PROFIsafe Profile: Industrial Safety

PROFIsafe profile details are incorporated into the PROFIsafe driver firmware in both an F-Controller and an F-device. The PROFIsafe driver is an encoding/decoding package that ensures the integrity of the safety portion of the communication.

Network Communication Challenges

The following errors are potential problems in network communications.

  1. Repetition – a malfunctioning bus device causes old, obsolete safety messages to be repeated at the wrong time (for example, the guard door is reported closed when it is already open).
  2. Deletion – a malfunctioning bus device deletes a safety message (for example, the request for a “safe operational stop”).
  3. Insertion – a malfunctioning bus device inserts a safety message (for example, the deselection of the “safe operational stop”).
  4. Re-sequencing – a malfunctioning bus device modifies the order of safety messages. For example, one wants to select the safely reduced velocity before initiating the safe operational stop; if these messages are swapped, the machine will continue running and no stop is necessary.
  5. Data corruption – a malfunctioning bus device or the transmission link corrupts safety messages.
  6. Masquerade – a malfunctioning bus device causes safety messages and non-safety messages to be mixed up.
  7. Revolving memory failure (FIFO) – a malfunctioning bus device causes an overload situation by simulating incorrect safety messages, so that the service belonging to a message is delayed or prevented.

The Remedies

The remedies below were incorporated into the PROFIsafe Profile to address the problems identified in the previous section. Each entry describes the remedy and the check the receiver performs.

  • Virtual consecutive number – the PROFIsafe transmitter and receiver each keep a counter that increments after every communication. If the number in the transmission does not match the number the receiver expects, the receiver sets the communication to fail.
  • Timeout with receipt – both the transmitter and the receiver have a timer. Upon receipt of a message, the timer is reset. If the timer expires before the next message arrives, the receiver sets the communication to fail.
  • Codename for sender and receiver – each controller/device has a unique codename on the network. If the codename in the message does not match, the receiver sets the communication to fail.
  • Cyclic Redundancy Check (CRC) – the transmitter calculates a CRC over all the bits in the PROFIsafe portion of the buffer and appends the CRC to the buffer. The receiver runs the same CRC algorithm on the received data. If the CRCs do not match, the receiver sets the communication to fail.

PROFIsafe Safety Data and Standard Data

One of the requirements of PROFIsafe is that safety data, also called F-data (failsafe data), and standard PROFINET data can be mixed within a data payload, possibly with multiple instances of each. The following figure shows the data portion of a PROFINET frame carrying both standard data and F-data. The location of each standard and F-data block within the PROFINET data payload is fixed at parameterization.

Note: the data for one modular device is transmitted in a single PROFINET frame. If the modular device has F-I/O modules installed, the data for those PROFIsafe modules is carried in corresponding data packets embedded in the larger PROFINET data payload.
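The four remedies and the fixed-position payload layout described above, as an added example that is not part of the original article and is not PROFIsafe's actual frame format, CRC polynomial or timing: the 2-byte codename, 1-byte consecutive number, CRC-32 trailer, timeout value and the sample payload layout are all assumptions of this illustration. The code models a simplified safety layer, then replays each of the seven fault classes from the first section against a fresh link and records which check caught it:

```python
import struct
import zlib

# Assumed simplified safety block (not the PROFIsafe wire format):
# [codename:2][consecutive number:1][F-data][CRC-32:4]
HEADER = ">HB"
HEADER_LEN = struct.calcsize(HEADER)
CRC_LEN = 4


class SafetyFailure(Exception):
    """Raised when the receiver sets the safety communication to fail."""


class SafetyTransmitter:
    def __init__(self, codename: int):
        self.codename = codename
        self.counter = 0

    def build(self, f_data: bytes) -> bytes:
        self.counter = (self.counter + 1) & 0xFF          # virtual consecutive number
        header = struct.pack(HEADER, self.codename, self.counter)
        crc = zlib.crc32(header + f_data) & 0xFFFFFFFF    # CRC over the whole safety block
        return header + f_data + struct.pack(">I", crc)


class SafetyReceiver:
    def __init__(self, codename: int, timeout: float):
        self.codename = codename
        self.timeout = timeout
        self.expected = 0          # last accepted consecutive number
        self.last_rx = None        # time of the last accepted message
        self.failed = None         # latched failure reason once the link is failed

    def _fail(self, reason: str):
        self.failed = reason
        raise SafetyFailure(reason)

    def receive(self, frame: bytes, now: float) -> bytes:
        if self.failed:
            self._fail(self.failed)
        # Timeout with receipt: the watchdog is restarted by every accepted message.
        if self.last_rx is not None and now - self.last_rx > self.timeout:
            self._fail("timeout")
        if len(frame) < HEADER_LEN + CRC_LEN:
            self._fail("crc")      # too short to carry a CRC; treated as corrupted
        body, crc_rx = frame[:-CRC_LEN], frame[-CRC_LEN:]
        if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack(">I", crc_rx)[0]:
            self._fail("crc")
        codename, counter = struct.unpack(HEADER, body[:HEADER_LEN])
        if codename != self.codename:
            self._fail("codename")
        if counter != (self.expected + 1) & 0xFF:
            self._fail("consecutive number")
        self.expected, self.last_rx = counter, now
        return body[HEADER_LEN:]


def split_payload(payload: bytes, layout: list) -> dict:
    """Fixed-position layout (set at parameterization): entries are
    (name, offset, length, is_f_data). Returns {name: (bytes, is_f_data)}."""
    return {name: (payload[off:off + ln], is_f) for name, off, ln, is_f in layout}


def demo_mixed_payload() -> dict:
    """Constructed payload: standard block, F-data block, standard block.
    Only the F-data slot passes through the safety driver."""
    tx = SafetyTransmitter(0x0101)
    rx = SafetyReceiver(0x0101, timeout=1.0)
    f_block = tx.build(b"\x01")                       # one safety input byte
    payload = b"\x10\x20" + f_block + b"\x30\x40\x50"
    layout = [("std_in", 0, 2, False), ("f_in", 2, len(f_block), True),
              ("std_out", 2 + len(f_block), 3, False)]
    parts = split_payload(payload, layout)
    return {n: (rx.receive(d, 0.0) if is_f else d) for n, (d, is_f) in parts.items()}


def run_scenarios() -> dict:
    """Replay each fault class on a fresh link; value is the check that caught it."""
    def link(n=3):
        tx, rx = SafetyTransmitter(0x0101), SafetyReceiver(0x0101, timeout=1.0)
        return rx, [tx.build(b"MSG%d" % i) for i in range(n)]

    def deliver(rx, timed_frames):
        try:
            for frame, t in timed_frames:
                rx.receive(frame, t)
        except SafetyFailure as err:
            return str(err)
        return "accepted"

    results = {}
    rx, f = link(); results["in_order"] = deliver(rx, [(f[0], 0.0), (f[1], 0.1), (f[2], 0.2)])
    rx, f = link(); results["repetition"] = deliver(rx, [(f[0], 0.0), (f[1], 0.1), (f[0], 0.2)])
    rx, f = link(); results["deletion"] = deliver(rx, [(f[0], 0.0), (f[2], 0.1)])
    rx, f = link(); forged = SafetyTransmitter(0x0202).build(b"MSG0")   # other device's message
    results["insertion"] = deliver(rx, [(f[0], 0.0), (forged, 0.1)])
    rx, f = link(); results["re_sequencing"] = deliver(rx, [(f[0], 0.0), (f[2], 0.1), (f[1], 0.2)])
    rx, f = link(); damaged = f[1][:3] + bytes([f[1][3] ^ 0x01]) + f[1][4:]   # one flipped data bit
    results["corruption"] = deliver(rx, [(f[0], 0.0), (damaged, 0.1)])
    rx, f = link(); standard = b"\x00\x00standard I/O bytes"              # non-safety data
    results["masquerade"] = deliver(rx, [(f[0], 0.0), (standard, 0.1)])
    rx, f = link(); results["delay"] = deliver(rx, [(f[0], 0.0), (f[1], 5.0)])   # watchdog expires
    return results
```

Note that the receiver latches the failure: once a check fails, every later call keeps reporting the original reason, which mirrors the article's "sets the communication to fail" rather than silently resynchronising. The masquerade case is caught by the CRC (a standard-data block carries no valid safety CRC), and the codename check stands behind it should a CRC collision ever occur.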

This article is a short description of why PROFIsafe was created and how it works. The PROFIsafe System Description is a good place to start a more in-depth investigation into PROFIsafe.