4th IFAC Symposium on Telematics Applications

4th
4th IFAC
IFAC Symposium
November on
on Telematics
6-9, 2016. UFRGS,
Symposium Applications
Porto Alegre,
Telematics RS, Brazil
Applications
4th IFAC Symposium
November
November 6-9,
6-9, 2016. on Telematics
2016. UFRGS,
UFRGS, Porto Applications
Porto Alegre,
Alegre, RS,
RS, Brazil
Available online at www.sciencedirect.com
Brazil
November 6-9, 2016. UFRGS, Porto Alegre, RS, Brazil

ScienceDirect
Influence of networkIFAC-PapersOnLine
parameters49-30 on(2016)
the278–283
recovery time of a ring topology
Influence
Influence of network parameters on the recovery time of a ring topology
Influence of
of network
network parameters
parameters on
on the
the
PROFINET network recovery
recovery time
time of
of aa ring
ring topology
topology
PROFINET
PROFINET network
network
PROFINET network
Fábio Alves Fernandes*, Guilherme Serpa Sestito*, André Luís Dias*, Dennis Brandão*, Paolo Ferrari**
Fábio
Fábio Alves
Alves Fernandes*,
Fernandes*, Guilherme
Guilherme Serpa
Serpa Sestito*,  André
Sestito*, André Luís
Luís Dias*,
Dias*, Dennis
Dennis Brandão*,
Brandão*, Paolo
Paolo Ferrari**
Ferrari**
Fábio Alves Fernandes*, Guilherme Serpa Sestito*,
 André Luís Dias*, Dennis Brandão*, Paolo Ferrari**

* Electrical Engineering Department, University of São Paulo
** Electrical 
Electrical Engineering
Engineering
São Carlos, Brazil (fabio.alves.fernandes@usp.br Department,
Department, University
University of
, guilherme.sestito@usp.br, of São
São Paulo
Paulo
São Carlos,
Carlos, Brazil * Electrical Engineering
Brazil (fabio.alves.fernandes@usp.br Department, University ofandreldias@usp.br
(fabio.alves.fernandes@usp.br ,, guilherme.sestito@usp.br,
guilherme.sestito@usp.br, São Paulo
andreldias@usp.br
, dennis@sc.usp.br )
São andreldias@usp.br ,, dennis@sc.usp.br
dennis@sc.usp.br ))
São Carlos, Brazil (fabio.alves.fernandes@usp.br , guilherme.sestito@usp.br, andreldias@usp.br , dennis@sc.usp.br )
** Department of Information Engineering, University of Brescia,
** Department
** of Information Engineering, University of Brescia,
** Department
Department of
of Information
Brescia,
Brescia,
Engineering,
Engineering, University
Italy, (paolo.ferrari@unibs.it
Information
Italy,
) of
University
(paolo.ferrari@unibs.it ) of Brescia,
Brescia,
Brescia, Italy, (paolo.ferrari@unibs.it )
Brescia, Italy, (paolo.ferrari@unibs.it )
Abstract: This paper proposes a study on the use of ring topology to increase availability of PROFINET
Abstract:
networks. This
Abstract: This paper proposes
paper
It discusses proposes aa study
the influence study on on the
the use
use of of ring
ring topology
topology to increase
to increase availability
(MRP),availability
watchdog of of PROFINET
PROFINET
Abstract:
networks. This
It paper proposes
discusses the a studyof
influence ofonMedia
the useRedundancy
Media of ring topology
Redundancy
Protocol
Protocolto increase
(MRP), availability
watchdog
time,
of
time,
and the
PROFINET
and the
networks.
computational It discusses
power ofthetheinfluence
PROFINET of Media
ControllerRedundancy Protocol (MRP),
on the communication watchdog
recovery timetime,afterand the
a ring
networks.
computational It discusses
power ofthetheinfluence
PROFINET of Media
ControllerRedundancy
on the Protocol (MRP),
communication watchdog
recovery time time,
after and
a the
ring
computational
fracture. The paper power of the to
proposes PROFINET
consider two Controller on the communication
main contributions to the overallrecoveryrecoverytime time:after a ring
the first is
computational
fracture. The power
paper of the to
proposes PROFINET
consider Controller
two on the communication
main contributions
contributions to the
thewhile
overall recovery
recovery time
time: after a ring
the first
first is
fracture.
related to The
the paper
low proposes
level to consider
(Ethernet layer two
2) main
redundancy management, to overall the recovery
second time:
is the
related to is
the
fracture.
related to The
the paper
low proposes
level to consider
(Ethernet layer tworedundancy
2) main contributions management, to thewhile
overall the recovery
second time:
is the first
related to is
the
related
softwareto the low levelof(Ethernet layer 2) redundancy management, while the second is related
haveto the
related
software toconfiguration
the low levelof(Ethernet
configuration
the entire
the entire
entire
network.
layer
network.
Several different
2) redundancy
Several management,
different
configurations
while the second
configurations
of networks
of The is related
networks tobeen
haveresultsthe
been
software
created inconfiguration
laboratory and of many
the others network.
have been Several
analyzed different
in real configurations
industry of
plants. networks
collectedhave been
software
created inconfiguration
laboratory and of many
the entire
others network.
have been Several
analyzed different
in real configurations
industry of The
plants. networks
collectedhaveresults
been
created
show how in laboratory
watchdog could and many othersrecovery
influence have been timeanalyzed
since itsinviolation
real industrycould plants.
trigger Thehigher collected results
level routines
created
show howin laboratory
watchdog and many
could othersrecovery
influence have been time analyzed
since its its inviolation
real industrycould plants.
trigger Thehigher collected results
level routines
routines
show
whose
show how
how watchdog
duration
watchdog is could
basically influence
set
could influenceby recovery
PROFINET
recovery time time since
controller
since its violation
computational
violation couldcould trigger
capability.
trigger On higher
On
higher level
balance, relevant
level routines
whose
whose
suggestionsduration
duration is basically
is basically
to increase set by PROFINET
set by PROFINET
the availability of PROFINET controller
controller
networkscomputational
computational
are pointed capability.
capability.
out. balance, relevant
On balance, relevant
whose
suggestionsduration is basically
to increase
increase set by PROFINET
the availability
availability of PROFINET
PROFINET controller
networkscomputational
are pointed
pointed capability.
out. On balance, relevant
suggestions to the of networks are out.
© 2016, IFAC
suggestions
Keywords: to (International
increase
PROFINET; the Federation
availability
Media of Automatic
of
Redundancy PROFINET Control)
Protocol;networksRealHosting
time byEthernet;
are pointedElsevier Ltd.
out. HighAllAvailability;
rights reserved. Ring
Keywords:
Topology; PROFINET;
Keywords: Industrial
PROFINET; Media Redundancy
Media
Automation. Redundancy Protocol; Protocol; Real Real timetime Ethernet;
Ethernet; High High Availability;
Availability; Ring Ring
Keywords:
Topology; PROFINET;
Industrial Media Redundancy Protocol; Real time Ethernet; High Availability; Ring
Automation.
Topology; Industrial Automation.
Topology; Industrial Automation. 
1. INTRODUCTION  PROFINET network is implemented using ring topology in
1. INTRODUCTION  PROFINET network is implemented
1. INTRODUCTION
1. INTRODUCTION PROFINET
laboratory, aiming network
networkto is
is verify networkusing
implemented using ring
ring topology
time in in
ring topology
recovery in
inaa
An important requirement in the world of industrial PROFINET laboratory,
laboratory, aiming
aiming to
to
implemented
verify
verify network
network
using
recovery
recovery
topology
time
time in
in a
An important requirement in thethe availability,
world of of which
industrial failure. In parallel, some real networks have been analyzed in
An important
automation is therequirement
control system in world industrial is laboratory,
failure.
failure. In aiming some
In parallel,
parallel,
to verify
some real networkhave
real networks
networks
recovery analyzed
have been
been
time in ina
analyzed in
An important
automation is requirement
the control in the availability,
system world of which industrial is real industry plants. In Section 4 the results and the analysis
automation
directly relatedis tothethecontrol system availability,
communication which as
network reliability, is failure. In parallel, some real networks have been analyzed in
automation
directly relatedis tothethecontrol system availability,
communication network which as
reliability, is real real
are industry
industry plants.
presented: plants.
influenceIn
In Section
Section 4
4 the
of parametersthe results
results and
and the
is analyzed the analysis
analysis
such as
directly
reported related
standards to the
IEC communication
61784 and IEC network
62439. reliability, as real industry plants. In Section 4 the results and the analysis
directly related
reported standards to IEC
the communication
61784 and IEC network reliability, as are
62439. are presented:
presented:
watchdog time, influence
influence
number of
of parameters
ofswitches
parameters is
is analyzed
composinganalyzedthe such as
suchthat
ring as
reported standards IEC 61784 and IEC 62439. are presented:
watchdog time, influence
number ofswitches
of parameters is analyzed
composing the suchthat
ring as
reported standards IEC 61784 and IEC
Currently, there are several communication network works 62439. watchdog with time,
MRP, number
and of switches
PROFINET composing
controller the ring
computational that
Currently, there are several
several communication network works watchdog
works with time,
MRP, number
and of switches
PROFINET composing
controller the ring
computational that
Currently,
technologies there are
for industrial communication
applications; network
Real Time Ethernet power. with MRP,
Finally, and 5PROFINET
Section brings relevant controller computational
conclusions.
Currently,
technologies there
for are several
industrial communication
applications; Real Time network works
Ethernet power. with MRP,
Finally, and 5PROFINET
Section brings controller
relevant computational
conclusions.
technologies
Networks (RTE)for industrial
are expanding applications; Real
and theirReal Time
use Time Ethernet
is on Ethernet power. Finally, Section 5 brings
the rise power. Finally, Section 5 brings relevant conclusions. relevant conclusions.
technologies
Networks (RTE)for industrial
are expanding applications;
and their use is on the rise
Networks
Sauter
Networks (RTE)
et al. (2006).
(RTE) are expanding
areThese
expanding latest and their
their use
technologies
and is
is on
use offers the
the rise
on specific rise 2. PROFINET AND MEDIA REDUNDANCY PROTOCOL
Sauter
Sauter et
et al.
al. (2006).
characteristics (2006).
(such These
These
as latest
latest technologies
communication technologies
in offers
offers specific
deterministic specific
time, 2.
2. PROFINET
PROFINET AND
AND MEDIA
MEDIA REDUNDANCY
REDUNDANCY PROTOCOL
PROTOCOL
Sauter et al. (2006). These latest technologies offers specific 2. PROFINET AND MEDIA REDUNDANCY PROTOCOL
characteristics
characteristics
synchronization (such
(such
between as communication
as communication
field devices, in
and deterministic
in deterministic
exchange of time, The PROFINET protocol is a Real Time Ethernet network
time,
small
The PROFINET protocol is a Real Time Ethernet
network
characteristics (such as communication in deterministic time, The
(RTE) PROFINET
supported by protocol
Profibus is a Real Time Ethernet network
synchronization
data efficiently between
synchronization between field
field devices,
and frequently, devices, and
and exchange
Felser exchange
(2005)) that of
of small
small
are The (RTE) PROFINET
supported protocol
by Profibus is aInternational
Real Time (PI),
International Ethernet
(PI),
designed for
network
designed for
synchronization between field devices, and exchange of small (RTE)
use in supported
industrial by Profibus
communication International
networks. (PI), designed
Characterized for
data efficiently
data efficiently
extremely useful and
and
in frequently,
frequently,
industrial Felser
applications, (2005))
Felser (2005)) Duerkop that are
thatet areal. (RTE)
use in supportedcommunication
industrial by Profibus International
networks. (PI), designedbyforaa
Characterized
by
data efficiently and frequently, Felser (2005)) that are use in industrial communication networks. Characterized by
extremely
extremely useful
useful et
(2012), Akerberg in industrial
in al.
industrial
(2009) and applications,
applications,
Ferrari et al. Duerkop
(2010). et
Duerkop al.
al. use
etLast, central
central
station
in industrial
station
that
that
communicates
communication
communicates
with
networks.
with
field devices
Characterized
field devices by aa
spread
spread
extremely
(2012),RTE useful
Akerberg in industrial
et al.
al. (2009)
(2009) applications,
and to Ferrari Duerkop
et al.
al. (2010). et
(2010). Last, al.
Last, central
across station
the that
network communicates
as described with
in field
Profibus devices spread
International
(2012),
these Akerberg
networks et and Ferrari et central the station that communicates with field devices spread
(2012),RTE
these Akerberg
networks et al.also
also
provide
(2009)
provideand to the users
Ferrari
the et al. strategies
users (2010). Last,
strategies
for across
for across
(2012). the network
networkthree
It supports as described
as different
describedtypes in
in Profibus
Profibus
of devices: International
International
these RTE
redundancy networks
that can also provide to the users strategies for across the network as described in Profibus International
these RTE networks
redundancy that canalsoincrease
provide to
increase
thetheavailability
the users strategies
availability
of the
of for (2012).
the (2012). It It supports
supports threethree different
different types
types of of devices:
devices:
redundancy
automation
redundancy that
system.
that can
can increase
increase the
the availability
availability of
of the
the •(2012). It supports three
IO-Controller is the different
centraltypes of devices:
station of intelligence,
automation
automation system.
system. • IO-Controller
•• responsible
IO-Controller is
for is the
thethe central
central station
station of
of intelligence,
automation system.
In the 2015, with more that 10 Millions of installed nodes, IO-Controller
responsible for is
the
management
the central
management
and control
station
and of intelligence,
control
throughout
intelligence,
throughout
In the 2015,
2015, is withone more that 10 Millions of installed
installed nodes, responsible
the data
responsible for
transfer the
for the management
management and control throughout
process; and control throughout
In the
PROFINET with moreof that
the 10 Millions
leading of
solutions among nodes,the the data transfer process;
In the 2015, is
PROFINET withone moreof that
the 10 Millions
leading of installed
solutions among nodes,the the data transfer
• IO-Device process;field devices such as sensors,
represents
PROFINET is one of the leading solutions among the the
different RTE technologies. The rapid spread of PROFINET • IO-Device represents field devices such as sensors, data transfer process;
PROFINET
different RTE istechnologies.
one of theThe leading
rapid solutions
spread among the • actuators, IO-Device IO represents
modules, fieldthatdevices such as
exchanges sensors,
information
different RTE
installation technologies.
requires a carefully The rapid
rapid spread
The analysis of theof
of PROFINET
PROFINET
PROFINET • actuators,
of performance IO-Device IO represents
modules, fieldthatdevices such as sensors,
different RTE
installation technologies.
