Functional safety networks for Ethernet communication protocols

PROFIsafe extends the Profinet communication protocol to address unique requirements for safety-related information necessary to conform to strict safety standards.

By Nelly Ayllon February 12, 2021

Functional safety (fail-safe) is the overall part of safety which aims to prevent hazards due to the incorrect functioning of industrial machinery. Traditionally, functional safety systems relied on separately wired circuits that are expensive to build, commission, and maintain. Nowadays, functional safety can be done over the fieldbus, shifting from safety in hard relays to safety in logic.

PROFIsafe can provide functional safety over the bus. It is designed to eliminate the need for a separate safety network and reduces industrial network architectures to one bus. PROFIsafe extends the Profinet communication protocol to address unique requirements for safety-related information necessary to conform to strict safety standards.

Functional safety standards

PROFIsafe ensures the integrity of fail-safe signals transmitted between safety devices and a safety controller, meeting relevant safety standards. That includes the highest safety categories: up to SIL3 according to IEC 61508/IEC 62061, and Category 4 according to EN 954-1, or PL “e” according to ISO 13849-1.

Network components and implementation

Not all Profinet devices support PROFIsafe. Therefore, the user must carefully select safety components. During implementation, the user selects the elements within the network that require safety; only those network components require PROFIsafe capabilities. As shown in the figure, the overall network configuration may contain a mix of fail-safe (yellow) and standard (gray) components. Also, PROFIsafe is designed to work independently of the base transmission channel, whether that channel is copper wire, fiber optics, wireless, or a backplane.

PROFIsafe components are commonly called F-components (fail-safe). The following are PROFIsafe elements in an F-system:

The F-GSD file (General station description file: Profinet device description provided by the device manufacturer) contains all the information to allow an F-controller to set up and communicate with the device. A cyclic redundancy check (CRC) protects the F-GSD file to ensure its safety conformance.
The F-config tool is the programming environment. It uses F-GSDs to create and download the system configuration and F-program to the F-controller. The F-program and configuration are subject to PROFIsafe safety checks to ensure correct functioning.
The F-controller executes the safety program.
F-Devices use hardware safety techniques to ensure their safe operation. Input/output (I/O), light curtains, valves, and drives are a few examples of F-devices.

PROFIsafe mechanisms for protection

PROFIsafe protects communication from the safety signal origination to the signal destination (and vice versa). It also helps ensure the integrity of the safety portion of the communication. Within any Ethernet-based network, certain communication errors can occur, such as message repetition, deletion, or delays. PROFIsafe incorporates several remedies to address all possible communication errors accordingly. The following table lists the remedies and indicates which errors they mitigate.

Figure 2: Example of the black channel principle. Courtesy: PI North America[/caption]

Certifications for PROFIsafe

Device manufacturers that choose to add this profile to a Profinet product must certify such products for PROFIsafe before it is available to the public. PI test laboratories perform the approved PROFIsafe layer tests on behalf of assessment bodies such as:

TÜV (worldwide)
IFA (Germany)
SP (Sweden)
SUVA (Switzerland)
HSE (United Kingdom)
FM, UL (USA)

Nelly Ayllon, technical marketing director, PI North America, a CFE Media content partner. This article originally appeared on PI North America’s website. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media, cvavra@cfemedia.com.