Safety
The safety solution for OPC UA
Safety over OPC UA based on Profisafe: A year ago, the OPC Foundation and PI launched a joint concept for this. Now the specification is about to be published and is available for OPC UA-based controller-controller communication.
The use of functionally safe devices has increased rapidly in recent years. In 2017 alone, the number of Profisafe nodes brought onto the market rose by almost 2 million. From today's perspective, well over 10 million nodes are integrated into production systems. Hardly any machine or system today can do without safety functions. Another trend is the distribution of demanding automation tasks across several controllers that communicate with each other, for example via OPC UA. In practice, however, this is often cumbersome: special couplers are required if controllers from different manufacturers need to be connected to each other in a functionally safe manner. This usually means high hardware and engineering costs, and the handling is also very inflexible. This situation is particularly unsatisfactory in view of the increasing networking in companies. There are industries that traditionally have a very heterogeneous automation landscape. Typical examples are systems in the food and beverage industry, where many control systems from different manufacturers are often used. However, there is currently no manufacturer-independent standard for functionally safe transmission between machines - and therefore between the control systems used in those machines.
Another shortcoming of existing safety protocols is the lack of a concept for dynamic connection establishment and termination. According to the current state of the art, it must be determined at the time of project planning who communicates with whom and corresponding safe addresses must be permanently coded in. A change or addition to these addresses results in the safety function being reset.
This is no longer appropriate in the context of Industry 4.0. Modular machines, for example, consisting of processing machines, loading and unloading systems and other infeed and outfeed transport units, should be rearranged as required during operation without interrupting production for an unnecessarily long time. If there are safety functions that extend across several modules - for example "safely reduced speed when opening a loading unit" - these must be available immediately after the modules have been rearranged, if necessary following an automatic self-test plus user acknowledgement. A laborious manual check of the safety function, or even a new acceptance by an external body, would not be tolerable in these scenarios. The requirements are even more extreme for autonomous mobile vehicles, crane trolleys or robots that move independently from machine to machine. Here, it must be possible to reconfigure the safety function without human approval.
To make such scenarios possible, a safety protocol is required between control systems from different manufacturers that enables dynamic connection establishment and disconnection while supporting all state-of-the-art concepts.

Proven technology for safe concepts
Profisafe is already widely used. It therefore makes perfect sense to extend the Profisafe mechanisms to OPC UA.
© Profibus user organization
The "Safety over OPC UA based on Profisafe" specification, which is currently under review, offers a solution to this problem. As OPC UA is playing an increasingly important role for connections between controllers from different manufacturers, it makes sense to extend the Profisafe mechanisms to OPC UA. To this end, the Joint Working Group between PI and the OPC Foundation, consisting of well-known companies and organizations, was launched in November 2017. The experts defined the key points for functional safety and the boundary conditions: the safety concept is available to all members of the OPC Foundation and PI, conforms to IEC 61784-3 "Functional safety fieldbuses" and uses existing Profisafe mechanisms.
The principle of a single cable for standard communication and safety-related communication therefore continues to apply. And it will again be based on the proven black channel principle. This can be transferred directly to controller-controller communication, with the OPC UA communication stack taking on the role of the black channel. The proven safety protocol mechanisms - CRC check, codenames, monitoring number, watchdog monitoring and SIL monitor - are also adopted.
The OPC UA stack and the network components, such as gateways or routers, do not need to be considered during certification and can be adapted or expanded at any time, even retrospectively. Only the correct implementation of the Profisafe protocol on a functionally safe platform is relevant for certification.
More flexibility
The basic concept and the detailed specification are now laid down in the review version. The new specification initially addresses the client/server communication model of OPC UA. Support for pub/sub, including pub/sub over TSN, is already planned so that very short communication cycle times can be realized later on. Unidirectional, bidirectional and multicast connections are possible, as is any network topology (e.g. line, tree, star, ring). There are also sufficient reserves for data volumes of up to 1500 bytes.
Adjustments were necessary in the state machines, the protocol datagrams and the initialization, as peer controllers now communicate with each other instead of one controller with subordinate devices. When defining the state machine of the Profisafe protocol, for example, it is clarified how a connection is established, when process values or safe substitute values are to be output, or how a restart is to be acknowledged. Another aspect is the definition of the data types and data structures to be transmitted, as well as the reliable check as to whether both communication partners have the same understanding of how the transmitted data is to be interpreted.
Another new feature is the simplified diagnostics. Particularly in the case of complex safety functions involving several control systems from different manufacturers, it is important to quickly detect and localize errors and find the cause. The specification therefore also defines the diagnostic data to be displayed in order to ensure that the same error text is displayed for each type of error (e.g. CRC error or time-out) for all controllers. Diagnosis is possible via the existing mechanisms of the individual manufacturers and also via OPC UA, which speeds up the localization and identification of possible error sources.
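The following is an added illustration, not code from the specification or from PI, of the black channel principle described above: the receiver's CRC, codename, monitoring-number and watchdog checks, with safe substitute values output on any detected fault and one uniform diagnosis text per fault type, as the diagnostics section requires. The PDU layout, the codename, the watchdog value and the diagnosis texts are constructed assumptions for this example and are not the real Profisafe format.

```python
import struct
import zlib

# Constructed values for this illustration; not the real Profisafe PDU layout.
SUBSTITUTE = b"\x00\x00"        # safe substitute value output on any detected fault
CODENAME = b"cell-7/robot-2"    # identifies the intended connection partner

def build_pdu(payload, mon_nr, codename=CODENAME):
    """Sender side of the safety layer. The CRC covers the monitoring number,
    the payload and the codename; the codename itself is not transmitted, so
    a PDU meant for another partner fails the check at the receiver."""
    header = struct.pack(">I", mon_nr)
    crc = zlib.crc32(codename + header + payload)
    return header + payload + struct.pack(">I", crc)

class SafetyReceiver:
    """Receiver side: CRC, monitoring-number and watchdog checks. Everything
    between build_pdu() and receive() (OPC UA stack, routers) is the black
    channel: it is not trusted and not part of the safety argument."""
    def __init__(self, start_ms, watchdog_ms, codename=CODENAME):
        self.codename, self.watchdog_ms = codename, watchdog_ms
        self.expected_mon_nr, self.last_ok_ms = 1, start_ms

    def receive(self, pdu, now_ms):
        """Returns (process value, diagnosis text). The texts are uniform per
        fault type, which is what the specification requires of diagnostics."""
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return SUBSTITUTE, "time-out"
        if len(pdu) < 8:
            return SUBSTITUTE, "CRC error"
        header, payload, crc = pdu[:4], pdu[4:-4], struct.unpack(">I", pdu[-4:])[0]
        if zlib.crc32(self.codename + header + payload) != crc:
            return SUBSTITUTE, "CRC error"
        if struct.unpack(">I", header)[0] != self.expected_mon_nr:
            return SUBSTITUTE, "monitoring number error"
        self.expected_mon_nr += 1
        self.last_ok_ms = now_ms
        return payload, "ok"

def demo():
    """One connection: an intact cycle, then three typical black-channel faults."""
    rx = SafetyReceiver(start_ms=0, watchdog_ms=50)
    good = build_pdu(b"\x01\x2c", 1)                   # cycle 1 arrives intact
    flipped = bytearray(build_pdu(b"\x01\x2c", 2))
    flipped[5] ^= 0x10                                 # bit error in transit
    stale = build_pdu(b"\x01\x2c", 1)                  # old cycle delivered again
    late = build_pdu(b"\x01\x2c", 2)                   # intact, but after the watchdog
    return [rx.receive(good, 10)[1], rx.receive(bytes(flipped), 20)[1],
            rx.receive(stale, 30)[1], rx.receive(late, 200)[1]]
```

Nothing in the black channel is certified: only the code on either side of it (the equivalent of build_pdu and SafetyReceiver here) carries the safety argument.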
Changing communication partners
Functional safety for controller-controller communication via OPC UA based on Profisafe: a solution with which subordinate Profinet-based machines and also future subordinate TSN-based machines can cooperate.
© Profibus user organization
With Safety over OPC UA, connections can also be established and terminated at runtime. A given interface can be used alternately by different partners, making it possible to establish a dynamic connection. This benefits modular machines, autonomous guided vehicles (AGVs), autonomous mobile robots (AMRs) and tool changers in equal measure.
Unlike with all current functionally safe communication protocols, it is no longer necessary to make all participants known to each other during project planning. This makes it possible, for example, to add a new mobile robot to the system without having to re-parameterize all fixed machines.
Advantages of the Profisafe solution
By retaining the proven Profisafe principle, it will be much easier for manufacturers to establish a functionally safe connection between controllers in the future. In addition, the many proven uses of Profisafe ensure a high level of acceptance among manufacturers and end users as well as bodies such as certification authorities. It is also relevant that no special requirements are placed on non-safety components. This means that an unlimited number of network participants is possible and the communication speed is not limited.
An initial trial implementation as a proof of concept at the PI joint stand at SPS IPC Drives 2018 showed that this concept works. The specification, which is currently under review, will be finalized for the Hannover Messe. At the same time, test specifications will be created in which test sequences will be defined.
The result of the collaboration between PI and the OPC Foundation is a practical and future-proof solution in the field of functional safety that is supported by the majority of manufacturers and users.
Author:
Dr. Max Walter is head of the Profisafe @ OPC UA working group at PI (Profibus & Profinet International).
The PI Conference 2019
More on the topic of 'Cross-plant safety with OPC UA based on Profisafe' will be presented and discussed at the PI Conference 2019 of the Profibus User Organization (PNO). Users will also be able to find out about other activities relating to Profinet and OPC UA. The PI Conference 2019 will provide an overview of the future direction of PI technologies with regard to the requirements of digitalization in production. Other Industry 4.0-relevant topics will be presented, including 'Why Profinet with TSN?' and 'What rights to data do users have with regard to Industry 4.0?'
The focus will also be on topics such as security challenges in automation, network architecture of the future, the latest findings on Profinet in process automation as well as Industry 4.0 information models and new fields of technology. The PI Conference will take place on March 19 and 20, 2019. More information is available online.
The cooperations
PI (Profibus & Profinet International) has been cooperating closely with the OPC Foundation for well over a decade. The range of topics is diverse. The FDI technology is specified jointly and in cooperation with the FieldComm Group. The aim of two other joint working groups is to provide OPC UA Companion Specifications for Profinet and IO-Link.
The transitions from Profinet to OPC UA require standardization of the data formats. In one of the two activities, an OPC UA information model is defined to represent the standardized object model of Profinet. This model should enable OPC UA services to access the objects of Profinet devices independently of the manufacturer. In the first step, the topics of asset management and diagnostics will be addressed.
The same applies to IO-Link. Industry 4.0 is based on a wide range of information from the field of production systems. In addition to the control of automated production and device configuration, this information is increasingly required for remote maintenance, asset management, predictive maintenance, condition monitoring and data analytics to optimize production and make it more flexible. The basis for this can only be open sensor-to-cloud communication. The IO-Link community has already completed and released the Companion Specification 'OPC UA for IO-Link' for this purpose.
The topic of Safety over OPC UA follows on seamlessly from the aforementioned topics. PI expects further areas of cooperation to emerge in the coming years.