Safety Profiles for Real-Time Ethernet-Based Industrial Automation Networks

Alberto Elia
Luca Ferrarini
Carlo Veber

Copyright 2009 by ISA
International Society of Automation
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709

All Rights Reserved.
Printed in the United States of America.
10 9 8 7 6 5 4 3 2
ISBN: 978-1-934394-77-9

No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.

Notice

The information presented in this publication is for the general education of the reader. Because neither the author nor the publisher has any control over the use of the information by the reader, both the author and the publisher disclaim any and all liability of any kind arising out of such use. The reader is expected to exercise sound professional judgment in using any of the information presented in a particular application. Additionally, neither the author nor the publisher has investigated or considered the effect of any patents on the ability of the reader to use any of the information in a particular application. The reader is responsible for reviewing any possible patents that may affect any particular use of the information presented. Any references to commercial products in the work are cited as examples only. Neither the author nor the publisher endorses any referenced commercial product. Any trademarks or trade names referenced belong to the respective owner of the mark or name. Neither the author nor the publisher makes any representation regarding the availability of any referenced commercial product at any time. The manufacturer's instructions on use of any commercial product must be followed at all times, even if in conflict with the information in this publication.

Library of Congress Cataloging-in-Publication Data

Elia, Alberto.
Safety profiles for real-time ethernet-based industrial automation networks / Alberto Elia, Luca Ferrarini, Carlo Veber.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-934394-77-9
1. Communication in industrial safety. 2. Manufacturing processes -- Safety measures -- Data processing. 3. Human-machine systems -- Design. 4. Ethernet (Local area network system). I. Ferrarini, Luca. II. Veber, Carlo. III. Title. IV. Title: Safety profiles for real-time ethernet-based industrial automation networks.
TA158.5.E45 2009
670.4270289--dc22
2008043197

To my mother, Edvige
Alberto Elia

To my mother, Marta
Luca Ferrarini

To Sabrina
Carlo Veber

The O3neida Publications Series

This book is one of a series of books to be produced within O3neida on various subjects related to distributed automation.

O3neida is a Canadian not-for-profit corporation. O3neida Europe is a not-for-profit association headquartered in Brussels, Belgium. Together they form the hub of the O3neida networks. Their joint mission is to operate as a network of networks fostering the development and deployment of distributed industrial automation technologies based on open standards. These standards include, among others, the Foundation for Intelligent Physical Agents (FIPA), the Device Profile for Web Services (DPWS), Web Crawler (WC), and International Electrotechnical Commission (IEC) 61131 and 61499.

This book is addressed to technical university students and researchers who wish to understand network systems in industrial automation and their features related to real-time and functional safety requirements. The book begins with the introduction of the basics of standard Ethernet, specifying the Open System Interconnection (OSI) reference model layers and identifying Ethernet's drawbacks. This discussion will clarify the requirements and the solutions adopted by the communication protocols presented later in the book. Second, “real-time capability” is defined with specific regard to communication within safety-related systems, underlining the strict correlation between time performance and external requirements. Finally, the specifications of the safety profiles of five communication protocols (namely PROFIsafe, Ethernet Powerlink Safety, SERCOS III Safety, EtherCAT Safety and Ethernet/IP Safety) are investigated. The technical characteristics of each communication protocol are considered, and the measures adopted to detect errors and keep the residual error probability under a certain limit are also analyzed.

Future volumes in the O3neida/ISA series will address other equally pressing issues such as case studies of IEC 61499 implementation, supporting real-time execution in industrial automation applications, and ontologies. O3neida will also provide a compendium of selected papers from the 50th ANIPLA Conference. O3neida will also produce materials on automation objects as part of this series.

Finally, this book is the result of a concerted effort by many O3neida members. I thank them all for their dedication and commitment to O3neida as volunteers. I particularly thank Luca Ferrarini, Alberto Elia, and Carlo Veber of the Politecnico di Milano, Italy for leading this effort and also Allan Martel, O3neida Chief Operating Officer, for coordinating and managing the development of the O3neida series of books on distributed automation.

I also thank ISA for their interest and support in making the publication and distribution of this important book possible.

Antonio Valentini
Chief Executive Officer
O3neida

Contents

List of Figures  xi
List of Tables  xiii
Preface  xv
1  Employment of Industrial Ethernet in Automated Plants  1
   Specification of a communication system through the OSI model  2
   Standard Ethernet  4
   CIM pyramidal structure  7
   Need for vertical integration in the enterprise network  10
   Conclusion  11
2  Real-Time Communication on Ethernet-Based Networks  13
   Hard and soft real-time control systems  14
   Real-time communication systems  17
   Requirements and solutions to achieve real-time data transfer  24
   Conclusion  37
3  Safety Profiles for Communication Systems According to IEC 61508  39
   Introduction to functional safety (IEC 61508)  40
   Safety requirements for the network  41
   Black channel approach and safety profile  42
   Communication errors  44
   Measures  45
   Conclusion  48
4  Analysis of the Safety Profiles for Ethernet-Based Communication Protocols  51
   PROFIsafe  53
   Ethernet Powerlink Safety  55
   SERCOS III safety  58
   EtherCAT  60
   Ethernet/IP safety  62
5  Conclusion and Outlook  67
A  Presentation of Standard IEC 61508: Functional Safety for E/E/PE Systems  71
   The purpose of IEC 61508  71
   Safety integrity levels  73
   Architectural constraints on hardware  73
Glossary  77
List of acronyms  83
Bibliography  85
Index  89

List of Figures

Figure 1-1  OSI model structure and data transfer process  3
Figure 1-2  Ethernet frame structure  7
Figure 1-3  Enterprise pyramidal functional structure according to the CIM approach  9
Figure 1-4  Enterprise network levels  10
Figure 1-5  Remote monitoring and debugging  11
Figure 2-1  Validity function for both hard and soft real-time constraints  15
Figure 2-2  Confinement of latency  22
Figure 2-3  Synchronization mechanism  27
Figure 2-4  Cycle time divided into a deterministic part and a non-deterministic part  33
Figure 2-5  Shared time slots within the deterministic part of the cycle time  33
Figure 2-6  Frame sharing via a ring topology  33
Figure 2-7  Bypass of the TCP/IP stack  35
Figure 2-8  Ethernet frame format according to IEEE 802.1p  35
Figure 3-1  Communication part responsibility  43
Figure 3-2  Safety layer on top of the Application Layer  44
Figure 4-1  Representation of jitter in statistical terms  53
Figure 4-2  Real-time and non-real-time communication channels  58
Figure 4-3  EtherCAT frame  61
Figure 4-4  Encapsulation of CIP Safety frame in standard Ethernet frame  64
Figure A-1  Failure classification  74

List of Tables

Table 3-1  Causes of errors due to the black channel  47
Table 3-2  Safety measures and corresponding errors  49
Table 4-1  PROFIsafe measures  56
Table 4-2  EtherCAT safety measures  63
Table 4-3  Ethernet/IP safety measures  66
Table 5-1  Technical characteristics of the analyzed safety protocols  70
Table A-1  Safety levels  75
Table A-2  Hardware fault tolerance  75

Preface

Ethernet was initially developed as a communication system in office areas to connect PCs and peripheral devices, whereas fieldbus systems were traditionally used in industrial automation plants. There is currently a need to interface industrial automation communication systems with the Internet domain through the use of Information Technology (IT) standards and, at the same time, to preserve “real-time” characteristics for communication at the field level. Ethernet meets these needs and paves the way to the “real-time enterprise.”

On the other hand, the employment of standard Ethernet to support IT in an industrial environment causes a certain number of problems due to the different operating conditions (vibrations, excessive temperature, electromagnetic disturbances, etc.) and the different communication requirements (deterministic data exchange, timing constraints, and safety integrity). In fact, in the industrial environment, deterministic data exchange is required to avoid collisions, which cause unpredictable transmission delays in the communication channel. Furthermore, real-time communication constraints are necessary for those systems for which the validity of the operations depends not only on the correctness of the execution but also on the time at which actions are carried out.

