WirelessHART: Applying Wireless Technology in
Real-Time Industrial Process Control
Jianping Song, Song Han, Aloysius K. Mok
Department of Computer Sciences
The University of Texas at Austin
Austin, TX 78712, USA
{sjp, shan, mok}@cs.utexas.edu
Deji Chen, Mike Lucas, Mark Nixon
Emerson Process Management
12301 Research Blvd., Bldg. III
Austin, TX 78759, USA
{deji.chen, mike-1.lucas, mark.nixon}@emerson.com
Wally Pratt
HART Communication Foundation
9390 Research Blvd., Suite I-350
Austin, TX 78759, USA
wallyp@hartcomm.org
Abstract
Wireless technology has been regarded a s a paradigm
shifter in the process industry. The first open wireless com-
munication standard specifically designed for process mea-
surement and control applications, WirelessHART was offi-
cially released in September 2007 (as a part of the HART
7 Specification). WirelessHART is a secure and TDMA-
based wireless mesh networking technology operating in the
2.4GHz ISM radio band. In this paper, we give an intro-
duction to the architecture of WirelessHART and share our
first-hand experience in building a prototype for this spec-
ification. We describe several challenges we had to tackle
during the implementation, such as the design of the timer,
network wide synchronization, communication security, re-
liable mesh networking, and the central network manager.
For each challenge, we provide a detailed analysis and pro-
pose our solution. Based on the prototype implementation,
a simple WirelessHART network has been built for the pur-
pose of demonstration. The demonstration network in turn
validates our design. To the best of our knowledge, this is the
first reported effort to build a WirelessHART protocol stack.
1 Introduction
Wireless process control has been a popular topic re-
cently in the field of industrial control [20, 1 5, 14]. Com-
pared to traditional wired process control systems, their
wireless counterparts have the potential to save costs and
make installation easier. Also, wireless technologies open
up the potential for new automation applications. Sev-
eral industrial organizations, such as ISA [7], HART [3],
WINA [8] and ZigBee [10], have been actively pushing the
application of wireless technologies in industrial automa-
tion. As a milestone of such efforts, WirelessHART is rati-
fied by the HART Communication Foundation in September
2007. WirelessHART is the first open wireless communica-
tion standard specifically designed for process measurement
and control applications [3].
Before WirelessHART is released, there have been a few
publicly available standards on office and manufacturing au-
tomation, such as ZigBee [10] and Bluetooth [2]. However,
these technologies cannot meet the stringent requirements of
industrial control. Compared with office applications, indus-
trial applications have stricter timing requirement and higher
security concern. For example, many monitoring applica-
tions are expected to retrieve updates from sensors every one
second. Neither ZigBee nor Bluetooth makes any effort to
provide a guarantee on end-to-end wireless communication
delay. In addition, industrial environments are harsher for
wireless applications in terms of interferences and obstacles
than office environment. Some interferences may be persis-
tent. ZigBee, without built-in channel hopping technique,
would surely fail in such environments. Bluetooth assumes
quasi-static star network, which is not scalable enough to be
used in large process control systems.
The new WirelessHART is specifically targeted to solve
these problems and provide a complete solution for process
control applications. At the very bottom, it adopts IEEE
802.15.4-2006 [5] as the physical layer. On top of that,
WirelessHART defines its own time-synchronized MAC
layer. Some notable features of WirelessHART MAC in-
clude strict 10ms time slot, network wide time synchroniza-
tion, channel hopping, channel b lacklisting, and industry-
standard AES-128 ciphers and keys. The network layer
supports self-organizing and self-healing mesh networking
techniques. In this way, messages can be routed around in-
terferences and obstacles. WirelessHART also d istinguishes
itself from o ther public standards by maintaining a central
network m anager. The network manager is responsible for
maintaining up-to- date routes and communication schedules
for the network, thus guarantee the network performance.
In this paper we discuss how we developed a prototype
IEEE Real-Time and Embedded Technology and Applications Symposium
1080-1812/08 $25.00 © 2008 IEEE
DOI 10.1109/RTAS.2008.15
377
IEEE Real-Time and Embedded Technology and Applications Symposium
1080-1812/08 $25.00 © 2008 IEEE
DOI 10.1109/RTAS.2008.15
377
IEEE Real-Time and Embedded Technology and Applications Symposium
1080-1812/08 $25.00 © 2008 IEEE
DOI 10.1109/RTAS.2008.15
377
WirelessHART protocol stack. Based on the prototype, we
build a three-node network for demonstration purposes. The
goal of this paper is to introduce the WirelessHART archi-
tecture and to share our first-hand experiences on an imple-
mentation of the specification. The contributions of this pa-
per are threefold:
• Introduction of the a rchitecture of WirelessHART.
