Industrial Protocols Make Safety Work

By Kristin Lewotsky, Contributing Editor
04/15/2015

As a result of a combination of health and safety regulations, corporate branding, and demand to optimize performance, safety has become ubiquitous in the world of motion control. By leveraging specialized commands like Safe Speed, Safe Direction, and Safe Torque Off, drives and controllers manage and monitor other components on the system to prevent harm to workers and to optimize machine throughput. Safety-enabled components alone are not enough, however. To pass data and commands back and forth among devices with enough confidence to support high-risk environments, machines need a safety communications layer capable of operating with residual error on the order of 10^-9 to ensure that essential safety messages reach their targets. Strictly speaking, these protocols do not contribute directly to the functional safety of the machine, and yet without them, there is no way the machine could remain safe.

Safety technology started out as a method to prevent injury to workers. Hardwired emergency stops and relays coupled to physical guards were designed to interrupt machine operation when potentially hazardous behavior occurred; for example, when operators opened an enclosure to clear a jam from among moving parts. It’s an effective approach that is still in broad use today.

The devices are simple, economical, and easy to implement. That simplicity can also be a drawback, however. Each device can only monitor one activity or condition, and the information delivered is limited. A machine with 50 access doors would require 50 relays to enable a design that could monitor all doors. If an access panel on a 100-foot packaging line is left open, for example, a relay-based safety system can shut down the machine and send an alert to the HMI. What it can’t do, however, is pinpoint the location of the noncompliant door. Instead, operators need to inspect the machine part by part, potentially lengthening downtime and losing revenue.

Over the past decade, increasing levels of processing power and memory have led to the development of safety-enabled drives and controllers. Unlike relays, these components are built to handle large axis counts. More important, their intelligence and memory enables them to do much more than simply fulfill the crucial role of ensuring operator safety. They enable a range of operating modes that allow equipment to function at varying levels while preventing injury. The result is not just a safe machine but a more productive machine that logs less downtime and restarts more quickly after a fault. The system doesn’t just shut down the line when a door is opened, it identifies which door is opened and then leverages options like Safe Speed, Safe Direction, and Safe Position to keep the production line functioning at the highest level possible while protecting operators.

None of this would be possible without a robust, reliable communications layer. Let’s take a closer look at what’s involved in guaranteeing that 10^-9 residual error.

Networked communications
The Open Systems Interconnection (OSI) model divides the architecture of a communication system into seven layers (see figure 1). For purposes of this article, we are most interested in level 1 (the physical layer), level 2 (transmission of data between two nodes connected by the physical layer), and level 7 (the application layer, which defines the communications protocols and interface methods used to allow devices to communicate).

Table 1: The Open Systems Interconnection (OSI) seven-layer model stratifies the various tasks performed in a communication network, ranging from the physical layer (layer 1) to the application layer (layer 7).

There was a time controllers and components were linked by point-to-point connections. More sophisticated, high-axis-count systems required fieldbus networks as defined by the IEC 61508 standard. These buses enable one-to-many architectures. Common fieldbuses used in discrete industrial automation include CANopen, DeviceNet and PROFIBUS.

Over the last decade, industrial Ethernet has begun to supplant fieldbus with ever broader deployment. Although certain sensor-level applications still work best with fieldbus protocols, industrial Ethernet can be used to not only link components and modules together, but machines, shop floor to top floor, and even geographically separated factories. It enables higher speed transmission over longer distances. It simplifies linking multiple host systems.

There are challenges to applying the protocol in a discrete manufacturing environment, however. The transmission control protocol (TCP) used in Ethernet is packet based and non-deterministic. That makes it difficult to apply in an environment in which commands need to be prioritized. That has led to the development of industrial protocols tuned for the specific demands of the application. Some versions include EtherNet/IP, PROFINET and EtherCAT, among others.

Safe communications
Even the best safety-enabled device is useless if the various system components can’t communicate reliably with one another. The data needs to be protected against corruption, lost packets, etc. This is where safety protocols come into play. Their role is not to supply safety functionality but simply to make sure that status messages and communications arrive uncorrupted and without delay.

The Ethernet protocol establishes frames that each hold a packet of data augmented by header information (wrappers) indicating where and how each packet is to be routed. This takes place in the application layer (layer 7 of the OSI model). What is being transmitted (the application) is transparent to the protocol; it is only concerned with where that data needs to go.

To optimize transmission fidelity, safety protocols leverage the so-called ‘black-channel principle’, which is based on sending the safety data from device to device without any manipulation. This fits nicely with Ethernet and the seven-layer model. The safety data is treated as an application, encapsulated within the frame as it is routed through the network.

This is an important benefit, not just for data integrity but for how the system is built and operated. Ordinarily, if a networked machine had to meet Safety Integrity Level (SIL) 3, as defined by the IEC 61508 standard, not just the machine but also networking components like switches, routers, and backplanes would need to be SIL-3 certified. With a safety protocol that leverages the black-channel approach, only the input module, controller, and output module need SIL-3 certification. The rest of the network is treated as a black channel, so switches, routers, backplanes, and similar components do not need to be certified. They consume only a fraction of the overall error budget, loosening the design constraints on the rest of the system.
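The black-channel principle only works because the safety endpoints themselves detect everything the untrusted transport may do to a frame: corruption, loss, repetition and delay. The following Python is an added illustration, not code from the article or from any of the named protocols; its container layout (sequence counter, producer timestamp, length byte, CRC-32) and the faults injected by the simulated channel are constructed for this example.

```python
import struct
import zlib

# Constructed safety-container layout: seq (u32), producer timestamp in ms (u32),
# payload length (u8), payload bytes, then CRC-32 over everything before it.
HDR = ">IIB"
HDR_LEN = struct.calcsize(HDR)

def build_pdu(seq, ts_ms, payload):
    body = struct.pack(HDR, seq, ts_ms, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))

class SafetyConsumer:
    """Consumer-side checks that the black channel itself does not provide."""
    def __init__(self, watchdog_ms):
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 0

    def accept(self, pdu, now_ms):
        # A real consumer drops into its safe state on any reject; this demo
        # keeps running and resynchronises so that every check is exercised.
        if len(pdu) < HDR_LEN + 4:
            return "reject:truncated"
        body, crc = pdu[:-4], struct.unpack(">I", pdu[-4:])[0]
        if zlib.crc32(body) != crc:
            return "reject:crc"        # corrupted somewhere in the channel
        seq, ts, n = struct.unpack(HDR, body[:HDR_LEN])
        if n != len(body) - HDR_LEN:
            return "reject:length"
        if seq < self.expected_seq:
            return "reject:repeat"     # duplicated or replayed frame
        if seq > self.expected_seq:
            self.expected_seq = seq + 1
            return "reject:loss"       # gap in the counter: frame(s) missing
        if now_ms - ts > self.watchdog_ms:
            return "reject:late"       # watchdog expired: stale safety data
        self.expected_seq = seq + 1
        return "ok"

def black_channel(frames):
    """Untrusted transport with constructed faults: corrupt frame 2, drop 4,
    duplicate 5, delay 6 by 100 ms. Returns (pdu, arrival_ms) pairs."""
    out = []
    for i, (pdu, sent_ms) in enumerate(frames):
        if i == 2:   # flip one payload bit
            pdu = pdu[:HDR_LEN] + bytes([pdu[HDR_LEN] ^ 1]) + pdu[HDR_LEN + 1:]
        if i == 4:   # lost in transit
            continue
        out.append((pdu, sent_ms + 5 + (100 if i == 6 else 0)))
        if i == 5:   # network delivers it twice
            out.append((pdu, sent_ms + 6))
    return out

def run_demo():
    frames = [(build_pdu(i, i * 10, bytes([0x80 | i])), i * 10) for i in range(7)]
    consumer = SafetyConsumer(watchdog_ms=50)
    return [consumer.accept(pdu, now) for pdu, now in black_channel(frames)]
```

Each rejected frame is caught by the endpoint logic alone, which is why the switches and cabling in between need no safety certification.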

Safety enabled drives and controllers have introduced new degrees of freedom in machine operation, allowing manufacturers to protect operators while speeding operations, cleaning, maintenance and recovery from faults. It’s not enough to choose ideal components, however. They need to be integrated with the proper safety protocols. Just as multiple fieldbus/industrial Ethernet options have developed over time, so have corresponding safety protocols (see table 2). Each has developed an ecosystem, allowing users to choose the solution most closely aligned with their applications and priorities.


Name | Organization | Website | Compatible with
--- | --- | --- | ---
openSafety | Ethernet POWERLINK Standardization Group | www.open-safety.org/ | PROFINET, SERCOS III, EtherNet/IP, Modbus-TCP, POWERLINK
PROFIsafe | PROFIBUS and PROFINET International (PI) | www.profibus.com | PROFIBUS & PROFINET
CIP Safety | ODVA | www.odva.org | DeviceNet, EtherNet/IP, SERCOS III
Safety over EtherCAT | The EtherCAT Technology Group | www.ethercat.org | EtherCAT

Table 2: A variety of safety protocols have been developed for use with the different flavors of industrial Ethernet.


Acknowledgments
The following individuals contributed background information to this article: Tom Moore, IHS; Eric Scott, Molex Canada Ltd.; Katherine Voss, ODVA; Bruce Brown, Bob Hirschinger, and Paul Kucharski, Rockwell Automation.