XII International PhD Workshop OWD 2010, 23–26 October 2010

Comparison of Safety Solutions in

Juraj Ľupták, Tomáš Ondrašina, University of Žilina

Abstract

In many cases the industrial communication system is a component of a system that takes part in safety-critical process control. Undetected corruption of transmitted data can cause considerable damage to equipment, the environment or human health, which is why the system has to be designed so that the required Safety Integrity Level is guaranteed. This paper summarizes the safety solutions in industrial Ethernet with a focus on the communication profile families CPF 2, CPF 3 and CPF 13. The paper highlights the open safety solution, which in the future will be compatible with several types of safety products.

1. Introduction

Industrial communication networks are becoming part of wide-area measuring and control systems and make use of modern information technology. The industrial network is in many cases part of a system that takes part in the management of safety-related critical processes, for example the control of certain manufacturing processes in mechanical engineering, the chemical industry, nuclear power or traffic management. In this situation the definition of safety mechanisms within the communication cannot be derived from the general rules defined for commercial purposes. The system must be designed to guarantee the required safety integrity level (SIL). Recently many different families of industrial Ethernet networks have appeared. In the case of machine safety and production-line safety, ranging from control up to automated production, enormous costs are spent on safety because several types of communication networks are in use. From this arises the effort to find a safety communication profile that can be used in every case.

2. Industrial Ethernet

Industrial Ethernet is a successful application of the IEEE 802.3 standard in the area of connectors, transmission media and other circuit solutions that meets the requirements for resistance to electrical noise, mechanical vibration and temperature effects and has the required durability. It is also a successful implementation in the area of communication protocols that deal with the interoperability of smart devices and other devices and with data transmission among them, including the management of these transmissions. It is not a single communication technology but a set of solutions from several manufacturers, manufacturer associations and users. Common to all of these solutions is that they try to use Ethernet technology and the open TCP/IP protocol suite of the Internet and at the same time meet the demands placed on data collection and communication for operating and controlling processes, machines and lines. These solutions must adapt to the current industrial bus solutions from which they are derived [1].

Fig.1. Industrial Ethernet in the automation environment.

The communication links among network participants (fig. 1) use, besides the client-server model, which is mostly used for data exchange between two entities, also protocols for efficient data exchange among multiple participants, i.e. protocols based on the publisher-subscriber and producer-consumer principles. Data transfer occurs to a greater extent than in an office network: from a single byte up to hundreds of MB transferred between display panels and at the level of control computers.

According to [2], the safety standards EN 954-1, IEC 61508 and DIN 19250 are currently most often used for E/E/PE systems. When dividing safety systems into categories, classes and levels, the standards are based on an analysis of system risks and define the safety measures for reducing the existing risks to a level acceptable to the user. Safety requirements for the system can be defined only if the acceptable risk and the risk associated with the controlled process are known. The safety standards recommend carrying out the risk analysis in the initial stages of the system life cycle, that is, identifying the relevant hazards resulting from adverse effects and determining the risk associated with the process for the required safety functions of the system.

The IEC (International Electrotechnical Commission), faced with the increasing number of industrial Ethernet variants, has standardized almost all the variants that have national support and are used in practice. Ten variants of industrial Ethernet networks are covered by IEC/PAS (Publicly Available Specification) documents. They are listed in table 1 (according to [3]).

Table 1. Versions of the industrial Ethernet network

Standard         Type
IEC/PAS 62030    RTPS
IEC/PAS 62405    Vnet/IP
IEC/PAS 62406    TCnet
IEC/PAS 62407    EtherCAT
IEC/PAS 62408    Ethernet Powerlink
IEC/PAS 62409    EPA
IEC/PAS 62410    SERCOS III
IEC/PAS 62411    PROFINET
IEC/PAS 62412    P-NET on IP
IEC/PAS 62413    EtherNet/IP

2.1. Industrial Ethernet PROFINET

PROFINET technology is now coming to the forefront among conventional industrial networks. It is gradually replacing the widespread PROFIBUS technology and is becoming a standard in safety-related applications. The basic idea of safety-related communication is that the safety of a transfer must be handled by a trusted transmission system. PROFINET is an open industrial communication system; the first experiments with it date back to 2002. It contains a qualitatively new concept of communication based on the industrial Ethernet network and is inspired by the experience with, and the structure of, the PROFIBUS protocol [4]. Several versions of PROFINET arose, as with the PROFIBUS industrial bus. They are PROFINET CBA (Component Based Automation, also known as PROFINET V1), PROFINET IO (Input/Output, PROFINET V2) and PROFINET IRT (Isochronous Real Time, PROFINET V3), which use different communication channels.

Recently the technology of industrial Ethernet has become well known and safety modifications of it are being developed. It is one of the most recent topics in automation technology development in the industrialized countries and also covers the questions of data transmission within industrial control systems.

2.2. Options for safety protection in industrial networks

There is no absolute safety of any system. The risks that arise during operation can be reduced only to a particular tolerable level. This can be achieved with the help of technical and administrative measures. To ensure trouble-free running of a safety-relevant system, technical hardware or software restrictions are imposed. A degree of functional safety of a system and of the integrity of its safety can be achieved by applying these restrictions.

2.2.1. The safety communication profile CIP Safety

The safety communication profile CIP Safety belongs to the second family of communication profiles, CPF 2. It is designed for safety-related (SR) applications that use the CIP communication protocol. It extends CIP by ensuring the simple transfer of safety-relevant and non-safety-relevant data side by side, and allows the user to create a safety-relevant connection between two applications (a producer/consumer connection between two safety objects) or among more (a producer/consumer connection among multiple safety objects), and thus can provide the high level of safety integrity required in safety-relevant applications.

CIP Safety has a model of the application layer and of the user device profiles extended by safety-relevant functions (see fig. 2).

Fig.2. Routing of safety-relevant data

After adding the CIP Safety services into the application and user layer, the safety level rises from SIL 0 to SIL 3 compared with standard applications. The terminal safety-relevant application objects ensure safety integrity with the help of specific safety-relevant functions [5].

The safety protocol is located above the standard network protocol. The safety layers formulate the safety-related message, send it, and receive and decode the incoming safety-related message. When the safety-related message has been decoded and verified, the data are passed on to the safety-related application.

Fig.3. Safety layer of the CIP Safety profile

2.2.2. The safety communication profile PROFIsafe

This method of protection is compatible with the PROFIBUS or PROFINET safety networks. PROFIsafe is the first open safety communication technology for globally distributed automated systems. It was designed on the basis of knowledge and experience from railway signalling techniques, which are defined in IEC 62280 [6]. On this basis, the safety-relevant communication operates with a standard transmission system and an additional safety protocol. The standard transmission system includes all hardware and basic protocols of the ISO/OSI reference model. Safety-relevant and non-safety-relevant applications share one transmission system (PROFIBUS, PROFINET IO) at the same time. The safety-relevant functions consist of safety mechanisms that reveal errors of the non-safety-relevant transmission system or keep the error rate below the required level [7].

The PROFIsafe profile can be used in two operating modes:
• Version V1 (V1.0 to V1.2) – for SR communication within PROFIBUS DP/PA types of network.
• Version V2 – for SR communication within PROFINET IO or PROFIBUS DP/PA types of network.

The PROFIsafe communication profile is based on polling between master- and slave-type devices and on the implementation of SR measures to eliminate errors during transmission. PROFIsafe is currently certified up to integrity level SIL 3.

The safety mechanisms of the PROFIsafe profile. To eliminate the communication errors of the transmission system of an industrial network, such as repetition, deletion, insertion, delay, reordering, corruption, masquerade and errors caused by the memory elements of network elements, the following safety mechanisms are recommended for the PROFIsafe profile:
• Identification of the sender and recipient.
• Serial number (virtual).
• Data integrity check.
• Time monitoring.

2.2.3. The safety communication profile openSAFETY

This method of protection is used for Sercos III, EtherNet/IP, Modbus TCP and Powerlink and is compatible with all Ethernet types. openSAFETY is an open safety protocol also in the technical respect: given the protocol's bus independence, openSAFETY can be used with all industrial Ethernet solutions.

openSAFETY uses a frame with a uniform format, no matter whether it serves payload data transfer, time synchronization or configuration. The frame length depends on the amount of data to be transferred. Safety nodes are discovered on the network automatically; the recognition of frame types and lengths does not have to be configured.

Causes of faults and their prevention. The majority of data transmission errors come from incorrect information forwarded by gateways: for example, data packets may be lost, data may be duplicated, or data may be fed into the wrong network. The time stamp, which is one of the most important mechanisms of this protocol, prevents delays, data duplications and mix-ups. The stamp enables the receiver to reject a repeated read and to bound the time period of the various packets [8].

The openSAFETY frame (see fig. 4) consists of two subframes with identical content. The two identical subframes are combined into one frame, which can transport up to 254 bytes of payload data. Each subframe is provided with an individual checksum, and the identical content of the two subframes is compared by the receiver.

Fig.4. OpenSAFETY Frame
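As an added illustration (this is not code from the paper, nor from ODVA, PROFIBUS International or EPSG), the following Python model shows the idea shared by the three profiles above: a safety layer sitting above a standard protocol that is treated as untrusted (fig. 3), the four PROFIsafe mechanisms (identification of sender and recipient, serial number, data integrity check, time monitoring), and an openSAFETY-style frame of two identical subframes, each with its own checksum and at most 254 bytes of payload. The field widths, the 16-bit counter, the 50 ms watchdog, the node addresses and the use of CRC-32 are assumptions made for the example and are not the profiles' real layouts; the injected channel faults are constructed, one per error class listed for PROFIsafe, and the latching into a safe state on the first fault is an assumed reaction.

```python
import struct
import zlib

# Constructed model of a black-channel safety layer (not code from the paper or
# from any of the profiles). Field widths and CRC-32 are assumptions.
MAX_PAYLOAD = 254                  # payload limit the text gives for openSAFETY
HDR = struct.Struct("!BBHB")       # source address, destination address, counter, payload length
CRC = struct.Struct("!I")          # per-subframe checksum


def build_subframe(src, dst, counter, payload):
    """One subframe: header, payload and its own checksum."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds %d bytes" % MAX_PAYLOAD)
    body = HDR.pack(src, dst, counter & 0xFFFF, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body))


def build_frame(src, dst, counter, payload):
    """Safety frame: two identical subframes, each checksummed separately."""
    sub = build_subframe(src, dst, counter, payload)
    return sub + sub


def parse_subframe(buf):
    """Return (src, dst, counter, payload), or None if length or checksum fails."""
    if len(buf) < HDR.size + CRC.size:
        return None
    src, dst, counter, length = HDR.unpack_from(buf)
    end = HDR.size + length
    if len(buf) != end + CRC.size or zlib.crc32(buf[:end]) != CRC.unpack_from(buf, end)[0]:
        return None
    return src, dst, counter, bytes(buf[HDR.size:end])


class SafetyReceiver:
    """Consumer side: every check runs above the transport, which is not trusted."""

    def __init__(self, own_addr, peers, watchdog_ms):
        self.own_addr = own_addr
        self.peers = set(peers)         # lookup table of permitted senders
        self.watchdog_ms = watchdog_ms  # time monitoring limit between accepted frames
        self.last_counter = {}          # last accepted serial number per sender
        self.last_seen_ms = {}          # arrival time of the last accepted frame per sender
        self.safe_state = False         # latched on the first fault (assumed reaction)

    def receive(self, frame, now_ms):
        if self.safe_state:
            return ("fault", "safe state")
        verdict = self._verify(frame, now_ms)
        if verdict[0] == "fault":
            self.safe_state = True
        return verdict

    def _verify(self, frame, now_ms):
        # data integrity: checksum of each subframe, then both subframes must agree
        half = len(frame) // 2
        a, b = parse_subframe(frame[:half]), parse_subframe(frame[half:])
        if a is None or b is None:
            return ("fault", "corruption: crc")
        if a != b:
            return ("fault", "corruption: subframes differ")
        src, dst, counter, payload = a
        # identification of sender and recipient (catches frames from another network)
        if dst != self.own_addr:
            return ("fault", "wrong recipient")
        if src not in self.peers:
            return ("fault", "masquerade")
        # time monitoring: too long since the last accepted frame from this sender
        # (a real watchdog also fires when nothing arrives at all; checked on arrival here)
        last_ms = self.last_seen_ms.get(src)
        if last_ms is not None and now_ms - last_ms > self.watchdog_ms:
            return ("fault", "delay")
        # serial number: the first frame of a connection is accepted as is (connection
        # establishment is out of scope); afterwards exactly last+1 is expected
        last = self.last_counter.get(src)
        if last is not None:
            diff = (counter - last) & 0xFFFF
            if diff == 0:
                return ("fault", "repetition")
            if 1 < diff < 0x8000:
                return ("fault", "deletion")
            if diff >= 0x8000:
                return ("fault", "reordering")
        self.last_counter[src] = counter
        self.last_seen_ms[src] = now_ms
        return ("ok", payload)


def run_scenario(events):
    """Feed (frame, arrival time in ms) pairs to a fresh receiver; return the final verdict."""
    rx = SafetyReceiver(own_addr=0x20, peers={0x10}, watchdog_ms=50)
    verdict = None
    for frame, t in events:
        verdict = rx.receive(frame, t)
    return verdict


def simulate():
    """Constructed channel faults, one per error class named in the text."""
    def f(n, src=0x10, dst=0x20):
        return build_frame(src, dst, n, b"\x01" + bytes([n]))
    bitflip = bytearray(f(2))
    bitflip[HDR.size] ^= 0x80                       # flip one payload bit in the first subframe
    mixed = build_subframe(0x10, 0x20, 2, b"A") + build_subframe(0x10, 0x20, 2, b"B")
    scenarios = {
        "normal":        [(f(0), 0), (f(1), 10), (f(2), 20)],
        "repetition":    [(f(0), 0), (f(1), 10), (f(1), 20)],
        "deletion":      [(f(0), 0), (f(1), 10), (f(3), 20)],
        "reordering":    [(f(0), 0), (f(1), 10), (f(0), 20)],
        "bit flip":      [(f(0), 0), (f(1), 10), (bytes(bitflip), 20)],
        "mixed":         [(f(0), 0), (f(1), 10), (mixed, 20)],   # both CRCs valid, contents differ
        "delay":         [(f(0), 0), (f(1), 10), (f(2), 200)],   # 50 ms watchdog exceeded
        "masquerade":    [(f(0), 0), (f(1), 10), (f(2, src=0x33), 20)],
        "wrong network": [(f(0), 0), (f(1), 10), (f(2, dst=0x21), 20)],
        "after fault":   [(f(0), 0), (f(1), 10), (f(1), 20), (f(2), 30)],
    }
    return {name: run_scenario(ev) for name, ev in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print("%-14s %s" % (name, verdict))
```

Running the block prints one verdict per scenario. One caveat for practitioners: the checksums, counters and watchdogs here, like those of the profiles themselves, are designed to detect random transmission faults; they are not cryptographic and give no protection against an attacker who can forge frames on the network, which is a security concern separate from the functional-safety integrity discussed in this paper.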


The probability of undetected data corruption in both subframes is very low, and it declines with the length of the frame. To verify the correctness of the data and to enable the receiving device to identify any stochastic error, the following principles are used [9]:
• CRC calculation.
• Comparison of the data of both subframes.
• Checking of the time stamp.
• Checking of the received address (comparison with the internal address or with an address in a lookup table).

The safety frame format and the safety-related services of openSAFETY meet the requirements of SIL 3 (IEC 61508 [10]) and can also be used for data transfer at all other SILs (SIL 1 to SIL 3) [9]. openSAFETY can be used with all fieldbuses and industrial Ethernet solutions.

3. Conclusion

Recent years in industrial automation have been characterized by the use of industrial Ethernet, in its safety modification, instead of industrial buses even in safety-critical applications. This tendency results in the development of safety profiles and in their verification and validation. The safety of industrial networks is becoming a priority in industry. In the field of industrial Ethernet three potential safety concepts are in progress, namely CIP Safety, PROFIsafe and openSAFETY.

CIP Safety lets you automate safety in plants using the same network that is used for standard control, resulting in reduced engineering, installation and training costs and in improved diagnostics.

PROFIsafe is one of the most important profiles for PROFIBUS and PROFINET. PROFIsafe can be used in safety applications up to Safety Integrity Level 3 (SIL 3) according to IEC 61508, mostly in manufacturing plants. When fail-safe devices such as emergency stop buttons or sensors indicate a fault condition, the PROFIsafe network activates a plant shutdown procedure over the fieldbus.

openSAFETY is the first open and bus-independent safety standard for all industrial Ethernet solutions. It uses the black channel principle: all safety-oriented mechanisms are implemented exclusively at the application level, which makes them completely independent of the underlying transport layer. The advantage of the openSAFETY concept is its open character and its ability to meet the market requirements for wide use in industry.

Bibliography

[1] ZEZULKA, F., HYNČICA, O.: Průmyslový ethernet (1) [Industrial Ethernet (1)]. In AT&P journal [online], 2005, no. 6. http://www.atpjournal.sk/casopisy/atp_05/pdf/atp20050617.pdf
[2] FRANEKOVÁ, M., KÁLLAY, F., PENIAK, P., VESTENICKÝ, P.: Komunikačná bezpečnosť priemyselných sietí [Communication safety of industrial networks]. Edis, ŽU Žilina, 2007. ISBN 978-80-8070-715-6
[3] ZEZULKA, F., HYNČICA, O.: Průmyslový Ethernet VII: Přehled současných standardů [Industrial Ethernet VII: Overview of current standards]. In Automa [online], 2008, no. 2. http://www.odbornecasopisy.cz/res/pdf/36694.pdf
[4] DRAHOŠ, P., GABRIEL, J.: Komunikačný systém PROFINET IO [The PROFINET IO communication system]. In Automa [online], 2006, no. 7. http://www.odbornecasopisy.cz/index.php?id_document=31231
[5] ODVA: Odvadevicenet. In ODVA [online], 2010. http://www.odva.org/default.aspx?tabid=66
[6] IEC 62280: Railway applications. Communication, signalling and processing systems. Part 1: Safety-related communication in closed transmission systems.
[7] DIN EN 954-1: Safety of machinery. Safety-related parts of control systems. Part 1: General principles for design. 1996.
[8] openSAFETY, EPSG [online], 2010. http://www.opensafety.org/
[9] EPSG WDP 304 V1.1.3: openSAFETY protocol source [online], 2010. http://www.ixxat.de/zugangsdaten_powerlink_safety_de.html
[10] IEC 61508: Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems. 2005.

Author:
Mgr. Juraj Ľupták
University of Žilina
ul. Univerzitná 1
010 26 Žilina
tel. +421 41 513 3306
email: [email protected]
