Selecting the right safety control architecture

March 1, 2011
Match platform capabilities with application requirements.

The need to avoid expensive redevelopment has spurred safety-system evolution from hardwired to networked and now to integrated. Safety-rated controls are also proliferating, and are increasingly specialized for specific applications. However, selecting the most appropriate technologies requires consideration of their capabilities and limitations.

High-demand (machinery) architectures

The two most common types of safety control architectures are single channel (1oo1 or 1 out of 1) and dual channel (1oo2 or 1 out of 2).

Single-channel 1oo1 architecture is the simplest safety system and is typically used in lower-level SIL 1, SIL 2, PL a, PL b, PL c, and CAT 2 systems. Its ability to detect bit or value faults, memory errors, and problems from electrical noise is limited because it relies heavily on internal diagnostics written by human programmers. In addition, the diagnostics typically run on the same processor, memory, and data paths as the safety function itself, which degrades their reliability. Finally, microprocessors and circuit boards (including those for safety) are increasingly compact and run on much lower voltages: This increases their susceptibility to soft errors — external electrical influences and cosmic rays affecting the electrical state of gates.

In short, 1oo1 systems have difficulty providing high diagnostic coverage, and undiagnosed errors can be missed. The complexity of modern microprocessors plus the potential for human error in writing diagnostic code complicate error detection and mitigation.

In contrast, full 1oo2 architecture consists of two channels throughout the system (sensors, inputs, logic solver, outputs, field devices), where each of the redundant logic solvers can execute the safety function individually.

If a fault is detected in one of the two channels, the other can execute safety functions or bring the system to a known safe state. When one channel has an undetected fault, a mismatch between the channels occurs, resulting in a failsafe condition. In these ways, 1oo2 systems reduce the risk of soft-error faults that cause unsafe conditions.

Because it's highly unlikely that one soft error will occur in both systems at the same time and at the same place, the vast majority of SIL 3, PL d, PL e, CAT 3 and CAT 4 rated systems use a 1oo2 architecture.
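The following is an added example in C, not code from the article or from any controller vendor, that models the contrast just described: a single logic solver (1oo1) whose result drives the output directly, versus two independent solvers (1oo2) whose results are cross-compared so that a detected fault in either channel, or a mismatch caused by an undetected one, forces the safe (de-energized) state. The input fields, the safety function and the `soft_error` fault-injection flag are constructed for illustration only.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the article): minimal model of the 1oo1 and
 * 1oo2 logic-solver arrangements. Everything below is constructed for
 * illustration and is not a real safety-PLC implementation. */

typedef enum { OUT_SAFE = 0, OUT_RUN = 1 } safe_out_t;

/* Inputs as seen by one channel (constructed). */
typedef struct {
    bool estop_ok;      /* emergency stop released */
    bool guard_closed;  /* interlock guard closed */
    bool diag_ok;       /* channel self-diagnostics passed */
} channel_in_t;

/* Result of a 1oo2 vote: demanded output plus whether the channels
 * disagreed (the discrepancy that forces a failsafe state). */
typedef struct {
    safe_out_t out;
    bool mismatch;
} vote_t;

/* The safety function one logic solver executes. `soft_error` models an
 * undetected bit flip in the channel's result register that the channel's
 * own diagnostics did not catch (constructed fault injection). */
static safe_out_t channel_eval(const channel_in_t *in, bool soft_error)
{
    safe_out_t r = OUT_SAFE;          /* detected faults fall through to SAFE */
    if (in->diag_ok && in->estop_ok && in->guard_closed)
        r = OUT_RUN;
    if (soft_error)
        r = (r == OUT_RUN) ? OUT_SAFE : OUT_RUN;
    return r;
}

/* 1oo1: a single channel's result drives the output directly, so an
 * undetected flip from SAFE to RUN reaches the actuator. */
safe_out_t vote_1oo1(const channel_in_t *in, bool soft_error)
{
    return channel_eval(in, soft_error);
}

/* 1oo2: both channels evaluate independently; only agreement on RUN
 * energizes the output, and any mismatch de-energizes it. */
vote_t vote_1oo2(const channel_in_t *a, bool err_a,
                 const channel_in_t *b, bool err_b)
{
    vote_t v;
    safe_out_t ra = channel_eval(a, err_a);
    safe_out_t rb = channel_eval(b, err_b);
    v.mismatch = (ra != rb);
    v.out = v.mismatch ? OUT_SAFE : ra;
    return v;
}

/* Scenario: e-stop pressed, one undetected soft error in channel A.
 * Returns true when 1oo1 would wrongly output RUN while 1oo2 turns the
 * same fault into a detected mismatch and a failsafe output. */
bool soft_error_caught_by_1oo2(void)
{
    channel_in_t in = { .estop_ok = false, .guard_closed = true, .diag_ok = true };
    safe_out_t single = vote_1oo1(&in, true);
    vote_t dual = vote_1oo2(&in, true, &in, false);
    return single == OUT_RUN && dual.out == OUT_SAFE && dual.mismatch;
}

int main(void)
{
    channel_in_t in = { .estop_ok = false, .guard_closed = true, .diag_ok = true };
    vote_t v = vote_1oo2(&in, true, &in, false);

    printf("1oo1, no fault:        %s\n", vote_1oo1(&in, false) == OUT_RUN ? "RUN" : "SAFE");
    printf("1oo1, soft error:      %s  <- undetected, unsafe\n",
           vote_1oo1(&in, true) == OUT_RUN ? "RUN" : "SAFE");
    printf("1oo2, soft error in A: %s (mismatch=%d)\n",
           v.out == OUT_RUN ? "RUN" : "SAFE", v.mismatch);
    printf("1oo2 caught what 1oo1 missed: %s\n",
           soft_error_caught_by_1oo2() ? "yes" : "no");
    return 0;
}
```

The voter is deliberately asymmetric: agreement is required only to energize, never to de-energize, so a channel that fails its own diagnostics (`diag_ok` false) already votes SAFE on its own, and the cross-comparison covers the residual case of a fault the channel cannot see in itself. That asymmetry is what lets the dual arrangement convert an undetected single-channel error into a detectable discrepancy.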

Evaluating safety attributes

Programming software affects ease of use as well as automation and security capabilities. Most packages offer at least one of the five IEC 61131-3 programming languages — though this doesn't imply that all are easily configured.

Here are some evaluation tips: Test drive different software. If possible, make head-to-head comparisons of the time required for basic configuration tasks. Consider convenient features: For example, tag-based systems allow use of real names, rather than physical addresses.

Some software can also help manage memory, eliminating manual separation of standard and safety memory, or partition logic. Here, standard logic, external HMIs, and other controllers can read but can't write to safety memory — which saves users time, because the partition is set up automatically.

New safety add-on instructions (AOIs) are also speeding commissioning. AOIs encapsulate code for common and reusable functions, saving time and reducing errors.

Some software can even restrict access to plantwide operations or portions of a specific application. Manufacturers in highly regulated industries, such as life sciences and food and beverage, use these capabilities to only allow actions by qualified individuals — and manage revisions, fulfill regulatory requirements, and protect intellectual property.

Maximizing functionality

Integrated control functionality is another safety-architecture consideration. Implementing safety from a unit that incorporates motion, drive, sequential, and process functions cuts software, hardware, and training costs. Integrated controllers boost flexibility across a range of applications, even where a larger controller previously would have been excessive or cost-prohibitive: The scalable architecture can be adjusted to changing application demands.

In contrast, initially inexpensive solutions can ultimately cost more if they require significant engineering to work with standard automation, or inhibit future plans.


Ask: What are the connectivity choices to the control system, HMI, and other third-party equipment? Are multiple communications possible? Are separate gateways required? Are third-party interfaces supported? Systems that run on standard, unmodified Ethernet (whether fiber, wireless or standard copper) lower costs and allow distributed safety I/O on Ethernet while communicating to standard PLCs and HMIs on EtherNet/IP — with multiple protocols running simultaneously on the same Ethernet cable.

For more information, visit and click on the Safety Solutions button. Otherwise, call (440) 646-4117.
