Building a better sensor safety network
Actuator sensor interface (AS-i) is a 2-wire networking solution for discrete I/O, analog data, encoders, and intelligent sensors. When the first components were introduced, AS-i was quickly accepted as a fast and low-cost method of transmitting binary I/O data from the field to the PLC. With 31 I/O nodes, the system handled a total of 124 inputs and 124 outputs (4 I/O for each I/O node). Designed to be fast and deterministic, it takes each node only about 150 nanoseconds to update its I/O.
This translates into a worst-case system update time of approximately 5 msec. In addition to processing speed, the developing consortium also saw the need for a system with superior noise immunity and unparalleled ease of use. As a result, AS-i offers a topology-free structure and time-saving features, such as automatic single-node replacement and node insertion/removal under power.
Due to its success as an industrial networking solution, AS-i was quickly identified as an ideal candidate for the next paradigm shift in automation. Users were ready to apply AS-i to the “holy grail of hardwired applications.” In 2001, AS-i Safety at Work (SaW) was released in Europe, with the U.S. following in 2002. As before, a core requirement for SaW was to be compatible with all applications in the field, no matter how old.
Un-wiring safety devices
When the safety of operators (first and foremost) and machines (second) is involved, every conceivable effort must be taken to develop a solution that functions reliably under the most adverse conditions. While such a system must always err on the side of safety, no user can afford a system that is prone to frequent erroneous shutdowns. Consequently, a network approach to functional safety must be based on the most stable networking concept available. Since network stability is a prime benefit of AS-i, the choice is simple. In fact, AS-i is designed to detect 100% of all noise-based, single-bit errors (i.e., situations where noise alters exactly one bit in the data packet), 100% of all 2-bit errors, and 99.9999% of higher-order 3- and 4-bit errors.
Combined with a differential data signal and signal filtering, extensive simulation and field-testing have shown that the likelihood of a substation error is extremely low. In order to satisfy the strict requirements for safety systems, additional steps were taken.
AS-i Safety at Work utilizes a standard AS-i system, including an AS-i power supply and AS-i gateway or scanner (Fig. 1). Only two new components are needed to bring functional safety to any existing AS-i system, regardless of how old the installation is. These components are the safety nodes and the safety monitor.
Safety nodes are I/O nodes constructed to satisfy the strict rules set forth by safety regulations, and offer inputs for typical safety devices like e-stops, pressure mats, key switches, and door interlocks.
The safety monitor is a monitoring device that contains the output signal switching devices (OSSDs), replacing safety relays in traditional hard-wired installations. As the name “monitor” implies, it is only monitoring the safety nodes.
Understanding how a safety node interacts with the safety monitor requires one additional concept: the dynamic safety code.
The dynamic safety code
Since SaW, like any safety system, transmits data over an inherently unsafe medium (it is quite simple to cut a wire), additional steps must be taken to guarantee that safety data from e-stops, light curtains, key switches, and other safety-rated input devices will result in reliable and fast opening of the OSSDs.
Each AS-i node, irrespective of what kind of node one is talking about, receives 4 bits of output data from the gateway/scanner and replies with 4 bits of input data (Fig. 2). Standard nodes (i.e., nonsafe nodes) transmit 4 bits representing the states of 4 connected sensors. As long as the states of the sensors do not change, the data from such a node is “static” over time.
Safety nodes do not transmit “e-stop pushed,” but rather “e-stop not pushed.” This seems like a trivial difference, but is quite important for SaW. As long as a safety input connected to the safety node has not been activated, it transmits a unique safety code sequence. It is this dynamic code sequence that can now be evaluated. The safety monitor performs this evaluation.
As long as safe inputs on the safety nodes are not activated, the safety code sequence is transmitted. The safety monitor compares the received code sequence with an expected sequence. As long as no difference exists, the OSSDs remain closed. As soon as a difference is detected, the safety monitor goes into the safe state, opening the OSSDs.
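The comparison performed by the safety monitor can be modelled in a few lines. This is an added example, not code from the article or from any AS-i product. The 8-value code sequence, the node addresses 5 and 7, and the all-zero reply for an activated input are assumptions made for illustration, and the monitor is modelled as staying in the safe state once it has opened the OSSDs.

```python
from itertools import cycle, islice

# Constructed 4-bit code sequence for a hypothetical safety node at address 5.
CODE_NODE_5 = [0x3, 0xA, 0x6, 0xD, 0x9, 0x5, 0xE, 0xB]

class SafetyMonitor:
    """Listens to the replies on the wire and compares them with expected codes."""

    def __init__(self, expected):
        self.expected = expected                  # {address: code sequence} from the configuration
        self.pos = {addr: 0 for addr in expected}
        self.ossd_closed = True

    def on_cycle(self, replies):
        """replies: {address: 4-bit input data}; an absent address means no reply."""
        for addr, seq in self.expected.items():   # nodes not in the configuration are disregarded
            if replies.get(addr) != seq[self.pos[addr]]:
                self.ossd_closed = False          # any difference: go to the safe state
            self.pos[addr] = (self.pos[addr] + 1) % len(seq)
        return self.ossd_closed

def healthy(n):
    """Replies of node 5 while its safe input is not activated."""
    return list(islice(cycle(CODE_NODE_5), n))

def simulate(node5_replies, node7_replies):
    """Run one monitor over per-cycle replies; node 7 is a standard (nonsafe) node."""
    monitor = SafetyMonitor({5: CODE_NODE_5})
    states = []
    for r5, r7 in zip(node5_replies, node7_replies):
        replies = {7: r7}
        if r5 is not None:                        # None models a cut wire or silent node
            replies[5] = r5
        states.append(monitor.on_cycle(replies))
    return states

if __name__ == "__main__":
    static = [0b0101] * 10
    estop = healthy(3) + [0x0] * 7                # assumed reply once the e-stop is pushed
    print("healthy :", simulate(healthy(10), static))
    print("e-stop  :", simulate(estop, static))
    print("frozen  :", simulate([0x3] * 10, static))
    print("no reply:", simulate([None] * 3, static))
```

The "frozen" case is the reason the code is dynamic: a reply that is valid once but never changes is caught on the next cycle, which a static "not pushed" bit could not offer.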
Compatibility is a reality
As in the past, every modification of AS-i was required to be fully forward and backward compatible. This is still the case with SaW. Note that the transmission of safe data between a safety node and a safety monitor is strictly one-way. The monitor evaluates the safety codes transmitted by safety nodes. The network scanner is not even considered when it comes to safety. With regard to SaW, the scanner only facilitates the flow of safety codes. Incidentally, the scanner does not even “know” that a safety node is sending special data.
Similarly, from the point of view of a safety node, the existence of the safety monitor is irrelevant. The job of the safety node is to evaluate its inputs and send safety codes. It makes no difference if a safety monitor evaluates those safety codes. Similar arguments can be made for the safety monitor. Its job is to evaluate the data for those nodes that are identified as safety nodes in the configuration. If a node is not identified in the configuration as being safe, the safety monitor disregards it.
Putting all this together, it becomes apparent that SaW is 100% compatible with any existing AS-i installation, irrespective of how old, how new, or the kind of nodes being used.
Installation is simplified since only the safety monitor needs to be configured. Safety nodes are simply added to the network where needed. The AS-i scanner (by default) requires no safety-related configuration. Using SaW is a process that is easily learned. Once the hardware has been added to the AS-i network, the intuitive and powerful ASiMON interface is used to specify the configuration and logic operation of the system.
With ASiMON, a user who has only marginal exposure to SaW can configure the safety monitor within minutes. All that is necessary is to define which safety nodes are monitored, how the OSSDs are turned off (i.e., stop category 0 or stop category 1), and how the OSSDs are closed again once the e-stop has been released or the light curtain has been cleared. The configuration is then downloaded to the monitor. After an electronic sign-off step, the system can be activated. Naturally, a configuration can be simple (e.g., any configured e-stop will immediately open the OSSD), or advanced (timing functions, logic operations, external trigger functions, and startup tests).
In addition to defining the configuration, ASiMON also offers a powerful diagnostics tool. Since every operation of the safety monitor is represented by a graphical “function block,” the status of each function block is again displayed on the diagnostics screen. Color indications are used to show if the OSSDs are open or closed, if the safety nodes are transmitting safety codes, or if the external triggers are expected.
Once the safety system has been fully configured, a log file can be uploaded from the safety monitor and printed. This log file contains the parameters used for the configuration and allows a user to identify what is done, when it was done, and how it was done.
Ultimately, users are not interested in great technical detail, but rather the benefits they can derive from those implementation solutions. In the case of AS-i Safety at Work, the list of advantages over conventional hard-wire and other bus-based solutions is significant. SaW allows users to:
Quickly configure a safety system, offering the same benefits as standard AS-i installations
Further reduce the total number of wires needed for any given installation.
Monitor both the state of any safety input and the state of the OSSDs
Install safety input devices and OSSDs anywhere along the network, and modify the setup anytime during the project
Print the safety log created by ASiMON, thus reducing the time necessary to create system documentation, while at the same time reducing possible documentation errors
Use a powerful visualization tool to check the behavior of the safety hardware
Add safety nodes wherever needed, even during the final phases of the project
Add OSSDs anytime, anywhere.
Since the first SaW products were released a few years ago, manufacturers have developed a selection of safety nodes as well as safety devices with integrated safety functionality. In the near future, users can expect more field-mountable safety nodes with additional functionality, enclosure-mounted modules that also offer nonsafe outputs, safety nodes for light curtains, and a growing number of integrated solutions like door interlocks. Once users have experienced the flexibility, simplicity, and benefits of AS-i Safety at Work, it has the potential of becoming the premier safety network of choice.
The author is available to answer questions. Helge Hornis can be reached at (330) 486-0148. Article edited by James Silvestri, Managing Editor, 630-288-8777, email@example.com.
AS-i Safety at Work benefits
Approved for Category 4 and SIL 3 safety
No safety PLC needed
Up to 31 safety nodes per AS-i network
Compatible with existing AS-i installations, old or new
Add safety nodes anywhere, anytime; configuration update takes only minutes
Monitor state (activated/not activated) of any safe input without wiring auxiliary contacts
Field and enclosure mountable safe inputs
Safe inputs and normal outputs on one safety node
Easy configuration with MS-Windows drag-and-drop tool
Supports graphical configuration monitoring
Place safety monitor wherever convenient
OSSDs can be read via AS-i
Automatic single-node replacement