Functional safety
Safe shutdown via IO-Link Safety
Version 1.0 of the technical specification 'IO-Link Safety - System Extensions' was published around a year ago. More than 20 companies from the field of functional safety were involved in its development. What has happened since then?
The IO-Link technology for connecting intelligent sensors and actuators to automation systems is now firmly established in mechanical and plant engineering: 5.3 million nodes had already been installed by the end of 2016 and over 8 million by the end of 2017. Originally developed for communication in non-safety-related applications, the community behind IO-Link has also been systematically addressing the topic of 'functional safety' for a few years now. Version 1.0 of the technical specification 'IO-Link Safety - System Extensions' was finally published in April 2017. Prior to this, the corresponding concept of safe communication had been confirmed by TÜV-SÜD.
Figure 1: Functionally safe modules on the remote I/O: IO-Link Safety will make it possible to reduce the large number of FS module types to one FS master in future. This is particularly advantageous for compact remote I/O with a higher degree of protection - for example IP67.
© Profibus user organizationFor a better understanding, the technology of IO-Link Safety and some important advantages are briefly presented. The starting point is the classic connection of simple safety devices to remote I/O systems on the fieldbus with a functionally safe communication profile (FSCP), as shown in Figure 1, left: Depending on the type of sensor or actuator, an FS-AE (analog input), FS-AA (analog output), FS-DE (digital input) or FS-DA (digital output) is required in order to implement modern safety solutions. As with basic IO-Link, IO-Link Safety reduces the variety of I/O modules to one type - the FS-Master (see Figure 1, right).
Until now, functional safety in automation has been characterized by shutdown functions such as 'emergency stop' or 'emergency stop', and corresponding binary sensors such as pushbuttons, light grids or laser scanners are widely used. With IO-Link Safety, it is now possible to safely record more analog measurements and then let the safety controller decide whether to switch off or safely stop.
In principle, such applications can also be solved at fieldbus level with an FSCP using safe field devices. However, there are now already more than ten FSCPs worldwide with a regional focus. For device manufacturers aiming for global marketing, the development effort for the communication interfaces would therefore be greater than for the actual safety technology.
Why IO-Link Safety?
Figure 2: Universal FS-Device for all FSCPs: One FS-Device can handle both OSSDe operation on classic FS-DE modules and secure communication on FS masters.
© Profibus user organizationFigure 2 shows the solution with IO-Link Safety. One universal FS-Device with IO-Link Safety fits all FSCPs, provided there is at least one FS-Master for this FSCPx. As it is usually specialized manufacturers who deal with IO-Link masters on certain fieldbuses, it is also obvious for these specialists to dedicate themselves to the FS-Master variant. FS device manufacturers, on the other hand, can concentrate fully on the safety task of their devices. It will take a while for this market to establish itself. However, the general migration strategy of IO-Link will help here: There is the transition from so-called SIO mode (standard I/O switching signal) to IO-Link communication mode. This means that a device can be operated both in switching mode on a classic DE module and in communication mode on the new IO-Link master. The migration strategy for IO-Link Safety is very similar. However, the switching mode is not limited to a switching signal. Safe switch-off sensors are also called OSSD (Output Switching Sensing Device). These are redundant switching signals that were initially driven by relay outputs and switched antivalently to detect cable faults. In the course of the changeover to electronic solutions, the equivalent switching signals were introduced because an antivalent state is no longer possible in the event of a power failure. Short, offset test pulses, which are read back and evaluated by the device, are now used to detect faults.
IO-Link Safety has decided to limit the large number of existing test pulse solutions to a type 'C' and class '1' defined in the ZVEI position paper CB24I, which covers a very large number of product types on the market. Due to the maximum cable length of 20 m with IO-Link, the electrical properties are well-defined and allow this simplification. IO-Link Safety expects this to result in very stable operation and simplification for the user by eliminating filter and discrepancy time settings (offset of the two signals). The solution is referred to as OSSDe.
With IO-Link Safety, the second OSSDe signal is assigned to pin 2 of the M12 connector. This assignment conforms to the specifications of the automation initiative of the German automotive industry (AIDA).
Safety communication
Figure 3: The 'Black Channel' principle: IO-Link Safety uses the unchanged IO-Link standard communication as a means of transport for its secure process data between the respective FS-Device technology and the fieldbus gateway (FSCP).
© Profibus user organizationFor communication operation, IO-Link Safety has chosen the proven 'Black Channel' principle as shown in Figure 3 . This means that a safe communication layer is placed on top of the existing communication stack of the IO-Link master (master for short) and the IO-Link device (device for short). In addition to management, this layer consists of a protocol state machine for receiving and sending safe messages (safety PDU), which consist of the safe process data and an additional safety code. The protocol is responsible for checking the timely receipt of new data, which must originate from the correct sender and be unaltered.
