
Safety-over-EtherCAT : How to secure your EtherCAT platform

Reading time: 8 minutes

In this article:
  • Safety-Critical Applications and Systems
  • Introduction to Safety-over-EtherCAT (FSoE)
  • Architecture of an FSoE System
  • Simplified and More Flexible Architectures with EtherCAT Safety Compared to Relay Logic
  • Integration of Safety Containers into Cyclic Process Data Communication
  • Black Channel Principle: Utilizing Standard Communication Interfaces
  • Requirements for Implementing FSoE
  • ISIT Solutions

Safety-Critical Applications and Systems

System faults and errors caused by software or hardware can lead to hazardous events and significant losses. Industries such as chemical, automotive, medical, railway, aerospace and nuclear require extremely high levels of safety for their systems and applications in order to prevent, or at least minimise, the risks that malfunctions or failures pose to people and the environment. To this end, systems and applications are equipped with additional control loops that are specified and certified according to strict requirements and standards. One of the best known is the Safety Integrity Level (SIL) of the generic IEC 61508 standard: a discrete level of risk reduction that a safety function must provide, expressed for high-demand and continuous-mode functions as a target probability of dangerous failure per hour (PFH).

In a decentralised system architecture the communication paths must also be considered, especially when they carry data used by safety functions. The IEC 61784-3 standard (functional safety fieldbuses) addresses this aspect.

Introduction to Safety-over-EtherCAT (FSoE)

The EtherCAT Technology Group (ETG) developed and introduced Safety-over-EtherCAT (Fail Safe over EtherCAT, abbreviated FSoE) to enable the construction of safety-critical systems on the EtherCAT platform. FSoE specifies a protocol for transferring safety data up to SIL 3 between FSoE devices. The protocol is open and independent of the underlying bus system, because the subordinate fieldbus is excluded from the safety function (Black Channel principle). An FSoE connection is a strict request/response exchange: each device sends a new message only after it has received a new message from its partner device. Both the FSoE master and the FSoE slave monitor the state of the connection by checking the cycle time (watchdog timeout), so a lost or delayed message is detected at either end.

Architecture of an FSoE System

Modern communication systems not only achieve deterministic transfer of control data but also allow the transfer of safety-critical control data over the same medium.

EtherCAT utilizes the Safety-over-EtherCAT (FSoE) protocol for this purpose, providing:
  • A single communication system for control and safety data
  • The ability to flexibly modify and expand the safety system architecture
  • Pre-certified solutions to simplify safety applications
  • Powerful diagnostic capabilities for safety functions
  • Seamless integration of safety functions into machine design

Simplified and More Flexible Architectures with EtherCAT Safety Compared to Relay Logic

The EtherCAT safety technology is designed in accordance with IEC 61508, approved by TÜV Süd Rail and standardised in IEC 61784-3 (specifically as IEC 61784-3-12). The protocol is suitable for safety applications up to Safety Integrity Level SIL 3.

With Safety-over-EtherCAT and the Black Channel principle, the standard EtherCAT communication system becomes part of the black channel, which is not considered a safety element.

The main advantage is that neither the EtherCAT components nor the EtherCAT protocol itself need to be safety-certified, which also simplifies the hardware and software architecture of the integrated components.

Integration of Safety Containers into Cyclic Process Data Communication

Safety-over-EtherCAT frames, known as safety containers, carry the safety-critical process data together with the additional information used to protect its integrity (command, CRCs and a connection ID). The safety containers are transported exactly like any other process data. The integrity of the transfer therefore does not depend on the underlying communication technology and is not limited to EtherCAT: safety containers can travel through other fieldbus systems, Ethernet or similar technologies, over copper cables, optical fibres and even wireless connections.

Black Channel Principle: Utilizing Standard Communication Interfaces

The Black Channel principle allows the use of standard communication interfaces without requiring them to be safety-certified: the safety layer on the two endpoints detects the communication errors that the standard considers (corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade and wrong addressing) regardless of how the transport behaves. This simplifies system design and reduces costs. Note that these measures address transmission errors and random faults; they are not a defence against deliberate manipulation by an attacker with access to the black channel, which is a network security concern that lies outside the scope of the safety protocol.

Requirements for Implementing FSoE

The following requirements apply to the elements of an FSoE application or system:
  • EtherCAT devices requiring a SIL/PL rating: these must be approved by a certification body in addition to ETG conformance. An FSoE master or FSoE slave can reside on either an EtherCAT master or an EtherCAT slave.
  • Requirements for the EtherCAT master:
    • Support for slave-to-slave communication
    • Copying of the safety containers from the FSoE master to the FSoE slaves and vice versa, as opaque process data
Because of the Black Channel principle, the transport layers up to and including the field network are not involved in functional safety, so the EtherCAT master does not need safety certification as long as it plays no role in the safety logic itself.
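The following simulation is an added example written for this article; it is not ETG code and does not reproduce the ETG.5100 frame format, command values or CRC polynomials. It models the mechanisms described above in one place: the request/response exchange with a watchdog at both ends (Introduction), a safety container protected by a CRC and a connection ID (Integration of Safety Containers), and a black channel that merely copies bytes between the FSoE master and FSoE slave, as the EtherCAT master does, but may corrupt, misroute, repeat or lose them (Black Channel Principle, Requirements). The container layout, the CRC-16/CCITT-FALSE polynomial, the connection ID 0x1234, the cycle and watchdog times, the fault names and the payload bytes are all assumptions chosen for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Container layout used by this example (an assumption, not the ETG.5100 frame format):
#   conn_id (u16 LE) | seq (u8) | safety data (n bytes) | crc16 (u16 LE) over the preceding bytes
CRC_POLY = 0x1021  # CRC-16/CCITT-FALSE; assumed here, FSoE's own polynomials are not reproduced

def crc16(data: bytes) -> int:
    """Bit-serial CRC-16 (poly 0x1021, init 0xFFFF, no reflection, no final XOR)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def pack_container(conn_id: int, seq: int, data: bytes) -> bytes:
    body = struct.pack("<HB", conn_id, seq) + data
    return body + struct.pack("<H", crc16(body))

def unpack_container(frame: bytes):
    """Return (conn_id, seq, data); raise ValueError when the CRC does not match."""
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16(body) != crc:
        raise ValueError("crc mismatch")
    conn_id, seq = struct.unpack("<HB", body[:3])
    return conn_id, seq, body[3:]

@dataclass
class FsoeEndpoint:
    """One end of the safety connection; FSoE master and FSoE slave run the same checks."""
    name: str
    conn_id: int
    watchdog_ms: int
    tx_seq: int = 0          # sequence number of our last container
    peer_seq: int = 0        # sequence number of the last valid container from the peer
    last_tx_ms: int = 0      # the watchdog is armed when we send
    fail_safe: bool = False  # once set, outputs are assumed to be in their safe state
    errors: List[str] = field(default_factory=list)

    def send(self, data: bytes, now_ms: int) -> bytes:
        self.tx_seq = (self.tx_seq + 1) & 0xFF
        self.last_tx_ms = now_ms
        return pack_container(self.conn_id, self.tx_seq, data)

    def receive(self, frame: Optional[bytes], now_ms: int) -> Optional[bytes]:
        """Validate a container; any error puts this end into fail-safe and returns None."""
        if frame is None or now_ms - self.last_tx_ms > self.watchdog_ms:
            return self._fail("watchdog")       # nothing arrived within the cycle time
        try:
            conn_id, seq, data = unpack_container(frame)
        except ValueError:
            return self._fail("crc")            # corrupted on the black channel
        if conn_id != self.conn_id:
            return self._fail("conn_id")        # container belongs to another connection
        if seq != (self.peer_seq + 1) & 0xFF:
            return self._fail("sequence")       # repeated, stale or out-of-order container
        self.peer_seq = seq
        return data

    def _fail(self, reason: str) -> None:
        self.fail_safe = True
        self.errors.append(reason)
        return None

def black_channel(frame: bytes, fault: str, previous: Optional[bytes]) -> Optional[bytes]:
    """The standard, non-safe transport: it only copies bytes between the FSoE endpoints
    (as the EtherCAT master does) and may corrupt, misroute, repeat or lose them."""
    if fault == "corrupt":
        i = len(frame) // 2
        return frame[:i] + bytes([frame[i] ^ 0x01]) + frame[i + 1:]
    if fault == "misroute":                     # valid CRC, but another connection's ID
        conn_id, seq, data = unpack_container(frame)
        return pack_container(conn_id ^ 0xFFFF, seq, data)
    if fault == "replay":
        return previous                         # deliver the previous container again
    if fault == "drop":
        return None
    return frame

def run_connection(faults: Dict[int, str], cycles: int = 5,
                   cycle_ms: int = 10, watchdog_ms: int = 25) -> dict:
    """Run request/response cycles; faults maps a cycle index to a black-channel fault."""
    master = FsoeEndpoint("FSoE master", conn_id=0x1234, watchdog_ms=watchdog_ms)
    slave = FsoeEndpoint("FSoE slave", conn_id=0x1234, watchdog_ms=watchdog_ms)
    now, completed, prev_req = 0, 0, None
    for i in range(cycles):
        req = master.send(b"\x01", now)         # constructed payload, e.g. an "enable" bit
        rx = black_channel(req, faults.get(i, "ok"), prev_req)
        prev_req = req
        now += cycle_ms if rx is not None else watchdog_ms + 1
        resp = None
        if slave.receive(rx, now) is not None:  # the slave answers only a valid request
            resp = slave.send(b"\x00", now)     # constructed payload, e.g. "no E-stop"
        now += cycle_ms if resp is not None else watchdog_ms + 1
        if master.receive(resp, now) is None:
            break
        completed += 1
    return {"completed": completed, "master": master, "slave": slave}

if __name__ == "__main__":
    for scenario in ({}, {2: "corrupt"}, {1: "replay"}, {1: "misroute"}, {0: "drop"}):
        r = run_connection(scenario)
        print(scenario, r["completed"], r["master"].errors, r["slave"].errors)
```

Two design points carry over from the real protocol to this model. First, both ends run identical checks and any failure ends the connection in the fail-safe state; there is no retransmission, because a safety layer that tolerates "one more try" would have to prove the retry itself cannot mask a fault. Second, the endpoint that detects the fault stops answering, so its partner detects the same event through its own watchdog without any out-of-band signalling over the black channel.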

ISIT solutions for FSoE

An active member of the ETG (EtherCAT Technology Group), ISIT is capable of helping you build expertise in this technology and apply it to your specific needs. ISIT offers a comprehensive range of products and services, including:
