Black channel + standard protocols: the core approach to safety integration for mobile machines
Mobile robots such as AGVs and AMRs are no longer isolated machines operating at the edge of production. They are becoming an integral part of factory workflows, interacting with people, infrastructure, and stationary automation systems.
While onboard safety concepts for mobile machines are well established, integrating these machines into factory floor safety systems introduces new challenges, especially when the only viable connection is wireless. Understanding these challenges, and how to address them, is key to scaling mobile automation in modern production environments.
1. System architecture: where the challenge begins
To understand why integrating mobile machines into factory-floor safety systems is challenging, it’s necessary to look at the system architecture as a whole, from the mobile device to the factory floor, and the wireless network that must connect them.
1.1 Mobile machines as “safe islands on wheels”
Modern AGVs and AMRs can be seen as safe islands on wheels. They typically carry their own safety sensors and safety logic, designed to protect people and equipment in the immediate vicinity of the machine. Emergency stop buttons, laser scanners, and drive-related safety functions are handled locally, allowing very fast reaction times when a hazard is detected.
This local safety setup is usually based on a homogeneous safety network inside the mobile machine. Just as importantly, this onboard safety system is owned and certified by the machine manufacturer. As a result, third-party access to the onboard safety network is normally not allowed. These principles are reflected in standards such as ISO 3691-4 and reinforced by the EU Machinery Regulation 2023/1230, both of which place increased emphasis on clearly defined safety concepts for mobile machines.
In short, the mobile machine is safe on its own - but its safety system is isolated from the factory-floor safety infrastructure it increasingly needs to interact with.
1.2 Factory-floor safety systems: distributed and inhomogeneous
The picture changes completely when we look beyond the mobile machine and onto the factory floor. Factory-floor safety systems are:
• selected by the end user, not the machine builder,
• distributed across large areas, and
• often hierarchical, with multiple PLCs and safety zones.
Different machines, cells, and infrastructure components may use different safety protocols and automation platforms. The result is an inhomogeneous safety architecture, where safety signals need to be exchanged across machines, zones, and systems that were never designed to work together seamlessly.
The core challenge is clear: how do you attach a mobile robot fleet to safety signal processing on the factory floor?
1.3 Wireless as the only bridge, and why that’s a problem
In practice, there is only one realistic way to connect mobile machines to factory-floor safety systems: wireless communication. Mobile machines move, and wired safety connections are simply not feasible.
However, wireless introduces a new set of problems:
• Reduced communication stability,
• Roaming between access points,
• Shared air as a transmission medium, and
• Network delays well above 100 ms.
Wireless infrastructure is typically designed for IT traffic, where buffering and retransmissions are acceptable. Safety communication is different. Safety signals cannot be buffered indefinitely, and repeated packet loss will cause the system to enter a safe state - often leading to unnecessary stops and reduced availability.
1.4 Solving the architectural gap: treating wireless as a black channel
The solution is not to make wireless deterministic, but to treat it as a black channel. In a black-channel approach, the underlying transport medium is assumed to be unreliable by design. Safety integrity is ensured entirely by the safety protocol, not by the network.
Standardized safety protocols such as CIP Safety and PROFIsafe are explicitly designed for this purpose. They allow safety signals to be transmitted over standard Ethernet networks, including Wi-Fi, while maintaining safety integrity up to SIL 3 / PL e.
Even when network quality fluctuates, the safety integrity of the signal remains unaffected. What does change is availability. Network quality influences how many devices can communicate safely and how long safety timeouts must be configured, which in turn affects reaction times.
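A minimal model of the black-channel principle described above, added here as an illustration (it is not HMS or Safe2Link code, and not the CIP Safety or PROFIsafe frame format). The frame layout, connection ID 0x2A, CRC-32 check and timing trace are assumptions constructed for the example; it shows the receiver enforcing integrity on its own while the watchdog setting trades availability against reaction time.

```python
import struct
import zlib

RUN, SAFE_STATE = "RUN", "SAFE_STATE"
FMT = ">HIB"  # hypothetical layout: connection ID, sequence number, stop flag

def make_frame(conn_id, seq, stop):
    """Sender: seal the safety payload with a CRC before it enters the black channel."""
    body = struct.pack(FMT, conn_id, seq, int(stop))
    return body + struct.pack(">I", zlib.crc32(body))

class SafetyReceiver:
    def __init__(self, conn_id, watchdog_ms):
        self.conn_id, self.watchdog_ms = conn_id, watchdog_ms
        self.last_seq, self.last_ok_ms = -1, 0
        self.state, self.reason = RUN, None

    def _trip(self, reason):
        if self.state == RUN:  # latch the first cause; no automatic restart
            self.state, self.reason = SAFE_STATE, reason

    def on_frame(self, frame, now_ms):
        if len(frame) != 11 or zlib.crc32(frame[:7]) != struct.unpack(">I", frame[7:])[0]:
            return self._trip("corruption")
        conn_id, seq, stop = struct.unpack(FMT, frame[:7])
        if conn_id != self.conn_id:
            return self._trip("wrong connection")
        if seq <= self.last_seq:
            return  # repeated or stale frame: ignored, does not refresh the watchdog
        self.last_seq, self.last_ok_ms = seq, now_ms
        if stop:
            self._trip("remote stop")

    def tick(self, now_ms):
        # Called cyclically: silence longer than the watchdog forces the safe state.
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            self._trip("watchdog timeout")

def simulate(arrivals, watchdog_ms, end_ms, step_ms=10):
    """Feed (arrival_ms, frame) pairs to a receiver; return (state, reason)."""
    rx, pending = SafetyReceiver(0x2A, watchdog_ms), sorted(arrivals)
    for now in range(0, end_ms + 1, step_ms):
        while pending and pending[0][0] <= now:
            rx.on_frame(pending.pop(0)[1], now)
        rx.tick(now)
    return rx.state, rx.reason

# Constructed trace: 50 ms cycle with a 180 ms roaming gap between 200 and 380 ms.
TIMES = [0, 50, 100, 150, 200, 380, 430, 480]
TRACE = [(t, make_frame(0x2A, i, False)) for i, t in enumerate(TIMES)]
```

Running `simulate(TRACE, 100, 500)` ends in the safe state during the roaming gap, while `simulate(TRACE, 300, 500)` keeps running at the cost of a slower worst-case reaction to a lost link.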
2. Supporting CIP Safety and PROFIsafe
CIP Safety and PROFIsafe both follow the black-channel principle, but they behave differently in wireless environments.
CIP Safety on EtherNet/IP is purely IP-based, which makes it easier to route through standard IT infrastructure and existing wireless networks. This makes it particularly suitable for mobile machines that already rely on Wi-Fi for fleet management or diagnostics.
PROFIsafe, on the other hand, is more efficient on the communication layer but requires specific capabilities in wireless access points.
In many factories, both protocols coexist, which is why mobile machines must be prepared to support either, depending on the deployment environment.
3. Introducing Safe2Link: bridging the gap
This is exactly the gap the Anybus Safe2Link is designed to bridge.
The Safe2Link implements standardized safety protocols over existing wireless infrastructure, allowing safety signals to be exchanged between mobile machines and stationary safety systems without changing the onboard safety configuration.
Instead of programming new safety logic, the approach is to parameterize certified safety functions and reuse what is already there, both on the machine and on the factory floor.
3.1 From architecture to implementation
In a typical system architecture, mobile machines already contain a vehicle controller for navigation and motion, local safety sensors and safety logic for fast reaction, and wireless connectivity to higher-level systems such as fleet or warehouse management.
At the same time, the factory floor includes external emergency stop devices, safety PLCs, and other safety-related infrastructure that must be able to influence the behavior of mobile machines. The challenge is to loop these external safety signals into the mobile machine without modifying the certified onboard safety network, and to do so over an unreliable wireless link.
This combined system view highlights why a dedicated, standardized mechanism is required to safely bridge mobile and stationary safety systems while preserving fast local reaction and overall system certification.
3.2 Safe2Link hardware features
The Safe2Link is a compact, rugged remote safety I/O device designed for mobile environments. Key hardware features include:
• Support for EtherNet/IP with CIP Safety, with PROFIsafe planned,
• An IP54-rated aluminum housing suitable for harsh conditions,
• Integrated Ethernet switch and M12 connectors, and
• Safe and non-safe I/O, including dual safe inputs, dual safe outputs, and SS1-t indication.
Clear status indicators support fast troubleshooting during commissioning and operation.
3.3 Safe2Link software features
On the software side, the Safe2Link focuses on interoperability and reduced recertification effort:
• Conformance-approved EtherNet/IP adapter and CIP Safety target,
• Standardized integration via EDS files and Sistema libraries, and
• Unique addressing of mobile devices via the safety fieldbus.
Instead of programming custom safety logic, Safe2Link allows safe parameter transfer at startup, configurable filtering, and sensor supervision. This significantly reduces integration risk and certification effort.
Advanced functions such as Safe Stop Category 1 (SS1-t) and SafeBound™ allow fast local safe stops to be combined with slower remote safe stops, which is critical when wireless delays cannot be avoided.
3.4 A structured path to integrating a remote safe stop
The integration of a remote safe stop follows four clear steps:
• Loop in an additional safe stop source,
• Establish the communication link using existing wireless infrastructure,
• Configure the external safety network using type-approved components, and
• Verify safe operation as part of the system certification.
This structured approach allows mobile machines to participate in factory-level safety concepts while preserving the integrity of their onboard safety systems.
4. Conclusion
As mobile machines become an integral part of modern production environments, integrating them into factory-floor safety systems is no longer optional. Wireless communication is unavoidable, but it does not have to compromise safety.
By combining standardized black-channel safety protocols with a practical implementation like the Safe2Link, safety integration becomes predictable, certifiable, and scalable. That is how we move from safety logic to real-world action.
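Notice:
- This article is reproduced from HMS-NETWORKS and was translated by 爱泽工业; if it infringes any rights, please contact us for removal.
- Corrections are welcome if anything is inaccurate.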
