Functional safety (fail-safe) is the part of overall safety that aims to prevent hazards caused by the incorrect functioning of industrial machinery. Traditionally, functional safety systems relied on separately wired circuits that are expensive to build, commission, and maintain. Nowadays, functional safety can be implemented over the fieldbus, shifting from safety in hard-wired relays to safety in logic. With over 13 million installed nodes worldwide (2019), PROFIsafe is the industry-leading solution for functional safety over the bus.
PROFIsafe eliminates the need for a separate safety network and reduces industrial network architectures to a single bus. PROFIsafe extends the standard PROFINET communication protocol to address unique requirements for safety-related information necessary to conform to strict safety standards.
Functional Safety Standards
PROFIsafe ensures the integrity of fail-safe signals transmitted between safety devices and a safety controller, thereby meeting all relevant safety standards. Specifically, such measures include the highest safety categories: up to SIL3 according to IEC 61508 / IEC 62061, and Category 4 according to EN 954-1, or PL “e” according to ISO 13849-1.
Network Components and Implementation
Not all PROFINET devices support PROFIsafe. Therefore, the user must carefully select their safety components. During implementation, the user selects the elements within the network that require safety; only those network components require PROFIsafe capabilities. As shown in the figure below, the overall network configuration may contain a mix of fail-safe (yellow) and standard (grey) components. Also, PROFIsafe is designed to work independently of the base transmission channel, whether that channel is copper wire, fiber optics, wireless, or a backplane.
PROFIsafe components are commonly called F-components (fail-safe). The following are PROFIsafe elements in an F-system:
- The F-GSD file (General Station Description file: the PROFINET device description provided by the device manufacturer) contains all the information an F-controller needs to set up and communicate with the device. A Cyclic Redundancy Check (CRC) protects the F-GSD file to ensure its safety conformance.
- The F-config tool is the programming environment. It uses F-GSDs to create and download the system configuration and F-program to the F-controller. The F-program and configuration are subject to PROFIsafe safety checks to ensure correct functioning.
- The F-controller executes the safety program.
- F-Devices use hardware safety techniques to ensure their safe operation. I/O, light curtains, valves, and drives are a few examples of F-devices.
PROFIsafe protects communication from the safety signal's origin to its destination (and vice versa). It ensures the integrity of the safety portion of the communication. Within any Ethernet-based network, certain communication errors can occur, such as message repetition, deletion, or delays. PROFIsafe incorporates several remedies to address all possible communication errors. The following table lists the remedies and indicates which errors they mitigate.
The transmission rate and any built-in error detection mechanisms of the transmission protocol are considered a “Black Channel” and play no role in safety considerations. This approach frees users from having to worry about the safety assessment of the individual system communication paths. Also, there is no need for safety-rated cables or connectors. The following figure illustrates the Black Channel principle:
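The communication errors from the previous paragraph and the Black Channel principle above, as an added Python model that is not PROFIsafe's own code or frame format: a simplified receiver applies a codename (F-address) check, a consecutive-number check, a watchdog timeout and an integrity CRC to each telegram, all in the safety layer, so the checks work whatever the underlying transport does. The PDU layout, the 1-byte counter, the zlib CRC-32 and the millisecond timings are assumptions made for illustration.

```python
import zlib
from dataclasses import dataclass, replace
# Constructed model of the receiver-side checks PROFIsafe adds above a black channel.
# Real frame layouts, CRC polynomials and timing rules differ; only the principle is shown.

@dataclass(frozen=True)
class SafetyPDU:
    f_address: int   # codename of the sender/receiver pair this telegram belongs to
    counter: int     # consecutive number (1 byte in this model)
    payload: bytes   # safety process data
    crc: int         # integrity check over address, counter and payload
def _body(f_address, counter, payload):
    return f_address.to_bytes(2, "big") + counter.to_bytes(1, "big") + payload
def build_pdu(f_address, counter, payload):
    return SafetyPDU(f_address, counter, payload, zlib.crc32(_body(f_address, counter, payload)))

class SafetyReceiver:
    def __init__(self, expected_address, watchdog_ms, start_ms=0):
        self.expected_address, self.watchdog_ms = expected_address, watchdog_ms
        self.last_counter = 0          # counter of the last accepted telegram
        self.last_time_ms = start_ms   # arrival time of the last accepted telegram

    def check(self, pdu, now_ms):
        """Return "ok" or the detected error; a real F-device would then go fail-safe."""
        if zlib.crc32(_body(pdu.f_address, pdu.counter, pdu.payload)) != pdu.crc:
            return "corruption"     # bit errors the black channel did not catch
        if pdu.f_address != self.expected_address:
            return "misaddressed"   # insertion of a telegram meant for another device
        if now_ms - self.last_time_ms > self.watchdog_ms:
            return "delay"          # watchdog expired
        if pdu.counter == self.last_counter:
            return "repetition"     # same telegram delivered twice
        if pdu.counter != (self.last_counter + 1) % 256:
            return "deletion"       # a telegram in between was lost
        self.last_counter, self.last_time_ms = pdu.counter, now_ms
        return "ok"
def run_demo():
    """Feed a constructed telegram sequence through the checks and return the verdicts."""
    rx = SafetyReceiver(expected_address=0x0010, watchdog_ms=100)
    t1, t2, t3 = (build_pdu(0x0010, n, b"\x01") for n in (1, 2, 3))
    return [
        rx.check(t1, 10),                             # ok
        rx.check(t1, 20),                             # repetition
        rx.check(t3, 30),                             # deletion (t2 never arrived)
        rx.check(t2, 40),                             # ok
        rx.check(t3, 400),                            # delay (watchdog is 100 ms)
        rx.check(replace(t3, payload=b"\xff"), 50),   # corruption (CRC no longer matches)
        rx.check(build_pdu(0x0099, 3, b"\x01"), 50),  # misaddressed
    ]
```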
Device manufacturers that choose to add this profile to their PROFINET product must have the product certified for PROFIsafe before it is made available to the public. PI Test Laboratories perform the approved PROFIsafe layer tests on behalf of assessment bodies such as:
With the following link, you can download the Full PROFINET Application Profile White-Paper: