From the end of December 2009, machine safety technology must meet the requirements of ISO 13849-1 and IEC 62061. For the first time, a standard that applies to machine manufacturing will contain concrete regulations for the configuration and programming of electric and electronic systems. Reason enough to take a closer look at their content and impact.
Electric and electronic safety products are vital components in a machine's safety chain. With the increasing complexity of machine automation and the higher demands on the safety technology with respect to protection against manipulation, process monitoring and configuration safety, more and more programmable and configurable electronic systems are being implemented. These systems are easy to use and can react flexibly to different requirements - advantages that are very convincing for decision-makers in development and design departments. Not surprising then, that so many of these systems are already being offered on the market today, and that new products for this area of application are appearing almost monthly. What are the differences between these products? What are their key advantages and disadvantages?
In the interest of readability, this article will focus on the ISO 13849-1 standard, since the requirements of IEC 62061 are mostly identical or comparable with regard to the topics covered below.
Maintenance versus safety
Among other things, ISO 13849-1 requires machine manufacturers to consider the effect that various processes and manual actions, such as repair, setup, cleaning, error analysis, etc. have on safety when identifying and specifying the safety functions. That means that predictable misuse that might occur during repair and maintenance of the machine must be accounted for in the safety concept and appropriate preventative measures must be implemented.
Disturbances in particular, and the service they require at any time of day or night, hold numerous dangers that could negatively affect the safety of the machine. Say the service technician needs to replace a component. This person is then solely responsible for ensuring that the replacement part is connected correctly so that safety is maintained. Wiring mix-ups are generally detected, but can you really depend on this in every situation? Assume the signals of two similar light curtains are swapped. Is the prescribed wiring test designed with enough care to detect this mistake? What are the consequences if a single DIP switch on the safe rotation speed monitor has the wrong setting? This may change the limit value for the safe low speed to a value many times higher than the correct one. Maybe this error even slipped in during the last exchange, and although the maintenance technician is careful to make the same settings as on the old module, they are still the wrong settings. And what might happen if a safety switching device rated for 6 A is replaced by a 4 A device because there were no more 6 A devices in stock? This error would surely also go unnoticed, yet the safety functionality with regard to the performance level, and the resulting very low probability of a dangerous failure, is certainly lost.
In short, under the pressure of maintaining production levels, the common practice for handling service scenarios like these puts the service technician in charge of configuring the safety application, and ultimately makes him or her responsible for ensuring that all of the safety technology is functioning properly. And this happens with every service call, regardless of the time of day. These error scenarios may be manageable when the safety application is very simple. In other situations, however, a system with integrated configuration management is what is needed. In these systems, a central safety device – generally a SafePLC with exchangeable configuration memory – monitors the entire safety-related configuration. The system is therefore immediately able to detect incompatible devices or incorrect settings, and restart is inhibited by the safety technology. Some systems also offer removable terminals, which make it possible to exchange devices without disconnecting cables. These features make the service technician's job significantly easier.
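The following is an added example, not code from the article or from any vendor's product, of the startup consistency check that such integrated configuration management performs: the central safety device holds the approved configuration and compares it with what it actually finds on the bus, and any mismatch keeps the restart inhibited while the finding is logged. It is written in Python rather than a PLC language so that it can be run directly; the slot names, node IDs, current ratings and DIP settings are constructed for illustration. The three scenarios it exercises are the ones described above: swapped light curtains, a wrong DIP switch on the speed monitor, and a 4 A relay fitted in place of a 6 A one.

```python
"""Added example: startup consistency check modelled on integrated configuration
management. All slot names, node IDs, ratings and settings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DeviceRecord:
    """What the safety controller expects (or actually sees) at one slot."""
    device_type: str                              # e.g. "light_curtain"
    node_id: int                                  # identity reported by the device itself
    rated_current_a: float = 0.0                  # switching capacity, where it applies
    settings: Tuple[Tuple[str, str], ...] = ()    # (parameter, value) pairs such as DIP switches


@dataclass
class ConfigCheck:
    expected: Dict[str, DeviceRecord]             # approved configuration from the controller's memory
    log: List[str] = field(default_factory=list)  # record of what was found, for the service history

    def verify(self, detected: Dict[str, DeviceRecord]) -> bool:
        """Compare the detected devices with the approved configuration.
        Returns True only if every slot matches; otherwise restart stays inhibited."""
        ok = True
        for slot, want in self.expected.items():
            have = detected.get(slot)
            if have is None:
                self.log.append(f"{slot}: device missing")
                ok = False
                continue
            if have.device_type != want.device_type:
                self.log.append(f"{slot}: wrong device type {have.device_type!r}, expected {want.device_type!r}")
                ok = False
            # Swapped wiring shows up as the wrong device identity answering on a slot
            if have.node_id != want.node_id:
                self.log.append(f"{slot}: node {have.node_id} answering, expected node {want.node_id}")
                ok = False
            # A lower-rated replacement loses the performance level even though it 'works'
            if have.rated_current_a < want.rated_current_a:
                self.log.append(f"{slot}: rated {have.rated_current_a} A, expected {want.rated_current_a} A")
                ok = False
            if dict(have.settings) != dict(want.settings):
                self.log.append(f"{slot}: settings {dict(have.settings)} differ from approved {dict(want.settings)}")
                ok = False
        for slot in detected.keys() - self.expected.keys():
            self.log.append(f"{slot}: unexpected device present")
            ok = False
        self.log.append("restart permitted" if ok else "restart inhibited")
        return ok


def approved_configuration() -> Dict[str, DeviceRecord]:
    """Constructed approved configuration for a small machine."""
    return {
        "LC_front": DeviceRecord("light_curtain", node_id=11),
        "LC_rear": DeviceRecord("light_curtain", node_id=12),
        "SPEED": DeviceRecord("speed_monitor", node_id=20, settings=(("dip_limit", "0010"),)),
        "RELAY": DeviceRecord("safety_relay", node_id=30, rated_current_a=6.0),
    }


def run_scenario(changes: Dict[str, DeviceRecord]) -> Tuple[bool, List[str]]:
    """Start the controller against a detected configuration that differs from the
    approved one by `changes`; return (restart permitted?, log)."""
    detected = approved_configuration()
    detected.update(changes)
    check = ConfigCheck(expected=approved_configuration())
    return check.verify(detected), check.log


if __name__ == "__main__":
    # The service mistakes from the text: swapped light curtains, wrong DIP setting
    # on the speed monitor, and a 4 A relay fitted in place of the 6 A one.
    scenarios = {
        "unchanged": {},
        "curtains swapped": {"LC_front": DeviceRecord("light_curtain", 12),
                             "LC_rear": DeviceRecord("light_curtain", 11)},
        "dip switch": {"SPEED": DeviceRecord("speed_monitor", 20, settings=(("dip_limit", "0100"),))},
        "4 A relay": {"RELAY": DeviceRecord("safety_relay", 30, rated_current_a=4.0)},
    }
    for title, changes in scenarios.items():
        _, log = run_scenario(changes)
        print(title + ": " + "; ".join(log))
```

The point of the design is that the technician's judgement is no longer the only barrier: the approved configuration travels with the controller's exchangeable memory, so a replacement that differs in identity, rating or settings is refused before the machine can be restarted, and the log gives the next person a record of what was actually found.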
Selecting the right programming language
A further aspect of the new standard concerns the structure and language variability of the configuration software needed for a safety system. ISO 13849-1 differentiates between programming languages with "Limited Variability Language" (LVL) and "Full Variability Language" (FVL).
Limited Variability Languages (LVLs) make it possible to combine predefined library functions to implement the safety requirements in the program. The user is also protected against the otherwise so frequent sources of error during programming. Formation of loops, use of pointers and global variables are prohibited, for example. LVLs include the IEC 61131-3 programming languages FBD (Function Block Diagram) and LAD (Ladder Diagram). Some manufacturers offer proprietary solutions here; however, these don't allow the application program to be reused if the system is replaced.
Full Variability Languages (FVLs) offer all programming possibilities. These include the IEC 61131-3 languages IL (Instruction List) and ST (Structured Text), as well as the high-level languages C, C++ and more. Programming in an FVL is not restricted in any way, and therefore leaves open all the possible sources of error involved in programming. This includes, for example, the formation of endless loops, memory errors due to faulty pointers and incorrect access to global variables.
Because of the many potential errors, implementing application software in an FVL requires a considerably more involved development process than implementing it in an LVL. ISO 13849-1 prescribes a very simplified software development process for implementations in an LVL. On the other hand, the IEC 61508 series of standards applies when the application software is implemented in an FVL. This series of standards consists of 7 parts with a total of approximately 430 pages. Establishing a standard-compliant development process in accordance with IEC 61508 in and of itself represents an enormous investment. Software implementation in an FVL therefore involves disproportionately more time and expense than implementation in an LVL. When selecting a programming language it is therefore well-advised to choose an LVL. When selecting a system, the configuration software and its classification should be evaluated based on these criteria.
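To make the LVL/FVL distinction concrete, here is an added example, not code from the article or from any vendor's tool, of what "limited variability" means in practice: a small interpreter for a function-block-style program in which the application can only wire together a fixed library of pure blocks, and a static check refuses anything outside that subset (unknown blocks, wrong arity, unwired inputs, and above all feedback loops, which is how an endless loop would enter an FVL program). Values are passed explicitly from block to block, so there is no global state and no pointer for a block to reach. The block library, signal names and sample program are constructed for illustration; Python is used so the example runs directly.

```python
"""Added example: interpreter for a limited-variability, function-block style
program. Library, program and signal names are constructed for illustration."""
from typing import Callable, Dict, List, Tuple

# The only operations the application may use: a fixed library of pure blocks.
# Each entry is (number of inputs, function). No pointers, no global state.
LIBRARY: Dict[str, Tuple[int, Callable[..., bool]]] = {
    "AND": (2, lambda a, b: a and b),
    "OR": (2, lambda a, b: a or b),
    "NOT": (1, lambda a: not a),
    # Two-channel input: only an agreeing pair of 'safe' signals releases the
    # output; any discrepancy or open channel yields the safe state (False).
    "EQUIV2": (2, lambda a, b: a and b and a == b),
}

# A program is a list of block instances: (instance name, block type, input sources).
# A source is either a process input name or the name of another instance.
Program = List[Tuple[str, str, List[str]]]


class ProgramError(ValueError):
    """Raised by the static check when the program leaves the allowed subset."""


def validate(program: Program, input_names: set) -> List[str]:
    """Static check: known blocks, correct arity, resolvable wiring, and no
    feedback loops. Returns an evaluation order (Kahn's algorithm) on success."""
    instances: Dict[str, List[str]] = {}
    for name, block, sources in program:
        if name in instances or name in input_names:
            raise ProgramError(f"duplicate or shadowing name {name!r}")
        if block not in LIBRARY:
            raise ProgramError(f"{name}: unknown block {block!r}")
        if len(sources) != LIBRARY[block][0]:
            raise ProgramError(f"{name}: {block} takes {LIBRARY[block][0]} inputs, got {len(sources)}")
        instances[name] = sources
    indegree = {name: 0 for name in instances}
    users: Dict[str, List[str]] = {name: [] for name in instances}
    for name, sources in instances.items():
        for src in sources:
            if src in instances:
                indegree[name] += 1
                users[src].append(name)
            elif src not in input_names:
                raise ProgramError(f"{name}: unwired input {src!r}")
    order = [n for n, d in indegree.items() if d == 0]
    for n in order:                      # the list grows while we walk it
        for user in users[n]:
            indegree[user] -= 1
            if indegree[user] == 0:
                order.append(user)
    if len(order) != len(instances):
        raise ProgramError("feedback loop: " + ", ".join(sorted(set(instances) - set(order))))
    return order


def run(program: Program, inputs: Dict[str, bool]) -> Dict[str, bool]:
    """Evaluate one cycle. Every value is passed explicitly; a block sees
    nothing except its wired inputs."""
    order = validate(program, set(inputs))
    by_name = {name: (block, sources) for name, block, sources in program}
    values: Dict[str, bool] = dict(inputs)
    for name in order:
        block, sources = by_name[name]
        values[name] = LIBRARY[block][1](*[values[s] for s in sources])
    return {name: values[name] for name in by_name}


def rejects(program: Program, input_names: set) -> bool:
    """True if the static check refuses the program."""
    try:
        validate(program, input_names)
    except ProgramError:
        return True
    return False


# Constructed sample application: two-channel E-stop and two-channel light
# curtain together gate one release signal.
SAMPLE: Program = [
    ("estop_ok", "EQUIV2", ["estop_ch1", "estop_ch2"]),
    ("curtain_ok", "EQUIV2", ["lc_osdd1", "lc_osdd2"]),
    ("release", "AND", ["estop_ok", "curtain_ok"]),
]
INPUTS = {"estop_ch1", "estop_ch2", "lc_osdd1", "lc_osdd2"}

# The same kind of wiring with a feedback path: an FVL would loop on this forever.
LOOPED: Program = [
    ("a", "AND", ["estop_ch1", "b"]),
    ("b", "OR", ["a", "estop_ch2"]),
]

if __name__ == "__main__":
    healthy = dict.fromkeys(INPUTS, True)
    print(run(SAMPLE, healthy))
    print(run(SAMPLE, {**healthy, "lc_osdd2": False}))
    print(rejects(LOOPED, INPUTS))
```

The sharpness of the static check is the whole point: the restricted program cannot express a loop, a pointer or a global, so the simplified ISO 13849-1 process for LVL software is sufficient for it, whereas a program in C or ST can do all of those things and must be developed under IEC 61508 to show that it does not.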
Integrated Safety Technology
With its Integrated Safety Technology, B&R has raised the bar for straightforward applications, reliable service scenarios and continuous scalability. The safety functions are programmed in the Automation Studio SafeDESIGNER. In addition to FBD and LD language elements that conform to IEC 61131-3, users have a TÜV-certified library with 20 function blocks for machine automation available to them. All function blocks fully correspond to the PLCopen standard. Programming of the safety application is reduced to the virtual wiring of the logical blocks. This very straightforward and intuitive operation makes the resulting applications clearly structured and easy to understand. Errors are prevented very early in all stages of development. SafeDESIGNER precisely meets all expectations placed on an LVL programming system. Still, the toolkit also makes it possible to create extensive, complex applications, since it is not limited to the configuration of individual blocks, but also allows for free programming with all the possibilities permitted for an LVL. This makes the SafeDESIGNER program editor the only certified system on the market that masters the conflicting objectives of open programming and strict adherence to LVL.
The safety application developed in SafeDESIGNER is run on the safe CPU (SafeLOGIC). It supports cycle times from 1 ms and the connection of up to 100 safety-related peripheral devices such as I/O modules, servo drives with integrated safety functions or light curtains, and much more. The very modular concept allows for technically compatible and economically competitive solutions to be created for an extremely broad range of applications. These begin with the simplest applications with fewer than 10 safety-related I/O channels, and reach all the way to complex systems with hundreds of safe I/O points. Various safety functions in the drive as well as in the light curtain are available in all these applications based on the same platform and the same programming system. Sophisticated algorithms and functions for automatic handling of various options in series production, based on the same safety application, round off the portfolio of functions.
Integrated Safety Technology from B&R provides welcome relief for the service technician in order to ensure the machine's safety. The configuration management integrated in SafeLOGIC guarantees consistent configurations and documents all work performed on the safety-relevant components. The integrated diagnostics, which can of course also be used for remote diagnostics, plays an important role in making sure service technicians are able to respond correctly to any situation. The modularity of the X20 System with its removable terminals frees the service technician from the substantial task of disconnecting all the critical safety-related wiring in order to exchange a component.
B&R's portfolio of safety products is rounded off by the safe drive technology components. The modular drive system ACOPOSmulti from B&R has all the most important safety functions for handling drives in the field of machine manufacturing. To protect the user from accidental misuse and remove the pitfalls of safety technology, SafeLOGIC manages the configuration and parameters here as well. This relieves the service technician from disproportionate responsibilities with respect to the safety technology.
Author: Franz Kaufleitner, Product Manager Integrated Safety Technology, B&R, Eggelsberg, Austria