The use of functionally safe devices has increased sharply in recent years. In 2017 alone, the number of PROFIsafe nodes brought to market grew by nearly 2 million. Today, well over 10 million nodes are integrated in production plants. There is hardly a machine or system today that does not make use of safety functions. Another trend is the distribution of demanding automation tasks over multiple controllers that communicate with one another using OPC UA. There are, for example, industries with a traditionally very heterogeneous automation landscape, such as food and beverage, in which controllers from different vendors are often used. However, there is no cross-manufacturer standard for functionally safe transfer between controllers – and, thus, between the machines represented by these controllers.
Another problem with existing safety protocols is the lack of a concept for dynamically establishing and terminating connections. The current state of technology requires early during the project planning phase that ‘who communicates with whom’ be defined and those corresponding safe addresses be permanently encoded. Should the communication patterns change or expand, the safety function of all participants must be changed, which usually requires a costly re-certification.
In the context of Industry 4.0, this is no longer in keeping with the times. It should be possible to rearrange modular machines, e.g., consisting of processing machines, loading and unloading systems as well as other incoming and outgoing transport units, during running operation if necessary, without interrupting production for an unnecessarily long time. If there are safety functions that span multiple modules – e.g., “safely reduced speed while opening a loading unit” – they must be available immediately after rearranging the modules, if necessary after an automatic self-test plus user acknowledgement. Cumbersome manual testing of the safety function or even re-approval by an external agency would not be tolerable in these scenarios. There are even more extreme requirements in autonomous mobile vehicles, crane trolleys or robots that move autonomously from machine to machine. Reconfiguration of the safety function must be possible here without any human interaction.
To facilitate such scenarios, a safety protocol between controllers from various manufacturers is necessary that allows connections to be established and terminated dynamically and yet simultaneously supports all concepts that correspond to the current state of technology.
Proven technology for safe concepts
One solution to the problem is offered by the “Safety over OPC UA” specification, which is currently in review. Since OPC UA is becoming increasingly important for connections between controllers from different manufacturers, it makes sense to extend it to functionally safe communication as well. For this purpose, the joint working group between PI and the OPC Foundation, consisting of well-known companies and organizations, was started in November 2017. The experts defined the key points for functional safety and the boundary conditions: the safety concept is available to all members of the OPC Foundation and PI. It is compliant with IEC 61784-3 “Functional safety fieldbuses” and uses existing PROFIsafe mechanisms.
Thus, the following still applies: a single cable for standard communication and safety-related communication. And it will again be based on the proven black-channel principle. This can also be applied to controller-controller communication, whereby the OPC UA communication stack then performs the role of the black-channel. The proven protocol safety mechanisms – CRC, codenames, monitoring numbers, watchdog monitoring and the SIL monitor – will also be adopted.
The OPC UA stack and the network components, such as gateways or routers, do not need to be taken into consideration during a certification and can also be subsequently adapted or expanded at any time. Relevant to certification is only the correctness of the implementation of the PROFIsafe protocol on a functionally safe platform.
More flexibility
In the review version, the fundamental concept and detailed development of the specifications were defined. The new specification first addresses the client/server communication models of OPC UA. A connection to Pub/Sub including Pub/Sub via TSN is already provided for, thereby allowing even very short cycle times to be realized in the communication. Unidirectional, bidirectional and multicast connections are possible, as are arbitrary network topologies (e.g., line, tree, star, ring). With up to 1500 bytes, there are also sufficient reserves with respect to the data quantities.
Adjustments were necessary in the state machines, the protocol datagrams and the initialization, since controllers with equal rights now communicate with each other, rather than a controller communicating with subordinate devices. The definition of the PROFIsafe protocol state machine clarifies, for example, how a connection is established, when process values or safe substitute values are to be output, and how a restart is to be acknowledged. Another aspect is the definition of the data types and data structures that are to be transferred, as well as the safe check of whether both communication partners even have the same understanding of how the transferred data are to be interpreted.
Also new are the simplified diagnostics. Particularly with complex safety functions in which multiple controllers from various manufacturers are involved, it is important to quickly identify and localize errors and determine the cause. The specification therefore also defines the diagnostic data that are to be displayed to ensure that the same error text is displayed for each error type (e.g., CRC error or time-out) for all controllers. Diagnostics are possible via the already existing mechanisms of the individual manufacturers as well as via OPC UA, which speeds up the localization and identification of possible error sources.
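The black-channel mechanisms named above (codename, monitoring number, CRC, watchdog), the state-machine behaviour of outputting process values or safe substitute values and acknowledging a restart, and the uniform diagnostic texts can be illustrated together in one simplified consumer. This is an added example, not code from the specification or from any PI or OPC Foundation implementation: the PDU layout, the 32-bit counter and the use of CRC-32 are assumptions chosen for illustration and do not reproduce the real PROFIsafe or Safety over OPC UA format.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Tuple


def _crc(codename: bytes, mn: int, data: bytes) -> int:
    # The CRC covers codename + monitoring number + data, so a PDU that was
    # replayed, reordered or delivered to the wrong partner fails the check
    # regardless of what the OPC UA transport (the black channel) did with it.
    return zlib.crc32(codename + struct.pack(">I", mn) + data) & 0xFFFFFFFF


def build_pdu(codename: bytes, mn: int, data: bytes) -> bytes:
    """Producer side (assumed layout): monitoring number | data | CRC-32."""
    return struct.pack(">I", mn) + data + struct.pack(">I", _crc(codename, mn, data))


@dataclass
class SafetyConsumer:
    codename: bytes        # connection identity agreed by both partners
    substitute: bytes      # safe substitute values output on any detected fault
    watchdog_ms: int       # maximum allowed age of the last accepted PDU
    expected_mn: int = 1   # next monitoring number (sequence counter) expected
    last_ok_ms: int = 0    # time the last PDU was accepted
    crc_errors: int = 0    # SIL-monitor style count of CRC failures
    faulted: bool = False  # once set, only an explicit acknowledgement clears it

    def _fault(self, text: str) -> Tuple[bytes, str]:
        self.faulted = True
        return self.substitute, text

    def receive(self, pdu: bytes, now_ms: int) -> Tuple[bytes, str]:
        """Consumer side: returns (values to output, uniform diagnostic text)."""
        if self.faulted:
            return self.substitute, "faulted: awaiting acknowledgement"
        if now_ms - self.last_ok_ms > self.watchdog_ms:
            return self._fault("time-out")
        if len(pdu) < 8:
            return self._fault("CRC error")
        mn = struct.unpack(">I", pdu[:4])[0]
        data, rx_crc = pdu[4:-4], struct.unpack(">I", pdu[-4:])[0]
        if rx_crc != _crc(self.codename, mn, data):
            self.crc_errors += 1
            return self._fault("CRC error")
        if mn != self.expected_mn:
            return self._fault("monitoring number error")
        self.expected_mn += 1
        self.last_ok_ms = now_ms
        return data, "ok"

    def acknowledge(self, now_ms: int) -> None:
        """User acknowledgement restarts the connection from a defined state."""
        self.faulted, self.expected_mn, self.last_ok_ms = False, 1, now_ms
```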
Changing communication partners
With Safety over OPC UA, connections can also be established or terminated at runtime. A given interface can be used in turn by different partners, thereby allowing a connection to be established dynamically. Benefiting from this equally are modular machines, autonomous guided vehicles (AGVs), autonomous moving robots (AMRs), and tool changers.
In contrast to today’s functional safety communication protocols, nodes no longer have to know all of the others initially at the project planning stage. This makes it possible, for example, to add a new mobile robot to a system without having to reconfigure all of the existing machines.
Advantages of the PROFIsafe solution
By retaining the proven PROFIsafe principle, it will be significantly easier in the future for manufacturers to establish a functionally safe connection between controllers. Due to the many proven uses of PROFIsafe, this also ensures high acceptance by both manufacturers and end users, as well as notified bodies such as certification authorities. A further advantage is that no specific requirements are placed on non-safety components. An unlimited number of network nodes is thereby possible, and the communication speed is not limited.
An initial trial implementation, shown as a proof of concept at the PI joint stand at SPS/IPC/Drives 2018, demonstrated that the concept works. The specification, which is currently under review, will be completed in time for the Hanover Fair 2019. Test specifications in which test procedures are defined are being prepared concurrently.
The result of the collaboration between PI and the OPC Foundation is a practice-oriented as well as sustainable solution for the future in the area of functional safety that is supported by the majority of manufacturers and users.
Dr. Max Walter
Head, PI PROFIsafe over OPC UA Working Group