A Beginner's Guide to CIP Safety
This may be your first time reading about CIP Safety. Welcome. We will talk about how this protocol works, as well as its similarities to and differences from standard communication protocols. While this is a technical overview, we will not cover safety-programming-specific topics; instead we give an overall picture of how CIP Safety fits into the evolving industrial automation industry.
Over the past decade, as safety systems have advanced from hard-wired safety relays to programmable, network-monitored safety devices, it has become necessary to understand how this technology works and how you can benefit from it. Everyone from business managers to engineers should understand how this technology can be used to reduce cost as well as increase safety.
Some common questions around CIP Safety:
- What is CIP Safety?
- Is there special hardware for CIP Safety?
- Does CIP Safety communicate differently with a PLC (Programmable Logic Controller)?
- How is CIP Safety used in Industrial Automation?
- Are there programming differences when using CIP Safety?
- So what? How does this benefit an integrator or company?
What is CIP Safety?
The Common Industrial Protocol (CIP) is designed to allow different physical networks to be used with one shared application-layer protocol. CIP Safety is the TÜV-certified extension to the standard CIP protocol1. It extends the model by adding CIP Safety application-layer functionality on top of the protocol-specific objects and connections that are already established. Allen-Bradley systems use GuardLogix programmable safety controllers and safety remote I/O modules. I/O modules are available using CIP Safety on ControlNet™, DeviceNet™ and EtherNet/IP™.
Is There Special Hardware to Use CIP Safety?
No. Because of the safeguards that protect safety data against delivery to the wrong module and against corrupted data, CIP Safety can run over ordinary network cabling and infrastructure: the safety controller and safety I/O modules at each end are certified, while the network in between does not need to be. There are, however, response-time considerations in safety applications to ensure employee safety. In time-critical safety applications it is important to control packet latency between the safety PLC and its safety modules so that the required reaction time to a change of state at the device is maintained.
For CAN-based networks such as DeviceNet this generally means shorter cabling or fewer nodes (freeing communication scan time). For EtherNet/IP, managed switches may be required to segregate the machine from larger networks, passing only certain traffic or certain ports so that traffic on the local network is reduced. Another alternative is a dedicated EtherNet/IP scanner configured on a private (RFC 1918) subnet. A /24 subnet of this kind lets the PLC see up to 253 devices (254 usable addresses less the scanner's own) on a local network that is separated from the plant or main network.
How is CIP Safety Used in Industrial Automation?
When configuring automation lines, it is important to protect employees from dangerous equipment, especially equipment in motion. This also means controlling hazardous energy when the employee must interact with the machine2. Safety devices must ensure the safety of the employee and have multiple layers of redundancy, including dual (parallel) channels for both inputs and outputs.
It is possible to build programmable solutions for very complex safety situations, such as interaction with robotic safety zones or multiple human-presence safety devices. The same situations are difficult to solve simply with hard-wired safety relays, which lead to complex drawings and more difficult installation and troubleshooting.
Does CIP Safety communicate differently with a PLC?
Yes. While CIP Safety travels over the same network media, additional checks are applied to packets that carry safety data. Safety data verification such as time stamps and a safety CRC (Cyclic Redundancy Check) validate the integrity and timeliness of the data received. Allen-Bradley CIP Safety uses an SNN (Safety Network Number), a hexadecimal value that identifies a safety network (subnet); combined with a device's node address it gives every safety device a unique identity4. The safety PLC must claim ownership of the safety device in order to exchange safety data with it. This cross-checking means safety packets will not be accepted by a device whose address and SNN do not match those given by the owning safety PLC. Note that these mechanisms are designed to detect transmission faults (corruption, delay, repetition, misrouting), not deliberate tampering: the CRCs and time stamps are not cryptographic, so network segmentation and access control remain necessary.
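To make the ownership, time-stamp and CRC checks concrete, here is a small Python model of a safety consumer. It is an added example and not the ODVA wire format or Rockwell's implementation: the field layout, the use of a plain CRC-8 in place of the specification's CRC family, the 16-bit time stamp and the "time expectation" window are all assumptions chosen for illustration. The SNN is modelled as 6 bytes to match the 12-hex-digit form Rockwell displays, and the sample SNN and node address are constructed.

```python
import struct

SNN_LEN = 6                              # modelled SNN size (12 hex digits as Rockwell shows it)
PACKET_LEN = SNN_LEN + 1 + 2 + 1 + 1     # SNN | node | time stamp | data | CRC
SAFE_STATE = 0x00                        # value substituted whenever a packet is rejected


def crc8(data: bytes, poly: int = 0x07) -> int:
    """Plain CRC-8 (poly 0x07, init 0). Assumed stand-in for the CIP Safety CRCs."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_packet(snn: bytes, node: int, timestamp_ms: int, data: int) -> bytes:
    """Producer side: sender identity, 16-bit time stamp, one data byte, CRC over all of it."""
    if len(snn) != SNN_LEN:
        raise ValueError("SNN must be %d bytes" % SNN_LEN)
    body = snn + struct.pack(">BHB", node, timestamp_ms & 0xFFFF, data & 0xFF)
    return body + bytes([crc8(body)])


class SafetyConsumer:
    """A safety I/O module that only honours data from its configuration owner."""

    def __init__(self, owner_snn: bytes, owner_node: int, time_expectation_ms: int):
        self.owner_snn = owner_snn                      # SNN of the owner's safety subnet
        self.owner_node = owner_node                    # owner's node address (SNN + node = identity)
        self.time_expectation_ms = time_expectation_ms  # oldest packet age still accepted
        self.last_timestamp = None                      # for repetition detection

    def receive(self, packet: bytes, now_ms: int) -> tuple:
        """Return (accepted, reason, data). Any rejection yields SAFE_STATE for the data."""
        if len(packet) != PACKET_LEN:
            return False, "length", SAFE_STATE
        body, crc = packet[:-1], packet[-1]
        if crc8(body) != crc:                           # corrupted in transit
            return False, "crc", SAFE_STATE
        snn = body[:SNN_LEN]
        node, timestamp, data = struct.unpack(">BHB", body[SNN_LEN:])
        if snn != self.owner_snn or node != self.owner_node:
            return False, "owner", SAFE_STATE           # not from the controller that owns us
        age = (now_ms - timestamp) & 0xFFFF             # 16-bit wrap-around arithmetic
        if age > self.time_expectation_ms:
            return False, "stale", SAFE_STATE           # delayed beyond the time expectation
        if timestamp == self.last_timestamp:
            return False, "repeat", SAFE_STATE          # unintended repetition
        self.last_timestamp = timestamp
        return True, "ok", data


if __name__ == "__main__":
    snn = bytes.fromhex("3A8B03110001")                  # constructed sample SNN
    consumer = SafetyConsumer(snn, owner_node=5, time_expectation_ms=50)
    good = build_packet(snn, 5, 1000, 0x01)
    print(consumer.receive(good, 1010))                  # accepted
    print(consumer.receive(build_packet(bytes.fromhex("3A8B03110002"), 5, 1020, 0x01), 1025))
    print(consumer.receive(good, 1400))                  # same packet, now too old
```

The last call in the `__main__` block also makes the caveat visible: nothing in these checks requires a secret. Any host on the segment that knows the owner's SNN, node address and message format can build a packet the consumer accepts, which is why the checks above count as fault detection rather than authentication.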
Are there programming differences when using CIP Safety?
In Studio 5000™ or RSLogix 5000™ you will notice an additional main task designated for safety. Each routine that controls safety-related functions should be contained in this task. Safety tags are required for programming in the safety task; they can also be read from the standard (non-safety) task for monitoring. Standard tags, however, cannot be used directly in the safety task4; they must first be mapped to safety tags.
It is recommended to use the SIL 3 rated built-in safety instructions, such as RIN, CROUT and ESTOP, in the safety task when reading or controlling safety devices. These instructions implement the monitoring that recognized machine safety standards require, such as dual-channel monitoring and alarming: should the two channels disagree for more than 250 milliseconds, indicating a wiring or sensor problem, the instruction faults. A faulted instruction drives its output to the safe state (OFF) and sets its fault-present (.FP) bit; the bit does not clear, and the instruction is not re-enabled, until both channels have changed state together in both directions.
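The discrepancy monitoring described above is easier to reason about as a small state machine. The following Python model is an added example, not Rockwell's RIN or DCS instruction: the 250 ms limit is the figure given in the text, while the reset rule (a latched fault clears only once both channels are back in the de-energized state together) and the two input traces are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISCREPANCY_MS = 250          # discrepancy limit quoted in the text


@dataclass
class DualChannelInput:
    """Model of a redundant (dual-channel) input instruction with discrepancy monitoring."""
    discrepancy_ms: int = DISCREPANCY_MS
    mismatch_since: Optional[int] = None   # scan time at which the channels first disagreed
    fault_present: bool = False            # the ".FP" bit
    output: bool = False                   # True only when both channels are ON and no fault

    def scan(self, ch_a: bool, ch_b: bool, now_ms: int) -> bool:
        """One controller scan. Returns the instruction output (True = enabled)."""
        if ch_a != ch_b:
            if self.mismatch_since is None:
                self.mismatch_since = now_ms
            elif now_ms - self.mismatch_since > self.discrepancy_ms:
                self.fault_present = True  # channels disagreed too long: wiring/sensor fault
        else:
            self.mismatch_since = None
            # Assumed reset rule: the latched fault clears only when both channels
            # are consistent in the de-energized (safe) state.
            if self.fault_present and not ch_a:
                self.fault_present = False
        self.output = ch_a and ch_b and not self.fault_present
        return self.output


def run_trace(trace: List[Tuple[int, bool, bool]],
              discrepancy_ms: int = DISCREPANCY_MS) -> List[Tuple[int, bool, bool]]:
    """Feed (time_ms, ch_a, ch_b) samples through one instruction; return (time, output, .FP) per scan."""
    inst = DualChannelInput(discrepancy_ms)
    return [(t, inst.scan(a, b, t), inst.fault_present) for t, a, b in trace]


# Constructed traces. A real e-stop's two contacts open within a few milliseconds of
# each other; a stuck or miswired channel never follows the other one.
NORMAL_STOP_TRACE = [(0, True, True), (100, False, True), (120, False, False), (500, True, True)]
STUCK_CHANNEL_TRACE = [(0, True, True), (100, False, True), (300, False, True),
                       (400, False, True), (500, True, True), (600, False, False), (700, True, True)]

if __name__ == "__main__":
    for name, trace in (("normal stop", NORMAL_STOP_TRACE), ("stuck channel", STUCK_CHANNEL_TRACE)):
        print(name)
        for t, out, fp in run_trace(trace):
            print("  t=%4d ms  output=%-5s  .FP=%s" % (t, out, fp))
```

In the stuck-channel trace the mismatch is still within the limit at 300 ms but exceeds it at 400 ms, so the instruction faults; when channel B recovers at 500 ms both channels are ON, yet the output stays OFF and .FP stays set until the 600 ms scan sees both channels OFF together.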
So What? How Does This Benefit the Integrator or Company?
Companies using CIP Safety can reduce wiring (easier installation and troubleshooting) while still safely handling complex interactions between humans and machines. These systems allow an integrated architecture, and with the Ethernet modules the health of a module and other status information can be read through explicit messages or the modules' configuration and status data.
With the rise of collaborative machines and guided robotic assembly or process lines, the safety of employees relies on the company's understanding of the minimum safeguards between machine and operator. CIP Safety allows a process to be optimized without affecting safety, because the two are controlled separately inside the controller.
Finally, one last feature that is important to cover, regardless of the physical network used for CIP Safety, is locking the safety program after it has been validated. This does two things. First, it prevents accidental overwriting: the safety task signature (generated once the safety application has been validated, before locking) held in the PLC is checked against the file being downloaded. Second, it prevents unwanted changes to the safety application while in operation, as the safety lock on the PLC can be password protected. This does not affect the standard PLC routines, which can still be modified if required even while the safety application is locked. Treat the lock password as a change-control measure rather than a security boundary: anyone with network and programming access to the controller can still change the standard task, so access to the controller itself should be restricted.
1 ODVA. "The CIP Safety Specification." ODVA, January 2005 - November 2008. https://www.odva.org/Technology-Standards/Common-Industrial-Protocol-CIP/CIP-Safety
2 HMS Technology Center Ravensburg GmbH. "CIP Safety on EtherNet/IP: Generic Porting Guide." 7 June 2016. https://www.ixxat.com/docs/librariesprovider8/default-document-library/downloads/safety/cip-safety-on-ethernet-ip—generic-porting-guide-(4-02-0501-20002).pdf?sfvrsn=6913b0d6_14
3 "Industrial Ethernet Book." The Industrial Ethernet Book.
4 Riemer, Jon. "Introduction to Safety PLCs: GuardLogix & CIP Safety." Werner Electric, 2018. www.wernermn.com/wp-content/uploads/2018/09/T11-What-is-Safety-over-Ethernet.pdf