Until recently, machine and robot builder OEMs needed two automation systems. One of them controlled the machine or robot, while the second dealt specifically with machine safety. Typically, the machine safety system required a separate safety PLC and a dedicated hard-wired I/O network.
Dan Hebert was senior technical editor for Control, Control Design and Industrial Networking.
Separate hard-wired safety systems were required for a number of reasons. First, many suppliers simply charged too much for their safety controllers and I/O, restricting use to safety functions. Second, safety-rated versions of many digital communication networks were still in the regulatory approval stages. Third, many OEM customers were not quite ready for change in the sensitive area of safety.
All that changed in the past few years, and integrated safety is fast becoming a viable solution in many OEM applications. Today, you can put control and safety functions into the same automation system, and run machine and safety I/O signals over the same wired or wireless safety-rated network. The price difference between standard and safety-rated controllers has narrowed, meaning that it's often cost-effective to use one automation system for both control and safety, especially in systems with a high percentage of safety I/O compared with standard I/O. Of equal importance, OEM customer acceptance grows more widespread.
Integrated Safety I/O is Faster/Easier
Brent Lekx-Toniolo is the director of the Automation Division at Toniolo Research & Development, an automation and robotics systems integrator in Oxford Mills, Ontario. He has experience with old, separate safety systems and with new, integrated alternatives, and he prefers the new.
Toniolo built a control and safety system for a spot weld assembly cell with 11 robots. The safety system included emergency stops, access control to safeguarded spaces, robot-to-human interference detection (a combination of robot zone switches and light curtains), and general detection of operators entering work stations via light curtains.
"This was a very large safety implementation that included fail-safe over EtherCat (FSoE), 380 TwinSafe inputs, and 144 TwinSafe outputs across the welding system on 15 EtherCat I/O stations," Lekx-Toniolo explains. "On top of the significant safety requirements of the cell, the systems also needed to control more than 600 standard I/O points, 12 pneumatic manifolds and two servo drives, while interfacing with 11 robot controllers."
Distributed Safety Next?
The next step for some applications could well be distributed safety, with safety functions separated from the main controller via distributed safety components, but still tightly integrated to the main controller via a high-speed safety-rated network. A distributed safety component can perform safety functions independently of the main controller, continuing operation even if all communications with the main controller are lost. Some machines are built in modules, with each module performing a specific function. The builder mixes and matches modules to create the machine, with interconnections among modules typically via a digital network.
Lekx-Toniolo found, to his surprise, that Beckhoff Automation's TwinSafe system could perform both the control and safety functions, and it was faster than the old, dedicated safety system. "The typical deactivation time of a standard safety relay is 20 ms and most safety relay systems require cascading of safety relays to build safety logic," he notes. "Many older safety networks have system response times that exceed 120 ms, and frequently exceed 200 ms. Currently, the PLC task, the entire EtherCat network and all safety in the welding cell is updated every 20 ms, which is much faster than a traditional PLC and relay-based system."
Lekx-Toniolo had less than three months to design and develop all the software for the machine's control system. "Beckhoff's IEC 61131-compliant programming environment as well as TwinSafe/FSoE came together as an integrated package that helped reduce engineering and integration times," he says.
Having one common automation platform with one network that can handle standard and motion control as well as safety requirements is not only simpler, it also consumes much less cabinet space than more traditional designs that use safety relays or multiple control platforms.
"Benefits of the system included a reduction in wiring, complete modularity, and the ability to reuse system elements in the future with very little reengineering," Lekx-Toniolo explains. "The cabinet space was reduced to less than a quarter of that typically required for a weld cell of this size."
Because it's based on pre-programmed safety function blocks, a TwinSafe environment is easy to adopt, understand and use, Lekx-Toniolo says. "The performance of EtherCat and TwinSafe let us mount safety devices closer to the hazard, which in turn allows operators to be closer to the work piece, lowering overall machine cycle times."
Rod Brown, engineer at Kuka, says a single control system simplifies the job. Kuka used a Siemens Industry programmable safety controller in a robotic automobile body shop to control multiple doors, main control panels with auxiliary panels on the robots, roller tables and assorted remote devices. The Siemens controller acts as both the control processor for normal machine functions, and the safety processor to monitor and control all safety devices.
By working from one common programming environment, and using ladder logic for both process control and safety, Kuka substantially reduced its engineering efforts and increased flexibility. "We built the system in no time and commissioning was surprisingly easy," Brown says. "This approach saved us tens of thousands of dollars on the first installation alone."
Integrated Safety Upgrades
CAMotion, based in Atlanta, faced a safety problem that probably couldn't have been solved with separate safety systems. CAMotion builds X, Y, Z, Theta machines for all types of motion, including overhead gantries, with many applications in the printing industry.
In one overhead gantry system, CAMotion had to integrate control and safety functions because its overhead robot worked in the presence of human operators on the ground.
What is particularly interesting about the application is that the safety I/O communicates with the PLC control system over a wireless safety-rated network. The gantry I/O communicates to the PLC on the ground, entrusting the safety of the system to wireless.
Figure 1. A combination of an integrated and distributed automation system is used to provide control and safety for this robot weld assembly cell.
"We built a large-overhead-gantry-robot log-depalletizing system (Figure 2) that picks up heavy ‘logs' in the form of green strapped book pages on a pallet, and loads them onto a conveyor," says Steve Ross, control engineer at CAMotion. "The safety problem was that people could be in the area, which was not protected by safety barriers. The system had to use vision sensors mounted on the overhead gantry to detect the presence of people, and stop operations if anyone intruded."