IO-Link Safety recognizes two protocol formats: One format is intended for small amounts of data up to a maximum of three octets with a correspondingly short security code, the other for a maximum of 25 octets with a longer security code. Figure 3 also shows the connection between the IO-Link Safety communication layer of the FS master and the higher-level FSCP layer of the fieldbus. In terms of implementation, the two layers can be realized as software, for example in a redundant unit.
Figure 4: The standardized master interface ensures uniform FS master behaviour through well-defined services.
© Profibus user organizationOver the past year, there have been calls to better harmonize the behaviour of IO-Link masters and to allow the operation of masters from different manufacturers on one master tool. When IO-Link was designed and specified several years ago, special fieldbuses dominated and there were only a few buses based on Ethernet. A harmonized solution could not be tackled at that time due to a lack of 'overview knowledge'. This is different today: Ethernet-based fieldbuses are now the norm and experience in 'docking' IO-Link to fieldbuses is now available.
Figure 4 shows the top layers of an FS master, consisting of the configuration manager, parameter data storage, acyclic communication, the diagnostic unit and cyclic process data exchange. The standardized master interface - SMI for short - specifies standardized services for each of these units, which can be called up by the gateway. The gateway ensures adaptation to the respective user protocols. Cyclical process data is mapped from the IO-Link safety protocol to the FSCP of a fieldbus, for example, and vice versa ('mapping'). Acyclical data is transferred from and to the FS master tool via an IO-Link to UDP conversion (user-defined protocol). For the SMI, the individual protocol participants are 'clients' that need to be managed. The gateway is responsible for coordinating the access of these clients to the SMI.
IO-Link Safety had to extend this SMI. For example, in the configuration manager because of the additional safe parameters of the protocol state machine (e.g. monitoring time). The splitter/composer is a special feature for cyclical process data exchange. Here, the safety PDU is split off from the non-safety-related process data in a received IO-Link message, or the composition is carried out before sending.
In short: SMI is essential for IO-Link Safety. This is because the now detailed specifications for the FS-Master mean that safety assessments can be brought forward from the implementation level to the specification level and implementations become much simpler.
Development kit or technology provider?
The IO-Link community is in the fortunate position of not having to drive a joint development kit for IO-Link Safety. Among the member companies, there are so-called technology providers who already help in the design phase of a device and offer technology components (stacks).
The test cases in the test specification must be expanded as a result of the innovations. The two protocol state machines were already computer-simulated during the design phase with the aim of generating test patterns for an automated protocol tester. The test patterns are currently being optimized in order to avoid long test times.
Last but not least, SMI has been incorporated into version 1.1 of the IO-Link safety specification. This can be downloaded online. There have been no significant changes to the protocol itself. Concept assessments from test centers are available.
Author:
Wolfgang Stripf is head of the IO-Link Safety project.
You might also be interested in
Safety first
The development of cobots into a commodity product is closely linked to the issue of safety in robotics - a challenge that needs to be mastered efficiently.
read more...Locking with need for clarification - help with risk assessment
DIN EN ISO 1419 has already been available for five years. However, there are always uncertainties regarding the actual safety functions of a guard locking device, which the machine manufacturer must evaluate based on his risk assessment. Here is...
read more...Safe operation via radio - (how) does it work?
Many machine builders want to use tablets in addition to the existing machine operation. Demanded features such as WLAN, camera, multi-touch and much more are available here - but if safety functions are required, these devices reach their limits.
read more...Heavy-duty HRC requires new safety approaches
The topic of HRC is not just for 'lightweights'. In the field of heavy-duty robotics, solutions will also be in demand in the future that allow humans and robots to work together directly without the need for a safety fence. However, this requires...
read more...Secure hold in the slip ring
Transmitting safety-relevant data via slip rings is no trivial matter. Motion control experts from Kollmorgen have developed a TÜV-certified safety solution, including UL approval, together with slip ring manufacturer Stemmann-Technik.
read more...Validation neglected
EN ISO 13849 is decisive for the integration of safety-related control functions in machines. However, the part of the standard relating to validation is often neglected in practice - a major shortcoming.
read more...Dangerous movements well secured
How can dangerous movements be safeguarded? A challenge for the user, as there are a wide variety of functional and normative requirements. An overview.
read more...The intelligent safety switch
Safety modules and safety switches that communicate at I4.0 level simplify troubleshooting. However, the communication capability also has interesting potential for predictive maintenance and tamper protection.
read more...The vampire effect of quantification
There are always controversial discussions regarding the determination of risks for products and systems. But which approaches actually make sense in the context of safety and security? What approach does the new framework for safety and security -...
read more...