In 1999 AS-Interface
introduced "Safety at Work", the first bus system able to simultaneously
handle standard and safety-oriented devices on a single network. The goal of
this design was to replace the previously hard-wired safety-oriented
applications with a bus technology without the need to introduce an additional
safety bus. Standard and safety-oriented components should be connected by the
simple two-conductor cable that made AS-Interface such a success. Additionally,
the system was not only supposed to be fully compatible with all existing
slaves but also, because of the wide-ranged usage possibilities of
AS-Interface, with all masters and gateways that were already available and not
safety-oriented by themselves. This standard compliant solution, approved by
regulatory agencies for usage in applications up to category 4/SIL 3, was
implemented by using separate safety contacts and controlling them by a safety
monitor. The Safety Monitor interfaces the safe inputs, supervises their
communications, and stops the application if the "STOP" signal is sent. The
Safety Monitor is constructed as a safe device and runs the safety
configuration. This configuration is created by the "ASIMON" PC application and
then downloaded to the Safety Monitor. This principle permits the design of
safety-oriented applications on the lowest field level without the necessity
for the master or control system to be implemented as safety-oriented devices
themselves.
Safety at Work has proven effective in numerous applications during the past 7
years. But as in most cases, "the proof of the pudding is in the eating":
field experience leads to requests for new functionality, and the
latest AS-Interface specification 3.0 permits the realization of new ideas.
Bihl+Wiedemann reacted to these requests and developed a second-generation
Safety Monitor (fig. 1).
A safe output for OEM applications for Safety at Work
Fig. 2: AS-i Safety output in IP20
Safe
outputs for Safety at Work are used as "remote outputs" of the Safety Monitor
(figure 2). They offer two important advantages: the outputs can be implemented
at arbitrary locations in the system without the need for additional wiring
between the Safety Monitor and the location where the safe shutdown is needed.
Also, multiple safe outputs can share the same safe address due to the unique
communication method. This enables grouping of outputs for the
application.
The new Safety Monitor
Since many new features distinguish Bihl+Wiedemann's new Safety Monitor, it
makes sense to call it a "second generation" device. It is based on the
well-established stainless steel housing this manufacturer is known for
(fig. 1):
-
  Diagnosis data of the new Safety Monitor:
    RUN / Stop / Offline phase
    Number of the released circuit during a stop condition
    Address of the initiating slave
    Detailed information concerning the cause of the STOP:
      Operational-related STOP (STOP without a null sequence)
      Error-related STOP = STOP because of an error (code error, slave failure, etc.)
      Internal device error
      History (last STOP cause) retrievable
    Condition of the network:
      Ground fault
      Supply voltage interruption
      Over voltage
      Double address detection
      Failed (standard) slave
      Error counter per slave retrievable
      Actual slave conditions retrievable
    Restart conditions:
      Restart
      Reset of error condition
      Check necessary
Most important: the monitor has a display and keyboard that give the user
access to new and detailed diagnostic functions (see table), offering
considerable support during the design phase of the system as well as during
maintenance and troubleshooting, when the cause of a STOP must be
determined quickly. The previous logical and local separation of information
across the system, always considered annoying, is now rendered unnecessary. A
PC and the "ASIMON" software are no longer necessary to determine the reasons
for a sudden STOP of the system. This is especially important if users without
detailed background knowledge operate the system. However, the parallel method of
transferring data via the RS232 to a PC is still available and thus permits the
programming of the Safety Monitor. As before, it is still possible to display
the behavior of all safe slaves graphically.
- The Safety
Monitor is implemented as a slave in its network. Due to specification 3.0
enhancements it is now possible to "up link" all diagnostic data from the
Safety Monitor to the PLC and application program via the AS-Interface network.
All it takes is a master built according to specification 3.0 (independent of
the manufacturer). This feature becomes especially important if the data is
also needed by the upper level control system.
- This way all
diagnostic data is available at three different locations: locally on the
Safety Monitor display, on the optionally connected PC (providing the option to
print the data), and on the (potentially far away) control systems. Hence, the
user has the choice of where he/she wants to check the system: at the Safety
Monitor (in the field) or at the central control system. This represents the
inclusion of the detailed error diagnostics first introduced by Bihl+Wiedemann
into AS-Interface Safety at Work.
(The formerly used Safety Monitor
displayed current conditions only by using LEDs since it did not make sense to
generate diagnostic data that could not be transmitted to the master in its
entirety. Consequently, it was often necessary to diagnose a system by using a
PC.)
- The new
Monitor is able to create a safety message for a second AS-Interface network.
It not only supervises safety devices on its own network but can also
function as a safety slave on a second Safety at Work network. Thus it is easy
and inexpensive to transmit safety information about the condition of the first
network into a second network.
- The new
Safety Monitor now supports safety outputs. Safety at Work is no longer limited
to safety inputs.
-
Fig. 3: Memory Card
The
configurations saved in the monitor can now be changed by replacing memory
cards. This simplifies support by the machine builder or system modifications.
Service calls are therefore considerably reduced.
- The advanced
AS-Interface diagnostics features, well known from the
Bihl+Wiedemann masters, were added: error counter, ground fault
detection, double address detection, noise monitoring, and over voltage
indication. These diagnostic methods offer additional support during error
diagnostics, operational tests at set-up and service.
- The new
Safety Monitor can be powered from the AS-Interface network, while the previous
generation Safety Monitor had to be powered by a (separate) 24 V supply.
Additionally, it is possible to redundantly power the system from a 24 V supply
or a second AS-Interface network in such a way that failure (for instance due
to a short circuit) does not lead to a loss of information about the condition
and the history of the Safety Monitor. This facilitates the analysis of the
problem causing this fault.
Safety Monitor with integrated PROFIBUS Gateway
Fig. 4: Safety monitor with integrated PROFIBUS gateway
Especially for PROFIBUS networks there is another simplification: an AS-i 3.0
PROFIBUS gateway with integrated Safety Monitor, also in a stainless steel
housing, is offered. This gateway allows access to all application functions,
including those that are not safety related, and also allows PC programming at
the location of the gateway. The only prerequisite for using this gateway is
that the master and monitor can be placed at the same location without being
separated, for instance, by a repeater. If this condition is fulfilled, the
gateway represents the most elegant solution, offering space and cost
advantages in addition to user friendliness.
Interoperability and compatibility
What
remains as strong as always are interoperability and compatibility, the
well-known foundations of AS-Interface. Naturally, the new Safety Monitor in
the stainless steel housing and the new gateway with integrated monitor can be
used with all safety-related slaves and modules, independent of their
manufacturers. However, interoperability includes more than the hardware: both
devices can load and execute any already existing configuration running on a
Safety Monitor of the first generation! During normal operation the
stainless steel Safety Monitor operates as a specification compliant 3.0 slave
with the profile "combined transactions" and is interoperable with any 3.0
master and thus with any control system interfaced via an upper level network.
However, it is downward compatible as well: It can operate as a Safety Monitor
in networks with older masters according to specification 2.0 or 2.1. If used
as a replacement component in such a network or for its easy error evaluation,
the Safety Monitor can be configured as a simple 2.1 slave. In this case the PLC
application runs as before, without modifications of the master or application
program. Only the transmission of data using the new profile is not
possible. Both interoperability and compatibility are considered important
factors with respect to protecting the users' investment in previously developed
safety technology solutions.