The Hidden Network

Practically all the fieldbus protocols take a "black channel" approach to their safety bus. However, defining a black channel is almost a black channel itself; everyone talks about it and uses it, but descriptions of it are mostly absent.

The name black channel is derived from the concept of a black box. The intent of both a black box and a black channel is that what goes in one end does not "see" anything between the inlet and outlet as it passes through the device. The difference is that, rather than a piece of hardware, it is the network itself that must appear to "not be there." The bus system, therefore, does not perform any safety-related tasks, but only serves as transmission medium.

Following a white-channel scheme would require that the bus networking and protocol be designed from the ground up for safety. All the network components would have to be safety-related and would need the associated approvals. The black-channel concept uses a non-trusted transmission system; the network gear is not safety-related. As a result, the advantage of the black-channel concept is that we can reuse regular network hardware for safety networks without having to modify more than the devices or nodes themselves.

No changes to the physical layers means the safety measures must be added as a safety layer on top of the Open Systems Interconnection (OSI) protocol Layer 7. The new layer is responsible for the transport of safety-relevant data. The remainder of the application layer is responsible for the acquisition and processing of user or process data.

As shown in Figure 1, the black channel uses a safety layer between the communication stack and the application per IEC 62280-1. The safety layer performs safety-related transmission functions, and checks on the communication to ensure that the integrity of the link meets the requirement for SIL 3 continuous, high-demand mode. Though it is an unlikely scenario, it is possible to use the black-channel concept with some non-safety related devices sitting on the same bus and sharing the communication media so that if somebody accidentally connects a non-safety device to the safety bus, it will not negatively impact the safety operation.

To comply with the relevant safety standards, a safety-bus frame must be passed completely unmodified from a safety sender to a safety receiver, no matter what kind of transmission system both nodes are using. Thus the safety measures are encapsulated in the communicating end nodes/devices as shown in Figure 2.

This means that none of the error detection mechanisms of the chosen communication technology are taken into account to guarantee the integrity of the transferred process data. Basically there are no restrictions with respect to transmission rate, number of bus devices or transmission technology—as long as the given safety application reaction times can tolerate the additional overhead parameters.

Detecting corrupted data bits through an additional cyclical redundancy check (CRC) plays a key role in meeting safety bus reliability requirements. The necessary probabilistic examination can benefit from the definitions within IEC 61508 that consider the probability of failure of the entire safety function. Because a safety circuit includes all sensors, actuators, transfer elements (this is the safety bus) and logic processes that are involved in the safety function, and the IEC 61508 standard defines overall values for the probability of failure of the system for different safety integrity levels, some fraction, typically 1% to 2%, of the overall SIL rating is assigned to the transfer element, which is the network equipment or black channel. For SIL 3, the probability of failure is 10-7/hour, and if transmission uses 1% of the permissible probability of failure, the probability failure rate for the safety bus system must be 10-9/hour. By selecting appropriate CRC polynomials for the intended frame length, the resulting residual error probabilities of the undetected corrupt data packets are guaranteed to meet or exceed the required limits (in this example 10-9/hour). Therefore. we are no longer depending on the error detection of the standard fieldbus protocol (white channel) because we have added the supplemental checks shown in Table 1.

The measures in Table 1, other than CRC for data integrity, are indicated in the appropriate column check for a range of other types of communication errors that can arise during transmission of a message between any two points. Each of these measures, as implied by the short explanation in brackets, provides the following benefit and increase in confidence of the reliability of the transmitted information:

• Consecutive Number – Confirming that the message transmitted is received and reassembled in the proper sequence is important, especially for messages that have more than one route option to get from point A to B.
• Time Out – Many buses have some form of acknowledgement mechanism, however, the majority of the Industrial Ethernet protocols use UDP, which does not support message acknowledgement. Therefore, an independent dedicated tool must be used.
• Codename – This is a way to be sure that messages are transferred between the two end devices/nodes for which they are intended and no others.

Using a safety layer as just described provides the advantage of easy and fast implementation and also allows safety margins to be ideally dimensioned and machine clock rates to be increased to meet the overall system safety/SIL requirements.

The functionality of the safety protocol is not concerned which transport protocol is used, because all safety-related mechanisms are integrated exclusively on the application layer of the protocol, and the safety bus functionality is thereby independent of the underlying transport layer.

The safety bus network does not benefit from any error detection mechanisms of underlying transmission channels, and thus supports the securing of whole communication paths, even backplanes, inside controllers or remote I/O.

Using the black channel approach ensures that the safety quality is independent of the communication channel.
Is the black channel concept really "black magic"? No. At most it is "sleight of hand," since just like the black box, it moves responsibility for making the "trick" work from the medium or messenger to the parts of the system actually doing the work and having the intelligence to tell the difference.

---

Ian Verhappen, P.Eng., is an ISA Fellow, ISA Certified Automation Professional and an authority on Foundation Fieldbus and industrial communications technologies. His website is www.industrialautomationnetworks.com.