Safety-over-EtherCAT: Which Solution for Integration?

Reading time: 6 minutes

System failures and errors caused by software or hardware can lead to critical malfunctions. Industries such as chemical, automotive, medical, railway, aerospace, nuclear, and many others require the implementation of extremely high safety levels for their systems and applications to prevent or at least minimize risks to people and the environment, thereby protecting against threats and negative consequences of disruptions or failures. To this end, systems and applications are equipped with additional sensors, actuators, and decision-making units specified and certified according to strict requirements and standards. The most well-known are the Safety Integrity Levels (SIL) of the IEC 61508 standard and the Performance Levels (PL) of the ISO 13849 standard, defined as the relative degree of risk reduction provided by a safety function.

The EtherCAT Technology Group (ETG), of which ISIT is a member, designed, certified, and introduced Safety-over-EtherCAT (also known as Fail-Safe over EtherCAT, abbreviated as FSoE) to support the construction of safety-critical systems by integrating high-level safety communication as defined in the IEC 61784-3 standard. FSoE describes a protocol for transmitting safety data up to SIL3 between FSoE devices. By excluding the lower levels of the fieldbus (basic EtherCAT), the protocol is open and independent of underlying bus systems, following the black channel communication principle. This low-level bus cyclically transmits FSoE frames according to safety constraints but does not play a particular role in the functional safety of the communication.

An FSoE master communicates with an FSoE slave via a connection called an "FSoE connection." This connection requires each device to transmit its own new message only upon receiving a new message from the associated device. The state of the entire connection between the FSoE master and the FSoE slave is monitored on both devices during each FSoE cycle, including the communication cycle time. The FSoE master manages multiple FSoE connections to support communication with several FSoE slaves.

With a Safety-over-EtherCAT approach, the communication system relies on the black channel principle, which is not considered safe. The standard EtherCAT communication system uses a single channel to transfer both standard and safety-critical data.

The black channel approach allows for the transmission of both safety and non-safety data over the same bus. The FSoE protocol is implemented using a black channel approach; there is no safety dependency on the standard communication interface.

The following requirements are imposed on the elements of an FSoE application or system:

• EtherCAT devices requiring a SIL/PL level must be approved by a Certification Institute in addition to the ETG. They can operate on either EtherCAT masters or slaves.

• Requirements for the EtherCAT master:
• Support for slave-to-slave communication
• Copy safety frames from the FSoE master to FSoE slaves and vice versa

Due to the black channel communication, the transport layers up to the field network are not involved in functional safety, and it is therefore not necessary to obtain certification for the EtherCAT master (black channel principle) if it has no role in the safety part.

To help you develop expertise in this technology and apply it to your specific needs, ISIT offers a comprehensive range of products and services: