safety communication over industrial ethernet

Embedded Networking Solutions www.twincomm.nl

Safety communication over Industrial Ethernet for embedded systems

Kurt van Buul Twincomm

Embedded Networking Solutions


Safety

Risk = Chance of a damaging event x Expected damage

Safety = Reduction of dangers for people and environment

Safety - Some basics

Risk

Remaining Risk

Risk Reduction Methods

System Risk

Danger

Tolerated Risk



EN 61508

Functional

Safety

EN 13849-1

Safety of Machinery

EN 50128

Safety for Railway

EN 60601

Safety for Medical devices

EN 62061

Safety of Machinery –

Electrical control systems

EN 61511

Safety for Process Industry

IEC 61800-5-2

Safety for Drives

IEC 61496

Safety for protective

equipment

EN 61784-3

Safety fieldbus profiles

Sector Standards Product Standards


SIL Danger failure per hour1

1 ≥ 10-6 to < 10-5

2 ≥ 10-7 to < 10-6

3 ≥ 10-8 to < 10-7


Safety Integrity Level (SIL) - EN 61508

1 High demand or continuous mode

One failure in ~1100 years


SIL Danger failure per hour1 Assessment

1 ≥ 10-6 to < 10-5 Independent Person

2 ≥ 10-7 to < 10-6 Independent Departement

3 ≥ 10-8 to < 10-7 Independent Organisation


Safety Integrity Level (SIL) - EN 61508

1 High demand or continuous mode

One failure in ~1100 years



Safety Lifecycle (EN 61508)

Field of Application

Danger and Risk

analysis

Specification of

safety requirements

for the safety system

Overall safety

requirements

Design of • overall operation and

maintenance

• overall validation

• installation and

putting into service

Installation and

putting into service

Overall validation

Overall operation,

maintenance

and repair

End of life /

decommissioning

Concept

Modification and

retrofitting



Redundancy Safe State

Homogeneous

Divers

Power interrupt

Safe operation


Safety communication

Example

Node

Safety-PLC

Node

Emergency Stop

Lightcurtain

Main

Contactors


Safety communication

Safe communication ≠ Always available

Safety

Application

Standard

Application

Safety Stack

Safety

Application

Standard

Application

Safety Stack

Ethernet Interface Ethernet Interface

Protocol Stack Protocol Stack

Safe communication via a non-safe bus

Black Channel


Safety communication - Telegram

Mixed mode: Safety Telegram between Standard telegrams

DA SA End Start

Consec.

number

Safety

Source

address

Safety

Dest

address

Time

stamp

Safety

Application data

CRC

Std-Telegram Std-Telegram Std-Telegram Safety Telegram

DA SA End Start Encrypted Safety Data


Safety communication - Protocols

Safety protocols on top of communication protocols


General embedded design-in

2nd CPU

CPU

Non-safe Safe

Safety design

Application

Safe

Safe

Ethernet

Prot

Certification

Power

Supply



Tech

no

log

y

Pro

cess

& O

rgan

isati

on

Protocol certification Safety certification


A set of documents describing the safety system and its development is required:

Safety Requirement Specification

Functional Safety Management (FSM) or Safety Plan collates all structural

and technical activities during the different development phases

• Responsibilities and competences

• Communication / information flows

• Definition of product lifecycle

• Documentation (In- and Output documents for each lifecycle phase)

• Planning of methods and techniques to avoid errors

• Rating of the (achievable) functional safety

• Dealing with modifications

• Configuration management


Safety Development Process


Verification and validation plan

shows the fulfillment of the goals and requirements that

were defined for the different safety lifecycle phases

• Summary of used methods and techniques

(e.g. described by IEC EN 61508-2 and -3)

• List of used tools (e.g. Compilers, CAD-Systems etc.)

Hardware- and Software Design Documents

• Tracking of requirements shall be possible

• Documented Reviews necessary

User manual or Safety Manual

• User obligations and terms of use

• Restrictions to the appliance of the safety functions

• Description of the safety functions and their API


Safety Development Process (cont)


Modular Safety Design-in

Connector Connector

Standard Control Data

E

X

T

Internal

PWR

Supply

M

Fail safe

Control

Data

Pre-certified

Safety module

Data

stream

OUT IN

PWR

Host Application System

MCU FLASH

Peripherals

Motor

Control

Power

Circuit

RAM

Pre-certified

Internet &

Protocol Module

NW NW


Technical design-in

• Power Supply (SELV/PELV): Logic and Safe I/O

• Environmental operating conditions (EMC, temperature, humidity)

• Routing of safe I/O signals to external connectors

• Mechanical dimensions and clearances

• Electrical connection to non-safe communication controller

• Shielding and housing to achieve enhanced EMC requirements

Functional and technical testing

Adapt/provide Device Description-file & Product Safety Manual

Product Validation

Product Safety Approval e.g. by TÜV

Modular Safety Design-in

Integration & Certification


IXXAT Safe T100 Module

T100 Board connector

(Safe I/O, Channel, Power)

Safe I/O board

Safe CPU board

(safety protocol handling)

Anybus CompactCom

Industrial Ethernet Module

Example system set-up

Black Channel



Example system set-up



Design-in and Certification Steps

Pre-Certified IXXAT Safe T100

Thanks for your attention!

Twincomm

de Olieslager 44 T +31-40-2301.922

5506 EV Veldhoven E [email protected]

the Netherlands I www.twincomm.nl

Please visit us at booth 15