People need to be in the area because, after the robot deposits a log onto the conveyor, operators have to remove a strap and end boards. The robot gantry actually operates in the presence of humans, who are free to move around. The safety system ensures that the robot and the humans never meet.
"Because the gantry is overhead and mobile, we had to use an integrated safety system with wireless transmission between the gantry I/O and the ground-based PLC," Ross adds. "We used a Siemens integrated safety PLC to control the robot and perform the safety functions, a single network for both control and safety I/O, and laser scanners mounted on the gantry to detect people, find the pallets, and help direct the robot to pick up the pallets and put them on conveyors."
Figure 2. This overhead gantry crane communicates wirelessly with the automation system on the ground, thus entrusting safety functions to a safety-rated wireless link.
One network and one PLC simplified the application, reduced the amount of wiring, and helped cut installation time by 30%, Ross says, adding that it enabled fast troubleshooting and diagnostics, allowing deployment in two days.
"We think it's critical that all robotic systems be able to accommodate a human working with the robot," Ross says. "This becomes increasingly important for cost-effective machines. The more closely a system allows humans and robots to work, the more productive it can be."
A video of the installation can be viewed at www.ControlDesign.com/CAMotion.
Integrated Safety Gets Around
Integrated safety applications are becoming more widespread, turning up in one industry after another. Diosna in Osnabrück, Germany, supplies a variety of custom-built machines to the food, pharmaceutical and chemical industries.
The company used a Rockwell Automation GuardLogix PAC to handle the batch control, process parameter control, and all of the automation needed for a compact granulator system for a tablet manufacturing plant in Puerto Rico. GuardLogix also handles the machine's safety infrastructure. Diosna likes the fact that a PAC can be used for both control and safety, particularly with respect to the programming environment.
"All of our machines are bespoke, custom-created to match the customer's application requirements," says Henning Falk, product manager at Diosna. "However, we can reuse blocks of code for standard operations, and we've found that program editing on the AB equipment has been nice and simple." Unlike older separate safety systems with their complex and specialized programming requirements, newer integrated safety systems feature programming methods and concepts similar to standard automation.
Amcor, a packaging manufacturer headquartered in Hawthorn, Australia, also used a GuardLogix integrated safety solution at its aluminum can production plant.
"Previously, standard controllers on the plant's 11 bodymaker and trimming machines were interlocked with a separate hard-wired safety control system," says Tim Roback, marketing manager for safety systems at Rockwell Automation. "Now, 11 individual integrated safety controllers provide control and safety functions — reducing costs for hardware, software, development and support."
John D'Silva, business development manager for integrated safety at Siemens Industry, describes an installation at an unnamed automotive production line: "The engineers looked for a platform that would be flexible, simple for their electricians to program and troubleshoot, and which would integrate readily on a fieldbus with third-party components such as robots and valve blocks," he explains. "Simatic Failsafe PLC technology with Profisafe was selected to allow standard and safety functions on one PLC for the price of standard technology. Where special knowledge used to be necessary for programming, standard control and safety functions can now be programmed by the same editor with fail-safe programming in ladder logic and error detection capabilities to achieve SIL 3, Cat. 4."
The question of implementing an integrated safety system is no longer a matter of the future, argues Dan Hornbeck, safety market development manager at Rockwell Automation. "The technology is in place today and is well accepted to allow for the easy integration of an integrated safety solution," he says. "An integrated system allows manufacturers and machine builders to reap a multitude of rewards, including simplified development, installation, diagnostics and maintenance."
Figure 3. This compact granulator system is comprised of a granulator, a mixer granulator and a fluid bed drier, with all automation provided by an integrated control and safety PLC.
The Impact of EN ISO 13849-1
The latest version of Machinery Directive EN 13849-1 has been with us since 2007. The standard introduced new criteria such as Diagnostic Coverage (DC) and Mean Time to Dangerous Failure (MTTFd), which need to be considered when designing a system.
The norm when a standard is rewritten is a two-year changeover period. This lets manufacturers modify their designs and documentation to align with new requirements. Using this rule, EN 954-1 should have been revoked and replaced by EN 13849-1 in late 2009.
"There were a few complaints made to the commission that two years didn't allow sufficient time for some manufacturers of components to provide the information and data needed to calculate failure rates, as required by the latest standard," says Kevin Ives, Pilz Automation Technology. "The commission agreed and therefore delayed revoking EN 954-1 until the end of 2011."
Because the newer standards better reflect state of the art in machine safety system design, Pilz recommends that machine builders adopt these standards sooner rather than wait until the end of the transition period. The new standard reflects the increased tendency to use electronic and programmable systems for safety rather than traditional electromechanical devices in use when EN 954-1 was published. In effect, the standard recognizes and accepts the trend toward integrated safety and away from separate safety relays.
EN ISO 13849-1 provides requirements for the design and integration of safety-related parts of control systems, including software. It has wide applicability because it applies to all technologies, including electrical, hydraulic, pneumatic and mechanical.
"We believe the new standard provides machinery designers and users with many advantages when assessing the reliability of safety systems," Ives states. "While there is an increased complexity in requirements to make design calculations, tools such as our PAScal Safety Calculator are available to calculate the required Performance Level (PL) and Safety Integrity Level (SIL). This software also evaluates safety system designs and generates the necessary documents to be included in the machine's technical file."
Advantages of Integrated Safety
1. One controller instead of two
2. One network instead of two
3. One programming environment instead of two
4. Lower cost in some applications
5. More compact
6. Fewer spares required
Integrated Safety Drawbacks
1. Customer may not accept concept
2. More expensive in some applications
3. May not be available from preferred supplier
4. Lower speed
5. Single point of failure in certain architectures