The subject matter disclosed herein relates to industrial “safety controllers” used for real-time control of industrial processes and appropriate for use in devices and systems intended to protect human life and health, and in particular to “safety I/O modules,” a component of a safety system.
“Safety controllers” are special purpose computers used to ensure the safety of humans working in the environment of an industrial process. Under the direction of a stored safety control program, a safety controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the industrial process. The inputs and outputs may be binary, i.e., on or off, or analog, i.e., providing a value within a continuous range. The inputs may be obtained from light curtains or other sensors attached to industrial process equipment and the outputs may be signals to power control relays, actuators or motors on the equipment.
“Safety I/O modules” are a form of distributed inputs and outputs (“I/O”) and are connected to and monitored by safety controllers. One benefit of using remote I/O includes the ability to place I/O where the devices reside. This greatly improves the ability to maintain and troubleshoot the I/O and devices. Further, installation time and wiring costs are greatly reduced. Safety I/O modules in particular provide additional benefits such as the ability to monitor the I/O safety reaction time, discussed in greater detail below also known as the CIP (Common Industrial Protocol) safety protocol extensions. If a safety I/O module is processing an input or output, it provides a safety reaction time which must meet industry requirements.
“Safety systems” are systems that incorporate safety controllers along with the electronics associated with emergency-stop buttons, interlock switches, light curtains and other machine lockouts to provide a safer working environment.
A critical component that factors into the design of a safety system is the “safety reaction time.” The safety reaction time, also known as the “safety response time,” is defined as the amount of time from a safety-related event as input to the safety system until the system is in the safe state. In other words, it is the time from electrical recognition of a safety demand such as an e-stop button depressed or light curtain traversed, until all the system's actuators operation to a safe state. The safe state is different for each system and can range from a stopped motor, a closed valve or a de-energized electrical component.
In designing safety systems, it is desirable to have a fast safety reaction time to permit the placement of safety components such as light curtains as close to machinery as possible. The safety reaction time of a safety system directly affects how close a component, e.g., a light curtain, can be placed to a piece of machinery, e.g., a press. In a properly designed safety system, the time it takes for an operator's hand to pass through a light curtain and come into contact with an unsafe machine component is greater than the time required for the safety controller to receive the light curtain input signal, process it and direct the machinery into a safe mode. Therefore, the faster the safety reaction time, the closer light curtains and similar safety devices can be mounted to the machinery. This is particularly beneficial when installation space is limited or if the machine operation includes frequent operator interventions such as inserting and removing workpieces.
The safety reaction time of an industrial system depends on the rate of data transmission between the components as well as the processing time of the safety controller. The safety reaction time is the sum of: the sensor reaction time, input reaction time, safety task reaction time, output reaction time and actuator reaction time. Each of these times is variably dependent on factors such as the type of I/O module and logic instructions within a specific safety program. The safety task reaction time of a controller is the worst-case delay from any input change presented to the controller until the processed output is set by the output producer. Each safety device implements a safety watchdog timer to limit the safety task reaction time to a maximum permissible time. If the safety task reaction time exceeds the safety watchdog timer, the safety device will fault and the outputs will automatically transition to a safe state.
In conjunction with the importance of having a fast safety reaction time, it is equally, if not more so, important that a safety system have a repeatable and reliable safety reaction time. Repeatability and reliability are critical because the various guard components of a safety system are installed at distances calculated using the safety reaction time. It would be unacceptable to place a light curtain at a certain calculated “safe” distance from a machine, only to have the safety reaction time drift higher after the installation. If that were to happen, it would be possible that an operator could come into contact with harmful machinery before it had fully entered its safe state.
To this extent, industry standards exist to ensure the proper operation, and therefore an accurate safety reaction time, of a safety device. For example, the International Electrotechnical Commission (IEC) developed standard 61508, entitled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. IEC 61508 specifies 4 safety integrity levels (SILs) of safety performance for a safety function. Safety systems with a SIL of 2 (SIL 2) and 3 (SIL 3) generally require redundancy for sensors, final control elements and control system processors.