Finally, some industrial plants operate under what could be hazardous conditions for people, the plant, or the environment. For such plants, the Distributed Control System (DCS) and the Emergency Shut Down (ESD) system must be designed to achieve and maintain a safe state for the controlled equipment. In order to achieve the required level of safety integrity, such systems must be built on a high-speed, real-time, reliable, and fault-tolerant communication network, responsible for transferring suitable safety information within the overall distributed enterprise and field control structure. All of these requirements can be specified, from the user's viewpoint, through the specification of well-defined Quality of Service (QoS) parameters, which detail the required values for network characteristics (such as data rate, packet transmission latency, and error rate) and the required probabilities that the network will be able to provide those values.

The application of standard Ethernet technology does not meet the specified QoS parameters usually demanded on a factory floor. However, the attractive opportunity to interface the industrial communication systems with the Internet domain and the advantageous possibility of making use at field level of a proven, standardized, and low-cost technology make Ethernet the preferred candidate for a reference model in the development of suitable industrial communication systems that fulfill deterministic network access and real-time communication requirements. Many “industrial Ethernet” solutions exist. In order to fulfill the network requirements for safety-related control and emergency systems according to the IEC 61508 standard, suitable additional safety layers on top of the application layer have been developed, creating a safety profile for the communication protocol.

This book is addressed to university students and researchers who wish to understand network systems in industrial automation and their features related to real-time and functional safety requirements. First, the basics of standard Ethernet will be introduced, specifying the Open System Interconnection (OSI) reference model layers and identifying Ethernet's drawbacks. This discussion will clarify the requirements and the solutions adopted by the presented communication protocols. Second, “real-time capability” will be defined with specific regard to communication within safety-related systems, underlining the strict correlation between time performance and external requirements. Finally, the specifications of the safety profiles of five communication protocols (namely PROFIsafe, Ethernet Powerlink Safety, SERCOS III Safety, EtherCAT Safety and Ethernet/IP Safety) will be investigated. The technical characteristics of each communication protocol will be considered, and the measures adopted to detect errors and keep the residual error probability under a certain limit will be analyzed.

The book is structured as follows:

Chapter 1 introduces the basics of a generic network architecture, some specifications of standard Ethernet, and the need for the integration of communication systems among different enterprise levels.

Chapter 2 presents the definition and characterization of real-time communication and presents the requirements and solutions to achieve real-time communication over Ethernet.

Chapter 3 introduces the basic concepts of “functional safety” defined by the IEC 61508 standard and reviews the requirements for a safety-related communication system and the corresponding solutions.

Chapter 4 presents the technical characteristics of five safety profiles as examples of Ethernet-based communication protocols and includes a detailed analysis of each profile according to the previously introduced requirements.

Chapter 5 summarizes the main findings and provides conclusions and outlooks.

Appendix A reviews some general topics of IEC 61508 and provides a glossary and list of acronyms.

1 Employment of Industrial Ethernet in Automated Plants

An automated control system for an industrial plant should allow the plant to work autonomously according to scheduled tasks, stop the plant or put it in a safe state in case of dangerous situations, and provide information for the supervision and monitoring of the plant. A distributed architecture of the control system allows for the division of an automated plant into modular computational units and provides the ability to assign to each unit, or group of units, a defined set of tasks. However, the distributed allocation of resources generates problems with response times due to the time needed to transfer relevant information among the remote computational units. After a certain time, the information received by a functional unit (a Programmable Logic Controller, PLC, or an actuator) is no longer current, and is therefore outside the acceptable parameters for the unit's required reaction times. These reaction times are usually very strictly defined since the Distributed Control System (DCS) must coordinate operations in “real-time” to ensure pr