BS EN 61784-3-3:2017
$215.11
Industrial communication networks. Profiles – Functional safety fieldbuses. Additional specifications for CPF 3
Published By | Publication Date | Number of Pages
---|---|---
BSI | 2017 | 144
This part of the IEC 61784-3 series specifies a safety communication layer (services and protocol) based on CPF 3 of IEC 61784-1, IEC 61784-2 (CP 3/1, CP 3/2, CP 3/4, CP 3/5 and CP 3/6) and IEC 61158 Types 3 and 10. It identifies the principles for functional safety communications defined in IEC 61784-3 that are relevant for this safety communication layer. This safety communication layer is intended for implementation in safety devices only.
NOTE 1 It does not cover electrical safety and intrinsic safety aspects. Electrical safety relates to hazards such as electrical shock. Intrinsic safety relates to hazards associated with potentially explosive atmospheres.
This part defines mechanisms for the transmission of safety-relevant messages among participants within a distributed network using fieldbus technology in accordance with the requirements of the IEC 61508 series for functional safety. These mechanisms may be used in various industrial applications such as process control, manufacturing automation and machinery.
This part provides guidelines for both developers and assessors of compliant devices and systems.
NOTE 2 The resulting SIL claim of a system depends on the implementation of the selected functional safety communication profile within this system – implementation of a functional safety communication profile according to this part in a standard device is not sufficient to qualify it as a safety device.
PDF Catalog
PDF Pages | PDF Title
---|---
2 | National foreword |
7 | English CONTENTS |
13 | FOREWORD |
15 | Figures Figure 1 – Relationships of IEC 61784-3 with other standards (machinery) |
16 | Figure 2 – Relationships of IEC 61784-3 with other standards (process) |
19 | 1 Scope 2 Normative references |
21 | 3 Terms, definitions, symbols, abbreviated terms and conventions 3.1 Terms and definitions 3.1.1 Common terms and definitions |
27 | 3.1.2 CPF 3: Additional terms and definitions |
31 | 3.2 Symbols and abbreviated terms 3.2.1 Common symbols and abbreviated terms |
32 | 3.2.2 CPF 3: Additional symbols and abbreviated terms |
33 | 3.3 Conventions 4 Overview of FSCP 3/1 (PROFIsafe™) |
34 | Figure 3 – Basic communication preconditions for FSCP 3/1 Figure 4 – Structure of an FSCP 3/1 safety PDU |
35 | Figure 5 – Safety communication on CPF 3 |
36 | 5 General 5.1 External documents providing specifications for the profile 5.2 Safety functional requirements 5.3 Safety measures |
37 | 5.4 Safety communication layer structure 5.4.1 Principle of FSCP 3/1 safety communications Figure 6 – Standard CPF 3 transmission system Tables Table 1 – Deployed measures to master errors |
38 | 5.4.2 CPF 3 communication structures Figure 7 – Safety layer architecture |
39 | Figure 8 – Basic communication layers Figure 9 – Multiport switch bus structure |
40 | Figure 10 – Linear bus structure Figure 11 – Crossing network borders with routers |
41 | 5.5 Relationships with FAL (and DLL, PhL) 5.5.1 Device model Figure 12 – Complete safety transmission paths |
42 | 5.5.2 Application and communication relationships 5.5.3 Data types Figure 13 – IO Device model Table 2 – Data types for FSCP 3/1 |
43 | 6 Safety communication layer services 6.1 F-Host services Figure 14 – FSCP 3/1 communication structure |
44 | Figure 15 – F user interface of F-Host driver instances |
45 | Figure 16 – Motivation for "Channel-related Passivation" |
46 | 6.2 F-Device services |
47 | Figure 17 – F-Device driver interfaces |
48 | 6.3 Diagnosis 6.3.1 Safety alarm generation 6.3.2 F-Device safety layer diagnosis including the iPar-Server |
49 | 7 Safety communication layer protocol 7.1 Safety PDU format 7.1.1 Safety PDU structure Table 3 – Safety layer diagnosis messages |
50 | 7.1.2 Safety IO data 7.1.3 Status and Control Byte Figure 18 – Safety PDU for CPF 3 Figure 19 – Status Byte |
51 | Figure 20 – Control Byte |
52 | 7.1.4 (Virtual) MonitoringNumber Figure 21 – The Toggle Bit function |
53 | 7.1.5 (Virtual) MNR mechanism (F_CRC_Seed=0) 7.1.6 (Virtual) MNR mechanism (F_CRC_Seed=1) Figure 22 – F-Device MonitoringNumber Table 4 – MonitoringNumber of an F-Host PDU Table 5 – MonitoringNumber of an F-Device PDU |
