Safety over EtherCAT | Description of the technology

Safety over EtherCAT | Description of the technology

A basic principle for testing and certification of bus systems for transferring safety-relevant messages was first presented in 2000 by the HVBG electrical engineering committee. The basic testing principle specified in the current version [GS-ET-26] is the basis for the international pre-IEC 61784-3 standard. This standard defines the following error assumptions for such a network: corruption, repetition, interchanging, loss, delay, insertion, masquerading and invalid addressing of messages.A safety protocol must be able to handle all these errors via suitable measures, i.e. they must be detected according to the required safety category.

Safety over EtherCAT | Software

The message delay assumption is particularly relevant for Ethernet-based systems. The application of non-safety-certified infrastructure components such as switches or routers creates scope for message delays. Even time monitoring (watchdog) of arriving messages is not sufficient.


The Safety over EtherCAT protocol has been assessed by German Technical Inspection Agency (TÜV). It is certified as a protocol for transferring process data between Safety over EtherCAT devices up to SIL 3 according to IEC 61508. The implementation of the Safety over EtherCAT protocol in a device must meet the requirements of the safety target. The associated product-specific requirements must be taken into account.

Any transmission link can be used, including fieldbus systems, Ethernet or similar transfer routes, optical fiber cables, copper cables, or radio links. There are no restrictions or requirements for Bus Couplers or other devices located along the transfer route. A conformance test for supporting implementation of the protocol in devices is currently being developed. This test is a pure protocol test for checking the behavior of the safety protocol via the communication interface of a test device (black box test).

Safety over EtherCAT | Test

The first step is reading the device description file of the test device in order to determine the possible parameters for the test. Test scripts from a configuration can then be executed on a standard PC. The test device is subjected to correct and faulty frames and the response is compared with an expected result. A test report summarizes the results of the individual test steps.

Application example

The safety and functionality of a safe transfer protocol can only be proven through implementation of the specification in a product. Devices with Safety over EtherCAT have been available since 2005. Safety over EtherCAT is therefore one of the first Industrial Ethernet real-time communication systems supporting a safe protocol.

This application utilizes the benefits of the technology. The safety components are deployed wherever they are required in the automation system. Scalable local input and output components can be used in the system. An additional input or output can be extended flexibly using safety and non-safety Bus Terminals as required.

Safety over EtherCAT | TwinSAFE

The safety logic is also embedded within the network strand. A standard PLC can thus continue dealing with control tasks without a safety extension. Safe input and output functions are linked in the local safety logic in the form of an intelligent, safe Bus Terminal. This saves the costs otherwise required for an expensive safety PLC and enables scaling of the logic according to the task at hand. Only the messages between the Safety over EtherCAT master and the allocated safe slaves are routed via the non-safe, standard PLC.

Beckhoff currently offers three safe I/O components: an input terminal with four safe inputs, an output terminal with four safe outputs, and a Logic Terminal with configurable safety logic and four local safe outputs. Safety-relevant parameterization of the devices can be implemented via a safe configuration tool integrated in the standard programming environment (TwinCAT). Finally, the resulting safe parameter set is uploaded (password-monitored) to the safe logic terminal. During each startup, the Logic Terminal distributes the safe application parameters to the configured input and output terminals. This enables simple exchange of input and output terminals without having to adapt or reload the configuration.