Do You Really Need that Separate Safety Network?

Why install the latest generation of safety networks? Most people would put the money saved on less wiring at the top of their list of answers.

But not Kevin Zeinemann, electrical engineering manager at Curt G. Joa Inc., in Sheboygan Falls, Wis. Instead, he ranks flexibility as the most important attribute of this generation of open networks that can accommodate signals from safety devices, in addition to the other data flowing within them.

His reason for ranking the benefits differently is that his employer is a privately held builder of custom machines that produce diapers and other kinds of disposable, absorbent pads made from laminated webs. These complex, 150-foot-long machines laminate together as many as nine webs of material.

Because many of Joa’s customers operate in fiercely competitive consumer markets, they are eager to incorporate the latest cost-saving technology, and to produce the latest features that are currently popular with consumers. Consequently, it is not unusual for their requirements for machines to change three and four times in the design phase alone. “It’s hard for us to lock down a design because our machines and processes are changing up to the minute they leave the building,” explains Zeinemann.

And the changes don’t stop at delivery. Customers continually update their machines in the field to cater to evolving consumer tastes or to introduce new cost-saving technologies as they become available. A diaper manufacturer, for example, may need to change graphics frequently, perhaps from Elmo to Bugs Bunny to another on a weekly basis. “It may be as simple as changing the materials,” says Zeinemann. “Or it may be as complex as pulling 40 feet out of the machine and putting in another 40 feet.”

To generate the necessary flexibility, Joa has adopted a modular approach. It builds its machines from a toolbox of predesigned and proven hardware and software components. Each machine, moreover, is made in 10-foot modular sections that are bolted and plugged together. Because each section has its own communications and control scheme, the sections can be unplugged for shipping and for retrofits in a few days. Until recently, the safety network had been a big obstacle to this strategy. The machine had to be hard-wired with numerous relays interlocked with drives, input/output (I/O) points and guard switches to protect operators and the machine at start-up and shutdown. “It is hard to modularize a hard-wired design,” says Zeinemann. “So installing the wiring, troubleshooting problems and making modifications was a nightmare.”

Nightmare begone

Things changed when he and his colleagues began using the GuardLogix integrated safety system from Milwaukee-based controls vendor Rockwell Automation Inc. They were able to integrate the safety system with the Allen-Bradley ControlLogix programmable automation controllers that they were already using. Although they had to put the safety devices on a separate DeviceNet network initially, they switched the safety devices to Ethernet as soon as EtherNet/IP became available.

Now, the designers tie the safety devices to local I/O blocks attached to the same EtherNet/IP-based network that runs throughout each machine. Besides streamlining disassembly for shipping, the modularity makes it much easier to accommodate dramatic design changes in a matter of hours, and to incorporate new drives and other technologies as they become available. “Having flexibility just makes it so much easier to deliver a highly engineered product without a lot of extra redesign work,” says Zeinemann.

The same holds true for retrofits in the field. If a customer wants to change a feature on its product, having only one network makes it much easier to replace a 30- to 40-foot section in the middle of the machine. “Instead of having to splice into that hard-wired circuit, we can drop a new modular machine section in and just plug it into the Ethernet,” Zeinemann explains.

He reports that achieving this new flexibility was not without a few challenges. First was the additional load that the safety functions put on the main processor. As a result, the processing speed was too slow to control the complex motion of the entire line. Because a machine typically has six to eight controllers on it, “we decided to put the motion component on one of the other secondary processors,” says Zeinemann. The other major challenge was learning to lock programs with signatures to prevent unauthorized people from opening and modifying the programs.

Packaging safety data

Clever ways of packaging data are the technical breakthroughs that allow users such as Joa to send safety signals over the same network as other kinds of data. For Rockwell Automation’s networks, the key is the safety extensions that the Open DeviceNet Vendors Association (ODVA), of Ann Arbor, Mich., added to its common industrial protocol (CIP). Consequently, the open networks controlled by ODVA—that is, DeviceNet, ControlNet and EtherNet/IP—can now accommodate both safety and other data over any medium—copper wire, fiber-optic cable or wireless.

Using its CIP network as a foundation, ODVA developed CIP Safety, a TUV-certified, network-independent safety protocol that relies on the end nodes, rather than the bridges, routers or intermediate nodes. “Safety messages are encoded in a transmitting device and decoded and checked in a receiving device,” explains Katherine Voss, ODVA’s executive director. “Their integrity throughout the transmission is ensured through the use of an extensive set of protection measures, such as time-stamping, redundant data and checking codes.”

The resulting design allows users to install standard communication devices, which tend to be easier to install and maintain than the old safety-certified gateways. It also uses producer-consumer communications and is routable. “So safety connections can go across multiple networks, including EtherNet/IP and DeviceNet,” says Voss.