requires a carefully analysis spread
of the performance actuators,
cyclically IO the
with modules,
IO that exchanges
controller; exchanges information
information
installation
that can be requires
obtained,aa and carefully analysis
analysisofof
the creation the
the performance
ofdesign guidelines. actuators, with IO modules, that exchanges information
installation
that
that can
can be requires
be isobtained,
obtained,
carefully
and
andthe the creation
creation of
theredundancy design performance
design guidelines.
offeatures guidelines. • cyclically
cyclically
IO-Supervisor
cyclically
with the
with
the
the
IO
IO controller;
IO
controller;
represents the engineering station. It
controller;
This paper focuser on offered by
that can be isobtained, andthe theredundancy
creation offeatures
design guidelines. •• purposes
IO-Supervisor
IO-Supervisor is to representsandthe
represents
configure the engineering
engineering station.
station. It
It
This
This paper
paper isand
PROFINET focuser
focuser
its mainon
on the aimredundancy
is to give features offered
offered by
some directions by
to • purposes IO-Supervisor is to representsandtheperform
configure
diagnostics
engineering
perform diagnostics
across
station.
acrossIt
This paper
PROFINET is focuser
and on the redundancy features offered by purposes
the network. is to configure and perform diagnostics across
PROFINET
engineers and its
dealing main
itswith
mainhigh aim is
is to
to give
aimavailability some
some directions
give systems directions
built to
to
over purposes
the network. is to configure and perform diagnostics across
PROFINET and its mainhigh aim is to give systems some directions to the
engineers
engineers
PROFINET. dealing
dealing with with high availability
availability systems built built over
over PROFINET the network.
network. communication can be synchronized or
engineers
PROFINET. dealing with high availability systems built over PROFINET communication
PROFINET.
PROFINET.
PROFINET
unsynchronized, as discussed incan
communication canFerraribe
be et synchronized
synchronized
al. (2007) and or
or
This paper is organized as follows: Section 2 addresses issues PROFINET unsynchronized, communication
as discussed canFerrari
in be et synchronized
al. (2007) or
and
This paper is organized as follows: Section 2 addresses issues unsynchronized,
Fontanelli et al. as
(2014). discussed in Ferrari et al. (2007) and
This paper
related to isPROFINET
organized asprotocol follows: Section
and 2 addresses
Media issues unsynchronized,
Redundancy Fontanelli et al. as discussed in Ferrari et al. (2007) and
(2014).
This paper
related to isPROFINET
organized asprotocol follows: Section
and 2 addresses
Media issues Fontanelli et al. (2014).
related
Protocol
related
to(MRP).
to
PROFINET
PROFINET Sectionprotocol
3, exposes
protocol
and the
and
Media
Mediacase Redundancy
Redundancy
of study: a Fontanelli et al. (2014).
Redundancy
Protocol
Protocol (MRP).
(MRP). SectionSection 3, 3, exposes
exposes the the case
case of of study:
study: aa
Protocol (MRP). Section 3, exposes the case of study: a
Copyright
2405-8963 ©© 2016,
2016 IFAC 278Hosting by Elsevier Ltd. All rights reserved.
IFAC (International Federation of Automatic Control)
Copyright
Peer review©
Copyright 2016
©under IFAC
2016 responsibility
IFAC 278
278Control.
of International Federation of Automatic
Copyright © 2016 IFAC
10.1016/j.ifacol.2016.11.141 278
 2016 IFAC TA
November 6-9, 2016. Porto Alegre, Brazil
Fábio Alves Fernandes et al. / IFAC-PapersOnLine 49-30 (2016) 278–283 279
Communication between IO-Controller and IO-Devices is
done by the establishment of an Application Relationship
(AR). Each AR means a logical connection required to
provide the exchange of data between two devices. Data to be
exchanged are defined in different Communication
Relationship (CR). There are different types of CRs. Cyclic
process data flows over the IO Data CR, the configuration
data and other acyclic data flow over the Record Data CR and
real time alarm data over Alarm CR. In PROFINET, the
cyclical data exchange between the IO-Controller and an IO-
Device can start only after all the CRs between them have
been configured and parameterized, as described in Profibus
International (2012).
Two important time parameters in PROFINET technology is
the cycle time and the watchdog time. Both of them are set in
the design phase and their values are very important for
network performance. In details:
• Cycle time refers to refresh rate at which the cyclical IO
Data are sent by a device to other one (i.e. from IO-
Device to IO-Controller for input data and vice versa for
the output data); it should be noted that PROFINET
exploits full-duplex capability of Ethernet, hence the IO
Data are sent independently in the two directions.
• The watchdog value is the time used to monitor the
correct receipt of data. Hence, the watchdog supervises
the ARs, meaning that if the AR consumer does not
receive any IO Data during the predefined watchdog time
interval, the AR is aborted. In other word, the watchdog
time is the time the automation application can still be
considered working properly even if it is not receiving
feedback from the field
According to Profibus International (2012) the watchdog
time of a device is related with the cycle type, and it can be
calculated by Equation 1:
Watchdog_Time = Watchdog_Factor × Cycle_Time
where the Watchdog_Factor is defined as the number of
consecutive messages not received by a device.
In conclusion, when a problem with the provider of the IO
Data occurs, or the network does not guarantee the delivery
of frames to the consumer of the IO Data (and this is exactly
the problem this paper deals with) the watchdog time expires
cancelling also the AR. In order to re-establish the AR, all the
configuration and the parametrization of the involved device
(or multiple devices) must be done again, leading to a
downtime (of variable duration) of the automation system.
2.1 Redundancy for PROFINET
There are several possibilities to increase the reliability and
availability of a communication network for industrial
automation. A simple approach is through the introduction of
a network redundancy strategy. General protocols derived
from IT world, like RSTP (Rapid Spanning Tree Protocol)
may be used, but they lack of the timeliness required by
industry applications. Therefore, IEC 62439 standard
proposes four different protocols as a solution for industry
grade redundancy protocols:
• Media Redundancy Protocol (MRP)
• Parallel Redundancy Protocol (PRP)
• Cross-network Redundancy Protocol (CRP)
• Beacon Redundancy Protocol (BRP)
The PROFINET technology supports many network
topologies, but for the redundancy architectures, it exploits
the ring topology combined with the MRP. In this manner,
automation systems with increased availability can easily be
built, Profibus International (2015), and Felser (2008).
Fig. 1 shows a ring network with a single domain MRP. The
PROFINET technology may support many domains,
provided that they do not overlap. A network domain must
contain a device that performs the role of Media Redundancy
Manager (MRM) and one or more devices with the role of
Media Redundancy Clients (MRCs). The MRM logically
opens the ring, preventing multicast and broadcast packet to
circulate forever in the loop, a condition that may saturate the
network with traffic. Each device in the ring must provide
two ports connected to the ring, which are called ring ports.
(1)
Fig. 1. Ring topology (closed ring)
There are some limitations in the use MRP, as follows:
• Supports up to 50 devices;
• the ring must consist of devices that support the MRP
protocol;
• ring devices must be interconnected via their ring ports
and must be members of the same redundancy domain.
The ports of the MRM connected to the ring may have three
different statuses, which are:
• Disable: port blocks all data traffic
• Blocked: port blocks data traffic, except for MRP control
frames and other LLDP frames (Link Layer Protocol );
• Forwarding: released port, allows data traffic of all types
of frames.
Generally, when there are no fails in the ring (“Close Ring”
conditions) the MRM has one of the two ring ports
configured as Forwarding and the other configured as
Blocking. Hence, the physical ring in the network treated as a
logical segment that begins at the MRM and ends at the MRC
connected to the Blocked port of the MRM. (MRC_3 in Fig.
1). In an event where the connection along the ring fails (no
279
2016 IFAC TA
280 Fábio Alves Fernandes et al. / IFAC-PapersOnLine 49-30 (2016) 278–283
November 6-9, 2016. Porto Alegre, Brazil
matter what is the cause), MRM is sole responsible for
changing port status, dealing with the failure. The MRM port
changes from Blocked to Forwarding, opening another path
for data flow. After a failure appears in the ring, the network
is called "Open Ring", (see Belie et al. (2013) ).
In order to detect faults, the MRM constantly sends test
frames every preset time called TST default at both Forwarding
and Blocked ports, as showed in Fig. 1. Usually, the test
frames travels along the ring in the two directions (the ring is
full duplex!) and reach the opposite ports after passing
through all the MRCs in the ring. The time within the MRM
must get back the control frames is defined as TestTimer. If
the test frames do not return after the expiring of TestTimer,
the MRM increases an internal counter (Test Counter). If the
counter reaches a certain predetermined value, defined as
TSTNRmax (typically 3 or 5), the MRM declares a ring
failure. In the case of frames return to MRM, the Test
Counter is reset again.
According to IEC62439 , the time to ring failure detection
(Tdetection) is given by equation 2.
Tdetection = TSTdefault × TSTNRmax (2)
After failure detection, the MRM must inform all the MRCs
that the ring is open and they have to take the proper
countermeasures. In details, the MRM sends Topology
Change frames on both its ring ports (that now, as state
before, are in the Forwarding state); the MRC, receiving the
Topology Change frames, clear all the entries of their MAC
Address table (i.e. the Ethernet Layer 2 address table used to
forward frames) related to the two ring ports.
When the failure is repaired, the MRM can receive again the
test frames. After receiving just one test frame, the MRM
reacts immediately, blocking one of its ring ports and
Topology Change frames. Thus the detection of the “Close
Ring” is faster than the detection of the “Open Ring”.
The recovery time of a MRP ring topology could be defined
as the sum of:
• the time needed by the MRM to detect the failure,
• the time that the MRM uses to send Topology Change
frames
• the time all MRCs take to adapt and learn again the
forwarding path.
According to IEC 62439, the time limit for a network that
uses the MRP recover is 200 milliseconds.
