CAN

© CiA

Reiner Zitzmann(CAN in Automation)

www.can-cia.org

CANopen Safety

1 Chip 16-Bit MCU

CAN- Controller 1 CAN- Controller 2

CAN- Transceiver

CAN-Bus

CAN Tx 2 CAN Rx 2CAN Rx 1CAN Tx 1

CANopen Stack

Safety Applikation

redundant CANopen safety-relevant

monitoring, cross comparison.

sequence monitoring, time monitoring

object dictionary (OD)

(CANopen data

structures according to

DS301 and DS304)

event leading

to safety

critical

shutoff

watchdog

with independent

time base

higher level supply

voltage/voltage

monitoring

/NMI

alternating transmission

diagnostic

functions

(eg. RAM/ ROM/

Op- Code Test,

Register,

Periphery)

safety switching

device

control-

signal

dual channel

monitoring-

signal

dual channel

trigger-

signal

control-

signal

dual channel

testsignal

Sensor Actuator

object dictionary

(DS4xx)

safety shutoff

2nd shutoff path

monitoring the

2nd shutoff path

CAN

© CiA

Application fields• Generic control functions in machine building (SIL2 and SIL3)• Interfaces for extruder downstream devices (SIL2)• Embedded control system for medical devices (SIL2 and SIL3)• Control systems for industrial cranes (SIL3)• Electronic control units for forklifts (SIL3)• Elevator control systems (SIL2 and SIL3)• Garbage truck bodies and off-road vehicles (SIL2)• Control systems for rail vehicles and locomotives (SIL3)• Embedded control systems for building doors (SIL2)

CANopensafety easy to use

CAN

© CiA

Multiple device

Object dictionary

CANopen safety device

I/O lines(Process IF)

SRDO(Safety IF)

SDO(Configuration IF)

Emergency/SDO(Diagnostics IF)

Logicaldevice 1

to to

Virtualdevice 1

Virtualdevice n

Logicaldevice 8

to

Virtualdevice 1

Virtualdevice n

PDO/SDO(Control IF)

CAN

© CiA

Communication profile area

Index range Description

1000h to 1029h General communication objects

1200h to 12FFh SDO parameter objects

1300h to 13FFh CANopen safety objects

1400h to 1BFFh PDO parameter objects

1F00h to 1F11h SDO manager objects

1F20h to 1F27h Configuration manager objects

1F50h to 1F54h Program control objects

1F80h to 1F89h NMT master objects

CAN

© CiA

◆ Service Data Object (SDO) protocols ◆ Standard SDO protocols ◆ SDO block protocols◆ Safety-Related Data Object (SRDO) protocol◆ Process Data Object (PDO) protocol◆ Special object protocols: ◆ Synchronization (SYNC) protocol ◆ Time Stamp (TIME) protocol ◆ Emergency (EMCY) protocol◆ Network Management protocols: ◆ NMT Message protocol ◆ Boot-Up protocol ◆ Error Control protocols

- Heartbeat protocol- Node guarding protocol

Communication protocols

CAN

© CiA

CANopen network with safe nodes

PLC

S1 N1 S2 N2 N3 D1

MEmergency

Push Button

SLM

Drive

Controll

CAN Safety Power

Switch

S3

Sx Safety Node (S3: Saftey controller)Nx Normal Node

Dx Drive Controll

CAN

© CiA

indication(s)1 to 8 Byte

1 to 8 Byterequest

CAN Data Frame 1

Bit-wise inverted Data Field of CAN Data Frame 1

Safety-relevant Data Object

CAN

© CiA

time

SRDO1SRDO1

SRVT SRVT

time

SRDO1

SRDO1

SRDO1SRDO1

SCTSCT

SCT

SCT expired

refresh-time refresh-time

SRVT

SRVTexpired

SRDO Timing

CAN

© CiA

SRDO parameter record

Index Sub-Index Field in SRDO Communication Parameter Record Data Type

0h Number of entries UNSIGNED8

1h Information direction (TX or RX) UNSIGNED8

2h Refresh-time/SCT (in ms) UNSIGNED16

3h SRVT (in ms) UNSIGNED8

4h Transmission type UNSIGNED8

5h COB ID1 UNSIGNED32

13xxh

6h COB ID2 UNSIGNED32

CAN

© CiA

Optionally reserved IDs

Object CAN identifier

Global failsafe command 1h

Safety-relevant data objects (SRDO) 101h to 180h

Flying master 71h to 76h

Dynamic SDO request 6E0h

Node claiming procedure 6E1h to 6E3h

Node claiming procedure 6F0h to 6FFh

Layer setting services (LSS) 7E4h, 7E5h

CAN

© CiA

2000h 01h Object A

2003h 03h Object G2003h 02h Object F2003h 01h Object E2002h 00h Object D2001h 00h Object C2000h 02h Object B

