It is the task of safety communication between two partners to deliver
- Correct data
- To the right destination
Various errors may occur when messages are transferred in complex network topologies, whether due to hardware failures, extraordinary electromagnetic interference, or other influences. A message can be lost, occur repeatedly, be inserted from somewhere else, appear delayed or in an incorrect sequence, and/or show corrupted data. In the case of safety communications, there may also be incorrect addressing: a standard message erroneously appears at an F-Device and pretends to be a safety message. Different transmission rates may additionally cause bus component storage effects to occur. Out of the numerous remedies known from literature, PROFIsafe concentrates on those presented in the matrix shown in Figure 7.
These safety measures include:
- The consecutive numbering of the PROFIsafe messages ("sign-of-life")
- A time expectation with acknowledgement ("watch-dog")
- A codename between sender and receiver ("F-Address")
- Data integrity checks (CRC = cyclic redundancy check)
Using the Consecutive Number, a receiver can see whether or not it received the messages completely and within the correct sequence. When it returns a message with the Consecutive Number only as an acknowledgement to the sender, the sender, too, will be assured. Basically, a simple "toggle bit" would have proven sufficient. However, due to the storage buffers in some bus components, e.g. switches, a 24-bit counter was selected for PROFIsafe.
In safety technology, it not only matters that a message transfers the correct process signals or values; the updated actual values must also arrive within a fault tolerance time, thus enabling the respective F-Device to automatically initiate any necessary safety reactions on site, e.g. stoppage of movement. For this purpose, the F-Devices utilize a watchdog timer that is restarted whenever a new PROFIsafe message with an incremented Consecutive Number arrives.
The 1:1 relationship between the master and a slave facilitates the detection of misdirected message frames. Sender and receiver must simply have an identification (codename) that is unique in the network and can be used for verifying the authenticity of a PROFIsafe message. PROFIsafe uses an "F-Address" as the codename.
A cyclic redundancy check (CRC) plays a key role in detecting corrupted data bits. The necessary probabilistic examination makes use of the definitions within IEC 61508, which consider the probability of dangerous failures of entire safety functions. PROFIsafe follows this approach (Figure 9).
According to these definitions, a safety circuit includes all sensors, actuators, transfer elements and logic processes that are involved in a safety function. IEC 61508 defines overall values for the probability of failures for different safety integrity levels. For SIL3, for example, this is 10^-7/h. For the transmission, PROFIsafe is allowed a mere 1% contribution, meaning that the permissible probability of dangerous failures is 10^-9/h. This permits suitable CRC polynomials to be determined for the intended PROFIsafe message lengths. The resulting residual error probability of undetected corrupted PROFIsafe messages at a maximum bit error probability of 10^-2 guarantees the required order of magnitude. PROFIsafe uses a 24-bit and a 32-bit CRC generator polynomial to calculate the corresponding 3- or 4-byte signatures. The quality of the chosen CRC polynomials and the special calculation method is such that PROFIsafe is totally independent of any error detection mechanisms of the "Black Channel".
A PROFIsafe message that is exchanged between F-Host and its F-Device is carried within the payload of a standard PROFIBUS or PROFINET message. In case of a modular F-Device with several F-Modules, the payload consists of several PROFIsafe messages. Figure 8 shows the format of a PROFIsafe message.
It begins with F-Input or F-Output data using the already-mentioned subset of data types. These data structures of a particular F-Device are usually defined via its associated GSD (General Station Description) file. Normally, factory automation and process automation place different requirements upon a safety system. One deals with short ("bit") signals that must be processed at a very high speed, the other involves longer ("floating point") process values that may take a little more time. PROFIsafe therefore offers two different lengths for data structures. One length is limited to a maximum of 12 bytes and requires a 3-byte CRC signature to ensure data integrity. The other length is limited to 123 bytes and requires a 4-byte CRC signature.
Following the F-Input or F-Output data is a Control Byte if the message is from the F-Host or a Status Byte if it is from the F-Device. This information is needed to synchronize the sender and receiver of PROFIsafe messages.
The PROFIsafe data ends with a CRC signature depending on the length of the F-Input or F-Output data as mentioned above.
The Consecutive Number is not transmitted within a PROFIsafe message. Both sender and receiver use their own counters that are synchronized via the Control Byte and Status Byte. Correct synchronization is monitored through the inclusion of the counter values into the CRC signature calculation.
The "F-Address" is secured by inclusion in the CRC signature calculation as well.
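The receiver-side consequence of the preceding paragraphs (Consecutive Number and F-Address are not on the wire but are folded into the CRC signature, so a replayed, misdirected or corrupted frame fails the check and the receiver falls back to all-zero fail-safe values) as an added Python illustration; this is not PROFIsafe's or PI's code. It assumes zlib's standard CRC-32 as a stand-in for the PROFIsafe 4-byte polynomial, which the page does not give, and the F-Address, counter values and data bytes are constructed.

```python
import zlib

F_ADDRESS = 0x0123  # constructed codename shared by this F-Host/F-Device pair


def signature(data: bytes, control: int, cons_no: int, f_address: int) -> int:
    """4-byte CRC over the F-Output data, the Control Byte and the 'virtual'
    fields: 24-bit Consecutive Number and 16-bit F-Address. The virtual
    fields enter the CRC but are never put on the wire.
    Assumption: zlib's CRC-32 stands in for the PROFIsafe polynomial."""
    virtual = cons_no.to_bytes(3, "big") + f_address.to_bytes(2, "big")
    return zlib.crc32(data + bytes([control]) + virtual) & 0xFFFFFFFF


def build_frame(data: bytes, control: int, cons_no: int, f_address: int) -> bytes:
    """Sender: F-Output data + Control Byte + 4-byte CRC (long-format message)."""
    if len(data) > 123:
        raise ValueError("long format carries at most 123 bytes of F-Output data")
    crc = signature(data, control, cons_no, f_address)
    return data + bytes([control]) + crc.to_bytes(4, "big")


def check_frame(frame: bytes, expected_cons_no: int, f_address: int) -> tuple:
    """Receiver: recompute the CRC with its own counter and its own F-Address.
    On mismatch the process data are replaced by all-zero fail-safe values."""
    if len(frame) < 5:  # too short to hold Control Byte plus CRC
        return False, b""
    data, control = frame[:-5], frame[-5]
    crc = int.from_bytes(frame[-4:], "big")
    ok = crc == signature(data, control, expected_cons_no, f_address)
    return ok, (data if ok else bytes(len(data)))


def demo() -> dict:
    """Constructed frames exercising the error classes named in the text."""
    data = bytes([0x01, 0x00, 0xFF])  # constructed 3-byte F-Output data
    good = build_frame(data, 0x00, 5, F_ADDRESS)
    from_other_pair = build_frame(data, 0x00, 5, 0x0999)  # wrong codename
    corrupted = bytes([good[0] ^ 0x80]) + good[1:]  # single flipped data bit
    return {
        "good": check_frame(good, 5, F_ADDRESS)[0],
        "replayed": check_frame(good, 6, F_ADDRESS)[0],  # receiver expects 6
        "misdirected": check_frame(from_other_pair, 5, F_ADDRESS)[0],
        "corrupted": check_frame(corrupted, 5, F_ADDRESS)[0],
    }
```

Because each of the three bad frames differs from the expected CRC input by a burst shorter than 32 bits, a degree-32 CRC detects all of them deterministically.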
Senders and receivers of PROFIsafe messages are located in layers above the "Black Channel" communication layers (Figure 4). Usually these PROFIsafe layers are realized in software ("drivers"). Their central functionality is a state machine controlling the regular cyclic processing of PROFIsafe messages and the exceptions such as start-up, power-on/off, CRC error handling, etc. Figure 10 shows how the PROFIsafe layers interact with the technology part in F-Devices and with the user program in F-Hosts.
The main services provide exchange of F-Output and F-Input data. During start-up, or in case of errors, the actual process values are replaced by default fail-safe values. These fail-safe values shall be all "0" to force the receiver into a safe state (de-energize).
For F-Devices where de-energize is not the only possible safe state but rather low speed instead, PROFIsafe provides additional services via a flag in the Control Byte ("activate_FV"). In return, an F-Device can inform the user program that it activated its safe state via a flag in the Status Byte ("FV_activated").
PROFIsafe communication errors cause the F-Host driver to switch into a safe state. A safety function is usually not allowed to automatically switch from a safe state to normal operation without human interaction. To inform the user program that an operator intervention and acknowledgement is requested, PROFIsafe provides an additional service ("OA_Req"). PROFIsafe informs the F-Device about a pending request so that the F-Device can indicate it via an LED (optional). The operator acknowledgement can be passed over from the user program to the F-Host driver via a corresponding service ("OA_C").
The technology-specific parameters of an F-Device are called iParameters. In case an F-Device needs different iParameters at runtime, another set of services is available. One service allows the user program to switch the F-Device into a mode during which it will accept new iParameters ("iPar_EN"). The other indicates to the user program the readiness to resume normal safety operation ("iPar_OK").
The PROFIsafe services for F-Device technology include the corresponding exchange of F-Output and F-Input data, the extra possibility to activate and report fail-safe values, the indicators for the iParameter handling and for the already-mentioned operator request.
Additionally, the F-Device technology is able to report device faults to the F-Host driver via a flag in the Status Byte ("Device_Fault").
An F-Device's demand for a safety reaction shall last long enough to be transmitted by the PROFIsafe communication (at least two increments of the Consecutive Number). A special service informs the technology about new Consecutive Numbers in order to facilitate the realization of this requirement.
Diagnostic information from the PROFIsafe layer may be passed over to the technology part via a special service.
Last but not least, the technology is able to pass over the F-Parameters to the PROFIsafe layer. The F-Device received these F-Parameters together with all the other parameters during startup. What is the purpose of these F-Parameters?
The F-Parameters contain information for the PROFIsafe layer to adjust its behavior to particular customer needs and to double-check the correctness of assignments. The most important F-Parameters are:
- F_S/D_Address (short F-Address): a unique address for safety devices within one PROFIsafe island. The F-Device technology compares this F-Address with the locally assigned value of a microswitch or otherwise entered information to ensure the authenticity of the connection.
- F_WD_Time: the number of milliseconds for a watchdog timer. This timer monitors the reception of the next valid PROFIsafe message.
- F_SIL: the SIL expected by the user for the particular F-Device. It is compared with the locally stored manufacturer information.
- F_iPar_CRC: a signature across all the iParameters within the technology of the F-Device.
- F_Par_CRC: a signature across all the F-Parameters, used to ensure correct delivery of the F-Parameters.
That's an overview of PROFIsafe and we will now get into the details. Are you ready? Let's see what else PI is offering.