According to The Profibus Group, Profisafe is currently the global market leader with over 630,000 Profisafe nodes. Ten years ago, however, it was necessary to convince safety authorities, 25 renowned safety engineering companies, and users to accept the completely new technology.
Arguably, an idea has seldom achieved acceptance on the market so quickly as that behind safety-related communication via Profisafe. Ten years ago, users, manufacturers and testing laboratories could not imagine that safe communication over a fieldbus was possible. What was the situation at that time? Profibus, which is claimed to be the only fieldbus with an integrated solution for all areas of production and process automation, was already established and in widespread use. However, when it came to matters of safety, the prevailing opinion was that safety engineering required hard-wired relay technology, and few innovations were attempted. The great advantage of traditional safety engineering was its simplicity. Still, little by little, the disadvantages of this method for meeting the requirements of modern automation became evident. These included the costs for labour-intensive cabling, the low degree of flexibility and availability, and the significant effort required for restart after a stop due to the undefined stop positions of machines.
An inquiry from a large petrochemical company was destined to change the safety engineering world. Herbert Barthel, the Head of the PI (Profibus and Profinet International) Functional Safety Working Group, remembers: "We were asked whether it was conceivable that safety-related functions could be transmitted over a fieldbus." In the world of production and process automation, this had been unimaginable up to that point. So, the decisive push came from an industrial sector that no one had expected. Dr Wolfgang Stripf, who has overall responsibility for functional safety and data security within Technical Committee 3 of PI, states: "At the time there were proprietary solutions in rail engineering, but these could not be transferred without additional work." Unlike that industry, the two automation experts wanted an open technology that would be accepted by all manufacturers and users. At the same time, the safety institutions and testing laboratories would also have to be brought on board.
In September 1998, a roundtable of 25 safety companies was created. In this forum, the requirements of the individual manufacturers were not only discussed, but a possible concept for this type of communication was also put forward. In the ensuing months, a new PI working group worked intensely on the safe communication profile, which was named Profisafe. According to Dr Stripf, a key aspect for the subsequent success was that they were in close contact with the testing bodies at all times, so that approval by TUV and BGIA was ultimately no problem. The first version of the specification, including the positive concept evaluations by the testing bodies, was available for presentation at the next Hanover Fair in 1999.
The response was powerful, though not everyone could get used to the concept right away. However, sceptics were quickly convinced by the innovative idea of the Profisafe protocol, which functions without affecting the standard bus protocols. The safety-related data is transmitted together with the conventional data over a common bus cable. The transmission channel is regarded as a 'black channel', analogous to the familiar 'black box'. All conceivable errors in this channel are detected exclusively by the Profisafe protocol. The solution is therefore independent of the particular transmission channel - for example, copper cable, fibre-optic cable or radio.
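The black channel idea can be shown in a few lines. This is an added illustration, not code from PI or the Profisafe specification; the frame layout, field sizes, fault names and the `wrap`/`SafetyReceiver` names are assumptions made for the example and do not reproduce the real Profisafe message format. The safety layer trusts nothing about the channel and classifies every frame itself.

```python
import struct
import zlib

# Constructed layout (assumption): payload | address (2) | counter (1) | CRC32 (4)
TRAILER = struct.Struct(">HBI")

def wrap(payload: bytes, address: int, seq: int) -> bytes:
    """Sender side: append destination address, counter and CRC to the payload."""
    header = struct.pack(">HB", address, seq & 0xFF)
    return payload + header + struct.pack(">I", zlib.crc32(payload + header))

class SafetyReceiver:
    """Receiver side: every check is made above the (untrusted) transport."""

    def __init__(self, address: int, timeout_s: float):
        self.address = address
        self.timeout_s = timeout_s
        self.expected_seq = 0
        self.last_ok = None  # time of the last accepted frame

    def check(self, frame: bytes, now: float) -> str:
        """Return "ok" or a fault class; any fault means: go to the safe state."""
        if len(frame) < TRAILER.size:
            return "corrupt"
        payload, trailer = frame[:-TRAILER.size], frame[-TRAILER.size:]
        address, seq, crc = TRAILER.unpack(trailer)
        if zlib.crc32(payload + trailer[:3]) != crc:
            return "corrupt"      # bits changed somewhere in the channel
        if address != self.address:
            return "misrouted"    # intact frame delivered to the wrong node
        if self.last_ok is not None and now - self.last_ok > self.timeout_s:
            return "timeout"      # frame arrived too late
        if seq != self.expected_seq:
            return "sequence"     # repeated, lost or reordered frame
        self.expected_seq = (seq + 1) & 0xFF
        self.last_ok = now
        return "ok"

if __name__ == "__main__":
    rx = SafetyReceiver(address=0x0102, timeout_s=0.5)
    frame = wrap(b"\x01", 0x0102, 0)         # constructed sample frame
    print(rx.check(frame, now=0.0))          # first delivery
    print(rx.check(frame, now=0.1))          # same frame delivered again
```

Because the checks use only the bytes of the frame and the receiver's own clock, the same code works whether the frame travelled over copper, fibre or radio.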
The Profisafe protocol benefited from the simultaneous development of new safety standards based on actuarial methods and the introduction of SIL (safety integrity level) as a means for classifying the probability of dangerous equipment faults. This cleared the way for use of microprocessors, software, and communication. With Profisafe, therefore, proper functioning can be mathematically confirmed, even if more than two mutually independent faults or failures occur. Every imaginable function and load scenario was run through systematically for this.
Another milestone was set in 2005 with Profisafe for Profinet. "For some users, the notion that Profisafe also functions on Ethernet - and the fact that there are now an unlimited number of nodes in space - certainly took some getting used to," said Barthel in describing the reservations. But in this case as well, the black channel concept proved itself, according to the conclusions of the Profisafe experts. Barthel adds: "Admittedly, the additional risks made it necessary to expand the specification slightly and to define a second mode, i.e. the 'V2 mode'."
An essential ingredient for acceptance by users was the introduction of a certification system and the associated test environment. To ensure proper communication between different products of different manufacturers, the products must be tested for conformity to the Profisafe specification. Currently there are two test laboratories for this purpose, and others are in preparation. In addition, Profisafe requires safety-related examination of devices according to IEC 61508 by an independent testing institute. Recently, certification tests also became available for safety-related controllers with Profisafe (F-host). The prerequisite for an F-host test is a previously certified controller with Profibus and/or Profinet (basic test), in which the Profisafe protocol is integrated. The F-host test, which is accepted by TUV, is practically an automated test and only has to be performed once, provided nothing has changed in the Profisafe protocol driver program itself.
Modern field devices, such as laser scanners or light curtains, can now be developed as needed. In many applications, Profisafe creates new opportunities, such as drives with integrated safety. With Profisafe, drives can now assume safe states without switching off the motor ('Emergency Stop'). Previously, the Emergency Stop button acted to physically interrupt the power supply of the motor. Remote I/Os can now also contain safety-related modules, such as digital and analog inputs/outputs, power modules, or motor starters with integrated safety. These modules can be arranged in groups and deactivated in groups, as well.
For users, however, there is still another crucial point in favor of Profisafe. "Besides the demonstrated safety, Profisafe is adapted to the installed base (retrofit) and is also equipped for future requirements," stresses Dr Stripf. In addition, Profisafe is said to be easy to implement. Also, a change from Profibus to Profinet causes no problems due to the independent communication profile and the black channel principle. The identical Profisafe driver software can be used in both Profinet and Profibus devices.
Meanwhile, there are controllers from a variety of manufacturers and approximately 50 different device types for Profisafe. Users therefore have access to a wide selection of certified products. In addition, users benefit from the past 10 years of experience with Profisafe. Incidentally, this applies not only to production industries; Profisafe can be found in more than 4000 Profibus PA installations.
Thanks to its well thought-out, simple concept, Profisafe technology has been fully developed and accepted. In the future, PI will work to make the engineering process more convenient for users and to provide users with the necessary calculation results for planning purposes. Profisafe has meanwhile become an international standard with the publication of IEC 61784-3-3. Detailed system descriptions are available or in preparation in numerous languages. A special Profisafe web portal keeps users up to date. A significantly improved version of the Profisafe development kit is available on the market with Version 3.4. This should allow other interesting device families to be won over to direct connection, such as robots, encoders, gas and fire detectors, overfill safety systems, pressure transmitters, etc. This will be supplemented by the regularly scheduled three-day training courses for 'Profisafe Certified Designer', which are conducted jointly with the TUV.