Safety over EtherCAT

EtherCAT Technology Group

- Requirements
- Safety over EtherCAT Technology
  - Architecture
  - Definitions
  - State Machine
  - Frame structure (Telegram)
  - Summary
- Conformance
- Applications

12.2019 Safety over EtherCAT Seminar 2


Safety in industrial automation

- Functional Safety
  - Protection against malfunction of machines
  - Protection of the machine operator against dangerous movements

- Safety functions (examples)
  - Monitoring of the workspace of a machine
  - Door guarding (with interlocking)
  - Protection with light curtain / laser scanner
  - Safe feeding of material
  - Muting
  - Safe movement with manual intervention
  - Two-hand control
  - Emergency stop
  - Safe operating stop
  - Safely-limited speed
Safety in industrial automation

[Figure: example machine with its safety functions: material feeding, muting, two-hand control, protection of the workspace (e.g. with a laser scanner), emergency stop, operator diagnosis, safely-limited position / speed for setup / maintenance, door guarding with a safety guard and interlocking]


Modern safety concepts

[Figure]


Advantages of safety bus systems

- Fast reaction
  - applicable for highly dynamic drive architectures
- Simplified system
  - better clarity
  - simple cabling
  - simple extension of the system
  - better diagnosis
  - and therefore: higher safety
- Pre-tested safety functions within the devices according to the legal standards
- Lower costs


International standardization

- German approach: BGIA test principles GS-ET-26
  - Test principles of the German Institute for Occupational Safety and Health (BGIA)
  - Bus systems for the transport of safety-related messages
  - Assessment requirements of the BGIA to evaluate safety bus systems
  - Basis of IEC 61784-3

- IEC 61784-3
  - Digital data communications for measurement and control - Part 3: Profiles for functional safety communications in industrial networks - General rules and profile definitions
  - Based on the Black Channel approach (see below)


IEC 61784-3

[Figure]


IEC 61784-3
Functional safety communication model

[Figure: two end devices, each with a Safety Application on top of a Safety Communication Layer, Application Layer (opt.), Data Link Layer and Physical Layer; the two Safety Communication Layers form the safety logical connection, while everything below them (fieldbus, backplane, repeater / switch, and a gateway with its own Application Layer (opt.), Data Link Layer and Physical Layer) is the black channel]


Safety function decomposition

[Figure: a safety function decomposed into Sensor(s) - Bus - Logic - Bus - Actuator(s); each bus hop is a logical connection with a 1 % share of the failure budget]

- Probability of failure for the safety function, according to IEC 61508:
  PFH_SafetyFunction < 10^-8 ... 10^-7 / h for SIL 3
- IEC 61784-3 highly recommends that the safety communication channel does not consume more than 1 % of the maximum PFD or PFH of the target SIL for which the functional safety communication profile is designed:
  PFH_LogicalConnection < 10^-9 / h for SIL 3

PFH_SafetyFunction = PFH_Sensor + PFH_Logic + PFH_Actor + PFH_LogicalConnection
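Added worked example (not from the seminar slides): the decomposition formula and the 1 % rule above, carried through in Python. The SIL 3 PFH band is the one stated on the slide; the other IEC 61508 high-demand bands are filled in from the standard, and the function takes one term per logical connection (the sensor-bus-logic-bus-actuator chain has two), which generalises the single-term formula on the slide. The sample values are constructed.

```python
# Added example: PFH decomposition of a safety function and the IEC 61784-3
# "1 % rule" for the safety communication channel. All values are per hour.

# Upper limit of the PFH band per SIL (IEC 61508, high / continuous demand).
# The slide states the SIL 3 band (10^-8 ... 10^-7 / h); the others are from the standard.
SIL_PFH_UPPER = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}
CONNECTION_SHARE = 0.01   # a logical connection may consume at most 1 % of the target SIL's PFH


def pfh_safety_function(pfh_sensor, pfh_logic, pfh_actor, pfh_connections):
    """PFH_SafetyFunction = PFH_Sensor + PFH_Logic + PFH_Actor + PFH_LogicalConnection.

    pfh_connections holds one term per bus hop (sensor-bus-logic-bus-actuator has two),
    which generalises the single connection term written on the slide.
    """
    return pfh_sensor + pfh_logic + pfh_actor + sum(pfh_connections)


def connection_budget(target_sil):
    """Largest PFH one logical connection may consume for the target SIL (1 % rule).

    For SIL 3 this is 1 % of 10^-7 / h = 10^-9 / h, as on the slide.
    """
    return SIL_PFH_UPPER[target_sil] * CONNECTION_SHARE


def assess(target_sil, pfh_sensor, pfh_logic, pfh_actor, pfh_connections):
    """Check the whole safety function against its SIL band and every logical
    connection against the 1 % budget. Returns the numbers and a list of findings."""
    total = pfh_safety_function(pfh_sensor, pfh_logic, pfh_actor, pfh_connections)
    budget = connection_budget(target_sil)
    findings = []
    for i, pfh_c in enumerate(pfh_connections):
        if pfh_c >= budget:
            findings.append(
                f"logical connection {i}: PFH {pfh_c:.1e}/h is not below the 1 % budget {budget:.1e}/h"
            )
    sil_ok = total < SIL_PFH_UPPER[target_sil]
    if not sil_ok:
        findings.append(
            f"safety function: PFH {total:.1e}/h is not below the SIL {target_sil} "
            f"limit {SIL_PFH_UPPER[target_sil]:.1e}/h"
        )
    return {"pfh_total": total, "connection_budget": budget, "sil_ok": sil_ok, "findings": findings}


if __name__ == "__main__":
    # Constructed sample values (not taken from any real device data sheet).
    result = assess(3, pfh_sensor=2e-8, pfh_logic=1e-8, pfh_actor=3e-8,
                    pfh_connections=[5e-10, 5e-10])
    print(result)
```

The budget is derived from the upper edge of the SIL band, which is the only reading under which the slide's SIL 3 figures (10^-7 / h for the function, 10^-9 / h for the connection) agree.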
Safety-over-EtherCAT

- Safety-over-EtherCAT defines a safe communication layer to transfer safe process data between Safety-over-EtherCAT devices.
- FSoE is an open technology
  - Supported by the EtherCAT Technology Group (ETG)
  - Part of the IEC 61784-3 international standard
- The protocol is approved by an independent Notified Body (TÜV Süd Rail GmbH).


FSoE – Typical Hardware Architecture

- 1-channel standard communication system
- Redundant hardware for safety protocol and safety-related application

[Figure: device with two controllers, Controller A and Controller B, each running the safety protocol, attached to one EtherCAT Slave Controller with an In port and an Out port (RJ45, magnetics, PHY)]


FSoE – Software Architecture

[Figure: Device 1 and Device 2, each with a Safety Application and a Standard Application on top of the Safety over EtherCAT protocol and the EtherCAT communication interface (DLL and AL); the safety data container (FSoE Frame) travels inside the EtherCAT telegram]

EtherCAT is used as a “black channel”. It contains safety and standard information.
Safety over EtherCAT | System Example

- Centralized or decentralized safety logic
- Standard PLC routes the safety messages

[Figure: standard PLC with centralized safety logic connected to safety inputs, safety sensors, safety outputs and safety drives; the drives carry decentralized safety logic]


FSoE – Master / Slave Connection

FSoE Master
Master of an FSoE Connection. The FSoE Master initiates the safety communication.
The FSoE Master sends an FSoE Master Frame that contains the SafeOutputs.
An FSoE Master can handle one or more FSoE Slaves.

[Figure: FSoE Master sending the SafeOutputs in the FSoE Master Frames]


FSoE Slave
Slave of an FSoE Connection.
The FSoE Slave sends the FSoE Slave Frame after receiving a valid FSoE Master Frame.
The FSoE Slave Frame contains the SafeInputs.
An FSoE Slave is assigned to one FSoE Master.

[Figure: FSoE Master and FSoE Slaves; the SafeOutputs travel in the FSoE Master Frames, the SafeInputs in the FSoE Slave Frames]


FSoE – Communication Cycle

FSoE Cycle
The FSoE Cycle consists of an FSoE Master Frame that is confirmed by the FSoE Slave Frame.
The FSoE Master sends the FSoE Master Frame to the FSoE Slave. With sending the frame, the FSoE Master starts a watchdog timer.
Only after receiving a valid FSoE Slave Frame does the FSoE Master generate the next FSoE Master Frame and start a new FSoE Cycle.

[Figure: sequence FSoE Master Frame -> start watchdog -> FSoE Slave Frame; the slave frame has to arrive within the FSoE Watchdog Time]


FSoE – Watchdog Time

FSoE Watchdog Time
Each device monitors that the partner device responds within the configured FSoE Watchdog Time.
If the Watchdog Time is exceeded, the device switches to the state “Reset”.
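Added example, not code from the slides or from the ETG: a deterministic simulation of the FSoE Cycle and Watchdog Time described above. Each side starts its watchdog when it sends a frame and checks it when the partner's frame arrives; a late frame moves that side to Reset, and the master only issues the next Master Frame after a valid Slave Frame. The timing values, the link-delay parameter and the assumption that the connection is already in state Data are this example's own.

```python
# Added example: simulation of the FSoE communication cycle and of the watchdog
# that each side runs on its partner. Time is a simulated millisecond clock, so
# the example runs offline and needs no real timers.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    name: str
    watchdog_time_ms: int            # configured FSoE Watchdog Time
    state: str = "Data"              # assumption: the connection has already reached state Data
    deadline_ms: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def start_watchdog(self, now_ms: int) -> None:
        """Started when this side sends its frame; the partner must answer before it runs out."""
        self.deadline_ms = now_ms + self.watchdog_time_ms

    def frame_received(self, now_ms: int) -> bool:
        """A partner frame arrived. Late means the Watchdog Time was exceeded -> state Reset."""
        if self.deadline_ms is not None and now_ms > self.deadline_ms:
            self.state = "Reset"
            self.log.append(f"{self.name}: watchdog expired at t={now_ms} ms -> Reset")
            return False
        self.log.append(f"{self.name}: valid frame received at t={now_ms} ms")
        return True


def run_cycles(master_wd_ms: int, slave_wd_ms: int,
               cycles: List[Tuple[int, int]], link_delay_ms: int = 1):
    """Run one FSoE Cycle per (master_processing_ms, slave_processing_ms) entry.

    Returns (completed_cycles, master, slave). The master only generates the
    next FSoE Master Frame after a valid FSoE Slave Frame arrived in time.
    """
    master = Endpoint("FSoE Master", master_wd_ms)
    slave = Endpoint("FSoE Slave", slave_wd_ms)
    now = 0
    completed = 0
    for master_proc, slave_proc in cycles:
        # The master sends the FSoE Master Frame and starts its watchdog.
        send = now + master_proc
        master.start_watchdog(send)
        master.log.append(f"FSoE Master: Master Frame sent at t={send} ms")
        # The slave, waiting since its last Slave Frame, checks its own watchdog.
        if not slave.frame_received(send + link_delay_ms):
            break
        # The slave answers with the FSoE Slave Frame and starts its watchdog.
        reply = send + link_delay_ms + slave_proc
        slave.start_watchdog(reply)
        slave.log.append(f"FSoE Slave: Slave Frame sent at t={reply} ms")
        # The master checks that the Slave Frame arrived within its Watchdog Time.
        if not master.frame_received(reply + link_delay_ms):
            break
        completed += 1
        now = reply + link_delay_ms      # the next cycle starts only now
    return completed, master, slave


if __name__ == "__main__":
    # Constructed timing: in the second cycle the slave is too slow for a 10 ms watchdog.
    done, m, s = run_cycles(10, 10, [(0, 2), (0, 15)])
    print(done, m.state, s.state)
    print("\n".join(m.log + s.log))
```

A slow master is caught the same way: because the slave's watchdog runs from the moment it sent its Slave Frame, a Master Frame that arrives too late moves the slave, not the master, to Reset.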


FSoE – Connections

FSoE Connection
The FSoE Connection is a logical connection between one FSoE Master and one FSoE Slave.
It is identified by a system-unique Connection-ID.
The uniqueness has to be checked by a safe configurator.

[Figure: one FSoE Master with three FSoE Slaves, Connection-ID 1, Connection-ID 2 and Connection-ID 3]


FSoE – FSoE Slave Address

FSoE Slave Address
Next to the Connection-ID, each FSoE Slave has a system-unique 16-bit FSoE Slave Address.
This address can be adjusted on the device, e.g. with a DIP switch.
The FSoE Slave Address is used for the unique addressing of the device.
Up to 65,535 devices can be addressed.
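Added example (not part of the slides): the uniqueness check a safe configurator has to perform, covering both the Connection-ID of the previous slide and the 16-bit FSoE Slave Address of this one. The sample configuration, its field layout and the treatment of address 0 as invalid are assumptions of this example.

```python
# Added example: the uniqueness check a safe configurator performs on an FSoE
# system configuration. Every Connection-ID and every FSoE Slave Address must be
# system-unique (across all masters), and the address must fit in 16 bits.
from collections import Counter
from typing import List, Tuple

# Constructed sample configuration (not a real system):
# (connection_id, fsoe_master, fsoe_slave_address, device_name)
SAMPLE_CONFIG: List[Tuple[int, str, int, str]] = [
    (1, "Master-1", 0x0101, "EmergencyStop"),
    (2, "Master-1", 0x0102, "LightCurtain"),
    (3, "Master-1", 0x0102, "SafeDrive"),      # same slave address as LightCurtain
    (3, "Master-2", 0x0201, "DoorGuard"),      # Connection-ID 3 reused on another master
    (4, "Master-2", 0x10000, "Spare"),         # does not fit in 16 bits
]

# Assumption of this example: with 65,535 addressable devices, address 0 is
# treated as "not configured" and rejected.
MIN_ADDRESS, MAX_ADDRESS = 1, 0xFFFF


def check_configuration(config):
    """Return a list of findings; an empty list means the configuration is acceptable."""
    findings = []
    for conn_id, master, addr, name in config:
        if not MIN_ADDRESS <= addr <= MAX_ADDRESS:
            findings.append(f"{name} ({master}): FSoE Slave Address {addr:#x} is outside 1..65535")
    # Uniqueness is system-wide, not per master: a Connection-ID may appear once
    # in the whole network, and so may a Slave Address.
    for conn_id, count in sorted(Counter(c[0] for c in config).items()):
        if count > 1:
            users = [f"{name} ({master})" for cid, master, _, name in config if cid == conn_id]
            findings.append(f"Connection-ID {conn_id} used {count} times: {', '.join(users)}")
    for addr, count in sorted(Counter(c[2] for c in config).items()):
        if count > 1:
            users = [name for _, _, a, name in config if a == addr]
            findings.append(f"FSoE Slave Address {addr:#x} used {count} times: {', '.join(users)}")
    return findings


def is_acceptable(config) -> bool:
    """True only when the configurator found nothing to object to."""
    return not check_configuration(config)


if __name__ == "__main__":
    for line in check_configuration(SAMPLE_CONFIG):
        print(line)
```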


FSoE State Machine per Connection

[Figure: states Reset -> Session -> Connection -> Parameter -> Data, with the transitions Reset_ok, Session_ok, Conn_ok and Param_ok]

For each FSoE Connection an FSoE State Machine exists in the FSoE Master and in the FSoE Slave.
The FSoE Master handles one State Machine per FSoE Slave.
After Power-On the FSoE Master and the FSoE Slave are in state Reset.
Only in state Data can the safe state of the Outputs be left.


FSoE State Machine – Error behavior

In case of an FSoE Connection error the devices change to the Reset state.

Examples
- FSoE Watchdog expires
- CRC check fails
- FSoE Reset telegram received

[Figure: from each of the states Session, Connection, Parameter and Data an error leads back to Reset]
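Added example, not code from the slides: the per-connection state machine of the two slides above in Python, with the four *_ok transitions, the three error examples (watchdog expiry, CRC failure, Reset telegram) that lead back to Reset, and a master holding one machine per slave. The handling of an out-of-sequence *_ok event is an assumption of this example.

```python
# Added example: per-connection FSoE state machine. States and *_ok transition
# names are the ones on the slide; the error events are the three examples of
# the error-behaviour slide. Everything else is an assumption of this example.

OK_TRANSITIONS = {
    ("Reset", "Reset_ok"): "Session",
    ("Session", "Session_ok"): "Connection",
    ("Connection", "Conn_ok"): "Parameter",
    ("Parameter", "Param_ok"): "Data",
}
# Connection errors: every one of them sends the machine back to Reset.
ERROR_EVENTS = {"watchdog_expired", "crc_failed", "reset_telegram_received"}


class FsoeConnectionStateMachine:
    """One instance exists per FSoE Connection, in the Master and in the Slave."""

    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.state = "Reset"          # state after power-on
        self.history = ["Reset"]

    def outputs_may_leave_safe_state(self):
        # Only in state Data may the safe state of the outputs be left.
        return self.state == "Data"

    def handle(self, event):
        if event in ERROR_EVENTS:
            self.state = "Reset"
        else:
            nxt = OK_TRANSITIONS.get((self.state, event))
            if nxt is None:
                # Assumption of this example: an *_ok event that does not fit the
                # current state is treated as a connection error as well.
                self.state = "Reset"
            else:
                self.state = nxt
        self.history.append(self.state)
        return self.state


class FsoeMaster:
    """The FSoE Master handles one state machine per FSoE Slave."""

    def __init__(self, conn_ids):
        self.connections = {cid: FsoeConnectionStateMachine(cid) for cid in conn_ids}

    def bring_up(self, conn_id):
        """Walk one connection through Reset -> Session -> Connection -> Parameter -> Data."""
        sm = self.connections[conn_id]
        for event in ("Reset_ok", "Session_ok", "Conn_ok", "Param_ok"):
            sm.handle(event)
        return sm.state

    def connections_in_data(self):
        """Connection-IDs whose outputs are currently allowed to leave the safe state."""
        return sorted(cid for cid, sm in self.connections.items() if sm.state == "Data")


if __name__ == "__main__":
    master = FsoeMaster([1, 2])
    master.bring_up(1)
    master.bring_up(2)
    master.connections[2].handle("crc_failed")      # slave 2 drops back to Reset
    print(master.connections_in_data())             # only connection 1 is still in Data
```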


Safety over EtherCAT: Software Architecture

FSoE Frame
The FSoE Frame is embedded as a container in the process data of the device.
Each device detects a new FSoE Frame if at least one bit in the FSoE Frame is changed.
Every 2 bytes of SafeData are checked by a 2-byte CRC. The maximum number of SafeData bytes is therefore not restricted by the protocol.

[Figure: Device 1 with Safety Application and Standard Application on top of the Safety over EtherCAT protocol and the EtherCAT communication interface; the EtherCAT frame is Ethernet Header | EtherCAT Header | 1. Datagram | 2. Datagram (process data carrying the FSoE Frame) | ... | FCS]

FSoE Frame:
CMD | SafeData 0 | CRC_0 | SafeData 1 | CRC_1 | ... | SafeData n | CRC_n | Conn ID
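Added example (not from the slides or from ETG.5100): building and checking a container frame with the layout above, so that a corrupted SafeData bit or a frame carrying another connection's Conn ID is rejected, together with the bit-change test for a new frame. The CRC polynomial, seed and coverage, the byte order and the command code are assumptions made here; the real values are defined in ETG.5100, so this code is not interoperable with FSoE devices and only illustrates the mechanism.

```python
# Added example: build and check a container frame with the layout
# CMD | SafeData block, CRC | ... | Conn ID, where a block holds at most 2 bytes
# of SafeData and is followed by its own 2-byte CRC.
# Assumptions: the CRC polynomial / seed, which fields each CRC covers, the byte
# order and the command value are NOT on the slide (they are defined in ETG.5100);
# a generic CRC-16 with polynomial 0x1021 over CMD + data block + Conn ID is used
# as a stand-in, so these frames are not interoperable with real FSoE devices.
import struct

CMD_DATA = 0x01   # constructed placeholder, not a real FSoE command code


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16 (MSB first)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(cmd: int, safe_data: bytes, conn_id: int) -> bytes:
    """CMD | SafeData0 CRC_0 | SafeData1 CRC_1 | ... | Conn ID.

    Each block holds 2 SafeData bytes (the last one may hold 1), so one byte of
    SafeData gives the 6-byte minimum frame and the length grows with the data.
    """
    if not safe_data:
        raise ValueError("at least one SafeData byte is required")
    conn = struct.pack(">H", conn_id)
    frame = bytearray([cmd])
    for i in range(0, len(safe_data), 2):
        block = safe_data[i:i + 2]
        frame += block + struct.pack(">H", crc16(bytes([cmd]) + block + conn))
    frame += conn
    return bytes(frame)


def parse_frame(frame: bytes):
    """Split a frame back into (cmd, safe_data, conn_id); ValueError on any CRC mismatch."""
    if len(frame) < 6:
        raise ValueError("frame shorter than the 6-byte minimum")
    rest = len(frame) - 3                 # everything between CMD and Conn ID
    if rest % 4 == 0:
        n_blocks, last_short = rest // 4, False
    elif rest % 4 == 3:
        n_blocks, last_short = rest // 4 + 1, True
    else:
        raise ValueError("length does not fit CMD + (SafeData, CRC)* + Conn ID")
    cmd, conn = frame[0], frame[-2:]
    body = frame[1:-2]
    safe_data = bytearray()
    pos = 0
    for i in range(n_blocks):
        size = 1 if (last_short and i == n_blocks - 1) else 2
        block = body[pos:pos + size]
        pos += size
        received = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        if received != crc16(bytes([cmd]) + block + conn):
            raise ValueError(f"CRC_{i} mismatch: corrupted data or frame of another connection")
        safe_data += block
    return cmd, bytes(safe_data), struct.unpack(">H", conn)[0]


def is_new_frame(previous: bytes, current: bytes) -> bool:
    """A device treats the container as a new FSoE Frame if at least one bit differs."""
    return previous != current


def accept_frame(frame: bytes, expected_conn_id: int) -> bytes:
    """Receiver side: all CRCs must match and the Conn ID must be the one configured
    for this connection, so a frame forwarded from another connection is rejected."""
    _, safe_data, conn_id = parse_frame(frame)
    if conn_id != expected_conn_id:
        raise ValueError(f"Conn ID {conn_id} does not match configured {expected_conn_id}")
    return safe_data


if __name__ == "__main__":
    f = build_frame(CMD_DATA, b"\x01", conn_id=1)
    print(len(f), f.hex())                  # the 6-byte minimum frame
    print(accept_frame(f, expected_conn_id=1))
```

Including the Conn ID in every CRC means a frame whose Conn ID was altered on the way fails every block check, and a frame that legitimately belongs to another connection is caught by the explicit Conn ID comparison in accept_frame; which of these two the real protocol relies on is, again, a matter of ETG.5100, not of this example.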


Safety measures for Safety over EtherCAT

Measures:
- Sequence Number
- Watchdog
- Connection ID
- CRC Calculation

Communication errors countered by these measures:
- Unintended repetition
- Loss
- Insertion
- Incorrect sequence
- Corruption
- Unacceptable delay
- Masquerade
- Repeating memory errors in switches
- Incorrect forwarding between segments


Safety over EtherCAT – Features

- The FSoE specification has no restrictions regarding:
  - Communication layer and interface
  - Transmission speed
  - Length of safe process data
- Routing via unsafe gateways, fieldbuses or backbones is possible, even wireless.


- FSoE Frame is mapped in the cyclic PDOs
  - Minimum FSoE Frame length: 6 bytes
  - Maximum FSoE Frame length: depending on the number of safe process data of the Slave Device
  - Therefore the protocol is suitable for safe I/O as well as for functionally safe motion control
- Confirmed transfer from the FSoE Master to the FSoE Slave and vice versa.
- Safety-related device parameters can be downloaded from the Master to the Slave at boot-up of the FSoE Connection.
  - Watchdog time
  - Device-specific safety-related parameters for the Slave application


- Probability of failure PFH < 10^-9 / h
  - Based on a bit error probability of 10^-2 of the underlying communication channel
  - No restrictions for device manufacturers and end users
- The protocol is developed according to IEC 61508 Safety Integrity Level (SIL) 3
- The protocol is approved by TÜV Süd Rail GmbH (Notified Body)
- Certified products with Safety-over-EtherCAT are available since 2005.
- Safety-over-EtherCAT is part of IEC 61784-3 Functional safety fieldbuses


Safety over EtherCAT – Open Solution

- FSoE is disclosed within ETG.5100 and is part of IEC 61784-3 Functional Safety Fieldbuses
- FSoE is a recommended Chinese Standard: GB/T 36006-2018
- Safety over EtherCAT implementation support
  - Support for planning, implementation and certification
- FSoE Conformance Test
  - Test cases to approve conformance of FSoE Master and FSoE Slave devices are available and approved
  - FSoE Conformance Test Tool for FSoE Slave devices approved by TÜV
- Implementations of several vendors already exist


Safety over EtherCAT - Vendors: 41 (as of 12/2019)

[Figure: vendor logos]


Safety over EtherCAT Conformance

- ETG.9001 Safety over EtherCAT Policy
  - defines FSoE conformance testing rules and policies
- FSoE Devices shall fulfil the following requirements:
  - Compliance to
    - IEC 61508 and / or relevant sector / product standards
    - IEC 61784-3 general part
    - ETG.5100 Safety over EtherCAT Specification
    - EtherCAT Conformance Test Policy (if applicable)
  - Passing Functional Safety Assessment and approval of the FSoE Device by a Notified Body


Device Assessment and Approval

[Figure: assessment and approval flow]
- Vendor: device development with Safety over EtherCAT (according to IEC 61508 or the appropriate product norm); overall safety lifecycle process
- FSoE Test Center: perform FSoE Conformance Test -> FSoE Conformance Test passed
- EtherCAT Test Center (if applicable): perform EtherCAT Conformance Test -> EtherCAT Conformance Test passed
- EMC Test Lab: EMC tests (increased immunity) passed
- Notified Body (performed by TÜV Süd): Functional Safety Assessment and Approval, process according to ETG.9100 FSoE Policy
FSoE Conformance Test Tool

[Figure: the FSoE test cases (XML) and the ESI (XML file) of the approved EtherCAT slave are loaded into the EtherCAT Conformance Test Tool (CTT); the CTT acts as EtherCAT Master towards the device under test (EtherCAT slave / FSoE slave) and produces the FSoE test results]


System aspects

Safety-related communication via standard communication systems, e.g. Ethernet or wireless

[Figure: Machine A, Machine B and Machine C linked by a backbone; safety data pass through the backbone; machine-wide safety functions, e.g. Emergency Stop or Safe Standstill; fieldbus option and safety option]


Safety for modern automation

Legend: M = FSoE Master Device (sends the FSoE Master Frame), S = FSoE Slave Device (sends the FSoE Slave Frame)

[Figure: one Master M and one Slave S, Connection ID 1]

- Configured Master-Slave connections
- Communication is routed via the standard PLC


[Figure: one Master M with two Slaves S, Connection ID 2]


[Figure: two Masters M in one network with their Slaves S, Conn ID 1 to Conn ID 4]

- Several Masters in one network
- Safety groups with group switch-off possible


[Figure: Master-Master link between two Masters M, Conn ID 5]

- “Master–Master” communication via Master & Slave implementation in the device
- Unique Conn-ID necessary!
- Used for machine chaining
Application | Tire and wheel testing machine

[Figure]


- Advantages for the customer:
  - Integration of safety functions in the TwinSAFE system
    - Emergency stop
    - Safety fence monitoring
  - Small switch box directly at the safety fence
  - Optimum interaction between standard automation and safety technology
  - Reduced engineering and hardware costs
  - Simplified wiring
  - Modifications are easy to implement
  - Only one tool needed for standard and safety functions
  - TwinSAFE software editor conveniently integrated in the TwinCAT system


Safety over EtherCAT

www.ethercat.org

EtherCAT Technology Group
Dr. Guido Beckmann
g.beckmann@ethercat.org