Herbert Barthel, chairman of the ProfiSafe working group, and Wolfgang Stripf, chairman of the Profibus technical committee on application profiles, provide this update on progress
ProfiSafe, the safe transmission method using Profibus DP and its range of transmission technologies, such as RS 485 (main area: production), MBP-IS* (main area: process) and optical fibre, has passed the acid test in comprehensive applications up to SIL3, AK6 and Category 4.
So what has happened since the first publication of the Profibus specification V1.0 at the Hanover Trade Fair 1999? Which devices are now available/being developed? How is market acceptance of the new functions? What is the current situation with regard to global regulations and standards? What findings have been made concerning inspections and testing and certifications? Is ProfiSafe being further developed? This article will attempt to provide answers for these questions and many more.
Since the way in which the ProfiSafe method works has already been explained in many publications, this article will only touch on the main points.
ProfiSafe is based on the polling principle of Profibus between a master and its assigned slaves and encapsulates the safety measures in the communicating end stations, ie, the standard Profibus with its ASICs, cables, plugs etc is used exactly as before and is not itself safety-rated.
ProfiSafe uses four measures to safeguard against the errors that can occur during message transmission, such as incorrect addressing, loss, repetition, delay, etc: consecutive numbering of the ProfiSafe data; time monitoring (watchdog); authenticity monitoring by means of a codename (password) for each sender/receiver relationship; and an optimised CRC safeguard.
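To show how the four measures interact, the following Python block is an added example; it is not code from the ProfiSafe specification or from the driver described in this article. It models a simplified safety receiver: the PDU layout, the two-byte codenames, the 100 ms watchdog value and the CRC-16 polynomial are assumptions made for the example, and the real ProfiSafe frame format and CRC differ. The codename is deliberately not transmitted but folded into the CRC, so a telegram intended for another device fails the same check as a corrupted one.

```python
"""Simplified model of the four ProfiSafe safeguards (added example, not the real protocol)."""
from dataclasses import dataclass

CRC16_POLY = 0x1021  # assumption for the example: CRC-16/CCITT-FALSE, init 0xFFFF


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise, table-free CRC-16 (MSB first, no reflection, no final XOR)."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC16_POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


@dataclass
class SafetyPDU:
    payload: bytes
    seq: int   # consecutive number 1..255; 0 is reserved in this model
    crc: int   # CRC over payload + seq + codename (codename itself is never sent)


def build_pdu(payload: bytes, seq: int, codename: bytes) -> SafetyPDU:
    """Sender side: sign the telegram for one specific receiver."""
    return SafetyPDU(payload, seq, crc16(payload + bytes([seq]) + codename))


class SafetyReceiver:
    """Receiver side. Any rejected telegram latches the fail-safe state;
    the application must then use substitute (safe) values until reset()."""

    def __init__(self, codename: bytes, watchdog_ms: int) -> None:
        self.codename = codename
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 1
        self.last_ok_ms = None
        self.failsafe = False

    def _fail(self, reason: str) -> str:
        self.failsafe = True
        return reason

    def accept(self, pdu: SafetyPDU, now_ms: int) -> str:
        """Return 'ok' or the reason the telegram was rejected."""
        if self.failsafe:
            return "failsafe"
        # time monitoring: detects delay (and a stalled bus)
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._fail("timeout")
        # CRC with the receiver's own codename: detects corruption and misaddressing
        if crc16(pdu.payload + bytes([pdu.seq]) + self.codename) != pdu.crc:
            return self._fail("crc/authenticity")
        # consecutive number: detects loss, repetition and insertion
        if pdu.seq != self.expected_seq:
            return self._fail("sequence")
        self.last_ok_ms = now_ms
        self.expected_seq = self.expected_seq % 255 + 1  # 255 wraps to 1
        return "ok"

    def reset(self) -> None:
        self.__init__(self.codename, self.watchdog_ms)


def simulate() -> dict:
    """Constructed scenarios, one fresh receiver per fault so the cases stay independent."""
    own = b"\x00\x07"    # hypothetical codename of this F-device
    other = b"\x00\x09"  # hypothetical codename of a different F-device on the same bus
    results = {}

    rx = SafetyReceiver(own, watchdog_ms=100)  # 1. undisturbed transmission
    results["normal"] = [rx.accept(build_pdu(b"\x01", s, own), 10 * s) for s in (1, 2, 3)]

    rx = SafetyReceiver(own, 100)              # 2. telegram addressed to another device
    results["misaddressed"] = rx.accept(build_pdu(b"\x01", 1, other), 0)

    rx = SafetyReceiver(own, 100)              # 3. loss: seq 2 never arrives
    rx.accept(build_pdu(b"\x01", 1, own), 0)
    results["lost"] = rx.accept(build_pdu(b"\x01", 3, own), 10)

    rx = SafetyReceiver(own, 100)              # 4. repetition / replay of seq 1
    rx.accept(build_pdu(b"\x01", 1, own), 0)
    results["repeated"] = rx.accept(build_pdu(b"\x01", 1, own), 10)

    rx = SafetyReceiver(own, 100)              # 5. delay beyond the watchdog
    rx.accept(build_pdu(b"\x01", 1, own), 0)
    results["delayed"] = rx.accept(build_pdu(b"\x01", 2, own), 500)

    rx = SafetyReceiver(own, 100)              # 6. one corrupted payload bit
    pdu = build_pdu(b"\x01", 1, own)
    pdu.payload = b"\x03"
    results["corrupted"] = rx.accept(pdu, 0)

    results["after_fault"] = rx.accept(build_pdu(b"\x01", 1, own), 5)  # 7. latched
    return results


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case:>12}: {outcome}")
```

Note that the receiver checks the watchdog before the CRC: a telegram that arrives late is rejected even if it is otherwise perfect, which is the behaviour a safety function needs, since a stale "all clear" is as dangerous as a wrong one.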
Using Profibus both in production, with its short response times, and in hazardous areas of the process industry, with minimal power dissipation, demands a flexible implementation in field devices, which include laser scanners, light grids, drives, robots, shut-off valves, overfill protection devices, gas detectors, etc.
As most modern devices use microprocessors, it made sense to use software to implement the ProfiSafe method.
The operating conditions determine the choice of microprocessor with regard to high performance or low power loss.
ProfiSafe therefore adapts to its environment and only requires a few Kbytes of the memory that is already available anyway: this means there is no need for an additional power supply and no further space is required in the already crowded housing.
ProfiSafe becomes a component of the device-specific safety software.
As soon as the specification was completed, a group of companies began to jointly develop a generic ProfiSafe driver software for slaves. In this instance, 'generic' means that the driver is implemented in Ansi-C and according to coding guidelines for safety engineering for different microprocessors and C-compilers. It is primarily designed for two-channel use, but in certain circumstances can also be used in single-channel applications. The certification bodies issued so-called 'positive technical reports' for the specification and for the drivers some time ago.
For acceptance of the software on a specific hardware, there is now a TUV certificate (certificate of the German Technical Inspectorate) under the number Z2 01 12 20411 008.
Within the framework of a partnership contract, field device manufacturers can currently obtain a CD-ROM with driver sources, tools, and useful instructions on very favourable terms.
In the field of process engineering, safety applications require an approach that goes above and beyond functional safety.
For example, in some processes it is not always possible to monitor pressure and temperature independently of one another.
The high availability of sensor functions places high demands on design expertise and experience.
Thus, 'established operational reliability' (proven-in-use status) plays an extremely important role.
Until now, the relatively small number of safety functions in process plants (usually SIL2) was usually implemented using standard field devices and 4-20mA transmission technology.
Communication failures, such as a line breakage or short-circuit could be detected, the devices were operationally reliable and safety monitoring was carried out in the host system through analysis of different signals.
In the case of devices equipped with microprocessors, guidelines such as the Namur recommendation NE79 define the necessary prerequisites, such as watchdog timers, memory tests, etc.
So what is the situation when fieldbuses are used and what contribution can ProfiSafe make? A field device in accordance with NE79, connected to Profibus and with established operational reliability, is just as suitable for SIL2 applications as a 4-20mA device.
It would just be subject to the same communication error possibilities mentioned previously: incorrect addressing, loss, delay, etc.
However, this risk would be covered if a single-channel ProfiSafe driver were used.
In future, this solution means that, at very little extra cost, standard Profibus field devices with established operational reliability can be used for both standard and safety related operation.
This does not affect the implementation of certified products.
It is a subject of recurring discussion whether distributed safety engineering needs to be implemented over a separate safety bus besides the standard fieldbus.
This is no problem for Profibus and ProfiSafe, as they allow a one-cable solution with combined standard and safety control in one CPU, as well as separate cables and separate CPUs, using the same equipment in both cases.
Compared to a heterogeneous solution with two different bus systems, this homogeneous solution offers advantages by using the same technology and engineering tools with uniform operation.
Practical reports indicate increasing demand for a one-cable solution.
The arrival of integrated safe drives will show whether there is still room for a further bus cable alongside the standard bus and the power supply.
One system manufacturer offers the retro-fitting of safety software packages for some of its standard CPUs that meet the necessary requirements for fail-safe applications.
The safety software has a time-diversity design, runs in protected areas, and is uninfluenced by the standard user program.
The associated remote I/O field devices can be supplemented by special F modules.
The first CNC programmable controllers also allow connection of ProfiSafe field devices.
As an open solution, ProfiSafe will become more widespread when more system manufacturers enable connection to safety programmable controllers and support processing of ProfiSafe data.
As the majority of manufacturers still work with different hardware, the ProfiSafe working group within Profibus International has also looked into connection options with these systems.
For this purpose, the most common data types have been defined and rules laid down for their arrangement.
Using the GSD information of a field device, the ProfiSafe driver can now be installed in the safety CPU.
The corresponding expansions of the specification have produced version 1.11, which has been available to download on the Internet at the Profibus Web site since July 2001.
A UML modelling of the host component in 'Rhapsody in C' has been executed to enable C implementations.
As already mentioned, software plays a major role with ProfiSafe.
These developments have been accompanied by the new IEC 61508, which has recently been adopted as a European standard and, among other things, specifies the procedures for developing safety-related software.
A number of regulations and standards do not deal with the new solution possibilities and are therefore currently being revised or completely rewritten.
This includes IEC 61511, which deals with the special requirements of process safety on the basis of IEC 61508.
For safety-related machine programmable controllers with programmable electronics, EN 654-2 also refers to IEC 61508. IEC 62061, regarded as a standard for the machinery sector under IEC 61508, is also in development.
In the USA, the revised version of the NFPA79, expected to be published by the end of 2002, will also see the disappearance of existing restrictions regarding programmable electronics for emergency stop functions and the introduction of requirements similar to those in Europe for all safety functions.
Back to ProfiSafe.
Even in the early sessions of the working group in 1998 it became apparent that just the safe transmission of telegrams over the standard Profibus cable would not suffice for the related new solution possibilities.
How does a sensor manufacturer benefit, for example, if only the shut-down signals can be transmitted over the bus while, in the event of a fault, parameterisation, diagnostics and device exchange must be executed locally over a time-consuming PC connection and RS232 interface on the intelligent F field device? This has produced increased demand for system manufacturer support for fast device exchange and for integration of the field device's commissioning and diagnostics software into the engineering software of the system manufacturer, so that communication routes and project storage are shared.
This type of integration is essential in order to meet customer demand for higher production flexibility (eg, program-controlled parameterisation) and increased availability (predictive/faster diagnostics and preventative maintenance).
For this reason, the ProfiSafe specification already shows ways for a comprehensive integration of safe sensors and actuators in automation concepts.
In the course of its development, it has been further fine-tuned and expanded to a three-component model. This aims to make device manufacturers largely independent of the system manufacturers.
The three-component model is based on related Profibus activities, such as 'Communication Function Blocks in IEC61131-3' and 'FDT/DTM (Field Device Tool /Device Type Manager)'.
The following is a typical scenario: the parameterisation/diagnostics tool of a device manufacturer (DTM) has access to the F-slave (eg, laser scanner) over the FDT interface of the engineering station (ES) of a system manufacturer, independent of the implemented networks (routing function).
All the usual parameterisations and diagnostics can be executed and stored in the ES (step 1).
Optionally, using a proxy FB, the parameter set can be stored in the control system as instance data of that block.
Transmission is executed acyclically over the MS1 channel (step 2).
These means can also be used to implement Teach-in and program-controlled/automatic parameterisation for fast device exchange in the event of a fault.
As a rule, the proxy FB is supplied by the F-device manufacturer.
In the case of safety-related functions, parameter verification is required.
To do this, the DTM can read the parameters directly from the control system and compare with the parameters in the device (step 3).
In the case of diagnostics, it is also possible for the user to display/print out exact instructions on how to eliminate the fault.
Parallel to implementing this concept, the members of the working group are currently also working on the problem of EMC requirements for safety devices (F-field devices) on the fieldbus, which are not harmonised.
Different immunity requirements have been defined for devices that were previously operated independently, for example IEC 61496 for electrosensitive protective equipment (eg, light grids) and IEC 61131-2 for programmable controllers. Test principles that must be adhered to for bus operation are also beginning to emerge.
Also on the working group's agenda for the near future is the continuation of the specification for safe internode connection and safe ProfiNet communication.
However, the requirement for this is the market maturity of the underlying standard communication.
Notes * MBP-IS = 'Manchester Coded - Bus Powered and Intrinsically safe' supersedes the previous Profibus designation 'IEC 1158-2'.
Due to further development, the respective IEC standard now lists additional methods, so that a new unique designation was required.