Is Integrated Safety Acceptable Now?

April 18, 2016
Many in industry agree that it is. Fewer automation professionals seem to be holding onto the idea that processes will be safe only if the safety controls are kept separate from process controls.

No one wants safety to be an afterthought, a function imposed upon a well-designed process. For a growing number of manufacturers, that means they are replacing separate safety and process controls with control schemes that instead integrate the two functions. Once considered by many as a dangerous practice because of concerns about common-cause failures, integrated safety is coming into favor for the benefits it offers.

Integration not only eliminates hardware redundancies and reduces wiring to drive costs down, it also simplifies programming, assists alarm monitoring, and promotes better diagnostics.

Paper Converting Machine Co. (PCMC), a machine builder based in Green Bay, Wis., prides itself on its machine safety stance. “We differentiate ourselves from competitors by guiding our customers through the safety process and educating them on the opportunities safety presents,” explains Jason Stover, senior electrical project engineer. PCMC has climbed aboard the integrated safety bandwagon.

PCMC uses Rockwell Automation’s GuardLogix integrated platform to help its engineers design safety from the outset into upgrades of the company’s tissue converting, packaging, flexographic printing and non-woven technologies. With the integrated controls, the engineers can perform a risk assessment and define functional-safety requirements early in the design process. Then they can use it to verify and validate the safety system once the design is complete.

Because the process and safety controls are on the same platform, the engineers work in one programming environment. The common platform also permits sharing information between the controls to contextualize machinery operation and information, according to Steve Ludwig, safety programs manager at Rockwell Automation. This allows designing both safety and productivity into a machine from the beginning for maximal efficiency.

Complexity is the reason why PCMC chose the GuardLogix platform over other forms of integration, such as simply sharing a backplane or power source or linking a process controller to a safety controller over a network. “If there are only a few safety functions, a few safety relays may be fine,” Ludwig offers. “Separating the standard and safety logic devices makes sense if you have a small number of safety functions and no need for diagnostics and safety information.”

As complexity increases, however, so does the need for a configurable safety relay or an integrated controller platform. “For moderate to complex machines, the balance tends to weigh heavily in favor of integrated control systems, especially in applications that require data sharing between control and safety tasks,” Ludwig says.

Paths to integration

Other automation vendors echo Ludwig’s point in various ways. John D’Silva, safety technology manager for factory automation at Siemens Industry, says that industry is balancing cost with its need for reliable automation. “The failure or error rate of standard automation technology under normal circumstances is acceptable for many operations, but not for high-risk applications,” he says. Examples of high-risk applications include presses, robots, chemical processes, high-pressure operations, burners, and fire and gas sensing.

D’Silva compares the situation to deciding how to send a letter. “Normal delivery is expected to be as affordable as possible at a certain reliability level,” he says. “Everybody, however, will use special mail for important messages.”

Today, integrated safety is increasingly being perceived as delivering the expected reliability. “The traditional concept of separate conductors for safety signals and non-safety signals goes away when all this data can be consolidated onto one fieldbus that can carry both types of signals,” explains Dan Klein, fieldbus technology manager at Turck. “As long as the safety function is maintained, there is no need for a separate network infrastructure.”

To establish the necessary communications, many automation vendors have adapted the fieldbus technologies they were already using in general-purpose I/O to consolidate wiring, reduce complexity and cost, and enhance diagnostics. The key development driving this adaptation has been safety network protocols that establish fail-safe operations over existing general-purpose fieldbuses.

One example of this, highlighted by Klein, is of a shared communications bus operating as a “safety monitor” on an AS-Interface communication network. Here, safety control occurs at the monitor, and process control is at the AS-Interface master. Another example he offered is an Ethernet system where multiple masters can share the same communication network to provide safety and non-safety control independently.

AS-Interface is an early example of I/O combination in a device-level fieldbus protocol. “The concept has since been extended to other widely adopted protocols, including CIP Safety over DeviceNet and EtherNet/IP, and Profisafe over Profibus and Profinet,” Klein says. OpenSafety, an open protocol for safety communications over “black channel” Ethernet (more on “black channel” later in the article), has also been a critical development for manufacturer-specific safety solutions over industrial Ethernet, he says.

Consolidate to one network

The one-network concept has become a popular method for establishing integration. “Most users have become more comfortable with it and are even demanding it,” notes Deana Fu, product manager at Mitsubishi Electric Automation. “While some users still prefer separation at the controller level, they see the benefit in better data sharing over one network, which simplifies maintenance and troubleshooting.”

An example is Mitsubishi’s iQ-R Series platform, which has independent controllers for process and safety control. Not only do the controllers sit on the same platform and share the same core components, such as power supply and peripheral devices, but they also sit on the same CC-Link IE Field network and are programmed using the same software package.

“The two independent controllers communicate with each other through a shared high-speed data bus that is tightly synchronized and is not affected by I/O and network traffic,” Fu says. “There is no wiring or gateways between the two controllers, eliminating unnecessary points of failures.”

The one-network concept is finding use not only in machinery and discrete parts manufacturing, but also in the chemical and oil and gas industries, where incidents can result in extremely expensive failures, environmental damage, or even human fatalities. “These users are generally more comfortable with a hybrid approach where the main process and safety functions are physically separated at the controller level, but integrated at the network level for information sharing, diagnostics and monitoring,” Fu explains. The greater visibility helps operators resolve problems quickly as they arise.

Built-in redundancy and protection layers on today’s networks mitigate the risk of having common points of failure when both controllers are on the same network, according to Fu. “We’ve built a loop-back feature into a ring network topology that allows communication to continue without interruption, even when a station or cable is disconnected,” she says about CC-Link IE Field, an integrated network over industrial Ethernet. Consequently, a faulty station can be disconnected from the network without affecting communications among the other stations, and substations can take over the network if the master station experiences an error.

Don’t overload the bus

One of the challenges for implementing integrated controls is not overloading the bus. Response times can become unacceptably high if you put too many devices on the network. “So you need to make sure that the throughput is right for all the data on the network so that you can maintain the safety integrity levels (SILs) for the application,” advises John Sullivan, project director at DMC, a Chicago-based system integrator. “Vendors have certainly made that easier by setting up high-priority channels on their networks for safety information.”

An example of a high-priority channel is the “black channel” that Profisafe establishes on Profibus and Profinet, the networks that DMC prefers to use on its projects. Safety PLCs also give priority to safety functions.

Profisafe adds the black channel to an existing network as software. Safety information flows through the black channel, but it uses the same basic communication protocols used by the rest of the network. “The Profisafe protocol has no impact on the standard bus protocols,” Siemens’ D’Silva says. “On the other hand, it should be as independent as possible from the base transmission channels, be it copper wires, fiber optics, wireless or backplanes. Neither the transmission rates nor the error detection mechanism plays a role. For Profisafe, they are just black channels.”

Despite such remedies, reaction times can slow down as the amount of communications traffic increases. Although response times are usually sufficient for the SILs in most discrete-parts manufacturing, there are instances where they are not, Sullivan says. “It, for example, may be difficult to justify integrated safety for an overhead-crane application that needs millisecond response times,” he says. “Also, bigger lines and large process applications often have so much data that separation tends to be better.”

Even so, Sullivan does not think that hardwiring is inherently safer than integrated controls, mainly because hardwiring restricts options. He points to how integration made it easier to group equipment in a project that he and his colleagues completed recently for three floors of equipment at a food manufacturer. In this application, they were able to create overlapping safety zones. One e-stop, for example, could control five pieces of equipment, and the next one could also control five, yet both could share two pieces of equipment between them.

“It’s technically possible to do that with hardwired safety, but it’s usually too complex and costly to be practical,” Sullivan says. “With a safety-rated PLC, it’s relatively easy.” Hence, he believes that integration can enhance safety in ways that had been impractical in the past.