A big benefit, therefore, is that users of these networks need not upgrade them, according to Kevin Colloton, product manager in Rockwell’s safety systems business. Many of his customers have been able to add safety directly to their existing infrastructures. The only other work was to update the flash firmware on some of the devices. These customers are reporting that they have been ableto develop and install safety systems between 30 percent and 50 percent faster than they would have with other architectures.

Voss points out that the ability to communicate across multiple networks extends beyond the networks controlled by her organization. “CIP Safety has been adopted as the functional safety protocol on SERCOS III (for Serial Real-time Communication System), SERCOS International’s new generation industrial Ethernet network,” she says.

In fact, Bosch Rexroth Corp., a Hoffman Estates, Ill.-based automation vendor, is running the CIP safety protocol on the SERCOS networking interface. “This protocol has the redundancy and communications checks that are necessary for redundant and monitored communications inside of our motion-control network,” says David Arens, food and packaging engineer at Bosch Rexroth.

He adds that the strategy exploits an advantage that SERCOS has over EtherNet/IP in node capacity and synchronization. Because of this advantage, he says that the SERCOS network can provide the sub-millisecond responses that are often needed for multi-axis machinery.

Running CIP on SERCOS allows Bosch to embed safety instructions into the communications telegram that actuates the axes, thereby keeping safety communications as close as possible to the actual physical motion of the machine. “Integral to the communications packet is a safety telegram, which is used in the handshaking at each drive,” explains Arens. “Having the safety technology incorporated into the drives themselves, each axis can respond independently to that safety signal without waiting on a PLC (programmable logic controller) to process the request.”

Despite the reach of CIP Safety across several networks, it is not the only safety protocol available today. The Profi organization, Profibus and Profinet International (PI), also has one called Profisafe. The strength of this protocol is that it allows users to construct safety scenarios across a more diverse mix of equipment, according to Carl Henning, deputy director of Profibus and Profinet North America, in Scottsdale, Ariz.

Users can apply it to discrete I/O in machinery in factories, process instrumentation in plants, and in drives for motion control. It also works across three kinds of media: Industrial Ethernet, RS-485-based serial fieldbus, and Profibus PA, which uses the same physical layer as Foundation Fieldbus. Because the Industrial Ethernet version runs on the Institute of Electrical and Electronics Engineers’ standard IEEE 802.3 wired Ethernet, it also runs on standard IEEE 802.11 wireless.

The Profi organization attributes this ability to a “black channel” approach, which Henning compares to the old concept of a black box. Because the black channel delivers the correct safety signal, you don’t care what happens in between and needn’t worry about safety-approved cable, connectors and routers.

“The safety-communications structure is such that it’s independent of the medium,” explains Charlie Fialkowski, process safety engineer at vendor Siemens Energy and Automation Inc., in Spring House, Pa. “The handshaking occurs among the devices that are communicating.” Because the handshaking method and its cyclical redundancy checks preserve the integrity of the data, Siemens has standardized on the Profi platform.

Depending on the network medium being used, the device can either sit right on the network or be wired to an I/O rack that is connected to the network. Typical devices in the machinery-building and discrete-parts-manufacturing industries include light curtains, emergency stops, door switches and other sensors. Right now in the process industries, the only limitation to greater use is a shortage of devices, other than I/O modules, that are certified for safety. “In the last five years, a number of device manufacturers have been investing the money necessary to get their devices certified,” says Fialkowski.

Diagnostics bonus

He and others think that, besides streamlining installation and upkeep, the biggest advantage of consolidating safety and control networks will be the range of diagnostics that it makes available. “Signals from hard-wired sensors simply say whether it’s safe or unsafe,” explains Arens at Bosch Rexroth. Putting the devices on a network, on the other hand, gives users the ability to monitor the systems, troubleshoot problems, and perform routine diagnostics without having to send a technician to pull and check each component manually.

Some of these diagnostics can be continuous, and others can be periodic, according to a preprogrammed maintenance schedule. A transmitter with a temperature element in it, for example, will report temperature continuously. In other instances, a controller could check the calibration of sensors automatically. It could tell a transmitter to hold its signal while going from zero to full scale and then to return to its original status. “This would tell you whether it drifted,” says Jeremy Bryant, a networking specialist at Siemens.

He notes that, labor notwithstanding, speed is probably the chief advantage of this kind of calibration check. “When you take a transmitter off line, you’re basically running blind for that period of time,” he says. “Most users want to minimize that.” Because the calibration checks allowed by the consolidation of networks are so fast, users could run them much more frequently in much less time.

More in Control