
What is functional safety?

Functional safety refers to the principle of ensuring safety by means of a system’s correct operation. It ensures that a system or facility operates in a manner that reduces the risk of accidents or damage to an acceptable level, according to its safety classification.

Difference between active and passive safety

Active safety

Active safety encompasses measures and systems designed to prevent accidents and hazardous situations. These are preventive measures that actively intervene in the operation of the system before a hazardous situation occurs.

In functional safety, active safety refers to the implementation of safety functions that continuously monitor the status of sensors, actuators, and controllers and, upon detection of a fault or hazard, take action to avoid the hazard. These functions are often integrated into the software and hardware and are specified by standards such as IEC 61508 or ISO 26262.

Passive safety (Non-reactive shutdown)

Passive safety encompasses measures and systems that help minimise the effects of an accident or hazardous situation after it has occurred. It does not intervene preventively, but rather reduces the consequences.

In the context of functional safety, passive safety can mean that the system is designed to "fail safely" in the event of a fault. An example would be that a device enters a safe state or shuts down when a fault is detected. Redundant systems that take over functionality in the event of a subsystem failure can also be considered part of passive safety.

Switch off actuator supply

The technical challenge is to ensure that in the event of a fault, an actuator is not inadvertently supplied with power – for example, by supplying power via US even though the safety-related power supply UA has already been deactivated.

To solve this problem, we have developed a consistent concept for single-fault-safe shutdown of the actuator supply (UA) within IO-Link systems. This concept defines the technical requirements for the use of our components in applications with functional safety requirements. All affected devices have been adapted accordingly and their design has been revised to reliably exclude relevant failure mechanisms. This ensures that our products enable reliable operation without adverse effects, even in safety-critical environments – while simultaneously complying with all applicable standards and guidelines.

Switch off IO-Link master / Ethernet modules

The animation demonstrates the safe shutdown of the UA voltage as the supply voltage for the IO-Link master or the Ethernet module. If, for example, a protection zone is violated or an emergency stop is pressed on the machine or system, the safety relay or the F-PLC disconnects this UA voltage for the module. A connected actuator can then no longer be switched via the valve and is in a safe state.

Switch off IO-Link modules

In addition to the bus-capable modules, the functional safety requirements have also been implemented in our IO-Link modules. In this example, we use an IO-Link module with two different UA voltages (UAL/UAR). This allows two different shutdown conditions to be stored in the F-PLC. Shutting down the UAL or UAR also prevents the valve from being switched.
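The shutdown concept described above (single-fault-safe disconnection of UA, and the variant with two separately switchable actuator supplies UAL/UAR) can be expressed as a small state model. The following is an added illustrative example, not ifm's code or a description of the internal design of any ifm device; it assumes a module with one logic/sensor supply US and two actuator rails UAL and UAR, each output assigned to exactly one rail, and it models the single fault the text warns about as an unintended supply path from US into the output stage.

```python
"""Simplified model of actuator-supply (UA) shutdown in an IO-Link module.

Added example, not ifm's implementation. Assumptions: rails US, UAL and UAR
are independent; every output is powered from exactly one actuator rail; the
single fault considered is a leakage path from US into the output stage.
"""
from dataclasses import dataclass, field, replace


@dataclass
class Supplies:
    """Rail states at the module terminals (True = voltage present)."""
    US: bool = True    # sensor / logic supply
    UAL: bool = True   # actuator supply, left group
    UAR: bool = True   # actuator supply, right group


@dataclass
class IoModule:
    """IO-Link module whose outputs are assigned to the UAL or UAR rail."""
    output_rail: dict[str, str]                       # e.g. {"valve_1": "UAL"}
    commands: dict[str, bool] = field(default_factory=dict)  # standard-PLC commands
    # Single fault under consideration (hypothetical): an unintended path from
    # US into the output stage, so a commanded output could be energised
    # although its actuator rail has already been disconnected.
    us_backfeed_fault: bool = False

    def command(self, output: str, on: bool) -> None:
        """The (non-safety) PLC sets or clears an output via IO-Link."""
        self.commands[output] = on

    def output_energised(self, output: str, s: Supplies) -> bool:
        """Whether the actuator behind this output actually receives power."""
        rail_present = getattr(s, self.output_rail[output])
        wanted = self.commands.get(output, False)
        if self.us_backfeed_fault and s.US and wanted:
            # Faulty path: the command still reaches the load via US even
            # though UAL/UAR is off. This is the case the concept must exclude.
            return True
        return rail_present and wanted


def f_plc_shutdown(s: Supplies, rails: tuple[str, ...]) -> Supplies:
    """Safety relay / F-PLC reaction: disconnect the named actuator rails."""
    return replace(s, **{r: False for r in rails})


def shutdown_effective(module: IoModule, s: Supplies) -> bool:
    """True if no output whose actuator rail is switched off is energised."""
    return not any(
        module.output_energised(o, s)
        for o, rail in module.output_rail.items()
        if not getattr(s, rail)
    )


def demo() -> dict[str, bool]:
    """Walk through nominal operation, a one-sided UAL shutdown, and the fault."""
    good = IoModule({"valve_1": "UAL", "valve_2": "UAR"})
    good.command("valve_1", True)
    good.command("valve_2", True)
    nominal = Supplies()
    left_off = f_plc_shutdown(nominal, ("UAL",))   # one of two shutdown conditions

    faulty = IoModule({"valve_1": "UAL"}, us_backfeed_fault=True)
    faulty.command("valve_1", True)

    return {
        "nominal_valve_1": good.output_energised("valve_1", nominal),
        "ual_off_valve_1": good.output_energised("valve_1", left_off),
        "ual_off_valve_2": good.output_energised("valve_2", left_off),
        "good_module_safe": shutdown_effective(good, left_off),
        "faulty_module_safe": shutdown_effective(faulty, left_off),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows the two points the text makes: disconnecting UAL alone leaves outputs on UAR operable, so the F-PLC can hold two independent shutdown conditions, and a single backfeed fault from US defeats the UA shutdown entirely, which is why the concept requires that such a path be excluded by design rather than relying on the standard PLC's commands.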

Passive safe or non-reactive?

The term "passive safety" is often used in discussions about IO-Link systems. However, in our view, this term is misleading because it creates the impression that these are safety-related components within the meaning of the Machinery Directive. In fact, neither IO-Link masters nor IO-Link IO modules meet the functional safety requirements: they have neither diagnostic coverage nor were they developed according to the specific development processes for safety-related products.

If such devices are used in applications where actuators must be safely deactivated, it is crucial that the components used do not impair or negate the effectiveness of the safety function. For this reason, we deliberately do not refer to "passive safety" but rather to non-interference and fault exclusion.

The downloadable document describes how to set up a system for the interference-free disconnection of an actuator's supply voltage using a safety relay and suitable devices from the ifm device families AL1xxx (IO-Link master) and AL2xxx (IO-Link input/output module), as well as AL43xx IO modules.