
Chapter 7

Safe Networking

Contents
7.0 Conventional bus systems
7.1 Safe bus systems
7.1.1 Structure of a safe bus system
7.1.2 Selecting a safe bus system
7.2 SafetyBUS p: the safe bus system

7.0 Conventional bus systems

Great changes have taken place in the field of automation technology
over the last few years. This is especially true of fieldbus systems
that enable plant and machinery to be modular and decentralised.
The associated application options and benefits, such as increasingly
less wiring and the flexibility to adapt to changing requirements, are
well known.

As features such as data transfer requirements will vary from plant to
plant, and fieldbus systems need to be optimised to meet different
criteria, several different systems have become established as
standard. Basically, however, the advantages of a network increase
the larger the plant or the machine, and the greater the number of
subscribers that can be connected. A number of different functions
are likely to be required, for example, acquiring a machine's sensory
data or transferring data between two sites, to name just two. But
whatever your requirement, the capabilities of the fieldbus being used
will be taken into account through a hierarchical bus structure. A
typical arrangement would include a factory bus, a plant bus and
possibly a separate bus system for the sensor/actuator area.

Fig. 69: Typical bus arrangement (master, PLC and visualisation on a
factory bus, e.g. Ethernet; plant bus, e.g. Interbus; sensor/actuator
bus, e.g. AS-i bus, each with its modules M)

7.1 Safe bus systems

In principle, a similar bus system would also be of interest to the
safety technology sector. After all, the requirement for a similarly
complex connection of input devices (e.g. emergency stops or safety
gate switches) to actuators (e.g. contactors or valves) is equally valid.

Fig. 70: Typical safety bus arrangement

However, none of the established bus systems for the standard sector
can in any way meet the requirements of a safety-related network.
This is why Pilz has decided to develop a safe bus system to
supplement the current range of fieldbuses. With the safety-related
network, users will enjoy the same benefits they have come to expect
from conventional, well-established fieldbus systems, such as less
wiring, universal diagnostics and greater flexibility and openness. The
safe bus system has an open protocol, enabling different field
modules from other manufacturers to be connected.
A safe bus system can also be used to network safety-related control
systems such as the PSS-range of safety systems. In essence,
users of programmable safety systems will notice little change: they
will use the same familiar software for programming, they will still be
able to use the available software blocks and will also be able to
communicate with the decentralised I/Os via their addresses.

Established fieldbus systems do not meet the requirements of a
safe network. This is because of the requirements of the Machinery
Regulations, in particular with regard to EN 292-1 (Safety of
machinery. Basic concepts, general principles for design. Basic
terminology, methodology), EN 1050 (Safety of machinery. Principles
for risk assessment) and EN 954-1 (Safety of machinery. Safety
related parts of control systems. General principles for design). For
category 4, EN 954-1 states that a single fault in the control system
shall not lead to a loss of the safety function, and that the single
fault is detected at or before the next demand upon the safety
function. It goes on to say: "If this is not possible, an accumulation of
faults shall not lead to a loss of the safety function." In other words, it
must be possible to manage a variety of potential faults.
We need to start by acknowledging that on a physical, single-channel
bus, the possibility of a communication error occurring can never
positively be excluded. Given this background, the objective is to
reach the highest possible level of safety, not by avoiding errors (for
this is practically impossible), but by controlling them. The mechanisms
that lead to communication errors are well known. The measures that
can be taken to counter a few isolated error types are also common
knowledge. The safe bus system has been developed with a package
of measures to ensure that each communication error on the bus is
detected and controlled. One such measure, for example, is Echo
Mode, which ensures that any data loss or delay is safely detected.
Measures taken to ensure safety relate not only to data
communication, but directly to the bus system itself. For example, if a
subscriber fails, the ability to safely display this information within a
certain period of time must be guaranteed. All things considered, a
number of measures targeting different aspects are required in order
to design a safe bus system. In general these will affect the bus
protocol, the network management and the hardware of the bus
components, which are normally designed to be both diverse and
redundant.
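The following is an added illustration, not Pilz's code and not the SafetyBUS p protocol. It models in simplified form the kind of measures the paragraph lists, on a single-channel bus where errors are controlled rather than avoided: a per-subscriber sequence counter (loss, repetition, wrong order), a frame age limit (delay), an echo of every accepted frame that the sender must see within a deadline, and a watchdog so that a silent subscriber is reported within a bounded time. The frame fields, the class names and all time limits are assumptions, and the trace in `run_scenario` is constructed.

```python
"""Simplified model of error control on a single-channel safety bus.

Added example, not the SafetyBUS p protocol. Frame layout, names and
the three time limits below are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_AGE = 20        # ms: a frame older than this on arrival counts as delayed (assumed)
WATCHDOG = 100      # ms: a subscriber silent longer than this is reported as failed (assumed)
ECHO_DEADLINE = 15  # ms: the sender must see its echo within this interval (assumed)


@dataclass(frozen=True)
class Frame:
    src: int        # address of the sending subscriber
    seq: int        # per-subscriber sequence counter: detects loss, repeat, wrong order
    sent_at: int    # sender timestamp in ms: detects delay
    payload: int    # e.g. the 8-bit input image of a decentralised I/O module


class SafeReceiver:
    """Central unit: checks every frame and echoes accepted ones back."""

    def __init__(self, addresses):
        self.next_seq: Dict[int, int] = {a: 0 for a in addresses}
        self.last_seen: Dict[int, int] = {a: 0 for a in addresses}
        self.safe: Dict[int, bool] = {a: False for a in addresses}
        self.errors: List[str] = []

    def _trip(self, addr: int, reason: str) -> None:
        # A detected error forces the subscriber's outputs to the safe state.
        self.safe[addr] = True
        self.errors.append(f"{addr}: {reason}")

    def receive(self, f: Frame, now: int) -> Optional[Frame]:
        """Return the echo (the accepted frame itself) or None if rejected."""
        if self.safe[f.src]:
            return None                      # already safe: ignore further traffic
        if f.seq != self.next_seq[f.src]:
            self._trip(f.src, f"sequence error: expected {self.next_seq[f.src]}, got {f.seq}")
            return None
        if now - f.sent_at > MAX_AGE:
            self._trip(f.src, f"delayed frame seq {f.seq}: age {now - f.sent_at} ms")
            return None
        self.next_seq[f.src] += 1
        self.last_seen[f.src] = now
        return f

    def tick(self, now: int) -> None:
        """Periodic check: a silent subscriber is reported within WATCHDOG ms."""
        for addr, seen in self.last_seen.items():
            if not self.safe[addr] and now - seen > WATCHDOG:
                self._trip(addr, f"no frame for {now - seen} ms (subscriber failure?)")


class SafeSender:
    """I/O module side: keeps frames until echoed, checks echo content and time."""

    def __init__(self, addr: int):
        self.addr, self.seq = addr, 0
        self.pending: Dict[int, Frame] = {}   # seq -> frame awaiting its echo
        self.errors: List[str] = []

    def send(self, payload: int, now: int) -> Frame:
        f = Frame(self.addr, self.seq, now, payload)
        self.pending[self.seq] = f
        self.seq += 1
        return f

    def on_echo(self, echo: Optional[Frame], now: int) -> None:
        if echo is None:
            return                           # nothing came back; check_missing_echo reports it
        orig = self.pending.pop(echo.seq, None)
        if orig is None or orig != echo:     # echo must match the frame bit for bit
            self.errors.append(f"echo mismatch for seq {echo.seq}")
        elif now - orig.sent_at > ECHO_DEADLINE:
            self.errors.append(f"echo for seq {echo.seq} late: {now - orig.sent_at} ms")

    def check_missing_echo(self, now: int) -> None:
        for seq, f in list(self.pending.items()):
            if now - f.sent_at > ECHO_DEADLINE:
                self.errors.append(f"no echo for seq {seq} (frame lost?)")
                del self.pending[seq]


def run_scenario():
    """Constructed trace: one healthy module, one delayed, one lost frame, one silent."""
    rx = SafeReceiver([1, 2, 3])
    s1, s2, s3 = SafeSender(1), SafeSender(2), SafeSender(3)
    f1, f2, f3 = s1.send(0xFF, now=0), s2.send(0x01, now=0), s3.send(0x00, now=0)
    s1.on_echo(rx.receive(f1, now=5), now=8)    # prompt delivery, echo in time
    s3.on_echo(rx.receive(f3, now=3), now=6)    # likewise
    rx.receive(f2, now=30)                      # held up on the bus: delayed
    s1.send(0xFE, now=10)                       # change reported, but frame is lost
    s1.check_missing_echo(now=30)               # sender notices the missing echo
    rx.receive(s1.send(0xFC, now=40), now=45)   # receiver sees the gap in seq numbers
    rx.tick(now=150)                            # module 3 has gone silent
    return rx.errors, s1.errors


if __name__ == "__main__":
    print(run_scenario())
```

Note that the receiver and the sender detect complementary things: the sender learns about a lost frame from the missing echo, while the receiver only learns about it from the sequence gap on the next frame. A module that simply stops transmitting produces no sequence error at all, which is why the watchdog in `tick` is a separate measure.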

7.1.1 Structure of a safe bus system


Safe bus systems are designed in the same way as conventional
fieldbus systems. Typically they will have a central processing unit
(CPU), several decentralised input and output modules with digital or
analogue I/Os, and field modules that are connected directly, such as
light curtains. Generally the CPU will only have a few I/Os to cover
the local requirement in the control cabinet. It will also look after the
network configuration, in which information such as the number of
subscribers, the data communication rate or the addresses of the
subscribers is stored. No additional knowledge is required to
program the actual safety program. Even the connection to the
conventional fieldbus is made in familiar fashion, either through
appropriate interface cards or by means of interface modules housed
within the safety system.

The decentralised I/O modules have fewer I/Os in comparison to
conventional controllers, enabling the network to be finely
partitioned at a local level. The decentralised I/O modules are
mainly used to connect safety devices such as emergency stop
switches or safety gates, but complex field modules may also be
connected to the safety bus via the decentralised inputs and outputs.
Where the bus has an open protocol (e.g. SafetyBUS p), field
modules from other manufacturers can easily be integrated directly
into the safety bus via the available interface electronics.

From the point of view of safety, it may be sensible to partition the
plant into sub-sections. This takes into account the ability to form
groups within the safe bus system (see Fig. 71), enabling safety-
related data from a whole plant to be controlled through a single
safety bus. Sub-sections, however, may be assigned to different
groups. Should a fault occur, only the respective group would need
to switch to a safe condition. It is also possible to form supervisory
groups. A typical example of this would be in emergency stop
applications, where the emergency stop function is valid for the whole
plant, irrespective of the location of the relevant emergency stop
button. In a case such as this, where a signal group has been
formed, the emergency stop function must be operative for the whole
plant, even if a section of the plant (signal group) is in a group stop,
e.g. for maintenance work.
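The group behaviour described above, as an added example that is not Pilz's or SafetyBUS p's implementation: a fault stops only the group that owns the faulty device, a group stop takes one section out for maintenance, and an emergency stop button, which belongs to the supervisory signal group wherever it is physically located, stops the whole plant, including from inside a section that is already in a group stop. The group and device names and the latching rule for restart are assumptions chosen for the illustration.

```python
"""Model of group and supervisory-group partitioning on a safe bus.

Added example, not Pilz's or SafetyBUS p's code. Group names, device
names and the restart rule are assumptions for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Group:
    name: str
    devices: Set[str]       # subscribers assigned to this group
    stopped: bool = False   # True once the group has been switched to the safe condition
    reason: str = ""        # why it was stopped: fault, group stop or emergency stop


class SafePlant:
    def __init__(self, groups: List[Group], estop_buttons: Set[str]):
        self.groups: Dict[str, Group] = {g.name: g for g in groups}
        # Supervisory signal group: every emergency stop button, wherever it sits.
        self.estop_buttons = estop_buttons
        self.estop_latched = False

    def _owner(self, device: str) -> Group:
        for g in self.groups.values():
            if device in g.devices:
                return g
        raise KeyError(f"{device} is not assigned to any group")

    def device_fault(self, device: str) -> None:
        """A detected fault switches only the affected group to the safe condition."""
        g = self._owner(device)
        g.stopped, g.reason = True, f"fault on {device}"

    def group_stop(self, name: str) -> None:
        """Planned stop of one section, e.g. for maintenance work."""
        g = self.groups[name]
        g.stopped, g.reason = True, "group stop"

    def emergency_stop(self, button: str) -> None:
        """Valid for the whole plant, regardless of which group the button is in."""
        if button not in self.estop_buttons:
            raise ValueError(f"{button} is not an emergency stop button")
        self.estop_latched = True
        for g in self.groups.values():
            g.stopped, g.reason = True, f"emergency stop {button}"

    def reset_emergency_stop(self) -> None:
        self.estop_latched = False

    def restart(self, name: str) -> bool:
        """A group may only be restarted while no emergency stop is latched (assumed rule)."""
        if self.estop_latched:
            return False
        g = self.groups[name]
        g.stopped, g.reason = False, ""
        return True

    def running(self) -> List[str]:
        return [n for n, g in self.groups.items() if not g.stopped]


def run_scenario() -> List[Tuple[str, List[str]]]:
    """Constructed sequence of events; returns the running groups after each one."""
    plant = SafePlant(
        groups=[
            Group("feed", {"E1", "gate1"}),
            Group("press", {"E2", "gate2", "valve"}),
            Group("pack", {"E3", "curtain"}),
        ],
        estop_buttons={"E1", "E2", "E3"},
    )
    trace = [("start", plant.running())]
    plant.device_fault("gate2")                 # only "press" switches to safe
    trace.append(("fault gate2", plant.running()))
    plant.group_stop("feed")                    # "feed" taken out for maintenance
    trace.append(("group stop feed", plant.running()))
    plant.emergency_stop("E1")                  # button inside the stopped group: whole plant stops
    trace.append(("e-stop E1", plant.running()))
    plant.restart("pack")                       # refused: emergency stop still latched
    trace.append(("restart pack while latched", plant.running()))
    plant.reset_emergency_stop()
    plant.restart("pack")
    trace.append(("reset, restart pack", plant.running()))
    return trace


if __name__ == "__main__":
    for event, running in run_scenario():
        print(f"{event:28} running: {running}")
```

The point of the scenario is the "e-stop E1" step: the button sits in the `feed` group, which is already in a group stop, yet pressing it still takes `press` and `pack` to the safe condition, because the button is evaluated as a member of the supervisory signal group rather than of its local group.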

Fig. 71: Emergency stop function via a safe network


7.1.2 Selecting a safe bus system

Conventional controllers have a number of different bus systems
available, each of which is optimised with regard to the requirements
of the particular plant. In the same way, the demands on the bus
system will differ within the safety section of the control system. The
amount of safety-related data on plants that mainly have emergency
stop functions is relatively small, whereas time-critical applications,
such as monitoring for a broken shear pin on a press, will involve
large amounts of safety data.

The operation of the plant, however, may require a combination of
safety functions requiring both large and small amounts of data. This
type of requirement would clearly benefit from a bus procedure that is
event-driven. This would only access the bus when information had
changed, in contrast to a bus that sends out data as part of each
cycle. The selection of an appropriate safe bus system may also
depend on which conventional fieldbus is already installed, as users
will be able to rely on a certain amount of knowledge as regards
diagnostics or maintenance, and will also be familiar with the
necessary tools.
7.2 SafetyBUS p: the safe bus system

SafetyBUS p is based on an event-driven bus procedure, i.e. data is
only sent when the status at the I/O or field module has changed.
This means that SafetyBUS p is particularly suitable for networking
plants that combine functions with variable signal frequencies and
fast reaction times. SafetyBUS p is a multi-master system based on
the proven CAN bus system. 64 subscribers can be connected via
SafetyBUS p using the PSS-range of programmable safety systems.

Subscribers may include not only the PSS programmable safety
systems but also decentralised I/O modules or field modules (e.g.
light curtains) that are connected to SafetyBUS p directly. Cable runs
of up to 1,000 m can be installed. The decentralised I/O modules (8
inputs/8 outputs) can be used to poll input devices (emergency stop,
safety gate or two-hand devices) or control actuators (e.g.
contactors). The system has been developed to meet the
requirements of category 4 in accordance with EN 954-1, and AK6 in
accordance with DIN 19250. Whether the connection is centralised
or decentralised, users view the plant configuration as a normal
process image of inputs and outputs. This means that all the
BG/TÜV-tested software blocks available for the PSS safety systems
(emergency stop, two-hand, etc.) can still be used.

The ability to incorporate optoelectronic protective devices such as
light curtains into SafetyBUS p provides additional benefits. For
example, not only can the standard reports on the status of the
protected field be transmitted, but also additional diagnostic
information such as a reduction in the quantity of light received, so
that contamination or misalignment can be detected early.
SafetyBUS p also enables light curtains to be configured via the safe
bus system, making it relatively easy to blank individual light beams
or mute safety devices in order to move material in and out.

The security and flexibility of a safe, open bus system will
undoubtedly be the next step forward in the fast-changing world of
safety technology.
