If you think safety requirements are difficult to sort out in North America, pity the machine builders and automation providers who are trying to sell systems in the global economy. Pity the users, too. In the U.S., where safety is concerned, all we have to deal with are OSHA, NFPA, and UL. In Europe, users and vendors deal with literally dozens of safety organizations, from continent-wide agencies such as the European Economic Union (EU), IEC, and CENELEC, to regulatory agencies in each country. Now, the growing interest in safety networks itself is entangled by this web of European and North American safety standards. Without a concerted effort by the standards and regulatory groups to provide a comprehensive, non-conflicting set of actionables, deploying digital safety systems will remain a murky task.
Ditch Hard Wiring and Relays? Not So Fast
A digital safety network meets safety requirements via a programmable controller and a digital network instead of relying on hard wiring from the safety sensors to conventional relay-based shutdown systems. This is a new approach toward safety system architecture that few people understand and many regulatory agencies can't seem to entirely agree upon.
Users and machine builders have, thus far, largely shunned this relatively new technology while they collectively wait for the various vendors and regulatory agencies to agree on common standards that would make digital safety networks a common accepted alternative, and not the bleeding-edge technology, product-safety lawsuit bonanza it has the current potential to be for tort lawyers.
"There is a small, but emerging market for safety buses/networks," says a recent Venture Development (www.vdc.com) study. "While there are some existing safety buses in use, this market is still nascent with several safety buses still in development."
How nascent? VDC says safety networks accounted for $7.1 million in sales worldwide, or 0.28% of the distributed/remote I/O market in 2002. It forecasts that safety networks will grow to $56.5 million, or 2% of the market by 2005.
The VDC report says Profisafe is presently the number one safety network, with 70.2% of sales in 2002. However, the report predicts its share will slip to 48.3% of the market by 2005. AS-Interface Safety at Work (AS-i) ran a distant second in 2002 at 18.7%, but climbs to 25.5% market share in 2005.
A 2001 study by ARC Advisory Group (www.arcweb.com), written by Richard Piggin, chairman of SafetyBus P Club (www.safetybus.com), identified 12 safety networks. Of those, only six showed up on the VDC radar as still being viable in 2005 (Table I): Profisafe, ASI, DNS, Ethernet Safety, SafetyBus P, and Interbus. Foundation Fieldbus Safety, which doesn't even exist yet, showed up on the VDC study in 6th place for 2005.
Table I: Safety Network Market
Network                2002 share    2005 share (forecast)
Profisafe              70.2%         48.3%
AS-i Safety            18.7%         25.5%
DeviceNet Safety       -0-           13.1%
Ethernet Safety        -0-           3.7%
SafetyBus P            10.1%         3.2%
Foundation Fieldbus    -0-           2.8%
Interbus Safety        -0-           2.2%
2002 market = $7.1 million
2005 market = $56.5 million
Source: Venture Development Corp.
It is interesting to note that SafetyBus P from Pilz and a group of primarily European partners ran a strong third with 10% of the market in 2002, but was projected to slip to 3.2% of the market in 2005. "SafetyBus P was released in 1998, but has maintained fairly limited market share," says VDC. "A major reason is that products for this bus are not being developed or offered by the major controller suppliers."
Indeed, most of the various safety networks are large-vendor driven, and the more the support, the more popular the safety network. The ARC study says Profisafe was developed in Germany with funding from the German government and cooperation among three major automation vendors: Klöckner-Moeller, Robert Bosch, and Siemens.
Meanwhile, AS-i has the support of a dozen vendors, including Festo, Omron, Pepperl+Fuchs, and Schneider Electric.
DeviceNet Safety, predicted to be third in 2005, was originally developed by Rockwell Automation, which passed the intellectual property rights to the Open DeviceNet Vendor Assn., where it enjoys the support of ODVA's 250+ members.
Which Came First? Safety Chicken or Safety Egg?
End users, especially those in North America, face something of a Catch 22 when it comes to safety networks. "End users face a conflict when wanting to apply safety networks," says Ian Verhappen, engineering associate at Syncrude Canada Ltd., Fort McMurray, Alberta. "The various standards, such as NFPA, UL, FM, ISA, IEC, are not all in harmony. And, of course, with today's litigious society, the risk of contravening a standard industry practice is one that most companies are unwilling to take." And while ISA-S84 and IEC 61511 allow facilities to self-certify, provided they have done the statistical analysis that says they meet the SIL (Safety Integrity Level) requirements, "this is a chicken-and-egg situation," says Verhappen. "You cannot gather the data you require unless you have it installed, but you can't install it to get the data." So, he adds, facilities rely on their equipment suppliers to submit their equipment for analysis and certification from groups such as TÜV, exida, HIMA, etc., to get the data required for the SIL calculation/analysis.
That seems clear enough. All an end user, or industrial machine builder has to do is buy an approved safety network that meets all the regulations, right? Sorry, that may not work either, says Paul Wiancko, Professional Engineer with P.R.T. Wiancko & Associates of London, Ontario. "Many equipment safety standards do not yet address safety networks and, until this happens, there will be some reluctance to use and approve them," he explains.
Standards groups are still wrestling with safety networks, says Bud Adler, director of business development for process safety solutions at AE Solutions (www.aseolns.com). Adler sits on the ISA SP84 Safety Committee and on the working group that is addressing the use of buses in safety-related applications.
"The present safety standards (ANSI/ISA 84 and IEC 61508/IEC 61511) do not endorse the use of digital bus communication for safety-related applications," says Adler. "There are several bus protocols with specialized application capability that have TÜV approval for safety applications. But TÜV approval typically is predicated on following the requirements for installation, operation, testing, documentation of change, and maintenance as described in the vendor's safety manual. Some of these manuals are quite intensive." As Adler understands it, most of the applications have been in machinery control applications.
What this means is that machine builders are among the lucky ones who can find an approved safety bus protocol. "One of our concerns as a company was the approval of this type [AS-i] of system for use in the U.S. by NEC committees," says Bill Elrod, engineer at Hartness Intl., manufacturer of packaging machinery in Greenville, S.C. "Now, with the recent acceptance of this method in the latest release of NFPA 79, which will allow the use of 'Control Systems Incorporating Software and Firmware Based Controllers,' we OEMs have options in designing integral systems."
Dan Stirpe, electrical engineer at Dauphin Graphic Machines, Millersburg, Pa., is another machine builder who is giving it a go. "We are working on a safety network for our next-generation control system, which will be deployed in 2004," says Stirpe. "We manufacture web printing machinery, or newspaper presses. Our current hardwired safety circuits became very complicated due to clutching, selectability of print units and folders, and flexible configurations. We are implementing a system that uses Profisafe in conjunction with failsafe CPUs and I/O."
Why Profisafe? "Primarily because we use Siemens hardware, and they have a very good selection of failsafe I/O, as well as CPUs," explains Stirpe. "This also allowed us to use a single network for safety and most of our lower-level control functions. We are just hardwiring the E-stop and guard circuits into failsafe I/O on a local failsafe PLC, and communicating over Profisafe to a master configuration PLC (also failsafe) to handle all of the selection and steering. This eliminates literally hundreds of force-guided relays as well as numerous safety monitoring relays."
Stirpe's actions highlight some of the advantages of safety networks: lower cost, fewer hardwired components, and flexibility. Now, add the ability to set up safety zones around equipment so that one safety infraction doesn't shut the entire machine or process down, and you begin to see the value of installing a network instead of hard-wired controls.
Who's Driving This Bus?
So what's holding up the technology? Standards organizations, of course. Piggin, author of the ARC study, says the international standards all center on IEC 61508, Functional Safety Of Electrical/Electronic/Programmable Electronic Safety Related Systems. "IEC 61508 has been criticized for being too generic and therefore difficult to implement," says Piggin. "Technical committees within the IEC must then make use of 61508 in preparation of their own standards. Hence, the developments of IEC 62061 (for machine builders), IEC 61511 (for process control), and other sector standards."
Process control people don't seem to like the standard either. "IEC 61508 has been regarded by some in the process industry as too prescriptive and vague, where ISA's S84 is performance based and sector specific," Piggin adds.
Piggin says some safety network manufacturers may claim compatibility with EN954-1, but this may not be enough. "EN954-1 is a generic safety standard that describes categories, requirements, functional characteristics, principles for the design of safety related control systems, and associated risk assessment," he explains. Risk assessment in this standard is a function of the severity of injury, the frequency of exposure, and the possibility of avoiding the hazard, and has little to do with how to set up a safety network. "Detailed guidance on specific data communication issues is not given," Piggin warns.
There's simply more chaos than there should be, vendors are in a position to manipulate the standardization process, and everything related to safety networks is moving at a glacial pace. As Adler points out, ISA is a year away from making a decision. So, as far as the standards business goes, it's business as usual.
The lack of standards has never stopped aggressive vendors from offering products, so there are several perfectly workable safety networks on the market, all of which conform to one safety standard or another.
Some vendors have safety networks, but nobody knows about them, including their own customers. "Our preferred safety system vendor, Triconex, doesn't support safety networks," says an instrument engineer at Marathon Ashland Petroleum in Detroit. "Introducing new technology in refining takes time. I think it will happen, but I don't know when."
Another system integrator writes, "I am currently working with a major refiner, upgrading their safety systems as capital allows. They are employing Triconex controllers, which are all hardwired. No bus or comm system is even being considered."
All this comes as a surprise to Invensys-Triconex, which has had a safety network for years. "Triconex Peer-to-Peer (P2P) has been certified by TÜV to meet IEC 61508 Safety Integrity Level (SIL) 3 standards," says Mark Hammer, director of industry marketing. "Triconex has offered this certified network since 1995."
Talk to your favorite system supplier to find out what's up. You may be thinking fieldbus-based networks, while your vendor has something else that will work. Meanwhile, here's a rundown of recent developments, based on the rankings from VDC.
Profisafe--The most popular safety network worldwide, Profisafe is based on the Profibus fieldbus system (Figure 1). According to Wolfgang Stripf of Siemens AG (www.siemens.de), and head of the Profibus Application Profiles technical committee, it can be used for factory and process automation tasks. Stripf says Profisafe's big breakthrough came at the 2002 Hanover Fair, when dozens of products were demonstrated, ranging from safe mini PLCs to light arrays, laser scanners, and remote I/O. "In other words, there is a complete selection for performing safe automation tasks, from the simplest to the most complex," says Stripf.
Profisafe is also writing its own specs. "As most security standards do not take a bus mode into account, the boundary conditions for safe communication had to be defined in a separate specification," Stripf says. "To keep the expense of certification as low as possible, an almost fully automatic Profisafe layer test was developed."
Siemens Energy & Automation in the U.S. (www.siemens.com) recently launched Safety Integrated USA, a new organization for applying safety technology, including networks, across all its product lines. Siemens sees two distinct markets for safety automation, process and discrete, so its process safety will be led from Spring House, Pa., while discrete industry safety initiatives will be managed out of Norcross, Ga.
Figure 1: Profisafe Rules
Profisafe, the most popular safety bus, is based on the Profibus fieldbus. It allows control and safety devices to share the same network.
Source: Profibus Nutzerorganisation e.V.
AS-Interface Safety at Work--Ranked number 2, AS-i is a two-wire master-slave system that has gateways to CAN, DeviceNet, Interbus, and Profibus, among others. Master controllers can be industrial PCs, PLCs, and process controllers. It has been around since 1991, and has become a European standard (EN 50295 and IEC 62026-2). AS-i boasts many successful installations, particularly in the automotive industry.
Helge Hornis, Ph.D., intelligent systems manager for Pepperl+Fuchs (www.us.pepperl-fuchs.com), says AS-i is a much simpler system than some of the others, which tends to keep costs down. "No safety PLC is required with AS-i and normal and safe data can be transmitted over the same wire," he adds. According to tests at a German manufacturer, AS-i costs about 85% of what it would cost for a standard hardwired safety system.
DeviceNet Safety/CIP--Ranked third, this DNS achieved TÜV approval in July 2003 for its system specifications. Richard Galera, marketing manager, safety controls, for Rockwell Automation (www.ra.rockwell.com) says products will be submitted for TÜV approval in 2004, and products will arrive on the market in 2005. "DeviceNet Safety will meet the requirements of IEC 61508 up to SIL 3," says Galera.
DNS is based on the Control and Information Protocol (CIP) found in DeviceNet, ControlNet, and Ethernet/IP, says Galera. ODVA received concept approval from TÜV for the CIP safety protocol in 2002. "In the second phase of CIP Safety Development, companies will be able to link distributed DeviceNet Safety segments to standard CIP-based networks, such as Ethernet/IP," says Galera.
Which means current DeviceNet users can use existing wiring, and implement a safety system by adding DNS devices to an existing network (Figure 2).
Figure 2: DeviceNet Framework
Multiple DeviceNet Safety segments can be interconnected using a high-speed EtherNet/IP Safety backbone, with all the nodes communicating as if on the same segment.
Source: Rockwell Automation
Safety Ethernet--"Peer-to-peer networks are alive and well," argues Lawrence Beckman, president of SafePlex Systems, Houston, and member of the ISA S84 Safety Committee. Safety Ethernet, ranked fourth by VDC, is a modified version of Ethernet that is both safe and deterministic, and Beckman is using it in offshore platform applications (Figure 3). "We have employed them in many projects over the past five years, and most recently in several exploration and production safety applications in the Gulf of Mexico."
Figure 3: Offshore Safety Net
It's easier and less expensive to use a safety network than to run wires all over an offshore drilling platform.
Safety Ethernet was originally developed by HIMA (www.hima.com). It allows safety-related data to be integrated in a standard Ethernet network operating at speeds up to 100 Mbps, making it one of the fastest safety networks around. Safety Ethernet has been certified by TÜV and BG for use up to Category 4 and SIL 3. Triconex' P2P network is based on Ethernet.
Safety Bus P--Although the SafetyBus P Club Intl. is now the official driving force behind SafetyBus P, Pilz Automation Safety (www.pilz.com) still makes the controller hardware.
SafetyBus P is based on Controller Area Network (CAN) technology. "Conventional fieldbus networks are not suitable for safety related controls," says Piggin, "because additional error detection and avoidance mechanisms are required. An additional safety layer is necessary to detect connection or device failures and implement the required emergency shutdown action to avoid danger."
Pilz accomplishes this by adding an application layer, plus a triple-redundant safety controller. The safety controller is divided into two sections, failsafe and standard. The failsafe section processes all safety-related functions.
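The sketch below is an added illustration of the kind of safety layer Piggin describes, run on top of an ordinary bus frame; it is not SafetyBus P, Profisafe, or any vendor's protocol. The frame layout, field meanings, names, and watchdog value are all assumptions made for the example.

```python
import struct
import zlib

RUN, SAFE_STOP = "RUN", "SAFE_STOP"
HEADER = struct.Struct(">BBH")   # assumed layout: source id, sequence, 16-bit safety data
FRAME_LEN = HEADER.size + 4      # header plus CRC-32 over the header


def build_frame(source_id, seq, data):
    """Sender side: wrap safety data with source id, sequence counter and CRC."""
    body = HEADER.pack(source_id, seq & 0xFF, data)
    return body + struct.pack(">I", zlib.crc32(body))


class SafetyReceiver:
    """Receiver side: any detected fault latches the safe state until reset."""

    def __init__(self, expected_source, watchdog_ms):
        self.expected_source = expected_source
        self.watchdog_ms = watchdog_ms
        self.last_seq = None
        self.last_rx_ms = None
        self.state = SAFE_STOP        # de-energised until a valid frame arrives
        self.fault = None

    def _trip(self, reason):
        self.state, self.fault = SAFE_STOP, reason
        return self.state

    def receive(self, frame, now_ms):
        if self.fault:                               # latched: ignore traffic
            return self.state
        if len(frame) != FRAME_LEN:
            return self._trip("bad length")
        body, crc = frame[:HEADER.size], struct.unpack(">I", frame[HEADER.size:])[0]
        if zlib.crc32(body) != crc:
            return self._trip("corrupted frame")
        source, seq, data = HEADER.unpack(body)
        if source != self.expected_source:
            return self._trip("unexpected source")
        if self.last_seq is not None and seq != (self.last_seq + 1) & 0xFF:
            return self._trip("lost, repeated or reordered frame")
        self.last_seq, self.last_rx_ms = seq, now_ms
        if not data & 0x0001:                        # assumed: bit 0 = E-stop circuit closed
            return self._trip("stop demanded by device")
        self.state = RUN
        return self.state

    def poll(self, now_ms):
        """Call cyclically: silence longer than the watchdog means a dead link."""
        if (not self.fault and self.last_rx_ms is not None
                and now_ms - self.last_rx_ms > self.watchdog_ms):
            self._trip("watchdog timeout")
        return self.state
```

Every failure path ends in the same de-energised state, and a valid frame arriving after a trip does not restart the machine; a real system would add a deliberate reset step.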
Although Pilz claims that conventional fieldbus networks are not suitable for safety systems, the market appears to be deciding otherwise. Single networks that can carry both control and safety components have a huge advantage in cost and simplicity. For example, Profibus, AS-i, DeviceNet Safety, and Safety Ethernet are all based on fieldbus systems that do not require an extra level of complexity, and all are predicted to outsell Safety Bus P. Pilz is likely to remain a strong safety market force, given the reputation of its safety relays.
Foundation Fieldbus--According to Dave Glanzer, director of technology development, Foundation Fieldbus' (FF) upcoming safety network is based on IEC 61508 for equipment design and IEC 61511 for end user application. Glanzer says ISA SP84 work is similar to IEC 61511, but ISA does not have a standard equivalent to IEC 61508 for equipment design.
"Foundation Fieldbus' Safety Instrumented Systems (SIS) project is an End User Advisory Council initiative that was approved by the board of directors in October 2002," explains Glanzer. The draft preliminary technical specifications have been completed and planning is underway for laboratory validation testing during 2004. Glanzer claims safety certified devices with FF SIS technology should be available in 2005.
Bud Adler, who sits on the ISA committee, explains the problem: "Foundation Fieldbus has a strong following of those companies that support its use in safety-related applications. However, it's not that a digital network cannot be made safe enough for safety-related applications; it is the fact that there is not an approved measure of that safety availability in accordance with the safety standard."
Emerson Process Management, a big FF supporter, is probably agonizing over the delays. Emerson offers a full line of SIL and SIS equipment, and recently announced its DeltaV SIS, with redundant processors, HART networks, logic solvers, and digital communications. It has everything it needs, but Emerson can't call it a Safety Network because it doesn't fall into any of the categories listed above. "We do not conform to any of the listed safety networks," says Gary Law, DeltaV product manager.
Interbus--Phoenix Contact (www.phoenixcon.com) is the chief proponent of Interbus. It is almost a single-vendor system, but we have been assured that several German companies also make products. "An Interbus safety network is clearing significant milestones on its way to the market," says David Skelton, director of automation systems at Phoenix Contact. "Interbus safety, which is based upon the Interbus protocol standards, received TÜV approval in November for its system specification. Products will be submitted for TÜV approval in 2004 and should arrive in the market late next year."
Skelton claims the Interbus safety system will provide safety functions up to Category 4 according to EN 954, and SIL 3 according to IEC 61508. "Depending on the application, the user can use either a one-cable solution with integrated safety or a two-cable solution, where one bus cable is used for standard signals and the other for safety signals," he says.