PROFIsafe would not be complete if there were only a specification of the safety communication protocol. For F-Devices questions would be raised such as:
- Do I need to protect my F-Device against very high voltages coming across the PROFIBUS / PROFINET cable from an unknown other source?
- Is it safe to use the same 24V power supply that I use for the standard devices in my network?
- How do I test my F-Devices for the "increased immunity" that is required by IEC 61508?
- What are the installation rules?
- What are the security requirements?
The fieldbus standards IEC 61158 and IEC 61784-1, -2 require for all devices within the network "to comply with the legal requirements of that country where they are deployed (for example, as indicated by the CE mark). The measures for protection against electrical shocks (i.e. electrical safety) within industrial applications shall be based on the IEC 61010 series or IEC 61131-2, clause 10 depending on device type specified therein". These measures are called PELV (Protected Extra Low Voltage) and limit the permitted voltages in case of one failure to ranges that are not dangerous for humans. Due to this normally legal requirement, it is possible to limit the protection effort within an F-Device or an F-Host.
It is possible to use the same 24V power supplies for standard and F-Devices / F-Hosts. In both cases the power supplies shall provide PELV due to legal requiremens.
For each safety application, the corresponding SRS (Safety Requirements Specification) shall define electromagnetic immunity limits (see IEC 61000-1-1) which are required to achieve electromagnetic compatibility. These limits should be derived taking into account both the electromagnetic phenomena (see IEC 61000-2-5) and the required safety integrity levels. For general industrial applications the IEC 61326-3-1 defines immunity requirements for equipment performing or intended to perform safety related functions. Product standards such as IEC 61496-1 (e.g. laser scanners) may define increased immunity requirements for some phenomena. The environmental conditions within the process industries can be different from those of general industrial environments. Thus the specific requirements and performance criteria described in IEC 61326-3-2 can be used for PA Devices. For PROFIsafe a particular EMC test bed is defined.
The objective of safety is to maintain safety functions in order to prevent personnel from being injured, e.g., by de-energizing hazardous elements. A characteristic measure for a safety function is SIL (Safety Integrity Level). It describes the safety function's probability of a dangerous failure per hour, e.g. 10-7/h for SIL3.
In contrast, the objective of high availability (fault tolerance) is to maintain the control functions even in case of failures. A characteristic measure for high availability is the ratio of uptime to the total operation time, for example 99.99%. Redundancy is a means that can be used together with others to achieve this objective. PROFIsafe is designed such that it can be deployed with or without redundancy for fault tolerance. Figure 14 shows possible combinations.
It is the goal of PROFIsafe to integrate safety communication into the standard PROFIBUS and PROFINET networks with minimal impact on the existing installation guidelines. In order to achieve reliable performance and to fulfill legal requirements, following the PROFIsafe specifications and guidelines is highly recommended. Some major issues to be considered are mentioned below. Preconditions All standard and F-Devices on the network shall be electrically safe as outlined in chapter "PROFIsafe deployment - Electrical Safety". All F-Devices shall be certified according IEC 61508 and, in case of process automation according to IEC 61511. They shall be tested and approved for PROFIsafe conformity by PI test laboratories. All other standard devices within a PROFIsafe network shall prove conformity to PROFIBUS or PROFINET via a PI certificate or equivalent evidence. Constraints For PROFIBUS DP, no spurs or branch lines are permitted. For PROFINET IO, the following rules ap
- Less than 100 switches in a row
- Only one F-Host per submodule
- All network components must be suitable for an industrial environment (e.g. IEC 61131-2)
- No single-port routers permitted to separate PROFIsafe islands (characterized by unique F-Addresses)
The new IEC 60204-1 provides concepts on how to protect against electrical shock (emergency switching off) with lockable motor protection circuit breakers, main circuit breakers and main isolators with fuses. Figure 15 demonstrates these concepts. It also shows the recommended 5-wire power line connections (TN-S) with separated N and PE lines and the shielded cables between drives and motors. The IEC 60204-1 is a valuable source for many other safety issues complementing the PROFIsafe technology. The corresponding national standard NFPA 79 considers some deviations for the North American market (Figure 2).
More and more applications such as AGV (Automated Guided Vehicles), rotating machines, gantry robots, and teach panels use wireless transmission in PROFIBUS and PROFINET networks. PI will specify details for WLAN and Bluetooth as well. PROFIsafe, with its error detection mechanism for bit error probabilities up to 10-2 is approved for both "Black Channels". However, the security issues below must be considered.
With PROFINET being based on Industrial Ethernet as an open network and in the context of wireless transmission the issue of security has been raised. PI is pushing the concept of building so-called security zones which can be considered to be closed networks (Figure 16). The only possibility to cross open networks such as Industrial Ethernet Backbones from one security zone to another is via Security Gates. The security gates use generally accepted mechanisms such as VPN (Virtual Private Network) and Firewalls to protect themselves from intrusion. PROFIsafe networks allways shall be located inside security zones and protected by Security Gates if connections to open networks cannot be avoided.
For wireless transmission, the IEEE 802.11i standard provides sufficient security measures for PROFIsafe networks. Only the Infrastructure Mode is permitted; the Adhoc Mode shall not be used. More details can be found in the PROFIsafe specification.
Usually the response times of normal control functions are fast enough for safety functions as well. However, some time-critical safety applications need safety function response times (SFRT) to be considered more thoroughly. Presses that are protected by light curtains are examples. A machine designer wants to know very early at what minimum distance the light curtain shall be mounted away from the hazardous press. It is common agreement that a hand moves at a maximum of 2 m/s. The minimum distance s to be considered then is s = 2 m/s x SFRT if the resolution of the light curtain is high enough to detect a single finger (EN 999). Otherwise correction summands are needed.
Now what is the mystery behind an SFRT? The model in Figure 17 is used to explain the definition. The model consists of an input F-Device, a PROFIsafe bus transmission, signal processing in an F-Host, another PROFIsafe bus transmission, and an output F-Device each with its own statistical cycle times. The maximum time for a safety signal to pass through this chain is called TWCDT (Total Worst Case Delay Time) considering that all parts require their particular maximum cycle times. In case of safety the considerations go even further: The signal could be delayed even more if one of the parts just fails at that point in time. Thus, a delta time needs to be added for that particular part which represents the maximum difference between its watchdog time and its worst case delay time (there is no need to consider more than one failure at one time). Eventually, TWCDT plus this delta time comprise the SFRT. Each and every F-Device shall provide information about its worst case delay time as required in the PROFIsafe specification in order for the engineering tools to estimate the SFRTs.