SIL 3-compliant safety devices typically have dual central processing units, also known as processors or CPUs, running independent safety functions. The safety functions have some shared commonality but also perform different tasks. The CPUs rely on standard watchdog timers, as are well known in the art, to verify that their clock sources are delivering a consistently steady clock pulse. Verification of the clock sources is needed to verify that the safety devices are providing the correct safety reaction times. However, watchdog timers are based on the frequency driving the CPU and therefore are only as accurate as the underlying clock source. Typically, a quartz-based oscillator is used to generate the clock pulses, i.e., the frequency, that drive a CPU, among other things. Under normal operating conditions, these oscillators are extremely reliable and durable. However, in an industrial environment, the crystals can get hot, jostled or contaminated causing them to drift and become unreliable.
If an oscillator clock source were to drift slower than the rated speed, the CPU driven by it would also run slower. For example, if a normally-rated 3.0 GHz CPU had a slightly slower clock source, it might instead run at 2.99999 GHz. If the system clock is tracking time by counting clock pulses, after 3.0×109 pulses, the actual elapsed time would be slightly longer than one second but the system clock would indicate that exactly one second has elapsed. Without an independent clock source to verify that 3.0×109 pulses took exactly one second, the CPU would have no way to know that it was operating slower or faster than normal. One potential real-life result of this could be a situation where a safety reaction time was designed and advertised to be 6.0 ms but in actuality ends up being closer to 6.1 ms. A watchdog function controlled by an independent clock source could detect the clock source speed drift and the safety system could respond accordingly. Although these numbers may appear to be minute timing differences, the SIL requirements for safety devices and safety systems are very demanding.
Therefore it is necessary that each CPU in a dual-CPU safety device have an independent clock source to verify that its own single clock source is operating within specified parameters. Traditional safety devices have multiple independent clock sources and therefore can use one of those clock sources when running a diagnostic to verify the accuracy of the primary clock source. In an attempt to make safety devices, such as safety I/O modules, smaller, each CPU may have only one clock source. However, there is no way for the device to verify the accuracy of each clock source without an external, independent clock source. This can be a problem with lesser expensive single clock source CPUs.
In a dual-CPU safety device having single clock source CPUs, one possible solution to the lack of independently verifying clock sources would be to use the clock source of the partner CPU to cross-check and verify the accuracy of the clock source of the primary CPU. However, this solution provides no way to ensure that the clock source of the partner, i.e., verifying, CPU is accurate. If the verifying CPU's clock source has drifted, it will not provide proper verification of the accuracy of the primary CPU's clock source. In other words, in the absence of a cross check, an inaccurate clock source in the partner CPU could be used to check the clock source of the primary CPU as well as verify that its own safety critical functions were completed within the rated safety reaction time.
U.S. Pat. No. 7,617,412, issued Nov. 10, 2009, by Shelvik et al., and entitled “SAFETY TIMER CROSSCHECK DIAGNOSTIC IN A DUAL-CPU SAFETY SYSTEM”, discloses a dual-CPU safety device that validates the accuracy of the clock source for each CPU. Through a diagnostic, the first CPU verifies the accuracy of the clock source of a second CPU and then the second CPU verifies the clock source of the first CPU. If it is determined that either CPU has a faulty clock source, the safety device faults and the controlled process enters a safe state.
If the elapsed time is within the range, the first and second processors swap roles wherein the first processor monitors the accuracy of the clock source of the second processor. After one cycle of the second safety loop, i.e., after the safety reaction time has elapsed as calculated by the clock source of the second processor, the second processor verifies its safety critical functions have been completed. If not, the second processor faults. If they have been completed, the second processor sends a rendezvous signal to the first processor which then determines if the safety reaction time, as determined by the second processor using its clock source, is within a pre-set range. The two processors continue swapping roles while the diagnostic is running.