Black-channel approach to functional safety

Learning Objectives

  • A fieldbus safety protocol taking a black channel approach for machine safety communication is becoming more common.
  • Safety over EtherCAT (FSoE) is an open safety system with multiple vendors of safety controllers, safety inputs and outputs and functionally-safe drives.
  • Cyclic redundancy checks (CRCs) and watchdogs (WDs) help reduce potential errors.

Cybersecurity Insights

  • Fail Safe over EtherCAT (FSoE), which has been available since 2005, is a mathematically assured way of providing a dual “black channel” for transferring safety data, which can help private information secure.
  • Devices need to be rigorously tested and vested to ensure they can operate safely and aren’t vulnerable to a potential cybersecurity attack, which has become more common due to devices having internet connectivity.

Functional safety as an integrated part of a fieldbus network architecture has become a standard in modern control systems, though many options are at odds with how they’re advertised.  

Safety over EtherCAT is a factual term. The EtherCAT protocol does not manipulate the logic for the safety data. Safety over EtherCAT – aka Fail Safe over EtherCAT (FSoE) – is a mathematically assured way of providing a dual “black channel” for transferring safety data. Safety data communications coexist in parallel on one wire with the non-safe data: process (cyclic) and mailbox (acyclic) data. A separate, safety-specific bus is not required. FSoE certified products have been available since 2005.  

Black channel benefits

It is becoming more common for a fieldbus safety protocol to take a black channel approach for machine safety communication. The intent of the black channel is the data going from one safety device to another is secured so the communication system carrying the data has no influence on the safety of the data – if it were to tamper accidentally or intentionally with the safety data, it would be detected and do no harm.   

Figure 1: The safety measures are encapsulated in the safety end devices via the “black channel” approach. Courtesy: EtherCAT Technology Group

Figure 1: The safety measures are encapsulated in the safety end devices via the “black channel” approach. Courtesy: EtherCAT Technology Group

The main EtherCAT network appears to be invisible to the safety functionality of the devices. The bus system carrying the functional safety data does not perform any safety-related task; it only serves as the transmission medium. The black channel approach means the transport mechanism and the medium do not have to be included in a safety assessment. 

To comply with relevant safety standards, a safety bus data container must be transported unmodified from a safety sender to a safety receiver, no matter what kind of transmission system is being used. The safety measures are encapsulated in the end devices. 

Full safety feature set, certifications

With machine safety, users must be precise about everything that goes into the system. With predictability comes safety. FSoE has a wealth of features that help detect errors in the safety communication, including: 

  • Every FSoE device has a unique 16-bit address. 
  • Every safety data container has a separate cyclic redundancy check (CRC) for the safety data. 
  • Every FSoE device has its own internal state machine. During start-up the safe device must go through the state machine to communicate safety data. 
  • If there is an error, the state machine is reset, the device goes to a safe state, and the safety controller must re-establish the connection. 
  • Watchdog timers (WD) are reset every time safety data is properly processed. If there are multiple consecutive checksum errors or communications are lost, the WD will time out and put the safety device into a safe state.
Figure 2: The FSoE State Diagram. Courtesy: EtherCAT Technology Group

Figure 2: The FSoE State Diagram. Courtesy: EtherCAT Technology Group

The FSoE protocol meets the requirements of IEC 61508 up to Safety Integrity Level (SIL) 3 as well as those of IEC 61784-3. The TÜV Süd Rail agency, which is internationally-recognized as an independent “notified body” for safety approvals, has evaluated and certified the FSoE protocol. This means the system integrator no longer must prove the suitability of certified devices with FSoE protocol, and thus has much less effort in certifying the machine or process. The special properties of the FSoE protocol also ensure that with FSoE the black channel is independent of the underlying fieldbus communication system. With other safety systems, the user must observe certain restrictions and, for example, ensure the underlying bus system meets specific reliability requirements. 

Figure 3: The open FSoE protocol enables standardized data exchange between machines. Courtesy: EtherCAT Technology Group

Figure 3: The open FSoE protocol enables standardized data exchange between machines. Courtesy: EtherCAT Technology Group

Increased openness, increased safety communication

From the beginning, ETG has focused on ensuring the EtherCAT technology is open and accessible. FSoE has been standardized in IEC 61784-3-12, is licensed free of charge, so is an open protocol. Any ETG member gets access to all FSoE documents and is free to develop and sell safety devices.  

Some safety protocols are closed and proprietary. Any control solution with a proprietary safety solution will largely constrain the developer and end user to one vendor’s hardware and tools. 

