Safety through Common Industrial Protocol


R. Štohl*, K. Stibor**

* CEITEC - Central European Institute of Technology, Brno University of Technology, Brno (e-mail: [email protected]).
** Faculty of Electrical Engineering and Communication, Brno University of Technology, Brno (e-mail: [email protected]).

Abstract: Safety is an important factor in industry. This article aims to show that there can be a better way to take care of safety functions than hard-wired components, and that the use of integrated safety solutions can bring many advantages to industrial applications.

Keywords: machinery, machinery safety, CIP, CIP safety, M.I.C.E, SIL.

1. INTRODUCTION

The safety of applications is growing in importance. After the era of hard-wired technology, the time of solving safety requirements over networks is coming. This article shows one of the possible ways to achieve functional safety.

2. EASE OF USE

Use of CIP™ (Common Industrial Protocol) (Rockwell Automation, 2004) on EtherNet/IP gives the user completely vendor-free communication for every part of the production plant. EtherNet/IP uses the same physical layer as the standard Ethernet used in the offices of the same plant for email, internet protocols, file transfers etc. The industrialization of Ethernet started very slowly in the 1980s. Stronger pressure to develop a fully standardized Ethernet for industrial needs came with visualization in the 1990s. At present most industrial plants cannot exist without communication between production, control centre, maintenance, management, stock and other important parts of the factory.

2.1 EtherNet/IP

In the 1990s Ethernet networks were used for various applications in manufacturing. The main issue of Ethernet in industry was unscheduled communication, which was important for time-critical production control. This issue was solved by the use of 100 Mbps and 1 Gbps Ethernet and was further improved by the use of routed star technology. The development of EtherNet/IP opens industrial Ethernet to a massive volume of users who were thinking about moving their applications from local to remote control.

Why is EtherNet/IP so important for industrial applications? Its main features are:

• Producer-consumer services – easy to control, configure and collect data from network(s).
• Implementation of M.I.C.E – improved physical layer (separate chapter).
• Use of a slightly modified ISO/OSI model – CIP uses the same physical to transport layers (Fig. 1).
• Compatibility with office applications – reporting from production to the “manager’s table”.

Fig. 1. Comparison of OSI model and CIP layers

Exchange of time-critical data uses the so-called producer-consumer messaging model. This is supported by the multicast service on the physical layer. Once a message is produced, for example on a distributed input, it is identified by a connection number stored in CPU memory, not by the IP address of the network scanner. This helps to save bandwidth across the whole network. Now let’s assume that a visualization wants the same data, for example for trending of a measured value. All that the application in this visualization needs is the connection number, which is displayed on a panel. The same principle is used for a server that performs, for example, historization of data, for OPC servers etc.

3. IDEAL INFRASTRUCTURE FOR INDUSTRY

At the beginning of this section we have to say that there is no single solution for all industries. There are a lot of questions which have to be answered before we can start to plan the architecture of the network, because EtherNet/IP (Rockwell Automation, 2004) has more or less the same attributes as office Ethernet.

3.1 Devices

The first question which has to be answered is the type and number of devices that will be used in the application. Other attributes that shape the needs of the network are motion or safety, which are time-critical applications; distributed I/Os have other requirements, as do motor starters, for example those with embedded logic for emergency cases such as loss of communication.

3.2 Type of media

Once you know which devices you will use, you have to decide whether you will use copper or optical media to transfer your data. This decision is important especially for applications that require long-distance communication or communication with drives, where in extreme cases EMI can cause faulty communication or interruption.

3.3 Architecture

The architecture is another important question. With EtherNet/IP you can choose more or less the same architectures (Rockwell Automation 2009) as in office use. Most applications are based on a star topology, where the centre of the star is a managed switch with embedded monitoring of quality of service. For example, the Stratix8000 device uses tags to communicate with PLCs and other network members and inform them about the situation in the network.

A very similar application is a structured network with a backbone on top. This topology is used mainly in applications with strongly centralized control, where the single machines of production lines have their own switch or router with distributed I/Os; all these machines are connected over Ethernet twisted-pair cable to the central control room, where the PLC controlling all of the applications is located.

Mainly in the process industry, and especially in applications with safety requirements, a ring topology is used that can reconfigure itself automatically after an interruption at any single point of the network. For example, a Stratix8000 connected to an optical ring uses DLR technology, which allows automatic reconfiguration in the order of microseconds.

Linear topology is used in industry as well, very often with safety I/Os or motion servo drives. For this topology a discrete network scanner is very often used, and the network usually has a single purpose. The goal is to protect these types of networks from all other network traffic. Why? Let’s say that we have a single-purpose machine. Everything is functional as delivered by the manufacturer, but a star topology is used. The production manager needs to monitor the space for material with an IP camera, which allows better and faster logistics. Maintenance takes any camera and decides to use the network of the machine, which is connected to the factory network. After the camera is connected, the machine starts to stop occasionally and nobody knows why. I assume you can guess that the network traffic had increased. As a result the requested packet interval was exceeded, and for this safety reason the machine stopped whenever it happened. If the designer had used separate networks for safety and motion, this situation could not have occurred.

3.4 M.I.C.E.

M.I.C.E is a categorization of the environment where our application will be used. This categorization helps users and designers to choose appropriate devices for their application. It is an acronym for the Mechanical, Ingress, Climatic & Chemical and EMC resistance of the hardware used. To build an architecture you have to prioritize your most critical factors, and after this you can select products which meet these requirements.

Mechanical resistance describes the mechanical attributes of wires, connectors and other components. It is divided into three levels, where M1 is the lowest resistance (more or less office use) and M3 is for heavy industry with special connectors, cables and I/Os.

Ingress resistance describes how easy it is for dust or water to penetrate into the given component. Again we have three steps, where I1 is mainly for office use (there is no protection against water and ingress is in the range of IP20 to provide basic protection). The highest is I3, where components can be, for example, less than 30 minutes in water not deeper than 1 m.

Climatic & Chemical resistance describes the resistance of components to temperature, changes of temperature and humidity, and resistance against basic chemicals such as oil, salt and soap and other chemical and climatic factors. Again we have three steps, where C1 is mainly for office use and C3 has the best protection parameters.

The last parameter of M.I.C.E. is Electromagnetic resistance. E1 has the same requirements as the EMC standards for the industrial area (EN 61000-6); E3 has increased EMC protection requirements.

Most applications in buildings use M.I.C.E. requirements with all ones. Most industrial applications use M.I.C.E. requirements with mostly twos. Some applications use M.I.C.E. with some threes. M.I.C.E. is promoted mainly by the ODVA organization (www.odva.org).

4. CIP SAFETY

In the previous chapters we introduced EtherNet/IP and the basic way to build the right industrial network. Now let’s say a few words about safety. Safety is growing in importance over time. It helps the users of a machine to protect the health and lives of its operating crew, as well as to protect company property and decrease losses. In the past the only way to solve safety was to use hard-wired safety modules. At present an increasing number of users are migrating to safety solved by special PLCs with distributed safety I/Os. Of course this raised the problem for manufacturers of how to transfer safety information from the input to the processor and how to send the reaction from the processor to the outputs. There are two major ways. The first of them is a special network (ODVA 2003), which is used for example by the company Pilz. They promote their SafetyBus or SafetyNet. This is a physically separated network with all of its advantages and disadvantages. The second way is to use a standard network and a certified communication protocol to transfer data between the users of this protocol, which must not have an impact on users which “don’t understand this protocol”. In the first chapter we had a slightly modified OSI model. Now let’s extend this model with safety requirements.

Fig. 2. CIP protocol with CIP safety

As you can see in figure 2, the biggest advantage is the possibility to use safety I/Os on a network where there are standard inputs as well. To provide safety control of the application, some type of safety PLC (for example SmartGuard) or integrated safety PLC (for example GuardLogix) is of course needed. Otherwise you will not be able to control safety outputs and read safety inputs with a standard PLC. All modules are easy to install, and the safety environment of the control system checks the basic configuration. Further advantages are reduced cost in comparison with a solution using discrete safety and a normal network, and better, faster and more detailed diagnostics. All devices with the exception of the controller are without safety routines, which supports the possibility of replacing a faulty device under power. All the features described above are in accordance with the demands of SIL3.

4.1 SIL

SIL certification comes from the set of standards EN IEC 61508 (parts 1 to 7). SIL is an acronym for Safety Integrity Level. The level can range from SIL 1, with the lowest safety and reliability requirements, up to SIL 4, with the highest safety and reliability requirements. SIL 1 to SIL 3 are very often used in machinery; SIL 4 is mostly used in nuclear power devices and in the petrochemical and chemical industry. If we simplify the SIL rating, we could say that SIL 1 is required where there is occasional harm to a person, SIL 2 where this harm has a lasting effect, SIL 3 where this harm can have fatal consequences and SIL 4 where a higher number of people can be harmed or killed. Beware that this is just a simplification of a very sophisticated field, and categorization into SIL requires deep study of the appropriate standards.

4.2 How is CIP safety secured?

With a hard-wired solution, deciding whether the application is safe or not is very easy. It has to comply with a template in the standards or with solutions recommended and certified by the producer of the device. Of course producers of safety PLCs with safety I/Os cannot make templates for all possible variants. In this case, CIP safety (ODVA2 2006) is the most critical part of the safety chain between safety inputs and safety actuators. CIP is provided on the application layer; CIP safety is more or less nothing other than securing data packets by checksums and time stamps.

When an input module detects a pushed emergency stop on both channels, it sends this information to the microprocessor of the unit. The microprocessor prepares a packet to send, which consists of all the normal information of a packet on Ethernet; in the data block there is information about the inputs (not only status, but also diagnostic information), and there is a safety message which consists of the safety checksum, safety network number, processor owner and status of the sender; the data are closed by the standard checksum of the packet. Because CIP data are packed inside the data space of classic Ethernet, the physical layer can be shared, since for devices which don’t understand CIP this information is not useful. CIP has a certified application layer, not a certified physical layer. This is the biggest advantage of safety communication.

4.3 Routing between Networks

Safety networks can easily replace classic hard-wired applications where it is needed.
Especially where safety information has to be transferred over long distances, or where better diagnostics of safety inputs and outputs, interaction with visualization and other sophisticated solutions are needed, using networks allows greater flexibility than classic solutions. Once we use networks, it is an advantage to use a network which allows safety information to be transported. Because CIP, including CIP safety, is present at the application layer, it allows the use of all network media which can transport the application protocol. At present DeviceNet, ControlNet and Ethernet are certified. EtherNet has a bigger market share each year and its importance in the industrial segment is increasing.

Again, because of the presence of CIP in the application layer, we can communicate over various networks. Let’s imagine three machines with a standard PLC; a fourth in the production line will have a safety integrated PLC. All three machines will have their standard distributed I/Os, visualization etc., and these will be connected over DeviceNet. All machines together will be connected by EtherNet. Thanks to this interconnection it will be possible to transfer safety information from distributed safety I/Os to the safety PLC, which will control the safety part of this application. Do you ask if there is any advantage? The most important is price. This solution is much cheaper than the common hard-wired solution. Another factor important for most owners is fast and accurate diagnostics.

5. CONCLUSIONS

This paper describes CIP-based safety networks (ODVA 2006) that are at least as reliable and safe as hard-wired solutions.

ACKNOWLEDGEMENTS

This work was realised in CEITEC - Central European Institute of Technology with research infrastructure supported by the project CZ.1.05/1.1.00/02.0068 financed from the European Regional Development Fund. This work was partially supported by the grant “Modern Methods and Approaches in Automation” from the Internal Grant Agency of Brno University of Technology (grant No. FEKT-S-11-6) and by the Grant Agency of the Czech Republic (102/09/H081 SYNERGY – Mobile Sensoric Systems and Network).
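The checks that sections 3.3 and 4.2 describe (a safety checksum, the safety network number, the owner, the sender status and a time stamp, with a late packet stopping the machine) can be sketched as follows. This is an added example, not code from the paper or from ODVA: the frame layout, the CRC-32 stand-in, the 40 ms age limit and the names `produce`, `consume` and `demo` are assumptions made for illustration, and both ends are assumed to share a millisecond clock.

```python
import struct
import zlib

# Constructed, simplified layout (not the ODVA wire format):
# input bits | sender status | safety network number | owner id | timestamp ms
HDR = struct.Struct(">BB6sIH")
MAX_AGE_MS = 40  # assumed limit derived from the requested packet interval

def produce(inputs, status, snn, owner, now_ms):
    """Safety input module: pack data and safety fields, then append a checksum."""
    body = HDR.pack(inputs, status, snn, owner, now_ms & 0xFFFF)
    return body + struct.pack(">I", zlib.crc32(body))  # CRC-32 is a stand-in

def consume(frame, snn, owner, now_ms, last_ts=None):
    """Safety controller: return (verdict, inputs); any failure forces inputs to 0."""
    if len(frame) != HDR.size + 4:
        return "bad-length", 0
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    if zlib.crc32(body) != crc:
        return "bad-checksum", 0
    inputs, status, f_snn, f_owner, ts = HDR.unpack(body)
    if (f_snn, f_owner) != (snn, owner):
        return "wrong-source", 0
    if status != 0:
        return "sender-fault", 0
    if (now_ms - ts) & 0xFFFF > MAX_AGE_MS:  # late, e.g. network congestion
        return "stale", 0
    if last_ts is not None and not 0 < (ts - last_ts) & 0xFFFF < 0x8000:
        return "repeated", 0
    return "ok", inputs

def demo():
    """Run constructed frames through the consumer."""
    snn, owner = b"\x00\x01\x02\x03\x04\x05", 0xC0FFEE01  # constructed values
    good = produce(0b11, 0, snn, owner, now_ms=1000)
    flipped = bytes([good[0] ^ 0x01]) + good[1:]  # one corrupted input bit
    return {
        "fresh": consume(good, snn, owner, 1010),
        "corrupted": consume(flipped, snn, owner, 1010),
        "delayed": consume(good, snn, owner, 1100),
        "foreign": consume(good, b"\xff" * 6, owner, 1010),
        "repeated": consume(good, snn, owner, 1010, last_ts=1000),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

The "delayed" case is the IP camera scenario from section 3.3: the frame itself is intact, but it arrives after the allowed age, so the consumer treats the inputs as 0 and the machine stops.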

REFERENCES

Albright, L. F. (2009). Albright’s chemical engineering handbook. CRC Press, Boca Raton.
Becker R. et al. (2002). AS-Interface - The Automation Solution. AS-International Association, Gelnhausen.
Cisco Systems Inc. (2003). Internetworking Technologies Handbook (4th Edition). Cisco Press, 978-1587051197, San Jose.
Schweitzer, P. A. (1997). Handbook of Separation Techniques for Chemical Engineers. McGraw-Hill Company, New York.
*** (2005). http://www.modbus.org – The Modbus organization. Accessed on: 2011-08-20.
ODVA (2003). Safety Networks. White paper. Milwaukee, USA.
ODVA (2006). Media Planning and Installation Manual. Milwaukee, USA.
ODVA (2006). Network Infrastructure for EtherNet/IP. Milwaukee, USA.
Rockwell Automation (2004). EtherNet/IP Performance Application Solution. Milwaukee, USA.
Rockwell Automation (2009). NetLinx Selection Guide. Milwaukee, USA.