Tuesday, August 30, 2011

Safe Decentralization and Enable Principle

As explained already, in many cases safety technology follows the developments made in standard control technology. The benefits from transferring the input/output level to the field via decentralization have resulted in the same process being applied to safety related inputs and outputs. This was followed by the development of a safety bus system, which not only allows field inputs and outputs but also a safety related connection between safety control systems.

The diagram below illustrates a typical application in which the enable principle has been implemented.

Circuit diagram for the enable principle

The safety control system switches the safety-related outputs, and the standard PLC transfers the switch command for the corresponding output to the safety control system via fieldbus.

Essentially it is a really simple principle, if you ignore the disadvantage that the switch command from the standard control system must be considered in the program for the safety control system. Graphically speaking the situation is this: The standard control system must place the switch command on the fieldbus, from where the failsafe control system retrieves it before inserting it into the output's control program as an AND function.

Programming becomes unclear, because the control task and safety function are mixed within the safety control system. A further development of the field transfer principle helps to simplify this case.

The diagram below illustrates the extension of the enable principle. The enable for the control command from the standard control system now takes place directly at input/output level. Handling is simplified tremendously as a result; both control systems can be programmed and tested independently. Performing the enable in the I/O system means there are no delay times from processing within the safety control system, and it's no longer necessary to pass on the control commands via the fieldbus.

Extending the enable principle


Friday, August 26, 2011

Integration of safe control technology within the automation environment

Cycle times are becoming ever shorter, while productivity and the demands on plant and machine control systems are increasing. In addition to the technical control requirements, the need for information regarding process and machine data is constantly growing. As a result, communication technologies from the office world are increasingly making their mark on control technology. One consequence of this trend, for example, is the growth of Ethernet-based bus systems in automation technology, right down to field and process level.

Until now safety technology has been characterized more or less as a “monitoring function” and has been incorporated as such into the automation chain. The process control system dominates and defines the actual process stages. As a “monitoring instrument”, the safety control system either agrees or disagrees with the decisions of the process control system.

Monitoring is limited to safety-relevant control functions, as is the enable. Process outputs without a safety requirement are unaffected. A distinct benefit of such a procedure is the fact that the tasks, and therefore the responsibilities, are clearly separated. A separate system is responsible for the design and monitoring of the safety technology; another separate control system manages the machine and the process. This way it is possible to guarantee the absence of feedback: Changes made primarily in the standard control system will not adversely affect the safety control system. This is an essential safety requirement of a safety system.

The division of duties also has a number of positive aspects: firstly it increases overall performance, because each unit simply concentrates on the matters for which it has been designed and configured. Productivity increases do not just impact positively on the output of the plant or machine: they can also be beneficial in terms of handling, if faster reaction times enable safety distances to be minimized, for example. Separation can also be used to transfer responsibility for the individual systems to different individuals. That helps both sides, because everyone can concentrate on the task in hand.

“Enable” operating principle, with safety relay or safety control system.



Wednesday, August 24, 2011

Today's safety control systems: Overview of safety control systems

Safety control systems essentially came about because of the desire to connect safety through programming, in a similar way to that of a PLC control system. It's no surprise then, that safety control systems are following the example of the PLC world. Centralized systems came first, followed by decentralized systems in conjunction with safebus systems. Programming followed the same formula, except that the instruction set was drastically reduced from the start to just a few languages, such as IL (Instruction List) or LD (Ladder Logic/Ladder Diagram). These measures were taken for reasons of safety, for the opinion was that limiting the programming options would minimize the errors made in generating the program. Initial systems clearly focused on processing safety functions. Although even at the start it was possible to program the safety control system for standard automation, in practice this application found very limited use.


Safety-related features aside, there is little to distinguish safety control systems from standard automation control systems in terms of their actual function. Essentially a safety control system consists of two PLC control systems which process the application program in parallel, use the same process I/O image and continuously synchronize themselves. It sounds so simple, but the detail is quite complex: Cross-comparisons, testing of the input/output level, establishing a common, valid result, etc. are all multi-layer processes, which illustrate the internal complexity of such systems. Ultimately, of course, the user is largely unaware of this; with the exception of some specific features, such as the use of test pulse signals to detect shorts across the contacts, modern systems behave in the same way as other PLC control systems.

Structure of a safe control system:
  • Two separate channels
  • Diverse structure using different hardware
  • Inputs and outputs are constantly tested
  • User data is constantly compared
  • Voltage and time monitoring functions
  • Safe shutdown in the event of error/danger
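The two-channel structure listed above, combined with the enable principle from the "Safe Decentralization and Enable Principle" post (standard PLC command ANDed with the safety enable), can be sketched as follows. This is an added example, not vendor code; the signal names, the latching fault behaviour and the use of a De Morgan formulation as the "diverse" second channel are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass
class Inputs:
    estop_ok: bool     # emergency stop chain closed (assumed signal name)
    gate_closed: bool  # safety gate closed (assumed signal name)
    std_command: bool  # switch command from the standard PLC via fieldbus

def channel_a(i: Inputs) -> bool:
    # Channel A: the enable is the AND of all safety conditions,
    # the output is the standard command AND the enable.
    enable = i.estop_ok and i.gate_closed
    return i.std_command and enable

def channel_b(i: Inputs) -> bool:
    # Channel B: same function, written differently (De Morgan) to stand in
    # for the diverse second channel.
    blocked = (not i.estop_ok) or (not i.gate_closed) or (not i.std_command)
    return not blocked

class SafetyController:
    def __init__(self, chan_a=channel_a, chan_b=channel_b):
        self.chan_a, self.chan_b = chan_a, chan_b
        self.fault_latched = False  # assumption: a fault stays latched until reset

    def cycle(self, i: Inputs) -> bool:
        a, b = self.chan_a(i), self.chan_b(i)
        if a != b:
            self.fault_latched = True  # cross-comparison of the channels failed
        if self.fault_latched:
            return False               # safe shutdown: output stays de-energised
        return a

def channels_agree() -> bool:
    # Exhaustive check that both formulations compute the same output.
    return all(channel_a(Inputs(*c)) == channel_b(Inputs(*c))
               for c in product([False, True], repeat=3))
```

A channel that is stuck at "on" goes unnoticed only as long as "on" is the correct answer; the first scan in which the healthy channel says "off" trips the comparison and the output stays off.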

Friday, August 19, 2011

Application Blocks for Safe Analog Processing

In the past, processing analog signals safely using safety relays was as good as impossible. Only the integration of special expansion modules and the availability of customized application blocks has made safe analog processing possible. In a similar procedure to that of the drive environment, configurable safety relays can be used to evaluate sensor information from the analogue process environment. This may relate to process conditions such as fill level, position or speed for example; there's practically no limit to the extended application options. With analog signals it is also possible to define limit values, threshold values or value ranges, inside which a measured value may move; this is done through the module configuration or by setting parameters in the user block. Reliable monitoring therefore becomes a reality; all values can be evaluated and further processed.

Example: Range monitoring 4 … 20 mA current loop

With range monitoring, the first step is to define the permitted value range. Depending on the selected condition (“greater than” or “less than”), the output for threshold value monitoring is set to “0” if the recorded value exceeds or drops below a range limit.

2 range limits are to be defined in this example:

  • I < 3 mA monitors for open circuit and 
  • I > 21 mA monitors for input device error


Example: Monitoring the position of a control valve via range monitoring

Control valves in process technology, e.g. to control flow rates, are generally controlled in analog; feedback on the valve position is also analog. Without safe analog processing, until now, only special switches have been able to evaluate position signals from valves. The new technology allows you to set as many valve positions as you like and to monitor compliance, safely and reliably.
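The two examples above (range monitoring of the 4 … 20 mA loop and monitoring of valve positions) can be combined in one evaluation routine. This is an added sketch, not an application block from any product; the 3 mA and 21 mA limits come from the text, while the linear 4 mA = 0 % / 20 mA = 100 % scaling, the position windows and the status names are assumptions.

```python
import math

OPEN_CIRCUIT_MA = 3.0   # from the text: I < 3 mA monitors for open circuit
DEVICE_ERROR_MA = 21.0  # from the text: I > 21 mA monitors for input device error

# Constructed sample configuration: permitted valve positions in percent.
VALVE_WINDOWS = {"closed": (0.0, 5.0), "half": (45.0, 55.0), "open": (95.0, 100.0)}

def classify_loop(current_ma: float) -> str:
    """Range monitoring of the current loop itself."""
    if not math.isfinite(current_ma):
        return "invalid_reading"      # NaN/inf must never pass as a valid value
    if current_ma < OPEN_CIRCUIT_MA:
        return "open_circuit"
    if current_ma > DEVICE_ERROR_MA:
        return "input_device_error"
    return "ok"

def position_percent(current_ma: float) -> float:
    # Assumed linear scaling: 4 mA = 0 %, 20 mA = 100 %.
    return (current_ma - 4.0) / 16.0 * 100.0

def monitor_valve(current_ma: float, windows=VALVE_WINDOWS):
    """Return (output, status, window); output is 0 whenever a limit is violated."""
    status = classify_loop(current_ma)
    if status != "ok":
        return 0, status, None
    pos = position_percent(current_ma)
    for name, (low, high) in windows.items():
        if low <= pos <= high:
            return 1, "ok", name
    # Signal is electrically plausible but the valve is not in a permitted position.
    return 0, "outside_permitted_position", None
```

Note that a reading between 3 mA and 4 mA passes the loop check but maps to a negative position, so it still results in output 0.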


Wednesday, August 17, 2011

Application blocks in the drive environment

In addition to general safety functions such as monitoring of safety gates, emergency off/emergency stop function or light curtain evaluation, configurable safety relays also offer special expansion modules and specific application blocks for advanced options such as the safe detection of movement and standstill on drives. Two axes are possible per expansion module, each with eight limit values for speed monitoring, standstill monitoring and detection of clockwise and anti-clockwise rotation. In this way, motion information can be integrated directly into the safety system, irrespective of the drive system you are using.

With normal standard encoders, monitoring is possible up to Category 3 of EN 954-1 or Performance Level d of EN ISO 13849. This is significant for two reasons: firstly, there is no need for expensive, safe encoders and secondly, laborious wiring is no longer necessary thanks to the simple “listening function” of the encoder signals – “tapping” the encoder cable via a T-junction. The direct signal tap on the motor encoder minimises the work involved in the mechanical and electrical design through appropriate adapter cables for the widest range of drives. In the simplest way possible, speed and standstill detection, including evaluation via customized application blocks, is available via plug and play.


Saturday, August 13, 2011

Application blocks for press applications

In addition to application blocks for individual functions, complete application packages are also available for specific self-contained applications such as mechanical and hydraulic presses, for example. Such packages are designed to perform control functions as well as meeting safety-related requirements. The package contains all the basic functions that a press needs: e.g. blocks for setup, single-stroke and automatic operating modes; monitoring a mechanical camshaft; run monitoring to monitor the mechanical transmission for shear pin breakage; monitoring of electrosensitive protective equipment in detection and/or cycle mode; monitoring and control of the press safety valve plus cycle initiation via a two-hand control device.


Safe Control and Monitoring of Presses

Tuesday, August 9, 2011

Benefits of Application Blocks

Configurable safety relays offer a wide range of predefined application blocks. These blocks form the basis for implementing the safety technology requirements of plant and machinery. The availability of blocks for the widest possible range of applications and functions enables the user to implement his requirements quickly and effectively.

Application Blocks for Muting Function
The “muting function” is one of those laborious functions which previously required the application of special relays, but which can now be implemented easily using configurable safety relays. This function is used to automatically and temporarily suspend a safety function, such as a light curtain or laser scanner. It is often applied, for example, to transport material into or out of a danger zone. A distinction is made between sequential and cross muting. Typical application areas include the automotive industry, on palletizing and drink dispensing machines, or in the manufacture of stone products (concrete blocks, tiles etc.). Additional sensor technology is used to distinguish between persons and objects.

Example: Sequential muting
Muting phase 1:
  • Material in front of the danger zone
  • Light beam device active
  • Muting lamp off
 
Muting phase 2:
  • Muting sensors 1 and 2 operated
  • Light beam device suspended
  • Muting lamp active

Muting phase 3:
  • Muting sensors 3 and 4 operated
  • Light beam device suspended
  • Muting lamp active

Muting phase 4:

  • Muting process ended
  • Light beam device reactivated
  • Muting lamp off
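The four muting phases above can be written as a small state machine. This is an added sketch, not the logic of any certified muting block; the rule that sensor 1 must be operated before sensor 2, the end-of-muting condition and the input names are assumptions, and real blocks add time limits that the text does not describe.

```python
class SequentialMuting:
    def __init__(self):
        self.muted = False      # True in phases 2 and 3
        self.s1_led = False     # sensor 1 was operated before sensor 2
        self.exit_seen = False  # sensors 3 and 4 were both operated (phase 3)

    def cycle(self, s1, s2, s3, s4, beam_clear):
        """One scan. Returns (safety_output, muting_lamp)."""
        if not self.muted:
            if s1 and not s2:
                self.s1_led = True    # material approaching in the right order
            elif not s1:
                self.s1_led = False   # sensor 2 on its own never arms muting
            if s1 and s2 and self.s1_led:
                self.muted, self.exit_seen = True, False     # phase 2
        else:
            if s3 and s4:
                self.exit_seen = True                        # phase 3
            if self.exit_seen and not (s3 or s4):
                self.muted = self.s1_led = False             # phase 4
            elif not (s1 or s2 or s3 or s4):
                self.muted = self.s1_led = False  # material gone: end muting
        # While muted the light beam device is suspended; otherwise an
        # interrupted beam switches the safety output off.
        safety_output = True if self.muted else bool(beam_clear)
        return safety_output, self.muted

def run(trace):
    m = SequentialMuting()
    return [m.cycle(*step) for step in trace]

# Constructed sample traces: (s1, s2, s3, s4, beam_clear) per scan.
PASSAGE = [(0, 0, 0, 0, True), (1, 0, 0, 0, True), (1, 1, 0, 0, True),
           (1, 1, 0, 0, False), (0, 1, 1, 0, False), (0, 0, 1, 1, False),
           (0, 0, 0, 1, True), (0, 0, 0, 0, True)]
WRONG_ORDER = [(0, 1, 0, 0, True), (1, 1, 0, 0, True), (1, 1, 0, 0, False)]
```

In the second trace sensor 2 is operated first, so muting never starts and the interrupted light beam switches the safety output off.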




Friday, August 5, 2011

Safety-Related and Non-Safety-Related Communication

Communication on contact-based safety relays is very limited. Simply displaying fault conditions can sometimes prove difficult. Switching to electronic versions already makes communication somewhat easier: LEDs flash, sometimes with varying frequencies, to distinguish between specific malfunctions. LCD displays indicate errors and/or operating states in plain text. Configurable safety relays offer a whole new set of options: Fieldbus modules can be used to connect them to almost any fieldbus; they can even exchange safety-related data via special interconnection modules. This enables data to be exchanged with non-safety-related fieldbus subscribers, in order to share diagnostic data or transfer control commands to the configurable safety relay, for example.

The ability to transfer data safely via special interconnection modules opens up new horizons: If several machines are working together in a network, for example, safety requirements will demand that safety signals are exchanged between the control systems. Previously this could only be achieved by exchanging digital signals. This is a laborious process and is extremely inefficient due to the high cost for each piece of information transmitted. If interconnection modules are used to replace the previous hard-wired solution, the amount of wiring is reduced, while the amount of information data, including safety technology data, is increased.

Monday, August 1, 2011

Configurable Safety Relays Increase Flexibility

Similar to progress in the automation technology sector, safety technology has gradually developed from hard-wired relay technology to contact-based safety relays and devices with integrated logic function and beyond to flexible, configurable safety relays. The idea was to make safety technology more transparent and manageable for the user. This was the major driving force behind development of the devices and ultimately led also to the development of new types of configuration tools, which graphically display function and logic and then forward the configured setting to the relay via memory chip. The result is a high degree of flexibility for the responsible electrical design engineer; their plans only have to consider the number of digital and analogue inputs/outputs required. They can incorporate the functions at some later date and adapt them to suit the changed situation if necessary. At the same time, any work involved in wiring the logic functions also disappears.

With this generation of devices, the safety functions and their logic connections are configured exclusively via the software tool. The manufacturer provides the safety functions within application blocks; certified bodies such as BG or TÜV will have already tested them for safety. With the help of safe application blocks and the logic connections between these blocks, the plant or machine builder creates the safety-related application they require, an application which they would previously have implemented by wiring contactors and relays in a laborious, time-consuming process. Contacts and wires are replaced by lines between the ready-made application blocks. An electrical circuit diagram showing the logic functions is no longer required.

Logic connections between the blocks for simple configuration.

Not only is it easy to connect the application blocks to each other, a simple click of the mouse is all it takes to adapt them fully to the requirements of the relevant application. Block properties define the behavior of the individual blocks within the application: whether single or multi-channel, with or without automatic reset, e.g. when a safety gate is closed. Parameters that determine how a block will behave can be easily set in accordance with the application's safety requirement.

Configure function elements.

The parameters available in the “Configure Function Element” window (see illustration) essentially mirror the familiar functions from the safety relays. They no longer have to be set laboriously on the device or be selected via jumpers; with the parameter tool everything operates in the simplest way possible. Users will find all the useful, proven elements from the world of the classic safety relays, just represented in a different format. This new configuration method has another quite simple, safety-related benefit: Once the configuration has been selected, it cannot easily be modified by unauthorized persons via screwdriver or device selector switch.

Simple configuration of the required input and output modules, plus the availability of special modules for speed or analog processing, enable the user to create a safety system that suits his own individual needs. Functions can be added or adapted later with relative ease. The user simply selects these modules from a hardware list and then creates the necessary logic functions.