Although users can technically use FSoE over any communication bus, the efficiency of EtherCAT’s functional methodology provides key advantages such as: 

  • Real-time reactions – even in highly dynamic drive architectures. 
  • Simplified systems – simple cabling, simple extension of the system, better diagnostics and therefore higher availability. One cable can very easily replace all discrete safety wiring. 
  • Lower costs. One can use standard industrial Ethernet cabling and connectors. 
  • Safety data and process data can share one network and one cable. 

Centralized and decentralized safety logic is possible, which means safety features can be added to a control system without having to replace the programmable logic controller (PLC) with a complex safety controller and possibly rewrite the application code. Since they share the same communication system, safety controllers can notify non-safety controllers about safety events, such as the pressing of the emergency stop at the other end of the plant. 

Figure 4: Safety over EtherCAT – System Example. Courtesy: EtherCAT Technology Group

Figure 4: Safety over EtherCAT – System Example. Courtesy: EtherCAT Technology Group

Is an integrated safety system really safe?

A question occasionally asked is: “What happens if a bit in the safety data that turns a motor on is unintentionally set by a corrupted frame?”  

The answer is two things work together: CRCs and watchdog (WD) timers. 

1. Cyclic redundancy check (CRC) 

Detecting corrupted data via the CRC plays a key role in meeting safety bus reliability requirements. Every Ethernet frame containing EtherCAT datagrams has an overall CRC checked at each port of each EtherCAT device. If there is a CRC error, the frame is invalidated. Every safety container also has its own CRC, which is evaluated separately by the FSoE controller and FSoE device, so no corrupted data can affect the system.  

2. Watchdogs (WD) 

Watchdog timeouts also are crucial for detecting an FSoE communication error condition. 

Depending on how fast the network is being run, nothing will happen until the EtherCAT watchdog times out (typically 100 ms). The watchdog resets itself after a non-error frame is received. There is also a separate FSoE watchdog (also typically 100 ms) and the same applies: If the FSoE watchdog times out, the safety group will get a communications error and go to the safe state. Users can distinguish safety-specific communication issues. 

There’s more good news. FSoE allows for functional safety in a drive with the ETG.6100.1 Safety Drive Profile. The FSoE control command allows for advanced safe motion functions according to IEC 61800-5-2. This means FSoE drives can handle increasingly popular safety functionality like safe torque off (replacing redundant motor contactors), safe speed range, safe operating stop, etc. The safety functionality in the FSoE drive can be triggered by the drive’s internal logic or by FSoE. The drive safety status word can be communicated back to the safety controller with FSoE, which is a feature-filled diagnostic tool. 

Figure 5: ETG.6100.1 Safety Drive Profile. Courtesy: EtherCAT Technology Group

Figure 5: ETG.6100.1 Safety Drive Profile. Courtesy: EtherCAT Technology Group

Ensuring safety device interoperability

Conformance and interoperability are always taken seriously and testing for the safety device is streamlined with an ecosystem for FSoE implementation, testing and release. The ETG’s goal is to support FSoE device manufacturers to realize implementations as quickly as possible with a smooth certification process. 

Safety devices must first pass an in-house conformance test and then pass a conformance test specifically for FSoE devices, which uses TÜV-certified test cases. Additionally, all FSoE devices must also pass a complete conformance test (basic conformance and FSoE-specific conformance) at the EtherCAT Test Center in Nuremberg, whereas the FSoE test is conducted by TÜV personnel at the same location so both can be done in one appointment.  

Finally, the vendor can go to its notified body for final device approval and certification. The ETG conformance methodology benefits the process of designing safety devices and ensuring their interoperability. Machine builders, system integrators and end users benefit because the device will be interoperable with other devices in the system. 

Figure 6: Acceptance process for a FSoE device. Courtesy: EtherCAT Technology Group

Figure 6: Acceptance process for a FSoE device. Courtesy: EtherCAT Technology Group

A better approach to function safety

Safety over EtherCAT (FSoE) is an open safety system with multiple vendors of safety controllers, safety inputs and outputs and functionally-safe drives. Conformance and interoperability are taken seriously, freeing the user to source from multiple vendors for an ideally suited safety system. The FSoE devices in that system help ensure everything will work safely.  

Robert Trask, P.E., North America Representative of the EtherCAT Technology Group, a CFE Media and Technology content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com 

MORE ANSWERS 

Keywords: Ethernet, EtherCAT, Safety over EtherCAT (FSoE) 

ONLINE 

See additional Ethernet stories at https://www.controleng.com/networking-and-security/ethernet/ 

CONSIDER THIS 

Have you used Safety over EtherCAT (FSoE)?

Source