Profisafe allows integrating a variety of safety devices on networks. Drives are an example. “Nowadays, they can provide safe states without de-energizing the motor,” D’Silva says. “For example, the new SOS [safe operating stop] feature holds the motor under closed-loop control in a certain position.” Consequently, users need not always cut power completely to put a device into a safe state.

A case against integration

Although integrated systems can often save money and enhance functionality, not everyone is convinced they provide enough safety. "We think that it's wrong to integrate control and safety because it runs the risk of common-cause failures," says Buddy Creef, director of North American sales at HIMA Americas, which provides stand-alone safety automation.

The risk comes from the similar, identical or even shared components that usually come with integration. "If you're running control and safety on similar pieces of hardware, operating systems or I/O networks, then you run the risk of the same problem causing a failure in both," Creef argues. "Control and safety need different operating systems, configuration programs and networks. By differentiating the two, there is never one problem that would make them both ineffective."

And integrating control and safety is not the only way to control costs and enhance functionality, Creef adds. Developments in safety instrumented systems (SISs) can help, too. Manufacturers like HIMA have exploited the faster processors, multitasking architectures and high-speed communications available today to develop increased diagnostics and what HIMA calls sequence of events. "We can report on up to 20,000 different actions in the system within 1 ms," Creef says.

These reports can flow directly into the alarm-and-events application of a basic process control system (BPCS) through a one-way connection. Because establishing such links can be a hassle for users, HIMA has done much of the work for them. Engineers at its DCS Labratory in Germany have developed the necessary methods for the major brands of DCSs and have published them in manuals.

Although the pendulum has certainly swung in favor of integrated control and safety systems in many quarters, Creef believes that it is beginning to swing back. "Several major users who have accepted integrated systems in the past are no longer accepting them," he says.

In pursuit of IT security

One company that has reverted is Bayer CropScience, a German manufacturer of crop-protection products. Concerns over IT security have convinced the company's Process Control Technology (PCT) group to change its mind about integrating safety and control. "Now, we use a separated solution when we build a new plant," says Bernhard Holzenkamp, senior manager of global PCT.

This policy applies to both controls and networks. "You also have different engineering stations and different databases," Holzenkamp notes. Wherever possible, he and his colleagues specify hardware from different vendors to avoid common failure modes and create more layers of separation.

Now, the only common point is the human-machine interface (HMI), which the company uses to view process information from both the SIS and the BPCS. "We usually do that with a redundant Modbus connection," Holzenkamp says, "but there are no safety signals going through it." The traffic goes only one way to make activity in the SIS visible on the BPCS' HMI.

The new policy is already being implemented in a nearly completed expansion in the herbicide production at the company's plant in Muskegon, Mich. The SIS is from HIMA and the BPCS is a DeltaV system from Emerson Process Management. These systems oversee a process consisting basically of a continuous reaction, a formulation operation, and a packaging operation.

"It's a mid-size project," Holzenkamp says, noting that about 70 pieces of new equipment and 800 I/Os are being installed. Because the project is an expansion of an existing facility, the company elected to continue using the conventional 4-20 mA wiring in combination with remote I/O used in the rest of the plant, rather than introducing new fieldbus technology.

In the past, the company had installed integrated systems mainly to reap the benefits of dealing with only one vendor. Holzenkamp also points to other benefits, such as less training for personnel, fewer system interfaces, easier access for remote-service providers, and greater simplicity from having just one database and one engineering station.

When you do an IT security assessment, however, these advantages often disappear. "For example, one engineering station is no longer an advantage," Holzenkamp says. "It may be better to create a physical separation that prevents access to one system from the other." At Bayer, the preference is to go so far as to put the safety and process control cabinets in separate rooms whenever possible.

The Muskegon facility has both the safety and process control cabinets in the same room. But to add a measure of security, the engineering station for the SIS remains disconnected and locked away in the control cabinet until the engineering staff needs it to make modifications.

So far, Bayer has no plans to replace existing integrated systems with separate ones. The PCT Group, however, has begun reassessing IT security on each of the company's integrated systems so that it can be strengthened wherever necessary.

Companies in this Article