Bihl+Wiedemann GmbH: Article - Safety at Work? Of Course! And Convenient!

10/04/02 - Article - Safety at Work? Of Course! And Convenient!

Safety at Work? Of Course! And Convenient!

For "Safety at Work", the safety oriented version of AS-Interface, generally any master can be used. But working with a master that offers additional features planning, commissioning, operation and maintenance of a Safety at Work network can be made even easier by means of new application functions and convenient data management on the master level.

"Safety at Work" means using AS-Interface in safety oriented applications up to category 4, the highest level of the relevant European standard EN 954-1. Its central element, the safety monitor, has now been certified by the TÜV-Nord, an official authority in Germany for safety related products. Consequently "Safety at Work" can be used without limitations and is offered by several manufacturers.

The issue is no longer whether or not Safety at Work can be used. It is now how comfortably it can be implemented in an AS-Interface network. The user is supported by the fact that the interoperability of all components, one of the highlights of AS-Interface, is maintained in Safety at Work despite its higher requirements. Masters (gateways), safe slaves and standard slaves of different manufacturers can be combined with the new safety monitor within one network as the user likes. This gives the user the opportunity to choose from a wide range of products which differ in terms of functionality, ease of operation and other characteristics.

Figure 1: The principle of Safety at Work

The concept of Safety at Work ⁽¹⁾:

In its standard version AS-Interface uses a highly protected data transmission system, which does not have to be altered for safety applications. This results in two specialties for Safety at Work:

As long as only safe input signals are required (e.g. emergency shutdown, door lock checking devices, light curtains, etc.) the standard AS-Interface network needs only to be supplemented with a safety monitor. All other components (standard slaves, power supply, master and host) and the telegram structure remain the same as in the standard AS-Interface network. A special safety feature for the communication between the safe slaves and the safety monitor increases safety. This is achieved by a dynamization of the telegrams they exchange. If necessary (i.e. when a safe slave responds or if an error occurs) the safety monitor takes control of the system and puts it into a defined, safe state by switching off the auxiliary power of critical actuators.
Safety components and standard components can be combined in a network. Special safety slaves complying with EN 954-1 are only required for the (possibly few) critical signals. All other components can be standard AS-Interface devices. Even currently existing standard AS-Interface networks can be retrofitted with safety components.

The concept, as well as the universal safety monitor, has been certified by the official authorities (TÜV or BIA). For details see note (1) at the end of this article.

AS-Interface masters and gateways (“links”) with application functions

Using the example of a master family we will show how one can make use of AS-Inter-face’s inherent interoperability and a clever data management and evaluation system on the master level. Key ideas are application functions and a human-machine-interface (HMI).

The principle of Safety at Work is familiar by now (see Figure 1 and the box above), so there is no need to explain it in detail here. Due to the higher requirements of the safety technique, however, a Safety at Work network produces additional data, so additional solutions must be considered. The most different stop situations need to be analyzed. The monitor records (or generates) this data and provides it for evaluation. According to the concept the data is read, through the master, by the higher control (or host) by means of a function block. This data can then be evaluated by the host.

It is, however, more sophisticated to add additional functions to the system by allocating them to the master as “application functions”. This approach is based on the following ideas:

In addition to the standard AS-Interface data all data that can be recorded and edited by the master is provided in such a way that a user programming an individual application can access it directly. Thus he or she can easily design the program to react to different situations immediately.
If all gateways and masters of a family are configured identically the AS-Interface network itself becomes completely independent of the higher level system. Since the data is provided regardless of which host system is used function blocks are not required. Therefore any change of the host system is made much easier.
If this data is also provided via a display, such as an HMI, it can be used at the master for a complete in place diagnosis, regardless of the location or configuration of the host or its current operating state.

Figure 2: The new master with graphic display, shown here as a gateway to Profibus (picture: Bihl + Wiedemann)

Bihl+Wiedemann’s new generation of masters and gateways (“links”) ⁽²⁾ offers this support to the user (figure 2). They are provided with all standard AS-Interface functions, additional application functions and either a standard or enhanced graphical display. Their benefits can be seen in Safety at Work networks particularly because they enable easy integration of safety features into an AS-Interface system, but they apply generally to any master.

All of the functions of the extended AS-Interface specification (V. 2.11), which was introduced about the same time as Safety at Work, are implemented. These functions include the data describing the slaves (I/O, ID, ID1 and ID2), input and output data images, slave parameters, the extended address range of up to 62 slaves, the integrated input and output of analog data complying with profile S-7.3, input and output of long messages complying with profile S-7.4, handling of peripheral faults, etc. See figure 3 for an overview. Details of these functions have already been described in previous documents ⁽¹⁾.

Figure 3: The structure of the new family of Bihl+Wiedemann masters shown in a block diagram. In addition to the standard AS-Interface functions the master level – as firmware constituent of all masters – offers additional application functions for easy handling of all safety-related data. The host interface, which represents the connection to the higher level computer, is product-specific, i.e. for a master for a PC it is different than for a master for a particular PLC or for a gateway to one of the higher level fieldbuses (2) . The graphic display has access to all functions and becomes an HMI. In a double master the blocks “bus interface” and “master level” are provided twice.

