Discovering Safety Networks

Replacing traditional hard-wired safety systems with safety programmable controllers running on safe versions of open-architecture fieldbus networks can pay big dividends for manufacturers.

For Rod Brown, it was a revelation.

As a controls process engineer at KUKA Flexible Production Systems, an automotive system integrator based in Sterling Heights, Mich., Brown was well aware of the way that factory safety systems had traditionally been built with hard wiring and safety relays. It was an approach mandated by long-standing North American safety standards.

So it was a surprise for Brown in 2003 when he learned through a vendor that the rules of the game recently had changed. Revisions made in 2002 to NFPA 79—the National Fire Protection Association standard covering electrical equipment in industrial machinery—had legitimized use of certain “software and firmware-based controllers” as an alternative to hard-wired safety solutions.

The change opened the door for use of certified safety programmable logic controllers (PLCs) and associated safety fieldbus networks. Both technologies had been deployed for several years in Europe, but at the time, were little used and largely unknown in the United States.

Good timing

For Brown and KUKA, the timing was propitious.

The company had just been approached to quote on a program to become a Tier One supplier of auto bodies to Chrysler Group, the Auburn Hills, Mich.-based automaker owned by DaimlerChrysler AG.

For the program, KUKA had already been looking for ways to streamline the size of the large safety panels required by traditional hard-wired safety systems. And when KUKA learned about the NFPA 79 changes from the Automation and Motion Division of Siemens Energy & Automation Inc., the big Norcross, Ga., automation vendor, it saw a way to reach its goals, Brown says. “We really wanted to concentrate on what was the next big cost to attack, and that was safety, with all the relays and big panel sizes.”

KUKA won the Tier One contract from DaimlerChrysler, and constructed a body shop totaling around 300,000 square feet in Toledo, Ohio, to handle the business. KUKA Toledo Productions Operation LLC, which houses 245 KUKA welding and material handling robots, began producing Jeep Wrangler vehicle bodies for Chrysler late last year. And by eschewing the traditional hard-wired approach to safety in the plant in favor of a certified safety fieldbus networking system, the company truly hit pay dirt, Brown relates.

The KUKA Toledo facility relies on Allen-Bradley ControlLogix PLCs from Rockwell Automation Inc., Milwaukee, and a DeviceNet fieldbus network to handle standard machine control functions. But for its safety system, KUKA selected Siemens S7 safety PLCs that communicate over an open, Profibus fieldbus network using Profisafe—a safety application protocol introduced in 1999 by Profibus International. Profisafe has been certified by TÜV, an international testing laboratory, as suitable for use up to Safety Integrity Level 3, or SIL 3, as specified under the International Electrotechnical Commission’s IEC 61508 standard governing safety in programmable systems.

Phenomenal

Had the KUKA plant used a traditional hard-wired safety system, panel sizes would have required a minimum four-door enclosure measuring 82 inches high-by-18 inches deep, Brown says. “You’d have hard relays in there and multiconductor cables running back and forth.” But with the Profisafe network approach, that size was reduced to a two-door, 60-inch high enclosure that is just 10 inches deep. “I reduced my panel size, I got rid of all of my relays, and my cable tray size was reduced phenomenally, because I’m not running all those big cables,” Brown notes. “All I’ve got is the cord running down the whole length of my machines, using the Profibus cord set.”

In addition to saving valuable floor space, the safety networking approach reduced machine safety component count by an impressive 85 percent compared to a hard-wired system, Brown says. This significantly reduced upfront engineering requirements, while shortening installation time and lowering labor costs. “Everything was double-ended cords, so it was a plug-and-play job,” making installation easy, he notes. Further, there was no need for a tedious hard-wired circuit checkout prior to start-up, thanks to the safety PLC and network system’s built-in point-level diagnostics. Labor savings totaled 30 percent to 35 percent, Brown estimates, while installation time was cut by at least 20 percent to 25 percent.

In the future, the safety network is expected to pay major dividends in system uptime and flexibility for KUKA. When faults or machine stops occur, the built-in diagnostics will pinpoint the source for display on a human-machine interface (HMI), eliminating the need for extensive troubleshooting typical of hard-wired systems. The safety network will also greatly simplify the effort required when body model changes dictate the need for more robots or line reconfigurations.

The open-architecture Profisafe design is an additional plus, says Brown, enabling selection of components from other vendors besides Siemens. KUKA currently uses Profisafe-ready light curtains from Banner Engineering Corp., Minneapolis, Brown says. And Profisafe devices are available from a variety of other vendors, including Beckhoff, Sick, Turck and Wago.

Deja vu

The KUKA decision to go with a Profisafe network for safety is in line with an emergent industry trend away from hard-wired safety systems, say industry sources. Just as standard PLCs and fieldbus networks have replaced hard-wired relay logic for factory control functions over the last several decades—boosting flexibility and saving oodles in reduced wiring and engineering costs—safety PLCs and open-architecture safety networks are expected to do the same for safety relays.

“There’s still going to be a place for hard-wired solutions in small machines where one device or maybe a couple of safety relays can solve the application. But if you’re talking about systems that have multiple nodes, it’s all going toward safety networks,” declares Dave Vasko, a Rockwell Automation engineering manager based in Mayfield Heights, Ohio, who is involved in industry activities aimed at open-architecture safety networks.

It’s a revolution that’s still in its early days, however, especially in North America, which has lagged behind Europe in safety fieldbus network implementations. According to Venture Development Corp. (VDC), a Natick, Mass., market research firm, the European market for safety fieldbus networks totaled $43.1 million in 2004 and will rise to $78.8 million in 2007. The North American market, meanwhile, totaled just $9.3 million in 2004, and will hit $20.7 million next year, VDC says.

Safety network systems typically rely upon hardware redundancy that works with various error detection, data sequencing and time checking techniques applied within the safety protocol to ensure the integrity of transmitted data. When errors or data corruption are detected, the system can execute a safe and orderly equipment shutdown.
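The three checks named above (error detection, data sequencing and time checking) can be sketched as a receiver that latches a safe state on the first failure. This is an added illustration, not code from the article or from any vendor; the frame layout, the `SafetyReceiver` name and the 100 ms watchdog are assumptions and do not reproduce the Profisafe or CIP Safety formats.

```python
import struct
import zlib

# Constructed layout (assumption; not the Profisafe or CIP Safety wire format):
# 2-byte payload | 1-byte sequence counter | CRC32 over payload + counter
FRAME = struct.Struct(">2sBI")
WATCHDOG_S = 0.100  # assumed maximum gap between valid frames, in seconds


def build_frame(payload: bytes, seq: int) -> bytes:
    seq &= 0xFF
    return FRAME.pack(payload, seq, zlib.crc32(payload + bytes([seq])))


class SafetyReceiver:
    """Accepts data only while every check passes; any fault latches the safe state."""

    def __init__(self, now: float):
        self.expected_seq = 0
        self.last_valid = now
        self.safe_state = False
        self.fault = None

    def _trip(self, reason: str) -> None:
        self.safe_state = True  # latched: no later frame clears it
        self.fault = reason

    def poll(self, now: float) -> None:
        # Time check: runs even when nothing arrives, so loss and delay are caught.
        if not self.safe_state and now - self.last_valid > WATCHDOG_S:
            self._trip("watchdog timeout")

    def receive(self, frame: bytes, now: float):
        self.poll(now)
        if self.safe_state:
            return None
        if len(frame) != FRAME.size:
            return self._trip("bad length")
        payload, seq, crc = FRAME.unpack(frame)
        if zlib.crc32(payload + bytes([seq])) != crc:
            return self._trip("CRC mismatch")    # corruption in transit
        if seq != self.expected_seq:
            return self._trip("sequence error")  # repeated, lost or reordered frame
        self.expected_seq = (seq + 1) & 0xFF
        self.last_valid = now
        return payload
```

Because the checks live in the endpoints rather than in the bus, the same logic applies whether the frames share a network with standard control traffic or travel on a separate one.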

One of the earliest safety networks on the market was SafetyBus p, from German-based Pilz Automation Safety. Launched in 1997, SafetyBus p works with Pilz’s Programmable Safety System (PSS) line of safety PLCs, available since the early 1990s, says Dino Mariuz, engineering manager for Pilz USA, in Canton, Mich. SafetyBus p still claims the largest safety network market share, according to VDC figures. But that lead is expected to slip as newer, open-architecture safety networks begin to gain traction. Pilz itself is working on an Ethernet-based safety network known as SafetyNet p, which could be available in 2007, Mariuz confirms.

Mixed Traffic

While SafetyBus p is designed to operate as a separate safety network using a separate safety PLC, other more recent safety offerings feature the ability to integrate data traffic from safety devices and standard devices on the same network, using a single integrated controller.

Such integrated, “mixed-traffic” capability is available with Profisafe, which runs on Profibus as well as on Profinet—the Ethernet version of Profibus. Profisafe on Profibus has been available since 1999, while Profisafe on Profinet began shipping in August last year, says Jeff Howe, product business manager for networking products at Siemens Energy & Automation.

Another recent entry with mixed-traffic capability is DeviceNet Safety, a safe version of the DeviceNet fieldbus network that uses the CIP Safety protocol developed by the Open DeviceNet Vendors Association (ODVA). CIP Safety is a set of safety extensions for Common Industrial Protocol, or CIP, which is an upper-level networking protocol shared by DeviceNet, EtherNet/IP and ControlNet, all open-architecture networks.

ODVA released the DeviceNet Safety specification in January 2005, and three vendors—Omron, Rockwell and Sick—all had DeviceNet Safety products available at the time of release, says Rockwell’s Vasko, who chairs the ODVA CIP Safety Special Interest Group. DeviceNet Safety is TÜV-certified for use up to SIL 3 as defined by IEC 61508, and TÜV in February this year issued a similar certification for CIP Safety on EtherNet/IP, the Ethernet version. The EtherNet/IP Safety specification was scheduled for release by ODVA in April, though EtherNet/IP Safety input/output (I/O) products are not expected to be available until 2007.

Another open-architecture safety network with mixed-traffic capability is AS-Interface (AS-i) Safety at Work, which uses the Actuator-Sensor Interface sensor level bus system as its foundation technology. A “bit bus” system, AS-i Safety at Work is designed to handle very small data quantities in each node, but is suitable for use on small, distributed systems and machines, says Tim Parmer, safety & redundant PLC product marketing manager at Siemens. Multiple vendors supply AS-i Safety at Work devices.

A Different Way

As vendors gear up to provide safety fieldbus technology in the United States, they are eyeing a huge potential market. But they also concede that an education process will be required to sell the idea to some control engineers and others who have been schooled for decades on the need for hard-wired safety systems. “For traditional control engineers, going from hard wires to networks for safety is not at the forefront of their thought process,” observes Tom Kopanski, vice president and general manager, Automation and Motion Division, at Siemens Energy & Automation.

The challenge for vendors involves selling the concept of a “safety solution” that provides safety at a much higher level than is possible with hard-wired systems, Kopanski notes, with the improved efficiency and other benefits that come with having safety fully integrated with the automation system. “The good news for Siemens is that we’ve been doing this for years, because this is common practice in Europe,” says Kopanski. “But the reality is that there’s got to be an educational element to our strategy—and not just for Siemens, but for the industry—because this is a different way to do safety.”

At Sick Inc., in Minneapolis, Global Product Manager Jim O’Laughlin agrees. “People are still used to using safety relays,” O’Laughlin says. “But the people that we’ve talked with about safety fieldbus concepts, especially when we talk about open-architecture safety fieldbuses, have generally had a favorable response,” he adds. Sick offers safety devices for DeviceNet Safety and Profisafe, as well as for AS-i Safety at Work.

In many industry segments, the idea of safety fieldbus networks is just reaching the design stage, meaning the technology will begin showing up in next generation automation systems, says O’Laughlin. Notable exceptions are the automotive and robotics industries, he says, which have been quicker to adopt the technology.

Indeed, at Chrysler Group, for example, Bob Anderson, controls, robotics and welding manager, says that the automaker is “embracing quite significantly” the concept of integrated safety fieldbus networks. The advantages compared to hard-wired safety include lower costs, better diagnostics and improved flexibility, he observes.

Chrysler is currently using safety fieldbus networks in production environments at several plants, Anderson says. In all cases to date, these networks operate as separate safety networks with safety PLCs that are independent of the control network. Chrysler has used both Pilz SafetyBus p networks with PSS safety PLCs, as well as a proprietary Ethernet safety network from Rockwell that relies on that company’s Allen-Bradley Guard Safety PLC, introduced in 2001.

But future safety networks are on the drawing boards for Chrysler plants that will use Rockwell’s newer, integrated Allen-Bradley GuardLogix PLC that handles both control and safety functions, running mixed traffic on DeviceNet Safety networks, says Anderson. He refers to DeviceNet Safety as “a migration, or interim step” for use by Chrysler until EtherNet/IP Safety becomes available.

Anderson declines to say whether Chrysler plans to continue using both Pilz and Rockwell systems for safety networks in the future. But he does say that Chrysler is moving toward integrated safety technology using mixed-traffic networks, which the automaker believes offers the greatest advantages for large, complex systems such as body shops. Engineers at Chrysler’s European counterpart, Mercedes, have been deploying such integrated control and safety systems using Siemens technology for a while, Anderson observes. “But for a number of reasons, we [at Chrysler] don’t commonly use Siemens controls,” he adds, “and now that Rockwell has it integrated, that’s the direction we’re moving.”

No-Brainer

That kind of thinking made the selection process simpler for Dürr Systems Inc.—an Auburn Hills, Mich., supplier of automotive paint systems—when it set out last year to incorporate an integrated safety network into a new robotic painting zone, or cell, that it was developing. The company selected an Allen-Bradley GuardLogix controller and mixed-traffic DeviceNet Safety network technology for use in the system, which is based on Dürr’s new advanced painting robot called the Eco RP E32, says Dany Rheault, Dürr manager of Software Engineering.

“About 95 percent of what we sell in the United States to the Big Three automakers revolves around Allen-Bradley,” Rheault says. “And for us, the fact that they (Rockwell) had achieved a very clean way of combining safety and normal PLCs together was a really big factor in our decision.”

In the GuardLogix system, an Allen-Bradley ControlLogix processor equipped with safety capability is plugged into a standard ControlLogix chassis, together with a second processor called a safety partner. This integrated, dual-processor GuardLogix system handles both control and safety functions over three mixed-traffic DeviceNet Safety networks in the Dürr painting system. Each painting cell is equipped with four to eight Eco RP E32 robots. The new robot cells began shipping late last year.

Compared to the hard-wired safety approach that Dürr had used in previous painting systems, the new safety architecture enabled dramatic reductions in wiring and panel sizes, Rheault says. In the new system, Dürr uses small, networked “safety I/O boxes” that can be strategically located around the painting booth for communication with DeviceNet Safety-compatible devices, including light curtains, emergency stop buttons and door switches. The old approach required a six-foot tall, three-door central cabinet packed with relays and cables, in addition to an operator console, Rheault notes. But in the new system, a single operator desk measuring about 1.2 meters per side can handle all control and safety functions, he points out. “I’d say we eliminated about 75 percent of the PLC panel requirements.”

Fast Installation

Besides the cost savings, the new system makes on-site physical installation a breeze, when compared to the hard-wired approach. “Instead of trying to fit a six foot-tall, three-door wide panel into a facility, we can come in with these small panels and just set them in place,” Rheault says. He expects that installation time, including production start-up, will eventually be reduced to just 36 hours for the new system. “Before, we were talking about a couple of weeks.”

That faster installation time will mean that end-users will get quicker access to the painting system to meet their production requirements. And thanks to the DeviceNet Safety network and the GuardLogix system’s built-in diagnostics, plant personnel will be able to see fault messages tied to specific I/O or devices on the network when a safety stop occurs. Compared to a hard-wired approach, says Rheault, “one of the major benefits of this system is that it’s going to be a lot easier for the plant to troubleshoot.”

For more information, search keywords “safety networks” and “safety PLCs” at www.automationworld.com
