PROFIsafe is a technology designed to address safety-critical communication needs in industrial environments by integrating safety functions directly into existing PROFIBUS and PROFINET networks. Before the introduction of PROFIsafe, industrial safety systems frequently relied on separate physical wiring, dedicated safety relays, and redundant controllers, which contributed to increased complexity, cost, and maintenance. The original PROFIBUS and PROFINET networks were primarily intended for standard automation communication without built-in mechanisms for ensuring functional safety—a critical component in applications such as emergency stops, machine guarding, and fail-safe operations.
PROFIsafe, initially developed in 1998 as a standard in collaboration with several automation device manufacturers, aimed to meet legislative requirements for functional safety in industrial systems. In its second iteration in 2005, PROFIsafe was enhanced to support Ethernet-based PROFINET networks, expanding its capabilities beyond the original PROFIBUS. The protocol provides an additional safety layer to both PROFIBUS and PROFINET networks, enabling the transmission of safety-critical data alongside standard communication over the same physical medium. This integration ensures deterministic and error-checked communication for applications requiring Safety Integrity Level (SIL) compliance, such as emergency stops and machine guarding.
PROFIsafe also uses mechanisms such as cyclic redundancy checks (CRC), time monitoring, and sequence numbering to detect transmission errors, contain faults, and keep the system in a safe state, without the need for additional cabling or separate hardware. Any change to or disturbance of the safety data can therefore be detected, and the system brought to a safe state, before it leads to a functional safety issue, while installation complexity, cost, and system footprint are reduced and compliance with international safety standards such as IEC 61508 (the basic standard for functional safety) is maintained. These measures are crucial for guaranteeing that safety-critical data is transmitted correctly and promptly over the same network infrastructure used for standard industrial communication.
The black channel principle is a fundamental concept in the design of safety communication protocols like PROFIsafe. It refers to treating the underlying communication channel as opaque, or "black": the safety layer makes no assumptions about the channel's properties and adds its own checks, so that safety-critical data is transmitted reliably regardless of interference or manipulation on the channel. PROFIsafe implements the black channel principle to safeguard safety-related information from unauthorized access, tampering, or corruption, thus maintaining the integrity and reliability of the safety system.
The IEC 61508 standard defines the "black channel" as a communication channel with unsecured or non-application-specific properties. The black channel principle enables secure communication to be ensured despite the inherent characteristics of the communication channel. In the context of functional safety, black channels typically involve the transmission of safety-related signals over standardized communication media like Ethernet or wireless.
Encapsulation of Safety Data
PROFIsafe encapsulates safety-critical data within a dedicated portion of the communication frame, separate from non-safety-related data. This ensures that safety messages remain distinct and identifiable within the communication stream, facilitating their secure transmission and reception.
Data Integrity Verification
PROFIsafe employs a cyclic redundancy check (CRC) to verify the integrity of safety data transmitted over the communication channel. The sender computes a CRC over the safety data and appends it to the message; the receiver recomputes the CRC over the data it actually received and compares the two values. Any discrepancy indicates potential data corruption and triggers the appropriate error handling.
Redundancy and Error Handling
PROFIsafe often employs redundancy techniques, such as redundant communication paths or redundant devices, to enhance fault tolerance and reliability. In the event of communication failures or errors, redundant paths or devices can ensure the continued transmission of safety-critical data, maintaining system integrity and availability.
By adhering to the black channel principle, PROFIsafe ensures that safety-critical information is transmitted securely and reliably within industrial automation systems. This approach helps to mitigate the risk of accidents, injuries, and equipment damage by protecting safety communication from external interference, manipulation, or unauthorized access.
IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) that establishes requirements for the functional safety of electrical, electronic, and programmable electronic safety-related systems.
It defines a safety lifecycle with 16 phases, covering the entire lifecycle from initial concept to decommissioning. The lifecycle phases are divided into three main groups: analysis, realization, and operation. All phases focus on ensuring the safety function of the system. Specific techniques are required across the lifecycle to avoid mistakes and errors that could undermine the safety system.
Moreover, IEC 61508 takes a probabilistic approach to risk, recognizing that zero risk can never be achieved, only probabilities can be reduced. The risk is assessed based on the frequency (likelihood) of the hazardous event and the severity of the consequences. Safety functions are then implemented to reduce the risk to a tolerable level, using a combination of electrical/electronic/programmable electronic systems (E/E/PES) and other technologies.
IEC 61508 also embraces the "black channel" principle, where the safety-related communication is independent of the underlying transmission channel. This allows PROFIsafe and other safety protocols to provide secure communication over a variety of network technologies without relying on their specific characteristics for safety.
IEC 61508 is a comprehensive standard that establishes a risk-based, lifecycle approach to the functional safety of electrical, electronic, and programmable electronic safety-related systems. It is a foundational standard that is widely adopted across many industries to ensure the safe operation of machinery and processes.
PROFIsafe incorporates several key technical features and aspects to ensure robust safety communication in industrial environments, as follows:
Addressing
PROFIsafe uses unique source and destination addresses to identify safety devices on the network. The "Base for PROFIsafe addresses" parameter in the F-CPU properties defines a range for automatically assigning the PROFIsafe destination addresses. This ensures network-wide uniqueness of the addresses. For PROFIsafe address type 1, the F-destination addresses must not overlap between F-CPUs. For PROFIsafe address type 2, the F-destination addresses can overlap if the F-source addresses are different.
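The address type 1 and type 2 uniqueness rules above, expressed as a configuration check. This is an added example, not code from the page or from any PROFIsafe tool; the F-CPU names, F-source addresses and F-destination addresses are constructed sample values.

```python
# Constructed example: checks the F-address uniqueness rules for a set of F-CPUs.
# Each F-CPU is listed with its F-source address and the F-destination addresses
# of the F-Devices it talks to. Sample values below are made up.

def check_f_addresses(f_cpus: dict, address_type: int) -> list:
    """Return a list of conflicts; an empty list means the configuration is valid.

    address_type 1: every F-destination address must be unique across all F-CPUs.
    address_type 2: an F-destination address may repeat across F-CPUs only when the
                    F-source addresses differ, i.e. (F-source, F-destination) pairs
                    must be unique.
    """
    if address_type not in (1, 2):
        raise ValueError("PROFIsafe address type must be 1 or 2")
    conflicts = []
    seen = {}  # uniqueness key -> name of the F-CPU that first used it
    for cpu, (source, destinations) in f_cpus.items():
        for dest in destinations:
            key = dest if address_type == 1 else (source, dest)
            if key in seen:
                conflicts.append(f"{cpu}: F-destination {dest} already used by {seen[key]}")
            else:
                seen[key] = cpu
    return conflicts

# Two F-CPUs with different F-source addresses that both use F-destination 20:
# valid for address type 2, a conflict for address type 1.
SAMPLE_DIFFERENT_SOURCES = {
    "F-CPU-A": (1, [10, 20, 30]),
    "F-CPU-B": (2, [20, 40]),
}

# Two F-CPUs sharing an F-source address: the shared F-destination 50 is a
# conflict for both address types.
SAMPLE_SAME_SOURCE = {
    "F-CPU-C": (7, [50, 51]),
    "F-CPU-D": (7, [50]),
}

if __name__ == "__main__":
    for name, cfg in (("different sources", SAMPLE_DIFFERENT_SOURCES),
                      ("same source", SAMPLE_SAME_SOURCE)):
        for address_type in (1, 2):
            print(name, "type", address_type, check_f_addresses(cfg, address_type) or "ok")
```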
Communication
PROFIsafe communication is carried over the same PROFINET or PROFIBUS network as standard communication. All nodes taking part in the safety-related communication must be certified according to IEC 61010 and be both PROFINET/PROFIBUS and PROFIsafe certified. PROFIsafe provides mechanisms to detect communication errors, message repetitions, message delays, and logical errors, which ensures the safe transmission of data.
GSD Files
PROFIsafe devices require the same communication setup with safety controllers as standard PROFINET/PROFIBUS devices. PROFIsafe GSD files must be secured to protect the communication integrity, so they are compiled with a special tool that calculates a safety CRC that is then incorporated into the GSD. PROFIsafe components may also be called F-components (Failsafe), so a PROFIsafe GSD could be called an F-GSD.
Parameters and F-Parameters
When the safety controller sends parameters to the devices, the setup information is transmitted and received using the PROFIsafe drivers. The parameter setup ensures the same level of data protection as for safety data for I/Os. The technology-specific parameters of an F-Device are called iParameters. In case an F-Device needs different iParameters at runtime, PROFIsafe provides additional services.
PROFIsafe Services
The main services provide the exchange of F-Output and F-Input data. During start-up or in case of errors, the actual process values are replaced by default fail-safe values. PROFIsafe provides additional services via flags in the Control Byte and Status Byte, such as "activate_FV" and "FV_activated", to handle different safe states. PROFIsafe communication errors cause the F-Host driver to switch into a safe state, and PROFIsafe provides a service ("OA_Req") to inform the user program that operator intervention and acknowledgement are requested.
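A simulation of the receiver-side checks described under "Data Integrity Verification" and in this section: CRC verification, consecutive-number checking, watchdog time monitoring, substitution of fail-safe values on error, and an operator acknowledgement before the process values are released again. This is an added example, not PROFIsafe's own frame format or code; a standard CRC-32 stands in for the protocol's CRC, and the container layout, watchdog time and fail-safe values are assumptions.

```python
import binascii
import struct

# Constructed illustration of a PROFIsafe-style safety container check. CRC-32
# stands in for the protocol's own CRC; the layout "payload || seq || crc" and the
# constants below are assumptions made for this example only.
FAILSAFE_VALUES = b"\x00\x00"   # assumed default fail-safe (de-energised) outputs
WATCHDOG_MS = 100               # assumed watchdog time between valid containers
PAYLOAD_LEN = 2

def build_container(payload: bytes, seq: int) -> bytes:
    """Sender side: payload || 1-byte consecutive number || CRC-32 over both."""
    body = payload + bytes([seq & 0xFF])
    return body + struct.pack(">I", binascii.crc32(body))

class SafetyReceiver:
    """Consumer side. receive() returns (output values, error reason or None)."""
    def __init__(self):
        self.expected_seq = 1
        self.last_ok_ms = None   # time of the last valid container
        self.error = None        # pending error: outputs stay fail-safe until acknowledged
        self.oa_req = False      # models OA_Req: operator acknowledgement requested

    def receive(self, frame: bytes, now_ms: int):
        body, rx_crc = frame[:-4], frame[-4:]
        if len(body) != PAYLOAD_LEN + 1 or struct.pack(">I", binascii.crc32(body)) != rx_crc:
            return self._fail("crc")        # corrupted: nothing in the frame is trusted
        seq = body[-1]
        if seq != (self.expected_seq & 0xFF):
            self.expected_seq = seq + 1     # resynchronise after a repeat, loss or reorder
            return self._fail("sequence")
        self.expected_seq += 1
        late = self.last_ok_ms is not None and now_ms - self.last_ok_ms > WATCHDOG_MS
        self.last_ok_ms = now_ms
        if late:
            return self._fail("watchdog")   # valid content, but delayed beyond the watchdog
        if self.error is not None:
            return FAILSAFE_VALUES, self.error  # communication recovered, not yet acknowledged
        return body[:-1], None

    def _fail(self, reason: str):
        self.error, self.oa_req = reason, True
        return FAILSAFE_VALUES, reason

    def operator_ack(self):
        """Operator intervention clears the pending error and releases the outputs."""
        self.error, self.oa_req = None, False
```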
Diagnostic and Monitoring Capabilities
PROFIsafe provides comprehensive diagnostic and monitoring capabilities to detect and diagnose faults or malfunctions in safety devices and communication channels. Real-time monitoring of safety systems allows for proactive maintenance and troubleshooting, ensuring the reliability and availability of safety functions.
Flexibility and Scalability
PROFIsafe offers flexibility in system configuration and scalability to accommodate various industrial applications. It supports different network topologies and architectures, allowing for the customization of safety solutions to meet specific requirements. Whether it's a small standalone machine or a large-scale industrial plant, PROFIsafe can scale accordingly to ensure safety.
Hilscher's netX technology platform, consisting of the netX SoCs, the associated firmware and extensive protocol stacks, supports the development of devices that have to fulfil high functional safety requirements. The netX acts as a black channel for the safety system. The netX firmware provides the services to exchange the data, parameters and diagnostic information required to implement the safety-relevant application. Depending on the communication system used, the safety application can support, for example, Functional Safety over EtherCAT (FSoE), CIP Safety or PROFIsafe.
On the hardware side, as with non-safety devices, the netX forms the interface to the fieldbus or real-time Ethernet systems. The safety frames are treated like I/O data and forwarded to the safety-relevant application. The corresponding application firmware for the netX 90 can be implemented on the application side of the controller, for example. It retrieves the data packets from the dual port memory (DPM) and forwards them to a defined interface. On the safety side, two redundant CPUs then receive the data via a galvanically isolated serial interface for further processing.
In the increasingly complex world of automation, with sophisticated production processes and modular machines, functional safety plays an ever more important role. Compliance with standards such as IEC 61508 or ISO 13849 is therefore essential. Read here how you can implement safety-compliant devices with netX.