Oct 01, 2015
Dr. Wolfgang Stripf
New characteristic parameters ("Neue Kenngrößen") in IEC 61784-3 Edition 3
Agenda: Status, Previous, New, Hot stuff, Parameter
Dr.-Ing. Wolfgang Stripf / FSCP Kenngrößen in IEC 61784-3
VDE-Tagung "funktionalesicherheit2013"
The Fieldbus vision: coexistence of safety and standard communication
[Figure: a standard PLC with standard input/output and a safety PLC with safety input/output share one fieldbus; the devices shown are a laser scanner, a level switch, an emergency stop (as an example of a safety input), light curtains, robots and drives]
Fieldbus standards (IEC 61158 / 61784)
[Figure: overview of the standards family]
IEC 61158 (Communication Layers):
  -1 Overview
  -2 Physical Layer
  -3 Data-link Service, Types 1, 2, 3, 4, 7, 8, 11, 12, 14...22
  -4 Data-link Protocol, Types 1, 2, 3, 4, 7, 8, 11, 12, 14...22
  -5 Application Layer Service, Types 1, 2, 3, 4, 5, 7, 8, 9, 10, 11...22
  -6 Application Layer Protocol, Types 1, 2, 3, 4, 5, 7, 8, 9, 10, 11...22
IEC 61784-1 (Communication Profiles)
IEC 61784-2 (Real-time Ethernet, RTE)
IEC 61784-3 (Functional Safety Profiles):
  General Part
  ...-1 FF SIS
  ...-2 CIP Safety
  ...-3 PROFIsafe
  ...-6 INTERBUS Safety
  ...-x 3rd Edition
IEC 61784-4 (Security) / IEC 62443
IEC 61784-5 (Installation) / IEC 61918
FSCPs in IEC 61784-3 Edition 3 and in EN 50325-5
[Figure: the Functional Safety Communication Profiles grouped around the standard]
IEC 61784-3: PROFIsafe, CIP Safety, INTERBUS Safety, FF SIS, Safety over EtherCAT, openSAFETY, EPA Safety, CC-Link Safety, SafetyNET p, RAPIEnet Safety
EN 50325-5: CANopen Safety
AS-i Safety at Work (standard?)

Considerations in previous editions 1 + 2 of IEC 61784-3
Quantification of Safety Communication
[Figure: a safety function spanning Sensor -> PES -> Actuator, with a logical connection between each pair]
The 1 % rule: the sum of the residual error rates of all logical connections of a safety function shall not exceed 1 % of the PFD / PFH of that safety function, e.g. for SIL 3 with 10^-7 / h: 1 x 10^-9 / h.
"Black Channel" communication principle
[Figure: two end devices, each with a Safety Communication Layer (IEC 61784 Functional Safety Communication Profile) on top of the IEC 61158 communication layers (FAL, DLL, PhL); between them the fieldbus, gateways, an internal communication link and devices with other protocols, e.g. repeaters, switches, wireless]
Covered so far in the Black Channel: repeaters, switches, wireless
New: "intelligent" (programmable) IO data router
Traditional characterizations (IT world)
[Figure: devices with Safety Communication Layers (FSCP) connected through logical connections over the Black Channel, a closed system with constraints (Pe, rates, etc.)]
Black Channel characteristics: fieldbus messages with non-safety and/or safety PDUs; sample rate of safety PDUs; unknown error detection and repetition of messages
Examples of communication errors: corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade, addressing, out-of-sequence, loopback
IEC 61784-3 started with the "Prüfgrundsätze GS-ET-26" with its IT-driven communication errors.
Storage elements within the Black Channel
[Figure: a queue with a send pointer and a receive pointer; a pointer failure delivers the stored messages in the wrong order]
New error type: out-of-sequence
How many messages shall be considered for the design of the FSCP?
Safety Measures (IEC 61784-3)
Model for calculations: Binary Symmetric Channel (BSC)
[Figure: BSC with transitions 0 -> 0 and 1 -> 1 with probability Q (= 1 - P) and 0 -> 1, 1 -> 0 with probability P; beside it the Binary Erasure Channel (BEC), whose extra output X marks an erased bit]
Binary Symmetric Channel and assumptions: P = Pe for all bits, equal to the Bit Error Probability (BEP); the bits are falsified independently.
Message bits: each bit arrives correctly with probability 1 - Pe and inverted with probability Pe.
Proper and improper CRC polynomials
[Figure: residual error probability Pue versus bit error probability epsilon (0.00001 ... 0.1) on log-log axes, for generator g = 19003h with n = 1008 (Pue between 10^-10 and 10^-6) and for generator g = 199999331h with n = 1056 (Pue between 10^-12 and 10^-9); one curve is labelled "Improper Polynomial"]
For a proper polynomial the curve has gradient = Hamming distance and saturates at 2^-r; shown for generator polynomial 19003h, n = dmax = 1008 (axes: bit error probability 0.00001 ... 0.1, residual error probability 10^-10 ... 10^-6).
Usage of "proper" generator polynomials makes our lives easier:
  $R_{CRC}(P_e) = 2^{-r} \sum_{k=d_{min}}^{n} \binom{n}{k} P_e^{k} (1 - P_e)^{n-k}$
Caution: formula only applicable for proper polynomials!
$R_{SL}(P_e) = R_{CRC}(P_e) \cdot v \cdot m$
  $R_{SL}(P_e)$ = residual error rate per hour
  $R_{CRC}(P_e)$ = residual error probability
  v = number of safety messages per hour ("sample rate")
  m = worst case number of message sinks (e.g. logic solver, actuator)

SIL relationship:
Applicable for safety functions up to SIL | Probability of a dangerous failure per hour for the FSCP | Maximum permissible residual error rate for the FSCP
4 | < 10^-10 / h | < 10^-10 / h
3 | < 10^-9 / h  | < 10^-9 / h
2 | < 10^-8 / h  | < 10^-8 / h
1 | < 10^-7 / h  | < 10^-7 / h
NOTE Values in this table are based on the assumption that the functional safety communication system contributes no more than 1 % of the total faults of the safety function.
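The calculation chain of the last three slides (BSC model, the proper-polynomial estimate for R_CRC(Pe), the rate R = R_CRC(Pe) · v · m, the SIL table and the 1 % rule) as an added worked example in Python. This is not code from the talk or from IEC 61784-3. It enumerates every error pattern of a short code built on the deck's toy generator x^4 + x + 1 to get the exact undetected-error probability, so the proper-polynomial estimate can be checked against it; the code word length n = 15 (where that toy code is the [15,11] Hamming code with d_min = 3), the 1008-bit frame, the 32-bit CRC with an assumed d_min = 6, Pe, v and m in the demo are constructed assumptions, not values from the standard.

```python
"""Residual error probability of a CRC over a binary symmetric channel (BSC).

Added illustration, not code from the talk or from IEC 61784-3. All numeric
parameters in the demo (n, d_min, v, m, Pe) are constructed assumptions.
"""
import functools
import math

# Maximum permissible residual error rate per hour for the FSCP (table on the slide).
SIL_MAX_RESIDUAL_ERROR_RATE = {1: 1e-7, 2: 1e-8, 3: 1e-9, 4: 1e-10}


def gf2_mod(value: int, poly: int, r: int) -> int:
    """Remainder of value divided by poly over GF(2); poly has degree r (bit r set)."""
    for i in range(value.bit_length() - 1, r - 1, -1):
        if value >> i & 1:
            value ^= poly << (i - r)
    return value


@functools.lru_cache(maxsize=None)
def undetected_weights(n: int, poly: int, r: int) -> tuple:
    """Hamming weights of all non-zero n-bit error patterns that the CRC cannot detect,
    i.e. the multiples of the generator. Enumerates 2^n - 1 patterns: small n only."""
    return tuple(bin(e).count("1") for e in range(1, 1 << n) if gf2_mod(e, poly, r) == 0)


def exact_undetected_probability(pe: float, n: int, poly: int, r: int) -> float:
    """Exact P_ue over the BSC: each undetectable pattern of weight w occurs with
    probability Pe^w * (1-Pe)^(n-w) because bits are falsified independently."""
    return sum(pe ** w * (1.0 - pe) ** (n - w) for w in undetected_weights(n, poly, r))


def r_crc_proper(pe: float, n: int, r: int, d_min: int) -> float:
    """The slide's estimate for a *proper* polynomial:
    R_CRC(Pe) = 2^-r * sum_{k=d_min}^{n} C(n,k) Pe^k (1-Pe)^(n-k).
    Terms are formed in log space so that n in the thousands does not overflow."""
    if not 0.0 < pe < 1.0:
        raise ValueError("the BSC model needs 0 < Pe < 1")
    log_pe, log_qe = math.log(pe), math.log1p(-pe)
    tail = 0.0
    for k in range(d_min, n + 1):
        log_binom = math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
        tail += math.exp(log_binom + k * log_pe + (n - k) * log_qe)
    return tail / 2 ** r


def residual_error_rate(r_crc: float, v: float, m: int) -> float:
    """R(Pe) = R_CRC(Pe) * v * m with v safety messages per hour and m worst-case sinks."""
    return r_crc * v * m


def one_percent_budget(pfh: float) -> float:
    """The 1 % rule: all logical connections of a safety function together may
    consume 1 % of the PFH (or PFD) of that safety function."""
    return 0.01 * pfh


def highest_sil_met(rate_per_hour: float):
    """Highest SIL whose permissible residual error rate the FSCP stays below, else None."""
    met = [sil for sil, limit in SIL_MAX_RESIDUAL_ERROR_RATE.items() if rate_per_hour < limit]
    return max(met) if met else None


if __name__ == "__main__":
    # Toy code: generator x^4 + x + 1 from the CRC slide (r = 4). With n = 15 the code is
    # the [15,11] Hamming code, whose minimum distance d_min = 3 is known.
    poly, r, n, d_min = 0b10011, 4, 15, 3
    print("Pe        exact P_ue   proper-polynomial estimate")
    for pe in (1e-4, 1e-3, 1e-2, 1e-1, 0.5):
        print(f"{pe:<9g} {exact_undetected_probability(pe, n, poly, r):.3e}    "
              f"{r_crc_proper(pe, n, r, d_min):.3e}")
    # Rate check with assumed parameters: 1008-bit frames, 32-bit proper CRC with d_min = 6,
    # Pe = 1e-4, v = 36 000 messages/h, m = 4 sinks (all constructed, not from the standard).
    rate = residual_error_rate(r_crc_proper(1e-4, 1008, 32, 6), v=36_000, m=4)
    print(f"R = {rate:.2e} /h -> highest SIL met: {highest_sil_met(rate)}; "
          f"1 % budget of a SIL 3 function with PFH 1e-7/h: {one_percent_budget(1e-7):.0e} /h")
```

The exact enumeration is what the "Caution" on the previous slide is about: the closed form assumes the weight distribution of a proper code, so for a candidate polynomial one either needs its d_min and the assurance that it is proper, or an exact (or tool-based) evaluation like the toy one here. At Pe = 0.5 both curves meet at about 2^-r, which is the plateau drawn on the slide.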
Worst case number of message sinks "m"
[Figure: E-Stop -> Processing -> three Drives over one fieldbus network; each arrow is a logical connection of the safety function]
Example 1: one safety function with a total of m = 4 sinks (1 x Processing, 3 x drives)
[Figure: three independent production cells, each E-Stop -> Processing -> Drive over the shared fieldbus network]
Example 2: three safety functions (three independent production cells) with m = 2 sinks each (1 x Processing, 1 x drive)

New considerations for Edition 3 of IEC 61784-3
FSCP to show residual error rates for:
  Timeliness of safety data ("Aktualität"): expected Data(t), received Data(t-) delivered late from storage
  Authenticity of safety data ("Authentizität"): expected Data(A1), received Data(An) from another source
  Integrity of safety data ("Unversehrtheit"): Data(A1,t) corrupted
Formula: $R_{SL}(P_e) = R_{CRC}(P_e) \cdot v \cdot m$
IEC 61508 requirements
New characteristics: "TADI" ("TADIS")
[Figure: the same model as before: devices with Safety Communication Layers (FSCP), logical connections, the Black Channel as a closed system with constraints (Pe, rates, etc.)]
Black Channel characteristics: fieldbus messages with non-safety and/or safety PDUs; sample rate of safety PDUs; unknown error detection and repetition of messages
Examples of communication errors: corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade, addressing, out-of-sequence, loopback
New characteristics the errors are mapped to: Timeliness, Authenticity, Data Integrity, Security
New: protocol phases to consider
[Figure: state diagram Start -> Initialization -> Correct FSCP operation; Fault -> Warm start -> Initialization; a tolerated error (optional) returns to correct operation]
Expanded considerations:
  Setup or change
  Initialization (establish communication)
  Operation (process data exchange)
  Warm start after transition from Fault
  Shutdown

Hot stuff
How to calculate (estimate) Residual Error Rates (RER)?
[Figure: a fieldbus message consisting of DA, SA (fieldbus addresses), a non-safety PDU, a safety PDU, a non-safety PDU and the CRC; bit error probability = Pe]
Model and assumptions:
  Transmitted bits across the fieldbus: BSC model
  Misrouting faults (authenticity expectation): uniform distribution
  Store-and-forward faults (timeliness expectation): uniform distribution
Principle of CRC signature calculation
[Figure: n user data bits followed by r CRC-signature bits; generator polynomial = x^4 + x^1 + x^0; the figure shows the bit string 1 1 1 0]
Safety checks within the receiver: "explicit" safety measures
[Figure: fieldbus frame with DA, SA (fieldbus address) and a safety PDU consisting of data, authenticity (A-code), timeliness (T-code) and CRC signature; the receiver holds a locally stored parameter (local A-code) and a locally generated synchronized value (local T-code *))]
Step 1, authenticity: expectation that the received A-code is equal to the local A-code; authenticity 100 % correct.
Step 2, timeliness: expectation that the received T-code is equal to (one of) the local T-code values; timeliness has a certain RP *).
CRC calculation using the generator polynomial: remainder ("Rest") != 0: data incorrect, or from incorrect source, or out of time; remainder = 0: data correct with a certain RP.
*) If several values are permitted (window "w") and/or sequence number/time stamp with wrap over, timeliness will also have a certain RP. RP: residual error probability.
Safety checks within the receiver: "implicit" safety measures
[Figure: fieldbus frame with DA, SA (fieldbus address) and a safety PDU consisting of data and CRC signature only; the local A-code and the local T-code *) enter the CRC calculation as seed, at sender and receiver]
CRC calculation using the generator polynomial, seeded with local A-code and local T-code (optional for performance): remainder ("Rest") != 0: data incorrect, or from incorrect source, or out of time; remainder = 0: data correct with a certain RP, authenticity at a certain RP, timeliness at a certain RP.
*) If sequence number/time stamp with wrap over, timeliness will also have a certain RP. RP: residual error probability.
Model for authenticity considerations
[Figure: a configured message source and a message sink, each with a bus interface, a fieldbus address and an internal address, joined by a logical connection (authenticity) over a fieldbus with bit error probability Pe, e.g. via switches; key: PA]
Intended safety message, e.g. SIL 3; message with incorrect fieldbus address or internal address (non-safety or lower SIL).
PA: probability of an authenticity error for logical connections.
Receiver shall be able to detect misdirected safety PDUs.
Safety checks within the receiver: misdirected safety PDUs (explicit)
[Figure: as for the explicit measures, but the frame carries a corrupted fieldbus address and therefore a misdirected safety PDU with data, A-code, T-code and CRC signature]
Step 1, authenticity incorrect: the received A-code is not equal to the local A-code (locally stored parameter).
Step 2, timeliness: expectation that the received T-code is equal to (one of) the local T-code values (locally generated synchronized value); timeliness has a certain RP *).
CRC calculation using the generator polynomial: remainder ("Rest") != 0: data incorrect, or from incorrect source, or out of time; remainder = 0: certain probability.
*) If several values are permitted (window "w") and/or sequence number/time stamp with wrap over, timeliness will also have a certain RP. RP: residual error probability.
Safety checks within the receiver: misdirected safety PDUs (implicit)
[Figure: frame with corrupted fieldbus address and a misdirected safety PDU with data and CRC signature; local A-code and local T-code *) seed the CRC calculation (optional for performance); the bit errors in the fieldbus address (BSC) are responsible for the misdirected safety PDU; open question: correlation between those address bit errors and the CRC check?]
Remainder ("Rest") != 0: data incorrect, or from incorrect source, or out of time. Remainder = 0: data correct with RP acc. BSC, authenticity with RP acc. UD, timeliness with RP acc. UD.
*) If several values are permitted (window "w") and/or sequence number with wrap over, timeliness will also have a certain RP.
RP: residual error probability; UD: uniform distribution; BSC: binary symmetric channel.
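The receiver checks of the "explicit" and "implicit" slides, together with the misdirected-PDU cases of the last two slides and the out-of-sequence (stale message) case from the storage-element slide, as an added example in Python. It is not code from the talk, from IEC 61784-3 or from any FSCP. The frame layout (A-code || T-code || data under the CRC, with the codes transmitted in the explicit variant and only seeding the CRC in the implicit one), the field widths, the window w = 2 and every sample value (local A-code 0x3C, expected T-code 5, data 0x5A) are constructed for the demo; the CRC uses the deck's toy generator x^4 + x + 1, whose residual probability is far too high for a real profile, and the misdirected and stale samples were chosen so that this toy CRC does not happen to collide on them.

```python
"""Receiver-side safety checks of an FSCP: the "explicit" and "implicit" variants.

Added illustration; this is not code from IEC 61784-3 or from any FSCP.
Field widths, the window w and all sample values are constructed for the demo,
and the CRC uses the deck's toy generator x^4 + x + 1 (a real profile uses a
much longer, proper polynomial).
"""
from dataclasses import dataclass

POLY, R = 0b10011, 4                  # generator x^4 + x + 1, r = 4 signature bits
A_BITS, T_BITS, DATA_BITS = 8, 4, 8   # constructed widths of A-code, T-code and data
WINDOW_W = 2                          # permitted T-code values: expected and expected + 1


def gf2_mod(value: int, poly: int, r: int) -> int:
    """Remainder of value divided by poly over GF(2); poly has degree r (bit r set)."""
    for i in range(value.bit_length() - 1, r - 1, -1):
        if value >> i & 1:
            value ^= poly << (i - r)
    return value


def pack(a_code: int, t_code: int, data: int) -> int:
    """A-code || T-code || data as one bit string (the CRC input in both variants)."""
    return (a_code << (T_BITS + DATA_BITS)) | (t_code << DATA_BITS) | data


def signature(a_code: int, t_code: int, data: int) -> int:
    """CRC signature: remainder of (A||T||data) * x^r divided by the generator."""
    return gf2_mod(pack(a_code, t_code, data) << R, POLY, R)


def t_window(expected_t: int):
    """The w T-code values the receiver currently accepts (with wrap-around)."""
    return [(expected_t + i) % (1 << T_BITS) for i in range(WINDOW_W)]


@dataclass(frozen=True)
class ExplicitPDU:                    # A-code and T-code travel inside the PDU
    a_code: int
    t_code: int
    data: int
    sig: int


@dataclass(frozen=True)
class ImplicitPDU:                    # A-code and T-code only seed the CRC, not transmitted
    data: int
    sig: int


def send_explicit(a_code: int, t_code: int, data: int) -> ExplicitPDU:
    return ExplicitPDU(a_code, t_code, data, signature(a_code, t_code, data))


def send_implicit(a_code: int, t_code: int, data: int) -> ImplicitPDU:
    return ImplicitPDU(data, signature(a_code, t_code, data))


def receive_explicit(pdu: ExplicitPDU, local_a_code: int, expected_t: int) -> str:
    """Explicit steps from the deck: (1) A-code must equal the locally stored parameter
    (100 % check), (2) T-code must be one of the w locally generated values, (3) the
    remainder over the whole PDU must be 0. Each step fails only with its own RP."""
    if pdu.a_code != local_a_code:
        return "authenticity error"
    if pdu.t_code not in t_window(expected_t):
        return "timeliness error"
    word = (pack(pdu.a_code, pdu.t_code, pdu.data) << R) | pdu.sig
    if gf2_mod(word, POLY, R) != 0:
        return "integrity error"
    return "ok"


def receive_implicit(pdu: ImplicitPDU, local_a_code: int, expected_t: int) -> str:
    """Implicit variant: the receiver re-seeds the CRC with its local A-code and each
    candidate T-code; remainder 0 for one candidate accepts data, source and timeliness
    together, all at the residual probability of the CRC."""
    for t in t_window(expected_t):
        word = (pack(local_a_code, t, pdu.data) << R) | pdu.sig
        if gf2_mod(word, POLY, R) == 0:
            return "ok"
    return "rejected (remainder != 0)"


def corrupt_lsb(pdu):
    """Model one falsified bit in the data field (the BSC's independent bit error)."""
    if isinstance(pdu, ExplicitPDU):
        return ExplicitPDU(pdu.a_code, pdu.t_code, pdu.data ^ 1, pdu.sig)
    return ImplicitPDU(pdu.data ^ 1, pdu.sig)


if __name__ == "__main__":
    LOCAL_A, EXPECTED_T, DATA = 0x3C, 5, 0x5A          # constructed receiver state
    cases = {
        "genuine":     (LOCAL_A, 5),
        "misdirected": (LOCAL_A ^ 0x80, 5),          # arrives from another logical connection
        "stale":       (LOCAL_A, 3),                 # old message delivered out of sequence
    }
    for name, (a, t) in cases.items():
        print(f"{name:12} explicit: {receive_explicit(send_explicit(a, t, DATA), LOCAL_A, EXPECTED_T)}"
              f" | implicit: {receive_implicit(send_implicit(a, t, DATA), LOCAL_A, EXPECTED_T)}")
    print("corrupted    explicit:",
          receive_explicit(corrupt_lsb(send_explicit(LOCAL_A, 5, DATA)), LOCAL_A, EXPECTED_T))
```

In the implicit variant a wrong source or a stale T-code is visible only as a non-zero remainder, which is why the slide assigns authenticity and timeliness residual probabilities to the CRC as well; the loop over the w candidate T-codes also shows why a larger window raises that residual probability, as the footnote *) on the slides states.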
New "Table 2" with RPs
FSCP categories       | Timeliness (T): sequence number / time stamp | Authenticity (A): safety connection authentication; detection of masquerade | Data Integrity (DI): CRC signature
Explicit              | RP_T = 2^(-T-Code) x w                        | RP_S = 2^(-A-Code) x d; RP_M                                                 | RP_I
Explicit and implicit | RP_T                                          | RP_S; RP_M                                                                   |
Implicit T or A       | RP_T                                          | RP_S; RP_M                                                                   |
Implicit T and A      | RP_T                                          | RP_S; RP_M                                                                   |
A new "Table 2" with Residual Error Probabilities (RP) was created for fast and easy estimates. The RP_x values may be too pessimistic due to overlap effects from the CRC signature (data integrity). Together with the estimates of occurrences, the Residual Error Rates (RR) can be calculated.
Approach with "universal" formula
"Table 2" could be accompanied by a proposed "universal" formula (preliminary).
Caution: formula not yet approved by the group!
Benefit of a "universal" formula: better values due to no overlap from the CRC signature (data integrity).

Parameterization issues
Parameterization considerations
[Figure: an engineering tool and a device tool produce a CRC-secured FSCP parameter block (FSCP parameters of the device, e.g. timeout) and technology parameters (device-specific parameters), each protected by its own CRC; the controller sends configuration & parameterization over the fieldbus to the device, which checks the CRCs]
Procedures to consider:
Assumption: parameter change rate: 1 / day

Just do it!
Thank you. Questions?