Safety in Automation
Any active industrial process carries, to a greater or lesser degree, the risk
- of injuring or killing people,
- of destroying nature,
- of damaging investments.
With most processes this risk can be kept acceptably low without imposing special requirements on the automation system. However, there are typical applications associated with high risk, e.g. presses, saws, tooling machines, robots, conveying and packing systems, chemical processes, high pressure operations, off-shore technology, fire and gas sensing, burners, cable cars, etc. These applications need special care and technology.
Over time the market balances out the reliability and availability of standard automation technology to a certain economic cost level. That means the failure or error rate of standard automation technology under normal circumstances is just acceptable for normal operations but not sufficient for the above-mentioned high-risk applications.
The situation may be compared with a public mail system. While normal letter delivery is expected to be as affordable as possible at a certain reliability level, everybody will use special mail for important messages.
In the past, micro-controllers, software, personal computers and communication networks dramatically influenced standard automation technology, leading to cost reduction, increased flexibility and higher availability. With respect to safety, however, the existing standards and regulations prohibited any use of those technologies. Safety automation had to be "hard-wired" and based on "relay" technology. See Figure 1.
This dichotomy or gap is quite natural, since safety relies on trusted technology and material. Trust, in turn, is based on experience, and experience on time. But adding "classic" safety to modern automation solutions always leads to disappointing results: additional cost for wiring and engineering, less flexibility and availability than expected, and other disadvantages such as undefined stop positions of machines and tedious efforts to resume operation.
This situation has now changed dramatically. Micro-controllers and software have been proven in use in millions of applications, and the preconditions for their use in safety applications have been in place since the introduction of the international standard IEC 61508.
The error detection mechanisms of many types of digital communication systems have been investigated and are well understood. Standards like IEC 62280-1 have paved the way.
That's why PI has developed the PROFIsafe technology as an additional layer on top of the existing PROFIBUS and PROFINET protocols. It reduces the error probability of the data transmission between an F-Host (safety controller) and an F-Device to the level required by or better than the relevant standards.
PROFIsafe can be realized in software only, which makes it easy to implement while covering the entire spectrum of safety applications utilizing PROFIBUS and PROFINET in process and factory automation. It is even approved for wireless transmission channels such as WLAN and Bluetooth. With the help of certain security provisions it can be used on open Industrial Ethernet backbones.
It covers the need for high availability and low power consumption in process automation as well as the demand for short reaction times within milliseconds in factory automation.
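The three paragraphs above describe PROFIsafe as a layer that treats the transport beneath it as an untrusted "black channel" and brings the residual error probability of the host/device exchange down to the required level, in software only and within a reaction time of milliseconds. The following Python model is an added example, not code from PI or from the PROFIsafe specification: it shows the shape of such a layer (source/destination pair, consecutive number and CRC on every frame, a watchdog on the receiving side, substitute values on any failure) and drives it through the classic channel faults (corruption, repetition, masquerade, delay). The field layout, the use of zlib's CRC-32, the addresses, the watchdog time and the constructed traffic are all assumptions made for this example; they are not the PROFIsafe frame format or CRC polynomial.

```python
"""Added illustration of a safety layer over an untrusted ("black") channel.
Field layout, CRC (zlib CRC-32), addresses and watchdog time are assumptions for
this example, NOT the PROFIsafe specification's frame format or CRC polynomial."""
import struct
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SAFE_STATE = b"\x00\x00"    # assumed substitute values: all outputs de-energised
HDR = ">HHI"                # assumed header: src address, dst address, consecutive number
HDR_LEN = struct.calcsize(HDR)


@dataclass
class SafetyPDU:
    src: int
    dst: int
    seq: int
    payload: bytes

    def encode(self) -> bytes:
        body = struct.pack(HDR, self.src, self.dst, self.seq) + self.payload
        # The CRC covers addresses and consecutive number, so a misdirected or
        # replayed frame is rejected by the same check as a corrupted one.
        return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    @classmethod
    def decode(cls, raw: bytes) -> Optional["SafetyPDU"]:
        if len(raw) < HDR_LEN + 4:
            return None
        body, (crc,) = raw[:-4], struct.unpack(">I", raw[-4:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return None
        src, dst, seq = struct.unpack(HDR, body[:HDR_LEN])
        return cls(src, dst, seq, body[HDR_LEN:])


class FDevice:
    """Safety device: answers only well-formed requests addressed to it whose
    consecutive number is strictly greater than the last one accepted."""

    def __init__(self, addr: int, host_addr: int):
        self.addr, self.host_addr, self.last_seq = addr, host_addr, 0

    def handle(self, raw: bytes, inputs: bytes) -> Optional[bytes]:
        pdu = SafetyPDU.decode(raw)
        if pdu is None or (pdu.src, pdu.dst) != (self.host_addr, self.addr):
            return None                     # corrupted or not for us: no reply
        if pdu.seq <= self.last_seq:
            return None                     # repeated or out-of-date request
        self.last_seq = pdu.seq
        return SafetyPDU(self.addr, self.host_addr, pdu.seq, inputs).encode()


class FHost:
    """Safety controller: one request per cycle; the reply must echo the request's
    consecutive number and arrive within the watchdog time."""

    def __init__(self, addr: int, dev_addr: int, watchdog_ms: int):
        self.addr, self.dev_addr, self.watchdog_ms = addr, dev_addr, watchdog_ms
        self.seq, self.sent_ms, self.inputs = 0, 0, SAFE_STATE

    def request(self, outputs: bytes, now_ms: int) -> bytes:
        self.seq += 1
        self.sent_ms = now_ms
        return SafetyPDU(self.addr, self.dev_addr, self.seq, outputs).encode()

    def response(self, raw: Optional[bytes], now_ms: int) -> Tuple[str, bytes]:
        """Return (verdict, input values the host may act on)."""
        pdu = SafetyPDU.decode(raw) if raw is not None else None
        if now_ms - self.sent_ms > self.watchdog_ms:
            verdict = "timeout"             # lost, or delayed beyond the watchdog
        elif pdu is None:
            verdict = "crc"                 # corrupted, truncated or inserted garbage
        elif (pdu.src, pdu.dst) != (self.dev_addr, self.addr):
            verdict = "address"             # masquerade or misrouted frame
        elif pdu.seq != self.seq:
            verdict = "sequence"            # repeated, reordered or stale reply
        else:
            self.inputs = pdu.payload
            return "ok", pdu.payload
        self.inputs = SAFE_STATE            # every failure ends in the safe state
        return verdict, SAFE_STATE


def run_scenarios(watchdog_ms: int = 100) -> Dict[str, Tuple[str, bytes]]:
    """Drive one host/device pair through a good cycle, four channel faults and a
    recovery. Traffic is constructed; the device reports the constructed value 0x1234."""
    host, dev = FHost(0x0A, 0x0B, watchdog_ms), FDevice(0x0B, 0x0A)
    inputs, results, t = b"\x12\x34", {}, 0

    def cycle(name: str, channel: Callable[[bytes], bytes], delay_ms: int = 10) -> bytes:
        nonlocal t
        genuine = dev.handle(host.request(b"\x01\x00", t), inputs)
        results[name] = host.response(channel(genuine), t + delay_ms)
        t += delay_ms + 10
        return genuine

    first = cycle("good", lambda r: r)
    cycle("corrupted", lambda r: r[:HDR_LEN] + bytes([r[HDR_LEN] ^ 0x40]) + r[HDR_LEN + 1:])
    cycle("replayed", lambda r: first)                        # old good reply repeated
    cycle("masquerade", lambda r: SafetyPDU(0x0C, 0x0A, host.seq, b"\x99\x99").encode())
    cycle("delayed", lambda r: r, delay_ms=watchdog_ms + 50)  # genuine, but too late
    cycle("recovered", lambda r: r)
    return results


if __name__ == "__main__":
    for name, (verdict, value) in run_scenarios().items():
        print(f"{name:10s} -> {verdict:8s} inputs={value.hex()}")
```

Two things this toy deliberately simplifies: the verdicts are ordered so that a late frame counts as a timeout even if it is otherwise valid, because for a safety function "too late" is as bad as "wrong"; and the host leaves the safe state again on the next good cycle, whereas a real safety system requires an explicit operator acknowledgment before resuming after a communication error.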
Modern F-Devices such as laser scanners or drives with integrated safety now can flourish as needed. The handling of their individual safety parameters (iParameters) is made easy due to sophisticated system support. This system support comprises interfaces for F-Device tools within engineering frameworks (for example the Tool Calling Interface) and iParameter storage and retrieval options (iPar-Server). It is important to note that the tool interfaces and the iPar-Server feature can also be used by any non-safety device.
The IEC 61508 standard defines special requirements such as increased electromagnetic immunity without specifying the details. A supplemental guideline "PROFIsafe Environment" fills this gap and others for the development and deployment of F-Devices and F-Hosts.
There is common agreement within PI that only F-Devices and F-Hosts certified according to IEC 61508 are permitted in PROFIBUS and PROFINET networks. Conformity with the PROFIsafe protocol shall be tested by PI test laboratories and certified by the PNO office. A supplemental document "PROFIsafe Test Specification" defines the roles and tasks of assessment bodies such as TÜV and the roles and tasks of PI test laboratories.
In most countries, national laws regulate how people and the environment shall be protected. In Europe, the "Low Voltage Directive", the "EMC Directive", and the "Machinery Directive" are examples of such legislation. The laws in turn refer to International Standards.
In Figure 2 you will find a selection of IEC and ISO standards dealing with safety and fieldbus issues and how they are related.
The basic standard for functional safety is IEC 61508, covering the functional safety of electrical equipment and the basic principles and procedures. It introduces a quantitative approach for calculating the residual probability of so-called safety functions to fail (Safety Integrity Levels - SIL). It is mainly useful for F-Device and F-Host developers.
The sector standard IEC 62061 describes the specific safety aspects for machinery applications such as those found in factory automation. This standard deals with ready-to-use systems, subsystems, and elements and how to assess safety functions for certain combinations of these. ISO 13849-1 is the successor of EN 954-1 and has a similar scope. However, it introduces a slightly different calculation model (Performance Levels - PL) and covers non-electrical devices such as hydraulic valves, etc.
For machine safety, the basic terminology and methodology used are defined in ISO 12100-1. ISO 14121 provides the principles of risk assessment. IEC 60204-1 specifies general requirements and recommendations relating to the electrical equipment of machines. Some of the issues are power supply, protection against electric shock, emergency stops, conductors and cables, etc. Product standards such as IEC 61496, IEC 61800-5-2, and IEC 61131-6, for example, deal with the requirements for individual device families.
The annex of the European "Machinery Directive" lists the machines and parts which legally require certification by a "Notified Body" (BIA, TÜV, FM (Factory Mutual), etc.). If there is a harmonized corresponding product standard (for example, IEC 61496), a declaration by the manufacturer is sufficient.
The requirements for F-Devices and F-Hosts to provide increased electromagnetic immunity are defined in IEC 61326-3-1. Special functional safety (FS) performance criteria permit incorrect functioning under electromagnetic interference levels above those normally required, provided that the equipment under test (EUT) at least goes into a safe state in these cases.
The fieldbus standards are specified in IEC 61158 and IEC 61784-1. Realtime Ethernet variants such as PROFINET IO are defined in IEC 61784-2. Common parts for installation guidelines are summed up in IEC 61918, whereas profile-specific parts are collected in IEC 61784-5. Common parts for security guidelines are summed up in IEC 62443, whereas profile-specific parts are collected in IEC 61784-4.
In Figure 3 you will find a similar selection of IEC and ISO standards adapted to the requirements of process automation. Here, the sector standard IEC 61511 considers the particular situation in this area: long term experience ("proven-in-use") with very sensitive process instrumentation and a specified electromagnetic environment. Accordingly, IEC 61326-3-2 takes these EMC requirements into account.