We will highlight the features that make Wire-
lessHART suitable for wireless process control.
• Study of some challenging problems in Wire-
lessHART implementation. For practical concern, we
need to implement the feature-rich WirelessHART on
controllers with low processing power and limited re-
sources. We identified and analyzed some challenges,
such as time management, communication security,
and m esh networking.
• Sharing of some experiences and lessons learned
during the implementation. To the best of our knowl-
edge, this effort is the first reported attempt to im-
plement the newly approved WirelessHART standard.
Those who want to build a full-featured WirelessHART
stack should find our experiences helpful.
The r emainder of this paper is structured as follows. In
Section 2 we review some existing public standards in office
and manufacturing automation. We describe the layered ar-
chitecture of WirelessHART in Section 3. Section 4 presents
some challenges and our proposed solutions. In Section 5,
we validate our design by a demonstration WirelessHART
network. We talk about the future work and conclude the
paper in Section 6.
2 Background and Related works
Conceptually, WirelessHART n etworks are one special
type of wireless sensor network. Although it bears many
similarities with other wireless standards, such as Blue-
tooth [2], ZigBee [10], and Wi-Fi [4], WirelessHART dif-
ferentiates itself from them in many other aspects.
Wireless sensor network has received extensive study re-
cently [13, 18, 17, 21, 22, 12]. Different from generic
wireless sensor networks which assume that sensors are de-
ployed randomly and abundantly, the deployment of Wire-
lessHART network is deliberate and has only limited redun-
dancy. In a generic sensor network, many sensors may be
deployed in the same area and perform the same function.
However, in a WirelessHART network, sensors are usually
attached to field devices to collect specific environmental
data, such as flow speeds, fluid levels, or temperatures. A
reading from a sensor is not necessarily replaceable by that
from the nearby sensors. More importantly, generic wire-
less sensor networks are self-configurable and have no strict
requirements on timing and communication reliability. To
meet the requirements of wireless industrial applications,
WirelessHART uses a central network manager to provide
routing and communication schedules. Thus WirelessHART
is essentially a centralized wireless network.
WirelessHART, Bluetooth and ZigBee share a very ob-
vious feature: they all operate in the unrestricted 2.4GHz
ISM radio band, which is available nearly globally. On the
other hand, they distinguish from each other in many o ther
aspects. Both WirelessHART and Bluetooth support time
slots and channel hopping. However, Bluetooth is targeted
at Personal Area Networks (PAN), whose range is usually
set to 10 meters. Furthermore, Bluetooth only supports star-
type network topology, and one master can only have up to
7 slaves. These limitations make it awkward to apply Blue-
tooth in large industrial control systems. In contrast, Wire-
lessHART supports mesh networking directly. The topol-
ogy of a WirelessHART network can be a star, a cluster or a
mesh, thu s providing much better scalability.
Both WirelessHART and ZigBee are based on the IEEE
802.15.4 physical layer. While ZigBee uses the existing
IEEE 802.15.4 MAC, WirelessHART goes one step fur-
ther to define its own MAC protocol. WirelessHART in-
troduces channel hopping and channel blacklisting into the
MAC layer, while ZigBee can only utilize Direct Sequence
Spread Spectrum (DSSS) provided by IEEE 802.15.4. Thus,
if a noise is persistent, which is not unusual in industrial
fields, the performance of a ZigBee network might degrade
severely. By changing the communication channel pseudo-
randomly, WirelessHART can limit the damage to mini-
mum.
Just like ZigBee, Wi-Fi does not support channel hopping
either. In addition, power consumption is not a concern for
Wi-Fi. Thus, Wi-Fi is not a good fit for industrial env iron-
ment as well.
It is noteworthy that ISA SP100 [7] committee is also
working on wireless standards for industrial applications.
However, the standard is yet to be published.
3 WirelessHART Architecture
In order to make this paper self-contained, we elect to
describe in this section the parts of the WirelessHART spec-
ification that are related to o ur work.
Figure 1 illustrates the architecture of the WirelessHART
protocol stack according to the OSI 7-layer communication
model. As shown in this figure, WirelessHART protocol
stack includes five layers: physical layer, data link layer
1
,
network layer, transport layer and application layer. In addi-
tion, a central network manager [19] is introduced to manage
the routing and arbitrate the communication schedule.
1
In the rest of this paper, we use “data link layer” and “MAC layer”
interchangeably.