54 | Table 6 – MonitoringNumber of an F-Host PDU Table 7 – MonitoringNumber of an F-Device PDU |
55 | 7.1.7 CRC2 Signature (F_CRC_Seed=0) Figure 23 – F-Host CRC2 signature generation (F_CRC_Seed=0) |
56 | 7.1.8 CRC2 Signature (F_CRC_Seed=1) Figure 24 – Details of the CRC2 signature calculation (F_CRC_Seed=0) Figure 25 – CRC2 signature calculation (F_CRC_Seed=1) |
57 | 7.1.9 Non-safety IO data 7.2 FSCP 3/1 behavior 7.2.1 General Figure 26 – Details of the CRC2 signature calculation (F_CRC_Seed=1) Figure 27 – Safety layer communication relationship |
58 | 7.2.2 F-Host state diagram Figure 28 – F-Host state diagram |
59 | Table 8 – Definition of terms used in F-Host state diagram Table 9 – F-Host states and transitions |
61 | 7.2.3 F-Device state diagram |
62 | Figure 29 – F-Device state diagram Table 10 – Definition of terms used in Figure 29 |
63 | Table 11 – F-Device states and transitions |
65 | 7.2.4 Sequence diagrams Figure 30 – Interaction F-Host / F-Device during start-up |
66 | Figure 31 – Interaction F-Host / F-Device during F-Host power off → on |
67 | Figure 32 – Interaction F-Host / F-Device with delayed power on |
68 | Figure 33 – Interaction F-Host / F-Device during power off → on |
69 | Figure 34 – Interaction F-Host / F-Device while host recognizes CRC error |
70 | Figure 35 – Interaction F-Host / F-Device while device recognizes CRC error |
71 | 7.2.5 Timing diagram for a MonitoringNumber reset 7.2.6 Monitoring of safety times Figure 36 – Impact of the MNR reset signal |
72 | Figure 37 – Monitoring the message transit time F-Host ↔ F-Output Figure 38 – Monitoring the message transit time F-Input ↔ F-Host |
74 | 7.3 Reaction in the event of a malfunction 7.3.1 Unintended repetition Figure 39 – Extended watchdog time on request Table 12 – SIL monitor times |
75 | 7.3.2 Loss 7.3.3 Insertion 7.3.4 Incorrect sequence 7.3.5 Corruption of safety data 7.3.6 Unacceptable delay 7.3.7 Masquerade |
76 | 7.3.8 Addressing 7.3.9 Memory failures within switches Table 13 – Remedies for switch failures |
77 | 7.3.10 Loop-back 7.3.11 Network boundaries and router Table 14 – Safety network boundaries |
78 | 7.4 F-Startup and parameter change at runtime 7.4.1 Standard startup procedure 7.4.2 iParameter assignment deblocking 8 Safety communication layer management 8.1 F-Parameter 8.1.1 Summary Figure 40 – iParameter assignment deblocking by the F-Host |
79 | 8.1.2 F_Source/Destination_Address (Codename) 8.1.3 F_WD_Time (F-Watchdog time) Table 15 – Codename octet order |
80 | 8.1.4 F_WD_Time_2 (secondary F-Watchdog time) 8.1.5 F_Prm_Flag1 (Parameters for the safety layer management) Figure 41 – Effect of F_WD_Time_2 Figure 42 – F_Prm_Flag1 |
81 | Figure 43 – F_Check_SeqNr Figure 44 – F_Check_iPar Figure 45 – F_SIL |
82 | 8.1.6 F_Prm_Flag2 (Parameters for the safety layer management) Figure 46 – F_CRC_Length Figure 47 – F_CRC_Seed Figure 48 – F_Prm_Flag2 |
83 | 8.1.7 F_iPar_CRC (value of iPar_CRC across iParameters) Figure 49 – F_Passivation Figure 50 – F_Block_ID Figure 51 – F_Par_Version |
84 | 8.1.8 F_Par_CRC calculation (across F-Parameters) 8.1.9 Structure of the F-Parameter record data object 8.2 iParameter and iPar_CRC Figure 52 – F-Parameter |
85 | 8.3 Safety parameterization 8.3.1 Objectives Figure 53 – iParameter block |
86 | 8.3.2 GSDL and GSDML safety extensions Table 16 – GSDL keywords for F-Parameters and F-IO structures |
87 | Figure 54 – F-Parameter extension within the GSDML specification |
88 | 8.3.3 Securing safety parameters and GSD data |
89 | Figure 55 – F_Par_CRC signature including iPar_CRC Figure 56 – Algorithm to build CRC0 |
90 | Table 17 – GSD example in GSDL notation |
91 | Figure 57 – GSD example in GSDML notation Table 18 – Serialized octet stream for the examples |
92 | 8.4 Safety configuration 8.4.1 Securing the safety IO data description (CRC7) Table 19 – IO data structure items |
93 | 8.4.2 DataItem data type section examples |
94 | Figure 58 – DataItem section for F_IN_OUT_1 |
95 | Figure 59 – DataItem section for F_IN_OUT_2 |
96 | Figure 60 – DataItem section for F_IN_OUT_5 |
97 | 8.5 Data type information usage 8.5.1 F-Channel driver Figure 61 – DataItem section for F_IN_OUT_6 |
98 | 8.5.2 Rules for standard F-Channel drivers Figure 62 – F-Channel driver as "glue" between F-Device and user program Table 20 – Sample F-Channel drivers |
