The Industrial Internet of Things—the idea that all systems should be connected on a global scale in order to share information—is quickly becoming a reality. Today, a growing number of companies, especially in the industrial equipment markets, are taking IIoT one step further by creating complex systems that integrate sensors, processing and communications to form intelligent factories, smart energy grids and even smart cities. These developments increase productivity and profitability, as well as enrich lives. New technology implemented on a Xilinx® Zynq®-7000 All Programmable SoC is helping to bring intelligent systems into the manufacturing sector of the IIoT. The smart gateway, designed by System-on-Chip engineering S.L. (SoC-e), stream-lines productivity and helps companies like Micro-deco become more reliably connected and secure. To maximize profitability, factories seek more flexibility in their layouts, more information about the process and manufactured products, more intelligence in the processing of this data and an effective integration of the human experience/interaction. However, as new technology is introduced into the factory sector, those creating it need to respect some rules. The first and most important is that production cannot stop. New technologies must be compatible with old systems and interoperability among vendors should be facilitated. Furthermore, the solutions should provide a means of taking the next step in automation, leading to more autonomous or decentralized analytics.
In order to achieve what many are calling the “fourth industrial revolution,” factories need infrastructure and systems to use the IT and electronics for automated production. Although many factories automated in the third industrialization wave, in many scenarios it is necessary to implement both steps simultaneously: the third and fourth evolutions of automation. This situation offers a good opportunity to integrate IT infrastructures that will fit with new requirements for smart factories but are compatible with the third- era production-scheduling and automation systems. Figure 1 depicts the typical production system widely used in industry that helps adapt and optimize production to demand. The enterprise resource-planning (ERP) soft-ware consists of tools that support the commercial database. It defines what to fabricate. Meanwhile, the manufacturing enterprise system (MES) focus-es on the scheduling of production. It uses the ERP outputs, communicates with the production plant equipment and tells the equipment what to do.
NETWORKING, PROCESSING AND SENSING IN THE SMART FACTORY
With many companies offering different types of factory equipment and many generations of that equipment coexist-ing, connecting equipment from differ-ent vendors and different time periods that conforms to different standards can be quite challenging. It’s further complicated by the fact that this factory equipment must also communicate with a company’s IT network (enterprise and/or Internet); combinations of PC-based systems; gateways, black boxes Factory equipment must communicate with a company’s IT network. Intelligent gateways will play a vital role in offering transparent operations between these two worlds: machine and IT.
Figure 1 – Scheduling the production via
and industrial switches built around multiple protocols. As such, a factory can quickly turn into a heterogeneous nightmare, lacking the simplicity and flexibility that a “plug-and-work” operation demands. Intelligent gateways like the CPPS-Gate40 from SoC-e (Figure 2) will play a vital role in offering secure and transparent operation between both worlds (machine and IT). Microdeco is a company that manufactures small metal parts for the auto-motive sector. The company is always looking for ways to enhance productivity and is at the forefront of using intelligent systems. In the company’s pilot plant, located in Ermua, Spain, Micro-deco has built a networking infrastructure around the concept of smart gate-ways that combine in the same system networking, processing and sensing.
One of the top challenges in creating a smart factory lies in connecting the various systems. The factory includes high-speed optical links that interconnect the various cyber physical production system (CPPS) areas—that is, each production group of machines, sensors and actuators. The intelligent gateway is in charge of all the communication infrastructure. This includes, the high-speed switching for the fiber links and flexible, trispeed Ethernet ports to implement regular Ethernet or Industrial Ethernet protocols in each cell, along with serial ports to implement widely used industrial protocols such as Modbusand Profibus.
Figure 3 shows how each smart gate-way installed in each machine (CPPS area) is tied to the next one using a sin-gle fiber-optic link. The infrastructureis completed by connecting all the devices in a single ring that implements the High-Availability Seamless Redundancy (HSR) protocol. This nonproprietary (IEC 62439-3 Clause 5) Ethernet “zero-de-lay recovery time” solution allows operators to disconnect any equipment from the ring without adversely affecting other nodes or equipment in the factory. This real plug-and-work operation facilitates plant layout modifications. Furthermore, HSR supports the redundant IEEE 1588v2
Figure 2 – The CPPS-Gate40 smart gateway from SoC-e
submicrosecond synchronization proto-col, which simplifies the synchronization of the system to perform precise reconstruction of the sampled sensor data or the implementation of control tasks. In order to provide seamless redundancy, each HSR node sends the Ether-net frames through both directions of the ring. This approach allows “hot” ca-ble or equipment plugging and unplugging. Each node is in charge of forward-ing both frames, and the IEEE 1588v2 support corrects the residence and link delay times to ensure timing accuracy in the entire network. Thus, frame hard-ware processing is mandatory to ensure low and constant latency times in every node. Indeed, the IEC standard recommends a “cut-through” approach for for-warding the frames in the ring. To avoid circulating frames, for unicast communications the node that receives the frames is in charge of re-moving them from the ring. For multi-cast and broadcast traffic, the sender removes the frames when it sees them again in the redundant port. Addition-al rules regarding circulating frames (such as corrupted frames) are applied to ensure network stability. HSR, combined in many cases with the Parallel Redundancy Protocol (PRP), is the recommended High-Avail-ability Ethernet protocol in the standard for the automation of one of the most critical sectors worldwide: power sub-stations. Other sectors, such as military and aerospace, are also adopting these Layer 2 solutions.
Smart gateways provide hardware switching from the Ethernet and seri-al ports to the HSR infrastructure ring. There are two smart gateways, repre-sented in the left and in the right of Fig-ure 3, that connect the HSR ring with the Ethernet-based enterprise network working as a redundancy box (Red-Box). Functionally, the access point represented on the right is optional, as it can be used to avoid the single point of failure that would appear in the case of a network using only one RedBox. We recommend implementing the dual-box setup in cases where
Figure 3 – Lathes section in the Microdeco factory
high availability is needed, or when it is necessary to manage PRP frames (IEC 62439-3 Clause 5) in the critical nodes in the enterprise network.
Additionally, there are internal networking ports in the gateway to the processing elements of the SoC device. In most cases, a “dumb” switching approach is useless to join plant and IT worlds. The heterogeneity in the data and network formats makes straightforward connections difficult. What’s needed is a powerful integrated processing system able to talk with local, enterprise or cloud databases. In addition, such a system would be in charge of translating protocols, managing HMI systems, supporting MES systems and even running soft PLCs for real-time control. But that is not all. The customer also expects such a system to perform complex sensor data preprocessing and filtering in the equipment, and of course, advanced cybersecurity operations.
The cybersecurity requirements in these kinds of advanced manufacturing facilities vary widely. Advanced security is necessary to protect the status of the production itself, avoiding any malicious or accidental interruption generated by any cyber infra-structure (device, network, software or hardware). It is also necessary to authenticate users and devices that are accessing information or any critical operation. Furthermore, this information and the control protocols need to be protected in terms of authentication and privacy, because factory networks are connected to larger IT networks in an enterprise and outside of it. These challenges can only be ad-dressed with a layered cybersecurity approach that takes into account each plant implementation. A common element in all the projects is the need to support secure boot and storage with encryption and authentication. This feature will make credible the implementation of secure software and secure net-works. The trusted embedded system is more and more difficult to protect due to the increasing number of devices and their heterogeneity. For authentication and for networking security, these systems can directly use many of the solutions present in the IT world today. Well-known authentication mechanisms like IEEE 802.1X combined with RADIUS are a good example. Many embedded systems with high-level operating systems can run cryptographic libraries (such as OpenSSL) to support all the secure Layer 3 protocols and applications useful for secure data interchange. How-ever, a big challenge arises when it is necessary to secure Layer 2 industrial protocols with strict real-time requirements. The analysis of these scenarios shows that the software approach of protecting these frames by applying cryptographic algorithms, even using crypto accelerators, is not straightforward, and in many cases custom hard-ware processing is required.
Figure 4 – Block diagram of Zynq SoC
In the presented topology, from the network and user point of view, it is necessary to secure three network links—the redundant HSR/PRP, the 10/100/1G switching port and the service ports—with authentication mechanisms. Furthermore, due to all the plant traffic passing through the intelligent gateway, the three links will play a vital role in monitoring traffic for potential threats. A final concept is the integration of a sensor interface suite. As discussed, the advances in the technology should help us to simplify the installations, not make them more complex. To fulfill this demand, we integrated all the standard digital and analog interfaces in the gateway. Additionally, we also included high-end interfaces for advanced vibration sensors and high-speed data acquisition interfaces with direct access to the Zynq SoC device.