378378378
OSI Layer
Application
Presentation
Session
Transport
Network
Data Link
Physical
HART
Command Oriented. Predefined Data Types and
Application Procedures
Auto-Segmented transfer of large data sets, reliable
stream transport, Negotiated Segment sizes
Power-Optimized Redundant Path,
Mesh to the edge Network
A Binary, Byte Oriented, Token
Passing, Master/Slave Protocol
Secure, Time Synched TDMA/
CSMA, Frequency Agile with ARQ
Simultaneous Analog & Digital
Signaling 4-20mA Copper Wiring
2.4 GHz Wireless, 802.15.4 based
radios, 10dBm Tx Power
Wired FSK/PSK & RS 485 Wireless 2.4 GHz
Figure 1. Architecture of HART Communication Protocol
3.1 Physical layer
The WirelessHART physical layer is b ased mostly on the
IEEE STD 802.15.4-2006 2.4GHz DSSS physical layer [5].
This layer defines radio characteristics, such as the signaling
method, signal strength, and device sensitivity.
Just as IEEE 802.15.4 [5], WirelessHART operates in the
2400-2483.5MHz license-free ISM band with a d ata rate of
up to 250 kbits/s. Its channels are numbered from 11 to 26,
with a 5MHz gap between two adjacent channels.
3.2 Data Link Layer
One distinct feature of WirelessHART is the time-
synchronized data link layer. WirelessHART defines a strict
10ms time slot and utilizes TDMA technology to provide
collision free and deterministic com munications. The con-
cept of superframe is introduced to group a sequence of
consecutive time slots. Note a superframe is periodical,
with the total length of the member slots as the period.
All superframes in a WirelessHART network start from the
ASN(absolution slot number) 0, the time when the network
is first created. Each superframe then repeats itself along the
time based on its period.
In WirelessHART, a transaction in a time slot is de-
scribed by a vector:
{frame
id, index, type, src addr, dst addr, chan-
nel
offset}
where frame
id identifies the specific superframe; index
is the index of the slot in the superframe; type indicates
the type of the slot (transmit/receive/idle); src
add and
dst
addr are the addresses of the source device and destina-
tion device, respectively; channel
offset provides the logical
channel to be used in the transaction.
To fine-tune the channel usage, WirelessHART intro-
duces the idea of channel blacklisting. Channels affected
Figure 2. WirelessHART Data Link Layer Architecture
by consistent interferences could b e put in the black list. In
this way, the network administrator can disable the use of
those channels in the black list totally.
To support channel hopping, each device maintains an
active channel table. Due to chann e l blacklisting, the table
may have less than 16 entries. For a given slot and channel
offset, the actual channel is determined from the formula:
ActualChannel = (ChannelOffset + ASN) % NumChannels
The actual channel number is used as an index into the ac-
tive channel table to get the physical channel number. Since
the ASN is increasing constantly, the same channel offset
may be mapped to different physical channels in different
slots. Thus we provide channel diversity and enhance the
communication reliability.
Figure 2 describes the overall design of the data dink
layer which consists of six major modules as described in
the follow subsections.
3.2.1 Interfaces
The interface between the MAC and PHY layer describes
the service primitives provided by the physical layer, and the
interface between the MAC and NETWORK layer defines
the service primitives provided to the network layer.
3.2.2 Timer
Timer is a fundamental module in WirelessHART. It pro-
vides accurate timing to ensure the correct operating of the
system. One significant challenge we met during the im-
plementation is how to design the timer module and keep
those 10ms time slots in synchronization. The specific tim-
ing requirement inside a WirelessHART time slot is depicted
379379379
TsCCAOffset
TsCCA
TsRxTx
TsRxOffset
TsError
TsMaxPacket
TsRxAckDelay
TsAckWait
TsRxOffset TsRxOffset TsTxAckDelay TsAck
Figure 3 . WirelessHART Slot Timing
in Figure 3 and the implementation issues are addressed in
Section 4.
3.2.3 Communication Tables
Each network device maintains a collection of tables in the
data link layer. The superframe table and link table store
communication configurations created by the network man-
ager; the neighbor table is a list of neighbor nodes that the
device can reach directly and the graph table is used to col-
laborate with the network layer and record routing informa-
tion.
3.2.4 Link Scheduler
The functionality of the link scheduler is to determine the
next slot to be serviced based on the communication sched-
ule in the superframe table and link table. The scheduler is
complicated by such factors as transaction priorities, the link
changes, and the enabling and disabling of superframes. Ev-
ery event that can affect link scheduling will cause the link
schedule to be re-assessed.
3.2.5 Message Handling Module
The message handling module buffers the packets from the
network layer and physical layer separately.
3.2.6 State Machine
The state machine in the data link layer consists of three
primary components: the TDMA state machine, the XMIT
and RECV engines. The TDMA state machine is responsi-
ble for executing the transaction in a slot and adjusting the
timer clock. The XMIT and RECV engine deal with the
hardware directly, which send and receive a packet over the
transceiver, respectively.