99 | 8.5.3 Recommendations for F-Channel drivers Figure 63 – Layout example of an F-Channel driver |
100 | 8.6 Safety parameter assignment mechanisms 8.6.1 F-Parameter assignment 8.6.2 General iParameter assignment Figure 64 – F-Parameter assignment for simple F-Devices and F-Slaves |
101 | 8.6.3 System integration requirements for iParameterization tools Figure 65 – F and iParameter assignment for complex F-Devices Table 21 – Requirements for iParameterization |
102 | Figure 66 – System integration of CPD-Tools |
103 | 8.6.4 iPar-Server Figure 67 – iPar-Server mechanism (commissioning) |
104 | Figure 68 – iPar-Server mechanism (for example F-Device replacement) |
105 | Figure 69 – iPar-Server request coding ("status model") |
106 | Figure 70 – Coding of SR_Type Table 22 – Specifier for the iPar-Server Request |
107 | Figure 71 – iPar-Server request coding ("alarm model") Table 23 – Structure of the Read_RES_PDU ("read record") |
108 | Table 24 – Structure of the Write_REQ_PDU ("write record") Table 25 – Structure of the Pull_RES_PDU ("Pull") Table 26 – Structure of the Push_REQ_PDU ("Push") |
109 | Figure 72 – iPar-Server state diagram |
110 | Table 27 – iPar-Server states and transitions |
111 | Table 28 – iPar-Server management measures |
112 | 9 System requirements 9.1 Indicators and switches 9.2 Installation guidelines 9.3 Safety function response time 9.3.1 Model |
113 | Figure 73 – Example safety function with a critical response time path Figure 74 – Simplified typical response time model |
114 | 9.3.2 Calculation and optimization Figure 75 – Frequency distributions of typical response times of the model |
115 | Figure 76 – Context of delay times and watchdog times |
116 | 9.3.3 Adjustment of watchdog times for FSCP 3/1 Figure 77 – Timing sections forming the FSCP 3/1 F_WD_Time |
117 | 9.3.4 Engineering tool support 9.3.5 Retries (repetition of messages) Figure 78 – Frequency distribution of response times with message retries |
118 | 9.4 Duration of demands Figure 79 – Retries with CP 3/1 Figure 80 – Retries with CP 3/RTE |
119 | 9.5 Constraints for the calculation of system characteristics 9.5.1 Probabilistic considerations Figure 81 – Residual error probabilities for the 24-bit CRC polynomial |
120 | Figure 82 – Residual error probabilities for the 32-bit CRC polynomial |
121 | 9.5.2 Safety related assumptions Figure 83 – Monitoring of corrupted messages Table 29 – Definition of terms in Figure 83 |
122 | 9.5.3 Non safety related constraints (availability) 9.6 Maintenance 9.6.1 F-Module commissioning / replacement 9.6.2 Identification and maintenance functions 9.7 Safety manual |
123 | Table 30 – Information to be included in the safety manual |
124 | 9.8 Wireless transmission channels 9.8.1 Black channel approach 9.8.2 Availability 9.8.3 Security measures Figure 84 – Considerations against systematic loop-back configuration errors |
125 | Figure 85 – Security for WLAN networks Table 31 – Definition of terms in Figure 85 Table 32 – Security measures for WLAN (IEEE 802.11) |
126 | Figure 86 – Security for Bluetooth networks Table 33 – Definition of terms in Figure 86 |
127 | 9.8.4 Stationary and mobile applications 9.9 Conformance classes Table 34 – Security measures for Bluetooth (IEEE 802.15.1) Table 35 – F-Host conformance class requirements |
129 | 10 Assessment 10.1 Safety policy 10.2 Obligations Table 36 – Main characteristics of protocol versions Table 37 – F-Host/F-Device conformance matrix |
131 | Annex A (informative) Additional information for functional safety communication profiles of CPF 3 A.1 Hash function calculation Figure A.1 – Typical "C" procedure of a cyclic redundancy check |
132 | Table A.1 – The table "Crctab24" for 24 bit CRC signature calculations |
133 | Table A.2 – The table "Crctab32" for 32 bit CRC signature calculations |
134 | A.2 Example values for MonitoringNumbers (MNR) Table A.3 – The table "Crctab16" for 16 bit CRC signature calculations |
135 | A.3 Response time measurements Figure A.2 – Comparison of the response time model and a real application Table A.4 – Values of CN_incrNR_64 and MNR for F-Host PDU |
136 | Figure A.3 – Frequency distribution of measured response times |
137 | Figure A.4 – F-Host with standard and safety-related application programs |
138 | Annex B (informative) Information for assessment of the functional safety communication profiles of CPF 3 |
139 | Bibliography |