A black channel approach to functional safety, combined with the advantages of EtherCAT, reduces costs, simplifies commissioning and improves performance
Functional safety as an integrated part of a fieldbus network architecture has become a standard in modern control systems. However, the reality of many options available on the market is often at odds with how they’re advertised. This article, the fifth in a year-long series about EtherCAT, will provide just the facts about safety technology.
Safety over EtherCAT, for one, is a factual term. It is not Safety by EtherCAT. The EtherCAT protocol itself does not manipulate the logic for the safety data. Safety over EtherCAT – aka Fail Safe over EtherCAT (FSoE) – is a mathematically assured way of providing a dual “black channel” for transferring safety data.
FSoE was developed by the EtherCAT Technology Group (ETG) in collaboration with Beckhoff Automation, and certified products have been available since 2005. An interesting fact about the ETG’s approach is the safety data communications coexist in parallel on one wire with the non-safe data: process (cyclic) and mailbox (acyclic) data. A separate, safety-specific bus is not required and safety hardware can be directly connected with non-safety EtherCAT devices.
Black channel benefits
It is becoming more common for a fieldbus safety protocol to take a black channel approach for machine safety communication. The intent of the black channel is that the data going from one safety device to another is secured in such a way that the communication system carrying the data has no influence on the safety of the data – if it were to tamper accidentally or intentionally with the safety data, it would definitely be detected and therefore do no harm.
The main EtherCAT network appears to be invisible to the safety functionality of the devices. The bus system carrying the functional safety data does not perform any safety-related task; it only serves as the transmission medium. The black channel approach thus means that the transport mechanism and the medium do not have to be included in a safety assessment.
To comply with relevant safety standards, a safety bus data container must be transported completely unmodified from a safety sender to a safety receiver, no matter what kind of transmission system is being used. The safety measures are encapsulated in the end devices.
Full safety feature set and certifications to back it up
With machine safety, you must be precise about everything that goes into the system. With predictability comes safety. FSoE has a wealth of features that help detect errors in the safety communication, including:
Every FSoE device has a unique 16-bit address.
Every safety data container has a separate CRC for the safety data.
Every FSoE device has its own internal state machine. During start-up the safe device must go through the state machine successfully to communicate safety data.
If there is an error, the state machine is reset, the device goes to a safe state, and the safety controller must re-establish the connection.
Watchdog timers (WD) are reset every time safety data is properly processed. If there are multiple consecutive checksum errors or communications are lost, the WD will time out and put the safety device into a safe state.
The combination of error detection mechanisms is so reliable that, on average, a system can run for 100,000 years before an error could go undetected.
The FSoE protocol meets the requirements of IEC 61508 up to Safety Integrity Level (SIL) 3 as well as those of IEC 61784-3. The TÜV Süd Rail agency, which is recognized internationally as an independent “notified body” for safety approvals, has evaluated and certified the FSoE protocol. This means that the system integrator no longer has to prove the suitability of certified devices with FSoE protocol, and thus has much less effort in certifying the machine or process. The special properties of the FSoE protocol also ensure that with FSoE the black channel is truly independent of the underlying fieldbus communication system. With other safety systems, the user must observe certain restrictions and, for example, ensure that the underlying bus system meets specific reliability requirements.
Increased openness, increased safety communication
From the beginning, ETG has focused on ensuring the EtherCAT technology is open and accessible. FSoE is no exception: It has been standardized in IEC 61784-3-12, is licensed free of charge and is thus an open protocol. Any ETG member gets access to all FSoE documents and is free to develop and sell their own safety devices. In fact, the ETG actively encourages development of EtherCAT safety products by providing the complete ecosystem for such development free of charge, resulting in numerous vendors and available products. Machine builder OEMs appreciate the flexibility of a wide selection of products and not being tied to a single vendor. End users benefit from the high performance of EtherCAT and lower costs than standalone machine safety systems. Everyone wins.
The openness of FSoE is not always the case with competing safety protocols on the market today. Some protocols are closed and proprietary. Any control solution with a proprietary safety solution will largely constrain the developer and end user to one vendor’s hardware and tools.
Although you can technically use FSoE over any communication bus, the extreme efficiency of EtherCAT’s functional methodology provides key advantages. These include:
Real-time reactions – even in highly dynamic drive architectures.
