PC-based, but safe!

11 November 2009

It is now possible to operate PC-based applications, a standard PLC program, and safety program together on a single platform.

Failsafe communication can take place wirelessly via Profinet to the software controller. The operation of emergency stop pushbuttons on mobile panels, using PROFIsafe, is highly reliable.

Modern machine and plant concepts demand safety solutions that can be flexibly and economically integrated into complex production processes. A major contribution in this respect is provided by a failsafe software controller that performs both process and safety functions jointly on an industrial personal computer.

By integrating the safety technology into a software controller it is possible, not only to adapt automation functions individually, but also to implement safety functions up to safety integrity level SIL 3 on the same PC-based automation system.

Functional safety technology is an important topic in industrial applications. Siemens has been a driving force of progress in this field for more than 20 years and supplies a broad range of safety-oriented products based on international standards.

In the field of PC-based software controllers, Siemens has for a considerable time been offering various solutions using Simatic WinAC. This software allows the functionality of a Simatic PLC to be implemented on a PC. This means that not only typical PC applications, but also automation tasks can be implemented on one platform.

At the same time, PC applications can also be seamlessly integrated into the world of the PLC. This integration is particularly beneficial if application-specific tasks ‘converge’ on the PC: If, for example, a special automation function is already implemented on a PC basis, this function can be seamlessly embedded into the PLC functionality.

With the new Simatic WinAC RTX F software controller, Siemens combines its many years of safety engineering with the openness of a PC-based system and for the first time it is possible to operate functions such as PC-based technology modules, a standard PLC program and safety program on a single PC hardware platform. [Technology modules are software to perform special functions such as gearbox synchronisation, cam disk synchronisation, print-mark correction, etc.]

Safety-oriented standards such as IEC/EN 61508 (functional safety of electrical/electronic/programmable electronic safety-related systems) are very demanding. To meet them up to safety integrity level SIL 3, the highest level normally required in the industrial environment, the correct execution of every safety function must be guaranteed: each function must always be processed in the same, correct way, and every part of the safety program must be executed in full on every cycle.

‘Coded processing’

Failsafe controllers must be able to evaluate safety-relevant field signals and, in the event of a fault, immediately switch to or remain in a safe state. In the software controller this ability rests on the principle of diverse redundancy in time and data, referred to as 'Coded Processing'.

Here, safety-oriented operations are processed on two different paths, that is to say with logically and chronologically different algorithms, and the results are compared at the end of the CPU cycle. If the results deviate, a fault has occurred on one of the two paths and the CPU automatically switches to the safe state. In addition, the controllers have extensive self-diagnosis facilities.

The ‘Coded processing’ procedure allows safety-oriented applications to be realised with a single processor. It was first introduced as long ago as 2002, with the STEP 7 option package ‘S7 Distributed Safety’ for the single-channel failsafe Simatic S7 controllers.
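The following is an added illustration of the principle described above, written for this page; it is not Siemens code and does not reproduce the internals of WinAC RTX F or S7 Distributed Safety. One safety function (an enable signal derived from a two-channel emergency stop and a guard-door interlock) is evaluated on two diverse paths within a cycle: path A uses plain Boolean logic on the raw values, path B uses a different algorithm (the De Morgan form) on a bit-inverted data representation in which only two code words are valid. The results are compared at the end of the cycle, and any deviation or invalid code word drives the output to the safe state and latches it there until acknowledged. The signal names and the `corrupt` fault-injection hook are assumptions made for the demonstration.

```python
"""Coded processing, illustrated: one safety function evaluated on two
diverse paths within a cycle and compared at the end of the cycle.

Added example for this article. It is not Siemens code and does not
reproduce the internals of WinAC RTX F or S7 Distributed Safety; the
signal names and the fault-injection hook are assumptions for the demo.
"""
from dataclasses import dataclass


@dataclass
class Inputs:
    estop_ch1: bool      # emergency-stop contact, channel 1 (True = circuit closed, not pressed)
    estop_ch2: bool      # emergency-stop contact, channel 2
    guard_closed: bool   # guard-door interlock (True = closed)


def path_a(inp: Inputs) -> bool:
    """Path A: plain Boolean logic on the raw input values."""
    estop_ok = inp.estop_ch1 and inp.estop_ch2
    return estop_ok and inp.guard_closed


WORD = 0xFF  # 8-bit words for the diverse (bit-inverted) representation


def encode(b: bool) -> int:
    """Path-B representation: every Boolean is stored bit-inverted (True -> 0x00, False -> 0xFF)."""
    return 0x00 if b else WORD


def decode(word: int) -> bool:
    """Only two code words are valid; any other pattern means a corrupted value (e.g. a bit-flip)."""
    if word == 0x00:
        return True
    if word == WORD:
        return False
    raise ValueError(f"invalid code word 0x{word:02x}")


def path_b(inp: Inputs, corrupt: int = 0) -> bool:
    """Path B: the same function with a different algorithm on the inverted words.

    By De Morgan, NOT(a AND b) == (NOT a) OR (NOT b), so every AND of path A
    becomes a bitwise OR here.  `corrupt` XORs the given bits into the
    intermediate result to simulate a fault on this path (assumption for the demo).
    """
    estop_not_ok = encode(inp.estop_ch1) | encode(inp.estop_ch2)
    enable_not = estop_not_ok | encode(inp.guard_closed)
    enable_not ^= corrupt
    return decode(enable_not)


class FailsafeLogic:
    """Runs both paths per cycle; any deviation drives the output to the safe state."""

    def __init__(self) -> None:
        self.passivated = False   # True once a fault has been detected
        self.fault = ""

    def run_cycle(self, inp: Inputs, corrupt: int = 0) -> bool:
        """Return the actuator enable (True = energised); False is the safe state."""
        if self.passivated:
            return False          # latched: stays safe until acknowledged
        result_a = path_a(inp)
        try:
            result_b = path_b(inp, corrupt)
        except ValueError as err:
            return self._to_safe_state(f"path B: {err}")
        if result_a != result_b:
            return self._to_safe_state(f"path mismatch: A={result_a} B={result_b}")
        return result_a

    def _to_safe_state(self, reason: str) -> bool:
        self.passivated = True
        self.fault = reason
        return False

    def acknowledge(self) -> None:
        """Operator acknowledgement after the cause of the fault has been removed."""
        self.passivated = False
        self.fault = ""


if __name__ == "__main__":
    ctrl = FailsafeLogic()
    print(ctrl.run_cycle(Inputs(True, True, True)))                 # True: everything healthy
    print(ctrl.run_cycle(Inputs(True, False, True)))                # False: channel 2 opened
    print(ctrl.run_cycle(Inputs(True, True, True), corrupt=0x01))   # False: bit-flip on path B
    print(ctrl.passivated, ctrl.fault)
```

The diversity modelled here is in data representation and algorithm; the chronological diversity the article mentions (executing the second path at a different point in the cycle) is reduced to sequential execution. A single flipped bit on path B produces an invalid code word and is caught in `decode`; a fault that happens to turn one valid code word into the other is caught by the end-of-cycle comparison instead.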

The safety chain

A safety function of a machine or plant, however, is never just the controller but the entire chain: the sensors that acquire the signals, the logic solver, and the actuators. The logic solver consists of the controller and the I/O modules that read in the sensor signals and drive the output signals to the actuators.

All components contribute to the functional safety of the plant, in order to bring the plant to a safe state in the event of a hazardous event or to keep it in a safe state. The safety integrity level that can be achieved depends on the weakest link in the processing chain.

The software controller WinAC RTX F fits into the portfolio of Simatic Safety Integrated as a Windows XP or XP Embedded controller in the logic solver. It is the first PC-based safety system.

The higher the degree of automation, the more safety monitoring the controller has to perform. It can do so only if it is itself failsafe, that is, if it immediately switches to, or remains in, a safe state when a fault occurs.

Figure 1: The software controller WinAC RTX F as a turnkey bundle based on Industrial PC or S7-modular embedded controller, with operating system tailored to the respective hardware architecture, can be mounted directly onto DIN rails or on the machi

In the case of Simatic Safety Integrated, the logic solver consists of failsafe single-channel controllers and failsafe dual-channel I/O modules. The failsafe communication is executed via the safety-oriented PROFIsafe profile and is supported by the software controller not only via Profibus, but also via Profinet.

Safety software

The user creates the safety-oriented part of the program with the STEP 7 option package S7 Distributed Safety. The safety program is downloaded to the software controller alongside the standard program created in STEP 7.

S7 Distributed Safety offers commands, operations, and blocks for implementing safety-related programs in F-LAD (ladder diagram) and F-FBD (function block diagram).

To this end, a library of ready-made function blocks, approved by TÜV Süd for safety-related functions, is available. This can be used for the failsafe modular controllers as well as the failsafe software controller. Customised libraries can also be used on both types of controllers. The programming itself is done in the same way as with the standard editors of STEP7 for LAD / FBD, so that no additional engineering expertise is necessary.

The logic solver (the controller and I/O modules) can only be used for a safety-related function if all safety components work together. This means that the WinAC RTX F software controller has been installed on the PC hardware and that a safety program has been created with S7 Distributed Safety and loaded.

In addition, the distributed I/O must be connected with the controller by means of the PROFIsafe profile. This combination of safety certified components permits a simplified acceptance of the machine or plant.

For example, the PC hardware does not have to be approved separately, as it contributes only to the availability of the plant, not to its safety. Errors such as program execution errors or ‘bit-flips’ are detected by the software, which reacts accordingly. Communication errors are additionally detected by the I/O modules, which passivate or switch off the affected channels once a monitoring time has elapsed.

The selection of the PC hardware is only slightly restricted by the requirements of the software controller. Current x86-compatible PC systems are supported, and an evaluation tool supplied with the package helps to document the suitability of the PC hardware.

The turnkey bundle

The choice of the right PC system decisively influences the performance of a plant. Code processing is very fast in PC-based systems, although the software controller must share the PC resources with Windows. The achievable cycle time depends on the settings that are necessary for the application.

On processors with several cores, the conditions improve considerably, as the software controller can reserve one core exclusively for itself. Attention should also be paid to the robustness of the hardware: impact resistance, a minimum of moving parts (such as fans and hard disks), and power-failure buffering, to name just a few properties.

Finally, consideration should be given to the fieldbus compatibility of the PC: Are Profibus or Profinet interfaces on board? What about the PC hardware diagnostics?

For this reason, Siemens offers the software controller not just in the form of software for installation, but also as a turnkey bundle with the Industrial PC IPC427 RTX F for applications with Profibus and with the S7-modular Embedded Controller (S7-mEC) EC31-RTX F for applications using Profinet as the fieldbus (see Fig. 2).

Installed on the S7-mEC, the software controller WinAC RTX F also supports failsafe modules of the Simatic S7-300 series that are linked via the backplane bus with the S7-mEC. This makes very compact and economical solutions possible, as in certain circumstances, no fieldbus installation is necessary.

We have not yet considered the potential savings resulting from the great flexibility of a software solution in the event of subsequent plant modifications or expansions—to say nothing of the standardisation and portability properties.

Siemens Competence Centres for PC-based automation support users during the design, engineering, and optimisation of PC-based automation projects with Simatic WinAC and Simatic Industrial PCs.

Figure 2: It’s all done in software: the Simatic PC-based controller executes on any standard PC system. All PC applications, operator control, and monitoring tasks, as well as technological functions can be combined on one platform to form an overal

In Cologne, for example, teams of experienced experts work closely with the development departments in order to offer competent support to customers worldwide. The teams also have the expertise to integrate special software and hardware components, such as drivers and plug-in cards for communication or measurement, into PC-based solutions using the Simatic WinAC Open Development Kit (ODK).

With its innovative concept of the WinAC RTX F, Siemens is raising productivity through the combination of PC-based automation with functional safety, while taking all current standards into account.

SIDEBAR: PROFIsafe Communication

PROFIsafe was the first communication standard complying with IEC 61508 that permits standard and safety-related communication on the same bus cable. It has been adopted as the international standard IEC 61784-3-3.

The PROFIsafe profile permits failsafe communication over the open standard buses Profibus and Profinet using standard network components, and attains safety integrity level SIL 3. (PROFIsafe is a functional-safety profile; it is not a security protocol.)

Communication errors are detected quickly and reliably by a set of complementary measures. To detect loss or corruption of data, each data packet carries a cyclic redundancy check (CRC) and a consecutive number. Misdirected frames and delays are caught by further measures: each sender/receiver pair is identified by a unique address that is checked on every frame, and a timeout monitors the transfer time.

Communication within a safety circuit proceeds as follows: safety-related sensor signals from a bus node reach the safety-oriented controller via PROFIsafe. After the logic has been evaluated, the corresponding output signal is forwarded to a failsafe PROFIsafe bus node. The host and the clients each run a PROFIsafe driver, and each side checks the validity of the communication for itself. The standard network components between host and client are not safety-related; they are regarded as a ‘black channel’, since the safety of the shutdown does not depend on them.
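The exchange described in this sidebar, as an added example that is not PROFIsafe code and not part of the original article: a sender builds a safety frame consisting of the process data, a consecutive number and a CRC computed over data, number and the partner address; the receiver re-checks the CRC with its own configured address, verifies the consecutive number, and enforces a watchdog time, passivating (substituting fail-safe values) on the first failed check. The frame layout, the one-byte data field, the use of CRC-16/CCITT from the standard library, the 100 ms watchdog and the constructed scenario frames are all assumptions for the demonstration and do not match the real PROFIsafe PDU, CRC polynomials or state machine.

```python
"""Black-channel safety transfer: a simplified model of the checks the
sidebar describes (CRC, consecutive number, address, watchdog timeout).

Added example for this article. It is not PROFIsafe code and does not use
the standard's real PDU layout, CRC polynomials or state machine; the field
widths, the 16-bit CRC, the watchdog value and the sample frames are assumptions.
"""
import binascii
import struct
from dataclasses import dataclass
from typing import Optional

F_DATA_LEN = 1          # one byte of safety process data per frame (assumption)
SAFE_DATA = b"\x00"     # fail-safe substitute value: all safety outputs de-energised


def crc16(data: bytes) -> int:
    """CRC-16/CCITT from the standard library; stands in for the PROFIsafe CRC."""
    return binascii.crc_hqx(data, 0xFFFF)


def build_pdu(f_data: bytes, cons_nr: int, f_address: int) -> bytes:
    """Sender side: data, consecutive number, CRC over data + number + address.

    The partner address is covered by the CRC but not transmitted, so a frame
    that was meant for (or came from) a different partner fails the CRC check.
    """
    assert len(f_data) == F_DATA_LEN and 1 <= cons_nr <= 255
    crc = crc16(f_data + bytes([cons_nr]) + struct.pack(">H", f_address))
    return f_data + bytes([cons_nr]) + struct.pack(">H", crc)


class Sender:
    def __init__(self, f_address: int) -> None:
        self.f_address = f_address
        self.cons_nr = 0

    def send(self, f_data: bytes) -> bytes:
        self.cons_nr = 1 if self.cons_nr == 255 else self.cons_nr + 1
        return build_pdu(f_data, self.cons_nr, self.f_address)


@dataclass
class Receiver:
    f_address: int                     # address of the expected partner
    wd_time_ms: int                    # watchdog: max. interval between valid frames
    expected_nr: int = 1
    last_ok_ms: Optional[int] = None
    passivated: bool = False
    reason: str = ""

    def receive(self, pdu: bytes, now_ms: int) -> bytes:
        """Return the process data to use this cycle; fail-safe values once passivated."""
        if self.passivated:
            return SAFE_DATA
        if len(pdu) != F_DATA_LEN + 3:
            return self._passivate("length error")
        f_data, cons_nr = pdu[:F_DATA_LEN], pdu[F_DATA_LEN]
        (crc,) = struct.unpack(">H", pdu[F_DATA_LEN + 1:])
        expected_crc = crc16(f_data + bytes([cons_nr]) + struct.pack(">H", self.f_address))
        if crc != expected_crc:
            return self._passivate("CRC or address error")   # corruption or wrong partner
        if cons_nr != self.expected_nr:
            return self._passivate(f"sequence error: got {cons_nr}, expected {self.expected_nr}")
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.wd_time_ms:
            return self._passivate("watchdog timeout")
        self.last_ok_ms = now_ms
        self.expected_nr = 1 if cons_nr == 255 else cons_nr + 1
        return f_data

    def _passivate(self, reason: str) -> bytes:
        self.passivated, self.reason = True, reason
        return SAFE_DATA


def run_scenarios() -> dict:
    """Constructed frames exercising each check; returns {name: (data used, fault reason)}."""
    def fresh():
        return Sender(f_address=5), Receiver(f_address=5, wd_time_ms=100)
    out = {}
    s, r = fresh()                                   # undisturbed transfer
    r.receive(s.send(b"\x01"), now_ms=0)
    out["normal"] = (r.receive(s.send(b"\x01"), now_ms=10), r.reason)
    s, r = fresh()                                   # single bit-flip in the data byte
    pdu = s.send(b"\x01")
    out["bit_flip"] = (r.receive(bytes([pdu[0] ^ 0x01]) + pdu[1:], now_ms=0), r.reason)
    s, r = fresh()                                   # one frame lost in the black channel
    r.receive(s.send(b"\x01"), now_ms=0)
    s.send(b"\x01")                                  # this frame never arrives
    out["lost"] = (r.receive(s.send(b"\x01"), now_ms=20), r.reason)
    s, r = fresh()                                   # an old frame delivered a second time
    pdu = s.send(b"\x01")
    r.receive(pdu, now_ms=0)
    out["replay"] = (r.receive(pdu, now_ms=10), r.reason)
    s, r = Sender(f_address=7), Receiver(f_address=5, wd_time_ms=100)   # wrong partner
    out["wrong_address"] = (r.receive(s.send(b"\x01"), now_ms=0), r.reason)
    s, r = fresh()                                   # valid frame, but later than the watchdog allows
    r.receive(s.send(b"\x01"), now_ms=0)
    out["delayed"] = (r.receive(s.send(b"\x01"), now_ms=500), r.reason)
    return out


if __name__ == "__main__":
    for name, (data, reason) in run_scenarios().items():
        print(f"{name:14s} data={data!r:8} {reason}")
```

Each scenario except the undisturbed one ends with the receiver passivated and delivering `SAFE_DATA`, which is the behaviour the article describes for the I/O channels. One caveat for readers of a security corpus: these measures are designed against the transmission faults listed above (corruption, loss, repetition, delay, misdirection). A CRC is not a message authentication code, so the black-channel layer detects random and systematic faults rather than a deliberately forged frame; the security assessment of the fieldbus is a separate exercise from the safety acceptance.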

The use of standard components offers the following advantages:

* Standard design guidelines apply unchanged, such as, for instance, for shielding and lightning protection;
* Implementation of failsafe redundant systems;
* No effect on the number of bus nodes and the communications performance; and
* No further need for stocks of duplicate cabling components.

In addition, there are enormous potential savings regarding the cabling and variety of different parts if the same bus cable is used for both safety related and standard communication.

According to the PROFIBUS Nutzerorganisation e. V. in Karlsruhe, PROFIsafe has already gained a high level of acceptance in safety-related plants. This is apparent from its enormous global market share: by the end of 2008, the number of PROFIsafe systems had reached 66,000 and the number of PROFIsafe devices 630,000.

A recently published study by the ARC puts the current total market for bus-capable safety devices at 700,000. According to this, PROFIsafe holds a 90% share of the market.