As result clear from the above, the MRP only take care of the
Ethernet Layer 2 network, and it does not take into account
the effect that ring reconfiguration has on the application
protocols transported over the ring. In particular, MRP does
not consider that a ring reconfiguration may cause the
disruption of the data exchange between IO Controller and IO
Device.
2.2 .Switch cascading in PROFINET
It may be interesting the evaluation of the influence on the in
recovery time of the number of switches installed between
the IO-Controller and the IO-Device, called “line depth”.
This parameter is important because every switch introduces
280
a delay that may be considered while the planning of the ring
topology; it should be remembered that the physical ring
topology is maintained by the MRM as a logical cascade of
switches (see previous section).
Following the PROFINET installation guidelines published
by the Profibus International (2014), the limit of switches in a
row depends on the update time of every device and the
switch forwarding technique (“store and forward” or “cut
through”). The limit is related to the forwarding time required
by the switch, which is smaller for “cut-through” switched
than for store-forward” switches. The suggested limits are
reported in Table I.
Analyzing the numbers in the tables, it is clear that only a
configuration with short cycle time and “store and forward”
switched may lead to visible impact on the ring topology
recovery time. On the other hand, the switches that are used
both in the laboratory experiments and in real industrial
applications are “cut-through”, because they generally offer
better performance. Consequently, at the moment, it is very
hard to experimentally evaluate the influence of the number
of switches in network recovery time and it will be
considered in future works.
Table 1. Number of switches in a row depending on type
Cycle Number of “cut- Number of “store
time through” switches and forward”
(ms) switches
1 7 64
2 14 100
4 28 100
8 58 100
3. CASES OF STUDY
In this paper, two classes of cases of study have been
considered: laboratory based cases and real application cases.
A. Laboratory experimental setup
The case of study proposes to identify the influence of the
watchdog time on the network recovery time in a ring
topology. For this reason, a PROFINET network had been
implemented using the equipment shown in Table 2. Fig. 2
shows the connections between the equipment in order to
obtain a ring topology. The MRM of the system is the switch
connected to the IO-Controller, which is marked with a red
point in the Fig. 2. It is important to highlight that the ring is
only composed by managed switches in this work. The AR
and CR are created between the IO-Controller and the IO-
Device for communication proposed.
A measuring system for capturing the network traffic was
used for network recovery time verification. This
measurement system consists of an Industrial Ethernet TAP
model EDS2100 made by Kunbus: such a device must be
connected in between (in series) two Ethernet stations and it
is able to copy all the Ethernet traffic passing through its
monitored ports. All the traffic is sent to a monitor station
using a third Ethernet port. The TAP is almost transparent to
the network, inserting delays less than 1 nanosecond. By the
way the TAP inserts a timestamp in network packets with a
 2016 IFAC TA
November 6-9, 2016. Porto Alegre, Brazil
Fábio Alves Fernandes et al. / IFAC-PapersOnLine 49-30 (2016) 278–283 281

resolution of 10ns. In the considered experimental setup the Controller, but several IO-Devices. For this reason, in these
collected packets are sent to a computer station with real cases, the TAP in inserted series with the link of the IO-
Wireshark software and PNT (PROFINET Network Analysis Controller, and the recovery time is the time interval that the
Tool) for offline analysis. IO Controller takes to return in exchange data with all the IO
Devices in the system. A sample network topology for the
The analysis methodology consists in evaluation the behavior
case of measurements taken in real systems is shown in Fig.
of the cyclic data exchange between the IO Controller and the
3.
IO Device in order to determine the effect of ring opening
and closing. For this reason, the TAP is installed between the Table 3. Network parameters in real cases.
IO Device and a switch.
Network IO-Devices Switches in the ring
Table 2. Equipment in the implemented network. L1 76 8
L2 100 19
Quantity Description Function
L3 142 13
1 CPU S7 1200 IO-Controller
L4 225 11
1 ET200-S IO-Device
3 Scalance X208 Switch The fault simulation procedure for real networks is the
1 TAP EDS 2100 Meas. System following:
1 PC + Wireshark + PNT Meas. System
• initially all the ring traffic passes through the cable A,
while the port of cable C is disabled and no traffic is
flowing
• while the network is running properly, cable A is removed
manually performing a break (failure) in the ring
topology. From this moment the network status is called
"Open Ring".
• after a few seconds, cable A is reconnected to its original
position, and the network returns to its former status,
called "Closed Ring".

Fig. 2. Network topology for the study C

The fault simulation procedure is the following:
• while the network is running properly, cable B is removed
manually performing a break (failure) in the ring
topology. From this moment the network status is called
"Open Ring".
• after a few seconds, cable B is reconnected to its original
position, and the network returns to its former status,
called "Closed Ring".
The suggested procedure provides scenarios to verify the
recovery time, i.e. measuring the time interval that IO
Controller takes to return in data exchange with the IO
Device through the test system. These scenarios are played
for different values of watchdog parameter.