Additionally Bihl+Wiedemann has implemented extra application functions which go beyond the standard functions of the general AS-Interface specification:

A function to read all diagnostic values of the Safety at Work monitor into the master, provided that a separate slave address has been allocated to the monitor.
A list of all safe slaves, describing their status as either “activated” or “not activated”. These lists are generated after a request by the host and are available even if the monitor has not been provided with a separate address.
A list of all slaves, containing the number of cleared short-term communication errors that have occurred either since the master was switched on or since the last read-out of this list.
A list of all slaves with the profiles S-1.1 and S-3.A.1 which have either transmitted a pre-failure warning message or are marked as “not available” (data bits D1 or D2).

Human-machine interface in the master

Setup
AS-Interface Circuit
AS-Interface Slave Addr.
Force Offline
Operation Mode
Store Act. Cfg.
Permanent Param.
Permanent Cfg.
Addr. Assistant
LOS

IO + Param. Test
Binary Inputs
Binary Outputs
Analog Inputs
Analog Outputs
Parameters

Diagnosis
ec-Flags
actual config.
LPF
AS-Interface Master

adv.Diagnosis
Error Counters
LCS

AS-Interface Safety
Safety Slaves
Safety Monitor

PROFIBUS
PROFIBUS Address
PROFIBUS Status

Fig. 4: All master functions can be displayed with the menu on the graphical display. Figure 4 shows the first two menu levels. Figures 5, 6 and 8 show further levels.

The masters are additionally provided with a display (figure 2) for the communication with the user (exception: PC cards, as here the PC monitor can be used for this purpose). This function also exceeds the general AS-Interface specification. In the simple, classic version the addresses of all connected slaves can be displayed, configuration errors indicated and addresses changed.

The version provided with a graphic display goes far beyond this:

All functions of the master level (standard and application functions) are directly available via the graphic display, with no need for additional devices. The lists previously described can be displayed. Navigation is made simple by the easy to use menu (figure 4).
Slaves can be addressed, checked and parameterized individually through the master. The user can display inputs and set outputs. Since the master contains all functions of AS-Interface version 2.11 this applies to binary as well as analog values (see figure 5).
If a gateway is used address and parameters related to the higher level system can be configured.

This means that the functions and lists of the master are not only available to the host system via its interface to the master, but they can also be displayed for in place diagnosis. Functions the programmer does not wish to use in the application are nevertheless available visually at the master if required. Since the master is powered by the AS-Interface network these functions can be used even if the host network does not exist yet (during commissioning) or is temporarily cut off (during maintenance). In the case of large-area systems all functions can be used directly at the master, no matter how far the distance to the controller is.

Thus the graphic display allows a complete and easy in place diagnosis. It becomes a Human-Machine Interface (HIM) which is independent of any control or fieldbus. This is another characteristic of the new master family, above the application functions.

Intelligent solutions through application functions

The main reason for using AS-Interface is cost reduction. A proof of this is the widespread use of modules that support multiple “conventional” sensors and actuators. Integrated slaves are used less often, even though they enable new and intelligent automation solutions (which can greatly benefit the user) by providing additional data. Therefore some of the advantages of the bus technology – more information obtained from the process – are to a large extent neglected. One reason for this may be that until now the relevant information had to be integrated into the application program bit by bit.

Figure 5: Display example: digital and analog writing

Safety at Work will change this. More often the end user needs the option to react individually to certain situations to increase the availability of his or her system without having to cut back on safety. The application functions of the new master family make this easier than ever:

The status list of the safe slaves contains a “1” for each safe slave that has been activated, e.g. by an emergency shutdown switch. Not only is the address of the relevant slave shown immediately in the masters display, it is also available via the list for further processing, provided the reaction was caused by the activation of the safe slave and not by a fault. Thus it becomes very easy for the application programmer to check if one of the safe slaves has been activated and to use this information accordingly. The end user can be informed about the reason for a stoppage, for example, by a message on an external display like “Belt conveyor 1 stopped by emergency shutdown” or “Protected area entered”.

In such a case the system, or the relevant part of it, is stopped by the safety monitor. The reason for the stop – the “normal” response of a particular slave – is displayed clearly via the list in the master so the operator will not have to waste time looking for the cause.
Similar improvements apply to the lists recording the warning and availability messages of integrated intelligent slaves complying with profiles S-1.1 and S-3.A.1. This data also does not need to be integrated bit by bit by the user any more. Like the peripheral fault message it can be obtained from the master collectively. This makes it easy to use the data in order to improve system availability.
Additionally the master has direct access to the entire diagnostic data of the safety monitor, if the monitor has a separate AS-Interface address. During normal operation, or in the case of a safety situation, the safety monitor provides data for all details of the state of the system. Figure 6 shows an example. This data also allows a clear identification of further reasons for a stoppage – a fault in a safe slave, a configuration error of the network or a communication error. This makes it possible to program the application so that the system can react individually to each type of fault and inform the user accordingly.

