Functional Safety in Industrial Automation

Functional safety is a critical aspect in industrial automation. It ensures the safe operation of machinery and protects human health, the environment, and material integrity from potential threats or accidents caused by malfunctions. It is an integral part of the overall safety of equipment, relying on automatic protection functions to respond correctly to inputs and have predictable responses to failures. This concept extends to the end-to-end scope of a system's function, treating the function of a component or subsystem as part of the entire automatic protection function. 

Examples include motor control devices on robots that automatically stop the motor to avoid hazards. These systems provide operators with better operational metrics and control, allowing manufacturers to operate confidently within a well-defined functional safety environment. The importance of functional safety is further emphasized by its role in reducing the risk of equipment causing harm to people or damage to property due to malfunction or incorrect operation. It is a multidisciplinary field that requires collaboration between engineers, safety professionals, and regulatory authorities to ensure the highest level of safety for personnel, equipment, and the environment.

In the field of industrial communication, which makes the integration of multiple machines, plants and systems within an automated industry possible in the first place, functional safety is achieved through special, superimposed safety protocols. These enable the reliable transmission of safety-critical data using the black channel principle. 

Key Aspects

Functional safety is a complex and interdisciplinary field that involves expertise in electrical engineering, control systems, industrial communication, software development, and risk management. By adopting a systematic approach to safety design and implementation, organizations can minimize the likelihood of accidents and failures, thereby protecting personnel, assets, and the environment. Here are some key aspects: 

1. Standards and Regulations

Functional safety in industrial automation is governed by various international standards and regulations, such as the IEC 61508 series which provides guidelines and defines Safety Integrity Levels (SIL) for the functional safety of electrical, electronic, and programmable electronic systems. Other standards specific to industries or regions may also apply, such as ISO 13849 for machinery safety or IEC 62061 for safety of machinery control systems. 

2. Risk Assessment

A fundamental step in functional safety is the identification and assessment of potential hazards associated with the operation of industrial automation systems. This involves analyzing the likelihood and severity of various failure modes and their potential consequences. 

3. Redundancy and Fault Tolerance

Redundancy and fault tolerance techniques are employed to ensure that a system can continue to operate safely even in the presence of faults or failures. This may involve using redundant sensors, actuators, or control systems, as well as implementing diagnostic routines to detect and respond to faults in real-time. 

4. Communication

In industrial automation systems, communication plays a crucial role in coordinating the operation of various components and exchanging data between different subsystems. Implementing robust communication protocols with built-in error detection and correction mechanisms is essential for ensuring the reliability and integrity of data transmission in safety-critical applications. Additionally, special safety protocols are integrated to prioritize safety-related data transmission, incorporate redundancy and fail-safe mechanisms, and ensure compliance with industry safety standards and regulations. These safety protocols further enhance the protection of personnel, equipment, and the environment in hazardous industrial environments. 

5. Certification and Validation

Safety-critical systems and components often require certification from regulatory bodies or independent third-party organizations to verify compliance with relevant standards and regulations. Validation testing, including both simulation-based testing and real-world trials, is typically conducted to demonstrate the effectiveness of safety measures and ensure that systems meet specified safety requirements. 

IEC 61508 Standard

The IEC 61508 series is a set of international standards developed by the International Electrotechnical Commission (IEC) that specifies requirements for the functional safety of electrical, electronic, and programmable electronic safety-related systems. These standards provide guidelines for the development, implementation, and management of safety-critical systems across various industries, including industrial automation.

The focus of the IEC 61508 series is to ensure that safety-related systems are designed, implemented, and operated in a manner that reduces the risk of hazardous failures to an acceptable level. The standard introduces the concept of Safety Integrity Levels (SILs), which are used to quantify the reliability and dependability of safety functions within a system. 

Safety Integrity Levels (SILs) are defined based on the likelihood of a safety function failing to perform its intended purpose when called upon to do so. SILs range from SIL 1 (lowest integrity) to SIL 4 (highest integrity), with each level representing a corresponding level of risk reduction. The higher the SIL level, the lower the probability of failure and the greater the risk reduction achieved by the safety function. 

Various characteristic values are used to define the SIL levels, including the Probability of Failure on Demand (PFD), the Risk Reduction Factor (RRF), the Probability of Failure per Hour (PFH) and the Mean Time Between Failures (MTBF). For illustration purposes, a list of SILs according to the RRF is provided below: 

  • SIL 1: Provides basic risk reduction (10 to 100 times reduction in risk). 
  • SIL 2: Provides low risk reduction (100 to 1,000 times reduction in risk). 
  • SIL 3: Provides moderate risk reduction (1,000 to 10,000 times reduction in risk). 
  • SIL 4: Provides high risk reduction (10,000 to 100,000 times reduction in risk). 

Achieving higher SIL levels typically requires more rigorous design, testing, and maintenance practices, as well as the use of redundant and diverse safety measures to minimize the probability of failures. 
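To make the characteristic values above concrete, the following added example (not code from the page or from Hilscher) computes a simplified single-channel PFDavg from a dangerous-undetected failure rate and a proof-test interval, derives the RRF, and maps PFD and PFH values onto SIL bands. The band limits are those of IEC 61508-1; the 1oo1 formula is the simplified approximation from IEC 61508-6 and assumes no diagnostic coverage and negligible repair time; the failure-rate and interval figures are constructed.

```python
# Added example (not from the page): deriving a SIL from the characteristic values
# named above. The PFD/PFH bands are those of IEC 61508-1; the 1oo1 PFDavg formula
# is the simplified approximation from IEC 61508-6 and assumes no diagnostic
# coverage and negligible repair time (assumptions made here for illustration).

# SIL bands as (sil, lower bound inclusive, upper bound exclusive)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def _classify(value, bands):
    """Return the SIL whose band contains value; 0 means no SIL is claimable
    (too unreliable, or below the range the standard defines)."""
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return 0


def sil_from_pfd(pfd_avg):
    """Low-demand mode: classify by average Probability of Failure on Demand."""
    return _classify(pfd_avg, PFD_BANDS)


def sil_from_pfh(pfh):
    """High/continuous-demand mode: classify by Probability of Failure per Hour."""
    return _classify(pfh, PFH_BANDS)


def rrf(pfd_avg):
    """Risk Reduction Factor is the reciprocal of PFDavg (matches the list above)."""
    return 1.0 / pfd_avg


def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Simplified single-channel (1oo1) PFDavg: dangerous-undetected failure
    rate per hour times half the proof-test interval in hours."""
    return lambda_du * proof_test_interval_h / 2.0


if __name__ == "__main__":
    # Constructed figures: MTBF of 5,000,000 h for dangerous undetected failures,
    # i.e. lambda_DU = 2e-7 per hour, with a yearly (8760 h) and a ten-yearly proof test.
    lam = 1 / 5_000_000
    for interval in (8760, 87600):
        pfd = pfd_avg_1oo1(lam, interval)
        print(f"T1={interval} h: PFDavg={pfd:.2e} RRF={rrf(pfd):.0f} -> SIL {sil_from_pfd(pfd)}")
```

The yearly proof test lands the constructed function in SIL 3 (RRF about 1,140) while a ten-yearly test drops it to SIL 2, showing how maintenance practice feeds into the SIL. A PFD figure alone never settles the SIL: IEC 61508 also imposes architectural constraints (hardware fault tolerance, safe failure fraction) and systematic capability requirements.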

Functional Safety Protocols & how they work

In order to guarantee functional safety in an existing network that uses a conventional communication protocol, a superimposed safety protocol is required that ensures the safe transmission of safety-critical data using the black channel principle. The black channel principle was defined for this purpose in IEC 61508. It essentially means that safety-critical data must be protected throughout its transmission within the system, regardless of the reliability of the communication channel itself. In practice, an extra safety layer is added on top of the communication stack, between the uppermost layer of the OSI model and the safety application, which allows standard and safety data to be transmitted together over the same network or bus line.

By definition, a black channel is an unknown communication channel: the specific details of the transmission medium are not relevant to the safety of the transmitted data. The black channel principle ensures that safety-related signals can be transmitted securely over standardized communication media, such as Ethernet or WLAN, from one point to another. Because the safety measures are implemented entirely within the end devices, the safety protocol tunnels through the underlying network channel without being affected by it.

In practical terms, this translates to implementing robust communication protocols, encryption techniques, error detection and correction mechanisms, and redundancy strategies to protect safety-critical data from potential threats or vulnerabilities in the network. By adhering to the black channel principle, functional safety systems can maintain the integrity and reliability of safety-critical data transmission, thus ensuring the overall safety of the system.
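To show what a superimposed safety layer on a black channel actually checks, here is an added illustrative example in Python. It is not code from the page, and it is not the frame format of PROFIsafe, FSoE or CIP Safety, which are the standardized implementations of this idea: a producer protects each safety PDU with a consecutive number and a CRC, and the consumer drives its outputs to the safe state on corruption, loss, repetition, reordering, or delay, regardless of what the underlying channel did. The 16-bit counter, CRC-32 trailer, 100 ms watchdog and PDU layout are assumptions chosen for the illustration.

```python
# Added example: a minimal safety layer riding over an untrusted black channel.
# Illustrative only; the PDU layout is NOT the PROFIsafe, FSoE or CIP Safety format.
# Countermeasures shown: CRC (corruption), consecutive number (loss, repetition, reordering) and a watchdog on arrival time (delay).
import struct
import zlib

SEQ = struct.Struct(">H")  # assumed header: 16-bit consecutive number
WATCHDOG_S = 0.100         # assumed safety watchdog time: 100 ms


def pack_safety_pdu(seq, payload):
    """Producer: consecutive number + payload, protected by a CRC-32 trailer."""
    body = SEQ.pack(seq & 0xFFFF) + payload
    return body + struct.pack(">I", zlib.crc32(body))


class SafetyConsumer:
    """Consumer: any failed check drives the safe state (outputs off) and latches."""

    def __init__(self, t0):
        self.expected_seq, self.last_ok_time = 0, t0
        self.safe_state, self.outputs = False, b""

    def _fail(self, reason):
        self.safe_state, self.outputs = True, b""
        return reason

    def receive(self, pdu, now):
        """Validate one PDU received at time `now` (seconds); return a verdict."""
        if self.safe_state:
            return "safe state latched; operator reset required"
        if now - self.last_ok_time > WATCHDOG_S:  # unacceptable delay on the channel
            return self._fail("watchdog expired")
        body, trailer = pdu[:-4], pdu[-4:]
        if len(body) < SEQ.size or struct.pack(">I", zlib.crc32(body)) != trailer:
            return self._fail("crc mismatch or truncated pdu")  # bit errors / truncation
        seq = SEQ.unpack_from(body)[0]
        if seq != self.expected_seq:  # lost, repeated, inserted or reordered PDU
            return self._fail(f"sequence error: got {seq}, expected {self.expected_seq}")
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_ok_time, self.outputs = now, body[SEQ.size:]
        return "ok"


def run_over_black_channel(frames):
    """Feed (arrival_time, pdu) pairs, as the channel delivered them, to a fresh consumer."""
    consumer = SafetyConsumer(t0=0.0)
    return [consumer.receive(pdu, t) for t, pdu in frames]
```

Calling `run_over_black_channel` with a list of constructed `(arrival_time, pack_safety_pdu(...))` pairs returns one verdict per frame; once any check fails, every later frame is rejected until a reset, which is the fail-safe behaviour the end devices, not the network, are responsible for.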

PROFIsafe 

PROFIsafe is a safety communication protocol used in industrial automation systems with PROFIBUS and PROFINET networks. It provides a reliable and robust communication mechanism for transmitting safety-critical data between safety devices and controllers. Key features of PROFIsafe include: 

Redundancy: PROFIsafe employs redundant communication paths to ensure reliable transmission of safety-critical data, minimizing the risk of communication failures. 

Error Detection and Correction: The protocol incorporates advanced error detection and correction mechanisms to detect and mitigate communication errors, enhancing the integrity of safety-critical data transmission. 

Integration with PROFIBUS and PROFINET: PROFIsafe seamlessly integrates with PROFIBUS and PROFINET networks, leveraging their robustness and scalability while adding safety-specific functionalities. 

Safety over EtherCAT (FSoE)

Safety over EtherCAT (FSoE or Fail-Safe over EtherCAT) is a safety communication protocol built upon the EtherCAT Industrial Ethernet technology. It enables the transmission of safety-critical data over standard EtherCAT networks, providing high-performance and deterministic communication for safety applications. Key features of Safety over EtherCAT include: 

Deterministic Communication: Safety over EtherCAT offers deterministic communication, ensuring precise timing and synchronization of safety-related messages within EtherCAT networks. 

Integration with EtherCAT: The protocol seamlessly integrates with standard EtherCAT networks, leveraging their high-speed communication capabilities while adding safety-specific functionalities. 

Distributed Safety Functions: Safety over EtherCAT supports distributed safety functions, allowing safety devices and controllers to be distributed throughout the network without compromising safety performance. 

CIP Safety 

CIP Safety is a safety communication protocol developed as part of the Common Industrial Protocol (CIP) family, commonly used with EtherNet/IP networks. It enables the transmission of safety-critical data over standard Ethernet networks, providing flexibility and interoperability for safety applications. Key features of CIP Safety include: 

Interoperability: CIP Safety facilitates interoperability between safety devices and controllers from different manufacturers, allowing them to communicate seamlessly within EtherNet/IP networks. 

Scalability: The protocol supports scalable safety architectures, enabling the integration of safety functions into both small-scale and large-scale automation systems without significant overhead. 

Integration with EtherNet/IP: CIP Safety integrates seamlessly with EtherNet/IP networks, leveraging their widespread adoption and robust communication capabilities while adding safety-specific functionalities. 

Hilscher & Functional Safety

Hilscher is a company that specializes in industrial communication solutions, including hardware and software products for fieldbus and Industrial Ethernet protocols. While Hilscher's primary focus is on providing reliable and efficient communication solutions for industrial automation applications, their products and technologies also play a role in enabling functional safety in industrial systems. 

The company's netX technology, on which the communication controllers of the same name and a range of embedded modules and PC cards are based, already supports the development of functionally safe systems up to SIL 3. The netX technology platform thus supports the development of devices that have to fulfil high functional safety requirements. The associated firmware provides the data packets for the required safety-relevant applications. These include, for example, Safety over EtherCAT, CIP Safety or PROFIsafe. The netX SoC acts as a black channel for the safety system. Hilscher works closely with experienced partners to implement safety layers for a specific device.
