Functional safety
Modular safety in the SmartFactory
Among other things, Industry 4.0 provides for the flexible conversion of modular production systems in the sense of 'plug & play'. Future safety concepts must also take this into account. Ethernet-based communication plays a key role here.
Plug & play in the context of modular production concepts means that systems not only have to be frequently modified, but also repeatedly tested and certified, particularly with regard to functional safety - either by an independent testing body or by the operator themselves. A dynamic, modular safety system could significantly simplify this process and thus help to save valuable time in the production process.
With this in mind, the SmartFactory KL technology initiative came up with the idea of using a simplified, partially or fully automated certification process for system expansions or additions. As a result, a partner consortium - consisting of Bosch Rexroth, B&R, Festo, PhoenixContact, Pilz and TÜV Süd - developed a dynamic safety concept for this and implemented it on the Industry 4.0 demo system. The new feature: for the first time, the emergency stop could be parameterized flexibly across individual production lines and no longer across the entire plant. The basis for this was the use of the Ethernet-based Profisafe communication protocol.
First things first: The Industry 4.0 demo plant at SmartFactory KL consists of three production areas: two automated production lines and a manual assembly station. An automated guided vehicle system connects the three areas and ensures that the product to be manufactured - an individualized business card holder - can be produced flexibly in various ways.
To demonstrate the new safety concept on the system, the so-called interlocks of the machines were chosen as a showcase. The interlocks represent the interfaces between a machine and other machines in the network. When the interlocks are closed, the machine can ensure its own safety. When they are open, a machine cannot itself monitor whether a neighboring machine allows an employee to pass through the interlock. This leads to the following requirement: If the safety gate of a neighboring machine is unlocked, or if there is no neighbor at all while the interlock is open, the machine should switch to a safe state - for example, by closing the interlocks.
The cross-location character of the SmartFactory KL production system is made clear by the division of the modules into two production lines and a manual workstation.
© SmartFactory KL / C. Arnoldi
In the past, all production modules in the demo system were combined in a single emergency stop loop using direct wiring. However, this classic, wired technology led to high cabling costs when new production lines were formed. In addition, the amount of information that could be transmitted was severely limited; at the same time, it was difficult to determine the cause of a safe condition. The new, dynamic emergency stop concept ultimately eliminated these disadvantages.
As already mentioned, the foundation stone for the dynamic emergency stop concept was laid by Profisafe, a protocol that is now widely used in automation.
The dynamic emergency stop
In addition to Profisafe as the communication backbone, a central safety controller was installed in the server cabinet; at the same time, all modules in the system received small I/O couplers to exchange signals relating to the functional safety of the production modules. In future, modules or production lines can be dynamically parameterized via this architecture. The physically separated arrangement of the two production lines, with a minimum distance between them, also results in several independent emergency stop areas. The new concept has advantages in this respect, too: If one line goes into a safe state, the rest of the plant can continue to produce, which significantly reduces production downtime in real operation. In other words: In the event of an emergency stop, only individual parts of the plant stop, not the entire plant.
Another basic component of the new safety approach is TÜV Süd's modular certification concept. It provides for machines to implement safety profiles that are described in the asset administration shell. The asset administration shell combines all the data generated during the life cycle of a product.
The profiles describe the structure, behavior and interfaces of a machine. For the 'interlocks' use case, this means that an 'interlock' profile requires the existence of a physical interlock, which is mapped in the asset administration shell. It also means that the profile for safety gate monitoring must be implemented in order to ensure that a module enters a safe state even if the safety gate is opened when the interlock is open. Validation at runtime ensures that the machine has the necessary components to implement its profiles, which must also be evident from the asset administration shell. The profile also describes the behavior that interlocks are to be closed when a safety gate is unlocked.
If all machines in a network have implemented the profile, the network can be automatically certified as safe with regard to the safety functions that require this profile. If the necessary information is missing, qualified personnel must assess the potential safety risks. Configurations confirmed manually in this way are stored for the system layout in question and can be certified automatically in future, based on the new safety parameters dynamically stored in the asset administration shell.
The certification process in detail
Inspired by the "Safe Line Automation" concept of B&R, a member of the SmartFactory KL partner consortium, a certification process was described for the Industry 4.0 demo system. The process applies to the connection of a new device, machine part or complete machine to the machine network and works as follows: Using OPC UA discovery mechanisms, the central safety controller recognizes the new element, establishes a connection to its asset administration shell and searches it for safety profiles. OPC UA's built-in security features are used to ensure the integrity of this process. In this way, the safety controller obtains a complete picture of the machines present in the plant and their safety functions without new elements having to be configured manually.
The next step is to validate the profiles of the entire machine network. This involves checking whether the machines in the network meet the SIL (Safety Integrity Level) requirements for the specific application in all profiles. The combination of modules, work processes and workpiece (material) can result in a different risk potential and therefore different requirements for the safety function, classified by the Safety Integrity Level. In accordance with the concept of modular certification, this must be recognized when a machine is plugged in and handled correctly on request.
In addition, the correct implementation of all profiles of a machine is verified with the help of certificates stored digitally in the asset administration shell. The communication parameters for safe cyclic communication are then read from the asset administration shell and subjected to a plausibility check. This compares network timings, for example, and ensures that safe response times can be maintained for all safety functions.
Once all checks have been successfully completed, the safety controller establishes the cyclic communication connection and finally performs a profile-specific validation of the safety functions. This involves deliberately triggering some or all of the safety functions to ensure that they have been correctly implemented and dynamically configured. While all process steps up to and including the plausibility check can take place via OPC UA communication, safe communication based on a certified safety protocol is essential for actual operation.
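The validation steps described above (profile check, SIL check, certificate check, plausibility check of the communication parameters), as an added toy model that is not part of the article or of the SmartFactory KL project. Each module's asset administration shell (AAS) is modelled as a plain dict; all module ids, profile names, SIL values, certificate fields and timings are constructed for illustration.

```python
# Added example, not from the article: a simplified model of the network
# validation run by the central safety controller. AAS = plain dict; all
# ids, field names, SIL values, "certificates" and timings are constructed.
REQUIRED_PROFILES = {"interlock", "safety_gate_monitoring"}  # 'interlocks' use case

def validate_network(aas_list, required_sil, max_response_ms):
    """Return (auto_certifiable, findings). No findings means the network can
    be certified automatically; otherwise qualified personnel must assess the
    configuration manually, as the certification process above requires."""
    findings = []  # list of (module id, message)
    for aas in aas_list:
        mid = aas["id"]
        profiles = set(aas.get("profiles", []))
        certs = aas.get("certificates", {})
        comps = aas.get("components", {})
        # 1. profile check: every required safety profile must be implemented
        for p in sorted(REQUIRED_PROFILES - profiles):
            findings.append((mid, f"profile '{p}' not implemented"))
        # 2. runtime validation: the component a profile needs must be in the AAS
        if "interlock" in profiles and not comps.get("physical_interlock"):
            findings.append((mid, "interlock profile without a physical interlock"))
        # 3. SIL check against the requirement of the specific application
        if aas.get("sil", 0) < required_sil:
            findings.append((mid, f"SIL {aas.get('sil', 0)} < required SIL {required_sil}"))
        # 4. each implemented required profile must carry a stored certificate
        for p in sorted(profiles & REQUIRED_PROFILES):
            if p not in certs:
                findings.append((mid, f"no certificate stored for profile '{p}'"))
        # 5. plausibility of the safe cyclic communication parameters: the
        #    worst-case reaction (cycle + watchdog) must fit the response limit
        comm = aas.get("comm")
        if not comm:
            findings.append((mid, "no communication parameters in AAS"))
        else:
            worst = comm["cycle_ms"] + comm["watchdog_ms"]
            if worst > max_response_ms:
                findings.append((mid, f"worst-case response {worst} ms > {max_response_ms} ms"))
    return not findings, findings

# Constructed discovery result: one compliant module and one with gaps
SAMPLE_NETWORK = [
    {"id": "line1_press", "profiles": ["interlock", "safety_gate_monitoring"],
     "sil": 3, "components": {"physical_interlock": True},
     "certificates": {"interlock": "cert-A", "safety_gate_monitoring": "cert-B"},
     "comm": {"cycle_ms": 4, "watchdog_ms": 20}},
    {"id": "line1_robot", "profiles": ["interlock"], "sil": 2,
     "components": {}, "certificates": {},
     "comm": {"cycle_ms": 10, "watchdog_ms": 60}},
]
```

Running `validate_network(SAMPLE_NETWORK, required_sil=3, max_response_ms=50)` flags only `line1_robot`, with one finding per failed check, so the network as a whole would require manual assessment.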
The next step is a TSN-based implementation of a safety protocol in the demonstration plant, as soon as the necessary products are available on the market.
Authors:
Dr. Haike Frank is Head of Public Relations and Marketing at SmartFactory KL;
Moritz Ohmer headed the Safety working group at SmartFactory KL until the end of August 2017.