Principle of decentralized safety technology
Depending on the desired safety level, periphery devices such as E-STOP switches are generally connected to a safety control system in a dual-channel configuration. The redundancy and additional cable tests mean that faults such as short circuits or open circuits can be detected and managed. A bus cable uses single-channel, serial communication, which does not provide physical line redundancy. That's why additional measures in the protocol are needed to cover faults such as a disconnected bus cable or communication problems.
Handling communication errors
The sections below describe typical errors and measures which may occur when safety-related data is communicated via an industrial communication system, and ways in which these can be handled.
Message repetition
Malfunctions within the bus subscriber can lead to telegram repetition. Each message is given a sequential number so that repeated messages are detected. The receiver is "expecting" the sequential number, so it will detect repeated telegrams and initiate appropriate measures.
Message loss
Messages may be deleted as a result of a malfunction on a bus subscriber or the receiver may stop receiving telegrams because the bus cable has been disconnected, for example. The receiver uses a sequential number to detect the loss of data packets. A timeout on the receiver also monitors the latest time by which a new message must arrive. Once this timeout has elapsed, the receiver is able to bring the application to a safe condition.
Message insertion
Additional messages may creep in as the result of a malfunction on a bus subscriber. As with message repetition, the sequential number can be used to detect and manage this situation.
Incorrect message sequence
Errors on a bus subscriber or on telegram-storing elements such as switches and routers can corrupt the telegram sequence. However, this will be detected through the sequential numbers.
Message corruption
Malfunctions on a bus subscriber or faults on the communication medium, e. g. problems due to EMC, can corrupt messages: A data security mechanism (check sum) applied to the safety related telegram content will recognize this and detect the corrupted message.
Message delay
A malfunction on the bus subscriber or an incalculable data volume in the bus system can lead to delays: A timeout on the receiver will detect the delays and initiate appropriate measures.
Combining safety-related and non- safety-related communication functions
In mixed systems containing safety-related and nonsafety-related subscribers, receivers will sometimes interpret a telegram from a standard subscriber as a safety-related telegram. Such mistakes on the part of the receiver can be avoided using measures such as unique IDs across the network and varied data security features for safety-related and non-safety-related messages.
Errors and measures, using SafetyNET p as an example, taken from BIA GS-ET 26. |
No comments:
Post a Comment