Functional safety is a property of a machine or system that guarantees that it does not pose an unacceptable risk to human health during operation. Dangers can arise, for example, at direct physical human-machine interfaces due to unforeseeable or undetected technical faults in the machine. Organizational and technical measures of functional safety are designed to avoid systematic errors during development and to detect and control random errors (e.g. due to hardware failures) during operation at an early stage. This article describes the challenges related to industry 4.0 and the resulting opportunities for functional safety, based on the principles of functional safety and its design principles.
Fundamentals of functional safety
A risk assessment must be carried out for each machine and system at the time of design. Important factors in this assessment are the limits of the machine, the frequency of occurrence of a hazard and the severity of a possible injury. All stages of the machine life-cycle must be recorded and assessed. If the determined risk is higher than permitted despite specific design measures, the machine manufacturer must implement further technical measures. These are referred to as functional safety measures. The functional safety requirements are harmonized in technical standards (see IEC 61508, EN 13849, EN 62061 or EN 61511). These standards give the developers a choice between various error detection and control measures, and describe their effectiveness in achieving the required maximum residual risk. Depending on the standard used, the value for the accepted residual risk is referred to as the Safety Level (Safety Integrity Level, SIL) or Performance Level.
Furthermore, the standards also describe the necessary measures to avoid systematic errors during development. These also differ in their degree depending on the safety level to be achieved.
The simple and structured design (architecture, system, module) and the corresponding verification and validation procedures accompanying the development play a major role here. The safety-relevant requirements and their correct implementation must be tracked throughout the entire development process. Every safety-related requirement must be implemented, but no function may be implemented without a corresponding requirement. This is the principle of forward and backward traceability of safety requirements. Once a machine or system has been implemented within its specified limits and parameters and the effectiveness of all safety-related requirements has been validated, the machine may be operated in its intended applications.
In contrast to the error-avoiding measures during development, the error-detecting and error-controlling technical measures are mainly effective in the operating phase of a machine or system. Hardware failures caused by component aging or environmental influences, sporadic communication errors between sub-modules of a machine or other random errors in components must be reliably detected and controlled. This error detection must also take place within a time frame that ensures that a dangerous state is not reached at any time. This means that the machine must be transferred to the so-called safe state before a danger to humans is created. All hardware components (e.g. CPU, memory) of systems with continuous safety requirements must therefore be cyclically diagnosed and tested. This places high additional demands on resources.
In systems with a high safety integrity level, a hardware fault tolerance of at least 1 is also mandatory. This means that the hardware architecture provides for 2-channel capability in the safety-relevant parts. By mutually monitoring the intermediate and final results of their process values, the two independent and possibly diverse channels ensure a very high level of error detection and the certainty that at no time is an incorrect calculation result transferred to the output periphery. In safe control systems with integrated safe communication systems such as PROFIsafe, incorrect data must not be packed into a safety telegram. If this were to happen, the error could no longer be diagnosed by the receiver. This is known as the “pistol shot” principle.
A very good technical error-detecting measure is logical and temporal program flow monitoring. Here an independent intelligent diagnostic unit checks that previously defined program points are passed in the correct logical sequence. If these points are also passed within their correct time windows, the diagnostic unit can approve the output of the calculation results.
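The following C code is an added example of such a diagnostic unit and is not code from the original article or from any product it describes: the program point IDs, the four-step cycle and its time windows are constructed for illustration. The monitored program reports each point as it reaches it, and outputs are approved only when all points were passed in order and on time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Program points of one safety cycle, in the order they must be passed (constructed example). */
enum { CP_READ_INPUTS = 1, CP_COMPUTE = 2, CP_CROSSCHECK = 3, CP_WRITE_OUTPUTS = 4 };
#define CP_COUNT 4
static const uint8_t  expected_seq[CP_COUNT]  = { CP_READ_INPUTS, CP_COMPUTE, CP_CROSSCHECK, CP_WRITE_OUTPUTS };
/* Time window (ms after cycle start) within which each program point must be reached. */
static const uint32_t window_min_ms[CP_COUNT] = { 0, 1, 2, 3 };
static const uint32_t window_max_ms[CP_COUNT] = { 2, 6, 8, 10 };

typedef struct {
    size_t   next;        /* index of the program point expected next */
    uint32_t cycle_start; /* timestamp at which the current cycle began */
    bool     faulted;     /* latched: once set, output approval is withheld */
} flow_monitor_t;

void fm_start_cycle(flow_monitor_t *m, uint32_t now_ms) {
    m->next = 0;
    m->cycle_start = now_ms;
}

/* Called by the monitored program at each point. Latches a fault on a missing, repeated,
 * out-of-order, too early or too late program point. */
bool fm_checkpoint(flow_monitor_t *m, uint8_t id, uint32_t now_ms) {
    if (m->faulted) return false;
    if (m->next >= CP_COUNT || expected_seq[m->next] != id) { m->faulted = true; return false; }
    uint32_t dt = now_ms - m->cycle_start;
    if (dt < window_min_ms[m->next] || dt > window_max_ms[m->next]) { m->faulted = true; return false; }
    m->next++;
    return true;
}

/* Output approval by the diagnostic unit: only when every point was passed in order and on time. */
bool fm_approve_outputs(const flow_monitor_t *m) {
    return !m->faulted && m->next == CP_COUNT;
}

/* Replay a constructed trace of (program point, timestamp) pairs through a fresh monitor. */
bool fm_run_trace(uint32_t start_ms, const uint8_t *ids, const uint32_t *times, size_t n) {
    flow_monitor_t m = { 0, 0, false };
    fm_start_cycle(&m, start_ms);
    for (size_t i = 0; i < n; i++)
        if (!fm_checkpoint(&m, ids[i], times[i])) return false;
    return fm_approve_outputs(&m);
}
```

A real diagnostic unit would run on a separate channel or timer so that a hang of the monitored program itself is also caught.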
Modularization (safe processing, safe communication)
An important design feature of functionally safe systems is modularization into simple logical subfunctions. Examples of this are the safe reading of process values, safe communication (where necessary via a safe communication network) to a safe controller, or the safe execution of programmed safety functions. This modularization into partial safety functions, including the necessary interface description, makes it easier and safer to implement extensions and changes to an overall system. Furthermore, the underlying error models in communication networks differ significantly from those of electromechanical structures, and the error detection mechanisms are adapted accordingly.
New challenges related to industry 4.0
The topic “The fourth industrial revolution” is omnipresent and, technically speaking, means above all the complete digitalization and networking of all things involved in the value chain. It also leads to a fusion of OT and IT. These new technologies promise opportunities, but from the point of view of functional safety they also hold risks. It is therefore all the more important that the basic principles of functional safety do not change. The primary objective remains the minimization of the risk of a machine and system (however smart) to a level of acceptable risk. So what are the new challenges that arise from the flexibility of modular machines and systems and the increased networkability of safety-relevant components with regard to functional safety?
The first step in a directive-compliant approach to the safe design of a machine is to define its limits. At first glance, this appears to be in stark contrast to the flexible, intelligent, self-configuring, adaptive modular machine in the context of industry 4.0. The fact that interfaces between cooperating machine parts must also be standardized with regard to their safety-relevant data and parameters is beyond question, but it is also only part of the answer. Even if configurations and their dynamic changes are known in advance and can therefore be planned, the start-up and shut-down processes of machine modules must be monitored in terms of safety so that, for example, the required safety-relevant characteristic values of the entire plant are ensured at all times.
This monitoring and supervision are fully automatic and therefore do not require any additional organizational measures or complex configuration tasks from the operator. In order for these mechanisms to be automated, industry 4.0-compliant safety components must be able to dynamically read out their safety-relevant parameters. Similarly, the certification process for a modular machine, whose “foreseeable use” takes on a completely different meaning from the point of view of self-adapting machine parts, must be considerably simplified. This is where the testing and certification institutes face new requirements. Solutions are currently being developed in joint projects with other manufacturers and the TÜV.
Secure global networking
Increasing worldwide communication between devices brings new, as yet unconsidered error models in safe communication into play. Most of the safe communication protocols internationally standardized today in IEC 61784-3-3 are based on the so-called black channel principle. Transmission errors, e.g. within non-safe IP telegrams or infrastructure components, are detected by error-detecting measures in the safe communication end points with a sufficiently low residual error probability.
According to IEC, the Black Channel principle requires the exact definition of the standard infrastructure used, transmission media and their assumed error rates within closed limits. Based on this, the error-detecting measures were specified after analysis of the respective specific standard communication protocol. The variance of the partly control-dependent, different standard network protocols is now reflected in a multitude of different safety protocols. In the future, safe communication between machines from different control manufacturers will be made possible by standardizing the OPC UA client-server or pub/sub mechanisms and the OPC UA safety protocol based on them. By supporting a globally unique addressing model and the flexibility and dynamics of communication relationships, this new safety protocol is future-proof and a prerequisite for the industry 4.0 suitability of a smart machine. All current solution approaches in the field of Functional Safety and industry 4.0 are tested for the effectiveness of the error detection measures by the responsible certification authorities, implemented in the development offices with regard to effective technical feasibility, but above all evaluated by the customers with regard to ease of operation and handling.
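The following C code is an added example, not code from the article or from PROFIsafe or OPC UA Safety, of what the error-detecting measures in a black channel end point look like in practice, and it also illustrates the "pistol shot" point made earlier: the safe end points, not the network, seal and check the telegram. The telegram layout, the CRC choice and the watchdog value are constructed for illustration; the receiver rejects corrupted, repeated, lost, out-of-order or delayed telegrams and then substitutes safe values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed safety telegram for illustration: not the PROFIsafe or OPC UA Safety layout. */
typedef struct {
    uint8_t  data[4]; /* safe process values carried over the non-safe ("black") channel */
    uint8_t  seq;     /* consecutive number (sign of life), expected to increase by one per telegram */
    uint16_t crc;     /* checksum over data and seq, computed by the safe end point, not the network */
} safety_pdu_t;
typedef struct {
    uint8_t  expected_seq; /* next consecutive number the receiver will accept */
    uint32_t last_ok_ms;   /* arrival time of the last accepted telegram */
    uint32_t watchdog_ms;  /* maximum tolerated gap between accepted telegrams */
    bool     safe_state;   /* latched once any check fails; outputs then carry substitute values */
} safety_rx_t;
/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bitwise for clarity. */
static uint16_t crc16(const uint8_t *buf, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)buf[i] << 8;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}
/* Checksum covers data and seq only, so padding bytes of the struct never enter the CRC. */
static uint16_t pdu_crc(const safety_pdu_t *p) {
    uint8_t buf[sizeof p->data + 1];
    memcpy(buf, p->data, sizeof p->data);
    buf[sizeof p->data] = p->seq;
    return crc16(buf, sizeof buf);
}
/* Sender side: seal the telegram before handing it to the black channel. */
void pdu_seal(safety_pdu_t *p) { p->crc = pdu_crc(p); }
/* Receiver side: accept the telegram only if it is uncorrupted, in sequence and on time.
 * On any failure the receiver latches the safe state and outputs substitute (all-zero) values. */
bool rx_accept(safety_rx_t *rx, const safety_pdu_t *p, uint32_t now_ms, uint8_t out[4]) {
    bool ok = !rx->safe_state;
    if (ok && pdu_crc(p) != p->crc) ok = false;                       /* corruption */
    if (ok && p->seq != rx->expected_seq) ok = false;                 /* loss, repetition, insertion, wrong order */
    if (ok && now_ms - rx->last_ok_ms > rx->watchdog_ms) ok = false;  /* unacceptable delay */
    if (!ok) { rx->safe_state = true; memset(out, 0, 4); return false; }
    memcpy(out, p->data, 4);
    rx->expected_seq = (uint8_t)(p->seq + 1);
    rx->last_ok_ms = now_ms;
    return true;
}
```

Real safety protocols additionally bind the telegram to sender and receiver addresses so that a telegram misrouted between devices is rejected as well.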
Opportunities of PLCnext Technology and Safety
PLCnext Technology provides users above all with scalable openness in the selection and implementation of control tasks regarding programming languages and network connection. In addition, it opens undreamt-of possibilities for the integration of tasks that in the past were typically the responsibility of the IT world. Security issues are already considered in the design principles right from the start. The integration of a scalable, functionally safe hardware and firmware platform as a safety controller opens new opportunities in the implementation of applications in machine and plant automation. The degrees of freedom regarding the use of high-level languages are also transferred to the programming of the safe application. The reloadability of functionally safe code creates new technical possibilities as well as new (service) business models in combination with the PLCnext Store. In the future, algorithms of artificial intelligence could also guarantee functional safety under changing risks at optimal cost while increasing the availability of smart machines and systems. And a safe PLCnext Control has the technological potential to become a significant building block on the path of merging IT and OT as well as safety and security.