3.3 Network Layer and Transport Layer
The network layer and transport layer cooperate to pro-
vide secure and reliable end-to-end communication for net-
Figure 4. WirelessHART Mesh Networking
work devices
2
.
As shown in Figure 4, the basic elements of a typical
WirelessHART network include: (1) Field Devices that are
attached to the plant p rocess, (2) Handheld which is a
portable WirelessHART-enabled computer used to config-
ure devices, run diagnostics, and perform calibrations, (3) A
gateway that connects host applications with field devices,
and (4) A network manager that is responsible for config-
uring the network, scheduling and managing communica-
tion between WirelessHART devices.
To support the mesh communication technology, each
WirelessHART device is required to be able to forward
packets on behalf of other devices. There are two routing
protocols defined in WirelessHART:
• Graph Routing: A graph is a collection of paths that
connect network nodes. The paths in each graph is
explicitly created by the network manager and down-
loaded to each individual network device. To send a
packet, the source device writes a specific graph ID
(determined by the destination) in the network header.
All network devices on the way to the destination must
be pre-configured with graph information that specifies
the neighbors to which the packets may be forwarded.
• Source Routing: Source Routing is a supplement of
the graph routing aiming at network diagnostics. To
send a packet to its destination, the source device in-
cludes in the header an ordered list of devices through
which the packet must travel. As the packet is routed,
each routing device utilizes the next network device ad-
dress in the list to determine the next hop until the des-
tination device is reached.
2
For simplicity, in the rest of the paper , we will not separate these two
layers in the presentation.
380380380
3.4 Application Layer
The application layer is the top most layer in Wire-
lessHART. It defines various device commands, responses,
data types and status reporting. In WirelessHART, the com-
munication between the d evices and gateway is based on
commands and responses. The application layer is responsi-
ble for parsing the message content, extracting the command
number, executing the specified command, and generating
responses.
3.5 Securit y Architecture
WirelessHART is a secure network system. Both the
MAC layer and network layer provide security services.
The MAC layer provides hop-to-hop data integrity by us-
ing MIC. Both the sender and receiver use the CCM* mode
together with AES-128 as the underlying block cypher to
generate and compare the MIC.
The network layer employs various keys to provide con-
fidentiality and data integrity for end-to-end connections.
Four types of keys are defined in the security architecture:
• Public Keys which are used to generate MICs on the
MAC layer by the joining devices.
• Network Keys which are shared by all network devices
and used by existing devices in the network to generate
MAC MIC’s.
• Join Keys that are unique to each network dev ice and
is used during the joining process to authenticate the
joining device with the network manager.
• Session Keys that are generated by the network man-
ager and is unique for each end-to-end connection be-
tween two network devices. It provides end-to-end
confidentiality and data integrity.
Figure 5 describes the usage of these keys under two dif-
ferent scenarios: 1) a new network device wants to join the
network and 2) an existing network device is communicating
with the network manager. In the first scenario, the joining
device will use the public key to generate the MIC on MAC
layer and use the join key to generate the network layer MIC
and encrypt the join request. After the joining device is au-
thenticated, the network m an ager will create a session key
for the device and thus establish a secure session between
them. In the second scenario, on the MAC layer, the DLPDU
is authenticated with the network key; on the network layer,
the packet is authenticated and encrypted by the session key.
4 Challenges and Solutions
As described in Section 3, WirelessHART includes some
core modules, such as time management, mesh networking,
Figure 5. Keying Model
security and network management. It is a very challenging
task to build such a prototype on a resource-limited hard-
ware platform.
In the following subsections, we first introduce the hard-
ware platform we use. Then we describe those challenges
we met in the process of development and present our solu-
tions.
4.1 Hardware Platform
We base our implementation on the MC1321x evalua-
tion kit [1] provided by Freescale. This toolkit contains
one 1321x-NCB (Network Coordinator Board) board, two
1321x-SRB (Sensor Reference Board) boards, and a USB
Multilink BDM Programmer/Debugger. The only major dif-
ference between 1321x-NCB and 1321x-SRB is that 1321x-
NCB has a programmable 2-line LCD for displaying mes-
sages. Other than that, the two boards share the following
common features:
• 40 MHz 8-bit HCS08 MCU
• 2.4 GHz wireless transceiver compatible with the IEEE
802.15.4 standard
• Programmable 60 KB Flash and 4KB RAM memory
• Multiple 16-bit timers
• USB port to interface with PC
• 3-axis acceleration sensor and temperature sensor
• 4 LEDs and switches for demonstration, monitoring
and control
Together with the toolkit, Freescale also provides a sim-
ple IEEE 802.15.4 physical layer library in ANSI C. Our
task is to build a new WirelessHART protocol stack by us-
ing the physical layer library.
381381381