Simplified systems – simple cabling, simple extension of the system, better diagnostics and therefore higher availability. One cable can very easily replace all discrete safety wiring.
Lower costs. One can use standard industrial Ethernet cabling and connectors.
Safety data and process data can share one network and one cable.
Both centralized and decentralized safety logic is possible: this means that safety features can be added to a control system without having to replace the PLC with a complex safety controller and possibly rewrite the application code.
Since they both share the same communication system, safety controllers can notify non-safety controllers about safety events, such as for example, the pressing of the emergency stop at the other end of the plant.
Is an integrated safety system really safe?
A question we get asked occasionally is: “What happens if a bit in the safety data that turns a motor on is unintentionally set by a corrupted frame?”
That’s easy. Two things work together: CRCs and Watchdog timers.
1. Cyclic Redundancy Check (CRC)
Detecting corrupted data via the CRC plays a key role in meeting safety bus reliability requirements.
Every Ethernet frame containing EtherCAT datagrams has an overall CRC that is checked at each port of each EtherCAT device. If there is a CRC error, the frame is invalidated. Additionally, every safety container has its own CRC, which is evaluated separately by both the FSoE controller and FSoE device. So no corrupted data can affect the system.
2. Watchdogs (WD)
Watchdog timeouts are also crucial for detecting an FSoE communication error condition.
Depending on how fast you run the network, nothing will happen until the EtherCAT watchdog times out (typically 100 ms). The watchdog resets itself after a non-error frame is received. There is also a separate FSoE watchdog (also typically 100 ms) and the same applies: If the FSoE watchdog times out, the safety group will get a communications error and go to the safe state. Thus, you can distinguish safety-specific communication issues.
There’s more good news. FSoE allows for functional safety in a drive with the ETG.6100.1 Safety Drive Profile. Gone are the days of redundant contactors for every drive, along with the associated wiring, cost, additional space requirements and complexity. The FSoE control command allows for advanced safe motion functions according to IEC 61800-5-2. This means that FSoE drives can handle increasingly popular safety functionality like Safe Torque Off (replacing redundant motor contactors), Safe Speed Range, Safe Operating Stop, etc. The safety functionality in the FSoE drive can be triggered by the drive’s internal logic or by FSoE. The drive Safety Status Word can be communicated back to the safety controller with FSoE: a feature-filled diagnostic tool.
Ensuring safety device interoperability
As always with the ETG, conformance and interoperability are taken seriously. Another benefit of the ETG’s approach is how streamlined conformance testing for the safety device is. As with the EtherCAT base protocol, the ETG offers an ecosystem for FSoE implementation, testing and release. The ETG’s goal is to support FSoE device manufacturers to realize their implementations as quickly and successfully as possible with a certification process that goes as smoothly as possible.
Safety devices must first pass an in-house Conformance Test and then pass a Conformance Test specifically for FSoE devices, which uses TÜV-certified test cases. Additionally, all FSoE devices must also pass a complete conformance test (basic conformance and FSoE-specific conformance) at the EtherCAT Test Center in Nuremberg, whereas the FSoE test is conducted by TÜV personnel at the same location so that both can be done in one appointment.
Finally, the vendor can go to their notified body for final device approval and certification. The ETG conformance methodology greatly benefits the process of designing safety devices and ensuring their interoperability. Machine builders, system integrators and end users all benefit because the device will be interoperable with other devices in the system.
A better approach to safety, it’s a matter of fact
In conclusion, Safety over EtherCAT (FSoE) is a truly open safety system with multiple vendors of safety controllers, safety inputs and outputs, and functionally safe drives. Conformance and interoperability are taken seriously, freeing the user to source from multiple vendors for an ideally suited safety system. The FSoE devices in that system offer the confidence that everything will work safely as advertised.
Everyone benefits from the efficient and high-performance EtherCAT protocol, which can provide safety and regular machine communications over one cable. Costs are much lower than traditional safety systems – the expansive resources from the ETG and a wide choice of EtherCAT products assure this will continue to be the case. EtherCAT technologies – for both standard and safety communications – are truly the engineer’s choice.
Interested in boosting machine safety in your industrial automation applications? Contact ETG or your local Beckhoff sales engineer today.
Bob Trask, P.E., is the North American Representative for the EtherCAT Technology Group.
A version of this article previously appeared in Control Engineering. It is republished here with permission from ETG.