We sat down with B&R’s safety expert Franz Kaufleitner to learn what the new standard has to offer and what implications it has for B&R’s openSAFETY technology.
With openSAFETY, B&R already offers an open, bus-agnostic safety standard. What’s different about OPC UA Safety?
Kaufleitner: Both of these safety communication standards are based on the black channel principle. The difference is that OPC UA Safety has been specified by the OPC Foundation, an organization in which all of the leading automation suppliers are represented. They are all on board with the vendor-agnostic OPC UA communication standard, and in the future OPC UA Safety as well.
What specific advantages are there to the OPC Foundation specification?
Kaufleitner: After many years of anticipation, the calls for an internationally recognized safety protocol have finally been answered. The OPC Foundation has brought together a diverse group of manufacturers in pursuit of a common goal. The new standard covers the needs of both discrete and process manufacturing, including specialized sectors like oil and gas and maritime. That’s a very important aspect when it comes to ensuring global acceptance of the technology.
If B&R is now moving in the direction of OPC UA Safety, what does the future look like for openSAFETY?
Kaufleitner: B&R will continue to develop and offer openSAFETY technology. It will coexist with OPC UA Safety, and the two will complement each other. B&R customers can keep using openSAFETY in their existing machines, for example, while also using OPC UA Safety for line-level safety communication. In a way, you could say they get an OPC UA upgrade for their proven openSAFETY applications.
What does coexistence of the two technologies look like in practice?
Kaufleitner: Both technologies are based on the black channel principle. So, in the B&R system, both openSAFETY and OPC UA Safety use the same, proven POWERLINK and OPC UA over TSN network resources. What’s decisive is that all the applications come together on B&R’s SafeLOGIC controller. Since both safety protocols are implemented on our safety controller, it can communicate just as easily via openSAFETY or OPC UA Safety – on the same device at the same time. When it comes operation of the machine or plant, it makes no difference which safety protocol is used. The same applies to software development.
When you say that openSAFETY and OPC UA Safety are both based on the black channel principle, what exactly does that mean?
Kaufleitner: Safety communication always occurs between two safety nodes. Whether OPC UA Safety or openSAFETY, the safety protocol enables the nodes to exchange data with each other safely. What’s special about these safety protocols is that they detect any faults that might occur during transmission of the data. One way to identify data loss is through time monitoring, for example. If a fault occurs, the receiving node usually sets the data to 0, sending the application into a safety state. The probability of a fault going undetected is far below the thresholds required by the applicable IEC 61784-3 standard. That’s why transport layers like POWERLINK or OPC UA over TSN are not considered during safety appraisal, nor is the network infrastructure, like routers and switches. These components can’t bring the machine into a dangerous state, because any conceivable faults would be detected by the safety protocol. The transport layers are therefore referred to as a black channel layer.
OPC UA Safety was created to allow machines from different manufacturers to communicate with each other safely. What was the most challenging part of that?
Kaufleitner: There are three main considerations when it comes to machine-to-machine safety communication. The first problem that needs to be solved are address conflicts. Imagine a production line with twenty identical robots, each with an emergency stop function. In the robot, the emergency stop function is identified by an address – let’s say #01. Since all the robots are constructed identically, and since the application program should ideally not be modified during commissioning, our production line ends up with 100 instances of address #01. It’s obviously very important that these addresses don’t get mixed up. OPC UA Safety does that using globally unique SafetyBaseID identifiers that are generated for each robot.
You said there are three main considerations. What are the other issues?
Kaufleitner: The second challenge is to establish seamless cybersecurity. OPC UA Safety uses OPC UA security mechanisms, making it the first – and so far only – standard to offer integrated security all the way from the cloud to the sensor.
And, finally, machines running different control systems must be able to communicate with one another. Since OPC UA Safety is supported by all of the world’s leading manufacturers, data can be exchanged safely between all of their automation devices.
The more controllers from different manufacturers interact with each other, the more complex safety functions become. And as that happens, detecting errors becomes increasingly difficult. How does OPC UA Safety deal with that?
Kaufleitner: The key is to detect faults and localize their root cause quickly. OPC UA Safety defines which diagnostics data should be displayed for each type of fault, such as a timeout. The error code that is output for a given fault type is always the same, regardless of which control system is used. Diagnostics can be performed using the existing mechanisms provided by the controls manufacturer or via OPC UA, which significantly accelerates the process of identifying the source of the fault.
What specific advantages can machine builders look forward to with OPC UA Safety?
Kaufleitner: Both manufacturers and their automation suppliers are dealing with a dramatic shift in consumer behavior. In addition to more online shopping, they also have to handle increasing product variety and unpredictable fluctuations in demand. So, what they need are exceptionally flexible, adaptable machines. With OPC UA Safety, they have the perfect safety communication system to go with these machines. Safety technology requirements are now taken into account on machines with components from different manufacturers. It becomes possible to produce small batches of frequently changing products efficiently and safely.