Safety in a new way

10 years of flexible functional safety.

Based on its openness and widespread installation, PROFIsafe is currently the global market leader with over 630,000 PROFIsafe nodes. Ten years ago, however, it was necessary to convince safety authorities, 25 renowned safety engineering companies, and users to accept the completely new technology.

The PROFIsafe vision

The PROFIsafe vision


Arguably, an idea has seldom achieved acceptance on the market so quickly as that behind safety-related communication via PROFIsafe. Ten years ago, neither users nor manufacturers, let alone testing laboratories, could imagine that safe communication over a fieldbus was possible. What was the situation at that time? PROFIBUS, the only fieldbus with an integrated solution for all areas of production and process automation, was already established and in widespread use. However, when it came to matters of safety, the prevailing opinion was that safety engineering required hard-wired solutions based on relay technology, and few innovations were attempted. The great advantage of traditional safety engineering was its simplicity. Still, little by little the disadvantages of this method for meeting the requirements of modern automation became evident. These included, for instance, the costs for labor-intensive cabling, the low degree of flexibility and availability, and the significant effort required for restart after a stop due to the undefined stop positions of machines.

An inquiry from a large petrochemical company was destined to change the safety engineering world. “We were asked whether it was conceivable that safety-related functions could be transmitted over a fieldbus,” remembered Herbert Barthel, Head of the PI (PROFIBUS & PROFINET International) “Functional Safety” Working Group. In the world of production and process automation, this had been unimaginable up to that point. So, the decisive push came from an industrial sector that no one had expected. “At the time there were proprietary solutions in rail engineering, but these could not be transferred without additional work,” explained Dr. Wolfgang Stripf, overall responsible for functional safety and data security within the Technical Committee 3 of PI. Unlike that industry, the two automation experts wanted an open technology that would be accepted by all manufacturers and users. At the same time, the safety institutions and testing laboratories would have to be brought on board.

Thus, in September 1998, a roundtable of 25 renowned safety companies was created. In this forum, the requirements of the individual manufacturers were not only discussed, but a possible concept for this type of communication was also put forward. In the ensuing months, a new PI working group worked intensely on the safe communication profile, which was named PROFIsafe. “We were in close contact with the testing bodies at all times, so that approval by TÜV and BGIA was ultimately no problem,” attributed Dr. Stripf as a key aspect for the subsequent success. The first version of the specification, including the positive concept evaluations by the testing bodies, was available for presentation at the next Hanover Fair in 1999.

"Black Channel" Approach
A common bus cable
The response to the surprise coup was powerful, and not everyone could get used to the concept right away. However, skeptics were quickly convinced by the innovative idea of the PROFIsafe protocol. This protocol functions without affecting the standard bus protocols. The safety-related data are transmitted together with the conventional data over a common bus cable. The transmission channel is regarded as a “black channel”, analogous to the familiar “black box”. All conceivable errors in this channel are detected exclusively by the PROFIsafe protocol. The solution is therefore independent of the particular transmission channel, for example, copper cable, fiber-optic cable, or radio.

The PROFIsafe protocol benefited from the simultaneous development of new safety standards based on actuarials and the introduction of SIL as a means for classifying the probability of dangerous equipment faults. This cleared the way for use of microprocessors, software, and communication. With PROFIsafe, therefore, proper functioning can be mathematically confirmed even if more than two mutually independent faults or failures occur. Every imaginable function and load scenario was run through systematically for this.

Implementation in the field
“Another milestone was set in 2005 with PROFIsafe for PROFINET. For some users, the notion that PROFIsafe also functions on Ethernet and the fact that there are now an unlimited number of nodes in space certainly took some getting used to,” said Barthel in describing the reservations. But in this case as well, the black channel concept proved itself, according the conclusions of the PROFIsafe experts. “Admittedly, the additional risks made it necessary to expand the specification slightly and to define a second mode, i.e., the “V2 mode,” explained Barthel.

An essential ingredient for acceptance by the user was introduction of a certification system and the associated test environment. To ensure proper communication between different products of different manufacturers, the products must be tested for conformity to the PROFIsafe specification. Currently there are two test laboratories for this purpose, and others are in preparation. In addition, PROFIsafe requires safety-related examination of devices according to IEC 61508 by an independent testing institute. Recently, certification tests also became available for safety-related controllers with PROFIsafe (F-host). The prerequisite for an F-host test is a previously certified controller with PROFIBUS and/or PROFINET (basic test), in which the PROFIsafe protocol is integrated. The F-host test, which is accepted by TÜV, is practically an automated test and only has to be performed once, provided nothing has changed in the PROFIsafe protocol driver program itself.
fig3
Open for new possibilities
Modern field devices, such as laser scanners or light curtains, can now be developed as needed. In many applications, PROFIsafe opens up whole new opportunities, such as drives with integrated safety. With PROFIsafe, drives can now assume safe states without switching off the motor (“Emergency Stop”). Previously, the “Emergency Stop” button acted to physically interrupt the power supply of the motor. But, remote I/Os can also now contain safety-related modules, such as digital and analog inputs/outputs, power modules, or motor starters with integrated safety. These modules can be arranged in groups and deactivated in groups, as well.

For users, however, there is still another crucial point in favor of PROFIsafe. “Besides the demonstrated safety, PROFIsafe is adapted to the installed base (retrofit) and is also equipped for future requirements,” stressed Dr. Stripf. In addition, PROFIsafe is easy to implement. Also, a change from PROFIBUS to PROFINET causes no problems due to the independent communication profile and the black channel principle. The identical PROFIsafe driver software can be used both in PROFINET as well as PROFIBUS devices.

Meanwhile, there are controllers from a variety of manufacturers and approximately 50 different device types for PROFIsafe. The user therefore has access to a wide selection of certified products. In addition, the user benefits from the past 10 years of experience with PROFIsafe. Incidentally, this applies not only to production industries. PROFIsafe can be found in more than 4000 PROFIBUS PA installations.

Conclusion
Thanks to its well thought-out simple concept, the PROFIsafe technology has been fully developed and accepted. In the future, PI will work to make the engineering process more convenient for the user and to provide the user with the necessary calculation results for planning purposes. PROFIsafe has meanwhile become an international standard with the issuance of IEC 61784-3-3. Detailed system descriptions are available or in preparation in numerous languages. The special PROFIsafe web portal keeps users up to date. A significantly improved version of the PROFIsafe development kit is available on the market with Version 3.4. This should allow other interesting device families to be won over to direct connection, such as robots, encoders, gas and fire detectors, overfill safety systems, pressure transmitters, etc. This will be supplemented by the regularly scheduled 3-day training courses for “PROFIsafe Certified Designer,” which are conducted jointly with the TÜV.

Based on a paper by Dr. Peter Wenzel
Executive Director, PROFIBUS Nutzerorganisation e. V. Germany

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s