B Real industry plant
In order to evaluate more complex scenario and also to show Fig. 3 Network topology for the case of real networks. The
how industry is dealing with the high availability of measurement point is the link of the controller.
networks, real application cases as used in industry have been
evaluated. Measurement campaigns have been carried out in 4. RESULTS
4 different configurations used in real plant during normal
The first experimental observation is that, during laboratory
production. The Table 3 shows the parameters of the different
test, the communication between IO Controller and IO
real PROFINET networks. All the networks have a single IO-
Device may be interrupted twice during the fault simulation

281
2016 IFAC TA
282 Fábio Alves Fernandes et al. / IFAC-PapersOnLine 49-30 (2016) 278–283
November 6-9, 2016. Porto Alegre, Brazil

procedure: when performing the break, removing cable B, experiments were done using different values for watchdog in
from "Closed Ring" to "Open Ring" status, and again when IO Device (ET200S): 60, 40 and 6 milliseconds. Each
reconnecting cable B, from "Open Ring" to "Closed Ring" experiment is repeated seven times. The results for the
status. Fig. 4 - Graph 1 shows the interruption of the traffic average RT and RRT are shown in Table 4. The value of
toward the IO-Device (as seen by the TAP installed TSTdefault and TSTNRmax are respectively 20ms and 3.
according Fig. 2) when the ring is opened and when ring is From the results of experiments A it is clear that the detection
closed again. of the “Open Ring” is slower than the detection of “Closed
Ring”, since in the last case just one test frame is needed. By
This behavior is easily explained since it depends on the
the way, the condition of “Closed Ring” is very dangerous if
MRM behavior. In details:
the MRM does not quickly block one of its ports.
• At the beginning of the experiments the MRM has the
Table 4. Average values for RT and RRT in experiments
link A in forwarding and the link C blocked.
• Manually disconnecting link B forces MRM to put also C Watchdog Value RT RRT
Experiment
in forwarding. [ms] [ms] [ms]
• Reconnecting link B forces MRM to block again link C. Minimum 48 18
MRM is the sole responsible for loop control and this is A 60 Average 55 23
the unique option that it has to logically open the ring. Maximum 60 28
Minimum 3506 18
In order to confirm this behavior the TAP has been temporary B 40 Average 3520 21
moved on the link C: the Fig. 4 - Graph 2 shows that the data Maximum 3534 28
exchange between IO Controller and IO Device in the cable Minimum 3460 3466
C is only present when the link B is disconnected. C 6 Average 3465 3472
Maximum 3470 3480

Again from experiment A, it can be noted that the watchdog

Fig. 4. Data traffic behavior during the experiment.
The PROFINET cycle time is 2 ms. The number of packets
per period is shown, with the period = 100 ms.
Thus, it is worth to define two kind of time interval before
carrying out the experiments:
• the Recovery Time (RT): the time interval needed to
reestablish the communication between the IO Controller
and the IO Device when a failure happens in the ring
topology.
• the Reconnection Recovery Time (RRT): the time interval
needed to reestablish the communication between the IO
Controller and the IO Device when the ring is closed
again.
4.1 Watchdog influence in the laboratory tests
For watchdog influence analysis on the RT and RRT, three
value is greater than both RT and RRT. Frames are lost and
do not arrive to their destinations (either IO-Controller or IO-
Device), but the watchdog do not expires and the AR
between IO Controller and IO Device, is not aborted. From
the application point of view, the redundancy switchover
controlled by MRP at Ethernet Layer 2 is seamless (i.e.
transparent) for the application.
In the experiment B, the watchdog set to 40ms. In this case,
the watchdog expires before the MRP process of ring
reconfiguration is completed, and the AR between IO
Controller and IO Device is cancelled. As a consequence, the
IO-Controller takes RT=3.52 s to re-establish the data
exchange because a new configuration procedure must take
place. Again, in experiment B, the MRP ring reconfiguration
after reconnection is faster that the watchdog and in this case
the RRT remains the same as in experiment A.
If (in experiment C) the watchdog time is decreased to 6 ms
(a value lower than any MRP reconfiguration times), the AR
is cancelled both when disconnecting and when reconnecting
the cable B. RT and RTT are almost identical with a value
greater than 3.4 s.
From these experiments, it is clear that the watchdog is the
real threshold between a seamless transition at application
level or a loss of communication. More in detail, if the MRP
reconfiguration time is lower than the watchdog, the
application does not halt while, if it is higher, the application
stops.
4.2 Recovery time in real systems
In order to avoid application from stopping when the ring is
opened or closed, the first approach is to increase the
watchdog time at a value grater that the MRP reconfiguration
time. However increasing the watchdog time results in

282
 2016 IFAC TA
November 6-9, 2016. Porto Alegre, Brazil
Fábio Alves Fernandes et al. / IFAC-PapersOnLine 49-30 (2016) 278–283 283
increasing the time the application is assumed to work
properly without feedback. In real application, this time
cannot be increased without limits, because safety issues
came into play (e.g. motors running without feedback,
chemical reactions without control, etc.).
