Bridge fieldbus module and method for operating a bridge fieldbus module
By bridging two fieldbus networks through the coupling element and data processing devices of the fieldbus module, the complexity of exchanging data between incompatible security protocols is reduced. Data can be exchanged reliably between different security protocols while meeting functional safety requirements, which improves the reliability and security of data transmission.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents(China)
- Current Assignee / Owner: TURCK HOLDING GMBH
- Filing Date: 2024-05-21
- Publication Date: 2026-06-12
AI Technical Summary
In existing technologies, data exchange between incompatible security protocols is quite complex, requiring two modules to serve different security protocols respectively, and each digital bit needs a secure output and a secure input, making it difficult to meet functional safety requirements.
A bridging fieldbus module is adopted, which includes coupling elements and data processing devices. It can identify, convert and compare messages of different safety protocols, and realize data exchange while meeting functional safety requirements. The correctness of data transmission is ensured through redundancy conversion and checksum mechanism.
It enables reliable data exchange between different security protocols, meets functional safety requirements, reduces device complexity, and improves the reliability and security of data transmission.
Description
Technical Field
[0001] This disclosure relates to a bridging fieldbus module designed to interconnect two networks. This disclosure relates to a method for operating such a bridging fieldbus module. This disclosure relates to a computer program and / or computer-readable medium including instructions that, when executed by a computer, cause the computer to perform the method at least in part.
[0002] This disclosure pertains to the technical field of industrial automation.
Background Technology
[0003] De Moraes et al. (DE MORAES JOAO et al.: "Architecture of an industrial analog input designed to meet safety requirements", 2018 IEEE 19TH LATIN-AMERICAN TEST SYMPOSIUM (LATS), IEEE, 12 March 2018 (2018-03-12), pages 1-4, XP033335915, DOI: 10.1109/LATW.2018.8349673) describes an industrial analog input architecture that meets safety requirements.
[0004] DE 10 2020 113 572 A1 describes a protocol converter for transforming security-related messages between a first network and a second network. The protocol converter includes a single-channel interface device capable of exchanging messages with both the first and second networks. The first network has at least one first participant with a first security communication layer processing a first security communication protocol, and the second network has at least one second participant with a second security communication layer processing a second security communication protocol. The protocol converter further includes: a single-channel filter module device connected to the interface device, for determining messages using the first security communication protocol and messages using the second security communication protocol based on messages received from the interface device; and at least a dual-channel security module connected to the filter module device, for converting messages determined by the filter module device that use the first security communication protocol into messages using the second security communication protocol, or vice versa.
Summary of the Invention
[0005] In the context of this prior art, the purpose of this disclosure is to provide an apparatus and / or method, each of which is suitable for enriching the prior art.
[0006] Therefore, this objective is achieved through a bridging fieldbus module designed to interconnect two fieldbus networks.
[0007] The first fieldbus network of these two fieldbus networks uses a first security protocol and the black channel principle for safety-related messages. The second fieldbus network of these two fieldbus networks uses a second security protocol, different from the first security protocol, and the black channel principle for safety-related messages.
[0008] The bridging fieldbus module includes a coupling element designed to identify safety-related messages received at the fieldbus bridging module from a first fieldbus network.
[0009] The bridging fieldbus module is designed to receive security-related messages from a first network that correspond to a first security protocol.
[0010] The bridging fieldbus module is designed to convert safety-related messages received from and identified from the first fieldbus network into first and second safety-related messages corresponding to the second safety protocol.
[0011] The bridging fieldbus module is designed to compare the first safety-related message and the second safety-related message with each other.
[0012] The bridging fieldbus module is designed to output the first safety-related message and / or the second safety-related message to the second fieldbus network, optionally only when the first safety-related message and the second safety-related message are consistent, based on the comparison results.
[0013] The bridging fieldbus module can be designed to combine a first safety-related message and a second safety-related message into a further message, and output the further message to a second fieldbus network.
[0014] As long as the term "network" is used in the following description, it can be understood as "fieldbus network".
[0015] A fieldbus can be understood as a bus system that connects field devices (such as sensors or actuators) to automation equipment or fieldbus modules for communication.
[0016] A fieldbus network can be understood as a collection of fieldbus modules implemented via a bus as a fieldbus, all using the same security protocol.
[0017] Therefore, participants in these two networks can be distinguished based on whether they are suited to use the first or second security protocol. Since the bridging fieldbus module is designed to process messages in both the first and second security protocols, it can be part of both networks, thereby establishing a communication connection or bridging between them.
[0018] A safety protocol can be understood as a communication protocol used to transmit (optionally predetermined) safety-related data or messages in automation applications. Therefore, a safety protocol is a special form of communication protocol or bus protocol applicable to fieldbus systems.
[0019] Safety protocols can satisfy predetermined requirements for functional safety, and optionally satisfy a predetermined level of safety requirements.
[0020] Safety requirement level is a term in the field of functional safety, and is also referred to as safety level or safety integrity level (SIL) in the international standards IEC 61508 / IEC 61511. Safety requirement levels are used to assess the reliability of safety functions in electrical / electronic / programmable electronic (E / E / PE) systems. The required level derives safety-oriented design principles that must be followed to minimize the risk of failure.
[0021] It is conceivable that, in addition to safety protocols, bus protocols that do not meet functional safety requirements may be implemented. Non-safety-related data, such as diagnostic data, may be transmitted (optionally predetermined) through or by means of this bus protocol.
[0022] Here, the black channel principle is used. The black channel principle is typically based on communication channels or bus protocols that do not meet pre-defined requirements for functional safety. However, for safety-oriented system designs, it may be necessary to demonstrate compliance with relevant standards, such as IEC 61508. In such systems, if a communication method that cannot achieve this demonstration (such as Ethernet) is used, the black channel principle can be used as an alternative. For this purpose, a security protocol is typically integrated between the security application and the "non-secure" standard communication channel. This security protocol meets the security level of the safety-oriented system and identifies and controls transmission errors in the underlying communication layer. This means that the "non-secure" transmission channel is continuously monitored for integrity by the higher-level "secure" protocol. In other words, in the black channel principle, the insecure communication channel can be monitored by the security protocol.
[0023] In the “insecure” channel, examples of transmission errors at the packet level include duplication, loss, insertion, out-of-order delivery, tampering, delay, and / or confusion between secure and insecure messages.
[0024] If the security protocol identifies this type of error, an error response can be initiated. It is conceivable that (transmission) errors can still be controlled and therefore tolerated; otherwise, it is conceivable to switch the facility to a secure state, such as shutdown.
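The receiver-side checks that a safety layer can run over a black channel to catch the error classes listed in [0023], as an added C example that is not taken from the patent. The PDU header fields, the watchdog value, the verdict names and the choice to latch a safe state on any error are assumptions; the integrity check is represented by a `crc_ok` flag computed elsewhere.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    RX_ACCEPT, RX_CORRUPT, RX_WRONG_SOURCE, RX_DUPLICATE,
    RX_OUT_OF_ORDER, RX_LOSS, RX_DELAYED
} rx_verdict;

/* Hypothetical safety PDU header as seen after the black-channel transport. */
typedef struct {
    uint16_t conn_id;     /* connection ID: catches insertion and safe/non-safe confusion */
    uint8_t  seq;         /* consecutive number, wraps at 256 */
    uint32_t rx_time_ms;  /* local receive time */
    bool     crc_ok;      /* result of the safety-layer integrity check (assumed done earlier) */
} safety_pdu;

typedef struct {
    uint16_t expected_conn;
    uint32_t watchdog_ms; /* maximum gap tolerated between two accepted PDUs */
    uint8_t  last_seq;
    uint32_t last_rx_ms;
    bool     started;
    bool     safe_state;  /* latched once any error is seen (strict policy, an assumption) */
} rx_state;

rx_verdict check_pdu(rx_state *st, const safety_pdu *p)
{
    rx_verdict v = RX_ACCEPT;
    /* Modulo-256 distance from the last accepted sequence number. */
    uint8_t step = (uint8_t)(p->seq - st->last_seq);

    if (!p->crc_ok)
        v = RX_CORRUPT;                       /* tampering / bit errors */
    else if (p->conn_id != st->expected_conn)
        v = RX_WRONG_SOURCE;                  /* inserted or misrouted message */
    else if (st->started && step == 0)
        v = RX_DUPLICATE;                     /* duplication */
    else if (st->started && step >= 128)
        v = RX_OUT_OF_ORDER;                  /* older than the last accepted PDU */
    else if (st->started && step > 1)
        v = RX_LOSS;                          /* one or more PDUs missing */
    else if (st->started &&
             (uint32_t)(p->rx_time_ms - st->last_rx_ms) > st->watchdog_ms)
        v = RX_DELAYED;                       /* next PDU arrived too late */

    if (v != RX_ACCEPT) {
        st->safe_state = true;                /* error response: go to the safe state */
        return v;
    }
    st->started = true;
    st->last_seq = p->seq;
    st->last_rx_ms = p->rx_time_ms;
    return RX_ACCEPT;
}

int main(void)
{
    /* Constructed trace: two good PDUs, then a replay, a gap and a late PDU. */
    rx_state st = { .expected_conn = 0x0101, .watchdog_ms = 100 };
    const safety_pdu trace[] = {
        { 0x0101, 10,   0, true }, { 0x0101, 11,  50, true },
        { 0x0101, 11,  60, true }, { 0x0101, 14,  80, true },
        { 0x0101, 12, 200, true },
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("pdu %zu -> verdict %d\n", i, (int)check_pdu(&st, &trace[i]));
    printf("safe state latched: %d\n", (int)st.safe_state);
    return 0;
}
```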
[0025] Safety-oriented fieldbus protocols or safety protocols are specified in the following standards: IEC 61158 (basic communication), IEC 61784-2 (real-time communication) and IEC 61784-3-18 (safety profile).
[0026] The aforementioned device offers a number of advantages, which will be described below.
[0027] There are different security protocols that are incompatible with each other (referred to above as the first security protocol and the second security protocol).
[0028] In existing solutions, two incompatible security protocols can exchange security-guided digital signals by outputting data from the security output of one module and reading it from the security input of another module.
[0029] However, this solution is more complex because it requires two modules, each serving one of the two incompatible security protocols, and each digital bit needs a secure output and a secure input.
[0030] With a (optionally single) fieldbus module according to this disclosure, which acts as a bridge between two incompatible safety protocols (i.e., a bridging fieldbus module), data can be reliably exchanged between the two safety protocols, and optionally, input and / or output data of the bridging fieldbus module can also be exchanged. This is made possible, in particular, by redundant conversion of safety-related data (described above as messages present in the first safety protocol). This redundant conversion allows errors that may occur during the conversion process to be eliminated, so that the aforementioned functional safety requirements are met.
[0031] The following explains in detail the possible improvements to the above device.
[0032] Converting a security-related message received from the first network into a first security-related message may include forming a first checksum for the first security-related message.
[0033] Converting a security-related message received from the first network into a second security-related message may include forming a second checksum for the second security-related message.
[0034] Based on the comparison results, the first security-related message can be output to the second network along with the first checksum.
[0035] Furthermore, based on the comparison results, the second security-related message can be output to the second network along with the second checksum.
[0036] It is conceivable that the first message and the first checksum together form the first subframe, and the second message and the second checksum together form the second subframe, so that the first subframe and the second subframe can be output to the second network in a single message.
[0037] A checksum can be understood as a numerical value used to verify the integrity of data (in this case, the first or second message). A checksum can be calculated from either the first or second message and can identify specific errors within either message. Depending on the complexity of the checksum calculation rules, multiple errors can be identified and optionally corrected.
[0038] It is conceivable that a cyclic redundancy check (CRC) would be employed. CRC is a method used to determine a data checksum or parity value in order to identify errors during transmission and / or storage. Ideally, this method can even automatically correct received data, thereby avoiding retransmission. CRC itself is known to those skilled in the art and therefore will not be further elaborated upon.
[0039] By transmitting the first and second messages, along with their respective checksums, within a single message, it is possible to verify whether these two messages have been correctly transmitted to the fieldbus module or receiver in the second network. Furthermore, the correctness of the conversion can be checked by comparing these two checksums. This comparison can be performed by the network's fieldbus module (i.e., the receiver of the further message) and, additionally or alternatively, by the bridging fieldbus module.
[0040] The bridging fieldbus module may include a first data processing device, which is designed to convert security-related messages received from a first network into first security-related messages, and optionally to form a first checksum.
[0041] The first data processing device can be a microcontroller. A microcontroller (MCU) can be understood as a semiconductor chip that includes a processor and peripheral functions. It is conceivable that the working memory and program memory reside partially or entirely on the same chip. A microcontroller can be implemented as a single-chip computer system. Therefore, for some microcontrollers, the term "System-on-a-Chip" (SoC) is also used.
[0042] The first data processing device may include a first secure memory, which is designed to temporarily store a first message and optionally a first checksum.
[0043] A secure memory can be understood as a memory or storage device that meets the same functional safety requirements as the first and / or second security protocols. By using a secure memory, the entire system can meet the functional safety requirements.
[0044] The bridging fieldbus module may include a second data processing device, which is designed to convert security-related messages received from the first network into second security-related messages, and optionally to form a second checksum.
[0045] The second data processing device may include a second secure memory, which is designed to temporarily store a second message and optionally a second checksum.
[0046] The descriptions of the first data processing device and the first memory above also apply similarly to the second data processing device and the second memory.
[0047] By setting up a second data processing unit, redundancy can be ensured. This has the following advantages: if an error occurs in one of the two data processing units, the error can be identified by cross-comparing the results with those of the other data processing unit performing the same (safety) function. Therefore, the two data processing units can monitor each other.
[0048] As mentioned above, both fieldbus networks use the black channel principle.
[0049] The bridging fieldbus module also includes a coupling element designed to identify safety-related messages received at the fieldbus bridging module.
[0050] The coupling element can be designed to output the identified security-related messages to the first data processing device.
[0051] The coupling element can be designed to output the identified security-related messages to a second data processing device.
[0052] The coupling element can be implemented as a switch or gateway. The coupling element can be part of a black channel that terminates at a first or second data processing unit. Therefore, the coupling element can enable the transmission of both security-related and non-security-related data between two fieldbus networks.
[0053] The foregoing can be summarized in other words and in conjunction with the possible more specific design solutions of this disclosure described below, wherein the following description shall not be construed as a limitation of this disclosure.
[0054] A bridged fieldbus module with two Ethernet ports can be provided, wherein the first Ethernet port is connected to a first network implementing a first security bus protocol, and the second Ethernet port is connected to a second network implementing a second security bus protocol that is incompatible with the first security bus protocol.
[0055] Bridged fieldbus modules can have safety inputs and safety outputs.
[0056] The bridging fieldbus module may include two data storage units for safety-related data, which are stored redundantly in both data storage units.
[0057] Checksums (CRCs) can be generated separately from security-related data. The checksums of the first data storage and the second data storage can be compared to each other to check the validity of the data and verify the consistency of the data in the two storage areas.
[0058] One type of security bus protocol can be a commercially available security protocol (e.g., Profisafe, CIP Safety), for which compatible controllers, actuators, sensors, and other network participants from different manufacturers are readily available. Another type of security bus protocol may have the following characteristics:
[0059] • Security-related information can exist in a redundant manner (e.g., as two parts with the same information content).
[0060] • Each part can be protected by a test to check its validity, and / or
[0061] • It can be a security bus protocol that is not commonly used in the market. For this security bus protocol, only “own” security network participants are set up (where the structure and security mechanisms of the protocol are known, such as Open Safety).
[0062] At least one of the two memories may have three storage areas, wherein a first storage area in these storage areas is provided for a first security protocol in the two security protocols, a second storage area in these storage areas is provided for a second security protocol in the two security protocols, and a third storage area in these storage areas is provided for security input and / or output data received at the bridging fieldbus module from sensors and / or actuators directly connected to the bridging fieldbus module.
[0063] This disclosure also relates to a method for operating a bridged fieldbus module designed to interconnect two fieldbus networks.
[0064] The first fieldbus network of these two fieldbus networks uses a first security protocol and the black channel principle for safety-related messages. The second fieldbus network of these two fieldbus networks uses a second security protocol, different from the first security protocol, and the black channel principle for safety-related messages.
[0065] The method includes receiving, at the bridging fieldbus module, a security-related message corresponding to a first security protocol from a first fieldbus network.
[0066] The method includes identifying safety-related messages received from a first fieldbus network at a fieldbus bridging module by means of a coupling element.
[0067] The method includes converting identified security-related messages received from a first fieldbus network into first and second security-related messages corresponding to a second security protocol.
[0068] The method includes comparing a first security-related message and a second security-related message with each other.
[0069] The method includes outputting a first security-related message and / or a second security-related message to a second network based on the comparison result.
[0070] The method may include combining a first security-related message and a second security-related message into a further message, and outputting the further message to a second network.
[0071] This method can also be referred to as the control method for bridging fieldbus modules.
[0072] The method may be a computer-implemented method, meaning that one, more, or all of the steps of the method may be performed at least in part by a computer or data processing device (optionally by the aforementioned bridging fieldbus module).
[0073] The above description of the bridged fieldbus module also applies similarly to this method, and vice versa.
[0074] In addition, a computer program including instructions is provided that, when executed by a computer, causes the computer to at least partially perform or implement the methods described above.
[0075] The program code of a computer program can exist in any code, especially in code suitable for controlling fieldbus modules.
[0076] The above description of the bridging fieldbus module and method also applies similarly to computer programs, and vice versa.
[0077] Furthermore, a computer-readable medium, particularly a computer-readable storage medium, is provided. This computer-readable medium includes instructions that, when executed by a computer, cause the computer to at least partially perform or implement the methods described above.
[0078] This means that a computer-readable medium may be provided that includes the computer programs defined above. A computer-readable medium can be any digital data storage device, such as a USB flash drive, hard disk, CD-ROM, SD card, or SSD card (or SSD drive / SSD hard disk).
[0079] Computer programs are not necessarily required to be stored on such computer-readable storage media for use by the bridging fieldbus module; they can also be obtained via the Internet or other external means.
[0080] The descriptions above regarding bridging fieldbus modules, methods, and computer programs are similarly applicable to computer-readable media, and vice versa.
Attached Figure Description
[0081] The alternative embodiments of this disclosure will now be described with reference to Figures 1 to 5.
[0082] Figure 1 schematically illustrates a network with two fieldbus networks interconnected by a bridging fieldbus module according to the present disclosure.
[0083] Figure 2 schematically shows, in detail and in isolation, the bridged fieldbus module of Figure 1 according to the present disclosure.
[0084] Figure 3 schematically illustrates a flowchart of the method of this disclosure for operating the bridged fieldbus modules of Figures 1 and 2, when converting security-related messages from a first security protocol to a second security protocol.
[0085] Figure 4 schematically illustrates the data format corresponding to the second security protocol.
[0086] Figure 5 schematically illustrates a flowchart of the method of this disclosure for operating the bridged fieldbus modules of Figures 1 and 2, when converting security-related messages from a second security protocol to a first security protocol, and...
[0087] Figure 6 schematically illustrates a flowchart of another disclosed method for operating the bridged fieldbus modules of Figures 1 and 2.
Detailed Implementation
[0088] The network 100 shown in Figure 1 has two fieldbus networks 1 and 2.
[0089] The first fieldbus network 1 of these two fieldbus networks is described in detail below.
[0090] The first fieldbus network 1 of these two fieldbus networks includes two fieldbus modules 11 and 12, an emergency stop switch 13, a relay 14, and a light curtain 15. The two fieldbus modules 11 and 12 are interconnected via a first fieldbus 16. The emergency stop switch 13 is connected to the safety input of the first fieldbus module 11. The relay 14 is connected to the safety output of the first fieldbus module 11. The light curtain 15 is connected to the safety input of the second fieldbus module 12.
[0091] The first fieldbus network 1 communicates via fieldbus 16 using a bus protocol employing a first security protocol. Here, the black channel principle is used. This means that the security protocol used, designed to ensure the correct transmission of security-related data from sender to receiver, is independent of the bit transport layer (physical layer) or bus protocol. For example, it is conceivable to use Industrial Ethernet with Profi Safe running on it as the bit transport layer (physical layer) or bus protocol. The two fieldbus modules 11 and 12 of the first fieldbus network 1 are designed to transmit (i.e., receive and output) security-related data or information via fieldbus 16 using Profi Safe.
[0092] It is conceivable that the first fieldbus module 11 receives a message (in the form of a simple digital signal) from the actuated emergency stop switch 13, and then outputs a message (also in the form of a simple digital signal) as a control signal to the relay 14, causing the relay 14 to switch to the desired state. It is also conceivable that the first fieldbus module 11 receives, via the second fieldbus module 12, a message in the first safety protocol originating from the triggered light curtain 15, and then outputs a message (in the form of a simple digital signal) as a control signal to the relay 14, causing the relay 14 to switch to the desired state.
[0093] The second fieldbus network 2 is described in detail below.
[0094] The second fieldbus network 2 of these two fieldbus networks also includes two fieldbus modules 21 and 22, and three emergency stop switches 23, 24, and 25, and an actuator 26. The two fieldbus modules 21 and 22 are interconnected via a second fieldbus 27. The first of the three emergency stop switches (hereinafter referred to as the second emergency stop switch 23) is connected to the safety input of the first fieldbus module 21. The second and third of the three emergency stop switches (hereinafter referred to as the third and fourth emergency stop switches 24 and 25) are respectively connected to the safety input of the second fieldbus module 22. The actuator 26 (e.g., a motor) is connected to the safety output of the second fieldbus module 22.
[0095] The second fieldbus network 2 communicates via fieldbus 27 using a bus protocol employing a second security protocol. Here, the black channel principle is also used. This means that the second security protocol, designed to ensure the correct transmission of security-related data from sender to receiver, is independent of the bit transport layer (physical layer) or bus protocol. For example, it is conceivable to use an industrial Ethernet network with Open Safety as the security protocol running on it as the bit transport layer (physical layer) or bus protocol. The two fieldbus modules 21 and 22 of the second fieldbus network 2 are designed to transmit (i.e., receive and output) security-related data or information via fieldbus 27 using Open Safety.
[0096] It is conceivable that, at the second fieldbus module 22, a message in the second safety protocol originating from the actuated second emergency stop switch 23 is received via the first fieldbus module 21, and subsequently, a message acting as a control signal is output from the second fieldbus module 22 to the actuator 26, causing the actuator 26 to switch to the desired state (e.g., off). It is also conceivable that, at the second fieldbus module 22, a message from the actuated third and / or fourth emergency stop switches 24, 25 is received, and subsequently, a message acting as a control signal is output from the second fieldbus module 22 to the actuator 26, causing the actuator 26 to switch to the desired state.
[0097] However, in all of the above cases, communication occurs only within the first fieldbus network 1 or the second fieldbus network 2.
[0098] However, it is also conceivable that the following situation must be mapped by network 100.
[0099] The safe state is defined as follows: relay 14 of the first fieldbus network 1 and actuator 26 of the second fieldbus network 2 are both de-energized or in the desired state. This safe state should be introduced when one of the emergency stop switches 13, 23, 24, 25 and / or the light curtain 15 is actuated or triggered.
[0100] Therefore, the logic running in the program of a single fieldbus module in fieldbus modules 11, 12, 21, and 22 of these two networks 1 and 2 executes safety functions. Thus, all safety-related data of these two fieldbus networks 1 and 2 must be made available to this logic.
[0101] For example, if this logic is executed only in the first fieldbus module 11 of the first fieldbus network 1, then the safety-related data for the three emergency stop switches 23, 24, and 25 of the second fieldbus network 2 must also be available in the first fieldbus network 1, so that the first fieldbus module 11 of the first fieldbus network 1 can access or receive this safety-related data. The same applies to the safety-related data for the actuator 26 of the second fieldbus network 2, which is generated by this logic and output by the first fieldbus module 11 of the first fieldbus network 1. This safety-related data must be available in the second fieldbus network 2 to the second fieldbus module 22 of the second fieldbus network 2, so that the second fieldbus module 22 of the second fieldbus network 2 can output the corresponding control signals (and thus, safety-related data) to the actuator 26.
[0102] However, this presents challenges: for example, in this scenario, the first and second security protocols (in which or through which security-related data is transmitted) are incompatible with each other, meaning that security-related data from the first fieldbus network 1 cannot be directly read from the second fieldbus network 2, and vice versa.
[0103] For this reason, the bridging fieldbus module 3 according to this disclosure is part of network 100 and interconnects or links the two fieldbus networks 1 and 2. The bridging fieldbus module 3 is designed to: receive security-related data in either of the two security protocols; temporarily store this security-related data; translate it into the respective other security protocol; and output it to the respective other fieldbus network 1 or 2. For this purpose, the bridging fieldbus module 3 is connected to the two fieldbuses 16 and 27. The bridging fieldbus module 3 will be further described in detail below with reference to Figure 2.
[0104] The bridging fieldbus module 3 includes a first port 31 for connecting to the fieldbus 16 of the first fieldbus network 1 of the two fieldbus networks, on which a bus protocol using a first security protocol is implemented.
[0105] The bridging fieldbus module 3 includes a second port 32 for connecting to the fieldbus 27 of the second fieldbus network 2 of the two fieldbus networks, on which a bus protocol using a second security protocol that is incompatible with the first security protocol is implemented.
[0106] The bridging fieldbus module 3 includes a coupling element 33 connected to both the first port 31 and the second port 32. The coupling element includes an insecure memory and acts as a switch.
[0107] The bridging fieldbus module 3 includes a first data processing device 34 having a first secure memory 341 and connected to a coupling element 33.
[0108] The bridging fieldbus module 3 includes a second data processing device 35 having a second secure memory 351 and connected to a coupling element 33.
[0109] The operation of the bridged fieldbus module 3 will be described in detail below with reference to Figure 3, which shows a flowchart of the method for operating the bridged fieldbus module 3.
[0110] In the first step S1 of the method, the coupling element 33 identifies the message received from the first fieldbus network 1 via the first port 31 in the first security protocol.
[0111] In the second step S2 of the method, the message identified in the first step S1 is transmitted from the coupling element 33 to the first and second data processing devices 34 and 35.
[0112] Here, coupling element 33 is part of the black channel, while the two data processing devices 34 and 35 are no longer part of the black channel. Therefore, security-related data or messages can be processed in these two data processing devices 34 and 35.
[0113] In the third step S3 of the method, the message received from the coupling element 33 in the first security protocol is converted into corresponding messages 411 and 421 in the second security protocol (i.e., into messages corresponding to the structure specified by the second security protocol) by means of the first and second data processing devices 34 and 35, respectively. This is accompanied by the formation of a first checksum or verification sum 412 in the first data processing device 34 and a second checksum 422 in the second data processing device 35, each checksum being formed over the corresponding first or second message 411, 421 in the second security protocol.
[0114] In the fourth step S4 of the method, message 411 generated by the first data processing device 34 is stored in the first memory 341 as the first message in the second security protocol. For this purpose, the first memory may have a separate storage area. In the fourth step S4 of the method, message 421 generated by the second data processing device 35 is also stored in the second memory 351 as the second message in the second security protocol. For this purpose, the second memory 351 may have a separate storage area. Both messages 411 and 421 are stored together with their associated checksums 412 and 422; that is, the first message 411 in the second security protocol is stored together with the first checksum 412, and the second message 421 in the second security protocol is stored together with the second checksum 422.
[0115] Therefore, security-related messages in the first security protocol are redundantly converted, protected by checksums 412 and 422, and stored.
[0116] In the fifth step S5 of the method, the two messages 411 and 421 (i.e., the first message 411 in the second security protocol and the second message 421 in the second security protocol) are compared, and / or their associated checksums 412 and 422 are compared. This comparison can be performed by one or both of the data processing devices 34 and 35. If the comparison determines that the two messages 411 and 421 and / or their checksums 412 and 422 are consistent, the method continues to the sixth step S6. Otherwise, the module may optionally retry the conversion of the message from the first security protocol to the second security protocol, attempt to correct one of the two messages (especially in the case of slight differences), and / or abort the method.
[0117] In the sixth step S6 of the method, the first and / or the second data processing device 34, 35 combines the first message 411 in the second security protocol stored in the first memory 341 and the second message 421 in the second security protocol stored in the second memory 351, along with their respective checksums 412 and 422, into message 4, which is read by the coupling element or coupler 33.
[0118] Figure 4 illustrates the structure of message 4. Message 4 in the second security protocol includes two subframes 41 and 42, which together form a security frame 40. Subframe 41 includes the first message 411 in the second security protocol and the first checksum 412 from the first memory 341, and subframe 42 includes the second message 421 in the second security protocol and the second checksum 422 from the second memory 351.
[0119] Alternatively, message 4 can be formed using only the first message or the second message 411, 421 and their respective checksums 412, 422. For this purpose, the corresponding message 411, 421 and its checksums 412, 422 can be provided twice in message 4. Thus, the first message or the second message 411, 421, together with their respective checksums 412, 422, forms the corresponding subframes 41, 42 of the security frame 40 of message 4.
[0120] In the seventh step S7 of the method, the message 4 obtained in the sixth step S6 is output from the coupler 33 via the second port 32 to the second fieldbus network 2, or more precisely, to its fieldbus 27.
[0121] Therefore, under the above circumstances, safety-related data can be transmitted from the first fieldbus network 1 to the second fieldbus network 2.
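Steps S2 to S6 of the forward direction sketched in C, as an added example that is not part of the patent text. The message layouts, the CRC-16/CCITT-FALSE checksum, the `fault_mask` parameter and all function and type names are assumptions, since the page names neither the two protocols nor the checksum algorithm.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical layouts: the page names neither protocol nor frame format. */
typedef struct { uint8_t conn_id, seq, data; } msg_a_t;           /* first protocol */
#define B_LEN 4                                                    /* second-protocol message length */
typedef struct { uint8_t msg[B_LEN]; uint16_t crc; } subframe_t;  /* 411+412 or 421+422 */
typedef struct { subframe_t sf41, sf42; } frame40_t;              /* message 4 */

/* CRC-16/CCITT-FALSE, an assumed stand-in for the unspecified checksum. */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)((uint16_t)(*p++) << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* S3 + S4: one data processing device converts the message and stores
   it with its checksum in that device's own memory. */
static void convert_channel(const msg_a_t *in, subframe_t *mem) {
    mem->msg[0] = in->conn_id;
    mem->msg[1] = in->seq;
    mem->msg[2] = in->data;
    mem->msg[3] = (uint8_t)~in->data;   /* inverted copy, constructed field */
    mem->crc = crc16(mem->msg, B_LEN);
}

/* S5: cross-comparison of messages and checksums. Each stored checksum
   is also re-verified, so corruption after S4 is detected. */
static int channels_agree(const subframe_t *a, const subframe_t *b) {
    if (crc16(a->msg, B_LEN) != a->crc) return 0;
    if (crc16(b->msg, B_LEN) != b->crc) return 0;
    return memcmp(a->msg, b->msg, B_LEN) == 0 && a->crc == b->crc;
}

/* S2..S6 for one received message. fault_mask simulates a bit flip in
   memory 351 between S4 and S5 (0 = no fault). Returns 1 and fills *out
   if the frame may be output (S7); returns 0 if the method aborts, in
   which case *out is left untouched and nothing is sent. */
int bridge_a_to_b(const msg_a_t *in, uint8_t fault_mask, frame40_t *out) {
    subframe_t mem341, mem351;           /* memories of devices 34 and 35 */
    convert_channel(in, &mem341);
    convert_channel(in, &mem351);
    mem351.msg[2] ^= fault_mask;         /* constructed fault injection */
    if (!channels_agree(&mem341, &mem351))
        return 0;                        /* abort: no output */
    out->sf41 = mem341;                  /* S6: subframe 41 = 411 + 412 */
    out->sf42 = mem351;                  /*     subframe 42 = 421 + 422 */
    return 1;
}

int main(void) {
    msg_a_t estop = { 0x12, 7, 0x01 };   /* constructed sample input */
    frame40_t f;
    int released = bridge_a_to_b(&estop, 0x00, &f);   /* channels agree */
    int blocked = !bridge_a_to_b(&estop, 0x01, &f);   /* channel 35 corrupted */
    return (released && blocked) ? 0 : 1;
}
```

Aborting on mismatch is only one of the options paragraph [0116] lists; a retry or correction path would replace the early `return 0`.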
[0122] In the above application scenario, security-related messages existing in the first security protocol are converted into messages existing in the second security protocol. The above applies similarly to the situation where security-related messages existing in the second security protocol are converted into messages existing in the first security protocol. This will be described in detail below with reference to Figure 5 and Figures 1 to 4, showing only the differences from the above scenario. Figure 5 shows a flowchart of the method for converting messages from the second security protocol to the first security protocol, where the method steps and messages corresponding to the above steps are labeled with the same reference numerals and the suffix "'".
[0123] In the first step S1' of the method, the coupling element 33 identifies message 4 (similar to the first step S1 above) received from the second fieldbus network 2 via the second port 32 in the second security protocol.
[0124] In the second step S2' of the method, the message 4 identified in the first step S1' is transmitted from the coupling element 33 to the first and second data processing devices 34 and 35 (similar to the second step S2 above).
[0125] In the third step S3' of the method (similar to the third step S3 described above), the first and second data processing devices 34 and 35 respectively convert the message 4 received from the coupling element 33 in the second security protocol into corresponding messages 411' and 421' in the first security protocol (i.e., into messages corresponding to the structure specified by the first security protocol). This is accompanied by the formation of a first checksum or verification sum 412' in the first data processing device 34 and a second checksum 422' in the second data processing device 35, each checksum being formed over the corresponding first or second message 411', 421' in the first security protocol.
[0126] In the fourth step S4' of the method (which is similar to the fourth step S4 described above), the message 411' generated by the first data processing device 34 is stored in the first memory 341 as the first message in the first security protocol. For this purpose, the first memory 341 may have a separate storage area. In the fourth step S4' of the method, the message 421' generated by the second data processing device 35 is also stored in the second memory 351 as the second message in the first security protocol. For this purpose, the second memory 351 may have a separate storage area. The two messages 411' and 421' are stored together with their associated checksums 412' and 422', that is: the first message 411' in the first security protocol is stored together with the first checksum 412', and the second message 421' in the first security protocol is stored together with the second checksum 422'.
[0127] Therefore, the security-related message 4 in the second security protocol is redundantly converted, protected by checksums 412' and 422', and stored.
[0128] In the fifth step S5' of the method (which is similar to the fifth step S5 of the method described above), the two messages 411' and 421' (i.e., the first message 411' in the first security protocol and the second message 421' in the first security protocol) are compared, and / or their associated checksums 412' and 422' are compared. This comparison can be performed by one or both of the data processing devices 34 and 35. If the comparison determines that the two messages 411' and 421' and / or their checksums 412' and 422' are consistent, the method continues to the sixth step S6'. Otherwise, the module may optionally retry the conversion of the message from the first security protocol to the second security protocol, attempt to correct one of the two messages (especially in the case of slight differences), and / or abort the method.
[0129] In the sixth step S6' of the method, the coupling element or coupler 33 reads either the first message 411' in the first security protocol stored in the first memory 341 or the second message 421' in the first security protocol stored in the second memory 351, along with its respective checksum 412' or 422'. The structure of such a message according to the first security protocol corresponds to one of the subframes 41 and 42 of message 4 shown in Figure 4.
[0130] In the seventh step S7' of the method, the message obtained in the sixth step S6' and existing in the first security protocol is output from the coupler 33 via the first port 31 to the first fieldbus network 1, or more precisely, to its fieldbus 16.
[0131] Therefore, under the above circumstances, safety-related data can be transmitted from the second fieldbus network 2 to the first fieldbus network 1.
[0132] The following describes in detail the additional or alternative design options for network 100, and especially for the bridging fieldbus module 3.
[0133] In this design, network 100 has a fifth emergency stop switch 5 and a second relay 6. The fifth emergency stop switch 5 is connected to the safety input terminal 36 of the bridging fieldbus module 3, wherein the safety input terminal 36 has two connection terminals 361 and 362, thereby providing redundant wiring. The second relay 6 is connected to the safety output terminal 37 of the bridging fieldbus module 3, wherein the safety output terminal 37 has two connection terminals 371 and 372, thereby providing redundant wiring. Therefore, each message containing safety-related data is received from the fifth emergency stop switch 5 at the two connection terminals 361 and 362 of the safety input terminal 36, and each message containing safety-related data is output via the two connection terminals 371 and 372 of the safety output terminal 37. The description of the safety input and output terminals of the bridging fieldbus module 3 is similarly applicable to the aforementioned safety input and output terminals of the fieldbus modules 11, 12, 21, and 22 of the first and second fieldbus networks 1 and 2.
[0134] The fifth emergency stop switch 5 and the second relay 6 do not use a safety protocol to communicate with the bridging fieldbus module 3. Data is transmitted from the fifth emergency stop switch 5 to the bridging fieldbus module as a (simple or redundant) digital signal (especially when no safety protocol is used), and output from the bridging fieldbus module as a (simple) digital signal to the second relay. However, it is conceivable that when the fifth emergency stop switch 5 is actuated, the actuator 26 of the second fieldbus network 2 must stop. Therefore, the safety-related data received from the fifth emergency stop switch 5 in the bridging fieldbus module 3 must also be provided to the second fieldbus network using the second safety protocol. This also applies to the first safety protocol, for example, when it is necessary to transmit safety-related data from the fifth emergency stop switch 5 to the first fieldbus module 11 of the first fieldbus network 1. Therefore, the above method is generally used here, with variations in the first step S1 or S1' and the second step S2 or S2', as detailed below. A flowchart of this variant method is shown in Figure 6. Method steps corresponding to the above steps are labeled with the same reference numerals and the suffix "''".
[0135] In the first step S1'' of the variant method, the same message from the fifth emergency stop switch 5 is received at the two connection terminals 361 and 362 of the safety input terminal 36.
[0136] In the second step S2'' of the variant method, the message received in the first step S1'' of the variant method is output from the first connection terminal 361 of the safety input terminal 36 to the first data processing device 34 of the bridging fieldbus module 3, and the message received in the first step S1'' of the variant method is output from the second connection terminal 362 of the safety input terminal 36 to the second data processing device 35 of the bridging fieldbus module 3.
[0137] In the third step S3'' of the variant method, the messages received from the first or second connection terminal 361, 362 in the first security protocol are converted into corresponding messages 411, 421 in the second (and / or first) security protocol by means of the first and second data processing devices 34, 35, respectively. This is accompanied by the formation of a first checksum 412 (or 412') in the first data processing device 34 and a second checksum 422 (or 422') in the second data processing device 35, each checksum being formed over the corresponding first or second message 411, 421 (or 411', 421') in the second (or first) security protocol. The third step S3'' of the variant method corresponds to the third step S3 of the method described above with reference to Figure 3 (or the third step S3' of the method described above with reference to Figure 5).
[0138] In the fourth step S4'' of the variant method, message 411 (or 411') generated by the first data processing device 34 is stored in the first memory 341 as the first message in the second (or first) security protocol. For this purpose, the first memory 341 may have a separate storage area. In the fourth step S4'' of the variant method, message 421 (or 421') generated by the second data processing device 35 is also stored in the second memory 351 as the second message in the second (or first) security protocol. For this purpose, the second memory 351 may have a separate storage area. The two messages 411 and 421 (or 411' and 421') are stored together with their associated checksums 412 and 422 (or 412' and 422'), that is: the first message 411 (or 411') in the second (or first) security protocol is stored together with the first checksum 412 (or 412'), and the second message 421 (or 421') in the second (or first) security protocol is stored together with the second checksum 422 (or 422').
[0139] Therefore, the message received via the safety input terminal 36 is redundantly converted into the second (or first) security protocol, protected by checksums 412, 422 (or 412', 422'), and stored. The fourth step S4'' of the variant method corresponds to the fourth step S4 of the method described above with reference to Figure 3 (or the fourth step S4' of the method described above with reference to Figure 5).
[0140] In the sixth step S6'' of the variant method, the first message 411 in the second security protocol stored in the first memory 341 and the second message 421 in the second security protocol stored in the second memory 351, along with their respective checksums 412 and 422, are combined into message 4, which is read by the coupler 33.
[0141] Figure 4 illustrates the structure of message 4. Message 4 in the second security protocol includes two subframes 41 and 42, which together form a security frame 40. Subframe 41 includes the first message 411 in the second security protocol and the first checksum 412 from the first memory 341, and subframe 42 includes the second message 421 in the second security protocol and the second checksum 422 from the second memory 351.
[0142] When converting a message to the first security protocol, the coupling element or coupler 33 reads either the first message 411' in the first security protocol stored in the first memory 341 or the second message 421' in the first security protocol stored in the second memory 351, along with its respective checksum 412' or 422'. The structure of this message according to the first security protocol corresponds to one of the subframes 41 and 42 of message 4 shown in Figure 4.
[0143] The sixth step S6'' of the variant method corresponds to the sixth step S6 of the method described above with reference to Figure 3 (or the sixth step S6' of the method described above with reference to Figure 5).
[0144] In the seventh step S7'' of the variant method, message 4 obtained in the sixth step S6'' of the variant method is output from coupler 33 via the second port 32 to the second (or first) fieldbus network 2 (or 1), more precisely, to its fieldbus 27 (or 16). The seventh step S7'' of the variant method corresponds to the seventh step S7 of the method described above with reference to Figure 3 (or the seventh step S7' of the method described above with reference to Figure 5).
[0145] List of reference numerals
[0146] 1 First Fieldbus Network
[0147] 11 First Fieldbus Module
[0148] 12 Second Fieldbus Module
[0149] 13 First Emergency Stop or Emergency Shutdown Switch
[0150] 14 First Relay
[0151] 15 gratings
[0152] 16 Fieldbus
[0153] 2 Second Fieldbus Network
[0154] 21 First Fieldbus Module
[0155] 22 Second Fieldbus Module
[0156] 23 Second emergency stop or emergency shutdown switch
[0157] 24 Third emergency stop or emergency shutdown switch
[0158] 25 Fourth Emergency Stop or Emergency Shutdown Switch
[0159] 26 Actuator
[0160] 27 Fieldbus
[0161] 3 Bridged Fieldbus Module
[0162] 31 First Port
[0163] 32 Second Port
[0164] 33 Coupling element
[0165] 34 First Data Processing Device
[0166] 341 First Security Memory
[0167] 35 Second Data Processing Device
[0168] 351 Second Security Memory
[0169] 36 Safety Input Terminal
[0170] 361 First Connection Terminal
[0171] 362 Second Connection Terminal
[0172] 37 Safety Output Terminal
[0173] 371 First Connection Terminal
[0174] 372 Second Connection Terminal
[0175] 4 Message according to the second security protocol
[0176] 40 Security frame
[0177] 41 First Subframe
[0178] 411 First message according to the second security protocol
[0179] 412 First checksum
[0180] 42 Second Subframe
[0181] 421 Second message according to the second security protocol
[0182] 422 Second Checksum
[0183] 411' First message according to the first security protocol
[0184] 412' First checksum
[0185] 421' Second message according to the first security protocol
[0186] 422' Second checksum
[0187] 5 Fifth emergency stop or emergency shutdown switch
[0188] 6 Second Relay
[0189] 100 Network
[0190] S1-S7, S1'-S7', S1''-S7'' Steps of the (variant) method
Claims
1. A bridging fieldbus module designed for interconnecting two fieldbus networks, wherein:
- the first fieldbus network of the two fieldbus networks uses a first security protocol and the black channel principle for security-related messages, and
- the second fieldbus network of the two fieldbus networks uses a second security protocol, which is different from the first security protocol, and the black channel principle for the security-related messages,
wherein the bridging fieldbus module includes:
- a coupling element designed to recognize safety-related messages received at the bridging fieldbus module from the first fieldbus network,
wherein the bridging fieldbus module is designed to:
- receive the security-related message corresponding to the first security protocol from the first fieldbus network,
characterized in that the bridging fieldbus module is designed to:
- convert the safety-related message received and identified from the first fieldbus network into first and second safety-related messages corresponding to the second safety protocol,
- compare the first security-related message and the second security-related message with each other, and
- based on the comparison result, output the first safety-related message and / or the second safety-related message to the second fieldbus network.
2. The bridging fieldbus module according to claim 1, characterized in that:
- converting the safety-related message received from the first fieldbus network into the first safety-related message includes forming a first checksum for the first safety-related message,
- converting the safety-related message received from the first fieldbus network into the second safety-related message includes forming a second checksum for the second safety-related message, and
- based on the comparison result, the first security-related message is output to the second fieldbus network along with the first checksum.
3. The bridging fieldbus module according to claim 2, characterized in that, based on the comparison result, the second safety-related message, together with the second checksum, is also output to the second fieldbus network.
4. The bridging fieldbus module according to claim 2, characterized in that the bridging fieldbus module includes a first data processing device, which is designed to convert the security-related message received from the first fieldbus network into the first security-related message and to form the first checksum.
5. The bridging fieldbus module according to claim 4, characterized in that the coupling element is designed to output the identified security-related message to the first data processing device.
6. The bridging fieldbus module according to claim 4 or 5, characterized in that the first data processing device includes a first secure memory, which is designed to temporarily store the first security-related message and the first checksum.
7. The bridging fieldbus module according to claim 2, characterized in that the bridging fieldbus module includes a second data processing device, which is designed to convert the security-related message received from the first fieldbus network into a second security-related message and to form the second checksum.
8. The bridging fieldbus module according to claim 7, characterized in that the coupling element is designed to output the identified security-related message to the second data processing device.
9. The bridging fieldbus module according to claim 7 or 8, characterized in that the second data processing device includes a second secure memory, which is designed to temporarily store the second security-related message and the second checksum.
10. A method for operating a bridging fieldbus module, the bridging fieldbus module being designed to interconnect two fieldbus networks, wherein:
- the first fieldbus network of the two fieldbus networks uses a first security protocol and the black channel principle for security-related messages, and
- the second fieldbus network of the two fieldbus networks uses a second security protocol, which is different from the first security protocol, and the black channel principle for the security-related messages,
wherein the method includes:
- receiving security-related messages corresponding to the first security protocol from the first fieldbus network at the bridging fieldbus module, and
- identifying, by means of a coupling element, the safety-related messages received from the first fieldbus network at the bridging fieldbus module,
the method being characterized by comprising:
- converting the identified safety-related messages received from the first fieldbus network into first and second safety-related messages corresponding to the second safety protocol,
- comparing the first security-related message and the second security-related message with each other, and
- based on the comparison result, outputting the first safety-related message and / or the second safety-related message to the second fieldbus network.
11. A computer program and / or computer-readable medium comprising instructions that, when executed by a bridging fieldbus module, cause the bridging fieldbus module to perform the method of claim 10, wherein the bridging fieldbus module is designed to interconnect two fieldbus networks and has coupling elements.