While normally these diagnostic values are by the higher control through a function block, Bihl+Wiedemann has realized this by means of an application function in the master. Thus the availability of the diagnostic values in the master doesn’t depend on the control. This also enables the values to be displayed on the graphical display. The application programmer doesn’t need a host specific function block or to program one if it doesn’t exist for the control.

Figure 6: Status of the safe slave with the address according to the diagnosis string (more data available by paging)

The application programmer is supported by the application functions of the master. Consequently it becomes much easier for him or her to realize an intelligent solution and programming for any particular application will become less time consuming. For Safety at Work systems a clear differentiation between causes for a stoppage is more straightforward (see figure 7). This information can be used to enable restart situations. Thus the inherent advantage of the bus technology – the increase in available information – helps achieve high system availability and simple handling.

Increased network stability due to diagnostic strings and protocol analysis

The classic AS-Interface network generally reacts in a well-natured manner. Even if there are occasional faults on the system (as would be expected from any bus system) it continues to work reliably and in most cases the user will not even notice there was a fault. Typical examples are problems with extrem electromagnetic noise at a slave’s place or in an area of the network, a loose contact, slight violation of network layout rules (e.g., maximum length) or missing features in a non-certified slave. Faulty telegrams caused by one of these reasons are recognized automatically, repeated and in most cases resolved before the user could even notice them. Standard slaves may take up to three successive network cycles to correct this type of fault. The master only sends a message (“Configuration Error”) to the application program if the fault still exists for three cycles. This means that occasional faults will not interfere with system stability, but that serious faults are clearly identified and reported.

(1) Scheduled stop
(2) Stop after emergency shutdown
(3) Stop after response of a safety element (e.g. light curtain interrupted)
(4) Stop after communication error of a safe slave
(5) Stop after failure of a safe slave
(6) Stop after peripheral fault
(7) Stop after configuration fault
(8) Stop after power failure in the network
(9) Stop after warning message

Figure 7: Possible stop situations of a Safety-at-Work network. If the application program makes use of the detailed information, it can react specifically.

With a Safety at Work network, however, the user needs to be a bit more careful, since in this case if a “real” fault occurs the machine must be stopped quickly. To realize this the safety monitor only waits two cycles, instead of three, before it stops the system in reaction to a communication fault with a safe slave. This is the only way to guarantee a latency period of less than 40 milliseconds between the occurrence of the fault and the stoppage of the system. A possible disadvantage of this is that the system could be stopped erroneously in reaction to temporary instabilities. These erroneous stoppages are technically harmless, since they don’t reduce the safety of the system at all. However, they can present an annoyance by reducing the availability of the system. Therefore the user must take care to detect and avoid any of these kinds of instabilities when setting up the system.

Figure 8: Display example: result of the protocol analysis: slave 31A is apparently instable, slave 1B shows only occasional repetitions.

For this the user is aided by the application functions “diagnosis string” and “protocol analysis”. The latter contains the number of telegram repetitions for each slave tolerated by the specification. This tells the user which slaves are still complying with the specification, even though they are experiencing communication errors. In this way possible instabilities in the network can be detected and eliminated. If during commissioning or maintenance the user pays extra attention to telegram repetitions of safe slaves he or she will be able to significantly increase the availability of a Safety at Work system. The counters are easily read out from the graphical display, with no need for any extra program (see figure 8).

This process is additionally supported by the diagnostic values of the safety monitor. They provide a more detailed description of the reason for a stoppage than other master data. This is because the safety monitor has a latency period of up to 40 milliseconds before its outputs are disconnected. During this period the application and the AS-Interface network continue to work. The network itself, in fact, is in many cases stopped even later. This makes it more difficult to analyze the situation using the standard master data since the master has continued collecting data for several more cycles. The safety monitor, however, captures its data immediately prior to the stoppage. Making this data available to the master enables analysis especially in cases where a stoppage is caused unintentionally by the safety monitor (i.e. when an emergency shutdown has not been activated). The fact that this data is directly available via the HMI display eliminates the need to connect a separate output device.

Summary:

AS-Interface is rightly considered the easiest networking solution in automation. The same applies to the Safety at Work version. It is also true that any master – new or old version – can generally be used for safety applications. This is the main reason for introducing a safety monitor which can be used in any system, is used by all manufacturers and has all required official approvals. The master family presented here, however, goes beyond this. With their application functions and fully developed HMI these masters are the first to make explicit use of the Safety at Work concept. In so doing they support the user to a great extent in the different life cycle phases of an automated plant. They provide support during planning (support of intelligent application programs), commissioning (network independence and improved network quality), operation (high system availability) and maintenance (in place diagnosis and network analysis). Users working in automation systems will readily see this high degree of convenience.

Literature
(1) Madelung, O.W.: Addenda to the AS-Interface Handbook (2 nd edition), German and English; 2001, download file under www.madelung-online.de
(2) Bihl + Wiedemann: Overview over the gateways, see www.bihl-wiedemann.de

Author
Dr. Otto W. Madelung, Technical Consultancy Dr. Madelung,
www.madelung-online.de

This article has been published in following periodical: SPS-Magazin 4+5/2002

[back]