PASSIVE SAFETY UP TO SIL3/PLE: GOOD REASONS TO BECOME ACTIVE!
Blanket criticism of individual safety- based shut-off of single actuators is hardly called for – in many scenarios, whether in an Ethernet or ASi network, this may well be the best approach, for example to meet safety-technical standards and ensure machine safety. The safety experts at Bihl+Wiedemann also know this from their own experience. But more and more machine and system builders are questioning their safety concepts: they recognize that maximum flexibility such as what is offered by individual safe outputs is not always necessary – for example when entire groups of actuators have to be safely shut off at the same time anyway due to process or machine considerations.
Passive safety presumes that the power supply for communication and for sensors be galvanically isolated from the actuator supply. This should also prevent cross-wiring and in general exclude faults between the auxiliary power for the actuators (AUX) and the external potential – the power supply via ASi – so that when shutoff is required there is also a guarantee that the power supply of a drive train will also be disconnected. This is not a given in most standard wiring schemes where M12 round cable is used. Based on Machine Directive 2006/42/EC this is specified and prescribed in greater detail in the safety standards EN ISO 13849-1 and EN 62061. This also means that just one single non-passively safe module in the topology results in the system as a whole no longer have a passively safe structure – as in so many other situations, safety technology is only as strong as its weakest link. Depending on the application a precise safety review of the entire relevant cabling path can essentially demonstrate that any fault situation will always result in a safe condition – but such a broad undertaking can mean considerable effort and expense. Unnecessary effort, since there is a more simple and more elegant way - with ASi and products from Bihl+Wiedemann that are suitable for passive safety.
The idea of passive safety technology with ASi is based on the premise that firstly, all connected actuators are controlled and can be turned off individually through their respective non-safe output, and secondly that when necessary entire groups of actuators can be disconnected from the power supply with a single safe output. ASi as the globally standardized fieldbus for the first automation level is ideal for this, since the ASi wiring concept is not only highly economical – compared with traditional fieldbus wiring technology it offers cost advantages of up to 68 percent. But also because the yellow ASi profile cable for control signals and power up to 8 A can be routed separately from the black AUX profile cable for auxiliary power up to 20 A. This concept automatically satisfies the requirement for galvanic isolation of the power supply for communication and sensors from the power supply of the actuators. And with Bihl+Wiedemann the user no longer has to worry about meeting the safety standards: nearly all the new ASi-5 modules, for example those with integrated IO-Link master, and many of the ASi-3 modules offered by the company meet the requirements for passive safety – which is indicated explicitly in the data sheets for the respective products.
The modules from Bihl+Wiedemann allow for passive safety up to SIL3 and PLe. When the auxiliary power in the black profile cable is turned off, the connected actuators are no longer supplied and can no longer carry out hazardous movements. But they remain continuously accessible, since the yellow profile cable continues to supply power to the sensors and to the bus communication and, unlike many Ethernet-based solutions, thereby enables signal transmission even in switch-off condition. This makes it possible to access modules – and often the connected peripherals as well – and to read diagnostic information for example, which can indicate possible fault causes.
Whether yellow or black – the ASi profile cables can be manufactured cost-efficiently as standardized bulk product and kept on rolls. They do not require pre-assembly like round cable for field buses and need no special M12 connection for sensors and actuators – these are simply and reliable connected to the ASi cable using piercing technology. In addition the black AUX cable with its up to 20 A capacity can handle significantly more auxiliary power than typical M12 round cable configurations. A lot of current for low “transmission costs” – ideal for motors in material handling applications, but also for integrating IO-Link solutions.
Instead of having to sacrifice an expensive safe output for each individual actuator, establishing passive safety on the controller side requires only a safety monitor with local outputs and a contact expansion module in order to turn the supply voltage off centrally – a much preferable alternative from a cost standpoint.
Passive safety from Bihl+Wiedemann is an interesting approach to implementing safety solutions where it is appropriate with technical and economical efficiency – with integration capability in all common controller worlds. In many cases this allows the safety technology as offered by the company in such a wide range – thanks to Safe Link including in more complex applications with safe coupling between multiple gateways and overarching safety functions – to be effectively expanded.
Functional safety in connection with traditional, Ethernet-based fieldbus solutions means - from a control and wiring perspective - that each single actuator has to be wired using a pre-assembled connection cable and provided with its own safe output. This can be accomplished , for example, by using the ASi safety gateways and Safe Link from Bihl+Wiedemann, whereby nearly 2,000 safety signals can be safely coupled to each other over Ethernet. The advantage of these solutions is obvious: maximum flexibility within the entire safety-related topology, since each actuator can be turned off individually. But is this individual voltage isolation even necessary for example for every single motorized roller in a conveyor line or each individual actuator on a packaging machine? Might it not suffice under some circumstances to simply turn off entire actuator groups at once? And what then happens with the communication to the actuator when it is turned off for safety reasons over Ethernet? Exactly! In such a case the data connection is dead – the modules cannot be accessed or read, and diagnostics or qualified error reporting is no longer possible. Which goes entirely against the principle of industry 4.0, nor is it compatible with digitalized IT structures within future-proof machine concepts. Also, you will not find much enthusiasm among decision makers when it comes to the value- diminishing, increased hardware and wiring expenses of a direct fieldbus termination for each individual actuator.