
Safe and redundant networking - Ethernet as a basis for fail-safe and fault-tolerant automation

Franz Handermann
HIMA Paul Hildebrandt GmbH + Co KG
68777 Brühl

Today automation projects are executed under ever greater cost and time pressure. Global
competition dictates plant realization times. The vendor is often confronted with more or less
complete requirements, and changes to the specification at a very late stage have become
commonplace. System engineering therefore has to be highly flexible.

The dream of every automation engineer is a set of systems and devices that can be matched perfectly
to his needs and settings and can be used easily. A dream? Not really. Today the keyword is openness.

For the process and manufacturing industries it is time to adopt the new technologies. The technological
trend is towards open, transparent installations built on commercial intranet/Internet technologies
and away from legacy, vendor-driven systems.

Open Systems
Openness is the concept and the basis for interoperability: a component from one vendor
can be replaced by a similar component from another vendor, easily and often without any
further expenditure. To achieve this, all components must be based on widely accepted
industrial standards. These standards may be formal, approved by a standards body such as
IEC, IEEE or DIN, or de facto, established through market forces. De facto standards are
commonly used protocols that almost everyone is familiar with. Looking around, one meets
different standards, e.g. EN 50170 (Profibus), IEEE 802.3 (Ethernet), Interbus, IEC 61131-3
and so on. Windows NT and its components such as COM/DCOM, OPC (OLE for Process
Control) and ActiveX are also so widely used that they are in fact de facto standards in
industry.

Open systems in process automation must satisfy the following requirements:

• Based on industry standards
• Maximum interoperability of diverse components
• Easy integration of components of multiple vendors
• Easy communication in heterogeneous environments
• Shared common database
• Easy customization and extension (Scalability)
• Open application program interfaces
• Application software independent of the hardware used

Such openness enables every participant to bundle the suitable systems and components for
his needs. An integrated overall system then contains the best components available on the
market. Clearly defined interfaces allow the system to be adapted flexibly when the conditions
or requirements of a plant change, as well as for unforeseeable future extensions or
requirements.

Safe and redundant networking – Ethernet as a basis for fail safe and fault tolerant automation
Page 1 of 6
Today's control systems already resemble "software control systems" and are characterized
by an object-oriented common database. Devices are software objects rather than real
hardware. Only the consistent use of, and adherence to, accepted standards makes seamless
communication in this kind of DCS possible. Data sharing is crucial to open systems.

Figure 1: Open control system (© Control Magazine)

Openness also means effectiveness. Each manufacturer concentrates completely on its key
issues and core competence, and therefore makes its product or module the best available on
the market. Customers and system integrators in turn can concentrate on the capability of the
entire system without special knowledge of the functionality of each single component. This is
a useful division of labour to everyone's advantage.
In addition, the freedom to choose the best available product on the market protects the user
from the "lock-in" syndrome. The user is no longer dominated by the special technologies of
one vendor, whether or not that technology fits his other installations.

Openness enables simple in-house standards, e.g. preconfigured templates, because they can
be defined without regard to hardware- or device-specific peculiarities. In most cases it is
possible, even after a change of supplier, to integrate the new module or device into an existing
system and thus protect the earlier investment.

Beside all the technical advantages, open systems offer many more benefits to the user in
the process industries:

• Lower product costs
• Lower engineering and integration costs
• Lower maintenance costs
• Lower training effort
• Increased performance due to rapidly improving technologies.

Safety Systems and Openness
How does the trend towards open systems influence safety-related systems?

Safety-related PES (Programmable Electronic Systems) are based on very sophisticated
technologies because of the special requirements of safety. These systems are really the exact
opposite of openness. On the other hand, safety-related systems will increasingly be part of the
overall automation system of a process plant, and the user's demand for a homogeneous
operating desktop will grow. That idea is fully in line with the targets and characteristics of
open systems.

With respect to safety systems there are some requirements:

• Encapsulation of the safety functions
• Nevertheless
- Transparency of the safety-related system
- Interfaces compliant to industry standards
- Homogeneous Engineering

These requirements are fulfilled by standard interfaces. Using industry standards outside of
all safety-related functions gives the safety system the same outward characteristics as a
non-safety-related open system. At the same time it should remain possible to use non-standard
devices for safety-related applications.

With the creation of the HIMA H41q/H51q family, based on the HIMA HIQuad technology,
HIMA also introduced a new safety-related communication network based on standard
Ethernet IEEE 802.3. This new safety communication network, named SafeEthernet, is
certified by TÜV, as is the safety-related PES itself, and can be used for applications up to
safety requirement class RC6/SIL3. At the same time the Ethernet hardware is used to
establish a high-speed communication link to a DCS or SCADA system to transfer all required
data from the HIMA safety system.

Both aspects are explained in the following sections as the main aspects of communication in
an open control system. The backbone of an open control system is, without doubt, a high-speed
network: Ethernet.

SafeEthernet
Every part of the process control and automation industry, from embedded systems to the
Fieldbus Foundation, has recognized the importance of Ethernet. Ethernet has become the
dominant network technology at the controller and supervisory level. Virtually every vendor of
controllers, PLCs and DCSs offers an Ethernet interface, and Ethernet is now moving towards
the device and I/O level.

Ethernet has progressed from its experimental beginnings in the early 1970s, through official
IEEE standardization, to a real standard for business systems and, to a large extent, control
systems. Despite this there is surprising confusion about Ethernet. What may not be obvious
is that data communication has different quality of service (QoS) requirements depending on
the level of the automation hierarchy. Device and control networks require a defined response
time. Device networks are often designed to favour low latency over information throughput;
one of the most effective techniques for keeping latency under control is to transfer all
information in a fixed scan cycle. Control networks carry a mix of routine scanning of data
values and on-demand signalling of alarm conditions, together with transfers of large items
such as controller and device programs, batch recipes and process reports. Ethernet is
capable of handling this amount of data.

In the process industries the QoS requirements include determinism, reliability/availability,
interoperability, openness and safety and, last but not least, low cost. HIMA SafeEthernet
addresses these requirements and additionally reaches a very high level of safety, namely
RC6/SIL3.

To fulfill the safety requirements SafeEthernet detects and handles failures such as:

• distortion of the transmitted data (double or lost bits, changes of bits, ...)
• wrong addressing of messages (sender, receiver, ...)
• wrong order of data (repetition, loss, exchange, ...)
• wrong timing (inadmissible delay, echo, ...)

HIMA SafeEthernet is based on standard IEEE 802.3 Ethernet. This allows all standard
off-the-shelf Ethernet hardware such as hubs, switches and routers to be used in the design
and operation of a HIMA safety network. The transmission of the safety-related data does not
influence or change the standard Ethernet protocol frames: the safety layer rides inside
ordinary frames as payload. In this respect the technique is comparable to VPN (Virtual
Private Network) technology as used for mission-critical data in the banking or insurance
business. The comparison concerns the encapsulation, not the protection: the failure classes
listed above are transmission faults, whereas confidentiality and protection against deliberate
manipulation, which a VPN provides cryptographically, are a separate concern whenever
safety traffic crosses a shared network.
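The following Python program is an added illustration, not HIMA's SafeEthernet implementation or frame format. It shows how a safety layer carried as opaque payload inside ordinary frames can detect each of the four failure classes listed above: a CRC-32 trailer for distortion, source and destination node IDs for addressing (an echo of the receiver's own PDU fails the same check), a sequence counter for repetition, loss and exchange, and a timestamp plus watchdog for delay. The PDU layout, the watchdog value, the node numbers and the scenario in demo() are all assumptions constructed for the example. Note that the CRC only catches random corruption; anyone on the shared network can recompute it, which is why the VPN comparison holds for encapsulation rather than for protection.

```python
import struct
import zlib

# Assumed PDU layout (illustrative only, NOT HIMA's SafeEthernet format):
#   src_id(2) dst_id(2) seq(4) ts_ms(4) | process data(N) | crc32(4)
HEADER = struct.Struct(">HHII")
TRAILER = struct.Struct(">I")
WATCHDOG_MS = 200  # assumed maximum tolerated PDU age (sample value)


def build_pdu(src_id: int, dst_id: int, seq: int, ts_ms: int, data: bytes) -> bytes:
    """Sender side: header + process data, protected by a CRC-32 trailer."""
    body = HEADER.pack(src_id, dst_id, seq, ts_ms) + data
    return body + TRAILER.pack(zlib.crc32(body))


class SafeReceiver:
    """Receiver-side checks for one connection peer_id -> my_id.

    Every failure is reported and the PDU discarded; a real safety controller
    would additionally drive its outputs to the safe state.
    """

    def __init__(self, my_id: int, peer_id: int):
        self.my_id = my_id
        self.peer_id = peer_id
        self.expected_seq = None  # learned from the first accepted PDU
        self.last_rx_ms = None

    def accept(self, pdu: bytes, now_ms: int):
        """Return (ok, reason, data); data is None unless ok."""
        if len(pdu) < HEADER.size + TRAILER.size:
            return False, "truncated", None
        body, trailer = pdu[:-TRAILER.size], pdu[-TRAILER.size:]
        # 1. distortion: flipped, lost or doubled bits change the CRC
        if zlib.crc32(body) != TRAILER.unpack(trailer)[0]:
            return False, "crc", None
        src, dst, seq, ts_ms = HEADER.unpack_from(body)
        # 2. addressing: wrong sender, wrong receiver, or an echo of our own PDU
        if src != self.peer_id or dst != self.my_id:
            return False, "address", None
        # 3. order: seq behind = repetition / old PDU, seq ahead = loss / exchange
        if self.expected_seq is not None and seq != self.expected_seq:
            return False, ("repeat" if seq < self.expected_seq else "loss"), None
        # 4. timing: PDU older than the watchdog (assumes sender and receiver
        #    clocks are aligned to a tolerance well below WATCHDOG_MS)
        if now_ms - ts_ms > WATCHDOG_MS:
            return False, "delay", None
        self.expected_seq = (seq + 1) & 0xFFFFFFFF
        self.last_rx_ms = now_ms
        return True, "ok", body[HEADER.size:]

    def watchdog_expired(self, now_ms: int) -> bool:
        """True when no valid PDU arrived within WATCHDOG_MS (link loss)."""
        return self.last_rx_ms is not None and now_ms - self.last_rx_ms > WATCHDOG_MS


def demo() -> list:
    """Constructed scenario hitting each failure class; returns the reasons."""
    rx = SafeReceiver(my_id=2, peer_id=1)
    good = build_pdu(1, 2, 10, 1000, b"\x01")
    # single bit flip in the first data byte
    flipped = good[:HEADER.size] + bytes([good[HEADER.size] ^ 0x01]) + good[HEADER.size + 1:]
    results = [
        rx.accept(good, now_ms=1010)[1],                         # ok
        rx.accept(flipped, now_ms=1010)[1],                      # crc
        rx.accept(good, now_ms=1020)[1],                         # repeat (replay)
        rx.accept(build_pdu(1, 2, 12, 1100, b"\x02"), 1110)[1],  # loss (seq 11 skipped)
        rx.accept(build_pdu(3, 2, 11, 1100, b"\x02"), 1110)[1],  # address (wrong sender)
        rx.accept(build_pdu(1, 2, 11, 1100, b"\x02"), 1500)[1],  # delay (400 ms old)
        rx.accept(build_pdu(1, 2, 11, 1100, b"\x02"), 1150)[1],  # ok
    ]
    results.append(rx.watchdog_expired(now_ms=1400))             # True: link lost
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the CRC is verified before any header field is trusted, and addressing is verified before the sequence counter is updated, so a PDU from the wrong node can never advance the receiver's expected counter. The watchdog is checked from a timer as well as on receipt, because a silent link produces no PDU at all to reject.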

One of the most frequently cited disadvantages of Ethernet in automation is its lack of
determinism. In standard Ethernet several stations share the medium. A node may send after
making sure the medium is clear, but two nodes sending simultaneously, together with the finite
propagation speed on the medium, can cause collisions of data packets.
The CSMA/CD access method detects these collisions and causes the devices to back off and
send the data again. The data transmission time therefore cannot be predicted, and this
disqualified shared Ethernet for real-time use in automation.
In contrast to standard Ethernet, HIMA SafeEthernet is deterministic when used in its own
safety domain (segment). A special protocol mechanism allows SafeEthernet to guarantee
deterministic behaviour even when nodes or segments are lost or added. A safety domain can
cover up to 32 safety nodes (including the HIMA OPC server). The PES itself supports up to
64 safety nodes. This technology opens an excellent way towards truly distributed safety
technology close to the field.

Figure 2: Fully redundant SafeEthernet

But safety automation in the process industries also demands high availability. On the one
hand, HIMA SafeEthernet lets you design small package units that tolerate failures without
stopping process operation. On the other hand, HIMA SafeEthernet also supports a fully
redundant network for applications with high availability. All components (modules) can be
replaced on-line during operation in case of a failure. Reconnection to the running network is
established automatically without any need for configuration. Engineering and operating a
redundant safety network becomes as easy as one-two-three.

Besides the savings in engineering, the introduction of HIMA SafeEthernet brings a big
improvement in data transmission speed. The HIMA H41q/H51q family uses 100 Mbps Ethernet
technology, up to 100 times faster than the previous generation of safety networks.

Ethernet also allows the transmission medium to be changed. Whether copper, fibre optics,
radio or satellite links are used, HIMA SafeEthernet guarantees the safe (RC6/SIL3), highly
available and reliable transmission of safety-related data.

SafeEthernet and Intranet/Internet
Standard Ethernet hardware and the standard protocol frame as the basis for HIMA SafeEthernet
open up another interesting application: the use of the company intranet, or even the Internet,
as the transmission medium for safety-critical data. A recent study by NTNU (Norwegian
Technical University) and Maritime Tentech AS at the facilities of Statoil in Norway confirms
this application. Three HIMA H41q systems installed in Kristiansand, Bergen and Trondheim
were linked via HIMA SafeEthernet over the Statoil intranet to communicate and exchange
safety-critical data.

Figure 3: Distributed Safety System using HIMA SafeEthernet

All safety-related data were transmitted correctly but, as expected, determinism was lost, a
consequence of sharing the medium with other intranet traffic, the classical Ethernet bottleneck.

Different ways of solving this problem are on the horizon:

1. The need for higher speed resulted in Fast Ethernet: standard Ethernet again, but now
operating at 100 Mbps, or 200 Mbps aggregate in full-duplex mode. Auto-sensing 10/100
Ethernet is becoming a standard interface for network devices, and Gigabit Ethernet is on
the way.
2. Ethernet is a scalable technology: (micro-)segmenting the network to give applications the
bandwidth they require is a simple way to balance the needs of all network users and
devices (the safety domain mentioned above is such a segment).
3. The use of switches creates a new situation: if switches with full-duplex links are used
consistently, each port is its own collision domain and collisions no longer occur. Delivery
times are then bounded by switch forwarding and queueing delay rather than by random
backoff, so they can be defined and made predictable, a property the CSMA/CD method lacks.
4. A further development of Ethernet itself: the IEEE 802.1p/Q standards add priority tagging
and QoS to the standard Ethernet frame format, so that time-critical frames can be
forwarded ahead of bulk traffic.
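As an added example, not code from the paper, the following Python shows concretely what the IEEE 802.1Q tag (which carries the 802.1p priority) adds to a standard frame: a builder and a parser that recognise tagged and untagged frames and extract the PCP priority, DEI bit and VLAN ID. The frames in demo() are constructed inline; the MAC addresses, VLAN 100 and priority 6 are sample values chosen for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                pcp: int = None, dei: int = 0, vid: int = None) -> bytes:
    """Build an Ethernet II frame; inserts an 802.1Q tag when pcp or vid is given."""
    tag = b""
    if pcp is not None or vid is not None:
        # TCI = PCP (3 bits, the 802.1p priority) | DEI (1 bit) | VID (12 bits)
        tci = (((pcp or 0) & 0x7) << 13) | ((dei & 0x1) << 12) | ((vid or 0) & 0xFFF)
        tag = struct.pack(">HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack(">H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst/src, tag fields (None when untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    (ethertype,) = struct.unpack_from(">H", frame, 12)
    offset = 14
    if ethertype == TPID_8021Q:
        # the tag sits between the source MAC and the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from(">HH", frame, 14)
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0xFFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def demo() -> tuple:
    """Constructed sample frames (not captures): one tagged, one untagged."""
    dst, src = bytes.fromhex("010203040506"), bytes.fromhex("0a0b0c0d0e0f")
    tagged = build_frame(dst, src, 0x0800, b"\xaa" * 4, pcp=6, dei=0, vid=100)
    plain = build_frame(dst, src, 0x0806, b"\xbb" * 4)
    return parse_frame(tagged), parse_frame(plain)


if __name__ == "__main__":
    for parsed in demo():
        print(parsed)
```

The tag costs four bytes per frame and is only honoured by switches that are configured to queue on PCP; on a hub segment the priority field changes nothing, since there are no queues and the medium is still contended. It therefore complements the switching and segmentation points above rather than replacing them.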

All these further developments are moving towards the consistent use of Ethernet as THE
standard automation network of the future.

