Introduction to CIP Safety

In the intricate world of industrial automation, ensuring safety and maintaining efficient communication are paramount. The integration of sophisticated machinery and advanced technologies necessitates stringent safety measures to protect both personnel and assets. This is where the importance of functional safety and communication protocols becomes evident, serving as the backbone of safe and seamless operations in industrial settings.

Communication protocols play a vital role in this ecosystem, enabling the real-time exchange of safety-critical information across various components of an industrial automation system. These protocols ensure connectivity between machines, devices, and systems, facilitating greater visibility and control over operations. By allowing for the integration of multiple safety systems onto a single network, communication protocols like CIP Safety reduce the need for multiple communication lines and diminish the risk of human error, thus contributing significantly to the overall safety of industrial automation environments.

The history of CIP Safety, a protocol designed to ensure fail-safe communication between nodes in a safety network, traces its roots back to the early 2000s. This innovative approach was introduced by the ODVA (Open DeviceNet Vendor Association), aiming to enhance safety in industrial environments. CIP Safety is part of the broader Common Industrial Protocol (CIP) framework, which facilitates interoperability across various industrial networks such as Ethernet/IP, DeviceNet, and ControlNet.

CIP Safety provides a robust safety communication protocol that can coexist with other application-layer standards such as CIP Motion and CIP Security. This adaptability allows seamless integration and increased flexibility within industrial environments, enabling safety devices and standard devices to be mixed on the same network.

The adoption of CIP Safety grew as industries recognized its potential to significantly improve operational safety. It provides high integrity safety services and diagnostics in the application layer without requiring special communications hardware. This feature set ensures transmission integrity by detecting errors and allowing devices to take appropriate actions, thereby maintaining safety up to Safety Integrity Level (SIL) 3 according to IEC 61508 standards.

Basics of CIP Safety

The Common Industrial Protocol (CIP) revolutionizes the integration of safety functionalities into industrial networks by leveraging a standardized, Ethernet-based platform. This innovation is particularly embodied in CIP Safety, which extends the capabilities of the standard CIP framework by incorporating high-integrity safety services and diagnostics in the application layer. CIP Safety is designed to provide fail-safe communication between nodes on a safety network. The protocol ensures the integrity of safety-related data transmission while allowing safety and standard devices to coexist on the same network or wire, thereby enhancing flexibility and integration within industrial automation applications. CIP Safety has been certified by TÜV Rheinland as a black channel protocol, meaning its safety integrity does not depend on the physical media, so it can be carried over various wired and wireless systems.

Redundancy is a fundamental principle of functional safety and therefore also of CIP Safety. It refers to the duplication of critical elements within the communication system to ensure fault tolerance and reliability. Specifically, CIP Safety employs Class 1 connections, characterized by redundancy and deterministic behaviour, to ensure that safety-critical messages are transmitted reliably and redundantly across the network. In case of a communication failure or loss of data integrity, redundant communication paths are used to ensure that safety-related information reaches its destination. Moreover, the protocol ensures that all outputs revert to a safe state when a connection is closed or connectivity is lost, minimizing the risk of accidents or injuries.

CIP Safety supports a comprehensive array of safety applications designed to prevent accidents, protect personnel, and ensure the safe operation of industrial machinery and processes. Among these critical safety functions are:

  • Emergency stop (E-Stop) systems

    Allow for the instantaneous deactivation of machinery or processes in response to emergency situations or hazardous conditions.

  • Safety interlocks

    Monitor and control access to hazardous areas or machinery, ensuring that personnel cannot enter unsafe zones during operation.

  • Safe speed monitoring and safe position monitoring

    Essential for preventing unsafe conditions or collisions by monitoring and limiting the speed of machinery and verifying the safe positioning of machinery components or tooling, respectively.

  • Safe torque off (STO)

    Disables torque output from motor drives to prevent unintended movements or rotation.

  • Safety mats and light curtains

    Detect the presence of personnel in hazardous areas, triggering safety measures to halt machinery operation.

  • Two-hand control systems

    Require simultaneous activation by both hands to initiate potentially hazardous operations, ensuring operator safety.

To assess and rate the reliability and performance of these safety functions within industrial environments, CIP Safety leverages Safety Integrity Level (SIL) and Performance Level (PL) methodologies. SIL is a measure of the reliability of safety functions in terms of their ability to mitigate risks associated with hazardous events, with levels ranging from SIL 1 (lowest) to SIL 4 (highest). Each level corresponds to a specific target failure probability, and CIP Safety implementations are evaluated and certified to achieve specific SIL levels, ensuring they meet the required safety integrity and performance criteria.

PL, on the other hand, is a measure of the performance of safety-related parts of control systems, focusing on their ability to achieve the desired safety performance in hazardous situations. PL levels range from PL a (lowest) to PL e (highest), each corresponding to a specific level of risk reduction. CIP Safety components and devices are evaluated and certified to meet specific PL levels, ensuring they achieve the required level of safety performance.

The application of SIL and PL to CIP Safety involves the evaluation of safety functions, certification and validation of components, devices, and systems to achieve specific SIL or PL levels, and continuous improvement to enhance reliability, performance, and safety integrity over time. This rigorous process demonstrates compliance with safety standards and regulatory requirements, ensuring ongoing adherence to evolving safety standards and industry best practices.

CIP Safety supports both cyclic and acyclic communication modes. Cyclic communication is particularly valuable for tasks requiring real-time monitoring and control, such as emergency stop systems or safety interlocks. Acyclic communication is suitable for configuration, diagnostic, or monitoring activities where the availability of safety data is crucial but strict adherence to timing intervals is not.

Functional safety standards: IEC 61508 and ISO 13849

Compliance with safety standards, such as IEC 61508 and ISO 13849, is integral to the design and implementation of CIP Safety. IEC 61508 serves as an international standard that provides methods on how to apply, design, deploy, and maintain automatic protection systems called safety-related systems. It is a risk-based standard, meaning that the risk of hazardous operational situations is qualitatively assessed, and safety measures are defined to avoid or control systematic failures and to detect or control random hardware failures or mitigate their effects. This approach aligns with the objectives of CIP Safety, which aims to reduce the risk of failure to a tolerable level by undergoing certification and validation processes to ensure compliance with IEC 61508 requirements. This involves verifying the reliability, performance, and safety integrity of safety-related functions supported by CIP Safety protocols, including SIL assessment and certification, while ensuring safe communication between devices in industrial settings.

ISO 13849 is another standard that complements the safety measures applied to the parts of machinery control systems that provide safety functions, known as safety-related parts of a control system. CIP Safety components and devices are certified and validated to meet specific performance levels (PL) defined in ISO 13849. This certification demonstrates that CIP Safety components achieve the required level of risk reduction and safety performance, as evaluated through rigorous testing, analysis, and documentation.

CIP Safety implementation

The core hardware and software components integral to the implementation of CIP Safety in industry encompass a variety of devices and systems, as follows:

  • Safety PLCs

    Stand at the forefront of this safety architecture. These safety-rated PLCs act as the central control units, orchestrating safety logic and managing safety functions within industrial automation systems.

  • Safety input and output (I/O) modules

    Connect safety devices (sensors, switches, and actuators) to the safety PLC. They play a vital role in ensuring that safety signals are transmitted accurately and reliably between the control system and the field devices, thus maintaining the integrity of the safety system.

  • Safety relays and contactors

    Execute safety interlocks, emergency stop circuits, and other safety-related control functions. These safety-rated relays and contactors provide reliable switching of electrical circuits in response to safety events, ensuring the prompt and effective activation of safety measures when needed.

  • Safety sensors and actuators

    Safety-rated sensors detect hazardous conditions, monitor personnel presence, and protect machinery. Likewise, safety-rated actuators control machinery to prevent accidents and ensure safety for personnel and assets.

  • Safety communication interfaces

    Exchange safety-critical data between the safety PLC and field devices. These interfaces ensure secure and reliable communication in compliance with safety standards and protocols.

  • Safety configuration tools

    Essential for setting up and managing safety devices and systems within an industrial network.

  • Safety programming libraries

    Provide programmers with pre-defined functions and modules, facilitating the integration of critical safety routines such as emergency stops and safety interlocks into automation software.

  • Safety PLC software

    Includes specialized programming and diagnostic tools tailored for safety applications, ensuring effective management and coordination of safety protocols across the network.

  • Safety system configuration and monitoring software

    Offers insights into the operational status of safety devices and functions, enabling prompt identification and resolution of safety issues.

  • Safety system integration software

    Ensures seamless communication and interoperability between various safety and automation components.

  • Safety simulation and testing tools

    Enable comprehensive testing in virtual environments, identifying potential hazards and ensuring system readiness for real-world operations.

Benefits of CIP Safety

Implementing CIP Safety in industrial networks offers multiple advantages as follows:

Compatibility and interoperability

Its adherence to well-established industry standards IEC 61508 and ISO 13849 not only simplifies integration efforts but also facilitates the seamless exchange of safety-critical data between devices from various manufacturers, thereby streamlining the implementation process. 

Simplified architecture

By integrating safety functions (safety I/O blocks, safety interlock switches, light curtains, and safety controllers) into the existing industrial network infrastructure, CIP Safety eliminates the need for separate safety networks or dedicated wiring. This reduction in complexity leads to lower system costs and simplifies the design, installation, and maintenance processes.

Deterministic communication

Each piece of CIP Safety data is produced with a timestamp, enabling safety consumers to ascertain the age of the data they receive. This feature is crucial for ensuring that the data used in safety decisions is current and reliable. Furthermore, the inclusion of producer identifiers and consumer identifiers in each data production ensures that each message is delivered to and received by the correct consumer, thereby mitigating the risk of miscommunication or data misdirection. 

Scalability

Its support for various network structures such as bus, star, and ring topologies facilitates the expansion or modification of safety systems as industrial operations evolve, accommodating changes with minimal disruption to existing processes.

Reliability

CIP Safety employs Safety CRCs (Cyclic Redundancy Checks) or checksums for all safety transfers. This method is crucial for verifying the integrity of the information being transferred, ensuring that the data has not been altered or corrupted during transmission. 

Enhanced diagnostic capabilities

CIP Safety offers robust diagnostic capabilities to ensure system reliability and safety. It facilitates end-to-end diagnostics and monitoring of safety-related data by using cyclical heartbeat mechanisms and safety signatures to detect failures. The protocol enables real-time diagnostics, allowing for the identification of communication errors, device errors, and potential system malfunctions. These diagnostic features enhance the system's ability to perform predictive maintenance, reduce downtime, and ensure compliance with stringent safety standards. 
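To make the consumer-side mechanisms described in the Deterministic communication, Reliability and Enhanced diagnostic capabilities paragraphs above concrete (time stamp for data age, producer and consumer identifiers, Safety CRC, and the heartbeat-driven fall-back to a safe state on loss of communication described in the Basics section), here is an added, simplified model in Python. It is not code from Hilscher or ODVA and does not reproduce the real CIP Safety frame layout or its Safety CRC polynomials: the field widths, the use of CRC-32 from `zlib` as a stand-in for the Safety CRC, the "bit 0 of the payload means run permitted" convention, and the 20 ms age limit and 50 ms watchdog in the demo are all assumptions made for the illustration.

```python
# Illustrative model of the checks a safety consumer applies to each received
# data production: Safety CRC, producer/consumer identifiers, data age from the
# time stamp, monotonic time stamps, and a watchdog that drives the outputs to
# the safe state when no valid data arrives in time.
# Assumptions (not the real CIP Safety wire format): 16-bit identifiers, 32-bit
# millisecond time stamp, zlib.crc32 as a stand-in for the Safety CRC,
# payload bit 0 = "run permitted".
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SafetyProduction:
    """One safety data production as the model consumer sees it."""
    producer_id: int   # identifies the producing safety device
    consumer_id: int   # identifies the intended consumer
    timestamp_ms: int  # producer's time stamp, milliseconds (assumed shared time base)
    payload: bytes     # safety data; bit 0 of byte 0 = "run permitted" in this model
    crc: int           # integrity check over all of the fields above


def safety_crc(producer_id: int, consumer_id: int, timestamp_ms: int, payload: bytes) -> int:
    """Stand-in Safety CRC: CRC-32 over identifiers, time stamp and payload."""
    header = (producer_id.to_bytes(2, "big")
              + consumer_id.to_bytes(2, "big")
              + timestamp_ms.to_bytes(4, "big"))
    return zlib.crc32(header + payload) & 0xFFFFFFFF


def produce(producer_id: int, consumer_id: int, timestamp_ms: int, payload: bytes) -> SafetyProduction:
    """Producer side: stamp the data with identifiers and time, then append the CRC."""
    return SafetyProduction(producer_id, consumer_id, timestamp_ms, payload,
                            safety_crc(producer_id, consumer_id, timestamp_ms, payload))


class SafetyConsumer:
    """Model consumer: outputs stay de-energised (safe state) unless every check passes."""

    def __init__(self, consumer_id: int, producer_id: int, max_age_ms: int, watchdog_ms: int):
        self.consumer_id = consumer_id
        self.producer_id = producer_id
        self.max_age_ms = max_age_ms      # oldest data still usable for a safety decision
        self.watchdog_ms = watchdog_ms    # silence longer than this trips the safe state
        self.last_timestamp: Optional[int] = None
        self.last_good_ms: Optional[int] = None
        self.outputs_enabled = False      # False = safe state

    def _safe_state(self, reason: str) -> Tuple[bool, str]:
        self.outputs_enabled = False
        return False, reason

    def receive(self, msg: SafetyProduction, now_ms: int) -> Tuple[bool, str]:
        """Validate one production received at local time now_ms; returns (accepted, reason)."""
        if msg.crc != safety_crc(msg.producer_id, msg.consumer_id, msg.timestamp_ms, msg.payload):
            return self._safe_state("crc mismatch: data altered or corrupted in transit")
        if msg.producer_id != self.producer_id or msg.consumer_id != self.consumer_id:
            return self._safe_state("identifier mismatch: message not from/for this connection")
        age = now_ms - msg.timestamp_ms
        if age < 0 or age > self.max_age_ms:
            return self._safe_state(f"stale data: age {age} ms exceeds {self.max_age_ms} ms")
        if self.last_timestamp is not None and msg.timestamp_ms <= self.last_timestamp:
            return self._safe_state("time stamp did not advance: duplicate or out-of-order data")
        if not msg.payload:
            return self._safe_state("empty payload")
        self.last_timestamp = msg.timestamp_ms
        self.last_good_ms = now_ms
        self.outputs_enabled = bool(msg.payload[0] & 0x01)
        return True, "accepted"

    def tick(self, now_ms: int) -> bool:
        """Cyclic watchdog: no valid production within watchdog_ms reverts to the safe state."""
        if self.last_good_ms is None or now_ms - self.last_good_ms > self.watchdog_ms:
            self.outputs_enabled = False
        return self.outputs_enabled


def run_demo() -> List[str]:
    """Constructed scenario: one good production, then each failure mode in turn."""
    c = SafetyConsumer(consumer_id=2, producer_id=1, max_age_ms=20, watchdog_ms=50)
    good = produce(1, 2, 1000, b"\x01")
    corrupted = SafetyProduction(1, 2, 1010, b"\x00", good.crc)   # payload changed, CRC not
    results = [
        c.receive(good, 1005)[1],                          # accepted, outputs enabled
        c.receive(corrupted, 1012)[1],                     # crc mismatch -> safe state
        c.receive(produce(1, 2, 1020, b"\x01"), 1025)[1],  # accepted again
        c.receive(produce(1, 3, 1030, b"\x01"), 1032)[1],  # addressed to another consumer
        c.receive(produce(1, 2, 1040, b"\x01"), 1070)[1],  # 30 ms old, too stale
        c.receive(produce(1, 2, 1020, b"\x01"), 1030)[1],  # repeat of an older time stamp
    ]
    c.receive(produce(1, 2, 1080, b"\x01"), 1085)
    results.append("outputs on" if c.tick(1100) else "safe state")   # 15 ms silence: fine
    results.append("outputs on" if c.tick(1140) else "safe state")   # 55 ms silence: watchdog
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Every rejection path ends in `_safe_state`, so a corrupted, misdirected, stale or repeated production never leaves the outputs energised, and `tick` models the heartbeat: it is the absence of valid data, not only the arrival of bad data, that trips the safe state.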

CIP Safety Applications in Industry

In oil and gas facilities, where the handling and processing of hazardous substances are routine, the importance of ensuring the safety of personnel and assets cannot be overstated. The implementation of CIP Safety plays a crucial role in this context, enabling the execution of critical safety functions such as emergency shutdown systems, fire and gas detection, and safety interlocks. These measures are essential for preventing accidents and mitigating risks associated with critical operations. Furthermore, the advent of remote monitoring and control technologies has significantly enhanced the safety and efficiency of these operations. With assets often scattered across vast and remote locations, CIP Safety facilitates real-time monitoring and control of safety-critical equipment and processes. The integration of safety-rated sensors and actuators with CIP Safety protocols allows for remote diagnostics, maintenance, and shutdown capabilities, thereby bolstering operational safety and efficiency. 

In the realm of industrial automation, the CIP Safety protocol emerges as an indispensable enabler, offering crucial functionalities such as monitored standstill. In this setup, sensors integrated into the safety control system detect human operators near robots and prompt an immediate halt if necessary. This proactive measure is fundamental in averting potential accidents and fostering a secure working environment where humans and machines coexist harmoniously. Equally critical are emergency stop actions, initiated by human operators to swiftly deactivate equipment in the event of an emergency, thereby safeguarding personnel. Furthermore, the integration of advanced safety functions such as speed and proximity monitoring, collision detection, and safe stop mechanisms into collaborative robots (cobots) further enhances their capacity to operate safely alongside humans. Leveraging technologies like force feedback, low-inertia servo motors, elastic actuators, and collision detection systems, cobots are tailored to limit power and force capabilities to levels deemed safe for human interaction.  

CIP Safety with Hilscher

Hilscher's netX technology platform, consisting of the netX SoCs, associated firmware and extensive protocol stacks, supports the development of devices that have to fulfil high functional safety requirements. The firmware supports the data exchange services for the required safety-relevant applications. These include, for example, Safety over EtherCAT, CIP Safety or PROFIsafe. The netX acts as a black channel for the safety system.

On the hardware side, as with non-safety devices, the netX forms the interface to the fieldbus or real-time Ethernet systems. The safety frames are treated like I/O data and forwarded to the safety-relevant application. The corresponding application firmware for the netX 90 can be implemented on the application side of the controller, for example. It retrieves the data packets from the dual port memory (DPM) and forwards them to a defined interface. On the safety side, two redundant CPUs then receive the data via a galvanically isolated serial interface for further processing. 

Related Links


In the increasingly complex world of automation, characterized by sophisticated production processes and modularized machines, functional safety plays an ever more important role. Compliance with standards such as IEC 61508 or ISO 13849 is therefore essential. Find out how to easily implement devices that meet all safety rules with netX.


Looking for an integration partner for your industrial communication project? From multiprotocol netX chips to IIoT applications, our network of partner companies gives you all the help you need.
