10 years of flexible functional safety
25 June 2009
Based on its openness and widespread installation, PROFIsafe is currently the global market leader with over 630,000 PROFIsafe nodes. Ten years ago, however, it was necessary to convince safety authorities, 25 renowned safety engineering companies, and users to accept the completely new technology.
10 years of flexible functional safety with PROFIsafe
Arguably, an idea has seldom achieved acceptance on the market so quickly as that behind safety-related communication via PROFIsafe. Ten years ago, neither users nor manufacturers, let alone testing laboratories, could imagine that safe communication over a fieldbus was possible. What was the situation at that time? Profibus, the only fieldbus with an integrated solution for all areas of production and process automation, was already established and in widespread use. However, when it came to matters of safety, the prevailing opinion was that safety engineering required hard-wired solutions based on relay technology, and few innovations were attempted. The great advantage of traditional safety engineering was its simplicity. Still, little by little the disadvantages of this method for meeting the requirements of modern automation became evident. These included, for instance, the costs for labor-intensive cabling, the low degree of flexibility and availability, and the significant effort required for restart after a stop due to the undefined stop positions of machines.
An enquiry from a large petrochemical company was destined to change the safety engineering world. “We were asked whether it was conceivable that safety-related functions could be transmitted over a fieldbus,” remembered Herbert Barthel, Head of the PI (Profibus & Profinet International) Working Group “Functional Safety”. In the world of production and process automation, this had been unimaginable up to that point. So, the decisive push came from an industrial sector that no one had expected. “At the time there were proprietary solutions in rail engineering, but these could not be transferred without additional work," explained Dr. Wolfgang Stripf, overall responsible for functional safety and data security within the Technical Committee 3 of PI. Unlike that industry, the two automation experts wanted an open technology that would be accepted by all manufacturers and users. At the same time, the safety institutions and testing laboratories would have to be brought on board.
Thereupon, in September 1998, a roundtable of 25 renowned safety companies was created. In this forum, the requirements of the individual manufacturers were not only discussed, but a possible concept for this type of communication was also put forward. In the ensuing months, a new PI working group worked intensely on the safe communication profile, which was named PROFIsafe. “We were in close contact with the testing bodies at all times, so that approval by TÜV and BGIA was ultimately no problem,” attributed Dr. Stripf as a key aspect for the subsequent success.
The response to the surprise coup was powerful, and not everyone could get used to the concept right away. However, skeptics were quickly convinced by the innovative idea of the PROFIsafe protocol. The PROFIsafe protocol functions without affecting the standard bus protocols. The safety-related data are transmitted together with the conventional data over a common bus cable. The transmission channel is regarded as a “black channel”, analogous to the familiar “black box”. All conceivable errors in this channel are detected exclusively by the PROFIsafe protocol. The solution is therefore independent of the particular transmission channel, for example, copper cable, fiber-optic cable, or radio.
The PROFIsafe protocol benefited from the simultaneous development of new safety standards based on actuarials and the introduction of SIL as a means for classifying the probability of dangerous equipment faults. This cleared the way for use of microprocessors, software, and communication. With PROFIsafe, therefore, proper functioning can be mathematically confirmed even if more than two mutually independent faults or failures occur. Every imaginable function and load scenario was run through systematically for this.
Another milestone was set in 2005 with PROFIsafe for Profinet for some users, the notion that PROFIsafe also functions on Ethernet and the fact that there are now an unlimited number of nodes in space certainly took some getting used to,” said Barthel in describing the reservations. But in this case as well, the black channel concept proved itself, according the conclusions of the PROFIsafe experts. “Admittedly, the additional risks made it necessary to expand the specification slightly and to define a second mode, i.e., the “V2 mode,” explained Barthel.
An essential ingredient for acceptance by the user was introduction of a certification system and the associated test environment. To ensure proper communication between different products of different manufacturers, the products must be tested for conformity to the PROFIsafe specification. Currently there are two test laboratories for this purpose, and others are in preparation. In addition, PROFIsafe requires safety-related examination of devices according to IEC 61508 by an independent testing institute. Recently, certification tests also became available for safety-related controllers with PROFIsafe (F-host). The prerequisite for an F-host test is a previously certified controller with Profibus, and/or Profinet (basic test), in which the PROFIsafe protocol is integrated. The F-host test, which is accepted by TÜV, is practically an automated test and only has to be performed once, provided nothing has changed in the PROFIsafe protocol driver program itself.
Modern field devices, such as laser scanners or light curtains, can now be developed as needed. In many applications, PROFIsafe opens up whole new opportunities, such as drives with integrated safety. With PROFIsafe, drives can now assume safe states without switching off the motor ("Emergency Stop”). Previously, the “Emergency Stop” button acted to physically interrupt the power supply of the motor. But, remote I/Os can also now contain safety-related modules, such as digital and analog inputs/outputs, power modules, or motor starters with integrated safety. These modules can be arranged in groups and deactivated in groups, as well.
For users, however, there is still another crucial point in favour of PROFIsafe. “Besides the demonstrated safety, PROFIsafe is adapted to the installed base (retrofit) and is also equipped for future requirements,” stressed Dr. Stripf. In addition, PROFIsafe is easy to implement. Also, a change from Profibus to Profinet causes no problems due to the independent communication profile and the black channel principle. The identical PROFIsafe driver software can be used both in Profinet as well as Profibus devices.
Meanwhile, there are controllers from a variety of manufacturers and approximately 50 different device types for PROFIsafe. The user therefore has access to a wide selection of certified products. In addition, the user benefits from the past 10 years of experience with PROFIsafe. Incidentally, this applies not only to production industries. PROFIsafe can be found in more than 4000 Profibus PA installations.
Thanks to its well thought-out simple concept, the PROFIsafe technology has been fully developed and accepted. In the future, PI will work to make the engineering process more convenient for the user and to provide the user with the necessary calculation results for planning purposes. PROFIsafe has meanwhile become an international standard with the issuance of IEC 61784-3-3. Detailed system descriptions are available or in preparation in numerous languages. A special PROFIsafe web portal www.profisafe.net keeps users up to date. A significantly improved version of the PROFIsafe development kit is available on the market with Version 3.4. This should allow other interesting device families to be won over to direct connection, such as robots, encoders, gas and fire detectors, overfill safety systems, pressure transmitters, etc. This will be supplemented by the regularly scheduled 3-day training courses for “PROFIsafe Certified Designer,” which are conducted jointly with the TÜV.
Contact Details and Archive...