BS EN 61784-3-8:2010
BSI Standards Publication

Industrial communication networks — Profiles
Part 3-8: Functional safety fieldbuses — Additional specifications for CPF 8

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of EN 61784-3-8:2010.

The UK participation in its preparation was entrusted to Technical Committee AMT/7, Industrial communications: process measurement and control, including fieldbus. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© BSI 2010
ISBN 978 580 72031
ICS 25.040.40; 35.100.05

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 September 2010.

Amendments issued since publication
Date | Text affected

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 61784-3-8
August 2010
ICS 25.040.40; 35.100.05

English version
Industrial communication networks – Profiles – Part 3-8: Functional safety fieldbuses – Additional specifications for CPF 8 (IEC 61784-3-8:2010)

Réseaux de communication industriels – Profils – Partie 3-8: Bus de terrain de sécurité fonctionnelle – Spécification supplémentaire pour CPF 8 (CEI 61784-3-8:2010)

Industrielle Kommunikationsnetze – Profile – Teil 3-8: Funktional sichere Übertragung bei Feldbussen – Zusätzliche Festlegungen für die Kommunikationsprofilfamilie 8 (IEC 61784-3-8:2010)

This European Standard was approved by CENELEC on 2010-07-01. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.

CENELEC – European Committee for Electrotechnical Standardization / Comité Européen de Normalisation Electrotechnique / Europäisches Komitee für Elektrotechnische Normung
Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2010 CENELEC – All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61784-3-8:2010 E

Foreword

The text of document 65C/591A/FDIS, future edition of IEC 61784-3-8, prepared by SC 65C, Industrial networks, of IEC TC 65, Industrial-process measurement, control and automation, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as EN 61784-3-8 on 2010-07-01.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights.

The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2011-04-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2013-07-01

Annex ZA has been added by CENELEC.

Endorsement notice

The text of the International Standard IEC 61784-3-8:2010 was approved by CENELEC as a European Standard without any modification.

In the official version, for Bibliography, the following notes have to be added for the standards indicated:
IEC 61496 series: NOTE Harmonized in EN 61496 series (partially modified)
IEC 61508-1:2010: NOTE Harmonized as EN 61508-1:2010 (not modified)
IEC 61508-4:2010: NOTE Harmonized as EN 61508-4:2010 (not modified)
IEC 61508-5:2010: NOTE Harmonized as EN 61508-5:2010 (not modified)
IEC 61784-2: NOTE Harmonized as EN 61784-2
IEC 61784-5 series: NOTE Harmonized in EN 61784-5 series (not modified)
IEC 61800-5-2: NOTE Harmonized as EN 61800-5-2
IEC 61918: NOTE Harmonized as EN 61918
ISO 10218-1: NOTE Harmonized as EN ISO 10218-1
ISO 12100-1: NOTE Harmonized as EN ISO 12100-1
ISO 13849-1: NOTE Harmonized as EN ISO 13849-1
ISO 13849-2: NOTE Harmonized as EN ISO 13849-2

Annex ZA (normative)
Normative references to international publications with their corresponding European publications

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.

Publication | Year | Title | EN/HD | Year
IEC 60204-1 | - | Safety of machinery - Electrical equipment of machines - Part 1: General requirements | EN 60204-1 | -
IEC 61131-2 | - | Programmable controllers - Part 2: Equipment requirements and tests | EN 61131-2 | -
IEC 61158 | Series | Industrial communication networks - Fieldbus specifications | EN 61158 | Series
IEC 61158-2 | - | Industrial communication networks - Fieldbus specifications - Part 2: Physical layer specification and service definition | EN 61158-2 | -
IEC 61158-3-18 | - | Industrial communication networks - Fieldbus specifications - Part 3-18: Data-link layer service definition - Type 18 elements | EN 61158-3-18 | -
IEC 61158-4-18 | - | Industrial communication networks - Fieldbus specifications - Part 4-18: Data-link layer protocol specification - Type 18 elements | EN 61158-4-18 | -
IEC 61158-5-18 | - | Industrial communication networks - Fieldbus specifications - Part 5-18: Application layer service definition - Type 18 elements | EN 61158-5-18 | -
IEC 61158-6-18 | - | Industrial communication networks - Fieldbus specifications - Part 6-18: Application layer protocol specification - Type 18 elements | EN 61158-6-18 | -
IEC 61326-3-1 | - | Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications | EN 61326-3-1 | -
IEC 61326-3-2 | - | Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-2: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - Industrial applications with specified electromagnetic environment | EN 61326-3-2 | -
IEC 61508 | Series | Functional safety of electrical/electronic/programmable electronic safety-related systems | EN 61508 | Series
IEC 61511 | Series | Functional safety - Safety instrumented systems for the process industry sector | EN 61511 | Series
IEC 61784-1 | - | Industrial communication networks - Profiles - Part 1: Fieldbus profiles | EN 61784-1 | -
IEC 61784-3 | 2010 | Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions | EN 61784-3 | 2010
IEC 62061 | - | Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems | EN 62061 | -

61784-3-8 © IEC:2010(E)

CONTENTS

INTRODUCTION
1 Scope 10
2 Normative references 10
3 Terms, definitions, symbols, abbreviated terms and conventions 11
  3.1 Terms and definitions 11
    3.1.1 Common terms and definitions 11
    3.1.2 CPF 8: Additional terms and definitions 16
  3.2 Symbols and abbreviated terms 16
    3.2.1 Common symbols and abbreviated terms 16
    3.2.2 CPF 8: Additional symbols and abbreviated terms 17
  3.3 Conventions 17
4 Overview of FSCP 8/1 (CC-Link Safety™) 17
5 General 18
  5.1 External documents providing specifications for the profile 18
  5.2 Safety functional requirements 18
  5.3 Safety measures 18
    5.3.1 General 18
    5.3.2 Sequence number 19
    5.3.3 Time expectation 19
    5.3.4 Connection authentication 20
    5.3.5 Feedback message 20
    5.3.6 Different data integrity assurance system 20
  5.4 Safety communication layer structure 20
  5.5 Relationships with FAL (and DLL, PhL) 21
    5.5.1 Overview 21
    5.5.2 Data types 21
6 Safety communication layer services 21
  6.1 General 21
  6.2 SASEs 21
    6.2.1 M1 safety device manager class specification 21
    6.2.2 S1 safety device manager class specification 22
  6.3 SARs 22
    6.3.1 M1 safety connection manager class 22
    6.3.2 S1 safety connection manager class 22
  6.4 Process data SAR ASEs 23
    6.4.1 M1 safety cyclic transmission class specification 23
    6.4.2 S1 safety cyclic transmission class specification 23
7 Safety communication layer protocol 24
  7.1 Safety PDU format 24
    7.1.1 General 24
    7.1.2 Abstract syntax 24
    7.1.3 Transfer syntax 26
  7.2 State description 30
    7.2.1 Overview 30
    7.2.2 Idle 31
    7.2.3 FAL running 31
    7.2.4 SCL running 32
    7.2.5 Fail safe 32
    7.2.6 Safety data transmission and processing 32
    7.2.7 Forced termination 34
8 Safety communication layer management 34
  8.1 General 34
  8.2 Connection establishment and confirmation processing 35
  8.3 Safety slave verification 35
    8.3.1 General 35
    8.3.2 Safety slave information verification process 35
    8.3.3 Safety slave parameter transmission 35
9 System requirements 36
  9.1 Indicators and switches 36
    9.1.1 Switches 36
    9.1.2 Indicators 36
  9.2 Installation guidelines 37
  9.3 Safety function response time 37
    9.3.1 General 37
    9.3.2 Time calculation 37
  9.4 Duration of demands 39
  9.5 Constraints for calculation of system characteristics 39
    9.5.1 System characteristics 39
    9.5.2 Residual error rate (Λ) 39
  9.6 Maintenance 40
  9.7 Safety manual 40
10 Assessment 41
Annex A (informative) Additional information for functional safety communication profiles of CPF 8 42
  A.1 Hash function calculation 42
  A.2 … 42
Annex B (informative) Information for assessment of the functional safety communication profiles of CPF 8 43
Bibliography 44

Table 1 – Selection of the various measures for possible errors 19
Table 2 – M1 safety device manager attribute format 24
Table 3 – S1 safety device manager attribute format 24
Table 4 – M1 safety connection manager attribute format 24
Table 5 – S1 safety connection manager attribute format 25
Table 6 – M1 safety cyclic transmission attribute format 25
Table 7 – S1 safety cyclic transmission attribute format 26
Table 8 – M1 safety device manager attribute encoding 26
Table 9 – S1 safety device manager attribute encoding 27
Table 10 – M1 safety connection manager attribute encoding 27
Table 11 – S1 safety connection manager attribute encoding 27
Table 12 – M1 safety cyclic transmission attribute encoding 28
Table 13 – S1 safety cyclic transmission attribute encoding 29
Table 14 – Safety master monitor timer operation 33
Table 15 – Safety slave monitor timer operation 33
Table 16 – Safety data monitor timer operation 33
Table 17 – Details of connection establishment and confirmation processing 35
Table 18 – Details of slave information verification processing 35
Table 19 – Details of safety slave parameter transmission processing 36
Table 20 – Monitor LEDs 36
Table 21 – Safety function response time calculation 38
Table 22 – Safety function response time definition of terms 38
Table 23 – Number of occupied slots and safety data 39
Table 24 – Residual error rate Λ (occupied slots = 1) 40
Table 25 – Residual error rate Λ (occupied slots = 2) 40

Figure 1 – Relationships of IEC 61784-3 with other standards (machinery) 7
Figure 2 – Relationships of IEC 61784-3 with other standards (process)
Figure 3 – Relationship between SCL and the other layers of IEC 61158 Type 18 21
Figure 4 – State diagram 31

INTRODUCTION

The IEC 61158 fieldbus standard, together with its companion standards IEC 61784-1 and IEC 61784-2, defines a set of communication protocols that enable distributed control of automation applications. Fieldbus technology is now considered well accepted and well proven. Thus many fieldbus enhancements are emerging, addressing not yet standardized areas such as real-time, safety-related and security-related applications.

This standard explains the relevant principles for functional safety communications with reference to the IEC 61508 series and specifies several safety communication layers (profiles and corresponding protocols) based on the communication profiles and protocol layers of IEC 61784-1, IEC 61784-2 and the IEC 61158 series. It does not cover electrical safety and intrinsic safety aspects.

Figure 1 shows the relationships between this standard and relevant safety and fieldbus standards in a machinery environment.

[Figure 1 – Relationships of IEC 61784-3 with other standards (machinery). The diagram shows: product standards (IEC 61496 Safety, e.g. light curtains; IEC 61131-6 Safety for PLC (under consideration); IEC 61784-4 Security (profile-specific); IEC 61784-5 Installation guide (profile-specific); IEC 61800-5-2 Safety functions for drives; ISO 10218-1 Safety requirements for robots); design objective: Design of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery, SIL based (IEC 62061) or PL based (ISO 13849-1, -2 Safety-related parts of machinery (SRPCS)); ISO 12100-1 and ISO 14121 Safety of machinery – Principles for design and risk assessment; applicable standards: IEC 60204-1 Safety of electrical equipment (Electrical), Non-electrical, US: NFPA 79 (2006), IEC 61326-3-1 Test EMC & FS, IEC 61000-1-2 Methodology EMC & FS, IEC 62443 Security (common part), IEC 61918 Installation guide (common part); IEC 61158 series / IEC 61784-1, -2 Fieldbus for use in industrial control systems; IEC 61784-3 Functional safety communication profiles; IEC 61508 series Functional safety (FS) (basic standard); IEC 62061 Functional safety for machinery (SRECS) (including EMC for industrial environment).]

Key: (yellow) safety-related standards; (blue) fieldbus-related standards; (dashed yellow) this standard.

NOTE Subclauses 6.7.6.4 (high complexity) and 6.7.8.1.6 (low complexity) of IEC 62061 specify the relationship between PL (Category) and SIL.

Figure 1 – Relationships of IEC 61784-3 with other standards (machinery)

7.2.6.2 Sequence number

Safety messages contain a sequence number (RNO) with a width of 4 bits and a specified sequence. The RNO is incremented and transmitted by the safety master. The safety slave echoes the received RNO. If an out-of-sequence RNO is received, the
safety slave is transitioned to the safe state.

7.2.6.3 Time expectation

The SCL uses a safety monitor timer and safety data monitor timers to ensure reliable and continuous communication. SCL management configures the timer value to a value in the range ms to 65 535 ms. The safety monitor timer confirms that safety cyclic communication is being performed normally; the safety data monitor timers confirm that successive safety cyclic communications are being performed normally. Safety stations use the safety monitor timer to monitor the reception interval of cyclic data that is protected by valid safety data protection information. In addition, safety slave stations use the safety data monitor timers to monitor the reception intervals of cyclic data that are protected by valid safety data protection information. Table 14 and Table 15 describe the operation of the safety monitor timer for safety master and safety slave devices respectively; Table 16 describes the safety data monitor timer.

Table 14 – Safety master monitor timer operation
Startup | Sending of safety data (RNO ≠ 0)
Reset | Reception of slave response (refresh) data (of the same RNO as the sent RNO) to which safety data protection information has been properly added
Termination | Error termination: (1) at occurrence of a monitoring timeout; (2) at detection of an RNO error

Table 15 – Safety slave monitor timer operation
Startup | Reception of safety data (CMD ID = 01h)
Reset | Reception of master station polling and refresh data (previous RNO + 1) to which safety data protection information has been properly added
Termination | (1) At occurrence of a monitoring timeout; (2) at detection of an RNO error; (3) at reception of a forced termination request

Table 16 – Safety data monitor timer operation
Startup | Reception of safety cyclic I/O data (CMD ID = 0Fh)
Reset | Reception of master station polling and refresh data (previous RNO + 2) to which safety data protection information has been properly added
Termination | (1) At occurrence of a monitoring timeout; (2) at detection of an RNO error; (3) at reception of a forced termination request

NOTE Safety slave stations have two safety data monitor timers. One safety data monitor timer starts upon reception of safety cyclic I/O data (CMD ID = 0Fh and RNO = n), and reception of the data two steps later (RNO = n + 2) resets it. The other safety data monitor timer starts upon reception of safety cyclic I/O data (CMD ID = 0Fh and RNO = n + 1), and reception of the data two steps later (RNO = n + 3) resets it.

The behavior of a safety master upon expiration of the safety monitor timer is specified as:
1) Failsafe processing, such as clearing the S-RX delivered to the SCL user to zero
2) Error notification to the SCL user
3) Transition to the idle state

The behavior of a safety slave upon expiration of the safety monitor timer is specified as:
1) Failsafe processing, such as the termination of output to external devices
2) Error notification to the SCL user
3) Transition to the safe state

7.2.6.4 Connection authentication

The connection authentication is implemented by the pair of a safety connection ID (Link ID) and a station number. Each safety slave uses a 3-bit Link ID which specifies its safety network system. This provides the SRC with up to 8 safety network systems. The assignment of Link ID values shall be unique within a functional safety communication system. The safety messages always contain the Link ID.

7.2.6.5 Feedback message

A feedback message is provided by each slave to confirm receipt of messages from the master. The feedback message contains error status information from the slave as well as acknowledgment of the RNO, Link ID, command ID and protocol support data field.

7.2.6.6 Data integrity

The CRC32 for FSCP 8/1 is calculated as described in Annex A. The residual error rate for FSCP 8/1 is discussed in 9.5.2.

7.2.6.7 Different data integrity assurance system

The distinction between safety-relevant and non-safety-relevant messages is ensured by validating the
uniqueness of safety messages: they contain a properly formatted CRC checksum (32 bits), a 16-bit protocol support data field, an 8-bit command ID, a 3-bit Link ID and a 4-bit RNO. The IEC 61158 Type 18 protocol uses a different CRC algorithm (16-bit CRC) and does not include a protocol support data field, command ID, Link ID or RNO.

7.2.7 Forced termination

Forced termination processing is used when the safety master requests a safety slave to terminate communication. The safety slave that receives the forced termination request transitions to the fail-safe state (stopping external output) and then immediately terminates communication.

8 Safety communication layer management

8.1 General

Safety-related applications use the following services to configure the safety communication system:
⎯ establish connection;
⎯ verify slave configuration;
⎯ safety slave parameter transmission.

8.2 Connection establishment and confirmation processing

Upon connection establishment, the initial configuration is confirmed by validating that the SAREPs reside in safety devices and that safety cyclic transmission is supported. This process is described in Table 17.

Table 17 – Details of connection establishment and confirmation processing
SAREP type | Details of processing
Safety master | (1) Confirm that the slave is a safety slave device (confirmed by communicating the safety cyclic data). (2) Confirm that the safety slave has received the establish connection command (confirmed by checking that the CMD and PSD of the response data are identical with the sent data). (3) Transmit the safety monitor timer value.
Safety slave | (1) Confirm that the master is a safety master device (confirmed by communicating the safety cyclic data). (2) Receive the safety monitor timer value and register the value internally.

The safety master station transmits RNO = when sending the establish connection command.

8.3 Safety slave verification

8.3.1 General

Product information verification processing confirms that the actually connected safety slave stations match the safety slave stations currently set in the network parameters of the safety master station, in order to detect misconnections and misconfiguration. A replacement slave device that is not a safety slave is detected and disabled at start-up.

8.3.2 Safety slave information verification process

The safety slave information verification process is described in Table 18.

Table 18 – Details of slave information verification processing
SAREP type | Details of processing
Safety master | (1) Read the product information from the safety slaves and verify that information against the product information set in the network parameters. (2) After verification, send the product information to the safety slave stations.
Safety slave | (1) Verify the product information of the slave against the product information received from the safety master.

Slave information verification processing verifies safety slave product information.

8.3.3 Safety slave parameter transmission

Safety slave configuration parameters are transmitted from the safety master to each safety slave. This process is described in Table 19.

Table 19 – Details of safety slave parameter transmission processing
SAREP type | Details of processing
Safety master | (1) Read the CRC32 of the ROM storage parameters from the safety slave stations, and verify this CRC32 against the CRC32 of the ROM storage parameters registered by the SCL user. (2) Send the safety slave parameters to the safety slave.
Safety slave | (1) Receive the safety slave parameters from the safety master, confirm the setting values, and perform internal registration processing.

9 System requirements

9.1 Indicators and switches

9.1.1 Switches

Each safety device shall provide physical means for setting the following:
⎯ Online – set this mode to establish a data link
⎯ Station number – 0: safety master, 1 to 64: safety slave – required for safety slave only
⎯ Link ID
⎯ Baud rate – 156 kbit/s, 625 kbit/s, 2,5 Mbit/s, 5 Mbit/s, 10 Mbit/s – required for safety master only
⎯ Reset – required for safety slave only

and optionally provides physical means for setting the following:
⎯ Number of occupied slots – station slots (1 or 2) occupied by one safety slave station
⎯ Line test – verifies that the master is able to connect to all slave stations
⎯ Line test – verifies that the master is able to connect to a specific slave station
⎯ Parameter check test – verifies the parameter content
⎯ Hardware test – verifies each individual module for normal operation

9.1.2 Indicators

Indicator requirements are specified in Table 20 with the following interpretation:
M = mandatory
O = optional

Indicator type, color and shape are not specified. Also, where computers or other devices with screens are used, indication may be supported via indication on the screen.

Table 20 – Monitor LEDs
LED name | Description | Safety master station | Safety remote device station | Safety remote I/O station
RUN | Lit: module normal. Out: watchdog timer error. | M | O | O
ERR | Lit: communication with all stations in error. This LED lights when one of the following occurs: switch setting error; master station duplicated on the same line; parameter content error; data link monitor timer activated; cable wire break; or cable influenced by noise on the transmission path. Flashing: communication error. | M | O | O
L RUN | Lit: data link execution in progress. | M | O | O
L ERR | Lit: communication error (own station). Flashing: switch type setting was changed with power ON. | M | O | O

9.2 Installation guidelines

This standard specifies protocol
and services for a safety communication system based on IEC 61158 Type 18. However, usage of safety devices with the safety protocol specified in this standard requires proper installation. All devices connected to a safety communication system defined in this part shall fulfill SELV/PELV requirements, which are specified in the relevant IEC standards such as IEC 60204-1. Additional installation information is also given in [43] and [44] in the Bibliography.

9.3 Safety function response time

9.3.1 General

As mentioned in 5.3, an integrated watchdog timer is used which provides the time expectation of each output channel on each safety output slave. It ensures a safety function response time, which is the time between the detection of an event at the safety input slave and the response at the corresponding output channel(s) on the safety output slave(s). The safety function response time comprises the fieldbus transmission time from a safety input slave to the master and from the safety master to the safety output slave, including possible repetitions of the safety PDU due to transmission errors, the processing time on each safety slave (input and output), and the processing time within the SRC. If the safety function response time of a specific output channel of a safety output slave is exceeded, the corresponding output channel is set to its safe state, which is usually the power OFF state.

9.3.2 Time calculation

An integrated watchdog timer providing the time expectation of each output channel on each safety output slave ensures a safety function response time, which is the time between the detection of an event at the safety input slave and the response at the corresponding output channel(s) on the safety output slave(s), not including the processing time of the safety input. The safety function response time comprises the fieldbus transmission time from a safety input slave to the master and from the safety master to the safety output slave, including possible repetitions of the safety PDU due to transmission errors, the processing time on the safety output slave, and the processing time within the SRC.

The safety function response time is calculated as the sum of (a) through (e) from Table 21, with the terms as defined in Table 22.

NOTE The safety master calculates the timeout based on: the safety refresh monitoring time - ((WDT x n) x 2)

NOTE (WDT x n) x is the time required for the safety master to send communication data.

Table 21 – Safety function response time calculation
Item | Maximum
(a) Input device response time | DT1
(b) Safety slave input processing time | Time of noise removal filter + processing time of remote input station
(c) Monitoring time from safety input to safety output | Safety data monitor time
(d) Safety slave output processing time | Processing time of remote output station
(e) Output device response time | DT2
Total | (a) + (b) + (c) + (d) + (e)

Table 22 – Safety function response time definition of terms
Item | Definition
LS | Link scan time, as specified by the manufacturer
n | LS/WDT, rounded up to the next integer
SRRP | Safety refresh response processing time, as specified by the manufacturer
m | SRRP/(WDT x n), rounded up to the next integer
Time of noise removal filter | Configured in the safety remote station settings (setting value: ms to 50 ms)
DT1, DT2 | Response time of the sensor or of the output destination controlling device, as specified by the manufacturer
Safety data monitor time | Time set in the network parameter. Use the value derived from the following formula as the measure: Safety refresh monitor time x - ((WDT x n) x m) - 10 [ms]
Safety refresh monitor time | Time set in the network parameter. Use the value gained by the following calculation formula as the measure. In triggered mode: (WDT x n) x + (WDT x n) x m x + (WDT x α) [ms]. In free-running mode: (WDT x n) x + LS + (WDT x n) x m x + (WDT x α) [ms], where α = 0 for LS ≤ 1,5 ms and α = 1 for LS > 1,5 ms
WDT (Watchdog timer) | Time set in the configuration parameter
Triggered mode | Mode which performs the data link when the sequence scan is synchronized with the link scan. In triggered mode, sequence scan and link scan start simultaneously
Free-running mode | Mode which performs the data link without synchronizing with the sequence program

9.4 Duration of demands

The duration of a demand by the safety-related application on the safety communication layer shall be long enough that the demand is detected by the application within the longest safety function response time.

9.5 Constraints for calculation of system characteristics

9.5.1 System characteristics

The following basic data have to be adhered to:
⎯ IEC 61158 Type 18: no restrictions
⎯ Maximum number of safety slots: 64
⎯ Minimum scan cycle time: 10 ms
⎯ Maximum number of safety-relevant I/O bits per safety PDU, slave to master: 208
⎯ Maximum number of safety-relevant I/O bits per safety PDU, master to slave: 168

9.5.2 Residual error rate (Λ)

The residual error rate, Λ, for the safety system is directly impacted by the number of safety slave devices and their corresponding number of occupied slots in the system configuration. Table 23 shows the impact of the number of occupied slots of the safety slave on the resulting frame length for its relevant safety PDU.

Table 23 – Number of occupied slots and safety data
Occupied slots | SAR | Structure of safety PDU | Frame length (bits)
1 | Safety master station → Safety slave station | PSD (16 bits), CMD/RSV/LID/RNO (16 bits), S-RY, S-RW, CRC32 (32 bits) | 112
1 | Safety slave station → Safety master station | PSD (16 bits), CMD/RSV/LID/RNO (16 bits), S-RX, S-RWr, CRC32 (32 bits) | 112
2 | Safety master station → Safety slave station | PSD (16 bits), CMD/RSV/LID/RNO (16 bits), S-RY, S-RW, CRC32 (32 bits) | 208
2 | Safety slave station → Safety master station | PSD (16 bits), CMD/RSV/LID/RNO (16 bits), S-RX, S-RWr, CRC32 (32 bits) | 208
Widths of the data fields between the header and the CRC32: 16 bits and 32 bits with one occupied slot; 16 bits, 64 bits and 64 bits with two occupied slots.

Based on the frame length and the number of safety slaves in the safety system, Λ is found in Table 24 and Table 25.

Table 24 – Residual error rate Λ (occupied slots = 1)
Residual error rate probability R_p(CRC32): 1,01 × 10^-24; minimum cycle time: 10,0 ms
Number of safety slaves | Residual error rate, Λ
1 | 7,27 × 10^-17
8 | 5,81 × 10^-16
16 | 1,16 × 10^-15
32 | 2,33 × 10^-15
42 | 3,05 × 10^-15

Table 25 – Residual error rate Λ (occupied slots = 2)
Residual error rate probability R_p(CRC32): 2,05 × 10^-19; minimum cycle time: 10,0 ms
Number of safety slaves | Residual error rate, Λ
1 | 1,47 × 10^-11
8 | 1,18 × 10^-10
16 | 2,36 × 10^-10
32 | 4,72 × 10^-10

The resulting residual error rate for all specified configurations of FSCP 8/1 is maintained below the 10^-7 (10^-9 attributable to the network) required in order to satisfy SIL 3 and Category.

9.6 Maintenance

There are no SCL-specific requirements for maintenance.

NOTE Specifications for system behavior in case of device repair and replacement are outside the scope of this standard. The specification of these activities and the responsibilities are not relevant for the specification of services and protocols. Usually this will be part of a functional safety management plan. However, repair and replacement, as well as maintenance, overall safety validation, overall operation, modifications, retrofits and decommissioning or disposal according to IEC 61508, are important issues which have to be taken into account. It is also recommended to contact the device or system supplier.

NOTE For information on programming the SRP and setting the parameters of safety devices, it is strongly recommended to contact the device or system supplier. It is also recommended to take into account the documents [43] and [44] from the Bibliography. These documents give additional information, e.g. checklists, for the user of a CC-Link Safety system.

NOTE Additional
requirements for maintenance – as well as other requirements – are specified in IEC 61508, IEC 61511 and/or IEC 62061 9.7 Safety manual The supplier of safety slaves that incorporate the SCL according to the SCL specifications given in this standard shall prepare an appropriate safety manual according to IEC 61508 This safety manual shall also include the installation requirements as specified in 9.2 as well as guidelines for the configuration of device switches In addition to switches common with BS EN 61784-3-8:2010 61784-3-8 © IEC:2010(E) – 41 – IEC 61158 Type 18, these guidelines shall include the statement that all safety devices on the same network shall be configured with the same Link ID See 9.1.1 According to the safety communication system based on IEC 61158 Type 18, it is strongly recommended to take into account the specifications [43], [44] and [45] of the Bibliography NOTE Before starting the implementation of a safety device it is good engineering practice to contact the CLPA to determine if there are amendments to implementation guidelines and/or implementation requirements 10 Assessment It is the manufacturer’s responsibility to develop the device to the appropriate development process according to the safety standards (see IEC 61508, IEC 61511, IEC 62061, …) and relevant legal regulations (e g European machinery directive) – 42 – BS EN 61784-3-8:2010 61784-3-8 © IEC:2010(E) Annex A (informative) Additional information for functional safety communication profiles of CPF A.1 Hash function calculation The CRC32 for FSCP 8/1 is calculated using the following algorithm: G(x) = x 32 + x 26 + x 23 + x 22 + x 16 + x 12 + x 11 + x 10 + x + x + x + x + x + x + This is the algorithm defined by IEEE 802.3 [28] A.2 Void … BS EN 61784-3-8:2010 61784-3-8 © IEC:2010(E) – 43 – Annex B (informative) Information for assessment of the functional safety communication profiles of CPF Information about test laboratories which test and validate the conformance of FSCP 
8/1 products with IEC 61784-3-8 can be obtained from the National Committees of the IEC or from the following organization:

CC-Link Partner Association
6F Meiji Yasuda Seimei Ozone Bldg
3-15-58 Ozone, Kita-ku
Nagoya 462-0825
JAPAN
Phone: +81 52 919 1588
Fax: +81 52 916 8655
E-mail: info@cc-link.org
URL: http://www.cc-link.org/

Bibliography

[1] IEC 60050 (all parts), International Electrotechnical Vocabulary. NOTE See also the IEC Multilingual Dictionary – Electricity, Electronics and Telecommunications (available on CD-ROM and online).
[2] IEC/TS 61000-1-2, Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the functional safety of electrical and electronic equipment with regard to electromagnetic phenomena
[3] IEC 61131-6 (in preparation), Programmable controllers – Part 6: Functional safety
[4] IEC 61496 (all parts), Safety of machinery – Electro-sensitive protective equipment
[5] IEC 61508-1:2010 (to be published), Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
[6] IEC 61508-4:2010 (to be published), Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
[7] IEC 61508-5:2010 (to be published), Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 5: Examples of methods for the determination of safety integrity levels
[8] IEC 61784-2, Industrial communication networks – Profiles – Part 2: Additional fieldbus profiles for real-time networks based on ISO/IEC 8802-3
[9] IEC 61784-4 (proposed new work item under consideration), Industrial communication networks – Profiles – Part 4: Secure communications for fieldbuses
[10] IEC 61784-5 (all parts), Industrial communication networks – Profiles – Part 5: Installation of fieldbuses – Installation profiles for CPF x
[11] IEC 61800-5-2, Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional
[12] IEC 61918, Industrial communication networks – Installation of communication networks in industrial premises
[13] IEC/TR 62059-11, Electricity metering equipment – Dependability – Part 11: General concepts
[14] IEC/TR 62210, Power system control and associated communications – Data and communication security
[15] IEC 62280-1, Railway applications – Communication, signalling and processing systems – Part 1: Safety-related communication in closed transmission systems
[16] IEC 62280-2, Railway applications – Communication, signalling and processing systems – Part 2: Safety-related communication in open transmission systems
[17] IEC 62443 (all parts), Industrial communication networks – Network and system security
[18] ISO/IEC Guide 51:1999, Safety aspects – Guidelines for their inclusion in standards
[19] ISO/IEC 2382-14, Information technology – Vocabulary – Part 14: Reliability, maintainability and availability
[20] ISO/IEC 2382-16, Information technology – Vocabulary – Part 16: Information theory
[21] ISO/IEC 7498 (all parts), Information technology – Open Systems Interconnection – Basic Reference Model
[22] ISO 10218-1, Robots for industrial environments – Safety requirements – Part 1: Robot
[23] ISO 12100-1, Safety of machinery – Basic concepts, general principles for design – Part 1: Basic terminology, methodology
[24] ISO 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
[25] ISO 13849-2, Safety of machinery – Safety-related parts of control systems – Part 2: Validation
[26] ISO 14121, Safety of machinery – Principles of risk assessment
[27] EN 954-1:1996 (to be replaced by ISO 13849-1 and/or IEC 62061), Safety of machinery – Safety related parts of control systems – General principles for design
[28] IEEE 802.3, IEEE Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications
[29] ANSI/ISA-84.00.01-2004 (all parts), Functional Safety: Safety Instrumented Systems for the Process Industry Sector
[30] VDI/VDE 2180 (all parts), Safeguarding of industrial process plants by means of process control engineering
[31] GS-ET-26, Grundsatz für die Prüfung und Zertifizierung von Bussystemen für die Übertragung sicherheitsrelevanter Nachrichten ("Principles for Test and Certification of Bus Systems for Safety-relevant Communication"), May 2002, HVBG, Gustav-Heinemann-Ufer 130, D-50968 Köln. This document was one of the starting points for this part; it is currently undergoing a major revision.
[32] ANDREW S. TANENBAUM, Computer Networks, 4th Edition, Prentice Hall, N.J., ISBN-10: 0130661023, ISBN-13: 978-0130661029
[33] W. WESLEY PETERSON, Error-Correcting Codes, 2nd Edition, 1981, MIT Press, ISBN 0-262-16039-0
[34] BRUCE P. DOUGLASS, Doing Hard Time, 1999, Addison-Wesley, ISBN 0-201-49837-5
[35] MICHAEL SCHÄFER (BG-Institute for Occupational Safety and Health), New concepts for safety-related bus systems, 3rd International Symposium "Programmable Electronic Systems in Safety Related Applications", May 1998
[36] DIETER CONRADS, Datenkommunikation, 3rd Edition, 1996, Vieweg, ISBN 3-528-24589-1
[37] German IEC subgroup DKE AK 767.0.4: EMC and Functional Safety, Spring 2002
[38] NFPA 79 (2002), Electrical Standard for Industrial Machinery
[39] GUY E. CASTAGNOLI, On the Minimum Distance of Long Cyclic Codes and Cyclic Redundancy-Check Codes, 1989, Dissertation No. 8979 of ETH Zurich, Switzerland
[40] GUY E. CASTAGNOLI, STEFAN BRÄUER and MARTIN HERRMANN, Optimization of Cyclic Redundancy-Check Codes with 24 and 32 Parity Bits, June 1993, IEEE Transactions on Communications, Volume 41, No.
[41] SCHILLER, F. and MATTES, T., An Efficient Method to Evaluate CRC-Polynomials for Safety-Critical Industrial Communication, Journal of Applied Computer Science, Vol. 14, No. 1, pp. 57-80, Technical University Press, Łódź, Poland, 2006
[42] SCHILLER, F. and MATTES, T., Analysis of CRC-polynomials for Safety-critical Communication by Deterministic and Stochastic Automata, IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, SAFEPROCESS 2006, pp. 1003-1008, Beijing, China, 2006
[43] CC-Link Safety Specifications, Overview/Protocol, BAP-C1603-001, CLPA
[44] CC-Link Safety Specifications, Implementation, BAP-C1603-002, CLPA
[45] CC-Link Safety Specifications, Profiles, BAP-C1603-003, CLPA
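The generator polynomial of Annex A carried into working code, as an added example that is not part of this standard or of the CLPA specifications [43] to [45]. Annex A fixes only G(x); the bit order, initial value and final XOR used by FSCP 8/1 are assumed here to be fixed by the CLPA implementation specification [44] and are therefore exposed as parameters, with the IEEE 802.3 / zlib conventions as defaults so the routine can be cross-checked offline against the standard library. The check input "123456789" is the conventional CRC test vector and the two 8-byte frames are constructed for the demonstration; the function `crc_is_linear` shows the property behind the caveat in A.1, namely that the CRC of a modified frame follows from the CRCs of the original, the difference and the all-zero frame without any secret.

```python
"""Bitwise CRC-32 from the Annex A generator polynomial, with a linearity check.

Added example, not code from BS EN 61784-3-8 or from the CLPA. Annex A fixes
only G(x); bit order, initial value and final XOR are assumed to be set by the
CLPA implementation specification [44] and are parameters here.
"""
import zlib

# Exponents of G(x) as written in Annex A (the IEEE 802.3 polynomial):
# x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1
IEEE_802_3_EXPONENTS = (32, 26, 23, 22, 16, 12, 11, 10, 8, 7, 5, 4, 2, 1, 0)


def polynomial_from_exponents(exponents):
    """Pack the term list into an integer with bit i set for each term x^i."""
    value = 0
    for e in exponents:
        value |= 1 << e
    return value


# Dropping the implicit leading x^32 term leaves the familiar 32-bit constant.
IEEE_802_3_POLY = polynomial_from_exponents(IEEE_802_3_EXPONENTS) & 0xFFFFFFFF


def reflect32(value):
    """Reverse the bit order of a 32-bit word (for the LSB-first convention)."""
    result = 0
    for _ in range(32):
        result = (result << 1) | (value & 1)
        value >>= 1
    return result


def crc32_bitwise(data, poly=IEEE_802_3_POLY, init=0xFFFFFFFF,
                  xor_out=0xFFFFFFFF, reflected=True):
    """Divide the message by G(x) over GF(2) one bit at a time; return the remainder.

    reflected=True processes each byte LSB first (IEEE 802.3 / zlib order);
    reflected=False is the MSB-first form. The remainder is XORed with
    xor_out before it is returned.
    """
    crc = init
    if reflected:
        rpoly = reflect32(poly)
        for byte in data:
            crc ^= byte
            for _ in range(8):
                if crc & 1:
                    crc = (crc >> 1) ^ rpoly
                else:
                    crc >>= 1
    else:
        for byte in data:
            crc ^= byte << 24
            for _ in range(8):
                if crc & 0x80000000:
                    crc = ((crc << 1) ^ poly) & 0xFFFFFFFF
                else:
                    crc = (crc << 1) & 0xFFFFFFFF
    return crc ^ xor_out


def matches_zlib(data):
    """Cross-check the reflected form against the standard-library CRC-32."""
    return crc32_bitwise(data) == zlib.crc32(data)


def crc_is_linear(a, b):
    """CRC-32 is linear over GF(2) for equal-length messages:
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).

    Anyone who flips payload bits can therefore compute the matching CRC
    without any secret, so the residual error rates of Tables 24 and 25
    describe random transmission errors only, not deliberate modification.
    """
    if len(a) != len(b):
        raise ValueError("linearity holds for messages of equal length")
    zeros = bytes(len(a))
    xored = bytes(x ^ y for x, y in zip(a, b))
    return crc32_bitwise(xored) == (
        crc32_bitwise(a) ^ crc32_bitwise(b) ^ crc32_bitwise(zeros))


if __name__ == "__main__":
    check = b"123456789"                      # conventional CRC check input
    print(hex(crc32_bitwise(check)))          # 0xcbf43926, the IEEE 802.3 / zlib value
    print(hex(crc32_bitwise(check, reflected=False)))
    # Constructed 8-byte frames for the linearity demonstration.
    print(crc_is_linear(b"\x01\x02\x03\x04\x05\x06\x07\x08",
                        b"\x80\x00\x00\x00\x00\x00\x00\x01"))
```

The two bit orders are mirror images of each other: feeding the MSB-first form the bit-reversed bytes and reversing its output reproduces the reflected result, which is a useful self-check when matching an implementation against a device whose conventions are only documented in the vendor specification.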