiring and extra input monitoring on the PLC just for the safety monitoring,” he adds. Now, controllers in the machines, and possibly the master controller, can communicate over the network. They are knowledgeable about the environment.
The most recent advances involve the safe motion of safety rated drives, which came about because of a significant revision to NFPA 79 in October 2007. “Prior to that change, U.S. standards still required the use of electromechanical contacts for the final removal of power if the drive was safety-rated. If a safety event occurred, the only option was to remove the power from the drive,” says Parmer. “The revision allows the designer to make a more comprehensive response to a safety event,” he says. The safest option might be to direct the machine to go to a certain position or to make a change in torque. “You can take the drive into a safe stop and return it to operation without a wait for the drive to cycle back up. It is possible to diagnose the drive while it is running,” says Parmer. “You can see the status of the drive during the shutdown condition and determine whether it was involved.”

Most common safety protocols implement the “Single Channel Approach,” which lets you run your standard and safety network on the same wire. This requires the use of a standard PLC with integrated but logically separated safety processing.
The extended safety functions include a safe stop as well as a safe limited speed. With the machine operating at a reduced speed, the operator door can be opened for visualizing a part, looking at the actual process of manufacturing, or performing routine maintenance, such as cleaning out a critical area of the machine. Traditionally, if the operator entered such an area, the machine had to go to a hard stop. It would then go through another startup sequence, causing additional downtime. “Now, the operator can go into an access area and open a door, for example, and put the drive into a safe limited speed. The drive then monitors itself in a CAT 3 safety monitoring state, so that if anything happens to increase the speed while the door is open, the drive will shut down the motion.”
The automotive and robotics industries were among the first manufacturing industries to adopt safety networks. According to Monnin, “Industries that use complex machines and large production lines are likely to benefit from these newer technologies. Power train manufacturing operations of domestic car builders are actively pursuing them.” Other industries are also beginning to look at safety networks, he says. Mainly, it depends on production requirements and the number of machines. “The more complex and more distributed the machines, the more likely the manufacturer will benefit from a safety network,” says Parmer. However, in many cases, a safety relay is still the appropriate solution. “We see the entire spectrum of production requirements — from a high volume manufacturer to a local job shop. There is a different level of sophistication required depending on the application,” says Parmer.
Henning agrees: “It depends on the complexity of the system. If you are looking at a very simple machine that does not have a PLC, then hardwiring may be the sensible solution.” However, safety relays are available that have more capabilities than traditional types. Providers can drop in at many different points, from a single relay-type solution through more sophisticated relays and small standalone bus architectures, to networks that are fully integrated with the automation system. But Henning adds that as systems become more complex, and as the requirement for having many different types of safety inputs and outputs increases, it makes more sense to move to safety over a network.
“Still many designers think they have to use safety relays. We are trying to build this educational process, and it is much better than it was in the past,” says Monnin. “We want people to know that they have another option. Today, the conversation in the industry is changing from, ‘Can you use this technology?’ to ‘Why aren’t you using it?’ The benefits are tremendous.”
Siemens Energy & Automation, Inc.
www.siemens.com
PTO, PROFIBUS and PROFINET, North America
www.us.profibus.org
Rockwell Automation
www.rockwell.com
Run safety and standard control networks over one cable
Historically, users have installed a standard control network and a separate, specific network dedicated to transmitting safety messaging on the machine. According to Sullivan, over the last few years, the trend has been to consolidate the number of networks used in the transmission of information. Every network incurs costs for installation, training, and maintenance. Most of today’s standard safety protocols transmit safety messages using existing control network cables together with the standard messages. “You no longer have to run a separate network, trunk line, drop line, set of taps, or have double interfaces for your controller — one for the safety network and one for the standard network. You can use all of your devices on the same network,” says Dave VanGompel, Network Technologist, Networks, Rockwell Automation.
Wireless safety is in operation
The latest trend is moving safety over wireless. “We already have a number of wireless installations, such as in moving gantry applications,” says Carl Henning, Deputy Director, PTO, PROFIBUS and PROFINET, North America. You can take a standard wireless Ethernet connection point and run a safety protocol through it. For example, an operator can use an HMI for safety and stop functions. Parmer says that if you can run a wire to the device, then that is most likely the best option. With wireless, you run the risk of having a momentary drop in communication if the signal is interrupted. This drop in communication causes a timeout period where the system goes into a shutdown state. The operator must then reset it to put it back into operation. However, if it is an AGV, overhead gantry, or a moving cart on an amusement park ride, wireless gives you an additional way to stop that motion.
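The behaviour described here and in the main article, where corrupt data or a dropped link sends the system to a shutdown state that the operator must reset, can be sketched as a receiver that latches on the first bad or late frame. This is an added example, not code from the article or from any vendor: the frame layout, the CRC32 check, the sequence counter and the names `build_frame` and `SafetyReceiver` are assumptions and do not reproduce any real safety protocol.

```python
import struct
import zlib

FRAME_LEN = 6  # hypothetical layout: sequence (1) | input bits (1) | CRC32 (4)

def build_frame(seq, inputs):
    """Sender side: append a CRC32 over the sequence counter and the data."""
    body = struct.pack("BB", seq & 0xFF, inputs & 0xFF)
    return body + struct.pack(">I", zlib.crc32(body))

class SafetyReceiver:
    """Latches a safe state on corrupt, repeated or late frames."""
    def __init__(self, watchdog_s):
        self.watchdog_s = watchdog_s
        self.expected_seq = None  # unknown until the first valid frame
        self.last_rx = None       # time of the last accepted frame
        self.fault = None         # None = run permitted, else cause of the trip

    def _trip(self, reason):
        if self.fault is None:    # keep the first cause for diagnostics
            self.fault = reason   # implicitly returns None to the caller

    def poll(self, now):
        """Call cyclically: a silent link is treated like a bad frame."""
        if self.last_rx is not None and now - self.last_rx > self.watchdog_s:
            self._trip("timeout")
        return self.fault is None

    def receive(self, frame, now):
        """Return the input bits if the frame is accepted, else None."""
        if not self.poll(now):
            return None           # latched: even valid frames are ignored
        if len(frame) != FRAME_LEN:
            return self._trip("length")
        seq, inputs, crc = struct.unpack(">BBI", frame)
        if crc != zlib.crc32(frame[:2]):
            return self._trip("crc")
        if self.expected_seq is not None and seq != self.expected_seq:
            return self._trip("sequence")
        self.expected_seq = (seq + 1) & 0xFF
        self.last_rx = now
        return inputs

    def operator_reset(self, now):
        """Manual acknowledgement: clear the latch and resynchronise."""
        self.fault = None
        self.expected_seq = None
        self.last_rx = now
```

The recorded `fault` value is what a diagnostic display would show the operator as the cause of the trip.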