Functional safety in real-time Ethernet
Franz Kaufleitner and Anton Meindl -- Control Engineering, 9/1/2006
The Ethernet network standard is an integral part of machine and manufacturing automation. Standard components, protocols, and tools provide openness, continuity, and data transparency. For this reason, Ethernet in automation is the prerequisite for easy-to-implement, reliable, and cost-efficient applications. Real-time capability plays an important role. Reaction times and precision in the microsecond range are becoming more important, and not just in machine manufacturing. However, current performance is not enough to meet future requirements. An important factor when selecting a real-time Ethernet system will be whether functional safety is integrated and how this has been done.
The specification for the safety protocol Ethernet Powerlink safety (EPLsafety) was designed by a separate workgroup within the Ethernet Powerlink Standardization Group (EPSG). Protocol development is driven by leading manufacturers of automation components and experts in safety technology. The main goal was to develop an open system with the highest performance, absolute independence from non-safe transport protocols, and transparent data exchange between safe and non-safe areas.
Most safety installations
Today, most safety solutions have a dependable wiring system with central E-stop devices, because special safety controllers are generally still too expensive for mid-sized machines and systems. This approach lacks flexibility and increases wiring complexity and expense. Diagnosing errors in this case becomes complicated and limited.
Modern safety systems get by with a standard fieldbus made safe by special measures implemented for data transmission. Safe remote I/O components can then be distributed easily through the system. The safe controller function is handled locally by a safe PLC. If a single CPU handles both safe and non-safe programs, transmitting data between the yellow (safe) and the gray (non-safe) worlds is relatively easy, but the scalability of the controller’s performance becomes extremely limited. For this reason, some systems execute safe program sequences in a separate, safe controller unit. When selecting the standard fieldbus system and safety protocol, it’s important to consider the runtime of safe data so the safe response time of the system can be adhered to.
Safe networks
How does a bus system become a bus system for safety-oriented applications? How does it differ from conventional bus systems?
Safety system requirements are specified by the IEC 61508-1 standard as well as the testing policies for testing and certifying bus systems for transmitting safety-oriented messages. To be used in safety-oriented applications, a bus system must be ready for any error that may occur during data transmission and include mechanisms that can bring the error under control and prevent potentially dangerous situations.
The probability of undiscovered errors that might cause a dangerous situation may not exceed the limits specified in the standard. For machine manufacturing applications where the IEC 61508 SIL3 safety level typically applies, this may not exceed 10^-9 errors per hour. In other words, a dangerous situation may only occur because of an error on the bus once every 11,500 years or so.
To meet these high demands, safety-oriented bus systems are equipped with several mechanisms to prevent the following potential errors from occurring during data transmission: redundant data; data loss; inserted data; incorrect data sequences; corrupt data; and excessive transmission delays.
In addition, a network supports the application lifecycle and provides necessary services for error-free commissioning, device exchanges, diagnostics, configurations, etc.
For safety technology to be integrated into systems that use varying bus systems, it’s important that the safety-oriented protocol is not developed for just one particular network or bus system. All measures necessary for preventing errors must therefore be implemented in the safety-oriented protocol layer itself. Special properties or features of the underlying transport protocol must not be relied upon to help prevent possible errors. The Ethernet Powerlink Safety (EPLsafety) specification is independent of the transport protocol and can be used for non-Ethernet-based networks with lower bandwidth such as a CAN bus.
To handle data management, EPLsafety uses an object dictionary whose structure and format borrow from the mechanisms present in the CANopen object dictionary. This property is particularly appreciated by experienced CANopen users.
Everything on one bus
Early safety bus systems were isolated and structured to exchange safety-oriented data only. These bus systems have won proponents because this architecture uses bandwidth reserved solely for safety-oriented data. Under no circumstances can safety-critical data packets be held up by other data packets. This line of argument loses validity when dealing with real-time Ethernet systems like Ethernet Powerlink. This system reserves the exact amount of network bandwidth required by each station. In addition, Ethernet Powerlink offers: strict, deterministic timing; very short cycle times of 200 µs or less; low network jitter of less than 1 µs; and safe “worst case” response times.
The EPLsafety specification gives special attention to the protocol’s use in modular machines. Special services for these types of applications are available to allow commissioning and hardware exchanges during operation in systems where safety is critical.
Shorter response times
Response times for discretely wired components are always shorter than those networked with bus systems. If an E-stop switching device is wired discretely with the safety relay, the shut-off signal is transmitted at nearly the speed of light, making it non-critical from a safety point of view. When a network is used, signal and processing runtimes on the bus need to be considered.
EPLsafety doesn’t even come close to exceeding the limits set by the IEC 61508 standard. For the first time, refresh times of 100 µs or less are possible with a safety-oriented protocol.
Current Ethernet Powerlink implementations work with cycle times of approximately 200 µs. Test devices are already handling cycle times of 100 µs. The extremely low error remainder probability of EPLsafety is already sufficient for these short cycle times and will allow it to be used in Gigabit Ethernet networks in the future.
With possible refresh time of 200 µs, EPLsafety is the fastest protocol by far for solving safety-oriented tasks.
User benefits
Safety-oriented bus systems reduce wiring work and the possibility of errors while increasing flexibility in machine and manufacturing automation. The double wiring needed until recently is no longer necessary. Data from safety-oriented devices can be analyzed directly and immediately by all other devices.
EPLsafety provides the first and only safety-oriented protocol with real-time capabilities for machine and manufacturing automation and for tasks that require operational safety. Response times assured by EPLsafety are at least a factor of 10 better than the response times of other safety-oriented fieldbus systems.
Author Information
Franz Kaufleitner is project manager for safety-oriented products, and Anton Meindl is the business manager in the field of controllers and fieldbus technology, at B&R, Eggelsberg, Austria, www.br-automation.com
ONLINE EXTRA
More about Ethernet Powerlink
As mentioned, a safety relay enters a secure state if the safety-critical data stops coming in. To prevent the loss of a single packet from causing the failure of the system, the response time of this relay is typically set to more than double the refresh time. A refresh time of 200 µs results in a worst case response time of around 500 µs. When considering the safe worst case response time for the entire safety chain, the input signal filter times need to be added to the response times of the actuators.
If E-stop data stops being received, the safety relay recognizes an error and switches to a safe state by itself. The time between two data packets sent from the E-stop device is referred to as the refresh time. If the refresh time is 200 µs, then 18,000,000 safety-related messages are exchanged per hour. To adhere to the 10^-9 unrecognized errors per hour limit, there can only be one case of unrecognized corrupted data in 1.8x10^16 messages. This refers to the error remainder probability of the protocol, which in this case must be better than 1/1.8x10^16 = 5.55x10^-17. The error remainder probability of a protocol is the value that determines the minimum allowed refresh time in the safety-oriented bus system and substantially influences the “worst case” response time of the application.
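The timing budget above (the SIL3 limit of 10^-9 undetected errors per hour, the number of messages per hour at a given refresh time, and the per-message error remainder probability this requires) is the same arithmetic in every safety-oriented bus system, so here it is carried through as an added example; it is not code from the article or from the EPSG. The SIL3 limit and the three EPLsafety error remainder values are the figures quoted in the article; the 2.5x watchdog factor is an assumption chosen to reproduce the article's "200 µs refresh, around 500 µs worst case" figure. The example also inverts the formula to show the shortest refresh time each quoted error remainder value could support, which the article states only qualitatively.

```python
"""Safety-protocol timing budget: refresh time vs. SIL3 limit vs. per-message
error remainder probability. Added example, not the article's or EPSG's code."""

SIL3_LIMIT_PER_HOUR = 1e-9      # IEC 61508 SIL3 figure quoted in the article
SECONDS_PER_HOUR = 3600.0

def messages_per_hour(refresh_time_s: float) -> float:
    """One safety message is sent per refresh interval."""
    return SECONDS_PER_HOUR / refresh_time_s

def required_residual_probability(refresh_time_s: float,
                                  limit_per_hour: float = SIL3_LIMIT_PER_HOUR) -> float:
    """Largest per-message probability of an undetected corruption that still
    keeps the undetected-error rate below `limit_per_hour` at this refresh time."""
    return limit_per_hour / messages_per_hour(refresh_time_s)

def min_refresh_time(residual_probability: float,
                     limit_per_hour: float = SIL3_LIMIT_PER_HOUR) -> float:
    """Inverse: shortest refresh time a protocol with this error remainder
    probability may use before undetected errors exceed the hourly limit."""
    return SECONDS_PER_HOUR * residual_probability / limit_per_hour

def undetected_error_rate(refresh_time_s: float, residual_probability: float) -> float:
    """Undetected errors per hour actually reached at a given refresh time."""
    return messages_per_hour(refresh_time_s) * residual_probability

def worst_case_response_time(refresh_time_s: float, watchdog_factor: float = 2.5) -> float:
    """The receiver's watchdog is set to more than double the refresh time so a
    single lost packet does not trip it. 2.5x is an assumed factor that gives
    the article's ~500 us for a 200 us refresh; the real value is device-specific."""
    return watchdog_factor * refresh_time_s

# Error remainder probabilities quoted in the article, keyed by payload size (bytes).
EPLSAFETY_RESIDUAL = {1: 5.234e-20, 8: 7.061e-20, 249: 2.021e-19}

def budget_report(refresh_time_s: float) -> dict:
    """Work the whole chain through for one refresh time."""
    return {
        "messages_per_hour": messages_per_hour(refresh_time_s),
        "required_residual": required_residual_probability(refresh_time_s),
        "worst_case_response_s": worst_case_response_time(refresh_time_s),
        "achieved_rate_per_hour": {n: undetected_error_rate(refresh_time_s, p)
                                   for n, p in EPLSAFETY_RESIDUAL.items()},
        "min_refresh_s": {n: min_refresh_time(p) for n, p in EPLSAFETY_RESIDUAL.items()},
    }

if __name__ == "__main__":
    for t in (200e-6, 100e-6):
        r = budget_report(t)
        print(f"refresh {t * 1e6:.0f} us: {r['messages_per_hour']:.3g} msgs/h, "
              f"need residual < {r['required_residual']:.3g}, "
              f"worst case {r['worst_case_response_s'] * 1e6:.0f} us")
        for n, rate in r["achieved_rate_per_hour"].items():
            print(f"  {n:>3} B payload: {rate:.3g} undetected/h, "
                  f"min refresh {r['min_refresh_s'][n] * 1e6:.3f} us")
```

Running it shows the margin the article alludes to: at 200 µs the quoted error remainder values leave the undetected-error rate several orders of magnitude below 10^-9 per hour, and the refresh time they could in principle support is well under 1 µs.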
To handle this, the EPLsafety data format has been split into two sub-frames. Each sub-frame is secured using a separate checksum (CRC) that is calculated differently. This mechanism allows EPLsafety to achieve values for error remainder probability of 5.234x10^-20 for 1 byte, 7.061x10^-20 for 8 bytes, and 2.021x10^-19 for 249 bytes.
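To make concrete how a receiver in the safety protocol layer detects the error classes listed earlier (repeated, lost, inserted, out-of-sequence, corrupt and delayed data) and how carrying the data twice under two differently calculated CRCs contributes, here is an added example. It is not code from the article or from the EPSG, and the frame layout is constructed for illustration; it is not the EPLsafety frame format. Assumptions: a 1-byte connection id and 1-byte sequence counter in each sub-frame, CRC-8 (polynomial 0x07) on the first sub-frame and CRC-16/CCITT-FALSE (polynomial 0x1021) on the second, and a receiver watchdog of 2.5x the refresh time, following the article's "more than double" rule.

```python
"""Receiver-side checks for the transmission-error classes named in the article.
Added example with a constructed frame layout; NOT the EPLsafety frame format.
Each frame carries the data twice, in two sub-frames protected by different CRCs."""
import struct

def crc(data: bytes, width: int, poly: int, init: int = 0) -> int:
    """Plain MSB-first (non-reflected) CRC of `width` bits with generator `poly`."""
    mask = (1 << width) - 1
    top = 1 << (width - 1)
    reg = init & mask
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    return reg

def crc8(data: bytes) -> int:        # CRC-8, polynomial 0x07, init 0
    return crc(data, 8, 0x07)

def crc16(data: bytes) -> int:       # CRC-16/CCITT-FALSE, polynomial 0x1021, init 0xFFFF
    return crc(data, 16, 0x1021, 0xFFFF)

def build_frame(conn_id: int, seq: int, payload: bytes) -> bytes:
    """Constructed layout: [id][seq][payload][crc8] [id][seq][payload][crc16]."""
    sub = bytes([conn_id & 0xFF, seq & 0xFF]) + payload
    return sub + bytes([crc8(sub)]) + sub + struct.pack(">H", crc16(sub))

class SafeReceiver:
    """Tracks one safety connection and reports which error classes a frame shows."""
    def __init__(self, conn_id: int, payload_len: int, refresh_time_s: float,
                 watchdog_factor: float = 2.5):
        self.conn_id = conn_id
        self.payload_len = payload_len
        self.timeout = watchdog_factor * refresh_time_s   # > 2x refresh, per the article
        self.last_seq = None
        self.last_time = None

    def check(self, frame: bytes, now_s: float) -> list:
        n = self.payload_len
        l1, l2 = 2 + n + 1, 2 + n + 2
        if len(frame) != l1 + l2:
            return ["corrupt"]
        sub1, c1 = frame[:l1 - 1], frame[l1 - 1]
        sub2, c2 = frame[l1:l1 + l2 - 2], struct.unpack(">H", frame[l1 + l2 - 2:])[0]
        # Corruption: a CRC fails or the two copies disagree; contents are not trusted.
        if crc8(sub1) != c1 or crc16(sub2) != c2 or sub1 != sub2:
            return ["corrupt"]
        conn_id, seq = sub1[0], sub1[1]
        # Insertion: a well-formed frame that belongs to a different connection.
        if conn_id != self.conn_id:
            return ["inserted"]
        errors = []
        if self.last_seq is None:
            delta = 1                                  # first frame on this connection
        else:
            delta = (seq - self.last_seq) % 256
            if delta == 0:
                errors.append("repeated")              # same counter value seen again
            elif 1 < delta < 128:
                errors.append("lost")                  # gap in the counter
            elif delta >= 128:
                errors.append("wrong_sequence")        # an older frame arriving late
        if self.last_time is not None and now_s - self.last_time > self.timeout:
            errors.append("delayed")                   # watchdog expired
        if 0 < delta < 128:                            # counter moved forward: resync
            self.last_seq, self.last_time = seq, now_s
        return errors

def demo() -> list:
    """Constructed traffic on connection 7 with a 200 us refresh time."""
    rx = SafeReceiver(conn_id=7, payload_len=2, refresh_time_s=200e-6)
    data = b"\x01\x00"
    bad = bytearray(build_frame(7, 6, data))
    bad[2] ^= 0x01                                     # flip one payload bit
    traffic = [
        (0.0,     build_frame(7, 1, data)),            # ok
        (200e-6,  build_frame(7, 2, data)),            # ok
        (400e-6,  build_frame(7, 2, data)),            # repeated
        (600e-6,  build_frame(7, 4, data)),            # seq 3 lost
        (1200e-6, build_frame(7, 5, data)),            # 500 us watchdog expired
        (1300e-6, bytes(bad)),                         # corrupt
        (1400e-6, build_frame(9, 6, data)),            # inserted from connection 9
        (1500e-6, build_frame(7, 3, data)),            # wrong sequence (stale frame)
    ]
    return [rx.check(f, t) for t, f in traffic]

if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

Note that none of these checks depends on the transport below: the connection id, counter, CRCs and watchdog all live in the safety layer, which is the independence from the underlying network the article asks for. In a real device any non-empty result would drive the output to its safe state rather than merely being reported.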
Ethernet Powerlink is an open, real-time industrial Ethernet network with more than 300 supporters and users worldwide. EPLsafety builds on this foundation and offers users the highest possible protection for their investments. The specification and certification processes being carried out by the EPSG ensure the interoperability of products from different manufacturers. Ethernet Powerlink protocols do not require special hardware, ASICs, network components, or switches. Ethernet Powerlink and EPLsafety are not patented and remain open for all interested product manufacturers and users.
Related reading from Control Engineering
- “'Ethernet' isn't a protocol; something needs to run in the wire”
- “Industrial Networks”
- “Safety Networks Up and Running”