FACTS: The Magazine for the Industrial Ethernet Standard. Volume 5, Issue 1 / April 2010

openSAFETY – the key to your safety solution

openSAFETY: the first open and bus-independent safety standard for all solutions

Save time and expenses: how everyone benefits from openSAFETY

openSAFETY over SERCOS III, EtherNet/IP, Modbus-TCP, POWERLINK, and your

www.open-safety.org 2 Special 1/2010

openSAFETY: the first open and bus-independent safety standard for all Industrial Ethernet solutions

With openSAFETY, the EPSG has introduced the world’s first 100% open safety protocol. In fact, openSAFETY is open not only in terms of its legal basis, but also literally open in technical respects: given the protocol’s bus-independence, openSAFETY can be used with all fieldbuses, Industrial Ethernet solutions, or industry-specific communication solutions. The EPSG provides active support for implementing openSAFETY on top of any and all data transfer protocols, and also offers help e.g. for certification and conformance tests. The open source license of this TÜV-certified protocol stack ensures that the technology is a very secure investment for all users.

Highlights at a glance:

- one single, uniform standard for all leading
- maximum productivity due to efficient cross-communication
- reduced commissioning and maintenance time
- automatic safe parameterization
- perfectly suited to safe modular machine concepts
- sole 100% open safety solution
- fastest IEC 61508 SIL3 communication solution
- no risk involved in investment: TÜV certified conformance test
- perfectly suited to back-plane buses

Choose your certification authority: IEC 61508 certification by TÜV Rheinland and TÜV Süd

Special 3, FACTS: The Magazine for the Standard in Industrial Ethernet

All logos are registered trademarks of the corresponding vendor organization. They solely represent the associated technology and the related possible application. openSAFETY is independent from every fieldbus association.

The data transfer protocol that carries safety frame traffic has no bearing at all on the functionality of the safety protocol. This is called the Black Channel principle: all safety-oriented mechanisms are exclusively implemented on the application level, which enables total independence from the underlying transport layer. A brief look at the basic structure of data transfer protocols may serve to illustrate the principle.

Transport and Application Layers

The standardized OSI (“Open Systems Interconnection”) data communication model is the reference scheme for today’s most common non-proprietary data transfer protocols. This system is comprised of seven layers that enable the processing of data in a hierarchically structured way. Every layer represents a stage determined by protocols in which data transfer tasks are carried out according to specific rules. The two fundamental, low-level layers are the so-called Physical Layer and the Data Link Layer, which are also jointly referred to as physical layers. These layers define the physical interface to the transmission medium, and provide test functions to check whether an actual connection between a sending and a receiving device is established at all. Ethernet only specifies these two low-level physical layers.

Also referred to as “transfer layers,” the third and fourth layer handle the timing and logical order of data transfer as well as data attribution to applications. Comprising all transport-oriented services, these four layers combined can be said to constitute no more than the traffic medium for application data, which, in the OSI model, is attributed to the upper layers. These high-level layers include the Session Layer and Presentation Layer. These two are often grouped with the Application Layer, since all programs and applications directly access all three of them.

The Session Layer administers the organization and synchronization of data exchange between applications. E.g. if a connection is interrupted, services on this layer ensure that communication is resumed from the point of interruption once the connection is back in operation. Layer 6, the Presentation Layer, translates system-specific representations into a format that higher-level applications can digest, and ensures syntactically correct data exchange. Other tasks carried out in the Presentation Layer include data compression and data encryption. The top layer in the OSI model is the Application Layer. For this layer, no strict definition of a task or range of tasks is applicable. It provides various services to actual applications that operate outside the scope of this model.

Inspired by the OSI model, the illustration below highlights that openSAFETY exclusively specifies the high-level, application-oriented layers of the protocol stack. The safety mechanisms implemented in this layer enable safety-oriented decoding and encoding of payload data pertaining to specific safety-sensitive applications. For the sake of simplicity, the blue area in the center of this illustration covers all the transport-oriented layers 2 through 6. The choice of transport medium, or, more precisely, of a specific data transfer protocol, is of marginal importance.

[Figure: layer model. Layer 7: Your Application. Layers 2 to 6: CAN, Modbus, EtherNet/IP, EtherCAT, POWERLINK, Sercos, Wireless, Your Fieldbus. Layer 1: Ethernet, RS485, CAN, USB, …, LVDS.]

Inspired by the OSI model, this schematic view of openSAFETY’s general implementation illustrates that the open safety protocol exclusively specifies the application-oriented layer – the basic prerequisite to enable Black Channel operation.

Save time and expenses: how everyone benefits from openSAFETY

“Competition is good for business” – this free market maxim is almost always true, since healthy competition stimulates continual product improvements regarding quality as well as cost-effectiveness. However, safety-oriented software and hardware development is a special case where this rule may not apply, because manufacturers in a market economy are faced with a high investment risk: there are considerable development costs, but there is only comparatively small sales potential. Hence, the automation sector has long been calling for a universal safety protocol, i.e. one that would give all manufacturers a solid economic base for all further development of safety-oriented products. The introduction of openSAFETY marks the first time a standard of this kind has become available that can be used license free by anyone.

Rising development costs for communication systems

A brief review of the history of bus-based automation may serve to illustrate how investment risk has been increasing in line with growing complexity. Ten years after the introduction of the first fieldbus, the market was full of different, competing systems. Infighting over the standardization of the technology ensued. Until the present day, industry experts know this phase as the “fieldbus war,” which only seemed to end with the introduction of the IEC 61158 – a weak compromise, because even this conclusion did not bring about overall system compatibility. It should be noted, though, that development costs for first generation buses were comparatively low, whereas their market potential was sizable.

The entry of Ethernet technology into industrial data communications marked the next stage of development, one that was widely associated with the expectation that, finally, a universal standard would prevail. However, as different manufacturers chose strongly divergent approaches to enable real-time performance with this technology, what followed was the fieldbus war all over again. Amongst a multitude of systems, about half a dozen have been able to claim major portions of the market: Profinet, Modbus-TCP, EtherNet/IP, which all provide soft real-time performance, and the hard real-time systems POWERLINK, EtherCAT, and SERCOS III. There was a moderate increase of development costs for Industrial Ethernet solutions in comparison to conventional fieldbuses. At the same time, the sales potential could not be increased in the same proportion.

[Figure: development effort and sales potential for fieldbuses, Industrial Ethernet, and integrated safety technology.]

These graphs visualize how investment risk increases as development becomes more and more complex.

Plant automation: “one safety standard for your entire production plant”

[Figure: PLC Supplier 1, PLC Supplier 2, PLC Supplier 3 and PLC Supplier 4 controlling Machine 1, Machine 2, Machine 3 and Machine 4.]

openSAFETY constitutes a universal safety standard for an entire production line, irrespective of the control system manufacturer and fieldbus standard used in it. The bus-independent openSAFETY standard therefore reduces costs as well as commissioning time for production facilities as a whole.

Safety technology – a special case

Things look markedly different, however, for the development and certification effort required to make products designed for use in safety-sensitive areas, whenever these are to comply with the IEC 61508 standard covering the “functional safety of electrical, electronic, and programmable electronic safety-related systems.” In this area, there is a ten-fold increase of development costs over those for non-safe fieldbus technology. Moreover, manufacturers must demonstrate a wide range of experience relating to the interpretation of the standards, and must have specialist know-how in certain methods and procedures. With highly demanding requirements and high costs on the one hand, and, at the current time, a comparably small market for such products on the other, a “battle of the systems” would seriously impede the further development of bus-based safety technology. E.g. sensor makers would face immense efforts and high risk exposure if they were to develop their products in keeping with the safety standards of various different safety protocols.

The solution: openSAFETY

A tried and tested, non-proprietary system, openSAFETY resolves this situation in a way that benefits both manufacturers and users. Thanks to the Black Channel principle that makes the safety protocol suitable for use with all fieldbus and Industrial Ethernet technologies, safety technology manufacturers can focus on one universal system, and must only complete one safety development process to serve all standard fieldbuses. Both the effort involved and the investment risk are drastically reduced. openSAFETY benefits plant and machine operators in much the same way. While they are responsible for safety in their machinery, they usually have no say regarding the communication systems used in it. These are predetermined by the control systems the machine manufacturers have chosen to use. However, openSAFETY gives machinery operators a consistent safety solution for a heterogeneous control network in its entirety.

Benefits for plant operators

- a single, consistent safety standard for an entire line or plant
- for all control systems manufacturers
- perfectly suited to safe modular plant concepts
- minimal commissioning and retrofit time

Benefits for sensor manufacturers

- only one-time development required
- no extraordinary investment risk
- minimal time-to-market
- low costs due to open source
- interoperability guaranteed

Safety for your investment

Since safety-oriented product development is characterized by particularly challenging conditions, namely high costs and a somewhat small sales potential, finding a way to ensure long-term investment viability is an absolute imperative for system and product manufacturers within this market segment. Investment protection depends on various parameters: the availability and reliability of the hardware and software that is used, a safe legal basis for their use, and, of course, the scope and proper budgetability of development costs.

openSAFETY is a safe choice in every respect for product manufacturers and end users. This solution gives them a ready-to-use safety stack with a proven track record of many years in actual applications. In contrast to dedicated, proprietary developments, there are no high development costs for this solution, no lengthy periods of time must be spent on it, and no demanding know-how requirements must be met. As it is already TÜV-certified and incorporated into the IEC 61784-3 standard, openSAFETY also minimizes development risks. Last but not least, users also enjoy an extremely sound legal basis for long-term investment viability, since openSAFETY has been made available under the BSD open source license.

4x faster = 16x greater productivity with openSAFETY

[Figure: two networks side by side. Left: openSAFETY with a POWERLINK Master, Safe PLC, Safe Sensor and Safe Motion. Right: Failsafe over EtherCAT with an EtherCAT Master, Safe PLC, Safe Sensor and Safe Motion.]

openSAFETY (left)

Task: (X) Safe Node 1 has to send data to Safe Node 2
Solution:
(1) Safe Node 1 sends data to Safe Node 2

Failsafe over EtherCAT (right)

Task: (X) Safe Node 1 has to send data to Safe Node 2
Solution:
(1) Safe Node 1 sends data to EtherCAT Master
(2) EtherCAT Master relays data to Safety Master
(3) Safety Master sends data to EtherCAT master
(4) EtherCAT master relays data to Safety Node2

Cross-traffic enhances safety: A network featuring cross-traffic capability (pictured on the left) enables direct node-to-node communication for safety devices, whereas, by contrast, communication in a network that does not feature cross-traffic (see right side) must always go through Master and Safety Master nodes. In the latter case, signal transfer times are quadrupled, and an emergency stop is delayed.

Simple is safer: how cross-traffic enhances safety

[Figure: distance s [mm] and velocity v [m/s] plotted over time [s] for openSAFETY and for a conventional concept. Annotations: faster reaction time with openSAFETY; increased productivity in your machine with openSAFETY.]

Fault response time for safe operational stop: even minimal extensions of reaction time may fatally increase the emergency stopping distance.

Since openSAFETY only specifies the application layer, the performance and reaction times of a safe network that implements this safety protocol depend on the data transfer protocol that is used. Data transfer protocols differ in terms of available bandwidth, the cycle times that can be achieved, and functional features, such as e.g. hot-plugging capability or cross-traffic for data communication on the safe network. Though the reaction time of a safety solution is also determined by the cycle periods in absolute terms, cross-traffic is one capability that will decisively enhance the performance of a safety-oriented system.

An original feature of the Ethernet standard, cross-traffic denotes the ability of nodes on a network to communicate directly with each other, with no need for a detour via a Master. In safety-oriented networks, cross-traffic not only enables installations in which safety controllers need not be placed in the center: by allowing for straight and direct communication in hazardous situations, cross-traffic capability also benefits reaction times. Since the emergency stopping distance of an axis (see illustration above) increases with the square of the fault response time and negative acceleration, quadrupling the signal transfer time will result in a 16-fold extension of the emergency stopping distance.

Benefits for machine manufacturers

- free choice of safety sensors
- faster reaction times
- tighter safety distances
- higher productivity
- easy commissioning and diagnostics
- facilitation of Machinery Directive implementation

openSAFETY – how it works

openSAFETY is basically notable for its data transfer definitions, for the high-level configuration services it provides, and especially for its encapsulation of data that is relevant to safety into an extremely flexible telegram format. Indeed, in all applications, openSAFETY uses a frame with a uniform format, no matter whether for payload data transfer, or for configuration or time synchronization purposes. As variable as it is economic, frame length is contingent on the amount of data to be transferred. The safety nodes on the network automatically recognize the content, i.e. frame types and lengths do not have to be configured.

Automatic safe parameter distribution

One special openSAFETY highlight is the automatic safe distribution of parameters: the protocol enables storing all configuration details for safety applications, such as e.g. light curtains, in the safety controller. If a device is exchanged, the safety controller automatically and safely loads the stored configuration onto the swapped application – i.e. users do not need to manually configure the new node when they replace a safety device.

No faults go undetected

openSAFETY uses checksum procedures to perpetually examine whether transferred data content is incomplete, and constantly monitors the data transfer rate. Due to extremely short cycle times, failures are detected almost without any delay. Since all data traffic irregularities will thus be recognized, even unsafe networks do not compromise safety functionality. The following paragraph points out which type of transmission errors may occur, and explains the mechanisms openSAFETY uses to identify or prevent these faults.

Causes of fault

A substantial portion of all data transfer errors results from incorrect data forwarding by gateways. E.g., data duplications may occur if a network is linked to other networks via two gateways, both of which transfer the same set of data. On the other hand, data packets may be lost if a gateway does not pass on data at all, or feeds it into the wrong network. If data packets can only be transferred as a sequence of partial packets because of their length, there is a risk that different transfer routes via various gateways result in mix-ups or erroneous insertions of specific packet segments. The forwarding of data may also be delayed due to high load on a gateway. Another potential source of faulty data is electromagnetic interference, which may distort data, namely by “flipping” single bits or even by destroying entire information sections. Moreover, in networks where standard data as well as safety data are transferred, so-called “masquerades” can occur, i.e. standard data is taken to be safety data due to mix-ups and insertions. This may result in serious malfunctions.

[Table: faults against preventive/corrective measures. Faults (rows): Duplication, Loss, Insertion, Incorrect sequence, Delay, Distortion, Mix-up of standard and Safety Frames. Preventive/corrective measures (columns): Time stamp, Time monitoring, Identifier, CRC protection, Redundancy with cross-checks, Distinct frame structures.]

The table lists all known transmission errors and openSAFETY’s applicable fault recognition mechanisms.

Fault identification and prevention

One of openSAFETY’s most crucial mechanisms is the time stamp, which prevents data duplications, mix-ups, and delays. Every data packet is stamped with the current time when it is sent. This stamp enables the receiver to avoid double read-outs, and to determine the chronological sequence of different packets as well as any delays. openSAFETY does not depend on distributed clocks; a special procedure provides for reliable synchronization of all microcontroller clocks within the nodes.

Time monitoring is employed in order to prevent faults caused by data loss or excessive delays, i.e. the nodes are continuously monitored for live operation and proper functioning. In addition, as they are prompted for reply, Consumers can tell that the data link remains established. openSAFETY implements this mechanism, which is called “Watchdog,” as a software-based function.

The identifier precludes any mix-ups on the receiving end: openSAFETY frames feature a unique, 8-bit or 16-bit identification tag that encodes parts of the address field, the telegram type contained, and the frame type.

The most reliable means to identify changes to the original content is the CRC procedure, which uses a key to generate a checksum for each data set, and attaches that as well as the key as a bit sequence to the data set. This checksum is a distinctive encoding of the data set itself. Using the bit sequence and the key, the receiver calculates the original data set, and checks the result against the data set that was received in the clear. If any deviations from the original data content are detected, the message will be ignored.

Structure of an openSAFETY frame

openSAFETY duplicates the frame to be transferred and conjoins the two identical frames into one openSAFETY frame. Hence, the openSAFETY frame consists of two subframes with identical content. Each subframe is provided with an individual checksum as a safeguard. The receiver compares the identical content of the two subframes. The probability that the same data is changed or destroyed in two such subframes is extremely low, and even lower the more the frame length increases. That said, even in this extremely exceptional case, the checksums still serve as a corrective. The special format of openSAFETY frames, i.e. the two subframes with their own individual checksums, also makes “masquerades” extremely unlikely to occur, and precludes any erroneous processing of a masked standard message.

[Figure: a standard frame whose payload data area contains the Safety Frame, made up of subframe 1 (Data, CRC) and subframe 2 (Data, CRC).]

The safety frame is contained in the payload data area of a standard frame; it is comprised of two identical subframes, each of which carries an individual checksum to safeguard its integrity.

The openSAFETY network

An openSAFETY network may contain up to 1023 safety domains, with up to 1023 nodes or devices permitted within each of these. Safety domains can extend over different and inhomogeneous networks, and can integrate the safety nodes that are scattered throughout these into one domain. Safe and unsafe devices can be operated within one domain. Gateways allow for intercommunication between different safety domains. openSAFETY enables users to enforce hierarchical separations as well as to establish separate safety zones on a network. Therefore, e.g. installations can be made in one zone, while production in other zones carries on unimpeded. In every domain, a Safety Configuration Manager (SCM) is responsible for continuous monitoring of all safety nodes.

openSAFETY over SERCOS III

[Image: cover of the specification “openSAFETY over SERCOS III”, Working Draft Proposal V0.0.1, © EPSG 2010, EPSG Technical Working Group internal use only.]

SERCOS III

An open and vendor-independent standard for digital drive interfaces, SERCOS III not only specifies the hardware architecture of the physical connections as well as a protocol structure, but also features extensive profile definitions. For SERCOS III, i.e. the third generation of the Sercos Interface that was originally introduced to the market in 1985, Standard Ethernet serves as the data transfer protocol. This communication system is predominantly used in Motion Control-based automation systems.

How it works

SERCOS III requires dedicated hardware on both the Master and the Slave side. Such SERCOS III hardware relieves the host CPU of all communication tasks, and ensures quick real-time data processing and hardware-based synchronization. The SERCOS user organization provides a SERCOS III IP core to support FPGA-based SERCOS III hardware development.

SERCOS III uses a summation frame method. Daisy chain or closed ring cabling is required for the network nodes. Data is processed while passing through a device, using different types of telegrams for different communication types. Due to the full-duplex capability of the Ethernet connection, a daisy chain will actually yield a single ring already, whereas a proper ring topology will produce a double ring, allowing for redundant data transfer.

Cross-traffic is enabled by the two communication interfaces every node is equipped with: in a daisy chain as well as a ring network, the real-time telegrams pass through every node on their way back and forth, i.e. they are processed twice per cycle. Hence, devices are capable of communicating with each other within a communication cycle, with no need to route their data through the Master. Besides the real-time channel, which uses time slots with reserved bandwidths to ensure collision-free data transfer, SERCOS III also provides for an optional non-real-time channel.

Nodes are synchronized on the hardware level, with a cue taken straight from the first real-time telegram at the beginning of a communication cycle. The Master Synchronization Telegram (MST) is embedded into the first telegram for that purpose. Keeping synchronization offsets below 100 nanoseconds, a hardware-based procedure compensates for runtimes and runtime variations resulting from the Ethernet hardware. Various network segments may use different cycle clocks and still achieve fully synchronized operation.

[Figure: layer model for openSAFETY over SERCOS III. Application; RT channels (primary/secondary); Cross-communication; MS communication; Synchr.; SERCON 100M/S + Ethernet Dual PHY.]

Organization

A registered association, SERCOS International e.V., supports the technology’s ongoing development and ensures standards compliance. Over 50 control system makers and more than 30 drive manufacturers are members of the user organization.

openSAFETY

openSAFETY utilizes the Black Channel principle, i.e. it works as an implementation on top of an existing, unaltered SERCOS III solution. The cross-traffic feature provided by SERCOS III is used by openSAFETY for cyclical safe data exchange. SSDOs are transmitted on the non-real-time (NRT) channel. Ideal docking is ensured for openSAFETY via SERCOS III function profiles (FSP). The openSAFETY over SERCOS III specification contains a complete description of all mechanisms and functions.

[Figure: PLC, Safe Logic, Safe Sensor, Light curtain, Safe Motion, Safe I/O and e-Stop connected in a ring.]

Typical ring topology of a safe SERCOS III network

openSAFETY over EtherNet/IP

[Image: cover of the specification “openSAFETY over EtherNet/IP”, Working Draft Proposal V0.0.1, © EPSG (Ethernet POWERLINK Standardisation Group) 2010, EPSG Technical Working Group internal use only.]

EtherNet/IP

Initially released in 2000, EtherNet/IP is an open industrial standard developed by Allen-Bradley (Rockwell Automation) and the ODVA (Open DeviceNet Vendors Association). The “Ethernet Industrial Protocol” is essentially a port of the CIP application protocol (Common Industrial Protocol), which was already used by ControlNet and DeviceNet, to the Ethernet data transfer protocol. EtherNet/IP is particularly well established on the American market and is often used with Rockwell control systems.

How it works

EtherNet/IP runs on standard Ethernet hardware and uses both TCP/IP and UDP/IP for data transfer. Due to the Producer/Consumer functionality supported by the CIP protocol, EtherNet/IP has various communication mechanisms at its disposal, e.g. cyclic polling, time or event triggers, multicast or simple point-to-point connections. The CIP application protocol differentiates between “implicit” I/O messages and “explicit” query/reply telegrams for configuration and data acquisition. While explicit messages are embedded into TCP frames, real-time application data is sent via UDP owing to the latter protocol’s more compact format and smaller overhead. A VLAN flag in the header of the Ethernet frame is used to prioritize time-critical data. Forming the center of a star topology network, switches prevent collisions of data from devices that are hooked up via point-to-point connections.

EtherNet/IP typically achieves soft real-time performance with cycle times around 10 milliseconds. The CIPSync and CIPMotion protocol extension, an enhancement that is currently not yet available, and precise node synchronization via distributed clocks as specified in the IEEE 1588 standard are to deliver cycle times and jitter small enough to enable servo motor control.

[Figure: layer model for openSAFETY over EtherNet/IP. Application; Application: CIP Data Management Services (Explicit Messages, I/O Messages), CIP Message Routing, Connection Management; Encapsulation; Transport: TCP, UDP; Network: IP; Data link: EtherNet CSMA/CD; Physical.]

Organization

Two organizations, the Open DeviceNet Vendors Association (ODVA) and ControlNet International, are jointly responsible for the maintenance and ongoing development of CIP technology.

openSAFETY

openSAFETY’s Black Channel functionality enables a simple implementation on top of EtherNet/IP. With EtherNet/IP, openSAFETY makes use of the option to establish connections via its own assemblies. Safe communication then proceeds via these assemblies. In this solution, safety devices operate as a Producer and a Consumer at the same time, and are therefore capable of listening to safe data on the network.

All details are documented in the openSAFETY over EtherNet/IP specification.

[Figure: PLC, Switch, Safe Logic, Safe Sensor, Light curtain, Safe Motion, Safe I/O and e-Stop.]

Typical star topology of a safe EtherNet/IP network

openSAFETY over Modbus-TCP

nn  nn Modbus-TCP How it works openSAFETYopenSAFETY openSAFETYopenSAFETY over over Modbus-TCP Fieldbus WorkingWorking Draft Draft Proposal Proposal V0.0.1V0.0.1

[Figure: cover page of the specification "openSAFETY over Modbus-TCP", Working Draft Proposal, Version 0.0.1, © EPSG (Ethernet POWERLINK Standardisation Group) 2010, marked "EPSG Technical Working Group internal use only"]

Developed as early as 1979 by US PLC maker Gould Modicon (which is now a division of Schneider Electric), the Modbus protocol is considered one of the very first fieldbus systems. Enabling communication between control systems and devices supplied by different manufacturers, the open protocol eventually became something of an industry standard. Modbus is purely an application protocol, i.e. it does not depend on a transmission medium. Conceived and initiated by Schneider Automation, Modbus-TCP draws on the same services and the same object model as the original Modbus varieties, i.e. Modbus ASCII, Modbus RTU (asynchronous data transfer via RS-232 or RS-485), and Modbus Plus (Token Passing). However, this new incarnation uses Ethernet as its data transfer protocol, and uses TCP/IP packets for sending data.

Unlike Standard Ethernet, Modbus-TCP does not control node access to the network using a CSMA/CD procedure in the Data Link Layer, but handles access control through the Client/Server principle in the Application Layer. That means that a unique address is assigned to every node on the network, and that nodes are not allowed to send data unless a node's request to do so is acknowledged by a Master with an explicit prompt to proceed. Parameters and data are encapsulated for sending, and are embedded into the payload data container of a TCP telegram. A "Modbus Application Header" (MBAP) is assigned to the payload data to ensure servers can definitely interpret Modbus parameters and instructions upon receipt. Only one Modbus application telegram may be embedded into each TCP/IP telegram.

Like all TCP-based protocols (with TCP representing "Transmission Control Protocol"), Modbus-TCP operates based on connections. Prior to actual data transfer, a reliable connection must therefore be established between Master and Slave in order to ensure that data is received completely and in the correct sequence. Once that connection is established, the Client and Server can transfer any amount of payload data. For cyclical PLC input and output data transfer, the connection remains permanently in place. For service data, it is only established for the duration of the actual transmission. Server and Client nodes are able to establish and maintain several TCP/IP connections at the same time.

Layer model for openSAFETY over Modbus-TCP

layer 7    MODBUS Application Protocol Specification (available for free on www.modbus.org)
layer 6    Mapping MODBUS <> TCP/IP: MODBUS Messaging Implementation Guide (available for free on www.modbus.org)
layer 5
layer 4    TCP: IETF RFC 793
layer 3    IP: IETF RFC 791
layer 2    Ethernet MAC layer: IEEE 802.3 / IEEE 802.2 / Ethernet II
layer 1    Ethernet physics

Organization

Based in the USA, the Modbus Organization, Inc. (Modbus-IDA), caters to the interests of users and manufacturers of Modbus-TCP-enabled devices.

openSAFETY

What is true for all busses is also true for Modbus-TCP: the Black Channel principle separates data transfer mechanisms from the safety layer, i.e. leaves the actual Modbus routines untouched. Ethernet-enabled Modbus is not limited to TCP/IP communication, but may also utilize UDP/IP. openSAFETY exploits this option. Non-cyclical safety data is transferred via TCP/IP frames. Cyclical data, on the other hand, which is duplicated due to openSAFETY's safeguard mechanisms anyway, is delivered via UDP/IP.

The openSAFETY over Modbus-TCP specification covers all details.

[Figure: Sample safe Modbus-TCP network, showing Safe Logic, Safe Sensor, light curtain, Safe Motion, Safe I/O, and e-Stop]
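The Modbus-TCP description above says that an MBAP header precedes the payload and that only one application telegram may travel in each TCP telegram. The following added example (not taken from the magazine or from any EPSG or Modbus Organization code) shows how a monitor or gateway could enforce both points on a received TCP payload. The MBAP field layout (transaction id, protocol id, length, unit id) follows the Modbus messaging specification and is not given on this page; the function names and sample frames are constructed for illustration.

```python
import struct

MBAP_LEN = 7        # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU = 253       # largest Modbus PDU (function code + data)

class MbapError(ValueError):
    """Raised when a TCP payload is not exactly one well-formed Modbus ADU."""

def parse_adu(payload: bytes) -> dict:
    """Validate one TCP payload as a single Modbus-TCP ADU and return its fields."""
    if len(payload) < MBAP_LEN + 1:
        raise MbapError("truncated: shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack_from(">HHHB", payload)
    if proto != 0:
        raise MbapError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts the unit id and the PDU that follow it.
    if not 2 <= length <= 1 + MAX_PDU:
        raise MbapError(f"length field {length} out of range")
    expected = 6 + length
    if len(payload) < expected:
        raise MbapError("truncated: fewer bytes than the length field announces")
    if len(payload) > expected:
        raise MbapError("trailing bytes: more than one telegram in this payload")
    pdu = payload[MBAP_LEN:]
    return {"transaction": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}

def verdict(payload: bytes) -> str:
    """Return 'ok' or the reason a monitor would log for rejecting the payload."""
    try:
        parse_adu(payload)
        return "ok"
    except MbapError as exc:
        return str(exc)

# Constructed sample: Read Holding Registers (0x03), unit 0x11, 3 registers at 0x006B.
READ_REQ = bytes.fromhex("000100000006" "11" "03006b0003")
SAMPLES = {
    "valid request": READ_REQ,
    "two telegrams in one payload": READ_REQ + READ_REQ,
    "wrong protocol id": bytes.fromhex("000100010006" "11" "03006b0003"),
    "length field lies": bytes.fromhex("000100000010" "11" "03006b0003"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:30s} -> {verdict(raw)}")
```

These checks only establish that the transport framing is well formed; under the Black Channel principle the safety layer still performs its own integrity and timing checks on whatever the transport delivers.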

openSAFETY over POWERLINK

POWERLINK

[Figure: cover page of the specification "openSAFETY over POWERLINK", Working Draft Proposal, Version 0.0.1, © EPSG (Ethernet POWERLINK Standardisation Group) 2010, marked "EPSG Technical Working Group internal use only"]

Developed by B&R in 2001, the real-time Industrial Ethernet protocol POWERLINK is characterized by cycle times in the microsecond range, universal applicability, and maximum network configuration flexibility. A completely patent-free, vendor-independent, and purely software-based real-time system, which has also been available free of charge as an open source version since 2008, POWERLINK requires no proprietary hardware and provides total user independence from licenses and specific vendors. POWERLINK gives users completely integrated CANopen mechanisms on the one hand, and 100% compliance to the IEEE 802.3 Ethernet standard on the other. As a result, POWERLINK provides all Standard Ethernet features including cross-traffic, hot plugging, and a free choice of network topology.

How it works

POWERLINK uses a mixture of timeslot and polling procedures to achieve isochronous data transfer. In order to ensure coordination, a PLC or an industrial PC is designated to be the so-called Managing Node (MN). This manager enforces the cycle timing that serves to synchronize all devices, and controls cyclical data communication. All other devices operate as Controlled Nodes (CN). In the course of one clock cycle, the MN sends so-called "Poll Requests" to one CN after another in a fixed sequence. Every CN replies immediately to this request with a "PollResponse," which all other nodes can listen in on.

A POWERLINK cycle consists of three periods: during the "Start Period," the MN sends a "Start of Cycle Frame" (SoC) to all CNs to synchronize the devices. Jitter, i.e. clock rate inaccuracy due to fluctuations in the cycle, is as low as about 100 nanoseconds. Cyclic isochronous data exchange takes place during the second period ("Cyclic Period"). Multiplexing allows for optimized bandwidth use in this phase. The third period of a cycle marks the start of the asynchronous phase, which enables the transfer of large, non-time-critical data packets. Such data, e.g. user data, is spread out over the asynchronous phases of several cycles.

POWERLINK distinguishes between real-time and non-real-time domains. Since data transfer in the asynchronous period supports standard IP frames, routers separate data safely and transparently from the real-time domains.

[Figure: Layer model for openSAFETY over POWERLINK, a seven-layer stack showing, from top to bottom: CANopen Object Dictionary and PDO/SDO Command; POWERLINK Data Link Layer; Ethernet physics]

Organization

An independent organization with a democratic charter, the Ethernet POWERLINK Standardization Group (EPSG) was founded by drive and automation industry leaders in 2003. Their common goal is to standardize and to continue to develop and enhance POWERLINK technology. The EPSG cooperates with leading standardization organizations, e.g. CAN in Automation (CiA), IEC, and the Open Source Automation Development Lab (OSADL).

openSAFETY

openSAFETY is simply implemented on top of POWERLINK as well, with no impact at all on that base protocol. POWERLINK provides full-fledged cross-traffic. openSAFETY uses this function to achieve extremely brief safe reaction times. All communication for initializing and parameterizing the system goes through POWERLINK's asynchronous communication channel.

All of openSAFETY's mechanisms, functions, and potential options are described in the openSAFETY over POWERLINK specification.

[Figure: Sample safe POWERLINK network, showing PLC, Safe Logic, Safe Sensor, light curtain, Safe Motion, Safe I/O, and e-Stop; generally speaking, all conceivable topologies are possible!]

openSAFETY over your fieldbus

Other than the various familiar, widely used fieldbuses and Industrial Ethernet systems on the market, or even the lesser known, but specified communication protocols, there are also individual, customized bus systems designed for "in-house" use only that many automation applications continue to employ. Found in all sorts of industries, unique implementations of this kind are, in many cases, neither standardized nor certified. Even for such environments, openSAFETY constitutes a suitable, uncomplicated safety solution. Due to true Black Channel operation, which is a native openSAFETY feature, the data transfer protocol never plays a role.

Since openSAFETY verifies the integrity of transferred data at all times, continually monitors the duration of transmissions using special mechanisms, and immediately recognizes any data transfer errors that occur, even single-channel, unsafe transport networks may be used as a basis for communication without compromising safety functionality at all.

- SIL3 TÜV certified protocol
- mature technology – no risk of redesigns and recertification
- open solution for all fieldbuses and Ethernet protocols – no proprietary development required for the safety layer
- fastest possible time-to-market
- secure long-term investment viability – legal and technical independence
- already tried, tested, and proven in high-end applications (e.g. with Safe Motion Control and in process automation)
- interoperability and simple certification guaranteed
- TÜV-certified conformance test
- IEC 61784-3-13

What do users have to do?

Users who would like to implement an openSAFETY-based safety solution with their existing data communication system must only ensure that the safety protocol, which is available free of charge on the Internet, is integrated on the Application Layer of their bus system. Anyone in need of help can simply request assistance from the EPSG. In summary, given that openSAFETY is also already TÜV-certified, the basis for implementing safe data transfer capability is provided for free and virtually laid at any user's doorstep.

Layer model for openSAFETY over your solution

layer 7    Your Application
layer 6
layer 5
layer 4    Your Solution
layer 3
layer 2
layer 1    Ethernet, RS485, CAN, USB, …, LVDS

Connecting Industries: openSAFETY provides one universal safety solution for all industrial sectors

- Automotive OEMs and suppliers
- Building automation
- Construction industry
- Machine building
- Chemical industry
- Energy
- Shipbuilding industry
- Transport industry
- Food and beverage industry
- Aerospace industry
- Wind energy industry
- Solar energy industry
- Pharmaceutical, cosmetics and medical industry

[Figure: Time-to-market as a basis for success! Two development timelines are compared. Safety device without openSAFETY: IEC61508 Process (IEC61508 Process Definition, IEC61508 Process Setup), then Safety Product (Product Design, Product Implementation, Safety Network Design, Safety Network Implementation, Product Validation, Network Conformance Testing, IEC61508 Product Certification). Safety device with openSAFETY: IEC61508 Process (openSAFETY Workshop, IEC61508 Process Setup), then Safety Product (Product Design, Product Implementation, openSAFETY Reference Design, openSAFETY integration, Product Validation, openSAFETY conformance, IEC61508 Product Certification), giving a reduced time-to-market with openSAFETY.]

Masthead

»POWERLINKFACTS« is an information service of the EPSG – ETHERNET POWERLINK STANDARDIZATION GROUP, POWERLINK-Office, Kurfürstenstraße 112, 10787 Berlin.

Conception, Layout, Project Marketing and Coordination: FR&P Werbeagentur Reisenecker & Broddack GmbH, Kurfürstenstraße 112, 10787 Berlin, Tel.: +49(0)30-85 08 85-0, Fax: -86
Publication Management: A.-Christian Broddack, Erich Reisenecker
Coordination Editorial Office/Production Team: Heide Rennemann-Ihlenburg
Editorial Office: gii die Presse-Agentur GmbH, Immanuelkirchstr. 12, 10405 Berlin, Tel.: +49(0)30-53 89 65-0, Fax: -29
Editor in Chief: Rüdiger Eikmeier
Editorial Office: Heiko Wittke
Editorial Assistant: Asja Kootz

© Copyright Notice
The name and layout of »POWERLINKFACTS« are protected by copyright laws. Republication in full or in excerpts requires advance permission from the editorial office.

FEEL SAFE ABOUT IT?

The global standard for integrated safety technology significantly reduces wiring costs, enables faster commissioning, and achieves top machine performance through efficient communication. openSAFETY gives you maximum productivity with certified safety. Compatibility with your Industrial Ethernet solution guaranteed.

www.open-safety.org