Working Through the Complexities of Selecting the Right Safety Controller

By Jeff Shepard

Contributed By DigiKey's North American Editors

Safety in industrial systems is a critical and complex subject, making it challenging to specify the best safety controller for a given application. Among the considerations is the applicability of numerous international standards related to safety controllers, such as International Electrotechnical Commission (IEC) 60947-5-1, 61508-1/2/3, 61810-3, and 62061, and International Organization for Standardization (ISO) 13849-1.

There is also a wide range of communications protocols to choose from. Safety over EtherCAT, also called FailSafe over EtherCAT (FSoE), carries safety data on the same EtherCAT network as the standard control traffic. PROFIsafe (over PROFINET) and CIP Safety (over EtherNet/IP) are likewise safety layers carried on standard industrial Ethernet, while protocols such as Modbus/TCP are typically used for non-safety status and diagnostic data. Additionally, there is the choice of standalone or integrated solutions. Some platforms have various combinations of safety-rated and non-safety-rated outputs, some have fixed functionality, and others are reconfigurable and expandable.

This article briefly reviews the international safety standards and their applicability. It also examines the uses of the various communications protocols before digging into use cases ranging from tabletop assembly stations to entire factories for types of safety controllers like fixed function, reconfigurable, and expandable models. It presents specific examples using Banner Engineering, Phoenix Contact, Schneider Electric, and Omron Automation products.

Standards

IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES), is the basic functional safety standard applicable to all industries. It covers methods of applying, designing, deploying, and maintaining automatic protection systems, called safety-related systems. It is based on the idea that any safety-related system must fail in a predictable way that leaves the equipment in a safe state. To gauge the effectiveness of functional safety designs, the standard defines safety integrity levels (SILs) from 1 to 4, with SIL 4 indicating the highest level of risk reduction and SIL 1 the lowest. The concept of SILs is also applied in other safety standards, but the number of levels and their definitions can vary based on the needs of the operating environment (ISO 13849-1, for example, uses Performance Levels PL a to PL e instead).

There are many safety standards based on IEC 61508. Some of the standards related to safety controllers include:

IEC 60947-5-1:2016, Low-voltage switchgear and controlgear - Part 5-1: Control circuit devices and switching elements - Electromechanical control circuit devices, applies to specific types of devices including:

  • Manual control switches like pushbuttons, foot switches, rotary switches, and so on
  • Electromagnetically operated control switches like relays or contactors that are time-delayed or instantaneous
  • Position switches that are included in a machine
  • Pilot switches like temperature or pressure-sensitive switches

IEC 62061:2021, Safety of machinery - Functional safety of safety-related control systems is the machinery-related version of IEC 61508. It specifies requirements for designing, integrating, and validating safety-related control systems. It applies to the system-level design of machinery-related safety control systems, subsystems, and safety-related devices used individually or in combination to implement machine safety functions.

IEC 61810-3:2015, Relays with forcibly guided (mechanically linked) contacts, is another important standard for safety controllers. It delineates special requirements and tests for elementary relays with forcibly guided contacts, also known as mechanically linked contacts. These special requirements apply in addition to the general requirements of IEC 61810-1. Force-guided relays are a basic component in many safety relay modules. In a Type A relay under this standard, all of the contacts are forcibly guided. The standard requires that if a normally open (NO) contact becomes welded, all normally closed (NC) contacts must maintain a minimum contact gap of 0.5 mm when the coil is de-energized; conversely, if an NC contact welds, the NO contacts must keep the same gap when the coil is energized. This is what allows a monitoring circuit wired through the NC contacts to detect a welded NO contact (Figure 1).

Figure 1: If a NO (or NC) contact becomes welded, all NC (or NO) contacts must maintain a minimum gap of 0.5 mm when the coil is de-energized (or energized, respectively). (Image source: Omron Automation)

ISO 13849-1:2023, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design, includes guidance for designing and integrating the safety-related parts of control systems (SRP/CS) and their subsystems, including mechanical measures like guarding or interlocking functions, and related software. It applies to electrical, hydraulic, pneumatic, and mechanical SRP/CS used in high-demand and continuous modes of operation, and rates safety functions by Performance Level (PL a to PL e) rather than SIL.

Coming full circle back to IEC 61508, that standard also introduces the "black channel" concept for safety-related communications.

Black channels and communication protocols

IEC 61508 provides only a general definition of black channels and refers to standards like IEC 61784-3 for fieldbus applications and IEC 62280 for railway signaling. The concept of black channel communication is derived from the term "black box". In black channel communication, the network is the black box and is used purely as the transmission medium: no safety credit is taken for the channel itself, and all safety-relevant error detection is handled by a dedicated safety layer in the application software of the end devices. Note that this is a safety concept, not a security one. The counters and CRCs of the safety layer are designed to detect random and systematic transmission faults; they are not cryptographic and offer no protection against a deliberate attacker on the network, for which IEC 61784-3 defers to the IEC 62443 series.

Black channels can be implemented on any standard network, such as the various industrial Ethernet variants (PROFINET, over which PROFIsafe runs, for example) or wireless local area network (WLAN) technologies. In a black channel application, it is assumed that the primary communications channel cannot be trusted for safety-related communications, so an additional safety layer is added to detect any transmission error and drive the system to its safe state when one occurs (Figure 2).

Figure 2: PROFIsafe can be used to implement the safety layer for black channel communications. (Image source: Phoenix Contact)

In addition to PROFIsafe, black channels can be implemented with other protocols like Common Industrial Protocol Safety (CIP Safety) and FSoE. These protocols conform with IEC 61784-3:2021, which requires measures against the transmission error classes it defines (corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade, and addressing), typically by means of sequence numbers, time expectation (watchdogs), connection authentication, and data-integrity checks in the safety layer.
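The following is an added, constructed illustration of the black channel principle described above; it is not code from any of the protocols or vendors named in this article. It assumes a simplified safety PDU layout (connection ID, sequence number, length, payload, CRC-32), a 50 ms watchdog, and a consumer that latches into the safe state on the first detected error. Real safety protocols use purpose-selected CRC polynomials and more elaborate timing, and, as noted above, none of these checks defends against a deliberate attacker.

```python
"""Constructed black-channel safety-layer example (assumed frame layout, not a real protocol)."""
import struct
import zlib

# Assumed PDU layout: conn_id u16 | seq u16 | len u8 | payload | crc32 u32 (big-endian)
HDR = struct.Struct(">HHB")
CRC = struct.Struct(">I")


class SafetyProducer:
    """Wraps process data (e.g. E-stop and guard states) into safety PDUs."""

    def __init__(self, conn_id: int):
        self.conn_id = conn_id
        self.seq = 0  # last sequence number sent

    def build(self, payload: bytes) -> bytes:
        self.seq = (self.seq + 1) & 0xFFFF  # consecutive numbering, wraps at 16 bits
        body = HDR.pack(self.conn_id, self.seq, len(payload)) + payload
        return body + CRC.pack(zlib.crc32(body))  # CRC-32 stands in for the protocol CRC


class SafetyConsumer:
    """Validates safety PDUs; any detected error latches the safe state (outputs off)."""

    def __init__(self, conn_id: int, watchdog_ms: int):
        self.conn_id = conn_id
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 1
        self.last_ok_ms = None
        self.safe_state = False  # True once tripped; stays until an explicit reset

    def _trip(self, reason: str):
        self.safe_state = True
        return None, reason

    def accept(self, frame: bytes, now_ms: int):
        """Return (payload, None) if the frame is valid, else (None, error_class)."""
        if self.safe_state:
            return None, "safe state latched; operator reset required"
        if len(frame) < HDR.size + CRC.size:
            return self._trip("corruption (truncated frame)")
        body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
        if zlib.crc32(body) != crc:
            return self._trip("corruption (CRC mismatch)")
        conn_id, seq, length = HDR.unpack(body[:HDR.size])
        payload = body[HDR.size:]
        if length != len(payload):
            return self._trip("corruption (length mismatch)")
        if conn_id != self.conn_id:
            return self._trip("masquerade/addressing (unexpected connection ID)")
        if seq == (self.expected_seq - 1) & 0xFFFF:
            return self._trip("unintended repetition (replayed frame)")
        if seq != self.expected_seq:
            return self._trip("loss or incorrect sequence")
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._trip("unacceptable delay (watchdog expired)")
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_ok_ms = now_ms
        return payload, None

    def tick(self, now_ms: int) -> bool:
        """Cyclic call on the consumer; returns True while outputs may stay energized."""
        if not self.safe_state and self.last_ok_ms is not None \
                and now_ms - self.last_ok_ms > self.watchdog_ms:
            self._trip("unacceptable delay (no valid frame within watchdog)")
        return not self.safe_state


def run_scenarios() -> dict:
    """Drive each error class with constructed frames; returns {scenario: error or None}."""
    def fresh():
        p, c = SafetyProducer(0x0102), SafetyConsumer(0x0102, watchdog_ms=50)
        assert c.accept(p.build(b"\x01"), now_ms=0)[1] is None  # one good cycle first
        return p, c

    r = {}
    p, c = fresh()
    r["good"] = c.accept(p.build(b"\x01"), 10)[1]
    p, c = fresh()
    f = p.build(b"\x01")
    c.accept(f, 10)
    r["replay"] = c.accept(f, 20)[1]                 # same frame delivered twice
    r["after_trip"] = c.accept(p.build(b"\x01"), 30)[1]  # latched: good frame refused
    p, c = fresh()
    f = bytearray(p.build(b"\x01"))
    f[HDR.size] ^= 0x01                              # flip a payload bit (E-stop state)
    r["bit_flip"] = c.accept(bytes(f), 10)[1]
    p, c = fresh()
    imposter = SafetyProducer(0x0909)
    imposter.seq = p.seq                             # correct seq, wrong connection
    r["wrong_connection"] = c.accept(imposter.build(b"\x01"), 10)[1]
    p, c = fresh()
    p.build(b"\x01")                                 # this frame is lost on the network
    r["lost_frame"] = c.accept(p.build(b"\x01"), 10)[1]
    p, c = fresh()
    r["late_frame"] = c.accept(p.build(b"\x01"), 61)[1]  # 61 ms since last good frame
    p, c = fresh()
    r["silent_bus"] = c.tick(500)                    # nothing received: outputs must drop
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

The point to take from the example is the fail-safe direction of every decision: the consumer never tries to repair or tolerate a bad frame, it drops its outputs and stays there until a reset, and a silent bus is treated exactly like a corrupted one.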

Tabletop safety

Safety concerns aren't limited to large or powerful machines; tabletop assembly stations can require safety systems too. In one case, semiautomatic tabletop assembly stations are used to make electronic components. Each station has a heavy-duty safety door with a non-contact safety switch, a safety light curtain at the part feed, and an emergency stop button to protect operators from the semiautomatic equipment. Single-function safety relay controllers can be used on small machines like this to connect the safety devices to the machine and provide safe start and stop functions.

In this case, a model SC10-2ROE from the SC10 Series of safety controllers from Banner Engineering was installed in the cabinet of each tabletop assembly station (Figure 3). This safety controller combines the functions of multiple safety relay modules into a single device, simplifying wiring and reducing the required space for the installation. In addition to supporting safety in small machines, these controllers are well-suited for use in crowded control cabinets. Even small safety controllers like the SC10 Series can have a wide array of features:

  • In-Series Diagnostics (ISD) can connect as many as 70 safety devices. ISD provides detailed status and performance data from each safety device accessible with a human machine interface (HMI), PLC, or similar device, enabling users to troubleshoot machine safety systems, prevent faults, and reduce downtime.
  • The icon-based drag-and-drop programming runs on a PC and simplifies setup and device management.
  • An external memory card can be used to configure the device without needing a connection to a PC, speeding up configuration changes.
  • Ten inputs, including four that can be set up as non-safety outputs. The automatic terminal optimization (ATO) function can be used to increase the total number of inputs to 14.
  • Two independently controlled 6 A safety relay outputs, each with three NO contacts.
  • The ability to perform both of the stop categories defined in IEC 60204-1 that apply here:
    • Category 0 is an uncontrolled stop with the immediate removal of power from the machine actuators.
    • Category 1 is a controlled stop in which power stays available to bring the machine to a stop and is removed only afterwards. Delayed stops are useful where a machine needs power for a braking mechanism.
  • Support for the EtherNet/IP, PROFINET, and Modbus/TCP communication protocols.

Figure 3: This tabletop assembly station includes a model SC10-2ROE safety controller (yellow device below the assembly station). (Image source: Banner Engineering)

Scalable safety across production lines

At the other end of the complexity spectrum from tabletop assembly, integrated safety can be implemented across assembly lines throughout a factory. For example, Sysmac NX102 controllers from Omron Automation integrate multiple open industrial protocols like EtherNet/IP, EtherCAT, IO-Link, and CIP Safety. The model NX102-1020 automation controller includes three communications ports, and it can integrate high-speed safety into machine control on lines that require fast cycle times. In addition, Omron's NX Integrated Safety Controllers are SIL 3 certified and include FSoE connectivity. NX-SL5 controllers like the model NX-SL5500 can simultaneously communicate FSoE over EtherCAT and CIP Safety over EtherNet/IP, enabling applications involving high-speed synchronous motion, machine-to-machine control, or communication with remote devices using CIP Safety (Figure 4).

Figure 4: NX integrated safety controllers from Omron can simultaneously communicate FSoE and CIP Safety to implement integrated safety across assembly lines. (Image source: Omron Automation)

Configurable and expandable

When circumstances require a configurable and expandable safety solution, Phoenix Contact offers the PSRmodular safety system. The system can be configured for small applications with as few as three safety functions and for large systems with up to 160 I/Os. It includes a variety of safety functions, such as an analog module for monitoring 0 to 20 mA or 0 to 10 V signals and modules for motion and speed monitoring using proximity switches or various types of encoders. The relays installed in the safety relay module have force-guided contacts (Figure 5). The system can implement a range of safety functions, including:

  • Electro-sensitive protective equipment
  • Emergency stop
  • Monitoring of movable guards like safety doors
  • Two-hand control devices
  • Zero-speed monitoring and speed monitoring

Figure 5: PSRmodular system safety relay module with force-guided contacts. (Image source: Phoenix Contact)

The PSRmodular safety system consists of basic modules with the core functionality, like the model 1104981, and extension modules for additional I/O and protective functions, like the model 1104884. The modules are software configurable, and the system is expanded by plugging modules together on the PSR-TBUS DIN-rail bus connector.

Safety for simple to medium-complexity machines

Harmony safety modules from Schneider Electric are designed for simple to medium-complexity machines like those used in food and beverage processing, hoisting, material handling, and packaging. They are offered in two series (Figure 6):

  • Harmony XPS Basic offers an optimized solution for applications that use hardwired safety modules.
  • Harmony XPS Universal combines the simplicity of hardwired safety modules with the kind of status and diagnostic messaging that usually requires fieldbus technology to implement.

Figure 6: Harmony XPS Basic and Universal safety relays are ideal for managing single safety functions easily. (Image source: Schneider Electric)

XPSBAT basic safety modules like the XPSBAT12A1AP are used for monitoring emergency stop circuits and provide Category 0 and Category 1 stop options. Category 0 implements an instantaneous stop, while Category 1 implements a delayed stop with the delay adjustable from 0 to 15 minutes (900 seconds).

XPSUAK universal safety modules like the model XPSUAK12AP can also implement Category 0 and Category 1 stops. These safety modules interface with a broader range of safety devices, including:

  • Emergency stop circuits
  • Switches activated by protection devices like mechanical guard switches and RFID safety switches
  • Light curtains
  • 4-wire sensing mats

Conclusion

When selecting safety controllers for industrial systems, there is a wide range of international standards to consider, plus communications protocols, including black channel communications. But that is just the beginning: there are safety controllers optimized for small systems like tabletop assembly operations, for the hardwired installations found in food and beverage processing and material handling, for systems that need configurable or expandable solutions, and devices optimized to support scalable solutions across entire factories.


Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of DigiKey or official policies of DigiKey.

About this author


Jeff Shepard

Jeff has been writing about power electronics, electronic components, and other technology topics for over 30 years. He started writing about power electronics as a Senior Editor at EETimes. He subsequently founded Powertechniques, a power electronics design magazine, and later founded Darnell Group, a global power electronics research and publishing firm. Among its activities, Darnell Group published PowerPulse.net, which provided daily news for the global power electronics engineering community. He is the author of a switch-mode power supply textbook, titled "Power Supplies," published by the Reston division of Prentice Hall.

Jeff also co-founded Jeta Power Systems, a maker of high-wattage switching power supplies, which was acquired by Computer Products. Jeff is also an inventor, with his name on 17 U.S. patents in the fields of thermal energy harvesting and optical metamaterials, and is an industry source and frequent speaker on global trends in power electronics. He has a Master's Degree in Quantitative Methods and Mathematics from the University of California.

About this publisher

DigiKey's North American Editors