Safety services on a standard network

Communication networks have changed the look of today’s automation systems by distributing processing, sensors and actuators to where they are required.

By Control Engineering Europe December 6, 2020

CIP Safety extends the industry-standard CIP base services by adding CIP Safety-specific services that transport data with high integrity over CIP-based networks such as EtherNet/IP. It offers a scalable, network-independent approach to safety networking, in which the safety services are described in a well-defined layer so that the underlying network services can be changed. This approach is said to enable the seamless routing of safety data, allowing users to create end-to-end safety chains across multiple links.

The same motivations that originally moved communication networks into the industrial environment – greater distances, increased flexibility, reduced cost, and improved maintainability – are also driving the development of industrial safety networks. End users recognize the limitations of traditional hardwired safety solutions as hardwired systems are difficult to develop and maintain for all but the most basic applications. For example, hardwired safety systems employ relays, which are interconnected to provide a safety function. Furthermore, these systems place significant restrictions on the distance between devices.

As safety system developers progressed beyond basic E-stop functions, they found themselves forced to fall back to hardwired logic techniques, which have been out of widespread use for control functions since the 1970s. Even when they were successful in developing a significantly sized safety system, these were often costly and difficult to maintain.

Safety services

Because of these issues and a growing need for process data and flexibility, it is desirable to provide safety services on standard communication networks. The development of CIP Safety by ODVA for use on EtherNet/IP and other networks is one such example.

The key to these developments was not to create a network that could not fail, but to create a system in which failures in the network would cause safety devices to go to a known safe state. If users know which state the system will go to, they can design their application to be safe, although this requires significantly more checking and redundant coding information. Fortunately, communication networks have become pervasive in automated systems, and electronics capable of advanced diagnostics are widely available.

Functional safety

The foundation of functional safety is the IEC 61508 standard. Following the guidance of that standard, additional safety standards specific to industries, products, and technologies have been developed, such as IEC 62061, ISO 13849-1, and IEC 61784-3.

To avoid the complexity and maintenance of designing a dedicated safety-rated network, IEC 61508 and IEC 61784-3 emphasize another option called ‘the black channel’, which assumes that the network is completely unreliable, so the diagnostics must exist outside of the network infrastructure. This concept stipulates that if a safety communication protocol has enough error detection built into the protocol itself, it can be transmitted across different network types without degrading the integrity of the safety data. This can include traversing multiple network links and network segmentation techniques.

Building a safety communication protocol with the black channel principle can be problematic if the corresponding standard communication protocol is heavily dependent on non-standard network hardware.

Fortunately, CIP Safety is based on the Common Industrial Protocol (CIP), which allows network-independent routing of data. These base services have been extended to provide high-integrity safety services by the addition of CIP Safety-specific network services, giving a scalable, routable, network-independent safety layer and removing the requirement for dedicated safety gateways. Since all safety devices execute the same protocol regardless of the media on which they reside, the user approach is consistent and independent of the media or network used.

The Common Industrial Protocol (CIP) is designed to allow different networks to be used with a common protocol. Since it is designed to be media and datalink independent, it allows for expansion to other networks and to grow as Ethernet grows.

CIP Safety is an extension to the standard capabilities of CIP, and it has been certified by TÜV Rheinland for use in functional safety applications. It extends the model by adding CIP Safety application layer functionality, as shown in Figure 1.

Because the safety application layer extensions do not rely on the integrity of the underlying standard CIP services and datalink layers, single-channel (non-redundant) hardware can be used for the datalink communication interface. This same partitioning of functionality allows standard routers to route safety data across networks, and between different layers of complex networks, as long as the safety data itself is not modified. The routing of safety messages is possible because the end device is responsible for confirming the integrity of the data. If an error occurs in the transmission of the data or in an intermediate router, the end device will detect the failure and take an appropriate action.
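The black-channel principle described above (the network is assumed unreliable, so every integrity check lives in the safety layer at the end device) is easier to see in code. The following is an added illustration, not code from the article, from ODVA or from the CIP Safety specification: it uses a constructed, hypothetical safety PDU layout (connection ID, sequence number, producer timestamp, one data byte, CRC-32) and an assumed 50 ms watchdog, and shows a consumer that drives its output to the de-energized safe state on any detected fault. The fault classes it exercises are the ones IEC 61784-3 expects a safety protocol to detect over a black channel: corruption, unintended repetition, loss, unacceptable delay and misrouting.

```python
import struct
import zlib

# Constructed PDU layout (hypothetical; NOT the CIP Safety wire format):
#   connection_id (u16) | seq (u16) | timestamp_ms (u32) | data (u8) | crc32 (u32)
BODY_FMT = ">HHIB"
PDU_LEN = struct.calcsize(BODY_FMT) + 4   # 13 bytes

SAFE_STATE = 0x00    # de-energized output: the known safe state
WATCHDOG_MS = 50     # assumed maximum age of a safety frame before it is rejected


def build_pdu(conn_id, seq, ts_ms, data):
    """Producer side: the CRC covers every field the consumer checks."""
    body = struct.pack(BODY_FMT, conn_id, seq, ts_ms, data)
    return body + struct.pack(">I", zlib.crc32(body))


class SafetyConsumer:
    """End device: trusts nothing from the network, latches on the first fault."""

    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.expected_seq = 0
        self.last_ts = None
        self.output = SAFE_STATE
        self.fault = None

    def trip(self, reason):
        self.output = SAFE_STATE     # any fault -> safe state, held until reset
        self.fault = reason
        return reason

    def receive(self, pdu, now_ms):
        if self.fault:
            return self.fault
        if len(pdu) != PDU_LEN:
            return self.trip("length")
        body, crc = pdu[:-4], struct.unpack(">I", pdu[-4:])[0]
        if zlib.crc32(body) != crc:
            return self.trip("corruption")       # bit errors anywhere in the frame
        conn_id, seq, ts, data = struct.unpack(BODY_FMT, body)
        if conn_id != self.conn_id:
            return self.trip("misrouted")        # another connection's data arrived here
        if seq != self.expected_seq:
            return self.trip("sequence")         # loss, repetition or insertion
        if self.last_ts is not None and ts <= self.last_ts:
            return self.trip("stale")            # producer clock did not advance
        if now_ms - ts > WATCHDOG_MS:
            return self.trip("delay")            # frame is valid but too old to act on
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_ts = ts
        self.output = data
        return "ok"

    def check_watchdog(self, now_ms):
        """Called periodically: silence from the producer is also a fault."""
        if self.fault:
            return self.fault
        if self.last_ts is not None and now_ms - self.last_ts > WATCHDOG_MS:
            return self.trip("timeout")
        return "ok"


def run_scenarios():
    """Replays constructed traffic through fresh consumers; returns (fault, output) per case."""
    cid = 0x1234
    good = [build_pdu(cid, i, 1000 + 10 * i, 0x01) for i in range(4)]
    out = {}

    c = SafetyConsumer(cid)                        # healthy stream: output follows data
    for i, p in enumerate(good):
        c.receive(p, 1002 + 10 * i)
    out["healthy"] = (c.fault, c.output)

    c = SafetyConsumer(cid)                        # one flipped bit in the data byte
    c.receive(good[0], 1002)
    flipped = bytearray(good[1])
    flipped[8] ^= 0x01
    c.receive(bytes(flipped), 1012)
    out["corruption"] = (c.fault, c.output)

    c = SafetyConsumer(cid)                        # frame 1 delivered twice (replay)
    c.receive(good[0], 1002)
    c.receive(good[1], 1012)
    c.receive(good[1], 1022)
    out["repetition"] = (c.fault, c.output)

    c = SafetyConsumer(cid)                        # frame 1 lost in the black channel
    c.receive(good[0], 1002)
    c.receive(good[2], 1022)
    out["loss"] = (c.fault, c.output)

    c = SafetyConsumer(cid)                        # frame 1 queued too long in a router
    c.receive(good[0], 1002)
    c.receive(good[1], 1010 + WATCHDOG_MS + 1)
    out["delay"] = (c.fault, c.output)

    c = SafetyConsumer(cid)                        # producer goes silent
    c.receive(good[0], 1002)
    c.check_watchdog(1000 + WATCHDOG_MS + 1)
    out["timeout"] = (c.fault, c.output)

    c = SafetyConsumer(cid)                        # frame for a different connection
    c.receive(build_pdu(0x9999, 0, 1000, 0x01), 1002)
    out["misrouted"] = (c.fault, c.output)
    return out


if __name__ == "__main__":
    for name, (fault, output) in run_scenarios().items():
        print(f"{name:12s} fault={fault!s:12s} output=0x{output:02X}")
```

The point the article makes about routing follows directly from this structure: the routers between producer and consumer never look inside the safety fields, so they need no safety certification, while every failure they can introduce (corrupting, duplicating, dropping, delaying or misdelivering a frame) is caught at the end device and converted into the known safe state. Real safety protocols add further checks, such as a connection-specific CRC seed to detect masquerading and redundant encoding of the data, which this illustration omits.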

Only the safety data that is needed is routed to the required cell, which reduces the individual bandwidth requirements. The combination of fast responding local safety cells and the inter-cell routing of safety data allows users to create significantly larger and more complex safety applications with fast response times.

For more information about CIP Safety go to:

This article originally appeared on Control Engineering Europe’s website