Object Dictionary

Object GObject A Object ESRDO_1

Index Sub Object contents01h 2000h 01h 8h

02h 2003h 03h 10h

03h 2003h 01h 8h

1381h

1381h

1381h

SRDO mapping

CAN

© CiA

2000h 01h Object A

2003h 03h Object G2003h 02h Object F2003h 01h Object E2002h 00h Object D

2000h 02h Object B

Object Dictionary

Object A Object EObject GSRDO_1

Index Sub Object contents01h 2000h 01h 8h

02h 2003h 03h 10h

03h 2003h 01h 8h

1381h

1381h

1381h 2001h 00h

2001h 00h Object C

2003h 03h Object G

2001h 00h Object C

Object C

Variable SRDO mapping

CAN

© CiA

Object dictionary extension

Index Object Name Type Acc.1

M/O

1300h VAR GFC parameter UNSIGNED8 rw O

SRDO Communication Parameter

1301h RECORD 1st SRDO parameter SRDO Parameter (26h) rw M

1302h RECORD 2nd

SRDO parameter SRDO Parameter (26h) rw M/O*

::::: ::::: ::::: ::::: ::::: :::::

1340h RECORD 64th

SRDO parameter SRDO Parameter (26h) rw M/O*

1341h reserved

::::: :::::

1380h reserved

SRDO Mapping Parameter

1381h ARRAY 1st SRDO mapping UNSIGNED32 rw M

1382h ARRAY 2nd

SRDO mapping UNSIGNED32 rw M/O*

::::: ::::: ::::: ::::: ::::: :::::

13C0h ARRAY 64th

SRDO mapping UNSIGNED32 rw M/O*

13C1h reserved

::::: :::::

13FDh reserved

13FEh VAR Configuration valid UNSIGNED 8 rw M

13FFh ARRAY Safety Configuration Checksum UNSIGNED16 ro M

CAN

© CiA

BIA approval

CAN

© CiA

(1) Message repetition

(2) Message lost

(3) Message insertion

(4) Wrong message sequence

(5) Message corruption

(6) Message delay

(7) Coupling

Communication failures

CAN

© CiA

(1) Running number in safety-relevant messages

(2) Relative, absolute or double time-marks

(3) Time-out

(4) Confirmation of message

(5) Identifying of producer and consumer

(6) Application CRC

(7) Redundancy with cross-checking

Failure-avoiding methods

CAN

© CiA

Repetition

Lost

Insertion

Wrong sequence

Corruption

Delay

Coupling

Run

ning

num

ber

Tim

e m

ark

Tim

e-ou

t

Con

firm

atio

n

Iden

tific

atio

n

CR

C

Cro

ss-c

heck

Diff

eren

t dat

a

x

x

x

x

-

-

-

x

-

-

x

-

x

-

-

-

-

-

-

xx3

-

-

x

x1

-

x

-

x1

-

-

x2

-

-

-

x

- x -

- x -

- x -

-

x

-

-

x -

x4

-

-

-

- x

1) application-specific2) only for producer3) mandatory4) low error-rate shall betestable

Methods used byCANopen Safety

BIA recommendations

CAN

© CiA

CANopen safety chip

1 Chip 16-Bit MCU

CAN- Controller 1 CAN- Controller 2

CAN- Transceiver

CAN-Bus

CAN Tx 2 CAN Rx 2CAN Rx 1CAN Tx 1

CANopen Stack

Safety Applikation

redundant CANopen safety-relevant

monitoring, cross comparison.

sequence monitoring, time monitoring

object dictionary (OD)

(CANopen data

structures according to

DS301 and DS304)

event leading

to safety

critical

shutoff

watchdog

with independent

time base

higher level supply

voltage/voltage

monitoring

/NMI

alternating transmission

diagnostic

functions

(eg. RAM/ ROM/

Op- Code Test,

Register,

Periphery)

safety switching

device

control-

signal

dual channel

monitoring-

signal

dual channel

trigger-

signal

control-

signal

dual channel

testsignal

Sensor Actuator

object dictionary

(DS4xx)

safety shutoff

2nd shutoff path

monitoring the

2nd shutoff path

CAN

© CiA

Requirements (Consortium) CANopen Safety

• 2 independent CAN controllers• 2 TSRDO + 2 RSRDO• Minimal SRVT: 5 ms• Minimal refresh-time: 20 ms

CANopen• 2 TPDO + 2 RPDO• SRDO/PDO linking• SRDO/PDO static mapping• Heartbeat producer• Emergency producer