Advanced electronic safety technology offers a wide range of benefits in terms of flexibility, handling, diagnostics, and, of course, wiring effort. However, genuine added value only comes from an integrated system offering optimum synergy between standard automation and safety technology. TwinSAFE – the safety solution from Beckhoff – integrates safety functionalities into the existing control architecture.
Conventionally, automation and safety technology are often implemented separately. TwinSAFE from Beckhoff provides a consistent hardware and software technology for achieving integrated and simplified handling, ranging from safe input and output terminals and safe miniature controllers for the Bus Terminal system to the AX5000 Servo Drives. On the software side, the TwinSAFE technology is fully integrated with the TwinCAT automation software, enabling convenient configuration of safety functionality. Together with the Beckhoff TwinSAFE/FSoE protocol, holistic and very flexible integrated solutions according to SIL3 can be implemented.
Open control technology for safety integration: The TwinSAFE protocol enables transfer of safety-relevant data via any medium.
The I/O construction kit is extended safely
With the TwinSAFE system, Beckhoff offers the option of simply expanding the IP 20 I/O systems and of transferring the complete cabling for the safety circuit into the already existing fieldbus network. TwinSAFE is available for Bus Terminals (K-bus) as well as EtherCAT Terminals (E-bus). Safe signals can be mixed with standard signals without restriction. This saves design effort, installation work and material. Maintenance is simplified significantly through faster diagnosis and the simple replacement of only a few components. The TwinSAFE Terminals cover only three basic functionalities: digital inputs (KL1904 and EL1904), digital outputs (KL2904, EL2902 and EL2904), and logic (the KL6904 Logic Terminal and the EL6900 TwinSAFE PLC). For a large number of applications, all sensors and actuators can be wired to these terminals. The required logical linking of the inputs and outputs is handled by the KL6904 TwinSAFE controller or the EL6900 TwinSAFE PLC. For small configurations, the tasks of a fail-safe PLC can thus be handled within the Bus Terminal system.
Figure: TwinSAFE architecture variants: mixed safety and standard network; stand-alone safety PLC; separate safety network.
TwinSAFE architecture
The TwinSAFE concept enables a wide range of safety tasks to be realised. Structures with mixed standard and safety-relevant signals are possible. Configuration of separate networks is also possible. Alternatively, the TwinSAFE system can be operated as a stand-alone solution or as a decentralised pre-processing system with safe communication to a higher-level safety controller. The KL6904 TwinSAFE Logic Terminals or EL6900 TwinSAFE PLCs are networked via the TwinCAT System Manager. Safety-relevant networking of machines can thus be realised simply and cost-effectively via bus systems or existing Ethernet connections. The TwinSAFE system facilitates encapsulation and decoupling of individual production or manufacturing cells. System extensions or changeovers can be implemented quickly and without wiring effort.
System-wide communication of safety-relevant signals via the KL6904 Logic Terminals. TwinCAT deals with data routing and establishes the communication connection between machines or controllers.
TwinSAFE Bus Terminals
The TwinSAFE Bus Terminals enable connection of all common safety sensors and actuators. They are operated with the TwinSAFE Logic. The TwinSAFE/FSoE protocol (Fail Safe over EtherCAT) is used for fail-safe communication. The TwinSAFE Logic Bus Terminal or the TwinSAFE PLC EL6900 is the link unit between the TwinSAFE input and output terminals. It enables the configuration of a simple, flexible and cost-effective decentralised safety control system, so there are no safety requirements for the higher-level control. The typical safety functions required for the automation of machines, such as emergency stop, safety door, etc., are already permanently included in the respective logic. The user configures the terminal according to the safety requirements of the application.
Safe system networking
A further significant system benefit is that inter-system communication can be realised with little effort. In most systems consisting of several individual machines, transferring safety-relevant signals between different sections is a problem. System communication is generally based on standard signals; in the Beckhoff system, this same communication path is shared for safety-relevant data. This is made possible by the KL6904 Logic Terminal or the EL6900 TwinSAFE PLC, which can communicate not only with safe inputs and outputs, but also with other safety and logic units.
Networking of individual TwinSAFE Logic Terminals or TwinSAFE PLCs enables simple and cost-effective safety-relevant networking of machines via bus systems. The TwinSAFE system facilitates encapsulation and decoupling of individual production or manufacturing cells. System extensions or changeovers can be implemented quickly and without wiring effort. All fieldbus systems, including real-time Ethernet and EtherCAT, are suitable for this type of machine-to-machine (M2M) communication. Communication is monitored locally: each logic and I/O terminal provides its own mechanisms for monitoring the communication it takes part in. As the central unit, TwinCAT deals with data routing and provides an “envelope” for the communication connection between two machines or two controllers; the system transfers the safety-relevant data within this “envelope”.
The TwinSAFE protocol
The TwinSAFE protocol developed by Beckhoff is an open technology in the EtherCAT Technology Group (ETG) under the name FSoE (Fail Safe over EtherCAT). It enables safety-relevant data to be transferred via any medium (“genuine black channel”), since the transfer medium does not contribute to the safety of the system. Fieldbus systems such as PROFIBUS or CANopen, or Ethernet systems such as EtherCAT, can be used in conjunction with TwinSAFE, and all of these systems can be mixed without restriction. Since advanced automation communication networks (whether a fieldbus or an Ethernet connection) invariably also include a number of non-safety-relevant devices, these must not be able to influence the safety of the system. Document GS-ET-26 “Prüfgrundsätze Bussysteme für die Übertragung sicherheitsrelevanter Nachrichten” (rules for testing bus systems for the transmission of safety-relevant messages, available only in German) describes the following fault scenarios that have to be considered: repetition, loss, insertion, wrong sequence, corruption of messages, delay, and coupling of safety-relevant and non-safety-relevant transfer functions. The TwinSAFE protocol can handle these and other fault scenarios. The residual fault rate of the TwinSAFE protocol meets the requirements of IEC 61508 SIL 3, so the protocol is suitable for typical industrial automation applications. The protocol is variable and automatically adapts to the data lengths to be transferred. For example, the TwinSAFE protocol enables Ethernet at 100 Mbit/s or a serial interface at 10 kbit/s to be used for transferring safety-relevant data. The communication system is not burdened with unnecessary overhead.
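To make the black-channel principle and the GS-ET-26 fault scenarios concrete, the following is an added example written for this page; it is not Beckhoff code and does not reproduce the actual FSoE telegram layout, which the page does not specify. It uses a constructed frame format (connection id, sequence counter, payload, CRC over all three), a hypothetical 100 ms watchdog, and a receiver for one safety connection that trusts nothing about the transport. The scenario driver feeds the receiver constructed frames for each fault class (repetition, loss, insertion, wrong sequence, corruption, delay, coupled standard data) and records which check catches it; every detected fault latches the safe state, which is the behaviour that lets the medium itself stay outside the safety argument.

```python
import struct
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical values for this illustration (not TwinSAFE/FSoE constants).
WATCHDOG_MS = 100
SEQ_MODULO = 1 << 16


def frame_crc(conn_id: int, seq: int, payload: bytes) -> int:
    """CRC over connection id, sequence counter and safety payload.
    Covering the header too is what lets the receiver distinguish an inserted
    or replayed frame from a merely corrupted one."""
    return zlib.crc32(struct.pack(">HH", conn_id, seq) + payload) & 0xFFFFFFFF


def build_frame(conn_id: int, seq: int, payload: bytes) -> bytes:
    """Sender side, constructed layout: conn_id(2) | seq(2) | payload | crc(4)."""
    header = struct.pack(">HH", conn_id, seq)
    return header + payload + struct.pack(">I", frame_crc(conn_id, seq, payload))


@dataclass
class SafetyReceiver:
    """Receiver side of one safety connection carried over a black channel.
    Any detected fault latches the safe state; the transport is trusted for nothing."""
    conn_id: int
    expected_seq: int = 0
    last_rx_ms: Optional[int] = None
    safe_state: bool = False
    faults: List[str] = field(default_factory=list)

    def _fail(self, reason: str) -> None:
        self.safe_state = True          # latch: safe outputs go to their safe value
        self.faults.append(reason)

    def tick(self, now_ms: int) -> None:
        """Periodic watchdog check: catches the case where no frame arrives at all."""
        if not self.safe_state and self.last_rx_ms is not None \
                and now_ms - self.last_rx_ms > WATCHDOG_MS:
            self._fail("loss: no frame within watchdog")

    def receive(self, frame: bytes, now_ms: int) -> Optional[bytes]:
        """Validate one frame; return its payload only if every check passes."""
        if self.safe_state:
            return None
        if len(frame) < 8:
            self._fail("corruption: frame too short")
            return None
        conn_id, seq = struct.unpack(">HH", frame[:4])
        payload, (rx_crc,) = frame[4:-4], struct.unpack(">I", frame[-4:])
        if rx_crc != frame_crc(conn_id, seq, payload):
            self._fail("corruption: CRC mismatch")        # also rejects coupled standard data
        elif conn_id != self.conn_id:
            self._fail(f"insertion: frame belongs to connection {conn_id}")
        elif self.last_rx_ms is not None and seq == (self.expected_seq - 1) % SEQ_MODULO:
            self._fail("repetition: frame replayed")
        elif seq != self.expected_seq:
            self._fail(f"loss/wrong sequence: expected {self.expected_seq}, got {seq}")
        elif self.last_rx_ms is not None and now_ms - self.last_rx_ms > WATCHDOG_MS:
            self._fail("delay: watchdog expired")
        else:
            self.expected_seq = (seq + 1) % SEQ_MODULO
            self.last_rx_ms = now_ms
            return payload
        return None


def run_scenarios() -> Dict[str, str]:
    """Drive a fresh receiver through each GS-ET-26 fault scenario using constructed
    frames on connection 7; returns the fault each scenario triggered ("ok" if none)."""
    good = [build_frame(7, i, bytes([0x80 | i])) for i in range(4)]   # constructed traffic
    results: Dict[str, str] = {}

    def outcome(r: SafetyReceiver) -> str:
        return r.faults[-1] if r.faults else "ok"

    r = SafetyReceiver(7)
    for i, f in enumerate(good):
        r.receive(f, now_ms=20 * i)
    results["nominal"] = outcome(r)

    r = SafetyReceiver(7); r.receive(good[0], 0); r.receive(good[1], 20); r.receive(good[1], 40)
    results["repetition"] = outcome(r)

    r = SafetyReceiver(7); r.receive(good[0], 0); r.receive(good[2], 20)   # frame 1 never seen
    results["loss_or_wrong_sequence"] = outcome(r)

    r = SafetyReceiver(7); r.receive(good[0], 0); r.receive(build_frame(9, 1, b"\x81"), 20)
    results["insertion"] = outcome(r)

    flipped = bytearray(good[1]); flipped[4] ^= 0x01                      # one payload bit
    r = SafetyReceiver(7); r.receive(good[0], 0); r.receive(bytes(flipped), 20)
    results["corruption"] = outcome(r)

    r = SafetyReceiver(7); r.receive(good[0], 0); r.receive(good[1], 500)  # far too late
    results["delay"] = outcome(r)

    r = SafetyReceiver(7); r.receive(good[0], 0); r.tick(300)              # nothing arrives
    results["total_loss"] = outcome(r)

    r = SafetyReceiver(7); r.receive(good[0], 0); r.receive(b"\x00\x07\x00\x01standard-data", 20)
    results["coupling"] = outcome(r)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The point of the scenario table is that each fault class needs its own check: a CRC alone does not catch a replayed or delayed frame, a sequence counter alone does not catch a corrupted one, and only a watchdog catches the case where nothing arrives. Because the checks live entirely in the safety layer, the underlying bus or Ethernet segment can carry standard data, be replaced, or fail in arbitrary ways without weakening the safety argument, which is what "genuine black channel" means above.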
FSoE/TwinSAFE telegram structure
The TwinSAFE protocol is suitable for a range of devices such as digital I/Os, drive controllers, measuring transducers or laser scanners. All safety-relevant and non-safety-relevant data are available to the non-safety-relevant controller (TwinCAT) for further processing or analysis. Extensive diagnostic functions enable very effective debugging, thereby increasing system availability. Standard and safety controllers, and standard and safety buses, no longer have to be separated, which opens up new opportunities.