As shown in Ferrari et al. (2011), real PROFINET networks
have tens of devices, many switches in the ring, and are
managed by IO-Controller with finite computational
capability. All these constrains contribute to increase the RT
perceived by the application, but only when the RT is greater
than the watchdog. The Table 5 shows the recovery times of
different real PROFINET networks using ring topology.
The analysis of the experimental data, obtained in network
with the same IO-Controller model, shows that the RT is
comparable with the RT measured in laboratory in the
networks L1, L2 and L3, despite the higher number of IO-
Devices in these real cases. On the contrary in network L4,
when the number of devices that abort the AR with the IO-
controller during the redundancy switchover increases too
much, the RT jumps to very high value. The explanation is
that the IO-Controller cannot configure all these devices at
the same time, but it needs several runs to put smaller groups
of devices back in data exchange. It results a longer RT when
the computational capability of the IO-Controller is
exceeded.
Table 5. Recovery time (RT) in real cases.
Aborted ARs
IO- Switches
Network during RT (s)
Devices in the ring
switchover
L1 76 8 7 3,67
L2 100 19 15 3,71
L3 142 13 23 4,11
L4 225 11 43 12,71
5. CONCLUSIONS
Undoubtedly, the MRP protocol is an important technique to
increase the availability of an industrial automation network,
as well as being a simple strategy and easy to apply. This
work developed a simple methodology to measure with high
resolution the recovery time in a PROFINET network in ring
topology using MRP protocol.
The experiments show that if MRP reconfiguration time is
lower than the watchdog time, the automation application
does not halt, while if it is higher the application stops. In
addition, when the application stops, the recovery time
increase a lot due to the new configuration and
parametrization of all the ARs between IO-Devices and the
IO-Controller. This last contribution is depending on the
number of device in the network, on their complexity (more
parameters), and on the computational capability of the IO-
Controller
As a result, it is suggested to: configure the watchdog time as
high as possible for a safe operation of the automation
application. (taking into account all the application
dynamics.); minimize the MRP reconfiguration time
shortening the TSTdefault compatibly with the resulting
283
increase of traffic; perform benchmark on the selected IO-
Controller to assess the time needed to configure and
parametrize the whole network.
ACKNOWLEDGMENT
The authors acknowledge the academic support and research
structure from the Laboratory of Industrial Automation of the
Engineering School of Sao Carlos, at the University of São
Paulo.
REFERENCES
Akerberg, J., Bjorkman, M. (2009) Introducing Security
Modules in PROFINET IO. In: Proc. of IEEE Emerging
Technologies and Factory Automation 2009, Mallorca.
IEEE, p. 1-8.
Belie, F.; Martinovic, G. (2013). Model of Influence of MRP
on Network Performance. In: Proc. of IEEE Symposium
on Computers and Communications, Split, Croatia, July
07-10.
Duerkop, L. et. al. (2012). Towards Auto configuration of
Industrial Automation System: A Case Study Using
PROFINET IO. In: Proc. of IEEE Emerging Technologies
and Factory Automation, 2012. New York: IEEE, 2012.
Felser, M. (2005). Real-time Ethernet - Industry Prospective.
Proceedings of IEEE, v. 93, n.6, p. 1118-1129, New York
Felser, M. (2008). Media Redundancy for PROFINET IO. In:
Proc. of IEEE International Workshop on Factory
Communication Systems 2008, Dresden, May 21-23
Ferrari, P., Flammini, A., Marioli, D., Taroni, A., Venturini
F. (2007). Evaluation of timing characteristics of a
prototype system based on PROFINET IO RT Class 3.
In: Proc. of IEEE Emerging Technologies and Factory
Automation 2007. p.1254-1261.
Ferrari, P., Flammini, A., Rinaldi, S., Sisinni, E., (2010). On
the Seamless Interconnection of IEEE 1588 – Based
Devices Using a PROFINET IO Infrastructure. IEEE
Transactions on Industrial Informatics, Vol. 6, No 3,
2010, pp. 381-392
Ferrari, P., Flammini, A., Venturini, F., Augelli A. (2011).
Large PROFINET IO RT networks for factory
automation: a case study. In Proc. of Emerging
Technologies and Factory Automation 2011, pp. 1-4
Fontanelli, D., Macii, D., Rinaldi S., Ferrari, P., Flammini, A.
(2014). A servo-clock model for chains of transparent
clocks affected by synchronization period jitter. IEEE
Transactions on Instrumentation and Measurement. Vol.
63, No. 5, pp. 1085-1095
Profibus International. (2012). Application Layer protocol for
decentralized periphery and distributed automation,
Technical Specification for PROFINET IO, v. 2.3.
Available at http://www.profibus.com
Profibus International. (2014). PROFINET, Design
Guideline. v. 1.14, December 2014. Available at
http://www.profibus.com
Profibus International. (2015). PROFINET IO System
Redundancy. v. 1.10. Available online at
http://www.profibus.com
Sauter, T. , Soucek, S. , Kastner, W. , Dietrich, D. (2011).
The evolution of factory and building automation. IEEE
Industrial Electronics Magazine. V. 5, Issue 3, pp. 35-48.