HOW SOC PROGRAMMABLE PLATFORMS DRIVE THE CHANGE
The “magic” of merging high-end net-working, powerful processing and sensing capabilities has been obtained thanks to SoC programmable plat-forms. Our product, named CPPS-Gate40, embeds a Xilinx Zynq-7000 All Programmable SoC device implemented on the SoC-e SMARTzynq OEM mod-ule. The dual-core ARM® Cortex™-A9 MPCore™ on the device is complemented with different memory resources (DDR3, flash, massive storage units, etc.) and hardware to support multiple high-speed networking links. This infra-structure offers a huge level of freedom to partition hardware and software processing in order to face the challenges these applications present. From the hardware perspective, the Zynq SoC’s programmable logic is the perfect candidate to implement the low-latency networking tasks combined with the IEEE 1588v2 hardware support units. Figure 4 is a block diagram of the SoC implementation for the CPPS-Gate40 in the Microdeco implementation. The network’s switching infrastructure is coordinated by the SoC-e HSR/PRP/Ethernet switch (HPS) IP core, which ensures a constant forwarding time of 550 nanoseconds in each node of the ring and integrates internal and external trispeed Ethernet ports. The internal port is sniffed and time-stamped by the Precise Time Ba-sic (PTB) IP core, providing support for the PTP stack. This IEEE 1588v2 infrastructure allows the smart gateway to work as master, slave, transparent clock and boundary clock. Thus, at the end, in each piece of equipment a synchronized 64-bit timer can be used for time-stamping, synchronization, control and as a common time reference
Figure 5 – Software infrastructure for the smart-factory network
to implement Time-Sensitive Network-ing (TSN) networks. These networking cores implemented on the FPGA section of the Zynq SoC are also ready to support cybersecurity features such as IEEE 802.1X authentication. This mechanism, combined with an external authentication server, protects non-authorized connections to the network ports. The Zynq SoC’s programmable logic also plays a vital role in securing Layer 2 control-related frames on the fly, like the authentication needed in the IEEE 1588v2 transparent clock operation.
The cybersecurity is further enhanced by the Zynq SoC’s secure boot. All the ex-ternal software and bit streams external from the device, even the bootloader and OS, are stored, AES-256 encrypted and HMAC authenticated. This feature, com-bined with other hardware security protections included in the device, ensures that data throughout the cyber infrastructure comes from trusted origins. Additionally, a SIEM agent installed in each CPPS-Gate40 runs (among others) the following security-related tasks: surveilance of new connections, authentication attempts, SSH connections and access to analytics tools; virus/malware detection; network attacks identification; and ARP traffic analysis.
The sensor interfaces are also implemented on the programmable logic sec-tion (high-speed data acquisition, digital filtering and FFT) and via some of the standard communication channels pres-ent on the Zynq SoC’s processing system (UART, I2C, SPI).The software infrastructure implemented on this equipment benefits from the seamless integration of Linux OS Ubun-tu’s distribution on the device. The list of features that Linux supports is extensive. For Microdeco’s specific implementation, Figure 5 summarizes the most relevant software services implemented on top of the Linux OS. A Python-based PLC emulator has been developed as the key piece to map sensor interfaces in a well-known Modbus TCP scheme. This approach simplifies the communication with the third-party MES software. In parallel, a SQL client trans-fers raw and preprocessed sensor data packets to a remote SQ Lserver. Specific alarms and selected data aredirectly published in a cloud-based couch DB data-base. The data analysis can be performed remotely in the enterprise or cloud server and even locally on the smart gateway. For this last purpose, the product in-cludes a temporal database that can pre-dict failures or other defined behaviors in the production and act locally. Big-data analysis software provided by Juxt.io is in charge of performing the predictive analytics related to machine behavior.
Network management is supported via SNMP thanks to SoC-e’s Portable Tools API. The cybersecurity infrastructure is built around the hardware support of SoC-e IP and the integrated SIEM agent for network and user activity surveillance.
INCREASING PROFITSTHROUGH TECHNOLOGY
Germany’s Fraunhofer Institute for Indus-trial Engineering and Automation fore-casts that Industry 4.0 may lead to a leap in productivity of 20 to 30 percent by 2025.However, the industrial sector needs progressive changes and friendly technologies and solutions. The Micro deco plant, for example, benefits from high-end technologies to integrate flexible and computation-ally powerful networking and processing infrastructures in its production lines.
The drivers of this approach are the adoption of open standards for net-working and for the data formats; the use of extensible and repartitionable SoC reconfigurable devices; and the selection of software frameworks that offer a high level of productivity (like Python over embedded Linux). Further-more, manufacturers can drastically re-duce their time-to-market in addressing this new market by means of the ready-to-use, value-added hardware IP now available. And of course, the system must also come with the highest levels of cybersecurity at the device, software and networking levels.
For more information on SoC-e’sIIo TI Portfolio, visit us on our website
